How To Configure Local Router Monitoring Without SNMP with Silverline

Description

Router Monitoring is an add-on feature where Silverline receives flow data directly from your router. If you are interested in turning on this feature, please contact your Silverline Sales representative.

 

Netflow sends sampled data about the "flow" of traffic passing through the customer network to Silverline Collectors. That data is analyzed in near real-time, looking for known patterns indicating potential attacks, characterized by multiple signature types. The F5 Silverline SOC team uses this information to proactively mitigate attacks, protecting customer networks.

Netflow identifies the sampled interfaces by their ingress interface ifindex(es).

See also: Router Monitoring: Network Traffic

 

Environment

  • DDoS
  • Silverline Portal
  • Local Router
  • Netflow v9

Procedure

Step 1: Allowlist the following on your local router:

  1. Silverline's collector IP(s): 
    1. DCA: 107.162.8.254, 
    2. SJC: 107.162.9.254, 
    3. FRA: 107.162.10.254, 
    4. SIN: 107.162.11.254, 
    5. LON: 107.162.15.254
  2. Outbound connectivity to a geographically suitable Silverline collector. The most commonly used NetFlow port is UDP port 2055, but other ports, such as 9555, 9995, 9025, and 9026, can also be used. Silverline defaults to UDP port 2055.

Step 2: Open a ticket with the SOC with the following information:

  1. Confirmation that you allowlisted the items listed above.
  2. IMPORTANT: You must identify which interfaces to listen on (usually the WAN interface).
  3. Exporter IP: the IP address of the router that will be monitored (through the Netflow export received from it).
  4. Silverline Scrubbing Center where you would like to send the Netflow data
    • Example traceroute (collector in San Jose, SJC1):
        $ traceroute -m 20 -n 107.162.9.254
        traceroute to 107.162.9.254 (107.162.9.254), 20 hops max, 52 byte packets
        <snip>
        3 10.160.44.30 3.449 ms 2.123 ms 1.975 ms
        4 10.160.82.5 4.679 ms 4.527 ms 4.427 ms
        5 10.160.0.137 2.231 ms 1.537 ms 1.486 ms
        6 38.104.126.249 1.787 ms 1.587 ms 2.317 ms
        7 213.248.82.152 2.056 ms 1.547 ms 1.617 ms
        8 62.115.118.169 24.422 ms 23.628 ms 23.870 ms
        9 62.115.35.130 22.669 ms 23.320 ms 22.785 ms
  5. Confirm that you are using Netflow version v9. Our collectors don't support other versions.
  6. Netflow by default contains ifindex(es) to monitor export IP flows.
    • This requires that you first enable ifindex persistence on each interface:
      config t
      interface <interface_id>
      snmp ifindex persist
      exit
      • This makes the ifIndex values persistent (so if you add/remove an interface card or virtual interfaces, or reboot, nothing changes).
      • This information is stored on the file-system disk and read by the OS.
      • You can list and view this file with the dir and more commands:
        • 1) dir disk0:snmp/
        • 2) more disk0:snmp/ifindex-table

  7. Confirm that the Sampling rate is set to 1:1000 (This is mandatory)
  8. Flow timeout period
  9. Destination port (Netflow collector): Port 2055
  10. Provide Silverline with ifindex(es) to monitor and collect inbound received traffic flows.  

Example: Device Specific Configuration

Cisco IOS XR Devices

NetFlow is a Cisco-developed network protocol for collecting IP traffic details as traffic enters or exits an interface. This section shows how to configure Netflow on Cisco IOS XR devices. The Netflow configuration is divided into 3 main components:

  • Exporter Map
  • Sampler Map
  • Flow Monitor Map

First, note the limitations of NetFlow on Cisco IOS XR 6.2.x:

  • Only NetFlow version 9 is allowed.
  • Do not use a management interface for exporting Netflow packets.
  • A source interface must be assigned.
  • You cannot use a sub-interface to export NetFlow.

Exporter Map:

An exporter map contains the transport layer information and network details for the Netflow export packet. You can also define the NetFlow version, as shown below:

flow exporter-map ExpMap
destination 107.162.9.254
source gigabitEthernet 0/0/0/0
transport udp 2055
version v9

Here, we define an exporter map named ExpMap. The NetFlow server IP is 107.162.9.254 (collector in San Jose, SJC1) on UDP port 2055, and the source interface is gigabitEthernet 0/0/0/0.

 

Sampler Map:

The sampler map defines the rate at which packets are sampled.

sampler-map SamMap
random 1 out-of 1000

Here, we analyze 1 packet out of 1000. Please note that physical interfaces and sub-interfaces must be under the same sampler map.

Flow Monitor Map:

The monitor map is assigned to the interface. It contains an exporter map and a record map.

flow monitor-map MonMap
record ipv4
exporter ExpMap

Apply to Interface:

Finally, we need to apply the monitor map and the sampler map to the monitored interface. Here we apply Netflow to gigabitEthernet 0/0/0/4 for inbound traffic.

interface gigabitEthernet 0/0/0/4
flow ipv4 monitor MonMap sampler SamMap ingress
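
Before opening the SOC ticket, a captured export packet can be checked for the two things the collectors depend on: version 9 and an ingress ifindex in every record. The following is an added example, not F5 or Cisco code; the function names, the sample packet and ifindex 7 are constructed for illustration, and byte counts are scaled by the 1:1000 sampler configured above.

```python
import struct
from collections import Counter

IN_BYTES, IPV4_SRC_ADDR, INPUT_SNMP = 1, 8, 10   # NetFlow v9 field types (RFC 3954)
SAMPLING_RATE = 1000                             # the 1:1000 sampler this page requires

def estimate_by_ifindex(packet, templates):
    """Parse one NetFlow v9 export packet; return {ingress ifindex: estimated bytes}."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte NetFlow v9 header")
    version = struct.unpack_from("!H", packet, 0)[0]
    if version != 9:
        raise ValueError(f"NetFlow version {version}, expected 9")
    totals, offset = Counter(), 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("FlowSet length runs outside the packet")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:                            # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * nfields
                if tid < 256 or nfields == 0 or end > len(body):
                    break                         # padding or truncated template
                templates[tid] = [struct.unpack_from("!HH", body, p)
                                  for p in range(pos + 4, end, 4)]
                pos = end
        elif fs_id in templates:                  # data FlowSet with a known template
            fields = templates[fs_id]
            rec_len = sum(length for _, length in fields)
            for start in range(0, len(body) - rec_len + 1, max(rec_len, 1)):
                rec, pos = {}, start
                for ftype, length in fields:
                    rec[ftype] = int.from_bytes(body[pos:pos + length], "big")
                    pos += length
                if INPUT_SNMP in rec:
                    totals[rec[INPUT_SNMP]] += rec.get(IN_BYTES, 0) * SAMPLING_RATE
        offset += fs_len
    return dict(totals)

def sample_packet():
    """Constructed sample: one template, two sampled flows entering ifindex 7."""
    tmpl = struct.pack("!HH6H", 256, 3, IPV4_SRC_ADDR, 4, INPUT_SNMP, 4, IN_BYTES, 4)
    recs = (struct.pack("!4sII", bytes([192, 0, 2, 10]), 7, 1500)
            + struct.pack("!4sII", bytes([198, 51, 100, 5]), 7, 500))
    header = struct.pack("!HHIIII", 9, 3, 0, 0, 1, 0)
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(recs)) + recs)
```

Pass the same `templates` dict for every packet from one exporter, because v9 templates are sent only periodically and data FlowSets that arrive before their template are skipped.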
