By default Cisco IOS doesn’t provide any traffic monitoring tools like iftop or iptraff available in Linux. While there are lots of proprietary solutions for this purpose including Cisco Netflow Collection, you are free to choose nfdump and nfsen open source software to monitor traffic of one or many Cisco routers and get detailed monitoring data through your Linux command line or as graphs at absolutely no cost.
Below is beginner’s guide that helps to quickly deploy netflow collector and visualizer under Linux and impress everybody by cute and descriptive graphs like these:
It is highly recommended to look through Netflow basics to get brief understanding of how it works before configuring anything. For example, here is Cisco’s document that gives complete information about Netflow. In a few words to get started you should enable netflow exporting on Cisco router and point it to netflow collector running under Linux. Exported data will contain complete information about all packets the router has received/sent so nfdump and nfsen working under Linux will collect it and visualize to present you the graph like above example.
Cisco Router Setup
1. Enable flow export on ALL Cisco router’s interfaces that send and receive some traffic, here is an example:
Router1# configure terminal Router1(config)#interface FastEthernet 0/0 Router1(config-if)#ip route-cache flow input Router1(config-if)#interface FastEthernet 0/1 Router1(config-if)#ip route-cache flow input ...2. Setup netflow export:
Router1# configure terminal Router1(config)#ip flow-export source FastEthernet0/0 Router1(config)#ip flow-export source FastEthernet0/1 Router1(config)#ip flow-export version 5 Router1(config)#ip flow-export destination 1.1.1.1 23456Where 1.1.1.1 is IP address of Linux host where you plan to collect and analyze netflow data. 23456 is port number of netflow collector running on Linux.
Linux Setup
1. Download and install nfdump.
cd /usr/src/ wget http://sourceforge.net/projects/nfdump/files/stable/nfdump-1.6.2/nfdump-1.6.2.tar.gz/download tar -xvzf nfdump-1.6.2.tar.gz cd nfdump-1.6.2 ./configure --prefix=/ --enable-nfprofile make make install2. Download and install nfsen.
It requires web server with php module and RRD so make sure you have the corresponding packages installed. I hope you’re running httpd with php already so below are rrd/perl related packages installation hints only.
Fedora/Centos/Redhat users should type this:
yum install rrdtool rrdtool-devel rrdutils perl-rrdtoolUbuntu/Debian:
aptitude install rrdtool librrd2-dev librrd-dev librrd4 librrds-perl librrdp-perlIf you run some exotic Linux distribution just install everything that is related to rrd + perl.
At last, nfsen installation:
cd /usr/src/ wget http://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.5/nfsen-1.3.5.tar.gz/download tar -xvzf nfsen-1.3.5.tar.gz cd nfsen-1.3.5 cp etc/nfsen-dist.conf etc/nfsen.confIn order to continue you should edit file etc/nfsen.conf to specify where to install nfsen, web server’s username, its document root directory etc. That file is commented so there shouldn’t be serious problems with it.
One of the major sections of nfsen.conf is ‘Netflow sources’, it should contain exactly the same port number(s) you’ve configured Cisco with — recall ‘ip flow-export …’ line where we’ve specified port 23456. E.g.
%sources = (
'Router1' => { 'port' => '23456', 'col' => '#0000ff', 'type' => 'netflow' },
);Now it’s time to finish the installation:./install.pl etc/nfsen.confIn case of success you’ll see corresponding notification after which you will have to start nfsen daemon to get the ball rolling:
/path/to/nfsen/bin/nfsen startFrom this point nfdump started collecting netflow data exported by Cisco router and nfsen is hardly working to visualize it — just open web browser and go to http://linux_web_server/nfsen/nfsen.php to make sure. If you see empty graphs just wait for a while to let nfsen to collect enough data to visualize it.
