Question: Configuring Cisco NetFlow
I got a call today. A machine on my network is performing a port scan on my ISP's customer's server. They provided me with a NAT'd address for our machine, source port 500, destination port 500, and the customer's destination address. How can I set up NetFlow on my Cisco 3550 to show my culprit internal address? I'm guessing I just want to aggregate info for source port 500, dest port 500, and dest IP?
I'm looking for specifics. I'm a Cisco newbie, and the online docs are a little over my head for NetFlow.
Answer: Configuring Cisco NetFlow
To enable NetFlow on your switch, add this to the switch config.
Telnet to the switch and log in:

    >enable
    Password:
    #conf t
    (config)#ip flow-cache timeout active 1

On the interface you want to run NetFlow on, add the config commands below, where fe1 is replaced by your interface type and number. Type a '?' to see the available command options, i.e. 'int ?' or 'int ether?' etc.

    (config)#int fe1
    (config-if)#ip route-cache flow
    (config-if)#exit
    (config)#ip flow-export version 5
    (config)#ip flow-export destination <collector-ip> <udp-port>
    (config)#wr

The destination IP and port point to your NetFlow collector running on another host.
Note: Netflow is only available on some versions of the 3550 and it depends on the IOS version running.
The PRTG guys offer a free NetFlow test tool to see if it is working, plus a little guide to tweaking your NetFlow setup.
http://www.paessler.com/support/kb/questions/20/Configuration-Tips-for-Cisco-Routers-and-PRTG
Regards, Rob
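Once the switch exports v5 records to a collector, the collector side of the job is to decode the datagrams and pull out the internal source address behind the pattern the ISP reported. The following is an added example, not code from the answer above or from PRTG: a minimal NetFlow v5 parser plus the filter the question asks for. It assumes the collector listens on UDP 2055 (a common default, but any port you put in ip flow-export destination works), and the sample datagram is constructed inline from documentation addresses; 203.0.113.7 and udp/500 stand in for the destination and ports in the ISP's complaint.

```python
"""Minimal NetFlow v5 collector logic: parse exported datagrams and pull out
the internal source addresses behind a given destination/port pattern.
Added example, not from the original post; the sample flows are constructed."""
import ipaddress
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 header (24 bytes): version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 record (48 bytes): srcaddr, dstaddr, nexthop, input, output,
# dPkts, dOctets, first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
# src_as, dst_as, src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    packets: int
    octets: int


def parse_v5(datagram: bytes) -> list[Flow]:
    """Decode one NetFlow v5 export datagram into Flow records."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > 30:
        raise ValueError("v5 exporters send at most 30 records per datagram")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < needed:
        raise ValueError(f"truncated: header promises {count} records")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(
            src=str(ipaddress.IPv4Address(r[0])),
            dst=str(ipaddress.IPv4Address(r[1])),
            src_port=r[9], dst_port=r[10], proto=r[13],
            packets=r[5], octets=r[6],
        ))
    return flows


def find_sources(flows, dst_ip, src_port, dst_port, proto=None):
    """Return {internal_src: total_packets} for flows matching the report."""
    hits = {}
    for f in flows:
        if (f.dst == dst_ip and f.src_port == src_port and f.dst_port == dst_port
                and (proto is None or f.proto == proto)):
            hits[f.src] = hits.get(f.src, 0) + f.packets
    return hits


def build_v5(flows, sequence=0):
    """Encode flows as a v5 datagram (used here only to construct test input)."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(int(ipaddress.IPv4Address(f.src)),
                       int(ipaddress.IPv4Address(f.dst)),
                       0, 1, 2, f.packets, f.octets, 0, 0,
                       f.src_port, f.dst_port, 0, 0, f.proto, 0, 0, 0, 24, 24, 0)
        for f in flows)
    return header + body


# Constructed sample: one host hitting the complained-about server, one not.
SAMPLE = build_v5([
    Flow("192.168.1.20", "203.0.113.7", 500, 500, 17, 120, 7680),
    Flow("192.168.1.20", "203.0.113.7", 500, 500, 17, 95, 6080),
    Flow("192.168.1.55", "198.51.100.9", 52000, 443, 6, 10, 1500),
])


def listen(port=2055):
    """Bind the collector port and keep parsing datagrams (not run on import)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (exporter, _) = sock.recvfrom(65535)
        for src, pkts in find_sources(parse_v5(data), "203.0.113.7", 500, 500).items():
            print(f"{exporter}: {src} -> 203.0.113.7 udp/500 ({pkts} pkts)")


if __name__ == "__main__":
    print(find_sources(parse_v5(SAMPLE), "203.0.113.7", 500, 500))
```

Two things to keep in mind when reading the output. NetFlow records are unidirectional, so filter on the direction the exporter actually sees (source port 500 from the inside host to the customer's address, as the ISP described it). And UDP 500 to UDP 500 between two hosts is exactly what an IKE/IPsec negotiation looks like, so before naming a culprit, check whether the "scan" is one internal host probing many addresses and ports or a single VPN peer that someone configured with the wrong gateway.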