Question : Configuring Cisco Netflow

I got a call today. A machine on my network is performing a port scan on my ISP's customer's server. They provided me with a NAT'd address for our machine, source port 500, destination port 500, and the customer's destination address. How can I set up NetFlow on my Cisco 3550 to show my culprit internal address? I'm guessing I just want to aggregate info for source port 500, dest port 500, and dest IP?

I'm looking for specifics. I'm a Cisco newbie, and the online docs are a little over my head for NetFlow.

Answer : Configuring Cisco Netflow

To enable netflow on your switch add this to the switch config.

Telnet to the switch and log in

>enable
--->password
#conf t
(config)#ip flow-cache timeout active 1

On the interface you want to run NetFlow on, add the config command below, where fe1 is replaced by your interface type and number. Type a '?' to see the available command options, i.e. 'int ?' or 'int ether?' etc.

(config)#int fe1
(config-if)#ip route-cache flow
(config-if)#exit
(config)#ip flow-export version 5
(config)#ip flow-export destination <collector-ip> <udp-port>
(config)#end
#wr

The destination IP and port point to your NetFlow collector running on another host.

Note: Netflow is only available on some versions of the 3550 and it depends on the IOS version running.

The PRTG guys offer a free NetFlow test tool to see if it is working, plus a little guide to tweaking your NetFlow setup.

http://www.paessler.com/support/kb/questions/20/Configuration-Tips-for-Cisco-Routers-and-PRTG


Regards Rob
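
Once the switch is exporting version 5 records, the collector side still has to pick out the flows matching the tuple the ISP reported. The following is an added example, not part of the original answer: a minimal NetFlow v5 datagram parser that filters on destination IP, source port 500 and destination port 500 and totals packets per source address. The function names and the sample addresses are constructed for illustration, and it assumes the flows are exported from an interface before NAT is applied, so the source address in each record is the internal host.

```python
import socket
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")  # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # v5 flow record, 48 bytes


def parse_v5(datagram):
    """Yield one dict per flow record in a NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size or datagram[:2] != b"\x00\x05":
        raise ValueError("not a NetFlow v5 export datagram")
    count = HEADER.unpack_from(datagram)[1]
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated: header count exceeds payload")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        yield {"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
               "packets": f[5], "sport": f[9], "dport": f[10], "proto": f[13]}


def internal_sources(flows, dst_ip, sport=500, dport=500):
    """Sum packets per source address for flows matching the reported tuple."""
    # Assumption: flows are exported before NAT, so "src" is the inside host.
    hits = Counter()
    for flow in flows:
        if (flow["dst"], flow["sport"], flow["dport"]) == (dst_ip, sport, dport):
            hits[flow["src"]] += flow["packets"]
    return hits


def sample_datagram(flows):
    """Build a constructed v5 datagram from (src, dst, sport, dport, proto, pkts)."""
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 1, 2,
                    pkts, pkts * 100, 0, 0, sp, dp, 0, 0, proto, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, proto, pkts in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body


SAMPLE = sample_datagram([  # constructed flows, private/documentation addresses
    ("192.168.1.23", "203.0.113.10", 500, 500, 17, 40),
    ("192.168.1.57", "203.0.113.10", 51512, 443, 6, 12),
    ("192.168.1.23", "203.0.113.10", 500, 500, 17, 25),
    ("192.168.1.80", "198.51.100.7", 500, 500, 17, 3),
])

if __name__ == "__main__":
    print(internal_sources(parse_v5(SAMPLE), "203.0.113.10").most_common())
```

In a live collector, each UDP payload received on the export port would be passed to parse_v5 in place of the constructed sample.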




