Exporting Flow to multiple servers (Flow Samplicators)

Exporting Flow to multiple servers (Flow Samplicators)

    NetFlow Samplicator

    In our previous article we have discussed the alternative way to get flow statistics using a NetFlow generator. One of the fundamental features of the generator is its capability to export flow records to multiple destinations (NetFlow collectors). Often, it is necessary to export NetFlow traffic to more than a single NetFlow collector, for instance for production, testing or development purposes. Indeed, many network devices with a built-in NetFlow feature are capable to export flows to multiple destinations as well as most of NetFlow generators. Below is an example of Flexible NetFlow on a Cisco IOS router which is configured to export flow records to two NetFlow collectors – 192.168.3.1 and 192.168.4.1 (Picture 1).

    flow record NETFLOW-RECORD
     match ipv4 source address match ipv4 destination address
     match ipv4 protocol
     match transport source-port
     match transport destination-port
     match ipv4 tos
     match interface input
     collect counter bytes
     collect counter packets
     collect interface output
    
     flow exporter NETFLOW-EXPORTER1
     destination 192.168.3.1
     source GigabitEthernet0/0
     transport udp 2055
     template data timeout 60
    
    flow exporter NETFLOW-EXPORTER2
     destination 192.168.4.1
     source GigabitEthernet0/0
     transport udp 2055
     template data timeout 60
    
    flow monitor NETFLOW-MONITOR
     record NETFLOW-RECORD
     exporter NETFLOW-EXPORTER1
     exporter NETFLOW-EXPORTER2
     cache timeout active 30
     cache timeout inactive 15
    
    interface GigabitEthernet0/1
    ip flow monitor NETFLOW-MONITOR input

    Flow Samplicator

    Picture 1: Network Topology with NetFlow Exporter and Two Collectors


    However, some network devices do not support the exporting of flow records to multiple locations. In this case, we can use a workaround in the form of a flow samplicator inserted between a NetFlow exporter and collectors. A NetFlow samplicator is a program that receives UDP datagrams on a given port from a single or multiple senders (NetFlow exporters) and resends those datagrams to a specified set of receivers (NetFlow collectors).

    To demonstrate the function of a NetFlow samplicator, we will replace a flow exporter running Cisco IOS with a VyOS appliance (Picture 2). The appliance with the IP address 192.168.3.254/24 is located in the middle of a network topology and is configured to operate as a NetFlow exporter. It does not support flow exporting to multiple locations. Therefore, the VyOS appliance exports flow records version 9 to the NetFlow samplicator that is listening on the IP address 192.168.3.2 and the UDP port 2055. It is a job of the samplicator to redistribute NetFlow traffic (UDP datagrams) to the configured receivers.

    Net Flow Samplicator

    Picture 2: Network Topology with a NetFlow Exporter, Samplicator and Two Collectors


    Below is the configuration related to NetFlow v9 on VyOS.

    system {
        config-management {
            commit-revisions 100
        }
        console {
            device ttyS0 {
                speed 9600
            }
        }
        flow-accounting {
            interface eth1
            netflow {
                sampling-rate 100
                server 192.168.3.2 {
                    port 2055
                }
                timeout {
                    expiry-interval 60
                    flow-generic 3600
                    icmp 300
                    max-active-life 604800
                    tcp-fin 300
                    tcp-generic 3600
                    tcp-rst 120
                    udp 300
                }
                version 9
            }
            syslog-facility daemon
        }
    }

    Let’s start NetFlow samplicator and check if it is listening on the socket 192.168.3.2/2055 (Picture 3).

    $ sudo samplicate -s 192.168.3.2 -S -p 2055 -d 192.168.4.1/2055 192.168.5.1/2055
    -b Set socket buffer size ( default 65536)
    -c Specify a config file to read.
    -d Debug level
    -f Fork. This option sets samplicate to work as background process.
    -n Do not compute UDP checksum (leave at 0)
    -p <port> UDP port to accept flows on (default 2000)
    -S Maintain (spoof) source address.
    -s <address> Interface address to accept flows on (default any)
    -x <delay> Transmission delay in microseconds.

    Checking Whether Samplicator is Listening on IP address 192.168.3.2 UDP 2055

    Picture 3: Checking Whether Samplicator is Listening on IP address 192.168.3.2 UDP 2055


    Soon after the NetFlow samplicator is started, we should see the debugging messages (Picture 4) in the console. The samplicator resends NetFlow records received from the NetFlow exporter with the IP address 192.168.3.1, the source port 39268 as UDP datagrams to NetFlow collectors 192.168.4.1 and 192.168.5.1, the destination UDP port 2055.

    Captured Debugging Output from Samplicator CLI

    Picture 4: Captured Debugging Output from Samplicator CLI


    Use Wireshark or tcpdump to open the pcap files captured on both collectors and explore. When we reviewed both captures properly, we could see that flow records contained many flows, counting a single IP packet that has been sent from different source IP addresses to the destination IP address 172.16.2.1 (Picture 5). Those are TCP segments with SYN flag set, sent from the spoofed IP address 172.16.1.1/24 in order to prevent legitimate users to access SSH service (TCP port 22), running on the host 172.16.2.1. Notice, the source IP address of NetFlow exporter 192.168.3.1. This is the IP address of the VyOS router. As the samplicator is configured with the option -S (spoof source address), it preserves the IP address of the original Netlow exporter (VyOS). Therefore, the IP address configured on the network interface of a UDP samplicator – 192.168.4.2 is not used.

    Wireshark Capture Screen on NetFlow Collector1

    Picture 5: Wireshark Capture Screen on NetFlow Collector1


    Conclusion:

    Ideally, flow exporters should be able to export flow records to multiple destinations. In reality, many network devices with a built-in NetFlow feature can export them only to a single or at most two flow collectors. Luckily, a hack in the form of a UDP samplicator can be used as a great workaround. Running as a virtual appliance or on physical hardware, samplicators resend UDP streams to multiple receivers. The number of receivers is only limited by hardware resources of the samplicator appliance, such as CPU and RAM. The resources of the built-in NetFlow exporters are also saved and performance kept as they do not need to export to multiple locations. Instead, flow export is off loaded to a dedicated appliance.

    NFA is in Open Beta. Sign up to get a FREE licence and install NFA.

    LEARN MORE

    NO COMMENTS

    Leave a Reply