How-to configure a free NetFlow forwarder or NetFlow duplicator
Hi Brad,

I had a customer with some Enterasys switches contact me the other day with a problem. It seems that Enterasys N series switches will only forward NetFlow to one collector. This is a problem because the customer needed to get the NetFlow to two destinations. What this customer needed was a NetFlow Forwarder or NetFlow Duplicator. Some even call it a NetFlow replicator. The diagram below explains what he needed to configure:

We installed a program called the Samplicator; below is a description of this program:
"This simple program listens for UDP datagrams on a network port, and sends copies of these datagrams on to a set of destinations. Optionally, it can perform sampling, i.e. rather than forwarding every packet, forward only 1 in N. Another option is that it can 'spoof' the IP source address, so that the copies appear to come from the original source, rather than the relay. Currently only supports IPv4."

Here is the process we went through to set it up. Most Linux people are used to building from source. First perform the following:

Download the samplicator-1.3.6.tar.gz file from the site.

At this point the binary is in the system path and can be run from any directory. The options are as follows:

Specifying receivers:
A.B.C.D[%cport[%cfreq][%cttl]]...

Config file format:
a.b.c.d[/e.f.g.h]: receiver...

Note: Receivers specified on the command line will get all packets; those specified in the config file will get only packets with a matching source.

I set up the Enterasys switch (10.1.1.253) to send NetFlow to the Samplicator on port 2000. The Samplicator on my PC was configured to listen on port 2000 (which is the default) and to export to three NetFlow collectors (10.1.37.20, 10.1.15.211 and 10.1.7.18), which are all listening on port 2055. When a packet comes into 10.1.1.5 from 10.1.1.253, it spits out 3 packets, one for each collector (10.1.37.20, 10.1.15.211 and 10.1.7.18).

In summary, on the command line we typed in:

Remember, the "-f" runs the program in the background and it is optional.

Anyway, we performed a Wireshark capture on port 2055 and saw that it was indeed samplicating while spoofing the source. Notice below that the switch (10.1.1.253) sent the NetFlow to the Samplicator (10.1.1.5) and the Samplicator forwarded the same packet on to 3 destinations without modifying the source IP address:

Each of the above 3 destinations was running Plixer's Scrutinizer NetFlow and sFlow Analyzer. It actually only took a few minutes to set this up. Since this will work on all types of UDP packets, this can be useful for SNMP Traps, Syslogs or NetFlow.

Some of you probably have questions on its performance. I haven't stress tested it, but the load on the CPU was about 1%. Anyway, this should work for forwarding IPFIX or NetFlow from Cisco routers, Cisco ASA devices, sFlow switches, etc.

Hopefully, you'll stress test it and let me, Plixer's President and CEO, know if it works. You can email me at: Michael Patterson.

Visit Brad's how to archive.
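Added example (not part of the original article and not Samplicator's own code): a small Python model of the receiver and config-file formats quoted above, useful for checking which collectors a given exporter's flows will reach before relying on them for monitoring. Assumptions: "/" is the field separator in receiver specs, e.f.g.h is a netmask defaulting to an exact match, and the default receiver port and TTL are 2000 and 64; all function and class names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_PORT = 2000  # assumption: port used when a receiver spec names none

@dataclass(frozen=True)
class Receiver:
    addr: str
    port: int = DEFAULT_PORT
    freq: int = 1    # forward 1 in N datagrams (1 = every datagram)
    ttl: int = 64    # assumption: default TTL of the copies

def parse_receiver(spec, sep="/"):
    """Parse A.B.C.D[<sep>port[<sep>freq[<sep>ttl]]]; '/' is an assumed separator."""
    parts = spec.split(sep)
    if len(parts) > 4:
        raise ValueError(f"too many fields in receiver spec {spec!r}")
    addr = str(ipaddress.IPv4Address(parts[0]))   # IPv4 only, per the description
    rcv = Receiver(addr, *(int(p) for p in parts[1:]))
    if not (0 < rcv.port < 65536 and rcv.freq >= 1 and 0 < rcv.ttl < 256):
        raise ValueError(f"field out of range in receiver spec {spec!r}")
    return rcv

def parse_rule(line):
    """Parse 'a.b.c.d[/e.f.g.h]: receiver...' into (network, mask, receivers)."""
    source, colon, rest = line.partition(":")
    if not colon or not rest.split():
        raise ValueError(f"rule needs 'source: receiver...': {line!r}")
    net, _, mask = source.strip().partition("/")
    # Assumption: e.f.g.h is a netmask on the sender, defaulting to an exact match.
    mask = int(ipaddress.IPv4Address(mask or "255.255.255.255"))
    return int(ipaddress.IPv4Address(net)) & mask, mask, [parse_receiver(s) for s in rest.split()]

def receivers_for(src, cli_receivers, rules):
    """Command-line receivers see every source; rule receivers only matching ones."""
    s = int(ipaddress.IPv4Address(src))
    matched = [r for net, mask, rcvs in rules if s & mask == net for r in rcvs]
    return list(cli_receivers) + matched

# Constructed sample config (addresses reused from the setup described above).
CONFIG = """\
10.1.1.253: 10.1.37.20/2055 10.1.15.211/2055
10.1.0.0/255.255.0.0: 10.1.7.18/2055/10
"""
RULES = [parse_rule(l) for l in CONFIG.splitlines() if l.strip()]

if __name__ == "__main__":
    for src in ("10.1.1.253", "10.1.9.9", "192.0.2.1"):
        print(src, "->", [(r.addr, r.port, r.freq) for r in receivers_for(src, [], RULES)])
```

An exporter that matches no rule and has no command-line receiver reaches no collector at all, which is the silent gap worth checking for when a relay sits in front of security monitoring.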
Don't be shy, what tips can you provide on NetFlow forwarder or NetFlow duplicator?
©2011 BradReese.Com