Integrations
Huawei
origin-as
It is important to note that, for ASNs (Autonomous System Numbers) to be exported, the router must hold at least one full routing table (full routing).
Netstream
On the box (Root/Admin)
slot 0 <0-10>
ip netstream sampler to slot self
ipv6 netstream sampler to slot self
ip netstream export version 9 origin-as bgp-nexthop ttl
ip netstream export template sequence-number fixed
ip netstream export index-switch 32
ip netstream as-mode 32
ip netstream timeout active 1
ip netstream timeout inactive 15
ip netstream export template timeout-rate 1
ip netstream export template option timeout-rate 1
ip netstream export template option application-label
ip netstream sampler fix-packets 1024 inbound
ip netstream sampler fix-packets 1024 outbound
ip netstream export source IP_ORIGEM
ip netstream export host IP_DO_RR_FLOW_API 3055
ipv6 netstream export version 9 origin-as bgp-nexthop ttl
ipv6 netstream export template sequence-number fixed
ipv6 netstream export index-switch 32
ipv6 netstream as-mode 32
ipv6 netstream timeout active 1
ipv6 netstream timeout inactive 15
ipv6 netstream export template timeout-rate 1
ipv6 netstream export template option timeout-rate 1
ipv6 netstream sampler fix-packets 1024 inbound
ipv6 netstream sampler fix-packets 1024 outbound
ipv6 netstream export source IP_ORIGEM
ipv6 netstream export host IP_DO_RR_FLOW_API 3055
# Sampling will be fixed:
undo ip netstream export template option sampler
undo ipv6 netstream export template option sampler
# Add the upstream interfaces.
interface Virtual-Ethernet0/1/101.408
description Operadora_1_IPv4
ip netstream inbound
ip netstream outbound
interface Virtual-Ethernet0/1/101.409
description Operadora_1_IPv6
ipv6 netstream inbound
ipv6 netstream outbound
interface 40GE0/1/49.2114
description Operadora_2_IPv4e6
ip netstream inbound
ip netstream outbound
ipv6 netstream inbound
ipv6 netstream outbound
display netstream all
If your Huawei router is configured to provide CGNAT services, you can enable log export. Note, however, that detailed logging of NAT sessions can generate a substantial volume of data.
Configuration example:
nat instance INSTANCE-NAME id 1 simple-configuration
nat log host IP_DO_RR_FLOW_API 3055 source IP_ORIGEM 3055 name RR_FLOW
nat log session enable netstream
It is extremely important that the time/UTC of the router exporting flows is properly configured.
display clock
system-view immediately
clock timezone 1 minus 03:00:00
run clock datetime HH:MM:SS AAAA-MM-DD
run clock datetime 12:10:30 2024-04-24
Synchronize with the ntp.br time servers (https://ntp.br/)
ntp-service server disable
ntp-service ipv6 server disable
ntp-service server source-interface all disable
ntp-service ipv6 server source-interface all disable
ntp-service unicast-peer 200.160.0.8
ntp-service unicast-server 200.160.0.8
ntp-service unicast-server 200.160.7.186
ntp-service unicast-server 200.189.40.8
ntp-service refclock-master 2
ntp-service sync-interval 180
ntp-service source-interface <interface_ip_publico>
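An added example (not part of the RR Flow documentation): a Python check that a collector operator could run on a captured NetFlow v9 template packet to confirm the two requirements stated above, namely that `origin-as` with `as-mode 32` yields 4-byte source and destination AS fields, and that the exporter clock agrees with the collector. Field numbers and the header layout follow RFC 3954; the function names, the 60-second skew tolerance and the sample packets are assumptions constructed for illustration.

```python
import struct

# NetFlow v9 field type numbers (RFC 3954).
IPV4_SRC_ADDR, IPV4_DST_ADDR = 8, 12
SRC_AS, DST_AS, BGP_IPV4_NEXT_HOP = 16, 17, 18
# version, count, sysUptime, unix_secs, sequence, source_id
HEADER = struct.Struct("!HHIIII")


def parse_v9_templates(packet):
    """Return (header dict, {template_id: [(field_type, length), ...]})."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header")
    version, _count, _uptime, unix_secs, seq, source_id = HEADER.unpack_from(packet)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    header = {"unix_secs": unix_secs, "sequence": seq, "source_id": source_id}
    templates = {}
    offset = HEADER.size
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("truncated or malformed FlowSet")
        if flowset_id == 0:  # template FlowSet; data and option FlowSets are skipped
            pos, end = offset + 4, offset + length
            while pos + 4 <= end:
                template_id, field_count = struct.unpack_from("!HH", packet, pos)
                pos += 4
                if template_id < 256:
                    break  # padding, not a template record
                if pos + 4 * field_count > end:
                    raise ValueError("template record overruns its FlowSet")
                templates[template_id] = [
                    struct.unpack_from("!HH", packet, pos + 4 * i)
                    for i in range(field_count)
                ]
                pos += 4 * field_count
        offset += length
    return header, templates


def audit_export(packet, collector_now, max_skew=60):
    """List problems that would break ASN dashboards or flow timestamps.

    max_skew (seconds) is an assumed tolerance, not a value from the page.
    """
    header, templates = parse_v9_templates(packet)
    findings = []
    skew = abs(collector_now - header["unix_secs"])
    if skew > max_skew:
        findings.append(f"clock skew {skew}s exceeds {max_skew}s")
    for tid, fields in sorted(templates.items()):
        sizes = dict(fields)
        for name, ftype in (("SRC_AS", SRC_AS), ("DST_AS", DST_AS)):
            if ftype not in sizes:
                findings.append(f"template {tid}: {name} missing")
            elif sizes[ftype] != 4:
                findings.append(f"template {tid}: {name} is {sizes[ftype]} bytes, not 4")
    return findings


def build_template_packet(unix_secs, template_id, fields):
    """Build a constructed v9 packet holding one template (sample input only)."""
    record = struct.pack("!HH", template_id, len(fields))
    record += b"".join(struct.pack("!HH", t, size) for t, size in fields)
    flowset = struct.pack("!HH", 0, 4 + len(record)) + record
    return HEADER.pack(9, 1, 123456, unix_secs, 1, 0) + flowset


# Constructed samples. NOW stands in for the collector's clock (epoch seconds).
NOW = 1_713_971_430
GOOD_PACKET = build_template_packet(
    NOW - 2, 256,
    [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (SRC_AS, 4), (DST_AS, 4),
     (BGP_IPV4_NEXT_HOP, 4)],
)
# Exporter clock three hours behind, 2-byte source AS, no destination AS.
BAD_PACKET = build_template_packet(
    NOW - 3 * 3600, 260,
    [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (SRC_AS, 2)],
)

if __name__ == "__main__":
    for label, pkt in (("good", GOOD_PACKET), ("bad", BAD_PACKET)):
        print(label, audit_export(pkt, NOW) or "ok")
```

The same check applies to any exporter on this page that sends NetFlow v9; exporters that carry no AS fields at all are reported as missing both.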
Frequently asked questions
IP_ORIGEM - Usually the IP of the Loopback interface.
IP_DO_RR_FLOW_API - IP address of the RR Flow server that will receive the data.
For both, you can configure only IPv4 or only IPv6, for example:
ip netstream export source 10.50.50.50
ip netstream export host 172.16.0.100 3055
ipv6 netstream export source 10.50.50.50
ipv6 netstream export host 172.16.0.100 3055
Or
ip netstream export source 2001:db8:ffff:ffff::ffff
ip netstream export host 2001:db8:cafe:d0ce::50 3055
ipv6 netstream export source 2001:db8:ffff:ffff::ffff
ipv6 netstream export host 2001:db8:cafe:d0ce::50 3055
ip netstream inbound | ip netstream outbound - Attach to the interfaces with IPv4 configured that will export their flows. Usually only the upstream interfaces.
interface 40GE0/1/49.32
vlan-type dot1q 32
description Operadora_IPv4
ip address 10.10.10.6 255.255.255.252
statistic enable
ip netstream inbound
ip netstream outbound
ipv6 netstream inbound | ipv6 netstream outbound - Attach to the interfaces with IPv6 configured that will export their flows. Usually only the upstream interfaces.
interface 40GE0/1/49.128
vlan-type dot1q 128
description Operadora_IPv6
ipv6 enable
ipv6 address 2001:DB8:1:1:1::2/64
statistic enable
ipv6 netstream inbound
ipv6 netstream outbound
If the interface has both IPv4 and IPv6
interface 40GE0/1/49.3264
vlan-type dot1q 3264
description Operadora_IPv6
ip address 10.10.10.6 255.255.255.252
ipv6 enable
ipv6 address 2001:DB8:1:1:1::2/64
statistic enable
ip netstream inbound
ip netstream outbound
ipv6 netstream inbound
ipv6 netstream outbound
Peer
ADMIN
system-view
flowspec ipv4-fragment-rule switch
flowspec match bras ipv4 enable
y
commit
run save
y
VS or ADMIN
system-view
ip route-static 192.0.2.1 255.255.255.255 NULL0 description BLACKHOLE
ipv6 route-static 2001:DB8:DEAD:BEEF::1 128 NULL0 description BLACKHOLE
ip ip-prefix RRFLOW_FULL_ROUTING_IPV4 index 10 permit 0.0.0.0 0 greater-equal 1 less-equal 24
ip ipv6-prefix RRFLOW_FULL_ROUTING_IPV6 index 10 permit :: 0 greater-equal 16 less-equal 48
# Unicast
#
route-policy RRFLOW_IMPORT_UNICAST_IPV4 permit node 10
route-policy RRFLOW_IMPORT_UNICAST_IPV4 deny node 9999
#
route-policy RRFLOW_EXPORT_UNICAST_IPV4 permit node 10
if-match ip-prefix RRFLOW_FULL_ROUTING_IPV4
#
route-policy RRFLOW_EXPORT_UNICAST_IPV4 deny node 9999
#
#
route-policy RRFLOW_IMPORT_UNICAST_IPV6 permit node 10
route-policy RRFLOW_IMPORT_UNICAST_IPV6 deny node 9999
#
route-policy RRFLOW_EXPORT_UNICAST_IPV6 permit node 10
if-match ipv6 address prefix-list RRFLOW_FULL_ROUTING_IPV6
#
route-policy RRFLOW_EXPORT_UNICAST_IPV6 deny node 9999
#
# Flowspec
#
route-policy RRFLOW_IMPORT_FLOWSPEC_IPV4 permit node 10
#
route-policy RRFLOW_EXPORT_FLOWSPEC_IPV4 deny node 9999
#
#
route-policy RRFLOW_IMPORT_FLOWSPEC_IPV6 permit node 10
#
route-policy RRFLOW_EXPORT_FLOWSPEC_IPV6 deny node 9999
#
bgp <SEU_ASN>
peer <IPV4_SERVIDOR_RR_FLOW> as-number <SEU_ASN>
peer <IPV4_SERVIDOR_RR_FLOW> description RR_FLOW_IPv4
peer <IPV4_SERVIDOR_RR_FLOW> timer connect-retry 1
peer <IPV4_SERVIDOR_RR_FLOW> connect-interface <INTERFACE> # (multihop)
peer <IPV6_SERVIDOR_RR_FLOW> as-number <SEU_ASN>
peer <IPV6_SERVIDOR_RR_FLOW> description RR_FLOW_IPv6
peer <IPV6_SERVIDOR_RR_FLOW> timer connect-retry 1
peer <IPV6_SERVIDOR_RR_FLOW> connect-interface <INTERFACE> # (multihop)
ipv4-family unicast
peer <IPV4_SERVIDOR_RR_FLOW> enable
y
peer <IPV4_SERVIDOR_RR_FLOW> public-as-only
peer <IPV4_SERVIDOR_RR_FLOW> route-policy RRFLOW_IMPORT_UNICAST_IPV4 import
peer <IPV4_SERVIDOR_RR_FLOW> route-policy RRFLOW_EXPORT_UNICAST_IPV4 export
peer <IPV4_SERVIDOR_RR_FLOW> advertise-community
peer <IPV4_SERVIDOR_RR_FLOW> advertise-ext-community
peer <IPV4_SERVIDOR_RR_FLOW> advertise-large-community
peer <IPV4_SERVIDOR_RR_FLOW> capability-advertise add-path send
peer <IPV4_SERVIDOR_RR_FLOW> advertise add-path path-number <NUMERO_DE_SALTOS_EXPORTADO>
bestroute add-path path-number <NUMERO_DE_SALTOS_EXPORTADO>
ipv6-family unicast
peer <IPV6_SERVIDOR_RR_FLOW> enable
y
peer <IPV6_SERVIDOR_RR_FLOW> public-as-only
peer <IPV6_SERVIDOR_RR_FLOW> route-policy RRFLOW_IMPORT_UNICAST_IPV6 import
peer <IPV6_SERVIDOR_RR_FLOW> route-policy RRFLOW_EXPORT_UNICAST_IPV6 export
peer <IPV6_SERVIDOR_RR_FLOW> advertise-community
peer <IPV6_SERVIDOR_RR_FLOW> advertise-ext-community
peer <IPV6_SERVIDOR_RR_FLOW> advertise-large-community
peer <IPV6_SERVIDOR_RR_FLOW> capability-advertise add-path send
peer <IPV6_SERVIDOR_RR_FLOW> advertise add-path path-number <NUMERO_DE_SALTOS_EXPORTADO>
bestroute add-path path-number <NUMERO_DE_SALTOS_EXPORTADO>
ipv4-family flow
peer <IPV4_SERVIDOR_RR_FLOW> enable
y
peer <IPV4_SERVIDOR_RR_FLOW> route-policy RRFLOW_IMPORT_FLOWSPEC_IPV4 import
peer <IPV4_SERVIDOR_RR_FLOW> route-policy RRFLOW_EXPORT_FLOWSPEC_IPV4 export
peer <IPV4_SERVIDOR_RR_FLOW> redirect ip rfc-compatible
peer <IPV4_SERVIDOR_RR_FLOW> validation-disable
peer <IPV4_SERVIDOR_RR_FLOW> advertise-community
peer <IPV4_SERVIDOR_RR_FLOW> advertise-large-community
route validation-mode include-as
ipv6-family flow
peer <IPV6_SERVIDOR_RR_FLOW> enable
y
peer <IPV6_SERVIDOR_RR_FLOW> route-policy RRFLOW_IMPORT_FLOWSPEC_IPV6 import
peer <IPV6_SERVIDOR_RR_FLOW> route-policy RRFLOW_EXPORT_FLOWSPEC_IPV6 export
peer <IPV6_SERVIDOR_RR_FLOW> validation-disable
peer <IPV6_SERVIDOR_RR_FLOW> advertise-community
peer <IPV6_SERVIDOR_RR_FLOW> advertise-large-community
route validation-mode include-as
y
commit
run save
y
display bgp flow routing-table verbose
display bgp flow ipv6 routing-table verbose
display bgp flow peer
display bgp flow ipv6 peer
display bgp flow peer <IPV4_SERVIDOR_RR_FLOW> verbose
display bgp flow ipv6 peer <IPV6_SERVIDOR_RR_FLOW> verbose
dis bgp flow routing-table peer <IPV4_SERVIDOR_RR_FLOW> received-routes
dis bgp flow ipv6 routing-table peer <IPV6_SERVIDOR_RR_FLOW> received-routes
Junos
Contribution from @Maykbn using an MX204.
set services flow-monitoring version-ipfix template ipv4 flow-active-timeout 60
set services flow-monitoring version-ipfix template ipv4 flow-inactive-timeout 15
set services flow-monitoring version-ipfix template ipv4 template-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv4 option-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv4 ipv4-template
set services flow-monitoring version-ipfix template ipv6 flow-active-timeout 60
set services flow-monitoring version-ipfix template ipv6 flow-inactive-timeout 15
set services flow-monitoring version-ipfix template ipv6 template-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv6 option-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv6 ipv6-template
set services flow-monitoring version-ipfix template ipv6 flow-key flow-direction
set forwarding-options sampling instance netflow input rate 1024
set forwarding-options sampling instance netflow input run-length 0
set forwarding-options sampling instance netflow family inet output flow-active-timeout 60
set forwarding-options sampling instance netflow family inet output flow-server IP_DESTINO port PORTA_DESTINO
set forwarding-options sampling instance netflow family inet output flow-server IP_DESTINO autonomous-system-type origin
set forwarding-options sampling instance netflow family inet output flow-server IP_DESTINO no-local-dump
set forwarding-options sampling instance netflow family inet output flow-server IP_DESTINO version-ipfix template ipv4
set forwarding-options sampling instance netflow family inet output inline-jflow source-address IP_ORIGEM
set forwarding-options sampling instance netflow family inet6 output flow-active-timeout 60
set forwarding-options sampling instance netflow family inet6 output flow-server IP_DESTINO port PORTA_DESTINO
set forwarding-options sampling instance netflow family inet6 output flow-server IP_DESTINO autonomous-system-type origin
set forwarding-options sampling instance netflow family inet6 output flow-server IP_DESTINO no-local-dump
set forwarding-options sampling instance netflow family inet6 output flow-server IP_DESTINO version-ipfix template ipv6
set forwarding-options sampling instance netflow family inet6 output inline-jflow source-address IP_ORIGEM
set chassis fpc 0 sampling-instance netflow
set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 10
set chassis fpc 0 inline-services flow-table-size ipv6-flow-table-size 5
# Add the upstream interfaces.
set interfaces ge-0/0/0 unit 0 family inet sampling input
set interfaces ge-0/0/0 unit 0 family inet sampling output
set interfaces ge-0/0/0 unit 0 family inet6 sampling input
set interfaces ge-0/0/0 unit 0 family inet6 sampling output
Contribution from @charles_barreto using an MX104/MX80.
set services flow-monitoring version-ipfix template ipv4 flow-active-timeout 60
set services flow-monitoring version-ipfix template ipv4 flow-inactive-timeout 15
set services flow-monitoring version-ipfix template ipv4 template-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv4 option-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv4 ipv4-template
set services flow-monitoring version-ipfix template ipv6 flow-active-timeout 60
set services flow-monitoring version-ipfix template ipv6 flow-inactive-timeout 15
set services flow-monitoring version-ipfix template ipv6 template-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv6 option-refresh-rate seconds 30
set services flow-monitoring version-ipfix template ipv6 ipv6-template
set services flow-monitoring version-ipfix template ipv6 flow-key flow-direction
set forwarding-options sampling instance netflow input rate 1024
set forwarding-options sampling instance netflow input run-length 0
set forwarding-options sampling instance netflow family inet output flow-active-timeout 15
set forwarding-options sampling instance netflow family inet output flow-server IP_DESTINO port PORTA_DESTINO
set forwarding-options sampling instance netflow family inet output flow-server IP_DESTINO autonomous-system-type origin
set forwarding-options sampling instance netflow family inet output flow-server IP_DESTINO no-local-dump
set forwarding-options sampling instance netflow family inet output flow-server IP_DESTINO version-ipfix template ipv4
set forwarding-options sampling instance netflow family inet output inline-jflow source-address IP_ORIGEM
set forwarding-options sampling instance netflow family inet6 output flow-active-timeout 15
set forwarding-options sampling instance netflow family inet6 output flow-server IP_DESTINO port PORTA_DESTINO
set forwarding-options sampling instance netflow family inet6 output flow-server IP_DESTINO autonomous-system-type origin
set forwarding-options sampling instance netflow family inet6 output flow-server IP_DESTINO no-local-dump
set forwarding-options sampling instance netflow family inet6 output flow-server IP_DESTINO version-ipfix template ipv6
set forwarding-options sampling instance netflow family inet6 output inline-jflow source-address IP_ORIGEM
set chassis afeb slot 0 sampling-instance netflow
# Add the upstream interfaces.
set interfaces xe-2/0/1 unit 0 family inet sampling input
set interfaces xe-2/0/1 unit 0 family inet sampling output
set interfaces xe-2/0/1 unit 1 family inet6 sampling input
set interfaces xe-2/0/1 unit 1 family inet6 sampling output
Cisco
Example 1
sampler RR_FLOW_SAMPLER
mode random 1 out-of 1024
!
flow record RR_FLOW_RECORD_V4
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 id
collect ipv4 source prefix
collect ipv4 source mask
collect ipv4 destination mask
collect transport tcp flags
collect interface output
collect flow sampler
collect counter bytes
collect counter packets
collect counter bytes long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
flow record RR_FLOW_RECORD_V6
match ipv6 traffic-class
match ipv6 next-header
match ipv6 source address
match ipv6 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect routing source as
collect routing destination as
collect routing next-hop address ipv6
collect transport tcp flags
collect interface output
collect flow sampler
collect counter bytes
collect counter packets
collect counter bytes long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
flow exporter RR_FLOW_EXPORTER
destination IP_DO_RR_FLOW_API
source IP_ORIGEM
transport udp 3055
template data timeout 60
!
flow monitor RR_FLOW_MONITOR_V4
exporter RR_FLOW_EXPORTER
cache timeout active 60
cache timeout inactive 15
record RR_FLOW_RECORD_V4
!
flow monitor RR_FLOW_MONITOR_V6
exporter RR_FLOW_EXPORTER
cache timeout active 60
cache timeout inactive 15
record RR_FLOW_RECORD_V6
!
! Apply to the upstream interfaces:
interface GigabitEthernet0/0/0
ip address 10.0.0.1 255.255.255.252
ip flow monitor RR_FLOW_MONITOR_V4 input sampler RR_FLOW_SAMPLER
ip flow monitor RR_FLOW_MONITOR_V4 output sampler RR_FLOW_SAMPLER
!
interface GigabitEthernet0/0/1
ipv6 address 2001:DB8:ABCD::1/64
ipv6 flow monitor RR_FLOW_MONITOR_V6 input sampler RR_FLOW_SAMPLER
ipv6 flow monitor RR_FLOW_MONITOR_V6 output sampler RR_FLOW_SAMPLER
!
interface GigabitEthernet0/0/2
ip address 10.0.0.1 255.255.255.252
ipv6 address 2001:DB8:ABCD::1/64
ip flow monitor RR_FLOW_MONITOR_V4 input sampler RR_FLOW_SAMPLER
ip flow monitor RR_FLOW_MONITOR_V4 output sampler RR_FLOW_SAMPLER
ipv6 flow monitor RR_FLOW_MONITOR_V6 input sampler RR_FLOW_SAMPLER
ipv6 flow monitor RR_FLOW_MONITOR_V6 output sampler RR_FLOW_SAMPLER
!
Example 2
!
flow record RR_FLOW_RECORD_V4
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match bgp source-as
match bgp destination-as
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
flow record RR_FLOW_RECORD_V6
match ipv6 source address
match ipv6 destination address
match transport source-port
match transport destination-port
match bgp source-as
match bgp destination-as
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
!
flow exporter RR_FLOW_EXPORTER
destination IP_DO_RR_FLOW_API
source IP_ORIGEM
transport udp 3055
template data timeout 60
!
!
flow monitor RR_FLOW_MONITOR_V4
exporter RR_FLOW_EXPORTER
cache timeout active 60
cache timeout inactive 15
record RR_FLOW_RECORD_V4
!
flow monitor RR_FLOW_MONITOR_V6
exporter RR_FLOW_EXPORTER
cache timeout active 60
cache timeout inactive 15
record RR_FLOW_RECORD_V6
!
!
! Apply NetFlow to the upstream interfaces, examples:
!
!
interface GigabitEthernet0/0/0
ip address 10.0.0.1 255.255.255.252
ip flow monitor RR_FLOW_MONITOR_V4 input
ip flow monitor RR_FLOW_MONITOR_V4 output
!
interface GigabitEthernet0/0/1
ipv6 address 2001:DB8:ABCD::1/64
ipv6 flow monitor RR_FLOW_MONITOR_V6 input
ipv6 flow monitor RR_FLOW_MONITOR_V6 output
!
interface GigabitEthernet0/0/2
ip address 10.0.0.1 255.255.255.252
ipv6 address 2001:DB8:ABCD::1/64
ip flow monitor RR_FLOW_MONITOR_V4 input
ip flow monitor RR_FLOW_MONITOR_V4 output
ipv6 flow monitor RR_FLOW_MONITOR_V6 input
ipv6 flow monitor RR_FLOW_MONITOR_V6 output
!
Example 3
!
flow record RR_FLOW_RECORD_V4
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 id
collect ipv4 source prefix
collect ipv4 source mask
collect ipv4 destination mask
collect transport tcp flags
collect interface output
collect flow sampler
collect counter bytes
collect counter packets
collect counter bytes long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
flow record RR_FLOW_RECORD_V6
match ipv6 traffic-class
match ipv6 next-header
match ipv6 source address
match ipv6 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect routing source as
collect routing destination as
collect routing next-hop address ipv6
collect transport tcp flags
collect interface output
collect flow sampler
collect counter bytes
collect counter packets
collect counter bytes long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
!
flow exporter RR_FLOW_EXPORTER
destination IP_DO_RR_FLOW_API
source IP_ORIGEM
transport udp 3055
template data timeout 60
!
!
flow monitor RR_FLOW_MONITOR_V4
exporter RR_FLOW_EXPORTER
cache timeout active 60
cache timeout inactive 15
record RR_FLOW_RECORD_V4
!
flow monitor RR_FLOW_MONITOR_V6
exporter RR_FLOW_EXPORTER
cache timeout active 60
cache timeout inactive 15
record RR_FLOW_RECORD_V6
!
!
! Apply NetFlow to the upstream interfaces, examples:
!
!
interface GigabitEthernet0/0/0
ip address 10.0.0.1 255.255.255.252
ip flow monitor RR_FLOW_MONITOR_V4 input
ip flow monitor RR_FLOW_MONITOR_V4 output
!
interface GigabitEthernet0/0/1
ipv6 address 2001:DB8:ABCD::1/64
ipv6 flow monitor RR_FLOW_MONITOR_V6 input
ipv6 flow monitor RR_FLOW_MONITOR_V6 output
!
interface GigabitEthernet0/0/2
ip address 10.0.0.1 255.255.255.252
ipv6 address 2001:DB8:ABCD::1/64
ip flow monitor RR_FLOW_MONITOR_V4 input
ip flow monitor RR_FLOW_MONITOR_V4 output
ipv6 flow monitor RR_FLOW_MONITOR_V6 input
ipv6 flow monitor RR_FLOW_MONITOR_V6 output
!
Nokia
NetFlow configuration
configure system security source-address application cflowd <IP_ORIGEM>
configure cflowd
active-flow-timeout 60
inactive-flow-timeout 15
cache-size 102400
overflow 10
use-vrtr-if-index
template-retransmit 60
sample-profile 1 create
sample-rate 1024
exit
collector <IP_DO_RR_FLOW_API>:<PORTA_DO_RR_FLOW_API> version 9
description "RR_FLOW_API"
router Base
no shutdown
exit
Enable collection on the upstream interfaces.
configure router interface "UPSTREAM_OPERADORA"
cflowd-parameters
sampling unicast type interface direction ingress sample-profile 1
Debugging commands
show cflowd status
show cflowd collector
show cflowd collector detail
show cflowd interface
Suggestion for setting the time (NTP)
configure system time ntp no shutdown
configure system time zone BRT -03
configure system time ntp server 200.160.7.186
configure system time ntp server 201.49.148.135
admin set-time 2025/02/13 12:01:00
Linux
No support for ASN data
The softflowd and fprobe packages do not export ASN data in their flows, which can prevent the dashboards from showing complete information.
To work around this limitation, use the proxyflow feature, which injects the ASN data automatically.
When configuring the source_path that integrates your Linux host in config.json, set sampling to 1:
"sampling": 1
Using softflowd
Installation
Debian and Ubuntu:
apt update
apt install softflowd
Fedora:
dnf install softflowd
CentOS and RHEL:
yum install epel-release
yum install softflowd
Arch Linux:
yay -S softflowd
OpenSUSE:
zypper install softflowd
Configuration and Execution
To start softflowd monitoring the eth0 interface and exporting the data to the RR Flow API, use the following command:
softflowd -i eth0 -v 9 -t general=15s -t maxlife=60s -n <IP_RR_FLOW>:<PORTA_DO_RR_FLOW_API>
Example:
softflowd -i eth0 -v 9 -t general=15s -t maxlife=60s -n 10.20.30.40:3055
Parameters:
- -i eth0: Specifies the network interface to monitor.
- -v 9: Sets the NetFlow version to 9.
- -t general=15s: Sets the idle time after which a flow is considered expired.
- -t maxlife=60s: Sets the maximum lifetime of a flow.
- -n <IP_RR_FLOW>:<PORTA>: Specifies the IP address and port of the RR Flow API that will receive the data.
Continuous Execution
To ensure that softflowd runs continuously and starts automatically after reboots, create a systemd service:
- Create the service file:
nano /etc/systemd/system/softflowd.service
- Add the following content:
[Unit]
Description=Softflowd NetFlow Exporter
After=network.target
[Service]
ExecStart=/usr/sbin/softflowd -i eth0 -v 9 -t general=15s -t maxlife=60s -n <IP_RR_FLOW>:<PORTA_DO_RR_FLOW_API>
Restart=on-failure
[Install]
WantedBy=multi-user.target
- Save and exit the editor.
- Enable and start the service:
systemctl enable softflowd
systemctl start softflowd
Using fprobe
Installation
Debian and Ubuntu:
apt update
apt install fprobe
Fedora:
dnf install fprobe
CentOS and RHEL:
yum install epel-release
yum install fprobe
Arch Linux:
yay -S fprobe
OpenSUSE:
zypper install fprobe
Configuration and Execution
To start fprobe monitoring the eth0 interface and exporting the data to the RR Flow API, use the following command:
fprobe -i eth0 -f ip -d 15 -e 60 <IP_RR_FLOW>:<PORTA_DO_RR_FLOW_API>
Example:
fprobe -i eth0 -f ip -d 15 -e 60 10.20.30.40:3055
Parameters:
- -i eth0: Specifies the network interface to monitor.
- -f ip: Filters IP packets.
- -d 15: Sets the idle interval after which a flow is considered expired.
- -e 60: Sets the maximum lifetime of a flow.
Continuous Execution
To ensure that fprobe runs continuously and starts automatically after reboots, create a systemd service:
- Create the service file:
nano /etc/systemd/system/fprobe.service
- Add the following content:
[Unit]
Description=fprobe NetFlow Exporter
After=network.target
[Service]
ExecStart=/usr/sbin/fprobe -i eth0 -f ip -d 15 -e 60 <IP_RR_FLOW>:<PORTA_DO_RR_FLOW_API>
Restart=on-failure
[Install]
WantedBy=multi-user.target
- Save and exit the editor.
- Enable and start the service:
systemctl enable fprobe
systemctl start fprobe
Verification
To check whether softflowd or fprobe is running correctly, use:
systemctl status softflowd
or
systemctl status fprobe
References
By following these instructions, you ensure that softflowd or fprobe runs continuously and restarts automatically after system reboots, and users get a clear understanding of the parameters used.
RouterOS
Currently, RouterOS does not send ASN data in its flows, which leaves some information missing when the dashboards load. If you want this functionality, be sure to request it from the developers on the forum, in this topic here.
To work around this limitation, I recommend using the proxyflow feature, which injects the ASN data automatically.
Configuration
/ip traffic-flow set \
active-flow-timeout={VALOR_DE_COLLECTION_INTERVAL e.g. 1m} \
inactive-flow-timeout=15 \
cache-entries={128k to 1M is a good value} \
enabled=yes \
interfaces={INTERFACES_UPSTREAM}
/ip traffic-flow target add \
dst-address={IP_RR_NFDUMP_API} \
port={PORTA_RR_NFDUMP_API} \
src-address={IP_SOURCE_DO_SEU_ROUTER} \
version={ipfix/9}
/ip traffic-flow set \
active-flow-timeout=1m \
inactive-flow-timeout=15 \
cache-entries=512k \
enabled=yes \
interfaces=sfp-sfpplus1.406,sfp-sfpplus2.407 \
packet-sampling=yes \
sampling-interval=1023 \
sampling-space=1023
/ip traffic-flow target add \
dst-address=172.16.10.17 \
port=3055 \
src-address=10.50.50.6 \
version={ipfix/9}
[ Screenshot of an example RouterOS configuration here ]
If you only want to collect CGNAT logs, to keep the data volume smaller and preserve disk space, enable only nat-events=yes and disable the rest.
/ip traffic-flow ipfix set \
nat-events=yes \
bytes=no \
dst-address=no \
dst-address-mask=no \
dst-mac-address=no \
dst-port=no \
first-forwarded=no \
gateway=no \
icmp-code=no \
icmp-type=no \
igmp-type=no \
in-interface=no \
ip-header-length=no \
ip-total-length=no \
ipv6-flow-label=no \
is-multicast=no \
last-forwarded=no \
nat-dst-address=no \
nat-dst-port=no \
nat-src-address=no \
nat-src-port=no \
out-interface=no \
packets=no \
protocol=no \
src-address=no \
src-address-mask=no \
src-mac-address=no \
src-port=no \
sys-init-time=no \
tcp-ack-num=no \
tcp-flags=no \
tcp-seq-num=no \
tcp-window-size=no \
tos=no \
ttl=no \
udp-length=no
Adjusting your config.json
sampling must have the same value as collection_interval, and the same value as the RouterOS active-flow-timeout in minutes.
...
"source_path": [
{
"buffer": "67108864",
"compress": "lz4",
"maximum_days": 365,
"name": "Cgnat",
"port": 3056,
"sampling": 1,
"snmp": [
{
"community": "naoemaissegredo",
"ip": "10.0.0.6",
"port": 161,
"version": 2
}
],
"type": "netflow",
"vendor": "routeros"
}
]
...
Hard Offload
If you are using RouterOS v7 with Hard Offload enabled, the Traffic Flow (NetFlow) feature may not work correctly.
With Hard Offload, the router uses the switch chip (or NPU) to forward packets directly in hardware, without involving the CPU. Because Traffic Flow collects its data on the CPU, any traffic routed purely in hardware will not be exported to RR Flow.
RouterOS BGP Peer
Obtaining peer data (v4 only) via SNMP on RouterOS is possible from version 7.10 onward.
Proxy Flow
Starting with version 1.8.0, support was added for using rr-flow-collector together with rr-flow-exporter, which automatically enriches the data with ASN information. However, this feature requires more CPU.
Example source_path configuration
{
"buffer": "67108864",
"compress": "lz4",
"name": "RouterOS",
"port": 4055,
"proxyflow": {
"port": 3055
},
"sampling": 1,
"snmp": [
{
"community": "public",
"ip": "10.0.0.1",
"port": 161,
"version": 2
}
],
"type": "netflow",
"vendor": "routeros"
},
The rr-flow-collector does not support identifying original IP addresses in NAT (Network Address Translation) scenarios.
When a router performs address translation (NAT), for example replacing an internal IP such as 192.168.0.10 with a public IP, the packets exported via NetFlow generally contain only the already translated addresses. This means that RR Flow will receive and record the public IP, not the client's real IP.
CGNAT Logs
A10 Networks
Logging only the allocated port blocks, PBA (Port Block Allocation)
netflow monitor RRFLOW
record port-batch-v2-nat44 both
destination IP_RRFLOW PORTA_RRFLOW
source-address ip IP_ORIGEM_DO_A10
!
- port-batch-v2-nat44
- both Export both creation and deletion events
- creation Export only creation events
- deletion Export only deletion events
Example:
configure terminal
netflow monitor RRFLOW
record port-batch-v2-nat44 both
destination 172.16.10.17 3056
source-address ip 10.10.10.2
end
write memory