mavin
just joined
Topic Author
Posts: 11
Joined: Tue Dec 16, 2014 1:24 pm

CCR as NetFlow Generator

Thu Nov 19, 2015 11:56 am

Hi,
I've been searching for this for a while now.

What I'd like to do is use a CCR to receive traffic from a port mirror (on a different switch) to generate NetFlows and send them to a server to analyze them.

I can see the CCR receiving traffic (on the interfaces menu) but no flows are being created. My guess is that packets with different dst-mac are dropped.

Is there a way to run a port in promiscuous mode to accept all packets?

On the RB740GL there is a "switch" menu where I can mirror a port to cpu. But on the CCR there is no such menu. (Probably because there is no / a different switch-chip).

Could anyone please point me in the direction of how to generate flows on the CCR?

(I'm using a CCR1036 with v6.33)
 
doneware
Trainer
Posts: 539
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: CCR as NetFlow Generator

Thu Nov 19, 2015 3:45 pm

depending on the type of your CCR, it may not have any switch inside. the ccr1009 has one, the others do not have any.

the biggest issue is basically how you get the frames processed. if you mirror traffic, the DST MAC address stays the same. e.g. the router will not "receive" the frames (and so the packets), cause they are meant for a different device.

you can bridge traffic on the CCR transparently, but it will not be IP and traffic-flow will not recognise them. you can do "tool sniffer" with them, even dump the cache, but that's still not netflow :-)

netflow will only process forwarded IP traffic. and to get traffic forwarded by a router means the dst-mac of the incoming frame must be equal to the router's ip interface's mac-address.

but i will give it a try to see how it can work out.
#TR0359
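
A simplified model of the behaviour described in the reply above, as an added example that is not from the thread or from MikroTik: it classifies Ethernet frames the way a routed, non-promiscuous interface would, which shows why a mirror feed raises the Rx counters yet yields no flows. All MAC addresses and frames are constructed, and untagged Ethernet II framing is assumed.

```python
import struct
from collections import Counter

# Constructed values for illustration; none come from the thread.
ROUTER_MAC = bytes.fromhex("02aabbccdd01")   # MAC of the router's IP interface
HOST_A = bytes.fromhex("02aabbccdd10")       # monitored host
GATEWAY = bytes.fromhex("02aabbccdd20")      # the host's real gateway
BROADCAST = b"\xff" * 6
IP_ETHERTYPES = {0x0800, 0x86DD}             # IPv4, IPv6

def build_frame(dst, src, ethertype, payload=b"\x00" * 46):
    """Build a minimal untagged Ethernet II frame (constructed sample input)."""
    return dst + src + struct.pack("!H", ethertype) + payload

def classify(raw, own_mac=ROUTER_MAC):
    """Model what a routed, non-promiscuous interface does with one frame."""
    if len(raw) < 14:
        return "malformed"
    dst = raw[0:6]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if dst == own_mac:
        # Only these frames reach IP forwarding, where flows are accounted.
        return "forward-candidate" if ethertype in IP_ETHERTYPES else "local-non-ip"
    if dst == BROADCAST:
        return "broadcast"            # received, but never forwarded
    if dst[0] & 0x01:
        return "multicast"            # group bit set in the first octet
    return "foreign-unicast"          # counted in Rx, then discarded

def summarize(frames):
    """Count frames per class, as a sanity check on a mirror feed."""
    return Counter(classify(f) for f in frames)

# Constructed mirror feed: host <-> gateway traffic copied to the router port.
MIRRORED = [
    build_frame(GATEWAY, HOST_A, 0x0800),
    build_frame(HOST_A, GATEWAY, 0x0800),
    build_frame(GATEWAY, HOST_A, 0x86DD),
    build_frame(BROADCAST, HOST_A, 0x0806),   # ARP request
]

if __name__ == "__main__":
    print(dict(summarize(MIRRORED)))
```
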
 
mavin
just joined
Topic Author
Posts: 11
Joined: Tue Dec 16, 2014 1:24 pm

Re: CCR as NetFlow Generator

Thu Nov 19, 2015 4:29 pm

Thanks for your answer.
You verify what I suspected.

A colleague had a temp fix with forwarding the traffic out to another physical port. That seems to work somehow. But that also limits the bandwidth since I only have 2 10GbE ports and would need 3 for that (1-input from port mirror, 2-forward out, 3 forward in).

From the server-world I know the promiscuous mode where the NIC accepts all packets regardless of their dst mac. To enable this would be the finest solution. But I don't think there is a switch in the RouterOS for that.

Is there any other way to tell the CCR to process all the packets?
 
chechito
Forum Guru
Posts: 1743
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: CCR as NetFlow Generator

Thu Nov 19, 2015 5:21 pm

even using promiscuous mode in a LAN using a switch, you never receive all the frames on that VLAN, because that's the purpose of a switch; a switch forwards frames only to the interface where the destination MAC is a broadcast or multicast etc.

because of that, the most common networking device used to mirror traffic is the switch with the proper mirroring functionality, and even with the switch you need to be sure the traffic you want to capture is passing through the switch.
 
mavin
just joined
Topic Author
Posts: 11
Joined: Tue Dec 16, 2014 1:24 pm

Re: CCR as NetFlow Generator

Thu Nov 19, 2015 5:26 pm

The switch where the port mirror is configured is not the problem. This switch forwards all traffic (that I need) to the CCR.
The CCR also receives the traffic (which one can see on the Rx counters). But because the packets have a different dest-mac the interface on the CCR drops them.
Of course this is expected behaviour for a switch, but in my case I do need all packets being processed by the CPU.
 
Stril
Member Candidate
Posts: 116
Joined: Fri Nov 12, 2010 7:18 pm

Re: CCR as NetFlow Generator

Tue Jan 24, 2017 11:02 am

Hi!

Did you find any solution on how to see the whole traffic with netflow in your setup?

Regards,
