Sunday, May 30, 2010

Enabling NetFlow on a Cisco Catalyst 6500 Switch


NetFlow can be enabled on Catalyst 6500 Switches with a Supervisor Engine 32, RSP 720 or a Supervisor Engine 720. The NetFlow cache on the Multilayer Switch Feature Card (MSFC) captures statistics for flows routed in software, and the NetFlow cache on the Policy Feature Card (PFC) captures statistics for flows routed in hardware. Configuring NetFlow neither disrupts traffic nor disables the configured interface.


To start, first install NetFlow Analyzer (or a similar tool) on your PC so that your PC becomes a NetFlow Collector. Note the UDP port number (e.g. 9996) used by your NetFlow Analyzer application. From the data it receives, a NetFlow Collector can generate reports and statistics on the traffic flowing through the switch or router.


Next, on the Catalyst 6500, enable NetFlow on both the MSFC and the PFC so that it can send NetFlow information to the NetFlow Collector. You also need to configure NetFlow Data Export (NDE) on the switch in order to export the NetFlow statistics to the NetFlow Collector. Assuming the NetFlow Collector IP address is 172.16.16.1, the following configuration has to be made:


ip flow-export destination 172.16.16.1 9996

ip flow-export source Loopback 0

ip flow-export version 5
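What the switch actually sends after the three commands above is a stream of NetFlow version 5 datagrams to UDP port 9996 on 172.16.16.1. The following collector-side parser is an added example written for this post, not code from the post or from NetFlow Analyzer; it decodes the v5 header and records, detects lost exports from gaps in the flow_sequence counter, and shows that each record carries only the SNMP ifIndex of the ingress and egress interfaces (which is why the collector later needs SNMP to resolve interface names). The sample datagram is constructed in the code, not captured from a device.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List

# NetFlow v5 wire layout, network byte order.
# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48 bytes
MAX_RECORDS = 30  # a v5 datagram carries at most 30 flow records


@dataclass
class FlowRecord:
    src: str
    dst: str
    nexthop: str
    input_if: int   # SNMP ifIndex of the ingress interface, not a name
    output_if: int  # SNMP ifIndex of the egress interface
    packets: int
    octets: int
    first_ms: int   # sysUptime (ms) when the flow started
    last_ms: int    # sysUptime (ms) when the last packet was seen
    src_port: int
    dst_port: int
    tcp_flags: int
    proto: int
    tos: int


@dataclass
class NetFlowV5Packet:
    sys_uptime: int
    unix_secs: int
    flow_sequence: int
    engine_type: int
    engine_id: int
    sampling_interval: int
    records: List[FlowRecord]


def parse_netflow_v5(datagram: bytes) -> NetFlowV5Packet:
    """Parse one UDP payload as received on the collector port (e.g. 9996)."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, _unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds the v5 maximum")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("datagram truncated: fewer records than the header claims")
    records = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, tos,
         _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = struct.unpack_from(
            RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                  socket.inet_ntoa(nexthop), in_if, out_if, pkts, octets,
                                  first, last, sport, dport, flags, proto, tos))
    return NetFlowV5Packet(sys_uptime, unix_secs, flow_seq, engine_type, engine_id,
                           sampling, records)


def missed_flows(prev: NetFlowV5Packet, cur: NetFlowV5Packet) -> int:
    """flow_sequence counts flows exported so far; a gap between consecutive
    datagrams from the same engine means export datagrams were lost."""
    return cur.flow_sequence - (prev.flow_sequence + len(prev.records))


def octets_by_source(pkt: NetFlowV5Packet) -> Dict[str, int]:
    """Simplest 'top talkers' view a collector builds from the records."""
    totals: Dict[str, int] = {}
    for r in pkt.records:
        totals[r.src] = totals.get(r.src, 0) + r.octets
    return totals


def _record(src, dst, in_if, out_if, pkts, octets, sport, dport, flags, proto) -> bytes:
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("0.0.0.0"), in_if, out_if, pkts, octets,
                       3_590_000, 3_599_000, sport, dport, 0, flags, proto, 0,
                       0, 0, 24, 24, 0)


def build_sample_datagram(flow_sequence: int = 1000) -> bytes:
    """Constructed datagram (not a capture): two flows, TCP/443 and DNS/UDP."""
    header = struct.pack(HEADER_FMT, 5, 2, 3_600_000, 1_275_177_600, 0,
                         flow_sequence, 0, 0, 0)
    return (header
            + _record("10.1.10.25", "172.16.16.1", 5, 7, 120, 96_000, 51234, 443, 0x18, 6)
            + _record("10.1.20.8", "10.1.10.25", 9, 5, 3, 210, 53, 50201, 0, 17))


if __name__ == "__main__":
    pkt = parse_netflow_v5(build_sample_datagram())
    for r in pkt.records:
        print(f"{r.src}:{r.src_port} -> {r.dst}:{r.dst_port} proto={r.proto} "
              f"ifIndex {r.input_if}->{r.output_if} {r.packets} pkts {r.octets} bytes")
    print("octets by source:", octets_by_source(pkt))
```

Binding this parser to UDP/9996 and feeding each received payload to parse_netflow_v5 gives a minimal collector; in practice a collector also keys missed_flows by exporter address and engine_id, because each exporter keeps its own sequence counter.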


To avoid spikes in the traffic report, use the ip flow-cache timeout active N command (where N can be from 1 to 60 minutes). The default is 30 minutes, which can lead to spikes in your traffic report. It is important to set this value to 1 minute to generate alerts and view troubleshooting data.


ip flow-cache timeout active 1


On interfaces that need to be monitored, enter the ip route-cache command. Enabling ip route-cache on the interface enables NetFlow on the MSFC. On the 6500 12.2SXH release, NetFlow is enabled on the Layer 3 interface using the ip flow ingress command on the interface.


To enable NetFlow & NDE for Layer 2:


interface vlan 10

ip route-cache

!

interface GigabitEthernet 1/1

ip route-cache


To enable NetFlow on the PFC, enter the mls netflow command, and to configure the flow mask on the PFC, configure mls flow ip interface-full. Apply the ip flow ingress layer2-switched vlan 10,20 command to enable NetFlow and NDE for Layer 2-switched traffic (ingress-bridged traffic) on the PFC. Note that NetFlow does not show statistics for traffic that stays within the same VLAN and hence cannot be configured on a Layer 2 interface.


Once configured, the interfaces in the NetFlow tool will be shown by ifIndex instead of by the actual interface name. To obtain the actual interface names, the NetFlow tool has to pull them from the switch's SNMP MIB values, so you will have to configure SNMP on the NetFlow Collector as well as on the Catalyst 6500 Switch.


access-list 99 permit 172.16.16.1

!

snmp-server group GRPName v3 auth

snmp-server user snmp_username GRPName v3 auth md5 user_authpwd

snmp-server user snmp_username GRPName remote 172.16.16.1 v3 auth md5 user_authpwd access 99

snmp-server host 172.16.16.1 traps version 3 auth snmp_username

Monday, May 24, 2010

Decrypting Cisco Device Login Passwords

If your router or switch has been globally configured with the service password-encryption command, the passwords in the configuration will be encrypted for secrecy. In dire cases we would like to retrieve such a password, and that is when this procedure using the key chain command can be of great help. For this to work you must already be logged into the device whose password you are decrypting, and you should have the authorization to execute these commands.

Key chains are typically used in the EIGRP and RIPv2 routing protocols for authentication. A key chain can have a number of keys, and each key has a key string associated with it.

Switch(config)#key chain CRACK
Switch(config-keychain)#do sh run | inc Admin
username Admin privilege 15 password 7 107E290A1600421908
Switch(config-keychain)#key 1
Switch(config-keychain-key)#key-string 7 107E290A1600421908
Switch(config-keychain-key)#exit
Switch#sh key chain CRACK
Key-chain CRACK:
key 1 -- text "P@ssw0rd"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]

You can also decrypt the enable, line vty and console passwords using this method. However, this method cannot be used to decrypt passwords which have been configured using the secret command (e.g. enable secret password or username username secret password), as those are stored as the more secure MD5 hash. Considering the security implications, it is advised to apply the enable secret password command and to use TACACS+ or RADIUS for authentication. Using Cisco ACS you can block non-privileged administrators from using the key chain command.
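The practical follow-up to this post is to find every reversible type 7 string in a configuration before someone else does, and to check that enable secret is in place. The audit below is an added example written for this post, not code from the post or from Cisco; it scans a running-config for password 7 / key-string 7 entries, cleartext passwords, and an enable password that is not backed by an enable secret, and reports each with its line number. The sample configuration is constructed: the type 7 string is the one shown in the session above, and the type 5 hash is an obvious placeholder.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed running-config for the audit (not from a real device).
SAMPLE_CONFIG = """\
service password-encryption
hostname Switch
enable password 7 107E290A1600421908
username Admin privilege 15 password 7 107E290A1600421908
username Ops privilege 15 secret 5 $1$PLCH$PLACEHOLDERnotARealHash
key chain CRACK
 key 1
  key-string 7 107E290A1600421908
line con 0
 password 7 107E290A1600421908
line vty 0 4
 password cisco123
 login
"""

# 'password 7 <hex>' or 'key-string 7 <hex>': reversible type 7 encoding
TYPE7_RE = re.compile(r"\b(password|key-string)\s+7\s+[0-9A-Fa-f]+\b")
# 'password <text>' or 'password 0 <text>' with no type 5 or 7 marker: cleartext
PLAINTEXT_RE = re.compile(r"\b(password|key-string)\s+(?:0\s+)?(?![57]\s)\S+")


@dataclass
class Finding:
    line_no: int   # 0 means the finding applies to the whole config
    severity: str
    message: str


def audit_config(config: str) -> List[Finding]:
    """Return weak-credential findings for a Cisco IOS running-config."""
    lines = config.splitlines()
    stripped = [l.strip() for l in lines]
    has_enable_secret = any(s.startswith("enable secret") for s in stripped)
    has_svc_pwd_enc = "service password-encryption" in stripped
    findings: List[Finding] = []

    for n, s in enumerate(stripped, 1):
        if TYPE7_RE.search(s):
            findings.append(Finding(n, "medium",
                "type 7 string is reversible (as the key chain trick shows); "
                "treat it as cleartext and rotate it"))
            if s.startswith("username "):
                findings.append(Finding(n, "medium",
                    "use 'username <name> secret <pwd>' instead of 'password'"))
        elif PLAINTEXT_RE.search(s):
            findings.append(Finding(n, "high",
                "cleartext credential in config; at minimum enable "
                "service password-encryption, preferably use secret/AAA"))
        if s.startswith("enable password") and not has_enable_secret:
            findings.append(Finding(n, "high",
                "'enable password' without 'enable secret': configure "
                "enable secret so the privileged password is an MD5 hash"))

    if not has_svc_pwd_enc:
        findings.append(Finding(0, "low",
            "service password-encryption is not set; line/username passwords "
            "would be stored in cleartext"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        where = f"line {f.line_no}" if f.line_no else "global"
        print(f"[{f.severity.upper():6}] {where}: {f.message}")
```

Run it against a saved show running-config; every type 7 hit should be rotated and re-entered with secret (or moved to TACACS+/RADIUS as the post suggests), since anyone with read access to the configuration or backups can reverse it.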