hardware:shimtunnel

Differences

hardware:shimtunnel [2019/01/10 15:05] – [Run the nfshim server on the gateway node] veera
hardware:shimtunnel [2019/01/11 18:16] (current) veera
Line 2: Line 2:
  
  
-A Shim tunnel encapsulates netflow payload inside a new UDP session by inserting a shim header ahead of the netflow header. This is an alternative method when you cannot deploy  the other two methods  NAT or GRE Tunnel.+A Shim tunnel encapsulates netflow payload inside a new UDP session by inserting a shim header ahead of the netflow header which will preserve the router/switch IP address. This is an alternative method when you cannot deploy  the other two methods  [[hardware:gatewaynetflow|NAT]] or [[hardware:gretunnel|GRE Tunnel]].
  
- 
-The goal is for the Routers to send Netflow to the Gateway node, when will then forward it to the remote Trisul probe. 
  
  
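Review bot: removing the sentence "The goal is for the Routers to send Netflow to the Gateway node, when will then forward it to the remote Trisul probe" drops the only description of the data path (router to gateway node to remote Trisul probe); the added clause "which will preserve the router/switch IP address" explains why the shim is used, not what flows where. Suggest keeping a one-line overview of the path (with "when" corrected to "which") ahead of the sentence about the NAT and GRE alternatives.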
Line 15: Line 13:
   * Gateway Node real IP : 192.169.2.81 (both should be able to ping each other)   * Gateway Node real IP : 192.169.2.81 (both should be able to ping each other)
   * Port used : UDP 5111   * Port used : UDP 5111
 +  * Source IP to use on the gateway end of shim tunnel : 10.251.52.4
  
  
 +
 +<note warning>
 +**Pre-check**
 +  * ensure IP Forwarding is disabled ''echo 0 > /proc/sys/net/ipv4/ip_forward''  
 +  * local iptables firewall rules allow the UDP port ''iptables -A INPUT -p udp -m udp --dport 5111 -j ACCEPT''
 +</note> 
 ===== Download the Shim software ===== ===== Download the Shim software =====
  
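Review bot: the two pre-check commands in the new note are not persistent and the second may never match. `echo 0 > /proc/sys/net/ipv4/ip_forward` is lost on reboot, so the note should also mention setting it in sysctl configuration; `iptables -A INPUT -p udp -m udp --dport 5111 -j ACCEPT` appends after any existing DROP or REJECT rule in INPUT, so suggest `-I INPUT` (or stating that the rule must precede the drop) and narrowing the accept to the router addresses with `-s`. Also worth confirming: the gateway node real IP is given as 192.169.2.81, while the probe address used in the examples is 192.168.2.99; if 192.169 is a typo for 192.168 it should be fixed here.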
Line 22: Line 27:
  
 Visit https://github.com/trisulnsm/netflow-shim-tunnel/tree/master/binaries and download the binary for your platform. Visit https://github.com/trisulnsm/netflow-shim-tunnel/tree/master/binaries and download the binary for your platform.
- 
-Example 
  
 <code> <code>
Line 34: Line 37:
  
  
-Example+==== Example 1 : simple ==== 
  
 <code> <code>
 chmod +x nfshim.el7 chmod +x nfshim.el7
 ./nfshim.el7  -D 0.0.0.0:5111  192.168.2.99:5111 ./nfshim.el7  -D 0.0.0.0:5111  192.168.2.99:5111
 +</code>
 +
 +
 +==== Example 2 : bind to a specific local address for tunnel endpoint ====
 +
 +<code>
 +chmod +x nfshim.el7
 +./nfshim.el7  -D 0.0.0.0:5111  192.168.2.99:5111 10.251.52.4
 </code> </code>
  
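Review bot: Example 2 introduces a third positional argument (10.251.52.4) without saying what it is or what it requires. Since the heading describes it as binding the tunnel endpoint to a local address, the text should state that this address must already be configured on an interface of the gateway node (it is listed above as "Source IP to use on the gateway end of shim tunnel") and what nfshim does if it is not. A short usage line above the examples showing the argument order (listen address:port, probe address:port, optional local source address, as inferred from the two examples) would make the difference between Example 1 and Example 2 clear.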
Line 58: Line 70:
 </code> </code>
  
-Restart  Trisul+Restart  Trisul. You should now be able to see the Netflow analysis on the Trisul node with the actual router/switch IP addresses. 
  
-Now you should be able to see the traffic.+ 
 +===== Extra reference : Use Source NAT ===== 
 + 
 +In the very unlikely scenario the above steps dont work and the desired source IP is not seen on the outgoing packets, use SNAT (Source NAT).This example NATs the source IP for udp packets to 5111 (custom netflow)  to be the Shim end point. 
 + 
 +<code> 
 +iptables -t nat -A   POSTROUTING -p udp --dport 5111 \ 
 +    -o enp7s0  -j SNAT --to 10.251.52.4:5111 
 +</code> 
 + 
 +==== To view rules ==== 
 +  
 +<code> 
 +iptables -t nat -L -v --line-numbers 
 +</code> 
 + 
 +==== To delete a rule with id 3 ==== 
 + 
 +<code> 
 +iptables -t nat -D POSTROUTING 
 +</code>
  
  
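Review bot: the command under "To delete a rule with id 3" is missing the rule number. `iptables -t nat -D POSTROUTING` with neither a line number nor a full rule specification is rejected by iptables, and the heading promises deletion by the index shown by `--line-numbers`; it should read `iptables -t nat -D POSTROUTING 3`. Two smaller points: `-o enp7s0` is a host-specific interface name and should be called out as a value the reader replaces, and `--to 10.251.52.4:5111` also rewrites the source port to 5111, which is fine if intended but should be stated. In the prose, "dont" should be "don't" and a space is missing after "NAT)."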
hardware/shimtunnel.1547112912.txt.gz · Last modified: 2019/01/10 15:05 by veera