Using a Shim Tunnel to send Netflow to a remote Trisul probe

A shim tunnel encapsulates the NetFlow payload inside a new UDP session by inserting a shim header ahead of the NetFlow header. This is an alternative method for when you cannot deploy either of the other two methods, NAT or a GRE tunnel.

The goal is for the routers to send NetFlow to the gateway node, which will then forward it to the remote Trisul probe.

The setup

Substitute the values below with the ones for your environment:

  • Trisul Probe real IP : 192.168.2.99
  • Gateway Node real IP : 192.169.2.81 (both should be able to ping each other)
  • Port used : UDP 5111

Download the Shim software

The custom shim tunnel is provided by the netflow-shim-tunnel software running on the gateway node.

Visit https://github.com/trisulnsm/netflow-shim-tunnel/tree/master/binaries and download the binary for your platform.

Example

wget https://github.com/trisulnsm/netflow-shim-tunnel/raw/master/binaries/nfshim.el7

Run the nfshim server on the gateway node

The goal here is to forward all NetFlow packets received on UDP 5111 to the remote probe 192.168.2.99 on the same port, 5111.

Example

chmod +x nfshim.el7
./nfshim.el7  -D 0.0.0.0:5111  192.168.2.99:5111

Ensure the gateway node accepts UDP 5111, either by disabling the firewall (systemctl stop firewalld) or by allowing the port through it (firewall-cmd --zone=public --add-port=5111/udp).

Start Trisul Probe

Set the EnableShimTunnel option in the netflow config file.

vi /usr/local/etc/trisul-probe/domain0/probe0/config0/PI-7CA*

Set or add the following line in the Policy section:

   <EnableShimTunnel>true</EnableShimTunnel>

Restart Trisul. You should now be able to see the Netflow analysis on the Trisul node with the actual router/switch IP addresses.
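As an added illustration (not part of the original page and not the nfshim project's code), the Python below shows the shape of what the gateway and probe do in the procedure above: each NetFlow datagram from a router is wrapped with a small header carrying the router's real source address before it is forwarded, and the probe strips that header again. The header layout, the SHIM magic and the helper names are assumptions made for this example, not the wire format nfshim actually uses.

```python
import socket
import struct

# Illustrative shim header (an assumption, NOT the real nfshim format):
# 4-byte tag, original source IPv4 address, original source UDP port.
SHIM_MAGIC = b"SHIM"
SHIM_FMT = "!4s4sH"
SHIM_LEN = struct.calcsize(SHIM_FMT)  # 10 bytes


def encapsulate(payload: bytes, src_ip: str, src_port: int) -> bytes:
    """Gateway side: prepend the shim header so the exporter's real
    address survives the extra UDP hop to the probe."""
    header = struct.pack(SHIM_FMT, SHIM_MAGIC, socket.inet_aton(src_ip), src_port)
    return header + payload


def decapsulate(datagram: bytes):
    """Probe side: return (src_ip, src_port, netflow_payload), or None when
    the datagram is too short or not tagged, so junk is dropped, not parsed."""
    if len(datagram) < SHIM_LEN:
        return None
    magic, ip_raw, port = struct.unpack(SHIM_FMT, datagram[:SHIM_LEN])
    if magic != SHIM_MAGIC:
        return None
    return socket.inet_ntoa(ip_raw), port, datagram[SHIM_LEN:]


def forward(listen=("0.0.0.0", 5111), probe=("192.168.2.99", 5111)):
    """Gateway loop: receive plain NetFlow on UDP 5111, send it shimmed to the probe.
    Addresses are the example values from this page; substitute your own."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        data, (src_ip, src_port) = sock.recvfrom(65535)
        sock.sendto(encapsulate(data, src_ip, src_port), probe)


if __name__ == "__main__":
    forward()
```

Because the probe reads the exporter address from the shim header rather than from the outer UDP packet, the analysis shows the router's own IP instead of the gateway's, which is what the EnableShimTunnel option is for.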

hardware/shimtunnel.1547112984.txt.gz · Last modified: 2019/01/10 15:06 by veera