New Member
Posts: 4
Registered: ‎05-06-2013

Simple inline setup for flow monitoring

I was hoping to get some help on what is probably a simple config for a home setup.

My goal is to monitor all my internet traffic in/out of my home network via netflow provided by the ERL.

I'm thinking I should be able to have the physical setup as follows:

comcast modem <=> port 1
port 2 <=> apple airport extreme router

And bridge(?) port 1 and port 2 to act as a simple switch(?) (sorry, not sure if this is the correct terminology), with my current router and setup acting as it always had.

Finally, I would export the flow of all that traffic passing through the ERL to a netflow collector inside my network.

Any recommendations/insights/example config settings would be greatly appreciated.

To keep things simple, I was hoping to just leave the rest of my setup as-is for now and not use the ERL for anything more than monitoring traffic; I just want to drop the ERL in-line at the WAN interface for now and see netflow.

Thanks!

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5474
Solutions: 1656
Contributions: 2

Re: Simple inline setup for flow monitoring

That should work but doing software bridging on the router will have some performance impact. If you have a managed switch, maybe an alternative is to do port mirroring to get all packets to the router?

New Member
Posts: 4
Registered: ‎05-06-2013

Re: Simple inline setup for flow monitoring

My comcast service provides about 25 Mbps down and 5 Mbps up, so presumably the ERL wouldn't need to handle more than that. Would the ERL in software bridge mode be able to handle that?

Also, I did a little Google searching/reading; interesting thought on the port spanning, I hadn't considered that as an option, but should have!

So the idea would be, instead of sending netflow traffic to a collector, I would send a copy of all the traffic to a collection device to collect performance directly?

I also saw that in addition to a managed switch, it looks like there is something (even simpler) which is a 'network tap'?

Presumably port spanning would involve buying more hardware, but may provide a simpler/more performant solution?

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5474
Solutions: 1656
Contributions: 2

Re: Simple inline setup for flow monitoring

Yeah, 25 Mbps should be fine. Also, in the current release there were some performance issues with certain bridged interfaces, and it should be fixed in the current alpha release v1.2.0alpha2. So if you want to use bridging you might want to participate in the beta program and give the latest version a try.

New Member
Posts: 4
Registered: ‎05-06-2013

Re: Simple inline setup for flow monitoring

I think I have the basics of the config.

But for the physical connections I had in mind, I realized that I haven't accounted for a way for the netflow information to get to my collection device sitting inside my home network.

Is this a way I could/should do it?

comcast modem <=> ERL port 1
ERL port 2 <=> apple airport extreme router WAN port
ERL port 0 <=> apple airport extreme router ethernet port

The idea being that the netflow will be exported out from the ERL over port 0 to my collection device (and also allow me to access the ERL ssh/gui from inside my network).

If this is correct, do I need to take any further steps to secure my device? Can someone outside my network get access to the ERL ssh/gui via port 1?

Here is the config I have so far, fwiw. When I ran traffic through port1 and port2, the operational command 'show flow-accounting' showed recorded flow traffic, so it seems like I'm on the right track so far.

set interfaces ethernet eth1 bridge-group bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces bridge br0

set system flow-accounting netflow version 9
set system flow-accounting netflow server 192.168.1.100 port 2055
set system flow-accounting interface br0
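As an added example (not from the thread, and not EdgeOS code), a minimal NetFlow v9 decoder for the collector side, so you can confirm that the export configured above (version 9 to 192.168.1.100:2055) arrives and decodes; the datagram it parses is constructed inline, not a capture from an ERL, and the addresses in it are made up.

```python
import struct
from ipaddress import IPv4Address
FIELD_NAMES = {1: "in_bytes", 4: "protocol", 7: "l4_src_port",  # RFC 3954 field types
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}

def decode_field(ftype, raw):
    """IPv4 address fields become dotted quads; everything else a big-endian int."""
    return str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_v9(packet, templates):
    """Parse one v9 datagram. Reuse `templates` across datagrams from a source:
    data flowsets may arrive long after the template that describes them."""
    if len(packet) < 20 or packet[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 datagram")
    _, _, _, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body, p = packet[off + 4:off + fs_len], 0
        if fs_id == 0:                        # template flowset (may hold several)
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                if n == 0:                    # reached the 4-byte padding
                    break
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i])
                                  for i in range(n)]
                p += 4 + 4 * n
        elif fs_id in templates:              # data flowset described by a known template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            while p + rec_len <= len(body):   # trailing padding is shorter than a record
                rec, q = {}, p
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, "field_%d" % ftype)] = decode_field(ftype, body[q:q + flen])
                    q += flen
                records.append(rec)
                p += rec_len
        off += fs_len
    return {"seq": seq, "source_id": source_id, "unix_secs": secs, "records": records}

def sample_export():
    """Constructed datagram (not a capture): template 256 plus one HTTPS flow record."""
    tmpl = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]
    t = struct.pack("!HH", 256, len(tmpl)) + b"".join(struct.pack("!HH", *f) for f in tmpl)
    rec = (IPv4Address("192.168.1.50").packed + IPv4Address("203.0.113.10").packed
           + struct.pack("!HHBI", 51234, 443, 6, 8400) + b"\x00" * 3)  # 17 bytes + pad
    header = struct.pack("!HHIIII", 9, 2, 123456, 1367884800, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(t)) + t + struct.pack("!HH", 256, 4 + len(rec)) + rec
```

On the collector, feed each datagram read from a UDP socket bound to port 2055 into `parse_v9` with one shared `templates` dict per exporting router.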

 




Veteran Member
Posts: 5,456
Registered: ‎03-12-2011
Kudos: 2746
Solutions: 129

Re: Simple inline setup for flow monitoring


@UBNT-ancheng wrote:

That should work but doing software bridging on the router will have some performance impact. If you have a managed switch, maybe an alternative is to do port mirroring to get all packets to the router?


Out of curiosity what sort of performance hit should we expect from bridging like that? Is this on the 'to be accelerated list' like VLANs? Or is it not possible to accelerate due to it being layer2 and the router is designed for layer3?

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5474
Solutions: 1656
Contributions: 2

Re: Simple inline setup for flow monitoring


@oddtodd wrote:
If this is correct, do I need to take any further steps to secure my device? Can someone outside my network get access to the ERL ssh/gui via port 1?

If I understand correctly, the router is talking to the netflow collector using eth0, and the bridge interface (br0) and the bridged interfaces (eth1 and eth2) do not have IP addresses assigned, right? If so, accessing the router from port 1 should be quite difficult.
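As an added check (not from the thread and not an EdgeOS feature), a small script that reads the set-statements posted in this thread and flags any address configured on the bridge or on one of its member ports, which is the condition the reply above relies on; the eth0 management address in the sample config is an assumption, taken from the addressing used later in the thread.

```python
def bridge_exposure(config_lines):
    """Scan EdgeOS 'set interfaces ...' statements and flag any IP address on a
    bridge or on one of its member ports. An unaddressed br0/eth1/eth2 is what keeps
    the router's ssh/gui unreachable from the modem side of the inline bridge."""
    bridges, members, addresses = set(), {}, {}
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[:2] != ["set", "interfaces"]:
            continue
        kind, name, rest = parts[2], parts[3], parts[4:]
        if kind == "bridge":
            bridges.add(name)
        if rest[:2] == ["bridge-group", "bridge"] and len(rest) > 2:
            members[name] = rest[2]                       # e.g. eth1 -> br0
        if rest[:1] == ["address"] and len(rest) > 1:
            addresses.setdefault(name, []).append(rest[1])
    findings = []
    for name, addrs in sorted(addresses.items()):
        if name in bridges:
            findings.append(f"{name}: the bridge itself is addressed ({', '.join(addrs)}); "
                            "the router then answers on the bridged segment, modem side included")
        elif name in members:
            findings.append(f"{name}: member of {members[name]} but addressed ({', '.join(addrs)}); "
                            "bridged ports should carry no IP, only the management port (eth0) should")
    return findings

# Constructed: the config from this thread plus an assumed management address on eth0
PAGE_CONFIG = [
    "set interfaces ethernet eth0 address 192.168.1.1/24",
    "set interfaces ethernet eth1 bridge-group bridge br0",
    "set interfaces ethernet eth2 bridge-group bridge br0",
    "set interfaces bridge br0",
    "set system flow-accounting netflow version 9",
    "set system flow-accounting netflow server 192.168.1.100 port 2055",
    "set system flow-accounting interface br0",
]
```

Run it over `show configuration commands` output after each change; an empty result means the bridge and its ports remain unaddressed.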

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5474
Solutions: 1656
Contributions: 2

Re: Simple inline setup for flow monitoring


NVX wrote:

Out of curiosity what sort of performance hit should we expect from bridging like that? Is this on the 'to be accelerated list' like VLANs? Or is it not possible to accelerate due to it being layer2 and the router is designed for layer3?


Actually as mentioned before we have a basic proof-of-concept implementation of bridging acceleration. Of course it still needs work and then it will need to be tested thoroughly for production use.

Veteran Member
Posts: 5,456
Registered: ‎03-12-2011
Kudos: 2746
Solutions: 129

Re: Simple inline setup for flow monitoring


@UBNT-ancheng wrote:

@NVX wrote:

Out of curiosity what sort of performance hit should we expect from bridging like that? Is this on the 'to be accelerated list' like VLANs? Or is it not possible to accelerate due to it being layer2 and the router is designed for layer3?


Actually as mentioned before we have a basic proof-of-concept implementation of bridging acceleration. Of course it still needs work and then it will need to be tested thoroughly for production use.


Oh very nice! Would have thought VLAN acceleration would have been easier to do/come first, but not complaining!

New Member
Posts: 4
Registered: ‎05-06-2013

Re: Simple inline setup for flow monitoring


@UBNT-ancheng wrote:

@oddtodd wrote:
If this is correct, do I need to take any further steps to secure my device? Can someone outside my network get access to the ERL ssh/gui via port 1?

If I understand correctly, the router is talking to the netflow collector using eth0, and the bridge interface (br0) and the bridged interfaces (eth1 and eth2) do not have IP addresses assigned, right? If so, accessing the router from port 1 should be quite difficult.

Ok, that was my thinking, that port1 should be secure, but nice to hear a confirmation. Thanks!

Actually, that was a question I had: I didn't see anything in the ERL commands for specifying over which interface the router will send the netflow, so I wasn't sure that it would go out over port 0.

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5474
Solutions: 1656
Contributions: 2

Re: Simple inline setup for flow monitoring


oddtodd wrote:

Actually, that was a question I had, I didn't see anything in the ERL commands for specifying over which interface the router will send the netflow, so I wasn't sure that it would go out over port 0.


In this case that should be a regular "routing" decision and not specific to netflow. For example if eth0 is 192.168.1.1/24 and the router is trying to send a packet to 192.168.1.100, it knows it has a connected route to reach the host through interface eth0.