Cisco ASR1001 Netflow: difference between revisions

From noname.com.ua
 
(7 intermediate revisions by the same user not shown)
=NetFlow on ASR1001x=
==Summary==
[[File:Cisco NetFlow Configuration.pdf]]

[[Media:Cisco NetFlow Configuration.pdf|Cisco NetFlow Configuration.pdf]]

==Cisco ASR 1000 NetFlow Configuration==

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see the Cisco Bug Search Tool and the release notes for your platform and software release.

Flexible NetFlow is also supported on Catalyst 3560-X and 3750-X (Cat3k-X) Series Switches through the 10GE Service Module. Previously unsupported on that platform, the service module enables hardware-supported, line-rate NetFlow on all traffic that traverses the module.

===1. Create a Flow Record (specify the fields to export)===

A flow record defines the information that NetFlow gathers, such as the packets in the flow and the types of counters gathered per flow. You specify a series of “match” and “collect” commands that tell the router which fields to include in the outgoing NetFlow PDU.

The “match” fields are the “key” fields: they determine the uniqueness of a flow, so a packet that differs in any of them belongs to a different flow. The “collect” fields are non-key fields that add detail for the collector's reporting and analysis without affecting flow identity.

Fields marked required below are needed for StealthWatch to accept and build a flow record.

<pre>
asr1k(config)# flow record LANCOPE1
asr1k(config-flow-record)# match ipv4 protocol
asr1k(config-flow-record)# match ipv4 source address
asr1k(config-flow-record)# match ipv4 destination address
asr1k(config-flow-record)# match transport source-port
asr1k(config-flow-record)# match transport destination-port
asr1k(config-flow-record)# match interface input
asr1k(config-flow-record)# match ipv4 tos
asr1k(config-flow-record)# collect interface output
asr1k(config-flow-record)# collect counter bytes
asr1k(config-flow-record)# collect counter packets
asr1k(config-flow-record)# collect timestamp sys-uptime first     ! required; for calculating duration
asr1k(config-flow-record)# collect timestamp sys-uptime last      ! required; for calculating duration
asr1k(config-flow-record)# collect flow sampler                   ! optional; used to obtain sampling rate
asr1k(config-flow-record)# collect routing next-hop address ipv4  ! optional; used for closest interface determination
asr1k(config-flow-record)# collect ipv4 dscp                      ! optional; used to generate QoS reports
asr1k(config-flow-record)# collect ipv4 ttl minimum               ! optional; provides pathing info
asr1k(config-flow-record)# collect ipv4 ttl maximum               ! optional; provides pathing info
asr1k(config-flow-record)# collect transport tcp flags            ! optional; security analysis
asr1k(config-flow-record)# collect routing destination as         ! optional; enable if you use BGP
</pre>

===2. Create a Flow Exporter (specify where/how NetFlow is to be sent)===

The source interface determines the exporter address the collector sees, so use a stable one such as a Loopback. NetFlow v9 is carried over plain UDP with no authentication or encryption, so the path to the collector should be a trusted management path.

<pre>
asr1k(config)# flow exporter NETFLOW_TO_STEALTHWATCH
asr1k(config-flow-exporter)# description Export NetFlow to StealthWatch
asr1k(config-flow-exporter)# destination <fc_collector_IP_address>
asr1k(config-flow-exporter)# source <interface>          ! e.g. use a Loopback
asr1k(config-flow-exporter)# transport udp 2055
asr1k(config-flow-exporter)# version 9
</pre>

===3. Create a Flow Monitor (tie the Flow Record to the Flow Exporter)===

The active timeout exports long-lived flows every 60 seconds; the inactive timeout flushes a flow 15 seconds after its last packet.

<pre>
asr1k(config)# flow monitor IPv4_NETFLOW
asr1k(config-flow-monitor)# record LANCOPE1
asr1k(config-flow-monitor)# exporter NETFLOW_TO_STEALTHWATCH
asr1k(config-flow-monitor)# cache timeout active 60
asr1k(config-flow-monitor)# cache timeout inactive 15
</pre>

===4. Assign the Flow Monitor to selected interfaces===

Repeat this step on every interface whose traffic you want to monitor.

<pre>
asr1k(config)# interface <interface>                     ! e.g. VLAN1 or g2/1
asr1k(config-if)# ip flow monitor IPv4_NETFLOW input
</pre>

If the ASR is being used for NAT and you would like to log the NAT translations within StealthWatch, run the following command:

<pre>
ip nat log translations flow-export v9 udp destination X.X.X.X YYYY
</pre>

Where X.X.X.X is the FlowCollector IP and YYYY is the configured NetFlow export port.
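The exporter configured above emits NetFlow v9 PDUs: a template flowset describing the LANCOPE1 fields, followed by data flowsets that the collector can only decode against that template. The decoder below is an added example, not Cisco, Lancope or StealthWatch code. It uses the standard v9 field type IDs for every field of the record except `collect ipv4 dscp`, which is omitted because its v9 type ID is not given on this page, and the PDU it decodes is constructed inline rather than captured (the template ID 256, source ID 0, interface indexes and addresses are all made-up sample values). It shows that match and collect fields are indistinguishable on the wire, how flow duration is derived from the two sys-uptime timestamps, and why a collector that has not yet received a template (for example one restarted mid-stream) decodes nothing until the next template refresh.

```python
"""NetFlow v9 (RFC 3954) template and data decoding for the LANCOPE1 field set.
Added example, not Cisco/Lancope code; the PDU it decodes is constructed below."""
import socket
import struct

# v9 field type -> (name, export length), in the order of the flow record above.
FIELDS = {
    4: ("protocol", 1), 8: ("ipv4_src_addr", 4), 12: ("ipv4_dst_addr", 4),
    7: ("l4_src_port", 2), 11: ("l4_dst_port", 2), 10: ("input_snmp", 4),
    5: ("src_tos", 1), 14: ("output_snmp", 4), 1: ("in_bytes", 4),
    2: ("in_pkts", 4), 22: ("first_switched", 4), 21: ("last_switched", 4),
    48: ("flow_sampler_id", 1), 15: ("ipv4_next_hop", 4), 52: ("min_ttl", 1),
    53: ("max_ttl", 1), 6: ("tcp_flags", 1), 17: ("dst_as", 4),
}
LANCOPE1_TEMPLATE = list(FIELDS)  # insertion order == record order
IPV4_FIELDS = {8, 12, 15}

class V9Decoder:
    """Caches templates per (source_id, template_id) and decodes data flowsets."""
    def __init__(self):
        self.templates = {}

    def decode(self, pkt):
        version, _cnt, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError(f"expected NetFlow v9, got version {version}")
        flows, off = [], 20
        while off + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
            if fs_len < 4:
                raise ValueError("malformed flowset length")
            body = pkt[off + 4:off + fs_len]
            if fs_id == 0:                    # template flowset
                self._learn_templates(source_id, body)
            elif fs_id >= 256:                # data flowset, id == template id
                flows.extend(self._decode_records(source_id, fs_id, body))
            off += fs_len                     # ids 1..255 (options etc.) are skipped
        return flows

    def _learn_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, n = struct.unpack("!HH", body[off:off + 4])
            spec = [struct.unpack("!HH", body[off + 4 + 4 * i:off + 8 + 4 * i]) for i in range(n)]
            self.templates[(source_id, tid)] = spec
            off += 4 + 4 * n

    def _decode_records(self, source_id, tid, body):
        spec = self.templates.get((source_id, tid))
        if spec is None:
            return []  # data before its template: nothing can be decoded yet
        rec_len = sum(flen for _, flen in spec)
        out, off = [], 0
        while off + rec_len <= len(body):    # trailing padding is shorter than a record
            rec, p = {}, off
            for ftype, flen in spec:
                raw, p = body[p:p + flen], p + flen
                name = FIELDS.get(ftype, (f"field_{ftype}", flen))[0]
                rec[name] = socket.inet_ntoa(raw) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big")
            if "first_switched" in rec and "last_switched" in rec:
                # sys-uptime first/last are milliseconds; the mask handles uptime wrap
                rec["duration_ms"] = (rec["last_switched"] - rec["first_switched"]) & 0xFFFFFFFF
            out.append(rec)
            off += rec_len
        return out

def _pack_record(values):
    out = b""
    for ftype in LANCOPE1_TEMPLATE:
        name, flen = FIELDS[ftype]
        out += socket.inet_aton(values[name]) if ftype in IPV4_FIELDS else values[name].to_bytes(flen, "big")
    return out

def build_sample_pdu(records, template_id=256, include_template=True):
    """Constructed v9 PDU laid out as an exporter sends it: template flowset, then data."""
    flowsets = b""
    if include_template:
        tbody = struct.pack("!HH", template_id, len(LANCOPE1_TEMPLATE))
        tbody += b"".join(struct.pack("!HH", t, FIELDS[t][1]) for t in LANCOPE1_TEMPLATE)
        flowsets += struct.pack("!HH", 0, 4 + len(tbody)) + tbody
    dbody = b"".join(_pack_record(r) for r in records)
    dbody += b"\x00" * (-len(dbody) % 4)  # data flowsets are padded to 4-byte multiples
    flowsets += struct.pack("!HH", template_id, 4 + len(dbody)) + dbody
    count = len(records) + (1 if include_template else 0)
    # header: version, count, sys-uptime, unix secs, sequence, source id (sample values)
    return struct.pack("!HHIIII", 9, count, 5_000_000, 1_700_000_000, 1, 0) + flowsets

SAMPLE_FLOWS = [  # constructed records, not captured traffic
    dict(protocol=6, ipv4_src_addr="10.1.1.5", ipv4_dst_addr="192.0.2.10", l4_src_port=51234,
         l4_dst_port=443, input_snmp=3, src_tos=0, output_snmp=7, in_bytes=4200, in_pkts=12,
         first_switched=100_000, last_switched=103_500, flow_sampler_id=0,
         ipv4_next_hop="192.0.2.1", min_ttl=62, max_ttl=64, tcp_flags=0x1B, dst_as=64496),
    dict(protocol=17, ipv4_src_addr="10.1.1.5", ipv4_dst_addr="10.2.2.53", l4_src_port=40000,
         l4_dst_port=53, input_snmp=3, src_tos=0, output_snmp=5, in_bytes=78, in_pkts=1,
         first_switched=100_200, last_switched=100_200, flow_sampler_id=0,
         ipv4_next_hop="10.2.2.1", min_ttl=64, max_ttl=64, tcp_flags=0, dst_as=0),
]

def decode_sample():
    """Template and data in one PDU, as after a template refresh: both records decode."""
    return V9Decoder().decode(build_sample_pdu(SAMPLE_FLOWS))

def decode_data_without_template():
    """A collector started mid-stream sees only data flowsets and decodes nothing."""
    return V9Decoder().decode(build_sample_pdu(SAMPLE_FLOWS, include_template=False))
```

To run it against a live stream, bind a UDP socket on the port configured under `transport udp 2055` and pass each datagram to `V9Decoder.decode`, keeping one decoder instance so templates persist across packets. On the router, `show flow exporter NETFLOW_TO_STEALTHWATCH statistics` and `show flow monitor IPv4_NETFLOW cache` confirm that records are being cached and exported.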

Current revision as of 19:55, 12 July 2024

