Cisco ASR1001 Netflow: difference between revisions
Sirmax (talk | contribs) |
Sirmax (talk | contribs) |
||
(7 intermediate revisions by the same user not shown) | |||
Line 5: | Line 5: | ||
=NetFlow на ASR1001x= |
=NetFlow на ASR1001x= |
||
+ | ==Краткое описание== |
||
⚫ | |||
+ | [[Media:Cisco NetFlow Configuration.pdf|Cisco NetFlow Configuration.pdf]] |
||
+ | |||
+ | |||
⚫ | |||
+ | Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Cisco Bug Search Tool and the release notes for your platform and software release. |
||
+ | Flexible NetFlow is supported on Catalyst 3560-X and 3750-X (Cat3k-X) Series Switches on the 10GE Service Module. Previously unsupported on the platform, the service module can enable hardware-supported, line-rate NetFlow on all traffic that traverses the module. |
||
+ | 1. Create a Flow Record (specify the fields to export) |
||
+ | A flow record defines the information that NetFlow gathers, such as packets in the flow and the types of counters gathered per flow. You specify a series of “match” and “collect” commands that tell the router which fields to include in the outgoing NetFlow PDU. |
||
+ | The “match” fields are the “key” fields. They are used to determine the uniqueness of the flow. The “collect” fields are just extra info that to include to provide more detail to the collector for reporting and analysis. |
||
+ | The fields marked with required below, are fields required for StealthWatch to accept and build a flow record. |
||
+ | asr1k(config)# flow record LANCOPE1 |
||
+ | asr1k(config-flow-record)#match ipv4 protocol |
||
+ | asr1k(config-flow-record)#match ipv4 source address asr1k(config-flow-record)#match ipv4 destination address asr1k(config-flow-record)#match transport source-port asr1k(config-flow-record)#match transport destination-port asr1k(config-flow-record)#match interface input |
||
+ | asr1k(config-flow-record)#match ipv4 tos |
||
+ | asr1k(config-flow-record)#collect interface output |
||
+ | asr1k(config-flow-record)#collect counter bytes |
||
+ | asr1k(config-flow-record)#collect counter packets |
||
+ | asr1k(config-flow-record)#collect timestamp sys-uptime firstrequired; for calculating duration asr1k(config-flow-record)#collect timestamp sys-uptime lastrequired; for calculating duration |
||
+ | asr1k(config-flow-record)#collect flow sampler asr1k(config-flow-record)#collect routing next-hop address |
||
+ | ipv4 asr1k(config-flow-record)#collect ipv4 dscp |
||
+ | asr1k(config-flow-record)#collect ipv4 ttl minimum asr1k(config-flow-record)#collect ipv4 ttl maximum asr1k(config-flow-record)#collect transport tcp flags asr1k(config-flow-record)#collect routing destination as |
||
+ | optional; used to obtain sampling rate |
||
+ | optional; used for |
||
+ | closest interface determination |
||
+ | optional; used to generate QoS reports optional; provides pathing info |
||
+ | optional; provides pathing info |
||
+ | optional; security anaysis |
||
+ | optional; enable if you use BGP |
||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | Cisco ASR 9000 NetFlow Configuration |
||
+ | Appendix |
||
+ | Cisco ASR 1000 NetFlow Configuration |
||
+ | 6. Create a Flow Exporter (specify where/how NetFlow is to be sent) asr1k(config)#flow exporter NETFLOW_TO_STEALTHWATCH asr1k(config-flow-exporter)#description Export NetFlow to StealthWatch asr1k(config-flow-exporter)#destination <fc_collector_IP_address> asr1k(config-flow-exporter)#source <interface> → (e.g. use a Loopback) asr1k(config-flow-exporter)#transport udp 2055 asr1k(config-flow-exporter)#version 9 |
||
+ | 7. Create a Flow Monitor (tie the Flow Record to the Flow Exporter) asr1k(config)#flow monitor IPv4_NETFLOW asr1k(config-flow-monitor)#record LANCOPE1 asr1k(config-flow-monitor)#exporter NETFLOW_TO_STEALTHWATCH asr1k(config-flow-monitor)#cache timeout active 60 asr1k(config-flow-monitor)#cache timeout inactive 15 |
||
+ | 8. Assign Flow Monitor to selected interfaces |
||
+ | Repeat this step on every interface you are interested in monitoring traffic for. |
||
+ | asr1k(config)#interface <interface> → (e.g. VLAN1 or g2/1) asr1k(config-if)#ip flow monitor IPv4_NETFLOW input |
||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | If the ASR is being used for NAT and you would like to log the NAT translations within StealthWatch, run the following command: |
||
+ | ip nat log translations flow-export v9 udp destination X.X.X.X YYYY |
||
+ | Where X.X.X.X is the FlowCollector IP and YYYY is the configured NetFlow Export port. |
||
+ | |||
+ | =1= |
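Review bot: in the flow-record block the annotations are fused into the command text ("collect timestamp sys-uptime firstrequired; for calculating duration"), and the seven "optional; ..." notes are listed after "collect routing destination as" instead of beside the commands they describe, so the lines would not parse if pasted and a reader cannot tell which fields are optional. Put each command on its own line with its annotation clearly separated from it. The only surviving "required" markers are on the two timestamp lines, although the text says required fields are marked below, so check the match fields against the source PDF. The step numbering also jumps from 1 to 6, the Catalyst 3560-X/3750-X paragraph does not apply to the ASR1001x, and the trailing "=1=" heading looks like a leftover stub.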
Current revision as of 19:55, 12 July 2024
NetFlow on ASR1001x
Brief description
Cisco NetFlow Configuration.pdf
Cisco ASR 1000 NetFlow Configuration
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Cisco Bug Search Tool and the release notes for your platform and software release.

Flexible NetFlow is supported on Catalyst 3560-X and 3750-X (Cat3k-X) Series Switches on the 10GE Service Module. Previously unsupported on the platform, the service module can enable hardware-supported, line-rate NetFlow on all traffic that traverses the module.

1. Create a Flow Record (specify the fields to export)

A flow record defines the information that NetFlow gathers, such as packets in the flow and the types of counters gathered per flow. You specify a series of “match” and “collect” commands that tell the router which fields to include in the outgoing NetFlow PDU.

The “match” fields are the “key” fields. They are used to determine the uniqueness of the flow. The “collect” fields are extra information included to give the collector more detail for reporting and analysis.

The fields marked “required” below are fields required for StealthWatch to accept and build a flow record.

asr1k(config)# flow record LANCOPE1
asr1k(config-flow-record)#match ipv4 protocol
asr1k(config-flow-record)#match ipv4 source address
asr1k(config-flow-record)#match ipv4 destination address
asr1k(config-flow-record)#match transport source-port
asr1k(config-flow-record)#match transport destination-port
asr1k(config-flow-record)#match interface input
asr1k(config-flow-record)#match ipv4 tos
asr1k(config-flow-record)#collect interface output
asr1k(config-flow-record)#collect counter bytes
asr1k(config-flow-record)#collect counter packets
asr1k(config-flow-record)#collect timestamp sys-uptime first → (required; for calculating duration)
asr1k(config-flow-record)#collect timestamp sys-uptime last → (required; for calculating duration)
asr1k(config-flow-record)#collect flow sampler → (optional; used to obtain sampling rate)
asr1k(config-flow-record)#collect routing next-hop address ipv4 → (optional; used for closest interface determination)
asr1k(config-flow-record)#collect ipv4 dscp → (optional; used to generate QoS reports)
asr1k(config-flow-record)#collect ipv4 ttl minimum → (optional; provides pathing info)
asr1k(config-flow-record)#collect ipv4 ttl maximum → (optional; provides pathing info)
asr1k(config-flow-record)#collect transport tcp flags → (optional; security analysis)
asr1k(config-flow-record)#collect routing destination as → (optional; enable if you use BGP)

Cisco ASR 9000 NetFlow Configuration
Appendix
Cisco ASR 1000 NetFlow Configuration

6. Create a Flow Exporter (specify where/how NetFlow is to be sent)

asr1k(config)#flow exporter NETFLOW_TO_STEALTHWATCH
asr1k(config-flow-exporter)#description Export NetFlow to StealthWatch
asr1k(config-flow-exporter)#destination <fc_collector_IP_address>
asr1k(config-flow-exporter)#source <interface> → (e.g. use a Loopback)
asr1k(config-flow-exporter)#transport udp 2055
asr1k(config-flow-exporter)#version 9

7. Create a Flow Monitor (tie the Flow Record to the Flow Exporter)

asr1k(config)#flow monitor IPv4_NETFLOW
asr1k(config-flow-monitor)#record LANCOPE1
asr1k(config-flow-monitor)#exporter NETFLOW_TO_STEALTHWATCH
asr1k(config-flow-monitor)#cache timeout active 60
asr1k(config-flow-monitor)#cache timeout inactive 15

8. Assign Flow Monitor to selected interfaces

Repeat this step on every interface you are interested in monitoring traffic for.

asr1k(config)#interface <interface> → (e.g. VLAN1 or g2/1)
asr1k(config-if)#ip flow monitor IPv4_NETFLOW input
If the ASR is being used for NAT and you would like to log the NAT translations within StealthWatch, run the following command:
ip nat log translations flow-export v9 udp destination X.X.X.X YYYY
Where X.X.X.X is the FlowCollector IP and YYYY is the configured NetFlow Export port.
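
The collector-side view of the "version 9" export configured above, as an added example (not from the original page, Cisco or StealthWatch): a minimal Python decoder for NetFlow v9 templates and data records covering a subset of the LANCOPE1 fields, showing how the two sys-uptime timestamps yield the flow duration even when the 32-bit counter wraps. Field type IDs are those of RFC 3954; the packet, addresses, source ID and function names are constructed for illustration.

```python
import ipaddress
import struct

# NetFlow v9 field type IDs (RFC 3954) for a subset of the LANCOPE1 record's fields.
FIELDS = {1: "bytes", 2: "packets", 4: "protocol", 7: "src_port", 8: "src_addr",
          11: "dst_port", 12: "dst_addr", 21: "last_ms", 22: "first_ms"}

def parse_v9(pkt, templates):
    """Decode one v9 export packet into flow dicts; templates persists across packets."""
    version, *_, source_id = struct.unpack_from("!HHIIII", pkt)
    if version != 9:
        raise ValueError("not NetFlow v9")
    flows, off = [], 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("bad FlowSet length")
        body, pos = pkt[off + 4:off + fs_len], 0
        while fs_id == 0 and pos + 4 <= len(body):        # template FlowSet
            tid, n = struct.unpack_from("!HH", body, pos)
            if tid < 256 or n == 0 or pos + 4 + 4 * n > len(body):
                break                                     # padding or truncated template
            templates[source_id, tid] = list(struct.iter_unpack("!HH", body[pos + 4:pos + 4 + 4 * n]))
            pos += 4 + 4 * n
        spec = templates.get((source_id, fs_id), [])      # data FlowSet if template is known
        size = sum(length for _, length in spec)
        while size and pos + size <= len(body):           # leftover bytes are padding
            rec = {}
            for ftype, length in spec:
                raw, pos = body[pos:pos + length], pos + length
                name = FIELDS.get(ftype)
                if name in ("src_addr", "dst_addr"):
                    rec[name] = str(ipaddress.IPv4Address(raw))
                elif name:
                    rec[name] = int.from_bytes(raw, "big")
            if "first_ms" in rec and "last_ms" in rec:    # 32-bit sys-uptime ms can wrap
                rec["duration_ms"] = (rec["last_ms"] - rec["first_ms"]) % 2**32
            flows.append(rec)
        off += fs_len
    return flows

def sample_packet():
    """Constructed export: template 256 plus one flow whose sys-uptime counter wrapped."""
    spec = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4), (22, 4), (21, 4)]
    tmpl = struct.pack("!HH", 256, len(spec)) + b"".join(struct.pack("!HH", *f) for f in spec)
    rec = struct.pack("!4s4sHHBIIII", bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]),
                      51514, 443, 6, 4200, 12, 2**32 - 1000, 500) + b"\x00" * 3  # pad to 32
    out = struct.pack("!HHIIII", 9, 2, 500, 1720814100, 1, 7)      # header, source ID 7
    for fs_id, body in ((0, tmpl), (256, rec)):
        out += struct.pack("!HH", fs_id, 4 + len(body)) + body
    return out
```

A data FlowSet that arrives before its template is skipped, which is why a collector shows no flows from a new exporter until the first template has been received.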