Cisco ASR1001 Netflow: difference between revisions
Sirmax (talk | contribs) |
Sirmax (talk | contribs) |
||
Line 33: | Line 33: | ||
optional; security anaysis |
optional; security anaysis |
||
optional; enable if you use BGP |
optional; enable if you use BGP |
||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | Cisco ASR 9000 NetFlow Configuration |
||
+ | Appendix |
||
+ | Cisco ASR 1000 NetFlow Configuration |
||
+ | 6. Create a Flow Exporter (specify where/how NetFlow is to be sent) asr1k(config)#flow exporter NETFLOW_TO_STEALTHWATCH asr1k(config-flow-exporter)#description Export NetFlow to StealthWatch asr1k(config-flow-exporter)#destination <fc_collector_IP_address> asr1k(config-flow-exporter)#source <interface> → (e.g. use a Loopback) asr1k(config-flow-exporter)#transport udp 2055 asr1k(config-flow-exporter)#version 9 |
||
+ | 7. Create a Flow Monitor (tie the Flow Record to the Flow Exporter) asr1k(config)#flow monitor IPv4_NETFLOW asr1k(config-flow-monitor)#record LANCOPE1 asr1k(config-flow-monitor)#exporter NETFLOW_TO_STEALTHWATCH asr1k(config-flow-monitor)#cache timeout active 60 asr1k(config-flow-monitor)#cache timeout inactive 15 |
||
+ | 8. Assign Flow Monitor to selected interfaces |
||
+ | Repeat this step on every interface you are interested in monitoring traffic for. |
||
+ | asr1k(config)#interface <interface> → (e.g. VLAN1 or g2/1) asr1k(config-if)#ip flow monitor IPv4_NETFLOW input |
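Review bot: the added rows for steps 6 to 8 each put several asr1k(...)# commands on one line, and the annotations "→ (e.g. use a Loopback)" and "→ (e.g. VLAN1 or g2/1)" sit inside the command text, so a reader cannot see where one command ends and a copy-paste into the CLI would be rejected. Put each command on its own line and keep the annotations visibly apart from what is typed. The first added rows, "Cisco ASR 9000 NetFlow Configuration" and "Appendix", look like running headers from the source PDF and do not belong on an ASR 1000 page. The numbering also jumps from step 1 to step 6, so either renumber these steps or say where steps 2 to 5 went.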
Revision as of 14:25, 8 July 2024
NetFlow on ASR1001x
Cisco NetFlow Configuration.pdf
Cisco ASR 1000 NetFlow Configuration
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Cisco Bug Search Tool and the release notes for your platform and software release.
Flexible NetFlow is supported on Catalyst 3560-X and 3750-X (Cat3k-X) Series Switches on the 10GE Service Module. Previously unsupported on the platform, the service module can enable hardware-supported, line-rate NetFlow on all traffic that traverses the module.
1. Create a Flow Record (specify the fields to export)
A flow record defines the information that NetFlow gathers, such as packets in the flow and the types of counters gathered per flow. You specify a series of “match” and “collect” commands that tell the router which fields to include in the outgoing NetFlow PDU.
The “match” fields are the “key” fields. They are used to determine the uniqueness of the flow. The “collect” fields are extra information included to give the collector more detail for reporting and analysis.
The fields marked “required” below are the fields StealthWatch needs in order to accept and build a flow record.
asr1k(config)#flow record LANCOPE1
asr1k(config-flow-record)#match ipv4 protocol
asr1k(config-flow-record)#match ipv4 source address
asr1k(config-flow-record)#match ipv4 destination address
asr1k(config-flow-record)#match transport source-port
asr1k(config-flow-record)#match transport destination-port
asr1k(config-flow-record)#match interface input
asr1k(config-flow-record)#match ipv4 tos
asr1k(config-flow-record)#collect interface output
asr1k(config-flow-record)#collect counter bytes
asr1k(config-flow-record)#collect counter packets
asr1k(config-flow-record)#collect timestamp sys-uptime first → (required; for calculating duration)
asr1k(config-flow-record)#collect timestamp sys-uptime last → (required; for calculating duration)
asr1k(config-flow-record)#collect flow sampler → (optional; used to obtain sampling rate)
asr1k(config-flow-record)#collect routing next-hop address ipv4 → (optional; used for closest interface determination)
asr1k(config-flow-record)#collect ipv4 dscp → (optional; used to generate QoS reports)
asr1k(config-flow-record)#collect ipv4 ttl minimum → (optional; provides pathing info)
asr1k(config-flow-record)#collect ipv4 ttl maximum → (optional; provides pathing info)
asr1k(config-flow-record)#collect transport tcp flags → (optional; security analysis)
asr1k(config-flow-record)#collect routing destination as → (optional; enable if you use BGP)
6. Create a Flow Exporter (specify where/how NetFlow is to be sent)
asr1k(config)#flow exporter NETFLOW_TO_STEALTHWATCH
asr1k(config-flow-exporter)#description Export NetFlow to StealthWatch
asr1k(config-flow-exporter)#destination <fc_collector_IP_address>
asr1k(config-flow-exporter)#source <interface> → (e.g. use a Loopback)
asr1k(config-flow-exporter)#transport udp 2055
asr1k(config-flow-exporter)#version 9
7. Create a Flow Monitor (tie the Flow Record to the Flow Exporter)
asr1k(config)#flow monitor IPv4_NETFLOW
asr1k(config-flow-monitor)#record LANCOPE1
asr1k(config-flow-monitor)#exporter NETFLOW_TO_STEALTHWATCH
asr1k(config-flow-monitor)#cache timeout active 60
asr1k(config-flow-monitor)#cache timeout inactive 15
8. Assign Flow Monitor to selected interfaces
Repeat this step on every interface you are interested in monitoring traffic for.
asr1k(config)#interface <interface> → (e.g. VLAN1 or g2/1)
asr1k(config-if)#ip flow monitor IPv4_NETFLOW input
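A collector-side check for the version 9 export configured above, as an added example that is not part of the original page or of Cisco's documentation: it parses the template FlowSets of a NetFlow v9 datagram (RFC 3954 layout) and reports which of the LANCOPE1 key, counter and timestamp fields a template does not carry. It assumes the router exports those fields under the standard RFC 3954 field-type numbers; `EXPECTED`, `build_sample` and the sample field list are constructed for the example.

```python
import struct

# RFC 3954 field-type numbers for the key and counter/timestamp fields of LANCOPE1.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
}
EXPECTED = set(FIELD_NAMES)  # assumption: the set this check insists on

def parse_templates(datagram):
    """Return {template_id: [field_type, ...]} from one NetFlow v9 datagram."""
    if len(datagram) < 20:
        raise ValueError("datagram shorter than the 20-byte v9 header")
    version = struct.unpack("!H", datagram[:2])[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    templates, off = {}, 20
    while off + 4 <= len(datagram):
        flowset_id, length = struct.unpack("!HH", datagram[off:off + 4])
        if length < 4 or off + length > len(datagram):
            raise ValueError("flowset length runs past the datagram")
        pos, end = off + 4, off + length
        while flowset_id == 0 and pos + 4 <= end:  # FlowSet ID 0 = templates
            tid, nfields = struct.unpack("!HH", datagram[pos:pos + 4])
            if tid < 256:  # padding, not a template record
                break
            pos += 4
            if pos + 4 * nfields > end:
                raise ValueError("template record truncated")
            pairs = struct.unpack(f"!{2 * nfields}H", datagram[pos:pos + 4 * nfields])
            templates[tid] = list(pairs[0::2])  # keep types, drop lengths
            pos += 4 * nfields
        off += length
    return templates

def missing_fields(field_types):
    """Names of expected fields that a template does not carry."""
    return sorted(FIELD_NAMES[t] for t in EXPECTED - set(field_types))

def build_sample(fields, template_id=260):
    """Constructed v9 datagram holding one template; fields = [(type, length)]."""
    rec = struct.pack("!HH", template_id, len(fields))
    rec += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    header = struct.pack("!HHIIII", 9, 1, 1000, 1720448700, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(rec)) + rec

# Constructed template: (field type, length in bytes) pairs.
FULL = [(4, 1), (8, 4), (12, 4), (7, 2), (11, 2), (10, 4), (5, 1),
        (14, 4), (1, 4), (2, 4), (22, 4), (21, 4)]
```

On a collector, pass `parse_templates` the payload of each datagram received on UDP 2055 and alert when `missing_fields` is non-empty for a template.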