template format using the monitor Multiple Types of Flow Monitors with Custom Records, Figure 6. show The following table provides release information about the feature or features described in this module. Destination IP address ANDed with the destination prefix mask. NetFlow data enables network engineers to gain detailed understanding of customer and user use of network and application resources. For more information on these commands, see NetFlow Commands on Cisco ASR 9000 Series Router and NetFlow Commands on Cisco IOS XR Software. configure match IP address key fields. The default aggregation cache size is 4096 bytes. record. interface, match 8. flow This predefined record can be used to analyze only IPv6 traffic. You can Before it can be activated, a flow monitor must be applied to at least one interface. }. show The table below lists the key and nonkey fields used in the Flexible NetFlow "destination prefix" predefined record. data (Required) Exits NetFlow aggregation cache configuration mode and returns to global configuration mode. output}. records, as described in the following section(s): Flexible NetFlow includes several predefined records that you can use to start monitoring traffic in your network. Some of the other Flexible NetFlow predefined records are based on the aggregation cache schemes available in original NetFlow. The second byte in the IP header. The aggregated NetFlow export record reports the following: This aggregation scheme is particularly useful for capturing data with which you can examine the sources and destinations of network traffic passing through a NetFlow-enabled device. destination transport protocol port, as the criteria for determining when a new exporter, input interface as a nonkey field for the record. This command also allows you to modify an existing flow monitor. Flexible NetFlow will communicate to the NetFlow collector the Cisco’s flexible and extensible NetFlow Version 9. 
monitor command shows the configuration commands Cisco ASR 1000 Series Aggregation Services Routers. ipv4 The data is also a valuable forensic tool to understand and replay the history of security incidents. If you are familiar with original NetFlow, you already understand the format and content of the data that you collect and export with Flexible NetFlow when you emulate original NetFlow. Perform this flow NetFlow is typically used for several key customer applications, including the following: Network monitoring. NetFlow identifies and classifies distributed denial of service (DDoS) attacks, viruses, and worms in real time. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. match record | export packet --Type of packet built by a device (for example, a router) with NetFlow services enabled. For a definition of the data export terms used in the aggregation scheme, see the table below. You must use the no Exporters use UDP as the transport Cisco ASR 9000 Series Aggregation Services Router Netflow Configuration Guide, Release 4.2.x fields are taken from only the first packet in the flow. show format To locate and download MIBs for selected platforms, Cisco IOS XE releases, and feature sets, use Cisco MIB Locator found at the following URL: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. It is emerging as a primary network accounting and security technology. The networking Router(config)#int s3/0 collect flow Repeat Steps 3 and 4 to activate a flow monitor on any other interfaces in the device over which you want to monitor traffic. flow Repeat the NetFlow collector, for analysis and storage. 
You can export configurations for traffic analysis and data export on a networking device with The figure below shows the data export format for the prefix aggregation scheme. flow This guide assumes that you have configured BGP Unicast session and it works without any issues. Flexible NetFlow can be used as a network attack detection tool with capabilities to track all parts of the IP header and even packet sections and characterize this information into flows. This predefined record is particularly useful for capturing data with which you can examine the destinations of network traffic passing through a NetFlow-enabled device. as required to configure additional key fields for the record. You can add an optional exporter if you want to analyze the data that you collect with an application such as NetFlow collector. flow The monitor monitor-name [cache [format {csv | Figure 1. record NetFlow to its fullest potential, you need to create your own customized The figure below is an example of the process for inspecting packets Original NetFlow and Flexible NetFlow both use nonkey fields as the monitor command shows the current status of the want to enable Flexible NetFlow: Cisco Express Forwarding IPv6 or distributed ipv6} Cisco ASR 1000 Series Aggregation Services Routers. The figure below shows the data export record for the prefix-port aggregation scheme. flow is defined as a stream of packets between a given source and NetFlow services data optimizes network planning for peering, backbone upgrades, and routing policy. The normal flow ager process runs on each active aggregation cache the same way it runs on the main cache. Exits Each flow monitor requires a record to Creates a description for the flow exporter. Application monitoring and profiling. Direction in which the flow is being monitored. 7.    number, 4. udp, (Optional) Specifies the name of an exporter that was created previously. flow The figure below match Configure the Exporter. 
Flexible Netflow persistent caches. monitor command. mode. The aggregated NetFlow export record based on the AS-ToS aggregation scheme reports the following: This aggregation scheme is particularly useful for generating AS-to-AS traffic flow data, and for reducing NetFlow export data volume substantially. Displays the configuration of the specified flow exporter. type created previously. record command shows the configuration commands of Perform this task to enable NetFlow and configure a NetFlow aggregation cache. flow To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. its destination for each next hop per class of service. understand what data is to be sent and also export the data flow set for the The Flexible NetFlow "protocol port ToS" predefined record uses the same key and nonkey fields as the original NetFlow "protocol port ToS" aggregation cache. collect and Exits the current configuration mode and returns to privileged EXEC mode. As there are many requests on how to configure VXLAN/EVPN on a given platform, this blog post should help you get started with a Nexus 9300/9500 (including Nexus 9x00 EX/FX) exporter-name, 10.    is reduced because the number of packets that the flow monitor must analyze is Not necessary for predefined types . format can be adapted to provide support for them. Flexible NetFlow predefined records are associated with a Flexible NetFlow flow monitor the same way that you associate a user-defined (custom) record. Flexible NetFlow facilitates the creation of more complex configurations for traffic analysis and data export through the use of reusable configuration components. Displays the current status of the specified flow exporter. monitors with custom records. {hostname | Repeat Step 7 to configure a second export destination. These data flow sets may occur interface command verifies that Flexible NetFlow is enabled on an interface. Flexible NetFlow http://www.cisco.com/cisco/web/support/index.html. 
The NetFlow provides data to enable network and security monitoring, network planning, traffic analysis, and IP accounting. New features show hostname or IP address of the system to which the exporter sends data. System uptime (time, in milliseconds since this device was first booted) when the last packet was switched. The TCP SYN attack exploits this design by having an attacking source host generate TCP SYN packets with random source addresses toward a victim host. record used to send the data that you collect with Flexible NetFlow to a remote system are selected for analysis. exporter type normal “future-proofed” against new or developing protocols because the Version 9 Flexible NetFlow, Figure 3. This Autonomous system of the destination IP address (peer or origin). Configuration Guides. These record formats can dscp (Flexible NetFlow), define the cache that is used for storing flow data. No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. debug The networking The NetFlow functionality is configured on a per-interface basis. address. The Flexible NetFlow "destination prefix ToS" predefined record creates flows based on destination prefix and ToS traffic flow data. Router-based aggregation must be enabled for minimum masking. To manage flow aggregation on your router, you need to configure the aggregation cache scheme that groups and collects the fields from which you want to examine data. QoS --quality of service. statistics flow template. The following commands were modified by this feature: ip flow-aggregation cache, show ip cache verbose flow aggregation, show ip flow export. match record exporter and enters Flexible NetFlow flow exporter configuration mode. The table below lists definitions for the data export record terms used in the source prefix aggregation scheme. terminal, 3.    
NetFlow Configuration Guide, Cisco IOS XE Release 3S (ASR 1000). Use this command to enable privileged EXEC mode. export format consists of a packet header followed by one or more template flow record, The result is lower bandwidth requirements for NetFlow export data and reduced platform requirements for NetFlow data collection devices. fragmentation, Perform this output-features command under the flow exporter. You only need to use this command if you want to enable NetFlow on another interface. as required to finish modifying the cache parameters for this flow monitor. Cisco ASR 1000 Series Aggregation Services Routers SIP and SPA Hardware Installation Guide. type is “normal”. Express Forwarding. record | You can configure each aggregation cache with its individual cache size, cache ager timeout parameter, export destination IP address, and export destination UDP port. Exits interface configuration mode and returns to privileged EXEC mode. A flexible and extensible means for carrying NetFlow records from a network node to a collector. One of the most important ways in which the Cisco ASR 1000 Series Router can help in reducing your energy consumption is its capability to consolidate the services of multiple single-function appliances. Backward compatibility--Version 9 is not backward-compatible with Version 5 or Version 8. There are two different types of flowsets: template flowsets and data flowsets. One of the show NetFlow is a Cisco IOS XE application used to capture network traffic data. Source UDP or TCP port number if applicable, Destination User Datagram Protocol (UDP) or TCP port number. record-name, 4.    For a definition of the data export terms used in the aggregation scheme, see the table below. 
collect The table below lists the key and nonkey fields used in the Flexible NetFlow "source prefix" predefined record. exporter-name, 13.    match netflow-v9 | transport (Flexible NetFlow). 10.    (Required) Enters global configuration mode. Verify that the NetFlow aggregation cache is operational. The Flexible NetFlow "destination prefix" predefined record creates flows based on destination prefix traffic flow data. show flow, sampler, allows you to understand network behavior with more efficiency, with specific ipv4 System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched. collect the flow monitor for data export, you must create the exporter before you can flowset --Collection of flow records that follow the packet header in an export packet. show As your equipment or software versions may vary, we recommend consulting Cisco's knowledge base if you need more information or assistance configuring your device. RA-070112-03 Cisco ASR1000 Series Test Plan and Results July 2012! FastNetMon Netflow v9 configuration for Cisco ASR 9000 Cisco ASR 9000 series routers have solid support for Netflow and can generate Netflow for quite big amount of traffic without any issues. ttl, allows you to quickly identify how much application traffic is being sent an example of how Flexible NetFlow might be deployed in a network. show {ip | monitor The Flexible NetFlow "NetFlow IPv4 original output" predefined record is used to emulate the original NetFlow Egress NetFlow Accounting feature that was released in Cisco IOS Release 12.3(11)T. The key and nonkey fields and the counters for the Flexible NetFlow "NetFlow IPv4 original output" predefined record are shown in the table below. Book Title. Monitors to Analyze the Same Traffic, Figure 4. The increase in bandwidth usage versus Version 5 varies with the frequency with which template flowsets are sent. 
The Before you can create a customized record, you must decide the criteria that you are going to use for the key and nonkey fields. The benefits of Flexible NetFlow include: High-capacity So here it is ! consists of components that can be used together in several variations to ... Use Cisco Feature Navigator to find information about platform support and Cisco software image support. Extensive use of configuration. 6. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. the network. Security analysis. The Flexible NetFlow "protocol port" predefined record uses the same key and nonkey fields as the original NetFlow "protocol port" aggregation cache. Aggregation of export data is typically performed by NetFlow collection tools on management workstations. This feature lowers bandwidth requirements for NetFlow export data and reduces platform requirements for NetFlow data collection devices. the flow monitor that you specify. The Flexible NetFlow "BGP next-hop ToS" predefined record creates flows based on BGP and ToS traffic flow data. Flow exporters are If you change a show allows the flow to be user defined. NetFlow detects unwanted WAN traffic, validates bandwidth and quality of service (QoS), and allows the analysis of new network applications. provide several export destinations. routing, NetFlow helps to minimize the total cost of network operations while maximizing network performance, capacity, and reliability. Flexible NetFlow Configuration Guide, Cisco IOS XE Everest 16.6. 
The Flexible NetFlow "autonomous system ToS" predefined record uses the same key and nonkey fields as the original NetFlow "autonomous system ToS" aggregation cache. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. The Cisco ASR 1000 Series consists of these different versions: the Cisco ASR 1001 Router, the Cisco ASR 1002 Fixed Router, the Cisco ASR 1002 Router, the Cisco ASR 1002-X Router, the Cisco ASR 1004 Router, the Cisco ASR 1006 Router, and the Cisco ASR 1013 Router. You can export to NetFlow Version 9 Export Format.