Notes for Catalyst 6500 Series Switches
Revised: April 26, 2013, OL-22192-02
Flexible NetFlow Support
Cisco IOS Release 15.1(1)SY1
The following Flexible NetFlow flow exporter configuration subcommand was introduced on the Catalyst 6500 series switches:
This option allows Flexible NetFlow to export TrustSec environmental data tables that map Security Group Tags (SGTs) to Security Group Names (SGNs).
Cisco IOS Release 12.2(50)SY, IP Base LAN Image
The following Flexible NetFlow commands and flow objects were introduced on the Catalyst 6500 series switches:
- cts role-based { ip | ipv6 } flow monitor monitor_name dropped
- cts source group-tag
- cts destination group-tag
Flexible NetFlow can account for packets dropped by SGACL enforcement when the SGT and DGT flow objects are configured in the flow record together with the standard 5-tuple flow objects.
Use the flow record and flow exporter global configuration commands to configure a flow record and a flow exporter, then use the flow monitor command to add them to a flow monitor. Use the show flow commands to verify your configuration.
To collect only SGACL dropped packets, use the [ no ] cts role-based { ip | ipv6 } flow monitor dropped global configuration command.
For Flexible NetFlow overview and configuration information, see the following documents:
Flexible NetFlow Configuration Guide, Cisco IOS Release 15S
http://www.cisco.com/en/US/docs/ios-xml/ios/fnetflow/configuration/15-s/fnf-15-s-book.html
Catalyst 6500 Release 15.0SY Software Configuration Guide
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/15_0_sy_swcg.html
Configuration Excerpt of an IPv4 Flow Record (5-tuple, direction, SGT, DGT)
Switch(config)# flow record cts-record-ipv4
Switch(config-flow-record)# match ipv4 protocol
Switch(config-flow-record)# match ipv4 source address
Switch(config-flow-record)# match ipv4 destination address
Switch(config-flow-record)# match transport source-port
Switch(config-flow-record)# match transport destination-port
Switch(config-flow-record)# match flow direction
Switch(config-flow-record)# match flow cts source group-tag
Switch(config-flow-record)# match flow cts destination group-tag
Switch(config-flow-record)# collect counter packets
Configuration Excerpt of an IPv6 Flow Record (5-tuple, direction, SGT, DGT)
Switch(config)# flow record cts-record-ipv6
Switch(config-flow-record)# match ipv6 protocol
Switch(config-flow-record)# match ipv6 source address
Switch(config-flow-record)# match ipv6 destination address
Switch(config-flow-record)# match transport source-port
Switch(config-flow-record)# match transport destination-port
Switch(config-flow-record)# match flow direction
Switch(config-flow-record)# match flow cts source group-tag
Switch(config-flow-record)# match flow cts destination group-tag
Switch(config-flow-record)# collect counter packets
Configuration Excerpt of an IPv4 Flow Monitor
Switch(config)# flow monitor cts-monitor-ipv4
Switch(config-flow-monitor)# record cts-record-ipv4
Configuration Excerpt of an IPv6 Flow Monitor
Switch(config)# flow monitor cts-monitor-ipv6
Switch(config-flow-monitor)# record cts-record-ipv6
Configuration Excerpt of the Global Flow Monitor (IPv4 and IPv6)
The following configuration applies the Flow Monitor to packets dropped by Role-Based Access Control Lists (RBACLs) for all TrustSec interfaces on the router or switch:
Switch(config)# cts role-based ip flow monitor cts-monitor-ipv4 dropped
Switch(config)# cts role-based ipv6 flow monitor cts-monitor-ipv6 dropped
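The procedure above (flow record, flow monitor, then the global cts role-based ... dropped command) produces a running configuration whose pieces must reference each other correctly; the following Python script is an added example, not Cisco's code and not part of this document, that parses such a running-config excerpt and reports anything missing from the drop-accounting structure. The sample configuration is constructed from the commands shown in the excerpts above, laid out the way IOS prints them in show running-config (one-space indented children under a section header, sections separated by "!"); its IPv6 record deliberately omits the DGT match so the audit has something to report.

```python
"""Audit a Catalyst 6500 running-config excerpt for the SGACL drop-accounting
structure: a flow record keyed on the 5-tuple plus direction, SGT and DGT; a
flow monitor that references it; and the global
'cts role-based {ip|ipv6} flow monitor <name> dropped' command that binds the
monitor to dropped packets.

Added example, not Cisco's code. SAMPLE_CONFIG is constructed from the commands
on the page in the usual IOS running-config layout.
"""
import re

# Constructed sample; the IPv6 record deliberately omits the DGT match.
SAMPLE_CONFIG = """\
flow record cts-record-ipv4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter packets
!
flow record cts-record-ipv6
 match ipv6 protocol
 match ipv6 source address
 match ipv6 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match flow cts source group-tag
 collect counter packets
!
flow monitor cts-monitor-ipv4
 record cts-record-ipv4
!
flow monitor cts-monitor-ipv6
 record cts-record-ipv6
!
cts role-based ip flow monitor cts-monitor-ipv4 dropped
cts role-based ipv6 flow monitor cts-monitor-ipv6 dropped
"""

# Key fields the drop-accounting record carries, per address family.
REQUIRED_MATCH = {"ipv4": [
    "ipv4 protocol", "ipv4 source address", "ipv4 destination address",
    "transport source-port", "transport destination-port", "flow direction",
    "flow cts source group-tag", "flow cts destination group-tag"]}
REQUIRED_MATCH["ipv6"] = [f.replace("ipv4", "ipv6") for f in REQUIRED_MATCH["ipv4"]]


def parse_sections(config):
    """Map each top-level line to its indented child lines (empty for globals)."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif not line.startswith(" "):
            current = line
            sections.setdefault(current, [])
    return sections


def audit(config):
    """Return a list of findings; an empty list means the structure is complete."""
    sections = parse_sections(config)
    records, monitors, bindings = {}, {}, {}
    for header, children in sections.items():
        if m := re.fullmatch(r"flow record (\S+)", header):
            records[m[1]] = children
        elif m := re.fullmatch(r"flow monitor (\S+)", header):
            monitors[m[1]] = children
        elif m := re.fullmatch(r"cts role-based (ip|ipv6) flow monitor (\S+) dropped", header):
            bindings["ipv4" if m[1] == "ip" else "ipv6"] = m[2]
    findings = []
    for family in ("ipv4", "ipv6"):
        monitor = bindings.get(family)
        if monitor is None:
            findings.append(f"{family}: no 'cts role-based ... flow monitor ... dropped' command")
            continue
        if monitor not in monitors:
            findings.append(f"{family}: monitor '{monitor}' is bound to dropped packets but not defined")
            continue
        rec_names = [c.split(None, 1)[1] for c in monitors[monitor] if c.startswith("record ")]
        if not rec_names or rec_names[0] not in records:
            findings.append(f"{family}: monitor '{monitor}' has no defined flow record")
            continue
        rec = rec_names[0]
        matches = {c[len("match "):] for c in records[rec] if c.startswith("match ")}
        for field in REQUIRED_MATCH[family]:
            if field not in matches:
                findings.append(f"{family}: record '{rec}' is missing 'match {field}'")
        if "collect counter packets" not in records[rec]:
            findings.append(f"{family}: record '{rec}' does not 'collect counter packets'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of show running-config (or the relevant section of it) instead of SAMPLE_CONFIG to check a real switch; a record that lacks one of the key fields still collects flows, but the cache can no longer be broken down by SGT/DGT pair, which is the whole point of the drop-accounting configuration.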
Configuration Excerpt of the Interface Monitor
The flow monitor can be attached per interface and configured to filter for combinations of ingress (input), egress (output), multicast, unicast, or Layer 2-switched traffic.
For IPv6, the flow monitor is supported only for routed traffic in Cisco IOS Release 12.2(50)SY.
Switch(config)# interface TenGigabitEthernet 8/1
Switch(config-if)# ip address 192.1.1.1 255.255.255.0
;; Ingress IPv4 unicast only and egress unicast only
Switch(config-if)# ip flow monitor cts-monitor-ipv4 unicast input
Switch(config-if)# ip flow monitor cts-monitor-ipv4 unicast output
;; Ingress IPv4 Layer 2-switched traffic only
Switch(config-if)# ip flow monitor cts-monitor-ipv4 layer2-switched input
;; Ingress IPv4 multicast and egress IPv4 multicast traffic only
Switch(config-if)# ip flow monitor cts-monitor-ipv4 multicast input
Switch(config-if)# ip flow monitor cts-monitor-ipv4 multicast output
;; Both unicast and multicast egress traffic
Switch(config-if)# ip flow monitor cts-monitor-ipv4 output
;; Both unicast and multicast ingress traffic
Switch(config-if)# ip flow monitor cts-monitor-ipv4 input
;; For IPv6, only the following are supported in Cisco IOS Release 12.2(50)SY
Switch(config-if)# ipv6 address 2022::22:1:1:11/64
Switch(config-if)# ipv6 flow monitor cts-monitor-ipv6 input
Switch(config-if)# ipv6 flow monitor cts-monitor-ipv6 unicast input
Switch(config-if)# ipv6 flow monitor cts-monitor-ipv6 output
Switch(config-if)# ipv6 flow monitor cts-monitor-ipv6 unicast output
Flexible NetFlow Show Commands
- show flow record
- show flow monitor
- show flow exporter
- show flow interface
- show cts role-based counters
- show flow monitor <monitor_name> cache
- show flow monitor <monitor_name> statistics
- show platform flow ip
- show platform software flow internal fnf
- show platform hardware flow table flowmask
- show platform hardware flow table profile
- show platform hardware acl entry rbacl all
- show platform hardware acl entry tcam
- show platform software flow internal export
- show platform software flow internal export statistics
- show platform internal export information
- show platform internal export statistics
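Because the monitor bound with cts role-based ip flow monitor cts-monitor-ipv4 dropped sees only SGACL-dropped packets, its cache (show flow monitor cts-monitor-ipv4 cache) is in effect a table of policy violations keyed by SGT and DGT. The following Python script is an added example, not Cisco's code and not part of this document, that summarises such a cache per SGT-to-DGT pair and lists the source hosts behind each pair. The input is a constructed CSV in the general shape of the switch's cache dump; the column names in COLUMNS are assumptions for this example and must be matched to the header the switch actually prints.

```python
"""Summarise SGACL drops per (source SGT, destination SGT) from the cache of a
flow monitor bound with 'cts role-based ip flow monitor <name> dropped'.

Added example, not Cisco's code. SAMPLE_CACHE is constructed; COLUMNS holds
assumed header names and must be adapted to the real cache dump.
"""
import csv
import io
from collections import Counter

# Assumed column names (header line of the CSV cache dump).
COLUMNS = {
    "src": "IPV4 SRC ADDR", "dst": "IPV4 DST ADDR", "dport": "TRNS DST PORT",
    "dirn": "FLOW DIRN", "sgt": "CTS SRC GROUP-TAG", "dgt": "CTS DST GROUP-TAG",
    "pkts": "pkts",
}

# Constructed sample cache: a host in SGT 10 repeatedly hitting SSH on a host in
# SGT 20, plus a few one-off drops.
SAMPLE_CACHE = """\
IPV4 SRC ADDR,IPV4 DST ADDR,TRNS SRC PORT,TRNS DST PORT,FLOW DIRN,IP PROT,CTS SRC GROUP-TAG,CTS DST GROUP-TAG,pkts
10.1.10.5,10.1.20.7,51234,22,Input,6,10,20,312
10.1.10.5,10.1.20.7,51235,22,Input,6,10,20,298
10.1.10.9,10.1.20.7,40001,445,Input,6,10,20,4
10.1.30.2,10.1.20.7,53000,3389,Input,6,30,20,1
10.1.20.7,10.1.10.5,22,51234,Output,6,20,10,2
"""


def parse_cache_csv(text):
    """Parse the CSV dump into a list of dicts with integer tags and counters."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src": row[COLUMNS["src"]], "dst": row[COLUMNS["dst"]],
            "dport": int(row[COLUMNS["dport"]]), "dirn": row[COLUMNS["dirn"]],
            "sgt": int(row[COLUMNS["sgt"]]), "dgt": int(row[COLUMNS["dgt"]]),
            "pkts": int(row[COLUMNS["pkts"]]),
        })
    return rows


def drops_by_sgt_pair(rows):
    """Sum dropped packets per (SGT, DGT, direction)."""
    totals = Counter()
    for r in rows:
        totals[(r["sgt"], r["dgt"], r["dirn"])] += r["pkts"]
    return dict(totals)


def top_sources_for_pair(rows, sgt, dgt):
    """Source hosts behind the ingress drops of one SGT->DGT pair, largest first."""
    per_src = Counter()
    for r in rows:
        if r["sgt"] == sgt and r["dgt"] == dgt and r["dirn"] == "Input":
            per_src[r["src"]] += r["pkts"]
    return per_src.most_common()


def noisy_pairs(rows, threshold):
    """SGT->DGT pairs whose dropped-packet total exceeds threshold, largest first."""
    ranked = sorted(drops_by_sgt_pair(rows).items(), key=lambda kv: kv[1], reverse=True)
    return [(k, v) for k, v in ranked if v > threshold]


if __name__ == "__main__":
    rows = parse_cache_csv(SAMPLE_CACHE)
    for (sgt, dgt, dirn), pkts in noisy_pairs(rows, 100):
        print(f"SGT {sgt} -> DGT {dgt} ({dirn}): {pkts} dropped packets")
        for src, n in top_sources_for_pair(rows, sgt, dgt):
            print(f"   {src}: {n}")
```

A steady count of drops on one SGT-to-DGT pair usually means a misapplied policy or a mis-tagged host; a burst from a single source against many destinations in one DGT is more interesting to an incident responder. Both show up directly in the per-pair and per-source totals without any further correlation.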
FIPS Support
The Federal Information Processing Standard (FIPS) certification documents for Catalyst 6500 series switch software and hardware combinations are posted on the following website:
http://www.cisco.com/web/strategy/government/security_certification/net_business_benefit_seccert_fips140.html
The Catalyst 6500 Series FIPS certification documents describe the FIPS concepts and implementation per software/hardware combination.
TrustSec Considerations when Configuring FIPS
Perform initial setup, initialization, and configuration procedures of the Catalyst switch per the FIPS certification guide appropriate to your hardware and software configuration.
Licensing Requirements for FIPS
FIPS requires no license for the Catalyst 6500 series switches.
Prerequisites for FIPS Configuration
- Disable Telnet. Users should log in using Secure Shell (SSH) only.
- Disable SNMPv1 and v2. Any existing user accounts on the device that have been configured for SNMPv3 should be configured only with SHA for authentication and AES/3DES for privacy.
- Delete all SSH server RSA1 key-pairs.
Guidelines and Limitations for FIPS
- The RADIUS keywrap feature works only with Cisco Identity Services Engine 1.1 or Cisco ACS Release 5.2 or later releases.
- HTTPS/TLS access to the module is allowed in FIPS approved mode of operation, using SSLv3.1/TLSv1.0 and a FIPS approved algorithm.
- SSH access to the module is allowed in FIPS approved mode of operation, using SSHv2 and a FIPS approved algorithm. Many SSH clients provide cryptographic libraries that can be set to FIPS Mode, making all cryptographic operations FIPS 140-2 Level 2 compliant.
- Passwords must be at least eight alphanumeric characters long and include at least one letter and at least one digit.
Default Settings for FIPS
The default is FIPS mode disabled, RADIUS keywrap disabled.