The wireless Flexible NetFlow infrastructure supports the following:
- Flexible NetFlow Version 9.0 and 10
- User-based rate limiting
- Microflow policing
- Voice and video flow monitoring
- Reflexive access control list (ACL)
Microflow Policing and User-Based Rate Limiting
Microflow policing attaches a single-rate, two-color policer, together with its own drop statistics, to each flow entry in the NetFlow table: packets that fit within the committed rate and burst conform, packets that do not are dropped. When the flow mask comprises all packet fields (the full flow key), this functionality is known as microflow policing. When the flow mask comprises only the source address or only the destination address, so that one entry and one policer cover all of a host's flows, it is known as user-based rate limiting.
Voice and Video Flow Monitoring
Voice and video flows are full flow mask-based entries. The ASIC provides the flexibility to program the policer parameters, to share one policer across multiple flows, and to rewrite the IP addresses and Layer 4 port numbers of these flows.
Note: For dynamic entries, the NetFlow engine uses the policer parameters derived for the flow from the applicable policy (ACL- or QoS-based policies). Dynamic entries cannot share a policer across multiple flows.
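The following is an added illustration, not the ASIC's or Cisco's implementation, of the two points made above: each NetFlow table entry carries a single-rate, two-color token-bucket policer (exceed means drop, and the drop bytes are kept per entry), the flow mask decides what an "entry" is (full key for microflow policing, source-only for user-based rate limiting), and an optional `share_by` lets several full-mask entries point at one policer, as the static voice/video entries can. The `Packet`, `TokenBucket`, `FlowPolicer` and `run` names, the sample packets, the 1000 B/s rate and the 1500-byte burst are all constructed for the example.

```python
"""Per-entry single-rate two-color policing keyed by a flow mask.

Added illustration (not the ASIC's implementation): one token-bucket policer
per NetFlow entry, the flow mask choosing what an entry is, and an optional
share_by mapping several entries onto one policer.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    length: int     # bytes
    t: float        # arrival time, seconds


FULL = ("src", "dst", "proto", "sport", "dport")   # microflow policing
SRC_ONLY = ("src",)                                 # user-based rate limiting
DST_ONLY = ("dst",)


def flow_key(pkt: Packet, mask: Tuple[str, ...]) -> tuple:
    """The NetFlow table key: only the fields the mask selects."""
    return tuple(getattr(pkt, f) for f in mask)


@dataclass
class TokenBucket:
    """Single-rate, two-color policer: conform if the packet fits, else drop."""
    rate_bps: float           # committed rate, bytes per second
    burst: int                # bucket depth, bytes
    last: float               # time of the previous update
    tokens: Optional[float] = None
    conform_bytes: int = 0
    exceed_bytes: int = 0     # the per-entry drop statistic

    def __post_init__(self):
        if self.tokens is None:
            self.tokens = float(self.burst)

    def police(self, pkt: Packet) -> str:
        self.tokens = min(self.burst, self.tokens + (pkt.t - self.last) * self.rate_bps)
        self.last = pkt.t
        if pkt.length <= self.tokens:
            self.tokens -= pkt.length
            self.conform_bytes += pkt.length
            return "conform"
        self.exceed_bytes += pkt.length      # dropped packets consume no tokens
        return "exceed"


class FlowPolicer:
    def __init__(self, mask, rate_bps, burst, share_by=None):
        self.mask, self.rate_bps, self.burst = mask, rate_bps, burst
        self.share_by = share_by   # fields whose values select a shared policer
        self.table: Dict[tuple, TokenBucket] = {}   # flow entry -> its policer
        self.shared: Dict[tuple, TokenBucket] = {}  # group -> shared policer

    def _policer_for(self, pkt: Packet) -> TokenBucket:
        if self.share_by is None:
            return TokenBucket(self.rate_bps, self.burst, last=pkt.t)
        group = flow_key(pkt, self.share_by)
        if group not in self.shared:
            self.shared[group] = TokenBucket(self.rate_bps, self.burst, last=pkt.t)
        return self.shared[group]

    def process(self, pkt: Packet) -> Tuple[tuple, str]:
        key = flow_key(pkt, self.mask)
        if key not in self.table:                  # first packet creates the entry
            self.table[key] = self._policer_for(pkt)
        return key, self.table[key].police(pkt)


# Constructed sample: one host opens three TCP connections at t=0 and sends
# 1000-byte packets; committed rate 1000 B/s, burst 1500 B.
HOST = "10.0.0.1"
PKTS = [
    Packet(HOST, "192.0.2.10", 6, 40001, 443, 1000, 0.0),
    Packet(HOST, "192.0.2.10", 6, 40002, 443, 1000, 0.0),
    Packet(HOST, "192.0.2.11", 6, 40003, 80, 1000, 0.0),
    Packet(HOST, "192.0.2.10", 6, 40001, 443, 1000, 0.5),   # flow 1 again
]


def run(mask, share_by=None, pkts=PKTS, rate_bps=1000.0, burst=1500) -> dict:
    pol = FlowPolicer(mask, rate_bps, burst, share_by)
    verdicts = [pol.process(p)[1] for p in pkts]
    return {
        "entries": len(pol.table),
        "policers": len({id(b) for b in pol.table.values()}),
        "conform": verdicts.count("conform"),
        "exceed": verdicts.count("exceed"),
    }


if __name__ == "__main__":
    print("microflow      ", run(FULL))
    print("user-based     ", run(SRC_ONLY))
    print("shared policer ", run(FULL, share_by=SRC_ONLY))
```

With the full mask each connection gets its own entry and policer, so all four packets conform; with the source-only mask the host's three connections collapse into one entry and one bucket, and the second and third packets at t=0 are dropped. The third run keeps three full-mask entries but shares one policer between them, which gives the same drops as user-based rate limiting while still keeping three separate flow entries.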
Reflexive ACL
Reflexive ACLs filter IP packets based on upper-layer session information. They permit outbound traffic and limit inbound traffic to the replies for sessions that originate inside the trusted network. A reflexive entry is transparent to the filtering mechanism until an outbound data packet that matches it activates it; at that point a temporary ACL entry is created and added to the named IP access list. The temporary entry is built from the data packet's permit/deny bit, source IP address and port, destination IP address and port, and protocol type. When the entry is evaluated, the port information must match exactly if the protocol type is TCP or UDP; other protocols carry no port information to match. Once the entry is installed, the firewall is open to the reply packets, and for as long as it remains installed, anyone who can send packets from the permitted external address and port can reach the internal host behind the firewall. To narrow this window, an idle timeout period can be defined. For TCP, the entry can also be removed as soon as two FIN bits (the close from each side) or an RST are detected, without waiting for the idle timeout.
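The entry lifecycle described above, as an added simulation that is not IOS or ASIC code: an outbound packet matching a reflect-enabled permit creates a mirrored temporary entry, inbound packets are permitted only if they match it (exact ports for TCP and UDP, no port check for other protocols), and the entry is removed on idle timeout or, for TCP, when two FINs or an RST have been seen. The `Pkt`, `ReflexEntry`, `ReflexiveACL` and `scenario` names, the addresses and ports, and the 300-second idle timeout are all constructed for the example.

```python
"""Reflexive ACL entry lifecycle: added simulation, not IOS or ASIC code."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

TCP, UDP, ICMP = 6, 17, 1


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: int
    sport: Optional[int]       # None for protocols without ports
    dport: Optional[int]
    t: float                   # arrival time, seconds
    flags: FrozenSet[str] = frozenset()   # TCP flags seen, e.g. {"FIN", "ACK"}


@dataclass
class ReflexEntry:
    """Temporary permit for replies: external src/sport -> internal dst/dport."""
    proto: int
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    last_seen: float
    fins: int = 0              # FINs seen in either direction

    def matches(self, src, sport, dst, dport, proto) -> bool:
        if proto != self.proto or src != self.src or dst != self.dst:
            return False
        if proto in (TCP, UDP):                 # ports must match exactly
            return sport == self.sport and dport == self.dport
        return True                             # no port information to match


class ReflexiveACL:
    def __init__(self, idle_timeout: float):
        self.idle = idle_timeout
        self.entries: List[ReflexEntry] = []

    def _expire(self, now: float) -> None:
        self.entries = [e for e in self.entries if now - e.last_seen < self.idle]

    def _tcp_teardown(self, e: ReflexEntry, pkt: Pkt) -> None:
        if pkt.proto != TCP:
            return
        if "RST" in pkt.flags:
            self.entries.remove(e)
        elif "FIN" in pkt.flags:
            e.fins += 1
            if e.fins >= 2:                     # both sides have closed
                self.entries.remove(e)

    def outbound(self, pkt: Pkt) -> ReflexEntry:
        """Trusted-side packet that matched the permit carrying 'reflect'."""
        self._expire(pkt.t)
        for e in self.entries:                  # refresh an existing mirror
            if e.matches(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto):
                e.last_seen = pkt.t
                self._tcp_teardown(e, pkt)
                return e
        e = ReflexEntry(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.t)
        self.entries.append(e)
        return e

    def inbound(self, pkt: Pkt) -> str:
        """Untrusted-side packet checked against the temporary entries."""
        self._expire(pkt.t)
        for e in self.entries:
            if e.matches(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto):
                e.last_seen = pkt.t
                self._tcp_teardown(e, pkt)
                return "permit"
        return "deny"


INSIDE, OUTSIDE = "10.0.0.5", "198.51.100.7"   # constructed addresses


def scenario() -> Tuple[List[str], int]:
    """Constructed exchange; returns the inbound verdicts and entries left."""
    acl = ReflexiveACL(idle_timeout=300)
    v = []
    acl.outbound(Pkt(INSIDE, OUTSIDE, TCP, 40000, 443, 0.0, frozenset({"SYN"})))
    v.append(acl.inbound(Pkt(OUTSIDE, INSIDE, TCP, 443, 40000, 0.1, frozenset({"SYN", "ACK"}))))
    v.append(acl.inbound(Pkt(OUTSIDE, INSIDE, TCP, 443, 40001, 0.2)))   # wrong port
    v.append(acl.inbound(Pkt(OUTSIDE, INSIDE, UDP, 443, 40000, 0.3)))   # wrong protocol
    acl.outbound(Pkt(INSIDE, OUTSIDE, ICMP, None, None, 0.4))           # echo request
    v.append(acl.inbound(Pkt(OUTSIDE, INSIDE, ICMP, None, None, 0.5)))  # reply, no ports
    v.append(acl.inbound(Pkt(OUTSIDE, INSIDE, TCP, 443, 40000, 1.0, frozenset({"FIN", "ACK"}))))
    acl.outbound(Pkt(INSIDE, OUTSIDE, TCP, 40000, 443, 1.1, frozenset({"FIN", "ACK"})))  # 2nd FIN
    v.append(acl.inbound(Pkt(OUTSIDE, INSIDE, TCP, 443, 40000, 1.2, frozenset({"ACK"}))))  # entry gone
    v.append(acl.inbound(Pkt(OUTSIDE, INSIDE, ICMP, None, None, 400.0)))  # idle timeout passed
    return v, len(acl.entries)


if __name__ == "__main__":
    print(scenario())
```

The scenario shows the two ways an entry disappears: the TCP entry is gone after the second FIN, so the trailing ACK at t=1.2 is denied even though it matches the 5-tuple, while the ICMP entry, which has no ports to match and no FIN/RST to watch, survives until the 300-second idle timeout removes it. On IOS the same behaviour is configured by adding `reflect NAME [timeout N]` to a permit in the outbound named extended ACL and `evaluate NAME` in the inbound one.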