Downloads:
This chapter (PDF - 1.37MB)
The complete book (PDF - 3.0MB) |
The complete book (ePub - 475.0KB)
|
Feedback
|
Contents
- Flexible NetFlow Export of Cisco TrustSec Fields
- Finding Feature Information
- Restrictions for Flexible NetFlow Export of Cisco TrustSec Fields
- Information About Flexible NetFlow Export of Cisco TrustSec Fields
- Cisco TrustSec Fields in Flexible NetFlow
- How to Configure Flexible NetFlow Export of Cisco TrustSec Fields
- Configuring Cisco TrustSec Fields as Key Fields in the Flow Record
- Configuring Cisco TrustSec Fields as Non-Key Fields in the Flow Record
- Configuring a Flow Exporter
- Configuring a Flow Monitor
- Applying a Flow Monitor on an Interface
- Verifying Flexible NetFlow Export of Cisco TrustSec Fields
- Configuration Examples for Flexible NetFlow Export of Cisco TrustSec Fields
- Example: Configuring Cisco TrustSec Fields as Key Fields in the Flow Record
- Example: Configuring Cisco TrustSec Fields as Non-Key Fields in the Flow Record
- Example: Configuring a Flow Exporter
- Example: Configuring a Flow Monitor
- Example: Applying a Flow Monitor on an Interface
- Additional References for Flexible NetFlow Export of Cisco TrustSec Fields
- Feature Information for Flexible NetFlow Export of Cisco TrustSec Fields
Flexible NetFlow Export of Cisco TrustSec Fields
The Flexible NetFlow Export of Cisco TrustSec Fields feature supports the Cisco TrustSec fields in the Flexible NetFlow (FNF) flow record and helps to monitor, troubleshoot, and identify non-standard behavior for Cisco TrustSec deployments.
This module describes the interaction between Cisco TrustSec and FNF and how to configure and export Cisco TrustSec fields in the NetFlow Version 9 flow records.
- Finding Feature Information
- Restrictions for Flexible NetFlow Export of Cisco TrustSec Fields
- Information About Flexible NetFlow Export of Cisco TrustSec Fields
- How to Configure Flexible NetFlow Export of Cisco TrustSec Fields
- Configuration Examples for Flexible NetFlow Export of Cisco TrustSec Fields
- Additional References for Flexible NetFlow Export of Cisco TrustSec Fields
- Feature Information for Flexible NetFlow Export of Cisco TrustSec Fields
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Flexible NetFlow Export of Cisco TrustSec Fields
Information About Flexible NetFlow Export of Cisco TrustSec Fields
Cisco TrustSec Fields in Flexible NetFlow
The Cisco TrustSec fields, source security group tag (SGT) and destination security group tag (DGT), in the Flexible NetFlow (FNF) flow records help administrators correlate the flow with identity information. It enables network engineers to gain a detailed understanding of the customer use of the network and application resources. This information can then be used to efficiently plan and allocate access and application resources and to detect and resolve potential security and policy violations.
The Cisco TrustSec fields are supported for ingress and egress FNF and for unicast and multicast traffic.
The following table presents Netflow v9 enterprise specific field types for Cisco TrustSec that are used in the FNF templates for the Cisco TrustSec source and destination source group tags.The Cisco TrustSec fields are configured in addition to the existing match fields under the FNF flow record. The following configurations are used to add the Cisco TrustSec flow objects to the FNF flow record as key or non-key fields and to configure the source and destination security group tags for the packet.
- The match flow cts {source | destination} group-tag command is configured under the flow record to specify the Cisco TrustSec fields as key fields. The key fields differentiate flows, with each flow having a unique set of values for the key fields. A flow record requires at least one key field before it can be used in a flow monitor.
- The collect flow cts {source | destination} group-tag command is configured under flow record to specify the Cisco TrustSec fields as non-key fields. The values in non-key fields are added to flows to provide additional information about the traffic in the flows.
The flow record is then configured under flow monitor and the flow monitor is applied to the interface. To export the FNF data, a flow exporter needs to be configured and then added under the flow monitor.
How to Configure Flexible NetFlow Export of Cisco TrustSec Fields
Configuring Cisco TrustSec Fields as Key Fields in the Flow Record
SUMMARY STEPS
1. enable
2. configure terminal
3. flow record record-name
4. match {ipv4 | ipv6} protocol
5. match {ipv4 | ipv6} source address
6. match {ipv4 | ipv6} destination address
7. match transport source-port
8. match transport destination-port
9. match flow direction
10. match flow cts source group-tag
11. match flow cts destination group-tag
12. end
DETAILED STEPSConfiguring Cisco TrustSec Fields as Non-Key Fields in the Flow Record
SUMMARY STEPS
1. enable
2. configure terminal
3. flow record record-name
4. match {ipv4 | ipv6} protocol
5. match {ipv4 | ipv6} source address
6. match {ipv4 | ipv6} destination address
7. match transport source-port
8. match transport destination-port
9. collect flow direction
10. collect flow cts source group-tag
11. collect flow cts destination group-tag
12. collect counter packets
13. end
DETAILED STEPSConfiguring a Flow Exporter
Each flow exporter supports only one destination. If you want to export the data to multiple destinations, you must configure multiple flow exporters and assign them to the flow monitor.
Before You BeginSUMMARY STEPSEnsure that you create a flow record. For more information see the “Configuring Cisco TrustSec Fields as Non-Key Fields in the Flow Record” section and the “Configuring Cisco TrustSec Fields as Non-Key Fields in the Flow Record” section.
1. enable
2. configure terminal
3. flow exporter exporter-name
4. destination {ip-address | hostname} [vrf vrf-name]
5. end
DETAILED STEPSConfiguring a Flow Monitor
Before You BeginSUMMARY STEPSTo add a flow exporter to the flow monitor for data export, ensure that you create the flow exporter. For more information see the “Configuring a Flow Exporter” section.
1. enable
2. configure terminal
3. flow monitor monitor-name
4. record record-name
5. exporter exporter-name
6. end
DETAILED STEPSApplying a Flow Monitor on an Interface
Before You BeginSUMMARY STEPSEnsure that you create a flow monitor. For more information see the “Configuring a Flow Monitor” section.
1. enable
2. configure terminal
3. interface type number
4. {ip | ipv6} flow monitor monitor-name {input | output}
5. end
DETAILED STEPSVerifying Flexible NetFlow Export of Cisco TrustSec Fields
SUMMARY STEPS
1. enable
2. show flow record record-name
3. show flow exporter exporter-name
4. show flow monitor monitor-name
5. show flow monitor monitor-name cache
6. show flow interface type number
DETAILED STEPS
Configuration Examples for Flexible NetFlow Export of Cisco TrustSec Fields
Example: Configuring Cisco TrustSec Fields as Key Fields in the Flow Record
The following example shows how to configure the Cisco TrustSec flow objects as key fields in an IPv4 Flexible NetFlow flow record:
Device> enable Device# configure terminal Device(config)# flow record cts-record-ipv4 Device(config-flow-record)# match ipv4 protocol Device(config-flow-record)# match ipv4 source address Device(config-flow-record)# match ipv4 destination address Device(config-flow-record)# match transport source-port Device(config-flow-record)# match transport destination-port Device(config-flow-record)# match flow direction Device(config-flow-record)# match flow cts source group-tag Device(config-flow-record)# match flow cts destination group-tag Device(config-flow-record)# endExample: Configuring Cisco TrustSec Fields as Non-Key Fields in the Flow Record
The following example shows how to configure the Cisco TrustSec flow objects as non-key fields in an IPv4 Flexible NetFlow flow record:
Device> enable Device# configure terminal Device(config)# flow record cts-record-ipv4 Device(config-flow-record)# match ipv4 protocol Device(config-flow-record)# match ipv4 source address Device(config-flow-record)# match ipv4 destination address Device(config-flow-record)# match transport source-port Device(config-flow-record)# match transport destination-port Device(config-flow-record)# collect flow direction Device(config-flow-record)# collect flow cts source group-tag Device(config-flow-record)# collect flow cts destination group-tag Device(config-flow-record)# collect counter packets Device(config-flow-record)# endExample: Applying a Flow Monitor on an Interface
The following example shows how to activate an IPv4 flow monitor by applying it to an interface to analyze traffic. To activate an IPv6 flow monitor, replace the ip keyword with the ipv6 keyword.
Device> enable Device# configure terminal Device(config)# interface ethernet 0/0 Device(config-if)# ip flow monitor FLOW-MONITOR-1 input Device(config-if)# endAdditional References for Flexible NetFlow Export of Cisco TrustSec Fields
Related Documents
Related Topic
Document Title
Cisco IOS commands
Security commands
Data export in Flexible NetFlow
“Flexible NetFlow Output Features on Data Export” chapter in the Flexible Netflow Configuration Guide publication
Flexible NetFlow flow records and flow monitors
“Customizing Flexible NetFlow Flow Records and Flow Monitors” chapter in the Flexible Netflow Configuration Guide publication
Technical Assistance
Description
Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Feature Information for Flexible NetFlow Export of Cisco TrustSec Fields
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 Feature Information for Flexible NetFlow Export of Cisco TrustSec Fields Feature Name
Releases
Feature Information
Flexible NetFlow Export of Cisco TrustSec Fields
Cisco IOS 15.4(3)M
The Flexible NetFlow Export of Cisco TrustSec Fields feature supports the Cisco TrustSec fields in the Flexible NetFlow (FNF) flow record and helps to monitor, troubleshoot, and identify non-standard behavior for Cisco TrustSec deployments.
The following commands were introduced by this feature: match flow cts {source | destination} group-tag and collect flow cts {source | destination} group-tag.