Cisco TrustSec Configuration Guide, Cisco IOS Release 15M&T
Flexible NetFlow Export of Cisco TrustSec Fields
Downloads: This chapterpdf (PDF - 1.37MB) The complete bookPDF (PDF - 3.0MB) | The complete bookePub (ePub - 475.0KB) | Feedback

Flexible NetFlow Export of Cisco TrustSec Fields

Contents

Flexible NetFlow Export of Cisco TrustSec Fields

The Flexible NetFlow Export of Cisco TrustSec Fields feature supports the Cisco TrustSec fields in the Flexible NetFlow (FNF) flow record and helps to monitor, troubleshoot, and identify non-standard behavior for Cisco TrustSec deployments.

This module describes the interaction between Cisco TrustSec and FNF and how to configure and export Cisco TrustSec fields in the NetFlow Version 9 flow records.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Restrictions for Flexible NetFlow Export of Cisco TrustSec Fields

  • The security group tag (SGT) value exported in Flexible NetFlow (FNF) records is zero in the following scenarios:
    • The packet is received with an SGT value of zero from a trusted interface.
    • The packet is received without an SGT.
    • The SGT is not found during the IP-SGT lookup.
  • For Cisco ISR 3900E, ISR 3900, ISR 2950, ISR 2900, ISR 1900, and ISR 890 Platforms, Cisco TrustSec fields are supported for both IPv4 and IPv6 FNF records.

Information About Flexible NetFlow Export of Cisco TrustSec Fields

Cisco TrustSec Fields in Flexible NetFlow

The Cisco TrustSec fields, source security group tag (SGT) and destination security group tag (DGT), in the Flexible NetFlow (FNF) flow records help administrators correlate the flow with identity information. It enables network engineers to gain a detailed understanding of the customer use of the network and application resources. This information can then be used to efficiently plan and allocate access and application resources and to detect and resolve potential security and policy violations.

The Cisco TrustSec fields are supported for ingress and egress FNF and for unicast and multicast traffic.

The following table presents Netflow v9 enterprise specific field types for Cisco TrustSec that are used in the FNF templates for the Cisco TrustSec source and destination source group tags.

ID

Description

CTS_SRC_GROUP_TAG

Cisco Trusted Security Source Group Tag

CTS_DST_GROUP_TAG

Cisco Trusted Security Destination Group Tag

The Cisco TrustSec fields are configured in addition to the existing match fields under the FNF flow record. The following configurations are used to add the Cisco TrustSec flow objects to the FNF flow record as key or non-key fields and to configure the source and destination security group tags for the packet.
  • The match flow cts {source | destination} group-tag command is configured under the flow record to specify the Cisco TrustSec fields as key fields. The key fields differentiate flows, with each flow having a unique set of values for the key fields. A flow record requires at least one key field before it can be used in a flow monitor.
  • The collect flow cts {source | destination} group-tag command is configured under flow record to specify the Cisco TrustSec fields as non-key fields. The values in non-key fields are added to flows to provide additional information about the traffic in the flows.

The flow record is then configured under flow monitor and the flow monitor is applied to the interface. To export the FNF data, a flow exporter needs to be configured and then added under the flow monitor.

How to Configure Flexible NetFlow Export of Cisco TrustSec Fields

Configuring Cisco TrustSec Fields as Key Fields in the Flow Record

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    flow record record-name

    4.    match {ipv4 | ipv6} protocol

    5.    match {ipv4 | ipv6} source address

    6.    match {ipv4 | ipv6} destination address

    7.    match transport source-port

    8.    match transport destination-port

    9.    match flow direction

    10.    match flow cts source group-tag

    11.    match flow cts destination group-tag

    12.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 flow record record-name


    Example:
    Device(config)# flow record cts-record-ipv4
     

    Creates a new Flexible NetFlow (FNF) flow record, or modifies an existing FNF flow record, and enters Flexible NetFlow flow record configuration mode.

     
    Step 4 match {ipv4 | ipv6} protocol


    Example:
    Device(config-flow-record)# match ipv4 protocol
     

    (Optional) Configures the IPv4 protocol or IPv6 protocol as a key field for a flow record.

     
    Step 5 match {ipv4 | ipv6} source address


    Example:
    Device(config-flow-record)# match ipv4 source address
     

    (Optional) Configures the IPv4 or IPv6 source address as a key field for a flow record.

     
    Step 6 match {ipv4 | ipv6} destination address


    Example:
    Device(config-flow-record)# match ipv4 destination address
     

    (Optional) Configures the IPv4 or IPv6 destination address as a key field for a flow record.

     
    Step 7 match transport source-port


    Example:
    Device(config-flow-record)# match transport source-port
     

    (Optional) Configures the transport source port as a key field for a flow record.

     
    Step 8 match transport destination-port


    Example:
    Device(config-flow-record)# match transport destination-port
     

    (Optional) Configures the transport destination port as a key field for a flow record.

     
    Step 9 match flow direction


    Example:
    Device(config-flow-record)# match flow direction
     

    (Optional) Configures the direction in which the flow is monitored as a key field.

     
    Step 10 match flow cts source group-tag


    Example:
    Device(config-flow-record)# match flow cts source group-tag
     

    Configures the Cisco TrustSec source security group tag (SGT) in the FNF flow record as key fields.

     
    Step 11 match flow cts destination group-tag


    Example:
    Device(config-flow-record)# match flow cts destination group-tag
     

    Configures the Cisco TrustSec destination security group tag (DGT) in the FNF flow record as key fields.

     
    Step 12 end


    Example:
    Device(config-flow-record)# end
     

    Exits Flexible NetFlow flow record configuration mode and returns to privileged EXEC mode.

     

    Configuring Cisco TrustSec Fields as Non-Key Fields in the Flow Record

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    flow record record-name

      4.    match {ipv4 | ipv6} protocol

      5.    match {ipv4 | ipv6} source address

      6.    match {ipv4 | ipv6} destination address

      7.    match transport source-port

      8.    match transport destination-port

      9.    collect flow direction

      10.    collect flow cts source group-tag

      11.    collect flow cts destination group-tag

      12.    collect counter packets

      13.    end


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 flow record record-name


      Example:
      Device(config)# flow record cts-record-ipv4
       

      Creates a new Flexible NetFlow (FNF) flow record, or modifies an existing FNF flow record, and enters Flexible NetFlow flow record configuration mode.

       
      Step 4 match {ipv4 | ipv6} protocol


      Example:
      Device(config-flow-record)# match ipv4 protocol
       

      (Optional) Configures the IPv4 protocol or IPv6 protocol as a key field for a flow record.

       
      Step 5 match {ipv4 | ipv6} source address


      Example:
      Device(config-flow-record)# match ipv4 source address
       

      (Optional) Configures the IPv4 or IPv6 source address as a key field for a flow record.

       
      Step 6 match {ipv4 | ipv6} destination address


      Example:
      Device(config-flow-record)# match ipv4 destination address
       

      (Optional) Configures the IPv4 or IPv6 destination address as a key field for a flow record.

       
      Step 7 match transport source-port


      Example:
      Device(config-flow-record)# match transport source-port
       

      (Optional) Configures the transport source port as a key field for a flow record.

       
      Step 8 match transport destination-port


      Example:
      Device(config-flow-record)# match transport destination-port
       

      (Optional) Configures the transport destination port as a key field for a flow record.

       
      Step 9 collect flow direction


      Example:
      Device(config-flow-record)# collect flow direction
       

      (Optional) Configures the flow direction as a non-key field and enables the collection of the direction in which the flow was monitored.

       
      Step 10 collect flow cts source group-tag


      Example:
      Device(config-flow-record)# collect flow cts source group-tag
       

      Configures the Cisco TrustSec source security group tag (SGT) in the FNF flow record as non-key fields.

       
      Step 11 collect flow cts destination group-tag


      Example:
      Device(config-flow-record)# collect flow cts destination group-tag
       

      Configures the Cisco TrustSec destination security group tag (DGT) in the FNF flow record as non-key fields.

       
      Step 12 collect counter packets


      Example:
      Device(config-flow-record)# collect counter packets
       

      (Optional) Configures the number of packets seen in a flow as a non-key field and enables collecting the total number of packets from the flow.

       
      Step 13 end


      Example:
      Device(config-flow-record)# end
       

      Exits Flexible NetFlow flow record configuration mode and returns to privileged EXEC mode.

       

      Configuring a Flow Exporter

      Each flow exporter supports only one destination. If you want to export the data to multiple destinations, you must configure multiple flow exporters and assign them to the flow monitor.

      Before You Begin

      Ensure that you create a flow record. For more information see the “Configuring Cisco TrustSec Fields as Non-Key Fields in the Flow Record” section and the “Configuring Cisco TrustSec Fields as Non-Key Fields in the Flow Record” section.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    flow exporter exporter-name

        4.    destination {ip-address | hostname} [vrf vrf-name]

        5.    end


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Device> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.
         
        Step 2 configure terminal


        Example:
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3 flow exporter exporter-name


        Example:
        Device(config)# flow exporter EXPORTER-1
         

        Creates a flow exporter or modifies an existing flow exporter, and enters Flexible NetFlow flow exporter configuration mode.

         
        Step 4 destination {ip-address | hostname} [vrf vrf-name]


        Example:
        Device(config-flow-exporter)# destination 172.16.10.2
         

        Specifies the IP address or hostname of the destination system for the exporter.

         
        Step 5 end


        Example:
        Device(config-flow-exporter)# end
         

        Exits Flexible NetFlow flow exporter configuration mode and returns to privileged EXEC mode.

         

        Configuring a Flow Monitor

        Before You Begin

        To add a flow exporter to the flow monitor for data export, ensure that you create the flow exporter. For more information see the “Configuring a Flow Exporter” section.

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    flow monitor monitor-name

          4.    record record-name

          5.    exporter exporter-name

          6.    end


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 enable


          Example:
          Device> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.
           
          Step 2 configure terminal


          Example:
          Device# configure terminal
           

          Enters global configuration mode.

           
          Step 3 flow monitor monitor-name


          Example:
          Device(config)# flow monitor FLOW-MONITOR-1
           

          Creates a flow monitor or modifies an existing flow monitor, and enters Flexible NetFlow flow monitor configuration mode.

           
          Step 4 record record-name


          Example:
          Device(config-flow-monitor)# record FLOW-RECORD-1
           

          Specifies the record for the flow monitor.

           
          Step 5 exporter exporter-name


          Example:
          Device(config-flow-monitor)# exporter EXPORTER-1
           

          Specifies the exporter for the flow monitor.

           
          Step 6 end


          Example:
          Device(config-flow-monitor)# end
           

          Exits Flexible NetFlow flow monitor configuration mode and returns to privileged EXEC mode.

           

          Applying a Flow Monitor on an Interface

          To activate a flow monitor, the flow monitor must be applied to at least one interface.

          Before You Begin

          Ensure that you create a flow monitor. For more information see the “Configuring a Flow Monitor” section.

          SUMMARY STEPS

            1.    enable

            2.    configure terminal

            3.    interface type number

            4.    {ip | ipv6} flow monitor monitor-name {input | output}

            5.    end


          DETAILED STEPS
             Command or ActionPurpose
            Step 1 enable


            Example:
            Device> enable
             

            Enables privileged EXEC mode.

            • Enter your password if prompted.
             
            Step 2 configure terminal


            Example:
            Device# configure terminal
             

            Enters global configuration mode.

             
            Step 3 interface type number


            Example:
            Device(config)# interface ethernet 0/0
             

            Specifies an interface and enters interface configuration mode.

             
            Step 4 {ip | ipv6} flow monitor monitor-name {input | output}


            Example:
            Device (config-if)# ip flow monitor FLOW-MONITOR-1 input
             

            Activates a flow monitor that was created previously by assigning it to the interface to analyze traffic.

             
            Step 5 end


            Example:
            Device(config-if)# end
             

            Exits interface configuration mode and returns to privileged EXEC mode.

             

            Verifying Flexible NetFlow Export of Cisco TrustSec Fields

            SUMMARY STEPS

              1.    enable

              2.    show flow record record-name

              3.    show flow exporter exporter-name

              4.    show flow monitor monitor-name

              5.    show flow monitor monitor-name cache

              6.    show flow interface type number


            DETAILED STEPS
              Step 1   enable

              Enables privileged EXEC mode.

              • Enter your password if prompted.




              Example:
              Device> enable
              Step 2   show flow record record-name

              Displays the details of the specified Flexible NetFlow (FNF) flow record.




              Example:
              Device> show flow record cts-recordipv4
              
              flow record cts-recordipv4:
                Description:        User defined
                No. of users:       1
                Total field space:  30 bytes
                Fields:
                  match ipv4 protocol
                  match ipv4 source address
                  match ipv4 destination address
                  match transport source-port
                  match transport destination-port
                  match interface input
                  match interface output
                  match flow direction
                  match flow cts source group-tag
                  match flow cts destination group-tag
                  collect counter packets
              
              
              Step 3   show flow exporter exporter-name

              Displays the current status of the specified FNF flow exporter.




              Example:
              Device> show flow exporter EXPORTER-1
              
              Flow Exporter EXPORTER-1:
                Description:              User defined
                Export protocol:          NetFlow Version 9
                Transport Configuration:
                  Destination IP address: 100.100.100.1
                  Source IP address:      3.3.3.2
                  Transport Protocol:     UDP
                  Destination Port:       2055
                  Source Port:            65252
                  DSCP:                   0x0
                  TTL:                    255
                  Output Features:        Used
              
              
              Step 4   show flow monitor monitor-name

              Displays the status and statistics of the specified FNF flow monitor.




              Example:
              Device> show flow monitor FLOW-MONITOR-1
              
              Flow Monitor FLOW-MONITOR-1:
                Description:       User defined
                Flow Record:       cts-recordipv4
                Flow Exporter:     EXPORTER-1
                Cache:
                  Type:                 normal (Platform cache)
                  Status:               allocated
                  Size:                 200000 entries
                  Inactive Timeout:     60 secs
                  Active Timeout:       1800 secs
                  Update Timeout:       1800 secs
                  Synchronized Timeout: 600 secs
                  Trans end aging:      off
              
              
              Step 5   show flow monitor monitor-name cache

              Displays the contents of the specified FNF flow monitor cache.




              Example:
              Device> show flow monitor FLOW-MONITOR-1 cache
              
                Cache type:                              		 Normal
                Cache size:                                 4096
                Current entries:                            2
                High Watermark:                            	2
              
                Flows added:                                6
                Flows aged:                                 4
                  - Active timeout      (1800 secs)  	      0
                  - Inactive timeout    (15 secs)    	      4
                  - Event aged                              0
                  - Watermark aged                          0
                  - Emergency aged                          0
              
                IPV4 SOURCE ADDRESS:       		               10.1.0.1
                IPV4 DESTINATION ADDRESS:  	                172.16.2.0
                TRNS SOURCE PORT:          		               58817
                TRNS DESTINATION PORT:     	                23
                FLOW DIRECTION:            		               Input
                IP PROTOCOL:               		               6
                SOURCE GROUP TAG: 				                      100
                DESTINATION GROUP TAG: 		                   200
                counter packets:           		               10
              
                IPV4 SOURCE ADDRESS:       		               172.16.2.0
                IPV4 DESTINATION ADDRESS:  	                10.1.0.1
                TRNS SOURCE PORT:          		               23
                TRNS DESTINATION PORT:     	                58817
                FLOW DIRECTION:            		               Output
                IP PROTOCOL:               				             6
                SOURCE GROUP TAG: 				                      200
                DESTINATION GROUP TAG:		                    100
                counter packets:           				             8
              
              
              Step 6   show flow interface type number

              Displays the details of the FNF flow monitor applied on the specified interface. If a flow monitor is not applied on the interface, then the output is empty.




              Example:
              Device>  show flow interface GigabitEthernet0/0/3
              
              Interface GigabitEthernet0/0/3
                FNF:  monitor:          FLOW-MONITOR-1
                      direction:        Input
                      traffic(ip):      on
                FNF:  monitor:          FLOW-MONITOR-1
                      direction:        Output
                      traffic(ip):      on
              
              

              Configuration Examples for Flexible NetFlow Export of Cisco TrustSec Fields

              Example: Configuring Cisco TrustSec Fields as Key Fields in the Flow Record

              The following example shows how to configure the Cisco TrustSec flow objects as key fields in an IPv4 Flexible NetFlow flow record:

              Device> enable
              Device# configure terminal
              Device(config)# flow record cts-record-ipv4
              Device(config-flow-record)# match ipv4 protocol
              Device(config-flow-record)# match ipv4 source address
              Device(config-flow-record)# match ipv4 destination address
              Device(config-flow-record)# match transport source-port
              Device(config-flow-record)# match transport destination-port
              Device(config-flow-record)# match flow direction
              Device(config-flow-record)# match flow cts source group-tag
              Device(config-flow-record)# match flow cts destination group-tag
              Device(config-flow-record)# end
              
              

              Example: Configuring Cisco TrustSec Fields as Non-Key Fields in the Flow Record

              The following example shows how to configure the Cisco TrustSec flow objects as non-key fields in an IPv4 Flexible NetFlow flow record:

              Device> enable
              Device# configure terminal
              Device(config)# flow record cts-record-ipv4
              Device(config-flow-record)# match ipv4 protocol
              Device(config-flow-record)# match ipv4 source address
              Device(config-flow-record)# match ipv4 destination address
              Device(config-flow-record)# match transport source-port
              Device(config-flow-record)# match transport destination-port
              Device(config-flow-record)# collect flow direction
              Device(config-flow-record)# collect flow cts source group-tag
              Device(config-flow-record)# collect flow cts destination group-tag
              Device(config-flow-record)# collect counter packets
              Device(config-flow-record)# end
              
              

              Example: Configuring a Flow Exporter

              Device> enable
              Device# configure terminal
              Device(config)# flow exporter EXPORTER-1
              Device(config-flow-exporter)# destination 172.16.10.2
              Device(config-flow-exporter)# end
              
              

              Example: Configuring a Flow Monitor

              Device> enable
              Device# configure terminal
              Device(config)# flow monitor FLOW-MONITOR-1
              Device(config-flow-monitor)# record FLOW-RECORD-1
              Device(config-flow-monitor)# exporter EXPORTER-1
              Device(config-flow-monitor)# end
              
              

              Example: Applying a Flow Monitor on an Interface

              The following example shows how to activate an IPv4 flow monitor by applying it to an interface to analyze traffic. To activate an IPv6 flow monitor, replace the ip keyword with the ipv6 keyword.

              Device> enable
              Device# configure terminal
              Device(config)# interface ethernet 0/0
              Device(config-if)# ip flow monitor FLOW-MONITOR-1 input
              Device(config-if)# end
              
              

              Additional References for Flexible NetFlow Export of Cisco TrustSec Fields

              Related Documents

              Related Topic

              Document Title

              Cisco IOS commands

              Cisco IOS Master Command List, All Releases

              Security commands

              Data export in Flexible NetFlow

              “Flexible NetFlow Output Features on Data Export” chapter in the Flexible Netflow Configuration Guide publication

              Flexible NetFlow flow records and flow monitors

              “Customizing Flexible NetFlow Flow Records and Flow Monitors” chapter in the Flexible Netflow Configuration Guide publication

              Technical Assistance

              Description

              Link

              The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

              To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

              Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

              http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

              Feature Information for Flexible NetFlow Export of Cisco TrustSec Fields

              The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

              Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

              Table 1 Feature Information for Flexible NetFlow Export of Cisco TrustSec Fields

              Feature Name

              Releases

              Feature Information

              Flexible NetFlow Export of Cisco TrustSec Fields

              Cisco IOS 15.4(3)M

              The Flexible NetFlow Export of Cisco TrustSec Fields feature supports the Cisco TrustSec fields in the Flexible NetFlow (FNF) flow record and helps to monitor, troubleshoot, and identify non-standard behavior for Cisco TrustSec deployments.

              The following commands were introduced by this feature: match flow cts {source | destination} group-tag and collect flow cts {source | destination} group-tag.