Flexible NetFlow
Export of Cisco TrustSec Fields
The Flexible NetFlow Export of Cisco TrustSec
Fields feature supports the Cisco TrustSec fields in the Flexible NetFlow (FNF)
flow record and helps to monitor, troubleshoot, and identify non-standard
behavior for Cisco TrustSec deployments.
This module describes the interaction between Cisco TrustSec and FNF
and how to configure and export Cisco TrustSec fields in the NetFlow Version 9
flow records.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for
Flexible NetFlow Export of Cisco TrustSec Fields
-
The security
group tag (SGT) value exported in Flexible NetFlow (FNF) records is zero in the
following scenarios:
-
The packet
is received with an SGT value of zero from a trusted interface.
-
The packet
is received without an SGT.
-
The SGT is not found during the IP-SGT lookup.
-
For Cisco ISR
3900E, ISR 3900, ISR 2950, ISR 2900, ISR 1900, and ISR 890 Platforms, Cisco
TrustSec fields are supported for both IPv4 and IPv6 FNF records.
Information About Flexible NetFlow Export of Cisco TrustSec Fields
Cisco TrustSec
Fields in Flexible NetFlow
The Cisco TrustSec fields, source security group tag (SGT) and
destination security group tag (DGT), in the Flexible NetFlow (FNF) flow
records help administrators correlate the flow with identity information. It
enables network engineers to gain a detailed understanding of the customer use
of the network and application resources. This information can then be used to
efficiently plan and allocate access and application resources and to detect
and resolve potential security and policy violations.
The Cisco TrustSec fields are supported for ingress and egress FNF and
for unicast and multicast traffic.
The following table presents Netflow v9 enterprise specific field types
for Cisco TrustSec that are used in the FNF templates for the Cisco TrustSec
source and destination source group tags.
ID
|
Description
|
CTS_SRC_GROUP_TAG
|
Cisco Trusted Security Source Group Tag
|
CTS_DST_GROUP_TAG
|
Cisco Trusted Security Destination Group Tag
|
The Cisco TrustSec fields are configured in addition to the existing
match fields under the FNF flow record. The following configurations are used
to add the Cisco TrustSec flow objects to the FNF flow record as key or non-key
fields and to configure the source and destination security group tags for the
packet.
-
The
match flow cts {source | destination}
group-tag command is configured under the flow record to specify
the Cisco TrustSec fields as key fields. The key fields differentiate flows,
with each flow having a unique set of values for the key fields. A flow record
requires at least one key field before it can be used in a flow monitor.
-
The
collect flow cts {source | destination}
group-tag command is configured under flow record to specify the
Cisco TrustSec fields as non-key fields. The values in non-key fields are added
to flows to provide additional information about the traffic in the flows.
The flow record is then configured under flow monitor and the flow
monitor is applied to the interface. To export the FNF data, a flow exporter
needs to be configured and then added under the flow monitor.
How to Configure Flexible NetFlow Export of Cisco TrustSec Fields
Configuring Cisco
TrustSec Fields as Key Fields in the Flow Record
SUMMARY STEPS1.
enable
2.
configure
terminal
3.
flow record
record-name
4.
match {ipv4 |
ipv6}
protocol
5.
match {ipv4 |
ipv6}
source address
6.
match {ipv4 |
ipv6}
destination address
7.
match transport source-port
8.
match transport destination-port
9.
match flow direction
10.
match flow cts source group-tag
11.
match flow cts destination group-tag
12.
end
DETAILED STEPS | Command or Action | Purpose |
---|
Step 1 |
enable
Example:
|
Enables privileged EXEC mode.
|
Step 2 |
configure
terminal
Example:
Device# configure terminal
|
Enters global configuration mode.
|
Step 3 |
flow record
record-name
Example:
Device(config)# flow record cts-record-ipv4
|
Creates a new Flexible NetFlow (FNF) flow record, or modifies an
existing FNF flow record, and enters Flexible NetFlow flow record configuration
mode.
|
Step 4 |
match {ipv4 |
ipv6}
protocol
Example:
Device(config-flow-record)# match ipv4 protocol
|
(Optional) Configures the IPv4 protocol or IPv6 protocol as a key
field for a flow record.
|
Step 5 |
match {ipv4 |
ipv6}
source address
Example:
Device(config-flow-record)# match ipv4 source address
|
(Optional) Configures the IPv4 or IPv6 source address as a key
field for a flow record.
|
Step 6 |
match {ipv4 |
ipv6}
destination address
Example:
Device(config-flow-record)# match ipv4 destination address
|
(Optional) Configures the IPv4 or IPv6 destination address as a
key field for a flow record.
|
Step 7 |
match transport source-port
Example:
Device(config-flow-record)# match transport source-port
|
(Optional) Configures the transport source port as a key field
for a flow record.
|
Step 8 |
match transport destination-port
Example:
Device(config-flow-record)# match transport destination-port
|
(Optional) Configures the transport destination port as a key
field for a flow record.
|
Step 9 |
match flow direction
Example:
Device(config-flow-record)# match flow direction
|
(Optional) Configures the direction in which the flow is
monitored as a key field.
|
Step 10 |
match flow cts source group-tag
Example:
Device(config-flow-record)# match flow cts source group-tag
|
Configures the Cisco TrustSec source security group tag (SGT) in
the FNF flow record as key fields.
|
Step 11 |
match flow cts destination group-tag
Example:
Device(config-flow-record)# match flow cts destination group-tag
|
Configures the Cisco TrustSec destination security group tag
(DGT) in the FNF flow record as key fields.
|
Step 12 |
end
Example:
Device(config-flow-record)# end
|
Exits Flexible NetFlow flow record configuration mode and returns
to privileged EXEC mode.
|
Configuring Cisco
TrustSec Fields as Non-Key Fields in the Flow Record
SUMMARY STEPS1.
enable
2.
configure
terminal
3.
flow record
record-name
4.
match {ipv4 |
ipv6}
protocol
5.
match {ipv4 |
ipv6}
source address
6.
match {ipv4 |
ipv6}
destination address
7.
match transport source-port
8.
match transport destination-port
9.
collect flow direction
10.
collect flow cts source group-tag
11.
collect flow cts destination group-tag
12.
collect counter packets
13.
end
DETAILED STEPS | Command or Action | Purpose |
---|
Step 1 |
enable
Example:
|
Enables privileged EXEC mode.
|
Step 2 |
configure
terminal
Example:
Device# configure terminal
|
Enters global configuration mode.
|
Step 3 |
flow record
record-name
Example:
Device(config)# flow record cts-record-ipv4
|
Creates a new Flexible NetFlow (FNF) flow record, or modifies an
existing FNF flow record, and enters Flexible NetFlow flow record configuration
mode.
|
Step 4 |
match {ipv4 |
ipv6}
protocol
Example:
Device(config-flow-record)# match ipv4 protocol
|
(Optional) Configures the IPv4 protocol or IPv6 protocol as a key
field for a flow record.
|
Step 5 |
match {ipv4 |
ipv6}
source address
Example:
Device(config-flow-record)# match ipv4 source address
|
(Optional) Configures the IPv4 or IPv6 source address as a key
field for a flow record.
|
Step 6 |
match {ipv4 |
ipv6}
destination address
Example:
Device(config-flow-record)# match ipv4 destination address
|
(Optional) Configures the IPv4 or IPv6 destination address as a
key field for a flow record.
|
Step 7 |
match transport source-port
Example:
Device(config-flow-record)# match transport source-port
|
(Optional) Configures the transport source port as a key field
for a flow record.
|
Step 8 |
match transport destination-port
Example:
Device(config-flow-record)# match transport destination-port
|
(Optional) Configures the transport destination port as a key
field for a flow record.
|
Step 9 |
collect flow direction
Example:
Device(config-flow-record)# collect flow direction
|
(Optional) Configures the flow direction as a non-key field and
enables the collection of the direction in which the flow was monitored.
|
Step 10 |
collect flow cts source group-tag
Example:
Device(config-flow-record)# collect flow cts source group-tag
|
Configures the Cisco TrustSec source security group tag (SGT) in
the FNF flow record as non-key fields.
|
Step 11 |
collect flow cts destination group-tag
Example:
Device(config-flow-record)# collect flow cts destination group-tag
|
Configures the Cisco TrustSec destination security group tag
(DGT) in the FNF flow record as non-key fields.
|
Step 12 |
collect counter packets
Example:
Device(config-flow-record)# collect counter packets
|
(Optional) Configures the number of packets seen in a flow as a
non-key field and enables collecting the total number of packets from the flow.
|
Step 13 |
end
Example:
Device(config-flow-record)# end
|
Exits Flexible NetFlow flow record configuration mode and returns
to privileged EXEC mode.
|
Configuring a Flow
Exporter
Each flow exporter supports only one destination. If you want to
export the data to multiple destinations, you must configure multiple flow
exporters and assign them to the flow monitor.
Before You Begin
Ensure that you create a flow record. For more information see the
“Configuring Cisco TrustSec Fields as Non-Key Fields in the Flow Record”
section and the “Configuring Cisco TrustSec Fields as Non-Key Fields in the
Flow Record” section.
SUMMARY STEPS1.
enable
2.
configure
terminal
3.
flow exporter
exporter-name
4.
destination {ip-address |
hostname} [vrf
vrf-name]
5.
end
DETAILED STEPS | Command or Action | Purpose |
---|
Step 1 |
enable
Example:
|
Enables privileged EXEC mode.
|
Step 2 |
configure
terminal
Example:
Device# configure terminal
|
Enters global configuration mode.
|
Step 3 |
flow exporter
exporter-name
Example:
Device(config)# flow exporter EXPORTER-1
|
Creates a flow exporter or modifies an existing flow exporter, and
enters Flexible NetFlow flow exporter configuration mode.
|
Step 4 |
destination {ip-address |
hostname} [vrf
vrf-name]
Example:
Device(config-flow-exporter)# destination 172.16.10.2
|
Specifies the IP address or hostname of the destination system for
the exporter.
|
Step 5 |
end
Example:
Device(config-flow-exporter)# end
|
Exits Flexible NetFlow flow exporter configuration mode and
returns to privileged EXEC mode.
|
Configuring a Flow
Monitor
Before You Begin
To add a flow exporter to the flow monitor for data export, ensure
that you create the flow exporter. For more information see the “Configuring a
Flow Exporter” section.
SUMMARY STEPS1.
enable
2.
configure
terminal
3.
flow monitor
monitor-name
4.
record
record-name
5.
exporter
exporter-name
6.
end
DETAILED STEPS | Command or Action | Purpose |
---|
Step 1 |
enable
Example:
|
Enables privileged EXEC mode.
|
Step 2 |
configure
terminal
Example:
Device# configure terminal
|
Enters global configuration mode.
|
Step 3 |
flow monitor
monitor-name
Example:
Device(config)# flow monitor FLOW-MONITOR-1
|
Creates a flow monitor or modifies an existing flow monitor, and
enters Flexible NetFlow flow monitor configuration mode.
|
Step 4 |
record
record-name
Example:
Device(config-flow-monitor)# record FLOW-RECORD-1
|
Specifies the record for the flow monitor.
|
Step 5 |
exporter
exporter-name
Example:
Device(config-flow-monitor)# exporter EXPORTER-1
|
Specifies the exporter for the flow monitor.
|
Step 6 |
end
Example:
Device(config-flow-monitor)# end
|
Exits Flexible NetFlow flow monitor configuration mode and returns
to privileged EXEC mode.
|
Applying a Flow
Monitor on an Interface
To activate a flow monitor, the flow monitor must be applied to at
least one interface.
Before You Begin
Ensure that you create a flow monitor. For more information see the
“Configuring a Flow Monitor” section.
SUMMARY STEPS1.
enable
2.
configure
terminal
3.
interface
type number
4.
{ip |
ipv6}
flow monitor
monitor-name {input |
output}
5.
end
DETAILED STEPS | Command or Action | Purpose |
---|
Step 1 |
enable
Example:
|
Enables privileged EXEC mode.
|
Step 2 |
configure
terminal
Example:
Device# configure terminal
|
Enters global configuration mode.
|
Step 3 |
interface
type number
Example:
Device(config)# interface ethernet 0/0
|
Specifies an interface and enters interface configuration mode.
|
Step 4 |
{ip |
ipv6}
flow monitor
monitor-name {input |
output}
Example:
Device (config-if)# ip flow monitor FLOW-MONITOR-1 input
|
Activates a flow monitor that was created previously by assigning
it to the interface to analyze traffic.
|
Step 5 |
end
Example:
|
Exits interface configuration mode and returns to privileged EXEC
mode.
|
Verifying Flexible
NetFlow Export of Cisco TrustSec Fields
SUMMARY STEPS1.
enable
2.
show flow record
record-name
3.
show flow exporter
exporter-name
4.
show flow monitor
monitor-name
5.
show flow monitor
monitor-name
cache
6.
show flow interface
type number
DETAILED STEPS
Step 1
|
enable
Enables
privileged EXEC mode.
Example:
|
Step 2
|
show flow record
record-name
Displays the
details of the specified Flexible NetFlow (FNF) flow record.
Example:
Device> show flow record cts-recordipv4
flow record cts-recordipv4:
Description: User defined
No. of users: 1
Total field space: 30 bytes
Fields:
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match interface output
match flow direction
match flow cts source group-tag
match flow cts destination group-tag
collect counter packets
|
Step 3
|
show flow exporter
exporter-name
Displays the
current status of the specified FNF flow exporter.
Example:
Device> show flow exporter EXPORTER-1
Flow Exporter EXPORTER-1:
Description: User defined
Export protocol: NetFlow Version 9
Transport Configuration:
Destination IP address: 100.100.100.1
Source IP address: 3.3.3.2
Transport Protocol: UDP
Destination Port: 2055
Source Port: 65252
DSCP: 0x0
TTL: 255
Output Features: Used
|
Step 4
|
show flow monitor
monitor-name
Displays the
status and statistics of the specified FNF flow monitor.
Example:
Device> show flow monitor FLOW-MONITOR-1
Flow Monitor FLOW-MONITOR-1:
Description: User defined
Flow Record: cts-recordipv4
Flow Exporter: EXPORTER-1
Cache:
Type: normal (Platform cache)
Status: allocated
Size: 200000 entries
Inactive Timeout: 60 secs
Active Timeout: 1800 secs
Update Timeout: 1800 secs
Synchronized Timeout: 600 secs
Trans end aging: off
|
Step 5
|
show flow monitor
monitor-name
cache
Displays the contents of the specified FNF flow monitor cache.
Example:
Device> show flow monitor FLOW-MONITOR-1 cache
Cache type: Normal
Cache size: 4096
Current entries: 2
High Watermark: 2
Flows added: 6
Flows aged: 4
- Active timeout (1800 secs) 0
- Inactive timeout (15 secs) 4
- Event aged 0
- Watermark aged 0
- Emergency aged 0
IPV4 SOURCE ADDRESS: 10.1.0.1
IPV4 DESTINATION ADDRESS: 172.16.2.0
TRNS SOURCE PORT: 58817
TRNS DESTINATION PORT: 23
FLOW DIRECTION: Input
IP PROTOCOL: 6
SOURCE GROUP TAG: 100
DESTINATION GROUP TAG: 200
counter packets: 10
IPV4 SOURCE ADDRESS: 172.16.2.0
IPV4 DESTINATION ADDRESS: 10.1.0.1
TRNS SOURCE PORT: 23
TRNS DESTINATION PORT: 58817
FLOW DIRECTION: Output
IP PROTOCOL: 6
SOURCE GROUP TAG: 200
DESTINATION GROUP TAG: 100
counter packets: 8
|
Step 6
|
show flow interface
type number
Displays the details of the FNF flow monitor applied on the
specified interface. If a flow monitor is not applied on the interface, then
the output is empty.
Example:
Device> show flow interface GigabitEthernet0/0/3
Interface GigabitEthernet0/0/3
FNF: monitor: FLOW-MONITOR-1
direction: Input
traffic(ip): on
FNF: monitor: FLOW-MONITOR-1
direction: Output
traffic(ip): on
|
Configuration Examples for Flexible NetFlow Export of Cisco TrustSec Fields
Example:
Configuring Cisco TrustSec Fields as Key Fields in the Flow Record
The following
example shows how to configure the Cisco TrustSec flow objects as key fields in
an IPv4 Flexible NetFlow flow record:
Device> enable
Device# configure terminal
Device(config)# flow record cts-record-ipv4
Device(config-flow-record)# match ipv4 protocol
Device(config-flow-record)# match ipv4 source address
Device(config-flow-record)# match ipv4 destination address
Device(config-flow-record)# match transport source-port
Device(config-flow-record)# match transport destination-port
Device(config-flow-record)# match flow direction
Device(config-flow-record)# match flow cts source group-tag
Device(config-flow-record)# match flow cts destination group-tag
Device(config-flow-record)# end
Example:
Configuring Cisco TrustSec Fields as Non-Key Fields in the Flow Record
The following
example shows how to configure the Cisco TrustSec flow objects as non-key
fields in an IPv4 Flexible NetFlow flow record:
Device> enable
Device# configure terminal
Device(config)# flow record cts-record-ipv4
Device(config-flow-record)# match ipv4 protocol
Device(config-flow-record)# match ipv4 source address
Device(config-flow-record)# match ipv4 destination address
Device(config-flow-record)# match transport source-port
Device(config-flow-record)# match transport destination-port
Device(config-flow-record)# collect flow direction
Device(config-flow-record)# collect flow cts source group-tag
Device(config-flow-record)# collect flow cts destination group-tag
Device(config-flow-record)# collect counter packets
Device(config-flow-record)# end
Example:
Configuring a Flow Exporter
Device> enable
Device# configure terminal
Device(config)# flow exporter EXPORTER-1
Device(config-flow-exporter)# destination 172.16.10.2
Device(config-flow-exporter)# end
Example:
Configuring a Flow Monitor
Device> enable
Device# configure terminal
Device(config)# flow monitor FLOW-MONITOR-1
Device(config-flow-monitor)# record FLOW-RECORD-1
Device(config-flow-monitor)# exporter EXPORTER-1
Device(config-flow-monitor)# end
Example: Applying
a Flow Monitor on an Interface
The following
example shows how to activate an IPv4 flow monitor by applying it to an
interface to analyze traffic. To activate an IPv6 flow monitor, replace the
ip keyword
with the
ipv6 keyword.
Device> enable
Device# configure terminal
Device(config)# interface ethernet 0/0
Device(config-if)# ip flow monitor FLOW-MONITOR-1 input
Device(config-if)# end
Additional
References for Flexible NetFlow Export of Cisco TrustSec Fields
Related Documents
Related Topic
|
Document Title
|
Cisco IOS commands
|
Cisco
IOS Master Command List, All Releases
|
Security commands
|
|
Data export in Flexible NetFlow
|
“Flexible NetFlow Output Features on Data Export” chapter
in the
Flexible Netflow Configuration Guide publication
|
Flexible NetFlow flow records and flow monitors
|
“Customizing Flexible NetFlow Flow Records and Flow
Monitors” chapter in the
Flexible Netflow Configuration Guide publication
|
Technical
Assistance
Description
|
Link
|
The
Cisco Support website provides extensive online resources, including
documentation and tools for troubleshooting and resolving technical issues with
Cisco products and technologies.
To
receive security and technical information about your products, you can
subscribe to various services, such as the Product Alert Tool (accessed from
Field Notices), the Cisco Technical Services Newsletter, and Really Simple
Syndication (RSS) Feeds.
Access
to most tools on the Cisco Support website requires a Cisco.com user ID and
password.
|
http://www.cisco.com/cisco/web/support/index.html
|
Feature
Information for Flexible NetFlow Export of Cisco TrustSec Fields
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 Feature
Information for Flexible NetFlow Export of Cisco TrustSec Fields
Feature Name
|
Releases
|
Feature
Information
|
Flexible
NetFlow Export of Cisco TrustSec Fields
|
Cisco IOS 15.4(3)M
|
The Flexible NetFlow Export of Cisco TrustSec
Fields feature supports the Cisco TrustSec fields in the Flexible NetFlow (FNF)
flow record and helps to monitor, troubleshoot, and identify non-standard
behavior for Cisco TrustSec deployments.
The following commands were introduced by this feature:
match flow cts {source | destination}
group-tag and
collect flow cts {source | destination}
group-tag.
|