Detecting and Analyzing Network Threats With NetFlow
Last Updated: May 10, 2012
This document contains information about and instructions for detecting and analyzing network threats such as denial of service (DoS) attacks through the use of the following NetFlow features: NetFlow Layer 2 and Security Monitoring Exports, NetFlow Dynamic Top Talkers CLI, NetFlow Top Talkers, NetFlow Input Filters, and Random Sampled NetFlow.
Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Detecting and Analyzing Network Threats With NetFlow

Before you can use NetFlow to detect and analyze network threats, you need to understand NetFlow and how to configure your router to capture IP traffic status and statistics with it. See the Cisco IOS NetFlow Overview and Configuring NetFlow and NetFlow Data Export modules for details. Cisco Express Forwarding (CEF) or distributed CEF (dCEF) must be configured on your system before you enable NetFlow.

Information About Detecting and Analyzing Network Threats With NetFlow
NetFlow Layer 2 and Security Monitoring

The Layer 2 and Layer 3 fields supported by the NetFlow Layer 2 and Security Monitoring Exports feature increase the amount of information that NetFlow can obtain about the traffic in your network. You can use this information for applications such as traffic engineering and usage-based billing. The Layer 3 fields improve the ability of NetFlow to identify DoS attacks; the Layer 2 fields (MAC addresses and VLAN IDs) help identify the path that the attack is taking through the network.

The Layer 2 and Layer 3 fields captured by this feature are not key fields. They provide additional information about the traffic in an existing flow and never cause a new flow to be created. A change in the value of a NetFlow key field, such as the source IP address, from one packet to the next does result in the creation of a new flow. For example, if the first packet captured by NetFlow has a source IP address of 10.34.0.2 and the second packet has a source IP address of 172.16.213.65, NetFlow creates two separate flows.

Most DoS attacks consist of an attacker sending the same type of IP datagram repeatedly in an attempt to overwhelm target systems. The incoming traffic therefore often has similar characteristics, such as the same value in every datagram for one or more of the fields that the feature can capture (for example, identical TTL and packet length values across flows from many different source addresses). The originator of a DoS attack cannot easily be identified from the IP source address, because that address is usually forged. However, you can trace the traffic back through the network to the router on which it is arriving by capturing the MAC address and VLAN ID fields: the source MAC address of the frames identifies the Layer 2 hop that delivered them, whatever the IP header claims. If the router on which the traffic is arriving supports NetFlow, you can configure the feature on it as well to identify the interface on which the traffic is arriving.
The figure below shows an example of an attack in progress.
Once you have concluded that a DoS attack is taking place by analyzing the Layer 3 fields in the NetFlow flows, you can analyze the Layer 2 fields in the flows to discover the path that the DoS attack is taking through the network. An analysis of the data captured by the NetFlow Layer 2 and Security Monitoring Exports feature, for the scenario shown in the above figure, indicates that the DoS attack is arriving on Router C, because the upstream MAC address is from the interface that connects Router C to Switch A. It is also evident that there are no routers between the target host (the e-mail server) and the NetFlow router, because the destination MAC address of the DoS traffic that the NetFlow router is forwarding to the e-mail server is the MAC address of the e-mail server. You can learn the MAC address that Host C is using to send traffic to Router C by configuring the NetFlow Layer 2 and Security Monitoring Exports feature on Router C. The source MAC address will be from Host C. The destination MAC address will be for the interface on the NetFlow router. Once you know the MAC address that Host C is using and the interface on Router C on which Host C's DoS attack is arriving, you can mitigate the attack by reconfiguring Router C to block Host C's traffic. If Host C is on a dedicated interface, you can disable the interface. If Host C is using an interface that carries traffic from other users, you must configure your firewall to block Host C's traffic, but still allow the traffic from the other users to flow through Router C.
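The following Python script is an added example, not part of this Cisco document, that models a NetFlow cache to make the distinction above concrete: packets that differ in a key field (here, the forged source addresses) land in separate flows, while the Layer 2 and Layer 3 fields captured with ip flow-capture only annotate the flow they belong to, and every flood flow still carries the MAC address and VLAN of the one upstream hop that delivered it. The packets, the helper names (make_packet, build_cache, upstream_summary) and the MAC and VLAN values are constructed; the MAC values follow the aaaa.bbbb.cc0x scheme of the configuration example later in this document.

```python
"""Added example (not from the Cisco document): a minimal model of the NetFlow
main cache showing which packet fields create a new flow (key fields) and
which are only recorded on an existing flow (the non-key Layer 2 and Layer 3
fields captured with ip flow-capture). All packets below are constructed."""
from dataclasses import dataclass
from typing import Optional

# Key fields of a NetFlow flow: input interface, source and destination IP,
# protocol, Layer 4 ports and ToS. A change in any of them starts a new flow.
KEY_FIELDS = ("src_if", "src_ip", "dst_ip", "proto", "src_port", "dst_port", "tos")


@dataclass
class FlowRecord:
    packets: int = 0
    bytes: int = 0
    min_ttl: int = 255              # Layer 3 non-key fields (ip flow-capture ttl / packet-length)
    max_ttl: int = 0
    min_plen: int = 65535
    max_plen: int = 0
    src_mac: Optional[str] = None   # Layer 2 non-key fields (mac-addresses / vlan-id):
    src_vlan: Optional[int] = None  # upstream MAC/VLAN the flow arrived from ...
    dst_mac: Optional[str] = None   # ... and downstream MAC/VLAN it is forwarded to
    dst_vlan: Optional[int] = None


def make_packet(src_ip, dst_ip, proto, src_port, dst_port, ttl, plen,
                src_mac, src_vlan, dst_mac, dst_vlan, src_if="Et0/0.1", tos=0):
    return dict(src_if=src_if, src_ip=src_ip, dst_ip=dst_ip, proto=proto,
                src_port=src_port, dst_port=dst_port, tos=tos, ttl=ttl, plen=plen,
                src_mac=src_mac, src_vlan=src_vlan, dst_mac=dst_mac, dst_vlan=dst_vlan)


def flow_key(pkt):
    return tuple(pkt[f] for f in KEY_FIELDS)


def build_cache(packets):
    """Account every packet into the flow selected by its key fields; the
    non-key fields only update min/max counters or are recorded once."""
    cache = {}
    for p in packets:
        rec = cache.setdefault(flow_key(p), FlowRecord())
        rec.packets += 1
        rec.bytes += p["plen"]
        rec.min_ttl, rec.max_ttl = min(rec.min_ttl, p["ttl"]), max(rec.max_ttl, p["ttl"])
        rec.min_plen, rec.max_plen = min(rec.min_plen, p["plen"]), max(rec.max_plen, p["plen"])
        if rec.src_mac is None:     # Layer 2 data is taken from the first packet of the flow
            rec.src_mac, rec.src_vlan = p["src_mac"], p["src_vlan"]
            rec.dst_mac, rec.dst_vlan = p["dst_mac"], p["dst_vlan"]
    return cache


def upstream_summary(cache, target_ip):
    """Number of flows aimed at target_ip per upstream (source MAC, VLAN).
    Forged source addresses spread a flood over many flows, but all of them
    still carry the MAC/VLAN of the one Layer 2 hop that delivered them."""
    counts = {}
    for key, rec in cache.items():
        if key[KEY_FIELDS.index("dst_ip")] == target_ip:
            hop = (rec.src_mac, rec.src_vlan)
            counts[hop] = counts.get(hop, 0) + 1
    return counts


# Constructed traffic. MAC/VLAN values follow the aaaa.bbbb.cc0x scheme used
# in the configuration example later in this document.
TARGET = "172.16.10.2"
UPSTREAM = ("aaaa.bbbb.cc03", 5)     # trunk interface of the upstream router, VLAN 5
DOWNSTREAM = ("aaaa.bbbb.cc06", 6)   # interface of the next hop toward the target, VLAN 6
SAMPLE_PACKETS = []
for forged_src in ("192.168.87.200", "10.10.10.2", "10.234.53.1", "172.30.231.193"):
    for _ in range(3):   # flood: identical 40-byte TCP/21 packets, TTL 59, forged sources
        SAMPLE_PACKETS.append(make_packet(forged_src, TARGET, 6, 21, 21, 59, 40, *UPSTREAM, *DOWNSTREAM))
# A legitimate client on VLAN 5: TTL and packet length vary inside one flow,
# but because no key field changes, the cache keeps a single flow for it.
for ttl, plen in ((64, 60), (63, 1500)):
    SAMPLE_PACKETS.append(make_packet("172.16.6.10", TARGET, 6, 40000, 21, ttl, plen,
                                      "aaaa.bbbb.cc10", 5, *DOWNSTREAM))

if __name__ == "__main__":
    cache = build_cache(SAMPLE_PACKETS)
    print(len(cache), "flows")                 # 5 flows: four forged sources plus one client
    print(upstream_summary(cache, TARGET))     # the four flood flows share one upstream hop
```

The point to take from the summary is that the forged source addresses are useless for attribution but the upstream MAC and VLAN are not: they tell you which neighbouring router and trunk to examine next with the same feature.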
Layer 3 Information Capture Using NetFlow Layer 2 and Security Monitoring Exports

The five fields that the NetFlow Layer 2 and Security Monitoring Exports feature captures from Layer 3 IP traffic in a flow are the following (each is enabled with the corresponding ip flow-capture command):

IP fragment offset (ip flow-capture fragment-offset)
ICMP type and code (ip flow-capture icmp)
IP identification (ip flow-capture ip-id)
Packet length (ip flow-capture packet-length)
Time to live (ip flow-capture ttl)
Figure 5 shows the fields in an IP packet header. Table 4 describes the header fields in Figure 5.
Figure 6 shows the fields in an ICMP datagram. Table 5 describes the fields in Figure 6. ICMP datagrams are carried in the data area of an IP datagram, after the IP header.
Layer 2 Information Capture Using NetFlow Layer 2 and Security Monitoring Exports

The NetFlow Layer 2 and Security Monitoring Exports feature can capture the values of the MAC address and VLAN ID fields from flows. The two supported VLAN types are 802.1q and the Cisco Inter-Switch Link (ISL) protocol.

Layer 2 MAC Address Fields

The Layer 2 fields for which the NetFlow Layer 2 and Security Monitoring Exports feature captures the values are as follows (enabled with the ip flow-capture mac-addresses command):

Source MAC address of the frame that carried the first packet of the flow into the router (the upstream device)
Destination MAC address of the frame in which the router forwards the flow (the downstream device)
Figure 2 shows the Ethernet Type II and Ethernet 802.3 frame formats. The destination address field and the source address field in the frame formats are the MAC address values that are captured by NetFlow. Table 1 explains the fields for the Ethernet frame formats.
Layer 2 VLAN ID FieldsNetFlow can capture the value in the VLAN ID field for 802.1q tagged VLANs and Cisco ISL encapsulated VLANs. This section describes the two types of VLANs, 802.1q and ISL.
Understanding 802.1q VLANsDevices that use 802.1q insert a four-byte tag into the original frame before it is transmitted. Figure 3 shows the format of an 802.1q tagged Ethernet frame. Table 2 describes the fields for 802.1q VLANs.
Cisco ISL VLANs

ISL is a Cisco-proprietary protocol for encapsulating frames on a VLAN trunk; 802.1Q is the IEEE standard for tagging frames on a VLAN trunk. Devices that use ISL add an ISL header to the frame. This process is known as VLAN encapsulation. Figure 4 shows the format of a Cisco ISL-encapsulated Ethernet frame. Table 3 describes the fields for Cisco ISL VLANs.
NetFlow Top Talkers

The usual implementation of NetFlow exports NetFlow data to a collector. The NetFlow Top Talkers features can be used for security monitoring or accounting purposes for top talkers, and for matching and identifying key traffic in your network. They are also useful at a network location where a traditional NetFlow export operation is not possible: they do not require a collector to obtain information about flows. Instead, the NetFlow data is displayed on the router when the NetFlow Dynamic Top Talkers CLI show ip flow top command or the NetFlow Top Talkers show ip flow top-talkers command is used.

Comparison of the NetFlow Dynamic Top Talkers CLI and NetFlow Top Talkers Features

There are two very similar NetFlow features that can be used for monitoring the highest volume traffic in your network: NetFlow Dynamic Top Talkers CLI and NetFlow Top Talkers.

NetFlow Dynamic Top Talkers CLI

This feature was introduced in 12.4(4)T. The NetFlow Dynamic Top Talkers CLI feature is used to obtain an overview of the highest volume traffic (top talkers) in your network. It provides an overview of the traffic by aggregating the flows in the cache on the aggregation field that you select when you invoke the command. The feature does not require modifications to the configuration of the router. The show ip flow top command is the only command you need; you can invoke any of its options directly whenever you need them.

The NetFlow Dynamic Top Talkers CLI feature aggregates flows and allows them to be sorted so that they can be viewed. The flows can be aggregated on fields in the cache such as the source or destination IP address, the ICMP type and code values, and so forth. For a full list of the fields on which you can aggregate the flows, refer to the show ip flow top command in the Cisco IOS NetFlow command reference documentation. The aggregated top talker flows can be sorted in ascending or descending order by criteria such as the packet count (for example, sorted-by packets descending).

In addition to sorting top talkers, you can further narrow your output by specifying criteria that the top talkers must match, such as a source or destination IP address or port. The match keyword is used to specify these criteria. For a full list of the matching criteria that you can select, refer to the show ip flow top command in the Cisco IOS NetFlow command reference documentation. The NetFlow Dynamic Top Talkers CLI feature can help you quickly identify traffic associated with security threats such as DoS attacks because it does not require configuration modifications: you can change the options for identifying and analyzing the aggregated flows on the fly as you learn more about the traffic of interest. For example, after you have identified that there is a lot of ICMP traffic in your network by using the show ip flow top 10 aggregate icmp command, you can learn which IP networks the traffic is being sent to by using the show ip flow top 10 aggregate icmp match destination-prefix 172.0.0.0/8 command.
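To make the aggregate, sorted-by and match semantics of show ip flow top tangible, the following Python script is an added example (it is not the Cisco CLI and not part of this document) that applies them to a constructed cache of seven flows: every match criterion except flows is applied to individual flows before aggregation, the flows criterion is applied to the aggregated rows afterwards, and aggregating on a field that is not in the cache produces the "not available for this cache" error. The flow tuples, the flow_top function and the MATCHERS table are assumptions made for the example.

```python
"""Added example (not the Cisco CLI itself): a model of how show ip flow top
aggregates, matches and sorts the flows in the cache. Cache contents are
constructed; field order is (src_ip, dst_ip, proto, dst_port, packets, bytes)."""
import ipaddress
from collections import defaultdict

ICMP, TCP, UDP = 1, 6, 17
CACHE = [
    ("192.168.87.200", "172.16.10.2", ICMP, 0,      2000, 80000),
    ("10.10.10.2",     "172.16.10.2", ICMP, 0,      1900, 76000),
    ("10.234.53.1",    "172.16.10.2", ICMP, 0,      1800, 72000),
    ("172.30.231.193", "172.16.10.2", ICMP, 0,      1700, 68000),
    ("172.16.6.10",    "172.16.10.2", TCP,  21,      120,  9000),
    ("172.16.6.11",    "172.16.10.8", TCP,  0x00DC,  300, 45000),
    ("10.1.1.1",       "224.0.0.9",   UDP,  520,      50,  2600),
]
SRC, DST, PROTO, DPORT, PKTS, BYTES = range(6)

AGGREGATE_FIELDS = {"source-address": SRC, "destination-address": DST,
                    "protocol": PROTO, "destination-port": DPORT}


def in_prefix(ip, prefix):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


# match criteria applied to individual flows *before* aggregation
MATCHERS = {
    "protocol":           lambda f, v: f[PROTO] == v,
    "destination-prefix": lambda f, v: in_prefix(f[DST], v),
    "destination-port":   lambda f, v: f[DPORT] == v,   # value in hex, e.g. 0x00DC
}


def flow_top(cache, top, aggregate, sorted_by="packets", descending=True, match=None):
    """show ip flow top <top> aggregate <aggregate> [sorted-by ...] [match ...].
    Returns the 'N of M flows matched' numbers and the top rows as
    (aggregation value, packets, bytes, flows)."""
    if aggregate not in AGGREGATE_FIELDS:
        raise ValueError(f"% {aggregate} is not available for this cache")
    match = dict(match or {})
    flows_wanted = match.pop("flows", None)       # the one criterion applied after aggregation
    seen = len(cache)
    candidates = [f for f in cache if all(MATCHERS[k](f, v) for k, v in match.items())]
    buckets = defaultdict(lambda: [0, 0, 0])      # packets, bytes, flows per aggregation value
    idx = AGGREGATE_FIELDS[aggregate]
    for f in candidates:
        b = buckets[f[idx]]
        b[0] += f[PKTS]
        b[1] += f[BYTES]
        b[2] += 1
    rows = [(value, *counts) for value, counts in buckets.items()]
    if flows_wanted is not None:
        rows = [r for r in rows if r[3] == flows_wanted]
    col = {"packets": 1, "bytes": 2, "flows": 3}[sorted_by]
    rows.sort(key=lambda r: r[col], reverse=descending)
    return {"matched": len(candidates), "seen": seen, "rows": rows[:top]}


if __name__ == "__main__":
    # protocol distribution, then the sources behind the ICMP vol
    print(flow_top(CACHE, 10, "protocol"))
    print(flow_top(CACHE, 5, "source-address", match={"protocol": ICMP}))
    # destination 172.16.10.2 is the only value built from exactly 5 flows
    print(flow_top(CACHE, 2, "destination-address", match={"flows": 5}))
```

The "matched" and "seen" numbers in the result correspond to the "N of M flows matched" line of the real command; note that with the flows criterion every flow is a candidate (N equals M) because the filtering happens on the aggregated rows, not on the flows.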
show ip flow top and show ip cache verbose flow

Many of the values shown in the display output of the show ip cache verbose flow command are in hexadecimal. If you want to match these values using the show ip flow top command with the match keyword, you must enter the field value that you want to match in hexadecimal. For example, to match on the destination port of 00DC (220 decimal) in the following excerpt from the show ip cache verbose flow command, you would use the match destination-port 0x00DC keywords and argument with the show ip flow top command.
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Et0/0.1        10.10.11.4      Et1/0.1        172.16.10.8     06 00  00      209
00DC /0  0                     00DC /0  0     0.0.0.0               40    281.4
MAC: (VLAN id) aaaa.bbbb.cc03 (005)           aaaa.bbbb.cc06 (006)
Min plen:   40          Max plen:   40
Min TTL:    59          Max TTL:    59
IP id:      0
Match Criteria with the show ip flow top command

You can limit the top talkers that are displayed by the show ip flow top command by using the match keyword and arguments. For example, you can display the IP destination address top talkers that have a prefix of 224.0.0.0/3 using the show ip flow top 10 aggregate destination-address match destination-prefix 224.0.0.0/3 command. For a full list of the matching criteria that you can select, refer to the show ip flow top command in the Cisco IOS NetFlow Command Reference. If you do not configure match criteria, all of the flows are considered as candidates for aggregation as top talkers based on the volume of traffic they represent.

The Order in Which Aggregation Occurs

With the exception of the flows keyword, all matches are performed prior to aggregation, and only matching flows are aggregated. For example, the show ip flow top 5 aggregate destination-address match destination-prefix 172.16.0.0/16 command analyzes all of the available flows looking for any flows whose destination address matches the destination-prefix value of 172.16.0.0/16. If it finds any matches it aggregates them, and then displays as many aggregated destination-address flows as the number of top talkers requested in the command, in this case five. The flows keyword is matched against the number of aggregated flows after aggregation. For example, the show ip flow top 2 aggregate destination-address match flows 6 command aggregates all of the flows on the values in their destination IP address field, and then displays the top talkers that consist of exactly 6 aggregated flows.

Number of Flows Matched

If you do not specify match criteria and there is traffic in the flows that includes the field that you used to aggregate the flows on, all of the flows will match. For example, if your router has 20 flows with IP traffic and you enter the show ip flow top 10 aggregate destination-address command, the display will indicate that 20 of 20 flows matched, and the 10 top talkers will be displayed. If you use the match keyword to limit the flows that are aggregated to those with a destination prefix of 224.0.0.0/3, only the flows that satisfy this criterion are counted as matched. For example, if your router has 6 flows with IP traffic, but only one of them has a destination prefix of 224.0.0.0/3, and you enter the show ip flow top 10 aggregate destination-address match destination-prefix 224.0.0.0/3 command, the display will indicate that 1 of 6 flows matched.

If the total number of top talkers is less than the number of top talkers that were requested in the command, the total number of top talkers is displayed. For example, if you enter a value of five for the number of top talkers to display and there are only three top talkers that match the criteria that you used, the display will include only three top talkers.

When a match criterion is included with the show ip flow top command, the display output will indicate "N of M flows matched" where N <= M, N is the number of matched flows, and M is the total number of flows seen. The number of flows seen can be more than the total number of flows in the cache if some of the analyzed flows were removed from the cache and new flows were created ahead of the current point as the top talkers feature sweeps through the cache. Therefore, M is NOT the total number of flows in the cache, but rather the number of observed flows.

If you attempt to display the top talkers by aggregating them on a field that is not in the cache, you will see the "% aggregation-field is not available for this cache" message.
For example, if you use the show ip flow top 5 aggregate source-vlan command and you have not enabled the capture of VLAN IDs from the flows, you will see the "% VLAN id is not available for this cache" message.

NetFlow Top Talkers

This feature was introduced in 12.3(11)T. NetFlow Top Talkers is used to obtain information about individual flows in the cache. It does not aggregate the flows like the NetFlow Dynamic Top Talkers CLI feature. The NetFlow Top Talkers feature compares all of the flows and displays information about each of the flows that have the heaviest traffic volumes (top talkers). The show ip flow top-talkers command requires you to preconfigure the router using the NetFlow Top Talkers configuration commands: ip flow-top-talkers, top, sort-by, and match.
For a full list of the matching criteria that you can select, refer to the ip flow-top-talkers command in the Cisco IOS NetFlow Command Reference. If you do not configure match criteria, all of the flows are considered as candidates as top talkers based on the volume of traffic they represent. For more information on the NetFlow Top Talkers feature, refer to Configuring NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands.

Filtering and Sampling of NetFlow Traffic

NetFlow provides highly granular per-flow traffic statistics in a Cisco router. A flow is a unidirectional stream of packets that arrive at the router on the same subinterface, have the same source and destination IP addresses, the same Layer 4 protocol, the same TCP/UDP source and destination ports, and the same ToS (type of service) byte in the IP headers. The router accumulates NetFlow statistics in a NetFlow cache and can export them to an external device (such as the Cisco Networking Services (CNS) NetFlow Collection Engine) for further processing.

Full NetFlow accounts for all traffic entering the subinterface on which it is enabled. In some cases, however, you might want to gather NetFlow data on only a subset of this traffic. The Random Sampled NetFlow feature and the NetFlow Input Filters feature each provide a way to limit the incoming traffic that NetFlow processes to the traffic of interest. Random Sampled NetFlow provides NetFlow data for a subset of traffic in a Cisco router by processing only one randomly selected packet out of every n sequential packets. The NetFlow Input Filters feature provides the capability to gather NetFlow data on only a specific user-defined subset of traffic.
The table below compares the NetFlow Input Filters feature and the NetFlow Random Sampled feature.
NetFlow Input Filters Flow Classification

For the NetFlow Input Filters feature, classification of packets can be based on any of the following: IP source and destination addresses, Layer 4 protocol and port numbers, incoming interface, MAC address, IP precedence, DSCP value, Layer 2 information (such as Frame Relay DE bits or Ethernet 802.1p bits), and Network-Based Application Recognition (NBAR) information. The packets are classified (filtered) on the above criteria, and flow accounting is applied to them on subinterfaces. The filtering mechanism uses the Modular QoS Command-Line Interface (MQC) to classify flows. You can create multiple filters with matching samplers on a per-subinterface basis. For example, you can subdivide subinterface traffic into multiple classes based on type of service (ToS) values or destination prefixes (or both). For each class, you can also configure sampling at a different rate, using higher rates for higher-priority classes of traffic and lower rates for lower-priority ones.

MQC has many policies (actions) such as bandwidth rate and queuing management. These policies are applied only if a packet matches a criterion in a class map that is applied to the subinterface. A class map contains a set of match clauses and instructions on how to evaluate the clauses, and acts as a filter for the policies, which are applied only if a packet's content satisfies the match clause. The NetFlow Input Filters feature adds NetFlow accounting to the MQC infrastructure, which means that flow accounting is done on a packet only if it satisfies the match clauses. Two types of filter are available:
For more information on the Modular QoS Command-Line Interface (MQC), refer to the Cisco IOS Quality of Service Solutions Configuration Guide.

Random Sampled NetFlow Sampling Mode

Sampling mode makes use of an algorithm that selects a subset of traffic for NetFlow processing. In the random sampling mode that the Random Sampled NetFlow feature uses, incoming packets are randomly selected so that, on average, one out of each n sequential packets is selected for NetFlow processing. For example, if you set the sampling rate to 1 out of 100 packets, NetFlow might sample the 5th packet and then the 120th, 230th, 302nd, and so on. This sample configuration provides NetFlow data on 1 percent of total traffic. The n value is a parameter that you can configure from 1 to 65535 packets. Because only sampled packets are accounted, the packet and byte counters in the cache represent roughly 1/n of the real traffic and must be multiplied by n to estimate actual volumes, and a low-volume flow (such as a slow scan) may never be sampled and so never appear in the cache at all; keep both effects in mind when you use sampled data to look for threats.

The NetFlow Sampler Map

Random Sampled NetFlow is useful if you have too much traffic and you want to limit the traffic that is analyzed. A NetFlow sampler map is created with the flow-sampler-map sampler-map-name command. The sampling mode for the sampler map is configured with the mode random one-out-of sampling-rate command. The range of values for the sampling-rate argument is 1 to 65535. Each NetFlow sampler map can be applied to one or many subinterfaces as well as physical interfaces. The sampler map is applied to an interface or subinterface with the flow-sampler sampler-map-name command. You can define up to eight NetFlow sampler maps.

How to Configure and Use NetFlow to Detect and Analyze Network Threats

Using NetFlow to detect and analyze network threats requires a combination of configuration commands and show commands. You start by configuring the NetFlow Layer 2 and Security Monitoring Exports feature to capture the values of the additional non-key fields from the flows so that they can be displayed in the cache by the NetFlow show commands.
Capturing the values in the additional non-key fields is required so that you can identify the path the traffic is taking through the network and other characteristics of the traffic, such as TTL values and packet length values. After you configure the NetFlow Layer 2 and Security Monitoring Exports feature, you use the NetFlow Dynamic Top Talkers CLI command to obtain an overview of the traffic flows the router is forwarding. The overview displays information such as the protocol distribution in the flows, the source IP addresses that are sending the flows, and the networks the flows are being sent to. After you identify the type of flows that you want to focus on, such as ICMP traffic, and other characteristics such as source IP addresses and destination network prefixes, you use the NetFlow Top Talkers feature to obtain more focused and detailed information on the individual flows. The NetFlow Top Talkers feature is configured with match criteria that focus it on the types of traffic that you have identified. If your router is keeping track of many flows and you are only interested in analyzing a subset of them, you can configure NetFlow Input Filters to limit the flows that NetFlow is tracking.
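The following Python script is an added example, not Cisco code and not part of this document, that models the two traffic-reduction mechanisms described in the Filtering and Sampling section: a sampler that accounts exactly one randomly chosen packet out of every n (the mode random one-out-of behaviour), and MQC-style input-filter classes that decide which packets are accounted at all and with which sampler. It also shows the consequence for analysis: sampled counters have to be multiplied by the sampling rate, and traffic that matches no class never enters the cache. The Sampler class, build_classes, account and the traffic mix are assumptions made for the example.

```python
"""Added example (not Cisco code): models Random Sampled NetFlow (one randomly
chosen packet out of every n) together with NetFlow Input Filters (MQC-style
classes that decide which packets are accounted, each with its own sampler),
and shows how sampled counters must be scaled. All traffic is constructed."""
import random
from collections import defaultdict

TARGET = "172.16.10.2"


class Sampler:
    """flow-sampler-map <name> / mode random one-out-of <rate>: in every window
    of `rate` consecutive packets exactly one, chosen at random, is accounted."""

    def __init__(self, name, rate, seed=7):
        if not 1 <= rate <= 65535:
            raise ValueError("sampling-rate must be between 1 and 65535")
        self.name, self.rate = name, rate
        self._rng = random.Random(seed)   # fixed seed only to keep the example reproducible
        self._pos = 0
        self._pick = None

    def select(self):
        if self._pos == 0:                            # start of a new window
            self._pick = self._rng.randrange(self.rate)
        chosen = self._pos == self._pick
        self._pos = (self._pos + 1) % self.rate
        return chosen


def build_classes():
    """Input-filter classes in evaluation order: (name, match predicate, sampler).
    A packet matching no class is not accounted at all; the first match wins."""
    return [
        ("icmp-to-server", lambda p: p["proto"] == 1 and p["dst"] == TARGET, Sampler("icmp-1-of-100", 100)),
        ("ftp-control",    lambda p: p["proto"] == 6 and p["dst"] == TARGET, Sampler("full-rate", 1)),
    ]


def account(packets, classes):
    """Return a cache keyed by (src, dst, proto) holding the sampled packet
    count and the sampling rate that produced it."""
    cache = {}
    for p in packets:
        for _name, matches, sampler in classes:
            if matches(p):
                if sampler.select():
                    rec = cache.setdefault((p["src"], p["dst"], p["proto"]),
                                           {"sampled": 0, "rate": sampler.rate})
                    rec["sampled"] += 1
                break
    return cache


def estimate(rec):
    """Scale a sampled counter back to an estimate of the real packet count."""
    return rec["sampled"] * rec["rate"]


def per_protocol(cache):
    totals = defaultdict(lambda: {"sampled": 0, "estimated": 0})
    for (_src, _dst, proto), rec in cache.items():
        totals[proto]["sampled"] += rec["sampled"]
        totals[proto]["estimated"] += estimate(rec)
    return dict(totals)


def pkt(src, dst, proto):
    return {"src": src, "dst": dst, "proto": proto}


# Constructed traffic: 10000 ICMP packets from two forged sources (interleaved),
# 500 FTP control packets from one client, 300 RIP packets that match no class.
TRAFFIC = []
for _ in range(5000):
    TRAFFIC.append(pkt("10.10.10.2", TARGET, 1))
    TRAFFIC.append(pkt("10.234.53.1", TARGET, 1))
TRAFFIC += [pkt("172.16.6.10", TARGET, 6)] * 500
TRAFFIC += [pkt("10.1.1.1", "224.0.0.9", 17)] * 300

if __name__ == "__main__":
    print(per_protocol(account(TRAFFIC, build_classes())))
    # {1: {'sampled': 100, 'estimated': 10000}, 6: {'sampled': 500, 'estimated': 500}}
```

The per-class total comes out exact here only because the sampler picks one packet per window and the constructed flood is a multiple of the window size; the split of those 100 samples between the two forged sources is random, which is why per-flow figures from sampled NetFlow should be read as estimates.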
Prerequisites

CEF or dCEF must be configured globally, and on the interface on which you want to run NetFlow, before you configure NetFlow Layer 2 and Security Monitoring Exports. You must have NetFlow enabled on at least one interface in the router before you configure NetFlow Layer 2 and Security Monitoring Exports. If you want to capture the values of the Layer 3 IP fragment offset field from the IP headers in your IP traffic using the ip flow-capture fragment-offset command, your router must be running Cisco IOS 12.4(2)T or later.

This section contains the procedures that follow.

Configuring NetFlow Layer 2 and Security Monitoring Exports

Perform the following task to configure the NetFlow Layer 2 and Security Monitoring Exports feature.

Before You Begin

To export the data captured with the NetFlow Layer 2 and Security Monitoring Exports feature, you must configure NetFlow to use the NetFlow Version 9 data export format; the fixed-format Version 5 record has no fields for the Layer 2 and security values.
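To show what the Version 9 requirement means on the wire, the following Python script is an added example (not Cisco's code and not part of this document) that builds and decodes a NetFlow Version 9 export packet carrying the Layer 2 and Security Monitoring fields using the RFC 3954 field types (IN_SRC_MAC, OUT_DST_MAC, SRC_VLAN, DST_VLAN, MIN_TTL, MAX_TTL, MIN_PKT_LNGTH, MAX_PKT_LNGTH, IPV4_IDENT, FRAGMENT_OFFSET). Version 9 is template based: the router first exports a template FlowSet describing the fields, and a collector cannot decode a data FlowSet until it has seen that template, which the parser reproduces by skipping data it has no template for. The packet contents, the template layout and the function names (build_v9_packet, parse_v9, sample_record) are assumptions made for the example.

```python
"""Added example (not Cisco's code): a minimal NetFlow Version 9 encoder and
decoder (RFC 3954) covering the Layer 2 and Security Monitoring fields. The
template FlowSet declares the field types the router exports; a collector
cannot decode a data FlowSet until it has that template. Packet is constructed."""
import struct

FIELDS = {  # RFC 3954 field type -> (name used here, length in bytes)
    8: ("src_ip", 4), 12: ("dst_ip", 4), 4: ("proto", 1), 7: ("src_port", 2),
    11: ("dst_port", 2), 2: ("packets", 4), 1: ("bytes", 4),
    52: ("min_ttl", 1), 53: ("max_ttl", 1), 25: ("min_plen", 2), 26: ("max_plen", 2),
    54: ("ip_id", 2), 88: ("frag_offset", 2),
    56: ("in_src_mac", 6), 57: ("out_dst_mac", 6), 58: ("src_vlan", 2), 59: ("dst_vlan", 2),
}
IP_FIELDS, MAC_FIELDS = {8, 12}, {56, 57}
TEMPLATE_ID = 256                 # data template IDs start at 256
TEMPLATE = list(FIELDS)           # field order inside each exported record
HEADER = "!HHIIII"                # version, count, sysUptime, unixSecs, sequence, sourceId


def _decode(ftype, raw):
    if ftype in IP_FIELDS:
        return ".".join(str(b) for b in raw)
    if ftype in MAC_FIELDS:
        h = raw.hex()
        return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"   # Cisco dotted-hex MAC notation
    return int.from_bytes(raw, "big")


def _encode(ftype, value):
    if ftype in IP_FIELDS:
        return bytes(int(octet) for octet in value.split("."))
    if ftype in MAC_FIELDS:
        return bytes.fromhex(value.replace(".", ""))
    return int(value).to_bytes(FIELDS[ftype][1], "big")


def build_v9_packet(records, sequence=1, source_id=0):
    """One export packet carrying the template FlowSet followed by a data FlowSet."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    tmpl += b"".join(struct.pack("!HH", t, FIELDS[t][1]) for t in TEMPLATE)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl          # FlowSet ID 0 = template
    data = b"".join(_encode(t, r[FIELDS[t][0]]) for r in records for t in TEMPLATE)
    pad = (-(4 + len(data))) % 4                                      # FlowSets end on a 4-byte boundary
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(data) + pad) + data + b"\0" * pad
    count = 1 + len(records)                                          # template records + data records
    return struct.pack(HEADER, 9, count, 123456, 1336651200, sequence, source_id) + template_fs + data_fs


def parse_v9(packet, templates=None):
    """Decode one packet. `templates` persists learned templates across packets,
    as a real collector must; data FlowSets with an unknown template are skipped."""
    templates = {} if templates is None else templates
    version, count, _uptime, _secs, sequence, source_id = struct.unpack_from(HEADER, packet, 0)
    if version != 9:
        raise ValueError(f"not a NetFlow Version 9 packet (version {version})")
    records, off = [], struct.calcsize(HEADER)
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("truncated or malformed FlowSet")
        body, off = packet[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                p += 4
                if nfields == 0:                         # padding at the end of the FlowSet
                    break
                if p + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                templates[tid] = [struct.unpack_from("!HH", body, p + 4 * i) for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:
            tmpl = templates[fs_id]
            rec_len, p = sum(flen for _, flen in tmpl), 0
            while p + rec_len <= len(body):
                rec = {}
                for ftype, flen in tmpl:
                    name = FIELDS.get(ftype, (f"field_{ftype}", flen))[0]
                    rec[name] = _decode(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
    return {"sequence": sequence, "source_id": source_id, "count": count, "records": records}


def sample_record(src_ip, packets):
    """A flow shaped like the ones in the FTP example later in this document:
    forged source, port 21, 40-byte packets, TTL 59, arriving on VLAN 5."""
    return dict(src_ip=src_ip, dst_ip="172.16.10.2", proto=6, src_port=21, dst_port=21,
                packets=packets, bytes=packets * 40, min_ttl=59, max_ttl=59,
                min_plen=40, max_plen=40, ip_id=0, frag_offset=0,
                in_src_mac="aaaa.bbbb.cc03", out_dst_mac="aaaa.bbbb.cc06", src_vlan=5, dst_vlan=6)


SAMPLE_RECORDS = [sample_record("192.168.87.200", 63), sample_record("10.10.10.2", 64)]
PACKET = build_v9_packet(SAMPLE_RECORDS)

if __name__ == "__main__":
    for rec in parse_v9(PACKET)["records"]:
        print(rec["src_ip"], "->", rec["dst_ip"], "via", rec["in_src_mac"], "VLAN", rec["src_vlan"])
```

A collector that receives the data FlowSet before the template (for example because it started after the router's last template refresh) decodes nothing until the template is resent, which is why the templates dictionary is kept across calls rather than rebuilt per packet.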
Verifying NetFlow Layer 2 and Security Monitoring Exports

This task verifies that NetFlow Layer 2 and Security Monitoring Exports is configured correctly. The show ip cache verbose flow command gives a detailed view of the status and statistics for flows in the NetFlow main cache. The values for the NetFlow non-key fields that you have configured with the NetFlow Layer 2 and Security Monitoring Exports feature are included for each flow. To see the values of the fields that you have configured the feature to capture, your router must be forwarding IP traffic that meets the criteria for these fields. For example, if you configure the ip flow-capture vlan-id command, your router must be forwarding IP datagrams over interfaces that are configured as VLAN trunks in order to capture the VLAN ID values from the Layer 2 frames carrying the IP datagrams in the flow.

Restrictions

Displaying Detailed NetFlow Cache Information on Platforms Running Distributed Cisco Express Forwarding

On platforms running dCEF, NetFlow cache information is maintained on each line card or Versatile Interface Processor. If you want to use the show ip cache verbose flow command to display this information on a distributed platform, you must enter the command at a line card prompt.
Cisco 7500 Series Platform

To display detailed NetFlow cache information on a Cisco 7500 series router that is running dCEF, enter the following sequence of commands:

Router# if-con slot-number
LC-slot-number# show ip cache verbose flow

For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:

Router# execute-on slot-number show ip cache verbose flow

Cisco 12000 Series Platform

To display detailed NetFlow cache information on a Cisco 12000 Series Internet Router, enter the following sequence of commands:

Router# attach slot-number
LC-slot-number# show ip cache verbose flow

For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:

Router# execute-on slot-number show ip cache verbose flow

To verify the configuration of NetFlow Layer 2 and Security Monitoring Exports, enter the show ip cache verbose flow command and confirm that the MAC, VLAN, TTL, packet length, and IP ID values appear in the flow records.
Using NetFlow Dynamic Top Talkers CLI to Display the Protocol Distribution

You can obtain a quick overview of the traffic in your network by viewing the protocol distribution. Use this task to display the top talkers (aggregated flows) by IPv4 protocol type, using the show ip flow top 10 aggregate protocol sorted-by packets descending command.
Using NetFlow Dynamic Top Talkers CLI to Display the Source IP Address Top Talkers Sending ICMP Traffic

The display output from the show ip flow top 10 aggregate protocol sorted-by packets descending command used in the Using NetFlow Dynamic Top Talkers CLI to Display the Protocol Distribution section indicates that there is a possible ICMP-based DoS attack in progress. The next step is to identify the flows that are sending the ICMP traffic. In this case the flows are aggregated on the source IP addresses, with the show ip flow top 5 aggregate source-address sorted-by packets match protocol icmp command.
Using NetFlow Dynamic Top Talkers CLI to Display the Destination IP Address Top Talkers Receiving ICMP Traffic

The display output from the show ip flow top 5 aggregate source-address sorted-by packets match protocol icmp command used in the Using NetFlow Dynamic Top Talkers CLI to Display the Source IP Address Top Talkers Sending ICMP Traffic section showed the six top talkers (IP source addresses) that are sending the 12 ICMP traffic flows. The next step is to identify the targets of the ICMP traffic. In this case the flows are aggregated on the destination IP addresses.
Configuring NetFlow Top Talkers to Monitor Network Threats

The previous task (Using NetFlow Dynamic Top Talkers CLI to Display the Destination IP Address Top Talkers Receiving ICMP Traffic) identified a probable ICMP-based DoS attack on the host with the IP address 172.16.10.2. This task uses the NetFlow Top Talkers feature to configure the router to monitor the DoS attack by tracking the individual ICMP flows. After you have configured the NetFlow Top Talkers feature to focus on the DoS attack traffic, you can use the show ip flow top-talkers verbose command to identify the path the DoS traffic is taking through the network. Perform the following task to configure the NetFlow Top Talkers feature.
Monitoring and Analyzing the NetFlow Top Talkers Flows
Configuring NetFlow Filtering and Sampling

If you use the show ip cache flow command or the show ip cache verbose flow command to display the flows in the cache, you will see the ICMP flows that are selected by NetFlow filtering and sampling on interface Ethernet0/0.1, and flows for all NetFlow-supported traffic types on any other interfaces on which NetFlow is running. The show ip flow top-talkers [verbose] command displays the flow status and statistics for the traffic type you configured with the match criteria over the interfaces to which you applied the service policy. For example, in this case you configured top talkers to match on ICMP traffic sent from any host that is arriving on Ethernet0/0.1 and destined for 172.16.10.2.

In this task the Top Talkers feature is being used more as a flow filter to separate flows of interest from all of the flows the router is seeing, rather than as a filter to display the flows with the highest traffic volumes. Top talkers is used in this manner because in this example all of the ICMP DoS attack flows are of interest, not just the flows with the highest volumes. This is why a large value is assigned to the top keyword in the top talkers configuration: setting the value for the top keyword to 50 when the largest number of ICMP DoS attack flows tracked by the router is 12 ensures that all of the ICMP DoS attack flows will be tracked.

If your router sees a significant number of flows involved in a DoS attack, you might want to set the value for the top keyword to a number that is less than the total number of flows, to limit the number of flows that you see in the display when you use the show ip flow top-talkers command. This ensures that you are seeing the flows that have the highest volume of DoS attack traffic. However, if all of the flows have the same traffic volume, the show ip flow top-talkers command cannot differentiate between them: it displays the number of flows that you set the value of the top keyword to, starting from the first flow in the cache.

Perform the following task to configure NetFlow filtering and sampling.
Verify NetFlow Filtering and Sampling
Monitoring and Analyzing the Sampled and Filtered NetFlow Top Talkers Flows
Configuration Examples for Detecting and Analyzing Network Threats With NetFlow
Configuring NetFlow Layer 2 and Sec Mon Exports to Capture Traffic From a Simulated FTP Attack ExampleThe following example shows how to use the NetFlow Layer 2 and Security Monitoring Exports feature to find out whether your network is being attacked by a host that is sending fake FTP traffic in an attempt to overwhelm the FTP server. This attack might cause end users to see a degradation in the ability of the FTP server to accept new connections or to service existing connections. This example uses the network shown in the figure below. Host A is sending fake FTP packets to the FTP server. This example also shows you how to use the Layer 2 data captured by the NetFlow Layer 2 and Security Monitoring Exports feature to learn where the traffic is originating and what path it is taking through the network.
R2

!
hostname R2
!
interface Ethernet0/0
 mac-address aaaa.bbbb.cc02
 ip address 172.16.1.2 255.255.255.0
!
interface Ethernet1/0
 mac-address aaaa.bbbb.cc03
 no ip address
!
interface Ethernet1/0.1
 encapsulation dot1Q 5
 ip address 172.16.6.1 255.255.255.0
!
!
router rip
 version 2
 network 172.16.0.0
 no auto-summary
!

R3

!
hostname R3
!
ip flow-capture fragment-offset
ip flow-capture packet-length
ip flow-capture ttl
ip flow-capture vlan-id
ip flow-capture ip-id
ip flow-capture mac-addresses
!
interface Ethernet0/0
 mac-address aaaa.bbbb.cc04
 no ip address
!
interface Ethernet0/0.1
 encapsulation dot1Q 5
 ip address 172.16.6.2 255.255.255.0
 ip accounting output-packets
 ip flow ingress
!
interface Ethernet1/0
 mac-address aaaa.bbbb.cc05
 no ip address
!
interface Ethernet1/0.1
 encapsulation dot1Q 6
 ip address 172.16.7.1 255.255.255.0
 ip accounting output-packets
 ip flow egress
!
router rip
 version 2
 network 172.16.0.0
 no auto-summary
!

R4

!
hostname R4
!
interface Ethernet0/0
 mac-address aaaa.bbbb.cc07
 ip address 172.16.10.1 255.255.255.0
!
interface Ethernet1/0
 mac-address aaaa.bbbb.cc06
 no ip address
!
interface Ethernet1/0.1
 encapsulation dot1Q 6
 ip address 172.16.7.2 255.255.255.0
!
router rip
 version 2
 network 172.16.0.0
 no auto-summary
!

Analyze an FTP DoS Attack Using the show ip cache verbose flow command Example

The show ip cache verbose flow command displays the NetFlow flows. You can use this display output to identify the path that the FTP traffic from Host A is taking as it is received and transmitted by R3.
R3# show ip cache verbose flow
IP packet size distribution (189118 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .043 .610 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .173 .000 .173 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  25 active, 4071 inactive, 615 added
  263794 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25736 bytes
  50 active, 974 inactive, 1648 added, 615 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-FTP             12      0.0       895    40      0.9    1363.8       5.5
TCP-FTPD            12      0.0       895    40      0.9    1363.8       5.6
Total:             590      0.0       317   383     16.1     430.1      12.4

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Et0/0.1        192.168.87.200  Et1/0.1        172.16.10.2     06 00  00      63
0015 /0  0                     0015 /0  0     0.0.0.0                40    94.5
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:   40         Max plen:   40
Min TTL:    59         Max TTL:    59
IP id:       0

Et0/0.1        192.168.87.200  Et1/0.1        172.16.10.2     06 00  00      63
0015 /0  0                     0014 /0  0     0.0.0.0                40    94.5
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:   40         Max plen:   40
Min TTL:    59         Max TTL:    59
IP id:       0

Et0/0.1        10.10.10.2      Et1/0.1        172.16.10.2     06 00  00      64
0015 /0  0                     0015 /0  0     0.0.0.0                40    96.0
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:   40         Max plen:   40
Min TTL:    59         Max TTL:    59
IP id:       0

Et0/0.1        10.10.10.2      Et1/0.1        172.16.10.2     06 00  00      64
0014 /0  0                     0014 /0  0     0.0.0.0                40    96.0
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:   40         Max plen:   40
Min TTL:    59         Max TTL:    59
IP id:       0

Et0/0.1        10.234.53.1     Et1/0.1        172.16.10.2     06 00  00      63
0015 /0  0                     0015 /0  0     0.0.0.0                40    94.5
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:   40         Max plen:   40
Min TTL:    59         Max TTL:    59
IP id:       0

Et0/0.1        10.234.53.1     Et1/0.1        172.16.10.2     06 00  00      63
0014 /0  0                     0014 /0  0     0.0.0.0                40    94.5
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:   40         Max plen:   40
Min TTL:    59         Max TTL:    59
IP id:       0

Et0/0.1        172.30.231.193  Et1/0.1        172.16.10.2     06 00  00      63
0015 /0  0                     0015 /0  0     0.0.0.0                40    94.5
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:   40         Max plen:   40
Min TTL:    59         Max TTL:    59
IP id:       0

Et0/0.1        172.30.231.193  Et1/0.1        172.16.10.2     06 00  00      63
0014 /0  0                     0014 /0  0     0.0.0.0                40    94.5
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:   40         Max plen:   40
Min TTL:    59         Max TTL:    59
IP id:       0

There are 8 FTP flows shown in the output. You can use the Layer 2 information in the flows that is captured by the ip flow-capture command to identify the path the traffic is taking through the network. In this example, the traffic is being sent to R3 on VLAN 5 by R2. You can demonstrate that R2 is transmitting the traffic over interface 1/0.1 because the source MAC address (aaaa.bbbb.cc03) belongs to 1/0.1 on R2. You can demonstrate that R3 is transmitting the traffic using VLAN 6 on interface 1/0.1 to interface 1/0.1 on R4, because the destination MAC address (aaaa.bbbb.cc06) belongs to interface 1/0.1 on R4.
You can use this information to mitigate this attack. One possible way to mitigate this attack is by configuring an extended IP access list that blocks all FTP traffic from the source IP addresses that Host A is spoofing and applying it to Ethernet 0/0 on R2.

Analyze an FTP DoS Attack Using NetFlow Dynamic Top Talkers CLI Example

You can use the NetFlow Dynamic Top Talkers CLI feature to quickly identify the FTP top talkers, that is, the sources that might be sending the attack traffic. This shows you the IP source addresses that Host A is using as it sends the DoS attack traffic.
R3# show ip flow top 50 aggregate source-address sorted-by bytes descending match destination-port min 20 max 21
There are 5 top talkers:
IPV4 SRC-ADDR bytes pkts flows
=============== ========== ========== ==========
10.231.185.254 5640 141 2
10.132.221.111 3680 92 2
10.10.12.1 3640 91 2
10.251.138.218 3600 90 2
10.71.200.138 1880 47 1
9 of 34 flows matched.
After you have identified the FTP top talkers, you need to identify the source IP addresses of the IP traffic that is being sent to the host that you believe is under attack.
R3# show ip flow top 50 aggregate source-address match destination-prefix 172.16.10.2/32
There are 6 top talkers:
IPV4 SRC-ADDR bytes pkts flows
=============== ========== ========== ==========
10.251.138.218 6642 18 4
10.231.185.254 5068 28 4
10.132.221.111 14818 25 4
10.106.1.1 12324 12 2
10.71.200.138 12564 18 3
10.10.12.1 560 14 2
19 of 33 flows matched.
The final step is to cross-reference the source IP addresses of the hosts that are sending any IP traffic to the host under attack with the list of source IP addresses from the FTP top talkers. This is required because the show ip flow top command does not support multiple match criteria, so you cannot limit the top talkers to FTP traffic being sent to a specific host with a single show ip flow top command (match destination-port min 20 max 21 <and> match destination-prefix 172.16.10.2/32). The host with the IP address 10.106.1.1 is apparently not involved in this DoS attack because it does not appear in the display output from the show ip flow top 50 aggregate source-address sorted-by bytes descending match destination-port min 20 max 21 command. This means that it is not sending FTP traffic to the host that is under attack. Therefore the host IP addresses involved in this FTP DoS attack are likely to be the source addresses that appear in both displays.
Now that you know the source addresses of the FTP traffic, you can configure an extended access list that blocks FTP traffic from these addresses and apply it to the interface that is closest to the point where the traffic is entering your network.
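Because show ip flow top accepts only one match criterion, the cross-reference above is done by hand. The following Python script is an added example and is not part of this Cisco document: it parses the two top-talker displays (the two text constants repeat the values shown above as constructed test input), takes the source addresses that appear in both, and emits the extended access list that the text recommends. The ACL name BLOCK-SPOOFED-FTP, the use of a named ACL, the log keyword and the trailing permit ip any any are assumptions, not something the document specifies; adjust them to the policy already applied on the interface. merge_sources does the union instead of the intersection, which is the operation needed when an address list is built from several displays, as in the per-ICMP-type queries later in this document.

```python
import ipaddress
import re

# The two 'show ip flow top' displays from the FTP example above, re-typed
# here as constructed test input (same values as on the page).
FTP_SOURCES = """\
There are 5 top talkers:
IPV4 SRC-ADDR         bytes       pkts      flows
===============  ==========  ==========  ==========
10.231.185.254         5640         141           2
10.132.221.111         3680          92           2
10.10.12.1             3640          91           2
10.251.138.218         3600          90           2
10.71.200.138          1880          47           1
9 of 34 flows matched.
"""
VICTIM_SOURCES = """\
There are 6 top talkers:
IPV4 SRC-ADDR         bytes       pkts      flows
===============  ==========  ==========  ==========
10.251.138.218         6642          18           4
10.231.185.254         5068          28           4
10.132.221.111        14818          25           4
10.106.1.1            12324          12           2
10.71.200.138         12564          18           3
10.10.12.1              560          14           2
19 of 33 flows matched.
"""

# One data row of a source-address aggregation: address, bytes, pkts, flows.
ROW_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_top_talkers(text):
    """Map each source address in the display to its byte/packet/flow counters."""
    rows = {}
    for line in text.splitlines():
        if m := ROW_RE.match(line):
            rows[m[1]] = {"bytes": int(m[2]), "pkts": int(m[3]), "flows": int(m[4])}
    return rows


def _sorted(addresses):
    # Sort numerically rather than lexically so 10.10.x sorts before 10.132.x.
    return sorted(addresses, key=ipaddress.IPv4Address)


def cross_reference(*displays):
    """Sources present in every display: the AND of match criteria that one
    'show ip flow top' command cannot express."""
    return _sorted(set.intersection(*(set(parse_top_talkers(d)) for d in displays)))


def merge_sources(*displays):
    """Sources present in any display, for lists assembled from several queries."""
    return _sorted(set.union(*(set(parse_top_talkers(d)) for d in displays)))


def ftp_block_acl(sources, victim, interface, name="BLOCK-SPOOFED-FTP"):
    """IOS commands for the mitigation the text describes: a named extended ACL
    denying FTP control and data (tcp 20-21) from the listed sources to the
    victim, applied inbound on the interface nearest the entry point.
    The ACL name, 'log' and the final permit are assumptions of this example."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny tcp host {src} host {victim} range 20 21 log" for src in sources]
    lines += [" permit ip any any", f"interface {interface}", f" ip access-group {name} in"]
    return lines


if __name__ == "__main__":
    attackers = cross_reference(FTP_SOURCES, VICTIM_SOURCES)
    print("Sources sending FTP to the victim:", attackers)
    print("\n".join(ftp_block_acl(attackers, "172.16.10.2", "Ethernet0/0")))
```

Run as-is, the script lists the five addresses that appear in both displays, leaves out 10.106.1.1 as the text explains, and prints the access list ready to paste onto R2. The log keyword makes hits on the deny entries visible in the router's logging, which is how you confirm the filter is actually catching the traffic after you apply it.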
Configuring NetFlow Layer 2 and Sec Mon Exports to Capture Traffic From a Simulated ICMP Attack Example

The following example shows how to use the NetFlow Layer 2 and Security Monitoring Exports feature to find out whether your network is being attacked by ICMP traffic. It uses the network shown in the figure below. Host A is sending ICMP ping packets to the FTP server.
R2

!
hostname R2
!
interface Ethernet0/0
 mac-address aaaa.bbbb.cc02
 ip address 172.16.1.2 255.255.255.0
!
interface Ethernet1/0
 mac-address aaaa.bbbb.cc03
 no ip address
!
interface Ethernet1/0.1
 encapsulation dot1Q 5
 ip address 172.16.6.1 255.255.255.0
!
!
router rip
 version 2
 network 172.16.0.0
 no auto-summary
!

R3

!
hostname R3
!
ip flow-capture fragment-offset
ip flow-capture packet-length
ip flow-capture ttl
ip flow-capture vlan-id
ip flow-capture icmp
ip flow-capture ip-id
ip flow-capture mac-addresses
!
interface Ethernet0/0
 mac-address aaaa.bbbb.cc04
 no ip address
!
interface Ethernet0/0.1
 encapsulation dot1Q 5
 ip address 172.16.6.2 255.255.255.0
 ip accounting output-packets
 ip flow ingress
!
interface Ethernet1/0
 mac-address aaaa.bbbb.cc05
 no ip address
!
interface Ethernet1/0.1
 encapsulation dot1Q 6
 ip address 172.16.7.1 255.255.255.0
 ip accounting output-packets
 ip flow egress
!
router rip
 version 2
 network 172.16.0.0
 no auto-summary
!

R4

!
hostname R4
!
interface Ethernet0/0
 mac-address aaaa.bbbb.cc07
 ip address 172.16.10.1 255.255.255.0
!
interface Ethernet1/0
 mac-address aaaa.bbbb.cc06
 no ip address
!
interface Ethernet1/0.1
 encapsulation dot1Q 6
 ip address 172.16.7.2 255.255.255.0
!
router rip
 version 2
 network 172.16.0.0
 no auto-summary
!

Analyze an ICMP Ping DoS Attack Using the show ip cache verbose flow command Example

The show ip cache verbose flow command displays the NetFlow flows. You can use this display output to identify the path that the ICMP traffic from Host A is taking as it is received and transmitted by R3.
R3# show ip cache verbose flow
IP packet size distribution (122369 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .065 .665 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .134 .000 .134 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  24 active, 4072 inactive, 404 added
  176657 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25736 bytes
  48 active, 976 inactive, 1088 added, 404 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
ICMP                27      0.0      1131   763      3.9    1557.4       3.6
Total:             380      0.0       267   257     13.0     382.8      12.6

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Et0/0.1        10.106.1.1      Et1/0.1        172.16.10.2     01 00  10     864
0000 /0  0                     0800 /0  0     0.0.0.0              1500  1089.9
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen: 1500         Max plen: 1500
Min TTL:    59         Max TTL:    59
ICMP type:   8         ICMP code:   0
IP id:       0

Et0/0.1        10.71.200.138   Et1/0.1        172.16.10.2     01 00  00     864
0000 /0  0                     0000 /0  0     0.0.0.0               554  1090.0
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:  554         Max plen:  554
Min TTL:    59         Max TTL:    59
ICMP type:   0         ICMP code:   0
IP id:       0
FO: 185

Et0/0.1        10.231.185.254  Et1/0.1        172.16.10.2     01 00  00     864
0000 /0  0                     0000 /0  0     0.0.0.0               554  1090.0
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:  554         Max plen:  554
Min TTL:    59         Max TTL:    59
ICMP type:   0         ICMP code:   0
IP id:       0
FO: 185

Et0/0.1        10.10.12.1      Et1/0.1        172.16.10.200   01 00  00     864
0000 /0  0                     0000 /0  0     0.0.0.0               554  1090.0
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:  554         Max plen:  554
Min TTL:    59         Max TTL:    59
ICMP type:   0         ICMP code:   0
IP id:       0
FO: 185

Et0/0.1        10.132.221.111  Et1/0.1        172.16.10.2     01 00  10     864
0000 /0  0                     0800 /0  0     0.0.0.0              1500  1089.9
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen: 1500         Max plen: 1500
Min TTL:    59         Max TTL:    59
ICMP type:   8         ICMP code:   0
IP id:       0

Et0/0.1        10.251.138.218  Et1/0.1        172.16.10.2     01 00  00     864
0000 /0  0                     0000 /0  0     0.0.0.0               554  1089.9
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:  554         Max plen:  554
Min TTL:    59         Max TTL:    59
ICMP type:   0         ICMP code:   0
IP id:       0
FO: 185

Et0/0.1        10.10.12.1      Et1/0.1        172.16.10.200   01 00  10     864
0000 /0  0                     0C01 /0  0     0.0.0.0              1500  1090.0
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen: 1500         Max plen: 1500
Min TTL:    59         Max TTL:    59
ICMP type:  12         ICMP code:   1
IP id:       0

Et0/0.1        10.106.1.1      Et1/0.1        172.16.10.2     01 00  00     864
0000 /0  0                     0000 /0  0     0.0.0.0               554  1089.9
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:  554         Max plen:  554
Min TTL:    59         Max TTL:    59
ICMP type:   0         ICMP code:   0
IP id:       0
FO: 185

Et0/0.1        10.251.138.218  Et1/0.1        172.16.10.2     01 00  10     864
0000 /0  0                     0C01 /0  0     0.0.0.0              1500  1089.9
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen: 1500         Max plen: 1500
Min TTL:    59         Max TTL:    59
ICMP type:  12         ICMP code:   1
IP id:       0

Et0/0.1        10.71.200.138   Et1/0.1        172.16.10.2     01 00  10     864
0000 /0  0                     0C01 /0  0     0.0.0.0              1500  1090.0
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen: 1500         Max plen: 1500
Min TTL:    59         Max TTL:    59
ICMP type:  12         ICMP code:   1
IP id:       0

Et0/0.1        10.132.221.111  Et1/0.1        172.16.10.2     01 00  00     864
0000 /0  0                     0000 /0  0     0.0.0.0               554  1089.9
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:  554         Max plen:  554
Min TTL:    59         Max TTL:    59
ICMP type:   0         ICMP code:   0
IP id:       0
FO: 185

Et0/0.1        10.231.185.254  Et1/0.1        172.16.10.2     01 00  10     864
0000 /0  0                     0C01 /0  0     0.0.0.0              1500  1090.0
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen: 1500         Max plen: 1500
Min TTL:    59         Max TTL:    59
ICMP type:  12         ICMP code:   1
IP id:       0

There are 12 ICMP flows shown in the output.
You can use the Layer 2 information in the flows that is captured by the ip flow-capture command to identify the path the traffic is taking through the network. In this example, the traffic is being sent to R3 on VLAN 5 by R2. You can demonstrate that R2 is transmitting the traffic over interface 1/0.1 because the source MAC address (aaaa.bbbb.cc03) belongs to 1/0.1 on R2. You can demonstrate that R3 is transmitting the traffic using VLAN 6 on interface 1/0.1 to interface 1/0.1 on R4, because the destination MAC address (aaaa.bbbb.cc06) belongs to interface 1/0.1 on R4.
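The Layer 2 path reasoning used in both the FTP and the ICMP examples (read the source and destination MAC addresses and VLAN IDs out of each record, then look up which router interface owns each MAC) is worth automating once the verbose cache holds more than a handful of flows. The following Python is an added example and is not part of this Cisco document: it parses records in the layout of show ip cache verbose flow with the ip flow-capture fields, names the previous and next hop from the MAC addresses using a table built from the R2, R3 and R4 configurations above, groups source addresses by upstream MAC and TTL (many unrelated source addresses arriving behind one MAC with one TTL is the pattern the text attributes to Host A spoofing), and aggregates ICMP flows by type and code the way show ip flow top ... aggregate icmp does. It also checks each ICMP record's type and code against the destination port field, which NetFlow fills with type*256+code (0800 for type 8 code 0 and 0C01 for type 12 code 1 in the displays above). The sample text is constructed in the display's layout from the values on this page and was not captured from a device; the MAC_OWNERS table and all function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of 'show ip cache verbose flow' with the
# 'ip flow-capture' fields enabled. Values follow the displays on this page;
# the text itself was not captured from a device.
SAMPLE_OUTPUT = """\
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Et0/0.1        192.168.87.200  Et1/0.1        172.16.10.2     06 00  00      63
0015 /0  0                     0015 /0  0     0.0.0.0                40    94.5
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min TTL:    59         Max TTL:    59
Et0/0.1        10.106.1.1      Et1/0.1        172.16.10.2     01 00  10     864
0000 /0  0                     0800 /0  0     0.0.0.0              1500  1089.9
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min TTL:    59         Max TTL:    59
ICMP type:   8         ICMP code:   0
Et0/0.1        10.71.200.138   Et1/0.1        172.16.10.2     01 00  00     864
0000 /0  0                     0000 /0  0     0.0.0.0               554  1090.0
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min TTL:    59         Max TTL:    59
ICMP type:   0         ICMP code:   0
FO: 185
"""

# MAC address to owning interface, taken from the R2/R3/R4 configurations above.
MAC_OWNERS = {
    "aaaa.bbbb.cc02": "R2 Ethernet0/0", "aaaa.bbbb.cc03": "R2 Ethernet1/0",
    "aaaa.bbbb.cc04": "R3 Ethernet0/0", "aaaa.bbbb.cc05": "R3 Ethernet1/0",
    "aaaa.bbbb.cc06": "R4 Ethernet1/0", "aaaa.bbbb.cc07": "R4 Ethernet0/0",
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HEX2, HEX4 = r"[0-9A-Fa-f]{2}", r"[0-9A-Fa-f]{4}"
# First record line: SrcIf SrcIP DstIf DstIP Pr TOS Flgs Pkts
RECORD_RE = re.compile(rf"^(\S+)\s+({IPV4})\s+(\S+)\s+({IPV4})\s+({HEX2})\s+\S+\s+\S+\s+(\d+)\s*$")
# Second record line: SrcPort Msk AS DstPort Msk AS NextHop B/Pk Active
PORT_RE = re.compile(rf"^({HEX4})\s+/\d+\s+\d+\s+({HEX4})\s+/\d+\s+\d+\s+\S+\s+(\d+)\s+[\d.]+\s*$")
MAC_RE = re.compile(r"^MAC: \(VLAN id\)\s+(\S+)\s+\((\d+)\)\s+(\S+)\s+\((\d+)\)")
TTL_RE = re.compile(r"^Min TTL:\s+(\d+)\s+Max TTL:\s+(\d+)")
ICMP_RE = re.compile(r"^ICMP type:\s+(\d+)\s+ICMP code:\s+(\d+)")
FO_RE = re.compile(r"^FO:\s+(\d+)")


def parse_verbose_flows(text):
    """Return one dict per flow record; the two header lines are skipped."""
    flows, cur = [], None
    for line in text.splitlines():
        if m := RECORD_RE.match(line):
            cur = {"src_if": m[1], "src_ip": m[2], "dst_if": m[3], "dst_ip": m[4],
                   "proto": int(m[5], 16), "pkts": int(m[6]),
                   "icmp_type": None, "icmp_code": None, "frag_offset": 0}
            flows.append(cur)
        elif cur is None:
            continue                                   # still inside the header
        elif m := PORT_RE.match(line):
            cur["src_port"], cur["dst_port"] = int(m[1], 16), int(m[2], 16)
            cur["bytes_per_pkt"] = int(m[3])
        elif m := MAC_RE.match(line):
            cur["src_mac"], cur["src_vlan"] = m[1], int(m[2])
            cur["dst_mac"], cur["dst_vlan"] = m[3], int(m[4])
        elif m := TTL_RE.match(line):
            cur["ttl_min"], cur["ttl_max"] = int(m[1]), int(m[2])
        elif m := ICMP_RE.match(line):
            cur["icmp_type"], cur["icmp_code"] = int(m[1]), int(m[2])
        elif m := FO_RE.match(line):
            cur["frag_offset"] = int(m[1])
    return flows


def describe_path(flow, owners=MAC_OWNERS):
    """Name the previous and next hop from the captured MAC addresses and VLANs."""
    prev_hop = owners.get(flow["src_mac"], "unknown " + flow["src_mac"])
    next_hop = owners.get(flow["dst_mac"], "unknown " + flow["dst_mac"])
    return (f"{prev_hop} (VLAN {flow['src_vlan']}) -> [{flow['src_if']} .. {flow['dst_if']}]"
            f" -> {next_hop} (VLAN {flow['dst_vlan']})")


def sources_by_upstream(flows):
    """Distinct source addresses grouped by (source MAC, min TTL): many sources
    behind one MAC with one TTL is what spoofing from a single host looks like."""
    groups = defaultdict(set)
    for f in flows:
        groups[(f["src_mac"], f["ttl_min"])].add(f["src_ip"])
    return dict(groups)


def icmp_summary(flows):
    """Aggregate ICMP flows by (type, code), like 'show ip flow top ... aggregate icmp'."""
    out = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != 1:
            continue
        key = (f["icmp_type"], f["icmp_code"])
        out[key]["flows"] += 1
        out[key]["pkts"] += f["pkts"]
        out[key]["bytes"] += f["pkts"] * f["bytes_per_pkt"]
    return dict(out)


def icmp_port_mismatches(flows):
    """NetFlow stores ICMP type*256+code in the destination port field (0800 is
    type 8 code 0); return sources whose captured type/code disagree with it."""
    return [f["src_ip"] for f in flows
            if f["proto"] == 1 and f["icmp_type"] is not None
            and f["dst_port"] != (f["icmp_type"] << 8 | f["icmp_code"])]


if __name__ == "__main__":
    flows = parse_verbose_flows(SAMPLE_OUTPUT)
    for f in flows:
        print(f"{f['src_ip']:>15} -> {f['dst_ip']:<13} {describe_path(f)}")
    print("ICMP by type/code:", icmp_summary(flows))
    print("Sources per upstream MAC/TTL:", sources_by_upstream(flows))
    print("Type/code vs. port mismatches:", icmp_port_mismatches(flows))
```

The parser is deliberately whitespace-tolerant, since column widths in the display shift with the values, and it keys on the shape of each line rather than its position. Feed it the real display from a terminal capture and the same three functions give you the previous hop to filter at, the list of spoofed addresses behind it, and the ICMP type/code breakdown without a second show command.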
You can use this information to mitigate this attack. One possible way to mitigate this attack is by configuring an extended IP access list that blocks all ICMP traffic from the source IP addresses that Host A is spoofing and applying it to Ethernet 0/0 on R2.

Analyze an ICMP Ping DoS Attack Using NetFlow Dynamic Top Talkers CLI Example

You can use the NetFlow Dynamic Top Talkers CLI feature to quickly identify the ICMP top talkers, that is, the sources that might be sending the attack traffic. This shows you the IP source addresses that Host A is using as it sends the DoS attack traffic.
R3# show ip flow top 50 aggregate icmp
There are 3 top talkers:
ICMP TYPE ICMP CODE bytes pkts flows
========= ========= ========== ========== ==========
12 1 2466000 1644 4
8 0 1233000 822 2
0 0 1366164 2466 6
12 of 25 flows matched.
After you have identified the ICMP types and code values in the network traffic, you need to determine the source IP addresses for the ICMP traffic that is being sent to the FTP server.
R3# show ip flow top 50 aggregate source-address match icmp type 12 code 1
There are 4 top talkers:
IPV4 SRC-ADDR bytes pkts flows
=============== ========== ========== ==========
10.251.138.218 867000 578 1
10.231.185.254 865500 577 1
10.71.200.138 865500 577 1
10.10.12.1 867000 578 1
4 of 24 flows matched.
R3# show ip flow top 50 aggregate source-address match icmp type 8 code 0
There are 2 top talkers:
IPV4 SRC-ADDR bytes pkts flows
=============== ========== ========== ==========
10.132.221.111 1095000 730 1
10.106.1.1 1095000 730 1
2 of 24 flows matched.
R3# show ip flow top 50 aggregate source-address match icmp type 0 code 0
There are 6 top talkers:
IPV4 SRC-ADDR bytes pkts flows
=============== ========== ========== ==========
10.251.138.218 416608 752 1
10.231.185.254 416608 752 1
10.132.221.111 416608 752 1
10.106.1.1 416608 752 1
10.71.200.138 416608 752 1
10.10.12.1 416608 752 1
6 of 24 flows matched.
The next step is to create a list of the source IP addresses that Host A is using, by combining the source addresses shown by the three queries above.
Now that you know the source addresses of the ICMP DoS attack traffic, you can mitigate this attack by configuring an extended access list that blocks ICMP traffic from these addresses and applying it to the interface that is closest to the point where the traffic is entering your network.

Configure NetFlow Filtering and Sampling Example

This example configuration contains the configuration commands required to use NetFlow filtering and sampling on the NetFlow router.

!
hostname Router
!
ip cef
!
flow-sampler-map icmp-dos-fs-map
 mode random one-out-of 2
!
!
class-map match-any icmp-dos-class-map
 match access-group 101
!
!
policy-map icmp-dos-policy-map
 class icmp-dos-class-map
  netflow-sampler icmp-dos-fs-map
!
interface Ethernet0/0
 mac-address aaaa.bbbb.cc04
 no ip address
!
interface Ethernet0/0.1
 encapsulation dot1Q 5
 ip address 172.16.6.2 255.255.255.0
 service-policy input icmp-dos-policy-map
!
interface Ethernet1/0.1
 encapsulation dot1Q 6
 ip address 172.16.7.1 255.255.255.0
 ip flow egress
!
ip flow-capture fragment-offset
ip flow-capture packet-length
ip flow-capture ttl
ip flow-capture vlan-id
ip flow-capture icmp
ip flow-capture ip-id
ip flow-capture mac-addresses
!
ip flow-top-talkers
 top 5
 sort-by bytes
 match class-map icmp-dos-class-map
!
access-list 101 permit icmp any host 172.16.10.2
!
end

Where to Go Next

See the "Additional References" section for links to configuration information about additional NetFlow features and services.

Additional References

Related Documents
MIBs

Feature Information for Detecting and Analyzing Network Threats With NetFlow

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
1 This is a minor enhancement. Minor enhancements are not typically listed in Feature Navigator.
Glossary

data flowset --A collection of data records that are grouped in an export packet.

export packet --A type of packet built by a device (for example, a router) with NetFlow services enabled. The packet is addressed to another device (for example, the NetFlow Collection Engine). The packet contains NetFlow statistics. The other device processes the packet (parses, aggregates, and stores information about IP flows).

flow --A set of packets with the same source IP address, destination IP address, protocol, source/destination ports, and type-of-service, and the same interface on which the flow is monitored. Ingress flows are associated with the input interface, and egress flows are associated with the output interface.

flowset --A collection of flow records that follow the packet header in an export packet. A flowset contains information that must be parsed and interpreted by the NetFlow Collection Engine. There are two types of flowsets: template flowsets and data flowsets. An export packet contains one or more flowsets, and both template and data flowsets can be mixed in the same export packet.

NetFlow --Cisco IOS accounting feature that maintains per-flow information.

NetFlow Aggregation --A NetFlow feature that lets you summarize NetFlow export data on an IOS router before the data is exported to a NetFlow data collection system such as the NetFlow Collection Engine. This feature lowers bandwidth requirements for NetFlow export data and reduces platform requirements for NetFlow data collection devices.

NetFlow Collection Engine (formerly NetFlow FlowCollector) --Cisco application that is used with NetFlow on Cisco routers and Catalyst series switches. The NetFlow Collection Engine collects packets from the router that is running NetFlow and decodes, aggregates, and stores them. You can generate reports on various aggregations that can be set up on the NetFlow Collection Engine.

NetFlow v9 --NetFlow export format Version 9. A flexible and extensible means of carrying NetFlow records from a network node to a collector. NetFlow Version 9 has definable record types and is self-describing for easier NetFlow Collection Engine configuration.

template --Describes the layout of a data flowset.

template flowset --A collection of template records that are grouped in an export packet.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.