A while ago, I researched the possibility of using/enabling Netflow on a couple of Cisco 3560G switches we'd purchased. After much head scratching it was deemed you'd need IOS revision 12.2(58)SE to get any form of netflow - and its not even net flow. Hmmmm....
So... out of hours, I upgraded one of the switches to this new firmware to give it a go.
After a nervous wait for it to restart (Logging in remotely from home) I checked to see if the commands are available - which they were.
So off we go:
Create the exporter
flow exporter test-collector
description "collection of data for the boss"
destination 192.168.246.100
This creates an exporter profile in which I can describe what its for and where the data should go.
Then configure smartlog
Conf t
Logging smartlog
logging smartlog exporter test-collector
logging smartlog packet capture size 1024
We then need to give it something to report about. As a test I created an ACL which permits everything:
access-list 97 permit any smartlog
and then assigned it to an inteface
interface GigabitEthernet0/3
description Monitoring port for the boss
ip access-group 97 in
And thats it - pretty easy to setup but to be honest its limitations are immediately visible when using Scrutinizer (or other net/s/flow related applications). I've just shown you a test example of the ACL here - I amended it later to monitor a specific DENY on a particular protocol on a specific port.
This is netflow but with restrictions. The data has to be event based and as such - you can view the data when an event has occurred - hence it has been logged. That in itself limits what you can see.
Don't get me wrong, its far easier than trawling through syslog data and you can drill down into the raw data to at least see some of the packet, but other than assessing security concerns, I'm struggling to see how I'd use it.
In terms of satisfying the original request to view netflow data, I will put the question back to the originator with a politically cryptic hint of sarcasm.... "What netflow data????"
No comments:
Post a Comment