Re: Netflow to Match ACL Log denies

From: Yuri Bank <yuribank_at_gmail.com>
Date: Thu, 31 May 2012 11:18:53 -0700

Netflow will generally include the input/output interface for each flow, by
default for netflow v9 at least.
Do a 'show snmp mib ifmib ifindex'.

Look for the null0 interface index number.

Then match that ifindex num in your netflow collector, if it supports such
actions. (I use Nfsen/nfcapd)

-Yuri

On May 31, 2012 4:46 AM, "Carlos G Mendioroz" <tron_at_huapi.ba.ar> wrote:

> Wow...
> I have no experience with this, but sounds interesting and kind of a trap.
>
> I am using netflow and have never paid attention to interface info. Only
> to L3/L4 source/destination and size mostly. But if denied traffic is
> exposed, I guess I'm counting it as valid :( Unless the collector has this
> knowledge embedded.
>
> Nice to know though.
> -Carlos
>
>
> Tom Kacprzynski @ 31/05/2012 00:54 -0300 dixit:
>
>> Hello,
>> I was reading the ACL configuration guide and came upon this paragraph:
>>
>> "Packets matching an entry in an ACL with a log option are process
>> switched. It is not recommended to use the log option on ACLs, but rather
>> use NetFlow export and match on a destination interface of Null0. This is
>> done in the CEF path. The destination interface of Null0 is set for any
>> packet that is dropped by the ACL."
>>
>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-access-list-ov.html#GUID-97E3F195-6145-4D3C-A7F2-DE718D3D2204
>>
>>
>> Does anyone have experience configuring matching denied ACLs on null0? I
>> wasn't able to configure netflow on null0.
>>
>> Thank you,
>>
>> Tom
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina

Received on Thu May 31 2012 - 11:18:53 ART
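
The lookup-then-match procedure from the reply above, as an added example that is not part of the original thread: it reads the Null0 ifIndex out of 'show snmp mib ifmib ifindex' output, splits flow records on that output interface so denied traffic is not counted as forwarded, and builds the matching nfdump filter. The sample device output, the index values and the CSV column names are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample of 'show snmp mib ifmib ifindex' output (index values made up).
SHOW_IFINDEX = """\
FastEthernet0/0: Ifindex = 1
FastEthernet0/1: Ifindex = 2
Null0: Ifindex = 4
"""

# Constructed flow records; the column names are assumptions, not a collector format.
FLOWS_CSV = """\
src,dst,proto,dport,in_if,out_if,bytes
10.1.1.10,192.0.2.5,6,443,1,2,48211
203.0.113.7,10.1.1.10,6,23,2,4,120
203.0.113.7,10.1.1.10,6,22,2,4,180
10.1.1.11,192.0.2.9,17,53,1,2,310
"""

def parse_ifindex(text):
    """Map interface name -> ifIndex from 'Name: Ifindex = N' lines."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+):\s*Ifindex\s*=\s*(\d+)\s*$", line, re.IGNORECASE)
        if m:
            table[m.group(1)] = int(m.group(2))
    return table

def null0_index(table):
    """Return the ifIndex of Null0, or raise if the device did not list it."""
    for name, idx in table.items():
        if name.lower() == "null0":
            return idx
    raise LookupError("Null0 not present in ifindex output")

def split_flows(csv_text, drop_if):
    """Separate flows whose output interface is Null0 from forwarded flows."""
    dropped, forwarded = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        (dropped if int(row["out_if"]) == drop_if else forwarded).append(row)
    return dropped, forwarded

def total_bytes(rows):
    return sum(int(r["bytes"]) for r in rows)

def nfdump_filter(drop_if):
    """nfdump filter expression selecting flows by output interface index."""
    return f"out if {drop_if}"
```

The filter string is what would be passed to nfdump, for example `nfdump -r <capture file> 'out if 4'`. Any flow whose output interface is Null0 matches, so routes pointed at Null0 show up alongside ACL denies.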

This archive was generated by hypermail 2.2.0 : Sun Jun 17 2012 - 09:04:20 ART