Re: Netflow to Match ACL Log denies

From: Tom Kacprzynski <tom.kac_at_gmail.com>
Date: Thu, 31 May 2012 22:09:02 -0500

Hi Yuri,
Thanks for responding. That makes a lot of sense looking up the output
interface. I use Scrutinizer as a netflow collector, so will have to see if
I could get to that data easily.

Is this something you use instead of the ACL log option?

Thanks again,

Tom

On Thu, May 31, 2012 at 1:18 PM, Yuri Bank <yuribank_at_gmail.com> wrote:

> Netflow will generally include the input/output interface for each flow.
> By default for netflow v9 at least.
> Do a 'show snmp mib ifmib ifindex'
>
> Look for the null0 interface index number.
>
> Then match that ifindex num in your netflow collector, if it supports such
> actions. ( I use Nfsen/nfcapd )
>
> -Yuri
>
>
>
> On May 31, 2012 4:46 AM, "Carlos G Mendioroz" <tron_at_huapi.ba.ar> wrote:
>
>> Wow...
>> I have no experience with this, but sounds interesting and kind of a trap.
>>
>> I am using netflow and have never paid attention to interface info. Only
>> to L3/L4 source/destination and size mostly. But if denied traffic is
>> exposed, I guess I'm counting it as valid :( Unless the collector has this
>> knowledge embedded.
>>
>> Nice to know though.
>> -Carlos
>>
>>
>> Tom Kacprzynski @ 31/05/2012 00:54 -0300 dixit:
>>
>>> Hello,
>>> I was reading the ACL configuration guide and came upon this paragraph:
>>>
>>> "Packets matching an entry in an ACL with a log option are process
>>> switched. It is not recommended to use the log option on ACLs, but rather
>>> use NetFlow export and match on a destination interface of Null0. This is
>>> done in the CEF path. The destination interface of Null0 is set for any
>>> packet that is dropped by the ACL. "
>>>
>>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-access-list-ov.html#GUID-97E3F195-6145-4D3C-A7F2-DE718D3D2204
>>>
>>>
>>> Does anyone have experience configuring matching denied ACLs on null0? I
>>> wasn't able to configure netflow on null0.
>>>
>>> Thank you,
>>>
>>> Tom
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>> --
>> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>>

Received on Thu May 31 2012 - 22:09:02 ART

This archive was generated by hypermail 2.2.0 : Sun Jul 01 2012 - 10:39:52 ART
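The procedure Yuri describes (look up the ifIndex of Null0 with 'show snmp mib ifmib ifindex', then select flows whose output interface carries that index), as an added example that is not part of this thread or of any collector's code. The 'show' output and the flow records are constructed samples; the field names are assumptions, not nfdump's.

```python
import re
from collections import Counter

# Constructed sample of 'show snmp mib ifmib ifindex' output (not from the thread).
IFINDEX_OUTPUT = """\
GigabitEthernet0/0: Ifindex = 1
GigabitEthernet0/1: Ifindex = 2
Null0: Ifindex = 3
Loopback0: Ifindex = 4
"""

# Constructed flow records in the shape a collector exports (field names assumed).
# out_if is the SNMP ifIndex of the output interface carried in the NetFlow v9 record.
FLOWS = [
    {"src": "10.1.1.5", "dst": "192.0.2.10", "proto": "TCP", "dport": 22,  "out_if": 3, "pkts": 4},
    {"src": "10.1.1.5", "dst": "192.0.2.10", "proto": "TCP", "dport": 443, "out_if": 2, "pkts": 120},
    {"src": "10.1.1.9", "dst": "192.0.2.10", "proto": "TCP", "dport": 22,  "out_if": 3, "pkts": 2},
    {"src": "10.1.1.5", "dst": "192.0.2.11", "proto": "UDP", "dport": 161, "out_if": 3, "pkts": 1},
]

def null0_ifindex(show_output):
    """Return the ifIndex assigned to Null0 from 'show snmp mib ifmib ifindex' text."""
    for line in show_output.splitlines():
        m = re.match(r"\s*(\S+):\s+Ifindex\s*=\s*(\d+)", line)
        if m and m.group(1).lower() == "null0":
            return int(m.group(2))
    raise ValueError("Null0 not present in ifindex table")

def denied_flows(flows, null0_idx):
    """Flows whose output interface is Null0: ACL drops in the CEF path land here.
    Caveat: traffic sent to Null0 by a static null route is indistinguishable."""
    return [f for f in flows if f["out_if"] == null0_idx]

def summarize(flows):
    """Aggregate denied packets per (src, dst, proto, dport), like an ACL log line."""
    counts = Counter()
    for f in flows:
        counts[(f["src"], f["dst"], f["proto"], f["dport"])] += f["pkts"]
    return dict(counts)

if __name__ == "__main__":
    idx = null0_ifindex(IFINDEX_OUTPUT)
    for key, pkts in summarize(denied_flows(FLOWS, idx)).items():
        print("denied %s -> %s %s/%d: %d packets" % (key + (pkts,)))
```

With a real collector the same selection is a filter on the output ifIndex (Yuri's nfdump/nfsen step); the summary is what the process-switched ACL log option would otherwise have produced.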