Normally I would use the ACL log option, since you could see the data
quickly in 'real-time'. But in certain high traffic situations, such
as a DDoS attack, I would rely on my netflow data.
-yuri
On Thu, May 31, 2012 at 8:09 PM, Tom Kacprzynski <tom.kac_at_gmail.com> wrote:
> Hi Yuri,
> Thanks for responding. That makes a lot of sense looking up the output
> interface. I use Scrutinizer as a netflow collector, so will have to see if
> I could get to that data easily.
>
> Is this something you use instead of the ACL log option?
>
> Thanks again,
>
> Tom
>
> On Thu, May 31, 2012 at 1:18 PM, Yuri Bank <yuribank_at_gmail.com> wrote:
>>
>> Netflow will generally include the input/output interface for each flow.
>> By default for netflow v9 at least.
>>
>> Do a 'show snmp mib ifmib ifindex'
>>
>> Look for the null0 interface index number.
>>
>> Then match that ifindex num in your netflow collector, if it supports such
>> actions. ( I use Nfsen/nfcapd )
>>
>> -Yuri
>>
>> On May 31, 2012 4:46 AM, "Carlos G Mendioroz" <tron_at_huapi.ba.ar> wrote:
>>>
>>> Wow...
>>> I have no experience with this, but sounds interesting and kind of a
>>> trap.
>>>
>>> I am using netflow and have never paid attention to interface info. Only
>>> to L3/L4 source/destination and size mostly. But if denied traffic is
>>> exposed, I guess I'm counting it as valid :( Unless the collector has this
>>> knowledge embedded.
>>>
>>> Nice to know though.
>>> -Carlos
>>>
>>>
>>> Tom Kacprzynski @ 31/05/2012 00:54 -0300 dixit:
>>>>
>>>> Hello,
>>>> I was reading the ACL configuration guide and came upon this paragraph:
>>>>
>>>> "Packets matching an entry in an ACL with a log option are process
>>>> switched. It is not recommended to use the log option on ACLs, but rather
>>>> use NetFlow export and match on a destination interface of Null0. This is
>>>> done in the CEF path. The destination interface of Null0 is set for any
>>>> packet that is dropped by the ACL."
>>>>
>>>>
>>>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-access-list-ov.html#GUID-97E3F195-6145-4D3C-A7F2-DE718D3D2204
>>>>
>>>>
>>>> Does anyone have experience configuring matching denied ACLs on null0? I
>>>> wasn't able to configure netflow on null0.
>>>>
>>>> Thank you,
>>>>
>>>> Tom
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>
>>> --
>>> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>>>
>>>
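As an added illustration of the approach discussed in this thread (it is not code from any of the posters, from Nfsen/nfcapd, or from Cisco), the script below parses constructed sample output in the format of 'show snmp mib ifmib ifindex' to find the Null0 ifindex, then splits constructed collector-style flow records by whether their output ifindex is Null0, so ACL-denied traffic can be summarised on its own rather than counted as valid. The flow field names, addresses and ifindex values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of IOS 'show snmp mib ifmib ifindex'
# output ("<ifname>: Ifindex = <n>"); the index numbers are made up.
IFINDEX_OUTPUT = """\
GigabitEthernet0/0: Ifindex = 1
GigabitEthernet0/1: Ifindex = 2
Null0: Ifindex = 5
Loopback0: Ifindex = 6
"""

# Constructed flow records with the fields a NetFlow v9 collector keeps
# (INPUT_SNMP/OUTPUT_SNMP ifindex, addresses, ports, counters); assumed names.
FLOWS = [
    {"src": "203.0.113.7",  "dst": "192.0.2.10", "proto": 6,  "dport": 80,  "in_if": 1, "out_if": 2, "bytes": 1500, "pkts": 3},
    {"src": "198.51.100.9", "dst": "192.0.2.10", "proto": 6,  "dport": 23,  "in_if": 1, "out_if": 5, "bytes": 240,  "pkts": 4},
    {"src": "198.51.100.9", "dst": "192.0.2.11", "proto": 6,  "dport": 23,  "in_if": 1, "out_if": 5, "bytes": 180,  "pkts": 3},
    {"src": "203.0.113.99", "dst": "192.0.2.10", "proto": 17, "dport": 53,  "in_if": 1, "out_if": 5, "bytes": 64,   "pkts": 1},
    {"src": "192.0.2.10",   "dst": "203.0.113.7", "proto": 6, "dport": 443, "in_if": 2, "out_if": 1, "bytes": 9000, "pkts": 8},
]

def find_ifindex(show_output, ifname="Null0"):
    """Return the SNMP ifIndex of ifname from 'show snmp mib ifmib ifindex' text."""
    pat = re.compile(r"^(\S+): Ifindex = (\d+)\s*$", re.MULTILINE)
    for name, idx in pat.findall(show_output):
        if name == ifname:
            return int(idx)
    raise LookupError(f"{ifname} not present in ifindex table")

def select_flows(flows, null_ifindex, dropped=True):
    """dropped=True: flows sent to Null0 (ACL-denied); False: forwarded flows only."""
    return [f for f in flows if (f["out_if"] == null_ifindex) == dropped]

def summarize_drops(flows, null_ifindex, key_fields=("src",)):
    """Aggregate denied traffic by key_fields, busiest (by packets) first."""
    totals = defaultdict(lambda: {"bytes": 0, "pkts": 0, "flows": 0})
    for f in select_flows(flows, null_ifindex, dropped=True):
        key = tuple(f[k] for k in key_fields)
        totals[key]["bytes"] += f["bytes"]
        totals[key]["pkts"] += f["pkts"]
        totals[key]["flows"] += 1
    return sorted(totals.items(), key=lambda kv: kv[1]["pkts"], reverse=True)

if __name__ == "__main__":
    null0 = find_ifindex(IFINDEX_OUTPUT)
    for key, t in summarize_drops(FLOWS, null0, ("src", "dst", "dport")):
        print(key, t)
```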
Received on Fri Jun 01 2012 - 10:43:19 ART
This archive was generated by hypermail 2.2.0 : Sun Jul 01 2012 - 10:39:52 ART