Friday 5 February 2016

How to configure NetFlow on an ASA 5510

Unlike tools such as tcpdump and Wireshark, which capture whole packets (payload included), NetFlow records metadata about each 'flow' - source, destination, protocol and ports - which it derives from the packet headers alone.

NetFlow is transmitted over UDP port 2055.
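The ASA exports its flow records in NetFlow v9 format (Cisco calls this NSEL), so the collector on the other end of UDP 2055 has to read a template flowset first and then use it to decode the data records that follow. The script below is an added example of that collector-side decoding, not code from the original post: it builds a constructed sample datagram carrying the 5-tuple fields named above (RFC 3954 field types 8, 12, 7, 11 and 4), parses it, and also shows the standard failure mode where data arrives before its template and must be skipped. The `serve` function, the field-name table and the sample addresses are assumptions made for the example.

```python
import socket
import struct

# NetFlow v9 field type IDs from RFC 3954 for the basic 5-tuple.
# ASA NSEL adds vendor fields; anything unknown is kept as field_<id>.
FIELD_NAMES = {4: "protocol", 7: "src_port", 8: "src_addr",
               11: "dst_port", 12: "dst_addr"}


def _decode_field(ftype, raw):
    # IPv4 address fields are rendered dotted-quad, everything else as an int
    if ftype in (8, 12):
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_netflow_v9(packet, templates=None):
    """Decode one NetFlow v9 datagram into a list of flow-record dicts.

    `templates` maps template id -> [(field_type, length), ...]; it is filled
    from template flowsets so that later datagrams from the same exporter
    can be decoded (pass the same dict on every call, as a collector would).
    """
    if templates is None:
        templates = {}
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte v9 header")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"unsupported NetFlow version {version}")
    records = []
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:
            # template flowset: one or more (template id, field count, fields...)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = []
                for _ in range(nfields):
                    fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                    pos += 4
                templates[tid] = fields
        elif fs_id >= 256:
            # data flowset: fixed-size records laid out per the template
            fields = templates.get(fs_id)
            rec_len = sum(flen for _, flen in fields) if fields else 0
            if rec_len == 0:
                # template not seen yet (or empty): skip, as a collector does
                offset += fs_len
                continue
            pos = 0
            while pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = \
                        _decode_field(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        # flowset ids 1..255 are reserved (1 = options template); ignored here
        offset += fs_len
    return records


def build_sample_export():
    """Constructed (not captured) datagram: header, one template, two records."""
    header = struct.pack("!HHIIII", 9, 2, 123456, 1454630400, 1, 0)
    tfields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]
    tmpl = struct.pack("!HH", 256, len(tfields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in tfields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, proto):
        return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHB", sport, dport, proto)

    data = rec("10.0.0.1", "10.0.0.2", 51514, 443, 6) + rec("10.0.0.2", "10.0.0.1", 53, 40001, 17)
    pad = (4 - len(data) % 4) % 4  # flowsets are padded to 32-bit boundaries
    data_fs = struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\x00" * pad
    return header + tmpl_fs + data_fs


def serve(port=2055):
    """Assumed helper: listen for exports from the ASA and print decoded flows."""
    templates = {}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        datagram, peer = sock.recvfrom(65535)
        for flow in parse_netflow_v9(datagram, templates):
            print(peer[0], flow)


if __name__ == "__main__":
    for flow in parse_netflow_v9(build_sample_export()):
        print(flow)
```

Running the file decodes the constructed sample; calling `serve()` on the collector host instead binds UDP 2055 and prints live flows, which is a quick way to confirm the ASA configuration below is actually exporting. The template dictionary is kept across datagrams because the ASA only resends templates periodically, so a collector started mid-stream will drop data records until the next template arrives.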

NetFlow export is only available on IOS 8.2 and above and can be set up via the GUI (ASDM) or via the CLI; for the purposes of this tutorial I will be setting it up via the CLI.

First create an ACL that selects the traffic whose flows should be exported, then a class map that references it:

access-list flow_export_acl permit ip host 10.0.0.1 host 10.0.0.2

class-map flow_export_class
 match access-list flow_export_acl

Alternatively, have the class map match all traffic instead of an ACL:

class-map flow_export_class
 match any

Next, either create a new policy map containing that class and apply it as the global service policy:

policy-map flow_export_policy
 class flow_export_class

service-policy flow_export_policy global

or add the class to the existing policy map 'global_policy'. Only one policy map can be applied globally, and on a default configuration 'global_policy' already is, so in that case use this form:

policy-map global_policy
 class flow_export_class

We can then define the NetFlow collector(s) that will receive the data (the interface argument names the ASA interface through which the collector is reached), and inside the class created above tell the ASA which flow events to export and to which collector:

flow-export destination <interface> server1 2055
flow-export destination <interface> server2 2055

policy-map global_policy
 class flow_export_class
  flow-export event-type all destination server1

To set the source interface that the NetFlow data will be sent from:
ip flow-export management

To check whether any flows are being exported (and whether any exports are failing) you can issue:

show flow-export counters

or to review the configuration:

show flow-export
