Flexible NetFlow Export of Cisco TrustSec Fields

The Flexible NetFlow Export of Cisco TrustSec Fields feature supports the Cisco TrustSec fields in the Flexible NetFlow (FNF) flow record and helps to monitor, troubleshoot, and identify non-standard behavior for Cisco TrustSec deployments.

This module describes the interaction between Cisco TrustSec and FNF and how to configure and export Cisco TrustSec fields in the NetFlow Version 9 flow records.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Restrictions for Flexible NetFlow Export of Cisco TrustSec Fields

  • The security group tag (SGT) value exported in Flexible NetFlow (FNF) records is zero in the following scenarios:

    • The packet is received with an SGT value of zero from a trusted interface.

    • The packet is received without an SGT.

    • The SGT is not found during the IP-SGT lookup.

    Because all three cases export the same value, an SGT of zero in a flow record does not by itself distinguish a deliberately untagged packet from one whose tag could not be resolved.

  • On the Cisco ISR 3900E, ISR 3900, ISR 2950, ISR 2900, ISR 1900, and ISR 890 platforms, Cisco TrustSec fields are supported for both IPv4 and IPv6 FNF records.

Information About Flexible NetFlow Export of Cisco TrustSec Fields

Cisco TrustSec Fields in Flexible NetFlow

The Cisco TrustSec fields, source security group tag (SGT) and destination security group tag (DGT), in the Flexible NetFlow (FNF) flow record let administrators correlate each flow with the identity information (the security group) assigned to its endpoints. This gives network engineers a detailed picture of how each group uses network and application resources. The information can then be used to plan and allocate access and application resources and to detect and resolve potential security and policy violations, for example traffic between two security groups that the TrustSec policy is not expected to permit.

The Cisco TrustSec fields are supported for ingress and egress FNF and for unicast and multicast traffic.

The following table lists the NetFlow Version 9 enterprise-specific field types for Cisco TrustSec that are used in the FNF templates for the source and destination security group tags.

  ID                   Description

  CTS_SRC_GROUP_TAG    Cisco Trusted Security Source Group Tag

  CTS_DST_GROUP_TAG    Cisco Trusted Security Destination Group Tag

The Cisco TrustSec fields are configured in addition to the existing match fields under the FNF flow record. The following commands add the Cisco TrustSec flow objects to the FNF flow record as key or non-key fields for the source and destination security group tags of the packet.
  • The match flow cts {source | destination} group-tag command is configured under the flow record to specify the Cisco TrustSec fields as key fields. The key fields differentiate flows, with each flow having a unique set of values for the key fields. A flow record requires at least one key field before it can be used in a flow monitor.

  • The collect flow cts {source | destination} group-tag command is configured under the flow record to specify the Cisco TrustSec fields as non-key fields. The values in non-key fields are added to flows to provide additional information about the traffic in the flows; they do not create separate flows.

The choice matters for analysis. With the tags as key fields, packets that share the same addresses and ports but carry a different SGT or DGT are accounted in separate flow entries; with the tags as non-key fields, they are merged into one entry and only a single tag value is reported for it.

The flow record is then configured under a flow monitor and the flow monitor is applied to an interface. To export the FNF data, a flow exporter needs to be configured and then added under the flow monitor.
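
The exporter sends the fields above in NetFlow Version 9: a template FlowSet describes the layout of each data record, and the data records carry only the values, so a collector that wants the SGT and DGT must decode the template first. The following decoder is an added example written for this page and is not Cisco code. The standard field type numbers (IPv4 addresses, ports, protocol, direction, packet counter) are the ones defined for NetFlow Version 9; the numeric type IDs for CTS_SRC_GROUP_TAG and CTS_DST_GROUP_TAG are not given on this page, so the two constants below are assumptions that must be set from the template the exporter actually sends. The sample packet is constructed in the code from the two flows shown later in the show flow monitor cache output.

```python
"""Decode a NetFlow Version 9 export that carries Cisco TrustSec SGT/DGT fields.

Added example for this page; not Cisco code. A v9 packet is a 20-byte header
followed by FlowSets. FlowSet ID 0 carries templates; FlowSet IDs >= 256 carry
data records laid out exactly as the template with the same ID describes.
"""
import ipaddress
import struct

# ASSUMED enterprise-specific type IDs (not stated on this page); take the real
# values from the template your exporter emits.
CTS_SRC_GROUP_TAG = 34000
CTS_DST_GROUP_TAG = 34001

# Standard v9 field types (RFC 3954) plus the two TrustSec fields.
FIELD_NAMES = {
    8: "src_addr", 12: "dst_addr", 7: "src_port", 11: "dst_port",
    4: "protocol", 61: "direction", 2: "packets",
    CTS_SRC_GROUP_TAG: "src_sgt", CTS_DST_GROUP_TAG: "dst_sgt",
}
ADDR_FIELDS = {8, 12}


def decode_field(ftype, raw):
    """IPv4 address fields become dotted strings, everything else a big-endian int."""
    if ftype in ADDR_FIELDS and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates):
    """Parse one export packet. `templates` maps template ID -> [(type, length)]
    and is updated in place, because data FlowSets cannot be decoded until the
    template with the same ID has been seen (they are skipped until then).
    Returns the list of decoded records as dicts keyed by field name."""
    version = struct.unpack_from("!H", packet, 0)[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, offset = [], 20                       # skip the 20-byte v9 header
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:                             # template FlowSet
            pos = 0
            while pos + 4 <= len(body):            # up to 3 bytes of padding may trail
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
                templates[tid] = fields
        elif fs_id >= 256 and fs_id in templates:  # data FlowSet with a known template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(body):
                rec, p = {}, pos
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"type{ftype}")] = decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
                pos += rec_len
        offset += fs_len
    return records


def build_sample_export():
    """CONSTRUCTED packet: one template (ID 256) and the two flows shown in the
    show flow monitor cache output on this page (direction 0 = ingress, 1 = egress)."""
    tmpl_fields = [(8, 4), (12, 4), (7, 2), (11, 2), (61, 1), (4, 1),
                   (CTS_SRC_GROUP_TAG, 2), (CTS_DST_GROUP_TAG, 2), (2, 4)]
    template = struct.pack("!HH", 256, len(tmpl_fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in tmpl_fields)
    template_fs = struct.pack("!HH", 0, 4 + len(template)) + template

    def rec(src, dst, sp, dp, direction, proto, sgt, dgt, pkts):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBBHHI", sp, dp, direction, proto, sgt, dgt, pkts))

    data = (rec("10.1.0.1", "172.16.2.0", 58817, 23, 0, 6, 100, 200, 10)
            + rec("172.16.2.0", "10.1.0.1", 23, 58817, 1, 6, 200, 100, 8))
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    # header: version, count (1 template + 2 records), sysuptime, unix secs, sequence, source id
    header = struct.pack("!HHIIII", 9, 3, 100000, 1700000000, 1, 0)
    return header + template_fs + data_fs


if __name__ == "__main__":
    templates = {}
    for r in parse_v9(build_sample_export(), templates):
        print(r)
```

Because templates arrive in their own FlowSets and may be resent only periodically, a collector must cache them per exporter source ID and tolerate data FlowSets it cannot yet decode; the function returns only the records it could decode and keeps the template cache for later packets.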

How to Configure Flexible NetFlow Export of Cisco TrustSec Fields

Configuring Cisco TrustSec Fields as Key Fields in the Flow Record

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    flow record record-name

    4.    match {ipv4 | ipv6} protocol

    5.    match {ipv4 | ipv6} source address

    6.    match {ipv4 | ipv6} destination address

    7.    match transport source-port

    8.    match transport destination-port

    9.    match flow direction

    10.    match flow cts source group-tag

    11.    match flow cts destination group-tag

    12.    end


DETAILED STEPS
     Command or Action                                Purpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 flow record record-name


    Example:
    Device(config)# flow record cts-record-ipv4
     

    Creates a new Flexible NetFlow (FNF) flow record, or modifies an existing FNF flow record, and enters Flexible NetFlow flow record configuration mode.

     
    Step 4 match {ipv4 | ipv6} protocol


    Example:
    Device(config-flow-record)# match ipv4 protocol
     

    (Optional) Configures the IPv4 protocol or IPv6 protocol as a key field for a flow record.

     
    Step 5 match {ipv4 | ipv6} source address


    Example:
    Device(config-flow-record)# match ipv4 source address
     

    (Optional) Configures the IPv4 or IPv6 source address as a key field for a flow record.

     
    Step 6 match {ipv4 | ipv6} destination address


    Example:
    Device(config-flow-record)# match ipv4 destination address
     

    (Optional) Configures the IPv4 or IPv6 destination address as a key field for a flow record.

     
    Step 7 match transport source-port


    Example:
    Device(config-flow-record)# match transport source-port
     

    (Optional) Configures the transport source port as a key field for a flow record.

     
    Step 8 match transport destination-port


    Example:
    Device(config-flow-record)# match transport destination-port
     

    (Optional) Configures the transport destination port as a key field for a flow record.

     
    Step 9 match flow direction


    Example:
    Device(config-flow-record)# match flow direction
     

    (Optional) Configures the direction in which the flow is monitored as a key field.

     
    Step 10 match flow cts source group-tag


    Example:
    Device(config-flow-record)# match flow cts source group-tag
     

    Configures the Cisco TrustSec source security group tag (SGT) in the FNF flow record as a key field.

     
    Step 11 match flow cts destination group-tag


    Example:
    Device(config-flow-record)# match flow cts destination group-tag
     

    Configures the Cisco TrustSec destination security group tag (DGT) in the FNF flow record as a key field.

     
    Step 12 end


    Example:
    Device(config-flow-record)# end
     

    Exits Flexible NetFlow flow record configuration mode and returns to privileged EXEC mode.

     

    Configuring Cisco TrustSec Fields as Non-Key Fields in the Flow Record

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    flow record record-name

      4.    match {ipv4 | ipv6} protocol

      5.    match {ipv4 | ipv6} source address

      6.    match {ipv4 | ipv6} destination address

      7.    match transport source-port

      8.    match transport destination-port

      9.    collect flow direction

      10.    collect flow cts source group-tag

      11.    collect flow cts destination group-tag

      12.    collect counter packets

      13.    end


    DETAILED STEPS
       Command or Action                                Purpose
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 flow record record-name


      Example:
      Device(config)# flow record cts-record-ipv4
       

      Creates a new Flexible NetFlow (FNF) flow record, or modifies an existing FNF flow record, and enters Flexible NetFlow flow record configuration mode.

       
      Step 4 match {ipv4 | ipv6} protocol


      Example:
      Device(config-flow-record)# match ipv4 protocol
       

      (Optional) Configures the IPv4 protocol or IPv6 protocol as a key field for a flow record.

       
      Step 5 match {ipv4 | ipv6} source address


      Example:
      Device(config-flow-record)# match ipv4 source address
       

      (Optional) Configures the IPv4 or IPv6 source address as a key field for a flow record.

       
      Step 6 match {ipv4 | ipv6} destination address


      Example:
      Device(config-flow-record)# match ipv4 destination address
       

      (Optional) Configures the IPv4 or IPv6 destination address as a key field for a flow record.

       
      Step 7 match transport source-port


      Example:
      Device(config-flow-record)# match transport source-port
       

      (Optional) Configures the transport source port as a key field for a flow record.

       
      Step 8 match transport destination-port


      Example:
      Device(config-flow-record)# match transport destination-port
       

      (Optional) Configures the transport destination port as a key field for a flow record.

       
      Step 9 collect flow direction


      Example:
      Device(config-flow-record)# collect flow direction
       

      (Optional) Configures the flow direction as a non-key field and enables the collection of the direction in which the flow was monitored.

       
      Step 10 collect flow cts source group-tag


      Example:
      Device(config-flow-record)# collect flow cts source group-tag
       

      Configures the Cisco TrustSec source security group tag (SGT) in the FNF flow record as a non-key field.

       
      Step 11 collect flow cts destination group-tag


      Example:
      Device(config-flow-record)# collect flow cts destination group-tag
       

      Configures the Cisco TrustSec destination security group tag (DGT) in the FNF flow record as a non-key field.

       
      Step 12 collect counter packets


      Example:
      Device(config-flow-record)# collect counter packets
       

      (Optional) Configures the number of packets seen in a flow as a non-key field and enables collecting the total number of packets from the flow.

       
      Step 13 end


      Example:
      Device(config-flow-record)# end
       

      Exits Flexible NetFlow flow record configuration mode and returns to privileged EXEC mode.

       

      Configuring a Flow Exporter

      Each flow exporter supports only one destination. If you want to export the data to multiple destinations, you must configure multiple flow exporters and assign them to the flow monitor.

      Before You Begin

      Ensure that you create a flow record. For more information see the “Configuring Cisco TrustSec Fields as Key Fields in the Flow Record” section and the “Configuring Cisco TrustSec Fields as Non-Key Fields in the Flow Record” section.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    flow exporter exporter-name

        4.    destination {ip-address | hostname} [vrf vrf-name]

        5.    end


      DETAILED STEPS
         Command or Action                                Purpose
        Step 1 enable


        Example:
        Device> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.

         
        Step 2 configure terminal


        Example:
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3 flow exporter exporter-name


        Example:
        Device(config)# flow exporter EXPORTER-1
         

        Creates a flow exporter or modifies an existing flow exporter, and enters Flexible NetFlow flow exporter configuration mode.

         
        Step 4 destination {ip-address | hostname} [vrf vrf-name]


        Example:
        Device(config-flow-exporter)# destination 172.16.10.2
         

        Specifies the IP address or hostname of the destination system for the exporter.

         
        Step 5 end


        Example:
        Device(config-flow-exporter)# end
         

        Exits Flexible NetFlow flow exporter configuration mode and returns to privileged EXEC mode.

         

        Configuring a Flow Monitor

        Before You Begin

        To add a flow exporter to the flow monitor for data export, ensure that you create the flow exporter. For more information see the “Configuring a Flow Exporter” section.

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    flow monitor monitor-name

          4.    record record-name

          5.    exporter exporter-name

          6.    end


        DETAILED STEPS
           Command or Action                                Purpose
          Step 1 enable


          Example:
          Device> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.

           
          Step 2 configure terminal


          Example:
          Device# configure terminal
           

          Enters global configuration mode.

           
          Step 3 flow monitor monitor-name


          Example:
          Device(config)# flow monitor FLOW-MONITOR-1
           

          Creates a flow monitor or modifies an existing flow monitor, and enters Flexible NetFlow flow monitor configuration mode.

           
          Step 4 record record-name


          Example:
          Device(config-flow-monitor)# record cts-record-ipv4
           

          Specifies the record for the flow monitor.

           
          Step 5 exporter exporter-name


          Example:
          Device(config-flow-monitor)# exporter EXPORTER-1
           

          Specifies the exporter for the flow monitor.

           
          Step 6 end


          Example:
          Device(config-flow-monitor)# end
           

          Exits Flexible NetFlow flow monitor configuration mode and returns to privileged EXEC mode.

           

          Applying a Flow Monitor on an Interface

          To activate a flow monitor, the flow monitor must be applied to at least one interface.

          Before You Begin

          Ensure that you create a flow monitor. For more information see the “Configuring a Flow Monitor” section.

          SUMMARY STEPS

            1.    enable

            2.    configure terminal

            3.    interface type number

            4.    {ip | ipv6} flow monitor monitor-name {input | output}

            5.    end


          DETAILED STEPS
             Command or Action                                Purpose
            Step 1 enable


            Example:
            Device> enable
             

            Enables privileged EXEC mode.

            • Enter your password if prompted.

             
            Step 2 configure terminal


            Example:
            Device# configure terminal
             

            Enters global configuration mode.

             
            Step 3 interface type number


            Example:
            Device(config)# interface ethernet 0/0
             

            Specifies an interface and enters interface configuration mode.

             
            Step 4 {ip | ipv6} flow monitor monitor-name {input | output}


            Example:
            Device (config-if)# ip flow monitor FLOW-MONITOR-1 input
             

            Activates a flow monitor that was created previously by assigning it to the interface to analyze traffic.

             
            Step 5 end


            Example:
            Device(config-if)# end
             

            Exits interface configuration mode and returns to privileged EXEC mode.

             

            Verifying Flexible NetFlow Export of Cisco TrustSec Fields

            SUMMARY STEPS

              1.    enable

              2.    show flow record record-name

              3.    show flow exporter exporter-name

              4.    show flow monitor monitor-name

              5.    show flow monitor monitor-name cache

              6.    show flow interface type number


            DETAILED STEPS
              Step 1   enable

              Enables privileged EXEC mode.

              • Enter your password if prompted.




              Example:
              Device> enable
              Step 2   show flow record record-name

              Displays the details of the specified Flexible NetFlow (FNF) flow record.




              Example:
              Device> show flow record cts-record-ipv4
              
              flow record cts-record-ipv4:
                Description:        User defined
                No. of users:       1
                Total field space:  30 bytes
                Fields:
                  match ipv4 protocol
                  match ipv4 source address
                  match ipv4 destination address
                  match transport source-port
                  match transport destination-port
                  match interface input
                  match interface output
                  match flow direction
                  match flow cts source group-tag
                  match flow cts destination group-tag
                  collect counter packets
              
              
              Step 3   show flow exporter exporter-name

              Displays the current status of the specified FNF flow exporter.




              Example:
              Device> show flow exporter EXPORTER-1
              
              Flow Exporter EXPORTER-1:
                Description:              User defined
                Export protocol:          NetFlow Version 9
                Transport Configuration:
                  Destination IP address: 100.100.100.1
                  Source IP address:      3.3.3.2
                  Transport Protocol:     UDP
                  Destination Port:       2055
                  Source Port:            65252
                  DSCP:                   0x0
                  TTL:                    255
                  Output Features:        Used
              
              
              Step 4   show flow monitor monitor-name

              Displays the status and statistics of the specified FNF flow monitor.




              Example:
              Device> show flow monitor FLOW-MONITOR-1
              
              Flow Monitor FLOW-MONITOR-1:
                Description:       User defined
                Flow Record:       cts-record-ipv4
                Flow Exporter:     EXPORTER-1
                Cache:
                  Type:                 normal (Platform cache)
                  Status:               allocated
                  Size:                 200000 entries
                  Inactive Timeout:     60 secs
                  Active Timeout:       1800 secs
                  Update Timeout:       1800 secs
                  Synchronized Timeout: 600 secs
                  Trans end aging:      off
              
              
              Step 5   show flow monitor monitor-name cache

              Displays the contents of the specified FNF flow monitor cache.




              Example:
              Device> show flow monitor FLOW-MONITOR-1 cache
              
                Cache type:                                Normal
                Cache size:                                  4096
                Current entries:                                2
                High Watermark:                                 2
              
                Flows added:                                    6
                Flows aged:                                     4
                  - Active timeout      (1800 secs)             0
                  - Inactive timeout    (15 secs)               4
                  - Event aged                                  0
                  - Watermark aged                              0
                  - Emergency aged                              0
              
                IPV4 SOURCE ADDRESS:       10.1.0.1
                IPV4 DESTINATION ADDRESS:  172.16.2.0
                TRNS SOURCE PORT:          58817
                TRNS DESTINATION PORT:     23
                FLOW DIRECTION:            Input
                IP PROTOCOL:               6
                SOURCE GROUP TAG:          100
                DESTINATION GROUP TAG:     200
                counter packets:           10
              
                IPV4 SOURCE ADDRESS:       172.16.2.0
                IPV4 DESTINATION ADDRESS:  10.1.0.1
                TRNS SOURCE PORT:          23
                TRNS DESTINATION PORT:     58817
                FLOW DIRECTION:            Output
                IP PROTOCOL:               6
                SOURCE GROUP TAG:          200
                DESTINATION GROUP TAG:     100
                counter packets:           8
              
              
              Step 6   show flow interface type number

              Displays the details of the FNF flow monitor applied on the specified interface. If a flow monitor is not applied on the interface, then the output is empty.




              Example:
              Device> show flow interface GigabitEthernet0/0/3
              
              Interface GigabitEthernet0/0/3
                FNF:  monitor:          FLOW-MONITOR-1
                      direction:        Input
                      traffic(ip):      on
                FNF:  monitor:          FLOW-MONITOR-1
                      direction:        Output
                      traffic(ip):      on
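
Once the SGT and DGT are available per flow, the verification output above is what a collector works from: each record states which security group talked to which, over which protocol and port. The following audit is an added example written for this page, not Cisco code; it classifies records against an expected SGT policy and keeps SGT 0 out of both the permitted and the violation buckets, since the restrictions above make a zero tag ambiguous. The records are constructed: the first two mirror the two cached flows shown in step 5, the other two are made-up edge cases, and the ALLOWED matrix is an assumed policy rather than any real deployment's.

```python
"""Audit exported SGT/DGT pairs against the expected Cisco TrustSec policy.

Added example for this page; not Cisco code. Records are dicts in the shape
a collector would produce from the fields shown in `show flow monitor ... cache`.
"""
from collections import defaultdict

SGT_UNKNOWN = 0   # exported for untagged packets, SGT 0 on a trusted port, and IP-SGT lookup misses

# ASSUMED policy: (src_sgt, dst_sgt) -> allowed (protocol, dst_port) pairs.
# None means any traffic between that pair is expected (for example return traffic).
# A pair that is absent is never expected to communicate.
ALLOWED = {
    (100, 200): {(6, 22), (6, 23)},
    (200, 100): None,
}

SAMPLE_RECORDS = [  # CONSTRUCTED sample input
    {"src_addr": "10.1.0.1", "dst_addr": "172.16.2.0", "src_port": 58817, "dst_port": 23,
     "direction": "Input", "protocol": 6, "src_sgt": 100, "dst_sgt": 200, "packets": 10},
    {"src_addr": "172.16.2.0", "dst_addr": "10.1.0.1", "src_port": 23, "dst_port": 58817,
     "direction": "Output", "protocol": 6, "src_sgt": 200, "dst_sgt": 100, "packets": 8},
    # same SGT pair, but SMB instead of telnet: not in the allowed set
    {"src_addr": "10.1.0.7", "dst_addr": "172.16.2.9", "src_port": 51000, "dst_port": 445,
     "direction": "Input", "protocol": 6, "src_sgt": 100, "dst_sgt": 200, "packets": 3},
    # SGT 0: untagged, tag 0, or lookup miss; cannot be judged against policy
    {"src_addr": "192.0.2.5", "dst_addr": "172.16.2.9", "src_port": 40000, "dst_port": 22,
     "direction": "Input", "protocol": 6, "src_sgt": 0, "dst_sgt": 200, "packets": 1},
]


def classify_flow(rec, allowed=ALLOWED):
    """Return 'permitted', 'violation' or 'unresolved-sgt' for one record.
    SGT 0 gets its own verdict because the exporter uses it for three
    different conditions, so it is neither a known group nor a violation."""
    pair = (rec["src_sgt"], rec["dst_sgt"])
    if SGT_UNKNOWN in pair:
        return "unresolved-sgt"
    if pair not in allowed:
        return "violation"                       # groups that should never talk
    rule = allowed[pair]
    if rule is None or (rec["protocol"], rec["dst_port"]) in rule:
        return "permitted"
    return "violation"                           # known pair, unexpected service


def audit(records, allowed=ALLOWED):
    """Bucket records by verdict and sum packets per SGT pair; the per-pair
    totals are the quickest way to spot a pair that should never exchange traffic."""
    buckets = defaultdict(list)
    pair_packets = defaultdict(int)
    for rec in records:
        buckets[classify_flow(rec, allowed)].append(rec)
        pair_packets[(rec["src_sgt"], rec["dst_sgt"])] += rec["packets"]
    return dict(buckets), dict(pair_packets)


if __name__ == "__main__":
    buckets, pairs = audit(SAMPLE_RECORDS)
    for verdict, recs in buckets.items():
        for r in recs:
            print(f"{verdict:15} SGT {r['src_sgt']:>4} -> DGT {r['dst_sgt']:<4} "
                  f"{r['src_addr']}:{r['src_port']} -> {r['dst_addr']}:{r['dst_port']} "
                  f"proto {r['protocol']} pkts {r['packets']}")
    print("packets per SGT pair:", pairs)
```

The unresolved bucket deserves its own follow-up rather than being dropped: a steady stream of SGT 0 flows from an interface that should be classifying every packet usually means an IP-SGT mapping gap or an untrusted uplink, which is exactly the kind of non-standard behaviour this feature is meant to surface.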
              
              

              Configuration Examples for Flexible NetFlow Export of Cisco TrustSec Fields

              Example: Configuring Cisco TrustSec Fields as Key Fields in the Flow Record

              The following example shows how to configure the Cisco TrustSec flow objects as key fields in an IPv4 Flexible NetFlow flow record:

              Device> enable
              Device# configure terminal
              Device(config)# flow record cts-record-ipv4
              Device(config-flow-record)# match ipv4 protocol
              Device(config-flow-record)# match ipv4 source address
              Device(config-flow-record)# match ipv4 destination address
              Device(config-flow-record)# match transport source-port
              Device(config-flow-record)# match transport destination-port
              Device(config-flow-record)# match flow direction
              Device(config-flow-record)# match flow cts source group-tag
              Device(config-flow-record)# match flow cts destination group-tag
              Device(config-flow-record)# end
              
              

              Example: Configuring Cisco TrustSec Fields as Non-Key Fields in the Flow Record

              The following example shows how to configure the Cisco TrustSec flow objects as non-key fields in an IPv4 Flexible NetFlow flow record:

              Device> enable
              Device# configure terminal
              Device(config)# flow record cts-record-ipv4
              Device(config-flow-record)# match ipv4 protocol
              Device(config-flow-record)# match ipv4 source address
              Device(config-flow-record)# match ipv4 destination address
              Device(config-flow-record)# match transport source-port
              Device(config-flow-record)# match transport destination-port
              Device(config-flow-record)# collect flow direction
              Device(config-flow-record)# collect flow cts source group-tag
              Device(config-flow-record)# collect flow cts destination group-tag
              Device(config-flow-record)# collect counter packets
              Device(config-flow-record)# end
              
              

              Example: Configuring a Flow Exporter

              Device> enable
              Device# configure terminal
              Device(config)# flow exporter EXPORTER-1
              Device(config-flow-exporter)# destination 172.16.10.2
              Device(config-flow-exporter)# end
              
              

              Example: Configuring a Flow Monitor

              Device> enable
              Device# configure terminal
              Device(config)# flow monitor FLOW-MONITOR-1
              Device(config-flow-monitor)# record cts-record-ipv4
              Device(config-flow-monitor)# exporter EXPORTER-1
              Device(config-flow-monitor)# end
              
              

              Example: Applying a Flow Monitor on an Interface

              The following example shows how to activate an IPv4 flow monitor by applying it to an interface to analyze traffic. To activate an IPv6 flow monitor, replace the ip keyword with the ipv6 keyword.

              Device> enable
              Device# configure terminal
              Device(config)# interface ethernet 0/0
              Device(config-if)# ip flow monitor FLOW-MONITOR-1 input
              Device(config-if)# end
              
              

              Additional References for Flexible NetFlow Export of Cisco TrustSec Fields

              Related Documents

              Related Topic                                      Document Title

              Cisco IOS commands                                 Cisco IOS Master Command List, All Releases

              Security commands

              Data export in Flexible NetFlow                    “Flexible NetFlow Output Features on Data Export” chapter in the Flexible NetFlow Configuration Guide publication

              Flexible NetFlow flow records and flow monitors    “Customizing Flexible NetFlow Flow Records and Flow Monitors” chapter in the Flexible NetFlow Configuration Guide publication

              Technical Assistance

              Description

              Link

              The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

              To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

              Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

              http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

              Feature Information for Flexible NetFlow Export of Cisco TrustSec Fields

              The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

              Table 1 Feature Information for Flexible NetFlow Export of Cisco TrustSec Fields

              Feature Name:         Flexible NetFlow Export of Cisco TrustSec Fields

              Releases:             Cisco IOS 15.4(3)M

              Feature Information:  The Flexible NetFlow Export of Cisco TrustSec Fields feature supports the Cisco TrustSec fields in the Flexible NetFlow (FNF) flow record and helps to monitor, troubleshoot, and identify non-standard behavior for Cisco TrustSec deployments.

                                    The following commands were introduced by this feature: match flow cts {source | destination} group-tag and collect flow cts {source | destination} group-tag.