Guidelines For Configuring Netflow On Your Network; Enable Cisco Ios Routers And Switches To Send Netflow To Mars - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual

Data Enabling Features

Guidelines for Configuring NetFlow on Your Network

Ideally NetFlow should be collected from the core and distribution switches in your network. These switches, together with the NetFlow from Internet-facing routers or SYSLOG from firewalls, typically represent the entire network. With this in mind, review the following guidelines before deploying NetFlow in your network:

• MARS normalizes NetFlow and SYSLOG events to prevent duplicate event reporting from the same reporting device.
• Review VLANs in switches and pick several VLANs for which the traffic volume is low. This approach allows you to slowly integrate NetFlow and become comfortable with using it in your environment.
• Be aware of existing CPU utilization on NetFlow-capable devices. For more information on how NetFlow affects the performance of routers and network throughput, see the following link: http://www.cisco.com/en/US/tech/tk812/technologies_white_paper0900aecd802a0eb9.shtml
• Consider using sampled NetFlow data (10:1 or 100:1 ratios) in highly utilized VLANs.
• Be selective in using NetFlow; you do not need to enable it on all NetFlow-capable devices. In fact, such usage can create duplicate reporting of events, further burdening the MARS Appliance.
• MARS uses NetFlow versions 5 and 7. Ensure that the version of Cisco IOS software or Cisco CatOS running on your reporting devices supports at least one of these NetFlow versions.

Note: For releases 4.2.3 and earlier of MARS, you cannot define drop rules for a NetFlow-based event. For these releases, tuning of NetFlow events must be performed on the reporting device.

The taskflow for configuring NetFlow to work with MARS is as follows:
1. Identify the reporting devices on which to enable NetFlow.
2. Enable NetFlow on each identified reporting device and direct the NetFlow data to the MARS Appliance responsible for that network segment.
3. Verify that all reporting devices are defined in the MARS web interface.
4. Enable NetFlow processing in the MARS web interface.
5. Allow MARS to study traffic for a week to develop a usage baseline before it begins to generate incidents based on detected anomalies.

The following tasks provide guidance on the required device configuration:
• Enable Cisco IOS Routers and Switches to Send NetFlow to MARS, page 2-32
• Enable NetFlow Processing in MARS, page 2-34

Enable Cisco IOS Routers and Switches to Send NetFlow to MARS

For more information on NetFlow and configuring the settings in Cisco IOS, refer to:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_book09186a00805b88ed.html

Before you configure NetFlow from MARS, you must first configure it on the router or switch.

To enable NetFlow on a Cisco IOS router or switch and to push those events to the MARS Appliance, follow these steps:

User Guide for Cisco Security MARS Local Controller
2-32
Chapter 2 Reporting and Mitigation Devices Overview
78-17020-01
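Two of the guidelines above (MARS consumes only NetFlow v5 and v7; consider 10:1 or 100:1 sampling on busy VLANs) can be verified from the collector side by looking at what an exporter actually sends. The parser below is an added example for this guide, not Cisco's code and not part of MARS: it decodes the standard NetFlow v5 and v7 datagram layouts, refuses any other version (an exporter left at v9, for instance, would never be understood by MARS), and reads the v5 header's sampling-interval field that a sampled exporter fills in. The datagrams it parses are constructed inside the code with private and documentation addresses, not captured from a device.

```python
"""NetFlow v5/v7 export datagram parser with a MARS version check.

Added example for this guide; it is not Cisco's code and not part of MARS.
Assumes the standard NetFlow v5 and v7 wire formats. All datagrams below are
constructed in-code (not captured from a device).
"""
import socket
import struct

MARS_SUPPORTED_VERSIONS = (5, 7)   # the only export versions MARS consumes

# v5 header (24 bytes): version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# v5 record (48 bytes): srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
# first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
# v7 header (24 bytes): version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, reserved; a v7 record is a v5 record plus router_sc (52 bytes)
V7_HEADER = struct.Struct("!HHIIIII")
V7_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBHI")


def _ntoa(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def _aton(s):
    return struct.unpack("!I", socket.inet_aton(s))[0]


def parse_datagram(data):
    """Decode one export datagram into a dict; ValueError if MARS cannot use it."""
    if len(data) < 4:
        raise ValueError("datagram too short for a NetFlow header")
    version, count = struct.unpack("!HH", data[:4])
    if version not in MARS_SUPPORTED_VERSIONS:
        # e.g. an exporter left at v9: the device must be switched to v5 or v7
        raise ValueError(f"NetFlow v{version} export; MARS accepts only v5 and v7")
    header, record = (V5_HEADER, V5_RECORD) if version == 5 else (V7_HEADER, V7_RECORD)
    expected = header.size + count * record.size
    if len(data) != expected:
        raise ValueError(f"length {len(data)} does not match {count} records ({expected})")
    h = header.unpack_from(data)
    result = {"version": version, "count": count, "flow_sequence": h[5],
              "sampling_mode": None, "sampling_interval": None}
    if version == 5:
        # sampling_interval field: top 2 bits = mode (1 = packet interval),
        # low 14 bits = interval, so a 100:1 sampled exporter reports 100.
        result["sampling_mode"] = h[8] >> 14
        result["sampling_interval"] = h[8] & 0x3FFF
    flows = []
    for i in range(count):
        r = record.unpack_from(data, header.size + i * record.size)
        flows.append({"src": _ntoa(r[0]), "dst": _ntoa(r[1]),
                      "sport": r[9], "dport": r[10], "proto": r[13],
                      "packets": r[5], "octets": r[6]})
    result["flows"] = flows
    return result


def build_v5_datagram(flows, sampling_interval=0, flow_sequence=0):
    """Construct a v5 datagram from flow dicts (test input only, not an exporter)."""
    mode = 1 if sampling_interval else 0
    sampling = (mode << 14) | (sampling_interval & 0x3FFF)
    hdr = V5_HEADER.pack(5, len(flows), 0, 0, 0, flow_sequence, 0, 0, sampling)
    body = b"".join(
        V5_RECORD.pack(_aton(f["src"]), _aton(f["dst"]), 0, 1, 2,
                       f["packets"], f["octets"], 0, 0, f["sport"], f["dport"],
                       0, f.get("tcp_flags", 0), f["proto"], 0, 0, 0, 24, 24, 0)
        for f in flows)
    return hdr + body


# Constructed sample flows and datagrams (private/documentation address ranges).
SAMPLE_FLOWS = [
    {"src": "10.1.1.5", "dst": "192.0.2.10", "sport": 50123, "dport": 443,
     "proto": 6, "packets": 12, "octets": 9000, "tcp_flags": 0x1B},
    {"src": "10.1.1.7", "dst": "10.1.2.53", "sport": 51000, "dport": 53,
     "proto": 17, "packets": 1, "octets": 70},
]
SAMPLE_V5 = build_v5_datagram(SAMPLE_FLOWS, sampling_interval=100, flow_sequence=7)
SAMPLE_V7 = V7_HEADER.pack(7, 0, 0, 0, 0, 42, 0)          # header-only v7 datagram
SAMPLE_V9 = struct.pack("!HH", 9, 1) + b"\x00" * 16       # v9-like bytes: rejected


if __name__ == "__main__":
    d = parse_datagram(SAMPLE_V5)
    print(f"v{d['version']}, {d['count']} flows, sampling 1:{d['sampling_interval']}")
    for f in d["flows"]:
        print(f"  {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto {f['proto']}")
    try:
        parse_datagram(SAMPLE_V9)
    except ValueError as err:
        print("rejected:", err)
```

Pointing a UDP listener at the port you configured as the export destination and feeding each received datagram to parse_datagram gives a quick check that the exporter is on a version MARS accepts and that the sampling ratio you intended is the one on the wire; the packet and octet counters in a sampled export are per-sample, which is why the interval is carried in the header.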