Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 83

Chapter 2 Reporting and Mitigation Devices Overview
Log in to the Cisco IOS router or switch with administrator's privileges.
Step 1
Enter the following commands:
Step 2
Command
enable
configure terminal
ip flow-export destination
<MARS_IP_address>
<UDP_port>
ip flow-export source
<
syslog_interface_name
ip flow-export version
<
version_number
ip flow-cache timeout active
5
ip flow-cache timeout
inactive 15
For each interface in the device, enter the following commands:
Step 3
Command
interface
ip route-cache flow
To verify that NetFlow is enabled correctly, enter the following commands:
Step 4
show ip flow export
show ip cache flow
78-17020-01
Purpose
Turn on enable mode.
Enter global configuration mode.
Note
Enables the data export to the MARS Appliance on UDP port 2055
(assuming the default port is used). MARS_IP_address is the IP
address of the MARS Appliance that is responsible for processing
the NetFlow events for this reporting device. UDP_port is the
default UDP port to send NetFlow (the default port is 2055).
•
>
Identifies which version of NetFlow, 5 or 7, to use when generating
> events. Cisco recommends using version 5 if supported.
version_number is either 5 or 7. MARS only supports NetFlow
versions 5 and 7.
Configures the flow timeout. This timeout value breaks up
long-lived flows into 5-minute segments. You can choose any
number of minutes between 1 and 60; however, selecting the default
of 30 minutes will result in spikes appearing in utilization reports.
Ensures that those flows that have finished are exported in a timely
manner.
Purpose
< > Specifies the interface for which you want to enable NetFlow and it
interface_name
enters the interface configuration mode. interface_name is the name
of the interface to which the MARS is connected. This command
varies based on the device type. For example,
Enables NetFlow for the selected interface.
Commands in this mode are written to the running
configuration file as soon as you enter them (using the Enter
key/Carriage Return).
Set the source IP for the interface to send the NetFlow. The
syslog_interface_name value should be the interface attached
to the network through which the MARS Appliance is
reachable, and it must equal the syslog source interface name.
interface type slot/port-adapter/port
routers)
interface type slot/port
User Guide for Cisco Security MARS Local Controller
Data Enabling Features
(Cisco 7500 series
(Cisco 7200 series routers)
2-33