18
CLEAR-Flow
This chapter describes the following topics:
● Overview on page 375
● Configuring CLEAR-Flow on page 375
● Adding CLEAR-Flow Rules to ACLs on page 376
● CLEAR-Flow Rule Examples on page 389
Overview
CLEAR-Flow is a broad framework for implementing security, monitoring, and anomaly detection in
ExtremeWare XOS software. Instead of simply looking at the source and destination of traffic,
CLEAR-Flow allows you to specify certain types of traffic that require more attention. Once certain
criteria for this traffic are met, the switch can either take an immediate, pre-determined action, or send
a copy of the traffic off-switch for analysis.
CLEAR-Flow is an extension to Access Control Lists (ACLs). You create ACL policy rules to count
packets of interest. CLEAR-Flow rules are added to the policy to monitor these ACL counter statistics.
The CLEAR-Flow agent monitors the counters for the situations of interest to you and your network.
You can monitor the cumulative value of a counter, the change to a counter over a sampling interval,
the ratio of two counters, or even the ratio of the changes of two counters over an interval. For example,
you can monitor the ratio between TCP SYN and TCP packets. An abnormally large ratio may indicate
a SYN attack.
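To make the four kinds of counter condition concrete (cumulative count, change over a sampling interval, ratio of two counters, ratio of two changes), here is an added Python model of that evaluation logic run over the TCP SYN versus TCP packet counters just described. It is example code written for this page, not ExtremeWare XOS code or its policy syntax; the counter names, sample values, thresholds and the `min_value` guard are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    name: str
    kind: str                  # "count", "delta", "ratio" or "delta-ratio"
    counters: Tuple[str, ...]  # one name for count/delta; (numerator, denominator) for ratios
    threshold: float
    min_value: int = 0         # assumed guard: ratios are skipped until the denominator reaches this

def evaluate(rule: Rule, prev: Optional[Dict[str, int]], cur: Dict[str, int]) -> bool:
    """True when the rule condition holds for the sampling interval ending at `cur`."""
    if rule.kind == "count":                      # cumulative counter value
        return cur[rule.counters[0]] > rule.threshold
    if prev is None:                              # interval-based kinds need two samples
        return False
    delta = {c: cur[c] - prev[c] for c in rule.counters}
    if rule.kind == "delta":                      # change over one sampling interval
        return delta[rule.counters[0]] > rule.threshold
    num, den = rule.counters
    a, b = (cur[num], cur[den]) if rule.kind == "ratio" else (delta[num], delta[den])
    if b < max(rule.min_value, 1):                # too little traffic for a meaningful ratio
        return False
    return a / b > rule.threshold

def run(rules: List[Rule], samples: List[Dict[str, int]]) -> List[Tuple[int, str]]:
    """Walk cumulative counter snapshots in order; report (sample index, rule name) per match."""
    hits, prev = [], None
    for i, cur in enumerate(samples):
        hits.extend((i, r.name) for r in rules if evaluate(r, prev, cur))
        prev = cur
    return hits

# Constructed snapshots: tcp_syn counts TCP SYN packets, tcp_all every TCP packet.
# The last interval models a SYN flood: SYN growth almost equals total TCP growth.
SAMPLES = [
    {"tcp_syn": 100, "tcp_all": 2000},
    {"tcp_syn": 150, "tcp_all": 3000},
    {"tcp_syn": 5150, "tcp_all": 8200},
]
RULES = [
    Rule("syn_total", "count", ("tcp_syn",), 1000),
    Rule("syn_burst", "delta", ("tcp_syn",), 1000),
    Rule("syn_share", "ratio", ("tcp_syn", "tcp_all"), 0.5, min_value=100),
    Rule("syn_surge", "delta-ratio", ("tcp_syn", "tcp_all"), 0.5, min_value=100),
]
MATCHES = run(RULES, SAMPLES)   # -> [(2, 'syn_total'), (2, 'syn_burst'), (2, 'syn_share'), (2, 'syn_surge')]
```

The first two snapshots stay quiet under every rule; the `min_value` guard is what keeps a ratio from firing on a handful of packets right after the counters are cleared.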
The counters used in CLEAR-Flow are either defined by you in an ACL entry, or can be a predefined
counter. See the section "Predefined CLEAR-Flow Counters" for a list and description of these counters.
If the rule conditions are met, the CLEAR-Flow actions configured in the rule are executed. The switch
can respond by modifying an ACL that will block, prioritize, or mirror the traffic, executing a set of CLI
commands, or sending a report using an SNMP trap or EMS log message.
NOTE
CLEAR-Flow is available only on the BlackDiamond 10K family of switches.
Configuring CLEAR-Flow
CLEAR-Flow is an extension to ACLs, so you must be familiar with configuring ACLs before you add
CLEAR-Flow rules to your ACL policies. Creating ACLs is described in detail in Chapter 13, "Access
Lists (ACLs)". Chapter 13 describes how to create ACL policies, the syntax of an ACL policy file, and
how to apply ACL policies to the switch. In this current chapter, you will find information about the
CLEAR-Flow rules that you add to ACL policies, including the CLEAR-Flow rules' syntax and behavior.
ExtremeWare XOS 11.3 Concepts Guide
375