Netflow filter, remove management traffic from stats

May 2nd, 2008

A customer would like to see NetFlow traffic from a managed CPE. I would like to remove my group of management ip addresses from the NetFlow statistics. Below is a possible config - will this work?


class-map match-all no-mgmt
 match access-group name mgmt
!
flow-sampler-map one-of-one
 mode random one-out-of 1
!
policy-map mgmtpolicy
 class no-mgmt
  netflow-sampler one-of-one
!
interface G0/1
 service-policy input mgmtpolicy
!
ip access-list standard mgmt
 deny 157.11.22.56
 deny 157.12.33.45
 deny 157.13.44.34
 permit any

peter.nowack Sat, 05/03/2008 - 05:24

Hello,

I think that the better solution is to use some filtering on the collector side. Which collector are you using? I bought Caligare and there is a nice feature, "Filtering", where I can specify which flows I want to drop. Another solution is to create a new user group (i.e. my_customer) and set restrictions there on what your customer can see...


Let me know which collector you are using. If you are not using Caligare, maybe you will find a similar feature in your collector.


Bye,


Peter


diconmurray Mon, 05/05/2008 - 05:54

Thanks for the reply Peter, the problem is that the collector is owned by the customer and I need to filter the NetFlow traffic at source. The NetFlow export destination is their collection station so I have no control of the data once it leaves the router.

I would have thought someone might have had this requirement before, or maybe I am looking at this from the wrong angle? Any ideas?

peter.nowack Mon, 05/05/2008 - 06:34

It is a problem, because you cannot filter out flows on Cisco. If you configure/enable NetFlow, your customer will see all flows which go through your device (you can only enable/disable NetFlow on L3 interfaces, but if you have a 7600 with MLS your customer will see almost all of the traffic). I think that a "netflow proxy" could be a solution. I'm not sure if such proxy software exists (I'm speculating), but maybe this proxy software could filter out unwanted flows, then create new NetFlow records that are sent to your customer with the spoofed IP address of your Cisco. Try Google (flow-tools), but really I don't know if this kind of software exists. In Caligare you can restrict the view, but if your customer has their own software it is a real problem.


Kind regards,


Peter
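
The "netflow proxy" idea from the reply above, as an added example that is not part of the thread and not any vendor's product: Python that parses a NetFlow v5 export datagram, drops every record whose source or destination is one of the management addresses from the question's ACL, and rebuilds the datagram with a corrected record count. build_v5_packet only constructs sample input; a hypothetical proxy would receive the router's export on UDP and forward the filtered result to the customer's collector.

```python
"""Drop management-host flows from NetFlow v5 export datagrams before they
reach a customer-owned collector (hypothetical proxy logic, added example)."""
import ipaddress
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48-byte NetFlow v5 flow record

# Management addresses from the question's ACL (constructed sample set, packed form).
MGMT_HOSTS = {ipaddress.ip_address(a).packed for a in
              ("157.11.22.56", "157.12.33.45", "157.13.44.34")}

def build_v5_packet(flows, seq=0):
    """Build a sample v5 datagram from (src, dst, proto, sport, dport, pkts, octets)."""
    body = b"".join(
        RECORD.pack(ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
                    b"\0\0\0\0", 1, 2, pkts, octets, 0, 0, sport, dport,
                    0, 0, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, proto, sport, dport, pkts, octets in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, 0) + body

def filter_v5_packet(data, mgmt=MGMT_HOSTS):
    """Return (filtered_datagram, dropped) with records touching a mgmt host removed."""
    version, count, *rest = HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    kept = []
    for i in range(count):
        off = HEADER.size + i * RECORD.size
        rec = data[off:off + RECORD.size]
        src, dst = RECORD.unpack(rec)[:2]
        if src in mgmt or dst in mgmt:          # drop flows to/from management hosts
            continue
        kept.append(rec)
    # flow_sequence (inside rest) is left as exported; a real proxy would renumber
    # it so the collector does not report the dropped records as lost flows.
    return HEADER.pack(5, len(kept), *rest) + b"".join(kept), count - len(kept)

def record_addresses(data):
    """List (src, dst) dotted strings of every record, for logging/inspection."""
    count = HEADER.unpack_from(data)[1]
    out = []
    for i in range(count):
        src, dst = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)[:2]
        out.append((str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))))
    return out
```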

