Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1010
Views
0
Helpful
3
Replies

Netflow filter, remove management traffic from stats

diconmurray
Level 1
Level 1

‎05-02-2008 03:22 AM

A customer would like to see NetFlow traffic from a managed CPE. I would like to remove my group of management ip addresses from the NetFlow statistics. Below is a possible config - will this work?

class-map match-all no-mgmt

match access-group name mgmt

flow-sampler-map one-of-one

mode random one-out-of 1

policy-map mgmtpolicy

class no-mgmt

netflow-sampler one-of-one

interface G0/1

service-policy input mgmtpolicy

ip access-list standard mgmt

deny 157.11.22.56

deny 157.12.33.45

deny 157.13.44.34

permit any

Labels:
0 Helpful
3 Replies 3

peter.nowack
Level 1
Level 1

‎05-03-2008 05:24 AM

Hello,

I think that the better solution is use some filtering on collector side. Which collector do you using? I bought Caligare and there is nice feature "Filtering", where I can specify which flows I want to drop. Another solution is create a new user group "i.e. my_customer" and set there restrictions what your customer can see...

Let me know what collector do you using. If you are not using Caligare, maybe in your collector you will find similar feature.

Bye,

Peter

0 Helpful

diconmurray
Level 1
Level 1
In response to peter.nowack

‎05-05-2008 05:54 AM

Thanks for the reply Peter, the problem is that the collector is owned by the customer and I need to filter the NetFlow traffic at source. The NetFlow export destination is their collection station so I have no control of the data once it leaves the router.

I would have thought some on might have had this requirement before or maybe I am looking at this from the wrong angle? Any ideas?

0 Helpful

peter.nowack
Level 1
Level 1
In response to diconmurray

‎05-05-2008 06:34 AM

It is a problem, because you cannot filter out flows on Cisco. If you configure/enable netflow, your customer will see all flows which goes through your device (you can only enable/disable netflow on L3 interfaces, but if you have 7600 with mls your customer will see almost of the traffic). I think that a "netflow proxy" could be solution. I'm not sure if some proxy software exists (I'm fancying), but maybe this proxy software filter out unwanted flows, then create a new netflow record that will send to your customer with spoofed IP address of your cisco. Try Google (flow-tools), but really I don't know if this kind of software exists. In the Caligare you can restrict view, but if your customer has own software it is really problem.

Kind regards,

Peter

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents