If you use the show ip cache flow command or the show ip cache verbose flow command to display the flows in the cache, you will see the ICMP flows that are selected by NetFlow filtering and sampling on interface Ethernet0/0.1, and flows for all NetFlow supported traffic types on any other interfaces that NetFlow is running on. The show ip flow top-talkers [verbose] command is used to display the flow status and statistics for the traffic type you configured with the match criteria over interfaces to which you applied the service policy. For example, in this case you configured top talkers to match on ICMP traffic sent from any host that is arriving on Ethernet0/0.1 and destined for 172.16.10.2.
In this task the Top Talkers feature is being used more as a flow filter to separate flows of interest from all of the flows the router is seeing, rather than a filter to display the flows with the highest traffic volumes.
Top talkers is used in this manner because in this example all of the ICMP DoS attack flows are of interest, not just the flows with the highest volumes. This is why a large value is assigned to the top keyword in the top talkers configuration. Setting the value for the top keyword to 50 when the largest number of ICMP DoS attack flows tracked by the router is 12 ensures that all of the ICMP DoS attack flows will be tracked.
If your router sees a significant number of flows involved in a DoS attack, you might want to set the value for the top keyword to a number that is less than the total number of flows to limit the number of flows that you see in the display when you use the show ip flow top-talkerscommand. This will ensure that you are seeing the flows that have the highest volume of DoS attack traffic. However, if all of the flows have the same traffic volume, the show ip flow top-talkerscommand will not be able to differentiate between them.
It displays the number of flows that you set the value of the top keyword to, starting from the first flow in the cache.
Perform the following task to configure NetFlow Filtering and sampling.
Configuring NetFlow Filtering and Sampling
Restrictions
Note Restrictions for NetFlow Input Filters
On Cisco 7500 platforms, the NetFlow Input Filters feature is supported only in distributed mode.
Restrictions for Random Sampled NetFlow
If full NetFlow is enabled on an interface, it takes precedence over Random Sampled NetFlow (which will thus have no effect). Disable full NetFlow on an interface before enabling Random Sampled NetFlow on that interface.
Enabling Random Sampled NetFlow on a physical interface does not automatically enable Random Sampled NetFlow on subinterfaces; you must explicitly configure it on subinterfaces. Also, disabling Random Sampled NetFlow on a physical interface (or a subinterface) does not enable full NetFlow. This restriction prevents the transition to full NetFlow from overwhelming the physical interface (or
subinterface). If you want full NetFlow, you must explicitly enable it.
You must use NetFlow Version 9 if you want to use sampler option templates or view NetFlow sampler IDs.
SUMMARY STEPS 1. enable
2. configure terminal
3. flow-sampler-map sampler-map-name 4. mode random one-out-of packet-interval 5. exit
6. class-map class-map-name [match-all | match-any]
7. match access-group access-group 8. exit
9. policy-map policy-map-name 10. class { class-name | class-default}
11. netflow-sampler sampler-map-name 12. exit
13. exit
14. interface interface-type interface-number [.subinterface number]
15. no [ip route-cache flow | ip flow ingress]
16. service-policy {input | output} policy-map-name 17. exit
18. ip flow-top-talkers 19. top number 20. sort-by packets
21. match class-map claas-name
22. no match destination address ip-address /prefix-mask 23. exit
24. access-list access-list-number permit icmp source destination 25. end
Detecting and Analyzing Network Threats With NetFlow Restrictions
DETAILED STEPS
Command or Action Purpose
Step 1 enable
Example:
Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3 flow-sampler-map sampler-map-name
Example:
Router(config)# flow-sampler-map icmp-dos-fs-map
Defines a statistical sampling NetFlow export flow sampler map.
• The sampler-map-name argument is the name of the flow sampler map to be defined.
Entering the flow-sampler-map command enables the flow sampler configuration mode.
Step 4 mode random one-out-of packet-interval
Example:
Router(config-sampler-map)# mode random one-out-of 2
Specifies a statistical sampling NetFlow export random sampling mode and a packet interval.
• The random keyword specifies that sampling uses the random sampling mode.
• The one-out-of packet-interval argument-keyword pair specifies the packet interval (one out of every npackets) from which to sample. For n, you can specify from 1 to 65535 (packets).
Step 5 exit
Example:
Router(config-sampler-map)# exit
Exits back to global configuration mode.
Detecting and Analyzing Network Threats With NetFlow
Restrictions
Command or Action Purpose Step 6 class-map class-map-name [match-all |
match-any]
Example:
Router(config)# class-map match-any icmp-dos-class-map
Creates a class map to be used for matching packets to a specified class.
• The class-map-name argument is the name of the class for the class map. The name can be a maximum of 40 alphanumeric characters. The class name is used for both the class map and for configuring policy for the class in the policy map.
• The match-all | match-anykeywords determine how packets are evaluated when multiple match criteria exist. Packets must either meet all of the match criteria (match-all) or only one of the match criteria (match-any) to be considered a member of the class.
Entering the class-mapcommand enables class-map configuration mode, in which you can enter one of the match commands to configure the match criteria for this class.
Step 7 match access-group access-group
Example:
Router(config-cmap)# match access-group 101
Configures the match criteria for a class map on the basis of the specified access control list (ACL).
• The access-group argument is a numbered ACL whose contents are used as the match criteria against which packets are checked to
determine if they belong to this class. An ACL number can be a number from 1 to 2699.
Step 8 exit
Example:
Router(config-cmap)# exit
Exits back to global configuration mode.
Step 9 policy-map policy-map-name
Example:
Router(config)# policy-map icmp-dos-policy-map
Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
• The policy-map-name argument is the name of the policy map. The name can be a maximum of 40 alphanumeric characters.
Entering the mapcommand enables quality of service (QoS) policy-map configuration mode, in which you can configure or modify the class policies for that policy map
Step 10 class { class-name | class-default}
Example:
Router(config-pmap)# class icmp-dos-class-map
Specifies the name of the class whose policy you want to create or change or specifies the default class (commonly known as the class-default class) before you configure its policy.
• The class-name argument is the name of the class for which you want to configure or modify policy.
• The class-default keyword specifies the default class so that you can configure or modify its policy.
Entering the class command enables QoS policy-map class configuration mode.
Detecting and Analyzing Network Threats With NetFlow Restrictions