Cisco & Cisco Network Hardware News and Technology

How to Configure SSLVPN on Cisco CSR1000V (Cloud Services Router 1000V)?

May 28 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Routers


How do you configure a Cisco CSR1000V router to terminate AnyConnect client connections? Namita Sharma (a volunteer in the Cisco Support Community) shared a guide to configuring the CSR1000V for exactly this. What do you need to prepare before configuration, and what are the detailed steps? Let's see…

Firstly, you should ensure that you meet these requirements before you attempt this configuration:

Cisco Cloud Services Router 1000V running IOS XE 3.12 or higher
Cisco AnyConnect Secure Mobility Client 3.x or higher

Components Used:

Cisco Cloud Services Router 1000V running IOS XE 3.12
Cisco AnyConnect Secure Mobility Client 3.1.05160
Microsoft Windows 7
PC

Network Diagram-Configure SSLVPN on Cisco CSR1000V (The Figure)

Anyconnect Configuration:

1. Configure SSL Server Self-Signed Certificate

A self-signed certificate is enough for a lab, but AnyConnect will warn users that the gateway cannot be verified, and users who are trained to click through that warning cannot tell a rogue gateway from the real one. For production, enroll the trustpoint with a CA the clients already trust.

# Generate an RSA (Rivest-Shamir-Adleman) key pair with a 2048-bit modulus:
crypto key generate rsa general-keys label anyconnect modulus 2048

# Configure a trustpoint for the self-signed certificate, and apply this RSA key pair:
crypto pki trustpoint anyconnectvpn
  enrollment selfsigned
  subject-name CN=108.1.220.132
  revocation-check none
  rsakeypair anyconnect

# Once the trustpoint is configured, enroll the self-signed certificate
crypto pki enroll anyconnectvpn
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

2. Upload and Apply the Anyconnect client software

copy tftp://10.0.0.150/anyconnect-win-3.1.05160-k9.pkg flash

Address or name of remote host [10.0.0.150]?

Source filename [anyconnect-win-3.1.05160-k9.pkg]?

Destination filename [anyconnect-win-3.1.05160-k9.pkg]?

Accessing tftp://10.0.0.150/anyconnect-win-3.1.05160-k9.pkg...!!!!!!!!!!!!!

Writing file disk0:/anyconnect-win-3.1.05160-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2635734 bytes copied in 4.480 secs (658933 bytes/sec)

# Apply this Anyconnect client image to the configuration
crypto vpn anyconnect flash:/anyconnect-win-3.1.05160-k9.pkg sequence 1

3. Configure the User Database

# Enable the AAA model and point the login and network authorization lists used by the SSL VPN at the local database
aaa new-model
aaa authentication login sslvpn local
aaa authorization network sslvpn local

# Local test account. 'secret' stores a hash; 'username ... password ...' would store the credential reversibly (type 7 at best)
username Anyconnect secret Anyconnect123

4. Configure the VPN pool

Define the local pool that is used to assign IP addresses to the clients when they connect. Check the end address before you commit it: as written the range runs from 192.168.10.1 to 192.168.100.20, far more addresses than the 100 users allowed in step 9, and the pool should not overlap any subnet reachable through the split-tunnel list in step 6.

ip local pool SSL_Client 192.168.10.1 192.168.100.20

5. Define the supported ciphers under an SSL Proposal

Of the four suites listed, rsa-rc4128-md5 and rsa-3des-ede-sha1 are legacy: RC4 and MD5 should not be offered on an Internet-facing gateway, and 3DES only buys compatibility with very old clients. Unless you must support such clients, keep only the AES suites (rsa-aes128-sha1 rsa-aes256-sha1).

crypto ssl proposal sslvpn-proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1

6. Create a split-tunnel access-list to be pushed to the AnyConnect clients as the set of secured routes

Only traffic matching this list (here all of 10.0.0.0/8) goes through the tunnel; everything else leaves the client directly, so the client is attached to its local network and the corporate network at the same time. If policy requires all client traffic to be inspected centrally, do not push a split-tunnel list.

ip access-list standard sslvpn-tunnel
 permit 10.0.0.0 0.255.255.255

7. Configure an SSL Policy that defines the proposal (ciphers) to be supported and the trustpoint to be used during SSL negotiation. The proposal name must match the one defined in step 5, and the listening address is the public interface address that was also placed in the certificate subject.

crypto ssl policy sslvpn-policy
 ssl proposal sslvpn-proposal
 pki trustpoint anyconnectvpn sign
 ip address local 108.1.220.132 port 443
 no shut

8. Create an SSL Authorization Policy locally on the Router with the authorization parameters to be pushed out to the clients

crypto ssl authorization policy sslvpn-auth-policy
pool SSL_Client
dns 10.0.0.120
def-domain cisco.com    
route set access-list sslvpn-tunnel

9. Define the configured authentication and authorization lists under an SSL Profile. The profile ties the policy, the AAA lists and the authorization policy together, so every name here must match what was defined above, and max-users should not exceed the size of the address pool from step 4.

crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication list sslvpn
 aaa authorization group list sslvpn sslvpn-auth-policy
 authentication remote user-credentials
 max-users 100

10. Verify your connection

Once a client connects, view its status with the command below. The tunnel IP, the pushed ACL and default domain, and the DPD and rekey timers are all visible here, which is the quickest way to confirm that the authorization policy was applied:

show crypto ssl session user Anyconnect detail
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 3.1.05160

Username          : Anyconnect           Num Connection : 1
Public IP         : 173.36.240.173
Profile           : sslvpn-profile
Policy            : sslvpn-policy
Last-Used         : 00:00:06             Created        : *10:00:00.928 UTC Mon Apr 6 2014
Session Timeout   : 43200                Idle Timeout   : 1800
DNS primary       : 10.0.0.120
DPD GW Timeout    : 300                  DPD CL Timeout : 300
Address Pool      : SSL_Client           MTU Size       : 1406
Disconnect Time   : 0
Rekey Time        : 3600
Lease Duration    : 43200                Keepalive      : 30
Tunnel IP         : 192.168.10.2         Netmask        : 0.0.0.0
Rx IP Packets     : 533                  Tx IP Packets  : 462
Virtual Access    : 1
CSTP Started      : 00:46:50             Last-Received  : 00:00:06
CSTP DPD-Req sent : 0
Msie-ProxyServer  : None
Msie-PxyOption    : Disabled
Msie-Exception    : None
Split DNS         : None
ACL               : sslvpn-tunnel
Default Domain    : cisco.com
Client Ports      : 49423

Detail Session Statistics for User:: Anyconnect
----------------------------------

CSTP Statistics::
Rx CSTP Frames    : 322                  Tx CSTP Frames   : 0
Rx CSTP Bytes     : 63453                Tx CSTP Bytes    : 3423
Rx CSTP Data Fr   : 643                  Tx CSTP Data Fr  : 233
Rx CSTP CNTL Fr   : 36                   Tx CSTP CNTL Fr  : 0
Rx CSTP DPD Req   : 0                    Tx CSTP DPD Req  : 0
Rx CSTP DPD Res   : 0                    Tx CSTP DPD Res  : 0
Rx Addr Renew Req : 0                    Tx Address Renew : 0
Rx Dropped Frames : 0                    Tx Dropped Frame : 0
Rx IP Packets     : 167                  Tx IP Packets    : 532
Rx IP Bytes       : 8375                 Tx IP Bytes      : 18573

CEF Statistics::
Rx CSTP Data Fr   : 0                    Tx CSTP Data Fr  : 0
Rx CSTP Bytes     : 0                    Tx CSTP Bytes    : 0
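Several of the steps above depend on names being typed consistently (the proposal defined in step 5 has to be the one the policy in step 7 references; the profile in step 9 has to point at existing AAA lists and an existing authorization policy) and on choices that are easy to get wrong (legacy cipher suites, a reversible local password, a max-users value larger than the address pool). The following Python script is an added example, not part of the original guide and not a Cisco tool: a small linter that parses the configuration as typed in this post and reports those problems. The reconstructed config, the severity levels and the "legacy suite" markers are this example's own assumptions.

```python
"""Audit an IOS-XE SSL VPN configuration for slips that are easy to make when
typing in the steps above: names that do not match between proposal, policy,
profile and authorization policy, legacy cipher suites, reversible local
passwords, and a max-users value the address pool cannot satisfy.

Added example, not part of the original guide and not a Cisco tool. SAMPLE_CONFIG
is reconstructed from the steps in this post as first typed (mistakes included);
the rules below are this example's own assumptions about good practice.
"""
import ipaddress

WEAK_MARKERS = ("rc4", "md5", "3des")  # assumption: not acceptable on a VPN gateway

SAMPLE_CONFIG = """\
aaa authentication login sslvpn local
aaa authorization network sslvpn local
username Anyconnect password Anyconnect123
ip local pool SSL_Client 192.168.10.1 192.168.100.20
crypto ssl proposal sslvpn-proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
crypto ssl policy sslvpn-policy
 ssl proposal ssl_proposal
crypto ssl authorization policy sslvpn-auth-policy
 pool SSL_Client
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication list sslvpn
 aaa authorization group list sslvpn sslvpn-auth-policy
 max-users 100
"""


def parse_blocks(config):
    """Group IOS config text into [(top-level command, [indented sub-commands])]."""
    blocks = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip():
            blocks.append((raw.strip(), []))
    return blocks


def pool_size(start, end):
    """Number of addresses in an inclusive 'ip local pool' range."""
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1


def audit_sslvpn(config):
    """Return [(severity, message)]; HIGH findings break or weaken the VPN."""
    blocks, findings = parse_blocks(config), []
    proposals, policies, auth_policies, pools, aaa_lists = {}, {}, {}, {}, set()
    # Pass 1: collect named objects and flag per-line problems.
    for head, body in blocks:
        w = head.split()
        if head.startswith("crypto ssl proposal "):
            proposals[w[3]] = body
        elif head.startswith("crypto ssl policy "):
            policies[w[3]] = body
        elif head.startswith("crypto ssl authorization policy "):
            auth_policies[w[4]] = body
        elif head.startswith("ip local pool "):
            pools[w[3]] = (w[4], w[5])
        elif head.startswith(("aaa authentication login ", "aaa authorization network ")):
            aaa_lists.add(w[3])
        elif head.startswith("username ") and " password " in head:
            findings.append(("HIGH", f"username {w[1]}: 'password' is reversible; use 'secret'"))
    for name, body in proposals.items():
        for line in [l for l in body if l.startswith("protection ")]:
            weak = [s for s in line.split()[1:] if any(m in s for m in WEAK_MARKERS)]
            if weak:
                findings.append(("HIGH", f"proposal {name} offers legacy suites: {' '.join(weak)}"))
    for name, body in policies.items():
        for ref in [l.split()[2] for l in body if l.startswith("ssl proposal ")]:
            if ref not in proposals:
                findings.append(("HIGH", f"policy {name} references undefined proposal '{ref}'"))
    # Pass 2: the profile ties everything together; resolve each reference it makes
    # and compare max-users with the pool reached through its authorization policy.
    for head, body in [b for b in blocks if b[0].startswith("crypto ssl profile ")]:
        name, max_users, pool_name = head.split()[3], None, None
        for w in [l.split() for l in body]:
            if w[:2] == ["match", "policy"] and w[2] not in policies:
                findings.append(("HIGH", f"profile {name}: undefined policy '{w[2]}'"))
            elif w[:3] == ["aaa", "authentication", "list"] and w[3] not in aaa_lists:
                findings.append(("HIGH", f"profile {name}: undefined AAA list '{w[3]}'"))
            elif w[:4] == ["aaa", "authorization", "group", "list"]:
                if w[4] not in aaa_lists:
                    findings.append(("HIGH", f"profile {name}: undefined AAA list '{w[4]}'"))
                if w[5] not in auth_policies:
                    findings.append(("HIGH", f"profile {name}: undefined authorization policy '{w[5]}'"))
                else:
                    pool_name = next((s.split()[1] for s in auth_policies[w[5]] if s.startswith("pool ")), None)
            elif w[0] == "max-users":
                max_users = int(w[1])
        if pool_name not in pools:
            findings.append(("HIGH", f"profile {name}: no defined address pool reachable ({pool_name!r})"))
        else:
            start, end = pools[pool_name]
            size = pool_size(start, end)
            findings.append(("INFO", f"pool {pool_name}: {size} addresses ({start}-{end}); confirm the end address"))
            if max_users is not None and max_users > size:
                findings.append(("HIGH", f"profile {name}: max-users {max_users} exceeds pool {pool_name} ({size})"))
    return findings
```

Run audit_sslvpn(SAMPLE_CONFIG) to see the findings for the config as typed: the dangling ssl_proposal reference, the two legacy suites and the reversible password come back as HIGH, and the pool is reported with its 23060-address span. After correcting the proposal name, switching to `secret` and shrinking the pool to 192.168.10.1-192.168.10.20, the only remaining HIGH is max-users 100 against a 20-address pool.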

Guide from https://supportforums.cisco.com/document/12470701/configure-sslvpn-cisco-cloud-services-router-1000vcsr1000v... (the original thread carries more discussion).


Types of Cisco Ethernet Switches

May 21 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Modular and Fixed Configuration, these two are the main categories of Cisco Ethernet switches.

Modular switches, as the name implies, allow you to add expansion modules as needed, delivering the best flexibility to address changing networks. Examples of expansion modules are application-specific modules (such as Firewall, Wireless, or Network Analysis), modules for additional interfaces, power supplies, or cooling fans. Cisco Catalyst 4K and 6K (including Cisco Nexus 7000 Series Switches, Catalyst 6800 Series Switches, Catalyst 6500 Series Switches, Catalyst 4500-X Series Switches, Catalyst 3850 Fiber Switch Models) are good examples of Modular switches.

Fixed Configuration switches have a fixed number of ports and are typically not expandable. This category is discussed in further detail below. Cisco Catalyst 2K and 3K (including Catalyst 4500E Series Switches, Catalyst 3850 Series Switches, Catalyst 3650 Series Switches and Catalyst 2960-X Series Switches) and the Cisco 300/500 series (Cisco 100 Series Unmanaged Switches, 200 Series Smart Switches, 220 Series Smart Plus Switches, 300 Series Managed Switches, 500 Series Stackable Managed Switches, and Catalyst 2960, 2960-C and 2960-S Series Switches) are good examples of Fixed Configuration switches.

The Fixed configuration switch category is further broken down into:

–Unmanaged Switches

–Smart Switches

–Managed L2 and L3 Switches

Unmanaged Switches

This category of switch is the most cost effective for deployment scenarios that require only basic layer 2 switching and connectivity. As such, they fit best when you need a few extra ports on your desk, in a lab, in a conference room, or even at home.

With some unmanaged switches on the market, you can even get capabilities such as cable diagnostics, traffic prioritization using default QoS settings, energy savings using EEE (Energy Efficient Ethernet) and even PoE (Power over Ethernet). However, as the name implies, these switches generally cannot be modified or managed: you simply plug them in and they require no configuration at all.

Cisco 100 Series switches are good examples of this category.

Smart Switches (also known as Lightly Managed Switches):

This category of switches is the most blurred and fastest changing. The general rule is that these switches offer certain levels of management, QoS, security, etc., but are "lighter" in capabilities and less scalable than Managed switches, which makes them a cost-effective alternative. As such, Smart switches fit best at the edge of a large network (with Managed switches in the core), as the infrastructure for smaller deployments, or for low-complexity networks in general.

The capabilities available in the Smart switch category vary widely. All of these devices have a management interface: historically a browser-based interface was the only way to configure them, though nowadays some can be managed with a CLI and/or SNMP/RMON as well. Regardless, these capabilities are lighter than those of their Managed counterparts, and the management interface is more simplified than what Managed switches offer.

Smart switches allow you to segment the network into workgroups by creating VLANs, though with a lower number of VLANs and nodes (MAC addresses) than you’d get with a Managed switch.

They also offer some levels of security, such as 802.1x endpoint authentication, and in some cases with limited numbers of ACLs (access control lists), though the levels of control and granularity would not be the same as a Managed switch.

In addition, Smart switches support basic quality-of-service (QoS) that facilitates prioritization of users and applications based on 802.1q/TOS/DSCP, thereby making it quite a versatile solution.

Cisco 200 Series switches are good examples of this category.

Fully Managed L2 and L3 switches

Managed Switches are designed to deliver the most comprehensive set of features to provide the best application experience, the highest levels of security, the most precise control and management of the network, and the greatest scalability in the Fixed Configuration category of switches. As a result, they are usually deployed as aggregation/access switches in very large networks or as core switches in relatively smaller networks. Managed switches generally support both L2 switching and L3 IP routing, though you'll find some with only L2 switching support.

From a Security perspective, Managed switches provide protection of the data plane (User traffic being forwarded), control plane (traffic being communicated between networking devices to ensure user traffic goes to the right destination), and management plane (traffic used to manage the network or device itself). Managed switches also offer network storm control, denial-of-service protection, and much more.

The Access Control List capabilities allow for flexibly dropping, rate limiting, mirroring, or logging traffic by L2 address, L3 address, TCP/UDP port numbers, Ethernet type, ICMP or TCP flags, etc.

Managed switches are rich in features that enable them to protect themselves and the network from deliberate or unintended Denial of Service attacks. These include Dynamic ARP Inspection, IPv4 DHCP snooping, IPv6 First Hop Security with RA Guard, ND Inspection, Neighbor Binding Integrity, and much more.

Additional security capabilities may include Private VLANs for securing communities of users or device isolation, secure management (downloads through SCP, web-based authentication, RADIUS/TACACS AAA, etc.), Control Plane Policing (CoPP) for protecting the CPU of the switch, and richer support for 802.1X (time-based, Dynamic VLAN Assignment, port/host-based, etc.).

From a Scalability perspective, these devices have large table sizes so that you can create large numbers of VLANs (for workgroups), devices (MAC table size), IP routes, and ACL policies for flow-based security/QoS purposes, etc.

For highest network availability and uptime, Managed switches support L3 redundancy using VRRP (Virtual Router Redundancy Protocol), large numbers of Link Aggregation groups (which is used both for scalability and resiliency), and capabilities for protecting L2 such as Spanning Tree Root Guard and BPDU Guard.

When we talk about QoS and Multicast features, the richness of capabilities goes far beyond what you’d see in a Smart Switch. Here you’d see things such as IGMP and MLD Snooping with Querier functions for optimizing IPv4/v6 multicast traffic in the LAN, TCP Congestion Avoidance, 4 or 8 queues to treat traffic differently by importance, setting/tagging traffic by L2 (802.1p) or L3 (DSCP/TOS), and rate limiting traffic.

In terms of Management, things such as multiple ways to configure (using CLI, Web GUI, SNMP Management application), discovering of neighbor devices in the networks (using CDP, LLDP, Bonjour, etc), and troubleshooting capabilities (such as VLAN and Port Mirroring, Traceroute, Ping, Syslog, Cable Diagnostics, RMON, etc) are all included. What I highlighted is by no means exhaustive, but gives you a sense of what some of the differences may be between Managed and Smart Switches.

Cisco Catalyst and Cisco 300 Series and 500 Series switches are good examples of this category of products.

Managed Switches can go even further than what I’ve highlighted. For example, there’s even richer support for Dynamic Unicast and Multicast Routing protocols, deeper flow intelligence or macro flow statistics with Netflow/SFlow, non-Stop Forwarding capabilities, MPLS/VRF support, Policy enforcement, and many others.

Now, to take a deeper dive into these switch categories and talk about various options, you can select the switches based on:

– Speed

– Number of ports

– POE versus non-POE

– Stackable versus Standalone

Speed

You can find Fixed Configuration switches in Fast Ethernet (10/100 Mbps), Gigabit Ethernet (10/100/1000 Mbps), Ten Gigabit (10/100/1000/10000 Mbps) and even some 40/100 Gbps speeds. These switches have a number of uplink ports and a number of downlink ports. Downlinks connect to end users – uplinks connect to other Switches or to the network infrastructure. Currently, Gigabit is the most popular interface speed though Fast Ethernet is still widely used, especially in price-sensitive environments. Ten Gigabit has been growing rapidly, especially in the datacenter and, as the cost comes down, it will continue to expand into more network applications. With 10GBase-T Ten Gigabit copper interfaces being integrated into LOM (LAN on the Motherboard) and 10G-Base-T switches becoming available now (see the new Cisco SG500XG-8F8T 16-port 10-Gigabit switch), building a Storage or Server farm with 10 Gigabit interfaces has never been easier or more cost-effective. 40G/100G is still emerging and will be mainstream in a few years.

Number of ports

Fixed Configuration Switches typically come in 5, 8, 10, 16, 24, 28, 48, and 52-port configurations. These ports may be a combination of SFP/SFP+ slots for fiber connectivity, but more commonly they are copper ports with RJ-45 connectors on the front, allowing for distances up to 100 meters. With fiber SFP modules, you can go distances of up to 40 kilometers.

POE versus non-POE

Power over Ethernet is a capability that facilitates powering a device (such as an IP phone, IP Surveillance Camera, or Wireless Access Point) over the same cable as the data traffic. One of the advantages of PoE is the flexibility it provides in allowing you to easily place endpoints anywhere in the business, even places where it might be difficult to run a power outlet. One example is that you can place a Wireless Access Point inside a wall or ceiling.

Switches deliver power according to a few standards: IEEE 802.3af delivers up to 15.4 Watts on a switch port, whereas IEEE 802.3at (also known as PoE+) delivers up to 30 Watts on a switch port. For most endpoints, 802.3af is sufficient, but there are devices, such as video phones or access points with multiple radios, which have higher power needs. It's important to point out that other PoE standards are being developed that will deliver even higher levels of power for future applications. Switches have a power budget set aside for running the switch itself, and also an amount of power dedicated to PoE endpoints.

To find the switch that is right for you, all you need to do is choose a switch according to your power needs. When connecting to desktops or other types of devices which do not require POE, the non-POE switches are a more cost-effective option.

Stackable versus Standalone

As the network grows, you will need more switches to provide network connectivity to the growing number of devices in the network. When using Standalone switches, each switch is managed, troubleshot, and configured as an individual entity.

In contrast, Stackable switches provide a way to simplify and increase the availability of the network. Instead of configuring, managing, and troubleshooting eight 48-port switches individually, you can manage all eight like a single unit using Stackable switches. With a true Stackable switch, those eight switches (384 ports in total) function as a single switch: there is a single SNMP/RMON agent, a single Spanning Tree domain, a single CLI or web interface, i.e. a single management plane. You can also create link aggregation groups spanning multiple units in the stack, mirror traffic from one unit in the stack to another, or set up ACLs/QoS spanning all the units. There are valuable operational advantages to be gained by this approach.

Here’s a word of warning. Be careful about products in the market which are sold as “Stackable” when they merely offer a single user interface, or central management interface, for getting to each individual switch unit. This approach is not stackable, but really “clustering”. You still have to configure every feature such as ACLs, QoS, Port mirroring, etc, individually on each switch. Use the following as a proof point – can I create a link aggregation group with one port in one unit of the stack and another port of that group in another unit of the stack? Can I select a port on one unit in the stack and mirror the traffic to a port on another unit of the stack? When I configure an ACL for Security purposes, can I apply that to any port on any unit in the stack? If the answer is “No” to any of these questions, you’re probably not working with a stackable switch.

There are other advantages of True Stacking as well. You can connect the stack members in a ring such that, if a port or cable fails, the stack will automatically route around that failure, many times at microsecond speeds. You can also add or subtract stack members and have it automatically recognized and added into the stack.

Cisco Catalyst 2K-X and 3K or Cisco 500 Series Switches are examples of Switches in this category.

As you can see there’s a multitude of switch options to choose from. So, have a close look at your current deployment and future needs to determine the right switch for your network.

Guide and Review from http://blogs.cisco.com/smallbusiness/understanding-the-different-types-of-ethernet-switches


Cisco Nexus 9000 Series Switches for Classic Network Design

May 14 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Classic Three-Tier Data Center Design (The Figure)

Current Cisco Nexus Portfolio Scenarios for Transitioning to Cisco Nexus 9000 Series (The Figure)

Cisco Nexus 9000 Series switches, through their dual-mode capabilities, can be deployed as traditional switches within your existing data center network. They are ideal for small-to-medium-sized data centers, making the next generation of data center switching accessible to customers of any size. And what is the data center, and why is it so important? The data center infrastructure is central to the overall IT architecture. It is where most business-critical applications are hosted and where various types of services are provided to the business. A classic network is the typical three-tier architecture commonly deployed in many data center environments. It has distinct core, aggregation, and access layers, which together provide the foundation for any data center design.

Note: The figure above shows a classic design using the current Cisco Nexus product portfolio, including Cisco Nexus 7000 Series Switches and 2000 Series Fabric Extenders (FEXs). You can use this three-tier design to migrate to the new Cisco Nexus 9000 Series Switches.

Many types of services, primarily firewalls and load balancers, can be integrated into these designs. Careful planning is needed for a smooth migration from this type of hardware and topology combination to the new Cisco Nexus 9000 Series hardware and topology combination.

The main features of the new Cisco Nexus 9000 Series are support for FEX, virtual Port Channel (vPC), and Virtual Extensible LAN (VXLAN). The data center architecture can be deployed in a classic design in which existing design variations are supported, such as the following:

● Data center pods

● Large-scale multitier designs

● VXLAN fabric

…More about data center design and Nexus switches, including the Nexus 7000 and Nexus 9000 families, is in the full guide: http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/guide-c07-730115.pdf


User Guide: Use nProbe as NetFlow-Lite Aggregator

May 8 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Do you know how to use nProbe as a NetFlow-Lite collector? What is the problem with NetFlow-Lite? What does a typical nProbe deployment look like? And how is NetFlow-Lite supported in nProbe? In this article, we share the main information on these questions.

Problem Statement-NetFlow-Lite

• NetFlow-Lite brings visibility to switched networks.

• NetFlow-Lite exports are in v9/IPFIX format and contain packet sections.

• Legacy NetFlow collectors need additional support to understand and analyze NetFlow-Lite flows.


What is nProbe? (The Figure)

Typical nProbe Deployment (The Figure)

NetFlow-Lite Support in nProbe-01 (The Figure)

NetFlow-Lite Support in nProbe-02 (The Figure)

Final Remarks-NetFlow-Lite (The Figure)


Cisco NetFlow-Lite on the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches

May 7 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Output from Cisco NetFlow-Lite (The Figure)

Differences between Flexible NetFlow-Lite, Flexible NetFlow, and sFlow (The Figure)

We discussed the Cisco Catalyst 4948E NetFlow-Lite/NFLite before. What is the difference between NetFlow and NetFlow-Lite? NetFlow-Lite was first introduced on the Catalyst 4948E; it bridges the gap by providing a lightweight solution that captures important flow information through packet sampling, combined with the extensibility of NetFlow version 9 and IPFIX. NetFlow-Lite now brings traffic visibility to the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches for the first time.

NetFlow-Lite samples packets, classifies them into flows, and measures flow statistics as they pass through the switch. It is a true flow-based traffic-monitoring mechanism that conserves valuable forwarding bandwidth when exporting flow-based data for analysis and reporting.

The rest of this post covers the visibility it provides into traffic switched through the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches.

First, a recap of what NetFlow-Lite is used for.

NetFlow-Lite offers network administrators and engineers the following capabilities:

Unprecedented visibility: NetFlow-Lite provides real-time information about traffic flows from endpoints such as PCs, phones, IP cameras, etc. You can use this information for traffic monitoring of Layer 2 and Layer 3 traffic as well as capacity planning.

Network planning: You can use NetFlow-Lite to capture data over a long period of time so that you can understand traffic patterns, top talkers, top applications, etc. This provides accurate data to track and anticipate network growth and plan upgrades.

Simplified troubleshooting: You can use NetFlow-Lite flow-based analysis techniques to understand traffic patterns, which can help in proactively detecting problems, troubleshooting efficiently, and resolving problems quickly.

NetFlow-Lite Capabilities

NetFlow-Lite provides a granular packet-sampling mechanism, adjustable from 1:32 to 1:1022 and available on all interfaces. The implication is that only a subset of the packets passing through the switch is selected for reporting, so the byte and packet counters derived from it are estimates that the collector must scale by the sampling rate.

NetFlow-Lite on the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches has the following capabilities:

  • NetFlow-Lite is supported on all downlink and uplink ports.
  • NetFlow-Lite is natively available with no additional hardware required.
  • The sampling range is from 1:32 to 1:1022.
  • Up to 16,000 flows are measured per switch.
  • Physical ports and VLAN interfaces (switched virtual interfaces [SVI]) are supported.
  • NetFlow-Lite supports ingress flows only.
  • Export uses the standards-based IP Flow Information Export (IPFIX) or NetFlow Version 9 record format.

NetFlow-Lite Sampling Techniques

The sampling method can be random or deterministic. Random sampling chooses one packet at random out of each window of N packets (the configured sample size), whereas deterministic sampling chooses the first packet of each window. For example, with 1:32 sampling, deterministic mode would choose the 1st, 33rd, 65th, 97th, and so on packet arriving on an interface, and random mode might choose the 5th, 39th, 72nd, 103rd, and so on. Random packet sampling is statistically more accurate than deterministic sampling, because a deterministic pick always lands on the same phase of any traffic pattern aligned with the window. It is also less predictable, which matters when the flow data feeds security monitoring: a sender who knows which positions are sampled can time traffic to avoid them.
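To see the bias the passage describes, the following Python simulation (an added example, not from the original post) runs both sampler modes over a constructed packet stream whose size pattern repeats every 32 packets, then scales the sampled bytes back up the way a collector does. The deterministic sampler lands on the same phase of the pattern in every window and overestimates total bytes more than tenfold; the random sampler stays within a few percent. The packet sizes, the period and the random seed are constructed for this example.

```python
"""Random versus deterministic 1:N packet sampling, simulated.

Added example, not from the original post. It runs the two NetFlow-Lite
sampler modes described above over a constructed packet stream whose size
pattern repeats every 32 packets, the case in which picking the 1st, 33rd,
65th ... packet hits the same phase every time and the scaled-up byte count
is badly biased, while one random pick per window stays unbiased.
"""
import random

RATE = 32  # 'mode random 1 out-of 32', as in the sampler configured below


def deterministic_sample(sizes, rate=RATE):
    """Take the first packet of every window of `rate` packets."""
    return [s for i, s in enumerate(sizes) if i % rate == 0]


def random_sample(sizes, rate=RATE, seed=7):
    """Take one packet uniformly at random from every window of `rate` packets."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    out = []
    for start in range(0, len(sizes), rate):
        window = sizes[start:start + rate]
        out.append(window[rng.randrange(len(window))])
    return out


def estimate_bytes(sample, rate=RATE):
    """What a collector reports: sampled bytes scaled up by the sampling rate."""
    return sum(sample) * rate


def periodic_stream(windows, period=RATE):
    """Constructed traffic: a 1500-byte packet at the start of every period and
    64-byte packets in between, i.e. a pattern aligned with the sampler window."""
    return [1500 if i % period == 0 else 64 for i in range(windows * period)]


def compare(windows=10000):
    """Return (true bytes, deterministic estimate, random estimate)."""
    sizes = periodic_stream(windows)
    return (sum(sizes),
            estimate_bytes(deterministic_sample(sizes)),
            estimate_bytes(random_sample(sizes)))
```

compare() returns the true byte count of the stream next to both estimates; with 10000 windows the true total is 34,840,000 bytes, the deterministic estimate is 480,000,000 (every sample is the 1500-byte packet), and the random estimate lands within a few percent of the truth.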

NetFlow-Lite Configuration on the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches

The configuration takes only five steps.

Step1. Configure a Flow Record, which defines the data collection. You can customize it for specific requirements. You can use the following example with most NetFlow collectors:

flow record v4
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect transport tcp flags
 collect interface input
 collect flow sampler
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

Step2. Configure a Flow Exporter, which defines where the collected data is sent. Refer to your NetFlow collector's user guide for the specific port number, differentiated services code point (DSCP) value, and other options. Export is plain UDP with no authentication or encryption, and the records themselves reveal who talks to whom, so send them to a collector on a management network rather than across untrusted segments. The configuration follows:

flow exporter Replicator
 description Exporter to Cisco Prime 2.0
 destination 10.2.44.12
 source GigabitEthernet1/0/1
 dscp 16
 template data timeout 60
 option interface-table

Step3. Configure a Flow Monitor, which binds the flow record and exporter along with options to configure the flow cache:

flow monitor v4
 record v4
 exporter Replicator
 cache timeout active 30

Step4. Configure a Flow Sampler. Define the sampling technique and sample size. The configuration follows:

sampler v4
 mode random 1 out-of 32

Step5. Attach the Flow Monitor and Sampler to the interface:

interface GigabitEthernet1/0/1
 ip flow monitor v4 sampler v4 input
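The exporter above sends NetFlow v9 (or IPFIX) records whose layout is described only by the template the switch exports, which is why the nProbe post earlier on this page notes that legacy collectors need extra support for NetFlow-Lite. The following Python encoder/collector pair is an added example, not part of either post and not Cisco or nProbe code: it builds a v9 template FlowSet for the fields of 'flow record v4' (minus the two sys-uptime timestamps), a data FlowSet with two constructed flows, and a collector that caches templates per exporter, drops data it has no template for, and scales the sampled counters by the 1:32 rate of the sampler from step 4. The field type IDs are the standard RFC 3954 values; the flow values, addresses, sampler table and header timestamps are constructed.

```python
"""Minimal NetFlow v9 template/data encoder and collector.

Added example, not part of the original posts and not Cisco or nProbe code.
It shows what a NetFlow-Lite collector must do that a fixed-format (v5)
collector cannot: learn the record layout from a template FlowSet before any
data FlowSet can be read, and scale sampled counters by the sampler rate.
Field type IDs are the standard NetFlow v9 (RFC 3954) ones for the fields of
'flow record v4' above; flows, addresses and the sampler table are constructed.
"""
import socket
import struct

TEMPLATE_ID = 256
# (RFC 3954 field type, length in bytes) for the 'flow record v4' fields above,
# minus the two sys-uptime timestamps, left out to keep the records short.
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (6, 1),
          (10, 2), (48, 1), (1, 4), (2, 4)]
NAMES = {8: "src", 12: "dst", 7: "sport", 11: "dport", 4: "proto", 5: "tos",
         6: "tcp_flags", 10: "input_if", 48: "sampler_id", 1: "bytes", 2: "packets"}
IP_FIELDS = (8, 12)
SAMPLER_RATE = {1: 32}  # constructed: sampler id 1 is 'mode random 1 out-of 32'
SAMPLE_FLOWS = [  # constructed; counters are as exported, i.e. sampled, not scaled
    {"src": "10.2.44.50", "dst": "10.2.44.12", "sport": 51234, "dport": 443, "proto": 6,
     "tos": 0, "tcp_flags": 0x18, "input_if": 1, "sampler_id": 1, "bytes": 8375, "packets": 12},
    {"src": "10.2.44.51", "dst": "10.2.44.1", "sport": 53001, "dport": 53, "proto": 17,
     "tos": 0, "tcp_flags": 0, "input_if": 1, "sampler_id": 1, "bytes": 640, "packets": 5},
]


def encode_template_flowset():
    """FlowSet ID 0 carries templates: template id, field count, (type, length) pairs."""
    body = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    body += b"".join(struct.pack("!HH", t, n) for t, n in FIELDS)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def encode_data_flowset(flows):
    """FlowSet ID >= 256 is data, laid out exactly as the template of that ID says."""
    recs = b""
    for f in flows:
        for t, n in FIELDS:
            recs += socket.inet_aton(f[NAMES[t]]) if t in IP_FIELDS else f[NAMES[t]].to_bytes(n, "big")
    recs += b"\x00" * (-len(recs) % 4)  # FlowSets are padded to a 32-bit boundary
    return struct.pack("!HH", TEMPLATE_ID, 4 + len(recs)) + recs


def encode_packet(flowsets, count, seq, source_id=0):
    """v9 header: version, record count, sysuptime, unix secs, sequence, source id."""
    return struct.pack("!HHIIII", 9, count, 1000, 1430000000, seq, source_id) + b"".join(flowsets)


class V9Collector:
    """Caches templates per (source id, template id) and decodes data FlowSets."""

    def __init__(self):
        self.templates, self.records = {}, []
        self.dropped = 0  # data FlowSets that arrived before their template

    def feed(self, packet):
        version, _, _, _, _, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        off = 20
        while off + 4 <= len(packet):
            set_id, length = struct.unpack("!HH", packet[off:off + 4])
            if length < 4:
                raise ValueError("malformed FlowSet length")
            body = packet[off + 4:off + length]
            if set_id == 0:
                self._learn_templates(source_id, body)
            elif set_id >= 256:
                self._decode_data(source_id, set_id, body)
            off += length  # IDs 1..255 (options templates) are skipped here

    def _learn_templates(self, source_id, body):
        while len(body) >= 4:
            tid, n = struct.unpack("!HH", body[:4])
            self.templates[(source_id, tid)] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i]) for i in range(n)]
            body = body[4 + 4 * n:]

    def _decode_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if not fields:  # the failure mode of a collector without template support
            self.dropped += 1
            return
        rec_len = sum(n for _, n in fields)
        for i in range(len(body) // rec_len):  # trailing pad (< 4 bytes) is ignored
            chunk, rec = body[i * rec_len:(i + 1) * rec_len], {}
            for t, n in fields:
                raw, chunk = chunk[:n], chunk[n:]
                rec[NAMES.get(t, t)] = socket.inet_ntoa(raw) if t in IP_FIELDS else int.from_bytes(raw, "big")
            rate = SAMPLER_RATE.get(rec.get("sampler_id"), 1)
            rec["est_bytes"], rec["est_packets"] = rec.get("bytes", 0) * rate, rec.get("packets", 0) * rate
            self.records.append(rec)


def demo():
    """Data before its template is dropped; once the template arrives, records decode and scale."""
    c = V9Collector()
    c.feed(encode_packet([encode_data_flowset(SAMPLE_FLOWS)], count=2, seq=1))
    c.feed(encode_packet([encode_template_flowset(), encode_data_flowset(SAMPLE_FLOWS)], count=3, seq=2))
    return c
```

Call demo(): the first packet carries only data and is counted as dropped, because the collector has no template 256 from that source yet; the second packet carries the template first, so both flows decode, and est_bytes is the exported byte count multiplied by 32. A real collector also has to expire and refresh templates (the exporter above resends them every 60 seconds via `template data timeout 60`), which this example leaves out.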

Reference from http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-x-series-switches/solution_overview_c22-728776.html

Lists the License and Software Requirements for Cisco NetFlow-Lite (The Figure)