As you can probably tell from the title, Cisco AVC IPFIX support is all of the rage now. With all kinds of new elements that can be exported and measured, why wouldn’t anyone want to send this to their NetFlow monitoring tool? One thing I have noticed working in support is that the more information and visibility we have across the network the easier it is to troubleshoot issues or combat a network threat. We have already seen some of the ways that network threat detection can be mitigated using IPFIX and AVC, and this blog will cover some of the new features of Cisco AVC MACE.

Cisco AVC IPFIX Support

Cisco AVC now supports MACE metrics (Measurement, Aggregation and Correlation Engine). MACE offers some great information about what is happening on your network. Cisco MACE reporting offers ART (Application Response Time) and tons of new collect commands for monitoring IPv6 flows. This blog will be covering the setup and configuration for exporting Cisco MACE (specifically, ART)

The ART engine saves some data from each packet and performs the necessary calculations; then aggregates the flows based on the following layer 7 information:

  • Destination address
  • Destination port
  • Layer 4 protocol
  • Segment ID
  • Source address

Configuring Cisco MACE reporting on an Interface:

IPFIX Support

 

To configure MACE on an interface we will first need to configure a flow record to collect all of the new MACE statistics.

Router: conf t

Router(conf): flow record type mace Flow_Record

Router(Flow_Record): collect art all

Router(Flow_Record): collect application name

Router(Flow_Record): collect counter client bytes

Router(Flow_Record):collect counter server bytes

Router(Flow_Record): collect counter client packets

Router(Flow_Record): collect application http host

Router(Flow_Record): collect application http url statistics

Router(Flow_Record): collect policy qos classification hierarchy

Router(Flow_Record): collect policy qos queue drops

Router(Flow_Record): collect time inter-packet-gap histogram

Router(Flow_Record): collect time inter-packet-gap

 

After the flow record has been created we need to create a flow exporter:

Router(conf): flow exporter Flow_Exporter

Router(Flow_Exporter): export-protocol ipfix

Router(Flow_Exporter): option application-attributes

Router(Flow_Exporter): option sub-application-table

Router(Flow_Exporter): option class-qos-table

Router(Flow_Exporter): option policy-qos-table

Router(Flow_Exporter): destination Ip-address (Netflow Collector server)

 

Next we  need to configure the flow monitor to use our flow record and flow exporter that we just created:

Router(Conf): flow monitor type mace Mace_Monitor

Router(Mace_Mon): record Flow_Record

Router(Mace_Mon): exporter Flow_Exporter

 

Configure a class map name:

Router(conf): class-map type waas Class_Map_Mace

 

Configure a policy map and class name:

Router(conf): policy-map type mace Policy_Mace

Router(policy): class Class_Map_Mace

Router(policy): flow monitor Mace_Monitor

Exit

Exit

Router(conf): interface type-number [name-tag]

Router(int): mace enable

End

 

And there you have it, you now have MACE enabled on an interface and can start doing some Cisco MACE reporting in your NetFlow analysis tool. For more information on this configuration and a complete list of all of the different Cisco AVC  MACE exports, see this Cisco document on configuring Cisco AVC MACE reporting. If you need any help in configuring your device to export Cisco AVC MACE metrics or need any other support please feel free to let us know!

Jake Bergeron author pic

Jake

Jake Bergeron is currently one of Plixer's Sr. Solutions Engineers - He is currently responsible for providing customers with onsite training and configurations to make sure that Scrutinizer is setup to their need. Previously he was responsible for teaching Plixer's Advanced NetFlow Training / Malware Response Training. When he's not learning more about NetFlow and Malware detection he also enjoys Fishing and Hiking.

Related

Leave a Reply