Cisco AVC IPFIX Support

As you can probably tell from the title, Cisco AVC IPFIX support is all of the rage now. With all kinds of new elements that can be exported and measured, why wouldn’t anyone want to send this to their NetFlow monitoring tool? One thing I have noticed working in support is that the more information and visibility we have across the network the easier it is to troubleshoot issues or combat a network threat. We have already seen some of the ways that network threat detection can be mitigated using IPFIX and AVC, and this blog will cover some of the new features of Cisco AVC MACE.

Cisco AVC now supports MACE metrics (Measurement, Aggregation and Correlation Engine). MACE offers some great information about what is happening on your network. Cisco MACE reporting offers ART (Application Response Time) and tons of new collect commands for monitoring IPv6 flows. This blog will be covering the setup and configuration for exporting Cisco MACE (specifically, ART)

The ART engine saves some data from each packet and performs the necessary calculations; then aggregates the flows based on the following layer 7 information:

• Destination address
• Destination port
• Layer 4 protocol
• Segment ID
• Source address

Configuring Cisco MACE reporting on an Interface:

To configure MACE on an interface we will first need to configure a flow record to collect all of the new MACE statistics.

Router: conf t

Router(conf): flow record type mace Flow_Record

Router(Flow_Record): collect art all

Router(Flow_Record): collect application name

Router(Flow_Record): collect counter client bytes

Router(Flow_Record):collect counter server bytes

Router(Flow_Record): collect counter client packets

Router(Flow_Record): collect application http host

Router(Flow_Record): collect application http url statistics

Router(Flow_Record): collect policy qos classification hierarchy

Router(Flow_Record): collect policy qos queue drops

Router(Flow_Record): collect time inter-packet-gap histogram

Router(Flow_Record): collect time inter-packet-gap

After the flow record has been created we need to create a flow exporter:

Router(conf): flow exporter Flow_Exporter

Router(Flow_Exporter): export-protocol ipfix

Router(Flow_Exporter): option application-attributes

Router(Flow_Exporter): option sub-application-table

Router(Flow_Exporter): option class-qos-table

Router(Flow_Exporter): option policy-qos-table

Router(Flow_Exporter): destination Ip-address (Netflow Collector server)

Next we  need to configure the flow monitor to use our flow record and flow exporter that we just created:

Router(Conf): flow monitor type mace Mace_Monitor

Router(Mace_Mon): record Flow_Record

Router(Mace_Mon): exporter Flow_Exporter

Configure a class map name:

Router(conf): class-map type waas Class_Map_Mace

Configure a policy map and class name:

Router(conf): policy-map type mace Policy_Mace

Router(policy): class Class_Map_Mace

Router(policy): flow monitor Mace_Monitor

Exit

Exit

Router(conf): interface type-number [name-tag]

Router(int): mace enable

End

And there you have it, you now have MACE enabled on an interface and can start doing some Cisco MACE reporting in your NetFlow analysis tool. For more information on this configuration and a complete list of all of the different Cisco AVC  MACE exports, see this Cisco document on configuring Cisco AVC MACE reporting. If you need any help in configuring your device to export Cisco AVC MACE metrics or need any other support please feel free to let us know!