
Cisco High Speed Logging Support

We had the opportunity recently to work with the engineers behind Cisco High Speed Logging, which is part of the Cisco ASR 1000 Series.  This platform delivers multiple services embedded in the Cisco QuantumFlow Processor at wire speeds from 2.5 to 200 Gbps.  The services include:

  • Security (for example, encryption and firewall)
  • Quality of service (QoS)
  • Network-Based Application Recognition (NBAR)
  • Cisco IOS® Flexible Packet Matching (FPM)
  • Broadband aggregation
  • Cisco Unified Border Element (SP Edition) (formerly called Session Border Controller, or SBC)

I was impressed to learn that Cisco high-speed logging can export up to 400K flows per second using NetFlow v9 or IPFIX!  Customers will need our virtual or hardware appliances to keep up with that kind of volume.  Check out all the new elements we saw in one of the templates from this device:

ASR High Speed Logging Export

Notice the ‘postNAT’ entries.  The ASR provides a firewall with Network Address Translation (NAT) performance details.  It also provides WAN optimization and voice features.  Take a look at all the Cisco High Speed Logging NetFlow elements listed on their web site.  Cisco includes support for NAT High Speed Logging per VRF.  If you want to set up ASR HSL NetFlow, I pulled the following sample configurations from their web site:

Enabling High-Speed Logging for Global Parameter Maps

The following example shows how to enable logging of dropped packets, and to log error messages in NetFlow Version 9 format to an external IP address:

Device# configure terminal
Device(config)# parameter-map type inspect global
Device(config-profile)# log dropped-packets
Device(config-profile)# log flow-export v9 udp destination 5000
Device(config-profile)# log flow-export template timeout-rate 5000
Device(config-profile)# end

Enabling High-Speed Logging for Firewall Actions

The following example shows how to configure high-speed logging (HSL) for inspect-type parameter-map parameter-map-hsl.

Device# configure terminal
Device(config)# parameter-map type inspect parameter-map-hsl
Device(config-profile)# audit trail on
Device(config-profile)# alert on
Device(config-profile)# one-minute high 10000
Device(config-profile)# tcp max-incomplete host 100
Device(config-profile)# exit
Device(config)# policy-map type inspect policy-map-hsl
Device(config-pmap)# class type inspect class-map-tcp
Device(config-pmap-c)# inspect parameter-map-hsl
Device(config-pmap-c)# end

After studying the 5 templates we were receiving in the capture Cisco sent us, I started creating reports for our next release.  Below is an example of one I put together that we are considering:

Cisco ASR HSL Support

Notice the new elements tcpAcknowledgementNumber, tcpControlBits and tcpSequenceNumber.  Reach out to our team if you would like to do some reporting on NAT High Speed Logging or some of the other details.
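To show what a collector has to do with the ‘postNAT’ entries mentioned above and with the tcpControlBits, tcpSequenceNumber and tcpAcknowledgementNumber elements in this template, here is an added example (my own code, not Cisco's and not taken from the ASR documentation) that decodes a NetFlow v9 export packet and indexes the NAT translations it carries. The element numbers (8, 12, 7, 11, 4, 6, 184, 185, 225, 227) are the IANA-assigned IPFIX identifiers for those fields; the exact field set and ordering of the ASR's real HSL template is not on this page, so the template below is an assumed one, and every address, port and counter in the sample packet is constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# IANA IPFIX / NetFlow v9 information element ids used by the constructed template.
ELEMENT_NAMES = {
    4: "protocolIdentifier", 6: "tcpControlBits",
    7: "sourceTransportPort", 8: "sourceIPv4Address",
    11: "destinationTransportPort", 12: "destinationIPv4Address",
    184: "tcpSequenceNumber", 185: "tcpAcknowledgementNumber",
    225: "postNATSourceIPv4Address", 227: "postNAPTSourceTransportPort",
}
IPV4_ELEMENTS = {8, 12, 225, 226}          # render these as dotted-quad strings
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
                 ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]


def decode_value(elem_id, raw):
    """Decode one field; everything is big-endian, IPv4 fields become strings."""
    if elem_id in IPV4_ELEMENTS and len(raw) == 4:
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")


def tcp_flag_names(bits):
    """Expand a tcpControlBits value into flag names, lowest bit first."""
    return [name for name, mask in TCP_FLAG_BITS if bits & mask]


def parse_netflow_v9(packet, templates=None):
    """Parse one NetFlow v9 packet. Returns (template cache, decoded data records).

    Templates are keyed by (source_id, template_id) so that a cache learned from
    an earlier packet can be passed back in: data FlowSets whose template has not
    been seen yet are skipped, which is what a real collector must do as well.
    """
    templates = dict(templates or {})
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    records, offset = [], 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("bad FlowSet length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:                     # Template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif flowset_id >= 256:                 # Data FlowSet
            fields = templates.get((source_id, flowset_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            pos = 0
            while rec_len and pos + rec_len <= len(body):   # trailing bytes = padding
                rec = {}
                for ftype, flen in fields:
                    rec[ELEMENT_NAMES.get(ftype, f"element{ftype}")] = \
                        decode_value(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        # flowset_id 1 (Options Template) and 2..255 are skipped here.
        offset += length
    return templates, records


def nat_index(records):
    """Map (public IP, public port) -> (inside IP, inside port) from postNAT fields."""
    return {(r["postNATSourceIPv4Address"], r["postNAPTSourceTransportPort"]):
            (r["sourceIPv4Address"], r["sourceTransportPort"])
            for r in records if "postNATSourceIPv4Address" in r}


def build_sample_packet(include_template=True):
    """Constructed sample packet: template 256 (assumed field set) plus two TCP records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (225, 4), (227, 2), (6, 1), (184, 4), (185, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def record(src, dst, sport, dport, proto, nat_src, nat_sport, flags, seq, ack):
        return (IPv4Address(src).packed + IPv4Address(dst).packed
                + struct.pack("!HHB", sport, dport, proto)
                + IPv4Address(nat_src).packed + struct.pack("!HB", nat_sport, flags)
                + struct.pack("!II", seq, ack))

    recs = (record("10.1.1.20", "203.0.113.10", 51000, 443, 6, "198.51.100.1", 20001, 0x02, 1000, 0)
            + record("10.1.1.21", "203.0.113.10", 51001, 443, 6, "198.51.100.1", 20002, 0x12, 2000, 1001))
    data_fs = struct.pack("!HH", 256, 4 + len(recs)) + recs
    header = struct.pack("!HHIIII", 9, 3, 123456, 1700000000, 1, 42)   # version 9, source id 42
    return header + (template_fs if include_template else b"") + data_fs


if __name__ == "__main__":
    cache, flows = parse_netflow_v9(build_sample_packet())
    for f in flows:
        print(f["sourceIPv4Address"], "->", f["postNATSourceIPv4Address"],
              f["postNAPTSourceTransportPort"], tcp_flag_names(f["tcpControlBits"]))
```

The point of keeping the template cache keyed by source id and returning it is that an ASR sends templates only every `template timeout-rate` seconds; a collector started mid-stream sees data FlowSets it cannot decode until the next template arrives, so it has to hold records or drop them rather than guess. The NAT index is the piece that makes the postNAT elements useful operationally: an external report naming a public address and port can be resolved back to the inside host and port that held that translation.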

Cisco ASR Summary

The Cisco ASR 1000 Series consists of these different versions:  the Cisco ASR 1001 Router, the Cisco ASR 1002 Fixed Router, the Cisco ASR 1002 Router, the Cisco ASR 1002-X Router, the Cisco ASR 1004 Router, the Cisco ASR 1006 Router, and the Cisco ASR 1013 Router. All models use the innovative and powerful Cisco QuantumFlow Processor, which provides a huge leap in performance and resiliency for network processors.