Blog :: NetFlow Reporting

How to Enable Cisco TrustSec NetFlow


As I was visiting customers onsite last week, a few of them asked me if we support Cisco TrustSec NetFlow exports. Of course, we do. In fact, Plixer was the first to announce Cisco TrustSec NetFlow Support.

In this blog, we will revisit the benefits and limitations of Cisco TrustSec NetFlow configuration, but let’s start with the basics.

What is Cisco TrustSec?

The short answer: it is a foundational security component of Cisco Borderless Networks. In other words, it is an architecture that tells you who and what is connecting to your network. It controls what users can do and where they can go while they are there.

Cisco TrustSec provides corporate governance for all users, devices, and IP addresses.  Each Cisco TrustSec Group is a secure network with an established domain of trusted network devices.  Every device in the domain is authenticated by its peer device. Communication on the links between devices in the domain is protected with a combination of encryption, message integrity checks, and data-path replay protection mechanisms. Cisco TrustSec policies are centrally managed by Cisco Identity Services Engine (ISE) with enforcement functions available in campus switches, data center switches, firewalls, and routers.

Among the benefits of implementing Cisco TrustSec are:

  • Highly scalable line-rate marking and policy enforcement on capable devices
  • Simplified and automated firewall and access control administration
  • Reduced ACL maintenance, complexity, and overhead

Why would you want to enable NetFlow for Cisco TrustSec?

Well, why wouldn’t you? Cisco TrustSec builds upon the existing identity-aware infrastructure by enforcing segmentation and access control policies at scale, using the capabilities detailed below. Cisco TrustSec security groups provide users access that is consistently maintained as resources move across domains.

Cisco TrustSec NetFlow reporting allows admins to monitor the traffic from and between the different groups, which is crucial in order to have a granular control of your network.

Limitations of Cisco TrustSec NetFlow Fields

You may see the security group tag (SGT) value being exported in Flexible NetFlow (FNF). It records as zero in the following cases:

  • the packet is received with an SGT value of zero from a trusted interface
  • the packet is received without an SGT
  • the SGT is not found during the IP-SGT lookup

Cisco CSR100V, ISR4400, and ASR1000 platforms support Cisco TrustSec fields only in IPv4 FNF records.

TrustSec ingress and egress NetFlow can be applied to interfaces to support:

  • Unicast traffic only
  • L2-switched traffic only
  • Multicast traffic only
  • Both unicast and multicast traffic

How to Enable Cisco TrustSec NetFlow Exports

The Cisco TrustSec NetFlow fields, source SGT, and destination security group tag (DGT) in the FNF records help administrators correlate the flow with identity information. It enables network engineers to allocate application resources, as well as detect potential security and policy violations.

The Cisco TrustSec fields can be configured in addition to the existing match fields under the flow record. To add the Cisco TrustSec flow objects to the flow record as key or non-key fields, use the following:

The match flow cts {source | destination} group-tag command specifies the Cisco TrustSec fields as key fields. This allows you to differentiate flows, with each flow having a unique set of values for the key fields.

The collect flow cts {source | destination} group-tag specifies the Cisco TrustSec fields as non-key fields. The values in non-key fields are added to flows to provide additional information about the traffic in the flows.

The next step is to configure the flow record under flow monitor. To export the FNF data, a flow exporter needs to be set up and then added under the flow monitor. Last, apply the flow monitor to the interface. For more details on how to configure Flexible NetFlow, please visit my colleague Scott’s blog.

Struggling with NetFlow exports in general? Contact support team and we will help you get things started.