Getting NetFlow working on our Cisco ASA 5510 was a little more difficult than anticipated. It turns out you not only need to designate the IP and port to send the NetFlow information to, but you also need to match the traffic you want exported (an access-list and a class-map) and attach the flow-export action to the global service policy; without that policy entry, the ASA never sends any records.
(config)# flow-export destination inside <IP address> <port>
(config)# logging flow-export-syslogs disable
(config)# access-list netflow-export extended permit ip any any
(config)# class-map netflow-export-class
(config-cmap)# match access-list netflow-export
(config)# policy-map global_policy
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type all destination <IP address>
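Once the service policy is in place, the quickest way to confirm the ASA is actually exporting is to watch the collector port yourself rather than wait for PRTG to show data. The script below is an added example, not part of the original post or of any Cisco or PRTG tooling: it parses the NetFlow v9 header that ASA NSEL uses (version, record count, sequence number, source ID) and lists the template and data FlowSets in each packet, so you can tell whether templates have arrived yet (data records are useless to a collector until they have). The sample packet is constructed inline for offline testing; the listener port, bind address and template ID 256 are assumptions.

```python
"""Minimal NetFlow v9 (ASA NSEL) packet summariser for checking that an
export destination is actually receiving records. Added example; not from
the original post or from Cisco/PRTG."""
import socket
import struct
from dataclasses import dataclass, field
from typing import List

NETFLOW_V9 = 9
HEADER_FMT = "!HHIIII"  # version, count, sysUptime(ms), unixSecs, sequence, sourceId
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20 bytes


@dataclass
class FlowSetSummary:
    flowset_id: int
    length: int
    kind: str                      # "template", "options-template" or "data"
    template_ids: List[int] = field(default_factory=list)


@dataclass
class NetFlowPacket:
    version: int
    count: int
    sys_uptime_ms: int
    unix_secs: int
    sequence: int
    source_id: int
    flowsets: List[FlowSetSummary]


def parse_template_ids(body: bytes) -> List[int]:
    """Walk a template FlowSet body: repeated (templateId, fieldCount,
    fieldCount * (type, length)). Trailing padding (<4 bytes) is ignored."""
    ids, off = [], 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack("!HH", body[off:off + 4])
        off += 4 + 4 * nfields
        if off > len(body):
            raise ValueError("template record overruns FlowSet")
        ids.append(tid)
    return ids


def parse_v9_packet(data: bytes) -> NetFlowPacket:
    """Parse the v9 header and summarise each FlowSet without decoding records."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than NetFlow v9 header")
    version, count, uptime, secs, seq, src = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != NETFLOW_V9:
        raise ValueError(f"unexpected NetFlow version {version} (ASA NSEL uses 9)")
    flowsets, off = [], HEADER_LEN
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[off:off + 4])
        if fs_len < 4 or off + fs_len > len(data):
            raise ValueError("FlowSet length out of bounds")
        body = data[off + 4:off + fs_len]
        if fs_id == 0:
            summary = FlowSetSummary(fs_id, fs_len, "template", parse_template_ids(body))
        elif fs_id == 1:
            summary = FlowSetSummary(fs_id, fs_len, "options-template")
        else:
            # IDs >= 256 are data FlowSets; the ID names the template that decodes them.
            summary = FlowSetSummary(fs_id, fs_len, "data", [fs_id])
        flowsets.append(summary)
        off += fs_len
    return NetFlowPacket(version, count, uptime, secs, seq, src, flowsets)


# Constructed sample: header + one template (ID 256: IPv4 src/dst, field types 8 and 12)
# + one data FlowSet carrying a single 8-byte record. Not a real ASA capture.
SAMPLE_PACKET = (
    struct.pack(HEADER_FMT, 9, 2, 123456, 1700000000, 1, 0)
    + struct.pack("!HH", 0, 16) + struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)
    + struct.pack("!HH", 256, 12)
    + socket.inet_aton("10.0.0.1") + socket.inet_aton("192.168.1.10")
)


def listen(bind_ip: str = "0.0.0.0", port: int = 2055, max_packets: int = 5,
           timeout_s: float = 30.0) -> int:
    """Bind the collector port and print a summary per packet; returns packets seen.
    Port 2055 and the bind address are assumptions: use the values from flow-export."""
    seen = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout_s)
        s.bind((bind_ip, port))
        try:
            while seen < max_packets:
                data, peer = s.recvfrom(65535)
                pkt = parse_v9_packet(data)
                seen += 1
                print(f"{peer[0]} seq={pkt.sequence} src_id={pkt.source_id} "
                      f"records={pkt.count} flowsets="
                      + ", ".join(f"{f.kind}:{f.template_ids}" for f in pkt.flowsets))
        except socket.timeout:
            print("no NetFlow packets received: check the service policy on the ASA")
    return seen


if __name__ == "__main__":
    print(parse_v9_packet(SAMPLE_PACKET))
    listen()
```

If packets arrive but every one lists only data FlowSets, the collector is still waiting on a template refresh; if nothing arrives within the timeout, the problem is on the ASA side (typically the missing class/policy-map entry above), not in PRTG.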
What's nice is that PRTG can accept NetFlow traffic from an ASA and give you some nice data from it, including top talkers. As an aside, PRTG is great software and an incredible value. For monitoring, PRTG does a bit of everything and does it really well.