day 5 - Coggle Diagram
Netflow
aggregate
based on the same source BGP AS number and the same destination BGP AS number
this is the autonomous system (AS) aggregation scheme
based on the same destination prefix/mask, the same destination BGP AS number and the same outbound interface
destination prefix aggregate
prefix aggregate
based on the same source prefix, the same destination prefix, and the same source and destination BGP AS numbers
Protocol port prefix
based on the same protocol, the same source port number and the same destination port number
source prefix
based on the same source prefix, the same source BGP AS number and the same input interface
lab
flow record
must have at least one match criterion (key field) so that each flow is unique
collect specifies which statistics to gather for the flow
flow timeout default timers
Active flow timeout: 1800 seconds
Inactive flow timeout: 15 seconds
long flow
NetFlow records are exported for long-lived flows (e.g. a large FTP transfer) before the flow ends. An active timeout of 1 minute is recommended; it is configured in minutes on IOS and in seconds on MLS and NX-OS.
flexible netflow
can define flows based on MPLS, BGP, multicast or IPv6 fields
the match conditions (key fields) can be customized
traditional versus flexible
left-hand side of the slide shows traditional NetFlow capturing 7 parameters
right-hand side shows Flexible NetFlow customized down to 4 parameters
URL
https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/Cisco_NetFlow_Configuration.pdf
How Does the Router or Switch Determine Which Flows to Export to the NetFlow Collector Server?
A flow is ready for export when it has been inactive for a certain time (i.e. no new packets received for the flow), or when the flow is long-lived (active) and lasts longer than the active timer (e.g. a long FTP download). A flow is also ready for export when a TCP flag indicates the flow is terminated (i.e. FIN or RST flag).
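The three export triggers above (inactive timeout, active timeout, TCP FIN/RST), together with the default timers of 1800 s and 15 s from the notes, as an added simulation that is not part of the original notes or any Cisco code. The 7-tuple flow key, the class names and the export reasons are assumptions made for this example; on a real router the timer scan is periodic rather than per packet.

```python
from dataclasses import dataclass

# IOS default flow timeouts from the notes above (seconds).
ACTIVE_TIMEOUT = 1800
INACTIVE_TIMEOUT = 15
TCP_FIN, TCP_RST = 0x01, 0x04


@dataclass
class Flow:
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    """Hypothetical router flow cache keyed on the traditional 7-tuple
    (src IP, dst IP, src port, dst port, protocol, ToS, input ifindex)."""

    def __init__(self):
        self.flows = {}      # key -> Flow
        self.exported = []   # (key, Flow, reason) records sent to the collector

    def _export(self, key, reason):
        self.exported.append((key, self.flows.pop(key), reason))

    def expire(self, now):
        """Timer scan: inactive flows first, then long-lived (active) ones.
        An active-timeout export removes the entry; the next packet of the
        same conversation starts a fresh record, so a long FTP transfer
        reaches the collector as a series of records."""
        for key, flow in list(self.flows.items()):
            if now - flow.last_seen >= INACTIVE_TIMEOUT:
                self._export(key, "inactive")
            elif now - flow.first_seen >= ACTIVE_TIMEOUT:
                self._export(key, "active")

    def packet(self, ts, src, dst, sport, dport, proto, tos, ifindex, size, tcp_flags=0):
        self.expire(ts)
        key = (src, dst, sport, dport, proto, tos, ifindex)
        flow = self.flows.get(key)
        if flow is None:
            flow = self.flows[key] = Flow(first_seen=ts, last_seen=ts)
        flow.last_seen = ts
        flow.packets += 1
        flow.octets += size
        # A FIN or RST ends the TCP conversation, so the record exports at once.
        if proto == 6 and tcp_flags & (TCP_FIN | TCP_RST):
            self._export(key, "tcp-terminated")
```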
bandwidth consumption
https://community.helpsystems.com/es/forums/intermapper/intermapper-flows/0ec7a7fe-21cb-48a4-954d-3f531b87cd3e
NetFlow export consumes about 2 % of total traffic
3 password types
scrypt
most secure
type 9
uses scrypt as the hashing algorithm
SHA256
SHA-256 is designed to detect changes in the original data, not for storing passwords
secret
Type 5
this means the password is stored hashed with MD5 when the router writes it to the running/startup config files
which tools like Cain can crack, though it takes a long time
enable password with service password-encryption (not in slide)
type 7 is based on a Vigenère cipher and is easily reversed
EEM
None—The none event detector publishes an event when the Cisco IOS event manager run command executes an EEM policy
Application-Specific—The application-specific event detector allows any Embedded Event Manager policy to publish an event.
event manager run command
see the first example in the URL below
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/eem/command/eem-cr-book/eem-cr-e1.html
Applet and Tcl
Applets are a collection of CLI commands
Scripts are actions coded in Tcl (an interpreted language)
packet capture tool
embedded packet capture (on router)
Once the data is captured, it can be examined
In addition, the data can be exported as a packet capture (PCAP) file to allow for further examination
supported on all IOS and IOS XE routers
packets are stored within a buffer in DRAM and are thus not persistent through a reload.
Mini protocol analyzer
captures traffic from a SPAN session and stores it in local buffer memory
Available in 7600, 6500 & ME6500
format is libpcap-based and can be read by many sniffer programs
embedded Wireshark (on switch)
Available in Catalyst 4500 and 3850
the IP Base image supports this feature
monitor capture {capture-name} {interface interface-type interface-id | control-plane} {in | out | both}
Packets captured in the output direction of an interface might not reflect the changes made by the device rewrite (including TTL, VLAN tag, CoS, checksum, MAC addresses, DSCP, precedence, UP, etc.).
IP SLA
Cisco proprietary protocol
uses UDP port 1967 for control messages
COPP
more manageable?
because it can run on a switch
slow data plane path
slow-path processing (i.e., the software processing path)
ERSPAN
source IP and destination IP are host IPs, not the switch IP
show platform command
Cisco does not document the meaning of its output