Datasheet

© 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 10 of 14
Of the flow monitor's several parameters, the one that most often requires customization is the “cache active
timeout,” which defines the flow-aging frequency expressed in seconds. It therefore determines the granularity of
the statistics and the minimum time available to react to a cyber security attack. It should be configured following
the collector's recommendations; in their absence, a typical setting is one minute.
Deployment with Private VLAN
As explained in the architecture section, traffic that is locally switched within the stack and does not traverse the
service module is not monitored and consequently not visible in the Flexible NetFlow records. Although locally
switched traffic is typically a small fraction of the total, this blind spot can be a concern when Flexible NetFlow is
used for cyber security or forensic purposes.
Private VLAN (PVLAN) can overcome this limitation by preventing local switching and forcing the traffic to go
through the service module ports. The solution consists of the access 3560-X switch or 3750-X stack acting as a
Layer 2 device and the distribution switch acting as the Layer 3 gateway, with local proxy Address Resolution
Protocol (ARP) enabled on the VLAN(s) used by directly connected devices.
Figure 2 is an example in which PVLAN edge (protected ports) is used. The locally switched traffic is exchanged
between two workstations in the same subnet, both connected to a stack of Cisco Catalyst 3750-X switches.
Figure 2. How to Monitor Locally Switched Traffic (Left) with Private VLAN (Right) for Layer 2 Configured Switch or Stack
The following flow record for outbound traffic shows that traffic entering the switch access port and destined to the
second workstation now goes through the service module interface and is therefore captured.
LAYER 2 DESTINATION VLAN ID: 20
DATALINK ETHERTYPE: 0x0800
MAC SOURCE ADDRESS: 0000.0400.0002
MAC DESTINATION ADDRESS: 503d.e5fb.adcb
IPV4 SOURCE ADDRESS: 11.1.10.102
IPV4 DESTINATION ADDRESS: 11.1.10.103
TRNS SOURCE PORT: 1024
TRNS DESTINATION PORT: 80
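The cache active timeout setting and the PVLAN edge deployment described above, as an added configuration example (not taken from the datasheet): interface names, the collector address 192.0.2.10, the VLAN 20 gateway address and the exact set of record fields are assumptions, as is applying the monitor on the service module's TenGigabitEthernet interface.

```ios
! --- Access switch: Catalyst 3750-X stack, Layer 2 only (added example) ---
! Record fields chosen to reproduce the flow shown in the text (assumed set)
flow record FNF-RECORD
 match datalink mac source address input
 match datalink mac destination address input
 match datalink ethertype
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
!
! Collector address and port are placeholders
flow exporter FNF-EXPORTER
 destination 192.0.2.10
 transport udp 2055
!
! One-minute flow aging: the typical setting when the collector gives none
flow monitor FNF-MONITOR
 record FNF-RECORD
 exporter FNF-EXPORTER
 cache timeout active 60
!
! Workstation ports are PVLAN edge (protected), so two workstations in
! VLAN 20 cannot be switched locally and must reach each other via the gateway
interface range GigabitEthernet1/0/1 - 2
 switchport mode access
 switchport access vlan 20
 switchport protected
!
! Monitor attached to the service module interface (assumed interface name),
! which now carries the traffic that was previously switched locally
interface TenGigabitEthernet1/1/1
 ip flow monitor FNF-MONITOR input
!
! --- Distribution switch: Layer 3 gateway for VLAN 20 (added example) ---
! Local proxy ARP answers ARP requests for same-subnet hosts, so the
! workstation-to-workstation flow is routed through the gateway and seen by the monitor
interface Vlan20
 ip address 11.1.10.1 255.255.255.0
 ip local-proxy-arp
```

With the protected ports in place, the workstation-to-workstation flow from 11.1.10.102 to 11.1.10.103 appears in the monitor cache with the gateway's MAC address as the Layer 2 destination, as in the record above.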