CCNA CyberOps SECOPS – Objective 2.3

Reading Time: 1 minute

Identify the elements from a NetFlow v5 record from a security event

Implementing Cisco Cybersecurity Operations (210-255)

When it comes to Netflow, the 5-tuple is king. Be sure to know the 5-tuple.

Source IP AddressDestination IP AddressSource PortDestination PortProtocol
10.1.1.2192.168.1.323343443TCP
10.1.3.3192.168.3.24323253UDP
192.168.4.5172.16.3.23232125TCP

Beyond the 5-tuple, Netflow v9 and IPFIX (Industry Standard) allow for many other attributes to be recorded.

IOS-XE Configuration of Netflow

flow exporter MY_FLOW_EXPORTER 
  description Netflow Exporter Example
  destination mynetflowcollector.contoso.com
  export-protocol netflow-v9
  transport udp 2205 
  exit 
flow monitor MY_NETFLOW_MONITOR 
  exporter MY_FLOW_EXPORTER
int GigabitEthernet1/0/1
  ip flow monitor MY_NETFLOW_MONITOR input
  ip flow monitor MY_NETFLOW_MONITOR output