1
00:00:07,740 --> 00:00:10,420
- [Tutor] You can enable NetFlow on network devices

2
00:00:10,420 --> 00:00:12,370
at all layers of the network,

3
00:00:12,370 --> 00:00:15,350
to record and analyze all network traffic,

4
00:00:15,350 --> 00:00:18,500
and identify threats such as malware

5
00:00:18,500 --> 00:00:20,170
that could be spreading laterally

6
00:00:20,170 --> 00:00:22,120
through the internal network.

7
00:00:22,120 --> 00:00:25,530
In other words, malware that spreads between adjacent hosts

8
00:00:25,530 --> 00:00:26,880
in the network.

9
00:00:26,880 --> 00:00:30,150
Note that as a best practice, NetFlow should be enabled

10
00:00:30,150 --> 00:00:33,410
as close to the access layer as possible.

11
00:00:33,410 --> 00:00:37,670
This means the user access layer, data center access layer,

12
00:00:37,670 --> 00:00:40,020
and VPN terminal points.

13
00:00:40,020 --> 00:00:43,240
Another best practice is that all NetFlow records

14
00:00:43,240 --> 00:00:48,000
belonging to a flow should be sent to the same collector.

15
00:00:48,000 --> 00:00:51,470
You can also deploy NetFlow in the internet edge

16
00:00:51,470 --> 00:00:54,150
to see what traffic is knocking on your door,

17
00:00:54,150 --> 00:00:56,240
and what is leaving your network.

18
00:00:56,240 --> 00:00:59,560
The Cisco ASR 1000 series routers

19
00:00:59,560 --> 00:01:02,800
provide multi-gigabit performance

20
00:01:02,800 --> 00:01:06,450
to meet the requirements for internet gateway functions

21
00:01:06,450 --> 00:01:08,810
for medium and large organizations.

22
00:01:08,810 --> 00:01:11,720
The architecture of the Cisco ASRs

23
00:01:11,720 --> 00:01:15,180
includes the Cisco QuantumFlow Processor

24
00:01:15,180 --> 00:01:18,630
that provides a lot of high-performance features

25
00:01:18,630 --> 00:01:21,450
such as application layer gateways,

26
00:01:21,450 --> 00:01:24,210
all layer four and layer seven

27
00:01:24,210 --> 00:01:26,820
zone-based firewall session processing,

28
00:01:26,820 --> 00:01:31,820
high-speed NAT and firewall translation logging,

29
00:01:32,070 --> 00:01:34,390
as well as NetFlow Event Logging.

30
00:01:34,390 --> 00:01:38,320
NetFlow Event Logging, otherwise known as NEL,

31
00:01:38,320 --> 00:01:41,020
uses NetFlow version nine templates

32
00:01:41,020 --> 00:01:45,490
to log binary syslog to NEL collectors,

33
00:01:45,490 --> 00:01:50,490
allowing not only the use of NAT at multi-gigabit rates,

34
00:01:51,220 --> 00:01:53,760
but also the ability to record NAT

35
00:01:53,760 --> 00:01:56,560
and firewall session creation

36
00:01:56,560 --> 00:01:59,940
and teardown records at very high speeds.

37
00:01:59,940 --> 00:02:01,840
So let's jump in.

38
00:02:01,840 --> 00:02:05,613
First, we log into our switch and enter the enable command.

39
00:02:07,501 --> 00:02:10,033
Then we enter configuration mode.

40
00:02:12,310 --> 00:02:15,713
The first thing we're going to do is create a flow record.

41
00:02:16,990 --> 00:02:20,253
We can add an optional description here as well.

42
00:02:21,560 --> 00:02:25,790
Next, we need to configure the key fields for the flow

43
00:02:25,790 --> 00:02:28,380
using the match command,

44
00:02:28,380 --> 00:02:31,780
and the non-key fields using the collect command.

45
00:02:31,780 --> 00:02:33,400
I'll speed this video up

46
00:02:33,400 --> 00:02:35,800
as there are a number of commands to enter here.

47
00:02:36,870 --> 00:02:39,080
Once we finish up adding these commands

48
00:02:39,080 --> 00:02:41,510
to the flow record configuration,

49
00:02:41,510 --> 00:02:45,300
we will move on to configure the flow exporter

50
00:02:45,300 --> 00:02:48,030
with the flow exporter command.

51
00:02:48,030 --> 00:02:51,000
In this, we will define the destination

52
00:02:51,000 --> 00:02:53,980
of our NetFlow Exporter.

53
00:02:53,980 --> 00:02:57,590
From here, we move on to configure the flow monitor.

54
00:02:57,590 --> 00:03:02,290
Here, we define the flow record and exporter we created,

55
00:03:02,290 --> 00:03:05,150
and we also set a cache timeout.

56
00:03:05,150 --> 00:03:08,473
Finally, we will apply the flow monitor to an interface.