13.48 Netflow Input Filters - Clarification on ACL

Guys,

Task says "modify R6's netflow sampling so that every packet is sampled for sources on VLAN 146"

SG uses following solution:
ip access-l ext VLAN146
 permit ip 155.1.146.0 0.0.0.255 any
 permit ip any 155.1.146.0 0.0.0.255

class-map VLAN146
 match access-group name VLAN146

flow-sampler-map NORMAL
 mode random one-out-of 1

policy-map NETFLOW_MAP
 class VLAN146
  netflow-sampler NORMAL

In this case, not only will sources from VLAN 146 be sampled for every packet, but all traffic destined to VLAN 146 as well, right?

TIA

Comments

  • SG uses following solution:
    ip access-l ext VLAN146
     permit ip 155.1.146.0 0.0.0.255 any
     permit ip any 155.1.146.0 0.0.0.255

    This access-list matches both source 155.1.146.0 and destination 155.1.146.0.

    I simulated the same example:

    R1#show access-list
    Extended IP access list 100
        10 permit ip 10.10.10.0 0.0.0.255 any
        20 permit ip any 10.10.10.0 0.0.0.255
    !

    R3#ping 10.10.10.10 re 3
    R1#show flow-sampler

     Sampler : TEST, id : 1, packets matched : 190, mode : random sampling mode
      sampling interval is : 3
    !

    R1#telnet 30.30.30.30 /source-interface lo0
    Trying 30.30.30.30 ... Open

    User Access Verification

    Password:
    R3>exit

    [Connection to 30.30.30.30 closed by foreign host]
    R1#show flow-sampler

     Sampler : TEST, id : 1, packets matched : 202, mode : random sampling mode
      sampling interval is : 3

    HAPPY STUDY

    [:D]

  • So is the SG ACL correct or not? I only matched traffic FROM VL146 :)

  • The SG says to modify the existing one. Therefore take into account this piece of config:

    flow-sampler-map SAMPLER
     mode random one-out-of 10
    !
    policy-map NETFLOW_MAP
     class class-default
      netflow-sampler SAMPLER

    Therefore, including the new piece of config:

    policy-map NETFLOW_MAP
     class VLAN146
      netflow-sampler NORMAL

    This class will be put before class-default and therefore it will match.

    I tried it first with a standard ACL, though this doesn't work. So be warned [:)]
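To make the two points in this thread concrete (the SG's ACL matches both directions, and the VLAN146 class sits before class-default so it is tried first), here is an added Python model of how IOS evaluates the extended ACL and the NETFLOW_MAP policy-map for a given packet. This is not the SG's code or anything from the original post; it reproduces the addresses and names from the thread (155.1.146.0/24, NORMAL, SAMPLER, NETFLOW_MAP) and the sample flow endpoints are constructed for illustration. It also compares the SG ACL against the source-only ACL one commenter used, so you can see which flows fall through to class-default and get the one-out-of-10 sampler instead.

```python
"""Model of how the NETFLOW_MAP policy in the thread classifies packets.

Added example, not the SG's or the original poster's config. It models two
IOS behaviours the thread relies on: an extended ACL is evaluated top-down,
first match wins, with an implicit deny at the end; a policy-map tries its
classes in order, with class-default as the catch-all at the end.
Sample packet addresses below are constructed for illustration.
"""
import ipaddress
from typing import List, Optional, Tuple

# (action, source spec, destination spec), spec is "network wildcard" or "any"
AclEntry = Tuple[str, str, str]
# (class name, ACL or None for class-default, sampler name)
PolicyClass = Tuple[str, Optional[List[AclEntry]], str]

# Samplers as configured in the thread: "mode random one-out-of N"
SAMPLERS = {"SAMPLER": 10, "NORMAL": 1}

# The SG's extended ACL: traffic from VLAN 146 and traffic to VLAN 146
ACL_SG: List[AclEntry] = [
    ("permit", "155.1.146.0 0.0.0.255", "any"),
    ("permit", "any", "155.1.146.0 0.0.0.255"),
]

# Source-only ACL, as one commenter used (constructed from the task wording)
ACL_SOURCE_ONLY: List[AclEntry] = [
    ("permit", "155.1.146.0 0.0.0.255", "any"),
]


def wildcard_match(addr: str, spec: str) -> bool:
    """Match an address against an IOS 'network wildcard' pair or 'any'.

    In a wildcard mask a 1 bit means 'do not care', the inverse of a subnet mask.
    """
    if spec == "any":
        return True
    network, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(network)) & care
    )


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    for action, src_spec, dst_spec in acl:
        if wildcard_match(src, src_spec) and wildcard_match(dst, dst_spec):
            return action == "permit"
    return False


def build_policy(extra_classes: List[PolicyClass]) -> List[PolicyClass]:
    """Existing NETFLOW_MAP from the thread plus the added classes.

    User-defined classes always sit before class-default, which is why the
    new VLAN146 class is tried first and class-default only catches the rest.
    """
    return extra_classes + [("class-default", None, "SAMPLER")]


def classify(policy: List[PolicyClass], src: str, dst: str) -> Tuple[str, int]:
    """Return (class name, sampling interval) for a packet, first match wins."""
    for name, acl, sampler in policy:
        if acl is None or acl_permits(acl, src, dst):
            return name, SAMPLERS[sampler]
    raise AssertionError("class-default should always match")


def compare(src: str, dst: str) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """Classify one packet under the SG ACL and under the source-only ACL."""
    sg = build_policy([("VLAN146", ACL_SG, "NORMAL")])
    source_only = build_policy([("VLAN146", ACL_SOURCE_ONLY, "NORMAL")])
    return classify(sg, src, dst), classify(source_only, src, dst)


if __name__ == "__main__":
    # Constructed sample flows: from VLAN 146, to VLAN 146, and unrelated
    for src, dst in [("155.1.146.6", "155.1.1.1"),
                     ("155.1.1.1", "155.1.146.6"),
                     ("10.0.0.1", "10.0.0.2")]:
        with_sg, with_src_only = compare(src, dst)
        print(f"{src} -> {dst}: SG ACL {with_sg}, source-only ACL {with_src_only}")
```

Running it shows the answer to the original question: a packet sent to VLAN 146 from elsewhere hits the SG's second ACL line and is sampled one-out-of-1 under class VLAN146, whereas with the source-only ACL it falls through to class-default and keeps the one-out-of-10 SAMPLER.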
