6 Replies Latest reply on May 10, 2010 1:15 PM by chris.lapoint

    NetFlow alert?

    sotherls

      Is it possible to create an alert if a conversation is detected from or to a certain country or countries?

        • Re: NetFlow alert?
          chris.lapoint

          Not currently, but there is already work underway on building out the infrastructure to support flow-based alerting in a performance-friendly way.

          Can you describe exactly how you'd like to set up the alert so I can capture this use-case?   For example, would you want to specify a particular source node or interface?

            • Re: NetFlow alert?
              sotherls

              I know this is a narrow-minded use-case but there are certain countries that our sites should NOT be communicating with. If one of these countries is detected by NetFlow I want to be able to send an email alert, ring bells, spin around and make the sun rise.

              Is that enough or do you need more?

                • Re: NetFlow alert?
                  chris.lapoint

                  Nope, that's perfect.  

                  BTW, making the sun rise might be a challenge, but I'll make sure dev at least looks at it.

                    • Re: NetFlow alert?
                      Donald_Francis

                      Having NetFlow variables in other alerts would be awesome too.

                       

                      I.e., if an alert goes out for high utilization on a circuit, you could insert a variable for the NetFlow top talkers on it.

                        • Re: NetFlow alert?

                          It may be possible to set this up in other ways depending on what network devices you have in your architecture?


                          If you know the address space of the country in question (which you can get from IANA and the like), it should be relatively straightforward on Cisco devices to create, say, a policy map to DSCP-flag this traffic (and you can then set Orion flow analyser to look for the class).


                          If you use CS1 as a class, most people don't use the scavenger class on their network.   You could have reports or threshold alerts generated based on the CS1 flags on your enterprise edge.

                          Alternatively, you could create a permit log ACL and have syslog spew out a statement for every log match and set up alerts on the inbound syslog?

                           

                          Granted it's not as neat as having Orion do it for you but while they are devving something there are certainly potential options?
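The syslog approach suggested in the reply above, sketched as an added example that is not part of the original thread or of Orion: it parses Cisco IOS `%SEC-6-IPACCESSLOGP` lines produced by a `permit ... log` ACL and reports any flow whose source or destination falls in a watched address block. The ACL name `GEO-WATCH`, the country labels, the prefixes (documentation ranges used as placeholders) and the sample log lines are all constructed assumptions.

```python
import ipaddress
import re

# Constructed placeholder prefixes (RFC 5737 documentation ranges) standing in
# for a country's address space; real allocations come from registry data.
WATCHED_PREFIXES = {
    "COUNTRY-A": ["203.0.113.0/24"],
    "COUNTRY-B": ["198.51.100.0/25"],
}
NETWORKS = [(label, ipaddress.ip_network(cidr))
            for label, cidrs in WATCHED_PREFIXES.items() for cidr in cidrs]

# Cisco IOS ACL hit for TCP/UDP: "list NAME permitted tcp a.b.c.d(p) -> e.f.g.h(q), N packet(s)"
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog input (hostnames, addresses and ACL name are made up).
SAMPLE = [
    "May 10 13:15:02 edge-rtr 101: %SEC-6-IPACCESSLOGP: list GEO-WATCH permitted tcp 10.1.1.5(51234) -> 203.0.113.7(443), 1 packet",
    "May 10 13:15:09 edge-rtr 102: %SEC-6-IPACCESSLOGP: list GEO-WATCH permitted udp 198.51.100.20(53) -> 10.1.1.9(40000), 3 packets",
    "May 10 13:15:11 edge-rtr 103: %SEC-6-IPACCESSLOGP: list GEO-WATCH permitted tcp 10.1.1.5(51240) -> 198.51.100.200(80), 1 packet",
    "May 10 13:15:12 edge-rtr 104: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
]

def classify(ip_text):
    """Return the watched label whose prefix covers ip_text, or None."""
    ip = ipaddress.ip_address(ip_text)
    for label, net in NETWORKS:
        if ip in net:
            return label
    return None

def alerts_from_syslog(lines):
    """Return one alert dict per ACL log line endpoint inside a watched prefix."""
    alerts = []
    for line in lines:
        m = ACL_LOG.search(line)
        if not m:
            continue  # not an ACL hit, or a message format not covered here
        for direction, field in (("from", "src"), ("to", "dst")):
            label = classify(m[field])
            if label:
                alerts.append({"country": label, "direction": direction,
                               "peer": m[field], "proto": m["proto"],
                               "packets": int(m["count"]), "acl": m["acl"]})
    return alerts
```

Each returned dict can be handed to whatever sends the email; the third sample line produces no alert because its destination sits outside the watched /25.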

                          • Re: NetFlow alert?
                            chris.lapoint


                            Having netflow variables in other alerts would be awesome too.

                             



                            You read our minds ;-)   What we're working on...