Cisco ASA 5585-X with No Payload Encryption
Cisco Systems, Inc.
www.cisco.com
Cisco ASA
NetFlow Implementation Guide
This guide describes how to configure NetFlow Secure Event Logging (NSEL), how to handle events
and syslog messages through NSEL, and how to use NetFlow collectors.
About NSEL
The Cisco ASA supports NetFlow Version 9 services. The ASA and ASASM implementations of NSEL
provide a stateful, IP flow tracking method that exports only those records that indicate significant events
in a flow. In stateful flow tracking, tracked flows go through a series of state changes. NSEL events are
used to export data about flow status and are triggered by the event that caused the state change.
The significant events that are tracked include flow-create, flow-teardown, flow-denied (excluding those
flows that are denied by EtherType ACLs), and flow-update. The ASA implementation of NSEL
generates periodic NSEL events, called flow-update events, to provide periodic byte counters over the
duration of the flow. These events are usually time-driven, which makes them more in line with
traditional NetFlow; however, they may also be triggered by state changes in the flow.
Note
The flow-update event is not available in Version 9.0(1). It is available in Version 8.4(5) and in
Versions 9.1(2) and later.
The ASA also exports syslog messages that include the same information. You can disable these syslog
messages to avoid the performance degradation caused by generating both NSEL records and syslog
messages that represent the same event.
Each NSEL record has an event ID field and an extended event ID field, which describe the flow event.
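The stateful tracking described above, as an added Python example that is not part of the Cisco guide: it replays already-decoded NSEL records on the collector side and rebuilds per-flow state from their event IDs. The record field names, the sample records, the treatment of byte counters as deltas, and the numeric event IDs (1 create, 2 teardown, 3 denied, 5 update, taken from Cisco's NSEL field definitions rather than from this section) are assumptions.

```python
# Assumption: event IDs per Cisco's NSEL field definitions (not listed in this section).
EVENTS = {1: "flow-create", 2: "flow-teardown", 3: "flow-denied", 5: "flow-update"}

def track(records):
    """Replay decoded NSEL records; return (closed, denied, anomalies, active)."""
    active, closed, denied, anomalies = {}, [], [], []
    for r in records:
        key = (r["src"], r["sport"], r["dst"], r["dport"], r["proto"])
        event = EVENTS.get(r["event_id"])
        if event == "flow-denied":
            # A denied flow never enters the state table: one record, no teardown.
            denied.append({"flow": key, "ext_event_id": r["ext_event_id"]})
        elif event == "flow-create":
            active[key] = {"flow": key, "bytes": 0, "updates": 0}
        elif event in ("flow-update", "flow-teardown"):
            state = active.get(key)
            if state is None:
                # No matching flow-create: lost export packet or collector restart.
                anomalies.append((event, key))
                continue
            # Assumption: byte fields are deltas since the previous event for this flow.
            state["bytes"] += r.get("fwd_bytes", 0) + r.get("rev_bytes", 0)
            if event == "flow-update":
                state["updates"] += 1
            else:
                closed.append(active.pop(key))
        else:
            anomalies.append(("unknown-event", key))
    return closed, denied, anomalies, active

def rec(event_id, sport, ext=0, fwd=0, rev=0, dport=443):
    # Hypothetical decoded-record layout; addresses are documentation ranges.
    return {"event_id": event_id, "ext_event_id": ext, "src": "192.0.2.10", "sport": sport,
            "dst": "198.51.100.5", "dport": dport, "proto": 6, "fwd_bytes": fwd, "rev_bytes": rev}

SAMPLE = [  # constructed records, in export order
    rec(1, 40001),                       # flow-create
    rec(5, 40001, fwd=1200, rev=5300),   # periodic flow-update
    rec(3, 40002, ext=1001, dport=23),   # flow-denied, never created
    rec(5, 40001, fwd=300, rev=900),     # second flow-update
    rec(2, 40001, fwd=40, rev=60),       # flow-teardown closes the flow
    rec(2, 40003),                       # teardown with no create seen
    rec(1, 40004),                       # created, still open at end of sample
]

if __name__ == "__main__":
    closed, denied, anomalies, active = track(SAMPLE)
    print(closed, denied, anomalies, list(active), sep="\n")
```

Teardown or update events with no matching create are worth alerting on at the collector, since they indicate a gap in the exported event stream.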