Cisco 3850 and strange netflow logs

igor.hamzic81
Level 1

Hi all,


I have a 3850 L3 switch configured to send NetFlow to QRadar. Everything is working fine, but recently I have seen some strange events popping up in the NetFlow data coming from this switch.


Recently we tightened security with an ACL on a VLAN interface in the inbound direction, as we found that users were generating malicious traffic. The ACL is pretty restrictive: it allows specific ports and protocols to internal resources, allows basic web surfing and, at the end, denies everything else.

The thing that is weird to me is that sometimes I see traffic to IPs on the internet using UDP in the logs, with destination packets and bytes at 0, which the ACL should block (when I enable logging on the deny statement I can see the packets being dropped).

Also, when checking the firewall, I can see that no such UDP traffic reached it and went out to the IP address on the internet.


An example of the logs I've been seeing from NetFlow is in the attachment.

Does someone have an explanation for why such logs would pop up in NetFlow?


My own explanation is that the traffic is indeed dropped by the ACL, but that somehow I get these logs from time to time and they can be safely ignored. I would like to know if my explanation is correct or if something else is going on.


Thanks in advance for any help.

2 Replies

Reza Sharifi
Hall of Fame

Hi,

It appears that this is incoming traffic from AWS/West region (54.241.176.x). Do you have a VPN or DX setup to AWS?

And the rest is 224.x.x.x (multicast).

HTH

Hi Reza,

Thanks for the reply. I know that the IPs are from AWS and multicast (this is just a small snip of the traffic), but that is not what's strange to me.

The strange part, to me at least, is the part of the picture where it shows 0 destination packets and 0 destination bytes. If I have an ACL on a VLAN interface where UDP traffic to the internet is blocked, why am I seeing this traffic in NetFlow?

NetFlow data is sent to QRadar from the interface where the link to the firewall is connected, so the ACL on the VLAN interface should block the UDP traffic and never send it to that link.
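One way to sort records like the ones described in this thread into buckets before deciding which can be ignored, as an added example that is not part of the original posts or of any Cisco or QRadar tooling: the script below parses a small flow export, applies a simplified model of the inbound VLAN ACL, and reports every one-way flow (0 destination packets and 0 destination bytes, the shape the poster is asking about) together with why it is one-way. The flow records, the ACL contents, and the interface names Vlan20 and Gi1/0/48 are all constructed for illustration; the addresses come from RFC 1918 and documentation ranges, not from the poster's attachment.

```python
"""Triage of one-way flow records against a simple ACL model (added example)."""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample export, not the poster's data. Interface names are hypothetical.
# Columns mirror a QRadar-style bidirectional flow: src_* is the initiating
# direction, dst_* is the reply direction.
SAMPLE_FLOWS = """\
src,dst,proto,dport,input_if,output_if,src_pkts,src_bytes,dst_pkts,dst_bytes
10.20.1.15,10.0.5.10,tcp,445,Vlan20,Gi1/0/48,120,84000,98,62000
10.20.1.15,198.51.100.7,udp,5004,Vlan20,,3,384,0,0
10.20.1.33,224.0.0.251,udp,5353,Vlan20,,10,1200,0,0
10.20.1.15,203.0.113.20,tcp,443,Vlan20,Gi1/0/48,15,2100,12,9800
10.20.1.40,198.51.100.9,udp,123,Vlan20,Gi1/0/48,1,76,0,0
10.20.1.40,203.0.113.21,tcp,80,Vlan20,Gi1/0/48,4,320,0,0
10.0.5.10,10.20.1.15,tcp,445,Gi1/0/48,Vlan20,98,62000,120,84000
"""


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    input_if: str   # interface the first packet of the flow arrived on
    output_if: str  # interface the flow left on, empty if none was recorded
    src_pkts: int
    src_bytes: int
    dst_pkts: int   # packets seen in the reply direction
    dst_bytes: int


def parse_flows(text):
    """Parse the CSV export into Flow objects."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append(Flow(
            src=row["src"], dst=row["dst"], proto=row["proto"],
            dport=int(row["dport"]), input_if=row["input_if"],
            output_if=row["output_if"],
            src_pkts=int(row["src_pkts"]), src_bytes=int(row["src_bytes"]),
            dst_pkts=int(row["dst_pkts"]), dst_bytes=int(row["dst_bytes"]),
        ))
    return flows


ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Hypothetical inbound ACL on the user VLAN, modelled on the post's description:
# specific ports to internal resources, basic web browsing, then deny everything.
ACL = [
    ("permit", "tcp", INTERNAL, {445, 3389}),
    ("permit", "udp", INTERNAL, {53}),
    ("permit", "tcp", ANY, {80, 443}),
]


def acl_verdict(flow):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    dst = ipaddress.ip_address(flow.dst)
    for action, proto, net, ports in ACL:
        if flow.proto == proto and dst in net and flow.dport in ports:
            return action
    return "deny"


def is_unidirectional(flow):
    """A record with zero reply packets and bytes carries no return traffic."""
    return flow.dst_pkts == 0 and flow.dst_bytes == 0


def triage(flows, vlan_if, uplink_if):
    """Classify one-way flows that entered on vlan_if, the interface the ACL protects.

    Returns (flow, reason) pairs. A denied flow that still names the uplink as
    its output interface is the case worth chasing on the switch itself.
    """
    findings = []
    for f in flows:
        if f.input_if != vlan_if or not is_unidirectional(f):
            continue
        if ipaddress.ip_address(f.dst).is_multicast:
            reason = "multicast destination: no reply expected"
        elif acl_verdict(f) == "deny":
            if f.output_if == uplink_if:
                reason = "ACL-denied flow recorded as leaving the uplink"
            else:
                reason = "ACL-denied flow with no egress interface recorded"
        else:
            reason = "permitted flow with no reply seen"
        findings.append((f, reason))
    return findings


if __name__ == "__main__":
    for flow, reason in triage(parse_flows(SAMPLE_FLOWS), "Vlan20", "Gi1/0/48"):
        out = flow.output_if or "-"
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport} out={out}: {reason}")
```

Run as-is it walks the constructed export and prints one line per one-way flow. Multicast destinations are reported separately because they never produce a reply, so 0 destination bytes is the normal shape for them; denied flows are split by whether the record names the uplink as output interface, since that is the one combination that contradicts an ACL that is dropping the traffic and is the record to compare against the ACL log counters and the firewall.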
