AI in Network Security Landscape
Objective
This lesson introduces how AI transforms network security by feeding telemetry (logs, flows, SNMP) into AI/ML systems for improved detection, prioritization, and automated response. You will configure a simple lab network to export syslog, NetFlow, and SNMP to a central SIEM/AI engine (SIEM1). In production, this is how security teams provide rich telemetry to ML pipelines so anomalies and threats can be detected and correlated across domains; for example, by combining flow anomalies with firewall policy changes to prioritize a true incident.
Real-world scenario: An enterprise uses an AI-enabled SIEM/XDR to reduce alert noise and speed up incident response. The network devices must reliably send time-stamped logs, flow records, and SNMP telemetry to the AI system so the ML models can learn baseline behavior, detect anomalies, and recommend automated actions.
Topology & Device Table
ASCII topology (all IPs shown on each interface):
R1 and SW1 form the access layer; R1 connects to the security/telemetry network where the firewall and SIEM/AI engine reside. PC1 is a test host.
Device Table
| Device | Interface | IP Address | Subnet Mask | Role |
|---|---|---|---|---|
| R1 | GigabitEthernet0/1 | 10.0.10.1 | 255.255.255.0 | Default gateway for access VLAN; NetFlow & Syslog exporter |
| R1 | GigabitEthernet0/0 | 192.168.1.1 | 255.255.255.0 | Uplink to security/telemetry network |
| SW1 | Vlan1 (management) | 10.0.10.2 | 255.255.255.0 | Access switch management |
| SW1 | GigabitEthernet0/1 | (connected to PC1) | N/A | Access port |
| FW1 | eth0 (toward R1) | 192.168.1.2 | 255.255.255.0 | Firewall inline to security network |
| SIEM1 | eth0 | 192.168.1.100 | 255.255.255.0 | AI/SIEM/XDR server (collects logs, flows, SNMP) |
| PC1 | eth0 | 10.0.10.10 | 255.255.255.0 | Test endpoint |
Key Concepts (before hands-on)
-
Telemetry types and protocol behavior
- Syslog: devices send log messages via UDP/514 (commonly) to a collector; logs must be time-stamped (NTP) to correlate events across the network. In production, malformed timestamps break ML baselining—accurate times are critical.
- NetFlow / IPFIX: flow records summarize conversations (src/dst, ports, bytes); collectors receive UDP exports (e.g., UDP/2055). ML uses flows to detect anomalies such as unusual volumes, scanners, or lateral movement.
- SNMP: SNMP polling/traps provide device health and counters; polling gives periodic metrics (CPU, interface counters) while traps alert on events. The AI uses these metrics for baselining and resource-related anomalies.
-
Why normalization and enrichment matter
Raw logs/flows are noisy. The SIEM normalizes fields (timestamps, IPs, hostnames) and enriches events (DNS lookups, asset tags). AI models require consistent schemas to compare behavior across devices and services. -
Data fidelity and sampling considerations
High-volume telemetry (full NetFlow) can overwhelm collectors; sampling may be used. In production, tuning sampling rates and retention balances detection effectiveness against storage/egress costs. -
Automation and feedback loop
AI-driven systems often produce prioritized alerts and automated playbooks (e.g., block an IP at the firewall). Network devices must provide APIs or integrations (syslog for context; SNMP/REST for state changes) so automated responses are reliable and auditable. -
Security of telemetry
Telemetry channels should be protected (TLS, VPNs) for confidentiality and integrity in production. Unsigned/unprotected telemetry exposes sensitive metadata.
Step-by-step configuration
Step 1: Base device identity and management addressing
What we are doing: Set hostnames, management IPs and a domain so telemetry records include meaningful device identity. This helps the AI correlate events to devices and reduces ambiguity in the dataset.
R1> enable
R1# configure terminal
R1(config)# hostname R1
R1(config)# ip domain-name lab.nhprep.com
R1(config)# enable secret Lab@123
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip address 10.0.10.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# exit
SW1> enable
SW1# configure terminal
SW1(config)# hostname SW1
SW1(config)# interface Vlan1
SW1(config-if)# ip address 10.0.10.2 255.255.255.0
SW1(config-if)# no shutdown
SW1(config-if)# exit
SW1(config)# exit
What just happened: Setting the hostname and domain places a stable identifier in logs and flow metadata. Assigning management IPs allows the SIEM and administrators to reach devices for polling and collection. The enable secret secures privileged exec access.
Real-world note: Consistent hostnames and an internal domain (lab.nhprep.com) let AI correlation use a single canonical identity for each device.
Verify:
R1# show running-config | include hostname
hostname R1
R1# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.1 YES manual up up
GigabitEthernet0/1 10.0.10.1 YES manual up up
SW1# show running-config | include hostname
hostname SW1
SW1# show ip interface brief
Interface IP-Address OK? Method Status Protocol
Vlan1 10.0.10.2 YES manual up up
GigabitEthernet0/1 unassigned YES unset up up
Step 2: Configure NTP so logs/flows have accurate timestamps
What we are doing: Point devices to the SIEM for NTP. Correct timestamps are essential for ML models that build temporal baselines and correlate cross-device events.
R1# configure terminal
R1(config)# ntp server 192.168.1.100
R1(config)# exit
SW1# configure terminal
SW1(config)# ntp server 192.168.1.100
SW1(config)# exit
What just happened: Devices will synchronize clocks to the SIEM NTP server (192.168.1.100). With synchronized time, syslog messages and flow timestamps align across sources, which prevents time-skewed correlations.
Real-world note: In production, use dedicated, redundant NTP servers (and authenticated NTP) to prevent spoofing or clock drift affecting detection.
Verify:
R1# show ntp associations
address ref clock st when poll reach delay offset disp
*~192.168.1.100 .GPS. 1 12 64 377 0.123 -0.004 0.020
SW1# show ntp status
Clock is synchronized, stratum 2, reference is 192.168.1.100
nominal freq is 250.0000 Hz, precision is 2**18
Step 3: Configure Syslog to the SIEM (UDP/514)
What we are doing: Send device syslog messages to the central SIEM so logs feed the AI pipeline for anomaly detection and alert enrichment.
R1# configure terminal
R1(config)# logging host 192.168.1.100
R1(config)# logging trap informational
R1(config)# service timestamps log datetime msec localtime show-timezone
R1(config)# exit
SW1# configure terminal
SW1(config)# logging host 192.168.1.100
SW1(config)# logging trap informational
SW1(config)# service timestamps log datetime msec localtime show-timezone
SW1(config)# exit
What just happened: Each device will forward syslog messages (severity informational and above) to the SIEM at 192.168.1.100. The timestamp format is set to include milliseconds and time zone — improving temporal precision for ML.
Real-world note: In production, consider TLS-encrypted syslog or a syslog-ng forwarder to protect logs in transit.
Verify:
R1# show running-config | include logging
logging host 192.168.1.100
logging trap informational
R1# show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: disabled
Exceptions logging: disabled
Discriminator logging: disabled
Default logging origin: R1.lab.nhprep.com
Syslog logging host: 192.168.1.100
Trap logging level: informational
SW1# show logging
Syslog logging: enabled
Syslog logging host: 192.168.1.100
Trap logging level: informational
<div class="topology-diagram">
<img src="data:image/svg+xml;base64,PD9wbGFudHVtbCAxLjIwMjYuMT8+PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiBjb250ZW50U3R5bGVUeXBlPSJ0ZXh0L2NzcyIgZGF0YS1kaWFncmFtLXR5cGU9IkRFU0NSSVBUSU9OIiBoZWlnaHQ9IjYxOXB4IiBwcmVzZXJ2ZUFzcGVjdFJhdGlvPSJub25lIiBzdHlsZT0id2lkdGg6MzA2cHg7aGVpZ2h0OjYxOXB4O2JhY2tncm91bmQ6I0ZBRkFGQTsiIHZlcnNpb249IjEuMSIgdmlld0JveD0iMCAwIDMwNiA2MTkiIHdpZHRoPSIzMDZweCIgem9vbUFuZFBhbj0ibWFnbmlmeSI+PHRpdGxlPkxhYiA2MDogQUktRHJpdmVuIE5ldHdvcmsgU2VjdXJpdHk8L3RpdGxlPjxkZWZzLz48Zz48cmVjdCBmaWxsPSIjRkFGQUZBIiBoZWlnaHQ9IjYxOSIgc3R5bGU9InN0cm9rZTpub25lO3N0cm9rZS13aWR0aDoxOyIgd2lkdGg9IjMwNiIgeD0iMCIgeT0iMCIvPjxnIGNsYXNzPSJ0aXRsZSIgZGF0YS1zb3VyY2UtbGluZT0iOCI+PHRleHQgZmlsbD0iIzAwMDAwMCIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTQiIGZvbnQtd2VpZ2h0PSJib2xkIiBsZW5ndGhBZGp1c3Q9InNwYWNpbmciIHRleHRMZW5ndGg9IjI3OC43Njk1IiB4PSIxMCIgeT0iMjIuOTk1MSI+TGFiIDYwOiBBSS1Ecml2ZW4gTmV0d29yayBTZWN1cml0eTwvdGV4dD48L2c+PCEtLWNsdXN0ZXIgTGFiIE1vZHVsZXMtLT48ZyBjbGFzcz0iY2x1c3RlciIgZGF0YS1xdWFsaWZpZWQtbmFtZT0iTGFiIE1vZHVsZXMiIGRhdGEtc291cmNlLWxpbmU9IjEwIiBpZD0iZW50MDAwMiI+PHBhdGggZD0iTTIzLjM4NDgsNDMuMjk2OSBMMTIzLjgxMzUsNDMuMjk2OSBBMy43NSwzLjc1IDAgMCAxIDEyNi4zMTM1LDQ1Ljc5NjkgTDEzMy4zMTM1LDY1LjU5MzggTDI4OC4zODQ4LDY1LjU5MzggQTIuNSwyLjUgMCAwIDEgMjkwLjg4NDgsNjguMDkzOCBMMjkwLjg4NDgsNjA5LjU3NjkgQTIuNSwyLjUgMCAwIDEgMjg4LjM4NDgsNjEyLjA3NjkgTDIzLjM4NDgsNjEyLjA3NjkgQTIuNSwyLjUgMCAwIDEgMjAuODg0OCw2MDkuNTc2OSBMMjAuODg0OCw0NS43OTY5IEEyLjUsMi41IDAgMCAxIDIzLjM4NDgsNDMuMjk2OSIgZmlsbD0ibm9uZSIgc3R5bGU9InN0cm9rZTojMDAwMDAwO3N0cm9rZS13aWR0aDoxLjU7Ii8+PGxpbmUgc3R5bGU9InN0cm9rZTojMDAwMDAwO3N0cm9rZS13aWR0aDoxLjU7IiB4MT0iMjAuODg0OCIgeDI9IjEzMy4zMTM1IiB5MT0iNjUuNTkzOCIgeTI9IjY1LjU5MzgiLz48dGV4dCBmaWxsPSIjMDAwMDAwIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxNCIgZm9udC13ZWlnaHQ9ImJvbGQiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iOTkuNDI4NyIgeD0iMjQuODg0OCIgeT0iNTguMjkyIj5MYWIgTW9kdWxlczwvdGV4dD48L2c+PCEtLWVudGl0eSBBSV9pbl9OZXR3b3JrX1NlY3VyaXR5X0xhLS0+PGcgY2xhc3M9ImVudGl0eSIgZGF0YS1xdWFsaWZpZWQtbmFtZT0iTGFiIE1vZHVsZXMuQUlfaW5fTmV0d29ya19TZWN1cml0eV9MYSIgZGF0YS1zb3VyY2UtbGluZT0iMTEiIGlkPSJlbnQwMDAzIj48cmVjdCBmaWxsPSIjRThGNEZEIiBoZWlnaHQ9IjM2LjI5NjkiIHJ4PSIyLjUiIHJ5PSIyLjUiIHN0eWxlPSJzdHJva2U6IzI1NjNFQjtzdHJva2Utd2lkdGg6MC41OyIgd2lkdGg9IjIzNy45MjI5IiB4PSIzNi45MjQ4IiB5PSI3OC4yOTY5Ii8+PHRleHQgZmlsbD0iIzFFM0E1RiIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTQiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iMjE3LjkyMjkiIHg9IjQ2LjkyNDgiIHk9IjEwMS4yOTIiPkFJIGluIE5ldHdvcmsgU2VjdXJpdHkgTGFuZHNjYTwvdGV4dD48L2c+PCEtLWVudGl0eSBNTEJhc2VkX1RocmVhdF9EZXRlY3Rpb24tLT48ZyBjbGFzcz0iZW50aXR5IiBkYXRhLXF1YWxpZmllZC1uYW1lPSJMYWIgTW9kdWxlcy5NTEJhc2VkX1RocmVhdF9EZXRlY3Rpb24iIGRhdGEtc291cmNlLWxpbmU9IjEyIiBpZD0iZW50MDAwNCI+PHJlY3QgZmlsbD0iI0U4RjRGRCIgaGVpZ2h0PSIzNi4yOTY5IiByeD0iMi41IiByeT0iMi41IiBzdHlsZT0ic3Ryb2tlOiMyNTYzRUI7c3Ryb2tlLXdpZHRoOjAuNTsiIHdpZHRoPSIyMTAuNjgxNiIgeD0iNTAuNTQ0OCIgeT0iMTc0LjU5NjkiLz48dGV4dCBmaWxsPSIjMUUzQTVGIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxNCIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSIxOTAuNjgxNiIgeD0iNjAuNTQ0OCIgeT0iMTk3LjU5MiI+TUwtQmFzZWQgVGhyZWF0IERldGVjdGlvbjwvdGV4dD48L2c+PCEtLWVudGl0eSBFbmNyeXB0ZWRfVHJhZmZpY19BbmFseXRpLS0+PGcgY2xhc3M9ImVudGl0eSIgZGF0YS1xdWFsaWZpZWQtbmFtZT0iTGFiIE1vZHVsZXMuRW5jcnlwdGVkX1RyYWZmaWNfQW5hbHl0aSIgZGF0YS1zb3VyY2UtbGluZT0iMTMiIGlkPSJlbnQwMDA1Ij48cmVjdCBmaWxsPSIjRThGNEZEIiBoZWlnaHQ9IjM2LjI5NjkiIHJ4PSIyLjUiIHJ5PSIyLjUiIHN0eWxlPSJzdHJva2U6IzI1NjNFQjtzdHJva2Utd2lkdGg6MC41OyIgd2lkdGg9IjIwOC4xMzg3IiB4PSI1MS44MTQ4IiB5PSIyNzAuODg2OSIvPjx0ZXh0IGZpbGw9IiMxRTNBNUYiIGZvbnQtZmFtaWx5PSJzYW5zLXNlcmlmIiBmb250LXNpemU9IjE0IiBsZW5ndGhBZGp1c3Q9InNwYWNpbmciIHRleHRMZW5ndGg9IjE4OC4xMzg3IiB4PSI2MS44MTQ4IiB5PSIyOTMuODgyIj5FbmNyeXB0ZWQgVHJhZmZpYyBBbmFseXRpY3M8L3RleHQ+PC9nPjwhLS1lbnRpdHkgU2VjdXJpdHlfQXV0b21hdGlvbl93aXRoXy0tPjxnIGNsYXNzPSJlbnRpdHkiIGRhdGEtcXVhbGlmaWVkLW5hbWU9IkxhYiBNb2R1bGVzLlNlY3VyaXR5X0F1dG9tYXRpb25fd2l0aF8iIGRhdGEtc291cmNlLWxpbmU9IjE0IiBpZD0iZW50MDAwNiI+PHJlY3QgZmlsbD0iI0U4RjRGRCIgaGVpZ2h0PSIzNi4yOTY5IiByeD0iMi41IiByeT0iMi41IiBzdHlsZT0ic3Ryb2tlOiMyNTYzRUI7c3Ryb2tlLXdpZHRoOjAuNTsiIHdpZHRoPSIyMTUuNzg4MSIgeD0iNDcuOTk0OCIgeT0iMzY3LjE4NjkiLz48dGV4dCBmaWxsPSIjMUUzQTVGIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxNCIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSIxOTUuNzg4MSIgeD0iNTcuOTk0OCIgeT0iMzkwLjE4MiI+U2VjdXJpdHkgQXV0b21hdGlvbiB3aXRoIEFJPC90ZXh0PjwvZz48IS0tZW50aXR5IEFJX2Zvcl9GaXJld2FsbF9Qb2xpY3lfT3AtLT48ZyBjbGFzcz0iZW50aXR5IiBkYXRhLXF1YWxpZmllZC1uYW1lPSJMYWIgTW9kdWxlcy5BSV9mb3JfRmlyZXdhbGxfUG9saWN5X09wIiBkYXRhLXNvdXJjZS1saW5lPSIxNSIgaWQ9ImVudDAwMDciPjxyZWN0IGZpbGw9IiNFOEY0RkQiIGhlaWdodD0iMzYuMjk2OSIgcng9IjIuNSIgcnk9IjIuNSIgc3R5bGU9InN0cm9rZTojMjU2M0VCO3N0cm9rZS13aWR0aDowLjU7IiB3aWR0aD0iMjE5LjgwNzYiIHg9IjQ1Ljk4NDgiIHk9IjQ2My40ODY5Ii8+PHRleHQgZmlsbD0iIzFFM0E1RiIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTQiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iMTk5LjgwNzYiIHg9IjU1Ljk4NDgiIHk9IjQ4Ni40ODIiPkFJIGZvciBGaXJld2FsbCBQb2xpY3kgT3B0aW1pejwvdGV4dD48L2c+PCEtLWVudGl0eSBGdXR1cmVfb2ZfQUlfaW5fTmV0d29ya19TLS0+PGcgY2xhc3M9ImVudGl0eSIgZGF0YS1xdWFsaWZpZWQtbmFtZT0iTGFiIE1vZHVsZXMuRnV0dXJlX29mX0FJX2luX05ldHdvcmtfUyIgZGF0YS1zb3VyY2UtbGluZT0iMTYiIGlkPSJlbnQwMDA4Ij48cmVjdCBmaWxsPSIjRThGNEZEIiBoZWlnaHQ9IjM2LjI5NjkiIHJ4PSIyLjUiIHJ5PSIyLjUiIHN0eWxlPSJzdHJva2U6IzI1NjNFQjtzdHJva2Utd2lkdGg6MC41OyIgd2lkdGg9IjIzMC4wNDEiIHg9IjQwLjg2NDgiIHk9IjU1OS43NzY5Ii8+PHRleHQgZmlsbD0iIzFFM0E1RiIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTQiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iMjEwLjA0MSIgeD0iNTAuODY0OCIgeT0iNTgyLjc3MiI+RnV0dXJlIG9mIEFJIGluIE5ldHdvcmsgU2VjdXJpPC90ZXh0PjwvZz48IS0tbGluayBBSV9pbl9OZXR3b3JrX1NlY3VyaXR5X0xhIHRvIE1MQmFzZWRfVGhyZWF0X0RldGVjdGlvbi0tPjxnIGNsYXNzPSJsaW5rIiBkYXRhLWVudGl0eS0xPSJlbnQwMDAzIiBkYXRhLWVudGl0eS0yPSJlbnQwMDA0IiBkYXRhLWxpbmstdHlwZT0iZGVwZW5kZW5jeSIgZGF0YS1zb3VyY2UtbGluZT0iMTkiIGlkPSJsbms5Ij48cGF0aCBkPSJNMTU1Ljg4NDgsMTE0LjczNjkgQzE1NS44ODQ4LDEzMS42NDY5IDE1NS44ODQ4LDE1MS4yNTY5IDE1NS44ODQ4LDE2OC4yMzY5IiBmaWxsPSJub25lIiBpZD0iQUlfaW5fTmV0d29ya19TZWN1cml0eV9MYS10by1NTEJhc2VkX1RocmVhdF9EZXRlY3Rpb24iIHN0eWxlPSJzdHJva2U6IzE4MTgxODtzdHJva2Utd2lkdGg6MTsiLz48cG9seWdvbiBmaWxsPSIjMTgxODE4IiBwb2ludHM9IjE1NS44ODQ4LDE3NC4yMzY5LDE1OS44ODQ4LDE2NS4yMzY5LDE1NS44ODQ4LDE2OS4yMzY5LDE1MS44ODQ4LDE2NS4yMzY5LDE1NS44ODQ4LDE3NC4yMzY5IiBzdHlsZT0ic3Ryb2tlOiMxODE4MTg7c3Ryb2tlLXdpZHRoOjE7Ii8+PC9nPjwhLS1saW5rIE1MQmFzZWRfVGhyZWF0X0RldGVjdGlvbiB0byBFbmNyeXB0ZWRfVHJhZmZpY19BbmFseXRpLS0+PGcgY2xhc3M9ImxpbmsiIGRhdGEtZW50aXR5LTE9ImVudDAwMDQiIGRhdGEtZW50aXR5LTI9ImVudDAwMDUiIGRhdGEtbGluay10eXBlPSJkZXBlbmRlbmN5IiBkYXRhLXNvdXJjZS1saW5lPSIyMCIgaWQ9ImxuazEwIj48cGF0aCBkPSJNMTU1Ljg4NDgsMjExLjAzNjkgQzE1NS44ODQ4LDIyNy45NDY5IDE1NS44ODQ4LDI0Ny41NTY5IDE1NS44ODQ4LDI2NC41MzY5IiBmaWxsPSJub25lIiBpZD0iTUxCYXNlZF9UaHJlYXRfRGV0ZWN0aW9uLXRvLUVuY3J5cHRlZF9UcmFmZmljX0FuYWx5dGkiIHN0eWxlPSJzdHJva2U6IzE4MTgxODtzdHJva2Utd2lkdGg6MTsiLz48cG9seWdvbiBmaWxsPSIjMTgxODE4IiBwb2ludHM9IjE1NS44ODQ4LDI3MC41MzY5LDE1OS44ODQ4LDI2MS41MzY5LDE1NS44ODQ4LDI2NS41MzY5LDE1MS44ODQ4LDI2MS41MzY5LDE1NS44ODQ4LDI3MC41MzY5IiBzdHlsZT0ic3Ryb2tlOiMxODE4MTg7c3Ryb2tlLXdpZHRoOjE7Ii8+PC9nPjwhLS1saW5rIEVuY3J5cHRlZF9UcmFmZmljX0FuYWx5dGkgdG8gU2VjdXJpdHlfQXV0b21hdGlvbl93aXRoXy0tPjxnIGNsYXNzPSJsaW5rIiBkYXRhLWVudGl0eS0xPSJlbnQwMDA1IiBkYXRhLWVudGl0eS0yPSJlbnQwMDA2IiBkYXRhLWxpbmstdHlwZT0iZGVwZW5kZW5jeSIgZGF0YS1zb3VyY2UtbGluZT0iMjEiIGlkPSJsbmsxMSI+PHBhdGggZD0iTTE1NS44ODQ4LDMwNy4zMzY5IEMxNTUuODg0OCwzMjQuMjM2OSAxNTUuODg0OCwzNDMuODQ2OSAxNTUuODg0OCwzNjAuODI2OSIgZmlsbD0ibm9uZSIgaWQ9IkVuY3J5cHRlZF9UcmFmZmljX0FuYWx5dGktdG8tU2VjdXJpdHlfQXV0b21hdGlvbl93aXRoXyIgc3R5bGU9InN0cm9rZTojMTgxODE4O3N0cm9rZS13aWR0aDoxOyIvPjxwb2x5Z29uIGZpbGw9IiMxODE4MTgiIHBvaW50cz0iMTU1Ljg4NDgsMzY2LjgyNjksMTU5Ljg4NDgsMzU3LjgyNjksMTU1Ljg4NDgsMzYxLjgyNjksMTUxLjg4NDgsMzU3LjgyNjksMTU1Ljg4NDgsMzY2LjgyNjkiIHN0eWxlPSJzdHJva2U6IzE4MTgxODtzdHJva2Utd2lkdGg6MTsiLz48L2c+PCEtLWxpbmsgU2VjdXJpdHlfQXV0b21hdGlvbl93aXRoXyB0byBBSV9mb3JfRmlyZXdhbGxfUG9saWN5X09wLS0+PGcgY2xhc3M9ImxpbmsiIGRhdGEtZW50aXR5LTE9ImVudDAwMDYiIGRhdGEtZW50aXR5LTI9ImVudDAwMDciIGRhdGEtbGluay10eXBlPSJkZXBlbmRlbmN5IiBkYXRhLXNvdXJjZS1saW5lPSIyMiIgaWQ9ImxuazEyIj48cGF0aCBkPSJNMTU1Ljg4NDgsNDAzLjYyNjkgQzE1NS44ODQ4LDQyMC41MzY5IDE1NS44ODQ4LDQ0MC4xNDY5IDE1NS44ODQ4LDQ1Ny4xMjY5IiBmaWxsPSJub25lIiBpZD0iU2VjdXJpdHlfQXV0b21hdGlvbl93aXRoXy10by1BSV9mb3JfRmlyZXdhbGxfUG9saWN5X09wIiBzdHlsZT0ic3Ryb2tlOiMxODE4MTg7c3Ryb2tlLXdpZHRoOjE7Ii8+PHBvbHlnb24gZmlsbD0iIzE4MTgxOCIgcG9pbnRzPSIxNTUuODg0OCw0NjMuMTI2OSwxNTkuODg0OCw0NTQuMTI2OSwxNTUuODg0OCw0NTguMTI2OSwxNTEuODg0OCw0NTQuMTI2OSwxNTUuODg0OCw0NjMuMTI2OSIgc3R5bGU9InN0cm9rZTojMTgxODE4O3N0cm9rZS13aWR0aDoxOyIvPjwvZz48IS0tbGluayBBSV9mb3JfRmlyZXdhbGxfUG9saWN5X09wIHRvIEZ1dHVyZV9vZl9BSV9pbl9OZXR3b3JrX1MtLT48ZyBjbGFzcz0ibGluayIgZGF0YS1lbnRpdHktMT0iZW50MDAwNyIgZGF0YS1lbnRpdHktMj0iZW50MDAwOCIgZGF0YS1saW5rLXR5cGU9ImRlcGVuZGVuY3kiIGRhdGEtc291cmNlLWxpbmU9IjIzIiBpZD0ibG5rMTMiPjxwYXRoIGQ9Ik0xNTUuODg0OCw0OTkuOTI2OSBDMTU1Ljg4NDgsNTE2LjgzNjkgMTU1Ljg4NDgsNTM2LjQ0NjkgMTU1Ljg4NDgsNTUzLjQyNjkiIGZpbGw9Im5vbmUiIGlkPSJBSV9mb3JfRmlyZXdhbGxfUG9saWN5X09wLXRvLUZ1dHVyZV9vZl9BSV9pbl9OZXR3b3JrX1MiIHN0eWxlPSJzdHJva2U6IzE4MTgxODtzdHJva2Utd2lkdGg6MTsiLz48cG9seWdvbiBmaWxsPSIjMTgxODE4IiBwb2ludHM9IjE1NS44ODQ4LDU1OS40MjY5LDE1OS44ODQ4LDU1MC40MjY5LDE1NS44ODQ4LDU1NC40MjY5LDE1MS44ODQ4LDU1MC40MjY5LDE1NS44ODQ4LDU1OS40MjY5IiBzdHlsZT0ic3Ryb2tlOiMxODE4MTg7c3Ryb2tlLXdpZHRoOjE7Ii8+PC9nPjw/cGxhbnR1bWwtc3JjIFZQN0hJaUNtNThSbC1uSTdVTHJHdnVQdThOSWtYSzdkWDdhZDRoOHF0U0JJZkFJZFpZZy1rcWRNVEozTnFoanlfdFRveWhWUTJyTElHbWxPS0JSVjZic2h4NExCUlUwY1lUbU5MNXMyd1FCS1lZalNPb0N2NkN3R2dndGFyb0JtNG0zQ0JhVjZaeWIzQ2RUNGN1b1J6bEgtQ1h0N0N0a1FROE5qc0xxeVpZUDl5MWtXRzdqTklaU21sTnMyUTE3RVpWWlkyYnV2N2hKUG12Z3BzV1hpV2cycWp6NGpYdjRCQnRMTUlyd0RfMXVWcUdCNFZ5TEVMTGQ1dzJWR29hdWNHZjRzR2F1SGFiQmRCekRtSFlrVW1WbEVTOGVtdnNXVkJ4Sm93WkJyYTFtWHdRMHBPeUxDS3c5SjNTcnBtSTFJTDNPZU1FTlRaZkVNYXZPeGtMaXFnYjROckNzNFd5MlROVFJCdFBQZEpYbWR4UGpwc3NHWTMzekdBVTVESXk0UU05S2UybDV6VWhFRGE1RTQ3MkRhTEplX2dSNHM3N0dFcnpocF9aNTJUNHVrc2hGX3BPeGVoSEoyeTdjZWpKeGFsUTc2VWZhdFgtaGdQVHVTQWdnTlVSRXRlWnkwPz48L2c+PC9zdmc+" alt="Network Topology Diagram" style="max-width:100%;height:auto;background:#fff;padding:16px;border:1px solid #e5e7eb;border-radius:8px;" />
</div>
cisco
R1# configure terminal
R1(config)# ip flow-export destination 192.168.1.100 2055
R1(config)# ip flow-export version 9
R1(config)# ip flow-cache timeout active 60
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip flow ingress
R1(config-if)# exit
R1(config)# exit
What just happened: R1 will export NetFlow v9 records to 192.168.1.100:2055. Enabling ip flow ingress on the access interface causes the router to generate flow records for incoming traffic. The active timeout controls how often flow records for active flows are exported.
Real-world note: NetFlow traffic is UDP-based; in high-throughput environments consider IPFIX or sampled flow to reduce collector load.
Verify:
R1# show ip flow export
Export source interface: GigabitEthernet0/0
Version: 9, Transport: UDP
Destination: 192.168.1.100, Port: 2055
Export packets queued for processing 0
Template data timeout (seconds): 300
R1# show ip cache flow
IP packet size distribution (bytes):
0 - 64 10
65 - 127 20
128 - 255 5
...
Total packets accounted: 35
(Above show ip cache flow confirms flow cache activity; counts will vary in your lab.)
Step 5: Configure SNMP (v2c) for monitoring and traps
What we are doing: Allow the SIEM to poll device metrics (CPU, interface counters) and receive traps. These metrics feed ML models for resource and behavior baselining.
R1# configure terminal
R1(config)# snmp-server community NHPREP RO
R1(config)# snmp-server host 192.168.1.100 version 2c NHPREP
R1(config)# exit
SW1# configure terminal
SW1(config)# snmp-server community NHPREP RO
SW1(config)# snmp-server host 192.168.1.100 version 2c NHPREP
SW1(config)# exit
What just happened: SNMP community NHPREP (read-only) is configured and the SIEM is registered as a manager. The SIEM can poll OIDs for counters and receive traps (if configured). This periodic data helps ML establish normal performance baselines.
Real-world note: For production, use SNMPv3 with authentication and privacy to avoid credential exposure.
Verify:
R1# show snmp community
Community name: NHPREP
Community name: NHPREP access: ro users: 0 groups: 0
R1# show snmp host
Host: 192.168.1.100 version: v2c
community: NHPREP
Verification Checklist
-
Check 1: Syslog sends messages to the SIEM — verify with
show loggingon each device and confirm SIEM receives events (SIEM UI).
How to verify:show loggingshould listSyslog logging host: 192.168.1.100. -
Check 2: NetFlow export is active — verify
show ip flow exportshows destination 192.168.1.100 and templates being exported.
How to verify:show ip flow export(see earlier expected output). -
Check 3: NTP is synchronized and timestamps are correct — verify
show ntp statusand check log timestamps.
How to verify:show ntp status; logs should show accurate timestamps with milliseconds. -
Check 4: SNMP polling works — use the SIEM or an SNMP walk from the SIEM to confirm OIDs are readable (e.g., interface counters).
How to verify:show snmp hoston the device and SNMP walk from 192.168.1.100.
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| SIEM shows no syslog messages | logging host not configured or UDP/514 blocked by firewall | Configure logging host 192.168.1.100 and check ACLs/firewall rules allowing UDP/514 |
| Flow records not arriving | NetFlow export destination/port mismatch or NetFlow not enabled on interfaces | Check show ip flow export; ensure ip flow export destination uses the same port as collector and ip flow ingress applied to relevant interfaces |
| Timestamps do not align across devices | NTP not configured or unreachable | Configure ntp server 192.168.1.100 on all devices and ensure NTP traffic allowed |
| SNMP inaccessible | Wrong community string or SNMP host not configured | Verify snmp-server community NHPREP RO and snmp-server host 192.168.1.100 version 2c NHPREP; consider SNMPv3 for production |
Key Takeaways
- Telemetry (syslog, NetFlow/IPFIX, SNMP) is the lifeblood of AI-driven network security; accuracy and consistency (e.g., timestamps, hostnames) directly impact ML model quality.
- Syslog provides event context; NetFlow provides behavioral context; SNMP provides health/telemetry context — combining all three enables richer detection and prioritization.
- In production, protect telemetry in transit (TLS/VPN) and tune sampling/retention to balance detection capability with storage/cost.
- AI-based systems prioritize and recommend actions, but reliable automation requires predictable, auditable device configuration and secure integrations.
Tip: Think of telemetry as sensor data for your AI “brain” — inaccurate sensors (bad timestamps, missing flows) will train poor models. Invest time in consistent naming, clock sync, and secure transport before building AI detection logic.
This lesson established the foundational telemetry and device configuration needed to feed an AI-driven SIEM/XDR. In subsequent lessons we will cover SIEM ingestion, enrichment pipelines, ML-assisted alerting, and automated response playbooks using the same topology.