net flow tech
TRANSCRIPT
-
8/13/2019 Net Flow Tech
1/245
2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Cisco IOS NetFlow Technical Presentation
Jean-Charles GRIVIAUD
jgriviaud@cisco.com, NSSTG Product Manager
Agenda
- NetFlow overview including partners and applications
- NetFlow case studies
- Configuration
- Cache Export timers
- Export versions
- Security
- Multicast
Agenda (Cont.)
- NetFlow MIB
- Sampled NetFlow
- NetFlow on Cisco 6500, 7600 and Catalyst 6500
- Performance
- New features
- Introduction to Flexible NetFlow
Why Cisco IOS NetFlow? Customer Benefits
- To better understand productivity and utilization of assets in the network
- Application and network usage
- Impact of network changes and services
- NetFlow answers the who, what, when, where, and how network traffic is flowing
- Detect and classify security incidents with proven threat defence
- Improve network usage and application performance
Principal NetFlow Applications
Service Provider:
- Network infrastructure optimization and planning
- Peering arrangements
- Traffic engineering
- Accounting and billing
- Security monitoring and incident (DDoS) detection
Enterprise:
- Internet access monitoring
- User monitoring/profiling
- Application monitoring
- Billing for departments
- Security monitoring and incident (DDoS) detection
Data at ANY granularity to understand network use: who, what, where, when and how
Flow Is Defined By Seven Unique Keys
(Figure: a packet arriving at the device is inspected, a flow is created from the packet attributes, the flow is held in the NetFlow cache and later exported for reporting.)
The seven key fields:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol
- TOS byte (DSCP)
- Input interface
Flow information kept per flow: addresses, ports, packets, bytes/packet.
Path: inspect packet, NetFlow cache, NetFlow export, reporting.
Features and Services: NetFlow Processing Order
Pre-processing:
- Packet sampling
- Filtering
- IP
- Multicast
- MPLS
Post-processing:
- Aggregation schemes
- Non-key fields lookup
- Export
NetFlow Cache Example: Create and update flows in the NetFlow cache
Cache entry fields: SrcIf, SrcIPadd, DstIf, DstIPadd, Protocol, TOS, Flgs, Pkts, SrcPort, SrcMsk, Src AS, DstPort, DstMsk, Dst AS, Next Hop
Ingress NetFlow Switching Path
(Figure, software platforms.) Packet in the input buffer; input interface feature check (ACL, Policy, WCCP, NAT input); FAST FLOW switching vector, flow lookup in the NetFlow cache; add input flow fields (Src AS, CEF FLOW); FIB route lookup; add output flow fields (Dest AS, next hop, BGP next hop); output interface feature check (QoS, CAR, Crypto, NAT output); output interface update (input/output bytes, input packets); packet out.
Sampling (1 out of N, yes/no) is applied before the flow lookup.
Applies to the Cisco software-based router series.
Comprehensive Hardware Support
(Figure.) Access and enterprise/aggregation/edge router series: Cisco IOS Software Releases, T train. Aggregation/edge and core platforms, Cisco Catalyst 6500 Series (ASIC): Cisco IOS Software Release 12.2S. Core: Release 12.0S / IOS-XR, CRS-1 (ASIC).
Cisco Applications and Partners
Partner categories: Billing, Denial of Service, Traffic Analysis, CS-MARS, NetFlow Collector.
More info: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/commercial/
NetFlow Open Source Tools
Product Name | Primary Use | Comment | OS
Cflowd | Traffic Analysis | No longer supported | UNIX
Flow-tools | Collector Device | Scalable | UNIX
Flowd | Collector Device | Supports V9 | BSD, Linux
FlowScan | Reporting for Flow-Tools | | UNIX
IPFlow | Traffic Analysis | Supports V9, IPv4, IPv6, MPLS, SCTP, etc. | Linux, FreeBSD, Solaris
NetFlow Guide | Reporting Tools | | BSD, Linux
NetFlow Monitor | Traffic Analysis | Supports V9 | UNIX
Netmet | Collector Device | V5, supports v9 | Linux
NTOP | Security Monitoring | | UNIX
Stager | Reporting for Flow-Tools | | UNIX
Nfdump/nfsen | Traffic Analysis | Supports V5 and v9 | UNIX
Different costs: implementation and customization
Making Sense of Your Network Traffic
NetQoS products
NetFlow Uses
(Figure: applications and NetFlow features mapped onto the network layers Access, Distribution and Core.)
Applications: attack mitigation; user (IP) monitoring; application monitoring; billing; chargeback; AS peer monitoring; traffic engineering; traffic analysis.
NetFlow features: aggregation schemes (v8); show ip cache flow command; Arbor Networks; NetFlow MPLS egress accounting; BGP next-hop (v9); Multicast NetFlow (v9); MPLS-aware NetFlow (v9); Sampled NetFlow.
NetFlow Case Studies
Cisco IT Challenge: No Application Flow Information
- Cisco Systems relied almost exclusively on Simple Network Management Protocol (SNMP) to monitor Internet bandwidth
- Although SNMP facilitates capacity planning, it does little to characterize traffic applications, essential for understanding how well the network supports the business
- Cisco needed a more granular understanding of how Cisco bandwidth was being used
- Port flow was monitored, but many newer applications dynamically select new ports for each use
Cisco IT Case Study Results
- Security Monitoring for Internet Gateways: Cisco IT detects worms and DDoS attacks with NetFlow
- Detection of Unauthorized WAN Traffic: Cisco has avoided costly upgrades by identifying the applications causing congestion and, if appropriate, changing the usage policy
- Reduction in Peak WAN Traffic: Cisco IT uses NetFlow statistics to measure WAN traffic improvement from application/policy changes
Case studies: http://wwwin.cisco.com/ios/tech/mgmt/netflow/press/
Cisco IT Case Study Results (Cont.)
- Validation of QoS Parameters: By using Cisco NetFlow and NetQoS ReporterAnalyzer, IT is able to confirm that appropriate bandwidth has been allocated to each Class of Service (CoS) and that no CoS is over- or under-subscribed
- Analysis of VPN Traffic and Teleworker Behavior: Cisco IT can easily identify teleworker traffic because it all travels over identifiable tunnels; this type of traffic analysis facilitates capacity planning for Internet access, and understanding of home worker behavior
Case studies: http://wwwin.cisco.com/ios/tech/mgmt/netflow/press/
Cisco IOS NetFlow: Other Case Studies
Customer Challenge | Description | Problem Situation | NetFlow Resolution
Security | Detect SQL Slammer | Detrimental incapacity of servers | NetFlow day-zero anomaly detection
Traffic analysis | Bandwidth hog | Sluggish network performance; single user application monopolizing the network | Cost savings in labor costs
Traffic analysis | Full circuit | Circuit 100% utilized | Quickly tracked the problem and saved 300 hours of labor
Capacity planning | Slow network performance | More servers and bandwidth added; users still complained; rented RMON probes, didn't work | Cost savings in probe costs
Capacity planning | Poor network performance | Low bandwidth; "We need more bandwidth" | Tracked the point of slowdown; yearly savings on circuits
NetFlow Configuration
NetFlow Configuration Commands (Software Platforms)
Configure NetFlow per interface:
  ip route-cache flow
Export version, e.g. "ip flow-export version 5":
  ip flow-export version [origin-as|peer-as|bgp-nexthop]
Export destination, e.g. "ip flow-export destination <collector-ip> <udp-port>":
  ip flow-export destination
Default is the interface that will best route to the collector; it is recommended to configure and set a loopback interface:
  ip flow-export source
NetFlow Configuration Commands (Software Platforms)
Sets the seconds an inactive flow will remain in the cache before expiration; 15 seconds is the default:
  ip flow-cache timeout inactive
Sets the minutes an active flow will remain in the cache before expiration; 30 minutes is the default:
  ip flow-cache timeout active
NetFlow Configuration Commands (Software Platforms) (Cont.)
Sets the maximum number of flow entries in the cache. The default varies depending on platform; normally 25% of the memory in the box is the maximum that can be allocated to the NetFlow cache:
  ip flow-cache entries
Selects the v8 or v9 aggregation cache scheme:
  ip flow-aggregation cache
NetFlow Commands
Shows NetFlow statistics:
  show ip cache [verbose] flow
Shows NetFlow statistics for the configured aggregation scheme:
  show ip cache flow aggregation
Shows export statistics:
  show ip flow export
NetFlow Commands (Cont.)
Clears NetFlow statistics:
  clear ip cache flow
Clears export statistics:
  clear ip flow stats
Show NetFlow Information: show ip cache flow
router_A#sh ip cache flow
IP packet size distribution (85435 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 1.000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, ... bytes
  8 active, ... inactive, 85310 added
  ... ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-other          ...      ...         1  1440      ...       0.0       ...
Total              ...      ...         1  1440      ...       0.0       ...

SrcIf   SrcIPaddress    DstIf   SrcIPaddress    Pr SrcP DstP  Pkts
Et0/0   ...             Se0/0   ...             06 ...  ...      1
Et0/0   ...             Se0/0   ...             06 ...  ...      1
Et0/0   ...             Se0/0   ...             06 ...  ...      1
(Slide annotations: packet sizes; number of active flows; rates and duration; flow details cache. Numeric values marked "..." are illegible in the source.)
show ip cache verbose flow
router_A#sh ip cache verbose flow
IP packet size distribution (... total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 1.000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, ... bytes
  ... active, ... inactive, 3533 added
  151644 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-other           10      3.1         1  1440      3.1       0.0       ...
Total               10      3.1         1  1440      3.1       0.0       ...

SrcIf   SrcIPaddress    DstIf   DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS             Port Msk AS             NextHop          B/Pk  Active
Et0/0   ...             Se0/0   ...             06 00  10        1
...  /24 0              ...  /0  0              0.0.0.0          1440  0.0
(Slide annotations: source mask and ISP AS; destination information; ToS byte and TCP flags; flow rate and duration. Values marked "..." are illegible in the source.)
Cisco 6500 NDE Configuration: Cisco IOS Software
mls aging fast time 4 threshold 128
mls aging normal 32
mls flow ip interface-full
mls nde sender version 5
mls nde interface
NetFlow enabled on all interfaces when configured
...
interface POS9/14
 description to wellington via 3/3
 mtu 2048
 ip address 42.50.31.1 255.255.255.252
 ip pim sparse-dense-mode
 encapsulation ppp
 ip route-cache flow
...
ip flow-export version 5 peer-as
ip flow-export destination 10.1.1.209 9999
(Figure: RP and SP, input interface and output interface.)
Use the "mls nde sender" command to set the NDE version on the SUP
Use "ip flow-export version" to set the NDE version on the RP
Configuring NetFlow: Cisco IOS on 7600/Catalyst 6500
C6500(config)# mls netflow                          Enable NetFlow
C6500(config)# mls flow ip ?                        Optionally set the flow mask
  destination                   destination flow keyword
  destination-source            destination-source flow keyword
  full                          full flow keyword
  interface-destination-source  interface-destination-source flow keyword
  interface-full                interface full flow keyword
  source                        source only flow keyword
C6500(config)# mls nde sender version 5             Set the NetFlow record version on the PFC
C6500(config)# mls nde interface                    Populate the interface field in NDE packets
C6500(config)# mls aging normal 32                  Change the default 5-minute timer
C6500(config)# ip flow-export destination <collector-ip> <udp-port>   Destination for PFC/MSFC exports
C6500(config)# interface <interface>
C6500(config-if)# ip route-cache flow               Software flows, interface capture
NDE Configuration: Catalyst OS and Cisco IOS Software
CatOS:
#mls
set mls nde version 7
set mls nde 10.1.1.209 9999
set mls agingtime 32
set mls agingtime fast 8 1
set mls nde enable
* NetFlow enabled on all interfaces when configured
Cisco IOS MSFC:
interface POS8/0/0
 description to wellington via 1/0
 mtu 2048
 ip address 42.50.31.1 255.255.255.252
 ip pim sparse-dense-mode
 encapsulation ppp
 ip route-cache flow
...
ip flow-export version 5 peer-as
ip flow-export destination 10.1.1.209 9999
(Figure: RP and SP, input interface and output interface.)
Supervisor 720: 12.2S
Monitoring NetFlow Table Usage: Cisco IOS on 7600/Catalyst 6500
C6500# show mls netflow ip
Displaying Netflow entries in Supervisor Earl
DstIP  SrcIP  Prot:SrcPort:DstPort  Src i/f:AdjPtr  Pkts  Bytes  Age  LastSeen  Attributes
---------------------------------------------------
...    ...    tcp :...:www          1/1:...         ...   ...    ...  ...       L3 - Dynamic
...    ...    tcp :...:...          1/1:...         ...   ...    ...  ...       L3 - Dynamic
...
C6500# show process cpu
CPU utilization for five seconds: ...%; one minute: ...%; five minutes: ...%
 PID  Runtime(ms)  Invoked  uSecs  5Sec  1Min  5Min  TTY  Process
 ...  ...          ...      ...    ...   ...   ...   0    Check heaps
 ...  ...          ...      ...    ...   ...   ...   0    SCP Download Lis
 ...  ...          ...      ...    ...   ...   ...   0    slcp process
 ...  ...          ...      ...    ...   ...   ...   0    NDE - IPV4
(Values marked "..." are illegible in the source.)
Supervisor 720: 12.2S
Monitoring NetFlow Table Usage: Cisco IOS on 7600/Catalyst 6500
C6500# show mls ip count
Displaying Netflow entries in Supervisor Earl
Number of shortcuts = 2239
C6500# sh mls netflow table-contention detailed
Detailed Netflow CAM (TCAM and ICAM) Utilization
================================================
TCAM Utilization          : ...
ICAM Utilization          : 0
Netflow TCAM count        : ...          (number of flows in the hardware cache)
Netflow ICAM count        : 3
Netflow Creation Failures : ...          (failures to create flows)
Netflow CAM aliases       : ...
(Values marked "..." are illegible in the source.)
NetFlow Export Versions
NetFlow Versions
NetFlow Version | Comments
1 | Original
5 | Standard and most common
7 | Specific to Cisco Catalyst 6500 and 7600 Series Switches; similar to Version 5, but does not include AS, interface, TCP flag and TOS information
8 | Choice of eleven aggregation schemes; reduces resource usage
9 | Flexible, extensible file export format to enable easier support of additional fields and technologies; coming out now: MPLS, Multicast, and BGP next hop
Version 5 Flow Export Format
(Figure: the record fields grouped by what they answer: usage, QoS, time of day, application, port utilization, from/to, routing and peering.)
- Source IP address, Destination IP address (from/to)
- Packet count, Byte count (usage)
- Input ifIndex, Output ifIndex (from/to)
- Type of Service (QoS)
- TCP flags, Protocol (application)
- Start sysUpTime, End sysUpTime (time of day)
- Source TCP/UDP port, Destination TCP/UDP port (port utilization)
- Next hop address, Source AS number, Dest. AS number (routing and peering)
- Source prefix mask, Dest. prefix mask (routing and peering)
Version 5 is used extensively today
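The Version 5 layout listed above is fixed-size and easy to check programmatically. The following Python is an added example, not code from the presentation or from Cisco: it packs a constructed record into the 24-byte v5 header plus 48-byte record layout and parses it back, rejecting datagrams whose version is wrong or whose record count disagrees with the datagram length (the sanity check a collector should make before trusting a UDP datagram). The `V5Record` class name, the helper names and the sample addresses are assumptions.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# NetFlow v5 wire format: 24-byte header, then 'count' records of 48 bytes each,
# all fields big-endian.
HEADER_FMT = "!HHIIIIBBH"           # version, count, sysuptime, unix_secs, unix_nsecs,
                                    # flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
MAX_RECORDS = 30                            # IOS packs at most 30 v5 records per datagram


@dataclass
class V5Record:
    """The v5 fields listed on the slide (hypothetical class name)."""
    srcaddr: str
    dstaddr: str
    nexthop: str
    input_if: int
    output_if: int
    packets: int
    octets: int
    first: int          # sysUpTime at flow start (ms)
    last: int           # sysUpTime at last packet (ms)
    srcport: int
    dstport: int
    tcp_flags: int
    proto: int
    tos: int
    src_as: int
    dst_as: int
    src_mask: int
    dst_mask: int


def build_v5_packet(records, sysuptime=0, unix_secs=0, flow_sequence=0):
    """Encode records into one v5 export datagram (used here to construct test input)."""
    body = b"".join(
        struct.pack(RECORD_FMT,
                    IPv4Address(r.srcaddr).packed, IPv4Address(r.dstaddr).packed,
                    IPv4Address(r.nexthop).packed,
                    r.input_if, r.output_if, r.packets, r.octets, r.first, r.last,
                    r.srcport, r.dstport, 0, r.tcp_flags, r.proto, r.tos,
                    r.src_as, r.dst_as, r.src_mask, r.dst_mask, 0)
        for r in records)
    header = struct.pack(HEADER_FMT, 5, len(records), sysuptime, unix_secs, 0,
                         flow_sequence, 0, 0, 0)
    return header + body


def parse_v5_packet(data):
    """Decode a v5 datagram; raises ValueError on wrong version, bad count or truncation."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sysuptime, unix_secs, _unix_nsecs,
     flow_sequence, _engine_type, _engine_id, sampling) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not a v5 datagram (version {version})")
    if not 1 <= count <=MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    if len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        records.append(V5Record(
            str(IPv4Address(f[0])), str(IPv4Address(f[1])), str(IPv4Address(f[2])),
            f[3], f[4], f[5], f[6], f[7], f[8], f[9], f[10],
            f[12], f[13], f[14], f[15], f[16], f[17], f[18]))   # f[11], f[19] are padding
    header = {"sysuptime": sysuptime, "unix_secs": unix_secs,
              "flow_sequence": flow_sequence, "sampling_interval": sampling & 0x3FFF}
    return header, records


def is_valid_v5(data):
    """True if the datagram parses cleanly: what a collector should check before trusting it."""
    try:
        parse_v5_packet(data)
        return True
    except ValueError:
        return False
```

Because v5 rides on UDP with no authentication, the length/count cross-check is the only structural defence a collector has against garbage or truncated datagrams; the low 14 bits of the sampling field are the sampling interval and must be applied before totals are compared across routers.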
Version 7
- Version 5 should be used if supported on the supervisor and IOS release.
- Catalyst 6500 Series Switches with Sup uses Version 7 in hybrid mode
- Uses Multi-Layer Switching (MLS) or CEF with Cisco Catalyst 6500 Series Switches with SUP2
Version 7 Flow Format
(Figure: fields grouped by usage, QoS, time of day, application, port utilization, from/to, routing and peering.)
- Source IP address, Destination IP address
- Input ifIndex, Output ifIndex
- Type of Service
- TCP flags, Protocol
- Packet count, Byte count
- Start sysUpTime, End sysUpTime
- Source TCP/UDP port, Destination TCP/UDP port
- Next hop address, Source AS number, Dest. AS number, Source subnet mask
- Dest. subnet mask, RouterSc (router shortcut)*
* Additional field not in Version 5
Note: The ToS and TCP flags fields are not populated
Version 8
- Router-based aggregation: enables the router to summarize NetFlow data
- Reduces NetFlow Export data volume
- Decreases NetFlow Export bandwidth requirements
- Currently 11 aggregation schemes: five original schemes, six new schemes with the TOS byte field
- Several aggregations can be enabled simultaneously
Note: Version 9 can be used for router-based aggregation and is recommended if the collector supports 9
Version 8 Flow Format
(Figure: a matrix of which fields each of the five original schemes carries.)
Schemes: AS, Protocol-Port, Source-Prefix, Destination-Prefix, Prefix
Fields: Source Prefix, Source Prefix Mask, Destination Prefix, Destination Prefix Mask, Source App Port, Destination App Port, Input Interface, Output Interface, IP Protocol, Source AS, Destination AS, First Timestamp, Last Timestamp, # of Flows, # of Packets, # of Bytes
Version 8 Flow Format (TOS schemes)
(Figure: the same matrix for the six TOS schemes.)
Schemes: AS-TOS, Protocol-Port-TOS, Source-Prefix-TOS, Destination-Prefix-TOS, Prefix-TOS, Prefix-Port
Fields: Source Prefix, Source Prefix Mask, Destination Prefix, Destination Prefix Mask, Source App Port, Destination App Port, Input Interface, Output Interface, IP Protocol, Source AS, Destination AS, TOS, First Timestamp, Last Timestamp, # of Flows, # of Packets, # of Bytes
Version 8 Configuration
3600-1(config)# ip flow-aggregation cache ?
  as                      AS aggregation
  as-tos                  AS-TOS aggregation
  destination-prefix      Destination Prefix aggregation
  destination-prefix-tos  Destination Prefix TOS aggregation
  prefix                  Prefix aggregation
  prefix-port             Prefix-port aggregation
  prefix-tos              Prefix-TOS aggregation
  protocol-port           Protocol and port aggregation
  protocol-port-tos       Protocol, port and TOS aggregation
  source-prefix           Source Prefix aggregation
  source-prefix-tos       Source Prefix TOS aggregation
Note: Do not export Version 5 at the same time ("ip flow-export version 5")
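To make the reduction the aggregation schemes buy concrete, here is an added Python example (not from the presentation or from Cisco) that aggregates a constructed set of cache records under the eleven scheme names listed above. The key fields per scheme follow the field lists on the Version 8 format slides; the exact composition of the IOS `prefix-port` key and the `FlowRecord` class, helper names and sample flows are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class FlowRecord:
    """Fields of a cache entry that the v8 schemes aggregate over (hypothetical class)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tos: int
    src_as: int
    dst_as: int
    src_mask: int
    dst_mask: int
    input_if: int
    output_if: int
    packets: int
    octets: int
    first: int
    last: int


def _prefix(addr, mask_len):
    """Mask the address down to the prefix carried in the record, e.g. 10.1.1.5/24 -> 10.1.1.0/24."""
    return str(ip_network(f"{addr}/{mask_len}", strict=False))


# Key fields per scheme, following the field lists on the Version 8 format slides.
SCHEMES = {
    "as": lambda f: (f.src_as, f.dst_as, f.input_if, f.output_if),
    "protocol-port": lambda f: (f.proto, f.sport, f.dport),
    "source-prefix": lambda f: (_prefix(f.src, f.src_mask), f.src_as, f.input_if),
    "destination-prefix": lambda f: (_prefix(f.dst, f.dst_mask), f.dst_as, f.output_if),
    "prefix": lambda f: (_prefix(f.src, f.src_mask), _prefix(f.dst, f.dst_mask),
                         f.src_as, f.dst_as, f.input_if, f.output_if),
}
# The "-tos" variants add the TOS byte to the key of the base scheme.
for _name in list(SCHEMES):
    SCHEMES[_name + "-tos"] = (lambda base: lambda f: base(f) + (f.tos,))(SCHEMES[_name])
# prefix-port keeps both prefixes plus protocol, ports and TOS (assumed composition).
SCHEMES["prefix-port"] = lambda f: SCHEMES["prefix"](f) + (f.proto, f.sport, f.dport, f.tos)


def aggregate(flows, scheme):
    """Summarise flows the way a router-based aggregation cache does for one scheme."""
    key_of = SCHEMES[scheme]
    table = {}
    for f in flows:
        entry = table.setdefault(key_of(f), {"flows": 0, "packets": 0, "octets": 0,
                                             "first": f.first, "last": f.last})
        entry["flows"] += 1
        entry["packets"] += f.packets
        entry["octets"] += f.octets
        entry["first"] = min(entry["first"], f.first)
        entry["last"] = max(entry["last"], f.last)
    return table


def export_ratio(flows, scheme):
    """Aggregated records per original flow: the export volume reduction a scheme buys."""
    return len(aggregate(flows, scheme)) / len(flows)


# Constructed sample cache: two web flows from one /24 and a DNS query from another.
SAMPLE_FLOWS = [
    FlowRecord("10.1.1.5", "192.0.2.80", 40001, 80, 6, 0, 65000, 64512, 24, 24, 1, 2, 10, 5000, 100, 200),
    FlowRecord("10.1.1.9", "192.0.2.80", 40002, 80, 6, 0, 65000, 64512, 24, 24, 1, 2, 4, 600, 150, 400),
    FlowRecord("10.2.2.7", "192.0.2.53", 5353, 53, 17, 0, 65000, 64512, 24, 24, 1, 2, 1, 80, 300, 300),
]
```

Running `aggregate(SAMPLE_FLOWS, "destination-prefix")` collapses all three flows into one record, while `protocol-port` keeps all three because the ephemeral source ports differ; that trade-off between export volume and the detail left for security analysis (source addresses vanish under every scheme except none) is the reason the slide recommends Version 9 instead where the collector supports it.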
Extensibility and Flexibility Requirements: Phased Approach
New requirement: build a flexible and extensible NetFlow
Phase 1: NetFlow version 9, completed
- Advantages: extensibility
- Integrate new technologies/data types quicker (MPLS, IPv6, BGP next hop, etc.)
- Integrate new aggregations quicker
- Note: for now, the template definitions are fixed
Phase 2: Flexible NetFlow, completed
- Advantages: cache and export content flexibility
- User selection of flow keys
- User definition of the records
(Figure: Metering Process feeding the Exporting Process.)
NetFlow Version 9
RFC 3954, "Cisco Systems NetFlow Services Export Version 9"
- Version 9 is an export protocol
- No changes to the metering process
- Version 9 is based on templates and separate flow records
- Templates are composed of type and length
- Flow records are composed of template ID and values
- The template is sent regularly (configurable), because of UDP
Releases:
- 12.0(22)S for the Cisco 7200, 7500 and 12000
- 12.3(1) for the Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200 Series
- 12.2(18)S for the Cisco 7200, 7304 and 7500 Series
- 12.2(18)SXF: Catalyst 6500/7600 Series (IPv4 aggregation, Multicast)
- 12.2(31)SB: Cisco 7304 and 10000 Series Routers
- 12.2(33)SXH: Cisco 6500 Series (IPv6 aggregation)
- 12.2(33)SRB: Cisco 7600 Series (IPv6 aggregation)
- IOS-XR 3.2: CRS-1, XR 12000
NetFlow Version 9 Export Packet
(Figure: a Template FlowSet carrying Template Records, each with a Template ID and its specific field types and lengths, followed by Data FlowSets whose FlowSet ID references a Template ID and whose Data Records carry the field values.)
IETF IP Flow Information Export WG
IPFIX is an effort to define the notion of a "standard IP flow", along with data encoding for IP flows
http://www.ietf.org/html.charters/ipfix-charter.html
- RFC 3917, "Requirements for IP Flow Information Export": gathers all IPFIX requirements for the IPFIX evaluation process
- RFC 3955, "Evaluation of Candidate Protocols for IPFIX"
IETF: IP Flow Information Export WG (IPFIX)
IPFIX protocol specifications
- Changed in terminology but same principles as NetFlow version 9
- Improvements versus NetFlow version 9: SCTP-PR, security, variable length information elements, IANA registration, etc.
- Generic streaming protocol, not flow-centric anymore
Security
- Threat: confidentiality, integrity, authorization
- Solution: DTLS on PR-SCTP
IPFIX information model
- Most NetFlow version 9 information element IDs are kept
- Proprietary information element specification
http://www.ietf.org/html.charters/ipfix-charter.html
IETF: IPFIX Status
- All IPFIX drafts transmitted to the IESG (Internet engineering task force)
- IPFIX Protocol draft in the RFC-Editor queue
- IPFIX Architecture draft: one more correction and then the RFC-Editor queue
- IPFIX Information model: some comments from the IESG
- IPFIX prototype done during interop
IETF: Packet Sampling WG (PSAMP)
PSAMP is an effort to specify a set of selection operations by which packets are sampled, and describe protocols by which information on sampled packets is reported to applications
- Sampling and filtering techniques for IP packet selection: to be compliant with PSAMP, we must implement at least one of the mechanisms; sampled NetFlow and NetFlow input filters are already implemented
- PSAMP protocol specifications: agreed to use IPFIX as the export protocol
- Information model for packet sampling export: extension of the IPFIX information model
NetFlow Cache Aging Timers
Active/Inactive Timers
- Inactive time = the flow expires once no packets are seen for this time duration
- Active time = if packets continue to be received on this flow beyond this active time setting then the flow will expire and be exported while a new flow is created. For security monitoring this timer may be set to the minimum value of one minute
Default values on software-based routers and the Cisco 12000:
- Inactive timer 15 seconds (minimum 10 seconds)
- Active timer 30 minutes (minimum 1 minute)
Cisco Catalyst 6500 Series Switch
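The following Python is an added example (not code from the presentation or from Cisco) that ties the "seven unique keys" slide to the active/inactive timers above: a small software-style cache keyed on the seven fields, with the ager exporting flows that have been idle past the inactive timer or alive past the active timer, and an "alloc failure" counter when the cache is full. The `NetFlowCache` and `FlowKey` names, the packet dictionary layout and the sample packet are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    """The seven key fields from the 'Flow Is Defined By Seven Unique Keys' slide."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    tos: int
    input_if: str


@dataclass
class FlowEntry:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class NetFlowCache:
    """Software-style NetFlow cache (hypothetical class). IOS defaults: inactive 15 s, active 30 min."""

    def __init__(self, inactive_timeout=15, active_timeout=30 * 60, max_entries=4096):
        self.inactive = inactive_timeout
        self.active = active_timeout
        self.max_entries = max_entries
        self.entries = {}
        self.alloc_failures = 0      # the "flow alloc failures" counter of show ip cache flow

    def packet(self, pkt, now):
        """Account one packet at time 'now' (seconds). Returns flows exported by the active timer."""
        key = FlowKey(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                      pkt["proto"], pkt["tos"], pkt["ifc"])
        exported = []
        entry = self.entries.get(key)
        if entry is not None and now - entry.first_seen >= self.active:
            # Long-lived flow: export what we have and start a fresh entry for the same key.
            exported.append(self.entries.pop(key))
            entry = None
        if entry is None:
            if len(self.entries) >= self.max_entries:
                self.alloc_failures += 1
                return exported
            entry = FlowEntry(key, now, now)
            self.entries[key] = entry
        entry.last_seen = now
        entry.packets += 1
        entry.octets += pkt["len"]
        return exported

    def age(self, now):
        """Ager pass: export flows idle past the inactive timer or alive past the active timer."""
        expired = [k for k, e in self.entries.items()
                   if now - e.last_seen >= self.inactive or now - e.first_seen >= self.active]
        return [self.entries.pop(k) for k in expired]


# Constructed sample: a 40-byte TCP SYN arriving on Se0/0.
SAMPLE_PKT = {"src": "198.51.100.7", "dst": "192.0.2.10", "sport": 40000, "dport": 80,
              "proto": 6, "tos": 0, "ifc": "Se0/0", "len": 40}


def security_monitoring_demo():
    """Active timer at its one-minute minimum, as the slide suggests for security monitoring."""
    cache = NetFlowCache(inactive_timeout=15, active_timeout=60)
    exported = []
    for t in range(0, 75, 5):                 # one packet every 5 s for 70 s
        exported += cache.packet(SAMPLE_PKT, t)
    exported += cache.age(100)                # idle > 15 s: the remainder is exported too
    return [(e.packets, e.octets, e.last_seen - e.first_seen) for e in exported]
```

With the one-minute active timer the 70-second stream is exported as two records (12 packets, then 3) instead of a single record after 30 minutes, which is exactly why the shorter timer matters for security monitoring: the collector sees a long-running flow within a minute of its start rather than half an hour later.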
Cisco Catalyst 6500 Series Switch Aging Timers
- Normal aging (equivalent to the inactive timer): the amount of time the system has not seen another packet for a particular flow before the flow is exported; the default is 256 seconds (32-4092 seconds)
- Long aging (equivalent to the active timer): the maximum time a flow can exist in the NetFlow table before it is exported out; long-lived flows with constant traffic fall into this category, for example an ftp going on for many hours; the default value is 32 minutes (64-1920 seconds). For security monitoring this timer may be set to the minimum value of 64 seconds
Cisco Catalyst 6500 Series Switch
Cisco Catalyst 6500 Series Switch Aging Timers (Cont.)
- Fast aging (Cisco Catalyst 6500 Series Switch specific): is used to age out short-lived flows in the NetFlow table; it takes two parameters, the number of packets and a time interval; if fewer than N packets are seen for a flow in X time interval the flow is exported
Cisco Catalyst 6500 Series Switch
Cisco Catalyst 6500 Series Switch Aging Timers (Cont.)
Within a high-flow environment the timers may need to be changed.
Normal aging:
- Reduce the normal aging timer until no misses are seen or until you hit the minimum value for normal aging, or the CPU utilization is near your threshold
- Still seeing misses at the minimum normal aging time, then enable Fast Aging
- Recommendation: change the normal aging time to 32 seconds
- If there are flow drops with normal aging set to a low value then fast aging is needed. For fast aging time start with 32 seconds and 10 packets
Cisco Catalyst 6500 Series Switch
Cisco Catalyst 6500 Series Switch Aging Timers (Cont.)
Fast Aging:
- Enable Fast Aging, start with time=32, packets=10
- Reduce the start time until misses cease, or the minimum time value is reached
- If you reach the minimum time, and still see misses, then try increasing the packet count
- Stop adjusting the aging timers when the CPU level gets above what is comfortable; this is very subjective, for some customers it is 20%, for others it is 80%.
NetFlow Security
How to Identify a Security Attack?
- Sudden increase in overall traffic in the network
How to Identify a Security Attack? (Cont.)
- Multiple NetFlow records with abnormal content, like one packet per flow record (ie TCP SYN flood)
- A changed mix of traffic applications, ie a sudden increase of "unknown" applications
- An increase of certain traffic types and messages, ie TCP resets or ICMP messages
- An increasing number of ACL violations
What Does a DoS Attack Look Like?
Router# show ip cache flow
SrcIf  SrcIPaddress       SrcP  SrcAS  DstIf  DstIPaddress        DstP  DstAS  Pr  Pkts  B/Pk
Se0    (varying source)   ...   aaa    Et0    (same destination)  ...   bbb    6   1     40
(many more entries with the same input interface and destination, protocol 6, 1 packet and 40 bytes per packet)
Typical DoS attacks have the same (or similar) entries:
- Input interface (SrcIf)
- Destination IP (DstIf)
- 1 packet per flow (Pkts)
- Bytes per packet (B/Pk)
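The indicator described on this slide and in the "How to Identify a Security Attack?" list (many one-packet, small-packet flows from distinct sources towards one destination on one input interface) can be checked mechanically against the cache output. The following Python is an added example, not code from the presentation or from Cisco: it parses a constructed table in the slide's column layout, groups flows by (input interface, destination, protocol) and flags groups that match the pattern; the thresholds, function names and sample addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample in the column layout of the slide's "show ip cache flow" output:
# many spoofed sources on one input interface, one destination, 1 packet and 40 bytes
# per flow, plus two ordinary flows.
SAMPLE_CACHE = """\
SrcIf  SrcIPaddress   SrcP   SrcAS  DstIf  DstIPaddress  DstP  DstAS  Pr  Pkts  B/Pk
Se0    203.0.113.11   1028   aaa    Et0    192.0.2.10    80    bbb    6   1     40
Se0    203.0.113.57   2231   aaa    Et0    192.0.2.10    80    bbb    6   1     40
Se0    203.0.113.98   1304   aaa    Et0    192.0.2.10    80    bbb    6   1     40
Se0    203.0.113.140  3912   aaa    Et0    192.0.2.10    80    bbb    6   1     40
Se0    203.0.113.201  1867   aaa    Et0    192.0.2.10    80    bbb    6   1     40
Se0    203.0.113.233  1050   aaa    Et0    192.0.2.10    80    bbb    6   1     40
Se1    198.51.100.4   51234  aaa    Et0    192.0.2.25    443   bbb    6   180   980
Se0    203.0.113.11   53     aaa    Et0    192.0.2.53    53    bbb    17  2     78
"""


def parse_cache(text):
    """Parse the slide-style table into dicts; AS columns stay as text (the slide uses aaa/bbb)."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        c = line.split()
        rows.append({"src_if": c[0], "src": c[1], "sport": int(c[2]), "src_as": c[3],
                     "dst_if": c[4], "dst": c[5], "dport": int(c[6]), "dst_as": c[7],
                     "proto": int(c[8]), "pkts": int(c[9]), "bpk": int(c[10])})
    return rows


def flows_to(rows, destination):
    """Equivalent of 'show ip cache flow | include <destination>' on the parsed table."""
    return [r for r in rows if r["dst"] == destination]


def dos_indicators(rows, min_sources=5, max_pkts=1, max_bpk=64):
    """Flag (input interface, destination, protocol) groups made of many one-packet,
    small-packet flows from distinct sources: the pattern the slide describes."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["src_if"], r["dst"], r["proto"])].append(r)
    alerts = []
    for (src_if, dst, proto), flows in groups.items():
        tiny = [f for f in flows if f["pkts"] <= max_pkts and f["bpk"] <= max_bpk]
        sources = {f["src"] for f in tiny}
        if len(sources) >= min_sources:
            alerts.append({"input_if": src_if, "dst": dst, "proto": proto,
                           "sources": len(sources), "flows": len(tiny),
                           "dports": sorted({f["dport"] for f in tiny})})
    return alerts
```

On the sample the web and DNS flows are ignored and one alert is raised for 192.0.2.10 on Se0; the input interface in the alert is what tells the operator which upstream to trace back through, which is the first step of the tracing procedure on the following slides. Thresholds should be tuned against a baseline, since a busy public server legitimately receives many short flows.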
Tracing a DoS Attack with NetFlow (Cont.)
1. To show high-rate flows:
   router# show ip cache flow | include (K|M)
2. To show all flows to one destination:
   router# sh ip cache [verbose] flow | include <destination>
   router# sh ip cache flow | include <destination>
   SrcIf  SrcIPaddress  SrcP  SrcAS  DstIf  DstIPaddress   DstP  DstAS  Pr  Pkts  B/Pk
   Se0    ...           ...   aaa    Et0    <destination>  1308  bbb    6   1     40
   Se0    ...           ...   aaa    Et0    <destination>  ...   bbb    6   1     40
   Se0    ...           ...   aaa    Et0    <destination>  1867  bbb    6   1     40
   Se0    ...           ...   aaa    Et0    <destination>  1050  bbb    6   1     40
   ...
3. To look for known attack signatures, ie if we know of an attack using UDP port 666
router# show ip cache flow | include <destination>
Se1  <source>  Et0  <destination>  [remaining columns unreadable]
... (lots more flows to the same destination)

Tracing DoS Attack with NetFlow (Cont.)
Enable NetFlow on relevant routers/switches
Router# show ip cef s
Prefix  Next
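The three tracing steps above (high-rate flows, all flows to one destination, rows that share input interface, destination, packets per flow and bytes per packet) can be applied to captured `show ip cache flow` text offline. The following is an added example, not code from the Cisco deck; the sample output is constructed to match the column layout on the slides, and every interface, address, port and AS number in it is made up.

```python
"""Added example (not from the Cisco deck): pick the DoS pattern the slides
describe out of 'show ip cache flow' output. SAMPLE_OUTPUT is constructed
to match the slide's column layout; all values in it are made up."""
from collections import defaultdict

SAMPLE_OUTPUT = """\
Router# show ip cache flow
SrcIf  SrcIPaddress   SrcP  SrcAS  DstIf  DstIPaddress   DstP  DstAS  Pr  Pkts  B/Pk
Se0/0  192.0.2.11     1308  64500  Et0/0  198.51.100.10  0050  64501  06  1     40
Se0/0  192.0.2.12     1044  64500  Et0/0  198.51.100.10  0050  64501  06  1     40
Se0/0  192.0.2.13     1869  64500  Et0/0  198.51.100.10  0050  64501  06  1     40
Se0/0  192.0.2.14     1050  64500  Et0/0  198.51.100.10  0050  64501  06  1     40
Se0/0  192.0.2.15     2017  64500  Et0/0  198.51.100.10  0050  64501  06  1     40
Se0/1  203.0.113.5    0050  64502  Et0/0  198.51.100.20  1a2b  64501  06  812   1436
Se0/1  203.0.113.5    0035  64502  Et0/0  198.51.100.21  0c81  64501  11  2     120
"""

_SCALE = {"K": 1000, "M": 1000000}


def _count(token):
    """IOS prints large packet counts with a K or M suffix; expand it to an int."""
    if token[-1] in _SCALE:
        return int(float(token[:-1]) * _SCALE[token[-1]])
    return int(token)


def parse_cache_flow(text):
    """Parse the flow rows of 'show ip cache flow' into dicts; prompt and header are skipped.
    Ports and the protocol number are printed in hex by IOS, so they are decoded here."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 11 or parts[0] == "SrcIf":
            continue
        rows.append({
            "src_if": parts[0], "src_ip": parts[1], "src_port": int(parts[2], 16),
            "src_as": int(parts[3]), "dst_if": parts[4], "dst_ip": parts[5],
            "dst_port": int(parts[6], 16), "dst_as": int(parts[7]),
            "proto": int(parts[8], 16), "pkts": _count(parts[9]), "bpp": int(parts[10]),
        })
    return rows


def high_rate_flows(rows, min_pkts=1000):
    """Step 1 on the slide: the flows carrying the most packets, highest first."""
    return sorted((r for r in rows if r["pkts"] >= min_pkts), key=lambda r: -r["pkts"])


def flows_to(rows, dst_ip):
    """Step 2 on the slide: every flow to one destination."""
    return [r for r in rows if r["dst_ip"] == dst_ip]


def dos_candidates(rows, min_flows=4):
    """Group flows by the four fields the slide says look alike in a DoS:
    input interface, destination IP, packets per flow and bytes per packet.
    Many flows from distinct sources sharing one tuple, each carrying a
    single packet, is the SYN-flood shape described on the previous slides."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["src_if"], r["dst_ip"], r["pkts"], r["bpp"])].append(r)
    found = []
    for (src_if, dst_ip, pkts, bpp), flows in groups.items():
        if pkts == 1 and len(flows) >= min_flows:
            found.append({"src_if": src_if, "dst_ip": dst_ip, "bytes_per_pkt": bpp,
                          "proto": flows[0]["proto"], "flows": len(flows),
                          "sources": len({f["src_ip"] for f in flows})})
    return sorted(found, key=lambda c: -c["flows"])


if __name__ == "__main__":
    rows = parse_cache_flow(SAMPLE_OUTPUT)
    for c in dos_candidates(rows):
        print(f"{c['flows']} single-packet flows from {c['sources']} sources to "
              f"{c['dst_ip']} via {c['src_if']} (proto {c['proto']}, {c['bytes_per_pkt']} B/pkt)")
```

The grouping key deliberately excludes the source address and source port: in the slide's SYN-flood rows those are the only fields that vary, so grouping on everything else collapses the flood into one candidate while leaving the legitimate high-rate flow (812 packets, 1436 bytes per packet) alone.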

CS-MARS Networks: Tracing Attack
[screenshot]

DoS Attack Example: Arbor Networks
[diagram: Service Provider A, Service Provider B, Service Provider C; customer web server, IDS and firewall; "Configure NetFlow export to Arbor DoS Collector(s)"]
1. Profile: Baseline traffic patterns in the network
2. Monitor: Analyze traffic for anomalies
3. Detect: Forward anomaly fingerprints to controllers
4. Trace: Trace the attack to its source
5. Filter: Recommends filters

NetFlow L2 and Security Monitoring
Targeted for security to help identify network attacks and their origin
Layer 2/IP header fields:
Source MAC address field from frames that are received by the NetFlow router
Destination MAC address field from frames that are transmitted by the NetFlow router
Received VLAN ID field (802.1q and Cisco's ISL)
Transmitted VLAN ID field (802.1q and Cisco's ISL)
Extra layer 3 IP header fields:
Time-to-live field
Identification field
Packet length field
ICMP type and code
Fragment offset

NetFlow Layer 2 and Security Exports
Cisco IOS 12.3(14)T: Cisco ?00, 1?00, 2?00, 2?00, 3?00, 3?00, 3?00, 7200 and 7500 Series
Source MAC address field from frames that are received by the NetFlow router
Destination MAC address field from frames that are transmitted by the NetFlow router
Received VLAN ID field (802.1q and Cisco's ISL)
Transmitted VLAN ID field (802.1q and Cisco's ISL)
Minimum/maximum packet length in the flow
Minimum/maximum TTL of packets in the flow
ICMP type and code
IP identification field
Cisco IOS 12.4(2)T: Cisco ?00, 1?00, 2?00, 3?00 and 7200 Series
IfIndex to interface name mapping
Fragment-offset information

NetFlow L2 and Security Monitoring: L3 Packet Format
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
(IPv4 header layout, RFC 791)

Current NetFlow L3 Fields
[the same IPv4 header diagram, repeated]

Extra NetFlow L3 Fields
[the same IPv4 header diagram, annotated as follows]
Identification: very large packets, or attacks that might always have the same generated identification
Total Length: attacks that use consistent packet size, or worms that use consistent packet size
Time to Live: flow issued from the same origin
Fragment Offset: several flows with the same fragment offset, i.e. the same packet sent over and over

NetFlow L2 and Security Monitoring
Not flow keys: the value of the first packet of the flow
Exception for packet length: min/max
Exception for the TTL: min/max
Fragment-offset: the first fragmented packet
Complete the main cache, not the aggregation caches: info lost if an aggregation cache is used
Currently not available with the MIB
Router(config)# ip flow-capture icmp
Router(config)# ip flow-capture ip-id
Router(config)# ip flow-capture mac-addresses
Router(config)# ip flow-capture packet-length
Router(config)# ip flow-capture ttl
Router(config)# ip flow-capture vlan-id
Router(config)# ip flow-capture fragment-offset
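The per-flow semantics described above (first-packet values, except min/max for packet length and TTL, and the fragment offset taken from the first fragmented packet) are easy to get wrong when reading the exported records, so here is an added example, not code from the Cisco deck, that reads those header fields from raw IPv4 packets and accumulates them per flow with exactly those rules. The packets are built by a small constructed builder; all addresses, identifiers and payloads are made up, and the checksum is left at zero since nothing here validates it.

```python
"""Added example (not from the Cisco deck): extract the extra Layer 3 fields
from raw IPv4 packets and keep them per flow the way the slide describes.
Packets are constructed by build_ipv4(); every value in them is made up."""
import socket
import struct


def parse_ipv4_header(pkt):
    """Return the header fields of interest from one IPv4 packet (RFC 791 layout)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    fields = {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
        "tos": tos, "total_len": total_len, "ident": ident, "ttl": ttl,
        "mf": bool(flags_frag & 0x2000),      # More Fragments flag
        "frag_offset": flags_frag & 0x1FFF,   # in 8-byte units
    }
    # ICMP type/code live in the first 2 bytes after the header, first fragment only.
    if proto == 1 and fields["frag_offset"] == 0 and len(pkt) >= ihl + 2:
        fields["icmp_type"], fields["icmp_code"] = pkt[ihl], pkt[ihl + 1]
    return fields


class FlowL3Fields:
    """Per-flow record of the extra L3 fields, with the slide's semantics."""

    def __init__(self):
        self.packets = 0
        self.ident = None          # value from the first packet of the flow
        self.icmp = None           # (type, code) from the first packet of the flow
        self.min_plen = self.max_plen = None
        self.min_ttl = self.max_ttl = None
        self.frag_offset = None    # offset of the first fragmented packet seen

    def update(self, h):
        self.packets += 1
        if self.ident is None:
            self.ident = h["ident"]
            if "icmp_type" in h:
                self.icmp = (h["icmp_type"], h["icmp_code"])
        plen, ttl = h["total_len"], h["ttl"]
        self.min_plen = plen if self.min_plen is None else min(self.min_plen, plen)
        self.max_plen = plen if self.max_plen is None else max(self.max_plen, plen)
        self.min_ttl = ttl if self.min_ttl is None else min(self.min_ttl, ttl)
        self.max_ttl = ttl if self.max_ttl is None else max(self.max_ttl, ttl)
        if self.frag_offset is None and (h["mf"] or h["frag_offset"]):
            self.frag_offset = h["frag_offset"]
        return self


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0, frag_offset=0, mf=False):
    """Constructed packet builder for this example (header checksum left at zero)."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def flow_from_packets(packets):
    """Feed a list of raw packets belonging to one flow into a FlowL3Fields record."""
    rec = FlowL3Fields()
    for p in packets:
        rec.update(parse_ipv4_header(p))
    return rec


# Constructed sample flows (made-up addresses): a UDP flow whose TTL and size vary
# and which contains one fragmented datagram, and a single ICMP port-unreachable.
SAMPLE_UDP_FLOW = [
    build_ipv4("192.0.2.7", "198.51.100.9", 17, b"\x00" * 820, ttl=59, ident=0x1234),
    build_ipv4("192.0.2.7", "198.51.100.9", 17, b"\x00" * 820, ttl=59, ident=0x1234),
    build_ipv4("192.0.2.7", "198.51.100.9", 17, b"\x00" * 820, ttl=58, ident=0x1235, frag_offset=185),
    build_ipv4("192.0.2.7", "198.51.100.9", 17, b"\x00" * 1480, ttl=58, ident=0x1235, mf=True),
]
SAMPLE_ICMP_FLOW = [
    build_ipv4("192.0.2.8", "198.51.100.9", 1, b"\x03\x03" + b"\x00" * 34, ident=7),
]
```

A record where min and max packet length stay identical over many packets, or where the identification never changes, is what the annotated diagram two slides back calls out as a worm or replay signature; the record for the UDP flow above shows the opposite, a flow whose size and TTL move.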

NetFlow L2 and Security Monitoring
Router# show ip cache verbose flow
...
SrcIf    SrcIPaddress    DstIf    DstIPaddress  Pr  TOS  Flgs  Pkts
Port Msk AS  Port Msk AS  NextHop  B/Pk  Active
Et0/0.1  10.251.138.218  Et1/0.1  12.16.10.206  06  80   00    65
0015 /0 0    0015 /0 0    0.0.0.0  840   10.8
MAC: (VLAN id)  aaaa.bbbb.cc03 (005)  aaaa.bbbb.cc06 (006)
Min plen: 840  Max plen: 840
Min TTL: 59  Max TTL: 59
IP id: 0
One Flow Entry

NetFlow and ICMP Information
ICMP is the protocol identifier
The destination port number reported = (ICMP type * 256) + (the ICMP code)
ICMP type = 8, ICMP code = 0
Port = 8 * 256 + 0 = 2048 = 0x0800 (hexa)
Only for the routers
Router# show ip cache flow
SrcIf  SrcIPaddress    DstIf  DstIPaddress  Pr  SrcP  DstP  Pkts
Fa1/0  144.254.12.209  Local  12.12.246.9   01  0000  0800  4

NetFlow L2 and Security Monitoring
Router# show ip cache verbose flow
...
SrcIf    SrcIPaddress    DstIf    DstIPaddress  Pr  TOS  Flgs  Pkts
Port Msk AS  Port Msk AS  NextHop  B/Pk  Active
Et0/0.1  10.251.138.218  Et1/0.1  12.16.10.206  01  80   00    65
0015 /0 0    0015 /0 0    0.0.0.0  840   10.8
MAC: (VLAN id)  aaaa.bbbb.cc03 (005)  aaaa.bbbb.cc06 (006)
Min plen: 840  Max plen: 840
Min TTL: 59  Max TTL: 59
ICMP type: 0  ICMP code: 0
IP id: 0
ICMP type 0, ICMP code 0: Echo Reply

ICMP Type and Code
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Code      |          Checksum             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type: Echo reply; Destination unreachable; Source quench; Redirect; Time exceeded; Parameter problem; etc.
Destination unreachable codes:
1. Host unreachable
2. Protocol unreachable
3. Port unreachable
4. Fragmentation needed and DF bit set
5. Source route failed
6. Destination network unknown
7. Destination host unknown
8. Source host isolated
9. Communication with destination network is administratively prohibited
10. Communication with destination host is administratively prohibited
11. Destination network unreachable for TOS
12. Destination host unreachable for TOS
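Because NetFlow folds the ICMP type and code into the destination port field (type * 256 + code, as the earlier slide states), a flow with Pr 01 and DstP 0303 is a port-unreachable, not traffic to TCP/UDP port 771. The following is an added example, not code from the Cisco deck, that does that decoding and tallies ICMP flows by message so a jump in, say, unreachables or echo requests stands out; the flow rows are constructed and their addresses and counts are made up.

```python
"""Added example (not from the Cisco deck): decode the ICMP type/code that
NetFlow packs into DstP for ICMP flows and tally ICMP flows by message.
SAMPLE_ROWS is constructed; every address and count in it is made up."""
from collections import Counter

ICMP_TYPES = {0: "Echo reply", 3: "Destination unreachable", 4: "Source quench",
              5: "Redirect", 8: "Echo request", 11: "Time exceeded", 12: "Parameter problem"}

UNREACHABLE_CODES = {
    0: "Net unreachable", 1: "Host unreachable", 2: "Protocol unreachable",
    3: "Port unreachable", 4: "Fragmentation needed and DF bit set", 5: "Source route failed",
    6: "Destination network unknown", 7: "Destination host unknown", 8: "Source host isolated",
    9: "Communication with destination network is administratively prohibited",
    10: "Communication with destination host is administratively prohibited",
    11: "Destination network unreachable for TOS", 12: "Destination host unreachable for TOS",
}


def icmp_port(icmp_type, icmp_code):
    """The value NetFlow reports as DstP for an ICMP flow (type 8, code 0 -> 0x0800)."""
    return (icmp_type << 8) | icmp_code


def decode_icmp_port(port):
    """Inverse of icmp_port(): split the reported DstP back into (type, code)."""
    return port >> 8, port & 0xFF


def describe(port):
    """Human-readable name for the ICMP message encoded in a DstP value."""
    t, c = decode_icmp_port(port)
    name = ICMP_TYPES.get(t, f"type {t}")
    if t == 3:
        name += " / " + UNREACHABLE_CODES.get(c, f"code {c}")
    elif c:
        name += f" / code {c}"
    return name


# Constructed rows in the column order used on the slides:
# (SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts)
SAMPLE_ROWS = [
    ("Fa1/0", "192.0.2.10",   "Local", "198.51.100.1", 0x01, 0x0000, 0x0800, 4),
    ("Fa1/0", "198.51.100.1", "Fa1/0", "192.0.2.10",   0x01, 0x0000, 0x0000, 4),
    ("Fa1/0", "192.0.2.33",   "Local", "198.51.100.1", 0x01, 0x0000, 0x0303, 57),
    ("Fa1/0", "192.0.2.33",   "Local", "198.51.100.1", 0x01, 0x0000, 0x0301, 12),
    ("Fa1/0", "192.0.2.9",    "Se0/0", "203.0.113.4",  0x06, 0x1F90, 0x0050, 120),
]


def icmp_summary(rows):
    """Packets per ICMP message across all ICMP flows (Pr == 01); other protocols are ignored,
    because for them DstP really is a transport port."""
    counts = Counter()
    for _src_if, _src, _dst_if, _dst, proto, _sport, dport, pkts in rows:
        if proto == 1:
            counts[describe(dport)] += pkts
    return counts
```

Only rows with protocol 1 are decoded; applying the split to a TCP or UDP row would turn an ordinary port number into a meaningless type/code pair.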

Source MAC Address
[diagram: Router A, Router B, Router C and Router D; DoS attack arriving from the Internet; NetFlow; email server; Host A, Host B, Host C]
Report the MAC address for Ethernet, FastEthernet and GigEthernet

Internet Exchange Point
Internet Exchange Points (IXP) require the accounting per MAC address
[diagram: IXP connecting ISP 1 to ISP 5, incoming and outgoing traffic]
NetFlow solution is more granular than the "IP accounting MAC address" feature

NetFlow MIB and Top Talkers
The flows that are generating the heaviest traffic are known as the "top talkers"
Allows flows to be sorted by either of the following criteria:
By the total number of packets in each top talker
By the total number of bytes in each top talker
Snapshot of the cache by polling MIB

NetFlow MIB and Top Talkers (Cont.)
Match criteria for the top talkers: specific flow field values, which work like a filter
A new separate cache
Similar output to the show ip cache flow or show ip cache verbose flow command
Generated "on demand"
Frozen for the "cache-timeout" value
Introduced in Releases 12.2(25)S and 12.3(11)T on the low-end routers

Applications
Needed when export is not practical: troubleshooting and fast analysis
Security: list of top talkers to see if traffic patterns consistent with a Denial of Service (DoS) attack are present in your network
Traffic analysis: the top talkers whose destination IP address is my web server
Capacity planning: the top talkers whose destination is the BGP AS X

NetFlow Top Talkers Example
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 10
R3# show ip flow top-talkers
SrcIf  SrcIPaddress  DstIf  DstIPaddress  Pr  SrcP  DstP  Pkts
[seven rows: flows from 172.16.10.x on Et1/0 to 172.16.1.8x on Et0/0, protocol 06; port and packet values did not survive extraction]
7 of 10 top talkers shown. 7 flows processed.

Example 1
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 50
Router(config-flow-top-talkers)# sort-by packets | bytes
Router(config-flow-top-talkers)# cache-timeout 2000
Router# show ip flow top-talkers verbose
SrcIf  SrcIPaddress  DstIf  DstIPaddress  Pr  TOS  Flgs  Pkts
Port Msk AS  Port Msk AS  NextHop  B/Pk  Active
IP  ?Pkts  ?Bytes
Fa1/0  10.48.1.9   Local  10.48.1.9    01  C0  10  56
0000 /24 0   0303 /24 0   0.0.0.0      56    1.0
ICMP type: 3  ICMP code: 3
Se0/0  192.1.1.9   Se0/3  192.1.1.110  01  00  00  1
0000 /30 0   0000 /30 0   192.1.1.108  1436  2.8
ICMP type: 0  ICMP code: 0

Example 2
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 50
Router(config-flow-top-talkers)# sort-by packets
Router(config-flow-top-talkers)# cache-timeout 2000
Router(config-flow-top-talkers)# match source address 192.1.1.9/32
Router(config-flow-top-talkers)# match destination address 192.1.1.110/32
Router# show ip flow top-talkers verbose
SrcIf  SrcIPaddress  DstIf  DstIPaddress  Pr  TOS  Flgs  Pkts
Port Msk AS  Port Msk AS  NextHop  B/Pk  Active
Se0/0  192.1.1.9   Se0/3  192.1.1.110  01  00  00  1
0000 /30 0   0000 /30 0   192.1.1.108  1436  2.8
ICMP type: 0  ICMP code: 0

Example 2 (Cont.)
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 50
Router(config-flow-top-talkers)# sort-by packets
Router(config-flow-top-talkers)# cache-timeout 2000
Router(config-flow-top-talkers)# match source address 192.1.1.9/32
Router(config-flow-top-talkers)# match destination address 192.1.1.110/32
match syntax:
match {{source | destination | nexthop} address [ip-address [mask | /nn]] | {source | destination} port [port-number | min port | max port | min port max port] | {source | destination} as [as-number] | {input-interface | output-interface} interface | tos [tos tos-value | dscp dscp-value | precedence precedence-value] | protocol [protocol-number | tcp | udp] | flow-sampler flow-sampler-name | class-map class | {packet-range | byte-range} [[min-range-number max-range-number] | min minimum-range | max maximum-range | min minimum-range max maximum-range]}

NetFlow MIB and Top Talkers
The top talkers can be configured via SNMP with the CISCO-NETFLOW-MIB
The top talkers can be retrieved via the MIB cnfTopFlowsTable
Not a good trending tool unless we compare all the flow key values: cnfTopFlowsIndex represents the top flow index but keeps no correlation with the cnfTopFlowsIndex of the previous or next polling interval

NetFlow Features

Egress NetFlow Accounting
The NetFlow Egress feature allows NetFlow accounting to be implemented for egress (outgoing) traffic on an interface or sub-interface
Locally generated traffic (traffic that is generated by the router) will not be counted
The NetFlow Egress feature captures NetFlow statistics for IP traffic only; MPLS statistics are not captured in the T train
The egress or ingress interface may be a flow key
Aggregate flows leaving the device
Post-processed NAT and TOS exported with the flow
Release 12.3(11)T, for the low-end routers
Router(config-if)# ip flow egress

Egress NetFlow Accounting
[diagram: NetFlow Ingress and NetFlow Egress on the customer-facing IP side, NetFlow Egress towards the servers over IP or MPLS]
NetFlow Egress and Ingress:
Accounting for packets exiting the network
Useful for understanding server traffic
Used for traffic matrix statistics
Release 12.3(11)T

Egress NetFlow Accounting
Router# show ip cache flow
...
SrcIf  SrcIPaddress  DstIf   DstIPaddress  Pr  SrcP  DstP  Pkts
Et0/0  10.0.0.1      Et0/0*  10.0.1.1      01  0000  0000  5
Et0/1  10.0.0.2      Et0/1   10.0.1.2      01  0000  0000  5
A flow is identified by the output interface (amongst others) by default with egress NetFlow
Router(config)# ip flow-egress input-interface
The asterisk (*) indicates an egress flow

Egress NetFlow and Top Talkers
The direction match statement added
The "direction" is a new information element
Egress value added in the template
Egress value not added for the aggregation caches
Existing ingress templates are not modified
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# match source address 192.1.1.9/32
Router(config-flow-top-talkers)# match direction ?
  egress   Match egress flows
  ingress  Match ingress flows

NetFlow Dynamic Top Talkers
Somewhat similar to the top talkers, but dynamic, done on the fly with show commands
But does not require modifications to the router config
But does not create a new cache
But not available with the MIB (obviously)
Even more useful than top talkers for security
"show ip flow top" command:
show ip flow top <N> <aggregate-field> <sort-criteria> <match-criteria>
Introduced in 12.4(4)T on the software based routers (7500 and below)

Examples
Top ten protocols currently flowing through the router
Top ten IP addresses which are sending the most packets
Top five destination addresses to which we're routing most traffic from the 10.10.10.0/24 prefix
50 VLANs that we're sending the least bytes to
Top 20 sources of 1-packet flows
Router# show ip flow top 10 aggregate protocol
Router# show ip flow top 10 aggregate source-address sorted-by packets
Router# show ip flow top 5 aggregate destination-address match source-prefix 10.10.10.0/24
Router# show ip flow top 50 aggregate destination-vlan sorted-by bytes ascending
Router# show ip flow top 50 aggregate source-address match packets 1
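To make the five commands above concrete without a router, here is an added example, not code from the Cisco deck, that emulates `show ip flow top N aggregate <field> [sorted-by packets|bytes [ascending]] [match ...]` over a constructed flow cache. The flow entries, addresses, VLAN numbers and counters are made up; the match criteria implemented are only the three the slide's examples use (source-prefix, packets, protocol).

```python
"""Added example (not from the Cisco deck): offline emulation of the
'show ip flow top' command over a constructed flow cache. FLOWS is made up."""
import ipaddress
from collections import defaultdict

# Constructed flow cache entries (not exported from any real router).
FLOWS = [
    {"src": "10.10.10.7",  "dst": "198.51.100.5", "proto": 6,  "dvlan": 10, "pkts": 4200, "bytes": 5300000},
    {"src": "10.10.10.7",  "dst": "198.51.100.6", "proto": 6,  "dvlan": 20, "pkts": 300,  "bytes": 40000},
    {"src": "10.10.10.12", "dst": "198.51.100.5", "proto": 17, "dvlan": 10, "pkts": 900,  "bytes": 180000},
    {"src": "192.0.2.44",  "dst": "198.51.100.5", "proto": 6,  "dvlan": 10, "pkts": 1,    "bytes": 40},
    {"src": "192.0.2.45",  "dst": "198.51.100.5", "proto": 6,  "dvlan": 10, "pkts": 1,    "bytes": 40},
    {"src": "192.0.2.45",  "dst": "198.51.100.9", "proto": 1,  "dvlan": 30, "pkts": 1,    "bytes": 56},
    {"src": "192.0.2.46",  "dst": "198.51.100.5", "proto": 6,  "dvlan": 10, "pkts": 1,    "bytes": 40},
]

# aggregate keyword on the CLI -> field of a flow entry
AGGREGATE_FIELDS = {"protocol": "proto", "source-address": "src",
                    "destination-address": "dst", "destination-vlan": "dvlan"}


def _matches(flow, match):
    """match is a dict of CLI match criteria, e.g. {'source-prefix': '10.10.10.0/24'}."""
    for crit, value in (match or {}).items():
        if crit == "source-prefix":
            if ipaddress.ip_address(flow["src"]) not in ipaddress.ip_network(value):
                return False
        elif crit == "packets":
            if flow["pkts"] != value:
                return False
        elif crit == "protocol":
            if flow["proto"] != value:
                return False
        else:
            raise ValueError(f"unsupported match criterion: {crit}")
    return True


def flow_top(flows, n, aggregate, sorted_by="packets", ascending=False, match=None):
    """Return up to n (key, packets, bytes, flows) tuples, aggregated on one field
    and ordered like the CLI: descending by packets unless told otherwise."""
    field = AGGREGATE_FIELDS[aggregate]
    totals = defaultdict(lambda: [0, 0, 0])   # packets, bytes, flow count
    for f in flows:
        if _matches(f, match):
            t = totals[f[field]]
            t[0] += f["pkts"]
            t[1] += f["bytes"]
            t[2] += 1
    idx = 0 if sorted_by == "packets" else 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1][idx], reverse=not ascending)
    return [(k, p, b, c) for k, (p, b, c) in ranked[:n]]


if __name__ == "__main__":
    # The slide's fifth example: sources of 1-packet flows, most flows first.
    for key, pkts, nbytes, count in flow_top(FLOWS, 50, "source-address", match={"packets": 1}):
        print(f"{key:<14} {count} one-packet flows, {nbytes} bytes")
```

The last query is the security-relevant one on the slide: aggregating single-packet flows by source address ranks hosts by how many one-packet flows they originate, which is the view the earlier DoS slides were looking for in the raw cache.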

NetFlow and IPv6
Monitors the IPv6 traffic
Based on NetFlow Version 9
For both ingress and egress traffic
Non sampled
No data export over IPv6: still IPv4
NetFlow L2 and security monitoring available for IPv6: ICMP, IP Identification, mac-addresses, packet-length, TTL, vlan-id
Release 12.3(7)T, low end devices

NetFlow and IPv6
Router# show ipv6 flow cache
...
SrcAddress  InpIf  DstAddress  OutIf  Prot  SrcPrt  DstPrt  Pkts
[six IPv6 flow rows; addresses and counters did not survive extraction]
Exactly the same commands as IPv4 for configuration and monitoring, except that "ip" is replaced by "ipv6"
New NetFlow Version 9 information elements

NetFlow Input Filters: Example
[diagram: packets are classified before the NetFlow cache]
VOIP: 1:1 sampling, tight filter for traffic of high importance
VPN: 1:100 sampling, moderately-tight filter for traffic of medium importance
Best Effort: 1:1000 sampling, default wide open filter for traffic of low importance

Sub and Virtual Interface Tracking

Sub and Virtual Interface Tracking
The following interfaces are tracked:
Frame relay sub-interfaces
ATM sub-interfaces
Inter-Switch Link (ISL) sub-interfaces
802.1q sub-interfaces
Multilink PPP interfaces
NetFlow White papers: http://www.cisco.com/en/US/products/ps6601/prod_white_papers_list.html

Sub and Virtual Interface Tracking (Cont.)
The following interfaces are tracked:
Generic Routing Encapsulation (GRE) tunnel interfaces
Layer 2 Tunneling Protocol (L2TP) VPDN-group interfaces
MPLS-VPN interfaces
Tunnel hopping: packet arrived on one tunnel interface of a router and was routed to a different tunnel interface on the same router

NetFlow Enabled Interfaces
Router# show ip flow interface
Serial0/0
  ip route-cache flow
Serial0/0.1
  ip flow egress
Serial0/3
  ip route-cache flow
FastEthernet1/0
  ip flow ingress
  flow-sampler benoit egress
Introduced in Release 12.3(7)T for low-end devices

NetFlow VRF Export
Allow the export of flow records within a VRF
Valid for both SCTP and UDP export
Introduced in 12.4(4)T on the software based routers (7500 and below)
Router(config)# ip flow-export destination 10.10.10.10 9999 vrf benoit sctp|udp
Router(config-flow-cache)# export destination 10.10.10.10 9999 vrf benoit sctp|udp

Autonomous System: Peer and Origin AS
[diagram: AS 101, AS 102, AS 103, AS 104, AS 105 and AS 10? around the NetFlow enabled router]
Configuring Peer-AS: Source AS = AS 103, Destination AS = AS 105
Configuring Origin-AS: Source AS = AS 101, Destination AS = AS 10?
Full AS path is possible with collectors as BGP passive peer, including Cisco collector and Arbor Networks

Powerful Insight into Tunnels with NetFlow
NetFlow allows a break out of both pre and post encryption
Support for both GRE and IPSec encryption
Product literature at www.cisco.com/go/netflow
[diagram: traffic flows from a non-tunnel router through the tunnel head, tunnel midpoint and tunnel tail to a non-tunnel router]
Enable here: NetFlow accounts for both the tunnel and post-tunnel flows
NetFlow accounts for packets prior to IPsec tunnel
NetFlow totals tunnel packets into one flow

NetFlow Reliable Export with SCTP
SCTP Introduction
UDP: lack of security, congestion awareness, and reliability

NetFlow Reliable Export with SCTP
SCTP-PR support for NetFlow version 5, 8, 9 (options) templates sent reliably
Two primary SCTP export destinations (collectors) and two backup SCTP export destinations
For each cache: either main cache or aggregation cache(s)
Backup:
Fail-over mode: open the backup connection when the primary fails
Redundant mode: open the backup connection in advance, and already send the templates
Note that the backup inherits the reliability level from the primary
12.4(4)T on the software based routers (7500 and below)
NetFlow collector SCTP support in version 6.0

Reliable Export with SCTP: Example
[diagram]
Main Cache, Security/Monitoring: SCTP partially reliable; SCTP backup in fail-over mode
Destination-Prefix Aggregation, Billing: SCTP reliable; SCTP backup in redundant mode

Reliable Export with SCTP: Example Configuration
Router(config)# ip flow-export destination 10.10.10.10 9999 sctp
Router(config-flow-export-sctp)# reliability partial buffer-limit 100
Router(config-flow-export-sctp)# backup destination 11.11.11.11 9999
Router(config-flow-export-sctp)# backup fail-over 1000
Router(config-flow-export-sctp)# backup mode fail-over
Router(config)# ip flow-aggregation cache destination-prefix
Router(config-flow-cache)# export destination 12.12.12.12 9999 sctp
Router(config-flow-export-sctp)# backup destination 13.13.13.13 9999
Router(config-flow-export-sctp)# backup mode redundant
Router(config-flow-export-sctp)# backup restore-time 1
Router(config-flow-export-sctp)# exit
Router(config-flow-cache)# enabled

Reliable Export with SCTP: Show Command
Router# show ip flow export sctp verbose
IPv4 main cache exporting to 10.10.10.10, port 9999, partial
status: connected
backup mode: fail-over
104 flows exported in 84 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 1000 milli-seconds
restore time: 5 seconds
backup: 11.11.11.11, port 9999
  status: not connected
  fail-overs: 0
  0 flows exported in 0 sctp messages.
  0 packets dropped due to lack of SCTP resources
destination-prefix cache exporting to 12.12.12.12, port 9999, full
status: connected
backup mode: redundant
5 flows exported in 4 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 5 milli-seconds
restore time: 1 seconds
backup: 13.13.13.13, port 9999
  status: connected
  fail-overs: 0
  0 flows exported in 0 sctp messages.
  0 packets dropped due to lack of SCTP resources

NetFlow for Capacity Planning

What Is the Traffic Matrix?
From \ to  R1  R2  R3  R4
R1          0   5   5   0
R2          0   0   5   0
R3          0   0   0   0
R4          0   0   0   0
[diagram: R1, R2, R3, R4 with link loads (r1-r2)=15, (r1-r3)=5, (r2-r3)=5, (r3-r4)=10]

The Core Traffic Matrix: Traffic Engineering and Capacity Planning
                    Rome Exit Point  Paris Exit Point  London Exit Point  Munich Exit Point
Rome Entry Point    NA (*)           X Mb/s            X Mb/s             X Mb/s
Paris Entry Point   X Mb/s           NA (*)            X Mb/s             X Mb/s
London Entry Point  X Mb/s           X Mb/s            NA (*)             X Mb/s
Munich Entry Point  X Mb/s           X Mb/s            X Mb/s             NA (*)
(*) Potentially local exchange traffic
[diagram: Rome, Paris, London and Munich POPs; ISP-1 and ISP-2; source and destination; best effort traffic and business critical traffic; destination SLA]

Core Capacity Planning: The Big Picture
1. The ability to offer SLAs is dependent upon ensuring that core network bandwidth is adequately provisioned
2. Adequate provisioning (without gross over-provisioning) is dependent upon accurate core capacity planning
3. Accurate core capacity planning is dependent upon understanding the core traffic matrix and flows and mapping these to the underlying topology
4. A tool for "what if" scenarios

We Need the Core Traffic Matrix
[diagram: two PoPs with customers, Server Farm 1 and Server Farm 2, peering with AS1, AS2, AS3, AS4 and AS5]
*PoP to PoP: Access Router or Core Router

NetFlow BGP Next Hop TOS Aggregation
Lets you measure network traffic on a per BGP next hop basis, per TOS
Lets you track which service provider the traffic is going through (exit point)
Configure on ingress interface
Leverages the new NetFlow version 9 export format
Support with sampled and non-sampled NetFlow
12.0(26)S, 12.2(18)S and 12.3 on the software based routers (7500 and below)
12.0(27)S for the 12000

BGP Next Hop TOS Aggregation: Typical Example
[diagram: PEs in two PoPs around an MPLS core or an IP core with BGP routes only; customers, Server Farm 1 and Server Farm 2; AS1 to AS5]
Internal Traffic "PoP to PoP"
External Traffic Matrix PoP to BGP AS

NetFlow BGP Next Hop TOS Aggregation: Flow Keys
Key Fields (Uniquely Identifies the Flow):
Origin AS
Destination AS
Inbound Interface
Output Interface
ToS/DSCP (*)
Next BGP Hop
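The keys above are what turns raw flows into the PoP-to-PoP matrix of the earlier capacity-planning slides: the exporting router tells you the entry PoP, the BGP next hop tells you the exit PoP, and the ToS key keeps business-critical and best-effort traffic apart. The following is an added example, not code from the Cisco deck, that performs that aggregation and builds the matrix; the flow records, routers, next hops and the mapping of next hops to PoPs are all constructed, with the PoP names taken from the deck's Rome/Paris/London/Munich example.

```python
"""Added example (not from the Cisco deck): aggregate flows on the BGP next
hop/ToS keys and turn the result into a PoP-to-PoP core traffic matrix.
FLOW_RECORDS, ROUTER_POP and NEXTHOP_POP are constructed; every value is made up."""
from collections import defaultdict

# Constructed ingress flow records, as PoP edge routers would export them.
FLOW_RECORDS = [
    {"router": "rome-pe1",   "in_if": "Gi0/1", "out_if": "Pos1/0", "origin_as": 64501, "dst_as": 64510, "tos": 0x00, "bgp_nexthop": "10.255.2.1", "bytes": 9_000_000},
    {"router": "rome-pe1",   "in_if": "Gi0/1", "out_if": "Pos1/0", "origin_as": 64501, "dst_as": 64510, "tos": 0x00, "bgp_nexthop": "10.255.2.1", "bytes": 1_000_000},
    {"router": "rome-pe1",   "in_if": "Gi0/1", "out_if": "Pos1/0", "origin_as": 64501, "dst_as": 64510, "tos": 0xB8, "bgp_nexthop": "10.255.2.1", "bytes": 1_000_000},
    {"router": "rome-pe1",   "in_if": "Gi0/2", "out_if": "Pos1/0", "origin_as": 64501, "dst_as": 64510, "tos": 0x00, "bgp_nexthop": "10.255.2.1", "bytes": 2_000_000},
    {"router": "rome-pe1",   "in_if": "Gi0/1", "out_if": "Pos1/0", "origin_as": 64501, "dst_as": 64511, "tos": 0x00, "bgp_nexthop": "10.255.3.1", "bytes": 4_000_000},
    {"router": "rome-pe1",   "in_if": "Gi0/1", "out_if": "Gi0/3",  "origin_as": 64501, "dst_as": 64501, "tos": 0x00, "bgp_nexthop": "10.255.1.1", "bytes": 700_000},
    {"router": "paris-pe1",  "in_if": "Gi0/1", "out_if": "Pos1/0", "origin_as": 64502, "dst_as": 64501, "tos": 0x00, "bgp_nexthop": "10.255.1.1", "bytes": 3_000_000},
    {"router": "munich-pe1", "in_if": "Gi0/1", "out_if": "Pos1/0", "origin_as": 64504, "dst_as": 64511, "tos": 0xB8, "bgp_nexthop": "10.255.3.1", "bytes": 500_000},
]

# Constructed topology: which PoP each exporting router and each BGP next hop belongs to.
ROUTER_POP = {"rome-pe1": "Rome", "paris-pe1": "Paris", "london-pe1": "London", "munich-pe1": "Munich"}
NEXTHOP_POP = {"10.255.1.1": "Rome", "10.255.2.1": "Paris", "10.255.3.1": "London", "10.255.4.1": "Munich"}


def aggregate_bgp_nexthop_tos(records):
    """Router-side step: sum bytes per (exporter, origin AS, destination AS, input
    interface, output interface, ToS, BGP next hop), the slide's key fields."""
    agg = defaultdict(int)
    for r in records:
        key = (r["router"], r["origin_as"], r["dst_as"], r["in_if"], r["out_if"],
               r["tos"], r["bgp_nexthop"])
        agg[key] += r["bytes"]
    return dict(agg)


def core_traffic_matrix(agg, router_pop, nexthop_pop):
    """Collector-side step: entry PoP = the exporter's PoP, exit PoP = the PoP that owns the
    BGP next hop. Traffic whose exit is its own entry PoP is the 'NA (*)' diagonal, i.e.
    potentially local exchange traffic, and is reported separately."""
    matrix = defaultdict(int)
    local = defaultdict(int)
    for (router, _oas, _das, _iif, _oif, tos, nexthop), nbytes in agg.items():
        entry, exit_ = router_pop[router], nexthop_pop[nexthop]
        if entry == exit_:
            local[entry] += nbytes
        else:
            matrix[(entry, exit_, tos)] += nbytes
    return dict(matrix), dict(local)


def pop_to_pop(matrix):
    """Collapse the per-ToS cells into the plain PoP-to-PoP matrix shown on the slides."""
    out = defaultdict(int)
    for (entry, exit_, _tos), nbytes in matrix.items():
        out[(entry, exit_)] += nbytes
    return dict(out)


def to_mbps(nbytes, interval_s):
    """Express a byte count collected over interval_s seconds in Mb/s, as the slide's table does."""
    return nbytes * 8 / interval_s / 1e6
```

Keeping ToS in the key costs nothing at aggregation time and is what lets the same export feed both the capacity-planning matrix (summed over ToS) and the per-class view needed to check that business-critical traffic actually stays within its SLA.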

MPLS Aware NetFlow: Description
Provides flow statistics per MPLS and IP packets
MPLS packets: labels information, and NetFlow v5 fields for the underlying IP packet
IP packets: regular IP NetFlow records
Leverages the new NetFlow version 9 export format
Configure on ingress interface
Supported on sampled/non-sampled NetFlow
12.0(26)S, 12.2(18)S and 12.3 on the software based routers (7500 and below)
12000: 12.0(24)S, 12.2(18)S and 12.3

MPLS Aware NetFlow: The Core Traffic Matrix
[diagram: P and PE routers of an MPLS core, CE and CPE devices, two PoPs with customers, Server Farm 1 and Server Farm 2, AS1 to AS5]
Internal Traffic "PoP to PoP"
External Traffic Matrix PoP to BGP AS: not available

Multiprotocol Label Switching (MPLS)
[diagram: traffic flow IP -> PE -> P -> PE -> IP]
Traditional NetFlow for IP to MPLS traffic
Egress MPLS NetFlow accounting for MPLS to IP traffic:
IP information only
Ideal for billing
Current availability: Releases 12.0(10)ST and 12.1(5)T
MPLS aware NetFlow (Version 9):
Exports up to three MPLS labels and IP packet information
Ideal for Traffic Engineering (TE)

MPLS Aware NetFlow: Top Label Aggregation
Key Fields (Uniquely Identifies the Flow):
Input interface (ifIndex)
The top incoming MPLS labels with experimental bits and end-of-stack bit
Additional Export Fields:
Flows
Packets
Bytes
First timestamp (SysUptime)
Last timestamp (SysUptime)
Output interface
NetFlow version five fields of the underlying IP packet (TCP flags, etc.)
Type of the top label: LDP, BGP, VPN, AToM, TE-tunnel MID-PT, unknown
The forwarding equivalence class mapping to the top label

MPLS Information Export
MPLS Label Forwarding Information Base (LFIB) export
Per label: destination prefix, owning application (TE, LDP, BGP), system uptime for label
Exports all labels periodically with timer
Collector receives LFIB from PE and MPLS aware NetFlow from core
Effectively shows PE traffic matrix
Release 12.2(28)SB: Cisco 7200, 7300, 7500 and 10000 Series Routers
Release 12.0(33)S: Cisco 12000 Series Router
Release 12.2(x)SRA: Cisco 7600 Series Router

NetFlow for Multicast
-
8/13/2019 Net Flow Tech
127/245
2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID )6
Three types of NetFlow implementations for multicast traffic:
- Traditional NetFlow
- Multicast NetFlow Ingress
- Multicast NetFlow Egress

Multicast - Traditional NetFlow
[Diagram: source 10.0.0.2 sends (S, G) = (10.0.0.2, 224.0.0.100) into Eth0; the router replicates it out Eth1, Eth2 and Eth3; NetFlow collector server at 127.0.0.1]

Traditional NetFlow configuration:

  interface Ethernet0
   ip route-cache flow
  ip flow-export version 9
  ip flow-export destination 127.0.0.1 9995

Flow record created in the NetFlow cache:
- There is only one flow per NetFlow-configured input interface
- The destination interface is marked as "Null"
- Bytes and packets are the incoming values (non-replicated)

  SrcIf  SrcIPadd  DstIf  DstIPadd     ...  Bytes  Packets  Active  Idle
  Eth0   10.0.0.2  Null   224.0.0.100  ...  (incoming, non-replicated counts)

Multicast NetFlow Ingress
Multicast NetFlow Ingress configuration (same topology: source 10.0.0.2, (S, G) = (10.0.0.2, 224.0.0.100) into Eth0, replicated out Eth1, Eth2 and Eth3, collector at 127.0.0.1):

  interface Ethernet0
   ip multicast netflow ingress
  ip flow-export version 9
  ip flow-export destination 127.0.0.1 9995

Flow record created in the NetFlow cache:
- There is only one flow per NetFlow-configured input interface
- The destination interface is marked as "Null"
- Bytes and packets are the outgoing values (replicated counts)

  SrcIf  SrcIPadd  DstIf  DstIPadd     ...  Bytes  Packets  Active  Idle
  Eth0   10.0.0.2  Null   224.0.0.100  ...  (outgoing, replicated counts)

Multicast NetFlow Egress
Multicast NetFlow Egress configuration (same topology):

  interface Ethernet1
   ip multicast netflow egress
  interface Ethernet2
   ip multicast netflow egress
  interface Ethernet3
   ip multicast netflow egress
  ip flow-export version 9
  ip flow-export destination 127.0.0.1 9995

Flow records created in the NetFlow cache:
- There is one flow per Multicast NetFlow Egress-configured output interface
- Bytes and packets are the outgoing values

  SrcIf  SrcIPadd  DstIf  DstIPadd     ...  Bytes  Packets  Active  Idle
  Eth0   10.0.0.2  Eth1   224.0.0.100  ...  (outgoing counts for Eth1)
  Eth0   10.0.0.2  Eth2   224.0.0.100  ...  (outgoing counts for Eth2)
  Eth0   10.0.0.2  Eth3   224.0.0.100  ...  (outgoing counts for Eth3)

Multicast NetFlow - RPF Failures
- A flow is blocked because it has the same key fields as another flow; however, it is arriving on the wrong physical interface
- It can be counted using Multicast NetFlow Egress if "ip multicast netflow rpf-failure" is configured globally
- Once configured, there is a new field in the NetFlow cache called "RPF Fail" that counts the flows that fail and how many times
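The four slides above show the same (S, G) stream producing different cache records depending on whether traditional NetFlow, Multicast NetFlow Ingress or Multicast NetFlow Egress is configured, plus the RPF-failure counter. The following is an added model of those rules, not code from the presentation or from IOS: the topology (Eth0 as RPF interface, Eth1 to Eth3 as the outgoing interface list), the packet sizes and the two packets that fail the RPF check are constructed so the differences can be seen side by side.

```python
"""Added example (not from the presentation): a model of what the three
multicast accounting modes put in the NetFlow cache for one (S,G) stream,
including the RPF Fail counter. Topology, stream and failures are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed topology from the slide figure: Eth0 is the RPF interface for the
# source, Eth1..Eth3 are the outgoing interface list (OIL) for the group.
RPF_IF = {"10.0.0.2": "Eth0"}
OIL = {"224.0.0.100": ["Eth1", "Eth2", "Eth3"]}

FlowKey = Tuple[str, str, str, str]   # (SrcIf, SrcIPadd, DstIf, DstIPadd)


def new_cache() -> Dict[FlowKey, Dict[str, int]]:
    return defaultdict(lambda: {"packets": 0, "bytes": 0, "rpf_fail": 0})


def account(cache: Dict[FlowKey, Dict[str, int]], mode: str, src: str, grp: str,
            in_if: str, size: int, rpf_failure_counting: bool = False) -> None:
    """Account one multicast packet of `size` bytes arriving on in_if.
    mode is 'traditional' (ip route-cache flow), 'ingress' or 'egress'
    (ip multicast netflow ingress|egress); rpf_failure_counting models the
    global 'ip multicast netflow rpf-failure' command."""
    if mode not in ("traditional", "ingress", "egress"):
        raise ValueError(mode)
    oil = OIL.get(grp, [])
    if in_if != RPF_IF.get(src):
        # RPF check failed: the packet is dropped, not replicated. Only egress mode
        # with rpf-failure counting records it, with the drop count in 'RPF Fail'.
        if mode == "egress" and rpf_failure_counting:
            rec = cache[(in_if, src, "Null", grp)]
            rec["packets"] += 1
            rec["bytes"] += size
            rec["rpf_fail"] += 1
        return
    if mode == "traditional":
        # one flow per input interface, DstIf Null, incoming (non-replicated) counts
        rec = cache[(in_if, src, "Null", grp)]
        rec["packets"] += 1
        rec["bytes"] += size
    elif mode == "ingress":
        # one flow per input interface, DstIf Null, but outgoing (replicated) counts
        rec = cache[(in_if, src, "Null", grp)]
        rec["packets"] += len(oil)
        rec["bytes"] += size * len(oil)
    else:
        # one flow per egress-enabled output interface, each with its own outgoing counts
        for out_if in oil:
            rec = cache[(in_if, src, out_if, grp)]
            rec["packets"] += 1
            rec["bytes"] += size


# Constructed stream: ten 310-byte packets arriving correctly on Eth0, then two
# copies of the same (S,G) arriving on Eth1 (wrong interface, RPF failure).
SAMPLE_PACKETS: List[Tuple[str, str, str, int]] = (
    [("10.0.0.2", "224.0.0.100", "Eth0", 310)] * 10
    + [("10.0.0.2", "224.0.0.100", "Eth1", 310)] * 2
)


def run(mode: str, rpf_failure_counting: bool = False) -> Dict[FlowKey, Dict[str, int]]:
    """Feed the constructed stream through one accounting mode and return the cache."""
    cache = new_cache()
    for src, grp, in_if, size in SAMPLE_PACKETS:
        account(cache, mode, src, grp, in_if, size, rpf_failure_counting)
    return dict(cache)


if __name__ == "__main__":
    for mode in ("traditional", "ingress", "egress"):
        print(mode, run(mode, rpf_failure_counting=True))
```

The same ten packets report 3100 bytes under traditional NetFlow and 9300 bytes under Multicast NetFlow Ingress, so any volume threshold a collector applies to multicast (for example, to spot a flooding source) has to know which mode the exporter runs; the RPF Fail record is the only place the two mis-routed packets show up at all.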

Multicast NetFlow Summary
- Supported via the NetFlow Version 9 export format
- Availability: Releases 12.2S and 12.3
  Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200, and 7500 Series Routers
  Cisco Catalyst 6500 Series Switch, Release 12.2(18)SXF
- Performance, Ingress vs. Egress:
  Multicast NetFlow Ingress and traditional NetFlow will have similar performance numbers
  Multicast NetFlow Egress will have a performance impact proportional to the number of interfaces on which it is enabled (including the input interface)

NetFlow QoS Tracking: Quality of Service Example

DiffServ field
TOS byte, bit weights:

  DS5  DS4  DS3  DS2  DS1  DS0  ECN  ECN
  128   64   32   16    8    4    2    1

Precedence bits (three high-order bits):

  Bits               Decimal  Precedence  Function
  1 1 1 x x x x x    224      7           Network Control (link layer keepalives)
  1 1 0 x x x x x    192      6           Internetwork Control (Routing Protocols)
  1 0 1 x x x x x    160      5           CRITIC/ECP (Express Forwarding)
  1 0 0 x x x x x    128      4           Flash Override (Class 4)
  0 1 1 x x x x x     96      3           Flash (Class 3)
  0 1 0 x x x x x     64      2           Immediate (Class 2)
  0 0 1 x x x x x     32      1           Priority (Class 1)
  0 0 0 x x x x x      0      0           Routine (Best effort)

Delay, Throughput and Reliability bits:

  Bits               Decimal  Meaning
  x x x 0 x x x x      0      Delay - normal
  x x x 1 x x x x     16      Delay - low
  x x x x 0 x x x      0      Throughput - normal
  x x x x 1 x x x      8      Throughput - high
  x x x x x 0 x x      0      Reliability - normal
  x x x x x 1 x x      4      Reliability - high

Explicit Congestion Notification (ECN) bits: ECN-capable Transport (ECT) bit and Congestion Experienced (CE) bit:

  Bits               Decimal  Meaning
  x x x x x x 0 0      0      Not ECN-capable
  x x x x x x 0 1      1      Endpoints of transport protocol ECN-capable
  x x x x x x 1 0      2      Endpoints of transport protocol ECN-capable
  x x x x x x 1 1      3      Congestion experienced

Tracking TOS with NetFlow
7200-3-netflow# show ip cache verbose flow
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                   Port Msk AS   NextHop              B/Pk  Active
SR6/0         210.210.210.2   PO1/0         200.200.200.2   FF 00  10     21K
0000 /0  0                    0000 /0  0    0.0.0.0               1496   665.4
SR6/0         210.210.210.2   PO1/0         200.200.200.2   06 C0  00     21K
0000 /0  0                    0000 /0  0    0.0.0.0               1496   666.0

7200-3-netflow# show ip cache verbose flow
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                   Port Msk AS   NextHop              B/Pk  Active
Et1/1         52.52.52.1      Fd4/0         42.42.42.1      01 55  10     3748
0000 /8  50                   0000 /8  40   202.120.130.2           28    17.8
Et1/2         52.52.52.1      Fd4/0         42.42.42.1      01 CC  10     3568
0000 /8  50                   0000 /8  40   202.120.130.2           28    17.8
Et1/2         10.1.3.2        Fd4/0         42.42.42.1      01 C0  10     1124
0000 /0  0                    0000 /8  40   202.120.130.2           28    17.8
Hex  Decimal  Binary     Decoded TOS
55   85       0101 0101  Precedence 2 - Immediate (Class 2); Delay - low; Reliability - high; endpoints of transport protocol ECN-capable
C0   192      1100 0000  Precedence 6 - Internetwork Control (Routing Protocols)
CC   204      1100 1100  Precedence 6 - Internetwork Control (Routing Protocols); Throughput - high; Reliability - high
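The decoding done by hand in the table above is mechanical, and the interesting use of it is the check the slide hints at: precedence 6 and 7 belong to routing and link-control traffic, so a flow that carries them from an edge interface is either a misconfigured host or someone marking packets to get priority treatment. The following is an added example, not code from the presentation or from Cisco: it parses the first line of each two-line record from the verbose flow output, decodes the TOS byte with the bit layout of the DiffServ table, and returns the flows with control-plane precedence that entered on an interface not on a trusted list. The sample output is constructed from the three records on the slide (with the Pkts column separated from the port column), and the trusted-interface list is an assumption for the example.

```python
"""Added example (not from the presentation): decode the TOS column of
'show ip cache verbose flow' and flag control-plane precedence from untrusted
interfaces. SAMPLE_OUTPUT is constructed from the slide's figure; the column
order is assumed to be the one shown there."""
import re
from typing import Dict, Iterable, List

PRECEDENCE_NAMES = {
    7: "Network Control", 6: "Internetwork Control", 5: "CRITIC/ECP",
    4: "Flash Override", 3: "Flash", 2: "Immediate", 1: "Priority", 0: "Routine",
}
# RFC 3168 names for the two ECN bits; the slide's table calls both 1 and 2 "ECN-capable"
ECN_NAMES = {0: "Not ECN-capable", 1: "ECT(1)", 2: "ECT(0)", 3: "Congestion Experienced"}


def decode_tos(tos: int) -> Dict[str, object]:
    """Split one TOS byte: precedence (bits 7-5), D/T/R (bits 4-2), ECN (bits 1-0).
    DSCP (RFC 2474) reads the same six high-order bits as a single field."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS is one byte")
    return {
        "precedence": tos >> 5,
        "precedence_name": PRECEDENCE_NAMES[tos >> 5],
        "delay_low": bool(tos & 0x10),
        "throughput_high": bool(tos & 0x08),
        "reliability_high": bool(tos & 0x04),
        "ecn": tos & 0x03,
        "ecn_name": ECN_NAMES[tos & 0x03],
        "dscp": tos >> 2,
    }


# First line of each two-line record: SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\S+)\s+(?P<dst_if>\S+)\s+(?P<dst_ip>\S+)\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<tos>[0-9A-Fa-f]{2})\s+(?P<flags>[0-9A-Fa-f]{2})\s+(?P<pkts>\d+K?)"
)

# Constructed sample output (the three records from the slide)
SAMPLE_OUTPUT = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                   Port Msk AS   NextHop              B/Pk  Active
Et1/1         52.52.52.1      Fd4/0         42.42.42.1      01 55  10     3748
0000 /8  50                   0000 /8  40   202.120.130.2           28    17.8
Et1/2         52.52.52.1      Fd4/0         42.42.42.1      01 CC  10     3568
0000 /8  50                   0000 /8  40   202.120.130.2           28    17.8
Et1/2         10.1.3.2        Fd4/0         42.42.42.1      01 C0  10     1124
0000 /0  0                    0000 /8  40   202.120.130.2           28    17.8
"""


def parse_flows(text: str) -> List[Dict[str, object]]:
    """Return one dict per flow record; header, continuation lines and prompts
    do not match FLOW_RE (their fifth token is not two hex digits) and are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        pkts = m.group("pkts")
        row: Dict[str, object] = {
            "src_if": m.group("src_if"), "src_ip": m.group("src_ip"),
            "dst_if": m.group("dst_if"), "dst_ip": m.group("dst_ip"),
            "proto": int(m.group("proto"), 16),
            "tos": int(m.group("tos"), 16),
            "pkts": int(pkts[:-1]) * 1000 if pkts.endswith("K") else int(pkts),
        }
        row.update(decode_tos(int(m.group("tos"), 16)))
        rows.append(row)
    return rows


def untrusted_control_markings(rows: List[Dict[str, object]],
                               trusted_ifs: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Flows with precedence 6 or 7 whose input interface is not trusted to source them."""
    trusted = set(trusted_ifs)
    return [r for r in rows if int(r["precedence"]) >= 6 and r["src_if"] not in trusted]


if __name__ == "__main__":
    for r in untrusted_control_markings(parse_flows(SAMPLE_OUTPUT)):
        print(r["src_if"], r["src_ip"], hex(int(r["tos"])), r["precedence_name"], "DSCP", r["dscp"])
```

On the slide's own data, the 0xCC and 0xC0 flows from 52.52.52.1 and 10.1.3.2 on Et1/2 are the ones a collector would raise; if Et1/2 faces a router whose routing protocol traffic is expected, put it on the trusted list and the check goes quiet.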

NetFlow MIB: CISCO-NETFLOW-MIB (New)
- Managed objects to configure the following NetFlow information: flow cache, interface, export
- Managed objects to monitor the following NetFlow information: configuration information, general statistics
- Example objects available: packet size distribution, number of bytes exported per second, number of flows and UDP datagrams exported, number of templates active, etc.

CISCO-NETFLOW-MIB (Cont.)
The CISCO-NETFLOW-MIB.my is NOT:
- A replacement for the traditional method of exporting a flow cache
- A way to retrieve all the flow records
- A snapshot of the NetFlow cache at the moment
Note that CISCO-SWITC
NetFlow configuration:
- Checking the NetFlow configuration, i.e. peer-as or origin-as
Monitoring and security:
- Export statistics
- Protocol statistics
- Top flows information
Embedded Event Manager / TCL scripts:
- Thresholds with the RMON event alarm or the EVENT-MIB

NetFlow MIB: NetFlow Configuration
cnfCINetflowEnable
- Values for ingress, egress, ingress and egress, none
- Indexed by interface (ifIndex)
- Read-write MIB variable: which sub-interfaces NetFlow is enabled on
- Because the object is writable, anyone with SNMP write access to it can turn flow accounting off on an interface without touching the CLI; keep it out of any read-only community's view, restrict write access to an SNMPv3 authPriv user, and alert on changes to it

  Router(config)# interface

NetFlow MIB: Main Cache Configuration
Indexed by the cache type cnfCICacheType; cnfCICacheType = 0 means the main cache

  Router(config)# ip flow-cache entries <number>    ->  cnfCICacheEntries
  Router(config)# ip flow-cache timeout active       ->  cnfCIActiveTimeOut
  Router(config)# ip flow-cache timeout inactive     ->  cnfCIInactiveTimeOut

NetFlow MIB: Aggregation Cache Configuration
Indexed by the cache type: as many cnfCICacheType values as there are aggregation cache types: main(0), as(1), protocolPort(2), sourcePrefix(3), etc.

  Router(config)# ip flow-aggregation cache                  ->  cnfCICacheType
  Router(config-flow-cache)# mask source minimum <value>    ->  cnfCIMinSourceMask
  Router(config-flow-cache)# enabled                         ->  cnfCICacheEnable

Objects per aggregation cache: cnfCIActiveTimeOut, cnfCICacheEntries, cnfCIInactiveTimeOut, cnfCICacheType, cnfCIMinDestinationMask, cnfCICacheEnable, cnfCIMinSourceMask

NetFlow MIB: Main Cache Export Configuration
cnfEIExportInfoTable / cnfEIExportInfoEntry (INDEX cnfCICacheType):
cnfEIExportVersion, cnfEIPeerAS, cnfEIOriginAS, cnfEIBgpNextHop, cnfCICacheType, cnfEICollectorAddressType, cnfEICollectorAddress, cnfEICollectorPort, cnfEICollectorStatus

  Router(config)# ip flow-export version 9 peer-as bgp-nexthop
  Router(config)# ip flow-export destination 10.10.10.10 1234

  Router# show ip flow export
  Flow export v9 is enabled for main cache
    Exporting flows to 10.10.10.10 (1234)
    Exporting using source interface Loopback0
    Version 9 flow records: peer-as

NetFlow MIB: Aggregation Cache Export Configuration
Same principle, indexed by cnfCICacheType for the cache type

  Router(config)# ip flow-aggregation cache
  Router# sh ip flow e