net flow tech

Upload: abhishek-ghosh

Post on 04-Jun-2018


  • 8/13/2019 Net Flow Tech

    1/245

    2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID

    Cisco IOS NetFlow Technical Presentation

    Jean-Charles GRIVIAUD

    jgriviaud@cisco.com, NSSTG Product Manager
    2/245

    Agenda

    NetFlow overview including partners and applications

    NetFlow case studies

    Configuration

    Cache/Export timers

    Export versions

    Security

    Multicast

    3/245

    Agenda (Cont.)

    NetFlow MIB

    Sampled NetFlow

    NetFlow on Cisco 6500, 7600 and Catalyst 4500

    Performance

    New features

    Introduction to Flexible NetFlow

    5/245

    Why Cisco IOS NetFlow? Customer Benefits

    To better understand:

    Productivity and utilization of assets in the network

    Application and network usage

    Impact of network changes and services

    NetFlow answers the who, what, when, where, and how of network traffic flows

    Detect and classify security incidents with proven threat defence

    Improve network usage and application performance

    6/245

    Principal NetFlow Applications

    Service Provider                                   | Enterprise
    Network infrastructure optimization and planning   | Internet access monitoring
    Peering arrangements                               | User monitoring and profiling
    Traffic engineering                                | Application monitoring
    Accounting and billing                             | Billing for departments
    Security monitoring and incident (DDoS) detection  | Security monitoring and incident (DDoS) detection

    Data at ANY granularity to understand network use: who, what, where, when and how.

    7/245

    Flow Is Defined By Seven Unique Keys

    Traffic arriving at the device is classified by seven key fields:

    • Input interface
    • ToS byte (DSCP)
    • Layer 3 protocol
    • Destination port
    • Source port
    • Destination IP address
    • Source IP address

    Flow creation (diagram): each packet is inspected and a flow is created from the packet attributes in the NetFlow cache; the cache holds the flow information (addresses, ports, packets, bytes/packet). Export packets carry the flows from the NetFlow cache to reporting.

    8/245

    Features and Services: NetFlow Processing Order

    Pre-processing: packet sampling; filtering

    Flow creation: IP; Multicast; MPLS

    Post-processing: aggregation schemes; non-key fields lookup; export

    9/245

    NetFlow Cache Example: create and update flows in the NetFlow cache

    Cache columns: SrcIf, SrcIPadd, DstIf, DstIPadd, Protocol, TOS, Flgs, Pkts, SrcPort, SrcMsk, Src AS, DstPort, DstMsk, Dst AS, Next hop

    10/245

    Ingress NetFlow Switching Path (diagram; the recoverable steps in order)

    1. Input: packet buffer; input interface feature check (ACL, Policy, WCCP, NAT input).
    2. FAST FLOW: switching vector and flow lookup in the NetFlow cache; sampling (1 out of N) yes/no decides whether a new flow is created.
    3. CEF FLOW: add input flow fields (Src AS); FIB route lookup; add output flow fields (Dest AS, next hop, BGP next hop).
    4. Output interface feature check (QoS, CAR, Crypto, NAT output); output interface update (output/input bytes, input packets); packets leave.

    Applies to Cisco Series Routers (the router model numbers are not legible in the scan).

    11/245

    Comprehensive Hardware Support (diagram)

    Platform families from access through enterprise aggregation/edge to core, with the software release for each tier: Cisco IOS Software Releases T train (enterprise, aggregation/edge), Cisco IOS Software S release (core), and IOS-XR on the CRS-1 ASIC platform. The individual router and Catalyst switch model numbers on the diagram are not legible in the scan.

    12/245

    Cisco Applications and Partners

    Billing, Denial of Service, Traffic Analysis

    CS-MARS, NetFlow Collector, and partner products

    More info: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/commercial/
    13/245

    NetFlow Open Source Tools

    Product Name    | Primary Use              | Comment                                         | OS
    Cflowd          | Traffic Analysis         | No longer supported                             | UNIX
    Flow-tools      | Collector Device         | Scalable                                        | UNIX
    Flowd           | Collector Device         | Supports v9                                     | BSD, Linux
    FlowScan        | Reporting for Flow-tools |                                                 | UNIX
    IPFlow          | Traffic Analysis         | Supports v9, IPv4, IPv6, MPLS, SCTP, etc.       | Linux, FreeBSD, Solaris
    NetFlow Guide   | Reporting Tools          |                                                 | BSD, Linux
    NetFlow Monitor | Traffic Analysis         | Supports v9                                     | UNIX
    Netmet          | Collector Device         | v5, supports v9                                 | Linux
    NTOP            | Security Monitoring      |                                                 | UNIX
    Stager          | Reporting for Flow-tools |                                                 | UNIX
    Nfdump/nfsen    | Traffic Analysis         | Supports v5 and v9                              | UNIX

    Different costs, implementation and customization

    14/245

    Making Sense of Your Network Traffic

    NetQoS products

    15/245

    NetFlow Uses (diagram)

    Applications: attack mitigation; user (IP) monitoring; application monitoring; billing; chargeback; AS peer monitoring; traffic engineering; traffic analysis

    Network layer: Access, Distribution, Core

    NetFlow features: aggregation schemes (v8); "show ip cache flow" command; Arbor Networks; NetFlow MPLS egress accounting; BGP next-hop (v9); Multicast NetFlow (v9); MPLS aware NetFlow (v9); Sampled NetFlow

    16/245

    NetFlow Case Studies

    17/245

    Cisco IT Challenge: No Application Flow Information

    Cisco Systems relied almost exclusively on Simple Network Management Protocol (SNMP) to monitor Internet bandwidth.

    Although SNMP facilitates capacity planning, it does little to characterize traffic applications, which is essential for understanding how well the network supports the business.

    Cisco needed a more granular understanding of how Cisco bandwidth was being used.

    Port flow was monitored, but many newer applications dynamically select new ports for each use.

    18/245

    Cisco IT Case Study Results

    Security Monitoring for Internet Gateways: Cisco IT detects worms and DDoS attacks with NetFlow.

    Detection of Unauthorized WAN Traffic: Cisco has avoided costly upgrades by identifying the applications causing congestion and, if appropriate, changing the usage policy.

    Reduction in Peak WAN Traffic: Cisco IT uses NetFlow statistics to measure WAN traffic improvement from application/policy changes.

    Case studies: http://wwwin.cisco.com/ios/tech/mgmt/netflow/press/
    19/245

    Cisco IT Case Study Results (Cont.)

    Validation of QoS Parameters: By using Cisco NetFlow and NetQoS ReporterAnalyzer, IT is able to confirm that appropriate bandwidth has been allocated to each Class of Service (CoS) and that no CoS is over- or under-subscribed.

    Analysis of VPN Traffic and Teleworker Behavior: Cisco IT can easily identify teleworker traffic because it all travels over identifiable tunnels; this type of traffic analysis facilitates capacity planning for Internet access, and understanding of home worker behavior.

    Case studies: http://wwwin.cisco.com/ios/tech/mgmt/netflow/press/

    20/245

    Cisco IOS NetFlow: Other Case Studies

    Customer Challenge | Description | Problem Situation | NetFlow Resolution

    Security | Detect SQL Slammer on day [digit not legible] | Detrimental incapacity of servers | NetFlow day-zero anomaly detection

    Traffic analysis | Bandwidth hog | Sluggish network performance; single user application monopolizing network | Cost savings in labor costs (amount not legible)

    Traffic analysis | Full circuit | Circuit 100% utilized | Quickly tracked problem and saved 300 hours plus labor costs (amount not legible)

    Capacity planning | Slow network performance | More servers and bandwidth added; users still complained; rented RMON probes, didn't work | Cost savings in probe costs (amount not legible)

    Capacity planning | Poor network performance | "Low bandwidth"; "We need more bandwidth" | Tracked point of slowdown; saved circuit costs per year (amount not legible)

    21/245

    NetFlow Configuration

    22/245

    NetFlow Configuration Commands (Software Platforms)

    Configure NetFlow per interface:
      ip route-cache flow

    Set the export version, e.g. ip flow-export version 5:
      ip flow-export version [origin-as|peer-as|bgp-nexthop]

    Set the collector, e.g. ip flow-export destination <collector address> <UDP port> (the example values are not legible in the scan):
      ip flow-export destination

    Default source is the interface that will best route to the collector; it is recommended to configure and set a loopback interface:
      ip flow-export source

    23/245

    NetFlow Configuration Commands (Software Platforms)

    Sets the seconds an inactive flow will remain in the cache before expiration; 15 seconds is the default:
      ip flow-cache timeout inactive

    Sets the minutes an active flow will remain in the cache before expiration; 30 minutes is the default:
      ip flow-cache timeout active

    24/245

    NetFlow Configuration Commands (Software Platforms) (Cont.)

    Sets the maximum number of flow entries in the cache. The default varies depending on platform; normally 25% of the memory in the box is the maximum that can be allocated to the NetFlow cache:
      ip flow-cache entries

    Selects the v8 or v9 aggregation cache scheme:
      ip flow-aggregation cache

    25/245

    NetFlow Commands

    Shows NetFlow statistics:
      show ip cache [verbose] flow

    Shows NetFlow statistics for the configured aggregation scheme:
      show ip cache flow aggregation

    Shows export statistics:
      show ip flow export

    26/245

    NetFlow Commands (Cont.)

    Clears NetFlow statistics:
      clear ip cache flow

    Clears export statistics:
      clear ip flow stats

    27/245

    Show NetFlow Information: show ip cache flow

    router_A#sh ip cache flow
    (The command output in the scan is not legible. The slide annotates four parts of it: the IP packet size distribution, the IP flow switching cache statistics with the active and inactive timeouts, the per-protocol totals giving rates and duration of active flows, and the per-flow cache details: SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts.)

    28/245

    show ip cache verbose flow

    router_A#sh ip cache verbose flow
    (The command output in the scan is not legible. Compared with the non-verbose form, the slide highlights the extra columns: source mask and ISP AS, destination information, ToS byte and TCP flags, flow rate and duration.)

    29/245

    Cisco 6500 NDE Configuration: Cisco IOS Software

    SP (Supervisor):
      mls aging fast time 4 threshold 128
      mls aging normal 32
      mls flow ip interface-full
      mls nde sender version 5
      mls nde interface

    NetFlow enabled on all interfaces when configured.

    RP (MSFC):
      ...
      interface POS9/14
       description to wellington via 3/3
       mtu 2048
       ip address 42.50.31.1 255.255.255.252
       ip pim sparse-dense-mode
       encapsulation ppp
       ip route-cache flow
      ...
      ip flow-export version 5 peer-as
      ip flow-export destination 10.1.1.209 9999

    Use the "mls nde sender" command to set the NDE version on the SUP.

    Use "ip flow-export version" to set the NDE version on the RP.

    30/245

    Configuring NetFlow: Cisco IOS on 6500/Catalyst 6500

    C6500(config)# mls netflow                                  (enable NetFlow)
    C6500(config)# mls flow ip ?                                (optionally set the flow mask)
      destination                   destination flow keyword
      destination-source            destination-source flow keyword
      full                          full flow keyword
      interface-destination-source  interface-destination-source flow keyword
      interface-full                interface full flow keyword
      source                        source only flow keyword
    C6500(config)# mls nde sender version 5                     (set the NetFlow record version on the PFC)
    C6500(config)# mls nde interface                            (populate the interface field in the NDE packet)
    C6500(config)# mls aging normal 32                          (change the default aging timer)
    C6500(config)# ip flow-export destination <collector address>   (destination for PFC/MSFC exports; address not legible in the scan)
    C6500(config)# interface <interface>
    C6500(config-if)# ip route-cache flow                        (software flows: interface capture)

    31/245

    NDE Configuration: Catalyst OS and Cisco IOS Software

    CatOS (SP):
      set mls nde version 7
      set mls nde 10.1.1.209 9999
      set mls agingtime 32
      set mls agingtime fast 8 1
      set mls nde enable

    * NetFlow enabled on all interfaces when configured.

    Cisco IOS MSFC (RP):
      interface POS8/0/0
       description to wellington via 1/0
       mtu 2048
       ip address 42.50.31.1 255.255.255.252
       ip pim sparse-dense-mode
       encapsulation ppp
       ip route-cache flow
      ...
      ip flow-export version 5 peer-as
      ip flow-export destination 10.1.1.209 9999

    32/245

    Monitoring NetFlow Table Usage: Cisco IOS on 6500/Catalyst 6500 (Supervisor; model and release digits not legible)

    C6500# show mls netflow ip
    Displaying Netflow entries in Supervisor Earl
    Columns: DstIP, SrcIP, Prot:SrcPort:DstPort, Src i/f:AdjPtr, Pkts, Bytes, Age, LastSeen, Attributes (entries shown as Dynamic; values not legible in the scan)

    C6500# show process cpu
    CPU utilization for five seconds / one minute / five minutes, followed by the per-process table (PID, Runtime(ms), Invoked, uSecs, 5Sec, 1Min, 5Min, TTY, Process); the slide highlights the "NDE - IPV4" process (values not legible in the scan).

    33/245

    Monitoring NetFlow Table Usage: Cisco IOS on 6500/Catalyst 6500 (Cont.)

    C6500# show mls ip count
    Displaying Netflow entries in Supervisor Earl
    Number of shortcuts = <n>          (number of flows in the hardware cache; value not legible)

    C6500# sh mls netflow table-contention detailed
    Detailed Netflow CAM (TCAM and ICAM) Utilization
      TCAM Utilization
      ICAM Utilization
      Netflow TCAM count
      Netflow ICAM count
      Netflow Creation Failures       (failures to create flows)
      Netflow CAM aliases
    (counter values not legible in the scan)

    34/245

    NetFlow Export Versions

    35/245

    NetFlow Versions

    NetFlow Version | Comments
    1 | Original
    5 | Standard and most common
    7 | Specific to Cisco Catalyst 6500 and 7600 Series Switches; similar to Version 5, but does not include AS, interface, TCP flag and ToS information
    8 | Choice of eleven aggregation schemes; reduces resource usage
    9 | Flexible, extensible export format to enable easier support of additional fields and technologies; coming out now: MPLS, Multicast, and BGP next hop

    36/245

    Version 5 Flow Export Format

    Usage: packet count; byte count

    From/to: source IP address; destination IP address

    Input ifIndex; output ifIndex

    QoS: type of service; TCP flags; protocol

    Time of day: start sysUpTime; end sysUpTime

    Application / port utilization: source TCP/UDP port; destination TCP/UDP port

    Routing and peering: next hop address; source AS number; dest. AS number; source prefix mask; dest. prefix mask

    Version 5 is used extensively today.
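    A collector has to turn the fields listed above back into records. The parser below is an added example, not code from the slides: it decodes a NetFlow v5 datagram (24-byte header, fixed 48-byte records) with `struct`, refuses a datagram whose record count does not fit its length, and builds a constructed sample datagram to run against (addresses and AS numbers are documentation values).

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 datagram layout (network byte order): a 24-byte header followed
# by `count` fixed 48-byte flow records carrying the fields listed on the slide.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")
MAX_RECORDS = 30  # a v5 exporter never puts more than 30 records in one datagram


def parse_v5(datagram: bytes) -> dict:
    """Parse one NetFlow v5 datagram into a header dict and a list of record dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    # Trust the datagram length, not the count field: a count that does not
    # fit the payload is a malformed (or hostile) export and is rejected.
    if count > MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "nexthop": str(IPv4Address(nexthop)),
            "in_if": in_if, "out_if": out_if,
            "packets": pkts, "octets": octets,
            # sysUpTime stamps (ms) of the first and last packet of the flow
            "first": first, "last": last, "duration_ms": last - first,
            "sport": sport, "dport": dport,
            "tcp_flags": tcp_flags, "proto": proto, "tos": tos,
            "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return {
        "header": {
            "version": version, "count": count, "sys_uptime": sys_uptime,
            "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
            "flow_sequence": flow_seq, "engine_type": engine_type,
            "engine_id": engine_id,
            # top 2 bits: sampling mode, low 14 bits: sampling interval
            "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
        },
        "records": records,
    }


def build_v5(records: list, sys_uptime: int = 123000, unix_secs: int = 1150000000,
             flow_seq: int = 42) -> bytes:
    """Encode record dicts (same keys parse_v5 returns) into a v5 datagram.
    Used here only to construct test input; on a real network the router exports."""
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, flow_seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            IPv4Address(r["src"]).packed, IPv4Address(r["dst"]).packed,
            IPv4Address(r["nexthop"]).packed, r["in_if"], r["out_if"],
            r["packets"], r["octets"], r["first"], r["last"],
            r["sport"], r["dport"], r["tcp_flags"], r["proto"], r["tos"],
            r["src_as"], r["dst_as"], r["src_mask"], r["dst_mask"])
        for r in records)
    return header + body


# Constructed sample flow: documentation addresses, private AS numbers,
# a 23-second HTTP exchange with FIN/SYN/PSH/ACK seen (0x1B).
SAMPLE_RECORD = {
    "src": "192.0.2.10", "dst": "198.51.100.25", "nexthop": "203.0.113.1",
    "in_if": 1, "out_if": 2, "packets": 12, "octets": 6400,
    "first": 100000, "last": 123000, "sport": 43521, "dport": 80,
    "tcp_flags": 0x1B, "proto": 6, "tos": 0,
    "src_as": 64496, "dst_as": 64497, "src_mask": 24, "dst_mask": 24,
}


def is_malformed(datagram: bytes) -> bool:
    """True when parse_v5 rejects the datagram."""
    try:
        parse_v5(datagram)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    parsed = parse_v5(build_v5([SAMPLE_RECORD]))
    print(parsed["header"])
    for rec in parsed["records"]:
        print(rec)
```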

    37/245

    Version 7

    Version 5 should be used if supported on the supervisor and IOS release.

    Catalyst 6500 Series Switches with Sup1 use Version 7 in hybrid mode.

    Uses Multi-Layer Switching (MLS) or CEF with Cisco Catalyst 6500 Series Switches with SUP2.

    38/245

    Version 7 Flow Format

    From/to: source IP address; destination IP address

    Input ifIndex; output ifIndex

    QoS: type of service; TCP flags; protocol

    Usage: packet count; byte count

    Time of day: start sysUpTime; end sysUpTime

    Application / port utilization: source TCP/UDP port; destination TCP/UDP port

    Routing and peering: next hop address; source AS number; dest. AS number; source subnet mask; dest. subnet mask; RouterSc (router shortcut)*

    * Additional field not in Version 5

    Note: The ToS and TCP flags fields are not populated.

    39/245

    Version 8

    Router-based aggregation: enables the router to summarize NetFlow data

    Reduces NetFlow Export data volume

    Decreases NetFlow Export bandwidth requirements

    Currently 11 aggregation schemes:

    Five original schemes

    Six new schemes with the ToS byte field

    Several aggregations can be enabled simultaneously

    Note: Version 9 can be used for router-based aggregation and is recommended if the collector supports 9.

    40/245

    Version 8 Flow Format (original schemes)

    Schemes: AS; Protocol-Port; Source-Prefix; Destination-Prefix; Prefix

    Fields (each scheme keeps a subset): Source Prefix, Source Prefix Mask, Destination Prefix, Destination Prefix Mask, Source App Port, Destination App Port, Input Interface, Output Interface, IP Protocol, Source AS, Destination AS, First Timestamp, Last Timestamp, # of Flows, # of Packets, # of Bytes

    41/245

    Version 8 Flow Format (ToS schemes)

    Schemes: AS-TOS; Protocol-Port-TOS; Source-Prefix-TOS; Destination-Prefix-TOS; Prefix-TOS; Prefix-Port

    Fields (each scheme keeps a subset): Source Prefix, Source Prefix Mask, Destination Prefix, Destination Prefix Mask, Source App Port, Destination App Port, Input Interface, Output Interface, IP Protocol, Source AS, Destination AS, TOS, First Timestamp, Last Timestamp, # of Flows, # of Packets, # of Bytes

    42/245

    Version 8 Configuration

    3600-1(config)# ip flow-aggregation cache ?
      as                      AS aggregation
      as-tos                  AS-TOS aggregation
      destination-prefix      Destination Prefix aggregation
      destination-prefix-tos  Destination Prefix TOS aggregation
      prefix                  Prefix aggregation
      prefix-port             Prefix-port aggregation
      prefix-tos              Prefix-TOS aggregation
      protocol-port           Protocol and port aggregation
      protocol-port-tos       Protocol, port and TOS aggregation
      source-prefix           Source Prefix aggregation
      source-prefix-tos       Source Prefix TOS aggregation

    Note: Do not export Version 5 ("ip flow-export version 5") at the same time.

    43/245

    Extensibility and Flexibility Requirements: Phased Approach

    New requirements: build a flexible and extensible NetFlow

    Phase 1: NetFlow version 9, completed. Advantages: extensibility

    Integrate new technologies/data types quicker (MPLS, IPv6, BGP next hop, etc.)

    Integrate new aggregations quicker. Note: for now, the template definitions are fixed

    Phase 2: Flexible NetFlow, completed. Advantages: cache and export content flexibility

    User selection of flow keys; user definition of the records

    (Exporting Process / Metering Process)

    44/245

    NetFlow Version 9

    RFC 3954 "Cisco Systems NetFlow Services Export Version 9". Version 9 is an export protocol.

    No changes to the metering process.

    Version 9 is based on templates and separate flow records. Templates are composed of type and length.

    Flow records are composed of template ID and value. The template is sent regularly (configurable), because of UDP.

    Releases:
    12.0(22)S for the Cisco 7200, 7500 and 12000
    12.3(1) for the Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200 Series
    12.2(18)S for the Cisco 7200, 7300 and 7500 Series
    12.2(18)SXF: Catalyst 6500/7600 Series (IPv4, aggregation, Multicast)
    12.2(31)SB: Cisco 7300 and 10000 Series Routers
    12.2(33)SXH: Cisco 6500 Series (IPv6 aggregation)
    12.2(33)SRB: Cisco 7600 Series (IPv6 aggregation)
    IOS-XR 3.2: CRS-1, XR 12000

    45/245

    NetFlow Version 9 Export Packet (schematic)

    Template FlowSet: Template Record, Template ID 1 (specific field types and lengths); Template Record, Template ID 2 (specific field types and lengths)

    Data FlowSet, FlowSet ID 1: Data Record (field values); Data Record (field values)

    IETF IP Flow Information Export WG

    IPFIX is an effort to define the notion of a "standard IP flow", along with data encoding for IP flows.

    http://www.ietf.org/html.charters/ipfix-charter.html

    RFC 3917 "Requirements for IP Flow Information Export": gathers all IPFIX requirements for the IPFIX evaluation process

    RFC 3955 "Evaluation of Candidate Protocols for IPFIX"

    53/245

    IETF: IP Flow Information Export WG (IPFIX)

    IPFIX protocol specifications: changed in terminology but same principles as NetFlow version 9

    Improvements versus NetFlow version 9: SCTP-PR, security, variable length information element, IANA registration, etc.

    Generic streaming protocol, not flow-centric anymore

    Security: threat: confidentiality, integrity, authorization; solution: DTLS on PR-SCTP

    IPFIX information model: most NetFlow version 9 information element IDs are kept

    Proprietary information element specification

    http://www.ietf.org/html.charters/ipfix-charter.html
    54/245

    IETF: IPFIX Status

    All IPFIX drafts transmitted to the IESG (Internet engineering task force)

    IPFIX Protocol draft in the RFC-Editor queue

    IPFIX Architecture: one more correction and then RFC-editor queue

    IPFIX Information: some comments from the IESG

    IPFIX Prototype done during interop

    55/245

    IETF: Packet Sampling WG (PSAMP)

    PSAMP is an effort to specify a set of selection operations by which packets are sampled, and to describe protocols by which information on sampled packets is reported to applications.

    Sampling and filtering techniques for IP packet selection: to be compliant with PSAMP, we must implement at least one of the mechanisms; sampled NetFlow and NetFlow input filters are already implemented.

    PSAMP protocol specifications: agreed to use IPFIX for the export protocol.

    Information model for packet sampling export: extension of the IPFIX information model.

    56/245

    NetFlow Cache Aging Timers

    58/245

    Active/Inactive Timers

    Inactive time: the flow expires once no packets are seen for this time duration.

    Active time: if packets continue to be received on this flow beyond this active time setting then the flow will expire and be exported while a new flow is created. For security monitoring this timer may be set to the minimum value of one minute.

    Default values on software-based routers:

    Inactive timer 15 seconds (minimum 1 second)

    Active timer 30 minutes (minimum 1 minute)

    Cisco Catalyst 6500 Series Switch
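    The seven key fields from slide 7, the create/update behaviour of the cache from slide 9 and the two timers above fit together in a small model. The code below is an added example, not the router's implementation: a cache keyed on the seven fields, an inactive timer that exports idle flows and an active timer that cuts long-lived flows so a new entry starts, driven by a constructed packet trace with a shortened active timer so the cut is visible.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The seven key fields from the slide: packets that match on all seven
# belong to the same flow. Everything else (packet/byte counts, TCP flags,
# timestamps) is a non-key field accumulated in the cache entry.
FlowKey = Tuple[str, str, str, int, int, int, int]


def flow_key(pkt: dict) -> FlowKey:
    return (pkt["in_if"], pkt["src"], pkt["dst"], pkt["proto"],
            pkt["sport"], pkt["dport"], pkt["tos"])


@dataclass
class Flow:
    key: FlowKey
    first: float          # time of the first packet (seconds)
    last: float           # time of the most recent packet
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0    # cumulative OR of the TCP flags seen, as v5 exports it


@dataclass
class FlowCache:
    """Minimal model of the router's NetFlow cache with the two IOS timers."""
    inactive_timeout: float = 15.0         # IOS default: 15 seconds
    active_timeout: float = 30 * 60.0      # IOS default: 30 minutes
    cache: Dict[FlowKey, Flow] = field(default_factory=dict)
    exported: List[Flow] = field(default_factory=list)

    def expire(self, now: float) -> List[Flow]:
        """Move flows that hit either timer from the cache to the export list."""
        aged = [
            key for key, f in self.cache.items()
            if now - f.last >= self.inactive_timeout    # idle: no packet for N seconds
            or now - f.first >= self.active_timeout     # long-lived: export and restart
        ]
        flows = [self.cache.pop(k) for k in aged]
        self.exported.extend(flows)
        return flows

    def observe(self, pkt: dict, now: float) -> Flow:
        """Account one packet: age the cache, then create or update its flow."""
        self.expire(now)
        key = flow_key(pkt)
        flow = self.cache.get(key)
        if flow is None:                    # no entry yet: create a new flow
            flow = Flow(key=key, first=now, last=now)
            self.cache[key] = flow
        flow.packets += 1                   # existing entry: update non-key fields
        flow.octets += pkt["length"]
        flow.tcp_flags |= pkt.get("tcp_flags", 0)
        flow.last = now
        return flow


def run_demo() -> dict:
    """Constructed packet trace: a 10-packet TCP flow, one stray packet to a second
    port, then the first flow resuming after a 21 s gap and running for 70 s.
    The active timer is shortened to 60 s so its effect shows inside the trace."""
    cache = FlowCache(inactive_timeout=15.0, active_timeout=60.0)
    web = dict(in_if="Gi0/1", src="192.0.2.10", dst="198.51.100.25", proto=6,
               sport=43521, dport=80, tos=0, length=100, tcp_flags=0x18)
    tls = dict(web, sport=43522, dport=443, tcp_flags=0x02)
    timeline = [(t, web) for t in range(0, 10)]         # flow A, 1 s apart
    timeline.append((5, tls))                           # flow B, single packet
    timeline += [(t, web) for t in range(30, 101, 10)]  # flow A again, 10 s apart
    for now, pkt in sorted(timeline, key=lambda e: e[0]):
        cache.observe(pkt, now)
    return {
        # A (10 pkts) and B (1 pkt) age out on the inactive timer at t=30;
        # the resumed A (6 pkts, t=30..80) is cut by the active timer at t=90.
        "exported_packets": [f.packets for f in cache.exported],
        "active_flows": len(cache.cache),
        "active_packets": sum(f.packets for f in cache.cache.values()),
    }


if __name__ == "__main__":
    print(run_demo())
```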

    59/245

    Cisco Catalyst 6500 Series Switch: Aging Timers

    Normal aging (equivalent to inactive timer): the amount of time the system has not seen another packet for a particular flow before the flow is exported; the default is 256 seconds (32-4092 seconds).

    Long aging (equivalent to active timer): the maximum time a flow can exist in the NetFlow table before it is exported out; long lived flows with constant traffic fall into this category, for example an ftp going for many hours; the default value is 32 minutes (64-1920 seconds). For security monitoring this timer may be set to the minimum value of 64 seconds.

    Cisco Catalyst 6500 Series Switch

    60/245

    Cisco Catalyst 6500 Series Switch: Aging Timers (Cont.)

    Fast aging (Cisco Catalyst 6500 Series Switch specific): used to age out short lived flows in the NetFlow table; it takes two parameters, the number of packets and a time interval; if less than N packets are seen for a flow in X time interval the flow is exported.

    Cisco Catalyst 6500 Series Switch

    61/245

    Cisco Catalyst 6500 Series Switch: Aging Timers (Cont.)

    Within a high flow environment timers may need to be changed.

    Normal aging: reduce the normal aging timer until no misses are seen, or until you hit the minimum value for normal aging, or the CPU utilization is near your threshold. If you are still seeing misses at the minimum normal aging time, then enable Fast Aging.

    Recommendation: change the normal aging time to 32 seconds.

    If there are flow drops with normal aging set to a low value then fast aging is needed. For the fast aging time start with 32 seconds and 10 packets.

    Cisco Catalyst 6500 Series Switch

    Cisco Catalyst 6500 Series Switch: Aging Timers (Cont.)

    Fast Aging
      Enable Fast Aging, start with time=32, packets=10
      Reduce the time until misses cease, or the minimum time value is reached
      If you reach the minimum time and still see misses, then try increasing the packet count

    Stop adjusting the aging timers when the CPU level gets above what is comfortable; this is very subjective, for some customers it is 20%, for others it is 80%.
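The three aging rules above (normal/inactive, long/active and fast aging) decide how long a flow occupies the cache before it is exported. The following is an added example, not code from the presentation or from Cisco: a small Python model of a flow cache that applies exactly those three rules, run against a constructed workload (one hour-long FTP-like flow plus a burst of 100 single-packet flows, the shape a SYN flood leaves in the cache). The timer values are the Catalyst defaults quoted above (256 s, 1920 s, fast aging 32 s / 10 packets); the flow keys, sizes and timings are constructed.

```python
"""Flow-cache aging simulator (added example; all flows and timings are constructed).

Rules modelled, as described in the Catalyst 6500 aging-timer slides:
  * normal/inactive aging : no packet seen for `inactive` seconds
  * long/active aging     : flow has existed for `active` seconds (it is exported,
                            and the next packet starts a fresh flow)
  * fast aging            : fewer than `fast_packets` packets seen within the
                            first `fast_time` seconds of the flow
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Flow:
    key: tuple          # (src, dst, proto, sport, dport); constructed keys only
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    def __init__(self, inactive=256.0, active=1920.0, fast_time=None, fast_packets=None):
        self.inactive = inactive
        self.active = active
        self.fast_time = fast_time          # None disables fast aging
        self.fast_packets = fast_packets
        self.flows = {}
        self.exported = []                  # (reason, export_time, Flow)

    def expire(self, now):
        """Export every flow that one of the aging rules selects at time `now`."""
        for key, f in list(self.flows.items()):
            if now - f.last_seen >= self.inactive:
                reason = "inactive"
            elif now - f.first_seen >= self.active:
                reason = "active"
            elif (self.fast_time is not None
                  and now - f.first_seen >= self.fast_time
                  and f.packets < self.fast_packets):
                reason = "fast"
            else:
                continue
            self.exported.append((reason, now, f))
            del self.flows[key]

    def packet(self, now, key, size):
        """Account one packet; a flow that was just exported starts over."""
        self.expire(now)
        f = self.flows.get(key)
        if f is None:
            f = self.flows[key] = Flow(key, now, now)
        f.last_seen = now
        f.packets += 1
        f.octets += size


def simulate(fast_aging):
    """Constructed workload: one FTP-like flow sending a packet every second for an
    hour, plus 100 single-packet flows that all arrive at t=0."""
    cache = FlowCache(inactive=256.0, active=1920.0,
                      fast_time=32.0 if fast_aging else None,
                      fast_packets=10 if fast_aging else None)
    long_key = ("10.1.1.10", "10.2.2.20", 6, 40001, 21)
    for i in range(100):
        cache.packet(0.0, ("10.9.9.%d" % i, "10.2.2.20", 6, 50000 + i, 80), 40)
    occupancy_at_100 = None
    for t in range(0, 3601):
        cache.packet(float(t), long_key, 1400)
        if t == 100:
            occupancy_at_100 = len(cache.flows)
    cache.expire(3600.0 + cache.inactive)     # drain whatever is left at the end
    singles = {exp_t - f.first_seen for _, exp_t, f in cache.exported if f.packets == 1}
    return {
        "by_reason": dict(Counter(r for r, _, _ in cache.exported)),
        "occupancy_at_100s": occupancy_at_100,
        "single_packet_residency": singles,           # seconds the 1-packet flows sat in the cache
        "long_flow_packets": [f.packets for _, _, f in cache.exported if f.key == long_key],
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("fast aging" if mode else "normal aging only", simulate(mode))
```

With fast aging the 100 single-packet flows leave the cache after 32 s and the cache holds one flow at t=100 s; without it they sit for the full 256 s normal-aging period. The long flow is exported once by the active timer at 1920 s (with 1920 packets) and continues as a new flow, which is the behaviour the active-timer bullet describes.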

    NetFlow Security

    How to Identify a Security Attack?

    Sudden increase in overall traffic in the network

    How to Identify a Security Attack? (Cont.)

    Multiple NetFlow records with abnormal content, like one packet per flow record (ie TCP SYN flood)

    A changed mix of traffic applications, ie a sudden increase of "unknown" applications

    An increase of certain traffic types and messages, ie TCP resets or ICMP messages

    An increasing number of ACL violations

    What Does a DoS Attack Look Like?

    Router# show ip cache flow
    SrcIf  SrcIPaddress  SrcP  SrcAS  DstIf  DstIPaddress  DstP  DstAS  Pr  Pkts  B/Pk
    (nine flow entries follow on the slide; every entry has the same input interface, the same destination address, Pr 6, Pkts 1 and B/Pk 40, i.e. a single 40-byte packet per flow; the individual source addresses are not recoverable from the extraction)

    Typical DoS attacks have the same (or similar) entries
      Input interface (SrcIf)
      Destination IP (DstIPaddress)
      1 packet per flow (Pkts)
      Bytes per packet (B/Pk)

    Tracing DoS Attack with NetFlow (Cont.)

    1. To show high rate flows
       router# show ip cache flow | include (K|M)

    2. To show all flows to one destination leverage
       router# sh ip cache (verbose) flow | include <destination>

       router# sh ip cache flow | include <destination>
       SrcIf  SrcIPaddress  SrcP  SrcAS  DstIf  DstIPaddress  DstP  DstAS  Pr  Pkts  B/Pk
       (four flows to the same destination follow on the slide, each with Pr 6, Pkts 1 and B/Pk 40; the addresses are not recoverable from the extraction)
       ...

    3. To look for known attack signatures, ie if we know of an attack using UDP port 666 (

       router# show ip cache flow | include <destination>
       Se1  <source>  Et0  <destination>  00 3  0007  59
       ... (lots of more flows to the same destination)

    Tracing DoS Attack with NetFlow (Cont.)

    Enable NetFlow on relevant routers/switches

    Router# show ip cef s
    Prefix  Next

    CS-Mars Networks: Tracing Attack

    DoS Attack Example: Arbor Networks

    (figure: Service Provider A, Service Provider B and Service Provider C; a customer site with a Web server, an IDS and a Firewall; "Configure NetFlow export to Arbor DoS Collector(s)")

    1. Profile: Baseline traffic patterns in the network
    2. Monitor: Analyze traffic for anomalies
    3. Detect: Forward anomaly fingerprints to controllers
    4. Trace: Trace the attack to its source
    5. Filter: Recommends filters

    NetFlow L2 and Security Monitoring

    Targeted for security to help identify network attacks and their origin

    Layer 2 IP header fields
      Source MAC address field from frames that are received by the NetFlow router
      Destination MAC address field from frames that are transmitted by the NetFlow router
      Received VLAN ID field (802.1q and Cisco's ISL)
      Transmitted VLAN ID field (802.1q and Cisco's ISL)

    Extra layer 3 IP header fields
      Time-to-live field
      Identification field
      Packet length field
      ICMP type and code
      Fragment offset

    New

    NetFlow Layer 2 and Security Exports

    Cisco IOS 12.3(14)T: Cisco 800, 1700, 1800, 2600, 2800, 3600, 3700, 3800, 7200 and 7500 Series
      Source MAC address field from frames that are received by the NetFlow router
      Destination MAC address field from frames that are transmitted by the NetFlow router
      Received VLAN ID field (802.1q and Cisco's ISL)
      Transmitted VLAN ID field (802.1q and Cisco's ISL)
      Minimum/maximum packet length in the flow
      Minimum/maximum TTL of packets in the flow
      ICMP type and code
      IP identification field

    Cisco IOS 12.4(2)T: Cisco 800, 1800, 2800, 3800 and 7200 Series
      IfIndex to interface name mapping
      Fragment-offset information

    NetFlow L2 and Security Monitoring: L3 Packet Format

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |Version|  IHL  |Type of Service|          Total Length         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |         Identification        |Flags|      Fragment Offset    |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |  Time to Live |    Protocol   |         Header Checksum       |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                       Source Address                          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                    Destination Address                        |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                    Options                    |    Padding    |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    NetFlow L2 and Security Monitoring: Current NetFlow L3 Fields

    (the IPv4 header diagram from the previous slide, with the fields that NetFlow already reports highlighted)

    NetFlow L2 and Security Monitoring: Extra NetFlow L3 Fields

    (the same IPv4 header diagram, with the extra fields highlighted and the following call-outs)

    Very Large Packets or Attacks That Might Always Have the Same Generated Identification

    Attacks That Use Consistent Packet Size or Worms That Use Consistent Packet Size

    Flow Issued From the Same Origin

    Several Flows with the Same Fragment Offset: Same Packet Sent over and over

    NetFlow L2 and Security Monitoring

    Not flow keys, the value of the first packet of the flow
      Exception for packet length min/max
      Exception for the TTL min/max
      Fragment-offset: the first fragmented packet

    Complete the main cache, not the aggregation caches
      Info lost if an aggregation cache is used

    Currently not available with the MIB

    Router(config)# ip flow-capture icmp
    Router(config)# ip flow-capture ip-id
    Router(config)# ip flow-capture mac-addresses
    Router(config)# ip flow-capture packet-length
    Router(config)# ip flow-capture ttl
    Router(config)# ip flow-capture vlan-id
    Router(config)# ip flow-capture fragment-offset

    NetFlow L2 and Security Monitoring

    Router# show ip cache verbose flow
    ...
    SrcIf     SrcIPaddress     DstIf     DstIPaddress     Pr TOS Flgs Pkts
    Port Msk AS                Port Msk AS                NextHop    B/Pk  Active
    Et0/0.1   10. 51.138. 18   Et1/0.1   1 .16.10 .       06 80  00   65
    0015 /0  0                 0015 /0  0                 0.0.0.0    840   10.8
    MAC: (VLAN id) aaaa.bbbb.cc03 (005)  aaaa.bbbb.cc06 (006)
    Min plen 840   Max plen 840
    Min TTL  59    Max TTL  59
    IP id 0

    One Flow Entry

    NetFlow and ICMP Information

    ICMP is the protocol identifier 1

    The destination port number reported = (ICMP type * 256) + (the ICMP code)

    ICMP type = 8, ICMP code = 0
    Port = 256*8 + 0 = 2048 = 800 hexa

    Only for the routers

    Router# show ip cache flow
    SrcIf   SrcIPaddress     DstIf   DstIPaddress   Pr SrcP DstP Pkts
    Fa1/0   144. 54.1 . 09   Local   1 .1 .46.9     01 0000 0800 4
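The DoS shape described on the "What Does a DoS Attack Look Like?" slides (many one-packet flows from different sources to the same destination, filtered with `show ip cache flow | include`) and the ICMP encoding on this slide (DstP = type * 256 + code) are both easy to check in code. The following is an added example, not code from the presentation or from Cisco: a Python parser for the `show ip cache flow` row layout used above, a decoder for the ICMP type/code stored in DstP, a K/M-suffix expander for the Pkts column, and a grouping step that flags destinations receiving many single-packet flows. The sample output is constructed for this example (addresses, counts and interfaces are invented, not captured from a router).

```python
"""Triage of `show ip cache flow` output (added example; the sample output is constructed).

  1. decode the ICMP type/code that NetFlow stores in DstP (port = type*256 + code);
  2. group rows by destination and flag the DoS shape shown on the slides:
     many distinct sources, one packet per flow, same destination address/port.
"""
import re
from collections import defaultdict

# Constructed sample in the layout of `show ip cache flow` (not real router output).
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa1/0         144.254.17.209  Local         10.10.46.9      01 0000 0800  4
Et0/0         10.51.138.18    Et1/0         10.16.107.9     06 0015 0015  65
Se1/0         10.9.9.1        Et0/0         10.2.2.20       06 C001 0050  1
Se1/0         10.9.9.2        Et0/0         10.2.2.20       06 C002 0050  1
Se1/0         10.9.9.3        Et0/0         10.2.2.20       06 C003 0050  1
Se1/0         10.9.9.4        Et0/0         10.2.2.20       06 C004 0050  1
Se1/0         10.9.9.5        Et0/0         10.2.2.20       06 C005 0050  1
Se1/0         10.9.9.6        Et0/0         10.2.2.20       06 C006 0050  1
Fa1/0         10.0.0.7        Local         10.10.46.9      01 0000 0303  12
Se1/0         172.20.1.5      Et0/0         10.2.2.20       06 0B37 0050  2K
"""

# Names for the ICMP (type, code) pairs that appear in the deck.
ICMP_NAMES = {(0, 0): "echo reply", (8, 0): "echo request",
              (3, 1): "host unreachable", (3, 3): "port unreachable"}

ROW = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                 r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+[KM]?)\s*$")


def count(text):
    """The Pkts column abbreviates large counts with K/M; expand them."""
    mult = {"K": 1000, "M": 1000000}
    return int(text[:-1]) * mult[text[-1]] if text[-1] in mult else int(text)


def icmp_type_code(dstp_hex):
    """NetFlow stores ICMP type and code in DstP as type*256 + code."""
    value = int(dstp_hex, 16)
    return value >> 8, value & 0xFF


def parse(text):
    """Return one dict per flow row; header and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        src_if, src, dst_if, dst, pr, sport, dport, pkts = m.groups()
        rec = {"src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
               "proto": int(pr, 16), "sport": int(sport, 16), "dport": int(dport, 16),
               "pkts": count(pkts)}
        if rec["proto"] == 1:
            t, c = icmp_type_code(dport)
            rec["icmp"] = (t, c, ICMP_NAMES.get((t, c), "type %d code %d" % (t, c)))
        flows.append(rec)
    return flows


def dos_candidates(flows, min_sources=5, max_pkts=1):
    """Destinations that receive >= min_sources flows of at most max_pkts packets,
    each from a different source: the SYN-flood signature of the slides."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[(f["dst"], f["proto"], f["dport"])].append(f)
    out = []
    for (dst, proto, dport), group in by_dst.items():
        small = [f for f in group if f["pkts"] <= max_pkts]
        sources = {f["src"] for f in small}
        if len(sources) >= min_sources:
            out.append({"dst": dst, "proto": proto, "dport": dport, "sources": len(sources),
                        "input_ifs": sorted({f["src_if"] for f in small})})
    return out


def high_rate(flows, threshold=1000):
    """Equivalent of `| include (K|M)`: flows whose packet count reached the K/M range."""
    return [f for f in flows if f["pkts"] >= threshold]


if __name__ == "__main__":
    recs = parse(SAMPLE)
    for r in recs:
        if "icmp" in r:
            print(r["src"], "->", r["dst"], "ICMP", r["icmp"])
    print(dos_candidates(recs))
    print([(f["src"], f["pkts"]) for f in high_rate(recs)])
```

Grouping on (destination, protocol, destination port) rather than on destination alone keeps an ICMP echo burst and a TCP SYN burst to the same host as separate findings, and the `input_ifs` list reproduces the "same input interface" clue from the DoS slide, which tells the operator where upstream to look.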

    NetFlow L2 and Security Monitoring

    Router# show ip cache verbose flow
    ...
    SrcIf     SrcIPaddress     DstIf     DstIPaddress     Pr TOS Flgs Pkts
    Port Msk AS                Port Msk AS                NextHop    B/Pk  Active
    Et0/0.1   10. 51.138. 18   Et1/0.1   1 .16.10 .       01 80  00   65
    0015 /0  0                 0015 /0  0                 0.0.0.0    840   10.8
    MAC: (VLAN id) aaaa.bbbb.cc03 (005)  aaaa.bbbb.cc06 (006)
    Min plen 840   Max plen 840
    Min TTL  59    Max TTL  59
    ICMP type 0    ICMP code 0
    IP id 0

    ICMP type 0, ICMP code 0: Echo Reply

    NetFlow L2 and Security Monitoring: ICMP Type and Code

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |     Code      |          Checksum             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                             data                              |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Types
      Echo reply
      Destination unreachable
      Source quench
      Redirect
      Time exceeded
      Parameter problem
      etc.

    Codes (destination unreachable)
      1. Host unreachable
      2. Protocol unreachable
      3. Port unreachable
      4. Fragmentation needed and DF bit set
      5. Source route failed
      6. Destination network unknown
      7. Destination host unknown
      8. Source host isolated
      9. Communication with destination network is administratively prohibited
      10. Communication with destination host is administratively prohibited
      11. Destination network unreachable for TOS
      12. Destination host unreachable for TOS

    NetFlow L2 and Security Monitoring: Source MAC Address

    (figure: Router A, Router B, Router C and Router D, with NetFlow enabled, between the Internet and Host A, Host B, Host C and an Email server; a DoS attack arriving from the Internet)

    Report the MAC address for ethernet, fastethernet, and GigEthernet

    NetFlow L2 and Security Monitoring: Internet Exchange Point

    Internet Exchange Points (IXP) require the accounting per MAC address

    NetFlow solution is more granular than the "IP accounting MAC address" feature

    (figure: an IXP interconnecting ISP 1, ISP 2, ISP 3, ISP 4 and ISP 5, with incoming and outgoing traffic)

    New

    NetFlow MIB and Top Talkers

    The flows that are generating the heaviest traffic are known as the "top talkers"

    Allows flows to be sorted by either of the following criteria
      By the total number of packets in each top talker
      By the total number of bytes in each top talker

    Snapshot of the cache by polling the MIB

    New

    NetFlow MIB and Top Talkers (Cont.)

    Match criteria for the top talkers: specific flow field values
      Work like a filter

    A new separate cache

    Similar output to the show ip cache flow or show ip cache verbose flow command

    Generated "on demand"

    Frozen for the "cache-timeout" value

    Introduced in Releases 12.2(25)S and 12.3(11)T on the low-end routers

    NetFlow MIB and Top Talkers: Applications

    Needed when export is not practical
      Troubleshooting and fast analysis

    Security
      List of top talkers to see if traffic patterns consistent with a Denial of Service (DoS) attack are present in your network

    Traffic analysis
      The top talkers whose destination IP address is my web server

    Capacity planning
      The top talkers whose destination is the BGP AS X

    New

    NetFlow Top Talkers Example

    Router(config)#ip flow-top-talkers
    Router(config-flow-top-talkers)#top 10

    R3#show ip flow top-talkers
    SrcIf   SrcIPaddress   DstIf   DstIPaddress   Pr SrcP DstP Pkts
    Et1/0   172.16.10.2    Et0/0   172.16.1.8     06 0087 0087 2 00
    Et1/0   172.16.10.5    Et0/0   172.16.1.85    06 0089 0089  892
    Et1/0   172.16.10.     Et0/0   172.16.1.86    06 0 85 0 85  762
    Et1/0   172.16.10.8    Et0/0   172.16.1.86    06 00B3 00B3  2
    Et1/0   172.16.10.     Et0/0   172.16.1.8     06 0050 0050
    Et1/0   172.16.10.7    Et0/0   172.16.1.85    06 0050 0050
    7 of 10 top talkers shown. 7 flows processed.

    NetFlow Top Talkers: Example 1

    Router(config)# ip flow-top-talkers
    Router(config-flow-top-talkers)# top 50
    Router(config-flow-top-talkers)# sort-by packets | bytes
    Router(config-flow-top-talkers)# cache-timeout 2000

    Router# show ip flow top-talkers verbose
    SrcIf    SrcIPaddress   DstIf    DstIPaddress   Pr TOS Flgs Pkts
    Port Msk AS             Port Msk AS             NextHop        B/Pk  Active
    IP OPkts OBytes
    Fa1/0    10.48. 1.9     Local    10.48. 1.9     01 C0  10   56
    0000 /24 0              0303 /24 0              0.0.0.0        56    1 1.0
    ICMP type 3  ICMP code 3
    Se0/0    192.1.1.9      Se0/3    192.1.1.110    01 00  00   1
    0000 /30 0              0000 /30 0              192.1.1.108    1436   .8
    ICMP type 0  ICMP code 0

    NetFlow Top Talkers: Example 2

    Router(config)# ip flow-top-talkers
    Router(config-flow-top-talkers)# top 50
    Router(config-flow-top-talkers)# sort-by packets
    Router(config-flow-top-talkers)# cache-timeout 2000
    Router(config-flow-top-talkers)# match source address 192.1.1.9/32
    Router(config-flow-top-talkers)# match destination address 192.1.1.110/32

    Router# show ip flow top-talkers verbose
    SrcIf    SrcIPaddress   DstIf    DstIPaddress   Pr TOS Flgs Pkts
    Port Msk AS             Port Msk AS             NextHop        B/Pk  Active
    Se0/0    192.1.1.9      Se0/3    192.1.1.110    01 00  00   1
    0000 /30 0              0000 /30 0              192.1.1.108    1436   .8
    ICMP type 0  ICMP code 0

    NetFlow Top Talkers: Example 2 (match syntax)

    Router(config)# ip flow-top-talkers
    Router(config-flow-top-talkers)# top 50
    Router(config-flow-top-talkers)# sort-by packets
    Router(config-flow-top-talkers)# cache-timeout 2000
    Router(config-flow-top-talkers)# match source address 192.1.1.9/32
    Router(config-flow-top-talkers)# match destination address 192.1.1.110/32

    match {{source address | destination address | nexthop address} ip-address {mask | /nn}} | {{source port | destination port} {port-number | min port | max port | min port max port}} | {{source as | destination as} as-number} | {{input-interface | output-interface} interface} | {tos {tos-value | dscp dscp-value | precedence precedence-value}} | {protocol {protocol-number | tcp | udp}} | {flow-sampler flow-sampler-name} | {class-map class} | {packet-range | byte-range {{min-range-number max-range-number} | {min minimum-range | max maximum-range | min minimum-range max maximum-range}}}

    NetFlow MIB and Top Talkers

    The top talkers can be configured via SNMP with the CISCO-NETFLOW-MIB

    The top talkers can be retrieved via the MIB cnfTopFlowsTable

    Not a good trending tool unless we compare all the flow key values
      cnfTopFlowsIndex represents the top flow index, but this is not keeping any correlation with the cnfTopFlowsIndex of the previous or next polling interval

    NetFlow Features

    New

    Egress NetFlow Accounting

    The NetFlow Egress feature allows NetFlow accounting to be implemented for egress (outgoing) traffic on an interface or sub-interface

    Locally generated traffic (traffic that is generated by the router) will not be counted

    The NetFlow Egress feature captures NetFlow statistics for IP traffic only; MPLS statistics are not captured in the T train

    The egress or ingress interface may be a flow key

    Aggregate flows leaving the device

    Post processed NAT and TOS export with the flow

    Release 12.3(11)T, for the low-end routers

    Router(config-if)# ip flow egress

    Egress NetFlow Accounting

    (figure: NetFlow Ingress on the IP side, NetFlow Egress towards the servers over IP or MPLS; NetFlow Egress and Ingress)

    Accounting for packets exiting the network
    Useful for understanding server traffic
    Used for traffic matrix statistics

    Release 12.3(11)T

    Egress NetFlow Accounting

    Router# show ip cache flow
    ...
    SrcIf   SrcIPaddress   DstIf    DstIPaddress   Pr SrcP DstP Pkts
    Et0/0   10.0.0.1       Et0/0*   10.0.1.1       01 0000 0000 5
    Et0/1   10.0.0.        Et0/1    10.0.1.        01 0000 0000 5

    A flow is identified by the output interface (amongst others), by default with egress NetFlow

    Router(config)# ip flow-egress input-interface

    The asterisk (*) indicates an egress flow

    Egress NetFlow and Top Talkers

    The direction match statement added

    The "direction" is a new information element
      Egress value added in the template
      Egress value not added for the aggregation caches
      Existing ingress templates are not modified

    Router(config)# ip flow-top-talkers
    Router(config-flow-top-talkers)# match source address 192.1.1.9/32
    Router(config-flow-top-talkers)# match direction ?
      egress   Match egress flows
      ingress  Match ingress flows

    NetFlow Dynamic Top Talkers

    Somewhat similar to the top talkers
      But dynamic, done on the fly with show commands
      But does not require modifications to the router config
      But does not create a new cache
      But not available with the MIB, obviously

    Even more useful than top talkers for security

    "show ip flow top" command
      show ip flow top <N> <aggregate-field> <sort-criteria> <match-criteria>

    Introduced in 12.4(4)T on the software based routers (7500 and below)

    NetFlow Dynamic Top Talkers: Examples

    Top ten protocols currently flowing through the router
      Router# show ip flow top 10 aggregate protocol

    Top ten IP addresses which are sending the most packets
      Router# show ip flow top 10 aggregate source-address sorted-by packets

    Top five destination addresses to which we're routing most traffic from the 10.10.10.0/24 prefix
      Router# show ip flow top 5 aggregate destination-address match source-prefix 10.10.10.0/24

    50 VLANs that we're sending the least bytes to
      Router# show ip flow top 50 aggregate destination-vlan sorted-by bytes ascending

    Top 20 sources of 1-packet flows
      Router# show ip flow top 50 aggregate source-address match packets 1
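Both top-talker mechanisms above do the same three things: filter flows on match criteria, aggregate on a key (the full flow key for the static `ip flow-top-talkers` cache, one field for `show ip flow top N aggregate ...`), then rank by packets or bytes. The following is an added example, not code from the presentation or from Cisco IOS: a Python function with that shape, driven by constructed flow records, so the five `show ip flow top` examples above and the `sort-by`/`match` options of the static cache can be reproduced on a collector. The record format, the field names and the subset of match criteria implemented (source-prefix, destination-prefix, protocol, packets) are assumptions of this example, not the router's.

```python
"""Top-talker ranking over NetFlow records (added example; records are constructed).

Mirrors `show ip flow top N aggregate <field> sorted-by <packets|bytes> [ascending]
match <criteria>` and the static cache's `sort-by`/`match`; aggregate=None keeps
the full flow key, which is what the static top-talkers cache does.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records, as a collector might hold them after export.
FLOWS = [
    {"src": "10.10.10.5",   "dst": "192.0.2.10", "proto": 6,  "sport": 40001, "dport": 80,   "dst_vlan": 10, "pkts": 800,  "bytes": 640000},
    {"src": "10.10.10.6",   "dst": "192.0.2.10", "proto": 6,  "sport": 40002, "dport": 443,  "dst_vlan": 10, "pkts": 300,  "bytes": 360000},
    {"src": "10.10.10.7",   "dst": "192.0.2.11", "proto": 17, "sport": 5060,  "dport": 5060, "dst_vlan": 20, "pkts": 1200, "bytes": 240000},
    {"src": "10.20.0.9",    "dst": "192.0.2.10", "proto": 6,  "sport": 40003, "dport": 80,   "dst_vlan": 30, "pkts": 50,   "bytes": 4000},
    {"src": "10.20.0.9",    "dst": "192.0.2.12", "proto": 1,  "sport": 0,     "dport": 2048, "dst_vlan": 30, "pkts": 4,    "bytes": 256},
    {"src": "198.51.100.4", "dst": "192.0.2.10", "proto": 6,  "sport": 1025,  "dport": 80,   "dst_vlan": 40, "pkts": 1,    "bytes": 40},
    {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": 6,  "sport": 1026,  "dport": 80,   "dst_vlan": 40, "pkts": 1,    "bytes": 40},
    {"src": "198.51.100.5", "dst": "192.0.2.13", "proto": 6,  "sport": 1027,  "dport": 22,   "dst_vlan": 40, "pkts": 1,    "bytes": 40},
]

# CLI aggregate-field name -> record field (assumed mapping for this example)
AGGREGATE_FIELDS = {"protocol": "proto", "source-address": "src",
                    "destination-address": "dst", "destination-port": "dport",
                    "destination-vlan": "dst_vlan"}


def matches(flow, match):
    """Subset of the CLI match criteria sufficient for the examples on the slide."""
    for crit, want in match.items():
        if crit in ("source-prefix", "destination-prefix"):
            addr = flow["src" if crit == "source-prefix" else "dst"]
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(want):
                return False
        elif crit == "packets":
            if flow["pkts"] != want:
                return False
        elif crit == "protocol":
            if flow["proto"] != want:
                return False
        else:
            raise ValueError("unsupported match criterion: %s" % crit)
    return True


def top(flows, n, aggregate=None, sorted_by="packets", ascending=False, match=None):
    """Return up to n (key, pkts, bytes) tuples, ranked on sorted_by."""
    field = None if aggregate is None else AGGREGATE_FIELDS[aggregate]
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        if match and not matches(f, match):
            continue
        key = f[field] if field else (f["src"], f["dst"], f["proto"], f["sport"], f["dport"])
        totals[key][0] += f["pkts"]
        totals[key][1] += f["bytes"]
    idx = 0 if sorted_by == "packets" else 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1][idx], reverse=not ascending)
    return [(k, p, b) for k, (p, b) in ranked[:n]]


if __name__ == "__main__":
    print(top(FLOWS, 10, "protocol"))                                              # top ten protocols
    print(top(FLOWS, 10, "source-address", "packets"))                              # heaviest senders
    print(top(FLOWS, 5, "destination-address", match={"source-prefix": "10.10.10.0/24"}))
    print(top(FLOWS, 50, "destination-vlan", "bytes", ascending=True))              # VLANs sent the least bytes
    print(top(FLOWS, 50, "source-address", match={"packets": 1}))                   # sources of 1-packet flows
    print(top(FLOWS, 2, None, "bytes"))                                             # static top-talkers style
```

The last query is the security one from the slides: ranking sources of one-packet flows surfaces the scanning or flooding hosts that a byte-sorted view would bury at the bottom.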

    NetFlow and IPv6

    Monitors the IPv6 traffic
      Based on NetFlow Version 9
      For both ingress and egress traffic
      Non sampled
      No data export over IPv6; still IPv4

    NetFlow L2 and security monitoring available for IPv6
      ICMP, IP Identification, mac-addresses, packet-length, TTL, vlan-id

    Release 12.3(7)T, low end devices

    NetFlow and IPv6

    Router# show ipv6 flow cache
    ...
    SrcAddress      InpIf   DstAddress      OutIf   Prot  SrcPrt  DstPrt  Pkts
     001  400       Local    001  400  1    Et3/0   0x3A  0x0000  0x8100  5
     001  300       Local    001  300  1    Et3/0   0x3A  0x0000  0x8100  5
     001   00       Local    001   00  1    Et3/0   0x3A  0x0000  0x8100  5
     001  300  1    Et3/0    001   00       Local   0x3A  0x0000  0x8 00
     001  400  1    Et3/0    001   00       Local   0x3A  0x0000  0x8 00
     001  400  1    Et3/0    001  400       Local   0x06  0x B00  0x001   88
    (the IPv6 addresses are only partly recoverable from the extraction)

    Exactly the same commands as IPv4 for configuration and monitoring, except that "ip" is replaced by "ipv6"

    New NetFlow Version 9 information elements

    NetFlow Input Filters: Example

    (figure: packets are classified before the NetFlow Cache; classes Best Effort, VOIP and VPN; sampling rates 1:1, 1:100 and 1:1000)
      Tight Filter for Traffic of High Importance
      Moderately-Tight Filter for Traffic of Medium Importance
      Default Wide Open Filter for Traffic of Low Importance


    Sub and Virtual Interface Tracking

    The following interfaces are tracked
      Frame relay sub-interfaces
      ATM sub-interfaces
      Inter-Switch Link (ISL) sub-interfaces
      802.1q sub-interfaces
      Multilink PPP interfaces

    NetFlow White papers: http://www.cisco.com/en/US/products/ps6601/prod_white_papers_list.html

    Sub and Virtual Interface Tracking (Cont.)

    The following interfaces are tracked
      Generic Routing Encapsulation (GRE) tunnel interfaces
      Layer 2 Tunneling Protocol (L2TP) VPDN-group interfaces
      MPLS-VPN interfaces

    Tunnel hopping
      Packet arrived on one tunnel interface of a router and was routed to a different tunnel interface on the same router

    NetFlow White papers: http://www.cisco.com/en/US/products/ps6601/prod_white_papers_list.html

    NetFlow Enabled Interfaces

    Router# show ip flow interface
    Serial0/0
      ip route-cache flow
    Serial0/0.1
      ip flow egress
    Serial0/3
      ip route-cache flow
    FastEthernet1/0
      ip flow ingress
      flow-sampler benoit egress

    Introduced in Release 12.3(7)T for low-end devices

    NetFlow VRF Export

    Allow the export of flow records within a VRF
      Valid for both SCTP and UDP export

    Introduced in 12.4(4)T on the software based routers (7500 and below)

    Router(config)# ip flow-export destination 10.10.10.10 9999 vrf benoit sctp|udp
    Router(config-flow-cache)# export destination 10.10.10.10 9999 vrf benoit sctp|udp
    Autonomous System: Peer and Origin AS

    (figure: AS 101, AS 102, AS 103, AS 104, AS 105 and AS 10_ interconnected, with NetFlow enabled on one router; the last digit of one AS number is lost in the extraction)

    Configuring Peer-AS
      Source AS = AS 103
      Destination AS = AS 105

    Configuring Origin-AS
      Source AS = AS 101
      Destination AS = AS 10_

    Full AS path is possible with collectors as BGP passive peer, including Cisco collector and Arbor Networks
    Powerful Insight into Tunnels with NetFlow

    NetFlow allows a break out of both pre and post encryption
      Support for both GRE and IPSec encryption

    Product literature at www.cisco.com/go/netflow

    (figure: traffic from a non-tunnel router through the tunnel head, a tunnel midpoint and the tunnel tail to another non-tunnel router)
      Enable here: NetFlow accounts for both the tunnel and post-tunnel flows
      NetFlow accounts for packets prior to the IPsec tunnel
      NetFlow totals tunnel packets into one flow

    NetFlow Reliable Export with SCTP: SCTP Introduction

    UDP: lack of security, congestion awareness, and reliability

    NetFlow Reliable Export with SCTP

    SCTP-PR support for NetFlow version 5, 8, 9
      (Options) templates sent reliably

    Two primary SCTP export destinations (collectors) and two backup SCTP export destinations
      For each cache: either main cache or aggregation cache(s)

    Backup
      Fail-over mode: open the backup connection when the primary fails
      Redundant mode: open the backup connection in advance, and already send the templates
      Note that the backup inherits the reliability level from the primary

    12.4(4)T on the software based routers (7500 and below)

    NetFlow collector SCTP support in version 6.0

    Reliable Export with SCTP Example

    (figure: the Main Cache exports to Billing over SCTP: Reliable, with an SCTP Backup in Fail-over Mode; the Destination-Prefix Aggregation cache exports to Security/Monitoring over SCTP: Partially Reliable, with an SCTP Backup in Redundant Mode)
    Reliable Export with SCTP Example: Configuration

    Router(config)# ip flow-export destination 10.10.10.10 9999 sctp
    Router(config-flow-export-sctp)# reliability partial buffer-limit 100
    Router(config-flow-export-sctp)# backup destination 11.11.11.11 9999
    Router(config-flow-export-sctp)# backup fail-over 1000
    Router(config-flow-export-sctp)# backup mode fail-over

    Router(config)# ip flow-aggregation cache destination-prefix
    Router(config-flow-cache)# export destination 12.12.12.12 9999 sctp
    Router(config-flow-export-sctp)# backup destination 13.13.13.13 9999
    Router(config-flow-export-sctp)# backup mode redundant
    Router(config-flow-export-sctp)# backup restore-time 1
    Router(config-flow-export-sctp)# exit
    Router(config-flow-cache)# enabled

    Reliable Export with SCTP Example: Show Command

    Router# show ip flow export sctp verbose
    IPv4 main cache exporting to 10.10.10.10, port 9999, partial
    status: connected
    backup mode: fail-over
    104 flows exported in 84 sctp messages.
    0 packets dropped due to lack of SCTP resources
    fail-over time: 1000 milli-seconds
    restore time: 25 seconds
    backup: 11.11.11.11, port 9999
      status: not connected
      fail-overs: 0
      0 flows exported in 0 sctp messages.
      0 packets dropped due to lack of SCTP resources
    destination-prefix cache exporting to 12.12.12.12, port 9999, full
    status: connected
    backup mode: redundant
    5 flows exported in 4 sctp messages.
    0 packets dropped due to lack of SCTP resources
    fail-over time: 25 milli-seconds
    restore time: 1 seconds
    backup: 13.13.13.13, port 9999
      status: connected
      fail-overs: 0
      0 flows exported in 0 sctp messages.
      0 packets dropped due to lack of SCTP resources

    NetFlow for Capacity Planning

  • 8/13/2019 Net Flow Tech

    114/245

    2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID -

    hat Is the Tra88ic &atriB+

    "rom to B B2 B) B

    B 0 + + 0

    B2 0 0 + 0

    B) 0 0 0 0

    B 0 0 0 0

    R4

    R5 R3

    R0(r!-r )F!5

    (r!-r3)F5(r -r3)F5

    (r3-r4)F!&

The Core Traffic Matrix: Traffic Engineering and Capacity Planning

                    Rome Exit Point   Paris Exit Point   London Exit Point   Munich Exit Point
Rome Entry Point    N/A (*)           X Mb/s             X Mb/s              X Mb/s
Paris Entry Point   X Mb/s            N/A (*)            X Mb/s              X Mb/s
London Entry Point  X Mb/s            X Mb/s             N/A (*)             X Mb/s
Munich Entry Point  X Mb/s            X Mb/s             X Mb/s              N/A (*)

(*) Potentially Local Exchange Traffic

[Figure: Munich, Paris, London and Rome PoPs; ISP-1 and ISP-2 upstreams; source and destination; an SLA path for business-critical traffic and a best-effort path for best-effort traffic]

Core Capacity Planning: The Big Picture

1. The ability to offer SLAs is dependent upon ensuring that core network bandwidth is adequately provisioned
2. Adequate provisioning (without gross over-provisioning) is dependent upon accurate core capacity planning
3. Accurate core capacity planning is dependent upon understanding the core traffic matrix and flows and mapping these to the underlying topology
4. A tool for "what if" scenarios

We Need the Core Traffic Matrix

[Figure: two PoPs connected across the core, each with customers attached, plus Server Farm 1 and Server Farm 2 and peerings to AS1, AS2, AS3, AS4 and AS5; "PoP to PoP": Access Router or Core Router]

NetFlow BGP Next Hop TOS Aggregation

Lets you measure network traffic on a per BGP next hop basis, per TOS
Lets you track which service provider the traffic is going through (exit point)
Configure on ingress interface
Leverages the new NetFlow version 9 export format
Support with sampled and non-sampled NetFlow
12.0(26)S, 12.2(18)S and 12.3 on the software based routers (7500 and below)
12.0(27)S for the 12000

BGP Next Hop TOS Aggregation: Typical Example

[Figure: two PoPs with PE routers over an MPLS core or an IP core with BGP routes only; customers, Server Farm 1 and Server Farm 2 attached; peerings to AS1 through AS5. Internal traffic: "PoP to PoP"; external traffic matrix: PoP to BGP AS]

NetFlow BGP Next Hop TOS Aggregation: Flow Keys

Key Fields (Uniquely Identifies the Flow):
- Origin AS
- Destination AS
- Inbound Interface
- Output Interface
- ToS/DSCP (*)
- Next BGP Hop
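As an added example (not from the Cisco deck), the following Python aggregates constructed flow records on exactly these key fields and then derives the per-entry-point exit matrix that the capacity-planning slides ask for; the record layout, ifIndex values, AS numbers and addresses are all constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# The six key fields from the slide, in this order:
# (origin AS, destination AS, input ifIndex, output ifIndex, ToS, BGP next hop)
Key = Tuple[int, int, int, int, int, str]


def bgp_nexthop_tos_aggregate(records: Iterable[dict]) -> Dict[Key, dict]:
    """Collapse per-flow records into one aggregation entry per key (flows, packets, bytes summed)."""
    cache: Dict[Key, dict] = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for r in records:
        key: Key = (r["origin_as"], r["dst_as"], r["in_if"], r["out_if"], r["tos"], r["bgp_nexthop"])
        entry = cache[key]
        entry["flows"] += 1
        entry["packets"] += r["packets"]
        entry["bytes"] += r["bytes"]
    return dict(cache)


def exit_point_matrix(cache: Dict[Key, dict]) -> Dict[Tuple[int, str], int]:
    """Bytes per (input interface, BGP next hop): which exit point each entry point's traffic leaves through."""
    matrix: Dict[Tuple[int, str], int] = defaultdict(int)
    for (_, _, in_if, _, _, nexthop), entry in cache.items():
        matrix[(in_if, nexthop)] += entry["bytes"]
    return dict(matrix)


# Constructed records (hypothetical ifIndex values, private AS numbers, documentation-range addresses).
# The first two differ only in src/dst host, so they must merge into one cache entry.
SAMPLE_RECORDS: List[dict] = [
    {"src": "10.1.1.5", "dst": "192.0.2.10", "origin_as": 65001, "dst_as": 65100, "in_if": 1,
     "out_if": 3, "tos": 0x00, "bgp_nexthop": "198.51.100.1", "packets": 120, "bytes": 96000},
    {"src": "10.1.1.9", "dst": "192.0.2.77", "origin_as": 65001, "dst_as": 65100, "in_if": 1,
     "out_if": 3, "tos": 0x00, "bgp_nexthop": "198.51.100.1", "packets": 30, "bytes": 18000},
    {"src": "10.1.1.9", "dst": "203.0.113.4", "origin_as": 65001, "dst_as": 65200, "in_if": 1,
     "out_if": 4, "tos": 0xC0, "bgp_nexthop": "198.51.100.9", "packets": 10, "bytes": 1200},
]

if __name__ == "__main__":
    cache = bgp_nexthop_tos_aggregate(SAMPLE_RECORDS)
    for key, entry in sorted(cache.items()):
        print(key, entry)
    print(exit_point_matrix(cache))  # {(1, '198.51.100.1'): 114000, (1, '198.51.100.9'): 1200}
```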

MPLS Aware NetFlow: Description

Provides flow statistics per MPLS and IP packets
- MPLS packets: labels information, and NetFlow v5 fields for underlying IP packet
- IP packets: regular IP NetFlow records
Leverages the new NetFlow version 9 export format
Configure on ingress interface
Supported on sampled/non-sampled NetFlow
12.0(26)S, 12.2(18)S and 12.3 on the software based routers (7500 and below)
12000: 12.0(2?)S, 12.2(18)S and 12.3

MPLS Aware NetFlow: The Core Traffic Matrix

[Figure: MPLS core of P routers with PE routers at two PoPs; customers, CE and CPE devices, Server Farm 1 and Server Farm 2, and peerings to AS1 through AS5. Internal traffic "PoP to PoP"; external traffic matrix PoP to BGP AS: not available]

Multiprotocol Label Switching

[Figure: PE - P - PE across the MPLS core; traffic enters as IP, crosses the core as MPLS and leaves as IP. Traditional NetFlow is applied to IP-to-MPLS traffic at the ingress PE, MPLS aware NetFlow (Version 9) in the core, and Egress MPLS NetFlow accounting to MPLS-to-IP traffic at the egress PE]

- Egress MPLS NetFlow accounting: IP information only; ideal for billing. Current availability: Releases 12.0(10)ST and 12.1(5)T
- MPLS aware NetFlow (Version 9): exports up to three MPLS labels and IP packet information; ideal for Traffic Engineering (TE)

MPLS Aware NetFlow: Top Label Aggregation

Key Fields (Uniquely Identifies the Flow):
- Input interface (ifIndex)
- The top incoming MPLS labels with experimental bits and end-of-stack bit

Additional Export Fields:
- Flows
- Packets
- Bytes
- First timestamp (SysUptime)
- Last timestamp (SysUptime)
- Output interface
- NetFlow version five fields of the underlying IP packet (TCP flags, etc.)
- Type of the top label: LDP, BGP, VPN, ATOM, TE tunnel MID-PT, unknown
- The forwarding equivalent class mapping to the top label

MPLS Information Export

MPLS Label Forwarding Information Base (LFIB) export
- Per label: destination prefix, owning application (TE, LDP, BGP), system uptime for label
- Exports all labels periodically with timer
Collector receives LFIB from PE and MPLS aware NetFlow from core
- Effectively shows PE traffic matrix
Release 12.2(28)SBD: Cisco 7200, 7300, 7500 and 10000 Series Routers
Release 12.0(33)S: Cisco 12000 Series Router
Release 12.2(x)SRA: Cisco 7600 Series Router

NetFlow for Multicast

Multicast NetFlow

Three types of NetFlow implementations for Multicast traffic:
- Traditional NetFlow
- Multicast NetFlow Ingress
- Multicast NetFlow Egress

Multicast - Traditional NetFlow

Traditional NetFlow configuration:

interface Ethernet0
 ip route-cache flow
ip flow-export version 9
ip flow-export destination 127.0.0.1 9995

[Figure: the router receives (S,G) = (10.0.0.2, 224.0.0.100) on Eth0 and replicates it out Eth1, Eth2 and Eth3; the NetFlow collector server is 127.0.0.1]

Flow record created in NetFlow cache:
- There is only one flow per NetFlow configured input interface
- Destination interface is marked as "null"
- Bytes and packets are the incoming values (non replicated)

SrcIf  SrcIPadd  DstIf  DstIPadd     Protocol TOS Flgs SrcPort SrcMsk DstPort DstMsk NextHop Bytes Packets Active Idle
Eth0   10.0.0.2  Null   224.0.0.100  [remaining columns illegible]

Multicast NetFlow Ingress

Multicast NetFlow Ingress configuration:

interface Ethernet0
 ip multicast netflow ingress
ip flow-export version 9
ip flow-export destination 127.0.0.1 9995

[Figure: same topology; (S,G) = (10.0.0.2, 224.0.0.100) arrives on Eth0 and is replicated to Eth1, Eth2 and Eth3; collector 127.0.0.1]

Flow record created in NetFlow cache:
- There is only one flow per NetFlow configured input interface
- Destination interface is marked as "null"
- Bytes and packets are the outgoing values: replicated counts

SrcIf  SrcIPadd  DstIf  DstIPadd     Protocol TOS Flgs SrcPort SrcMsk DstPort DstMsk NextHop Bytes Packets Active Idle
Eth0   10.0.0.2  Null   224.0.0.100  [remaining columns illegible]

Multicast NetFlow Egress

Multicast NetFlow Egress configuration:

interface Ethernet1
 ip multicast netflow egress
interface Ethernet2
 ip multicast netflow egress
interface Ethernet3
 ip multicast netflow egress
ip flow-export version 9
ip flow-export destination 127.0.0.1 9995

[Figure: same topology; (S,G) = (10.0.0.2, 224.0.0.100) arrives on Eth0 and is replicated to Eth1, Eth2 and Eth3; collector 127.0.0.1]

Flow records created in NetFlow cache:
- There is one flow per Multicast NetFlow Egress configured output interface
- Bytes and packets are the outgoing values

SrcIf  SrcIPadd  DstIf  DstIPadd     Protocol TOS Flgs SrcPort SrcMsk DstPort DstMsk NextHop Bytes Packets Active Idle
Eth0   10.0.0.2  Eth1   224.0.0.100  [remaining columns illegible]
Eth0   10.0.0.2  Eth2   224.0.0.100  [remaining columns illegible]
Eth0   10.0.0.2  Eth3   224.0.0.100  [remaining columns illegible]

Multicast NetFlow - RPF Failures

Flow is blocked because it has the same key fields as another flow; however, it is coming from the wrong physical interface
Can be counted using Multicast NetFlow Egress if "ip multicast netflow rpf-failure" is configured globally
Once configured, there will be a new field in the NetFlow cache called "RPF Fail" to count flows that fail and how many times

Multicast NetFlow Summary

Supported via NetFlow Version 9 export format
Availability: Releases 12.2S, and 12.3
- Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200, and 7500 Series Routers
- Cisco Catalyst 6500 Series Switch, Release 12.2(18)SXF
Performance: Ingress vs. Egress
- Multicast NetFlow Ingress and traditional NetFlow will have similar performance numbers
- Multicast NetFlow Egress will have a performance impact that is proportional to the number of interfaces on which it is enabled (including the input interface)

NetFlow QoS Tracking

Quality of Service Example

DiffServ field

TOS byte:   DS5  DS4  DS3  DS2  DS1  DS0  ECN  ECN
Bit value:  128  64   32   16   8    4    2    1

Precedence bits     Decimal  Precedence  Function
1 1 1 x x x x x     224      7           Network Control (link layer keepalives)
1 1 0 x x x x x     192      6           Internetwork Control (Routing Protocols)
1 0 1 x x x x x     160      5           CRITIC/ECP (Express Forwarding)
1 0 0 x x x x x     128      4           Flash Override (Class 4)
0 1 1 x x x x x     96       3           Flash (Class 3)
0 1 0 x x x x x     64       2           Immediate (Class 2)
0 0 1 x x x x x     32       1           Priority (Class 1)
0 0 0 x x x x x     0        0           Routine (Best effort)

Delay, Throughput, and Reliability bits
Delay bit
x x x 0 x x x x     0        Delay - normal
x x x 1 x x x x     16       Delay - low
Throughput bit
x x x x 0 x x x     0        Throughput - normal
x x x x 1 x x x     8        Throughput - high
Reliability bit
x x x x x 0 x x     0        Reliability - normal
x x x x x 1 x x     4        Reliability - high

Early Congestion Notification (ECN) bits
ECN-capable Transport (ECT) bit, Congestion Experienced (CE) bit
x x x x x x 0 0     0        Not ECN-capable
x x x x x x 0 1     1        Endpoints of transport protocol ECN-capable
x x x x x x 1 0     2        Endpoints of transport protocol ECN-capable
x x x x x x 1 1     3        Congestion experienced

Tracking TOS with NetFlow

7200-3-netflow# show ip cache verbose flow
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                   Port Msk AS   NextHop              B/Pk  Active
SR6/0         210.210.210.2   PO1/0         200.200.200.2   FF 00  10      21K
0000 /0   0                   0000 /0   0   0.0.0.0              1496  665.4
SR6/0         210.210.210.2   PO1/0         200.200.200.2   06 C0  00      21K
0000 /0   0                   0000 /0   0   0.0.0.0              1496  666.0

7200-3-netflow# show ip cache verbose flow
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                   Port Msk AS   NextHop              B/Pk  Active
Et1/1         52.52.52.1      Fd4/0         42.42.42.1      01 55  10     3748
0000 /8   50                  0000 /8   40  202.120.130.2          28    17.8
Et1/2         52.52.52.1      Fd4/0         42.42.42.1      01 CC  10     3568
0000 /8   50                  0000 /8   40  202.120.130.2          28    17.8
Et1/2         10.1.3.2        Fd4/0         42.42.42.1      01 C0  10     1124
0000 /0   0                   0000 /8   40  202.120.130.2          28    17.8

Hex  Decimal  Binary
55   85       0101 0101   Precedence 2 - Immediate (Class 2), Delay - low, Reliability - high, Endpoints of transport protocol ECN-capable
C0   192      1100 0000   Precedence 6 - Internetwork Control (Routing Protocols)
CC   204      1100 1100   Precedence 6 - Internetwork Control (Routing Protocols), Throughput - high, Reliability - high
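As an added example (not part of the original deck), this Python decodes a TOS byte with the bit layout from the DiffServ table above and applies it to verbose-flow lines constructed to match the output shown; the line regex and the column spacing of the sample are assumptions.

```python
import re
from typing import Dict, List

# Names from the precedence table on the slide (bits 7..5 of the TOS byte).
PRECEDENCE_NAMES = {
    7: "Network Control", 6: "Internetwork Control", 5: "CRITIC/ECP",
    4: "Flash Override", 3: "Flash", 2: "Immediate", 1: "Priority", 0: "Routine",
}
# ECN codepoints (bits 1..0), worded as on the slide.
ECN_NAMES = {
    0: "Not ECN-capable",
    1: "Endpoints of transport protocol ECN-capable",
    2: "Endpoints of transport protocol ECN-capable",
    3: "Congestion experienced",
}


def decode_tos(tos: int) -> Dict[str, object]:
    """Split one TOS byte into precedence, D/T/R flags and the ECN codepoint."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS must be a single byte")
    precedence = tos >> 5
    return {
        "precedence": precedence,
        "precedence_name": PRECEDENCE_NAMES[precedence],
        "delay_low": bool(tos & 0x10),         # decimal 16 on the slide
        "throughput_high": bool(tos & 0x08),   # decimal 8
        "reliability_high": bool(tos & 0x04),  # decimal 4
        "ecn": tos & 0x03,
        "ecn_name": ECN_NAMES[tos & 0x03],
    }


# First line of each verbose entry: SrcIf SrcIP DstIf DstIP Pr TOS Flgs Pkts (assumed layout).
_FLOW_LINE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>[\d.]+)\s+(?P<dst_if>\S+)\s+(?P<dst_ip>[\d.]+)\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<tos>[0-9A-Fa-f]{2})\s+(?P<flags>[0-9A-Fa-f]{2})\s+(?P<pkts>\S+)$"
)


def parse_verbose_flows(output: str) -> List[dict]:
    """One dict per flow with the TOS decoded; header and Port/Msk/AS continuation lines are skipped."""
    flows = []
    for line in output.splitlines():
        m = _FLOW_LINE.match(line.strip())
        if m:
            flow = m.groupdict()
            flow["tos_decoded"] = decode_tos(int(flow["tos"], 16))
            flows.append(flow)
    return flows


# Constructed sample modelled on the slide's output (not a real capture).
SAMPLE_OUTPUT = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                   Port Msk AS   NextHop              B/Pk  Active
Et1/1         52.52.52.1      Fd4/0         42.42.42.1      01 55  10     3748
0000 /8   50                  0000 /8   40  202.120.130.2          28    17.8
Et1/2         52.52.52.1      Fd4/0         42.42.42.1      01 CC  10     3568
0000 /8   50                  0000 /8   40  202.120.130.2          28    17.8
Et1/2         10.1.3.2        Fd4/0         42.42.42.1      01 C0  10     1124
0000 /0   0                   0000 /8   40  202.120.130.2          28    17.8
"""

if __name__ == "__main__":
    for f in parse_verbose_flows(SAMPLE_OUTPUT):
        print(f["src_if"], f["src_ip"], "TOS 0x" + f["tos"], f["tos_decoded"])
```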

NetFlow MIB

CISCO-NETFLOW-MIB (New)

Managed objects to configure the following NetFlow information: flow cache, interface, export
Managed objects to monitor the following NetFlow information: configuration information, general statistics
Example objects available: packet size distribution, number of bytes exported per second, number of flows/UDP datagrams exported, number of templates active, etc.

CISCO-NETFLOW-MIB (Cont.) (New)

The CISCO-NETFLOW-MIB.my is NOT a replacement for the traditional method of exporting a flow cache
- A way to retrieve all the flow records
- Snap shot of NetFlow cache at the moment
Note that CISCO-SWITC [text cut off on the slide]

NetFlow configuration
- Checking NetFlow configuration, i.e. peer-as or origin-as
Monitoring and security
- Export statistics
- Protocol statistics
- Top flows information
Embedded event manager, TCL scripts
- Thresholds with the RMON event alarm or the EVENT-MIB

NetFlow MIB: NetFlow Configuration

cnfCINetflowEnable: values for ingress, egress, ingress & egress, none
- Indexed by interface (ifIndex)
- Read-write MIB variable: which sub-interfaces is NetFlow enabled on
Router(config)# interface

NetFlow MIB: Main Cache Configuration

Indexed by the cache type cnfCICacheType; cnfCICacheType = 0 means the main cache

Router(config)# ip flow-cache entries <number>            cnfCICacheEntries
Router(config)# ip flow-cache timeout active <minutes>    cnfCIActiveTimeOut
Router(config)# ip flow-cache timeout inactive <seconds>  cnfCIInactiveTimeOut

NetFlow MIB: Aggregation Cache Configuration

Indexed by the cache type: as many cnfCICacheType values as aggregation cache types: main(0), as(1), protocolPort(2), sourcePrefix(3), etc.

Router(config)# ip flow-aggregation cache <type>
Router(config-flow-cache)# mask source minimum <value>
Router(config-flow-cache)# enabled

MIB objects: cnfCICacheType, cnfCICacheEnable, cnfCICacheEntries, cnfCIActiveTimeOut, cnfCIInactiveTimeOut, cnfCIMinSourceMask, cnfCIMinDestinationMask

NetFlow MIB: Main Cache Export Configuration

cnfEIExportInfoTable / cnfEIExportInfoEntry
INDEX cnfCICacheType
cnfEIExportVersion, cnfEIPeerAS, cnfEIOriginAS, cnfEIBgpNextHop, cnfCICacheType, cnfEICollectorAddressType, cnfEICollectorAddress, cnfEICollectorPort, cnfEICollectorStatus

Router(config)# ip flow-export version 9 peer-as bgp-nexthop
Router(config)# ip flow-export destination 10.10.10.10 1234

Router# show ip flow export
Flow export v9 is enabled for main cache
  Exporting flows to 10.10.10.10 (1234)
  Exporting using source interface Loopback0
  Version 9 flow records: peer-as

NetFlow MIB: Aggregation Cache Export Configuration

Same principle, indexed by cnfCICacheType for the cache type
Router(config)# ip flow-aggregation cache <type>

Router# sh ip flow e