advanced netflowd2zmdbbm9feqrf.cloudfront.net/2010/usa/pdf/brknms-3132.pdfrouting and peering source...

Session BRKNMS-3132

Advanced NetFlow

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 2

The Content of This Session Is…

Not aboutA level one type of presentation Introduction to IP accounting and NetFlowMarketing slidesNetFlow collector details The ecosystem partners applications and mediationsMany platform specific details

AboutNew featuresAdvanced information And a few scenarios …

Assuming the NetFlow basics are known


Session Abstract

This advanced session presents the latest NetFlow developments: new features, NetFlow version 9, and its standardization at the IETF. The new Flexible NetFlow feature is covered in detail. Technical details of the new features are addressed with configuration examples, show commands, tricks, and best practice advice. Scenarios such as NetFlow for security, NetFlow for application visibility, and NetFlow for capacity planning are covered. The NetFlow performance impact is also discussed, as well as the support matrix of all NetFlow features.

This session is for enterprise, service provider, and NRENexperts engaged in designing, maintaining, and troubleshooting security, capacity planning, and accounting solutions. Attendees should be familiar with network management basics and should already have some understanding of NetFlow, perhaps by already having taken the introductory session.

For YourReference


Agenda

Introduction NetFlow Version 9 Interesting Features on Traditional NetFlow Flexible NetFlow NetFlow for Security NetFlow for Application Visibility NetFlow Performance NetFlow Standardization Support Matrix Appendix


Version 5 Flow Format

Application

From/to

Routing and

Peering

Source TCP/UDP port Destination TCP/UDP port

Next hop address Source AS number Dest. AS number Source prefix mask Dest. Prefix mask

Input ifIndex Output ifIndex

Packet count Byte count

Type of service TCP flags Protocol

Start sysUpTime End sysUpTime

Source IP address Destination IP address

Flow Key vs. Non-Key Field

PortUtilization

Usage

QoS

Timeof Day


NetFlow Cache Example1. Create and update flows in NetFlow cache

Srclf SrclPadd Dstlf DstlPadd Protocol TOS Flgs Pkts SrcPort

SrcMsk

SrcAS

DstPort

DstMsk

DstAS NextHop Bytes/

Pkt Active Idle

Fa1/0 173.100.21.2 Fa0/0 10.0.227.12 11 80 10 11000 00A2 /24 5 00A2 /24 15 10.0.23.2 1528 1745 4

Fa1/0 173.100.3.2 Fa0/0 10.0.227.12 6 40 0 2491 15 /26 196 15 /24 15 10.0.23.2 740 41.5 1

Fa1/0 173.100.20.2 Fa0/0 10.0.227.12 11 80 10 10000 00A1 /24 180 00A1 /24 15 10.0.23.2 1428 1145.5 3

Fa1/0 173.100.6.2 Fa0/0 10.0.227.12 6 40 0 2210 19 /30 180 19 /24 15 10.0.23.2 1040 24.5 14

3. Aggregation

5. Transport protocol(UDP, SCTP)

ExportPacket

Payload(Flows)

Hea

der

Aggregated Flows—Export Version 8 or 9

E.g., Protocol-Port Aggregation Scheme Becomes

Protocol Pkts SrcPort DstPort Bytes/Pkt

11 11000 00A2 00A2 1528

4. Export versionNon-aggregated flows—export version 5 or 9

2. Expiration

Srclf SrclPadd Dstlf DstlPadd Protocol TOS Flgs Pkts SrcPort

SrcMsk

SrcAS

DstPort

DstMsk

DstAS NextHop Bytes/

Pkt Active Idle

Fa1/0 173.100.21.2 Fa0/0 10.0.227.12 11 80 10 11000 00A2 /24 5 00A2 /24 15 10.0.23.2 1528 1800 4

Inactive timer expired (15 sec is default)Active timer expired (30 min is default)NetFlow cache is full (oldest flows are expired)RST or FIN TCP flag


NetFlow Export Version 5 and Main Cache Configuration Example

Router(config)# interface <slot/port/subinterface>

Router(config-if)# ip flow ingress

Router(config-if)# ip flow egress

Router(config)# ip flow-cache entries <number>

Router(config)# ip flow-cache timeout active <minutes>

Router(config)# ip flow-cache timeout inactive <seconds>

Router(config)# ip flow-export version 5 peer-as

Router(config)# ip flow-export destination 10.10.10.10 1234

Router(config)# ip flow-export source loopback 0


NetFlow Flow Keys on the Router

By default, the 7 flow keys are:Source IP address, destination IP address, source port, destination port, Layer 3 protocol type, TOS byte (DSCP), input interface

The 12 NetFlow aggregations allows to reduce/change the number of flow keys

Example: source prefix aggregation = source network, source interface

Can be seen as a different view of the main cache

Egress NetFlow, MPLS-aware NetFlow, etc.Will specify new flow keys

Note: on the Cisco Catalyst®, we speak of the flow maskDefine the flow keys


Flow Keys on the Cisco Catalyst 6500/7600 - The Flow Mask

Full-InterfaceVLAN SRC IP DST IP IP Protocol Src Port Dst Port

FullVLAN SRC IP DST IP IP Protocol Src Port Dst Port

Destination-Source-InterfaceVLAN SRC IP DST IP IP Protocol Src Port Dst Port

Source-OnlyVLAN SRC IP DST IP IP Protocol Src Port Dst Port

Destination-OnlyVLAN SRC IP DST IP IP Protocol Src Port Dst Port

Destination-SourceVLAN SRC IP DST IP IP Protocol Src Port Dst Port

Flow Keys in Orange


Extensibility and Flexibility Requirements Phases Approach

Traditional NetFlow with the v5 or v8 NetFlow exportNew requirements: build something flexible and extensible

Phase One: NetFlow Version 9Advantages: extensibility

Integrate new technologies/data types quicker(MPLS, IPv6, BGP next hop, etc.)Integrate new aggregations quicker

Note: for now, the template definitions are fixed

Phase Two: Flexible NetFlowAdvantages: cache and export content flexibility

User selection of flow keys

User definition of the records

Exporting Process

Metering Process


BillingDenial of Service

NetFlow Partners in CTDP Program

Traffic Analysis

CS-Mars

More info: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/commercial/

http://www.portal.com/�

http://www.cisco.com/logo/�

http://www.valenciasystems.com/index.htm�

http://www.ibm.com/us/�

http://www.netimonitor.com/index.php�


NetFlow Open Source Tools Product Name Primary Use Comment OS

Cflowd Traffic Analysis No longer supported UNIX

Flow-tools Collector Device Scalable UNIX

Flowd Collector Device Support V9 BSD, Linux

FlowScan Reporting for Flow-Tools

UNIX

IPFlow Traffic Analysis Support V9, IPv4, IPv6, MPLS, SCTP, etc..

Linux, FreeBSD, Solaris

NetFlow Guide Reporting Tools BSD, Linux

NetFlow Monitor Traffic Analysis Supports V9 UNIX

Netmet Collector Device V5, support v9 Linux

NTOP Security Monitoring UNIX

Stager Reporting for Flow-Tools

UNIX

Nfdump/nfsen Traffic Analysis Supprot V5 and v9 UNIX

Different costs: implementation and customization


Agenda



NetFlow Version 9

Version 9 is an export protocolNo changes to the metering process

Version 9 is based on templates and separate flow records

Templates composed of type and length

Flow records composed of template ID and value

Sent the template regularly (configurable), because of UDP

Support: 800, 1700, ISR (1800, 2800, 3800), ISR-G2 (1900, 2900, 3900), 2600, 3200, 3600, 3700, 6500/7600, 7200, 7300, 7500, cat6000, 7600, 10000, 12000 (IOS and IOS-XR), CRS-1, ASR 1000, ASA 5580, Nexus 7000 and Nexus 1000V

RFC3954 Cisco Systems® NetFlow Services Export Version 9NetFlow patent: intellectual property right statement at the IETF website


NetFlow Version 9 Export Packet

Template Record

Template ID #1

(Specific Field

Types and Lengths)

Template Record

Template ID #2

(Specific Field

Types and Lengths)

Template FlowSet

Template 1

Data Record

(Field Values)

Data Record

(Field Values)

Data FlowSetFlowSet ID #1

HEADER

FlowSet ID #1

Template 2

Data Record

(Field Values)

FlowSet ID #2Data FlowSet


NetFlow Version 9 Export Packet

Options Template FlowSet

Template 3

OptionData

Record

(Field Values)

OptionData

Record

(Field Values)

FlowSet ID #3Data FlowSet

HEADER

OptionTemplate Record

TemplateID #3

(Specific Scope, Field Types

and Lengths)

Options Template FlowSet Specifies the Scope: Cache, System, Template, etc.


Interface Name Export with NetFlow Version 9

Example of options template FlowSet

NetFlow exports the ifIndex

Instead of the collector polling the ifName MIB variable for a specific ifIndex, the matching (ifIndex, ifName) is sent in an option data record

Router(config)# ip flow-export interface-names


router(config)# ip flow-export version [5|9] [origin-as|peer-as]

[bgp-nexthop]

router(config)# ip flow-export template options export-stats

router(config)# ip flow-export template options timeout-rate 5

router(config)# ip flow-export template options refresh-rate 60

router(config)# ip flow-export template timeout-rate 5

router(config)# ip flow-export template refresh-rate 20

router(config)# ip flow-export destination 10.10.10.10 9996

NetFlow Version 9 Main Cache Configuration

Should you export from the main cache with NetFlow Version 5 or Version 9?

(Options) Templates Sent Every Five

Minutes or 20 Packets

(Options) Templates Sent Every Five Minutes or Every 20 Packets


router(config)# ip flow-aggregation cache bgp-nexthop-tos

router(config-flow-cache)# export destination 11.11.11.11 9999

router(config-flow-cache)# export version ?

9 Version 9 export format

router(config-flow-cache)# export version 9

router(config-flow-cache)# enabled

NetFlow Version 9 Aggregation Cache Configuration

In this case, we have only version 9. Why?


Agenda



Multicast NetFlow Multicast NetFlow ingress

One flow with the replicated number of packets/bytes

Multicast NetFlow egressOne per outgoing interface, with the nonreplicated number of packets/bytes

Deduced the replication factor

Display the multicast data that fails the Reverse Path Forwarding (RPF) check

No NetFlow export over multicast

Router(config-if)# ip multicast netflow ingress

Router(config-if)# ip multicast netflow egress


NetFlow: Monitoring IPv6 Traffic

Monitors the IPv6 traffic

Based on NetFlow version 9

For both ingress and egress traffic

Non-sampled

No NetFlow export over IPv6; still IPv4 (except Nexus 7000)

All configuration is the same: replace “ip” by “ipv6” in the CLI

12.3(7)T, 12.2(33)SXH, 12.2(33)SRB

Beginning with Cisco IOS® Release 12.4(20)T, traditional NetFlow for IPv6 is being replaced by flexible NetFlow for IPv6


NetFlow Reliable Export with SCTP

SCTP: stream control transport protocol (RFC4960)Reliable data transferCongestion control and avoidanceMultihoming supportOne association support for multi-streams

SCTP-PR: SCTP partially reliable (RFC3578)Three modes of reliability: reliable, partial reliable, unreliable

Advantages: (Options) templates sent reliably

Backup Options:Fail-over mode: open the backup connection when the primary failsRedundant mode: open the backup connection in advance, and already send the templates

Note: “An Introduction to SCTP”, RFC 3286


NetFlow Reliable Export with SCTP

Destination-Prefix Aggr.

MainCache

Billing

SCTP:Reliable

Security/Monitoring

SCTP:Partially Reliable SCTP Backup:

Redundant Mode

SCTP Backup:Fail-Over Mode


Agenda



Managed Services: Application Visibility ISP

NetFlow for Security

NetFlow for Peering

NetFlow for Monitoring

Typical NetFlow Deployment

NetFlow for Core Traffic Matrix


Flexible NetFlow High-Level Concepts and Advantages

Flexible NetFlow feature allows user configurable NetFlow record formats, selecting from a collection of fields:

Key, non-key, counter, timestamp

Advantages:Tailor a cache for specific applications, not covered by existing 21 NetFlow features in traditional NetFlow

Different NetFlow caches: per subinterface, per direction (ingress, egress), per sampler, per …

Better scalability since flow record customization for particular application reduces number of flows to monitor


SourceIP

Dest.IP

SourcePort

Dest.Port Protocol TOS Input

I/F … Pkts

3.3.3.3 2.2.2.2 23 22078 6 0 E0 … 1100

Traffic Analysis Cache

Flow Monitor

1

Traffic

Non-Key Fields

Packets

Bytes

Timestamps

Next Hop Address

Source IP Dest. IP Input I/F Flag … Pkts

3.3.3.3 2.2.2.2 E0 0 … 11000

Security Analysis Cache

Flow Monitor

2

Key Fields Packet 1

Source IP 3.3.3.3

Dest IP 2.2.2.2

Input Interface Ethernet 0

SYN Flag 0

Non-Key Fields

Packets

Timestamps

Flexible NetFlow Multiple Monitors with Unique Key Fields

Key Fields Packet 1

Source IP 3.3.3.3

Destination IP 2.2.2.2

Source Port 23

Destination Oort 22078

Layer 3 Protocol TCP - 6

TOS Byte 0

Input Interface Ethernet 0


Flexible NetFlow Model

A single record per monitor Potentially multiple monitors per interface Potentially multiple exporters per monitor

Interface

Monitor “A” Monitor “B”

Record “X” Exporter “M”

Record “Y”

Exporter “N”

Monitor “C”

Exporter “M”

Record “Z”


How do I want to cache information

Which interface do I want to monitor?

What data do I want to meter?Router(config)# flow record my-recordRouter(config-flow-record)# match ipv4 destination addressRouter(config-flow-record)# match ipv4 source addressRouter(config-flow-record)# collect counter bytes

Where do I want my data sent?Router(config)# flow exporter my-exporter

Router(config-flow-exporter)# destination 1.1.1.1

Router(config)# flow monitor my-monitor

Router(config-flow-monitor)# exporter my-exporter

Router(config-flow-monitor)# record my-record

Router(config)# interface s3/0

Router(config-if)# ip flow monitor my-monitor input

1. Configure the Exporter

2. Configure the Flow Record

3. Configure the Flow Monitor

4. Apply to an Interface

Service Planning FNF Configuration – Example


Router(config)# flow record my-recordRouter(config-flow-record)# matchRouter(config-flow-record)# collect

Router(config-flow-record)# match ?application Application Fieldsdatalink Datalink (layer 2) fieldsflow Flow identifying fieldsinterface Interface fieldsipv4 IPv4 fieldsipv6 IPv6 fieldsrouting routing attributestransport Transport layer field

Router(config-flow-record)# collect ? application Application Fieldscounter Counter fieldsdatalink Datalink (layer 2) fieldsflow Flow identifying fieldsinterface Interface fieldsipv4 IPv4 fieldsipv6 IPv6 fieldsrouting IPv4 routing attributestimestamp Timestamp fieldstransport Transport layer fields

Specify a Key Field

Specify a Non-Key Kield

Flexible NetFlowUser-Defined Record Configuration


Flexible Flow Record: Key Fields

IPv4IP (Source or Destination) Payload Size

Prefix (Source or Destination)

Packet Section (Header)

Mask (Source or Destination)

Packet Section (Payload)

Minimum-Mask (Source or Destination)

TTL

Protocol Options bitmap

Fragmentation Flags Version

Fragmentation Offset Precedence

Identification DSCP

Header Length TOS

Total Length

Interface Input

Output

FlowSampler ID

Direction

Source MAC address

Destination MAC address

Destination VLAN

Source VLAN

Layer 2

IPv6

IP (Source or Destination) Payload Size






DSCP

Protocol Extension Headers

Traffic Class Hop-Limit

Flow Label Length

Option Header Next-header

Header Length Version

Payload Length


MulticastReplication Factor*

RPF Check Drop*

Is-Multicast


Input VRF Name

BGP Next Hop

IGP Next Hop

src or dest AS

Peer AS

Traffic Index

Forwarding Status

Routing TransportDestination Port TCP Flag: ACK

Source Port TCP Flag: CWR

ICMP Code TCP Flag: ECE

ICMP Type TCP Flag: FIN

IGMP Type* TCP Flag: PSH

TCP ACK Number TCP Flag: RST

TCP Header Length TCP Flag: SYN

TCP Sequence Number TCP Flag: URG

TCP Window-Size UDP Message Length

TCP Source Port UDP Source Port

TCP Destination Port UDP Destination Port

TCP Urgent Pointer

Application

Application ID*

NEW

NEW

*: IPv4 Flow only


Flexible Flow Record: Non-Key Fields

Plus any of the potential “key” fields: will be the value from the first packet in the flow

Counters

Bytes

Bytes Long

Bytes Square Sum

Bytes Square Sum Long

Packets

Packets Long

Timestamp

sysUpTime First Packet


IPv4

Total Length Minimum (*)

Total Length Maximum (*)

TTL Minimum

TTL Maximum

(*) IPV4_TOTAL_LEN_MIN, IPV4_TOTAL_LEN_MAX (**)IP_LENGTH_TOTAL_MIN, IP_LENGTH_TOTAL_MAX

IPv4 and IPv6

Total Length Minimum (**)

Total Length Maximum (**)


flow exporter <exporter-name> destination <ipv4-address> [vrf <vrf-name>]dscp <value>export-protocol [netflow-v5 | netflow-v9]option {exporter-stats | interface-table | sampler-table |

vrf-table | application-table} timeout <value in sec>source <interface-name>template data timeout <value in sec>transport udp <destination-port> ttl <value>output-features

Flow Exporter Configuration

Five Types of Options Data Record

New in 12.4(20)T NetFlow Exported Packets Go

Through QoS, Crypto-Map, etc…


Transition Steps from Traditional NetFlow to Flexible NetFlow

Router(config)# flow monitor my-monitorRouter(config-flow-monitor)# record netflow ipv4 ?as AS aggregation schemesas-tos AS and TOS aggregation schemesbgp-nexthop-tos BGP next-hop and TOS aggregation schemesdestination-prefix Destination Prefix aggregation schemesdestination-prefix-tos Destination Prefix and TOS aggregation schemesoriginal-input Traditional IPv4 input NetFloworiginal-output Traditional IPv4 output NetFlow…

First, flexible NetFlow metering process with NetFlow Version 5 flow records and Version 5 export

Second, flexible NetFlow metering process with NetFlow Version 5 flow records and Version 9 export

Third, user-defined flow records with Version 9 export


flow monitor <monitor-name>record <record-name>exporter <exporter-name>cache type {normal | immediate | permanent}cache entries <number-of-entries>cache timeout {active | inactive | update} <value-in-sec>statistics packet protocolstatistics packet size

Flexible Monitor Configuration

Collect Size Distribution Statistics

Collect Protocol Distribution Statistics

Three Types of Cache:See Next Slides


Three Types of NetFlow Caches

Normal cache (traditional NetFlow)More flexible active and inactive timers: one second minimum

Immediate cacheFlow accounts for a single packetDesirable for real-time traffic monitoring, DDoS detection, loggingDesirable when only very small flows are expected (ex: sampling)Caution: may result in a large amount of export data

Permanent cacheTo track a set of flows without expiring the flows from the cacheEntire cache is periodically exported (update timer)After the cache is full (size configurable), new flows will not be monitoredUses update counters rather than delta counters


Complete Permanent Flexible NetFlow Configuration Example

Per DSCP accounting flow record definition:

This replaces the IP accounting precedence feature

Router(config)# flow record my-dscp-recordRouter(config-flow-record)# match ipv4 dscpRouter(config-flow-record)# match interface inputRouter(config-flow-record)# collect counter bytes longRouter(config-flow-record)# collect counter packets long

Router(config)# flow monitor my-dscp-monitorRouter(config-flow-record)# description dscp:bytes and packets Router(config-flow-record)# record my-dscp-recordRouter(config-flow-record)# cache type permanentRouter(config-flow-record)# cache entries 256

Router(config)# interface GigabitEthernet 0/1Router(config)# ip flow monitor my-dscp-monitor input

64-Bit Counter


Router#show flow monitor my-dscp-monitor cacheCache type: PermanentCache size: 256Current entries: 0High Watermark: 0

Flows added: 0Updates sent ( 1800 secs) 0

IP DSCP INTF INPUT bytes long perm pkts long perm======= ============ ================== ================0x00 Gi0/1 1000 100x01 Gi0/1 500 5

Extra Options: CSV, Table, Record

Flow Keys in Upper Case

Complete Permanent Flexible NetFlow Configuration Example


Flexible NetFlow Activation per Interface

Deterministic or random sampling

Router(config-if)# ip flow monitor <monitor-name[sampler <sampler-name>] [input | output] [unicast | multicast ]

Send the “Sampler-Table” Option

Router(config)# sampler <sampler-name> mode [deterministic | random] <value N> out-of <value M>

For the Input or Output Traffic.Does not Determine the Flow Key

Need the “Match Flow Sampler” in the Record for Accuracy Determination


Useful Show Commands

List of all possible information elementsshow flow exporter export-ids netflow-v9

Template assignment show flow exporter template

High watermark in the cacheshow flow monitor <flow-monitor> statistics

NetFlow configurationshow running flow [exporter | monitor | record]


ISP

Security Flow Monitor Protocol Ports IP addresses TCP flags

Peering Flow Monitor Destination AS Source traffic index BGP next hop DSCP

Server Flow Monitor Standard seven keys

NetFlow Deployment Scenarios

NetFlow for Core Traffic Matrix Source/destination AS IP addresses (src/dest) BGP next hop Protocols DSCP

Managed ServiceApplication Visibility IP addresses Application DSCP


Flexible NetFlow Platforms, Features

Platforms: 800, 1700, ISR (1800, 2800, 3800), ISR-G2 (1900, 2900, 3900), 2600, 2800, 3700, 3800, 7200, 7301, 12000, Nexus 7000, Nexus 1000V, CRS-1

Beginning with Cisco IOS Release 12.4(20)T, traditional NetFlow for IPv6 is being replaced by Flexible NetFlow for IPv6

Some traditional NetFlow features are not yet supported with flexible NetFlow:

Input filters (integration with modular QoS CLI)

SCTP

MIB


Agenda



Router# show ip cache flow…SrcIf SrcIPaddress SrcP SrcAS DstIf DstIPaddress DstP DstAS Pr Pkts B/Pk29 192.1.6.69 77 aaa 49 194.20.2.2 1308 bbb 6 1 4029 192.1.6.222 1243 aaa 49 194.20.2.2 1774 bbb 6 1 4029 192.1.6.108 1076 aaa 49 194.20.2.2 1869 bbb 6 1 4029 192.1.6.159 903 aaa 49 194.20.2.2 1050 bbb 6 1 4029 192.1.6.54 730 aaa 49 194.20.2.2 2018 bbb 6 1 4029 192.1.6.136 559 aaa 49 194.20.2.2 1821 bbb 6 1 4029 192.1.6.216 383 aaa 49 194.20.2.2 1516 bbb 6 1 4029 192.1.6.111 45 aaa 49 194.20.2.2 1894 bbb 6 1 4029 192.1.6.29 1209 aaa 49 194.20.2.2 1600 bbb 6 1 40

What Does a DoS Attack Look Like?

Typical DoS attacks have the same (or similar) entries:Input interface, destination IP, one packet per flow, constant bytes per packet (B/Pk)

Don’t forget show ip cache verbose flow | include …

Export to a security-oriented collector: CS-MARS, Lancope, Arbor



IPv4IP (Source or Destination) Payload Size






TTL

Protocol Options bitmap

Fragmentation Flags Version

Fragmentation Offset Precedence

Identification DSCP

Header Length TOS

Total Length

Interface Input

Output

FlowSampler ID

Direction

Source MAC address

Destination MAC address

Destination VLAN

Source VLAN

Layer 2

IPv6

IP (Source or Destination) Payload Size






DSCP

Protocol Extension Headers

Traffic Class Hop-Limit

Flow Label Length

Option Header Next-header

Header Length Version

Payload Length


MulticastReplication Factor*

RPF Check Drop*

Is-Multicast


Input VRF Name

BGP Next Hop

IGP Next Hop

src or dest AS

Peer AS

Traffic Index

Forwarding Status

Routing TransportDestination Port TCP Flag: ACK

Source Port TCP Flag: CWR

ICMP Code TCP Flag: ECE

ICMP Type TCP Flag: FIN

IGMP Type* TCP Flag: PSH

TCP ACK Number TCP Flag: RST

TCP Header Length TCP Flag: SYN

TCP Sequence Number TCP Flag: URG

TCP Window-Size UDP Message Length

TCP Source Port UDP Source Port

TCP Destination Port UDP Destination Port

TCP Urgent Pointer *: IPv4 Flow only

Application

Application ID*


Flexible Flow Record: Non-Key Fields

Plus any of the potential “key” fields: will be the value from the first packet in the flow

Counters

Bytes

Bytes Long

Bytes Square Sum

Bytes Square Sum Long

Packets

Packets Long

Timestamp



IPv4

Total Length Minimum (*)

Total Length Maximum (*)

TTL Minimum

TTL Maximum

(*) IPV4_TOTAL_LEN_MIN, IPV4_TOTAL_LEN_MAX (**)IP_LENGTH_TOTAL_MIN, IP_LENGTH_TOTAL_MAX

IPv4 and IPv6

Total Length Minimum (**)

Total Length Maximum (**)


Useful Fields for Security Monitoring

0 1 2 3

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

|Version| IHL |Type of Service| Total Length |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Identification |Flags| Fragment Offset |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Time to Live | Protocol | Header Checksum |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Source Address |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Destination Address |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Options | Padding |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Attacks that Use Consistent Packet Size or Worms that Use Consistent Packet Size

Several Flows with the Same Fragment Offset: Same Packet Sent Over and Over

Very Large Packets or Attacks that Might Always Have The Same Generated Identification

Flow Issued From the Same Origin


Router C

Source MAC Address Example

Internet

NetFlow

Router A

DoS Attack Arriving from the InternetEmail Server

Router B

Router D

Report the MAC Address for Ethernet, FastEthernet, and GigabitEthernet

Host A

Host B

Host C


The Forwarding Status

Unknown (00b)

Forwarded (01b)

Dropped (10b) ACL, QoS

Consumed (11b) Destined to the router (ex: management traffic)

Router(config)# flow record forwarding-status

Router(config-flow-record)# …

Router(config-flow-record)# match routing forwarding status


Packet Section Fields

Contiguous chunk of a packet of a user configurable size, used as a key or a non-key field

Sections used for detailed traffic monitoring, DDoS attack investigation, worm detection, other security applications

Chunk defined as flow key, should be used in sampled mode with immediate aging cache

Starts at the beginning of the IPv4 header

Immediately follows the IPv4 header collect or match ipv4 payload <size in bytes>

collect or match ipv4 header <size in bytes>


Flexible NetFlow TopTalkers

Advanced search capabilitiesFlow filtering: enables users to select flows based on specific values for any fields that are defined for that cache, or a predefined flow record

Flow aggregation: enables users to aggregate on a subset of the key and non-key fields present in the Flows of an FNF cache

Flow sorting: enables users to control how the displayed cache entries are sorted on any field present in the flows of an FNF cache and show in order or reverse order

Works with any type of flows/fields: IPv4, IPv6, L2, …


Router# show flow monitor <monitor> cache aggregate ipv4 source address sort highest counter bytes top 10

Router# show flow monitor <monitor> cache filter ipv4 destination address 10.10.10.0/24 aggregate ipv4 destination address sort highest counter bytes top 5

Router# show flow monitor <monitor> cache aggregate datalink dot1q vlan output sort lowest counter bytes top 5

Top five destination addresses to which we’re routing most traffic from the 10.10.10.0/24 prefix

Five VLANs that we’re sending the least bytes to:

Top 20 sources of one-packet flows:

Router# show flow monitor <monitor> cache filter counter packet 1 aggregate ipv4 source address sort highest flow packet top 20

Flexible NetFlow Top TalkersExamples

Top ten IP addresses that are sending the most packets


Router# show flow monitor <monitor> cache filter ipv4 destination address 10.10.10.0/24

counter packet regex[1-2] aggregate ipv4 source address

ipv4 destination address sort highest flow top 100

TCP SYN

Attacks

My Servers Network

10.10.10.0/24

Flexible NetFlow Top TalkersExample

The top 100 pairs of IP addresses with one or two packet(s) that are destined for My Servers Network


flow record <my-record>match ipv4 ttlmatch ipv4 source addressmatch ipv4 destination address

flow exporter <my-exporter>destination 10.10.10.10

flow monitor <my-monitor>record <my-record>exporter <my-exporter>

Embedded Event Manager 3.0Flexible NetFlow Event Detector

event manager applet security-appletevent nf monitor-name "<my-monitor>" event-type

create event1 entry-value "5" field ipv4 ttl entry-op lt action 1.0 syslog msg “flow record with low TTL"

If a flow record with TTL < 5, send a syslog message


router# show flow monitor <my-monitor> cache Cache type: Normal Cache size: 4096 Current entries: 5 High Watermark: 5

Flows added: 32 Flows aged: 27

- Active timeout ( 1800 secs) 0 - Inactive timeout ( 15 secs) 27 - Event aged 0 - Watermark aged 0 - Emergency aged 0

IPV4 SRC ADDR IPV4 DST ADDR IP TTL =============== =============== ====== 168.192.1.1 10.48.72.79 3

*Dec 18 2008 11:45:04.904 UTC: %HA_EM-6-LOG: security-applet: flow record with low TTL

Embedded Event Manager 3.0Flexible NetFlow Event Detector

Detect that some packets target the CPU…


NetFlow L2 and Security Monitoring(for Traditional NetFlow)

Layer 2 IP header fieldsSource MAC address field from frames that are received by the NetFlow routerDestination MAC address field from frames that are transmitted by the NetFlow routerReceived VLAN ID field (802.1q and Cisco’s ISL)Transmitted VLAN ID field (802.1q and Cisco’s ISL)

Extra Layer 3 IP header fieldsTime-to-live fieldIdentification fieldPacket length fieldICMP type and codeFragment offset

For IPv4 and IPv6


NetFlow Top Talkers (for Traditional NetFlow)

The flows that are generating the heaviest traffic in the cacheare known as the top talkers; prefer top flows

Allows flows to be sorted by either of the following criteria:By the total number of packets in each top talker

By the total number of bytes in each top talker

Match criteria for the top talkers, work like a filter

The top talkers can be retrieved via the CISCO-NETFLOW-MIB (cnfTopFlowsTable)

A new separate cacheSimilar output of the show ip cache flow or show ip cache verbose flow command

Generated on the fly

Frozen for the cache-timeout value


Router(config)# ip flow-top-talkers

Router(config-flow-top-talkers)# top 50

Router(config-flow-top-talkers)# sort-by <packets | bytes>

Router(config-flow-top-talkers)# cache-timeout 2000

Router# show ip flow top-talkers verbose

SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts

Port Msk AS Port Msk AS NextHop B/Pk Active

IPM: OPkts OBytes

Fa1/0 10.48.71.9 Local 10.48.71.9 01 C0 10 56

0000 /24 0 0303 /24 0 0.0.0.0 56 171.0

ICMP type: 3 ICMP code: 3

Se0/0 192.1.1.97 Se0/3 192.1.1.110 01 00 00 12

0000 /30 0 0000 /30 0 192.1.1.108 1436 2.8

ICMP type: 0 ICMP code: 0





Router(config-flow-top-talkers)# sort-by packets


Router(config-flow-top-talkers)# match source address 192.1.1.97/32

Router(config-flow-top-talkers)# match destination address 192.1.1.110/32

Router# show ip flow top-talkers verbose


Available via a new separate cache or via SNMPcnfTopFlowsTable in CISCO-NETFLOW-MIB

Match criteria for the top talkers, works like a filter

Must know what we are looking for




Router(config-flow-top-talkers)# sort-by packets


Router(config-flow-top-talkers)# match source address 192.1.1.97/32

Router(config-flow-top-talkers)# match destination address 192.1.1.110/32

match [[source address | destination address | nexthop address] [ip-address] [mask | /nn]] [[source port | destination port] [port-number | min port | max port | min port max port]] [[source as | destination as] as-number] [[input-interface | output-interface] interface] [tos[tos-value | dscp dscp-value | precedence precedence-value]] [protocol [protocol-number | tcp | udp]] [flow-sampler flow-sampler-name] [class-map class] [packet-range | byte-range [[min-range-number max-range-number] [min minimum-range | max maximum-range | min minimum-range max maximum-range]]] [direction]



NetFlow Dynamic Top Talkers(for Traditional NetFlow)

Somehow similar to the top talkersBut dynamic, done on the fly with show commands

But does not require modifications to the router config

But does not create a new cache

But not available with the MIB—obviously

Even more useful than top talkers for security

show ip flow top command:show ip flow top <N> <aggregate-field> <sort-criteria> <match-criteria>


NetFlow Dynamic Top Talkers(for Traditional NetFlow)

Top ten protocols currently flowing through the router:

Top ten IP addresses sending the most packets

Top five destination addresses to which we’re routing most traffic from the 10.10.10.0/24 prefix

Five VLANs that we’re sending the least bytes to:

Top 20 sources of one-packet flows:

Router# show ip flow top 10 aggregate protocol

Router# show ip flow top 10 aggregate source-address sorted-by packets

Router# show ip flow top 5 aggregate destination-address match source-prefix 10.10.10.0/24

Router# show ip flow top 5 aggregate destination-vlan sorted-by bytes ascending

Router# show ip flow top 50 aggregate source-address match packets 1


Cisco Adaptive Security Appliances (ASA) 5580—NetFlow Export Version 9

Logging in high-performance environments is nontrivial, NetFlow is replacing syslog

Flow event information can now be exported through NetFlow v9

Information about NAT modifications to the trafficInformation about Flows denied by security policyInformation about AAA/usernames associated with flowsbidirectional flows

Provides scalable logging10-Gbps flows, 100-k connections per second = lots of logs

Adds new NetFlow fields to represent security related parameters

NetFlow export is the logical evolution in logging technology


Agenda



Interface

Source IP Address

SourcePort

DestinationPort

Network Based Application RecognitionNetFlow and NBAR Differentiation

NetFlow Monitors data in Layers 2 thru 4 Determines applications by port Utilizes a seven-tuple for flow Flow information who, what, when,

whereNBAR Examines data from

Layers 3 thru 7 Utilizes Layers 3 and 4

plus packet inspection for classification

Stateful inspection of dynamic-port traffic

Packet and byte counts

Protocol

Link Layer Header

Deep Packet (Payload)Inspection

ToS NetFlow

NBAR

Destination IP Address

IP Header

TCP/UDP Header

Data Packet


NetFlow and NBAR Integration

NetFlow is the de-facto mechanism to provide visibility on network utilization—who/what/where/when

Applications can no longer be identify by just L3/L4 information

Application visibility is a mustExample: port 80 is overloaded

NBAR (Network Based Application Recognition) Offers a Deep Packet Inspection (DPI) mechanism

NBAR is integrated in flexible NetFlow on all software based platforms 800–3800/7200/7300, ASR1000, PISA


NBAR—Supported ProtocolsEnterprise Applications Security and Tunneling Network Mail Services Internet

Citrix ICA GRE IMAP FTP

PCAnywhere IPINIP POP3 Gopher

Novadigm IPsec Exchange HTTP

SAP L2TP Notes IRC

Routing Protocols MS-PPTP SMTP Telnet

BGP SFTP Directory TFTP

EGP SHTTP DHCP/BOOTP NNTP

EIGRP SIMAP Finger NetBIOS

OSPF SIRC DNS NTP

RIP SLDAP Kerberos Print

Network Management SNNTP LDAP X-Windows

ICMP SPOP3 Streaming Media Peer-to-Peer

SNMP STELNET CU-SeeMe BitTorrent

Syslog SOCKS Netshow Direct Connect

RPC SSH Real Audio eDonkey/eMule

NFS Voice StreamWorks FastTrack

SUN-RPC H.323 VDOLive Gnutella

Database RTCP RTSP KaZaA

SQL*NET RTP MGCP WinMX 2.0

MS SQL Server SIP Signaling

SCCP/Skinny RSVP

Skype

For YourReference


ip nbar custom lunar_light 8 ascii Moonbeamtcp range 2000 2999

class-map solar_system match protocol lunar_light

policy-map astronomy class solar_system set ip dscp AF21

interface Serial1service-policy output astronomy

ip nbar custom virus_home 20 hex variable scid 1 dest udp 5001 5005class-map active-craft

match protocol virus_home scid 0x15match protocol virus_home scid 0x21

class-map passive-craft match protocol virus_home scid 0x11match protocol virus_home scid 0x22

NBAR Custom Application Examples


Flexible NetFlow—NBAR Integration Configuration Examplerouter(config)# flow record app_recordrouter(config-flow-record)# match ipv4 source addressrouter(config-flow-record)# match ipv4 destination addressrouter(config-flow-record)# match application namerouter(config-flow-record)# collect counter packets router(config-flow-record)# collect counter bytes

router(config)# flow exporter app_collectorrouter(config-flow-monitor)# destination <ip address>router(config-flow-monitor)# option application-table

router(config)# flow monitor app_monitorrouter(config-flow-monitor)# record app_recordrouter(config-flow-monitor)# exporter app_collector

router(config)# interface eth0/0router(config-if)# ip flow monitor app_monitor in

The NetFlow application ID and the NBAR-PROTOCOL-DISCOVERY-MIB index are similar

NBAR protocol-discovery is enabled automatically when required


Flexible NetFlow—NBAR Integration Configuration Example

show flow mon <app_mon> cache

IPV4 SRC ADDR IPV4 DST ADDR APP NAME …=============== =============== ===============10.0.1.1 10.0.1.2 nbar rtcp10.0.1.1 10.0.1.2 nbar ssh10.0.1.1 10.0.1.2 nbar telnet10.0.1.1 10.0.1.2 NBAR lunar_light

nbar = Static Applications

NBAR = Custom Applications


Flexible NetFlow—NBAR Integration Configuration Example

show flow mon <app_mon> cache

IPV4 SRC ADDR IPV4 DST ADDR APP NAME …=============== =============== ===============10.0.1.1 10.0.1.2 nbar rtcp10.0.1.1 10.0.1.2 nbar ssh10.0.1.1 10.0.1.2 nbar telnet10.0.1.1 10.0.1.2 NBAR lunar_light

Classification Engine ID = 5, Selector = 48

Classification Engine ID = 6, Selector = 125

Options Record:5:48 rtcp Real-Time Control Protocol6:125 lunar_light User-Defined Protocol lunar_light


Reporting Example (Plixer)


Agenda



Performance ChallengeMoving Bottleneck

Consumes a lot of CPU- Packet sampling- Metering process in hardware

Collisions in the cache- Improved the hash function- Increased the cache size

Consumes much bandwidth- Flexible flow record per

… interface, per direction - Export cache type per collector- Flow sampling

CPU impact, bandwidth impact, and accuracy impact


CPU ImpactNetFlow Performance Paper Tests

Paper at www.cisco.com/go/netflow under Technical Documents

0, 1, and 2 NetFlow data export destinations

Initial performance after enabling

v8 aggregation vs. v5, v9 performance

Full NetFlow vs. 1:100 sampled NetFlow

Tested hardware: Cisco 1841, 2600, 2811, 2851, 3640, 3745, 3845, 7200, 7301, 7500, 12000

-> will be updated soon with newest platform

http://www.cisco.com/go/netflow�


CPU Impact Finding Summary

Larger number of cache entries will have an increasing level of impact to CPU

This is much more visible on the low end systems (LES)

Having multiple exporters does not add significant CPU impact

NetFlow v9 and NetFlow v5 export have similar CPU impact

Flexible NetFlow does add a slight CPU loadMore visible on lower end platforms

However this difference is seen at large flow counts that are not expected to be seen on LES


K K1 1 K1 Packet Sampling(Random or Systematic)

Cache Flow Samplingin the NetFlow Cache …

Export

CPU Impact NetFlow Sampling

Flow sampling only available on the Catalyst 6500 and 7600

With random packet based sampling, we can evaluate the accuracy of the observed flow records


flow record <my-record>match flow samplermatch ...collect counter bytes squared long collect ...

flow exporter <my-exporter>option sampler-table...

flow monitor <my-monitor>record <my-record>cache type normalexporter <my-exporter>...

flow sampler <my-sampler>mode random 1 out-of 100

interface pos3/0ip flow monitor <my-monitor> <my-sampler> ingress|egress

multicast|unicast

Configuring Packet Based Sampling

See next slide


Mean Packet Size µf

#Pac

kets

Nf

Estimation Accuracy (PLT_NZIX1, S24D00, Cisco, f=5%

Accuracy ImpactRandom Packet NetFlow Sampling

Packet Sampling for Flow Accounting: Challenges and Limitations, Tanja Zseby, Thomas Hirsch, Benoit Claise, PAM 2008

Square sum of bytes available in flexible NetFlow

http://www.springerlink.com/content/j4vq04vt13612862/fulltext.pdf�




Accuracy ImpactNetFlow Metering in Hardware Cisco Catalyst 6500 and Cisco 7600 supervisors

Table Size Hash Efficiency Effective Size Hash Key Size

Sup2 128K 25% 32K 17 Bits

Sup720 128K 50% 64K 36 Bits

Sup720-3B 128K 90% 115K 36 Bits

Sup720-3BXL 256K 90% 230K 36 Bits

Sup32-8GE 128K 90% 115K 36 Bits

Sup32-10GE 128K 90% 115K 36 Bits

Sup720-10GE-3C 128K 90% 115K 36 Bits

Sup720-10GE-3CXL 256K 90% 230K 36 Bits

Other metering process in hardware:

NEXUS 7000: Up to ~500K (with 95% utilization efficiency)

ASR1000: Up to ~1M cached flows

Etc.


Reducing Performance Impact

Flexible NetFlow (collect only what is really required)

Aging timers

Sampled NetFlow

Leverage distributed architectures (VIP, linecards)

Flow masks (only Cisco Catalyst 6500/7600)

Aggregation schemes (v8 on router or on collector)

Filters (router or collector)

Data compression (collector)

Increase collection bucket sizes (collector)

Place collector and router on the same LAN segment/ dedicated interface

CPU and Memory Impact on the Network Element, Collector, and Network


Router# show ip flow exportFlow export is enabledExporting flows to 1.1.1.1 (9999)Exporting using source IP address 198.198.198.11Version 5 flow records29 flows exported in 4 udp datagrams0 flows failed due to lack of export packet0 export packets were sent up to process level 0 export packets were dropped due to no fib0 export packets were dropped due to adjacency issues0 export packets were dropped due to fragmentation failures0 export packets were dropped due to encapsulation fixup failures

Router# clear ip flow stats

cnfESExportRate (NETFLOW-MIB), “number of bytes exported per second” The counter for this MIB object only contain L3 bytes: Layer 2 encapsulation needs to be added

NETFLOW-MiB: cnfESRecordsExported

cnfESPktsExported

Bandwidth ImpactCase 1: Traditional NetFlow


Router(config)# flow exporter <exporter>Router(config-flow-exporter)# destination 1.1.1.1Router(config)# ip route 1.1.1.1 255.255.255.255 Null 0

Router(config)# ip cef accounting per-prefix

The counter for this MIB object only contain L3 bytes, Layer 2 encapsulation needs to be added

This method is also valid for traditional NetFlow

CEF-MIB available in 12.4(20)T

Router# show ip cef 1.1.1.11.1.1.1/32, version 9, epoch 0, attached100 packets, 11052 bytes

via Null0, 0 dependenciesvalid null (drop) adjacency

CEF-MIB: cefPrefixBytesCEF-MIB: cefPrefixPkts

Bandwidth ImpactCase 2: Flexible NetFlow


Agenda



IETF: IP Flow Information Export WG (IPFIX)

RFC3954 Cisco Systems NetFlow Services Export Version 9

RFC3917 Requirements for IP Flow Information ExportGathers all IPFIX requirements for the IPFIX evaluation process

RFC3955 Evaluation of Candidate Protocols for IPFIX

RFC5101 Specification of the IPFIX Protocol for the Exchange of IP Traffic Flow Information

RFC5102 Information Model for IP Flow Information Export

RFC5103 “Bidirectional Flow Export using IP Flow Information Export (IPFIX)”


IETF: IP Flow Information Export WG (IPFIX)

IPFIX protocol specificationsChanges in terminology but same NetFlow Version 9 principlesImprovements vs. NetFlow Version 9: SCTP-PR, security, variable length information element, IANA registration, etc.

Generic streaming protocol, not flow-centric anymore

Security: Threat: confidentiality, integrity, authorization

Solution: DTLS on SCTP-PR

IPFIX information modelMost NetFlow Version 9 information elements ID are kept

Proprietary information element specification

Is IPFIX important to you?


IETF: Packet Sampling WG (PSAMP)

PSAMP is an effort to:Specify a set of selection operations by which packets are sampled, and describe protocols by which information on sampled packets is reported to applications

Sampling and filtering techniques for IP packet selectionTo be compliant with PSAMP, we must implement at least one of the mechanisms: sampled NetFlow, NetFlow input filters are already implemented

PSAMP protocol specificationsAgreed to use IPFIX for export protocol

Information model for packet sampling exportExtension of the IPFIX information model


Agenda



Product Manager Contact: [email protected]

Available Now Not Available Roadmap

Traditional NetFlow Exporting Process

Feature Software C6500 C7600 C12000 C10000 C4500

Version 5 12.0(1) 12.1(2)E 12.1(2)E 12.0(14)S 12.0(19)SL 12.1(13)EW

Version 8 12.0(3)T 12.2(14)SX 12.2(14)SX 12.0(6)S 12.0(19)SL 12.1(19)EW

Version 9 12.3 12.2(18)SXF 12.2(18)SXF 12.0(24)S 12.2(31)SB

Dual Export 12.2(2)T 12.2(17d)SXB12.2(17d)SXB 12.2(15)BX 12.1(19)EW

VRF Destination 12.4(4)T 12.2(33)SRA 12.0(32)S

Reliable Export 12.3(4)T

For YourReference

mailto:[email protected]�


Traditional NetFlow Exporting Process

Feature CRS-1 XR12000 ASR1000

Version 5 2.1

Version 8 2.1

Version 9 3.2 3.3.0 2.1

Dual Export 3.4.0 3.4.0 2.1

VRF Destination 3.2 3.3.0

Reliable Export

For YourReference



Traditional NetFlow Metering Process

Feature Software C6500 C7600 C12000 C10000 C4500IPv4 12.0(1) 12.1(27b)E1 12.2(18)SXF 12.0(22)S 12.2(15)BX 12.1(13)EW

IPv6 12.3(7)T 12.2(33)SXH 12.2(33)SRB

Multicast 12.3 12.2(18)SXF 12.2(18)SXF

BGP Next Hop 12.3 12.2(18)SXF 12.2(33)SRA 12.0(26)S 12.2(31)SB

Per Interface Yes 12.2(33)SXH 12.2(33)SRB No Sub 12.2(15)BX

Per VRF Interface Yes 12.2(33)SXH 12.2(33)SRB

TOS Support Yes 12.2(17b)SXA 12.2(17b)SXA Yes Yes

Min Prefix Aggr. 12.1(2)T Yes Yes

MPLS Egress with EXP 12.2(28)SB

MPLS Egress 12.2(2)T 12.2(33)SXJ

MPLS Aware 12.3(8)T 12.2(33)SRA 12.0(24)S

MPLS Label Exp. 12.2SB 12.2(33)SRB

MPLS Aggregate. 12.2(31)SB

No SUPVI

For YourReference




Feature CRS-1 XR12000 ASR1000IPv4 3.2.0 3.3.0 2.1

IPv6 3.5.0 3.6.0

Multicast 3.2 3.3

BGP Next Hop 3.3 3.3 2.1

Per Interface 3.3.0 3.3.0 2.1

TOS Support 3.2 3.3 2.1

Packet Sampling 3.2 3.3 2.1

Min Prefix Aggr.

MPLS Egress with EXP

MPLS Egress 3.2 3.5.0

MPLS Aware 3.3.1 3.5.0

MPLS Label Expo

MPLS Aggregate.

For YourReference





Egress/Output NetFlow 12.3(11)T 12.0(10)ST 12.2(31)SB

Bridged NF 12.2(18)SXE1 12.2(18)SXE1 12.2(25)EW

Input Filters 12.3(4)T

TCP Flags 12.1(2)T 12.0(10)ST 12.2(28)SB

Mac Address 12.3(14)T

Security Exports 12.3(14)T 12.2(33)SRA

Vlan Export 12.4(4)T

For YourReference





Egress/Output NetFlow 3.2 3.3 2.1

Bridged NF

Input Filters

TCP Flags 3.2 3.3 2.1

Mac Address

Security Exports

Vlan Export

For YourReference



Miscellaneous Features

Feature Software C6500 C7600 C12000 C10000 ASR1000

NetFlow MIB with Top Talker 12.3(11)T 12.2(33)SXH

Dynamic Top Talker CLI 12.4(4)T

ISSU NetFlow 12.2(33)SRB

ifIndex to Name Map 12.4(4)T

For YourReference



Traditional NetFlow Metering Process, Sampled NetFlow


Systematic Sampling 12.3(11)T 12.0(11)S

Random Sampling 12.4(9)T 12.0(33)S 12.2(31)SB

Output Sampled NetFlow 12.0(24)S

Flow Sampling 12.1(13)E 12.1(13)E

For YourReference




Systematic Sampling

Random Sampling 3.2 3.3 2.1

Output SampledNetFlow 2.1

Flow Sampling


Traditional NetFlow Metering Process, Sampled NetFlow For Your

Reference


Feature Cisco ISR Cisco ISR-G2 Cisco 72/73xx ASR1000

New Flexible NetFlow CLI 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

Multiple User Defined Caches 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

Normal Cache 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

Immediate Cache 12.4(9)T 15.0(1)M 12.4(9)T Radar

Permanent Cache 12.4(9)T 15.0(1)M 12.4(9)T Radar

Dynamic TopNTalkers 12.4(22)T 15.0(1)M 12.4(22)T IOS XE 3.2.0S*

FNF EEM Monitor 12.4(22)T 15.0(1)M 12.4(22)T Radar

Available Now Not Available Roadmap*: not committed yet

Flexible NetFlowMetering Process


Feature C6500 (SUP2T) C4500 (SUP7) Nexus 7000 Nexus1000V

New Flexible NetFlow CLI 12.2(50)SYA IOS XE 3.1.0SG 4.0 4.0(4)SV1

Multiple User Defined Caches 12.2(50)SYA IOS XE 3.1.0SG 4.0 4.0(4)SV1

Normal Cache 12.2(50)SYA IOS XE 3.1.0SG 4.0 4.0(4)SV1

Immediate Cache 12.2(50)SYA IOS XE 3.1.0SG

Permanent Cache 12.2(50)SYA IOS XE 3.1.0SG

Dynamic TopNTalkers 12.2(50)SYA IOS XE 3.1.0SG

FNF EEM Monitor Radar IOS XE 3.1.0SG




Feature CRS-1 XR12000 ASR9000 C12000

New Flexible NetFlow CLI 3.2 3.3.0 3.9(1) 12.0(33)S

Multiple User Defined Caches Radar Radar 3.9(1) 12.0(33)S

Normal Cache 3.2 3.3.0 3.9(1) 12.0(33)S

Immediate Cache 3.2 3.3.0 3.9(1) 12.0(33)S

Permanent Cache 3.2 3.3.0 3.9(1) 12.0(33)S

Dynamic TopNTalkers Radar Radar Radar

FNF EEM Monitor





Sampling

Full Flow support 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

Random Sampling 1:M 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

Random Sampling N:M

Activation

Ingress support 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

Egress support 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

Per Interface 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

Per Sub-Interface 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

On VRF Interface 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

Per Vlan

Per Class-map 15.1(4)T 15.1(4)T 15.1(4)T IOS XE 3.3.0S*




Sampling

Full Flow support 12.2(50)SYA IOS XE 3.1.0SG 4.0 4.0(4)SV1

Random Sampling 1:M 12.2(50)SYA IOS XE 3.1.0SG 4.0 4.0(4)SV1

Random Sampling N:M 4.0 4.0(4)SV1

Activation

Ingress support 12.2(50)SYA IOS XE 3.1.0SG 4.0 4.0(4)SV1

Egress support 12.2(50)SYA IOS XE 3.1.0SG 4.0 4.0(4)SV1

Per Interface 12.2(50)SYA IOS XE 3.1.0SG 4.0 4.0(4)SV1

Per Sub-Interface 12.2(50)SYA IOS XE 3.1.0SG 4.0 N/A

On VRF Interface 12.2(50)SYA IOS XE 3.1.0SG N/A N/A

Per Vlan IOS XE 3.1.0SG

Per Class-map Radar*


Flexible NetFlowSampling and Activation



Sampling

Full Flow support 3.2 3.3.0 3.9(1) 12.0(33)S

Random Sampling 1:M 3.2 3.3.0 3.9(1) 12.0(33)S

Random Sampling N:M

Activation

Ingress support 3.2 3.3.0 3.9(1) 12.0(33)S

Egress support 3.2 3.3.0 3.9(1) 12.0(33)S

Per Interface 3.2 3.3.0 3.9(1) 12.0(33)S

Per Sub-Interface 3.2 3.3.0 3.9(1) 12.0(33)S

On VRF Interface 3.2 3.3.0 3.9(1) 12.0(33)S

Per Vlan

Per Class-map


Flexible NetFlowSampling and Activation



Exporter

NetFlow v5 Export Format 12.4(22)T 15.0(1)M 12.4(22)T IOS XE 3.1.1S

NetFlow v9 Export Format 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

IPFix Export Format Radar* Radar* Radar* Radar*

IPFix Structured Data Radar* Radar* Radar* Radar*

Export over UDP 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

Export over SCTP (Reliable) Radar* Radar* Radar* Radar*

Export over IPv4 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

Export over IPv6 Radar* Radar* Radar* Radar*

Exporter MTU Configuration Radar* Radar* Radar* Radar*

Export in a VRF 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.2.0S

FNF QOS output features 12.4(20)T 15.0(1)M 12.4(20)T IOS XE 3.1.1S


Flexible NetFlowExporter



Exporter

NetFlow v5 Export Format 12.2(50)SYA IOS XE 3.1.0SG 4.0 4.0(4)SV1

NetFlow v9 Export Format 12.2(50)SYA IOS XE 3.1.0SG 4.0 4.0(4)SV1

IPFix Export Format Radar* Radar* Radar* Radar*

IPFix Structured Data Radar* Radar* Radar* Radar*

Export over UDP 12.2(50)SYA IOS XE 3.1.0SG 4.0 4.0(4)SV1

Export over SCTP (Reliable) Radar* Radar* Radar Radar

Export over IPv4 12.2(50)SYA IOS XE 3.1.0SG 4.0 4.0(4)SV1

Export over IPv6 Radar* Radar* 4.2(1)

Exporter MTU Configuration Radar* Radar* Radar* Radar*

Export in VRF 12.2(50)SYA IOS XE 3.1.0SG

FNF QOS output features 12.2(50)SYA IOS XE 3.1.0SG 4.0





Exporter

NetFlow v5 Export Format

NetFlow v9 Export Format 3.2 3.3.0 3.9(1) 12.0(33)S

IPFix Export Format Radar* Radar* Radar*

IPFix Structured Data

Export over UDP 3.2 3.3.0 3.9(1) 12.0(33)S

Export over SCTP (Reliable) Radar Radar Radar

Export over IPv4 3.2 3.3.0 3.9(1) 12.0(33)S

Export over IPv6 Radar Radar Radar

Exporter MTU Configuration Radar Radar Radar

Export in a VRF 3.2 3.3.0 3.9(1) 12.0(33)S

FNF QOS output features 3.2 3.3.0 3.9(1)





IPv4 Flows

IPv4 Unicast Flows 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

IPv4 Predefined Aggregations 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

IPv4 Multicast Flows 12.4(22)T 15.0(1)M 12.4(22)T Radar

IPv4 Multicast Replication Factor 12.4(22)T 15.0(1)M 12.4(22)T Radar

IPv4 Header Section Field 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

IPv4 Payload Section Field 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

UDP Fields 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

TCP Fields 12.4(9)T 15.0(1)M 12.4(9)T IOS XE 3.1.1S

SCTP Fields Radar Radar Radar Radar

Application Name (NBAR) Field 15.0(1)M 15.0(1)M 15.0(1)M IOS XE 3.1.1S


Flexible NetFlowIPv4 Flows


Feature C6500 (SUP2T) C4500 (SUP7) Nexus 7000 Nexus 1000V

IPv4 Flows

IPv4 Unicast Flows 12.2(50)SYA IOS XE 3.1.0SG 4.0 4.0(4)SV1

IPv4 Predefined Aggregations 12.2(50)SYA IOS XE 3.1.0SG 4.0 4.0(4)SV1

IPv4 Multicast Flows 12.2(50)SYA IOS XE 3.1.0SG Radar*

IPv4 Multicast Replication Factor 12.2(50)SYA IOS XE 3.1.0SG Radar*

IPv4 Header Section Field IOS XE 3.1.0SG

IPv4 Payload Section Field IOS XE 3.1.0SG

UDP Fields 12.2(50)SYA IOS XE 3.1.0SG 4.0 4.0(4)SV1

TCP Fields 12.2(50)SYA IOS XE 3.1.0SG 4.0 4.0(4)SV1

SCTP Fields Radar*

Application Name (NBAR) Field





IPv4 Flows

IPv4 Unicast Flows 3.2 3.3.0 3.9(1) 12.0(33)S

IPv4 Predefined Aggregations 3.2 3.3.0 3.9(1) 12.0(33)S

IPv4 Multicast Flows 3.5.0 3.5.0 3.9(1) 12.0(33)S

IPv4 Multicast Flows 3.5.0 3.5.0 3.9(1) 12.0(33)S

IPv4 Header Section Field 12.0(33)S

IPv4 Payload Section Field 12.0(33)S

UDP Fields 3.2 3.3.0 3.9(1) 12.0(33)S

TCP Fields 3.2 3.3.0 3.9(1) 12.0(33)S

SCTP Fields Radar Radar Radar






IPv6 Flows

IPv6 Unicast Flows 12.4(20)T 15.0(1)M 12.4(20)T IOS XE 3.3.0S*

IPv6 Predefined Aggregations 12.4(20)T 15.0(1)M 12.4(20)T IOS XE 3.3.0S*

IPv6 Multicast Flows Radar Radar Radar Radar

IPv6 Multicast Replication Factor Radar Radar Radar Radar

IPv6 Header Section Field 12.4(20)T 15.0(1)M 12.4(20)T IOS XE 3.3.0S*

IPv6 Payload Section Field 12.4(20)T 15.0(1)M 12.4(20)T IOS XE 3.3.0S*

UDP Fields 12.4(20)T 15.0(1)M 12.4(20)T IOS XE 3.3.0S*

TCP Fields 12.4(20)T 15.0(1)M 12.4(20)T IOS XE 3.3.0S*

SCTP Fields Radar Radar Radar Radar

Application Name (NBAR) Field Radar Radar Radar IOS XE 3.3.0S*




Feature C6500 (SUP2T) C4500 (SUP 7) Nexus 7000 Nexus 1000V

IPv6 Flows

IPv6 Unicast Flows 12.2(50)SYA IOS XE 3.1.0SG 4.0 Radar

IPv6 Predefined Aggregations 12.2(50)SYA IOS XE 3.1.0SG 4.0 Radar

IPv6 Multicast Flows Radar Radar Radar Radar

IPv6 Multicast Replication Factor Radar Radar Radar Radar

IPv6 Header Section Field Radar

IPv6 Payload Section Field Radar

UDP Fields 12.2(50)SYA IOS XE 3.1.0SG 4.0 Radar

TCP Fields 12.2(50)SYA IOS XE 3.1.0SG 4.0 Radar

SCTP Fields Radar






IPv6 Flows

IPv6 Unicast Flows 3.5.0 3.6.0 3.9(1)

IPv6 Predefined Aggregations 3.5.0 3.6.0 3.9(1)

IPv6 Multicast Flows Radar Radar Radar

IPv6 Multicast Replication Factor Radar Radar Radar

IPv6 Header Section Field Radar Radar Radar

IPv6 Payload Section Field Radar Radar Radar

UDP Fields 3.5.0 3.6.0 3.9(1)

TCP Fields 3.5.0 3.6.0 3.9(1)

SCTP Fields Radar Radar Radar






Layer 2 Flows 12.4(22)T 15.0(1)M 12.4(22)T Radar

MPLS Flows Radar Radar Radar Radar

MPLS + IPv4 Flows Radar Radar Radar Radar

MPLS + IPv6 Flows Radar Radar Radar Radar

MPLS + IPv6/IPv4 Flows Radar Radar Radar Radar

Ingress VRF name Field 15.0(1)M 15.0(1)M 15.0(1)M IOS XE 3.3.0S*

Class-map Name (C3PL) Field 15.1(4)T 15.1(4)T 15.1(4)T IOS XE 3.3.0S*

4 Bytes AS Field 15.2(1)T 15.2(1)T 15.2(1)T IOS XE 3.2.0S*


Flexible NetFlowLayer 2, MPLS, Misc.



Layer 2 Flows 12.2(50)SYA IOS XE 3.1.0SG 4.2(1)

MPLS Flows Radar Radar Radar

MPLS + IPv4 Flows Radar Radar Radar

MPLS + IPv6 Flows Radar Radar Radar

MPLS + IPv6/IPv4 Flows

Ingress VRF name Field 12.2(50)SYA IOS XE 3.1.0SG

Class-map Name (C3PL) Field Radar IOS XE 3.3.0SG*

4 Bytes AS Field 12.2(50)SYA IOS XE 3.1.0SG 4.2(1) 4.2(1)





Layer 2 Flows Radar Radar Radar

MPLS Flows 3.3.1 3.5.0 3.9(1)

MPLS + IPv4 Flows 3.3.1 3.5.0 3.9(1)

MPLS + IPv6 Flows 3.5.0 3.6.0 3.9(1)

MPLS + IPv6/IPv4 Flows 3.6.0 3.6.0

Ingress VRF name Field Radar Radar Radar

Class-map Name (C3PL) Field Radar Radar Radar

4 Bytes AS Field 3.4.0 3.4.0 3.9(1)




Conclusion—What Did We Cover?

Introduction

NetFlow Version 9

Interesting Features on Traditional NetFlow

Flexible NetFlow

NetFlow for Security

NetFlow for Application Visibility

NetFlow Performance

NetFlow Standardization

Support Matrix

Appendix


NetFlow Summary and Conclusion

NetFlow is a mature Cisco IOS feature (in Cisco IOS since 1996)

NetFlow provides input for accounting, performance, security, and billing applications

NetFlow has IETF and industry leadership

NetFlow v9 eases the exporting of additional fields

Flexible NetFlow is a major enhancement

A lot of features have been addedStay tuned for more

NetFlow export will become THE push mechanism


References

NetFlowhttp://www.cisco.com/go/netflow

Cisco network accounting servicesComparison of Cisco NetFlow versus other available accounting technologieshttp://www.cisco.com/warp/public/cc/pd/iosw/prodlit/nwact_wp.htm

Cisco IT case studyhttp://business.cisco.com/prod/tree.taf%3Fasset_id=106882&IT=104252&public_view=true&kbns=1.html

A complete white paperhttp://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/netflsol/nfwhite.htm

NetFlow product manager: Jean Charles [email protected]

http://www.cisco.com/go/netflow�

http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/nwact_wp.htm�

http://business.cisco.com/prod/tree.taf?asset_id=106882&IT=104252&public_view=true&kbns=1.html�

http://business.cisco.com/prod/tree.taf?asset_id=106882&IT=104252&public_view=true&kbns=1.html�

http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/netflsol/�nfwhite.htm�

http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/netflsol/�nfwhite.htm�

mailto:[email protected]�


Meet the Engineer

To make the most of your time at Networkers at Cisco Live 2010, schedule a Face-to-Face Meeting with a top Cisco Engineers.

Designed to provide a "big picture" perspective as well as "in-depth" technology discussions, these face-to-face meetings will provide fascinating dialogue and a wealth ofvaluable insights and ideas.

Visit the Meeting Centre reception desk located in the Meeting Centre in World of Solutions


Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press

Network Management: Accounting and Performance Strategies, ISBN 1-58705-198-2

Preview: http://www.informit.com/store/product.aspx?isbn=1587051982

Available Onsite at the Cisco Company Store

http://www.informit.com/store/product.aspx?isbn=1587051982�




NMS sessions offered (1 of 2)

Session Title

BRKNMS-1030 ITIL v3 Foundation and Enhanced Telecom Operations Map (eTOM) frameworks

BRKNMS-1031Network Health Framework - A proactive solution for network health improvement

BRKNMS-1204Introduction to Network Performance Measurement with Cisco IOS IP Service Level Agent

BRKNMS-1532 Introduction to Accounting Principles with NetFlow and NBAR

BRKNMS-1640 Advanced DHCP and DNS Deployments

BRKNMS-1831 Network Performance Management: A proactive End-to-End approach

BRKNMS-1942 Managing Infrastructure as a Service (IaaS) for a Cloud environment

BRKNMS-2022UC Network Management: How to Ensure Your UC Services are Operating as Expected

BRKNMS-2025 Cisco Network Optimization


NMS sessions offered (2 of 2)

Session Title

BRKNMS-2030 Onboard Automation with Cisco IOS Embedded Event Manager

BRKNMS-2031 SYSLOG Design, Methodology and Best Practices

BRKNMS-2032 DHCP and DNS for Large Scale Network Architectures and Cloud Computing

BRKNMS-2361Accounting and Performance Management with Network Based Application Recognition

BRKNMS-2658 Securely Managing Your Networks and SNMPv3

BRKNMS-2784 Automatic Configuration Deployment using CCE

BRKNMS-3021 Advanced Cisco IOS Device Instrumentation

BRKNMS-3043Advanced Performance Measurement for Critical IP Traffic with Cisco IOS IP Service Level Agreements

BRKNMS-3132 Advanced Netflow

PNLNMS-3000 Implementing Effective Day-2 Network Operations Support with ITIL


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Cisco Preferred Access points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.

http://www.ciscolivevirtual.com/�


Q and A

Appendix: Traditional NetFlow


router# show ip cache flow IP packet size distribution (85435 total packets):

1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480.000 .000 .125 .125 .250 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608.000 .000 .000 .000 .500 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes2728 active, 1368 inactive, 85310 added463824 ager polls, 0 flow alloc failuresActive flows timeout in 30 minutesInactive flows timeout in 15 secondslast clearing of statistics never

Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)-------- Flows /Sec /Flow /Pkt /Sec /Flow /FlowTCP-X 2 0.0 1 1440 0.0 0.0 9.5TCP-other 82580 11.2 1 1440 11.2 0.0 12.0Total: 82582 11.2 1 1440 11.2 0.0 12.0

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP PktsEt0/0 132.122.25.60 Se0/0 192.168.1.1 06 9AEE 0007 1 Et0/0 139.57.220.28 Se0/0 192.168.1.1 06 708D 0007 1 Et0/0 165.172.153.65 Se0/0 192.168.1.1 06 CB46 0007 1

‘show ip cache flow’

Packet Sizes

Rates and Duration

# of Active Flows

Flow Details


‘show ip cache verbose flow’

router# show ip cache verbose flow IP packet size distribution (23597 total packets):

1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608.000 .000 .000 .000 1.00 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes1323 active, 2773 inactive, 23533 added151644 ager polls, 0 flow alloc failuresActive flows timeout in 30 minutesInactive flows timeout in 15 secondslast clearing of statistics never

Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)-------- Flows /Sec /Flow /Pkt /Sec /Flow /FlowTCP-other 22210 3.1 1 1440 3.1 0.0 12.9Total: 22210 3.1 1 1440 3.1 0.0 12.9

SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs PktsPort Msk AS Port Msk AS NextHop B/Pk ActiveEt0/0 216.120.112.114 Se0/0 192.168.1.1 06 00 10 1 5FA7 /0 0 0007 /0 0 0.0.0.0 1440 0.0Et0/0 175.182.253.65 Se0/0 192.168.1.1 06 00 10 1

ToS Byteand TCP

Flags

Flow Rate and Duration

Destination Information

Source Mask and AS


NetFlow Export Version 5 and Main Cache Configuration Example

Router # show ip flow exportFlow export v5 is enabled for main cacheExporting flows to 10.48.71.129 (9991) Exporting using source interface Loopback0Version 5 flow records1303552 flows exported in 332208 udp datagrams0 flows failed due to lack of export packet2 export packets were sent up to process level0 export packets were dropped due to no fib0 export packets were dropped due to adjacency issues0 export packets were dropped due to fragmentation failures0 export packets were dropped due to encapsulation fixup failures0 export packets were dropped enqueuing for the RP0 export packets were dropped due to IPC rate limiting0 export packets were dropped due to output drops


NetFlow Export Version 8 and Aggregation Configuration Example

Router(config)# ip flow-aggregation cache <cache type>

Router(config-flow-cache)# cache entries <number>

Router(config-flow-cache)# cache timeout active <minutes>

Router(config-flow-cache)# cache timeout inactive <seconds>

Router(config-flow-cache)# mask destination minimum <value>

Router(config-flow-cache)# mask source minimum <value>

Router(config-flow-cache)# export destination 10.10.10.10 1234

Router(config-flow-cache)# enabled


NetFlow Export Version 8 and Aggregation Configuration Example

Router # show ip flow export

… Cache for <cache-type> aggregation:

Exporting flows to 1.1.1.1 (9999) Exporting using source IP address 192.1.1.5

1303631 flows exported in 332227 udp datagrams…

Appendix: NetFlow for Capacity Planning


Rome Exit Point Paris Exit Point London Exit Point Munich Exit Point

Rome Entry Point NA (*) …Mb/s …Mb/s …Mb/s

Paris Entry Point …Mb/s NA (*) …Mb/s …Mb/s

London Exit Point …Mb/s …Mb/s NA (*) …Mb/s

Munich Exit Point …Mb/s …Mb/s …Mb/s NA (*)

Munich POP

Paris POP

London POP

ISP-1

ISP-2 DestinationSLA

Rome POP

Source

Best Effort

Best EffortTraffic

Business Critical Traffic

(*) Potentially Local Exchange Traffic

The Core Traffic Matrix Traffic Engineering and Capacity Planning


Core Capacity Planning the Big Picture

1. The ability to offer SLAs is dependent upon ensuring that core network bandwidth is adequately provisioned

2. Adequate provisioning (without gross over provisioning) is dependent upon accurate core capacity planning

3. Accurate core capacity planning is dependent upon understanding the core traffic matrix and flows and mapping these to the underlying topology

4. A tool for what if scenarios


PoP

PE

PE

PE

PE

PE

PoP

PE

MPLS Core or

IP Core with BGP Routes Only

Customers

Customers

Internal Traffic: PE to PEExternal Traffic Matrix PE to BGP AS

Server Farm 1 Server Farm 2

AS1 AS2 AS3 AS4 AS5

BGP Next Hop TOS AggregationTypical Example


Key Fields (UniquelyIdentifies the Flow)

Origin AS

Destination AS

Inbound Interface

Output Interface

ToS/DSCP (*)

BGP Next Hop

Additional Export Fields

Flows

Packets

Bytes

First SysUptime

Last SysUptime

NetFlow BGP Next Hop TOS Aggregation Flow Keys

(*) Before Any Recoloring


Core Traffic Matrix with Flexible NetFlow

Less flow records, less CPU impact

Potentially choose higher sampling rate for a better accuracy

(*) Before Any Recoloring

Key Fields (UniquelyIdentifies the Flow)

Origin AS

Destination AS

Inbound Interface

Output Interface

ToS/DSCP (*)

BGP Next Hop

Additional Export Fields

Flows

Packets

Bytes

First SysUptime

Last SysUptime


flow record traffic-matrix-recordmatch routing destination asmatch interface inputmatch ipv4 dscpmatch routing next-hop address ipv4 bgpcollect counter bytes longcollect timestamp sys-uptime firstcollect timestamp sys-uptime last

flow monitor traffic-matrix-monitorrecord traffic-matrix-recordcache entries 10000cache type normalexporter capacity-planning-collector

interface pos3/0ip flow monitor traffic-matrix-monitor

Core Traffic Matrix with Flexible NetFlow Configuration Example

Export less flow records with a permanent cache

However, must know the maximum number of entries

Permanent?


Router(config)# event manager applet periodicexport Router(config-applet)# event timer cron name

"everyhour" cron-entry "0 * * * *"Router(config-applet)# action 1.0 cli command

"clear flow monitor traffic-matrix-record force-export"

Minute (0 59)Hour (0 23)Day of the month (1 31)Month of the year (1 12)Day of the week (0 6 with 0=Sunday)

Permanent Flexible NetFlow Configuration Using EEM + Cron + CLI

Export the content the permanent cache every one hour

If the time is synchronized across routers (NTP), we have a synchronized export (snapshot)