How to Get NetFlow from Cisco 3750s and Other Non-NetFlow Enabled Devices
Joe Buchanan, System Engineer Manager
www.lancope.com
Network Flow Collection
NetFlow Fields
src and dst IP
src and dst port
start time
end time
packet count
byte count
...
[Diagram labels: Internet, NetFlow Packets, StealthWatch Flow Collector]
Flow Monitoring Dual Benefit to IT
Network Team
• Interface Utilization
• Zone Traffic
• Service Traffic
• QOS Monitoring
• ASN Monitoring
• Intra-site monitoring
• MPLS visibility
Security Team
• Behavior-based IDS
• PTP file sharing detection
• Worm and Malware propagation detection
• Network Acceptable Use policy enforcement
• Attack context and 3rd party correlation
NetFlow = Visibility
Traditional SNMP
NetFlow Reporting
NetFlow Supported Devices
• Cisco 800
• Cisco 1700
• Cisco 1900
• Cisco 2800
• Cisco 2900
• Cisco 3900
• Cisco 7200 VXR
• Cisco 7600
• Cisco Catalyst 6500
• Cisco Nexus 7000
• Cisco XR 12000
• Huawei Quidway
• Juniper Networks
• Nortel Networks
Not Supported
• Cisco 3750
How to Troubleshoot with NetFlow: An Example
The Layer-2 Visibility Problem
[Diagram labels: NetFlow Collector; FlowSensor (NetFlow Enabled); Catalyst 6500 (NetFlow Enabled); Catalyst 3750 (No NetFlow); NetFlow]
How to Gain NetFlow From Your 3750
• FlowSensor AE
• Light-weight, cost-effective 1U network appliance
• Collects Ethernet frames and exports NetFlow v9
• Monitor up to (5) 3750s simultaneously
• Works with any NetFlow v9 capable flow collector
Model     Capacity   Disk    Interfaces
AE-1000   1 Gbps     73GB    3 or 5
AE-2000   2.5 Gbps   160GB   3 or 5
[Diagram labels: FlowSensor, NetFlow, StealthWatch Flow Collector]
How to Measure Performance Between Hosts
SRCIP DSTIP PROTO DPORT SPORT PKTS BYTES RTT SRT ...
TCP 80 5749 73 9,092 65ms 230ms ...
TCP 5749 80 103 78,020 65ms 230ms ...
[Diagram labels: StealthWatch FlowSensor, SPAN]
RTT: round trip time across the network, same as “ping” output
SRT: time it takes the server to process a request
Capturing NetFlow Per 3750 Link
[Screenshot labels: FlowSensor capture port, SPAN interface description]
10G Monitoring with Stackable FlowSensors
[Diagram labels: 10G, 7.5G, 5.0G, 2.5G; 16x 1G; Ethernet load balancer vendors...; FlowSensor AE-2000 units (2.5G each); NetFlow; StealthWatch Flow Collector]
FlowSensor VE (Virtual Edition)
• Lightweight, virtual appliance for VMware ESX 3.5 and 4.0
• Captures and records all VM2VM communications within the virtual network environment
• Exports NetFlow v9
• FREE to download and try (visit lancope.com to register and download)
[Diagram labels: VMware Server, NetFlow, StealthWatch Flow Collector]
StealthWatch NetFlow Replicator
• Dedicated NetFlow replication appliance
• Designed to copy and redistribute flows of NetFlow packets based on a rule-set that you define
• Original UDP source IP and payload is preserved
• Simple, easy to configure, web-based, 1U network appliance
• “Promiscuous Mode” allows installation without changing NetFlow export IPs
• Search “Replicator” on NetFlow Ninjas blog for more info
  http://netflowninjas.typepad.com/blog/2009/09/stealthwatch-flow-replicator-holy-cow-this-thing-is-popular.html
[Diagram labels: NetFlow, StealthWatch Flow Replicator]
In Summary
Flow-based technologies provide unrivaled scale and cost effectiveness in large enterprise environments
NetFlow is not just for netops, its value extends across all IT from compliance auditing to helpdesk support
Enable NetFlow on as many devices as you can to maximize visibility, the more the better
NetFlow is ideal for monitoring port dense datacenters and large distributed WAN environments. No probes are required.
NetFlow 101 Boot Camp
22 New Cities in 2010!
Event site: http://lancope.com/news/events/netflowseminar.aspx
Minneapolis, MN      February 17, 2010
Atlanta, GA          February 25, 2010
Hartford, CT         March 11, 2010
Toronto, ON          March 18, 2010
New York, NY         April 1, 2010
Houston, TX          April 8, 2010
Denver, CO           April 15, 2010
Baltimore, MD        May 13, 2010
Seattle, WA          May 20, 2010
San Jose, CA         June 3, 2010
Dallas, TX           July 7, 2010
Washington DC        July 22, 2010
Phoenix, AZ          August 5, 2010
Chicago, IL          August 12, 2010
Cleveland, OH        August 19, 2010
San Francisco, CA    September 2, 2010
Pittsburgh, PA       September 16, 2010
Charlotte, NC        September 30, 2010
Boston, MA           October 7, 2010
Los Angeles, CA      October 21, 2010
New York, NY         November 11, 2010
Miami, FL            December 9, 2010
Thank You
Joe Buchanan, System Engineer Manager
www.lancope.com