NetFlow:What is it, why and how to use it?

Miloš Zeković,milos.zekovic@soneco.rs

ICmyNet Chief Customer Officer

Soneco d.o.o. Serbia

2 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

Agenda

What is NetFlow?

What are the benefits?

How to deploy NetFlow?

Questions

3 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

What is NetFlow?

NetFlow protocol

IP Flow

How it works

NetFlow equivalents

4 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

NetFlow protocol

Developed by Cisco Systems

Classifies network traffic into 'flows'

v5 - most common version, IPv4

v9 - template based, IPv6 and MPLS

v10 (IPFIX) – standardised, flexible fields

5 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

IP Flow – RFC 3954

An IP Flow, ..., is defined as a set of IP packets passing an Observation Point in the network during a certain time interval. All packets that belong to a particular Flow have a set of common properties ... at the Observation Point.

6 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

IP Flow – Cisco NF v5

Unidirectional sequence of packets that all share the following 7 values:

Ingress interface (SNMP ifIndex)

Source IP address and Destination IP address

IP protocol

Source and destination port for UDP or TCP, 0 for other protocols

IP Type of Service

7 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

How it works?

Flow record

Exporter

Flow Collector

Netflow Server (flow collection + aggregation)

8 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

How it works? (2)

9 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

NetFlow equivalents

Jflow – Juniper Networks

NetStream - 3Com/HP

NetStream - Huawei Technologies

sFlow – Cisco, Juniper, HP, IBM, Huawei...

10 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

What are the benefits?

Bandwidth utilization understandingApplication monitoring

Top consumers by host, service, QoS...

Accounting/Billing

Network optimization and planningTraffic trend visualization

Traffic engineering

11 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

What are the benefits? (2)

Faster network troubleshooting Faster, better diagnostics

Complements network monitoring systems

Network securityTraffic anomaly analysis

Flow records inspection

Lower operational cost

12 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

How to deploy NetFlow?

Netflow capability

Configuring netflow export

NetFlow Analyzers

13 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

NetFlow capability

NetFlow capable devices: Routers

L3 switches

NetFlow probes – e.g. softflowd

Capability issuesNetflow protocol conversion – e.g. nprobe

Multiple exporting – e.g. samplicator

Sampling

14 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

Configuring netflow export

Export planningOn what routers/interfaces to enable netflow

Duplication issues

Exporter configurationConfigure exporters

Setup sampling, conversion, probes

Choose and setup netflow collector/analyser

15 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

Exporter configuration

← INCORRECT

CORRECT →

16 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

Double export example

17 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

De-duplication of netflow

Duplication is usually a problem for network-wide statistics

Some NetFlow analysers have automatic de-duplication

Some Netflow analysers can be configured to avoid duplication

18 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

NetFlow Analysers - approaches

Statistics per/by:exporter/interface

application/service

IP address group

routers/interfaces group

specific traffic

host

19 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

NetFlow Analysers

Commercial applications:ManageEngine – NetFlow Analyzer

SolarWinds – NetFlow Traffic Analyzer

Plixer - Scrutinizer

Peassler – PRTG Traffic Grapher

Fluke Networks

Soneco - ICmyNet/NetVizura

...

20 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

Question time

Questions?

21 / 22Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

Thank you

NetFlow:What is it, why and how to use it?

Miloš Zeković,milos.zekovic@soneco.rs

ICmyNet Chief Customer Officer

Soneco d.o.o. Serbia