NetFlow Introduction to Flexible NetFlow
Jean-Charles GRIVIAUD
[email protected] NSSTG Product Manager
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
1
Cisco IOS NetFlow – What is it?
Developed and patented at Cisco® Systems in 1996.
NetFlow is the de facto standard for acquiring IP operational data.
Provides network and security monitoring, network planning, traffic analysis, and IP accounting.
Network World article – NetFlow adoption on the rise: http://www.networkworld.com/newsletters/nsm/2005/0314nsm1.html
Why Cisco IOS NetFlow? Customer Benefits
Understand: productivity and utilization of assets in the network.
Improve: application and network usage; impact of network changes and services.
NetFlow answers the who, what, when, where, and how of network traffic flows.
Detect and classify security incidents with proven threat defence.
Principle NetFlow Applications

Service Provider                                    Enterprise
Network Infrastructure Optimization and Planning    Internet Access Monitoring
Peering Arrangements                                User Monitoring/Profiling
Traffic Engineering                                 Application Monitoring
Accounting and Billing                              Billing for Departments
Security Monitoring and Incident (DDoS) Detection   Security Monitoring and Incident (DDoS) Detection

Data at ANY granularity to understand network use: who, what, where, when and how.
Cisco Applications and Partners
Traffic Analysis, Billing, Denial of Service (CS-Mars)
Open Source NetFlow Collectors: Flow-Tools, FlowMon, Flowd, IPFlow
More info: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/commercial/
Key Concept — NetFlow Scalability
Packet capture is like a wiretap; NetFlow is like a phone bill.
This level of granularity allows NetFlow to scale for very large amounts of traffic.
We can learn a lot from studying the phone bill: who's talking to whom, over what protocols and ports, for how long, at what speed, for what duration, etc.
NetFlow is a form of telemetry pushed from the routers/switches — each one can be a sensor.
NetFlow Features
Cisco NetFlow (NF) is a group of IOS features for traffic accounting and monitoring on a per-flow basis.
NF includes 21 features with flows of different granularity:
– Traditional IP NF – individual TCP/UDP sessions
– MPLS aware NF – individual TCP/UDP sessions over MPLS
– 12 features of IP aggregated NF – per IP prefix, AS, etc.
– IPv6 NF – individual IPv6 TCP/UDP sessions
– 6 features of IPv6 aggregated NF – per IPv6 prefix, AS, etc.
Flow Key Fields
Each NF feature has a unique set of flow key fields that may include MPLS, IPv4, IPv6, TCP, UDP, ICMP and IGMP packet header fields, and routing attributes.
AS-TOS aggregated NF key fields are:
– source and destination AS's
– input and output interfaces
– TOS
A flow contains exactly those packets that cannot be distinguished from one another by their key field values.
NetFlow Key Fields: Creating Flow Records

1. Inspect the packet for key field values
2. Compare the set of values to the NetFlow cache
3. If the set of values is unique, create a flow in the cache
4. Inspect the next packet

Example 1 – Packet 1 key fields:
  Source IP 1.1.1.1, Destination IP 2.2.2.2, Source port 23, Destination port 22078, Layer 3 Protocol TCP (6), TOS Byte 0, Input Interface Ethernet 0
  -> Create the flow record in the cache:
  Source IP   Dest. IP   Dest. I/F   Protocol   TOS   ...   Pkts
  1.1.1.1     2.2.2.2    E1          6          0     ...   11000

Example 2 – Packet 2 key fields:
  Source IP 3.3.3.3, Destination IP 2.2.2.2, Source port 23, Destination port 22078, Layer 3 Protocol TCP (6), TOS Byte 0, Input Interface Ethernet 0
  -> The key field set differs from the existing flow: add a new flow to the NetFlow cache:
  Source IP   Dest. IP   Dest. I/F   Protocol   TOS   ...   Pkts
  3.3.3.3     2.2.2.2    E1          6          0     ...   11000
  1.1.1.1     2.2.2.2    E1          6          0     ...   11000
Flow Non-Key Fields and Statistics
Non-key fields do not define a flow; they are exported along with the flow and provide additional information.
Traditional IP NF non-key fields:
– source and destination AS's
– source and destination IP prefix masks
– IP address of the next-hop router
– TCP flags
– output interface
NF features provide per-flow statistics:
– number of packets and bytes in the flow
– time-stamps for the first and last packets in the flow
Traditional Layer 3 NetFlow Cache (key fields in yellow, non-key fields in white on the original slide)

1. Create and update flows in the NetFlow cache

SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol  TOS  Flgs  Pkts   SrcPort  SrcMsk  SrcAS  DstPort  DstMsk  DstAS  NextHop    Bytes/Pkt  Active  Idle
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11        80   10    11000  00A2     /24     5      00A2     /24     15     10.0.23.2  1528       1745    4
Fa1/0  173.100.3.2   Fa0/0  10.0.227.12  6         40   0     2491   15       /26     196    15       /24     15     10.0.23.2  740        41.5    1
Fa1/0  173.100.20.2  Fa0/0  10.0.227.12  11        80   10    10000  00A1     /24     180    00A1     /24     15     10.0.23.2  1428       1145.5  3
Fa1/0  173.100.6.2   Fa0/0  10.0.227.12  6         40   0     2210   19       /30     180    19       /24     15     10.0.23.2  1040       24.5    14

2. Expiration – a flow is removed from the cache and exported when:
• Inactive timer expired (15 sec is default)
• Active timer expired (30 min is default)
• NetFlow cache is full (oldest flows are expired)
• RST or FIN TCP flag

Expired flow (active timer reached 1800 s):
SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol  TOS  Flgs  Pkts   SrcPort  SrcMsk  SrcAS  DstPort  DstMsk  DstAS  NextHop    Bytes/Pkt  Active  Idle
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11        80   10    11000  00A2     /24     5      00A2     /24     15     10.0.23.2  1528       1800    4

3. Aggregation (Yes / No)
4. Export version
5. Transport protocol

Export packet: Header + Payload (Flows)
Non-aggregated flows — export version 5 or 9
Aggregated flows — export version 8 or 9. E.g. with the Protocol-Port aggregation scheme the expired flow above becomes:
Protocol  Pkts   SrcPort  DstPort  Bytes/Pkt
11        11000  00A2     00A2     1528
Ingress NetFlow Switching Path (diagram)
Stages as they appear in the figure: Packet input -> Input interface feature check (ACL, Policy, WCCP, NAT input) -> Sampling (1 out of N) -> Flow lookup in the NetFlow cache; for a new flow, add input flow fields (Input bytes, Input packets, Src AS) -> Route lookup (FIB; switching vector CEF+FLOW or FAST+FLOW buffer) -> Add output flow fields (Dest AS, nexthop, BGP nexthop) -> Output interface feature check (QoS, CAR, Crypto, NAT output) -> Output interface update -> Output
Applies to Cisco 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers.
Comprehensive Hardware Support
Core – Cisco IOS Software Release 12.0S / IOS-XR: Cisco Catalyst 6500 and Cisco 7600 Series (ASIC), Cisco 12000 Series (ASIC), CRS-1 (ASIC)
Enterprise & aggregation/edge – Cisco IOS Software Release 12.2S: Cisco 7200/7500 Series, Cisco 7300 Series, Cisco 4500 Series (ASIC), Cisco 10000 Series (ASIC)
Access – Cisco IOS Software Releases: Cisco 800 Series, Cisco 1700 and 1800 Series, Cisco 2600 and 2800 Series, Cisco 3700 and 3800 Series, Cisco 7200/7300 Series
NetFlow Versions

NetFlow Version   Comments
1                 Original
5                 Standard and most common
7                 Specific to Cisco Catalyst 6500 and 7600 Series Switches. Similar to Version 5, but does not include AS, interface, TCP flag & TOS information
8                 Choice of eleven aggregation schemes. Reduces resource usage
9                 Flexible, extensible file export format to enable easier support of additional fields & technologies; coming out now: MPLS, Multicast, & BGP Next Hop
Version 5 – Flow Export Format
From/To: Source IP Address, Destination IP Address
Usage: Packet Count, Byte Count
Time of Day: Start sysUpTime, End sysUpTime
Port Utilization: Input ifIndex, Output ifIndex
Application: Source TCP/UDP Port, Destination TCP/UDP Port
Routing and Peering: Next Hop Address, Source AS Number, Dest. AS Number, Source Prefix Mask, Dest. Prefix Mask
QoS: Type of Service, TCP Flags, Protocol
Version 5 is used extensively today.
Extensibility and Flexibility: Phased Approach
Why a new export protocol? Build a flexible and extensible export format! Advantage: we can add new technologies/data types very quickly. Example: MPLS, IPv6, BGP next hop.
Phase 1: NetFlow Version 9. Advantages: extensibility; integrate new technologies/data types quicker; integrate new aggregations quicker. Note: for now, the template definitions are fixed!
Phase 2: User defined templates (Flexible NetFlow). Advantages: cache and export content flexibility; selection of a subset of the 7 flow keys; selection of the data types to export.
NetFlow v9 Export Packet
To support technologies such as MPLS or Multicast, this export format can be leveraged to easily insert new fields.

Export packet layout (diagram):
  Header (version, # packets, sequence #, Source ID)
  Template FlowSet: Template Record, Template ID #1 (specific field types and lengths); Template Record, Template ID #2 (specific field types and lengths)
  Data FlowSet, FlowSet ID #1 – flows from Interface A: Data Record (field values), Data Record (field values)
  Data FlowSet, FlowSet ID #2 – flows from Interface B: Data Record (field values)
  Option Template FlowSet: Template ID (specific field types and lengths)
  Option Data FlowSet, FlowSet ID: Option Data Record (field values), Option Data Record (field values)

• Matching ID numbers are the way to associate a template with the Data Records
• The Header follows the same format as prior NetFlow versions, so Collectors will be backward compatible
• Each data record represents one flow
• If exported flows have the same fields, then they can be contained in the same Template Record (i.e. unicast traffic can be combined with multicast records)
• If exported flows have different fields, then they cannot be contained in the same Template Record (i.e. BGP next-hop cannot be combined with MPLS Aware NetFlow records)
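The packet layout above, as an added Python example that is not code from the slides or from Cisco: it builds a v9 export packet from a constructed template and two constructed records (addresses reused from slide 9; field type IDs and lengths are the RFC 3954 values, the template ID 256, source ID, sequence number and timestamps are assumed), then parses it the way a collector must, caching templates per (source ID, template ID) and reporting data FlowSets whose template has not arrived yet as undecodable.

```python
"""Build and parse a NetFlow v9 export packet (added example, not Cisco code)."""
import struct
import ipaddress

# Field type IDs (RFC 3954 field type table) used by the constructed template
IN_BYTES, IN_PKTS, PROTOCOL, L4_SRC_PORT = 1, 2, 4, 7
IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 8, 11, 12
IPV4_FIELDS = {IPV4_SRC_ADDR, IPV4_DST_ADDR}
FIELD_NAMES = {IN_BYTES: "in_bytes", IN_PKTS: "in_pkts", PROTOCOL: "protocol",
               L4_SRC_PORT: "src_port", IPV4_SRC_ADDR: "src_addr",
               L4_DST_PORT: "dst_port", IPV4_DST_ADDR: "dst_addr"}
HEADER = struct.Struct("!HHIIII")  # version, count, sysUpTime, unix secs, sequence #, source ID

# Constructed template (field type, length) and records; 11000 packets * 1528 bytes/packet
SAMPLE_FIELDS = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2),
                 (L4_DST_PORT, 2), (PROTOCOL, 1), (IN_PKTS, 4), (IN_BYTES, 4)]
SAMPLE_RECORDS = [
    {IPV4_SRC_ADDR: "1.1.1.1", IPV4_DST_ADDR: "2.2.2.2", L4_SRC_PORT: 23,
     L4_DST_PORT: 22078, PROTOCOL: 6, IN_PKTS: 11000, IN_BYTES: 16808000},
    {IPV4_SRC_ADDR: "3.3.3.3", IPV4_DST_ADDR: "2.2.2.2", L4_SRC_PORT: 23,
     L4_DST_PORT: 22078, PROTOCOL: 6, IN_PKTS: 11000, IN_BYTES: 16808000},
]


def build_v9_packet(template_id, fields, records, seq, source_id=0, include_template=True):
    """Exporter side: optional template FlowSet (ID 0) followed by one data FlowSet."""
    flowsets = b""
    if include_template:
        body = struct.pack("!HH", template_id, len(fields))
        body += b"".join(struct.pack("!HH", t, n) for t, n in fields)
        flowsets += struct.pack("!HH", 0, 4 + len(body)) + body
    data = b""
    for rec in records:  # each record is laid out exactly as the template says
        for ftype, flen in fields:
            data += (ipaddress.IPv4Address(rec[ftype]).packed if ftype in IPV4_FIELDS
                     else int(rec[ftype]).to_bytes(flen, "big"))
    pad = (-(4 + len(data))) % 4  # FlowSets are padded to a 32-bit boundary
    flowsets += struct.pack("!HH", template_id, 4 + len(data) + pad) + data + bytes(pad)
    count = (1 if include_template else 0) + len(records)  # template + data records
    return HEADER.pack(9, count, 123456, 1700000000, seq, source_id) + flowsets


def parse_v9_packet(pkt, templates=None):
    """Collector side. `templates` maps (source_id, template_id) -> field list and must
    persist across packets: data for a template not yet received cannot be decoded."""
    if templates is None:
        templates = {}
    version, count, uptime, secs, seq, source_id = HEADER.unpack_from(pkt, 0)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    flows, undecodable, off = [], [], HEADER.size
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("malformed FlowSet length")
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet: one or more template records
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                if nfields == 0:  # reached padding
                    break
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, p + 4 + 4 * i) for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256:  # data FlowSet: its ID is the template ID (1 = options, skipped)
            spec = templates.get((source_id, fs_id))
            if spec is None:
                undecodable.append(fs_id)
            else:
                rec_len, p = sum(n for _, n in spec), 0
                while p + rec_len <= len(body):  # trailing padding is shorter than a record
                    rec = {}
                    for ftype, flen in spec:
                        raw = body[p:p + flen]
                        p += flen
                        rec[FIELD_NAMES.get(ftype, f"type_{ftype}")] = (
                            str(ipaddress.IPv4Address(raw)) if ftype in IPV4_FIELDS
                            else int.from_bytes(raw, "big"))
                    flows.append(rec)
        off += fs_len
    header = {"count": count, "sequence": seq, "source_id": source_id, "sys_uptime": uptime}
    return header, flows, undecodable
```

The template table must outlive a single packet: a data-only packet parsed with a fresh table yields no flows and reports template 256 as undecodable, while the same packet parsed after the template was seen decodes both records. The sequence number in the header counts export packets per source ID, so gaps between consecutive packets from one exporter indicate export packets lost in transit over UDP.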
NetFlow Features supported with Version 9
• Multicast NetFlow – Availability: Major Release 12.3(1) and 12.2(18)S. Ingress: accounting of replicated multicast packets. Egress: per user accounting of multicast packets
• MPLS Aware NetFlow – Availability: Release 12.0(26)S. Label and prefix export information
• BGP Next Hop – Availability: Releases 12.0(26)S, 12.2(18)S, and 12.3(1). Edge to Edge Traffic Matrix; BGP traffic destination information
• NetFlow for IPv6 – Availability: Release 12.3(7)T. Export IPv6 source and destination information
NetFlow Version 9 Platform Support
Releases:
12.0(24)S for the Cisco 7200, 7500 and 12000 Series Routers
12.3(1) for the Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800 and 7200 Series Routers
12.2(18)S for the Cisco 7200, 7301 and 7500 Series Routers
12.2(18)SXF – Catalyst 6500/7600 Series Switch
12.2(x)SRB – Cisco 7600 Series Router
12.2(30)SB – Cisco 7304 and 10000 Series Routers
NF v9 is an export feature; by itself it doesn't add new capability.
Newer features under NetFlow require NFv9 (e.g., MPLS, Flexible NetFlow).
Performance Testing NetFlow Version 9
Similar CPU and throughput numbers result from configuration of both NetFlow Version 5 and 9.
No change in NetFlow performance after the addition of Version 9 (Cisco IOS Software Releases 12.0(24)S, 12.2S, and 12.3).
CPU is slightly higher immediately following initial boot up or configuration, caused by sending template flowsets to the collector.
NetFlow v9 and IETF
Internet Protocol Flow Information eXport (IPFIX) is an IETF working group: www.ietf.org/html.charters/ipfix-charter.html
NetFlow Version 9 is the basis for the standard on the IETF Standards track.
Introduction of Flexible NetFlow
IOS Traffic Accounting Features
IOS traffic accounting features can be sub-divided into:
– Static features – the number of accounting buckets is statically known and does not depend on traffic, e.g. precedence accounting, BGP PA accounting
– Dynamic features – the number of accounting buckets (flows) depends on traffic, e.g. NetFlow, MAC accounting
New applications constantly require new accounting features. The current approach of developing features one by one does not scale and does not deliver timely solutions.
Scenarios or Uses for Accounting Technologies

Scenario                                  Technology
Network Monitoring                        NetFlow, BGP PA
Network Planning and Traffic Engineering  NetFlow, BGP PA
Application Monitoring                    NBAR, NetFlow
User Monitoring                           AAA, NetFlow
QoS/CoS Monitoring                        CB-QoS MIB, IP SLAs, NetFlow
Security Analysis                         NetFlow, NBAR
Peering and Transit Agreements            SNMP, NetFlow, BGP PA
Time and Usage-Based Billing              AAA, NetFlow
Destination and Source-Sensitive Billing  BGP PA, NetFlow
Flexible NetFlow Benefits
• Increased flexibility, scalability and customization beyond today's NetFlow
• The ability to monitor a wider range of packet information
• User configurable flow information to perform customized traffic identification, and the ability to focus on and monitor specific network attributes
Flexible NetFlow: Tracking data with Flow Monitors
Different flow monitors for detecting different information (network diagram with ISP, WAN, Data Center, Campus, Branch and Teleworker sites): Peering Flows, Application Flows, IP Flows, Security Flows, Multicast Flows.
Flexible NetFlow Advantage
Traditional NetFlow: one set of flow information, a single cache used by all applications.
Flexible NetFlow advantage: different NetFlow applications are tracked separately.
Flexible NetFlow benefits:
• Track security and traffic analysis data separately
• Export different Flow Monitors to different destinations
• Customers benefit from detailed analysis for each application
Flexible NetFlow Advantage (Cont.)
Traditional NetFlow: one cache may limit detailed problem isolation.
Flexible NetFlow advantage: focused network visibility and problem isolation.
Flexible NetFlow benefits:
• Create virtual NetFlow caches to track and isolate issues
• Isolate security or traffic incidents in the network
• Customized traffic identification combined with input filtering
• Allows pinpoint accuracy in determining and isolating incidents
Flexible NetFlow Advantage (Cont.)
Traditional NetFlow: limited data aggregation and fixed flow fields.
Flexible NetFlow advantage: user selected flow information, increasing scalability; visibility into new types of data using version 9 export.
Flexible NetFlow benefits:
• Select only the information that is needed
• Better use of flow cache and aggregation
• New information from layer 2 and above, including packet sections
Flexible NetFlow: Tracking data with Flow Monitors
Different flow monitors for detecting different information (same network diagram: ISP, WAN, Data Center, Campus, Branch):
Peering Flows – Dest. AS, Dest. Traffic Index, BGP Next Hop, DSCP
IP Flows – IP Subnets, Ports, Protocol, Interfaces, Egress/Ingress
Multicast Flows – Protocol, Ports, IP Subnets, Packet Replication
Security Flows – Protocol, Ports, IP Addresses, TCP Flags, Packet Section
Flexible NetFlow: Multiple Monitors with Unique Key Fields
The same traffic is fed to two flow monitors with different key fields.

Flow monitor 1 (Traffic Analysis)
  Key fields of Packet 1: Source IP 3.3.3.3, Destination IP 2.2.2.2, Source port 23, Destination port 22078, Layer 3 Protocol TCP (6), TOS Byte 0, Input Interface Ethernet 0
  Non-key fields: Packets, Bytes, Time Stamps, Next-Hop Address
  Traffic Analysis Cache:
  Source IP   Dest. IP   Dest. I/F   Protocol   TOS   ...   Pkts
  3.3.3.3     2.2.2.2    E1          6          0     ...   11000
  1.1.1.1     2.2.2.2    E1          6          0     ...   11000

Flow monitor 2 (Security Analysis)
  Key fields of Packet 2: Source IP 3.3.3.3, Dest IP 2.2.2.2, Input Interface Ethernet 0, Packet Section 1010101
  Non-key fields: Packets, Time Stamps
  Security Analysis Cache:
  Source IP   Dest. IP   Dest. I/F   Input I/F   Sec   ...   Pkts
  3.3.3.3     2.2.2.2    E1          E1          101   ...   11000
Flexible NetFlow Components
• The Flow Monitor is a flow cache that contains flow records. It is applied to an interface; flow monitors can be ingress or egress; packet sampling is possible per flow monitor.
• Flow Monitor components:
  Flow Record – defines what is captured by NetFlow. Flow records have two formats: pre-defined or user-defined schemes. They include key and non-key fields.
  Flow Exporter – where NetFlow will be exported. Multiple flow exporters per Flow Monitor.
Flexible NetFlow Model (diagram)
Interface -> Monitors "A", "B", "C"; Records "X", "Y", "Z" (one per monitor); Exporters "M" and "N" (shared between monitors)
A single record per monitor. Potentially multiple monitors per interface. Potentially multiple exporters per monitor.
Configure a User-Defined Flow Record

Configure the Exporter:
Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1

Configure the Flow Record:
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 icmp type
Router(config-flow-record)# match ipv4 icmp code
Router(config-flow-record)# collect counter bytes

Configure the Flow Monitor:
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record

Configure the Interface:
Router(config)# int s3/0
Router(config-if)# ip flow monitor my-monitor input
Flexible Monitor Configuration
Define the flow monitor cache; associated with the monitor are an exporter and a pre-defined or user-defined NetFlow record.
CLI:
flow monitor
  record
  exporter
  cache type {normal | immediate | permanent}
  cache entries
  cache timeout {active | inactive | update}
  size-distribution
  exit
Flexible NetFlow User Defined Record Configuration
Router(config)# flow record my-record
Router(config-flow-record)# match    -> specify a key field
Router(config-flow-record)# collect  -> specify a non-key field

Router(config-flow-record)# match ?
  flow        Flow identifying fields
  interface   Interface fields
  ipv4        IPv4 fields
  routing     routing attributes
  transport   Transport layer field

Router(config-flow-record)# collect ?
  counter     Counter fields
  flow        Flow identifying fields
  interface   Interface fields
  ipv4        IPv4 fields
  routing     IPv4 routing attributes
  timestamp   Timestamp fields
  transport   Transport layer fields
Flexible Flow Record Configuration Example
Flow key fields: destination AS, IPv4 source prefix, output interface index; maintain 32-bit packet and byte counters; no timestamps:
(config)# flow record dst-as-src-prefix
(flow-record)# match routing destination as
(flow-record)# match ipv4 source prefix
(flow-record)# match ipv4 source mask
(flow-record)# match interface output
(flow-record)# collect counter packets
(flow-record)# collect counter bytes
(flow-record)# exit
Flexible Flow Record: Key Fields
IPv4: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Protocol, Fragmentation Flags, Fragmentation Offset, ID, Header Length, Total Length, Payload Size, Packet Section (Header), Packet Section (Payload), TTL, Options, Version, Precedence, DSCP, TOS
Routing: Destination AS, Peer AS, Forwarding Status, Is-Multicast, IGP Next Hop, BGP Next Hop, Traffic Index
Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, UDP Message Length, UDP Source Port, UDP Destination Port, TCP Flags: ACK, CWR, ECE, FIN, PSH, RST, SYN, URG
Flow: Sampler ID, Direction
Interface: Input, Output
Flexible Flow Record: Key Fields for Traffic Analysis / for Security / for Peering arrangements
Slides 39, 40 and 41 repeat the key-field table above, each highlighting the subset relevant to traffic analysis, security, and peering arrangements respectively.
Flexible Flow Record: Non-Key Fields for Security
Any of the potential "key" fields can also be collected as a non-key field; its value will be that of the first packet in the flow. Plus:
Counters: Bytes, Bytes Long, Bytes Square Sum, Packet, Packet Long
Timestamp: sysUpTime First Packet
Timestamp: sysUpTime First Packet
IPv4: Total Length Minimum, Total Length Maximum, TTL Minimum, TTL Maximum
Flexible Flow Monitor Cache Types
Three types of NetFlow caches are available:
Normal – Similar to today's NetFlow, but the active and inactive timers are more flexible (e.g. an active timer of 1 second)
Immediate – 1 second timer and no export delay; a flow accounts for 1 packet. Used for real-time traffic monitoring, DDoS detection, logging. Used for flow records with packet sections or with a large set of key fields
Permanent – A permanent flow cache can be used to track a set of flows over time without expiring the flows from the cache. The entire cache is periodically exported to the collector. After the cache is full, flows will be dropped (size configurable). Useful for accounting or security monitoring
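As an added Python example (not code from the slides or from Cisco), a model of the cache behaviour described on slides 9 to 11 (key fields create flows, non-key fields and counters are collected, flows expire on the inactive/active timers, on a full cache, or on FIN/RST), on slide 31 (the same packets fed to two monitors with different key fields) and on this slide (normal, immediate and permanent cache types). The packets, timestamps, monitor names, the 4.4.4.4 source and the key/collect field choices are constructed; the 1.1.1.1 and 3.3.3.3 to 2.2.2.2 packets reuse the values from slides 9 and 31.

```python
"""Model of Flexible NetFlow flow monitors (added example, not Cisco code)."""
from dataclasses import dataclass, field

TCP_FIN, TCP_RST = 0x01, 0x04


@dataclass
class FlowMonitor:
    """A flow cache whose record is defined by 'match' (key) and 'collect' (non-key)
    fields, in the spirit of 'flow record' plus 'flow monitor' in the FNF CLI."""
    name: str
    match: tuple                      # key fields: packets sharing these values share a flow
    collect: tuple = ()               # non-key fields: value taken from the flow's first packet
    cache_type: str = "normal"        # normal | immediate | permanent (slide 43)
    active_timeout: float = 1800.0    # traditional default: 30 min
    inactive_timeout: float = 15.0    # traditional default: 15 s
    max_entries: int = 4096           # 'cache entries'
    cache: dict = field(default_factory=dict)
    exported: list = field(default_factory=list)
    dropped: int = 0                  # permanent cache only: new flows refused when full

    def ingest(self, pkt: dict, now: float) -> None:
        key = tuple(pkt[f] for f in self.match)
        entry = self.cache.get(key)
        if entry is None:
            if len(self.cache) >= self.max_entries:
                if self.cache_type == "permanent":
                    self.dropped += 1
                    return
                oldest = min(self.cache, key=lambda k: self.cache[k]["last"])
                self._export(oldest, "cache_full")  # traditional: oldest flow expired
            entry = {f: pkt.get(f) for f in self.collect}
            entry.update(first=now, last=now, packets=0, bytes=0)
            self.cache[key] = entry
        entry["packets"] += 1
        entry["bytes"] += pkt["length"]
        entry["last"] = now
        if self.cache_type == "immediate":          # every packet is its own exported record
            self._export(key, "immediate")
        elif self.cache_type == "normal" and pkt.get("tcp_flags", 0) & (TCP_FIN | TCP_RST):
            self._export(key, "fin_rst")

    def age(self, now: float) -> None:
        """Inactive and active timers; a permanent cache never expires its flows."""
        if self.cache_type != "normal":
            return
        for key, e in list(self.cache.items()):
            if now - e["last"] >= self.inactive_timeout:
                self._export(key, "inactive")
            elif now - e["first"] >= self.active_timeout:
                self._export(key, "active")

    def snapshot(self) -> list:
        """Permanent cache: the whole cache is exported periodically and left in place."""
        return [dict(zip(self.match, k), **e) for k, e in self.cache.items()]

    def _export(self, key, reason):
        self.exported.append(dict(zip(self.match, key), reason=reason, **self.cache.pop(key)))


def pkt(t, src, sport, flags, length, dst="2.2.2.2", dport=22078):
    """Constructed packet metadata (only the fields a record could match or collect)."""
    return dict(t=t, src_ip=src, dst_ip=dst, src_port=sport, dst_port=dport, protocol=6,
                tos=0, input_if="Ethernet0", tcp_flags=flags, length=length)


PACKETS = [                                     # constructed; addresses reuse slides 9 and 31
    pkt(0.0, "1.1.1.1", 23, 0x18, 1500),
    pkt(0.1, "3.3.3.3", 23, 0x18, 1500),
    pkt(0.2, "1.1.1.1", 23, 0x18, 200),          # same 7-tuple as the first packet
    pkt(0.3, "1.1.1.1", 23, 0x11, 40),           # FIN+ACK: terminates that flow
    pkt(0.4, "4.4.4.4", 40000, 0x02, 60, dport=80),   # SYN only
    pkt(0.5, "4.4.4.4", 40001, 0x02, 60, dport=80),   # SYN only, another source port
]
TRAFFIC_KEYS = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol", "tos", "input_if")
SECURITY_KEYS = ("src_ip", "dst_ip", "dst_port", "protocol", "tcp_flags")


def run_monitors(packets=PACKETS):
    """Slide 31: the same packets go to a traffic-analysis and a security monitor."""
    traffic = FlowMonitor("traffic-analysis", TRAFFIC_KEYS, collect=("tcp_flags",))
    security = FlowMonitor("security", SECURITY_KEYS, collect=("input_if",))
    for p in packets:
        traffic.ingest(p, p["t"])
        security.ingest(p, p["t"])
    return traffic, security


def run_cache_types(packets=PACKETS):
    """Slide 43: an immediate cache exports per packet; a permanent cache keeps all flows."""
    immediate = FlowMonitor("ddos-watch", SECURITY_KEYS, cache_type="immediate")
    permanent = FlowMonitor("per-tos", ("tos", "input_if"), cache_type="permanent",
                            max_entries=256)
    for p in packets:
        immediate.ingest(p, p["t"])
        permanent.ingest(p, p["t"])
    permanent.age(3600.0)                       # no effect on a permanent cache
    return immediate, permanent
```

With the traditional 7-tuple the three 1.1.1.1 packets collapse into one flow that is exported on the FIN, while the security monitor, keyed on TCP flags instead of source port and TOS, merges the two SYN-only packets from 4.4.4.4 into a single flow with a packet count of 2: the choice of key fields decides what a cache can count.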
Complete Permanent Flexible NetFlow Configuration Example
Per-DSCP accounting flow record definition (64-bit counters):
Router(config)# flow record my-dscp-record
Router(config-flow-record)# match ipv4 dscp
Router(config-flow-record)# match interface input
Router(config-flow-record)# collect counter bytes long
Router(config-flow-record)# collect counter packets long
Router(config)# flow monitor my-dscp-monitor
Router(config-flow-monitor)# description dscp:bytes and packets
Router(config-flow-monitor)# record my-dscp-record
Router(config-flow-monitor)# cache type permanent
Router(config-flow-monitor)# cache entries 256
Router(config)# interface GigabitEthernet 0/1
Router(config-if)# ip flow monitor my-dscp-monitor input
This would replace "IP accounting precedence".
Flexible NetFlow Activation on Interface
Router(config-if)# ip flow monitor [sampler ] [input | output]
Applies the monitor to the input or output traffic; the direction does not determine the flow key. Sends the "sampler-table" option.
Deterministic or random sampling is available:
Router(config)# sampler
  mode [deterministic | random] out-of
Flow Exporters
Flow export to collectors is defined using a Flow Exporter.
Each Flow Monitor can use multiple flow exporters simultaneously (export to many NetFlow Collectors).
Flow exporters can use different reliable and unreliable transport protocols: UDP, SCTP.
Flow exporters support different export protocols (v9 and IPFIX).
Flow exporters are QoS aware and can be prioritized, unlike today's NetFlow.
Flexible Monitor Configuration
flow monitor
  record
  exporter                                      (potentially multiple)
  cache type {normal | immediate | permanent}   (3 types of cache: see next slides)
  cache entries
  cache timeout {active | inactive | update}
  statistics packet protocol                    (collect protocol distribution statistics)
  statistics packet size                        (collect size distribution statistics)
Packet Section Fields
A contiguous chunk of a packet of a user configurable size, used as a key or a non-key field.
Sections are used for detailed traffic monitoring, DDoS attack investigation, worm detection and other security applications.
A chunk defined as a flow key should be used in sampled mode with an immediate aging cache.
Starts at the beginning of the IPv4 header: collect or match ipv4 header
Immediately follows the IPv4 header: collect or match ipv4 payload
Flexible NetFlow Status
Flexible NetFlow is FCS: available in 12.4(9)T on the Cisco 800, 1800, 2800, 3800, 7200 and 7301 Series.
Flexible NetFlow phase I provides: Multiple User Defined Caches, Complete IPv4 Header Info, UDP/Packet Section Exporters, Persistent Caches, Ingress/Egress Support, Common CLI, Sampled NetFlow
Flexible NetFlow Evolution
Flexible NetFlow introduced on 7304 (12.2(31)SB2)
Flexible NetFlow to be introduced on GSR (12.0(33)S), Engine 3 and Engine 5
Flexible NetFlow IPv6 will be added in 12.4(7th)T
Candidate features for 12.5(2th)T: QoS output feature for FNF exporter, IP multicast traffic, NetFlow v5 export, TopNTalkers, input filters/MQC integration
Radar features: NBAR integration, IPFIX support
Backup Slides
Cisco NetFlow Feature Overview

Category                              Features
Export Formats                        NetFlow Export Versions 1, 5, 7, 8; Version 9 – latest flexible and extensible format
Accounting                            NetFlow Router Based Aggregation (v8/v9); Origin and Peer AS; Bridged NetFlow; MAC Address Export; Egress NetFlow Accounting
Network Analysis & Capacity Planning  Random Sampled NetFlow; Random and Time-based Flow Sampled NetFlow; BGP Next Hop NetFlow; Export Filters; Dual Export
Cisco NetFlow Feature Overview (2)

Category             Features
Security Monitoring  NetFlow MIB and Top Talkers; Input filters; Security Exports (IPv4 Header); Dynamic Top Talkers CLI
Standard             NetFlow Version 9 – basis for IPFIX WG; Export format Version 9 – RFC 3954; Reliable Export with SCTP; IPFIX Export standard for Packet Sampling WG (PSAMP)
Cisco NetFlow Feature Overview (3)

Category    Features
MPLS        MPLS Egress NetFlow; MPLS Aware NetFlow; MPLS Information Export (LFIB); MPLS Aggregation (EXP, BGP-NH, Egress I/F)
Multicast   Multicast NetFlow
IPv6        IPv6 NetFlow
NetFlow-Platform Export Feature Comparison (1) Feature
Software
Version 5
12.0(1)
12.1(2)E
Version 8
12.0(3)T
Version 9 Dual Export VRF Destination
C6500
C12000
C10000
C4500
12.1(2)E
12.0(14)S
12.0(19)SL
12.1(13)EW
12.2(14)SX
12.2(14)SX
12.0(6)S
12.0(19)SL
12.1(19)EW
12.3
12.2(18)SXF
12.2(18)SXF
12.0(24)S
12.2(31)SB
12.2(2)T
12.2(17d)SXB
12.2(17d)SXB
12.4(4)T
Security Exports 12.3(14)T Reliable Export
12.3(4)T
Mac Address
12.3(14)T
Vlan Export
12.4(4)T
CRS
3.2
12.2(15)BX 12.1(19)EW 12.0(26)S3
12.2(1st)SXH 12.2(1st)SRB
Available Now
C7600
Not Available
Roadmap
NetFlow - Platform Feature Comparison (2) Feature
Software
C6500
C7600
NetFlow MIB with Top Talker
12.3(7)T
12.2(1st)SXH
12.2(1st)SRB
Dynamic Top Talker CLI
12.3(4)T
Egress/Output NetFlow
12.3(11)T
Bridged NF
C12000
C10000
12.0(10)ST 12.2(31)SB 12.2(18)SXE1 12.2(18)SXE1
Input Filters
C4500
CRS
3.2 12.2(25)EW
12.3(4)T
Export Filters
Yes
Yes
Forwarding Status
Yes
Yes
Yes
Yes
TCP Flags
Yes
Yes
Yes
Yes
IFIndex to Name Map
12.4(4)T
Available Now
Not Available
Roadmap
NetFlow - Platform Feature Comparison (3) Feature
Software
C6500
C7600
12.3(7)T
12.2(1st)SXH
12.2(1st)SRB
Multicast
12.3
12.2(18)SXF
12.2(18)SXF
BGP Next Hop
12.3
12.2(18)SXF
12.2(33)SRA
Per Interface
Yes
12.2(1st)SXH
12.2(1st)SRB
No Sub
12.2(15)BX
3.2
TOS Support
Yes
12.2(17b)SXA
12.2(17b)SXA
Yes
Yes
3.2
IPv6
Packet Sampling
12.3(2)T
Flow Sampling
C12000
12.0(26)S 12.2(31)SB
12.0(11)S 12.2(31)SB 12.1(13)E
12.1(13)E
12.1(2)T
Yes
MPLS Egress
12.2(2)T
Output
MPLS Aware
12.3(8)T
12.0(24)S
MPLS Label Export
12.2SB
Available Now
Yes 3.2
12.2(1st)SRB
MPLS Aggregation
C4500 CRS
3.2
Min Prefix Aggr.
C10000
12.2(31)SB
Not Available
Roadmap
Flexible NetFlow – Platform Feature Comparison

Feature             Software     C6500
IPv4 Unicast        12.4(9)T     HalfDome
NetFlow v9 Export   12.4(9)T     HalfDome
NetFlow v5 Export   12.5(2st)T   HalfDome
IPv6 Unicast        12.4(13)T    HalfDome
IPv4 Multicast      12.5(2st)T   HalfDome
IPv6 Multicast      12.5(2st)T   HalfDome
Dyn. TopNTalkers    12.5(2st)T   HalfDome
MPLS FNF
C7600
C12000
C10000
C4500 CRS
12.0(33)S
12.0(33)S
L2 FNF
Available Now
Not Available
Roadmap