NetFlow Introduction to Flexible NetFlow


Jean-Charles GRIVIAUD ([email protected]), NSSTG Product Manager

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Cisco IOS NetFlow – What is it?
• Developed and patented at Cisco Systems in 1996
• NetFlow is the de facto standard for acquiring IP operational data
• Provides network and security monitoring, network planning, traffic analysis, and IP accounting

Network World article, "NetFlow Adoption on the Rise": http://www.networkworld.com/newsletters/nsm/2005/0314nsm1.html

Why Cisco IOS NetFlow? Customer Benefits
• Understand productivity and utilization of assets in the network
• Improve application and network usage
• Assess the impact of network changes and services
• Detect and classify security incidents with proven threat defence
NetFlow answers the who, what, when, where, and how of network traffic flow

Principal NetFlow Applications

Service Provider                                  | Enterprise
Network Infrastructure Optimization and Planning  | Internet Access Monitoring
Peering Arrangements                              | User Monitoring/Profiling
Traffic Engineering                               | Application Monitoring
Accounting and Billing                            | Billing for Departments
Security Monitoring and Incident (DDoS) Detection | Security Monitoring and Incident (DDoS) Detection

Data at ANY granularity to understand network use: who, what, where, when and how

Cisco Applications and Partners
• Traffic Analysis
• Billing
• Denial of Service: CS-MARS
• Open Source NetFlow Collectors: Flow-Tools, FlowMon, Flowd, IPFlow
More info: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/commercial/

Key Concept — NetFlow Scalability
• Packet capture is like a wiretap
• NetFlow is like a phone bill
• This level of granularity allows NetFlow to scale for very large amounts of traffic
• We can learn a lot from studying the phone bill: who is talking to whom, over what protocols and ports, for how long, at what speed, for what duration, etc.
• NetFlow is a form of telemetry pushed from the routers/switches — each one can be a sensor

NetFlow Features
• Cisco NetFlow (NF) is a group of IOS features for traffic accounting and monitoring on a per-flow basis
• NF includes 21 features with flows of different granularity:
  – Traditional IP NF: individual TCP/UDP sessions
  – MPLS-aware NF: individual TCP/UDP sessions over MPLS
  – 12 features of IP aggregated NF: per IP prefix, AS, etc.
  – IPv6 NF: individual IPv6 TCP/UDP sessions
  – 6 features of IPv6 aggregated NF: per IPv6 prefix, AS, etc.

Flow Key Fields
• Each NF feature has a unique set of flow key fields, which may include MPLS, IPv4, IPv6, TCP, UDP, ICMP and IGMP packet header fields and routing attributes
• AS-TOS aggregated NF key fields are:
  – source and destination AS
  – input and output interfaces
  – TOS
• A flow contains all, and only, the packets that cannot be distinguished from one another by their key field values

NetFlow Key Fields: Creating Flow Records

1. Inspect the packet for key field values
2. Compare the set of values to the NetFlow cache
3. If the set of values is unique, create a flow in the cache
4. Inspect the next packet

Example 1: Packet 1
Key Fields: Source IP 1.1.1.1 | Destination IP 2.2.2.2 | Source port 23 | Destination port 22078 | Layer 3 Protocol TCP - 6 | TOS Byte 0 | Input Interface Ethernet 0
The set of key values is not in the cache, so a flow record is created in the cache:
Source IP | Dest. IP | Dest. I/F | Protocol | TOS | … | Pkts
1.1.1.1   | 2.2.2.2  | E1        | 6        | 0   | … | 11000

Example 2: Packet 2
Key Fields: Source IP 3.3.3.3 | Destination IP 2.2.2.2 | Source port 23 | Destination port 22078 | Layer 3 Protocol TCP - 6 | TOS Byte 0 | Input Interface Ethernet 0
The source IP differs from every flow in the cache, so a new flow is added to the NetFlow cache:
Source IP | Dest. IP | Dest. I/F | Protocol | TOS | … | Pkts
3.3.3.3   | 2.2.2.2  | E1        | 6        | 0   | … | 11000
1.1.1.1   | 2.2.2.2  | E1        | 6        | 0   | … | 11000

Flow Non-Key Fields and Statistics
• Non-key fields are not used to define a flow; they are exported along with the flow and provide additional information
• Traditional IP NF non-key fields:
  – source and destination AS
  – source and destination IP prefix masks
  – IP address of the next-hop router
  – TCP flags
  – output interface
• NF features provide per-flow statistics:
  – number of packets and bytes in the flow
  – time stamps of the first and last packets in the flow

Traditional Layer 3 NetFlow Cache
(On the original slide key fields are shown in yellow and non-key fields in white: SrcIf, SrcIPadd, DstIPadd, Protocol, TOS, Src Port and Dst Port are the key fields; the remaining columns are non-key fields and statistics.)

1. Create and update flows in the NetFlow cache
SrcIf | SrcIPadd     | DstIf | DstIPadd    | Protocol | TOS | Flgs | Pkts  | Src Port | Src Msk | Src AS | Dst Port | Dst Msk | Dst AS | NextHop   | Bytes/Pkt | Active | Idle
Fa1/0 | 173.100.21.2 | Fa0/0 | 10.0.227.12 | 11       | 80  | 10   | 11000 | 00A2     | /24     | 5      | 00A2     | /24     | 15     | 10.0.23.2 | 1528      | 1745   | 4
Fa1/0 | 173.100.3.2  | Fa0/0 | 10.0.227.12 | 6        | 40  | 0    | 2491  | 15       | /26     | 196    | 15       | /24     | 15     | 10.0.23.2 | 740       | 41.5   | 1
Fa1/0 | 173.100.20.2 | Fa0/0 | 10.0.227.12 | 11       | 80  | 10   | 10000 | 00A1     | /24     | 180    | 00A1     | /24     | 15     | 10.0.23.2 | 1428      | 1145.5 | 3
Fa1/0 | 173.100.6.2  | Fa0/0 | 10.0.227.12 | 6        | 40  | 0    | 2210  | 19       | /30     | 180    | 19       | /24     | 15     | 10.0.23.2 | 1040      | 24.5   | 14

2. Expiration
• Inactive timer expired (15 sec is default)
• Active timer expired (30 min is default)
• NetFlow cache is full (oldest flows are expired)
• RST or FIN TCP flag
Expired flow shown on the slide:
SrcIf | SrcIPadd     | DstIf | DstIPadd    | Protocol | TOS | Flgs | Pkts  | Src Port | Src Msk | Src AS | Dst Port | Dst Msk | Dst AS | NextHop   | Bytes/Pkt | Active | Idle
Fa1/0 | 173.100.21.2 | Fa0/0 | 10.0.227.12 | 11       | 80  | 10   | 11000 | 00A2     | /24     | 5      | 00A2     | /24     | 15     | 10.0.23.2 | 1528      | 1800   | 4

3. Aggregation (Yes / No)
  Yes: e.g. with the Protocol-Port aggregation scheme the flow becomes
    Protocol | Pkts  | SrcPort | DstPort | Bytes/Pkt
    11       | 11000 | 00A2    | 00A2    | 1528
  Aggregated flows: export Version 8 or 9
  No: non-aggregated flows: export Version 5 or 9

4. Export version
5. Transport protocol

Export packet: Header + Payload (Flows)
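The cache lifecycle described above (seven fixed key fields, non-key fields taken from the packets, per-flow statistics, and the four expiration rules) as an added Python simulation. This is not Cisco code; the `NetFlowCache` class, the `packet()` helper and the trace in `run_demo()` are constructed for the demo, and the timer defaults are the 15-second and 30-minute values from the slide.

```python
from dataclasses import dataclass

# The seven traditional key fields; everything else on a cache row is a
# non-key field or a per-flow statistic.
KEY_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol", "tos", "in_if")
TCP, TCP_FIN, TCP_RST = 6, 0x01, 0x04


@dataclass
class Flow:
    first: float          # timestamp of the first packet in the flow
    last: float           # timestamp of the most recent packet
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0    # non-key field: OR of the TCP flags seen in the flow


class NetFlowCache:
    def __init__(self, max_entries=4, active_timeout=1800, inactive_timeout=15):
        self.max_entries = max_entries
        self.active_timeout = active_timeout        # slide default: 30 minutes
        self.inactive_timeout = inactive_timeout    # slide default: 15 seconds
        self.flows = {}       # key tuple -> Flow
        self.exported = []    # (key, Flow, reason) handed to the exporter

    def _export(self, key, reason):
        self.exported.append((key, self.flows.pop(key), reason))

    def expire(self, now):
        """Timer-driven expiration, which a router runs periodically."""
        for key, flow in list(self.flows.items()):
            if now - flow.last > self.inactive_timeout:
                self._export(key, "inactive timer")
            elif now - flow.first > self.active_timeout:
                self._export(key, "active timer")

    def process(self, pkt, now):
        self.expire(now)
        key = tuple(pkt[f] for f in KEY_FIELDS)   # 1. inspect the key fields
        flow = self.flows.get(key)                 # 2. compare with the cache
        if flow is None:                           # 3. unique values: new flow
            if len(self.flows) >= self.max_entries:
                oldest = min(self.flows, key=lambda k: self.flows[k].first)
                self._export(oldest, "cache full")  # oldest flow is expired
            flow = self.flows[key] = Flow(first=now, last=now)
        flow.packets += 1
        flow.bytes += pkt["length"]
        flow.last = now
        flow.tcp_flags |= pkt.get("tcp_flags", 0)
        if pkt["protocol"] == TCP and pkt.get("tcp_flags", 0) & (TCP_FIN | TCP_RST):
            self._export(key, "tcp fin/rst")       # session over: export at once


def packet(src_ip, dst_port, protocol=TCP, length=100, tcp_flags=0):
    """Constructed packet carrying only the fields the cache consults."""
    return {"src_ip": src_ip, "dst_ip": "10.0.227.12", "src_port": 40000,
            "dst_port": dst_port, "protocol": protocol, "tos": 0,
            "in_if": "Fa1/0", "length": length, "tcp_flags": tcp_flags}


def run_demo():
    """Constructed trace that triggers each of the four expiration reasons."""
    cache = NetFlowCache(max_entries=2)
    for t in (0, 1, 2):                              # flow 1: three packets
        cache.process(packet("173.100.21.2", 80), now=t)
    cache.process(packet("173.100.3.2", 22), now=3)  # flow 2: TCP session ...
    cache.process(packet("173.100.3.2", 22, tcp_flags=TCP_FIN), now=4)  # ... closed by FIN
    cache.process(packet("173.100.20.2", 53, protocol=17), now=5)       # flow 3 (UDP)
    for t in range(6, 1817, 10):                     # flow 4: steady traffic for > 30 min
        cache.process(packet("173.100.6.2", 443), now=t)
    return cache
```

Running `run_demo()` exports, in order, flow 2 on the FIN, flow 1 because the two-entry cache is full, flow 3 on the inactive timer and flow 4 on the active timer; the exported `Flow` objects carry the packet and byte counters and the first/last timestamps that a real export record would.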

Ingress NetFlow Switching Path
(Flow diagram on the original slide, reconstructed as a sequence; applies to Cisco 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers.)
1. Packet input
2. Input interface feature check: ACL, Policy, WCCP, NAT input
3. Sampling: 1 out of N packets continues to NetFlow (when configured)
4. Flow lookup in the NetFlow cache; for a new flow the input flow fields are added (input bytes, input packets)
5. Route lookup in the FIB, then the output flow fields are added (Dest AS, Src AS, nexthop, BGP nexthop)
6. Output interface feature check: QoS, CAR, Crypto, NAT output
7. Output interface update, then output
Switching vector: CEF+FLOW or FAST+FLOW

Comprehensive Hardware Support
• Core (Cisco IOS Software Release 12.0S / IOS-XR): Cisco Catalyst 6500 and Cisco 7600 Series (ASIC), Cisco 12000 Series (ASIC), CRS-1 (ASIC)
• Enterprise & aggregation/edge (Cisco IOS Software Release 12.2S): Cisco 7200/7500 Series, Cisco 7300 Series, Cisco 4500 Series (ASIC), Cisco 10000 Series (ASIC)
• Access (Cisco IOS Software releases): Cisco 800 Series, Cisco 1700/1800 Series, Cisco 2600/2800 Series, Cisco 3700/3800 Series, Cisco 7200/7300 Series

NetFlow Versions
NetFlow Version | Comments
1 | Original
5 | Standard and most common
7 | Specific to Cisco Catalyst 6500 and 7600 Series Switches; similar to Version 5, but does not include AS, interface, TCP flag and TOS information
8 | Choice of eleven aggregation schemes; reduces resource usage
9 | Flexible, extensible file export format to enable easier support of additional fields and technologies; coming out now: MPLS, Multicast, and BGP Next Hop

Version 5 - Flow Export Format
• From/To: Source IP Address, Destination IP Address
• Usage: Packet Count, Byte Count
• Time of Day: Start sysUpTime, End sysUpTime
• Port Utilization: Input ifIndex, Output ifIndex
• Application: Source TCP/UDP Port, Destination TCP/UDP Port
• Routing and Peering: Next Hop Address, Source AS Number, Dest. AS Number, Source Prefix Mask, Dest. Prefix Mask
• QoS: Type of Service, TCP Flags, Protocol
Version 5 is used extensively today.

Extensibility and Flexibility: Phased Approach
• Why a new export protocol? Build a flexible and extensible export format! Advantage: new technologies/data types can be added very quickly. Example: MPLS, IPv6, BGP next hop
• Phase 1: NetFlow Version 9. Advantages: extensibility; integrate new technologies/data types quicker; integrate new aggregations quicker. Note: for now, the template definitions are fixed!
• Phase 2: User-defined templates (Flexible NetFlow). Advantages: cache and export content flexibility; selection of a subset of the 7 flow keys; selection of the data types to export

NetFlow v9 Export Packet
To support technologies such as MPLS or Multicast, this export format can be leveraged to easily insert new fields.

Export packet layout (figure on the original slide):
  Header (version, # packets, sequence #, Source ID)
  Template FlowSet, FlowSet ID #1
    Template Record, Template ID #1 (specific field types and lengths)
    Template Record, Template ID #2 (specific field types and lengths)
  Data FlowSet, FlowSet ID #1: flows from Interface A
    Data Record (field values)
    Data Record (field values)
  Data FlowSet, FlowSet ID #2: flows from Interface B
    Data Record (field values)
  Option Template FlowSet
    Template ID (specific field types and lengths)
  Option Data FlowSet, FlowSet ID
    Option Data Record (field values)
    Option Data Record (field values)

• Matching ID numbers are the way to associate a Template Record with its Data Records
• The header follows the same format as prior NetFlow versions, so collectors are backward compatible
• Each data record represents one flow
• If exported flows have the same fields, they can be contained in the same Template Record (e.g. unicast traffic records can be combined with multicast records)
• If exported flows have different fields, they cannot be contained in the same Template Record (e.g. BGP next-hop records cannot be combined with MPLS-aware NetFlow records)
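The template/data matching described above, as an added Python example (not Cisco code and not a complete collector): an exporter side that builds a v9 header, a Template FlowSet and a Data FlowSet, and a collector side that keys templates by (Source ID, Template ID) and can only decode a Data FlowSet once the matching template has been seen. The field type numbers and the 20-byte header layout are the RFC 3954 values; the sample flow records are constructed.

```python
import socket
import struct

V9_HEADER = struct.Struct("!HHIIII")   # version, count, sysUpTime, unix secs, sequence, source ID
TEMPLATE_FLOWSET_ID = 0                 # FlowSet ID reserved for Template FlowSets

# (field type, length in bytes); the type numbers are the RFC 3954 values
TEMPLATE_FIELDS = [(1, 4), (2, 4), (4, 1), (7, 2), (8, 4), (11, 2), (12, 4)]
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}
IPV4_FIELDS = {8, 12}

# Constructed sample flows, loosely modelled on the cache rows shown earlier.
SAMPLE_RECORDS = [
    {"in_bytes": 16808000, "in_pkts": 11000, "protocol": 17, "src_port": 162,
     "src_addr": "173.100.21.2", "dst_port": 162, "dst_addr": "10.0.227.12"},
    {"in_bytes": 1843340, "in_pkts": 2491, "protocol": 6, "src_port": 40000,
     "src_addr": "173.100.3.2", "dst_port": 22, "dst_addr": "10.0.227.12"},
]


def _pad4(data):
    return data + b"\x00" * (-len(data) % 4)   # FlowSets are padded to 4-byte boundaries


def encode_template_flowset(template_id, fields):
    """Template FlowSet: ID 0, then (template ID, field count, type/length pairs)."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)
    body = _pad4(body)
    return struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(body)) + body


def encode_data_flowset(template_id, fields, records):
    """Data FlowSet: its FlowSet ID is the template ID; records are raw field values."""
    body = b""
    for rec in records:
        for ftype, flen in fields:
            value = rec[FIELD_NAMES[ftype]]
            body += socket.inet_aton(value) if ftype in IPV4_FIELDS else int(value).to_bytes(flen, "big")
    body = _pad4(body)
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def encode_packet(flowsets, record_count, sequence, source_id=1):
    header = V9_HEADER.pack(9, record_count, 0, 0, sequence, source_id)
    return header + b"".join(flowsets)


class Collector:
    """Caches templates per (source ID, template ID) and decodes Data FlowSets with them."""

    def __init__(self):
        self.templates = {}
        self.undecodable = 0   # Data FlowSets that arrived before their template

    def parse(self, packet):
        version, _count, _uptime, _secs, _seq, source_id = V9_HEADER.unpack_from(packet)
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        records, offset = [], V9_HEADER.size
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
            if fs_len < 4:
                raise ValueError("malformed FlowSet length")
            body = packet[offset + 4:offset + fs_len]
            if fs_id == TEMPLATE_FLOWSET_ID:
                self._learn_templates(source_id, body)
            elif fs_id >= 256:                       # Data FlowSet (IDs below 256 are reserved)
                fields = self.templates.get((source_id, fs_id))
                if fields is None:
                    self.undecodable += 1            # no matching template yet: cannot decode
                else:
                    records += self._decode(body, fields)
            offset += fs_len
        return records

    def _learn_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            if nfields == 0:                         # reached the padding
                break
            fields = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(nfields)]
            self.templates[(source_id, tid)] = fields
            pos += 4 + 4 * nfields

    @staticmethod
    def _decode(body, fields):
        rec_len = sum(flen for _, flen in fields)
        records = []
        for start in range(0, len(body) - rec_len + 1, rec_len):
            rec, pos = {}, start
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                rec[FIELD_NAMES.get(ftype, ftype)] = socket.inet_ntoa(raw) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big")
                pos += flen
            records.append(rec)
        return records


def demo():
    """Export template + data in one packet and decode it at the collector."""
    template = encode_template_flowset(256, TEMPLATE_FIELDS)
    data = encode_data_flowset(256, TEMPLATE_FIELDS, SAMPLE_RECORDS)
    packet = encode_packet([template, data], record_count=1 + len(SAMPLE_RECORDS), sequence=1)
    return Collector().parse(packet)
```

The `undecodable` counter is the practical consequence of the matching-ID design: a collector that starts after the exporter, or that loses the packet carrying the template, has to hold or drop data records until the template is re-sent, which is also why the page notes higher CPU after boot while templates are being sent.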

NetFlow Features Supported with Version 9
• Multicast NetFlow. Availability: Major Release 12.3(1) and 12.2(18)S. Ingress: accounting of replicated multicast packets. Egress: per-user accounting of multicast packets
• MPLS-Aware NetFlow. Availability: Release 12.0(26)S. Label and prefix export information
• BGP Next Hop. Availability: Releases 12.0(26)S, 12.2(18)S, and 12.3(1). Edge-to-edge traffic matrix; BGP traffic destination information
• NetFlow for IPv6. Availability: Release 12.3(7)T. Export IPv6 source and destination information

NetFlow Version 9 Platform Support
• Releases:
  – 12.0(24)S for the Cisco 7200, 7500 and 12000 Series Routers
  – 12.3(1) for the Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800 and 7200 Series Routers
  – 12.2(18)S for the Cisco 7200, 7301 and 7500 Series Routers
  – 12.2(18)SXF for the Catalyst 6500/7600 Series Switch
  – 12.2(x)SRB for the Cisco 7600 Series Router
  – 12.2(30)SB for the Cisco 7304 and 10000 Series Routers
• NF v9 is an export feature; by itself it doesn't add new capability
• Newer NetFlow features require NFv9 (e.g. MPLS, Flexible NetFlow)

Performance Testing NetFlow Version 9
• Similar CPU and throughput numbers result from configuration of both NetFlow Version 5 and 9
• No change in NetFlow performance after the addition of Version 9 (Cisco IOS Software Releases 12.0(24)S, 12.2S, and 12.3)
• CPU is slightly higher immediately following initial boot-up or configuration, caused by sending template FlowSets to the collector

NetFlow v9 and IETF
• Internet Protocol Flow Information eXport (IPFIX) is an IETF working group: www.ietf.org/html.charters/ipfix-charter.html
• NetFlow Version 9 is the basis for the standard in the IETF
• Standards track

Introduction of Flexible NetFlow

IOS Traffic Accounting Features
• IOS traffic accounting features can be sub-divided into:
  – Static features: the number of accounting buckets is statically known and does not depend on traffic, e.g. precedence accounting, BGP PA accounting
  – Dynamic features: the number of accounting buckets (flows) depends on traffic, e.g. NetFlow, MAC accounting
• New applications constantly require new accounting features
• The current approach of developing features one by one does not scale and does not deliver timely solutions

Scenarios or Uses for Accounting Technologies
Scenario | Technology
Network Monitoring | NetFlow, BGP PA
Network Planning and Traffic Engineering | NetFlow, BGP PA
Application Monitoring | NBAR, NetFlow
User Monitoring | AAA, NetFlow
QoS/CoS Monitoring | CB-QoS MIB, IP SLAs, NetFlow
Security Analysis | NetFlow, NBAR
Peering and Transit Agreements | SNMP, NetFlow, BGP PA
Time and Usage-Based Billing | AAA, NetFlow
Destination and Source-Sensitive Billing | BGP PA, NetFlow

Flexible NetFlow Benefits
• Increased flexibility, scalability and customization beyond today's NetFlow
• The ability to monitor a wider range of packet information
• User-configurable flow information to perform customized traffic identification, and the ability to focus on and monitor specific network attributes

Flexible NetFlow: Tracking Data with Flow Monitors
Different flow monitors for detecting different information (network diagram on the original slide spanning ISP, WAN, Data Center, Campus, Branch and Teleworker):
• Peering Flows (ISP)
• Application Flows
• IP Flows
• Security Flows
• Multicast Flows

Flexible NetFlow Advantage
Traditional NetFlow: one set of flow information, a single cache used by all applications
Flexible NetFlow advantage: different NetFlow applications are tracked separately
Flexible NetFlow benefits:
• Track security and traffic analysis data separately
• Export different flow monitors to different destinations
• Customers benefit from detailed analysis for each application

Flexible NetFlow Advantage (Cont.)
Traditional NetFlow: one cache may limit detailed problem isolation
Flexible NetFlow advantage: focused network visibility and problem isolation
Flexible NetFlow benefits:
• Create virtual NetFlow caches to track and isolate issues
• Isolate security or traffic incidents in the network
• Customized traffic identification combined with input filtering
• Allows pinpoint accuracy in determining and isolating incidents

Flexible NetFlow Advantage (Cont.)
Traditional NetFlow: limited data aggregation and fixed flow fields
Flexible NetFlow advantage: user-selected flow information increasing scalability; visibility into new types of data using Version 9 export
Flexible NetFlow benefits:
• Select only the information that is needed
• Better use of flow cache and aggregation
• New information from Layer 2 and above, including packet sections

Flexible NetFlow: Tracking Data with Flow Monitors
Different flow monitors for detecting different information (network diagram on the original slide spanning ISP, WAN, Data Center, Campus and Branch):
• Peering Flows (ISP): Dest. AS, Dest. Traffic Index, BGP Next Hop, DSCP
• IP Flows: IP Subnets, Ports, Protocol, Interfaces, Egress/Ingress
• Multicast Flows: Protocol, Ports, IP Subnets, Packet Replication
• Security Flows: Protocol, Ports, IP Addresses, TCP Flags, Packet Section

Flexible NetFlow: Multiple Monitors with Unique Key Fields
The same traffic is inspected by two flow monitors, each with its own key and non-key fields and its own cache (figure on the original slide, reconstructed):

Flow monitor 1, Packet 1
  Key fields: Source IP 3.3.3.3 | Destination IP 2.2.2.2 | Source port 23 | Destination port 22078 | Layer 3 Protocol TCP - 6 | TOS Byte 0 | Input Interface Ethernet 0
  Non-key fields: Packets | Bytes | Time Stamps | Next-Hop Address

Flow monitor 2, Packet 2
  Key fields: Source IP 3.3.3.3 | Dest IP 2.2.2.2 | Input Interface Ethernet 0 | Packet Section 1010101
  Non-key fields: Packets | Time Stamps

Traffic Analysis Cache (flow monitor 1)
Source IP | Dest. IP | Dest. I/F | Protocol | TOS | … | Pkts
3.3.3.3   | 2.2.2.2  | E1        | 6        | 0   | … | 11000
1.1.1.1   | 2.2.2.2  | E1        | 6        | 0   | … | 11000

Security Analysis Cache (flow monitor 2)
Source IP | Dest. IP | Dest. I/F | Input I/F | Sec | … | Pkts
3.3.3.3   | 2.2.2.2  | E1        | E1        | 101 | … | 11000

Flexible NetFlow Components
• The Flow Monitor is a flow cache that contains flow records; it is applied to an interface; flow monitors can be ingress or egress; packet sampling is possible per flow monitor
• Flow Monitor components:
  – Flow Record: defines what is captured by NetFlow. Flow records have two formats, pre-defined or user-defined schemes, and include key and non-key fields
  – Flow Exporter: where NetFlow will be exported. Multiple flow exporters per flow monitor

Flexible NetFlow Model
(Figure on the original slide: one Interface with Monitors "A", "B" and "C"; Records "X", "Y" and "Z"; Exporters "M" and "N", each drawn attached to more than one monitor.)
• A single record per monitor
• Potentially multiple monitors per interface
• Potentially multiple exporters per monitor

Configure a User-Defined Flow Record

Configure the Exporter
  Router(config)# flow exporter my-exporter
  Router(config-flow-exporter)# destination 1.1.1.1

Configure the Flow Record
  Router(config)# flow record my-record
  Router(config-flow-record)# match ipv4 icmp type
  Router(config-flow-record)# match ipv4 icmp code
  Router(config-flow-record)# collect counter bytes

Configure the Flow Monitor
  Router(config)# flow monitor my-monitor
  Router(config-flow-monitor)# exporter my-exporter
  Router(config-flow-monitor)# record my-record

Configure the Interface
  Router(config)# int s3/0
  Router(config-if)# ip flow monitor my-monitor input

Flexible Monitor Configuration
Define the flow monitor cache; associated with the monitor are an exporter and a pre-defined or user-defined NetFlow record.
CLI:
  flow monitor
    record
    exporter
    cache type {normal | immediate | permanent}
    cache entries
    cache timeout {active | inactive | update}
    size-distribution
    exit

Flexible NetFlow User-Defined Record Configuration
  Router(config)# flow record my-record
  Router(config-flow-record)# match      -> specify a key field
  Router(config-flow-record)# collect    -> specify a non-key field

  Router(config-flow-record)# match ?
    flow        Flow identifying fields
    interface   Interface fields
    ipv4        IPv4 fields
    routing     Routing attributes
    transport   Transport layer fields

  Router(config-flow-record)# collect ?
    counter     Counter fields
    flow        Flow identifying fields
    interface   Interface fields
    ipv4        IPv4 fields
    routing     IPv4 routing attributes
    timestamp   Timestamp fields
    transport   Transport layer fields

Flexible Flow Record Configuration Example
Flow key fields: destination AS, IPv4 source prefix, output interface index; maintain 32-bit packet and byte counters; no timestamps:
  (config)# flow record dst-as-src-prefix
  (flow-record)# match routing destination as
  (flow-record)# match ipv4 source prefix
  (flow-record)# match ipv4 source mask
  (flow-record)# match interface output
  (flow-record)# collect counter packets
  (flow-record)# collect counter bytes
  (flow-record)# exit

Flexible Flow Record: Key Fields
(The original slide lays these out in columns; reconstructed by category.)
• IPv4: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Protocol, Fragmentation Flags, Fragmentation Offset, ID, Header Length, Total Length, Payload Size, Packet Section (Header), Packet Section (Payload), TTL, Options, Version, Precedence, DSCP, TOS
• Routing: Destination AS, Peer AS, Traffic Index, Forwarding Status, Is-Multicast, IGP Next Hop, BGP Next Hop
• Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, TCP Flags (ACK, CWR, ECE, FIN, PSH, RST, SYN, URG), UDP Message Length, UDP Source Port, UDP Destination Port
• Flow: Sampler ID, Direction
• Interface: Input, Output

Flexible Flow Record: Key Fields for Traffic Analysis
(Same key-field table as the previous slide; on the original slide the subset relevant to traffic analysis was highlighted, and the highlighting did not survive extraction.)

Flexible Flow Record: Key Fields for Security
(Same key-field table as above; on the original slide the subset relevant to security monitoring was highlighted, and the highlighting did not survive extraction.)

Flexible Flow Record: Key Fields for Peering Arrangements
(Same key-field table as above; on the original slide the subset relevant to peering arrangements was highlighted, and the highlighting did not survive extraction.)

Flexible Flow Record: Non-Key Fields for Security
• Any of the potential "key" fields: the value will be that of the first packet in the flow
• Plus:
  – Counters: Bytes, Bytes Long, Bytes Square Sum, Packet, Packet Long
  – Timestamp: sysUpTime First Packet, sysUpTime Last Packet
  – IPv4: Total Length Minimum, Total Length Maximum, TTL Minimum, TTL Maximum

Flexible Flow Monitor Cache Types
Three types of NetFlow caches are available:
• Normal: similar to today's NetFlow, but the active and inactive timers are more flexible (e.g. an active timer of 1 second)
• Immediate: 1 second timer and no export delay; a flow accounts for 1 packet; used for real-time traffic monitoring, DDoS detection and logging; used for flow records with packet sections or with a large set of key fields
• Permanent: a permanent flow cache can be used to track a set of flows over time without expiring the flows from the cache; the entire cache is periodically exported to the collector; after the cache is full, flows will be dropped (size configurable); useful for accounting or security monitoring

Complete Permanent Flexible NetFlow Configuration Example
Per-DSCP accounting flow record definition (64-bit counters):
  Router(config)# flow record my-dscp-record
  Router(config-flow-record)# match ipv4 dscp
  Router(config-flow-record)# match interface input
  Router(config-flow-record)# collect counter bytes long
  Router(config-flow-record)# collect counter packets long

  Router(config)# flow monitor my-dscp-monitor
  Router(config-flow-monitor)# description dscp:bytes and packets
  Router(config-flow-monitor)# record my-dscp-record
  Router(config-flow-monitor)# cache type permanent
  Router(config-flow-monitor)# cache entries 256

  Router(config)# interface GigabitEthernet 0/1
  Router(config-if)# ip flow monitor my-dscp-monitor input

This would replace "IP accounting precedence".

Flexible NetFlow Activation on Interface
  Router(config-if)# ip flow monitor [sampler ] [input | output]
Slide callouts: the sampler keyword sends the "sampler-table" option; input | output selects the input or output traffic and does not determine the flow key.
• Deterministic or random sampling is available:
  Router(config)# sampler
  mode [deterministic | random] out-of
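The two sampler modes offered above, as an added Python simulation (not IOS code): both hand one packet out of every window of N to the flow monitor, the deterministic sampler at a fixed position in the window and the random sampler at a position drawn afresh for each window. The `Sampler` class, the trace and the seed are constructed for the demo; the exact position a Cisco deterministic sampler uses is not stated on the page, so position 0 is an assumption.

```python
import random


class Sampler:
    """Selects one packet out of every window of N packets."""

    def __init__(self, n, mode="deterministic", seed=None):
        if n < 1:
            raise ValueError("sampling rate N must be at least 1")
        self.n, self.mode = n, mode
        self.rng = random.Random(seed)   # seeded only so the demo is reproducible
        self.seen = 0
        self.pick = 0                    # position selected within the current window

    def select(self):
        """Return True if the current packet goes to the flow monitor."""
        pos = self.seen % self.n
        self.seen += 1
        if pos == 0 and self.mode == "random":
            self.pick = self.rng.randrange(self.n)   # fresh position for each new window
        return pos == self.pick          # deterministic: pick stays at position 0 (assumption)


def sample_trace(packets, sampler):
    return [p for p in packets if sampler.select()]


def scaled_bytes(sampled, n):
    """Counters from a sampled monitor must be multiplied by N to estimate real volume."""
    return sum(p["length"] for p in sampled) * n


# Constructed trace: 100 packets whose sizes cycle through 60..99 bytes.
TRACE = [{"id": i, "length": 60 + i % 40} for i in range(100)]


def demo(mode, seed=7):
    """Sample TRACE 1-out-of-10 and return (sampled packets, scaled bytes, true bytes)."""
    sampler = Sampler(10, mode, seed)
    sampled = sample_trace(TRACE, sampler)
    return sampled, scaled_bytes(sampled, 10), sum(p["length"] for p in TRACE)
```

The scaled estimate from the deterministic run (7300 bytes against a true 7750) shows why sampled counters are an estimate rather than an accounting figure, and why the slide separates the sampler from the flow key: sampling changes which packets are counted, not how flows are identified.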

Flow Exporters
• Flow export to collectors is defined using a Flow Exporter
• Each flow monitor can use multiple flow exporters (export to many NetFlow collectors) simultaneously
• Flow exporters can use different reliable and unreliable transport protocols: UDP, SCTP
• Different export protocols (v9 and IPFIX)
• Flow exporters are QoS aware and can be prioritized, unlike today's NetFlow

Flexible Monitor Configuration
  flow monitor
    record
    exporter                                     (potentially multiple)
    cache type {normal | immediate | permanent}  (3 types of cache: see next slides)
    cache entries
    cache timeout {active | inactive | update}
    statistics packet protocol                   (collect protocol distribution statistics)
    statistics packet size                       (collect size distribution statistics)

Packet Section Fields
• A contiguous chunk of a packet of a user-configurable size, used as a key or a non-key field
• Sections are used for detailed traffic monitoring, DDoS attack investigation, worm detection and other security applications
• A chunk defined as a flow key should be used in sampled mode with an immediate-aging cache
• Starts at the beginning of the IPv4 header: collect or match ipv4 header
• Immediately follows the IPv4 header: collect or match ipv4 payload
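The Flexible NetFlow model described across the preceding slides (a flow record built from match and collect fields, several flow monitors on one interface each with its own cache, the normal, immediate and permanent cache types, and a packet section used as a key field) as one added Python simulation. This is not Cisco IOS code: the `FlowMonitor` and `FlowRecord` classes, the monitor names `traffic`, `security` and `dscp`, the field names and the four-packet trace are constructed for the demo, and the DSCP monitor keys on the TOS byte as a stand-in for the `match ipv4 dscp` of the configuration example.

```python
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FlowRecord:
    match: tuple      # key fields: their combined values identify a flow
    collect: tuple    # non-key fields: taken from the first packet of the flow


@dataclass
class FlowMonitor:
    record: FlowRecord
    cache_type: str = "normal"        # normal | immediate | permanent
    cache_entries: int = 4
    cache: OrderedDict = field(default_factory=OrderedDict)
    exported: list = field(default_factory=list)
    dropped: int = 0                  # permanent cache: new flows refused once full

    def process(self, pkt):
        key = tuple(pkt[f] for f in self.record.match)
        entry = self.cache.get(key)
        if entry is None:
            if len(self.cache) >= self.cache_entries:
                if self.cache_type == "permanent":
                    self.dropped += 1                  # nothing expires, so refuse
                    return
                self._export(next(iter(self.cache)))   # normal: age out the oldest
            entry = {f: pkt[f] for f in self.record.collect}
            entry.update(packets=0, bytes=0)
            self.cache[key] = entry
        entry["packets"] += 1
        entry["bytes"] += pkt["length"]
        if self.cache_type == "immediate":             # one packet per flow, no export delay
            self._export(key)

    def _export(self, key):
        self.exported.append((key, self.cache.pop(key)))

    def export_all(self):
        """Permanent cache: the whole cache is exported periodically; flows stay put."""
        return [(key, dict(entry)) for key, entry in self.cache.items()]


def packet(src, dst, proto, sport, dport, length, tos=0):
    """Constructed packet; ipv4_header is the first 4 bytes of a real IPv4 header
    (version/IHL, TOS, total length), the kind of chunk a packet-section key holds."""
    return {"src_ip": src, "dst_ip": dst, "protocol": proto, "src_port": sport,
            "dst_port": dport, "tos": tos, "in_if": "Ethernet0", "next_hop": "10.0.23.2",
            "length": length, "ipv4_header": bytes([0x45, tos]) + length.to_bytes(2, "big")}


TRACE = [
    packet("1.1.1.1", "2.2.2.2", 6, 23, 22078, 100),
    packet("3.3.3.3", "2.2.2.2", 6, 23, 22078, 100),
    packet("1.1.1.1", "2.2.2.2", 6, 23, 22078, 200),
    packet("3.3.3.3", "2.2.2.2", 17, 53, 53, 80, tos=0x28),
]


def run_demo():
    """Three monitors (hypothetical names) on one interface, fed the same trace."""
    monitors = {
        # traffic analysis: classic key subset, next hop collected as a non-key field
        "traffic": FlowMonitor(FlowRecord(("src_ip", "dst_ip", "protocol", "tos"), ("next_hop",))),
        # security: packet section as a key, so the immediate cache the slide advises
        "security": FlowMonitor(FlowRecord(("src_ip", "dst_ip", "in_if", "ipv4_header"),
                                           ("protocol", "dst_port")), cache_type="immediate"),
        # per-DSCP accounting in a permanent cache that is deliberately too small
        "dscp": FlowMonitor(FlowRecord(("tos", "in_if"), ()), cache_type="permanent", cache_entries=1),
    }
    for pkt in TRACE:
        for monitor in monitors.values():
            monitor.process(pkt)
    return monitors
```

The three monitors see identical packets but produce different caches: the traffic monitor merges the two 1.1.1.1 packets into one flow, the security monitor exports every packet immediately because a header section almost never repeats, and the permanent DSCP cache silently refuses the second DSCP value once its single entry is taken, which is the sizing failure mode to watch for with `cache entries`.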

Flexible NetFlow Status
• Flexible NetFlow is FCS
• Flexible NetFlow is available in 12.4(9)T: Cisco 800, 1800, 2800, 3800, 7200 and 7301 Series
• Flexible NetFlow phase I provides: Multiple User-Defined Caches, Complete IPv4 Header Info, UDP/Packet Section Exporters, Persistent Caches, Ingress/Egress Support, Common CLI, Sampled NetFlow

Flexible NetFlow Evolution
• Flexible NetFlow introduced on 7304 (12.2(31)SB2)
• Flexible NetFlow to be introduced on GSR (12.0(33)S), Engine 3 and Engine 5
• Flexible NetFlow IPv6 will be added in 12.4(7th)T
• Candidate features for 12.5(2th)T: QoS output feature for FNF exporter, IP multicast traffic, NetFlow v5 export, TopNTalkers, input filters/MQC integration
• Radar features: NBAR integration, IPFIX support


Backup Slides

Cisco NetFlow Feature Overview
Category | Features
Export Formats | NetFlow Export Versions 1, 5, 7, 8; Version 9: latest, flexible and extensible format
Accounting | NetFlow Router-Based Aggregation (v8/v9); Origin and Peer AS; Bridged NetFlow; MAC Address Export; Egress NetFlow Accounting; Random Sampled NetFlow; Random and Time-based Flow Sampled NetFlow
Network Analysis & Capacity Planning | BGP Next Hop NetFlow; Export Filters; Dual Export

Cisco NetFlow Feature Overview (2)
Category | Features
Security Monitoring | NetFlow MIB and Top Talkers; Input Filters; Security Exports (IPv4 Header); Dynamic Top Talkers CLI
Standard | NetFlow Version 9: basis for the IPFIX WG; Export format Version 9: RFC 3954; Reliable Export with SCTP; IPFIX Export; standard for the Packet Sampling WG (PSAMP)

Cisco NetFlow Feature Overview (3)
Category | Features
MPLS | MPLS Egress NetFlow; MPLS Aware NetFlow; MPLS Information Export (LFIB); MPLS Aggregation (EXP, BGP-NH, Egress I/F)
Multicast | Multicast NetFlow
IPv6 | IPv6 NetFlow

NetFlow Platform Export Feature Comparison (1)
(Legend on the original slide: Available Now / Not Available / Roadmap. Columns: Feature | Software | C6500 | C7600 | C12000 | C10000 | C4500 | CRS. Cells are placed where the extracted order makes the row unambiguous; a dash marks a cell that could not be recovered.)
Feature | Software | C6500 | C7600 | C12000 | C10000 | C4500 | CRS
Version 5 | 12.0(1) | 12.1(2)E | 12.1(2)E | 12.0(14)S | 12.0(19)SL | 12.1(13)EW | –
Version 8 | 12.0(3)T | 12.2(14)SX | 12.2(14)SX | 12.0(6)S | 12.0(19)SL | 12.1(19)EW | –
Version 9 | 12.3 | 12.2(18)SXF | 12.2(18)SXF | 12.0(24)S | 12.2(31)SB | – | –
Dual Export | 12.2(2)T | 12.2(17d)SXB | 12.2(17d)SXB | – | – | – | –
VRF Destination | 12.4(4)T | 12.2(1st)SXH | 12.2(1st)SRB | – | – | – | –
Security Exports | 12.3(14)T | – | – | – | – | – | –
Reliable Export | 12.3(4)T | – | – | – | – | – | –
Mac Address | 12.3(14)T | – | – | – | – | – | –
Vlan Export | 12.4(4)T | – | – | – | – | – | –
Cells that could not be placed: 3.2 (CRS column), 12.2(15)BX, 12.1(19)EW, 12.0(26)S3

NetFlow Platform Feature Comparison (2)
(Legend: Available Now / Not Available / Roadmap. Columns as on the previous slide; a dash marks a cell that could not be recovered from the extracted text.)
Feature | Software | C6500 | C7600 | C12000 | C10000 | C4500 | CRS
NetFlow MIB with Top Talker | 12.3(7)T | 12.2(1st)SXH | 12.2(1st)SRB | – | – | – | –
Dynamic Top Talker CLI | 12.3(4)T | – | – | – | – | – | –
Egress/Output NetFlow | 12.3(11)T | 12.2(18)SXE1 | 12.2(18)SXE1 | 12.0(10)ST | 12.2(31)SB | – | –
Bridged NF | – | – | – | – | – | – | –
Input Filters | 12.3(4)T | – | – | – | – | – | –
Export Filters | Yes | Yes | – | – | – | – | –
Forwarding Status | Yes | Yes | Yes | Yes | – | – | –
TCP Flags | Yes | Yes | Yes | Yes | – | – | –
IFIndex to Name Map | 12.4(4)T | – | – | – | – | – | –
Cells that could not be placed: 3.2 (CRS column), 12.2(25)EW (C4500 column)

NetFlow Platform Feature Comparison (3)
(Legend: Available Now / Not Available / Roadmap. Columns as on the previous slides; a dash marks a cell that could not be recovered from the extracted text.)
Feature | Software | C6500 | C7600 | C12000 | C10000 | C4500 | CRS
IPv6 | 12.3(7)T | 12.2(1st)SXH | 12.2(1st)SRB | – | – | – | –
Multicast | 12.3 | 12.2(18)SXF | 12.2(18)SXF | – | – | – | –
BGP Next Hop | 12.3 | 12.2(18)SXF | 12.2(33)SRA | – | – | – | –
Per Interface | Yes | 12.2(1st)SXH | 12.2(1st)SRB | – | – | – | –
TOS Support | Yes | 12.2(17b)SXA | 12.2(17b)SXA | Yes | Yes | – | 3.2
Packet Sampling | 12.3(2)T | – | – | – | – | – | –
Flow Sampling | – | – | – | – | – | – | –
MPLS Egress | 12.2(2)T | – | – | – | – | – | –
MPLS Aware | 12.3(8)T | – | – | 12.0(24)S | – | – | –
MPLS Label Export | 12.2SB | – | – | – | – | – | –
MPLS Aggregation | – | – | – | – | – | – | –
Min Prefix Aggr. | – | – | – | – | 12.2(31)SB | – | –
Cells that could not be placed (order as extracted): No Sub, 12.2(15)BX, 3.2, 12.0(26)S, 12.2(31)SB, 12.0(11)S, 12.2(31)SB, 12.1(13)E, 12.1(13)E, 12.1(2)T, Yes, Output, Yes, 3.2, 12.2(1st)SRB, 3.2

Flexible NetFlow Platform Feature Comparison
(Legend: Available Now / Not Available / Roadmap. A dash marks a cell that could not be recovered from the extracted text.)
Feature | Software | C6500 | C7600 | C12000 | C10000 | C4500 | CRS
IPv4 Unicast | 12.4(9)T | HalfDome | – | – | – | – | –
NetFlow v9 Export | 12.4(9)T | HalfDome | – | – | – | – | –
NetFlow v5 Export | 12.5(2st)T | HalfDome | – | – | – | – | –
IPv6 Unicast | 12.4(13)T | HalfDome | – | – | – | – | –
IPv4 Multicast | 12.5(2st)T | HalfDome | – | – | – | – | –
IPv6 Multicast | 12.5(2st)T | HalfDome | – | – | – | – | –
Dyn. TopNTalkers | 12.5(2st)T | HalfDome | – | – | – | – | –
MPLS FNF | – | – | – | 12.0(33)S | – | – | –
L2 FNF | – | – | – | 12.0(33)S | – | – | –