NMS-4031 7949_05_2003_c2
© 2003, Cisco Systems, Inc. All rights reserved.
Advanced NetFlow Accounting Session NMS-4031
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA. Presentation_ID.scr
Table of Contents
• NetFlow Basics
• NetFlow Versions
  NetFlow on the Router (Version 5)
  NetFlow on the Router (Version 8)
  NetFlow on the Switches (Version 7…Version 8)
  NetFlow Version 9
• Advanced Concepts
• New Features
• Roadmap and Future Directions
• Appendix A: NetFlow Compared to Other Methods
This Tutorial Is Not about…
• A level 1 type of presentation
• A (long) introduction about NetFlow
• Marketing slides
• NetFlow Collector details
• Ecosystem partners' applications and mediations
• Prerequisite: NSC-1031, “Introduction to Collecting Traffic Accounting Information”, or previous NetFlow knowledge
NetFlow Basics
NetFlow Infrastructure (figure)
• Router (Cisco): cache creation, data export, aggregation
• Collector (Cisco and Partners): collection, filtering, aggregation, storage
• Applications (Partners): data processing, data presentation, e.g. Network Planning, RMON/NAM, Accounting/Billing, RMON Application
NetFlow Partners (figure): partner applications cover Billing, Traffic Analysis, Denial of Service and Collection
NetFlow Possible Applications (the slide marks every one of these as supported by NetFlow)
• Network Monitoring
• Network Planning
• Security Analysis
• Application Monitoring
• User Monitoring
• Traffic Engineering
• Peering Agreement
• Usage-Based Billing
• Destination Sensitive Billing
What Is a NetFlow Flow? 7 Keys Define a Flow
• Source Address
• Destination Address
• Source Port
• Destination Port
• Layer 3 Protocol Type
• TOS byte (DSCP)
• Input Logical Interface (ifIndex)
(figure: the 7 keys plus the other collected fields make up the Exported Data)
A Flow Is Unidirectional
How Does NetFlow Work? (figure)
Each packet is matched on the 7 Identifiers; a cache entry holds the Flow Identifiers plus Flow Data (Other Data), and each further packet of the same flow updates that Flow Data (Flow Data Update). Exported Data is sent via UDP (*).
(*) for Speed and Simplicity
NetFlow Principles
• Answers questions regarding your traffic: who, what, where, when, and how
• NetFlow became the de facto IP accounting standard throughout the industry
• Support on all interface types
• Supported on fast switching, Cisco Express Forwarding (CEF) and Distributed CEF
NetFlow Principles
• Not a switching path
• 7 flow identifiers
• Unidirectional traffic
• For ingress traffic only (*)
• IP unicast only (*)
• Export via UDP (*)
(*) See Roadmap
NetFlow on the Router Version 5
Version 5
• Version 5 adds BGP autonomous system
• Supported on router starting from 11.1 CA and 12.0
• The most deployed version
• The most complete version in terms of exported data types
• No reason to use NetFlow version 1 unless supporting a legacy collection system
Version 5 Flow Format
Usage: Packet Count, Byte Count
Time of Day: Start SysUpTime, End SysUpTime
From/To: Source IP Address, Destination IP Address
Application: Source TCP/UDP Port, Destination TCP/UDP Port
Port Utilization: Input IfIndex, Output IfIndex
QoS: Type of Service, TCP Flags, Protocol
Routing and Peering: Next Hop Address, Source AS Number, Dest. AS Number, Source Prefix Mask, Dest. Prefix Mask
(The slide marks some of these groups as Also Available via RMON and the others as Available via NetFlow Only.)
Version 5 Export (figure)
Flow entries in the NetFlow cache (Flow 1, Flow 2, Flow 3, …) are exported as a V5 record over UDP to the collector when:
• Flow expired
• Cache full
• Timer expired
The Default Inactive Timeout: 15 Sec. The Default Active Timeout: 30 Min.
Version 5 Configuration
router(config-if)#ip route-cache flow
router(config)#ip flow-export destination 172.17.246.225 9996
router(config)#ip flow-export version 5

Optional configuration
router(config)#ip flow-export source loopback 0
router(config)#ip flow-cache entries <1024-524288>
router(config)#ip flow-cache timeout …
Version 5 Show Commands
martel#sh ip cache verbose flow
IP packet size distribution (94452 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .199 .342 .300 .094 .028 .012 .005 .013 .000 .001 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  1 active, 65535 inactive, 25322 added
  525430 ager polls, 0 flow alloc failures
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-BGP              7      0.0         2    41      0.0       1.6       7.5
UDP-TFTP             1      0.0         1    67      0.0       0.0      15.1
UDP-other        19884      0.0         3   111      0.1       5.6      15.4
ICMP              5429      0.0         3    41      0.0       0.9      15.5
Total:           25321      0.0         3    97      0.2       4.6      15.4

SrcIf   SrcIPaddress    DstIf   DstIPaddress    Pr TOS Flgs Pkts
Port Msk AS                     Port Msk AS     NextHop              B/Pk  Active
Se0/1   193.1.1.3       Se0/0   172.17.246.228  11 00  10   5
00A1 /24 193                    C628 /0   0     0.0.0.0              84    39.7
BGP Autonomous System NetFlow Enabled (figure: AS 101, AS 102, AS 103, AS 104, AS 105 and AS 106 in a chain, with the NetFlow-enabled router between AS 103 and AS 105)
Configuring Peer-AS
• Source AS = AS 103
• Destination AS = AS 105
Router(config)#ip flow-export version 5 peer-as

Configuring Origin-AS
• Source AS = AS 101
• Destination AS = AS 106
Router(config)#ip flow-export version 5 origin-as

Note: The AS Fields Will Remain Empty unless You Configure It Explicitly with peer-as or origin-as
NetFlow on the Router Version 8
Introduction
• Router-based aggregation, i.e. version 8
• Enables the router to summarize NetFlow data
• Reduces the NetFlow export data volume
• Decreases NetFlow export bandwidth requirements
• Makes collection easier
Introduction
• Supported from 12.0(3)T, 12.0(3)S and 12.1
• On-board aggregation: the router maintains extra NetFlow cache(s) for the aggregation(s)
• Still needs the main cache (for export with version 5)
• When flows expire from the main cache, they are added to each enabled aggregation cache
• Several aggregations can be enabled at the same time
Version 8 Export (figure)
Flow entries (Flow 1, Flow 2, Flow 3, …) leave the NetFlow main cache on flow expired / cache full / timer expired. They can be exported as a V5 record over UDP to the collector (not necessary to export v5), and they are added to each enabled aggregation cache (AS-Matrix, Prefix-Matrix, …). An aggregation cache entry expires on cache full / timers expired and is exported as a V8 record over UDP to the collector.
Version 8 Flow Format

Field                    AS   Protocol-Port   Source-Prefix   Destination-Prefix   Prefix
Source Prefix                                  X                                    X
Source Prefix Mask                             X                                    X
Destination Prefix                                             X                    X
Destination Prefix Mask                                        X                    X
Source App Port               X
Destination App Port          X
Input Interface          X                     X                                    X
Output Interface         X                                     X                    X
IP Protocol                   X
Source AS                X                     X                                    X
Destination AS           X                                     X                    X
First Timestamp          X    X                X               X                    X
Last Timestamp           X    X                X               X                    X
Number of Flows          X    X                X               X                    X
Number of Packets        X    X                X               X                    X
Number of Bytes          X    X                X               X                    X
Version 8 Flow Format (TOS aggregations)

Field                    AS-TOS   Protocol-Port-TOS   Source-Prefix-TOS   Destination-Prefix-TOS   Prefix-TOS
Source Prefix                                          X                                            X
Source Prefix Mask                                     X                                            X
Destination Prefix                                                         X                        X
Destination Prefix Mask                                                    X                        X
Source App Port                   X
Destination App Port              X
Input Interface          X                             X                                            X
Output Interface         X                                                 X                        X
IP Protocol                       X
Source AS                X                             X                                            X
Destination AS           X                                                 X                        X
TOS (Actually DSCP)      X        X                    X                   X                        X
First Timestamp          X        X                    X                   X                        X
Last Timestamp           X        X                    X                   X                        X
Number of Flows          X        X                    X                   X                        X
Number of Packets        X        X                    X                   X                        X
Number of Bytes          X        X                    X                   X                        X
Version 8 Configuration
router(config)# ip flow-aggregation cache as
router(config-flow-cache)# export destination 172.17.246.225 9996
router(config-flow-cache)# enabled

router#sh ip cache flow aggregation as
IP Flow Switching Cache, 278528 bytes
  2 active, 4094 inactive, 13 added
  216 ager polls, 0 flow alloc failures
SrcIf    SrcAS  DstIf     DstAS  Flows  Pkts  B/Pk  Active
Se0/0    0      Se0/2.1   0      1      1     104   0.0
Se0/0    0      Null      0      1      1     59    0.0
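What the aggregation caches do with the flows that expire from the main cache, as an added Python example that is not part of the Cisco presentation: the key fields per scheme follow the Version 8 Flow Format table above, the flow records and the field names (src, dst, src_as, ...) are constructed for the example.

```python
"""Router-based (version 8) aggregation: fold expired main-cache flows into each
scheme's key fields and sum the counters, as the aggregation caches do."""
from ipaddress import IPv4Network

# Key fields per version 8 scheme, following the "Version 8 Flow Format" table.
# The TOS variants add the TOS byte to the same keys (tos=True below).
SCHEMES = {
    "as":                 ("src_as", "dst_as", "input", "output"),
    "protocol-port":      ("protocol", "srcport", "dstport"),
    "source-prefix":      ("src_prefix", "src_mask", "src_as", "input"),
    "destination-prefix": ("dst_prefix", "dst_mask", "dst_as", "output"),
    "prefix":             ("src_prefix", "src_mask", "dst_prefix", "dst_mask",
                           "src_as", "dst_as", "input", "output"),
}

def prefix_of(addr: str, mask_len: int) -> str:
    """Network prefix reported for an address under a prefix mask (/0 -> 0.0.0.0)."""
    return str(IPv4Network(f"{addr}/{mask_len}", strict=False).network_address)

def aggregate(flows, scheme, tos=False):
    """Return the aggregation cache for one scheme: key tuple -> merged record."""
    keys = SCHEMES[scheme] + (("tos",) if tos else ())
    cache = {}
    for f in flows:
        # Derive the prefix fields from address + mask of the expired flow.
        view = dict(f, src_prefix=prefix_of(f["src"], f["src_mask"]),
                    dst_prefix=prefix_of(f["dst"], f["dst_mask"]))
        key = tuple(view[k] for k in keys)
        rec = cache.get(key)
        if rec is None:
            rec = cache[key] = dict(zip(keys, key), flows=0, packets=0, bytes=0,
                                    first=f["first"], last=f["last"])
        rec["flows"] += 1                       # "Number of Flows"
        rec["packets"] += f["packets"]
        rec["bytes"] += f["bytes"]
        rec["first"] = min(rec["first"], f["first"])   # earliest First Timestamp
        rec["last"] = max(rec["last"], f["last"])      # latest Last Timestamp
    return cache

# Constructed sample of three flows expired from the main cache (version 5 style
# fields, sysUpTime stamps in ms). Field names are this example's, not Cisco's.
SAMPLE_FLOWS = [
    dict(src="193.1.1.3", dst="172.17.246.228", srcport=161, dstport=50728, protocol=17,
         tos=0, input=1, output=2, src_as=193, dst_as=0, src_mask=24, dst_mask=0,
         packets=5, bytes=420, first=1000, last=40700),
    dict(src="193.1.1.9", dst="172.17.246.10", srcport=40000, dstport=53, protocol=17,
         tos=0, input=1, output=2, src_as=193, dst_as=0, src_mask=24, dst_mask=0,
         packets=2, bytes=160, first=2000, last=2100),
    dict(src="10.0.0.5", dst="172.17.246.228", srcport=1024, dstport=179, protocol=6,
         tos=0, input=3, output=2, src_as=65000, dst_as=0, src_mask=8, dst_mask=0,
         packets=41, bytes=2870, first=500, last=60000),
]

if __name__ == "__main__":
    for scheme in SCHEMES:
        # Three main-cache flows shrink to 1..3 records depending on the scheme.
        print(scheme, len(aggregate(SAMPLE_FLOWS, scheme)), "aggregated record(s)")
```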
NetFlow on the Switches Version 7…Version 8
1. MLS Specific
2. CEF Specific
3. Generic Info
NetFlow Version 7
• NetFlow version 7 is only exported from the switches
• Support for Catalyst® switches with a Layer 3 board:
  Catalyst 5000 with a RSM (Route Switch Module)
  Catalyst 6500/7600 with a MSFC (Multilayer Switching Feature Card)
• A Catalyst 6500/7600 uses:
  Multilayer Switching (MLS) with a SUP1
  Cisco Express Forwarding (CEF) with SUP2
NetFlow on the Switches Version 7…Version 8 1. MLS Specific (SUP1)
MLS Example (figure): the Candidate Packet arrives from Vlan1 at Supervisor 1 and is forwarded to the MSFC; the Enable Packet comes back from the MSFC towards Vlan14; after the Shortcut Creation, the following packets are Layer 3 Switched by Supervisor 1
MLS Example, Accounting Point of View (figure): Ping #1 from Vlan1 is seen by Supervisor 1 and forwarded by the MSFC; Ping #2, #3, #4 and #5 are Layer 3 switched by Supervisor 1 straight to Vlan14
Version 7 Flow Format
Usage: Packet Count, Byte Count
Time of Day: Start SysUpTime, End SysUpTime
From/To: Source IP Address, Destination IP Address
Application: Source TCP/UDP Port, Destination TCP/UDP Port
Port Utilization: Input IfIndex, Output IfIndex
QoS: Type of Service, TCP Flags, Protocol
Routing and Peering: Next Hop Address, Source AS Number, Dest. AS Number, Source Prefix Mask, Dest. Prefix Mask, RouterSc (Router Shortcut)
Added from Version 5: RouterSc (Router Shortcut). Note that some of the fields are not populated; see the Format Comparison slides.
Bad Design: MLS (Not) Enabled and Export v5 from the MSFC (figure: NFC, Vlan1, Supervisor 1, MSFC, Vlan14; only the MSFC exports)
Only Export the First Packet of the Flow Unless You Don’t Use MLS…

Approximate Design: MLS Enabled and Export v7 from the SUP1 (figure: only Supervisor 1 exports to the NFC)
Miss the Accounting of the First Packet of the Flow

Better Design: MLS Enabled and Export v7 from the SUP1, Export v5 from the MSFC (figure: both Supervisor 1 and the MSFC export to the NFC)

Best Design: MLS Enabled and Export v7 from the SUP1, Export v5 from the MSFC, and Export in the sc0 vlan (sc0 in vlan1) (figure: both exports reach the NFC over Vlan1)
Otherwise, You Will Also Count the Export Traffic
Better/Best Design Problem: Export from 2 Different “Devices”
• No supervisor/MSFC flow records correlation
• Change the nf.resources configuration file:
#
# In case of V7, set USE_SHORT_CUT_ADDRESS_AS_SOURCE_IP to "yes" so that FlowCollector will use the address of the router being short-cut as the source of the corresponding flow. Default is set to No
#
USE_SHORT_CUT_ADDRESS_AS_SOURCE_IP No
NetFlow on the Switches Version 7…Version 8 2. CEF Specific (SUP2, MSFC2)
DCEF Example, FIB Synchronisation (figure): a packet from Vlan1 finds No Entry in the SUP2 FIB and goes to the MSFC2, where the Entry is Created in the MSFC FIB and synchronised to Supervisor 2; afterwards All Entries Go through the SUP2 FIB towards Vlan14
MLS Best Design: Does It Still Make Sense for CEF? MLS Enabled and Export v7 from the SUP2, Export v5 from the MSFC2, and Export in the sc0 vlan (figure: NFC, Vlan1, Supervisor 2 export, MSFC2 export, Vlan14)
MLS Best Design: Does It Still Make Sense for CEF?
• (Yes) the MSFC2 will count the first packet of a destination, the one which will complete the glean adjacency; needed for precise accounting
• (No) the MSFC2 will ONLY count the first packet of a destination, the one which will complete the glean adjacency; with MLS, the MSFC will count the first packet of every single flow
• (No) the FIB entries remain for the lifetime of the ARP entries, so they are not updated as often as the MLS entries! With MLS, the SUP shortcut disappears when the flow expires
MLS Best Design: Does It Still Make Sense for CEF?
• (No) most NetFlow entries on the MSFC will have DstIf = Null (even if the packet is switched by the MSFC) or DstIf = Local (destination = MSFC); with MLS, the DstIf is correctly populated
• (Yes) some features will always go through the MSFC: NAT, IP access-list with log, etc.
• Conclusion: the MSFC is needed for accounting accuracy, but it is less important than with MLS, as it will report fewer flow records
Catalyst 6500 NetFlow Version 5 Support (New)
• Native mode: SUP2/PFC2 supports NetFlow version 5 from 12.1(13)E
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/nde.htm
• Hybrid mode: SUP2/PFC2 supports NetFlow version 5 from 7.5(1)
• As a consequence… we don’t have the better/best design issue that we had with MLS, i.e. the correlation of two different source IP addresses
Version 7 Flow Format with CEF: Don’t Need the RouterSc Field = Version 5
Usage: Packet Count, Byte Count
Time of Day: Start SysUpTime, End SysUpTime
From/To: Source IP Address, Destination IP Address
Application: Source TCP/UDP Port, Destination TCP/UDP Port
Port Utilization: Input IfIndex, Output IfIndex
QoS: Type of Service, TCP Flags, Protocol
Routing and Peering: Next Hop Address, Source AS Number, Dest. AS Number, Source Prefix Mask, Dest. Prefix Mask, RouterSc (Router Shortcut)
Added from Version 5: RouterSc (Router Shortcut). Note that some of the fields are not populated.
Catalyst 6500, Native Mode
mls flow ip full                                   -> flow mask
mls nde src_address 10.200.8.127 version 7         -> version 7 export source
  OR
mls nde sender                                     -> NDE enable + NDE from the PFC uses the source configured from the MSFC!!!!!
interface vlan 1
 ip address 10.200.8.127 255.255.255.0
 ip route-cache flow
interface FastEthernet 3/2
 ip address 10.300.8.2 255.255.255.0
 ip route-cache flow
ip flow-export source vlan1                        -> version 5 export source
ip flow-export version 5
ip flow-export destination 172.17.246.244 9996     -> both for version 5 and 7 export
NetFlow on the Switches Version 7…Version 8 3. Generic Info
Format Comparison

Content                            V5   V7(*)
Source IP Address                  X    Zero in Case of Destination-Only
Destination IP Address             X    X
Source TCP/UDP Port                X    Zero in Case of Destination-Only or Source-Destination
Destination TCP/UDP Port           X    Zero in Case of Destination-Only or Source-Destination
Next Hop Router IP Address         X    X (New 12.1(13)E)
Input Physical Interface Index     X    X (New 12.1(13)E)
Output Physical Interface Index    X    X (New 12.1(13)E)
Packet Count for This Flow         X    X
Start of Flow Timestamps           X    X
End of Flow Timestamps             X    X
(*) Applies Also to the New Version 5 Specific to the Switches
Format Comparison

Content                                          V5   V7(*)
IP Protocol (TCP=6, UDP=17)                      X    Zero in Case of Destination-Only or Source-Destination
Type of Service Byte                             X    PFC1: Set to the First Packet TOS; PFC2: Not Populated
TCP Flags                                        X    Always Zero
Source AS Number                                 X    X
Destination AS Number                            X    X
Source Subnet Mask                               X    Always Zero
Destination Subnet Mask                          X    Always Zero
Flags (Indicate Invalid Field within the Flow)        X (New 12.1(13)E)
Shortcut Router IP Address                            X (New 12.1(13)E)
(*) Applies Also to the New Version 5 Specific to the Switches
Cat6500 Aggregations—Version 8

Field                     RouterDstOnly   RouterSrcDst   RouterFullFlow
Source IP Address                         X              X
Destination IP Address    X               X              X
Source App Port                                          X
Destination App Port                                     X
IP Protocol                                              X
First Timestamp           X               X              X
Last Timestamp            X               X              X
# of Flows                X               X              X
# of Packets              X               X              X
# of Bytes                X               X              X
• Since CatOS version 5.5(2); not yet on native
• For both SUP1 and SUP2
NetFlow Version 9 (New)
NetFlow Version 9: Why a New Version?
• Fixed formats (versions 5, 7, and 8) are not flexible and extensible: Cisco needed to build a new version each time a customer wanted to export new fields, both on the devices and on the NetFlow Collector
• When new versions are created, partners need to reengineer to support the new export format
Solution: Build a Flexible and Extensible Export Format!
NetFlow Version 9, Scenario #1 (figure): the exporter sends the Templates Definition Export first; the collector stores the Template Definition, then receives the Flow Records Export and can Decode and Interpret the records at once.

NetFlow Version 9, Scenario #2 (figure): the Flow Records Export arrives before the Templates Definition Export.
• The NetFlow collector should store the flow record and decode it after the template definition is received
NetFlow Version 9 Principles
• Version 9 is an export protocol
  No changes to the metering process
  Can be used in conjunction with the main cache, for example, MPLS aware NetFlow
  Can be used in conjunction with an aggregation cache, for example, BGP Next Hop TOS aggregation
• Version 9 is based on templates and separate flow records
  Templates composed of type and length
  Flow records composed of template ID and value
• Available in 12.0(24)S
NetFlow Version 9 Principles
• Still a push model
• Sends the template regularly (configurable), because we still use UDP as transport protocol
• Independent of the underlying protocol, it is ready for any reliable protocol (e.g. TCP, SCTP)
  SCTP: Stream Control Transport Protocol
• Advantage: we can add new technologies/data types very quickly
  Example: MPLS, multicast, BGP next hop
  Just update the information model, composed initially of the NetFlow version 5, 7 and 8 data types
• http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/tflow_wp.htm
Extensibility and Flexibility: Phased Approach
• Phase 1: NetFlow version 9, completed
  Advantages: extensibility
  Integrate new technologies/data types quicker
  Integrate new aggregations quicker
  Note: for now, the template definitions are fixed!
• Phase 2: flexible flow keys, under investigation
  Advantages: cache content flexibility
  Selection of a subset of the 7 flow keys
  New flow keys will be defined and available
• Phase 3: user defined templates, radar
  Advantage: export content flexibility
  Selection of the data types to export
Version 9 Example for Template Definition

Template A                         Template B
Flow Set ID (0 for Template)       Flow Set ID (0 for Template)
Length of Template Structure       Length of Template Structure
1001 (Template ID)                 1002 (Template ID)
3 (# of Fields)                    4 (# of Fields)
SRC_AS_NUMBER    2                 SRC_IP_PREFIX    4
DST_AS_NUMBER    2                 SRC_AS_NUMBER    2
L4_PROTOCOL      2                 PACKET_COUNT     2
                                   BYTE_COUNT       2
Example for Export Packet As Defined in the Previous Slide (figure)
Packet Header
Template A
Template B
Data for Template B: Flow Set ID 1002 (same as the Template ID for Template B; refer to the previous slide), 2 (# of Records), Record 1, Record 2
Data for Template A: Flow Set ID 1001, 1 (# of Records), one record
The sample values the slide spreads over the records are 1.1.1.1, 2.2.1.1, 20, 64, 365, 20, 35, 700, 92894, 1000 and 23.
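Collector-side handling of the template and data FlowSets above, including Scenario #2 (data arriving before its template), as an added Python example that is not part of the Cisco presentation. The two templates use the slide's layout (1001 with 3 fields, 1002 with 4 fields); the numeric field type IDs come from the NetFlow v9 specification, not from the slide, and the header and record values are constructed.

```python
"""NetFlow version 9 collector logic: learn templates from FlowSet ID 0, decode data
FlowSets by template, and hold data that arrives before its template (scenario #2)."""
import struct
from ipaddress import IPv4Address

# Field type numbers from the v9 specification, mapped onto the slide's field names.
FIELD_NAMES = {1: "BYTE_COUNT", 2: "PACKET_COUNT", 4: "L4_PROTOCOL",
               8: "SRC_IP_PREFIX", 16: "SRC_AS_NUMBER", 17: "DST_AS_NUMBER"}

class V9Collector:
    def __init__(self):
        self.templates = {}  # (source_id, template_id) -> [(field_type, length), ...]
        self.pending = []    # data FlowSets stored until their template is received
        self.records = []    # decoded flow records

    def feed(self, packet: bytes) -> None:
        """Process one export packet: 20-byte header followed by FlowSets."""
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack(">HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        off = 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack(">HH", packet[off:off + 4])
            if fs_len < 4 or off + fs_len > len(packet):
                raise ValueError("bad FlowSet length")   # never trust the declared length
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:                      # template FlowSet
                self._learn_templates(source_id, body)
                self._retry_pending()
            elif fs_id >= 256:                  # data FlowSet: ID = template ID
                self._decode_or_hold(source_id, fs_id, body)
            off += fs_len                       # IDs 1..255 are reserved; skipped

    def _learn_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack(">HH", body[off:off + 4])
            off += 4
            if off + 4 * nfields > len(body):
                raise ValueError("truncated template")
            fields = [struct.unpack(">HH", body[off + 4 * i:off + 4 * i + 4])
                      for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields   # a re-sent template replaces the old one

    def _decode_or_hold(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:                      # scenario #2: store, decode later
            self.pending.append((source_id, tid, body))
            return
        rec_len = sum(length for _, length in fields)
        off = 0
        while off + rec_len <= len(body):       # leftover bytes are padding
            rec = {"template_id": tid}
            for ftype, flen in fields:
                val = int.from_bytes(body[off:off + flen], "big")
                off += flen
                if ftype == 8 and flen == 4:
                    val = str(IPv4Address(val))
                rec[FIELD_NAMES.get(ftype, f"FIELD_{ftype}")] = val
            self.records.append(rec)

    def _retry_pending(self):
        held, self.pending = self.pending, []
        for item in held:
            self._decode_or_hold(*item)

# --- helpers that build export packets from constructed sample data ---
def template_flowset(*templates):
    body = b"".join(struct.pack(">HH", tid, len(fields))
                    + b"".join(struct.pack(">HH", t, l) for t, l in fields)
                    for tid, fields in templates)
    return struct.pack(">HH", 0, 4 + len(body)) + body

def data_flowset(tid, records: bytes):
    pad = (-(4 + len(records))) % 4             # FlowSets are padded to 4 bytes
    return struct.pack(">HH", tid, 4 + len(records) + pad) + records + b"\0" * pad

def v9_packet(seq, count, *flowsets, source_id=1):
    # count = number of template + data records in the packet (constructed values)
    hdr = struct.pack(">HHIIII", 9, count, 123456, 1051000000, seq, source_id)
    return hdr + b"".join(flowsets)

# Templates as laid out on the slide: A = 1001 with 3 fields, B = 1002 with 4 fields.
TEMPLATE_A = (1001, [(16, 2), (17, 2), (4, 2)])
TEMPLATE_B = (1002, [(8, 4), (16, 2), (2, 2), (1, 2)])

def demo():
    """Scenario #2: data for template B arrives one packet before the templates."""
    col = V9Collector()
    rec_b = (struct.pack(">IHHH", int(IPv4Address("1.1.1.1")), 20, 64, 365)
             + struct.pack(">IHHH", int(IPv4Address("2.2.1.1")), 20, 35, 700))
    col.feed(v9_packet(1, 2, data_flowset(1002, rec_b)))
    held = len(col.pending)                     # 1: stored, not yet decodable
    rec_a = struct.pack(">HHH", 1000, 23, 6)
    col.feed(v9_packet(2, 3, template_flowset(TEMPLATE_A, TEMPLATE_B),
                       data_flowset(1001, rec_a)))
    return col, held                            # now all 3 records are decoded
```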
NetFlow Version 9 Configuration
Configuring Version 9 Export for the Main Cache
router(config)# ip flow-export version ?
  1
  5
  9
(Export Versions Available for NetFlow Flows)
router(config)# ip flow-export version 9

Configuring Version 9 Export for an Aggregation Scheme
router(config)# ip flow-aggregation cache as
router(config-flow-cache)# enabled
router(config-flow-cache)# export ?
  destination  Specify the Destination IP address
  version      configure aggregation cache export version
router(config-flow-cache)# export version ?
  8  Version 8 export format
  9  Version 9 export format
(Export Versions Available for Aggregated NetFlow Flows)
router(config-flow-cache)# export version 9
NetFlow Version 9 IETF Considerations
IETF: IP Flow Information Export WG (IPFIX)
• IPFIX is an effort to:
  Define the notion of a "standard IP flow"
  Devise data encoding for IP flows
  Consider the notion of IP flow information export based upon packet sampling
  Identify and address any security and privacy concerns affecting flow data
  Specify the transport mapping for carrying IP flow information (IETF approved congestion-aware transport protocol)
IETF: IP Flow Information Export WG (IPFIX)
• IPFIX web site for the charter, email archive, drafts, etc.: http://ipfix.doit.wisc.edu/
• Requirements draft: http://www.ietf.org/internet-drafts/draft-ietf-ipfix-reqs-09.txt
• NetFlow version 9 has recently been selected as a basis for the IPFIX protocol (New)
  Out of 5 existing protocols: CRANE from Xacct, LFAP from Riverstone, Diameter (RADIUS extension), IPDR
  Based on the requirements draft
NetFlow Version 9 as the Basis for the IPFIX Protocol
“We believe that the IPFIX protocol, based on NetFlow v9, can be implemented in the most network elements because it makes the least demands of the exporter.” The IPFIX Evaluation Team
• Requested minor improvements to the NetFlow version 9
• The initial IPFIX protocol will run on the top of TCP, as an interim solution, while waiting for standardization of Stream Control Transport Protocol Partial Reliability (SCTP-PR) or Datagram Congestion Control Protocol (DCCP)
IETF: Packet SAMPling WG (PSAMP)
• PSAMP is an effort to:
  Specify a set of selection operations by which packets are sampled
  Specify the information that is to be made available for reporting on sampled packets
  Describe protocols by which information on sampled packets is reported to applications
  Describe protocols by which packet selection and reporting are configured
IETF: Packet Sampling WG (PSAMP)
• PSAMP web site for the charter, email archive, drafts, etc.: http://psamp.ccrle.nec.de/
• Agreed to use IPFIX for export protocol if suitable for PSAMP (New)
  To be improved: the variable length data type
• Note: NetFlow is already using some sampling mechanisms
Advanced Concepts
Main Cache(s) with VIP and Line Card (figure): the RP, each VIP and each line card (VIP2 shown) holds its own FIB and its own NetFlow main cache
Aggregation Cache(s) with VIP and Line Card (figure): the RP, each VIP and each line card (VIP2 shown) holds its own FIB, its own Main cache and its own Agg. cache(s)
VIP/LC Caches
• Nothing to configure on the VIP/LC (use DCEF)
• VIP: if-con, then sh ip cache flow
• LC: attach, then sh ip cache flow; or execute-on show…
• Own independent sequence numbering per VIP/LC
NetFlow on the 12000 Router
• Engine 0—software support, both “full” and sampled NetFlow
• Engine 1—software support, both “full” and sampled NetFlow
• Engine 2—supported in ASICs, sampled NetFlow only
• Engine 3—version 5 support in software, version 8 support in ASICs, sampled NetFlow only
• Engine 4—not supported
• Engine 4+—supported in ASICs, sampled NetFlow v5/v8 only
Timing Issues: When Is a Flow Expired?
• Transport is completed (TCP FIN or RST)
• After 15 sec of traffic inactivity (the only way for UDP); the inactive timer
• After 30 min of traffic activity; the active timer
  Note that 15 sec/30 min are the router default timers
• The cache is becoming full
• Note: flow expiration from an aggregation cache will go through 2 sets of timers
  Firstly the main cache timer
  Secondly the aggregation cache timer
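A simulation of the main cache that applies exactly these expiry rules to a constructed packet trace, as an added Python example that is not part of the Cisco presentation: entries are keyed on the 7 flow identifiers, a ping exchange shows up as two unidirectional flows, and the default 15 s / 30 min timers, TCP FIN/RST and a full cache each produce an export with its reason. The small cache size and the packet values are the example's own.

```python
"""Simulation of the NetFlow main cache: entries keyed on the 7 flow identifiers,
expired by TCP FIN/RST, the inactive timer, the active timer or a full cache."""
from dataclasses import dataclass

INACTIVE_TIMEOUT = 15.0          # seconds of inactivity (router default)
ACTIVE_TIMEOUT = 30 * 60.0       # seconds of activity (router default)
TCP, UDP, ICMP = 6, 17, 1
FIN, RST = 0x01, 0x04

@dataclass
class Entry:
    first: float
    last: float
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0

class FlowCache:
    def __init__(self, max_entries: int = 4):
        self.max_entries = max_entries
        self.entries = {}            # 7-tuple key -> Entry
        self.expired = []            # (key, Entry, reason) handed to the exporter

    def packet(self, now, src, dst, sport, dport, proto, tos, ifindex, length, flags=0):
        """Account one ingress packet; returns the flow key it was charged to."""
        self.age(now)                # the ager runs before the new packet is inserted
        key = (src, dst, sport, dport, proto, tos, ifindex)   # the 7 flow identifiers
        e = self.entries.get(key)
        if e is None:
            if len(self.entries) >= self.max_entries:
                # cache full: push out the entry that has been idle the longest
                oldest = min(self.entries, key=lambda k: self.entries[k].last)
                self._expire(oldest, "cache full")
            e = self.entries[key] = Entry(first=now, last=now)
        e.last = now
        e.packets += 1
        e.bytes += length
        e.tcp_flags |= flags
        if proto == TCP and flags & (FIN | RST):
            self._expire(key, "tcp fin/rst")   # transport completed: export now
        return key

    def age(self, now):
        """Inactive and active timers, as the periodic ager would apply them."""
        for key, e in list(self.entries.items()):
            if now - e.last > INACTIVE_TIMEOUT:
                self._expire(key, "inactive timer")
            elif now - e.first > ACTIVE_TIMEOUT:
                self._expire(key, "active timer")   # long-lived flow: export a slice

    def _expire(self, key, reason):
        self.expired.append((key, self.entries.pop(key), reason))

def demo():
    c = FlowCache(max_entries=3)
    # Ping request and reply: two flows, because a flow is unidirectional and the
    # two directions enter on different interfaces (constructed addresses).
    c.packet(0.0, "10.0.0.1", "10.0.0.2", 0, 0x0800, ICMP, 0, 1, 84)
    c.packet(0.1, "10.0.0.2", "10.0.0.1", 0, 0x0000, ICMP, 0, 2, 84)
    # UDP flow: only inactivity can end it.
    c.packet(1.0, "10.0.0.1", "10.0.0.9", 40000, 53, UDP, 0, 1, 70)
    # TCP packet with FIN: the cache is full (oldest entry evicted), then the
    # new entry is exported immediately.
    c.packet(2.0, "10.0.0.3", "10.0.0.4", 1024, 179, TCP, 0, 1, 60, flags=FIN)
    # 25 s in, the remaining entries have been idle longer than 15 s.
    c.packet(25.0, "10.0.0.5", "10.0.0.6", 5000, 80, TCP, 0, 1, 60)
    # Keep that flow alive every 10 s until it outlives the 30 min active timer.
    t = 25.0
    while t < 25.0 + ACTIVE_TIMEOUT + 20:
        t += 10.0
        c.packet(t, "10.0.0.5", "10.0.0.6", 5000, 80, TCP, 0, 1, 60)
    return c

if __name__ == "__main__":
    for key, entry, reason in demo().expired:
        print(f"{reason:15} {key[0]}->{key[1]} if{key[6]} pkts={entry.packets}")
```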
Timing Issues: Various Times in NetFlow (figure)
Timeline from 1970 (UTC epoch): Router Boots, Flow Starts, Flow Ends, Time Flow Exported. The export header carries the Router sysUpTime in Header and the UTC Time in Header; each record carries the Flow Start sysUpTime and the Flow End sysUpTime, from which the absolute flow start and end times are Deduced.
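The deduction shown in the figure, carried out on a version 5 export packet, as an added Python example that is not part of the Cisco presentation: the packet layout is the public version 5 header/record format, the packet contents and the exporter address are constructed, and the sequence check is the loss check a collector needs because export is UDP with one sequence space per exporter engine.

```python
"""Decode a NetFlow version 5 export packet and convert each flow's SysUpTime stamps
into UTC from the header's sysUpTime and UTC fields; also check flow_sequence."""
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct(">HHIIIIBBH")             # 24 bytes
V5_RECORD = struct.Struct(">IIIHHIIIIHHBBBBHHBBH")  # 48 bytes

def parse_v5(packet: bytes):
    """Return (header dict, list of flow dicts with first/last as UTC seconds)."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("short packet")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"unexpected version {version}")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count exceeds packet length")
    # Router boot time in UTC, deduced from the header: when the packet was built the
    # router clock read unix_secs.unix_nsecs and sysUpTime read sys_uptime (ms).
    boot_utc = unix_secs + unix_nsecs / 1e9 - sys_uptime / 1000.0
    header = {"sys_uptime_ms": sys_uptime, "export_utc": unix_secs + unix_nsecs / 1e9,
              "flow_sequence": flow_seq, "engine_type": engine_type,
              "engine_id": engine_id, "sampling": sampling, "boot_utc": boot_utc}
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
            "nexthop": str(IPv4Address(r[2])), "input": r[3], "output": r[4],
            "packets": r[5], "bytes": r[6],
            "first_utc": boot_utc + r[7] / 1000.0,   # Flow Start sysUpTime -> UTC
            "last_utc": boot_utc + r[8] / 1000.0,    # Flow End sysUpTime -> UTC
            "srcport": r[9], "dstport": r[10], "tcp_flags": r[12], "protocol": r[13],
            "tos": r[14], "src_as": r[15], "dst_as": r[16],
            "src_mask": r[17], "dst_mask": r[18],
        })
    return header, flows

def check_sequence(expected: dict, exporter: str, header: dict, nflows: int) -> int:
    """Compare flow_sequence with the value expected per (exporter, engine) and
    return how many flow records were lost since the previous packet."""
    key = (exporter, header["engine_id"])      # each engine/VIP/LC numbers independently
    lost = 0
    if key in expected and header["flow_sequence"] > expected[key]:
        lost = header["flow_sequence"] - expected[key]
    expected[key] = header["flow_sequence"] + nflows
    return lost

# Constructed sample: router up for 100 s, exported at UTC 1051000000, one UDP flow
# 193.1.1.3:161 -> 172.17.246.228:50728 seen from uptime 40.0 s to 95.0 s.
def sample_packet(flow_seq=0):
    hdr = V5_HEADER.pack(5, 1, 100_000, 1_051_000_000, 0, flow_seq, 0, 0, 0)
    rec = V5_RECORD.pack(int(IPv4Address("193.1.1.3")), int(IPv4Address("172.17.246.228")),
                         0, 1, 2, 5, 420, 40_000, 95_000, 161, 50728,
                         0, 0x10, 17, 0, 193, 0, 24, 0, 0)
    return hdr + rec

if __name__ == "__main__":
    header, flows = parse_v5(sample_packet())
    for f in flows:
        print(f["src"], "->", f["dst"], "UTC", f["first_utc"], "to", f["last_utc"])
```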
Timing Issues: Various Times in NetFlow
• The UTC depends on the clock
• Synchronization of the VIP clock, the line card clock (in sync since 12.0) and the RSM/MSFC clock
• Attention to the time zone on the collector
• Conclusion: the device clocks must be synchronized
• NTP is a solution, NTP MIB in 12.1(4)
• Which synchronization time? Only important if you want to correlate flow records from different devices
  Note that NetFlow time granularity is msec
NetFlow Bypasses the Access-List (NetFlow acceleration, ACL acceleration)
(Flowchart) For each packet:
• Not the first packet in the flow: look up the entry in the NetFlow cache. If the entry's output i/f is Null, update the NetFlow entry stats and discard the packet; otherwise update the NetFlow entry stats and forward the packet with CEF.
• First packet in the flow: go through the ACL, which may deny the packet. If it passes the ACL, create a NetFlow entry and forward the packet with CEF; if it is denied, create a NetFlow entry with output i/f Null and discard the packet.
Only the first packet of a flow is evaluated against the ACL; every later packet is matched against its cache entry, which is where the acceleration comes from. Denied traffic therefore still creates cache entries, marked with output i/f Null.
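The timeline slide above and the ACL flowchart both come down to fields in the exported record, so here is one added Python example (written for this page; it is not Cisco's collector code) that parses a NetFlow v5 datagram, converts the sysUpTime-relative First/Last stamps to UTC using the header's unix_secs and sysUpTime, and lists the entries whose output ifIndex is 0. The datagram is constructed inline; the field names and the assumption that the Null output interface is exported as ifIndex 0 are this example's own.

```python
# NetFlow v5 datagram parser with two checks a collector-side analyst
# wants: absolute flow times derived from the export header, and the
# flows whose output ifIndex is 0 (the "Null" output interface). Added
# example with a constructed datagram; the 24-byte header and 48-byte
# record layouts are the standard v5 ones. Treating ifIndex 0 as the
# Null output interface is this example's assumption.
import struct
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")


def parse_v5(datagram: bytes):
    """Return (header dict, list of record dicts) or raise ValueError."""
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if header["version"] != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) < V5_HEADER.size + header["count"] * V5_RECORD.size:
        raise ValueError("datagram shorter than its record count claims")
    records = []
    for i in range(header["count"]):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "nexthop": str(IPv4Address(f[2])), "input": f[3], "output": f[4],
            "packets": f[5], "octets": f[6], "first": f[7], "last": f[8],
            "srcport": f[9], "dstport": f[10], "tcp_flags": f[12],
            "proto": f[13], "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18],
        })
    return header, records


def absolute_times(header, rec):
    """Flow start/end as UTC datetimes. First/Last are router uptime in
    ms; the header carries the uptime and the UTC clock at export time,
    so start = export_time - (sys_uptime - First). The 32-bit uptime wraps
    every ~49.7 days, hence the mask on the difference."""
    exported = (datetime.fromtimestamp(header["unix_secs"], tz=timezone.utc)
                + timedelta(microseconds=header["unix_nsecs"] // 1000))

    def at(uptime_ms):
        return exported - timedelta(milliseconds=(header["sys_uptime"] - uptime_ms) & 0xFFFFFFFF)

    return at(rec["first"]), at(rec["last"])


def null_output_flows(records):
    """Flows recorded with output ifIndex 0: the entries the flowchart
    creates with 'output i/f Null' when the ACL dropped the first packet
    (unroutable traffic lands here too). They are still exported, so a
    collector can list denied scans from this one field."""
    return [r for r in records if r["output"] == 0]


def build_sample_datagram() -> bytes:
    """Constructed export: router up 2 h, exporting at 2003-05-03T22:13:20Z,
    one permitted HTTP flow and one telnet SYN that an ACL denied."""
    sys_uptime = 2 * 3600 * 1000
    unix_secs = 1_052_000_000
    header = V5_HEADER.pack(5, 2, sys_uptime, unix_secs, 0, 1000, 0, 0, 0)

    def rec(src, dst, out_if, first, last, sport, dport, proto, flags, pkts, octs):
        return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                              b"\0\0\0\0", 1, out_if, pkts, octs, first, last,
                              sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)

    return header + b"".join([
        rec("192.0.2.10", "198.51.100.5", 2, sys_uptime - 65_000, sys_uptime - 5_000,
            40000, 80, 6, 0x1B, 12, 9000),
        rec("203.0.113.7", "198.51.100.5", 0, sys_uptime - 1_500, sys_uptime - 1_500,
            55555, 23, 6, 0x02, 1, 60),
    ])


if __name__ == "__main__":
    hdr, recs = parse_v5(build_sample_datagram())
    for r in recs:
        start, end = absolute_times(hdr, r)
        tag = "DENIED/NULL" if r["output"] == 0 else "forwarded"
        print(f"{start:%H:%M:%S}-{end:%H:%M:%S} {r['src']}:{r['srcport']} -> "
              f"{r['dst']}:{r['dstport']} proto {r['proto']} {tag}")
```

Because the header carries both the router uptime and its UTC clock at the moment of export, the collector never needs to know when the router booted; it does inherit whatever error the router clock has, which is why the slide insists on NTP. Do the conversion in UTC and convert to local time only for display, so records from routers in different time zones line up.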
NetFlow Performance
• Enabling NetFlow version 5 and exporting increases the CPU utilization by around 15% (with a max of 20%, depending on the platform)
• Enabling NetFlow version 8 increases the CPU utilization by 2 to 5%, depending on the number of aggregations enabled, with a multiple of 6% for multiple aggregations
• NetFlow is done in hardware on the Cat6500 supervisor; only the export takes CPU cycles
• http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/ntfo_wp.htm
• NetFlow version 9: similar results as version 5
NetFlow Performance: Results at a Glance
• CPU impact: 10,000 active flows: <4% of additional CPU utilization; 45,000 active flows: <12%; 65,000 active flows: <16%
• NetFlow data export (single/dual): no real impact
• NetFlow feature acceleration: >200 lines of ACLs
• Sampled NetFlow on the Cisco 12000: 23% (full) vs. 3% (1:100 sampled) at 65,000 flows
How to Reduce the CPU Utilization?
• Router: go for sampled NetFlow (packet sampling); use the distributed feature, enabling NetFlow on the line card modules (VIP, LC); use 12000 engine 3 and 4+ (hardware)
• Catalyst 6500: go for sampled NetFlow (flow sampling); use the distributed feature card to enable line card modules; reduce the flow mask
Troubleshooting Missing Flows?
1. Router problem: cache (show ip cache flow), export (show ip flow export)
2. NetFlow Collector problem: show tech-support, netstat -s
3. Transfer problem (only remaining explanation)
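For step 3 (transfer problem) there is a check the collector can run without touching the router, shown here as an added Python example (written for this page, not a Cisco tool): NetFlow v5 headers carry flow_sequence, a per-engine running count of exported flows, so the sequence in each datagram should equal the previous datagram's sequence plus its record count. The header stream below is constructed; the tuple shape and function names are this example's own.

```python
# Loss check for the "transfer problem" branch: every NetFlow v5 header
# carries flow_sequence, a running count of flows exported by that engine,
# so the sequence in each datagram should equal the previous datagram's
# sequence plus its record count. A jump means datagrams were lost on the
# way (or dropped by the collector's UDP socket, which netstat -s would
# show); a drop back means the router or its export restarted. Added
# example on a constructed header stream; the (flow_sequence, count,
# engine_id) tuple shape is this example's own.
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Header = Tuple[int, int, int]   # (flow_sequence, count, engine_id)


def find_sequence_gaps(headers: Iterable[Header]):
    """Return (gaps, resets): gaps maps engine_id -> [(expected_seq,
    seen_seq, flows_lost)], resets maps engine_id -> number of times the
    sequence went backwards. Sequences are tracked per engine because a
    distributed platform exports from several independent counters."""
    expected: Dict[int, int] = {}
    gaps: Dict[int, List[Tuple[int, int, int]]] = defaultdict(list)
    resets: Dict[int, int] = defaultdict(int)
    for seq, count, engine in headers:
        if engine in expected:
            exp = expected[engine]
            if seq > exp:
                gaps[engine].append((exp, seq, seq - exp))
            elif seq < exp:
                resets[engine] += 1
        expected[engine] = (seq + count) & 0xFFFFFFFF   # 32-bit counter
    return dict(gaps), dict(resets)


def loss_summary(headers: List[Header]):
    """Per engine: flows seen, flows lost and sequence resets."""
    gaps, resets = find_sequence_gaps(headers)
    seen: Dict[int, int] = defaultdict(int)
    for _, count, engine in headers:
        seen[engine] += count
    return {e: {"seen": seen[e],
                "lost": sum(g[2] for g in gaps.get(e, [])),
                "resets": resets.get(e, 0)} for e in seen}


# Constructed arrival order: engine 0 loses one 30-flow datagram between
# sequence 90 and 120, then restarts its counter; engine 1 is clean.
SAMPLE_HEADERS: List[Header] = [
    (0, 30, 0), (30, 30, 0), (60, 30, 0), (120, 30, 0), (150, 30, 0),
    (1000, 10, 1), (1010, 10, 1),
    (0, 5, 0), (5, 30, 0),
]

if __name__ == "__main__":
    gaps, resets = find_sequence_gaps(SAMPLE_HEADERS)
    for engine, stats in loss_summary(SAMPLE_HEADERS).items():
        print(f"engine {engine}: {stats}")
    for engine, g in gaps.items():
        for exp, seen, lost in g:
            print(f"engine {engine}: expected seq {exp}, got {seen}: {lost} flows lost")
```

Compare the result with show ip flow export on the router: if the router reports the datagrams as sent and the collector sees gaps, the loss is on the path or in the collector's UDP receive buffer (netstat -s shows the latter), not in the cache.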
New Features
Dual Flow Export (New)
• Inserted into 12.2(2)T, 12.0(19)S and 12.0(19)ST: 2 redundant export destinations are allowed for version 5
router(config)#ip flow-export destination 1.1.1.1 9996
router(config)#ip flow-export destination 2.2.2.2 9997
• If you try to configure more, you will get: “Exceeded maximum export destinations”
• Only for the routers (including GSR), not the Catalysts
NetFlow on Subinterface (New)
• Introduced in 12.2(14)S, 12.2(15)T
• For the 7200, 7400 and 7500
• http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_nfsub.htm
Router(config-if)#ip flow ingress
• Note: NetFlow reports the dot1Q subinterface ifIndex, introduced in 12.2(7), 12.2(7)S, 12.2(7)T
Egress Sampled NetFlow (New)
• Egress sampled NetFlow on 12000 engine 3, available in 12.0(24)S
• For both IP->IP and MPLS->IP traffic
router(config-if)# ip route-cache flow sampled [input|output]
NetFlow BGP Next Hop TOS Aggregation (New)
• New NetFlow aggregation on the router
• Configure on ingress interface
• Available in 12.0(26)S for the 7500
• Key fields (uniquely identify the flow): Origin AS; Destination AS; Inbound interface; DSCP; Next BGP hop
• Additional export fields: Flows; Packets; Bytes; First sysUptime; Last sysUptime; Output interface
NetFlow BGP Next Hop TOS Aggregation: The Core Traffic Matrix
(Figure: customers behind CPEs and server farms attach to PE routers in PoPs; the matrix is measured between PoPs towards AS1 to AS5)
• “PoP to PoP”, the PoP being the CPE or CE
NetFlow in a MPLS Environment
(Figure: traffic flow IP -> PE -> MPLS core (P) -> PE -> IP)
• Traditional NetFlow (IP -> MPLS)
• MPLS Aware NetFlow (MPLS -> MPLS) (IP -> IP) (New)
• MPLS Egress NetFlow (MPLS -> IP) (New)
MPLS Egress NetFlow Description (New)
• Introduced in 12.0(10)ST, 12.1(5)T, 12.0(22)S
• For MPLS/VPN traffic only, i.e. the traffic coming from the core
• Caches traffic on the egress interface, not the ingress interface
• Valid for version 5 and version 8
router(config-if)#tag-switching ip flow egress
• Can be enabled on sub-interfaces
• All other NetFlow commands still apply
MPLS Aware NetFlow Description (New)
• Provides flow statistics per MPLS and IP packet. MPLS packets: label information and the v5 fields of the underlying IP packet. IP packets: regular IP NetFlow records
• Configure on ingress interface
• Supported in 12.0(24)S on the 12000, then in 12.0(26)S on the 7200/7500
MPLS Aware NetFlow Flow Keys
• Key fields (uniquely identify the flow): Source IP address; Destination IP address; IP protocol; Input ifIndex; Source application port; Destination application port; DSCP; up to 3 incoming MPLS labels of interest, with experimental bits and end-of-stack bit; positions of the above labels in the packet label stack
• Additional export fields: Flows; Packets; Bytes; First sysUptime; Last sysUptime; Output interface; NetFlow version 5 fields of the underlying IP packet (TCP flags, etc.); type of the top label (LDP, BGP, VPN, ATOM, TE Tunnel MID-PT, unknown); the forwarding equivalence class mapping to the top label
MPLS Aware NetFlow: The Core Traffic Matrix
(Figure: customers behind CPEs and server farms attach to PE routers in PoPs; P routers form the MPLS core between the PoPs, with a WR behind one PE; the matrix is measured between PoPs towards AS1 to AS5)
• “PoP to PoP”, the PoP being the CPE or CE
MPLS Aware NetFlow Top Label Aggregation (12.0(25)S) (New)
• Key fields (uniquely identify the flow): Input ifIndex; the top incoming MPLS label, with experimental bits and end-of-stack bit
• Additional export fields: Flows; Packets; Bytes; First sysUptime; Last sysUptime; Output interface; NetFlow version 5 fields of the underlying IP packet (TCP flags, etc.); type of the top label (LDP, BGP, VPN, ATOM, TE tunnel MID-PT, unknown); the forwarding equivalence class mapping to the top label
Multicast: Traditional NetFlow
(S, G) = (10.0.0.2, 224.10.10.100); the source is on Eth 0, receivers are on Eth 1, Eth 2 and Eth 3
Configuration:
interface Ethernet 0
 ip route-cache flow
ip flow-export version 9
ip flow-export destination x.x.x.x
Resulting cache entry (the 7 key fields are marked with *):
SrcIf* | SrcIPadd* | DstIf | DstIPadd* | Protocol* | TOS* | Flgs | SrcPort* | SrcMsk | DstPort* | DstMsk | NextHop | Bytes | Packets | Active | Idle
Eth 0 | 10.0.0.2 | Null | 224.10.10.100 | 11 | 80 | 10 | 00A2 | /24 | 00A2 | /24 | - | 23100 | 21 | 1745 | 4
• There is only one flow per NetFlow-configured input interface
• The 7 key fields that define a unique flow are marked (red on the original slide)
• Destination interface is marked as “null”
• Bytes and packets are the incoming values
Multicast NetFlow Ingress (Early Field Test) (New)
(S, G) = (10.0.0.2, 224.10.10.100); the source is on Eth 0, receivers are on Eth 1, Eth 2 and Eth 3
Configuration:
interface Ethernet 0
 ip multicast netflow ingress
ip flow-export version 9
ip flow-export destination x.x.x.x
Resulting cache entry (the 7 key fields are marked with *):
SrcIf* | SrcIPadd* | DstIf | DstIPadd* | Protocol* | TOS* | Flgs | SrcPort* | SrcMsk | DstPort* | DstMsk | NextHop | Bytes | Packets | Active | Idle
Eth 0 | 10.0.0.2 | Null | 224.10.10.100 | 11 | 80 | 10 | 00A2 | /24 | 00A2 | /24 | - | 69300 | 63 | 1745 | 4
• There is only one flow per NetFlow-configured input interface
• The 7 key fields that define a unique flow are marked (red on the original slide)
• Destination interface is marked as “null”
• Bytes and packets are the outgoing values (here 3 x 23100 bytes and 3 x 21 packets, one copy per output interface)
Multicast NetFlow Egress (Early Field Test)
(S, G) = (10.0.0.2, 224.10.10.100); the source is on Eth 0, receivers are on Eth 1, Eth 2 and Eth 3
Configuration:
interface Ethernet 0
interface Ethernet 1
 ip multicast netflow egress
interface Ethernet 2
 ip multicast netflow egress
interface Ethernet 3
 ip multicast netflow egress
ip flow-export version 9
ip flow-export destination x.x.x.x
Resulting cache entries (the 7 key fields are marked with *):
SrcIf | SrcIPadd* | DstIf* | DstIPadd* | Protocol* | TOS* | Flgs | SrcPort* | SrcMsk | DstPort* | DstMsk | NextHop | Bytes | Packets | Active | Idle
Eth 0 | 10.0.0.2 | Eth 1 | 224.10.10.100 | 11 | 80 | 10 | 00A2 | /24 | 00A2 | /24 | - | 23100 | 21 | 1745 | 4
Eth 0 | 10.0.0.2 | Eth 2 | 224.10.10.100 | 11 | 80 | 10 | 00A2 | /24 | 00A2 | /24 | - | 23100 | 21 | 1745 | 4
Eth 0 | 10.0.0.2 | Eth 3 | 224.10.10.100 | 11 | 80 | 10 | 00A2 | /24 | 00A2 | /24 | - | 23100 | 21 | 1745 | 4
• There is one flow per multicast NetFlow egress-configured output interface
• One of the 7 key fields that define a unique flow has changed from source interface to destination interface
• Bytes and packets are the outgoing values
NetFlow Input Filters: Overview (New)
• Support pre-filtering of traffic for NetFlow processing
• The Modular QoS Command Line (MQC) will provide the filtering mechanism for NetFlow: classification by IP source and destination addresses, layer 4 protocol and port numbers, incoming interface, MAC address, DSCP; layer 2 information such as Frame Relay DE bits and Ethernet 802.1p bits; Network Based Application Recognition (NBAR)
• Ability to sample filtered data at different rates, depending on how interesting the traffic is
• Currently early field test
NetFlow Input Filters: Example
(Figure: packets pass through one of three filters, each with its own sampling rate, before entering the NetFlow cache)
• VoIP: tight filter for traffic of high importance, 1:1 sampling
• VPN: moderately tight filter for traffic of medium importance, 1:100 sampling
• Best effort: default wide-open filter for traffic of low importance, 1:1000 sampling
NetFlow and IPv6 (New)
• Currently in EFT for 3600, 7200, 7500
• Based on NetFlow version 9
• For both ingress and egress traffic
• Non sampled
• No data export over IPv6 (still IPv4)
Catalyst 6500 New Fields Population (New)
• The following CLI command will be available in release 7.3(1)
• Destination and source ifIndex support is enabled by default
set mls nde {destination-index|source-index} {enable|disable}
Catalyst 6500 New Fields Population and Version 5 (New)
• SUP2/PFC2 (EARL6) supports from 12.1(13)E: source and destination BGP AS; input and output ifIndexes; next hop. Note: 12.1(13)E1 if any WAN cards
• Native mode: SUP2/PFC2 supports NetFlow version 5 from 12.1(13)E
• Hybrid mode: SUP2/PFC2 supports NetFlow version 5 from 7.5(1)
Catalyst 6500 Switched Traffic (New)
• The L2 switched traffic (from vlan x to vlan x) is now counted with NetFlow
• Hybrid mode: introduced in CatOS version 7.(2)
• Native mode: not yet available
• Doesn’t require a MSFC
set mls bridged-flow-statistics enable/disable
Catalyst 6500 NetFlow Sampling (New)
• 12.1(13)E supports both time- and packet-based sampling
• Sampling rate is configurable only for the whole box
• Accuracy of NetFlow on the platform comes down to tuning the aging timers correctly
• Note: a way of minimizing packet loss is to use DFC cards, spreading the incoming packet load evenly onto different vlans (on different cards). DFC: Distributed Forwarding Card
Cisco Catalyst 4000 NetFlow Services Card (New)
• Version 5 in 12.1(13)EW
• Supervisor IV is required
• Feature card is also required
Roadmap and Future Directions
Roadmap for NetFlow Software Platforms
(Timeline figure, Feb 2003 to Aug 2004; tracks: Scalability and Flexibility, Technology Coverage, Optimizing Data for Flow Processing, Standardization)
• Targeting 12.0(24)S: NetFlow v9
• Targeting 12.0(26)S: Statistical Sampling; BGP Nexthop; NetFlow MPLS Aware
• Targeting 12.0(27)S: NetFlow Input Filter; NetFlow MPLS Top Label
• Targeting 12.3(1)T: Statistical Sampling
• Targeting 12.3M: NetFlow v9; BGP Next hop; NetFlow Multicast; Statistical Sampling
• Targeting 12.3(2nd)T: NetFlow v9; BGP Nexthop; NetFlow Multicast; Statistical Sampling; NetFlow IPv6
• Targeting 12.2S: NetFlow MPLS; BGP Nexthop; NetFlow Multicast; NetFlow Input Filter
• Radar: NetFlow MIB; Congestion Aware Export (SCTP); Egress; Flexible Input and Export; NetFlow IPSec
NB. Confirm target releases with the Cisco IOS® NetFlow PM, Tom Zingale
Roadmap for NetFlow Software 12000
(Timeline figure, Feb 2003 to Aug 2004; tracks: Scalability and Flexibility, Technology Coverage, Optimizing Data for Flow Processing, Standardization)
• Targeting 12.0(24)S: NetFlow v9; MPLS Aware; Output E3; AS Origin and Peer; MPLS Egress E3
• Targeting 12.0(27)S: Sampled on ATM Line Card; NetFlow MPLS Top Label
• Targeting 12.0(26)S, 12.0(28)S and Radar (release column not recoverable from the slide): V8 TOS Agg; Statistical Sampling; IPv6; BGP Nexthop; Input Filters; Packet Header; Congestion Aware Export; Flexible Keys; User Defined Export; Multicast
NB. Confirm target releases with the Cisco IOS NetFlow PM, Tom Zingale
Roadmap for NetFlow Catalyst 6500/7600
(Timeline figure, Feb 2003 to Aug 2004; tracks: Scalability and Flexibility, Technology Coverage, Optimizing Data for Flow Processing, Standardization)
• Targeting 12.1(13)E: Version 5; Sampling; Source/Dest I/F Fields; Source/Dest AS Fields; Native V8 Aggregation PFC2
• Targeting Cat 6.6(6) and 7.3(1): Source/Dest I/F Fields
• Targeting 12.2(14)SX: Sup 720 Version 9 NetFlow; Sup 720 V8 Agg Multicast; Sup 720 IPv6
• Targeting 12.2S(RIs3) and Radar (release column not recoverable from the slide): Sup 3b; V8 TOS Agg.
NB. Confirm target releases with the Cisco IOS NetFlow PM, Tom Zingale
Roadmap for NetFlow Catalyst 4000
(Timeline figure, Feb 2003 to Aug 2004; tracks: Scalability and Flexibility, Technology Coverage, Optimizing Data for Flow Processing, Standardization)
• 12.1(13)EW: Version 5, Sup 4
• Targeting: Source/Dest I/F Fields; Source/Dest AS Fields; Version 8; BGP Next Hop
NB. Confirm target releases with the Cisco IOS NetFlow PM, Tom Zingale
Conclusion/Summary
• NetFlow became the de facto IP accounting method
• The new NetFlow version 9 is extensible and flexible
• NetFlow version 9 has been adopted by the IETF
• A lot of new features recently added
• A lot of new features to come
Other Network Management Sessions
• Network Management: NSC-1001 Introduction to Network Management; NSC-2001 Network Troubleshooting Tools and Techniques
• Fault: NSC-1011 Principles of Fault Management
• Configuration: NSC-2021 Configuration of Large-Scale Networks with CiscoWorks; NSC-4021 Advanced Configuration Methods
• Performance: NSC-1041 Introduction to Performance Management; NSC-2041 Performance Measurement with Cisco IOS Software; NSC-4041 Advanced Performance Management with Cisco Service Assurance Agent
• Accounting: NSC-1031 Introduction to Collecting Traffic Accounting Information; NSC-4031 Advanced NetFlow Accounting
• Security: NSC-2051 Securely Managing Your Network
• Services: NSC-1101 Understanding DNS and DHCP; NSC-2102 Deploying and Troubleshooting NAT
• High Availability: NSC-1201 Improving Network Availability; NSC-2201 Deploying Highly Available Enterprise Networks