NetFlow
-
Enabling NetFlow on a Catalyst 6500
http://nwannura.blogspot.com/2009/06/enabling-netflow-on-catalyst-6500.html
Configuring NetFlow on Cisco IOS XR Softwarehttp://www.cisco.com/en/US/docs/routers/xr12000/software/xr12k_r4.0/netflow/configuration/guide/nfc40flow.html
ManageEngine NetFlow Analyzer v8600http://archives.manageengine.com/netflow/8.6/ManageEngine_NetFlowAnalyzer_8600.exe
KeyGen -> java -jar xxx.jarhttp://thepiratebay.se/search/netflow/0/99/0
กำหนดให้อนุญาติการเก็บข้อมูล Flow ที่วิ่งเข้า (ingress) Interface
Router(config-if)#ip flow ingress
ดูข้อมูลโดยใช้คำสั่ง show ip cache flowRouter#sho ip cac flo<br />IP packet size distribution (11215434 total packets):<br /> 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480<br /> .001 .254 .685 .014 .000 .018 .008 .000 .005 .003 .000 .001 .001 .000 .000<br /><br /> 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608<br /> .000 .000 .001 .000 .000 .000 .000 .000 .000 .000 .000<br /><br />IP Flow Switching Cache, 278544 bytes<br /> 5 active, 4091 inactive, 3581241 added<br /> 59673255 ager polls, 0 flow alloc failures<br /> Active flows timeout in 30 minutes<br /> Inactive flows timeout in 15 seconds<br />IP Sub Flow Cache, 25800 bytes<br /> 5 active, 1019 inactive, 3581241 added, 3581241 added to flow<br /> 0 alloc failures, 0 force free<br /> 1 chunk, 2 chunks added<br /> last clearing of statistics never<br />Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)<br />-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow<br />TCP-other 340168 0.0 2 53 0.1 1.3 13.4<br />UDP-DNS 1495 0.0 1 64 0.0 0.0 15.5<br />UDP-other 872145 0.2 8 76 1.6 0.2 15.4<br />Total: 1213808 0.2 3 77 1.7 0.7 15.5<br /><br />SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts<br />Fa0/1 10.22.1.132 Local 172.28.101.46 01 0000 0800 1755 <br />Fa0/1 10.22.1.163 Local 172.28.101.46 01 0000 0800 1753 <br />Fa0/1 10.22.1.58 Local 172.28.101.46 11 103C 00A1 1 <br />Fa0/1 10.22.1.133 Local 172.28.101.46 06 E430 0016 41
มีรายละเอียดของข้อมูลดังต่อไปนี้- [li]IP packet size distribution จะเป็นการบอกจำนวน Packet ที่ขนาดต่างๆ[/li]
[li]IP Flow Switching Cache จะบอกจำนวนไบท์ทั้งหมดของ Flow ที่ถูกดักจับได้ รวมถึงบอกรายละเอียดของข้อกำหนด Flow เช่น Inactive flow จะมีเวลาในการเกิด timeout 15 วินาที และ ความยาวของ flow ที่ active จะไม่เกิน 30 นาที[/li]
[li]IP Sub Flow Cache จะบอกจำนวนไบท์ทั้งหมดจาก Sub Flow[/li]
[li]Protocol จะบอกว่าการดักจับพบ Protocol อะไรบ้างและรายละเอียดการทำงานเป็นอย่างไร[/li]
[li]ส่วนสุดท้ายจะบอกรายละเอียดของข้อมูล IP/Port ของ Packet ที่ดักจับได้จาก interface f0/1[/li]
Introduction to Accounting Principles with NetFlow and NBAR
Why do We Need Accounting?
Accounting Reports - Business Justification
Bandwidth/Capacity Reports- [li]What is eating up my network resources?[/li]
[li]When do I need a capacity upgrade?[/li]
[li]What is causing congestion?[/li]
Subscriber Demographic Reports- [li]What percentage is using P2P/gaming application?[/li]
[li]What are the usage patterns of different subscriber groups?[/li]
[li]What is the cost impact of my top subscribers?[/li]
Server Activity- [li]What are the popular Web hosts used?[/li]
[li]What are the popular streaming sites?[/li]
Voice Reports- [li]Quality of experience of VoIP calls[/li]
[li]Minutes spent on VoIP services[/li]
[li]Total and concurrent calls per VoIP service[/li]
[li]Compare managed vs. non-facility service[/li]
Security Reports- [li]Which subscribers are infected and attacking others?[/li]
[li]Which subscribers are spamming?[/li]
[li]Which subscriber is attacking network resources?[/li]
Accounting Architecture:
The Theory
The Reality
Distinguish Between Accounting and Billing
Why NetFlow?
Network Operation- [li]Capacity Planning[/li]
[li]Historic Data Collection and Trend Analysis[/li]
[li]Network Performance Analysis[/li]
[li]Unified Visibility Across Networks[/li]
Security Operation- [li]Real-time Anomaly Behavior Monitoring[/li]
[li]Eliminate Network Blind Spots[/li]
[li]Reduce Time, Cost, and Complexity for Threat Detection and Response[/li]
Compliance- [li]Provides User Accountability[/li]
[li]Supplies Risk Measurability and Reporting[/li]
[li]Enables Industry and Government Regulations: PCI, HIPAA, SCA.5DA, SOX, etc.[/li]
Typical NetFlow Deployment
NetFlow Architecture
What Is a Traditional IP Flow?
[list type=decimal][li]Inspect a packet's seven key fields and identify the values[/li]
[li]If the set of key field values is unique create a flow record or cache entry[/li]
[li]When the flow terminates export the flow to the collector[/li][/list]
NetFlow Key Fields Creating Flow Records
[list type=decimal][li]Inspect packet for key field values[/li]
[li]Compare set of values to NetFlow cache[/li]
[li]If the set of values are unique create a flow in cache[/li]
[li]Inspect the next packet[/li][/list]
There are Four Types of NetFlow Fields- [li]Key fields
Key fields define the flow record
An attribute in the packet used to create a flow record
If the set of key field values is unique a new flow is created[/li]
[li]Non-key fields
These are used not to define a flow, instead they provide additional information[/li]
[li]Value fields
These are additional fields and counters, such as packet and byte counter, start and stop time stamps[/li]
[li]Lookup fields
These are additional information that are added to the flow, such as next hop address, source/destination AS number, etc.[/li]
Traditional Layer 3 NetFlow Cache
NetFlow Processing Order
[list type=decimal][li]Pre-Processing- [li]Packet Sampling[/li]
[li]Filtering[/li]
[li]Features and Services- [li]IPv4[/li]
[li]Multicast[/li]
[li]MPLS[/li]
[li]IPv6[/li]
[li]Post-Processing- [li]Aggregation[/li]
[li]Non-key fields lookup[/li]
[li]Export[/li]
Comprehensive Hardware Support- [li]Not Supported Access Switches 37xx, 36xx, 35xx, 29xx[/li]
[li]Enterprise and Aggregation/Edge
Cisco IOS Software Release 12.2S
Cisco 7200/7500, 7300 Series
Cisco 4500, 10000, 7600 Series ASIC
Cisco Catalyst 6500[/li]
[li]Core
Release 12.0S/Cisco IOS-XR
Cisco 12000 Series ASIC
CRS-1 ASIC[/li]
[li]Access
Cisco IOS Software Releases T Train
Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200/7300 Series[/li]
NetFlow Versions
[table][tr][td]NetFlow Version[/td][td]Comments[/td][/tr]
[tr][td]1[/td][td]Original[/td][/tr]
[tr][td]5[/td][td]Most Common Version[/td][/tr]
[tr][td]7[/td][td]Specific to Cisco Catalyst 6500 and 7600 Series Switches
Similar to Version 5, but Does Not Include AS, Interface, TCP Flag, and ToS Information[/td][/tr]
[tr][td]8[/td][td]Choice 11 Aggregation Schemes
Reduces Resource Usage[/td][/tr]
[tr][td]9[/td][td]Flexible, Extensible File Export Format to Enable Easier
Support of Additional Fields and Technologies; Coming Out
Now MPLS, Multicast, and BGP Next Hop[/td][/tr][/table]
Version 5 - Fixed Export Format
Usage- [li]Packet count[/li]
[li]Byte count[/li]
Time of Day- [li]Start sysUpTime[/li]
[li]End sysUpTime[/li]
Port Utilization- [li]Input ifIndex[/li]
[li]Output ifIndex[/li]
QoS- [li]Type of service[/li]
[li]TCP flags[/li]
[li]Protocol[/li]
From/To- [li]Source IP address[/li]
[li]Destination IP address[/li]
Application- [li]Source TCP/UDP port[/li]
[li]Destination TCP/UDP port[/li]
Routing and Peering- [li]Next hop address[/li]
[li]Source AS number[/li]
[li]Dest. AS number[/li]
[li]Source prefix mask[/li]
[li]Dest. prefix mask[/li]
Version 5 is still used extensively
Version 8 - Fixed Aggregation Format- [li]Router-based aggregation[/li]
[li]Enables router to summarize NetFlow data[/li]
[li]Reduces NetFlow export data volume[/li]
[li]Decreases NetFlow export bandwidth requirements[/li]
[li]Currently 11 aggregation schemes
Five original schemes
Six new schemes with the ToS byte field[/li]
[li]Several aggregations can be enabled simultaneously[/li]
Note: NetFlow version 9 can be used for router-based aggregation and is recommended if the collector supports v9
Extensibility and Flexibility Phases Approach- [li]Why a new export protocol?
Build a flexible and extensible export format
Advantage: able to add new technologies/data types very quickly Example: MPLS, IPv6, BGP next hop, multicast, etc.[/li]
[li]NetFlow Version 9
New concept: template records, data records
Advantages: extensibility
Integrate new technologies/data types quicker
Integrate new aggregations quicker[/li]
Template Record - Example
Data Record - Example
NetFlow v9 Export Packet
- [li]Matching ID numbers are the way to associate template to the data records[/li]
[li]The header follows the same format as prior NetFlow versions so collectors will be backward compatible[/li]
[li]Each data record represents one flow[/li]
[li]If exported flows have different fields, they cannot be contained in the same template record (i.e., BGP next hop cannot be combined with MPLS-aware, NetFlow records)[/li]
IETF: IP Flow Information Export WG (IPFIX)- [li]IPFIX protocol specifications
Changes in terminology but same NetFlow Version 9 principles
Improvements vs. NetFlow version 9: SCTP-PR, security, variable length information element, IANA registration, etc.
Generic streaming protocol, not flow-centric anymore
Security:
Threat: confidentiality, integrity, authorization
Solution: DTLS on SCTP-PR[/li]
[li]IPFIX information model
Most NetFlow version 9 information elements ID are kept
Proprietary information element specification[/li]
[li]Is IPFIX important to you?[/li]
[li]RFC3954 "Cisco Systems NetFlow Services Export Version 9"[/li]
[li]RFC3917 "Requirements for IP Flow Information Export"[/li]
[li]RFC3955 "Evaluation of Candidate Protocols for IPFIX"[/li]
[li]RFC5101 "Specification of the IPFIX Protocol for the Exchange of IP Traffic Flow Information"[/li]
[li]RFC5102 "Information Model for IP Flow Information Export"[/li]
[li]RFC5103 "Bidirectional Flow Export using IP Flow Information Export (IPFIX)"[/li]
NetFlow Configuration Commands (Software Platforms)- [li]Configure Cisco Express Forward (CEF) Switching
ip cef[/li]
[li]Configure NetFlow per interface - NetFlow Collects Flows
ip flow ingress
(or ip route-cache flow) - Older Cisco IOS Versions Use This Command, Hidden in 12.4 and 12.4T[/li]
[li]Configure the export version - Set Export Packet Format
i.e., ip flow-export Version 5
ip flow-export version <version> [origin as|peer-as|bgp-nexthop][/li]
[li]Configure the export destination - Optional for Collector
i.e., ip flow-export destination 10.0.0.1 65001
ip flow-export destination <address> <port>[/li]
[li]Interface to define export devices, usually a loopback - Enables Collector to Identify the Exporting Device
ip flow-export source <interface>[/li]
- [li]IP packet size distribution จะเป็นการบอกจำนวน Packet ที่ขนาดต่างๆ[/li]
Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Categories
- All Discussions3,186
- Management11
- General Talk593
- Job11
- Language75
- Make money48
- Operating System102
- Programing & database30
- Networking2,316
- ↳ General Networking325
- ↳ Advance Network1,991
- ↳ OSPF327
- ↳ Service Provider163
- ↳ Service Provider Operations518
- ↳ Redistribution376
- ↳ IPv64
- ↳ EIGRP383
- ↳ BGP6