Enabling NetFlow on a Catalyst 6500


Configuring NetFlow on Cisco IOS XR Software


ManageEngine NetFlow Analyzer v8600


KeyGen -> java -jar xxx.jar


กำหนดให้อนุญาติการเก็บข้อมูล Flow ที่วิ่งเข้า (ingress) Interface

Router(config-if)#ip flow ingress

ดูข้อมูลโดยใช้คำสั่ง show ip cache flow

Router#sho ip cac flo
IP packet size distribution (11215434 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.001 .254 .685 .014 .000 .018 .008 .000 .005 .003 .000 .001 .001 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .001 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
5 active, 4091 inactive, 3581241 added
59673255 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
5 active, 1019 inactive, 3581241 added, 3581241 added to flow
0 alloc failures, 0 force free
1 chunk, 2 chunks added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)

Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-other 340168 0.0 2 53 0.1 1.3 13.4
UDP-DNS 1495 0.0 1 64 0.0 0.0 15.5
UDP-other 872145 0.2 8 76 1.6 0.2 15.4
Total: 1213808 0.2 3 77 1.7 0.7 15.5

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/1 Local 01 0000 0800 1755
Fa0/1 Local 01 0000 0800 1753
Fa0/1 Local 11 103C 00A1 1
Fa0/1 Local 06 E430 0016 41



[li]IP packet size distribution จะเป็นการบอกจำนวน Packet ที่ขนาดต่างๆ[/li]
[li]IP Flow Switching Cache จะบอกจำนวนไบท์ทั้งหมดของ Flow ที่ถูกดักจับได้ รวมถึงบอกรายละเอียดของข้อกำหนด Flow เช่น Inactive flow จะมีเวลาในการเกิด timeout 15 วินาที และ ความยาวของ flow ที่ active จะไม่เกิน 30 นาที[/li]
[li]IP Sub Flow Cache จะบอกจำนวนไบท์ทั้งหมดจาก Sub Flow[/li]
[li]Protocol จะบอกว่าการดักจับพบ Protocol อะไรบ้างและรายละเอียดการทำงานเป็นอย่างไร[/li]
[li]ส่วนสุดท้ายจะบอกรายละเอียดของข้อมูล IP/Port ของ Packet ที่ดักจับได้จาก interface f0/1[/li][/list]

Introduction to Accounting Principles with NetFlow and NBAR

Why do We Need Accounting?


Accounting Reports - Business Justification


Bandwidth/Capacity Reports

[li]What is eating up my network resources?[/li]
[li]When do I need a capacity upgrade?[/li]
[li]What is causing congestion?[/li][/list]

Subscriber Demographic Reports

[li]What percentage is using P2P/gaming application?[/li]
[li]What are the usage patterns of different subscriber groups?[/li]
[li]What is the cost impact of my top subscribers?[/li][/list]

Server Activity

[li]What are the popular Web hosts used?[/li]
[li]What are the popular streaming sites?[/li][/list]

Voice Reports

[li]Quality of experience of VoIP calls[/li]
[li]Minutes spent on VoIP services[/li]
[li]Total and concurrent calls per VoIP service[/li]
[li]Compare managed vs. non-facility service[/li][/list]

Security Reports

[li]Which subscribers are infected and attacking others?[/li]
[li]Which subscribers are spamming?[/li]
[li]Which subscriber is attacking network resources?[/li][/list]

Accounting Architecture:

The Theory


The Reality


Distinguish Between Accounting and Billing


Why NetFlow?


Network Operation

[li]Capacity Planning[/li]
[li]Historic Data Collection and Trend Analysis[/li]
[li]Network Performance Analysis[/li]
[li]Unified Visibility Across Networks[/li][/list]

Security Operation

[li]Real-time Anomaly Behavior Monitoring[/li]
[li]Eliminate Network Blind Spots[/li]
[li]Reduce Time, Cost, and Complexity for Threat Detection and Response[/li][/list]


[li]Provides User Accountability[/li]
[li]Supplies Risk Measurability and Reporting[/li]
[li]Enables Industry and Government Regulations: PCI, HIPAA, SCA.5DA, SOX, etc.[/li][/list]

Typical NetFlow Deployment


NetFlow Architecture


What Is a Traditional IP Flow?


[li]Inspect a packet's seven key fields and identify the values[/li]
[li]If the set of key field values is unique create a flow record or cache entry[/li]
[li]When the flow terminates export the flow to the collector[/li][/list]

NetFlow Key Fields Creating Flow Records


[li]Inspect packet for key field values[/li]
[li]Compare set of values to NetFlow cache[/li]
[li]If the set of values are unique create a flow in cache[/li]
[li]Inspect the next packet[/li][/list]

There are Four Types of NetFlow Fields

[li]Key fields
Key fields define the flow record
An attribute in the packet used to create a flow record
If the set of key field values is unique a new flow is created[/li]
[li]Non-key fields
These are used not to define a flow, instead they provide additional information[/li]
[li]Value fields
These are additional fields and counters, such as packet and byte counter, start and stop time stamps[/li]
[li]Lookup fields
These are additional information that are added to the flow, such as next hop address, source/destination AS number, etc.[/li][/list]

Traditional Layer 3 NetFlow Cache


NetFlow Processing Order


[li]Packet Sampling[/li]
[li]Features and Services


[li]Non-key fields lookup[/li]


Comprehensive Hardware Support

[li]Not Supported Access Switches 37xx, 36xx, 35xx, 29xx[/li]
[li]Enterprise and Aggregation/Edge
Cisco IOS Software Release 12.2S
Cisco 7200/7500, 7300 Series
Cisco 4500, 10000, 7600 Series ASIC
Cisco Catalyst 6500[/li]
Release 12.0S/Cisco IOS-XR
Cisco 12000 Series ASIC
CRS-1 ASIC[/li]
Cisco IOS Software Releases T Train
Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200/7300 Series[/li][/list]

NetFlow Versions
NetFlow VersionComments
5Most Common Version
7Specific to Cisco Catalyst 6500 and 7600 Series Switches
Similar to Version 5, but Does Not Include AS, Interface, TCP Flag, and ToS Information
8Choice 11 Aggregation Schemes
Reduces Resource Usage
9Flexible, Extensible File Export Format to Enable Easier
Support of Additional Fields and Technologies; Coming Out
Now MPLS, Multicast, and BGP Next Hop

Version 5 - Fixed Export Format


[li]Packet count[/li]
[li]Byte count[/li][/list]

Time of Day

[li]Start sysUpTime[/li]
[li]End sysUpTime[/li][/list]

Port Utilization

[li]Input ifIndex[/li]
[li]Output ifIndex[/li][/list]


[li]Type of service[/li]
[li]TCP flags[/li]


[li]Source IP address[/li]
[li]Destination IP address[/li][/list]


[li]Source TCP/UDP port[/li]
[li]Destination TCP/UDP port[/li][/list]

Routing and Peering

[li]Next hop address[/li]
[li]Source AS number[/li]
[li]Dest. AS number[/li]
[li]Source prefix mask[/li]
[li]Dest. prefix mask[/li][/list]

Version 5 is still used extensively

Version 8 - Fixed Aggregation Format

[li]Router-based aggregation[/li]
[li]Enables router to summarize NetFlow data[/li]
[li]Reduces NetFlow export data volume[/li]
[li]Decreases NetFlow export bandwidth requirements[/li]
[li]Currently 11 aggregation schemes
Five original schemes
Six new schemes with the ToS byte field[/li]
[li]Several aggregations can be enabled simultaneously[/li][/list]

Note: NetFlow version 9 can be used for router-based aggregation and is recommended if the collector supports v9

Extensibility and Flexibility Phases Approach

[li]Why a new export protocol?
Build a flexible and extensible export format
Advantage: able to add new technologies/data types very quickly Example: MPLS, IPv6, BGP next hop, multicast, etc.[/li]
[li]NetFlow Version 9
New concept: template records, data records
Advantages: extensibility
Integrate new technologies/data types quicker
Integrate new aggregations quicker[/li][/list]

Template Record - Example


Data Record - Example


NetFlow v9 Export Packet


[li]Matching ID numbers are the way to associate template to the data records[/li]
[li]The header follows the same format as prior NetFlow versions so collectors will be backward compatible[/li]
[li]Each data record represents one flow[/li]
[li]If exported flows have different fields, they cannot be contained in the same template record (i.e., BGP next hop cannot be combined with MPLS-aware, NetFlow records)[/li][/list]

IETF: IP Flow Information Export WG (IPFIX)

[li]IPFIX protocol specifications
Changes in terminology but same NetFlow Version 9 principles
Improvements vs. NetFlow version 9: SCTP-PR, security, variable length information element, IANA registration, etc.
Generic streaming protocol, not flow-centric anymore
Threat: confidentiality, integrity, authorization
Solution: DTLS on SCTP-PR[/li]
[li]IPFIX information model
Most NetFlow version 9 information elements ID are kept
Proprietary information element specification[/li]
[li]Is IPFIX important to you?[/li]
[li]RFC3954 "Cisco Systems NetFlow Services Export Version 9"[/li]
[li]RFC3917 "Requirements for IP Flow Information Export"[/li]
[li]RFC3955 "Evaluation of Candidate Protocols for IPFIX"[/li]
[li]RFC5101 "Specification of the IPFIX Protocol for the Exchange of IP Traffic Flow Information"[/li]
[li]RFC5102 "Information Model for IP Flow Information Export"[/li]
[li]RFC5103 "Bidirectional Flow Export using IP Flow Information Export (IPFIX)"[/li][/list]

NetFlow Configuration Commands (Software Platforms)

[li]Configure Cisco Express Forward (CEF) Switching
ip cef[/li]
[li]Configure NetFlow per interface - NetFlow Collects Flows
ip flow ingress
(or ip route-cache flow) - Older Cisco IOS Versions Use This Command, Hidden in 12.4 and 12.4T[/li]
[li]Configure the export version - Set Export Packet Format
i.e., ip flow-export Version 5
ip flow-export version [origin as|peer-as|bgp-nexthop][/li]
[li]Configure the export destination - Optional for Collector
i.e., ip flow-export destination 65001
ip flow-export destination [/li]
[li]Interface to define export devices, usually a loopback - Enables Collector to Identify the Exporting Device
ip flow-export source [/li][/list]