Advanced NetFlow Accounting

Transcription

1 1 Advanced NetFlow Accounting Session Copyright Printed in USA. 2

2 Table of Content NetFlow Basics NetFlow Versions NetFlow on the Router (Version 5) NetFlow on the Router (Version 8) NetFlow on the Switches (Version 7 Version 8) NetFlow Version 9 Advanced Concepts New Features Roadmap and Future Directions Appendix A: NetFlow Compared to Other Methods 3 This Tutorial Is Not about A level 1 type of presentation An (long) introduction about NetFlow Marketing slides NetFlow Collector details Ecosystem partners applications and mediations Prerequisite: NSC-1031, Introduction to Collecting Traffic Accounting Information Or previous NetFlow knowledge 4 Copyright Printed in USA.

3 NetFlow Basics 5 NetFlow Infrastructure Cisco Cisco and Partners Partners Network Planning RMON/NAM Accounting Billing Router: Cache creation Data export Aggregation Collector: Collection Filtering Aggregation Storage Applications: RMON Application Data processing Data presentation 6 Copyright Printed in USA.

4 NetFlow Partners Billing Traffic Analysis Denial of Service Collection 7 NetFlow Possible Applications Network Monitoring Network Planning Security Analysis Application Monitoring User Monitoring Traffic Engineering Peering Agreement Usage-Based Billing Destination Sensitive Billing NetFlow 8 Copyright Printed in USA.

5 What Is a NetFlow Flow? 7 Keys Define a Flow Source Address Destination Address Source Port Destination Port Layer 3 Protocol Type TOS byte (DSCP) Input Logical Interface (ifindex) Exported Data A Flow Is Unidirectional 9 How Does NetFlow Work? 7 Identifiers Other Data Flow Identifiers Flow Identifiers Flow Identifiers Flow Data Flow Data Flow Data Update Exported Data via UDP (*) (*) for Speed and Simplicity 10 Copyright Printed in USA.

6 NetFlow Principles Answers questions regarding your traffic: who, what, where, when, and how NetFlow became the de facto IP accounting standard throughout the industry Support on all interface types Supported on fast switching, Cisco Express Forwarding (CEF) and Distributed CEF 11 NetFlow Principles Not a switching path 7 flow identifiers Unidirectional traffic For ingress traffic only (*) IP unicast only (*) Export via UDP (*) (*) See Roadmap 12 Copyright Printed in USA.

7 NetFlow on the Router Version 5 13 Version 5 Version 5 adds BGP autonomous system Supported on router starting from 11.1 CA and 12.0 The most deployed version The most complete version in terms of exported data types No reason to use NetFlow version 1 unless supporting a legacy collection system 14 Copyright Printed in USA.

8 Version 5 Flow Format Usage Packet Count Byte Count Source IP Address Destination IP Address From/To Time of Day Start SysUpTime End SysUpTime Source TCP/UDP Port Destination TCP/UDP Port Port Utilization QoS Input IfIndex Output IfIndex Type of Service TCP Flags Protocol Next Hop Address Source AS AS Number Dest. AS AS Number Number Source Source Prefix Mask Prefix Mask Dest. Prefix Mask Dest. Prefix Mask Application Routing and Peering Also Available via RMON Available via NetFlow Only 15 Version 5 Export NetFlow Cache Flow Entries Flow 1 Flow 2 Flow 3 Flow expired Cache full Timer expired Export V5 Record UDP To Collector The Default Inactive Timeout: 15 Sec. The Default Active Timeout: 30 Min. 16 Copyright Printed in USA.

9 Version 5 Configuration router (config-if)#ip route-cache flow router (config)#ip flow-export destination router (config)#ip flow-export version 5 <peer-as origin-as> Optional configuration router (config)#ip flow-export source loopback 0 router (config)#ip flow-cache entries < > router (config)#ip flow-cache timeout 17 Version 5 Show Commands martel#sh ip cache verbose flow IP packet size distribution (94452 total packets): IP Flow Switching Cache, bytes 1 active, inactive, added ager polls, 0 flow alloc failures last clearing of statistics never Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec) Flows /Sec /Flow /Pkt /Sec /Flow /Flow TCP-BGP UDP-TFTP UDP-other ICMP Total: SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts Port Msk AS Port Msk AS NextHop B/Pk Active Se0/ Se0/ A1 / C628 / Copyright Printed in USA.

10 BGP Autonomous System NetFlow Enabled AS 101 AS 102 AS 103 AS 104 Configuring Peer-AS Source AS = AS 103 Destination AS = AS 105 AS 105 Router(config)#ip flow-export version 5 peer-as AS 106 Note: The AS Fields Will Remain Empty unless You Configure It Explicitly with peer-as or origin-as 19 BGP Autonomous System NetFlow Enabled AS 101 AS 102 AS 103 AS 104 Configuring Origin-AS Source AS = AS 101 Destination AS = AS 106 AS 105 Router(config)#ip flow-export version 5 origin-as AS 106 Note: The AS Fields Will Remain Empty unless You Configure It Explicitly with peer-as or origin-as 20 Copyright Printed in USA.

11 NetFlow on the Router Version 8 21 Introduction Router-based aggregation, i.e. version 8 Enables router to summarize NetFlow data Reduces NetFlow export data volume Decreases NetFlow export bandwidth requirements Making collection easier 22 Copyright Printed in USA.

12 Introduction Supported from 12.0(3)T, 12.0(3)S and 12.1 On-board aggregation, the router maintains extra NetFlow cache(s), for aggregation(s) Still needs the main cache (for export with version 5) When flows expire from the main cache, they are added to each enabled aggregation cache Several aggregations can be enabled at the same time 23 Version 8 Export NetFlow Main Cache Flow Entries Flow 1 Flow 2 Flow 3 Flow expired Cache full Timer expired Aggreg. Cache Export V5 Record UDP Export v5 Not Necessary To Collector Flow expired Cache full Timer expired AS-Matrix Prefix-Matrix... Cache full Timers expired Export V8 Record UDP To Collector 24 Copyright Printed in USA.

13 Version 8 Flow Format AS Protocol-Port Source -Prefix Destination-Prefix Prefix Source Prefix Source Prefix Mask Destination Prefix Destination Prefix Mask Source App Port Destination App Port Input Interface Output Interface IP Protocol Source AS Destination AS First Timestamp Last Timestamp Number of Flows Number of Packets Number of Bytes 25 Version 8 Flow Format Source-Prefix- TOS Protocol-Port- TOS Source Prefix Source Prefix Mask Destination Prefix Destination Prefix Mask Source App Port Destination App Port Input Interface Output Interface IP Protocol Source AS Destination AS TOS (Actually DSCP) First Timestamp Last Timestamp Number of Flows Number of Packets Number of Bytes Destination-Prefix- TOS Prefix- TOS AS- TOS 26 Copyright Printed in USA.

14 Version 8 Configuration router (config)# ip flow-aggregation cache as router (config-flow-cache)# export destination router (config-flow-cache)# enabled router#sh ip cache flow aggregation as IP Flow Switching Cache, bytes 2 active, 4094 inactive, 13 added 216 ager polls, 0 flow alloc failures SrcIf SrcAS DstIf DstAS Flows Pkts B/Pk Active Se0/0 0 Se0/ Se0/0 0 Null NetFlow on the Switches Version 7 Version 8 1. MLS Specific 2. CEF Specific 3. Generic Info 28 Copyright Printed in USA.

15 NetFlow Version 7 NetFlow version 7 is only export from the switches Support for Catalyst switches with a Layer 3 board: Catalyst 5000 with a RSM (Route Switch Module) Catalyst 6500/7600 with a MSFC (Multilayer Switching Feature Card) A Catalyst 6500/7600 uses: Multilayer Switching (MLS) with a SUP1 Cisco Express Forwarding (CEF) with SUP2 29 NetFlow on the Switches Version 7 Version 8 1. MLS Specific (SUP1) 30 Copyright Printed in USA.

16 MLS Example Candidate Packet Vlan1 Supervisor 1 Enable Packet MSFC Vlan14 Layer 3 Switched, after the Shortcut Creation 31 MLS Example Accounting Point of View Vlan1 Supervisor 1 MSFC Ping #1 Ping #2 Ping #3 Ping #4 Ping #5 Vlan14 32 Copyright Printed in USA.

17 Version 7 Flow Format Usage Packet Count Byte Count Source IP Address Destination IP Address From/To Time of Day Start SysUpTime End SysUpTime Source TCP/UDP Port Destination TCP/UDP Port Port Utilization QoS Input IfIndex Output IfIndex Type of Service TCP Flags Protocol Added from Version 5 Next Hop Address Source AS AS Number Dest. AS AS Number Number Source Source Prefix Mask Prefix Mask Dest. Prefix Mask Dest. Prefix Mask RouterSc (Router Shortcut) Application Routing and Peering Note that Some of Fields Are Not Populated; See Slide 53/54 33 Bad Design MLS (Not) Enabled and Export v5 from the MSFC NFC Vlan1 Supervisor 1 Export Only Export the First Packet of the Flow Unless You Don t Use MLS MSFC Vlan14 34 Copyright Printed in USA.

18 Approximate Design MLS Enabled and Export v7 from the SUP1 NFC Vlan1 Export Supervisor 1 Miss the Accounting of the First Packet of the Flow MSFC Vlan14 35 Better Design MLS Enabled and Export v7 from the SUP1 Export v5 from the MSFC NFC Vlan1 Export Export Supervisor 1 MSFC Vlan14 36 Copyright Printed in USA.

19 Best Design MLS Enabled and Export v7 from the SUP1 Export v5 from the MSFC And Export in the sc0 vlan (sc0 in vlan1) NFC Vlan1 Export Export Supervisor 1 Otherwise, You Will Also Count the Export Traffic MSFC Vlan14 37 Better/Best Design Problem Export from 2 Different Devices No supervisor/msfc flow records correlation # In case of V7, set USE_SHORT_CUT_ADDRESS_AS_SOURCE_IP # to "yes" so that FlowCollector will use the address # of the router being short-cut as the source of the # corresponding flow. Default is set to No USE_SHORT_CUT_ADDRESS_AS_SOURCE_IP No Change the nf.resources configuration file 38 Copyright Printed in USA.

20 NetFlow on the Switches Version 7 Version 8 2. CEF Specific (SUP2, MSFC2) 40 DCEF Example No Entry in the SUP2 FIB FIB Synchronisation Vlan1 Supervisor 2 Entry Created in the MSFC FIB MSFC2 Vlan14 All Entries Go through the SUP2 FIB 43 Copyright Printed in USA.

21 MLS Best Design Does It Still Make Sense for CEF? MLS Enabled and Export v7 from the SUP2 Export v5 from the MSFC2 And Export in the sc0 vlan NFC Vlan1 Export Export Supervisor 2 MSFC2 Vlan14 45 MLS Best Design Does it Still Make Sense for CEF? (Yes) the MSFC2 will count the first packet of a destination, the one which will complete the glean adjacency; needed for precise accounting (No) the MSFC2 will ONLY count the first packet of a destination, the one which will complete the glean adjacency With MLS, the MSFC will count the first packet of every single flow (No) the FIB entries remain the time of the ARP entries; not updated so often as the MLS entries! With MLS, the SUP shortcut disappears when the flow expires 46 Copyright Printed in USA.

22 MLS Best Design Does it Still Make Sense for CEF? (No) most NetFlow entries on the MSFC will have DstIf = Null (even if the packet is switched by the MSFC) Dstif = Local (destination = MSFC) With MLS, the DstIf correctly populated (Yes) some features will always go through the MSFC: NAT, IP access-list with log, etc Conclusion: The MSFC is needed for accounting accuracybut less important as for MLS, as it will report less flow records 47 Catalyst 6500 NetFlow Version 5 Support New Native mode: SUP2/PFC2 supports NetFlow version 5 from 12.1(13)E uct/lan/cat6000/12_1e/swconfig/nde.htm Hybrid mode: SUP2/PFC2 supports NetFlow version 5 from 7.5(1) As a consequence we don t have the better/best design issue that we had with MLS: i.e. the correlation from two different sources IP addresses 48 Copyright Printed in USA.

23 Version 7 Flow Format with CEF Don t Need the RouterSc Field = Version 5 Usage Packet Count Byte Count Source IP Address Destination IP Address From/To Time of Day Start SysUpTime End SysUpTime Source TCP/UDP Port Destination TCP/UDP Port Port Utilization QoS Input IfIndex Output IfIndex Type of Service TCP Flags Protocol Next Hop Address Source AS Number Dest. AS Number Source Prefix Mask Dest. Prefix Mask RouterSc (Router Shortcut) Application Routing and Peering Added Note that from Some Version of Fields 5 Are Not Populated 49 Catalyst 6500, Native Mode mls flow ip full -> flow mask mls nde src_address version 7 -> version 7 export source OR mls nde sender -> NDE enable + NDE from the PFC uses the source configured from the MSFC!!!!! interface vlan 1 ip address ip route-cache flow interface FastEthernet 3/2 ip address ip route-cache flow ip flow-export source vlan1 -> version 5 export source ip flow-export version 5 ip flow-export destination > both for version 5 and 7 export 50 Copyright Printed in USA.

24 NetFlow on the Switches Version 7 Version 8 3. Generic Info 51 Format Comparison Content Source IP Address Destination IP Address Source TCP/UDP Port DestinationTCP/UDP Port Next Hop Router IP Address Input Physical Interface Index Output Physical Interface Index Packet Count for This Flow Start of Flow Timestamps End of Flow Timestamps V5 V7(*) Zero in Case of Destination-Only Zero in Case of Destination-Only or Source-Destination Zero in Case of Destination-Only or Source-Destination New New New 12.1(13)E 12.1(13)E 12.1(13)E (*) Applies Also to the New Version 5 Specific to the Switches 52 Copyright Printed in USA.

25 Format Comparison Content IP Protocol (TCP=6, UDP=17) Type of Service Byte TCP Flags Source AS Number Destination AS Number Source Subnet Mask Destination Subnet Mask Flags (Indicate Invalid Field within the Flow) Shortcut Router IP Address V5 V7(*) Zero in Case of Destination-Only or Source-Destination PFC1: Set to the First Packet TOS; PFC2: Not Populated Always Zero New New Always Zero Always Zero 12.1(13)E 12.1(13)E (*) Applies Also to the New Version 5 Specific to the Switches 53 Cat6500 Aggregations Version 8 Source IP Address Destination IP Address Source App Port Destination App Port IP Protocol First Timestamp Last Timestamp # of Flows # of Packets # of Bytes RouterDstOnly RouterSrcDst Router Full Flow Since CatOS version 5.5(2); not yet on native For both SUP1 and SUP2 54 Copyright Printed in USA.

26 NetFlow Version 9 New 55 NetFlow Version 9 Why a New Version? Fixed formats (versions 5, 7, and 8) are not flexible and extensible: Cisco needed to build a new version each time a customer wanted to export new fields Both on the devices and the NetFlow Collector When new versions are created, partners need to reengineer to support the new export format Solution: Build a Flexible and Extensible Export Format! 56 Copyright Printed in USA.

27 NetFlow Version 9 Scenario #1 Template Definition Stored Templates Definition Export Decode and Interpretation Flow Records Export Flow Records Stored 57 NetFlow Version 9 Scenario #2 Template Definition Stored Templates Definition Export Decode and Interpretation Flow Records Export Flow Records Stored The NetFlow collector should store the flow record and decode it after the template definition is received 58 Copyright Printed in USA.

28 NetFlow Version 9 Principles Version 9 is an export protocol No changes to the metering process Can be used in conjunction with the main cache, For example, MPLS aware NetFlow Can be used in conjunction with an aggregation cache, For example, BGP Next Hop TOS aggregation Version 9 based on templates and separate flow records Templates composed of type and length Flow records composed of template ID and value Available in 12.0(24)S 59 NetFlow Version 9 Principles Still a push model Sent the template regularly (configurable) Because we still use UDP as transport protocol Independent of the underlying protocol, it is ready for any reliable protocol (i.e. TCP, SCTP) SCTP: Stream Control Transport Protocol Advantage: we can add new technologies/data types very quickly Example: MPLS, multicast, BGP next HOP Just update the information model, composed initially of the NetFlow version 5, 7 and 8 data types 60 Copyright Printed in USA.

29 Extensibility and Flexibility Phases Approach Phase 1: NetFlow version 9, completed Advantages: extensibility Integrate new technologies/data types quicker Integrate new aggregations quicker Note: for now, the template definitions are fixed! Phase 2: flexible flow keys, under investigation Advantages: cache content flexibility Selection of a subset of the 7 flow keys New flow keys will be defined and available Phase 3: user defined templates, radar Advantage: export content flexibility Selection of the data types to export 61 Version 9 Example for Template Definition Template A Flow Set ID (0 for Template) Length of Template Structure 1001 (Template ID) 3 (# of Fields) SRC_AS_NUMBER 2 DST_AS_NUMBER Template B Flow Set ID (0 for Template) Length of Template Structure 1002 (Template ID) 4 (# of Fields) SRC_IP_PREFI 4 SRC_AS_NUMBER 2 2 L4_PROTOCOL 2 PACKET_COUNT 2 BYTE_COUNT 2 62 Copyright Printed in USA.

30 Example for Export Packet As Defined in the Previous Slide Same as Template ID for Template B; Refer to Previous Slide Packet Header Template B (# of Records) Template A Record 1 Record 2 Data for Template B Data for Template A 63 NetFlow Version 9 Configuration Configuring Version 9 Export for the Main Cache router(config)# ip flow-export version? 1 Export Versions Available for 5 NetFlow Flows 9 router(config)# ip flow-export version 9. Configuring Version 9 Export for an Aggregation Scheme router(config)# ip flow-aggregation cache as router(config-flow-cache)# enabled router(config-flow-cache)# export? destination Specify the Destination IP address version configure aggregation cache export version router(config-flow-cache)# export version? 8 Version 8 export format Export Versions Available for 9 Version 9 export format Aggregated NetFlow Flows router(config-flow-cache)# export version 9 64 Copyright Printed in USA.

31 NetFlow Version 9 IETF Considerations 65 IETF: IP Flow Information Export WG (IPFI) IPFI is an effort to: Define the notion of a "standard IP flow" Devise data encoding for IP flows Consider the notion of IP flow information export based upon packet sampling Identify and address any security privacy concerns affecting flow data Specify the transport mapping for carrying IP flow information (IETF approved congestionaware transport protocol) 66 Copyright Printed in USA.

32 IETF: IP Flow Information Export WG (IPFI) IPFI web site for the charter, archive, drafts, etc. Requirements draft: NetFlow version 9 has recently been selected as a basis for the IPFI protocol Out of 5 existing protocols: CRANE from acct, LFAP from Riverstone, Diameter (RADIUS extension), IPDR Based on the requirements draft New 67 NetFlow Version 9 as the Basis for the IPFI Protocol We believe that the IPFI protocol, based on NetFlow v9, can be implemented in the most network elements because it makes the least demands of the exporter. The IPFI Evaluation Team Requested minor improvements to the NetFlow version 9 The initial IPFI protocol will run on the top of TCP, as an interim solution, while waiting for standardization of Stream Control Transport Protocol Partial Reliability (SCTP-PR) or Datagram Congestion Control Protocol (DCCP) 68 Copyright Printed in USA.

33 IETF: Packet SAMPling WG (PSAMP) PSAMP is an effort to: Specify a set of selection operations by which packets are sampled Specify the information that is to be made available for reporting on sampled packets Describe protocols by which information on sampled packets is reported to applications Describe protocols by which packet selection and reporting configured 69 IETF: Packet Sampling WG (PSAMP) PSAMP web site for the charter, archive, drafts, etc. Agreed to use IPFI for export protocol if suitable for PSAMP New To be improved: the variable length data type Note: NetFlow is already using some sampling mechanisms 70 Copyright Printed in USA.

34 Advanced Concepts 71 Main Cache(s) with VIP and Line Card FIB NetFlow FIB NetFlow RP VIP FIB NetFlow VIP2 73 Copyright Printed in USA.

35 Aggregation Cache(s) with VIP and Line Card FIB Main Agg. FIB Main Agg. RP.. VIP.. FIB Main Agg. VIP VIP/LC Caches Nothing to configure on the VIP/LC (use DCEF) VIP: if-con <slot-number> sh ip cache flow LC: attach <slot-number> sh ip cache flow Execute-on <slot-number> show Own independent sequence numbering per VIP/LC 75 Copyright Printed in USA.

36 NetFlow on the Router Engine 0 software support, both full and sampled NetFlow Engine 1 software support, both full and sampled NetFlow Engine 2 supported in ASICs, sampled NetFlow only Engine 3 version 5 support in software, version 8 support in ASICs, sampled NetFlow only Engine 4 not supported Engine 4+ supported in ASICs, sampled NetFlow v5/v8 only 76 Timing Issues When Is a Flow Expired? Transport is completed (TCP FIN or RST) After 15 sec of traffic inactivity (the only way for UDP); the inactive timer After 30 min of traffic activity; the active timer Note that 15sec/30min are the router default timers The cache is becoming full Note: Flow expiration from an aggregation cache will go through 2 sets of timer Firstly the main cache timer Secondly the aggregation cache timer 77 Copyright Printed in USA.

37 Timing Issues Various Time in NetFlow Flow End sysuptime Flow Start sysuptime Router sysuptime in Header UTC Time in Header 1970 Router Boots Flow Ends Flow Starts Flow Exported Time Deduced 78 Timing Issues Various Time in NetFlow The UTC depends on the clock Synchronization of the VIP clock, the line card clock (in sync. since 12.0) and the RSM/MSFC clock Attention to the time zone on the collector Conclusion: the device clocks must be synchronized NTP is a solution, NTP MIB in 12.1(4) Which synchronization time? Only important if you want to correlate flow records from different devices Note that NetFlow time granularity is msec 79 Copyright Printed in USA.

38 NetFlow Bypasses the Access-List NetFlow Acceleration Y First Packet in Flow? N ACL Acceleration Y Create an NetFlow Entry Forward the Packet with CEF Pass the ACL? N Create an NetFlow Entry with Output I/f Null Discard the Packet Lookup Entry in NetFlow Cache Y Update the NetFlow Entry Stats Go Through the ACL Maybe Deny Packet Output i/f Is Null? N Update the NetFlow Entry Stats Forward the Packet with CEF 80 NetFlow Performance Enabling NetFlow version 5 and exporting increases the CPU utilization by around 15% (with a max of 20% depending on the platform) Enabling NetFlow version 8 increases the CPU utilization by 2 to 5%, depending on the number of aggregations enabled with a multiple of 6% for multiple aggregations NetFlow is done in hardware on the Cat6500 supervisor; only the export takes CPU cycles NetFlow version 9: similar results as version 5 81 Copyright Printed in USA.

39 NetFlow Performance Results at a Glance CPU impact: 10,000 active flows: < 4% of additional CPU utilization 45,000 active flows: <12% of additional CPU utilization 65,000 active flows: <16% of additional CPU utilization NetFlow data export (single/dual): no real impact NetFlow feature acceleration: >200 lines of ACLs NetFlow sampled NetFlow on the Cisco 12000: 23% vs. 3% (65,000 flows, 1:100) 82 How to Reduce the CPU Utilization? Router Go for sampled NetFlow (packet sampling) Use the distributed feature card enable line card modules (VIP, LC) Use engine 3 and 4+ (hardware) Catalyst 6500 Go for sampled NetFlow (flow sampling) Use the distributed feature card to enable line card modules Reduce the flow mask 83 Copyright Printed in USA.

40 Troubleshooting Missing Flows? 2. NetFlow Collector Problem show tech-support Netstat -s 3. Transfer Problem (Only Remaining Explanation) Export 1. Router Problem Cache (show ip cache flow) Export (show ip flow export) 84 New Features 88 Copyright Printed in USA.

41 Dual Flow Export New Inserted into 12.2(2)T, 12.0(19)S and 12.0(19)ST, 2 redundant export destinations are allowed for version 5 router(config)#ip flow-export destination router(config)#ip flow-export destination If you try to configure more, you will get: Exceeded maximum export destinations Only for the routers (including GSR), not the Catalysts 89 NetFlow on Subinterface New Introduced in 12.2(14)S, 12.2(15)T For the 7200, 7400 and ware/ios122/122newft/122t/122t15/ft_nfsub.htm Router(config-if)#ip flow ingress Note: NetFlow reports the dot1q subinterface ifindex Introduced in 12.2(7), 12.2(7)S, 12.2(7)T 90 Copyright Printed in USA.

42 Egress Sampled NetFlow New Egress sampled NetFlow on engine 3, available in 12.0(24)S For both IP->IP and MPLS->IP traffic router (config-if)# ip route-cache flow sampled [input output] Egress sampled NetFlow on engine 3, available in 12.0(24) 91 NetFlow BGP Next Hop TOS Aggregation New New NetFlow aggregation on the router Configure on ingress interface Available in 12.0(26)S for the 7500 Key fields (uniquely identifies the flow) Origin AS Destination AS Inbound interface DSCP Next BGP hop Output interface Additional export fields Flows Packets Bytes First sysuptime Last sysuptime 92 Copyright Printed in USA.

43 NetFlow BGP Next Hop TOS Aggregation The Core Traffic Matrix AS1 AS2 AS3 AS4 AS5 Customers CPE PoP PE PE PoP PE PE CPE Customers Server Farm 1 Server Farm 2 PoP to PoP, the PoP being the CPE or CE 93 NetFlow in a MPLS Environment Traditional NetFlow (IP -> MPLS) New MPLS Aware NetFlow (MPLS -> MPLS) (IP -> IP) New MPLS Egress NetFlow (MPLS -> IP) MPLS IP IP PE P PE Traffic Flow 94 Copyright Printed in USA.

44 MPLS Egress NetFlow Description New Introduced in 12.0(10)ST, 12.1(5)T, 12.0(22)S For MPLS/VPN traffic only, i.e. the traffic coming from the core Caches traffic on the egress interface, not the ingress interface Valid for version 5 and version 8 router(config-if)#tag-switching ip flow egress Can be enabled on sub-interfaces All other NetFlow commands still apply 95 MPLS Aware NetFlow Description New Provides flow statistics per MPLS and IP packets MPLS packets: Labels information And the v5 fields of the underlying IP packet IP packets: Regular IP NetFlow records Configure on ingress interface Supported on 12.0(24)S on the 12000, then will be in 12.0(26)S on the 7200/ Copyright Printed in USA.

45 MPLS Aware NetFlow Flow Keys Key fields (uniquely identifies the flow) Source IP address Destination IP address IP protocol Input ifindex Source application port Destination application port DSCP Up to 3 incoming MPLS labels of interest with experimental bits and end-of-stack bit Positions of the above labels in the packet label stack Additional export fields Flows Packets Bytes First sysuptime Last sysuptime Output interface NetFlow version 5 fields of the underlying IP packet (TCP flags, etc ) Type of the top label: LDP, BGP, VPN, ATOM, TE Tunnel MID-PT, unknown The forwarding equivalent class mapping to the top label 97 MPLS Aware NetFlow The Core Traffic Matrix AS1 AS2 AS3 AS4 AS5 Customers CPE PE PE PE PoP P P WR MPLS PoP P P PE PE PE Customers CPE Server Farm 1 Server Farm 2 PoP to PoP, the PoP being the CPE or CE 98 Copyright Printed in USA.

46 MPLS Aware NetFlow Top Label Aggregation (12.0(25)S) New Key Fields (uniquely identifies the flow) Input ifindex The top incoming MPLS labels with experimental bits and end-of-stack bit Additional export fields Flows Packets Bytes First sysuptime Last sysuptime Output interface NetFlow version 5 fields of the underlying IP packet (TCP flags, etc ) Type of the top label: LDP, BGP, VPN, ATOM, TE tunnel MID-PT, unknown The forwarding equivalent class mapping to the top label 99 Multicast Traditional NetFlow (S, G) ( , ) Interface Ethernet 0 ip route-cache flow ip flow-export version 9 ip flow-export destination x.x.x.x <port> Eth 1 Eth 0 Eth 2 Eth 3 Srclf SrclPadd Dstlf Eth Null DstlPadd Protocol TOS FlgsSrcPort SrcMsk DstPortDstMskNextHopBytes PacketsActive Idle There is only one flow per NetFlow configured input interface The 7 key fields that define a unique flow are marked in red Destination interface is marked as null Bytes and packets are the incoming values 10 00A2 /24 00A2 / Copyright Printed in USA.

47 Multicast NetFlow Ingress (Early Field Test) New (S, G) ( , ) Interface Ethernet 0 ip multicast netflow ingress ip flow-export version Eth 1 Eth 0 Eth 3 ip flow-export destination x.x.x.x <port> Eth 2 Srclf SrclPadd Dstlf Eth Null DstlPadd Protocol TOS FlgsSrcPort SrcMsk DstPortDstMskNextHopBytes PacketsActive Idle There is only one flow per NetFlow configured input interface The 7 key fields that define a unique flow are marked in red Destination interface is marked as null Bytes and packets are the outgoing values 10 00A2 /24 00A2 / Multicast NetFlow Egress (Early Field Test) Interface Ethernet 0 (S, G) ( , ) Interface Ethernet 1 ip multicast netflow egress Interface Ethernet 2 ip multicast netflow egress Interface Ethernet 3 ip multicast netflow egress Eth 1 Eth 0 Eth 3 ip flow-export version 9 ip flow-export destination x.x.x.x <port> Eth 2 Srclf SrclPadd Dstlf DstlPadd Eth Null Protocol TOS FlgsSrcPort SrcMsk DstPortDstMskNextHopBytes PacketsActive Idle A2 /24 00A2 / Eth Null A2 /24 00A2 / Eth Null A2 /24 00A2 / There is one flow per multicast NetFlow egress configured output interface One of the 7 key fields that define a unique flow has changed from source interface to destination interface Bytes and packets are the outgoing values Copyright Printed in USA.

48 NetFlow Input Filters: Overview New Support pre-filtering for traffic for NetFlow processing Modular QoS Command Line (MQC) will provide the filtering mechanism for NetFlow Classification by IP source and destination addresses, layer 4 protocol and port numbers, incoming interface, MAC address, DSCP Layer 2 information such as Frame Relay DE bits, Ethernet 802.1p bits Network Based Application Recognition (NBAR) Ability to sample filtered data at different rates, depending on how interesting the traffic is Currently early field test 103 NetFlow Input Filters: Example Packets VOIP Tight Filter for Traffic of High Importance 1:1 Sampling VPN Moderately-Tight for Traffic of Medium Importance 1:100 Sampling NetFlow Cache Best Effort Default Wide Open Filter for Traffic of Low Importance 1:1000 Sampling 104 Copyright Printed in USA.

49 NetFlow and IPv6 New Currently in EFT for 3600, 7200, 7500 Based on NetFlow version 9 For both ingress and egress traffic Non sampled No data export over IPv6 (still IPv4) 105 Catalyst 6500 New Fields Population New The following CLI commands will be available in the release 7.3(1) Destination and source IfIndex support is enabled by default set mls nde {destination-index source-index} {enable disable} 106 Copyright Printed in USA.

50 Catalyst 6500 New Fields Population and Version 5 New SUP2/PFC2 (EARL6) supports from 12.1(13)E: Source and destination BGP AS Input and output if indexes Next hop Note: 12.1(13)E1 if any WAN cards Native mode: SUP2/PFC2 supports NetFlow version 5 from 12.1(13)E Hybrid mode: SUP2/PFC2 supports NetFlow version 5 from 7.5(1) 107 Catalyst 6500 Switched Traffic New The L2 switched traffic (from vlan x to vlan x) is now counted with NetFlow Hybrid mode: introduced in CatOS version 7.(2) Native mode: not yet available Doesn t require a MSFC set mls bridged-flow-statistics enable/disable <vlan> 108 Copyright Printed in USA.

51 Catalyst 6500 NetFlow Sampling New 12.1(13)E support both time and packet-based sampling Sampling rate is configurable only for the whole box Accuracy of NetFlow on the platform comes to tuning the aging timers correctly Note: A way of minimizing packet loss, is suggesting use of DFC cards, spreading the incoming packet load evenly onto different vlans (on diff cards) DFC: Distributed Forwarding Card 109 Cisco Catalyst 4000 NetFlow Services Card New Version 5 in 12.1(13)EW Supervisor IV is required Feature card is also required 110 Copyright Printed in USA.

52 Roadmap and Future Directions 111 Roadmap for NetFlow Software Platforms Scalability and Flexibility Technology Coverage Optimizing Data for Flow Processing Standardization Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Targeting 12.0(24)S NetFlow v9 Targeting 12.3M NetFlow v9 BGP Next hop NetFlow Multicast Statistical Sampling Targeting 12.3(1)T Statistical Sampling Targeting 12.2S NetFlow v9 BGP Nexthop NetFlow Multicast Statistical Sampling NetFlow IPv6 Targeting 12.0(26)S Statistical Sampling BGP Nexthop NetFlow MPLS Aware Targeting 12.3(2 nd )T NetFlow MPLS BGP Nexthop NetFlow Multicast Targeting 12.0(27)S NetFlow Input Filter NetFlow MPLS Top Label Targeting 12.2S NetFlow Input Filter Radar NetFlow MIB Congestion Aware Export (SCTP) Egress Flexible Input and Export NetFlow IPSec NB. Confirm Target Releases with Cisco IOS NetFlow PM Tom Zingale 112 Copyright Printed in USA.

53 Roadmap for NetFlow Software Scalability and Flexibility Technology Coverage Optimizing Data for Flow Processing Standardization Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Targeting 12.0(24)S NetFlow v9 MPLS Aware Output E3 AS Origin and Peer MPLS Egress E3 Targeting 12.0(26)S V8 TOS Agg BGP Nexthop Targeting 12.0(28)S Statistical Sampling Input Filters Packet Header Targeting 12.0(27)S Sampled on ATM Line Card NetFlow MPLS Top Label IPV6 Radar Congestion Aware Export Flexible Keys User Defined Export Multicast NB. Confirm Target Releases with Cisco IOS NetFlow PM Tom Zingale 114 Roadmap for NetFlow Catalyst 6500/7600 Scalability and Flexibility Technology Coverage Optimizing Data for Flow Processing Standardization Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Targeting 12.1(13)E Version 5 Sampling Source Dest I/F Fields Source Dest AS Fields V8 TOS Agg. PFC2 Cat 6.6(6) and 7.3(1) Source Dest I/F Fields Targeting 12.2(14)S Sup 720 V8 Agg Targeting 12.2S(RIs3) Sup 720 Version 9 Sup 720 IPV6 Targeting Native V8 Aggregation Radar Sup 3b NetFlow Multicast NB. Confirm Target Releases with Cisco IOS NetFlow PM Tom Zingale 115 Copyright Printed in USA.

54 Roadmap for NetFlow Catalyst 4000 Scalability and Flexibility Technology Coverage Optimizing Data for Flow Processing Standardization Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug (13)EW Version 5 Sup 4 Targeting Source Dest I/F Fields Source Dest AS Fields Version 8 BGP Next Hop NB. Confirm Target Releases with Cisco IOS NetFlow PM Tom Zingale 116 Conclusion/Summary NetFlow became the de facto IP accounting method The new NetFlow version 9 is extensible and flexible NetFlow version 9 has been adopted by the IETF A lot of new features recently added A lot of new features to come 117 Copyright Printed in USA.

55 Questions? 118 Other Network Management Sessions Network Management NSC-1001 NSC-2001 Fault NSC-1011 Configuration NSC-2021 NSC-4021 Accounting NSC-1031 NSC-4031 Performance NSC-1041 NSC-2041 NSC-4041 Security NSC-2051 Services NSC-1101 NSC-2102 High Availability NSC-1201 NSC-2201 Introduction to Network Management Network Troubleshooting Tools and Techniques Principles of Fault Management Configuration of Large-Scale Networks with CiscoWorks Advanced Configuration Methods Introduction to Collecting Traffic Accounting Information Advanced NetFlow Accounting Introduction to Performance Management Performance Measurement with Cisco IOS Software Advanced Performance Management with Cisco Service Assurance Agent Securely Managing Your Network Understanding DNS and DHCP Deploying and Troubleshooting NAT Improving Network Availability Deploying Highly Available Enterprise Networks 119 Copyright Printed in USA.

56 Advanced NetFlow Accounting Session 120 Please Complete Your Evaluation Form Session 121 Copyright Printed in USA.

57 122 Copyright Printed in USA.