Agenda
NetFlow overview including partners and applications
NetFlow case studies
Configuration
Cache
Export timers
Export versions
Security
Multicast
Agenda (Cont.)
NetFlow MIB
Sampled NetFlow
NetFlow Cisco 6500/7600 and Catalyst 4500
Performance
New features
Introduction to Flexible NetFlow
Detect and classify security incidents with proven threat defence
Improve network usage and application performance
Enterprise
Internet Access Monitoring
User Monitoring/Profiling
Application Monitoring
Billing for Departments
Security Monitoring and Incident (DDoS) Detection
Data at ANY granularity to understand network use: who, what, where, when and how
Traffic
Inspect Packet
Source IP address
Destination IP address
Source port
Destination port
Layer 3 protocol
TOS byte (DSCP)
Input Interface
NetFlow Cache
Flow Information: Address, ports…
Packets: 11000
Bytes/packet: 1528
Reporting
Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Preprocessing
Postprocessing
Aggregation schemes
Non-key fields lookup
Export
2. Expiration
Inactive timer expired (15 sec is default)
Active timer expired (30 min (1800 sec) is default)
NetFlow cache is full (oldest flows are expired)
RST or FIN TCP flag
SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol  TOS  Flgs  Pkts   Src Port  Src Msk  Src AS  Dst Port  Dst Msk  Dst AS  NextHop    Bytes/Pkt  Active  Idle
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11        80   10    11000  00A2      /24      5       00A2      /24      15      10.0.23.2  1528       1800    4
No / Yes
i.e. Protocol-port aggregation scheme becomes
Protocol  Pkts   SrcPort  DstPort  Bytes/Pkt
11        11000  00A2     00A2     1528
5. Transport protocol
30 Flows per 1500 byte export packet
Export packet: Header, Payload (flows)
[Figure: sampled NetFlow packet path. Labels: Packet buffer; Sampling, 1 out of N (Yes / No); NetFlow cache; Src AS; Route lookup; FIB]
Cisco 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers
Core
Release
12.0S/IOS-XR
CRS-1 ASIC
Access
Cisco IOS Software Releases T train
Cisco 7200/7300 Series
Cisco 2600 Series, Cisco 1700 Series, Cisco 800, 2800, 1800 Series
NetFlow Collector
Billing
CS-Mars
Reporting Tools
Traffic Analysis
Collector Device
Security Monitoring
Reporting for Flow-Tools
Traffic Analysis
NetQoS products
NetFlow Uses
Network Layer
Access
Distribution
Core
Distribution
Access
Applications
Attack mitigation
User (IP) monitoring
Application monitoring
Aggregation schemes (v8)
"show ip cache flow" command
Arbor Networks
NetFlow MPLS egress accounting
BGP nexthop (v9)
Multicast NetFlow (v9)
NetFlow Features
Cisco needed a more granular understanding of how Cisco bandwidth was being used
Port flow was monitored, but many newer applications dynamically select new ports for each use
Description
Detect SQL Slammer on day single
Problem Situation
Detrimental incapacity of servers
NetFlow Resolution
NetFlow day-zero anomaly detection
Traffic analysis
Bandwidth hog
Traffic analysis
Full circuit
Quickly tracked problem and saved 300 hours = $34K in labor costs
- More servers and bandwidth added
Capacity planning
Slow network performance - Users still complained - Rented RMON probes - didn't work
Capacity planning
Poor network performance - low bandwidth
NetFlow Configuration
Default is the interface that will best route to collector; it is recommended to configure and set a loopback interface
ip flow-export source <interface>
Sets the minutes an active flow will remain in the cache before expiration; 30 minutes is default
ip flow-cache timeout active <minutes>
NetFlow Commands
Shows NetFlow statistics
show ip cache [verbose] flow
IP Flow Switching Cache, 278544 bytes
  1323 active, 2773 inactive, 23533 added
  151644 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics never
Protocol     Total   Flows  Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
--------     Flows   /Sec   /Flow    /Pkt   /Sec     /Flow        /Flow
TCP-other    22210   3.1    1        1440   3.1      0.0          12.9
Total        22210   3.1    1        1440   3.1      0.0          12.9
SrcIf         SrcIPaddress     DstIf         …   Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS   …   B/Pk  Active
Et0/0         216.120.112.114  Se0/0         …   06 00  10    1
5FA7 /0  0                     0007 /0  0    …   1440  0.0
Et0/0         175.182.253.65   Se0/0         …   06 00  10    1
Callouts on the slide: ToS byte; Destination and TCP flags information; Source mask and ISP AS
[Figure: Catalyst 6500 forwarding path. Labels: RP, SP, Input interface, Output interface]
Use "mls nde sender" cmd to set NDE version on SUP
Use "ip flow-export version" to set NDE version on RP
C6500(config)#mls nde sender version <5 | 7>
C6500(config)#mls nde interface
C6500(config)#mls aging normal 32
C6500(config)#ip flow-export destination 10.66.231.10 <udp-port>
! Destination for PFC/SFC exports
C6500(config)#interface g1/1
C6500(config-if)#ip route-cache flow
Cisco IOS MSFC:
interface POS8/0/0
 description to wellington via 1/0
 mtu 2048
 ip address 42.50.31.1 255.255.255.252
 ip pim sparse-dense-mode
 encapsulation ppp
 ip route-cache flow
...
ip flow-export version 5 peer-as
ip flow-export destination 10.1.1.209 9999
NetFlow Versions
NetFlow Version  Comments
1                Original
5                Standard and most common
7                Specific to Cisco Catalyst 6500 and 7600 Series Switches. Similar to Version 5, but does not include AS, interface, TCP Flag and TOS information
8                Choice of eleven aggregation schemes. Reduces resource usage
9                Flexible, extensible file export format to enable easier support of additional fields and technologies; coming out now MPLS, Multicast, and BGP next hop
Packet count
Byte count
Start sysUpTime
End sysUpTime
Input ifIndex
Output ifIndex
Type of Service
TCP flags
Protocol
Source IP address
Destination IP address
Source TCP/UDP port
Destination TCP/UDP port
Next hop address
Source AS number
Dest. AS number
Source Prefix mask
Dest. Prefix mask
From/to
Application
QoS
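On the wire, the Version 5 fields listed above form a fixed 48-byte record behind a 24-byte header. The parser below is an added example, not part of the original slides: the sample datagram is constructed, and the parser also applies the header's two clocks (sysUpTime and UTC) and the ICMP type/code port convention that the deck covers later.

```python
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

# NetFlow v5 wire layout (network byte order): 24-byte header + 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")
MAX_RECORDS = 30  # 24 + 30 * 48 = 1464 bytes, inside a 1500-byte export packet


def parse_v5(datagram):
    """Parse one NetFlow v5 export datagram; returns (header, flows)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a v5 header")
    (version, count, uptime_ms, unix_secs, unix_nsecs,
     sequence, _etype, _eid, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("version field is %d, not 5" % version)
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError("implausible record count %d" % count)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match the record count")

    # The header carries both clocks: sysUpTime (ms since boot) and UTC at
    # export. Boot time = export UTC - sysUpTime; each flow's Start/End
    # sysUpTime is an offset from boot. (Uptime counter wrap is not handled.)
    export_utc = (datetime.fromtimestamp(unix_secs, timezone.utc)
                  + timedelta(microseconds=unix_nsecs // 1000))
    boot_utc = export_utc - timedelta(milliseconds=uptime_ms)
    header = {"count": count, "sequence": sequence, "export_utc": export_utc,
              "sampling_interval": sampling & 0x3FFF}

    flows = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first_ms, last_ms,
         sport, dport, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask) = V5_RECORD.unpack_from(
             datagram, V5_HEADER.size + i * V5_RECORD.size)
        flow = {
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "nexthop": str(ipaddress.IPv4Address(nexthop)),
            "input_if": in_if, "output_if": out_if,
            "packets": pkts, "bytes": octets,
            "start": boot_utc + timedelta(milliseconds=first_ms),
            "end": boot_utc + timedelta(milliseconds=last_ms),
            "src_port": sport, "dst_port": dport,
            "tcp_flags": tcp_flags, "protocol": proto, "tos": tos,
            "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask,
        }
        if proto == 1:
            # ICMP has no ports: the exporter reports type * 256 + code here.
            flow["icmp_type"], flow["icmp_code"] = divmod(dport, 256)
        flows.append(flow)
    return header, flows


def build_sample():
    """Constructed two-flow datagram (values are illustrative, not captured)."""
    def rec(src, dst, hop, pkts, octets, first, last, sport, dport,
            flags, proto, tos, src_as, dst_as):
        return V5_RECORD.pack(
            ipaddress.IPv4Address(src).packed,
            ipaddress.IPv4Address(dst).packed,
            ipaddress.IPv4Address(hop).packed, 1, 2, pkts, octets, first, last,
            sport, dport, flags, proto, tos, src_as, dst_as, 24, 24)
    records = [
        # UDP flow, active for 1800 s, last packet 4 s before export.
        rec("173.100.21.2", "10.0.227.12", "10.0.23.2", 11000, 11000 * 1528,
            1796000, 3596000, 0x00A2, 0x00A2, 0x10, 0x11, 0x80, 5, 15),
        # ICMP echo request: destination port 2048 = type 8, code 0.
        rec("192.0.2.7", "198.51.100.9", "10.0.23.2", 3, 252,
            3590000, 3592000, 0, 2048, 0, 1, 0, 0, 0),
    ]
    header = V5_HEADER.pack(5, len(records), 3600000, 1150000000, 0, 42, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    hdr, parsed = parse_v5(build_sample())
    for f in parsed:
        print(f["start"].isoformat(), f["src"], "->", f["dst"],
              f["packets"], "pkts", f["bytes"] // f["packets"], "B/pkt")
```

A collector should treat gaps in the header's flow sequence number as lost export datagrams, since the export runs over UDP.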
Version 7
Version 5 should be used if supported on supervisor and IOS release.
Catalyst 6500 Series Switches with Sup1 uses Version 7 in hybrid mode
Uses Multi-Layer Switching (MLS) or CEF with Cisco Catalyst 6500 Series Switches with SUP2
Packet count
Byte count
Start sysUpTime
End sysUpTime
Input ifIndex
Output ifIndex
Type of Service
TCP flags
Protocol
Source IP address
Destination IP address
Source TCP/UDP port
Destination TCP/UDP port
Next hop address
Source AS number
Dest. AS number
Source subnet mask
Dest. subnet mask
RouterSc (router shortcut)*
From/to
Application
QoS
Note: The ToS and TCP flags fields are not populated
* Additional field not in Version5
Version 8
Router-based aggregation
Enables router to summarize NetFlow data
Reduces NetFlow Export data volume
Decreases NetFlow Export bandwidth requirements
Currently 11 aggregation schemes
Five original schemes
Six new schemes with the TOS byte field
Note: Version 9 can be used for router-based aggregation and is recommended if collector supports v9
Source Prefix, Source Prefix Mask, Destination Prefix, Destination Prefix Mask, Source App Port, Destination App Port, Input Interface, Output Interface, IP Protocol, Source AS, Destination AS, First Timestamp, Last Timestamp, # of Flows, # of Packets, # of Bytes
Source Prefix, Source Prefix Mask, Destination Prefix, Destination Prefix Mask, Source App Port, Destination App Port, Input Interface, Output Interface, IP Protocol, Source AS, Destination AS, TOS, First Timestamp, Last Timestamp, # of Flows, # of Packets, # of Bytes
Version 8 - Configuration
3600-4(config)# ip flow-aggregation cache ?
  as
  as-tos
  destination-prefix-tos   Destination Prefix TOS aggregation
  Prefix aggregation
  Prefix-port aggregation
  Prefix-TOS aggregation
  Protocol and port aggregation
  Protocol, port and TOS aggregation
  Source Prefix aggregation
  Source Prefix TOS aggregation
Note: Do not export Version 5 at the same time "ip flow-export version 5"
Process
Metering Process
NetFlow Version 9
RFC3954 "Cisco Systems NetFlow Services Export Version 9"
Version 9 is an export protocol
No changes to the metering process
Template FlowSet
HEADER
Template Record, Template ID #1
(Specific Field Types and Lengths)
Template 3
Instead of the collector polling the ifName MIB variable for a specific ifIndex, the matching (ifIndex, ifName) is sent in an option data record
Introduced in 12.4(4)T
(Options) Templates Sent Every 5 Minutes or 20 Packets
Should You Export from the Main Cache with NetFlow Version 5 or Version 9?
NetFlow Template Record Details
Template for the BGP Next HOP ToS Aggregation
Type and field length definition allows the collector to know data that will be sent
New data template from …: id=257, fields=11
field id=21 (LAST_SWITCHED), offset=0, len=4
field id=22 (FIRST_SWITCHED), offset=4, len=4
field id=1 (BYTES_32), offset=8, len=4
field id=2 (PKTS_32), offset=12, len=4
field id=10 (INPUT_SNMP), offset=16, len=2
field id=14 (OUTPUT_SNMP), offset=18, len=2
field id=5 (TOS), offset=20, len=1
field id=3 (FLOWS), offset=21, len=4
field id=17 (DST_AS), offset=25, len=2
field id=18 (BGP_NEXT_HOP), offset=27, len=4
field id=16 (SRC_AS), offset=31, len=2
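A collector turns a template like the one dumped above into a record decoder. The decoder below is an added example, not Cisco's or the deck's code: it follows the RFC 3954 FlowSet layout, takes the field types and lengths from the dump, and decodes constructed packets; the class and function names are hypothetical.

```python
import ipaddress
import struct

# Field types named in the template dump above (type number -> name).
FIELD_NAMES = {1: "BYTES_32", 2: "PKTS_32", 3: "FLOWS", 5: "TOS",
               10: "INPUT_SNMP", 14: "OUTPUT_SNMP", 16: "SRC_AS",
               17: "DST_AS", 18: "BGP_NEXT_HOP", 21: "LAST_SWITCHED",
               22: "FIRST_SWITCHED"}
# (type, length) pairs in the order the dump lists them.
PAGE_TEMPLATE = [(21, 4), (22, 4), (1, 4), (2, 4), (10, 2), (14, 2),
                 (5, 1), (3, 4), (17, 2), (18, 4), (16, 2)]


def field_offsets(fields):
    """Offset of each field inside a data record, derived from the lengths."""
    offsets, pos = [], 0
    for _ftype, length in fields:
        offsets.append(pos)
        pos += length
    return offsets


class V9Decoder:
    """Stores templates per (source ID, template ID); decodes data FlowSets."""

    def __init__(self):
        self.templates = {}
        self.undecoded_flowsets = 0  # data that arrived before its template

    def feed(self, packet):
        if len(packet) < 20:
            raise ValueError("shorter than a v9 header")
        version, _n, _up, _secs, _seq, source_id = struct.unpack_from(
            "!HHIIII", packet)
        if version != 9:
            raise ValueError("version field is %d, not 9" % version)
        records, pos = [], 20
        while pos + 4 <= len(packet):
            flowset_id, length = struct.unpack_from("!HH", packet, pos)
            if length < 4 or pos + length > len(packet):
                raise ValueError("bad FlowSet length")
            body = packet[pos + 4:pos + length]
            if flowset_id == 0:                      # Template FlowSet
                self._learn(source_id, body)
            elif flowset_id >= 256:                  # Data FlowSet
                records += self._decode(source_id, flowset_id, body)
            pos += length                            # other IDs are skipped
        return records

    def _learn(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, nfields = struct.unpack_from("!HH", body, pos)
            if template_id < 256:                    # padding, not a template
                break
            pos += 4
            if pos + 4 * nfields > len(body):
                raise ValueError("truncated template record")
            self.templates[(source_id, template_id)] = [
                struct.unpack_from("!HH", body, pos + 4 * i)
                for i in range(nfields)]
            pos += 4 * nfields

    def _decode(self, source_id, template_id, body):
        fields = self.templates.get((source_id, template_id))
        if fields is None:
            self.undecoded_flowsets += 1
            return []
        size = sum(length for _t, length in fields)
        offsets, out, pos = field_offsets(fields), [], 0
        while size and pos + size <= len(body):      # leftover bytes: padding
            rec = {}
            for (ftype, length), off in zip(fields, offsets):
                raw = body[pos + off:pos + off + length]
                name = FIELD_NAMES.get(ftype, "type_%d" % ftype)
                is_addr = ftype == 18 and length == 4
                rec[name] = (str(ipaddress.IPv4Address(raw)) if is_addr
                             else int.from_bytes(raw, "big"))
            out.append(rec)
            pos += size
        return out


def build_packets(source_id=1, template_id=257):
    """Constructed template packet and data packet (illustrative values)."""
    header = struct.pack("!HHIIII", 9, 1, 3600000, 1150000000, 7, source_id)
    tmpl = struct.pack("!HH", template_id, len(PAGE_TEMPLATE)) + b"".join(
        struct.pack("!HH", t, n) for t, n in PAGE_TEMPLATE)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = struct.pack("!IIIIHHB", 3596000, 1796000, 16808000, 11000, 1, 2, 0x80)
    rec += struct.pack("!IH", 12, 15)
    rec += ipaddress.IPv4Address("10.0.23.2").packed + struct.pack("!H", 5)
    pad = -(4 + len(rec)) % 4                        # FlowSets end on 4 bytes
    data_fs = (struct.pack("!HH", template_id, 4 + len(rec) + pad)
               + rec + bytes(pad))
    return header + template_fs, header + data_fs
```

Data FlowSets that arrive before their template cannot be decoded; the decoder counts them in `undecoded_flowsets` so the gap between an exporter restart and the next template refresh stays visible.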
UDP Export Packet containing 30-50 flows (sysUpTime & UTC)
2nd Flow Expires (sysUpTime)
Export
Time
SysUptime - Current time in milliseconds since router booted
Coordinated Universal Time (UTC) can be synchronized to Network Time Protocol (NTP)
Stop adjusting the aging timers when the CPU level gets above what is comfortable; this is very subjective, for some customers it is 20%, others it is 80%.
NetFlow Security
[Slide: flow cache output in which nine consecutive flows share the same DstIf and DstIPaddress, each row showing Pr 6 and B/Pk 40; the address values are not recoverable]
router# sh ip cache flow | include 194.20.2.2
…
SrcIf  SrcIPaddress  SrcP  SrcAS  DstIf  DstIPaddress  DstAS  Pr  Pkts  B/Pk
29     192.1.6.69    77    aaa    49     194.20.2.2    bbb    6   1     40
29     192.1.6.222   1243  aaa    49     194.20.2.2    bbb    6   1     40
29     192.1.6.108   1076  aaa    49     194.20.2.2    bbb    6   1     40
29     192.1.6.159   903   aaa    49     194.20.2.2    bbb    6   1     40
…
3. To look for known attack signatures, i.e. if we know of an attack using UDP port 666 (Hex 029A) we run
router# show ip cache flow | include 029A
router# show ip cache flow | include <destination>
Se1 <source> Et0 <destination> 11 0013 0007 159
…. (a lot more flows to the same destination)
The flows come from Serial 1
Router# show ip cef s1
Prefix           Next Hop     Interface
0.0.0.0/0        10.10.10.2   Serial1
10.10.10.0/30    attached     Serial1
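The same hunt can be run off-box on captured `show ip cache flow` lines. This added example (not from the original slides) parses the eight-column line format shown above, flags destinations that receive many short flows and names the ingress interface to trace from, and matches the destination port as a field rather than as a substring. The sample lines, the thresholds and the K/M packet-count suffix handling are constructed assumptions.

```python
from collections import Counter, defaultdict


def parse_pkts(text):
    """Packet counts may be abbreviated with K or M (assumed display format)."""
    mult = {"K": 1000, "M": 1000000}.get(text[-1].upper())
    return int(float(text[:-1]) * mult) if mult else int(text)


def parse_flow_line(line):
    """SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts (Pr, ports in hex)."""
    parts = line.split()
    if len(parts) != 8:
        return None
    try:
        return {"src_if": parts[0], "src": parts[1], "dst_if": parts[2],
                "dst": parts[3], "proto": int(parts[4], 16),
                "src_port": int(parts[5], 16), "dst_port": int(parts[6], 16),
                "pkts": parse_pkts(parts[7])}
    except ValueError:
        return None  # column header or other non-flow line


def flood_candidates(flows, min_flows=10, max_pkts=3, min_ratio=0.8):
    """Destinations receiving many short flows, largest first."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f["dst"]].append(f)
    hits = []
    for dst, group in by_dst.items():
        small = sum(1 for f in group if f["pkts"] <= max_pkts)
        if len(group) >= min_flows and small / len(group) >= min_ratio:
            interfaces = Counter(f["src_if"] for f in group)
            hits.append({"dst": dst, "flows": len(group),
                         "sources": len({f["src"] for f in group}),
                         "ingress_if": interfaces.most_common(1)[0][0]})
    return sorted(hits, key=lambda h: h["flows"], reverse=True)


def flows_to_port(flows, proto, port):
    """Field-level match; a substring match on 029A also hits source ports."""
    return [f for f in flows if f["proto"] == proto and f["dst_port"] == port]


# Constructed sample output (documentation address ranges, not captured data).
SAMPLE = ["SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts"]
SAMPLE += ["Se1 198.51.100.%d Et0 203.0.113.10 06 %04X 0050 1" % (i, 0x0400 + i)
           for i in range(1, 13)]
SAMPLE += [
    "Et0 203.0.113.20 Se1 192.0.2.33 06 0050 C1A2 148",
    "Et0 203.0.113.21 Se1 192.0.2.34 11 0035 D010 2",
    "Se1 192.0.2.50 Et0 203.0.113.22 11 0401 029A 1",   # UDP to port 666
    "Se1 192.0.2.51 Et0 203.0.113.23 11 029A 0035 4",   # 029A as source port
    "Se1 192.0.2.52 Et0 203.0.113.24 06 0D3F 0016 11K",
]


def analyse(lines):
    flows = [f for f in map(parse_flow_line, lines) if f]
    return flood_candidates(flows), flows_to_port(flows, 0x11, 666)


if __name__ == "__main__":
    candidates, port_hits = analyse(SAMPLE)
    for c in candidates:
        print("possible flood:", c)
    for f in port_hits:
        print("UDP/666:", f["src"], "->", f["dst"])
```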
1. Profile: Baseline traffic patterns in the network
2. Monitor: Analyze traffic for anomalies
3. Detect: Forward anomaly fingerprints to controllers
4. Trace: Trace the attack to its source
5. Filter: Recommends filters (X)
IDS, Firewall
Targeted for security: to help identify network attacks and their origin
Layer 2 IP header fields
Source MAC address field from frames that are received by the NetFlow router
Destination MAC address field from frames that are transmitted by the NetFlow router
Received VLAN ID field (802.1q and Cisco's ISL)
Transmitted VLAN ID field (802.1q and Cisco's ISL)
Cisco IOS 12.4(2)T - Cisco 800, 1800, 2800, 3800 and 7200 Series
IfIndex to interface name mapping
Fragment-offset information
Attacks That Use Consistent Packet Size or Worms That Use Consistent Packet Size
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fragment Offset: Same Packet Sent over and over with the Same Offset, Issued From the Same Origin
Very Large Packets or Attacks That Might Always Have the Same Generated Identification
Not flow keys, the value of the first packet of the flow
Exception for packet length: min/max
Exception for the TTL: min/max
Fragment-offset: the first fragmented packet
DstIPaddress 172.17.246.9
Pr 01
The destination port number reported = (ICMP type * 256) + (the ICMP code)
ICMP type = 8, ICMP code = 0
Port = 8 * 256 + 0 = 2048 = 800 hexa
[Figure: network diagram. Labels: Router B, Host B, NetFlow, Internet, Host C, Router C, Router D]
IXP
ISP 2
NetFlow solution is more granular than the "IP accounting MAC address" feature
ISP 3
ISP 4
ISP 5
)T on the low-end
Traffic analysis
The top talkers whose destination IP address is my web server
Capacity planning
The top talkers whose destination is the BGP AS X
[Slide: flow output fragment; recoverable column headings: SrcIPaddress, Pr, TOS, Flgs, B/Pk]
match [[source address | destination address | nexthop address] [ip-address] [mask | /nn]]
      [[source port | destination port] [port-number | min port | max port | min port max port]]
      [[source as | destination as] as-number]
      [[input-interface | output-interface] interface]
      [tos [tos-value | dscp dscp-value | precedence precedence-value]]
      [protocol [protocol-number | tcp | udp]]
      [flow-sampler flow-sampler-name]
      [class-map class]
      [packet-range | byte-range [[min-range-number max-range-number] [min minimum-range | max maximum-range | min minimum-range max maximum-range]]]
Not a good trending tool unless we compare all the flow key values
cnfTopFlowsIndex represents the top flow index but this is not keeping any correlation from the cnfTopFlowsIndex in the previous or next polling interval
NetFlow Features
The NetFlow Egress feature allows NetFlow accounting to be implemented for egress (outgoing) traffic on an interface or sub-interface
Locally generated traffic (traffic that is generated by the router) will not be counted
The NetFlow Egress feature captures NetFlow statistics for IP traffic only; MPLS statistics are not captured in T train
The egress or ingress interface may be a flow key
Aggregate flows leaving the device
Post processed NAT and TOS export with the flow
Release 12.3(11)T, for the low-end routers
Router(config-if)# ip flow egress
[Figure: NetFlow Ingress and NetFlow Egress placement. Labels: Servers, IP, IP or MPLS, NetFlow Ingress, NetFlow Egress, Release 12.3(11)T]
A flow is identified by the output interface (amongst other), by default with egress NetFlow
Router(config)# ip flow-egress input-interface
The direction match statement added
The "direction" is a new information element
Egress value added in the template
Egress value not added for the aggregation caches
Existing ingress templates are not modified
Even more useful than top talkers for security
"show ip flow top" command:
show ip flow top <N> <aggregate-field> <sort-criteria> <match-criteria>
Top five destination addresses to which we're routing most traffic from the 10.10.10.0/24 prefix
Router# show ip flow top 5 aggregate destination-address match source-prefix 10.10.10.0/24
Exactly the same commands as IPv4 for configuration and monitoring, except that "ip" is replaced by "ipv6"
New NetFlow Version 9 information elements
VPN
1:100 Sampling
NetFlow Cache
Best Effort
1:1000 Sampling
Ability to sample filtered data at different rates, depending on how interesting the traffic is
12.3(4)T, 12.2(25)S
AS 101
AS 102
AS 103
AS 104
AS 105
AS 106
Traffic
NetFlow accounts for packets prior to IPsec tunnel
Enable here: NetFlow accounts for both the tunnel
NetFlow allows a break out of both pre and post encryption
Support for both GRE and IPSec encryption
Product Literature at www.cisco.com/go/netflow
Backup
Fail-over mode: open the backup connection when the primary fails
Redundant mode: open the backup connection in advance, and already send the templates
Note that the backup inherits the reliability level from the primary
SCTP: Reliable
Main Cache
Destination-Prefix Aggr.
Router(config)# ip flow-export destination 10.10.10.10 9999 sctp
Router(config-flow-export-sctp)# reliability partial buffer-limit 100
Router(config-flow-export-sctp)# backup destination 11.11.11.11 9999
Router(config-flow-export-sctp)# backup fail-over 1000
Router(config-flow-export-sctp)# backup mode fail-over
Router(config)# ip flow-aggregation cache destination-prefix
Router(config-flow-cache)# export destination 12.12.12.12 9999 sctp
Router(config-flow-export-sctp)# backup destination 13.13.13.13 9999
Router(config-flow-export-sctp)# backup mode redundant
Router(config-flow-export-sctp)# backup restore-time 1
Router(config-flow-export-sctp)# exit
Router(config-flow-cache)# enabled
From/to  R1  R2  R3  R4
R1       0   0   0   0
R2       15  0   0   0
R3       5   5   0   0
R4       0   0   10  0
(r1-r2)=15
(r2-r3)=5
(r1-r3)=5
(r3-r4)=10
[Figure: routers labelled R2, R3, R4, R5]
ISP-1 ISP-2
Destination
Best Effort Traffic
Best Effort
Munich POP
London POP
Rome Exit Point, Paris Exit Point, London Exit Point, Munich Exit Point
Rome Entry Point: NA (*), … Mb/s, … Mb/s, … Mb/s
Paris Entry Point: … Mb/s, NA (*), … Mb/s, … Mb/s
London Exit Point: … Mb/s, … Mb/s, NA (*), … Mb/s
Munich Exit Point: … Mb/s, … Mb/s, … Mb/s, NA (*)
[Figure: PoP-to-PoP topology. Labels: Customers, PE, PoP, Server Farm 1, Server Farm 2, MPLS Core or IP Core with BGP Routes Only]
Leverages the new NetFlow version 9 export format
Configure on ingress interface
Supported on sampled/non-sampled NetFlow
12.0(26)S, 12.2(18)S and 12.3 on the software based routers (7500 and below)
12000: 12.0(24)S, 12.2(18)S and 12.3
[Figure: MPLS core topology. Labels: Customers, PE, P, MPLS Core, CE, CPE, Server Farm 1, Server Farm 2]
Internal Traffic: "PoP to PoP"
External Traffic Matrix PoP to BGP AS: not available
[Figure: traffic flow between PE routers across PoPs. Labels: PE, PoP, MPLS, IP, Traffic flow]
Egress MPLS NetFlow accounting
IP information only
Ideal for billing
Current availability: Releases 12.0(10)ST and 12.1(5)T
MPLS aware NetFlow (Version 9)
Exports up to three MPLS labels and IP packet information
Ideal for Traffic Engineering (TE)
Multicast NetFlow
Three types of NetFlow implementations for Multicast traffic
Traditional NetFlow
Multicast NetFlow Ingress
Multicast NetFlow Egress
[Figure: multicast replication diagram; address and interface labels not reliably recoverable]
SrcIf  SrcIPadd  DstIf  DstIPadd       Protocol  TOS  Flgs  SrcPort  SrcMsk  DstPort  DstMsk  NextHop  Bytes  Packets  Active  Idle
Eth 0  10.0.0.2  Null   224.10.10.100  11        80   10    00A2     /24     00A2     /24              23100  21       1745    4
There is only one flow per NetFlow configured input interface
Destination interface is marked as "null"
Bytes and packets are the incoming values - non replicated
[Figure: multicast replication diagram; address and interface labels not reliably recoverable]
There is only one flow per NetFlow configured input interface
Destination interface is marked as "null"
Bytes and packets are the outgoing values, replicated counts
[Figure: multicast replication diagram; address and interface labels not reliably recoverable]
There is one flow per Multicast NetFlow Egress configured output interface
Bytes and packets are the outgoing values
Precedence bits
Bit:    DS5  DS4  DS3  DS2  DS1  DS0  ECN  ECN
Value:  128  64   32   16   8    4    2    1
Delay, Throughput, and Reliability bits
Delay bit        x x x 0 x x x x   0    Delay - normal
                 x x x 1 x x x x   16   Delay - low
Throughput bit   x x x x 0 x x x   0    Throughput - normal
                 x x x x 1 x x x   8    Throughput - high
Reliability bit  x x x x x 0 x x   0    Reliability - normal
                 x x x x x 1 x x   4    Reliability - high
Early Congestion Notification (ECN) bits: ECN-capable Transport (ECT) bit, Congestion Experienced (CE) bit
x x x x x x 0 0   0   Not ECN-capable
x x x x x x 0 1   1   Endpoints of transport protocol ECN-capable
x x x x x x 1 0   2   Endpoints of transport protocol ECN-capable
x x x x x x 1 1   3   Congestion experienced
Pr  TOS  Flgs  Pkts  B/Pk  Active
01  55   10    3748  28    17.8
01  CC   10    3568  28    17.8
01  C0   10    1124  28    17.8
Hex  Decimal  Binary     Meaning
55   85       0101 0101  Precedence 2 - Immediate (Class 2), Delay - low, Reliability - high, Endpoints of transport protocol ECN-capable
C0   192      1100 0000  Precedence 6 - Internetwork Control (Routing Protocols)
CC   204      1100 1100  Precedence 6 - Internetwork Control (Routing Protocols), Throughput - high, …
NetFlow MIB
CISCO-NETFLOW-MIB
Managed objects to configure the following NetFlow information
Flow cache, interface, export
CISCO-NETFLOW-MIB (Cont.)
The CISCO-NETFLOW-MIB.my is NOT:
A replacement for the traditional method of exporting a flow cache
A way to retrieve all the flow records
Snap shot of NetFlow cache at the moment
Note that CISCO-SWITCH-ENGINE-MIB, on the catalyst, allows to query the Multi Layer Switching Flow records
Introduced in Release 12.2(25)S and 12.3(7)T
cnfCINetflowEnable
Values for ingress, egress, ingress + egress, none
Indexed by interface (ifIndex)
Read-write MIB variable
Which sub-interfaces is NetFlow enabled on
Router(config)# ip flow-aggregation cache <cache type>
Router(config-flow-cache)# cache entries <number>
Router(config-flow-cache)# cache timeout inactive <seconds>
Router(config-flow-cache)# mask destination minimum <value>
Router(config-flow-cache)# mask source minimum <value>
Router(config-flow-cache)# enabled
cnfCICacheEnable
cnfCIMinSourceMask
cnfCIMinDestinationMask
cnfCIActiveTimeOut
As many cnfCICacheType values as aggregation cache types: main(0), as(1), protocolPort(2), sourcePrefix(3), etc.
cnfESPktsDropped
cnfPSPacketSizeDistribution
1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
.356 .316 .144 .115 .004 .003 .000 .007 .001 .000 .002 .017 .018 .009 .000
 512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
cnfPSProtocolStatTable
Protocol     Flows /Sec  Packets /Flow  Bytes /Pkt
TCP-Telnet   0.0         65             40
TCP-WWW      0.0         5              45
TCP-BGP      0.0         2              47
TCP-other    0.0         2              48
UDP-other    0.4         2              76
ICMP         0.0         9              71
Total:       0.5         2              73
Sampled NetFlow
Export flow
[Table: "Full" NetFlow versus Sampled NetFlow support matrix; the cell values Supported, Not supported and Aggregated only survive, the row and column headings do not]
[Figure: load [%] versus samples]
Flow sampling
Examine the hardware cache and export a subset of the total flows
Randomly select flows to export
Reduced CPU and Export volume by sampling flows
Cisco Catalyst 6500 Series and Cisco 7600 Series Sampled NetFlow
Sampling rate is configurable only for the whole box
Accuracy of NetFlow on the platform comes from tuning the aging timers correctly
A way of minimizing packet loss is using Distributed Forwarding Cards (DFCs), spreading the incoming packet load evenly onto different VLANs on different cards
Currently available in Release 12.1(13)E
Sampling rate
Whitepaper will be published soon
Next step, hope for the following graph
[Figure: accuracy versus sampling rate]
Flow Key
The six fields are a subset of the general fields used to identify a packet flow, this subset is called Flow Key
Flow Mask
A combination of the fields selected from the flow key and actually used to identify a flow
With 6 fields in flow key, there are total 64 possible combinations
7600 supports 6 combinations - 6 flow masks
Full-interface, full, source-only, destination-only, source-destination, source-destination-interface
Full
VLAN, SRC IP, DST IP, IP Protocol, Src Port, Dst Port
Destination-Source-Interface
VLAN, SRC IP, DST IP, IP Protocol, Src Port, Dst Port
Source-Only
VLAN, SRC IP, DST IP, IP Protocol, Src Port, Dst Port
Destination-Only
VLAN, SRC IP, DST IP, IP Protocol, Src Port, Dst Port
Destination-Source
VLAN, SRC IP, DST IP, IP Protocol, Src Port, Dst Port
Mask/hash function
8 Pages x 16,000 Entries
A hash function takes a large number as input (the key) and reduces it by a mathematical function (the hash) to a smaller number (the index) within a known range, to be stored into a table.
Netflow on PFC3
3A/3B support 128k entry Netflow table
Packet key: VLAN, Src IP, Dst IP, IP Protocol, Src & dst port
128-bit key header field, Hash, 36-bit Hashed key, Match index
3A/3B has two 64k entry TCAM banks
3BXL has two 128K entry TCAM banks
TCAM
Netflow table
[Figure: NetFlow key hashing on SUP720 3BXL for IPv4 and IPv6. Labels: Base key, Masking logic, Masked key, Hashed key, 36 bit index, Hash, TCAM match, SRAM pointer, Record count, Hit, Bank 1, Bank 2, 128K entries, ENTRY A, ENTRY C]
Larger (hashed keys) improve hash efficiency as the keys are more evenly distributed
Larger (hashed keys) provide more efficient TCAM utilization as TCAM is 36 bit wide
Hash assisted NetFlow TCAM allows an efficient mapping of 2^128 possible keys to 256K TCAM entries
[Figure: NetFlow TCAM and table entry layout. Labels: SRAM pointer, Record count, Hit, ENTRY A, ENTRY C, Bank 1, Bank 2, 128K entries, 36 Bit Index, Hash Function, Prot, IP SA [63:0], IP DA, Vlan/VPN, Rs, Prot/Msk, Next Label, Cent, PI, L2, Policing field, S/W & ECC]
Policing field: manage policer thresholds, mark/drop counts, leak rate
Adjacency control field: adjacency select, loadshare modulus, adjacency pointer
NetFlow key field varies based on packet type: IPV4, IPV6, MPLS, L2
NetFlow Alias Internal CAM: 64 entries
NetFlow table entry
[Figure: NetFlow statistics table entry. Fields: Byte count, Packet count, Threshold exceed cnt, Bucket count, RPF fail, Control bits, Total, ECC]
[Figure: NetFlow table key and statistics tables in SRAM, Bank 1 and Bank 2 (128K entries each), Hash, 36 bit index, NetFlow alias internal CAM]
The NetFlow internal CAM has 64 entries to accommodate hash collisions
Internal CAM entries hold hash values
When collision occurs, one new entry gets created in CAM; the internal CAM will also program a new entry in both NetFlow table/statistics SRAM
NetFlow alias internal CAM, 64 entries: Valid bit (1 bit), Hash key (36 bits)
[Figure: NetFlow data export path. Labels: Record 1 to Record 4, Export process, IP header, Switch processor, Search/purge driver, PFC, NetFlow collector]
Filters can be applied on source and destination address, port numbers or specific TCP/UDP ports
Cisco Catalyst 6500 Series and Cisco 7600 Series - Versions and Features
Release 12.1(13)E PFC2 source/destination interface information (hybrid 6.3(6)) PFC2 source/destination AS information PFC2 support for version 5 NetFlow data export (hybrid 7.5(1)) Sampled NetFlow is available on PFC in Cisco IOS Software
Release 12.2(14)SX Version 8 in native mode and Dual Export
Release 12.2(17b)SXA PFC3b and 3bXL (Sup720) cards First Packet ToS field used for Flow
Release 12.2(17d)SXB Dual export support for Sup2
Cisco Catalyst 6500 Series and Cisco 7600 Series - Versions and Features (Cont.)
Hybrid Catalyst OS 7.2(1)
Bridged L2 switched traffic (VLAN x to VLAN y) support (MSFC not required)
Under development
NetFlow IPV6 NetFlow (Q3CY'06) Per interface NetFlow (Q3CY'06) Egress Multicast NetFlow (Q3CY'06)
NetFlow Service Card Features: NetFlow statistics collection and Data Export (NDE), VLAN statistics collection, CLI support for NetFlow and VLAN stats, SNMP support for VLAN stats
Supervisor engine V-10G does not require card for NetFlow
Requirements: supervisor engine IV or V, Release 12.1(13)EW, NetFlow Versions 1, 5 and 8 w/ Release 12.1.19 EW, bridged flows Release 12.2(25)EWA
NetFlow Performance
Do not export Versions 5, 7, & 9 simultaneously with Version 8
Plan NetFlow deployment in the network topology to avoid a design that creates duplicate flows for billing
Use a dedicated interface / VLAN for data export
Monitor lost packet counter in NFC
Check the export link bandwidth
Estimated export of 3% to 5% of the interface throughput
Updated Performances document available for Flexible NetFlow - new platforms Cisco 1800, Cisco 2800, Cisco 3800, Cisco 7200 NPE-G2
New applications constantly require new accounting features
Current approach of feature development one by one does not scale, does not deliver timely solution.
[Figure: ISP, data center, WAN and campus networks. IP Flows and Security Flows: Protocol, Ports, IP Addresses, TCP Flags, Packet Section]
Key Fields: Source IP, Destination IP, Source Port, Destination Port, Layer 3 Protocol, TOS Byte, Input Interface
[Figure: flow monitors "A", "B" and "C", each with a flow record and flow exporters]
A single record per monitor
Potentially multiple monitors per interface
Potentially multiple exporters per monitor
IPv4
IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Protocol, Fragmentation Flags, Fragmentation Offset, Identification, Header Length, Total Length, Payload Size, Packet Section (Header), Packet Section (Payload), TTL, Options bitmap, Version, Precedence, DSCP, TOS
IPv6
IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Protocol, Traffic Class, Flow Label, Option Header, Header Length, Payload Length, Payload Size, Packet Section (Header), Packet Section (Payload), DSCP, Extension Headers, Hop-Limit, Length, Next-header, Version
Interface
Input, Output
Layer 2
Source VLAN, Destination VLAN, Source MAC address, Destination MAC address
Transport
Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type*, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, TCP Flag: ACK, TCP Flag: CWR, TCP Flag: ECE, TCP Flag: FIN, TCP Flag: PSH, TCP Flag: RST, TCP Flag: SYN, TCP Flag: URG, UDP Message Length, UDP Source Port, UDP Destination Port
Application
Application ID*
Forwarding Status
IGP Next Hop
Multicast
Replication Factor*, RPF Check Drop*, Is-Multicast
*: IPv4 Flow only
Timestamp
sysUpTime First Packet, sysUpTime First Packet
IPv4
Total Length Minimum, Total Length Maximum, TTL Minimum, TTL Maximum
Plus any of the potential "key" fields: will be the value from the first packet in the flow
,1-sh flow monitor .*/0v!-01 cache format csv *ache t)pe1 2ormal *ache si3e1 !0&# *urrent entries1 4igh 5atermar+1 #! 6lows added1 22% 6lows aged1 22" - 7ctive timeout 8 2!0 secs9 2# - /nactive timeout 8 #0 secs9 1&& - :vent aged 0 - 5atermar+ aged 0 - :mergenc) aged 0 /0 65; <(7(=<>/0?! <,* 7;;,>/0?! ;<( 7;;,>(,2< <,* 0@,(>(,2< 6orward>#!B10 B 0B!">10B1"1B1"1B1> &$!>2 ><e0C C1>/nput>0x00 6orward>10B1"1B1B10">10B1"1B1"1B1> 2$%0>1#1><e0C C1>/nput>0x 6orward>10B1"1B2!B21>10B1"1B1"1B">112$!>2 ><e0C C1>/nput>0x*
flow monitor <monitor-name>
 record <record-name>
 exporter <exporter-name>
 cache type {normal | immediate | permanent}
 cache entries <number-of-entries>
 cache timeout {active | inactive | update} <value-in-sec>
 statistics packet protocol
 statistics packet size
Collect Size Distribution Statistics
Collect Protocol Distribution Statistics
Immediate cache
Flow accounts for a single packet
Desirable for real-time traffic monitoring, DDoS detection, logging
Desirable when only very small flows are expected (ex: sampling)
Caution: may result in a large amount of export data
Permanent cache
To track a set of flows without expiring the flows from the cache
Entire cache is periodically exported (update timer)
After the cache is full (size configurable), new flows will not be monitored
Uses update counters rather than delta counters
Router(config)# flow monitor my-dscp-monitor
Router(config-flow-monitor)# description dscp bytes and packets
Router(config-flow-monitor)# record my-dscp-record
Router(config-flow-monitor)# cache type permanent
Router(config-flow-monitor)# cache entries 256
Router(config)# interface GigabitEthernet 0/1
Router(config-if)# ip flow monitor my-dscp-monitor input
1800 secs)
For the Input or Output Traffic. Does Not Determine the Flow Key
NetFlow v5 export format support in Flexible NetFlow will enable a smooth migration.
Customers will be able to migrate to Flexible NetFlow while exporting the same flow records with NetFlow v5 format, thus eliminating the need for a collector upgrade.
Flow Filtering, Flow Aggregation and Flow Sorting can be combined to select what and how information will be displayed
Top five destination addresses to which we're routing most traffic from the 10.10.10.0/24 prefix
Router# show flow monitor <monitor> cache filter ipv4 destination address 10.10.10.0/24 aggregate ipv4 destination address sort highest counter bytes top 5
ip nbar custom virus_home 20 hex variable scid 1 dest udp 5001 5005
class-map active-craft
 match protocol virus_home scid 0x15
 match protocol virus_home scid 0x21
class-map passive-craft
 match protocol virus_home scid 0x11
 match protocol virus_home scid 0x22
router(config)# flow monitor app_monitor
router(config-flow-monitor)# record app_record
router(config)# interface eth0/0
router(config-if)# ip flow monitor app_monitor in
The exported application ID and the NBAR-Protocol-Discovery-MIB index are similar
Template assignment
"show flow exporter template"
NetFlow configuration
"show running flow [exporter | monitor | record]"
Cache collisions
"show flow monitor my-monitor internal"
Updated Performances document available for Flexible NetFlow - new platforms Cisco 1800, Cisco 2800, Cisco 3800, Cisco 7200 NPE-G2
Feature
Version 5, Version 8, Version 9, Dual Export, VRF Destination, Reliable Export
Software
2.08 9 2.08)94 2.) 2.28294 2..8.94 2.)8.94
C6500
2. 829& 2.28 .9S> 2.28 ;9S>" 2.28 -d9S>*
C7600
2. 829& 2.28 .9S> 2.28 ;9S>" 2.28 -d9S>*
C12000
2.08 .9S 2.0869S 2.082.9S
C10000
2.08 19SA 2.08 19SA 2.28) 9S* 2.28 +9*>
C4500
2. 8 )9&E 2. 8 19&E
2. 8 19&E
2.08269S
Available Now / Not Available / Roadmap
CRS-1
XR 12000
ASR 1000
2. 2. 2. 2.
Software
2.08 9 2.)8-94 2.) 2.) =es =es 2.)82.9 2. 8294
C6500
2. 82-/9& 2.28))9S>< 2.28 ;9S>" 2.28 ;9S>" 2.28))9S>< 2.28 -/9S>A
C7600
2.28 ;9S>" 2.28))9SB* 2.28 ;9S>" 2.28))9SBA 2.28))9SB* 2.28 -/9S>A
C12000
2.08229 S
C10000
2.28 +9*>
C4500
2. 8 )9&E
2.28) 9S*
2.28) 9S*
CRS-1
).2.0 ).+.0 ).2 ).) ).).0 ).2 ).2
XR 12000
).).0 ).6.0 ).) ).) ).).0 ).) ).)
ASR 1000
2.
2. 2. 2. 2.
Software
2.)8 94
C6500
C7600
C12000
2.08 09S 4
C10000
2.28) 9S*
C4500
2.28 ;9S>&
2.28 ;9S>&
2.282+9& E
CRS-1
).2
XR 12000
).)
ASR 1000
2.
Software
2.)8 94
C6500
2.28))9S><
C7600
C12000
C10000
ASR 1000
2..8.94 2.28))9SB* R
Software
2.)8 94
C6500
C7600
C12000
2.08 9S
C10K
2.28) 9S*
C4500
2..8194
2.08))9S 2.082.9S
Packet sampling, Cache, Export
CRS-1
XR 12000
ASR 1000
Packet sampling, Cache, Export
Flexible NetFlow
Feature
New Flexible NetFlow CLI, Multiple User Defined Caches, Immediate Cache, Permanent Cache, Header Section Export, Payload Section Export, Ingress support, Egress support, Random Sampling, Full Flow support, FNF QOS output features, Dynamic TopNTalkers
Cisco ISR/72xx
2..8194 2..8194 2..8194 2..8194 2..8194 2..8194 2..8194 2..8194 2..8194 2..8194 2..82094 2..82294
C6500
2.28+09S=A 2.28+09S=A 2.28+09S=A 2.28+09S=A
C12000
2.08))9S 2.08))9S 2.08))9S 2.08))9S 2.08))9S 2.08))9S
C4500/K10
2.2SC\ 2.2SC\ 2.2SC\ 2.2SC\ 2.2SC\ 2.2SC\ 2.2SC\ 2.2SC\ 2.2SC\ 2.2SC\ 2.2SC\ 2.2SC\
Flexible NetFlow
Feature
New Flexible NetFlow CLI, Multiple User Defined Caches, Immediate Cache, Permanent Cache, Header Section Export, Payload Section Export, Ingress support, Egress support, Random Sampling, Full Flow support, FNF QOS output features, Dynamic TopNTalkers
CRS-1
).2
Nexus 7000
..0 ..0
).2 ).2
).).0 ).).0
..08 9 ..08 9
Flexible NetFlow
Feature
NetFlow v5, NetFlow v9, IPFix Export, Reliable Export (SCTP), IPv4 Unicast Flows, IPv4 Predefined Aggregations, IPv6 Unicast Flows, IPv6 Predefined Aggregations, IPv4 Multicast Flows, IPv6 Multicast Flows, Layer 2 Flows, Ingress VRF name
Cisco ISR/72xx
2..82294 2..8194 2..8Pi +94\ 2..8Pi +94\ 2..8194 2..8194 2..82094 2..82094 2..82294 2..8Pi .94\ 2..82294 2..8Pi 94
C6500
2.28+09S=A 2.28+09S=A \ \ 2.28+09S=A 2.28+09S=A 2.28+09S=A 2.28+09S=A 2.28+09S=A 2.28+09S=A 2.28+09S=A
C12000
C4500/K10
2.2SC\
2.08))9S
2.08))9S 2.08))9S
2.08))9S
Flexible NetFlow
Feature
NetFlow v5, NetFlow v9, IPFix Export, Reliable Export (SCTP), IPv4 Unicast Flows, IPv4 Predefined Aggregations, IPv6 Unicast Flows, IPv6 Predefined Aggregations, IPv4 Multicast Flows, IPv6 Multicast Flows, Layer 2 Flows, Ingress VRF name
CRS-1
).2 ).2 \
XR 12000
).).0 ).).0 \
ASR9000
..08 9 ..08 9 \
ASR 1000
Belease -\ Belease -\ \
Nexus 7000
..0 ..0 \
).+.0 ).6.0R
Flexible NetFlow
Feature
MQC Integration, NBAR Integration, MPLS Flows, MPLS - IPv4 Flows, MPLS - IPv6 Flows, MPLS - IPv6/IPv4 Flows, FNF EEM Monitor
Cisco ISR/72xx
2..8Pi )94\ 2..8Pi 94
C6500
\
C12000
C4500/K10
2.2SC\
2.2SC\
Flexible NetFlow
Feature
MQC Integration, NBAR Integration, MPLS Flows, MPLS - IPv4 Flows, MPLS - IPv6 Flows, MPLS - IPv6/IPv4 Flows, FNF EEM Monitor
).). ).). ).+.0 ).6.0
CRS-1
XR 12000
ASR9000
ASR 1000
Belease ;\ Belease -\
Nexus 7000
\ \ \ \ Belease ;\