Cisco IOS NetFlow Technical Presentation

Jean-Charles GRIVIAUD, jgriviau@cisco.com
NSSTG Product Manager
Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Agenda
• NetFlow overview including partners and applications
• NetFlow case studies
• Configuration
• Cache export timers
• Export versions
• Security
• Multicast

Agenda (Cont.)
• NetFlow MIB
• Sampled NetFlow
• NetFlow on Cisco 6500/7600 and Catalyst 4500
• Performance
• New features
• Introduction to Flexible NetFlow

Cisco IOS NetFlow – What is it?

• Developed and patented at Cisco® Systems in 1996
• NetFlow is the de facto standard for acquiring IP operational data
• Provides network and security monitoring, network planning, traffic analysis, and IP accounting

Network World article – NetFlow Adoption on the Rise
http://www.networkworld.com/newsletters/nsm/2005/0314nsm1.html

Why Cisco IOS NetFlow? Customer Benefits

• To better understand
  – Productivity and utilization of assets in the network
  – Application and network usage
  – Impact of network changes and services
• NetFlow answers the who, what, when, where, and how of network traffic flows
• Detect and classify security incidents with proven threat defence
• Improve network usage and application performance

Principal NetFlow Applications

Service Provider
• Network infrastructure optimization and planning
• Peering arrangements
• Traffic engineering
• Accounting and billing
• Security monitoring and incident (DDoS) detection

Enterprise
• Internet access monitoring
• User monitoring/profiling
• Application monitoring
• Billing for departments
• Security monitoring and incident (DDoS) detection

Data at ANY granularity to understand network use: who, what, where, when and how

Flow Is Defined By Seven Unique Keys

[Figure: a NetFlow-enabled device inspects each packet of the incoming traffic, creates a flow from the packet attributes in the NetFlow cache, and sends NetFlow export packets to the reporting system.]

Inspect packet – the seven key fields:
• Source IP address
• Destination IP address
• Source port
• Destination port
• Layer 3 protocol
• ToS byte (DSCP)
• Input interface

NetFlow cache: flow information (addresses, ports, ...) plus counters, e.g. Packets 11000, Bytes/packet 1528

Create a flow from the packet attributes → NetFlow export packets → Reporting

NetFlow Processing Order

Preprocessing
• Packet sampling
• Filtering

Features and services
• IP
• Multicast
• MPLS
• IPv6

Postprocessing
• Aggregation schemes
• Non-key fields lookup
• Export

NetFlow Cache Example

1. Create and update flows in the NetFlow cache

SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol TOS Flgs Pkts   SrcPort SrcMsk SrcAS DstPort DstMsk DstAS NextHop    Bytes/Pkt
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11       80  0    11000  00A2    /24    5     00A2    /24    5     10.0.23.2  528
Fa1/0  173.100.3.2   Fa0/0  10.0.227.12  06       40  0    2491   0015    /26    196   0015    /24    5     10.0.23.2  740
Fa1/0  173.100.20.2  Fa0/0  10.0.227.12  11       80  0    10000  00A1    /24    80    00A1    /24    5     10.0.23.2  428
Fa1/0  173.100.6.2   Fa0/0  10.0.227.12  06       40  0    2210   0019    /30    80    0019    /24    5     10.0.23.2  1040

(Protocol and ports are hexadecimal: 11 = UDP, 06 = TCP; 00A2 = SNMP trap, 0015 = FTP, 00A1 = SNMP, 0019 = SMTP.)

2. Expiration
• Inactive timer expired (15 sec is default)
• Active timer expired (30 min (1800 sec) is default)
• NetFlow cache is full (oldest flows are expired)
• RST or FIN TCP flag

Expired flow:
SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol TOS Flgs Pkts   SrcPort SrcMsk SrcAS DstPort DstMsk DstAS NextHop    Bytes/Pkt Active Idle
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11       80  0    11000  00A2    /24    5     00A2    /24    5     10.0.23.2  528       1800   4

3. Aggregation
• Yes → e.g. the Protocol-Port aggregation scheme reduces the flow to: Protocol 11, Pkts 11000, SrcPort 00A2, DstPort 00A2, Bytes/Pkt 528
• No → non-aggregated flows

4. Export version
• Non-aggregated flows: export Version 5 or 9
• Aggregated flows: export Version 8 or 9

5. Transport protocol
• 30 flows per 1500-byte export packet
• Export packet = Header + Payload (flows)
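The cache behaviour in steps 1 and 2 above, as an added example that is not part of the original deck and not Cisco code: a small Python model of the main cache keyed on the seven fields, with the inactive timer (15 s), the active timer (30 min), cache-full eviction of the oldest flow and immediate expiry on TCP FIN/RST. The addresses reuse the slide's example; the packet timings and the 65536-entry default are assumptions of the model.

```python
"""Toy model of the NetFlow main cache: 7-key flows, inactive/active timers,
cache-full eviction and TCP FIN/RST expiry. Constructed example, not Cisco code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The seven key fields: src IP, dst IP, src port, dst port, L3 protocol, ToS, input interface
FlowKey = Tuple[str, str, int, int, int, int, str]

TCP = 6
UDP = 17
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


@dataclass
class FlowEntry:
    key: FlowKey
    first_seen: float          # seconds; stands in for sysUpTime
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0         # cumulative OR of TCP flags, as NetFlow reports them


@dataclass
class FlowCache:
    inactive_timeout: float = 15.0       # IOS default: 15 seconds
    active_timeout: float = 30 * 60.0    # IOS default: 30 minutes
    max_entries: int = 65536             # assumed cache size for this model
    entries: Dict[FlowKey, FlowEntry] = field(default_factory=dict)
    exported: List[FlowEntry] = field(default_factory=list)

    def _expire(self, entry: FlowEntry) -> None:
        """Remove a flow from the cache and hand it to the exporter."""
        del self.entries[entry.key]
        self.exported.append(entry)

    def age(self, now: float) -> None:
        """Expire flows idle longer than the inactive timer or older than the active timer."""
        for entry in list(self.entries.values()):
            idle = now - entry.last_seen
            age = now - entry.first_seen
            if idle > self.inactive_timeout or age > self.active_timeout:
                self._expire(entry)

    def packet(self, now: float, key: FlowKey, length: int, tcp_flags: int = 0) -> FlowEntry:
        """Account one packet: create or update its flow, applying the expiry rules."""
        self.age(now)
        entry = self.entries.get(key)
        if entry is None:
            if len(self.entries) >= self.max_entries:
                # Cache full: the oldest (least recently updated) flow is expired first.
                self._expire(min(self.entries.values(), key=lambda e: e.last_seen))
            entry = FlowEntry(key, first_seen=now, last_seen=now)
            self.entries[key] = entry
        entry.last_seen = now
        entry.packets += 1
        entry.octets += length
        entry.tcp_flags |= tcp_flags
        if key[4] == TCP and tcp_flags & (TCP_FIN | TCP_RST):
            self._expire(entry)  # connection teardown: export immediately
        return entry


def demo_timers() -> List[FlowEntry]:
    """Drive the cache with two constructed flows using the slide's example addresses."""
    cache = FlowCache()
    tcp = ("173.100.3.2", "10.0.227.12", 1025, 21, TCP, 0x40, "Fa1/0")
    udp = ("173.100.21.2", "10.0.227.12", 162, 162, UDP, 0x80, "Fa1/0")
    cache.packet(0.0, tcp, 60, TCP_SYN)
    cache.packet(0.5, tcp, 1500, TCP_ACK)
    cache.packet(1.0, udp, 528)
    cache.packet(10.0, udp, 528)
    cache.packet(20.0, udp, 528)                     # TCP flow idle 19.5 s > 15 s: expired here
    cache.packet(20.5, tcp, 60, TCP_FIN | TCP_ACK)   # new TCP flow; FIN: exported at once
    for t in range(30, 1900, 10):                    # steady UDP stream; active timer (1800 s) fires
        cache.packet(float(t), udp, 528)
    return cache.exported


def demo_cache_full() -> List[FlowEntry]:
    """Three flows into a two-entry cache: the oldest flow is evicted."""
    cache = FlowCache(max_entries=2)
    for i in range(3):
        cache.packet(float(i), ("10.0.0.1", "10.0.0.2", 40000 + i, 80, TCP, 0, "Fa1/0"), 60)
    return cache.exported
```

The long-lived UDP stream is exported once at 1800 s and then continues as a new flow with a fresh first-seen time, which is why a collector must stitch records by key rather than assume one record per conversation; lowering the active timer (the deck later suggests one minute for security monitoring) shortens the lag before an ongoing attack shows up in exports.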

Ingress NetFlow Switching Path

[Figure: packet path through ingress NetFlow on Cisco 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers]

• Input: switching vector → packets
• Sampling: 1 out of N (sampled NetFlow) or no sampling → flow lookup; a new flow creates a cache entry
• Add input flow fields; input interface feature check: ACL, Policy, WCCP, NAT input
• Packet buffer
• CEF_FLOW / FAST_FLOW switching paths update the NetFlow cache
• Route lookup in the FIB: nexthop, BGP nexthop, Src AS, Dest AS; add output flow fields; output interface update
• Output interface feature check: QoS, CAR, Crypto, NAT output
• Counters updated: input bytes, input packets
• Output

Comprehensive Hardware Support

Enterprise & aggregation/edge – Cisco IOS Software Release 12.2S
• Cisco 7200/7500 Series
• Cisco 7300 Series
• Cisco 4500 Series ASIC
• Cisco 10000 Series ASIC
• Cisco Catalyst 6500 / Cisco 7600 Series ASIC

Core – Release 12.0S / IOS-XR
• Cisco 12000 Series ASIC
• CRS-1 ASIC

Access – Cisco IOS Software Releases T train
• Cisco 7200/7300 Series
• Cisco 2600, 1700, 800, 2800, 1800 Series
• Cisco 3700, 3800 Series

Cisco Applications and Partners

• Traffic analysis
• NetFlow Collector
• Denial of Service
• Billing
• CS-MARS

More info: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/commercial/

NetFlow Open Source Tools

Product Name      | Primary Use
Cflowd            | Traffic analysis (no longer supported)
Flow-tools        | Collector device
Flowd             | Collector device
FlowScan          | Reporting for Flow-tools
IPFlow            | Traffic analysis
NetFlow Guide     | Reporting tools
NetFlow Monitor   | Traffic analysis
Netmet            | Collector device
NTOP              | Security monitoring
Stager            | Reporting for Flow-tools
Nfdump/nfsen      | Traffic analysis

Export versions supported vary by tool (V5, V9; some add IPv4/IPv6 aggregation, MPLS, SCTP); all run on UNIX-type systems (BSD, Linux, FreeBSD, Solaris).
Different costs: implementation and customization

Making Sense of Your Network Traffic – NetQoS products

NetFlow Uses

Network layer: Access – Distribution – Core – Distribution – Access

Applications
Access/Distribution (both edges of the network):
• Attack mitigation
• User (IP) monitoring
• Application monitoring
• Aggregation schemes (V8)
• "show ip cache flow" command
• Arbor Networks
Distribution/Core:
• Billing
• Chargeback
• AS peer monitoring
Core:
• Traffic engineering
• Traffic analysis

NetFlow Features
Edge (both sides):
• NetFlow MPLS egress accounting
• BGP next-hop (V9)
• Multicast NetFlow (V9)
Core:
• MPLS-aware NetFlow (V9)
• BGP next-hop (V9)
• Sampled NetFlow

NetFlow Case Studies

Cisco IT Challenge: No Application Flow Information

• Cisco Systems® relied almost exclusively on Simple Network Management Protocol (SNMP) to monitor Internet bandwidth
• Although SNMP facilitates capacity planning, it does little to characterize traffic applications, essential for understanding how well the network supports the business
• Cisco® needed a more granular understanding of how Cisco bandwidth was being used
• Port flow was monitored, but many newer applications dynamically select new ports for each use

Cisco IT Case Study Results

Security Monitoring for Internet Gateways
• Cisco IT detects worms and DDoS attacks with NetFlow

Detection of Unauthorized WAN Traffic
• Cisco® has avoided costly upgrades by identifying the applications causing congestion and, if appropriate, changing the usage policy

Reduction in Peak WAN Traffic
• Cisco IT uses NetFlow statistics to measure WAN traffic improvement from application-policy changes

Case studies: http://wwwin.cisco.com/ios/tech/mgmt/netflow/press/
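What "detects worms and DDoS attacks with NetFlow" looks like in practice, as an added example that is not part of the original deck and not Cisco IT's tooling: two checks over expired flow records, one for scan fan-out (one source, single-packet flows to many destinations on one port, the SQL Slammer pattern the deck's case-study table mentions) and one for flood fan-in (many sources, single-packet TCP flows to one destination, like the one-packet flows to 192.168.1.1 port 7 in the show ip cache flow output later in the deck). The flow table is constructed; the thresholds are assumptions to tune per site.

```python
"""Simple flow-based anomaly checks of the kind NetFlow enables: worm/scan fan-out
and flood fan-in. Added example with constructed flows, not Cisco IT's tooling."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple
import random

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Flow:
    """One expired flow record (the fields 'show ip cache flow' prints)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    pkts: int
    octets: int
    tcp_flags: int = 0


def fanout_scanners(flows: List[Flow], min_dsts: int = 20) -> Dict[Tuple[str, int, int], int]:
    """Sources with single-packet flows to many distinct destinations on one (proto, port):
    the signature of a scanning worm such as SQL Slammer (one UDP/1434 datagram per target)."""
    dsts = defaultdict(set)
    for f in flows:
        if f.pkts == 1:
            dsts[(f.src, f.proto, f.dport)].add(f.dst)
    return {k: len(v) for k, v in dsts.items() if len(v) >= min_dsts}


def fanin_targets(flows: List[Flow], min_srcs: int = 50) -> Dict[Tuple[str, int], int]:
    """Destinations receiving single-packet TCP flows from many distinct sources:
    a flood (or its backscatter) rather than real sessions, which carry many packets."""
    srcs = defaultdict(set)
    for f in flows:
        if f.proto == TCP and f.pkts == 1:
            srcs[(f.dst, f.dport)].add(f.src)
    return {k: len(v) for k, v in srcs.items() if len(v) >= min_srcs}


def sample_flows() -> List[Flow]:
    """Constructed flow table: normal web sessions, one Slammer-like scanner,
    and a single-packet flood against 192.168.1.1 port 7 like the rows on the slide."""
    rng = random.Random(1)
    flows = []
    for i in range(30):  # ordinary web sessions: many packets per flow
        flows.append(Flow(f"10.1.2.{i + 1}", "192.168.1.10", 40000 + i, 80, TCP, 12, 9000, 0x1B))
    for _ in range(60):  # infected host: one 404-byte datagram to each random target
        target = ".".join(str(rng.randrange(1, 224)) for _ in range(4))
        flows.append(Flow("10.1.1.50", target, rng.randrange(1024, 65535), 1434, UDP, 1, 404))
    for i in range(200):  # flood: one packet from each of 200 sources to the echo port
        flows.append(Flow(f"172.16.{i // 256}.{i % 256}", "192.168.1.1", 1024 + i, 7, TCP, 1, 1440, 0x10))
    return flows
```

Both checks key on packets-per-flow, which is exactly what the v5 export and the cache carry; they need no payload. Sampled NetFlow dilutes single-packet flows, so thresholds must be scaled to the sampling rate, and the active timer bounds how long a flood runs before its first records reach the collector.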

Cisco IT Case Study Results (Cont.)

Validation of QoS Parameters
• By using Cisco NetFlow and NetQoS ReporterAnalyzer, IT is able to confirm that appropriate bandwidth has been allocated to each Class of Service (CoS) and that no CoS is over- or under-subscribed

Analysis of VPN Traffic and Teleworker Behavior
• Cisco IT can easily identify teleworker traffic because it all travels over identifiable tunnels; this type of traffic analysis facilitates capacity planning for Internet access, and understanding of home worker behavior

Case studies: http://wwwin.cisco.com/ios/tech/mgmt/netflow/press/

Cisco IOS NetFlow – Other Case Studies

Customer Challenge | Description | Problem Situation | NetFlow Resolution
Security | Detect SQL Slammer on a single day | Detrimental incapacity of servers | NetFlow day-zero anomaly detection
Traffic analysis | Bandwidth hog | Sluggish network performance; single user application monopolizing network | Cost savings of $7K in labor costs
Traffic analysis | Full circuit | Circuit 100% utilized | Quickly tracked problem and saved 300 hours = $34K in labor costs
Capacity planning | Slow network performance | More servers and bandwidth added; users still complained; rented RMON probes – didn't work | Cost savings of $126K in probe costs
Capacity planning | Poor network performance + low bandwidth | "We need more bandwidth" | Tracked point of slowdown + saved $36K per yr. in circuits

NetFlow Configuration

NetFlow Configuration Commands (Software Platforms)

Configure NetFlow per interface:
    ip route-cache flow

Export version, e.g. ip flow-export version 5:
    ip flow-export version <version> [origin-as | peer-as] [bgp-nexthop]

Collector address and UDP port, e.g. ip flow-export destination 10.0.0.1 6500:
    ip flow-export destination <address> <port>

Export source. Default is the interface that will best route to the collector; it is recommended to configure and use a loopback interface so the collector sees one stable source address per router:
    ip flow-export source <interface>

Sets the seconds an inactive flow will remain in the cache before expiration; 15 seconds is default:
    ip flow-cache timeout inactive <seconds>

Sets the minutes an active flow will remain in the cache before expiration; 30 minutes is default:
    ip flow-cache timeout active <minutes>

Sets the maximum number of flow entries in the cache. The default varies dependent on platform; normally 25% of the memory in the box is the maximum that can be allocated to the NetFlow cache:
    ip flow-cache entries <number>

Selects the v8 or v9 aggregation cache scheme:
    ip flow-aggregation cache <name of scheme>

NetFlow Commands

Shows NetFlow statistics:
    show ip cache [verbose] flow

Shows NetFlow statistics for the configured aggregation scheme:
    show ip cache flow aggregation <name of aggregation scheme>

Shows export statistics:
    show ip flow export

Clears NetFlow statistics:
    clear ip cache flow

Clears export statistics:
    clear ip flow stats

Show NetFlow Information: "show ip cache flow"

    router_A#sh ip cache flow
    IP packet size distribution (85435 total packets):            <- packet sizes
       1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
       .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

        512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
       .000 .000 .000 .000 1.00 .000 .000 .000 .000 .000 .000

    IP Flow Switching Cache, 278544 bytes
      2728 active, 1368 inactive, 85310 added                   <- # of active flows
      463824 ager polls, 0 flow alloc failures
      Active flows timeout in 30 minutes
      Inactive flows timeout in 15 seconds
      last clearing of statistics never
    Protocol    Total  Flows  Packets Bytes  Packets Active(Sec) Idle(Sec)   <- rates and duration
    --------    Flows   /Sec   /Flow   /Pkt   /Sec    /Flow      /Flow
    TCP-X           2    0.0       1   1440    0.0       0.0       9.5
    TCP-other   82580   11.2       1   1440   11.2       0.0      12.0
    Total:      82582   11.2       1   1440   11.2       0.0      12.0

    SrcIf  SrcIPaddress    DstIf  DstIPaddress    Pr SrcP DstP  Pkts        <- flow details
    Et0/0  132.122.25.60   Se0/0  192.168.1.1     06 9A66 0007     1
    Et0/0  139.57.220.28   Se0/0  192.168.1.1     06 7085 0007     1
    Et0/0  165.172.153.65  Se0/0  192.168.1.1     06 C246 0007     1

"show ip cache verbose flow"

    router_A#sh ip cache verbose flow
    IP packet size distribution (23597 total packets):
       1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
       .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

        512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
       .000 .000 .000 .000 1.00 .000 .000 .000 .000 .000 .000

    IP Flow Switching Cache, 278544 bytes
      1323 active, 2773 inactive, 23533 added
      151644 ager polls, 0 flow alloc failures
      Active flows timeout in 30 minutes
      Inactive flows timeout in 15 seconds
      last clearing of statistics never
    Protocol    Total  Flows  Packets Bytes  Packets Active(Sec) Idle(Sec)
    --------    Flows   /Sec   /Flow   /Pkt   /Sec    /Flow      /Flow
    TCP-other   22210    3.1       1   1440    3.1       0.0      12.9
    Total:      22210    3.1       1   1440    3.1       0.0      12.9

    SrcIf  SrcIPaddress     DstIf  DstIPaddress    Pr TOS Flgs Pkts    <- ToS byte, TCP flags
    Port Msk AS                     Port Msk AS     NextHop        B/Pk Active   <- source mask and ISP AS; destination information; flow rate and duration
    Et0/0  216.120.112.114  Se0/0  192.168.1.1     06 00  10      1
    5FA7 /0  0                      0007 /0  0      0.0.0.0        1440   0.0
    Et0/0  175.182.253.65   Se0/0  192.168.1.1     06 00  10      1

(Protocol, ports and flags are hexadecimal: Pr 06 = TCP, DstP 0007 = echo, Flgs 10 = ACK only.)

Cisco 6500 NDE Configuration, Cisco IOS Software

SP (hardware flows on the PFC):
    mls aging fast time 4 threshold 128
    mls aging normal 32
    mls flow ip interface-full
    mls nde sender version 5
    mls nde interface
*NetFlow enabled on all interfaces when configured

RP (software flows on the MSFC):
    ...
    interface POS9/14
     description to wellington via 3/3
     mtu 2048
     ip address 42.50.31.1 255.255.255.252
     ip pim sparse-dense-mode
     encapsulation ppp
     ip route-cache flow
    ...
    ip flow-export version 5 peer-as
    ip flow-export destination 10.1.1.209 9999

[Figure: RP and SP; input interface → H/W → output interface]

Use the "mls nde sender" command to set the NDE version on the SUP
Use "ip flow-export version" to set the NDE version on the RP

Configuring NetFlow, Cisco IOS on 7600/Catalyst 6500

    C6500(config)#mls netflow                         Enable NetFlow
    C6500(config)#mls flow ip ?                       Optionally set the flow mask
      destination                    destination flow keyword
      destination-source             destination-source flow keyword
      full                           full flow keyword
      interface-destination-source   interface-destination-source flow keyword
      interface-full                 interface full flow keyword
      source                         source only flow keyword
    C6500(config)#mls nde sender version ?            Set the NetFlow record version on the PFC
      5
      7
    C6500(config)#mls nde interface                   Populate the interface field in the NDE packet
    C6500(config)#mls aging normal 32                 Change the default aging timer
    C6500(config)#ip flow-export destination 10.66.231.10     Destination for PFC/MSFC exports
    C6500(config)#interface g1/1                      Software flows: interface capture
    C6500(config-if)#ip route-cache flow

NDE Configuration, Catalyst OS and Cisco IOS Software

CatOS (SP):
    set mls nde version 7
    set mls nde 10.1.1.209 9999
    set mls agingtime 32
    set mls agingtime fast 8 1
    set mls nde enable
*NetFlow enabled on all interfaces when configured

Cisco IOS MSFC (RP):
    interface POS8/0/0
     description to wellington via 1/0
     mtu 2048
     ip address 42.50.31.1 255.255.255.252
     ip pim sparse-dense-mode
     encapsulation ppp
     ip route-cache flow
    ...
    ip flow-export version 5 peer-as
    ip flow-export destination 10.1.1.209 9999

[Figure: RP and SP; input interface → H/W → output interface]

Monitoring NetFlow Table Usage, Cisco IOS on 7600/Catalyst 6500

Supervisor 720, 12.2S

    C6500#show mls netflow ip
    Displaying Netflow entries in Supervisor Earl
    DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f :AdjPtr  Pkts  Bytes  Age  LastSeen  Attributes
    ---------------------------------------------------------------------------------------------------------
    10.102.130.213  10.214.39.79    tcp :46258  :www      :0x0             7     3766   17   15:47:37  L3 - Dynamic
    10.230.215.148  10.155.22.221   tcp :51813  :45912    :0x0             25    21329  47   15:47:39  L3 - Dynamic
    10.97.36.200    10.17.64.177    tcp :65211  :www      :0x0             9     7664   17   15:47:38  L3 - Dynamic
    10.90.33.185    10.46.13.211    tcp :27077  :60425    :0x0             10    5734   17   15:47:38  L3 - Dynamic

    C6500#show process cpu
    CPU utilization for five seconds: 30%/8%; one minute: 18%; five minutes: 18%
     PID Runtime(ms)  Invoked   uSecs   5Sec   1Min   5Min TTY Process
       5      221200    20377   10855  0.00%  0.23%  0.18%   0 Check heaps
      27       61732   913263      67  0.24%  0.04%  0.05%   0 SCP Download Lis
      34     3025810 12285870     246  5.53%  5.51%  5.51%   0 slcp process
      73     8567144 24893527    3441 15.64%  6.83%  6.81%   0 NDE - IPV4

Monitoring NetFlow Table Usage, Cisco IOS on 7600/Catalyst 6500 (Cont.)

Supervisor 720, 12.2S

    sh mls netflow table-contention detailed
    Detailed Netflow CAM (TCAM and ICAM) Utilization
    ================================================
    TCAM Utilization            :   100%
    ICAM Utilization            :   5%
    Netflow TCAM count          :   262019
    Netflow ICAM count          :   3
    Netflow Creation Failures   :   12508225      <- failures to create flows
    Netflow CAM aliases         :   0

    C6500#show mls ip count
    Displaying Netflow entries in Supervisor Earl
    Number of shortcuts = 5539                      <- number of flows in the hardware cache

A full TCAM (100% utilization with a rising creation-failure count) means new flows are not being recorded at all; the aging-timer tuning later in the deck exists to keep this table from filling.

NetFlow Export Versions

NetFlow Versions

NetFlow Version | Comments
1 | Original
5 | Standard and most common
7 | Specific to Cisco Catalyst 6500 and 7600 Series Switches. Similar to Version 5, but does not include AS, interface, TCP flag and ToS information
8 | Choice of eleven aggregation schemes. Reduces resource usage
9 | Flexible, extensible export format to enable easier support of additional fields and technologies; coming out now: MPLS, Multicast, and BGP next hop

Version 5 – Flow Export Format

Fields and usage:
• Packet count, Byte count → usage
• Start sysUpTime, End sysUpTime → time of day
• Input ifIndex, Output ifIndex → port utilization
• Type of Service → QoS
• TCP flags, Protocol → application
• Source IP address, Destination IP address → from/to
• Source TCP/UDP port, Destination TCP/UDP port → application
• Next hop address, Source AS number, Dest. AS number, Source prefix mask, Dest. prefix mask → routing and peering

Version 5 used extensively today
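The Version 5 layout above as a working collector-side parser, added here as an example (not Cisco code): a 24-byte header followed by up to 30 fixed 48-byte records in the field order the slide lists. The sample datagram is constructed from the cache-example flow; the export is plain UDP with no authentication, so the parser rejects anything whose version, count or length do not agree, and a helper checks the flow sequence number for lost exports.

```python
"""Parse a NetFlow Version 5 export datagram (24-byte header + 48-byte records) and
check the things a collector must check before trusting it. Added example, not Cisco code."""
import socket
import struct
from typing import Dict, List

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
V5_MAX_RECORDS = 30                                    # 24 + 30*48 = 1464 bytes, fits a 1500-byte MTU


def parse_v5(datagram: bytes) -> Dict:
    """Return the header fields and a list of flow records, or raise ValueError.
    NetFlow runs over UDP with no authentication, so the collector validates
    version, record count and total length before using anything in the packet."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field {version})")
    if not 1 <= count <= V5_MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match record count")
    records: List[Dict] = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "srcaddr": socket.inet_ntoa(f[0]), "dstaddr": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "input": f[3], "output": f[4],
            "dPkts": f[5], "dOctets": f[6], "first": f[7], "last": f[8],
            "srcport": f[9], "dstport": f[10], "tcp_flags": f[12], "prot": f[13],
            "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18],
        })
    return {
        "sys_uptime": sys_uptime, "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_sequence, "engine_type": engine_type, "engine_id": engine_id,
        # top two bits are the sampling mode, the remaining 14 the interval
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
        "records": records,
    }


def lost_flows(expected_sequence: int, header_sequence: int) -> int:
    """v5 flow_sequence counts flows, not packets: the expected value for the next
    datagram is previous flow_sequence + previous count; any gap is lost flows."""
    return (header_sequence - expected_sequence) & 0xFFFFFFFF


def build_sample_datagram() -> bytes:
    """Constructed export of the UDP flow from the cache example (not a real capture)."""
    header = V5_HEADER.pack(5, 1, 1_800_000, 1_160_000_000, 0, 42, 0, 0, 0)
    record = V5_RECORD.pack(
        socket.inet_aton("173.100.21.2"), socket.inet_aton("10.0.227.12"),
        socket.inet_aton("10.0.23.2"), 1, 2,          # input/output ifIndex
        11000, 11000 * 528, 0, 1_800_000,             # dPkts, dOctets, First, Last (ms sysUpTime)
        162, 162, 0, 0x00, 17, 0x80,                  # ports, pad, TCP flags, protocol UDP, ToS
        5, 5, 24, 24, 0)                              # src/dst AS, src/dst mask, pad
    return header + record
```

First and Last are sysUpTime values in milliseconds, so a collector converts them to wall-clock time using the header's unix_secs/sys_uptime pair from the same datagram, not from an earlier one; a reboot resets sysUpTime and the sequence counter together.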

Version 7
• Version 5 should be used if supported on the supervisor and IOS release
• Catalyst 6500 Series Switches with Sup1 use Version 7 in hybrid mode
• Uses Multi-Layer Switching (MLS) or CEF with Cisco Catalyst 6500 Series Switches with SUP2

Version 7 – Flow Format

Fields and usage:
• Packet count, Byte count → usage
• Start sysUpTime, End sysUpTime → time of day
• Input ifIndex, Output ifIndex → port utilization
• Type of Service → QoS
• TCP flags, Protocol → application
• Source IP address, Destination IP address → from/to
• Source TCP/UDP port, Destination TCP/UDP port → application
• Next hop address, Source AS number, Dest. AS number, Source subnet mask, Dest. subnet mask → routing and peering
• RouterSc (router shortcut)*

Note: the ToS and TCP flags fields are not populated
* Additional field not in Version 5

Version 8
• Router-based aggregation
• Enables the router to summarize NetFlow data
• Reduces NetFlow export data volume
• Decreases NetFlow export bandwidth requirements
• Currently 11 aggregation schemes
  – Five original schemes
  – Six new schemes with the ToS byte field
• Several aggregations can be enabled simultaneously

Note: Version 9 can be used for router-based aggregation and is recommended if the collector supports 9

Version 8 – Flow Format (original schemes)

Every scheme carries First Timestamp, Last Timestamp, # of Flows, # of Packets, # of Bytes, plus its key fields:
• AS: Source AS, Destination AS, Input Interface, Output Interface
• Protocol-Port: Source App Port, Destination App Port, IP Protocol
• Source-Prefix: Source Prefix, Source Prefix Mask, Source AS, Input Interface
• Destination-Prefix: Destination Prefix, Destination Prefix Mask, Destination AS, Output Interface
• Prefix: Source Prefix, Source Prefix Mask, Destination Prefix, Destination Prefix Mask, Source AS, Destination AS, Input Interface, Output Interface

Version 8 – Flow Format (ToS schemes)

Same key fields as the scheme of the same name, plus the TOS byte:
• AS-TOS
• Protocol-Port-TOS
• Source-Prefix-TOS
• Destination-Prefix-TOS
• Prefix-TOS
• Prefix-Port: Source Prefix, Source Prefix Mask, Destination Prefix, Destination Prefix Mask, Source App Port, Destination App Port, Input Interface, Output Interface, IP Protocol, TOS

Version 8 – Configuration

    3600-1(config)#ip flow-aggregation cache ?
      as                      AS aggregation
      as-tos                  AS-TOS aggregation
      destination-prefix      Destination Prefix aggregation
      destination-prefix-tos  Destination Prefix TOS aggregation
      prefix                  Prefix aggregation
      prefix-port             Prefix-port aggregation
      prefix-tos              Prefix-TOS aggregation
      protocol-port           Protocol and port aggregation
      protocol-port-tos       Protocol, port and TOS aggregation
      source-prefix           Source Prefix aggregation
      source-prefix-tos       Source Prefix TOS aggregation

Note: do not export Version 5 at the same time ("ip flow-export version 5")

Extensibility and Flexibility Requirements: Phased Approach

New requirements: build a flexible and extensible NetFlow

Phase 1: NetFlow version 9, completed
• Advantages: extensibility (exporting process)
• Integrate new technologies/data types quicker (MPLS, IPv6, BGP next hop, etc.)
• Integrate new aggregations quicker
• Note: for now, the template definitions are fixed

Phase 2: Flexible NetFlow, completed
• Advantages: cache and export content flexibility (metering process)
• User selection of flow keys
• User definition of the records

NetFlow Version 9
• RFC3954: "Cisco Systems® NetFlow Services Export Version 9"
• Version 9 is an export protocol; no changes to the metering process
• Version 9 is based on templates and separate flow records
  – Templates composed of type and length
  – Flow records composed of template ID and values
  – The template is sent regularly (configurable), because of UDP

Releases
• 12.0(24)S for the Cisco 7200, 7500 and 12000
• 12.3(1) for the Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200 Series
• 12.2(18)S for the Cisco 7200, 7301 and 7500 Series
• 12.2(18)SXF – Catalyst 6500/7600 Series (IPv4 aggregation & Multicast)
• 12.2(31)SB – Cisco 7304 and 10000 Series Routers
• 12.2(33)SXH – Cisco 6500 Series (IPv6 aggregation)
• 12.2(33)SRB – Cisco 7600 Series (IPv6 aggregation)
• IOS®-XR 3.2 – CRS-1, XR 12000

NetFlow Version 9 Export Packet

[Figure: an export packet carrying Template 1 and Template 2]
• HEADER
• Template FlowSet
  – Template Record, Template ID #1 (specific field types and lengths)
  – Template Record, Template ID #2 (specific field types and lengths)
• Data FlowSet, FlowSet ID #1
  – Data Record (field values)
  – Data Record (field values)
• Data FlowSet, FlowSet ID #2
  – Data Record (field values)

A data FlowSet's ID equals the ID of the template that describes its records.

NetFlow Version 9 Export Packet (options)

Options Template FlowSet: specifies the scope (cache, system, template, etc.)

[Figure: an export packet carrying Template 3]
• HEADER
• Options Template FlowSet
  – Option Template Record, Template ID #3 (specific scope, field types and lengths)
• Data FlowSet, FlowSet ID #3
  – Option Data Record (field values)
  – Option Data Record (field values)

Interface Name Export with NetFlow Version 9

• NetFlow has been exporting the ifIndex
• New: instead of the collector polling the ifName MIB variable for a specific ifIndex, the matching (ifIndex, ifName) pair is sent in an option data record
• Introduced in 12.4(4)T

    Router(config)# ip flow-export interface-names

NetFlow Version 9 Main Cache Configuration

    router(config)# ip flow-export version [5|9] [origin-as|peer-as] [bgp-nexthop]
    router(config)# ip flow-export template options export-stats
    router(config)# ip flow-export template options timeout-rate 5
    router(config)# ip flow-export template options refresh-rate 60
    router(config)# ip flow-export template timeout-rate 5
    router(config)# ip flow-export template refresh-rate 20
    router(config)# ip flow-export destination 10.10.10.10 9996

(Options) templates sent every 5 minutes or 20 packets, whichever comes first

Should you export from the main cache with NetFlow Version 5 or Version 9?

NetFlow Version 9 Aggregation Cache Configuration

    Router(config)# ip flow-aggregation cache bgp-nexthop-tos
    Router(config-flow-cache)# export destination 11.11.11.11 9999
    Router(config-flow-cache)# export ?
      destination  Specify the destination IP address
      version      Configure aggregation cache export version
    Router(config-flow-cache)# export version ?
      9  Version 9 export format
    Router(config-flow-cache)# export version 9
    Router(config-flow-cache)# enabled

Version 8 is sometimes available; in this case we have only Version 9. Why?

NetFlow Template Record Details: Template for the BGP Next Hop ToS Aggregation

Type and field length definition allows the collector to know what data will be sent

    New data template from 10.49.157.204: id=257, fields=11
      field id=21 (LAST_SWITCHED),  offset=0,  len=4
      field id=22 (FIRST_SWITCHED), offset=4,  len=4
      field id=1  (BYTES_32),       offset=8,  len=4
      field id=2  (PKTS_32),        offset=12, len=4
      field id=10 (INPUT_SNMP),     offset=16, len=2
      field id=14 (OUTPUT_SNMP),    offset=18, len=2
      field id=5  (TOS),            offset=20, len=1
      field id=3  (FLOWS),          offset=21, len=4
      field id=17 (DST_AS),         offset=25, len=2
      field id=18 (BGP_NEXT_HOP),   offset=27, len=4
      field id=16 (SRC_AS),         offset=31, len=2

Each data record for this template is therefore 33 bytes long.
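The template mechanism of the two preceding slides (Template FlowSet, Data FlowSet identified by template ID, records decoded from the type/length list) as a working decoder, added here as an example that is not part of the original deck and not Cisco code. It uses exactly the 11-field template 257 printed above, keeps templates per exporter source ID, and shows the consequence of templates travelling in-band over UDP: a data FlowSet that arrives before its template cannot be decoded and has to be dropped until the periodic template refresh arrives. The datagrams and field values are constructed.

```python
"""Decode NetFlow Version 9 export datagrams: templates first, then data records
described by them. Added example using the template on the slide (id 257); not Cisco code."""
import struct
from typing import Dict, List, Tuple

V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUpTime, unixSecs, sequence, sourceId
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 3: "FLOWS", 5: "SRC_TOS", 10: "INPUT_SNMP",
               14: "OUTPUT_SNMP", 16: "SRC_AS", 17: "DST_AS", 18: "BGP_IPV4_NEXT_HOP",
               21: "LAST_SWITCHED", 22: "FIRST_SWITCHED"}
IPV4_FIELDS = {8, 12, 15, 18}  # fields rendered as dotted quads (src, dst, next hop, BGP next hop)


class V9Decoder:
    def __init__(self) -> None:
        # Templates are scoped per exporter source ID; two routers may both use id 257.
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}
        self.dropped_without_template = 0

    def feed(self, datagram: bytes) -> List[Dict]:
        version, count, uptime, unix_secs, sequence, source_id = V9_HEADER.unpack_from(datagram, 0)
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        records: List[Dict] = []
        off = V9_HEADER.size
        while off + 4 <= len(datagram):
            fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
            if fs_len < 4 or off + fs_len > len(datagram):
                raise ValueError("FlowSet length exceeds datagram")
            body = datagram[off + 4: off + fs_len]
            if fs_id == 0:
                self._templates(source_id, body)
            elif fs_id >= 256:            # data FlowSet: its id is the template id
                records.extend(self._data(source_id, fs_id, body))
            # fs_id == 1 (options templates) and 2..255 (reserved) are skipped here
            off += fs_len
        return records

    def _templates(self, source_id: int, body: bytes) -> None:
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, off)
            off += 4
            fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _data(self, source_id: int, tid: int, body: bytes) -> List[Dict]:
        fields = self.templates.get((source_id, tid))
        if fields is None:
            # Templates travel in-band over UDP: data seen before its template is undecodable.
            self.dropped_without_template += 1
            return []
        rec_len = sum(length for _, length in fields)
        out: List[Dict] = []
        off = 0
        while rec_len and off + rec_len <= len(body):   # bytes left over (< rec_len) are padding
            rec: Dict = {}
            for ftype, flen in fields:
                raw = body[off: off + flen]
                off += flen
                name = FIELD_NAMES.get(ftype, f"type_{ftype}")
                rec[name] = ".".join(map(str, raw)) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big")
            out.append(rec)
        return out


# Template 257 exactly as the slide prints it: 11 fields, 33 bytes per record.
TEMPLATE_257 = [(21, 4), (22, 4), (1, 4), (2, 4), (10, 2), (14, 2),
                (5, 1), (3, 4), (17, 2), (18, 4), (16, 2)]
SAMPLE_RECORD = struct.pack("!IIIIHHBIH4sH", 1_800_000, 0, 5_808_000, 11_000,
                            1, 2, 0x80, 1, 5, bytes([10, 0, 23, 2]), 5)   # constructed values


def _header(count: int, sequence: int) -> bytes:
    return V9_HEADER.pack(9, count, 1_800_000, 1_160_000_000, sequence, 0)


def _template_flowset(tid: int, fields: List[Tuple[int, int]]) -> bytes:
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def _data_flowset(tid: int, payload: bytes) -> bytes:
    pad = -(4 + len(payload)) % 4                     # FlowSets are padded to 32-bit boundaries
    return struct.pack("!HH", tid, 4 + len(payload) + pad) + payload + b"\x00" * pad


def demo() -> Tuple[int, List[Dict]]:
    dec = V9Decoder()
    early = _header(1, 1) + _data_flowset(257, SAMPLE_RECORD)        # data before its template
    dec.feed(early)                                                   # nothing decodable yet
    later = _header(3, 2) + _template_flowset(257, TEMPLATE_257) + _data_flowset(257, SAMPLE_RECORD * 2)
    records = dec.feed(later)
    return dec.dropped_without_template, records
```

Because a data FlowSet is parsed purely by the lengths in its template, a collector should also bound what it accepts: a template claiming thousands of fields or a FlowSet length larger than the datagram are the two checks above, and a production decoder additionally ages out templates that stop being refreshed so a restarted exporter reusing an ID with a different layout is not mis-decoded.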

NetFlow Version 9 Partner Support

Partners: Cisco NetFlow Collector, Arbor Networks, Lancope, Infovista, NetQoS, FlowMon, Fluke Networks, IPFlow, Evident Software, Concord, HP and Micromuse using Cisco Collector

IETF: IP Flow Information Export WG (IPFIX)

• RFC3954: "Cisco Systems NetFlow Services Export Version 9"
• NetFlow patent: intellectual property rights statement on the IETF website
• IPFIX is an effort to define the notion of a "standard IP flow", along with data encoding for IP flows
  http://www.ietf.org/html.charters/ipfix-charter.html
• RFC3917 "Requirements for IP Flow Information Export": gathers all IPFIX requirements for the IPFIX evaluation process
• RFC3955 "Evaluation of Candidate Protocols for IPFIX"

IETF: IP Flow Information Export WG (IPFIX)

IPFIX protocol specifications
• Changed in terminology but same principles as NetFlow version 9
• Improvements versus NetFlow version 9: SCTP-PR, security, variable-length information elements, IANA registration, etc.
• Generic streaming protocol, not flow-centric anymore
• Security: threats are to confidentiality, integrity and authorization; solution: DTLS over PR-SCTP

IPFIX information model
• Most NetFlow version 9 information element IDs are kept
• Proprietary information element specification

IETF: IPFIX Status

• All IPFIX drafts transmitted to the IESG (Internet Engineering Steering Group)
  – IPFIX Protocol draft in the RFC Editor queue
  – IPFIX Architecture draft: one more correction and then the RFC Editor queue
  – IPFIX Information Model: some comments from the IESG
• IPFIX prototype done during interop

IETF: Packet Sampling WG (PSAMP)

• PSAMP is an effort to specify a set of selection operations by which packets are sampled, and describe protocols by which information on sampled packets is reported to applications
• Sampling and filtering techniques for IP packet selection: to be compliant with PSAMP, at least one of the mechanisms must be implemented; sampled NetFlow and NetFlow input filters are already implemented
• PSAMP protocol specifications: agreed to use IPFIX as the export protocol
• Information model for packet sampling export: extension of the IPFIX information model

NetFlow Cache Aging Timers

Flow Timers and Expiration

[Figure: timeline of three flows and their exports]
• 1st & 3rd flows – Src 10.1.1.1, Dst 20.2.2.2, Prot 6, Src & Dst port 15, InIF FE0/0, ToS 128
• 2nd flow – Src 10.1.1.1, Dst 20.2.2.2, Prot 6, Src & Dst port 15, InIF FE0/0, ToS 192 (same addresses and ports, but a different ToS makes it a separate flow)
• Router boots (sysUpTime timer begins) → 1st flow start (sysUpTime) → 2nd flow start (sysUpTime) → 1st flow end (sysUpTime) → 15 seconds inactive → 1st flow expires (sysUpTime) → export → 3rd flow start (sysUpTime) → 2nd flow end (sysUpTime) → 15 seconds inactive → 2nd flow expires (sysUpTime) → export
• UDP export packet containing 30–50 flows (sysUpTime & UTC)

• SysUpTime – current time in milliseconds since the router booted
• Coordinated Universal Time (UTC) can be synchronized to Network Time Protocol (NTP)

Active/Inactive Timers

• Inactive time – the flow expires once no packets are seen for this time duration
• Active time – if packets continue to be received on this flow beyond this active time setting, then the flow will expire and be exported while a new flow is created. For security monitoring this timer may be set to the minimum value of one minute
• Default values on software-based and 10K, 12K routers:
  – Inactive timer: 15 seconds (minimum 1 second)
  – Active timer: 30 minutes (minimum 1 minute)

Cisco Catalyst 6500 Series Switch Aging Timers

- Normal aging (equivalent to the inactive timer): the amount of time the system has not seen another packet for a particular flow before the flow is exported; the default is 256 seconds (32-4092 seconds)
- Long aging (equivalent to the active timer): the maximum time a flow can exist in the NetFlow table before it is exported; long-lived flows with constant traffic fall into this category, for example an ftp going for many hours. The default value is 32 minutes (64-1920 seconds). For security monitoring this timer may be set to the minimum value of 64 seconds

Cisco Catalyst 6500 Series Switch Aging Timers (Cont.)

- Fast aging (Cisco Catalyst 6500 Series Switch specific): used to age out short-lived flows in the NetFlow table. It takes two parameters, a number of packets and a time interval: if fewer than N packets are seen for a flow in the X time interval, the flow is exported

Cisco Catalyst 6500 Series Switch Aging Timers (Cont.)

Within a high-flow environment the timers may need to be changed.

- Normal aging: reduce the normal aging timer until no misses are seen, until you hit the minimum value for normal aging, or until the CPU utilization is near your threshold. If you still see misses at the minimum normal aging time, enable Fast Aging
- Recommendation: change the normal aging time to 32 seconds
- If there are flow drops with normal aging set to a low value then fast aging is needed. For the fast aging time start with 32 seconds and 10 packets

Cisco Catalyst 6500 Series Switch Aging Timers (Cont.)

- Fast Aging: enable Fast Aging, starting with time=32, packets=10. Reduce the time until misses cease, or until time=4 is reached. If you reach time=4 and still see misses, try increasing the packet count
- Stop adjusting the aging timers when the CPU level gets above what is comfortable; this is very subjective, for some customers it is 20%, for others it is 80%
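The expiry rules of the preceding slides (inactive timer, active timer, Catalyst fast aging), as an added example that is not part of the presentation: a small Python flow cache applies the three rules to constructed traffic and records why each entry was exported. The timer values (15 s inactive, the 1 minute active minimum recommended for security monitoring, and a fast-aging setting of 5 packets in 32 s chosen so the toy traffic exercises it) and the flows A, B and C are assumptions.

```python
from dataclasses import dataclass

# Added example (not Cisco code): a toy NetFlow cache that applies the
# three expiry rules described on the slides. Flow keys, sizes and timer
# values below are constructed.


@dataclass
class FlowEntry:
    first_seen: float   # sysUpTime-style timestamp of the first packet
    last_seen: float    # timestamp of the most recent packet
    packets: int = 0
    bytes: int = 0


class FlowCache:
    def __init__(self, inactive_timeout=15.0, active_timeout=1800.0, fast_aging=None):
        # inactive_timeout: IOS default 15 s (Catalyst "normal aging" default 256 s)
        # active_timeout:   IOS default 30 min (Catalyst "long aging" default 32 min)
        # fast_aging:       optional (packets, seconds), Catalyst-only early export
        #                   of flows that stay below `packets` for `seconds`
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.fast_aging = fast_aging
        self.cache = {}
        self.exported = []      # (key, packets, bytes, reason) in export order

    def sweep(self, now):
        """Expire entries; the cache ager runs this before each lookup."""
        for key, e in list(self.cache.items()):
            reason = None
            if now - e.last_seen >= self.inactive_timeout:
                reason = "inactive"
            elif now - e.first_seen >= self.active_timeout:
                reason = "active"
            elif (self.fast_aging is not None
                  and e.packets < self.fast_aging[0]
                  and now - e.first_seen >= self.fast_aging[1]):
                reason = "fast"
            if reason is not None:
                self.exported.append((key, e.packets, e.bytes, reason))
                del self.cache[key]

    def packet(self, now, key, size):
        self.sweep(now)
        entry = self.cache.get(key)
        if entry is None:
            # A flow that has just been active-expired is re-created here,
            # which is the "new flow is created" behaviour the slide describes.
            entry = self.cache[key] = FlowEntry(first_seen=now, last_seen=now)
        entry.last_seen = now
        entry.packets += 1
        entry.bytes += size


def run_scenario():
    """Constructed traffic: A is a steady 5 s stream, B a single packet,
    C a slow trickle of one packet every 10 s. Returns the export log."""
    cache = FlowCache(inactive_timeout=15, active_timeout=60, fast_aging=(5, 32))
    events = []
    events += [(t, "A", 1000) for t in range(0, 101, 5)]   # 21 packets, outlives the active timer
    events += [(3, "B", 40)]                               # one 40-byte packet (SYN-flood-like)
    events += [(t, "C", 60) for t in range(10, 51, 10)]    # never idle 15 s, but only 4 pkts in 32 s
    events.sort(key=lambda ev: (ev[0], ev[1]))
    for now, key, size in events:
        cache.packet(now, key, size)
    cache.sweep(200)   # final ager pass long after the traffic stopped
    return cache.exported
```

Running `run_scenario()` yields five exports: B by the inactive timer, the first C entry by fast aging (4 packets in 35 s), the first A entry by the active timer after 12 packets (a second A entry is created at once), the re-created C entry by the inactive timer, and the remaining A entry at the final sweep. Lowering the active timer to one minute, as the slide recommends for security monitoring, is what makes a long-running flow visible to the collector in pieces instead of only after 30 minutes.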

NetFlow Security

How to Identify a Security Attack?

- Sudden increase in overall traffic in the network
- Higher CPU and memory utilization of network devices
- Unexpectedly large amount of traffic generated by individual hosts
- Increased number of NetFlow flows generated

How to Identify a Security Attack? (Cont.)

- Multiple NetFlow records with abnormal content, like one packet per flow record (i.e. TCP SYN flood)
- A changed mix of traffic applications, i.e. a sudden increase of "unknown" applications
- An increase of certain traffic types and messages, i.e. TCP resets or ICMP messages
- An increasing number of ACL violations

What Does a DoS Attack Look Like?

Router# show ip cache flow
SrcIf  SrcIPaddress  SrcP  SrcAS  DstIf  DstIPaddress  DstP  DstAS  Pr  Pkts  B/Pk
29     192.1.6.69    77    aaa    49     194.20.2.2    1308  bbb    6   1     40
29     192.1.6.222   1243  aaa    49     194.20.2.2    1774  bbb    6   1     40
29     192.1.6.108   1076  aaa    49     194.20.2.2    1869  bbb    6   1     40
29     192.1.6.159   903   aaa    49     194.20.2.2    1050  bbb    6   1     40
29     192.1.6.54    730   aaa    49     194.20.2.2    2018  bbb    6   1     40
29     192.1.6.136   559   aaa    49     194.20.2.2    1821  bbb    6   1     40
29     192.1.6.216   383   aaa    49     194.20.2.2    1516  bbb    6   1     40
29     192.1.6.111   45    aaa    49     194.20.2.2    1894  bbb    6   1     40
29     192.1.6.29    1209  aaa    49     194.20.2.2    1600  bbb    6   1     40

Typical DoS attacks have the same (or similar) entries for:
- Input interface (SrcIf)
- Destination IP address (DstIPaddress)
- Packets per flow (Pkts)
- Bytes per packet (B/Pk)

Tracing DoS Attack with NetFlow (Cont.)

1. To show high-rate flows:
   router# show ip cache flow | include (K|M)

2. To show all flows to one destination, leverage:
   router# sh ip cache [verbose] flow | include <destination>

   router# sh ip cache flow | include 194.20.2.2
   SrcIf  SrcIPaddress  SrcP  SrcAS  DstIf  DstIPaddress  DstP  DstAS  Pr  Pkts  B/Pk
   29     192.1.6.69    77    aaa    49     194.20.2.2    1308  bbb    6   1     40
   29     192.1.6.222   1243  aaa    49     194.20.2.2    1774  bbb    6   1     40
   29     192.1.6.108   1076  aaa    49     194.20.2.2    1869  bbb    6   1     40
   29     192.1.6.159   903   aaa    49     194.20.2.2    1050  bbb    6   1     40
   ...

3. To look for known attack signatures, i.e. if we know of an attack using UDP port 666 (hex 029A) we run:
   router# show ip cache flow | include 029A

Tracing DoS Attack with NetFlow (Cont.)

- Enable NetFlow on the relevant routers/switches
- Start on the router next to the victim:

  router# show ip cache flow | include <destination>
  Se1   <source>   Et0   <destination>   ...
  ... (lots more flows to the same destination)

- The flows come from Serial 1:

  Router# show ip cef s1
  Prefix           Next Hop      Interface
  0.0.0.0/0        10.10.10.2    Serial1
  10.10.10.0/30    attached      Serial1

- Find the upstream router on Serial 1
- Continue on this router
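The three tracing steps above (spotting the one-packet, same-size flows to a single destination, the `| include (K|M)` filter for high-rate flows, and the search for a known port in hex), as an added example that is not part of the presentation: a Python parser for `show ip cache flow` lines laid out as on the slides, followed by the three checks run over a constructed cache snapshot. The sample lines, addresses and the thresholds (five one-packet flows, 1000 packets) are assumptions.

```python
from collections import defaultdict

# Added example (not Cisco code). Constructed `show ip cache flow` snapshot in
# the column layout used on the slides (Pkts uses the IOS K/M abbreviations).
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts  B/Pk
Et0/0         192.0.2.10      Et0/1         198.51.100.5    06 0D3C 0050   122   640
Et0/0         192.0.2.11      Et0/1         198.51.100.5    06 0E11 0050    87   912
Se1/0         203.0.113.60    Et0/1         198.51.100.7    06 004D 051C     1    40
Se1/0         203.0.113.222   Et0/1         198.51.100.7    06 04DB 06EE     1    40
Se1/0         203.0.113.108   Et0/1         198.51.100.7    06 0434 074D     1    40
Se1/0         203.0.113.159   Et0/1         198.51.100.7    06 0387 041A     1    40
Se1/0         203.0.113.54    Et0/1         198.51.100.7    06 02DA 07E2     1    40
Et0/0         192.0.2.12      Et0/1         198.51.100.9    11 C3A1 029A   35K    40
Et0/0         192.0.2.13      Et0/1         198.51.100.5    11 0035 0035     4   120
"""


def parse_count(token):
    """IOS prints large packet counts as 35K / 2M / 1G."""
    mult = {"K": 1000, "M": 1_000_000, "G": 1_000_000_000}
    if token[-1] in mult:
        return int(token[:-1]) * mult[token[-1]]
    return int(token)


def parse_cache(text):
    """Turn the cache listing into dicts; Pr, SrcP and DstP are hex in the output."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 9 or fields[0] == "SrcIf":
            continue                       # header or blank line
        flows.append({
            "SrcIf": fields[0], "SrcIP": fields[1], "DstIf": fields[2], "DstIP": fields[3],
            "Pr": int(fields[4], 16), "SrcP": fields[5].upper(), "DstP": fields[6].upper(),
            "Pkts": parse_count(fields[7]), "BPk": int(fields[8]),
        })
    return flows


def dos_candidates(flows, min_flows=5):
    """Destinations receiving many one-packet flows of identical size from one input interface,
    the signature the slide lists: same SrcIf, same destination, same Pkts, same B/Pk."""
    by_dst = defaultdict(list)
    for f in flows:
        if f["Pkts"] == 1:
            by_dst[f["DstIP"]].append(f)
    result = {}
    for dst, group in by_dst.items():
        sizes = {f["BPk"] for f in group}
        ifaces = {f["SrcIf"] for f in group}
        if len(group) >= min_flows and len(sizes) == 1 and len(ifaces) == 1:
            result[dst] = {"flows": len(group), "src_if": ifaces.pop(),
                           "bytes_per_pkt": sizes.pop(),
                           "sources": sorted(f["SrcIP"] for f in group)}
    return result


def high_rate_flows(flows, threshold=1000):
    """Equivalent of `| include (K|M)`: counts IOS abbreviates are 1000 and above."""
    return [f for f in flows if f["Pkts"] >= threshold]


def flows_on_port(flows, hex_port):
    """Equivalent of `| include 029A`, restricted to the two port columns."""
    hex_port = hex_port.upper()
    return [f for f in flows if hex_port in (f["SrcP"], f["DstP"])]
```

On the sample, `dos_candidates` singles out 198.51.100.7 (five one-packet, 40-byte TCP flows arriving on Se1/0, the interface to trace upstream on), `high_rate_flows` returns the 35K-packet UDP flow, and `flows_on_port(flows, "029a")` finds that same flow because its DstP is 0x029A (port 666). Restricting the port match to the SrcP/DstP columns avoids the false hits a plain `| include 029A` can produce on addresses or counters.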

CS-MARS Networks Tracing Attack

DoS Attack Example: Arbor Networks

Configure NetFlow export to the Arbor DoS Collector(s)

[Diagram: Service Provider A, Service Provider B and Service Provider C feeding the network; IDS, Firewall and Customer Web server on the protected side]

1. Profile: baseline traffic patterns in the network
2. Monitor: analyze traffic for anomalies
3. Detect: forward anomaly fingerprints to controllers
4. Trace: trace the attack to its source
5. Filter: recommends filters

NetFlow L2 and Security Monitoring (New)

Targeted for security: to help identify network attacks and their origin

- Layer 2 IP header fields
  - Source MAC address field from frames that are received by the NetFlow router
  - Destination MAC address field from frames that are transmitted by the NetFlow router
  - Received VLAN ID field (802.1q and Cisco's ISL)
  - Transmitted VLAN ID field (802.1q and Cisco's ISL)
- Extra layer 3 IP header fields
  - Time-to-live field
  - Identification field
  - Packet length field
  - ICMP type and code
  - Fragment offset

NetFlow Layer 2 and Security Exports

Cisco IOS 12.3(14)T - Cisco 800, 1700, 1800, 2600, 2800, 3600, 3700, 3800, 7200 and 7500 Series
- Source MAC address field from frames that are received by the NetFlow router
- Destination MAC address field from frames that are transmitted by the NetFlow router
- Received VLAN ID field (802.1q and Cisco's ISL)
- Transmitted VLAN ID field (802.1q and Cisco's ISL)
- Minimum/maximum packet length in the flow
- Minimum/maximum TTL of packets in the flow
- ICMP type and code
- IP identification field

Cisco IOS 12.4(2)T - Cisco 800, 1800, 2800, 3800 and 7200 Series
- IfIndex to interface name mapping
- Fragment-offset information

NetFlow L2 and Security Monitoring: L3 Packet Format

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

NetFlow L2 and Security Monitoring: Current NetFlow L3 Fields

[Same IPv4 header diagram as on the previous slide, marking the header fields that current NetFlow already collects]

NetFlow L2 and Security Monitoring: Extra NetFlow L3 Fields

[Same IPv4 header diagram, annotated with the extra fields and what they reveal:]
- Total Length: attacks that use a consistent packet size, or worms that use a consistent packet size
- Identification: very large packets, or attacks that might always have the same generated identification
- Fragment Offset: the same packet issued over several flows with the same offset, sent from the same origin to the same destination address

NetFlow L2 and Security Monitoring

Router(config)# ip flow-capture icmp
Router(config)# ip flow-capture ip-id
Router(config)# ip flow-capture mac-addresses
Router(config)# ip flow-capture packet-length
Router(config)# ip flow-capture ttl
Router(config)# ip flow-capture vlan-id
Router(config)# ip flow-capture fragment-offset

- Not flow keys: the value of the first packet of the flow is recorded
  - Exception for the packet length: min/max
  - Exception for the TTL: min/max
  - Fragment-offset: the first fragmented packet
- Completes the main cache, not the aggregation caches
  - Info lost if an aggregation cache is used
- Currently not available with the MIB

NetFlow L2 and Security Monitoring

Router# show ip cache verbose flow
...
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Et0/0.1        10.251.138.218  Et1/0.1        172.16.10.2     06 80  00      65
0015 /0  0                     0015 /0  0     0.0.0.0               840   10.8
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:  840          Max plen:   840
Min TTL:    59          Max TTL:     59
IP id:       0

One flow entry

NetFlow and ICMP Information

ICMP is the protocol identifier (Pr 01)

Router# show ip cache flow
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa1/0         144.254.12.209  Local         172.17.246.9    01 0000 0800     4

- The destination port number reported = (ICMP type * 256) + (ICMP code)
  ICMP type = 8, ICMP code = 0: Port = 8 * 256 + 0 = 2048 = 800 hexa
- Only for the routers

NetFlow L2 and Security Monitoring

Router# show ip cache verbose flow
...
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Et0/0.1        10.251.138.218  Et1/0.1        172.16.10.2     01 80  00      65
0015 /0  0                     0015 /0  0     0.0.0.0               840   10.8
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:  840          Max plen:   840
Min TTL:    59          Max TTL:     59
ICMP type:   0          ICMP code:    0
IP id:       0

ICMP type 0, ICMP code 0: Echo Reply

NetFlow L2 and Security Monitoring: ICMP Type and Code

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

- Echo reply
- Destination unreachable
  1. Host unreachable
  2. Protocol unreachable
  3. Port unreachable
  4. Fragmentation needed and DF bit set
  5. Source route failed
  6. Destination network unknown
  7. Destination host unknown
  8. Source host isolated
  9. Communication with destination network is administratively prohibited
  10. Communication with destination host is administratively prohibited
  11. Destination network unreachable for TOS
  12. Destination host unreachable for TOS
- Source quench
- Redirect
- Time exceeded
- Parameter problem
- etc.
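The port encoding from the "NetFlow and ICMP Information" slide and the type/code table above, as an added example that is not part of the presentation: Python helpers that convert between the DstP value NetFlow reports for an ICMP flow and the (type, code) pair, label it using the slide's table, and count ICMP flows per type/code from parsed cache rows. The type numbers for source quench, redirect, time exceeded and parameter problem (4, 5, 11, 12), type 8 echo request and destination-unreachable code 0 are standard RFC 792 values that the slide does not spell out; the sample rows are constructed.

```python
# Added example (not Cisco code): ICMP type/code <-> NetFlow DstP conversion.

ICMP_TYPES = {
    0: "Echo reply",
    3: "Destination unreachable",
    4: "Source quench",
    5: "Redirect",
    8: "Echo request",          # not on the slide; RFC 792 type number
    11: "Time exceeded",
    12: "Parameter problem",
}

# Destination-unreachable codes as listed on the slide; code 0 is the RFC 792
# value the slide's numbering starts after.
UNREACHABLE_CODES = {
    0: "Network unreachable",
    1: "Host unreachable",
    2: "Protocol unreachable",
    3: "Port unreachable",
    4: "Fragmentation needed and DF bit set",
    5: "Source route failed",
    6: "Destination network unknown",
    7: "Destination host unknown",
    8: "Source host isolated",
    9: "Communication with destination network is administratively prohibited",
    10: "Communication with destination host is administratively prohibited",
    11: "Destination network unreachable for TOS",
    12: "Destination host unreachable for TOS",
}


def icmp_to_port(icmp_type, icmp_code):
    """Port value NetFlow reports: (type * 256) + code; type 8 code 0 -> 0x0800."""
    if not (0 <= icmp_type <= 255 and 0 <= icmp_code <= 255):
        raise ValueError("ICMP type and code are single bytes")
    return (icmp_type << 8) | icmp_code


def port_to_icmp(port):
    """Inverse: split the 16-bit DstP value back into (type, code)."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port must fit in 16 bits")
    return port >> 8, port & 0xFF


def describe_dstp(dstp_hex):
    """Label the DstP column of `show ip cache flow` (a hex string) for an ICMP flow."""
    icmp_type, icmp_code = port_to_icmp(int(dstp_hex, 16))
    name = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
    if icmp_type == 3:
        name += ": " + UNREACHABLE_CODES.get(icmp_code, f"code {icmp_code}")
    elif icmp_code:
        name += f" (code {icmp_code})"
    return name


def icmp_flow_summary(rows):
    """Count ICMP flows per (type, code) from (Pr, DstP) pairs taken from the cache.

    A jump in ICMP flows is one of the attack indicators the slides list; this
    splits the jump by message type so a threshold can be set per type.
    """
    counts = {}
    for pr, dstp in rows:
        if pr != 1:            # 1 = ICMP, the protocol identifier
            continue
        key = port_to_icmp(int(dstp, 16))
        counts[key] = counts.get(key, 0) + 1
    return counts
```

`describe_dstp("0303")` returns "Destination unreachable: Port unreachable", which is what a burst of one-packet ICMP flows from a scanned host typically looks like in the cache; `describe_dstp("0800")` is the echo request from the slide's worked example (port 2048).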

NetFlow L2 and Security Monitoring: Source MAC Address

Email server DoS attack arriving from the Internet

[Diagram: Host A behind Router A, Host B behind Router B, Host C behind Router C, Router D; NetFlow collected where the Internet traffic enters]

Report the MAC address for Ethernet, FastEthernet and GigEthernet

NetFlow L2 and Security Monitoring: Internet Exchange Point

Internet Exchange Points (IXP) require the accounting per MAC address

[Diagram: ISP 1 to ISP 5 connected through the IXP, with incoming and outgoing traffic]

The NetFlow solution is more granular than the "IP accounting MAC address" feature

NetFlow MIB and Top Talkers (New)

- The flows that are generating the heaviest traffic are known as the "top talkers"
- Allows flows to be sorted by either of the following criteria:
  - By the total number of packets in each top talker
  - By the total number of bytes in each top talker
- Snapshot of the cache by polling the MIB

NetFlow MIB and Top Talkers (Cont.) (New)

- Match criteria for the top talkers: specific flow field values
  - Work like a filter
- A new separate cache
  - Similar output to the show ip cache flow or show ip cache verbose flow command
  - Generated 'on demand'
  - Frozen for the "cache-timeout" value
- Introduced in Releases 12.2(25)S and 12.3(11)T on the low-end routers

NetFlow MIB and Top Talkers: Applications

- Needed when export is not practical
- Troubleshooting and fast analysis
- Security
  - List of top talkers to see if traffic patterns consistent with a Denial of Service (DoS) attack are present in your network
- Traffic analysis
  - The top talkers whose destination IP address is my web server
- Capacity planning
  - The top talkers whose destination is the BGP AS X

NetFlow Top Talkers Example (New)

Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 10

R3# show ip flow top-talkers
SrcIf     SrcIPaddress    DstIf     DstIPaddress    Pr SrcP DstP  Pkts
Et1/0     172.16.10.2     Et0/0     172.16.1.84     06 0087 0087   ...
Et1/0     172.16.10.5     Et0/0     172.16.1.85     06 0089 0089   ...
Et1/0     172.16.10.1     Et0/0     172.16.1.86     06 0185 0185   ...
Et1/0     172.16.10.8     Et0/0     172.16.1.86     06 00B3 00B3   ...
Et1/0     172.16.10.4     Et0/0     172.16.1.84     06 0050 0050   ...
Et1/0     172.16.10.7     Et0/0     172.16.1.85     06 0050 0050   ...
7 of 10 top talkers shown. 7 flows processed.

NetFlow Top Talkers Example 1

Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 50
Router(config-flow-top-talkers)# sort-by [packets | bytes]
Router(config-flow-top-talkers)# cache-timeout 2000

Router# show ip flow top-talkers verbose
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
IPM: OPkts     OBytes
Fa1/0          10.48.71.9      Local          10.48.71.9      01 C0  ...      56
0000 /24 0                     0303 /24 0     0.0.0.0               ...  171.0
IPM: 3         1436
ICMP type: 3   ICMP code: 3

Se0/0          192.1.1.97      Se0/3          192.1.1.110     01 00  ...      12
0000 /30 0                     0000 /30 0     192.1.1.108           ...    2.8
IPM: 0         0
ICMP type: 0   ICMP code: 0

NetFlow Top Talkers Example 2

Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 50
Router(config-flow-top-talkers)# sort-by packets
Router(config-flow-top-talkers)# cache-timeout 2000
Router(config-flow-top-talkers)# match source address 192.1.1.97/32
Router(config-flow-top-talkers)# match destination address 192.1.1.110/32

Router# show ip flow top-talkers verbose
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Se0/0          192.1.1.97      Se0/3          192.1.1.110     01 00  ...      12
0000 /30 0                     0000 /30 0     192.1.1.108           ...    2.8
ICMP type: 0   ICMP code: 0

NetFlow Top Talkers Example 2 (Cont.)

Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 50
Router(config-flow-top-talkers)# sort-by packets
Router(config-flow-top-talkers)# cache-timeout 2000
Router(config-flow-top-talkers)# match source address 192.1.1.97/32
Router(config-flow-top-talkers)# match destination address 192.1.1.110/32

match {{source address | destination address | nexthop address} {ip-address} {mask | /nn}}
      | {{source port | destination port} {port-number | min port | max port | min port max port}}
      | {{source as | destination as} as-number}
      | {{input-interface | output-interface} interface}
      | {tos {tos-value | dscp dscp-value | precedence precedence-value}}
      | {protocol {protocol-number | tcp | udp}}
      | {flow-sampler flow-sampler-name}
      | {class-map class}
      | {packet-range | byte-range {{min-range-number max-range-number} | {min minimum-range | max maximum-range | min minimum-range max maximum-range}}}

NetFlow MIB and Top Talkers

- The top talkers can be configured via SNMP with the CISCO-NETFLOW-MIB
- The top talkers can be retrieved via the MIB: cnfTopFlowsTable
- Not a good trending tool unless we compare all the flow key values
  - cnfTopFlowsIndex represents the top flow index, but it keeps no correlation with the cnfTopFlowsIndex of the previous or next polling interval

NetFlow Features

Egress NetFlow Accounting (New)

- The NetFlow Egress feature allows NetFlow accounting to be implemented for egress (outgoing) traffic on an interface or sub-interface
- Locally generated traffic (traffic that is generated by the router) will not be counted
- The NetFlow Egress feature captures NetFlow statistics for IP traffic only; MPLS statistics are not captured in the T train
- The egress or ingress interface may be a flow key
  - Aggregate flows leaving the device
- Post-processed NAT and TOS are exported with the flow
- Release 12.3(11)T for the low-end routers

Router(config-if)# ip flow egress

Egress NetFlow Accounting

- Accounting for packets exiting the network
- Useful for understanding server traffic
- Used for traffic matrix statistics

[Diagram: servers reached across an IP or MPLS network, with NetFlow Egress, NetFlow Egress and Ingress, and NetFlow Ingress measurement points]

Release 12.3(11)T

Egress NetFlow Accounting

Router# show ip cache flow
...
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         10.0.0.1        Et0/0*        10.0.1.1        01 0000 0000     5
Et0/1         10.0.0.2        Et0/1         10.0.1.2        01 0000 0000     5

The asterisk (*) indicates an egress flow

A flow is identified by the output interface (amongst others) by default with egress NetFlow:
Router(config)# ip flow-egress input-interface

Egress NetFlow and Top Talkers

Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# match source address 192.1.1.97/32
Router(config-flow-top-talkers)# match direction ?
  egress   Match egress flows
  ingress  Match ingress flows

- The direction match statement is added
- The "direction" is a new information element
  - Egress value added in the template
  - Egress value not added for the aggregation caches
  - Existing ingress templates are not modified

NetFlow Dynamic Top Talkers

- Somewhat similar to the top talkers
  - But dynamic, done on the fly with show commands
  - But does not require modifications to the router config
  - But does not create a new cache
  - But not available with the MIB... obviously
- Even more useful than top talkers for security
- "show ip flow top" command:
  show ip flow top <N> <aggregate-field> <sort-criteria> <match-criteria>
- Introduced in 12.4(4)T on the software-based routers (7500 and below)

NetFlow Dynamic Top Talkers Examples

- Top ten protocols currently flowing through the router:
  Router# show ip flow top 10 aggregate protocol
- Top ten IP addresses which are sending the most packets:
  Router# show ip flow top 10 aggregate source-address sorted-by packets
- Top five destination addresses to which we're routing most traffic from the 10.10.10.0/24 prefix:
  Router# show ip flow top 5 aggregate destination-address match source-prefix 10.10.10.0/24
- 50 VLANs that we're sending the least bytes to:
  Router# show ip flow top 50 aggregate destination-vlan sorted-by bytes ascending
- Top 20 sources of 1-packet flows:
  router# show ip flow top 50 aggregate source-address match packets 1
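The ranking that the configured top talkers (previous slides) and the dynamic `show ip flow top` examples above both perform, as an added example that is not part of the presentation: a Python function that aggregates a cache snapshot by one flow field, sorts by packets or bytes in either direction and applies an optional match predicate, with the `source-prefix` and `packets` matches from the examples. The flow records, addresses and VLAN numbers are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Added example (not Cisco code): the aggregation behind
#   show ip flow top <N> aggregate <field> sorted-by <packets|bytes> [ascending] match ...
# computed over an in-memory cache snapshot. All records below are constructed.

FLOWS = [  # field names mirror the show ip cache flow columns
    {"src": "10.10.10.5",  "dst": "192.0.2.80", "protocol": 6,  "dport": 80,  "dst_vlan": 10, "packets": 1200, "bytes": 1_200_000},
    {"src": "10.10.10.6",  "dst": "192.0.2.80", "protocol": 6,  "dport": 443, "dst_vlan": 10, "packets": 800,  "bytes": 960_000},
    {"src": "10.10.10.7",  "dst": "192.0.2.53", "protocol": 17, "dport": 53,  "dst_vlan": 20, "packets": 300,  "bytes": 36_000},
    {"src": "172.16.0.9",  "dst": "192.0.2.25", "protocol": 6,  "dport": 25,  "dst_vlan": 30, "packets": 2500, "bytes": 3_000_000},
    {"src": "203.0.113.1", "dst": "10.10.10.5", "protocol": 6,  "dport": 22,  "dst_vlan": 10, "packets": 1,    "bytes": 40},
    {"src": "203.0.113.1", "dst": "10.10.10.6", "protocol": 6,  "dport": 22,  "dst_vlan": 10, "packets": 1,    "bytes": 40},
    {"src": "203.0.113.2", "dst": "10.10.10.7", "protocol": 6,  "dport": 445, "dst_vlan": 20, "packets": 1,    "bytes": 40},
    {"src": "10.10.10.5",  "dst": "192.0.2.53", "protocol": 17, "dport": 53,  "dst_vlan": 20, "packets": 50,   "bytes": 6_000},
]


def top(flows, n, aggregate, sorted_by="packets", ascending=False, match=None):
    """Rank the distinct values of `aggregate`; `match` is an optional predicate on a flow.

    Returns up to n (value, {"flows", "packets", "bytes"}) pairs, best first unless ascending.
    """
    if sorted_by not in ("packets", "bytes"):
        raise ValueError("sorted-by must be packets or bytes")
    totals = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for f in flows:
        if match is not None and not match(f):
            continue
        bucket = totals[f[aggregate]]
        bucket["flows"] += 1
        bucket["packets"] += f["packets"]
        bucket["bytes"] += f["bytes"]
    ranked = sorted(totals.items(), key=lambda kv: kv[1][sorted_by], reverse=not ascending)
    return ranked[:n]


def source_prefix(prefix):
    """match source-prefix <prefix>"""
    net = ip_network(prefix)
    return lambda f: ip_address(f["src"]) in net


def packets_equal(count):
    """match packets <count>; packets 1 isolates one-packet flows (the scan / SYN-flood pattern)"""
    return lambda f: f["packets"] == count
```

`top(FLOWS, 20, "src", match=packets_equal(1))` is the last slide example in code: it ranks 203.0.113.1 first because two of its flows consist of a single packet, which is the kind of source worth checking against the DoS indicators listed earlier. The static `ip flow-top-talkers` configuration produces the same ranking, with the match criteria fixed in the configuration and the result frozen for the cache-timeout.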

NetFlow and IPv6

- Monitors the IPv6 traffic
- Based on NetFlow Version 9
- For both ingress and egress traffic
- Non sampled
- No data export over IPv6; still IPv4
- NetFlow L2 and security monitoring available for IPv6
  - ICMP, IP Identification, mac-addresses, packet-length, TTL, vlan-id
- Release 12.3(7)T, low-end devices

NetFlow and IPv6

Router# show ipv6 flow cache
...
SrcAddress        InpIf  DstAddress        OutIf  Prot  SrcPrt  DstPrt  Pkts
2001:400::2       Local  2001:400::1       Et3/0  0x3A  0x0000  0x8100     5
2001:300::2       Local  2001:300::1       Et3/0  0x3A  0x0000  0x8100     5
2001:200::2       Local  2001:200::1       Et3/0  0x3A  0x0000  0x8100     5
2001:300::1       Et3/0  FF02::1:FF00:2    Local  0x3A  0x0000  0x8700     2
2001:400::1       Et3/0  FF02::1:FF00:2    Local  0x3A  0x0000  0x8700     2
2001:400::1       Et3/0  2001:400::2       Local  0x06  0x2B00  0x0017    88

- Exactly the same commands as IPv4 for configuration and monitoring, except that "ip" is replaced by "ipv6"
- New NetFlow Version 9 information elements

NetFlow Input Filters Example

[Diagram: incoming packets are classified before reaching the NetFlow cache]
- VOIP: tight filter for traffic of high importance, 1:1 sampling
- VPN: moderately tight filter for traffic of medium importance, 1:100 sampling
- Best effort: default wide-open filter for traffic of low importance, 1:1000 sampling

NetFlow Input Filters

- Support prefiltering of traffic for NetFlow processing
- The Modular QoS command line (MQC) provides the filtering mechanism for NetFlow
  - Classification by IP source and destination addresses, layer 4 protocol and port numbers, incoming interface, MAC address, DSCP
  - Layer 2 information such as Frame Relay DE bits, Ethernet 802.1p bits
  - Network based application recognition (NBAR)
- Ability to sample filtered data at different rates, depending on how interesting the traffic is
- 12.3(4)T, 12.2(25)S

Sub and Virtual Interface Tracking

The following interfaces are tracked:
- Frame Relay sub-interfaces
- ATM sub-interfaces
- Inter-Switch Link (ISL) sub-interfaces
- 802.1q sub-interfaces
- Multilink PPP interfaces

NetFlow Whitepapers: http://www.cisco.com/en/US/products/ps6601/prod_white_papers_list.html

Sub and Virtual Interface Tracking (Cont.)

The following interfaces are tracked:
- Generic Routing Encapsulation (GRE) tunnel interfaces
- Layer 2 Tunneling Protocol (L2TP) VPDN-group interfaces
- MPLS-VPN interfaces
- Tunnel hopping: a packet arrived on one tunnel interface of a router and was routed to a different tunnel interface on the same router

NetFlow Enabled Interfaces

Router# show ip flow interface
Serial0/0
  ip route-cache flow
Serial0/0.1
  ip flow egress
Serial0/3
  ip route-cache flow
FastEthernet1/0
  ip flow ingress
  flow-sampler benoit egress

Introduced in Release 12.3(7)T for low-end devices

NetFlow VRF Export

- Allows the export of flow records within a VRF
- Valid for both SCTP and UDP export

Router(config)# ip flow-export destination 10.10.10.10 9999 vrf benoit [sctp|udp]
Router(config-flow-cache)# export destination 10.10.10.10 9999 vrf benoit [sctp|udp]

- Introduced in 12.4(4)T on the software-based routers (7500 and below)

Autonomous System: Peer and Origin AS

Full AS path is possible with collectors acting as BGP passive peer, including the Cisco collector and Arbor Networks

[Diagram: AS 101 - AS 102 - AS 103 - AS 104 (NetFlow enabled) - AS 105 - AS 106]

Configuring Peer-AS:
- Source AS = AS 103
- Destination AS = AS 105

Configuring Origin-AS:
- Source AS = AS 101
- Destination AS = AS 106

Powerful Insight into Tunnels with NetFlow

[Diagram: Non-tunnel router - Tunnel head - Tunnel midpoint - Tunnel tail - Non-tunnel router. At the midpoint NetFlow totals the tunnel packets into one flow; on the non-tunnel routers NetFlow accounts for packets prior to the IPsec tunnel; enabled on the tunnel head, NetFlow accounts for both the tunnel and the post-tunnel flows]

- NetFlow allows a break-out of both pre- and post-encryption traffic
- Support for both GRE and IPSec encryption
- Product literature at www.cisco.com/go/netflow

NetFlow Reliable Export with SCTP: SCTP Introduction

- UDP
  - Lack of security, congestion awareness, and reliability
  - However, speed and simplicity
- SCTP: stream control transport protocol (RFC2960)
  - Reliable data transfer
  - Congestion control and avoidance
  - Multihoming support
  - One association supports multiple streams
  - Security cookie against connection flood attacks (SYN flood)
- SCTP-PR: SCTP partially reliable (RFC3578)
  - Three modes of reliability: reliable, partially reliable, unreliable
  - Each stream selects its mode of reliability

Note: "An Introduction to SCTP", RFC3286

NetFlow Reliable Export with SCTP

- SCTP-PR support for NetFlow version 5, 8, 9; (Options) templates are sent reliably
- Two primary SCTP export destinations (collectors) and two backup SCTP export destinations
  - For each cache: either the main cache or aggregation cache(s)
- Backup
  - Fail-over mode: open the backup connection when the primary fails
  - Redundant mode: open the backup connection in advance, and already send the templates
  - Note that the backup inherits the reliability level from the primary
- 12.4(4)T on the software-based routers (7500 and below)
- NetFlow Collector SCTP support in version 6.0

Reliable Export with SCTP Example

[Diagram: the Main Cache exports with SCTP partially reliable to a Security/Monitoring collector, with an SCTP backup in fail-over mode; the DestinationPrefix aggregation cache exports with SCTP reliable to a Billing collector, with an SCTP backup in redundant mode]

Reliable Export with SCTP Example: Configuration

Router(config)# ip flow-export destination 10.10.10.10 9999 sctp
Router(config-flow-export-sctp)# reliability partial buffer-limit 100
Router(config-flow-export-sctp)# backup destination 11.11.11.11 9999
Router(config-flow-export-sctp)# backup fail-over 1000
Router(config-flow-export-sctp)# backup mode fail-over
Router(config)# ip flow-aggregation cache destination-prefix
Router(config-flow-cache)# export destination 12.12.12.12 9999 sctp
Router(config-flow-export-sctp)# backup destination 13.13.13.13 9999
Router(config-flow-export-sctp)# backup mode redundant
Router(config-flow-export-sctp)# backup restore-time 1
Router(config-flow-export-sctp)# exit
Router(config-flow-cache)# enabled

Reliable Export with SCTP Example: Show Command

Router# show ip flow export sctp verbose
IPv4 main cache exporting to 10.10.10.10, port 9999, partial
status: connected
backup mode: fail-over
104 flows exported in 84 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 1000 milli-seconds
restore time: 25 seconds
backup: 11.11.11.11, port 9999
  status: not connected
  fail-overs: 0
  0 flows exported in 0 sctp messages.
  0 packets dropped due to lack of SCTP resources
destination-prefix cache exporting to 12.12.12.12, port 9999, full
status: connected
backup mode: redundant
57 flows exported in 42 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 1 seconds
backup: 13.13.13.13, port 9999
  status: connected
  fail-overs: 0
  0 flows exported in 0 sctp messages.
  0 packets dropped due to lack of SCTP resources

NetFlow for Capacity Planning

What Is the Traffic Matrix?

From/to   R1   R2   R3   R4
R1         0    0    0    0
R2        15    0    0    0
R3         5    5    0    0
R4         0    0   10    0

[Diagram: routers R1 to R4 with the measured link loads (r1-r2)=15, (r2-r3)=5, (r1-r3)=5, (r3-r4)=10]

The Core Traffic Matrix: Traffic Engineering and Capacity Planning

[Diagram: Paris POP, Rome POP, Munich POP and London POP; sources behind ISP-1 and ISP-2 with an SLA; business critical traffic and best effort traffic towards the destination]

                 Rome Entry   Paris Entry   London Entry   Munich Entry
Rome Exit        NA (*)       x Mb/s        x Mb/s         x Mb/s
Paris Exit       x Mb/s       NA (*)        x Mb/s         x Mb/s
London Exit      x Mb/s       x Mb/s        NA (*)         x Mb/s
Munich Exit      x Mb/s       x Mb/s        x Mb/s         NA (*)

(*) Potentially local exchange traffic

Core Capacity Planning: The Big Picture

1. The ability to offer SLAs is dependent upon ensuring that core network bandwidth is adequately provisioned
2. Adequate provisioning (without gross over-provisioning) is dependent upon accurate core capacity planning
3. Accurate core capacity planning is dependent upon understanding the core traffic matrix and flows and mapping these to the underlying topology
4. A tool for "what if" scenarios

We Need the Core Traffic Matrix

[Diagram: AS1 to AS5 and Customers attached to PoPs on both sides of the core, with Server Farm 1 and Server Farm 2]

"PoP to PoP": Access Router or Core Router

NetFlow BGP Next Hop TOS Aggregation

- Lets you measure network traffic on a per BGP next hop basis, per TOS
- Lets you track which service provider the traffic is going through (exit point)
- Configure on ingress interface
- Leverages the new NetFlow version 9 export format
- Support with sampled and non-sampled NetFlow
- 12.0(26)S, 12.2(18)S and 12.3 on the software based routers (7500 and below); 12.0(27)S for the 12000

BGP Next Hop TOS Aggregation: Typical Example

Figure: customers behind PoPs (PE routers) attached to an MPLS core or an IP core with BGP routes only, with server farms 1 and 2 and peerings to AS1-AS5.
- Internal traffic: "PoP to PoP"
- External traffic matrix: PoP to BGP AS

NetFlow BGP Next Hop TOS Aggregation: Flow Keys

Key fields (uniquely identify the flow):
- Origin AS
- Destination AS
- Inbound Interface
- Output Interface
- ToS/DSCP (*)
- Next BGP Hop
(*) Before any recoloring

Additional export fields:
- Flows
- Packets
- Bytes
- First SysUptime
- Last SysUptime
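The record layout above can be exercised end to end with NetFlow v9, the export format the slide says this aggregation uses. The following is an added Python example, not code from the Cisco deck: it encodes the slide's key fields and counters as a v9 template FlowSet plus a data FlowSet, parses the packet back the way a collector would, and totals bytes per (BGP next hop, ToS) to answer the "which exit point" question. The template ID, sysUptime and the three records are constructed sample values; the field type numbers are the RFC 3954 assignments.

```python
# Added example (not from the Cisco deck): encode and decode a NetFlow v9 export
# packet carrying BGP-nexthop/ToS aggregation records with the key fields and
# counters listed on the slide. Template ID 257, sysUptime and every record
# value below are constructed sample data.
import struct

# NetFlow v9 field type numbers (RFC 3954, section 8) for the slide's fields.
FIELD_TYPES = {
    "IN_BYTES": 1, "IN_PKTS": 2, "FLOWS": 3, "SRC_TOS": 5,
    "INPUT_SNMP": 10, "OUTPUT_SNMP": 14, "SRC_AS": 16, "DST_AS": 17,
    "BGP_IPV4_NEXT_HOP": 18, "LAST_SWITCHED": 21, "FIRST_SWITCHED": 22,
}
TYPE_NAMES = {v: k for k, v in FIELD_TYPES.items()}

# Template layout: (field name, length in bytes). Key fields first, then counters.
TEMPLATE = [
    ("SRC_AS", 2), ("DST_AS", 2), ("INPUT_SNMP", 2), ("OUTPUT_SNMP", 2),
    ("SRC_TOS", 1), ("BGP_IPV4_NEXT_HOP", 4),
    ("FLOWS", 4), ("IN_PKTS", 4), ("IN_BYTES", 4),
    ("FIRST_SWITCHED", 4), ("LAST_SWITCHED", 4),
]
TEMPLATE_ID = 257  # constructed; data FlowSet IDs must be 256 or higher

def ip_to_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def build_packet(records, sys_uptime=12345, unix_secs=1_600_000_000, seq=1, source_id=0):
    """Exporter side: header + template FlowSet (ID 0) + one data FlowSet (ID 257)."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    for name, length in TEMPLATE:
        tmpl += struct.pack("!HH", FIELD_TYPES[name], length)
    template_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    data = b""
    for rec in records:
        for name, length in TEMPLATE:
            if name == "BGP_IPV4_NEXT_HOP":
                data += ip_to_bytes(rec[name])
            else:
                data += rec[name].to_bytes(length, "big")
    pad = (-len(data)) % 4  # FlowSets are padded to a 32-bit boundary
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(data) + pad) + data + b"\0" * pad

    # Count = records in the packet: the template record plus the data records.
    header = struct.pack("!HHIIII", 9, 1 + len(records), sys_uptime, unix_secs, seq, source_id)
    return header + template_set + data_set

def parse_packet(pkt):
    """Collector side: learn templates first, then decode data FlowSets with them."""
    version, count = struct.unpack("!HH", pkt[:4])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates, records, off = {}, [], 20
    while off + 4 <= len(pkt):
        set_id, set_len = struct.unpack("!HH", pkt[off:off + 4])
        if set_len < 4:
            break  # malformed length; stop rather than loop forever
        payload = pkt[off + 4:off + set_len]
        if set_id == 0:
            p = 0
            while p + 4 <= len(payload):
                tid, nfields = struct.unpack("!HH", payload[p:p + 4])
                if nfields == 0:
                    break  # padding reached
                p += 4
                templates[tid] = [struct.unpack("!HH", payload[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif set_id >= 256 and set_id in templates:
            spec = templates[set_id]
            rec_len = sum(length for _, length in spec)
            p = 0
            while p + rec_len <= len(payload):
                rec = {}
                for ftype, flen in spec:
                    raw, p = payload[p:p + flen], p + flen
                    name = TYPE_NAMES.get(ftype, f"type{ftype}")
                    rec[name] = (".".join(str(b) for b in raw) if ftype == 18
                                 else int.from_bytes(raw, "big"))
                records.append(rec)
        off += set_len
    return records

def bytes_per_exit_point(records):
    """The slide's use case: volume per (BGP next hop, ToS), i.e. per exit point and class."""
    totals = {}
    for r in records:
        k = (r["BGP_IPV4_NEXT_HOP"], r["SRC_TOS"])
        totals[k] = totals.get(k, 0) + r["IN_BYTES"]
    return totals

# Constructed sample records (documentation address ranges and private ASNs).
SAMPLE_RECORDS = [
    dict(SRC_AS=64496, DST_AS=64500, INPUT_SNMP=1, OUTPUT_SNMP=3, SRC_TOS=0xB8,
         BGP_IPV4_NEXT_HOP="203.0.113.1", FLOWS=12, IN_PKTS=3400, IN_BYTES=2_550_000,
         FIRST_SWITCHED=12000, LAST_SWITCHED=12900),
    dict(SRC_AS=64496, DST_AS=64500, INPUT_SNMP=1, OUTPUT_SNMP=3, SRC_TOS=0,
         BGP_IPV4_NEXT_HOP="203.0.113.1", FLOWS=40, IN_PKTS=9000, IN_BYTES=1_000_000,
         FIRST_SWITCHED=12050, LAST_SWITCHED=12950),
    dict(SRC_AS=64496, DST_AS=64501, INPUT_SNMP=1, OUTPUT_SNMP=4, SRC_TOS=0,
         BGP_IPV4_NEXT_HOP="198.51.100.7", FLOWS=80, IN_PKTS=20000, IN_BYTES=9_000_000,
         FIRST_SWITCHED=12100, LAST_SWITCHED=12950),
]

if __name__ == "__main__":
    pkt = build_packet(SAMPLE_RECORDS)
    for exit_point, total in sorted(bytes_per_exit_point(parse_packet(pkt)).items()):
        print(exit_point, total)
```

Because v9 is template driven, the collector cannot decode a data FlowSet whose template it has not yet seen; the parser above simply skips such sets, which is why real exporters resend templates periodically.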

MPLS Aware NetFlow: Description

- Provides flow statistics per MPLS and IP packets
  - MPLS packets: labels information and NetFlow v5 fields for the underlying IP packet
  - IP packets: regular IP NetFlow records
- Leverages the new NetFlow version 9 export format
- Configure on ingress interface
- Supported on sampled/non-sampled NetFlow
- 12.0(26)S, 12.2(18)S and 12.3 on the software based routers (7500 and below)
- 12000: 12.0(24)S, 12.2(18)S and 12.3

MPLS Aware NetFlow: The Core Traffic Matrix

Figure: customers behind CE/CPE and PE routers around an MPLS core of P routers, with two PoPs, server farms 1 and 2 and peerings to AS1-AS5.
- Internal traffic: "PoP to PoP"
- External traffic matrix PoP to BGP AS: not available

Multiprotocol Label Switching

Figure: traffic flow IP -> PE -> MPLS -> PE -> IP.
- Traditional NetFlow for IP to MPLS traffic
- MPLS aware NetFlow (Version 9)
- Egress MPLS NetFlow accounting for MPLS to IP traffic

- Egress MPLS NetFlow accounting
  - IP information only
  - Ideal for billing
  - Current availability: Releases 12.0(10)ST and 12.1(5)T
- MPLS aware NetFlow (Version 9)
  - Exports up to three MPLS labels and IP packet information
  - Ideal for Traffic Engineering (TE)

MPLS Aware NetFlow: Top Label Aggregation

Key fields (uniquely identify the flow):
- Input interface (ifIndex)
- The top incoming MPLS labels with experimental bits and end-of-stack bit

Additional export fields:
- Flows
- Packets
- Bytes
- First timestamp (SysUptime)
- Last timestamp (SysUptime)
- Output interface
- NetFlow version five fields of the underlying IP packet (TCP flags, etc.)
- Type of the top label: LDP, BGP, VPN, ATOM, TE tunnel MID-PT, unknown
- The forwarding equivalent class mapping to the top label

MPLS Information Export

- MPLS Label Forwarding Information Base (LFIB) export
  - Per label: destination prefix, owning application (TE, LDP, BGP), system uptime for label
  - Exports all labels periodically with timer
- Collector receives LFIB from PE and MPLS aware NetFlow from core
- Effectively shows PE traffic matrix
- Release 12.2(28)SB: Cisco 7200, 7300, 7500 and 10000 Series Routers
- Release 12.0(33)S: Cisco 12000 Series Router
- Release 12.2(x)SRA: Cisco 7600 Series Router

!et"lo# for ($lticast

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

)+

Multicast NetFlow

Three types of NetFlow implementations for multicast traffic:
- Traditional NetFlow
- Multicast NetFlow Ingress
- Multicast NetFlow Egress

Multicast: Traditional NetFlow

Traditional NetFlow configuration:
interface Ethernet0
 ip route-cache flow
ip flow-export version 9
ip flow-export destination 127.0.0.1 9995

Figure: the router receives (S, G) = (10.0.0.2, 224.0.0.100) on Eth0 and replicates it to Eth1, Eth2 and Eth3; the NetFlow collector server is 127.0.0.1.

Flow record created in the NetFlow cache:
SrcIf | SrcIPadd | DstIf | DstIPadd    | Protocol ... NextHop | Bytes | Packets | Active | Idle
Eth0  | 10.0.0.2 | Null  | 224.0.0.100 | ...                  | 23100 | 21      | ...    | ...

- There is only one flow per NetFlow configured input interface
- Destination interface is marked as "null"
- Bytes and packets are the incoming values (non replicated)

Multicast NetFlow Ingress

Multicast NetFlow Ingress configuration:
interface Ethernet0
 ip multicast netflow ingress
ip flow-export version 9
ip flow-export destination 127.0.0.1 9995

Figure: the router receives (S, G) = (10.0.0.2, 224.0.0.100) on Eth0 and replicates it to Eth1, Eth2 and Eth3; the NetFlow collector server is 127.0.0.1.

Flow record created in the NetFlow cache:
SrcIf | SrcIPadd | DstIf | DstIPadd    | Protocol ... NextHop | Bytes | Packets | Active | Idle
Eth0  | 10.0.0.2 | Null  | 224.0.0.100 | ...                  | 69300 | 63      | ...    | ...

- There is only one flow per NetFlow configured input interface
- Destination interface is marked as "null"
- Bytes and packets are the outgoing values: replicated counts

Multicast NetFlow Egress

Multicast NetFlow Egress configuration:
interface Ethernet1
 ip multicast netflow egress
interface Ethernet2
 ip multicast netflow egress
interface Ethernet3
 ip multicast netflow egress
ip flow-export version 9
ip flow-export destination 127.0.0.1 9995

Figure: the router receives (S, G) = (10.0.0.2, 224.0.0.100) on Eth0 and replicates it to Eth1, Eth2 and Eth3; the NetFlow collector server is 127.0.0.1.

Flow records created in the NetFlow cache:
SrcIf | SrcIPadd | DstIf | DstIPadd    | Protocol ... NextHop | Bytes | Packets | Active | Idle
Eth0  | 10.0.0.2 | Eth1  | 224.0.0.100 | ...                  | 23100 | 21      | ...    | ...
Eth0  | 10.0.0.2 | Eth2  | 224.0.0.100 | ...                  | 23100 | 21      | ...    | ...
Eth0  | 10.0.0.2 | Eth3  | 224.0.0.100 | ...                  | 23100 | 21      | ...    | ...

- There is one flow per Multicast NetFlow Egress configured output interface
- Bytes and packets are the outgoing values

Multicast NetFlow: RPF Failures

- Flow is blocked because it has the same key fields as another flow; however, it is coming from the wrong physical interface
- Can be counted using Multicast NetFlow Egress if "ip multicast netflow rpf-failure" is configured globally
- Once configured, there will be a new field in the NetFlow cache called "RPF Fail" to count flows that fail and how many times

Multicast NetFlow Summary

- Supported via NetFlow Version 9 export format
- Availability
  - Releases 12.2S and 12.3
  - Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200 and 7500 Series Routers
  - Cisco Catalyst 6500 Series Switch, Release 12.2(18)SXF
- Performance: Ingress vs. Egress
  - Multicast NetFlow Ingress and traditional NetFlow will have similar performance numbers
  - Multicast NetFlow Egress will have a performance impact that is proportional to the number of interfaces on which it is enabled (including the input interface)

!et"lo# F6S 4rac3ing

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

.2

Quality of Service Example

ToS byte bit weights:
- Precedence bits: DS5 = 128, DS4 = 64, DS3 = 32
- ToS bits: DS2 = 16, DS1 = 8, DS0 = 4
- ECN bits: 2, 1
- DS5-DS0: DiffServ field, AKA IP DSCP markings
- Early Congestion Notification (ECN) bits

Quality of Service Example

TOS byte, precedence bits (DS5 DS4 DS3):
Decimal | Precedence | Function
224     | 7          | Network Control (link layer keepalives)
192     | 6          | Internetwork Control (Routing Protocols)
160     | 5          | CRITIC/ECP (Express Forwarding)
128     | 4          | Flash Override (Class 4)
96      | 3          | Flash (Class 3)
64      | 2          | Immediate (Class 2)
32      | 1          | Priority (Class 1)
0       | 0          | Routine (Best effort)

Delay, Throughput and Reliability bits (DS2 DS1 DS0):
Delay bit       | 0 = Delay - normal       | 16 = Delay - low
Throughput bit  | 0 = Throughput - normal  | 8 = Throughput - high
Reliability bit | 0 = Reliability - normal | 4 = Reliability - high

Early Congestion Notification (ECN) bits: ECN-capable Transport (ECT) bit, Congestion Experienced (CE) bit
00 = 0 | Not ECN-capable
01 = 1 | ECN-capable, endpoints of transport protocol
10 = 2 | ECN-capable, endpoints of transport protocol
11 = 3 | ECN-capable, congestion experienced

Tracking TOS with NetFlow

7200-3-netflow# show ip cache verbose flow
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
SR6/0          210.210.210.2   PO1/0          200.200.200.2   FF 00  10     21K
0000 /0  0                     0000 /0  0     0.0.0.0              1496  665.4
SR6/0          210.210.210.2   PO1/0          200.200.200.2   06 C0  00     21K
0000 /0  0                     0000 /0  0     0.0.0.0              1496  666.0

7200-3-netflow# show ip cache verbose flow
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Et1/1          52.52.52.1      Fd4/0          42.42.42.1      01 55  10    3748
0000 /8  50                    0000 /8  40    202.120.130.2        28    17.8
Et1/2          52.52.52.1      Fd4/0          42.42.42.1      01 CC  10    3568
0000 /8  50                    0000 /8  40    202.120.130.2        28    17.8
Et1/2          10.1.3.2        Fd4/0          42.42.42.1      01 C0  10    1124
0000 /0  0                     0000 /8  40    202.120.130.2        28    17.8

Hex | Decimal | Binary    | Meaning
55  | 85      | 0101 0101 | Precedence 2 - Immediate (Class 2), Delay - low, Reliability - high, endpoints of transport protocol ECN-capable
C0  | 192     | 1100 0000 | Precedence 6 - Internetwork Control (Routing Protocols)
CC  | 204     | 1100 1100 | Precedence 6 - Internetwork Control (Routing Protocols), Throughput - high, Reliability - high
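To turn the TOS column above into the Hex/Decimal/Binary reading the slide gives, here is an added Python example (not from the deck) that decodes a ToS byte into precedence, Delay/Throughput/Reliability bits, ECN and the DSCP view, and totals packets per ToS value over cache lines laid out in the slide's column order. The four cache lines are constructed with the slide's values 55, C0 and CC; the DSCP names come from the standard CS/AF/EF assignments.

```python
# Added example (not from the Cisco deck): decode the ToS by­te the way the slide's
# Hex/Decimal/Binary table does, and total packets per ToS class from
# "show ip cache verbose flow"-style lines. The sample lines are constructed in
# the column order shown on the slide, with the slide's ToS values 55, C0 and CC.
PRECEDENCE = {
    7: "Network Control", 6: "Internetwork Control", 5: "CRITIC/ECP",
    4: "Flash Override", 3: "Flash", 2: "Immediate", 1: "Priority", 0: "Routine",
}
ECN = {0: "Not ECN-capable", 1: "ECN-capable endpoints",
       2: "ECN-capable endpoints", 3: "Congestion experienced"}

def dscp_name(dscp):
    """Standard DiffServ code point names; anything else is reported numerically."""
    if dscp == 46:
        return "EF"
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"
    cls, drop = dscp >> 3, dscp & 7
    if 1 <= cls <= 4 and drop in (2, 4, 6):
        return f"AF{cls}{drop // 2}"
    return f"DSCP {dscp}"

def decode_tos(tos):
    """Split one ToS byte into precedence, D/T/R bits, ECN and the DSCP view."""
    tos &= 0xFF
    return {
        "hex": f"{tos:02X}", "decimal": tos,
        "binary": f"{tos >> 4:04b} {tos & 0xF:04b}",
        "precedence": tos >> 5, "precedence_name": PRECEDENCE[tos >> 5],
        "delay": "low" if tos & 0x10 else "normal",          # DS2 = 16
        "throughput": "high" if tos & 0x08 else "normal",    # DS1 = 8
        "reliability": "high" if tos & 0x04 else "normal",   # DS0 = 4
        "ecn": tos & 0x3, "ecn_name": ECN[tos & 0x3],
        "dscp": tos >> 2, "dscp_name": dscp_name(tos >> 2),
    }

# Constructed cache lines, columns: SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts B/Pk Active
SAMPLE_LINES = """\
SrcIf  SrcIPaddress   DstIf  DstIPaddress   Pr TOS Flgs Pkts  B/Pk Active
Et1/1  52.52.52.1     Fd4/0  42.42.42.1     01 55  10   3748  28   17.8
Et1/2  52.52.52.1     Fd4/0  42.42.42.1     01 CC  10   3568  28   17.8
Et1/2  10.1.3.2       Fd4/0  42.42.42.1     01 C0  10   1124  28   17.8
SR6/0  210.210.210.2  PO1/0  200.200.200.2  06 C0  00   21000 1496 666.0
""".splitlines()

def packets_per_tos(lines):
    """Sum the Pkts column per ToS value; keys are the two-digit hex strings as printed."""
    totals = {}
    for line in lines:
        cols = line.split()
        if len(cols) < 8 or len(cols[5]) != 2:
            continue  # header or malformed line
        try:
            int(cols[5], 16)
            tos, pkts = cols[5].upper(), int(cols[7])
        except ValueError:
            continue  # header row ("TOS", "Pkts") or a non-numeric count
        totals[tos] = totals.get(tos, 0) + pkts
    return totals

if __name__ == "__main__":
    for tos in ("55", "C0", "CC"):
        d = decode_tos(int(tos, 16))
        print(f"{d['hex']} {d['decimal']:3d} {d['binary']}  prec {d['precedence']} "
              f"({d['precedence_name']}), D={d['delay']} T={d['throughput']} "
              f"R={d['reliability']}, ECN {d['ecn_name']}, {d['dscp_name']}")
    print(packets_per_tos(SAMPLE_LINES))
```

Reading the same byte both ways matters in practice: 0xC0 is precedence 6 in the old model and CS6 in the DSCP model, and a flow carrying it from an untrusted edge interface is the kind of thing QoS tracking is meant to surface.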

!et"lo# (I*

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

.6

CISCO-NETFLOW-MIB (New)

- Managed objects to configure the following NetFlow information
  - Flow cache, interface, export
- Managed objects to monitor the following NetFlow information
  - Configuration information, general statistics
- Example objects available
  - Packet size distribution, number of bytes exported per second, number of flows/UDP datagrams exported, number of templates active, etc.

CISCO-NETFLOW-MIB (Cont.)

The CISCO-NETFLOW-MIB.my is NOT:
- A replacement for the traditional method of exporting a flow cache
- A way to retrieve all the flow records
- A snapshot of the NetFlow cache at the moment

Note that CISCO-SWITCH-ENGINE-MIB, on the Catalyst, allows querying the Multi Layer Switching flow records.
Introduced in Release 12.2(25)S and 12.3(7)T.

NetFlow MIB Applications

- NetFlow configuration
- Checking NetFlow configuration
  - ie: peer-as or origin-as
- Monitoring and security
  - Export statistics
  - Protocol statistics
  - Top flows information
  - Embedded event manager + TCL scripts
  - Thresholds with the RMON event/alarm or the EVENT-MIB

NetFlow MIB: NetFlow Configuration

Router(config)# interface <slot/port>
Router(config-if)# ip flow ingress      <- cnfCINetflowEnable
Router(config-if)# ip flow egress       <- cnfCINetflowEnable

cnfCINetflowEnable
- Values for ingress, egress, ingress & egress, none
- Indexed by interface (ifIndex)
- Read-write MIB variable
- Tells which sub-interfaces NetFlow is enabled on

NetFlow MIB: Main Cache Configuration

Router(config)# ip flow-cache entries <number>             <- cnfCICacheEntries
Router(config)# ip flow-cache timeout active <minutes>     <- cnfCIActiveTimeOut
Router(config)# ip flow-cache timeout inactive <seconds>   <- cnfCIInactiveTimeOut

- Indexed by the cache type cnfCICacheType
- cnfCICacheType = 0 means the main cache

NetFlow MIB: Aggregation Cache Configuration

Router(config)# ip flow-aggregation cache <cache type>               <- cnfCICacheType
Router(config-flow-cache)# cache entries <number>                    <- cnfCICacheEntries
Router(config-flow-cache)# cache timeout inactive <seconds>          <- cnfCIInactiveTimeOut
Router(config-flow-cache)# cache timeout active <minutes>            <- cnfCIActiveTimeOut
Router(config-flow-cache)# mask destination minimum <value>          <- cnfCIMinDestinationMask
Router(config-flow-cache)# mask source minimum <value>               <- cnfCIMinSourceMask
Router(config-flow-cache)# enabled                                   <- cnfCICacheEnable

- Indexed by the cache type
- As many cnfCICacheType values as aggregation cache types: main(0), as(1), protocolPort(2), sourcePrefix(3), etc.

NetFlow MIB: Main Cache Export Configuration

Router(config)# ip flow-export version 9 peer-as bgp-nexthop
Router(config)# ip flow-export destination 10.10.10.10 1234
Router# show ip flow export
Flow export v9 is enabled for main cache
  Exporting flows to 10.10.10.10 (1234)
  Exporting using source interface Loopback0
  Version 9 flow records, peer-as

cnfEIExportInfoTable / cnfEIExportInfoEntry, INDEX cnfCICacheType:
- cnfEIExportVersion
- cnfEIPeerAS
- cnfEIOriginAS
- cnfEIBgpNextHop

cnfEICollectorTable / cnfEICollectorEntry, INDEX cnfCICacheType:
- cnfEICollectorAddressType
- cnfEICollectorAddress
- cnfEICollectorPort
- cnfEICollectorStatus

NetFlow MIB: Aggregation Cache Export Configuration

Router(config)# ip flow-aggregation cache <cache type>
Router(config-flow-cache)# export version 9
Router(config-flow-cache)# export destination 10.10.10.10 1234
Router# show ip flow export
...
Cache for <cache type> aggregation:
  Exporting flows to 10.10.10.10 (1234)
  Exporting using source IP address 192.2.1.5

Same principle, indexed by cnfCICacheType for the cache type.

NetFlow MIB: Monitoring

Router# sh ip flow export
...
479272 flows exported in 69204 udp datagrams                   <- cnfESRecordsExported, cnfESPktsExported
0 flows failed due to lack of export packet                     <- cnfESPktsFailed
3 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting          <- cnfESPktsDropped

- The export rate: cnfESExportRate
  - Useful to estimate the required bandwidth

NetFlow MIB: Monitoring

Router# sh ip cache flow
IP packet size distribution (311656 total packets):              <- cnfPSPacketSizeDistribution
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .356 .316 .144 .115 .004 .003 .000 .007 .001 .000 .002 .017 .018 .009 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

Protocol statistics                                              <- cnfPSProtocolStatTable
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          33      0.0        65    40      0.0      18.4      10.0
TCP-WWW              3      0.0         5    45      0.0       3.0       1.5
TCP-BGP           5343      0.0         2    47      0.0       5.1      11.1
TCP-other          411      0.0         2    48      0.0       1.0      10.9
UDP-other        98614      0.4         2    76      0.9       2.1      10.8
ICMP              9519      0.0         9    71      0.4      21.3      11.5
Total:          113923      0.5         2    73      1.4       3.8      10.9

Sampled NetFlow

Random Sampled NetFlow

- Capacity planning may not need every packet per flow
- Sampling on high speed interfaces will reduce CPU consumption
- Random (select packet to export per statistical principles)
- Releases 12.0(26)S, 12.2S(18), and 12.3(2)T
- Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200, and 7500 Series Routers

Random Versus Deterministic Sampling

Random sampled NetFlow, sampling 1 out of 10 packets:
- NetFlow randomly samples 1 of 10 packets to create a flow
- NetFlow randomly chooses the 3rd packet for export
- NetFlow randomly chooses the 5th packet for export
- Export flow

Deterministic sampled NetFlow, sampling 1 out of 10 packets:
- NetFlow samples the 10th packet to create a flow
- NetFlow always chooses the 10th packet for export
- Export flow

Cisco 12000 Series Internet Router: Deterministic Sampled NetFlow

Table: "Full" NetFlow and Sampled NetFlow support per line card engine (0, 1, 2, 3, 4, 4+), with cells Supported, Aggregated only or Not supported; Engines 0 and 1 support both "Full" and Sampled NetFlow.

Sampled NetFlow CPU Reduction

Cisco 7505 and 3620 Routers:
- CPU impact reduced by at least 75% with a sampling rate of 100 and 82% with a sampling rate of 1000

Figure: CPU load [%] over successive samples for No sampling, 1:100 sampling, 1:1000 sampling and No NetFlow.

Random Packet Sampled NetFlow

Router(config)# flow-sampler-map mysampler1
Router(config-sampler)# mode random one-out-of 100
Router(config)# interface ethernet 1
Router(config-if)# flow-sampler mysampler1
Router(config)# ip flow-export template options sampling
Router# show flow-sampler
Sampler : mysampler1, id : 1, packets matched : 10
  mode : random sampling mode
  sampling interval is : 100

Must explicitly configure it on sub-interfaces.

Sampling NetFlow on the Catalyst: Flow Sampling

- Not packet sampling but flow sampling
  - Reason: NetFlow in hardware on the Catalyst
- Random
- Time based flow sampling
  - Take a snapshot of the NetFlow cache at different times
- Flow sampling
  - Examine the hardware cache and export a subset of the total flows
  - Randomly select flows to export
  - Reduced CPU and export volume by sampling flows

Cisco Catalyst 6500 Series and Cisco 7600 Series Sampled NetFlow

- Sampling rate is configurable only for the whole box
- Accuracy of NetFlow on the platform comes from tuning the aging timers correctly
- A way of minimizing packet loss is using Distributed Forwarding Cards (DFCs), spreading the incoming packet load evenly onto different VLANs on different cards
- Currently available in Release 12.1(13)E

Accuracy of Sampled NetFlow

- What is the accuracy of sampled NetFlow?
  - Is the estimated number of bytes per flow record accurate?
- Which sample rate should be used? There is no easy answer

Figure: accuracy (y axis) versus sampling rate (x axis), with separate curves for flow keys, for traffic type and for observation time; the "deduced" curve is what the model is expected to give.

Accuracy of Sampled NetFlow: Research Project

- Cisco funded research by an external company
- State of the art analysis
  - Analysed many sampling research whitepapers
- Developed a mathematical model
  - This model is only valid for random sampled NetFlow! Systematic sampled NetFlow would require some knowledge about the traffic patterns
  - A patent is in the process of being filed

Accuracy of Sampled NetFlow: Research Project

- Empirical testing with real live traffic
  - Mathematical model validity
  - Mathematical model assumptions
  - Results confidence interval
  - Graph the results
- Higher accuracy for flows with
  - Many packets
  - A high flow proportion
  - Longer observation (AND characteristics remain)
  - Large packet size mean
  - Small packet size variation

Accuracy of Sampled NetFlow: Research Project

What is the accuracy of sampled NetFlow?
1. Depends on the sampling rate? Yes
2. Depends on the flow definition? Not directly
3. Depends on the traffic type (IPv4 versus MPLS)? Depends on traffic (flow characteristics)
4. Depends on the observation period? Yes, if characteristics remain

- Whitepaper will be published soon
- Next step, hope for the following graph

Figure: accuracy versus sampling rate, with the minimum number of packets per classification as the parameter.
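The two sampling methods on the "Random Versus Deterministic Sampling" slide and the accuracy findings just listed can be reproduced on a constructed packet stream. This added Python example (not from the deck) samples 1 out of 10 packets deterministically and randomly, scales the sampled counts back, and measures the relative error per flow: a flow whose packets recur with the same period as the deterministic sampler is either always or never sampled, while random sampling is far more accurate for the flow with many packets than for the 20-packet flow. Flow names, the period and the packet counts are invented.

```python
# Added example (not from the Cisco deck): compare deterministic 1-out-of-N and
# random 1-out-of-N packet sampling on a constructed packet stream, and show why
# the accuracy model only applies to random sampling and favours flows with
# many packets. Flow names, period and counts are invented sample data.
import random

def make_stream(n=10000, period=10):
    """Constructed traffic: flow B sends every `period`-th packet (a periodic
    pattern), flow C sends 20 packets in total, flow A fills the rest."""
    stream = []
    for i in range(n):
        if i % period == period - 1:
            stream.append("B")
        elif i % 500 == 0:
            stream.append("C")
        else:
            stream.append("A")
    return stream

def count_flows(stream):
    counts = {}
    for flow in stream:
        counts[flow] = counts.get(flow, 0) + 1
    return counts

def deterministic_sample(stream, n):
    """Take every n-th packet (the deterministic sampler)."""
    return [pkt for i, pkt in enumerate(stream) if i % n == n - 1]

def random_sample(stream, n, seed=1):
    """Take each packet with probability 1/n (random sampled NetFlow)."""
    rng = random.Random(seed)
    return [pkt for pkt in stream if rng.randrange(n) == 0]

def estimate(sampled, n):
    """Collector side: scale sampled counts by the sampling interval."""
    return {flow: c * n for flow, c in count_flows(sampled).items()}

def relative_error(estimates, truth):
    """|estimate - actual| / actual per flow; a flow never sampled scores 1.0."""
    return {f: abs(estimates.get(f, 0) - truth[f]) / truth[f] for f in truth}

def rms_relative_error(stream, n, trials=100):
    """Root-mean-square relative error of random sampling over many seeds, per flow."""
    truth = count_flows(stream)
    sq = {f: 0.0 for f in truth}
    for seed in range(trials):
        err = relative_error(estimate(random_sample(stream, n, seed), n), truth)
        for f in truth:
            sq[f] += err[f] ** 2
    return {f: (sq[f] / trials) ** 0.5 for f in truth}

if __name__ == "__main__":
    stream, n = make_stream(), 10
    truth = count_flows(stream)
    print("actual packets      ", truth)
    print("deterministic error ", relative_error(estimate(deterministic_sample(stream, n), n), truth))
    print("random error        ", relative_error(estimate(random_sample(stream, n), n), truth))
    print("random rms error    ", rms_relative_error(stream, n))
```

Two things a practitioner should take from the output: with 1-out-of-10 deterministic sampling the periodic flow B is over-estimated by a factor of ten and flow A is never seen at all, which is the traffic-pattern dependence the slide warns about; and with random sampling the error grows as the flow's packet count shrinks, which is why a flow with fewer packets than the sampling interval cannot be estimated reliably at all.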

!et"lo# on the Catalyst 6+00,-600

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

61

Cisco 6500 Series Switch and Cisco 7600 Series Router

- Hybrid: Cisco Catalyst OS on the PFC/supervisor and Cisco IOS Software on the MSFC
- Native Cisco IOS Software: PFC/supervisor and the MSFC both run a single bundled Cisco IOS Software image
- Export is centrally via the supervisor and MSFC; each linecard has its own hardware NetFlow cache and forwarding table, ie: distributed platform

Export versions per supervisor:
                | MSFCx  | Sup1a  | Sup2       | Sup720
Hybrid          | v5     | v7, v8 | v7, v8     | v5, v7, v8
Native 12.1E    | v5     | (illegible) | v5, (illegible) | v5, (illegible)
Native 12.2SX   | v5, v8 | N/A*   | v5, v7, v8 | v5, v7, v8, v9

* No NetFlow support on MSFC with Sup1a

Hardware / Software Division

- Software controls the aging process
- Software uses a hardware search engine to locate entries that it wants to process (ie: all flows with no packets for the last 32 seconds)
- Hardware returns the results of the search to the software to export
- When the Catalyst 6500 cache is full, flows will be dropped
- Lower aging timers will drive CPU higher and can be used to export and keep free space in the hardware cache
- Type of supervisor will dictate flow cache size and capacity

Flow Key

The six fields are a subset of the general fields used to identify a packet flow; this subset is called the Flow Key.

Flow Key (Cont.)

The PFC logic uses the following six fields to identify a flow:
- Source IP address
- Destination IP address
- Source TCP/UDP port number
- Destination TCP/UDP port number
- IP protocol type
- Input VLAN

The ToS bit is supported by, but not counted as, flow-key; it is counted only by PFC-3B and 3BXL to support the ToS bit as a flow identifier; PFC2 and PFC3A do not support it.

Flow Mask

- A combination of the fields selected from the flow key and actually used to identify a flow
- With 6 fields in the flow key, there are 64 possible combinations in total
- 7600 supports 6 combinations: 6 flow masks
  - Full-interface, full, source-only, destination-only, source-destination, source-destination-interface

Flow Mask (Cont.)

- Source-only, destination-only, full, source-destination are supported by both Sup2 and Sup720 for all releases
- "interface-destination-source" and "interface-full" flow masks are supported in Release 12.2(13)E and later images

Flow masks on the Cisco 6500/7600

Flow mask                    | Fields used to identify a flow
Full-Interface               | VLAN, SRC IP, DST IP, IP Protocol, Src Port, Dst Port
Full                         | SRC IP, DST IP, IP Protocol, Src Port, Dst Port
Destination-Source-Interface | VLAN, SRC IP, DST IP
Source-Only                  | SRC IP
Destination-Only             | DST IP
Destination-Source           | SRC IP, DST IP
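As an added Python example (not from the deck), the six flow masks above are applied to a small constructed packet sample to show how many cache entries each mask produces and how an export filter then narrows what is sent to the collector; the field sets follow the mask names on the slide, the traffic is invented, and export_filter is a simplified model of the idea, not the PFC's filter syntax.

```python
# Added example (not from the Cisco deck): apply the six PFC flow masks from the
# slide to a constructed packet sample and count how many NetFlow cache entries
# each mask produces. Mask-to-field assignments follow the mask names; the
# traffic sample and the export_filter helper are invented for illustration.
from collections import namedtuple

Packet = namedtuple("Packet", "vlan src_ip dst_ip proto src_port dst_port length")

# Flow masks: which of the six flow-key fields are used to identify a flow.
FLOW_MASKS = {
    "full-interface": ("vlan", "src_ip", "dst_ip", "proto", "src_port", "dst_port"),
    "full": ("src_ip", "dst_ip", "proto", "src_port", "dst_port"),
    "destination-source-interface": ("vlan", "src_ip", "dst_ip"),
    "destination-source": ("src_ip", "dst_ip"),
    "source-only": ("src_ip",),
    "destination-only": ("dst_ip",),
}

def aggregate(packets, mask_name):
    """Return {flow key: (packets, bytes)} as the hardware cache would hold it."""
    fields = FLOW_MASKS[mask_name]
    cache = {}
    for p in packets:
        key = tuple(getattr(p, f) for f in fields)
        n, b = cache.get(key, (0, 0))
        cache[key] = (n + 1, b + p.length)
    return cache

def entries_per_mask(packets):
    """How many cache entries (and export records) each mask yields for the same traffic."""
    return {name: len(aggregate(packets, name)) for name in FLOW_MASKS}

def export_filter(cache, mask_name, dst_port=None, dst_ip=None):
    """Simplified export filter: keep flows matching the given destination port
    and/or address. A criterion on a field the mask did not keep matches nothing,
    which is the caveat when combining coarse masks with filters."""
    fields = FLOW_MASKS[mask_name]
    kept = {}
    for key, stats in cache.items():
        rec = dict(zip(fields, key))
        if dst_port is not None and rec.get("dst_port") != dst_port:
            continue
        if dst_ip is not None and rec.get("dst_ip") != dst_ip:
            continue
        kept[key] = stats
    return kept

# Constructed sample: three clients talking to a web server and a DNS server.
SAMPLE_PACKETS = [
    Packet(10, "192.168.1.1", "10.1.1.10", 6, 40000, 80, 1500),
    Packet(10, "192.168.1.1", "10.1.1.10", 6, 40001, 80, 500),
    Packet(10, "192.168.1.2", "10.1.1.10", 6, 40000, 80, 1500),
    Packet(20, "192.168.1.2", "10.1.1.10", 6, 40000, 80, 1500),  # same 5-tuple, other VLAN
    Packet(20, "192.168.1.3", "10.1.1.20", 17, 53000, 53, 100),
    Packet(20, "192.168.1.3", "10.1.1.20", 17, 53001, 53, 100),
]

if __name__ == "__main__":
    for name, count in entries_per_mask(SAMPLE_PACKETS).items():
        print(f"{name:30s} {count} entries")
    web = export_filter(aggregate(SAMPLE_PACKETS, "full"), "full", dst_port=80)
    print("full mask, dst port 80 only:", web)
```

The counts drop from six entries with the full-interface mask to two with destination-only, which is the aggregation effect the "Reducing Export Volume" slide relies on; the trade-off is that a coarse mask discards the very fields (ports, protocol) that security monitoring and a port-based export filter need.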

NetFlow Table Specification Summary

Supervisor        | Table Size | Hash Efficiency | Effective Size | Hash Key Size
Sup2              | 128K       | 25%             | 32K            | 17 bits
Sup720            | 128K       | 50%             | 64K            | 36 bits
Sup720-3B         | 128K       | 90%             | 115K           | 36 bits
Sup720-3BXL       | 256K       | 90%             | 230K           | 36 bits
Sup32-8GE         | 128K       | 90%             | 115K           | 36 bits
Sup32-10GE        | 128K       | 90%             | 115K           | 36 bits
Sup720-10GE-3C    | 128K       | 90%             | 115K           | 36 bits
Sup720-10GE-3CXL  | 256K       | 90%             | 230K           | 36 bits

Reducing Export Volume

- Export filters can be used to limit the type of traffic exported from the NetFlow cache
- Flow masks can be used to aggregate traffic and limit what fields are used to create flows in the NetFlow cache
- Random or time based flow sampled NetFlow will select a subset of the flows in the cache and export these

How NetFlow Works on the PFC2

Figure: a 118 bit key (IP DST, IP SRC, IP Proto, TCP DST, TCP SRC) goes through the mask/hash function into a 17 bit index (3 bits page select + 14 bits index); 2^118 possible keys map to 128K entries, organized as 8 pages of 16,000 entries.

A hash function takes a large number as input (the key) and reduces it by a mathematical function (the hash) to a smaller number (the index) within a known range, to be stored into a table.

NetFlow on PFC3

- 3A/3B support a 128k entry NetFlow table; 3BXL has a 256k entry NetFlow table
- Packet key: VLAN, Src IP, Dst IP, IP Protocol, Src & dst port
- 128-bit key (header fields) -> Hash -> 36-bit hashed key -> Match index
- 3A/3B has two 64k entry TCAM banks; 3BXL has two 128K entry TCAM banks

Figure: TCAM -> NetFlow table -> NetFlow statistics table.

7600 Masking and Hashing Strategies

- SUP2: Base key -> Masking logic -> Masked key (118 bit value) -> Hash -> Hashed key (17 bit index)
- SUP720 3BXL - IPv4: Base key -> Masking logic -> Masked key (128 bit value) -> Hash -> Hashed key (36 bit index)
- SUP720 3BXL - IPv6: Base key -> Masking logic -> Masked key (320 bit value) -> Hash -> Hashed key (36 bit index)

Larger (hashed keys) improve hash efficiency as the keys are more evenly distributed.
Larger (hashed keys) provide more efficient TCAM utilization as the TCAM is 36 bits wide.

PFC3BXL TCAM Assisted NetFlow

Figure: 128 bit key -> Key masking logic -> Hash -> 36 bit index -> TCAM (Bank 1 and Bank 2, 128K entries each) -> TCAM match -> SRAM pointer -> NetFlow key table SRAM and NetFlow statistics table SRAM (entries A, B, C), with hit and record count feedback.
- TCAM entry: Valid bit (1) + Hash key (35) = 36 bits
- Hash assisted NetFlow TCAM allows an efficient mapping of 2^128 possible keys to 256K TCAM entries

PFC3 NetFlow Table SRAM

Figure: the TCAM match and SRAM pointer of the previous slide select an entry in the NetFlow key table SRAM and the NetFlow statistics table SRAM (entries A, B, C); a NetFlow alias internal CAM with 64 entries sits beside the key table.

NetFlow table entry includes:
- Key field: match the incoming packet
- Policing field: manage policer thresholds, mark/drop counts, leak rate
- Adjacency control field: adjacency select, loadshare modulus, adjacency pointer

NetFlow table entry layout: Key field 128 bits | Policing field 48 bits | Adj control field 28 bits | S/W & ECC 12 bits = 216 bits

PFC-3BXL NetFlow Table: Key Field

- NetFlow key field varies based on packet type: IPv4, IPv6, MPLS, L2
- IPv4 key (128 bits total): Prot/Msk (4), Vlan/VPN (12), Prot (8), IP DA (32), IP SA (32), Src Port (16), Dst Port (16), Btag (4), VPN Vld (1), Recirc (1), Rs (1), Cent (1), PI (1)
- IPv6 key, split over two 128-bit entries (Key0, Key1) chosen by the NetFlow mask selection: Prot/Msk, IP SA [63:0] (64) and IP SA [127:64] (64), IP DA, Src Port (16), Dst Port (16), Vlan/VPN (12), Prot (8), Btag, VPN Vld, Rs, Cent, PI
- MPLS key: Prot/Msk (4), Top Label (32), Next Label (32), Rs (32), Vlan/VPN (12), Rs (8), Btag (4), VPN Vld (1), Cent (1), PI (1)
- L2 key: Prot/Msk (4), MACd (48), MACs (48), Pck, Vlan/VPN (12), Btag (4), VPN Vld (1), Cent (1), PI (1)
- The masked key feeds the hash function that produces the table index (128K entries per bank)

NetFlow table entry layout: Key field 128 bits | Policing field 48 bits | Control field 28 bits | S/W & ECC 12 bits = 216 bits; NetFlow alias internal CAM: 64 entries

PFC3 NetFlow Statistics SRAM

Figure: the same 128 bit key -> masking -> hash -> 36 bit index -> TCAM (Bank 1, Bank 2) -> SRAM pointer path; the pointer selects both the key table entry and the statistics table entry (entries A, B, C).

NetFlow statistics entry: Statistics field 192 bits + ECC = 204 bits

PFC3 NetFlow Statistics Field

NetFlow statistics field includes:
- Flow creation and last seen timestamps
- Byte and packet counts
- High threshold exceed indicator
- Policer bucket count
- TCP FIN/RST indicator for flow deletion (sticky bit)
- RPF failure indicator for flow deletion (sticky bit)

Statistics field layout (192 bits total): 1st pkt (1) | Fin/rst (1) | Create seen time | Last seen time stamp | Byte count (40) | Packet count (32) | Threshold exceed | Bucket cnt | RPF fail (1) | Control bits; followed by ECC (8)

NetFlow alias internal CAM: 64 entries

PFC3 NetFlow Alias CAM

Figure: the same lookup path (128 bit key -> masking -> hash -> 36 bit index -> TCAM Bank 1 / Bank 2 -> SRAM pointer -> NetFlow key table and statistics table SRAM), with the NetFlow alias internal CAM beside the key table.

- The NetFlow internal CAM has 64 entries to accommodate hash collisions
- Internal CAM entries hold hash values
- When a collision occurs, one new entry gets created in the CAM; the internal CAM will also program a new entry in both the NetFlow table and the statistics SRAM
- NetFlow alias CAM entry: Valid bit (1) + Hash key (35) = 36 bits

NDE Process in the Native Configuration

Figure: the search/purge driver on the switch processor (SP) pulls expired records out of the PFC's hardware forwarding engine (NetFlow key table and NetFlow statistics table); the export process on the route processor (RP) packs Records 1-4 behind an IP header and sends them to the NetFlow collector.

- NDE is handled by both SP and RP
- SP and RP CPU utilization is based on the NetFlow flow aging/collection parameters

NDE Process in the Hybrid Configuration

[Figure: in hybrid mode the Switch Processor runs both the search/purge driver against the PFC NetFlow key and statistics tables and the export process that builds the IP packet carrying records 1..4 for the NetFlow collector.]

- NDE is handled by the SP only

NetFlow Export Filters on the PFC3

- Normally NDE exports ALL expired records
- NDE supports filters that select which export records are sent to the collector: the filter identifies which of the expired (and purged) records reach the collector; records that fail the filter are still purged from the table but never exported
- Filters can be applied on source and destination address, port numbers or specific TCP/UDP ports

[Figure: NetFlow table -> NetFlow engine -> records -> filter -> NetFlow collector]

Cisco Catalyst 6500 Series and Cisco 7600 Series - Versions and Features

- Release 12.1(13)E: PFC2 source/destination interface information (hybrid 6.3(6)); PFC2 source/destination AS information; PFC2 support for version 5 NetFlow data export (hybrid 7.5(1))
- Sampled NetFlow is available on the PFC in Cisco IOS Software Release 12.2(14)SX
- Release 12.2(17b)SXA: Version 8 in native mode and Dual Export
- PFC3b and PFC3bXL (Sup720) cards: first-packet ToS field used for the flow
- Release 12.2(17d)SXB: Dual export support for Sup2

Cisco Catalyst 6500 Series and Cisco 7600 Series - Versions and Features (Cont.)

- Hybrid Catalyst OS 7.5(1): bridged L2 switched traffic (VLAN x to VLAN y) support (MSFC not required)
- Native 12.2(18)SXE: bridged NetFlow, Sup32 or Sup720 (PFC3B)
- Hybrid Catalyst OS 7.3(1) and 6.3(6): destination and source ifIndex export
- Hybrid Catalyst OS 8.4: per-VLAN NetFlow configuration
- 12.2(18)SXF, Dec 2005: ingress multicast NetFlow and version 9
- Under development: NetFlow IPv6 (Q3CY06), per-interface NetFlow (Q3CY06), egress multicast NetFlow (Q3CY06)

Cisco Catalyst 4500 Supervisor IV or V NetFlow Services Card

- NetFlow Services Card features: NetFlow statistics collection and Data Export (NDE); VLAN statistics collection; CLI support for NetFlow and VLAN stats; SNMP support for VLAN stats
- Supervisor Engine V-10GE does not require the card for NetFlow
- Requirements: Supervisor Engine IV or V, Release 12.1(13)EW
- NetFlow versions 1, 5 and 8 with Release 12.1(19)EW; bridged flows with Release 12.2(25)EWA

NetFlow Performance

NetFlow Deployment Managerial Advice

- The current economic environment drives the need to justify the cost of premium service(s) accounting
- IT and management need to agree on which fields to track
- Where in the network (access, distribution, or core)?
- Crucial to set appropriate expectations for management with regard to the frequency of NetFlow reports
- Cisco recommends a trial deployment in one department/area before network-wide implementation

NetFlow Deployment Technical Advice

- IT and management need to agree on which fields to track, currently and in the future
- Do not export Versions 5/7 and 9 simultaneously with Version 8
- Plan the NetFlow deployment in the network topology to avoid a design that creates duplicate flows for billing
- Use a dedicated interface / VLAN for data export
- Monitor the lost packet counter in NFC
- Check the export link bandwidth: estimated export of 3% to 5% of the interface throughput

NetFlow Performance Paper Tests

- NetFlow performance on software platforms depends on the number of flows in the cache; the NetFlow Performance paper covers data on the topic
- Paper at www.cisco.com/go/netflow under "Technical Documents":
  - 0, 1, and 2 NetFlow data export destinations
  - Initial performance after enabling V8 aggregation vs. v5, V9 performance
  - "Full" NetFlow vs. 1:100 sampled NetFlow
  - Hardware: Cisco 2600, 3600, 7200 NPE-400 and NSE-1, 7500 RSP8 VIP4-80 with CEF and dCEF, 12000 Engine 1 linecard dCEF
- Updated performance document available for Flexible NetFlow and new platforms: Cisco 1800, Cisco 2800, Cisco 3800, Cisco 7200 NPE-G2

Performance Testing Conclusions

- Average additional CPU utilization across all platforms tested:

  Number of active flows   Additional CPU utilization
  10,000                   < 4%
  45,000                   < 12%
  65,000                   < 16%

- NetFlow data export (single/dual): no significant impact
- NetFlow 5 versus 8: little or no impact

Performance Testing NetFlow Version 9

- Similar CPU and throughput numbers result from configuration of both NetFlow Version 5 and 9
- No change in NetFlow performance after the addition of Version 9
- Cisco IOS Software Releases 12.0(24)S, 12.2S, and 12.3
- CPU is slightly higher immediately following initial boot-up or configuration, caused by sending the template flowsets to the collector

Reducing Performance Impact

Reduce CPU and memory impact on the router, collector, or network:
- Aging timers (router)
- Sampled NetFlow (router)
- Flow masks (only Catalyst 6000/7600)
- Enable on specific sub-interface (upcoming router feature)

Reducing Performance Impact (Cont.)

Reduce CPU and memory impact on the router, collector, or network:
- Aggregation schemes (v8 on router or on collector)
- Filters (router or collector)
- Data compression (collector)
- Increase collection bucket sizes (collector)
- Collector and router can be placed on the same LAN segment (network)

Introduction of Flexible NetFlow

IOS Traffic Accounting Features

IOS traffic accounting features can be sub-divided into:
- Static features: the number of accounting buckets is statically known and does not depend on traffic, e.g. precedence accounting, BGP PA accounting
- Dynamic features: the number of accounting buckets (flows) depends on traffic, e.g. NetFlow, MAC accounting

New applications constantly require new accounting features. The current approach of developing features one by one does not scale and does not deliver a timely solution.

Flexible NetFlow Benefits

- Superset of Cisco IOS accounting features
- Increased flexibility, scalability and customization beyond today's NetFlow
- The ability to monitor a wider range of packet information, beyond L2/L3/L4
- User configurable flow information to perform customized traffic identification, and the ability to focus on and monitor specific network attributes
- Consistent CLI across features and platforms

Flexible NetFlow Tracking Data with Flow Monitors

Different Flow Monitors for detecting different information:

[Figure: ISP, Branch, Data Center, WAN and Campus, each site with its own flow monitor]
- Peering Flows: Dest. AS, Dest. Traffic Index, BGP Next Hop, DSCP
- IP Flows: IP Subnets, Ports, Protocol, Interfaces, Egress/Ingress
- Multicast Flows: Protocol, Ports, IP Subnets, Packet Replication
- Security Flows: Protocol, Ports, IP Addresses, TCP Flags, Packet Section

Flexible NetFlow Advantage

Traditional NetFlow: one set of flow information, a single cache used by all applications

Flexible NetFlow advantage: different NetFlow applications are tracked separately

Flexible NetFlow benefits:
- Track security and traffic analysis data separately
- Export different Flow Monitors to different destinations
- Customers benefit from detailed analysis for each application

Flexible NetFlow Advantage (Cont.)

Traditional NetFlow: one cache may limit detailed problem isolation

Flexible NetFlow advantage: focused network visibility and problem isolation

Flexible NetFlow benefits:
- Create virtual NetFlow caches to track and isolate issues
- Isolate security or traffic incidents in the network
- Customized traffic identification combined with input filtering
- Allows pinpoint accuracy in determining and isolating incidents

Flexible NetFlow Advantage (Cont.)

Traditional NetFlow: limited data aggregation and fixed flow fields

Flexible NetFlow advantage: user selected flow information increasing scalability; visibility into new types of data using version 9 export

Flexible NetFlow benefits:
- Select only the information that is needed
- Better use of flow cache and aggregation
- New information from layer 2 and above, including packet sections

Flexible NetFlow Multiple Monitors with Unique Key Fields

The same packet (3.3.3.3 -> 2.2.2.2, TCP port 23 -> 22078, TOS 0, arriving on Ethernet 0) is accounted by two monitors with different key fields:

Flow Monitor 1 (traffic analysis)
  Key fields:     Source IP, Destination IP, Source Port, Destination Port, Layer 3 Protocol, TOS Byte, Input Interface
  Packet values:  3.3.3.3, 2.2.2.2, 23, 22078, TCP (6), 0, Ethernet 0
  Non-key fields: Packets, Bytes, Timestamps, Next Hop Address

Flow Monitor 2 (security analysis)
  Key fields:     Source IP, Dest IP, Input Interface, SYN Flag
  Packet values:  3.3.3.3, 2.2.2.2, Ethernet 0, 0
  Non-key fields: Packets, Timestamps

Traffic Analysis Cache
  Source IP  Dest. IP  Source Port  Dest. Port  Protocol  TOS  Input I/F  ...  Pkts
  3.3.3.3    2.2.2.2   23           22078       6         0    E0         ...  (count)

Security Analysis Cache
  Source IP  Dest. IP  Input I/F  Flag  ...  Pkts
  3.3.3.3    2.2.2.2   E0         0     ...  (count)

Flexible NetFlow Model

[Figure: an Interface feeds Monitors "A", "B" and "C"; each monitor references one Record ("X", "Y" or "Z"); monitors send their data to Exporters "M" and "N", and one monitor may use several exporters.]

- A single record per monitor
- Potentially multiple monitors per interface
- Potentially multiple exporters per monitor

Flexible NetFlow Configuration

- Configure the Exporter: where do I want my data sent?
- Configure the Flow Record: what data do I want to meter?
- Configure the Flow Monitor: creates a new NetFlow cache; attach the flow record; the exporter is attached to the cache; optional sampling configuration
- Configure the Interface: enable NetFlow on the interface
Predefined Record for Traditional NetFlow

All aggregations are possible, for quick backwards compatibility:

  Router(config)# flow monitor my-monitor
  Router(config-flow-monitor)# record netflow ipv4 ?
    as                       AS aggregation schemes
    as-tos                   AS and TOS aggregation schemes
    bgp-nexthop-tos          BGP next-hop and TOS aggregation schemes
    destination-prefix       Destination Prefix aggregation schemes
    destination-prefix-tos   Destination Prefix and TOS aggregation schemes
    original-input           Traditional IPv4 input NetFlow
    original-output          Traditional IPv4 output NetFlow
    prefix                   Source and Destination Prefixes aggregation schemes
    prefix-port              Prefixes and Ports aggregation scheme
    prefix-tos               Prefixes and TOS aggregation schemes
    protocol-port            Protocol and Ports aggregation scheme
    protocol-port-tos        Protocol, Ports and TOS aggregation scheme
    source-prefix            Source AS and Prefix aggregation schemes
    source-prefix-tos        Source Prefix and TOS aggregation schemes

Configure a User-Defined Flow Record

Configure the Exporter
  Router(config)# flow exporter my-exporter
  Router(config-flow-exporter)# destination 1.1.1.1

Configure the Flow Record
  Router(config)# flow record my-record
  Router(config-flow-record)# match ipv4 destination address
  Router(config-flow-record)# match ipv4 source address
  Router(config-flow-record)# collect counter bytes

Configure the Flow Monitor
  Router(config)# flow monitor my-monitor
  Router(config-flow-monitor)# exporter my-exporter
  Router(config-flow-monitor)# record my-record

Configure the Interface
  Router(config)# int s3/0
  Router(config-if)# ip flow monitor my-monitor input

Flexible NetFlow User Defined Record Configuration

  Router(config)# flow record my-record
  Router(config-flow-record)# match    -> specify a key field
  Router(config-flow-record)# collect  -> specify a non-key field

  Router(config-flow-record)# match ?
    flow        Flow identifying fields
    interface   Interface fields
    ipv4        IPv4 fields
    routing     routing attributes
    transport   Transport layer field

  Router(config-flow-record)# collect ?
    counter     Counter fields
    flow        Flow identifying fields
    interface   Interface fields
    ipv4        IPv4 fields
    routing     IPv4 routing attributes
    timestamp   Timestamp fields
    transport   Transport layer fields

Flexible Flow Record: Key Fields

Flow
  Sampler ID, Direction

IPv4
  IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Protocol, Fragmentation Flags, Fragmentation Offset, Identification, Header Length, Total Length, Payload Size, Packet Section (Header), Packet Section (Payload), TTL, Options bitmap, Version, Precedence, DSCP, TOS

IPv6
  IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Protocol, Traffic Class, Flow Label, Option Header, Header Length, Payload Length, Payload Size, Packet Section (Header), Packet Section (Payload), DSCP, Extension Headers, Hop-Limit, Length, Next-header, Version

Interface
  Input, Output

Layer 2
  Source VLAN, Destination VLAN, Source MAC address, Destination MAC address

Flexible Flow Record: Key Fields (Cont.)

Routing
  Source or Destination AS, Peer AS, Traffic Index

Transport
  Destination Port, Source Port, ICMP Code, ICMP Type, ICMP Type*, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, TCP Flag: ACK, TCP Flag: CWR, TCP Flag: ECE, TCP Flag: FIN, TCP Flag: PSH, TCP Flag: RST, TCP Flag: SYN, TCP Flag: URG, UDP Message Length, UDP Source Port, UDP Destination Port

Application
  Application ID*

Forwarding Status

IGP Next Hop

BGP Next Hop

Multicast
  Replication Factor*, RPF Check Drop*, Is-Multicast

*: IPv4 flows only

Flexible Flow Record: Non-Key Fields

Counters
  Bytes, Bytes Long, Bytes Square Sum, Bytes Square Sum Long, Packets, Packets Long

Timestamp
  sysUpTime First Packet, sysUpTime Last Packet

IPv4
  Total Length Minimum, Total Length Maximum, TTL Minimum, TTL Maximum

Plus any of the potential "key" fields: when collected as a non-key field, the value is taken from the first packet in the flow.

Forwarding Status

The forwarding status field carries a status and a reason code.
Status: 00 - Unknown, 01 - Forwarded, 10 - Dropped, 11 - Consumed

The CSV cache format shows the field as the last column of each flow line:

  Router# show flow monitor <monitor> cache format csv
  Cache type:       Normal
  Cache size:       4096
  Current entries:  ...
  High Watermark:   ...
  Flows added:      ...
  Flows aged:       ...
    - Active timeout   (... secs)
    - Inactive timeout (... secs)
    - Event aged                  0
    - Watermark aged              0
    - Emergency aged              0
  IP FLOW STATUS,IPV4 SRC ADDR,IPV4 DST ADDR,TRNS SRC PORT,TRNS DST PORT,...,INTF INPUT,FLOW DIRN,IP FORWARDING STATUS
  Forward,<src>,<dst>,<sport>,<dport>,...,Se0/...,Input,0x...

(Counter values in the original screenshot are not legible in this copy.)

Flow Exporter Configuration

  flow exporter <exporter-name>
    destination <ipv4-address> [vrf <vrf-name>]
    dscp <value>
    option {exporter-stats | interface-table | sampler-table} timeout <value in sec>
    source <interface-name>
    template resend timeout <value in sec>
    transport udp <destination-port>
    ttl <value>

- Three types of options data record: exporter-stats, interface-table, sampler-table
- The (option) template is (re)sent every X seconds, as set by the template timeout

Flexible Monitor Configuration

  flow monitor <monitor-name>
    record <record-name>
    exporter <exporter-name>                       (potentially multiple exporters)
    cache type {normal | immediate | permanent}    (three types of cache: see next slides)
    cache entries <number-of-entries>
    cache timeout {active | inactive | update} <value-in-sec>
    statistics packet protocol                     (collect protocol distribution statistics)
    statistics packet size                         (collect size distribution statistics)

Flexible Flow Monitor Cache Types

Normal cache
- Similar to today's NetFlow
- More flexible active and inactive timers: one second minimum

Immediate cache
- A flow accounts for a single packet
- Desirable for real-time traffic monitoring, DDoS detection, logging
- Desirable when only very small flows are expected (e.g. sampling)
- Caution: may result in a large amount of export data

Permanent cache
- Tracks a set of flows without expiring them from the cache
- The entire cache is periodically exported (update timer)
- After the cache is full (size configurable), new flows are not monitored
- Uses update (cumulative) counters rather than delta counters
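The two slides above (one packet stream feeding a traffic-analysis monitor and a security-analysis monitor with different key fields, and the three cache types) can be made concrete with a small flow-cache model. The following is an added example, not code from the presentation or from Cisco IOS: match fields form the cache key, collect fields are copied from the first packet of a flow, the normal cache ages on active/inactive timers, the immediate cache exports every packet, and the permanent cache stops admitting flows once full. The packet stream (a 50-port SYN scan from 3.3.3.3, interface name Et0, timer values) is constructed for the example, and timers are evaluated on packet arrival rather than by a real clock.

```python
"""Toy model of Flexible NetFlow flow monitors: 'match' (key) fields, 'collect'
(non-key) fields and the normal / immediate / permanent cache types.
Added illustration, not Cisco code; timers are evaluated on packet arrival."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed per-packet summary: the fields a flow record can match or collect."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tos: int
    ifindex: str
    syn: bool
    length: int
    ts: float            # seconds since boot, like sysUpTime


@dataclass
class FlowEntry:
    collected: dict      # non-key values, taken from the first packet of the flow
    first_seen: float
    last_seen: float = 0.0
    packets: int = 0
    bytes: int = 0


class FlowMonitor:
    def __init__(self, name, match, collect=(), cache_type="normal",
                 entries=4096, active=1800, inactive=15):
        self.name, self.match, self.collect = name, tuple(match), tuple(collect)
        self.cache_type, self.max_entries = cache_type, entries
        self.active, self.inactive = active, inactive
        self.cache = {}          # key tuple -> FlowEntry
        self.exported = []       # (key, packets, bytes, collected) handed to the exporter
        self.not_monitored = 0   # permanent cache full: new flow not accounted

    def key_of(self, pkt):
        return tuple(getattr(pkt, f) for f in self.match)

    def observe(self, pkt):
        self.age(pkt.ts)         # aging runs before the lookup, as the timer would
        key = self.key_of(pkt)
        ent = self.cache.get(key)
        if ent is None:
            if len(self.cache) >= self.max_entries:
                if self.cache_type == "permanent":
                    self.not_monitored += 1
                    return
                # normal cache under pressure: evict the least recently updated flow
                self.expire(min(self.cache, key=lambda k: self.cache[k].last_seen))
            ent = self.cache[key] = FlowEntry(
                {f: getattr(pkt, f) for f in self.collect}, first_seen=pkt.ts)
        ent.packets += 1
        ent.bytes += pkt.length
        ent.last_seen = pkt.ts
        if self.cache_type == "immediate":      # every packet is its own flow
            self.expire(key)

    def expire(self, key):
        ent = self.cache.pop(key)
        self.exported.append((key, ent.packets, ent.bytes, ent.collected))

    def age(self, now):
        if self.cache_type != "normal":
            return
        for key, ent in list(self.cache.items()):
            if now - ent.first_seen >= self.active or now - ent.last_seen >= self.inactive:
                self.expire(key)

    def update_export(self):
        """Permanent cache: export every entry on the update timer, keep the entries."""
        return [(k, e.packets, e.bytes) for k, e in self.cache.items()]


TRAFFIC_KEYS = ("src", "dst", "sport", "dport", "proto", "tos", "ifindex")
SECURITY_KEYS = ("src", "dst", "ifindex", "syn")


def scan_traffic():
    """Constructed stream: 50 SYNs from one host to 50 ports, then a packet 80 s later."""
    pkts = [Packet("3.3.3.3", "2.2.2.2", 40000 + i, 1000 + i, 6, 0, "Et0", True, 60, float(i))
            for i in range(50)]
    pkts.append(Packet("3.3.3.3", "2.2.2.2", 45000, 22, 6, 0, "Et0", False, 1500, 80.0))
    return pkts


def run_two_monitors():
    """Same packets, two caches: 50 seven-tuple flows vs. one (src, dst, if, SYN) flow."""
    traffic = FlowMonitor("traffic-analysis", TRAFFIC_KEYS, collect=("ifindex",))
    security = FlowMonitor("security-analysis", SECURITY_KEYS)
    for p in scan_traffic():
        traffic.observe(p)
        security.observe(p)
    return traffic, security


def run_permanent_and_immediate():
    """Permanent cache sized for two DSCP values; immediate cache exporting per packet."""
    dscp = FlowMonitor("dscp", ("tos", "ifindex"), cache_type="permanent", entries=2)
    every = FlowMonitor("every-packet", ("src", "dst"), cache_type="immediate")
    for i, tos in enumerate((0, 0x2e, 0x12, 0)):    # third DSCP value does not fit
        p = Packet("1.1.1.1", "2.2.2.2", 1, 2, 17, tos, "Et0", False, 100, float(i))
        dscp.observe(p)
        every.observe(p)
    return dscp, every
```

After `run_two_monitors()` the traffic-analysis cache has exported 50 one-packet flows while the security-analysis cache collapsed the whole scan into a single flow of 50 packets, which is the point of keying on the SYN flag rather than the port pair. The inactive timeout (15 s) is what expires the scan flows when the late packet arrives; in the permanent cache the third DSCP value is simply not accounted, so size the cache for the full key space before relying on it for accounting.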


Complete Permanent Flexible NetFlow Configuration Example

Per-DSCP accounting flow record definition (the "long" counters are 64-bit):

  Router(config)# flow record my-dscp-record
  Router(config-flow-record)# match ipv4 dscp
  Router(config-flow-record)# match interface input
  Router(config-flow-record)# collect counter bytes long
  Router(config-flow-record)# collect counter packets long

  Router(config)# flow monitor my-dscp-monitor
  Router(config-flow-monitor)# description dscp bytes and packets
  Router(config-flow-monitor)# record my-dscp-record
  Router(config-flow-monitor)# cache type permanent
  Router(config-flow-monitor)# cache entries 256

  Router(config)# interface GigabitEthernet 0/1
  Router(config-if)# ip flow monitor my-dscp-monitor input

This would replace "IP accounting precedence".

Complete Permanent Flexible NetFlow Configuration Example (Cont.)

Extra display options: CSV, table, record. Flow keys are shown in upper case.

  Router# show flow monitor my-dscp-monitor cache
  Cache type:                            Permanent
  Cache size:                            256
  Cache timeout update:                  1800 secs

  IP DSCP  INTF INPUT  pkts long perm  bytes long perm
  =======  ==========  ==============  ===============
  0x00     Gi0/1                   10             1000
  0x01     Gi0/1                    5              500

Flexible NetFlow Activation on Interface

  Router(config-if)# ip flow monitor <monitor-name> [sampler <sampler-name>] [input | output]

- input | output selects the ingress or egress traffic of the interface; it does not determine the flow key
- Attaching a sampler makes the exporter send the "sampler-table" option
- Deterministic or random sampling is available:

  Router(config)# sampler <sampler-name>
  Router(config-sampler)# mode {deterministic | random} <value N> out-of <value M>

Packet Section Fields

- Contiguous chunk of a packet of a user configurable size, used as a key or a non-key field
- Sections are used for detailed traffic monitoring, DDoS attack investigation, worm detection and other security applications
- A chunk defined as a flow key should be used in sampled mode with an immediate-aging cache, since every distinct section value is otherwise a new flow
- Starts at the beginning of the IPv4 header:
    collect | match ipv4 header <size in bytes>
- Immediately follows the IPv4 header:
    collect | match ipv4 payload <size in bytes>

Flexible NetFlow - NetFlow v5 Export Format

- Most customers today export flow records using the NetFlow v5 export format. Prior to 12.4(22)T, Flexible NetFlow only supported NetFlow v9.
- Migrating from Traditional NetFlow to Flexible NetFlow therefore required customers to change the IOS configuration and upgrade their collectors to support v9 at the same time.
- NetFlow v5 export format support in Flexible NetFlow enables a smooth migration.
- Customers can migrate to Flexible NetFlow while exporting the same flow records in NetFlow v5 format, eliminating the need for a collector upgrade.
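The collector-side difference between the two formats is what drives the migration problem described above. The following is an added example, not code from the presentation or a Cisco product: it decodes a v5 packet (fixed 24-byte header plus 48-byte records, self-describing) and a v9 packet (20-byte header plus template and data flowsets), caching v9 templates per exporter address and source ID so that a data flowset arriving before its template is counted as undecodable rather than misparsed. The exporter address 192.0.2.1, template ID 256, the sample flows and the header timestamps are constructed for the example; the element IDs used (1, 2, 4, 7, 8, 11, 12) are the standard v9 field types for IN_BYTES, IN_PKTS, PROTOCOL, L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT and IPV4_DST_ADDR.

```python
"""Decode NetFlow v5 and v9 export packets the way a collector has to.
Added illustration, not Cisco code; the packets are constructed inline with struct,
not captured from a router."""
import ipaddress
import struct

V5_HDR = struct.Struct("!HHIIIIBBH")                   # 24 bytes
V5_REC = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")    # 48 bytes
V9_HDR = struct.Struct("!HHIIII")                      # 20 bytes
V9_FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
                  8: "src_addr", 11: "dst_port", 12: "dst_addr"}
V9_TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]  # (type, length)


def parse_v5(data):
    """Fixed-format v5: header then `count` 48-byte records; no templates needed."""
    version, count, *_ = V5_HDR.unpack_from(data)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if len(data) != V5_HDR.size + count * V5_REC.size:
        raise ValueError("record count does not match packet length")
    flows = []
    for i in range(count):
        f = V5_REC.unpack_from(data, V5_HDR.size + i * V5_REC.size)
        flows.append({"src_addr": str(ipaddress.IPv4Address(f[0])),
                      "dst_addr": str(ipaddress.IPv4Address(f[1])),
                      "in_pkts": f[5], "in_bytes": f[6], "src_port": f[9],
                      "dst_port": f[10], "tcp_flags": f[11], "protocol": f[12]})
    return flows


class V9Decoder:
    """Templates are cached per (exporter address, source_id, template_id); data flowsets
    whose template has not been seen yet are counted in .undecodable and dropped."""

    def __init__(self):
        self.templates = {}
        self.undecodable = 0

    def feed(self, exporter, data):
        version, _count, _uptime, _secs, _seq, source_id = V9_HDR.unpack_from(data)
        if version != 9:
            raise ValueError(f"not NetFlow v9: version {version}")
        flows, off = [], V9_HDR.size
        while off + 4 <= len(data):
            set_id, length = struct.unpack_from("!HH", data, off)
            if length < 4 or off + length > len(data):
                raise ValueError("bad flowset length")   # never walk past the packet
            body = data[off + 4:off + length]
            if set_id == 0:
                self._learn_templates(exporter, source_id, body)
            elif set_id >= 256:
                flows.extend(self._decode(exporter, source_id, set_id, body))
            off += length                                 # set_id 1 (options) is skipped
        return flows

    def _learn_templates(self, exporter, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            pos += 4
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(exporter, source_id, tid)] = fields

    def _decode(self, exporter, source_id, tid, body):
        fields = self.templates.get((exporter, source_id, tid))
        rec_len = sum(length for _, length in fields) if fields else 0
        if rec_len == 0:
            self.undecodable += 1
            return []
        out = []
        for pos in range(0, len(body) - rec_len + 1, rec_len):  # trailing bytes = padding
            rec, p = {}, pos
            for ftype, flen in fields:
                raw = body[p:p + flen]
                p += flen
                name = V9_FIELD_NAMES.get(ftype, f"type{ftype}")
                rec[name] = (str(ipaddress.IPv4Address(raw)) if ftype in (8, 12)
                             else int.from_bytes(raw, "big"))
            out.append(rec)
        return out


def build_v5(flows):
    hdr = V5_HDR.pack(5, len(flows), 1000, 1700000000, 0, 0, 0, 0, 0)
    recs = b"".join(V5_REC.pack(
        ipaddress.IPv4Address(f["src"]).packed, ipaddress.IPv4Address(f["dst"]).packed,
        b"\0\0\0\0", 1, 2, f["pkts"], f["bytes"], 0, 0, f["sport"], f["dport"],
        f.get("flags", 0), f["proto"], 0, 0, 0, 0, 0) for f in flows)
    return hdr + recs


def build_v9(flows, template_id=256, with_template=True, source_id=1):
    sets = b""
    if with_template:
        tpl = struct.pack("!HH", template_id, len(V9_TEMPLATE))
        tpl += b"".join(struct.pack("!HH", t, l) for t, l in V9_TEMPLATE)
        sets += struct.pack("!HH", 0, 4 + len(tpl)) + tpl
    recs = b"".join(
        ipaddress.IPv4Address(f["src"]).packed + ipaddress.IPv4Address(f["dst"]).packed
        + struct.pack("!HHBII", f["sport"], f["dport"], f["proto"], f["bytes"], f["pkts"])
        for f in flows)
    recs += b"\0" * (-len(recs) % 4)                      # pad the data flowset to 4 bytes
    sets += struct.pack("!HH", template_id, 4 + len(recs)) + recs
    return V9_HDR.pack(9, len(flows) + int(with_template), 1000, 1700000000, 0, source_id) + sets


FLOWS = [  # constructed sample flows, not router output
    {"src": "3.3.3.3", "dst": "2.2.2.2", "sport": 23, "dport": 22078, "proto": 6,
     "pkts": 11, "bytes": 1100, "flags": 0x02},
    {"src": "10.1.1.9", "dst": "10.10.10.7", "sport": 53, "dport": 40001, "proto": 17,
     "pkts": 1, "bytes": 120},
]


def demo():
    v5 = parse_v5(build_v5(FLOWS))
    dec = V9Decoder()
    early = dec.feed("192.0.2.1", build_v9(FLOWS, with_template=False))  # data before template
    v9 = dec.feed("192.0.2.1", build_v9(FLOWS))
    return v5, early, v9, dec.undecodable
```

The v5 parser needs nothing but the packet, which is why a v5-only collector keeps working after the router is moved to Flexible NetFlow with v5 export. The v9 decoder cannot decode anything until the template flowset has arrived, so on a collector the template refresh interval (the exporter's template timeout) directly sets how long flows are lost after a collector restart, and the per-exporter template key prevents one exporter's template IDs from being applied to another exporter's data.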


Flexible NetFlow IPv4 Multicast Support

Multicast FNF provides the ability to collect specific characteristics of multicast flows:
- Support IPv4 multicast flows
- Account for replicated packets in both ingress and egress directions
- Capture ingress RPF drops
- Export multicast related information in V9 format
- Allow the replication factor to be collected as both a key and a non-key field

Flexible NetFlow TopTalkers

- Flexible NetFlow allows users to gather a lot of information about the traffic in the network. To facilitate troubleshooting, users need advanced filtering capabilities to display a subset of a Flow Monitor cache in real time.
- Flexible NetFlow TopTalkers is a generic instrumentation to display Flow Monitor content
- Works with any type of flows/fields (IPv4, IPv6, L2, ...)

Flexible NetFlow TopTalkers (Cont.)

Flexible NetFlow TopTalkers introduces advanced search capabilities:
- Flow Filtering: select flows based on specific values of any field defined for that cache
- Flow Aggregation: aggregate on a subset of the key and non-key fields present in the flows of an FNF cache
- Flow Sorting: control how the displayed cache entries are sorted, on any field present in the flows of an FNF cache, in order or in reverse order

Flow Filtering, Flow Aggregation and Flow Sorting can be combined to select what information is displayed and how.

Flexible NetFlow TopTalkers - Examples

Top ten IP addresses that are sending the most bytes:
  Router# show flow monitor <monitor> cache aggregate ipv4 source address sort highest counter bytes top 10

Top five destination addresses within the 10.10.10.0/24 prefix to which we are routing the most traffic:
  Router# show flow monitor <monitor> cache filter ipv4 destination address 10.10.10.0/24 aggregate ipv4 destination address sort highest counter bytes top 5

The five VLANs to which we are sending the least bytes:
  Router# show flow monitor <monitor> cache aggregate datalink dot1q vlan output sort lowest counter bytes top 5

Top 20 sources of one-packet flows:
  Router# show flow monitor <monitor> cache filter counter packets 1 aggregate ipv4 source address sort highest flow packets top 20
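The four queries above are compositions of the same three operations (filter, aggregate, sort/top). The following is an added example, not code from the presentation or Cisco IOS, that implements those operations over constructed cache entries and reproduces the four queries as functions; field names (ipv4_src, ipv4_dst, dport, vlan_out) and the cache content are invented for the example. Aggregation also reports how many cache entries were merged into each row, which is the "flows" count the last query sorts on.

```python
"""Filter, aggregate and sort over flow-cache entries, the three TopTalkers operations
behind 'show flow monitor <name> cache filter ... aggregate ... sort ... top N'.
Added illustration, not Cisco code; the cache content is constructed."""
import ipaddress
from collections import defaultdict

CACHE = [  # constructed entries of an IPv4 monitor keyed on src, dst, dport, output VLAN
    {"ipv4_src": "10.1.1.5", "ipv4_dst": "10.10.10.7", "dport": 80, "vlan_out": 10, "packets": 120, "bytes": 90000},
    {"ipv4_src": "10.1.1.5", "ipv4_dst": "10.10.10.9", "dport": 443, "vlan_out": 10, "packets": 40, "bytes": 52000},
    {"ipv4_src": "10.1.1.6", "ipv4_dst": "10.10.10.7", "dport": 80, "vlan_out": 20, "packets": 300, "bytes": 20000},
    {"ipv4_src": "10.1.1.6", "ipv4_dst": "192.0.2.44", "dport": 25, "vlan_out": 30, "packets": 1, "bytes": 60},
    {"ipv4_src": "10.1.1.6", "ipv4_dst": "192.0.2.45", "dport": 25, "vlan_out": 30, "packets": 1, "bytes": 60},
    {"ipv4_src": "10.1.1.7", "ipv4_dst": "10.10.10.9", "dport": 22, "vlan_out": 20, "packets": 10, "bytes": 9000},
]


def flow_filter(entries, **criteria):
    """Keep entries whose fields equal the criteria; an IPv4Network criterion is a prefix match."""
    def matches(e):
        for fld, want in criteria.items():
            if isinstance(want, ipaddress.IPv4Network):
                if ipaddress.IPv4Address(e[fld]) not in want:
                    return False
            elif e[fld] != want:
                return False
        return True
    return [e for e in entries if matches(e)]


def aggregate(entries, *fields, counters=("packets", "bytes")):
    """Merge entries sharing the chosen fields, summing counters; 'flows' = entries merged."""
    rows = defaultdict(lambda: dict.fromkeys(counters, 0) | {"flows": 0})
    for e in entries:
        row = rows[tuple(e[f] for f in fields)]
        row["flows"] += 1
        for c in counters:
            row[c] += e[c]
    return [dict(zip(fields, key)) | row for key, row in rows.items()]


def top(entries, counter, n, lowest=False):
    """sort highest|lowest <counter> top <n>"""
    return sorted(entries, key=lambda e: e[counter], reverse=not lowest)[:n]


def top_sources_by_bytes(n=10):
    return top(aggregate(CACHE, "ipv4_src"), "bytes", n)


def top_destinations_in(prefix, n=5):
    net = ipaddress.IPv4Network(prefix)
    return top(aggregate(flow_filter(CACHE, ipv4_dst=net), "ipv4_dst"), "bytes", n)


def quietest_vlans(n=5):
    return top(aggregate(CACHE, "vlan_out"), "bytes", n, lowest=True)


def single_packet_flow_sources(n=20):
    """Sources with the most one-packet flows: a quick scan / spray indicator."""
    return top(aggregate(flow_filter(CACHE, packets=1), "ipv4_src"), "flows", n)
```

Note that the filter is applied before aggregation, as on the router: filtering on the destination prefix and then aggregating by destination gives per-host totals inside the prefix, whereas aggregating first would lose the per-entry fields the filter needs.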

NBAR Integration in Flexible NetFlow

- NetFlow has been used to provide visibility into network utilization: who, what, where, when
- Applications can no longer be identified from L3/L4 information alone
- Application visibility is a MUST. Example: port 80 is overloaded, but by which applications?
- NBAR (Network Based Application Recognition) offers a deep packet inspection mechanism
- NBAR is integrated in Flexible NetFlow in the coming 12.4T images

NBAR Custom Application Examples

  ip nbar custom lunar_light 8 ascii moonbeam tcp range 2000 2999
  class-map solar_system
    match protocol lunar_light
  policy-map astronomy
    class solar_system
      set ip dscp AF21
  interface Serial1
    service-policy output astronomy

  ip nbar custom virus_home 20 hex variable scid 1 dest udp 5001 5005
  class-map active-craft
    match protocol virus_home scid 0x15
    match protocol virus_home scid 0x21
  class-map passive-craft
    match protocol virus_home scid 0x11
    match protocol virus_home scid 0x22

Flexible NetFlow Configuration Example (NBAR application field)

  router(config)# flow record app_record
  router(config-flow-record)# match ipv4 source address
  router(config-flow-record)# match ipv4 destination address
  router(config-flow-record)# match application name
  router(config-flow-record)# collect counter packets
  router(config-flow-record)# collect counter bytes

  router(config)# flow monitor app_monitor
  router(config-flow-monitor)# record app_record
  router(config)# interface eth0/0
  router(config-if)# ip flow monitor app_monitor in

The exported application ID and the NBAR Protocol Discovery MIB index are the same numbering.

Useful Show Commands

- List of all possible information elements:
    show flow exporter export-ids netflow-v9
- Template assignment:
    show flow exporter templates
- High watermark in the cache:
    show flow monitor <flow-monitor> statistics
- NetFlow configuration:
    show running flow [exporter | monitor | record]
- Cache collisions:
    show flow monitor my-monitor internal


NetFlow & Flexible NetFlow Roadmap

Platform Feature Comparison: Exporting Process

Features compared: Version 5, Version 8, Version 9, Dual Export, VRF Destination, Reliable Export

Minimum release per platform:
- Software (IOS): Version 5 12.0(1), Version 8 12.0(3)T, Version 9 12.3, Dual Export 12.2(2)T, VRF Destination 12.4(4)T, Reliable Export 12.3(4)T
- C6500: Version 5 12.1(2)E, Version 8 12.2(14)SX, Version 9 12.2(18)SXF, Dual Export 12.2(17d)SXB
- C7600: Version 5 12.1(2)E, Version 8 12.2(14)SX, Version 9 12.2(18)SXF, Dual Export 12.2(17d)SXB
- c12000: 12.0(14)S, 12.0(6)S, 12.0(24)S, 12.0(26)S
- C10000: 12.0(19)SL, 12.0(19)SL, 12.2(31)SB, 12.2(15)BX
- C4500: 12.1(13)EW, 12.1(19)EW, 12.1(19)EW
Cells not listed are either not available or on the roadmap.

Platform Feature Comparison: Exporting Process (IOS XR and IOS XE)

Features compared: Version 5, Version 8, Version 9, Dual Export, VRF Destination, Reliable Export

- CRS-1 and XR 12000 (IOS XR): 3.2, 3.4.0, 3.2, 3.3.0, 3.4.0, 3.3.0
- ASR 1000 (IOS XE): 2.1 for four of the six features
Cells not listed are either not available or on the roadmap.

Platform Feature Comparison: Traditional NetFlow Metering Process

Features compared: IPv4, IPv6, Multicast, BGP Next Hop, Per Interface, TOS Support, Packet Sampling, Min Prefix Aggregation, MPLS Egress with EXP, MPLS Egress, MPLS Aware, MPLS Label Export, MPLS Aggregation

Releases listed per platform:
- Software (IOS): 12.0(1), 12.3(7)T, 12.3, 12.3, Yes, Yes, 12.3(24), 12.1(2)T, 12.2(2)T, 12.3(8)T, 12.2SB, 12.2(31)SB, 12.2(31)SB
- C6500: 12.1(27b)E, 12.2(33)SXH, 12.2(18)SXF, 12.2(18)SXF, 12.2(33)SXH, 12.2(17b)SXA, 12.2(33)SX
- C7600: 12.2(18)SXF, 12.2(33)SRB, 12.2(18)SXF, 12.2(33)SRA, 12.2(33)SRB, 12.2(17b)SXA, 12.2(33)SRA, 12.2(33)SRB
- c12000: 12.0(22)S, 12.0(26)S, No Sub, Yes, Yes, 12.0(24)S
- C10000: 12.2(15)BX, 12.2(31)SB, 12.2(15)BX, Yes, 12.2(31)SB, Yes, 12.2(28)SB
- C4500: 12.1(13)EW
Cells not listed are either not available or on the roadmap.

Platform Feature Comparison: Traditional NetFlow Metering Process (IOS XR and IOS XE)

Features compared: IPv4, IPv6, Multicast, BGP Next Hop, Per Interface, TOS Support, Packet Sampling, Min Prefix Aggregation, MPLS Egress with EXP, MPLS Egress, MPLS Aware, MPLS Label Export, MPLS Aggregation

Releases listed per platform:
- CRS-1 (IOS XR): 3.2, 3.3.1, 3.5.0, 3.5.0, 3.2.0, 3.5.0, 3.2, 3.3, 3.3.0, 3.2, 3.2
- XR 12000 (IOS XR): 3.3.0, 3.6.0, 3.3, 3.3, 3.3.0, 3.3, 3.3
- ASR 1000 (IOS XE): 2.1 for five of the features
Cells not listed are either not available or on the roadmap.

Platform Feature Comparison: Traditional NetFlow Metering Process (Cont.)

Features compared: Egress/Output NetFlow, Bridged NetFlow, Input Filters, TCP Flags, MAC Address, Security Exports, VLAN Export

Releases listed per platform:
- Software (IOS): 12.3(11)T, 12.3(4)T, 12.1(2)T, 12.3(14)T, 12.3(14)T, 12.4(4)T
- C6500: 12.2(18)SXE
- C7600: 12.2(18)SXE, 12.2(33)SRA
- c12000: 12.0(10)ST
- C10000: 12.2(31)SB, 12.2(28)SB
- C4500: 12.2(25)EW
Cells not listed are either not available or on the roadmap.

Platform Feature Comparison: Traditional NetFlow Metering Process (Cont., IOS XR and IOS XE)

Features compared: Egress/Output NetFlow, Bridged NetFlow, Input Filters, TCP Flags, MAC Address, Security Exports, VLAN Export

Releases listed per platform:
- CRS-1 (IOS XR): 3.2, 3.2
- XR 12000 (IOS XR): 3.3, 3.3
- ASR 1000 (IOS XE): 2.1, 2.1
Cells not listed are either not available or on the roadmap.

Platform Feature Comparison: Miscellaneous Features

Features compared: NetFlow MIB with Top Talkers, Dynamic Top Talkers CLI, ISSU, NetFlow ifIndex-to-Name Map

Releases listed per platform:
- Software (IOS): 12.3(11)T, 12.4(4)T, 12.4(4)T
- C6500: 12.2(33)SXH
- C7600: 12.2(33)SRB
Cells not listed (C12000, C10000, ASR 1000) are either not available or on the roadmap.

Sampled NetFlow - Platform Feature Comparison

Features compared: Systematic Sampling, Random Sampling, Output Sampled NetFlow, Flow Sampling

[Figure: packet sampling -> cache -> flow sampling in the NetFlow cache -> export]

Releases listed per platform:
- Software (IOS): 12.3(11)T, 12.4(9)T
- C6500 and C7600: 12.1(13)E, 12.1(13)E
- C12000: 12.0(11)S, 12.0(33)S, 12.0(24)S
- C10K: 12.2(31)SB
Cells not listed are either not available or on the roadmap.

Sampled NetFlow - Platform Feature Comparison (IOS XR and IOS XE)

Features compared: Systematic Sampling, Random Sampling, Output Sampled NetFlow, Flow Sampling

[Figure: packet sampling -> cache -> flow sampling in the NetFlow cache -> export]

Releases listed per platform:
- CRS-1 (IOS XR): 3.2
- XR 12000 (IOS XR): 3.3
- ASR 1000 (IOS XE): 2.1, 2.1
Cells not listed are either not available or on the roadmap.

Platform Feature Comparison: Flexible NetFlow

Features compared: New Flexible NetFlow CLI, Multiple User Defined Caches, Immediate Cache, Permanent Cache, Header Section Export, Payload Section Export, Ingress support, Egress support, Random Sampling, Full Flow support, FNF QoS output features, Dynamic TopN Talkers

- Cisco ISR/72xx: 12.4(9)T for the first ten features; FNF QoS output features 12.4(20)T; Dynamic TopN Talkers 12.4(22)T
- C6500: 12.2(50)SY (ten features)
- C12000: 12.0(33)S (ten features)
- C4500/K10: 12.2SG* (all features)
*: not committed yet

Platform Feature Comparison: Flexible NetFlow
Legend: Available Now / Not Available / Roadmap; *: not committed yet
Features: New Flexible NetFlow CLI; Multiple User Defined Caches; Immediate Cache; Permanent Cache; Header Section Export; Payload Section Export; Ingress support; Egress support; Random Sampling; Full Flow support; FNF QoS output features; Dynamic Top-N Talkers
Platforms: CRS-1; XR12000; ASR9000; ASR1000; Nexus 7000

Platform Feature Comparison: Flexible NetFlow
Legend: Available Now / Not Available / Roadmap; *: not committed yet
Features: NetFlow v5; NetFlow v9; IPFIX Export; Reliable Export (SCTP); IPv4 Unicast Flows; IPv4 Predefined Aggregations; IPv6 Unicast Flows; IPv6 Predefined Aggregations; IPv4 Multicast Flows; IPv6 Multicast Flows; Layer 2 Flows; Ingress VRF name
Platforms: Cisco ISR/72xx; C6500; C12000; C4500/K10

Platform Feature Comparison: Flexible NetFlow
Legend: Available Now / Not Available / Roadmap; *: not committed yet
Features: NetFlow v5; NetFlow v9; IPFIX Export; Reliable Export (SCTP); IPv4 Unicast Flows; IPv4 Predefined Aggregations; IPv6 Unicast Flows; IPv6 Predefined Aggregations; IPv4 Multicast Flows; IPv6 Multicast Flows; Layer 2 Flows; Ingress VRF name
Platforms: CRS-1; XR12000; ASR9000; ASR1000; Nexus 7000

Platform Feature Comparison: Flexible NetFlow
Legend: Available Now / Not Available / Roadmap; *: not committed yet
Features: MQC Integration; NBAR Integration; MPLS Flows; MPLS + IPv4 Flows; MPLS + IPv6 Flows; MPLS + IPv6/IPv4 Flows; FNF EEM Monitor
Platforms: Cisco ISR/72xx; C6500; C12000; C4500/K10

Platform Feature Comparison: Flexible NetFlow
Legend: Available Now / Not Available / Roadmap
Features: MQC Integration; NBAR Integration; MPLS Flows; MPLS + IPv4 Flows; MPLS + IPv6 Flows; MPLS + IPv6/IPv4 Flows; FNF EEM Monitor
Platforms: CRS-1; XR12000; ASR9000; ASR1000; Nexus 7000

Flexible Flow Record: Key Fields

Flow: Sampler ID; Direction
IPv4: IP (Source or Destination); Prefix (Source or Destination); Mask (Source or Destination); Minimum-Mask (Source or Destination); Protocol; Fragmentation Flags; Fragmentation Offset; Identification; Header Length; Total Length; Payload Size; Packet Section (Header); Packet Section (Payload); TTL; Options bitmap; Version; Precedence; DSCP; TOS
IPv6: IP (Source or Destination); Prefix (Source or Destination); Mask (Source or Destination); Minimum-Mask (Source or Destination); Protocol; Traffic Class; Flow Label; Option Header; Header Length; Payload Length; Payload Size; Packet Section (Header); Packet Section (Payload); DSCP; Extension Headers; Hop-Limit; Length; Next-header; Version
Interface: Input; Output
Layer 2: Source VLAN; Destination VLAN; Source MAC address; Destination MAC address

Flexible Flow Record: Key Fields

Routing: src or dest AS; Peer AS; Traffic Index; Forwarding Status; IGP Next Hop; BGP Next Hop
Transport: Destination Port; Source Port; ICMP Code; ICMP Type; IGMP Type*; TCP ACK Number; TCP Header Length; TCP Sequence Number; TCP Window-Size; TCP Source Port; TCP Destination Port; TCP Urgent Pointer; TCP Flag: ACK; TCP Flag: CWR; TCP Flag: ECE; TCP Flag: FIN; TCP Flag: PSH; TCP Flag: RST; TCP Flag: SYN; TCP Flag: URG; UDP Message Length; UDP Source Port; UDP Destination Port
Application: Application ID*
Multicast: Replication Factor*; RPF Check Drop*; Is-Multicast
*: IPv4 Flow only
