• Developed by Cisco Systems in 1996
• The value of information in the cache was a secondary discovery – initially designed as a switching path
• NetFlow is now the primary network accounting technology in the industry
• Answers questions regarding IP traffic: who, what, where, when, and how
• NetFlow version 9 is an IETF standard
Netflow Overview
Traffic Analysis
• What we need:
– application performance
– application-based accounting
– network security
– network behavior, application recognition
• Options for traffic analysis:
– 'debug ip packet' in router?
– IP sniffing in a shared LAN (or using a switch to do so)
– Port span in a switch (how about port span in a router?)
– Circuit sniffing
– NetFlow
• What we prefer in the backbone:
1. Create and update flows in NetFlow Cache
2. Expiration
3. Aggregation?
4. Export Version
5. Transport Protocol
Expiration conditions (a flow is expired from the cache when):
• Inactive timer expired (15 sec is default)
• Active timer expired (30 min (1800 sec) is default)
• NetFlow cache is full (oldest flows are expired)
• RST or FIN TCP flag
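The cache behaviour in steps 1 and 2 above, as an added example that is not part of the slides and not Cisco code: packets are keyed by the seven key fields, and an entry leaves the cache (is "exported") on the inactive timer, the active timer, a TCP FIN/RST, or when the cache is full, in which case the oldest entry goes first. The timer values are the IOS defaults quoted above; the packet sequence in demo() is constructed to trigger each reason once.

```python
"""Constructed model of a NetFlow cache with the four expiration reasons listed above.
Added example; not Cisco code."""
from collections import OrderedDict
from dataclasses import dataclass

INACTIVE_TIMEOUT = 15        # seconds, IOS default
ACTIVE_TIMEOUT = 30 * 60     # seconds, IOS default
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Flow:
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0       # OR of the flags seen on every packet of the flow


class FlowCache:
    def __init__(self, max_entries=4):
        self.max_entries = max_entries
        self.cache = OrderedDict()   # flow key -> Flow; insertion order doubles as age
        self.exported = []           # (key, Flow, reason) in export order

    def _expire(self, key, reason):
        self.exported.append((key, self.cache.pop(key), reason))

    def sweep(self, now):
        """Expire entries whose inactive or active timer has run out."""
        for key, flow in list(self.cache.items()):
            if now - flow.last_seen >= INACTIVE_TIMEOUT:
                self._expire(key, "inactive timer")
            elif now - flow.first_seen >= ACTIVE_TIMEOUT:
                self._expire(key, "active timer")

    def packet(self, now, src_if, src_ip, dst_ip, proto, sport, dport, tos, length, flags=0):
        self.sweep(now)
        key = (src_if, src_ip, dst_ip, proto, sport, dport, tos)   # the 7 key fields
        flow = self.cache.get(key)
        if flow is None:
            if len(self.cache) >= self.max_entries:
                self._expire(next(iter(self.cache)), "cache full")  # oldest entry first
            flow = self.cache[key] = Flow(first_seen=now, last_seen=now)
        flow.last_seen = now
        flow.packets += 1
        flow.bytes += length
        flow.tcp_flags |= flags
        if proto == 6 and flags & (TCP_FIN | TCP_RST):
            self._expire(key, "FIN/RST")


def demo():
    """Constructed packet sequence exercising every expiration reason; returns them in order."""
    c = FlowCache(max_entries=2)
    tcp = dict(src_if="Eth0", src_ip="10.0.0.1", dst_ip="10.0.0.2", proto=6, sport=1234, dport=80, tos=0)
    c.packet(0, length=60, flags=TCP_SYN, **tcp)
    c.packet(1, length=1500, flags=TCP_ACK, **tcp)
    c.packet(2, length=60, flags=TCP_FIN | TCP_ACK, **tcp)        # TCP teardown -> exported at once
    udp = dict(src_if="Eth0", dst_ip="10.0.0.2", proto=17, sport=5000, dport=53, tos=0)
    c.packet(3, src_ip="10.0.0.5", length=100, **udp)
    c.packet(20, src_ip="10.0.0.5", length=100, **udp)            # 17 s idle -> inactive timer, then a new entry
    c.packet(21, src_ip="10.0.0.6", length=100, **udp)
    c.packet(22, src_ip="10.0.0.7", length=100, **udp)            # cache full -> oldest entry (10.0.0.5) exported
    for t in range(32, 1840, 10):                                 # keep 10.0.0.7 busy past the 30 min active timer
        c.packet(t, src_ip="10.0.0.7", length=100, **udp)
    return [reason for _, _, reason in c.exported]


if __name__ == "__main__":
    print(demo())
```

The active timer is what turns a long-lived transfer into a series of records a collector can rate; the inactive timer is what keeps a one-packet probe in the cache for only 15 seconds, which is why SYN floods show up as a burst of one-packet records.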
[Figure: an export packet consists of a Header followed by a Payload (flows); steps 2 and 3 are shown feeding it. Sample cache entry: Protocol 11, Pkts 11000, SrcPort 00A2, DstPort 00A2, Bytes/Pkt 1528. Full cache fields: SrcIf SrcIPadd DstIf DstIPadd Protocol TOS Flgs Pkts SrcPort SrcMsk SrcAS DstPort DstMsk DstAS NextHop Bytes/Pkt Active Idle]
Router> sh ip flow export
Flow export v5 is enabled for main cache
  Exporting flows to 192.168.1.2 (2055) 192.168.2.3 (2054)
  Exporting using source interface Loopback0
  Version 5 flow records, origin-as
  998016649 flows exported in 33267252 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
  0 export packets were dropped enqueuing for the RP
  0 export packets were dropped due to IPC rate limiting
Version 7
• Adds NetFlow switching support for:
– Cisco Catalyst 5000 Series Switches with an RSM
– Cisco Catalyst 5000 Series Switches with an MSFC
• Uses MultiLayer Switching (MLS) or CEF with Cisco Catalyst 6000 Series Switches with SUP2
• IP unicast only: no multicast or IPX, even if MLS can do all three
• MLS cache is the equivalent of the NetFlow cache
Version 8
• Router-based aggregation
• Enables router to summarize NetFlow data
• Reduces NetFlow Export data volume
• Decreases NetFlow Export bandwidth requirements
• Currently 11 aggregation schemes:
– Five original schemes
– Six new schemes with the TOS byte field
• Several aggregations can be enabled simultaneously
Version 9
Fixed formats (versions 1, 5, 7, and 8) are not flexible and adaptable
Cisco needed to build a new version each time a customer wanted to export new fields
When new versions are created, partners need to reengineer to support the new export format
Solution: Build a flexible and extensible export format!
Netflow v9 Principles
• Version 9 is an export format
• Still a push model
• Sends the template regularly (configurable)
• Independent of the underlying protocol; it is ready for any reliable protocol (i.e. TCP, SCTP)
• Advantage: we can add new technologies and data types quickly
• E.g. MPLS, IPv6, BGP Next Hop, Multicast
Netflow V9 Template
• NetFlow Version 9 Export format is template based. Version 9 record format consists of a packet header followed by at least one or more template or data FlowSets. A template FlowSet (collection of one or more template) provides a description of the fields that will be present in future data FlowSets. Templates provide an extensible design to the record format, a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format.
• Template composed of type and length
• Flow records composed of template ID and value
• Sends the template regularly (configurable), because of UDP
Netflow Version 9 Scenario
Netflow v9: Example for Template Definition
Netflow Version9 Export Packet
Netflow v9: Example for 1 Export Packet
NetFlow v9 Export Packet
[Figure: an export packet is a Header (version, # packets, sequence #, Source ID) followed by a Template FlowSet (FlowSet ID, Template ID with its specific field types and lengths), a Data FlowSet (FlowSet ID) and an Option Template FlowSet]
• Matching ID #s is the way to associate Template to the Data Records
• The Header follows the same format as prior NetFlow versions so Collectors will be backward compatible
• Each Data Record represents one flow
• If exported flows have the same fields then they can be contained in the same Template Record e.g. unicast traffic can be combined with multicast records
• If exported flows have different fields then they can’t be contained in the same Template Record e.g. BGP next-hop can’t be combined with MPLS Aware NetFlow records
[Figure: flows from Interface A and Interface B are described by Template Records with Template ID #1 and Template ID #2 (specific field types and lengths) and carried as Data Records (field values); an Option Data FlowSet (FlowSet ID) carries Option Data Records (field values)]
To support technologies such as MPLS or Multicast, this export format can be leveraged to easily insert new fields
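The template mechanism described above (template composed of type and length, data records matched to a template by ID, templates resent periodically because the transport is UDP) as an added example; this is not code from the slides or from Cisco. It builds a v9 export packet with a Template FlowSet (FlowSet ID 0) and a Data FlowSet (FlowSet ID = Template ID 256), then feeds it to a minimal collector that keeps templates per (Source ID, Template ID). The field type numbers are the standard v9 ones (IN_BYTES = 1, IN_PKTS = 2, PROTOCOL = 4, L4_SRC_PORT = 7, IPV4_SRC_ADDR = 8, L4_DST_PORT = 11, IPV4_DST_ADDR = 12); the flow values are constructed, the first one copied from the multicast example later in the slides. The first packet in demo() arrives before any template and is counted as undecodable, which is the situation a periodic template refresh resolves. Options Template FlowSets (ID 1) are ignored.

```python
"""Minimal NetFlow v9 exporter/collector pair showing template and data FlowSets.
Added example; not Cisco code. Field type numbers follow the v9 export format."""
import ipaddress
import struct

FIELD_TYPES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}
# Constructed template: (field type, field length in bytes), in record order.
TEMPLATE = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (2, 4), (1, 4)]
TEMPLATE_ID = 256            # data templates start at 256; 0 and 1 are template FlowSets


def build_template_flowset(template_id, fields):
    """Template FlowSet: FlowSet ID 0, then template ID, field count, (type, length) pairs."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def encode_record(fields, values):
    out = b""
    for (ftype, flen), value in zip(fields, values):
        out += ipaddress.IPv4Address(value).packed if ftype in IPV4_FIELDS else value.to_bytes(flen, "big")
    return out


def build_data_flowset(template_id, fields, records):
    """Data FlowSet: FlowSet ID = template ID, records packed back to back, padded to 4 bytes."""
    body = b"".join(encode_record(fields, r) for r in records)
    pad = (-len(body)) % 4
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\x00" * pad


def build_export_packet(flowsets, count, seq, source_id=1, uptime=123456, unix_secs=1700000000):
    """20-byte v9 header (version, count, sysUptime, unix secs, sequence, source ID) + FlowSets."""
    return struct.pack("!HHIIII", 9, count, uptime, unix_secs, seq, source_id) + b"".join(flowsets)


class Collector:
    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(type, length), ...]
        self.flows = []       # decoded data records as dicts
        self.dropped = 0      # data FlowSets that arrived before their template

    def receive(self, packet):
        version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not a v9 export packet")
        offset = 20
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
            if fs_len < 4:
                break                                    # malformed length; stop rather than spin
            body = packet[offset + 4:offset + fs_len]
            if fs_id == 0:
                self._parse_templates(source_id, body)
            elif fs_id >= 256:
                self._parse_data(source_id, fs_id, body)
            offset += fs_len

    def _parse_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(source_id, tid)] = fields   # matching IDs tie data records to this template

    def _parse_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.dropped += 1                            # no template yet: records cannot be decoded
            return
        rec_len = sum(l for _, l in fields)
        pos = 0
        while pos + rec_len <= len(body):                # trailing bytes shorter than a record are padding
            rec = {}
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                pos += flen
                name = FIELD_TYPES.get(ftype, f"type{ftype}")
                rec[name] = str(ipaddress.IPv4Address(raw)) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big")
            self.flows.append(rec)


def demo():
    """Constructed records; the first mirrors the multicast flow shown later in the slides."""
    records = [("10.0.0.2", "224.10.10.100", 17, 0xA2, 0xA2, 21, 23100),
               ("192.0.2.7", "198.51.100.9", 6, 40000, 443, 12, 9800)]
    tmpl = build_template_flowset(TEMPLATE_ID, TEMPLATE)
    data = build_data_flowset(TEMPLATE_ID, TEMPLATE, records)
    collector = Collector()
    collector.receive(build_export_packet([data], len(records), seq=1))          # template not yet seen
    collector.receive(build_export_packet([tmpl, data], len(records) + 1, seq=2))  # template refresh + data
    return collector
```

A collector that drops records until a template arrives is behaving correctly; what a deployment tunes is the template refresh interval so that the window after a collector restart stays short.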
NetFlow v9 Export
test(config)# ip flow-export version ?
  1
  5
  9
test(config)# ip flow-export version 9
Configuring Version 9 export
test(config)# ip flow-aggregation cache as
test(config-flow-cache)# enabled
test(config-flow-cache)# export ?
destination Specify the Destination IP address
version configure aggregation cache export version
test(config-flow-cache)# export version ?
8 Version 8 export format
9 Version 9 export format
test(config-flow-cache)# export version 9
Configuring Version 9 export for an aggregation scheme
Export versions available for standard NetFlow flows
Export versions available for aggregated NetFlow flows
IETF: IP Flow information Export(IPFIX) Working Group
• IPFIX is an effort to:
– Define the notion of a "standard IP flow"
– Devise data encoding for IP flows
– Consider the notion of IP flow information export based upon packet sampling
– Identify and address any security and privacy concerns affecting flow data
– Specify the transport mapping for carrying IP flow information (IETF approved congestion-aware transport protocol)
– Netflow version 9 has been selected as a basis for the IPFIX protocol
IETF: Packet Sampling WG(PSAMP)
• PSAMP agreed to use IPFIX(Netflow version9) for export
• PSAMP is an effort to:
– specify a set of selection operations by which packets are sampled
– describe protocols by which information on sampl
Flat-rate billing does not necessarily scale. Competitive pricing models can be created with usage-based billing.
Usage-based billing considerations:
• Time of day
• Within or outside of the network
• Application
• Distance-based
• Quality of Service (QoS) / Class of Service (CoS)
• Bandwidth usage
• Transit or peer
• Data transferred
• Traffic class
Tracking Users
Who are my top N talkers, and what percentage of traffic do they represent?
How many users are on the network at a given time? When will upgrades affect the least number of users?
How long do users spend connected to the network? Which Internet sites do they use? What is a typical pattern of usage between sites? Are users staying within an acceptable usage policy (AUP)?
Alarm on DoS attacks like smurf, fraggle, and SYN flood: watch for these attacks regardless of source / destination.
Principle Netflow Benefits
Service Provider
• Peering arrangements
• Network Planning
• Traffic Engineering
• Accounting and billing
• Security Monitoring
Enterprise
• Internet access monitoring (protocol distribution, where traffic is going/coming)
• User Monitoring
• Application Monitoring
• Charge Back billing for departments
• Security Monitoring
NetFlow – Charge Back Billing
[Figure: departments R&D, HR and Finance sharing one Internet link]
Account per network (rather than per IP address)
Example: charge the department for the cost of the Internet link
NetFlow – Peering Agreement
Account per BGP AS, to Review Peering Agreements
[Figure: pie chart of outbound traffic share per peer ISP (Uunet, Digex, Erols, BBN, AT&T, AMU, C&W, JHU, PACBell Internet Service, RCN, OARnet, SURAnet, Compuserve, OLABSNET, WebTV, WEC); the two largest shares are 32% and 20%, followed by 10%, 8%, 8%, 6%, 4%, 2% and a tail of 1% peers. Caption: Public Routers 1, 2, 3, Month of September – Outbound Traffic]
MPLS Aware NetFlow (v9)
IP Fields
Source and destination IP address
Input and output sub-interfaces
Transport layer protocol
Source and destination application port numbers
8 bit IP Type of Service (ToS)
TCP Flags (accumulation from all packets in the flow)
MPLS Fields
Up to three incoming MPLS labels with experimental (EXP) bits and end-of-stack (S) bit
Position of each of the three labels
Type of the top label
IP address associated with the top label
Traditional NetFlow Fields
Number of packets
Number of bytes (count either IP or MPLS header / payload)
Time-stamps of first and last packets in the flow
[Figure: traffic flow IP → MPLS → IP across PE, P, P, PE routers]
Traditional NetFlow for IP to MPLS traffic
Egress MPLS NetFlow Accounting
• IP information only
• Ideal for billing
• Current availability: Cisco IOS Software Releases 12.0(10)ST and 12.1(5)T
MPLS Aware NetFlow (version 9)
• Exports up to three MPLS labels, and IP packet information
• Ideal for Traffic Engineering
• Will be available in Cisco IOS Software Releases 12.0(24)S, 12.2S, and 12.3
Egress MPLS NetFlow Accounting for MPLS to IP traffic
Autonomous System
3600-4(config)# ip flow-export version 5 ?
  origin-as  record origin AS
  peer-as    record peer AS
  <cr>
3600-4(config)#
• Origin-AS: specifies that export statistics include the origin autonomous system (AS) for the source and destination
• Peer-AS: specifies that export statistics include the peer AS for the source and destination
Autonomous System
[Figure: chain of autonomous systems AS 101 – AS 102 – AS 103 – AS 104 – AS 105 – AS 106, with NetFlow enabled on the router in the middle of the path]
Configuring Peer-AS
• Source AS = AS 103
• Destination AS = AS 105
Router(config)# ip flow-export version 5 peer-as
Configuring Origin-AS
• Source AS = AS 101
• Destination AS = AS 106
Router(config)# ip flow-export version 5 origin-as
BGP next-hop
• Supported only in version 9 export
• For traffic engineering/analysis and possible billing applications
• Fields that are exported include all those found in version 5 export
• Will be supported in Cisco IOS Software Releases 12.0(26)S, 12.2S, and 12.3
BGP next-hop
Netflow BGP next-hop
BGP next-hop Details
• Supported only in version 9 export
• For traffic engineering/analysis (traffic matrix) and possible billing applications. "What is the next hop IP address of my BGP traffic?"
• Exported fields include all version 5 fields, including IP next hop
• Adds 16 bytes to each Netflow flow record (goes from 64 bytes to 80 bytes), while CPU increase is negligible
• Edge to Edge traffic matrix for engineering/analysis and possible billing applications
• Supported in Cisco IOS Software releases 12.0(26)S, 12.2(18)S, and 12.3(1)
BGP next-hop
pamela(config)# ip flow-export version ?
  1
  5
  9
pamela(config)# ip flow-export version 9
Configuring Version 9 export
pamela(config)# ip flow-export version 9 ?
bgp-nexthop record BGP NextHop
origin-as record origin AS
peer-as record peer AS
<cr>
pamela(config)# ip flow-export version 9 bgp-nexthop
Configuring Version 9 export with BGP next-hop
Multicast NetFlow
Three types of NetFlow implementations for Multicast traffic:
1. Traditional NetFlow
2. Multicast NetFlow Ingress
3. Multicast NetFlow Egress
Multicast – Traditional NetFlow
[Figure: router with input interface Eth 0 (from source 10.0.0.2) and output interfaces Eth 1, Eth 2, Eth 3; NetFlow collector server at 127.0.0.1; (S, G) = (10.0.0.2, 224.10.10.100)]
Traditional NetFlow configuration:
Interface Ethernet 0
 ip route-cache flow
ip flow-export version 9
ip flow-export destination 127.0.0.1 9995
Flow Record Created in NetFlow Cache
• There is only one flow per NetFlow configured input interface
• The 7 key fields that define a unique flow are marked in red
• Destination interface is marked as "Null"
• Bytes and Packets are the incoming values
SrcIf SrcIPadd DstIf DstIPadd Protocol TOS Flgs SrcPort SrcMsk DstPort DstMsk NextHop Bytes Packets Active Idle
• There is only one flow per NetFlow configured input interface
• The 7 key fields that define a unique flow are marked in red
• Destination interface is marked as "Null"
• Bytes and Packets are the outgoing values
SrcIf SrcIPadd DstIf DstIPadd Protocol TOS Flgs SrcPort SrcMsk DstPort DstMsk NextHop Bytes Packets Active Idle
• There is one flow per Multicast NetFlow Egress configured output interface
• One of the 7 key fields that define a unique flow has changed from Source Interface to Destination Interface
• Bytes and Packets are the outgoing values
SrcIf  SrcIPadd  DstIf  DstIPadd       Protocol  TOS  Flgs  SrcPort  SrcMsk  DstPort  DstMsk  NextHop  Bytes  Packets  Active  Idle
Eth 0  10.0.0.2  Eth 1  224.10.10.100  11        80   10    00A2     /24     00A2     /24              23100  21       1745    4
Eth 0  10.0.0.2  Eth 2  224.10.10.100  11        80   10    00A2     /24     00A2     /24              23100  21       1745    4
Eth 0  10.0.0.2  Eth 3  224.10.10.100  11        80   10    00A2     /24     00A2     /24              23100  21       1745    4
Multicast NetFlow – Summary
Supported via NetFlow version 9 export format
Availability: Cisco IOS Software Releases 12.0(27)S, 12.2S, and 12.3; not supported in 120000
Performance: Ingress vs. Egress
• Multicast NetFlow Ingress and traditional NetFlow will have similar performance numbers
• Multicast NetFlow Egress will have a performance impact that is proportional to the number of interfaces on which it is enabled (including the input interface)
Cisco Catalyst 6500/7600 Series Switches
• Do not currently support the tracking of multicast traffic via NetFlow due to a current ASIC limitation
• Will have this support in a future Supervisor
How to Identify a Security Attack?
• Suddenly highly-increased overall traffic in the network
• Higher CPU and memory utilization of network devices
• Unexpectedly large amount of traffic generated by individual hosts
• Increased number of accounting records generated
• Multiple accounting records with abnormal content, like one packet per flow record (e.g. TCP SYN flood)
• A changed mix of traffic applications, e.g. a sudden increase of "unknown" applications
• An increase of certain traffic types and messages, e.g. TCP resets or ICMP messages
• An increasing number of ACL violations
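Three of the indicators above, and the top-N talker question from the Tracking Users slide, computed over constructed flow records as an added example (not from the slides, not Cisco or Arbor code): one-packet SYN-only flows concentrating on one destination (the "one packet per flow record" pattern of a TCP SYN flood), the top-N sources with their share of bytes, and the share of traffic on ports the site does not know. The KNOWN_PORTS table and all flow records are constructed; the thresholds are assumptions to be tuned per network.

```python
"""Attack indicators over constructed NetFlow-style records. Added example; not Cisco code."""
from collections import Counter

TCP_SYN, TCP_ACK = 0x02, 0x10
KNOWN_PORTS = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}  # constructed site table


def constructed_flows():
    """Constructed flow records (dicts) standing in for exported data records."""
    flows = [
        dict(src="10.1.1.10", dst="192.0.2.5", proto=6, sport=40001, dport=443,
             flags=TCP_SYN | TCP_ACK, pkts=120, bytes=150000),
        dict(src="10.1.1.11", dst="192.0.2.53", proto=17, sport=5353, dport=53,
             flags=0, pkts=2, bytes=200),
        dict(src="10.1.1.12", dst="203.0.113.9", proto=6, sport=40002, dport=6881,
             flags=TCP_SYN | TCP_ACK, pkts=30, bytes=20000),
    ]
    # 50 single-packet SYN-only flows from different sources toward one web server
    for i in range(50):
        flows.append(dict(src=f"198.51.100.{i + 1}", dst="10.1.1.80", proto=6,
                          sport=1024 + i, dport=80, flags=TCP_SYN, pkts=1, bytes=60))
    return flows


def syn_flood_candidates(flows, min_flows=20):
    """(dst, port) pairs receiving at least min_flows one-packet, SYN-only TCP flows."""
    per_dst = Counter()
    for f in flows:
        syn_only = (f["flags"] & TCP_SYN) and not (f["flags"] & TCP_ACK)
        if f["proto"] == 6 and f["pkts"] == 1 and syn_only:
            per_dst[(f["dst"], f["dport"])] += 1
    return {k: v for k, v in per_dst.items() if v >= min_flows}


def top_talkers(flows, n=3):
    """Top-N sources by bytes with their percentage of all traffic."""
    total = sum(f["bytes"] for f in flows)
    by_src = Counter()
    for f in flows:
        by_src[f["src"]] += f["bytes"]
    return [(src, b, round(100 * b / total, 1)) for src, b in by_src.most_common(n)]


def unknown_app_share(flows, known=KNOWN_PORTS):
    """Percentage of bytes whose destination port is not in the known-application table."""
    total = sum(f["bytes"] for f in flows)
    unknown = sum(f["bytes"] for f in flows if f["dport"] not in known)
    return round(100 * unknown / total, 1)


if __name__ == "__main__":
    flows = constructed_flows()
    print("SYN flood candidates:", syn_flood_candidates(flows))
    print("Top talkers:", top_talkers(flows))
    print("Unknown-application share: %.1f%%" % unknown_app_share(flows))
```

Each indicator on its own produces false positives (a busy backup host is a top talker; a new internal application shows up as "unknown"), so these are best used as a baseline compared over time rather than as fixed alarms.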
What Does a DOS Attack Look Like?
NetFlow – Mitigating Attacks
1. Cost Saver
• "sh ip cache flow" command to find top volume flows
• Identify source of attack
• Write access-list to block
• Monitor via "show ip cache flow" & "Null" entry in DestIf field to show that it is blocked
• Prefix-port aggregation can be configured, while "sh ip cache flow aggregation prefix-port" is used
2. Most Effective
• Arbor Networks leverages NetFlow to provide a quicker
Precedence bits      Decimal  Precedence  Function
1 1 1 x x x x x      224      7           Network Control (link layer keepalives)
1 1 0 x x x x x      192      6           Internetwork Control (Routing Protocols)
1 0 1 x x x x x      160      5           CRITIC/ECP (Express Forwarding)
1 0 0 x x x x x      128      4           Flash Override (Class 4)
0 1 1 x x x x x      96       3           Flash (Class 3)
0 1 0 x x x x x      64       2           Immediate (Class 2)
0 0 1 x x x x x      32       1           Priority (Class 1)
0 0 0 x x x x x      0        0           Routine (Best effort)
Delay, Throughput, and Reliability bits
Delay bit
x x x 0 x x x x      0        Delay - normal
x x x 1 x x x x      16       Delay - low
Throughput bit
x x x x 0 x x x      0        Throughput - normal
x x x x 1 x x x      8        Throughput - high
Reliability bit
x x x x x 0 x x      0        Reliability - normal
x x x x x 1 x x      4        Reliability - high
Explicit Congestion Notification (ECN) bits: ECN-capable Transport (ECT) bit, Congestion Experienced (CE) bit
x x x x x x 0 0      0        Not ECN-capable
x x x x x x 0 1      1        Endpoints of transport protocol ECN-capable
x x x x x x 1 0      2        Endpoints of transport protocol ECN-capable
x x x x x x 1 1      3        Congestion experienced
Tracking TOS with NetFlow
7200-3-netflow# show ip cache verbose flow
SrcIf  SrcIPaddress   DstIf  DstIPaddress   Pr TOS Flgs Pkts
Port Msk AS           Port Msk AS           NextHop        B/Pk Active
SR6/0  210.210.210.2  PO1/0  200.200.200.2  FF 00  10   21K
0000 /0  0            0000 /0  0            0.0.0.0        1496 665.4
SR6/0  210.210.210.2  PO1/0  200.200.200.2  06 C0  00   21K
0000 /0  0            0000 /0  0            0.0.0.0        1496 666.0

7200-3-netflow# show ip cache verbose flow
SrcIf  SrcIPaddress   DstIf  DstIPaddress   Pr TOS Flgs Pkts
Port Msk AS           Port Msk AS           NextHop        B/Pk Active
Et1/1  52.52.52.1     Fd4/0  42.42.42.1     01 55  10   3748
0000 /8  50           0000 /8  40           202.120.130.2  28   17.8
Et1/2  52.52.52.1     Fd4/0  42.42.42.1     01 CC  10   3568
0000 /8  50           0000 /8  40           202.120.130.2  28   17.8
Et1/2  10.1.3.2       Fd4/0  42.42.42.1     01 C0  10   1124
0000 /0  0            0000 /8  40           202.120.130.2  28   17.8

Hex  Decimal  Binary
55   85       0101 0101  Precedence 2 - Immediate (Class 2), Delay - low, Reliability - high, Endpoints of transport protocol ECN-capable
C0   192      1100 0000  Precedence 6 - Internetwork Control (Routing Protocols)
CC   204      1100 1100  Precedence 6 - Internetwork Control (Routing Protocols), Throughput - high, Reliability - high
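The TOS decoding in the table above, as an added example that is not part of the slides and not Cisco code. decode_tos() splits the byte into precedence (top three bits), the Delay/Throughput/Reliability bits (16, 8, 4) and the two ECN bits; describe_tos() produces the same wording as the table, and tos_from_flow_line() pulls the TOS column out of the first line of a "show ip cache verbose flow" entry pair in the layout shown above (the sample lines are the ones from the slide). control_precedence_sources() is a defender's check built on top: hosts whose flows carry precedence 6 or 7, which normally only routers and their control protocols should set.

```python
"""TOS byte decoder for NetFlow records. Added example; not Cisco code."""
PRECEDENCE = {
    7: "Network Control (link layer keepalives)",
    6: "Internetwork Control (Routing Protocols)",
    5: "CRITIC/ECP (Express Forwarding)",
    4: "Flash Override (Class 4)",
    3: "Flash (Class 3)",
    2: "Immediate (Class 2)",
    1: "Priority (Class 1)",
    0: "Routine (Best effort)",
}
# Low two bits: 00 not ECN-capable, 01 ECT(1), 10 ECT(0), 11 congestion experienced
ECN = {
    0: "Not ECN-capable",
    1: "Endpoints of transport protocol ECN-capable",
    2: "Endpoints of transport protocol ECN-capable",
    3: "Congestion experienced",
}


def decode_tos(tos):
    """Split one TOS byte into its precedence, D/T/R and ECN components."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS is a single byte")
    return {
        "precedence": tos >> 5,
        "precedence_name": PRECEDENCE[tos >> 5],
        "delay_low": bool(tos & 0x10),
        "throughput_high": bool(tos & 0x08),
        "reliability_high": bool(tos & 0x04),
        "ecn": tos & 0x03,
        "ecn_name": ECN[tos & 0x03],
    }


def describe_tos(tos):
    """Same wording as the decoding table on the slide."""
    d = decode_tos(tos)
    parts = [f"Precedence {d['precedence']} - {d['precedence_name']}"]
    if d["delay_low"]:
        parts.append("Delay - low")
    if d["throughput_high"]:
        parts.append("Throughput - high")
    if d["reliability_high"]:
        parts.append("Reliability - high")
    if d["ecn"]:
        parts.append(d["ecn_name"])
    return ", ".join(parts)


def tos_from_flow_line(line):
    """TOS (hex) is the sixth column of the first line of a 'show ip cache verbose flow' entry:
    SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts"""
    fields = line.split()
    if len(fields) < 8:
        raise ValueError("not a flow line: " + line)
    return int(fields[5], 16)


def control_precedence_sources(lines):
    """Source addresses whose flows carry precedence 6 or 7; worth a look when they are hosts, not routers."""
    hits = []
    for line in lines:
        fields = line.split()
        if decode_tos(tos_from_flow_line(line))["precedence"] >= 6 and fields[1] not in hits:
            hits.append(fields[1])
    return hits


# Constructed from the second output on the slide (first line of each entry pair).
SAMPLE_LINES = [
    "Et1/1  52.52.52.1     Fd4/0  42.42.42.1     01 55  10   3748",
    "Et1/2  52.52.52.1     Fd4/0  42.42.42.1     01 CC  10   3568",
    "Et1/2  10.1.3.2       Fd4/0  42.42.42.1     01 C0  10   1124",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        tos = tos_from_flow_line(line)
        print(f"{tos:02X}: {describe_tos(tos)}")
    print("precedence >= 6 from:", control_precedence_sources(SAMPLE_LINES))
```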
Sampled NetFlow
Deterministic (original type): Cisco 12000 Series Internet Routers; Cisco Catalyst 6500 Series Switches – Release 12.1(13)E
Random (recommended per statistical principles): Cisco IOS Software Releases 12.0(26)S, 12.2S, and 12.3; Cisco 2500, 2600, 3600, 7200, and 7500 Series Routers; Cisco 12000 Series Internet Routers
Time-based: Cisco Catalyst 6500 Series Switches – Release 12.1(13)E
Trajectory (Hash-based): in development
Sampling configuration
• GSR 12xxx (IOS Version: 12.0(31)S2):
R1(config)# ip flow-sampling-mode packet-interval 256
5. cnfProtocolStatistics
• Provides a summary of NetFlow cache statistics per protocol and port.
6. cnfExportTemplate
• Provides Template based Version 9 flow export information and statistics.
7. cnfTopFlows
• Provides top Netflow flows.
Netflow MIB Monitoring
Egress Netflow Accounting
Netflow and IPv6
• Collects IPv6 flow records
• Based on Netflow Version 9
• Support for both ingress and egress traffic
• "Full NetFlow", i.e. non-sampled
• Data export is still IPv4
• Available in release 12.3(7)T
Netflow Summary
• Netflow is a mature Cisco IOS feature (in Cisco IOS since 1996)
• Netflow provides input for Accounting, Performance, Fault, Security, and Billing Applications
• Cisco has IETF and industry leadership
• Netflow v9 eases the exporting of additional fields
• A lot of new features have been added
SFlow
• sFlow® is an industry standard technology for monitoring high speed switched networks, Juniper’s devices support it.
• Similar to NetFlow
• NetStream from Huawei Company
• sFlow Packet:
– Packet header (e.g. MAC, IPv4, IPv6, IPX, AppleTalk, TCP, UDP, ICMP)
– Sample process parameters (rate, pool etc.)
– Input/output ports
– Priority (802.1p and TOS)
– VLAN (802.1Q)
– Source/destination prefix
– Next hop address
– Source AS, Source Peer AS
– Destination AS Path
– Communities, local preference
– User IDs (TACACS/RADIUS) for source/destination
– URL associated with source/destination
– Interface statistics (RFC 1573, RFC 2233, and RFC 2358)
Tools for Netflow
• Cisco NFC
• Arbor Peakflow
• Flow tools
• Ntop
– http://www.ntop.org
• Etc.
Flow-tools
• Flow-tools is library and a collection of programs used to collect, send, process, and generate reports from NetFlow data.
• Can be used together on a single server or distributed to multiple servers for large deployments.
• The flow-tools library provides an API for development of custom applications for NetFlow export versions 1,5,6 and the 14 currently defined version 8 subversions.
• Version 9 is not supported now
Flow-tools utilities
• flow-capture - Collect, compress, store, and manage disk space for exported flows from a router.
• flow-cat - Concatenate flow files. Typically flow files will contain a small window of 5 or 15 minutes of exports. Flow-cat can be used to append files for generating reports that span longer time periods.
• flow-fanout - Replicate NetFlow datagrams to unicast or multicast destinations. Flow-fanout is used to facilitate multiple collectors attached to a single router.
• flow-report - Generate reports for NetFlow data sets. Reports include source/destination IP pairs, source/destination AS, and top talkers. Over 50 reports are currently supported.
• flow-tag - Tag flows based on IP address or AS #. Flow-tag is used to group flows by customer network. The tags can later be used with flow-fanout or flow-report to generate customer based traffic reports.
• flow-filter - Filter flows based on any of the export fields. Flow-filter is used in-line with other programs to generate reports based on flows matching filter expressions.
• flow-import - Import data from ASCII or cflowd format.
• flow-export - Export data to ASCII or cflowd format.
Flow-tools utilities( Cont.)
• flow-send - Send data over the network using the NetFlow protocol.
• flow-receive - Receive exports using the NetFlow protocol without storing to disk like flow-capture.
• flow-gen - Generate test data.
• flow-dscan - Simple tool for detecting some types of network scanning and Denial of Service attacks.
• flow-merge - Merge flow files in chronological order.
• flow-xlate - Perform translations on some flow fields.
• flow-expire - Expire flows using the same policy as flow-capture.
• flow-header - Display meta information in flow file.
• flow-split - Split flow files into smaller files based on size, time, or tags.
Configuration in Cisco Router
R1(config)# ip flow-export source Loopback0
R1(config)# ip flow-export version 5 origin-as
R1(config)# ip flow-export destination 202.112.xx.xx 9800
R1(config-if)# ip route-cache flow
flow-capture
• Flow-tools' most useful and important command
• flow-capture -w /flows/dat -m 255.255.248.0 -E5G 0/10.0.0.1/9800
– Receive flows from the exporter at 10.0.0.1 port 9800. Maintain 5 Gigabytes of flow files in /flows/dat. Mask the source and destination IP addresses contained in the flow exports with 255.255.248.0.
• flow-capture -w /flows/dat 0/0/9800 -S5
– Receive flows from any exporter on port 9800. Do not perform any flow file space management. Store the exports in /flows/dat. Emit a stat log message every 5 minutes.
Flow-cat
Flow-print
FreeBSD1# flow-print < ft-v01.2006-09-02.134114+0800
srcIP  dstIP  prot  sPort  dPort  octets  pkts