Sunday, May 23, 2010

INE OLS - NETFLOW w/ KEITH BARKER

  • WHAT DOES NETFLOW DO?
    • NetFlow is an ACCOUNTING feature that sits ON TOP of an existing switching path (e.g. CEF). It does not forward packets itself.
    • NetFlow provides STATISTICS on packets flowing through the router.
      • INGRESS : IP, IP-to-MPLS, FR/ATM, and traffic destined TO THE ROUTER ITSELF.
      • EGRESS : Traffic generated BY THE ROUTER ITSELF IS NOT CAPTURED.
______________________________________________________________
  • USING NETFLOW DATA
    • NetFlow data can be used for :-
      • Network application and user MONITORING.
      • Network PLANNING.
      • DoS and security ANALYSIS.
      • ACCOUNTING and BILLING.
      • TRAFFIC ENGINEERING.
____________________________________________________________
  • WHAT IS A FLOW?
    • Traditionally, a single flow is identified by the combination of SEVEN key fields. Packets that match on all seven are counted in the same flow.
      • SOURCE IP.
      • DESTINATION IP.
      • SOURCE PORT.
      • DESTINATION PORT.
      • LAYER-3 PROTOCOL TYPE.
      • TOS BYTE (Type of Service).
      • INPUT LOGICAL INTERFACE (ifIndex).
    • Flows are subject to TIMEOUTS. The inactive timeout is 15 seconds by default.
    • Flows are STORED in NETFLOW CACHE.
______________________________________________________________
  • LIFE CYCLE
    • Router notices network traffic and CREATES flows in NetFlow cache LOCALLY.
    • ACTIVE FLOWS EXPIRE. Nothing lasts forever.
    • Router EXPORTS flow records to COLLECTORS.
      • Non-aggregated flows only in Version 5 or 9.
      • Aggregated flows in Version 8 and 9.
      • Transport protocol is UDP or SCTP.
        • SCTP – Stream Control Transmission Protocol.
      • An OPTIONAL aggregation cache may be created and exported as well.
    • FLOW HAS TO EXPIRE BEFORE IT IS EXPORTED.
    • Flows can be AGGREGATED OR SUMMARIZED on SOME of the key-fields.
________________________________________________________________
  • NETFLOW PRE-PROCESSING
    • Packet sampling.
      • Sets up STATISTICAL SAMPLING of network traffic (e.g. 1 packet in N) for traffic engineering (TE) or capacity planning. Cheaper on the CPU, but short flows may be missed entirely.
    • Filtering.
      • Sets up a SPECIFIC SUBSET of network traffic (selected with MQC class-maps) for CLASS-BASED traffic analysis.
__________________________________________________________________
  • EXPIRATION OF A FLOW

    • Inactivity timer – 15 seconds by default (no packets seen for the flow in that time).
    • Active timer expiration – 30 mins by default.

      • Simply means that the information is sent for a flow that has been active for LONGER than 30 mins.
      • Router NO LONGER waits for the flow to go inactive.
      • SESSION IS NOT BROKEN. Just the information about it is sent; a new cache entry continues counting the same flow.
    • NetFlow cache is FULL (oldest entries are aged out first to make room).
    • TCP RST or FIN is observed (the connection has ended).
_________________________________________________________________
  • NETFLOW POST PROCESSING

    • Aggregation schemes.

      • Quite simply summarization.
      • Sets up EXTRA aggregation caches with different combinations of fields that determine WHICH TRADITIONAL FLOWS are GROUPED TOGETHER.

        • Several NON-TOS and TOS-based schemes (e.g. as, protocol-port, source-prefix, destination-prefix, prefix, and their -tos variants).
        • Uses PRE-DEFINED NON-STANDARD KEY-FIELD combinations; the ADMIN picks the scheme, but cannot define new fields (that is what Flexible NetFlow adds).
    • Export to MULTIPLE destinations.

      • Sets up IDENTICAL streams of NetFlow data to be sent to MULTIPLE hosts.
__________________________________________________________________________
  • EXPORTING NETFLOW

    • Version 5 INCLUDES BGP AS information (fixed record format, IPv4 only).
    • Version 7 ONLY supported on CATALYST switches.
    • Version 9 defined in RFC 3954.

      • FLEXIBLE AND EXTENSIBLE using templates (the collector learns the record layout from the template).
    • Version 10 – IETF IP Flow Information eXport – IPFIX (RFC 7011), template-based like Version 9.
___________________________________________________________________________
  • TERMINOLOGY

    • FLOW

      • The ACTUAL traffic that occurred.
    • FLOW-RECORD

      • Information about the traffic.
    • EXPORT-PACKET

      • Transported to the collector.
    • PACKET HEADER

      • Has VERSION, SEQUENCE NUMBER, NUMBER OF RECORDS, etc. A gap in the sequence numbers tells the collector that export packets were lost.
    • TEMPLATE RECORD (SCHEMA)

      • DEFINES fields and structure in flow-record.
    • OPTIONS RECORD

      • Data ABOUT the CONFIGURATION OF NETFLOW.
      • Examples include – SCOPE, SAMPLING LEVELS etc.
______________________________________________________________________________
  • STREAM CONTROL TRANSPORT PROTOCOL

    • RFC 2960 (since obsoleted by RFC 4960) and the partial-reliability extension RFC 3758 (PR-SCTP).
    • Reliable transport protocol for EXPORT (UDP export can silently lose flow records).
    • Stream 0 is the CONTROL channel.
    • Additional streams are for carrying data.
____________________________________________________________________________
  • COMMANDS.

    • ip flow-capture
    • ip flow-cache
    • ip flow-export
    • (config-if)# ip flow ingress|egress
    • show ip flow export|interface
    • show ip cache flow <------------------ IMPORTANT
    • show ip cache verbose flow
    • show ip flow top-talkers (needs ip flow-top-talkers configured first)
    • flow-sampler-map <name>

      • mode random one-out-of <N>
    • (config-if)# flow-sampler <name> [egress]
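The lifecycle, expiration, pre-/post-processing and command sections above, put together in one traditional NetFlow configuration. This is an added example, not configuration from the video: full ingress/egress accounting on one interface, a 1-in-100 sampler on another, the cache timeouts from the expiration section, v9 export to two collectors, a protocol-port aggregation cache, and top-talkers. Interface names, the Loopback0 source, the 10.0.0.5 / 10.0.0.6 / 10.0.0.7 collector addresses and the ports are assumptions for illustration.

```cisco
! --- Main cache: size and the two expiry timers (see EXPIRATION OF A FLOW) ---
! active timeout is in MINUTES (1-60), inactive timeout in SECONDS (10-600)
ip flow-cache entries 65536
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
!
! --- Export: v9 templates, sourced from a stable address, to TWO collectors ---
! identical export streams go to both hosts (assumed collector addresses/port)
ip flow-export version 9
ip flow-export source Loopback0
ip flow-export destination 10.0.0.5 9995
ip flow-export destination 10.0.0.6 9995
! templates are re-sent periodically so a collector that starts late can decode records
ip flow-export template refresh-rate 20
ip flow-export template timeout-rate 30
!
! --- Alternative: reliable export over SCTP (NetFlow Reliable Export), used in place
! --- of a UDP destination on platforms that support it (assumed collector 10.0.0.7)
! ip flow-export destination 10.0.0.7 9995 sctp
!  reliability full
!
! --- Post-processing: a separate aggregation cache grouping flows by protocol/port only ---
ip flow-aggregation cache protocol-port
 cache entries 2048
 cache timeout active 5
 cache timeout inactive 120
 export destination 10.0.0.5 9996
 enabled
!
! --- Top talkers, so "show ip flow top-talkers" has something to report ---
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 30000
!
! --- Pre-processing: random 1-in-100 packet sampler ---
flow-sampler-map SAMPLE-1-IN-100
 mode random one-out-of 100
!
! Full accounting on the WAN-facing interface, both directions
interface GigabitEthernet0/0
 ip flow ingress
 ip flow egress
!
! Sampled accounting only on the high-rate LAN interface
interface GigabitEthernet0/1
 flow-sampler SAMPLE-1-IN-100
!
end
```

Check the result with show ip cache flow (live cache), show ip cache verbose flow (per-flow detail), show ip flow export (records exported and any export drops) and show ip flow interface. Export over UDP is neither authenticated nor encrypted, so keep the collector port reachable only from the exporting routers' source addresses.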
_______________________________________________________________________________
  • FLEXIBLE NETFLOW

    • Basic ingredients are :

      • RECORDS (flow record).

        • Pre-defined (e.g. netflow ipv4 original-input).
        • User-defined: MATCH statements define the KEY fields, COLLECT statements the NON-KEY fields.
      • Flow EXPORTERS (flow exporter).

        • Used by FLOW MONITORS for exporting NetFlow data.
        • Define the destination, source interface, transport (UDP port) and export protocol (v9 or IPFIX).
      • Flow MONITORS (flow monitor).

        • Linked to an exporter and a record.
        • Applied to interfaces with ip flow monitor <name> input|output.
        • Creates its OWN cache, of one of three types:

          • Normal – entries age out on the active/inactive timers.
          • Immediate – one record per packet, exported at once.
          • Permanent – entries never age out.
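The three Flexible NetFlow ingredients wired together, as an added example that is not from the video: a user-defined record whose match fields are the seven traditional key fields, plus counters, timestamps and TCP flags as collect fields; one exporter; and one monitor applied inbound on an interface, with a sampled copy of the same monitor on a second interface. The FNF-* names, Loopback0, the collector 10.0.0.5 and UDP port 2055 are assumptions.

```cisco
! --- RECORD: what identifies a flow (match = key) and what is collected per flow ---
flow record FNF-REC-IPV4
 description Seven traditional key fields plus non-key fields useful for analysis
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match ipv4 tos
 match interface input
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect transport tcp flags
 collect interface output
!
! --- EXPORTER: where and how flow records leave the box ---
flow exporter FNF-EXP-COLLECTOR
 description NetFlow v9 to the assumed collector
 destination 10.0.0.5
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
 option interface-table
 option sampler-table
!
! --- MONITOR: ties record + exporter together and owns its own cache ---
! FNF timers are both in SECONDS
flow monitor FNF-MON-IN
 description Ingress monitor with a normal (timeout-driven) cache
 record FNF-REC-IPV4
 exporter FNF-EXP-COLLECTOR
 cache type normal
 cache entries 65536
 cache timeout active 60
 cache timeout inactive 15
!
! --- Optional sampler for a high-rate interface ---
sampler FNF-SAMP-1-IN-100
 mode random 1 out-of 100
!
interface GigabitEthernet0/0
 ip flow monitor FNF-MON-IN input
!
interface GigabitEthernet0/1
 ip flow monitor FNF-MON-IN sampler FNF-SAMP-1-IN-100 input
!
end
```

Swap export-protocol netflow-v9 for export-protocol ipfix to emit Version 10. Verify with show flow record FNF-REC-IPV4, show flow monitor FNF-MON-IN cache and show flow exporter FNF-EXP-COLLECTOR statistics. The cache type matters for load: immediate exports a record per packet (no timers apply), and permanent never ages entries, so it must be sized with cache entries or it fills and stops learning new flows.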
