How to Get NetFlow from Cisco 3750s and Other Non-NetFlow Enabled Devices
Joe Buchanan, System Engineer Manager, www.lancope.com
Network Flow Collection
NetFlow fields: src and dst IP, src and dst port, start time, end time, packet count, byte count, ...
(Diagram labels: Internet, NetFlow Packets, StealthWatch Flow Collector)
Flow Monitoring: Dual Benefit to IT
Network Team
- Interface Utilization
- Zone Traffic
- Service Traffic
- QoS Monitoring
- ASN Monitoring
- Intra-site monitoring
- MPLS visibility
Security Team
- Behavior-based IDS
- P2P file sharing detection
- Worm and Malware propagation detection
- Network Acceptable Use policy enforcement
- Attack context and 3rd party correlation
NetFlow = Visibility (figure panels: Traditional SNMP, NetFlow Reporting)
NetFlow Supported Devices Cisco 1700 Cisco 800 Cisco 1900 Cisco 2800 Not Supported Huawei Quidway Cisco 3750 Juniper Networks Cisco 2900 Cisco 7200 VXR Cisco 7600 Cisco 3900 Nortel Networks Cisco XR 12000 Cisco Nexus 7000 Cisco Catalyst 6500
How to Troubleshoot with NetFlow: An Example
The Layer-2 Visibility Problem
(Diagram labels: Catalyst 3750 (No NetFlow), Catalyst 6500 (NetFlow Enabled), FlowSensor (NetFlow Enabled), NetFlow Collector)
How to Gain NetFlow From Your 3750
FlowSensor AE
- Light-weight, cost-effective 1U network appliance
- Collects Ethernet frames and exports NetFlow v9
- Monitor up to (5) 3750s simultaneously
- Works with any NetFlow v9 capable flow collector

FlowSensor Model   Capacity   Disk    Interfaces
AE-1000            1 Gbps     73GB    3 or 5
AE-2000            2.5 Gbps   160GB   3 or 5

(Diagram labels: FlowSensor, NetFlow, StealthWatch Flow Collector)
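What a "NetFlow v9 capable flow collector" has to do with that export, carrying the fields listed under Network Flow Collection: an added example, not Lancope code. The function names are hypothetical, the field type numbers are the RFC 3954 ones, the IP addresses are placeholders, and the constructed datagram reuses the port, packet and byte values from the performance table in this deck.

```python
import socket
import struct

# Subset of NetFlow v9 field types from RFC 3954 (not the full registry).
NAMES = {1: "bytes", 2: "pkts", 4: "proto", 7: "sport", 8: "srcip", 11: "dport", 12: "dstip"}

def decode_records(body, fields):
    size = sum(length for _, length in fields) or len(body) + 1  # zero-size template decodes nothing
    out = []
    for start in range(0, len(body) - size + 1, size):  # trailing padding is ignored
        pos, rec = start, {}
        for ftype, length in fields:
            raw, pos = body[pos:pos + length], pos + length
            is_ip = ftype in (8, 12) and length == 4
            rec[NAMES.get(ftype, ftype)] = socket.inet_ntoa(raw) if is_ip else int.from_bytes(raw, "big")
        out.append(rec)
    return out

def parse_v9(datagram, templates):
    """Decode one export datagram; `templates` must persist between datagrams."""
    if len(datagram) < 20 or datagram[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 datagram")
    source_id = struct.unpack_from("!I", datagram, 16)[0]
    flows, off = [], 20
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
        if fs_len < 4 or off + fs_len > len(datagram):
            raise ValueError("bad flowset length")     # lengths come off the wire
        body, pos = datagram[off + 4:off + fs_len], 0
        while fs_id == 0 and pos + 4 <= len(body):     # template flowset
            tid, n = struct.unpack_from("!HH", body, pos)
            if tid < 256 or pos + 4 + 4 * n > len(body):
                break                                  # padding or truncated template
            templates[(source_id, tid)] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(n)]
            pos += 4 + 4 * n
        if (source_id, fs_id) in templates:            # data flowset, template known
            flows += decode_records(body, templates[(source_id, fs_id)])
        off += fs_len                                  # anything else is skipped
    return flows

def sample_datagram():
    """Constructed export: template 256, then the two flows from the slide's table."""
    tmpl = struct.pack("!HH14H", 256, 7, 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 2, 4, 1, 4)
    a, b = socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20")  # placeholder IPs
    recs = (a + b + struct.pack("!HHBII", 5749, 80, 6, 73, 9092)
            + b + a + struct.pack("!HHBII", 80, 5749, 6, 103, 78020))
    return (struct.pack("!HHIIII", 9, 3, 1000, 1262304000, 1, 7)
            + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(recs) + 2) + recs + b"\x00\x00")
```

Data flowsets that arrive before their template are skipped rather than guessed at, which is why the template cache is keyed by exporter source ID and kept across datagrams.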
How to Measure Performance Between Hosts
(StealthWatch FlowSensor on a SPAN port)

Columns: SRCIP, DSTIP, PROTO, DPORT, SPORT, PKTS, BYTES, RTT, SRT, ...
Rows as extracted (no SRCIP or DSTIP values appear on the page):

PROTO  DPORT  SPORT  PKTS  BYTES   RTT   SRT
TCP    80     5749   73    9,092   65ms  230ms  ...
TCP    5749   80     103   78,020  65ms  230ms  ...

RTT: round trip time across the network, same as ping output
SRT: time it takes the server to process a request
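One way a passive sensor on a SPAN port can derive the RTT and SRT columns above, as an added example and not Lancope's implementation. The packet tuples, placeholder addresses and the `rtt_srt` helper are constructed for illustration, with timings chosen to reproduce the slide's 65ms and 230ms; subtracting the sensor-to-server network time from SRT is an assumption drawn from the slide's definition.

```python
from collections import namedtuple

# Constructed packet summaries as seen on the SPAN port (timestamps in ms).
Pkt = namedtuple("Pkt", "ts src dst flags payload")
C, S = "192.0.2.10", "198.51.100.20"   # placeholder client and server
SAMPLE = [
    Pkt(0,   C, S, "S",  0),      # SYN passes the sensor
    Pkt(40,  S, C, "SA", 0),      # SYN/ACK: sensor<->server round trip = 40
    Pkt(65,  C, S, "A",  0),      # ACK: sensor<->client round trip = 25
    Pkt(70,  C, S, "PA", 120),    # request
    Pkt(75,  S, C, "A",  0),      # bare ACK, carries no reply data
    Pkt(340, S, C, "PA", 1460),   # first byte of the reply
]

def rtt_srt(packets, client, server):
    """Return (rtt_ms, srt_ms); both are None when the handshake is unusable."""
    syn = synack = ack = request = response = None
    syn_count = 0
    for p in packets:
        to_server = (p.src, p.dst) == (client, server)
        to_client = (p.src, p.dst) == (server, client)
        if to_server and p.flags == "S":
            syn, syn_count = p.ts, syn_count + 1
        elif to_client and p.flags == "SA" and synack is None:
            synack = p.ts
        elif to_server and synack is not None and ack is None and "A" in p.flags:
            ack = p.ts
        elif to_server and p.payload > 0 and response is None:
            request = p.ts            # last request packet before the reply
        elif to_client and p.payload > 0 and request is not None and response is None:
            response = p.ts           # bare ACKs are not a response
    # A retransmitted SYN makes it unclear which SYN the SYN/ACK answers.
    if syn_count != 1 or None in (synack, ack):
        return None, None
    rtt = (synack - syn) + (ack - synack)        # server half + client half
    srt = None
    if None not in (request, response):
        srt = (response - request) - (synack - syn)  # strip sensor<->server network time
    return rtt, srt
```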
Capturing NetFlow Per 3750 Link
(Slide labels: FlowSensor capture port, SPAN interface description)
10G Monitoring with Stackable FlowSensors
(Diagram labels: four FlowSensor AE-2000 units at 2.5G each; link labels 10G, 7.5G, 5.0G, 2.5G and 16x 1G; Ethernet loadbalancer vendors...; NetFlow to the StealthWatch Flow Collector)
FlowSensor VE (Virtual Edition)
- Lightweight, virtual appliance for VMware ESX 3.5 and 4.0
- Captures and records all VM2VM communications within the virtual network environment
- Exports NetFlow v9
- FREE to download and try (visit lancope.com to register and download)
(Diagram labels: VMware Server, NetFlow, StealthWatch Flow Collector)
StealthWatch NetFlow Replicator
- Dedicated NetFlow replication appliance
- Designed to copy and redistribute flows of NetFlow packets based on a rule-set that you define
- Original UDP source IP and payload is preserved
- Simple, easy to configure, web-based, 1U network appliance
- Promiscuous Mode allows installation without changing NetFlow export IPs
- Search "Replicator" on the NetFlow Ninjas blog for more info: http://netflowninjas.typepad.com/blog/2009/09/stealthwatch-flow-replicator-holy-cow-this-thing-is-popular.html
(Diagram labels: NetFlow, StealthWatch Flow Replicator)
In Summary
- Flow-based technologies provide unrivaled scale and cost effectiveness in large enterprise environments
- NetFlow is not just for netops; its value extends across all IT, from compliance auditing to helpdesk support
- Enable NetFlow on as many devices as you can to maximize visibility; the more the better
- NetFlow is ideal for monitoring port dense datacenters and large distributed WAN environments. No probes are required.
NetFlow 101 Boot Camp
Event site: http://lancope.com/news/events/netflowseminar.aspx
22 New Cities in 2010!
- Minneapolis, MN: February 17, 2010
- Atlanta, GA: February 25, 2010
- Hartford, CT: March 11, 2010
- Toronto, ON: March 18, 2010
- New York, NY: April 1, 2010
- Houston, TX: April 8, 2010
- Denver, CO: April 15, 2010
- Baltimore, MD: May 13, 2010
- Seattle, WA: May 20, 2010
- San Jose, CA: June 3, 2010
- Dallas, TX: July 7, 2010
- Washington DC: July 22, 2010
- Phoenix, AZ: August 5, 2010
- Chicago, IL: August 12, 2010
- Cleveland, OH: August 19, 2010
- San Francisco, CA: September 2, 2010
- Pittsburgh, PA: September 16, 2010
- Charlotte, NC: September 30, 2010
- Boston, MA: October 7, 2010
- Los Angeles, CA: October 21, 2010
- New York, NY: November 11, 2010
- Miami, FL: December 9, 2010
Thank You
Joe Buchanan, System Engineer Manager, www.lancope.com