NetFlow/IPFIX Various Thoughts



Similar documents
Configuring Flexible NetFlow

Introduction to Cisco IOS Flexible NetFlow

IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令

Cisco IOS Flexible NetFlow Command Reference

Business and IT are Changing Like Never Before

Cisco IOS Flexible NetFlow Technology

Agenda. Cisco Research SCRIPT and the Big Picture. Building Blocks for the SCRIPT Project

Advanced NetFlow for Service Providers. Aamer Akhter Benoit Claise

Scalable Extraction, Aggregation, and Response to Network Intelligence

Carrier/WAN SDN Brocade Flow Optimizer Making SDN Consumable

Configuring NetFlow-lite

Cisco Performance Monitor Commands

NetFlow-Lite offers network administrators and engineers the following capabilities:

CS 457 Lecture 19 Global Internet - BGP. Fall 2011

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date

Configuring NetFlow. Information About NetFlow. Send document comments to CHAPTER

HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS

Appendix A Remote Network Monitoring

Innominate mguard Version 6

Configuring NetFlow. Information About NetFlow. NetFlow Overview. Send document comments to CHAPTER

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes

Configuring NetFlow. Information About NetFlow. NetFlow Overview. Send document comments to CHAPTER

How-To Configure NetFlow v5 & v9 on Cisco Routers

IP address format: Dotted decimal notation:

Internet Protocol: IP packet headers. vendredi 18 octobre 13

NetFlow v9 Export Format

Cisco IOS NetFlow Version 9 Flow-Record Format

Cisco IOS NetFlow Version 9 Flow-Record Format

Netflow Overview. PacNOG 6 Nadi, Fiji

Flow Analysis. Make A Right Policy for Your Network. GenieNRM

Network Management & Monitoring

Network layer: Overview. Network layer functions IP Routing and forwarding

Ethernet. Ethernet. Network Devices

NetFlow Tracker Overview. Mike McGrath x ccie CTO mike@crannog-software.com

Cisco IOS Flexible NetFlow Overview

CISCO IOS NETFLOW AND SECURITY

Monitoring and analyzing audio, video, and multimedia traffic on the network

Network traffic monitoring and management. Sonia Panchen 11 th November 2010

Viete, čo robia Vaši užívatelia na sieti? Roman Tuchyňa, CSA

The use of SNMP and other network management tools in UNINETT. Arne Øslebø March 4, 2014

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways

How to securely operate an IPv6 network

Firewall Implementation

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

Network Monitoring and Management NetFlow Overview

NetFlow Configuration Guide, Cisco IOS Release 12.2SR

SonicOS 5.8: NetFlow Reporting

NetFlow Configuration Guide, Cisco IOS Release 12.4

Understanding Slow Start

Configuring NetFlow Secure Event Logging (NSEL)

NetFlow Configuration Guide, Cisco IOS Release 15M&T

NetFlow The De Facto Standard for Traffic Analytics

Configuring NetFlow on Cisco ASR 9000 Series Aggregation Services Router

and reporting Slavko Gajin

Flow Analysis Versus Packet Analysis. What Should You Choose?

IPv6 Fundamentals Ch t ap 1 er I : ntroducti ti t on I o P IPv6 Copyright Cisco Academy Yannis Xydas

Introduction to IP v6

Case Study: Instrumenting a Network for NetFlow Security Visualization Tools

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

The Critical Role of Netflow/IPFIX Telemetry in the Next- Generation Network Security Infrastructure

IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP

OpenDaylight Project Proposal Dynamic Flow Management

- Multiprotocol Label Switching -

Configuring NetFlow Data Export (NDE)

Research on Errors of Utilized Bandwidth Measured by NetFlow

Cisco NetFlow TM Briefing Paper. Release 2.2 Monday, 02 August 2004

TCP Performance Management for Dummies

Firewall Defaults and Some Basic Rules

Configuring NetFlow Secure Event Logging (NSEL)

Flow Monitor for WhatsUp Gold v16.2 User Guide

The Ecosystem of Computer Networks. Ripe 46 Amsterdam, The Netherlands

Cisco dan Hotel Crowne Plaza Beograd, Srbija.

Multi Stage Filtering

Introduction to Netflow

How To Mirror On An Ipfix On An Rspan Vlan On A Pc Or Mac Or Ipfix (Networking) On A Network On A Pnet (Netnet) On An Uniden (Netlan

Understanding and Configuring NAT Tech Note PAN-OS 4.1

Internet Protocols Fall Lectures 7-8 Andreas Terzis

Mobile IP Network Layer Lesson 02 TCP/IP Suite and IP Protocol

Transport and Network Layer

Networking Fundamentals Part of the SolarWinds IT Management Educational Series

Network Measurement. Why Measure the Network? Types of Measurement. Traffic Measurement. Packet Monitoring. Monitoring a LAN Link. ScienLfic discovery

PANDORA FMS NETWORK DEVICE MONITORING

Configuring NetFlow on Cisco IOS XR Software

Integrated Traffic Monitoring

Wireshark Developer and User Conference

Flow Monitor for WhatsUp Gold v16.1 User Guide

Network congestion control using NetFlow

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY

Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

Catalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

IP Addressing Introductory material.

NetFlow 101 Seminar Series, 2012

ISTANBUL. 1.1 MPLS overview. Alcatel Certified Business Network Specialist Part 2

AlliedWare Plus OS How To Use sflow in a Network

HP OpenFlow Protocol Overview

IP SLAs Overview. Finding Feature Information. Information About IP SLAs. IP SLAs Technology Overview

Transcription:

NetFlow/IPFIX Various Thoughts Paul Aitken & Benoit Claise 3 rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management, July 2010 1

B #1 Application Visibility Business Case NetFlow (L3/L4) DPI Application QoS Treatment Forwarding Status Which applications are running in my network? What is port 80? The applications have the right QoS treatment? DSCP value versus class-map? Next requirement: performance metric (link with PMOL) 2

Flexible Flow Record: Key Fields Flow Sampler ID Direction Interface Input Output Layer 2 Source VLAN Destination VLAN Source MAC address Destination MAC address IPv4 IP (Source or Prefix (Source or Mask (Source or Minimum-Mask (Source or Protocol Fragmentation Flags Fragmentation Offset Identification Header Length Total Length Payload Size Packet Section (Header) Packet Section (Payload) TTL Options bitmap Version Precedence DSCP TOS IPv6 IP (Source or Prefix (Source or Mask (Source or Minimum-Mask (Source or Protocol Traffic Class Flow Label Option Header Header Length Payload Length Payload Size Packet Section (Header) Packet Section (Payload) DSCP Extension Headers Hop-Limit Length Next-header Version 3

Flexible Flow Record: Key Fields Routing Transport Application src or dest AS Peer AS Destination Port Source Port TCP Flag: ACK TCP Flag: CWR Application ID* Traffic Index Forwarding Status IGP Next Hop BGP Next Hop Input VRF Name ICMP Code ICMP Type IGMP Type* TCP ACK Number TCP Header Length TCP Sequence Number TCP Window-Size TCP Flag: ECE TCP Flag: FIN TCP Flag: PSH TCP Flag: RST TCP Flag: SYN TCP Flag: URG UDP Message Length Multicast Replication Factor* RPF Check Drop* Is-Multicast TCP Source Port TCP Destination Port TCP Urgent Pointer Near future: Class-map UDP Source Port UDP Destination Port *: IPv4 Flow only 4

Flexible Flow Record: Non-Key Fields Counters Timestamp IPv4 IPv4 and IPv6 Bytes Bytes Long Bytes Square Sum sysuptime First Packet sysuptime First Packet Total Length Minimum (*) Total Length Maximum (*) TTL Minimum Total Length Minimum (**) Total Length Maximum (**) Bytes Square Sum Long TTL Maximum Packets Packets Long Plus any of the potential key fields: will be the value from the first packet in the flow (*) IPV4_TOTAL_LEN_MIN, IPV4_TOTAL_LEN_MAX (**)IP_LENGTH_TOTAL_MIN, IP_LENGTH_TOTAL_MAX 5

#2 Mediation Function in Router B Mediation: Data aggregation, reduction, correlation, and analysis Aggregation in space (different line cards in the router) Aggregation in time (performance metrics) IPFIX export in branch offices + WAN export bandwidth limitation + performance metrics sent on regular basis for performance assurance + NetFlow export from different observation domains in the router = mediation function + IPFIX structured data 6

P #3 NetFlow as Alternative to syslog? Logging in high-performance environments is nontrivial, NetFlow is replacing syslog Flow event information can now be exported through NetFlow v9 Information about NAT modifications to the traffic Information about Flows denied by security policy Information about AAA/usernames associated with flows Provides scalable logging 10-Gbps flows, 100-k connections per second = lots of logs Firewall: gain in terms of connection/s and throughout Surprised by the gain NetFlow export is the logical evolution in logging technology? 7

#4 Performance Challenge Moving Bottleneck consume a lot of CPU -> packet sampling -> metering process in hardware collision in the cache -> improved the hash function -> increased the cache size consume much bandwidth -> flexible flow record -> per interface, per direction -> export cache type per collector -> flow selection method Next one: the collector? Scalable and Robust Decentralized IP Traffic Flow Collection and Analysis (SCRIPT) with the Zurich university 8 B

#5 Metering Process Challenge Flexible NetFlow is very Flexible P Easier to shoot yourself in the foot Let s not forget that the router still has to route packets Might need some consulting services for every customer No one size fits all Example match datalink mac {destination address input source address {input output}} 9

#5 Metering Process Challenge Flexible NetFlow is very Flexible match datalink mac {destination address input source address {input output}} destination address input destination MAC address of packets received by the router source address source MAC address input Packets received by the router output Packets transmitted by the router match datalink mac destination address output match datalink mac destination address input Example of MPLS PE with QoS and a distributed system 10

B #6 Options Template Overload Options Template is used for Reducing Redundancy Statistics Information in the IPFIX protocol (The Metering Process Statistics, The Metering Process Reliability Statistics, Exporting Process Reliability Statistics) The Flow Keys Option Template ifindex/interface name matching Yes everything is possible with Options Template Record This complicates the collecting process IPFIX Structured Data helps Example: reducing redundancy 11

#7 IPFIX Future Work? P IPFIX Doctors IPFIX Applicability Version 2 IPFIX Mediator protocol will have to be done Consistent application information export? 12

#8 Permanent Cache Type = user defined PUSH MIB B Next to normal and immediate cache types Permanent cache To track a set of flows without expiring the flows from the cache Entire cache is periodically exported (update timer) After the cache is full (size configurable), new flows will not be monitored Uses update counters rather than delta counters NetFlow/IPFIX SNMP Push Pull Regular export Polling time Information Element SNMP OID User Defined Information Element No equivalent 13

NetFlow/IPFIX Various Thoughts Paul Aitken & Benoit Claise 3 rd EMANICS Workshop on Netflow/IPFIX Usage, July 2010 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information