Advanced NetFlow Deployment: BRKNMS-3132
BRKNMS-3132 14533_04_2008_c2
Cisco Public
Housekeeping
- We value your feedback: don't forget to complete your online session evaluations after each session, and complete the Overall Conference Evaluation, which will be available online from Thursday.
- Visit the World of Solutions.
- Please remember this is a non-smoking venue!
- Please switch off your mobile phones.
- Please remember to wear your badge at all times, including at the Customer Appreciation Event.
Session Abstract
This advanced session presents the latest NetFlow developments: new features, NetFlow version 9, and its standardization at the IETF. The new Flexible NetFlow feature is covered in detail. Technical details of the new features are addressed with configuration examples, show commands, tricks, and best practice advice. Scenarios such as NetFlow for security and NetFlow for capacity planning are covered. The NetFlow performance impact is also discussed, as well as the support matrix of all NetFlow features. This session is for enterprise, service provider, and NREN experts engaged in designing, maintaining, and troubleshooting security, capacity planning, and accounting solutions. Attendees should be familiar with network management basics and should already have some understanding of NetFlow, perhaps by already having taken the introductory session.
This Tutorial Is
Not about:
- A level 1 type of presentation
- Introduction to IP Accounting and NetFlow
- Marketing slides
- The NetFlow collector details
- The ecosystem partners' applications and mediations
- Many platform-specific details
About:
- New features
- Advanced information
- And scenarios
- Assuming the NetFlow basics are known
Agenda
- Introduction
- NetFlow Version 9
- New Features on Traditional NetFlow
- Flexible NetFlow
- NetFlow for Security
- NetFlow for Capacity Planning
- NetFlow Performance
- NetFlow Standardization
- Support Matrix
- Appendix
Introduction
Traditional NetFlow flow record fields (figure callouts: Application, QoS, Routing and Peering):
- Counters and timing: Packet Count, Byte Count, Start sysUpTime, End sysUpTime, Input ifIndex, Output ifIndex, Type of Service, TCP Flags, Protocol
- Application: Source IP Address, Destination IP Address, Source TCP/UDP Port, Destination TCP/UDP Port
- Routing and Peering: Next Hop Address, Source AS Number, Dest. AS Number, Source Prefix Mask, Dest. Prefix Mask
2. Expiration
- Inactive timer expired (15 sec is default)
- Active timer expired (30 min is default)
- NetFlow cache is full (oldest flows are expired)
- RST or FIN TCP flag
Example cache entry: SrcIf Fa1/0, SrcIPadd 173.100.21.2, DstIf Fa0/0, DstIPadd 10.0.227.12, Protocol 11, TOS 80, Flgs 10, Pkts 11000, Src Port 00A2, Src Msk /24, Src AS 5, Dst Port 00A2, Dst Msk /24, Dst AS 15, NextHop 10.0.23.2, Bytes/Pkt 1528, Active 1800, Idle 4
5. Transport protocol
Export Packet: Header + Payload (Flows)
NetFlow Version 9
Figure: NetFlow architecture (Metering Process, Exporting Process, NetFlow Collector) feeding applications such as Denial of Service detection, Billing and CS-MARS
NetFlow Version 9
Version 9 is an export protocol
No changes to the metering process
Support: 800, 1700, 1800, 2600, 2800, 3600, 6500/7600, 7200, 7300, 7500, cat6000, 7600, 10000, 12000, CRS-1, ASR 1000
RFC 3954: Cisco Systems NetFlow Services Export Version 9
NetFlow patent: intellectual property right statement on the IETF website
Template FlowSet: Header, then Template Record(s) (Template ID #1: specific field types and lengths)
(Options) Templates are sent every 5 minutes or every 20 packets
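The template mechanism above is what makes version 9 extensible, and it is also its operational trap: a data FlowSet can only be decoded once the collector has seen the template with the same ID from the same source ID, so a collector started between two template refreshes drops records until the next refresh. The following is an added example, not code from the deck or from Cisco: it builds a v9 export packet with the RFC 3954 header, a template FlowSet (ID 256 with public field types 1, 2, 4, 7, 8, 11, 12 and 89) and a data FlowSet, then parses it with a small template cache. The sample flows, the source ID and the packet builder are constructed for the demonstration; the decoder for field 89 (Forwarding Status: top two bits status, low six bits reason code) matches the values listed later in this deck.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

# NetFlow v9 field type numbers from RFC 3954 section 8; 89 is Forwarding Status.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr",
               89: "forwarding_status"}
FWD_STATUS = {0: "Unknown", 1: "Forwarded", 2: "Dropped", 3: "Consumed"}


def decode_forwarding_status(value: int) -> Tuple[str, int]:
    """Top two bits carry the status, the low six bits the reason code."""
    return FWD_STATUS[(value >> 6) & 0x3], value & 0x3F


class V9Parser:
    """Keeps a template cache per (source id, template id) and decodes data FlowSets."""

    def __init__(self) -> None:
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}
        self.undecodable = 0  # data FlowSets that arrived before their template

    def parse(self, pkt: bytes) -> List[dict]:
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        records, offset = [], 20
        while offset + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack("!HH", pkt[offset:offset + 4])
            if fs_len < 4:
                raise ValueError("malformed FlowSet length")
            body = pkt[offset + 4:offset + fs_len]
            if fs_id == 0:                       # template FlowSet
                self._learn_templates(source_id, body)
            elif fs_id >= 256:                   # data FlowSet; its id is the template id
                records.extend(self._decode_data(source_id, fs_id, body))
            # fs_id 1 (options template) and 2..255 (reserved) are skipped here
            offset += fs_len
        return records

    def _learn_templates(self, source_id: int, body: bytes) -> None:
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id: int, tid: int, body: bytes) -> List[dict]:
        fields = self.templates.get((source_id, tid))
        if fields is None:                       # template not received yet: cannot decode
            self.undecodable += 1
            return []
        rec_len = sum(flen for _, flen in fields)
        out, pos = [], 0
        while rec_len and pos + rec_len <= len(body):   # trailing bytes are padding
            rec = {}
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                pos += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = str(IPv4Address(raw)) if ftype in (8, 12) and flen == 4 else int.from_bytes(raw, "big")
            out.append(rec)
        return out


def build_template_flowset(tid: int, fields: List[Tuple[int, int]]) -> bytes:
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_flowset(tid: int, fields: List[Tuple[int, int]], rows: List[dict]) -> bytes:
    body = b""
    for row in rows:
        for ftype, flen in fields:
            body += IPv4Address(row[ftype]).packed if ftype in (8, 12) else row[ftype].to_bytes(flen, "big")
    body += b"\x00" * ((-len(body)) % 4)         # pad the FlowSet to a 32-bit boundary
    return struct.pack("!HH", tid, 4 + len(body)) + body


def build_packet(flowsets: List[bytes], count: int, seq: int, source_id: int = 1) -> bytes:
    # version, count, sysUpTime, UNIX seconds, sequence number, source id (constructed values)
    return struct.pack("!HHIIII", 9, count, 123456, 1200000000, seq, source_id) + b"".join(flowsets)


TEMPLATE_ID = 256
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4), (89, 1)]
SAMPLE_ROWS = [  # constructed flows, not real traffic
    {8: "10.0.0.5", 12: "192.0.2.10", 7: 40000, 11: 80, 4: 6, 2: 12, 1: 9000, 89: 0x40},
    {8: "10.0.0.7", 12: "192.0.2.20", 7: 53000, 11: 53, 4: 17, 2: 1, 1: 80, 89: 0x82},
]


def demo() -> Tuple[List[dict], List[dict], int]:
    parser = V9Parser()
    data_fs = build_data_flowset(TEMPLATE_ID, TEMPLATE, SAMPLE_ROWS)
    tmpl_fs = build_template_flowset(TEMPLATE_ID, TEMPLATE)
    # Packet 1 carries only data: a collector started between template refreshes cannot decode it.
    first = parser.parse(build_packet([data_fs], count=2, seq=1))
    # Packet 2 carries the template refresh ahead of the data, so decoding succeeds.
    second = parser.parse(build_packet([tmpl_fs, data_fs], count=3, seq=2))
    return first, second, parser.undecodable


if __name__ == "__main__":
    before, after, lost = demo()
    print(f"records before template: {len(before)}, after: {len(after)}, undecodable FlowSets: {lost}")
    for r in after:
        print(r, decode_forwarding_status(r["forwarding_status"]))
```

The template cache is keyed on (source ID, template ID) because template IDs are only unique per exporting process; a collector that ignores the source ID mixes up templates from two routers that both happen to start at ID 256. The undecodable counter is worth exporting as a collector health metric: a value that keeps climbing means the template refresh interval (5 minutes or 20 packets above) is too long for the loss rate on the UDP path.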
Should you export from the main cache with NetFlow version 5 or version 9?
router(config)# ip flow-aggregation cache bgp-nexthop-tos
router(config-flow-cache)# export destination 11.11.11.11 9999
router(config-flow-cache)# export ?
  destination  Specify the Destination IP address
  version      configure aggregation cache export version
router(config-flow-cache)# export version ?
  9  Version 9 export format
router(config-flow-cache)# export version 9
router(config-flow-cache)# enabled
Adds new NetFlow fields to represent security-related parameters
NetFlow is the logical evolution in logging technology
CISCO-NETFLOW-MIB
Not a mechanism to poll all flow records
- Configuration: flow cache, interface, export, peer-as versus origin-as (exception: no sampled NetFlow configuration)
- Monitoring: packet size distribution, number of bytes exported per second, number of flows/UDP datagrams exported, number of active templates, export statistics, protocol statistics, size distribution, etc.
- Report the top flows (more on this later)
Note: don't forget the threshold mechanism with the RMON event/alarm or the EVENT-MIB
CISCO-NETFLOW-MIB objects correspond to the counters of show ip flow export (cnfESRecordsExported, cnfESPktsExported, cnfESPktsFailed, cnfESPktsDropped):
Router# show ip flow export
...
  479272 flows exported in 69204 udp datagrams
  0 flows failed due to lack of export packet
  3 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
  0 export packets were dropped enqueuing for the RP
  0 export packets were dropped due to IPC rate limiting
SCTP: reliable export (figure: Main Cache and DestinationPrefix Aggr. cache, each exporting over SCTP)
Router(config)# ip flow-export destination 10.10.10.10 9999 sctp
Router(config-flow-export-sctp)# reliability partial buffer-limit 100
Router(config-flow-export-sctp)# backup destination 11.11.11.11 9999
Router(config-flow-export-sctp)# backup fail-over 1000
Router(config-flow-export-sctp)# backup mode fail-over
Router(config)# ip flow-aggregation cache destination-prefix
Router(config-flow-cache)# export destination 12.12.12.12 9999 sctp
Router(config-flow-export-sctp)# backup destination 13.13.13.13 9999
Router(config-flow-export-sctp)# backup mode redundant
Router(config-flow-export-sctp)# backup restore-time 1
Router(config-flow-export-sctp)# exit
Router(config-flow-cache)# enabled
Multicast NetFlow
Multicast NetFlow ingress
One flow with the replicated number of packets/bytes
Router(config-if)# ip multicast netflow ingress
- Deduces the replication factor
- Multicast data that fails the RPF check
- No NetFlow export over multicast
Flexible NetFlow
Figure: NetFlow for Peering (ISP)
Advantages:
- Tailor a cache for specific applications not covered by existing NetFlow features
- Different NetFlow caches: per sub-interface, per direction (ingress, egress), per sampler, per ...
- Better scalability, since flow record customization for a particular application reduces the number of flows to monitor
Key Fields: Source IP, Destination IP, Source Port, Destination Port, Layer 3 Protocol, TOS Byte, Input Interface
Figure: Monitors A, B and C, each using a Record (X, Y or Z) and exporting through Exporters M and N
- A single record per monitor
- Potentially multiple monitors per interface
- Potentially multiple exporters per monitor
Routing: src or dest AS, Peer AS, Traffic Index, Forwarding Status, Is-Multicast, IGP Next Hop, BGP Next Hop
Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Flag: ACK, TCP Flag: CWR, TCP Flag: ECE, TCP Flag: FIN, TCP Flag: PSH, TCP Flag: RST, TCP Flag: SYN, TCP Flag: URG, UDP Message Length, UDP Source Port, UDP Destination Port
Flow: Sampler ID, Direction
Interface: Input, Output
Routing: src or dest AS, Peer AS, Traffic Index, Forwarding Status, Is-Multicast, IGP Next Hop, BGP Next Hop
Transport: Destination Port, Source Port, ICMP Code, ICMP Type, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, TCP Flag: ACK, TCP Flag: CWR, TCP Flag: ECE, TCP Flag: FIN, TCP Flag: PSH, TCP Flag: RST, TCP Flag: SYN, TCP Flag: URG, UDP Message Length, UDP Source Port, UDP Destination Port
Flow: Sampler ID, Direction
Interface: Input, Output
Timestamp: sysUpTime First Packet
IPv4: Total Length Minimum, Total Length Maximum, TTL Minimum, TTL Maximum
Plus any of the potential key fields: the value is taken from the first packet in the flow
flow monitor <monitor-name>
  record <record-name>
  exporter <exporter-name>
  cache type {normal | immediate | permanent}
  cache entries <number-of-entries>
  cache timeout {active | inactive | update} <value-in-sec>
  statistics packet protocol      (collect protocol distribution statistics)
  statistics packet size          (collect size distribution statistics)
Immediate cache
- Flow accounts for a single packet
- Desirable for real-time traffic monitoring, DDoS detection, logging
- Desirable when only very small flows are expected (ex: sampling)
- Caution: may result in a large amount of export data
Permanent cache
- To track a set of flows without expiring the flows from the cache
- Entire cache is periodically exported (update timer)
- After the cache is full (size configurable), new flows will not be monitored
- Uses update counters rather than delta counters
Router(config)# flow monitor my-dscp-monitor
Router(config-flow-monitor)# description dscp:bytes and packets
Router(config-flow-monitor)# record my-dscp-record
Router(config-flow-monitor)# cache type permanent
Router(config-flow-monitor)# cache entries 256
Router(config)# interface GigabitEthernet 0/1
Router(config-if)# ip flow monitor my-dscp-monitor input
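The three cache types differ only in when a flow leaves the cache and what the counters mean when it is exported. The following is an added example, not code from the deck or from Cisco, that simulates the metering process on the seven traditional key fields: the normal cache applies the inactive timer, the active timer, the cache-full rule and the TCP FIN/RST rule from the expiration slide; the immediate cache exports one record per packet; the permanent cache exports the whole cache on the update timer with running counters and stops monitoring new flows once it is full. The packets, timer values and the export record format are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

FIN, RST = 0x01, 0x04            # TCP flag bits as carried in the flow record


@dataclass
class Packet:
    t: float                      # arrival time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tos: int
    ifindex: int
    length: int
    tcp_flags: int = 0


@dataclass
class Flow:
    first: float
    last: float
    packets: int = 0
    bytes: int = 0
    flags: int = 0


Key = Tuple[str, str, int, int, int, int, int]


def key_of(p: Packet) -> Key:
    """The seven traditional key fields."""
    return (p.src, p.dst, p.sport, p.dport, p.proto, p.tos, p.ifindex)


class FlowCache:
    def __init__(self, cache_type: str = "normal", entries: int = 4096,
                 active: float = 1800.0, inactive: float = 15.0, update: float = 60.0) -> None:
        self.cache_type, self.entries = cache_type, entries
        self.active, self.inactive, self.update = active, inactive, update
        self.cache: Dict[Key, Flow] = {}
        self.exported: List[dict] = []   # what the exporting process would send
        self.last_update = 0.0
        self.not_monitored = 0           # packets refused by a full permanent cache

    def _export(self, key: Key, f: Flow, reason: str, remove: bool) -> None:
        self.exported.append({"key": key, "packets": f.packets, "bytes": f.bytes, "reason": reason})
        if remove:
            del self.cache[key]

    def feed(self, p: Packet) -> None:
        now, k = p.t, key_of(p)
        if self.cache_type == "normal":
            # Age flows out before touching the cache: inactive timer first, then active timer.
            for key, f in list(self.cache.items()):
                if now - f.last > self.inactive:
                    self._export(key, f, "inactive timer", remove=True)
                elif now - f.first > self.active:
                    self._export(key, f, "active timer", remove=True)
        elif self.cache_type == "permanent" and now - self.last_update >= self.update:
            # Update timer: the whole cache is exported with running (not delta) counters.
            self.last_update = now
            for key, f in self.cache.items():
                self._export(key, f, "update timer", remove=False)
        f = self.cache.get(k)
        if f is None:
            if len(self.cache) >= self.entries:
                if self.cache_type == "permanent":
                    self.not_monitored += 1   # full permanent cache: new flows are not monitored
                    return
                oldest = min(self.cache, key=lambda kk: self.cache[kk].last)
                self._export(oldest, self.cache[oldest], "cache full", remove=True)
            f = self.cache[k] = Flow(first=now, last=now)
        f.last, f.packets, f.bytes, f.flags = now, f.packets + 1, f.bytes + p.length, f.flags | p.tcp_flags
        if self.cache_type == "immediate":
            self._export(k, f, "immediate", remove=True)        # one record per packet
        elif self.cache_type == "normal" and p.proto == 6 and p.tcp_flags & (FIN | RST):
            self._export(k, f, "fin/rst", remove=True)


def demo() -> Tuple[List[dict], List[dict], int]:
    pkts = [  # constructed packets, not a real capture
        Packet(0.0, "10.0.0.1", "192.0.2.1", 1234, 80, 6, 0, 1, 1500),
        Packet(5.0, "10.0.0.1", "192.0.2.1", 1234, 80, 6, 0, 1, 1500),
        Packet(30.0, "10.0.0.2", "192.0.2.1", 2222, 443, 6, 0, 1, 100),
        Packet(31.0, "10.0.0.2", "192.0.2.1", 2222, 443, 6, 0, 1, 100, tcp_flags=FIN),
    ]
    normal = FlowCache("normal")
    permanent = FlowCache("permanent", entries=1, update=4.0)   # tiny cache to show the full-cache rule
    for p in pkts:
        normal.feed(p)
        permanent.feed(p)
    return normal.exported, permanent.exported, permanent.not_monitored


if __name__ == "__main__":
    normal_out, permanent_out, refused = demo()
    print("normal cache exports:", normal_out)
    print("permanent cache exports:", permanent_out, "packets not monitored:", refused)
```

Run as written, the normal cache exports the first flow on the inactive timer (25 s of silence) and the second on its FIN; the permanent cache exports the first flow twice with cumulative counters (1 packet, then 2) and silently refuses the second flow because its single entry is taken. That refusal is the caveat from the slide: size a permanent cache for the full set of flows you expect, or the flows that matter most may be the ones never monitored.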
For the Input or Output Traffic. Does Not Determine the Flow Key
Template assignment: show flow exporter template
NetFlow configuration: show running flow [exporter | monitor | record]
Cache collisions: show flow monitor my-monitor internal
Deployment Example
Figure: Server Flow Monitor (standard 7 keys); ISP; Peering Flow Monitor (Destination AS, Source Traffic Index, BGP Next Hop, DSCP)
Platforms:
- 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200, 7301: 12.4(9)T
- 12000: 12.0(33)S, on engine 3 and 5
Flexible NetFlow has no impact on the NetFlow version 9 collector, and no impact on the applications
Don't forget show ip cache verbose flow | include
Export to a security-oriented collector: CS-MARS, Arbor collector
NetFlow for security: IP header fields of interest
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Callouts:
- Total Length: attacks that use consistent packet size or worms that use consistent packet size
- Fragment Offset: same flow issued over and over
- Source Address: several flows with the same packet sent from the same origin
- Very large packets, or attacks that might always have the same generated Identification
Not flow keys: the value of the first packet of the flow
- Exception for packet length: min/max
- Exception for the TTL: min/max
- Fragment-offset: the first fragmented packet
Figure: Hosts B and C behind Routers B, C and D, with NetFlow toward the Internet
- Match criteria for the top talkers work like a filter
- The top talkers can be retrieved via the CISCO-NETFLOW-MIB (cnfTopFlowsTable)
- A new, separate cache
- Output similar to the show ip cache flow or show ip cache verbose flow command
- Generated on the fly
- Frozen for the cache-timeout value
Router# show ip flow top-talkers verbose
(Output columns include SrcIf, SrcIPaddress, Port, Msk, AS, Pkts and Active; values visible on the extracted slide: Se0/0, 192.1.1.97, 0000, /30, 0, ICMP type: 0, Pkts 1436, Active 12 2.8, and a second entry with Pkts 56, Active 171.0)
match [[source address | destination address | nexthop address] [ip-address] [mask | /nn]]
      [[source port | destination port] [port-number | min port | max port | min port max port]]
      [[source as | destination as] as-number]
      [[input-interface | output-interface] interface]
      [tos [tos-value | dscp dscp-value | precedence precedence-value]]
      [protocol [protocol-number | tcp | udp]]
      [flow-sampler flow-sampler-name]
      [class-map class]
      [packet-range | byte-range [[min-range-number max-range-number] [min minimum-range | max maximum-range | min minimum-range max maximum-range]]]
      [direction]
Even more useful than top talkers for security: the show ip flow top command
show ip flow top <N> <aggregate-field> <sort-criteria> <match-criteria>
Top five destination addresses to which we're routing most traffic from the 10.10.10.0/24 prefix:
Router# show ip flow top 5 aggregate destination-address match source-prefix 10.10.10.0/24
IPv4: Payload Size, Packet Section (Header), Packet Section (Payload), TTL, Options, Version, Precedence, DSCP, TOS
Routing: Destination AS, Peer AS, Traffic Index, Forwarding Status, Is-Multicast, IGP Next Hop, BGP Next Hop
Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Flag: ACK, TCP Flag: CWR, TCP Flag: ECE, TCP Flag: FIN, TCP Flag: PSH, TCP Flag: RST, TCP Flag: SYN, TCP Flag: URG, UDP Message Length, UDP Source Port, UDP Destination Port
Flow: Sampler ID, Direction
Interface: Input, Output
Counters: Bytes, Bytes Long, Bytes Square Sum, Packets, Packets Long
Timestamp: sysUpTime First Packet
IPv4: Total Length Minimum, Total Length Maximum, TTL Minimum, TTL Maximum
Plus any of the potential key fields: the value is taken from the first packet in the flow
Flexible NetFlow
The Forwarding Status Information Element
Router(config)# flow record forwarding-status
Router(config-flow-record)# match routing forwarding status
Values: Unknown (00b); Forwarded (01b); Dropped (10b) -> ACL, QoS; Consumed (11b) -> destined to the router (ex: management traffic)
Figure: ISP-1, ISP-2, Destination; Munich POP, London POP
Traffic matrix, Best Effort traffic (Mb/s):
Best Effort Traffic   Rome Entry Point   Paris Entry Point   London Exit Point   Munich Exit Point
Rome Exit Point       NA (*)             Mb/s                Mb/s                Mb/s
Paris Exit Point      Mb/s               NA (*)              Mb/s                Mb/s
London Exit Point     Mb/s               Mb/s                NA (*)              Mb/s
Munich Exit Point     Mb/s               Mb/s                Mb/s                NA (*)
Figure: Customers connected through PE routers at two PoPs to an MPLS Core or IP Core with BGP routes only; Server Farm 1 and Server Farm 2 behind PE routers
Fewer flow records, less CPU impact; potentially a higher sampling rate for better accuracy
(*) Before Any Recoloring
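The matrix above is the output of the capacity-planning record: with the input interface and the BGP next hop as the only key fields, every flow maps to one (entry point, exit point) cell, the byte counters of one export period are summed per cell and converted to Mb/s, and DSCP separates the best-effort matrix from the other classes. The following is an added example, not code from the deck or from Cisco, that does this conversion; the interface-to-PoP and next-hop-to-PoP mappings, the one-hour period (the hourly forced export configured later in this section) and the flow records are all constructed for the demonstration. It also keeps the NA cells on the diagonal, since traffic that enters and exits at the same PoP never crosses the core.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed mappings (assumption): which input interface is which entry PoP, and which
# BGP next hop is which exit PoP. A real deployment derives these from its topology data.
ENTRY_POINT = {"Gi0/1": "Rome", "Gi0/2": "Paris"}
EXIT_POINT = {"10.1.1.1": "London", "10.2.2.2": "Munich", "10.3.3.3": "Rome"}
POPS = ["London", "Munich", "Paris", "Rome"]


@dataclass
class MatrixFlow:
    """What a capacity-planning record needs: input interface and BGP next hop as keys,
    DSCP to separate traffic classes, and the byte counter for the period."""
    input_if: str
    bgp_nexthop: str
    dscp: int
    bytes: int


def traffic_matrix(flows: List[MatrixFlow], period_s: float,
                   dscp: int = 0) -> Dict[str, Dict[str, Optional[float]]]:
    """Mb/s from each entry PoP to each exit PoP for one DSCP over one export period.
    Entry == exit cells are None, like the NA cells on the slide."""
    total: Dict[tuple, int] = defaultdict(int)
    for f in flows:
        if f.dscp != dscp:
            continue                          # another traffic class: belongs to another matrix
        entry, exit_ = ENTRY_POINT.get(f.input_if), EXIT_POINT.get(f.bgp_nexthop)
        if entry is None or exit_ is None:
            continue                          # unmapped interface or next hop: not part of the matrix
        total[(entry, exit_)] += f.bytes
    return {e: {x: (None if e == x else total[(e, x)] * 8 / period_s / 1e6) for x in POPS}
            for e in POPS}


def render(matrix: Dict[str, Dict[str, Optional[float]]]) -> str:
    """Plain-text table in the layout of the slide, NA on the diagonal."""
    rows = ["entry\\exit".ljust(12) + "".join(p.rjust(10) for p in POPS)]
    for e in POPS:
        cells = "".join(("NA" if matrix[e][x] is None else f"{matrix[e][x]:.2f}").rjust(10) for x in POPS)
        rows.append(e.ljust(12) + cells)
    return "\n".join(rows)


SAMPLE_FLOWS = [  # constructed records for one hourly period, not real traffic
    MatrixFlow("Gi0/1", "10.1.1.1", 0, 450_000_000),
    MatrixFlow("Gi0/1", "10.2.2.2", 0, 900_000_000),
    MatrixFlow("Gi0/2", "10.1.1.1", 0, 225_000_000),
    MatrixFlow("Gi0/2", "10.1.1.1", 46, 100_000_000),   # EF traffic: excluded from the best-effort matrix
    MatrixFlow("Gi0/1", "10.3.3.3", 0, 50_000_000),     # enters and exits at Rome: NA cell
]


def demo() -> Dict[str, Dict[str, Optional[float]]]:
    return traffic_matrix(SAMPLE_FLOWS, period_s=3600)


if __name__ == "__main__":
    print(render(demo()))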
Router(config)# event manager applet periodicexport
Router(config-applet)# event timer cron name "everyhour" cron-entry "0 * * * *"
Router(config-applet)# action 1.0 cli command "clear flow monitor traffic-matrix-record force-export"

Router# debug flow exporter event
Router#
Nov 6 17:00:00.763: FLOW EXP: Exporting packet (ID: 256, Exporter: capacity-planning-collector)
- Having multiple exporters does not add significant CPU impact
- NetFlow v9 and NetFlow v5 export have similar CPU impact
- Flexible NetFlow does add a slight CPU load: more visible on lower-end platforms; however, this difference is seen at large flow counts that are not expected to be seen on LES
cnfESExportRate: number of bytes exported per second
Must add the Layer 2 encapsulation
CEF-MIB: cefPrefixPkts, cefPrefixBytes
Router# show ip cef 1.1.1.1
1.1.1.1/32, version 9, epoch 0, attached
  100 packets, 11052 bytes
  via Null0, 0 dependencies
    valid null (drop) adjacency
Must add the Layer 2 encapsulation
This method is also valid for traditional NetFlow
Cisco Catalyst 6500 and Cisco 7600 Capacities Across the Supervisor Family
Each supervisor's NetFlow support yields a different number of flows that can be stored in the NetFlow tables:
Supervisor          Table Size   Hash Efficiency   Effective Size   Hash Key Size
Sup2                128K         25%               32K              17 bits
Sup720              128K         50%               64K              36 bits
Sup720-3B           128K         90%               115K             36 bits
Sup720-3BXL         256K         90%               230K             36 bits
Sup32-8GE           128K         90%               115K             36 bits
Sup32-10GE          128K         90%               115K             36 bits
Sup720-10GE-3C      128K         90%               115K             36 bits
Sup720-10GE-3CXL    256K         90%               230K             36 bits
NetFlow Standardization
- RFC 3955: Evaluation of Candidate Protocols for IPFIX
- RFC 5101: Specification of the IPFIX Protocol for the Exchange of IP Traffic Flow Information
- RFC 5102: Information Model for IP Flow Information Export
Support Matrix
Support matrix slides (one per feature; each platform cell is marked Available Now, Roadmap or Not Available). Platforms: Software (IOS), C6500, C7600, C12000, C10000, C4500, CRS-1, XR12000 (IOS XR 3.2 to 3.6), ASR1000 (RLS1, RLS3). IOS releases cited on these slides: 12.0(6)S, 12.0(11)S, 12.0(14)S, 12.0(19)SL, 12.0(22)S, 12.0(24)S, 12.0(33)S, 12.1(2)E, 12.1(2)T, 12.1(13)EW, 12.1(19)EW, 12.1(27b)E1, 12.2(14)SX, 12.2(15)BX, 12.2(17b)SXA, 12.2(18)SXF, 12.2(31)SB, 12.2(33)SXH, 12.2(33)SRA, 12.2(33)SRB, 12.2(1st)SXJ, 12.2(2th)SXJ, 12.3(4)T, 12.3(7)T, 12.3(11)T, 12.3(24), 12.4(4)T, 12.4(9)T, 12.4(20)T, 12.5(Pi1)T, 12.5(Pi2)T, 12.5(Pi3)T, 12.5(4th)T. Feature columns recoverable from the extracted text: Reliable Export, IPFIX Support (12.5(4th)T and 12.2(2th)SXJ for Flexible NetFlow), Packet Sampling, Cache, Export.
Conclusion
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press
Network Management: Accounting and Performance Strategies, ISBN 1-58705-198-2. Preview: http://www.informit.com/store/product.aspx?isbn=1587051982
References
NetFlow
http://www.cisco.com/go/netflow
Q and A
Appendix: reading show ip cache flow
Router# show ip cache flow
IP Flow Switching Cache, 278544 bytes
  2728 active, 1368 inactive, 85310 added                  <- # of active flows
  463824 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes                       <- rates and duration
  Inactive flows timeout in 15 seconds
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-X                2      0.0         1  1440      0.0       0.0       9.5
TCP-other        82580     11.2         1  1440     11.2       0.0      12.0
Total:           82582     11.2         1  1440     11.2       0.0      12.0
SrcIf  ...  Pr  ...  Pkts                                      <- flow details
Et0/0       06          1
Et0/0       06          1
Et0/0       06          1

Router# show ip cache verbose flow
IP Flow Switching Cache, 278544 bytes
  1323 active, 2773 inactive, 23533 added
  151644 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-other        22210      3.1         1  1440      3.1       0.0      12.9
Total:           22210      3.1         1  1440      3.1       0.0      12.9
SrcIf  SrcIPaddress  Port Msk AS ...     <- source mask and AS, ToS byte, destination and TCP information flags
Et0/0                5FA7 /0  0
Et0/0
Router# show ip flow export
Flow export v5 is enabled for main cache
  Exporting flows to 10.48.71.129 (9991)
  Exporting using source interface Loopback0
  Version 5 flow records
  1303552 flows exported in 332208 udp datagrams
  0 flows failed due to lack of export packet
  2 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
  0 export packets were dropped enqueuing for the RP
  0 export packets were dropped due to IPC rate limiting
  0 export packets were dropped due to output drops
Router(config)# ip flow-aggregation cache <cache type>
Router(config-flow-cache)# cache entries <number>
Router(config-flow-cache)# cache timeout active <minutes>
Router(config-flow-cache)# cache timeout inactive <seconds>
Router(config-flow-cache)# mask destination minimum <value>
Router(config-flow-cache)# mask source minimum <value>
Router(config-flow-cache)# export destination 10.10.10.10 1234
Router(config-flow-cache)# enabled
Router# show ip flow export
Cache for <cache-type> aggregation:
  Exporting flows to 1.1.1.1 (9999)
  Exporting using source IP address 192.1.1.5
  1303631 flows exported in 332227 udp datagrams
Lo1 9.9.9.9
Router# show ip bgp
   Network          Next Hop    Metric LocPrf Weight Path
*>i1.1.1.1/32       1.4.0.40         0    100      0 1 i
*>i9.9.9.9/32       1.1.72.1         0    100      0 1 7 i
Router C72d13-1 (same BGP table as above), aggregation cache entry as shown on the slides:
Src AS  Dst If    Dst AS  TOS  Flows  Pkts  B/Pk  Active
2       Et1/0/2   1       00   1      5     100   0.0
- Leverages the new NetFlow version 9 export format
- Configure on the ingress interface
- Supported on sampled/non-sampled NetFlow
Figure: Customers behind CE/CPE routers, PE routers at the PoPs, P routers in the MPLS Core
MPLS
Router# show mpls
Local  Outgoing
tag    tag or VC
486    Pop tag
MPLS
Router# show ip cache verbose flow
SrcIf  SrcIPaddress  DstIf  DstIPaddress  Pr  SrcP  Msk  AS  DstP  Msk  AS  NextHop  B/Pk  Pkts
PO2/0  0.0.0.0       PO3/0  0.0.0.0       00  0000  /0   0   0000  /0   0   0.0.0.0  792   1729
Pos:Lbl-Exp-S 1:486-4-0 (LDP/10.10.10.10)