FLEXIBLE NETFLOW
NetFlow is a Cisco traffic accounting technology built into the software and hardware of many Cisco switches and routers. Before proceeding further let’s understand what a flow is.A flow is a stream of packets between a given source and a given destination. An IP flow is based on a set of seven IP packet attributes.
IP Packet attributes used by NetFlow are:
• IP source address
• IP destination address
• Source port
• Destination port
• Layer 3 protocol type
• Class of Service
• Router or switch interface
These are the fields that are tracked and if any one of the packet values for these fields is found to be unique, a new flow record is created in the NetFlow cache.
Understanding of what a key field and non key field in netflow is essential before we discuss traditional and flexible netflow. So let’s discuss them now.
Key fields are IP addresses and ports; if the set of key fields are unique a new flow is created. Each packet that is forwarded within a router or switch is examined for a set of IP packet attributes. These attributes are the IP packet identity or key fields for the flow and determine if the packet information is unique or similar to other packets. The non-key field information is collected and attached to the flow. Typical non-key fields include timestamps, packet and byte counters.
Original/Traditional NetFlow and Flexible NetFlow both use the values in key fields in IP datagrams, such as the IP source or destination address and the source or destination transport protocol port, as the criteria for determining when a new flow must be created in the cache while network traffic is being monitored. As already discussed when the value of the data in the key field of a datagram is unique with respect to the flows that already exist, a new flow is created.
Original NetFlow and Flexible NetFlow both use non key fields as the criteria for identifying fields from which data is captured from the flows. The flows are populated with data that is captured from the values in the non key fields.
Then the questions what is flexible netflow? Why migrate to flexible netflow? What are the benefits? Let’s start answering one by one.
The word “Flexible” says it allJ . We can just say "Traditional NetFlow" everything that is not "Flexible NetFlow". Flexible NetFlow provides flexibility, scalability of flow data beyond traditional NetFlow. We should be able to understand the difference rather benefits between traditional netflow and flexible netflow when we go further.
As already discussed traditional NetFlow uses fixed seven attributes of IP information to identify a flow. A big advantage of the new Flexible NetFlow concept is that the flow can be user defined. Let’s now look at other benefits of flexible netflow.
The benefits of Flexible NetFlow
- Because only interesting flows with selected key-fields will be analyzed, Flexible NetFlow generally offers better performance, scalability, and aggregation of flow information.
- Enhanced flow infrastructure for security monitoring and DDoS detection and identification.
- Flexible NetFlow will integrate with NBAR to provide application visibility rather than just flow visibility
- New information from packets to adapt flow information to a particular service or operation in the network. The flow information available will be customizable by Flexible NetFlow users.
- A comprehensive IP accounting feature that can be used to replace many accounting features, such as IP accounting, Border Gateway Protocol (BGP) Policy Accounting, and persistent caches.
STEP 1: Define NETFLOW RECORD
In Flexible NetFlow a combination of key and nonkey fields is called a record. The flow record defines what information NetFlow will track. The flow record may be user defined or a pre-defined scheme available in IOS. Flexible NetFlow records are assigned to Flexible NetFlow flow monitors to define the cache that is used for storing flow data.
Example:
Flow record Record_name
Match ipv4 protocol
Match ipv4 source address
Match ipv4 destination address
Collect ipv4 dscp
Collect interface output
As already discussed a key field is a field that you want to match on. If one of the incoming packets doesn’t match a key field in the flow cache, a new entry is made. Okie then what is the difference with traditional netflow? Remember here we can define a record with the attributes we want to match for a flow to be unique. The configuration example below will not create a new flow until source or destination IP addresses change.
Example: Match ipv4 source address
Match ipv4 destination address
Now non key field, additional information can be added to the Flow Record and this information is named non-key fields. Non-key fields are added to the flow entry in the NetFlow cache and exported. The non-key fields are not used to create or characterize the flows but are exported and just added to the flow. Example: collect counter bytes
Now what does match and collect mean?
All packets with the same matching attributes (i.e. the same source/destination IP address, source/destination ports, protocol, interface and class of service) are grouped into a flow and then packets and bytes are tallied. The default 7 attributes are the IP packet identity or key fields for the flow and determine if the packet information is unique or similar to other packets. Items such as TCP flags, subnet masks, packets, bytes, etc. are non key fields, but are often still collected and exported in NetFlow.
Remember “Everything matched is also collected”.
STEP2 : configuring FLOW EXPORTER
Flow exporters are used to send the data that you collect with Flexible NetFlow to a remote system such as a NetFlow Collection Engine. Exporters use UDP as the transport protocol and use the Version 9 export format. The export protocol for Flexible NetFlow is NetFlow v9 export protocol, Flexible NetFlow can also be configured to export some predefined flow records using the NetFlow v5 protocol format for backward compatibility. The NetFlow exporter includes the destination address of the reporting server, the type of transport and the export format
Flow exporter exporter_ name
Destination {hostname | ip-address}
Transport udp udp-port
Flow monitor monitor-name
Exporter exporter-name //Apply exporter to a flow monitor
STEP3: configure FLOW MONITORS
A flow monitor is essentially a NetFlow cache. The flow monitor has two major components the flow monitor and the flow exporter. The flow monitor can track both ingress and egress information. The Flow exporter describes the NetFlow export.
Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic monitoring. A cache that is automatically created at the time the flow monitor is applied to the first interface. Flow data is collected from the network traffic and added to the flow monitor cache during the monitoring process based on the key and nonkey fields in the flow record.
There are three types of flow monitor caches
- Normal: The default cache type is normal. In this mode, the entries in the cache are aged out according to the timeout active and timeout inactive settings
- Immediate: A cache of type immediate ages out every record as soon as it is created. As a result, every flow contains just one packet
- Permanent: A cache of type permanent never ages out any flows. A permanent cache is useful when the number of flows you expect to see is low and there is a need to keep long-term statistics on the router.
Example :
flow monitor Monitor_name
record Record_name
Exporter exporter-name
Cache type TYPE
STEP4: Apply flow monitor on interface
Select the interface on which traffic needs to be analyzed and apply flow monitor in in or out direction.
Interface interface_name
Ip flow monitor Monitor_name input/outputRestrictions for Getting Started with Configuring Flexible NetFlow
• Locally generated traffic (traffic that is generated by the router on which the Flexible NetFlow Output Accounting feature is configured) is not counted as flow traffic for the Output Flexible NetFlow Accounting feature.
• The Flexible NetFlow Output Accounting feature counts CEF-switched packets only. Process- switched transit packets are not counted.
Finally some show commands to verify.
- Show flow monitor monitor_name cache format table
- show flow exporterexporter-name
- show flow record name record_name
Reference :
http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/get_start_cfg_fnflow.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/prod_qas0900aecd804be091.html
IOS support:
http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/fnetflow_feat_rdmap_support_TSD_Island_of_Content_Chapter.html#wp1056007
No comments:
Post a Comment