© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 1
NetFlow: Introduction to Flexible NetFlow
Jean-Charles GRIVIAUD
NSSTG Product Manager
Cisco IOS NetFlow – What is it?
• Developed and patented at Cisco Systems in 1996
• NetFlow is the de facto standard for acquiring IP operational data
• Provides network and security monitoring, network planning, traffic analysis, and IP accounting
Network World article – NetFlow Adoption on the rise
http://www.networkworld.com/newsletters/nsm/2005/0314nsm1.html
Why Cisco IOS NetFlow? Customer Benefits
• Understand
  – Productivity and utilization of assets in the network
  – Impact of network changes and services
• Improve
  – Application and network usage
• Detect and classify security incidents with proven threat defence
NetFlow answers the who, what, when, where, and how of network traffic
Principal NetFlow Applications
Enterprise                                          Service Provider
Security Monitoring and Incident (DDoS) Detection   Security Monitoring and Incident (DDoS) Detection
Billing for Departments                             Accounting and Billing
Application Monitoring                              Traffic Engineering
User Monitoring/Profiling                           Peering Arrangements
Internet Access Monitoring                          Network Infrastructure Optimization and Planning
Data at ANY granularity to understand network use: who, what, where, when and how
Cisco Applications and Partners
Application areas: Traffic Analysis, Billing, Denial of Service, NetFlow Collector
Cisco: CS-Mars
Open Source: Flow-Tools, FlowMon, Flowd, IPFlow
More info: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/commercial/
Key Concept — NetFlow Scalability
• Packet capture is like a wiretap
• NetFlow is like a phone bill
• This level of granularity allows NetFlow to scale for very large amounts of traffic
We can learn a lot from studying the phone bill: who’s talking to whom, over what protocols and ports, for how long, at what speed, for what duration, etc.
NetFlow is a form of telemetry pushed from the routers/switches — each one can be a sensor
NetFlow Features
• Cisco NetFlow (NF) is a group of IOS features for traffic accounting and monitoring on a per-flow basis
• NF includes 21 features with flows of different granularity:
  – Traditional IP NF – individual TCP/UDP sessions
  – MPLS aware NF – individual TCP/UDP sessions over MPLS
  – 12 features of IP aggregated NF – per IP prefix, AS, etc.
  – IPv6 NF – individual IPv6 TCP/UDP sessions
  – 6 features of IPv6 aggregated NF – per IPv6 prefix, AS, etc.
Flow Key Fields
• Each NF feature has a unique set of flow key fields that may include MPLS, IPv4, IPv6, TCP, UDP, ICMP and IGMP packet header fields and routing attributes
• AS-TOS aggregated NF key fields are:
  – source and destination AS's
  – input and output interfaces
  – TOS
• A flow includes all, and only, the packets that cannot be distinguished based on the key fields
NetFlow Key Fields: Creating Flow Records
Key fields inspected in every packet: Source IP, Destination IP, Source port, Destination port, Layer 3 Protocol, TOS Byte, Input Interface

1. Inspect packet for key field values
2. Compare set of values to NetFlow cache
3. If the set of values is unique, create a flow in the cache
4. Inspect the next packet

Example 1 – Packet 1 key field values (create flow record in the cache):
  Source IP         1.1.1.1
  Destination IP    2.2.2.2
  Source port       22078
  Destination port  23
  Layer 3 Protocol  TCP - 6
  TOS Byte          0
  Input Interface   Ethernet 0

  NetFlow cache after packet 1:
  Source IP  Dest. IP  Dest. I/F  Protocol  TOS  …  Pkts
  1.1.1.1    2.2.2.2   E1         6         0    …  11000

Example 2 – Packet 2 key field values (add new flow to the NetFlow cache):
  Source IP         3.3.3.3
  Destination IP    2.2.2.2
  Source port       22078
  Destination port  23
  Layer 3 Protocol  TCP - 6
  TOS Byte          0
  Input Interface   Ethernet 0

  NetFlow cache after packet 2 (the source IP differs, so the set of key values is unique and a second flow is created):
  Source IP  Dest. IP  Dest. I/F  Protocol  TOS  …  Pkts
  1.1.1.1    2.2.2.2   E1         6         0    …  11000
  3.3.3.3    2.2.2.2   E1         6         0    …  11000
Flow Non-Key Fields and Statistics
• Non-key fields are not used to define a flow; they are exported along with the flow and provide additional information
• Traditional IP NF non-key fields:
  – source and destination AS's
  – source and destination IP prefix masks
  – IP address of next-hop router
  – TCP flags
  – output interface
• NF features provide per-flow statistics:
  – number of packets and bytes in the flow
  – time-stamps for the first and last packets in the flow
Traditional Layer 3 NetFlow Cache
1. Create and update flows in the NetFlow cache (on the slide, key fields are shown in yellow and non-key fields in white)
SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol  TOS  Flgs  Pkts   SrcPort  SrcMsk  SrcAS  DstPort  DstMsk  DstAS  NextHop    Bytes/Pkt  Active  Idle
Fa1/0  173.100.20.2  Fa0/0  10.0.227.12  11        80   10    10000  00A1     /24     180    00A1     /24     15     10.0.23.2  1428       1145.5  3
Fa1/0  173.100.3.2   Fa0/0  10.0.227.12  6         40   0     2491   15       /26     196    15       /24     15     10.0.23.2  740        41.5    1
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11        80   10    11000  00A2     /24     5      00A2     /24     15     10.0.23.2  1528       1745    4
Fa1/0  173.100.6.2   Fa0/0  10.0.227.12  6         40   0     2210   19       /30     180    19       /24     15     10.0.23.2  1040       24.5    14

2. Expiration – a flow is expired from the cache (and becomes eligible for export) when:
• Inactive timer expired (15 sec is default)
• Active timer expired (30 min is default)
• NetFlow cache is full (oldest flows are expired)
• RST or FIN TCP flag
Expired flow example (active timer reached 1800 s):
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11  80  10  11000  00A2  /24  5  00A2  /24  15  10.0.23.2  1528  1800  4

3. Aggregation – e.g. the Protocol-Port aggregation scheme reduces that flow to:
Protocol  SrcPort  DstPort  Pkts   Bytes/Pkt
11        00A2     00A2     11000  1528

4. Export version – non-aggregated flows: export version 5 or 9; aggregated flows: export version 8 or 9
5. Transport protocol – the export packet carries a header and a payload (flows)
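The flow creation steps of slide 9 and the four expiration conditions of slide 11, as an added software model (not code from the Cisco deck): the seven key fields form the cache key, packets that match an existing key only update its counters, and a flow is handed to the exporter on the inactive timer, the active timer, a full cache or a TCP RST/FIN. Packet values, the 2-entry cache size and the timestamps are constructed for the demo.

```python
from dataclasses import dataclass

TCP = 6
TCP_FIN, TCP_RST = 0x01, 0x04


@dataclass(frozen=True)
class Packet:
    """One packet as seen by the router (constructed values in the demo)."""
    ts: float          # arrival time in seconds (stand-in for sysUpTime)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    tos: int
    in_if: str
    length: int
    tcp_flags: int = 0


@dataclass
class Flow:
    key: tuple
    first: float
    last: float
    pkts: int = 0
    bytes: int = 0
    tcp_flags: int = 0   # OR of all TCP flags seen in the flow: a non-key field


def flow_key(p):
    """The seven traditional key fields; packets agreeing on all seven belong to one flow."""
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto, p.tos, p.in_if)


class NetFlowCache:
    def __init__(self, max_entries=4, inactive_timeout=15.0, active_timeout=1800.0):
        self.max_entries = max_entries            # "cache is full" threshold (constructed)
        self.inactive_timeout = inactive_timeout  # 15 s default on the slide
        self.active_timeout = active_timeout      # 30 min default on the slide
        self.flows = {}                           # key -> Flow
        self.exported = []                        # (reason, Flow) pairs handed to the exporter

    def _expire(self, key, reason):
        self.exported.append((reason, self.flows.pop(key)))

    def expire_timers(self, now):
        """Inactive timer: no packet for inactive_timeout; active timer: age of the flow."""
        for key, f in list(self.flows.items()):
            if now - f.last >= self.inactive_timeout:
                self._expire(key, "inactive")
            elif now - f.first >= self.active_timeout:
                self._expire(key, "active")

    def process(self, p):
        self.expire_timers(p.ts)
        key = flow_key(p)
        f = self.flows.get(key)
        if f is None:
            if len(self.flows) >= self.max_entries:
                oldest = min(self.flows, key=lambda k: self.flows[k].first)
                self._expire(oldest, "cache_full")    # cache full: the oldest flow is expired
            f = self.flows[key] = Flow(key=key, first=p.ts, last=p.ts)
        f.pkts += 1
        f.bytes += p.length
        f.last = p.ts
        f.tcp_flags |= p.tcp_flags
        if p.proto == TCP and p.tcp_flags & (TCP_RST | TCP_FIN):
            self._expire(key, "rst_fin")              # TCP session ended: export right away


def run_demo():
    """Replays the two packets of slide 9 plus constructed follow-ups through a 2-entry cache."""
    c = NetFlowCache(max_entries=2)
    c.process(Packet(0.0, "1.1.1.1", "2.2.2.2", 22078, 23, TCP, 0, "Ethernet0", 60))
    c.process(Packet(0.5, "3.3.3.3", "2.2.2.2", 22078, 23, TCP, 0, "Ethernet0", 60))
    flows_after_two = len(c.flows)                  # only the source IP differs -> 2 flows
    c.process(Packet(1.0, "1.1.1.1", "2.2.2.2", 22078, 23, TCP, 0, "Ethernet0", 1500))
    pkts_flow1 = c.flows[("1.1.1.1", "2.2.2.2", 22078, 23, TCP, 0, "Ethernet0")].pkts
    c.process(Packet(2.0, "4.4.4.4", "2.2.2.2", 22078, 23, TCP, 0, "Ethernet0", 60))
    c.process(Packet(3.0, "3.3.3.3", "2.2.2.2", 22078, 23, TCP, 0, "Ethernet0", 60, TCP_FIN))
    c.expire_timers(23.0)                           # 21 s of silence exceeds the 15 s inactive timer
    return flows_after_two, pkts_flow1, [r for r, _ in c.exported], len(c.flows)


if __name__ == "__main__":
    print(run_demo())   # (2, 2, ['cache_full', 'rst_fin', 'inactive'], 0)
```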
Ingress NetFlow Switching Path
(Cisco 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers)
• Input: packet buffer
• Input interface feature check: ACL, Policy, WCCP, NAT input
• Sampling: 1 out of N? (Yes/No)
• Switching vector (FAST+FLOW or CEF+FLOW): flow lookup in the NetFlow cache
• New flow: add input flow fields (input bytes, input packets, Src AS)
• FIB route lookup: add output flow fields (Dest AS, nexthop, BGP nexthop)
• Output interface feature check: QoS, CAR, Crypto, NAT output
• Output interface update
• Output: packets
Comprehensive Hardware Support
Access (Cisco IOS Software Releases): Cisco 800 Series; Cisco 1700/1800 Series; Cisco 2600/2800 Series; Cisco 3700/3800 Series
Enterprise & aggregation/edge (Cisco IOS Software Release 12.2S): Cisco 7200/7300 Series; Cisco 7200/7500 Series; Cisco 7300 Series; Cisco 4500 Series ASIC; Cisco Catalyst 6500 and Cisco 7600 Series ASIC
Core (Release 12.0S/IOS-XR): Cisco 10000 Series ASIC; Cisco 12000 Series ASIC; CRS-1 ASIC
NetFlow Versions
NetFlow Version  Comments
1                Original
5                Standard and most common
7                Specific to Cisco Catalyst 6500 and 7600 Series Switches; similar to Version 5, but does not include AS, interface, TCP flag & TOS information
8                Choice of eleven aggregation schemes; reduces resource usage
9                Flexible, extensible file export format to enable easier support of additional fields & technologies; coming out now: MPLS, Multicast, & BGP Next Hop
Version 5 - Flow Export Format
• Source IP Address, Destination IP Address (From/To)
• Packet Count, Byte Count (Usage)
• Start sysUpTime, End sysUpTime (Time of Day)
• Source TCP/UDP Port, Destination TCP/UDP Port (Application)
• Input ifIndex, Output ifIndex (Port Utilization)
• Type of Service, TCP Flags, Protocol (QoS)
• Next Hop Address, Source AS Number, Dest. AS Number, Source Prefix Mask, Dest. Prefix Mask (Routing and Peering)
Version 5 is used extensively today
Extensibility and Flexibility: Phased Approach
• Why a new export protocol? Build a flexible and extensible export format!
  Advantage: we can add new technologies/data types very quickly
  Example: MPLS, IPv6, BGP next hop
• Phase 1: NetFlow Version 9. Advantages: extensibility
  Integrate new technologies/data types quicker
  Integrate new aggregations quicker
  Note: for now, the template definitions are fixed!
• Phase 2: User defined templates (Flexible NetFlow). Advantages: cache and export content flexibility
  Selection of a subset of the 7 flow keys
  Selection of the data types to export
NetFlow v9 Export Packet
Packet layout: Header (version, # packets, sequence #, Source ID) → Template FlowSet (Template Records: Template ID #1 and Template ID #2, each listing specific field types and lengths) → Data FlowSet, FlowSet ID #1 (Data Records with field values; flows from Interface A) → Data FlowSet, FlowSet ID #2 (Data Records with field values; flows from Interface B) → Option Template FlowSet → Option Data FlowSet (FlowSet ID; Option Data Records with field values)
• Matching ID numbers are the way to associate a Template with its Data Records
• The Header follows the same format as prior NetFlow versions, so Collectors will be backward compatible
• Each Data Record represents one flow
• If exported flows have the same fields, then they can be contained in the same Template Record (i.e. unicast traffic can be combined with multicast records)
• If exported flows have different fields, then they cannot be contained in the same Template Record (i.e. BGP next-hop cannot be combined with MPLS Aware NetFlow records)
To support technologies such as MPLS or Multicast, this export format can be leveraged to easily insert new fields
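The template/data matching rule of slide 17, as an added example (not code from the Cisco deck): an exporter builds a v9 packet whose Template FlowSet (FlowSet ID 0) defines Template ID 256, and a collector decodes the Data FlowSet only because its FlowSet ID equals that Template ID. Packet layout and field type numbers follow RFC 3954 (cited later in the deck); the template, the two flows and the header values are constructed, and the options template path is left out.

```python
import socket
import struct

# RFC 3954 field type numbers; the template tells the collector what each record holds
IN_BYTES, IN_PKTS, PROTOCOL = 1, 2, 4
L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 7, 8, 11, 12
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}
IPV4_FIELDS = (IPV4_SRC_ADDR, IPV4_DST_ADDR)
# Constructed template: (field type, length in bytes) for each field of a data record
TEMPLATE = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2),
            (L4_DST_PORT, 2), (PROTOCOL, 1), (IN_PKTS, 4), (IN_BYTES, 4)]


def encode_field(ftype, length, value):
    return socket.inet_aton(value) if ftype in IPV4_FIELDS else int(value).to_bytes(length, "big")


def decode_field(ftype, raw):
    return socket.inet_ntoa(raw) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big")


def build_v9_packet(template_id, template, flows, sys_uptime, unix_secs, seq, source_id):
    """Exporter side: header + Template FlowSet (ID 0) + one Data FlowSet keyed by template_id."""
    body = struct.pack("!HH", template_id, len(template))
    for ftype, flen in template:
        body += struct.pack("!HH", ftype, flen)
    template_set = struct.pack("!HH", 0, 4 + len(body)) + body
    recs = b"".join(encode_field(ft, fl, flow[FIELD_NAMES[ft]])
                    for flow in flows for ft, fl in template)
    pad = (-len(recs)) % 4                     # FlowSets are padded to a 32-bit boundary
    data_set = struct.pack("!HH", template_id, 4 + len(recs) + pad) + recs + b"\0" * pad
    count = 1 + len(flows)                     # header count = template + data records
    header = struct.pack("!HHIIII", 9, count, sys_uptime, unix_secs, seq, source_id)
    return header + template_set + data_set


def parse_v9_packet(pkt, templates=None):
    """Collector side. `templates` is kept across packets (keyed by Source ID and Template
    ID); data records whose template has not been seen are counted, never guessed."""
    templates = {} if templates is None else templates
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", pkt[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    header = {"version": version, "count": count, "sys_uptime": uptime,
              "unix_secs": unix_secs, "sequence": seq, "source_id": source_id}
    records, undecodable, off = [], 0, 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("malformed FlowSet length")
        body, off = pkt[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:                                       # Template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                                   # Data FlowSet: ID = Template ID
            tmpl = templates.get((source_id, fs_id))
            if tmpl is None:
                undecodable += 1                             # no matching template yet
                continue
            rec_len, pos = sum(fl for _, fl in tmpl), 0
            while pos + rec_len <= len(body):                # stops at the trailing padding
                rec = {}
                for ft, fl in tmpl:
                    rec[FIELD_NAMES.get(ft, f"field_{ft}")] = decode_field(ft, body[pos:pos + fl])
                    pos += fl
                records.append(rec)
        # FlowSet ID 1 (Options Template) and IDs 2-255 are skipped in this example
    return header, records, undecodable


def demo():
    flows = [  # constructed flows: the two telnet flows of slide 9
        {"src_addr": "1.1.1.1", "dst_addr": "2.2.2.2", "src_port": 22078, "dst_port": 23,
         "protocol": 6, "in_pkts": 11000, "in_bytes": 660000},
        {"src_addr": "3.3.3.3", "dst_addr": "2.2.2.2", "src_port": 22078, "dst_port": 23,
         "protocol": 6, "in_pkts": 11000, "in_bytes": 660000},
    ]
    pkt = build_v9_packet(256, TEMPLATE, flows, 123456, 1136073600, 1, 7)
    header, records, undecodable = parse_v9_packet(pkt)
    # Same data with the Template FlowSet removed: without a matching ID nothing decodes
    tmpl_len = struct.unpack("!H", pkt[22:24])[0]
    _, records2, undecodable2 = parse_v9_packet(pkt[:20] + pkt[20 + tmpl_len:])
    return header["count"], records, undecodable, len(records2), undecodable2
```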
NetFlow Features supported with Version 9
• Multicast NetFlow – Availability: Major Release 12.3(1) and 12.2(18)S
  Ingress: accounting of replicated multicast packets
  Egress: per user accounting of multicast packets
• MPLS Aware NetFlow – Availability: Release 12.0(26)S
  Label and prefix export information
• BGP Next Hop – Availability: Releases 12.0(26)S, 12.2(18)S, and 12.3(1)
  Edge to edge traffic matrix
  BGP traffic destination information
• NetFlow for IPv6 – Availability: Release 12.3(7)T
  Export IPv6 source and destination information
NetFlow Version 9 Platform Support
• Releases
  12.0(24)S for the Cisco 7200, 7500 and 12000 Series Routers
  12.3(1) for the Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800 and 7200 Series Routers
  12.2(18)S for the Cisco 7200, 7301 and 7500 Series Routers
  12.2(18)SXF – Catalyst 6500/7600 Series Switch
  12.2(x)SRB – Cisco 7600 Series Router
  12.2(30)SB – Cisco 7304 and 10000 Series Routers
• NF v9 is an export feature; by itself it doesn't add new capability. Newer features under NetFlow require NFv9 (e.g. MPLS, Flexible NetFlow)
Performance Testing: NetFlow Version 9
• Similar CPU and throughput numbers result from configuration of both NetFlow Version 5 and 9
• No change in NetFlow performance after the addition of Version 9
  Cisco IOS Software Releases 12.0(24)S, 12.2S, and 12.3
• CPU is slightly higher immediately following initial boot up or configuration
  Caused by sending template flowsets to the collector
NetFlow v9 and IETF
• Internet Protocol Flow Information eXport (IPFIX) is an IETF working group
  www.ietf.org/html.charters/ipfix-charter.html
• NetFlow Version 9 is the basis for the standard in the IETF
• Standards track

Introduction of Flexible NetFlow
IOS Traffic Accounting Features
• IOS traffic accounting features can be sub-divided:
  – Static features – the number of accounting buckets is statically known and does not depend on traffic, e.g. precedence, BGP PA accounting
  – Dynamic features – the number of accounting buckets (flows) depends on traffic, e.g. NetFlow, MAC accounting
• New applications constantly require new accounting features
• The current approach of developing features one by one does not scale and does not deliver a timely solution
Scenarios or Uses for Accounting Technologies
Scenario                                   Technology
Destination and Source-Sensitive Billing   BGP PA, NetFlow
Time and Usage-Based Billing               AAA, NetFlow
Peering and Transit Agreements             SNMP, NetFlow, BGP PA
Security Analysis                          NetFlow, NBAR
QoS/CoS Monitoring                         CB-QoS MIB, IP SLAs, NetFlow
User Monitoring                            AAA, NetFlow
Application Monitoring                     NBAR, NetFlow
Network Planning and Traffic Engineering   NetFlow, BGP PA
Network Monitoring                         NetFlow, BGP PA
Flexible NetFlow Benefits
• Increased flexibility, scalability and customization beyond today’s NetFlow
• The ability to monitor a wider range of packet information
• User-configurable flow information to perform customized traffic identification, and the ability to focus on and monitor specific network attributes
Flexible NetFlow: Tracking Data with Flow Monitors
Different Flow Monitors for detecting different information across the network (Teleworker, Branch, Campus, WAN, Data Center, ISP):
• Security Flows
• Multicast Flows
• Application Flows
• Peering Flows
• IP Flows
Flexible NetFlow Advantage
Traditional NetFlow: one set of flow information, single cache used by all applications
Flexible NetFlow Advantage: different NetFlow applications are tracked separately
Flexible NetFlow Benefits
• Track security and traffic analysis data separately
• Export different Flow Monitors to different destinations
• Customers benefit from detailed analysis for each application
Flexible NetFlow Advantage (Cont.)
Traditional NetFlow: one cache may limit detailed problem isolation
Flexible NetFlow Advantage: focused network visibility and problem isolation
Flexible NetFlow Benefits
• Create virtual NetFlow caches to track and isolate issues
• Isolate security or traffic incidents in the network
• Customized traffic identification combined with input filtering
• Allows pinpoint accuracy in determining and isolating incidents
Flexible NetFlow Advantage (Cont.)
Traditional NetFlow: limited data aggregation and fixed flow fields
Flexible NetFlow Advantage: user-selected flow information increasing scalability; visibility into new types of data using version 9 export
Flexible NetFlow Benefits
• Select only the information that is needed
• Better use of flow cache and aggregation
• New information from layer 2 and above, including packet sections
Flexible NetFlow: Tracking Data with Flow Monitors
Different Flow Monitors for detecting different information (Branch, Campus, WAN, Data Center, ISP):
• Security Flows: Protocol, Ports, IP Addresses, TCP Flags, Packet Section
• Multicast Flows: Protocol, Ports, IP Subnets, Packet Replication
• Peering Flows (ISP): Dest. AS, Dest. Traffic Index, BGP Next Hop, DSCP
• IP Flows: IP Subnets, Ports, Protocol, Interfaces, Egress/Ingress
Flexible NetFlow: Multiple Monitors with Unique Key Fields
Flow monitor 1 – Traffic Analysis Cache
  Key fields: Source IP, Destination IP, Source port, Destination port, Layer 3 Protocol, TOS Byte, Input Interface
  Non-key fields: Next-Hop Address, Time Stamps, Bytes, Packets
  Packet 1 key field values: Source IP 3.3.3.3, Destination IP 2.2.2.2, Source port 22078, Destination port 23, Layer 3 Protocol TCP - 6, TOS Byte 0, Input Interface Ethernet 0
  Traffic Analysis Cache:
  Source IP  Dest. IP  Dest. I/F  Protocol  TOS  …  Pkts
  1.1.1.1    2.2.2.2   E1         6         0    …  11000
  3.3.3.3    2.2.2.2   E1         6         0    …  11000
Flow monitor 2 – Security Analysis Cache
  Key fields: Source IP, Destination IP, Input Interface, Packet Section
  Non-key fields: Time Stamps, Packets
  Packet 2 key field values: Source IP 3.3.3.3, Destination IP 2.2.2.2, Input Interface Ethernet 0, Packet Section 1010101
  Security Analysis Cache:
  Source IP  Dest. IP  Dest. I/F  Input I/F  Sec  …  Pkts
  3.3.3.3    2.2.2.2   E1         E1         101  …  11000
Flexible NetFlow Components
• The Flow Monitor is a flow cache that contains flow records
  Applied to an interface
  Flow Monitors can be ingress or egress
  Packet sampling is possible per Flow Monitor
• Flow Monitor components:
  Flow Record – defines what is captured by NetFlow
    Flow records have two formats: pre-defined or user-defined schemes
    Include key and non-key fields
  Flow Exporter – where NetFlow will be exported
    Multiple Flow Exporters per Flow Monitor
Flexible NetFlow Model
• A single record per monitor
• Potentially multiple monitors per interface
• Potentially multiple exporters per monitor
Interface → Monitor “A”, Monitor “B”, Monitor “C”; each monitor references one record (Record “X”, Record “Y”, Record “Z”) and one or more exporters (Exporter “M”, Exporter “N”); the same exporter can be referenced by several monitors
Configure a User-Defined Flow Record
Configure the Exporter:
Router(config)#flow exporter my-exporter
Router(config-flow-exporter)#destination 1.1.1.1
Configure the Flow Record:
Router(config)#flow record my-record
Router(config-flow-record)#match ipv4 icmp type
Router(config-flow-record)#match ipv4 icmp code
Router(config-flow-record)#collect counter bytes
Configure the Flow Monitor:
Router(config)#flow monitor my-monitor
Router(config-flow-monitor)#exporter my-exporter
Router(config-flow-monitor)#record my-record
Configure the Interface:
Router(config)#int s3/0
Router(config-if)#ip flow monitor my-monitor input
Flexible Monitor Configuration
• CLI:
  flow monitor <monitor-name>
    record <record-name>
    exporter <exporter-name>
    cache type {normal | immediate | permanent}
    cache entries <number-of-entries>
    cache timeout {active | inactive | update} <value-in-sec>
    size-distribution
    exit
Defines the flow monitor cache; associated with the monitor are an exporter and a pre-defined or user-defined NetFlow record
Flexible NetFlow: User Defined Record Configuration
Router(config)# flow record my-record
Router(config-flow-record)# match    -> specify a key field
Router(config-flow-record)# collect  -> specify a non-key field

Router(config-flow-record)# match ?
  flow       Flow identifying fields
  interface  Interface fields
  ipv4       IPv4 fields
  routing    Routing attributes
  transport  Transport layer fields

Router(config-flow-record)# collect ?
  counter    Counter fields
  flow       Flow identifying fields
  interface  Interface fields
  ipv4       IPv4 fields
  routing    IPv4 routing attributes
  timestamp  Timestamp fields
  transport  Transport layer fields
Flexible Flow Record Configuration Example
Flow key fields: destination AS, IPv4 source prefix, output interface index; maintain 32-bit packet and byte counters; no timestamps:
(config)# flow record dst-as-src-prefix
(flow-record)# match routing destination as
(flow-record)# match ipv4 source prefix
(flow-record)# match ipv4 source mask
(flow-record)# match interface output
(flow-record)# collect counter packets
(flow-record)# collect counter bytes
(flow-record)# exit
Flexible Flow Record: Key Fields
IPv4: Version, Header Length, Total Length, ID, Fragmentation Flags, Fragmentation Offset, TTL, Protocol, Options, TOS, DSCP, Precedence, Payload Size, IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Packet Section (Header), Packet Section (Payload)
Interface: Input, Output
Routing: BGP Next Hop, IGP Next Hop, Is-Multicast, Destination AS, Peer AS, Traffic Index, Forwarding Status
Transport: Source Port, Destination Port, TCP Source Port, TCP Destination Port, UDP Source Port, UDP Destination Port, UDP Message Length, TCP Window-Size, TCP Header Length, TCP Sequence Number, TCP ACK Number, TCP Urgent Pointer, TCP Flag: SYN, TCP Flag: ACK, TCP Flag: FIN, TCP Flag: RST, TCP Flag: PSH, TCP Flag: URG, TCP Flag: ECE, TCP Flag: CWR, ICMP Type, ICMP Code, IGMP Type
Flow: Sampler ID, Direction
Flexible Flow Record: Key Fields for Traffic Analysis
(the same key field table as above, with the fields used for traffic analysis highlighted on the slide)
Flexible Flow Record: Key Fields for Security
(the same key field table as above, with the fields used for security highlighted on the slide)
Flexible Flow Record: Key Fields for Peering Arrangements
(the same key field table as above, with the fields used for peering arrangements highlighted on the slide)
Flexible Flow Record: Non-Key Fields for Security
• Any of the potential “key” fields (collected as a non-key field, it carries the value of the first packet in the flow)
• Plus
  Counters: Packets, Packets Long, Bytes, Bytes Long, Bytes Square Sum
  Timestamp: sysUpTime First Packet, sysUpTime Last Packet
  IPv4: Total Length Minimum, Total Length Maximum, TTL Minimum, TTL Maximum
Flexible Flow Monitor Cache Types
• Three types of NetFlow caches are available
Normal
  Similar to today’s NetFlow, but the active and inactive timers are more flexible (e.g. an active timer of 1 second)
Immediate
  1 second timer and no export delay
  A flow accounts for 1 packet
  Used for real-time traffic monitoring, DDoS detection, logging
  Used for flow records with packet sections or with a large set of key fields
Permanent
  A permanent flow cache can be used to track a set of flows over time without expiring the flows from the cache
  The entire cache is periodically exported to the collector
  After the cache is full, flows will be dropped (size configurable)
  Useful for accounting or security monitoring
Complete Permanent Flexible NetFlow Configuration Example
• Per DSCP accounting flow record definition:
Router(config)# flow record my-dscp-record
Router(config-flow-record)# match ipv4 dscp
Router(config-flow-record)# match interface input
Router(config-flow-record)# collect counter bytes long
Router(config-flow-record)# collect counter packets long
(long = 64-bit counter)
Router(config)# flow monitor my-dscp-monitor
Router(config-flow-monitor)# description dscp:bytes and packets
Router(config-flow-monitor)# record my-dscp-record
Router(config-flow-monitor)# cache type permanent
Router(config-flow-monitor)# cache entries 256
Router(config)# interface GigabitEthernet 0/1
Router(config-if)# ip flow monitor my-dscp-monitor input
• This would replace “IP accounting precedence”
Flexible NetFlow Activation on Interface
• Deterministic or random sampling is available
Router(config)# sampler <sampler-name> mode [deterministic | random] <value N> out-of <value M>
Router(config-if)# ip flow monitor <monitor-name> [sampler <sampler-name>] [input | output]
The sampler option applies to the input or output traffic; it does not determine the flow key. The “sampler-table” option record is sent to the collector.
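The user-defined record, the immediate and permanent cache types and the N out-of M sampler of the preceding slides, as an added software model (not code from the Cisco deck or Cisco IOS): `match` fields form the key, `collect` fields are accounted per flow, an immediate cache exports every packet as its own flow, and a permanent cache never expires entries, drops new flows once full and exports the whole cache on demand. The sampler semantics (deterministic = first N of every window of M packets, random = N random positions per window), the packets, the record definitions and the 2-entry cache are assumptions made for the demo.

```python
import random


class FlowRecord:
    """User-defined flow record: `match` fields form the key, `collect` fields are non-key."""
    def __init__(self, match, collect):
        self.match, self.collect = list(match), list(collect)

    def key(self, pkt):
        return tuple(pkt[f] for f in self.match)


class Sampler:
    """Model of `sampler <name> mode {deterministic | random} N out-of M` (assumed semantics:
    deterministic = first N of every window of M packets, random = N random positions)."""
    def __init__(self, n, m, mode="deterministic", seed=0):
        self.n, self.m, self.mode = n, m, mode
        self.count, self.rng, self.picks = 0, random.Random(seed), set()

    def select(self):
        pos = self.count % self.m
        if pos == 0:                              # a new window of M packets starts
            self.picks = (set(range(self.n)) if self.mode == "deterministic"
                          else set(self.rng.sample(range(self.m), self.n)))
        self.count += 1
        return pos in self.picks


class FlowMonitor:
    def __init__(self, record, cache_type, cache_entries=256, sampler=None):
        assert cache_type in ("immediate", "permanent")   # "normal" is the timer-driven case
        self.record, self.cache_type = record, cache_type
        self.cache_entries, self.sampler = cache_entries, sampler
        self.cache, self.exported = {}, []                 # key -> entry; entries given to the exporter
        self.dropped = self.sampled_out = 0

    def _account(self, entry, pkt):
        for f in self.record.collect:
            if f == "bytes":
                entry["bytes"] = entry.get("bytes", 0) + pkt["length"]
            elif f == "packets":
                entry["packets"] = entry.get("packets", 0) + 1
            else:
                entry.setdefault(f, pkt[f])  # other collected fields keep the first packet's value

    def process(self, pkt):
        if self.sampler is not None and not self.sampler.select():
            self.sampled_out += 1
            return
        key = self.record.key(pkt)
        if self.cache_type == "immediate":      # a flow accounts for one packet, no export delay
            entry = {"key": key}
            self._account(entry, pkt)
            self.exported.append(entry)
            return
        entry = self.cache.get(key)
        if entry is None:
            if len(self.cache) >= self.cache_entries:
                self.dropped += 1               # permanent cache full: nothing is evicted
                return
            entry = self.cache[key] = {"key": key}
        self._account(entry, pkt)

    def periodic_export(self):
        """Permanent cache: the entire cache is exported and nothing is expired."""
        snapshot = [dict(e) for e in self.cache.values()]
        self.exported.extend(snapshot)
        return snapshot


def demo():
    # Record of the per-DSCP example: match ipv4 dscp / match interface input / collect counters
    acct = FlowMonitor(FlowRecord(["dscp", "in_if"], ["bytes", "packets"]),
                       cache_type="permanent", cache_entries=2)
    pkts = [  # constructed packets on one interface; `section` stands for an IPv4 header section
        {"dscp": 0, "in_if": "Gi0/1", "length": 100, "section": b"\x45\x00"},
        {"dscp": 46, "in_if": "Gi0/1", "length": 200, "section": b"\x45\xb8"},
        {"dscp": 0, "in_if": "Gi0/1", "length": 300, "section": b"\x45\x00"},
        {"dscp": 10, "in_if": "Gi0/1", "length": 400, "section": b"\x45\x28"},
    ]
    for p in pkts:
        acct.process(p)
    snap = acct.periodic_export()
    dscp0 = next(e for e in snap if e["key"] == (0, "Gi0/1"))
    # Security-style monitor: packet section as a key field, immediate cache, 1 out-of 2 sampling
    sec = FlowMonitor(FlowRecord(["section", "in_if"], ["packets", "dscp"]),
                      cache_type="immediate", sampler=Sampler(1, 2))
    for p in pkts:
        sec.process(p)
    return (len(snap), dscp0["bytes"], dscp0["packets"], acct.dropped,
            len(sec.exported), sec.sampled_out, len(sec.cache))
```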
Flow Exporters
• Flow export to collect­ors is defined using a Flow Exporter
• Each Flow Monitor can use multiple Flow Exporters (export to many NetFlow Collectors) simultaneously
• Flow Exporters can use different reliable and unreliable transport protocols: UDP, SCTP
• Different export protocols (v9 and IPFIX)
• Flow Exporters are QoS aware and can be prioritized, unlike today’s NetFlow
Flexible Monitor Configuration
flow monitor <monitor-name>
  record <record-name>
  exporter <exporter-name>                                   – potentially multiple
  cache type {normal | immediate | permanent}                – 3 types of cache: see next slides
  cache entries <number-of-entries>
  cache timeout {active | inactive | update} <value-in-sec>
  statistics packet protocol                                 – collect protocol distribution statistics
  statistics packet size                                     – collect size distribution statistics
Packet Section Fields
• A contiguous chunk of a packet of user-configurable size, used as a key or a non-key field
• Sections are used for detailed traffic monitoring, DDoS attack investigation, worm detection and other security applications
• A chunk defined as a flow key should be used in sampled mode with an immediate-aging cache
• collect or match ipv4 header <size in bytes> – the section starts at the beginning of the IPv4 header
• collect or match ipv4 payload <size in bytes> – the section immediately follows the IPv4 header
Flexible NetFlow Status
• Flexible NetFlow is FCS
• Flexible NetFlow is available in 12.4(9)T
  Cisco 800, 1800, 2800, 3800, 7200 and 7301 Series
• Flexible NetFlow phase I provides:
  Multiple user-defined caches
  Complete IPv4 header info
  UDP/packet section exporters
  Persistent caches
  Ingress/egress support
  Common CLI
  Sampled NetFlow
Flexible NetFlow Evolution
• Flexible NetFlow introduced on 7304 (12.2(31)SB2)
• Flexible NetFlow to be introduced on GSR (12.0(33)S), Engine 3 and Engine 5
• Flexible NetFlow IPv6 will be added in 12.4(7th)T
• Candidate features for 12.5(2th)T: QoS output feature for the FNF Exporter
  IP Multicast traffic
  NetFlow v5 export
  TopNTalkers
  Input filters/MQC integration
• Radar features: NBAR integration, IPFIX support
Backup Slides
Cisco NetFlow Feature Overview
Category                               Features
Accounting                             NetFlow Router Based Aggregation (v8/v9); Origin and Peer AS; Bridged NetFlow; MAC Address Export; Egress NetFlow Accounting
Network Analysis & Capacity Planning   Random Sampled NetFlow; Random and Time-based Flow Sampled NetFlow; BGP Next Hop NetFlow; Export Filters; Dual Export
Export Formats                         NetFlow Export Versions 1, 5, 7, 8; Version 9 – latest Flexible and Extensible format
Cisco NetFlow Feature Overview (2)
Category              Features
Security Monitoring   NetFlow MIB and Top Talkers; Input filters; Security Exports (IPv4 Header); Dynamic Top Talkers CLI
Standard              NetFlow Version 9 – basis for the IPFIX WG export format; Version 9 – RFC 3954; Reliable Export with SCTP; IPFIX export standard for the Packet Sampling WG (PSAMP)
Cisco NetFlow Feature Overview (3)
Category    Features
Multicast   Multicast NetFlow
IPv6        IPv6 NetFlow
MPLS        MPLS Egress NetFlow; MPLS Aware NetFlow; MPLS Information Export (LFIB); MPLS Aggregation (EXP, BGP-NH, Egress I/F)
NetFlow-Platform Export Feature Comparison (1)
Columns: Feature, Software, C6500, C7600, C12000, C10000, CRS, C4500 (legend: Available Now / Not Available / Roadmap)
Features compared: Version 5, Version 8, Version 9, Dual Export, Reliable Export, Security Exports, Mac Address, Vlan Export, VRF Destination
[table of per-platform software releases]
NetFlow - Platform Feature Comparison (2)
Columns: Feature, Software, C6500, C7600, C12000, C10000, CRS, C4500 (legend: Available Now / Not Available / Roadmap)
Features compared: TCP Flags, NetFlow MIB with Top Talker, IFIndex to Name Map, Export Filters, Forwarding Status, Egress/Output NetFlow, Bridged NF, Input Filters, Dynamic Top Talker CLI
[table of per-platform software releases]
NetFlow - Platform Feature Comparison (3)
Columns: Feature, Software, C6500, C7600, C12000, C10000, CRS, C4500 (legend: Available Now / Not Available / Roadmap)
Features compared: Per Interface TOS Support, MPLS Label Export, MPLS Aggregation, MPLS Egress, MPLS Aware, Min Prefix Aggr., Flow Sampling, Packet Sampling, BGP Next Hop, Multicast, IPv6
[table of per-platform software releases]
Flexible NetFlow - Platform Feature Comparison
Columns: Feature, Software, C6500, C7600, C12000, C10000, CRS, C4500 (legend: Available Now / Not Available / Roadmap)
Features compared: IPv4 Unicast, IPv6 Unicast, IPv4 Multicast, IPv6 Multicast, L2 FNF, MPLS FNF, Dyn. TopNTalkers, NetFlow v5 Export, NetFlow v9 Export
[table of per-platform software releases]