1© 2000, Cisco Systems, Inc.
22181203_05_2000_c3
NetFlow
Michael Lin
Agenda
• What Is NetFlow?
• Application Discussion
• What’s New and Road Map
• Quickie on SLM/SAA—NetFlow Vision
NetFlow Components
What Is NetFlow?
NetFlow Enables
• NetFlow statistics empower users to characterize their IP data flows
• The who, what, where, when, and how much questions about IP traffic are answered
• Usage-Based Billing
• Traffic Analysis and Monitoring for Network Planning
• Router Feature Acceleration
NetFlow’s Value
• NetFlow enables IP traffic flow analysis without probes
• Offers a rich data set to be mined for network management, traffic engineering, and value-added service offerings (i.e., marketing data, personal NMS data)
• Increasing margins on existing Cisco infrastructure is possible and economical with NetFlow usage-based billing
Flow-Based Analysis
Seven Keys Define a Flow:
1. Source Address
2. Destination Address
3. Source Port
4. Destination Port
5. Layer 3 Protocol
6. TOS Byte (DSCP)
7. Input Interface
NetFlow Data Exported
NetFlow Data Record
• Source IP Address
• Destination IP Address
• Next Hop Address
• Source AS Number
• Dest. AS Number
• Source Prefix Mask
• Dest. Prefix Mask
• Input Interface Port
• Output Interface Port
• Type of Service
• TCP Flags
• Protocol
• Packet Count
• Byte Count
• Start Timestamp
• End Timestamp
• Source TCP/UDP Port
• Destination TCP/UDP Port
Usage
QoS
Time of Day
Application
Routing and Peering
Port Utilization
From/To
Configuring NetFlow in 12.0 code (partial command list)
Enable an interface for flow switching
ip route-cache flow
Set the export destination
ip flow-export destination <dest IP> <dest port>
ip flow-export version <1, 5> [origin-as | peer-as]
Set the version to 5; it is 1 by default.
Set the source address to use for export packets
ip flow-export source <interface>
The default is the IP address of the interface with the best route to the destination (collection device)
ip flow-cache feature-accelerate
show ip cache flow
• Router-Based Aggregation
ip flow-aggregation cache <name of the defined aggregation cache>
cache timeout active <number of minutes allowed for active flow to remain in flow cache> [15 minutes is the default]
sh ip cache flow aggregation <name of the defined aggregation cache>
export destination <ip address> <destination udp port> enable
NetFlow Infrastructure
Network Data Analyzer:
• Data Presentation
• NFC Control and Configuration
Partner Applications
NetFlow Accounting:
• Data Switching
• Data Export
• Data Aggregation
NetFlow FlowCollector:
• Data Collection
• Data Filtering
• Data Aggregation
• Data Storage
• File System Management
RMON Probe
Accounting/Billing
Network Planning
Platform Support in Cisco IOS® Release 12.0T and 12.0S
• Cisco GSR, 12.0(6)S
• Cisco MGX™ 8850/Cisco BPX 8650
• Cisco 7200/7500/uBR7200, Available Since 11.1CC/CA
• Cisco 1720
• Cisco 2500/2600
• Cisco 3600
• Cisco AS5300/5800
• Cisco 4500/4700
• Cisco 1400/1600
• Catalyst® 5000/6000 with NFFC
NetFlow FlowCollector
• Flow record reception
• Data volume reduction
Filtering
Aggregation
• Flat file, binary, and/or compressed file storage
• File cleanup
• Solaris and HP-UX
Applications
NetFlow FlowCollector
Network Data Analyzer
• Graphical display of NetFlow data
• Consumes from NetFlow FlowCollector(s)
• Time-based analysis and data sorting
• Configure routers and FlowCollectors
• Histograms, bar charts, and pie charts
• Spreadsheet data export
NetFlow FlowCollectors
NetFlow FlowAnalyzer
Applications
NetFlow Users
• E-commerce companies
• Large and medium enterprises
• ISPs of all sizes
• CLECs
• Service providers
Applications Mine NetFlow Data and Find:
• Who are my top N talkers? What percentage of traffic are they?
• How many users are on the network at any given time? When will upgrades affect the least number of users?
• How long do my users surf?
• Where do they go?
• Where did they come from?
• Are users staying within an acceptable usage policy (AUP)?
• Alarm on DoS attacks like smurf, fraggle, and SYN flood
Will watch for these attacks destined for anywhere or coming from anywhere!
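Two of the questions above, top N talkers and a SYN-flood alarm, answered from exported flow records in an added example (not from the original slides). The flow tuples are constructed, and the alarm thresholds are hypothetical values to be tuned per network.

```python
from collections import Counter, defaultdict

TCP, SYN = 6, 0x02

# Constructed flow records: (src_addr, dst_addr, protocol, tcp_flags, packets, bytes)
SAMPLE_FLOWS = (
    [("192.0.2.10", "198.51.100.7", TCP, 0x1B, 40, 30_000),
     ("192.0.2.11", "198.51.100.7", TCP, 0x1B, 25, 18_000),
     ("192.0.2.10", "198.51.100.9", 17, 0x00, 10, 2_000)]
    # 200 one-packet flows carrying only SYN, each from a different source
    + [(f"203.0.113.{i}", "198.51.100.80", TCP, SYN, 1, 40) for i in range(1, 201)]
)

def top_talkers(flows, n=3):
    """Top N sources by bytes, with each one's share of total traffic in percent."""
    per_src = Counter()
    for src, _dst, _proto, _flags, _pkts, octets in flows:
        per_src[src] += octets
    total = sum(per_src.values())
    return [(src, octets, round(100 * octets / total, 1))
            for src, octets in per_src.most_common(n)]

def syn_flood_suspects(flows, min_flows=100, min_ratio=0.9):
    """Destinations where most TCP flows never progressed past the initial SYN.

    The exported TCP flags field is the OR of every flag seen in the flow, so a
    value of exactly SYN means no ACK, FIN or RST was observed in that direction.
    """
    tcp_flows, syn_only = Counter(), Counter()
    sources = defaultdict(set)
    for src, dst, proto, flags, _pkts, _octets in flows:
        if proto != TCP:
            continue
        tcp_flows[dst] += 1
        if flags == SYN:
            syn_only[dst] += 1
            sources[dst].add(src)
    return {dst: {"syn_only": n, "tcp_flows": tcp_flows[dst],
                  "sources": len(sources[dst])}
            for dst, n in syn_only.items()
            if n >= min_flows and n / tcp_flows[dst] >= min_ratio}

if __name__ == "__main__":
    print(top_talkers(SAMPLE_FLOWS))
    print(syn_flood_suspects(SAMPLE_FLOWS))
```

A high count of distinct sources alongside SYN-only flows is consistent with spoofed source addresses, which is why the per-destination view is more useful here than the top-talker list.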
Used For Traffic Engineering and Capacity Planning
[Figure: pie chart, "Public Routers 1, 2, 3, Month of September: Outbound Traffic", shares by network (Uunet, Digex, Erols, BBN, AT&T and others)]
Web Hosting and ASP Users
• Up-sale opportunities
Larger and more servers needed
More bandwidth into location
• Sell value-added services
Marketing data
Usage-based billing
Use this Valuable Information:
IP Accounting/Billing
Many Different Flavors!
• Flat-rate billing doesn’t always scale
Competitive pricing models can be created with usage-based billing
• Usage-based billing considerations
Time of day
Within my network or off
Application
Distance-based
QoS/CoS
Bandwidth usage
Transit or peer
Data transferred
Traffic class (i.e. going through a secure tunnel, high-speed link, or special arrangement)
POP NetFlow Data Collection
Carrier A
Carrier Z
Network Core
Edge Aggregation
NFC
Access Devices: Head End, MUX, Customers, Routers???
Server Farm—Access Router
Carrier A
Carrier X
Server
NFC
Metered Service
Collector Can Be at Customer Site or POP Depending on POP Ownership/Co-Location Issues
On-net
Internet
Off-net
NFC
Road Map Direction
Charter
Built-in IP Accounting Mechanism
• MPLS support
• Multicast support
Recent Deliveries and Roadmap
• Scalability
Sampled NetFlow for GSR (Engine 0 and 1)
Minimum prefix
RBA/TOS support
• Availability
ifIndex persistence
Redundant data streams
• MPLS support
Phase 1 egress PE only and no label information provided
Phase 2, MPLS details—definition phase
12.0(11)S
12.0(11)S, 12.1(2)T
August EFT
12.1(2)T
12.0(11)S, 12.1(4)T
12.0(10)ST
Partnership
NetFlow Partners
Infrastructure
Mediation
Traffic Analysis
Billing
Consulting
* Bought by Amdocs
NetFlow Platform Support (Not Presented)
Cisco IOS™ Software Release Version | Supported NetFlow Export Version(s) | Supported Cisco Hardware Platforms
11.1CA, 11.1CC | v1, v5 | 7200, 7500, RSP7000
11.2, 11.2P | v1 | 7200, 7500, RSP7000
11.2P | v1 | Route Switch Module (RSM), 11.2(10)P and later
11.3, 11.3T | v1 | 7200, 7500, RSP7000
12.0 | v1, v5 | 1720, 2600, 3600, 4500, 4700, AS5800, 7200, uBR7200, 7500, RSP7000, RSM
12.0T, 12.0S | v1, v5 | 1720, 2600, 3600, 4500, 4700, AS5800, 7200, uBR7200, 7500, RSP7000, RSM, MGX 8800 RPM, BPX 8600
12.0(3)T and later, 12.0(3)S and later | v1, v5, v8 | 1400*, 1600*, 1720, 2500*, 2600, 3600, 4500, 4700, AS5800, AS5300**, 7200, uBR7200, 7500, RSP7000, RSM, MGX 8800 RPM, BPX 8650
12.04XE | v1, v5, v8 | 7100
N/A | v7 | Catalyst 5K NetFlow Feature Card (NFFC), Catalyst 6K with MSFC card
12.0(6)S | v8 | 12000
*Support for NetFlow Export v1, v5, and v8 on 1600 and 2500 platforms is targeted for Cisco IOS software release 12.0(5)T. NetFlow support for these platforms will not be available in the Cisco IOS 12.0 mainline release.
**Support for NetFlow Export v1, v5, and v8 on AS5300 platform is targeted for Cisco IOS software release 12.0(7)XR.