Calling all Cisco Catalyst 3750s, where is your NetFlow?
Adam Powers
CTO, [email protected]
blog: netflowninjas.typepad.com email: [email protected]
Network Flow Collection
NetFlow Fields
src and dst IP
src and dst port
start time
end time
packet count
byte count
...
[Diagram labels: Internet; NetFlow Packets; StealthWatch Flow Collector]
NetFlow == Visibility
NetFlow Support
Nortel Networks
Cisco 3900
Juniper Networks
Cisco 800
Huawei Quidway
Cisco 2900
Cisco 1900
Cisco 7200 VXR
Cisco Nexus 7000
Cisco XR 12000
Cisco 2800
Cisco 7600
Cisco 1700
Cisco Catalyst 6500
Cisco 3750
Poll Question #1
The Layer-2 Visibility Problem
[Diagram labels: Catalyst 6500 (NetFlow Enabled); Catalyst 3750 (No NetFlow); FlowSensor (NetFlow Enabled); NetFlow; NetFlow Collector]
FlowSensor AE
Model     Capacity   Disk    Interfaces   List Price
AE-500    200 Mbps   ** AVAILABLE Q3-2010 **
AE-1000   1 Gbps     73GB    3 or 5       $6,995
AE-2000   2.5 Gbps   160GB   3 or 5       $12,995
AE-3000   5.0 Gbps   ** AVAILABLE Q2-2010 **
• Light-weight, cost-effective 1U network appliance
• Collects Ethernet frames and exports NetFlow v9
• Monitor up to (5) 3750s simultaneously
• Works with any NetFlow v9 capable flow collector
[Diagram labels: FlowSensor; NetFlow; StealthWatch Flow Collector]
Works with any NetFlow v9 collector!
• 1,000,000 record cache size >> dynamically expands with increased load
• 60 second active timeout, 15 second inactive >> follows Cisco IOS rules for aging
• Very similar to Cisco’s NetFlow v9 >> see equivalent IOS config below
• IPv6 aware >> your collector must be IPv6 capable
• VLAN aware >> export VLAN tags in NetFlow
Cisco Flexible NetFlow Equivalent:
!
flow record lancope_template
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect ipv4 dscp
 collect ipv4 ttl minimum
 collect ipv4 ttl maximum
 collect ipv4 section header size 60
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
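How the 60 second active and 15 second inactive timeouts shape the records a collector receives, as an added example that is not from the original slides and is not Lancope or Cisco code: a simplified Python model of a flow cache keyed on the match fields of the lancope_template flow record. The class and function names, the constructed sample packets, and the choice to start a fresh record with the packet that trips the active timeout are assumptions.

```python
from dataclasses import dataclass

ACTIVE_TIMEOUT, INACTIVE_TIMEOUT = 60, 15  # seconds, from the slide

@dataclass
class Flow:  # a subset of the "collect" fields
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0

class FlowCache:
    """Hypothetical model: one record per unique tuple of "match" fields."""
    def __init__(self):
        self.flows = {}      # key tuple -> Flow still in the cache
        self.exported = []   # (reason, key, Flow) handed to the exporter

    def expire(self, now):
        """Export flows idle for 15 s or open for 60 s as of time `now`."""
        for key, f in list(self.flows.items()):
            if now - f.last >= INACTIVE_TIMEOUT:
                reason = "inactive"
            elif now - f.first >= ACTIVE_TIMEOUT:
                reason = "active"
            else:
                continue
            self.exported.append((reason, key, self.flows.pop(key)))

    def observe(self, ts, key, length, tcp_flags=0):
        """Account one packet; key = (tos, proto, src, dst, sport, dport, in_if)."""
        self.expire(ts)
        f = self.flows.setdefault(key, Flow(first=ts, last=ts))
        f.last = ts
        f.packets += 1
        f.octets += length
        f.tcp_flags |= tcp_flags  # cumulative OR of every flag seen

def demo():
    """Constructed traffic: a long-lived TCP session and a single DNS query."""
    cache = FlowCache()
    web = (0, 6, "10.0.0.5", "192.0.2.10", 5749, 80, 1)
    dns = (0, 17, "10.0.0.5", "192.0.2.53", 40000, 53, 1)
    cache.observe(0, web, 60, tcp_flags=0x02)        # SYN
    cache.observe(1, dns, 72)
    for t in range(10, 70, 10):                      # t = 10..60, never idle 15 s
        cache.observe(t, web, 1500, tcp_flags=0x10)  # ACK
    cache.expire(100)                                # age out what remains
    return [(r, k[5], f.packets, f.octets) for r, k, f in cache.exported]
```

The single TCP session reaches the collector as two records, one cut by the active timeout and one by the inactive timeout, so session duration and byte totals are only correct after records with the same key are stitched together.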
Works Best with Lancope’s Collector
SRCIP  DSTIP  PROTO  DPORT  SPORT  PKTS  BYTES   RTT   SRT    ...
              TCP    80     5749   73    9,092   65ms  230ms  ...
              TCP    5749   80     103   78,020  65ms  230ms  ...
RTT: round trip time across the network, same as “ping” output
SRT: time it takes the server to process a request
[Diagram labels: StealthWatch FlowSensor; SPAN]
Poll Question #2
Simple Web-UI for Local Status
Caching Per Capture Port
FlowSensor capture port SPAN interface
description
10G Monitoring with Stackable FlowSensors
[Diagram labels: 10G; Ethernet load balancer vendors...; 16x 1G; FlowSensor AE-2000 units at 2.5G each (2.5G, 5.0G, 7.5G, 10G); NetFlow; StealthWatch Flow Collector]
FlowSensor VE (Virtual Edition)
• Captures and records all VM2VM communications within the virtual network environment
• Lightweight, virtual appliance for VMware ESX 3.5 and 4.0
• Exports NetFlow v9 from within the VMware ESX host
• FREE to download and try (visit lancope.com to register and download)
[Diagram labels: VMware Server; NetFlow; StealthWatch Flow Collector]
StealthWatch NetFlow Replicator
• Dedicated NetFlow replication appliance
• Designed to copy and redistribute flows of NetFlow packets based on a rule-set that you define
• Original UDP source IP and payload is preserved
• Simple, easy to configure, web-based, 1U network appliance
• “Promiscuous Mode” allows installation without changing NetFlow export IPs
• Search “Replicator” on NetFlow Ninjas blog for more info
http://netflowninjas.typepad.com/blog/2009/09/stealthwatch-flow-replicator-holy-cow-this-thing-is-popular.html
[Diagram labels: StealthWatch Flow Replicator; NetFlow]
NetFlow 101 Boot Camp
22 New Cities in 2010!
Minneapolis, MN February 17, 2010
Atlanta, GA February 25, 2010
Hartford, CT March 11, 2010
Toronto, ON March 18, 2010
New York, NY April 1, 2010
Houston, TX April 8, 2010
Denver, CO April 15, 2010
Baltimore, MD May 13, 2010
Seattle, WA May 20, 2010
San Jose, CA June 3, 2010
Dallas, TX July 7, 2010
Washington DC July 22, 2010
Phoenix, AZ August 5, 2010
Chicago, IL August 12, 2010
Cleveland, OH August 19, 2010
San Francisco, CA September 2, 2010
Pittsburgh, PA September 16, 2010
Charlotte, NC September 30, 2010
Boston, MA October 7, 2010
Los Angeles, CA October 21, 2010
New York, NY November 11, 2010
Miami, FL December 9, 2010
Event site: http://lancope.com/news/events/netflowseminar.aspx
NetFlow Tools and Resources
White Paper: Bringing Enterprise-class Network Performance and Security Management Together using NetFlow
http://www.lancope.com/resource/downloads/NetFlow_WP.aspx
NetFlow Ninjas Blog http://netflowninjas.typepad.com/
LinkedIn NetFlow Ninja Discussion Group http://www.linkedin.com/groups?about=&gid=2261596&trk=anet_ug_grppro
NetFlow Bandwidth Calculator http://www.lancope.com/netflowcalculator.aspx
Contact [email protected] for additional info.