2013 10 03 NetFlow JiriTesar


NetFlow

Technology Overview
Jiří Tesař, CCIE #14558
Systems Engineering
[email protected]

Cisco Connect Club

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
•  Developed and patented at Cisco® Systems in 1996
•  NetFlow is the de facto standard for acquiring IP operational data
•  Provides network and security monitoring, network planning, traffic analysis, and IP accounting

Network World article – NetFlow Adoption on the Rise:
http://www.networkworld.com/newsletters/nsm/2005/0314nsm1.html

IETF Scope

[Diagram: NetFlow v5, NetFlow v8, NetFlow v9 and IPFIX; Metering Process → Export Process; use cases: Capacity Planning, Security, Performance Analysis, Visibility]

Monitoring Feature: Traditional NetFlow | Flexible NetFlow | MMON | ART (needed by AVC)
Export Protocol: NetFlow Version 5 | NetFlow Version 9 | IPFIX

Version | Major Advantage | Limits/Weaknesses

V5
  Advantages: Defines 18 exported fields; Simple and compact format; Most commonly used format
  Limits: IPv4 only; Fixed fields, fixed length fields only; Single flow cache

V9
  Advantages: Template-based; IPv6 flows transported in IPv4 packets; MPLS and BGP nexthop supported; Defines 104 fields, including L2 fields; Reports flow direction
  Limits: IPv6 flows transported in IPv4 packets; Fixed length fields only; Uses more memory; Slower performance; Single flow cache

Flexible NetFlow (FNF)
  Advantages: Template-based flow format (built on V9 protocol); Supports flow monitors (discrete caches); Supports selectable key fields and IPv6; Supports NBAR data fields
  Limits: Less common; Requires more sophisticated platform to produce; Requires more sophisticated system to consume

IP Flow Information Export (IPFIX), AKA NetFlow V10
  Advantages: Standardized – RFC 5101, 5102, 6313; Supports variable length fields, NBAR2; Can export flows via IPv4 and IPv6 packets
  Limits: Even less common; Only supported on a few Cisco platforms

NSEL (ASA only)
  Advantages: Built on NetFlow v9 protocol; State-based flow logging (context); Pre and Post NAT reporting
  Limits: Missing many standard fields; Limited support by collectors

NetFlow v9 160+ fields to choose from including IPv6 and payload sections

NetFlow Enabled Device

[Diagram] Traffic → Inspect Packet → Create a flow from the packet attributes → NetFlow Cache → NetFlow Export Packets → Cisco NetFlow Collector → Reporting

Packet attributes inspected:
•  Source IP address
•  Destination IP address
•  Source port
•  Destination port
•  Layer 3 protocol
•  TOS byte (DSCP)
•  Input Interface

NetFlow Cache (example entry):
Flow Information  Packets  Bytes/packet
Address, ports…   11000    1528
•  Key fields are unique per flow
•  Non-key fields are attributes or characteristics of a flow
•  If packet key fields are unique, a new entry in the flow record is created
•  Otherwise, update the non-key fields, i.e. packet count

Packet 1 – Key Fields: Source IP 1.1.1.1, Destination IP 2.2.2.2, Source port 23, Destination port 22078, Layer 3 Protocol TCP - 6, TOS Byte 0; Non-key Fields: Length 1250
Packet 2 – Key Fields: Source IP 3.3.3.3, Destination IP 4.4.4.4, Source port 80, Destination port 22079, Layer 3 Protocol TCP - 6, TOS Byte 0; Non-key Fields: Length 519

NetFlow Cache After Packet 1
Source IP  Dest. IP  Dest. I/F  Protocol  TOS  …  Pkts
1.1.1.1    2.2.2.2   E1         6         0    …  11000

NetFlow Cache After Packet 2
Source IP  Dest. IP  Dest. I/F  Protocol  TOS  …  Pkts
3.3.3.3    4.4.4.4   E1         6         0    …  50
1.1.1.1    2.2.2.2   E1         6         0    …  11000

1. Create and update flows in NetFlow cache

SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol  TOS  Flgs  Pkts   SrcPort  SrcMsk  SrcAS  DstPort  DstMsk  DstAS  NextHop    Bytes/Pkt  Active  Idle
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11        80   10    11000  00A2     /24     5      00A2     /24     15     10.0.23.2  1528       1745    4
Fa1/0  173.100.3.2   Fa0/0  10.0.227.12  6         40   0     2491   15       /26     196    15       /24     15     10.0.23.2  740        41.5    1
Fa1/0  173.100.20.2  Fa0/0  10.0.227.12  11        80   10    10000  00A1     /24     180    00A1     /24     15     10.0.23.2  1428       1145.5  3
Fa1/0  173.100.6.2   Fa0/0  10.0.227.12  6         40   0     2210   19       /30     180    19       /24     15     10.0.23.2  1040       24.5    14

2. Expiration
•  Inactive timer expired (15 sec is default)
•  Active timer expired (30 min (1800 sec) is default)
•  NetFlow cache is full (oldest flows are expired)
•  RST or FIN TCP flag

Expired flow:
SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol  TOS  Flgs  Pkts   SrcPort  SrcMsk  SrcAS  DstPort  DstMsk  DstAS  NextHop    Bytes/Pkt  Active  Idle
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11        80   10    11000  00A2     /24     5      00A2     /24     15     10.0.23.2  1528       1800    4

3. Aggregation (e.g. protocol-port aggregation)
Protocol  Pkts   SrcPort  DstPort  Bytes/Pkt
11        11000  00A2     00A2     1528

4. Export version
•  Non-aggregated flows: export Version 5 or 9
•  Aggregated flows: export Version 8 or 9

5. Transport protocol
Export packet = Header + Export Payload (flows); 30 flows per 1500 byte export packet

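The cache lifecycle of the two preceding slides (key fields identify a flow, non-key fields are updated per packet, entries expire on the inactive timer, the active timer, a full cache, or a TCP RST/FIN), as an added software model that is not from the slides; the timer values are the slide defaults, the `Packet` and `Flow` field names and the cache size are assumptions made here.

```python
# Added example (not from the slides): a minimal software model of the NetFlow
# cache. Key fields identify a flow; non-key fields are updated on every
# matching packet; entries expire on the inactive timer, the active timer, a
# full cache, or a TCP RST/FIN. Timer values are the slide defaults.
from dataclasses import dataclass

INACTIVE_TIMEOUT = 15       # seconds, slide default
ACTIVE_TIMEOUT = 1800       # seconds (30 min), slide default
TCP_FIN, TCP_RST = 0x01, 0x04

@dataclass
class Packet:               # field names are assumptions of this example
    ts: float
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    tos: int
    in_if: str
    length: int
    tcp_flags: int = 0

@dataclass
class Flow:
    key: tuple              # the seven key fields from the slide
    first: float            # first packet time (drives the active timer)
    last: float             # last packet time (drives the inactive timer)
    pkts: int = 0           # non-key fields below
    bytes: int = 0
    flags: int = 0

class FlowCache:
    def __init__(self, max_flows=4):
        self.max_flows = max_flows
        self.cache = {}          # key -> Flow
        self.expired = []        # (reason, Flow) handed to the export process

    def add(self, pkt):
        key = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port,
               pkt.proto, pkt.tos, pkt.in_if)
        flow = self.cache.get(key)
        if flow is None:
            if len(self.cache) >= self.max_flows:      # cache full: expire the oldest
                oldest = min(self.cache.values(), key=lambda f: f.last)
                self._expire(oldest.key, "cache full")
            flow = self.cache[key] = Flow(key, pkt.ts, pkt.ts)
        flow.last = pkt.ts                              # otherwise: update non-key fields
        flow.pkts += 1
        flow.bytes += pkt.length
        flow.flags |= pkt.tcp_flags
        if pkt.proto == 6 and pkt.tcp_flags & (TCP_FIN | TCP_RST):
            self._expire(key, "RST/FIN")
        return flow

    def tick(self, now):
        """Run the timer checks the device performs periodically."""
        for key, flow in list(self.cache.items()):
            if now - flow.last >= INACTIVE_TIMEOUT:
                self._expire(key, "inactive timer")
            elif now - flow.first >= ACTIVE_TIMEOUT:
                self._expire(key, "active timer")

    def _expire(self, key, reason):
        self.expired.append((reason, self.cache.pop(key)))
```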
Traffic → Flow Monitor 1 and Flow Monitor 2

Flow Monitor 1 (Packet 1)
Key Fields: Source IP 3.3.3.3, Destination IP 2.2.2.2, Source Port 23, Destination Port 22078, Layer 3 Protocol TCP - 6, TOS Byte 0, Input Interface Ethernet 0
Non-Key Fields: Packets, Bytes, Timestamps, Next Hop Address

Flow Monitor 2 (Packet 1)
Key Fields: Source IP 3.3.3.3, Destination IP 2.2.2.2, Input Interface Gi0/1, SYN Flag 0
Non-Key Fields: Packets, Timestamps

Traffic Analysis Cache
Source IP  Dest. IP  Source Port  Dest. Port  Protocol  TOS  Input I/F  …  Pkts
3.3.3.3    2.2.2.2   23           22078       6         0    E0         …  1100

Security Analysis Cache
Source IP  Dest. IP  Input I/F  Flag  …  Pkts
3.3.3.3    2.2.2.2   Gi0/1      0     …  11000

RFC3954 – NetFlow v9 / IPFIX

Packet Header | FlowSet (Template) | FlowSet (Data) | FlowSet (Data) | FlowSet (Template) | FlowSet (Data)

•  The NetFlow v9 Exporter sends packets to Collectors
•  There are “Template FlowSets”, which define the following data formats by a set of Field Types and their lengths, and “Data FlowSets”, which are sets of actual statistics data
•  The NetFlow v9 Exporter sends Templates separately (and less frequently) than data sets
•  There is another set of Template/Data FlowSets called “Option Template/Data FlowSets”, by which an Exporter can send a Collector meta-data related to the NetFlow process and so on.

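The packet layout described above, as an added example that is not from the slides: a small collector-side decoder for the RFC 3954 packet header, Template FlowSet (ID 0) and Data FlowSet (ID ≥ 256), plus a constructed sample packet; the field type numbers are the RFC 3954 ones, while the class and function names and the sample values are assumptions of this example.

```python
# Added example (not from the slides): a small NetFlow v9 decoder following the
# RFC 3954 layout. A Template FlowSet (ID 0) declares field types and lengths;
# a Data FlowSet (ID >= 256) is decoded only once its template has been seen,
# which is why exporters resend templates periodically.
import struct
import ipaddress

# RFC 3954 field type numbers used by the constructed sample below.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

def decode_value(ftype, raw):
    if ftype in (8, 12):
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")

class V9Collector:
    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(type, length), ...]
        self.records = []
        self.pending = 0      # data flowsets received before their template

    def feed(self, packet):
        """Decode one export packet; returns its sequence number."""
        version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        off = 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            if fs_len < 4:
                break                                   # malformed FlowSet header
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:
                self._parse_templates(source_id, body)
            elif fs_id >= 256:
                self._parse_data(source_id, fs_id, body)
            off += fs_len                               # fs_len includes the 4-byte header
        return seq

    def _parse_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(nfields)]
            self.templates[(source_id, tid)] = fields   # templates are scoped per source id
            off += 4 * nfields

    def _parse_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.pending += 1                           # cannot decode without the template
            return
        rec_len = sum(length for _, length in fields)
        off = 0
        while off + rec_len <= len(body):               # trailing bytes are padding
            rec, pos = {}, off
            for ftype, length in fields:
                rec[FIELD_NAMES.get(ftype, f"type_{ftype}")] = decode_value(ftype, body[pos:pos + length])
                pos += length
            self.records.append(rec)
            off += rec_len

def build_sample():
    """Constructed sample packet: one template (ID 256) and a Data FlowSet with two flows."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    def flow(src, dst, sp, dp, proto, pkts, byts):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBII", sp, dp, proto, pkts, byts))
    data = flow("1.1.1.1", "2.2.2.2", 23, 22078, 6, 11000, 13750) + flow("3.3.3.3", "4.4.4.4", 80, 22079, 6, 50, 25950)
    pad = (-len(data)) % 4                              # Data FlowSets are padded to 4 bytes
    data_fs = struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\x00" * pad
    header = struct.pack("!HHIIII", 9, 3, 123456, 1349251200, 1, 42)   # count: 1 template + 2 records
    return header + template_fs + data_fs
```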
[Diagram] Interface with Monitors “A”, “B” and “C”; Records “X”, “Y” and “Z”; Exporters “M” and “N”

•  A single record per monitor
•  Potentially multiple monitors per interface
•  Potentially multiple exporters per monitor

Different Flow Monitors for detecting different information (ISP, Branch, WAN, Data Center, Campus):

Peering Flows: Dest. AS, Dest. Traffic Index, BGP Next Hop, DSCP
IP Flows: IP Subnets, Ports, Protocol, Interfaces, Egress/Ingress
Multicast Flows: Protocol, Ports, IP Subnets, Packet Replication
Security Flows: IP Addresses, Ports, Protocol, TCP Flags, Packet Section

Service Provider
•  Network Infrastructure Optimization and Planning
•  Peering Arrangements
•  Traffic Engineering
•  Accounting and Billing
•  Security Monitoring and Incident (DDoS) Detection

Data at ANY granularity to understand network use: who, what, where, when and how

Enterprise
•  Internet Access Monitoring
•  User Monitoring/Profiling
•  Application Monitoring
•  Billing for Departments
•  Security Monitoring and Incident (DDoS) Detection

Data at ANY granularity to understand network use: who, what, where, when and how
[Diagram] Building blocks: Performance Agent, PfR, Performance Monitoring, CEF, QoS, DPI, Metadata

NetFlow (L2, L3, L4) | Application Id (Extracted Field) | QoS Classification, QoS Treatment | Forwarding Status | Performance Metrics

Questions answered: Which applications are running in my network? Do applications get the right QoS treatment? Do applications get the right service from the network?

Integration of NetFlow and NBAR

Packet layout: Link Layer Header → IP Header (ToS, Protocol, Source IP Address, Destination IP Address) → TCP/UDP Header (Source Port, Destination Port) → Data Packet (Payload)

NetFlow
✓  Monitors data in Layers 2 thru 4
✓  Determines applications by combination of Port or Port/IP Address
✓  Flow information: who, what, when, where

NBAR (Deep Packet Inspection)
✓  Examines data from Layers 3 thru 7
✓  Utilizes Layers 3 and 4 plus packet inspection for classification
✓  Stateful inspection of dynamic-port traffic
✓  Packet and byte counts

New in 15.0(1)M / IOS XE 3.1S

flow record app_record
 match ipv4 source address
 match ipv4 destination address
 match …..
 match application name

Packet #1 – Key Fields: Source IP 10.1.1.1, Destination IP 173.194.34.134, Source Port 20457, Destination Port 23, Layer 3 protocol 6, TOS byte 0, Ingress Interface Ethernet 0
Packet #2 – Key Fields: Source IP 10.1.1.1, Destination IP 72.163.4.161, Source Port 30307, Destination Port 80, Layer 3 protocol 6, TOS byte 0, Ingress Interface Ethernet 0

NetFlow cache
Src. IP   Dest. IP        Src. Port  Dest. Port  Layer 3 Prot.  TOS Byte  Ingress Intf.  App Name  Timestamps  Bytes  Packets
10.1.1.1  173.194.34.134  20457      80          6              0         Ethernet 0
10.1.1.1  173.194.34.134  20457      80          6              0         Ethernet 0     HTTP
10.1.1.1  72.163.4.161    30307      80          6              0         Ethernet 0     Youtube

The first packet of a flow creates the flow entry using the key fields; remaining packets of this flow only update statistics (bytes, counters, timestamps).
•  Top Talkers enable users to aggregate on a subset of the key and non-key fields
•  Top Talkers enable users to select flows based on specific values for any fields
•  Top Talkers enable users to control how the displayed cache entries are sorted on any field and shown in order or reverse order

Top Talkers provide quick, easy, and granular traffic analysis in real time by displaying a subset of the flow monitor cache.

# show flow monitor <monitor>
SrcIPadd    DstIPadd      TOS   pkts  bytes
10.1.0.5    172.16.10.19  0x00  1     64
10.1.0.5    172.16.0.20   0x00  10    800
10.1.0.95   172.16.10.19  0x00  200   16000
10.1.0.34   172.16.10.4   0x0   100   4500
10.1.0.121  172.16.10.4   0x00  1     64
10.1.0.333  172.16.10.2   0x00  367   23488
10.1.0.100  172.16.0.2    0x00  111   7104
10.1.0.121  172.16.10.21  0x00  5     350
10.1.0.34   172.16.10.2   0x00  35    200
10.1.0.95   172.16.10.2   0x00  30    200

§  Top 4 IPv4 destinations sorted by number of bytes:
Switch# show flow monitor <monitor> aggregate ipv4 destination address sort counter bytes top 4
DesIPadd      flows  bytes    pkts
172.16.10.2   12     1358370  6708
172.16.10.19  2      44640    1116
172.16.10.20  2      44640    1116
172.16.10.4   1      22360    559

§  Top 5 sources of 1-packet flows:
Switch# show flow monitor <monitor> cache filter counter packet 1 aggregate ipv4 source address sort highest flow packet top 5
SrcIPadd    flows  bytes  pkts
10.1.0.5    135    8640   135
10.1.0.100  100    6400   100
10.1.0.95   95     6080   95
10.1.0.121  80     5120   80
10.1.0.34   79     5056   79

Benefits and Applications
•  Security – See if traffic patterns are consistent with a DoS or other undesirable behavior
•  Traffic load – Identify heavily used parts of the network so you can redistribute load accordingly
•  Traffic analysis – Baseline network traffic for capacity planning and network engineering
•  Granularity – Flow information displayed per monitor and per interface (port or VLAN)
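The two Top Talkers queries above (aggregate destinations by bytes; filter 1-packet flows and aggregate their sources), as an added example that is not from the slides, written as one general routine (filter, aggregate on a field, sort by a counter, keep the top N) over an in-memory cache; the sample rows are constructed here and the function names are assumptions of this example.

```python
# Added example (not from the slides): the two Top Talkers queries as one
# general routine over an in-memory flow monitor cache: optional filter,
# aggregate on a key field, sum the counters, sort by one counter, keep top N.
from collections import defaultdict

# Constructed sample cache (not the slide's data): one source, 10.1.0.5, is
# producing many single-packet flows, the pattern the second query surfaces.
CACHE = [
    {"src": "10.1.0.5",   "dst": "172.16.10.19", "pkts": 1,   "bytes": 64},
    {"src": "10.1.0.5",   "dst": "172.16.10.20", "pkts": 1,   "bytes": 64},
    {"src": "10.1.0.5",   "dst": "172.16.10.21", "pkts": 1,   "bytes": 64},
    {"src": "10.1.0.95",  "dst": "172.16.10.19", "pkts": 200, "bytes": 16000},
    {"src": "10.1.0.34",  "dst": "172.16.10.4",  "pkts": 100, "bytes": 4500},
    {"src": "10.1.0.121", "dst": "172.16.10.4",  "pkts": 1,   "bytes": 64},
    {"src": "10.1.0.100", "dst": "172.16.10.2",  "pkts": 111, "bytes": 7104},
    {"src": "10.1.0.34",  "dst": "172.16.10.2",  "pkts": 35,  "bytes": 2000},
]

def query(rows, aggregate, sort_by, top, flt=None):
    """Return [(key, flows, bytes, pkts), ...] like the switch's aggregate output."""
    agg = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0})
    for r in rows:
        if flt is not None and not flt(r):
            continue                      # 'filter counter packet 1' step
        a = agg[r[aggregate]]             # 'aggregate ipv4 ... address' step
        a["flows"] += 1
        a["pkts"] += r["pkts"]
        a["bytes"] += r["bytes"]
    ranked = sorted(agg.items(), key=lambda kv: kv[1][sort_by], reverse=True)
    return [(k, v["flows"], v["bytes"], v["pkts"]) for k, v in ranked[:top]]

def top_destinations_by_bytes(rows, top=4):
    # show flow monitor <monitor> aggregate ipv4 destination address sort counter bytes top 4
    return query(rows, "dst", "bytes", top)

def top_sources_of_single_packet_flows(rows, top=5):
    # show flow monitor <monitor> cache filter counter packet 1
    #   aggregate ipv4 source address sort highest flow packet top 5
    return query(rows, "src", "flows", top, flt=lambda r: r["pkts"] == 1)

if __name__ == "__main__":
    for row in top_destinations_by_bytes(CACHE):
        print("%-14s flows=%d bytes=%d pkts=%d" % row)
    for row in top_sources_of_single_packet_flows(CACHE):
        print("%-14s flows=%d bytes=%d pkts=%d" % row)
```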
•  Quick – Example I: Malformed Packets Detection & Reporting
Instant, on-board traffic anomaly detection and reaction. An attacker sending malformed packets with TTL = 0 triggers an EEM event; a syslog message is generated based on pre-configured policies.

NetFlow cache
srcIf  SrcIPadd   DstIf  DstIPadd    TTL
Fa1/0  173.1.1.2  Fa0/0  10.0.277.1  0
Fa1/0  173.1.1.2  Fa0/0  10.0.277.1  10
Fa1/0  173.1.1.2  Fa0/0  10.0.277.1  200

*MAR 29 2010 12:29:02.604 UTC: %HA_EM-6-LOG: my-ttl-applet: flow record with zero TTL

•  Detailed – Granular view of flow info enables a wide range of applications

•  Flexible – Example II: Anomaly Flow Detection and Mitigation
Custom policies written in CLI or TCL. A compromised phone sends traffic at a high rate; the NetFlow ED triggers policies to monitor the flow rate. Typically, voice conversations are 64kbps; interface Fa1/0 is shut down when the flow rate exceeds 1Mbps.

NetFlow cache
srcIf  SrcIPadd   DstIf  DstIPadd    bytes
Fa1/0  173.1.1.2  Fa0/0  10.0.277.1  34346
Fa1/0  173.1.1.2  Fa0/0  10.0.277.1  300
Fa1/0  173.1.1.2  Fa0/0  10.0.277.1  1000

*Feb 18 01:24:30.455: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down

•  Event-driven – NF event detector triggers policies locally on network devices instead

[Diagram] StealthWatch Management Console; Reputation Feed (optional); StealthWatch Labs Information Center; other tools/collectors; Cisco ISE; StealthWatch FlowReplicator; StealthWatch FlowCollector; StealthWatch FlowSensor and FlowSensor VE; Users/Devices; Cisco Network sending NetFlow, NBAR and NSEL data
Who is 10.10.101.89?

Policy: Desktops & Trusted Wireless | Start Active Time: Jan 3, 2013 | Alarm: Suspect Data Loss | Source: 10.10.101.89 | Source Host Groups: Atlanta, Desktops | Target: Multiple Hosts | Details: Observed 5.33G bytes. Policy maximum allows up to 500M bytes.

Policy: Desktops & Trusted Wireless | Start Active Time: Jan 3, 2013 | Alarm: Suspect Data Loss | Source: 10.10.101.89 | Source Host Groups: Atlanta, Desktops | Source User Name: John Chambers | Device Type: Apple-iPad | Target: Multiple Hosts

•  Flow Action field can provide additional context
•  State-based NSEL reporting is taken into consideration in StealthWatch’s behavioral analysis
•  Concern Index points accumulated for Flow Denied events
•  NAT stitching

•  NetFlow is a mature Cisco IOS feature (in Cisco IOS since 1996)
•  NetFlow provides input for accounting, performance, security, application visibility, and billing applications
•  Cisco standardizes on NetFlow/IPFIX: NetFlow 9 and Flexible NetFlow
   Consistency across many devices, including in hardware now
   NetFlow v9 eases the exporting of additional fields
   Flexible NetFlow is a major enhancement
•  NetFlow is deployable today!
•  NetFlow has IETF and industry leadership

TNF = Traditional (Non-Flexible) NetFlow and FNF = Flexible NetFlow

[Platform support diagram]
Enterprise & aggregation/edge (Cisco IOS Software Release 12.2S): Cisco 4500 (Sup7 / <= Sup5), Cisco 7x00 Series, ASR1000 (QFP based, FNF), Catalyst 6K Sup2T (FNF), Catalyst 6K < Sup2T ASIC (TNF; NO FNF support, hardware limitation), 7600 Series
Core (Release 12.0S/IOS-XR): Cisco 12000, ASR9000, CRS-1, CRS-3
Access (Cisco IOS Software Releases): Cisco 800, 1800, 1900, 2800, 2900, 3800, 3900 Series (TNF, FNF), Catalyst 29xx, Catalyst 3750 (NO FNF support, hardware limitation), Catalyst 3750X, Next Gen Cat3K (FNF)
DataCenter: Cisco 7200/7300 Series, ASR1000 (QFP based), Cat 6K Sup2T, Nexus 7000, Nexus 1000V (FNF)

For Your Reference

•  System Scalability. Up to ~512K (with 99% utilization efficiency) cached flows for Forwarding Engine. Per direction, per DFC => 13 million flow entries
•  Sampled NetFlow. Effective hardware-based sampling to improve and preserve NetFlow table utilization
•  Ingress & Egress NetFlow. Useful for example to track packets de-capsulated after tunneling mechanisms
•  Per Interface or Sub-Interface activation
•  Bridged NetFlow. Capability of creating and tracking bridged IP flows
•  TCP Flags are now exported as part of the flow information. Very useful to understand TCP flow directions and to detect denial of service attacks
•  IPv4, IPv6 and Layer 2 Flows support
•  Export version 5 (the most used) and export version 9 (the most flexible) are both supported
•  VRF aware export
•  Hitless ISSU

For Your Reference

•  System Scalability. Up to ~1M cached flows for Forwarding Engine, in hardware
•  Sampled NetFlow. Effective hardware-based sampling
•  Ingress & Egress NetFlow
•  Per Interface or Sub-Interface activation
•  TCP Flags are now exported as part of the flow information. Very useful to understand TCP flow directions and to detect denial of service attacks
•  Hardware based Export: hardware acceleration for export
•  Export version 5 (the most used) and export version 9 (the most flexible) are both supported
•  IPv4, Application layer (NBAR) Flow support in XE 3.1.1S
•  VRF aware export
•  Hitless ISSU in IOS XE 3.2.0S

For Your Reference

•  System Scalability. Up to ~500K (with 95% utilization efficiency) cached flows for Forwarding Engine
•  Sampled NetFlow. Effective hardware-based sampling to improve and preserve NetFlow table utilization
•  Egress NetFlow. Useful for example to track packets de-capsulated after tunneling mechanisms
•  Per Interface or Sub-Interface activation
•  Bridged NetFlow. Capability of creating and tracking bridged IP flows
•  TCP Flags are now exported as part of the flow information. Very useful to understand TCP flow directions and to detect denial of service attacks
•  IPv4, IPv6 and Layer 2 Flows support
•  Export version 5 (the most used) and export version 9 (the most flexible) are both supported
•  VRF aware export
•  Hitless ISSU and process restartability
•  Flexible NetFlow CLI look & feel

For Your Reference

•  System Scalability. Up to ~128K cached flows
•  Sampled NetFlow. Effective hardware-based sampling to improve and preserve NetFlow table utilization
•  Ingress & Egress NetFlow, IPv4, IPv6 and Layer 2 Flows support
•  Per Interface, Sub-Interface or VLAN activation
•  Bridged NetFlow. Capability of creating and tracking bridged IP flows
•  TCP Flags are now exported as part of the flow information. Very useful to understand TCP flow directions and to detect denial of service attacks
•  Export version 5 (the most used) and export version 9 (the most flexible) are both supported
•  VRF aware export, Hitless ISSU
•  Note: on SUP2, NetFlow Lite: packet sampling + no caching, exported with IPFIX

For Your Reference – 3KX-SM-10G Service Module
Both full flow accounting and sampled NetFlow accounting are supported

•  System Scalability. Up to ~32K cached flows
•  Sampled NetFlow. Effective hardware-based sampling to improve and preserve NetFlow table utilization
•  Ingress & Egress NetFlow
•  Per Interface, Sub-Interface or VLAN activation
•  Bridged NetFlow. Capability of creating and tracking bridged IP flows
•  TCP Flags are now exported as part of the flow information. Very useful to understand TCP flow directions and to detect denial of service attacks
•  IPv4, IPv6 and Layer 2 Flows support
•  Export version 9
•  VRF aware export
•  3KX-SM-10G

For Your Reference

•  System Scalability. Up to ~1M cached flows per Line Card
•  Sampled NetFlow. Effective hardware-based sampling from 1:1 to 1:64K – 100kpps/LC (ingress + egress)
•  Ingress & Egress NetFlow
•  Per Interface or Sub-Interface support
•  TCP Flags. Very useful to understand TCP flow directions and to detect denial of service attacks
•  Export version 9 – 50K Flows/s export per LC
•  IPv4, IPv6, MPLS Flows support
•  VRF aware export
•  Hitless ISSU and process restartability
•  Flexible NetFlow: pre-defined aggregation only

NetFlow in Hardware on Catalyst 3850 (New Platform) – 15.0(1)EX
Both full flow accounting and sampled NetFlow accounting are supported
Feature set: IP Base or IP Services

•  System Scalability (IPv4 / IPv6 cached flows)
   WS-C3850-24: up to 24k / 12k cached flows
   WS-C3850-48: up to 48k / 24k cached flows
•  Sampled NetFlow. Effective hardware-based sampling to improve and preserve NetFlow table utilization
•  Ingress & Egress NetFlow
•  Per Interface activation, NetFlow support on all ports
•  Bridged NetFlow. Capability of creating and tracking bridged IP flows
•  Key Fields: IP address, MAC address, TOS, TCP Flags, and VLAN
•  IPv4, IPv6 and Layer 2 Flows support
•  Multicast Flow support
•  Export version 9
•  Dynamic top talker support
•  If stacked, individual stack members export their own NetFlow records directly to the Collector
NetFlow in Hardware on Catalyst 2960X/2960-XR (New Platform)
Sampled NetFlow accounting; Feature set: LAN Base or IP Lite

•  NetFlow-Lite is natively supported on all downlink and uplink ports
•  NetFlow-Lite uses sampled flows to provide statistics for network traffic accounting, network monitoring and network planning. A flow is created using a flow record, which defines the unique keys of the flow. NetFlow-Lite provides valuable information about network users and applications, peak usage times, and traffic routing.
•  NetFlow-Lite is supported on a Mixed Stack (stack of Cisco Catalyst 2960-S and 2960-X/XR series switches), but a NetFlow-Lite monitor can be attached only on Cisco Catalyst 2960-X/XR Series ports
•  Only NetFlow Version 9 is supported for the NetFlow exporter using the export-protocol command option.
•  16K NetFlow-Lite flows are supported
•  Only ingress flow monitors are supported
•  Flow monitors can be attached to physical interfaces and VLAN interfaces
•  Flow monitors can’t be attached to logical interfaces like EtherChannel or Layer 2 VLANs.

NetFlow in Hardware on Cat 5760 (New Platform) – 15.0(1)EX

•  System Scalability: IPv4 / IPv6 up to ~72K / 36k cached flows
•  Sampled NetFlow. Effective hardware-based sampling to improve and preserve NetFlow table utilization
•  Ingress & Egress NetFlow
•  Per Interface, SSID activation
•  Bridged NetFlow. Capability of creating and tracking bridged IP flows
•  Key Fields: IP address, MAC address, TOS, TCP Flags, security fields and VLAN
•  IPv4, IPv6 and Layer 2 Flows support
•  Multicast Flow support
•  Export version 9
•  Dynamic top talker support

•  NetFlow
   http://www.cisco.com/go/netflow
•  Cisco network accounting services – Comparison of Cisco NetFlow versus other available accounting technologies
   http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/nwact_wp.htm
•  Cisco IT case study
   http://business.cisco.com/prod/tree.taf%3Fasset_id=106882&IT=104252&public_view=true&kbns=1.html
•  A complete white paper
   http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/netflsol/nfwhite.htm
•  NetFlow product manager: Jean Charles Griviaud
   [email protected]

Thank you.
