NetFlow
NetFlow is an important embedded Cisco IOS Software technology that provides visibility into network behavior and how network assets are being used. This section describes how both traditional and Flexible NetFlow can help the network manager understand the behavior of traffic in the network.
NetFlow Overview
Note | Some of the information in this section is derived from Authorized Self-Study Guide: Designing for Cisco Internetwork Solutions (DESGN), Second Edition, by Diane Teare, Cisco Press, 2007 (ISBN 1-58705-272-5). |
In 1996, Cisco developed and patented the Cisco IOS NetFlow measurement technology for measuring flows passing through Cisco devices. A network flow is a unidirectional sequence of packets between source and destination endpoints.
Note | NetFlow was originally implemented only on larger devices; it is now available on other devices, including Integrated Services Routers (ISR). |
NetFlow answers the questions of what, when, where, and how traffic is flowing in the network.
NetFlow data can be exported to network management applications for further processing of the collected information. Cisco IOS NetFlow-collected data is the basis for a key set of IP application services, including network traffic accounting, usage-based network billing, network planning, security, denial-of-service (DoS) monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing. NetFlow also provides the measurement base for QoS applications: It captures the traffic classification (or precedence) associated with each flow, thereby enabling differentiated charging based on QoS.
There are a variety of formats for exporting packets, called export versions. The most common is version 5, but version 9 is the latest format.
The focus of NetFlow used to be on IP flow information. This is changing with the Cisco implementation of NetFlow Version 9, a generic export transport format. NetFlow Version 9 is a flexible and extensible export format that is now on the Internet Engineering Task Force (IETF) standards track in the IP Flow Information Export (IPFIX) working group. IPFIX export is a new generic data transport capability within Cisco routers. It can be used to transport a variety of performance information from a router or switch, including Layer 2 information, security detection and identification information, IP Version 6 (IPv6), multicast, Multiprotocol Label Switching (MPLS), and Border Gateway Protocol (BGP) information, and so forth.
Note | Export versions are detailed in the “NetFlow Export Versions” section later in this chapter. |
Organizations use NetFlow in different ways, depending on the focus of the organization. Both service providers and enterprises use NetFlow to analyze new applications and their impact on the network. Understanding who is using the network and the endpoints of traffic flows is important for service providers for network planning and traffic engineering, and important to enterprises for monitoring network resources, users, and applications. For example, NetFlow data can be used to determine application ports for ACLs.
While a service provider is concerned about customer accounting and billing, enterprises may be concerned about charge-back billing for their departments. In addition, NetFlow can help organizations avoid costly bandwidth upgrades by identifying the applications causing congestion and thus help reduce peak WAN traffic.
Both types of organizations use NetFlow for security monitoring and troubleshooting the network. NetFlow can help in diagnosing slow network performance, determining bandwidth hogs, and providing bandwidth utilization in real time, and can be used to confirm that appropriate bandwidth has been allocated to each class of service (CoS). NetFlow can help detect unauthorized WAN traffic and support anomaly detection and worm diagnosis.
NetFlow Flows
Each packet forwarded within a router or switch is part of a flow. Flows are very granular; a flow is identified as the combination of the following seven key fields:
-
Source IP address: The address of the originator of the traffic
-
Destination IP address: The address of the intended recipient of the traffic
-
Source port number: The source application port number
-
Destination port number: The destination application port number
-
Layer 3 protocol field: The protocol field in the Layer 3 packet, indicating the Layer 4 protocol
-
Type of service (ToS) byte: The CoS, defined as IP precedence or differentiated services code point (DSCP)
-
Input interface: The interface through which the traffic is flowing
These seven key fields define a unique flow. Two packets in which only one of these key fields is different belong to different flows. NetFlow is scalable because it uses key attributes to determine a flow and therefore condenses large amounts of network information. NetFlow may also keep other fields, and keeps track of the number of packets and bytes per flow.
Cisco IOS Flexible NetFlow is the next-generation in NetFlow technology. Flexible NetFlow supports additional flexibility, scalability, and aggregation of flow data beyond traditional NetFlow. Flexible NetFlow is described in the “Flexible NetFlow” section later in this chapter.
Traditional NetFlow IP Flows
Key components of NetFlow are the NetFlow cache that stores IP flow information and the NetFlow export or transport mechanism that sends NetFlow data to a network management collector. NetFlow information can be accessed using either Cisco IOS show commands or by viewing the exported information on the NetFlow collector server.
Switching of packets is handled differently on NetFlow-enabled devices. Non-NetFlow-enabled switching handles incoming packets independently, with separate serial tasks for switching, security services (ACLs), and traffic measurements that are applied to each packet. In contrast, the NetFlow cache on NetFlow-enabled devices contains a flow record for all active flows and is built by processing only the first packet of a flow through the standard switching path. Subsequent packets in the flow are handled via a single, streamlined task that handles switching, security services, and data collection concurrently.
Each flow record in the NetFlow cache contains key fields that can be later used for exporting data to a collection device. NetFlow export, unlike SNMP polling, pushes information periodically to the NetFlow reporting collector. The NetFlow cache constantly fills with flows. Software in the router or switch searches the cache for flows that have terminated or expired and exports these flow records to the NetFlow management collector server. Figure 12-4 shows this process.
The flow cache information is also exported to a flow collector server periodically based on flow timers. The collector therefore contains a history of flow information switched within the Cisco device. Depending on the network topology and the location of the collector server, NetFlow may utilize noticeable bandwidth, but it is relatively efficient: approximately 1.5 percent of switched traffic volume is exported to the collector server.
NetFlow can be configured to only provide NetFlow data for a specific subset of traffic (using filters) or for only a sampling of traffic. (Note, however, that not all reporting tools support these options.) When these features are not configured, NetFlow provides information for every packet, resulting in a highly condensed and detailed view of all network traffic that entered the router or switch.
NetFlow Flow Record Creation
When packets arrive at a NetFlow-enabled router, the router inspects the seven key field values of the packets and compares the results to existing flows in the NetFlow cache. If the values are unique, NetFlow creates a new flow record in the cache. In both traditional and Flexible NetFlow, additional information defined in the nonkey fields, such as the outbound interface, is added to the NetFlow cache. These nonkey fields can also be exported but are not used to create or characterize the flows. Only the first packet of the flow is typically used to populate the nonkey fields.
In Figure 12-5, two unique flows are created in the NetFlow cache because the two input packets have different values in the source IP address key field.
Figure 12-5: A New Flow Record Is Created When a Packet Has Unique Values for Any of the Seven Key Fields
As an example, Figure 12-6 illustrates a few of the flows in the NetFlow cache on a router. The ToS field in all of these flows is zero because QoS is not yet implemented in this network. The highlighted line in the figure shows the one traffic flow between a specific source and destination pair of devices, 172.16.21.2 and 10.0.227.12.
Note | The abbreviations used in Figure 12-6, Figure 12-7, and Figure 12-8 are as follows:
|
Figure 12-7 shows the NetFlow cache on the same device after QoS is implemented in the network. The highlighted lines show the multiple flows resulting because of the multiple ToS values between the specific source and destination pair 172.16.21.2 and 10.0.227.12; traffic is distributed per class.
Analyzing traffic based on ToS can be useful for verifying that a QoS configuration is working and that bandwidth levels are set appropriately for the volume of traffic in each class.
NetFlow Cache Management
The key to NetFlow-enabled switching scalability and performance is highly intelligent flow cache management.
The NetFlow cache management software contains a highly sophisticated set of algorithms for efficiently determining whether a packet is part of an existing flow or should generate a new flow cache entry. The algorithms are also capable of dynamically updating the per-flow accounting measurements residing in the NetFlow cache and determining cache aging and flow expiration.
Figure 12-8 shows an example of NetFlow cache management.
Rules for expiring NetFlow cache entries include the following:
-
Flows that have been idle for a specified time (15 seconds by default) are expired and removed from the cache.
-
Long-lived flows are expired and removed from the cache. (Flows are not allowed to live more than 30 minutes—1800 seconds—by default; the underlying packet conversation remains undisturbed.)
-
As the cache becomes full, a number of heuristics are applied to aggressively age groups of flows simultaneously; the oldest flows are expired first.
-
TCP connections that have reached the end-of-byte stream (FIN) or that have been reset (RST) are expired.
Expired flows are grouped together into NetFlow export datagrams for export from the NetFlow-enabled device. NetFlow export datagrams may consist of up to 30 flow records for NetFlow Version 5 or 9 flow export.
NetFlow Export Versions
As mentioned earlier, there are various versions of NetFlow export formats.
The early versions of NetFlow export support statically defined fields, as follows:
-
Version 1 is the original export version.
-
Version 5 is the most common and adds BGP autonomous system data and flow sequencing information to the NetFlow data export (NDE) packets. NetFlow Version 5 is used with traditional NetFlow and is a fixed export format that exports a limited set of information.
-
Version 7 is supported on Cisco Catalyst 6500 series switches with a Multilayer Switch Feature Card (MSFC) running the Catalyst Operating System (CatOS) version 5.5(7) and later.
-
Version 8 supports on-router aggregation of NetFlow cache information and includes a choice of 11 aggregation schemes.
The latest generation of NetFlow export, version 9, supports dynamically defined fields without requiring a new NDE version. NetFlow version 9 is template based; routers send out a template with field IDs and lengths that define the subsequent NDE packets.
Although the most common format used is NetFlow export version 5, version 9 has some key technology advantages, such as security, traffic analysis, and multicast. However, some reporting tools may prefer the nonaggregated version 5 to version 9 because version 9 requires more complicated processing.
Flexible NetFlow
Cisco IOS Flexible NetFlow is the next-generation flow technology from Cisco.
Flexible NetFlow is an important technology available in Cisco devices to help with visibility into the network behavior and how network assets are being used. Flexible NetFlow is an improved NetFlow, bringing better scalability, aggregation of data, and user customization. Flexible NetFlow enhances the ability to detect security incidents and understand the behavior of traffic in the network beyond what is possible in other flow-based technologies.
Flexible NetFlow Overview
Fields in a flow record that are not key fields are called nonkey fields. Nonkey fields are added to the flow record in the NetFlow cache and exported. With Flexible NetFlow, these nonkey fields are user configurable. Examples of nonkey fields include flow timestamps, BGP next-hop addresses, and IP address subnet masks.
Flexible NetFlow uses the flexible and extensible NetFlow Version 9 export format, illustrated in Figure 12-9, to provide enhanced optimization of the network infrastructure, and improved capacity planning and security detection. A NetFlow Version 9 template is periodically sent to the NetFlow collector telling it what data to expect from the router or switch. The data records are then sent to the collector for analysis. Matching ID numbers are used to help associate templates to the data records.
The NetFlow Version 9 record format consists of a packet header followed by at least one or more FlowSets. A FlowSet is a generic term for a collection of records that follow the packet header in an export packet. There are both template and data FlowSets in NetFlow Version 9. An export packet contains one or more FlowSets, and both template and data FlowSets can be mixed within the same export packet. A template FlowSet provides a description of the fields that will be present in future data FlowSets that may occur later within the same export packet or in subsequent export packets.
Because NetFlow Version 9 is configurable and customizable, any data available in the device can theoretically be sent in NetFlow Version 9 format. The network manager can configure the key and nonkey fields that define flows.
Flexible NetFlow Advantages
The Flexible NetFlow model has several advantages over traditional NetFlow.
By flexibly targeting specific information, Flexible NetFlow reduces the amount of information and the number of flows being exported, allowing enhanced scalability and aggregation of data beyond traditional NetFlow.
Flexible NetFlow can monitor a wider range of packet information, allowing the tracking of information at Layer 2 for switching environments, at Layer 3 and 4 for IP information, and up to Layer 7 with deep packet inspection for application monitoring.
In Flexible NetFlow, nonkey fields are configurable by the user, and the user can select which key and nonkey fields define flows, providing customization and flexibility beyond traditional NetFlow.
Flexible NetFlow provides an architecture that can track multiple NetFlow applications simultaneously by using different flow monitors. A flow monitor describes the NetFlow cache—information stored in the cache—and contains the flow records—key and nonkey fields within the cache. The flow monitor also contains the flow exporter, which includes information about the export of NetFlow information, including the destination address of the NetFlow collector. The flow monitor includes various cache characteristics, including the timers for exporting, the size of the cache, and if required, the packet sampling rate. Users can create simultaneous separate flow monitors for security analysis and for traffic analysis.
Flexible NetFlow provides enhanced security detection and network troubleshooting by allowing customization of flow information. For example, a user can create a specific flow monitor to analyze a particular network issue or incident. Flexible NetFlow allows a customizable active timer (to track long-lasting flows, such as a download) for the cache that can be set as low as 1 second, compared to the traditional NetFlow minimum value of 60 seconds. This customizable timer aids in tracking security incidents where open or partial flows might be recorded (for example, a SYN flood attack), and provides real-time monitoring with immediate flow cache capabilities and long-term or permanent tracking of flow data.
NetFlow Collectors
A large number of NetFlow collectors are available—including Cisco, freeware, and third-party commercial products—to report and use NetFlow data. Many solutions are available for both Microsoft Windows and Linux operating systems.
Some reporting systems offer a two-tier architecture where collectors are placed near key sites in the network and aggregate and forward the data to a main reporting server. Other solutions use multiple distributed collectors, a central database, a management server, and a reporting server. Smaller deployments may have a single server for reporting and collection.
Note | For a list of Cisco partners and freeware NetFlow reporting tools, refer to the Cisco white paper “Introduction to Cisco IOS NetFlow—A Technical Overview,” at http://www.cisco.com/en/US/products/ps6601/products_white_paper0900aecd80406232.shtml. Links to Cisco NetFlow partners are also available on the “Cisco IOS NetFlow Introduction” page, at http://www.cisco.com/en/US/products/ps6601/products_ios_protocol_group_home.html. |
NetFlow Deployment
The key to managing the NetFlow data volume is careful planning. NetFlow should be deployed incrementally (for example, interface by interface) and strategically (on well-chosen routers) instead of pervasively on every interface on every router in the network. The network designer should determine key routers and key interfaces where NetFlow should be activated, based on the customer traffic flow patterns, the network topology and architecture, and the data required for planning, monitoring, and accounting applications.
NetFlow is typically deployed at a central site to characterize all traffic from remote sites.
The location where NetFlow is deployed depends on the location of the reporting solution and the topology of the network. If the reporting collection server is centrally located, implementing NetFlow close to the reporting collector server is optimal. NetFlow can also be enabled at remote-branch locations. In this case, a two-tier architecture solution may be appropriate, allowing remote aggregation of exported data to minimize WAN bandwidth utilization. NetFlow collection and export should be enabled on carefully selected interfaces to ensure that flows are not double-counted.
NetFlow is in general an ingress measurement technology and therefore should be deployed on appropriate interfaces on edge, aggregation, or WAN access routers to gain a comprehensive view of originating and terminating traffic to meet customer needs for accounting, monitoring, or network planning data.
Egress NetFlow accounting is available in newer releases of the Cisco IOS Software, including Release 12.3(11)T and later.
No comments:
Post a Comment