Scribd Logo
Upload

Welcome to Scribd!

  • Catalyst 4948E Netflow-Lite: © 2010 Cisco And/Or Its Affiliates. All Rights Reserved. 1

    Uploaded by

    Dayron Torres
    12 views23 pages
    6

    Original Title

    33634

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    6

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    12 views23 pages

    Catalyst 4948E Netflow-Lite: © 2010 Cisco And/Or Its Affiliates. All Rights Reserved. 1

    Uploaded by

    Dayron Torres
    6

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 23

    Catalyst 4948E NetFlow-lite

    © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
    Application Visibility in Data Center
    Why Application Visibility in Data
    Center
    Efficient Operation
    •What applications are consuming Si Si
    bandwidth
    •Who is using them
    •When they are being used
    •What activities are prevalent Si Si

    Visibility into the network & control


    End-user experience management
    Network and capacity planning
    Troubleshooting
    Network forensics

    Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2
    Introducing NetFlow-lite

    What is NetFlow-lite for?


    NetFlow-lite Traffic monitoring capability for east-
    Aggregator
    west & north-south L2/L3 traffic.
    Any NetFlow
    Collector Identify top talkers (applications,
    Si Si
    servers, hosts)
    Capacity planning thru insights of
    link/network utilization
    Si Si What does NetFlow-lite Provide?
    NetFlow-lite 1:N Up to 1:32 sampling on all 1G downlink &
    packet sampling
    10G uplink ports
    1:1 sampling on up to 2 downlink ports for
    troubleshooting
    Supported on L2/L3 ports, EtherChannel
    NetFlow v9 and IPFIX format
    NetFlow v9 or Optional packet section
    IPFIX export

    Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 3
    NetFlow-lite:
    Building upon the flexibility of Flexible NetFlow

    Flexible NetFlow NetFlow-lite

    More selection of flow keys* Packet sampling


    Metering User selection of flow keys +
    More selection of flow keys*
    Process User definition of flow records Packet packet Sampling
    length section rate

    Permanent cache
    Flow
    Normal cache Immediate cache
    Cache
    Immediate cache

    Exporting NetFlow version 9 or NetFlow version 9 or


    Process IPFIX IPFIX

    •NetFlow-lite exports new keys such as raw packet section & sampling rate

    Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 4
    NetFlow-lite: Metering Process

    Packet forwarding

    I-in-N samples (truncated)

    NetFlow-lite export packet header


    Other NetFlow-lite export (v9 or IPFIX)
    fields (sampled packet length, # of
    sampled packets, total # of packets
    observed)
    NetFlow-lite export packet

     Configurable sampling rate up to 1-in-32 on all 48 downlinks (1G) ad 4 uplinks (10G), AND 1-in-1
    sampling on up to 2 ports (1G only)
     Configurable packet sample length (export truncated packet section to conserve bandwidth)

    Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 5
    NetFlow-lite: Export Format
     Example: NetFlow-lite in NetFlow version 9 export Format
     Version 9 is based on template and separate flow records
    Templates composed of type and length Template 1
    Flow records composed of template ID and value

    Template FlowSet Data FlowSet


    H FlowSet ID #1
    E

    Sample packet size


    of packet sampled

    output
    Template Record

    packet observed

    Input interface
    Packet length

    packet section
    Template ID #1
    Sequence #

    Total

    Sampled
    D

    interface
    (Specific Field
    E Types and Lengths)
    R # of

    Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 6
    NetFlow-lite: Flow Cache

     There are 3 type of flow caches in Flexible NetFlow


    Normal Cache (traditional NetFlow)
    Permanent Cache
    Immediate Cache

     NetFlow-lite uses immediate cache


    Every packet creates a new flow
    Good for packet section export in version 9/IPFIX format

     Additional Reference:
    Cisco IOS Flexible NetFlow Technology White Paper
    (http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/p
    s6601/ps6965/prod_white_paper0900aecd804be1cc.html)

    Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 7
    NetFlow-lite vs. NetFlow
    Catalyst 4500/4900 Switches NetFlow-lite vs NetFlow Support:
    NetFlow-lite NetFlow (SupIV/V,
    (4948E, 4948E-F) SupV-10GE, Sup7-E)
    Technology Packet-based Flow-based
    Hardware FPGA-assist NetFlow ASIC
    Metering Method Sampling (configurable, Every packet accounted
    up to 1-in-32*) for
    Export format v5, v9, IPFIX** v5, v8, v9, IPFIX
    Flow Cache Immediate Cache Norman cache/immediate
    cache/permanent cache
    Ecosystem Easily integrate with any NetFlow collector
    NetFlow collector with
    NetFlow-lite Aggregator
    Platform Support 4948E, 4948E-F SupIV/V (with daughter
    card)
    SupV-10GE
    Sup7-E (Flexible NetFlow)
    * Supports 1-in-1 sampling for up to 2 ports for troubleshooting
    **Catalyst 4948E/4948E-F is the first Cisco products supporting IPFIX 8
    Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
    Data Center-wide Monitoring
    Integrating NetFlow-lite into Your Network
    Integrating NetFlow-lite into existing NetFlow architecture is easy:
     Work with existing collectors & back-end tools through NetFlow-lite Aggregators
     NetFlow-lite Aggregators and collectors can sit anywhere in the network, as long as L3
    reachable
     NetFlow-lite Aggregators are transparent to NetFlow collector (NetFlow collectors receive
    aggregated flow data as if it’s coming directly from the switch)
     NetFlow collector analyzes & correlates both NetFow and aggregated NetFlow-lite data

    Existing NetFlow Export


    NF NF
    Si Si
    Any NetFlow
    Collector
    NetFlow-lite
    Aggregator Back-end
    NetFlow
    Tools
    Si Si v5/IPFIX

    NetFlow-lite 1:N NF NetFlow enabled device


    packet sampling
    NFL NFL NFL NFL NFL NFL
    NFL
    NetFlow-lite enabled device

    NetFlow v9 or
    IPFIX export
    Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 9
    Why do I Need a NetFlow-lite Aggregator?
    NetFlow-lite Aggregator serves the following purposes:
     Parse NetFlow-lite data to extract information such as src/dst IP
    address, TCP/UDP port, packet length, etc.
     Construct temporary flow cache
     Extrapolate flow statistics by correlating sampling rate w/ sampled
    packets
     Export aggregated and extrapolated data to NetFlow collectors in
    standard IPFIX or NetFlow v5/v9 format
     Conserve valuable forwarding bandwidth by aggregating NetFlow-
    lite data to more bandwidth efficient NetFlow export

    Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 10
    NetFlow-lite Aggregator – Using nProbe
    What is it?
    NetFlow-lite
    nProbe is an open source NetFlow aggregator
    (nProbe)
    collector/probe/NetFlow-lite Aggregator
    Any NetFlow
    and can be obtained from ntop.org Collector
    5.5.5.10:5000
    How Si Si

    • nProbe can run on any linux


    server by issuing the following Si Si

    command:
    # ./nprobe -i eth2 -b 1 -s 5 -t 60 -w
    1000000 --nflite 2055:16 -n
    5.5.5.10:2055 -O 2 -e 0

    The command Indicates that nProbe will be collecting NetFlow-lite info


    over eth2, on port 2055~2070, extract & aggregate info using 1MB of NetFlow v9 or
    cache size, flow expiration time is 60 seconds, into NetFlow v5/v9/IPFIXIPFIX export
    format, send to NetFlow collector located at 5.5.5.10, port 2055, whether
    on the same server or other L3 reachable servers/appliances
    Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 11
    Designing NetFlow-lite in Large-scale DC
    A Tiered Approach

     Deploy an nProbe per zone


    to scale
    Any NetFlow •NetFlow-lite data
    Collector
    Si Si
    aggregated per zone to
    conserve bandwidth
    usage in data center
    core/distribution
    •Recommended to
    Si Si

    deploy nProbe as close


    to the switches as
    Zone1 Zone2 possible
     How many switches can be
    in a zone?
    • Depending on the
    sampling rate, link
    Zone3 Zone4 utilization, # of flows, the
    horsepower of server
    running nProbe

    Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 12
    Use Case Example:
    Network Visibility with NetFlow-lite
    Screenshot taken from Plixer Scrutinizer

    Link utilization
    over time

    Top
    talkers

    Bandwidth usage per flow


    Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 13
    NetFlow-lite Configuration
    netflow-lite exporter check
    transport udp 2055 Configure exporter setting
    transport udp load-share 16
    NetFlow-lite to
    template data timeout 60 NetFlow
    options sampler-table timeout 60 Converter
    Any NetFlow
    source 9.9.9.10 Collector
    destination 9.9.9.1
    export-protocol ipfix Si Si

    netflow-lite sampler check


    packet-rate 32 Configure sampler setting
    Si Si

    packet-section size 64
    packet-offset 0
    !

    interface GigabitEthernet1/1
    no switchport
    ip address 40.40.40.1 255.255.255.0
    netflow-lite monitor 1
    sampler check
    exporter check
    NetFlow v9 or
    Apply sampler and exporter to IPFIX export
    Netflow-lite monitor on the
    interface
    Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 14
    Other Resources

     Catalyst 4948E NetFlow-lite configuration guide


    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2
    /15.02SG/configuration/guide/nswich_l.html

     Ntop.org
    http://www.ntop.org/nProbe.html

     Flexible NetFlow Technology White Paper


    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6
    555/ps6601/ps6965/prod_white_paper0900aecd804be1cc.html

    Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 15
    Using nProbe as
    NetFlow-Lite Aggregator

    Luca Deri <deri@ntop.org>

    © 2011 - ntop.org
    Problem Statement
    • NetFlow-Lite brings visibility to switched
    networks.
    • NetFlow-Lite are exports in v9/IPFIX
    format and contain packets sections.
    • Legacy NetFlow collectors need additional
    support to understand and analyze
    NetFlow-lite flows.

    © 2011 - ntop.org 17
    What is nProbe ?
    Flow Collection
    NetFlow-Lite Flows

    “Classic” NetFlow
    Flows (v5/v9/IPFIX)

    © 2011 - ntop.org 18
    Typical nProbe Deployment
    NetFlow
    Collector • Place nProbe as
    close as possible
    to the NetFlow-Lite
    NetFlow v9 or Switch.
    IPFIX exports
    • Each nProbe
    instance can
    Deployed nProbes
    collect flows from
    multiple switches.

    © 2011 - ntop.org 19
    Converting NFLite to NetFlow
    • nProbe implements a “real” flow cache
    without converting each NFLite flow into a
    single NetFlow “classic” flow.
    • Interface Identifiers are preserved, as well
    sampling rate is taken into account as
    packets/bytes are scaled.
    • Collectors are unaware of the
    NFLite-to- NetFlow conversion that is
    totally transparent for them.
    © 2011 - ntop.org 20
    NetFlow-Lite Support in nProbe
    [1/2]
    • nProbe collects NetFlow-Lite Flows over
    IPv4/IPv6 UDP.
    • 4948E balances flows on multiple UDP
    destination ports

    © 2011 - ntop.org 21
    NetFlow-Lite Support in nProbe
    [2/2]
    • For collecting large number of NetFlow-Lite
    Flows a kernel plugin (Linux only) has
    been developed.

    © 2011 - ntop.org 22
    Final Remarks
    • nProbe 6.5.x natively supports NetFlow-
    Lite.
    • It is available for both Windows and Unix.
    • Typical NetFlow lite conversion speed
    range from 250k to 1M flows/sec (Linux
    only using the kernel plugin).
    • nProbe supports transparent IP address
    spoofing for impersonating the 4948E
    switch.
    © 2011 - ntop.org 23

    You might also like