Catalyst 4948E NetFlow-lite

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Application Visibility in Data Center

Why Application Visibility in Data Center

Efficient Operation
• What applications are consuming bandwidth
• Who is using them
• When they are being used
• What activities are prevalent

Visibility into the network & control
• End-user experience management
• Network and capacity planning
• Troubleshooting
• Network forensics

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2
Introducing NetFlow-lite

What is NetFlow-lite for?
• Traffic monitoring capability for east-west & north-south L2/L3 traffic
• Identify top talkers (applications, servers, hosts)
• Capacity planning thru insights of link/network utilization

What does NetFlow-lite provide?
• Up to 1:32 sampling on all 1G downlink & 10G uplink ports
• 1:1 sampling on up to 2 downlink ports for troubleshooting
• Supported on L2/L3 ports, EtherChannel
• NetFlow v9 and IPFIX format
• Optional packet section

[Figure: switches perform NetFlow-lite 1:N packet sampling and send NetFlow v9 or IPFIX export to a NetFlow-lite Aggregator, which feeds any NetFlow collector]

NetFlow-lite:
Building upon the flexibility of Flexible NetFlow

                    Flexible NetFlow                      NetFlow-lite
Metering Process    User selection of flow keys           Packet sampling
                    User definition of flow records       More selection of flow keys*
                                                          (packet length, packet section, sampling rate)
Flow Cache          Normal cache                          Immediate cache
                    Permanent cache
                    Immediate cache
Exporting Process   NetFlow version 9 or IPFIX            NetFlow version 9 or IPFIX

* NetFlow-lite exports new keys such as raw packet section & sampling rate

NetFlow-lite: Metering Process

[Figure: in the packet forwarding path, 1-in-N samples (truncated) are combined with a NetFlow-lite export packet header and other fields (sampled packet length, # of sampled packets, total # of packets observed) into a NetFlow-lite export packet (v9 or IPFIX)]

• Configurable sampling rate up to 1-in-32 on all 48 downlinks (1G) and 4 uplinks (10G), AND 1-in-1 sampling on up to 2 ports (1G only)
• Configurable packet sample length (export truncated packet section to conserve bandwidth)

NetFlow-lite: Export Format

• Example: NetFlow-lite in NetFlow version 9 export format
• Version 9 is based on templates and separate flow records
  – Templates composed of type and length
  – Flow records composed of template ID and value

[Figure: a version 9 export packet: HEADER, then a Template FlowSet carrying Template ID #1 (specific field types and lengths), then a Data FlowSet (FlowSet ID #1) whose record carries: Input interface, Output interface, Sequence #, Total # of packets observed, # of packets sampled, Sample packet size, Packet length, Packet section]

NetFlow-lite: Flow Cache

• There are 3 types of flow caches in Flexible NetFlow
  – Normal Cache (traditional NetFlow)
  – Permanent Cache
  – Immediate Cache
• NetFlow-lite uses the immediate cache
  – Every packet creates a new flow
  – Good for packet section export in version 9/IPFIX format
• Additional Reference:
  Cisco IOS Flexible NetFlow Technology White Paper
  (http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/prod_white_paper0900aecd804be1cc.html)

NetFlow-lite vs. NetFlow
Catalyst 4500/4900 Switches NetFlow-lite vs NetFlow Support:

                    NetFlow-lite (4948E, 4948E-F)             NetFlow (SupIV/V, SupV-10GE, Sup7-E)
Technology          Packet-based                              Flow-based
Hardware            FPGA-assist                               NetFlow ASIC
Metering Method     Sampling (configurable, up to 1-in-32*)   Every packet accounted for
Export format       v5, v9, IPFIX**                           v5, v8, v9, IPFIX
Flow Cache          Immediate cache                           Normal cache/immediate cache/permanent cache
Ecosystem           Easily integrate with any NetFlow         NetFlow collector
                    collector with NetFlow-lite Aggregator
Platform Support    4948E, 4948E-F                            SupIV/V (with daughter card)
                                                              SupV-10GE
                                                              Sup7-E (Flexible NetFlow)

* Supports 1-in-1 sampling for up to 2 ports for troubleshooting
** Catalyst 4948E/4948E-F is the first Cisco product supporting IPFIX
Data Center-wide Monitoring
Integrating NetFlow-lite into Your Network

Integrating NetFlow-lite into an existing NetFlow architecture is easy:
• Work with existing collectors & back-end tools through NetFlow-lite Aggregators
• NetFlow-lite Aggregators and collectors can sit anywhere in the network, as long as they are L3 reachable
• NetFlow-lite Aggregators are transparent to the NetFlow collector (NetFlow collectors receive aggregated flow data as if it's coming directly from the switch)
• The NetFlow collector analyzes & correlates both NetFlow and aggregated NetFlow-lite data

[Figure: NetFlow enabled devices (NF) send their existing NetFlow export (v5/IPFIX) directly to any NetFlow collector and back-end NetFlow tools; NetFlow-lite enabled devices (NFL) do 1:N packet sampling and send NetFlow v9 or IPFIX export to a NetFlow-lite Aggregator, which forwards to the same collector]
Why do I Need a NetFlow-lite Aggregator?
NetFlow-lite Aggregator serves the following purposes:
• Parse NetFlow-lite data to extract information such as src/dst IP address, TCP/UDP port, packet length, etc.
• Construct temporary flow cache
• Extrapolate flow statistics by correlating sampling rate w/ sampled packets
• Export aggregated and extrapolated data to NetFlow collectors in standard IPFIX or NetFlow v5/v9 format
• Conserve valuable forwarding bandwidth by aggregating NetFlow-lite data to more bandwidth efficient NetFlow export

NetFlow-lite Aggregator – Using nProbe

What is it?
• nProbe is an open source NetFlow collector/probe/NetFlow-lite Aggregator and can be obtained from ntop.org

How
• nProbe can run on any Linux server by issuing the following command:

  # ./nprobe -i eth2 -b 1 -s 5 -t 60 -w 1000000 --nflite 2055:16 -n 5.5.5.10:2055 -O 2 -e 0

• The command indicates that nProbe will collect NetFlow-lite info over eth2 on ports 2055~2070, extract & aggregate the info using 1MB of cache size with a flow expiration time of 60 seconds, into NetFlow v5/v9/IPFIX format, and send it to the NetFlow collector located at 5.5.5.10, port 2055, whether on the same server or on other L3 reachable servers/appliances

[Figure: switches send NetFlow v9 or IPFIX export to the NetFlow-lite Aggregator (nProbe), which forwards to any NetFlow collector at 5.5.5.10:5000]
Designing NetFlow-lite in Large-scale DC
A Tiered Approach

• Deploy an nProbe per zone to scale
  – NetFlow-lite data aggregated per zone to conserve bandwidth usage in data center core/distribution
  – Recommended to deploy nProbe as close to the switches as possible
• How many switches can be in a zone?
  – Depending on the sampling rate, link utilization, # of flows, the horsepower of the server running nProbe

[Figure: four zones (Zone1, Zone2, Zone3, Zone4), each with its own nProbe, feeding any NetFlow collector]

Use Case Example:
Network Visibility with NetFlow-lite

[Screenshot taken from Plixer Scrutinizer, showing link utilization over time, top talkers, and bandwidth usage per flow]

NetFlow-lite Configuration

! Configure exporter setting
netflow-lite exporter check
 transport udp 2055
 transport udp load-share 16
 template data timeout 60
 options sampler-table timeout 60
 source 9.9.9.10
 destination 9.9.9.1
 export-protocol ipfix
!
! Configure sampler setting
netflow-lite sampler check
 packet-rate 32
 packet-section size 64
 packet-offset 0
!
! Apply sampler and exporter to the NetFlow-lite monitor on the interface
interface GigabitEthernet1/1
 no switchport
 ip address 40.40.40.1 255.255.255.0
 netflow-lite monitor 1
  sampler check
  exporter check

[Figure: the switch sends NetFlow v9 or IPFIX export to a NetFlow-lite to NetFlow converter, which feeds any NetFlow collector]
Other Resources

• Catalyst 4948E NetFlow-lite configuration guide
  http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/15.02SG/configuration/guide/nswich_l.html
• Ntop.org
  http://www.ntop.org/nProbe.html
• Flexible NetFlow Technology White Paper
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/prod_white_paper0900aecd804be1cc.html

Using nProbe as
NetFlow-Lite Aggregator

Luca Deri <[email protected]>

© 2011 - ntop.org
Problem Statement
• NetFlow-Lite brings visibility to switched networks.
• NetFlow-Lite exports are in v9/IPFIX format and contain packet sections.
• Legacy NetFlow collectors need additional support to understand and analyze NetFlow-lite flows.

What is nProbe?

[Figure: nProbe performs flow collection of both NetFlow-Lite flows and "classic" NetFlow flows (v5/v9/IPFIX)]

Typical nProbe Deployment
• Place nProbe as close as possible to the NetFlow-Lite switch.
• Each nProbe instance can collect flows from multiple switches.

[Figure: switches send NetFlow v9 or IPFIX exports to the deployed nProbes, which feed the NetFlow collector]

Converting NFLite to NetFlow
• nProbe implements a "real" flow cache rather than converting each NFLite flow into a single NetFlow "classic" flow.
• Interface identifiers are preserved, and the sampling rate is taken into account: packets/bytes are scaled.
• Collectors are unaware of the NFLite-to-NetFlow conversion, which is totally transparent for them.
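The conversion described on this slide and the aggregator duties listed earlier under "Why do I Need a NetFlow-lite Aggregator?" (parse the packet section, keep a temporary flow cache keyed on the 5-tuple plus interfaces, extrapolate packets/bytes from the sampling rate, expire idle flows for export), written out as an added Python sketch. This is not nProbe's code; it assumes each sample's section starts at the IPv4 header (L2 header already stripped) and feeds itself constructed sample records rather than captured data.

```python
import struct

def flow_key(section):
    """5-tuple from a sampled packet section. Assumption: the section starts at the
    IPv4 header (the L2 header was already stripped); returns None otherwise."""
    if len(section) < 20 or section[0] >> 4 != 4:
        return None
    ihl, proto = (section[0] & 0x0F) * 4, section[9]
    src = ".".join(map(str, section[12:16]))
    dst = ".".join(map(str, section[16:20]))
    sport = dport = 0  # ports only for TCP/UDP and only if the truncated section has them
    if proto in (6, 17) and len(section) >= ihl + 4:
        sport, dport = struct.unpack("!HH", section[ihl:ihl + 4])
    return (src, dst, proto, sport, dport)

class LiteAggregator:
    """Temporary flow cache: every 1-in-N sample stands for N packets and N * packet
    length bytes; flows idle for `timeout` seconds are expired for export."""
    def __init__(self, timeout=60):
        self.timeout, self.cache = timeout, {}

    def add(self, rec, now):
        key = flow_key(rec["packet_section"])
        if key is None:
            return
        key += (rec["input_interface"], rec["output_interface"])  # interfaces preserved
        f = self.cache.setdefault(key, {"packets": 0, "bytes": 0, "first": now, "last": now})
        f["packets"] += rec["sampling_interval"]  # extrapolate from the sampling rate
        f["bytes"] += rec["sampling_interval"] * rec["packet_length"]
        f["last"] = now

    def expire(self, now):
        """Pop and return idle flows (what would be exported as v5/v9/IPFIX records)."""
        done = [k for k, f in self.cache.items() if now - f["last"] >= self.timeout]
        return {k: self.cache.pop(k) for k in done}

def ipv4_tcp_section(src, dst, sport, dport):
    """Constructed 24-byte IPv4 header + TCP ports, enough for flow_key (no checksum)."""
    hdr = bytes([0x45, 0, 0x05, 0xDC, 0, 0, 0, 0, 64, 6, 0, 0])
    hdr += bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    return hdr + struct.pack("!HH", sport, dport)

def demo():
    """Three 1:32 samples of one 1500-byte flow at t=0,5,10 s, expired at t=70 s."""
    agg = LiteAggregator(timeout=60)
    sec = ipv4_tcp_section("10.1.1.5", "10.2.2.9", 43210, 443)  # constructed
    for t in (0, 5, 10):
        agg.add({"input_interface": 1, "output_interface": 2, "sampling_interval": 32,
                 "packet_length": 1500, "packet_section": sec}, now=t)
    return agg.expire(now=70)
```

With a 1:32 sampler the extrapolated counts are estimates, so short flows that never get sampled are invisible and single-sample flows are rounded up to 32 packets; the timeout of 60 s matches the `-t 60` and `template data timeout 60` values used earlier in the deck.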
NetFlow-Lite Support in nProbe [1/2]
• nProbe collects NetFlow-Lite flows over IPv4/IPv6 UDP.
• The 4948E balances flows on multiple UDP destination ports.

NetFlow-Lite Support in nProbe [2/2]
• For collecting a large number of NetFlow-Lite flows, a kernel plugin (Linux only) has been developed.

Final Remarks
• nProbe 6.5.x natively supports NetFlow-Lite.
• It is available for both Windows and Unix.
• Typical NetFlow-lite conversion speed ranges from 250k to 1M flows/sec (Linux only, using the kernel plugin).
• nProbe supports transparent IP address spoofing for impersonating the 4948E switch.