NetFlow Introduction to Flexible NetFlowfoxclan69.free.fr/eBook/Cisco/Cisco_Expo_2007/03... · Cisco Catalyst 6500; Cisco 7600 Series ASIC Cisco 10000 Series ASIC Cisco 12000 Series

© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1

NetFlowIntroduction to Flexible NetFlow

Jean-Charles GRIVIAUD

[email protected]

NSSTG Product Manager


Cisco IOS NetFlow – What is it?

� Developed and patented at Cisco®

Systems in 1996

� NetFlow is the defacto standard for acquiring IP operational data

� Provides network and security monitoring, network planning, traffic analysis, and IP accounting

Network World Article – NetFlow Adoption on the rais e

http://www.networkworld.com/newsletters/nsm/2005/03 14nsm1.html


� UnderstandProductivity and utilization of assets in the network

Improve Application and network usage

Impact of network changes and services

NetFlow answers the who, what, when, where, and how network traffic is flowing

� Detect and classify security incidents with proven threat defence

Why Cisco IOS NetFlow?Customer Benefits


Principle NetFlow Applications

Security Monitoring and Incident (DDoS) Detection

Security Monitoring and Incident (DDoS) Detection

Billing for DepartmentsAccounting and Billing

Application MonitoringTraffic Engineering

User Monitoring/ProfilingPeering Arrangements

Internet Access MonitoringNetwork Infrastructure Optimization and Planning

EnterpriseService Provider

Data at ANY granularity to understand network use: who, what, where, when and how


BillingDenial of Service

Cisco Applications and Partners

•Flow-Tools•FlowMon•Flowd•IPFlow

Traffic Analysis

CS-Mars

Open Source

NetFlow Collector

More info: http://www.cisco.com/warp/public/732/Tec h/nmp/netflow/partners/commercial/


Key Concept — NetFlow Scalability

� Packet capture is like a wiretap

� NetFlow is like a phone bill

� This level of granularity allows NetFlow to scale for very large amounts of traffic

We can learn a lot from studying the phone bill

Who’s talking to whom, over what protocols and ports, for how long, at what speed, for whatduration, etc.

NetFlow is a form of telemetry pushed from the routers/switches — each one can be a sensor


NetFlow Features

� Cisco NetFlow (NF) is group of IOS features for traffic accounting and monitoring on per flow basis

� NF includes 21 features with flows of different granularity:

– Traditional IP NF - individual TCP/UDP sessions

– MPLS aware NF - individual TCP/UDP session over MPLS

– 12 features of IP aggregated NF - per IP prefix, AS, etc

– IPv6 NF - individual IPv6 TCP/UDP sessions

– 6 features of IPv6 aggregated NF - per IPv6 prefix, AS, etc.


Flow Key Fields

� Each NF feature has unique set of flow key fields that may include MPLS, IPv4, IPv6, TCP, UDP, ICMP, IGMP packet header fields, routing attributes

� AS-TOS aggregated NF key fields are:– source and destination AS's

– input and output interfaces

– TOS

� Flow includes all/only packets that can not be distinguished based on key fields.


NetFlow Key Fields Creating Flow Records

Inspect Packet

Input Interface

TOS Byte

Layer 3 Protocol

Destination port

Source port

Destination IP

Source IP

Key Fields Packet 1

Ethernet 0

0

TCP - 6

1.1.1.1

2.2.2.2

23

22078

2.2.2.2

Dest. IP

E1

Dest. I/F

6

Protocol

0

TOS

…

…

1.1.1.1

Source IP Pkts

11000

1. Inspect packet for key field values

2. Compare set of values to NetFlow cache

3. If the set of values are unique create a flow in cache

4. Inspect the next packet

Inspect Packet

Input Interface

TOS Byte

Layer 3 Protocol

Destination port

Source port

Destination IP

Source IP

Key Fields Packet 2

Ethernet 0

0

TCP - 6

3.3.3.3

2.2.2.2

23

22078

11000…06E12.2.2.23.3.3.3

2.2.2.2

Dest. IP

E1

Dest. I/F

6

Protocol

0

TOS

…

…

1.1.1.1

Source IP Pkts

11000

Add new Flow to the NetFlow CacheCreate Flow record in the Cache

Example 1 Example 2


Flow Non-Key Fields and Statistics

� Non-key fields are used not to define a flow and are exported along with the flow and provide additional information

� Traditional IP NF non-key fields:

– source and destination AS's

– source and destination IP prefix masks

– IP address of next-hop router

– TCP flags

– output interface

� NF features provide per flow statistics:

– number of packets and bytes in flow

– time-stamps for first and last packets in flow


Traditional Layer 3 NetFlow Cache1. Create and update flows in NetFlow cache

31145.5142810.0.23.215/2400A1180/2400A11000010801110.0.227.12Fa0/0173.100.20.2Fa1/0

141.574010.0.23.215/2415196/26152491040610.0.227.12Fa0/0173.100.3.2Fa1/0

41745152810.0.23.215/2400A25/2400A21100010801110.0.227.12Fa0/0173.100.21.2Fa1/0

24.5

Active

14

Idle

10.0.23.2

NextHop

1040

Bytes/Pkt

15

DstAS

/24

DstMsk

19

DstPort

180

SrcAS

/30

SrcMsk

19

SrcPort

2210

Pkts

0

Flgs

40

TOS

10.0.227.12

DstlPadd

6

Protocol

Fa0/0173.100.6.2Fa1/0

DstlfSrclPaddSrclf

2. Expiration

41800152810.0.23.215/2400A25/2400A21100010801110.0.227.12Fa0/0173.100.21.2Fa1/0

Active IdleNextHop Bytes/Pkt

DstAS

DstMsk

DstPort

SrcAS

SrcMsk

SrcPortPktsFlgsTOSDstlPadd ProtocolDstlfSrclPaddSrclf

3. Aggregation

4. Export version

5. Transport protocol

E.g. Protocol-Port Aggregation Scheme Becomes

Aggregated Flows—Export Version 8 or 9

ExportPacket

Payload(Flows)

Non-aggregated flows—export v ersion 5 or 9

YesNo

152800A200A21100011

Bytes/PktDstPortSrcPortPktsProtocol

Hea

der

• Inactive Timer Expired (15 Sec Is Default)• Active Timer Expired (30 Min Is Default)• NetFlow Cache Is Full (Oldest Flows Are Expired)• RST or FIN TCP Flag

Key Fields in YellowNon-Key Fields white


Input

Ingress NetFlow Switching Path

Packet

buffer

• ACL• Policy• WCCP• NAT input

FAST+FLOW

Switching vector Flow lookup

NetFlow

cache

Input interfacefeature check

Src ASCEF+FLOW

Add inputflow fields

New flow

FIB

Route lookup Add outputflow fields

Dest AS,

nexthop,

BGP nexthop

Output interfacefeature check

• Qos• CAR• Crypto• NAT output

Packets

Output interfaceupdate

OutputInput bytes

Input packets

Sampling

1 out of NYes

No

Cisco 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers


Cisco 800Series

Cisco 17001800 Series

Cisco 37003800

Series

Cisco 26002800

Series

Cisco 7300Series

Cisco Catalyst 6500; Cisco 7600 Series

ASIC

Cisco 10000Series ASIC

Cisco 12000 SeriesASIC

Cisco 7200/7500Series

Cisco 4500Series ASIC

Cisco IOS Software Releases

Enterprise & aggregation/edge

Cisco IOS Software Release 12.2S

Cisco 7200/7300 Series

Access

Core

Release 12.0S/IOS-XR

CRS-1 ASIC

Comprehensive Hardware Support


NetFlow Versions

NetFlow Version Comments

1 Original

5 Standard and most common

7

Specific to Cisco Catalyst 6500 and 7600 Series Switches Similar to Version 5, but does not include AS, interface, TCP Flag & TOS information

8Choice of eleven aggregation schemesReduces resource usage

9

Flexible, extensible file export format to enable easier support of additional fields & technologies; coming out now MPLS, Multicast, & BGP Next Hop


Version 5 - Flow Export Format

• Source IP Address• Destination IP Address

• Packet Count• Byte Count

Usage

QoS

Timeof Day

Application

PortUtilization

From/To

Routing and

Peering

• Input ifIndex• Output ifIndex

• Type of Service• TCP Flags• Protocol

• Start sysUpTime• End sysUpTime

• Source TCP/UDP Port• Destination TCP/UDP Port

• Next Hop Address• Source AS Number• Dest. AS Number

• Source Prefix Mask• Dest. Prefix Mask

• Source IP Address• Destination IP Address

Version 5 used extensively today


Extensibility and FlexibilityPhased Approach

� Why a new export protocol?Build a flexible and extensible export format!

Advantage: we can add new technologies/data types very quickly

Example: MPLS, IPv6, BGP next HOP

� Phase 1: NetFlow Version 9Advantages: extensibility

Integrate new technologies/data types quicker

Integrate new aggregations quicker

Note: for now, the template definitions are fixed!

� Phase 2: User defined templates (Flexible NetFlow)Advantages: cache and export content flexibility

Selection of a subset of the 7 flow keys

Selection of the data types to export


NetFlow v9 Export Packet

• Matching ID numbers are the way to associate template to the Data Records

• The Header follows the same format as prior NetFlow versions so Collectors will be backward compatible

• Each data record represents one flow

• If exported flows have the same fields, then they can be contained in the same Template Record (ie: unicast traffic) can be combined with multicast records

• If exported flows have different fields, then they cannot be contained in the same Template Record (ie: BGP next-hop cannot be combined with MPLS Aware NetFlow records)

Data FlowSetTemplate FlowSet Option TemplateFlowSetFlowSet ID #1

Data FlowSetFlowSet ID #2

Template ID

(specific

Field types

and lengths)

(version,

# packets,sequence #,

Source ID)

Flows from Interface A

Flows from Interface B

To support technologies such asMPLS or Multicast, this export format canbe leveraged to easily insert new fields

FlowSet ID

Option Data

Record

(Field values)

Option Data

Record

(Field values)

Template Record

Template ID #2

(specific Field types and lengths)

Template Record

Template ID #1

(specific Field types and lengths)

Data Record

(Field values)

Data Record

(Field values)

Option Data FlowSet

Data Record

(Field values)


• Multicast NetFlowAvailability: Major Release 12.3(1) and 12.2(18)S

Ingress Accounting of replicated multicast packets

Egress Per user accounting of multicast packets

• MPLS Aware NetFlowAvailability: Release 12.0(26)S

Label and prefix export information

• BGP Next HopAvailability: Releases 12.0(26)S, 12.2(18)S, and 12 .3(1)

Edge to Edge Traffic Matrix

BGP traffic destination information

• NetFlow for IPv6Availability: Release 12.3(7)T

Export IPv6 source and destination information

NetFlow Features supported with Version 9


NetFlow Version 9 Platform Support

� Releases

12.0(24)S for the Cisco 7200 , 7500 and 12000 Series Routers

12.3(1) for the Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800 and 7200 Series Routers

12.2(18)S for the Cisco 7200, 7301 and 7500 Series Routers

12.2(18)SXF – Catalyst 6500/7600 Series Switch

12.2(x)SRB – Cisco 7600 Series Router

12.2(30)SB – Cisco 7304 and 10000 Series Routers

� NF v9 is an export feature, by itself it does’t add new capabilityNewer features under NetFlow require NFv9 (eg, MPLS, Flexible NetFlow)


Performance TestingNetFlow Version 9

� Similar CPU and throughput numbers result from configuration of both NetFlow Version 5 and 9

� No change in NetFlow performance after the addition of Version 9

Cisco IOS Software Releases 12.0(24)S, 12.2S, and 12.3

� CPU is slightly higher immediately following initial boot up or configuration

Caused by sending template flowsets to collector


NetFlow v9 and IETF

� Internet Protocol Flow Information eXport (IPFIX) is an IETF working group

www.ietf.org/html.charters/ipfix-charter.html

� Netflow Version9 is the basis for the standard in the IETF

� Standards track NewNew


Introduction of Flexible NetFlow


IOS Traffic Accounting Features

� IOS traffic accounting features can be sub-divided:

– Static features – number of accounting buckets is statically known and does not depend on traffic e.g. precedence, BGP PA accounting

– Dynamic features – number of accounting buckets (flows) depends on traffic, e.g. NetFlow, MAC accounting.

� New applications constantly require new accounting features

� Current approach of feature development one by one does not scale, does not deliver timely solution.


Scenario’s or Uses for Accounting Technologies

BGP PA, NetFlowDestination and Source-Sensitive Billing

AAA, NetFlowTime and Usage-Based Billing

SNMP, NetFlow, BGP PAPeering and Transit Agreements

NetFlow, NBARSecurity Analysis

CB-QoS MIB, IP SLAs, NetFlowQoS/CoS Monitoring

AAA, NetFlowUser Monitoring

NBAR, NetFlowApplication Monitoring

NetFlow, BGP PANetwork Planning and Traffic Engineering

NetFlow, BGP PANetwork Monitoring

TechnologyScenario


Flexible NetFlow Benefits

• Increased Flexibility, scalability, customization beyond today’s NetFlow

• The ability to monitor a wider range of packet information

• User configurable flow information to perform customized traffic identification and the ability to focus and monitor specific network attributes


Flexible NetFlow Tracking data with Flow Monitors

Different Flow monitors for detecting different information:

TELEWORKER

SiSi SiSi

WANDATA CENTER

CAMPUS

BRANCH

SecurityFlows

MulticastFlows

ApplicationFlows

ISP

PeeringFlows

IPFlows


Flexible NetFlow Advantage

Traditional NetFlow

One set of flow information, single cache used by all applications

Different NetFlow applications are tracked separately



•Track security, and traffic analysis data separately

•Export different Flow Monitors to different destinations

•Customers benefit from detailed analysis for each application


Flexible NetFlow Advantage (Cont.)

Traditional NetFlow

One cache may limit detailed problem isolation

Flexible NetFlow Benefits•Create virtual NetFlow caches to track and isolate issue

•Isolate security or traffic incidents in the network

•Customized traffic identification combined with input filtering

•Allows pinpoint accuracy in determining and isolating incidents

Focused network visibility and problem isolation



Flexible NetFlow Advantage (Cont.)

Traditional NetFlow

Limited data aggregation and fixed flow fields


•Select only information that is needed

•Better use of flow cache and aggregation

•New information from layer 2 and above including packet sections

User selected flow information increasing scalabilityVisibility into new types of data using version 9 export



Flexible NetFlow Tracking data with Flow Monitors

Different Flow monitors for detecting different information:

SiSi SiSi

WANDATA CENTER

CAMPUS

BRANCH

Security Flows•Protocol•Ports•IP Addresses•TCP Flags•Packet Section

Multicast Flows•Protocol•Ports•IP Subnets

•Packet Replication

ISPPeering Flows•Dest. AS•Dest. Traffic Index•BGP Next Hop•DSCP

IP Flows•IP Subnets•Ports•Protocol•Interfaces•Egress/Ingress


Flexible NetFlow Multiple Monitors with Unique Key Fields

Input Interface

TOS Byte

Layer 3 Protocol

Destination port

Source port

Destination IP

Source IP

Key Fields Packet 1

Ethernet 0

0

TCP - 6

3.3.3.3

2.2.2.2

23

22078

11000…06E12.2.2.23.3.3.3

2.2.2.2

Dest. IP

E1

Dest. I/F

6

Protocol

0

TOS

…

…

1.1.1.1

Source IP Pkts

11000

Traffic Analysis Cache

Flow monitor

1

Traffic

2.2.2.2Dest IP

Ethernet 0Input Interface

Packet Section

Source IP

Key Fields Packet 2

1010101

3.3.3.3

11000…101E1E12.2.2.23.3.3.3

Dest. IP Dest. I/F Input I/F Sec …Source IP Pkts

Security Analysis Cache

Next-Hop Address

Time Stamps

Bytes

Packets

Non Key Fields

Time Stamps

Packets

Non Key Fields

Flow monitor

2


Flexible NetFlow Components

• The Flow Monitor is a flow cache contains flow records Applied to an interfaceFlow monitors can be ingress or egressPacket sampling possible per flow monitor

• Flow Monitor Components:Flow Record – defines what is captured by NetFlow

Flow records have two formats:Pre-defined or user-defined schemesInclude Key and Non-Key Fields

Flow Exporter - where NetFlow will be exportedMultiple flow exporters per Flow Monitor


Flexible NetFlow Model

� A single record per monitor

� Potentially multiple monitors per interface

� Potentially multiple exporters per monitor

Interface

Monitor “A” Monitor “B” Monitor “C”

Record “X” Exporter “M” Exporter “M”

Record “Z”

Record “Y”

Exporter “N”Exporter “N”


Router(config)#flow exporter my-exporter

Router(config-flow-exporter)#destination 1.1.1.1

Configure the Exporter

Router(config)#flow record my-recordRouter(config-flow-record)#match ipv4 icmp typeRouter(config-flow-record)#match ipv4 icmp codeRouter(config-flow-record)#collect counter bytes

Configure the Flow Record

Router(config)#flow monitor my-monitor

Router(config-flow-monitor)#exporter my-exporter

Router(config-flow-monitor)#record my-record

Configure the Flow Monitor

Configure the InterfaceRouter(config)#int s3/0

Router(config-if)#ip flow monitor my-monitor input

Configure a User-Defined Flow Record


Flexible Monitor Configuration

� CLI:flow monitor <monitor-name>

record <record-name>

exporter <exporter-name>

cache type {normal | immediate | permanent}

cache entries <number-of-entries>

cache timeout {active | inactive | update} <value-in-sec>

size-distribution

exit

Define Flow monitor cache and associated with the m onitor is an exporter and a pre-defined or user defined NetFlow record


Flexible NetFlowUser Defined Record Configuration

Router(config)# flow record my-recordRouter(config-flow-record)# match -> Specify a key fieldRouter(config-flow-record)# collect -> Specify a non-key field

Router(config-flow-record)# match ?flow Flow identifying fieldsinterface Interface fieldsipv4 IPv4 fieldsrouting routing attributestransport Transport layer field

Router(config-flow-record)# collect ? counter Counter fieldsflow Flow identifying fieldsinterface Interface fieldsipv4 IPv4 fieldsrouting IPv4 routing attributestimestamp Timestamp fieldstransport Transport layer fields


Flexible Flow Record Configuration Example

Flow key fields: destination AS, IPv4 source prefix, output

interface index, maintain 32-bit packet and byte counters, no

timestamps:

(config)# flow record dst-as-src-prefix

(flow-record)# match routing destination as

(flow-record)# match ipv4 source prefix

(flow-record)# match ipv4 source mask

(flow-record)# match interface output

(flow-record)# collect counter packets

(flow-record)# collect counter bytes

(flow-record)# exit


Flexible Flow Record: Key Fields

DSCPID

VersionFragmentation Flags

OptionsProtocol

Payload SizeIP (Source or Destination)

Packet Section (Header)

Prefix (Source or Destination)

Packet Section (Payload)

Mask (Source or Destination)

TTLMinimum-Mask (Source or Destination)

PrecedenceFragmentation Offset

IPv4

Total Length

Header Length TOS Input

Output

Interface

BGP Next Hop

IGP Next Hop

Is-Multicast

Destination AS

Peer AS

Traffic Index

Forwarding Status

Routing

UDP Message LengthTCP Window-Size

TCP Flag: SYNTCP Header Length

TCP Flag: RSTTCP ACK Number

TCP Flag: PSHIGMP Type

TCP Flag: ACKDestination Port

TCP Flag: CWRSource Port

TCP Flag: ECEICMP Code

TCP Flag: FINICMP Type

TCP Flag: URGTCP Sequence Number

Transport

UDP Destination Port

TCP Destination Port

TCP Urgent Pointer

TCP Source Port UDP Source Port

Sampler ID

Direction

Flow


Flexible Flow RecordKey Fields for Traffic Analysis

DSCPID


OptionsProtocol








IPv4

Total Length


Output

Interface

BGP Next Hop

IGP Next Hop

Is-Multicast

Destination AS

Peer AS

Traffic Index

Forwarding Status

Routing










Transport



TCP Urgent Pointer


Sampler ID

Direction

Flow


Flexible Flow RecordKey Fields for Security

DSCPID


OptionsProtocol








IPv4

Total Length


Output

Interface

BGP Next Hop

IGP Next Hop

Is-Multicast

Destination AS

Peer AS

Traffic Index

Forwarding Status

Routing










Transport



TCP Urgent Pointer


Sampler ID

Direction

Flow


Flexible Flow RecordKey Fields for Peering arrangements

DSCPID


OptionsProtocol








IPv4

Total Length


Output

Interface

BGP Next Hop

IGP Next Hop

Is-Multicast

Destination AS

Peer AS

Traffic Index

Forwarding Status

Routing










Transport



TCP Urgent Pointer


Sampler ID

Direction

Flow


Flexible Flow RecordNon-Key Fields for Security

� Any of the potential “key” field: will be the value of the first packet in the flow

� Plus

Packet Long

Bytes

Bytes Long

Bytes Square Sum

Packet

Counters

sysUpTime First Packet

sysUpTime First Packet

Timestamp

Total Length Minimum

Total Length Maximum

TTL Minimum

TTL Maximum

IPv4


Flexible Flow Monitor Cache Types

� Three types of NetFlow caches are availableNormal

Similar to today’s NetFlow but active and inactive timers are more Flexible (e.g. Active timer of 1 second)

Immediate

1 second timer and no export delay

Flow accounts for 1 packet

Used for real-time traffic monitoring, DDoS detection, logging

Used for flow-records with packet sections or with large set of key fields

Permanent

A permanent flow cache can be used to track a set of flows over time without expiring the flows from the cache

The entire cache is periodically exported to the collector

After the cache is full flows will be dropped (size configurable)

Useful for accounting or security monitoring


Complete Permanent Flexible NetFlow Configuration Example

� Per DSCP accounting flow record definition:

Router(config)# flow record my-dscp-recordRouter(config-flow-record)# match ipv4 dscpRouter(config-flow-record)# match interface inputRouter(config-flow-record)# collect counter bytes longRouter(config-flow-record)# collect counter packets long

Router(config)# flow monitor my-dscp-monitorRouter(config-flow-record)# description dscp:bytes and packets Router(config-flow-record)# record my-dscp-recordRouter(config-flow-record)# cache type permanentRouter(config-flow-record)# cache entries 256

Router(config)# interface GigabitEthernet 0/1Router(config)# ip flow monitor my-dscp-monitor input

� This would replace “IP accounting precedence”

64 Bit Counter


Flexible NetFlow Activation on Interface

� Deterministic or random is available

Router(config-if)# ip flow monitor <monitor-name>[sampler <sampler-name>][input | output]

Send the “sampler-table”Option

Router(config)# sampler <sampler-name> mode [deterministic | random] <value N> out-of <value M>

For the Input or Output Traffic.Does Not Determine the Flow Key


Flow Exporters

� Flow export to collectors is defined using a Flow Exporter

� Each Flow monitor can use multiple flow exporters (export to many NetFlow Collectors) simultaneously

� Flow exporters can use different reliable and un-reliable transport protocols: UDP SCTP Flow exporters

� Different export protocols (v9 and IPFIX)

� Flow exporters are QOS aware and can be prioritized unlike today’s NetFlow


flow monitor <monitor-name>record <record-name>exporter <exporter-name>cache type {normal | immediate | permanent}cache entries <number-of-entries>cache timeout {active | inactive | update} <value-in-sec>statistics packet protocolstatistics packet size

Flexible Monitor Configuration

Collect Size Distribution Statistics

Collect Protocol Distribution Statistics

3 Types of Cache:See Next Slides

Potentially Multiple


Packet Section Fields

� Contiguous chunk of a packet of a user configurable size, used as a key or a non-key field

� Sections used for detailed traffic monitoring, DDoS attack investigation, worm detection, other security applications

� Chunk defined as flow key, should be used in sampled mode with immediate aging cache

� Starts at the beginning of the IPv4 header

� Immediately follows the IPv4 header

collect or match ipv4 payload <size in bytes>

collect or match ipv4 header <size in bytes>


Flexible NetFlow status

� Flexible NetFlow is FCS

� Flexible NetFlow is available in 12.4(9)T

Cisco 800, 1800, 2800, 3800, 7200 and 7301 Series

� Flexible NetFlow phase I provide :Multiple User Defined Caches

Complete IPv4 Header Info

UDP/Packet Section Exporters

Persistent Caches

Ingress/Egress Support

Common CLI

Sampled NetFlow


Flexible NetFlow Evolution

� Flexible NetFlow introduced on 7304 (12.2(31)SB2)

� Flexible NetFlow to be introduced on GSR (12.0(33)S)Engine 3 and Engine 5

� Flexible NetFlow IPv6 will be added in 12.4(7th)T

� Candidate Features for 12.5(2th)TQOS Output feature for FNF Exporter

IP Multicast traffic

NetFlow v5 Export

TopNTalkers

Input Filters/MQC Integration

� Radar FeaturesNBAR Integration, IPFIX support



Backup Slides


Cisco NetFlow Feature Overview

FeaturesCategory

�NetFlow Router Based Aggregation (v8/v9) �Origin and Peer AS�Bridged NetFlow�MAC Address Export�Egress NetFlow Accounting

Accounting

�Random Sampled NetFlow�Random and Time-based Flow Sampled NetFlow�BGP Next Hop NetFlow�Export Filters�Dual Export

Network Analysis & Capacity Planning

�NetFlow Export Versions 1, 5, 7, 8�Version 9 - latest Flexible and Extensible format

Export Formats


�NetFlow MIB and Top Talkers�Input filters�Security Exports (IPv4 Header)�Dynamic Top Talkers CLI

Security Monitoring

FeaturesCategory

�NetFlow Version 9 – basis for IPFIX WG Export format �Version 9 - RFC 3954�Reliable Export with SCTP�IPFIX Export standard for Packet Sampling WG (PSAMP)

Standard

Cisco NetFlow Feature Overview (2)


�Multicast NetFlowMulticast

FeaturesCategory

�IPv6 NetFlowIPv6

�MPLS Egress NetFlow�MPLS Aware NetFlow�MPLS Information Export (LFIB)�MPLS Aggregation (EXP, BGP-NH, Egress I/F)

MPLS

Cisco NetFlow Feature Overview (3)


NetFlow-Platform Export Feature Comparison (1)

Available Now Not Available Roadmap

Mac Address

Security Exports

VRF Destination

Dual Export

Version 5

Vlan Export

Version 8

Reliable Export

C4500

Version 9

CRSC10000C12000C7600C6500SoftwareFeature

12.3(14)T

12.4(4)T

12.3(4)T

12.2(1st)SRB12.2(1st)SXH12.3(14)T

12.0(26)S312.4(4)T

12.1(19)EW12.2(15)BX12.2(17d)SXB12.2(17d)SXB12.2(2)T

3.212.2(31)SB12.0(24)S12.2(18)SXF12.2(18)SXF12.3

12.1(19)EW12.0(19)SL12.0(6)S12.2(14)SX12.2(14)SX12.0(3)T

12.1(13)EW12.0(19)SL12.0(14)S12.1(2)E12.1(2)E12.0(1)


NetFlow - Platform Feature Comparison (2)

TCP Flags

NetFlow MIB with Top Talker

IFIndex to Name Map

Export Filters

Forwarding Status

Egress/Output NetFlow

Bridged NF

Input Filters

C4500

Dynamic Top Talker CLI



12.4(4)T

YesYesYesYes

YesYesYesYes

YesYes

12.3(4)T

12.2(25)EW12.2(18)SXE112.2(18)SXE1

3.212.2(31)SB12.0(10)ST12.3(11)T

12.3(4)T

12.2(1st)SRB12.2(1st)SXH12.3(7)T


NetFlow - Platform Feature Comparison (3)

Per Interface

TOS Support

MPLS Label Export

MPLS Aggregation

MPLS Egress

MPLS Aware

Min Prefix Aggr.

Flow Sampling

C4500

Packet Sampling

BGP Next Hop

Multicast

IPv6



12.2(31)SB

12.2(1st)SRB12.2SB

12.0(24)S12.3(8)T

3.2Output12.2(2)T

YesYes12.1(2)T

12.1(13)E12.1(13)E

12.2(31)SB12.0(11)S12.3(2)T

3.2YesYes12.2(17b)SXA12.2(17b)SXAYes

3.212.2(15)BXNo Sub12.2(1st)SRB12.2(1st)SXHYes

12.2(31)SB12.0(26)S12.2(33)SRA12.2(18)SXF12.3

3.212.2(18)SXF12.2(18)SXF12.3

12.2(1st)SRB12.2(1st)SXH12.3(7)T


Flexible NetFlow - Platform Feature Comparison

IPv6 Unicast

IPv4 Multicast

L2 FNF

MPLS FNF

Dyn. TopNTalkers

C4500

IPv6 Multicast

NetFlow v5 Export

NetFlow v9 Export

IPv4 Unicast



12.0(33)S

HalfDome12.5(2st)T

HalfDome12.5(2st)T

HalfDome12.5(2st)T

HalfDome12.4(13)T

HalfDome12.5(2st)T

HalfDome12.4(9)T

12.0(33)SHalfDome12.4(9)T

Documents

NetFlow Introduction to Flexible NetFlowfoxclan69.free.fr/eBook/Cisco/Cisco_Expo_2007/03... · Cisco Catalyst 6500; Cisco 7600 Series ASIC Cisco 10000 Series ASIC Cisco 12000 Series