1 / 30

Practical use of Netflow technology

Practical use of Netflow technology. Ivan Ivanovic, RCUB/AMRES Géant3, Skopje, September 2011. Content. Netflow technology Configuration of netflow Data duplication Timers Data aggregation How to solve L2 problem Netflow probes Future of netflow Case study.

anka
Download Presentation

Practical use of Netflow technology

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Practical use of Netflow technology Ivan Ivanovic, RCUB/AMRES Géant3, Skopje, September 2011.

  2. Content Netflow technology Configuration of netflow Data duplication Timers Data aggregation How to solve L2 problem Netflow probes Future of netflow Case study

  3. Netflow Technology – Terminology What is flow? Src/dst IP Src/dst ports Protocol QoS Total bytes, packets, fllows BGP src/dst AS Exporter ip In/out ports Timestamp …. …. Flow NetFlow statistic Router (Exporter)

  4. Netflow Technology – Overview • Developed by Cisco • IETF standardization – IPFIX. • Netflow V5 and V9 are commonly used. • By default provide us information on the higher levels (L3-L4). • IPFIX (netflow V9) – Also called flexible netflow. • Netflow V9 has support for mpls, mac and IPV6… • In AMRES netflow is only protocol used for IPV6 monitoring. • Other vendors also support netflow protocol (netstream, jflow…). • Less than 1% of total traffic in network

  5. How to start NetFlow data collection? • Most of the routers that are forwarding packets “in software” support NetFlow protocol. • Some of the switches support NetFlow protocol (Require specialized hardware) • Two groups of dvices regarding NetFlow configuration • Global control (older devices, in direction is commonly used) • Per interface control (newer devices, in or out direction can be used) • Globaly controlled allows statistic collecton only on all interfaces in one direction (commonly in/ingress) • Per interface control allows statistic collecton on the interface in in/ingress or out/egress direction.

  6. NetFlow data duplication - Ingrees direction Host A NetFlow Collector

  7. NetFlow data duplication - Ingrees direction Host A

  8. Netflow data duplication - Ingrees direction Gi0/3 Gi0/2 Gi0/1 Gi0/1 Host A

  9. Netflow data duplication - Ingrees direction

  10. Netflow data duplication - Solution • Problem can be solved if device can control collection of netflow statistic per interface. • Using Ingress/Egress commands we can control collection of netflow statistic. • Some of the applications that collect netflow statistic have capabilities to automatically detect duplicated netflow statistic using combination of exported fields (src ip, dst ip , src port, dst port, protocol, QoS). • Applications (collectors) that support filtering based on static netflow fields provide very good solution against data duplication. • ICmyNet.Flow - http://netflow.rcub.bg.ac.rs

  11. Netflow data duplication - Solution • Don’t use netflow statistic that has exporter ip address of device R2 and ingress interface Gi0/1 of device R2! Ignore this statistic Use this statistic Gi0/1 Gi0/1 Host A Host B

  12. Netflow data duplication - Solution • Don’t use netlfow statistic that has exporter ip address of device R1 and in interface Gi0/1 of device R1! Ignore this statistic Use this statistic Gi0/1 Gi0/1 Host A Host B

  13. Netflow Timers and Aggregation -Timestamp problem

  14. Netflow Timers and Aggregation • Most people don't use them. • Some of the applications for netflow collection doesn't use timestamp fields in exported statistic. • Reasons for that are large amount of netflow data, solution is data aggregation. • Benefits of using aggregation are small databases and fast applications. • Shortcomings of using aggregation is lack of detail information. • What are netflow timers (aging)? • E.g. Cisco • Normal • Long • Fast (threshold ~100packets)

  15. Netflow Timers – Long aging • Receiving application is using 5 minute aggregation

  16. Netflow Timers – Fast aging(If your application can detect attack!)

  17. Netflow timers • Exporter is collecting netflow statistic in local memory. • When memory table gets overloaded exporter ages out all flows in the memory. Then exporter sends all information to the collector and clears local memory • Special situation can cause memory overload: • Ping sweep • DNS lookups • Exporter can easily detect end of flows that use connection oriented protocol. • Exporter can only assume when flow, that use connectionless protocol, ended. • Memory overloading can have influence to the exporter behavior. • Using timers is the only way to age out some flows!

  18. Netflow Probes • Very useful tool! • Lot of useful information can be found on the web page of the Swiss academic network • http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html • What is netflow probe? • How to use it? • Where to use it? • What do I get? • What do I lose?

  19. Netflow Probe - L2 segment of the network! • L2 switches usually do not support netflow protocol. • L2 switches usually support port mirroring (SPAN)! • E.g. softflowd • http://www.mindrot.org/projects/softflowd/ • http://code.google.com/p/softflowd/

  20. Netflow Probe – Port mirroring • Extra server (desktop pc). • Two Nic cards. • Two ports on the switch. eth1 eth0

  21. Netflow Probe – Port mirroring • Institutions on the L2 segment.

  22. Netflow Probe – Virtualization • Tested on Citrix XenServer • Older version of VmWare (3.5) support netflow protocol. eth0 eth0 eth0 eth0

  23. AMRES configuration

  24. Future of netflow • More and more netflow fields are becoming popular • Cisco is already using netflow to gather statistic about media traffic (Medianet) • Information’s like jitter, packet delay, packet loss could be also exported via netflow.

  25. Problem analysis – example I

  26. Problem analysis – example I

  27. Problem analysis – example II

  28. Problem analysis – example II

  29. Problem analysis – example II

  30. END

More Related