1 / 38

Product Introduction

Catapult NetFlow Probe. Product Introduction. Agenda. Why NetFlow ... What is an IP Flow and how is it managed NetFlow versions What you can do with NetFlow information ... Catapult Probe Product Overview Base technology Integration into Network Architecture Performance

nedaa
Download Presentation

Product Introduction

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Catapult NetFlow Probe Product Introduction

  2. Agenda • Why NetFlow ... • What is an IP Flow and how is it managed • NetFlow versions • What you can do with NetFlow information ... • Catapult Probe Product Overview • Base technology • Integration into Network Architecture • Performance • Manageability and High Availability • Catapult Probe portfolio

  3. What is a flow? A flow is a uni-directional description of the packet stream (“uni-directional conversation”). It is defined by seven unique keys: • Source IP address • Destination IP address • Source port • Destination port • Layer 3 protocol type • Type of Service • Interface Index

  4. When: • Session is finished (RST or FIN TCP Flag) - Inactivity timer expired [nProbe/nBox default: 30s] - Active timer expired (flow too long) [nProbe/nBox default: 120s ] • theprobe marks the flow asclosed and ... Timer How Flow Management Works(1/2) A flow is stateful, meaning that the probe (or any netflow agent like a router) maintains counters for it whilst it is active. Probe (NetFlow agent)

  5. ... once a flow is closed the router can generate aflow-export record, which hassummary information about the session (e.g. how many packets were sent, whothe source was, what the destination was and what the application was). NetFlow Collector UDP Flow Export Record Once the flow-export record has been transmitted by the probe, it can removethe flow entry from it's memory (table) to make space for new ones. How Flow Management Works (2/2) Probe (NetFlow agent)

  6. Why NetFlow ? • NetFlow is the primary traffic flow-based monitoring and network accounting technologyin the industry • NetFlow answers questions regarding IP traffic: who, what, where, when, and how • Standard de-facto for flow analysis • Developed by Darren Kerr and Barry Bruins at Cisco Systems in 1996 • Available in different versions since ‘96, from v1 for IP traffic up to v9 to assure full flexibility and extensibility of multiprotocol flow analysis

  7. Agenda • Why NetFlow ... • What is an IP Flow and how is it managed • NetFlow versions • What you can do with NetFlow information ... • Catapult Probe Product Overview • Base technology • Integration into Network Architecture • Performance • Manageability and High Availability • Catapult Probe portfolio

  8. NetFlow Versions Supported by Catapult Probe (*) Probe supports aggregation also with v5 (IP Address, Port, Protocol, IP Address + Protocol).

  9. NetFlow Version 5 – Flow Entry • Time of Day: • Start time of flow • End time of flow • From/To: • Source IP Address • Destination IP Address • Application: • Source Port • Destination Port • QoS: • IP protocol • Type of Service • Usage • Packet Count • Byte Count • Routing / Peering: • Source AS number • Dest. AS number • Next-Hop IP address • ...

  10. NetFlow v9 – Flow Entry Options %FIRST_SWITCHED %LAST_SWITCHED %IPV6_SRC_ADDR %IPV6_DST_ADDR %ICMP_TYPE %SAMPLING_INTERVAL %SAMPLING_ALGORITHM %FLOW_ACTIVE_TIMEOUT %FLOW_INACTIVE_TIMEOUT %ENGINE_TYPE %ENGINE_ID %TOTAL_BYTES_EXP %TOTAL_PKTS_EXP %TOTAL_FLOWS_EXP %IP_PROTOCOL_VERSION %DIRECTION %MPLS_LABEL_1 %BYTES %PKTS %FLOWS %PROT %TOS %TCP_FLAGS %L4_SRC_PORT %IP_SRC_ADDR %SRC_MASK %INPUT_SNMP %L4_DST_PORT %IP_DST_ADDR %DST_MASK %OUTPUT_SNMP %IP_NEXT_HOP %SRC_AS %DST_AS %MPLS_LABEL_2 %MPLS_LABEL_3 %MPLS_LABEL_4 ... %MPLS_LABEL_10 %SRC_MAC %DST_MAC %VLAN_TAG %FRAGMENTED %FINGERPRINT %VLAN_TAG %NW_LATENCY_SEC %NW_LATENCY_NSEC %APPL_LATENCY_SEC %APPL_LATENCY_NSEC %PAYLOAD

  11. Agenda • Why NetFlow ... • What is an IP Flow and how is it managed • NetFlow versions • What you can do with NetFlow information ... • Catapult Probe Product Overview • Base technology • Integration into Network Architecture • Performance • Manageability and High Availability • Catapult Probe portfolio

  12. NetFlow benefits Service Provider Enterprise • Accounting & Billing • Traffic Monitoring • Security Monitoring • SLA Analysis & Reporting • Traffic Engineering • Capacity Planning • Traffic Interception • Network utilization • Internet access monitoring • User Monitoring • Application Monitoring • Internal cost distribution for departments • Security Monitoring • Network utilization

  13. Accounting & Billing • Current billing policies are: • Flat-rate billing, simple and basic. No opportunity to differentiate for applications, bandwidth utilization, direction (e.g. local network/national/international), ... • Usage-based billing: competitive pricing models can be created and customized • Usage-based billing considerations • Time of day • Within or outside of the network • Application • Distance-based • Quality of Service (QoS) / Class of Service (CoS) • Bandwidth usage • Transit or peer • Data transferred • Full documentation about each conversation (flows) as for traditional telephone services

  14. Traffic Monitoring & Network Utilization • Monitoring Network (& Applications) • Top Applications • Traffic distribution • Bandwidth x application • Typical pattern of usage between sites • Network / Application Latency • Monitoring Users • Users on the network at a given time • How long users spend connected to the network • Where Internet sites do they use? • User usage patterns • Peer-to-Peer traffic (WinMX, Morpheus, Gnutella, Kazaa, ...) • Aggregation • Summary of traffic information for Autonomous System, Protocols, Source or Destination subnets, etc.

  15. Security Monitoring - Anomaly detection • Top volume flows • Atypical traffic distribution • Host fingerprints • Monitoring Top Applications and related users - DoS-Attack detection • Identify source of attack • Alarm DOS attacks like smurf, fraggle, and SYN flood • Suggest access-list/filters on Edge or Internet Peering - Input for specific DoS-Attack Detection or security tools

  16. SLA Monitoring and Reporting - Service Level Agreement • Bandwidth per-connection/circuit • Network Latency • Application Latency • Quality of Service measurements • End-to-end traffic flows • Minimum/Peak bps • per user • per application • per conversation - Traffic documentation • Each conversation/flow is reported with full information about dates, traffic, directions, etc, (e.g. normal telephone service bill we are usual to get)

  17. Interception / Traffic Documentation - Splitter/Network TAP can be included in network links to allow passive and trasparent monitor of traffic flows • NetFlow v9 extensions by nMon.net includes payload information (full/partial) • ‘Selected’/’Filtered’ users or applications or conversations may be processed as flow • NetFlow data may be sent to Interception Systems for evaluations - Traffic documentation • Each conversation/flow is reported with full information about dates, traffic, directions, .. • Easy way to find destinations or applications on a per-user basis

  18. Capacity Planning & Traffic Engineering • Key areas to monitor for capacity planning • Top user and Top applications consuming bandwidth • Traffic distribution and direction of flows • Network traffic analysis by application • Network utilization and capacity • Traffic distribution between peerings • Link and bandwidth inventory • Routing and Peering information (v5/v9) • Source and Destination AS number • Advanced monitoring via NetFlow v9 • MPLS, Multicast, IPv6 • Aggregation • Summary of traffic information for Autonomous System, Protocols, Source or Destination subnets, etc.

  19. Others • Departmental chargeback / Cost Distribution • Distribute ‘cost’ for Internet connection to different internal departments • Network traffic analysis by application on per-department basis • CoS Measurements • Confirm appropriate bandwidth has been allocated to each Class of Service • Verify that no CoS is over- or under-subscribed • Network Latency and Application Latency measurements with v9

  20. Agenda • Why NetFlow ... • What is an IP Flow and how is it managed • NetFlow versions • What you can do with NetFlow information ... • Catapult Probe Product Overview • Base technology • Integration into Network Architectures • Performance • Manageability and High Availability • Catapult Probe portfolio

  21. Catapult Probe – Main Points • Capture rate at wire-speed on Gigabit Ethernet • nCap technology (network card drivers/firmware to Monitoring applications, no CPU involved) • Hardware acceleration in 2-port models • Analysis (NetFlow, IPFIX) at high speed • Software & RAM ... • Support for IPv4, IPv6 and MPLS. • Optimization for NetFlow v5, with and without aggregation, and v9. • 1U Rack unit version • Tested and fully interoperable with main NetFlow Collectors in the market including Cisco FlowCollector, HP, etc.

  22. Network Integration (1/2) • Catapult Probe captures traffic from: • Span/Mirror port (router, switch) • Network Tap/Splitter or even Hub (UTP or Fiber) Probe

  23. Inside Outside Inside Outside Cisco (Span port) Extreme (Mirror port) Inside Outside Juniper (PortMirror) Network Integration (2/2) • Catapult Probe captures traffic from: • Span/Mirror port (router, switch) • Network Tap/Splitter or even Hub (UTP or Fiber)

  24. Agenda • Why NetFlow ... • What is an IP Flow and how is it managed • NetFlow versions • What you can do with NetFlow information ... • Catapult Probe Product Overview • Base technology • Integration into Network Architecture • Performance • Manageability and High Availability • Catapult Probe portfolio

  25. Catapult Probe - Performance • Capture (Mpps): • NP-1410 (Accelerated Probe) reaches 3Mpps on Gigabit Ethernet (independent of packet size) • NetFlow Analysis (Flow per second) • depends from type/nature of traffic, aggregation (and Flow-template for NetFlow v9). • typical environment performance: 75k-200k Flows per second (conservative data). • important to evaluate capacity of Flow Collectors to receive and manage a large number of flows/s

  26. Flow Collection Optimization(1/2) • The main argument in evaluating a scalable NetFlow Accounting solution is the capacity of Flow Collector (Cisco, HP, InfoVista, ...) • Some of the special features provided by Catapult Probe to minimize impact and efforts on the Flow Collector side are: • Multiple Collectors • Catapult Probe can be configured to send flows to multiple collectors in round-robin (split load between different Collectors) or redirector (replication to multiple redundant Collectors) • Flow Export Delay • Some collectors cannot keep up with Catapult Probe speed. This feature allows flow export to be slow down by waiting a short delay (ms) between two consecutive exports towards the same Collector. • Minimum TCP size • Peer-to-peer applications, attacks or misconfigured applications often generate a lot of tiny TCP flows that can cause significant load on the Collector side. It’s possible to configure Catapult Probe to not emit such flows (note: that’s only for TCP while UDP, ICMP and other protocols are not affected)

  27. Flow Collection Optimization(2/2) • Minimum number of flows per netflow packet • In order to minimize the number of emitted packets containing flows, it can be specified the minimum number of flows that need to be contained in a netflow packet towards the Collector(s). • Sampling rate • Catapult Probe usually capture all packets for calculating flows. In some situations (e.g. cost distribution / sharing, heavy DoS Attack condition) it’s not needed to work with all packets but could be enough a sampling rate (number of packets to be discarded before two packets used to produce flows) • Packet Capture Filter • Filtering to allow Catapult Probe to take into account only those packet that match the filter. The list of filter expression primitives can be found in product documentation, 30+ primitives such as source-address, dest-address, ports, protocols, packet size (less than/greater than), ... see next slide • Export Flow Filtering and Aggregation • The probe can manage aggregation (netflow v5, v9) or even a Flow Export Filtering in order to export only flows with IP addresses in certain ranges, while all the other are aggregated as 0.0.0.0

  28. Packet Capture Filter • These are the main conditions (primitives) that is possible to apply in order to filter packet capture: • IP Host/Subnet • IP Destination Host/Subnet • IP Source Host/Subnet • MAC Host • MAC Destination Host • MAC Source Host • Port • Source Port • Destination Port • Packet Length • Protocol • Multicast • Broadcast • ... • Primitives may be combined using: • Negation (`!' or `not'). • Concatenation (`&&' or `and'). • Alternation (`||' or `or').

  29. Agenda • Why NetFlow ... • What is an IP Flow and how is it managed • NetFlow versions • What you can do with NetFlow information ... • Catapult Probe Product Overview • Base technology • Integration into Network Architecture • Performance • Manageability and High Availability • Catapult Probe portfolio

  30. Single Catapult Probe solution (via Tap) • Multi Catapult Probe solution (Regeneration Tap) High Availability via a dedicated ethernet link HA & Redundancy (1/2) Probe Same results even with a single-port tap and an external hub (shared): Probe Probe Probe Probe

  31. HA & Redundancy (2/2) Not only network monitoring… Probe

  32. Catapult Probe: Manageability • Access: • Console • Telnet • SSH • EmbeddedWeb Interface • http/https • SNMP • SNMPv1 • SNMPv2c • SNMPv3 • Syslog

  33. NetFlow Collector vendors (examples) Billing Traffic Analysis Denial of Service Collection Flow-Tools

  34. Open Source NetFlow Collector nTop • Network Monitoring application • IPv4/v6 • NetFlow (v5/7/9) • sFlow (v2/v4/v5) • 7 years of experience • Customized/Contributions from people in 10+ countries all around the world • Thousands of users across the world • Available for: BSD, Linux, Windows, MacOS X, Solaris.

  35. Agenda • Why NetFlow ... • What is an IP Flow and how is it managed • NetFlow versions • What you can do with NetFlow information ... • Catapult Probe Product Overview • Base technology • Integration into Network Architecture • Performance • Manageability and High Availability • Catapult Probe portfolio

  36. Probe Portfolio Catapult NetFlow Probe • High-performance Gigabit NetFlow v5/v9/IPFIX probe • Standard (1-port) and Accelerated (2-port) models • Over 75,000 flows per second in base model • Capture >1 million packets/sec in standard model • Up to 3 million packets/sec in accelerated model • Supports IPv4,IPv6 and MPLS traffic • VoIP (SIP and RTP) traffic analysis • Easy customization and extensions • Full flow capture or sampling models • Export flow filtering and buffering to manage collector loading • Multiple Collector mode for load balancing or redundancy • Management Access via Embedded Web GUI, Console, Telnet, SSH, SNMP or Syslog • Fully interoperable with commercial NetFlow collectors from all major vendors Applications

  37. Catapult Probe - Unique Features • Capture • Wire-speed capture (nCap technology – no CPU). • Analysis • NetFlow v5, v9, Row Data (file) • software & RAM, Differentiation between HC,MC,LC • up to 50k+ Flows per second • Support of IPv4, IPv6 (NetFlow v9 only), MPLS • NetFlow v9 extensions: • Application Latency, Network Latency, First payload packets (good to identify P2P traffic), Host fingerprints • NetFlow v9: extensive flow template support • Easy customization and extensions – nCap technology is independent from monitoring applications • Support of IPFIX (draft 3) over SCTP/TCP/UDP.

  38. Catapult NetFlow Probe Thank You

More Related