© 2007 nPulse Network Systems LLC, www.npulsenetworks.com

Product Introduction

Catapult NetFlow Probe

Agenda

• Why NetFlow ...
  – What is an IP Flow and how is it managed
  – NetFlow versions
  – What you can do with NetFlow information ...
• Catapult Probe Product Overview
  – Base technology
  – Integration into Network Architecture
  – Performance
  – Manageability and High Availability
• Catapult Probe portfolio

What is a flow?

A flow is a uni-directional description of the packet stream (“uni-directional conversation”).

It is defined by seven unique keys:

• Source IP address
• Destination IP address
• Source port
• Destination port
• Layer 3 protocol type
• Type of Service
• Interface Index

How Flow Management Works (1/2)

Flow table held by the probe (NetFlow agent):

If   Source           Destination      Proto  Port   TOS  Pkts  Octets  Timer
Ge0  192.168.175.143  172.20.15.23     TCP    43060  0    84    4564    11
Ge0  192.168.175.143  172.20.15.23     TCP    43061  0    43    2567    57
Ge0  192.168.175.143  172.20.15.23     TCP    43067  0    1     45      24
Ge0  172.20.15.23     192.168.175.143  TCP    23     0    13    745     13

A flow is stateful, meaning that the probe (or any NetFlow agent like a router) maintains counters for it whilst it is active.

When:

- the session is finished (RST or FIN TCP flag),
- the inactivity timer has expired [nProbe/nBox default: 30s], or
- the active timer has expired (flow too long) [nProbe/nBox default: 120s]

the probe marks the flow as closed and ...

How Flow Management Works (2/2)

[Same flow table as on the previous slide, held by the probe (NetFlow agent)]

... once a flow is closed the router can generate a flow-export record, which has summary information about the session (e.g. how many packets were sent, who the source was, what the destination was and what the application was).

Once the flow-export record has been transmitted by the probe, it can remove the flow entry from its memory (table) to make space for new ones.

Flow Export Record --(UDP)--> NetFlow Collector
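The flow-table behaviour described on the two slides above, as an added example (not code from the original deck or from nPulse): a small Python flow cache keyed on the seven fields, closing a flow on FIN/RST, on the 30 s inactivity timer and on the 120 s active timer (the nProbe/nBox defaults quoted on the slide), and emitting one summary record per closed flow before freeing the table slot. The `FlowCache` class, its field names and the packet stream inside `demo()` are this example's own; the addresses and ports are taken from the slide's telnet table.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Timer defaults quoted on the slide (nProbe/nBox): 30 s inactive, 120 s active.
INACTIVE_TIMEOUT = 30.0
ACTIVE_TIMEOUT = 120.0

TCP = 6
TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04

# The seven keys from the "What is a flow?" slide:
# (src addr, dst addr, src port, dst port, protocol, ToS, input interface)
FlowKey = Tuple[str, str, int, int, int, int, str]


@dataclass
class FlowEntry:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0


@dataclass
class ExportRecord:
    """Summary emitted once a flow is closed; the table entry is dropped afterwards."""
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int
    octets: int
    tcp_flags: int
    reason: str


class FlowCache:
    """Stateful, uni-directional flow table: one entry per 7-tuple key (hypothetical class)."""

    def __init__(self, inactive: float = INACTIVE_TIMEOUT, active: float = ACTIVE_TIMEOUT):
        self.inactive = inactive
        self.active = active
        self.table: Dict[FlowKey, FlowEntry] = {}
        self.exported: List[ExportRecord] = []

    def observe(self, ts: float, src: str, dst: str, sport: int, dport: int,
                proto: int, tos: int, ifindex: str, length: int, tcp_flags: int = 0) -> None:
        """Account one packet to its flow, creating the entry if needed."""
        self.expire(ts)  # timers are checked against the arrival time of this packet
        key = (src, dst, sport, dport, proto, tos, ifindex)
        entry = self.table.get(key)
        if entry is None:
            entry = FlowEntry(key, first_seen=ts, last_seen=ts)
            self.table[key] = entry
        entry.last_seen = ts
        entry.packets += 1
        entry.octets += length
        entry.tcp_flags |= tcp_flags
        # Session end: a FIN or RST closes the flow right away.
        if proto == TCP and tcp_flags & (TCP_FIN | TCP_RST):
            self._close(key, "session-end")

    def expire(self, now: float) -> None:
        """Close flows whose inactivity or active timer has run out."""
        for key, entry in list(self.table.items()):
            if now - entry.last_seen > self.inactive:
                self._close(key, "inactive-timeout")
            elif now - entry.first_seen > self.active:
                self._close(key, "active-timeout")

    def _close(self, key: FlowKey, reason: str) -> None:
        e = self.table.pop(key)  # free the slot for new flows
        self.exported.append(ExportRecord(e.key, e.first_seen, e.last_seen,
                                          e.packets, e.octets, e.tcp_flags, reason))


def demo() -> FlowCache:
    """Constructed packet stream modelled on the slide's telnet flows."""
    cache = FlowCache()
    c, s = "192.168.175.143", "172.20.15.23"
    cache.observe(0.0, c, s, 43060, 23, TCP, 0, "Ge0", 60, TCP_SYN)
    cache.observe(1.0, c, s, 43060, 23, TCP, 0, "Ge0", 100)
    cache.observe(2.0, s, c, 23, 43060, TCP, 0, "Ge0", 80)            # reverse direction = its own flow
    cache.observe(50.0, c, s, 43061, 23, TCP, 0, "Ge0", 60, TCP_SYN)  # 48 s of silence: first two flows idle out
    cache.observe(51.0, c, s, 43061, 23, TCP, 0, "Ge0", 40, TCP_FIN)  # FIN closes the new flow immediately
    return cache


def demo_active_timeout() -> FlowCache:
    """A long-lived flow is cut at the active timer even though it never goes idle."""
    cache = FlowCache()
    for t in range(0, 140, 10):
        cache.observe(float(t), "10.0.0.1", "10.0.0.2", 1234, 80, TCP, 0, "Ge0", 100)
    return cache


if __name__ == "__main__":
    for rec in demo().exported:
        print(rec.reason, rec.key[:2], rec.packets, rec.octets)
```

Run it and the first two records leave on the inactivity timer with their packet and byte counters, the third on the FIN; a collector only ever sees these summaries, never the packets, which is why the timer values matter for how quickly a short-lived session becomes visible.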

Why NetFlow?

• NetFlow is the primary traffic flow-based monitoring and network accounting technology in the industry
• NetFlow answers questions regarding IP traffic: who, what, where, when, and how
• De-facto standard for flow analysis
• Developed by Darren Kerr and Barry Bruins at Cisco Systems in 1996
• Available in different versions since ‘96, from v1 for IP traffic up to v9 to assure full flexibility and extensibility of multiprotocol flow analysis


NetFlow Versions

NetFlow Version  Comments
1                Original
5                Standard and most common
7                Cisco-specific version for Catalyst (similar to v5)
8                Choice of aggregation schemes in order to reduce resource usage (*)
9                Flexible, extensible file export format to enable easier support of additional fields & technologies such as MPLS and IPv6

(*) Probe supports aggregation also with v5 (IP Address, Port, Protocol, IP Address + Protocol).

Supported by Catapult Probe

NetFlow Version 5 – Flow Entry

• Time of Day:
  – Start time of flow
  – End time of flow
• From/To:
  – Source IP Address
  – Destination IP Address
• Application:
  – Source Port
  – Destination Port
• QoS:
  – IP protocol
  – Type of Service
• Usage:
  – Packet Count
  – Byte Count
• Routing / Peering:
  – Source AS number
  – Dest. AS number
  – Next-Hop IP address
  – ...
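The v5 flow entry above is a fixed 48-byte record behind a 24-byte header, so a collector can decode it with nothing more than `struct`. The following is an added example (not code from the deck or from nPulse) of such a decoder: `parse_v5` checks the announced record count against the datagram length before unpacking, so a short or malformed UDP payload raises `ValueError` rather than crashing the collector, and `build_v5` plus `sample_datagram` construct the test input from two rows of the earlier flow-table slide. Function names and the dict keys are this example's own; the wire layout is the public NetFlow v5 format.

```python
import struct
from ipaddress import IPv4Address
from typing import Any, Dict, List

# NetFlow v5 wire layout (network byte order): 24-byte header, then up to 30 fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30
V5_VERSION = 5

_RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                  "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                  "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def parse_v5(datagram: bytes) -> Dict[str, Any]:
    """Decode one NetFlow v5 UDP payload into a header dict and a list of record dicts.

    Lengths are validated before every unpack so a truncated or forged datagram is
    rejected with ValueError instead of an index error deep inside the collector.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError(f"datagram too short for a v5 header: {len(datagram)} bytes")
    (version, count, uptime, unix_secs, unix_nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != V5_VERSION:
        raise ValueError(f"not NetFlow v5: version field is {version}")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds the v5 maximum of {V5_MAX_RECORDS}")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < needed:
        raise ValueError(f"truncated datagram: header announces {count} records "
                         f"({needed} bytes) but only {len(datagram)} bytes present")

    header = {
        "version": version, "count": count, "sys_uptime_ms": uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs, "flow_sequence": seq,
        "engine_type": engine_type, "engine_id": engine_id,
        # top two bits: sampling mode; low 14 bits: sampling interval
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    records: List[Dict[str, Any]] = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        raw = dict(zip(_RECORD_FIELDS, V5_RECORD.unpack_from(datagram, off)))
        records.append({
            "src": str(IPv4Address(raw["srcaddr"])), "dst": str(IPv4Address(raw["dstaddr"])),
            "next_hop": str(IPv4Address(raw["nexthop"])),
            "input_if": raw["input"], "output_if": raw["output"],
            "packets": raw["dPkts"], "octets": raw["dOctets"],
            "first_ms": raw["first"], "last_ms": raw["last"],   # sys-uptime at first/last packet
            "sport": raw["srcport"], "dport": raw["dstport"],
            "tcp_flags": raw["tcp_flags"], "proto": raw["prot"], "tos": raw["tos"],
            "src_as": raw["src_as"], "dst_as": raw["dst_as"],
            "src_mask": raw["src_mask"], "dst_mask": raw["dst_mask"],
        })
    return {"header": header, "records": records}


def build_v5(records: List[Dict[str, Any]], seq: int = 0, uptime_ms: int = 100_000,
             unix_secs: int = 1_180_000_000) -> bytes:
    """Encode records (same keys as parse_v5 emits) into a v5 datagram; used here to build test input."""
    if len(records) > V5_MAX_RECORDS:
        raise ValueError("a v5 datagram carries at most 30 records")
    out = bytearray(V5_HEADER.pack(V5_VERSION, len(records), uptime_ms, unix_secs, 0, seq, 0, 0, 0))
    for r in records:
        out += V5_RECORD.pack(
            IPv4Address(r["src"]).packed, IPv4Address(r["dst"]).packed, IPv4Address(r["next_hop"]).packed,
            r["input_if"], r["output_if"], r["packets"], r["octets"], r["first_ms"], r["last_ms"],
            r["sport"], r["dport"], 0, r["tcp_flags"], r["proto"], r["tos"],
            r["src_as"], r["dst_as"], r["src_mask"], r["dst_mask"], 0)
    return bytes(out)


def sample_datagram() -> bytes:
    """Constructed datagram holding two of the flows shown on the flow-table slide."""
    base = {"next_hop": "0.0.0.0", "input_if": 1, "output_if": 2, "first_ms": 90_000, "last_ms": 99_000,
            "tcp_flags": 0x1B, "proto": 6, "tos": 0, "src_as": 0, "dst_as": 0, "src_mask": 24, "dst_mask": 24}
    flows = [
        dict(base, src="192.168.175.143", dst="172.20.15.23", sport=43060, dport=23, packets=84, octets=4564),
        dict(base, src="172.20.15.23", dst="192.168.175.143", sport=23, dport=43060, packets=13, octets=745),
    ]
    return build_v5(flows, seq=1)


if __name__ == "__main__":
    for rec in parse_v5(sample_datagram())["records"]:
        print(rec["src"], rec["sport"], "->", rec["dst"], rec["dport"], rec["packets"], rec["octets"])
```

Because v5 is plain UDP with no authentication, a collector should bind to the probe's address only, treat `flow_sequence` gaps as a sign of loss or of an unexpected sender, and never trust `count` without the length check shown above.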

NetFlow v9 – Flow Entry Options

%BYTES %PKTS %FLOWS %PROT %TOS %TCP_FLAGS %L4_SRC_PORT %IP_SRC_ADDR %SRC_MASK %INPUT_SNMP %L4_DST_PORT %IP_DST_ADDR %DST_MASK %OUTPUT_SNMP %IP_NEXT_HOP %SRC_AS %DST_AS
%FIRST_SWITCHED %LAST_SWITCHED %IPV6_SRC_ADDR %IPV6_DST_ADDR %ICMP_TYPE %SAMPLING_INTERVAL %SAMPLING_ALGORITHM %FLOW_ACTIVE_TIMEOUT %FLOW_INACTIVE_TIMEOUT %ENGINE_TYPE %ENGINE_ID %TOTAL_BYTES_EXP %TOTAL_PKTS_EXP %TOTAL_FLOWS_EXP %IP_PROTOCOL_VERSION %DIRECTION %MPLS_LABEL_1
%MPLS_LABEL_2 %MPLS_LABEL_3 %MPLS_LABEL_4 ... %MPLS_LABEL_10 %SRC_MAC %DST_MAC %VLAN_TAG
%FRAGMENTED %FINGERPRINT %VLAN_TAG %NW_LATENCY_SEC %NW_LATENCY_NSEC %APPL_LATENCY_SEC %APPL_LATENCY_NSEC %PAYLOAD


NetFlow benefits

Service Provider:
• Accounting & Billing
• Traffic Monitoring
• Security Monitoring
• SLA Analysis & Reporting
• Traffic Engineering
• Capacity Planning
• Traffic Interception
• Network utilization

Enterprise:
• Internet access monitoring
• User Monitoring
• Application Monitoring
• Internal cost distribution for departments
• Security Monitoring
• Network utilization

Accounting & Billing

• Current billing policies are:
  – Flat-rate billing, simple and basic. No opportunity to differentiate for applications, bandwidth utilization, direction (e.g. local network/national/international), ...
  – Usage-based billing: competitive pricing models can be created and customized
• Usage-based billing considerations
  – Time of day
  – Within or outside of the network
  – Application
  – Distance-based
  – Quality of Service (QoS) / Class of Service (CoS)
  – Bandwidth usage
  – Transit or peer
  – Data transferred
• Full documentation about each conversation (flows), as for traditional telephone services

Traffic Monitoring & Network Utilization

• Monitoring Network (& Applications)
  – Top Applications
  – Traffic distribution
  – Bandwidth per application
  – Typical pattern of usage between sites
  – Network / Application Latency
• Monitoring Users
  – Users on the network at a given time
  – How long users spend connected to the network
  – Which Internet sites do they use?
  – User usage patterns
  – Peer-to-Peer traffic (WinMX, Morpheus, Gnutella, Kazaa, ...)
• Aggregation
  – Summary of traffic information for Autonomous System, Protocols, Source or Destination subnets, etc.

Security Monitoring

- Anomaly detection
  • Top volume flows
  • Atypical traffic distribution
  • Host fingerprints
  • Monitoring Top Applications and related users
- DoS-Attack detection
  • Identify source of attack
  • Alarm on DoS attacks like smurf, fraggle, and SYN flood
  • Suggest access-list/filters on Edge or Internet Peering
- Input for specific DoS-Attack Detection or security tools
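Two of the detections listed above, "Top volume flows" and SYN-flood alarms, run directly on exported flow records, since a flow whose TCP flags contain a SYN but never an ACK is a handshake that never completed. The following is an added example (not code from the deck or from nPulse) of that logic in Python over a constructed batch of records: `detect_syn_flood` groups tiny SYN-only TCP flows by destination and port and alerts when many of them arrive from many distinct sources, and `top_volume_flows` ranks flows by octets. The thresholds, function names and the record format are this example's own; the ordinary flows in `sample_flows()` reuse the addresses from the flow-table slide and the flood sources come from the TEST-NET-3 documentation range.

```python
from collections import defaultdict
from typing import Any, Dict, List

TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def syn_only(tcp_flags: int) -> bool:
    """True when the flow saw a SYN but never an ACK: the handshake never completed."""
    return tcp_flags & TCP_SYN != 0 and tcp_flags & TCP_ACK == 0


def top_volume_flows(flows: List[Dict[str, Any]], n: int = 5) -> List[Dict[str, Any]]:
    """'Top volume flows' from the slide: the n flows carrying the most octets."""
    return sorted(flows, key=lambda f: f["octets"], reverse=True)[:n]


def detect_syn_flood(flows: List[Dict[str, Any]], min_flows: int = 100,
                     min_sources: int = 50) -> List[Dict[str, Any]]:
    """Flag (dst, dport) pairs that collected many tiny, SYN-only TCP flows from many sources.

    Thresholds are this example's starting points; tune them to the link's normal rate.
    """
    per_target = defaultdict(lambda: {"flows": 0, "packets": 0, "sources": set()})
    for f in flows:
        if f["proto"] != TCP or f["packets"] > 2 or not syn_only(f["tcp_flags"]):
            continue
        t = per_target[(f["dst"], f["dport"])]
        t["flows"] += 1
        t["packets"] += f["packets"]
        t["sources"].add(f["src"])
    alerts = []
    for (dst, dport), t in per_target.items():
        if t["flows"] >= min_flows and len(t["sources"]) >= min_sources:
            alerts.append({"dst": dst, "dport": dport, "half_open_flows": t["flows"],
                           "distinct_sources": len(t["sources"]), "packets": t["packets"]})
    return sorted(alerts, key=lambda a: a["half_open_flows"], reverse=True)


def _flow(src, dst, sport, dport, proto, flags, packets, octets) -> Dict[str, Any]:
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "tcp_flags": flags, "packets": packets, "octets": octets}


def sample_flows() -> List[Dict[str, Any]]:
    """Constructed export records: ordinary sessions plus what a collector sees during a SYN flood."""
    flows = [
        _flow("192.168.175.143", "172.20.15.23", 43060, 23, TCP, 0x1B, 84, 4564),     # completed telnet session
        _flow("192.168.175.143", "172.20.15.23", 43061, 23, TCP, 0x1B, 43, 2567),
        _flow("192.168.175.143", "172.20.15.23", 43067, 23, TCP, TCP_SYN, 1, 45),     # one lone SYN: not an attack
        _flow("192.168.175.143", "10.1.1.9", 51000, 443, TCP, 0x1B, 900, 1_200_000),  # bulk download
        _flow("10.1.1.9", "192.168.175.143", 443, 51000, TCP, 0x1B, 600, 40_000),
    ]
    # 200 single-packet SYN-only flows from 200 different constructed sources to one server port
    for i in range(200):
        flows.append(_flow(f"203.0.113.{i}", "172.20.15.23", 1024 + i, 80, TCP, TCP_SYN, 1, 60))
    return flows


if __name__ == "__main__":
    for a in detect_syn_flood(sample_flows()):
        print(f"possible SYN flood on {a['dst']}:{a['dport']}: "
              f"{a['half_open_flows']} half-open flows from {a['distinct_sources']} sources")
```

The lone SYN on port 23 is below threshold and produces no alert, which is the point of requiring both a flow count and a source count: a single retrying client looks nothing like a flood. Note that sampling (discussed later in the deck) scales the counts down, so thresholds must be set relative to the sampling rate.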

SLA Monitoring and Reporting

- Service Level Agreement
  • Bandwidth per connection/circuit
  • Network Latency
  • Application Latency
  • Quality of Service measurements
  • End-to-end traffic flows
  • Minimum/Peak bps per user, per application, per conversation
- Traffic documentation
  • Each conversation/flow is reported with full information about dates, traffic, directions, etc. (like the itemized telephone bill we are used to getting)

Interception / Traffic Documentation

- A splitter/network TAP can be included in network links to allow passive and transparent monitoring of traffic flows
  • NetFlow v9 extensions by nMon.net include payload information (full/partial)
  • ‘Selected’/’Filtered’ users, applications or conversations may be processed as flows
  • NetFlow data may be sent to Interception Systems for evaluation
- Traffic documentation
  • Each conversation/flow is reported with full information about dates, traffic, directions, ...
  • Easy way to find destinations or applications on a per-user basis

Capacity Planning & Traffic Engineering

• Key areas to monitor for capacity planning
  – Top users and top applications consuming bandwidth
  – Traffic distribution and direction of flows
  – Network traffic analysis by application
• Network utilization and capacity
  – Traffic distribution between peerings
  – Link and bandwidth inventory
• Routing and Peering information (v5/v9)
  – Source and Destination AS number
• Advanced monitoring via NetFlow v9
  – MPLS, Multicast, IPv6
• Aggregation
  – Summary of traffic information for Autonomous System, Protocols, Source or Destination subnets, etc.


Others

• Departmental chargeback / Cost Distribution

– Distribute ‘cost’ for Internet connection to different internal departments

– Network traffic analysis by application on per-department basis

• CoS Measurements

– Confirm appropriate bandwidth has been allocated to each Class of Service

– Verify that no CoS is over- or under-subscribed

– Network Latency and Application Latency measurements with v9


Catapult Probe – Main Points

• Capture rate at wire-speed on Gigabit Ethernet
  – nCap technology (network card drivers/firmware straight to monitoring applications, no CPU involved)
  – Hardware acceleration in 2-port models
• Analysis (NetFlow, IPFIX) at high speed
  – Software & RAM ...
• Support for IPv4, IPv6 and MPLS.
• Optimization for NetFlow v5, with and without aggregation, and v9.
• 1U Rack unit version
• Tested and fully interoperable with the main NetFlow Collectors in the market including Cisco FlowCollector, HP, etc.

Network Integration (1/2)

• Catapult Probe captures traffic from:
  – Span/Mirror port (router, switch)
  – Network Tap/Splitter or even Hub (UTP or Fiber)

[Diagram: Probe attached to the monitored link]

Network Integration (2/2)

[Diagram: Probe fed from a Cisco (Span port), an Extreme (Mirror port) and a Juniper (PortMirror) device, each sitting between Inside and Outside]


Catapult Probe - Performance

• Capture (Mpps):
  – NP-1410 (Accelerated Probe) reaches 3 Mpps on Gigabit Ethernet (independent of packet size)
• NetFlow Analysis (flows per second):
  – depends on the type/nature of traffic and on aggregation (and on the flow template for NetFlow v9).
  – typical environment performance: 75k-200k flows per second (conservative data).
  – it is important to evaluate the capacity of the Flow Collectors to receive and manage a large number of flows/s

Flow Collection Optimization (1/2)

• The main argument in evaluating a scalable NetFlow accounting solution is the capacity of the Flow Collector (Cisco, HP, InfoVista, ...)
• Some of the special features provided by Catapult Probe to minimize impact and effort on the Flow Collector side are:
• Multiple Collectors
  Catapult Probe can be configured to send flows to multiple collectors in round-robin mode (split load between different Collectors) or redirector mode (replication to multiple redundant Collectors)
• Flow Export Delay
  Some collectors cannot keep up with Catapult Probe speed. This feature allows flow export to be slowed down by waiting a short delay (ms) between two consecutive exports towards the same Collector.
• Minimum TCP size
  Peer-to-peer applications, attacks or misconfigured applications often generate a lot of tiny TCP flows that can cause significant load on the Collector side. It’s possible to configure Catapult Probe not to emit such flows (note: this applies only to TCP; UDP, ICMP and other protocols are not affected)

Flow Collection Optimization (2/2)

• Minimum number of flows per NetFlow packet
  In order to minimize the number of emitted packets containing flows, the minimum number of flows that a NetFlow packet towards the Collector(s) must contain can be specified.
• Sampling rate
  Catapult Probe usually captures all packets for calculating flows. In some situations (e.g. cost distribution / sharing, heavy DoS attack conditions) it is not necessary to work with all packets, and a sampling rate (the number of packets to be discarded between two packets used to produce flows) can be enough.
• Packet Capture Filter
  Filtering allows Catapult Probe to take into account only those packets that match the filter. The list of filter expression primitives can be found in the product documentation: 30+ primitives such as source address, destination address, ports, protocols, packet size (less than/greater than), ... see next slide
• Export Flow Filtering and Aggregation
  The probe can manage aggregation (NetFlow v5, v9) or even Flow Export Filtering in order to export only flows with IP addresses in certain ranges, while all the others are aggregated as 0.0.0.0
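Three of the export-side controls on these two slides, the minimum TCP size, export filtering with aggregation to 0.0.0.0, and the minimum number of flows per NetFlow packet, compose into one pipeline between the flow table and the UDP socket. The following is an added example (not code from the deck or from nPulse) of that pipeline in Python: `ExportPipeline.accept` drops TCP flows below the size threshold (other protocols pass), rewrites any address outside the configured ranges to 0.0.0.0 and sums such flows under the masked key, and queues the rest until enough flows are waiting to fill a packet; `flush` releases the aggregated summaries and any partial packet. The class, its parameter names, the choice to zero the ports of masked flows, and the flows in `demo()` are this example's own; 30 flows per packet is the v5 limit.

```python
from ipaddress import ip_address, ip_network
from typing import Any, Dict, List, Tuple

ANY = "0.0.0.0"
TCP = 6


class ExportPipeline:
    """Export-side shaping of closed flows before they go to the collector (hypothetical class).

    - min_tcp_octets: 'Minimum TCP size'; TCP flows smaller than this are never exported
      (UDP, ICMP and other protocols are unaffected, as on the slide).
    - keep_ranges: 'Export Flow Filtering'; addresses outside these ranges become 0.0.0.0 and
      the flows are summed under the masked key (ports zeroed too: this example's choice).
    - min_flows_per_packet / max_flows_per_packet: 'Minimum number of flows per NetFlow packet'.
    """

    def __init__(self, keep_ranges: List[str], min_tcp_octets: int = 0,
                 min_flows_per_packet: int = 1, max_flows_per_packet: int = 30):
        self.keep = [ip_network(r) for r in keep_ranges]
        self.min_tcp_octets = min_tcp_octets
        self.max_flows = max_flows_per_packet
        self.min_flows = min(min_flows_per_packet, max_flows_per_packet)
        self.aggregated: Dict[Tuple[str, str, int], Dict[str, Any]] = {}
        self.pending: List[Dict[str, Any]] = []
        self.packets: List[List[Dict[str, Any]]] = []

    def _in_range(self, addr: str) -> bool:
        a = ip_address(addr)
        return any(a in net for net in self.keep)

    def accept(self, flow: Dict[str, Any]) -> bool:
        """Filter, mask/aggregate and queue one closed flow; returns False when it is dropped."""
        if flow["proto"] == TCP and flow["octets"] < self.min_tcp_octets:
            return False
        f = dict(flow)
        masked = False
        if not self._in_range(f["src"]):
            f["src"], masked = ANY, True
        if not self._in_range(f["dst"]):
            f["dst"], masked = ANY, True
        if masked:
            f["sport"] = f["dport"] = 0
            key = (f["src"], f["dst"], f["proto"])
            agg = self.aggregated.get(key)
            if agg is None:
                self.aggregated[key] = f
            else:  # counters add up under the masked key
                agg["packets"] += f["packets"]
                agg["octets"] += f["octets"]
        else:
            self.pending.append(f)
            self._emit(min_fill=self.min_flows)
        return True

    def _emit(self, min_fill: int) -> None:
        """Cut NetFlow packets off the pending queue once at least min_fill flows are waiting."""
        while self.pending and len(self.pending) >= min_fill:
            n = min(self.max_flows, len(self.pending))
            self.packets.append(self.pending[:n])
            del self.pending[:n]

    def flush(self) -> List[List[Dict[str, Any]]]:
        """On a timer or at shutdown: export the aggregated summaries and any partial packet."""
        self.pending.extend(self.aggregated.values())
        self.aggregated.clear()
        self._emit(min_fill=1)
        return self.packets


def _flow(src, dst, sport, dport, proto, packets, octets) -> Dict[str, Any]:
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "packets": packets, "octets": octets}


def demo() -> Tuple[ExportPipeline, List[bool]]:
    """Constructed flows through a pipeline that keeps only 192.168.0.0/16 in full detail."""
    p = ExportPipeline(keep_ranges=["192.168.0.0/16"], min_tcp_octets=100, min_flows_per_packet=3)
    decisions = [p.accept(f) for f in [
        _flow("192.168.1.10", "203.0.113.5", 40000, 80, TCP, 1, 40),       # tiny TCP flow: dropped
        _flow("192.168.1.10", "203.0.113.5", 40001, 80, TCP, 50, 5000),    # dst outside range: masked
        _flow("192.168.1.10", "198.51.100.9", 40002, 443, TCP, 50, 5000),  # merges with the previous one
        _flow("198.51.100.7", "203.0.113.9", 53, 53, 17, 2, 80),           # tiny but UDP: kept, both masked
        _flow("192.168.1.20", "192.168.1.30", 5000, 5001, 17, 10, 900),    # in range: exported as-is
        _flow("192.168.1.20", "192.168.1.30", 5002, 5001, 17, 10, 900),
        _flow("192.168.1.21", "192.168.1.30", 5003, 5001, 17, 10, 900),    # third in-range flow fills a packet
        _flow("192.168.1.22", "192.168.1.30", 5004, 5001, 17, 10, 900),    # waits until flush()
    ]]
    p.flush()
    return p, decisions


if __name__ == "__main__":
    pipeline, _ = demo()
    for i, pkt in enumerate(pipeline.packets):
        print(f"packet {i}: {len(pkt)} flows", [(f['src'], f['dst'], f['packets']) for f in pkt])
```

The trade-off is visible in the output: masking and batching cut the collector's load, but the first in-range flow is not exported until two more arrive, and a security team that needs every tiny TCP flow (the slide itself notes that attacks generate them) must keep `min_tcp_octets` at 0 and accept the load.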

Packet Capture Filter

These are the main conditions (primitives) that it is possible to apply in order to filter packet capture:

• IP Host/Subnet
• IP Destination Host/Subnet
• IP Source Host/Subnet
• MAC Host
• MAC Destination Host
• MAC Source Host
• Port
• Source Port
• Destination Port
• Packet Length
• Protocol
• Multicast
• Broadcast
• ...

Primitives may be combined using:
• Negation (`!' or `not').
• Concatenation (`&&' or `and').
• Alternation (`||' or `or').
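A filter written from the primitives and operators above is worth checking against sample packets before it is deployed, because a wrong operator precedence silently changes what the probe captures. The following is an added example (not code from the deck or from nPulse, and not the product's real grammar) of a small recursive-descent parser for a toy version of that syntax: `host`, `port`, `src`/`dst` qualifiers, `proto`, `len < N` / `len > N`, `multicast`, `broadcast`, combined with `not`/`!`, `and`/`&&`, `or`/`||` and parentheses, where `not` binds tightest and `or` loosest, as in BPF. The packet dicts in `SAMPLE_PACKETS` are constructed from the flow-table slide's addresses; everything else here is this example's own.

```python
import re
from typing import Any, Callable, Dict, List, Optional

Packet = Dict[str, Any]
Predicate = Callable[[Packet], bool]

# Tokens: parentheses, the two-character operators, '!', comparison signs, then bare words.
_TOKEN = re.compile(r"\(|\)|&&|\|\||!|<|>|[^\s()!<>&|]+")


def tokenize(expr: str) -> List[str]:
    return _TOKEN.findall(expr)


class FilterParser:
    """expr := term (or term)*;  term := factor (and factor)*;
    factor := not factor | '(' expr ')' | primitive."""

    def __init__(self, expr: str):
        self.toks = tokenize(expr)
        self.i = 0

    def _peek(self) -> Optional[str]:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self) -> str:
        t = self._peek()
        if t is None:
            raise ValueError("unexpected end of filter expression")
        self.i += 1
        return t

    def parse(self) -> Predicate:
        pred = self._expr()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return pred

    def _expr(self) -> Predicate:
        left = self._term()
        while self._peek() in ("or", "||"):
            self._take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self._term())
        return left

    def _term(self) -> Predicate:
        left = self._factor()
        while self._peek() in ("and", "&&"):
            self._take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self._factor())
        return left

    def _factor(self) -> Predicate:
        t = self._peek()
        if t in ("not", "!"):
            self._take()
            inner = self._factor()
            return lambda p: not inner(p)
        if t == "(":
            self._take()
            inner = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self._primitive()

    def _primitive(self) -> Predicate:
        t = self._take()
        direction = None
        if t in ("src", "dst"):
            direction, t = t, self._take()
        if t == "host":
            addr = self._take()
            fields = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[direction]
            return lambda p: any(p.get(f) == addr for f in fields)
        if t == "port":
            n = int(self._take())
            fields = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}[direction]
            return lambda p: any(p.get(f) == n for f in fields)
        if direction is not None:
            raise ValueError(f"'{direction}' must be followed by host or port, not {t!r}")
        if t == "proto":
            name = self._take()
            return lambda p: p.get("proto") == name
        if t == "len":
            op, n = self._take(), int(self._take())
            if op == "<":
                return lambda p: p["len"] < n
            if op == ">":
                return lambda p: p["len"] > n
            raise ValueError(f"len expects < or >, got {op!r}")
        if t in ("multicast", "broadcast"):
            flag = t
            return lambda p: bool(p.get(flag, False))
        raise ValueError(f"unknown primitive {t!r}")


def compile_filter(expr: str) -> Predicate:
    return FilterParser(expr).parse()


def apply_filter(expr: str, packets: List[Packet]) -> List[Packet]:
    """Return the packets the probe would keep under the given filter."""
    keep = compile_filter(expr)
    return [p for p in packets if keep(p)]


# Constructed sample packets (only the header fields the primitives look at).
SAMPLE_PACKETS = [
    {"src": "192.168.175.143", "dst": "172.20.15.23", "sport": 43060, "dport": 23, "proto": "tcp", "len": 84},
    {"src": "172.20.15.23", "dst": "192.168.175.143", "sport": 23, "dport": 43060, "proto": "tcp", "len": 60},
    {"src": "10.1.1.1", "dst": "224.0.0.5", "proto": "ospf", "len": 120, "multicast": True},
]

if __name__ == "__main__":
    print(apply_filter("host 172.20.15.23 and not dst port 23", SAMPLE_PACKETS))
```

The `multicast or src port 23 and len > 100` case in the test is the one that bites in practice: without parentheses it keeps only the multicast packet, because `and` is evaluated first.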


HA & Redundancy (1/2)

• Single Catapult Probe solution (via Tap)
  Same results even with a single-port tap and an external hub (shared).
• Multi Catapult Probe solution (Regeneration Tap)
  High Availability via a dedicated ethernet link.

[Diagram: one probe on a tap; several probes fed by a regeneration tap]

HA & Redundancy (2/2)

Not only network monitoring…

[Diagram: probe placement]

Catapult Probe: Manageability

• Access: Console, Telnet, SSH
• Embedded Web Interface: http/https
• SNMP: SNMPv1, SNMPv2c, SNMPv3
• Syslog

NetFlow Collector vendors (examples)

[Vendor logos grouped by category: Collection, Traffic Analysis, Denial of Service, Billing; Flow-Tools]

Open Source NetFlow Collector nTop

• Network Monitoring application
  – IPv4/v6
  – NetFlow (v5/7/9)
  – sFlow (v2/v4/v5)
• 7 years of experience
• Customized/Contributions from people in 10+ countries all around the world
• Thousands of users across the world
• Available for: BSD, Linux, Windows, MacOS X, Solaris.


Probe Portfolio

Catapult NetFlow Probe

Applications
• High-performance Gigabit NetFlow v5/v9/IPFIX probe
• Standard (1-port) and Accelerated (2-port) models
• Over 75,000 flows per second in base model
• Capture >1 million packets/sec in standard model
• Up to 3 million packets/sec in accelerated model
• Supports IPv4, IPv6 and MPLS traffic
• VoIP (SIP and RTP) traffic analysis
• Easy customization and extensions
• Full flow capture or sampling models
• Export flow filtering and buffering to manage collector loading
• Multiple Collector mode for load balancing or redundancy
• Management Access via Embedded Web GUI, Console, Telnet, SSH, SNMP or Syslog
• Fully interoperable with commercial NetFlow collectors from all major vendors

Catapult Probe - Unique Features

• Capture
  – Wire-speed capture (nCap technology – no CPU).
• Analysis
  – NetFlow v5, v9, raw data (file) – software & RAM, differentiation between HC, MC, LC
  – up to 50k+ flows per second
• Support of IPv4, IPv6 (NetFlow v9 only), MPLS
• NetFlow v9 extensions:
  – Application Latency, Network Latency, first payload packets (good to identify P2P traffic), host fingerprints
• NetFlow v9: extensive flow template support
• Easy customization and extensions – nCap technology is independent from monitoring applications
• Support of IPFIX (draft 3) over SCTP/TCP/UDP.


Thank You

Catapult NetFlow Probe