NetFlow - TERENA · NetFlow protocol Developed by Cisco Systems Classifies network traffic into...
NetFlow: What is it, why and how to use it?
Miloš Zeković
ICmyNet Chief Customer Officer
Soneco d.o.o. Serbia
8th September 2014
Agenda
What is NetFlow?
What are the benefits?
How to deploy NetFlow?
Questions
What is NetFlow?
NetFlow protocol
IP Flow
How it works
NetFlow equivalents
NetFlow protocol
Developed by Cisco Systems
Classifies network traffic into 'flows'
v5 - most common version, IPv4
v9 - template based, IPv6 and MPLS
v10 (IPFIX) – standardised, flexible fields
IP Flow – RFC 3954
An IP Flow, ..., is defined as a set of IP packets passing an Observation Point in the network during a certain time interval. All packets that belong to a particular Flow have a set of common properties ... at the Observation Point.
IP Flow – Cisco NF v5
Unidirectional sequence of packets that all share the following 7 values:
Ingress interface (SNMP ifIndex)
Source IP address and Destination IP address
IP protocol
Source and destination port for UDP or TCP, 0 for other protocols
IP Type of Service
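The seven key values above, pulled out of a NetFlow v5 export datagram the way a collector would. This is an added example, not code from the presentation; the sample datagram is constructed, and the length and version checks are there because a collector accepts UDP from the network and should reject malformed input before unpacking it.

```python
import struct
from ipaddress import IPv4Address
from typing import NamedTuple

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record

class FlowKey(NamedTuple):
    """The 7 values that identify a v5 flow."""
    input_if: int   # ingress interface (SNMP ifIndex)
    src: str
    dst: str
    proto: int
    sport: int      # 0 for protocols other than TCP/UDP
    dport: int
    tos: int

def parse_v5(datagram: bytes):
    """Return [(FlowKey, packets, octets)]; raise ValueError on malformed input."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    version, count, *_ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # A v5 datagram carries 1..30 records; length must match the declared count.
    if not 1 <= count <= 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        key = FlowKey(f[3], str(IPv4Address(f[0])), str(IPv4Address(f[1])),
                      f[13], f[9], f[10], f[14])
        flows.append((key, f[5], f[6]))  # dPkts, dOctets
    return flows

def sample_datagram() -> bytes:
    """Constructed sample: one TCP/443 flow and one ICMP flow (ports 0)."""
    src = IPv4Address("192.0.2.10").packed
    dst = IPv4Address("198.51.100.5").packed
    hdr = HEADER.pack(5, 2, 1000, 1410134400, 0, 1, 0, 0, 0)
    tcp = RECORD.pack(src, dst, bytes(4), 3, 7, 12, 9000, 100, 900,
                      51514, 443, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
    icmp = RECORD.pack(src, dst, bytes(4), 3, 7, 4, 336, 100, 400,
                       0, 0, 0, 0, 1, 0, 0, 0, 24, 24, 0)
    return hdr + tcp + icmp
```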
How it works?
Flow record
Exporter
Flow Collector
NetFlow server (flow collection + aggregation)
How it works? (2)
NetFlow equivalents
Jflow – Juniper Networks
NetStream - 3Com/HP
NetStream - Huawei Technologies
sFlow – Cisco, Juniper, HP, IBM, Huawei...
What are the benefits?
Bandwidth utilization understanding:
Application monitoring
Top consumers by host, service, QoS...
Accounting/Billing
Network optimization and planning:
Traffic trend visualization
Traffic engineering
What are the benefits? (2)
Faster network troubleshooting:
Faster, better diagnostics
Complements network monitoring systems
Network security:
Traffic anomaly analysis
Flow records inspection
Lower operational cost
How to deploy NetFlow?
NetFlow capability
Configuring NetFlow export
NetFlow Analyzers
NetFlow capability
NetFlow capable devices:
Routers
L3 switches
NetFlow probes – e.g. softflowd
Capability issues:
NetFlow protocol conversion – e.g. nprobe
Multiple exporting – e.g. samplicator
Sampling
Configuring NetFlow export
Export planning:
On what routers/interfaces to enable NetFlow
Duplication issues
Exporter configuration:
Configure exporters
Set up sampling, conversion, probes
Choose and set up NetFlow collector/analyser
Exporter configuration
[Figure: two exporter configuration diagrams, the left one labelled INCORRECT and the right one labelled CORRECT]
Double export example
De-duplication of NetFlow
Duplication is usually a problem for network-wide statistics
Some NetFlow analysers have automatic de-duplication
Some NetFlow analysers can be configured to avoid duplication
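Why duplication distorts network-wide statistics, and one possible de-duplication heuristic, as an added example that is not from the presentation or from any analyser named in it. The records are constructed; the rule used (per flow, keep the largest per-exporter byte count) is an assumption chosen for illustration and presumes unsampled export on every router the flow crosses.

```python
from collections import defaultdict

# Constructed flow records: (exporter, src, dst, proto, sport, dport, octets).
# The same TCP flow crosses routers R1 and R2, and both export it.
RECORDS = [
    ("R1", "192.0.2.10", "198.51.100.5", 6, 51514, 443, 9000),
    ("R2", "192.0.2.10", "198.51.100.5", 6, 51514, 443, 9000),
    ("R1", "192.0.2.10", "198.51.100.5", 6, 51514, 443, 1000),  # later export, same flow
    ("R2", "192.0.2.10", "198.51.100.5", 6, 51514, 443, 1000),
    ("R2", "203.0.113.7", "198.51.100.5", 17, 5353, 53, 400),   # seen by R2 only
]

def naive_total(records):
    """Sum every record: flows exported by two routers are counted twice."""
    return sum(octets for *_, octets in records)

def per_exporter_octets(records):
    """Map flow key -> {exporter: octets}. The ingress interface is left out
    of the key because it differs on each router the flow passes through."""
    seen = defaultdict(lambda: defaultdict(int))
    for exporter, *key, octets in records:
        seen[tuple(key)][exporter] += octets
    return seen

def dedup_total(records):
    """Count each flow once, using the exporter that reported the most octets."""
    return sum(max(by_exp.values()) for by_exp in per_exporter_octets(records).values())

def duplicated_flows(records):
    """Flow keys reported by more than one exporter."""
    return sorted(k for k, by_exp in per_exporter_octets(records).items() if len(by_exp) > 1)

if __name__ == "__main__":
    print("naive:", naive_total(RECORDS), "de-duplicated:", dedup_total(RECORDS))
    print("duplicated:", duplicated_flows(RECORDS))
```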
NetFlow Analysers - approaches
Statistics per/by:
exporter/interface
application/service
IP address group
routers/interfaces group
specific traffic
host
NetFlow Analysers
Commercial applications:
ManageEngine – NetFlow Analyzer
SolarWinds – NetFlow Traffic Analyzer
Plixer – Scrutinizer
Paessler – PRTG Traffic Grapher
Fluke Networks
Soneco - ICmyNet/NetVizura
...
Question time
Questions?
Thank you