Practical use of Netflow technology
Transcript of Practical use of Netflow technology
![Page 1: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/1.jpg)
connect • communicate • collaborate
Practical use of Netflow technology
Ivan Ivanovic, RCUB/AMRES
Géant3, Skopje, September 2011.
![Page 2: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/2.jpg)
Content
Netflow technology
Configuration of netflow
Data duplication
Timers
Data aggregation
How to solve L2 problem
Netflow probes
Future of netflow
Case study
![Page 3: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/3.jpg)
Netflow Technology – Terminology
Diagram: a flow passes through the router (exporter), which generates the NetFlow statistic for it.
What is a flow?
Src/dst IP
Src/dst ports
Protocol
QoS
Total bytes, packets, flows
BGP src/dst AS
Exporter IP
In/out ports
Timestamp
…
![Page 4: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/4.jpg)
Netflow Technology – Overview
Developed by Cisco.
IETF standardization – IPFIX.
NetFlow v5 and v9 are the most commonly used versions.
By default it provides information at the higher layers (L3-L4).
IPFIX (NetFlow v9) – also called flexible NetFlow.
NetFlow v9 has support for MPLS, MAC addresses and IPv6…
In AMRES, NetFlow is the only protocol used for IPv6 monitoring.
Other vendors also support NetFlow-like protocols (NetStream, J-Flow…).
NetFlow export traffic is less than 1% of the total traffic in the network.
![Page 5: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/5.jpg)
How to start NetFlow data collection?
Most of the routers that forward packets "in software" support the NetFlow protocol.
Some switches support the NetFlow protocol (requires specialized hardware).
Two groups of devices regarding NetFlow configuration:
– Global control (older devices; the ingress direction is commonly used)
– Per-interface control (newer devices; the ingress or egress direction can be used)
Global control allows statistics collection only on all interfaces in one direction (commonly in/ingress).
Per-interface control allows statistics collection on a given interface in the in/ingress or out/egress direction.
![Page 6: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/6.jpg)
NetFlow data duplication - Ingress direction
Diagram: Host A, the routers and the NetFlow collector.
![Page 7: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/7.jpg)
NetFlow data duplication - Ingress direction
Diagram: traffic from Host A entering the network.
![Page 8: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/8.jpg)
Netflow data duplication - Ingress direction
Diagram labels: Host A; Gi0/1 at both ends of the inter-router link; Gi0/2; Gi0/3. With ingress collection enabled on both routers the same flow from Host A is exported by each of them.
![Page 9: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/9.jpg)
Netflow data duplication - Ingress direction
![Page 10: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/10.jpg)
Netflow data duplication - Solution
The problem can be solved if the device can control collection of NetFlow statistics per interface.
Using the ingress/egress commands we can control on which interfaces NetFlow statistics are collected.
Some applications that collect NetFlow statistics can automatically detect duplicated records using a combination of exported fields (src IP, dst IP, src port, dst port, protocol, QoS).
Applications (collectors) that support filtering based on static NetFlow fields provide a very good solution against data duplication.
ICmyNet.Flow - http://netflow.rcub.bg.ac.rs
![Page 11: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/11.jpg)
Netflow data duplication - Solution
Don't use NetFlow statistics that have the exporter IP address of device R2 and ingress interface Gi0/1 of device R2!
Diagram: traffic from Host A to Host B; the R1–R2 link is Gi0/1 at both ends; the R1 record is marked "Use this statistic", the R2 record "Ignore this statistic".
![Page 12: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/12.jpg)
Netflow data duplication - Solution
Don't use NetFlow statistics that have the exporter IP address of device R1 and ingress interface Gi0/1 of device R1!
Diagram: traffic from Host B to Host A; the R1–R2 link is Gi0/1 at both ends; the R2 record is marked "Use this statistic", the R1 record "Ignore this statistic".
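The two "ignore this statistic" rules from the last two slides, as an added Python example that is not from the slides or from ICmyNet.Flow: a collector-side filter applying a static (exporter IP, ingress interface) exclusion list, beside the field-combination duplicate detection mentioned on the solution slide. Exporter addresses 10.0.0.1 (R1) and 10.0.0.2 (R2) and the flow records are constructed for the example.

```python
from collections import namedtuple

# Constructed record shape with the NetFlow fields the slides use for
# duplicate detection: exporter IP, input interface, 5-tuple, ToS (QoS), bytes.
Flow = namedtuple("Flow", "exporter in_if src dst sport dport proto tos bytes")

# Constructed sample (exporter IPs are assumptions): R1 = 10.0.0.1, R2 = 10.0.0.2,
# R1-R2 link on Gi0/1 at both ends. Host A -> Host B enters R1 on Gi0/2 and then
# R2 on Gi0/1; the reply enters R2 on Gi0/3 and then R1 on Gi0/1. With ingress
# collection on both routers each direction is exported twice.
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "Gi0/2", "192.0.2.10", "198.51.100.20", 40000, 80, 6, 0, 1500),
    Flow("10.0.0.2", "Gi0/1", "192.0.2.10", "198.51.100.20", 40000, 80, 6, 0, 1500),
    Flow("10.0.0.2", "Gi0/3", "198.51.100.20", "192.0.2.10", 80, 40000, 6, 0, 9000),
    Flow("10.0.0.1", "Gi0/1", "198.51.100.20", "192.0.2.10", 80, 40000, 6, 0, 9000),
]

# Static rule from the two solution slides: ignore records whose exporter and
# ingress interface are the inter-router link.
IGNORE_EXPORTER_IF = {("10.0.0.1", "Gi0/1"), ("10.0.0.2", "Gi0/1")}

def drop_by_static_fields(flows, ignore=IGNORE_EXPORTER_IF):
    """Filter on static fields: cheap and exact, but needs topology knowledge."""
    return [f for f in flows if (f.exporter, f.in_if) not in ignore]

def drop_by_key(flows):
    """Keep the first record per (src, dst, sport, dport, proto, QoS) key.
    Needs no topology knowledge, but a real collector must scope the key to
    a time window, or a later repeated connection would also be discarded."""
    seen, kept = set(), []
    for f in flows:
        key = (f.src, f.dst, f.sport, f.dport, f.proto, f.tos)
        if key not in seen:
            seen.add(key)
            kept.append(f)
    return kept

def total_bytes(flows):
    return sum(f.bytes for f in flows)
```

Without either filter the sample counts 21000 bytes for 10500 bytes of real traffic; both filters agree on the sample, but only the static one is safe without a time window.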
![Page 13: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/13.jpg)
Netflow Timers and Aggregation – Timestamp problem
![Page 14: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/14.jpg)
Netflow Timers and Aggregation
Most people don't use them.
Some applications for NetFlow collection do not use the timestamp fields in the exported statistics.
The reason for that is the large amount of NetFlow data; the solution is data aggregation.
The benefits of aggregation are small databases and fast applications.
The shortcoming of aggregation is the lack of detailed information.
What are NetFlow timers (aging)?
E.g. Cisco:
Normal
Long
Fast (threshold ~100 packets)
![Page 15: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/15.jpg)
Netflow Timers – Long aging
The receiving application is using 5-minute aggregation.
![Page 16: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/16.jpg)
Netflow Timers – Fast aging (if your application can detect an attack!)
![Page 17: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/17.jpg)
Netflow timers
The exporter collects NetFlow statistics in local memory.
When the memory table gets overloaded, the exporter ages out all flows in memory. It then sends all the information to the collector and clears its local memory.
Special situations can cause memory overload:
Ping sweep
DNS lookups
The exporter can easily detect the end of flows that use a connection-oriented protocol.
The exporter can only assume when a flow that uses a connectionless protocol has ended.
Memory overload can influence the exporter's behavior.
Using timers is the only way to age out some flows!
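The memory-overload and timer behaviour described on this slide, as an added Python simulation that is not from the slides or from any vendor's implementation: a tiny flow cache with assumed active/inactive timeouts (the values are not from the page), explicit TCP FIN/RST termination, and the age-everything-out response to a full table, driven by a constructed ping sweep.

```python
from dataclasses import dataclass
# Assumed timer values in seconds (not from the slides): an active timeout
# exports long-lived flows periodically, an inactive timeout expires idle ones.
ACTIVE_TIMEOUT = 1800
INACTIVE_TIMEOUT = 15
CACHE_SIZE = 4          # tiny on purpose, to show the overload behaviour
TCP_FIN, TCP_RST = 0x01, 0x04

@dataclass
class Entry:
    first: float
    last: float
    packets: int = 0
    tcp_flags: int = 0

class FlowCache:
    def __init__(self):
        self.table = {}      # key -> Entry, key = (src, dst, sport, dport, proto)
        self.exported = []   # (key, packets, reason) records sent to the collector
    def _export(self, key, reason):
        e = self.table.pop(key)
        self.exported.append((key, e.packets, reason))
    def packet(self, now, key, flags=0):
        if key not in self.table:
            if len(self.table) >= CACHE_SIZE:
                # Table overloaded: age out every flow and send it all at once.
                for k in list(self.table):
                    self._export(k, "overload")
            self.table[key] = Entry(now, now)
        e = self.table[key]
        e.last, e.packets, e.tcp_flags = now, e.packets + 1, e.tcp_flags | flags
        # Connection-oriented end is known exactly: TCP FIN or RST seen.
        if key[4] == 6 and e.tcp_flags & (TCP_FIN | TCP_RST):
            self._export(key, "tcp-end")

    def age(self, now):
        # Timers are the only way connectionless (UDP/ICMP) flows ever end.
        for k, e in list(self.table.items()):
            if now - e.last > INACTIVE_TIMEOUT:
                self._export(k, "inactive")
            elif now - e.first > ACTIVE_TIMEOUT:
                self._export(k, "active")

def simulate_ping_sweep(n_hosts):
    """Constructed scenario: one ICMP packet per second to n_hosts destinations."""
    cache = FlowCache()
    for i in range(n_hosts):
        cache.packet(float(i), ("192.0.2.1", f"198.51.100.{i}", 0, 0, 1))
    return cache
```

A sweep of 10 hosts against this 4-entry table forces two overload exports of 4 flows each before any timer fires; the remaining two ICMP flows only leave the cache when age() runs past the inactive timeout.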
![Page 18: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/18.jpg)
Netflow Probes
Very useful tool!
A lot of useful information can be found on the web page of the Swiss academic network:
http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html
What is netflow probe?
How to use it?
Where to use it?
What do I get?
What do I lose?
![Page 19: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/19.jpg)
Netflow Probe - L2 segment of the network!
L2 switches usually do not support the NetFlow protocol.
L2 switches usually support port mirroring (SPAN)!
E.g. softflowd
http://www.mindrot.org/projects/softflowd/
http://code.google.com/p/softflowd/
![Page 20: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/20.jpg)
Netflow Probe – Port mirroring
Extra server (desktop PC).
Two NIC cards.
Two ports on the switch.
Diagram: the probe's eth0 and eth1 connected to the two switch ports.
![Page 21: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/21.jpg)
Netflow Probe – Port mirroring
Institutions on the L2 segment.
![Page 22: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/22.jpg)
Netflow Probe – Virtualization
Tested on Citrix XenServer.
Older versions of VMware (3.5) support the NetFlow protocol.
Diagram: several virtual machines, each with an eth0 interface.
![Page 23: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/23.jpg)
AMRES configuration
![Page 24: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/24.jpg)
Future of netflow
More and more NetFlow fields are becoming popular.
Cisco is already using NetFlow to gather statistics about media traffic (Medianet).
Information like jitter, packet delay and packet loss could also be exported via NetFlow.
![Page 25: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/25.jpg)
Problem analysis – example I
![Page 26: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/26.jpg)
Problem analysis – example I
![Page 27: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/27.jpg)
Problem analysis – example II
![Page 28: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/28.jpg)
Problem analysis – example II
![Page 29: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/29.jpg)
Problem analysis – example II
![Page 30: Practical use of Netflow technology](https://reader035.fdocuments.in/reader035/viewer/2022062321/56814009550346895dab4105/html5/thumbnails/30.jpg)
END