NetFlow

NetFlow deployment model

Because of the overhead of turning NetFlow on everywhere in a network, the typical deployment architecture is to enable NetFlow export on interfaces at the key points where a large percentage of the traffic flows into or out of the network. Router interfaces connected to major data centers, Internet peering points and WAN backbone links are the usual places. Since these points carry most of the traffic that travels to the rest of the network, enabling NetFlow on the associated routers gives the greatest coverage of the network's traffic for the least overhead.

In short: router interfaces facing large data centers, Internet peers and the WAN backbone are the best places to enable NetFlow.


NetFlow sampling error analysis

Measurement work on production networks has shown that the NetFlow packet-sampling ratio is usually set between 2000:1 and 5000:1 (one packet sampled out of every 2000 to 5000), and that the error of the resulting traffic analysis is then about 1%.

"Traffic analysis" here means estimating the share of one class of packets (e.g. WWW) in the total packet count, or the share of that class in the total byte count: the first is a count proportion, the second a volume proportion.

The measurement interval is normally set to 5 minutes. Experience shows that the statistical properties of the traffic stay stable over such a window, so the sampled result converges to the true value. The error bound depends on how many packets were actually sampled in the window, not on the ratio alone, so on a lightly loaded link, or for a class that is a small fraction of the traffic, the error is larger than 1%.
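The following is an added example, not part of the original post, that makes the 1% claim concrete. It treats the sampled share as a binomial proportion (relative error sqrt(p(1-p)/n)/p for n sampled packets) and works out how many packets a 5-minute window must carry for the count share of a 30% class to be within 1% at 2000:1; the packet sizes (1000 B for WWW, 300 B for everything else) and the 30% share are assumptions for the constructed stream.

```python
import math
import random


def sampled_share_stderr(p: float, total_packets: int, ratio: int) -> float:
    """Relative standard error of the estimated share p of one packet class
    (e.g. WWW) when 1 packet in every `ratio` packets of `total_packets` is
    sampled.  With n = total_packets // ratio samples the estimate is a
    binomial proportion, so its relative error is sqrt(p(1-p)/n) / p."""
    n = total_packets // ratio
    if n == 0 or not 0 < p < 1:
        raise ValueError("need at least one sample and 0 < p < 1")
    return math.sqrt(p * (1 - p) / n) / p


def packets_needed(p: float, ratio: int, target_rel_err: float) -> int:
    """Packets the measurement interval must carry so that a class with
    share p is estimated to within target_rel_err at sampling ratio 1:ratio."""
    n = math.ceil((1 - p) / (p * target_rel_err ** 2))
    return n * ratio


def simulate_share(p: float, total_packets: int, ratio: int, seed: int = 1):
    """Constructed packet stream (assumption): a fraction p of packets is
    'www' at 1000 bytes, the rest 'other' at 300 bytes.  Sample every
    ratio-th packet and estimate both the count share and the byte share of
    www, the two proportions the text defines.  Returns (count share,
    byte share, number of sampled packets)."""
    rng = random.Random(seed)
    www_pkts = www_bytes = all_pkts = all_bytes = 0
    for i in range(total_packets):
        is_www = rng.random() < p
        size = 1000 if is_www else 300
        if i % ratio == 0:  # deterministic 1:ratio sampling
            all_pkts += 1
            all_bytes += size
            if is_www:
                www_pkts += 1
                www_bytes += size
    return www_pkts / all_pkts, www_bytes / all_bytes, all_pkts


if __name__ == "__main__":
    # 1% relative error on a 30% class at 2000:1 needs roughly 23,000
    # samples, i.e. about 47 million packets in the window.
    print("packets needed:", packets_needed(0.3, 2000, 0.01))
    print("rel. error at 46M packets:", sampled_share_stderr(0.3, 46_000_000, 2000))
    print("simulated (count share, byte share, n):", simulate_share(0.3, 200_000, 200))
```

The simulation uses a smaller stream (200,000 packets at 200:1, so 1,000 samples) to keep it fast; its count-share error is about 5%, which is exactly what the formula predicts for that few samples.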




1 NetFlow records are exported from the router in User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP) packets. Traditional NetFlow identifies a flow by a 7-tuple key:

1) Source IP

2) Destination IP

3) Source Port

4) Destination Port

5) IP Protocol Number

6) IP ToS (Type of Service)

7) Logical interface (ifIndex)

which is the input ifIndex for ingress NetFlow, or the output ifIndex for egress NetFlow.

Note also that the command ip flow-egress input-interface lets you use the input ifIndex as a key field even when egress NetFlow is configured. In that case the input ifIndex becomes an additional key field.

 

2 Vendors:

NetFlow - Cisco;

JFlow or CFlowd - Juniper;

NetStream - 3Com/H3C/Huawei;

sFlow - InMon (sFlow.org, RFC 3176), supported by HP, Foundry/Brocade, Extreme and others; unlike the flow-cache protocols above it exports sampled packet headers and interface counters rather than flow records;

Cflowd - Alcatel-Lucent;

 

3 Standards:

RFC 3954 - Cisco Systems NetFlow Services Export Version 9

RFC 5101/5102 - Internet Protocol Flow Information eXport (IPFIX) protocol and information model (since obsoleted by RFC 7011/7012)

 

4 When a flow is exported

1) TCP session termination: a FIN or RST is seen on a TCP flow

2) Active flows time out after 30 minutes

i.e. a flow record is output at a fixed interval even if the flow is still ongoing. The active timer counts from the flow's first packet and is not reset by new packets (new packets reset only the inactive timer); after the export the entry is gone and the next packet for that 7-tuple starts a new entry.

3) Inactive flows time out after 15 seconds

if there has been no activity on a flow for 15 seconds, the entry is exported and purged from the cache.

A full flow cache also forces early export of entries. This matters during port scans or DDoS floods, which create very large numbers of short flows.
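The following is an added example, not part of the original post, that models the behaviour described in sections 1 and 4: a flow cache keyed on the 7-tuple, with a TCP FIN/RST ending a flow immediately, an inactive timer that is refreshed by every packet, and an active timer that is not. The packet timeline (an HTTP session, a single DNS query, and an SSH session sending one packet every 10 seconds for over 30 minutes) is constructed for the example; the addresses and ports are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP_FIN, TCP_RST = 0x01, 0x04
ACTIVE_TIMEOUT = 30 * 60   # Cisco default, seconds
INACTIVE_TIMEOUT = 15      # Cisco default, seconds

# Traditional 7-tuple: src IP, dst IP, src port, dst port, protocol, ToS, input ifIndex
FlowKey = Tuple[str, str, int, int, int, int, int]


@dataclass
class FlowEntry:
    key: FlowKey
    first: float          # time of first packet; the active timer counts from here
    last: float           # time of last packet; the inactive timer counts from here
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0    # cumulative OR of TCP flags, as in the v5 record


class FlowCache:
    def __init__(self, active: float = ACTIVE_TIMEOUT, inactive: float = INACTIVE_TIMEOUT):
        self.active, self.inactive = active, inactive
        self.entries: Dict[FlowKey, FlowEntry] = {}
        self.exported: List[Tuple[str, FlowEntry]] = []   # (reason, record)

    def _export(self, key: FlowKey, reason: str) -> None:
        # Export removes the entry: the router keeps no copy of exported records.
        self.exported.append((reason, self.entries.pop(key)))

    def age(self, now: float) -> None:
        """Apply both timers.  Packets refresh `last` but never `first`, so a
        busy long-lived flow is still cut into active-timeout sized records."""
        for key, e in list(self.entries.items()):
            if now - e.last > self.inactive:
                self._export(key, "inactive")
            elif now - e.first > self.active:
                self._export(key, "active")

    def packet(self, now, src, dst, sport, dport, proto, tos, ifindex, length, tcp_flags=0):
        self.age(now)
        key: FlowKey = (src, dst, sport, dport, proto, tos, ifindex)
        e = self.entries.get(key)
        if e is None:
            e = self.entries[key] = FlowEntry(key, first=now, last=now)
        e.packets += 1
        e.octets += length
        e.last = now
        e.tcp_flags |= tcp_flags
        if proto == 6 and tcp_flags & (TCP_FIN | TCP_RST):
            self._export(key, "tcp-end")


def demo() -> Tuple[List[Tuple[str, int, int]], int]:
    """Run the constructed timeline.  Returns a list of
    (export reason, packet count, cumulative TCP flags) plus the number
    of entries still in the cache afterwards."""
    c = FlowCache()
    http = ("10.0.0.5", "93.184.216.34", 51234, 80, 6, 0, 1)
    c.packet(0.0, *http, 60, 0x02)     # SYN
    c.packet(0.5, *http, 1500, 0x10)   # ACK
    c.packet(1.0, *http, 60, 0x11)     # FIN+ACK: exported at once
    c.packet(2.0, "10.0.0.5", "10.0.0.53", 40000, 53, 17, 0, 1, 80)   # one DNS query
    ssh = ("10.0.0.9", "10.0.0.10", 52000, 22, 6, 0, 1)
    for t in range(30, 1900, 10):      # t=30 is >15 s after the DNS packet: it ages out
        c.packet(float(t), *ssh, 100, 0x18)   # PSH+ACK keepalive-style traffic
    summary = [(reason, e.packets, e.tcp_flags) for reason, e in c.exported]
    return summary, len(c.entries)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Running it shows three exports in order: the HTTP flow on FIN with 3 packets and flags 0x13, the DNS flow by inactive timeout, and the SSH flow by active timeout at t=1840 with 181 packets, after which the SSH packets from t=1840 on accumulate in a fresh entry.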

 

5 NetFlow Version 5 Format

All fields are in network byte order (big-endian).

Header format (24 bytes)

Bytes   Field           Description
0~1     version         NetFlow export format version number (5)
2~3     count           Number of flow records in this packet (1~30)
4~7     SysUptime       Current time in milliseconds since the router booted
8~11    unix_secs       Seconds since 0000 UTC 1970
12~15   unix_nsecs      Residual nanoseconds since 0000 UTC 1970
16~19   flow_sequence   Sequence counter of total flows seen
20~23   reserved        Unused (0) in the original definition; later IOS releases place engine_type (byte 20), engine_id (byte 21) and sampling_interval (bytes 22~23) here

 

Flow record format (48 bytes)

Bytes   Field       Description
0~3     srcaddr     Source IP address
4~7     dstaddr     Destination IP address
8~11    nexthop     IP address of the next-hop router
12~13   input       SNMP index of the input interface
14~15   output      SNMP index of the output interface
16~19   dPkts       Packets in the flow
20~23   dOctets     Total number of layer-3 bytes in the flow's packets
24~27   First       SysUptime at the start of the flow
28~31   Last        SysUptime when the last packet of the flow was received
32~33   srcport     TCP/UDP source port number or equivalent
34~35   dstport     TCP/UDP destination port number or equivalent
36      pad1        Unused (0)
37      tcp_flags   Cumulative OR of TCP flags
38      prot        IP protocol (e.g. 6 = TCP, 17 = UDP)
39      tos         IP type of service
40~41   src_as      AS of the source, origin or peer
42~43   dst_as      AS of the destination, origin or peer
44      src_mask    Source address prefix mask bits
45      dst_mask    Destination address prefix mask bits
46~47   pad2        Unused (0)
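The following is an added example, not part of the original post, that parses the v5 header and record layout from the two tables above with struct and shows the two checks a collector should do: reject datagrams whose length does not match count (v5 export is plain UDP with no authentication, so a collector must validate before trusting anything), and use flow_sequence to count records that were lost in transit. The sample datagram is constructed in the code; its addresses, ports and counters are assumptions.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes, bytes 20-23 as engine/sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes


@dataclass
class V5Header:
    version: int
    count: int
    sys_uptime: int
    unix_secs: int
    unix_nsecs: int
    flow_sequence: int
    engine_type: int
    engine_id: int
    sampling_interval: int


@dataclass
class V5Record:
    srcaddr: str
    dstaddr: str
    nexthop: str
    input: int
    output: int
    dpkts: int
    doctets: int
    first: int
    last: int
    srcport: int
    dstport: int
    tcp_flags: int
    prot: int
    tos: int
    src_as: int
    dst_as: int
    src_mask: int
    dst_mask: int


def parse_v5(datagram: bytes) -> Tuple[V5Header, List[V5Record]]:
    """Decode one export datagram.  Anything that does not match the fixed
    layout is rejected rather than partially decoded."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    h = V5Header(*V5_HEADER.unpack_from(datagram, 0))
    if h.version != 5:
        raise ValueError(f"not NetFlow v5 (version={h.version})")
    if not 1 <= h.count <= 30:
        raise ValueError(f"invalid record count {h.count}")
    expected = V5_HEADER.size + h.count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} != {expected} for count={h.count}")
    records = []
    for i in range(h.count):
        (src, dst, nh, inp, out, pk, oc, first, last, sp, dp, _pad1, flags,
         prot, tos, sas, das, smask, dmask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(V5Record(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                socket.inet_ntoa(nh), inp, out, pk, oc, first, last,
                                sp, dp, flags, prot, tos, sas, das, smask, dmask))
    return h, records


def lost_flows(prev_seq: int, prev_count: int, seq: int) -> int:
    """flow_sequence counts flows exported so far, so the next datagram should
    start at prev_seq + prev_count.  Any excess is records dropped in
    transit; the router never retransmits them."""
    return (seq - (prev_seq + prev_count)) & 0xFFFFFFFF


def sample_datagram() -> bytes:
    """Constructed export packet: an HTTP flow and a DNS query (assumed values)."""
    ip = socket.inet_aton
    rec1 = V5_RECORD.pack(ip("10.0.0.5"), ip("93.184.216.34"), ip("10.0.0.1"), 1, 2,
                          12, 5400, 1000, 2500, 51234, 80, 0, 0x1B, 6, 0, 0, 15133, 24, 24, 0)
    rec2 = V5_RECORD.pack(ip("10.0.0.5"), ip("10.0.0.53"), ip("0.0.0.0"), 1, 1,
                          1, 76, 1200, 1200, 40000, 53, 0, 0, 17, 0, 0, 0, 24, 32, 0)
    hdr = V5_HEADER.pack(5, 2, 3000, 1_700_000_000, 0, 100, 0, 0, 0)
    return hdr + rec1 + rec2


if __name__ == "__main__":
    header, recs = parse_v5(sample_datagram())
    print(header)
    for r in recs:
        print(f"{r.srcaddr}:{r.srcport} -> {r.dstaddr}:{r.dstport} proto {r.prot} "
              f"pkts={r.dpkts} bytes={r.doctets} flags=0x{r.tcp_flags:02x}")
```

In a real collector the source address of each datagram should also be compared against the configured exporters, since nothing in the protocol stops a host on the same network from injecting forged records.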

 

 

6 Sampled NetFlow

Two ways to sample:

1) Deterministic NetFlow: the router looks at every nth packet, where n is configurable

2) Random Sampled NetFlow: one packet is chosen at random from each window of n packets. This avoids the bias that a fixed interval can pick up from periodic traffic patterns.

 

7 Two ways to deploy NetFlow monitoring

1) NetFlow on routers: provides a network-wide view of the traffic, but is limited by sampling and by the router's processing power

2) NetFlow on dedicated/standalone probes: well suited to observing critical links, but a probe must be deployed on every link that is to be observed, adding hardware, setup and maintenance costs. (The probes are connected transparently to the monitored link as a fully passive appliance via a TAP or SPAN port; see the figure below.)

 

8 Configuration

An example configuration (the ! lines are comments):

router#enable
Password:*****
router#configure terminal
router-2621(config)#interface FastEthernet 0/1
! collect flows for packets entering this interface (older syntax, equivalent to "ip flow ingress")
router-2621(config-if)#ip route-cache flow
router-2621(config-if)#exit

! collector address and UDP port, and the interface whose address the export datagrams are sent from
router-2621(config)#ip flow-export destination 192.168.9.101 9996
router-2621(config)#ip flow-export source FastEthernet 0/1
router-2621(config)#ip flow-export version 5
! export long-lived flows every minute; purge idle flows after 15 seconds
router-2621(config)#ip flow-cache timeout active 1
router-2621(config)#ip flow-cache timeout inactive 15
! keep ifIndex values stable across reboots so the input/output fields in the records remain meaningful
router-2621(config)#snmp-server ifindex persist
router-2621(config)#^Z
router#write
router#show ip flow export
router#show ip cache flow

 

1) ip route-cache flow can also be written as ip flow ingress. The main difference between the two:

"ip route-cache flow" can be used only under the main interface; it enables flows on the physical interface and all sub-interfaces associated with it,

while "ip flow ingress" was an enhancement that can be used under sub-interfaces.

2) With NetFlow v5 we only had the option to monitor inbound statistics, using the ip flow ingress command. However, with the release of NetFlow v9, we now have the option to monitor traffic leaving each

3) The meaning of ip flow-cache timeout inactive 15:

if there has been no activity on the flow for 15 seconds, the entry is exported and purged from the cache.

i.e. it specifies the number of seconds an inactive entry is allowed to remain in the flow cache before it is deleted, and ensures that flows that have finished are exported promptly. The default value is 15 seconds.

 

The meaning of ip flow-cache timeout active 1:

If an active entry has been in the cache for 1 minute, it is expired even if traffic is still arriving. A new cache entry is built on receipt of the next packet for that flow.

i.e. it breaks long-lived flows into 1-minute fragments. Any value from 1 to 60 minutes can be chosen. A short active timeout gives the collector near-real-time visibility of long sessions, but the collector must add the fragments together to get totals per flow.

 

9 Miscellaneous notes

1) For efficiency reasons, the router does not keep flow records once they are exported. Therefore, if a NetFlow datagram is dropped because of network congestion, it is lost for good; there is no way for the router to resend it. The collector can at least detect the loss from gaps in the flow_sequence counter in the export header.

2) The IP address of the NetFlow collector and the UDP port on which it listens must be configured on the exporting router. There is no fixed port; 2055, 9555, 9995 and 9996 are the usual choices. Because the export is unauthenticated UDP, the collector should only accept datagrams from the configured exporters, ideally over a management network.

3) NetFlow is generally based on the packets entering the interfaces on which it is enabled. Counting on ingress avoids double counting and saves work for the router.

 

