Introduction To Cisco'S Netflow Technology: Slide 1

NetFlow 101 Boot Camp March 18, 2010
Slide 1 ___________________________
___________________________
Introduction to Cisco’s ___________________________

NetFlow Technology
___________________________
Adam Powers, CTO
___________________________
___________________________
NetFlow 101 Seminar, 2010

1
Slide 2 ___________________________
Agenda
___________________________
• Introduction to NetFlow
how it works, what it is
___________________________
• Why is NetFlow so popular?
NetFlow costs less and works better
• Configuring and Working with NetFlow ___________________________
a glimpse into the power of NetFlow
• Threat Detection Methods
using flows to detect malware ___________________________
• FlowSensor Technology
generate NetFlow v9 from a SPAN
• Cisco Flexible NetFlow Lab ___________________________
set up and work with NetFlow
Slide 3 ___________________________
Lancope NetFlow Ninjas Blog
___________________________
http://netflowninjas.typepad.com
___________________________
___________________________
___________________________
___________________________
3
Slide 4 ___________________________
___________________________
Introduction to NetFlow ___________________________
___________________________
___________________________
___________________________
Slide 5 ___________________________
Network Flow Collection
___________________________
___________________________
___________________________
___________________________
___________________________
Slide 6 ___________________________
The Life of a Flow
___________________________
google.com 10.1.1.1
Cisco Router
___________________________
___________________________
___________________________
NetFlow Packet Header
StealthWatch
Flow Collector
___________________________
6 6
Slide 7 ___________________________
Flow Collection Methods
___________________________
• Traditional NetFlow
• Provides router interface statistics
StealthWatch
• Very easy to deploy; available for Flow Collector ___________________________
“free” almost anywhere Cisco
equipment is found
• No packet-level visibility or
response time information
• FlowSensor Appliance Edition (AE)
NetFlow ___________________________
• Enables flow monitoring where
traditional NetFlow is not
Cisco
available Catalyst ___________________________
• Provides flow performance 6500
information such as round-trip

time and server response time
• Requires SPAN port or Ethernet ___________________________
tap
• FlowSensor Virtual Edition (VE)
• Installs into VMware ESX to
monitor VM2VM communications
7
• Software only no hardware
Slide 8 ___________________________
Wide Support for NetFlow
___________________________
Cisco 1900
Cisco 1700
Cisco 800 Cisco 2800 ___________________________
Not Supported
Cisco 3750
Huawei Quidway
Cisco 2900
___________________________
Juniper Networks
Cisco 7200 VXR

Cisco 7600
Cisco 3900
___________________________
___________________________
Nortel Networks Cisco XR 12000 Cisco Nexus

7000 Cisco Catalyst 6500
8
Slide 9 ___________________________
Wide Support for NetFlow
___________________________
___________________________
___________________________
___________________________
___________________________
9
Slide 10 ___________________________
___________________________
• Provides router interface statistics
StealthWatch
• Very easy to deploy; available for Flow Collector ___________________________
equipment is found
• No packet-level visibility or
response time information ___________________________
NetFlow + latency
• FlowSensor Appliance Edition (AE)
statistics
• Enables flow monitoring where
available ___________________________
• Provides flow performance FlowSensor
AE
time and server response time
tap SPAN port
• FlowSensor Virtual Edition (VE)

tap
10
Slide 11 ___________________________
___________________________
• Provides router interface statistics StealthWatch
Flow Collector
• Very easy to deploy; available for ___________________________
equipment is found
• No packet-level visibility or NetFlow + VM
information
response time information ___________________________
• FlowSensor Appliance Edition (AE) physical
networ
• Enables flow monitoring where k
available virtual
___________________________
VM VM VM machine
• Provides flow performance guests

time and server response time packet
capture
VM2VM

virtual
switches
tap VMware ESX 3.5/4.0

• FlowSensor Virtual Edition (VE) Host

11
Slide 12 ___________________________
NetFlow v5 (most common)
___________________________
___________________________
___________________________
___________________________
* fixed format, cannot be extended to include new ___________________________

fields
12
Slide 13 ___________________________
NetFlow v9 (newer and more powerful)
___________________________
___________________________
___________________________
___________________________
___________________________
* 160+ fields to choose from including payload
sections
13
Slide 14 ___________________________
NetFlow v9 – NBAR support!
___________________________
Network-Based Application Recognition being
integrated with NetFlow in Cisco IOS-based
products ___________________________
** available Q4 2009 from Lancope
Over 600 applications supported.... ___________________________
___________________________
___________________________
14
Slide 15 ___________________________
___________________________
Why is NetFlow so popular? ___________________________
___________________________
___________________________
___________________________
15
Slide 16 ___________________________
NetFlow for the Network Team
___________________________
NetFlow Packet
flow1
StealthWatch
___________________________
Flow Collector
flow2
...
___________________________
Network Team Compliance and Auditing Security Team
Interface utilization PCI Compliance File sharing
Billing and chargeback HIPAA Compliance Malware outbreak detection
QOS monitoring SCADA Security Network acceptable use
BGP ASN monitoring Sarbanes-Oxley Flow forensics
___________________________
MPLS visibility Data loss prevention
Application troubleshooting
___________________________
Slide 17 ___________________________
NetFlow Compliance and Auditing
___________________________
NetFlow Packet
flow1
StealthWatch
___________________________
Flow Collector
flow2
...
___________________________
___________________________
___________________________
Slide 18 ___________________________
NetFlow for the Security Team
___________________________
NetFlow Packet
flow1
StealthWatch
___________________________
Flow Collector
flow2
...
___________________________
___________________________
___________________________
Slide 19 ___________________________
NetFlow vs. SNMP
___________________________
SNMP
___________________________
___________________________
NetFlow ___________________________
___________________________
19
Slide 20 ___________________________
NetFlow Reporting and Drilldown
___________________________
___________________________
___________________________
___________________________
___________________________
20
Slide 21 ___________________________
Visibility Lost Due to Emerging Tech
___________________________
Emerging network technologies are outpacing traditional
network monitoring techniques such as SNMP and SPAN/tap-
based technology... ___________________________
“10G Ethernet is so fast few probe
technologies can keep up and those
that can are too expensive”
“MPLS and multi-point VPNs create

___________________________
a meshed WAN that’s expensive to
monitor adequately”
“Virtualization hides whole network

___________________________
segments from the network manager’s
view, making VM2VM communication
problems difficult to troubleshoot”
___________________________
These issues result in an inability to react to network problems
because of a basic lack of .
21
Slide 22 ___________________________
10G+ Ethernet
___________________________
“10G Ethernet is so fast few probe technologies can keep up and those
___________________________
traditional
Ethernet
sensor
___________________________
Where
to plug
in?
___________________________
___________________________
22
Slide 23 ___________________________
NetFlow in a 10G+ Ethernet Environment
___________________________
“10G Ethernet is so fast few probe technologies can keep up and those
that can are extremely expensive”
StealthWatch
Flow Collector ___________________________
___________________________
___________________________
___________________________
23
Slide 24 ___________________________
Virtualization
___________________________
“Virtualization hides whole network segments from the network
manager’s view, making VM2VM communication problems difficult to
troubleshoot”
___________________________
VM1 VM2 VM3
virtual
machines
physical ___________________________
network
VM2VM
virtual
traditional
Ethernet probe
switches ___________________________
physical machine
___________________________
24
Slide 25 ___________________________
NetFlow in the Virtual Environment
___________________________
___________________________
VM VM VM
virtual
machines
physical
network ___________________________
promisc VM2VM
capture
NetFlow v9 virtual
switches
VM Server ___________________________
StealthWatch
Flow Collector
___________________________
*** Cisco Nexus 1000v also supports NetFlow
***
25
Slide 26 ___________________________
MPLS and Multi-point VPNs
___________________________
“MPLS and multi-point VPNs create a meshed WAN that’s
expensive to monitor adequately”
___________________________
traditional
Ethernet
sensor
___________________________
___________________________
___________________________
26
Slide 27 ___________________________
___________________________
Fully meshed connectivity circumvents network monitoring deployed at
the “hub” location…
___________________________
___________________________
___________________________
___________________________
27
Slide 28 ___________________________
___________________________
Full visibility requires a probe at each location throughout the WAN…
___________________________
___________________________
___________________________
___________________________
28
Slide 29 ___________________________
NetFlow Collection in the WAN
___________________________
Deploy a StealthWatch NetFlow collector at a central location and
enable NetFlow at each remote site…
___________________________
StealthWatch
Flow Collector
NetFlow Packet ___________________________
NetFlow Packet
___________________________
___________________________
29
Slide 30 ___________________________
Quick Recap
___________________________
“10G Ethernet is so fast few probe network speed has no effect

___________________________
technologies can keep up and those on NetFlow
“MPLS and multi-point VPNs create enable NetFlow at each remote

___________________________
a meshed WAN that’s expensive to location for WAN visibility
monitor adequately”
“Virtualization hides whole network ___________________________

segments from the network manager’s invest in Nexus 100v or
view, making VM2VM communication FlowSensor
problems difficult to troubleshoot” technology
___________________________
30
Slide 31 ___________________________
___________________________
Configuring and Working
with NetFlow ___________________________
___________________________
___________________________
___________________________
31
Slide 32 ___________________________
Flow Replication
___________________________
___________________________
___________________________
___________________________
___________________________
32
Slide 33 ___________________________
Flow Replication Modes
___________________________
Unicast Mode
___________________________
___________________________
Promiscuous Mode ___________________________
___________________________
33
Slide 34 ___________________________
Flow Replication: UDP Samplicator
___________________________
http://freshmeat.net/projects/samplicator/
___________________________
___________________________
___________________________
___________________________
34
Slide 35 ___________________________
Active vs. Inactive Timeouts
___________________________
Active Timeout
• configures longest amount of time a flow can stay in the cache regardless
of activity
• Recommend 1 minute
___________________________
• All exporters should have similar active timeouts
• Cisco default of 30 minutes is far too long
Inactive Timeout ___________________________
• configures how long a flow can be inactive before it is expired from the
cache
• Recommend 15 seconds (which is also the IOS default)
• All exporters should have similar inactive timeouts
___________________________
Cisco Router
___________________________
35
Slide 36 ___________________________
Configuring NetFlow – Traditional Method
___________________________
Configure “Active”
Timeout ___________________________
Enable NetFlow for
each interface on the
router
___________________________
(also: “ip flow ingress”)
Specify a destination
for the flows
___________________________
___________________________
36
Slide 37 ___________________________
Configuring NetFlow – Flexible NetFlow (FnF)
___________________________
• Tells router
which fields to
extract from ___________________________
flows
• “match” is key
field
• “collect” is non- ___________________________
key
___________________________
___________________________
37
Slide 38 ___________________________
___________________________
• Configure “exporter”
• Tells the router where to ___________________________
send the flows.
___________________________
___________________________
___________________________
38
Slide 39 ___________________________
___________________________
• Configure “monitor”
• Sets up the cache timeouts and ___________________________
type
___________________________
___________________________
___________________________
39
Slide 40 ___________________________
___________________________
• Enable NetFlow on each interface
• Reference the “monitor” ___________________________
command in the interface config
___________________________
___________________________
___________________________
Blog entry describing FnF in detail...
http://netflowninjas.typepad.com/blog/2009/0
8/index.html
40
Slide 41 ___________________________
___________________________
Lab Exercise #1, #2 ___________________________
___________________________
___________________________
___________________________
41
Slide 42 ___________________________
Ingress vs. Egress NetFlow
___________________________
___________________________
___________________________
___________________________
___________________________
42
Slide 43 ___________________________
NetFlow on the Catalyst 6500
___________________________
Catalyst 6500
(MSFC) NetFlow
___________________________
___________________________
(Sup) NetFlow
___________________________
___________________________
43
Slide 44 ___________________________
Helpful Links re: CPU and bandwidth consumption from NetFlow
___________________________
Cisco Whitepaper: NetFlow Performance Analysis
http://www.cisco.com/en/US/tech/tk812/technologies_white_paper0900aecd802a0eb
9.shtml ___________________________
Fully loaded ISR running software IOS ~15%
CPU uptick resulting from NetFlow enablement.
___________________________
Lancope NetFlow Bandwidth Calculator ___________________________

http://lancope.com/netflowcalculator.aspx
1200 flows per second for each 250Mbps of

traffic. That's about 680Kbps of NetFlow v5
traffic arriving at the collector per 250Mbps of
___________________________
traffic seen by the exporter.
44
Slide 45 ___________________________
Viewing NetFlow bps rate per exporter
___________________________
___________________________
___________________________
___________________________
___________________________
45
Slide 46 ___________________________
___________________________
Working with NetFlow ___________________________
___________________________
___________________________
___________________________
46
Slide 47 ___________________________
Troubleshooting with NetFlow
___________________________
• Several approaches to working with flow data...
• Direct router access via CLI ___________________________
• Flow-tools, ntop and other open source
• Commercial NetFlow Collector
___________________________
___________________________
___________________________
47
Slide 48 ___________________________
Direct router access via CLI (Traditional)
___________________________
___________________________
___________________________
___________________________
___________________________
Malware Target Hosts Target Port
Infected (0x87=135)
Host
48
Slide 49 ___________________________
Direct access via CLI (Flexible NetFlow)
___________________________
___________________________
___________________________
___________________________
___________________________
49
Slide 50 ___________________________
Direct access via CLI (Flexible NetFlow)
___________________________
___________________________
___________________________
___________________________
___________________________
50
Slide 51 ___________________________
Flow-tools, ntop and other open source
___________________________
FLOW-TOOLS
• Collection of small open source programs to post process Cisco NetFlow
compatible flows
• Written in C, designed to be fast and lean ___________________________
• Allows for text-based reporting, storage, and analysis of flows
• Installation with “configure;make;make install” on most platforms
(FreeBSD, Linux, Solaris, BSDi, NetBSD)
• Only supports NetFlow v1/5/7 ___________________________
http://www.splintered.net/sw/flow-tools
NTOP ___________________________
• Lightweight, open-source, web-based flow reporting technology
• Similar to the Linux “top” utility but for network traffic rather than
processes
• Installation with “configure;make;make install” on most platforms ___________________________
(FreeBSD, Linux, Solaris, BSDi, NetBSD)
• Support for NetFlow v1/5/7/9 and sFlow
51
http://www ntop org
Slide 52 ___________________________
ntop web-UI
___________________________
___________________________
___________________________
___________________________
___________________________
52
Slide 53 ___________________________
Enable NetFlow on your Linksys router!
___________________________
___________________________
___________________________
___________________________
___________________________
53
<non-confidential>
Slide 54 ___________________________
Flow-tools CLI
___________________________
___________________________
___________________________
___________________________
src src dst dst proto pkts octets
interface IP interface IP
start and src dst TCP
___________________________
end times port port flags
(2=SYN)
54
Slide 55 ___________________________
...other open source
___________________________
Introduction to Cisco IOS NetFlow - A Technical Overview
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/prod_whit
e_paper0900aecd80406232.html
___________________________
___________________________
___________________________
___________________________
55
Slide 56 ___________________________
NetFlow Deduplication
___________________________
___________________________
___________________________
___________________________
___________________________
56
Slide 57 ___________________________
Troubleshooting with NetFlow: An Example
___________________________
The scenario:
• 8pm EDT, worker arrives at home
and logs into the corporate VPN to
finish up some work left over from ___________________________
the office earlier in the day.
• Worker forgets to log
off the VPN.
• Worker’s wife sits down at the ___________________________
same computer and begins
downloading season 2 of
The Office in HD from iTunes
• The corporate VPN Concentrator ___________________________
suffers under the load caused
by the downloads
(4Mbps max VPN throughput)
The result:
___________________________
• Users on the west coast (5pm PDT)
experience severe reduced
performance and begin to
57 complain.
Slide 58 ___________________________
___________________________
___________________________
___________________________
___________________________
___________________________
58
Slide 59 ___________________________
___________________________
___________________________
___________________________
___________________________
___________________________
59
Slide 60 ___________________________
___________________________
___________________________
___________________________
___________________________
___________________________
60
Slide 61 ___________________________
___________________________
___________________________
___________________________
___________________________
___________________________
61
Slide 62 ___________________________
___________________________
___________________________
___________________________
___________________________
___________________________
62
Slide 63 ___________________________
___________________________
___________________________
___________________________
___________________________
___________________________
63
Slide 64 ___________________________
___________________________
___________________________
___________________________
___________________________
___________________________
64
Slide 65 ___________________________
___________________________
___________________________
___________________________
___________________________
___________________________
65
Slide 66 ___________________________
___________________________
___________________________
___________________________
___________________________
___________________________
66
Slide 67 ___________________________
___________________________
Threat Detection Methodologies ___________________________
___________________________
___________________________
___________________________
67
Slide 68 ___________________________
___________________________
___________________________
___________________________
___________________________
___________________________
68
Slide 69 ___________________________
Flow-based Threat Detection
___________________________
StealthWatch
Flow Collector
___________________________
Flow-based Pattern Matching Behavior Analysis
___________________________
___________________________
___________________________
69 69
Slide 70 ___________________________
Threat Detection Method #1:
Pattern Recognition
___________________________
___________________________
___________________________
___________________________
___________________________
Slide 71 ___________________________
Threat Detection Method #2:
Behavior-based Analysis
___________________________
___________________________
___________________________
___________________________
___________________________
Slide 72 ___________________________
Threat Detection Method #3: Visualization
___________________________
___________________________
___________________________
___________________________
___________________________
72
Slide 73 ___________________________
___________________________
___________________________
___________________________
___________________________
___________________________
73
Slide 74 ___________________________
___________________________
Scanning activity
___________________________
represented in a
Peer vs. Peer
diagram
___________________________
___________________________
___________________________
74
Slide 75 ___________________________
___________________________
FlowSensor Technology ___________________________
___________________________
___________________________
___________________________
75
Slide 76 ___________________________
FlowSensor Technology
___________________________
FlowSensor NetFlow
(NetFlow Enabled) Collector
___________________________
NetFlow NetFlow
Catalyst 3750
(No NetFlow)
Catalyst 6500
(NetFlow Enabled) ___________________________
___________________________
___________________________
76
Slide 77 ___________________________
FlowSensor AE
___________________________
• Light-weight, cost-effective 1U
network
appliance StealthWatch
___________________________
• Collects Ethernet frames and
Flow Collector
exports NetFlow v9
___________________________
• Monitor up to (5) 3750s
NetFlow
simultaneously
• Works with FlowSensor ___________________________
any NetFlow
Model Capacity v9
Disk capable flowList Price
Interfaces
collector
AE-500 200 Mbps ** AVAILABLE Q3-2010 **
AE-1000 1 Gbps 73GB 3 or 5 $6,995
AE-2000 2.5 Gbps 160GB 3 or 5 $12,995
___________________________
AE-3000 5.0 Gbps ** AVAILABLE Q2-2010 **
77
Slide 78 ___________________________
FlowSensor VE (Virtual Edition)
___________________________
• Lightweight, virtual appliance for VMware ESX 3.5 and
4.0
• Captures and records all VM2VM communications ___________________________
within the virtual network environment
• Exports NetFlow v9 from within the VMware ESX host ___________________________

• FREE to download and try
(visit lancope.com to register and download)
___________________________
VMware Server
StealthWatch NetFlow
___________________________
Flow Collector
78
Slide 79 ___________________________
10G Monitoring with Stackable FlowSensors
___________________________
Ethernet loadbalancer
vendors... 10G
FlowSensor
AE-2000 7.5G ___________________________
2.5G
5.0G
2.5G
FlowSensor
AE-2000 16x 1G ___________________________
NetFlow 2.5G
FlowSensor
StealthWatch
Flow Collector
AE-2000
___________________________
2.5G
___________________________
79
Slide 80 ___________________________
NetFlow for Breadth, Packets for Depth
___________________________
VM Server
Traditional
NetFlow
FlowSensor AE FlowSensor VE
___________________________
Latency Info Router Info VM Info
___________________________
Flows
Stealthwatch 5.10 Screenshot
___________________________
___________________________
80
Slide 81 ___________________________
Works with any NetFlow v9 collector!
___________________________
• 1,000,000 record cache size Cisco Flexible NetFlow Equivalent:
>> dynamically expands with increased load
!
• 60 second active timeout,

flow record lancope_template
match ipv4 tos
___________________________
15 second inactive match ipv4 protocol
>> follows Cisco IOS rules for aging match ipv4 source address
match ipv4 destination address
• Very similar to Cisco’s NetFlow v9

match transport source-port
match transport destination-port
___________________________
>> see equivalent IOS config at right match interface input
collect ipv4 dscp
collect ipv4 ttl minimum
• IPv6 aware
>> your collector much be IPv6 capable
collect ipv4 ttl maximum
collect ipv4 section header size 60
___________________________
collect transport tcp flags
• VLAN aware collect interface output
collect counter bytes
>> export VLAN tags in NetFlow collect counter packets
collect timestamp sys-uptime first
___________________________
collect timestamp sys-uptime last
!
81
Slide 82 ___________________________
Works Best with Lancope’s Collector
___________________________
SRCIP DSTIP PROTO DPORT SPORT PKTS BYTES RTT SRT ...
230m
TCP 80 5749 73 9,092 65ms ...
s
TCP 5749 80 103

78,02
65ms
230m
...
___________________________
0 s
___________________________
StealthWatch
FlowSensor
___________________________
SPAN
___________________________
round trip time across the network time it takes the server
RTT SRT
same as “ping” output to process a request
82
Slide 83 ___________________________
On a Related Note: World of Warcraft
___________________________
___________________________
Grinding in
Wintergrasp Northrend ___________________________
Various BGs
___________________________
___________________________
83
Slide 84 ___________________________
Thank You!
___________________________
 Flow-based technologies provide unrivaled scale and
cost effectiveness in large enterprise environments
___________________________
 NetFlow is not just for netops, its value extends
across all IT from compliance auditing to helpdesk
support
___________________________
 Enable NetFlow on as many devices as you can to
maximize visibility, the more the better
 Consider CPU and memory impact but don’t dwell ___________________________
on it, it’s not as big a problem as you may think
 NetFlow is ideal for monitoring port dense
datacenters and large distributed WAN
environments. No probes are required.
___________________________
84

Introduction To Cisco'S Netflow Technology: Slide 1

Загружено:

Сведения о документе

Исходное описание:

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Introduction To Cisco'S Netflow Technology: Slide 1

Загружено:

Авторское право:

Доступные форматы

NetFlow 101 Boot Camp March 18, 2010

Introduction to Cisco’s ___________________________

NetFlow 101 Seminar, 2010

Introduction to NetFlow ___________________________

information such as round-trip

Cisco 7200 VXR

Nortel Networks Cisco XR 12000 Cisco Nexus

• FlowSensor Virtual Edition (VE)

information such as round-trip

• Requires SPAN port or Ethernet ___________________________

tap VMware ESX 3.5/4.0

• Installs into VMware ESX to

* fixed format, cannot be extended to include new ___________________________

Why is NetFlow so popular? ___________________________

“MPLS and multi-point VPNs create

“Virtualization hides whole network

“10G Ethernet is so fast few probe network speed has no effect

“MPLS and multi-point VPNs create enable NetFlow at each remote

“Virtualization hides whole network ___________________________

Promiscuous Mode ___________________________

Lab Exercise #1, #2 ___________________________

Lancope NetFlow Bandwidth Calculator ___________________________

1200 flows per second for each 250Mbps of

Working with NetFlow ___________________________

Threat Detection Methodologies ___________________________

FlowSensor Technology ___________________________

• Exports NetFlow v9 from within the VMware ESX host ___________________________

Latency Info Router Info VM Info

• 60 second active timeout,

• Very similar to Cisco’s NetFlow v9

TCP 5749 80 103

Вам также может понравиться