NetFlow 101 Seminar Series, 2012
NetFlow 101 SeminarSeries, 2012An Introduction to Cisco’s NetFlow TechnologyKnow Your Network, Run Your Business
Agenda Introduction to NetFlowhow it works, what it is Why is NetFlow so popular?NetFlow costs less and works better How is NetFlow used?what can we do with NetFlow? Configuring and Working with NetFlowa glimpse into the power of NetFlow Cisco Flexible NetFlow Labset up and work with NetFlow Lancope’s StealthWatch Systempremium NetFlow collection and analysis
Science of Flow Analysis Lancope specializes in Behavior-based Network Flow AnalysisDetects attacks by baselining and analyzing network traffic patternsExcellent defense in depth strategy to aid in defense of critical assetsOver 600 customers world-wideOperational since 2002, located in Atlanta, GAhttp://netflowninjas.lancope.com
Introduction toNetFlowKnow Your Network, Run Your Business
Recap: The OSI ModelLowerUpperLayer-7: Application HTTP Browser, FTP, TelnetLayer-6: Presentation JPEG, GIF, MPEG-2Layer-5: Session WinSock, RPC, SQL, NFSLayer-4: Transport TCP, UDP, SPXLayer-3: Network IP, ICMP, IPXLayer-2: Data-Link Ethernet (Mac Addresses)Layer-1: Physical Hub, Cat-5 Cable
Introducing NetFlow Technologytelephone billNetFlow
Internal Visibility Through NetFlowNetFlow PacketsInternetsrc and dst ipsrc and dst portVPNstart timeend timeNetFlowmac addressbyte count- more -NetFlowDMZNetFlowInternalNetworkNetFlow Collector
Create New TCP FlowNon-Key FieldsKey 28023:14:0623:14:061195Gi4/13Gi2/1SNETFLOW CACHEDataTCP10.1.1.1102410.2.2.280SYN
Create New TCP FlowIngress and Egress ports are based on the interfaceon which the packets entered and left the .1.1.1102423.14:0723.14.071132Gi2/1Gi4/13SANETFLOW CACHESYN/ACK102410.1.1.18010.2.2.2TCPData
Update Existing TCP FlowPacket and Byte counts are incrementedaccordingly. Last Seen is also LOW CACHEDataTCP10.1.1.1102410.2.2.280ACK
Update Existing TCP 1.1.1102423.14:0723.14.082862Gi2/1Gi4/13SAPNETFLOW CACHEACK/PSH102410.1.1.18010.2.2.2TCPData
Create New UDP -NETFLOW CACHEDataUDP10.3.1.1291810.2.8.1253
Create New UDP /1Gi4/12-NETFLOW CACHE291810.3.1.15310.2.8.12UDPData
Create New ICMP 23.14.12196Gi4/19Gi2/1-Most NetFlow caches do not offer ICMP type andcode fields so the Destination Port column isoverloaded with with ICMP information.NETFLOW CACHEDataICMPECHOREQUEST10.1.1.410.2.8.14
Update Existing ICMP 23.14.132192Gi4/19Gi2/1-NETFLOW CACHEDataICMPECHOREQUEST10.1.1.410.2.8.14
Create New ICMP 3192Gi2/1Gi4/19-ECHOREQUESTECHORESPONSENETFLOW CACHE10.1.1.410.2.8.14ECHORESPONSEICMPData
Continued 523.14.15196Gi4/19Gi2/1-ICMP10.1.1.4-NETFLOW 1.1.4TCPDataData231010.2.8.1510.2.2.4443SYN
NetFlow In Action
Flow Collection Methods Traditional NetFlow– Provides router interface statistics– Very easy to deploy; available for “free”almost anywhere Cisco equipment is found– No packet-level visibility or response timeinformation FlowSensor Appliance– Enables flow monitoring where traditionalNetFlow is not available– Provides flow performance informationsuch as round-trip time and serverresponse time– URL information in Flows– Requires SPAN port or Ethernet tap FlowSensor Virtual Edition (VE)– Installs into VMware ESX to monitorVM2VM communications– Software only, no hardware requiredNetFlowCollectorNetFlowCiscoCatalyst6500
Cisco NetFlow SupportCisco 2900Cisco ASACisco 7600Cisco 1700HardwareSupportedCisco 2800Cisco 7200 VXRCisco XR 12000Cisco ISR G2Cisco ASRCisco 3560/3750-XCisco Nexus 7000Cisco Catalyst 4500Cisco Catalyst 650020 2011 Lancope , Inc. All Rights Reserved.Company Confidential (not for distribution)
Wide Support for NetFlowExinda 2060Palo AltoFirewallsHuawei QuidwayJuniper NetworksBlueCoat PacketShaperSonicWall 3500Citrix NetScalerNortel Networks
Flow Collection Methods Traditional NetFlow– Provides router interface statistics– Very easy to deploy; available for “free”almost anywhere Cisco equipment is found– No packet-level visibility or response timeinformation FlowSensor Appliance– Enables flow monitoring where traditionalNetFlow is not available– Provides flow performance informationsuch as round-trip time and serverresponse time– URL information in Flows– Requires SPAN port or Ethernet tap FlowSensor Virtual Edition (VE)– Installs into VMware ESX to monitorVM2VM communications– Software only, no hardware requiredNetFlowCollectorNetFlow latency statistics URLsFlowSensorAESPAN porttap
Flow Collection Methods Traditional NetFlow– Provides router interface statistics– Very easy to deploy; available for “free”almost anywhere Cisco equipment is found– No packet-level visibility or response timeinformation FlowSensor Appliance– Enables flow monitoring where traditionalNetFlow is not available– Provides flow performance informationsuch as round-trip time and serverresponse time– URL information in Flows– Requires SPAN port or Ethernet tap FlowSensor Virtual Edition (VE)– Installs into VMware ESX to monitorVM2VM communications– Software only, no hardware required
FlowSensor VE: How It Works1VM to VMcommunications capturedby the FlowSensor2Virtualized FlowSensorcreates NetFlow v9packets just like a router3External Flow Collector hascomplete visibility into thevirtual network backplane(layer-2!)*Other virtual NetFlowenablement mechanisms:- Cisco Nexus-1000v- Xen Open vSwitchFlow Collector
NetFlow VersionsVersionStatusv1Similar to v5 but without sequence numbers or BGP infov2Never releasedv3Never releasedv4Never releasedv5Fixed format, most common version found in productionv6Never releasedv7Similar to v5 but without TCP flags, specific to Cat5k and Cat6kv8Aggregated formats, never gained wide use in the enterprisev9“Next Gen” flow format found in most modern NetFlow exporters,supports IPv6, MPLS, Multicast, many othersIPFIXSimilar to v9 but standardized and with variable length fields
NetFlow v5* (most common)* fixed format, cannot be extended to include new fields
NetFlow Version 9: Key FieldsFlowIPv4Sampler IDIP (Source orDestination)Payload SizeIP (Source orDestination)Payload SizePrefix (Source orDestination)Packet Section(Header)Prefix (Source orDestination)Packet Section(Header)Mask (Source orDestination)Packet Section(Payload)Mask (Source orDestination)Packet Section(Payload)Minimum-Mask(Source orDestination)TTLMinimum-Mask(Source ension HeadersDot1q VLANFragmentationFlagsVersionTraffic ClassHop-LimitDot1q priorityFragmentationOffsetPrecedenceFlow LabelLengthOption HeaderNext-headerIdentificationDSCPHeader LengthTOSHeader LengthVersionDirectionInterfaceInputOutputLayer 2Source VLANDest VLANSource MACaddressDestination MACaddressTotal LengthIPv6Payload Length
NetFlow Version 9: Key FieldsRoutingTransportsrc or dest ASDestination PortTCP Flag: ACKPeer ASSource PortTCP Flag: CWRTraffic IndexICMP CodeTCP Flag: ECEForwardingStatusICMP TypeTCP Flag: FINIGMP Type*TCP Flag: PSHTCP ACK NumberTCP Flag: RSTTCP Header LengthTCP Flag: SYNTCP Sequence NumberTCP Flag: URGIGP Next HopBGP Next HopInput VRFNameApplicationApplication IDMulticastReplicationFactor*RPF CheckDrop*Is-MulticastTCP Window-SizeUDP Message LengthTCP Source PortUDP Source PortTCP Destination PortUDP Destination PortTCP Urgent Pointer
NetFlow Version 9: Non-Key FieldsCountersTimestampIPv4IPv4 and IPv6BytessysUpTime FirstPacketTotal LengthMinimum (*)Total LengthMinimum (**)Bytes LongsysUpTime FirstPacketTotal LengthMaximum (*)Total LengthMaximum (**)Bytes Square SumTTL MinimumBytes Square Sum LongTTL MaximumPacketsPackets Long Plus any of the potential “key” fields: will be the value from the first packetin the flow(*) IPV4 TOTAL LEN MIN, IPV4 TOTAL LEN MAX(**)IP LENGTH TOTAL MIN, IP LENGTH TOTAL MAX
NetFlow Version 9 Export PacketTemplate FlowSetHEADERTemplateRecordTemplateID #1TemplateRecordTemplateID #2(SpecificFieldTypes andLengths)(SpecificFieldTypes andLengths)Template 1Template 2Data FlowSetFlowSet ID #1Data FlowSetFlowSet ID #1FlowSetID dValues)(FieldValues)
NetFlow v9: Application Aware NetFlowPalo AltoFirewallsExindaSonicWall NSALancope FlowSensorBlueCoat PacketShaperCisco ASRCisco ISR G2
Application Awarenesslayer-7layer-4
HTTP Application Awareness – Flow Payload Sampling
URL Data from the FlowSensor Added Application Details (meta-data) by extending existing Payloadfunctionality– For HTTP: Host name, path, and response code / error messages– For HTTPS: Common name and organization Flow Table is only place this information is shown
A Note on sFlow Found in Foundry, Extreme, HPProcurve, etc Uses sampling such as “1 in 128”packets The first 100 bytes of theEthernet frame is extracted andplaced into a UDP packet 1500 sFlow packets are sent tothe sFlow collector Collector scales the byte countsbased on scaling factor Performs poorly in low-bandwidthenvironment or when full flowdetails are needed (compliance)sFlow Collector
Why NetFlow?Know Your Network, Run Your Business
Business Challenges High availability and performance of the Network and its Apps Constantly evolving networks create gaps in monitoring 10G, 40G, 100G Interfaces MPLS & Multipoint VPN Lack of Internal security Gaps left by traditional security technologies High-speed, highly segmented networks IT Consumerization Rapidly evolving threats - How do we stay out of the news? Advanced Persistent Threat Denial of Service Data Exfiltration Compliance – SOX, PCI, HIPPA, etc Lack of visibility into behaviors across the network User accountability for employees, partners, consultants, customers
10G Ethernet“10G Ethernet is so fast few probe technologies can keep up and those that can are tooexpensive”traditionalEthernetsensorWhere toplug in?
10G Ethernet“NetFlow enables monitoring without the high cost of placing probes throughout thenetwork”Flow CollectorNetFlow Capable
MPLS and Multi-point VPNs“MPLS and multi-point VPNs create a meshed WAN that’s expensive to monitoradequately”traditionalEthernetsensor
MPLS and Multi-point VPNsFully meshed connectivity circumvents network monitoring deployed at the “hub”location
MPLS and Multi-point VPNsFull visibility requires a probe at each location throughout the WAN
NetFlow Collection in the WANDeploy a StealthWatch NetFlow collector at a central location and enable NetFlow ateach remote site NetFlow CollectorNetFlow PacketNetFlow Packet
NetFlow Benefits for Network Operations Fully integrated view of: Network usagePerformanceHost integrityUser behavior Diagnose the source and root cause of a network problem causingresponse time delays Network management and security operations collaboration Avoid expensive upgrades and complexity to existing networkmanagement and security architectures with fully meshednetworks Provides extensive historical and trending data to facilitate networkperformance capacity planning and resource management
Business Challenges High availability and performance of the Network and its Apps Constantly evolving networks create gaps in monitoring 10G, 40G, 100G Interfaces MPLS & Multipoint VPN Lack of Internal security Gaps left by traditional security technologies High-speed, highly segmented networks IT Consumerization Rapidly evolving threats - How do we stay out of the news? Advanced Persistent Threat Denial of Service Data Exfiltration Compliance – SOX, PCI, HIPPA, etc Lack of visibility into behaviors across the network User accountability for employees, partners, consultants, customers
Once upon a timeInternetVPNDMZInternalNetwork
The Mobile Computing EraInternetVPNDMZInternalNetwork
And now BYOD or IT work4GInternet3GInternet
BYOD is Riskiest Difficult to find common AV or hostbased IDS spanning platforms Reliant on employees to install them Cisco says 70 percent of youngworkers ignore IT ent?type webcontent&articleId 586267 Over half of all IT leaders in the U.S.say that employee-owned mobiledevices pose a greater risk to theenterprise than mobile devicessupplied by the company.
Internal Visibility Through NetFlowNetFlow PacketsInternetsrc and dst ipsrc and dst portVPNstart timeNetFlowend timemac addressbyte count- more NetFlow3GInternetNetFlow Collector
Business Challenges High availability and performance of the Network and its Apps Constantly evolving networks create gaps in monitoring 10G, 40G, 100G Interfaces MPLS & Multipoint VPN Lack of Internal security Gaps left by traditional security technologies High-speed, highly segmented networks IT Consumerization Rapidly evolving threats - How do we stay out of the news? Advanced Persistent Threat Denial of Service Data exfiltration Compliance – SOX, PCI, HIPPA, etc Lack of visibility into behaviors across the network User accountability for employees, partners, consultants, customers
The Threats are Real52 2012 Lancope , Inc. All Rights Reserved.
53 2011 Lancope , Inc. All Rights Reserved.Company Confidential (not for distribution)
Bad Things Will Happen HBGary vs. Anonymous: Story by Ars ary-hack.ars HBGary Federal sought to “out” WikiLeaks and associated Anonymoushacker organization Anonymous finds out and launches full frontal assault on HBGary HBGary website defaced,emails stolen, backups deleted,twitter and LinkedIn accountshacked, etc. Massive damage to HBGary’sreputation Cleanup could take weeks ormonths
Business Challenges High availability and performance of the Network and its Apps Constantly evolving networks create gaps in monitoring 10G, 40G, 100G Interfaces MPLS & Multipoint VPN Lack of Internal security Gaps left by traditional security technologies High-speed, highly segmented networks IT Consumerization Rapidly evolving threats - How do we stay out of the news? Advanced Persistent Threat Denial of Service Data Exfiltration Compliance – SOX, PCI, HIPPA, etc Lack of visibility into behaviors across the network User accountability for employees, partners, consultants, customers
How is NetFlow Used?What Can We DoWith It?Know Your Network, Run Your Business
NetFlow VisibilityNETWORKING Operational troubleshootingCOMPLIANCE Remote and data centersecurity PCI Internal IDS/IPS SCADA QoS Monitoring Network forensics FISMA NIST Application performance Data extrusion detection Organizational billing Firewall planning/auditing Capacity planning andoptimization57SECURITY 2011 Lancope , Inc. All Rights Reserved.Company Confidential (not for distribution) HIPAA, GLB, SOX
How Flows are UsedTraffic Analysis and Network Visibility1 Bandwidth Trending Network troubleshooting QoS Monitoring Router CapacityDetect Network Anomalies2 Internal Monitoring Firewall Validation Rapid Detection DoS DetectionForensics and Incident Response3 Reduce MTTK Situational Awareness Records *All* Traffic Compliments SIEM
SNMP Monitoring59 2011 Lancope , Inc. All Rights Reserved.Company Confidential (not for distribution)
SNMP Monitoring Cont.60 2011 Lancope , Inc. All Rights Reserved.Company Confidential (not for distribution)
Traffic Visibility with NetFlow and NBAR61 2011 Lancope , Inc. All Rights Reserved.Company Confidential (not for distribution)
Traffic Visibility with NetFlow and NBAR Cont.HTTP (unclassified)62 2011 Lancope , Inc. All Rights Reserved.Company Confidential (not for distribution)
How Flows are UsedTraffic Analysis and Network Visibility1 Bandwidth Trending Network troubleshooting QoS Monitoring Router CapacityDetect Network Anomalies2 Internal Monitoring Firewall Validation Rapid Detection DoS DetectionForensics and Incident Response3 Reduce MTTK Situational Awareness Records *All* Traffic Compliments SIEM
NetFlow security use cases Detecting Sophisticated and Persistent Threats. Malware that makes itpast perimeter security can remain in the enterprise waiting to strike aslurking threats. These may be zero day threats that do not yet have anantivirus signature or be hard to detect for other reasons. Uncovering Network Reconnaissance. Some attacks will probe thenetwork looking for attack vectors to be utilized by custom-crafted cyberthreats. Finding Internally Spread Malware. Network interior malwareproliferation can occur across hosts for the purpose gathering securityreconnaissance data, data exfiltration or network backdoors. Identifying BotNet Command & Control Activity. BotNets are implanted inthe enterprise to execute commands from their Bot herders to send SPAM,Denial of Service attacks, or other malicious acts. Revealing Data Loss. Code can be hidden in the enterprise to export ofsensitive information back to the attacker. This Data Leakage may occurrapidly or over time.
Host Becomes Infected Internal host connects to amalware infected website– Downloads data infecting thesystem Method of detectionInternet/MPLS– Host Lock to known bad listNetFlow Packetssrc and dst ipsrc and dst portstart timeend timemac addressbyte count- more -NetFlow(Collector(
Communication to CNC Host communicates withCommand and Controlnetwork for instructions– Periodic phone home Method of detection– Host Lock to known bad list– Suspect Long Flow andBeaconing Host alarmsInternet/MPLSNetFlow Packetssrc and dst ipsrc and dst portstart timeend timemac addressbyte count- more -NetFlow(Collector(
Detecting Command and ControlAccess1. Infected machine opens connectionCatalyst36502. Periodic command and control exchangeCatalyst4500Catalyst37503. Infrastructure generates NetFlow DataISRASADistribution/CoreISRInternetData CenterCatalyst6500ISRFlowCollector
Network activities Compromised host performs maliciousactivities– Attempts to compromise internal resources(probing)– Becomes a member of DDoS– Data extrusion to Internet Method of detection– Scanning detection (CI)– DoS Monitoring– Suspect Data LossNetFlow Packetssrc and dst ipsrc and dst portstart timeend timeNetFlow(Collector(mac addressbyte count- more -Internet/MPLS
Detecting Network ReconnaissanceAccessCatalyst3650Subnet Pings and SweepsCatalyst4500Catalyst3750ISRInfrastructure generates NetFlow DataASADistribution/CoreISRInternetData CenterCatalyst6500ISRFlowCollector
Distributed Denial of ServiceAccessCatalyst3650Infected hosts DDOS Data n/CoreISRInternetData CenterCatalyst6500ISRFlowCollector70 2011 Lancope , Inc. All Rights Reserved.Company Confidential (not for distribution)
Detecting Data 37501. Infected machine opens connection2. Infected machine exfiltrates dataISR3. Infrastructure generates NetFlow DataASADistribution/CoreISRInternetData CenterCatalyst6500ISRFlowCollector
Traffic Analysis and Network Visibility Advanced Top N reports showing any time period across any Host Group
Flow-based Anomaly Detection
Expert Systems For Analytics74 2011 Lancope , Inc. All Rights Reserved.Company Confidential (not for distribution)
Behavior-based Analysis
StealthWatch Threat Indexes
How Flows are UsedTraffic Analysis and Network Visibility1 Bandwidth Trending Network troubleshooting QoS Monitoring Router CapacityDetect Network Anomalies2 Internal Monitoring Firewall Validation Rapid Detection DoS DetectionForensics and Incident Response3 Reduce MTTK Situational Awareness Records *All* Traffic Compliments SIEM
Incident Investigation Using Flows5 hour 6 Mbps ssh connection?
Incident Investigation Using Flows
Incident Investigation Using Flows
Map Flows to Users
Configuring andWorkingwith NetFlowKnow Your Network, Run Your Business
Flow Replication
Flow Replication ModesUnicast ModePromiscuous Mode
Flow Replication: UDP or/
Active vs. Inactive TimeoutsInactive Timeout configures how long a flow can be inactive before it is expired from the cache Recommend 15 seconds (which is also the IOS default) All exporters should have similar inactive timeoutsActive Timeout configures longest amount of time a flow can stay in the cache regardless of activity Recommend 1 minute All exporters should have similar active timeouts Cisco default of 30 minutes is far too longLast Seen – First Seen Time Active
Configuring Netflow – Flexible NetFlow1. Configure the ExporterRouter(config)# flow exporter my-exporterWhere do I want my data sent?Router(config-flow-exporter)# destination 1.1.1.12. Configure the Flow RecordRouter(config)# flow record my-recordRouter(config-flow-record)# match ipv4 destination addressWhat data do Imatchwant tometer?Router(config-flow-record)#ipv4source addressRouter(config-flow-record)# collect counter bytes3. Configure the Flow MonitorRouter(config)# flow monitor my-monitorRouter(config-flow-monitor)#How do I want to low-monitor)# record my-record4. Apply to an InterfaceRouter(config)# interface gi0/1Which interface do I want to monitor?Router(config-if)# ip flow monitor my-monitor input87 2011 Lancope , Inc. All Rights Reserved.Company Confidential (not for distribution)
Flexible NetFlow - User-Defined Record ConfigurationRouter(config)# flow record my-recordRouter(config-flow-record)# matchRouter(config-flow-record)# collectSpecify a Key FieldSpecify a Non-Key KieldRouter(config-flow-record)# match ?applicationApplication FieldsdatalinkDatalink (layer 2) fieldsflowFlow identifying fieldsinterfaceInterface fieldsipv4IPv4 fieldsipv6IPv6 fieldsroutingrouting attributestransportTransport layer fieldRouter(config-flow-record)# collect ?applicationApplication FieldscounterCounter fieldsdatalinkDatalink (layer 2) fieldsflowFlow identifying fieldsinterfaceInterface fieldsipv4IPv4 fieldsipv6IPv6 fieldsroutingIPv4 routing attributestimestampTimestamp fieldstransportTransport layer fields
Configuring a Flexible NetFlow Flow RecordRouter(config)# flow g-flow-record)#Router(config-flow-record)#89 2011 Lancope , Inc. All Rights Reserved.my-recordmatch ipv4 tosmatch ipv4 protocolmatch ipv4 destination addressmatch ipv4 source addressmatch transport source-portmatch transport destination-portmatch interface inputcollect routing destination ascollect routing next-hop address ipv4collect ipv4 dscpcollect ipv4 ttl maximumcollect ipv4 ttl minimumcollect transport tcp flagscollect interface outputcollect counter bytescollect counter packetscollect timestamp sys-uptime firstcollect timestamp sys-uptime lastCompany Confidential (not for distribution)
Useful Show Commands List of all possible information elementsshow flow exporter export-ids netflow-v9 Template assignmentshow flow exporter template High watermark in the cacheshow flow monitor flow-monitor statistics NetFlow configurationshow running flow [exporter monitor record]
Lab Exercise #1, #2Know Your Network, Run Your Business
Working withNetFlowKnow Your Network, Run Your Business
Sup (SP)MSFC (RP)Configuring NetFlow on the Cat6k (older)!ip flow-export destination {collector ip} 2055ip flow-export source loopback0ip flow-export version 9ip flow-cache timeout active 1ip flow-cache timeout inactive 15ip flow-export version 9 origin-asip flow ingress layer2-switched vlan {vlanlist}ip flow-capture mac-addressesip flow-capture vlan-idsnmp-server ifindex persistmls nde sender version 7mls aging long 64mls aging normal 32mls nde interfacemls flow ip interface-full!interface {interface}ip flow ingress!exporter IP and portloopback0 usuallyexport in NetFlow v9 formatactive timeout in minutesinactive timeout in secondsenables BGP AS reportingenables layer-2 NetFlowenables layer-2 MAC addressesenables vlan idsfreezes ifindex valuessup NetFlow versionsup active timeout in seconds
NetFlow Impact to CPU and NetworkCisco Whitepaper: NetFlow Performance nologies white paper0900aecd802a0eb9.shtmlFully loaded ISR running software IOS 15% CPUuptick resulting from NetFlow enablement.Cat6K only runs into issues when TCAM full.Lancope NetFlow Bandwidth xAssume 50 flows per second for each 10Mbps of traffic.
Troubleshooting with NetFlow Several approaches to working with flow data. Direct router access via CLI Flow-tools, ntop and other open source Commercial NetFlow Collector
Direct access via CLI (Flexible NetFlow)
Choose the Right CollectorKey ConsiderationsOrganization Higher-Ed ISP Small or LargeEnterprise SIEM User eCommerceScalability Number ofNetFlowSources Number ofUsers Flows PerSecondFeature Set Reportingonly? Drill Down? Flowretention? Deduplication?Your Time Do you havetime to rollyour own? Can yousupport whatyou’ve built?Cost Executivesponsorshipfor theproject? What kind ofbudget do youhave?
Choose the Right alabilityFeatureSetOpen Sourcenfdump, ntopLabor HardwarePower Users,EnthusiastsMediumLow(varies with effort)(varies with effort)SmallBusinessCommercialSolarWindsOrion 50KSmallNetworks, 500 usersVery ratorsLowVery LowEnterpriseCommercialLancopeStealthWatch 50K Fortune 5000,DoD, Higher EdeCommerceHighVery HighCarrier Gradeand ISPArborPeakFlow SP 100K InternetServiceProvidersVery HighHigh
NetFlow Collector Typesbackbone provider100,000 (sampled)higher-edFlows Per Second40,000eCommercelarge enterprise15,000Trouble Starts Here5,000SME1000branch office10050cable modem*5ntopSolarWindsLancopeArborScalability Requirements* check out “dd-wrt” for NetFlow support in your L
NetFlow Cisco Catalyst 6500 NetFlow Collector . Cisco NetFlow Support 20 2011 Lancope , Inc. . Cisco 2800 Cisco 7600 Cisco 1700 Cisco Catalyst 6500 Cisco ASR Cisco 3560/3750-X Cisco ASA Cisco ISR G2 Hardware Supported Cisco Catalyst 4500 . Wide Support for NetFlow Nortel Networks Junip
Cisco 3560 & 3750 NetFlow Configuration Guide Cisco Nexus 7000 NetFlow Configuration Cisco Nexus 1000v NetFlow Configuration Cisco ASR 9000 NetFlow Configuration Appendix. 3 Cisco NetFlow Configuration Cisco IOS NetFlow Configuration Guide Netflow Configuration In configuration mode issue the following to enable NetFlow Export:
Cisco 3560 & 3750 NetFlow Configuration Guide Cisco Nexus 7000 NetFlow Configuration Cisco Nexus 1000v NetFlow Configuration Cisco ASR 9000 NetFlow Configuration Appendix. 8 Cisco NetFlow Configuration Cisco 3560X & 3750X NetFlow Configuration Your software release may not support all the features documented in this module.File Size: 2MB
Configuring NetFlow on a Cisco 6500 Series Switch 148 Configuring NetFlow on a Cisco 6500 Series Switch 150 Configuring NetFlow on Cisco Routers 151 Contents NetFlow Configuration Guide, Cisco IOS Release 12.2SX viii . Configuring NetFlow on Cisco Routers 153 Configuring NetFlow Top Talkers 153
NetFlow-lite Aggregators and collectors can sit anywhere in the network, as long as L3 reachable NetFlow-lite Aggregators are transparent to NetFlow collector (NetFlow collectors receive aggregated flow data as if it's coming directly from the switch) NetFlow collector analyzes & correlates both NetFow and aggregated NetFlow-lite data
Example: Router enable Enteryourpasswordifprompted. configureterminal (Required)Entersglobalconfigurationmode. Example: Router# configure terminal Step 2 NetFlow Configuration Guide, Cisco IOS Release 15M&T 5 Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data How to Configure SNMP and use the NetFlow MIB to Monitor NetFlow Data
Aside: Myths about NetFlow Generation 30 Myth #1: NetFlow impacts performance Hardware implemented NetFlow has no performance impact Software implementation is typically significantly 15% processing overhead Myth #2: NetFlow has bandwidth overhead NetFlow is a summary protocol Traffic overhead is typically significantly 1% of
Flexible NetFlow Configuration Guide, Cisco IOS Release 15.2(3)E and Later (Catalyst 3750-X and 3560-X Switches) 3 Configuring Flexible NetFlow Information About Flexible Netflow . Flexible NetFlow Configuration Guide, Cisco IOS Release 15.2(3)E and Later (Catalyst 3750-X and 3560-X Switches) 17 Configur
spine .9120” Start with FREE Cheat Sheets Cheat Sheets include Checklists Charts Common Instructions And Other Good Stuff! Get Smart at Dummies.com Dummies.com m
