Catalyst 4948E NetFlow-lite

Catalyst 4948E NetFlow-lite 2010 Cisco and/or its affiliates. All rights reserved.Cisco Confidential1

Application Visibility in Data CenterWhy Application Visibility in DataCenter Efficient Operation What applications are consumingbandwidthSiSiSiSi Who is using them When they are being used What activities are prevalent Visibility into the network & control End-user experience management Network and capacity planning Troubleshooting Network forensicsPresentation ID 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential2

Introducing NetFlow-liteWhat is NetFlow-lite for? Traffic monitoring capability for eastwest & north-south L2/L3 traffic.NetFlow-liteAggregatorAny NetFlowCollectorSiSi Identify top talkers (applications,servers, hosts) Capacity planning thru insights oflink/network utilizationSiWhat does NetFlow-lite Provide?SiNetFlow-lite 1:Npacket sampling Up to 1:32 sampling on all 1G downlink &10G uplink ports 1:1 sampling on up to 2 downlink ports fortroubleshooting Supported on L2/L3 ports, EtherChannel NetFlow v9 and IPFIX format Optional packet sectionNetFlow v9 orIPFIX exportPresentation ID 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential3

NetFlow-lite:Building upon the flexibility of Flexible NetFlowFlexible e selection of flow keys*User selection of flow keysUser definition of flow recordsNetFlow-litePacket sampling More selection of flow t cacheNormal cacheImmediate cacheImmediate cacheNetFlow version 9 orIPFIXNetFlow version 9 orIPFIX NetFlow-lite exports new keys such as raw packet section & sampling ratePresentation ID 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential4

NetFlow-lite: Metering ProcessPacket forwardingI-in-N samples (truncated)NetFlow-lite export packet headerOther NetFlow-lite export (v9 or IPFIX)fields (sampled packet length, # ofsampled packets, total # of packetsobserved)NetFlow-lite export packet Configurable sampling rate up to 1-in-32 on all 48 downlinks (1G) ad 4 uplinks (10G), AND 1-in-1sampling on up to 2 ports (1G only) Configurable packet sample length (export truncated packet section to conserve bandwidth)Presentation ID 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential5

NetFlow-lite: Export Format Example: NetFlow-lite in NetFlow version 9 export Format Version 9 is based on template and separate flow recordsTemplate 1Templates composed of type and lengthFlow records composed of template ID and valueTemplate FlowSetData FlowSetFlowSet ID #1HPresentation ID 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialSampledpacket sectionRSample packet size(Specific FieldTypes and Lengths)Input interfaceEoutputinterfaceTotal# ofpacket observedDTemplate RecordTemplate ID #1Packet lengthASequence #of packet sampledE6

NetFlow-lite: Flow Cache There are 3 type of flow caches in Flexible NetFlow Normal Cache (traditional NetFlow) Permanent Cache Immediate Cache NetFlow-lite uses immediate cache Every packet creates a new flow Good for packet section export in version 9/IPFIX format Additional Reference:Cisco IOS Flexible NetFlow Technology White osswrel/ps6537/ps6555/ps6601/ps6965/prod white paper0900aecd804be1cc.html)Presentation ID 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential7

NetFlow-lite vs. NetFlowCatalyst 4500/4900 Switches NetFlow-lite vs NetFlow Support:NetFlow-lite(4948E, 4948E-F)NetFlow (SupIV/V,SupV-10GE, A-assistNetFlow ASICMetering MethodSampling (configurable,up to 1-in-32*)Every packet accountedforExport formatv5, v9, IPFIX**v5, v8, v9, IPFIXFlow CacheImmediate CacheNorman cache/immediatecache/permanent cacheEcosystemEasily integrate with anyNetFlow collector withNetFlow-lite AggregatorNetFlow collectorPlatform Support4948E, 4948E-FSupIV/V (with daughtercard)SupV-10GESup7-E (Flexible NetFlow)Presentation ID* Supports 1-in-1 sampling for up to 2 ports for troubleshooting**Catalyst 4948E/4948E-F is the first Cisco products supporting IPFIX 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential8

Data Center-wide MonitoringIntegrating NetFlow-lite into Your NetworkIntegrating NetFlow-lite into existing NetFlow architecture is easy: Work with existing collectors & back-end tools through NetFlow-lite Aggregators NetFlow-lite Aggregators and collectors can sit anywhere in the network, as long as L3reachable NetFlow-lite Aggregators are transparent to NetFlow collector (NetFlow collectors receiveaggregated flow data as if it’s coming directly from the switch) NetFlow collector analyzes & correlates both NetFow and aggregated NetFlow-lite dataNFNFSiSiExisting NetFlow ExportAny LNFLNFLNFLBack-endToolsNetFlowv5/IPFIXNetFlow-lite 1:Npacket samplingNFNetFlow enabled deviceNFLNetFlow-lite enabled deviceNetFlow v9 orIPFIX exportPresentation ID 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential9

Why do I Need a NetFlow-lite Aggregator?NetFlow-lite Aggregator serves the following purposes: Parse NetFlow-lite data to extract information such as src/dst IPaddress, TCP/UDP port, packet length, etc. Construct temporary flow cache Extrapolate flow statistics by correlating sampling rate w/ sampledpackets Export aggregated and extrapolated data to NetFlow collectors instandard IPFIX or NetFlow v5/v9 format Conserve valuable forwarding bandwidth by aggregating NetFlowlite data to more bandwidth efficient NetFlow exportPresentation ID 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential10

NetFlow-lite Aggregator – Using nProbeWhat is it?NetFlow-liteaggregator(nProbe)nProbe is an open source NetFlowcollector/probe/NetFlow-lite Aggregatorand can be obtained from ntop.orgAny NetFlowCollector5.5.5.10:5000How nProbe can run on any linuxserver by issuing the followingcommand:SiSiSiSi# ./nprobe -i eth2 -b 1 -s 5 -t 60 -w1000000 --nflite 2055:16 -n5.5.5.10:2055 -O 2 -e 0The command Indicates that nProbe will be collecting NetFlow-lite infoover eth2, on port 2055 2070, extract & aggregate info using 1MB of NetFlow v9 orcache size, flow expiration time is 60 seconds, into NetFlow v5/v9/IPFIXIPFIX exportformat, send to NetFlow collector located at 5.5.5.10, port 2055, whetheron the same server or other L3 reachable servers/appliancesPresentation ID 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential11

Designing NetFlow-lite in Large-scale DCA Tiered Approach Deploy an nProbe per zoneto scale NetFlow-lite dataaggregated per zone toconserve bandwidthusage in data centercore/distributionAny NetFlowCollectorSiSiSiSiZone1Zone2 Recommended todeploy nProbe as closeto the switches aspossible How many switches can bein a zone?Zone3Presentation IDZone4 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential Depending on thesampling rate, linkutilization, # of flows, thehorsepower of serverrunning nProbe12

Use Case Example:Network Visibility with NetFlow-liteScreenshot taken from Plixer ScrutinizerLink utilizationover timeToptalkersBandwidth usage per flowPresentation ID 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential13

NetFlow-lite Configurationnetflow-lite exporter checktransport udp 2055transport udp load-share 16template data timeout 60options sampler-table timeout 60source 9.9.9.10destination 9.9.9.1export-protocol ipfix!netflow-lite sampler checkpacket-rate 32packet-section size 64packet-offset 0!Configure exporter settingNetFlow-lite toNetFlowConverterAny NetFlowCollectorConfigure sampler settingSiSiSiSiinterface GigabitEthernet1/1no switchportip address 40.40.40.1 255.255.255.0netflow-lite monitor 1sampler checkexporter checkApply sampler and exporter toNetflow-lite monitor on theinterfacePresentation ID 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialNetFlow v9 orIPFIX export14

Other Resources Catalyst 4948E NetFlow-lite configuration ch l.html Ntop.orghttp://www.ntop.org/nProbe.html Flexible NetFlow Technology White sswrel/ps6537/ps6555/ps6601/ps6965/prod white paper0900aecd804be1cc.htmlPresentation ID 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential15

Using nProbe asNetFlow-Lite AggregatorLuca Deri deri@ntop.org 2011 - ntop.org

Problem Statement NetFlow-Lite brings visibility to switchednetworks. NetFlow-Lite are exports in v9/IPFIXformat and contain packets sections. Legacy NetFlow collectors need additionalsupport to understand and analyzeNetFlow-lite flows. 2011 - ntop.org17

What is nProbe ?Flow CollectionNetFlow-Lite Flows“Classic” NetFlowFlows (v5/v9/IPFIX) 2011 - ntop.org18

Typical nProbe DeploymentNetFlowCollector NetFlow v9 orIPFIX exports Deployed nProbes 2011 - ntop.orgPlace nProbe asclose as possibleto the NetFlow-LiteSwitch.Each nProbeinstance cancollect flows frommultiple switches.19

Converting NFLite to NetFlow nProbe implements a “real” flow cachewithout converting each NFLite flow into asingle NetFlow “classic” flow.Interface Identifiers are preserved, as wellsampling rate is taken into account aspackets/bytes are scaled.Collectors are unaware of theNFLite-to- NetFlow conversion that istotally transparent for them. 2011 - ntop.org20

NetFlow-Lite Support in nProbe[1/2] nProbe collects NetFlow-Lite Flows overIPv4/IPv6 UDP.4948E balances flows on multiple UDPdestination ports 2011 - ntop.org21

NetFlow-Lite Support in nProbe[2/2] For collecting large number of NetFlow-LiteFlows a kernel plugin (Linux only) hasbeen developed. 2011 - ntop.org22

Final Remarks nProbe 6.5.x natively supports NetFlowLite.It is available for both Windows and Unix.Typical NetFlow lite conversion speedrange from 250k to 1M flows/sec (Linuxonly using the kernel plugin).nProbe supports transparent IP addressspoofing for impersonating the 4948Eswitch. 2011 - ntop.org23

NetFlow-lite Aggregators and collectors can sit anywhere in the network, as long as L3 reachable NetFlow-lite Aggregators are transparent to NetFlow collector (NetFlow collectors receive aggregated flow data as if it's coming directly from the switch) NetFlow collector analyzes & correlates both NetFow and aggregated NetFlow-lite data