网络管理与网络监控

云南电网公司高级网络知识培训7、网络管理、监控和优化服务

网络管理、SNMP协议云南电网网络知识培训网管的重要性???网络中设备日渐增多－交换机、路由器、防火墙、拨号访问服务器……技术日趋复杂－以太网、千兆以太网、多媒体技术、语音、数据、视频集成、安全策略……，

发生问题时无从下手

缺乏经验丰富、受过专业培训的网络管理人员缺乏综合的网管解决方案网管基本概念网络管理系统主要功能是维护网络正常高效的运行。网管系统能及时检测网络出现的故障和进行处理，能通过监测分析运行状况而估价系统性能.两种网络管理系统标准：1.OSI的网络管理规程:公共管理信息协议(CMIP)2.起源于Internet的TCP/IP的简单网络管理协议(SNMP)WhatIstheNMS?SecurityConfigurationPerformanceAccountingFaultTroubleshootingforproblemdiscovery,isolation,andresolutionCollectutilizationandperformancedata,analyzedata,setutilizationthresholdsFinding,configuring,andmaintainingnetworkdevicesLogginguseraccessanddatatrafficforbilling;providingsecureaccesstothenetwork为了使网络的性能功效达到最高而采用的能够控制管理复杂的数据网络一组工具。“”网管的管理功能配置管理：定义、识别、初始化、控制、检测被管对象。故障管理：故障检测、排除。性能管理：流量负载、网络服务器负载情况。记帐管理：哪个用户、什么时间、使用了什么资源、使用了多少。安全管理：身份验证、授权、加/解密OSI提出网管五个管理功能SNMP操作模型管理站SNMP代理(Agent)MIB代理(Agent)MIB被管设备被管设备用户接口网管应用程序SNMP操作读取(get)：管理站被管设备请求回应写入(set):管理站用写入命令设置被管设备的变量值陷井(Trap):被管设备向管理站报告重要事件获取变量的值网管分类网元管理流量管理安全管理基础设施管理网元管理

以设备单元为基础的网络管理，监控网 络设备的运行状态、网络链路的通断、 异常事件告警等。 代表产品：CiscoWorks、华讯网管（EccomNet）、 NetCool流量管理

对网络流量的智能分析 对关键网络节点或关键网络链路上网络 流量的长期数据捕获保存能力 能够提供长期的流量分析报告

代表产品：NetScout安全管理

实现对安全设备的统一管理，安全策略 的集中下发 收集、分析安全事件，提供相应安全建 议

代表产品：CSM、MARS基础设施管理

实现对机房网络设备、主机设备及机柜 电源的统一管理

代表产品：AvocentCISCO网管体系结构所有CISCO网络管理设备都支持SNMP，即可以在其上启动SNMP的Agent(软件模块/进程)网管工作站操作系统平台SUN(solaris)、HP、IBM(AIX)、NT、WIN95网管平台(如SUN:Netmanger,HP:OpenView,IBM:Netview)CISCOWORKS/CWSICISCOVIEW网络管理：

CiscoIOSIPSLAs技术云南电网网络知识培训CiscoIOSIPSLAs技术IPSLAs是内嵌在CiscoIOS中的一个网络管理代理，用于对网络中任意两点间的服务质量进行主动测量可以感知IP业务类型和通信服务级别专门针对IP电话、视频、VPN业务进行了优化所有运行IOS操作系统的Cisco网络硬件设备都支持IPSLAs管理代理，无需额外的采购费用IPSLAs是Cisco提供智能化网络战略的重要组成部分，能提供业界领先的内嵌式服务质量测量智能代理性能测量SPAN和RSPAN监控云南电网网络知识培训ObjectivesUponcompletingthislesson,youwillbeableto:DescribetechniquestoenhancetheperformanceofamultilayerswitchednetworkMonitorswitchportsusingSPANandVSPANMonitorswitchportsusingRSPANDescribethefeaturesandoperationofnetworkanalysismodulesonCatalystswitchestoimprovenetworktrafficmanagementVerifyandtroubleshoottheoperationofnetworkanalysismodulesEnhancingNetworkPerformanceGatherabaseline.Performawhat-ifanalysis.Performexceptionreportingforcapacityissues.Determinethenetworkmanagementoverhead.Analyzethecapacityinformation.Periodicallyreviewcapacityinformation.Haveupgradeortuningproceduressetup.SwitchedPortAnalyzerConfiguringSPANSwitch(config)#monitorsession{session_num}{source{interfacetype/num}|{vlannum}}[,|-|rx|tx|both]

ConfiguresaSPANsessiontomonitortrafficSwitch(config)#monitorsession{session_number}{destination{interfacetype/num}[,|-]|{vlannum}}

ConfiguresthedestinationforaSPANsessionRemoteSPANConfiguringRSPANEntersconfigurationmodeforaspecificVLANSwitch(config)#vlanvlan-numberEnablesRSPANfortheVLANSwitch(config-vlan)#remote-spanVerifyingSPANandRSPANSwitch#showmonitorsessionsession_number[detail]DisplaysSPANsessioninformationSwitch#showmonitorsession2

Session2

Type:RemoteSourceSession

SourcePorts:

RXOnly:Fa3/1

DestRSPANVLAN:901Switch#showmonitorsession2detail

Session2

Type:RemoteSourceSession

SourcePorts:

RXOnly:Fa1/1-3

TXOnly:None

Both:None

SourceVLANs:

RXOnly:None

TXOnly:None

Both:None

SourceRSPANVLAN:None

DestinationPorts:None

FilterVLANs:None

DestRSPANVLAN:901NetworkAnalysisModuleNAMInitialConfigurationAssignparametersIPaddressSubnetmaskIPbroadcastaddressIPhostnameDefaultgatewayDomainnameDNSnameserverSNMP(MIBvariables,accesscontrol,systemgroupsettings)StartthewebserverConfiguringNAMSwitch(config)#interfacegi8/0Switch(config-if)#switchportaccessvlan93Switch(config-if)#end

Switch(config)#monitorsession1destinationinterfacegi8/1

root@localhost#autostartaddressmapenableEnablesacollectiontypeRoot@localhost#autostartcollectionenableVerifyingNAMSwitch#showmoduleDisplaysinformationaboutinstalledmodulesSwitch#showmodule

ModPortsCardTypeModelSerialNo.

22Catalyst6000supervisor2(Active)WS-X6K-SUP2-2GESAD0410050B

34848port10/100mbRJ-45ethernetWS-X6248-RJ-45SAD03080485

52NetworkAnalysisModuleWS-X6380-NAMSAD05130AXB

72IntrusionDetectionSystemWS-X6381-IDSSAD05100HPTSwitch#showinterfaceGigabitEthernetslot/[1|2]DisplaysNAMinterfaceinformationSummaryPerformancemanagementmaintainsinternetworkperformanceatacceptablelevelsbymeasuringandmanagingvariousnetworkperformancevariables.SPANselectsandcopiesnetworktraffictosendtoanetworkanalyzer.RemoteSPANisavariationofSPANthatsendsmonitoredtrafficthroughanintermediateswitchratherthandirectlytothetrafficanalyzer.ANAMusesSNMPRMONinformationtomonitorandanalyzenetworktraffic.UsetheshowcommandstoverifyNAMconfiguration.Syslog云南电网网络知识培训什么是Syslog?记录发生了什么事件？包括流量行为的一系列事件都可以被记录下来。是一种很好的troubleshooting的工具，尤其是在设备重启或者crash后。Syslog配置!servicetimestampsdebugdatetimelocaltimeservicetimestampslogdatetimelocaltime！loggingbuffered20480Nologgingconsole！loggingsource-interfaceLoopback0logginghostlogginghost21!Log的级别和数目log级别中包含的具体内容，具体参见设备的datatsheetsyslog用showlogging可查看目前log的设置情况。SyslogYX-C-M-C7606-B01(config)#loggingbuffered?<0-7>Loggingseveritylevel<4096-2147483647>LoggingbuffersizealertsImmediateactionneeded(severity=1)criticalCriticalconditions(severity=2)debuggingDebuggingmessages(severity=7)discriminatorEstablishMD-BufferassociationemergenciesSystemisunusable(severity=0)errorsErrorconditions(severity=3)filteredEnablefilteredlogginginformationalInformationalmessages(severity=6)notificationsNormalbutsignificantconditions(severity=5)warningsWarningconditions(severity=4)xmlEnablelogginginXMLtoXMLloggingbuffer<cr>默认：informationalInformationalmessages(severity=6)思科网管工具云南电网网络知识培训CiscoNetmanager(CNM)入门级网元管理软件-CisconetManager基础网络管理软件CisconetManager基础网络管理软件的英文全称是CisconetManagerIPinfrastructure它是CisconetManager网管产品家族中的成员。它是一个高效的网络监控的解决方案，它可以监控思科网络中低端网络设备、以及其它基于SNMP的第三方IT设备，如：服务器、工作站、应用服务器，甚至打印机等netManager基础网络管理软件的基本功能(1)网络的自动发现（包括主机等一般SNMP设备）实时和历史的性能监控与报告CPU利用率内存利用率硬盘利用率接口利用率（带宽）设备可用性丰富的故障通知手段：SNMPTRAP、SYSLOG，SMS、电子邮件、外部脚本激活弹出窗口和网页报警等丰富的通知机制。netManager基础网络管理软件的基本功能(2)实时网络拓扑展现CiscoWorksLMS3.0

+HUMCiscoworks网络管理系统的英文全称是CiscoworksLanManagerSolution，简称LMS。CiscoWorksLMS由多个具有出色运营功能的工具组成，提供故障管理、可扩展拓扑视图、先进配置、L2和L3路径分析、支持语音的路径跟踪、广域网性能故障排除、终端工作站跟踪以及设备故障排除等功能CiscoWorksLMS3.0是一个全新的主要软件版本，在可扩展性、性能和应用级功能方面叫以前版本有了大幅提高。CiscoView全部Cisco设备支持详细设备外观图形有助于微小故障的迅速定位简单的点击配置多个端口和参数迅速启动实时监控集成于CiscoWorks2000和CiscoWorksforWindows的Cisco网络设备视图处理器CiscoWorksWindows易于使用的基于Windows的互连网管理应用套件支持集成的交换机和路由器带有多个管理级别的安全的SNMP管理系统中小型企业专门的网管软件CommonManagementFoundation

ArchitectureCD-One(CommonManagementFoundation)Desktop,WebServices,Security,ProcessManagement,HelpDatabaseEngine,JobManagement,EventDistributionANI(AsynchronousNetworkInterface)NetworkDeviceDiscoveryRUNTIMESERVICESNETWORKSERVICESSYSTEMSERVICESCORBAEventBusCustomerPartnerInterfaceCIM/XMLCiscoManagementConnectionCCOHTMLCORBAWebBrowserUserInterfaceCommontoLMS•RWAN•SMS•VMS•CVM•…ACLManagerReal-TimeMonitorResourceManagerEssentialsContentFlowManagerCampusManagerDeviceFaultManagerInternetworkPerformanceMonitorLMSLMSLMS•RWAN+RWANRWANLMS•RWANLMS•RWANInternalInterfacesyslogSNMPNetworkDevicestelnetCDOneCDTwoSLMCollectorSWServiceLevelMgtSolutionCDOneRMERTMACLIPMRWANSolutionCDOneRME&CD-2VPNMonCSPM(IDS)VPN/SecurityMgtSolutionCDOneRMERTMCMCFMLANMgtSolutionDFMCDOneVoIPHealthMonitorDFMVHMCWWACSURTQPMCVMHSENAMCSPM(fw)HIDSCiscoWorks2000Netflow介绍云南电网网络知识培训AgendaNetFlowOverviewVersionsPartnersCustomerApplicationsSolutionsbyTechnologyFeaturesandUsesPlatformSpecificsPerformanceRoadmapandFutureDirectionSummaryNetFlowOverviewNetFlowOrigination&InnovationDevelopedbyDarrenKerrandBarryBruinsatCiscoSystemsin1996ThevalueofinformationinthecachewasasecondarydiscoveryInitiallydesignedasaswitchingpathNetFlowisnowtheprimarynetworkaccountingtechnology

intheindustrySampledNetFlowaCiscoinnovationNetFlowversion9anIETFstandardAnswersquestionsregardingIPtraffic:who,what,where,when,andhowNetFlow技术Cisco®Systems在1996发明并取得专利NetFlow现在是业界最主要的网络流量统计技术,同时也已经成为IETF标准提取网络传输的数据包的关键信息：时间，来源，目的，做什么等等。详细描述网络的运行状况和流量特点。Whatisaflow?ExportedDataDefinedbysevenuniquekeys:SourceIPaddressDestinationIPaddressSourceportDestinationportLayer3protocoltypeTOSbyte(DSCP)Inputlogicalinterface(ifIndex)NetFlowSequence

RouterCreateandupdateflowsinNetFlowCacheInactivetimerexpired(15secisdefault)

Activetimerexpired(30min(1800sec)isdefault)NetFlowcacheisfull(oldestflowsareexpired)

RSTorFINTCPFlagHeaderExportPacketPayload(flows)ExpirationAggregation?e.g.Protocol-PortAggregationSchemebecomesExportVersionYesNoAggregatedFlows–exportVersion8or9Non-AggregatedFlows–exportVersion5or9TransportProtocolCoreNetworkCreatingExportPacketsEnableNetFlowTrafficCollector(Solaris,HP-UX,orLinux)UDPNetFlowExportPacketsApplicationGUIPEExportPacketsApproximately1500bytesTypicallycontain20-50flowrecordsSentmorefrequentlyiftrafficincreasesonNetFlow-enabledinterfacesNetFlowPrinciplesInboundtrafficonlyUnidirectionalflowAccountsforbothtransittrafficandtrafficdestinedfortherouterWorkswithCiscoExpressForwarding(CEF)orfastswitchingNotaswitchingpathSupportedonallinterfacesandCiscoIOSSoftwareplatformsReturnsthesub-interfaceinformationintheflowrecordsAgendaNetFlowOverviewVersionsPartnersCustomerApplicationsSolutionsbyTechnologyFeaturesandUsesPlatformSpecificsPerformanceRoadmapandFutureDirectionSummaryVersionsNetFlowVersionsNetFlowVersionComments1Original5Standardandmostcommon7SpecifictoCiscoCatalyst6500and7600SeriesSwitchesSimilartoVersion5,butdoesnotincludeAS,interface,TCPFlag&TOSinformation8ChoiceofelevenaggregationschemesReducesresourceusage9Flexible,extensiblefileexportformattoenableeasiersupportofadditionalfields&technologies;comingoutnowMPLS,Multicast,&BGPNextHopAgendaVersion5Version8Version7Version9Version5NetFlowOverviewVersionsVersion5-FlowFormatSourceIPAddressDestinationIPAddressPacketCountByteCountUsageQoSTimeofDayApplicationPortUtilizationFrom/ToRoutingandPeeringInputifIndexOutputifIndexTypeofServiceTCPFlagsProtocolStartsysUpTimeEndsysUpTimeSourceTCP/UDPPortDestinationTCP/UDPPortNextHopAddressSourceASNumberDest.ASNumberSourcePrefixMaskDest.PrefixMaskSourceIPAddressDestinationIPAddressAgendaVersion5Version7Version8Version9Version7NetFlowOverviewVersionsVersion7AddsNetFlowswitchingsupportfor:CiscoCatalyst5000SeriesSwitcheswithanRSMCiscoCatalyst5000SeriesSwitcheswithanMSFCUsesMultiLayerSwitching(MLS)orCEFwithCiscoCatalyst6000SeriesSwitcheswithSUP2IPunicastonlyNomulticastorIPX,evenifMLScandoallthreeMLScacheistheequivalentoftheNetFlowcacheVersion7-FlowFormatSourceIPAddressDestinationIPAddressUsageQoSTimeofDayApplicationPortUtilizationFrom/ToRoutingandPeeringSourceIPAddressDestinationIPAddressInputifIndexOutputifIndexTypeofServiceTCPFlagsProtocolPacketCountByteCountStartsysUpTimeEndsysUpTimeSourceTCP/UDPPortDestinationTCP/UDPPortNextHopAddressSourceASNumberDest.ASNumberSourceSubnetMaskDest.SubnetMaskRouterSc(routershortcut)**Addedfromversion5NotethattheToSandTCPFlagsfieldsarenotpopulatedAgendaVersion5Version7Version8Version9Version8NetFlowOverviewVersionsVersion8Router-basedaggregationEnablesroutertosummarizeNetFlowdataReducesNetFlowExportdatavolumeDecreasesNetFlowExportbandwidthrequirementsCurrently11aggregationschemesFiveoriginalschemesSixnewschemeswiththeTOSbytefieldSeveralaggregationscanbeenabledsimultaneouslyVersion8-FlowFormatVersion8-FlowFormatVersion8-Configuration3600-4(config)#ipflow-aggregationcache?asASaggregationas-tosAS-TOSaggregationdestination-prefixDestinationPrefixaggregationdestination-prefix-tosDestinationPrefixTOSaggregationprefixPrefixaggregationprefix-portPrefix-portaggregationprefix-tosPrefix-TOSaggregationprotocol-portProtocolandportaggregationprotocol-port-tosProtocol,portandTOSaggregationsource-prefixSourcePrefixaggregationsource-prefix-tosSourcePrefixTOSaggregationNote–donotexportversion5atthesametime“ipflow-exportversion5”AgendaVersion5Version8Version7Version9Version9NetFlowOverviewVersionsWhyaNewVersion?Fixedformats(versions1,5,7,and8)arenotflexibleandadaptableCisconeededtobuildanewversioneachtimeacustomerwantedtoexportnewfieldsWhennewversionsarecreated,partnersneedtoreengineertosupportthenewexportformatSolution:Buildaflexible

andextensibleexportformat!Netflowv9PrinciplesVersion9isanexportformatStillapushmodelSentthetemplateregularly(configurable)Independentoftheunderlyingprotocol,itisreadyforanyreliableprotocol(ie:TCP,SCTP)NetFlowv9ExportPacketDataFlowSetTemplateFlowSetOptionTemplateFlowSetHeaderFlowSetID#1DataFlowSetFlowSetID#2TemplateID(specificFieldtypesandlengths)(version,#packets,sequence#,SourceID)MatchingID#sisthewaytoassociateTemplatetotheDataRecordsTheHeaderfollowsthesameformataspriorNetFlowversionssoCollectorswillbebackwardcompatibleEachDataRecordrepresentsoneflowIfexportedflowshavethesamefieldsthentheycanbecontainedinthesameTemplateRecorde.g.unicasttrafficcanbecombinedwithmulticastrecordsIfexportedflowshavedifferentfieldsthentheycan’tbecontainedinthesameTemplateRecorde.g.BGPnext-hopcan’tbecombinedwithMPLSAwareNetFlowrecordsFlowsfromInterfaceAFlowsfromInterfaceBTosupporttechnologiessuchasMPLSorMulticast,thisexportformatcanbeleveragedtoeasilyinsertnewfieldsOptionDataFlowSetFlowSetIDOptionDataRecord(Fieldvalues)OptionDataRecord(Fieldvalues)TemplateRecordTemplateID#2(specificFieldtypesandlengths)TemplateRecordTemplateID#1(specificFieldtypesandlengths)DataRecord(Fieldvalues)DataRecord(Fieldvalues)DataRecord(Fieldvalues)NetFlowv9FlexibleFormatTemplateFlowSetDataFlowSetFlowSetIDDataFlowSetFlowSetIDExampleofExportPacketrightafterrouterbootorNetFlowconfigurationExampleofExportPacketscontainingmostlyflowinformationOptionDataFlowSetFlowSetIDHeaderHeaderOptionDataRecord(Fieldvalues)OptionDataRecord(Fieldvalues)DataRecord(Fieldvalues)DataRecord(Fieldvalues)DataRecord(Fieldvalues)DataRecord(Fieldvalues)DataRecord(Fieldvalues)DataRecord(Fieldvalues)DataRecord(Fieldvalues)(version,#packets,sequence#,SourceID)(version,#packets,sequence#,SourceID)TemplateRecordTemplateID(specificFieldtypesandlengths)TemplateRecordTemplateID(specificFieldtypesandlengths)TemplateRecordTemplateID(specificFieldtypesandlengths)TemplateRecordTemplateID(specificFieldtypesandlengths)OptionTemplateFlowSetTemplateID(specificFieldtypesandlengths)NetFlowv9ExportPacket

IETFSpecificationOptionFlowsetssenddataassociatedwith:SystemInterfaceLineCardCacheTemplateExample:ThesamplingrateassociatedwithaparticularinterfaceNetFlowv9Exportpamela(config)#ipflow-exportversion?159pamela(config)#ipflow-exportversion9.ConfiguringVersion9exportpamela(config)#ipflow-aggregationcacheaspamela(config-flow-cache)#enabledpamela(config-flow-cache)#export?destinationSpecifytheDestinationIPaddressversionconfigureaggregationcacheexportversionpamela(config-flow-cache)#exportversion?8Version8exportformat9Version9exportformatpamela(config-flow-cache)#exportversion9ConfiguringVersion9exportforanaggregationschemeExportversionsavailableforstandardNetFlowflowsExportversionsavailableforaggregatedNetFlowflowsNetFlowV9andIETFInternetProtocolFlowInformationeXport(IPFIX)isanIETFWorkingGroup/Netflowversion9hasbeenpresentedinthelastIETFInformationalRFConNetFlowversion9/internet-drafts/draft-bclaise-netflow-9-00.txtCiscoisworkingondraftsforversion9AgendaNetFlowOverviewVersionsPartnersCustomerApplicationsSolutionsbyTechnologyFeaturesandUsesPlatformSpecificsPerformanceRoadmapandFutureDirectionSummaryPartnersNetFlowInfrastructureApplications:Router:CacheCreationDataExportAggregationCollector:CollectionFilteringAggregationStorageFileSystemManagementAccounting/BillingNetworkPlanningDataPresentationPartnersCisco&PartnersCiscoCiscoNetFlowPartnersCollectionTrafficAnalysisDenialofServiceFlow-ToolsBillingNetFlowOverviewVersionsPartnersCustomerApplicationsSolutionsbyTechnologyFeaturesandUsesPlatformSpecificsPerformanceRoadmapandFutureDirectionSummaryAgendaCustomerApplicationsGeneralEnterpriseServiceProviderGeneralNetFlowUsesAttackMitigationUser(IP)monitoringApplicationmonitoringBillingChargebackASPeerMonitoringTrafficEngineeringTrafficAnalysisApplicationsAttackMitigationUser(IP)monitoringApplicationmonitoringBillingChargebackASPeerMonitoringNetworkLayerAccessDistributionDistributionAccessCoreNetFlowFeaturesAggregationSchemes(v8)“showipcacheflow”commandArborNetworksNetFlowMPLSEgressAccountingBGPNext-hop(v9)MulticastNetFlow(v9)MPLSAwareNetFlow(v9)BGPNext-hop(v9)SampledNetFlowNetFlowMPLSEgressAccountingBGPNext-hop(v9)MulticastNetFlow(v9)AggregationSchemes(v8)“showipcacheflow”commandArborNetworksBillingFlat-ratebillingdoesnotnecessarilyscaleCompetitivepricingmodelscanbecreatedwithusage-basedbillingUsage-basedbillingconsiderationsTimeofdayWithinoroutsideofthenetworkApplicationDistance-basedQualityofService(QoS)/ClassofService(CoS)BandwidthusageTransitorpeerDatatransferredTrafficclassTrackingUsersWhoaremytopNtalkers,andwhatpercentageoftrafficdotheyrepresent?Howmanyusersareonthenetworkatagiventime?Whenwillupgradesaffecttheleastnumberofusers?Howlongdousersspendconnectedtothenetwork?WhereInternetsitesdotheyuse?Whatisatypicalpatternofusagebetweensites?Areusersstayingwithinanacceptableusage

policy(AUP)?AlarmDOSattackslikesmurf,fraggle,andSYNfloodWillwatchfortheseattack,regardlessofsource/destinationPrincipleNetflowBenefitsServiceProviderEnterpriseInternetaccessmonitoring(protocoldistribution,wheretrafficisgoing/coming)UserMonitoringApplicationMonitoringChargeBackbillingfordepartmentsSecurityMonitoringPeeringarrangementsNetworkPlanningTrafficEngineeringAccountingandbillingSecurityMonitoringCurrentMarketCurrenteconomicsituationhassparkedinterestintheServiceProviderandEnterprisemarketsKeyareasofapplicationTrafficEngineering–50%UsagedBasedBilling/Chargeback–30%DoS–rapidlyemergingFeatureacceleration

ImprovedACLperformanceGeneralEnterpriseServiceProviderNetFlowOverviewVersionsPartnersCustomerApplicationsEnterpriseAgendaNetFlow–ChargeBackBillingR&DHRFinanceAccountpernetwork(ratherthatperIPaddresses)InternetExample:chargethedepartmentforthecostoftheInternetlinkGeneralEnterpriseServiceProviderNetFlowOverviewVersionsPartnersCustomerApplicationsServiceProviderAgendaNetFlow–PeeringAgreementAccountperBGPAS,toReviewPeeringAgreementsISPPublicRouters1,2,3MonthofSeptember—OutboundTrafficNetFlow–PeeringAgreement20%32%4%6%8%8%10%1%1%1%1%1%1%2%1%1%1%AgendaMPLSAutonomousSystemMulticastBGPNext-hopAttackMitigation–DenialofServiceLayer2TechnologiesQualityofServiceMPLSNetFlowOverviewVersionsPartnersCustomerApplicationsSolutionsbyTechnologyMPLSAwareNetFlow(v9)IPFieldsSourceanddestinationIPaddressInputandoutputsub-interfacesTransportlayerprotocolSourceanddestinationapplicationportnumbers8bitIPTypeofService(ToS)TCPFlags(accumulationfromallpacketsintheflow)MPLSFieldsUptothreeincomingMPLSlabelswithexperimental(EXP)bitsandend-of-stack(S)bitPositionofeachofthethreelabelsTypeofthetoplabelIPaddressassociatedwiththetoplabelTraditionalNetFlowFieldsNumberofpacketsNumberofbytes(counteitherIPorMPLSheader/payload)Time-stampsoffirstandlastpacketsintheflowMPLSTraditionalNetFlow

forIPtoMPLStrafficPEPPEEgressMPLSNetFlowAccountingIPinformationonlyIdealforbillingCurrentavailability:CiscoIOSSoftwareReleases12.0(10)STand12.1(5)T

MPLSAwareNetFlow(version9)ExportsuptothreeMPLSlabels,andIPpacketinformationIdealforTrafficEngineeringWillbeavailableinCiscoIOSSoftwareReleases12.0(24)S,12.2S,and12.3TrafficFlowIPIPEgressMPLSNetFlowAccountingforMPLStoIPtrafficMPLSAwareNetFlow

(version9)MPLSAgendaNetFlowOverviewVersionsPartnersCustomerApplicationsSolutionsbyTechnologyMPLSAutonomousSystemMulticastBGPNext-hopAttackMitigation–DenialofServiceLayer2TechnologiesQualityofServiceAutonomousSystemAutonomousSystem3600-4(config)#ipflow-exportversion5?origin-asrecordoriginASpeer-asrecordpeerAS<cr>3600-4(config)#Origin-ASSpecifiesthatexportstatisticsincludetheoriginautonomoussystem(AS)forthesourceanddestinationPeer-ASSpecifiesthatexportstatisticsincludethepeerASforthesourceanddestinationNote–thisconfigurationcommandisoptionalAutonomousSystemAS101ConfiguringPeer-ASSourceAS=AS103DestinationAS=AS105NetFlowenabledAS103AS104AS105AS106ConfiguringOrigin-ASSourceAS=AS101DestinationAS=AS106AS102AgendaNetFlowOverviewVersionsPartnersCustomerApplicationsSolutionsbyTechnologyMPLSAutonomousSystemMulticastBGPNext-hopAttackMitigation–DenialofServiceLayer2TechnologiesQualityofServiceMulticastMulticastNetFlowThreetypesofNetFlowimplementationsforMulticasttraffic:TraditionalNetFlowMulticastNetFlowIngressMulticastNetFlowEgressMulticast–TraditionalNetFlowEth0Eth3Eth1Eth2InterfaceEthernet0 iproute-cacheflowipflow-exportversion9ipflow-exportdestination9995NetFlowCollectorserverTraditionalNetFlowconfiguration(S,G)-(,00)FlowRecordCreatedinNetFlowCacheThereisonlyoneflowperNetFlowconfiguredinputinterfaceThe7KeyfieldsthatdefineauniqueflowaremarkedinredDestinationinterfaceismarkedas“Null”BytesandPacketsaretheincomingvaluesMulticastNetFlowIngressInterfaceEthernet0 ipmulticastnetflowingressipflow-exportversion9ipflow-exportdestination9995MulticastNetFlowIngressconfigurationFlowRecordCreatedinNetFlowCacheThereisonlyoneflowperNetFlowconfiguredinputinterfaceThe7KeyfieldsthatdefineauniqueflowaremarkedinredDestinationinterfaceismarkedas“Null”BytesandPacketsaretheoutgoingvaluesEth0Eth3Eth1Eth2NetFlowCollectorserver(S,G)-(,00)MulticastNetFlowEgressInterfaceEthernet1 ipmulticastnetflowegressInterfaceEthernet2 ipmulticastnetflowegressInterfaceEthernet3 ipmulticastnetflowegressipflow-exportversion9ipflow-exportdestination9995MulticastNetFlowEgressconfigurationFlowRecordsCreatedinNetFlowCacheThereisoneflowperMulticastNetFlowEgressconfiguredoutputinterfaceOneofthe7KeyfieldsthatdefineauniqueflowhaschangedfromSourceInterfacetoDestinationInterfaceBytesandPacketsaretheoutgoingvaluesEth0Eth3Eth1Eth2NetFlowCollectorserver(S,G)-(,00)MulticastNetFlow–RPFFailuresFlowisblockedbecauseithasthesamekeyfieldsasanotherflow;however,itiscomingfromthewrongphysicalinterfaceCanbecountedusingMulticastNetFlowEgressifconfigured“ipmulticastnetflowrpf-failure”globallyOnceconfigured,therewillbeanewfieldintheNetFlowcachecalled“RPFFail”tocountflowsthatfailandhowmanytimesMulticastNetFlow–SummarySupportedviaNetFlowversion9exportformatAvailabilityCiscoIOSSoftwareReleases12.0(27)S,12.2S,and12.3Cisco2500,2600,3600,7200,and7500SeriesRoutersCisco12000SeriesInternetRouterPerformance:Ingressvs.EgressMulticastNetFlowIngressandtraditionalNetFlowwillhavesimilarperformancenumbersMulticastNetFlowEgresswillhaveperformanceimpactthatisproportionaltothenumberofinterfacesonwhichitisenabled(includeinputinterface)CiscoCatalyst6000and7600SeriesSwitchesDonotcurrentlysupportthetrackingofmulticasttrafficviaNetFlowduetocurrentASIClimitationWillhavethissupportinafutureSupervisorAgendaNetFlowOverviewVersionsPartnersCustomerApplicationsSolutionsbyTec