
Catalyst 4948E NetFlow-lite

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Application Visibility in Data Center
Why Application Visibility in Data Center

Efficient operation
• What applications are consuming bandwidth
• Who is using them
• When they are being used
• What activities are prevalent

Visibility into the network & control
• End-user experience management
• Network and capacity planning
• Troubleshooting
• Network forensics

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2
Introducing NetFlow-lite

What is NetFlow-lite for?
 Traffic monitoring capability for east-west & north-south L2/L3 traffic
 Identify top talkers (applications, servers, hosts)
 Capacity planning through insights into link/network utilization

What does NetFlow-lite provide?
 Up to 1:32 packet sampling on all 1G downlink & 10G uplink ports
 1:1 sampling on up to 2 downlink ports for troubleshooting
 Supported on L2/L3 ports and EtherChannel
 NetFlow v9 and IPFIX export format, with optional packet section

(Diagram: NetFlow-lite switches perform 1:N packet sampling and export NetFlow v9 or IPFIX to a NetFlow-lite Aggregator, which feeds any NetFlow collector.)

NetFlow-lite:
Building upon the flexibility of Flexible NetFlow

                    Flexible NetFlow                          NetFlow-lite
Metering process    User selection of flow keys               Packet sampling
                    (more selection of flow keys*),           (packet length, packet section,
                    user definition of flow records           sampling rate)
Flow cache          Normal cache, permanent cache,            Immediate cache
                    immediate cache
Exporting process   NetFlow version 9 or IPFIX                NetFlow version 9 or IPFIX

• NetFlow-lite exports new keys such as raw packet section & sampling rate

NetFlow-lite: Metering Process

Packet forwarding -> 1-in-N samples (truncated) -> NetFlow-lite export packet

Each NetFlow-lite export packet (v9 or IPFIX) carries the NetFlow-lite export packet header, the truncated packet section of each sample, and the other NetFlow-lite export fields: sampled packet length, number of sampled packets, and total number of packets observed.

 Configurable sampling rate up to 1-in-32 on all 48 downlinks (1G) and 4 uplinks (10G), AND 1-in-1 sampling on up to 2 ports (1G only)
 Configurable packet sample length (export a truncated packet section to conserve bandwidth)

NetFlow-lite: Export Format
 Example: NetFlow-lite in NetFlow version 9 export format
 Version 9 is based on templates and separate flow records
  Templates are composed of field type and length
  Flow records are composed of a template ID and values

Export packet layout:
  Header (version, sequence #, ...)
  Template FlowSet: a Template Record with Template ID #1 listing the specific field types and lengths:
    Input interface
    Output interface
    Sampled packet length (size of the packet sampled)
    Total # of packets observed
    # of packets sampled
    Sampled packet section
  Data FlowSet: FlowSet ID #1 (the template ID) followed by the values for those fields, one record per sampled packet
NetFlow-lite: Flow Cache

 There are 3 types of flow cache in Flexible NetFlow
  Normal cache (traditional NetFlow)
  Permanent cache
  Immediate cache

 NetFlow-lite uses the immediate cache
  Every packet creates a new flow
  Good for packet section export in version 9/IPFIX format

 Additional reference:
  Cisco IOS Flexible NetFlow Technology White Paper
  (http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/prod_white_paper0900aecd804be1cc.html)

NetFlow-lite vs. NetFlow
Catalyst 4500/4900 Switches NetFlow-lite vs NetFlow Support:

                   NetFlow-lite (4948E, 4948E-F)                 NetFlow (SupIV/V, SupV-10GE, Sup7-E)
Technology         Packet-based                                  Flow-based
Hardware           FPGA-assist                                   NetFlow ASIC
Metering method    Sampling (configurable, up to 1-in-32*)       Every packet accounted for
Export format      v5, v9, IPFIX**                               v5, v8, v9, IPFIX
Flow cache         Immediate cache                               Normal cache / immediate cache / permanent cache
Ecosystem          Easily integrates with any NetFlow            NetFlow collector
                   collector through a NetFlow-lite Aggregator
Platform support   4948E, 4948E-F                                SupIV/V (with daughter card), SupV-10GE,
                                                                 Sup7-E (Flexible NetFlow)

* Supports 1-in-1 sampling for up to 2 ports for troubleshooting
** Catalyst 4948E/4948E-F are the first Cisco products supporting IPFIX
Data Center-wide Monitoring
Integrating NetFlow-lite into Your Network
Integrating NetFlow-lite into an existing NetFlow architecture is easy:
 Works with existing collectors & back-end tools through NetFlow-lite Aggregators
 NetFlow-lite Aggregators and collectors can sit anywhere in the network, as long as they are L3 reachable
 NetFlow-lite Aggregators are transparent to the NetFlow collector (NetFlow collectors receive aggregated flow data as if it were coming directly from the switch)
 The NetFlow collector analyzes & correlates both NetFlow and aggregated NetFlow-lite data

(Diagram: NetFlow-enabled devices (NF) keep their existing NetFlow export to any NetFlow collector and its back-end NetFlow tools; NetFlow-lite-enabled devices (NFL) send 1:N packet samples as NetFlow v9 or IPFIX export to a NetFlow-lite Aggregator, which re-exports v5/IPFIX to the same collector.)
Why do I Need a NetFlow-lite Aggregator?
NetFlow-lite Aggregator serves the following purposes:
 Parse NetFlow-lite data to extract information such as src/dst IP address, TCP/UDP port, packet length, etc.
 Construct a temporary flow cache
 Extrapolate flow statistics by correlating the sampling rate with the sampled packets
 Export aggregated and extrapolated data to NetFlow collectors in standard IPFIX or NetFlow v5/v9 format
 Conserve valuable forwarding bandwidth by aggregating NetFlow-lite data into the more bandwidth-efficient NetFlow export
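The first three aggregator steps above (parse the packet section, build a temporary flow cache, extrapolate by sampling rate), as an added Python example that is not nProbe's code and not from the Cisco deck. It assumes each sample arrives as a timestamp, the 1-in-N sampling rate, the length of the sampled packet and a truncated packet section that starts at the Ethernet header (packet-offset 0); the packet sections it feeds itself are constructed for the example.

```python
"""Minimal NetFlow-lite aggregator: rebuild flows from sampled packet sections
and scale the counters by the sampling rate."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int, int, int]   # src, dst, sport, dport, proto


def five_tuple(section: bytes) -> Optional[FlowKey]:
    """Decode the 5-tuple from a truncated packet section (packet-offset 0, so it
    starts at the Ethernet header). The bytes come straight off the wire, so every
    access is bounds-checked; a section that does not reach the L4 ports (VLAN tag
    plus IP options inside a 64-byte cut, non-IPv4) yields None, never a guess."""
    if len(section) < 14:
        return None
    ethertype, off = struct.unpack("!H", section[12:14])[0], 14
    if ethertype == 0x8100:                  # one 802.1Q tag
        if len(section) < 18:
            return None
        ethertype, off = struct.unpack("!H", section[16:18])[0], 18
    if ethertype != 0x0800 or len(section) < off + 20:
        return None
    ihl = (section[off] & 0x0F) * 4
    if section[off] >> 4 != 4 or ihl < 20 or len(section) < off + ihl:
        return None
    proto = section[off + 9]
    src = ".".join(map(str, section[off + 12:off + 16]))
    dst = ".".join(map(str, section[off + 16:off + 20]))
    sport = dport = 0
    if proto in (6, 17):                     # TCP/UDP: ports are the first 4 L4 bytes
        l4 = off + ihl
        if len(section) < l4 + 4:
            return None
        sport, dport = struct.unpack("!HH", section[l4:l4 + 4])
    return (src, dst, sport, dport, proto)


@dataclass
class Flow:
    first_seen: float
    last_seen: float
    sampled_packets: int = 0
    sampled_bytes: int = 0
    est_packets: int = 0   # extrapolated: one 1-in-N sample stands for N packets
    est_bytes: int = 0


class FlowCache:
    """Temporary flow cache: samples with the same key are merged, counters are
    scaled by the sampling rate N, and idle flows are handed back for export."""

    def __init__(self, idle_timeout: float = 60.0):
        self.idle_timeout = idle_timeout
        self.flows: Dict[FlowKey, Flow] = {}
        self.unclassified = 0

    def add_sample(self, ts: float, rate: int, pkt_len: int, section: bytes) -> None:
        key = five_tuple(section)
        if key is None:
            self.unclassified += 1           # counted, so lost visibility is measurable
            return
        f = self.flows.setdefault(key, Flow(first_seen=ts, last_seen=ts))
        f.last_seen = max(f.last_seen, ts)
        f.sampled_packets += 1
        f.sampled_bytes += pkt_len
        f.est_packets += rate                # 1-in-N sampling: N packets per sample
        f.est_bytes += pkt_len * rate        # an estimate: one sample becomes N packets

    def expire(self, now: float) -> List[Tuple[FlowKey, Flow]]:
        """Remove and return flows idle longer than the timeout; these are what the
        aggregator would export to the collector as classic NetFlow/IPFIX records."""
        done = [(k, f) for k, f in self.flows.items() if now - f.last_seen >= self.idle_timeout]
        for k, _ in done:
            del self.flows[k]
        return done


def make_section(src: str, dst: str, sport: int, dport: int, proto: int = 6) -> bytes:
    """Constructed 64-byte Ethernet/IPv4/L4 packet section for the example."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0x4000, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return (eth + ip + struct.pack("!HH", sport, dport) + bytes(64))[:64]


def demo() -> Tuple[Dict[FlowKey, Flow], int]:
    """Three 1-in-32 samples of one flow, one of another, one section too short to parse."""
    cache = FlowCache(idle_timeout=60)
    a = make_section("10.0.0.5", "10.0.1.7", 51000, 443)
    b = make_section("10.0.0.9", "10.0.1.7", 4000, 53, proto=17)
    samples = [(0.0, 1500, a), (1.0, 1500, a), (2.0, 64, a), (2.5, 80, b), (3.0, 60, bytes(10))]
    for ts, pkt_len, sec in samples:
        cache.add_sample(ts, 32, pkt_len, sec)
    return dict(cache.expire(now=70.0)), cache.unclassified
```

The scaled counters are estimates: at 1-in-32, a flow seen once is reported as 32 packets, so short flows carry large relative error and the unclassified counter tells you how much traffic the 64-byte section could not attribute to a 5-tuple.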

NetFlow-lite Aggregator – Using nProbe

What is it?
nProbe is an open source NetFlow collector/probe/NetFlow-lite Aggregator and can be obtained from ntop.org

How
• nProbe can run on any Linux server by issuing the following command:

  # ./nprobe -i eth2 -b 1 -s 5 -t 60 -w 1000000 --nflite 2055:16 -n 5.5.5.10:2055 -O 2 -e 0

The command indicates that nProbe will collect NetFlow-lite info over eth2 on ports 2055~2070, extract & aggregate it using a 1,000,000-entry flow cache with a flow expiration time of 60 seconds, and send it in NetFlow v5/v9/IPFIX export format to the NetFlow collector located at 5.5.5.10, port 2055, whether on the same server or on another L3 reachable server/appliance.

(Diagram: NetFlow-lite switches export NetFlow v9 or IPFIX to the NetFlow-lite Aggregator (nProbe), which forwards to any NetFlow collector, labelled 5.5.5.10:5000 in the slide.)
Designing NetFlow-lite in Large-scale DC
A Tiered Approach

 Deploy an nProbe per zone to scale
  • NetFlow-lite data is aggregated per zone to conserve bandwidth usage in the data center core/distribution
  • Recommended to deploy nProbe as close to the switches as possible
 How many switches can be in a zone?
  • Depends on the sampling rate, link utilization, # of flows, and the horsepower of the server running nProbe

(Diagram: Zone1 through Zone4, each with its own nProbe feeding a single NetFlow collector.)
Use Case Example:
Network Visibility with NetFlow-lite
(Screenshot taken from Plixer Scrutinizer, not reproduced here: link utilization over time, top talkers, bandwidth usage per flow.)
NetFlow-lite Configuration

Configure exporter settings:

netflow-lite exporter check
 transport udp 2055
 transport udp load-share 16
 template data timeout 60
 options sampler-table timeout 60
 source 9.9.9.10
 destination 9.9.9.1
 export-protocol ipfix
!

Configure sampler settings:

netflow-lite sampler check
 packet-rate 32
 packet-section size 64
 packet-offset 0
!

Apply sampler and exporter to the NetFlow-lite monitor on the interface:

interface GigabitEthernet1/1
 no switchport
 ip address 40.40.40.1 255.255.255.0
 netflow-lite monitor 1
  sampler check
  exporter check

The exporter sends NetFlow v9 or IPFIX export (IPFIX here) from 9.9.9.10 to the NetFlow-lite to NetFlow converter at 9.9.9.1, which in turn feeds any NetFlow collector. "transport udp load-share 16" spreads the export over 16 consecutive UDP destination ports starting at 2055, which is why the nProbe command listens with --nflite 2055:16 (ports 2055~2070).
Other Resources

 Catalyst 4948E NetFlow-lite configuration guide
  http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/15.02SG/configuration/guide/nswich_l.html

 Ntop.org
  http://www.ntop.org/nProbe.html

 Flexible NetFlow Technology White Paper
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/prod_white_paper0900aecd804be1cc.html
Using nProbe as NetFlow-Lite Aggregator

Luca Deri <deri@ntop.org>

© 2011 - ntop.org
Problem Statement
• NetFlow-Lite brings visibility to switched networks.
• NetFlow-Lite exports are in v9/IPFIX format and contain packet sections.
• Legacy NetFlow collectors need additional support to understand and analyze NetFlow-Lite flows.

What is nProbe?
(Diagram: nProbe performs flow collection of both NetFlow-Lite flows and "classic" NetFlow flows (v5/v9/IPFIX).)
Typical nProbe Deployment
• Place nProbe as close as possible to the NetFlow-Lite switch.
• Each nProbe instance can collect flows from multiple switches.

(Diagram: NetFlow-Lite switches send NetFlow v9 or IPFIX exports to the deployed nProbes, which forward to the NetFlow collector.)
Converting NFLite to NetFlow
• nProbe implements a "real" flow cache rather than converting each NFLite record into a single NetFlow "classic" flow.
• Interface identifiers are preserved, and the sampling rate is taken into account as packets/bytes are scaled.
• Collectors are unaware of the NFLite-to-NetFlow conversion, which is totally transparent to them.
NetFlow-Lite Support in nProbe [1/2]
• nProbe collects NetFlow-Lite flows over IPv4/IPv6 UDP.
• The 4948E balances flows over multiple UDP destination ports.

NetFlow-Lite Support in nProbe [2/2]
• For collecting large numbers of NetFlow-Lite flows, a kernel plugin (Linux only) has been developed.

Final Remarks
• nProbe 6.5.x natively supports NetFlow-Lite.
• It is available for both Windows and Unix.
• Typical NetFlow-Lite conversion speed ranges from 250k to 1M flows/sec (Linux only, using the kernel plugin).
• nProbe supports transparent IP address spoofing for impersonating the 4948E switch. Since NetFlow/IPFIX over UDP carries no authentication, the collector cannot tell these spoofed exports from the switch's own, so restrict which hosts may reach the collector's UDP port.