NetFlow 101 Boot Camp

March 18, 2010

Slide 1

___________________________
___________________________

Introduction to Cisco’s
NetFlow Technology

___________________________
___________________________

Adam Powers, CTO

___________________________
___________________________
NetFlow 101 Seminar, 2010
1

Slide 2

___________________________
Agenda

___________________________
• Introduction to NetFlow

how it works, what it is

• Why is NetFlow so popular?

___________________________

NetFlow costs less and works better

• Configuring and Working with NetFlow

a glimpse into the power of NetFlow

___________________________

• Threat Detection Methods

using flows to detect malware

• FlowSensor Technology

generate NetFlow v9 from a SPAN

• Cisco Flexible NetFlow Lab

set up and work with NetFlow

___________________________
___________________________

2

Slide 3

___________________________
Lancope NetFlow Ninjas Blog

___________________________
http://netflowninjas.typepad.com

___________________________
___________________________
___________________________
___________________________

3

NetFlow 101 Boot Camp

March 18, 2010

Slide 4

___________________________
___________________________

Introduction to NetFlow

___________________________
___________________________
___________________________
___________________________

4

Slide 5

___________________________
Network Flow Collection

___________________________
___________________________
___________________________
___________________________
___________________________
5

Slide 6

___________________________
The Life of a Flow

___________________________
google.com

Cisco Router

10.1.1.1

___________________________
___________________________
___________________________
NetFlow Packet Header

StealthWatch
Flow Collector

6

6

___________________________

NetFlow 101 Boot Camp

March 18, 2010

Slide 7

___________________________
Flow Collection Methods

___________________________

7

• Traditional NetFlow
• Provides router interface statistics
• Very easy to deploy; available for
“free” almost anywhere Cisco
equipment is found
• No packet-level visibility or
response time information
• FlowSensor Appliance Edition (AE)
• Enables flow monitoring where
traditional NetFlow is not
available
• Provides flow performance
information such as round-trip
time and server response time
• Requires SPAN port or Ethernet
tap
• FlowSensor Virtual Edition (VE)
• Installs into VMware ESX to
monitor VM2VM communications
• Software only no hardware

StealthWatch
Flow Collector

___________________________
___________________________

NetFlow

Cisco
Catalyst
6500

___________________________
___________________________

Slide 8

___________________________
Wide Support for NetFlow

___________________________
Cisco 800

Cisco 1700

Cisco 1900

Cisco 2800

___________________________

Not Supported
Cisco 3750

Huawei Quidway

Juniper Networks
Cisco 7200 VXR

Cisco 2900

Cisco 7600

Cisco 3900

___________________________
___________________________
___________________________

Nortel Networks

Cisco XR 12000

8

Slide 9

Cisco Nexus
7000

Cisco Catalyst 6500

___________________________
Wide Support for NetFlow

___________________________
___________________________
___________________________
___________________________
___________________________
9

NetFlow 101 Boot Camp

March 18, 2010

Slide 10

___________________________
Flow Collection Methods

___________________________
• Traditional NetFlow
• Provides router interface statistics
• Very easy to deploy; available for
“free” almost anywhere Cisco
equipment is found
• No packet-level visibility or
response time information
• FlowSensor Appliance Edition (AE)
• Enables flow monitoring where
traditional NetFlow is not
available
• Provides flow performance
information such as round-trip
time and server response time
• Requires SPAN port or Ethernet
tap
• FlowSensor Virtual Edition (VE)
• Installs into VMware ESX to
monitor VM2VM communications
10
• Software only no hardware

StealthWatch
Flow Collector

___________________________
___________________________

NetFlow + latency

statistics

___________________________

FlowSensor
AE

___________________________

SPAN port
tap

Slide 11

___________________________
Flow Collection Methods

___________________________
• Traditional NetFlow
• Provides router interface statistics
• Very easy to deploy; available for
“free” almost anywhere Cisco
equipment is found
• No packet-level visibility or
response time information
• FlowSensor Appliance Edition (AE)
• Enables flow monitoring where
traditional NetFlow is not
available
• Provides flow performance
information such as round-trip
time and server response time
• Requires SPAN port or Ethernet
tap
• FlowSensor Virtual Edition (VE)
• Installs into VMware ESX to
monitor VM2VM communications
11
• Software only no hardware

StealthWatch
Flow Collector

NetFlow + VM
information

___________________________

physical
networ
k

VM

VM

packet
capture

VM

___________________________

virtual
machine
guests

___________________________

VM2VM
virtual
switches

___________________________

VMware ESX 3.5/4.0
Host

Slide 12

___________________________
NetFlow v5 (most common)

___________________________
___________________________
___________________________
___________________________
* fixed format, cannot be extended to include new
fields
12

___________________________

NetFlow 101 Boot Camp

March 18, 2010

Slide 13

___________________________
NetFlow v9 (newer and more powerful)

___________________________
___________________________
___________________________
___________________________
___________________________
13

* 160+ fields to choose from including payload
sections

Slide 14

___________________________
NetFlow v9 – NBAR support!

___________________________
Network-Based Application Recognition being
integrated with NetFlow in Cisco IOS-based
products

___________________________

** available Q4 2009 from Lancope
Over 600 applications supported....

___________________________
___________________________
___________________________

14

Slide 15

___________________________
___________________________

Why is NetFlow so popular?

___________________________
___________________________
___________________________
___________________________

15

NetFlow 101 Boot Camp

March 18, 2010

Slide 16

___________________________
NetFlow for the Network Team

___________________________
NetFlow Packet
flow1
flow2

StealthWatch
Flow Collector

___________________________

...

Compliance and Auditing
Security Team
Network Team
PCI Compliance
File sharing
Interface utilization
HIPAA Compliance
Malware outbreak detection
Billing and chargeback
SCADA Security
Network acceptable use
QOS monitoring
Sarbanes-Oxley
Flow forensics
BGP ASN monitoring
Data loss prevention
MPLS visibility
Application troubleshooting

___________________________
___________________________
___________________________

Slide 17

___________________________
NetFlow Compliance and Auditing

___________________________
NetFlow Packet
flow1
flow2

StealthWatch
Flow Collector

___________________________

...

Compliance and Auditing
Security Team
Network Team
PCI Compliance
File sharing
Interface utilization
HIPAA Compliance
Malware outbreak detection
Billing and chargeback
SCADA
Security
Network acceptable use
QOS monitoring
Sarbanes-Oxley
Flow forensics
BGP ASN monitoring
Data loss prevention
MPLS visibility
Application troubleshooting

___________________________
___________________________
___________________________

Slide 18

___________________________
NetFlow for the Security Team

___________________________
NetFlow Packet
flow1
flow2

StealthWatch
Flow Collector

___________________________

...

Compliance and Auditing
Security Team
Network Team
PCI Compliance
File sharing
Interface utilization
HIPAA
Compliance
Malware outbreak detection
Billing and chargeback
SCADA Security
Network acceptable use
QOS monitoring
Sarbanes-Oxley
Flow forensics
BGP ASN monitoring
Data loss prevention
MPLS visibility
Application troubleshooting

___________________________
___________________________
___________________________

NetFlow 101 Boot Camp

March 18, 2010

Slide 19

___________________________
NetFlow vs. SNMP
SNMP

___________________________
___________________________
___________________________

NetFlow

___________________________
___________________________

19

Slide 20

___________________________
NetFlow Reporting and Drilldown

___________________________
___________________________
___________________________
___________________________
___________________________
20

Slide 21

___________________________
Visibility Lost Due to Emerging Tech

___________________________
Emerging network technologies are outpacing traditional
network monitoring techniques such as SNMP and SPAN/tapbased technology...
“10G Ethernet is so fast few probe
technologies can keep up and those
that can are too expensive”

“MPLS and multi-point VPNs create
a meshed WAN that’s expensive to
monitor adequately”
“Virtualization hides whole network
segments from the network manager’s
view, making VM2VM communication
problems difficult to troubleshoot”

These issues result in an inability to react to network problems
because of a basic lack of
.
21

___________________________
___________________________
___________________________
___________________________

NetFlow 101 Boot Camp

March 18, 2010

Slide 22

___________________________
10G+ Ethernet
“10G Ethernet is so fast few probe technologies can keep up and those
that can are too expensive”

___________________________
___________________________

traditional
Ethernet
sensor

Where
to plug
in?

___________________________
___________________________
___________________________

22

Slide 23

___________________________
NetFlow in a 10G+ Ethernet Environment
“10G Ethernet is so fast few probe technologies can keep up and those
that can are extremely expensive”
StealthWatch
Flow Collector

___________________________
___________________________
___________________________
___________________________
___________________________

23

Slide 24

___________________________
Virtualization
“Virtualization hides whole network segments from the network
manager’s view, making VM2VM communication problems difficult to
troubleshoot”

VM1

VM2

VM3

___________________________

virtual
machines

___________________________

physical
network

traditional
Ethernet probe

___________________________

VM2VM
virtual
switches

___________________________

physical machine

___________________________
24

NetFlow 101 Boot Camp

March 18, 2010

Slide 25

___________________________
NetFlow in the Virtual Environment

___________________________
___________________________
VM
physical
network
NetFlow v9

VM

promisc
capture

VM

virtual
machines

VM2VM

___________________________

virtual
switches

VM Server

StealthWatch
Flow Collector

___________________________
___________________________

*** Cisco Nexus 1000v also supports NetFlow
***

25

Slide 26

___________________________
MPLS and Multi-point VPNs
“MPLS and multi-point VPNs create a meshed WAN that’s
expensive to monitor adequately”

___________________________
___________________________

traditional
Ethernet
sensor

___________________________
___________________________
___________________________

26

Slide 27

___________________________
MPLS and Multi-point VPNs
Fully meshed connectivity circumvents network monitoring deployed at
the “hub” location…

___________________________
___________________________
___________________________
___________________________
___________________________

27

NetFlow 101 Boot Camp

March 18, 2010

Slide 28

___________________________
MPLS and Multi-point VPNs
Full visibility requires a probe at each location throughout the WAN…

___________________________
___________________________
___________________________
___________________________
___________________________

28

Slide 29

___________________________
NetFlow Collection in the WAN
Deploy a StealthWatch NetFlow collector at a central location and
enable NetFlow at each remote site…

___________________________
___________________________

StealthWatch
Flow Collector

___________________________

NetFlow Packet

___________________________

NetFlow Packet

___________________________
29

Slide 30

___________________________
Quick Recap

___________________________
“10G Ethernet is so fast few probe
technologies can keep up and those
that can are too expensive”

network speed has no effect
on NetFlow

“MPLS and multi-point VPNs create
a meshed WAN that’s expensive to
monitor adequately”

enable NetFlow at each remote
location for WAN visibility

“Virtualization hides whole network
segments from the network manager’s
view, making VM2VM communication
problems difficult to troubleshoot”

30

invest in Nexus 100v or
FlowSensor
technology

___________________________
___________________________
___________________________
___________________________

NetFlow 101 Boot Camp

March 18, 2010

Slide 31

___________________________
___________________________

Configuring and Working
with NetFlow

___________________________
___________________________
___________________________
___________________________

31

Slide 32

___________________________
Flow Replication

___________________________
___________________________
___________________________
___________________________
___________________________
32

Slide 33

___________________________
Flow Replication Modes

___________________________
Unicast Mode

___________________________
___________________________
Promiscuous Mode

___________________________
___________________________

33

NetFlow 101 Boot Camp

March 18, 2010

Slide 34

___________________________
Flow Replication: UDP Samplicator

___________________________
http://freshmeat.net/projects/samplicator/

___________________________
___________________________
___________________________
___________________________
34

Slide 35

___________________________
Active vs. Inactive Timeouts

___________________________

Active Timeout

configures longest amount of time a flow can stay in the cache regardless
of activity

Recommend 1 minute

All exporters should have similar active timeouts

• Cisco default of 30 minutes is far too long
Inactive Timeout

configures how long a flow can be inactive before it is expired from the
cache

Recommend 15 seconds (which is also the IOS default)

All exporters should have similar inactive timeouts

___________________________
___________________________
___________________________

Cisco Router

___________________________
35

Slide 36

___________________________
Configuring NetFlow – Traditional Method

___________________________
Configure “Active”
Timeout
Enable NetFlow for
each interface on the
router
(also: “ip flow ingress”)
Specify a destination
for the flows

___________________________
___________________________
___________________________
___________________________

36

NetFlow 101 Boot Camp

March 18, 2010

Slide 37

___________________________
Configuring NetFlow – Flexible NetFlow (FnF)

___________________________


Tells router
which fields to
extract from
flows
“match” is key
field
“collect” is nonkey

___________________________
___________________________
___________________________
___________________________

37

Slide 38

___________________________
Configuring NetFlow – Flexible NetFlow (FnF)

___________________________

Configure “exporter”
Tells the router where to
send the flows.

___________________________
___________________________
___________________________
___________________________

38

Slide 39

___________________________
Configuring NetFlow – Flexible NetFlow (FnF)

___________________________

Configure “monitor”
Sets up the cache timeouts and
type

___________________________
___________________________
___________________________
___________________________

39

NetFlow 101 Boot Camp

March 18, 2010

Slide 40

___________________________
Configuring NetFlow – Flexible NetFlow (FnF)

___________________________

Enable NetFlow on each interface
Reference the “monitor”
command in the interface config

___________________________
___________________________
___________________________

Blog entry describing FnF in detail...

___________________________

http://netflowninjas.typepad.com/blog/2009/0
8/index.html

40

Slide 41

___________________________
___________________________

Lab Exercise #1, #2

___________________________
___________________________
___________________________
___________________________

41

Slide 42

___________________________
Ingress vs. Egress NetFlow

___________________________
___________________________
___________________________
___________________________
___________________________
42

NetFlow 101 Boot Camp

March 18, 2010

Slide 43

___________________________
NetFlow on the Catalyst 6500

___________________________
Catalyst 6500

(MSFC)

NetFlow

(Sup)

NetFlow

___________________________
___________________________
___________________________
___________________________

43

Slide 44

___________________________
Helpful Links re: CPU and bandwidth consumption from NetFlow

___________________________
Cisco Whitepaper: NetFlow Performance Analysis
http://www.cisco.com/en/US/tech/tk812/technologies_white_paper0900aecd802a0eb
9.shtml
Fully loaded ISR running software IOS ~15%
CPU uptick resulting from NetFlow enablement.

___________________________
___________________________

Lancope NetFlow Bandwidth Calculator
http://lancope.com/netflowcalculator.aspx
1200 flows per second for each 250Mbps of
traffic. That's about 680Kbps of NetFlow v5
traffic arriving at the collector per 250Mbps of
traffic seen by the exporter.

___________________________
___________________________

44

Slide 45

___________________________
Viewing NetFlow bps rate per exporter

___________________________
___________________________
___________________________
___________________________
___________________________
45

NetFlow 101 Boot Camp

March 18, 2010

Slide 46

___________________________
___________________________

Working with NetFlow

___________________________
___________________________
___________________________
___________________________

46

Slide 47

___________________________
Troubleshooting with NetFlow

___________________________
• Several approaches to working with flow data...
• Direct router access via CLI
• Flow-tools, ntop and other open source
• Commercial NetFlow Collector

___________________________
___________________________
___________________________
___________________________

47

Slide 48

___________________________
Direct router access via CLI (Traditional)

___________________________
___________________________
___________________________
___________________________

48

Malware
Infected
Host

Target Hosts

Target Port
(0x87=135)

___________________________

NetFlow 101 Boot Camp
Slide 49

March 18, 2010
___________________________

Direct access via CLI (Flexible NetFlow)

___________________________
___________________________
___________________________
___________________________
___________________________
49

Slide 50

___________________________
Direct access via CLI (Flexible NetFlow)

___________________________
___________________________
___________________________
___________________________
___________________________
50

Slide 51

___________________________
Flow-tools, ntop and other open source
FLOW-TOOLS





Collection of small open source programs to post process Cisco NetFlow
compatible flows
Written in C, designed to be fast and lean
Allows for text-based reporting, storage, and analysis of flows
Installation with “configure;make;make install” on most platforms
(FreeBSD, Linux, Solaris, BSDi, NetBSD)
Only supports NetFlow v1/5/7

___________________________
___________________________
___________________________

http://www.splintered.net/sw/flow-tools

NTOP

___________________________

___________________________




51

Lightweight, open-source, web-based flow reporting technology
Similar to the Linux “top” utility but for network traffic rather than
processes
Installation with “configure;make;make install” on most platforms
(FreeBSD, Linux, Solaris, BSDi, NetBSD)
Support for NetFlow v1/5/7/9 and sFlow

http://www ntop org

NetFlow 101 Boot Camp

March 18, 2010

Slide 52

___________________________
ntop web-UI

___________________________
___________________________
___________________________
___________________________
___________________________
52

Slide 53

___________________________
Enable NetFlow on your Linksys router!

___________________________
___________________________
___________________________
___________________________
___________________________
<non-confidential>

53

Slide 54

___________________________
Flow-tools CLI

___________________________
___________________________
___________________________
___________________________
start and
end times

54

src
interface

src
IP

src
port

dst
interface

dst
IP

proto
dst
port

pkts

TCP
flags
(2=SYN)

octets

___________________________

NetFlow 101 Boot Camp
Slide 55

March 18, 2010
___________________________

...other open source
Introduction to Cisco IOS NetFlow - A Technical Overview
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/prod_whit
e_paper0900aecd80406232.html

___________________________
___________________________
___________________________
___________________________
___________________________

55

Slide 56

___________________________
NetFlow Deduplication

___________________________
___________________________
___________________________
___________________________
___________________________
56

Slide 57

___________________________
Troubleshooting with NetFlow: An Example
The scenario:
• 8pm EDT, worker arrives at home
and logs into the corporate VPN to
finish up some work left over from
the office earlier in the day.
• Worker forgets to log
off the VPN.
• Worker’s wife sits down at the
same computer and begins
downloading season 2 of
The Office in HD from iTunes
• The corporate VPN Concentrator
suffers under the load caused
by the downloads

___________________________
___________________________
___________________________
___________________________

(4Mbps max VPN throughput)

The result:
• Users on the west coast (5pm PDT)
experience severe reduced
performance and begin to
57 complain.

___________________________

NetFlow 101 Boot Camp
Slide 58

March 18, 2010
___________________________

Troubleshooting with NetFlow: An Example

___________________________
___________________________
___________________________
___________________________
___________________________
58

Slide 59

___________________________
Troubleshooting with NetFlow: An Example

___________________________
___________________________
___________________________
___________________________
___________________________
59

Slide 60

___________________________
Troubleshooting with NetFlow: An Example

___________________________
___________________________
___________________________
___________________________
___________________________
60

NetFlow 101 Boot Camp
Slide 61

March 18, 2010
___________________________

Troubleshooting with NetFlow: An Example

___________________________
___________________________
___________________________
___________________________
___________________________
61

Slide 62

___________________________
Troubleshooting with NetFlow: An Example

___________________________
___________________________
___________________________
___________________________
___________________________
62

Slide 63

___________________________
Troubleshooting with NetFlow: An Example

___________________________
___________________________
___________________________
___________________________
___________________________
63

NetFlow 101 Boot Camp
Slide 64

March 18, 2010
___________________________

Troubleshooting with NetFlow: An Example

___________________________
___________________________
___________________________
___________________________
___________________________
64

Slide 65

___________________________
Troubleshooting with NetFlow: An Example

___________________________
___________________________
___________________________
___________________________
___________________________
65

Slide 66

___________________________
Troubleshooting with NetFlow: An Example

___________________________
___________________________
___________________________
___________________________
___________________________
66

NetFlow 101 Boot Camp

March 18, 2010

Slide 67

___________________________
___________________________

Threat Detection Methodologies

___________________________
___________________________
___________________________
___________________________

67

Slide 68

___________________________
___________________________
___________________________
___________________________
___________________________
___________________________
68

Slide 69

___________________________
Flow-based Threat Detection

___________________________
StealthWatch
Flow Collector

___________________________
Flow-based Pattern Matching

Behavior Analysis

___________________________
___________________________
___________________________
69

69

NetFlow 101 Boot Camp
Slide 70

March 18, 2010
___________________________

Threat Detection Method #1:
Pattern Recognition

___________________________
___________________________
___________________________
___________________________
___________________________

Slide 71

___________________________
Threat Detection Method #2:
Behavior-based Analysis

___________________________
___________________________
___________________________
___________________________
___________________________

Slide 72

___________________________
Threat Detection Method #3: Visualization

___________________________
___________________________
___________________________
___________________________
___________________________
72

NetFlow 101 Boot Camp

March 18, 2010

Slide 73

___________________________
Threat Detection Method #3: Visualization

___________________________
___________________________
___________________________
___________________________
___________________________
73

Slide 74

___________________________
Threat Detection Method #3: Visualization

___________________________
___________________________

Scanning activity
represented in a
Peer vs. Peer
diagram

___________________________
___________________________
___________________________

74

Slide 75

___________________________
___________________________

FlowSensor Technology

___________________________
___________________________
___________________________
___________________________

75

NetFlow 101 Boot Camp

March 18, 2010

Slide 76

___________________________
FlowSensor Technology

___________________________
FlowSensor
(NetFlow Enabled)

NetFlow
Collector

___________________________
NetFlow

NetFlow

Catalyst 6500
(NetFlow Enabled)

Catalyst 3750
(No NetFlow)

___________________________
___________________________
___________________________

76

Slide 77

___________________________
FlowSensor AE

___________________________
• Light-weight, cost-effective 1U
network
appliance
• Collects Ethernet frames and
exports NetFlow v9
• Monitor up to (5) 3750s
simultaneously
• Works with
Model
Capacity
Disk capable
Interfaces
any NetFlow
v9
flowList Price
AE-500
200 Mbps
** AVAILABLE Q3-2010 **
collector
AE-1000

1 Gbps

73GB

3 or 5

$6,995

AE-2000

2.5 Gbps

160GB

3 or 5

$12,995

AE-3000

5.0 Gbps

___________________________

StealthWatch
Flow Collector

NetFlow

FlowSensor

___________________________
___________________________
___________________________

** AVAILABLE Q2-2010 **

77

Slide 78

___________________________
FlowSensor VE (Virtual Edition)

___________________________
• Lightweight, virtual appliance for VMware ESX 3.5 and
4.0
• Captures and records all VM2VM communications
within the virtual network environment

___________________________
___________________________

• Exports NetFlow v9 from within the VMware ESX host
• FREE to download and try
(visit lancope.com to register and download)

___________________________
VMware Server

StealthWatch
Flow Collector

78

NetFlow

___________________________

NetFlow 101 Boot Camp

March 18, 2010

Slide 79

___________________________
10G Monitoring with Stackable FlowSensors

___________________________

Ethernet loadbalancer
vendors...

10G
7.5G

FlowSensor
AE-2000

2.5G

FlowSensor
AE-2000

2.5G

16x 1G

___________________________

2.5G

NetFlow

FlowSensor
AE-2000

StealthWatch
Flow Collector

___________________________

5.0G

___________________________

2.5G

___________________________
79

Slide 80

___________________________
NetFlow for Breadth, Packets for Depth

___________________________
FlowSensor AE

Latency Info

Traditional
NetFlow

Router Info

VM Server
FlowSensor VE

VM Info

Flows

___________________________
___________________________

Stealthwatch 5.10 Screenshot

___________________________
___________________________
80

Slide 81

___________________________
Works with any NetFlow v9 collector!

___________________________
• 1,000,000 record cache size

>> dynamically expands with increased load

• 60 second active timeout,
15 second inactive

>> follows Cisco IOS rules for aging

• Very similar to Cisco’s NetFlow v9
>> see equivalent IOS config at right

• IPv6 aware

>> your collector much be IPv6 capable

• VLAN aware
>> export VLAN tags in NetFlow

81

Cisco Flexible NetFlow Equivalent:
!
flow record lancope_template
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect ipv4 dscp
collect ipv4 ttl minimum
collect ipv4 ttl maximum
collect ipv4 section header size 60
collect transport tcp flags
collect interface output
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!

___________________________
___________________________
___________________________
___________________________

NetFlow 101 Boot Camp

March 18, 2010

Slide 82

___________________________
Works Best with Lancope’s Collector

___________________________
SRCIP DSTIP

PROTO DPORT SPORT

TCP

80

5749

TCP

5749

80

PKTS

BYTES

RTT

SRT

230m
9,092 65ms
s
78,02
230m
103
65ms
0
s
73

...

...
...

___________________________
___________________________

StealthWatch
FlowSensor

___________________________
SPAN

round trip time across the network
same as “ping” output

time it takes the server
SRT
to process a request

RTT

___________________________

82

Slide 83

___________________________
On a Related Note: World of Warcraft

___________________________
___________________________
Wintergrasp

Grinding in
Northrend

___________________________

Various BGs

___________________________
___________________________
83

Slide 84

___________________________
Thank You!

___________________________
 Flow-based technologies provide unrivaled scale and
cost effectiveness in large enterprise environments
 NetFlow is not just for netops, its value extends
across all IT from compliance auditing to helpdesk
support
 Enable NetFlow on as many devices as you can to
maximize visibility, the more the better
 Consider CPU and memory impact but don’t dwell
on it, it’s not as big a problem as you may think
 NetFlow is ideal for monitoring port dense
datacenters and large distributed WAN
environments. No probes are required.
84

___________________________
___________________________
___________________________
___________________________

NetFlow 101 Boot Camp

March 18, 2010