Flexible NetFlow Notes

Cisco renamed NetFlow to Cisco Flexible NetFlow. The initial version of NetFlow used a 7-tuple as the flow identifier. Flexible NetFlow lets the user configure the number of tuples, so that a specific target can be defined for the flow to be monitored. At present the most recent version is v9.

The NetFlow components are:

  • Records – A predefined set of key fields (such as source IP, destination IP, source port, etc.) used to monitor the network
  • Flow monitors – Applied to the interface, a flow monitor monitors the flows and comprises the records, the cache, and an optional flow exporter. The flow monitor cache collects the information about the flows
  • Flow exporters – Export the cached flows to an external system (typically a NetFlow server)
  • Flow samplers – Designed to reduce the load on devices with NetFlow enabled, flow samplers let you specify a sample size for the traffic NetFlow analyses. The number of packets analysed as they cross the interface is configurable as a packet ratio from 1:2 up to 1:32768.
    There are 2 types of flow samplers:

    • Deterministic – Uses the same position for each sample collected
    • Random – Uses a random position for each sample collected

Notes:
When the record “NetFlow original”, “NetFlow IPv4 original input” or “NetFlow IPv6 original input” is specified for the monitor, it emulates original NetFlow; such a flow monitor can only be used for ingress traffic.
When the record “NetFlow IPv4 original output” or “NetFlow IPv6 original output” is specified, it emulates Egress NetFlow Accounting; such a flow monitor can only be used for egress traffic.

Example:

Connections:

R2-f0/1----f0/0-R3

R2(config)#
flow exporter ipv4Export
destination 192.168.1.1
source loopback0
dscp 8
transport udp 1333
!
flow monitor ipv4Monitor
 ! using the record from the old (original) NetFlow
record netflow ipv4 original-input
exporter ipv4Export
cache timeout inactive 600
cache timeout active 180
cache entries 5000
statistics packet protocol
!
interface FastEthernet0/1
ip flow monitor ipv4Monitor input

R2#sh flow exporter   
Flow Exporter ipv4Export:
Description:              User defined
Tranport Configuration:
Destination IP address: 192.168.1.1
Source IP address:      1.1.1.1
Source Interface:       Loopback0
Transport Protocol:     UDP
Destination Port:       1333
Source Port:            56582
DSCP:                   0x8
TTL:                    255

R2#sh flow monitor
Flow Monitor ipv4Monitor:
Description:       User defined
Flow Record:       netflow ipv4 original-input
Flow Exporter:     ipv4Export
Cache:
Type:              normal
Status:            allocated
Size:              5000 entries / 376408 bytes
Inactive Timeout:  600 secs
Active Timeout:    180 secs
Update Timeout:    1800 secs
Stats:
protocol distribution

R2#sh flow monitor ipv4Monitor cache  
Cache type:                            Normal
Cache size:                              5000
Current entries:                            0
High Watermark:                            41

Flows added:                               42
Flows aged:                                42
- Active timeout   (   180 secs)         42
- Inactive timeout (   600 secs)          0
- Event aged                              0
- Watermark aged                          0
- Emergency aged                          0

R2#sh flow monitor ipv4Monitor statistics
Cache type:                            Normal
Cache size:                              5000
Current entries:                            0
High Watermark:                            41

Flows added:                               42
Flows aged:                                42
- Active timeout   (   180 secs)         42
- Inactive timeout (   600 secs)          0
- Event aged                              0
- Watermark aged                          0
- Emergency aged                          0

Protocol         Total    Flows   Packets Bytes Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt    /Sec       /Flow    /Flow
UDP_other           39      0.0        46    59      0.4       1.0     179.7
ICMP                 3      0.0       349   120      0.2     115.0      65.5
Total:              42      0.0        68    82      0.7       9.1     171.5

R2#sh flow record netflow-original
flow record netflow-original:
Description:        Traditional IPv4 input NetFlow with origin ASs
No. of users:       0
Total field space:  53 bytes
Fields:
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow sampler
collect interface output
collect routing next-hop address ipv4
collect transport tcp flags
collect routing source as
collect routing destination as
collect ipv4 source mask
collect ipv4 destination mask
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect counter packets
collect counter bytes
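
What the exporter configured above sends to UDP port 1333, seen from the collector side: a minimal NetFlow v9 (RFC 3954) decoder, added here as an example and not taken from the original post or from Cisco. It assumes the exporter uses the v9 format mentioned at the top; `parse_v9`, `build_sample` and the sample datagram are constructed for the illustration, the field list covers only part of the record shown above, and options templates are skipped.

```python
import ipaddress
import struct

# RFC 3954 field types for some of the fields in "netflow ipv4 original-input".
FIELD_NAMES = {1: "bytes", 2: "packets", 4: "protocol", 5: "tos",
               7: "src_port", 8: "src_addr", 11: "dst_port", 12: "dst_addr"}

def parse_v9(datagram, templates):
    """Decode one export datagram; `templates` must persist between calls."""
    if len(datagram) < 20 or datagram[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 datagram")
    source_id = struct.unpack_from("!I", datagram, 16)[0]
    records, offset = [], 20
    while offset + 4 <= len(datagram):
        flowset_id, length = struct.unpack_from("!HH", datagram, offset)
        if length < 4 or offset + length > len(datagram):
            raise ValueError("FlowSet length runs past the datagram")
        body = datagram[offset + 4:offset + length]
        pos = 0
        if flowset_id == 0:                          # template FlowSet
            while pos + 4 <= len(body):
                template_id, nfields = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * nfields
                if template_id < 256 or end > len(body):
                    break                            # padding or truncated template
                fields = list(struct.iter_unpack("!HH", body[pos + 4:end]))
                templates[(source_id, template_id)], pos = fields, end
        elif (source_id, flowset_id) in templates:   # data FlowSet, template known
            fields = templates[(source_id, flowset_id)]
            size = sum(flen for _, flen in fields)
            while size and pos + size <= len(body):  # trailing padding is ignored
                rec = {}
                for ftype, flen in fields:
                    raw, pos = body[pos:pos + flen], pos + flen
                    rec[FIELD_NAMES.get(ftype, ftype)] = (
                        str(ipaddress.IPv4Address(raw)) if ftype in (8, 12)
                        else int.from_bytes(raw, "big"))
                records.append(rec)
        offset += length                             # other FlowSets are skipped
    return records

def build_sample():
    """Constructed datagram: template 256, then one data record that uses it."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (2, 4), (1, 4)]
    tmpl = struct.pack("!HH16H", 256, len(fields), *sum(fields, ()))
    data = struct.pack("!4s4sHHBBII2x", bytes([10, 0, 23, 2]), bytes([10, 0, 23, 3]),
                       53000, 53, 17, 0, 46, 2714)
    return (struct.pack("!HHIIII", 9, 2, 1000, 1700000000, 1, 0)
            + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(data)) + data)
```

Export datagrams arrive over unauthenticated UDP, so a collector should accept them only from the exporter's configured source address (Loopback0 here) in addition to applying these length checks.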

Applying a sampler to the existing monitor

R2(config)#

sampler SAMPLE
mode random 1 out-of 10
!
interface FastEthernet0/1
no ip flow monitor ipv4Monitor input
ip flow monitor ipv4Monitor sampler SAMPLE input

R2#sh sampler
Sampler SAMPLE:
ID:             1
Description:    User defined
Type:           random
Rate:           1 out of 10
Samples:        0
Requests:       0
Users (1):
flow monitor ipv4Monitor (ip,Fa0/1,Inpu  0 out of 0

R2#sh flow interface f0/1
Interface FastEthernet0/1
FNF:  monitor:         ipv4Monitor
direction:       Input
traffic(ip):     sampler SAMPLE
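
The difference between the two sampler types, at the 1 out-of 10 rate configured above, as an added example that is not part of the original post: a constructed packet stream in which one flow sends exactly one packet per sampling window. The `simulate` function, the 'beacon' flow and its fixed offset are assumptions made for the illustration.

```python
import random

def pick(n_packets, window, mode, rng, fixed_pos=0):
    """Indices chosen by a 1-out-of-`window` sampler, one per window."""
    chosen = []
    for start in range(0, n_packets, window):
        # deterministic: same position in every window; random: new position each time
        pos = fixed_pos if mode == "deterministic" else rng.randrange(window)
        if start + pos < n_packets:
            chosen.append(start + pos)
    return chosen

def simulate(mode, window=10, n_packets=100_000, beacon_offset=3, seed=1):
    """Constructed stream: packet i belongs to the periodic 'beacon' flow when
    i % window == beacon_offset; every other packet is background traffic."""
    rng = random.Random(seed)
    chosen = pick(n_packets, window, mode, rng)
    beacon_sampled = sum(1 for i in chosen if i % window == beacon_offset)
    return {
        "sampled": len(chosen),
        "beacon_sampled": beacon_sampled,
        # a collector scales sampled counts by the sampling rate
        "beacon_estimate": beacon_sampled * window,
        "beacon_actual": n_packets // window,
    }

if __name__ == "__main__":
    for mode in ("deterministic", "random"):
        print(mode, simulate(mode))
```

With the deterministic sampler the periodic flow never lands on the sampled position and is absent from the cache, while the random sampler yields an estimate close to the real packet count.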
