|
|
Procedures for configuring NetFlow Switching are provided in the "Configuring NetFlow Switching" chapter later in this publication.
This chapter describes NetFlow switching. It contains the following sections:
NetFlow switching is a high-performance, network-layer switching path that captures as part of its switching function a rich set of traffic statistics. These traffic statistics include user, protocol, port, and type of service information that can be used for a wide variety of purposes such as network analysis and planning, accounting, and billing.
NetFlow switching is supported on IP and IP encapsulated traffic over all interface types and encapsulations except for ISL/VLAN, ATM, and Frame Relay interfaces when more than one input access control list is used on the interface, and ATM LANE.
In conventional switching at the network layer, each incoming packet is handled on an individual basis with a series of functions to perform access list checks, capture accounting data, and switch the packet. With NetFlow switching, after a flow has been identified and access list processing of the first packet in the flow has been performed, all subsequent packets are handled on a connection-oriented basis as part of the flow, where access list checks are bypassed, and packet switching and statistics capture are performed in tandem.
A network flow is identified as a unidirectional stream of packets between a given source and destination---both defined by a network-layer IP address and transport-layer port number. Specifically, a flow is identified as the combination of the following fields:
NetFlow switching operates by creating a flow cache that contains the information needed to switch and perform access list check for all active flows. The NetFlow cache is built by processing the first packet of a flow through the standard switching path. As a result, each flow is associated with an incoming and outgoing interface port number and with a specific security access permission and encryption policy. The cache also includes entries for traffic statistics that are updated in tandem with the switching of subsequent packets. After the NetFlow cache is created, packets identified as belonging to an existing flow can be switched based on the cached information and security access list checks bypassed. Flow information is maintained within the NetFlow cache for all active flows.
NetFlow exports flow information in UDP datagrams in one of two formats. The version 1 format was the initially released version, and version 5 is a later enhancement to add Border Gateway Protocol (BGP) autonomous system (AS) information and flow sequence numbers. Versions 2 through 4 were not released.
In version 1 and version 5 formats, the datagram consists of a header and one or more flow records. The first field of the header contain the version number of the export datagram. Typically, a receiving application that accepts either format allocates a buffer big enough for the biggest possible datagram from either format and uses the version from the header to determine how to interpret the datagram. The second field in the header is the number of records in the datagram and should be used to index through the records.
All fields in either version 1 or version 5 formats are in network byte order. Table 5 and Table 6 describe the data format for version 1, and Table 7 and Table 8 describe the data format for version 5.
We recommend that receiving applications check datagrams to ensure that the datagrams are from a valid NetFlow source. We recommend you first check the size of the datagram to make sure it is at least long enough to contain the version and count fields. Next we recommend you verify that the version is valid (1 or 5) and that the number of received bytes is enough for the header and count flow records (using the appropriate version).
Because NetFlow export uses UDP to send export datagrams, it is possible for datagrams to be lost. To determine whether or not flow export information is lost, the version 5 header format contains a flow sequence number. The sequence number is equal to the sequence number of the previous plus the number of flows in the previous datagram. After receiving a new datagram, the receiving application can subtract the expected sequence number from the sequence number in the header to get the number of missed flows.
Table 5 lists the bytes for version 1 header format.
| Bytes | Content | Description |
|---|---|---|
0-3 | version and count | Netflow export format version number and number of flows exported in this packet (1-24). |
4-7 | SysUptime | Current time in milliseconds since router booted |
8-11 | unix_secs | Current seconds since 0000 UTC 1970. |
12-16 | unix_nsecs | Residual nanoseconds since 0000 UTC 1970. |
Table 6 lists the byte definitions for version 1 flow record format.
| Bytes | Content | Description |
|---|---|---|
0-3 | srcaddr | Source IP address. |
4-7 | dstaddr | Destination IP address. |
8-11 | nexthop | Next hop router's IP address. |
12-15 | input and output | Input and output interface's SNMP index. |
16-19 | dPkts | Packets in the flow. |
20-23 | dOctets | Total number of Layer 3 bytes in the flow's packets. |
24-27 | First | SysUptime at start of flow. |
28-31 | Last | SysUptime at the time the last packet of flow was received. |
32-35 | srcport and dstport | TCP/UDP source and destination port number or equivalent. |
36-39 | pad1, prot, and tos | Unused (zero) byte, IP protocol (for example, 6=TCP, 17=UDP), and IP type-of-service. |
40-43 | flags, pad2, and pad3 | Cumulative OR of TCP flags. Pad 2 and pad 3 are unused (zero) byte. |
44-48 | reserved | Unused (zero) bytes. |
Table 7 lists the byte definitions for version 5 header format.
| Bytes | Content | Description |
|---|---|---|
0-3 | version and count | Netflow export format version number and number of flows exported in this packet (1-30). |
4-7 | SysUptime | Current time in milliseconds since router booted |
8-11 | unix_secs | Current seconds since 0000 UTC 1970. |
12-15 | unix_nsecs | Residual nanoseconds since 0000 UTC 1970. |
16-19 | flow_sequence | Sequence counter of total flows seen. |
20-24 | reserved | Unused (zero) bytes. |
Table 8 lists the byte definitions for version 5 flow record format.
| Bytes | Content | Description |
|---|---|---|
0-3 | srcaddr | Source IP address. |
4-7 | dstaddr | Destination IP address. |
8-11 | nexthop | Next hop router's IP address. |
12-15 | input and output | Input and output interface's SNMP index. |
16-19 | dPkts | Packets in the flow. |
20-23 | dOctets | Total number of Layer 3 bytes in the flow's packets. |
24-27 | First | SysUptime at start of flow. |
28-31 | Last | SysUptime at the time the last packet of flow was received. |
32-35 | srcport and dstport | TCP/UDP source and destination port number or equivalent. |
36-39 | pad1, tcp_flags, prot, and tos | Unused (zero) byte, Cumulative OR of TCP flags, IP protocol (for example, 6=TCP, 17=UDP), and IP type-of-service. |
40-43 | src_as and dst_as | AS of the source and destination, either origin or peer. |
44-48 | src_mask, dst_mask, and pad2 | Source and destination address prefix mask bits, pad 2 is unused (zero) bytes. |
By maintaining one or more extra flow caches, called aggregation caches, the NetFlow Aggregation feature allows limited aggregation of NetFlow data export streams to be done on a router.
 |
Note To collect NetFlow version 8 data export records, use NetFlow FlowCollector version 3.0. Version 2.0 and earlier versions do not support version 8 data export record formats. |
The NetFlow Aggregation feature provides the following benefits:
The aggregation cache schemes are described in the following sections:
You can configure each aggregation cache with its individual cache size, cache ager timeout parameter, export destination IP address, and export destination UDP port. As data flows expire in the main NetFlow cache, the flows are added to each enabled aggregation cache. Each aggregation cache contains different field combinations that determine which data flows are grouped. The default aggregation cache size is 4096.
Table 9 lists definitions for the data export record terms used in each aggregation scheme.
| Term | Definition |
|---|---|
Bytes | Number of bytes in the aggregated flows. |
Destination BGP Autonomous System | Peer or origin autonomous system of the destination prefix (IP address.) |
Destination Interface | SNMP index of the output interface. |
Destination Port | Destination UDP or TCP port number. |
Destination Prefix | Destination IP address AND'd with the destination prefix mask. |
First | System uptime when the first packet was switched. |
Flows | Number of main cache flows that were aggregated. |
Last | System uptime when the last packet was switched. |
Packets | Number of packets in the aggregated flows. |
PAD | Zero field. |
Protocol | IP protocol byte. |
Source BGP Autonomous System | Peer or origin autonomous system of the source prefix. |
Source Interface | SNMP index of the input interface. |
Source Port | Source UDP or TCP port number if applicable. |
Source Prefix | Source IP address AND'd with the source prefix mask, or the prefix that the source IP address of the aggregated flows belong to. |
The autonomous system aggregation scheme provides significant NetFlow export data volume reduction and generates autonomous system-to-autonomous system traffic flow data. The scheme groups data flows with the same source BGP autonomous system, destination BGP autonomous system, input interface, and output interface. See Figure 10.
The aggregated NetFlow data export records report the following:
The Destination Prefix aggregation scheme generates data so that you can examine the destinations of network traffic passing through a NetFlow-enabled device. The scheme groups data flows with the same destination prefix, destination prefix mask, destination BGP autonomous system, and output interface. See Figure 11.
The aggregated NetFlow data export records report the following:
The Prefix aggregation scheme generates data so that you can examine the sources and destinations of network traffic passing through a NetFlow-enabled device. The scheme groups data flows with the same source prefix, destination prefix, source prefix mask, destination prefix mask, source BGP autonomous system, destination BGP autonomous system, input interface, and output interface. See Figure 12.
The aggregated NetFlow data export records report the following:
The Protocol Port aggregation scheme generates data so that you can examine network usage by traffic type. The scheme groups data flows with the same IP protocol, source port number, and destination port number when applicable. See Figure 13.
The aggregated NetFlow data export records report the following:
The Source Prefix aggregation scheme generates data so that you can examine the sources of network traffic passing through a NetFlow-enabled device. The scheme groups data flows with the same source prefix, source prefix mask, source BGP autonomous system, and input interface. See Figure 14.
The aggregated NetFlow data export records report the following:
To coordinate flow aggregation on your router, determine the fields from which you want to collect data. Table 10 shows which fields are valid for the different aggregation schemes and which fields are part of the keys. Key fields define a unique flow.
| Data Fields | Aggregation Schemes | ||||
|---|---|---|---|---|---|
| Autonomous System | Destination Prefix | Prefix | Protocol Port | Source Prefix |
Source Prefix |
|
|
|
|
|
Destination Prefix |
|
|
|
|
|
Protocol |
|
|
| * |
|
Type of Service Byte |
|
|
|
|
|
Source Port |
|
|
| * |
|
Destination Port |
|
|
| * |
|
Source Interface | * |
| * |
| * |
Destination Interface | * | * | * |
|
|
OR'd TCP Flags |
|
|
|
|
|
Source BGP Autonomous System | * |
| * |
| * |
Destination BGP Autonomous System | * | * | * |
|
|
Source Prefix Mask |
|
| * |
| * |
Destination Prefix Mask |
| * | * |
|
|
Next Hop IP Adress |
|
|
|
|
|
Source Encap Bytes |
|
|
|
|
|
Destination Encap Bytes |
|
|
|
|
|
Source Prefix |
|
| * |
| * |
Destination Prefix |
| * | * |
|
|
First Timestamp | x | x | x | x | x |
Last Timestamp | x | x | x | x | x |
Flows | x | x | x | x | x |
Packets | x | x | x | x | x |
Bytes | x | x | x | x | x |
| * = exported key field x = exported field | |||||
NetFlow exports flow information in UDP datagrams in one of several formats. Version 8, a new data export version, has been added to support data exports from aggregation caches. Version 8 allows for export datagrams to contain a subset of the usual version 5 export data, which is valid for a particular aggregations scheme type.
Figure 15 shows the version 8 header with the version and timestamp information. Table 11 lists definitions for terms used in the version 8 header.
| Term | Definition |
|---|---|
Version | The flow export format version number. In this case, the number is "8." |
Count | The number of export records in the datagram. |
System Uptime | The number of milliseconds since the router was last booted. |
UNIX Seconds | The number of seconds since 0000 Universal Time Code (UTC) 1970. |
UNIX Nanoseconds | The number of residual nanoseconds since 0000UTC 1970. |
Sequence Number | Sequence counter of total flows sent for this export stream. |
Engine Type | The type of switching engine. RP=0 and LC=1. |
Engine ID | The slot number of the NetFlow switching engine. |
Aggregation | The type of aggregation scheme being used. |
Aggregation Version | The aggregation subformat version number. The current value is "2." |
NetFlow policy routing (NPR) integrates policy routing, which enables traffic engineering and traffic classification, with NetFlow services, which provide billing, capacity planning, and monitoring information on real-time traffic flows. IP policy routing now works with Cisco Express Forwarding (CEF), Distributed CEF (dCEF), NetFlow, and NetFlow flow acceleration.
As Quality of Service and traffic engineering become more popular, so does interest in policy routing's ability to selectively set IP precedence and type of service (TOS) bits (based on access lists and packet size), thereby routing packets based on predefined policy. It is important that policy routing work well in large, dynamic routing environments. Hence, distributed support allows customers to leverage their investment in distributed architecture.
Cisco IOS introduced three technologies for IP Policy Routing. See Table 12.
| Technology | Description |
|---|---|
CEF | Looks at a Forwarding Information Base (FIB) instead of a routing table when switching packets. |
dCEF | Addresses the scalability and maintenance problems of a demand caching scheme. |
NetFlow | Allows accounting, capacity planning, traffic monitoring, and flow-accelerating specific applications. |
NPR leverages these technologies. To configure NetFlow policy routing, see the chapter "Configuring NetFlow Switching" in this publication.
The NetFlow Policy Routing feature provides the following benefits:
Note the following restrictions:
Posted: Mon Jul 17 17:00:32 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.