網(wǎng)絡管理與網(wǎng)絡監(jiān)控

云南電網(wǎng)公司高級網(wǎng)絡知識培訓7、網(wǎng)絡管理、監(jiān)控和優(yōu)化服務

網(wǎng)絡管理、SNMP協(xié)議云南電網(wǎng)網(wǎng)絡知識培訓網(wǎng)管的重要性???網(wǎng)絡中設備日漸增多－交換機、路由器、防火墻、撥號訪問服務器……技術日趨復雜－以太網(wǎng)、千兆以太網(wǎng)、多媒體技術、語音、數(shù)據(jù)、視頻集成、安全策略……，

發(fā)生問題時無從下手

缺乏經(jīng)驗豐富、受過專業(yè)培訓的網(wǎng)絡管理人員缺乏綜合的網(wǎng)管解決方案網(wǎng)管基本概念網(wǎng)絡管理系統(tǒng)主要功能是維護網(wǎng)絡正常高效的運行。網(wǎng)管系統(tǒng)能及時檢測網(wǎng)絡出現(xiàn)的故障和進行處理，能通過監(jiān)測分析運行狀況而估價系統(tǒng)性能.兩種網(wǎng)絡管理系統(tǒng)標準：1.OSI的網(wǎng)絡管理規(guī)程:公共管理信息協(xié)議(CMIP)2.起源于Internet的TCP/IP的簡單網(wǎng)絡管理協(xié)議(SNMP)WhatIstheNMS?SecurityConfigurationPerformanceAccountingFaultTroubleshootingforproblemdiscovery,isolation,andresolutionCollectutilizationandperformancedata,analyzedata,setutilizationthresholdsFinding,configuring,andmaintainingnetworkdevicesLogginguseraccessanddatatrafficforbilling;providingsecureaccesstothenetwork為了使網(wǎng)絡的性能功效達到最高而采用的能夠控制管理復雜的數(shù)據(jù)網(wǎng)絡一組工具?！啊本W(wǎng)管的管理功能配置管理：定義、識別、初始化、控制、檢測被管對象。故障管理：故障檢測、排除。性能管理：流量負載、網(wǎng)絡服務器負載情況。記帳管理：哪個用戶、什么時間、使用了什么資源、使用了多少。安全管理：身份驗證、授權、加/解密OSI提出網(wǎng)管五個管理功能SNMP操作模型管理站SNMP代理(Agent)MIB代理(Agent)MIB被管設備被管設備用戶接口網(wǎng)管應用程序SNMP操作讀取(get)：管理站被管設備請求回應寫入(set):管理站用寫入命令設置被管設備的變量值陷井(Trap):被管設備向管理站報告重要事件獲取變量的值網(wǎng)管分類網(wǎng)元管理流量管理安全管理基礎設施管理網(wǎng)元管理

以設備單元為基礎的網(wǎng)絡管理，監(jiān)控網(wǎng) 絡設備的運行狀態(tài)、網(wǎng)絡鏈路的通斷、 異常事件告警等。 代表產(chǎn)品：CiscoWorks、華訊網(wǎng)管（EccomNet）、 NetCool流量管理

對網(wǎng)絡流量的智能分析 對關鍵網(wǎng)絡節(jié)點或關鍵網(wǎng)絡鏈路上網(wǎng)絡 流量的長期數(shù)據(jù)捕獲保存能力 能夠提供長期的流量分析報告

代表產(chǎn)品：NetScout安全管理

實現(xiàn)對安全設備的統(tǒng)一管理，安全策略 的集中下發(fā) 收集、分析安全事件，提供相應安全建 議

代表產(chǎn)品：CSM、MARS基礎設施管理

實現(xiàn)對機房網(wǎng)絡設備、主機設備及機柜 電源的統(tǒng)一管理

代表產(chǎn)品：AvocentCISCO網(wǎng)管體系結構所有CISCO網(wǎng)絡管理設備都支持SNMP，即可以在其上啟動SNMP的Agent(軟件模塊/進程)網(wǎng)管工作站操作系統(tǒng)平臺SUN(solaris)、HP、IBM(AIX)、NT、WIN95網(wǎng)管平臺(如SUN:Netmanger,HP:OpenView,IBM:Netview)CISCOWORKS/CWSICISCOVIEW網(wǎng)絡管理：

CiscoIOSIPSLAs技術云南電網(wǎng)網(wǎng)絡知識培訓CiscoIOSIPSLAs技術IPSLAs是內嵌在CiscoIOS中的一個網(wǎng)絡管理代理，用于對網(wǎng)絡中任意兩點間的服務質量進行主動測量可以感知IP業(yè)務類型和通信服務級別專門針對IP電話、視頻、VPN業(yè)務進行了優(yōu)化所有運行IOS操作系統(tǒng)的Cisco網(wǎng)絡硬件設備都支持IPSLAs管理代理，無需額外的采購費用IPSLAs是Cisco提供智能化網(wǎng)絡戰(zhàn)略的重要組成部分，能提供業(yè)界領先的內嵌式服務質量測量智能代理性能測量SPAN和RSPAN監(jiān)控云南電網(wǎng)網(wǎng)絡知識培訓ObjectivesUponcompletingthislesson,youwillbeableto:DescribetechniquestoenhancetheperformanceofamultilayerswitchednetworkMonitorswitchportsusingSPANandVSPANMonitorswitchportsusingRSPANDescribethefeaturesandoperationofnetworkanalysismodulesonCatalystswitchestoimprovenetworktrafficmanagementVerifyandtroubleshoottheoperationofnetworkanalysismodulesEnhancingNetworkPerformanceGatherabaseline.Performawhat-ifanalysis.Performexceptionreportingforcapacityissues.Determinethenetworkmanagementoverhead.Analyzethecapacityinformation.Periodicallyreviewcapacityinformation.Haveupgradeortuningproceduressetup.SwitchedPortAnalyzerConfiguringSPANSwitch(config)#monitorsession{session_num}{source{interfacetype/num}|{vlannum}}[,|-|rx|tx|both]

ConfiguresaSPANsessiontomonitortrafficSwitch(config)#monitorsession{session_number}{destination{interfacetype/num}[,|-]|{vlannum}}

ConfiguresthedestinationforaSPANsessionRemoteSPANConfiguringRSPANEntersconfigurationmodeforaspecificVLANSwitch(config)#vlanvlan-numberEnablesRSPANfortheVLANSwitch(config-vlan)#remote-spanVerifyingSPANandRSPANSwitch#showmonitorsessionsession_number[detail]DisplaysSPANsessioninformationSwitch#showmonitorsession2

Session2

Type:RemoteSourceSession

SourcePorts:

RXOnly:Fa3/1

DestRSPANVLAN:901Switch#showmonitorsession2detail

Session2

Type:RemoteSourceSession

SourcePorts:

RXOnly:Fa1/1-3

TXOnly:None

Both:None

SourceVLANs:

RXOnly:None

TXOnly:None

Both:None

SourceRSPANVLAN:None

DestinationPorts:None

FilterVLANs:None

DestRSPANVLAN:901NetworkAnalysisModuleNAMInitialConfigurationAssignparametersIPaddressSubnetmaskIPbroadcastaddressIPhostnameDefaultgatewayDomainnameDNSnameserverSNMP(MIBvariables,accesscontrol,systemgroupsettings)StartthewebserverConfiguringNAMSwitch(config)#interfacegi8/0Switch(config-if)#switchportaccessvlan93Switch(config-if)#end

Switch(config)#monitorsession1destinationinterfacegi8/1

root@localhost#autostartaddressmapenableEnablesacollectiontypeRoot@localhost#autostartcollectionenableVerifyingNAMSwitch#showmoduleDisplaysinformationaboutinstalledmodulesSwitch#showmodule

ModPortsCardTypeModelSerialNo.

22Catalyst6000supervisor2(Active)WS-X6K-SUP2-2GESAD0410050B

34848port10/100mbRJ-45ethernetWS-X6248-RJ-45SAD03080485

52NetworkAnalysisModuleWS-X6380-NAMSAD05130AXB

72IntrusionDetectionSystemWS-X6381-IDSSAD05100HPTSwitch#showinterfaceGigabitEthernetslot/[1|2]DisplaysNAMinterfaceinformationSummaryPerformancemanagementmaintainsinternetworkperformanceatacceptablelevelsbymeasuringandmanagingvariousnetworkperformancevariables.SPANselectsandcopiesnetworktraffictosendtoanetworkanalyzer.RemoteSPANisavariationofSPANthatsendsmonitoredtrafficthroughanintermediateswitchratherthandirectlytothetrafficanalyzer.ANAMusesSNMPRMONinformationtomonitorandanalyzenetworktraffic.UsetheshowcommandstoverifyNAMconfiguration.Syslog云南電網(wǎng)網(wǎng)絡知識培訓什么是Syslog?記錄發(fā)生了什么事件？包括流量行為的一系列事件都可以被記錄下來。是一種很好的troubleshooting的工具，尤其是在設備重啟或者crash后。Syslog配置!servicetimestampsdebugdatetimelocaltimeservicetimestampslogdatetimelocaltime！loggingbuffered20480Nologgingconsole！loggingsource-interfaceLoopback0logginghostlogginghost21!Log的級別和數(shù)目log級別中包含的具體內容，具體參見設備的datatsheetsyslog用showlogging可查看目前l(fā)og的設置情況。SyslogYX-C-M-C7606-B01(config)#loggingbuffered?<0-7>Loggingseveritylevel<4096-2147483647>LoggingbuffersizealertsImmediateactionneeded(severity=1)criticalCriticalconditions(severity=2)debuggingDebuggingmessages(severity=7)discriminatorEstablishMD-BufferassociationemergenciesSystemisunusable(severity=0)errorsErrorconditions(severity=3)filteredEnablefilteredlogginginformationalInformationalmessages(severity=6)notificationsNormalbutsignificantconditions(severity=5)warningsWarningconditions(severity=4)xmlEnablelogginginXMLtoXMLloggingbuffer<cr>默認：informationalInformationalmessages(severity=6)思科網(wǎng)管工具云南電網(wǎng)網(wǎng)絡知識培訓CiscoNetmanager(CNM)入門級網(wǎng)元管理軟件-CisconetManager基礎網(wǎng)絡管理軟件CisconetManager基礎網(wǎng)絡管理軟件的英文全稱是CisconetManagerIPinfrastructure它是CisconetManager網(wǎng)管產(chǎn)品家族中的成員。它是一個高效的網(wǎng)絡監(jiān)控的解決方案，它可以監(jiān)控思科網(wǎng)絡中低端網(wǎng)絡設備、以及其它基于SNMP的第三方IT設備，如：服務器、工作站、應用服務器，甚至打印機等netManager基礎網(wǎng)絡管理軟件的基本功能(1)網(wǎng)絡的自動發(fā)現(xiàn)（包括主機等一般SNMP設備）實時和歷史的性能監(jiān)控與報告CPU利用率內存利用率硬盤利用率接口利用率（帶寬）設備可用性豐富的故障通知手段：SNMPTRAP、SYSLOG，SMS、電子郵件、外部腳本激活彈出窗口和網(wǎng)頁報警等豐富的通知機制。netManager基礎網(wǎng)絡管理軟件的基本功能(2)實時網(wǎng)絡拓撲展現(xiàn)CiscoWorksLMS3.0

+HUMCiscoworks網(wǎng)絡管理系統(tǒng)的英文全稱是CiscoworksLanManagerSolution，簡稱LMS。CiscoWorksLMS由多個具有出色運營功能的工具組成，提供故障管理、可擴展拓撲視圖、先進配置、L2和L3路徑分析、支持語音的路徑跟蹤、廣域網(wǎng)性能故障排除、終端工作站跟蹤以及設備故障排除等功能CiscoWorksLMS3.0是一個全新的主要軟件版本，在可擴展性、性能和應用級功能方面叫以前版本有了大幅提高。CiscoView全部Cisco設備支持詳細設備外觀圖形有助于微小故障的迅速定位簡單的點擊配置多個端口和參數(shù)迅速啟動實時監(jiān)控集成于CiscoWorks2000和CiscoWorksforWindows的Cisco網(wǎng)絡設備視圖處理器CiscoWorksWindows易于使用的基于Windows的互連網(wǎng)管理應用套件支持集成的交換機和路由器帶有多個管理級別的安全的SNMP管理系統(tǒng)中小型企業(yè)專門的網(wǎng)管軟件CommonManagementFoundation

ArchitectureCD-One(CommonManagementFoundation)Desktop,WebServices,Security,ProcessManagement,HelpDatabaseEngine,JobManagement,EventDistributionANI(AsynchronousNetworkInterface)NetworkDeviceDiscoveryRUNTIMESERVICESNETWORKSERVICESSYSTEMSERVICESCORBAEventBusCustomerPartnerInterfaceCIM/XMLCiscoManagementConnectionCCOHTMLCORBAWebBrowserUserInterfaceCommontoLMS?RWAN?SMS?VMS?CVM?…ACLManagerReal-TimeMonitorResourceManagerEssentialsContentFlowManagerCampusManagerDeviceFaultManagerInternetworkPerformanceMonitorLMSLMSLMS?RWAN+RWANRWANLMS?RWANLMS?RWANInternalInterfacesyslogSNMPNetworkDevicestelnetCDOneCDTwoSLMCollectorSWServiceLevelMgtSolutionCDOneRMERTMACLIPMRWANSolutionCDOneRME&CD-2VPNMonCSPM(IDS)VPN/SecurityMgtSolutionCDOneRMERTMCMCFMLANMgtSolutionDFMCDOneVoIPHealthMonitorDFMVHMCWWACSURTQPMCVMHSENAMCSPM(fw)HIDSCiscoWorks2000Netflow介紹云南電網(wǎng)網(wǎng)絡知識培訓AgendaNetFlowOverviewVersionsPartnersCustomerApplicationsSolutionsbyTechnologyFeaturesandUsesPlatformSpecificsPerformanceRoadmapandFutureDirectionSummaryNetFlowOverviewNetFlowOrigination&InnovationDevelopedbyDarrenKerrandBarryBruinsatCiscoSystemsin1996ThevalueofinformationinthecachewasasecondarydiscoveryInitiallydesignedasaswitchingpathNetFlowisnowtheprimarynetworkaccountingtechnology

intheindustrySampledNetFlowaCiscoinnovationNetFlowversion9anIETFstandardAnswersquestionsregardingIPtraffic:who,what,where,when,andhowNetFlow技術Cisco?Systems在1996發(fā)明并取得專利NetFlow現(xiàn)在是業(yè)界最主要的網(wǎng)絡流量統(tǒng)計技術,同時也已經(jīng)成為IETF標準提取網(wǎng)絡傳輸?shù)臄?shù)據(jù)包的關鍵信息：時間，來源，目的，做什么等等。詳細描述網(wǎng)絡的運行狀況和流量特點。Whatisaflow?ExportedDataDefinedbysevenuniquekeys:SourceIPaddressDestinationIPaddressSourceportDestinationportLayer3protocoltypeTOSbyte(DSCP)Inputlogicalinterface(ifIndex)NetFlowSequence

RouterCreateandupdateflowsinNetFlowCacheInactivetimerexpired(15secisdefault)

Activetimerexpired(30min(1800sec)isdefault)NetFlowcacheisfull(oldestflowsareexpired)

RSTorFINTCPFlagHeaderExportPacketPayload(flows)ExpirationAggregation?e.g.Protocol-PortAggregationSchemebecomesExportVersionYesNoAggregatedFlows–exportVersion8or9Non-AggregatedFlows–exportVersion5or9TransportProtocolCoreNetworkCreatingExportPacketsEnableNetFlowTrafficCollector(Solaris,HP-UX,orLinux)UDPNetFlowExportPacketsApplicationGUIPEExportPacketsApproximately1500bytesTypicallycontain20-50flowrecordsSentmorefrequentlyiftrafficincreasesonNetFlow-enabledinterfacesNetFlowPrinciplesInboundtrafficonlyUnidirectionalflowAccountsforbothtransittrafficandtrafficdestinedfortherouterWorkswithCiscoExpressForwarding(CEF)orfastswitchingNotaswitchingpathSupportedonallinterfacesandCiscoIOSSoftwareplatformsReturnsthesub-interfaceinformationintheflowrecordsAgendaNetFlowOverviewVersionsPartnersCustomerApplicationsSolutionsbyTechnologyFeaturesandUsesPlatformSpecificsPerformanceRoadmapandFutureDirectionSummaryVersionsNetFlowVersionsNetFlowVersionComments1Original5Standardandmostcommon7SpecifictoCiscoCatalyst6500and7600SeriesSwitchesSimilartoVersion5,butdoesnotincludeAS,interface,TCPFlag&TOSinformation8ChoiceofelevenaggregationschemesReducesresourceusage9Flexible,extensiblefileexportformattoenableeasiersupportofadditionalfields&technologies;comingoutnowMPLS,Multicast,&BGPNextHopAgendaVersion5Version8Version7Version9Version5NetFlowOverviewVersionsVersion5-FlowFormatSourceIPAddressDestinationIPAddressPacketCountByteCountUsageQoSTimeofDayApplicationPortUtilizationFrom/ToRoutingandPeeringInputifIndexOutputifIndexTypeofServiceTCPFlagsProtocolStartsysUpTimeEndsysUpTimeSourceTCP/UDPPortDestinationTCP/UDPPortNextHopAddressSourceASNumberDest.ASNumberSourcePrefixMaskDest.PrefixMaskSourceIPAddressDestinationIPAddressAgendaVersion5Version7Version8Version9Version7NetFlowOverviewVersionsVersion7AddsNetFlowswitchingsupportfor:CiscoCatalyst5000SeriesSwitcheswithanRSMCiscoCatalyst5000SeriesSwitcheswithanMSFCUsesMultiLayerSwitching(MLS)orCEFwithCiscoCatalyst6000SeriesSwitcheswithSUP2IPunicastonlyNomulticastorIPX,evenifMLScandoallthreeMLScacheistheequivalentoftheNetFlowcacheVersion7-FlowFormatSourceIPAddressDestinationIPAddressUsageQoSTimeofDayApplicationPortUtilizationFrom/ToRoutingandPeeringSourceIPAddressDestinationIPAddressInputifIndexOutputifIndexTypeofServiceTCPFlagsProtocolPacketCountByteCountStartsysUpTimeEndsysUpTimeSourceTCP/UDPPortDestinationTCP/UDPPortNextHopAddressSourceASNumberDest.ASNumberSourceSubnetMaskDest.SubnetMaskRouterSc(routershortcut)**Addedfromversion5NotethattheToSandTCPFlagsfieldsarenotpopulatedAgendaVersion5Version7Version8Version9Version8NetFlowOverviewVersionsVersion8Router-basedaggregationEnablesroutertosummarizeNetFlowdataReducesNetFlowExportdatavolumeDecreasesNetFlowExportbandwidthrequirementsCurrently11aggregationschemesFiveoriginalschemesSixnewschemeswiththeTOSbytefieldSeveralaggregationscanbeenabledsimultaneouslyVersion8-FlowFormatVersion8-FlowFormatVersion8-Configuration3600-4(config)#ipflow-aggregationcache?asASaggregationas-tosAS-TOSaggregationdestination-prefixDestinationPrefixaggregationdestination-prefix-tosDestinationPrefixTOSaggregationprefixPrefixaggregationprefix-portPrefix-portaggregationprefix-tosPrefix-TOSaggregationprotocol-portProtocolandportaggregationprotocol-port-tosProtocol,portandTOSaggregationsource-prefixSourcePrefixaggregationsource-prefix-tosSourcePrefixTOSaggregationNote–donotexportversion5atthesametime“ipflow-exportversion5”AgendaVersion5Version8Version7Version9Version9NetFlowOverviewVersionsWhyaNewVersion?Fixedformats(versions1,5,7,and8)arenotflexibleandadaptableCisconeededtobuildanewversioneachtimeacustomerwantedtoexportnewfieldsWhennewversionsarecreated,partnersneedtoreengineertosupportthenewexportformatSolution:Buildaflexible

andextensibleexportformat!Netflowv9PrinciplesVersion9isanexportformatStillapushmodelSentthetemplateregularly(configurable)Independentoftheunderlyingprotocol,itisreadyforanyreliableprotocol(ie:TCP,SCTP)NetFlowv9ExportPacketDataFlowSetTemplateFlowSetOptionTemplateFlowSetHeaderFlowSetID#1DataFlowSetFlowSetID#2TemplateID(specificFieldtypesandlengths)(version,#packets,sequence#,SourceID)MatchingID#sisthewaytoassociateTemplatetotheDataRecordsTheHeaderfollowsthesameformataspriorNetFlowversionssoCollectorswillbebackwardcompatibleEachDataRecordrepresentsoneflowIfexportedflowshavethesamefieldsthentheycanbecontainedinthesameTemplateRecorde.g.unicasttrafficcanbecombinedwithmulticastrecordsIfexportedflowshavedifferentfieldsthentheycan’tbecontainedinthesameTemplateRecorde.g.BGPnext-hopcan’tbecombinedwithMPLSAwareNetFlowrecordsFlowsfromInterfaceAFlowsfromInterfaceBTosupporttechnologiessuchasMPLSorMulticast,thisexportformatcanbeleveragedtoeasilyinsertnewfieldsOptionDataFlowSetFlowSetIDOptionDataRecord(Fieldvalues)OptionDataRecord(Fieldvalues)TemplateRecordTemplateID#2(specificFieldtypesandlengths)TemplateRecordTemplateID#1(specificFieldtypesandlengths)DataRecord(Fieldvalues)DataRecord(Fieldvalues)DataRecord(Fieldvalues)NetFlowv9FlexibleFormatTemplateFlowSetDataFlowSetFlowSetIDDataFlowSetFlowSetIDExampleofExportPacketrightafterrouterbootorNetFlowconfigurationExampleofExportPacketscontainingmostlyflowinformationOptionDataFlowSetFlowSetIDHeaderHeaderOptionDataRecord(Fieldvalues)OptionDataRecord(Fieldvalues)DataRecord(Fieldvalues)DataRecord(Fieldvalues)DataRecord(Fieldvalues)DataRecord(Fieldvalues)DataRecord(Fieldvalues)DataRecord(Fieldvalues)DataRecord(Fieldvalues)(version,#packets,sequence#,SourceID)(version,#packets,sequence#,SourceID)TemplateRecordTemplateID(specificFieldtypesandlengths)TemplateRecordTemplateID(specificFieldtypesandlengths)TemplateRecordTemplateID(specificFieldtypesandlengths)TemplateRecordTemplateID(specificFieldtypesandlengths)OptionTemplateFlowSetTemplateID(specificFieldtypesandlengths)NetFlowv9ExportPacket

IETFSpecificationOptionFlowsetssenddataassociatedwith:SystemInterfaceLineCardCacheTemplateExample:ThesamplingrateassociatedwithaparticularinterfaceNetFlowv9Exportpamela(config)#ipflow-exportversion?159pamela(config)#ipflow-exportversion9.ConfiguringVersion9exportpamela(config)#ipflow-aggregationcacheaspamela(config-flow-cache)#enabledpamela(config-flow-cache)#export?destinationSpecifytheDestinationIPaddressversionconfigureaggregationcacheexportversionpamela(config-flow-cache)#exportversion?8Version8exportformat9Version9exportformatpamela(config-flow-cache)#exportversion9ConfiguringVersion9exportforanaggregationschemeExportversionsavailableforstandardNetFlowflowsExportversionsavailableforaggregatedNetFlowflowsNetFlowV9andIETFInternetProtocolFlowInformationeXport(IPFIX)isanIETFWorkingGroup/Netflowversion9hasbeenpresentedinthelastIETFInformationalRFConNetFlowversion9/internet-drafts/draft-bclaise-netflow-9-00.txtCiscoisworkingondraftsforversion9AgendaNetFlowOverviewVersionsPartnersCustomerApplicationsSolutionsbyTechnologyFeaturesandUsesPlatformSpecificsPerformanceRoadmapandFutureDirectionSummaryPartnersNetFlowInfrastructureApplications:Router:CacheCreationDataExportAggregationCollector:CollectionFilteringAggregationStorageFileSystemManagementAccounting/BillingNetworkPlanningDataPresentationPartnersCisco&PartnersCiscoCiscoNetFlowPartnersCollectionTrafficAnalysisDenialofServiceFlow-ToolsBillingNetFlowOverviewVersionsPartnersCustomerApplicationsSolutionsbyTechnologyFeaturesandUsesPlatformSpecificsPerformanceRoadmapandFutureDirectionSummaryAgendaCustomerApplicationsGeneralEnterpriseServiceProviderGeneralNetFlowUsesAttackMitigationUser(IP)monitoringApplicationmonitoringBillingChargebackASPeerMonitoringTrafficEngineeringTrafficAnalysisApplicationsAttackMitigationUser(IP)monitoringApplicationmonitoringBillingChargebackASPeerMonitoringNetworkLayerAccessDistributionDistributionAccessCoreNetFlowFeaturesAggregationSchemes(v8)“showipcacheflow”commandArborNetworksNetFlowMPLSEgressAccountingBGPNext-hop(v9)MulticastNetFlow(v9)MPLSAwareNetFlow(v9)BGPNext-hop(v9)SampledNetFlowNetFlowMPLSEgressAccountingBGPNext-hop(v9)MulticastNetFlow(v9)AggregationSchemes(v8)“showipcacheflow”commandArborNetworksBillingFlat-ratebillingdoesnotnecessarilyscaleCompetitivepricingmodelscanbecreatedwithusage-basedbillingUsage-basedbillingconsiderationsTimeofdayWithinoroutsideofthenetworkApplicationDistance-basedQualityofService(QoS)/ClassofService(CoS)BandwidthusageTransitorpeerDatatransferredTrafficclassTrackingUsersWhoaremytopNtalkers,andwhatpercentageoftrafficdotheyrepresent?Howmanyusersareonthenetworkatagiventime?Whenwillupgradesaffecttheleastnumberofusers?Howlongdousersspendconnectedtothenetwork?WhereInternetsitesdotheyuse?Whatisatypicalpatternofusagebetweensites?Areusersstayingwithinanacceptableusage

policy(AUP)?AlarmDOSattackslikesmurf,fraggle,andSYNfloodWillwatchfortheseattack,regardlessofsource/destinationPrincipleNetflowBenefitsServiceProviderEnterpriseInternetaccessmonitoring(protocoldistribution,wheretrafficisgoing/coming)UserMonitoringApplicationMonitoringChargeBackbillingfordepartmentsSecurityMonitoringPeeringarrangementsNetworkPlanningTrafficEngineeringAccountingandbillingSecurityMonitoringCurrentMarketCurrenteconomicsituationhassparkedinterestintheServiceProviderandEnterprisemarketsKeyareasofapplicationTrafficEngineering–50%UsagedBasedBilling/Chargeback–30%DoS–rapidlyemergingFeatureacceleration

ImprovedACLperformanceGeneralEnterpriseServiceProviderNetFlowOverviewVersionsPartnersCustomerApplicationsEnterpriseAgendaNetFlow–ChargeBackBillingR&DHRFinanceAccountpernetwork(ratherthatperIPaddresses)InternetExample:chargethedepartmentforthecostoftheInternetlinkGeneralEnterpriseServiceProviderNetFlowOverviewVersionsPartnersCustomerApplicationsServiceProviderAgendaNetFlow–PeeringAgreementAccountperBGPAS,toReviewPeeringAgreementsISPPublicRouters1,2,3MonthofSeptember—OutboundTrafficNetFlow–PeeringAgreement20%32%4%6%8%8%10%1%1%1%1%1%1%2%1%1%1%AgendaMPLSAutonomousSystemMulticastBGPNext-hopAttackMitigation–DenialofServiceLayer2TechnologiesQualityofServiceMPLSNetFlowOverviewVersionsPartnersCustomerApplicationsSolutionsbyTechnologyMPLSAwareNetFlow(v9)IPFieldsSourceanddestinationIPaddressInputandoutputsub-interfacesTransportlayerprotocolSourceanddestinationapplicationportnumbers8bitIPTypeofService(ToS)TCPFlags(accumulationfromallpacketsintheflow)MPLSFieldsUptothreeincomingMPLSlabelswithexperimental(EXP)bitsandend-of-stack(S)bitPositionofeachofthethreelabelsTypeofthetoplabelIPaddressassociatedwiththetoplabelTraditionalNetFlowFieldsNumberofpacketsNumberofbytes(counteitherIPorMPLSheader/payload)Time-stampsoffirstandlastpacketsintheflowMPLSTraditionalNetFlow

forIPtoMPLStrafficPEPPEEgressMPLSNetFlowAccountingIPinformationonlyIdealforbillingCurrentavailability:CiscoIOSSoftwareReleases12.0(10)STand12.1(5)T

MPLSAwareNetFlow(version9)ExportsuptothreeMPLSlabels,andIPpacketinformationIdealforTrafficEngineeringWillbeavailableinCiscoIOSSoftwareReleases12.0(24)S,12.2S,and12.3TrafficFlowIPIPEgressMPLSNetFlowAccountingforMPLStoIPtrafficMPLSAwareNetFlow

(version9)MPLSAgendaNetFlowOverviewVersionsPartnersCustomerApplicationsSolutionsbyTechnologyMPLSAutonomousSystemMulticastBGPNext-hopAttackMitigation–DenialofServiceLayer2TechnologiesQualityofServiceAutonomousSystemAutonomousSystem3600-4(config)#ipflow-exportversion5?origin-asrecordoriginASpeer-asrecordpeerAS<cr>3600-4(config)#Origin-ASSpecifiesthatexportstatisticsincludetheoriginautonomoussystem(AS)forthesourceanddestinationPeer-ASSpecifiesthatexportstatisticsincludethepeerASforthesourceanddestinationNote–thisconfigurationcommandisoptionalAutonomousSystemAS101ConfiguringPeer-ASSourceAS=AS103DestinationAS=AS105NetFlowenabledAS103AS104AS105AS106ConfiguringOrigin-ASSourceAS=AS101DestinationAS=AS106AS102AgendaNetFlowOverviewVersionsPartnersCustomerApplicationsSolutionsbyTechnologyMPLSAutonomousSystemMulticastBGPNext-hopAttackMitigation–DenialofServiceLayer2TechnologiesQualityofServiceMulticastMulticastNetFlowThreetypesofNetFlowimplementationsforMulticasttraffic:TraditionalNetFlowMulticastNetFlowIngressMulticastNetFlowEgressMulticast–TraditionalNetFlowEth0Eth3Eth1Eth2InterfaceEthernet0 iproute-cacheflowipflow-exportversion9ipflow-exportdestination9995NetFlowCollectorserverTraditionalNetFlowconfiguration(S,G)-(,00)FlowRecordCreatedinNetFlowCacheThereisonlyoneflowperNetFlowconfiguredinputinterfaceThe7KeyfieldsthatdefineauniqueflowaremarkedinredDestinationinterfaceismarkedas“Null”BytesandPacketsaretheincomingvaluesMulticastNetFlowIngressInterfaceEthernet0 ipmulticastnetflowingressipflow-exportversion9ipflow-exportdestination9995MulticastNetFlowIngressconfigurationFlowRecordCreatedinNetFlowCacheThereisonlyoneflowperNetFlowconfiguredinputinterfaceThe7KeyfieldsthatdefineauniqueflowaremarkedinredDestinationinterfaceismarkedas“Null”BytesandPacketsaretheoutgoingvaluesEth0Eth3Eth1Eth2NetFlowCollectorserver(S,G)-(,00)MulticastNetFlowEgressInterfaceEthernet1 ipmulticastnetflowegressInterfaceEthernet2 ipmulticastnetflowegressInterfaceEthernet3 ipmulticastnetflowegressipflow-exportversion9ipflow-exportdestination9995MulticastNetFlowEgressconfigurationFlowRecordsCreatedinNetFlowCacheThereisoneflowperMulticastNetFlowEgressconfiguredoutputinterfaceOneofthe7KeyfieldsthatdefineauniqueflowhaschangedfromSourceInterfacetoDestinationInterfaceBytesandPacketsaretheoutgoingvaluesEth0Eth3Eth1Eth2NetFlowCollectorserver(S,G)-(,00)MulticastNetFlow–RPFFailuresFlowisblockedbecauseithasthesamekeyfieldsasanotherflow;however,itiscomingfromthewrongphysicalinterfaceCanbecountedusingMulticastNetFlowEgressifconfigured“ipmulticastnetflowrpf-failure”globallyOnceconfigured,therewillbeanewfieldintheNetFlowcachecalled“RPFFail”tocountflowsthatfailandhowmanytimesMulticastNetFlow–SummarySupportedviaNetFlowversion9exportformatAvailabilityCiscoIOSSoftwareReleases12.0(27)S,12.2S,and12.3Cisco2500,2600,3600,7200,and7500SeriesRoutersCisco12000SeriesInternetRouterPerformance:Ingressvs.EgressMulticastNetFlowIngressandtraditionalNetFlowwillhavesimilarperformancenumbersMulticastNetFlowEgresswillhaveperformanceimpactthatisproportionaltothenumberofinterfacesonwhichitisenabled(includeinputinterface)CiscoCatalyst6000and7600SeriesSwitchesDonotcurrentlysupportthetrackingofmulticasttrafficviaNetFlowduetocurrentASIClimitationWillhavethissupportinafutureSupervisorAgendaNetFlowOverviewVersionsPartnersCustomerApplicationsSolutionsbyTec