NetFlow Switching and Its Application in Network Management

Source: Internet
Author: User

The deployment and use of the Internet and intranets are growing rapidly, bringing a significant change in how enterprises and consumers compute. The market has created a demand for traffic statistics and management technology that can effectively provide the information needed to record the utilization of network and application resources. In response, Cisco Systems introduced a new switching technology, NetFlow switching, into its IOS switching architecture. Building on VLAN (virtual LAN) technology, NetFlow switching provides switching and routing functions on the same platform.

The NetFlow service on Cisco routing and switching platforms provides network flow statistics built into the fast, optimum and CEF switching paths. It turns the flows already passing through the network into useful data, delivering detailed flow statistics while minimizing the impact on router and switch performance. In particular, as part of its switching function, it gives enterprises the information needed for network capacity planning, trend analysis and data prioritization; these statistics cover users, protocols, ports and types of service. NetFlow switches can be deployed anywhere in the network as an extension of the existing routing infrastructure. NetFlow also processes access lists efficiently to implement packet filtering and security services. NetFlow data can serve many purposes, such as network management and planning, corporate finance, usage-based billing, data warehousing and data collection for marketing.

I. NetFlow Switching and Its Features

NetFlow switching performs high-performance switching at the network layer. It provides an efficient mechanism for handling security access lists, so it does not pay the high performance cost that other switching methods incur for the same task. NetFlow switching identifies traffic flows between hosts and switches the packets of a flow while applying the related services. In traditional switching, each incoming packet is processed independently: for every packet the router performs a series of separate lookups, checks the access list, collects accounting data, switches the packet and then forwards it to its destination. These lookups include determining whether security access filtering applies and updating network statistics and accounting records. In NetFlow switching, the lookup process is performed only for the first packet of a flow. Once a flow has been identified and its related services determined, all subsequent packets are processed as part of that flow in a connection-oriented fashion, which bypasses the access-list check, switches the packets and collects statistics in turn.

NetFlow switching builds a flow cache that holds the information needed to switch every active flow and to check the access list. The first packet of a flow is processed over the standard fast-switching path, which populates the NetFlow cache so that each flow is associated with an incoming interface port number, an outgoing interface port number, and a specific security access permission and encryption policy. The cache also holds entries for flow statistics, which are updated continuously as packets are switched. Once a NetFlow cache entry exists, packets that match an existing flow can be switched from the cached information, bypassing the security access-list check. The cache retains this information for every active flow.

NetFlow switches a packet by carrying out the tasks that service it one after another, in order. This pipelined way of processing packets strengthens network services and improves the performance of Cisco IOS security, quality of service (QoS) and network traffic accounting features. At the same time, NetFlow switching provides more effective services on a per-user and per-application basis, treating each as a session.

II. NetFlow Data Format

NetFlow exports its information as UDP datagrams in one of two formats: 1) version 1, the original format; 2) version 5, a later enhanced format that adds Border Gateway Protocol (BGP) autonomous system (AS) information and a flow sequence number.

In both version 1 and version 5, a datagram consists of one header followed by one or more flow records. Whichever format arrives, the receiver generally allocates a buffer large enough to hold the largest possible datagram and uses the version field in the header to determine how to interpret the datagram. The second field in the header is the number of records in the datagram, which can be used to index the records.

Because NetFlow export sends its datagrams over UDP, data may be lost. To allow the receiver to detect lost flow export information, the version 5 header contains a flow sequence number, which equals the previous sequence number plus the number of flows in the previous datagram. When a new datagram arrives, the receiving program can subtract the expected sequence number from the sequence number in the header to obtain the number of lost flows.

III. Configuring NetFlow Switching

Within a router, NetFlow switching consists of identifying packet flows, switching them and processing the access list. It involves no connection-setup protocol between routers, nor with any other network device or end station, and it requires no external change to the packets themselves or to any other network device. NetFlow switching is therefore completely transparent to the existing network, including end stations, application software and network devices such as LAN switches. Moreover, because NetFlow switching runs independently on each internetworking device, it need not be enabled on every router in the network: planners can selectively enable NetFlow switching and NetFlow data export on a per-router or per-interface basis, so that flows are switched, controlled and recorded at the chosen points in the network.

When NetFlow is configured on an interface, that interface no longer uses other switching modes. To enable NetFlow switching for IP routing, use the following command in interface configuration mode:

ip route-cache flow

The no form of this command disables NetFlow switching:

no ip route-cache flow

The default size of the NetFlow cache is usually adequate, but the network administrator can increase or decrease the number of entries it holds to suit the rate of flows. The system default is 64KB, and each cache entry occupies about 64B of storage. To customize the number of entries in the NetFlow cache, use the following command in global configuration mode:

ip flow-cache entries number

number is the number of cache entries, in the range 1024 to 524288. The default is 65536.

Some Cisco routers have a Route/Switch Processor (RSP) and VIP (Versatile Interface Processor) controllers. A VIP can be configured so that it switches the packets it receives without involving the RSP for each packet. This is called distributed switching, and it reduces the load on the RSP. The VIP hardware can be configured to perform NetFlow switching.

To configure distributed switching on a VIP, first configure the router for IP routing according to the protocol in use, then use the following commands, starting in global configuration mode, to configure IP distributed switching and NetFlow switching:

interface type slot/port-adapter/port ; selects the interface and enters interface configuration mode

ip route-cache distributed ; enables VIP distributed switching of IP packets on this interface

ip route-cache flow ; enables flow switching

When the RSP or a VIP switches flows, it switches IP packets using the flow cache rather than the destination-network cache. The flow cache distinguishes entries by source and destination network address, protocol and port number.

IV. Managing and Using NetFlow Switching Statistics

NetFlow switching also yields a wealth of statistics, including the distribution of IP packet sizes, the flow-switching cache information, and per-flow information such as the protocol, the total number of flows and the number of flows per second. This information helps the network administrator analyze how the router is performing. To manage NetFlow switching statistics, use the show ip cache flow command in privileged EXEC mode to display a summary of NetFlow switching statistics, which lets administrators understand current network traffic and the flows generated by various applications. The following figure shows sample output of this command. IP packet size distribution gives the percentage of packets in each size range; for example, .554 indicates that 55.4% of the packets fall in the 33- size range. The figures that follow describe NetFlow cache usage, and the two tables below them detail packets per protocol and statistics for the current flows.

The information collected by NetFlow switching can also be exported to a network management application. To export the NetFlow statistics held in the cache to a workstation when a flow expires, use the following command in global configuration mode:

ip flow-export ip-address udp-port version 5 [origin-as | peer-as]

With version 5, this command configures the router to export NetFlow cache entries to the workstation. You can specify either the origin AS or the peer AS; by default neither is exported, which improves performance. To ensure that data comes from a valid NetFlow source, Cisco recommends that the receiving program check each datagram: first check that the datagram is large enough to contain at least the version and count fields; then confirm that the version is a valid 1 or 5, and that the number of bytes received is sufficient for the header plus count flow records. NetFlow thus provides a broad set of functions for enterprise network management and analysis. It gives administrators a basis for planning the network structure sensibly, balancing network load and optimizing network performance, provides ISPs with a basis for billing, helps diagnose intrusions and discover network attacks, and helps enterprises collect data.
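As an added example (not from the original article), here is a small receiver-side decoder for the version 5 export format described in section II, applying the datagram checks recommended above and the sequence-number gap calculation; the datagram bytes are constructed here, and the record field names are assumed from the v5 layout.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 header (24 bytes) and flow record (48 bytes); all fields big-endian.
V5_HDR = struct.Struct("!HHIIIIBBH")
V5_REC = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
V1_HDR_LEN = 16  # v1 header: version, count, uptime, unix secs, unix nsecs

def check_datagram(buf):
    """The receiver-side checks the article recommends: room for version and
    count, version 1 or 5, and room for the header plus 'count' 48-byte records."""
    if len(buf) < 4:
        raise ValueError("too short for version and count fields")
    version, count = struct.unpack_from("!HH", buf, 0)
    if version not in (1, 5):
        raise ValueError("unsupported NetFlow version %d" % version)
    hdr_len = V1_HDR_LEN if version == 1 else V5_HDR.size
    if len(buf) < hdr_len + count * V5_REC.size:
        raise ValueError("datagram shorter than header plus %d records" % count)
    return version, count

def parse_v5(buf):
    """Return (flow_sequence, records) for a validated version 5 datagram."""
    version, count = check_datagram(buf)
    if version != 5:
        raise ValueError("only version 5 records are decoded here")
    flow_seq = V5_HDR.unpack_from(buf, 0)[5]
    records = []
    for i in range(count):
        r = V5_REC.unpack_from(buf, V5_HDR.size + i * V5_REC.size)
        records.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                        "pkts": r[5], "bytes": r[6], "sport": r[9], "dport": r[10],
                        "proto": r[13], "src_as": r[15], "dst_as": r[16]})
    return flow_seq, records

def lost_flows(expected_seq, flow_seq):
    """Gap between expected and received sequence numbers = flows lost in between (mod 2^32)."""
    return (flow_seq - expected_seq) & 0xFFFFFFFF

def _record(src, dst, pkts, octets, sport, dport, proto):  # constructed sample record
    return V5_REC.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0, 1, 2, pkts, octets,
                       1000, 2000, sport, dport, 0, 0x18, proto, 0, 64512, 64513, 24, 24, 0)

# Constructed sample: two datagrams from one exporter; sequence 100 + 2 records means
# the next datagram should carry sequence 102, but 105 arrives, so 3 flows were lost.
DATAGRAM_1 = (V5_HDR.pack(5, 2, 5000, 1700000000, 0, 100, 0, 0, 0)
              + _record("10.0.0.1", "10.0.1.1", 10, 1500, 40000, 443, 6)
              + _record("10.0.0.2", "10.0.1.1", 3, 300, 40001, 53, 17))
DATAGRAM_2 = (V5_HDR.pack(5, 1, 6000, 1700000001, 0, 105, 0, 0, 0)
              + _record("10.0.0.3", "10.0.1.2", 1, 64, 40002, 22, 6))
```

A collector would feed each received UDP payload through check_datagram before parse_v5, and track the next expected sequence as flow_seq plus the record count of the datagram just parsed.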
