Cisco NetFlow deployment notes
1. Test environment
1.1 Hardware: one 6509 switch and one 3745 router.
  IOS (tm) c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(22)E6, RELEASE SOFTWARE (fc1)
  System image file is "disk0:c6sup22-js-mz.121-22.E6.bin"
  IOS (tm) 3700 Software (C3745-IS-M), Version 12.2(13)T5, RELEASE SOFTWARE (fc1)
  System image file is "flash:c3745-is-mz.122-13.T5.bin"
1.2 Software: SolarWinds NetFlow Traffic Analysis 3.0, ManageEngine_NetFlowAnalyzer_7002
2. Hardware configuration
2.1 NetFlow configuration document.
2.2 6509 configuration
  mls netflow
  mls flow ip destination-source
  mls nde sender version 5                         (our device only offers version 5)
  ip flow-export source Loopback0                  (if a Loopback0 exists; another interface can also be used)
  ip flow-export version 5
  ip flow-export destination 192.168.4.165 2055    (2055 is SolarWinds' NetFlow port; 9996 is ManageEngine's port; both are UDP)
That completes the configuration. The result is displayed with the following command:
  CAT6509_1#show mls nde
  Netflow Data Export enabled
  Exporting flows to 192.168.4.165 (2055)
  Exporting flows from 218.30.64.33 (57965)
  Version: 5
  Include Filter not configured
  Exclude Filter not configured
  Total Netflow Data Export Packets are:
      612381 packets, 0 no packets, 16537978 records
  Total Netflow Data Export Send Errors:
  IPWRITE_NO_FIB = 0
  IPWRITE_ADJ_FAILED = 0
  IPWRITE_PROCESS = 0
  IPWRITE_ENQUEUE_FAILED = 0
  IPWRITE_IPC_FAILED = 0
  IPWRITE_MTU_FAILED = 0
  IPWRITE_ENCAPFIX_FAILED = 0
Then configure the interfaces whose traffic is to be analyzed.
Network traffic analysis: parsing the NetFlow protocol
Network traffic analysis plays an important role in network security and performance monitoring.
NetFlow, one of the key tools for traffic analysis, is widely used in network management.
This article parses the NetFlow protocol in detail and introduces its principles, functions and applications.
1. NetFlow overview
NetFlow is a network traffic analysis technology introduced by Cisco in 1996.
It provides traffic statistics, traffic analysis and traffic monitoring.
By collecting, processing and exporting flow data on routers and switches, NetFlow gives network administrators real-time traffic information and a basis for assessing network performance.
2. How NetFlow works
NetFlow works in three stages: data collection, data processing and data export.
1. Data collection: routers and switches in the network are configured to collect data about the traffic passing through them.
NetFlow supports two collection modes: Full Flow and Sampled Flow.
Full Flow collects every packet for processing; Sampled Flow samples traffic at a configured rate, which reduces processing overhead.
2. Data processing: the collected traffic data passes through the device's internal processing engine.
The engine extracts key information such as source IP address, destination IP address, source port, destination port and protocol type, and generates flow records from it.
3. Data export: the processed flow records are exported according to configured rules.
There are two export formats: NetFlow v5 and NetFlow v9.
NetFlow v5 is the earlier version and is widely compatible; NetFlow v9 is the latest version, supports more fields, and offers flexible configuration.
3. NetFlow functions
NetFlow's main functions are:
1. Traffic statistics: NetFlow gathers real-time traffic statistics, including traffic volume, bandwidth utilization and traffic peaks.
These statistics help network administrators understand the network's load and support capacity planning and performance optimization.
2. Traffic analysis: by analyzing the collected flow data, NetFlow helps administrators detect anomalies and potential security threats in the network.
[Repost] NetFlow configuration
Enabling NetFlow on an interface: the command differs by IOS version.
  IOS prior to releases 12.2(14)S, 12.0(22)S, or 12.2(15)T:      ip route-cache flow
  Cisco IOS release 12.2(14)S, 12.0(22)S, 12.2(15)T, or later:    ip flow {ingress | egress}
Enabling NetFlow on an interface: the command also differs between a main interface and a subinterface.
  Enabling NetFlow on an Interface        Enabling NetFlow on a Subinterface
  interface fe 0/1                        interface fe 0/1.1
  ip route-cache flow                     ip flow ingress
Flow collection must be enabled on a routed interface, i.e. on an interface that has an IP address.
Enabling flow collection on an interface without an IP address is equivalent to enabling it on all of its subinterfaces. If you enable NetFlow on an interface that contains subinterfaces, all the subinterfaces will be enabled automatically.
  interface GigabitEthernet0/1/0
   no ip address
   ip route-cache flow sampled input
  interface GigabitEthernet0/1/0.2
   encapsulation dot1Q 2
   ip address 122.64.0.145 255.255.255.252
  !
  interface GigabitEthernet0/1/0.996
   encapsulation dot1Q 996
   ip address 122.64.0.185 255.255.255.252
Enabling NetFlow on a PPPoE interface: it must be configured on the Layer 3 (routed) interface, i.e. on the virtual interface.
  interface GigabitEthernet2/0/0.10
   encapsulation dot1Q 10
   ip flow egress
   pppoe enable
  ! It cannot be configured on the physical interface; it must go on the Virtual-Template (Layer 3) interface:
  interface Virtual-Template 1
   ip unnumbered ethernet 0
   encapsulation ppp
   ip flow egress
V5 and V9 support for ingress and egress flow collection
  - With both V5 and V9, ip route-cache flow never collects egress flows:
    ip flow-export version 9 peer-as bgp-nexthop
    interface FastEthernet2/0
     ip address 10.193.193.21 255.255.255.0
     ip route-cache flow
  - With V9, ip flow ingress/egress does collect egress flows.
  - With V5, ip flow ingress/egress uses bytes 46 and 47 (pad2) to carry the flow direction, so egress flows can be supported:
    ip flow-export version 5 peer-as bgp-nexthop
    interface FastEthernet2/0
     ip address 10.193.193.21 255.255.255.0
     ip flow ingress
     ip flow egress
Some routers do not support egress flow collection at all, regardless of v5 or v9:
  3800-2(config)#ip flow-export version 9 peer-as bgp-nexthop
  3800-2(config)#int e0/0.2
  3800-2(config-subif)#ip flow ?
    ingress  Enable inbound NetFlow
Purpose of ip flow-export source loopback0
  With redundant links, exports carrying several source addresses end up as several devices on the flow analyzer. source loopback0 makes every link show the same source, which avoids multiple NDE (export router) devices appearing.
Requirements on ip flow-export source
  The source must be reachable; otherwise the flow analyzer reports an error or discards the received flow exports. The source cannot be set arbitrarily: it must be reachable. An unreachable source mostly arises when the export crosses a NAT firewall.
Solutions: 1.
Configuring NetFlow
Release 12.1
January 8, 2001
This chapter describes how to configure NetFlow in Cisco IOS Release 12.1 and Release 12.0S. For a complete description of NetFlow commands used in this chapter, refer to the Cisco IOS Switching Services Command Reference. For documentation on other commands that appear in this chapter, you can use the command reference master index or search online.
NetFlow Implementation
With NetFlow, you can export data (traffic statistics) to a remote workstation for processing.
NetFlow does not involve any connection-setup protocol either between routers or to any other networking device or end station and does not require any change externally, either to the traffic or packets themselves or to any other networking device. Thus, NetFlow is completely transparent to the existing network, including end stations and application software and network devices like LAN switches. Also, because NetFlow is performed independently on each internetworking device, it does not need to be operational on each router in the network. Network planners can selectively invoke NetFlow (and NetFlow data export) on a router or interface basis to gain traffic performance, control, or accounting benefits in specific network locations.
Note: NetFlow does consume additional memory and CPU resources; therefore, it is important to understand the resources required on your router before enabling NetFlow.
NetFlow Configuration Task List
To configure NetFlow, complete the tasks in the following sections. At a minimum, you must enable NetFlow.
The remaining tasks are optional.
• Enabling NetFlow (Required)
• Exporting NetFlow Statistics (Optional)
• Customizing the Number of Entries in the NetFlow Cache (Optional)
• Managing NetFlow Statistics (Optional)
• Configuring IP Distributed Switching and NetFlow on VIP Interfaces (Optional)
• Configuring an Aggregation Cache (Optional)
• Configuring NetFlow Policy Routing (Optional)
Enabling NetFlow
To enable NetFlow, first configure the router for IP routing as described in the IP configuration chapters in the Cisco IOS IP and IP Routing Configuration Guide. After you configure IP routing, use the following commands beginning in global configuration mode:
  Step 1  interface type slot/port-adapter/port (Cisco 7500 series routers)
          interface type slot/port (Cisco 7200 series routers)
          Specifies the interface, and enters interface configuration mode.
  Step 2  ip route-cache flow
          Enables NetFlow.
Exporting NetFlow Statistics
NetFlow information can also be exported to network management applications. To configure the router to export NetFlow statistics maintained in the NetFlow cache to a workstation when a flow expires, use one of the following commands in global configuration mode:
  ip flow-export ip-address udp-port [version 1]
          Configures the router to export NetFlow cache entries to a workstation if you are using receiving software that requires version 1. Version 1 is the default.
  ip flow-export ip-address udp-port version 5 [origin-as | peer-as]
          Configures the router to export NetFlow cache entries to a workstation if you are using receiving software that accepts version 5. Optionally specify origin or peer autonomous system (AS). The default is to export neither AS, which provides improved performance.
Customizing the Number of Entries in the NetFlow Cache
Normally the size of the NetFlow cache will meet your needs. However, you can increase or decrease the number of entries maintained in the cache to meet the needs of your NetFlow traffic rates. The default is 64K flow cache entries. Each cache entry is approximately 64 bytes of storage. Assuming a cache with the default number of entries, approximately 4 MB of DRAM would be required. Each time a new flow is taken from the free-flow queue, the number of free flows is checked. If there are only a few free flows remaining, NetFlow attempts to age 30 flows using an accelerated timeout. If there is only one free flow remaining, NetFlow automatically ages 30 flows regardless of their age. The intent is to ensure free flow entries are always available.
To customize the number of entries in the NetFlow cache, use the following command in global configuration mode:
  ip flow-cache entries number
          Changes the number of entries maintained in the NetFlow cache. The number of entries can be 1024 to 524288. The default is 65536.
Caution: We recommend that you not change the NetFlow cache entries. Improper use of this feature could cause network problems.
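The cache behaviour just described (an entry limit, an active and an inactive timeout, accelerated aging of 30 flows when few free entries remain, forced aging when only one is left, and roughly 64 bytes per entry) is easier to reason about as a small model. The following Python is an added example, not code from the Cisco document or from IOS: the entry limit, the 64-byte estimate and the batch of 30 come from the text, while the low-water mark of 3, the tiny cache of 8 entries, the timeouts and all flow keys in the sample scenario are constructed values.

```python
"""Model of a NetFlow main cache: entry limit, active/inactive timeouts, accelerated aging."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Seven-field flow key: src IP, dst IP, src port, dst port, protocol, ToS, input interface.
FlowKey = Tuple[str, str, int, int, int, int, int]

ENTRY_BYTES = 64  # approximate storage per cache entry, per the text


def cache_memory_bytes(entries: int = 65536) -> int:
    """DRAM needed for the cache: 65536 entries * 64 bytes is about 4 MB."""
    return entries * ENTRY_BYTES


@dataclass
class Entry:
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0


class FlowCache:
    def __init__(self, max_entries: int = 65536, active_timeout_s: float = 30 * 60,
                 inactive_timeout_s: float = 15, accelerated_inactive_s: float = 2,
                 low_water: int = 32, age_batch: int = 30):
        self.max_entries = max_entries
        self.active_timeout_s = active_timeout_s              # long-lived flows are exported anyway after this
        self.inactive_timeout_s = inactive_timeout_s          # idle flows are exported after this
        self.accelerated_inactive_s = accelerated_inactive_s  # shorter idle limit used under pressure (assumed value)
        self.low_water = low_water                            # "only a few free flows remaining" (assumed threshold)
        self.age_batch = age_batch                            # the text says 30 flows are aged at a time
        self.entries: Dict[FlowKey, Entry] = {}
        self.exported: List[Tuple[FlowKey, str, int, int]] = []  # (key, reason, packets, bytes)
        self.dropped = 0

    def free_entries(self) -> int:
        return self.max_entries - len(self.entries)

    def _export(self, key: FlowKey, reason: str) -> None:
        e = self.entries.pop(key)
        self.exported.append((key, reason, e.packets, e.bytes))

    def expire(self, now: float) -> None:
        """Normal aging: export idle flows and flows that have been active too long."""
        for key, e in list(self.entries.items()):
            if now - e.last_seen >= self.inactive_timeout_s:
                self._export(key, "inactive")
            elif now - e.first_seen >= self.active_timeout_s:
                self._export(key, "active")

    def _accelerated_age(self, now: float) -> None:
        """Under pressure, age up to age_batch least-recently-seen flows using the short
        timeout; with only one free entry left, age them regardless of their age."""
        force = self.free_entries() <= 1
        oldest = sorted(self.entries.items(), key=lambda kv: kv[1].last_seen)
        for key, e in oldest[: self.age_batch]:
            if force or now - e.last_seen >= self.accelerated_inactive_s:
                self._export(key, "accelerated")

    def update(self, key: FlowKey, size: int, now: float) -> bool:
        """Account one packet; returns False if the cache was full and the packet went unaccounted."""
        self.expire(now)
        entry = self.entries.get(key)
        if entry is None:
            if self.free_entries() <= self.low_water:
                self._accelerated_age(now)
            if self.free_entries() == 0:
                self.dropped += 1
                return False
            entry = self.entries[key] = Entry(first_seen=now, last_seen=now)
        entry.last_seen = now
        entry.packets += 1
        entry.bytes += size
        return True


def demo_scenario() -> FlowCache:
    """Constructed traffic against a tiny cache so every aging path is easy to follow."""
    cache = FlowCache(max_entries=8, active_timeout_s=60, inactive_timeout_s=15,
                      accelerated_inactive_s=2, low_water=3)

    def key(i: int) -> FlowKey:
        return (f"10.0.0.{i}", "10.0.1.1", 1000 + i, 80, 6, 0, 1)

    for i in range(3):
        cache.update(key(i), 100, 0.0)        # three flows start at t=0
    for i in (3, 4):
        cache.update(key(i), 100, 4.0)        # two more at t=4: only 3 free entries left
    cache.update(key(5), 100, 5.0)            # pressure: flows idle for >= 2 s are aged out
    for t in (14.0, 24.0, 34.0, 44.0, 54.0, 64.0):
        cache.update(key(3), 100, t)          # one long-lived flow keeps sending every 10 s
    return cache


if __name__ == "__main__":
    for key, reason, packets, nbytes in demo_scenario().exported:
        print(reason, key[0], packets, nbytes)
```

Running the scenario shows the three paths in order: the three t=0 flows leave under accelerated aging as soon as the sixth flow arrives, the two idle flows leave on the 15 s inactive timeout, and the long-lived flow is exported once on the 60 s active timeout and then re-created, which is why a collector sees a busy connection as a series of records rather than one.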
To return to the default NetFlow cache entries, use the no ip flow-cache entries global configuration command.
Managing NetFlow Statistics
You can display and clear NetFlow statistics. NetFlow statistics consist of IP packet size distribution, IP NetFlow cache information, and flow information such as the protocol, total flow, flows per second, and so forth. The resulting information can be used to find out information about your router traffic. To manage NetFlow statistics, use either of the following commands in privileged EXEC mode:
  show ip cache flow
          Displays the NetFlow statistics.
  clear ip flow stats
          Clears the NetFlow statistics.
Configuring IP Distributed Switching and NetFlow on VIP Interfaces
On Cisco 7500 series routers with a Route Switch Processor (RSP) and with Versatile Interface Processor (VIP) controllers, the VIP hardware can be configured to switch packets received by the VIP with no per-packet intervention on the part of the RSP. This process is called distributed switching. Distributed switching decreases the demand on the RSP. The VIP hardware can also be configured for NetFlow, a new high-performance feature that caches information about the flow. NetFlow data can also be exported to network management applications. Refer to the Cisco Product Catalog for information about VIP port adapters used for distributed switching.
To configure distributed switching on the VIP, first configure the router for IP routing as described in this chapter and the various routing protocol chapters, depending on the protocols you use. After you configure IP routing, use the following commands beginning in global configuration mode:
  Step 1  interface type slot/port-adapter/port
          Specifies the interface, and enters interface configuration mode.
  Step 2  ip route-cache distributed
          Enables VIP distributed switching of IP packets on the interface.
  Step 3  ip route-cache flow
          Enables NetFlow.
When the RSP or VIP is using NetFlow, it uses a flow cache instead of a destination network cache to switch IP packets. The flow cache uses source and destination network address, protocol, and source and destination port numbers to distinguish entries.
To export NetFlow cache entries to a workstation when a flow expires, use the following command in global configuration mode:
  ip flow-export ip-address udp-port
          Configures the router to export NetFlow cache entries to a workstation.
Configuring an Aggregation Cache
To configure an aggregation cache, you must enter aggregation cache configuration mode, and you must decide which type of aggregation scheme you would like to configure: autonomous system, Destination Prefix, Prefix, Protocol Prefix, or Source Prefix aggregation cache. Once you define the aggregation scheme, define the operational parameters for that scheme.
  Step 1  Router(config)# ip flow-aggregation cache as
          Enters aggregation cache configuration mode and enables an aggregation cache scheme (as, destination-prefix, prefix, protocol-port, or source-prefix).
  Step 2  Router(config-flow-cache)# cache entries 2046
          Specifies the number (in this example, 2046) of cache entries to allocate for the autonomous system aggregation cache.
  Step 3  Router(config-flow-cache)# cache timeout inactive 199
          Specifies the number of seconds (in this example, 199) that an inactive entry is allowed to remain in the aggregation cache before it is deleted.
  Step 4  Router(config-flow-cache)# cache timeout active 45
          Specifies the number of minutes (in this example, 45) that an active entry is active.
  Step 5  Router(config-flow-cache)# export destination 10.42.41.1 9991
          Enables the data export.
  Step 6  Router(config-flow-cache)# enabled
          Enables the aggregation cache.
Verifying Aggregation Cache Configuration and Data Export
To verify the aggregation cache information, use the following command in EXEC mode:
  show ip cache flow aggregation
          Displays the aggregation cache information.
To confirm data export, use the following command in EXEC mode:
  show ip flow export
          Displays the statistics for the data export including the main cache and all other enabled caches.
Configuring NetFlow Policy Routing
As long as policy routing is configured, NetFlow policy routing is enabled by default and cannot be disabled. That is, NPR is the default policy routing mode. No configuration tasks are required to enable policy routing in conjunction with CEF, dCEF, or NetFlow.
As soon as one of these features is turned on, packets are automatically subject to policy routing in the appropriate switching path.
There is one new, optional configuration command (set ip next-hop verify-availability). This command has the following restrictions:
• It can cause some performance degradation.
• CDP must be configured on the interface.
• The direct next hop must be a Cisco device with CDP enabled.
• It is not available in dCEF, due to the dependency of the CDP neighbor database.
It is assumed that policy routing itself is already configured.
If the router is policy routing packets to the next hop and the next hop happens to be down, the router will try unsuccessfully to use Address Resolution Protocol (ARP) for the next hop (which is down). This behavior will continue forever. To prevent this situation, you can configure the router to first verify that the next hop(s) of the route map is the router's CDP neighbor(s) before routing to that next hop.
This task is optional because some media or encapsulations do not support CDP, or it may not be a Cisco device that is sending the router traffic.
To configure the router to verify that the next hop is a CDP neighbor before the router tries to policy route to it, use the following command in route-map configuration mode:
  set ip next-hop verify-availability
          Causes the router to confirm that the next hop(s) of the route map is a CDP neighbor(s) of the router.
If the command shown is set and the next hop is not a CDP neighbor, the router looks to the subsequent next hop, if there is one. If there is none, the packets simply are not policy routed. If the command shown is not set, the packets are either successfully policy routed or remain forever unrouted.
If you want to selectively verify availability of only some next hops, you can configure different route-map entries (under the same route-map name) with different criteria (using access list matching or packet size matching), and use the set ip next-hop verify-availability command selectively.
Monitoring NetFlow Policy Routing
Typically, you would use existing policy routing and NetFlow show commands to monitor these features. For more information on these show commands, refer to the policy routing and NetFlow documentation.
To display the route map Inter Processor Communication (IPC) message statistics in the RP or VIP, use the following command in EXEC mode:
  show route-map ipc
          Displays the route map IPC message statistics in the RP or VIP.
NetFlow Configuration Examples
This section provides the following basic configuration examples:
• NetFlow Configuration Example
• NetFlow Aggregation Configuration Examples
• NetFlow Policy Routing Example
NetFlow Configuration Example
The following example shows how to modify the configuration of serial interface 3/0/0 to enable NetFlow and to export the flow statistics for further processing to UDP port 0 on a workstation with the IP address of 1.1.15.1.
In this example, existing NetFlow statistics are cleared to ensure accurate information when the show ip cache flow command is executed to view a summary of the NetFlow statistics.
  configure terminal
  interface serial 3/0/0
  ip route-cache flow
  exit
  ip flow-export 1.1.15.1 0 version 5 peer-as
  exit
  clear ip flow stats
NetFlow Aggregation Configuration Examples
This section provides the following aggregation cache configuration examples:
• Autonomous System Configuration Example
• Destination Prefix Configuration Example
• Prefix Configuration Example
• Protocol Port Configuration Example
• Source Prefix Configuration Example
Autonomous System Configuration Example
The following example shows how to configure an autonomous system aggregation cache with a cache size of 2046, an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.1, and a destination port of 9992.
  Router(config)# ip flow-aggregation cache as
  Router(config-flow-cache)# cache entries 2046
  Router(config-flow-cache)# cache timeout inactive 200
  Router(config-flow-cache)# cache timeout active 45
  Router(config-flow-cache)# export destination 10.42.42.1 9992
  Router(config-flow-cache)# enabled
Destination Prefix Configuration Example
The following example shows how to configure a Destination Prefix aggregation cache with a cache size of 2046, an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.1, and a destination port of 9992.
  Router(config)# ip flow-aggregation cache destination-prefix
  Router(config-flow-cache)# cache entries 2046
  Router(config-flow-cache)# cache timeout inactive 200
  Router(config-flow-cache)# cache timeout active 45
  Router(config-flow-cache)# export destination 10.42.42.1 9992
  Router(config-flow-cache)# enabled
Prefix Configuration Example
The following example shows how to configure a Prefix aggregation cache with a cache size of 2046, an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.1, and a destination port of 9992.
  Router(config)# ip flow-aggregation cache prefix
  Router(config-flow-cache)# cache entries 2046
  Router(config-flow-cache)# cache timeout inactive 200
  Router(config-flow-cache)# cache timeout active 45
  Router(config-flow-cache)# export destination 10.42.42.1 9992
  Router(config-flow-cache)# enabled
Protocol Port Configuration Example
The following example shows how to configure a Protocol Port aggregation cache with a cache size of 2046, an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.1, and a destination port of 9992.
  Router(config)# ip flow-aggregation cache protocol-port
  Router(config-flow-cache)# cache entries 2046
  Router(config-flow-cache)# cache timeout inactive 200
  Router(config-flow-cache)# cache timeout active 45
  Router(config-flow-cache)# export destination 10.42.42.1 9992
  Router(config-flow-cache)# enabled
Source Prefix Configuration Example
The following example shows how to configure a Source Prefix aggregation cache with a cache size of 2046, an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.1, and a destination port of 9992.
  Router(config)# ip flow-aggregation cache source-prefix
  Router(config-flow-cache)# cache entries 2046
  Router(config-flow-cache)# cache timeout inactive 200
  Router(config-flow-cache)# cache timeout active 45
  Router(config-flow-cache)# export destination 10.42.42.1 9992
  Router(config-flow-cache)# enabled
NetFlow Policy Routing Example
The following example configures CEF and NetFlow. It also configures policy routing to verify that next hop 50.0.0.8 of route map test is a CDP neighbor before the router tries to policy route to it.
If the first packet is being policy routed via route map test sequence 10, the subsequent packets of the same flow always take the same route map test sequence 10, not route map test sequence 20, because they all match or pass access list 1 check.
  ip cef
  interface ethernet0/0/1
   ip route-cache flow
   ip policy route-map test
  route-map test permit 10
   match ip address 1
   set ip precedence priority
   set ip next-hop 50.0.0.8
   set ip next-hop verify-availability
  route-map test permit 20
   match ip address 101
   set interface Ethernet0/0/3
   set ip tos max-throughput
This document was published January 8, 2001. Last content update: January 7, 2004.
Configuring NetFlow on Cisco 6509/7609 switches
NetFlow configuration on 6500 and 7209 switches differs from that on routers. While developing our NetFlow application we found that field engineers had generally not configured it correctly, so no traffic came out.
The configuration is listed below; the CatOS configuration can follow it as well.
1. First check whether NetFlow is running at all:
  Switch# show mls nde
  Usually you see "Netflow Data Export disabled", which means NetFlow has not been started.
  See Cisco's "Configuring NetFlow Data Export" PDF: it is disabled by default.
2. Enable NetFlow:
  Switch(config)# mls netflow
3. Enable bidirectional flow collection:
  Switch(config)# mls flow ip destination-source
4. Enable the NDE sender and set the export version:
  Switch(config)# mls nde sender [version {5 | 7}]
  If you enter only mls nde sender, version 7 is enabled by default; for version 5 enter mls nde sender version 5. The versions currently configurable are 5 and 7, and both produce normal data in the web UI.
  On switches with Cisco IOS below 12.17, only version 7 is available.
5. Enter the VLAN interface and enable NetFlow on it (if a physical interface is Layer 3, enter the physical interface directly):
  Switch(config)# interface vlan 5
  Switch(config-if)# ip flow-export ingress
  Switch(config-if)# ip route-cache flow
6. Configure the NetFlow source. If no Loopback interface is configured, a physical interface can be used, but a Loopback is recommended:
  Switch(config)# ip flow-export source loopback 0
7. Verify:
  Switch# show mls nde      (you should see the output below, and specifically "Netflow Data Export enabled")
  Netflow Data Export enabled
  Exporting flows to 10.110.10.254 (9991)
  Exporting flows from 10.16.68.72 (55425)
  Version: 5
  Include Filter not configured
  Exclude Filter is:
  Total Netflow Data Export Packets are:
      49 packets, 0 no packets, 247 records
  Total Netflow Data Export Send Errors:
  IPWRITE_NO_FIB = 0
  IPWRITE_ADJ_FAILED = 0
  IPWRITE_PROCESS = 0
  Switch(config)# show mls netflow ip
  This shows a large amount of flow information scrolling past.
Cisco router flow debugging commands
Cisco-made routers, switches and other devices carry 80% of the world's Internet traffic, making Cisco a legend of Silicon Valley's new economy. Do you know the Cisco router flow debugging commands? The following reference material on them has been collected for you.
Cisco router flow debugging commands:
NetFlow verification
show ip flow interface
show ip flow export
show ip cache flow
show ip cache verbose flow
clear ip flow stats
debug ip flow export
show ip cache flow
show ip cache verbose flow
The only difference between show ip cache flow and show ip cache verbose flow is that the verbose output shows a few additional fields for each active flow:
clear ip flow stats: clears the NetFlow cache, so that the cumulative values in show ip cache flow are reset to 0
debug ip flow export
Router# debug ip flow export
IP Flow export mechanism debugging is on
*Mar 6 22:56:21.627:IPFLOW:Sending export pak to 2001::FFFE/64 port 9999
*Mar 6 22:56:21.627:IPFLOW:Error sending export packet:Adjacency failure
1. Flow monitoring technology
1.1 Overview
Limitations of traditional network traffic monitoring: SNMP collection of port counters is mainly used at the network-element layer to monitor traffic and device performance, and because SNMP data is per-port it cannot provide accurate end-to-end traffic information, so there is no clear way to produce flow-direction statistics.
Using RMON probes for traffic and flow-direction management on a carrier network partly compensates for SNMP's technical limitations, with stronger service and protocol analysis.
However, monitoring systems built on RMON probes are also limited by insufficient processing performance and by the difficulty of deploying them widely in a large network.
New flow monitoring technology: to overcome these limitations of existing management systems in analyzing traffic volume and direction, carriers urgently need a feature-rich, mature and stable new technology with which to rework and upgrade the way traffic information is collected and analyzed in the existing management systems.
The new collection and analysis technology should have little impact on the carrier's production network and allow a smooth upgrade without changing the topology; it should provide bandwidth utilization statistics for every link in the network as well as per-link analysis of the traffic volume and direction of different service types.
This article mainly introduces the widely used Cisco NetFlow, Huawei NetStream, sFlow, cflowd and IPFIX, and the vendors and devices that support these flow monitoring technologies.
1.2 Vendors and devices
2. NetFlow
2.1 Flow principles
NetFlow's unit of information is the flow.
A flow is a unidirectional stream of packets with a unique identifying tuple.
The basic identifiers are: source-IP-address, source-port, destination-IP-address, destination-port, IP-protocol, TOS, input interface ID.
When a router receives a packet that has no flow entry, a flow structure is initialized to hold its state, such as bytes exchanged, IP addresses, ports and autonomous systems.
All subsequent packets matching that flow structure increment its byte and packet counters, until the flow terminates and is exported.
NetFlow operates independently within a router; it involves no connection-setup protocol between routers and requires no external modification of the packets themselves or of any other network device.
The carrying capacity of an IP network and the scale of the application services it provides have always been mutually reinforcing: on one hand, building out the IP network gives new application technologies an effective platform for adoption; on the other, as application services grow they place greater resource demands on the existing IP network, pushing IP infrastructure into a new build-out cycle.
Within this chicken-and-egg loop, one question stands out unmistakably: how to map application services clearly and accurately onto the IP resources they consume (such as bandwidth), and how to ensure that limited IP resources are allocated sensibly to the main revenue-generating services.
Flow technology, represented by NetFlow, is a new approach that emerged in response to this challenge.
What is a Flow
Originally, Flow was a concept network equipment vendors introduced to speed up routing and forwarding inside network elements; the idea was to move the CPU-intensive software lookup of the routing table partly onto a hardware fast-forwarding module (such as Cisco's CEF mode).
In this mode, packets are grouped into particular sets according to several given characteristics; such a set is a Flow.
The first packet of each Flow, besides causing the Flow record to be created, also drives the element's Layer 3 module to perform a route lookup and store the result in the Flow record; subsequent packets of that Flow obtain their forwarding information directly from the existing record, which improves the element's forwarding efficiency.
As a by-product of optimizing the routing mechanism inside network elements, Flow records provide far richer information than traditional SNMP MIBs, so Flow data is widely used to underpin high-end traffic measurement: network monitoring, traffic-pattern analysis, application identification, network planning, rapid troubleshooting, security analysis (such as DDoS), inter-domain accounting and other data-mining functions.
Compared with a session, a Flow has finer-grained identifying characteristics: on top of the traditional TCP/IP 5-tuple it adds new fields, including at least the following:
  source IP address
  destination IP address
  source port
  destination port
  IP protocol
  ToS (type of service)
  input physical interface
These seven fields uniquely determine which Flow any packet belongs to; in other words, a difference in any one of them means a new Flow.
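The seven-field key above is exactly what a NetFlow v5 record carries (plus counters, timestamps, next hop and AS numbers), and the v5 export mentioned earlier is a fixed binary layout: a 24-byte header followed by up to 30 records of 48 bytes each. The following Python is an added example, not code from the original article or from any NetFlow product: a decoder for that layout that builds the seven-field key from each record, aggregates records by key, and uses the header's cumulative flow_sequence counter to detect lost datagrams. The sample datagram is constructed with the build_v5 helper (its addresses and counters are made up), and the 30-record ceiling is the v5 maximum per UDP datagram.

```python
"""NetFlow v5 datagram parser keyed on the seven NetFlow flow fields."""
import socket
import struct
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Fixed v5 layout: 24-byte header followed by `count` 48-byte records, big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


class FlowKey(NamedTuple):
    """The seven fields that identify a NetFlow flow."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    tos: int
    input_if: int


def parse_v5(datagram: bytes) -> Tuple[dict, List[dict]]:
    """Decode one export datagram; raises ValueError on malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    (version, count, uptime, unix_secs, unix_nsecs, sequence,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    if count > 30:
        raise ValueError(f"v5 datagrams carry at most 30 records, got {count}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: fewer bytes than the header count promises")
    header = {
        "sequence": sequence,                     # flows seen before this datagram
        "count": count,
        "sys_uptime_ms": uptime,
        "export_time": unix_secs + unix_nsecs / 1e9,
        "engine": (engine_type, engine_id),
        "sampling_interval": sampling & 0x3FFF,   # low 14 bits; top 2 bits are the mode
    }
    records = []
    for i in range(count):
        offset = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, input_if, output_if, packets, octets, first, last,
         src_port, dst_port, _pad1, tcp_flags, proto, tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, offset)
        records.append({
            "key": FlowKey(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                           src_port, dst_port, proto, tos, input_if),
            "output_if": output_if,
            "packets": packets,
            "bytes": octets,
            "duration_ms": last - first,
            "tcp_flags": tcp_flags,
        })
    return header, records


def aggregate(records: List[dict]) -> Dict[FlowKey, Tuple[int, int]]:
    """Sum packets and bytes per seven-field key: records sharing a key are one flow."""
    totals: Dict[FlowKey, List[int]] = defaultdict(lambda: [0, 0])
    for r in records:
        totals[r["key"]][0] += r["packets"]
        totals[r["key"]][1] += r["bytes"]
    return {k: (p, b) for k, (p, b) in totals.items()}


def missed_flows(prev_header: dict, header: dict) -> int:
    """Flows lost between two datagrams, from the cumulative flow_sequence counter."""
    expected = prev_header["sequence"] + prev_header["count"]
    return max(0, header["sequence"] - expected)


def build_v5(flows: List[tuple], sequence: int = 0) -> bytes:
    """Constructed test datagram (not captured from a device). Each flow is
    (src_ip, dst_ip, src_port, dst_port, proto, tos, input_if, output_if, packets, bytes)."""
    header = V5_HEADER.pack(5, len(flows), 1000, 1_000_000_000, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), socket.inet_aton("0.0.0.0"),
                       inp, outp, pk, by, 0, 500, sp, dp, 0, 0x18, pr, tos, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, tos, inp, outp, pk, by in flows)
    return header + body


# Constructed sample: the first two records share all seven key fields and are one flow;
# the third differs only in input interface and is therefore a separate flow.
SAMPLE_FLOWS = [
    ("10.1.1.5", "192.168.4.165", 40000, 2055, 17, 0, 3, 5, 10, 1500),
    ("10.1.1.5", "192.168.4.165", 40000, 2055, 17, 0, 3, 5, 4, 600),
    ("10.1.1.5", "192.168.4.165", 40000, 2055, 17, 0, 4, 5, 1, 100),
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS, sequence=100)

if __name__ == "__main__":
    hdr, recs = parse_v5(SAMPLE_DATAGRAM)
    print("sequence", hdr["sequence"], "records", hdr["count"])
    for key, (pk, by) in aggregate(recs).items():
        print(key, pk, "packets", by, "bytes")
```

Two things the decoder checks that a collector should not skip: the header count is validated against the datagram length before any record is read (a truncated or forged datagram otherwise raises a struct error or yields garbage), and the sequence arithmetic gives a direct measure of export loss on the UDP path, which is the first thing to look at when a flow analyzer shows less traffic than the interface counters.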
1. Devices that support NetFlow:
  Cisco 800, 1700, 2600            Yes
  Cisco 1800, 2800, 3800           Yes
  Cisco 4500                       Yes
  Cisco 6500                       Yes
  Cisco 7200, 7300, 7500           Yes
  Cisco 7600                       Yes
  Cisco 10000, 12000, CRS-1        Yes
  Cisco 2900, 3500, 3660, 3750     No
NetFlow is an IOS platform technology, which means the entire router range supports it, whereas on switch platforms support depends on the IOS version and the hardware; Cisco 2900, 3500, 3660 and 3750, for example, do not support it. The switched-network core devices we care about:
6500/7600 series:
1. Enable NetFlow:
  Switch(config)# mls netflow
2. Enable bidirectional flow collection:
  Switch(config)# mls flow ip destination-source      (other parameters may follow)
3. Enter the VLAN interface and enable NetFlow on it (if a physical interface is Layer 3, enter the physical interface directly):
  Switch(config)# interface vlan 5
  Switch(config-if)# ip flow-export ingress             (ingress here; egress can be configured depending on the IOS version)
  Switch(config-if)# ip route-cache flow
4. Configure the NetFlow source. If no Loopback interface is configured a physical interface can be used, but a Loopback is recommended:
  Switch(config)# ip flow-export source loopback 0
5. Configure the export destination, i.e. the collector's IP address and listening port:
  (config)#ip flow-export 10.1.200.201 9991
7. Configure the export version; versions 1 and 5 are currently supported:
  (config)#ip flow-export version 5
Reference commands:
  Switch# show mls nde
  Usually you see "Netflow Data Export disabled", which means NetFlow has not been started.
  See Cisco's "Configuring NetFlow Data Export" PDF: it is disabled by default.
Enable the NDE sender and set the export version:
  Switch(config)# mls nde sender [version {5 | 7}]
  If you enter only mls nde sender, version 7 is enabled by default; for version 5 enter mls nde sender version 5. The versions currently configurable are 5 and 7, and both produce normal data in the web UI.
  On switches with Cisco IOS below 12.17, only version 7 is available.
Some users reported that the NetFlow management host received no packets; the commands above can be applied as appropriate, though they are not guaranteed to help.
4500 series:
1. Configure the NetFlow source. If no Loopback interface is configured a physical interface can be used, but a Loopback is recommended:
  Switch(config)# ip flow-export source loopback 0
2. Configure the export destination, i.e. the collector's IP address and listening port:
  (config)#ip flow-export 10.1.200.201 9991
3. Configure the export version; versions 1 and 5 are currently supported:
  (config)#ip flow-export version 5
4. Set the flow cache expiry timers on the router. The recommended settings are an active-flow limit of 1 minute (an active flow's traffic statistics are sent every minute) and an inactive-flow limit of 10 seconds:
  (config)#ip flow-cache time active 1
  (config)#ip flow-cache time inactive 10
  (config)#ip flow-cache active-timeout 30
5. Some Cisco 4500s do not support per-interface NetFlow: it cannot be enabled on a particular interface, only on all ports or none. The important consequence is that traffic on different interfaces cannot be distinguished; only the device's total traffic is visible. It can only be enabled globally:
  Switch(config)# ip flow ingress infer-fields
If it can be enabled on an interface, enter the VLAN interface and enable NetFlow on it (if a physical interface is Layer 3, enter the physical interface directly):
  Switch(config)# interface vlan 5
  Switch(config-if)# ip route-cache flow
Cisco's official note:
--------------------------------------------------------------------------------
Note Enabling NetFlow on a per interface basis is not supported on a Catalyst 4500 switch.
--------------------------------------------------------------------------------
This example shows how to enable NetFlow globally:
  Switch# configure terminal
  Switch(config)# ip flow ingress
This example shows how to enable NetFlow with support for inferred fields:
  Switch# configure terminal
  Switch(config)# ip flow ingress infer-fields
NetFlow summary
1. NetFlow released versions (NetFlow runs over UDP):
  V9: not compatible with V8/5/1. Its biggest feature is templates, which make it extensible; but because V9 is template-based, extra template data must be transmitted (by default 20:1, about 4% of total traffic), and the device must spend more resources maintaining templates.
  V8: only for aggregation caches; once router-based NetFlow aggregation is enabled on the router, V8 can be used.
  V5: only for the main cache (the most commonly used); later releases added BGP AS information and flow sequence numbers.
  V1: the first release, no longer used.
  V2/V3/V4: never released.
  V6: not supported.
  Many international standards are based on NetFlow: the (IETF) IP Flow Information Export (IPFIX) Working Group (WG) and the IETF Packet Sampling (PSAMP) WG are based on the NetFlow Version 9 export format.
2. Prerequisites for configuring NetFlow: enable routing; enable one of CEF, dCEF or fast switching; check device resources, since NetFlow consumes additional resources.
3. Traffic NetFlow can capture:
  ==> Ingress NetFlow: IP to IP; IP to MPLS; FR terminate; ATM terminate
  ==> Egress NetFlow: IP to IP; MPLS to IP (MPLS penultimate hop)
4. NetFlow identifies a flow by 7 keys: source/destination IP; source/destination port; Layer 3 protocol type; TOS; ingress interface.
2. When deploying NetFlow you usually have to consider where to deploy it. Early IOS versions only support ingress flow statistics and do not count the egress direction. For example, suppose a router has two interfaces, A and B. Since by default NetFlow statistics cover only ingress traffic, enabling NetFlow export only on interface A gives you only interface A's inbound (IN) traffic and interface B's outbound (OUT) traffic.
Interface A's outbound traffic can only be obtained from interface B's NetFlow export.
So if export is not enabled on interface B, you will not get interface A's outbound traffic.
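The two-interface reasoning above, as an added Python model that is not part of the original article. It generalizes slightly beyond the text: besides ingress-only placement it also models egress capture (ip flow egress, where the IOS supports it), and it shows the side effect the text does not mention, that enabling ingress on one interface and egress on the other exports the same flow twice, so a collector has to deduplicate or it over-counts. The traffic, interface names and byte counts are constructed; the flow index used for deduplication stands in for the flow key and timing a real collector would match on.

```python
"""Which interface counters a collector can derive from ingress-only vs. ingress+egress NetFlow."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed traffic through a router with interfaces A and B: (ingress_if, egress_if, bytes).
SAMPLE_FLOWS: List[Tuple[str, str, int]] = [
    ("A", "B", 1000),   # enters A, leaves B
    ("A", "B", 500),
    ("B", "A", 300),    # enters B, leaves A
    ("B", "A", 200),
]

# One exported record: (flow index, ingress_if, egress_if, bytes, capture point).
Record = Tuple[int, str, str, int, str]


def export_records(flows: List[Tuple[str, str, int]],
                   enabled: Dict[str, Set[str]]) -> List[Record]:
    """Records the router exports: one per flow and per capture point that sees it.
    `enabled` maps interface -> {"ingress", "egress"}, mirroring ip flow ingress / ip flow egress."""
    records: List[Record] = []
    for idx, (in_if, out_if, nbytes) in enumerate(flows):
        if "ingress" in enabled.get(in_if, set()):
            records.append((idx, in_if, out_if, nbytes, f"ingress@{in_if}"))
        if "egress" in enabled.get(out_if, set()):
            records.append((idx, in_if, out_if, nbytes, f"egress@{out_if}"))
    return records


def interface_counters(records: List[Record]) -> Dict[Tuple[str, str], int]:
    """Per-interface IN/OUT byte totals, each flow counted once even if exported twice.
    Every record carries both the input and output interface, so one record yields
    an IN counter for one interface and an OUT counter for the other."""
    seen: Set[int] = set()
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for idx, in_if, out_if, nbytes, _ in records:
        if idx in seen:
            continue
        seen.add(idx)
        totals[(in_if, "in")] += nbytes
        totals[(out_if, "out")] += nbytes
    return dict(totals)


def duplicated_flows(records: List[Record]) -> Set[int]:
    """Flows seen at two capture points (ingress on one interface, egress on the other);
    a collector that does not deduplicate counts these twice."""
    hits: Dict[int, int] = defaultdict(int)
    for idx, *_ in records:
        hits[idx] += 1
    return {idx for idx, n in hits.items() if n > 1}


def missing_counters(interfaces: List[str],
                     counters: Dict[Tuple[str, str], int]) -> Set[Tuple[str, str]]:
    """Interface/direction pairs the current placement leaves unobserved."""
    return {(i, d) for i in interfaces for d in ("in", "out") if (i, d) not in counters}


def coverage(enabled: Dict[str, Set[str]]):
    """Evaluate a placement against the sample traffic: (counters, missing, duplicated)."""
    recs = export_records(SAMPLE_FLOWS, enabled)
    counters = interface_counters(recs)
    return counters, missing_counters(["A", "B"], counters), duplicated_flows(recs)


if __name__ == "__main__":
    for name, placement in [("ingress on A only", {"A": {"ingress"}}),
                            ("ingress on A and B", {"A": {"ingress"}, "B": {"ingress"}}),
                            ("ingress+egress on A", {"A": {"ingress", "egress"}}),
                            ("ingress on A, egress on B", {"A": {"ingress"}, "B": {"egress"}})]:
        counters, missing, dup = coverage(placement)
        print(name, "->", counters, "missing:", missing, "duplicated flows:", dup)
```

The four placements reproduce the article's point: ingress on A alone yields A-in and B-out only; ingress on both interfaces fills in the rest; where egress is supported, ingress plus egress on a single interface also gives full coverage; and ingress on A with egress on B is the worst of both, still missing A-out and B-in while exporting the A-to-B flows twice.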
Using Cisco's official diagram as an example (Figure 1): in the figure the arrows show the direction of data flow and "server" is where our NetFlow management host sits. So on which interfaces does NetFlow need to be enabled? In the figure, the interfaces marked with ellipses are the ones that need NetFlow; combining the data direction with the marked positions, we find that every one of them is the inbound interface of a data flow.
If the IOS version supports egress deployment, placement becomes much simpler (Figure 2).
Compared with Figure 1, placement now only requires configuring the relevant devices and no longer depends on the interface.
The simplest way to tell whether egress NetFlow is supported:
check whether it can be enabled on the interface or globally:
  Switch(config-if)# ip flow-export egress
  or
  switch(config-if)# ip flow egress
2. NetFlow troubleshooting
With NetFlow, the problems that arise are usually concentrated in the NetFlow analyzer having no data. The troubleshooting approach should be:
  first check that the commands on the physical device are enabled and that the parameters are correct;
  having confirmed the NetFlow device works, check the NetFlow analyzer's receive parameters for mistakes;
  having confirmed the two steps above, check whether a firewall or other physical barrier between the analyzer and the NetFlow device is blocking the UDP packets, and check whether NetFlow is enabled on the wrong interface position, and so on.
Simple troubleshooting methods:
1. Check the configuration commands for the platform. For example, the configuration commands for the 4500 and 6500 platforms differ, so look up the commands for the platform and check the configuration for errors.
  A. The command show ip flow interface checks whether NetFlow is enabled on an interface:
     Router# show ip flow interface
     Ethernet0/0
       ip flow ingress
  B. The command show run checks whether the export port, IP address and so on are set.
2. Once the configuration is confirmed, use the IOS verification commands, together with the commands in step 1, to see whether NetFlow is exporting. The common ones are show ip cache flow and show ip flow export.
NetFlow export verification:
1. Cisco-4507R#show ip flow export produces output like the following:
     Flow export v5 is enabled for main cache
     Exporting flows to 192.168.1.1 (9995)
     Exporting using source interface Loopback0
     Version 5 flow records
     40 flows exported in 3 udp datagrams
     0 flows failed due to lack of export packet
     0 export packets were sent up to process level
   Repeat the command at intervals of 10 s or longer.
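The verification step above (take show ip flow export twice, some seconds apart, and compare) is easy to automate, and the same checks apply to the show mls nde output quoted earlier for the 6500. The following Python is an added example, not part of the original article or of any Cisco tool: it parses both output formats as quoted on this page and turns them into the findings the troubleshooting steps call for (export disabled, no destination, send errors such as IPWRITE_ADJ_FAILED, or a flow counter that does not move between samples). The sample outputs are constructed copies with made-up counters, and the finding texts are my own wording.

```python
"""Parse NetFlow export status from IOS `show ip flow export` and Catalyst `show mls nde` output."""
import re
from typing import Dict, List, Optional

# Constructed samples modelled on the outputs quoted in the text (all counters are made up).
SHOW_IP_FLOW_EXPORT_T0 = """\
Flow export v5 is enabled for main cache
  Exporting flows to 192.168.1.1 (9995)
  Exporting using source interface Loopback0
  Version 5 flow records
  40 flows exported in 3 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
"""
SHOW_IP_FLOW_EXPORT_T1 = SHOW_IP_FLOW_EXPORT_T0   # second sample 10 s later: nothing moved
SHOW_MLS_NDE = """\
Netflow Data Export enabled
Exporting flows to 10.110.10.254 (9991)
Exporting flows from 10.16.68.72 (55425)
Version: 5
Include Filter not configured
Exclude Filter not configured
Total Netflow Data Export Packets are:
    49 packets, 0 no packets, 247 records
Total Netflow Data Export Send Errors:
IPWRITE_NO_FIB = 0
IPWRITE_ADJ_FAILED = 3
IPWRITE_PROCESS = 0
"""
SHOW_MLS_NDE_OFF = "Netflow Data Export disabled\n"


def parse_export_status(text: str) -> Dict:
    """Extract the fields both output formats have in common into one dict."""
    status: Dict = {"enabled": None, "destination": None, "source": None,
                    "flows_exported": None, "datagrams": None, "failed": 0, "send_errors": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if re.search(r"\b(is enabled|Export enabled)\b", line):
            status["enabled"] = True
        elif re.search(r"\b(is disabled|Export disabled)\b", line):
            status["enabled"] = False
        m = re.match(r"Exporting flows to (\S+) \((\d+)\)", line)
        if m:
            status["destination"] = (m.group(1), int(m.group(2)))
        m = re.match(r"Exporting (?:using source interface|flows from) (\S+)", line)
        if m:
            status["source"] = m.group(1)
        m = re.match(r"(\d+) flows exported in (\d+) udp datagrams", line)     # IOS router form
        if m:
            status["flows_exported"], status["datagrams"] = int(m.group(1)), int(m.group(2))
        m = re.match(r"(\d+) packets, (\d+) no packets, (\d+) records", line)  # Catalyst NDE form
        if m:
            status["datagrams"], status["flows_exported"] = int(m.group(1)), int(m.group(3))
        m = re.match(r"(\d+) flows failed", line)
        if m:
            status["failed"] = int(m.group(1))
        m = re.match(r"(IPWRITE_\w+) = (\d+)", line)
        if m:
            status["send_errors"][m.group(1)] = int(m.group(2))
    return status


def export_findings(now: Dict, earlier: Optional[Dict] = None) -> List[str]:
    """Turn one status sample, or two taken some seconds apart, into troubleshooting findings."""
    findings: List[str] = []
    if now["enabled"] is False:
        findings.append("export disabled: enable NetFlow/NDE and the export version on the device")
        return findings
    if now["destination"] is None:
        findings.append("no export destination: configure the collector address and UDP port")
    if now["failed"]:
        findings.append(f"{now['failed']} flows failed for lack of export packet (device resource pressure)")
    for name, count in now["send_errors"].items():
        if count:
            findings.append(f"{name}={count}: export packets are not leaving the device; check the "
                            "route and adjacency to the collector and that the export source is reachable")
    if earlier is not None and now["flows_exported"] == earlier["flows_exported"]:
        findings.append("flow counter unchanged between samples: nothing is being exported; check that "
                        "NetFlow is enabled on the monitored interfaces and that traffic is passing")
    return findings


if __name__ == "__main__":
    first = parse_export_status(SHOW_IP_FLOW_EXPORT_T0)
    second = parse_export_status(SHOW_IP_FLOW_EXPORT_T1)
    for finding in export_findings(second, first) + export_findings(parse_export_status(SHOW_MLS_NDE)):
        print("-", finding)
```

The "unchanged between samples" finding is the one that most often separates a device problem from a collector problem: if the flow counter advances while the analyzer stays empty, the device is exporting and the fault lies on the UDP path (firewall, NAT, wrong port) or in the analyzer's receive settings; if it does not advance, no amount of collector tuning will help.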