Test traffic

Flowops19th
NetFlow Generation Appliance
Catalyst 3850 Flexible NetFlow
2013.10.25
Kazumasa Ikuta
[email protected]
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
1
•  Dedicated appliance: a UCS C220 M3 server running flow-generation software
4*10G Monitoring Interfaces
2 Intel Xeon E5-2680 processors
48 GB DDR3 memory (6*8GB)
•  NetFlow v5, v9, IPFIX
•  Flow records for Layer 2, IPv4 and IPv6 (FNF-compatible)
•  Per chassis: 80,000,000-entry flow cache, 200,000 flow exports per second
•  Load balancing or flow replication on export
•  Up to six collectors
•  Built-in GUI or CLI for configuration
•  No monitoring GUI on the appliance; a separate collector is required
•  No sampling support (1:1); optional record aggregation filters can be applied
•  Pairing with a Nexus 7K, 5K, 3K or Cat6K (the SPAN source, registered on the NGA as a managed device) lets the NGA supplement the exported records with information it cannot see in the mirrored packets, such as input/output interface
[Deployment diagram] Cisco NGA with 4x10Gbps monitoring ports fed by SPAN or a network TAP (trunk link from a Nexus 7K or Cat 6500; L2, IPv4 and IPv6 traffic supported) and a 1 Gbps management port. The NGA exports NetFlow v5, v9 and IPFIX records to up to six collectors (management applications: third-party NetFlow collector, Cisco infrastructure, other management applications), with 10 export filters per destination. Two deployment modes: flow replication and load balanced.
[Deployment diagram] Two NGA designs, each exporting to a reporting application.
•  SPAN sessions from a Nexus 7000 and a Nexus 5000 (2x10Gb each) are aggregated at a network TAP; the SPAN traffic from the TAP is sent to the NGA's four 10Gb data ports.
•  Two individual 10Gb links, or a port channel, are SPANned from each Nexus 5000 (with Nexus 2000 fabric extenders) to the NGA.
[NGA GUI] Associate the previously created Exporter and Record with a Monitor, then Activate it.
[NGA GUI] Flow identification keys (the key fields that define a flow) and the fields collected per flow (non-key fields).
[NGA GUI] Flow record definition.
[NGA GUI] Up to six collectors can be configured per Exporter; the output is either load-balanced across them or replicated to each of them.
NDE (NetFlow Data Export) sample (Rec-1)
http://www.cisco.com/web/JP/product/hs/switches/cat3850/prodlit/data_sheet_c78-720918.html
•  Catalyst 3850
•  IOS XE 3.3 (released 2013/10/7)
•  Wireless controller integrated into the wired switch
•  Flexible NetFlow on all wired ports
•  Flexible NetFlow and NBAR (DPI) on the wireless controller
•  ASIC-based processing, so flow accounting runs at line rate
NetFlow (FNF) for WLAN client traffic
Example Flexible NetFlow configuration for traffic under wireless APs – Catalyst 3850

! Flow record: "match" lines are key fields that identify a flow, "collect" lines are
! non-key fields accumulated per flow. The wireless fields (SSID, AP MAC, client MAC)
! are what distinguish this record from a wired-only FNF record.
flow record W-Rec-1
 description See-Cisco.com-Manual
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match application name
 match wireless ssid
 collect counter bytes long
 collect counter packets long
 collect wireless ap mac address
 collect wireless client mac address

! Apply the flow monitor to a physical interface (wired traffic)
C3850-01#sh run int gi 1/0/1
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 ip flow monitor Mon-1 input
 ip flow monitor Mon-1 output

! Apply the flow monitor under the WLAN (wireless client traffic)
C3850-01#sh run | sec wlan
wlan NMS 1 NMS
 client vlan AP-test
 ip dhcp server 10.71.154.54
 ip flow monitor W-Mon-1 input
 ip flow monitor W-Mon-1 output
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no shutdown

! Exporters: two collectors on different UDP ports. The template and option timers
! control how often the v9 templates and the option tables (user MAC, sampler,
! application, interface) are re-sent, which a collector needs to decode the data
! records and to resolve application IDs and client MACs to names.
!
flow exporter kikuta-dhcp
 description kikuta-dhcp
 destination 10.141.43.88
 transport udp 2055
 template data timeout 120
 option usermac-table timeout 120
 option sampler-table timeout 120
 option application-table timeout 120
!
flow exporter PI20_88-second
 description PI20_88-second
 destination 10.71.154.88
 source Vlan55
 transport udp 9991
 template data timeout 60
 option usermac-table
 option interface-table timeout 60
!
! Flow monitor: binds the record to both exporters and sets the cache timers
flow monitor W-Mon-1
 exporter kikuta-dhcp
 exporter PI20_88-second
 cache timeout inactive 60
 cache timeout active 120
 record W-Rec-1
!

Notes: the WLAN "NMS" is an open SSID (every WPA/WPA2 option is disabled), which is acceptable only in the isolated lab this example was taken from. The wired monitor Mon-1 referenced on GigabitEthernet1/0/1 is not shown on the slide.
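To make the record/monitor split concrete, here is an added example (not code from the slides or from Cisco) of a simplified flow cache that behaves like W-Mon-1: the "match" fields of W-Rec-1 form the cache key, the "collect" fields are accumulated per key, and entries are exported on the inactive (60 s) and active (120 s) timeouts configured above. The traffic, addresses and MAC addresses it processes are constructed test data, and the application name is modelled as a string although the exporter encodes it as a 4-byte application id.

```python
"""Added example (not from the slides): a simplified Flexible NetFlow
flow cache for the W-Rec-1 record and W-Mon-1 monitor above.

"match" fields form the cache key; "collect" fields are accumulated per
key.  An entry is exported when no packet has hit it for the inactive
timeout (60 s) or when it has existed for the active timeout (120 s),
as set by "cache timeout inactive 60" / "cache timeout active 120".
All packets, addresses and MACs below are constructed test data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INACTIVE_TIMEOUT = 60.0   # seconds, "cache timeout inactive 60"
ACTIVE_TIMEOUT = 120.0    # seconds, "cache timeout active 120"

# Key fields of W-Rec-1, in the order of its "match" lines:
# (ipv4 protocol, ipv4 src, ipv4 dst, src port, dst port, direction, app name, ssid)
FlowKey = Tuple[int, str, str, int, int, str, str, str]


@dataclass
class FlowEntry:
    """Non-key ("collect") fields of W-Rec-1 plus cache bookkeeping."""
    ap_mac: str
    client_mac: str
    first_seen: float
    last_seen: float
    bytes_: int = 0
    packets: int = 0


class FlowCache:
    def __init__(self) -> None:
        self.cache: Dict[FlowKey, FlowEntry] = {}
        # (key, entry, reason) tuples handed to the exporter
        self.exported: List[Tuple[FlowKey, FlowEntry, str]] = []

    def packet(self, ts: float, key: FlowKey, length: int,
               ap_mac: str, client_mac: str) -> None:
        """Account one packet at time ts; an unseen key opens a new entry."""
        self.expire(ts)
        entry = self.cache.get(key)
        if entry is None:
            entry = FlowEntry(ap_mac, client_mac, first_seen=ts, last_seen=ts)
            self.cache[key] = entry
        entry.bytes_ += length
        entry.packets += 1
        entry.last_seen = ts

    def expire(self, now: float) -> None:
        """Export and remove entries whose inactive or active timer expired.

        A flow that is still alive at the active timeout is exported with
        its counters so far; its next packet opens a fresh entry, so a
        long flow reaches the collector as a series of partial records.
        """
        for key, entry in list(self.cache.items()):
            if now - entry.last_seen >= INACTIVE_TIMEOUT:
                reason = "inactive"
            elif now - entry.first_seen >= ACTIVE_TIMEOUT:
                reason = "active"
            else:
                continue
            self.exported.append((key, self.cache.pop(key), reason))


def demo() -> List[Tuple[str, str, int, int]]:
    """Drive the cache with constructed traffic on SSID NMS and return
    (application, export reason, packets, bytes) per exported record."""
    fc = FlowCache()
    ap, client = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"   # constructed MACs
    dns = (17, "10.0.0.5", "10.0.0.53", 53123, 53, "input", "dns", "NMS")
    http = (6, "10.0.0.5", "93.184.216.34", 51000, 80, "input", "http", "NMS")
    fc.packet(0.0, dns, 80, ap, client)        # short DNS exchange
    fc.packet(0.5, dns, 120, ap, client)
    for t in range(0, 150, 10):                # long-lived HTTP flow, 1 pkt / 10 s
        fc.packet(float(t), http, 1400, ap, client)
    fc.expire(200.0)                           # cache scan after traffic stops
    return [(key[6], reason, e.packets, e.bytes_) for key, e, reason in fc.exported]
```

Running demo() yields three records: the DNS flow exported as "inactive" (2 packets), the HTTP flow first exported as "active" at t=120 with 12 packets, and its remaining 3 packets exported as "inactive" once the traffic stops. This is why a collector must sum partial records by key rather than treating each record as a whole connection.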
[Screenshot] Test traffic in a lab environment.
Example of exported templates (show flow exporter templates)

Flow Exporter kikuta-dhcp:
  Client: Option options application-name
  Exporter Format: NetFlow Version 9
  Template ID    : 256
  Source ID      : 1
  Record Size    : 87
  Template layout
  | Field                         | Type | Offset | Size |
  |-------------------------------|------|--------|------|
  | v9-scope system               |    1 |      0 |    4 |
  | application id                |   95 |      4 |    4 |
  | application name              |   96 |      8 |   24 |
  | application description       |   94 |     32 |   55 |

  Client: Option options usermac
  Exporter Format: NetFlow Version 9
  Template ID    : 257
  Source ID      : 1
  Record Size    : 266
  Template layout
  | Field                         | Type | Offset | Size |
  |-------------------------------|------|--------|------|
  | v9-scope system               |    1 |      0 |    4 |
  | wireless client mac address   |  365 |      4 |    6 |
  | flow username                 |  371 |     10 |  256 |

  Client: Option options sampler-table
  Exporter Format: NetFlow Version 9
  Template ID    : 258
  Source ID      : 1
  Record Size    : 51
  Template layout
  | Field                         | Type | Offset | Size |
  |-------------------------------|------|--------|------|
  | v9-scope system               |    1 |      0 |    4 |
  | flow sampler                  |   48 |      4 |    4 |
  | flow sampler name             |   84 |      8 |   40 |
  | flow sampler algorithm export |   49 |     48 |    1 |
  | flow sampler interval         |   50 |     49 |    2 |

  (Annotation on the slide: to be supported in a software update.)

  Client: Flow Monitor W-Mon-1
  Exporter Format: NetFlow Version 9
  Template ID    : 264
  Source ID      : 65537
  Record Size    : 78
  Template layout
  | Field                         | Type | Offset | Size |
  |-------------------------------|------|--------|------|
  | ipv4 source address           |    8 |      0 |    4 |
  | ipv4 destination address      |   12 |      4 |    4 |
  | transport source-port         |    7 |      8 |    2 |
  | transport destination-port    |   11 |     10 |    2 |
  | flow direction                |   61 |     12 |    1 |
  | wireless ssid                 |  147 |     13 |   32 |
  | ip protocol                   |    4 |     45 |    1 |
  | application id                |   95 |     46 |    4 |
  | counter bytes long            |    1 |     50 |    8 |
  | counter packets long          |    2 |     58 |    8 |
  | wireless ap mac address       |  367 |     66 |    6 |
  | wireless client mac address   |  365 |     72 |    6 |

Two details of this output matter to whoever builds or tunes the collector. First, "match application name" in W-Rec-1 is not exported as a name: the data template carries the 4-byte "application id" (type 95), and the name/description mapping arrives separately in option template 256, so a collector that has not yet received the application-table options can only show numeric IDs. Second, the option templates use Source ID 1 while the data template uses Source ID 65537; NetFlow v9 template IDs are only unique per (exporter address, Source ID), so a collector must key its template cache on both.
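As an added example (not code from the slides or from Cisco), the following minimal NetFlow v9 parser decodes a packet built from the W-Mon-1 data template (ID 264) exactly as listed above. It shows the two things the template output implies for a collector: templates must be cached per (Source ID, template ID) before data FlowSets referencing them can be decoded, and data FlowSets may carry padding to a 4-byte boundary. The packet, addresses, MACs and counters are constructed test data, and the application id is rendered as "engine:selector" following the NBAR convention of an engine byte followed by a 3-byte selector.

```python
"""Added example (not from the slides): a minimal NetFlow v9 parser driven
by the W-Mon-1 data template (ID 264) exactly as listed above.

A v9 exporter sends templates and data in separate FlowSets; a collector
must cache each template under (source ID, template ID) before it can
decode the data records that reference it.  The packet built below is
constructed test data, including the 2-byte padding that brings the data
FlowSet to a 4-byte boundary.
"""
import struct
from typing import Any, Dict, List, Tuple

# (type, length) pairs copied from the "Flow Monitor W-Mon-1" template above.
TEMPLATE_264: List[Tuple[int, int]] = [
    (8, 4), (12, 4), (7, 2), (11, 2), (61, 1), (147, 32),
    (4, 1), (95, 4), (1, 8), (2, 8), (367, 6), (365, 6),
]

# Field names as the switch prints them for the types used by W-Rec-1.
FIELD_NAMES = {
    1: "counter bytes long", 2: "counter packets long", 4: "ip protocol",
    7: "transport source-port", 8: "ipv4 source address",
    11: "transport destination-port", 12: "ipv4 destination address",
    61: "flow direction", 95: "application id", 147: "wireless ssid",
    365: "wireless client mac address", 367: "wireless ap mac address",
}

Template = List[Tuple[int, int]]


def decode_field(ftype: int, raw: bytes) -> Any:
    """Turn the raw bytes of one field into a collector-friendly value."""
    if ftype in (8, 12):                       # IPv4 address
        return ".".join(str(b) for b in raw)
    if ftype in (365, 367):                    # MAC address
        return ":".join(f"{b:02x}" for b in raw)
    if ftype == 147:                           # SSID, NUL-padded to 32 bytes
        return raw.rstrip(b"\x00").decode("ascii", "replace")
    if ftype == 95:                            # NBAR id: engine byte + 3-byte selector
        return f"{raw[0]}:{int.from_bytes(raw[1:], 'big')}"
    return int.from_bytes(raw, "big")          # ports, counters, protocol, direction (0=ingress, 1=egress)


def parse_v9(packet: bytes, templates: Dict[Tuple[int, int], Template]) -> List[Dict[str, Any]]:
    """Parse one v9 export packet; `templates` persists across packets."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    records: List[Dict[str, Any]] = []
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("corrupt FlowSet length")
        body = packet[off + 4:off + fs_len]
        off += fs_len
        if fs_id == 0:                         # template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                if tid < 256:                  # zero bytes here are padding
                    break
                p += 4
                if p + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                     # data FlowSet
            fields = templates.get((source_id, fs_id))
            if fields is None:
                continue                       # template not seen yet: drop, do not guess
            rec_len = sum(flen for _, flen in fields)
            p = 0
            while p + rec_len <= len(body):    # trailing bytes shorter than a record are padding
                rec: Dict[str, Any] = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"type{ftype}")] = decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
        # FlowSet ID 1 (options templates) is ignored by this example
    return records


def build_sample_packet() -> bytes:
    """Constructed v9 packet: template 264 followed by one padded data record."""
    tmpl = struct.pack("!HH", 264, len(TEMPLATE_264))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_264)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = (bytes([10, 0, 0, 5]) + bytes([93, 184, 216, 34])       # src/dst IPv4 (constructed)
           + struct.pack("!HH", 51234, 443)                       # src/dst port
           + b"\x00"                                              # direction: ingress
           + b"NMS".ljust(32, b"\x00")                            # ssid from the WLAN config
           + b"\x06"                                              # protocol: TCP
           + bytes([13, 0, 0, 1])                                 # application id 13:1 (constructed)
           + struct.pack("!QQ", 12345, 23)                        # bytes, packets
           + bytes.fromhex("001122334455")                        # AP MAC (constructed)
           + bytes.fromhex("aabbccddee01"))                       # client MAC (constructed)
    assert len(rec) == 78                                         # matches Record Size above
    data_fs = struct.pack("!HH", 264, 4 + len(rec) + 2) + rec + b"\x00\x00"
    header = struct.pack("!HHIIII", 9, 2, 123456, 1382659200, 1, 65537)  # Source ID as above
    return header + template_fs + data_fs


def demo() -> List[Dict[str, Any]]:
    """Feed the constructed packet through an empty template cache."""
    return parse_v9(build_sample_packet(), {})
```

If the data FlowSet arrives before its template (a normal occurrence right after an exporter restarts, since templates are only re-sent every "template data timeout" seconds), parse_v9 returns no records for it rather than guessing a layout; a production collector would buffer or drop such packets until the next template refresh.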
[Screenshots] Exported flows viewed on the collector; test traffic in a lab environment. One of the screenshots is from ActionPacked! Networks' LiveAction, http://actionpacked.com/
•  Cisco NGA
www.cisco.com/go/nga
•  Catalyst 3850
www.cisco.com/jp/go/3850
www.cisco.com/go/3850
•  Cisco Flexible NetFlow
www.cisco.com/go/fnf
•  Cisco AVC (Application Visibility and Control)
www.cisco.com/go/avc
Thank you.