Network Data
Monitoring and
Reporting
How Cisco IT Uses NetFlow to
Capture Network Behavior,
Security, and Capacity Data
A Cisco on Cisco Case Study: Inside Cisco IT
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
1
Overview
ƒ Challenge
Network managers need to see application flows through the
network, to troubleshoot capacity and quality problems and to
understand usage. Networks provide views of but not information
about application flows. Seeing packet flows per port can help,
but a growing number of applications use dynamic ports,
complicating traffic characterization.
ƒ Solution
Cisco® NetFlow (already part of the network), plus tools to
capture and format the data
ƒ Results
Cisco NetFlow supports capacity planning, network protection
against denial of service (Dos) attacks and other forms of
undesirable traffic, and can give us new information about
network use.
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
2
Overview (Contd.)
ƒ Next Steps
Expand the use of the Net Flow technology to other
parts of the network.
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
3
Challenge : No Application Flow
Information
ƒ Cisco Systems® relied almost exclusively on Simple
Network Management Protocol (SNMP) to monitor
Internet bandwidth.
Although SNMP facilitates capacity planning, it does little to
characterize traffic applications, essential for understanding how
well the network supports the business.
ƒ Cisco® needed a more granular understanding of how
Cisco bandwidth was being used.
ƒ Port flow was monitored, but many newer applications
dynamically select new ports for each use.
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
4
Challenge : Application Usage
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
5
Solution: Cisco NetFlow Technology
ƒ Cisco® gained the ability to characterize and analyze
network traffic flows with Cisco NetFlow technology.
NetFlow technology is built into most Cisco switches and
routers using a specialized application-specific integrated circuit
(ASIC) and some specialized features of Cisco IOS® Software
and Cisco Catalyst® Operating System Software.
ƒ NetFlow answers the who, what, when, where, and how
of network traffic, and it has become the primary
network accounting technology and anomaly-detection
technology in the industry.
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
6
Solution: Cisco Net Flow Technology
(Contd.)
ƒ In 2003, Cisco Net Flow Version 9 was chosen for a
proposed IETF standard called IP Flow Information
Export (IPFIX).
IPFIX defines the format by which IP flow information can be
transferred from an exporter, such as a Cisco router, to a
collector application that analyzes the data.
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
7
Solution : Cisco NetFlow Technology
ƒ To export data, routers represent each network traffic
flow based on:
− Source and destination IP address
− Source and destination port
− Layer 3 protocol type
− Type of service
− Input logical interface
ƒ “You can think of NetFlow as a form of telemetry pushed
from routers and Layer 3 switches, each one acting as a
sensor.” —John Cornell, Cisco IT Technical Staff
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
8
Solution : Flow Information
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
9
Solution : Export Packets
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
10
Results: Characterize Traffic by
Application
ƒ Cisco® NetFlow Data by Arbor Networks Peak flow
Traffic
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
11
Results : Cost Effective
ƒ Cisco® NetFlow is more cost effective in gathering
network traffic information than Remote Monitoring
(RMON) probes.
ƒ Cisco enabled the NetFlow feature of Cisco IOS®
Software in several places on the Cisco network that
process incoming and outgoing traffic, for a total of more
than 1900 WAN interfaces.
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
12
Results : Cost Effective (Contd.)
ƒ Information from each location is useful on its own, as
well as in combination with other network–related
business intelligence.
For example, the combination of Cisco Net Flow and Border
Gateway Protocol (BGP) routing information provides visibility
into the origin and destination of Cisco network traffic, which
helps to ensure optimal peering with Internet service providers
(ISPs).
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
13
Results: Analysis Software (Data
Collection)
Network Location
Internet gateway
routers that connect
to ISP links
Analysis Software
Arbor Networks Peakflow
Traffic
Arbor Networks Peakflow DoS
Purpose
Network traffic analysis by
application
Correlation of network traffic with
BGP routing information
Anomaly detection
Routers at inner
Arbor Networks Peakflow DoS
edge of public-facing
network
Anomaly detection
WAN core
(aggregation layer)
NetQoS ReporterAnalyzer
Network traffic analysis by
application, for capacity planning
WAN edge
NetQoS ReporterAnalyzer
Network traffic analysis by
application, for capacity planning
Core routers on
public-facing
network
OSU flow-tools from
splintered.net
Collection of historical data, useful
for forensics and diagnostics
Network Address
Translation (NAT)
gateway
OSU flow-tools from
splintered.net
Collection of historical data, useful
for forensics and diagnostics
Auditing of addresses that have
undergone NAT (“NATed”
addresses)
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
14
Results : Internet and Security Benefits
ƒ Avoidance of SQL Slammer Worm
On January 24, 2003, the SQL Slammer worm, also called
Sapphire, propagated worldwide in just eight minutes.
Networks fell worldwide, including entire networks of automated
teller machines and leading enterprises.
ƒ Cisco® experienced no loss of business continuity from
SQL Slammer
A victory the IT team attributes to teamwork, an established
communications plan, a robust network architecture, and the
effective use of Cisco NetFlow technology.
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
15
Results : DOS Attacks
and Other Undesirable Traffic
ƒ Cisco® IT uses NetFlow data to protect the network
from viruses and attacks, and to understand the effects
of current and planned applications on the network.
ƒ From time to time Cisco receives traffic intended to
produce a DoS attack. DoS attacks flood the network
with packets, often of an unusual size, from an
untrusted source to a single destination.
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
16
Results : DOS Attacks
and Other Undesirable Traffic (Contd.)
ƒ Cisco detects and prevents DOS attacks by using
Cisco Net Flow to collect:
Packet source
Port number
Destination
Packet size
Protocol number
ƒ The information collected is sent to Arbor Peak flow
DOS for anomaly detection.
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
17
Results: Anomaly Detection Report
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
18
Results: WAN Traffic
ƒ Detection of Unauthorized WAN Traffic
Cisco® has avoided costly upgrades by identifying the
applications causing congestion and, if appropriate, changing
the usage policy.
ƒ Reduction in Peak WAN Traffic
Cisco IT uses NetFlow statistics to measure WAN traffic
improvement from application-policy changes.
ƒ Validation of QoS Parameters
By using Cisco NetFlow and NetQoS Reporter Analyzer, IT is
able to confirm that appropriate bandwidth has been allocated
to each class of service (CoS) and that no CoS is over- or
under-subscribed.
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
19
Results: WAN Traffic (Contd.)
ƒ Analysis of VPN Traffic and Tele worker Behavior
Cisco IT can easily identify tele worker traffic because it all
travels over identifiable tunnels. This type of traffic analysis
facilitates capacity planning for Internet access, and
understanding of home worker behavior.
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
20
Results: Total Cost of Ownership
Calculation
ƒ To prevent unexpected effects on the WAN, Cisco®
application development groups first deploy new
applications in a test environment.
Cisco NetFlow is used to measure how much WAN traffic the
application is likely to generate when released to a larger
population.
ƒ Testing applications helps to calculate TCO more
accurately.
ƒ For Cisco, the benefits of Cisco NetFlow are to ensure
that applications are deployed cost–effectively and that
services remain available at all times for all employees,
customers, and partners worldwide.
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
21
Next Steps: Summary
ƒ The next steps for Cisco® IT are to benefit from the
increasing value of the network data being collected
and to expand the use of NetFlow to other parts of the
network.
ƒ Capacity planning will be easier as we continue to
collect more NetFlow historical data.
ƒ Cisco anticipates extending capacity planning
methodologies used for Internet connectivity to internal
networks on the Cisco WAN.
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
22
Cisco NetFlow Technology
ƒ As converged networks and IP
telephony become more prevalent,
the ability to characterize traffic on
the network—both for capacity
planning and anomaly detection—
will become even more critical.
For Cisco®, NetFlow provides that
capability.
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
23
To read the entire case study, or for additional Cisco IT case studies on a
variety of business solutions, visit Cisco on Cisco: Inside Cisco IT
www.cisco.com/go/ciscoit
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
24