What is netflow?
It's a means to deliver statistics pertaining to traffic via flow information, exported from an L3 device. Netflow was developed by Cisco, but since then "it has been adopted by most L3 router/switch manufacturers". Even some open-source routers/firewalls have netflow support in their products.
Juniper has confused the general public in that they call netflow... jflow. It's also known as cflow (cisco flow).
I guess the marketing people took the approach of not using netflow or cisco flow in their materials. But bottom line: netflow, jflow, and cflow are the same damn flow.
Another new contender is known as IPFIX. We will not discuss that version here, since it's not as commonly used and has very limited support.
IPFIX is gaining in recognition and deployment, and most vendors are adding support for IPFIX in their routers and layer 3 switches. It (IPFIX) is similar to version 9, but it's not the same and is a different beast.
http://en.wikipedia.org/wiki/IP_Flow_Information_Export
Any netflow deployment consists of at least two pieces;
- The exporter (router/firewall/switch)
- The flow collector (the device that decodes and stores the flow details)
Now why do we use netflow?
Simple, netflow is used for numerous reasons, including the following;
- host/server traffic accounting
- traffic & capacity planning
- growth tracking
- network behavioral analysis
- DDoS detection, forensics and mitigation
Here's a typical netflow layout;
A few considerations for netflow that you will need to know before running off and configuring your SRX for netflow;
- do you need sampling, and if so at what rate
- what direction with regard to the interface (ingress/egress)
- what version of netflow your exporter and collector support
- the purpose of the flow collection
- which UDP port the collector listens on
- the collector IP address
The above items will be required, before we can attempt to configure netflow in the enterprise or service provider realm.
You will find netflow is simple to configure on a Juniper device, and very well supported across most of the Juniper line-up. Juniper Networks does impose certain restrictions when configuring options within netflow, so it's best to research what these limitations are before enabling flow accounting.
In my lab we are using an SRX 210H branch firewall, which is a very basic model in the SRX line-up. A bigger SRX or MX will offer more features and supported versions.
This unit supports only netflow versions 5, 8, 9 and 500. We will run through some of these configurations and the gotchas.
1st, netflow version 8.
This version is not as widely used as version 5. But the configuration is about the same, so I'm demo'ing it.
BTW, version 5 is used in most businesses and very well supported. It provides the option to include AS origin information in the flow records. Most collectors support this version, including the commercial ones (Solarwinds, Lancope, ArborNetworks, Plixer, etc.) and most open-source deployments (nflowd, ntop, etc.).
With netflow on Juniper we need to 1st enable NTP. If you don't, you will be greeted with this error message.
Next we enable the v8 forwarding output and flow-server, plus enabling collection on the interfaces of interest. Here we are doing our inside vlan0 (ingress) for the inet family.
note: we can't enable flow collection for inet6 (IPv6) in this version of Junos. IPv6 is only supported within v9 or IPFIX.
set interfaces vlan unit 0 family inet sampling input
and
set forwarding-options sampling input rate 0 run-length 0
set forwarding-options sampling family inet output aggregate-export-interval 90
set forwarding-options sampling family inet output flow-server 10.98.10.10 port 5000 source 1.0.0.1 version 8
set forwarding-options sampling family inet output flow-server 10.98.10.10 aggregation source-destination-prefix
With version 8 you have to enable the aggregation method; without this you will get errors.
So there you have it, you've just seen the main items for netflow configuration. Version 5 would be the same as above but with the version being "5" and no requirement for the "aggregation" method.
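To show what the collector side actually does with the v5/v8-style fixed-format export just configured, here is a small NetFlow v5 decoder. This is an added example, not code from the original post or from Juniper; the datagram it decodes is constructed inline (placeholder addresses, made-up counters, AS numbers from the private range) so it runs offline. It also reads the sampling field in the v5 header, which is how a collector knows to scale the byte counts when the exporter samples 1-in-N.

```python
"""NetFlow v5 export decoder (added example; not code from the original post).

A v5 export is a fixed layout: a 24-byte header followed by 'count' 48-byte
flow records (at most 30 per datagram).  The collector only needs this layout
to turn the datagram into flow details.  The sample datagram is constructed
inline so the example runs offline without an SRX or a collector.
"""
import ipaddress
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")    # 48 bytes
V5_MAX_RECORDS = 30

RECORD_FIELDS = (
    "src_addr", "dst_addr", "next_hop", "input_if", "output_if",
    "packets", "octets", "first_ms", "last_ms", "src_port", "dst_port",
    "pad1", "tcp_flags", "protocol", "tos", "src_as", "dst_as",
    "src_mask", "dst_mask", "pad2",
)


def _ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def decode_v5(datagram: bytes) -> dict:
    """Decode one NetFlow v5 datagram; raise ValueError on malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a v5 header")
    (version, count, sysuptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds the v5 maximum")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < needed:
        raise ValueError(f"truncated: need {needed} bytes, got {len(datagram)}")
    records = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("src_addr", "dst_addr", "next_hop"):
            rec[key] = _ip(rec[key])
        del rec["pad1"], rec["pad2"]
        records.append(rec)
    return {
        "version": version, "count": count, "sysuptime_ms": sysuptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_seq, "engine_type": engine_type,
        "engine_id": engine_id,
        # top two bits = sampling mode, low 14 bits = the 1-in-N interval
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
        "records": records,
    }


def estimated_octets(decoded: dict) -> int:
    """Scale exported byte counts by the advertised sampling interval so a
    1-in-N sampled export approximates the real traffic volume."""
    interval = max(decoded["sampling_interval"], 1)
    return sum(r["octets"] for r in decoded["records"]) * interval


def build_sample_v5_datagram() -> bytes:
    """Constructed sample: two flows (an HTTPS session and a DNS query) with
    placeholder addresses and private AS numbers, the way a v5 exporter that
    includes AS information would fill them in.  Sampling field 1 = every packet."""
    header = V5_HEADER.pack(5, 2, 123456, 1400000000, 0, 1000, 0, 0, 1)
    https = V5_RECORD.pack(
        int(ipaddress.IPv4Address("10.98.10.25")),
        int(ipaddress.IPv4Address("192.0.2.10")),
        int(ipaddress.IPv4Address("10.98.10.1")),
        5, 6, 12, 4800, 100000, 100900, 51234, 443, 0, 0x1B, 6, 0, 0, 64512, 24, 24, 0)
    dns = V5_RECORD.pack(
        int(ipaddress.IPv4Address("10.98.10.40")),
        int(ipaddress.IPv4Address("198.51.100.53")),
        int(ipaddress.IPv4Address("10.98.10.1")),
        5, 6, 2, 180, 200000, 200010, 40000, 53, 0, 0, 17, 0, 0, 64513, 24, 24, 0)
    return header + https + dns


if __name__ == "__main__":
    for rec in decode_v5(build_sample_v5_datagram())["records"]:
        print(f'{rec["src_addr"]}:{rec["src_port"]} -> {rec["dst_addr"]}:{rec["dst_port"]} '
              f'proto={rec["protocol"]} octets={rec["octets"]} dst_as={rec["dst_as"]}')
```

The length checks matter on a real collector: flow exports arrive over UDP from whatever source claims to be the exporter, so a decoder must reject short or oversized datagrams rather than index past the buffer.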
Okay let's look at netflow v9.
Version 9 is template-based netflow. What this means is that we send a template on a set interval, either by a number of seconds or by how many flows were exported. The collector receives this template, and the template tells the collector how to decode the flow records.
So you guessed it, we need to 1st define our template;
set services flow-monitoring version9 template mynetflow option-refresh-rate seconds 120
set services flow-monitoring version9 template mynetflow template-refresh-rate seconds 60
set services flow-monitoring version9 template mynetflow ipv4-template
The template configuration has options to adjust the refresh rates. In the above example, I named my template "mynetflow" and set the refresh rates for this template and its options at 60/120 secs respectively. The template refresh is a tweakable item, and various collectors will be more or less tolerant of the template refresh rate. The template must be sent on some kind of interval in order to decode the v9 flow records.
Now we will build the forwarding options and specify the netflow template (mynetflow) from above.
set forwarding-options sampling input rate 1 run-length 0
set forwarding-options sampling family inet output flow-server 10.98.10.10 port 5000 source 1.0.0.1 version9 template mynetflow
So in this model of hardware, we would be limited in regards to configuring netflow 9. This is what I mean when I say Juniper has version restrictions and limitations across all of its hardware devices, depending on hardware support and software/licenses.
Okay, let's look at the AS500 configuration. It's the same for the most part as netflow v5, except the version number is now "500".
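Since the point of v9 is that the collector can only decode data once it holds the template, here is an added example of the collector side: a small v9 decoder that caches template FlowSets per exporter source ID and decodes data FlowSets against them. This is not code from the original post or from Juniper. The two datagrams (one carrying a template, one carrying data records) are constructed inline with placeholder addresses; the field type numbers (1 = IN_BYTES, 2 = IN_PKTS, 4 = PROTOCOL, 7 = L4_SRC_PORT, 8 = IPV4_SRC_ADDR, 11 = L4_DST_PORT, 12 = IPV4_DST_ADDR) are the standard v9 element IDs. Feeding the data datagram before the template shows the failure mode the refresh interval exists to bound.

```python
"""NetFlow v9 template/data decoder (added example; not from the original post).

v9 is template based: a template FlowSet (id 0) announces, per template id,
the list of (field type, length) pairs; data FlowSets (id >= 256) carry records
laid out exactly that way.  A collector that has not yet seen the template
cannot decode the data, which is why the template refresh interval matters.
Datagrams below are constructed inline so this runs offline.
"""
import ipaddress
import struct

V9_HEADER = struct.Struct("!HHIIII")   # version, count, uptime, secs, seq, source_id
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}
IP_FIELDS = {8, 12}


class V9Collector:
    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(type, length), ...]
        self.undecodable = 0  # data FlowSets seen before their template arrived

    def feed(self, datagram: bytes) -> list:
        """Decode one v9 datagram; return the flow records it could decode."""
        if len(datagram) < V9_HEADER.size:
            raise ValueError("shorter than a v9 header")
        version, count, uptime, secs, seq, source_id = V9_HEADER.unpack_from(datagram, 0)
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version field = {version})")
        records, off = [], V9_HEADER.size
        while off + 4 <= len(datagram):
            fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
            if fs_len < 4 or off + fs_len > len(datagram):
                raise ValueError("bad FlowSet length")
            body = datagram[off + 4:off + fs_len]
            if fs_id == 0:
                self._learn_templates(source_id, body)
            elif fs_id >= 256:
                records.extend(self._decode_data(source_id, fs_id, body))
            off += fs_len   # options templates (id 1) are skipped in this example
        return records

    def _learn_templates(self, source_id: int, body: bytes) -> None:
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            pos += 4
            if pos + 4 * field_count > len(body):
                raise ValueError("template FlowSet truncated")
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(field_count)]
            pos += 4 * field_count
            self.templates[(source_id, template_id)] = fields

    def _decode_data(self, source_id: int, template_id: int, body: bytes) -> list:
        fields = self.templates.get((source_id, template_id))
        if fields is None:
            self.undecodable += 1   # cannot decode without the template
            return []
        rec_len = sum(length for _, length in fields)
        out, pos = [], 0
        while pos + rec_len <= len(body):   # leftover bytes are 4-byte padding
            rec = {}
            for ftype, flen in fields:
                value = int.from_bytes(body[pos:pos + flen], "big")
                pos += flen
                if ftype in IP_FIELDS and flen == 4:
                    value = str(ipaddress.IPv4Address(value))
                rec[FIELD_NAMES.get(ftype, f"type_{ftype}")] = value
            out.append(rec)
        return out


# Constructed exporter output: template 256 with seven fields (21-byte records).
TEMPLATE_ID = 256
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]


def _header(count: int, seq: int, source_id: int = 1) -> bytes:
    return V9_HEADER.pack(9, count, 5000, 1400000000, seq, source_id)


def build_template_datagram() -> bytes:
    body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
    return _header(1, 1) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_datagram() -> bytes:
    recs = b""
    for src, dst, sp, dp, proto, nbytes, npkts in (
            ("10.98.10.25", "192.0.2.10", 51234, 443, 6, 4800, 12),
            ("10.98.10.40", "198.51.100.53", 40000, 53, 17, 180, 2)):
        recs += int(ipaddress.IPv4Address(src)).to_bytes(4, "big")
        recs += int(ipaddress.IPv4Address(dst)).to_bytes(4, "big")
        recs += struct.pack("!HHBII", sp, dp, proto, nbytes, npkts)
    padding = (-len(recs)) % 4
    flowset = struct.pack("!HH", TEMPLATE_ID, 4 + len(recs) + padding) + recs + b"\x00" * padding
    return _header(2, 2) + flowset


if __name__ == "__main__":
    c = V9Collector()
    print("before template:", c.feed(build_data_datagram()), "undecodable =", c.undecodable)
    c.feed(build_template_datagram())
    print("after template:", c.feed(build_data_datagram()))
```

A real collector keeps the `undecodable` counter visible: a steadily rising count after the exporter reboots or the template refresh rate is set too high is the usual sign that data is arriving faster than templates, which is exactly the tuning knob the template-refresh-rate and option-refresh-rate statements above control.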
set forwarding-options sampling input rate 50 run-length 0
set forwarding-options sampling family inet output flow-server 10.98.10.10 port 5000 version500
Okay, now that you have been through a few netflow configurations, you can capture and/or decode the flow data to ensure it's working as planned.
And here's a simple decode using tshark;
- we deploy netflow for various reasons
- Netflow has a few versions
- Depending on the version selected you might have more configurable items
- v9 and IPFIX are template based
- Sampling is an option to consider
- NTP must be enabled
- netflow systems are always made up of at least a collector and an exporter
Ken Felix
Freelance Network/Security Engineer
kfelix ---at--hyperfeed ---dot--com
^ ^
= ( x x ) =
O
~
Great information!
I liked the information shared about netflow.
juniper srx
nice!