
NetFlow Configuration

This document describes the NetFlow feature and its configuration on Enterasys switch/routers.

For information about...                           Refer to page...
What Is NetFlow?                                   1
Why Would I Use It in My Network?                  1
How Can I Implement NetFlow?                       2
Understanding Flows                                3
Configuring NetFlow on the Enterasys Matrix DFE    6
Configuring NetFlow on the Matrix X Core Router    10
Terms and Definitions                              13
NetFlow Version 5 Record Format                    14
NetFlow Version 9 Templates                        15

What Is NetFlow?
NetFlow is a flow-based data collection protocol that provides information about the packet flows being sent over a network. NetFlow collects data by identifying unidirectional IP packet flows between a single source IP address/port and a single destination IP address/port, using the same Layer 3 protocol and values found in a fixed set of IP packet fields for each flow. NetFlow collects identified flows and exports them to a NetFlow collector. A NetFlow management application retrieves the data from the collector for analysis and report generation.

Why Would I Use It in My Network?


Standard system feedback is simply not granular enough to provide for such network requirements as planning, user or application monitoring, security analysis, and data mining. For example, because of its ability to identify and capture network flows, NetFlow:

- Provides a means to profile all flows on your network over a period of time. A network profile provides the granularity of insight into your network necessary for such secure network functionality as establishing roles with policy and applying QoS to policy.
- Provides a means of isolating the source of DoS attacks, allowing you to quickly respond with a policy, ACL, QoS change, or all of these to defeat the attack.
- Can identify the cause of an intermittently sluggish network. Knowing the cause allows you to determine whether it is an unexpected, but legitimate, network usage that might be rescheduled for low-usage time blocks, or maybe an illegitimate usage of the network that can be addressed by speaking to the user.
- Can look into the flows that transit the network links, providing a means of verifying whether QoS and policy configurations are appropriately configured for your network.
- Can understand your network's flow characteristics, allowing for better planning when transitioning to new applications or services.

February 26, 2008

Page 1 of 19

How Can I Implement NetFlow?


Having a profile of captured flows that transit your network over time is a crucial first step in implementing a secure network. This NetFlow profile provides you with a good understanding of the actual group and individual behaviors that make up the roles you set by policy and to which you apply QoS. A profile can also be very helpful in situations such as projecting how a network might react to the introduction of a new application prior to actual implementation. Figure 1 illustrates an example of a NetFlow network profile setup.

Figure 1 NetFlow Network Profile Example

To complete a NetFlow network profile, enable NetFlow on all ports where packet flows aggregate. At the top of Figure 1 you will find an abbreviated sample of the independent flow records that are captured at each NetFlow-enabled port. These flow records will be retained locally in a cache until a flow expiration criterion has been met. As shown, NetFlow export packets are sent to the NetFlow collector server, where a collector and management application has been installed. The management application will process the records and generate useful reports. These reports provide you with a clear picture of the flows that traverse your network, based upon such data points as source and destination address, start and end time, application, and packet priority.

The following steps provide a high-level overview of a NetFlow implementation:

1. Determine the business or network purpose of the information NetFlow will provide you.
2. Choose a collector and Dragon Security Command Console (DSCC) or third-party management application(s) best suited for the purpose you are collecting the data. Install the application(s) on the NetFlow collector server.
3. Identify the paths used by the data to be collected by NetFlow.
4. Identify the chokepoint interfaces where the IP packet flows you want NetFlow to capture aggregate.
5. Enable NetFlow on the identified interfaces.
6. Identify the NetFlow collector server by configuring its IP address.
7. Use the data reporting generated by the NetFlow management application to address the purpose determined in step 1.

Understanding Flows
The concept of a flow is critical to understanding NetFlow. A flow is a stream of IP packets in which the value of a fixed set of IP packet fields is the same for each packet in the stream. A flow is identified by seven key fields in an IP packet:

- Source input interface
- Source IP address
- Destination IP address
- Destination port (UDP/TCP port number)
- Source port (UDP/TCP port number)
- IP TOS field
- Layer 3 protocol

Each packet containing the same value for all of these fields is considered part of the same flow, until flow expiration occurs. If a packet is viewed with any key field value that is different from any current flow, a new flow is started based upon the key field values for that packet. The NetFlow protocol will track a flow until an expiration criterion has been met, up to a configured number of current flows.

Each flow has different data, based on the NetFlow export version format supported by the network device. This data can include such items as packet count, byte count, destination interface index, start and end time, and next hop router.

Flow Expiration Criteria


Flows are not exported by the network switch to the NetFlow collector until expiration takes place. There are two timers that affect flow expiration: the NetFlow active and inactive timers.


The active timer determines the maximum amount of time a long-lasting flow will remain active before expiring. When a long-lasting active flow expires, due to the active timer expiring, another flow is immediately created to continue the ongoing flow. It is the responsibility of the management application, on the NetFlow collector, to rejoin these multiple flows that make up a single logical flow. The active timer is configurable in the CLI (see Configuring the Active Flow Export Timer on page 6).

The inactive timer determines the length of time NetFlow waits before expiring the flow once a flow has stopped. The inactive timer is a fixed value of 40 seconds and cannot be configured.

Rules for expiring NetFlow cache entries include:

- Flows which have been idle for 40 seconds (fixed value in firmware) are expired and removed from the cache.
- Long-lived flows are expired and removed from the cache. (Flows are not allowed to live more than 30 minutes by default; the underlying packet conversation remains undisturbed.)
- Flows associated with an interface that has gone down are automatically expired.

Figure 2 provides a graphic depiction of how these timers interact. Flows 1 and 3 show a single long-lasting logical flow. Flow 1 times out and expires at 30 minutes, the active timer length. Because the flow expires, an export packet is sent to the NetFlow collector. Flow 3 continues this long-lasting flow for another 10 minutes. At time 40 minutes the flow ends. The 40-second inactive timer initiates and expires at 40 minutes and 40 seconds, resulting in an export packet to the NetFlow collector for flow 3. At the NetFlow collector, the management application joins the two flows into a single logical flow for purposes of analysis and reporting.

Flow 2 is a 7.5-minute flow that never expires the active timer. It begins at 2.5 minutes and ends at 10 minutes. At 10 minutes the inactive timer commences and expires the flow at 10 minutes and 40 seconds. At this time, NetFlow sends an export packet for the flow to the NetFlow collector for processing.

Figure 2 Flow Expiration Timers
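The key-field classification and the two expiration timers described above, as an added example that is not part of the original document or Enterasys code: a small Python simulation of the exporter's flow cache (the seven key fields, the fixed 40-second inactive timer, the 30-minute default active timer and the interface-down rule) followed by the collector-side rejoin of records that the active timer split apart. The packet timeline reproduces the three flows of Figure 2; the class and function names, addresses, ports and packet sizes are constructed for the example.

```python
from collections import namedtuple

INACTIVE_TIMEOUT = 40        # seconds; fixed in DFE firmware, not configurable
ACTIVE_TIMEOUT = 30 * 60     # seconds; default active timer (export-interval)

# The seven key fields that identify a flow.
FlowKey = namedtuple("FlowKey", "in_if src dst dport sport tos proto")


class FlowCache:
    """Exporter-side cache: one entry per distinct key, expired by the timers."""

    def __init__(self, active=ACTIVE_TIMEOUT, inactive=INACTIVE_TIMEOUT):
        self.active, self.inactive = active, inactive
        self.entries = {}    # FlowKey -> {"first", "last", "pkts", "bytes"}
        self.exported = []   # expired records, in the order they would be exported

    def _expire(self, key, reason, when):
        rec = dict(self.entries.pop(key), key=key, reason=reason, export_time=when)
        self.exported.append(rec)

    def sweep(self, now):
        """Apply the expiration rules as of time `now` (seconds)."""
        for key, e in list(self.entries.items()):
            inactive_at = e["last"] + self.inactive
            active_at = e["first"] + self.active
            if now >= inactive_at and inactive_at <= active_at:
                self._expire(key, "inactive", inactive_at)   # idle for 40 s
            elif now >= active_at:
                self._expire(key, "active", active_at)       # long-lived flow
                # the conversation continues undisturbed as a new flow record
                self.entries[key] = dict(first=active_at, last=active_at, pkts=0, bytes=0)

    def packet(self, t, key, length):
        """Account one packet seen at time t with the given key fields."""
        self.sweep(t)
        e = self.entries.setdefault(key, dict(first=t, last=t, pkts=0, bytes=0))
        e["last"] = t
        e["pkts"] += 1
        e["bytes"] += length

    def interface_down(self, ifindex, t):
        """Flows whose input interface went down are expired immediately."""
        for key in [k for k in self.entries if k.in_if == ifindex]:
            self._expire(key, "interface-down", t)


def rejoin(records):
    """Collector side: merge the records that the active timer split apart."""
    joined, continuing = [], {}
    for r in sorted(records, key=lambda r: r["first"]):
        lf = continuing.get(r["key"])
        if lf is None:
            lf = dict(key=r["key"], first=r["first"], last=r["last"],
                      pkts=0, bytes=0, segments=0)
            joined.append(lf)
        lf["last"] = r["last"]
        lf["pkts"] += r["pkts"]
        lf["bytes"] += r["bytes"]
        lf["segments"] += 1
        # an "active" expiry means the exporter kept counting in a new record
        if r["reason"] == "active":
            continuing[r["key"]] = lf
        else:
            continuing.pop(r["key"], None)
    return joined


def figure2_scenario():
    """Constructed packet timeline reproducing Figure 2 (times in seconds)."""
    long_flow = FlowKey(3, "10.1.1.5", "10.2.2.9", 443, 50123, 0, 6)   # flows 1 and 3
    short_flow = FlowKey(3, "10.1.1.7", "10.2.2.9", 53, 40001, 0, 17)  # flow 2
    timeline = [(t, long_flow, 100) for t in range(0, 2401, 10)]      # 0 to 40 min
    timeline += [(t, short_flow, 60) for t in range(150, 601, 10)]    # 2.5 to 10 min
    cache = FlowCache()
    for t, key, length in sorted(timeline, key=lambda p: p[0]):
        cache.packet(t, key, length)
    cache.sweep(3600)   # one hour in: the idle remainder has expired by now
    return cache.exported, rejoin(cache.exported)


if __name__ == "__main__":
    exported, joined = figure2_scenario()
    for r in exported:
        print("export at %5d s: %-8s pkts=%-4d first=%-5d last=%d" %
              (r["export_time"], r["reason"], r["pkts"], r["first"], r["last"]))
    for lf in joined:
        print("logical flow from %s: %d segment(s), %d packets" %
              (lf["key"].src, lf["segments"], lf["pkts"]))
```

The three export events land at 640 s, 1800 s and 2440 s, matching the 10:40, 30:00 and 40:40 marks of Figure 2, and the rejoin step folds the two halves of the long flow back into one logical flow.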

Deriving Information from Collected Flows


On the collection server, a third-party NetFlow collector application correlates the received records and prepares them for use by the NetFlow management application. (In some cases the collector and management applications are bundled in a single application.) The management application retrieves the flow records, combines flows that were broken up due to expiration rules, and aggregates flows based upon common values, before processing the data into useful reports viewable by the network administrator.

Correlated reports can be the basis for such information categories as:

- Understanding who is originating and receiving the traffic
- Characterizing the applications that are utilizing the traffic
- Examining flows by priority
- Characterizing traffic utilization by device
- Examining the amount of traffic per port


Configuring NetFlow on the Enterasys Matrix DFE


The Matrix N-Series DFEs (Gold, Platinum, and Diamond) all support NetFlow. NetFlow is disabled by default on all devices at device startup.

This section covers the following NetFlow configuration topics:

- Enterasys Matrix DFE Implementation
- Configuring the Active Flow Export Timer
- Configuring the NetFlow Collector IP Address
- Configuring the NetFlow Export Version
- Configuring NetFlow Export Version Refresh
- Configuring a NetFlow Port
- Configuring the NetFlow Cache
- Displaying NetFlow Configuration and Statistics

Enterasys Matrix DFE Implementation


The Matrix DFE flow-based architecture provides a powerful mechanism for collecting network flow statistics, with reporting capacity that scales with the addition of each DFE module. For each flow, packet and byte count statistics are collected by the DFE forwarding hardware. The flow report generation logic is distributed, permitting each module to report flows on its own ports.

The Matrix DFE implementation enables the collection of NetFlow data on both switched and routed frames, allowing DFE modules in all areas of a network infrastructure to collect and report flow data. Routing does not need to be enabled to utilize NetFlow data collection. Flow detail depends on the content of the frame and the path the frame takes through the switch.

NetFlow can be enabled on all ports on a Matrix system, including fixed front panel ports, LAG ports, NEM ports, and FTM1 backplane ports. Router interfaces which map to VLANs may not be enabled directly.

NetFlow records are generated only for flows for which a hardware connection has been established. As long as the network connection exists (and NetFlow is enabled), NetFlow records will be generated. Flows that are switched in firmware (soft forwarded) will not have NetFlow records reported. For flows that are routed, the DFE firmware reports the source and destination ifIndexes as the physical ports, not routed interfaces.

In the case of a LAG port, the module(s) that the physical ports are on will generate NetFlow records independently. They will, however, report the source ifIndex as the LAG port. The Flow Sequence Counter field in the NetFlow Header is unique per module. The Engine ID field of the NetFlow Header is used to identify each unique module.

The Matrix N-Series DFE requires 256 MB of memory in all modules in a chassis running 5.41.xx firmware and above to enable NetFlow.

Configuring the Active Flow Export Timer


The active flow timer, also referred to as the export interval, sets the maximum amount of time an active flow will be allowed to continue before expiration for this system. Should the active timer expire and the flow terminate, the underlying flow continues as a separate flow. It is the responsibility of the management application to recognize the multiple flows as a single logical flow for analysis and reporting purposes. The active flow timer defaults to 30 minutes.
Notes: Some NetFlow management applications expect to see export packets prior to some set interval that is often as low as 1 minute. Check the documentation for your management application and make sure that the active flow timer is configured for a value that does not exceed that value.

Use the set netflow export-interval interval command to change the active flow timer value for each system.

Use the clear netflow export-interval command to reset the active flow timer to its default value.

Configuring the NetFlow Collector IP Address


Expired NetFlow records are bundled into NetFlow export packets and sent to the NetFlow collector using the UDP protocol. Configuring the IP address of the NetFlow collector destination determines where expired NetFlow records for this system are sent. Only one NetFlow collector may be configured for each system. Multiple systems may share a single NetFlow collector. You can optionally specify the UDP port to be used on the NetFlow collector. By default, no NetFlow collector is configured on a system.

If a NetFlow collector has already been configured for the system and you wish to change the address to a different collector, you must first clear the current NetFlow collector configuration before attempting to configure the new NetFlow collector.

Use the set netflow export-destination [ip-address [udp-port]] command to configure the IP address of the NetFlow collector for this system and optionally set the UDP port.

Use the clear netflow export-destination [ip-address [udp-port]] command to clear the current NetFlow collector configuration.

Configuring the NetFlow Export Version


The Enterasys Matrix N-Series supports NetFlow export versions 5 and 9. The default export version is 5.

The primary difference between the two versions is that version 5 is a fixed data record without multicast support, whereas version 9 is a flexible, extensible, template-based data record that provides the complete ifIndex value and 64-bit counters.

With NetFlow version 5, packets are made up of a series of data records and are exported to the collection server when the maximum number of NetFlow records is reached.

When transmitting NetFlow Version 5 reports, the DFE module uses NetFlow interface indexes. Normally these would be actual MIB-2 ifIndex values, but the Version 5 record format limits the values to 2 bytes, which is not sufficient to hold 4-byte ifIndexes. NetFlow collector applications that use the in/out interface indexes to gather SNMP data about the interface (such as ifName) must translate the interface indexes using the Enterasys MIB etsysNetFlowMIB (1.3.1.6.1.4.1.5624.1.2.61).

With NetFlow version 9, packets are made up of templates and/or data records. Templates are sent after the period configured for the template timeout when a module or collection server first boots up. Data records for version 9 cannot be processed without an up-to-date template. Collectors ignore incoming packets until a template arrives. Templates are refreshed periodically based upon a packet refresh rate and timeout period. Setting the appropriate refresh rate for your Matrix system must be determined, since the default settings of a 20-packet refresh rate and a 30-minute timeout may not be optimal for your environment. See Configuring NetFlow Export Version Refresh.

NetFlow Version 9 records generated by DFE modules use true MIB-2 ifIndex values since the template mechanism permits transmission of 4-byte ifIndexes. Version 9 also uses 8-byte packet and byte counters, so they are less likely to roll over. Check with your collector provider to determine if they provide the necessary support.

The current Version 9 implementation:

- Does not support aggregation caches.
- Provides four predefined templates. The appropriate template is selected for each flow depending on whether the flow is routed or switched, and whether it is a TCP/UDP packet or not. See Table 5 on page 15 for a complete listing of the fields for each of the NetFlow Version 9 supported templates.

Use the set netflow export-version {5 | 9} command to set the NetFlow export version.

Use the clear netflow export-version command to reset the export version to the default value.

Configuring NetFlow Export Version Refresh


Version 9 template records have a limited lifetime and must be periodically refreshed. Templates are retransmitted when either:

- the packet refresh rate is reached, or
- the template timeout is reached.

Template refresh based on the timeout period is performed on every module. Since each DFE module handles its own packet transmissions, template refresh based on the number of export packets sent is managed by each module independently.

The refresh rate defines the maximum delay a new or restarted NetFlow collector would experience before it learns the format of the data records being forwarded (from the template referenced by the data records). Refresh rates affect NetFlow collectors during their startup. Collectors must ignore incoming data flow reports until the required template is received.

The default behavior is for the template to be sent after 20 export data packets are sent. Since data record packets are sent out per flow, a long FTP flow may cause the template timeout timer to expire before the maximum number of packets are sent. In any case a refresh of the template is sent at timeout expiration as well.

Setting the appropriate refresh rate for your Enterasys Matrix system must be determined, because the default settings of a 20-packet refresh rate and a 30-minute timeout may not be optimal for your environment. For example, a switch processing an extremely slow flow rate of, say, 20 packets per half hour would refresh the templates only every half hour using the default settings, while a switch sending 300 flow report packets per second would refresh the templates 15 times per second.

Enterasys recommends that you configure your Enterasys Matrix system so it does not refresh templates more often than once per second.

Use the set netflow template {[refresh-rate #ofPackets] [timeout minutes]} command to set the NetFlow export template refresh rate and timeout for this system.

Use the clear netflow template {[refresh-rate] [timeout]} command to reset the NetFlow export template refresh rate and timeout to the default values.


Configuring a NetFlow Port


NetFlow records are only collected on ports that are enabled for NetFlow.

Use the set netflow port port-string enable command to enable NetFlow on the specified ports.

Use the set netflow port port-string disable command to disable NetFlow on the specified ports.

Use the clear netflow port port-string command to set the port to the default value of disabled.

Configuring the NetFlow Cache


Enabling the NetFlow cache globally enables NetFlow on all DFE modules for this system. When NetFlow recognizes a new flow on the ingress port, it creates a NetFlow record for that flow. The NetFlow record resides in the NetFlow cache for that port until an expiration event is triggered for that flow, at which time it is sent along with other expired flows in an export packet to the NetFlow collector for processing.

Use the set netflow cache enable command to enable NetFlow on this system.

Use the set netflow cache disable command to globally disable NetFlow on this system.

Use the clear netflow cache command to reset the NetFlow cache to the default value of disabled for this DFE module.

Displaying NetFlow Configuration and Statistics


Use the show netflow command to display the current configuration and export statistics for this system.

Use the show netflow config port-string command to display the NetFlow configuration for a single port or set of ports.

Use the show netflow statistics export command to display export statistics for this system.

Procedure 1 provides a CLI example of a NetFlow setup. Steps 1-3 are required. Steps 4-6 are optional depending upon the needs of your configuration.

Procedure 1 Configuring NetFlow on Matrix N-Series Systems

Step | Task | Command(s)
1. | Enable NetFlow collection on the specified port. | Matrix(rw)->set netflow port port_string enable
2. | Configure the NetFlow collector destination server for this system. | Matrix(rw)->set netflow export-destination ip-address [udp-port]
3. | Globally enable the NetFlow cache for this system. | Matrix(rw)->set netflow cache enable
   | Verify the required NetFlow configuration. | Matrix(rw)->show netflow
4. | Optionally, modify the active flow timer value for this system. | Matrix(rw)->set netflow export-interval interval
5. | Optionally, change NetFlow record format between version 5 and version 9 for this system. | Matrix(rw)->set netflow export-version version
6. | If using version 9, optionally modify the number of export packets sent that cause a template to be retransmitted by an individual DFE module and/or the length of the timeout period, in minutes, after which a template is retransmitted by all modules in the system. | Matrix(rw)->set netflow template {[refresh-rate packets] [timeout minutes]}
7. | Verify any configuration changes made. | Matrix(rw)->show netflow config

Default NetFlow Settings for Matrix N-Series Systems


Table 1 provides a listing of the default NetFlow configuration settings for the Matrix N-Series systems.

Table 1 Default NetFlow Configuration Settings for Matrix N-Series Systems

Parameter | Description | Default Value
Cache Status | Whether NetFlow caching is globally enabled or disabled. | Disabled globally
Destination IP address | The IP address of the NetFlow collector which is the destination of the NetFlow UDP packets. | None
Export Interval | The time-out interval when the NetFlow cache is flushed and the data is exported, if the maximum number of entries has not been reached. | 30 minutes
Export Version | The NetFlow flow record format used when exporting NetFlow packets. Version can be either 5 or 9. | Version 5
Inactive flow timer | The number of seconds after a flow stops before NetFlow sends an export packet for that flow to the collector. | 40 seconds (non-configurable)
Port state | Whether NetFlow is enabled or disabled on a port. | Disabled
Refresh-rate | The number of export packets sent before NetFlow retransmits a template to the collector when using NetFlow Version 9. | 20 export packets
Timeout-period | When using NetFlow Version 9, the number of minutes NetFlow waits before retransmitting a template to the collector. | 30 minutes

Configuring NetFlow on the Matrix X Core Router


On the Matrix X Router, NetFlow classification and caching are performed on the Input/Output Modules (IOMs), while NetFlow export functionality is performed on the Control Module (CM). Packets are sampled at ingress at the rate configured for the whole system with the set sampling-rate command (see Procedure 2 on page 11). The IOMs classify the sampled packets into flows, update NetFlow counters, and determine the end of the flows. The IOMs send flow data to the CM for export when the configured export interval time expires (default is 30 minutes) or when the cache is full.

The NetFlow export process on the CM gathers any further data needed to complete the data record format for the configured NetFlow version and sends the flow records to the configured NetFlow collector. Note that only one NetFlow export destination (collector) can be configured per X Router system.

NetFlow can be enabled on any port on the X Router.

The Matrix X Router currently supports data export Version 1 and Version 5. CLI commands are provided to configure certain record format values required for Version 5, such as engine ID and engine type.

You must configure a NetFlow export destination before you can enable NetFlow globally or on any ports. NetFlow will start sampling packets after you enable NetFlow globally and on the desired ports.

Procedure 2 Configuring NetFlow on Matrix X Core Router Systems

Step | Task | Command(s)
1. | Optionally, check the current NetFlow configuration settings and sampling rate. | show netflow config
2. | Optionally, change the sampling rate for packets. | set sampling-rate number
3. | Configure the NetFlow collector destination. You cannot enable NetFlow globally or on ports until an export destination has been configured. | set netflow export-destination ip-address [udp-port]
4. | Configure the administrative interface used as the source IP address of the exported NetFlow packets. | set netflow interface port-string
5. | Configure the NetFlow flow record version to be used for the flow data packets. Version 5 is the default. Optionally, also configure the BGP AS address type. Default is peer-as. | set netflow export version {1 | 5} [origin-as | peer-as]
6. | If using Version 5, configure the engine ID and engine type. | set netflow engine-id engine-id type engine-type
7. | Optionally, configure the export interval. The default is 30 minutes. | set netflow export-interval min
8. | Optionally, configure the maximum number of flows that can be saved into the cache. The default is 64 KB. | set netflow entries max-num
9. | Enable NetFlow globally. | set netflow cache enable
10. | Enable NetFlow on the desired ports. | set netflow port port-string enable

Disabling NetFlow
To disable NetFlow on a port, use either of the following commands:
set netflow port port-string disable
clear netflow port port-string

When you disable NetFlow on a port, NetFlow will stop sampling and the current flow data will be exported when the export timeout interval expires.

To disable NetFlow globally, use either of the following commands:
set netflow cache disable
clear netflow all

When you execute the clear netflow all command, all NetFlow settings are returned to their default condition. In the case of the global NetFlow cache setting, the default is disabled.

Displaying NetFlow Information


To display the current NetFlow configuration settings:
show netflow config

To display NetFlow statistics on a per-port basis:
show netflow statistics port-string

To display flow counters for the current cached NetFlow information, on a system-wide or IOM-specific basis:
show netflow cache-flow [slot-id]

Default NetFlow Settings for the Matrix X Core Router


Table 2 provides a listing of the default NetFlow settings for the Matrix X Core Router.

Table 2 Default NetFlow Settings for the Matrix X Core Router

Parameter | Description | Default Value
Cache Status | Whether NetFlow caching is globally enabled or disabled. | Disabled globally
Sampling Rate | The rate at which packets are captured, or sampled. 100 indicates that 1 in 100 packets is captured. | 100
Engine ID | The ID number of the flow switching engine. This ID is required by NetFlow export version 5 format. | 0
Engine Type | The type of flow switching engine. This value is required by NetFlow export version 5 format. | 0
Administrative Interface | This is the interface used for the source IP address of the exported NetFlow UDP datagrams. | eth0
Destination IP | The IP address of the NetFlow collector which is the destination of the NetFlow UDP packets. | None
Destination UDP port | The UDP port on the NetFlow collector. | 2055
Export Version | The NetFlow flow record format used when exporting NetFlow packets. Version can be either 1 or 5. | Version 5
Export Interval | The time-out interval when the NetFlow cache is flushed and the data is exported, if the maximum number of entries has not been reached. | 30 minutes
Export AS | Whether the BGP AS addresses are origin or peer. BGP AS addresses are not supported by Version 1. | peer AS
Number of Entries | The maximum number of flows saved into the cache. | 84 KB
Port state | Whether NetFlow is enabled or disabled on a port. | Disabled

Terms and Definitions


Table 3 lists terms and definitions used in this NetFlow configuration discussion.

Table 3 NetFlow Configuration Terms and Definitions

Term | Definition
Active Flow Timer | A timer which specifies the maximum amount of time a flow may stay active. The ongoing flow continues to be tracked as a separate flow. It is the management application's responsibility to join these flows for analysis/reporting purposes.
Flow | A stream of IP packets that has not yet met an expiration criterion, in which the value of a set of key fields is the same for each packet in the stream.
Flow Record | A capture of information pertaining to a single flow within the NetFlow Cache based upon data type values supported by the NetFlow version format/template.
Inactive Flow Timer | A timer that determines how long a flow for which no packets are being received remains active.
NetFlow Cache | Contains the flow records for all currently active flows.
NetFlow Collector | A location where a condensed and detailed history of flow information that entered each NetFlow-enabled switch or router is archived for use by the NetFlow management application.
NetFlow Export | A transport mechanism that periodically (based upon a timer or the number of flows accumulated in the cache) sends NetFlow data from the cache to a NetFlow collector for data analysis.
NetFlow Export Packet | A packet of flow records or version 9 templates (or both) that is periodically sent to the NetFlow collector based upon an export criterion.
NetFlow Management Application | A Dragon Security Command Console (DSCC) or third-party software application(s) installed on the NetFlow collector, with client or browser access from a PC, capable of data reduction, monitoring, analysis, and/or troubleshooting specific to the purpose you are using NetFlow.
NetFlow Version | Primarily determines the data types supported and whether the format is fixed or in an extensible template.


NetFlow Version 5 Record Format


Table 4 provides a listing and description for the NetFlow version 5 header fields and data record format. The contents of these data fields are used by the collector software application for flow analysis. Data fields are identified in the data record packet sent by the network switch to the collector. The data records contain the values specified by the format.

Table 4 NetFlow Version 5 Template Header and Data Field Support

NetFlow Version 5 Header
Data Field | Support
count | Number of flows exported in this packet (1-30).
sys_uptime | Current time in milliseconds since the export device booted.
unix_secs | Current count of seconds since 0000 UTC 1970.
unix_nsecs | Residual nanoseconds since 0000 UTC 1970.
flow_sequence | Sequence counter of total flows seen.
engine_type | Type of flow-switching engine.
engine_id | Slot number of the flow-switching engine.
sampling_interval | First two bits hold the sampling mode; remaining 14 bits hold value of sampling interval.

NetFlow Version 5 Data Record Format
Data Field | Support
srcaddr | Source IP address of the device that transmitted the packet.
dstaddr | IP address of the destination of the packet.
nexthop | IP address of the next hop router.
input | SNMP index of input interface.
output | SNMP index of output interface.
dPkts | Number of packets in the flow.
dOctets | Total number of Layer 3 bytes in the packets of the flow.
first | SysUptime at start of flow.
last | SysUptime at the time the last packet of the flow was received.
srcport | TCP/UDP source port number or equivalent.
dstport | TCP/UDP destination port number or equivalent.
pad1 | Unused (zero) bytes.
tcp_flags | Cumulative OR of TCP flags.
prot | IP protocol type (for example, TCP = 6; UDP = 17).
tos | IP type of service (ToS).
src_as | Autonomous system number of the source, either origin or peer.
dst_as | Autonomous system number of the destination, either origin or peer.
src_mask | Source address prefix mask bits.
dst_mask | Destination address prefix mask bits.
pad2 | Unused (zero) bytes.
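The Version 5 layout just tabulated, as an added example (not code from Enterasys or from the original document): a Python decoder for a v5 export packet laid out per Table 4, a packet builder that constructs test input, the sampling_interval field split into its 2-bit mode and 14-bit rate, and a loss detector that keys the flow_sequence check on engine_id because, on the Matrix DFE, each module keeps its own sequence counter. The collector and exporter addresses, flows and sequence numbers are constructed; the 16-bit input/output indexes are left untranslated since the etsysNetFlowMIB mapping is not given on the page.

```python
import socket
import struct

# Wire layout of the fields listed in Table 4 (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")                  # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48 bytes
V5_HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                    "flow_sequence", "engine_type", "engine_id", "sampling_interval")
V5_RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                    "dOctets", "first", "last", "srcport", "dstport", "pad1",
                    "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                    "dst_mask", "pad2")


def parse_v5(data):
    """Decode one NetFlow v5 export packet into (header, records)."""
    if len(data) < V5_HEADER.size:
        raise ValueError("packet shorter than the v5 header")
    hdr = dict(zip(V5_HEADER_FIELDS, V5_HEADER.unpack_from(data, 0)))
    if hdr["version"] != 5:
        raise ValueError("not a NetFlow v5 packet (version %d)" % hdr["version"])
    if not 1 <= hdr["count"] <= 30:
        raise ValueError("record count out of range: %d" % hdr["count"])
    need = V5_HEADER.size + hdr["count"] * V5_RECORD.size
    if len(data) < need:
        raise ValueError("truncated packet: %d bytes, need %d" % (len(data), need))
    # sampling_interval: top two bits are the mode, low 14 bits the interval
    hdr["sampling_mode"] = hdr["sampling_interval"] >> 14
    hdr["sampling_rate"] = hdr["sampling_interval"] & 0x3FFF
    scale = hdr["sampling_rate"] or 1
    records = []
    for i in range(hdr["count"]):
        off = V5_HEADER.size + i * V5_RECORD.size
        rec = dict(zip(V5_RECORD_FIELDS, V5_RECORD.unpack_from(data, off)))
        for f in ("srcaddr", "dstaddr", "nexthop"):
            rec[f] = socket.inet_ntoa(rec[f])
        # rec["input"]/rec["output"] are 16-bit NetFlow interface indexes, not
        # MIB-2 ifIndex values, on a DFE exporter (see the export version text)
        rec["est_pkts"] = rec["dPkts"] * scale      # estimated totals when the
        rec["est_octets"] = rec["dOctets"] * scale  # exporter samples 1 in N
        records.append(rec)
    return hdr, records


def build_v5_packet(flows, flow_sequence, engine_id, sampling_rate=0,
                    sys_uptime=1800000, unix_secs=1204000000):
    """Construct a v5 packet from flow dicts (test input only, not an exporter)."""
    body = b"".join(V5_RECORD.pack(
        socket.inet_aton(f["srcaddr"]), socket.inet_aton(f["dstaddr"]),
        socket.inet_aton(f.get("nexthop", "0.0.0.0")), f["input"], f["output"],
        f["dPkts"], f["dOctets"], f["first"], f["last"], f["srcport"], f["dstport"],
        0, f.get("tcp_flags", 0), f["prot"], f.get("tos", 0), 0, 0, 0, 0, 0)
        for f in flows)
    hdr = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, flow_sequence,
                         0, engine_id, sampling_rate & 0x3FFF)
    return hdr + body


class SequenceTracker:
    """Detects lost export packets. flow_sequence counts flows, so the next packet
    from the same module should start at flow_sequence + count. The counter is per
    DFE module, so state is keyed by (exporter address, engine_id); keying on the
    exporter alone would report false gaps whenever two modules interleave."""

    def __init__(self):
        self.expected = {}

    def observe(self, exporter, hdr):
        key = (exporter, hdr["engine_id"])
        gap = hdr["flow_sequence"] - self.expected[key] if key in self.expected else 0
        self.expected[key] = hdr["flow_sequence"] + hdr["count"]
        return gap   # > 0: that many flow records never arrived


def demo():
    """Two DFE modules (engine IDs 1 and 2) exporting to one collector."""
    flows = [dict(srcaddr="10.1.1.5", dstaddr="10.2.2.9", input=3, output=7,
                  dPkts=180, dOctets=18000, first=0, last=1790000,
                  srcport=50123, dstport=443, prot=6, tcp_flags=0x18)]
    tracker, gaps = SequenceTracker(), []
    # (engine_id, flow_sequence) of successive packets as seen by the collector
    for engine, seq in [(1, 0), (2, 0), (1, 1), (1, 5)]:
        hdr, _ = parse_v5(build_v5_packet(flows, seq, engine))
        gaps.append(tracker.observe("192.0.2.10", hdr))
    return gaps   # [0, 0, 0, 3]: three flow records from module 1 were lost


if __name__ == "__main__":
    sample = dict(srcaddr="10.1.1.5", dstaddr="10.2.2.9", input=3, output=7, dPkts=180,
                  dOctets=18000, first=0, last=1790000, srcport=50123, dstport=443, prot=6)
    header, recs = parse_v5(build_v5_packet([sample], 0, 1, sampling_rate=100))
    print(header)
    print(recs[0])
    print("sequence gaps:", demo())
```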

NetFlow Version 9 Templates


Table 5 provides a listing and description for the NetFlow version 9 header fields and the four data record template types supported by the current implementation of NetFlow. The contents of these data fields are used by the collector software application for flow analysis. Data fields are identified in the template sent by the network switch to the collector. The data records contain the values specified in the template.

Table 5 NetFlow Version 9 Template Header and Data Field Support

NetFlow Version 9 Header
Data Field | Support
Format Version | 9
Flow Record Count | The total number of records in the export packet, which is the sum of the options flowset records, template flowset records, and data flowset records.
Sys Up Time | Time in milliseconds since this device was first booted.
Unix Seconds | Time in seconds since 0000 UTC 1970, at which the export packet leaves the exporter.
Flow Sequence Counter | Incremental sequence counter of all export packets sent from the exporter. This is an accumulative count that lets the collector know if any packets have been missed.
Source ID | Engine Type (1 = Line Card). Engine ID (one-based module slot number).

NetFlow Version 9 Data Record Fields (the four templates below are built from this set)
Data Field | Support
SIP | (Source) IP address of the device that transmitted the packet.
DIP | (Destination) IP address of the destination device.
Dest IfIndex | MIB-II 32-bit ID of the interface on which the packet was transmitted.
Source IfIndex | MIB-II 32-bit ID of the interface on which the packet was received.
Packet Count | The number of packets switched through this flow.
Byte Count | The number of bytes switched through this flow.
Start Time | sysUptime in msec at which the first packet of this flow was switched.
Last Time | sysUptime in msec at which the last packet of this flow was switched.
IP Protocol | IP protocol for this flow.
TOS | Type of service field value for this flow.
Next Hop Router | Specifies the BGP next-hop address.
L4 Source Port | TCP/UDP source port number (for example, FTP, Telnet, or equivalent).
L4 Dest Port | TCP/UDP destination port number (for example, FTP, Telnet, or equivalent).

Template 256, Switch ID: SIP, DIP, Dest IfIndex, Source IfIndex, Packet Count, Byte Count, Start Time, Last Time, IP Protocol, TOS.
Template 257, Next Hop ID: the Template 256 fields plus Next Hop Router.
Template 258, Switch ID with TCP/UDP: the Template 256 fields plus L4 Source Port and L4 Dest Port.
Template 259, Next Hop ID with TCP/UDP: the Template 257 fields plus L4 Source Port and L4 Dest Port.
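The template mechanism from Configuring NetFlow Export Version Refresh and the Template 258 field list of Table 5, as an added example that is not code from Enterasys or the original document: a minimal Python v9 collector that learns template flowsets per (source ID, template ID), decodes data flowsets against them, and drops data that arrives before the template, which is what a restarted collector sees until the exporter's next template refresh. The page gives only field names, so the RFC 3954 field type numbers and the per-field byte lengths of the constructed Template 258 are assumptions of this example, as are the source IDs, addresses and counters.

```python
import socket
import struct

V9_HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET_HDR = struct.Struct("!HH")     # flowset id, length in bytes including this header

# RFC 3954 type numbers for the Table 5 field names (assumed; the page lists names
# only) and a constructed (type, length) layout for Template 258.
FIELD_NAMES = {8: "SIP", 12: "DIP", 14: "Dest IfIndex", 10: "Source IfIndex",
               2: "Packet Count", 1: "Byte Count", 22: "Start Time", 21: "Last Time",
               4: "IP Protocol", 5: "TOS", 7: "L4 Source Port", 11: "L4 Dest Port",
               18: "Next Hop Router"}
IP_FIELDS = {8, 12, 18}
TEMPLATE_258 = [(8, 4), (12, 4), (14, 4), (10, 4), (2, 8), (1, 8), (22, 4), (21, 4),
                (4, 1), (5, 1), (7, 2), (11, 2)]


class V9Collector:
    """Keeps templates per (source_id, template_id) and decodes data flowsets."""

    def __init__(self):
        self.templates = {}
        self.flows = []
        self.dropped = 0   # data flowsets skipped because no template was known yet

    def receive(self, data):
        ver, count, uptime, secs, seq, source_id = V9_HEADER.unpack_from(data, 0)
        if ver != 9:
            raise ValueError("not a NetFlow v9 packet (version %d)" % ver)
        off = V9_HEADER.size
        while off + FLOWSET_HDR.size <= len(data):
            fs_id, fs_len = FLOWSET_HDR.unpack_from(data, off)
            if fs_len < FLOWSET_HDR.size or off + fs_len > len(data):
                raise ValueError("bad flowset length %d" % fs_len)
            body = data[off + FLOWSET_HDR.size:off + fs_len]
            if fs_id == 0:                  # template flowset
                self._learn_templates(source_id, body)
            elif fs_id >= 256:              # data flowset for template fs_id
                self._decode_data(source_id, fs_id, body)
            off += fs_len                   # id 1 (options template) is not used here
        return source_id, seq

    def _learn_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, off)
            off += 4
            fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields   # a refresh just overwrites

    def _decode_data(self, source_id, tid, body):
        tmpl = self.templates.get((source_id, tid))
        rec_len = sum(length for _, length in tmpl) if tmpl else 0
        if rec_len == 0:
            self.dropped += 1               # must wait for the template refresh
            return
        off = 0
        while off + rec_len <= len(body):   # leftover bytes are padding
            rec, pos = {"template": tid}, off
            for ftype, flen in tmpl:
                raw = body[pos:pos + flen]
                pos += flen
                name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                if ftype in IP_FIELDS and flen == 4:
                    rec[name] = socket.inet_ntoa(raw)
                else:
                    rec[name] = int.from_bytes(raw, "big")   # 32-bit ifIndex, 64-bit counters
            self.flows.append(rec)
            off += rec_len


def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return FLOWSET_HDR.pack(0, FLOWSET_HDR.size + len(body)) + body


def data_flowset(tid, fields, records):
    body = b""
    for rec in records:
        for ftype, flen in fields:
            v = rec[ftype]
            body += socket.inet_aton(v) if ftype in IP_FIELDS else v.to_bytes(flen, "big")
    body += b"\x00" * ((-len(body)) % 4)    # pad to a 4-byte boundary
    return FLOWSET_HDR.pack(tid, FLOWSET_HDR.size + len(body)) + body


def v9_packet(source_id, seq, flowsets):
    # constructed export packet; the count field is simply the number of flowsets here
    return V9_HEADER.pack(9, len(flowsets), 120000, 1204000000, seq, source_id) + b"".join(flowsets)


def demo():
    """A data flowset arriving before its template (collector just restarted) is
    dropped; decoding starts once that module's template refresh has arrived."""
    flow = {8: "10.1.1.5", 12: "10.2.2.9", 14: 70001, 10: 70003, 2: 180, 1: 18000,
            22: 0, 21: 1790000, 4: 6, 5: 0, 7: 50123, 11: 443}
    data = data_flowset(258, TEMPLATE_258, [flow])
    tmpl = template_flowset(258, TEMPLATE_258)
    c = V9Collector()
    c.receive(v9_packet(1, 1, [data]))          # no template yet: dropped
    c.receive(v9_packet(1, 2, [tmpl, data]))    # refresh: template, then data decodes
    c.receive(v9_packet(1, 3, [data]))
    c.receive(v9_packet(2, 4, [data]))          # second module: its template is still missing
    return c
```

The two dropped flowsets in demo() are exactly the window the refresh rate and timeout settings bound: a collector cannot decode a module's data records until that module's template has been seen.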


Revision History
Date | Description
January 16, 2008 | First Release.
February 26, 2008 | Modifications due to product branding changes.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

2008 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS MATRIX, ENTERASYS NETSIGHT, LANVIEW, WEBVIEW, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.
