Flow Export

NetFlow exports data in UDP datagrams

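A flow export packet is generated when an active flow entry is aged out of the flow cache, and it is sent to the flow analyzer.

The number of flows carried in one NetFlow V5 export packet is 30.

A NetFlow V5 export packet can be up to 1500 bytes long (when the export packet contains 30 flows).

Up to 30 flows can be sent in a single UDP datagram of approximately 1500 bytes.

Both V5 and v9 carry a maximum of 30 flows.

      The four flow aging rules:

The routing device checks the cache once per second and ages out entries as follows:

The routing device checks the NetFlow cache once per second and expires the flow in the following instances: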

Transport is completed (TCP FIN or RST).

The flow cache has become full.

When the cache is full, the oldest flow is evicted. This also happens often, especially once the cache reaches tens of thousands of flows.

The inactive timer has expired after 15 seconds of traffic inactivity.

The active timer has expired after 30 minutes of traffic activity.
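The four aging rules above, written as a small flow-cache simulation (an added example, not code from the original notes or from any vendor; the `FlowCache` class, its method names and the traffic in `demo()` are constructed for illustration). It shows that a long-lived connection or a full cache produces an export record before the conversation ends, so an analyst must stitch several records for the same flow key.

```python
from collections import OrderedDict
INACTIVE_TIMEOUT = 15          # seconds of traffic inactivity (from the page)
ACTIVE_TIMEOUT = 30 * 60       # seconds of traffic activity (from the page)
MAX_FLOWS_PER_EXPORT = 30      # flows per export datagram (from the page)
TCP_FIN, TCP_RST = 0x01, 0x04  # TCP header flag bits

class FlowCache:               # hypothetical name, illustration only
    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.flows = OrderedDict()   # key -> state, oldest entry first
        self.expired = []            # (key, reason) awaiting export
    def packet(self, key, now, tcp_flags=0):
        if key not in self.flows:
            if len(self.flows) >= self.max_entries:  # cache full: evict oldest
                oldest, _ = self.flows.popitem(last=False)
                self.expired.append((oldest, "cache-full"))
            self.flows[key] = {"first": now, "last": now, "done": False}
        flow = self.flows[key]
        flow["last"] = now
        flow["done"] |= bool(tcp_flags & (TCP_FIN | TCP_RST))
    def tick(self, now):             # the once-per-second cache check
        for key, flow in list(self.flows.items()):
            if flow["done"]:
                reason = "tcp-fin-rst"
            elif now - flow["last"] >= INACTIVE_TIMEOUT:
                reason = "inactive"
            elif now - flow["first"] >= ACTIVE_TIMEOUT:
                reason = "active"
            else:
                continue
            del self.flows[key]
            self.expired.append((key, reason))
    def export(self):                # drain into batches of at most 30 flows
        queue, self.expired = self.expired, []
        return [queue[i:i + MAX_FLOWS_PER_EXPORT]
                for i in range(0, len(queue), MAX_FLOWS_PER_EXPORT)]

def demo():                          # constructed traffic, one flow per rule
    cache = FlowCache(max_entries=3)
    cache.packet("long", 0)
    cache.packet("closed", 0, TCP_FIN)
    cache.packet("idle", 0)
    for now in range(1, ACTIVE_TIMEOUT + 1):
        if now % 10 == 0:
            cache.packet("long", now)    # keeps the flow active
        cache.tick(now)
    for key in ("x", "y", "z", "w"):     # fourth new flow overflows the cache
        cache.packet(key, ACTIVE_TIMEOUT + 1)
    return dict(cache.expired)
```

`demo()` returns the expiry reason recorded for each constructed flow, and `export()` groups whatever has expired into lists of at most 30 entries, one list per export datagram.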


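    Main advantages of NetFlow

NetFlow collection is inexpensive to deploy and easy to install.

NetFlow is very well suited to large networks.

The flows recorded by NetFlow contain rich information, which makes them very well suited to network performance analysis.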

 

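            Advantages of NetFlow over SNMP, RMON and DPI (deep packet inspection)

RMON and DPI cannot be deployed at large scale.

SNMP cannot extract traffic characteristics; SNMP is more concerned with device status.

RMON and DPI cannot provide accurate end-to-end traffic information.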

 

            Cisco support for NetFlow

Standard IOS images all support V5.

                        NetFlow version 9 export format is supported in Release 12.2(18)SXF and later.

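Egress capture (collection of outbound flows) depends on the features of the specific device.

The Cisco 4500 series requires an add-on daughter card (NetFlow Services Card, WS-F4531).

In the Catalyst series, NetFlow support differs between engine versions (version 7 is involved).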

 

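            Flow support on Huawei devices

The NE series and NE-E series (40E, 80E, etc.) support NetStream.

The S series requires an add-on NetStream collection card.

Some H3C devices support NetFlow.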

 

            IP Flow Information Export (IPFIX)

Cisco IOS NetFlow Version 9 was chosen for a proposed IETF standard called IP Flow Information Export (IPFIX) in 2003.

NetFlow version 9 is now on the IETF standards track in the IP Flow Information Export (IPFIX) working group.

The standardized part of V9 currently covers only the IP part. The rest (BGP, MPLS, multicast, IPv6, AD) is still implemented by each vendor in its own way and has not become a standard.

NetFlow Version 9 is now the protocol of choice for the IETF IP Flow Information Export (IPFIX) WG and the IETF Packet Sampling WG (PSAMP).