NetFlow v8 i obsługa Aggregation Caches
W dużych sieciach z dużą ilością ruchu, ilość eksportowanych informacji może być na tyle spora, że zmuszeni będziemy do rozłożenia ich na większą ilość kolektorów. Jeśli jednak część z tych informacji nie jest nam potrzebna, to możemy spróbować zmniejszyć ilość ruchu w sieci, jaka generowana jest przez NetFlow i obciążenie kolektorów, poprzez ich wcześniejszą agregację.
Umożliwia to wersja 8. Kolektor może również posiadać funkcję agregacji danych, ale dzięki wersji 8, dochodzi do tego jeszcze przed ich eksportem. Wykorzystywane są do tego celu wcześniej wspomniane Aggregation Caches.
Aggregation Caches
Istnieje 12 predefiniowanych Aggregation Caches, ale tylko 11 z nich obsługuje eksport danych w wersji 8. Są to Aggregation Caches realizujące agregację w oparciu o kilka pól, jakie obsługiwane są przez wersję 5. Pole BGP Next-Hop zostało wprowadzone wraz z wersją 9.
R4# show ip cache flow aggregation ?
as AS aggregation cache
as-tos AS TOS aggregation cache
bgp-nexthop-tos BGP nexthop TOS aggregation cache
destination-prefix Destination Prefix aggregation cache
destination-prefix-tos Destination Prefix TOS aggregation cache
prefix Source/Destination Prefix aggregation cache
prefix-port Source/Destination Prefix port aggregation cache
prefix-tos Source/Destination Prefix TOS aggregation cache
protocol-port Protocol and port aggregation cache
protocol-port-tos Protocol, port, TOS aggregation cache
source-prefix Source Prefix aggregation cache
source-prefix-tos Source Prefix TOS aggregation cache
R4#
Pakiety NetFlow wersji 8 zawierają numer sekwencyjny, który rośnie per każdy przenoszony przepływ, podobnie jak jest to w wersji 5. W każdym pakiecie może być przenoszone do 30 zagregowanych przepływów. Lista zbieranych informacji, wraz z polami kluczowymi po których odbywa się agregacja, zostanie pokazana poniżej dla każdego z Aggregation Caches oddzielnie. We wcześniejszym artykule omówiliśmy, jak dobywa się konfiguracja parametrów związanych z czasami wygasania i ilością obsługiwanych wpisów w Aggregation Caches oraz kolektora, do którego będą wysyłane dane. Tutaj zajmiemy się pozostałymi parametrami.
W Aggregation Caches, które obsługują agregację danych w oparciu o prefiks (docelowy, źródłowy lub docelowy i źródłowy), można dodatkowo wskazać jego minimalną długość. Nie jest to konieczne. Kiedy nie ma określonej minimalnej długości, to dla wszystkich prefiksów brane są informacje z tablicy routingu. Jeśli jest określona minimalna długość, to dla prefiksów o krótszej długości informacje są odpowiednio agregowane do wskazanej długości.
Widać to w naszym przykładzie (warto wcześniej zapoznać się z topologią i adresacją wykorzystywanej sieci). We wszystkich pozostałych Aggregation Caches, nie ma żadnych dodatkowych opcji konfiguracji, poza tymi jakie zostały już omówione. Każdy z Aggregation Caches należy wcześniej włączyć poleceniem enabled.
W związku z tym, że do Aggregation Caches trafiają dane z Main Cache, wcześniej należy uruchomić zbieranie danych o przepływach z wejścia odpowiednich interfejsów. Przy czym, jeżeli interesuje nas tylko eksport zagregowanych danych, nie należy go konfigurować dla Main Cache.
Dla każdego z Aggregation Caches, który obsługuje eksport danych w wersji 8 został poniżej przedstawiony:
- sposób jego konfiguracji,
- sposób wyświetlenia jego zawartość,
- zrzut pakietu.
Zestawione poniżej dane wymagają spokojnej analizy. Do wyświetlenia zawartości Aggregation Caches korzystam z polecenia show ip cache verbose flow aggregation <>, a nie show ip cache flow aggregation <>, ze względu na chęć wyświetlenia wszystkich pól.
Zainteresowanych zbieraniem danych o ruchu oraz jego analizą zachęcamy do zapoznania się z Cisco Stealthwatch.
AS Aggregation Cache
Agregacja z użyciem źródłowego i docelowego BGP ASN.
R4(config)# ip flow-aggregation cache as
R4(config-flow-cache)# ?
Flow Aggregation Cache configuration commands:
cache Configure netflow cache parameters
default Set a command to its defaults
enabled Enable the aggreation cache
exit Exit from flow aggregation cache configuration mode
export Specify host/port to send flow statistics
help Description of the interactive help system
no Negate a command or set its defaults
R4(config-flow-cache)# export destination 10.246.4.91 9995
R4(config-flow-cache)# enabled
R4(config-flow-cache)# do show ip flow export
Flow export v1 is disabled for main cache
Version 1 flow records
Cache for as aggregation v8
VRF ID : Default
Destination(1) 10.246.4.91 (9995)
0 flows exported in 0 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
R4(config-flow-cache)#
R4# show ip cache verbose flow aggregation as
IP Flow Switching Cache, 278544 bytes
7 active, 4089 inactive, 680 added
14214 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
7 active, 1017 inactive, 680 added, 680 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Src If Src AS Dst If Dst AS Flows Pkts B/Pk Active
Gi0/0 65007 Gi0/2 65006 5 10 40 0.0
Gi0/0 0 Null 0 1 1 40 0.0
Gi0/2 0 Null 0 1 1 59 0.0
Gi0/0 0 Gi0/2 65006 37 73 99 2.4
Gi0/2 65006 Gi0/0 0 37 73 99 2.4
Gi0/1 65005 Gi0/0 0 37 73 99 6.6
R4#
AS-ToS Aggregation Cache
Agregacja z użyciem źródłowego i docelowego BGP ASN oraz pola ToS (DSCP).
R4(config)# ip flow-aggregation cache as-tos
R4(config-flow-cache)# ?
Flow Aggregation Cache configuration commands:
cache Configure netflow cache parameters
default Set a command to its defaults
enabled Enable the aggreation cache
exit Exit from flow aggregation cache configuration mode
export Specify host/port to send flow statistics
help Description of the interactive help system
no Negate a command or set its defaults
R4(config-flow-cache)# enabled
R4# show ip cache verbose flow aggregation as-tos
IP Flow Switching Cache, 278544 bytes
19 active, 4077 inactive, 945 added
17882 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
19 active, 1005 inactive, 945 added, 945 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Src If Src AS Dst If Dst AS TOS Flows Pkts B/Pk Active
Gi0/0 65007 Gi0/2 65006 00 5 10 40 0.0
Gi0/0 0 Null 0 C0 1 1 40 0.0
Gi0/2 0 Null 0 C0 1 1 59 0.0
Gi0/2 65006 Gi0/0 0 E0 12 24 100 0.0
Gi0/0 0 Gi0/2 65006 E0 12 24 100 0.0
Gi0/1 65005 Gi0/0 0 E0 12 24 100 0.0
Gi0/0 0 Gi0/1 65005 E0 12 24 100 0.0
Gi0/2 65006 Gi0/0 0 F8 6 12 100 0.0
Gi0/0 0 Gi0/2 65006 F8 6 12 100 0.0
Gi0/1 65005 Gi0/0 0 F8 6 12 100 0.0
Gi0/0 0 Gi0/1 65005 F8 6 12 100 0.0
Gi0/0 0 Gi0/2 65006 C0 13 25 97 2.4
Gi0/2 65006 Gi0/0 0 C0 13 25 97 2.4
Gi0/1 65005 Gi0/0 0 C0 13 25 97 6.6
Gi0/0 0 Gi0/1 65005 C0 13 25 97 6.6
Gi0/2 65006 Gi0/0 0 00 6 12 100 0.0
Gi0/0 0 Gi0/2 65006 00 6 12 100 0.0
Gi0/1 65005 Gi0/0 0 00 6 12 100 0.0
Gi0/0 0 Gi0/1 65005 00 6 12 100 0.0
R4#
Destination-Prefix Aggregation Cache
Agregacja z użyciem prefiksu docelowego.
R4(config)# ip flow-aggregation cache destination-prefix
R4(config-flow-cache)# mask ?
destination Configure the destination mask
R4(config-flow-cache)# mask destination ?
minimum Specify the minimum value for the mask
R4(config-flow-cache)# mask destination minimum ?
<1-32> Specify value for the mask
R4(config-flow-cache)# mask destination minimum 26
R4(config-flow-cache)# enabled
R4# show ip cache verbose flow aggregation destination-prefix
IP Flow Switching Cache, 278544 bytes
23 active, 4073 inactive, 704 added
13333 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
23 active, 1001 inactive, 704 added, 704 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Minimum destination mask is configured to /26
Dst If Dst Prefix Msk AS Flows Pkts B/Pk Active
Gi0/0 172.16.12.0 /26 0 3 3 40 14.3
Gi0/1 172.16.5.128 /26 65005 6 12 100 0.0
Gi0/1 172.16.5.64 /26 65005 6 12 100 0.0
Gi0/1 172.16.5.32 /27 65005 6 12 100 0.0
Gi0/1 172.16.5.0 /32 65005 2 2 40 14.3
Gi0/1 172.16.5.1 /32 65005 6 12 100 0.0
Gi0/1 172.16.5.8 /29 65005 6 12 100 0.0
Gi0/1 172.16.5.16 /28 65005 6 12 100 0.0
Local 10.246.255.4 /32 0 2 2 58 14.0
Gi0/0 172.16.7.0 /26 65007 2 2 44 0.0
Gi0/2 172.16.6.128 /26 65006 6 12 100 0.0
Gi0/2 172.16.6.64 /26 65006 6 12 100 0.0
Gi0/2 172.16.6.32 /27 65006 6 12 100 0.0
Gi0/2 172.16.6.0 /32 65006 3 5 40 10.2
Gi0/2 172.16.6.1 /32 65006 6 12 100 0.0
Gi0/2 172.16.6.8 /29 65006 6 12 100 0.0
Gi0/2 172.16.6.16 /28 65006 6 12 100 0.0
Local 10.246.34.4 /32 0 1 1 76 0.0
Gi0/0 172.16.2.8 /29 0 12 24 100 0.1
Gi0/0 172.16.2.16 /28 0 12 24 100 0.1
Gi0/0 172.16.2.32 /27 0 12 24 100 0.1
Gi0/0 172.16.2.1 /32 0 12 24 100 0.1
Gi0/0 172.16.2.64 /26 0 24 48 100 0.2
R4#
Destination-Prefix-ToS Aggregation Cache
Agregacja z użyciem prefiksu docelowego oraz pola ToS (DSCP).
R4(config)# ip flow-aggregation cache destination-prefix-tos
R4(config-flow-cache)# mask destination minimum 26
R4(config-flow-cache)# enabled
R4# show ip cache verbose flow aggregation destination-prefix-tos
IP Flow Switching Cache, 278544 bytes
60 active, 4036 inactive, 1297 added
26686 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
60 active, 964 inactive, 1297 added, 1297 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Minimum destination mask is configured to /26
Dst If Dst Prefix Msk AS TOS Flows Pkts B/Pk Active
Gi0/0 172.16.12.0 /26 0 C0 3 3 40 14.3
Gi0/1 172.16.5.32 /27 65005 C0 2 4 100 0.0
Gi0/1 172.16.5.16 /28 65005 F8 1 2 100 0.0
Gi0/1 172.16.5.8 /29 65005 E0 2 4 100 0.0
Gi0/1 172.16.5.16 /28 65005 E0 2 4 100 0.0
Gi0/1 172.16.5.8 /29 65005 F8 1 2 100 0.0
Gi0/1 172.16.5.0 /32 65005 C0 2 2 40 14.3
Gi0/1 172.16.5.1 /32 65005 C0 2 4 100 0.0
Gi0/1 172.16.5.1 /32 65005 F8 1 2 100 0.0
Gi0/1 172.16.5.32 /27 65005 E0 2 4 100 0.0
Gi0/1 172.16.5.8 /29 65005 C0 2 4 100 0.0
Gi0/1 172.16.5.16 /28 65005 C0 2 4 100 0.0
Gi0/1 172.16.5.1 /32 65005 E0 2 4 100 0.0
Gi0/1 172.16.5.32 /27 65005 F8 1 2 100 0.0
Gi0/1 172.16.5.64 /26 65005 E0 2 4 100 0.0
Gi0/1 172.16.5.64 /26 65005 F8 1 2 100 0.0
Gi0/1 172.16.5.128 /26 65005 00 1 2 100 0.0
Gi0/1 172.16.5.64 /26 65005 C0 2 4 100 0.0
Gi0/1 172.16.5.128 /26 65005 E0 2 4 100 0.0
Gi0/1 172.16.5.128 /26 65005 F8 1 2 100 0.0
Gi0/1 172.16.5.128 /26 65005 C0 2 4 100 0.0
Gi0/1 172.16.5.64 /26 65005 00 1 2 100 0.0
Gi0/1 172.16.5.32 /27 65005 00 1 2 100 0.0
Gi0/1 172.16.5.1 /32 65005 00 1 2 100 0.0
Gi0/1 172.16.5.8 /29 65005 00 1 2 100 0.0
Gi0/1 172.16.5.16 /28 65005 00 1 2 100 0.0
Local 10.246.255.4 /32 0 C0 2 2 58 14.0
Gi0/0 172.16.7.0 /26 65007 00 2 2 44 0.0
Gi0/2 172.16.6.32 /27 65006 C0 2 4 100 0.0
Gi0/2 172.16.6.16 /28 65006 F8 1 2 100 0.0
Gi0/2 172.16.6.8 /29 65006 E0 2 4 100 0.0
Gi0/2 172.16.6.16 /28 65006 E0 2 4 100 0.0
Gi0/2 172.16.6.8 /29 65006 F8 1 2 100 0.0
Gi0/2 172.16.6.1 /32 65006 C0 2 4 100 0.0
Gi0/2 172.16.6.1 /32 65006 F8 1 2 100 0.0
Gi0/2 172.16.6.32 /27 65006 E0 2 4 100 0.0
Gi0/2 172.16.6.8 /29 65006 C0 2 4 100 0.0
Gi0/2 172.16.6.16 /28 65006 C0 2 4 100 0.0
Gi0/2 172.16.6.1 /32 65006 E0 2 4 100 0.0
Gi0/2 172.16.6.32 /27 65006 F8 1 2 100 0.0
Gi0/2 172.16.6.64 /26 65006 E0 2 4 100 0.0
Gi0/2 172.16.6.64 /26 65006 F8 1 2 100 0.0
Gi0/2 172.16.6.128 /26 65006 00 1 2 100 0.0
Gi0/2 172.16.6.64 /26 65006 C0 2 4 100 0.0
Gi0/2 172.16.6.128 /26 65006 E0 2 4 100 0.0
Gi0/2 172.16.6.128 /26 65006 F8 1 2 100 0.0
Gi0/2 172.16.6.128 /26 65006 C0 2 4 100 0.0
Gi0/2 172.16.6.64 /26 65006 00 1 2 100 0.0
Gi0/2 172.16.6.32 /27 65006 00 1 2 100 0.0
Gi0/2 172.16.6.0 /32 65006 00 2 4 40 0.0
Gi0/2 172.16.6.1 /32 65006 00 1 2 100 0.0
Gi0/2 172.16.6.8 /29 65006 00 1 2 100 0.0
Gi0/2 172.16.6.16 /28 65006 00 1 2 100 0.0
Local 10.246.34.4 /32 0 C0 1 1 76 0.0
Gi0/0 172.16.2.1 /32 0 00 12 24 100 0.1
Gi0/0 172.16.2.64 /26 0 C0 12 24 100 0.1
Gi0/0 172.16.2.64 /26 0 E0 12 24 100 0.1
Gi0/0 172.16.2.8 /29 0 C0 12 24 100 0.1
Gi0/0 172.16.2.32 /27 0 F8 12 24 100 0.1
Gi0/0 172.16.2.16 /28 0 E0 12 24 100 0.1
R4#
Prefix Aggregation Cache
Agregacja z użyciem prefiksu źródłowego i docelowego.
R4(config)# ip flow-aggregation cache prefix
R4(config-flow-cache)# mask destination minimum 26
R4(config-flow-cache)# mask source minimum 26
R4(config-flow-cache)# enabled
R4# show ip cache verbose flow aggregation prefix
IP Flow Switching Cache, 278544 bytes
126 active, 3970 inactive, 2293 added
44052 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
126 active, 898 inactive, 2293 added, 2293 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Minimum source mask is configured to /26
Minimum destination mask is configured to /26
Src If Src Prefix Dst If Dst Prefix Flows Pkts
Msk AS Msk AS B/Pk Active
Gi0/0 172.16.2.1 Gi0/2 172.16.6.128 1 2
/32 0 /26 65006 100 0.0
Gi0/2 172.16.6.128 Gi0/0 172.16.2.1 1 2
/26 65006 /32 0 100 0.0
Gi0/2 172.16.6.128 Gi0/0 172.16.2.32 1 2
/26 65006 /27 0 100 0.0
Gi0/0 172.16.2.32 Gi0/2 172.16.6.128 1 2
/27 0 /26 65006 100 0.0
Gi0/0 172.16.2.16 Gi0/2 172.16.6.128 1 2
/28 0 /26 65006 100 0.0
Gi0/2 172.16.6.128 Gi0/0 172.16.2.16 1 2
/26 65006 /28 0 100 0.0
Gi0/0 172.16.2.8 Gi0/2 172.16.6.128 1 2
/29 0 /26 65006 100 0.0
Gi0/2 172.16.6.128 Gi0/0 172.16.2.8 1 2
/26 65006 /29 0 100 0.0
Gi0/2 172.16.6.64 Gi0/0 172.16.2.64 2 4
/26 65006 /26 0 100 0.0
Gi0/0 172.16.2.64 Gi0/2 172.16.6.64 2 4
/26 0 /26 65006 100 0.0
Gi0/2 172.16.6.128 Gi0/0 172.16.2.64 2 4
/26 65006 /26 0 100 0.0
Gi0/0 172.16.2.64 Gi0/2 172.16.6.128 2 4
/26 0 /26 65006 100 0.0
Gi0/2 172.16.6.8 Gi0/0 172.16.2.1 1 2
/29 65006 /32 0 100 0.0
Gi0/0 172.16.2.16 Gi0/2 172.16.6.32 1 2
/28 0 /27 65006 100 0.0
Gi0/0 172.16.2.32 Gi0/2 172.16.6.16 1 2
/27 0 /28 65006 100 0.0
Gi0/2 172.16.6.1 Gi0/0 172.16.2.8 1 2
/32 65006 /29 0 100 0.0
Gi0/0 172.16.2.8 Gi0/2 172.16.6.1 1 2
/29 0 /32 65006 100 0.0
Gi0/2 172.16.6.32 Gi0/0 172.16.2.16 1 2
/27 65006 /28 0 100 0.0
Gi0/2 172.16.6.16 Gi0/0 172.16.2.32 1 2
/28 65006 /27 0 100 0.0
Gi0/0 10.246.255.3 Local 10.246.255.4 1 1
/32 0 /32 0 40 0.0
Gi0/1 172.16.5.0 Gi0/0 172.16.12.0 2 2
/32 65005 /26 0 40 14.3
Gi0/0 172.16.12.0 Gi0/1 172.16.5.0 2 2
/26 0 /32 65005 40 14.3
Gi0/2 172.16.6.0 Gi0/0 172.16.7.0 2 2
/32 65006 /26 65007 44 0.0
Gi0/0 172.16.7.0 Gi0/2 172.16.6.0 2 4
/26 65007 /32 65006 40 0.0
Gi0/0 10.246.34.0 Local 10.246.34.4 1 1
/26 0 /32 0 76 0.0
R4#
Prefix-Port Aggregation Cache
Agregacja z użyciem prefiksu źródłowego i docelowego oraz pola numeru portu docelowego.
R4(config)# ip flow-aggregation cache prefix-port
R4(config-flow-cache)# mask destination minimum 26
R4(config-flow-cache)# mask source minimum 26
R4(config-flow-cache)# enabled
R4# show ip cache verbose flow aggregation prefix-port
IP Flow Switching Cache, 278544 bytes
10 active, 4086 inactive, 26078 added
216706 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Minimum source mask is configured to /26
Minimum destination mask is configured to /26
Src If Src Prefix Dst If Dst Prefix TOS Flows Pkts
Port Msk Port Msk Pr B/Pk Active
Gi0/2 172.16.46.0 Null 172.16.46.0 C0 1 2
6893 /26 00B3 /26 06 49 7.7
Gi0/0 10.246.255.2 Local 10.246.255.4 C0 1 1
00B3 /32 F621 /32 06 59 0.0
Gi0/0 172.16.7.0 Gi0/2 172.16.6.0 00 1 2
3566 /26 0016 /32 06 40 0.0
Gi0/1 172.16.45.0 Gi0/0 172.16.1.64 C0 1 1
007B /26 007B /26 11 76 0.0
Gi0/0 172.16.7.0 Gi0/2 172.16.6.0 00 1 2
935B /26 0016 /32 06 40 0.0
Gi0/0 172.16.7.0 Gi0/2 172.16.6.0 00 1 2
277A /26 0016 /32 06 40 0.0
Gi0/0 172.16.12.0 Gi0/2 172.16.6.0 C0 1 1
D354 /26 0016 /32 06 40 0.0
Gi0/0 172.16.7.0 Gi0/2 172.16.6.0 00 1 2
B7FF /26 0016 /32 06 40 0.0
Gi0/1 172.16.45.0 Null 172.16.45.0 C0 1 1
00B3 /26 ECD2 /26 06 59 0.0
Gi0/2 172.16.6.0 Gi0/0 172.16.12.0 C0 1 1
0016 /32 D354 /26 06 40 0.0
R4#
Prefix-ToS Aggregation Cache
Agregacji z użyciem prefiksu źródłowego i docelowego oraz pola ToS (DSCP).
R4(config)# ip flow-aggregation cache prefix-tos
R4(config-flow-cache)# mask destination minimum 26
R4(config-flow-cache)# mask source minimum 26
R4(config-flow-cache)# enabled
R4# show ip cache verbose flow aggregation prefix-tos
IP Flow Switching Cache, 278544 bytes
6 active, 4090 inactive, 2667 added
50018 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
6 active, 1018 inactive, 2667 added, 2667 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Minimum source mask is configured to /26
Minimum destination mask is configured to /26
Src If Src Prefix Dst If Dst Prefix TOS Flows Pkts
Msk AS Msk AS B/Pk Active
Gi0/0 10.246.255.2 Local 10.246.255.4 C0 1 1
/32 0 /32 0 59 0.0
Gi0/1 172.16.45.0 Null 172.16.45.0 C0 1 1
/26 0 /26 0 59 0.0
Gi0/0 172.16.7.0 Gi0/2 172.16.6.0 00 4 8
/26 65007 /32 65006 40 9.5
Gi0/1 172.16.5.0 Gi0/0 172.16.12.0 C0 1 1
/32 65005 /26 0 40 0.0
Gi0/0 172.16.12.0 Gi0/1 172.16.5.0 C0 1 1
/26 0 /32 65005 40 0.0
Gi0/1 172.16.45.0 Gi0/0 172.16.1.64 C0 1 1
/26 0 /26 0 76 0.0
R4#
Protocol-Port Aggregation Cache
Agregacja z użyciem protokołu oraz portu źródłowego i docelowego.
R4(config)# ip flow-aggregation cache protocol-port
R4(config-flow-cache)# ?
Flow Aggregation Cache configuration commands:
cache Configure netflow cache parameters
default Set a command to its defaults
enabled Enable the aggreation cache
exit Exit from flow aggregation cache configuration mode
export Specify host/port to send flow statistics
help Description of the interactive help system
no Negate a command or set its defaults
R4(config-flow-cache)# enabled
R4# show ip cache verbose flow aggregation protocol-port
IP Flow Switching Cache, 278544 bytes
15 active, 4081 inactive, 24059 added
190035 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Protocol Source Port Dest Port Flows Packets Bytes/Packet Active
0x01 0x0000 0x0000 72 144 100 0.2
0x06 0x0016 0x3566 1 1 44 0.0
0x06 0x00B3 0xF621 1 1 59 0.0
0x06 0x0016 0x935B 1 1 44 0.0
0x06 0x3566 0x0016 1 2 40 0.0
0x06 0x7EF6 0x0016 1 1 40 0.0
0x01 0x0000 0x0800 72 144 100 0.2
0x06 0x0016 0x7EF6 1 1 40 0.0
0x06 0x0017 0x4E0A 1 1 40 0.0
0x06 0x277A 0x0016 1 2 40 0.0
0x06 0x4E0A 0x0017 1 1 40 0.0
0x11 0x007B 0x007B 1 1 76 0.0
0x06 0x935B 0x0016 1 2 40 0.0
0x06 0xB7FF 0x0016 1 2 40 0.0
0x06 0x00B3 0xECD2 1 1 59 0.0
R4#
Protocol-Port-ToS Aggregation Cache
Agregacja z użyciem protokołu, portu źródłowego i docelowego oraz pola ToS (DSCP).
R4(config)# ip flow-aggregation cache protocol-port-tos
R4(config-flow-cache)# enabled
R4# show ip cache verbose flow aggregation protocol-port-tos
IP Flow Switching Cache, 278544 bytes
28 active, 4068 inactive, 24284 added
192976 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Prot Src If SrcPort Dst If DstPort TOS Flows Pkts B/Pk Active
0x01 Gi0/1 0000 Gi0/0 0000 00 6 12 100 0.0
0x01 Gi0/2 0000 Gi0/0 0000 00 6 12 100 0.0
0x01 Gi0/1 0000 Gi0/0 0000 C0 12 24 100 0.1
0x01 Gi0/2 0000 Gi0/0 0000 C0 12 24 100 0.0
0x01 Gi0/1 0000 Gi0/0 0000 E0 12 24 100 0.1
0x01 Gi0/2 0000 Gi0/0 0000 E0 12 24 100 0.0
0x01 Gi0/1 0000 Gi0/0 0000 F8 6 12 100 0.0
0x01 Gi0/2 0000 Gi0/0 0000 F8 6 12 100 0.0
0x06 Gi0/2 0016 Gi0/0 3566 00 1 1 44 0.0
0x06 Gi0/2 0016 Gi0/0 935B 00 1 1 44 0.0
0x06 Gi0/0 00B3 Null F621 C0 1 1 59 0.0
0x06 Gi0/0 3566 Gi0/2 0016 00 1 2 40 0.0
0x06 Gi0/0 7EF6 Gi0/1 0016 C0 1 1 40 0.0
0x01 Gi0/0 0000 Gi0/1 0800 00 6 12 100 0.0
0x01 Gi0/0 0000 Gi0/2 0800 00 6 12 100 0.0
0x06 Gi0/1 0016 Gi0/0 7EF6 C0 1 1 40 0.0
0x01 Gi0/0 0000 Gi0/1 0800 C0 12 24 100 0.1
0x01 Gi0/0 0000 Gi0/2 0800 C0 12 24 100 0.0
0x01 Gi0/0 0000 Gi0/1 0800 E0 12 24 100 0.0
0x01 Gi0/0 0000 Gi0/2 0800 E0 12 24 100 0.0
0x01 Gi0/0 0000 Gi0/1 0800 F8 6 12 100 0.0
0x01 Gi0/0 0000 Gi0/2 0800 F8 6 12 100 0.0
0x06 Gi0/2 0017 Gi0/0 4E0A C0 1 1 40 0.0
0x06 Gi0/0 277A Gi0/2 0016 00 1 2 40 0.0
0x06 Gi0/0 4E0A Gi0/2 0017 C0 1 1 40 0.0
0x06 Gi0/0 935B Gi0/2 0016 00 1 2 40 0.0
0x06 Gi0/1 00B3 Null ECD2 C0 1 1 59 0.0
0x06 Gi0/0 B7FF Gi0/2 0016 00 1 2 40 0.0
R4#
Source-Prefix Aggregation Cache
Agregacja z użyciem prefiksu źródłowego.
R4(config)# ip flow-aggregation cache source-prefix
R4(config-flow-cache)# mask source minimum 26
R4(config-flow-cache)# enabled
R4# show ip cache verbose flow aggregation source-prefix
IP Flow Switching Cache, 278544 bytes
23 active, 4073 inactive, 809 added
14491 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
23 active, 1001 inactive, 809 added, 809 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Minimum source mask is configured to /26
Src If Src Prefix Msk AS Flows Pkts B/Pk Active
Gi0/0 172.16.12.0 /26 0 2 2 40 4.1
Gi0/1 172.16.45.0 /26 0 2 2 67 4.7
Gi0/1 172.16.5.128 /26 65005 6 12 100 0.0
Gi0/1 172.16.5.64 /26 65005 6 12 100 0.0
Gi0/1 172.16.5.32 /27 65005 6 12 100 0.0
Gi0/1 172.16.5.0 /32 65005 1 1 40 0.0
Gi0/1 172.16.5.1 /32 65005 6 12 100 0.0
Gi0/1 172.16.5.8 /29 65005 6 12 100 0.0
Gi0/1 172.16.5.16 /28 65005 6 12 100 0.0
Gi0/0 10.246.255.2 /32 0 1 1 59 0.0
Gi0/0 172.16.7.0 /26 65007 4 8 40 9.5
Gi0/2 172.16.6.128 /26 65006 6 12 100 0.0
Gi0/2 172.16.6.64 /26 65006 6 12 100 0.0
Gi0/2 172.16.6.32 /27 65006 6 12 100 0.0
Gi0/2 172.16.6.0 /32 65006 3 3 42 1.1
Gi0/2 172.16.6.1 /32 65006 6 12 100 0.0
Gi0/2 172.16.6.8 /29 65006 6 12 100 0.0
Gi0/2 172.16.6.16 /28 65006 6 12 100 0.0
Gi0/0 172.16.2.8 /29 0 12 24 100 0.1
Gi0/0 172.16.2.16 /28 0 12 24 100 0.1
Gi0/0 172.16.2.32 /27 0 12 24 100 0.1
Gi0/0 172.16.2.1 /32 0 12 24 100 0.1
Gi0/0 172.16.2.64 /26 0 24 48 100 0.2
R4#
Source-Prefix-ToS Aggregation Cache
Agregacja z użyciem prefiksu źródłowego oraz pola ToS (DSCP).
R4(config)# ip flow-aggregation cache source-prefix-tos
R4(config-flow-cache)# mask source minimum 26
R4(config-flow-cache)# enabled
R4# show ip cache verbose flow aggregation source-prefix-tos
IP Flow Switching Cache, 278544 bytes
59 active, 4037 inactive, 1380 added
27800 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
59 active, 965 inactive, 1380 added, 1380 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Minimum source mask is configured to /26
Src If Src Prefix Msk AS TOS Flows Pkts B/Pk Active
Gi0/0 172.16.12.0 /26 0 C0 2 2 40 4.1
Gi0/1 172.16.5.32 /27 65005 C0 2 4 100 0.0
Gi0/1 172.16.5.16 /28 65005 F8 1 2 100 0.0
Gi0/1 172.16.5.8 /29 65005 E0 2 4 100 0.0
Gi0/1 172.16.5.16 /28 65005 E0 2 4 100 0.0
Gi0/1 172.16.5.8 /29 65005 F8 1 2 100 0.0
Gi0/1 172.16.5.0 /32 65005 C0 1 1 40 0.0
Gi0/1 172.16.5.1 /32 65005 C0 2 4 100 0.0
Gi0/1 172.16.5.1 /32 65005 F8 1 2 100 0.0
Gi0/1 172.16.5.32 /27 65005 E0 2 4 100 0.0
Gi0/1 172.16.5.8 /29 65005 C0 2 4 100 0.0
Gi0/1 172.16.5.16 /28 65005 C0 2 4 100 0.0
Gi0/1 172.16.5.1 /32 65005 E0 2 4 100 0.0
Gi0/1 172.16.5.32 /27 65005 F8 1 2 100 0.0
Gi0/1 172.16.5.64 /26 65005 E0 2 4 100 0.0
Gi0/1 172.16.5.64 /26 65005 F8 1 2 100 0.0
Gi0/1 172.16.5.128 /26 65005 00 1 2 100 0.0
Gi0/1 172.16.5.64 /26 65005 C0 2 4 100 0.0
Gi0/1 172.16.5.128 /26 65005 E0 2 4 100 0.0
Gi0/1 172.16.5.128 /26 65005 F8 1 2 100 0.0
Gi0/1 172.16.5.128 /26 65005 C0 2 4 100 0.0
Gi0/1 172.16.5.64 /26 65005 00 1 2 100 0.0
Gi0/1 172.16.5.32 /27 65005 00 1 2 100 0.0
Gi0/1 172.16.5.1 /32 65005 00 1 2 100 0.0
Gi0/1 172.16.5.8 /29 65005 00 1 2 100 0.0
Gi0/1 172.16.5.16 /28 65005 00 1 2 100 0.0
Gi0/0 172.16.7.0 /26 65007 00 4 8 40 9.5
Gi0/2 172.16.6.32 /27 65006 C0 2 4 100 0.0
Gi0/2 172.16.6.16 /28 65006 F8 1 2 100 0.0
Gi0/2 172.16.6.8 /29 65006 E0 2 4 100 0.0
Gi0/2 172.16.6.16 /28 65006 E0 2 4 100 0.0
Gi0/2 172.16.6.8 /29 65006 F8 1 2 100 0.0
Gi0/2 172.16.6.0 /32 65006 C0 1 1 40 0.0
Gi0/2 172.16.6.1 /32 65006 C0 2 4 100 0.0
Gi0/2 172.16.6.1 /32 65006 F8 1 2 100 0.0
Gi0/2 172.16.6.32 /27 65006 E0 2 4 100 0.0
Gi0/2 172.16.6.8 /29 65006 C0 2 4 100 0.0
Gi0/2 172.16.6.16 /28 65006 C0 2 4 100 0.0
Gi0/2 172.16.6.1 /32 65006 E0 2 4 100 0.0
Gi0/2 172.16.6.32 /27 65006 F8 1 2 100 0.0
Gi0/2 172.16.6.64 /26 65006 E0 2 4 100 0.0
Gi0/2 172.16.6.64 /26 65006 F8 1 2 100 0.0
Gi0/2 172.16.6.128 /26 65006 00 1 2 100 0.0
Gi0/2 172.16.6.64 /26 65006 C0 2 4 100 0.0
Gi0/2 172.16.6.128 /26 65006 E0 2 4 100 0.0
Gi0/2 172.16.6.128 /26 65006 F8 1 2 100 0.0
Gi0/2 172.16.6.64 /26 65006 00 1 2 100 0.0
Gi0/2 172.16.6.128 /26 65006 C0 2 4 100 0.0
Gi0/2 172.16.6.32 /27 65006 00 1 2 100 0.0
Gi0/2 172.16.6.0 /32 65006 00 4 4 44 9.5
Gi0/2 172.16.6.1 /32 65006 00 1 2 100 0.0
Gi0/2 172.16.6.8 /29 65006 00 1 2 100 0.0
Gi0/2 172.16.6.16 /28 65006 00 1 2 100 0.0
Gi0/0 172.16.2.1 /32 0 00 12 24 100 0.1
Gi0/0 172.16.2.64 /26 0 C0 12 24 100 0.1
Gi0/0 172.16.2.64 /26 0 E0 12 24 100 0.1
Gi0/0 172.16.2.8 /29 0 C0 12 24 100 0.1
Gi0/0 172.16.2.32 /27 0 F8 12 24 100 0.1
Gi0/0 172.16.2.16 /28 0 E0 12 24 100 0.1
R4#
Eksport danych z Aggregation Caches
Sposób konfiguracji eksportu danych NetFlow dla Main Cache oraz Aggregation Caches został już omówiony w pierwszym artykule. Poniżej możemy zobaczyć konfigurację eksportu dla każdego z Aggregation Caches, razem z informacją o ewentualnej minimalnej długości prefiksu, jeśli została ona skonfigurowana. Na końcu widać też ilość wysłanych łącznie do kolektora informacji. Należy pamiętać, iż każdy Aggregation Cache jest obsługiwany niezależnie i niezależnie w ramach każdego Aggregation Cache odbywa się numeracja przepływów.
R4# show ip flow export
Flow export v1 is disabled for main cache
Version 1 flow records
Cache for as aggregation v8
VRF ID : Default
Destination(1) 172.16.1.123 (9991)
Cache for protocol-port aggregation v8
VRF ID : Default
Destination(1) 172.16.1.123 (9992)
Cache for source-prefix aggregation v8
VRF ID : Default
Destination(1) 172.16.1.123 (9993)
Minimum source mask is configured to /26
Cache for destination-prefix aggregation v8
VRF ID : Default
Destination(1) 172.16.1.123 (9994)
Minimum destination mask configured to /26
Cache for prefix aggregation v8
VRF ID : Default
Destination(1) 172.16.1.123 (9995)
Minimum source mask is configured to /26
Minimum destination mask configured to /26
Cache for as-tos aggregation v8
VRF ID : Default
Destination(1) 172.16.1.123 (9996)
Cache for protocol-port-tos aggregation v8
VRF ID : Default
Destination(1) 172.16.1.123 (9997)
Cache for source-prefix-tos aggregation v8
VRF ID : Default
Destination(1) 172.16.1.123 (9998)
Minimum source mask is configured to /26
Cache for destination-prefix-tos aggregation v8
VRF ID : Default
Destination(1) 172.16.1.123 (9999)
Minimum destination mask configured to /26
Cache for prefix-tos aggregation v8
VRF ID : Default
Destination(1) 172.16.1.123 (9990)
Minimum source mask is configured to /26
Minimum destination mask configured to /26
Cache for prefix-port aggregation v8
VRF ID : Default
Destination(1) 172.16.1.123 (9989)
Minimum source mask is configured to /26
Minimum destination mask configured to /26
869 flows exported in 86 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
R4#
Jeśli chcemy wyłączyć wcześniej skonfigurowany Aggregation Cache, należy w jego konfiguracji zanegować polecenie enabled (jego konfiguracja pozostanie) lub całkiem zanegować wybrany Aggregation Cache w trybie konfiguracji globalnej (stracimy jego wcześniejszą konfigurację).
Zapraszamy do kontaktu drogą mailową This email address is being protected from spambots. You need JavaScript enabled to view it. lub telefonicznie +48 797 004 932.