How to Get NetFlow from Cisco 3750s and Other Non-NetFlow Enabled Devicesand Other Non NetFlow Enabled Devices

Joe BuchananSystem Engineer Manager

www.lancope.com

Network Flow Collection

NetFlow Fields

src and dst IPInternet

src and dst port

start time

end time

packet count

byte count

...

NetFlowPackets

StealthWatchFlow CollectorFlow Collector

Flow Monitoring Dual Benefit to IT

Network Team Security TeamNetwork TeamhInterface Utilization

Z T ffi

Security TeamhBehavior-based IDS

PTP fil h i d t tihZone TraffichService Traffic

hPTP file sharing detectionWorm and Malware propagation detection

hQOS MonitoringhASN Monitoring

propagation detectionhNetwork Acceptable Use

policy enforcementASN MonitoringhIntra-site monitoringhMPLS i ibilit

p yhAttack context and 3rd

party correlationhMPLS visibility

p y

Flow monitoring dual benefit to IT

Network Team Security TeamhInterface UtilizationhZone Traffic

yhBehavior-based IDShPTP file sharing detectionhZone Traffic

hService TraffichPTP file sharing detection

Worm and Malware propagation detection

hQOS MonitoringhASN Monitoring

hNetwork Acceptable Use policy enforcementg

hIntra-site monitoringhMPLS visibility

hAttack context and 3rd

party correlationhMPLS visibility

NetFlow = Visibility

Traditional SNMPSNMP

NetFlow Reporting

NetFlow = Visibility

NetFlow Supported Devices

Cisco 800 Cisco 1900Cisco 2800Cisco 1700

N t S t d

Huawei Quidway

Cisco 2900

Cisco 3750

Not Supported

Juniper Networks

Cisco 7200 VXRCisco 7600

Cisco 3900Cisco 7200 VXR

Nortel Networks

Cisco Nexus 7000Cisco XR 12000Cisco Catalyst 6500

Cisco Nexus 7000Cisco XR 12000

How to Troubleshoot with NetFlow: An Example

How to Troubleshoot with NetFlow: An Example

How to Troubleshoot with NetFlow: An Example

How to Troubleshoot with NetFlow: An Example

How to Troubleshoot with NetFlow: An Example

How to Troubleshoot with NetFlow: An Example

The Layer-2 Visibility Problem

NetFlowCollector

FlowSensor(NetFlow Enabled)

NetFlowNetFlow

Catalyst 6500(NetFlow Enabled)Catalyst 3750

(No NetFlow)( )

How to Gain NetFlow From Your 3750

• FlowSensor AE• Light-weight, cost-effective 1U network

appliance

• Collects Ethernet frames andStealthWatch

Flow Collectorexports NetFlow v9

• Monitor up to (5) 3750s simultaneously

Works withNetFlow

FlowSensor

• Works withany NetFlow v9 capable flow collector

Model Capacity Disk InterfacesAE-1000 1 Gbps 73GB 3 or 5

AE-2000 2.5 Gbps 160GB 3 or 5

How to Measure Performance Between Hosts

SRCIP DSTIP PROTO DPORT SPORT PKTS BYTES RTT SRT ...

TCP 80 5749 73 9,092 65ms 230ms ...,

TCP 5749 80 103 78,020 65ms 230ms ...

StealthWatchStealthWatchFlowSensor

SPAN

RTTround trip time across the networksame as “ping” output

SRTtime it takes the server to process a request

Capturing NetFlow Per 3750 Link

FlowSensor capture portFlowSensor capture portSPAN interface description

Capturing NetFlow Per 3750 Link

Capturing Netflow Per 3750 Link

10G Monitoring with Stackable FlowSensors

10GFlowSensor

AE-2000

5.0G

7.5GFlowSensor

AE-2000

2.5G

5.0G

16x 1G

Fl S

2.5G

N tFl

2.5G

Ethernetloadbalancer vendors...

StealthWatchFl C ll t

FlowSensorAE-2000

2.5G

NetFlow

FlowSensorAE-2000

2.5G

Flow Collector

FlowSensor VE (Virtual Edition)

• Lightweight, virtual appliance for

• Captures and records all VM2VM communications within the virtual

VMware ESX 3.5 and 4.0

co u cat o s t t e tuanetwork environment

• Exports NetFlow v9

• FREE to download and try(visit lancope.com to register and download)

VMware Server

StealthWatchFlow

CollectorNetFlow

StealthWatch NetFlow Replicator

• Dedicated NetFlow replication appliance

• Designed to copy and redistribute flows of NetFlow packets based on a rule-set that you define

O i i l UDP IP d l d i d• Original UDP source IP and payload is preserved

• Simple, easy to configure, web-based, 1U network appliance

• “Promiscuous Mode” allows installation without changing NetFlow export IPs

• Search “Replicator” on NetFlow Ninjas blog for more infohttp://netflowninjas.typepad.com/blog/2009/09/stealthwatch-flow-replicator-holy-cow-this-thing-is-popular.html

NetFlowNetFlo

StealthWatchFlow Replicator

NetFlow NetFlowNetFlow

Flow Replicator

In Summary

Flow-based technologies provide unrivaled scale and cost effectiveness in large enterprise environments

NetFlow is not just for netops, its value extends across all IT from compliance auditing to helpdesk support

Enable NetFlow on as many devices as you can to maximize visibility the more Enable NetFlow on as many devices as you can to maximize visibility, the more the better

NetFlow is ideal for monitoring port dense datacenters and large distributed WAN NetFlow is ideal for monitoring port dense datacenters and large distributed WAN environments. No probes are required.

NetFlow 101 Boot Camp

22 New Cities in 2010!Event site: http://lancope.com/news/events/netflowseminar.aspx

Minneapolis, MNFebruary 17, 2010

Washington DCJuly, 22, 2010

Atlanta, GA February 25, 2010

Phoenix, AZ August 5, 2010

Hartford CT Chicago ILHartford, CTMarch 11, 2010

Chicago, IL August 12, 2010

Toronto, ON March 18, 2010

Cleveland, OH August 19, 2010

New York, NY April 1 2010

San Francisco, CA September 2 2010April 1, 2010 September 2, 2010

Houston, TX April 8, 2010

Pittsburgh, PA September 16, 2010

Denver, CO April 15, 2010

Charlotte, NC September 30, 2010

Baltimore, MD May 13, 2010

Boston, MA October 7, 2010

Seattle, WA May 20, 2010

Los Angeles, CA October 21, 2010

San Jose CA New York NYSan Jose, CA June 3, 2010

New York, NY November 11, 2010

Dallas, TX July 7, 2010

Miami, FLDecember 9, 2010

Thank You

J B hJoe BuchananSystem Engineer Manager

www lancope comwww.lancope.com