Network Application and User Monitoring

NetFlow data enables you to view detailed, time and application based usage of a network. This information allows you to plan and allocate network and application resources, and provides for extensive near real-time network monitoring capabilities. It can be used to display traffic patterns and application-based views. NetFlow provides proactive problem detection and efficient troubleshooting, and it facilitates rapid problem resolution. You can use NetFlow information to efficiently allocate network resources and to detect and resolve potential security and policy violations.

Network Analysis and Planning

You can use NetFlow to capture data for extended periods of time, which enables you to track network utilization and anticipate network growth and plan upgrades. NetFlow service data can be used to optimize network planning, which includes peering, backbone upgrades, and routing policy planning. It also enables you to minimize the total cost of network operations while maximizing network performance, capacity, and reliability. NetFlow detects unwanted WAN traffic, validates bandwidth and quality of service (QoS) behavior, and enables the analysis of new network applications. NetFlow offers valuable information that you can use to reduce the cost of operating the network.

Denial of Service and Security Analysis

You can use NetFlow data to identify and classify in real time denial of service (DoS) attacks, viruses, and worms. Changes in network behavior indicate anomalies that are clearly reflected in NetFlow data. The data is also a valuable forensic tool that you can use to understand and replay the history of security incidents.

Accounting and Billing

NetFlow data provides fine-grained metering for highly flexible and detailed resource utilization accounting. For example, flow data includes details such as IP addresses, packet and byte counts, timestamps, and information about type of service (ToS) and application ports. Service providers might utilize the information for billing based on time-of-day, bandwidth usage, application usage, or QoS. Enterprise customers might utilize the information for departmental charge-back or cost allocation for resource utilization.

Traffic Engineering

NetFlow provides autonomous system (AS) traffic engineering details. You can use NetFlow-captured traffic data to understand source-to-destination traffic trends. This data can be used for load-balancing traffic across alternate paths or for forwarding traffic along a preferred route. NetFlow can measure the amount of traffic crossing peering or transit points. You can use the data to help you decide if a peering arrangement with other service providers is fair and equitable.

NetFlow Data Storage and Data Mining

NetFlow data can be stored for later retrieval and analysis in support of marketing and customer service programs. For example, the data can be mined to find out which applications and services are being used by internal and external users and target the users for improved service and advertising. In addition, NetFlow data gives market researchers access to the who, what, where, and how long information relevant to enterprises and service providers.

Cisco 7200/7500/7400/MGX/AS5850

Although NetFlow functionality is included in all software images for these platforms, you must purchase a separate NetFlow feature license. NetFlow licenses are sold on a per-node basis.

Other Routers

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn . You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Security

SCTP contains several built-in features to counter many common security threats such as the syn-flood type of DoS attack.

SCTP uses the following techniques to resist flooding attacks:

• A four-way start-up handshake is used to ensure that anyone opening an association is a genuine caller, rather the someone performing a 'syn-flood' type of DoS attack.

• Cookies are used to defer commitment of resources at the responding SCTP node until the handshake is completed.

• Verification Tags are used to prevent insertion of extraneous packets into the flow of an established association.

Reliability Options

SCTP allows data to be transmitted between two end-points (a router running NetFlow SCTP export and a collector that is receiving and acknowledging the SCTP messages) in a reliable manner. In addition to the default behavior of full reliability, SCTP can be configured for partially-reliable or unreliable transmission for applications that do not require full reliability.

When SCTP is operating in full reliability mode, it uses a selective-acknowledgment scheme to guarantee the ordered delivery of messages. The SCTP protocol stack buffers messages until their receipt has been acknowledged by the receiving end-point. (collector). SCTP has a congestion control mechanism that can be used to limit how much memory is consumed by SCTP for buffering packets.

If a stream is specified as unreliable, then the packet is simply sent once and not buffered on the exporter. If the packet is lost enroute to the receiver, the exporter cannot retransmit it.

When a stream is specified as partially-reliable a limit is placed on how much memory should be dedicated to storing un-acknowledged packets. The limit on how much memory should be dedicated to storing unacknowledged packets is configurable by means of the buffer-limit limit command. If the limit on how much memory should be dedicated to storing unacknowledged packets is exceeded and the router attempts to buffer another packet, the oldest unacknowledged packet is discarded. When SCTP discards the oldest unacknowledged packet, a message called a forward-tsn (transmit sequence number) is sent to the collector to indicate that this packet will not be received. This prevents NetFlow from consuming all the free memory on a router when a situation has arisen which requires many packets to be buffered, for example when SCTP is experiencing long response times from an SCTP peer connection.

When SCTP is operating in partially reliable mode, the limit on how much memory should be dedicated to storing un-acknowledged packets should initially be set as high as possible. The limit can be reduced if other processes on the router begin to run out of memory. Deciding on the best value for the limit involves a trade-off between avoiding starving other processes of the memory that they require to operate and dropping SCTP messages that have not been acknowledged by the collector.

Unreliable SCTP can be used when the collector that you are using doesn’t support UDP as a transport protocol for receiving NetFlow export datagrams and you do not want to allocate the resources on your router required to provide reliable, or partially reliable, SCTP connections.

Congestion Avoidance

SCTP uses congestion avoidance algorithms that are similar to those for TCP. An SCTP end-point advertises the size of its receive window (rWnd) to ensure that a sender cannot flood it with more messages than it can store in its input queues.

Each SCTP sender also maintains a congestion window (cWnd), which determines the number of unacknowledged packets that can be outstanding at a given time. SCTP uses the same 'slow-start' algorithm as TCP, in which it starts with a small cWnd and gradually increases it until it reaches its optimum size.

Whenever a packet isn't acknowledged within the given timeout period, the value of cWnd is halved. This method of congestion avoidance is known as added increase / multiplicative decrease and has been shown to be the most effective congestion avoidance algorithm in most circumstances.

SCTP also employs the fast-retransmit algorithm whereby it retransmits a message if it receives acknowledgments from four messages which were sent after the message in question. This is preferable to waiting for the timeout period to elapse and triggering a retransmit of the message.

Options for Backup Collectors

You can configure a backup collector for SCTP. It is used as a message destination in the event that the primary collector becomes unavailable. When connectivity with the primary collector has been lost, and a backup collector is configured, SCTP begins using the backup collector. The default period of time that SCTP waits until it starts using the backup collector is 25 milliseconds (msec). You can configure a different value for interval with the fail-over time command.

The router sends periodic SCTP heartbeat messages to the SCTP collectors that you have configured. The router uses the SCTP heartbeat message acknowledgements from the collectors to monitor the status of each collector. This allows an application, such as NetFlow, to be quickly informed when connectivity to a collector is lost.

You can configure SCTP backup in fail-over or redundant mode. When the router is configured with SCTP backup in fail-over mode, the router waits to activate the association with the backup collector until the router has not received acknowledgements for the SCTP heartbeat messages from the primary collector for the time specified by the fail-over time command (or the default of 25 msec if this parameter has not been modified).

Note	SCTP retransmits messages that have not been acknowledged three times. The router will initiate fail-over after three retransmissions of the same message are not acknowledged by the primary collector.

When the router is configured with SCTP backup in redundant mode, the router activates the association with the backup collector immediately, and if NetFlow v9 export is configured the router sends the (options) templates in advance. The router will not start sending other SCTP messages to a backup collector in redundant mode until the router has not received acknowledgments for the SCTP heartbeat messages from the primary collector for the time specified by the fail-over time command. Fail-over mode is the preferred method when the backup collector is on the end of an expensive lower-bandwidth link such as ISDN.

During the time that SCTP is using the backup collector, SCTP continues to try to restore the association with the primary collector. This goes on until connectivity is restored or the primary SCTP collector is removed from the configuration.

When connectivity to the primary collector is available again, the router waits for a period of time before reverting to using it as the primary destination. You configure the value of the period of time that SCTP waits until reverting to the primary collector with the restore-time time command. The default period of time that SCTP waits until it reverts to the primary collector is 25 sec.

Under either fail-over mode any records which have been queued between losing connectivity with the primary destination and establishing the association with the backup collector might be lost. A count is maintained of how many records were lost. It can be viewed with the show ip flow export sctp verbose command.

To avoid a flapping SCTP association with a collector (the SCTP association goes up and down in quick succession), the time period configured with the restore-time time command should be greater than the period of a typical connectivity problem. For example, your router is configured to use IP fast convergence for its routing table and you have a LAN interface that is going up and down repeatedly (flapping). That causes the IP route to the primary collector to be added and removed from the routing table repeatedly (route flapping) every 2000 msec (2 sec). you need to configure the restore time for a value greater than 2000 msecs.

The backup connection uses stream 0 for sending templates, options templates, and option data record. The data stream(s) inherit the reliability settings of the primary connection.

Export to Multiple Collectors

You can configure your networking device to export NetFlow data to a maximum of two export destinations (collectors) per cache (main and aggregation caches), using any combination of UDP and SCTP. A destination is identified by a unique combination of hostname or IP address and port number or port type. The table below shows examples of permitted multiple NetFlow export destinations for each cache.

The most common use of the multiple-destination feature is to send the NetFlow cache entries to two different destinations for redundancy. Therefore, in most cases the second destination IP address is not the same as the first IP address. The port numbers can be the same when you are configuring two unique destination IP addresses. If you want to configure both instances of the command to use the same destination IP address, you must use unique port numbers. You receive a warning message when you configure the two instances of the command with the same IP address. The warning message is, "%Warning: Second destination address is the same as previous address <ip-address>".

SCTP Support For Export Formats

SCTP based reliable transport is available for all NetFlow export formats: Versions 1, 5, 8 and 9.