
netflow and different flow

sarahr202
Level 5

Hi everybody

I am reading about NetFlow for my TSHOOT exam. I have a few questions as to what we consider a unique flow in the route cache.

H1-------ethernet----------R1.

H1 --> 199.199.199.1

R1----> 199.199.199.2.

We configured the following on R1:

int f0/0 (the interface connected to H1)

ip flow ingress

Also assume R1 has its inactive timer set to 500 seconds.

Let's say H1 telnets to R1,

then we exit the telnet.

Next we issue ping 199.199.199.2 on H1.

1) How many flows have been created?

Thanks


9 Replies

Reza Sharifi
Hall of Fame

Hi Sarah,

This may be a good doc to look at:

All packets with the same source/destination IP address, source/destination ports, protocol interface and class of service are grouped into a flow and then packets and bytes are tallied. This methodology of fingerprinting or determining a flow is scalable because a large amount of network information is condensed into a database of NetFlow information called the NetFlow cache.

Here is the link:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/prod_white_paper0900aecd80406232.html

HTH

Reza

Giuseppe Larosa
Hall of Fame

Hello Sarah,

If R1 is a router, the answer is 2 different flows, as the L4 information is different (TCP to port 23, ICMP).

However, if R1 were a C6500 the answer could be 2 or 1, depending on the IP flow mask configured on the device.

For the TSHOOT exam the answer should be 2 (same IP addresses involved but different L4 information).

Hope to help

Giuseppe

Thanks Giuseppe and Reza.

I apologize for late reply.

Please consider the following example:

R1---ethernet---R2

R1 199.199.199.1

R2 199.199.199.2

We configure R2 as:

int f0/0 (the interface connected to R1)

ip flow ingress

On R1, we issue "ping 199.199.199.2"

Then we issue "traceroute 199.199.199.2"

Does R2 have two flows in its cache?

My understanding is based on the following link, I quoted from it below:

http://en.wikipedia.org/wiki/Netflow

A network flow can be defined in many ways. Cisco standard NetFlow version 5 defines a flow as an unidirectional sequence of packets that all share the following 7 values:

    Ingress interface (SNMP ifIndex)

    Source IP address

    Destination IP address

    IP protocol

    Source port for UDP or TCP, 0 for other protocols

    Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols

    IP Type of Service

So in the IP header, the protocol field specifies an "ICMP" payload. Up to this point ping and traceroute appear to be the same, i.e. they share the same attributes in the IP header.

But the ICMP payload has an ICMP header which has a type field. For ping, this type field has a value of 8, while for traceroute it will have the value of 30.

1) Based on the above, R2 should have two flows, i.e. one for ping, the other for traceroute.

Is my understanding correct?

===========================================================

2) I am trying to understand: if we have two IP packets that are both received on the same interface, say f1/1, and forwarded out f1/2 by a router, let's call them p1 and p2.

p1 and p2 have all the same IP header attributes, but the payload in the IP header is different, as described below:

p1 contains ICMP type value 3 but code value 7

p2 contains ICMP type value 3 but code value 8

Will the router consider these two packets as part of the same flow or different flows?

thanks and have a great day.

Hello Sarah,

Flow inspection is not performed up to application layer.

So for case 2)

>>p1 contains icmp type value 3 but code value 7

>>p2 contains icmp type value 3 but code value 8

these packets are classified in a single flow

Let's go back to case 1)

>>On R1, We issue " ping 199.199.199.2"

>>Then We issue " traceroute 199.199.199.2"

In this case the OSI layer 4 information is different:

1.a "ping 199.199.199.2": ICMP echo request -> ICMP, IP protocol 2

1.b "traceroute 199.199.199.2": the traceroute probe in the Cisco implementation is a UDP packet with TTL=1 and a high UDP port > 30000

see

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6057.shtml#traceroute

see the packet trace

Jan 20 16:42:48.611: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 28,
 sending
Jan 20 16:42:48.615:     UDP src=39911, dst=33434   >>> traceroute UDP probe
Jan 20 16:42:48.635: IP: s=12.0.0.2 (Serial0), d=12.0.0.1 (Serial0), len 56,
 rcvd 3
Jan 20 16:42:48.639:     ICMP type=11, code=0  >>>> ICMP reply to traceroute originator

So they are classified as different flows for the different L4 information

Hope to help

Giuseppe

Thanks Giuseppe.

Show ip cache flow

Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
ICMP                 3      0.0         3    68      0.0       1.1      15.4
Total:               3      0.0         3    68      0.0       1.1      15.4

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr  SrcP DstP  Pkts
Fa0/1         100.100.100.2   Fa0/0         199.199.199.10  01 0000 0000     7
Fa0/1         200.200.200.1   Fa0/0         199.199.199.10  01 0000 0B00     3

The output above shows different fields such as SrcIf, SrcIPaddress, DstIf, protocol, SrcP, DstP.

If two packets share the same value for all the fields shown above, then those packets are part of the same flow.

SrcP means source port (referring to the UDP or TCP port).

DstP means destination port (referring to the UDP or TCP port).

But in the case of an ICMP payload in the IP packet, DstP is used to denote the type and code of ICMP.

The first 8 rightmost bits indicate the ICMP type in hex; the last 8 bits show the code.

For example:

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Fa0/1 100.100.100.2 Fa0/0 199.199.199.10 01 0000 0000 7

Above, DstP 0000 indicates type 0 and code 0.

Another example:

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Fa0/1 200.200.200.1 Fa0/0 199.199.199.10 01 0000 0B00 3

Above, DstP 0B00 indicates type 11 (0B in hex) and code 0 (00 in hex).

The question is: if we have two IP packets carrying an ICMP payload with all the fields such as SrcIf, SrcIPaddress, DstIf, protocol, SrcP the same but with different DstP values, will they be considered part of the same flow or different flows?

If they are considered part of different flows, then let's revisit the 2nd case I posted earlier. I quoted it below:

>>p1 contains icmp type value 3 but code value 7

>>p2 contains icmp type value 3 but code value 8

Assuming these two packets have all identical fields such as SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP,

then these two packets will be part of different flows because their DstP values will be different.

p1 will have DstP 0307

p2 will have DstP 0308.

Is my observation correct?

Thanks, Giuseppe, for your help and patience.

You have a great day.

===========================

Hello Sarah,

>> Is my observation correct?

Yes, it is, absolutely: as your tests show, the ICMP header fields type and code are placed in the 16-bit DstPort in flow classification; as a result, two ICMP packets with different type/code are classified into two different flows.

Hope to help

Giuseppe

Thanks Giuseppe.

When I was reading about CEF for switch exam, I also read about multilayer switching using cached flow.

With a better understanding as to what a flow is and how different packets can generate different flows or the same flow, I want to ask one more question.

Let's say we are performing multilayer switching using a router and a layer 2 switch.

Is it true that every time the switch receives a packet, it will check its cache to determine if the packet received is part of an existing flow or a different flow, the switch doing that using the same criteria we have discussed on this thread? Once the switch determines the packet is not part of an existing flow, it will send it to the router, and later a new flow is cached at the switch.

Thanks and have a great day.

Hello Sarah,

Flow-based multilayer switching is the past; flow-based MLS was done on C6500 Sup1, C4500 in Hybrid Mode (CatOS on the L2 switch, IOS on the MSFC on C6500, RSFC on C4500, an on-board router on a stick with an internal trunk between the L2 supervisor and the daughter routing engine).

Having said this, the flow classification for flow-based MLS could be different (based on the flow mask, see below): with the default flow mask it was based only on the destination address of the packet, with the MLS cache caching the action of the router on the first packet of the flow to emulate the packet rewrite action on the next packets of the same flow.

Flow-based MLS was traffic driven; CEF MLS is topology based.

Flow based MLS has the concept of flow mask:

The definition of a flow could be based on:

destination-IP: based only on the destination address (default flow mask)

source-destination-IP: based on the IP SA / IP DA pair (required if standard ACLs are present on the L3 interfaces of the MLS router)

IP-flow (required if extended ACLs are configured on the L3 interfaces of the MLS router)

The IP-flow mode is the one closest to NetFlow flow classification: it includes L4 information (protocol and protocol ports).

I have checked the CCNP Switching book, first edition, in paper edition (took it from the shelf).

Hope to help

Giuseppe
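The following is an added Python example, not code from the thread or from Cisco: it keys constructed packets the way the NetFlow v5 seven-value flow definition quoted earlier does (with ICMP type and code packed into DstP exactly as the "show ip cache flow" output above displays them, e.g. 0B00), and also keys the same packets under the three flow-based MLS flow masks listed in this post, so the telnet, ping and p1/p2 cases from the thread can be counted under each scheme. The packet dicts, addresses and ifIndex are constructed for the example.

```python
from collections import Counter

ICMP, TCP, UDP = 1, 6, 17

def l4_ports(pkt):
    """(SrcP, DstP) as NetFlow v5 records them: TCP/UDP ports as-is; for
    ICMP the type goes in the high byte of DstP and the code in the low
    byte, so type 11 code 0 prints as 0B00 in 'show ip cache flow'."""
    if pkt["proto"] in (TCP, UDP):
        return pkt["sport"], pkt["dport"]
    if pkt["proto"] == ICMP:
        return 0, (pkt["icmp_type"] << 8) | pkt["icmp_code"]
    return 0, 0  # other protocols: both ports recorded as 0

def netflow_v5_key(pkt):
    """The seven values every packet of one NetFlow v5 flow shares."""
    return (pkt["in_if"], pkt["src"], pkt["dst"], pkt["proto"],
            *l4_ports(pkt), pkt.get("tos", 0))

def mls_flow_key(pkt, mask="destination-ip"):
    """Flow-based MLS key under the three flow masks named in the thread."""
    if mask == "destination-ip":
        return (pkt["dst"],)
    if mask == "source-destination-ip":
        return (pkt["src"], pkt["dst"])
    if mask == "ip-flow":
        return (pkt["src"], pkt["dst"], pkt["proto"], *l4_ports(pkt))
    raise ValueError("unknown flow mask: " + mask)

def flow_table(packets, keyfn=netflow_v5_key):
    """Packets per flow, like the Pkts column of 'show ip cache flow'."""
    return Counter(keyfn(p) for p in packets)

def dstp_hex(pkt):
    """DstP column as 'show ip cache flow' prints it (4 hex digits)."""
    return "%04X" % l4_ports(pkt)[1]

def mk_pkt(proto, **l4):
    # Constructed packet H1 (199.199.199.1) -> R1 (199.199.199.2), ingress ifIndex 1
    return dict(in_if=1, src="199.199.199.1", dst="199.199.199.2", proto=proto, **l4)

# Constructed traffic: a telnet session, then a ping, then two ICMP
# destination-unreachable messages differing only in code (the p1/p2 case).
SAMPLE = ([mk_pkt(TCP, sport=40001, dport=23)] * 4
          + [mk_pkt(ICMP, icmp_type=8, icmp_code=0)] * 5
          + [mk_pkt(ICMP, icmp_type=3, icmp_code=7),
             mk_pkt(ICMP, icmp_type=3, icmp_code=8)])
```

flow_table(SAMPLE) yields four NetFlow flows (telnet, ping, and one per ICMP code), while flow_table(SAMPLE, mls_flow_key) collapses them to a single flow under the default destination-IP mask.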

Thanks Giuseppe.

Just curious, what are some commonly used NetFlow collectors? I am thinking of setting up a lab to practice NetFlow.

Have a great day.
