1. 1 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, Technical, 9/04 Cisco Internal Use Only CISCO IOS IP SERVICE LEVEL AGREEMENTS: TECHNICAL OVERVIEW TOM ZINGALE INTERNET TECHNOLOGIES DIVISION SEPTEMBER 2004

2. 2 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Cisco IOS IP Service Level Agreement: A New Direction Cisco solution that assures IP service levels, proactively verifies network operation, and accurately measures network performance Comprehensive hardware support Committed Cisco partner support Cisco IOS Software, the world’s leading network infrastructure software Access Enterprise Backbone Enterprise Premise Edge Service Provider Aggregation Edge Service Provider Core Enterprise and Small Medium Business Understand Network Performance & Ease Deployment Verify Service Levels Verify Outsourced SLAs Measure and provide SLAs Service Providers Cisco IOS Software

3. 3 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential The Need for IP-Based Service Levels 1 2003 Infonetics Research Study “Cost of Enterprise Downtime” www.infonetics.com/services/green.shtml?2004/service.provider.and.user.plans.shtml 2 2003 Network World Application Performance Market Study www.nwfusion.com 3 Forrester Research www.forrester.com PROBLEMRESULT 40% of companies delay launching new applications due to network performance concerns 2 Reduced business productivity 59% of companies simply add bandwidth to ensure application efficiency 2 Increased network costs 55% of companies only identify some of their network traffic 2 Reduced understanding of network behavior Cost of application downtime and degradation is $13,000 per minute for an ERP application 3 Lowered network performance can be costly

4. 4 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Cisco IOS IP SLA Benefits Measurements and Metrics Proactive Automated Intelligence Continuous Predictable Reliable OPTIMIZED APPLICATIONS & SERVICES REDUCED TOTAL COST OF OWNERSHIP AND OpEx Performance visibility Prove service levels Enhance Customer satisfaction Enhance acceptance of business- critical services Reduce deployment time Lower mean time to restore and downtime Proactive identification of issues enforces higher reliability

5. 5 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Fine tune and optimize Ongoing measurements to understand behavior with proactive notification Baseline network performance Verify network readiness for new services with Cisco IOS IP SLA capabilities. Quantify results Reduce deployment time Prove service and application differentiation Verify service levels Reduce network down time Manage demand for the network Understand network performance baseline Confidence to deploy new IP services and applications Assure application and service deployment 1 2 3 4 Cisco IOS IP SLAs Life Cycle

6. 6 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Latency Network Jitter Dist. of Stats Connectivity Packet Loss FTPDNSDHCPTCPJitterICMPUDPDLSWHTTP Network Performance Monitoring Service Level Agreement(SLA)MonitoringNetworkAssessment Multiprotocol Label Switching (MPLS) MonitoringVoIPMonitoring Availability Trouble Shooting Protocols Measurement Metrics Applications IP Server MIB Data Active Generated Traffic to measure the network Destination Source Defined Packet Size, Spacing COS and Protocol IP Server Responder LDPH.323SIPRTP IP SLA Cisco IOS Software IP SLA Cisco IOS Software IP SLA Cisco IOS Software Example: Multi-Protocol Measurement and Management with Cisco IOS IP SLAs RadiusVideo

7. 7 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Cisco 800 Series Cisco 1700 1800 Series Cisco 3700 3800Series Cisco 2600 2800 Series Cisco 7300 Series Cisco Catalyst 6500; Cisco 7600 Series Cisco 10000 Series Cisco 12000 Series Cisco 7200 Series Enterprise & Aggregation/Edge Cisco IOS Software Release 12.2S Cisco 2900, 3550, & 3750 Series Cisco 7200 & 7300 Series Comprehensive Hardware Support Access Core Cisco IOS Software Releases 12.3T and 12.4

8. 8 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential SLA Verification and Management Access router may be managed or unmanaged Data typically provided by the service provider for the customer includes availability, QoS, and Jitter SLAs Service Provider needs visibility in the Customer Edge, in order to commit to SLAs Enterprise will verify SP SLAs by using access router edge to edge measurements Enterprise may provide restricted Simple Network Management Protocol (SNMP) (RTT, Latency, QoS) visibility into Access router for Service Provider Service Provider with restricted access can report SLA as a service back to the enterprise

9. 9 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Network Monitoring Cisco IOS IP SLA answers the following question: What is the jitter, latency, or packet loss between any two points in the network? IP Services can be simulated by specifying various packet sizes, ports, class of service, packet spacing, and measurement frequencies Uni-directional and highly accurate measurements Measurements per class of service to validate service differentiation for data, voice, and video Cisco IOS IP SLA will identify an edge to edge network performance baseline and allow the user to understand trends and anomalies from the baseline

10. 10 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential IP Network Readiness Network assessment tool built into Cisco IOS Software Simulate IP Services and verify how well they will work in the network How well is QoS working in the network pre- deployment Post deployment continued verification of network performance per IP service

11. 11 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Availability Monitoring Cisco IOS IP SLA uses proactive monitoring for periodic, reliable, and continuous availability measurements Connectivity measurements from Cisco router to router or Cisco router to server Threshold notifications when end point is not available What is the availability of a Network File System (NFS) server used to store business critical data from a remote site ? Cisco IOS IP SLA UDP active measurement to specific server ports is used to test remote site to server connectivity If server is unavailable, then traps can notify the network management system

12. 12 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Troubleshooting with Cisco IOS IP SLA Proactive notification of problems and issues based on threshold alerts Testing edge to edge consistently and reliability will save time in finding and pin pointing network performance problem areas Secondary activation of path operation (ie: path jitter) or activation of operations at a higher frequency to isolate and verify problem areas in the network

13. 13 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Cisco IOS IP SLA Source and Responder Source Router Cisco IOS Software router that sends data from operation Cisco IOS Software may or may not be the target Some operations require the target to run the IP SLA responder Stores results in MIB Responder Responds to IP SLA packets at destination User defined UDP/TCP ports IP SLA Control Protocol MD 5 Authentication Accurate measurements

14. 14 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Responder The Responder takes 2 Timestamps (T2 & T3) Source Router Responder Target Router T1 T4 T3 T2  = T3 - T2 Responder factors out destination processing time making results highly accurate Responder allows for one-way measurements for latency, jitter, packet loss, and MOS

15. 15 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential *DATA TRAFFIC *VoIP *SERVICE LEVEL AGREEMENT *AVAILABILITY **STREAMING VIDEO REQUIREMENT Minimize Delay, Packet Loss Verify Quality of Service (QoS) Minimize Delay, Packet Loss, Jitter Measure Delay, Packet Loss, Jitter One-way Connectivity testing Minimize Delay, Packet Loss IP SLA MEASURMENT Jitter Packet loss Latency per QoS Jitter Packet loss Latency MOS Voice Quality Score Jitter Packet loss Latency One-way Enhanced accuracy NTP Connectivity tests to IP devices Jitter Packet loss Latency Cisco IOS IP SLAs Uses and Metrics * Currently available **Limited availability in 9/04; complete in CY’05

16. 16 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Reaction Trigger to Events Can send SNMP traps for certain “triggering” events: Connection Loss and Timeout Round Trip Time Threshold Average Jitter Threshold Unidirectional packet loss, latency, jitter, MOS Scores Can trigger another IP SLA operation for further analysis Threshold Violation Threshold violation No Alert 100 ms 50 ms Time Alert Resolution Threshold Violation Trigger Immediate Consecutive X of Y times Average Exceeded Cisco IOS IP SLA Reaction Conditions 16 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, Technical, 9/04 Cisco Internal Use Only

17. 17 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Availability

18. 18 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential THIRD PARTY PRODUCTS Cisco Network Management Solution Cisco IP Solution CenterMPLS VPN and SLA Monitoring Internetworking Performance MonitorEnterprise performance measurements Cisco IOS IP SLA Partners

19. 19 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Cisco IOS IP SLA Performance with Infrastructure 2: CPU Load by Hardware Operations/ Second Operations/ Minute Cisco 2600 Series Cisco 2620XM Series Cisco 3640 Series Cisco 3725 Router Cisco 7200VXR NPE225 4240147624 8480208933 1272029121323 1696035151733 20120041192223 24144048242533 28168056272833 32192063283124 36216067313523 402400343837 442640384348 482880424758 5231204649510 5633604843611 6036005258611 *Jitter operations are activated sequentially with this testing. Each operation sends 10 packets, 64 bytes each with 20ms spacing Jitter probe Versus Release 12.3(3) 2,000 active probes

20. 20 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Operations per second Operations per minute Cisco 831 Router Cisco 837 Router Cisco 1751 Router 42407103 848013168 1272023 10 16960293017 201200333422 241440353627 28168041 29 321920474632 362160525035 402400575639 44264062 43 482880666548 523120726853 563360767159 603600817562 Cisco IOS IP SLA Performance Infrastructure 2: CPU Load by Hardware Jitter probe Release 12.3(4)T6 IP Plus/Firewall/3DES 2,000 active probes

21. 21 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Cisco IOS IP SLA VoIP Measurements Q1CY’05 Headquarters Data Center Seattle Sales Office LA San Jose Sales Office New York Sales Office Boston Call Manager Cluster ClevelandDetroit Gatekeeper Responder Registration Delay Discovery Delay Post Dial Delay H323 or SIP

22. 22 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Digital Signal Processor Based IP SLA Measurements (Q3CY’05) Call Control IP Server DSP Responder RTP IP SLA RTP IP SLA Cisco IOS IP SLA RTP Operation Data VoIP Active (test call) measurements using Real-time Transport Protocol (RTP) streams Voice quality scores and voice metrics from the Digital Signal Processor (DSP) VoIP Metrics

23. 23 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential New IOS IP SLA CLI The new IOS IP SLA CLI releases Q1CY05 in 12.3(RLS6)T Phase 1 changes include new syntax for commands and new show commands New show commands: “show ip sla statistics” and “ show ip sla statistics details” Older show commands will be deprecated over time and replaced with the new show commands The RTR keyword was changed to IP SLA Monitor in CLI The new syntax is used in the presentation. The old syntax before 12.3(pi6)T is shown in the Appendix OLD CLI Router (config)#rtr 1 Router (config-rtr)#type echo protocol ipIcmpEcho 1.1.1.1 Router (config)#rtr schedule 1 start-time now New CLI Router (config)#ip sla monitor 1 Router (config-sla-monitor)#icmp-echo 1.1.1.1 Router (config)#ip sla monitor schedule 1 start-time now

24. 24 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential New Cisco IOS IP SLA Show Commands Q1CY’05 Jitter operation “show ip sla monitor statistics (details)” Router#sh ip sla monitor statistics 15 Round trip time (RTT) Index 15 Latest RTT: 1 ms Latest operation start time: *05:43:28.720 UTC Fri May 28 2004 Latest operation return code: OK RTT Values Number Of RTT: 10 RTT Min/Avg/Max: 1/1/1 ms Latency one-way time milliseconds Number of one-way Samples: 0 Source to Destination one way Latency Min/Avg/Max: 0/0/0 ms Desination to source one way Latency Min/Avg/Max: 0/0/0 ms Jitter time milliseconds Number of Jitter Samples: 9 Source to Destination Jitter Min/Avg/Max: 20/20/23 ms Destination to Source Jitter Min/Avg/Max: 0/0/0 ms Packet Loss Values Loss Source to Destination: 0 Loss Destination to Source: 0 Out Of Sequence: 0 Tail Drop: 0 Packet Late Arrival: 0 Number of successes: 1 Number of failures: 0 Operation time to live: 3567 sec

25. 25 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential New Cisco IOS IP SLA Show Commands Q1CY’05 Jitter operation “show ip sla monitor statistics details” Round trip time (RTT) Index 2004 Latest RTT: 1 ms Latest operation start time: *08:41:09.937 PST Wed Oct 6 2004 Latest operation return code: OK Over thresholds occurred: FALSE RTT Values Number Of RTT: 10 RTT Min/Avg/Max: 1/1/1 ms Latency one-way time: Number of Latency one-way Samples: 0 Source to Destination Latency one way Min/Avg/Max: 0/0/0 ms Destination to Source Latency one way Min/Avg/Max: 0/0/0 ms Source to Destination Latency one way Sum/Sum2: 0/0 Destination to Source Latency one way Sum/Sum2: 0/0 Jitter time: Number of Jitter Samples: 9 Source to Destination Jitter Min/Avg/Max: 0/0/0 ms Destination to Source Jitter Min/Avg/Max: 0/0/0 ms Source to destination positive jitter Min/Avg/Max: 0/0/0 ms Source to destination positive jitter Number/Sum/Sum2: 0/0/0 Source to destination negative jitter Min/Avg/Max: 0/0/0 ms Source to destination negative jitter Number/Sum/Sum2: 0/0/0 Destination to Source positive jitter Min/Avg/Max: 0/0/0 ms Destination to Source positive jitter Number/Sum/Sum2: 0/0/0 Destination to Source negative jitter Min/Avg/Max: 0/0/0 ms Destination to Source negative jitter Number/Sum/Sum2: 0/0/0 Interarrival jitterout: 0 Interarrival jitterin: 0

26. 26 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Cisco IOS IP SLA Multiple Operations Scheduling (Release 12.3(8)T) Schedule multiple operations in one command Scalable and sequential activation of IP SLA operations If the frequency is not specified, the default frequency will be the same as that of the schedule period) Reduced load on the network Consistent monitoring coverage Router (config)#ip sla monitor 1 Router (config-sla-monitor)#type echo protocol ipIcmpEcho 1.1.1.1 Router (config)# ip sla monitor 2 Router (config-sla-monitor)#type echo protocol ipIcmpEcho 2.2.2.2 Router (config)# ip sla monitor 3 Router (config-sla-monitor)#type echo protocol ipIcmpEcho 3.3.3.3 Router (config)# ip sla monitor group schedule 1 1-3 sch 20 start now Router #show ip sla monitor group schedule

27. 27 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Cisco IOS IP SLA Random Scheduler Enhancement Release 12.4(Rls1)T will introduce the following functionality: Randomness for group scheduler during schedule period Randomness for the frequency of the operations, which are started by random group scheduler

28. 28 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Cisco IOS IP SLA Accuracy Feature High performance and high accuracy measurements Precision to.1 ms from current 1ms Improve Cisco IOS IP SLA accuracy under forwarding load and for dedicated routers Release 12.3(RLS6)T will introduce this functionality in Q1CY’05

29. 29 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential FeatureReleaseTarget Date Release 12.3T Features MOS and ICPIF Scores12.3(4)TNovember 2003 One way latency, jitter, packet loss and MOS Traps12.3(7)TMarch 2003 Multi-Operation Scheduler – Ease of scheduling12.3(8)TJune 2003 Post Dial and Gatekeeper Delays with SIP and H32312.3(pi-6)TQ1CY’05 High accuracy enhancement12.3(pi-6)TQ1CY’05 Ease of use CLI12.3(pi-6)TQ1CY’05 Release 12.4T Features Ease of use CLI Phase 212.4(pi-1)TQ2CY’05 Random scheduler for operations12.4(pi-1)TQ2CY’05 Voice gateway integration VoIP measurement using DSP12.4(pi-2)TQ3CY’05 Ease of use CLI Phase 312.4(pi-2)TQ3CY’05 Video operation12.4(pi-2)TQ3CY’05 Radius response operation12.4(pi-2)TQ3CY’05 Release 12.2S Features IP SLA: Auto MPLS VPN Monitoring12.2(Rls6)SQ1CY’05 IP SLA: Auto MPLS VPN Monitoring with ECMP12.2(Rls7)SQ3CY’05 IP SLA: Auto MPLS Monitoring with VCCV12.2(Rls8)SRadar IP SLA: Auto MPLS Monitoring with BFD12.2(Rls8)SRadar IP SLA MulticastRadar Auto IP SLA MonitoringRadar IP SLA with DMVPNRadar ICMP JitterRadar IP SLA High AvailabilityRadar Embedded Event Manager (EEM) DetectorRadar Cisco IOS IP Service Level Agreement Roadmap

30. 30 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential NetFlow

31. 31 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Enable NetFlow Traffic Traditional Export & Collector NetFlow Export Packets GUI New SNMP MIB Interface SNMP Poller Source IP address Destination IP address Source port Destination port Layer 3 protocol type TOS byte (DSCP) Input logical interface (ifIndex) Flow Is Defined By Seven Unique Keys 31 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS NetFlow Overview, 2/04

32. 32 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential NetFlow Cache Example 1.Create and update flows in NetFlow cache SrclfSrclPaddDstlfDstlPaddProtocolTOSFlgsPkts Src Port Src Msk Src AS Dst Port Dst Msk Dst AS NextHop Bytes/ Pkt ActiveIdle Fa1/0173.100.21.2Fa0/010.0.227.121180101100000A2/24500A2/241510.0.23.2152817454 Fa1/0173.100.3.2Fa0/010.0.227.126400249115/2619615/241510.0.23.274041.51 Fa1/0173.100.20.2Fa0/010.0.227.121180101000000A1/2418000A1/241510.0.23.214281145.53 Fa1/0173.100.6.2Fa0/010.0.227.126400221019/3018019/241510.0.23.2104024.514 Inactive timer expired (15 sec is default) Active timer expired (30 min (1800 sec) is default) NetFlow cache is full (oldest flows are expired) RST or FIN TCP Flag 2.Expiration SrclfSrclPaddDstlfDstlPaddProtocolTOSFlgsPkts Src Port Src Msk Src AS Dst Port Dst Msk Dst AS NextHop Bytes/ Pkt ActiveIdle Fa1/0173.100.21.2Fa0/010.0.227.121180101100000A2/24500A2/241510.0.23.2152818004 3.Aggregation 4.Export version 5.Transport protocol e.g. Protocol-Port Aggregation Scheme Becomes Aggregated Flows—Export Version 8 or 9 Export Packet Payload (Flows) Non-Aggregated Flows—Export Version 5 or 9 Yes No ProtocolPktsSrcPortDstPortBytes/Pkt 111100000A2 1528 Heade r

33. 33 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Principle Netflow Benefits Service Provider Enterprise Internet access monitoring (protocol distribution, where traffic is going/coming) User Monitoring Application Monitoring Charge Back billing for departments Security Monitoring Internet access monitoring (protocol distribution, where traffic is going/coming) User Monitoring Application Monitoring Charge Back billing for departments Security Monitoring Peering arrangements Network Planning Traffic Engineering Accounting and billing Security Monitoring Peering arrangements Network Planning Traffic Engineering Accounting and billing Security Monitoring

34. 34 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Tracking Users Who are the top users? How long are the users on the network? What Internet sites do they use? Where do the users go on the network? What percentage of traffic do they use? What applications do they use? What are the user usage patterns?

35. 35 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential NetFlow for Security: Flow Information Helps Mitigate Attacks Identify the attack Count the Flows Inactive flows signal a worm attack Classify the attack Small size flows to same destination What is being attacked and origination of attack Key Partners: Arbor Networks, Protego, NetQos, Adlex

36. 36 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Capacity Planning Capacity planning is the process of determining the network resources required to prevent a performance or availability impact on business-critical applications Key areas to monitor Application usage Identify which applications consume bandwidth Who are the top ten nodes that consume bandwidth Output data circuit forecasts Current network utilization and capacity being used

37. 37 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Billing IP Accounting and Billing Usage-based billing considerations Time of day Within or outside of the network Application Distance-based Quality of Service (QoS) / Class of Service (CoS) Bandwidth usage Transit or peer Data transferred Traffic class

38. 38 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential How Cisco IT uses NetFlow Characterize IP traffic and account for how and where it flows Total Avoidance of SQL Slammer Worm Transition from Managed DSL service to Internet VPN Detection of Unauthorized WAN Traffic Reduction in Peak WAN Traffic Validation of QoS Parameters and BW allocation Analysis of VPN Traffic and Tele-Commuter Behavior Calculating Total Cost of Ownership for Applications Use of NetFlowNMS and Usage Security Monitoring Network traffic analysis by application with BGP. Anomaly detection Arbor Networks WAN Aggregation and Edge Network traffic analysis by application, for capacity planning using NetQOS Core routers and Nat Gateway Collection of historical data, useful for forensics and diagnostics with Flow Tools

39. 39 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Cisco 800 Series Cisco 1700 Series Cisco 3700 Series Cisco 2600 Series Cisco 7300 Series Cisco Catalyst 6500; Cisco 7600 Series Cisco 10000 Series ASIC Cisco 12000 Series ASIC Cisco 7200 Series Cisco 4500 Series ASIC Cisco IOS Software Releases 12.3T & 12.4 Enterprise & Aggregation/Edge Cisco IOS Software Release 12.2S Cisco 7200/ 7300 Series Comprehensive Hardware Support Access Core Release 12.0S

40. 40 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential NetFlow Versions Cisco Catalyst 6500 Series Router will support versions 5 & 8 in Cisco IOS Software Release 12.1(13)E NetFlow Version Comments 1Original 5Standard and most common 7 Specific to Cisco Catalyst 6500 and 7600 Series Switches Similar to Version 5, but does not include AS, interface, TCP Flag & TOS information 8 Choice of eleven aggregation schemes Reduces resource usage 9 Flexible, extensible file export format to enable easier support of additional fields & technologies; coming out now MPLS, Multicast, & BGP Next Hop

41. 41 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Version 5 - Flow Export Format Source IP Address Destination IP Address Packet Count Byte Count Usage QoS Time of Day Application Port Utilization From/To Routing and Peering Input ifIndex Output ifIndex Type of Service TCP Flags Protocol Start sysUpTime End sysUpTime Source TCP/UDP Port Destination TCP/UDP Port Next Hop Address Source AS Number Dest. AS Number Source Prefix Mask Dest. Prefix Mask Source IP Address Destination IP Address Version 5 used extensively today Flow information

42. 42 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Why a New Version 9? Fixed export formats are not flexible and adaptable With each new version Cisco creates new export fields Partners need to re-engineer for each new version Solution: Build a flexible and extensible export format called version 9!

43. 43 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential NetFlow v9 Export Packet Data FlowSetTemplate FlowSet Option Template FlowSet FlowSet ID #1 Data FlowSet FlowSet ID #2 Template ID (specific Field types and lengths) (version, # packets, sequence #, Source ID ) Matching ID numbers are the way to associate template to the Data Records The Header follows the same format as prior NetFlow versions so Collectors will be backward compatible Each data record represents one flow If exported flows have the same fields, then they can be contained in the same Template Record (ie: unicast traffic) can be combined with multicast records If exported flows have different fields, then they cannot be contained in the same Template Record (ie: BGP next-hop cannot be combined with MPLS Aware NetFlow records) Flows from Interface A Flows from Interface B To support technologies such as MPLS or Multicast, this export format can be leveraged to easily insert new fields Option Data FlowSet FlowSet ID Option Data Record (Field values) Option Data Record (Field values) Template Record Template ID #2 (specific Field types and lengths) Template Record Template ID #1 (specific Field types and lengths) Data Record (Field values) Data Record (Field values) Data Record (Field values)

44. 44 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential NetFlow v9 and IETF Internet Protocol Flow Information eXport (IPFIX) is an IETF Working Group www.ietf.org/html.charters/ipfix-charter.html Netflow version 9 is the basis for the standard in the IETF Standards Track NetFlow version 9 http://www.ietf.org/internet-drafts/draft-ietf-ipfix-protocol-05.txt New

45. 45 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential New IETF: Packet SAMPling WG (PSAMP) PSAMP web site for the charter, email archive, drafts, etc. psamp.ccrle.nec.de/psamp.ccrle.nec.de/ Agreed to use IPFIX for export protocol if suitable for PSAMP To be improved: the variable length data type Note: NetFlow is already using some sampling mechanisms

46. 46 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential NetFlow Partners Traffic Analysis Denial of Service Flow-Tools Billing

47. 47 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential HybridNative 12.1ENative 12.2SX MSFCx v5 v5, v8* Sup1a V7, v8v7N/A Sup2 V7, v8v5, v7v5, v7, v8 Sup720 v5, v7, v8v5, v7v5, v7, v8 Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Hybrid: Cisco Catalyst OS on PFC/supervisor and Cisco IOS software on MSFC Native Cisco IOS Software: PFC/supervisor and the MSFC both run a single bundled Cisco IOS software image Export is centrally via the supervisor and MSFC, each linecard has its own hardware NetFlow cache and forwarding table, i.e. distributed platform *No NetFlow Support on MSFC with Sup1a

48. 48 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Cisco Catalyst 6500 and Cisco 7600 Series Versions and Features Cisco IOS Software Release 12.1(13)E1 PFC2 Source/destination interface information (Hybrid 6.3(6)) PFC2 Source/destination AS information PFC2 Support for V5 NetFlow data export (Hybrid 7.5(1)) IP Next hop Sampled NetFlow is available on PFC in Cisco IOS Cisco IOS Software Release 12.2(14)SX Version 8 in native mode PFC3b (Sup720) cards ToS byte Hybrid Catalyst OS 7.2(1) L2 switched traffic (vlan x to vlan y) support (doesn’t require MSFC) Hybrid Catalyst OS 7.3(1) Destination and source IfIndex enabled by default

49. 49 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Cisco Catalyst 4000 Supervisor IV NetFlow Services Card NetFlow Service Card Features NetFlow Statistics Collection and Data Export (NDE) VLAN Statistics Collection CLI support for NetFlow & VLAN Stats SNMP support for VLAN Stats Requirements: Supervisor IV or V IOS 12.1(13)EW NetFlow Versions 1 & 5, 8 w IOS 12.1.19 EW

50. 50 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Multicast NetFlow Availability: Major Release 12.3(1) and 12.2(18)S Ingress Accounting of replicated multicast packets Egress Per user accounting of multicast packets MPLS Aware NetFlow Availability: Release 12.0(26)S Label and prefix export information BGP Next Hop Availability: Releases 12.0(26)S, 12.2(18)S, and 12.3 Edge to Edge Traffic Matrix BGP traffic destination information NetFlow for IPv6 Availability: Release 12.3(7)T Export IPv6 source and destination information NetFlow Features supported with Version 9

51. 51 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Sampled NetFlow Availability: Releases 12.0(26)S, 12.3(2)T, and 12.2(18)S Random Sampling of packets per flow with reduce CPU NetFlow MIB Availability: Releases 12.3(7)T and 12.2(25)S Top N Talker in MIB NetFlow configuration using MIB Input Flow Filters Availability: Release 12.3(7)T, 12.2(25)S QOS MQC based Filtering entering NetFlow Egress NetFlow Availability: Release 12.3(11)T, 12.2(Rls6)S-Q1CY05 Accounting for Egress IP Flows NetFlow Product Update

52. 52 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Random Sampled NetFlow Capacity planning may not need every packet per Flow Sampling on high speed interfaces will reduce CPU consumption Random (select packet to export per statistical principles) Cisco IOS Software Releases 12.0(26)S, 12.2S(18), and 12.3(1)T Cisco 800, 1700, 1800, 2600, 2800,3600, 3700, 3800 7200, and 7500 Series Routers Random sampling Cisco 12000 Series 12.0(28)S Cisco 12000 Series deterministic sampling today Cisco Catalyst 6500 Series Random and Time based sampling 12.1(13)E

53. 53 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential NetFlow MIB Currently available in Releases 12.3(7)T NetFlow information available using SNMP and without NetFlow export Administration of Netflow using the MIB interface NetFlow MIB cannot be used to retrieve all Flow information but is very useful for security monitoring and locations where export is not possible Example objects available: Packet size distribution Number of Bytes exported per second Number of flowsNetFlow MIB with Export of Top N talkers Top N Talkers Top N Flows based on various NetFlow field values ( AS Number, destination, ports…) MIB and CLI support 12.2(25)S and 12.3(11)T

54. 54 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Import Flow Mask Filters Prevent flows from entering NetFlow cache by using Flow Filter Increase scalability and decrease CPU usage Filters are based on QOS MQC CLI class maps User can use ACL to match flows from certain port or source Define Traffic Class (match ACL) and Flow Sampling per Match Traffic Filter Low Importance Packets 12.0(27)S, 12.3(4)T, 12.2S(25) Traffic Filter High Importance Sample 1:100 from Subnet A Sample 1:1 from Server B

55. 55 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Egress NetFlow Accounting PEPE IP IP Netflow Ingress Netflow Egress Servers IP or MPLS Netflow Egress and Ingress 12.3(7)T, 12.2(25)S

56. 56 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Flexible NetFlow and Flexible Accounting Flexible NetFlow and Flexible Accounting will replace most static accounting technologies available today Flexible NetFlow user defined Flow keys and export fields within NetFlow Flexible Accounting user defined permanent flow with periodic export and account for defined flows over time The data can be polled thru a MIB Flow Groups user defined buckets for specific flow fields values Example show me packets and bytes from 1.1.1.1 to 2.2.2.2 on port 21

57. 57 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential SCTP Reliable Transport Flows may be sent in Reliable or unreliable or partial mode SCTP connection to collector and multiple streams per connection Supported with Version 9. Templates may be sent reliably Congestion Awareness, retransmission and queuing Data for Export in SCTP Stream Collector Congestion - packets marked unreliable potentially dropped Releases 12.4(2nd)T, 12.2S(Rls7) Send Queue

58. 58 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential NetFlow Security Enhancement Releases 12.4(1st)T Q2CY05 New show commands to understand and parse NetFlow data For Example, show flows on port X to destination Y show ip flow top show ip flow top 10 destination-address packets interface ser0 port-range 100 to 135 New Flow export fields including Source Mac, TTL, Packet length, ICMP type, and more Also will be available in 12.2(rls7)S

59. 59 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Upcoming New Features: NetFlow Product Update NetFlow Security Enhancements (Q2CY2005) New exports and show commands for security monitoring Flexible NetFlow and Accounting (Q3CY2005) Allow user defined flow keys and aggregation with v.9 Reliable and Congestion Aware Export (Q2CY2005) SCTP protocol NetFlow export NBAR and NetFlow Integration (Radar) Application flow information export

60. 60 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential Mar 2005 Dec 2004 Jan 2005 Nov 2004 Oct 2004 Sep 2004 Aug 2004 Jul 2004 Jun 2004 May 2004 Apr 2004 Mar 2004 Feb 2004 Jan 2004 Dec 2003 Nov 2003 Feb 2005 12.3(Rls2)T Input Filter Scalability & Flexibility Enhancing Cisco technologies’ with Flow Accounting Optimizing data for Flow processing 12.0(27)S Input Filter Targeting 12.3(2)T NetFlow MIB & Top Talker NetFlow IPv6 Standardization Targeting 12.2(25)S NetFlow MIB & Top Talker Input Filter Targeting 12.3(11)T Egress NetFlow Targeting 12.2(Rls6)S Egress NetFlow Targeting 12.2(Rls7)S Flexible Flow Definition Reliable Export Security Exports MIB Phase 2 NetFlow Roadmap Targeting 12.4(Rls1)T Security Exports

61. 61 © 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS IP SLA, and NetFlow, 9/04 Cisco Confidential