The deployment and use of the Internet and of intranets is growing rapidly and has led to a major shift in corporate and consumer computing models. The market has created a demand for traffic statistics and management technology that can effectively record network and application resource utilization. To this end, Cisco Systems introduced a new switching technology, NetFlow switching, into its IOS switching architecture. Building on virtual LAN (VLAN) technology, NetFlow switching provides both switching and routing on the same platform.
NetFlow services on Cisco routing and switching platforms provide network flow statistics built into the fast, optimum and CEF switching paths. NetFlow adds value to the flows in the network by providing detailed flow statistics while minimizing the impact on router/switch performance. As part of its switching function in particular, it gives enterprises information for capacity planning, trend analysis and data prioritization, broken down by user, protocol, port and type of service. NetFlow switching can be deployed anywhere in the network as an extension of the existing routing infrastructure. NetFlow can also process access lists efficiently, thereby implementing packet filtering and security services. NetFlow data can be used for many purposes, such as network management and planning, enterprise accounting, utilization-based billing, and data warehousing and data collection for marketing.
1. NetFlow switching and its characteristics
NetFlow switching implements high-performance switching at the network layer. It provides an efficient mechanism for handling security access lists, so that, unlike other switching methods, there is no high performance cost for doing so. NetFlow switching identifies traffic flows between hosts and switches the packets in those flows while applying the services associated with them. In traditional switching, each incoming packet is processed on its own: the router performs a series of independent lookups for every packet, checking the access list, collecting accounting data and switching the packet, and then sends it on to its destination. These lookups include determining whether security access filtering applies and updating the accounting statistics. In NetFlow switching, this lookup process is performed only for the first packet of a flow. Once a flow has been identified and the services that apply to it have been determined, all subsequent packets are handled as part of that flow on a connection-oriented basis: the access-list check is bypassed, and the packets are switched and counted in turn.
NetFlow switching creates a flow cache that holds the switching and access-list information for all active flows. The first packet of a flow is processed over the standard fast switching path, which creates the NetFlow cache entry, so that each flow is associated with an incoming and an outgoing interface and port number and with specific security access permissions and encryption policy. The cache entry also holds the flow's statistics counters, which are updated as subsequent packets are switched. Once the cache entry exists, packets identified as belonging to an existing flow can be switched from the cached information, bypassing the security access-list check. The cache retains this information for every active flow.
Switching packets and applying services to them one task after another in sequence is a streamlined approach that improves network service capability and Cisco IOS performance for security, quality of service (QoS) and traffic metering. At the same time, NetFlow switching provides more efficient per-user and per-application (that is, per-session) services.
2. NetFlow data format
NetFlow exports flow information in UDP datagrams, in one of two formats: (1) the Version 1 format, the format originally released; (2) the Version 5 format, an enhanced format released later that adds Border Gateway Protocol (BGP) autonomous system (AS) information and a flow sequence number.
In both the Version 1 and the Version 5 format a datagram consists of a header followed by one or more flow records. Whichever format it receives, a collector normally allocates a buffer large enough to hold the largest possible datagram, and uses the version field in the header to decide how to interpret the datagram. The second field of the header is the number of records in the datagram, which can be used to index the records.
Because NetFlow export uses UDP, datagrams may be lost. So that loss can be detected, the Version 5 header carries a flow sequence number, equal to the previous datagram's sequence number plus the number of flows in that datagram. On receiving a new datagram, the collector compares the sequence number in its header with the sequence number it expected, and the difference is the number of flows lost.
3. Configuring NetFlow switching
In a router, NetFlow switching involves identifying packet flows, switching the packets and processing access lists. It involves no connection-setup protocol between routers, or with any other network device or end station, and it requires no change to the packet itself or to any other network device. NetFlow switching is therefore completely transparent to the existing network, including end stations, application software and network devices such as LAN switches. Furthermore, because NetFlow switching is performed independently in each internetworking device, it need not run in every router in the network: network planners can enable NetFlow switching (and NetFlow data export) selectively, per router and per interface, so that flow switching, control and accounting take place at specific points in the network.
Once NetFlow is configured on an interface, that interface no longer uses the other switching modes. To configure NetFlow switching for IP, use the following command in interface configuration mode:
ip route-cache flow
The no form of the command disables NetFlow switching:
no ip route-cache flow
Usually the default NetFlow cache size is adequate, but the administrator can increase or decrease the number of entries retained in the cache to match the flow rate. The system default is 64K flow cache entries, each occupying about 64 bytes. To customize the number of entries, use the following command in global configuration mode:
ip flow-cache entries number
where number is the number of entries, in the range 1024 to 524288; the default is 65536.
Some Cisco routers have a Route Switch Processor (RSP) and VIP controllers. A VIP can be configured to switch the packets it receives without the RSP handling each packet. This is called distributed switching, and it reduces the load on the RSP. The VIP hardware can be configured to perform NetFlow switching.
To configure distributed switching on a VIP, first configure the router for IP routing for the protocols in use. Then, starting in global configuration mode, use the following commands to configure IP distributed switching and NetFlow switching:
interface type slot/port-adapter/port    (specify the interface and enter interface configuration mode)
ip route-cache distributed    (enable VIP distributed switching of IP packets on this interface)
ip route-cache flow    (enable flow switching)
When the RSP or VIP performs flow switching, it switches IP packets using the flow cache instead of the destination-network cache. The flow cache distinguishes entries by source and destination network address, protocol, and source and destination port number.
Router# show ip cache flow
IP packet size distribution (12718M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .554 .042 .017 .015 .009 .009 .009 .013 .030 .006 .007 .005 .004 .004

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .003 .007 .139 .019 .098 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456448 bytes
  65509 active, 27 inactive, 820628747 added
  955454490 ager polls, 0 flow alloc failures
  Exporting flows to 1.1.15.1 (2057)
  820563238 flows exported in 34485239 udp datagrams, 0 failed
  last clearing of statistics 00:00:03
Article entry: csh Editor in charge: csh
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet 2656855 4.3 86 78 372.3 49.6 27.6
TCP-FTP 5900082 9.5 9 71 86.8 11.4 33.1
TCP-FTPD 3200453 5.1 193 461 1006.3 45.8 33.4
TCP-WWW 546778274 887.3 12 325 11170.8 8.0 32.3
TCP-SMTP 25536863 41.4 21 283 876.5 10.9 31.3
TCP-X 116391 0.1 231 269 43.8 68.2 27.3
TCP-BGP 24520 0.0 28 216 1.1 26.2 39.0
TCP-Frag 56847 0.0 24 952 2.2 13.1 33.2
TCP-other 49148540 79.7 47 338 3752.6 30.7 32.2
UDP-DNS 117240379 190.2 3 112 570.8 7.5 34.7
UDP-NTP 9378269 15.2 1 76 16.2 2.2 38.7
UDP-TFTP 8077 0.0 3 62 0.0 9.7 33.2
UDP-Frag 51161 0.0 14 322 1.2 11.0 39.4
UDP-other 45502422 73.8 30 174 2272.7 8.5 37.8
ICMP 14837957 24.0 5 224 125.8 12.1 34.3
IGMP 40916 0.0 170 207 11.3 197.3 13.5
IPINIP 3988 0.0 48713 393 315.2 644.2 19.6
GRE 3838 0.0 79 101 0.4 47.3 25.9
IP-other 77406 0.1 47 259 5.9 52.4 27.0
Total 820563238 1331.7 15 304 20633.0 9.8 33.0
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts b/Pk Active
Fd0/0 80.0.0.3 Hs1/0 200.1.9.1 06 0621 0052 7 87 5.9
Fd0/0 80.0.0.3 Hs1/0 200.1.8.1 06 0620 0052 7 87 1.8
Hs1/0 200.0.0.3 Fd0/0 80.1.10.1 06 0052 0621 6 58 1.8
Hs1/0 200.0.0.3 Fd0/0 80.1.1.1 06 0052 0620 5 62 5.9
Fd0/0 80.0.0.3 Hs1/0 200.1.3.1 06 0723 0052 16 68 0.3
Hs1/0 200.0.0.3 Fd0/0 80.1.2.1 06 0052 0726 6 58 11.8
Fd0/0 80.0.0.3 Hs1/0 200.1.5.1 06 0726 0052 6 96 0.3
Hs1/0 200.0.0.3 Fd0/0 80.1.4.1 06 0052 0442 3 76 0.3
Hs1/0 200.0.0.3 Fd0/0 80.1.7.1 06 0052 0381 11 1171 0.6
4. Managing and using NetFlow switching statistics
NetFlow switching also yields rich statistics: the distribution of IP packet sizes, the state of the flow switching cache, and per-flow information such as protocol, total number of flows and flows per second. This information helps the network administrator analyze how the router is operating. To manage NetFlow switching statistics, use the show ip cache flow command in privileged EXEC mode to display the summary statistics, so that the administrator can see the current network traffic and the flows of the various applications. The output shown above is an example of this command. The IP packet size distribution gives the fraction of packets in each size bucket: the .554 under 64 means that 55.4% of packets are between 33 and 64 bytes. The lines that follow describe NetFlow cache usage, and the last two tables give per-protocol detail and the currently active flows.
NetFlow switching information can also be exported to a network-management application. To export NetFlow cache entries to a workstation as the flows expire, use the following command in global configuration mode:
ip flow-export ip-address udp-port version 5 [origin-as | peer-as]
With version 5 this command configures the router to export NetFlow cache entries to the workstation, optionally including the origin AS or the peer AS of each flow. By default neither AS is exported, which improves performance.
To make sure the data comes from a valid NetFlow source, Cisco recommends that the collector check each datagram: first check its size, making sure it can hold at least the version and count fields; then confirm that the version is a valid Version 1 or Version 5, and that the number of bytes received is enough to hold the header and count flow records. Note that these are structural checks only: export is plain UDP with no authentication, so a collector should also accept datagrams only from the addresses of the expected exporters (for example with an access list or host firewall in front of the collector port). NetFlow switching data has wide uses: it provides a basis for enterprise network management and analysis, helps administrators plan the network structure, balance load and optimize performance, provides a billing basis for ISPs, gives clues for diagnosing intrusions and locating attacks, and helps enterprises gather data.
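The following added example (my code, not from the article or from Cisco) is a minimal collector-side decoder that applies the three checks just described and the sequence-number loss accounting from section 2. The header and record layouts are the published NetFlow Version 1 and Version 5 export formats; the exporter address and the datagrams are constructed for the example, not captured from a router.

```python
"""NetFlow v1/v5 export decoder: structural checks, record decoding, and
loss detection from the v5 flow_sequence field."""
import socket
import struct

# Header and record layouts (network byte order) of the two export formats.
V1_HDR = struct.Struct("!HHIII")         # version, count, sys_uptime, unix_secs, unix_nsecs
V5_HDR = struct.Struct("!HHIIIIBBH")     # ... + flow_sequence, engine_type, engine_id, sampling
V1_REC = struct.Struct("!IIIHHIIIIHH2xBBB7x")
V5_REC = struct.Struct("!IIIHHIIIIHHxBBBHHBB2x")
REC_LEN = 48                             # both versions use 48-byte flow records
HEADERS = {1: V1_HDR, 5: V5_HDR}


class BadPacket(ValueError):
    """Raised when a datagram fails the structural checks."""


def _ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def _int(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def parse_export(datagram):
    """Validate and decode one export datagram into a dict with the header
    fields of interest and a list of per-flow dicts."""
    # Check 1: the datagram must at least hold the version and count fields.
    if len(datagram) < 4:
        raise BadPacket("datagram too short for version/count: %d bytes" % len(datagram))
    version, count = struct.unpack("!HH", datagram[:4])
    # Check 2: only Version 1 and Version 5 are understood.
    if version not in HEADERS:
        raise BadPacket("unsupported NetFlow version %d" % version)
    hdr = HEADERS[version]
    # Check 3: the header and all `count` records must really be present,
    # otherwise the count field would drive reads past the received bytes.
    need = hdr.size + count * REC_LEN
    if len(datagram) < need:
        raise BadPacket("count=%d needs %d bytes, got %d" % (count, need, len(datagram)))
    fields = hdr.unpack_from(datagram)
    out = {"version": version, "count": count, "records": []}
    if version == 5:
        out["flow_sequence"] = fields[5]
    rec_struct = V5_REC if version == 5 else V1_REC
    for i in range(count):
        r = rec_struct.unpack_from(datagram, hdr.size + i * REC_LEN)
        rec = {"src": _ip(r[0]), "dst": _ip(r[1]), "in_if": r[3], "out_if": r[4],
               "pkts": r[5], "octets": r[6], "srcport": r[9], "dstport": r[10]}
        if version == 5:
            rec.update(tcp_flags=r[11], prot=r[12], src_as=r[14], dst_as=r[15])
        else:
            rec.update(prot=r[11], tcp_flags=r[13])
        out["records"].append(rec)
    return out


class SequenceTracker:
    """Per-exporter loss accounting from the v5 flow_sequence field: the field
    numbers the first flow in the datagram, so the next datagram is expected
    to start at flow_sequence + count (modulo 2**32)."""

    def __init__(self):
        self._next = {}

    def observe(self, exporter, pkt):
        """Return the number of flows lost before this datagram (0 if none)."""
        if pkt["version"] != 5:
            return 0                                  # v1 has no sequence number
        seq, count = pkt["flow_sequence"], pkt["count"]
        expected = self._next.get(exporter)
        if expected is None:
            lost = 0                                  # first datagram seen from this exporter
        else:
            gap = (seq - expected) % (1 << 32)
            if gap >= (1 << 31):                      # late or duplicated datagram, not loss
                return 0
            lost = gap
        self._next[exporter] = (seq + count) % (1 << 32)
        return lost


def build(version, flows, flow_sequence=0):
    """Construct a v1 or v5 datagram (test data, not router output);
    flows are (src, dst, prot, srcport, dstport, pkts, octets)."""
    if version == 5:
        hdr = V5_HDR.pack(5, len(flows), 360000, 1700000000, 0, flow_sequence, 0, 0, 0)
        recs = [V5_REC.pack(_int(s), _int(d), 0, 1, 2, pk, oc, 1000, 2000, sp, dp,
                            0x18, pr, 0, 0, 0, 24, 24) for s, d, pr, sp, dp, pk, oc in flows]
    else:
        hdr = V1_HDR.pack(1, len(flows), 360000, 1700000000, 0)
        recs = [V1_REC.pack(_int(s), _int(d), 0, 1, 2, pk, oc, 1000, 2000, sp, dp,
                            pr, 0, 0x18) for s, d, pr, sp, dp, pk, oc in flows]
    return hdr + b"".join(recs)


if __name__ == "__main__":
    tracker = SequenceTracker()
    exporter = "1.1.15.1"                             # assumed exporter address
    # Constructed stream: the sequence jumps from 102 to 105, so 3 flows were lost.
    for dg in (build(5, [("80.0.0.3", "200.1.9.1", 6, 1569, 80, 7, 609),
                         ("200.0.0.3", "80.1.10.1", 6, 80, 1569, 6, 348)], 100),
               build(5, [("80.0.0.3", "200.1.3.1", 17, 53, 53, 1, 76)], 105)):
        pkt = parse_export(dg)
        print("seq=%d count=%d lost=%d" % (pkt["flow_sequence"], pkt["count"],
                                            tracker.observe(exporter, pkt)))
```

The sequence tracker keys its state by exporter address because each router numbers its own flows; a gap larger than half the counter range is treated as a reordered or duplicated datagram rather than as loss, and the expected value is never moved backwards.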
The show controller e1 output explained in detail
First, the basic concepts of E1 and CE1. The original use of E1 was as a digital trunk for a voice switch, where one E1 carries 32 channels of 64 kbit/s; because time slot 0 carries framing and time slot 16 carries signaling, one E1 carries 30 voice channels. This is the E1 referred to on access servers (such as the Huawei 8010 or Nortel's CVX1800), and it differs somewhat from the E1 usually referred to on routers: an E1 on a router cannot be divided into time slots and can only be used as a single 2 Mbit/s line.
A CE1 line also has 2048 kbit/s of bandwidth. The main difference is that an E1 cannot be divided into time slots, while a CE1 can. Each CE1 time slot is 64 kbit/s and there are 32 of them, so a CE1 can be divided into n x 64 kbit/s channels such as 128 kbit/s or 256 kbit/s. Time slots 0 and 16 of a CE1 do not carry user data: time slot 0 carries frame synchronization and time slot 16 carries signaling (time slot 16 is reserved only when channel-associated signaling is in use; a pure data channel group can use it like any other slot). That leaves 30 usable time slots, which must be kept in mind when dividing a CE1 into time slots. CE1 and E1 can also be connected to each other, but then the CE1 must be used as an E1, that is, without dividing it into time slots. Because CE1 is more flexible, it is the one more commonly encountered.
When E1 or CE1 line problems come up while configuring a router, the show controller e1 command is used very often. What follows is a detailed explanation of its output, which I hope will be helpful, followed by a flowchart for troubleshooting E1 and CE1 failures on Cisco routers.
Note: on the two routers at the ends of a CE1 link the following parameters must match: time slots, framing, line code, CRC, and so on. Also make sure the clocks are synchronized.
What the show controller e1 command does:
· Shows the status of the E1 link. With a slot and port specified (for example show controller e1 5/6) it shows that controller, with its counters reported in 15-minute intervals.
· Shows information used for troubleshooting the physical layer and the data link layer
· Shows local and remote alarm information
The following describes the parameters in the command output. First, the output of show controller e1 on two different routers:
7026#show controller e1
E1 5/1 is up.
Applique type is Channelized E1 - balanced
No alarms detected.
Framing is NO-CRC4, Line Code is HDB3, Clock Source is Line.
International Bit: 1, National Bits: 11111
Data in current interval (648 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Total Data (last 24 hours)
0 Line Code Violations, 0 Path Code Violations,
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
2600#show controller e1
E1 1/0 is up.
Applique type is Channelized E1 - balanced
No alarms detected.
Framing is CRC4, Line Code is HDB3, Clock Source is Line.
Data in current interval (457 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Total Data (last 25 15 minute intervals):
1123 Line Code Violations, 53 Path Code Violations,
2 Slip Secs, 708 Fr Loss Secs, 25 Line Err Secs, 0 Degraded Mins,
1 Errored Secs, 0 Bursty Err Secs, 2 Severely Err Secs, 709 Unavail Secs
The meanings of the parameters are as follows:
Field / Description
E1 5/1 is up
Shows that E1 controller 5/1 is up. An E1 controller can be in one of three states: up, down, or administratively down. If a loopback is configured, it is also shown as a local or remote loopback.
Applique type
Shows whether the E1 is balanced or unbalanced: balanced impedance is 120 ohms, unbalanced is 75 ohms.
Framing
The current framing type: CRC4 (the default) or NO-CRC4.
Line Code
The current line code: HDB3 or AMI.
No alarms detected
Shows the alarms. Possible alarms are:
Transmitter is sending remote alarm
Transmitter is sending AIS (alarm indication signal)
Receiver has loss of signal
Receiver is getting AIS
Receiver has loss of frame
Receiver has remote alarm
Receiver has no alarms
Data in current interval
(251 seconds elapsed)
Shows the time elapsed in the current accumulation interval; a new interval starts every 15 minutes.
Line Code Violations
Indicates that a Bipolar Violation (BPV) or Excessive Zeros (EXZ) error event occurred.
Path Code Violations
Indicates a frame synchronization bit error in the D4 and E1 no-CRC formats, or a CRC error in the Extended Superframe (ESF) and E1-CRC formats.
Slip Secs
Indicates replication or deletion of the payload bits of a DS1 frame. Slips occur when the clocks of the transmitting and receiving routers are not synchronized.
Fr Loss Secs
Number of seconds in which a loss of frame was detected.
Line Err Secs
Number of seconds in which one or more Line Code Violations were detected.
Degraded Mins
A degraded minute is one in which the estimated bit error rate is between 1E-6 and 1E-3.
Errored Secs
On ESF and E1-CRC links, a second in which one of the following was detected:
one or more Path Code Violations;
one or more controlled slip events.
On SF and E1 no-CRC links, a second in which Bipolar Violations were present.
Bursty Err Secs
A second with more than one but fewer than 320 Path Code Violations, no Severely Errored Frame defects and no AIS. Controlled slips are not counted in this parameter.
Severely Err Secs
For ESF signals, a second in which one of the following was detected:
320 or more Path Code Violations;
one or more out-of-frame defects;
an AIS defect.
For E1-CRC signals, a second in which one of the following was detected:
832 or more Path Code Violations;
one or more out-of-frame defects.
For E1 no-CRC signals, a second with 2048 or more Line Code Violations.
For D4 signals, a second with a framing error, an out-of-frame defect, or 1544 or more Line Code Violations.
Unavail Secs
Total number of seconds during which the interface was unavailable.
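As an added example (my code, not from the article or from Cisco), the following script parses show controller e1 output into the fields described above and applies the note from earlier in the article that both ends of a CE1 link must agree on framing and line code, while also reporting alarms and non-zero error counters. The two sample outputs are the ones shown on this page; treating them as the two ends of one link is a hypothetical for the comparison, and the clock-source note reflects the assumption that the link is back to back rather than through a carrier.

```python
"""Health check over 'show controller e1' output."""
import re

# The two outputs shown earlier on the page, embedded here as sample input.
SAMPLE_A = """\
E1 5/1 is up.
Applique type is Channelized E1 - balanced
No alarms detected.
Framing is NO-CRC4, Line Code is HDB3, Clock Source is Line.
Data in current interval (648 seconds elapsed):
  0 Line Code Violations, 0 Path Code Violations
  0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
  0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Total Data (last 24 hours)
  0 Line Code Violations, 0 Path Code Violations,
  0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
  0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
"""

SAMPLE_B = """\
E1 1/0 is up.
Applique type is Channelized E1 - balanced
No alarms detected.
Framing is CRC4, Line Code is HDB3, Clock Source is Line.
Data in current interval (457 seconds elapsed):
  0 Line Code Violations, 0 Path Code Violations
  0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
  0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Total Data (last 25 15 minute intervals):
  1123 Line Code Violations, 53 Path Code Violations,
  2 Slip Secs, 708 Fr Loss Secs, 25 Line Err Secs, 0 Degraded Mins,
  1 Errored Secs, 0 Bursty Err Secs, 2 Severely Err Secs, 709 Unavail Secs
"""

# "<number> <counter name>" pairs separated by commas on one line.
COUNTER_RE = re.compile(r"(\d+) ([A-Za-z][A-Za-z ]*?)(?=,|$)")


def parse_controller(text):
    """Return state, framing, line code, clock source, alarm lines and the
    counters of the current interval and of the total-data section."""
    info = {"alarms": [], "current": {}, "total": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"E1 (\S+) is (up|down|administratively down)", line)
        if m:
            info["controller"], info["state"] = m.group(1), m.group(2)
            continue
        m = re.match(r"Framing is (\S+), Line Code is (\S+), Clock Source is (\S+)\.", line)
        if m:
            info["framing"], info["linecode"], info["clock"] = m.groups()
            continue
        if line.startswith(("Transmitter", "Receiver")):
            info["alarms"].append(line)           # any alarm line other than "No alarms detected."
        elif line.startswith("Data in current interval"):
            section = "current"
        elif line.startswith("Total Data"):
            section = "total"
        elif section and line[:1].isdigit():
            for value, name in COUNTER_RE.findall(line):
                info[section][name] = int(value)
    return info


def check_link(a, b):
    """List the problems of two controllers assumed to be the ends of one CE1 link."""
    problems = []
    for key in ("framing", "linecode"):
        if a[key] != b[key]:
            problems.append("%s mismatch: %s=%s, %s=%s" % (key, a["controller"], a[key],
                                                            b["controller"], b[key]))
    if a["clock"] == b["clock"] == "Line":
        # Assumption: on a back-to-back link one end must supply the clock.
        problems.append("both ends take clock from line; fine behind a carrier, not back to back")
    for side in (a, b):
        if side["state"] != "up":
            problems.append("%s is %s" % (side["controller"], side["state"]))
        problems += ["%s: %s" % (side["controller"], alarm) for alarm in side["alarms"]]
        nonzero = {k: v for k, v in side["total"].items() if v}
        if nonzero:
            problems.append("%s error counters: %s" % (side["controller"], ", ".join(
                "%s=%d" % kv for kv in sorted(nonzero.items()))))
    return problems


if __name__ == "__main__":
    for p in check_link(parse_controller(SAMPLE_A), parse_controller(SAMPLE_B)):
        print("-", p)
```

Run against the page's two outputs, the check reports the framing mismatch (NO-CRC4 against CRC4), the shared line clock, and the 708 Fr Loss Secs and 709 Unavail Secs accumulated on E1 1/0, which is what a mismatched or badly clocked link looks like in these counters.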