Other IP Services Topic Notes

NetFlow


  • Cisco proprietary software feature in IOS
  • Provides a method to collect information about traffic flows and bandwidth usage in a network
  • NetFlow export/transport mechanism sends the NetFlow data to a NetFlow Collector
  • Can capture ingress or egress traffic
  • If one of the key fields is different in another packet, it is considered a different flow
  • Exports the flow information in UDP packets to the Collector Engine
  • NetFlow Caches:
    • Main Cache
      • Default Cache used to store flow information captured
      • Used by NetFlow v5 and v9 template to export data
    • Aggregation Cache
      • Groups flows together before exporting to a Collector
        • Reduced bandwidth between NetFlow Exporter and NetFlow Collector
      • Used by NetFlow version 9 template
      • As flows expire from the main cache, they are added to each enabled aggregation cache
      • Cache sizes can be customized
      • Uses different Aggregation schemes to define combinations of fields that determine which flows are grouped together
        • Aggregation Schemes supported:
          • Autonomous System (AS) Aggregation
          • Destination Prefix Aggregation
          • Prefix Aggregation
          • Protocol Port Aggregation
          • Source Prefix Aggregation
        • Command:
          • (config)#ip flow-aggregation cache <scheme>

 

Cisco IOS NetFlow (Legacy)

  • Original Legacy NetFlow technology
  • Support for NetFlow version 5 and version 9 templates
    • Cannot export all fields supported by the version 9 template
  • Components of IOS NetFlow are:
    • NetFlow Cache
      • Stores the IP flow information
    • NetFlow Export/Transport mechanism
      • Sends the NetFlow data to a Collector Engine
      • Can have two different Collector Engines configured

 

  • A Flow is defined by the following 7 key tuples:
    • Source IP Address
    • Destination IP Address
    • Source port number
    • Destination port number
    • Layer 3 protocol type
    • Type of Service (ToS)
    • Input logical interface
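
Worked example (added here; not part of the original notes and not Cisco software): a collector-side parser for the NetFlow v5 export datagram that the exporter sends over UDP, plus a cache that keys flows on the seven-tuple above and can regroup them with the aggregation schemes listed under the Aggregation Cache. The record layout is the public NetFlow v5 format; the sample records, the 10.1.1.0/24 and 192.0.2.0/24 addresses and the AS numbers are constructed. Two of the records differ only in non-key fields and merge into one flow, while the record that differs in a single key field (source port) becomes a second flow.

```python
"""NetFlow v5 datagram parser plus a collector-side flow/aggregation cache (constructed example)."""
import socket
import struct
from collections import defaultdict

V5_HEADER = struct.Struct(">HHIIIIBBH")                # 24-byte export header
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

# The seven key fields that identify a flow in IOS NetFlow.
SEVEN_TUPLE = ("src", "dst", "sport", "dport", "proto", "tos", "input")


def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into {'sequence': n, 'records': [dict, ...]}."""
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampling = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "input": f[3], "output": f[4],
            "packets": f[5], "octets": f[6], "first": f[7], "last": f[8],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
            "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18],
        })
    return {"sequence": seq, "records": records}


def build_v5(records, seq=1):
    """Encode record dicts as a v5 datagram (used here only to construct sample input)."""
    hdr = V5_HEADER.pack(5, len(records), 0, 0, 0, seq, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(
        socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]), socket.inet_aton("0.0.0.0"),
        r["input"], r["output"], r["packets"], r["octets"], 0, 0,
        r["sport"], r["dport"], 0, r.get("tcp_flags", 0), r["proto"], r["tos"],
        r["src_as"], r["dst_as"], r["src_mask"], r["dst_mask"], 0) for r in records)
    return hdr + body


def prefix(addr, mask_len):
    """Mask a dotted-quad address to its first mask_len bits."""
    n = struct.unpack(">I", socket.inet_aton(addr))[0]
    n &= (0xFFFFFFFF << (32 - mask_len)) & 0xFFFFFFFF
    return socket.inet_ntoa(struct.pack(">I", n))


# Flow identity ("flow") and the aggregation schemes from the notes, expressed as key functions.
SCHEMES = {
    "flow": lambda r: tuple(r[k] for k in SEVEN_TUPLE),
    "as": lambda r: (r["src_as"], r["dst_as"], r["input"], r["output"]),
    "destination-prefix": lambda r: (prefix(r["dst"], r["dst_mask"]), r["dst_mask"], r["output"]),
    "prefix": lambda r: (prefix(r["src"], r["src_mask"]), prefix(r["dst"], r["dst_mask"]),
                         r["input"], r["output"]),
    "protocol-port": lambda r: (r["proto"], r["sport"], r["dport"]),
    "source-prefix": lambda r: (prefix(r["src"], r["src_mask"]), r["src_mask"], r["input"]),
}


def aggregate(records, scheme="flow"):
    """Group records by the chosen key; non-key fields (packets, octets) accumulate."""
    key_of = SCHEMES[scheme]
    totals = defaultdict(lambda: {"packets": 0, "octets": 0, "flows": 0})
    for r in records:
        t = totals[key_of(r)]
        t["packets"] += r["packets"]
        t["octets"] += r["octets"]
        t["flows"] += 1
    return dict(totals)


# Constructed sample export: two records for the same flow (only non-key fields differ),
# one that differs in a single key field (source port), and one UDP DNS flow.
SAMPLE_RECORDS = [
    dict(src="10.1.1.5", dst="192.0.2.10", sport=40000, dport=443, proto=6, tos=0, input=1, output=2,
         packets=10, octets=5000, tcp_flags=0x18, src_as=64512, dst_as=64513, src_mask=24, dst_mask=24),
    dict(src="10.1.1.5", dst="192.0.2.10", sport=40000, dport=443, proto=6, tos=0, input=1, output=2,
         packets=4, octets=2000, tcp_flags=0x11, src_as=64512, dst_as=64513, src_mask=24, dst_mask=24),
    dict(src="10.1.1.5", dst="192.0.2.10", sport=40001, dport=443, proto=6, tos=0, input=1, output=2,
         packets=3, octets=900, tcp_flags=0x02, src_as=64512, dst_as=64513, src_mask=24, dst_mask=24),
    dict(src="10.1.1.9", dst="192.0.2.77", sport=5000, dport=53, proto=17, tos=0, input=1, output=2,
         packets=1, octets=80, src_as=64512, dst_as=64513, src_mask=24, dst_mask=24),
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_RECORDS)

if __name__ == "__main__":
    parsed = parse_v5(SAMPLE_DATAGRAM)
    for scheme in SCHEMES:
        print(scheme, aggregate(parsed["records"], scheme))
```

With the `flow` scheme the four records yield three flows; `source-prefix` collapses all four into a single 10.1.1.0/24 entry, which is the exporter-to-collector bandwidth saving the aggregation cache buys at the cost of per-host visibility at the collector.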

 

  • Captures data for the following ingress packets:
    • IP to IP
    • IP to MPLS
    • Frame Relay
    • ATM
  • Captures data for the following egress packets:
    • IP to IP
    • MPLS to IP

 

  • Configuration:
    • Set the Collector Engine IP address
      • (config)#ip flow-export destination <collector IP> <udp-port>
    • Set the NetFlow template version
      • (config)#ip flow-export version <5 | 9>
    • Enable NetFlow on an interface, in ingress, egress or both directions
      • (config-if)#ip flow <ingress | egress>

 

  • Troubleshooting IOS NetFlow Commands:
    • #show ip flow interface - Displays NetFlow configuration on an interface
    • #show ip cache flow - Displays whether NetFlow is operational, including statistics
    • #show ip cache verbose flow - Displays detailed NetFlow statistics
    • #show ip flow export - Displays export information and statistics

 


Cisco Flexible NetFlow
 

  • Best supported by NetFlow version 9 export format
  • NetFlow version 5 export template still supported
  • NetFlow version 9 export template supports more technologies including:
    • MPLS
    • BGP next-hop
    • Multicast
    • Layer 2
  • Components of Cisco Flexible Netflow:
    • Records
      • Defines what Key and Non-Key fields to collect
        • A change in Non-Key fields doesn't create a new flow
      • Assigned to Flow Monitors
      • Can use Predefined Records or User-Defined Records
        • Pre-defined
          • Provides backward compatibility with NetFlow Collector
          • Choose from list of IPv4 or IPv6 predefined records
        • User-defined
          • Can choose own key and non-key fields to capture
    • NetFlow Monitor
      • Applied to interface to perform network monitoring
      • Includes:
        • Records
        • Flow Monitor Cache
          • When a cache entry is aged out, it is removed from the cache and exported
        • Flow Exporter
    • NetFlow Exporters
      • Export the collected NetFlow data to a NetFlow Collector Engine
      • Assigned to NetFlow Monitor
      • Can create several NetFlow Exporters and assign to the same or different NetFlow Monitor
    • Flow Samplers
      • Used to specify the ratio to sample packets
      • Designed to reduce load on device
      • Assigned to NetFlow Monitors

 

  • Configuration:
    • Create a NetFlow Record:
      • (config)#flow record <record name>
      • (config-flow-record)#match <key fields>
      • (config-flow-record)#collect <non-key fields>
    • Create a NetFlow Exporter:
      • (config)#flow exporter <exporter name>
      • (config-flow-exporter)#destination <collector IP> [vrf <vrf-name>]
      • (config-flow-exporter)#export-protocol <netflow-v5 | netflow-v9>
      • (config-flow-exporter)#transport udp <udp port>
      • (config-flow-exporter)#source <interface>
    • Create a NetFlow Monitor:
      • (config)#flow monitor <monitor name>
      • (config-flow-monitor)#record <record name>
      • (config-flow-monitor)#exporter <exporter name>
      • (config-flow-monitor)#cache type <normal | immediate | permanent>
      • (config-flow-monitor)#cache timeout active <seconds>
    • Apply NetFlow Monitor to an interface:
      • (config-if)#<ip | ipv6> flow monitor <monitor name> <input | output>
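
Added example (not from the notes and not IOS code) modelling the three `cache type` settings and the `cache timeout active` behaviour from the commands above. The active (1800 s) and inactive (15 s) timeouts are the IOS defaults; the update timeout used for the permanent cache is assumed here to be 1800 s; the flow key and traffic patterns are constructed. The point for a defender: with a normal cache a long-lived connection does not reach the collector until the active timeout fires, so lowering `cache timeout active` shortens detection latency; an immediate cache removes the delay entirely but exports one record per packet.

```python
"""Flow-monitor cache behaviour for the three Flexible NetFlow cache types (constructed example)."""
from dataclasses import dataclass, replace


@dataclass
class FlowEntry:
    packets: int = 0
    octets: int = 0
    first: int = 0
    last: int = 0


class FlowMonitorCache:
    """Models `cache type normal|immediate|permanent` with timeouts in seconds."""

    def __init__(self, cache_type="normal", active_timeout=1800, inactive_timeout=15, update_timeout=1800):
        if cache_type not in ("normal", "immediate", "permanent"):
            raise ValueError(cache_type)
        self.cache_type = cache_type
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.update_timeout = update_timeout     # assumed default for the permanent cache snapshot
        self.entries = {}        # key -> FlowEntry still held in the cache
        self.exported = []       # (export_time, key, FlowEntry) records handed to the exporter
        self.last_update = 0

    def observe(self, now, key, octets):
        """Account one packet matching flow `key` seen at time `now`."""
        if self.cache_type == "immediate":
            # Every packet is exported as its own record; nothing is retained.
            self.exported.append((now, key, FlowEntry(1, octets, now, now)))
            return
        entry = self.entries.get(key)
        if entry is None:
            entry = self.entries[key] = FlowEntry(first=now, last=now)
        entry.packets += 1
        entry.octets += octets
        entry.last = now

    def tick(self, now):
        """Periodic ager: a normal cache expires entries; a permanent cache exports snapshots."""
        if self.cache_type == "normal":
            for key, entry in list(self.entries.items()):
                if now - entry.first >= self.active_timeout or now - entry.last >= self.inactive_timeout:
                    self.exported.append((now, key, entry))   # aged out: exported and removed
                    del self.entries[key]
        elif self.cache_type == "permanent":
            if self.entries and now - self.last_update >= self.update_timeout:
                for key, entry in self.entries.items():
                    self.exported.append((now, key, replace(entry)))   # snapshot, entry stays
                self.last_update = now


def simulate(cache_type, interval, duration=3600, **timeouts):
    """Drive one constructed flow that sends a 1400-byte packet every `interval` seconds."""
    cache = FlowMonitorCache(cache_type, **timeouts)
    key = ("10.1.1.5", "198.51.100.7", 6, 51000, 443)   # constructed 5-tuple
    for t in range(duration + 1):
        if t % interval == 0:
            cache.observe(t, key, 1400)
        cache.tick(t)
    return cache


if __name__ == "__main__":
    for ctype in ("normal", "immediate", "permanent"):
        c = simulate(ctype, interval=1)
        first = c.exported[0][0] if c.exported else None
        print(ctype, "first export at", first, "s; records exported:", len(c.exported))
```

A steady one-packet-per-second stream in a normal cache first appears at the collector at t=1800; the same stream with `cache timeout active 60` appears at t=60. A 60-second beacon is instead cut by the 15-second inactive timeout into one single-packet record per beacon, which is what the collector will see for periodic check-in traffic.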

 

 

  • Troubleshooting Flexible NetFlow Commands:
    • #show flow record <record name> - Displays current status of the Flow Record
    • #show flow monitor <monitor name> - Displays status and statistics for the Flow Monitor
    • #show flow monitor <monitor name> cache format record - Displays flow data in the cache
    • #show flow exporter <exporter name> - Displays current status of the Flow Exporter
    • #show flow interface <IF> - Displays the status of NetFlow on the interface

 


NBAR – Network-Based Application Recognition

  • Used to classify packets
  • Performs Deep Packet Inspection to classify packet
    • Not based on TCP/UDP port numbers
  • Works independently from QoS
  • Uses Protocol packs to update application signatures
    • Can create custom protocols
    • Can download and add Application Recognition Modules to recognise additional protocols on network
      • Also known as Packet Description Language Modules (PDLMs)
  • Requires protocol discovery to be enabled on the interface
    • Supported on L2 and L3 EtherChannels
    • Command:
      • (config-if)#ip nbar protocol-discovery
  • Used with Modular QoS Command (MQC)
    • Commands:
      • (config)#class-map <class-map name> match-any
      • (config-cmap)#match protocol <protocol>
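
Added example (not NBAR code, not from the notes) of what "classification not based on TCP/UDP port numbers" means in practice: a small classifier that inspects the first bytes of the payload, plus a per-application tally like the per-interface protocol discovery statistics. The three built-in signatures use the public SSH banner, TLS record header and HTTP request-line formats; the custom-protocol helper and its arguments are this example's own, loosely modelled on NBAR custom protocols; the sample packets are constructed.

```python
"""Port-independent application classification by payload signature (constructed example)."""
import re

HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")


def is_tls_client_hello(p):
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04, 2-byte length,
    # then handshake type 0x01 (ClientHello).
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04 and p[5] == 0x01


# Built-in signatures, checked in order; the first match wins.
SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("tls", is_tls_client_hello),
    ("http", lambda p: HTTP_REQUEST.match(p) is not None),
]


def add_custom_protocol(name, needle, offset=0):
    """Register a custom signature: `needle` bytes found at `offset` in the payload.
    The argument shape is this example's own, not the NBAR custom-protocol CLI."""
    SIGNATURES.append((name, lambda p: p[offset:offset + len(needle)] == needle))


def classify(payload):
    """Return the application name for a payload, or 'unknown'. Ports are never consulted."""
    for name, matcher in SIGNATURES:
        if matcher(payload):
            return name
    return "unknown"


def protocol_discovery(packets):
    """Per-application packet and byte totals over (dst_port, payload) pairs; the port is
    carried only to show that it plays no part in the result."""
    stats = {}
    for _port, payload in packets:
        app = classify(payload)
        s = stats.setdefault(app, {"packets": 0, "bytes": 0})
        s["packets"] += 1
        s["bytes"] += len(payload)
    return stats


# Constructed sample traffic: well-known applications on the "wrong" ports, and junk on 443.
SAMPLE_PACKETS = [
    (8443, b"GET /status HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),     # HTTP on a non-standard port
    (80, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32),  # TLS ClientHello on port 80
    (2222, b"SSH-2.0-OpenSSH_9.6\r\n"),                                     # SSH on port 2222
    (443, b"\x00\x01\x02\x03\x04\x05\x06\x07"),                             # unclassifiable bytes on 443
]

if __name__ == "__main__":
    for port, payload in SAMPLE_PACKETS:
        print(port, "->", classify(payload))
    print(protocol_discovery(SAMPLE_PACKETS))
```

The last packet is the interesting one for a defender: traffic on 443 that does not look like TLS shows up as `unknown` in the discovery statistics, which a port-based class-map would silently have counted as HTTPS.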

 

NBAR Troubleshooting Commands
  • #show ip nbar protocol-pack active [detail] - Displays detailed information about the currently active protocol pack
  • #show ip nbar protocol-discovery interface <IF> - Displays NBAR statistics for interface

 


TCP Optimization


Nagle Service


  • Congestion control algorithm for small packets
  • Improves performance of Telnet sessions
    • Normal use is sending one packet for each keystroke typed
    • Larger networks will have many small packets and cause congestion
    • With Nagle enabled, the sender waits for acknowledgement of the first keystroke
      • Can then send larger packet including more than one typed character
        • Waits for acknowledgement
  • Command:
    • (config)#service nagle
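
Added example (not from the notes and not IOS code) that simulates the keystroke behaviour described above: each keystroke is one byte, and with Nagle a small segment may only be sent when no previously sent data is unacknowledged; otherwise the bytes are buffered and go out together when the ACK arrives. Times are in milliseconds; the keystroke timing and the RTT are constructed.

```python
"""Nagle's algorithm on a stream of single-byte keystrokes (constructed example)."""


def simulate_keystrokes(keystroke_times, rtt, nagle=True):
    """Return the segments sent as (send_time, bytes) pairs.

    Without Nagle every keystroke is its own one-byte segment.  With Nagle a small segment
    is sent immediately only when nothing is outstanding; while an ACK is pending the
    keystrokes accumulate and are sent as one segment the moment the ACK arrives.
    """
    if not nagle:
        return [(t, 1) for t in keystroke_times]

    segments = []
    buffered = 0        # keystrokes waiting for the outstanding ACK
    ack_at = None       # time the ACK for the in-flight segment arrives, or None if nothing in flight

    def on_ack(now):
        nonlocal buffered, ack_at
        ack_at = None
        if buffered:                       # flush everything typed while we were waiting
            segments.append((now, buffered))
            ack_at = now + rtt
            buffered = 0

    for t in keystroke_times:
        while ack_at is not None and ack_at <= t:   # ACKs that arrived before this keystroke
            on_ack(ack_at)
        if ack_at is None:
            segments.append((t, 1))        # nothing outstanding: send the single byte now
            ack_at = t + rtt
        else:
            buffered += 1                  # outstanding data: hold the byte back
    while ack_at is not None:              # drain what is still buffered after the last keystroke
        on_ack(ack_at)
    return segments


if __name__ == "__main__":
    taps = [t * 50 for t in range(10)]     # ten keystrokes, one every 50 ms
    print("without Nagle:", simulate_keystrokes(taps, rtt=200, nagle=False))
    print("with Nagle:   ", simulate_keystrokes(taps, rtt=200, nagle=True))
```

Ten keystrokes 50 ms apart over a 200 ms RTT become ten segments without Nagle and four with it (1, 3, 4 and 2 bytes), which is the reduction in small-packet load the notes describe; the cost is that later keystrokes are delayed until the previous ACK returns.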

 


Explicit Congestion Notification (ECN)


  • Notifies end hosts of network congestion
  • Provides enhanced support for TCP applications sensitive to delay or packet loss including
    • Telnet
    • Web browsing
    • Transfer of audio and video data
  • Reduces delay and packet loss in data transmissions
  • Command:
    • (config)#ip tcp ecn

 


Selective Acknowledgements


  • Receiving TCP host returns selective acknowledgement packets to sender
    • Informs sender what packets have been received
  • Can acknowledge packets received out of order
  • Sender then only resends the missing packets, instead of everything from the first lost packet
  • Only used when multiple packets are lost within one TCP window
  • Command:
    • (config)#ip tcp selective-ack
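
Added example (not from the notes) that works through the acknowledgement logic above using segment numbers instead of byte sequence numbers (a simplification of RFC 2018, where SACK blocks carry byte ranges): the receiver reports its cumulative ACK plus SACK blocks for the out-of-order segments it is holding, and the sender computes what to retransmit with and without SACK.

```python
"""Cumulative ACK, SACK blocks and the resulting retransmission set (constructed example)."""


def cumulative_ack(received, n_sent):
    """Highest segment number such that every segment up to it has arrived (0 if segment 1 is missing)."""
    ack = 0
    while ack + 1 <= n_sent and (ack + 1) in received:
        ack += 1
    return ack


def sack_blocks(received, n_sent):
    """Contiguous runs of received segments above the cumulative ACK, as (left, right) pairs."""
    cum = cumulative_ack(received, n_sent)
    blocks, start = [], None
    for s in range(cum + 1, n_sent + 2):          # n_sent + 1 acts as a sentinel closing a trailing run
        if s <= n_sent and s in received:
            if start is None:
                start = s
        elif start is not None:
            blocks.append((start, s - 1))
            start = None
    return blocks


def retransmit_set(received, n_sent, sack=True):
    """Segments the sender retransmits: only the holes with SACK, everything after the first hole without."""
    cum = cumulative_ack(received, n_sent)
    if not sack:
        return list(range(cum + 1, n_sent + 1))
    return [s for s in range(cum + 1, n_sent + 1) if s not in received]


if __name__ == "__main__":
    # Constructed window: segments 1..10 sent, 3 and 7 lost.
    got = {1, 2, 4, 5, 6, 8, 9, 10}
    print("ACK", cumulative_ack(got, 10), "SACK", sack_blocks(got, 10))
    print("retransmit with SACK:   ", retransmit_set(got, 10, sack=True))
    print("retransmit without SACK:", retransmit_set(got, 10, sack=False))
```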

 


Path MTU Discovery


  • Disabled by default
  • Helps avoid fragmentation with TCP streams
  • Maximises use of available bandwidth between endpoints in a TCP connection
  • Discovers the maximum end-to-end MTU size
  • Process:
    • On receiving a packet that is too big for the MTU, the device sends an ICMP "Fragmentation needed and DF bit set" message back to the host
    • Host then lowers MTU value
  • Command:
    • (config)#ip tcp path-mtu-discovery
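
Added example (not from the notes and not IOS code) of the discovery process above as an exchange between a sender and the routers on the path: each router whose next-hop MTU is smaller than a DF-set packet drops it and returns ICMP type 3 code 4 carrying that MTU (RFC 1191), and the sender lowers its packet size to match. The second case models a path where those ICMP messages are filtered, which is the usual cause of a PMTUD black hole; the hop MTUs are constructed.

```python
"""Path MTU discovery as a sender/router exchange, including the filtered-ICMP failure (constructed example)."""

# ICMP type 3 (destination unreachable), code 4 (fragmentation needed and DF set)
ICMP_FRAG_NEEDED = ("ICMP", 3, 4)


def path_mtu_discovery(path_mtus, initial_size, icmp_reaches_sender=True, max_probes=16):
    """Send DF-set packets of `initial_size` bytes across hops with the given MTUs.

    Returns (final_size, events); final_size is None when the sender never gets through.
    Each event is a tuple: a drop at a hop, the ICMP reply the router sends, or delivery.
    """
    size = initial_size
    events = []
    for _ in range(max_probes):
        for hop, mtu in enumerate(path_mtus):
            if size > mtu:
                events.append(("dropped-at-hop", hop, size))        # DF set, so no fragmentation
                if icmp_reaches_sender:
                    events.append((*ICMP_FRAG_NEEDED, "next-hop-mtu", mtu))
                    size = mtu                                      # host lowers its MTU value
                # otherwise the reply is filtered: the sender retransmits the same size and stalls
                break
        else:
            events.append(("delivered", size))                      # every hop accepted the packet
            return size, events
    return None, events


if __name__ == "__main__":
    size, ev = path_mtu_discovery([1500, 1400, 1500, 1280], 1500)
    for e in ev:
        print(e)
    print("path MTU:", size)
    print("ICMP filtered:", path_mtu_discovery([1500, 1400], 1500, icmp_reaches_sender=False)[0])
```

On the four-hop path the sender is told 1400 and then 1280 and converges in two rounds. With the ICMP replies filtered it never learns anything and every full-size packet is silently dropped, which is why a firewall policy that drops all ICMP must still permit type 3 code 4 if PMTUD is relied upon.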

 


Window Scaling / Sizing

  • Used to control how often a TCP acknowledgement is needed when sending multiple packets to host
  • Larger window size recommended for higher TCP performance
    • Network paths with a large bandwidth-delay product called Long Fat Networks (LFNs)
  • Expands Window definition to 32 bits from 16 bits
    • Uses a scale factor to carry this 32 bit value in a 16 bit field
      • Can scale to a factor of 14
  • Command:
    • (config)#ip tcp window-size <0 - 1,073,741,823 bytes>

 


TCP SYN Wait Time


  • Can specify the amount of time to wait before timing out a TCP connection
  • Only affects traffic originating from device and not going through device
  • Default is 30 seconds
  • Command:
    • (config)#ip tcp synwait-time <5 - 300(seconds)>

 


TCP Outgoing Queue


  • Can limit the number of packets queued in the outgoing TCP queue
  • Default is 5 if the connection has a TTY associated with it e.g. Telnet
  • Default queue size is 20
  • Command:
    • (config)#ip tcp queuemax <5 - 50>

 


Device Services


IOS Small Services


  • Services or daemons that run on a router and were originally used for diagnostic information
  • TCP Small servers are:
    • Echo
      • Echoes back whatever you type in a telnet session
      • Command to test:
        • #telnet <x.x.x.x> echo
    • Chargen
      • Generates a stream of ASCII data in a telnet session
      • Command to test:
        • #telnet <x.x.x.x> chargen
    • Discard
      • Throws away whatever you type in a telnet session
      • Command to test:
        • #telnet <x.x.x.x> discard
    • Daytime
      • Returns the system date and time
      • Command to test:
        • #telnet <x.x.x.x> daytime

 

  • TCP Small servers are enabled by default
  • Command:
    • (config)#service tcp-small-servers

 

  • UDP Small servers are:
    • Echo
      • Echoes back whatever you type in a telnet session
      • Command to test:
        • #telnet <x.x.x.x> echo
    • Discard
      • Throws away whatever you type in a telnet session
      • Command to test:
        • #telnet <x.x.x.x> discard
    • Chargen
      • Generates a stream of ASCII data in a telnet session
      • Command to test:
        • #telnet <x.x.x.x> chargen

 

  • UDP Small servers are enabled by default
  • Command:
    • (config)#service udp-small-servers

 


Finger


  • Service that allows you to see remotely who is logged on to a router
  • Command:
    • (config)#service finger
    • (config)#ip finger
  • Command to test:
    • #telnet <x.x.x.x> finger

 


Directed Broadcast and Broadcast Address


  • A packet whose destination matches the local subnet broadcast address
  • Feature disabled by default
  • Allows Smurf and Fraggle DoS attacks
  • The router changes the destination address from the directed broadcast address to the all subnet broadcast address (255.255.255.255)
    • This can be overridden with the broadcast address command set on the interface
    • Command:
      • (config-if)#ip broadcast-address <x.x.x.x>

 

  • Example:
  • An interface in the 10.0.0.0/24 subnet would have a broadcast address of 10.0.0.255
  • A directed broadcast would have its destination set to 10.0.0.255
  • The router changes that destination and sends it to the all subnet broadcast address of 255.255.255.255
  • If the broadcast address command is configured on the outgoing interface then it will only send it to the configured broadcast address
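
The 10.0.0.0/24 example above carried through in code (added here; not the notes' or IOS code): classify a destination as limited broadcast, directed broadcast or unicast, then decide what the egress interface does with it. The `directed_broadcast` flag models `ip directed-broadcast` on the egress interface, which is off by default as the notes state; in that state the router drops a directed broadcast rather than converting it, which is what shuts down the Smurf and Fraggle reflection the notes mention. `ip_broadcast_address` models the `ip broadcast-address` override. Networks and addresses are passed as strings so the functions can be called without any setup.

```python
"""Directed-broadcast classification and egress handling for an IPv4 router interface (constructed example)."""
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify_destination(dst, attached_networks):
    """Return 'limited-broadcast' for 255.255.255.255, 'directed-broadcast' for the subnet broadcast
    address of one of the attached networks (given as 'a.b.c.d/n' strings), else 'unicast'."""
    addr = ipaddress.IPv4Address(dst)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    for cidr in attached_networks:
        net = ipaddress.IPv4Network(cidr, strict=False)
        # /31 and /32 networks have no broadcast address, so never treat their last address as one
        if net.prefixlen <= 30 and addr == net.broadcast_address:
            return "directed-broadcast"
    return "unicast"


def egress_action(dst, egress_net, directed_broadcast=False, ip_broadcast_address=None):
    """What the router does with a packet to `dst` leaving on the interface attached to `egress_net`.

    directed_broadcast   models `ip directed-broadcast` (default off: directed broadcasts are dropped)
    ip_broadcast_address models `ip broadcast-address x.x.x.x`; when unset the packet is converted
                         to the all-subnets broadcast 255.255.255.255 as the notes describe.
    Returns (action, destination_used).
    """
    kind = classify_destination(dst, [egress_net])
    if kind != "directed-broadcast":
        return ("forward", dst)
    if not directed_broadcast:
        return ("drop", dst)
    return ("broadcast", ip_broadcast_address or str(LIMITED_BROADCAST))


if __name__ == "__main__":
    net = "10.0.0.0/24"
    for dst in ("10.0.0.7", "10.0.0.255", "255.255.255.255"):
        print(dst, classify_destination(dst, [net]), egress_action(dst, net),
              egress_action(dst, net, directed_broadcast=True),
              egress_action(dst, net, directed_broadcast=True, ip_broadcast_address="10.0.0.255"))
```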

 


UDP Forwarding


  • Forward specific UDP broadcasts to unicast addresses
  • Can be configured on a per port / service basis
  • Will forward UDP by default for only the following protocols:
    • TACACS, TFTP, BOOTP, Time, NetBIOS Name Server, NetBIOS Datagram Services and DNS
  • Configured with the helper address and udp forwarding feature
  • Command:
    • (config)#ip forward-protocol udp <udp port>
    • (config-if)#ip helper-address <unicast address>
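
Added example (not IOS code) of the helper-address decision: a UDP broadcast arriving on an interface that has `ip helper-address` configured is re-sent as unicast to each helper only if its destination port is on the forwarding list, which by default holds the ports of the protocols named above (Time 37, TACACS 49, DNS 53, BOOTP 67/68, TFTP 69, NetBIOS name service 137 and datagram service 138). `add_ports` models `ip forward-protocol udp <port>` and `remove_ports` its `no` form; the helper and subnet addresses are constructed.

```python
"""ip helper-address / ip forward-protocol udp forwarding decision (constructed example)."""
import ipaddress

# UDP ports forwarded by ip helper-address when no ip forward-protocol command has been entered.
DEFAULT_FORWARDED_PORTS = {
    37: "time", 49: "tacacs", 53: "dns", 67: "bootps", 68: "bootpc",
    69: "tftp", 137: "netbios-ns", 138: "netbios-dgm",
}


class HelperForwarder:
    """Forwarding behaviour of one ingress interface with helper addresses configured."""

    def __init__(self, helper_addresses, add_ports=(), remove_ports=()):
        self.ports = dict(DEFAULT_FORWARDED_PORTS)
        for p in add_ports:                 # ip forward-protocol udp <port>
            self.ports.setdefault(p, "custom")
        for p in remove_ports:              # no ip forward-protocol udp <port>
            self.ports.pop(p, None)
        self.helpers = list(helper_addresses)   # ip helper-address entries on the ingress interface

    def forward(self, dst_ip, dst_port, ingress_net):
        """Return the unicast copies to send as (helper_ip, dst_port), or [] if the packet is not forwarded.

        Only broadcasts qualify: the limited broadcast 255.255.255.255 or the ingress subnet's own
        broadcast address.  Unicast packets and non-listed ports are left alone.
        """
        net = ipaddress.IPv4Network(ingress_net, strict=False)
        dst = ipaddress.IPv4Address(dst_ip)
        is_broadcast = dst == ipaddress.IPv4Address("255.255.255.255") or dst == net.broadcast_address
        if not (is_broadcast and dst_port in self.ports and self.helpers):
            return []
        return [(helper, dst_port) for helper in self.helpers]


if __name__ == "__main__":
    fwd = HelperForwarder(["10.9.9.10"], add_ports=(161,), remove_ports=(69,))
    for port in (67, 69, 161, 123):
        print(port, fwd.forward("255.255.255.255", port, "10.0.0.0/24"))
```

The `remove_ports` side matters as much as the additions: every port left on the list is a broadcast that the router will relay into another segment, so trimming the defaults to what the segment actually needs (for instance keeping 67/68 for DHCP relay and dropping TFTP, Time and NetBIOS) limits what a broadcast on the access network can reach.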

 


Director Response Protocol (DRP)


  • Cisco proprietary UDP service that provides a very simple load-balancing method between servers
    • Sends user service requests to the closest and most responsive server
  • It queries routers for BGP and IGP RIB metrics between distributed servers and clients
  • DistributedDirector is separate standalone software and will answer DNS queries or respond with HTTP 302 redirect message
  • DRP Server Agents are border routers within the estate

 

  • Can use authentication between devices and limit the scope of valid DRP queries using ACLs
  • Configuration to enable DRP Server Agent on router:
    • (config)#ip drp server
    • (config)#ip drp access-group <acl>
    • (config)#ip drp authentication key-chain <key-chain>

 

  • Display information command:
    • #show ip drp

 

