Netflowによって全てのパケットを採取して、それを統計情報としてNMSに送信するのは、データサイズが大きすぎる事もあるかもしれません。そのような場合は、ランダムに採取した一部のパケットのみをnetflowとして送信する事もできます。
コマンド一覧
このシナリオで重要なコマンド一覧は以下の通りです。
Router(config)# flow-sampler-map <map_name> Router(config-sampler)# mode random one-out-of <num> Router(config)# interface <interface> Router(config-if)# flow-sampler <map_name> [ egress ]
構成図
R3をHTTP serverとして構築します。
e0/0 e0/1 e0/0 e0/1
+--------+.1 .2+--------+.2 .3+--------+
| R1 +--------+ R2 +--------+ R3 |
+--------+ +--------+ +--------+
192.168.12.0/24 192.168.23.0/24
R1 Loopback0 R2 Loopback0 R3 Loopback0
10.1.1.1/32 10.2.2.2/32 10.3.3.3/32
[R3] enable password cisco ip http server ip http path flash: ip http authentication enable ! show running-config | redirect flash:running-config
設定全文は下記ファイルです。ルーティングなどの詳細設定は下記を参照ください。
sampler map
仕様説明
以下のコマンドで数回に一度のみの採取を行うflow-sampler-mapを作成する事ができます。
Router(config)# flow-sampler-map <map_name> Router(config-sampler)# mode random one-out-of <num>
flow-sampler-mapは以下のような設定で、interfaceに対する適用ができます。egress省略時は入力方向を採取し、egressをつけた時は出力方向を採取します。
Router(config)# interface <interface> Router(config-if)# flow-sampler <map_name> [ egress ]
動作確認
5回に一度のパケット採取を行う設定をR2に投入します。
[R2] flow-sampler-map SAMPLE_MAP mode random one-out-of 5 ! interface Ethernet0/1 flow-sampler SAMPLE_MAP flow-sampler SAMPLE_MAP egress
R1からR3へのpingを100発送信します。5回に1回の20発分が、NetFlowとして採取されている事を確認します。
[R1]
R1#ping 10.3.3.3 source Loopback 0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 4/35/64 ms
R1#
[R2]
R2#show ip cache flow
IP packet size distribution (145 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .165 .000 .834 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
3 active, 4093 inactive, 34 added
523 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 2 chunks added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
UDP-other 23 0.0 1 52 0.0 0.0 14.8
ICMP 4 0.0 20 100 0.0 4.0 15.3
Total: 27 0.0 3 89 0.0 0.5 14.9
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Et0/0 10.3.3.3 Et0/1* 10.1.1.1 01 0000 0000 20
Et0/1 192.168.12.1 Null 224.0.0.9 11 0208 0208 1
Et0/1 10.1.1.1 Et0/0 10.3.3.3 01 0000 0800 20
R2#
sampler map with policy map
動作確認
sampler mapとpolicy mapを併用する事で特定の種類のパケットのみを採取できます。以下はHTTPを5回に1回採取する設定です。
[R2] class-map CMAP_HTTP match protocol http ! policy-map PMAP_SAMPLE class CMAP_HTTP netflow-sampler SAMPLE_MAP ! interface Ethernet0/1 no flow-sampler SAMPLE_MAP no flow-sampler SAMPLE_MAP egress service-policy input PMAP_SAMPLE service-policy output PMAP_SAMPLE
ICMPなどのclass-mapに合致しないパケットは集計の対象外になっている事を確認します。
[R1]
R1#ping 10.3.3.3 source Loopback 0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 12/38/72 ms
R1#
[R2]
R2#show ip cache flow
IP packet size distribution (152 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .203 .000 .796 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
1 active, 4095 inactive, 42 added
674 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 3 chunks added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
UDP-other 30 0.0 1 52 0.0 0.0 15.0
ICMP 6 0.0 20 100 0.0 3.6 15.2
Total: 36 0.0 4 90 0.1 0.6 15.1
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
R2#
HTTP通信を発生させ、集計の対象となっている事を確認します。
[R1]
R1#copy http://cisco:cisco@10.3.3.3/running-config null:
Loading http://***********@10.3.3.3/running-config !
918 bytes copied in 0.308 secs (2981 bytes/sec)
R1#
[R2]
R2#show ip cache flow
IP packet size distribution (166 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .240 .000 .728 .000 .000 .006 .000 .006 .006 .000 .000 .000 .000 .012
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
2 active, 4094 inactive, 53 added
812 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 3 chunks added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-WWW 5 0.0 1 157 0.0 0.0 12.5
UDP-other 35 0.0 1 52 0.0 0.0 15.1
ICMP 6 0.0 20 100 0.0 3.6 15.2
Total: 46 0.0 3 92 0.0 0.4 14.8
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Et0/1 192.168.12.1 Et0/0 10.3.3.3 06 C55A 0050 1
Et0/0 10.3.3.3 Et0/1* 192.168.12.1 06 0050 C55A 2
R2#
