H3C S5560X & S6520X Switch Series NetStream Technology White Paper-6W100

Copyright © 2020 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Overview

Technical background

The Internet is growing rapidly with an ever-increasing number of services and applications. Enterprises need a tool that provides refined visibility into the network traffic to ensure the performance of critical services and to facilitate capacity planning and anomaly detection. Traditional network monitoring technologies such as SNMP and port mirroring cannot meet these requirements because they lack the desired flexibility or are expensive to implement.

NetStream was developed to address this need. A NetStream-enabled device records traffic on a per-flow basis and exports the flow records to a network traffic analyzer, which parses and reassembles the records and stores them in a database for further analysis. NetStream enables fine-grained traffic analysis with minimal impact on the forwarding performance of the network device. You can deploy NetStream at the access, aggregation, and core layers of the network to achieve the following goals:

·     Understand the network running state.

·     Timely discover and troubleshoot performance bottlenecks and network anomalies.

·     Provide guidelines for network and bandwidth optimization, capacity planning, and network equipment procurement.

Features

NetStream provides the following features:

·     Accounting—NetStream provides fine-grained traffic data for accounting based on various metrics such as link usage, bandwidth usage, and time ranges. An ISP can use NetStream to implement time-based, bandwidth-based, application-based, QoS-based and other flexible accounting strategies. A company can use NetStream to understand the network traffic patterns and bandwidth usage of each department and optimize resource allocation to improve resource usage.

·     Network planning—NetStream provides key information for network management tools, such as information about inter-AS traffic, to plan and optimize the network, achieving optimal network performance and reliability with minimal network operation costs.

·     Network monitoring—NetStream can be deployed at the network egress to monitor the traffic on the Internet-facing interface in almost real time and analyze bandwidth usage on a per-service basis. The traffic monitoring information helps network administrators determine the network running state and discover inappropriate network structures or performance bottlenecks on networks. Enterprises can easily plan and allocate network resources.

·     User monitoring and analysis—NetStream allows network administrators to obtain network resource usage of users so that they can efficiently plan and allocate network resources and ensure network security.

 


Implementation

NetStream provides traffic statistics on a per-flow basis. It parses a set of header fields in captured packets and groups packets with identical field values into the same flow. NetStream can parse the L2, L3, and L4 headers and MPLS labels, and can parse the UDP header of VXLAN packets to reach the encapsulated traffic.

NetStream architecture

A typical NetStream system includes the following elements:

·     NetStream data exporter (NDE)—A device configured with NetStream. The NDE provides the following functions:

¡     Classifies traffic flows by using the 7-tuple elements.

¡     Collects data from the classified flows.

¡     Aggregates and exports the data to the NSC.

·     NetStream collector (NSC)—A program running on an operating system. The NSC parses the packets received from the NDEs and saves the data to its database.

·     NetStream data analyzer (NDA)—A network traffic analysis tool. Based on the data in the NSC, the NDA generates reports for traffic billing, network planning, and attack detection and monitoring. The NDA can collect data from multiple NSCs. Typically, the NDA provides a Web-based interface for easy operation.

NSC and NDA are typically integrated into a NetStream server.

Figure 1 NetStream system

 

 

NOTE:

·     Network devices that support NetStream, such as S5560X switch series and S6520X switch series, can act as NDEs.

·     For unidirectional NetStream, you can use H3C IMC platform or third-party IPFIX-compliant platform as NSC and NDA.

·     For bidirectional NetStream, you can only use H3C threat discovery and security operations platform as NSC and NDA.

 

Standards

To collect traffic statistics, Huawei and H3C use NetStream while Cisco uses NetFlow. The IETF IPFIX protocol was derived from Cisco NetFlow version 9 and uses NetFlow for illustration. H3C NetStream is IPFIX-compliant: exported fields are identified by IANA IPFIX information element IDs with their registered data types, for example element ID 11 (destinationTransportPort) with the unsigned16 type.

Features

NetStream flow aging

The NDE creates a NetStream entry in its cache for each flow and accumulates the flow statistics in that entry. Flow aging is the mechanism that triggers export of an entry to the NetStream servers.

When a flow is aged out, the NDE performs the following operations:

·     Exports the summarized data to NetStream servers in a specific format.

·     Clears NetStream entry information in the cache.

NetStream supports the following flow aging methods:

·     Periodical aging.

·     Forced aging.

Periodical aging

Periodical aging uses the following methods:

·     Inactive flow aging—A flow is inactive if no packet arrives for the NetStream entry within the inactive flow aging timer. When the timer expires, the following events occur:

¡     The inactive flow entry is aged out.

¡     The statistics of the flow are sent to NetStream servers and are cleared in the cache. The statistics can no longer be displayed by using the display ip netstream cache command.

This method ensures that inactive flow entries are cleared from the cache in a timely manner so new entries can be cached.

·     Active flow aging—A flow is active if packets arrive for the NetStream entry within the active flow aging timer. When the timer expires, the statistics of the active flow are exported to NetStream servers. The device continues to collect active flow statistics.

This method periodically exports the statistics of active flows to NetStream servers.

Forced aging

To implement forced aging, use one of the following methods:

·     Clear the NetStream cache immediately. All entries in the cache are aged out and exported to NetStream servers.

·     Specify the upper limit for cached entries and configure the system to take either of the following actions when the limit is reached:

¡     Age out the oldest entries.

¡     Disable creation of a new entry in the cache.
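The aging rules above, modelled as an added example (this is illustration code, not H3C firmware or CLI): a flow cache keyed by the 7-tuple, with an inactive timer that removes and exports idle entries, an active timer that exports long-lived entries while keeping them cached, and the two full-cache actions. The timer values, the small cache limit, the flow keys and the packet trace are assumptions constructed for the example; the text does not say whether counters restart after an active-timer export, and the model assumes they do (delta counts per export interval).

```python
from dataclasses import dataclass


@dataclass
class FlowEntry:
    key: tuple          # 7-tuple: src IP, dst IP, src port, dst port, proto, ToS, input interface
    first_seen: float   # entry creation time (restarted after an active-timer export)
    last_seen: float    # arrival time of the most recent packet
    packets: int = 0
    bytes: int = 0


class FlowCache:
    """NDE flow cache with inactive, active and forced aging (example model, not H3C code)."""

    def __init__(self, inactive_timeout=30.0, active_timeout=1800.0,
                 max_entries=100000, on_full="age_oldest"):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.max_entries = max_entries
        self.on_full = on_full      # "age_oldest" or "disable_new": the two actions in the text
        self.entries = {}           # key -> FlowEntry
        self.exported = []          # (reason, key, packets, bytes) records "sent" to the server

    def _export(self, entry, reason):
        self.exported.append((reason, entry.key, entry.packets, entry.bytes))

    def packet(self, now, key, length):
        """Account one packet; returns False if the cache is full and new entries are disabled."""
        entry = self.entries.get(key)
        if entry is None:
            if len(self.entries) >= self.max_entries:
                if self.on_full == "disable_new":
                    return False    # the packet is counted nowhere: a visibility gap
                oldest = min(self.entries.values(), key=lambda e: e.first_seen)
                self._export(oldest, "forced")
                del self.entries[oldest.key]
            entry = self.entries[key] = FlowEntry(key, now, now)
        entry.packets += 1
        entry.bytes += length
        entry.last_seen = now
        return True

    def age(self, now):
        """Periodical aging: run on every timer tick."""
        for entry in list(self.entries.values()):
            if now - entry.last_seen >= self.inactive_timeout:
                self._export(entry, "inactive")     # entry leaves the cache
                del self.entries[entry.key]
            elif now - entry.first_seen >= self.active_timeout:
                self._export(entry, "active")       # entry stays; counters restart (assumption)
                entry.packets = entry.bytes = 0
                entry.first_seen = now

    def clear(self):
        """Forced aging: export and drop every entry (the 'clear the cache' action)."""
        for entry in list(self.entries.values()):
            self._export(entry, "forced")
        self.entries.clear()


# Constructed flow keys (src IP, dst IP, src port, dst port, proto, ToS, input interface)
WEB = ("10.0.0.1", "192.0.2.10", 40000, 80, 6, 0, "GE1/0/1")
DNS = ("10.0.0.1", "192.0.2.53", 53000, 53, 17, 0, "GE1/0/1")
SSH = ("10.0.0.2", "192.0.2.22", 50000, 22, 6, 0, "GE1/0/2")


def demo_periodical():
    """Short timers so the three aging cases fire within a few minutes of simulated time."""
    cache = FlowCache(inactive_timeout=30, active_timeout=120)
    cache.packet(0, WEB, 100)
    cache.packet(0, DNS, 60)
    for t in (10, 20):
        cache.packet(t, WEB, 100)
    cache.age(40)                       # DNS idle for 40 s -> inactive export; WEB still active
    for t in (50, 80, 110):
        cache.packet(t, WEB, 100)
    cache.age(125)                      # WEB alive for 125 s -> active export, entry kept
    cache.packet(130, WEB, 100)
    cache.age(170)                      # WEB idle for 40 s -> inactive export
    return cache.exported


def demo_forced(on_full):
    """Cache limited to two entries; a third flow triggers the configured full-cache action."""
    cache = FlowCache(max_entries=2, on_full=on_full)
    cache.packet(0, WEB, 100)
    cache.packet(1, DNS, 60)
    accepted = cache.packet(5, SSH, 80)
    return accepted, cache.exported, set(cache.entries)
```

The "disable_new" branch is the one to watch operationally: once the cache is full, packets of every new flow are simply not accounted, so a burst of short flows (a scan, for instance) can push the cache into a state where the traffic you most want to see is the traffic that is not exported. Size the cache and the inactive timer accordingly.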

NetStream export formats

NetStream exports data in UDP datagrams in one of the following formats. Because the transport is plain UDP, export datagrams carry no authentication or integrity protection and are lost silently when dropped, so keep the path from the NDE to the NetStream server on the management network.

·     Version 5—Exports original statistics collected based on the 7-tuple elements and does not support NetStream aggregation data export. The packet format is fixed and cannot be extended.

·     Version 8—Supports NetStream aggregation data export. The packet format is fixed and cannot be extended.

·     Version 9—Template based. The NDE exports template records, in the template formats defined in the relevant RFCs, that describe the layout of the data records that follow; a server can decode a data record only after it has received the matching template. Version 9 supports exporting NetStream aggregation data and collecting statistics about BGP next hop and MPLS packets.

·     Version 10—Similar to version 9. The difference is that the version 10 export format is compliant with the IPFIX standard (its packet header and template set identifiers differ from version 9).
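The template mechanism shared by version 9 and version 10, as an added example (illustration code written for this page, not H3C, IMC or any collector's code): an exporter side that builds either a NetStream v9 datagram or an IPFIX datagram, and a minimal collector that caches templates per exporter and decodes data sets only once it holds the matching template. The element IDs are the IANA IPFIX information element IDs; template ID 256, the sample flow, the export time and the observation domain are constructed for the example. It also shows the two concrete differences between the versions (20-byte v9 header with a record count, 16-byte IPFIX header with a length; template set ID 0 versus 2), and what happens to data records that arrive before any template: the bytes cannot be interpreted, which is exactly why an exporter that sends no templates (see the bidirectional NetStream restriction later in this document) can only be paired with a server that already knows the record layout.

```python
import struct
from ipaddress import IPv4Address

# IANA IPFIX information elements for the sample template, as (ID, length); v9 uses the same IDs.
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]
IE_NAMES = {8: "sourceIPv4Address", 12: "destinationIPv4Address", 7: "sourceTransportPort",
            11: "destinationTransportPort", 4: "protocolIdentifier",
            2: "packetDeltaCount", 1: "octetDeltaCount"}
TEMPLATE_ID = 256       # set IDs below 256 are reserved for template and options sets
EXPORT_TIME = 1600000000  # constructed export timestamp


def encode_record(flow):
    """Pack one flow in the fixed layout described by TEMPLATE_FIELDS (21 bytes)."""
    return struct.pack("!4s4sHHBII", IPv4Address(flow["src"]).packed, IPv4Address(flow["dst"]).packed,
                       flow["sport"], flow["dport"], flow["proto"], flow["packets"], flow["octets"])


def build_export(version, flows, with_template=True, domain=1, seq=0):
    """Build one export datagram: version 9 (NetStream v9) or 10 (IPFIX)."""
    sets = b""
    if with_template:
        body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
        body += b"".join(struct.pack("!HH", ie, ln) for ie, ln in TEMPLATE_FIELDS)
        set_id = 0 if version == 9 else 2           # template set ID differs between v9 and IPFIX
        sets += struct.pack("!HH", set_id, 4 + len(body)) + body
    body = b"".join(encode_record(f) for f in flows)
    pad = (-(4 + len(body))) % 4                    # sets are padded to a 4-byte boundary
    sets += struct.pack("!HH", TEMPLATE_ID, 4 + len(body) + pad) + body + b"\0" * pad
    if version == 9:    # v9 header: record count, sysUptime, unixSecs, sequence, source ID
        count = len(flows) + (1 if with_template else 0)
        header = struct.pack("!HHIIII", 9, count, 0, EXPORT_TIME, seq, domain)
    else:               # IPFIX header: total length, export time, sequence, observation domain
        header = struct.pack("!HHIII", 10, 16 + len(sets), EXPORT_TIME, seq, domain)
    return header + sets


class Collector:
    """Minimal NSC: remembers templates per exporter domain and decodes data sets with them."""

    def __init__(self):
        self.templates = {}     # (domain, template ID) -> [(IE, length), ...]
        self.flows = []
        self.undecodable = 0    # data sets seen before their template: bytes cannot be interpreted

    def feed(self, datagram):
        version = struct.unpack("!H", datagram[:2])[0]
        if version == 9:
            domain = struct.unpack("!HHIIII", datagram[:20])[5]
            pos, end, template_set = 20, len(datagram), 0
        elif version == 10:
            _, length, _, _, domain = struct.unpack("!HHIII", datagram[:16])
            pos, end, template_set = 16, length, 2
        else:
            raise ValueError("unsupported export version %d" % version)
        while pos + 4 <= end:
            set_id, set_len = struct.unpack("!HH", datagram[pos:pos + 4])
            if set_len < 4:
                raise ValueError("malformed set length")   # never loop on a zero-length set
            body = datagram[pos + 4:pos + set_len]
            if set_id == template_set:
                self._templates(domain, body)
            elif set_id >= 256:
                self._data(domain, set_id, body)
            pos += set_len          # options templates and other set IDs are skipped here

    def _templates(self, domain, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
            if nfields == 0:        # padding (or an IPFIX template withdrawal)
                break
            self.templates[(domain, tid)] = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i])
                                             for i in range(nfields)]
            pos += 4 + 4 * nfields

    def _data(self, domain, tid, body):
        fields = self.templates.get((domain, tid))
        if fields is None:
            self.undecodable += 1
            return
        rec_len = sum(ln for _, ln in fields)
        for off in range(0, len(body) - rec_len + 1, rec_len):   # trailing padding is ignored
            rec, pos = {}, off
            for ie, ln in fields:
                raw = body[pos:pos + ln]
                pos += ln
                rec[IE_NAMES.get(ie, "ie%d" % ie)] = (str(IPv4Address(raw)) if ie in (8, 12)
                                                      else int.from_bytes(raw, "big"))
            self.flows.append(rec)


SAMPLE_FLOW = {"src": "10.0.0.1", "dst": "192.0.2.10", "sport": 40000, "dport": 80,
               "proto": 6, "packets": 5, "octets": 1025}    # constructed


def demo(version):
    """A data set arrives first (undecodable), then a datagram carrying template plus data."""
    nsc = Collector()
    nsc.feed(build_export(version, [SAMPLE_FLOW], with_template=False))
    nsc.feed(build_export(version, [SAMPLE_FLOW], with_template=True, seq=1))
    return nsc
```

Because templates are sent periodically and only over UDP, a collector restarted mid-stream decodes nothing until the next template refresh, and a spoofed template from an attacker-controlled source would silently change how genuine data records are interpreted; keying the template cache on the exporter's observation domain and source address, as above, limits the first problem only to the degree that the exporter address can be trusted on the network path.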

NetStream mirroring

NetStream mirroring copies packets that pass through the device to a NetStream module for collecting traffic statistics. The forwarding performance of the device is not affected.

NetStream mirroring has the following types:

·     NetStream flow mirroring—Copies the packets that meet specific QoS match criteria to a NetStream module.

·     NetStream port mirroring—Copies the packets passing through an interface to a NetStream module by using the sampler.

NetStream filtering

NetStream filtering uses an ACL to identify packets. Whether NetStream collects data for identified packets depends on the action in the matching rule.

·     NetStream collects data for packets that match permit rules in the ACL.

·     NetStream does not collect data for packets that match deny rules in the ACL.

For more information about ACL, see ACL and QoS Configuration Guide.

NetStream sampling

You can use NetStream together with a sampler. If sampled statistics are sufficient to reflect the network status, enable NetStream sampling and set a suitable sampling interval to reduce the volume of NetStream data, which lessens the impact on device performance. Keep in mind that sampled packet and byte counts must be scaled by the sampling interval on the analyzer, and that flows with very few packets may not be captured at all. For more information about sampling, see sampler configuration in Network Management and Monitoring Configuration Guide.

Session-based NetStream

Session-based NetStream provides statistics for session-based services and exports the statistics in NetStream v9 format to NetStream servers. Session-based bidirectional NetStream can collect statistics about intranet traffic and analyze the abnormal intranet traffic.

NetStream module-based implementation

NetStream module

You can implement unidirectional NetStream or session-based bidirectional NetStream on a device simply by installing an LSWM2FPGA or LSWM2FPGAB NetStream interface module on the device. There is no need for device replacement or upgrade.

A NetStream-capable device can implement NetStream mirroring to mirror only the desired traffic to the NetStream interface module. The field programmable gate array (FPGA) chip in the NetStream module then analyzes the mirrored traffic and creates NetStream entries. This approach saves ACL resources and improves NetStream entry creation performance on the device.

Figure 2 LSWM2FPGA NetStream interface module

 

Figure 3 LSWM2FPGAB NetStream interface module

 

Table 1 NetStream interface module specifications

Item                                                           Specifications
Number of unidirectional NetStream entries that can be cached  128,000
Number of bidirectional NetStream entries that can be cached   64,000
Flow entry refresh interval                                    Bidirectional NetStream: 200 seconds
                                                               Unidirectional NetStream: 400 seconds
Ports used for internal communications with the device         2 × 10GE ports (one for the control channel, one for the service channel)
Firmware version                                               V101 or later

 

Mechanism

NetStream flow entry creation

Creation of unidirectional NetStream flow entries

With NetStream sampling enabled on the device, NetStream copies each captured packet to the NetStream interface module. The NetStream interface module creates a unidirectional NetStream entry for the packet based on the packet's 7-tuple (source and destination IP addresses, source and destination port numbers, protocol, ToS, and inbound or outbound interface). Upon receiving subsequent packets with the same 7-tuple, NetStream updates the packet and byte counters of that flow entry.

Table 2 shows an example of unidirectional NetStream flow entries.

Table 2 Unidirectional NetStream flow entries

Time          Source IP  Source port  Destination IP  Destination port  ToS  Protocol  Interface   Sent packets  Sent packet bytes
10:20:21.000  1.1.1.1    1024         2.2.2.2         80                0    TCP       GE1/0/1(I)  5             1025
10:20:22.000  2.2.2.2    80           1.1.1.1         1024              0    TCP       GE1/0/1(O)  17            28712

(I) and (O) mark the inbound and outbound direction on the interface. Note that each direction of the same TCP connection is a separate unidirectional entry.

 

Creation of session-based bidirectional NetStream flow entries

With NetStream flow mirroring enabled, the device mirrors each captured packet to the inline interface of the NetStream interface module. The NetStream interface module first creates two unidirectional flow entries, one per direction, and then merges them into one bidirectional flow entry that records the statistics of the entire session. One unidirectional entry is keyed by the packet's 7-tuple (source and destination IP addresses, source and destination MAC addresses, source and destination port numbers, and protocol). The other is keyed by the same 7-tuple with the source and destination IP addresses, MAC addresses, and port numbers reversed. Upon receiving subsequent packets of the session, NetStream updates the corresponding bidirectional flow entry.

Table 3 shows an example of a bidirectional NetStream flow entry.

Table 3 Bidirectional NetStream table

Time          Client IP  Client MAC  Client port  Server IP  Server MAC  Server port  Protocol  Packets sent by client  Bytes sent by client  Packets sent by server  Bytes sent by server
10:20:21.000  1.1.1.1    0-0-1       1024         2.2.2.2    0-0-2       80           TCP       5                       1025                  4                       1000
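The two entry types side by side, as an added example (illustration code written for this page, not the FPGA module's logic): unidirectional entries keyed by the Table 2 7-tuple, and session entries that match a packet either by its Table 3 7-tuple or by the reversed tuple and then count it on the client or server side. Which side is the client is an assumption of the model (the direction seen first); the MAC addresses, ports, packet sizes and timings are constructed so that one exchange reproduces the Table 3 totals. The second demo also reproduces the behaviour described under Restrictions: because session entries only leave the cache through inactive aging, a new session on the same tuple that starts before the old entry is exported is counted together with it.

```python
def uni_key(p):
    """7-tuple of a unidirectional entry (Table 2 columns)."""
    return (p["sip"], p["dip"], p["sport"], p["dport"], p["proto"], p["tos"], p["iface"])


def bi_key(p):
    """7-tuple of a session entry (Table 3 columns): addresses, MACs, ports, protocol."""
    return (p["sip"], p["dip"], p["smac"], p["dmac"], p["sport"], p["dport"], p["proto"])


def reverse(key):
    sip, dip, smac, dmac, sport, dport, proto = key
    return (dip, sip, dmac, smac, dport, sport, proto)


class UniCache:
    def __init__(self):
        self.entries = {}

    def packet(self, p):
        e = self.entries.setdefault(uni_key(p), {"packets": 0, "bytes": 0})
        e["packets"] += 1
        e["bytes"] += p["len"]


class BiCache:
    """Session entries. Assumption: the direction seen first is the client side."""

    def __init__(self, inactive_timeout=30.0):
        self.inactive_timeout = inactive_timeout
        self.entries = {}       # client->server 7-tuple -> counters
        self.exported = []

    def packet(self, p, now):
        key = bi_key(p)
        if key in self.entries:
            e, side = self.entries[key], "client"
        elif reverse(key) in self.entries:      # reversed 7-tuple: the server->client half
            e, side = self.entries[reverse(key)], "server"
        else:
            e = self.entries[key] = {"client_packets": 0, "client_bytes": 0,
                                     "server_packets": 0, "server_bytes": 0}
            side = "client"
        e[side + "_packets"] += 1
        e[side + "_bytes"] += p["len"]
        e["last_seen"] = now

    def age(self, now):
        """Only inactive aging exists for bidirectional NetStream."""
        for key, e in list(self.entries.items()):
            if now - e["last_seen"] >= self.inactive_timeout:
                self.exported.append((key, e))
                del self.entries[key]


def pkt(sip, dip, smac, dmac, sport, dport, length):
    return {"sip": sip, "dip": dip, "smac": smac, "dmac": dmac, "sport": sport,
            "dport": dport, "proto": 6, "tos": 0, "iface": "GE1/0/1", "len": length}


def http_session(t0):
    """Constructed exchange with the Table 3 totals: 5 packets/1025 bytes out, 4/1000 back."""
    c = [pkt("1.1.1.1", "2.2.2.2", "0-0-1", "0-0-2", 1024, 80, 205) for _ in range(5)]
    s = [pkt("2.2.2.2", "1.1.1.1", "0-0-2", "0-0-1", 80, 1024, 250) for _ in range(4)]
    order = [c[0], s[0], c[1], s[1], c[2], s[2], c[3], s[3], c[4]]
    return [(t0 + 0.1 * i, p) for i, p in enumerate(order)]


def demo_unidirectional():
    cache = UniCache()
    for _, p in http_session(0):
        cache.packet(p)
    return cache.entries            # two entries, one per direction


def demo_bidirectional(gap):
    """Two sessions on the same 7-tuple, the second starting `gap` seconds after the first ends."""
    cache = BiCache(inactive_timeout=30)
    for t, p in http_session(0):
        cache.packet(p, t)
    cache.age(1 + gap)              # timer tick just before the second session starts
    for t, p in http_session(1 + gap):
        cache.packet(p, t)
    cache.age(1 + gap + 100)        # final tick: everything is idle now
    return cache.exported
```

With a gap shorter than the inactive timer, demo_bidirectional returns one exported session carrying both exchanges (10 client packets), which is the merging the Restrictions section warns about; with a longer gap it returns two. A detection rule that keys on per-session counts (for example "server sent more than N bytes per session") therefore sees different values depending on how quickly the same ports are reused.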

 

Support for NetStream flow aging

Unidirectional NetStream supports both periodical aging and forced aging.

Session-based bidirectional NetStream supports only inactive flow aging of the periodical aging method.

Support for NetStream export formats

Unidirectional NetStream supports version 5, 9, and 10 export formats.

Session-based bidirectional NetStream supports only the version 9 export format.

Restrictions

NetStream modules

The NetStream interface module requires loading of the firmware (.rbf file) which is not packaged in the .ipe file. Before loading the firmware, obtain the .rbf file and upload it to the flash of the device. If you do not have the firmware, contact H3C Support.

By default, the device does not support NetStream interface modules. To enable support for NetStream, perform the following steps:

1.     Upload the firmware (.rbf file) for a NetStream working mode to the flash of the device.

2.     Execute the fpga-working-mode command to specify the mode related to the firmware.

The unidirectional and bidirectional NetStream modes require different firmware files and they cannot function at the same time.

3.     Restart the device.

To update a firmware for the NetStream interface module without changing the NetStream mode:

1.     Upload the .rbf file of the new version to the flash of the device.

2.     Remove and reinstall the NetStream interface module.

 

 

NOTE:

·     The firmware names for unidirectional and bidirectional NetStream are in the format of SSAE_CS_FUNC1_Vxxx.rbf and SSAE_CS_FUNC2_Vxxx.rbf, respectively, where xxx represents the firmware version number.

·     When multiple versions of the firmware for the same NetStream feature exist in the flash, the device automatically selects the firmware with the highest version number.

 

The maximum packet length that a NetStream interface module can process varies by module model. An LSWM2FPGA or LSWM2FPGAB NetStream interface module can process packets of up to 1518 bytes; longer packets are not processed by the module. Set an appropriate MTU value on the switch so that mirrored packets fit within this limit and NetStream statistics are collected correctly.

Unidirectional NetStream

A device enabled with unidirectional NetStream sends template records to the NetStream server, and the server parses the data records it receives according to those templates. Both the H3C IMC platform and third-party IPFIX-compliant platforms can therefore act as the NetStream server.

When collecting statistics about VXLAN packets, NetStream collects only the inner layer information of VXLAN packets.

Unidirectional NetStream sampling and sFlow are mutually exclusive. You cannot enable them at the same time.

In an IRF fabric, unidirectional NetStream cannot collect statistics about the internal traffic within the IRF fabric.

Bidirectional NetStream

A device enabled with bidirectional NetStream does not send template records to the NetStream server, so a generic IPFIX collector cannot interpret its data records. Only the H3C threat discovery and security operations platform can act as the NetStream server.

Bidirectional NetStream cannot collect statistics about VXLAN packets.

Bidirectional NetStream supports only periodical aging (specifically, inactive flow aging) because it collects traffic statistics per simulated session.

The device cannot mirror the same traffic to multiple destinations. Therefore, do not configure another mirroring destination for traffic that is already mirrored to the inline interface of the NetStream module.

As a best practice, install a NetStream interface module on the master device of an IRF fabric.

Bidirectional NetStream might misidentify different short-lived TCP sessions between the same parties as the same session. For example, if two parties finish an old session and then set up a new session before the flow entry for the old session is exported, NetStream considers the new session as a continuation of the old session, and counts the new and old sessions together.

Support for NetStream interface modules

The following devices support installation of NetStream interface modules to provide unidirectional or bidirectional NetStream:

·     H3C S5560X switch series in F6509 or later versions.

·     H3C S6520X switch series in F6509 or later versions.

Application scenarios

Unidirectional NetStream

As shown in Figure 4, install a NetStream interface module on the switch at the aggregation layer, upload the firmware file for unidirectional NetStream to the switch, and enable NetStream in the inbound direction of all interfaces. The switch can then collect statistics about traffic from the R&D department, management department, marketing department, and finance department, and send the data to the IMC platform for storage and analysis.

Based on the analysis results of the IMC platform, the network administrator can calculate bandwidth usage of each department and optimize the network to avoid network congestion and improve bandwidth utilization.

Figure 4 Network diagram

 

Bidirectional NetStream

As shown in Figure 5, install a NetStream interface module on the switch at the aggregation layer, upload the firmware file for bidirectional NetStream to the switch, and enable NetStream in the inbound and outbound directions of all interfaces. The switch can then collect session traffic statistics between the departments and Internet, and send the data to the threat discovery and security operations platform. Based on analysis of the collected session traffic statistics, the threat discovery and security operations platform can detect and troubleshoot network anomalies such as abnormal internal server-to-Internet connections.

Figure 5 Network diagram

 

References

RFC 5101, Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information (obsoleted by RFC 7011)