Monday, January 12, 2015

Huawei NetStream (Netflow) RFC Compability ?

Netflow, which has become a de-facto industry standard, is a network protocol developed by Cisco for collecting IP information and monitoring network traffic. Other vendors also support other alternative flow protocols like: 

  •  Juniper® (Jflow)
  •  3Com/HP® , Dell® , and Netgear® (s-flow)
  •  Huawei® (NetStream)
  •  Alcatel-Lucent® (Cflow)
  •  Ericsson® (Rflow)

By analizing the flow data you can draw a map of your traffic, sources and destinations, determine the normal flow values thus analyze ddos attacks, and much more. 

A sample configuration for Huawei is:

ip netstream export version 9
ip netstream sampler fix-packets 1000 inbound
ip netstream sampler fix-packets 1000 outbound
ip netstream export source 
ip netstream export host  9996
ip netstream export template timeout-rate 1
ip netstream timeout active 1
ip netstream timeout inactive 5
ip netstream tcp-flag enable
ip netstream mpls-aware label-and-ip

 ip netstream inbound
 ip netstream sampler fix-packets 1000 inbound

 ip netstream sampler to slot self

In production, based on the configuration above, we realized that packet sequence numbers, from a NE40X series router, does not increase sequentially as defined in RFC3954:

   Sequence Number
         Incremental sequence counter of all Export Packets sent from
         the current Observation Domain by the Exporter.  This value
         MUST be cumulative, and SHOULD be used by the Collector to
         identify whether any Export Packets have been missed. were .....

Instead the sequence numbers were increasing by former flow record (21, 9 21, 16,21 ...) count,

NetStream V9:
1          0.000000        CFLOW           1326   SEQ:510215546       total: 21 (v9) records
3          0.100533        CFLOW           606    SEQ:510215567       total: 9 (v9) records
4          0.163794        CFLOW           1326   SEQ:510215576       total: 21 (v9) records
5          0.264529        CFLOW           1026   SEQ:510215597       total: 16 (v9) records
6          0.327319        CFLOW           1326   SEQ:510215613       total: 21 (v9) records

which can be formalized as:

  • "SEQ2=SEQ1+counter"

In VRP, for Netstream to be compatible with RFC, sequence-mode configuration must be configured exclusively as it is not the default behavior.

 [HUAWEI] slot x
 [HUAWEI-slot-x] ip netstream export sequence-mode packet

As sequence numbers are followed by SourceID in collectors, using "cflow.source_id==4" filter in wireshark (for this specific case) we verified that the problem is gone.

If you examine the capture carefully, you might see that there still is a little problem which is: even the sequence ID is the same, there is an extra packet which's flow number is not lined up.

If you are working with a Huawei router, be careful that many features that you expect it to work in default, must be exclusively configured.  I will share these commands in another post, hopefully.

You could contiue reading Part 2:


Post a Comment


Internetworking Hints Copyright © 2011 -- Template created by O Pregador -- Powered by Blogger