Collecting Statistics About IPv4 Original Flows
Before collecting statistics about IPv4 original flows, familiarize yourself with the usage scenario, complete the pre-configuration tasks, and obtain the data required for the configuration.
Usage Scenario
On the network shown in Figure 3-2, a carrier enables NetStream on the router functioning as an NDE to obtain detailed network application information. The carrier can use the information to monitor abnormal network traffic, analyze users' operation modes, and plan networks between ASs.
Statistics about original flows are collected based on the 7-tuple information. The NetStream Data Exporter (NDE) samples IPv4 flows passing through it, collects statistics about sampled flows, encapsulates the aging NetStream original flows into UDP packets, and sends the packets to the NetStream Collector (NSC) for processing. Unlike collecting statistics about aggregated flows, collecting statistics about original flows imposes less impact on NDE performance. Original flows consume more storage space and network bandwidth resources because the volume of original flows is greater than that of aggregated flows.
Pre-configuration Tasks
Before collecting the statistics about IPv4 original flows, configure static routes or enable an IGP to implement network connectivity.
Configuration Procedures
- Specifying a NetStream Service Processing Mode
After sampling packets, each NetStream-enabled interface board sends the sampled packets to the NetStream service processing board for aggregation and output. If the NE20E has more than one NetStream service processing board, these boards work in redundancy mode to back up each other and balance traffic, which improves system reliability.
- Outputting Original Flows
To ensure that original flows can be correctly output to the NMS, configure the aging time, output format, and source and destination addresses for original flows.
- (Optional) Configuring NetStream Monitoring Services
NetStream services can be configured on the NetStream Data Exporter (NDE) to enable carriers to implement finer-grained traffic statistics and management over IPv4 original flows.
- (Optional) Adjusting the AS Field Mode and Interface Index Type
Before the NetStream Collector (NSC) can properly receive and parse NetStream packets output by the NetStream Data Exporter (NDE), the AS field modes and interface index types configured on the NDE must be the same as those on the NSC.
- (Optional) Enabling Statistics Collection of TCP Flags
There are six flag bits (URG, ACK, PSH, RST, SYN, and FIN) in a TCP packet header. The flag bits, together with the destination IP address, source IP address, destination port number, and source port number of a TCP packet, identify the function and status of the TCP packet on a TCP connection. TCP flags can be extracted from packets. Their statistics can be collected and sent to the NMS. The NMS checks the traffic volume of each flag to determine whether the network is under attack by TCP packets.
- (Optional) Configuring NetStream Interface Option Packets and Setting Option Template Refreshing Parameters
This section describes how to configure NetStream interface option packets and set option template refreshing parameters.
- Sampling IPv4 Flows
You can enable NetStream to sample and analyze the incoming or outgoing flows on an interface.
- Verifying the Configuration of Statistics Collection of IPv4 Original Flows
In routine maintenance or after NetStream configurations are complete, you can run the display commands in any view to view the running status of NetStream functions.
Specifying a NetStream Service Processing Mode
After sampling packets, each NetStream-enabled interface board sends the sampled packets to the NetStream service processing board for aggregation and output. If the NE20E has more than one NetStream service processing board, these boards work in redundancy mode to back up each other and balance traffic, which improves system reliability.
Context
NetStream services can be processed in the following modes:
Distributed mode
An interface board samples packets, aggregates flows, and outputs flows.
The ip netstream sampler to slot command has the same function as the ipv6 netstream sampler to slot command.
- The execution of either command takes effect on all packets, and there is no need to configure both of them. If it is required to configure both of them, ensure that NetStream service processing modes are the same. A mode inconsistency causes an error.
Outputting Original Flows
To ensure that original flows can be correctly output to the NMS, configure the aging time, output format, and source and destination addresses for original flows.
Procedure
- Run system-view
The system view is displayed.
- (Optional) Run ip netstream export version { 5 [ origin-as | peer-as ] | 9 [ origin-as | peer-as ] [ bgp-nexthop ] [ ttl ] | ipfix [ origin-as | peer-as ] [ bgp-nexthop ] [ ttl ] }
The output format of original flows is configured.
NetStream original flow packets support V5 and V9 as well as IPFIX packet formats. V5, IPFIX, and V9 packet formats are mutually exclusive.
The V9 format allows the output original flows to carry more variable statistics, to expand newly defined flow elements more flexibly, and to generate new records more easily.
Compared with the V9 format, the IPFIX format improves packet extensibility and compatibility, security, and reliability. In addition, the IPFIX format has an enterprise identifier field added. When setting this field, you must use the IPFIX format for the outputting of NetStream IPv4 original flows.
The V5 format is fixed, and the system cost is low. In most cases, NetStream original flows are output in V5 format. In any of the following situations, NetStream original flows must be output in V9 format or IPFIX:
- NetStream original flows need to carry BGP next-hop information.
- Interface indexes carried in the output NetStream original flows need to be extended from 16 bits to 32 bits.
- (Optional) Configure NetStream packets to carry the flow sequence field.
Run slot slot-id
The view of the slot in which the interface board for NetStream sampling resides is displayed.
Run ip netstream export sequence-mode flow
NetStream packets are configured to carry the flow sequence field.
Run quit
The system view is displayed.
NOTE:
The command applies to the V9 format only.
- (Optional) Run ip netstream export template sequence-number fixed
The sequence numbers of template packets and option template packets in IPFIX format are configured to remain unchanged, but data packets and option data packets in IPFIX format are still consecutively numbered.
- (Optional) Run ip netstream export template timeout-rate timeout-interval
The interval at which the template for outputting original flows in the V9 or IPFIX format is refreshed is set.
- Run ip netstream export source { ip-address | ipv6 ipv6-address }
The source IP address is specified for original flows.
- Specify the destination IP address and UDP port number of the peer NSC for NetStream original flows in the system or slot view.
In the system view:
Run ip netstream export host { ip-address | ipv6 ipv6-address } port [ vpn-instance vpn-instance-name ] [ dscp dscp-value ]
The destination IP address and UDP port number of the peer NSC are specified for NetStream original flows to be output.
In the slot view:
Run slot slot-id
The view of the slot in which the interface board for NetStream sampling resides is displayed.
Run ip netstream export host { ip-address | ipv6 ipv6-address } port [ vpn-instance vpn-instance-name ] [ dscp dscp-value ]
The destination IP address and UDP port number of the peer NetStream Collector (NSC) are specified for NetStream original flows to be output.
Run quit
The system view is displayed.
- (Optional) Set parameters for aging original flows as needed.
Run ip netstream timeout { active active-interval | active interval-second active-interval-second }
The active aging time is set for NetStream original flows.
Run ip netstream timeout inactive inactive-interval
The inactive aging time is set for NetStream original flows.
- Run commit
The configuration is committed.
(Optional) Configuring NetStream Monitoring Services
NetStream services can be configured on the NetStream Data Exporter (NDE) to enable carriers to implement finer-grained traffic statistics and management over IPv4 original flows.
Context
The increasing variety of services and applications on networks requires carriers to provide finer-grained management and accounting services.
If NetStream is configured on multiple interfaces on an NDE, all interfaces send traffic statistics to a single NetStream Collector (NSC). The NSC cannot distinguish interfaces, and therefore, cannot manage or analyze traffic statistics based on interfaces. In addition, the NSC will be overloaded due to a great amount of information.
NetStream monitoring configured on an NDE allows the NDE to send traffic statistics collected on specified interfaces to specified NSCs for analysis, which achieves interface-specific service monitoring. Traffic statistics can be balanced among these NSCs.
Procedure
- Run system-view
The system view is displayed.
- Run ip netstream monitor monitor-name
A NetStream monitoring service is created and its view is displayed. If a NetStream monitoring service view already exists, the view is displayed.
- Run ip netstream export host [ ip-address | ipv6 ipv6-address ] port [ vpn-instance vpn-instance-name ] [ version { 5 | 9 | ipfix } ] [ dscp dscp-value ]
The destination IP address and destination port number for traffic statistics are specified.
- Run quit
The system view is displayed.
- Run interface interface-type interface-number
The interface view is displayed.
- Run ip netstream monitor monitor-name { inbound | outbound }
NetStream monitoring services are configured in the inbound or outbound direction of an interface.
NOTE:
If NetStream monitoring services have been configured on the interface, statistics about original flows are sent to the destination IP address specified in the NetStream monitoring service view, not the system view.
- Run commit
The configuration is committed.
(Optional) Adjusting the AS Field Mode and Interface Index Type
Before the NetStream Collector (NSC) can properly receive and parse NetStream packets output by the NetStream Data Exporter (NDE), the AS field modes and interface index types configured on the NDE must be the same as those on the NSC.
Context
AS field mode: The length of the AS field in IP packets can be set to 16 bits or 32 bits. Devices on a network must use the same AS field mode. An AS field mode inconsistency causes NetStream to fail to sample inter-AS traffic.
If the 32-bit AS field mode is used, the NMS must identify the 32-bit AS field. If the NMS cannot identify the 32-bit AS field, the NMS fails to identify inter-AS traffic sent by devices.
Interface index: The NMS uses an interface index carried in a NetStream packet output by the NDE to query information about the interface that sends the packet. The interface index can be 16 or 32 bits long. The index length is determined by NMS devices of different vendors. Therefore, the NDE must use a proper interface index type that is also supported by the NMS.
Procedure
- Run system-view
The system view is displayed.
- Run ip netstream as-mode { 16 | 32 }
The AS field mode is specified on the router.
- Run ip netstream export index-switch { 16 | 32 }
The type of the interface index carried in the NetStream packet output by the router is configured.
An interface index can be changed from 16 bits to 32 bits only after the following conditions are met:
- Original flows are output in V9 or IPFIX format.
- The NetStream packet format for all aggregated flows is V9 or IPFIX format.
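Why field widths and template timing matter on the NSC side, as an added example that is not Huawei code: a template-driven decoder reads 16-bit and 32-bit interface index and AS fields correctly, skips data that arrives before its template (the reason for the template refresh interval set earlier), and shows what a collector fixed at 16-bit widths would read from a 32-bit record. It assumes NetStream V9 follows the NetFlow v9 layout and field type IDs of RFC 3954; all sample values are constructed.

```python
import struct
# Field type IDs from NetFlow v9 (RFC 3954); assumption: NetStream V9 uses them.
NAMES = {8: "src_ip", 10: "in_if", 16: "src_as", 2: "packets"}
HDR = struct.Struct("!HHIIII")   # version, count, uptime, secs, sequence, source_id

def decode_records(body, fields):
    """Cut a data flowset body into records using (type, length) pairs."""
    size = sum(length for _, length in fields)
    if not size:
        return []
    records = []
    for start in range(0, len(body) - size + 1, size):   # trailing padding is skipped
        rec, pos = {}, start
        for ftype, length in fields:
            if ftype in NAMES:
                rec[NAMES[ftype]] = int.from_bytes(body[pos:pos + length], "big")
            pos += length
        records.append(rec)
    return records

def decode_v9(datagram, templates):
    """Return (flows, undecodable_sets); `templates` persists across datagrams."""
    version, *_, source_id = HDR.unpack_from(datagram)
    if version != 9:
        raise ValueError("not a V9 datagram")
    flows, undecodable, pos = [], 0, HDR.size
    while pos + 4 <= len(datagram):
        set_id, set_len = struct.unpack_from("!HH", datagram, pos)
        if set_len < 4 or pos + set_len > len(datagram):
            raise ValueError("bad flowset length")
        body = datagram[pos + 4:pos + set_len]
        if set_id == 0:                               # template flowset
            off = 0
            while off + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, off)
                raw = body[off + 4:off + 4 + 4 * n]
                templates[source_id, tid] = list(struct.iter_unpack("!HH", raw))
                off += 4 + 4 * n
        elif set_id >= 256:                           # data flowset
            fields = templates.get((source_id, set_id))
            if fields:
                flows += decode_records(body, fields)
            else:
                undecodable += 1                      # template not seen yet
        pos += set_len
    return flows, undecodable

def packet(*sets, source_id=1):      # sample builder: (flowset_id, payload) pairs
    body = b"".join(struct.pack("!HH", sid, len(p) + 4) + p for sid, p in sets)
    return HDR.pack(9, len(sets), 0, 0, 0, source_id) + body

# Constructed samples: one flow from 192.0.2.1 with 16-bit and 32-bit fields.
TPL16 = (0, struct.pack("!10H", 256, 4, 8, 4, 10, 2, 16, 2, 2, 4))
TPL32 = (0, struct.pack("!10H", 257, 4, 8, 4, 10, 4, 16, 4, 2, 4))
DATA16 = (256, struct.pack("!IHHI", 0xC0000201, 7, 64512, 10))
DATA32 = (257, struct.pack("!IIII", 0xC0000201, 70000, 4200000001, 10))

def demo():
    seen = {}
    early = decode_v9(packet(DATA32), seen)           # data before its template
    good, _ = decode_v9(packet(TPL16, DATA16, TPL32, DATA32), seen)
    # Hypothetical collector hard-wired to 16-bit widths reads a 32-bit record:
    wrong = decode_records(DATA32[1], [(8, 4), (10, 2), (16, 2), (2, 4)])
    return early, good, wrong
```

The misparsed record still looks plausible (interface 1, AS 4464), so a width mismatch between NDE and NSC shows up as wrong attribution, not as a parse error.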
(Optional) Enabling Statistics Collection of TCP Flags
There are six flag bits (URG, ACK, PSH, RST, SYN, and FIN) in a TCP packet header. The flag bits, together with the destination IP address, source IP address, destination port number, and source port number of a TCP packet, identify the function and status of the TCP packet on a TCP connection. TCP flags can be extracted from packets. Their statistics can be collected and sent to the NMS. The NMS checks the traffic volume of each flag to determine whether the network is under attack by TCP packets.
Procedure
- Run system-view
The system view is displayed.
- Run ip netstream tcp-flag enable
Statistics collection of TCP flags is enabled.
An original flow for each flag value is created. If statistics collection for TCP flags is enabled, the number of original flows will greatly increase.
- Run commit
The configuration is committed.
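How an NMS could check the traffic volume of each flag value, as an added example that is not Huawei code: it parses V5 export datagrams, scales sampled packet counts by the sampling interval, and reports destinations whose TCP traffic is dominated by SYN-without-ACK flows. It assumes the V5 output follows the NetFlow v5 layout and that the NDE fills the header's sampling field; the thresholds and the sample datagram are constructed.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire layout (assumption: NetStream V5 export follows it).
HEADER = struct.Struct("!HHIIIIBBH")             # 24-byte datagram header
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48-byte flow record
TCP, SYN, ACK = 6, 0x02, 0x10

def parse_v5(datagram):
    """Return (sampling_interval, records) for one export datagram."""
    version, count, *_, sampling = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not a V5 datagram (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram")
    interval = (sampling & 0x3FFF) or 1          # low 14 bits; 0 = unsampled
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({"dst": str(IPv4Address(f[1])), "packets": f[5],
                        "flags": f[12], "proto": f[13]})
    return interval, records

def flag_volume(datagrams):
    """Estimated packets per destination and per exact TCP flag value."""
    volume = defaultdict(lambda: defaultdict(int))
    for datagram in datagrams:
        interval, records = parse_v5(datagram)
        for r in records:
            if r["proto"] == TCP:
                # Scale sampled counts back up by the sampling interval.
                volume[r["dst"]][r["flags"]] += r["packets"] * interval
    return volume

def syn_heavy(volume, min_syn=1000, ratio=0.9):
    """Destinations where SYN-without-ACK packets dominate TCP traffic."""
    suspects = {}
    for dst, by_flag in volume.items():
        syn = sum(n for flags, n in by_flag.items() if (flags & (SYN | ACK)) == SYN)
        if syn >= min_syn and syn / sum(by_flag.values()) >= ratio:
            suspects[dst] = syn
    return suspects

def build_v5(interval, flows):
    """Construct a sample datagram from (src, dst, packets, flags, proto)."""
    out = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0x4000 | interval)
    for src, dst, pkts, flags, proto in flows:
        out += RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0, 1, 2,
                           pkts, pkts * 60, 0, 0, 40000, 443, 0, flags, proto,
                           0, 0, 0, 0, 0, 0)
    return out

# Constructed sample: one datagram sampled at 1:1000, documentation addresses.
SAMPLE = build_v5(1000, [
    ("198.51.100.7", "192.0.2.10", 40, 0x02, 6),    # SYN only
    ("198.51.100.8", "192.0.2.10", 35, 0x02, 6),    # SYN only
    ("198.51.100.9", "192.0.2.10", 3, 0x18, 6),     # PSH|ACK
    ("198.51.100.9", "192.0.2.20", 2, 0x02, 6),     # SYN only
    ("198.51.100.9", "192.0.2.20", 50, 0x10, 6),    # ACK
    ("198.51.100.9", "192.0.2.10", 500, 0x00, 17),  # UDP, ignored
])
```

Because an original flow is created for each flag value once TCP flag statistics are enabled, keying the counts on the exact flag byte keeps SYN-only flows separate from SYN+ACK replies.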
(Optional) Configuring NetStream Interface Option Packets and Setting Option Template Refreshing Parameters
This section describes how to configure NetStream interface option packets and set option template refreshing parameters.
Context
No matter whether traffic statistics are exported as original flows or aggregated flows, option packet data is exported to the NetStream Collector (NSC) as a supplement. In this way, the NetStream Data Exporter (NDE) can obtain information, such as the sampling ratio and whether the sampling function is enabled, to reflect the actual network traffic.
- Interface option packets: These packets are used to send the NetStream configurations of all the boards on the NDE to the NSC in a scheduled manner. The configurations cover the interface index, statistics collection direction, and sampling value in the inbound/outbound direction.
- Time application label (TAL) option packets: These packets are used to send application label data to the NSC. The application label option function provides data, such as the application type of system labels, for users to collect L3VPN NetStream statistics.
Option packets, which are independent of statistics packets, are exported to the NSC in V9 or IPFIX format. Therefore, the required option template is sent to the NMS for parsing option packets. You can set option template refreshing parameters as needed to regularly refresh the template to notify the NSC of the latest option template format.
Procedure
- Configure interface option packets to be exported in V9 or IPFIX format.
- Run the system-view command to enter the system view.
- Run the ip netstream export template option sampler command to enable the function of exporting statistics about interface option packets.
- Set option template refreshing parameters for interface option packets to be exported in V9 or IPFIX format.
Sampling IPv4 Flows
You can enable NetStream to sample and analyze the incoming or outgoing flows on an interface.
Context
If a NetStream-enabled interface is bound to a VPN instance, all packets in the VPN instance are sampled.
Procedure
- Run system-view
The system view is displayed.
- Configure the sampling mode and sampling ratio. Perform at least one of the following steps:
Configure a sampling mode and sampling ratio globally:
Run ip netstream sampler { fix-packets fix-packets-number | random-packets random-packets-number | fix-time fix-time-value } { inbound | outbound }
The sampling mode and sampling ratio are configured globally.
Run interface interface-type interface-number
The interface view is displayed.
Configure a sampling mode and sampling ratio for the interface:
Run interface interface-type interface-number
The interface view is displayed.
Run ip netstream sampler { fix-packets fix-packets-number | random-packets random-packets-number | fix-time fix-time-value } { inbound | outbound }
The sampling mode and sampling ratio are configured for the interface.
NOTE:
The sampling mode and sampling ratio configured in the system view are applicable to all interfaces on the device. The sampling mode and sampling ratio configured in the interface view take precedence over those configured in the system view.
- Run ip netstream { inbound | outbound }
NetStream is enabled on the interface.
Statistics about packets' BGP next-hop information can also be collected. Original flows output in V5 format, however, cannot carry the BGP next-hop information.
- Run commit
The configuration is committed.
Verifying the Configuration of Statistics Collection of IPv4 Original Flows
In routine maintenance or after NetStream configurations are complete, you can run the display commands in any view to view the running status of NetStream functions.
Procedure
- Run the display ip netstream cache origin slot slot-id command to check information about the NetStream buffer.
NOTE:
If the NetStream sampling function is configured in the outbound direction on a logical interface, running the command displays only information about the NetStream buffer of the physical interface on which the logical interface is configured.
- Run the display ip netstream statistics slot slot-id command to view statistics about NetStream flows.
- Run the display netstream { all | global | interface interface-type interface-number } command to check NetStream configurations in different views.
- Run the display ip netstream statistics interface interface-type interface-number command to view the statistics about the sampled packets on an interface.
- Run the display ip netstream monitor { all | monitor-name } command to check the monitoring information about IPv4 original flows.
- Run the display ip netstream cache origin statistics slot slot-id command to view original flow table specifications and the number of current flows of a specific board.
Example
<HUAWEI> display ip netstream cache origin slot 1
 DstIf                         SrcIf
 DstP                          Msk          Pro           Tos
 SrcP                          Msk          Flags         Ttl
 Packets                       Bytes
 NextHop                       Direction
 DstIP                         DstAs
 SrcIP                         SrcAs
 BGP: BGP NextHop              TopLabelType
 Label1                        Exp1         Bottom1
 Label2                        Exp2         Bottom2
 Label3                        Exp3         Bottom3
 TopLabelIpAddress             VlanId       VniId
 --------------------------------------------------------------------------
 Unknown                       GigabitEthernet0/1/0
 0                             0            253           0
 0                             0            0             60
 3                             384
 0.0.0.0                       in
 192.172.133.151               0
 192.172.131.151               0
 0.0.0.0                       UNKNOWN
 0                             0            0
 0                             0            0
 0                             0            0
 0.0.0.0                       0            0

 Unknown                       GigabitEthernet0/1/1
 0                             0            253           0
 0                             0            0             60
 1                             128
 0.0.0.0                       in
 192.173.81.232                0
 192.173.79.232                0
 0.0.0.0                       UNKNOWN
 0                             0            0
 0                             0            0
 0                             0            0
 0.0.0.0                       0            0
<HUAWEI> display ip netstream statistics slot 1
Netstream statistic information on slot 1:
--------------------------------------------------------------------------------
length of packets      Number        Protocol      Number
--------------------------------------------------------------------------------
1    ~ 64         :    0             IPV4     :    2779
65   ~ 128        :    985           IPV6     :    0
129  ~ 256        :    1             MPLS     :    0
257  ~ 512        :    360           L2       :    0
513  ~ 1024       :    360           Total    :    2779
1025 ~ 1500       :    357
longer than 1500  :    716
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Aggregation     Current Streams  Aged Streams  Created Streams  Exported Packets  Exported Streams
--------------------------------------------------------------------------------
origin          2                92            94               65                92
as              0                0             0                0                 0
as-tos          0                0             0                0                 0
protport        0                0             0                0                 0
protporttos     0                0             0                0                 0
srcprefix       0                0             0                0                 0
srcpretos       0                0             0                0                 0
dstprefix       0                0             0                0                 0
dstpretos       0                0             0                0                 0
prefix          0                0             0                0                 0
prefix-tos      0                0             0                0                 0
mpls-label      0                0             0                0                 0
vlan-id         0                0             0                0                 0
bgp-nhp-tos     0                0             0                0                 0
index-tos       0                0             0                0                 0
src-index-tos   0                0             0                0                 0
bgp-community   0                0             0                0                 0
vni-sip-dip     0                0             0                0                 0
system:
bbbb            0                0             0                0                 0
aaaa            0                0             0                0                 0
bbbb            0                0
all-aggre       2                92            94               65                92
--------------------------------------------------------------------------------
srcprefix = source-prefix, srcpretos = source-prefix-tos,
dstprefix = destination-prefix, dstpretos = destination-prefix-tos,
protport = protocol-port, protporttos = protocol-port-tos,
src-index-tos = source-index-tos,
all-aggre = all aggregation streams
"---" means that the current board is not supported.
<HUAWEI> display ip netstream statistics interface GigabitEthernet0/1/0
Netstream statistic information of <GigabitEthernet0/1/0>:
Inbound :
  IPV4  :1000 Bytes, 10 Packets
  IPV6  :1000 Bytes, 10 Packets
  MPLS  :0 Bytes, 0 Packets
  Total :2000 Bytes, 20 Packets
Outbound :
  IPV4  :1000 Bytes, 10 Packets
  IPV6  :1000 Bytes, 10 Packets
  MPLS  :0 Bytes, 0 Packets
  Total :2000 Bytes, 20 Packets
Run the display netstream { all | global | interface interface-type interface-number } command to view NetStream configurations in different views.
<HUAWEI> display netstream all
system
 ip netstream export version 9 origin-as
 ip netstream timeout active 50
 ip netstream timeout inactive 10
 ip netstream export source 10.1.1.1
 ip netstream export host 4.4.4.4 10000
 ip netstream aggregation as
  enable
  export version 9
  ip netstream export source 1.1.1.2
  ip netstream export host 3.3.3.3 555
  ip netstream export host 1.1.1.2 55
slot 1
interface GigabitEthernet0/1/3
 ip netstream sampler fix-packets 1000 inbound
Slot
 Slot 1:ip netstream sampler to slot 2
Run the display ip netstream monitor { all | monitor-name } command to view the monitoring information about IPv4 original flows.
<HUAWEI> display ip netstream monitor monitora
Monitor monitora
ID : 1
AppCount : 0
Address Port
1.1.1.1 1
2.2.2.2 2
------------------------------------------------------------
<HUAWEI> display ip netstream cache origin statistics slot 1
-------------------------------------------
Total Streams       Current Streams
-------------------------------------------
1048576             1000