CCIE NetStream technology overview
The rapid development of the Internet provides users with higher bandwidth, and the supported services and applications are increasing. Traditional traffic statistics such as SNMP, port mirroring, etc., cannot meet the requirements due to inflexible traffic statistics methods or the high cost of investing in dedicated servers. For more detailed network management, a new technology is needed to better support network traffic statistics. NetStream technology is a statistical technology based on network flow information, which can perform statistics and analysis on the business traffic on the network. NetStream can be deployed on the access layer, convergence layer, and core layer of the network.
NetStream technology provides packet statistics based on “flow”, which can sample the inbound and outbound traffic on each port of a network device. The sampled packets are based on key values in the packets (such as source IP address, destination IP address). , Source port number, destination port number, etc.) classify and count the traffic in the network, and can also filter and aggregate the statistical data. Of course, you can also customize a specific template, and classify and count the traffic in the network according to the template.
The applications of NetStream technology are as follows:
1. Billing: NetStream provides fine data for billing based on the occupancy of resources (such as lines, bandwidth, time periods, etc.).
2. Network planning: NetStream can provide key information for network management tools, such as network traffic conditions between various AS domains, to achieve the best network performance and reliability with minimal network operating costs.
3. Network monitoring: By deploying NetStream at the exit, real-time traffic monitoring of the interface connected to the Internet network can be used to analyze the export bandwidth occupied by various services.
4. User monitoring and analysis: NetStream technology can easily obtain detailed information about the user’s use of network and application resources, and ensure the safe operation of the network.
NetStream technology system composition:
1. NDE (NetStream Data Exporter, network traffic sampling). NDE is responsible for collecting and sending network flows, extracting qualified flows for statistics, and outputting statistics to NSC equipment. Data can also be processed before output, such as aggregation. The device configured with NetStream function plays the role of NDE in the NetStream system.
2. NSC (NetStream Collector, network traffic collection). NSC is usually an application running on Unix or Windows. It is responsible for collecting and storing messages from NDE, and collecting statistical data into a database for NDA to analyze. NSC can collect data output from multiple NDE devices, and further filter and aggregate the data.
3. NDA (NetStream Data Analyzer, network traffic analysis). NDA is a network traffic analysis tool. It extracts statistical data from the database, performs further processing, generates reports, and provides basis for various businesses (such as traffic accounting, network planning, attack monitoring). Generally, NDA has a graphical user interface that allows users to easily obtain, display, and analyze the collected data.
NetStream flow aging mechanism:
NetStream flow aging is a means for the device to export flow statistics to the NSC. When the NetStream function is enabled on the device, stream statistics are first stored in the NetStream buffer of the device. When the NetStream flow information stored on the device ages, the device sends the flow statistics in the buffer to the NSC through NetStream output packets of the specified version.
NetStream flow aging has the following four mechanisms:
Timely aging, forced aging, TCP FIN and RST packets trigger aging, and aging when statistical bytes exceed the limit.
1. Timely aging is divided into the following two methods: inactive and active flow aging.
Inactive flow aging: Starting from the last packet, if the flow is not collected within the specified inactive flow aging time, the device will output the statistics of the flow to the NSC. This aging is called inactive flow Ageing. Through this aging, useless entries in the NetStream buffer on the device can be cleared, making full use of statistics entry resources.
Active flow aging: Starting from the first packet, the flow can be collected within the specified active flow aging time. After the active time exceeds the set active flow aging time, the statistical information of the flow needs to be output. This aging is called active flow aging.
2. Forced aging: By executing the forced aging command, the user can age all flows in the NetStream buffer and clear the NetStream buffer information.
3. TCP FIN and RST packets trigger aging: For TCP connections, when a packet marked as FIN or RST is sent, it means that a session is over. Therefore, when a packet marked as FIN or RST flows in an existing TCP protocol NetStream flow, the corresponding NetStream flow can be aged out immediately.
4. Aging when statistics bytes exceed the limit: The stream in the Netstream buffer area needs to record the number of message bytes that flow through. When the number of bytes exceeds a custom variable, the stream will overflow, so the system is detecting a certain When the number of bytes in a stream exceeds the limit, to avoid counting errors, the stream will be aged immediately.
The network flow output refers to the process of outputting the aging flow to the NSC when the flow in the Netstream buffer reaches the aging condition, so that the NSC can form a database for subsequent analysis.
Netstream stream output method
1. Original stream output: All stream information must be counted. After the stream aging condition is reached, all streams in the Netstream buffer area must be output to the Netstream server. The advantage is that you can know the detailed statistics of each stream. The disadvantage is that it consumes a lot of network resources and CPU resources.
2. Aggregated stream output: On the basis of the original stream, the streams are classified and aggregated, and the streams that can “represent” most of the streams are extracted and uploaded to the Netstream server to obtain aggregated statistical information, which can save network resource overhead and CPU Load.
3. Flexible flow output: This method is the most flexible. You can customize the conditions for forming a flow. These conditions can be protocol number, source and destination IP address, source and destination port number, etc., so as to carry out classified flow statistics and get the most desired The stream statistics to be obtained. It also reduces the consumption of network bandwidth.