Understanding NetStream
This section describes the mechanism of NetStream.
NetStream Working Mechanism
NetStream systems work as follows:
- An NDE periodically exports detailed data about flows to an NSC.
- The NSC processes the data and sends it to an NDA.
- The NDA analyzes the data for applications such as accounting and network planning.
In practice, the NSC and NDA are integrated on a NetStream server.
In most cases, FW functions as NDE in a NetStream system.
- Samples packets (see NetStream Packet Sampling).
- Creates a flow based on the collected data (see NetStream Flows)
- Ages out the flow (see NetStream Flow Aging).
- Exports the flow statistics (see NetStream Flow Statistics Exporting).
NetStream Packet Sampling
Packet sampling takes samples of incoming traffic in adjustable intervals so that only the statistics of sampled packets are collected. This reduces the impact of NetStream on device performance and the statistics show the flow status of the entire network.
The FW supports packet-based regular sampling. In this mode, one packet is sampled out of a fixed number of packets. For example, if the number of packets is set to 100 and packet sampling starts from the 5th packet, the 105th packet is sampled and so on.
NetStream Flows
NetStream provides packet statistics based on flows and supports statistics about IP packets (including UDP, TCP, and ICMP packets).
- For IPv4 packets, IPv4 NetStream defines a flow based on the:
- Destination IP address
- Source IP address
- Destination port number
- Source port number
- Protocol number
- ToS
- Inbound or outbound interface
- For IPv6 packets, IPv6 NetStream defines a flow based on the:
- Destination IP address
- Source IP address
- Destination port number
- Source port number
- Protocol number
- Traffic class
- Flow label
- Inbound or outbound interface
NetStream Flow Aging
Certain current flows must be deleted to release memory for the successive flows. This is because the number of flows across the network burst up in a short time, Thousands of flows can be generated in a few seconds. The process for deleting flows to release memory is called flow aging.
Four flow aging modes are available:
Scheduled flow aging
Flows are aged if the inactive period (from the time when the last packet is received to the current time) times out. Flows are also aged if the active period (from the time when the first packet passes to the current time) times out. If the inactive period times out, flows in the cache are immediately aged regardless of whether the active period times out. Active and inactive timeout values can be manually set or use the default values. The default active timeout period is 30 minutes, and the inactive timeout value is 30 seconds.
Aging triggered by TCP FIN and RST packets
For a TCP connection, the sending of the packet carrying the FIN or RST flag bit indicates that the TCP session is closed. Therefore, if a NetStream TCP flow contains the packet with the FIN or RST flag bit, the system can immediately age this TCP flow.
Aging triggered by excessive statistics bytes
The flow in the cache records the number of passed bytes. When the number of bytes exceeds the specified upper limit, the cache overflows. Therefore, when the system detects that the total bytes in a flow exceed 3.63 Gb, the system immediately ages the flow.
Forcible aging
You can run the reset ip netstream statistics command to age all flows in the current cache.
NetStream Flow Statistics Exporting
Displaying original flows: After the NetStream module collects the statistics on the aged NetStream flows, the system generates UDP packets carrying the statistics and sends the packets to the NSC. The NSC then flexibly processes the received flow records. This process increases the usage of bandwidth and the CPU of the routing device. In addition, to store the flow records, additional memory capacity is required. This increases the load on devices.
Displaying aggregated flows: After the NetStream module collects the statistics on the aged NetStream flows, the system classifies the raw statistics based on certain rules to aggregate flows. The aggregated flows are sent in UDP packets. Aggregating original flows decreases bandwidth and CPU usages and saves memory. Table 1 lists the currently supported aggregation modes.
Aggregation Mode |
Description |
|---|---|
as |
Flows are classified based on four key values: source autonomous system (AS) ID, destination AS ID, index of the inbound interface, and index of the outbound interface. Flows with the same four key values are aggregated into one flow, and one aggregation flow record is generated. |
protocol-port |
Flows are classified based on three key values: protocol ID, source port, and destination port. Flows with the same three key values are aggregated into one flow, and one aggregation flow record is generated. |
protocol-port-tos |
Flows are classified based on six key values: protocol ID, source port, destination port, ToS field, index of the inbound interface, and index of the outbound interface. Flows with the same six key values are aggregated into one flow, and one aggregation flow record is generated. |
source-prefix |
Flows are classified based on four key values: AS ID, length of the source mask, prefix of the source address, and index of the inbound interface. Flows with the same four key values are aggregated into one flow, and one aggregation flow record is generated. |
destination-prefix |
Flows are classified based on four key values: AS ID, length of the destination address mask, prefix of the destination address, and index of the outbound interface. Flows with the same four key values are aggregated into one flow, and one aggregation flow record is generated. |
- V5: NetStream packets use a fixed format and contain the original flow statistics collected based on 7-tuple information.
- V8: NetStream packets use a fixed format and support the aggregation exporting format.
- V9: NetStream packets are defined in profiles and support the exporting of BGP next hop. Statistical items can be combined, allowing more flexibility for exporting statistics.