Network Traffic Observability using Flow
Rather than attempt to collect all the Flow data for future processing, we are aiming for a small data Flow approach where flow data is broken down into interface level (i.e. metrics are from a specific interface's perspective).
Flow data can be overwhelming, so a "discovery" mechanism would be helpful to get a digest of the data (devices, interfaces) without needing to provide detailed metrics. This could be used to observe what devices and interfaces are being referenced in the flow datagrams being received. This information could then be used to craft policy/handler/filter configurations, whether manually or automatically.
Metrics (aggregated by device):
-
flow_records_total- how much flow data is being received? -
flow_top_(in|out)_interfaces_(bytes|packets)- what are the most active interfaces for this device?
Metric Labels:
- IP address of the device
- SNMP ifIndex of the interfaces
- Optionally, the enriched device name and interface names
- A concatenated
device|interfacelabel
Sample Policy:
handlers:
modules:
flow_discovery:
config:
enrichment: false
topn_count: 20
type: flow
metric_groups:
enable:
- byBytes
- interfaces
disable:
- byPacketsOur hypothesis is that the bulk of the flow reporting is done based on interface metrics. These metrics provide a specific interface's perspective on the network traffic and should be easy to leverage in building reports, dashboards and alerting rules.
Sample Static Policy
handlers:
modules:
flow_192.168.2.1_544:
config:
enrichment: true #default is true
mute_dynamic_ports: true #default is true
filter:
device: 192.168.2.1
interface: 544
type: flow
metric_groups:
enable:
- top_ports
- top_ips
- top_ip_ports
- top_geo
- cardinality
disable:
- interfaces
- top_conversationsSample Automatic Policy (preferred)
handlers:
modules:
flow_192.168.2.1:
config:
max_interfaces_per_device: 5 #default is 16
enrichment: true #default is true
mute_dynamic_ports: true #default is true
filter:
device: 192.168.2.1
interfaces: [*]
type: flow
metric_groups:
enable:
- top_ports
- top_ips
- top_ip_ports
- top_geoMetrics and Metric Groups
- ByPackets
-
_packetsmetrics should be returned
-
- ByBytes
-
_bytesmetrics should be returned
-
- Counters
flow_records_filteredflow_records_totalflow_(in|out)_(bytes|packets)flow_(in|out)_tcp_(bytes|packets)flow_(in|out)_udp_(bytes|packets)flow_(in|out)_other_l4_(bytes|packets)flow_(in|out)_ipv4_(bytes|packets)flow_(in|out)_ipv6_(bytes|packets)
- TopPorts
flow_top_(in|out)_(dst|src)_port_(bytes|packets)
- TopIPs
flow_top_(in|out)_(dst|src)_ip_(bytes|packets)
- TopIP_Ports
flow_top_(in|out)_(dst|src)_ip_port_(bytes|packets)
- TopGeo
flow_top_(in|out)_asn_(bytes|packets)flow_top_(in|out)_geo_loc_(bytes|packets)
- Cardinality
flow_top_(in|out)_cardinality_(dst|src)_(ip|port)
- TopConversations
flow_cardinality_conversationsflow_top_conversations_(bytes|packets)
- TopInterfaces
flow_top_(in|out)_interface_(bytes|packets)
Flow collection should be configurable to calculate metrics only for specific devices and interfaces observed in the flow datagrams. Ideally this filter could be specified within a single policy handler, avoiding the need to manually create multiple hander configurations for each device or each device|interface. The filter should support wildcards ("all"), where cardinality could be controlled using configurable limits:
max_devices_per_handler: 16 #default is 10max_interfaces_per_device: 10 #default is 5
Compact Proposal (using wildcards):
config:
max_devices_per_handler: 16
max_interfaces_per_device: 10
filter:
device_interfaces:
all: [all]Compact Proposal:
filter:
device_interfaces:
192.168.2.1: [all]
192.168.2.2: [6,7,8]Verbose Proposal:
filter:
devices:
router01:
interfaces: all
ip: 192.168.2.1
label: "Branch X Router"
switch02:
interfaces:
- ge0/0:
ifIndex: 6
label: "Service Provider Link"
- ge0/1:
ifIndex: 7
label: "Uplink to Campus"
- ge1/0:
ifIndex: 8
label: "Connection to firewall"
ip: 192.168.2.2
label: "Branch X Switch"
