Blog

Huawei NetFlow Support

Move over Cisco, Huawei Technologies also offers user flow export options with Flexible NetFlow support.

Huawei’s Netstream works much like Cisco’s NetFlow. The Netstream process gathers detailed data about flows and stores them to a cache table. Netstream then processes the flow data from the cache table and sends it to a NetFlow analyzer where the data can be used for application performance monitoring and network planning.

There are export options for flow sampling, aggregation, and flow record content depending on how and what you are monitoring and how you need to export and report.

Now let’s get to why we are here!

After aging flows in the NetStream cache, the flow statistics are exported to a specified collector. Original, aggregation, and flexible flow statistics are exported as packets of Version 5, 8, or 9 NetFlow.

Flow Statistics Exporting Modes

Original flow statistics exporting

In original flow statistics exporting mode, we collect statistics about all flows. After the aging timer expires, Netstream exports statistics about each flow to the collector.

Aggregation flow statistics exporting

Netstream aggregates flow statistics with the same aggregation entry values and exports the aggregation flow statistics to a specified collector. This mode greatly saves network bandwidth.

For example, there are four original TCP flows. They have the same source port number, destination port number, and destination IP address, but different source IP addresses. The protocol-port mode is used. Aggregation entries in this mode include protocol number, source port number, and destination port number. The four TCP flows have the same protocol number, source port number, and destination port number, so only one aggregation flow statistical record is recorded in the aggregation flow statistics table.

After NetStream sampling and aging are configured, you must configure aggregation keywords and exported packet attributes, and enable the aggregation function in the aggregation view.

This example uses the protocol-port aggregation mode:

[Huawei] ip netstream aggregation protocol-port
[Huawei-aggregation-protport] ip netstream export source 10.1.1.10
[Huawei-aggregation-protport] ip netstream export host 10.1.1.12 9996
[Huawei-aggregation-protport] enable

Flexible flow statistics exporting

Flexible flows are established based on customized flow record configuration. Users can configure flow statistics collection based on the protocol type, DSCP field, source IP address, destination IP address, source port number, destination port number, or flow label, as required.

Compared to original flow statistics exporting, flexible flow statistics exporting occupies less traffic and provides users with a flexible way to collect NetStream statistics.

This example uses the source IP address as the match in the flexible flow statistics template:

[Huawei] ip netstream export source 10.1.1.10
[Huawei] ip netstream export host 10.1.1.02 9996
[Huawei] ip netstream record test

[Huawei-record-test] match ip source-address
[Huawei-record-test] collect counter bytes
[Huawei-record-test] collect counter packets
[Huawei-record-test] collect interface input
[Huawei-record-test] collect interface output
[Huawei-record-test] quit

You must bind the flexible flow statistics template to the interface before enabling the NetStream statistics collection function on the interface by running the port ip netstream record command before the ip netstream command. If you run the ip netstream command first on the interface, the interface collects statistics about original flows.

[Huawei] interface gigabitethernet 1/0/1
[Huawei-GigabitEthernet1/0/1] port ip netstream record test

[Huawei-GigabitEthernet1/0/1] ip netstream inbound
[Huawei-GigabitEthernet1/0/1] ip netstream outbound

When configuring a flexible flow statistics template, you can configure one or more Match keywords. When you configure multiple keywords such as the source IP address and destination IP address, only the packets with the same source IP address and same destination IP address are added to the flow. The Collect keywords define what other fields will be present in the flow records.

Let’s take a look at a running Netstream configuration. Notice in this case we are sampling every 100th packet; we are also aggregating flow records on Autonomous System tags and another on Protocol, Application Port, and Class of Service.

Huawei Netstream Configuration showing Sampling and Flow Aggregation

See how multiple templates were exported and how we are reporting across multiple templates with different NetFlow versions:

Huawei: Advanced Netstream Reporting

In this configuration the exported flow records are version 5, for the sampled original flows, and version 8, for both aggregated flow records.

Exported packets of version 9 are easy to expand and can be flexibly exported based on the template. V9 supports the exporting of IPv6 and BGP next-hop information. I would usually recommend that you set the version of exported packets to V9, and when using a flexible netflow record you must use V9.

For exporting statistics about original and flexible flows, you can run the following command to set the version of exported packets to V9:

[Huawei] ip netstream export version 9

For exporting statistics about aggregation flows, you can run the following commands to set the version of exported packets to V9

(This example uses the protocol-port aggregation mode):

[Huawei] ip netstream aggregation protocol-port
[Huawei-aggregation-protport] export version 9

Now that you know that you have NetFlow support on your Huawei devices, what kind of flow volume are you seeing?  Let us show you how you can optimize the exports.