In this blog, I will go over Gigamon NetFlow support. As you’ve probably seen if you follow our blogs, many new devices now support NetFlow/IPFIX, and Gigamon is no different. Gigamon has created some highly advanced network taps that can generate NetFlow/IPFIX and send that data to an external collector for further reporting. This can be a huge help to those of you who have devices on your network that do not natively support NetFlow/IPFIX. Now, with the help of Gigamon, you can get visibility in areas where it would otherwise be impossible. Below, I will outline the different NetFlow exports that Gigamon can do, as well as the different versions.

Gigamon NetFlow/IPFIX Support:

The following 3 NetFlow protocol formats are available in the Gigamon NetFlow implementation. I would verify that your NetFlow monitoring tool supports one or all of the following to ensure you don’t run into issues down the road.

  1. NetFlow v5
  2. NetFlow v9
  3. IPFIX
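To check which of these three formats an exporter is actually sending before pointing it at a collector, the version field in the first two bytes of each export datagram is enough. The following is an added example, not Gigamon or Plixer code; `identify_export` and the sample datagrams are constructed for illustration.

```python
import struct

# Export header layouts, all big-endian. The first 16 bits are always the version.
V5_HDR = struct.Struct("!HHIIIIBBH")  # NetFlow v5: 24 bytes, then 48-byte records
V9_HDR = struct.Struct("!HHIIII")     # NetFlow v9 (RFC 3954): 20 bytes
IPFIX_HDR = struct.Struct("!HHIII")   # IPFIX (RFC 7011): 16 bytes, version = 10
HDR_SIZE = {5: V5_HDR.size, 9: V9_HDR.size, 10: IPFIX_HDR.size}


def identify_export(datagram: bytes) -> dict:
    """Classify one UDP export payload and decode its header (hypothetical helper)."""
    if len(datagram) < 2:
        raise ValueError("too short to carry a version field")
    (version,) = struct.unpack_from("!H", datagram)
    if version not in HDR_SIZE:
        raise ValueError(f"unsupported export version {version}")
    if len(datagram) < HDR_SIZE[version]:
        raise ValueError(f"truncated header for version {version}")
    if version == 5:
        _, count, _, secs, _, seq, _, _, _ = V5_HDR.unpack_from(datagram)
        # v5 records have a fixed size, so the count must match the payload.
        if len(datagram) != V5_HDR.size + 48 * count:
            raise ValueError("v5 record count does not match datagram size")
        return {"format": "NetFlow v5", "count": count,
                "export_time": secs, "sequence": seq}
    if version == 9:
        _, count, _, secs, seq, source_id = V9_HDR.unpack_from(datagram)
        return {"format": "NetFlow v9", "count": count, "export_time": secs,
                "sequence": seq, "source_id": source_id}
    # Version 10: the second field is the total message length, not a count.
    _, length, secs, seq, domain = IPFIX_HDR.unpack_from(datagram)
    if not IPFIX_HDR.size <= length <= len(datagram):
        raise ValueError("IPFIX length field inconsistent with datagram size")
    return {"format": "IPFIX", "length": length, "export_time": secs,
            "sequence": seq, "observation_domain": domain}


# Constructed sample datagrams (not captured traffic).
SAMPLE_V5 = V5_HDR.pack(5, 1, 1000, 1700000000, 0, 42, 0, 0, 0) + bytes(48)
SAMPLE_V9 = V9_HDR.pack(9, 0, 1000, 1700000000, 7, 1)
SAMPLE_IPFIX = IPFIX_HDR.pack(10, 16, 1700000000, 3, 1)

if __name__ == "__main__":
    for sample in (SAMPLE_V5, SAMPLE_V9, SAMPLE_IPFIX):
        print(identify_export(sample))
```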

NetFlow/IPFIX Record Configuration:

For NetFlow v5, the Gigamon solution comes with a pre-defined NetFlow v5 record, which is not user-editable.

IPFIX Support

For NetFlow v9 and IPFIX records, the user is able to configure record fields (both keys and non-keys) as mentioned below.

The user can specify the number of ‘match’ key fields in a NetFlow record. The different supported combinations are mentioned in the table below.

                parameters
    datalink    mac source
                mac destination
                vlan
    ipv4        dscp
                header-length
                id
                option-map
                precedence
                protocol
                tos
                version
                destination address
                destination mask [minimum-mask <mask>]
                destination prefix
                fragmentation flags
                fragmentation id
                fragmentation offset
                section header-size <size>
                section payload-size <size>
                source address
                source mask [minimum-mask <mask>]
                source prefix
                total-length
                ttl
    ipv6        dscp
                flow-label
                next-header
                payload-length
                precedence
                protocol
                traffic-class
                version
                destination address
                destination mask [minimum-mask <mask>]
                destination prefix
                extension-map
                fragmentation flags
                fragmentation id
                fragmentation offset
                hop-limit
                length header
                length payload
                length total
                section header-size <size>
                section payload-size <size>
                source address
                source mask [minimum-mask <mask>]
                source prefix
    transport   destination-port
                igmp type
                source-port
                icmp ipv4 code
                icmp ipv4 type
                icmp ipv6 code
                icmp ipv6 type
                udp destination-port
                udp message-length
                udp source-port
                tcp ack-number
                tcp destination-port
                tcp flags [ack] | [cwr] | [ece] | [fin] | [psh] | [rst] | [syn] | [urg]
                tcp header-length
                tcp sequence-number
                tcp source-port
                tcp urgent-pointer
                tcp window-size

 

The user can also specify the number of ‘collect’ non-key fields in a NetFlow record. The different supported combinations are mentioned in the table below.

    collect_type   parameters
    counter        bytes [long]
                   packets [long]
    datalink       dot1q vlan
                   mac source
                   mac destination
                   vlan
    ipv4           dscp
                   header-length
                   id
                   option-map
                   precedence
                   protocol
                   tos
                   version
                   destination address
                   destination mask [minimum-mask <mask>]
                   destination prefix
                   fragmentation flags
                   fragmentation id
                   fragmentation offset
                   section header-size <size>
                   section payload-size <size>
                   source address
                   source mask [minimum-mask <mask>]
                   source prefix
                   total-length [minimum]
                   total-length [maximum]
                   ttl
    ipv6           dscp
                   flow-label
                   next-header
                   payload-length
                   precedence
                   protocol
                   traffic-class
                   version
                   destination address
                   destination mask [minimum-mask <mask>]
                   destination prefix
                   extension-map
                   fragmentation flags
                   fragmentation id
                   fragmentation offset
                   hop-limit [maximum]
                   hop-limit [minimum]
                   length header
                   length payload
                   length total [maximum]
                   length total [minimum]
                   section header-size <size>
                   section payload-size <size>
                   source address
                   source mask [minimum-mask <mask>]
                   source prefix
    timestamp      sys-uptime first
                   sys-uptime last
    transport      destination-port
                   igmp type
                   source-port
                   icmp ipv4 code
                   icmp ipv4 type
                   icmp ipv6 code
                   icmp ipv6 type
                   udp destination-port
                   udp message-length
                   udp source-port
                   tcp ack-number
                   tcp destination-port
                   tcp flags [ack] | [cwr] | [ece] | [fin] | [psh] | [rst] | [syn] | [urg]
                   tcp header-length
                   tcp sequence-number
                   tcp source-port
                   tcp urgent-pointer
                   tcp window-size
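How the choice of ‘match’ (key) and ‘collect’ (non-key) fields shapes the exported records is easiest to see on a small flow cache. This is an added example, not Gigamon code: the packet tuples are constructed, the short field names are assumptions mapped to the table keywords in comments, and it shows that removing one key field merges otherwise distinct connections into a single record.

```python
# Constructed packets: (time, src, dst, proto, sport, dport, bytes, tcp_flags)
PACKETS = [
    (0.0, "10.0.0.5", "192.0.2.10", 6, 50001, 443, 60, 0x02),   # SYN
    (0.1, "10.0.0.5", "192.0.2.10", 6, 50001, 443, 52, 0x10),   # ACK
    (0.2, "10.0.0.5", "192.0.2.10", 6, 50001, 443, 500, 0x18),  # PSH+ACK
    (0.3, "10.0.0.5", "192.0.2.10", 6, 50002, 443, 60, 0x02),   # SYN
    (1.5, "10.0.0.5", "192.0.2.10", 6, 50003, 443, 60, 0x02),   # SYN
    (2.0, "10.0.0.9", "192.0.2.53", 17, 40000, 53, 80, 0x00),   # UDP
]
FIELDS = ("time", "src", "dst", "proto", "sport", "dport", "bytes", "flags")

# Key sets (hypothetical names). In the table's terms: ipv4 source address,
# ipv4 destination address, ipv4 protocol, transport source-port / destination-port.
FIVE_TUPLE = ("src", "dst", "proto", "sport", "dport")
NO_SRC_PORT = ("src", "dst", "proto", "dport")


def build_flow_cache(packets, match):
    """Group packets by the 'match' fields and accumulate the 'collect' fields."""
    cache = {}
    for pkt in packets:
        p = dict(zip(FIELDS, pkt))
        key = tuple(p[name] for name in match)
        rec = cache.setdefault(key, {"bytes": 0, "packets": 0,
                                     "first": p["time"], "last": p["time"],
                                     "tcp_flags": 0})
        rec["bytes"] += p["bytes"]                    # counter bytes
        rec["packets"] += 1                           # counter packets
        rec["first"] = min(rec["first"], p["time"])   # timestamp sys-uptime first
        rec["last"] = max(rec["last"], p["time"])     # timestamp sys-uptime last
        rec["tcp_flags"] |= p["flags"]                # transport tcp flags (OR of all seen)
    return cache


if __name__ == "__main__":
    for name, match in (("5-tuple key", FIVE_TUPLE), ("no source-port", NO_SRC_PORT)):
        cache = build_flow_cache(PACKETS, match)
        print(name, "->", len(cache), "flow records")
        for key, rec in cache.items():
            print("  ", key, rec)
```

With the full 5-tuple the three TCP connections stay separate records; without `sport` in the key they collapse into one record of 5 packets, which lowers export volume but hides the per-connection detail a collector would use for detection.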

Future of IPFIX

As you can see from the table above, Gigamon supports many IPFIX/NetFlow fields. I wonder if they’re looking to export some of their own IPFIX fields in the future. In that case, they could open up a huge range of new and exciting IPFIX exports, all of which you can send to your NetFlow monitoring tool for further reporting and analysis on such juicy information. If you need any help setting up Gigamon NetFlow on your devices, or have some stories about threat detection with IPFIX, feel free to let us know!

Jake

Jake Bergeron is currently one of Plixer's Sr. Solutions Engineers. He is currently responsible for providing customers with onsite training and configurations to make sure that Scrutinizer is set up to their needs. Previously, he was responsible for teaching Plixer's Advanced NetFlow Training / Malware Response Training. When he's not learning more about NetFlow and malware detection, he also enjoys fishing and hiking.


One comment on “Gigamon NetFlow Support”

  1. Hello Jake,

    Hope all is well.
    GCI is Gigamon’s first and largest distributor and I am looking to strike up distribution conversations with Plixer. I would very much like the opportunity to briefly speak with you, or whomever you deem appropriate, regarding other solutions Gigamon and Plixer have partnered with their technologies. I believe there is great synergy between these two but I need to get some more case studies to prove my assumptions.

    Can you assist or direct me to the proper person(s) who can have a quick chat? My contact info is below, so feel free to reach out any time of the day or night.

    Thanks for the help and have a great day.
    -Ken Carvalis, Dir. Business Development
    Global Convergence, Inc.
    O-813.925.6579
    C-727.465.8426
    [email protected]
    http://www.globalconvergence.com
