In this blog, I will go over Gigamon NetFlow support. As you’ve probably already seen, if you follow our blogs, many new devices are now supporting NetFlow/IPFIX, and Gigamon is no different. Gigamon has created some highly advanced network taps that allow the user to generate NetFlow/IPFIX; from there, they send this data to an external collector, for further reporting. This can be a huge help to those of you that have devices on your network that do not natively support NetFlow/IPFIX.Now with the help of Gigamon you can get some visibility in areas that would otherwise be impossible. I will outline some of the different NetFlow exports that Gigamon can do, as well as the different versions below.

Gigamon NetFlow/IPFIX Support:

The following 3 NetFlow protocol formats are available in the Gigamon NetFlow implementation. I would verify that your NetFlow monitoring tool supports one or all of the following to ensure you don’t run into issues down the road.

  1. NetFlow v5
  2. NetFlow V9
  3. IPFIX

NetFlow/IPFIX Record Configuration:

For NetFlow v5 record, Gigamon solution comes with a pre-defined NetFlow v5 record, which is not user-editable.

IPFIX Support

For NetFlow v9 and IPFIX records, the user is able to configure record fields (both keys and non-keys) as mentioned below.

The user can specify the number of ‘match’ key fields in a NetFlow record. The different supported combinations are mentioned in the table below.

parameters
datalink    
mac source
destination
vlan
ipv4 dscp
header-length
id
option-map
precedence
protocol
tos
version
destination address
mask [minimum-mask <mask>]
prefix
fragmentation flags
id
offset
section header-size <size>
payload-size <size>
source address
mask [minimum-mask <mask>]
prefix
total-length
ttl
ipv6 dscp
flow-label
next-header
payload-length
precedence
protocol
traffic-class
version
destination address
mask [minimum-mask <mask>]
prefix
extension-map
fragmentation flags
id
offset
hop-limit
length header
payload
total
section header-size <size>
payload-size <size>
source address
mask [minimum-mask <mask>]
prefix
transport destination-port
igmp type
source-port
icmp ipv4 code
type
ipv6 code
type
udp destination-port
message-length
source-port
tcp ack-number
destination-port
flags [ack] | [cwr] | [ece] | [fin] | [psh] | [rst] | [syn] | [urg]
header-length
sequence-number
source-port
urgent-pointer
window-size

 

The user could specify number of ‘collect’ non-key fields in a NetFlow record. The different supported combinations are mentioned in the table below.

collect_type parameters
counter bytes [long]
packets [long]
datalink dot1q vlan
mac source
destination
vlan
ipv4 dscp
header-length
id
option-map
precedence
protocol
tos
version
destination address
mask [minimum-mask <mask>]
prefix
fragmentation flags
id
offset
section header-size <size>
payload-size <size>
source address
mask [minimum-mask <mask>]
prefix
total-length [minimum]
[maximum]
ttl
ipv6 dscp
flow-label
next-header
payload-length
precedence
protocol
traffic-class
version
destination address
mask [minimum-mask <mask>]
prefix
extension-map
fragmentation flags
id
offset
hop-limit [maximum]
[minimum]
length header
payload
total [maximum]
[minimum]
section header-size <size>
payload-size <size>
source address
mask [minimum-mask <mask>]
prefix
timestamp sys-uptime first
last
transport destination-port
igmp type
source-port
icmp ipv4 code
type
ipv6 code
type
udp destination-port
message-length
source-port
tcp ack-number
destination-port
flags [ack] | [cwr] | [ece] | [fin] | [psh] | [rst] | [syn] | [urg]
header-length
sequence-number
source-port
urgent-pointer
window-size
Gigamon IPFIX Support

Future of IPFIX

As you can see, from the table above, Gigamon supports manyIPFIX/NetFlow fields. I wonder if they’re looking to export some of their own IPFIX fields in the future. In which case, they can open up a huge range of new and exciting IPFIX exports; all of  which you can send to your NetFlow monitoring tool, for further reporting and analysis on such juicy information. If you need any help setting up Gigamon Netflow on your devices, or have some stories about threat detection with IPFIX feel free to let us know!

Jake

Jake Bergeron is currently one of Plixer's Sr. Solutions Engineers - He is currently responsible for providing customers with onsite training and configurations to make sure that Scrutinizer is setup to their need. Previously he was responsible for teaching Plixer's Advanced NetFlow Training / Malware Response Training. When he's not learning more about NetFlow and Malware detection he also enjoys Fishing and Hiking.

Related

One comment on “Gigamon NetFlow Support

  1. Hello Jake,

    Hope all is well.
    GCI is Gigamon’s first and largest distributor and I am looking to strike up distribution conversations with Plixer. I would very much like the opportunity to briefly speak with you, or whomever you deem appropriate, regarding other solutions Gigamopn and Plixer have partnered with their technologies. I believe there is great synergy between these two but I need to get some more case studies to prove my assumptions.

    Can you assist or direct me to the proper person(s) who can have quick chat? My contact info is below, so feel free to reach out any time of the day or night.

    Thanks for the help and have a great day.
    -Ken Carvalis, Dir. Business Development
    Global Convergence, Inc.
    O-813.925.6579
    C-727.465.8426
    [email protected]
    http://www.globalconvergence.com

Comments are closed.