Configuring Cflowd with CLI

This section provides information to configure cflowd using the command line interface.

Topics in this section include:

•	Cflowd Configuration Overview

→	Traffic Sampling

→	Collectors

→	Aggregation

•	Basic Cflowd Configuration

•	Common Configuration Tasks

→	Enabling Cflowd

→	Configuring Global Cflowd Parameters

→	Configuring Cflowd Collectors

→	Dependencies

→	Enabling Cflowd on Interfaces and Filters

→	Specifying Cflowd Options on an IP Interface

→	Specifying Sampling Options in Filter Entries

•	Cflowd Configuration Management Tasks

→	Modifying Global Cflowd Components

→	Modifying Cflowd Collector Parameters

Cflowd Configuration Overview

The SR OS implementation of cflowd supports the option to analyze traffic flow. The implementation also supports the use of traffic/access list (ACL) filters to limit the type of traffic that is analyzed.

 

Traffic Sampling

Traffic sampling does not examine all packets received by a router. Command parameters allow the rate at which traffic is sampled and sent for flow analysis to be modified. The default sampling rate is every 1000th packet. Excessive sampling over an extended period of time, for example, more than every 1000th packet, can burden router processing resources.

The following data is maintained for each individual flow in the raw flow cache:

•	Source IP address

•	Destinations IP address

•	Source port

•	Destination port

•	Forwarding status

•	Input interface

•	Output interface

•	IP protocol

•

TCP flags

•	First timestamp (of the first packet in the flow)

•	Last timestamp (timestamp of last packet in the flow prior to expiry of the flow)

•	Source AS number for peer and origin (taken from BGP)

•	Destination AS number for peer and origin (taken from BGP)

•	IP next hop

•	BGP next hop

•	ICMP type and code

•	IP version

•	Source prefix (from routing)

•	Destination prefix (from routing)

•	MPLS label stack from label 1 to 6

 

Within the raw flow cache, the following characteristics are used to identify an individual flow:

•	Ingress interface

•	Source IP address

•	Destination IP address

•	Source transport port number

•	Destination transport port number

•	IP protocol type

•	IP TOS byte

•	Virtual router id

•	ICMP type and code

•

Direction

•	MPLS labels

The SR OS implementation allows you to enable cflowd either at the interface level or as an action to a filter. By enabling cflowd at the interface level, all IP packets forwarded by the interface are subject to cflowd analysis. By setting cflowd as an action in a filter, only packets matching the specified filter are subject to cflowd analysis. This provides the network operator greater flexibility in the types of flows that are captured.

 

Collectors 

A collector defines how data flows should be exported from the flow cache. A maximum of 5 collectors can be configured. Each collector is identified by a unique IP address and UDP port value. Each collector can only export traffic in one version type, either V5, V8, V9, or V10.

The parameters within a collector configuration can be modified or the defaults retained.

The autonomous-system-type command defines whether the autonomous system information to be included in the flow data is based on the originating AS or external peer AS of the flow.

 

Aggregation

V8 aggregation allows for flow data to be aggregated into larger, less granular flows. Use aggregation commands to specify the type of data to be collected. These aggregation types are only applicable to flows being exported to a v8 collector.

The following aggregation schemes are supported:

•	AS matrix — Flows are aggregated based on source and destination AS and ingress and egress interface.

•	Protocol-port — Flows are aggregated based on the IP protocol, source port number, and destination port number.

•	Source prefix — Flows are aggregated based on source prefix and mask, source AS, and ingress interface.

•	Destination prefix — Flows are aggregated based on destination prefix and mask, destination AS, and egress interface.

•	Source-destination prefix — Flows are aggregated based on source prefix and mask, destination prefix and mask, source and destination AS, ingress interface and egress interface.

•	Raw — Flows are not aggregated and are sent to the collector in a V5 record.

Basic Cflowd Configuration

This section provides information to configure cflowd and configuration examples of common configuration tasks. In order to sample traffic, the minimal cflowd parameters that need to be configured are:

•	Cflowd must be enabled.

•	At least one collector must be configured and enabled.

•	Sampling must be enabled on either:

→	An IP filter entry and applied to a service or an port.

→	An interface applied to a port.

The following example displays a cflowd configuration.

A:ALA-1>config>cflowd# info detail

----------------------------------------------

	active-timeout 30

	cache-size 65536inactive-timeout 15

	overflow 1

	rate 1000

	collector 10.10.10.103:2055 version 9

		no aggregation

		autonomous-system-type origin

		description "V9 collector"

		no shutdown

	exit

	template-retransmit 330

	exit

	no shutdown

----------------------------------------------

A:ALA-1>config>cflowd#

Common Configuration Tasks

This section provides a brief overview of the tasks that must be performed to configure cflowd and provides the CLI commands. In order to begin traffic flow sampling, cflowd must be enabled and at least one collector must be configured.

 

Global Cflowd Components

The following common (global) attributes apply to all instances of cflowd:

•	Active timeout - Controls the maximum amount of time a flow record can be active before it will be automatically exported to defined collectors.

•	Inactive timeout - Controls the minimum amount of time before a flow is declared inactive. If no traffic is sampled for an existing flow for the inactive timeout duration, the flow is decalred inactive and marked to be exported to the defined collectors.

•	Cache size - Defines the maximum size of the flow cache.

•	Overflow - Defines the percentage of flow records that are exported to all collectors if the flow cache size is exceeded.

•	Rate - Defines the system wide sampling rate for cflowd.

•	Template retransmit - Defines the interval (in seconds) at which the v9 and v10 template are retransmitted to all configured v9 or v10 collectors.

 

Configuring Cflowd

Use the CLI syntax displayed below to perform the following tasks:

•	Enabling Cflowd

•	Configuring Global Cflowd Parameters

•	Configuring Cflowd Collectors

•	Enabling Cflowd on Interfaces and Filters

 

CLI Syntax: config>cflowd#

active-timeout minutes

cache-size num-entries

inactive-timeout seconds

template-retransmit seconds

overflow percent

rate sample-rate

collector ip-address[:port] {version [5 | 8 | 9 |10]}

aggregation

as-matrix

destination-prefix

protocol-port

raw

source-destination-prefix

source-prefix

template-set {basic | mpls-ip}

autonomous-system-type [origin | peer]

description description-string

no shutdown

no shutdown

 

Enabling Cflowd

Cflowd is disabled by default. Executing the command configure cflowd will enable cflowd, by default cflowd is not shutdown but must be configured including at least one collector to be active.

 

Use the following CLI syntax to enable cflowd:

CLI Syntax: config# cflowd

no shutdown

 

The following example displays the default values when cflowd is initially enabled. No collectors or collector options are configured.

 

A:ALA-1>config# info detail 

...

#------------------------------------------

echo "Cflowd Configuration"

#------------------------------------------

    cflowd

        active-timeout 30

        cache-size 65536

        inactive-timeout 15

        overflow 1

        rate 1000

        template-retransmit 600 

        no shutdown

    exit

#------------------------------------------

A:ALA-1>config#

 

Configuring Global Cflowd Parameters

The following cflowd parameters apply to all instances where cflowd (traffic sampling) is enabled.

Use the following CLI commands to configure cflowd parameters:

CLI Syntax: config>cflowd#

active-timeout minutes

cache-size num-entries

inactive-timeout seconds

overflow percent

rate sample-rate

template-retransmit seconds

no shutdown

 

The following example displays a common cflowd component configuration:

A:ALA-1>config>cflowd# info 
#------------------------------------------

        active-timeout 20

        inactive-timeout 10

        overflow 10

        rate 100

#------------------------------------------

A:ALA-1>config>cflowd# 

 

 

Configuring Cflowd Collectors

To configure cflowd collector parameters, enter the following commands:

CLI Syntax: config>cflowd#

collector ip-address[:port] [version version]

aggregation

as-matrix

destination-prefix

protocol-port

raw

source-destination-prefix

source-prefix

autonomous-system-type [origin | peer]

description description-string

no shutdown

template-set {basic | mpls-ip}

The following example displays a basic cflowd configuration:

A:ALA-1>config>cflowd# info

-----------------------------------------

active-timeout 20

        inactive-timeout 10

        overflow 10

        rate 100

        collector 10.10.10.1:2000 version 8

            aggregation

                as-matrix

                raw

            exit

            description "AS info collector"

        exit

        collector 10.10.10.2:5000 version 8

            aggregation

                protocol-port

                source-destination-prefix

            exit

            autonomous-system-type peer

            description "Neighbor collector"

        exit

-----------------------------------------

A:ALA-1>config>cflowd# 

Version 9 Collector example:

collector 10.10.10.9:2000 version 9

           description "v9collector"

           template-set mpls-ip

           no shutdown

exit

Version 9 and Version 10 Templates

If the collector is configured to use either version 9 or 10 (IPFIX) formats, the flow data is sent to the designated collector using one of the pre-defined templates. The template used is based on the type of flow for which the data was collected (IPv4, IPv6, MPLS or Ethernet (Layer 2)), and the configuration of the template-set parameter. Table 11 indicates the relationship between these values and the corresponding template used to export the flow data.

 

Table 11: Template-Set 

Traffic type	Basic	MPLS-IP
IPv4	Basic IPv4	MPLS-IPv4
IPv6	Basic IPv6	MPLS-IPv6
MPLS	Basic MPLS	MPLS-IP
Ethernet	L2-IP	L2-IP

Each flow exported, to a collector configured for either v9 or v10 formats, will be sent using one of the above flow template sets. As described above, which template is used is based on the flow type and how the collector’s template-set parameter is configured.

The following tables specify the fields present in each template:

Table 12: Basic IPv4 Template  

Field Name	Field ID
IPv4 Src Addr	8
IPv4 Dest Addr	12
IPv4 Nexthop	15
BGP Nexthop	18
Ingress Interface	10
Egress Interface	14
Packet Count	2
Byte Count	1
Start Time	22
End Time	21
Flow Start Milliseconds1	152
Flow End Milliseconds1	153
Src Port	7
Dest Port	11
Forwarding Status	89
TCP control Bits (Flags)	6
IPv4 Protocol	4
IPv4 TOS	5
IP version	60
ICMP Type & Code	32
Direction	61
BGP Source ASN	16
BGP Dest ASN	17
Source IPv4 Prefix Length	9
Dest IPv4 Prefix Length	13

---

1

Only sent to collectors configured for v10 format

 

Table 13: MPLS-IPv4 Template  

Field Name	Field ID
IPv4 Src Addr	8
IPv4 Dest Addr	12
IPv4 Nexthop	15
BGP Nexthop	18
Ingress Interface	10
Egress Interface	14
Packet Count	2
Byte Count	1
Start Time	22
End Time	21
Flow Start Milliseconds1	152
Flow End Milliseconds	153
Src Port	7
Dest Port	11
Forwarding Status	89
TCP control Bits (Flags)	6
IPv4 Protocol	4
IPv4 TOS	5
IP version	60
ICMP Type & Code	32
Direction	61
BGP Source ASN	16
BGP Dest ASN	17
Source IPv4 Prefix Length	9
Dest IPv4 Prefix Length	13
MPLS Top Label Type	46
MPLS Top Label IPv4 Addr	47
MPLS Label 1	70
MPLS Label 2	71
MPLS Label 3	72
MPLS Label 4	73
MPLS Label 5	74
MPLS Label 6	75

---

1

Only sent to collectors configured for v10 format

 

Table 14: Basic IPv6 Template

Field Name	Field ID
IPv6 Src Addr	27
IPv6 Dest Addr	28
IPv6 Nexthop	62
IPv6 BGP Nexthop	63
IPv4 Nexthop	15
IPv4 BGP Nexthop	18
Ingress Interface	10
Egress Interface	14
Packet Count	2
Byte Count	1
Start Time	22
End Time	21
Flow Start Milliseconds1	152
Flow End Milliseconds1	153
Src Port	7
Dest Port	11
Forwarding Status	89
TCP control Bits (Flags)	6
Protocol	4
IPv6 Extension Hdr	64
IPv6 Next Header	193
IPv6 Flow Label	31
TOS	5
IP version	60
IPv6 ICMP Type & Code	139
Direction	61
BGP Source ASN	16
BGP Dest ASN	17
IPv6 Src Mask	29
IPv6 Dest Mask	30

---

1

Only sent to collectors configured for v10 format

 

Table 15: MPLS-IPv6 Template

Field Name	Field ID
IPv6 Src Addr	27
IPv6 Dest Addr	28
IPv6 Nexthop	62
IPv6 BGP Nexthop	63
IPv4 Nexthop	15
IPv4 BGP Nexthop	18
Ingress Interface	10
Egress Interface	14
Packet Count	2
Byte Count	1
Start Time	22
End Time	21
Flow Start Milliseconds1	152
Flow End Milliseconds1	153
Src Port	7
Dest Port	11
Forwarding Status	89
TCP control Bits (Flags)	6
Protocol	4
IPv6 Extension Hdr	64
IPv6 Next Header	193
IPv6 Flow Label	31
TOS	5
IP version	60
IPv6 ICMP Type & Code	139
Direction	61
BGP Source ASN	16
BGP Dest ASN	17
IPv6 Src Mask	29
IPv6 Dest Mask	30
MPLS_TOP_LABEL_TYPE	46
MPLS_TOP_LABEL_ADDR	47
MPLS Top Label Type	46
MPLS Top Label IPv6 Addr	47
MPLS Label 1	70
MPLS Label 2	71
MPLS Label 3	72
MPLS Label 4	73
MPLS Label 5	74
MPLS Label 6	75
MPLS_TOP_LABEL_TYPE	46
MPLS_TOP_LABEL_ADDR	47

---

1

Only sent to collectors configured for v10 format

 

Table 16: Basic MPLS Template

Field Name	Field ID
Start Time	22
End Time	21
Flow Start Milliseconds1	152
Flow End Milliseconds1	153
Ingress Interface	10
Egress Interface	14
Packet Count	2
Byte Count	1
Direction	61
MPLS_TOP_LABEL_TYPE	46
MPLS_TOP_LABEL_ADDR	47
MPLS Label 1	70
MPLS Label 2	71
MPLS Label 3	72
MPLS Label 4	73
MPLS Label 5	74
MPLS Label 6	75

---

1

Only sent to collectors configured for v10 format

 

Table 17: MPLS-IP Template

Field Name	Field ID
IPv4 Src Addr	8
IPv4 Dest Addr	12
IPv4 Nexthop	15
IPv6 Src Addr	27
IPv6 Dest Addr	28
IPv6 Nexthop	62
Ingress Interface	10
Egress Interface	14
Packet Count	2
Byte Count	1
Start Time	22
End Time	21
Flow Start Milliseconds1	152
Flow End Milliseconds1	153
Src Port	7
Dest Port	11
TCP control Bits (Flags)	6
IPv4 Protocol	4
IPv4 TOS	5
IP version	60
ICMP Type & Code	32
Direction	61
MPLS_TOP_LABEL_TYPE	46
MPLS_TOP_LABEL_ADDR	47
MPLS Top Label Type	46
MPLS Top Label IPv4 Addr	47
MPLS Label 1	70
MPLS Label 2	71
MPLS Label 3	72
MPLS Label 4	73
MPLS Label 5	74
MPLS Label 6	75

---

1

Only sent to collectors configured for v10 format

 

Table 18: Ethernet (L2-IP) Flow Template¹

Field Name	Field ID
MAC Src Addr	56
MAC Dest Addr	80
Ingress Physical Interface	252
Egress Physical Interface	253
Dot1q VLAN ID	243
Dot1q Customer VLAN ID	245
Post Dot1q VLAN ID	254
Post Dot1q Customer VLAN Id	255
IPv4 Src Addr	8
IPv4 Dest Addr	12
IPv6 Src Addr	27
IPv6 Dest Addr	28
Packet Count	2
Byte Count	1
Flow Start Milliseconds	152
Flow End Milliseconds	153
Src Port	7
Dest Port	11
TCP control Bits (Flags)	6
Protocol	4
IPv6 Option Header	64
IPv6 Next Header	196
IPv6 Flow Label	31
TOS	5
IP Version	60
ICMP Type Code	32

---

1

Ohe Ethernet (L2-IP) flow template is only supported and exported to IPFIX (v10) collectors.

 

 

Enabling Cflowd on Interfaces and Filters

This section discusses the following cflowd configuration management tasks:

•	Specifying Cflowd Options on an IP Interface

→	Interface Configurations

→	Service Interfaces

•	Specifying Sampling Options in Filter Entries

→	Interface Configurations

•	Dependencies

 

Specifying Cflowd Options on an IP Interface

When cflowd is enabled on an interface, all packets forwarded by the interface are subject to analysis according to the global cflowd configuration and sorted according to the collector configuration(s).

Refer to Table 19, Cflowd Configuration Dependencies for configuration combinations.

When the cflowd interface option is configured in the config>router>interface context, the following requirements must be met to enable traffic sampling on the specific interface:

1.	Cflowd must be enabled.

2.	At least one cflowd collector must be configured and enabled.

3.	The interface>cflowd interface option must be selected. For configuration information, refer to the Filter Policy Overview section of the 7750 SR Router Configuration Guide.

4.

To omit certain types of traffic from being sampled when the interface sampling is enabled, the config>filter>ip-filter>entry>interface-disable-sample option may be enabled via an ip-filter or ipv6-filter. The filter must be applied to the service or network interface on which the traffic to be omitted is to ingress the system.

 

Interface Configurations

CLI Syntax: config>router>if#

cflowd {acl|interface}

no cflowd

Depending on the option selected, either acl or interface, cflowd extracts traffic flow samples from an IP filter or an interface for analysis. All packets forwarded by the interface are analyzed according to the cflowd configuration.

The acl option must be selected in order to enable traffic sampling on an IP filter. Cflowd (filter-sample) must be enabled in at least one IP filter entry.

The interface option must be selected in order to enable traffic sampling on an interface. If cflowd is not enabled (no cflowd) then traffic sampling will not occur on the interface.

 

Service Interfaces

CLI Syntax: config>service>vpls service-id# interface ip-int-name

cflowd {acl|interface}

 

When enabled on a service interface, cflowd collects routed traffic flow samples through a router for analysis. Cflowd is supported on IES and VPRN services interfaces only. Layer 2 traffic is excluded. All packets forwarded by the interface are analyzed according to the cflowd configuration. On the interface level, cflowd can be associated with a filter (ACL) or an IP interface.

 

Specifying Sampling Options in Filter Entries

Packets are matched against filter entries to determine acceptability. With cflowd, only the first packet of a flow is compared. If the first packet matches the filter criteria, then an entry is added to the cflowd cache. Subsequent packets in the same flow are also sampled based on the cache entry.

Since a filter can be applied to more than one interface (when configured with a scope template), the interface-disable-sample option is intended to enable or disable traffic sampling on an interface-by-interface basis. The command can be enabled or disabled as needed instead creating numerous filter versions.

To enable for filtr traffic sampling, the following requirements must be met::

1.	Cflowd must be enabled globally.

2.	At least one cflowd collector must be configured and enabled.

3.	On the IP interface being used, the interface>cflowd acl option must be selected. (See Interfcace Configuration) For configuration information, refer to the IP Router Confguration Overview section of the 7750 SR Router Configuration Guide.

4.	On the IP filter being used, the entry>filter-sample option must be explicitly enabled for the entries matching the traffic that should be sampled. The default is no filter-sample. (See Filter Configuration for more information).

5.	The filter must be applied to a service or a network interface. The service or port must be enabled and operational.

 

Filter Configurations

CLI Syntax: config>filter>ip-filter>entry#

[no] filter-sample

[no] interface-disable-sample

When a filter policy is applied to a service or a network interface, sampling can be configured so that traffic matching the associated IP filter entry is sampled when the IP interface is set to cflowd ACL mode and the filter-sample command is enabled. If cflowd is either not enabled (no filter-sample) or set to the cflowd interface mode, then sampling does not occur.

When the interface-disable-sample command is enabled, then traffic matching the associated IP filter entry is not sampled if the IP interface is set to cflowd ACL mode.

 

Dependencies

In order for cflowd to be operational, the following requirements must be met:

•	Cflowd must be enabled on a global level. If cflowd is disabled, any traffic sampling instances are also disabled.

•	At least one collector must be configured and enabled in order for traffic sampling to occur on an enabled entity.

•	If a specific collector UDP port is not identified then, by default, flows are sent to port 2055.

Cflowd can also be dependent on the following entity configurations:

•	Interface Configurations

•	Service Interfaces

•	Filter Configurations

Depending on the combination of interface and filter entry configurations determine if and when flow sampling occurs. Table 19 displays the expected results when specific features are enabled and disabled.

 

Table 19: Cflowd Configuration Dependencies  

Interface Setting	router>interface cflowd [acl | interface] Setting	Command ip-filter entry	Expected Results
IP-filter mode	ACL	filter-sampled	Traffic matching is sampled at specified rate.
IP-filter mode	ACL	no filter-sampled	No traffic is sampled on this interface.
IP-filter mode or cflowd not enabled on interface	ACL	interface-disable-sample	Command is ignored. No sampling occurs.
Interface mode	interface	interface-disable-sample	Traffic matching this IP filter entry is not sampled.
Interface mode	interface	none	All IP traffic ingressing the interface is subject to sampling.
Interface mode	interface	filter sampled	Filter level action is ignored. All traffic ingressing the interface is subject to sampling.

 

Cflowd Configuration Management Tasks

This section discusses the following cflowd configuration management tasks:

•	Modifying Global Cflowd Components

•	Modifying Cflowd Collector Parameters

 

Modifying Global Cflowd Components

Cflowd parameter modifications apply to all instances where cflowd or traffic sampling is enabled. Changes are applied immediately. Use the following cflowd commands to modify global cflowd parameters:

CLI Syntax: config>cflowd#

active-timeout minutes

no active-timeout

cache-size num-entries

no cache-size

inactive-timeout seconds

no inactive-timeout

overflow percent

no overflow

rate sample-rate

no rate

[no] shutdown

template-retransmit seconds

no template-retransmit

 

The following example displays the cflowd command usage to modify configuration parameters:

Example: config>cflowd# active-timeout 60

config>cflowd# no inactive-timeout

config>cflowd# overflow 2

config>cflowd# rate 10

The following example displays the common cflowd component configuration:

A:ALA-1>config>cflowd# info 
#------------------------------------------

        active-timeout 60

        overflow 2

        rate 10

#------------------------------------------

A:ALA-1>config>cflowd# 

 

Modifying Cflowd Collector Parameters

Use the following commands to modify cflowd collector and aggregation parameters:

CLI Syntax: config>cflowd#

collector ip-address[:port] [version version]

no collector ip-address[:port]

[no] aggregation

[no] as-matrix

[no] destination-prefix

[no] protocol-port

[no] raw

[no] source-destination-prefix

[no] source-prefix

[no] autonomous-system-type [origin | peer]

[no] description description-string

[no] shutdown

template-set {basic | mpls-ip | l2-ip}

 

If a specific collector UDP port is not identified then, by default, flows are sent to port 2055.

The following displays basic cflowd modifications:

A:ALA-1>config>cflowd# info

-----------------------------------------

	active-timeout 60

        overflow 2

        rate 10

        collector 10.10.10.1:2000 version 5

            description "AS info collector"

        exit

        collector 10.10.10.2:5000 version 8

            aggregation

                source-prefix

                raw

            exit

            description "Test collector"

        exit

-----------------------------------------

A:ALA-1>config>cflowd#