Cflowd

Cflowd overview

Cflowd is a tool used to obtain samples of IPv4, IPv6, MPLS, and Ethernet traffic data flows through a router. Cflowd enables traffic sampling and analysis by ISPs and network engineers to support capacity planning, trends analysis, and characterization of workloads in a network service provider environment.

Cflowd is also useful for traffic engineering, network planning and analysis, network monitoring, developing user profiles, data warehousing and mining, as well as security-related investigations. Collected information can be viewed several ways such as in port, AS, or network matrices, and pure flow structures. The amount of data stored depends on the cflowd configurations.

Cflowd maintains a list of data flows through a router. A flow is a unidirectional traffic stream defined by several characteristics such as source and destination IP addresses, source and destination ports, inbound interface, IP protocol and ToS bits.

When a router receives a packet for which it currently does not have a flow entry, a flow structure is initialized to maintain state information about that flow, such as the number of bytes exchanged, IP addresses, port numbers, AS numbers, and so on. Each subsequently sampled packet matching the same command options of the flow contributes to the byte and packet count of the flow until the flow is terminated and exported to a collector for storage.

Operation

Basic cflowd steps shows the basic operation of the cflowd feature. This sampled flow is only used to describe the basic steps that are performed. It is not intended to specify implementation.

Figure 1. Basic cflowd steps
  1. As a packet ingresses a port, a decision is made to sample it or not for cflowd.

  2. The original packet is processed for forwarding as normal and the cflowd sample is sent for processing. If a packet is discarded because of filters actions, an indicator is sent with the cflowd sample to the processing agent.

  3. If a new flow is found, a new entry is added to the cache. If the flow already exists in the cache, the flow statistics are updated.

  4. If a new flow is detected and the maximum number of entries are already in the flow cache, the earliest expiry entry is removed. The earliest expiry entry/flow is the next flow that expires because of the active or inactive timer expiration.

  5. If a flow has been inactive for a period of time equal to or greater than the inactive timer (default 15 s), the entry is removed from the flow cache.

  6. If a flow has been active for a period of time equal to or greater than the active timer (default 30 min), the entry is removed from the flow cache.

When a flow is exported from the cache, the collected data is sent to an external collector, which maintains an accumulation of historical data flows that network users can use to analyze traffic patterns.

Data is exported in one of the following formats:

  • Version 5

    Generates a fixed export record for each individual flow captured.

  • Version 8

    Aggregates multiple individual flows into a fixed aggregate record.

  • Version 9

    Generates a variable export record, depending on user configuration and sampled traffic type (IPv4, IPv6, or MPLS), for each individual flow captured.

  • Version 10 (IPFIX)

    Generates a variable export record, depending on user configuration and sampled traffic type (IPv4, IPv6, or MPLS), for each individual flow captured.

V5, V8, V9, V10, and flow processing shows V5, V8, V9, and V10 flow processing.

Figure 2. V5, V8, V9, V10, and flow processing

As flows are expired from the active flow cache, the export format must be determined, either V5, V8, V9, and V10.

  • If the export format is V5 or V9 and V10, no further processing is performed and the flow data is accumulated to be sent to the external collector.

  • If the export format is V8, the flow entry is added to one or more of the configured aggregation matrices.

  • As the entries within the aggregate matrices are aged out, they are accumulated to be sent to the external flow collector in V8 format.

The sample rate and cache size are configurable values. The cache size default is 64K flow entries.

A flow terminates when one of the following conditions is met:

  • When the inactive timeout period expires (default: 15 s). A flow is considered terminated when no packets are seen for the flow for n seconds.

  • When an active timeout expires (default: 30 s). Default active timeout is 30 min. A flow terminates according to the time duration, regardless of whether there are packets coming in for the flow.

  • When the user executes a clear cflowd command.

  • When other measures are met that apply to aggressively age flows as the cache becomes too full (such as overflow percent).

Version 8

There are several different aggregate flow types including:

  • AS matrix

  • destination prefix matrix

  • source prefix matrix

  • prefix matrix

  • protocol/port matrix

Version 8 is an aggregated export format. As individual flows are aged out of the raw flow cache, the data is added to the aggregate flow cache for each configured aggregate type. Each of these aggregate flows are also aged in a manner similar to the method the active flow cache entries are aged. When an aggregate flow is aged out, it is sent to the external collector in the V8 record format.

Version 9

Version 9 format is a more flexible format and allows for different templates or sets of cflowd data to be sent based on the type of traffic being sampled and the template set configured.

Version 9 is interoperable with RFC 3954, Cisco Systems NetFlow Services Export Version 9.

Version 10

Version 10 is a new format and protocol that interoperates with the specifications from the IETF as the IP Flow Information Export (IPFIX) standard. Like V9, the V10 format uses templates to allow for different data elements about a flow that is to be exported and to handle different type of data flows, such as IPv4, IPv6, and MPLS.

Version 10 is interoperable with RFC 5101 and 5102.

Cflowd filter matching

In the filter-matching process, usually every packet is matched against filter (access list) criteria to determine acceptability. With cflowd, only the first packet of a flow is checked. If the first packet is forwarded, an entry is added to the cflowd cache. Subsequent packets in the same flow are then forwarded without needing to be matched against the complete set of filters. Specific performance varies depending on the number and complexity of the filters.

Cflowd Collector flow direction configuration

The Cflowd Collector feature allows users to configure the direction of flows sent to the associated Cflowd Collector as ingress, egress, or both. Use the following options to configure the flow direction:

  • both – flows ingressing or egressing the specified interface match the collector filter (default)
  • ingress – flows ingressing the specified interface match the collector filter
  • egress – flows egressing the specified interface match the collector filter

Use the following commands to enable this feature:

  • MD-CLI
    configure cflowd collector export-filter interface-list router interface-name direction
    configure cflowd collector export-filter interface-list service ies-group-interface direction
    configure cflowd collector export-filter interface-list service ies-interface direction
    configure cflowd collector export-filter interface-list service vprn-group-interface direction
    configure cflowd collector export-filter interface-list service vprn-interface direction
    configure cflowd collector export-filter interface-list service vprn-network-interface direction
    
  • classic CLI
    configure cflowd collector export-filter interface-list router interface direction [direction {ingress | egress | both}]
    configure cflowd collector export-filter interface-list service ies subscriber-interface group-interface [direction {ingress | egress | both}]
    configure cflowd collector export-filter interface-list service ies interface [direction {ingress | egress | both}]
    configure cflowd collector export-filter interface-list service vprn subscriber-interface group-interface [direction {ingress | egress | both}]
    configure cflowd collector export-filter interface-list service vprn interface [direction {ingress | egress | both}]
    configure cflowd collector export-filter interface-list service vprn network-interface [direction {ingress | egress | both}]

Cflowd configuration process overview

Cflowd configuration and implementation flow shows the process to configure cflowd command options.

Figure 3. Cflowd configuration and implementation flow

There are three modes in which cflowd can be enabled to sample traffic on an interface:

  • Cflowd interface – where all traffic entering a specified port is subjected to sampling at the configured sampling rate

  • Cflowd interface plus – the definition of IP filters that specify an action to disable sampling, where traffic that matches these filter entries is not subject to cflowd sampling

    Use the following commands to disable sampling as part of the IP filter configuration:

    • MD-CLI

      configure filter ip-filter entry interface-sample false
      configure filter ipv6-filter entry interface-sample false
    • classic CLI

      configure filter ip-filter entry interface-disable-sample
      configure filter ipv6-filter entry interface-disable-sample
  • Cflowd ACL – where IP filters must be created with entries containing the action filter-sampled. In this mode, only traffic matching these filter entries is subject to the cflowd sampling process.

Configuration notes

The following cflowd components must be configured for cflowd to be operational:

  • Cflowd is enabled globally.

  • At least one collector must be configured and enabled.

  • A cflowd option must be specified and enabled on a router interface.

  • Sampling must be enabled on either:

    • An IP filter that is applied to a port or service.

    • An interface on a port or service.

Configuring cflowd with CLI

This section provides information to configure cflowd using the command line interface (CLI).

Cflowd configuration overview

SR OS implementation of cflowd supports the option to analyze traffic flow. The implementation also supports the use of traffic or access list (ACL) filters to limit the type of traffic that is analyzed.

Traffic sampling

Traffic sampling does not examine all packets received by a router. Command options allow the rate at which traffic is sampled and sent for flow analysis to be modified. The default sampling rate is every 1000th packet. Excessive sampling over an extended period of time, for example, more than every 1000th packet, can burden router processing resources.

The following data is maintained for each individual flow in the raw flow cache:

  • source IP address

  • destinations IP address

  • source port

  • destination port

  • forwarding status

  • input interface

  • output interface

  • IP protocol

  • TCP flags

  • first timestamp (of the first packet in the flow)

  • last timestamp (timestamp of last packet in the flow before the expiry of the flow)

  • source AS number for peer and origin (taken from BGP)

  • destination AS number for peer and origin (taken from BGP)

  • IP next hop

  • BGP next hop

  • ICMP type and code

  • IP version

  • source prefix (from routing)

  • destination prefix (from routing)

  • MPLS label stack from label 1 to 6

Within the raw flow cache, the following characteristics are used to identify an individual flow:

  • ingress interface

  • source IP address

  • destination IP address

  • source transport port number

  • destination transport port number

  • IP protocol type

  • IP ToS byte

  • virtual router ID

  • ICMP type and code

  • direction

  • MPLS labels

SR OS implementation allows cflowd to be enabled at the interface level or as an action to a filter. By enabling cflowd at the interface level, all IP packets forwarded by the interface are subject to cflowd analysis. By setting cflowd as an action in a filter, only packets matching the specified filter are subject to cflowd analysis. This provides the network user greater flexibility in the types of flows that are captured.

Collectors

A collector defines how data flows should be exported from the flow cache. A maximum of five collectors can be configured. Each collector is identified by a unique IP address and UDP port value. Each collector can only export traffic in one version type: V5, V8, V9, or V10.

The command options within a collector configuration can be modified or the defaults retained.

The autonomous-system-type command defines whether the autonomous system information to be included in the flow data is based on the originating AS or external peer AS of the flow.

Aggregation

V8 aggregation allows for flow data to be aggregated into larger, less granular flows. Use aggregation commands to specify the type of data to be collected. These aggregation types are only applicable to flows being exported to a V8 collector.

The following aggregation schemes are supported:

  • AS matrix

    Flows are aggregated based on source and destination AS and ingress and egress interface.

  • protocol port

    Flows are aggregated based on the IP protocol, source port number, and destination port number.

  • source prefix

    Flows are aggregated based on source prefix and mask, source AS, and ingress interface.

  • destination prefix

    Flows are aggregated based on destination prefix and mask, destination AS, and egress interface.

  • source-destination prefix

    Flows are aggregated based on source prefix and mask, destination prefix and mask, source and destination AS, ingress interface, and egress interface.

  • raw

    Flows are not aggregated and are sent to the collector in a V5 record.

Basic cflowd configuration

This section provides information to configure cflowd and examples of common configuration tasks. To sample traffic, the following command options must be configured, as a minimum.

  • Cflowd must be enabled.

  • At least one collector must be configured and enabled.

  • Sampling must be enabled on either:

    • an IP filter entry (and applied to a service or a port)

    • an interface applied to a port

The following example shows the cflowd configuration.

MD-CLI

[ex:/configure cflowd]
A:admin@node-2# info detail
## apply-groups
 ## apply-groups-exclude
    admin-state enable
    analyze-gre-payload false
    analyze-l2tp-traffic false
    analyze-v4overv6-traffic false
    cache-size 6553
    export-mode automatic
    inband-collector-export-only false
    overflow 1
    template-retransmit 600
    use-vrtr-if-index false
    active-flow-timeout 1800
    inactive-flow-timeout 15
    sample-profile 1 {
     ## apply-groups
     ## apply-groups-exclude
        sample-rate 1000
    }

classic CLI

A:node-2>config>cflowd# info detail
----------------------------------------------
        active-flow-timeout 1800
        cache-size 6553
        inactive-flow-timeout 15
        export-mode automatic
        overflow 1
        template-retransmit 600
        no use-vrtr-if-index
        no inband-collector-export-only
        no analyze-gre-payload
        no analyze-l2tp-traffic
        no analyze-v4overv6-traffic
        sample-profile 1 create
            sample-rate 1000
        exit
        no shutdown
----------------------------------------------

Common configuration tasks

This section provides a brief overview of the tasks that must be performed to configure cflowd and provides the CLI commands. To begin traffic flow sampling, cflowd must be enabled and at least one collector must be configured.

Global cflowd components

The following common (global) attributes apply to all instances of cflowd:

  • active flow timeout

    The active flow timeout attribute controls the maximum time a flow record can be active before it is automatically exported to defined collectors.

  • inactive flow timeout

    The inactive flow timeout attribute controls the minimum time before a flow is declared inactive. If no traffic is sampled for a flow for the inactive timeout duration, the flow is declared inactive and marked to be exported to the defined collectors.

  • cache size

    The cache size attribute defines the maximum size of the flow cache.

  • overflow

    The overflow attribute defines the percentage of flow records that are exported to all collectors if the flow cache size is exceeded.

  • rate

    The rate attribute defines the system-wide sampling rate for cflowd.

  • template retransmit

    The template retransmit attribute defines the interval (in seconds) at which the V9 and V10 templates are retransmitted to all configured V9 or V10 collectors.

Enabling cflowd

Cflowd is disabled by default. Cflowd must be configured with at least one collector to be active. Executing the cflowd command enables cflowd.

The following example shows the defaults when cflowd is initially enabled. No collectors or collector options are configured.

MD-CLI
[ex:/configure cflowd]
A:admin@node-2# info detail
...
    admin-state enable
...
    cache-size 65536
...
     overflow 1
...
    template-retransmit 600
...
    active-flow-timeout 1800
    inactive-flow-timeout 15
    sample-profile 1 {
...
        sample-rate 1000
    }
classic CLI
A:node-2>config>cflowd# info detail
----------------------------------------------
        active-flow-timeout 1800
        cache-size 65536
        inactive-flow-timeout 15
...
        overflow 1
        template-retransmit 600
...
        sample-profile 1 create
            sample-rate 1000
        exit
        no shutdown
----------------------------------------------

Configuring global cflowd

The following example shows the global cflowd configuration.

MD-CLI
[ex:/configure cflowd]
A:admin@node-2# info
...
    overflow 10
...
    active-flow-timeout 1800
    inactive-flow-timeout 10
    sample-profile 1 {
        sample-rate 100
    }
classic CLI
A:node-2>config>cflowd# info detail
----------------------------------------------
        active-flow-timeout 1800
...
A:node-2>config>cflowd# info
----------------------------------------------
        inactive-flow-timeout 10
...
        overflow 10
        sample-profile 1 create
            sample-rate 100
        exit
----------------------------------------------

Configuring cflowd collectors

The following example shows a basic configuration of cflowd collectors.

Basic cflowd collector configuration (MD-CLI)
[ex:/configure cflowd]
A:admin@node-2# info
...
    overflow 10
...
    active-flow-timeout 1800
    inactive-flow-timeout 10
    sample-profile 1 {
        sample-rate 100
    }
    collector 10.10.10.1 port 2000 {
        description "AS info collector"
        version 8
        aggregation {
            as-matrix true
            raw true
        }
    }
 collector 10.10.10.2 port 5000 {
        description "Neighbor collector"
        autonomous-system-type peer
        version 8
        aggregation {
            protocol-port true
            source-destination-prefix true
        }
    }
Basic cflowd collector configuration (classic CLI)
A:node-2>config>cflowd# info detail
----------------------------------------------
        active-flow-timeout 1800
...
A:node-2>config>cflowd# info
-----------------------------------------
        inactive-flow-timeout 10
        overflow 10
        sample-profile 1 create
            sample-rate 100
        exit
        collector 10.10.10.1:2000 version 8
            description "AS info collector"
            aggregation
                as-matrix
                raw
            exit
        exit
        collector 10.10.10.2:5000 version 8
            description "Neighbor collector"
            aggregation
                protocol-port
                source-destination-prefix
            exit
            autonomous-system-type peer
        exit
Version 9 collector configuration (MD-CLI)
[ex:/configure cflowd]
A:admin@node-2# info
...
    collector 10.10.10.9 port 2000 {
        description "v9collector"
        template-set mpls-ip
        version 9
    }
Version 9 collector configuration (classic CLI)
A:node-2>config>cflowd# info
----------------------------------------------
...
        collector 10.10.10.9:2000 version 9
            description "v9collector"
            template-set mpls-ip
        exit
----------------------------------------------
Version 9 and Version 10 templates

If the collector is configured to use either V9 or V10 (IPFIX) formats, the flow data is sent to the designated collector using one of the predefined templates. The template used is based on the type of flow for which the data was collected (IPv4, IPv6, MPLS, or Ethernet [Layer 2]), and the configuration of the template-set command. The following table lists these options and the corresponding template used to export the flow data.

Table 1. Template sets
Traffic flow Basic MPLS-IP

IPv4

Basic IPv4

MPLS-IPv4

IPv6

Basic IPv6

MPLS-IPv6

MPLS

Basic MPLS

MPLS-IP

Ethernet

L2-IP

L2-IP

Each flow exported to a collector configured for either V9 or V10 formats is sent using one of the flow template sets listed in Template sets.

Basic IPv4 template to MPLS transport template list the fields in each template listed in Template sets.

Table 2. Basic IPv4 template
Field name Field ID

IPv4 Src Addr

8

IPv4 Dest Addr

12

IPv4 Nexthop

15

BGP Nexthop

18

Ingress Interface

10

Egress Interface

14

Packet Count

2

Byte Count

1

Start Time

22

End Time

21

Flow Start Milliseconds1

152

Flow End Milliseconds1

153

Src Port

7

Dest Port

11

Forwarding Status

89

TCP control Bits (Flags)

6

IPv4 Protocol

4

IPv4 ToS

5

IP version

60

ICMP Type and Code

32

Direction

61

BGP Source ASN

16

BGP Dest ASN

17

Source IPv4 Prefix Length

9

Dest IPv4 Prefix Length

13

Minimum IP Total Length

25

Maximum IP Total Length

26

Minimum TTL

52

Maximum TTL

53

Multicast Replication Factor

99

bgpNextAdjacentAsNumber

128

bgpPrevAdjacentAsNumber

129

IsMulticast1

206

Ingress VRFID1

234

Egress VRFID1

235

1 Only sent to collectors configured for V10 format.
Table 3. MPLS-IPv4 template
Field Name Field ID

IPv4 Src Addr

8

IPv4 Dest Addr

12

IPv4 Nexthop

15

BGP Nexthop

18

Ingress Interface

10

Egress Interface

14

Packet Count

2

Byte Count

1

Start Time

22

End Time

21

Flow Start Milliseconds1

152

Flow End Milliseconds1

153

Src Port

7

Dest Port

11

Forwarding Status

89

TCP control Bits (Flags)

6

IPv4 Protocol

4

IPv4 ToS

5

IP version

60

ICMP Type & Code

32

Direction

61

BGP Source ASN

16

BGP Dest ASN

17

Source IPv4 Prefix Length

9

Dest IPv4 Prefix Length

13

MPLS Top Label Type

46

MPLS Top Label IPv4 Addr

47

MPLS Label 1

70

MPLS Label 2

71

MPLS Label 3

72

MPLS Label 4

73

MPLS Label 5

74

MPLS Label 6

75

MPLS Label 7

76

MPLS Label 8

77

MPLS Label 9

78

MPLS Label 10

79

Minimum IP Total Length

25

Maximum IP Total Length

26

Minimum TTL

52

Maximum TTL

53

Multicast Replication Factor

99

bgpNextAdjacentAsNumber

128

bgpPrevAdjacentAsNumber

129

IsMulticast1

206

Ingress VRFID1

234

Egress VRFID1

235

Table 4. Basic IPv6 template
Field Name

Field ID

IPv6 Src Addr

27

IPv6 Dest Addr

28

IPv6 Nexthop

62

IPv6 BGP Nexthop

63

IPv4 Nexthop

15

IPv4 BGP Nexthop

18

Ingress Interface

10

Egress Interface

14

Packet Count

2

Byte Count

1

Start Time

22

End Time

21

Flow Start Milliseconds1

152

Flow End Milliseconds1

153

Src Port

7

Dest Port

11

Forwarding Status

89

TCP control Bits (Flags)

6

Protocol

4

IPv6 Extension Hdr

64

IPv6 Next Header

193

IPv6 Flow Label

31

ToS

5

IP version

60

IPv6 ICMP Type & Code

139

Direction

61

BGP Source ASN

16

BGP Dest ASN

17

IPv6 Src Mask

29

IPv6 Dest Mask

30

Minimum IP Total Length

25

Maximum IP Total Length

26

Minimum TTL

52

Maximum TTL

53

Multicast Replication Factor

99

bgpNextAdjacentAsNumber

128

bgpPrevAdjacentAsNumber

129

IsMulticast1

206

Ingress VRFID1

234

Egress VRFID1

235

Table 5. MPLS-IPv6 template
Field name Field ID

IPv6 Src Addr

27

IPv6 Dest Addr

28

IPv6 Nexthop

62

IPv6 BGP Nexthop

63

IPv4 Nexthop

15

IPv4 BGP Nexthop

18

Ingress Interface

10

Egress Interface

14

Packet Count

2

Byte Count

1

Start Time

22

End Time

21

Flow Start Milliseconds1

152

Flow End Milliseconds1

153

Src Port

7

Dest Port

11

Forwarding Status

89

TCP control Bits (Flags)

6

Protocol

4

IPv6 Extension Hdr

64

IPv6 Next Header

193

IPv6 Flow Label

31

ToS

5

IP version

60

IPv6 ICMP Type & Code

139

Direction

61

BGP Source ASN

16

BGP Dest ASN

17

IPv6 Src Mask

29

IPv6 Dest Mask

30

MPLS Top Label Type

46

MPLS Top Label IPv6 Addr

47

MPLS Label 1

70

MPLS Label 2

71

MPLS Label 3

72

MPLS Label 4

73

MPLS Label 5

74

MPLS Label 6

75

MPLS Label 7

76

MPLS Label 8

77

MPLS Label 9

78

MPLS Label 10

79

MPLS_TOP_LABEL_TYPE

46

MPLS_TOP_LABEL_ADDR

47

Minimum IP Total Length

25

Maximum IP Total Length

26

Minimum TTL

52

Maximum TTL

53

Multicast Replication Factor

99

bgpNextAdjacentAsNumber

128

bgpPrevAdjacentAsNumber

129

IsMulticast1

206

Ingress VRFID1

234

Egress VRFID1

235

Table 6. Basic MPLS template
Field name Field ID

Start Time

22

End Time

21

Flow Start Milliseconds1

152

Flow End Milliseconds1

153

Ingress Interface

10

Egress Interface

14

Packet Count

2

Byte Count

1

Direction

61

MPLS Top Label Type

46

MPLS Top Label Address

47

MPLS Label 1

70

MPLS Label 2

71

MPLS Label 3

72

MPLS Label 4

73

MPLS Label 5

74

MPLS Label 6

75

Table 7. MPLS-IP template
Field name Field ID

IPv4 Src Addr

8

IPv4 Dest Addr

12

IPv4 Nexthop

15

IPv6 Src Addr

27

IPv6 Dest Addr

28

IPv6 Nexthop

62

Ingress Interface

10

Egress Interface

14

Packet Count

2

Byte Count

1

Start Time

22

End Time

21

Flow Start Milliseconds1

152

Flow End Milliseconds1

153

Src Port

7

Dest Port

11

TCP control Bits (Flags)

6

IPv4 Protocol

4

IPv4 ToS

5

IP version

60

ICMP Type & Code

32

IPv6 Flow Label

31

Direction

61

MPLS Top Label Type

46

MPLS Top Label IPv4 Addr

47

MPLS Label 1

70

MPLS Label 2

71

MPLS Label 3

72

MPLS Label 4

73

MPLS Label 5

74

MPLS Label 6

75

MPLS Label 7

76

MPLS Label 8

77

MPLS Label 9

78

MPLS Label 10

79

To address L2-IP (Ethernet) flow template, only one Ethernet (L2-IP) flow template is supported and exported to IPFIX (V10) collectors.

Table 8. L2-IP (Ethernet) flow template
Field name

Field ID

MAC Src Addr

56

MAC Dest Addr

80

Ingress Physical Interface

252

Egress Physical Interface

253

Dot1q VLAN ID

243

Dot1q Customer VLAN ID

245

Post Dot1q VLAN ID

254

Post Dot1q Customer VLAN Id

255

IPv4 Src Addr

8

IPv4 Dest Addr

12

IPv6 Src Addr

27

IPv6 Dest Addr

28

Packet Count

2

Byte Count

1

Flow Start Milliseconds

152

Flow End Milliseconds

153

Src Port

7

Dest Port

11

TCP control Bits (Flags)

6

Protocol

4

IPv6 Option Header

64

IPv6 Next Header

196

IPv6 Flow Label

31

ToS

5

IP Version

60

ICMP Type Code

32

Ingress VRF

234

IPv4 BGP Nexthop

18

IPv6 BGP Nexthop

63

Table 9. MPLS transport template
Field name Field ID

Flow Start Milliseconds

152

Flow End Milliseconds

153

VRF ID

234

Ingress Interface

10

Packet Count

2

Byte Count

1

Direction

61

MPLS_TOP_LABEL_TYPE

46

MPLS_TOP_LABEL_ADDR

47

MPLS Label-1

70

Table 10. GRE flow template
Field name2

Field ID

IPv4 Src Addr3

8

IPv4 Dest Addr3

12

Ingress ID

252

Egress ID

253

Flow Start Milliseconds

152

Ingress VRF ID3

234

Egress VRF ID3

235

Protocol3

4

ToS3

5

Data Link Frame Size4

312

Section Exported Octets3

410

Data Link Frame Section3

315

1 The field names are exported only to IPFIX (V10) collectors.
2 The IP fields contain values from the outer GRE IP header.
3 The Data Link Frame section field includes the inner IP headers.

Specifying cflowd on an IP interface

When cflowd is enabled on an interface, all packets forwarded by the interface are subject to analysis according to the global cflowd configuration and sorted according to the collector configurations.

See Cflowd configuration dependencies for configuration combinations.

Use the following command to configure cflowd on an IP interface.

configure router interface cflowd-parameters sampling unicast type interface

When the preceding command is configured, the following requirements must be met to enable traffic sampling on the interface:

  • Enable cflowd.

  • Ensure at least one cflowd collector is configured and enabled.

  • Use the commands in the following context to configure sampling as unicast or multicast, as well as the type and direction of the sampling. By default, the direction is ingress-only.

    configure router interface cflowd-parameters sampling
  • Use the following commands to prevent specific types of traffic from being sampled when interface sampling is enabled. The filter must be applied to the service or network interface on which the traffic to be omitted is to ingress the system.
    • MD-CLI

      configure filter ip-filter entry interface-sample false
      configure filter ipv6-filter entry interface-sample false
    • classic CLI

      configure filter ip-filter entry interface-disable-sample
      configure filter ipv6-filter entry interface-disable-sample
Interface sampling configuration

Use the commands in the following context to configure cflowd sampling on an interface.

configure router interface cflowd-parameters sampling

Depending on the sampling type command option selected, either acl or interface, cflowd extracts traffic flow samples from an IP filter or an interface for analysis. All packets forwarded by the interface are analyzed according to the cflowd configuration.

The acl command option must be selected to enable traffic sampling on an IP filter. Cflowd must be enabled in at least one IP filter entry. Use the following command to enable cflowd sampling on an IP filter entry:
  • MD-CLI

    configure filter ip-filter entry filter-sample true
  • classic CLI

    configure filter ip-filter entry filter-sample

The interface command option must be selected to enable traffic sampling on an interface. If cflowd is not enabled, traffic sampling does not occur on the interface.

Service interfaces

Use the commands in the following context to configure cflowd on a service interface.

configure router interface cflowd-parameters sampling

When enabled on a service interface, cflowd collects routed traffic flow samples through a router for analysis. Cflowd is supported on IES and VPRN service interfaces only. Layer 2 traffic is excluded. All packets forwarded by the interface are analyzed according to the cflowd configuration. On the interface level, cflowd can be associated with a filter (ACL) or an IP interface. Layer 2 cflowd ingress sampling is supported on VPLS and Epipe SAPs.

Compact templates
Table 11. IPv4 flow record
IPFIX Field Field ID

Packet

2

Byte

1

Input ifIndex

10

Output ifIndex

14

IP version

60

IP Src Port

7

IP Dst Port

11

IP proto

4

IP tcpflags

6

Flow Start

22/152

Flow Stop

21/153

IP min TTL

52

IP max TTL

53

IP tos

5

Flow Direction

61

IP icmp type/code

32

Forwarding status

89

IP src Address

8 (IPv4)

IP dst Address

12 (IPv4)

Table 12. IPv6 flow record
IPFIX Field Field ID

Packet

2

Byte

1

Input ifIndex

10

Output ifIndex

14

IP version

60

IP Src Port

7

IP Dst Port

11

IP proto

4

IP tcpflags

6

Flow Start

22/152

Flow Stop

21/153

IP min TTL

52

IP max TTL

53

IP tos

5

Flow Direction

61

IPv6 ICMP type/code

139

Forwarding status

89

IP src Address

27(IPv6)

IP dst Address

28(IPv6)

Table 13. MPLS flow record (v9 and v10)
IPFIX Field Field ID

Flow Start

22/152

Flow Stop

21/153

Input ifIndex

10

Output ifIndex

14

Packet

2

Byte

1

Flow Direction

61

MPLS Top Label

46

MPLS Top Label IPv4 Address

47

MPLS Label 1

70

MPLS Label 2

71

MPLS Label 3

72

MPLS Label 4

73

MPLS Label 5

74

MPLS Label 6

75

MPLS Label 7

76

MPLS Label 8

77

MPLS Label 9

78

MPLS Label 10

79

Table 14. Layer-2 flow record (v10 only)
IPFIX Field Field ID

Source MAC Address

53

Destination MAC Address

80

Ingress Physical Interface

252

Egress Physical Interface

253

Dot1q VLAN ID

243

Dot1q Customer VLAN ID

245

Post Dot1q VLAN ID

254

Post Dot1q Customer VLAN ID

255

IPv4 src Address

8

IPv4 dst Address

12

IPv6 src Address

27

IPv6 dst Address

28

Packet Count

2

Byte Count

1

Flow Start Millisecond

152

Flow End Millisecond

153

FP-accelerated templates
Table 15. IPv4 flow record
IPFIX Field Field ID

Byte

1

Input ifIndex

10

Output ifIndex

14

IP version

60

IP src Port

7

IP Dst Port

11

IP Proto

4

IP TCP flags

6

IP min TTL

52

IP TOS

5

IP icmp type/code

32

Forwarding status

89

IP src Address1

8 (IPv4)

IP dst Address1

12 (IPv4)

Table 16. IPv6 flow record
IPFIX Field Field ID

Byte

1

Input ifIndex

10

Output ifIndex

14

IP version

60

IP src Port

7

IP Dst Port

11

IP Proto

4

IP TCP flags

6

IP min TTL

52

IP TOS

5

Forwarding status

89

IP src Address1

27(IPv6)

IP dst Address1

28(IPv6)

Specifying sampling options in filter entries

Packets are matched against filter entries to determine acceptability. With cflowd, only the first packet of a flow is compared. If the first packet matches the filter criteria, an entry is added to the cflowd cache. Subsequent packets in the same flow are also sampled based on the cache entry.

Because a filter can be applied to more than one interface (when configured with a scope template), you can enable or disable traffic sampling on an interface-by-interface basis. Use the following command to disable traffic sampling:

  • MD-CLI

    configure filter ip-filter entry interface-sample false
  • classic CLI

    configure filter ip-filter entry interface-disable-sample

The preceding command to disable traffic sampling can be enabled or disabled as needed instead of having to create numerous filter versions.

To enable an interface for filter traffic sampling, the following requirements must be met:

  • Cflowd must be enabled globally.

  • At least one cflowd collector must be configured and enabled.

  • Use the commands in the following context on the IP interface that is used to configure sampling as unicast or multicast. You must also select the ACL option.

    configure router interface cflowd-parameters sampling
  • On the IP filter being used, you must explicitly enable filter sampling for the entries matching the traffic that should be sampled. Use the following commands to configure filter sampling for the filter:
    • MD-CLI

      configure filter ip-filter entry filter-sample true
      configure filter ipv6-filter entry filter-sample true
    • classic CLI

      configure filter ip-filter entry filter-sample
      configure filter ipv6-filter entry filter-sample

    The default is disabled. See Filter configurations for more information.

  • The filter must be applied to a service or a network interface. The service or port must be enabled and operational.

Filter configurations
When a filter policy is applied to a service or a network interface, sampling can be configured so that traffic matching the associated IP filter entry is sampled when the IP interface is set to cflowd ACL mode and filter sampling is enabled. Use the following command to enable cflowd sampling on an IP filter entry:
  • MD-CLI

    configure filter ip-filter entry filter-sample true
  • classic CLI

    configure filter ip-filter entry filter-sample

When the traffic sampling is disabled, traffic matching the associated IP filter entry is not sampled if the IP interface is set to cflowd ACL mode. Use the following command to disable traffic sampling:

  • MD-CLI

    configure filter ip-filter entry interface-sample false
  • classic CLI

    configure filter ip-filter entry interface-disable-sample
Dependencies

For cflowd to be operational, the following requirements must be met:

  • Cflowd must be enabled on a global level. If cflowd is disabled, any traffic sampling instances are also disabled.

  • At least one collector must be configured and enabled in order for traffic sampling to occur on an enabled entity.

  • If a specific collector UDP port is not identified, flows are sent to port 2055 by default.

Cflowd can also be dependent on the following entity configurations:

The combination of interface and filter entry configurations determines whether flow sampling occurs. Cflowd configuration dependencies lists the expected results based on cflowd configuration dependencies.

Table 17. Cflowd configuration dependencies
Interface Setting cflowd-parameter type Setting Command ip-filter entry Setting Expected Results

IP-filter mode

ACL

filter-sample true (MD-CLI)

filter-sample (classic CLI)

Traffic matching is sampled at specified rate

IP-filter mode

ACL

filter-sample false (MD-CLI)

no filter-sample (classic CLI)

No traffic is sampled on this interface

IP-filter mode or cflowd not enabled on interface

ACL

interface-sample false (MD-CLI)

interface-disable-sample (classic CLI)

Command is ignored; no sampling occurs

Interface mode

Interface

interface-sample false (MD-CLI)

interface-disable-sample (classic CLI)

Traffic matching this IP filter entry is not sampled

Interface mode

Interface

none

All IP traffic ingressing the interface is subject to sampling

Interface mode

Interface

filter-sample true (MD-CLI)

filter-sample (classic CLI)

Filter-level action is ignored; all traffic ingressing the interface is subject to sampling

Configuring Cflowd Collector flow direction

The following example shows how to configure the direction of flows to the Cflowd Collector.

MD-CLI
[ex:/configure cflowd]
A:admin@node-2# info
    overflow 10
    template-retransmit 60
    active-flow-timeout 30
    inactive-flow-timeout 10
    collector 192.168.202.171 port 2055 {
        description "test"
        version 9
        export-filter {
            interface-list {
                service {
                    ies-interface service-name "28000" interface-name "ies-28000" {
                        direction ingress
                    }
                    ies-interface service-name "33600" interface-name "ies-33600" {
                        direction ingress
                    }
                }
            }
        }
    }
classic CLI
A:node-2>config>cflowd# info
----------------------------------------------
        active-flow-timeout 30
        inactive-flow-timeout 10
        overflow 10
        template-retransmit 60
        collector 192.168.202.171 version 9
            description "test"
            export-filter
                interface-list
                    service
                        ies 28000 interface ies-28000 direction ingress
                        ies 33600 interface ies-33600 direction ingress
                    exit
                exit
            exit
        exit
----------------------------------------------

Cflowd configuration management tasks

This section describes cflowd configuration management tasks.

Modifying global cflowd

Cflowd modifications apply to all instances where cflowd is enabled. Use the commands in the following context to configure cflowd.

configure cflowd

Modification of a cflowd configuration (MD-CLI)

*[ex:/configure cflowd]
A:admin@node-2# active-flow-timeout 3600

*[ex:/configure cflowd]
A:admin@node-2# inactive-flow-timeout 15

*[ex:/configure cflowd]
A:admin@node-2# overflow 2

*[ex:/configure cflowd]
A:admin@node-2# sample-profile 1

*[ex:/configure cflowd sample-profile 1]
A:admin@node-2# sample-rate 10

Cflowd configuration output (MD-CLI)

[ex:/configure cflowd]
A:admin@node-2# info detail
...
    inactive-flow-timeout 15
...
*[ex:/configure cflowd]
A:admin@node-2# info
...
    overflow 2
...
    active-flow-timeout 3600
    sample-profile 1 {
        sample-rate 10
    }
...
   }

Modification of a cflowd configuration (classic CLI)

*A:node-2>config>cflowd# active-flow-timeout 3600
*A:node-2>config>cflowd# inactive-flow-timeout 15
*A:node-2>config>cflowd# overflow 2
*A:node-2>config>cflowd# sample-profile 1 create
*A:node-2>config>cflowd>sample-profile# sample-rate 10

Cflowd configuration output (classic CLI)

A:node-2>config>cflowd# info detail
----------------------------------------------
 ...
        inactive-flow-timeout 15
...
*A:node-2>config>cflowd# info
----------------------------------------------
        active-flow-timeout 3600
...
        overflow 2
        sample-profile 1 create
            sample-rate 10
        exit

Modifying cflowd collector command options

Use the commands in the following context to modify cflowd collector and aggregation command options.

configure cflowd

If a specific collector UDP port is not identified, flows are sent to port 2055 by default.

The following example shows a basic cflowd configuration that has been modified.

MD-CLI

[ex:/configure cflowd]
A:admin@node-2# info
...
    overflow 2
...
    active-flow-timeout 3600
    sample-profile 1 {
        sample-rate 10
    }
    collector 10.10.10.1 port 2000 {
        description "AS info collector"
        version 8
        }
    }
    collector 10.10.10.2 port 5000 {
        description "Test collector"
        version 9
        aggregation {
            source-prefix true
            raw true
        }
    }

classic CLI

A:node-2>config>cflowd# info
-----------------------------------------
     active-flow-timeout 3600
        overflow 2
        sample-profile 1 create
            sample-rate 10
        exit
        collector 10.10.10.1:2000 version 8
            description "AS info collector"
        exit
        collector 10.10.10.2:5000 version 9
            description "Test collector"
            aggregation
                source-prefix
                raw
            exit
        exit
-----------------------------------------

FP acceleration for cflowd processing

FP acceleration for cflowd allows the FP complex on specific CPMs to process and directly export IPv4 and IPv6 flow records. This feature supports significantly higher sampling capacity and flow record generation. The feature requires using CPM-2 or later in 7750 SR-7s and SR-14s, and 7950 XRS. When enabled, cflowd samples from configured interfaces are sent to the FP complex located on the CPM, which then pulls specific information from the IPv4 or IPv6 headers to populate the FP, accelerated flow record template. This mechanism generates a flow record for each sample.

Configuring FP acceleration for cflowd processing

Note: The following information applies for the MD-CLI.

To enable FP-accelerated cflowd processing, configure the following:

  • Use the following command to configure a cflowd collector for FP-accelerated cflowd processing.

    configure cflowd collector template-set fastpath
  • Use the following command to configure one or more sample profiles.

    configure cflowd sample-profile metering-process fp-accelerated

The following example shows the configuration of FP acceleration for cflowd processing.

MD-CLI

[ex:/configure]
A:admin@node-2# info
    cflowd {
        admin-state enable
...
        inband-collector-export-only true
...
        sample-profile 2 {
            sample-rate 2000
            metering-process fp-accelerated
        }
        collector 10.10.10.10 port 1 {
            template-set fastpath
            version 10
        }
    }

Supported forwarding status codes

The following table shows supported forwarding status codes.

Table 18. Supported forwarding status codes
Status Reported code (field 89)

Forwarded

64

Drop-ACL

130

Drop-Unroutable

131

Drop-Fragmentation needed but DF bit set

133

Drop-uRPF failure

140