5. Cflowd

Note:

Cflowd is supported only on the 7210 SAS-Mxp and 7210 SAS-Sx/S 1/10GE (standalone).

This chapter provides information to configure the Cflowd tool.

5.1. Cflowd Overview

Cflowd is a tool used to sample IPv4, IPv6, MPLS, and Ethernet traffic data flows through a router. Cflowd enables ISPs and traffic engineers to perform traffic sampling and analysis in order to support capacity planning, trends analysis, and characterization of workloads in a network service provider environment.

Cflowd is also useful for traffic engineering, network planning and analysis, network monitoring, developing user profiles, data warehousing and mining, and performing security-related investigations. Collected information can be interpreted in several ways such as in port, autonomous system (AS), or network matrices, and pure flow structures. The amount of data stored depends on the Cflowd configurations.

Cflowd maintains a list of router data flows. A flow is a unidirectional traffic stream defined by several characteristics such as source and destination IP addresses, source and destination ports, inbound interface, IP protocol, and Type-of-Service (TOS) bits.

When a router receives a packet for which it currently does not have a flow entry, a flow structure is initialized to maintain state information regarding that flow, such as the number of bytes exchanged, IP addresses, port numbers, AS numbers, and so on. Each subsequent packet matching the same parameters of the flow contributes to the byte and packet count of the flow until the flow is terminated and exported to a collector for storage.

5.1.1. Operation

Figure 12 shows the basic operation of the Cflowd feature. This sample flow only describes the basic Cflowd operation overview and is not intended to specify implementation and support on the 7210 SAS.

Figure 12:  Basic Cflowd Steps 

The logical sequence of Cflowd operation is as follows.

  1. The system decides whether to forward or drop packets as the packets ingress a port.
  2. If the packet is forwarded, the system then decides whether to sample the packet for Cflowd.
  3. If a new flow is found, the system adds a new entry to the cache. If the flow already exists in the cache, the system updates the flow statistics.
  4. If a new flow is detected and the maximum number of entries is already present in the flow cache, the system removes the entry with the earliest expiry time. The earliest expiry entry/flow is the next flow that will expire based on the active or inactive timer expiration.
  5. If a flow has been inactive for a period of time equal to or greater than the inactive timer (default 15 seconds), or has been active for a period of time equal to or greater than the active timer (default 30 minutes), the system removes the entry from the flow cache.

When a flow is exported from the cache, the collected data is sent to an external collector that maintains an accumulation of historical data flows, which network operators can use to analyze traffic patterns.
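
The following Python model of steps 3 to 5 is an added example, not code from the 7210 SAS: it shows how the inactive timer, the active timer, and earliest-expiry eviction decide when a flow record leaves the cache. The names FlowCache, Flow, and demo are hypothetical, the timer values are the defaults given in step 5, and the forward and sampling decisions of steps 1 and 2 are assumed to have been made before sample() is called.

```python
from dataclasses import dataclass

INACTIVE_TIMEOUT = 15       # seconds, default from step 5
ACTIVE_TIMEOUT = 30 * 60    # seconds, default from step 5

@dataclass
class Flow:
    first: float            # time of the first sampled packet
    last: float             # time of the most recent sampled packet
    packets: int = 0
    octets: int = 0
    def expiry(self):       # whichever timer fires first
        return min(self.last + INACTIVE_TIMEOUT, self.first + ACTIVE_TIMEOUT)

class FlowCache:
    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.flows = {}     # flow key -> Flow
        self.exported = []  # (key, Flow, reason) handed to the collector
    def _export(self, key, reason):
        self.exported.append((key, self.flows.pop(key), reason))
    def age(self, now):     # step 5: timer-based removal
        for key, flow in list(self.flows.items()):
            if now - flow.last >= INACTIVE_TIMEOUT:
                self._export(key, "inactive")
            elif now - flow.first >= ACTIVE_TIMEOUT:
                self._export(key, "active")
    def sample(self, now, key, length):
        self.age(now)
        if key not in self.flows:
            if len(self.flows) >= self.max_entries:  # step 4: cache is full
                victim = min(self.flows, key=lambda k: self.flows[k].expiry())
                self._export(victim, "cache-full")
            self.flows[key] = Flow(first=now, last=now)
        flow = self.flows[key]                       # step 3: create or update
        flow.last = now
        flow.packets += 1
        flow.octets += length

def demo():
    # Constructed samples; key = (src, dst, sport, dport, proto, tos, in_if).
    a = ("192.0.2.1", "198.51.100.5", 40000, 443, 6, 0, "1/1/1")
    b = ("192.0.2.2", "198.51.100.5", 40001, 53, 17, 0, "1/1/1")
    c = ("192.0.2.3", "198.51.100.9", 40002, 22, 6, 0, "1/1/2")
    cache = FlowCache(max_entries=2)
    for t, key, size in [(0, a, 100), (5, b, 80), (8, a, 1500), (10, c, 60), (40, c, 60)]:
        cache.sample(t, key, size)
    return [(k[0], f.packets, f.octets, why) for k, f, why in cache.exported]
```

In the constructed run, flow b is exported early because the two-entry cache is full when c arrives, so a collector sees it as a separate short record; an undersized cache fragments long flows in the same way.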

Data is exported in one of the following formats:

  1. Version 5
    This format generates a fixed export record for each individual flow captured.
  2. Version 8
    This format aggregates multiple individual flows into a fixed aggregate record.
  3. Version 9
    This format generates a variable export record, depending on user configuration and sampled traffic type (IPv4, IPv6, or MPLS), for each individual flow captured.
  4. Version 10 (IPFIX)
    This format generates a variable export record, depending on user configuration and sampled traffic type (IPv4, IPv6, or MPLS), for each individual flow captured.

Figure 13 shows Version 5, Version 8, Version 9, and Version 10 flow processing.

Figure 13:  V5, V8, V9, V10, and Flow Processing 

As flows expire and are removed from the active flow cache, the export format is determined (either Version 5, Version 8, Version 9, or Version 10 record format) and one of the following processes occurs.

  1. If the export format is Version 5, Version 9, or Version 10, no further processing is performed and the flow data is accumulated to be sent to the external collector.
  2. If the export format is Version 8, the flow entry is added to one or more of the configured aggregation matrices.
    As the entries within the aggregate matrices are aged out, they are accumulated to be sent to the external flow collector in Version 8 format.

The sample rate and cache size are configurable values. The cache size is set up with the default number of entries.

A flow terminates when one of the following conditions is met.

  1. The inactive timeout period expires (default 15 seconds). A flow is considered terminated when no packets are seen for the flow for the configured number of seconds.
  2. An active timeout expires (default 30 seconds). A flow terminates according to the time duration, regardless of whether packets are coming in for the flow.
  3. The user executes a clear cflowd command.
  4. Other conditions are met to aggressively age flows as the cache becomes too full, such as overflow percent.

5.1.1.1. Version 8

There are several aggregate flow types including:

  1. AS matrix
  2. destination prefix matrix
  3. source prefix matrix
  4. prefix matrix
  5. protocol/port matrix

Version 8 is an aggregated export format. As individual flows are aged out of the raw flow cache, the data is added to the aggregate flow cache for each configured aggregate type. Each of these aggregate flows is also aged in a manner similar to the way the active flow cache entries are aged. When an aggregate flow is aged out, it is sent to the external collector in the Version 8 record format.
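
The aggregation step described above, as an added Python example that is not code from the 7210 SAS: each flow aged out of the raw cache is folded into every configured matrix, and the resulting records no longer identify individual hosts. The names aggregate, MATRICES, and EXPIRED are hypothetical, the fixed /24 mask is an assumption, the records are in-memory dictionaries rather than the Version 8 wire format, and aging of the aggregate cache is not modeled.

```python
import ipaddress
from collections import defaultdict

PREFIX_LEN = 24  # assumed aggregation mask for this example

def prefix(addr):
    """Return the covering prefix of an address, e.g. 192.0.2.10 -> 192.0.2.0/24."""
    return str(ipaddress.ip_network(f"{addr}/{PREFIX_LEN}", strict=False))

# Key builders for three of the aggregate types listed above.
MATRICES = {
    "source-prefix": lambda f: (prefix(f["src"]),),
    "destination-prefix": lambda f: (prefix(f["dst"]),),
    "protocol-port": lambda f: (f["proto"], f["sport"], f["dport"]),
}

def aggregate(expired_flows, enabled):
    """Fold flows aged out of the raw cache into each configured matrix."""
    caches = {name: defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0})
              for name in enabled}
    for flow in expired_flows:
        for name in enabled:
            record = caches[name][MATRICES[name](flow)]
            record["flows"] += 1
            record["packets"] += flow["packets"]
            record["octets"] += flow["octets"]
    return {name: dict(cache) for name, cache in caches.items()}

# Constructed raw flow records, as they would leave the raw flow cache.
FIELDS = ("src", "dst", "proto", "sport", "dport", "packets", "octets")
EXPIRED = [dict(zip(FIELDS, row)) for row in [
    ("192.0.2.10", "198.51.100.5", 17, 123, 123, 4, 304),
    ("192.0.2.77", "198.51.100.9", 17, 123, 123, 6, 456),
    ("203.0.113.4", "198.51.100.5", 6, 40000, 443, 20, 18000),
]]

if __name__ == "__main__":
    for name, cache in aggregate(EXPIRED, list(MATRICES)).items():
        for key, record in cache.items():
            print(name, key, record)
```

For security-related investigations this loss of per-host detail is the trade-off of Version 8: the two hosts in 192.0.2.0/24 become a single source-prefix record.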

5.1.1.2. Version 9

The Version 9 format is more flexible and allows for different templates or sets of Cflowd data to be sent based on the sampled traffic type and the configured template set.

Version 9 is interoperable with RFC 3954, Cisco Systems NetFlow Services Export Version 9.

5.1.1.3. Version 10

Version 10 is a new format and protocol that interoperates with the IETF specifications described in the IP Flow Information Export (IPFIX) standard. Like Version 9, Version 10 uses templates to export different data elements for a flow and handle different types of data flows, such as IPv4, IPv6, and MPLS.

Version 10 is interoperable with RFC 5150 and RFC 5102.

5.2. Cflowd Configuration Process Overview

Figure 14 shows the process to configure Cflowd parameters.

Figure 14:  Cflowd Configuration and Implementation Flow 

Cflowd can be enabled to sample traffic on a specific interface in the Cflowd interface mode. In this mode, all traffic entering a specific port is subject to sampling at the configured sampling rate.

5.3. Configuration Notes

The following Cflowd components must be configured for Cflowd to be operational.

  1. Cflowd must be enabled globally.
  2. At least one collector must be configured and enabled.
  3. A Cflowd option must be specified and enabled on a router interface.
  4. Sampling must be enabled on the interface (ingress only).
  5. On the 7210 SAS, when Cflowd is enabled on an IP interface, the sampling rate is applied to a port and only the samples that match the IP interface for which Cflowd is enabled are processed further to update or create flow records in the flow cache. Samples received that do not match the IP interface for which Cflowd is enabled are not processed further, and flow records are not created for them.
  6. On the 7210 SAS, samples are collected only in the ingress direction. Sampling in the egress direction is not supported.