5.4. Configuring Cflowd with CLI
This section provides information to configure Cflowd using the command line interface.
5.5. Cflowd Configuration Overview
The Cflowd implementation supports traffic flow analysis and the use of traffic and access list (ACL) filters to limit the type of traffic analyzed.
5.5.1. Traffic Sampling
Traffic sampling does not examine all packets received by a router. The use can configure command parameters to modify the rate at which traffic is sampled and sent for flow analysis. The default sampling rate is one out of every 1000 packets.
 | Caution: Excessive sampling, such as one out of every 100 packets, over an extended period of time can burden router processing resources. |
The following data is maintained for each individual flow in the raw flow cache:
- source IP address
- destinations IP address
- source port
- destination port
- forwarding status
- input interface
- output interface
- IP protocol
- TCP flags
- first timestamp (of the first packet in the flow)
- last timestamp (timestamp of last packet in the flow prior to expiry of the flow)
- source AS number for peer and origin (taken from BGP)
- destination AS number for peer and origin (taken from BGP)
- IP next hop
- BGP next hop
- ICMP type and code
- IP version
- source prefix (from routing)
- destination prefix (from routing)
- MPLS label stack from label 1 to 6
Within the raw flow cache, the following characteristics are used to identify an individual flow:
- ingress interface
- source IP address
- destination IP address
- source transport port number
- destination transport port number
- IP protocol type
- IP TOS byte
- virtual router id
- ICMP type and code
- direction
- MPLS labels
The user enables Cflowd at the interface level. By enabling Cflowd at the interface level, all IP packets forwarded by the interface are subject to Cflowd analysis.
5.5.2. Collectors
A collector defines how data flows are exported from the flow cache. The user can configure a maximum of five collectors. Each collector is identified by a unique IP address and UDP port value. Each collector can only export traffic in one version type: Version 5, Version 8, Version 9, or Version 10.
The user can modify the parameters of a collector configuration or retain the defaults.
The autonomous-system-type command defines whether the autonomous system (AS) information is included in the flow data based on the originating AS or external peer AS of the flow.
5.5.2.1. Aggregation
Version 8 allows the aggregation of flow data into larger, less granular flows. Use aggregation commands to specify the type of data to collect. These aggregation types are only applicable to flows that are exported to a Version 8 collector.
The following aggregation schemes are supported:
- AS matrixFlows are aggregated based on source and destination AS and ingress and egress interfaces.
- protocol-portFlows are aggregated based on the IP protocol, source port number, and destination port number.
- source prefixFlows are aggregated based on source prefix and mask, source AS, and ingress interface.
- destination prefixFlows are aggregated based on destination prefix and mask, destination AS, and egress interface.
- source-destination prefixFlows are aggregated based on source prefix and mask, destination prefix and mask, source and destination AS, ingress and egress interfaces.
- rawFlows are not aggregated and are sent to the collector in a Version 5 record.
5.6. Basic Cflowd Configuration
This section provides information to configure Cflowd and examples of common configuration tasks. To sample traffic, the user must configure the following minimal Cflowd parameters.
- Cflowd must be enabled.
- At least one collector must be configured and enabled.
- Sampling must be enabled on the interface (ingress only)
The following is a sample of Cflowd configuration output.
5.7. Common Configuration Tasks
This section provides an overview of the Cflowd configuration tasks and CLI commands. To begin traffic flow sampling, Cflowd and the user must enable at least one collector.
5.7.1. Global Cflowd Components
The following common (global) attributes apply to all instances of Cflowd:
- active timeoutThis attribute controls the maximum time a flow record can be active before it is automatically exported to defined collectors.
- inactive timeoutThis attribute controls the minimum time before a flow is declared inactive. If no traffic is sampled for an existing flow for the inactive timeout duration, the flow is declared inactive and marked to be exported to the defined collectors.
- cache sizeThis attribute defines the maximum size of the flow cache.
- overflowThis attribute defines the percentage of flow records that are exported to all collectors if the flow cache size is exceeded.
- rateThis attribute defines the system wide sampling rate for Cflowd.
- template retransmitThis attribute defines the interval (in seconds) at which the Version 9 and Version 10 templates are retransmitted to all configured Version 9 or Version 10 collectors.
5.7.2. Configuring Cflowd
Use the following CLI syntax to perform Cflowd configuration tasks.
5.7.3. Enabling Cflowd
Cflowd is disabled by default. Executing the configure cflowd command enables Cflowd. By default, Cflowd is not shut down but must be configured, including at least one collector, to be active.
Use the following CLI syntax to enable Cflowd.
The following is a sample configuration output that shows the default values when Cflowd is initially enabled. No collectors or collector options are configured.
5.7.4. Configuring Global Cflowd Parameters
This section describes the Cflowd parameters that apply to all instances where Cflowd (traffic sampling) is enabled.
Use the following syntax to configure Cflowd parameters.
The following is an example of a common Cflowd component configuration:
5.7.5. Configuring Cflowd Collectors
Use the following syntax to configure Cflowd collector parameters.
The following is a sample configuration output.
The following is a sample configuration output for a Version 9 collector.
5.7.5.1. Version 9 and Version 10 Templates
If the collector is configured to use either Version 9 or Version 10 (IPFIX) formats, the flow data is sent to the designated collector using one of the predefined templates. The template used is based on the type of flow for which the data was collected (IPv4, IPv6, or MPLS), and the configuration of the template-set parameter. Table 57 lists traffic flow types and the corresponding template used to export the flow data.
Table 57: Template-Set
Traffic type | Basic | MPLS-IP |
IPv4 | Basic IPv4 | MPLS-IPv4 |
IPv6 | Basic IPv6 | MPLS-IPv6 |
Each flow exported to a collector, configured for either Version 9 or Version 10 formats, is sent using one of the preceding flow template sets. The template is used based on the flow type and how the template-set parameter of the collector is configured.
The following tables list the fields present in each template set listed in Table 57:
Table 58: Basic IPv4 Template
Field Name | Field ID |
IPv4 Src Addr | 8 |
IPv4 Dest Addr | 12 |
IPv4 Nexthop | 15 |
BGP Nexthop | 18 |
Ingress Interface | 10 |
Egress Interface | 14 |
Packet Count | 2 |
Byte Count | 1 |
Start Time | 22 |
End Time | 21 |
Flow Start Milliseconds 1 | 152 |
Flow End Milliseconds1 | 153 |
Src Port | 7 |
Dest Port | 11 |
Forwarding Status | 89 |
TCP control Bits (Flags) | 6 |
IPv4 Protocol | 4 |
IPv4 TOS | 5 |
IP version | 60 |
ICMP Type & Code | 32 |
Direction | 61 |
BGP Source ASN | 16 |
BGP Dest ASN | 17 |
Source IPv4 Prefix Length | 9 |
Dest IPv4 Prefix Length | 13 |
- Only sent to collectors configured for the Version 10 format
Note:
Table 59: MPLS-IPv4 Template
Field Name | Field ID |
IPv4 Src Addr | 8 |
IPv4 Dest Addr | 12 |
IPv4 Nexthop | 15 |
BGP Nexthop | 18 |
Ingress Interface | 10 |
Egress Interface | 14 |
Packet Count | 2 |
Byte Count | 1 |
Start Time | 22 |
End Time | 21 |
Flow Start Milliseconds 1 | 152 |
Flow End Milliseconds | 153 |
Src Port | 7 |
Dest Port | 11 |
Forwarding Status | 89 |
TCP control Bits (Flags) | 6 |
IPv4 Protocol | 4 |
IPv4 TOS | 5 |
IP version | 60 |
ICMP Type & Code | 32 |
Direction | 61 |
BGP Source ASN | 16 |
BGP Dest ASN | 17 |
Source IPv4 Prefix Length | 9 |
Dest IPv4 Prefix Length | 13 |
MPLS Top Label Type | 46 |
MPLS Top Label IPv4 Addr | 47 |
MPLS Label 1 | 70 |
MPLS Label 2 | 71 |
MPLS Label 3 | 72 |
MPLS Label 4 | 73 |
MPLS Label 5 | 74 |
MPLS Label 6 | 75 |
- Only sent to collectors configured for the Version 10 format
Note:
Table 60: Basic IPv6 Template
Field Name | Field ID |
IPv6 Src Addr | 27 |
IPv6 Dest Addr | 28 |
IPv6 Nexthop | 62 |
IPv6 BGP Nexthop | 63 |
IPv4 Nexthop | 15 |
IPv4 BGP Nexthop | 18 |
Ingress Interface | 10 |
Egress Interface | 14 |
Packet Count | 2 |
Byte Count | 1 |
Start Time | 22 |
End Time | 21 |
Flow Start Milliseconds 1 | 152 |
Flow End Milliseconds1 | 153 |
Src Port | 7 |
Dest Port | 11 |
Forwarding Status | 89 |
TCP control Bits (Flags) | 6 |
Protocol | 4 |
IPv6 Extension Hdr | 64 |
IPv6 Next Header | 193 |
IPv6 Flow Label | 31 |
TOS | 5 |
IP version | 60 |
IPv6 ICMP Type & Code | 139 |
Direction | 61 |
BGP Source ASN | 16 |
BGP Dest ASN | 17 |
IPv6 Src Mask | 29 |
IPv6 Dest Mask | 30 |
- Only sent to collectors configured for the Version 10 format
Note:
Table 61: MPLS-IPv6 Template
Field Name | Field ID |
IPv6 Src Addr | 27 |
IPv6 Dest Addr | 28 |
IPv6 Nexthop | 62 |
IPv6 BGP Nexthop | 63 |
IPv4 Nexthop | 15 |
IPv4 BGP Nexthop | 18 |
Ingress Interface | 10 |
Egress Interface | 14 |
Packet Count | 2 |
Byte Count | 1 |
Start Time | 22 |
End Time | 21 |
Flow Start Milliseconds 1 | 152 |
Flow End Milliseconds1 | 153 |
Src Port | 7 |
Dest Port | 11 |
Forwarding Status | 89 |
TCP control Bits (Flags) | 6 |
Protocol | 4 |
IPv6 Extension Hdr | 64 |
IPv6 Next Header | 193 |
IPv6 Flow Label | 31 |
TOS | 5 |
IP version | 60 |
IPv6 ICMP Type & Code | 139 |
Direction | 61 |
BGP Source ASN | 16 |
BGP Dest ASN | 17 |
IPv6 Src Mask | 29 |
IPv6 Dest Mask | 30 |
MPLS_TOP_LABEL_TYPE | 46 |
MPLS_TOP_LABEL_ADDR | 47 |
MPLS Top Label Type | 46 |
MPLS Top Label IPv6 Addr | 47 |
MPLS Label 1 | 70 |
MPLS Label 2 | 71 |
MPLS Label 3 | 72 |
MPLS Label 4 | 73 |
MPLS Label 5 | 74 |
MPLS Label 6 | 75 |
MPLS_TOP_LABEL_TYPE | 46 |
MPLS_TOP_LABEL_ADDR | 47 |
- Only sent to collectors configured for the Version 10 format
Note:
5.7.6. Specifying Cflowd Options on an IP Interface
When Cflowd is enabled on an interface, all packets forwarded by the interface are subject to analysis according to the global Cflowd configuration and sorted according to the collector configurations.
See Table 62 for configuration combinations.
When the cflowd interface option is configured in the config>router>interface context, the following requirements must be met to enable traffic sampling on the specific interface.
- Cflowd must be enabled.
- At least one Cflowd collector must be configured and enabled.
- The interface>cflowd interface option must be selected. For configuration information, see Filter Policy Configuration Overview.
5.7.6.1. Interface Configurations
Use the following CLI syntax to enable traffic sampling on an interface.
When the interface option is configured, Cflowd extracts traffic flow samples from an interface for analysis. All packets forwarded by the interface are analyzed in accordance with the Cflowd configuration.
Configure the interface option to enable traffic sampling on an interface. If cflowd is not enabled (no cflowd), traffic sampling does not occur on the interface.
5.7.6.2. Service Interfaces
Use the following CLI syntax to enable traffic sample on a service interface.
When enabled on a service interface, Cflowd collects routed traffic flow samples through a router for analysis. Cflowd is supported on IES and VPRN service interfaces only. Layer 2 traffic is excluded. All packets forwarded by the interface are analyzed according to the cflowd configuration. On the interface level, Cflowd can be associated with an IP interface.
5.7.7. Dependencies
For Cflowd to be operational, the following requirements must be met.
- Cflowd must be enabled on a global level. If Cflowd is disabled, any traffic sampling instances are also disabled.
- At least one collector must be configured and enabled for traffic sampling to occur on an enabled entity.
- If a specific collector UDP port is not identified, flows are sent to port 2055 by default.
Table 62 displays the expected results when specific features are enabled and disabled.
Table 62: Cflowd Configuration Dependencies
Interface Setting | router>interface cflowd [interface] Setting | Command ip-filter entry Setting | Expected Results |
Interface mode 1 | Interface | none | All IP traffic ingressing the interface is subject to sampling |
- See Configuration Notes for more information.
Note:
5.8. Cflowd Configuration Management Tasks
This section describes Cflowd configuration management tasks.
5.8.1. Modifying Global Cflowd Components
Cflowd parameter modifications apply to all instances where cflowd or traffic sampling is enabled. Changes are applied immediately. Use the following syntax to modify global cflowd parameters.
The following example shows the Cflowd command usage to modify configuration parameters.
The following is a sample Cflowd component configuration output.
5.8.2. Modifying Cflowd Collector Parameters
Use the following syntax to modify Cflowd collector and aggregation parameters.
If a specific collector UDP port is not identified, flows are sent to port 2055 by default.
The following sample output shows basic Cflowd modifications.