The following figure shows the basic operation of the cflowd feature. This sample flow only describes the basic cflowd operation overview and is not intended to specify implementation and support on the 7210 SAS.
The logical sequence of cflowd operation is as follows:
The system decides whether to forward or drop packets as the packets ingress a port.
If the packet is forwarded, the system then decides whether to sample the packet for cflowd.
If a new flow is found, the system adds a new entry to the cache. If the flow already exists in the cache, the system updates the flow statistics.
If a new flow is detected and the maximum number of entries are already present in the flow cache, the system removes the entry with the earliest expiry time. The earliest expiry entry/flow is the next flow that will expire based on the active or inactive timer expiration.
If a flow has been inactive for a period of time equal to or greater than the inactive timer (default 15 seconds), or has been active for a period of time equal to or greater than the active timer (default 30 minutes), the system removes the entry from the flow cache.
When a flow is exported from the cache, the collected data is sent to an external collector that maintains an accumulation of historical data flows, which network operators can use to analyze traffic patterns.
Data is exported in one of the following formats:
Version 5
This format generates a fixed export record for each individual flow captured.
Version 8
This format aggregates multiple individual flows into a fixed aggregate record.
Version 9
This format generates a variable export record, depending on user configuration and sampled traffic type (IPv4, IPv6, or MPLS), for each individual flow captured.
Version 10 (IPFIX)
This format generates a variable export record, depending on user configuration and sampled traffic type (IPv4, IPv6, or MPLS), for each individual flow captured.
The following figure shows Version 5, Version 8, Version 9, and Version 10 flow processing.
As flows expire and are removed from the active flow cache, the export format is determined (either Version 5, Version 8, Version 9, and Version 10 record format) and one of the following processes occurs:
If the export format is Version 5, Version 9, or Version 10, no further processing is performed and the flow data is accumulated to be sent to the external collector.
If the export format is Version 8, the flow entry is added to one or more of the configured aggregation matrices.
As the entries within the aggregate matrices are aged out, they are accumulated to be sent to the external flow collector in Version 8 format.
The sample rate and cache size are configurable values. The cache size is set up with the default number of entries.
A flow terminates when one of the following conditions is met:
The inactive timeout period expires (default 15 seconds). A flow is considered terminated when no packets are seen for the flow for the configured number of seconds.
An active timeout expires (default 30 seconds). A flow terminates according to the time duration, regardless of whether packets are coming in for the flow.
The user executes a clear cflowd command.
Other conditions are met to aggressively age flows as the cache becomes too full, such as overflow percent.