6. Cflowd

This chapter provides information about filter policies and management.

6.1. Cflowd Overview

Cflowd is a tool used to sample IPv4, IPv6, MPLS, and Ethernet traffic data flows through a router. Cflowd enables traffic sampling and analysis by ISPs and network engineers to support capacity planning, trends analysis, and characterization of workloads in a network service provider environment.

Cflowd is also useful for traffic engineering, network planning and analysis, network monitoring, developing user profiles, data warehousing and mining, as well as security-related investigations. Collected information can be viewed in port, AS, or network matrices and pure flow structures. The amount of data stored depends on the Cflowd configurations.

Cflowd maintains a list of data flows through a router. A flow is a unidirectional traffic stream defined by several characteristics such as source and destination IP addresses, source and destination ports, inbound interface, IP protocol, and type of service (ToS) bits.

When a router receives a packet that is sampled by Cflowd, and for which it currently does not have a flow entry, a flow structure is initialized to maintain state information regarding that flow, such as the number of bytes exchanged, IP addresses, port numbers, and AS numbers. Each subsequent packet that is sampled and that matches the parameters of the flow contributes to the byte and packet count of the flow until the flow is terminated and exported to a collector for storage.

The 7705 SAR supports Cflowd version 9 and 10 on Ethernet ports on all cards except the 8-port Ethernet Adapter card. On the 2-port 10GigE (Ethernet) Adapter card and 2-port 10GigE (Ethernet) module, only the virtual port supports sampling. If Cflowd is configured on an IP interface or Layer 2 SAP that is associated with a LAG group with one or more member ports on an 8-port Ethernet Adapter card, no packets are sampled from those ports.

6.1.1. Operation

Figure 15 shows the basic operation of the Cflowd feature. This flow example is only used to describe the basic steps that are performed. It is not intended to specify how Cflowd is implemented.

Figure 15:  Basic Cflowd Operation 

The basic Cflowd steps are as follows.

  1. As a packet ingresses a port, a decision is made to forward or drop the packet.
  2. A decision is then made as to whether the packet should be sampled; if so, the forward/drop status is appended to the header information for processing by Cflowd.
  3. If a new flow is found, a new entry is added to the cache. If the flow already exists in the cache, the flow statistics are updated.
  4. If a new flow is found and the maximum number of entries is already in the flow cache, the earliest expiry entry is terminated. The earliest expiry entry is the next flow that will expire due to the active or inactive timer expiration.
  5. If a flow has been inactive for a period of time equal to, or greater than, the inactive timer (default 15 s), the entry is terminated.
  6. If a flow has been active for a period of time equal to, or greater than, the active timer (default 30 min), the entry is terminated.

The sample rate and cache size are configurable values. The sample rate default is 1000 with a range of one to 1 000 000. The cache size default is 65 536 flow entries with a range of 1000 to 250 000.

A flow terminates when one of the following conditions is met:

  1. the inactive timer expires
    A flow is terminated when no packets are seen for the flow for a number of seconds equal to, or greater than, the inactive timer. The default inactive timeout period is 15 s, with a range of 10 to 600 s.
  2. the active timer expires
    A flow is terminated if it has been active for a period of time equal to, or greater than, the active timer, even if there are packets coming in for the flow. The default active timeout period is 30 min, with a range of 1 to 600 min.
  3. the user executes a clear cflowd command
  4. any other measure is met that applies to aggressively age flows as the cache becomes too full (such as overflow percent)
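
A model of the cache steps and termination conditions above, as an added Python example that is not the 7705 SAR implementation: `FlowCache`, `Flow` and the reason strings are assumed names, the timers use the page defaults, and the traffic in `constructed_demo` is constructed.

```python
from dataclasses import dataclass

INACTIVE_S = 15        # default inactive timer from the page
ACTIVE_S = 30 * 60     # default active timer from the page

@dataclass
class Flow:
    first: float
    last: float
    packets: int = 0
    octets: int = 0

    def expiry(self):  # next moment at which either timer would end this entry
        return min(self.last + INACTIVE_S, self.first + ACTIVE_S)

class FlowCache:
    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.flows = {}        # flow key -> Flow
        self.exported = []     # (reason, key, Flow) records handed to the collector

    def _terminate(self, key, reason):
        self.exported.append((reason, key, self.flows.pop(key)))

    def age(self, now):
        for key, flow in list(self.flows.items()):
            if now - flow.last >= INACTIVE_S:      # step 5
                self._terminate(key, "inactive")
            elif now - flow.first >= ACTIVE_S:     # step 6
                self._terminate(key, "active")

    def sample(self, now, key, size):  # one sampled packet of `size` bytes at `now` seconds
        self.age(now)
        flow = self.flows.get(key)
        if flow is None:
            if len(self.flows) >= self.max_entries:    # step 4: cache is full
                victim = min(self.flows, key=lambda k: self.flows[k].expiry())
                self._terminate(victim, "cache-full")
            flow = self.flows[key] = Flow(first=now, last=now)
        flow.last = now
        flow.packets += 1
        flow.octets += size

def constructed_demo():  # constructed traffic: three flows through a two-entry cache
    a, b, c = [("192.0.2.1", f"198.51.100.{i}", 40000, 443, 6) for i in (1, 2, 3)]
    cache = FlowCache(max_entries=2)
    for now, key, size in [(0, a, 100), (5, b, 200), (6, a, 100), (7, c, 60), (20, c, 60), (25, c, 60)]:
        cache.sample(now, key, size)
    return cache
```

When exported records are read during an investigation, one conversation can reach the collector as several records (split at the active timer, or exported early when the cache is full), so records that share a flow key should be stitched by first and last timestamp before conclusions are drawn about duration or volume.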

When a flow is terminated, the collected data is formatted and exported from the cache to an external collector that maintains an accumulation of historical data flows that network operators can use to analyze traffic patterns. Flow data is exported in one of the following formats:

  1. version 9 — generates a variable export record, depending on user configuration and sampled traffic type (IPv4, IPv6, or MPLS) for each individual flow captured. Version 9 is interoperable with RFC 3954, Cisco Systems NetFlow Services Export Version 9.
  2. version 10 (IPFIX) — generates a variable export record, depending on user configuration and sampled traffic type (IPv4, IPv6, MPLS, or Ethernet Layer 2) for each individual flow captured. Version 10 is interoperable with RFC 5101 and 5102 from the IETF as the IP Flow Information Export (IPFIX) standard.

6.1.2. Sampling

To avoid stressing router processors with excessive sampling, Cflowd is not required to examine every packet received by the router. The sampling rate can be configured to be every packet or up to every 1 000 000 packets, with a default rate of 1000 packets. A larger rate value provides more flexibility to avoid congestion on smaller platforms. Sampling at too high a rate over an extended period of time can burden router processing resources. Sampling is supported in ingress and egress directions for Layer 3 services. For Layer 2 services, only ingress sampling is supported.

The following data is maintained for each individual flow in the raw flow cache:

  1. source IP address
  2. destination IP address
  3. source port
  4. destination port
  5. forwarding status
  6. input interface
  7. output interface
  8. IP protocol
  9. TCP flags
  10. first timestamp (of the first packet in the flow)
  11. last timestamp (timestamp of last packet in the flow prior to expiry of the flow)
  12. source AS number for peer and origin (taken from BGP)
  13. destination AS number for peer and origin (taken from BGP)
  14. IP next hop
  15. BGP next hop
  16. ICMP type and code
  17. IP version
  18. source prefix (from routing)
  19. destination prefix (from routing)
  20. MPLS label stack from label 1 to 6

Within the raw flow cache, the following characteristics are used to identify an individual flow:

  1. ingress interface
  2. source IP address
  3. destination IP address
  4. source transport port number
  5. destination transport port number
  6. IP protocol type
  7. IP ToS byte
  8. forwarding status
  9. virtual router ID
  10. ICMP type and code
  11. direction
  12. MPLS labels

6.1.3. Collectors

A collector defines how data flows should be exported from the flow cache. A maximum of five collectors can be configured and at least one must be configured for Cflowd to be active. Each collector is identified by a unique IP address and UDP port value. Each collector can only export traffic in one version type: version 9 or version 10.

The parameters within a collector configuration can be modified.

6.1.4. Templates

Flow data is sent to the designated collector using a predefined template. The template used is based on the type of flow for which the data was collected (IPv4, IPv6, MPLS, or Ethernet Layer 2) and the configuration of the template-set parameter. Table 109 lists these values and the corresponding template used to export the flow data.

Table 109:  Cflowd Templates

| Traffic Flow | Template Set: basic | Template Set: mpls-ip | Template Set: l2-ip |
| --- | --- | --- | --- |
| IPv4 | Basic IPv4 | MPLS-IPv4 | |
| IPv6 | Basic IPv6 | MPLS-IPv6 | |
| MPLS | Basic MPLS | MPLS-IP | |
| Ethernet (note 1) | | | L2-IP |

    Note:

  1. Only supported on collectors configured for version 10 format.

Each flow exported to a collector configured for either the version 9 or version 10 format is sent using one of the templates listed in Table 109.

Table 110 to Table 114 list the fields in each template listed in Table 109.

Table 110:  Basic IPv4 Template

| Field Name | Field ID |
| --- | --- |
| IPv4 Src Addr | 8 |
| IPv4 Dest Addr | 12 |
| IPv4 Nexthop | 15 |
| BGP Nexthop | 18 |
| Ingress Interface | 10 |
| Egress Interface | 14 |
| Packet Count | 2 |
| Byte Count | 1 |
| Start Time | 22 |
| End Time | 21 |
| Flow Start Milliseconds (note 1) | 152 |
| Flow End Milliseconds (note 1) | 153 |
| Src Port | 7 |
| Dest Port | 11 |
| Forwarding Status | 89 |
| TCP control Bits (Flags) | 6 |
| IPv4 Protocol | 4 |
| IPv4 TOS | 5 |
| IP version | 60 |
| ICMP Type & Code | 32 |
| Direction | 61 |
| BGP Source ASN | 16 |
| BGP Dest ASN | 17 |
| Source IPv4 Prefix Length | 9 |
| Dest IPv4 Prefix Length | 13 |
| Minimum IP Total Length | 25 |
| Maximum IP Total Length | 26 |
| Minimum TTL | 52 |
| Maximum TTL | 53 |
| Multicast Replication Factor | 99 |
| IsMulticast (note 1) | 206 |
| Ingress VRFID (note 1) | 234 |
| Egress VRFID (note 1) | 235 |

    Note:

  1. Only sent to collectors configured for version 10 format.

Table 111:  Basic IPv6 Template

| Field Name | Field ID |
| --- | --- |
| IPv6 Src Addr | 27 |
| IPv6 Dest Addr | 18 |
| IPv6 Nexthop | 62 |
| IPv6 BGP Nexthop | 63 |
| IPv4 Nexthop | 15 |
| IPv4 BGP Nexthop | 18 |
| Ingress Interface | 10 |
| Egress Interface | 14 |
| Packet Count | 2 |
| Byte Count | 1 |
| Start Time | 22 |
| End Time | 21 |
| Flow Start Milliseconds (note 1) | 152 |
| Flow End Milliseconds (note 1) | 153 |
| Src Port | 7 |
| Dest Port | 11 |
| Forwarding Status | 89 |
| TCP control Bits (Flags) | 6 |
| Protocol | 4 |
| IPv6 Extension Hdr | 64 |
| IPv6 Next Header (note 1) | 193 |
| IPv6 Flow Label | 31 |
| TOS | 5 |
| IP version | 60 |
| IPv6 ICMP Type & Code (note 1) | 139 |
| Direction | 61 |
| BGP Source ASN | 16 |
| BGP Dest ASN | 17 |
| IPv6 Src Mask | 29 |
| IPv6 Dest Mask | 30 |
| Minimum IP Total Length | 25 |
| Maximum IP Total Length | 26 |
| Minimum TTL | 52 |
| Maximum TTL | 53 |
| Multicast Replication Factor | 99 |
| IsMulticast (note 1) | 206 |
| Ingress VRFID (note 1) | 234 |
| Egress VRFID (note 1) | 235 |

    Note:

  1. Only sent to collectors configured for version 10 format.

Table 112:  MPLS-IPv4 Template

| Field Name | Field ID |
| --- | --- |
| IPv4 Src Addr | 8 |
| IPv4 Dest Addr | 12 |
| IPv4 Nexthop | 15 |
| BGP Nexthop | 18 |
| Ingress Interface | 10 |
| Egress Interface | 14 |
| Packet Count | 2 |
| Byte Count | 1 |
| Start Time | 22 |
| End Time | 21 |
| Flow Start Milliseconds (note 1) | 152 |
| Flow End Milliseconds (note 1) | 153 |
| Src Port | 7 |
| Dest Port | 11 |
| Forwarding Status | 89 |
| TCP control Bits (Flags) | 6 |
| IPv4 Protocol | 4 |
| IPv4 TOS | 5 |
| IP version | 60 |
| ICMP Type & Code | 32 |
| Direction | 61 |
| BGP Source ASN | 16 |
| BGP Dest ASN | 17 |
| Source IPv4 Prefix Length | 9 |
| Dest IPv4 Prefix Length | 13 |
| MPLS Label 1 | 70 |
| MPLS Label 2 | 71 |
| MPLS Label 3 | 72 |
| MPLS Label 4 | 73 |
| MPLS Label 5 | 74 |
| MPLS Label 6 | 75 |
| Minimum IP Total Length | 25 |
| Maximum IP Total Length | 26 |
| Minimum TTL | 52 |
| Maximum TTL | 53 |
| Multicast Replication Factor | 99 |
| IsMulticast (note 1) | 206 |
| Ingress VRFID (note 1) | 234 |
| Egress VRFID (note 1) | 235 |

    Note:

  1. Only sent to collectors configured for version 10 format.

Table 113:  MPLS-IPv6 Template

| Field Name | Field ID |
| --- | --- |
| IPv6 Src Addr | 27 |
| IPv6 Dest Addr | 28 |
| IPv6 Nexthop | 62 |
| IPv6 BGP Nexthop | 63 |
| IPv4 Nexthop | 15 |
| IPv4 BGP Nexthop | 18 |
| Ingress Interface | 10 |
| Egress Interface | 14 |
| Packet Count | 2 |
| Byte Count | 1 |
| Start Time | 22 |
| End Time | 21 |
| Flow Start Milliseconds (note 1) | 152 |
| Flow End Milliseconds (note 1) | 153 |
| Src Port | 7 |
| Dest Port | 11 |
| Forwarding Status | 89 |
| TCP control Bits (Flags) | 6 |
| Protocol | 4 |
| IPv6 Extension Hdr | 64 |
| IPv6 Next Header | 193 |
| IPv6 Flow Label | 31 |
| TOS | 5 |
| IP version | 60 |
| IPv4 ICMP Type & Code (note 2) | 32 |
| IPv6 ICMP Type & Code (note 1) | 139 |
| Direction | 61 |
| BGP Source ASN | 16 |
| BGP Dest ASN | 17 |
| IPv6 Src Mask | 29 |
| IPv6 Dest Mask | 30 |
| MPLS Label 1 | 70 |
| MPLS Label 2 | 71 |
| MPLS Label 3 | 72 |
| MPLS Label 4 | 73 |
| MPLS Label 5 | 74 |
| MPLS Label 6 | 75 |
| Minimum IP Total Length | 25 |
| Maximum IP Total Length | 26 |
| Minimum TTL | 52 |
| Maximum TTL | 53 |
| Multicast Replication Factor | 99 |
| IsMulticast (note 1) | 206 |
| Ingress VRFID (note 1) | 234 |
| Egress VRFID (note 1) | 235 |

    Notes:

  1. Only sent to collectors configured for version 10 format.
  2. Only sent to collectors configured for version 9 format.

Table 114:  L2-IP (Ethernet) Flow Template for Version 10 Only

| Field Name (note 1) | Field ID |
| --- | --- |
| MAC Src Addr | 56 |
| MAC Dest Addr | 80 |
| Ingress Physical Interface | 252 |
| Egress Physical Interface (note 2) | 253 |
| Dot1q VLAN ID | 243 |
| Dot1q Customer VLAN ID | 245 |
| Post Dot1q VLAN ID | 254 |
| Post Dot1q Customer VLAN Id (note 3) | 255 |
| IPv4 Src Addr | 8 |
| IPv4 Dest Addr | 12 |
| IPv6 Src Addr | 27 |
| IPv6 Dest Addr | 28 |
| Packet Count | 2 |
| Byte Count | 1 |
| Flow Start Milliseconds | 152 |
| Flow End Milliseconds | 153 |
| Src Port | 7 |
| Dest Port | 11 |
| TCP control Bits (Flags) | 6 |
| Protocol | 4 |
| IPv6 Option Header | 64 |
| IPv6 Next Header | 196 |
| IPv6 Flow Label | 31 |
| TOS | 5 |
| IP Version | 60 |
| ICMP Type Code | 32 |

    Notes:

  1. Only one L2-IP (Ethernet) flow template is supported and exported to IPFIX (V10) collectors.
  2. For SAP-to-SDP services, this value is the SDP ID.
  3. For SAP-to-SDP services, this value is the VC ID.
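
A collector-side decoder for a version 10 (IPFIX) message, added here as an example and not taken from the Nokia documentation: it learns the record layout from the template set and labels fields with the IDs from Table 110. The function names, template ID 256, the field lengths and the addresses in the constructed message are assumptions; the framing (16-byte message header, set ID 2 for templates, data set ID equal to the template ID) is the standard IPFIX layout.

```python
import ipaddress
import struct

# Field IDs from Table 110 (subset); any other ID is reported by number.
FIELDS = {8: "IPv4 Src Addr", 12: "IPv4 Dest Addr", 7: "Src Port", 11: "Dest Port",
          4: "IPv4 Protocol", 6: "TCP control Bits (Flags)", 2: "Packet Count", 1: "Byte Count"}

def parse_ipfix(msg, templates):
    """Decode one version 10 message; templates maps template ID -> [(field_id, length)]."""
    if len(msg) < 16 or struct.unpack_from("!HH", msg, 0) != (10, len(msg)):
        raise ValueError("bad header: version must be 10 and length must match")
    records, off, length = [], 16, len(msg)
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("set length runs outside the message")
        body = msg[off + 4:off + set_len]
        if set_id == 2:                                  # template set
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack_from("!HH", body, pos)
                if tid < 256:                            # trailing padding
                    break
                end = pos + 4 + 4 * count
                if count == 0 or end > len(body):
                    raise ValueError("withdrawal or truncated template: not handled here")
                specs = [struct.unpack_from("!HH", body, p) for p in range(pos + 4, end, 4)]
                if any(fid & 0x8000 or flen in (0, 0xFFFF) for fid, flen in specs):
                    raise ValueError("enterprise or variable-length field: not handled here")
                templates[tid], pos = specs, end
        elif set_id in templates:                        # data set with a known template
            rec_len = sum(flen for _, flen in templates[set_id])
            for start in range(0, len(body) - rec_len + 1, rec_len):
                rec, p = {}, start
                for fid, flen in templates[set_id]:
                    raw, p = body[p:p + flen], p + flen
                    addr = fid in (8, 12) and flen == 4
                    rec[FIELDS.get(fid, f"field {fid}")] = (
                        str(ipaddress.IPv4Address(raw)) if addr else int.from_bytes(raw, "big"))
                records.append(rec)
        off += set_len                                   # unknown sets are skipped, not guessed at
    return records

def constructed_message():  # constructed sample; template ID and field lengths are assumptions
    spec = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (2, 8), (1, 8)]
    tmpl = struct.pack("!HH", 256, len(spec)) + b"".join(struct.pack("!HH", *s) for s in spec)
    data = bytes([192, 0, 2, 10, 198, 51, 100, 7]) + struct.pack("!HHBBQQ", 40000, 443, 6, 0x1B, 12, 3400)
    sets = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(sets), 0, 0, 0) + sets
```

A data set that arrives before its template is skipped rather than decoded against a guessed layout, and a length field that points outside the message raises `ValueError` instead of being read past.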

6.2. Cflowd Configuration Process Overview

The following components must be configured for Cflowd to be operational:

  1. Cflowd must be enabled globally
  2. at least one collector must be configured and enabled
  3. sampling must be enabled on an interface on a port or service