6.4. Configuring Cflowd with CLI

This section provides information to configure cflowd using the command line interface.

6.4.1. Cflowd Configuration Overview

The SR OS implementation of cflowd supports the analysis of traffic flows. It also supports the use of traffic or access list (ACL) filters to limit the type of traffic that is analyzed.

6.4.1.1. Traffic Sampling

Traffic sampling does not examine every packet received by a router. Command parameters control the rate at which packets are sampled and sent for flow analysis. The default sampling rate is every 1000th packet. Sampling more frequently than every 1000th packet over an extended period of time can burden router processing resources.

The following data is maintained for each individual flow in the raw flow cache:

  1. Source IP address
  2. Destination IP address
  3. Source port
  4. Destination port
  5. Forwarding status
  6. Input interface
  7. Output interface
  8. IP protocol
  9. TCP flags
  10. First timestamp (of the first packet in the flow)
  11. Last timestamp (timestamp of last packet in the flow prior to expiry of the flow)
  12. Source AS number for peer and origin (taken from BGP)
  13. Destination AS number for peer and origin (taken from BGP)
  14. IP next hop
  15. BGP next hop
  16. ICMP type and code
  17. IP version
  18. Source prefix (from routing)
  19. Destination prefix (from routing)
  20. MPLS label stack from label 1 to 6

Within the raw flow cache, the following characteristics are used to identify an individual flow:

  1. Ingress interface
  2. Source IP address
  3. Destination IP address
  4. Source transport port number
  5. Destination transport port number
  6. IP protocol type
  7. IP TOS byte
  8. Virtual router ID
  9. ICMP type and code
  10. Direction
  11. MPLS labels

The SR OS implementation allows you to enable cflowd either at the interface level or as an action of a filter. When cflowd is enabled at the interface level, all IP packets forwarded by the interface are subject to cflowd analysis. When cflowd is set as an action in a filter, only packets matching the specified filter are subject to cflowd analysis. This gives the network operator greater flexibility in the types of flows that are captured.

6.4.1.2. Collectors

A collector defines how data flows should be exported from the flow cache. A maximum of five collectors can be configured. Each collector is identified by a unique IP address and UDP port value. Each collector can only export traffic in one version type: V5, V8, V9, or V10.

The parameters within a collector configuration can be modified or the defaults retained.

The autonomous-system-type command defines whether the autonomous system information to be included in the flow data is based on the originating AS or external peer AS of the flow.

6.4.1.2.1. Aggregation

V8 aggregation allows for flow data to be aggregated into larger, less granular flows. Use aggregation commands to specify the type of data to be collected. These aggregation types are only applicable to flows being exported to a V8 collector.

The following aggregation schemes are supported:

  1. AS matrix — Flows are aggregated based on source and destination AS and ingress and egress interface.
  2. Protocol-port — Flows are aggregated based on the IP protocol, source port number, and destination port number.
  3. Source prefix — Flows are aggregated based on source prefix and mask, source AS, and ingress interface.
  4. Destination prefix — Flows are aggregated based on destination prefix and mask, destination AS, and egress interface.
  5. Source-destination prefix — Flows are aggregated based on source prefix and mask, destination prefix and mask, source and destination AS, ingress interface and egress interface.
  6. Raw — Flows are not aggregated and are sent to the collector in a V5 record.

6.4.2. Basic Cflowd Configuration

This section provides information to configure cflowd and examples of common configuration tasks. To sample traffic, at a minimum the following must be configured:

  1. Cflowd must be enabled.
  2. At least one collector must be configured and enabled.
  3. Sampling must be enabled on either:
    1. An IP filter entry (and applied to a service or a port).
    2. An interface applied to a port.

The following example shows a cflowd configuration:

A:ALA-1>config>cflowd# info detail
----------------------------------------------
     active-timeout 30
     cache-size 65536
     inactive-timeout 15
     overflow 1
     rate 1000
     collector 10.10.10.103:2055 version 9
          no aggregation
          autonomous-system-type origin
          description "V9 collector"
          no shutdown
     exit
     template-retransmit 330
     no shutdown
----------------------------------------------
A:ALA-1>config>cflowd#

6.4.3. Common Configuration Tasks

This section provides a brief overview of the tasks that must be performed to configure cflowd and provides the CLI commands. To begin traffic flow sampling, cflowd must be enabled and at least one collector must be configured.

6.4.3.1. Global Cflowd Components

The following common (global) attributes apply to all instances of cflowd:

  1. Active timeout — Controls the maximum time a flow record can be active before it will be automatically exported to defined collectors.
  2. Inactive timeout — Controls the minimum time before a flow is declared inactive. If no traffic is sampled for a flow for the inactive timeout duration, the flow is declared inactive and marked to be exported to the defined collectors.
  3. Cache size — Defines the maximum size of the flow cache.
  4. Overflow — Defines the percentage of flow records that are exported to all collectors if the flow cache size is exceeded.
  5. Rate — Defines the system-wide sampling rate for cflowd.
  6. Template retransmit — Defines the interval (in seconds) at which the V9 and V10 templates are retransmitted to all configured V9 or V10 collectors.
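
As an added illustration, not taken from the SR OS documentation, the following Python model ties together the flow-identification fields listed under Traffic Sampling and the active timeout, inactive timeout, cache size and overflow parameters above. The packet dictionary field names, the timestamps and the sample stream are this example's own assumptions, and the overflow behaviour (exporting the least recently updated records) is a simplification of what the page describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Flow key: the 11 characteristics the page lists for identifying a flow (ingress
# interface, src/dst IP, src/dst port, protocol, TOS, VR ID, ICMP, direction, labels).
FlowKey = Tuple[str, str, str, int, int, int, int, int, int, str, Tuple[int, ...]]

@dataclass
class FlowRecord:
    first_ts: float      # timestamp of the first sampled packet in the flow
    last_ts: float       # timestamp of the last sampled packet before expiry
    packets: int = 0
    octets: int = 0

def flow_key(pkt: dict) -> FlowKey:
    """Build the cache key from a sampled packet (the dict field names are assumed)."""
    return (pkt["ingress_if"], pkt["src"], pkt["dst"],
            pkt.get("sport", 0), pkt.get("dport", 0), pkt["proto"],
            pkt.get("tos", 0), pkt.get("vrid", 1), pkt.get("icmp", 0),
            pkt.get("direction", "ingress"), tuple(pkt.get("labels", ())))

class FlowCache:
    """active-timeout is given in minutes and inactive-timeout in seconds, as on the CLI."""
    def __init__(self, active_timeout_min=30, inactive_timeout_s=15,
                 cache_size=65536, overflow_pct=1):
        self.active, self.inactive = active_timeout_min * 60, inactive_timeout_s
        self.cache_size, self.overflow_pct = cache_size, overflow_pct
        self.flows: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[Tuple[FlowKey, FlowRecord, str]] = []  # (key, record, reason)

    def add_sample(self, pkt: dict, now: float) -> None:
        self.expire(now)
        key = flow_key(pkt)
        rec = self.flows.get(key)
        if rec is None:
            if len(self.flows) >= self.cache_size:
                self._overflow()
            rec = self.flows[key] = FlowRecord(first_ts=now, last_ts=now)
        rec.last_ts = now
        rec.packets += 1
        rec.octets += pkt.get("length", 0)

    def expire(self, now: float) -> None:
        """Active timeout exports a flow that has existed that long even if it is still
        busy; inactive timeout exports one for which nothing was sampled for that long."""
        for key, rec in list(self.flows.items()):
            if now - rec.first_ts >= self.active:
                self._export(key, "active-timeout")
            elif now - rec.last_ts >= self.inactive:
                self._export(key, "inactive-timeout")

    def _overflow(self) -> None:
        """Cache full: export the least recently updated overflow_pct percent (at least one)."""
        n = max(1, len(self.flows) * self.overflow_pct // 100)
        for key in sorted(self.flows, key=lambda k: self.flows[k].last_ts)[:n]:
            self._export(key, "overflow")

    def _export(self, key: FlowKey, reason: str) -> None:
        self.exported.append((key, self.flows.pop(key), reason))

def demo() -> List[Tuple[str, int]]:
    """Constructed sample stream; returns (export reason, packet count) per exported flow."""
    cache = FlowCache(active_timeout_min=1, inactive_timeout_s=15, cache_size=2, overflow_pct=50)
    web = {"ingress_if": "to-core", "src": "192.0.2.10", "dst": "198.51.100.5",
           "sport": 40000, "dport": 443, "proto": 6, "length": 1200}
    dns = {**web, "dport": 53, "proto": 17, "length": 80}
    cache.add_sample(web, 0.0)
    cache.add_sample(dns, 10.0)
    for t in (10.0, 20.0, 30.0, 40.0, 50.0, 60.0):  # dns idles out at t=30; web reaches 60 s at t=60
        cache.add_sample(web, t)
    cache.add_sample({**web, "dport": 22}, 61.0)    # cache now holds cache_size flows
    cache.add_sample({**web, "dport": 123}, 62.0)   # third flow: overflow exports the oldest
    return [(reason, rec.packets) for _, rec, reason in cache.exported]
```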

6.4.3.2. Enabling Cflowd

Cflowd is disabled by default. Executing the cflowd command enables cflowd (it is not administratively shut down), but it must still be configured, including at least one collector, before it becomes active.

Use the following CLI syntax to enable cflowd:

CLI Syntax:
config# cflowd
no shutdown

The following example shows the default values when cflowd is initially enabled. No collectors or collector options are configured.

A:ALA-1>config# info detail 
...
#------------------------------------------
echo "Cflowd Configuration"
#------------------------------------------
    cflowd
        active-timeout 30
        cache-size 65536
        inactive-timeout 15
        overflow 1
        rate 1000
        template-retransmit 600 
        no shutdown
    exit
#------------------------------------------
A:ALA-1>config#

6.4.3.3. Configuring Global Cflowd Parameters

The following cflowd parameters apply to all instances where cflowd is enabled.

Use the following CLI commands to configure cflowd parameters:

CLI Syntax:
config>cflowd#
active-timeout minutes
cache-size num-entries
enhanced-distribution
export-mode {automatic | manual}
inactive-timeout seconds
overflow percent
rate sample-rate
template-retransmit seconds
no shutdown

The following example shows a sample cflowd configuration:

A:ALA-1>config>cflowd# info 
#------------------------------------------
        active-timeout 20
        inactive-timeout 10
        overflow 10
        rate 100
#------------------------------------------
A:ALA-1>config>cflowd# 

6.4.3.4. Configuring Cflowd Collectors

To configure cflowd collector parameters, enter the following commands:

CLI Syntax:
config>cflowd#
collector ip-address[:port] [version version]
aggregation
as-matrix
destination-prefix
protocol-port
raw
source-destination-prefix
source-prefix
autonomous-system-type [origin | peer]
description description-string
no shutdown
template-set {basic | mpls-ip | l2-ip | mpls-transport}

The following example shows a basic cflowd configuration:

A:ALA-1>config>cflowd# info
-----------------------------------------
        active-timeout 20
        inactive-timeout 10
        overflow 10
        rate 100
        collector 10.10.10.1:2000 version 8
            aggregation
                as-matrix
                raw
            exit
            description "AS info collector"
        exit
        collector 10.10.10.2:5000 version 8
            aggregation
                protocol-port
                source-destination-prefix
            exit
            autonomous-system-type peer
            description "Neighbor collector"
        exit
-----------------------------------------
A:ALA-1>config>cflowd#

Version 9 collector example:

        collector 10.10.10.9:2000 version 9
            description "v9collector"
            template-set mpls-ip
            no shutdown
        exit


6.4.3.4.1. Version 9 and Version 10 Templates

If the collector is configured to use either V9 or V10 (IPFIX) formats, the flow data is sent to the designated collector using one of the predefined templates. The template used is based on the type of flow for which the data was collected (IPv4, IPv6, MPLS, or Ethernet (Layer 2)), and the configuration of the template-set parameter. Table 79 lists these values and the corresponding template used to export the flow data.

Table 79:  Template Sets

  Traffic Flow   template-set basic   template-set mpls-ip
  ------------   ------------------   --------------------
  IPv4           Basic IPv4           MPLS-IPv4
  IPv6           Basic IPv6           MPLS-IPv6
  MPLS           Basic MPLS           MPLS-IP
  Ethernet       L2-IP                L2-IP

Each flow exported to a collector configured for either V9 or V10 formats will be sent using one of the flow template sets listed in Table 79.

Table 80 to Table 87 list the fields in each template listed in Table 79.

Table 80:  Basic IPv4 Template

  Field Name                      Field ID
  ------------------------------  --------
  IPv4 Src Addr                   8
  IPv4 Dest Addr                  12
  IPv4 Nexthop                    15
  BGP Nexthop                     18
  Ingress Interface               10
  Egress Interface                14
  Packet Count                    2
  Byte Count                      1
  Start Time                      22
  End Time                        21
  Flow Start Milliseconds (1)     152
  Flow End Milliseconds (1)       153
  Src Port                        7
  Dest Port                       11
  Forwarding Status               89
  TCP control Bits (Flags)        6
  IPv4 Protocol                   4
  IPv4 TOS                        5
  IP version                      60
  ICMP Type & Code                32
  Direction                       61
  BGP Source ASN                  16
  BGP Dest ASN                    17
  Source IPv4 Prefix Length       9
  Dest IPv4 Prefix Length         13
  Minimum IP Total Length         25
  Maximum IP Total Length         26
  Minimum TTL                     52
  Maximum TTL                     53
  Multicast Replication Factor    99
  IsMulticast (1)                 206
  Ingress VRFID (1)               234
  Egress VRFID (1)                235

  Note:
    1. Only sent to collectors configured for V10 format.

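
Added example, not SR OS code: a collector-side NetFlow v9 encoder and decoder for a subset of the Basic IPv4 template fields in Table 80, which shows why a data record cannot be decoded until its template has been received (the template-retransmit interval governs how long a restarted collector waits for it). The byte length of each field is assumed from the IANA IPFIX registry, and the template ID, interface indices, addresses and AS numbers are constructed.

```python
import struct
from typing import Dict, List, Tuple

# Subset of the Table 80 field IDs.  The byte lengths are this example's assumption
# (the IANA IPFIX element sizes); the page does not state the lengths SR OS uses.
BASIC_IPV4_SUBSET: List[Tuple[int, int]] = [
    (8, 4), (12, 4),     # IPv4 Src Addr, IPv4 Dest Addr
    (10, 4), (14, 4),    # Ingress Interface, Egress Interface
    (2, 4), (1, 4),      # Packet Count, Byte Count
    (7, 2), (11, 2),     # Src Port, Dest Port
    (6, 1), (4, 1),      # TCP control Bits (Flags), IPv4 Protocol
    (16, 4), (17, 4),    # BGP Source ASN, BGP Dest ASN
]

def build_v9_packet(template_id: int, fields: List[Tuple[int, int]],
                    records: List[List[int]], source_id: int = 1) -> bytes:
    """One NetFlow v9 export packet: 20-byte header, template FlowSet, data FlowSet."""
    tmpl = struct.pack("!HH", template_id, len(fields))
    tmpl += b"".join(struct.pack("!HH", fid, ln) for fid, ln in fields)
    template_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl        # FlowSet ID 0
    data = b"".join(value.to_bytes(ln, "big")
                    for rec in records for (_, ln), value in zip(fields, rec))
    pad = (-len(data)) % 4                                            # 32-bit alignment
    data_set = struct.pack("!HH", template_id, 4 + len(data) + pad) + data + b"\0" * pad
    # count = template record + data records; sysUpTime/unixSecs/sequence constructed as 0
    header = struct.pack("!HHIIII", 9, 1 + len(records), 0, 0, 0, source_id)
    return header + template_set + data_set

def parse_v9(packet: bytes) -> List[Dict[int, int]]:
    """Decode templates, then data records, into one {field_id: value} dict per flow.
    Data FlowSets whose template has not been seen yet are skipped, as a real
    collector must do until the router resends the template."""
    version, _count, _up, _secs, _seq, _src = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    templates: Dict[int, List[Tuple[int, int]]] = {}
    flows: List[Dict[int, int]] = []
    off = 20
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[off:off + 4])
        if set_len < 4 or off + set_len > len(packet):
            raise ValueError("bad FlowSet length")          # truncated or malformed input
        body, p = packet[off + 4:off + set_len], 0
        if set_id == 0:                                      # template FlowSet
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                if p + 4 + 4 * n > len(body):
                    raise ValueError("truncated template record")
                spec = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(n)]
                templates[tid], p = spec, p + 4 + 4 * n
        elif set_id >= 256 and set_id in templates:         # data FlowSet
            spec = templates[set_id]
            rec_len = sum(ln for _, ln in spec)
            while rec_len and p + rec_len <= len(body):      # trailing bytes are padding
                rec = {}
                for fid, ln in spec:
                    rec[fid] = int.from_bytes(body[p:p + ln], "big")
                    p += ln
                flows.append(rec)
        off += set_len
    return flows

def demo() -> List[Dict[int, int]]:
    """Constructed export from a hypothetical router: two Basic IPv4 flows."""
    def ip(s): return int.from_bytes(bytes(int(o) for o in s.split(".")), "big")
    records = [
        [ip("192.0.2.10"), ip("198.51.100.5"), 3, 7, 12, 9600, 40000, 443, 0x18, 6, 64496, 64497],
        [ip("192.0.2.11"), ip("198.51.100.9"), 3, 7, 1, 80, 50000, 53, 0x00, 17, 64496, 64498],
    ]
    return parse_v9(build_v9_packet(256, BASIC_IPV4_SUBSET, records))
```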
Table 81:  MPLS-IPv4 Template

  Field Name                      Field ID
  ------------------------------  --------
  IPv4 Src Addr                   8
  IPv4 Dest Addr                  12
  IPv4 Nexthop                    15
  BGP Nexthop                     18
  Ingress Interface               10
  Egress Interface                14
  Packet Count                    2
  Byte Count                      1
  Start Time                      22
  End Time                        21
  Flow Start Milliseconds (1)     152
  Flow End Milliseconds (1)       153
  Src Port                        7
  Dest Port                       11
  Forwarding Status               89
  TCP control Bits (Flags)        6
  IPv4 Protocol                   4
  IPv4 TOS                        5
  IP version                      60
  ICMP Type & Code                32
  Direction                       61
  BGP Source ASN                  16
  BGP Dest ASN                    17
  Source IPv4 Prefix Length       9
  Dest IPv4 Prefix Length         13
  MPLS Top Label Type             46
  MPLS Top Label IPv4 Addr        47
  MPLS Label 1                    70
  MPLS Label 2                    71
  MPLS Label 3                    72
  MPLS Label 4                    73
  MPLS Label 5                    74
  MPLS Label 6                    75
  MPLS Label 7                    76
  MPLS Label 8                    77
  MPLS Label 9                    78
  MPLS Label 10                   79
  Minimum IP Total Length         25
  Maximum IP Total Length         26
  Minimum TTL                     52
  Maximum TTL                     53
  Multicast Replication Factor    99
  IsMulticast (1)                 206
  Ingress VRFID (1)               234
  Egress VRFID (1)                235

  Note:
    1. Only sent to collectors configured for V10 format.

Table 82:  Basic IPv6 Template

  Field Name                      Field ID
  ------------------------------  --------
  IPv6 Src Addr                   27
  IPv6 Dest Addr                  28
  IPv6 Nexthop                    62
  IPv6 BGP Nexthop                63
  IPv4 Nexthop                    15
  IPv4 BGP Nexthop                18
  Ingress Interface               10
  Egress Interface                14
  Packet Count                    2
  Byte Count                      1
  Start Time                      22
  End Time                        21
  Flow Start Milliseconds (1)     152
  Flow End Milliseconds (1)       153
  Src Port                        7
  Dest Port                       11
  Forwarding Status               89
  TCP control Bits (Flags)        6
  Protocol                        4
  IPv6 Extension Hdr              64
  IPv6 Next Header                193
  IPv6 Flow Label                 31
  TOS                             5
  IP version                      60
  IPv6 ICMP Type & Code           139
  Direction                       61
  BGP Source ASN                  16
  BGP Dest ASN                    17
  IPv6 Src Mask                   29
  IPv6 Dest Mask                  30
  Minimum IP Total Length         25
  Maximum IP Total Length         26
  Minimum TTL                     52
  Maximum TTL                     53
  Multicast Replication Factor    99
  IsMulticast (1)                 206
  Ingress VRFID (1)               234
  Egress VRFID (1)                235

  Note:
    1. Only sent to collectors configured for V10 format.

Table 83:  MPLS-IPv6 Template

  Field Name                      Field ID
  ------------------------------  --------
  IPv6 Src Addr                   27
  IPv6 Dest Addr                  28
  IPv6 Nexthop                    62
  IPv6 BGP Nexthop                63
  IPv4 Nexthop                    15
  IPv4 BGP Nexthop                18
  Ingress Interface               10
  Egress Interface                14
  Packet Count                    2
  Byte Count                      1
  Start Time                      22
  End Time                        21
  Flow Start Milliseconds (1)     152
  Flow End Milliseconds (1)       153
  Src Port                        7
  Dest Port                       11
  Forwarding Status               89
  TCP control Bits (Flags)        6
  Protocol                        4
  IPv6 Extension Hdr              64
  IPv6 Next Header                193
  IPv6 Flow Label                 31
  TOS                             5
  IP version                      60
  IPv6 ICMP Type & Code           139
  Direction                       61
  BGP Source ASN                  16
  BGP Dest ASN                    17
  IPv6 Src Mask                   29
  IPv6 Dest Mask                  30
  MPLS Top Label Type             46
  MPLS Top Label IPv6 Addr        47
  MPLS Label 1                    70
  MPLS Label 2                    71
  MPLS Label 3                    72
  MPLS Label 4                    73
  MPLS Label 5                    74
  MPLS Label 6                    75
  MPLS Label 7                    76
  MPLS Label 8                    77
  MPLS Label 9                    78
  MPLS Label 10                   79
  MPLS_TOP_LABEL_TYPE             46
  MPLS_TOP_LABEL_ADDR             47
  Minimum IP Total Length         25
  Maximum IP Total Length         26
  Minimum TTL                     52
  Maximum TTL                     53
  Multicast Replication Factor    99
  IsMulticast (1)                 206
  Ingress VRFID (1)               234
  Egress VRFID (1)                235

  Note:
    1. Only sent to collectors configured for V10 format.

Table 84:  Basic MPLS Template

  Field Name                      Field ID
  ------------------------------  --------
  Start Time                      22
  End Time                        21
  Flow Start Milliseconds (1)     152
  Flow End Milliseconds (1)       153
  Ingress Interface               10
  Egress Interface                14
  Packet Count                    2
  Byte Count                      1
  Direction                       61
  MPLS Top Label Type             46
  MPLS Top Label Address          47
  MPLS Label 1                    70
  MPLS Label 2                    71
  MPLS Label 3                    72
  MPLS Label 4                    73
  MPLS Label 5                    74
  MPLS Label 6                    75

  Note:
    1. Only sent to collectors configured for V10 format.

Table 85:  MPLS-IP Template

  Field Name                      Field ID
  ------------------------------  --------
  IPv4 Src Addr                   8
  IPv4 Dest Addr                  12
  IPv4 Nexthop                    15
  IPv6 Src Addr                   27
  IPv6 Dest Addr                  28
  IPv6 Nexthop                    62
  Ingress Interface               10
  Egress Interface                14
  Packet Count                    2
  Byte Count                      1
  Start Time                      22
  End Time                        21
  Flow Start Milliseconds (1)     152
  Flow End Milliseconds (1)       153
  Src Port                        7
  Dest Port                       11
  TCP control Bits (Flags)        6
  IPv4 Protocol                   4
  IPv4 TOS                        5
  IP version                      60
  ICMP Type & Code                32
  Direction                       61
  MPLS Top Label Type             46
  MPLS Top Label IPv4 Addr        47
  MPLS Label 1                    70
  MPLS Label 2                    71
  MPLS Label 3                    72
  MPLS Label 4                    73
  MPLS Label 5                    74
  MPLS Label 6                    75
  MPLS Label 7                    76
  MPLS Label 8                    77
  MPLS Label 9                    78
  MPLS Label 10                   79

  Note:
    1. Only sent to collectors configured for V10 format.

Table 86:  L2-IP (Ethernet) Flow Template

  Field Name (1)                  Field ID
  ------------------------------  --------
  MAC Src Addr                    56
  MAC Dest Addr                   80
  Ingress Physical Interface      252
  Egress Physical Interface       253
  Dot1q VLAN ID                   243
  Dot1q Customer VLAN ID          245
  Post Dot1q VLAN ID              254
  Post Dot1q Customer VLAN ID     255
  IPv4 Src Addr                   8
  IPv4 Dest Addr                  12
  IPv6 Src Addr                   27
  IPv6 Dest Addr                  28
  Packet Count                    2
  Byte Count                      1
  Flow Start Milliseconds         152
  Flow End Milliseconds           153
  Src Port                        7
  Dest Port                       11
  TCP control Bits (Flags)        6
  Protocol                        4
  IPv6 Option Header              64
  IPv6 Next Header                196
  IPv6 Flow Label                 31
  TOS                             5
  IP Version                      60
  ICMP Type Code                  32

  Note:
    1. Only one Ethernet (L2-IP) flow template is supported and exported to IPFIX (V10) collectors.

Table 87:  MPLS-IP Template

  Field Name                      Field ID
  ------------------------------  --------
  Flow Start Milliseconds         152
  Flow End Milliseconds           153
  VRF ID                          234
  Ingress Interface               10
  Packet Count                    2
  Byte Count                      1
  Direction                       61
  MPLS_TOP_LABEL_TYPE             46
  MPLS_TOP_LABEL_ADDR             47
  MPLS Label-1                    70

Table 88:  GRE Flow Template

  Field Name (1)                  Field ID
  ------------------------------  --------
  IPv4 Src Addr (2)               8
  IPv4 Dest Addr (2)              12
  Ingress ID                      252
  Egress ID                       253
  Flow Start Milliseconds         152
  Ingress VRF ID (2)              234
  Egress VRF ID (2)               235
  Protocol (2)                    4
  TOS (2)                         5
  Data Link Frame Size (3)        312
  Section Exported Octets (2)     410
  Data Link Frame Section (2)     315

  Notes:
    1. The field names are exported only to IPFIX (V10) collectors.
    2. The IP fields contain values from the outer GRE IP header.
    3. The Data Link Frame Section field includes the inner IP headers.

6.4.3.5. Specifying Cflowd Options on an IP Interface

When cflowd is enabled on an interface, all packets forwarded by the interface are subject to analysis according to the global cflowd configuration and sorted according to the collector configurations.

See Table 89 for configuration combinations.

When the cflowd-parameters sampling unicast type interface option is configured in the config>router>interface context, the following requirements must be met to enable traffic sampling on the interface:

  1. Cflowd must be enabled.
  2. At least one cflowd collector must be configured and enabled.
  3. The config>router>interface>cflowd-parameters sampling {unicast | multicast} type {acl | interface} [direction {ingress-only | egress-only | both}] command must be performed. By default, the direction is ingress-only.
  4. To prevent certain types of traffic from being sampled when interface sampling is enabled, use the interface-disable-sample command in the config>filter>ip-filter or config>filter>ipv6-filter context. The filter must be applied to the service or network interface on which the traffic to be omitted is to ingress the system.

6.4.3.5.1. Interface Configurations

CLI Syntax:
config>router>if#
cflowd-parameters
     sampling {unicast | multicast} type {acl | interface}
     no sampling {unicast | multicast} type {acl|interface}

Depending on the option selected, either acl or interface, cflowd extracts traffic flow samples from an IP filter or an interface for analysis. All packets forwarded by the interface are analyzed according to the cflowd configuration.

The acl option must be selected to enable traffic sampling on an IP filter. Cflowd (filter-sample) must be enabled in at least one IP filter entry.

The interface option must be selected to enable traffic sampling on an interface. If cflowd is not enabled (no cflowd), traffic sampling will not occur on the interface.

6.4.3.5.2. Service Interfaces

CLI Syntax:
config>router>interface# cflowd-parameters sampling {unicast | multicast} type {acl | interface}

When enabled on a service interface, cflowd collects samples of the traffic flows routed through the router for analysis. Cflowd is supported on IES and VPRN service interfaces only; Layer 2 traffic is excluded. All packets forwarded by the interface are analyzed according to the cflowd configuration. At the interface level, cflowd can be associated with a filter (ACL) or an IP interface. L2 cflowd ingress sampling is supported on VPLS and Epipe SAPs.

6.4.3.6. Specifying Sampling Options in Filter Entries

Packets are matched against filter entries to determine acceptability. With cflowd, only the first packet of a flow is compared. If the first packet matches the filter criteria, an entry is added to the cflowd cache. Subsequent packets in the same flow are also sampled based on the cache entry.

Because a filter can be applied to more than one interface (when configured with a scope template), the interface-disable-sample option is intended to enable or disable traffic sampling on an interface-by-interface basis. The command can be enabled or disabled as needed instead of having to create numerous filter versions.

To enable an interface for filter traffic sampling, the following requirements must be met:

  1. Cflowd must be enabled globally.
  2. At least one cflowd collector must be configured and enabled.
  3. On the IP interface being used, the config>router>interface>cflowd-parameters sampling {unicast | multicast} type acl option must be selected.
  4. On the IP filter being used, the entry>filter-sample option must be explicitly enabled for the entries matching the traffic that should be sampled. The default is no filter-sample. See Filter Configuration for more information.
  5. The filter must be applied to a service or a network interface. The service or port must be enabled and operational.

6.4.3.6.1. Filter Configurations

CLI Syntax:
config>filter>ip-filter>entry#
[no] filter-sample
[no] interface-disable-sample

or

CLI Syntax:
config>filter>ipv6-filter>entry#
[no] filter-sample
[no] interface-disable-sample

When a filter policy is applied to a service or a network interface, sampling can be configured so that traffic matching the associated IP filter entry is sampled when the IP interface is set to cflowd ACL mode and the filter-sample command is enabled. If cflowd is either not enabled (no filter-sample) or set to the cflowd interface mode, sampling does not occur.

When the interface-disable-sample command is enabled, traffic matching the associated IP filter entry is not sampled if the IP interface is set to cflowd ACL mode.

6.4.3.6.2. Dependencies

For cflowd to be operational, the following requirements must be met:

  1. Cflowd must be enabled on a global level. If cflowd is disabled, any traffic sampling instances are also disabled.
  2. At least one collector must be configured and enabled in order for traffic sampling to occur on an enabled entity.
  3. If a specific collector UDP port is not identified, flows are sent to port 2055 by default.

Cflowd also depends on the configuration of the entities it is attached to. The combination of interface and filter entry configurations determines whether flow sampling occurs. Table 89 lists the expected results for each combination.

Table 89:  Cflowd Configuration Dependencies

  Interface Setting             cflowd-parameter type   ip-filter entry Setting   Expected Results
  ----------------------------  ----------------------  ------------------------  ------------------------------------------------------
  IP-filter mode                ACL                     filter-sample             Traffic matching is sampled at the specified rate.
  IP-filter mode                ACL                     no filter-sample          No traffic is sampled on this interface.
  IP-filter mode, or cflowd     ACL                     interface-disable-sample  Command is ignored. No sampling occurs.
    not enabled on interface
  Interface mode                Interface               interface-disable-sample  Traffic matching this IP filter entry is not sampled.
  Interface mode                Interface               none                      All IP traffic ingressing the interface is subject to
                                                                                  sampling.
  Interface mode                Interface               filter-sample             Filter-level action is ignored. All traffic ingressing
                                                                                  the interface is subject to sampling.

6.5. Cflowd Configuration Management Tasks

This section describes cflowd configuration management tasks.

6.5.1. Modifying Global Cflowd Components

Cflowd parameter modifications apply to all instances where cflowd is enabled. Changes are applied immediately. Use the following cflowd commands to modify global cflowd parameters:

CLI Syntax:
config>cflowd#
active-timeout minutes
no active-timeout
cache-size num-entries
no cache-size
[no] enhanced-distribution
export-mode {automatic | manual}
inactive-timeout seconds
no inactive-timeout
overflow percent
no overflow
rate sample-rate
no rate
[no] shutdown
template-retransmit seconds
no template-retransmit

The following example shows the cflowd command syntax to modify configuration parameters:

Example:
config>cflowd# active-timeout 60
config>cflowd# no inactive-timeout
config>cflowd# overflow 2
config>cflowd# rate 10

The following output shows the resulting cflowd configuration:

A:ALA-1>config>cflowd# info 
#------------------------------------------
        active-timeout 60
        overflow 2
        rate 10
#------------------------------------------
A:ALA-1>config>cflowd# 

6.5.2. Modifying Cflowd Collector Parameters

Use the following commands to modify cflowd collector and aggregation parameters:

CLI Syntax:
config>cflowd#
collector ip-address[:port] [version version]
no collector ip-address[:port]
[no] aggregation
[no] as-matrix
[no] destination-prefix
[no] protocol-port
[no] raw
[no] source-destination-prefix
[no] source-prefix
[no] autonomous-system-type [origin | peer]
[no] description description-string
[no] shutdown
template-set {basic | mpls-ip | l2-ip | mpls-transport}

If a specific collector UDP port is not identified, flows are sent to port 2055 by default.

The following example displays basic cflowd modifications:

A:ALA-1>config>cflowd# info
-----------------------------------------
        active-timeout 60
        overflow 2
        rate 10
        collector 10.10.10.1:2000 version 5
            description "AS info collector"
        exit
        collector 10.10.10.2:5000 version 8
            aggregation
                source-prefix
                raw
            exit
            description "Test collector"
        exit
-----------------------------------------
A:ALA-1>config>cflowd#