Figure: Basic cflowd steps shows the basic operation of the cflowd feature. This sampled flow is only used to describe the basic steps that are performed. It is not intended to specify implementation.
As a packet ingresses a port, a decision is made to sample it or not for cflowd.
The original packet is processed for forwarding as normal and the cflowd sample is sent for processing. If a packet is discarded because of filter actions, an indicator is sent with the cflowd sample to the processing agent.
If a new flow is found, a new entry is added to the cache. If the flow already exists in the cache, the flow statistics are updated.
If a new flow is detected and the flow cache already holds the maximum number of entries, the earliest expiry entry is removed. The earliest expiry entry/flow is the flow that is next to expire because of the active or inactive timer.
If a flow has been inactive for a period of time equal to or greater than the inactive timer (default 15 s), the entry is removed from the flow cache.
If a flow has been active for a period of time equal to or greater than the active timer (default 30 min), the entry is removed from the flow cache.
When a flow is exported from the cache, the collected data is sent to an external collector, which maintains an accumulation of historical data flows that network operators can use to analyze traffic patterns.
Data is exported in one of the following formats:
Version 5
Generates a fixed export record for each individual flow captured.
Version 8
Aggregates multiple individual flows into a fixed aggregate record.
Version 9
Generates a variable export record, depending on user configuration and sampled traffic type (IPv4, IPv6, or MPLS), for each individual flow captured.
Version 10 (IPFIX)
Generates a variable export record, depending on user configuration and sampled traffic type (IPv4, IPv6, or MPLS), for each individual flow captured.
Figure: V5, V8, V9, V10, and flow processing shows V5, V8, V9, and V10 flow processing.
As flows are expired from the active flow cache, the export format must be determined: V5, V8, V9, or V10.
If the export format is V5, V9, or V10, no further processing is performed and the flow data is accumulated to be sent to the external collector.
If the export format is V8, the flow entry is added to one or more of the configured aggregation matrices.
As the entries within the aggregate matrices are aged out, they are accumulated to be sent to the external flow collector in V8 format.
The sample rate and cache size are configurable values. The cache size default is 64K flow entries.
A flow terminates when one of the following conditions is met:
When the inactive timeout period expires (default: 15 s). A flow is considered terminated when no packets are seen for the flow for n seconds.
When an active timeout expires (default: 30 s). Default active timeout is 30 min. A flow terminates according to the time duration, regardless of whether there are packets coming in for the flow.
When the user executes a clear cflowd command.
When other conditions are met that cause flows to be aged aggressively as the cache becomes too full (such as overflow percent).
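The cache steps and termination conditions above (new entry or statistics update, earliest-expiry removal when the cache is full, inactive and active timers), as an added Python model that is not the router's implementation. The string flow keys, the class and function names, the tiny cache size, and the recording of removed entries as exported are assumptions made for the illustration.

```python
from dataclasses import dataclass

INACTIVE_TIMEOUT = 15       # seconds (default given on the page)
ACTIVE_TIMEOUT = 30 * 60    # seconds (default given on the page: 30 min)

@dataclass
class Flow:
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0

    def expiry(self):  # time at which whichever timer fires first removes the entry
        return min(self.first_seen + ACTIVE_TIMEOUT, self.last_seen + INACTIVE_TIMEOUT)

class FlowCache:
    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.flows = {}       # flow key -> Flow
        self.exported = []    # (reason, key, Flow); export on removal is assumed

    def _remove(self, key, reason):
        self.exported.append((reason, key, self.flows.pop(key)))

    def expire(self, now):
        for key, flow in list(self.flows.items()):
            if now - flow.last_seen >= INACTIVE_TIMEOUT:
                self._remove(key, "inactive")
            elif now - flow.first_seen >= ACTIVE_TIMEOUT:
                self._remove(key, "active")

    def sample(self, now, key, length):
        self.expire(now)
        flow = self.flows.get(key)
        if flow is None:
            if len(self.flows) >= self.max_entries:  # full: evict earliest expiry
                victim = min(self.flows, key=lambda k: self.flows[k].expiry())
                self._remove(victim, "cache-full")
            flow = self.flows[key] = Flow(first_seen=now, last_seen=now)
        flow.last_seen = now
        flow.packets += 1
        flow.octets += length

def demo():
    cache = FlowCache(max_entries=2)
    a, b, c = "host-a:443", "host-b:53", "host-c:22"   # constructed flow keys
    for now, key, length in [(0, a, 100), (5, b, 80), (10, a, 1500), (12, c, 60),
                             (20, c, 60), (26, c, 60)] + [(t, c, 60) for t in range(30, 1830, 10)]:
        cache.sample(now, key, length)
    return cache
```

In the constructed trace, flow c never goes idle, so it is cut by the active timer alone and immediately reappears as a new cache entry; a collector therefore sees one long-lived conversation as several consecutive records.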