Skip to main content
Cisco SD-WAN
Support
Product Documentation
Viptela Documentation

Traffic Flow Monitoring with Cflowd

Cflowd monitors traffic flowing through vEdge routers in the overlay network and exports flow information to a collector, where it can be processed by an IPFIX analyzer. For a traffic flow, cflowd periodically sends template reports to flow collector. These reports contain information about the flow and data extracted from the IP headers of the packets in the flow.

The Viptela cflowd software implements cflowd version 10, as specified in RFC 7011 and RFC 7012. Cflowd version 10 is also called the IP Flow Information Export (IPFIX) protocol.

s00111.png

Cflowd performs 1:1 sampling. Information about all flows is aggregated in the cflowd records; flows are not sampled. vEdge routers do not cache any of the records that are exported to a collector.

Components of Cflowd

​In the Viptela overlay network, you configure cflowd using centralized data policy. As part of the policy, you specify the location of the collector. By default, flow information is sent to the collector every 60 seconds. You can modify this and other timers related to how often cflowd templates are refreshed and how often a traffic flow times out.​

You can configure a maximum of four cflowd policies. The Viptela software can export template records to a maximum of four cflowd collectors. When you configure a new data policy that changes which flows are sampled, the software allows the old flows to expire gracefully rather than deleting them all at once.

The vEdge router exports template records and data records to a collector. The template record is used by the collector to parse the data record information that is exported to it. Option templates are not supported. The source IP address for the packet containing the IPFIX records is randomly selected from any of the interfaces in the VPN. The flow records are exported via TCP or UDP connections. Anonymization of records and TLS encryption are not performed, because it is assumed that the collector and the IPFIX analyzer are both located within the data center, traffic traveling within the data center is assumed to be safe.

IPFIX Information Elements Exported to the Collector

The Viptela cflowd software exports the following 22 IPFIX information elements to the cflowd collector. These information elements are a subset of those defined in RFC 7012 and maintained by IANA. The elements are exported in the order listed. You cannot modify the information elements that are exported, nor can you change the order in which they appear.

Information Element

Element ID

Description

Data Type

Data Type Semantics

Units or Range

VPN Identifier

Enterprise specific

Viptela VPN identifier. Viptela uses the enterprise ID for VIP_IANA_ENUM or 41916, and the VPN element ID is 4321.

unsigned32 (8 bytes)

identifier

0 through 65535

sourceIPv4Address

8

IPv4 source address in the IP packet header.

ipv4Address (4 bytes)

default

destinationIPv4Address

12

IPv4 destination address in the IP packet header.

IPv4Address (4 bytes)

default

ipDiffServCodePoint

195

Value of a Differentiated Services Code Point (DSCP) encoded in the Differentiated Services field. This field spans the most significant 6 bits of the IPv4 TOS field.

unsigned8
(1 byte)

identifier

0 through 63

destinationTransportPort

11

Destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header.

unsigned16 (2 bytes)

identifier

sourceTransportPort

7

Source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header.

unsigned16 (2 bytes)

identifier

protocolIdentifier

4

Value of the protocol number in the Protocol field of the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry.

unsigned8
(1 byte)

identifier

flowStartSeconds

150

Absolute timestamp of the first packet of this flow.

dateTime-Seconds (4 bytes)

flowEndSeconds

151

Absolute timestamp of the last packet of this flow.

dateTime- Seconds (4 bytes)

octetTotalCount

85

Total number of octets in incoming packets for this flow at the observation point since initialization or re-initialization of the metering process for the observation point. The count includes the IP headers and IP payload.

unsigned64 (8 bytes)

totalCounter

Octets

octetDeltaCount

1

Number of octets since the previous report in incoming packets for this flow at the observation point. This number includes IP headers and IP payload.

unsigned 64 (8 bytes)

deltaCounter

Octets

packetTotalCount

86

Total number of incoming packets for this flow at the observation point since initialization or re-initialization of the metering process for the observation point.

unsigned64 (8 bytes)

totalCounter

Packets

packetDeltaCount

2

Number of incoming packets since the previous report for this flow at this observation point.

unsigned64 (8 bytes)

deltaCounter

Packets

tcpControlBits

6

TCP control bits observed for the packets of this flow. This information is encoded as a bit field; each TCP control bit has a bit in this set. The bit is set to 1 if any observed packet of this flow has the corresponding TCP control bit set to 1. Otherwise, the bit is set to 0. For values of this field, see the IANA IPFIX web page.

unsigned16 (2 bytes)

flags

maximumIpTotalLength

26

Length of the largest packet observed for this flow. The packet length includes the IP headers and IP payload.

unsigned64 (8 bytes)

Octets

minimumIpTotalLength

25

Length of the smallest packet observed for this flow. The packet length includes the IP headers and IP payload.

unsigned64 (8 bytes)

Octets

ipNextHopIPv4Address

15

IPv4 address of the next IPv4 hop.

IPv4Address (4 bytes)

default

egressInterface

14

Index of the IP interface where packets of this flow are being sent.

unsigned32 (8 bytes)

default

ingressInterface

10

Index of the IP interface where packets of this flow are being received.

unsigned32 (8 bytes)

identifier

icmpTypeCodeIPv4

32

Type and Code of the IPv4 ICMP message. The combination of both values is reported as (ICMP type * 256) + ICMP code.

unsigned16 (4 bytes)

identifier

flowEndReason

136

Reason for the flow termination. For values of this field, see the IANA IPFIX web page

unsigned8
(1 byte)

identifier

ipClassOfService 5 Value of type of service (TOS) field in the IPv4 packet header. unsigned8 (1 byte) identifier

ipPrecedence 196 Value of IP precedence. This value is encoded in the first 3 bits of the IPv4 TOS field. unsigned8 (1 byte) flags 0 through 7

paddingOctets

210

Value of this Information Element is always a sequence of 0x00 values.

octetArray

default

  • Was this article helpful?