Traffic Flow Monitoring with Cflowd
Cflowd monitors traffic flowing through vEdge routers in the overlay network and exports flow information to a collector, where it can be processed by an IPFIX analyzer. For a traffic flow, cflowd periodically sends template reports to the flow collector. These reports contain information about the flow and data extracted from the IP headers of the packets in the flow.
The Viptela cflowd software implements cflowd version 10, as specified in RFC 7011 and RFC 7012. Cflowd version 10 is also called the IP Flow Information Export (IPFIX) protocol.
Cflowd performs 1:1 sampling. Information about all flows is aggregated in the cflowd records; flows are not sampled. vEdge routers do not cache any of the records that are exported to a collector.
Components of Cflowd
In the Viptela overlay network, you configure cflowd using centralized data policy. As part of the policy, you specify the location of the collector. By default, flow information is sent to the collector every 60 seconds. You can modify this and other timers related to how often cflowd templates are refreshed and how often a traffic flow times out.
You can configure a maximum of four cflowd policies. The Viptela software can export template records to a maximum of four cflowd collectors. When you configure a new data policy that changes which flows are sampled, the software allows the old flows to expire gracefully rather than deleting them all at once.
The vEdge router exports template records and data records to a collector. The template record is used by the collector to parse the data record information that is exported to it. Option templates are not supported. The source IP address for the packet containing the IPFIX records is randomly selected from any of the interfaces in the VPN. The flow records are exported via TCP or UDP connections. Records are not anonymized and the export is not TLS-encrypted, because it is assumed that the collector and the IPFIX analyzer are both located within the data center, and traffic traveling within the data center is assumed to be safe.
IPFIX Information Elements Exported to the Collector
The Viptela cflowd software exports the following 22 IPFIX information elements to the cflowd collector. These information elements are a subset of those defined in RFC 7012 and maintained by IANA. The elements are exported in the order listed. You cannot modify the information elements that are exported, nor can you change the order in which they appear.
Information Element | Element ID | Description | Data Type | Data Type Semantics | Units or Range |
---|---|---|---|---|---|
VPN Identifier | Enterprise specific | Viptela VPN identifier. Viptela uses the enterprise ID for VIP_IANA_ENUM or 41916, and the VPN element ID is 4321. | unsigned32 (8 bytes) | identifier | 0 through 65535 |
sourceIPv4Address | 8 | IPv4 source address in the IP packet header. | ipv4Address (4 bytes) | default | — |
destinationIPv4Address | 12 | IPv4 destination address in the IP packet header. | ipv4Address (4 bytes) | default | — |
ipDiffServCodePoint | 195 | Value of a Differentiated Services Code Point (DSCP) encoded in the Differentiated Services field. This field spans the most significant 6 bits of the IPv4 TOS field. | unsigned8 | identifier | 0 through 63 |
destinationTransportPort | 11 | Destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header. | unsigned16 (2 bytes) | identifier | — |
sourceTransportPort | 7 | Source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header. | unsigned16 (2 bytes) | identifier | — |
protocolIdentifier | 4 | Value of the protocol number in the Protocol field of the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry. | unsigned8 | identifier | — |
flowStartSeconds | 150 | Absolute timestamp of the first packet of this flow. | dateTimeSeconds (4 bytes) | — | — |
flowEndSeconds | 151 | Absolute timestamp of the last packet of this flow. | dateTimeSeconds (4 bytes) | — | — |
octetTotalCount | 85 | Total number of octets in incoming packets for this flow at the observation point since initialization or re-initialization of the metering process for the observation point. The count includes the IP headers and IP payload. | unsigned64 (8 bytes) | totalCounter | Octets |
octetDeltaCount | 1 | Number of octets since the previous report in incoming packets for this flow at the observation point. This number includes IP headers and IP payload. | unsigned64 (8 bytes) | deltaCounter | Octets |
packetTotalCount | 86 | Total number of incoming packets for this flow at the observation point since initialization or re-initialization of the metering process for the observation point. | unsigned64 (8 bytes) | totalCounter | Packets |
packetDeltaCount | 2 | Number of incoming packets since the previous report for this flow at this observation point. | unsigned64 (8 bytes) | deltaCounter | Packets |
tcpControlBits | 6 | TCP control bits observed for the packets of this flow. This information is encoded as a bit field; each TCP control bit has a bit in this set. The bit is set to 1 if any observed packet of this flow has the corresponding TCP control bit set to 1. Otherwise, the bit is set to 0. For values of this field, see the IANA IPFIX web page. | unsigned16 (2 bytes) | flags | — |
maximumIpTotalLength | 26 | Length of the largest packet observed for this flow. The packet length includes the IP headers and IP payload. | unsigned64 (8 bytes) | — | Octets |
minimumIpTotalLength | 25 | Length of the smallest packet observed for this flow. The packet length includes the IP headers and IP payload. | unsigned64 (8 bytes) | — | Octets |
ipNextHopIPv4Address | 15 | IPv4 address of the next IPv4 hop. | ipv4Address (4 bytes) | default | — |
egressInterface | 14 | Index of the IP interface where packets of this flow are being sent. | unsigned32 (8 bytes) | default | — |
ingressInterface | 10 | Index of the IP interface where packets of this flow are being received. | unsigned32 (8 bytes) | identifier | — |
icmpTypeCodeIPv4 | 32 | Type and Code of the IPv4 ICMP message. The combination of both values is reported as (ICMP type * 256) + ICMP code. | unsigned16 (4 bytes) | identifier | — |
flowEndReason | 136 | Reason for the flow termination. For values of this field, see the IANA IPFIX web page. | unsigned8 | identifier | — |
ipClassOfService | 5 | Value of type of service (TOS) field in the IPv4 packet header. | unsigned8 (1 byte) | identifier | — |
ipPrecedence | 196 | Value of IP precedence. This value is encoded in the first 3 bits of the IPv4 TOS field. | unsigned8 (1 byte) | flags | 0 through 7 |
paddingOctets | 210 | Value of this Information Element is always a sequence of 0x00 values. | octetArray | default | — |
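
How a collector uses the template record to parse data records that carry elements from the table above, with the message and set lengths checked before anything is decoded, since the export is neither authenticated nor encrypted. This is an added example, not Viptela's code or any collector's own; the function names, the sample message and the field lengths in its template are constructed for illustration, and only fixed-length fields are handled.

```python
import struct

VIPTELA_PEN, VPN_ELEMENT_ID = 41916, 4321  # enterprise ID and VPN element ID from the table

def read_templates(body, templates):  # templates[ID] = [(enterprise, element ID, length), ...]
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        pos, fields = pos + 4, []
        for _ in range(count):
            ie, flen = struct.unpack_from("!HH", body, pos)
            pos, pen = pos + 4, 0
            if ie & 0x8000:  # enterprise bit set: a 4-byte enterprise number follows
                pen, pos = struct.unpack_from("!I", body, pos)[0], pos + 4
            fields.append((pen, ie & 0x7FFF, flen))
        if tid >= 256 and fields:  # skip set padding and template withdrawals
            templates[tid] = fields

def read_data(body, fields):  # fixed-length records keyed by (enterprise, element ID)
    size, out = sum(flen for _, _, flen in fields), []
    for pos in range(0, len(body) - size + 1, size):
        rec = {}
        for pen, ie, flen in fields:
            rec[(pen, ie)], pos = int.from_bytes(body[pos:pos + flen], "big"), pos + flen
        out.append(rec)
    return out

def parse_ipfix(msg, templates):
    """Validate one IPFIX message, learn its templates, return decoded data records."""
    if len(msg) < 16 or struct.unpack_from("!HH", msg) != (10, len(msg)):
        raise ValueError("not IPFIX version 10, or length field does not match")
    records, off = [], 16
    while off + 4 <= len(msg):
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > len(msg):
            raise ValueError("set length runs past the message")
        if set_id == 2:  # template set
            read_templates(msg[off + 4:off + set_len], templates)
        elif set_id in templates:  # data set whose template is already known
            records += read_data(msg[off + 4:off + set_len], templates[set_id])
        off += set_len
    return records

def sample_message():  # constructed: template 256, then one ICMP echo-request flow in VPN 10
    tmpl = struct.pack("!HHHHI", 256, 5, 0x8000 | VPN_ELEMENT_ID, 4, VIPTELA_PEN)
    tmpl += struct.pack("!8H", 8, 4, 12, 4, 4, 1, 32, 2)  # (element ID, length) pairs
    data = struct.pack("!IIIBH", 10, 0x0A000001, 0xC0000207, 1, 8 * 256 + 0)
    sets = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(sets), 0, 0, 1) + sets
```

Data sets that arrive before their template are skipped, and a truncated template raises `struct.error` rather than `ValueError`.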
Additional Information
Cflowd Traffic Flow Monitoring Configuration Example
Configuring Cflowd Traffic Flow Monitoring