IPFIX
Internet Protocol Flow Information Export (IPFIX) is an IETF protocol and the name of the IETF working group defining the protocol. It was created based on the need for a common, universal standard of export for Internet Protocol flow information from routers, probes and other devices that are used by mediation systems, accounting/billing systems and network management systems to facilitate services such as measurement, accounting, and billing. The IPFIX standard defines how IP flow information is formatted and transferred from an exporter to a collector.
IPFIX flow exporter
An IPFIX flow exporter is a component that collects and forwards network flow information from the device to a collector or analyzer for further analysis, visualization, and reporting.
Flow information includes information about network traffic such as source and destination IP addresses, ports, protocol types, packet and byte counts, timestamps, and other relevant metadata. IPFIX flow exporters can be configured with various filtering and sampling options to reduce the amount of data that is exported, thus improving scalability and efficiency.
Commands
- flow exporter
The flow exporter command is used to configure and define the parameters of an IP Flow Information Export (IPFIX) exporter.
The flow exporter command enters the flow-exporter configuration mode. In this mode, several commands can be used to configure the exporter.
- destination A.B.C.D
The destination command is used in the configuration of a flow exporter in IPFIX (Internet Protocol Flow Information Export) to specify the IP address of the system where the flow records will be sent.
A.B.C.D: The IP address of the system where the flow records will be sent.
- source A.B.C.D
Set IPFIX flow packets source. This address should be valid on the router.
A.B.C.D: The IP address that is used as IPFIX flow packets source in header.
- transport udp (1-65535)
The command is used to specify the transport protocol to be used for exporting IPFIX data.
(1-65535): The port number to be used for the UDP transport protocol. This can be any value between 1 and 65535.
Note
Default value is 4739.
IPFIX flow monitor
IPFIX flow definitions
Commands
- flow monitor
Enter flow monitor configuration mode
- cache timeout active (1-604800)
It sets the maximum number of seconds that a flow record can remain in the active cache before being aged out. When a cache entry is aged out, it is exported.
(1-604800): is the number of seconds (in the range of 1 to 604800) that a flow record can remain in the active cache.
Note
Default value is 120
- cache timeout inactive (1-604800)
The command is used to set the maximum amount of time an inactive flow can remain in the IPFIX cache. If the inactive timeout period expires, the flow is removed from the cache.
(1-604800): specifies the timeout value in seconds. The minimum value is 1 second and the maximum value is 604800 seconds (7 days).
Note
Default value is 20
- record netflow <ipv4|ipv6> prefix-port
Start recording flows information containing 5-tuple of
source address,destination address,protocol,source port,anddestination port.
- no record netflow <ipv4|ipv6> prefix-port
stop recording flows information
- ip flow monitor {output|input}
Apply flow monitor on an interface.
input: Collect the flows of the ingress traffic.output: Collect the flows of the egress traffic.
- no ip flow monitor {output|input}
Remove flow monitor from an interface.
Logging
Debugging logs can be set in case of need.
- [no] debug ipfix event
log data plane installation processes and results
Setup IPFIX
To setup IPFIX, one needs to do three things:
Define flow exporter
Define flow monitor
Apply monitor on 1 or more interfaces to collect data
Example configuration
soodar(config)# interface ge3
soodar(config-if)# ip address 192.168.1.10/24
soodar(config-if)# flow exporter
soodar(config-flow-exporter)# destination 192.168.1.20
soodar(config-flow-exporter)# source 192.168.1.10
soodar(config-flow-exporter)# transport udp 15200
soodar(config-flow-exporter)# flow monitor
soodar(config-flow-monitor)# cache timeout active 1800
soodar(config-flow-monitor)# cache timeout inactive 15
soodar(config-flow-monitor)# record netflow ipv4 prefix-port
soodar(config-flow-monitor)# interface ge0
soodar(config-if)# ip flow monitor output