Implementing IPFIX 315

This module describes the concepts and tasks related to Internet Protocol Flow Information Export (IPFIX) 315. IPFIX is an IETF standard export protocol for sending IP flow information.

Table 1. Feature History for Implementing System Logging

Release          Modification
Release 6.2.1    IPFIX 315 feature was introduced.

IP Flow Information Export (IPFIX) 315

Internet Protocol Flow Information Export (IPFIX) is an IETF standard export protocol (RFC 7011) for sending IP flow information. Cisco NCS 5000 Router supports the IPFIX 315 format to export flow information. The IPFIX 315 format facilitates sending 'n' octets of frame information, starting from the Ethernet header up to the transport header of the traffic flow, over the network. IPFIX 315 supports sending variable-size packet records with variable payload information such as IPv4, IPv6, MPLS, and nested packets like OuterIP-GRE-InnerIP. The process includes sampling and exporting the traffic flow information. Along with the Ethernet frame information, the IPFIX 315 format exports the incoming and outgoing interface of the sampled packet.

The information about the packets flowing through a device is used for a variety of purposes, including network monitoring, capacity planning, and traffic management.


Note

Cisco NCS 5000 Router does not support Netflow version 9 format to export flow information.


Sampling and Exporting Information

You must configure a sampler map to sample the traffic flow information. The sampler map specifies the rate at which packets (one out of n packets) are sampled. The minimum sampling rate is 1 out of 32,000 packets. Not all packets flowing through a device are exported; only packets selected according to the sampling rate are considered for exporting.

The size of the exported packet depends on the sampled packet size and the location of the payload L4 header. The exported packet size is:

  • 160 bytes, if the sampled packet size is more than 160 bytes and payload L4 header is not obtained within first 160 bytes

  • length of the sampled packet until the payload L4 header, if the payload L4 header is obtained within 160 bytes

  • equal to length of the packet, if packet size is less than 160 bytes and the payload L4 header is not obtained within first 160 bytes

The below figure IPFIX 315 Export Packet Format shows exported packet information.

Figure 1. IPFIX 315 Export Packet Format
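
A collector-side view of the export described above, as an added example (not Cisco code): a minimal Python parser for IPFIX messages (RFC 7011) that extracts information element 315 (dataLinkFrameSection) together with the interface fields. The template in the constructed sample (ingressInterface 10, egressInterface 14, then a variable-length element 315) is an assumption, since the figure's exact layout is not reproduced here; the parser itself reads whatever template the exporter sends.

```python
import struct

IE_NAMES = {10: "ingressInterface", 14: "egressInterface", 315: "dataLinkFrameSection"}

def read_templates(body, templates):
    pos = 0
    while pos + 4 <= len(body):  # anything shorter than a record header is padding
        tid, count = struct.unpack_from("!HH", body, pos)
        pos, fields = pos + 4, []
        for _ in range(count):
            fields.append(struct.unpack_from("!HH", body, pos))
            pos += 8 if fields[-1][0] & 0x8000 else 4  # enterprise IEs add a 4-byte PEN
        templates[tid] = fields

def read_records(body, fields):
    out, pos = [], 0
    min_len = sum(1 if flen == 0xFFFF else flen for _, flen in fields)
    while min_len and len(body) - pos >= min_len:  # a shorter tail is set padding
        rec = {}
        for ie, flen in fields:
            if flen == 0xFFFF:  # variable length: 1-byte size, or 255 then a 2-byte size
                flen, pos = body[pos], pos + 1
                if flen == 255:
                    flen, pos = struct.unpack_from("!H", body, pos)[0], pos + 2
            if pos + flen > len(body):
                raise ValueError("field runs past end of set")
            rec[IE_NAMES.get(ie, f"ie{ie}")], pos = body[pos:pos + flen], pos + flen
        out.append(rec)
    return out

def parse_ipfix(msg, templates):  # templates: dict the caller keeps across messages
    if len(msg) < 16 or struct.unpack_from("!HH", msg) != (10, len(msg)):
        raise ValueError("not a well-formed IPFIX message")
    records, pos = [], 16
    while pos + 4 <= len(msg):
        set_id, set_len = struct.unpack_from("!HH", msg, pos)
        if set_len < 4 or pos + set_len > len(msg):
            raise ValueError("bad set length")
        body = msg[pos + 4:pos + set_len]
        if set_id == 2:
            read_templates(body, templates)
        elif set_id >= 256 and set_id in templates:
            records += read_records(body, templates[set_id])
        pos += set_len
    return records

# Constructed sample: template 256 (ingressInterface, egressInterface, IE 315), one record
SAMPLE = bytes.fromhex("000a0054000000000000000000000001"  # header: version 10, 84 bytes
    "0002001401000003000a0004000e0004013bffff"              # template set
    "0100003000000007000000092200112233445566778899aabb080045" + "00" * 20)  # data set
```

A frame section longer than the 160-byte limit described above, or a `ValueError`, `struct.error` or `IndexError` raised by the parser, indicates a malformed or unexpected datagram that a collector should drop and count.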

A special cache type called Immediate Aging is used while exporting the packets. Immediate Aging ensures that the flows are exported as soon as they are added to the cache. Use the command cache immediate in flow monitor map configuration to enable Immediate Aging cache type.

IPFIX 315 Implementation Considerations

Here are a few key points to consider before implementing IPFIX 315:

  • Supported only in ingress direction.

  • Supported on main interface only. The traffic on all sub-interfaces under the main interface is exported.

  • Sampling rate for bundles is per member-link and not per bundle interface.

  • The outgoing interface information may not be correct in case of packets that are multicast or broadcast on multiple ports.

  • The incoming and outgoing interface will have information of the main interface and not the sub-interface, even if the packet is routed via a sub-interface. In case of bundles, it will point to the bundle main interface.

  • IPFIX 315 is not supported on BVI interface.

  • Sampling and exporting of the control packets is not supported.

  • When you configure ipfix315-enable, then you must configure all the ports on that LC with datalinkframesection flow.

  • When the HQoS profile is enabled, Netflow does not give correct Output Interface. DSP is unique for each sub-interface.

  • Netflow on the L2 interface assumes IPv4/IPv6/MPLS traffic, and if the traffic is purely L2 based, then the system ignores that traffic.

  • You must remove all v9 configurations before reloading an LC. Otherwise, with the existing v9 configurations present on LC reload, you might encounter a few configuration apply errors, or a flow might be seen on an interface even when applying it on the interface has failed.

Configuring IPFIX 315

Configuring IPFIX 315 involves:

  1. Configuring Exporter map

  2. Configuring Monitor map

  3. Configuring Sampler map

  4. Applying the Monitor map and Sampler map to an interface

Configuring Exporter map

flow exporter-map ipfix_exp
 version ipfix
 !
 dscp 40
 transport udp 9001
 source Loopback1
 destination 100.10.1.159
!

Configuring Monitor map

flow monitor-map ipfix_mon
 record datalinksectiondump
 exporter ipfix_exp
 cache immediate
 cache entries 1000000
 cache timeout rate-limit 1000000
!

Configuring Sampler map

sampler-map ipfix_sm
 random 1 out-of 32000
!

Note

The default cache size is 65535, hence you can configure the sampling rate as 1 out of 65535 packets. However, the recommended sampling rate is 1 out of 32000 packets.


Applying the Monitor map to an interface

interface HundredGigE 0/0/0/18
 flow datalinkframesection monitor ipfix_mon sampler ipfix_sm ingress

Verification

Use the show flow platform producer statistics location command to display the sampled and exported flow statistics:

RP/0/RP0/CPU0#show flow platform producer statistics location 0/RP0/CPU0 
Netflow Platform Producer Counters:
Ethernet Packets:                        1152
Drops (no space):                           0
Drops (other):                              0
Unknown Ingress Packets:                    0
Worker waiting:                             0
SPP Packets:                             1102
Flow Packets:                            1152
Flow Packets per SPP Frame:                 1

Use the show flow monitor <monitor-map> cache location command to check the flow monitor statistics. In this example, flow statistics for the ipfix_mon monitor map are displayed:

RP/0/RP0/CPU0#show flow monitor ipfix_mon cache location 0/RP0/CPU0

Cache summary for Flow Monitor ipfix_mon:
Cache size:                        1000000
Current entries:                         0
Flows added:                          1152
Flows not added:                         0
Ager Polls:                             48
  - Active timeout                       0
  - Inactive timeout                     0
  - Immediate                         1152 /*cache type immediate*/
  - TCP FIN flag                         0
  - Emergency aged                       0
  - Counter wrap aged                    0
  - Total                             1152
Periodic export:
  - Counter wrap                         0
  - TCP FIN flag                         0
Flows exported                        1152

The above example shows that 1152 flows were added to the cache and exported.