=======
Netflow
=======

.. sidebar:: Contents

   .. contents::
      :depth: 2
      :local:

The NETFLOW/IPFIX protocol allows you to monitor data flows within an IP network. This protocol allows you to easily observe when, where, and what traffic flows are being processed by the network, as well as identify the entities responsible for processing them. By gaining insight into the behavior of these traffic flows, improvements can be made to the IP network and its actions can be better accounted for.

NETFLOW/IPFIX exports IP flow information in packets, encapsulated in UDP, adhering to a specific format. The particular format used depends on the version of the protocol configured, with options for our devices including NETFLOW version 5, version 9 or IPFIX (Netflow version 10). Additionally, there is an option to encrypt these packets using the Datagram Transport Layer Security (DTLS) protocol before transmitting them.

The UDP packets are received by a collector server, which interprets them and stores flows in a database. The network administrator can then access this database to obtain graphics and statistics on the traffic processed by the router.

.. image:: topology.svg
   :alt: Netflow topology
   :scale: 50%
   :align: center

Regardless of the flow exporting protocol and version used, the router creates an internal flow cache. Each flow consists of a unidirectional group of packets that share the following parameters:

* Source IP address.
* Destination IP address.
* IP protocol.
* Source port (for UDP/TCP/SCTP protocols or type/code for ICMP protocol).
* Destination port (for UDP/TCP/SCTP protocols).
* IP header TOS field.
* Input interface SNMP Index.
* Output interface SNMP Index.

.. note:: If any of these parameters differ, the packet is considered to belong to a different flow.
Configuration
=============

The NETFLOW/IPFIX subsystem processes a packet if it enters the router through an interface where the ``flow ingress`` command is enabled, or if it is sent or forwarded by an interface where the ``flow egress`` command is enabled. These options can be configured using the following commands:

.. code-block:: none

   set interfaces flow ingress [ selector ]
   set interfaces flow egress [ selector ]

Optionally, you can specify a ``traffic selector`` to ensure that only IP packets matching the access list are processed.

.. note:: :doc:`Here <../../routing/traffic/selector/index>` you can find more information about ``traffic selectors``.

To configure NETFLOW/IPFIX you need to use the following command tree:

.. code-block:: none

   set system netflow <...>

The only required option is ``destination``, which indicates the export destination domain name (i.e., the collector). Multiple values can be configured (up to 5 destinations). Options ``local-address``, ``local-interface`` and ``local-vrf`` can be used to configure output options for exported flows. The ``protocol`` option selects the NETFLOW/IPFIX version to be used. By default, IPFIX (version 10) is used.

When the NETFLOW/IPFIX subsystem processes a packet, it searches for a matching flow in the cache. If a match is found, the flow is updated by increasing the packet and byte counters, and the lifetime is refreshed. If no matching flow is found, a new flow is created and added to the cache.

The router exports a flow record when it determines that a flow has expired and is removed from the cache. A flow is considered expired if no packets associated with it have been routed for a specific period of time (15 seconds, by default). This can be customized using the following command:

.. code-block:: none

   set system netflow timeout inactive

Additionally, a flow is considered finished if it has been active for a prolonged duration (30 minutes, by default, although 1 minute is recommended for better resolution and lower delay). This can be changed through the following command:

.. code-block:: none

   set system netflow timeout active

Several configuration options can be enabled in order to collect extra information in the exported flow records.

*Examples:*

* ``app-id`` includes the application ID.
* ``dns-host`` includes the FQDN that dns-inspect picks up.
* ``http-host``, ``http-ref``, ``http-ua`` and ``http-url`` include different HTTP fields.
* ``ssl-server`` includes the SSL Server name.

:ref:`Here `, you can find some examples related to ``system netflow``.

Monitoring
==========

Operational command :osdx:op:`system netflow show status` can be used to display some general NETFLOW information.

*Example:*

.. code-block:: none

   admin@DUT0$ system netflow show status
   ipt_NETFLOW 2.6, srcversion C7171DDDBA03CBB4C9AD070; dir
   Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 6).
   Timeouts: active 1800s, inactive 15s. Maxflows 2000000
   Flows: active 14 (peak 14 reached 0d0h0m ago), mem 494K, worker delay 25/250 [1..25] (100 ms, 0 us, 13:0 [cpu1]).
   Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 334 pkt, 34 K, InPDU 0, 0.
   Rate: 6522 bits/sec, 5 packets/sec; Avg 1 min: 4743 bps, 2 pps; 5 min: 1746 bps, 0 pps
   cpu#     pps; , traffic: , drop:
   Total      5; 0 394 22 [1.00], 0 0 0 0, traffic: 416, 0 MB, drop: 0, 0 K
   cpu0       5; 0 298 17 [1.00], 0 0 0 0, traffic: 315, 0 MB, drop: 0, 0 K
   cpu1       0; 0 96 5 [1.00], 0 0 0 0, traffic: 101, 0 MB, drop: 0, 0 K
   Export: Rate 0 bytes/s; Total 6 pkts, 0 MB, 8 flows; Errors 0 pkts; Traffic lost 0 pkts, 0 Kbytes, 0 flows.
   sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0

It displays information about the protocol version, configuration parameters and flow statistics.

Operational command :osdx:op:`system netflow show stats` can be used to display statistics about processed packets. The ``detailed`` option can also be used to display information about configured ``traffic selectors``.

*Example:*

.. code-block:: none

   admin@DUT0$ system netflow show stats
   --------------------------------------------------------------
   iface    mode      pkts match   pkts eval   bytes match   bytes eval
   --------------------------------------------------------------
   eth3     egress    227          227         28894         28894
   eth3     ingress   370          370         44236         44236
   --------------------------------------------------------------
   Total              597          597         73130         73130

Operational command :osdx:op:`system netflow show flows` can be used to display the flows present in the cache. The ``detailed`` option can also be used to display an extensive report (including additional fields such as flow status, ToS value, TCP flags, IP options, timestamps, etc.).

*Example:*

.. code-block:: none

   admin@DUT0$ system netflow show flows
   -----------------------------
   Field      Description
   -----------------------------
   iif        Input interface
   oif        Output interface
   src        Source IP:PORT
   dst        Destination IP:PORT
   protocol   Protocol identifier
   pkts       Packets counter
   bytes      Bytes counter
   -----------------------------------------------------------------------------
   iif   oif   src                      dst                      protocol   pkts   bytes
   -----------------------------------------------------------------------------
   5     0     192.168.215.40:54791     192.168.215.255:137      137        1      78
   0     5     192.168.213.18:37316     1.0.0.1:2055             2055       1      1284
   5     0     192.168.213.200:17500    192.168.215.255:17500    17500      1      172
   5     0     192.168.215.40:137       192.168.215.255:137      137        6      468
   5     0     0.0.0.0:68               255.255.255.255:67       67         73     26248
   0     5     192.168.213.18:22        192.168.214.239:54334    54334      9      4588
   5     0     0.0.0.0:68               255.255.255.255:67       67         6      1929
   5     0     192.168.214.239:54334    192.168.213.18:22        22         16     1108
   5     0     192.168.215.40:138       192.168.215.255:138      138        3      606
   5     0     192.168.213.19:0         192.168.213.18:2048      2048       254    21336
   5     0     192.168.212.74:62976     255.255.255.255:62976    62976      1      345
   0     5     192.168.213.18:0         192.168.213.19:0         0          337    28308
   5     0     192.168.214.239:59012    192.168.213.18:22        22         1      52
   5     0     169.254.100.100:0        224.0.0.1:4352           4352       1      32
   5     0     192.168.215.243:137      192.168.215.255:137      137        1      78
   5     0     192.168.215.40:57621     192.168.215.255:57621    57621      1      72
   0     5     192.168.213.18:22        192.168.214.239:59012    59012      1      232

Command Summary
===============

.. depth=5 to show traffic policy actions

.. osdx:cmdtree:: cfg
   :maxdepth: 5

   system netflow

.. osdx:cmdtree:: op

   system netflow
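The following is an added example, not part of this documentation nor the router's software: a small Python model of the flow cache behaviour described in the Configuration section. Packets are keyed on the eight flow parameters listed in the introduction, a cache hit updates the counters and refreshes the lifetime, and a flow is exported once the inactive timeout (15 s by default) or the active timeout (30 min by default, lowered here to the recommended 1 min) elapses. The traffic, addresses and timestamps are constructed sample data.

```python
# Added example (not the router's code): a model of the NETFLOW/IPFIX flow cache.
from dataclasses import dataclass, field

# Flow key = the eight parameters listed above; ports carry ICMP type/code for ICMP.
FlowKey = tuple[str, str, int, int, int, int, int, int]  # src, dst, proto, sport, dport, tos, iif, oif

@dataclass
class Flow:
    key: FlowKey
    first_seen: float
    last_seen: float
    pkts: int = 0
    bytes: int = 0

@dataclass
class FlowCache:
    inactive_timeout: float = 15.0      # default of "set system netflow timeout inactive"
    active_timeout: float = 30 * 60.0   # default of "set system netflow timeout active"
    flows: dict[FlowKey, Flow] = field(default_factory=dict)
    exported: list[Flow] = field(default_factory=list)

    def expire(self, now: float) -> None:
        """Export and drop flows idle past the inactive timeout or older than the active timeout."""
        for f in [f for f in self.flows.values()
                  if now - f.last_seen >= self.inactive_timeout
                  or now - f.first_seen >= self.active_timeout]:
            del self.flows[f.key]
            self.exported.append(f)

    def process(self, key: FlowKey, length: int, now: float) -> None:
        """Cache lookup: a hit updates counters and lifetime, a miss creates the flow."""
        self.expire(now)
        flow = self.flows.setdefault(key, Flow(key, now, now))
        flow.pkts += 1
        flow.bytes += length
        flow.last_seen = now

def demo() -> dict:
    """Constructed sample traffic; active timeout lowered to the recommended 1 minute."""
    cache = FlowCache(active_timeout=60.0)
    ssh = ("192.168.214.239", "192.168.213.18", 6, 54334, 22, 0, 5, 0)
    export = ("192.168.213.18", "1.0.0.1", 17, 37316, 2055, 0, 0, 5)
    cache.process(export, 1284, now=0.0)           # a single datagram, then silence
    for t in range(0, 70, 5):                       # SSH packets every 5 s for 70 s
        cache.process(ssh, 100, now=float(t))
    cache.process(ssh[:5] + (8,) + ssh[6:], 100, now=65.0)  # same 5-tuple, other TOS
    return {"exported": [(f.key, f.pkts, f.bytes) for f in cache.exported],
            "active": {k: (f.pkts, f.bytes) for k, f in cache.flows.items()}}
```

In the sample, the export datagram's flow is exported after 15 s of silence, the SSH flow is exported by the active timeout at 60 s (12 packets) and then re-created, and the packet with a different TOS value lands in a separate flow, as the note in the introduction states.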