Netflow
This scenario shows how to configure and use Netflow on OSDx.
Simple Netflow
Description
Netflow is configured in DUT0 (exporter) and DUT1 acts as a collector. DUT0 exports incoming and outgoing TCP traffic towards DUT1.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.2/24
set system conntrack app-detect
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic selector TCP_SEL rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.1/24
set system conntrack app-detect
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Run command system conntrack clear at DUT1.
Step 4: Modify the following configuration lines in DUT0:

set interfaces ethernet eth0 flow egress selector TCP_SEL
set interfaces ethernet eth0 flow ingress selector TCP_SEL
set system netflow app-id
set system netflow destination 10.0.0.1
set system netflow engine-id 1111
Step 5: Ping IP address 10.0.0.1 from DUT0:

admin@DUT0$ ping 10.0.0.1 count 1 size 56 timeout 1

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.245 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.245/0.245/0.245/0.000 ms
Step 6: Run command system conntrack show at DUT1 and check if output matches the following regular expressions:

src=10.0.0.2\sdst=10.0.0.1.*dport=2055\spackets=\d+\s

udp 17 29 src=10.0.0.2 dst=10.0.0.1 sport=38185 dport=2055 packets=4 bytes=584 [UNREPLIED] src=10.0.0.1 dst=10.0.0.2 sport=2055 dport=38185 packets=0 bytes=0 mark=0 use=1 appdetect[L4:2055]
icmp 1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=289 packets=1 bytes=84 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=289 packets=1 bytes=84 mark=0 use=1 appdetect[L3:1]
conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
Step 7: Ping IP address 10.0.0.1 from DUT0:

admin@DUT0$ ping 10.0.0.1 count 1 size 56 timeout 1

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.251 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.251/0.251/0.251/0.000 ms
Step 8: Run command system netflow show flows detailed at DUT0 and check if output does not match the following regular expressions:

10.0.0.2:\d+\s+10.0.0.1:\d+\s*\d*\s*\d+[^\[]*\[L4:8080\]

------------------------------------------------------------------------------------------
Field       Description
------------------------------------------------------------------------------------------
#           Numeric flow identifier
hash        Hash of the flow
a           Shows if the flow is pending of being exported
iif         Input interface
oif         Output interface
src         Source IP:PORT
dst         Destination IP:PORT
protocol    Protocol identifier
nexthop     Next-hop [Layer 4:Port]
tos         Type of service identificator
tcpflags    TCP flags
options     Optional IP options
tcpoptions  TCP Options (MSS, Window Scaling, Selective Acknowledgements, Timestamps, Nop)
pkts        Packets counter
bytes       Bytes counter
ts_first    Timestamp of fist packet that passed through the flow
ts_last     Timestamp of last packet that passed through the flow

---------------------------------------------------------------------------------------------------------------------
#  hash  a  iif  oif  src  dst  protocol  nexthop  tos  tcpflags  options  tcpoptions  pkts  bytes  ts_first  ts_last
---------------------------------------------------------------------------------------------------------------------
Step 9: Run command system netflow show status at DUT0 and check if output matches the following regular expressions:

Protocol\sversion\s10\s\(ipfix\)
Export:.*Errors 0 pkts
sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr 0, other 0

ipt_NETFLOW 2.6, srcversion C7171DDDBA03CBB4C9AD070; dir
Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1).
Timeouts: active 1800s, inactive 15s. Maxflows 2000000
Flows: active 0 (peak 2 reached 0d0h0m ago), mem 491K, worker delay 25/250 [1..25] (76 ms, 0 us, 0:0 [cpu1]).
Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 0 pkt, 0 K, InPDU 0, 0.
Rate: 0 bits/sec, 0 packets/sec; Avg 1 min: 644 bps, 0 pps; 5 min: 210 bps, 0 pps
cpu# pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
Total 0; 0 68 8 [1.00], 0 0 0 0, traffic: 76, 0 MB, drop: 0, 0 K
cpu0 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K
cpu1 0; 0 68 8 [1.00], 0 0 0 0, traffic: 76, 0 MB, drop: 0, 0 K
cpu2 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K
cpu3 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K
Export: Rate 106 bytes/s; Total 26 pkts, 0 MB, 8 flows; Errors 0 pkts; Traffic lost 0 pkts, 0 Kbytes, 0 flows.
sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0
Step 10: Initiate a TCP connection from DUT0 to DUT1 and try to send some messages between both endpoints:

admin@DUT1$ monitor test connection server 8080 tcp
admin@DUT0$ monitor test connection client 10.0.0.1 8080 tcp
Step 11: Run command system netflow show flows detailed at DUT0 and check if output matches the following regular expressions:

10.0.0.2:\d+\s+10.0.0.1:\d+\s*\d*\s*\d+[^\[]*\[L4:8080\]

------------------------------------------------------------------------------------------
Field       Description
------------------------------------------------------------------------------------------
#           Numeric flow identifier
hash        Hash of the flow
a           Shows if the flow is pending of being exported
iif         Input interface
oif         Output interface
src         Source IP:PORT
dst         Destination IP:PORT
protocol    Protocol identifier
nexthop     Next-hop [Layer 4:Port]
tos         Type of service identificator
tcpflags    TCP flags
options     Optional IP options
tcpoptions  TCP Options (MSS, Window Scaling, Selective Acknowledgements, Timestamps, Nop)
pkts        Packets counter
bytes       Bytes counter
ts_first    Timestamp of fist packet that passed through the flow
ts_last     Timestamp of last packet that passed through the flow

----------------------------------------------------------------------------------------------------------------------------------------------------
#  hash  a  iif  oif  src             dst             protocol  nexthop           tos  tcpflags  options  tcpoptions  pkts  bytes  ts_first  ts_last
----------------------------------------------------------------------------------------------------------------------------------------------------
1  3743  0  2    0    10.0.0.1:8080   10.0.0.2:47024  47024     0.0.0.0[L4:8080]  0x0  0x1b      0x0      0xf1000000  11    680    377       28
2  d477  0  0    2    10.0.0.2:47024  10.0.0.1:8080   8080      0.0.0.0[L4:8080]  0x0  0x1b      0x0      0xf1000000  10    628    377       28
Step 12: Run command system netflow show status at DUT0 and check if output matches the following regular expressions:

Protocol\sversion\s10\s\(ipfix\)
Export:.*Errors 0 pkts
sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr 0, other 0

ipt_NETFLOW 2.6, srcversion C7171DDDBA03CBB4C9AD070; dir
Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1).
Timeouts: active 1800s, inactive 15s. Maxflows 2000000
Flows: active 2 (peak 2 reached 0d0h0m ago), mem 492K, worker delay 25/250 [1..25] (8 ms, 0 us, 2:0 [cpu1]).
Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 21 pkt, 1 K, InPDU 0, 0.
Rate: 344 bits/sec, 0 packets/sec; Avg 1 min: 606 bps, 0 pps; 5 min: 213 bps, 0 pps
cpu# pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
Total 0; 0 87 10 [1.00], 0 0 0 0, traffic: 97, 0 MB, drop: 0, 0 K
cpu0 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K
cpu1 0; 0 81 9 [1.00], 0 0 0 0, traffic: 90, 0 MB, drop: 0, 0 K
cpu2 0; 0 0 0 [1.00], 0 0 0 0, traffic: 0, 0 MB, drop: 0, 0 K
cpu3 0; 0 6 1 [1.00], 0 0 0 0, traffic: 7, 0 MB, drop: 0, 0 K
Export: Rate 118 bytes/s; Total 26 pkts, 0 MB, 8 flows; Errors 0 pkts; Traffic lost 0 pkts, 0 Kbytes, 0 flows.
sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0
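
The flow table printed in Step 11 can be turned into records for monitoring instead of being matched with a single regular expression. The following is an added example, not part of the OSDx documentation: parse_flows, one_way and Flow are hypothetical names, and it assumes the tcpflags column holds the standard TCP header flag bits.

```python
import re
from typing import NamedTuple

# Column order taken from the "show flows detailed" header on this page.
COLUMNS = ("id hash a iif oif src dst protocol nexthop tos tcpflags "
           "options tcpoptions pkts bytes ts_first ts_last").split()
# Assumption: tcpflags holds the standard TCP header flag bits.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
             0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
# nexthop looks like "0.0.0.0[L4:8080]"; the bracketed tag is optional here.
NEXTHOP = re.compile(r"^(?P<hop>[^\[]+)(?:\[(?P<tag>L\d+:\d+)\])?$")


class Flow(NamedTuple):
    src: str
    dst: str
    tag: str          # e.g. "L4:8080", or None when the row has no tag
    flags: frozenset  # names of the TCP flags recorded for the flow
    pkts: int
    octets: int


def parse_flows(text):
    """Return one Flow per data row; headers, rulers and legend are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(COLUMNS) or not parts[0].isdigit():
            continue
        row = dict(zip(COLUMNS, parts))
        hop = NEXTHOP.match(row["nexthop"])
        bits = int(row["tcpflags"], 16)
        flags = frozenset(n for b, n in TCP_FLAGS.items() if bits & b)
        flows.append(Flow(row["src"], row["dst"], hop["tag"] if hop else None,
                          flags, int(row["pkts"]), int(row["bytes"])))
    return flows


def one_way(flows):
    """Flows whose reverse direction is absent from the table."""
    seen = {(f.src, f.dst) for f in flows}
    return [f for f in flows if (f.dst, f.src) not in seen]


# The two data rows printed in Step 11 on this page.
SAMPLE = """\
1 3743 0 2 0 10.0.0.1:8080 10.0.0.2:47024 47024 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 11 680 377 28
2 d477 0 0 2 10.0.0.2:47024 10.0.0.1:8080 8080 0.0.0.0[L4:8080] 0x0 0x1b 0x0 0xf1000000 10 628 377 28
"""
```

On the Step 11 rows, 0x1b decodes to FIN, SYN, PSH and ACK in both directions, and the two packet counters add up to the 21 packets reported as InHash in Step 12.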