IPFIX

IPFIX is a technology for monitoring traffic in data networks containing switches and routers. It consists of several IPFIX Probes running on the router, and remote IPFIX Collectors.

The IPFIX probe collects flow information from the traffic processed by the device it is monitoring. IPFIX probes periodically forward this flow information to an IPFIX Collector for analysis.

More information is available in RFC 7011.

To configure IPFIX you need to specify the collector endpoint and which interfaces will be polled.

Warning

IPFIX can only monitor packets that are processed by the fast-path.

For each collector, you can tune:

  • scan-interval-seconds: Number of seconds between two reports to the collector.

  • active-flow-lifetime-interval-seconds: Duration in seconds a flow is considered active, i.e. packets are being received.

  • idle-flow-lifetime-interval-seconds: Duration in seconds during which the flow is considered inactive, i.e. no packets have been received. If a packet is received during this period, the flow becomes active again.

  • template-refresh-timeout: Minimal duration in seconds before the next “Template Sets” message can be sent. When the timeout is reached, the next scan sends the “Template Sets” message one more time. Very useful for UDP, where “Template Sets” messages may not reach the collector. More information is available in RFC 5101.
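Why a lost “Template Sets” message matters on the collector side, as an added example (not part of the product or its documentation): a minimal parser for the RFC 7011 message layout that drops Data Sets until the matching template, keyed by observation domain ID and template ID, has been received. The function names, the constructed messages and the restriction to fixed-length, non-enterprise fields are assumptions of this sketch; element IDs 8, 12 and 2 are sourceIPv4Address, destinationIPv4Address and packetDeltaCount.

```python
import io
import struct

def ipfix_message(odid, set_id, body):
    """Constructed IPFIX message carrying one set (RFC 7011 layout)."""
    return struct.pack("!HHIIIHH", 10, 20 + len(body), 0, 0, odid, set_id, 4 + len(body)) + body

def learn(templates, odid, body):
    """Store Template Records as (odid, template ID) -> [(element ID, length)]."""
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        if tid < 256 or count == 0 or pos + 4 + 4 * count > len(body):
            break  # padding, withdrawal or truncated record: not handled here
        flat = struct.unpack_from(f"!{2 * count}H", body, pos + 4)
        if sum(flat[1::2]):  # ignore a template whose fields are all zero-length
            templates[odid, tid] = list(zip(flat[::2], flat[1::2]))
        pos += 4 + 4 * count

def decode(fields, body):
    """Split a Data Set into records; fixed-length fields only (assumption)."""
    buf, size = io.BytesIO(body), sum(n for _, n in fields)
    return [{ie: int.from_bytes(buf.read(n), "big") for ie, n in fields}
            for _ in range(len(body) // size)]

def feed(templates, msg):
    """Return (decoded records, data sets dropped for lack of a template)."""
    version, length, _, _, odid = struct.unpack_from("!HHIII", msg)
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    records, dropped, off = [], 0, 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body, off = msg[off + 4:off + set_len], off + set_len
        if set_id == 2:                          # Template Set
            learn(templates, odid, body)
        elif set_id >= 256 and (odid, set_id) in templates:
            records += decode(templates[odid, set_id], body)
        elif set_id >= 256:
            dropped += 1                         # template lost or not yet resent
    return records, dropped

def replay():
    """Constructed sequence: the first Template Set is lost, then resent."""
    tmpl = ipfix_message(0, 2, struct.pack("!8H", 256, 3, 8, 4, 12, 4, 2, 8))
    data = ipfix_message(0, 256, struct.pack("!IIQ", 0x0A000005, 0x0A640001, 42))
    templates = {}
    return [feed(templates, m) for m in (data, tmpl, data)]
```

Every flow exported between a lost template and its next refresh is invisible to analysis, so a collector should count such drops and alert on them rather than discard them silently.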

Extra tuning options:

  • mpls-route-hash-order: Probe internal hash table size (power of two) to store the MPLS routes associated with the flows. Used for TopLabel protocol and next-hop IP information.

  • sampling-packet-interval: Specifies the number of packets that are consecutively sampled. A value of 100 means that 100 consecutive packets are sampled. In NetFlow v9 protocol, this parameter is ignored and set to 1 by default (NetFlow v9 does not support consecutive packets probing) (default: 1).

  • sampling-packet-space: This Information Element specifies the number of packets between two “sampling-packet-interval”s. A value of 100 means that the next interval starts 100 packets (which are not sampled) after the current “sampling-packet-interval” is over. 0 to sample all packets. (default: 4000).

  • export-expired-flow-only: Only export expired flows to the collector (default: False).

  • interface-cache-hash-order: Probe internal hash table size (power of two) to store the interfaces on the machine. Used to generate interface-info and vrf-info messages that describe interfaces and VRFs on the machine.
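How sampling-packet-interval and sampling-packet-space affect what the collector can see, as an added example (not part of the product or its documentation): a model of the count-based sampling described above, run over a constructed packet stream. The function names and the assumption that each cycle starts with the sampled packets at packet 0 are choices of this sketch.

```python
from collections import Counter

def is_sampled(n, interval, space):
    """True if packet number n (0-based) falls inside a sampled run.

    Assumption: each cycle is `interval` sampled packets followed by
    `space` skipped ones, starting at packet 0.
    """
    return n % (interval + space) < interval

def sampling_rate(interval, space):
    """Fraction of packets the probe inspects."""
    return interval / (interval + space)

def observe(stream, interval, space):
    """Count sampled packets per flow key; `stream` yields one key per packet."""
    seen = Counter()
    for n, key in enumerate(stream):
        if is_sampled(n, interval, space):
            seen[key] += 1
    return seen

def estimate_packets(sampled, interval, space):
    """Scale a sampled packet count back to an estimated real count."""
    return round(sampled * (interval + space) / interval)

def constructed_stream(total=40000):
    """Constructed traffic: one bulk flow plus 50 three-packet flows."""
    for n in range(total):
        yield f"short-{n // 800}" if n % 800 in (7, 8, 9) else "bulk"

def short_flows_seen(interval, space):
    """Names of the short flows that leave at least one sampled packet."""
    seen = observe(constructed_stream(), interval, space)
    return sorted(k for k in seen if k.startswith("short-"))

if __name__ == "__main__":
    for interval, space in [(1, 4000), (1, 0)]:
        seen = observe(constructed_stream(), interval, space)
        print(f"interval={interval} space={space}",
              f"rate={sampling_rate(interval, space):.5f}",
              f"short flows seen={len(short_flows_seen(interval, space))}/50",
              f"bulk estimate={estimate_packets(seen['bulk'], interval, space)}")
```

With the default values (interval 1, space 4000) only 3 of the 50 short flows in this stream produce a flow record, while sampling-packet-space 0 records all of them; volume estimates can be scaled back, but flows that were never sampled cannot be recovered.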

Configuration example:

vsr running config# / vrf main ipfix ipfix-collector col-4739 address 10.100.0.1 port 4739 protocol tcp sampling-packet-space 0
vsr running config# / vrf main ipfix ipfix-probe eth2 collector col-4739 link-vrf main
vsr running config# / vrf main ipfix enabled true

To display the IPFIX state:

vsr> show state / vrf main ipfix
ipfix
    enabled true
    ipfix-collector col-4739
        address 10.100.0.1
        port 4739
        protocol tcp
        scan-interval-seconds 5
        active-flow-lifetime-interval-seconds 5
        idle-flow-lifetime-interval-seconds 5
        mpls-route-hash-order 1
        interface-cache-hash-order 3
        sampling-packet-interval 1
        sampling-packet-space 0
        export-expired-flow-only false
        ..
    ipfix-probe eth2
        enabled true
        link-vrf main
        collector col-4739
        observation-domain-id 0
        template-refresh-timeout 600
        connected true
        collecting true
        ..
    ..

The same configuration can be made using this NETCONF XML configuration:

vsr> show config xml absolute vrf main ipfix
<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <ipfix xmlns="urn:6wind:vrouter/ipfix">
      <enabled>true</enabled>
      <ipfix-collector>
        <name>col-4739</name>
        <address>10.100.0.1</address>
        <port>4739</port>
        <protocol>tcp</protocol>
        <scan-interval-seconds>5</scan-interval-seconds>
        <frag-flow-lifetime-seconds>5</frag-flow-lifetime-seconds>
        <active-flow-lifetime-interval-seconds>5</active-flow-lifetime-interval-seconds>
        <idle-flow-lifetime-interval-seconds>5</idle-flow-lifetime-interval-seconds>
        <mpls-route-hash-order>1</mpls-route-hash-order>
        <interface-cache-hash-order>3</interface-cache-hash-order>
        <sampling-packet-interval>1</sampling-packet-interval>
        <sampling-packet-space>0</sampling-packet-space>
        <export-expired-flow-only>false</export-expired-flow-only>
      </ipfix-collector>
      <ipfix-probe>
        <ifname>eth2</ifname>
        <enabled>true</enabled>
        <link-vrf>main</link-vrf>
        <collector>col-4739</collector>
        <observation-domain-id>0</observation-domain-id>
        <template-refresh-timeout>600</template-refresh-timeout>
      </ipfix-probe>
    </ipfix>
  </vrf>
</config>

See also

The command reference for details.

It is also possible to display probe statistics with the show ipfix statistics command.

vsr> show ipfix statistics vrf main
Statistics for probe eth2
  Number of collected flows: 6
  Number of merged flows: 0
  Number of expired flows: 6
  Expired flow details:
   Number of expired flows due to TCP FIN flags: 0
   Number of expired flows due to TCP RST flags: 1
   Number of expired flows due to timeouts:  5
  Cache information:
   Flows currently active: 0
   Flows currently inactive: 0
   Flows currently expired: 0