-
Cisco CNS NetFlow Collection Engine Installation and Configuration Guide, 4.0
-
Index
-
About This Guide
-
Overview
-
Installing and Configuring CNS NetFlow Collection Engine
-
Using the CNS NetFlow Collection Engine User Interface
-
Understanding the CNS NetFlow Collection Engine Data File Format
-
Customizing the CNS NetFlow Collection Engine
-
Using Cafeteria-Style Aggregation
-
Troubleshooting CNS NetFlow Collection Engine
-
NetFlow Export Datagram Formats
-
CNS NetFlow Collection Engine Configuration and Control Protocol
-
CNS NetFlow Collection Engine Binary Data File Format
-
CNS NetFlow Collection Engine CNS/XML Interface
-
Table Of Contents
Using Cafeteria-Style Aggregation Schemes
Modifying CNS NetFlow Collection Engine Resources
Using Cafeteria-Style Aggregation Schemes
Prior releases of CNS NetFlow Collection Engine included a library of pre-defined aggregation schemes that you could use to determine the type of information that is aggregated and stored in data files. Beginning with Release 4.0, you can now customize aggregation schemes.
With cafeteria-style aggregation, you can select the set of key fields that will be used to aggregate the flow. You can also select the value fields. Cafeteria-style aggregation works with and NetFlow Data Export formats supported by CNS NetFlow Collection Engine, Release 4.0.
This chapter includes the following sections:
•
Modifying CNS NetFlow Collection Engine Resources
Custom Aggregation Schemes
With CNS NetFlow Collection Engine, Release 4.0 you can define your own aggregation schemes and filters in the nfconfig.file file using field names in nfknown.typefile. The nfknown.typefile file is a new file that stores the mapping of the numeric value and name of field types.
Note
The format of type definitions in nfknow.typefile is as follows.
Type type_name type_numberApart from mapping of the name and type, the nfknown.typefile file also defines which types represent IP address. Such types are listed following the DOTTED_ADDRESS_TYPE keyword.
An additional Scope entry can appear in this file which maps the integer scope type contained in options template messages to the string for this in options data output files written by the collector. The format is:
<Key word Scope> <Name string> <type>For further information on options data and options templates, refer to the "Options Data File Format" section on page 4-9.
The location of nfknown.typefile is specified in nf.resources with the NFC_KNOWNTYPEFILE property.
Configuration
With cafeteria-style aggregation, you have more control over how to aggregate flows. The following is used to define aggregation schemes.
AggregationDef Aggregation_namekeys type_name, type_name, ...values type_name, type_name, ...The aggregation definition contains comma-separated lists of key and value type names. The type names must be defined in nfknown.typefile. The values of the key fields and value fields are written in CNA Netflow Collection Engine aggregation output files. Key fields determine which records in the output are unique; value fields are summed in the output.
When you configure a thread for cafeteria-style aggregation, instead of specifying a pre-defined AggregationName, you now must specify the aggregation definition's name.
Note
The following is an example of a how to create and use a cafeteria-style aggregation definition:
AggregationDef SrcIPToskeys IPSRCADDR,TOSvalues BYTES_32,PKTS_32,FLOWSThread threadSrcIpTosPort 9999Aggregation SrcIPTosPeriod 5DataSetPath /opt/CSCOnfc/DataState ActiveCompression noBinary noMaxUsage 0If the flow records from the router do not have all the fields specified in the aggregation definition, then the flows will not be aggregated and errors will be reported in the nfc.log file.
Filters
Filter configuration, management, and processing has been extended to enable processing of Netflow Data Export Version 9 data, and to support the cafeteria-style aggregation.Basic filter configuration has not changed, but a new keyword has been added for filters used with cafeteria-style aggregation.
Note
To use a filter with a cafeteria-style aggregation scheme, you must create a FlexTypeFilter. For example:
FlexTypeFilter V9DenyWebdeny SRC_PORT 80deny DST_PORT 80permit IPSRCADDR 0.0.0.0 255.255.255.255
Note
Only use FlexTypeFilters definitions in conjunction with user-defined aggregation schemes that are defined in an AggregationDef block in nfconfig.file. A "standard" Filter for pre-defined aggregations cannot be specified in a thread that contains a user-defined aggregation; similarly, a FlexTypeFilter cannot be specified in a thread where a pre-defined aggregation is used.
Modifying CNS NetFlow Collection Engine Resources
The nf.resources file contains the configuration parameter settings and directory file path names used to configure your startup CNS NetFlow Collection Engine environment. Besides the path name definitions, the nf.resources file also includes a set of parameters for tuning CNS NetFlow Collection Engine performance. Only users with root or .bin directory privileges can modify this file. The nf.resources file is located in the $NFC_DIR/config directory.
Table 6-1 describes the configuration parameters that support cafeteria-style aggregation schemes.
