Configuring IPFIX

This chapter describes how to configure IPFIX on Cisco IOS XR devices.

IPFIX

Table 1. Feature History Table

Feature Name

Release Information

Description

IPFIX Flow Record Enhancements for L2 and L3 traffic.

Release 7.4.1

This release introduces:

  • Support for flow-based IPFIX protocol version 10(v10), for L2 interfaces. Only L3 interfaces were supported in previous releases.

  • A new record-type, MPLS-IPv4, to capture BGP next-hop information.

Internet Protocol Flow Information Export (IPFIX) is an IETF standard export protocol for sending Netflow packets. IPFIX is based on Netflow version 9.

The IPFIX feature formats Netflow data and transfers the Netflow information from an exporter to a collector using UDP as transport protocol.

Restrictions for IPFIX

These IPFIX features are not supported:

  • Variable-length information element in the IPFIX template

  • Stream Control Transmission Protocol (SCTP) as the transport protocol

  • The outbundlemember option does not function in the fourth generation and fifth generation of the Cisco ASR 9000 Series Ethernet line cards for the ingress direction. However, it is supported in the third generation of the Cisco ASR 9000 Series Ethernet line cards for both directions.

Limitations for IPFIX

  • You cannot modify an exporter version of an exporter map that is already applied to an interface. To modify the exporter version, first remove the exporter configuration applied on the interface, later modify the version and apply the configuration to the interface.

  • An interface can have eight different monitor-maps but all the monitor maps should have the same version for the exporters. There can be different exporters for the 8 monitor maps but they all need to have the same exporter version either v9 or IPFIX.

Configuring IPFIX

Consider SP-PE use case where SP (Service Provider) cloud is connected to the PE (Provider Edge) router through TenGigabit ethernet.

Figure 1. SP-PE Topology


Configuring NetFlow on PE router involves:

  1. Configuring Exporter map with IPFIX as an exporter

  2. Configuring Monitor map

  3. Configuring Sampler map

  4. Applying the Monitor map and Sampler map to an interface

Configuring Exporter map with IPFIX as the exporter version 

flow exporter-map fem_ipfix 
 destination 10.1.1.1
 source Loopback 0
 transport udp 1025
 exit
version ipfix
 template data timeout 600
 options sampler-table
exit

Configuring Monitor map 


flow monitor-map fmm1
   record ipv4
    option filtered 
   exporter fem_ipfix
   cache entries 10000
   cache timeout active 1800
   cache timeout inactive 15
   exit

Configuring Sampler map 


sampler-map fsm1 
 random 1 out-of 65535
exit

Applying the Monitor map to an interface

Now apply the monitor-map fmm1 that is configured with an exporter version IPFIX and sampler-map fsm1 to the 10GE 0/0/0/1 interface in the ingress direction: 

configure
 interface 10GE0/0/0/1
  flow ipv4 monitor fmm1 sampler fsm1 ingress 
 exit

Verification

Use the show flow flow-exporter map command to verify the exporter version configured is IPFIX: 

RP/0/RSP0/CPU0:router# show flow exporter-map fem_ipfix
Flow Exporter Map : fem_ipfix
-------------------------------------------------
Id                  : 3
Packet-Length       : 1468
DestinationIpAddr   : 10.1.1.1
VRFName             : default
SourceIfName        : Loopback1
SourceIpAddr        : 4.4.0.1
DSCP                : 40
TransportProtocol   : UDP
TransportDestPort   : 9001

Export Version: IPFIX
  Common Template Timeout : 1800 seconds
  Options Template Timeout : 1800 seconds
  Data Template Timeout : 1800 seconds
  Interface-Table Export Timeout : 0 seconds
  Sampler-Table Export Timeout : 0 seconds
  VRF-Table Export Timeout : 0 seconds

Exported packets in an IPFIX packet structure are in the form of template set or data set. The first data template is sent when the configuration is activated on the interface.

With constant stream, the flowset data does not change, so data is decoded. Data template is updated in the case of timeout on the template. To change the timeout options in the flow exporter, use the template options timeout command: 

RP/0/RP0/CPU0:router(config)#flow exporter-map ipfix_exp1
RP/0/RP0/CPU0:router(config-fem)#version ipfix
RP/0/RP0/CPU0:router(config-fem-ver)#template options 
RP/0/RP0/CPU0:TU-PE3(config-fem-ver)#template options timeout
RP/0/RP0/CPU0:TU-PE3(config-fem-ver)#template options timeout 30
 
RP/0/RP0/CPU0:router# show flow exporter-map ipfix_exp1
version ipfix                                                                                                                                    
  template data timeout 30
!
dscp 40
transport udp 9001
source Loopback0
destination 10.127.59.86

BGP community and AS path information elements for IPFIX

BGP community and AS path information elements are IPFIX (NetFlow v10) data elements that

  • enable tagging of network flows with BGP community and AS path values

  • allow users to correlate flow records with BGP path attributes for both communities and autonomous system numbers, and

  • support enhanced flow analysis, troubleshooting, and policy verification.

BGP communities and AS paths

BGP communities are mechanisms that tag routes with additional information, making it easier for network operators to manage routing policies and analyze routing decisions based on BGP attributes.

AS path represents the sequence of autonomous systems a route has traversed, providing insight into the journey of a route across multiple networks and enabling more informed routing decisions.

Exported attributes information

The IPFIX (NetFlow v10) export supports two primary BGP attributes:

  • bgpDestinationCommunityList (IE485): Exports a list of BGP community values associated with the destination of each flow.

  • bgpDestinationAsPathList (IE512): Exports the sequence of autonomous systems (AS path) associated with the destination prefix of each flow.

Guidelines for exporting BGP and AS attributes using IPFIX

Requirements for exporting BGP and AS attributes using IPFIX

  • Set the exporter map to IPFIX version to export BGP attributes.

  • Exported list is limited to 32 elements. If a list contains more than 32 elements, it will be truncated, and only the first 32 elements will be exported.

  • Verify BGP attribute export by checking the exported packets at the collector because show commands do not display these changes.

Caution for exporting BGP and AS attributes using IPFIX

  • This export feature is specific to NetFlow v10 (IPFIX).

BGP community information element export prerequisites

To export BGP community information elements using Cisco NetFlow and IPFIX, follow these key prerequisites and considerations:

  • Enable export of BGP community information elements by entering the 
    option
        bgpattr
    command under a flow monitor map in the CLI.

  • Configure the exporter map to use the IPFIX (NetFlow v10) format; NetFlow v9 does not support the updated BGP community information elements.

  • NetFlow v9 continues to support similar features, but exporting the updated BGP community information elements specifically requires IPFIX.

  • Show command outputs remain unchanged when using IPFIX export; to verify exported elements, inspect the export packets directly.

IP Flow Information Export (IPFIX) 315

Internet Protocol Flow Information Export (IPFIX) is an IETF standard export protocol (RFC 7011) for sending IP flow information. Cisco ASR 9000 Router supports IPFIX 315 format to export flow information. IPFIX 315 format facilitates sending ā€˜nā€™ octets frame information starting from ethernet header till trasport header of the traffic flow over the network. IPFIX 315 supports sending variable size packet record with variable payload information such as IPv4, IPv6, MPLS, and Nested packets like OuterIP-GRE-InnerIP etc. The process includes sampling and exporting the traffic flow information. Along with the ethernet frame information, IPFIX 315 format exports information of incoming and outgoing interface of the sampled packet.

Use hw-module profile netflow ipfix315 location < linecard location > command to enable IPFIX 315.

The information of the packets flowing through a device is used for variety of purpose including network monitoring, capacity planning, traffic management, etc.

Sampling and Exporting Information

You must configure a sampling map to sample the traffic flow information. The sampler map specifies the rate at which packets (one out of n packets) are sampled.

The size of exported packet is untill and including L4 header. If the L4 header is not found then the maximum of 160 bytes are exported.

The below figure IPFIX 315 Export Packet Format shows exported packet information.

Figure 2. IPFIX 315 Export Packet Format

A special cache type called Immediate Aging is used while exporting the packets. Immediate Aging ensures that the flows are exported as soon as they are added to the cache. Use the command cache immediate in flow monitor map configuration to enable Immediate Aging cache type.

IPFIX 315 Implementation Considerations

Here are few key points to consider before implementing IPFIX 315:

  • You cannot enable the IPFIX 315 (using the datalinkframesection command) on an interface that has IPv4, IPv6 and MPLS flows already configured. Similarly, you cannot configure IPv4, IPv6 and MPLS flows if you have first enabled the IPFIX 315.

  • Supported only in ingress direction.

  • Supported on third and fourth generation of ASR 9000 line cards.

  • Not supported on satellite interface.

  • Supports only L3 routed packets.

Configuring IPFIX 315

Configuring IPFIX 315 involves:

  1. Configuring Exporter map

  2. Configuring Monitor map

  3. Configuring Sampler map

  4. Applying the Monitor map and Sampler map to an interface

Configuring Exporter map 

flow exporter-map ipfix_exp
 version ipfix
 !
 dscp 40
 transport udp 9002
 source Loopback1
 destination 100.10.1.112
!

Note

For options command and its configurations in Exporter Map, see options .

Configuring Monitor map

flow monitor-map ipfix_mon
 record datalinksectiondump
 exporter ipfix_exp
 cache immediate
 cache entries 1000000
 cache timeout rate-limit 1000000
!

Configuring Sampler map

sampler-map ipfix_sm
 random 1 out-of 32000
!

Note

The default cache size is 65535, hence you can configure sampling rate as 1 out of 65535 packets. However the recommended sampling rate is 1 out of 32000 packets.

Applying the Monitor map to an interface

interface HundredGigE 0/0/0/18
        flow datalinkframesection monitor ipfix_mon sampler ipfix_sm ingress

Verification

Use the show flow platform producer statistics location command to display the statistics for datalinkframesection in the ingress direction:
RP/0/RP0/CPU0#show flow platform producer statistics location 02/CPU0 
Wed Dec  6 02:49:04.411 EST
Netflow Platform Producer Counters:
IPv4 Ingress Packets:                 3558922
IPv4 Egress Packets:                      183
IPv6 Ingress Packets:                       0
IPv6 Egress Packets:                        0
MPLS Ingress Packets:              2176292132
MPLS Egress Packets:                 96276772
Section Ingress Packets            2176292157
Drops (no space):                           0
Drops (other):                              0
Unknown Ingress Packets:                    0
Unknown Egress Packets:                     0
Worker waiting:                        369792
SPP Packets:                       2119944979
Flow Packets:                      2276128009
Flow Packets per SPP Frame:                 1
Use the show flow monitor <monitor-map> cache location command to check the flow monitor stats. In this example flow statistics for ipfix_mon monitor map are displayed:
RP/0/RP0/CPU0#show flow monitor ipfix_mon cache location 0/2/CPU0

Cache summary for Flow Monitor ipfix:
Cache size:                          65535
Current entries:                         0
Flows added:                          2515
Flows not added:                         0
Ager Polls:                            252
  - Active timeout                       0
  - Inactive timeout                     0
  - Immediate                         2515
  - TCP FIN flag                         0
  - Emergency aged                       0
  - Counter wrap aged                    0
 - Total                             2515
Periodic export:
  - Counter wrap                         0
  - TCP FIN flag                         0
Flows exported                           2


Matching entries:                        0

In the above sample output, cache immediate entries are 2515 and flows exported are 2.


Note

The cache record statistics are not displayed for IPFIX 315.