Traffic Flow Monitoring with Cflowd

Cflowd monitors traffic flowing through Cisco vEdge devices in the overlay network and exports flow information to a collector, where it can be processed by an IPFIX analyzer. For a traffic flow, cflowd periodically sends template reports to flow collector. These reports contain information about the flows and the data is extracted from the payload of these reports.

You can create a cflowd-template that defines the location of cflowd collectors, how often sets of sampled flows are sent to the collectors, and how often the template is sent to the collectors (on Cisco vSmart Controllers only). You can configure a maximum of four cflowd collectors per Cisco vEdge device. To have a cflowd-template take effect, apply it with the appropriate data policy.

You must configure at least one cflowd-template, but it need not contain any parameters. With no parameters, the data flow cache on the nodes is managed using default settings, and no flow export occurs.

Cflowd traffic flow monitoring is equivalent to Flexible Netflow (FNF).

The cflowd software implements cflowd version 10, as specified in RFC 7011 and RFC 7012. Cflowd version 10 is also called the IP Flow Information Export (IPFIX) protocol.

Cflowd performs 1:1 sampling. Information about all flows is aggregated in the cflowd records; flows are not sampled. Cisco vEdge devices do not cache any of the records that are exported to a collector.

Components of Cflowd

In the overlay network, you configure cflowd using a centralized data policy. As part of the policy, you specify the location of the collector.

By default, flow information is sent to the collector every 60 seconds. You can modify this and other timers related to how often cflowd templates are refreshed and how often a traffic flow times out.

You can configure many cflowd policies, but in one single cflowd policy, you can configure at most four external collectors. When you configure a new data policy that changes which flows are sampled, the software allows the old flows to expire gracefully rather than deleting them all at once.

The Cisco vEdge device exports template records and data records to a collector. The template record is used by the collector to parse the data record information that is exported to it.

Note

Option templates are not supported on Cisco vEdge devices.

The source IP address for the packet containing the IPFIX records is selected from the collector that is closer to the interfaces in the VPN. The flow records are exported through TCP or UDP connections for Cisco devices. Anonymization of records and TLS encryption are not performed, because it is assumed that the collector and the IPFIX analyzer are both located within the data center, traffic traveling within the data center is assumed to be safe.

Cflowd can track GRE, ICMP, IPsec, SCTP, TCP, and UDP flows.

Cisco SD-WAN IPFIX Information Elements Exported to the Collector

The Cisco SD-WAN cflowd software exports the following IPFIX information elements to the cflowd collector. These information elements are a subset of those defined in RFC 7012 and maintained by IANA. The elements are exported in the order listed. You cannot modify the information elements that are exported, nor can you change the order in which they appear.


Information Element	Element ID	Description	Data Type	Data Type Semantics	Units or Range
ipClassOfService	5	Value of type of service (TOS) field in the IPv4 packet header.	unsigned8 (1 byte)	identifier	—
ipNextHopIPv4Address	15	IPv4 address of the next IPv4 hop.	IPv4Address (4 bytes)	default	—
minimumIpTotalLength	25	Length of the smallest packet observed for this flow. The packet length includes the IP headers and the IP payload.	unsigned64 (8 bytes)	—	Octets
maximumIpTotalLength	26	Length of the largest packet observed for this flow. The packet length includes the IP headers and the IP payload.	unsigned64 (8 bytes)	—	Octets
icmpTypeCodeIPv4	32	Type and Code of the IPv4 ICMP message. The combination of both values is reported as (ICMP type * 256) + ICMP code.	unsigned16 (2 bytes)	identifier	—
octetTotalCount	85	Total number of octets in incoming packets for this flow at the observation point since initialization or re-initialization of the metering process for the observation point. The count includes the IP headers and the IP payload.	unsigned64 (8 bytes)	totalCounter	Octets
packetTotalCount	86	Total number of incoming packets for this flow at the observation point since initialization or re-initialization of the metering process for the observation point.	unsigned64 (8 bytes)	totalCounter	Packets
flowStartSeconds	150	Absolute timestamp of the first packet of this flow.	dateTime-Seconds (4 bytes)	—	—
flowEndSeconds	151	Absolute timestamp of the last packet of this flow.	dateTime-Seconds (4 bytes)	—	—
ipPrecedence	196	Value of IP precedence. This value is encoded in the first 3 bits of the IPv4 TOS field.	unsigned8 (1 byte)	flags	0 through 7
paddingOctets	210	Value of this Information Element is always a sequence of 0x00 values.	octetArray	default	—

Configure Cflowd Traffic Flow Monitoring

This topic provides general procedures for configuring cflowd traffic flow monitoring. You configure cflowd traffic flow monitoring using the basic components of centralized data policy. You configure cflowd template options, including the location of the cflowd collector (if you are sending the flow to a collector), and you must configure cflowd as an action in the data policy.

To configure policy for cflowd traffic flow monitoring, use the Cisco vManage policy configuration wizard. The wizard consists of four sequential screens that guide you through the process of creating and editing policy components:

Create Applications or Groups of Interest—Create lists that group together related items and that you call in the match or action components of a policy.
Configure Topology—Create the network structure to which the policy applies.
Configure Traffic Rules—Create the match and action conditions of a policy.
Apply Policies to Sites and VPNs—Associate policy with sites and VPNs in the overlay network.

In the first three policy configuration wizard screens, you are creating policy components or blocks. In the last screen, you are applying policy blocks to sites and VPNs in the overlay network.

For the cflowd policy to take effect, you must activate the policy.

Step 1: Start the Policy Configuration Wizard

To start the policy configuration wizard:

In the Cisco vManage NMS, select the Configure > Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
Click Add Policy.

The policy configuration wizard opens, and the Create Applications or Groups of Interest screen is displayed.

Step 2: Create Applications or Groups of Interest

To create lists of applications or groups to use in cflowd policy:

Create new lists as described in the following table:
- Prefix
  1. In the left bar, click Prefix.
  2. Click New Prefix List.
  3. Enter a name for the list.
  4. In the Add Prefix field, enter one or more data prefixes separated by commas.
  5. Click Add.
- Site
  1. In the left bar, click Site.
  2. Click New Site List.
  3. Enter a name for the list.
  4. In the Add Site field, enter one or more site IDs separated by commas.
  5. Click Add.
- VPN
  1. In the left bar, click VPN.
  2. Click New VPN List.
  3. Enter a name for the list.
  4. In the Add VPN field, enter one or more VPN IDs separated by commas.
  5. Click Add.
Click Next to Configure Topology in the wizard. When you first open this screen, the Topology tab is selected by default.

Step 3: Configure the Network Topology

To configure the network topology:

In the Topology tab, create a network topology as described:

Hub and Spoke - Policy for a topology with one or more central hub sites and with spokes connected to a hub
1. In the Add Topology drop-down, select Hub and Spoke.
2. Enter a name for the hub-and-spoke policy.
3. Enter a description for the policy.
4. In the VPN List field, select the VPN list for the policy.
5. In the left pane, click Add Hub and Spoke. A hub-and-spoke policy component containing the text string My Hub-and-Spoke is added in the left pane.
6. Double-click the My Hub-and-Spoke text string, and enter a name for the policy component.
7. In the right pane, add hub sites to the network topology:
  1. Click Add Hub Sites.
  2. In the Site List Field, select a site list for the policy component.
  3. Click Add.
  4. Repeat Steps 7a, 7b, and 7c to add more hub sites to the policy component.
8. In the right pane, add spoke sites to the network topology:
  1. Click Add Spoke Sites.
  2. In the Site List Field, select a site list for the policy component.
  3. Click Add.
  4. Repeat Steps 8a, 8b, and 8c to add more spoke sites to the policy component.
9. Repeat Steps 5 through 8 to add more components to the hub-and-spoke policy.
10. Click Save Hub and Spoke Policy.
Mesh - Partial-mesh or full-mesh region
1. In the Add Topology drop-down, select Mesh.
2. Enter a name for the mesh region policy component.
3. Enter a description for the mesh region policy component.
4. In the VPN List field, select the VPN list for the policy.
5. Click New Mesh Region.
6. In the Mesh Region Name field, enter a name for the individual mesh region.
7. In the Site List field, select one or more sites to include in the mesh region.
8. Repeat Steps 5 through 7 to add more mesh regions to the policy.
9. Click Save Mesh Region.

To use an existing topology:

In the Add Topology drop-down, click Import Existing Topology. The Import Existing Topology popup displays.
Select the type of topology.
In the Policy drop-down, select the name of the topology.
Click Import.

Click Next to move to Configure Traffic Rules in the wizard. When you first open this screen, the Application-Aware Routing tab is selected by default.

Step 4: Configure Traffic Rules

To configure traffic rules for cflowd policy:

In the Application-Aware Routing bar, select the Cflowd tab.
Click the Add Policy drop-down.
Select Create New. The Add Cflowd Policy popup opens.
Configure timer parameters for the cflowd template:
1. In the Active Flow Timeout field, specify how long to collect a set of flows on which traffic is actively flowing, a value from 30 through 3,600 seconds. The default is 600 seconds (10 minutes).
2. In the Inactive Flow Timeout field, specify how long to wait to send a set of sampled flows to a collector for a flow on which no traffic is flowing, a value from 1 through 3,600 seconds. The default is 60 seconds (1 minute).
3. In the Flow Refresh Interval field, specify how often to send the cflowd template record fields to the collector, a value from 60 through 86,400 seconds (1 minute through 1 day). The default is 90 seconds.
4. In the Sampling Interval field, specify how many packets to wait before creating a new flow, a value from 1 through 65,536 seconds. While you can configure any integer value, the software rounds the value down to the nearest power of 2.
Click Add New Collector, and configure the location of the cflowd collector. You can configure up to four collectors.
1. In the VPN ID field, enter the number of the VPN in which the collector is located.
2. In the IP Address field, enter the IP address of the collector.
3. In the Port Number field, enter the collector port number. The default port is 4739.
4. In the Transport Protocol drop-down, select the transport type to use to reach the collector, either TCP or UDP.
5. In the Source Interface field, enter the name of the interface to use to send flows to the collector. It can be either a Gigabit Ethernet, a 10-Gigabit Ethernet interface (ge), or a loopback interface (loopback number).
Click Save Cflowd Policy.
Click Next to move to Apply Policies to Sites and VPNs in the wizard.

Step 5: Apply Policies to Sites and VPNs

To apply a policy block to sites and VPNs in the overlay network:

If you are already in the policy configuration wizard, skip to Step 6. Otherwise, in the Cisco vManage NMS, select the Configure > Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
Click Add Policy. The policy configuration wizard opens, and the Create Applications or Groups of Interest screen is displayed
Click Next. The Network Topology screen opens, and in the Topology bar, the Topology tab is selected by default.
Click Next. The Configure Traffic Rules screen opens, and in the Application-Aware Routing bar, the Application-Aware Routing tab is selected by default.
Click Next. The Apply Policies to Sites and VPNs screen opens.
In the Policy Name field, enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
In the Policy Description field, enter a description of the policy. It can contain up to 2048 characters. This field is mandatory, and it can contain any characters and spaces.
From the Topology bar, select the type of policy block. The table then lists policies that you have created for that type of policy block.
Click Add New Site List. Select one or more site lists, and click Add.
Click Preview to view the configured policy. The policy is displayed in CLI format.
Click Save Policy. The Configuration > Policies screen opens, and the policies table includes the newly created policy.

Step 6: Activate a Centralized Policy

Activating a cflowd policy sends that policy to all connected Cisco vSmart Controllers. To activate a cflowd policy:

In the Cisco vManage NMS, select the Configure > Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
Select a policy.
Click the More Actions icon to the right of the row, and click Activate. The Activate Policy popup opens. It lists the IP addresses of the reachable Cisco vSmart Controllers to which the policy is to be applied.
Click Activate.

Configure Cflowd Traffic Flow Monitoring Using CLI

Following are the high-level steps for configuring a cflowd centralized data policy to perform traffic monitoring and to export traffic flows to a collector:

Create a list of overlay network sites to which the cflowd centralized data policy is to be applied (in the apply-policy command):
```
vSmart(config)# policy
vSmart(config-policy)# lists site-list list-name
vSmart(config-lists-list-name)# site-id site-id
```
The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (–). Create additional site lists, as needed.

Create a list of VPN for which the cflowd centralized data policy is to be configured (in the policy data-policy command):

vSmart(config)# policy lists
vSmart(config-lists)# vpn-list list-name
vSmart(config-lists-list-name)# vpn vpn-id

Create lists of IP prefixes, as needed:

vSmart(config)# policy lists
vSmart(config-lists)# prefix-list list-name
vSmart(config-lists-list-name)# ip-prefix prefix/length

Configure a cflowd template, and optionally, configure template parameters, including the location of the cflowd collector, the flow export timers, and the flow sampling interval:
```
vSmart(config)# policy cflowd-template template-name
vSmart(config-cflowd-template-template-name)# collector vpn vpn-id address ip-address port port-number transport-type (transport_tcp | transport_udp) source-interface interface-name
vSmart(config-cflowd-template-template-name)# flow-active-timeout seconds
vSmart(config-cflowd-template-template-name)# flow-inactive-timeout seconds
vSmart(config-cflowd-template-template-name)# template-refresh seconds
```
You must configure a cflowd template, but it need not contain any parameters. With no parameters, the data flow cache on router is managed using default settings, and no flow export occurs. You can configure one cflowd template per router, and it can export to a maximum of four collectors.

By default, an actively flowing data set is exported to the collector every 600 seconds (10 minutes), a data set for a flow on which no traffic is flowing is sent every 60 seconds (1 minute), and the cflowd template record fields (the three timer values) are sent to the collector every 90 seconds.

Also by default, a new flow is created immediately after an existing flow has ended. If you modify the configuration of the template record fields, the changes take effect only on flows that are created after the configuration change has been propagated to the router. Because an existing flow continues indefinitely, to have configuration changes take effect, clear the flow with the clear app cflowd flows command.
If you configure a logging action, configure how often to log packets to the syslog files:
```
vEdge(config)# policy log-frequency number
```

Create a data policy instance and associate it with a list of VPNs:

vSmart(config)# policy data-policy policy-name
vSmart(config-data-policy-policy-name)# vpn-list list-name

Create a sequence to contain a single match–action pair:
```
vSmart(config-vpn-list-list-name)# sequence number
vSmart(config-sequence-number)# 
```
The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the route matches the conditions in one of the pairs. If no match occurs, the default action is taken.

Define match parameters for the data packets:

vSmart(config-sequence-number)# match  parameters

In the action, enable cflowd:

vSmart(config-sequence-number)# action cflowd

In the action, count or log data packets:

vSmart(config-sequence-number)# action count counter-name
vSmart(config-sequence-number)# action log

Create additional numbered sequences of match–action pairs within the data policy, as needed.
If a route does not match any of the conditions in one of the sequences, it is rejected by default. If you want nonmatching prefixes to be accepted, configure the default action for the policy:
```
vSmart(config-policy-name)# default-action accept
```

Apply the policy and the cflowd template to one or more sites in the overlay network:

vSmart(config)# apply-policy site-list list-name data-policy policy-name
vSmart(config)# apply-policy site-list list-name cflowd-template template-name

Structural Components of Policy Configuration for Cflowd

Here are the structural components required to configure cflowd on a Cisco vSmart Controller. Each component is explained in more detail in the sections below.

policy
  lists
    prefix-list list-name
      ip-prefix prefix
    site-list list-name
      site-id site-id
    vpn-list list-name
      vpn vpn-id
  log-frequency number
  cflowd-template template-name
    collector vpn vpn-id address ip-address port port-number transport transport-type source-interface interface-name
    flow-active-timeout seconds
    flow-inactive-timeout seconds
    flow-sampling-interval number
    template-refresh seconds
  data-policy policy-name
    vpn-list list-name
      sequence number
        match
          match-parameters
        action
          cflowd
          count counter-name
          drop
          log
       default-action
         (accept | drop)
apply-policy site-list list-name
  data-policy policy-name
  cflowd-template template-name

Lists

Centralized data policy uses the following types of lists to group related items. You configure lists under the policy lists command hierarchy on Cisco vSmart Controllers.

Table 1.
List Type	Description	Command
Data prefixes	List of one or more IP prefixes. To configure multiple prefixes in a single list, include multiple ip-prefix options, specifying one prefix in each option.	data-prefix-list list-name ip-prefix prefix/length
Sites	List of one or more site identifiers in the overlay network. To configure multiple sites in a single list, include multiple site-id options, specifying one site number in each option. You can specify a single site identifier (such as site-id 1) or a range of site identifiers (such as site-id 1-10).	site-list list-name site-id site-id
VPNs	List of one or more VPNs in the overlay network. To configure multiple VPNs in a single list, include multiple vpn options, specifying one VPN number in each option. You can specify a single VPN identifier (such as vpn 1) or a range of VPN identifiers (such as vpn 1-10).	vpn-list list-name vpn vpn-id

Logging Frequency

If you configure a logging action, by default, the Cisco vEdge device logs all data packet headers to a syslog file. To log only a sample of the data packet headers:

vEdge(config)# policy log-frequency number

number specifies how often to to log packet headers. For example, if you configure log-frequency 20, every sixteenth packet is logged. While you can configure any integer value for the frequency, the software rounds the value down to the nearest power of 2.

Cflowd Templates

For each cflowd data policy, you must create a template that defines the location of the flow collector:

vSmart(config)# policy cflowd-template template-name

The template can specify cflowd parameters or it can be empty. With no parameters, the data flow cache on vEdge nodes is managed using default settings, and no flow export occurs.

In the cflowd template, you can define the location of the flow collection:

vSmart# (config-cflowd-template-template-name)
vSamrt# collector vpn vpn-id address 
ip-address port port-number 
transport transport-type source-interface 
interface-name

You can configure one cflowd template per Cisco vEdge device, and it can export to a maximum of four collectors.

You can configure flow export timers:

vSmart(config)# policy cflowd-template template-name
vSmart(config-cflowd-template-template-name)# flow-active-timeout seconds
vSmart(config-cflowd-template-template-name)# flow-inactive-timeout seconds
vSmart(config-cflowd-template-template-name)# template-refresh seconds

By default, an actively flowing data set is exported to the collector every 600 seconds (10 minutes), a data set for a flow on which no traffic is flowing is sent every 60 seconds (1 minute), and the cflowd template record fields are sent to the collector every 90 seconds. For flow sampling, by default, a new flow is started immediately after an existing flow ends.

For a single Cisco vEdge device, you can configure a maximum of four collectors.

Data Policy Instance

For each centralized data policy, you create a named container for that policy with a policy data-policy policy-name command. For a single Cisco vEdge device, you can configure a maximum of four cflowd policies.

VPN Lists

Each centralized data policy instance applies to the VPNs contained in a VPN list. Within the policy, you specify the VPN list with the policy data-policy vpn-list list-name command. The list name must be one that you created with a policy lists vpn-list list-name command.

Sequences

Within each VPN list, a centralized data policy contains sequences of match–action pairs. The sequences are numbered to set the order in which data traffic is analyzed by the match–action pairs in the policy. You configure sequences with the policy data-policy vpn-list sequence command.

Each sequence in a centralized data policy can contain one match command and one action command.

Match Parameters

Centralized data policy can match IP prefixes and fields in the IP headers. You configure the match parameters under the policy data-policy vpn-list sequence match command.

For data policy, you can match these parameters:

Table 2.
Description	Command	Value or Range
Group of destination prefixes	destination-data-prefix-list list-name	Name of a data-prefix-list list.
Individual destination prefix	destination-ip prefix/length	IP prefix and prefix length
Destination port number	destination-port number	0 through 65535
DSCP value	dscp number	0 through 63
Internet Protocol number	protocol number	0 through 255
Group of source prefixes	source-data-prefix-list list-name	Name of a data-prefix-list list
Individual source prefix	source-ip prefix/length	IP prefix and prefix length
Source port number	source-port address	0 through 255

Action Parameters

When data traffic matches the conditions in the match portion of a centralized data policy, the packet can be accepted or rejected, and you can configure a counter for the accepted or rejected packets. You configure the action parameters under the policy data-policy vpn-list sequence action command.

Table 3.
Description	Command	Value or Range
Count the accepted or dropped packets.	count counter-name	Name of a counter. To display counter information, use the show policy access-lists counters command on the Cisco vEdge device.
Enable cflowd.	cflowd	—
Log the packet headers into the messages and vsyslog system logging (syslog) files. In addition to logging the packet headers, a syslog message is generated the first time a packet header is logged and then every 5 minutes thereafter, as long as the flow is active.	log	To display logging information, use the show app log flow-all, show app log flows, and show log commands on the Cisco vEdge device.

For a packet that is accepted, configure the parameter cflowd to enable packet collection.

Default Action

If a data packet being evaluated does not match any of the match conditions in a control policy, a default action is applied to this route. By default, the route is rejected. To modify this behavior, include the policy data-policy vpn-list default-action accept command.

Apply and Enable Cflowd Policy

For a centralized data policy to take effect, you must apply it to a list of sites in the overlay network:

vSmart(config)# apply-policy site-list list-name data-policy policy-name

To activate the cflowd template, associate it with the data policy:

vSmart(config)# apply-policy cflowd-template template-name

For all data-policy policies that you apply with apply-policy commands, the site IDs across all the site lists must be unique. That is, the site lists must not contain overlapping site IDs. An example of overlapping site IDs are those in the two site lists site-list 1 site-id 1-100 and site-list 2 site-id 70-130. Here, sites 70 through 100 are in both lists. If you were to apply these two site lists to two different data-policy policies, the attempt to commit the configuration on the Cisco vSmart Controller would fail.

The same type of restriction also applies to the following types of policies:

Application-aware routing policy (app-route-policy)
Centralized control policy (control-policy)
Centralized data policy (data-policy)

You can, however, have overlapping site IDs for site lists that you apply for different types of policy. For example, the sites lists for control-policy and data-policy policies can have overlapping site IDs. So for the two example site lists above, site-list 1 site-id 1-100 and site-list 2 site-id 70-130, you could apply one to a control policy and the other to a data policy.

As soon as you successfully activate the configuration by issuing a commit command, the Cisco vSmart Controller pushes the data policy to the Cisco vEdge devices located in the specified sites. To view the policy as configured on the Cisco vSmart Controller, use the show running-config command on the Cisco vSmart Controller. To view the policy that has been pushed to the device, use the show policy from-vsmart command on the device.

To display the centralized data policy as configured on the Cisco vSmart Controller, use the show running-config command:

vSmart# show running-config policy 
vSmart# show running-config apply-policy

Enable Cflowd Visibility on Cisco vEdge device Devices

You can enable cflowd visibility directly on Cisco vEdge devices, without configuring a data policy, so that you can perform traffic flow monitoring on traffic coming to the router from all VPNs in the LAN. To do this, configure cflowd visiblity on the device:

Device(config)# policy flow-visibility

To monitor the applications, use the show app cflowd flows and show app cflowd statistics commands on the device.

Cflowd Traffic Flow Monitoring Configuration Example

This topic shows a straightforward example of configuring traffic flow monitoring.

Configuration Steps

You enable cflowd traffic monitoring with a centralized data policy, so all configuration is done on a Cisco vSmart Controller. The following example procedure monitors all TCP traffic, sending it to a single collector:

Create a cflowd template to define the location of the collector and to modify cflowd timers:

vsmart(config)# policy cflowd-template test-cflowd-template
vsmart(config-cflowd-template-test-cflowd-template)# collector vpn 1 address 172.16.155.15 port 13322 transport transport_udp
vsmart(config-cflowd-template-test-cflowd-template)# flow-inactive-timeout 60
vsmart(config-cflowd-template-test-cflowd-template)# template-refresh 90

Create a list of VPNs whose traffic you want to monitor:
```
vsmart(config)# policy lists vpn-list vpn_1 vpn 1
```
Create a list of sites to apply the data policy to:
```
vsmart(config)# policy lists site-list cflowd-sites site-id 400,500,600
```

Configure the data policy itself:

vsmart(config)# policy data-policy test-cflowd-policy
vsmart(config-data-policy-test-cflowd-policy)# vpn-list vpn_1
vsmart(config-vpn-list-vpn_1)# sequence 1
vsmart(config-sequence-1)# match protocol 6
vsmart(config-match)# exit
vsmart(config-sequence-1)# action accept cflowd
vsmart(config-action)# exit
vsmart(config-sequence-1)# exit
vsmart(config-vpn-list-vpn_1)# default-action accept

Apply the policy and the cflowd template to sites in the overlay network:

vsmart(config)# apply-policy site-list cflowd-sites data-policy test-cflowd-policy
Device(config-site-list-cflowd-sites)# cflowd-template test-cflowd-template

Activate the data policy:

vsmart(config-site-list-cflowd-sites)# validate
Validation complete
vsmart(config-site-list-cflowd-sites)# commit
Commit complete.
vsmart(config-site-list-cflowd-sites)# exit configuration-mode

Full Example Configuration

Here is what the full example cflowd configuration looks like:

vsmart(config)# show configuration
apply-policy
 site-list cflowd-sites
  data-policy     test-cflowd-policy
  cflowd-template test-cflowd-template
 !
!
policy
 data-policy test-cflowd-policy
  vpn-list vpn_1
   sequence 1
    match
     protocol 6
    !
    action accept
     cflowd
    !
   !
   default-action accept
  !
 !
 cflowd-template test-cflowd-template
  flow-inactive-timeout 60
  template-refresh      90
  collector vpn 1 address 192.0.2.1 port 13322 transport transport_udp
 !
 lists
  vpn-list vpn_1
   vpn 1
  !
  site-list cflowd-sites
   site-id 400,500,600
  !
 !
!

Check the Cflowd Configuration

After you activate the cflowd configuration on the Cisco vSmart Controller, you can check it with the show running-config policy and show running-config apply-policy commands on the Cisco vSmart Controller. In addition, the configuration is immediately pushed down to the Cisco vEdge devices at the affected sites.

Check the Flows

On the Cisco vEdge devices affected by the cflowd data policy, various commands let you check the status of the cflowd flows.

To display information about the flows themselves.

vEdge# show app cflowd flows       
                                                            TCP                                                                                        TIME    
                                 SRC    DEST         IP     CNTRL  ICMP             EGRESS  INGRESS  TOTAL  TOTAL  MIN  MAX                            TO      
VPN  SRC IP       DEST IP        PORT   PORT   DSCP  PROTO  BITS   OPCODE  NHOP IP  INTF    INTF     PKTS   BYTES  LEN  LEN  START TIME                EXPIRE  
---------------------------------------------------------------------------------------------------------------------------------------------------------------
1    10.20.24.15  172.16.155.15  46772  13322  0     6      2      0       0.0.0.0  0       0        1      78     78   78   Wed Nov 19 12:31:45 2014  3       
1    10.20.24.15  172.16.155.15  46773  13322  0     6      2      0       0.0.0.0  0       0        1      78     78   78   Wed Nov 19 12:31:50 2014  8       
1    10.20.24.15  172.16.155.15  46774  13322  0     6      2      0       0.0.0.0  0       0        1      78     78   78   Wed Nov 19 12:31:55 2014  13      
1    10.20.24.15  172.16.155.15  46775  13322  0     6      2      0       0.0.0.0  0       0        1      78     78   78   Wed Nov 19 12:32:00 2014  18      
1    10.20.24.15  172.16.155.15  46776  13322  0     6      2      0       0.0.0.0  0       0        1      78     78   78   Wed Nov 19 12:32:05 2014  23      
1    10.20.24.15  172.16.155.15  46777  13322  0     6      2      0       0.0.0.0  0       0        1      78     78   78   Wed Nov 19 12:32:10 2014  28      
1    10.20.24.15  172.16.155.15  46778  13322  0     6      2      0       0.0.0.0  0       0        1      78     78   78   Wed Nov 19 12:32:15 2014  33      
1    10.20.24.15  172.16.155.15  46779  13322  0     6      2      0       0.0.0.0  0       0        1      78     78   78   Wed Nov 19 12:32:19 2014  38      
1    10.20.24.15  172.16.155.15  46780  13322  0     6      2      0       0.0.0.0  0       0        1      78     78   78   Wed Nov 19 12:32:25 2014  43      
1    10.20.24.15  172.16.155.15  46781  13322  0     6      2      0       0.0.0.0  0       0        1      78     78   78   Wed Nov 19 12:32:30 2014  48      
1    10.20.24.15  172.16.155.15  46782  13322  0     6      2      0       0.0.0.0  0       0        1      78     78   78   Wed Nov 19 12:32:35 2014  53      
1    10.20.24.15  172.16.155.15  46783  13322  0     6      2      0       0.0.0.0  0       0        1      78     78   78   Wed Nov 19 12:32:40 2014  58

To quickly get a count of the number of flows.

vEdge# show app cflowd flow-count
VPN  count  
------------
1    12

To display flow statistics.

vEdge# show app cflowd statistics 

      data_packets             :      0 
      template_packets         :      0 
      total-packets            :      0 
      flow-refresh             :      123 
      flow-ageout              :      117 
      flow-end-detected        :      0 
      flow-end-forced          :      0

The following commands show information about the cflowd collectors and the cflowd template information that is sent to the collector.

vEdge# show app cflowd collector 

VPN  COLLECTOR IP   COLLECTOR  CONNECTION            IPFIX    CONNECTION  TEMPLATE  DATA     
ID   ADDRESS        PORT       STATE       PROTOCOL  VERSION  RETRY       PACKETS   PACKETS  
---------------------------------------------------------------------------------------------
1    172.16.155.15  13322      false       TCP       10       133         0         0        

vEdge# show app cflowd template 
app cflowd template name test-cflowd-template
app cflowd template flow-active-timeout 30
app cflowd template flow-inactive-timeout 60
app cflowd template template-refresh 90

Policies Configuration Guide for vEdge Routers, Cisco SD-WAN Releases 19.1, 19.2, and 19.3

Book Title

Chapter Title

Results

Chapter: Traffic Flow Monitoring with Cflowd