dokucama

This is an old revision of the document!

---

FLOW INFORMATION

• SFlow UDP-6343
• Netflow (v5, v9) UDP-2055 or UDP-9996
  • IPFIX

Neflow vanilla configuration CSR1000v

flow exporter Flow-exporter
 destination 10.10.11.143
 source GigabitEthernet1
 transport udp 9995
 template timeout 180    # every 3 minutes the router sends 'options template' which includes the sampler rate. This allows 'embedded sampling' to be requested by collector
 template data timeout 180    # 'data' and 'options'. the lack of templates just means it takes X minutes until collector can decode netflow from initial start of collecting process
 template options timeout 180
 option sampler-table timeout 60
!
flow monitor Flow-monitor
 exporter Flow-exporter
 cache timeout active 60
 cache timeout active 5
 record netflow-original   # record netflow ipv4 original-input
!
sampler Flow-sampler
 mode random 1 out-of 50
!
interface GigabitEthernet3
 ip flow monitor Flow-monitor sampler Flow-sampler input
 

Netflow in ubuntu or FRR:

FRR01:~# systemctl status pmacctd.service
● pmacctd.service - promiscuous mode accounting daemon
   Loaded: loaded (/lib/systemd/system/pmacctd.service; enabled; vendor preset: enabled)
  Process: 530 ExecStart=/usr/sbin/pmacctd -f ${PMACCTD_CONF} $DAEMON_OPTS (code=exited, status=0/SUCCESS)
 Main PID: 546 (pmacctd)
   CGroup: /system.slice/pmacctd.service
           ├─546 pmacctd: Core Process [default]
           └─548 pmacctd: Netflow Probe Plugin [ens20]

root@Router-FRR01:~# cat /lib/systemd/system/pmacctd.service
[Unit]
Description=promiscuous mode accounting daemon
After=network.target

[Service]
Type=forking
EnvironmentFile=-/etc/default/pmacctd
ExecStart=/usr/sbin/pmacctd -f ${PMACCTD_CONF} $DAEMON_OPTS
cat /etc/pmacct/pmacctd.conf
daemonize: true
interface: ens20
aggregate: src_host, dst_host, src_port, dst_port, proto, tos
plugins: nfprobe[ens20]
nfprobe_receiver: 10.100.10.142:9995
nfprobe_version: 9
nfprobe_direction[ens20]: tag
nfprobe_ifindex[ens20]: tag2
pre_tag_map: /etc/pmacct/pretag.map
timestamps_secs: true

---

SFLOW
SFLOW IN LINUX / FRR:
USE 'HOST SFLOW' PROJECT: https://sflow.net/documentation.php

# Example of working config in /etc/hsflowd.conf : polling every 20 sec, sampling 1:100, collecting data from interface ens4
sflow {
  polling = 20
  sampling = 100
  collector { ip=10.100.11.143 udpport=6343 }
  pcap { dev = ens4 }
  nflog { group = 5  probability = 0.01 }
}

# Then we need to issue this commandsL:
NFLOG_CONFIG="--nflog-group 5 --nflog-prefix SFLOW"
echo 1 > /proc/sys/net/ipv4/ip_forward  # Enable IP forwaring in the linux box 
MOD_STATISTIC="-m statistic --mode random --probability 0.0025"    # This is for a sampling rato of 100, needs to match with what we configure in /etc/hsflowd.conf
NFLOG_CONFIG="--nflog-group 5 --nflog-prefix SFLOW"
sudo iptables -I INPUT -j NFLOG $MOD_STATISTIC $NFLOG_CONFIG
sudo iptables -I OUTPUT -j NFLOG $MOD_STATISTIC $NFLOG_CONFIG

# Ad restart:
sudo systemctl enable hsflowd
service hsflowd start

# If issues
service hsflowd start
hsflowd -dd

Also see:

• https://groups.google.com/g/sflow/c/990vzm2g16c
• https://github.com/sflow/host-sflow/issues/38
• Cumulus_tshoot
• Tutu1

In Arista:

# example: Arista Networks DCS-7060CX-32S: Hardware Sample Rate for SW sFlow: 4096 / Polling Interval (sec): 2.0 (default).

sflow run
sflow interface disable default
int e2
ip address 10.100.11.129/24
description to-collector
int e1
ip add 192.168.0.1/24
description measurement
sflow enable
!
sflow destination 10.100.11.143 6343
sflow source 10.100.11.129
sflow source-interface e3
sflow polling-interval 30    # interval for sending counter data to the sFlow collector. The default interval is two seconds.
sflow sample 15    #  packet sampling rate. Packets are sampled at random intervals to avoid inaccurate sampling of periodic events.
sflow extension bgp    # Optional. routing agent will export the BGP routing table and autonomous system path information to the sFlow agent
!
show sflow detail