dokucama

User Tools

Site Tools

Trace: product_sunsetting sd-wan dnsmasq flow_information
network_stuff:flow_information

This is an old revision of the document!

FLOW INFORMATION

  • SFlow UDP-6343
  • Netflow (v5, v9) UDP-2055 or UDP-9996
    • IPFIX

Neflow vanilla configuration CSR1000v 

flow exporter Flow-exporter
 destination 10.10.11.143
 source GigabitEthernet1
 transport udp 9995
 template timeout 180    # every 3 minutes the router sends 'options template' which includes the sampler rate. This allows 'embedded sampling' to be requested by collector
 template data timeout 180    # 'data' and 'options'. the lack of templates just means it takes X minutes until collector can decode netflow from initial start of collecting process
 template options timeout 180
 option sampler-table timeout 60
!
flow monitor Flow-monitor
 exporter Flow-exporter
 cache timeout active 60
 cache timeout active 5
 record netflow-original   # record netflow ipv4 original-input
!
sampler Flow-sampler
 mode random 1 out-of 50
!
interface GigabitEthernet3
 ip flow monitor Flow-monitor sampler Flow-sampler input

Netflow in ubuntu or FRR: 

FRR01:~# systemctl status pmacctd.service
● pmacctd.service - promiscuous mode accounting daemon
   Loaded: loaded (/lib/systemd/system/pmacctd.service; enabled; vendor preset: enabled)
  Process: 530 ExecStart=/usr/sbin/pmacctd -f ${PMACCTD_CONF} $DAEMON_OPTS (code=exited, status=0/SUCCESS)
 Main PID: 546 (pmacctd)
   CGroup: /system.slice/pmacctd.service
           ├─546 pmacctd: Core Process [default]
           └─548 pmacctd: Netflow Probe Plugin [ens20]

root@Router-FRR01:~# cat /lib/systemd/system/pmacctd.service
[Unit]
Description=promiscuous mode accounting daemon
After=network.target

[Service]
Type=forking
EnvironmentFile=-/etc/default/pmacctd
ExecStart=/usr/sbin/pmacctd -f ${PMACCTD_CONF} $DAEMON_OPTS
cat /etc/pmacct/pmacctd.conf
daemonize: true
interface: ens20
aggregate: src_host, dst_host, src_port, dst_port, proto, tos
plugins: nfprobe[ens20]
nfprobe_receiver: 10.100.10.142:9995
nfprobe_version: 9
nfprobe_direction[ens20]: tag
nfprobe_ifindex[ens20]: tag2
pre_tag_map: /etc/pmacct/pretag.map
timestamps_secs: true

SFLOW

  • sampled frames + interface counter + flow-tuple data. All in the same packet
  • sflow is configurable via SNMP mibs
  • Flow sample (conceptually one in each sflow packet but in reality we pack more than 1). It lists things like: ingress egress. ifindex and sampling rate
    • Flow record


SFLOW IN LINUX / FRR:
USE 'HOST SFLOW' PROJECT: https://sflow.net/documentation.php 

# Example of working config in /etc/hsflowd.conf : polling every 20 sec, sampling 1:100, collecting data from interface ens4
sflow {
  polling = 20
  sampling = 100
  collector { ip=10.100.11.143 udpport=6343 }
  pcap { dev = ens4 }
  nflog { group = 5  probability = 0.01 }
}

# Then we need to issue this commandsL:
NFLOG_CONFIG="--nflog-group 5 --nflog-prefix SFLOW"
echo 1 > /proc/sys/net/ipv4/ip_forward  # Enable IP forwaring in the linux box 
MOD_STATISTIC="-m statistic --mode random --probability 0.0025"    # This is for a sampling rato of 100, needs to match with what we configure in /etc/hsflowd.conf
NFLOG_CONFIG="--nflog-group 5 --nflog-prefix SFLOW"
sudo iptables -I INPUT -j NFLOG $MOD_STATISTIC $NFLOG_CONFIG
sudo iptables -I OUTPUT -j NFLOG $MOD_STATISTIC $NFLOG_CONFIG

# Ad restart:
sudo systemctl enable hsflowd
service hsflowd start

# If issues
service hsflowd start
hsflowd -dd

Also see:



In Arista:

  • Arista Networks DCS-7060CX-32S: Hardware Sample Rate for SW sFlow: 4096 / Polling Interval (sec): 2.0 (default).
sflow run
sflow interface disable default
int e2
ip address 10.100.11.129/24
description to-collector
int e1
ip add 192.168.0.1/24
description measurement
sflow enable
!
sflow destination 10.100.11.143 6343
sflow source 10.100.11.129
sflow source-interface e3
sflow polling-interval 30    # interval for sending counter data to the sFlow collector. The default interval is two seconds.
sflow sample 15    #  packet sampling rate. Packets are sampled at random intervals to avoid inaccurate sampling of periodic events.
sflow extension bgp    # Optional. routing agent will export the BGP routing table and autonomous system path information to the sFlow agent
!
show sflow detail

In Junos 

set protocols sflow polling-interval 2 # interval for sending data to the collector
set protocols sflow sample-rate ingress 4096 # packet sampling rate. Packets are sampled at random intervals
set protocols sflow source-ip 1.1.1.1
set protocols sflow collector 2.2.2.2 udp-port 6343
set protocols sflow interfaces xe-0/0/0:0.0
ibr-0-0-1 protocols sflow
set protocols sflow agent-id 1.1.1.1
set protocols sflow polling-interval 1
set protocols sflow sample-rate ingress 1024
set protocols sflow source-ip 1.1.1.1
set protocols sflow collector 2.2.2.2 udp-port 6343
set protocols sflow interfaces xe-0/0/0:0.0

In Cisco (IOS-XR): https://blog.sflow.com/2022/02/cisco-ncs-5500-series-routers.html

network_stuff/flow_information.1692980722.txt.gz · Last modified: (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki