Configure cflowd

You can collect an aggregate of sampled flows and send the aggregate to a specified host that runs the cflowd application available from CAIDA (http://www.caida.org). Before you can perform flow aggregation, the routing protocol process must export the AS path and routing information to the sampling process. To do this, include the route-record statement at the [edit routing-options] hierarchy level (for routing instances, include the statement at the [edit routing-instances routing-instance-name routing-options] hierarchy level:

[edit]

routing-options {

    route-record;

}

By default, flow aggregation is disabled.

By using cflowd, you can obtain various types of byte and packet counts of flows through a router. The cflowd application collects the sampled flows over a period of 1 minute. At the end of the minute, the number of samples to be exported are divided over the period of another minute and are exported over the course of the same minute.

To enable the collection of cflowd flow formats, include the cflowd statement at the [edit forwarding-options sampling output] or [edit forwarding-options accounting name output cflowd hostname] hierarchy level:

cflowd hostname {

    aggregation {

        autonomous-system;

        destination-prefix;

        protocol-port;

        source-destination-prefix {

            caida-compliant;

        }

        source-prefix;

    }

    autonomous-system-type (origin | peer);

    (local-dump | no-local-dump);

    port port-number;

    version format;

}

You can also configure cflowd version 5 for flow-monitoring applications by including the cflowd statement at the [edit forwarding-options monitoring name family inet output] hierarchy level:

cflowd hostname {

    port port-number;

}

The following restrictions apply to cflowd flow formats:

• You can configure up to one version 5 and one version 8 flow format at the [edit forwarding-options accounting name output] hierarchy level.
• You can configure only one version 5 or one version 8 flow format at the [edit forwarding-options sampling output] hierarchy level for Routing Engine-based sampling. In contrast, PIC-based sampling allows you to specify one cflowd version 5 server and one version 8 server simultaneously. However, the two cflowd servers must have different IP addresses.
• You can configure up to eight version 5 flow formats at the [edit forwarding-options monitoring name output] hierarchy level. Version 8 flow formats and aggregation are not supported for flow-monitoring applications.

In the cflowd statement, specify the name or identifier of the host that collects the flow aggregates. You must also include the UDP port number on the host and the version, which gives the format of the exported cflowd aggregates. To collect cflowd records in a log file before exporting, include the local-dump statement.

NOTE: You can specify both host (cflowd) sampling and port mirroring in the same configuration; however, only one action takes effect at any one time. Port mirroring takes precedence. For more information, see Configure Port Mirroring.

For cflowd version 8 only, you can specify aggregation of specific types of traffic by including the aggregation statement. This conserves memory and bandwidth by enabling cflowd to export targeted flows rather than all aggregated traffic. To specify a flow type, include the aggregation statement at the [edit forwarding-options sampling output cflowd hostname] or [edit forwarding-options accounting name output cflowd hostname] hierarchy level:

aggregation {

    autonomous-system;

    destination-prefix;

    protocol-port;

    source-destination-prefix {

        caida-compliant;

    }

    source-prefix;

}

The autonomous-system statement configures aggregation by the autonomous system (AS) number; this statement might require setting the separate cflowd autonomous-system-type statement to include either origin or peer AS numbers. The origin option specifies to use the origin AS of the packet source address in the Source Autonomous System cflowd field. The peer option specifies to use the peer AS through which the packet passed in the Source Autonomous System cflowd field. By default, cflowd exports the origin AS number.

The destination-prefix statement configures aggregation by the destination prefix (only).

The protocol-port statement configures aggregation by the protocol and port number; requires setting the separate cflowd port statement.

The source-destination-prefix statement configures aggregation by the source and destination prefix. Version 2.1b1 of CAIDA's cflowd application does not record source and destination mask length values in compliance with CAIDA's cflowd Configuration Guide, dated August 30, 1999. If you configure the caida-compliant statement, the JUNOS software complies with Version 2.1b1 of cflowd. If you do not include the caida-compliant statement in the configuration, the JUNOS software records source and destination mask length values in compliance with the cflowd Configuration Guide.

The source-prefix statement configures aggregation by the source prefix (only).

Collection of sampled packets in a local ASCII file is not affected by the cflowd statement.

Debug cflowd Flow Aggregation

To collect the cflowd flows in a log file before they are exported, include the local-dump statement at the [edit forwarding-options sampling output cflowd hostname] hierarchy level:

[edit forwarding-options sampling output cflowd hostname] 

local-dump;

By default, the flows are collected in /var/log/sampled; to change the filename, include the filename statement at the [edit forwarding-options sampling traceoptions] hierarchy level. For more information about changing the filename, see Configure Traffic Sampling Output.

NOTE: Because the local-dump statement adds extra overhead, you should use it only while debugging cflowd problems, not during normal operation.

The following is an example of the flow information. The AS number exported is the origin AS number. All flows that belong under a cflowd header are dumped, followed by the header itself:

Jun 27 18:35:43 v5 flow entry

Jun 27 18:35:43    Src addr: 192.53.127.1 

Jun 27 18:35:43    Dst addr: 192.6.255.15 

Jun 27 18:35:43    Nhop addr: 192.6.255.240 

Jun 27 18:35:43    Input interface: 5

Jun 27 18:35:43    Output interface: 3

Jun 27 18:35:43    Pkts in flow: 15

Jun 27 18:35:43    Bytes in flow: 600 

Jun 27 18:35:43    Start time of flow: 7230 

Jun 27 18:35:43    End time of flow: 7271 

Jun 27 18:35:43    Src port: 26629 

Jun 27 18:35:43    Dst port: 179 

Jun 27 18:35:43    TCP flags: 0x10 

Jun 27 18:35:43    IP proto num: 6 

Jun 27 18:35:43    TOS: 0xc0 

Jun 27 18:35:43    Src AS: 7018

Jun 27 18:35:43    Dst AS: 11111

Jun 27 18:35:43    Src netmask len: 16

Jun 27 18:35:43    Dst netmask len: 0

[... 41 more version 5 flow entries; then the following header:]

Jun 27 18:35:43 cflowd header:

Jun 27 18:35:43   Num-records: 42

Jun 27 18:35:43   Version: 5

Jun 27 18:35:43   Flow seq num: 118

Jun 27 18:35:43   Engine id: 0

Jun 27 18:35:43   Engine type: 3