IP Flow Information Export

Overview

In OcNOS, the Internet Protocol Flow Information Export (IPFIX) Exporter enables real-time traffic analysis. It achieves this through sampling, which involves selecting a subset of network traffic and exports flow records containing detailed information about the sampled traffic flows. It enables network operators to gain valuable insights into network traffic patterns and behaviors.

IPFIX Exporter Characteristics

The OcNOS router equipped with IPFIX Exporter functionality within the network infrastructure identifies the customer domain (Observation ID), samples ingress traffic, and generates IPFIX flow records. These flow records are transmitted to a designated collector node for further analysis.

Achieves efficient flow record management and export on the Jericho2Closed Broadcom DNX Jericho2, a network routing chipset. (Broadcom DNX) platform by leveraging hardware acceleration support and utilizing Application Specific Integrated Circuit (ASICClosed Application Specific Integrated Circuit) capabilities, such as the Eventor block. ASIC ensures optimized performance and functionality at the hardware level.

The IPFIX exporter performs three core functions:

  1. Selecting flows for sampling
  2. Maintaining flow records
  3. Exporting flow records

The following diagram illustrates the flow of network (ingress) traffic data in an IPFIX-enabled environment.

Figure 54. IPFIX Exporter

Here’s a breakdown of the process steps:

Packet Capture: Capture network traffic data by the IPFIX Exporter (OcNOS Router) from various sources within the network.

Flow Selection for Sampling: IPFIX enables administrators to selectively sample specific network flows, allowing targeted traffic monitoring based on predefined criteria.

IPFIX supports ingress sampling and only one IPv4 template format.

Maintain Records: IPFIX Exporter maintains detailed flow records using hardware-accelerated functions. These records include comprehensive information such as IPv4 traffic details, source and destination addresses, port numbers, protocol specifics, and timestamps.

Export Records: The IPFIX Exporter aggregates and packages the flow records into IPFIX packets. These packets are then exported to configured collector nodes for centralized traffic analysis and management.

The IPFIX Exporter aggregates and packages flow records into IPFIX packets, which it then exports to configured collector nodes for centralized traffic analysis and management.

Transmission: The IPFIX Exporter sends packets to the designated collector device connected through the in-band network using the default UDPClosed User Datagram Protocol port number 4739. The collector IP address must be configured, and the port number is optional. If the port number is not specified, it defaults to 4739.

Collector: Collector nodes receive the IPFIX packets and parse the flow records for further analysis and interpretation

OcNOS does not include an IPFIX Collector.

Analyzer: Specialized software or tools analyze the collected flow records to gain insights into network traffic patterns and behaviors.

Limitations

  • IPFIX does not support validating route reachability to collector nodes.
  • IPFIX does not support sampling of sub-interfaces, LAGClosed Link Aggregation Group, and SVIClosed Switched Virtual Interface interfaces.
  • Hardware limitations cause disruptions lasting approximately twelve seconds when changes are made to samples-per-message.
  • The hardware-profile filter command is not integrated with IPFIX. IPFIX allocates its TCAM resources upon configuration of the first IPFIX monitored interface and releases them when the last IPFIX monitored interface is removed. The key size for IPFIX is 320 bits.

Benefits

The IPFIX Exporter has the following benefits:

  • Enhanced Network Visibility: IPFIX provides detailed insights into network traffic, enabling network operators to identify and address issues promptly.
  • Efficient Network Management: By collecting and exporting flow records, IPFIX streamlines network management tasks, allowing for more effective monitoring and troubleshooting.
  • Optimized Resource Utilization: With targeted flow sampling and detailed flow records, IPFIX helps optimize resource utilization by focusing monitoring efforts on specific network segments or traffic types.

Prerequisites

  • Before enabling IPFIX, check if any hardware-profile filter entries are enabled. If any entries with a key size less than 320 bits are enabled, it is recommended to first disable them. Then, configure the first IPFIX monitored interface, and finally, re-enable the existing entries. This ensures optimal allocation of TCAM resources. If a CRITICAL error message indicating No resources for operation appears when enabling IPFIX or re-enabling the existing entries, then all these features cannot be enabled simultaneously. Consider disabling other hardware filter entries. For example, on VXLAN Spine nodes, disable the vxlan filter to free up TCAM resources.
  • Before configuring the IPFIX objects, enable the hardware-profile statistics cfm-lm enable filter statistics loss-measurement command in hardware. This action ensures that the necessary hardware functionality is enabled for seamless integration with the IPFIX configuration. It also ensures IPFIX counters are unused by other modules.

  • Assign the IP address of a source and ingress interface configured on the exporter device.

    The following show running output illustrates enabling hardware statistics loss-measurement and assigning the IP address to the required interfaces.

    Copy 
    hardware-profile statistics cfm-lm enable
    !
    interface xe4
     ip address 198.51.100.4/24
    !
    interface xe5
     ip address 192.0.2.88/24
    !

 

  • The maximum number of unique sampling rates supported by IPFIX Exporter depends on the availability of free mirroring profiles in the ASIC.
  • Various features like SFLOW, SNIFF, and Mirror utilize each mirroring profile. Qumran-2A series platform supports a maximum of 32 mirror profiles. For every sampling rate configuration, even if it matches an existing rate on another interface, it requires a new mirror-profile. Therefore, the number of ports that can be enabled with IPFIX is limited by the number of mirror-port profiles available in the system.
  • The IPFIX Exporter sends template record format to the collector over the in-band, and the ASIC sends data records over the in-band.