IPFIX Exporter¶
TNSR can send UDP IP Flow Information Export (IPFIX, RFC 7011) data to an external flow collector. This allows the collector to track connections between hosts routing through TNSR and perform further actions such as connection logging or data analysis.
Note
There are numerous open source and commercial collectors capable of accepting UDP IPFIX data. The settings on TNSR for IPFIX largely depend upon what the collector expects. Consult the collector documentation for details.
Warning
Data exported by IPFIX may be sensitive in nature. IPFIX does not perform authentication or encryption. Only transmit data across trusted network paths.
Configuring IPFIX¶
The first step is to configure the location of the collector to which TNSR will deliver IPFIX data, and how it delivers that data.
Enter config-ipfix-exporter mode from config mode using the
ipfix exporter <name> command where <name> is a unique name for the
exporter instance.
Note
The dataplane only supports a single exporter instance at this time.
Inside config-ipfix-exporter mode, the following commands are available:
- checksum (true|false)
Controls whether or not TNSR will calculate UDP checksums for IPFIX flow data.
- collector <ip4-addr> port <port>
Sets the IPv4 address and UDP port number to which TNSR will send IPFIX flow data. The default port is typically
4739but may vary depending upon settings in the collector.- pmtu <mtu>
Sets an upper bound on the size of IPFIX packets between TNSR and the IPFIX collector. Must be within the range
68-1450.- source <ip4-addr>
Sets an alternate IPv4 source address rather than selecting a source address automatically. Useful if, for example, the IPFIX collector or a firewall in between expects traffic to come from a specific address.
- template-interval <sec>
Sets the number of seconds after which TNSR will resend template data to the collector. IPFIX does not send the template with every data record to save on bandwidth consumption. Sending the template periodically allows the format of the data to change as needed, and to ensure the template data is received by the collector properly.
- vrf <vrf-name>
Restricts IPFIX data collection to a specific VRF.
The next step is to configure which types of IPFIX data TNSR will send to the collector.
Configuring IPFIX NAT Logging¶
TNSR is capable of sending NAT data via IPFIX so that a collector can log NAT translations. This allows the collector to observe the pre-NAT and post-NAT connection properties, such as IP addresses and ports.
This is useful for security reasons to track down abuse reports to an internal host, and it is also a legal requirement in certain environments.
In config mode, the following commands configure IPFIX NAT logging:
tnsr(config)# nat ipfix logging enable
tnsr(config)# nat ipfix logging domain <domain-id>
tnsr(config)# nat ipfix logging src-port <src-port>
- nat ipfix logging enable
Enable IPFIX NAT logging
- nat ipfix logging domain <domain-id>
The IPFIX observation domain (integer,
1or higher) which uniquely identifies this TNSR instance to the collector. Should be unique per IPFIX device so the collector can differentiate the source of flow data. Default value is1.- nat ipfix logging src-port <src-port>
The source port from which TNSR will send the IPFIX NAT logging data. Default value is
4739.
Note
The dataplane only supports a single instance of IPFIX NAT logging (one domain, one source port).
Configuring IPFIX Traffic Logging¶
IPFIX can also monitor general traffic flows and export this information to a collector. This configuration must be completed in two parts, the Observation Point and the Selection Process.
Note
The entries for these sections should be added in pairs, one of each type,
with each entry in the pair using the same name (e.g. tnsr).
Configure IPFIX Observation Point¶
Enter config-ipfix-obs-pt mode by issuing the command ipfix
observation-point <name> from config mode.
From within config-ipfix-obs-pt mode, the following commands are available:
- direction (both|egress|ingress)
The direction of traffic flows which IPFIX will monitor.
- both
Monitor both directions of traffic.
- egress
Monitor traffic exiting the interface.
- ingress
Monitor traffic entering the interface.
- interface <if-name>
The interface which IPFIX will monitor for traffic flows.
Configure IPFIX Selection Process¶
Enter config-ipfix-sel-proc mode by issuing the command ipfix
selection-process <name>, using the same name as the corresponding observation
point, from within config mode.
From within config-ipfix-sel-proc mode, the following commands are
available:
- selector (all|ipv4|ipv6)
- all
Monitor everything including non-IP traffic. Uses multiple templates depending upon the type of traffic in a flow.
- ipv4
Monitor only IPv4 traffic.
- ipv6
Monitor only IPv6 traffic.
Configuring IPFIX Cache¶
The cache behavior for IPFIX flows can also be fine-tuned. For example, collectors may prefer to receive flows more/less often or changes in templates may need to happen more frequently.
To adjust cache paramters, enter config-ipfix-cache mode by issuing the
command ipfix cache <name> from config mode.
From within config-ipfix-cache mode, the following commands are available:
- timeout-cache active-timeout <seconds>
This parameter configures the time in seconds after which TNSR will expire an IPFIX flow even though packets matching this flow are still being actively received by the cache.
The default value is
15seconds. The value must be greater than0.- timeout-cache idle-timeout <seconds>
This parameter configures the time in seconds after which TNSR will expire an IPFIX flow if no more packets matching this flow are received by the cache.
The default value is
120seconds. The value must be greater than the value ofactive-timeout.
IPFIX Example¶
This example exports IPFIX data and NAT logging to 198.51.100.7 from a
source of 203.0.113.2 along with other settings expected by the collector.
It monitors the interface named WAN for all types of traffic in both directions.
tnsr(config)# ipfix exporter tnsr
tnsr(config-ipfix-exporter)# collector 198.51.100.7 port 4739
tnsr(config-ipfix-exporter)# source 203.0.113.2
tnsr(config-ipfix-exporter)# template-interval 20
tnsr(config-ipfix-exporter)# checksum true
tnsr(config-ipfix-exporter)# pmtu 1400
tnsr(config-ipfix-exporter)# exit
tnsr(config)# ipfix observation-point tnsr
tnsr(config-ipfix-obs-pt)# direction both
tnsr(config-ipfix-obs-pt)# interface WAN
tnsr(config-ipfix-obs-pt)# exit
tnsr(config)# ipfix selection-process tnsr
tnsr(config-ipfix-sel-proc)# selector ipv4
tnsr(config-ipfix-sel-proc)# exit
tnsr(config)# nat ipfix logging domain 2
tnsr(config)# nat ipfix logging src-port 54321
tnsr(config)# nat ipfix logging enable
tnsr(config)#
IPFIX Template Reference¶
The following table contains a list of possible IPFIX template fields and the templates in which they are included.
The templates vary by selector and are:
Selector
ipv4Template 1 for IPv4 flows
Selector
ipv6Template 1 for IPv6 flows
Selector
allTemplate 1 for Non-IP flows
Template 2 for IPv4 flows
Template 3 for IPv6 flows
Field Name |
Selector |
||
|---|---|---|---|
IPv4 |
IPv6 |
All |
|
|
1 |
2 |
|
|
1 |
3 |
|
|
1, 2, 3 |
||
|
1 |
1 |
2, 3 |
|
1 |
1 |
1, 2, 3 |
|
1, 2, 3 |
||
|
1 |
1 |
1, 2, 3 |
|
1 |
1 |
1, 2, 3 |
|
1 |
1 |
1, 2, 3 |
|
1 |
1 |
1, 2, 3 |
|
1 |
1 |
2, 3 |
|
1 |
1 |
1, 2, 3 |
|
1 |
1 |
2, 3 |
|
1 |
2 |
|
|
1 |
3 |
|
|
1, 2, 3 |
||
|
1 |
1 |
2, 3 |
|
1 |
1 |
2, 3 |
Footnotes
- 1
When TNSR exports inbound flows via IPFIX the
egressInterfaceis not valid. The egress interface cannot be known at the time the flow data is recorded because the routing lookup has not yet occurred. At this point,egressInterfaceis uninitialized and its value is set as the maximum value of a 32-bit unsigned integer (0xffffffffhex,4294967295decimal).