TNSR can send UDP IP Flow Information Export (IPFIX, RFC 7011) data to an external flow collector. This allows the collector to track connections between hosts routing through TNSR and perform further actions such as connection logging or data analysis.
There are numerous open source and commercial collectors capable of accepting UDP IPFIX data. The settings on TNSR for IPFIX largely depend upon what the collector expects. Consult the collector documentation for details.
Data exported by IPFIX may be sensitive in nature. IPFIX does not perform authentication or encryption. Only transmit data across trusted network paths.
The first step is to configure the location of the collector to which TNSR will deliver IPFIX data, and how it delivers that data.
config-ipfix-exporter mode from
config mode using the
ipfix exporter <name> command where
<name> is a unique name for the
The dataplane only supports a single exporter instance at this time.
config-ipfix-exporter mode, the following commands are available:
- checksum (true|false)
Controls whether or not TNSR will calculate UDP checksums for IPFIX flow data.
- collector <ip4-addr> port <port>
Sets the IPv4 address and UDP port number to which TNSR will send IPFIX flow data. The default port is typically
4739but may vary depending upon settings in the collector.
- pmtu <mtu>
Sets an upper bound on the size of IPFIX packets between TNSR and the IPFIX collector. Must be within the range
- source <ip4-addr>
Sets an alternate IPv4 source address rather than selecting a source address automatically. Useful if, for example, the IPFIX collector or a firewall in between expects traffic to come from a specific address.
- template-interval <sec>
Sets the number of seconds after which TNSR will resend template data to the collector. IPFIX does not send the template with every data record to save on bandwidth consumption. Sending the template periodically allows the format of the data to change as needed, and to ensure the template data is received by the collector properly.
- vrf <vrf-name>
Restricts IPFIX data collection to a specific VRF.
The next step is to configure which types of IPFIX data TNSR will send to the collector.
Configuring IPFIX NAT Logging¶
TNSR is capable of sending NAT data via IPFIX so that a collector can log NAT translations. This allows the collector to observe the pre-NAT and post-NAT connection properties, such as IP addresses and ports.
This is useful for security reasons to track down abuse reports to an internal host, and it is also a legal requirement in certain environments.
config mode, the following commands configure IPFIX NAT logging:
tnsr(config)# nat ipfix logging enable tnsr(config)# nat ipfix logging domain <domain-id> tnsr(config)# nat ipfix logging src-port <src-port>
- nat ipfix logging enable
Enable IPFIX NAT logging
- nat ipfix logging domain <domain-id>
The IPFIX observation domain (integer,
1or higher) which uniquely identifies this TNSR instance to the collector. Should be unique per IPFIX device so the collector can differentiate the source of flow data. Default value is
- nat ipfix logging src-port <src-port>
The source port from which TNSR will send the IPFIX NAT logging data. Default value is
The dataplane only supports a single instance of IPFIX NAT logging (one domain, one source port).
Configuring IPFIX Traffic Logging¶
IPFIX can also monitor general traffic flows and export this information to a collector. This configuration must be completed in two parts, the Observation Point and the Selection Process.
The entries for these sections should be added in pairs, one of each type,
with each entry in the pair using the same name (e.g.
Configure IPFIX Observation Point¶
config-ipfix-obs-pt mode by issuing the command
observation-point <name> from
config-ipfix-obs-pt mode, the following commands are available:
- direction (both|egress|ingress)
The direction of traffic flows which IPFIX will monitor.
Monitor both directions of traffic.
Monitor traffic exiting the interface.
Monitor traffic entering the interface.
- interface <if-name>
The interface which IPFIX will monitor for traffic flows.
Configure IPFIX Selection Process¶
config-ipfix-sel-proc mode by issuing the command
selection-process <name>, using the same name as the corresponding observation
point, from within
config-ipfix-sel-proc mode, the following commands are
- selector (all|ipv4|ipv6)
Monitor all traffic.
Some IPFIX collectors may not support this selector.
Monitor only IPv4 traffic.
Monitor only IPv6 traffic.
This example exports IPFIX data and NAT logging to
198.51.100.7 from a
203.0.113.2 along with other settings expected by the collector.
It monitors the interface named WAN for all types of traffic in both directions.
tnsr(config)# ipfix exporter tnsr tnsr(config-ipfix-exporter)# collector 198.51.100.7 port 4739 tnsr(config-ipfix-exporter)# source 203.0.113.2 tnsr(config-ipfix-exporter)# template-interval 20 tnsr(config-ipfix-exporter)# checksum true tnsr(config-ipfix-exporter)# pmtu 1400 tnsr(config-ipfix-exporter)# exit tnsr(config)# ipfix observation-point tnsr tnsr(config-ipfix-obs-pt)# direction both tnsr(config-ipfix-obs-pt)# interface WAN tnsr(config-ipfix-obs-pt)# exit tnsr(config)# ipfix selection-process tnsr tnsr(config-ipfix-sel-proc)# selector ipv4 tnsr(config-ipfix-sel-proc)# exit tnsr(config)# nat ipfix logging domain 2 tnsr(config)# nat ipfix logging src-port 54321 tnsr(config)# nat ipfix logging enable tnsr(config)#