TNSR can send UDP IP Flow Information Export (IPFIX, RFC 7011) data to an external flow collector. This allows the collector to track connections between hosts routing through TNSR and perform further actions such as connection logging or data analysis.
There are numerous open source and commercial collectors capable of accepting UDP IPFIX data. The settings on TNSR for IPFIX largely depend upon what the collector expects. Consult the collector documentation for details.
Data exported by IPFIX may be sensitive in nature. IPFIX does not perform authentication or encryption. Only transmit data across trusted network paths.
The first step is to configure the location of the collector to which TNSR will deliver IPFIX data, and how it delivers that data.
Enter config-ipfix-exporter mode from config mode using the ipfix-exporter command. In config-ipfix-exporter mode, the following commands are available:
- checksum (true|false)
Controls whether or not TNSR will calculate UDP checksums for IPFIX flow data.
- collector <ip4-addr> port <port>
Sets the IPv4 address and UDP port number to which TNSR will send IPFIX flow data. The default port is typically 4739 but may vary depending upon settings in the collector.
- pmtu <mtu>
Sets an upper bound on the size of IPFIX packets between TNSR and the IPFIX collector. Must be within the range
- source <ip4-addr>
Sets an alternate IPv4 source address rather than selecting a source address automatically. Useful if, for example, the IPFIX collector or a firewall in between expects traffic to come from a specific address.
- template-interval <sec>
Sets the number of seconds after which TNSR will resend template data to the collector. IPFIX does not send the template with every data record to save on bandwidth consumption. Sending the template periodically allows the format of the data to change as needed, and to ensure the template data is received by the collector properly.
- vrf <vrf-name>
Restricts IPFIX data collection to a specific VRF.
The next step is to configure which types of IPFIX data TNSR will send to the collector.
Currently TNSR only supports IPFIX NAT Logging data. Future versions of TNSR will support additional types of IPFIX flow data.
Configuring IPFIX NAT Logging
TNSR is capable of sending NAT data via IPFIX so that a collector can log NAT translations. This allows the collector to observe the pre-NAT and post-NAT connection properties, such as IP addresses and ports.
This is useful for security purposes, such as tracing an abuse report back to the internal host responsible, and it is also a legal requirement in certain environments.
From config mode, the following commands configure IPFIX NAT logging:
tnsr(config)# nat ipfix logging enable
tnsr(config)# nat ipfix logging domain <domain-id>
tnsr(config)# nat ipfix logging src-port <src-port>
- nat ipfix logging enable
Enables IPFIX NAT logging.
- nat ipfix logging domain <domain-id>
The IPFIX observation domain (integer, 1 or higher) which uniquely identifies this TNSR instance to the collector. Should be unique per IPFIX device so the collector can differentiate the source of flow data. Default value is
- nat ipfix logging src-port <src-port>
The source port from which TNSR will send the IPFIX NAT logging data. Default value is
The dataplane only supports a single instance of IPFIX NAT logging (one domain, one source port).
This example exports IPFIX data and NAT logging to a collector at 198.51.100.7 from a source address of 203.0.113.2, along with other settings expected by the collector.
tnsr(config)# ipfix-exporter
tnsr(config-ipfix-exporter)# collector 198.51.100.7 port 4739
tnsr(config-ipfix-exporter)# source 203.0.113.2
tnsr(config-ipfix-exporter)# template-interval 20
tnsr(config-ipfix-exporter)# checksum true
tnsr(config-ipfix-exporter)# pmtu 1400
tnsr(config-ipfix-exporter)# exit
tnsr(config)# nat ipfix logging domain 2
tnsr(config)# nat ipfix logging src-port 54321
tnsr(config)# nat ipfix logging enable
tnsr(config)#
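As an added illustration of what the collector side does with the observation domain and the periodically resent templates described above (example code, not part of the TNSR documentation), this Python parser decodes an RFC 7011 message header, caches templates per observation domain ID, and decodes a constructed NAT logging data record. The element IDs and template layout are assumptions, since the page does not state TNSR's actual template; only IANA elements without enterprise numbers are handled.

```python
import struct
from ipaddress import IPv4Address

# Assumed IANA element IDs for a NAT logging template (constructed sample: the
# page does not specify TNSR's actual template layout).
IE_NAMES = {8: "sourceIPv4Address", 7: "sourceTransportPort",
            225: "postNATSourceIPv4Address", 227: "postNAPTSourceTransportPort"}
SAMPLE_TEMPLATE = [(8, 4), (7, 2), (225, 4), (227, 2)]   # (element id, length)

def decode_field(ie_id, raw):
    return str(IPv4Address(raw)) if ie_id in (8, 225) else int.from_bytes(raw, "big")

def parse_ipfix(msg, templates):
    """Parse one IPFIX message (RFC 7011). Templates are cached per observation
    domain ID, which is why each exporter needs a unique domain at the collector."""
    version, length, _export_time, seq, domain = struct.unpack("!HHIII", msg[:16])
    if version != 10 or length != len(msg):
        raise ValueError("not a complete IPFIX version 10 message")
    records, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("malformed set length")
        body, off = msg[off + 4:off + set_len], off + set_len
        if set_id == 2:                                   # Template Set
            tid, count = struct.unpack("!HH", body[:4])
            templates[(domain, tid)] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i])
                                        for i in range(count)]
        elif set_id >= 256:                               # Data Set
            fields = templates.get((domain, set_id))
            if fields is None:      # template not seen yet: wait for the periodic resend
                continue
            rec_len, pos = sum(n for _, n in fields), 0
            while pos + rec_len <= len(body):
                rec = {}
                for ie_id, n in fields:
                    rec[IE_NAMES.get(ie_id, ie_id)] = decode_field(ie_id, body[pos:pos + n])
                    pos += n
                records.append(rec)
    return domain, seq, records

def build_sample_message(domain=2, with_template=True):
    """Constructed IPFIX message: optional Template Set (ID 256) plus one NAT record."""
    tmpl = struct.pack("!HH", 256, len(SAMPLE_TEMPLATE))
    tmpl += b"".join(struct.pack("!HH", i, n) for i, n in SAMPLE_TEMPLATE)
    rec = (IPv4Address("10.0.0.5").packed + struct.pack("!H", 51000)
           + IPv4Address("203.0.113.2").packed + struct.pack("!H", 40001))
    sets = struct.pack("!HH", 256, 4 + len(rec)) + rec
    if with_template:
        sets = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + sets
    return struct.pack("!HHIII", 10, 16 + len(sets), 1700000000, 1, domain) + sets
```

A data set that arrives before its template is silently skipped rather than misdecoded, which is the gap the template-interval resend closes.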