author | Robert Göhler <github@ghlr.de> | 2021-01-24 22:14:00 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-24 22:14:00 +0100 |
commit | c25c40dfa96dfeb022b203280c607c1f1835417b (patch) | |
tree | ed05f81d48c65639e621ee3a067f435cb204ea9e /docs/configuration/system/flow-accounting.rst | |
parent | ce9f2016218f0c162bd48457a41a18db15e52749 (diff) | |
Migrate new file structure to crux (#435)
* order workflows and add submodule
* rename gitmodules file
* delete docs/.gitignore
* add vyos custom linter
* correct __pycache__ in gitignore
* add test-coverage.py
* move draw.io folder
* arrange changelog, install history and about
* arrange: firewall
* arrange: highavailability
* arrange: loadbalancing
* arrange: nat
* arrange: services
* sort configexamples and configuration interfaces
* wireles: rename wireless
* rearrange: Protocols and Policy
* rearrange: Firewall and Zone Policy
* rearrange: Interfaces
* rearrange: Interfaces
* rearrange: dynamic DNS
* hostinfo: add page to index
* rearrange: appendix
* venv: add Pipfile
* rearrange: contributing
* index: remove debugging
* rearrange: fix all figure and refs
* rearrange: commandtree
* fix: cli, openvpn, install headline level
* protocols: change headline
* firewall: move mss clamping
* ip: separate ipv4 and ipv6
* arp: move to static page
* igmp: rename multicast page
* Update to year 2021
Diffstat (limited to 'docs/configuration/system/flow-accounting.rst')
-rw-r--r-- | docs/configuration/system/flow-accounting.rst | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/docs/configuration/system/flow-accounting.rst b/docs/configuration/system/flow-accounting.rst new file mode 100644 index 00000000..9c876001 --- /dev/null +++ b/docs/configuration/system/flow-accounting.rst 
@@ -0,0 +1,81 @@ +.. _flow-accounting: + +NetFlow is a feature that was introduced on Cisco routers around 1996 that +provides the ability to collect IP network traffic as it enters or exits an +interface. By analyzing the data provided by NetFlow, a network administrator +can determine things such as the source and destination of traffic, class of +service, and the causes of congestion. A typical flow monitoring setup (using +NetFlow) consists of three main components: + +* Flow exporter: aggregates packets into flows and exports flow records towards + one or more flow collectors +* Flow collector: responsible for reception, storage and pre-processing of flow + data received from a flow exporter +* Analysis application: analyzes received flow data in the context of intrusion + detection or traffic profiling, for example + +For connectionless protocols as like ICMP and UDP, a flow is considered complete +once no more packets for this flow appear after configurable timeout. + +NetFlow is usually enabled on a per-interface basis to limit load on the router +components involved in NetFlow, or to limit the amount of NetFlow records +exported. + +VyOS supports flow accounting through NetFlow (version 5, 9 and 10) or sFlow. + +Flow Accounting +--------------- + +In order for flow accounting information to be collected and displayed for an +interface, the interface must be configured for flow accounting. The following +example shows how to configure ``eth0`` and ``bond3`` for flow accounting. + +.. code-block:: none + + set system flow-accounting interface eth0 + set system flow-accounting interface bond3 + + +NetFlow is a protocol originating from Cisco Systems. It works on level3. +VyOS supports version 5, 9 and 10 (IPFIX - IP Flow Information Export) + +NetFlow v5 example: + +.. 
code-block:: none + + set system flow-accounting netflow engine-id 100 + set system flow-accounting netflow version 5 + set system flow-accounting netflow server 192.168.2.10 port 2055 + +Displaying Flow Accounting Information +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Once flow accounting is configured on an interfaces it provides the ability to +display captured network traffic information for all configured interfaces. + +The following op-mode command shows flow accounting for eth0. + +.. code-block:: none + + vyos@vyos:~$ show flow-accounting interface eth0 + flow-accounting for [eth0] + Src Addr Dst Addr Sport Dport Proto Packets Bytes Flows + 0.0.0.0 192.0.2.50 811 811 udp 7733 591576 0 + 0.0.0.0 192.0.2.50 811 811 udp 7669 586558 1 + 192.0.2.200 192.0.2.51 56188 22 tcp 586 36504 1 + 192.0.2.99 192.0.2.51 61636 161 udp 46 6313 4 + 192.0.2.99 192.0.2.51 61638 161 udp 42 5364 9 + 192.0.2.99 192.0.2.51 61640 161 udp 42 5111 3 + 192.0.2.200 192.0.2.51 54702 22 tcp 86 4432 1 + 192.0.2.99 192.0.2.51 62509 161 udp 24 3540 1 + 192.0.2.99 192.0.2.51 0 0 icmp 49 2989 8 + 192.0.2.99 192.0.2.51 54667 161 udp 18 2658 1 + 192.0.2.99 192.0.2.51 54996 161 udp 18 2622 1 + 192.0.2.99 192.0.2.51 63708 161 udp 18 2622 1 + 192.0.2.99 192.0.2.51 62111 161 udp 18 2622 1 + 192.0.2.99 192.0.2.51 61646 161 udp 16 1977 4 + 192.0.2.99 192.0.2.51 56038 161 udp 10 1256 1 + 192.0.2.99 192.0.2.51 55570 161 udp 6 1146 1 + 192.0.2.99 192.0.2.51 54599 161 udp 6 1134 1 + 192.0.2.99 192.0.2.51 56304 161 udp 8 1029 1 + |
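Review bot: The ".. _flow-accounting:" label at the top of the new file is followed directly by the NetFlow introduction paragraph, and the only heading, "Flow Accounting" underlined with "-", comes after the whole introduction, so the page opens without a title and the label does not sit in front of a section heading. Put the page title directly under the label and move the introduction beneath it. In the configuration part, "VyOS supports version 5, 9 and 10" repeats the earlier "VyOS supports flow accounting through NetFlow (version 5, 9 and 10) or sFlow", and only a NetFlow v5 example follows: sFlow and the "configurable timeout" from the introduction are mentioned but no command for either is shown, so add them or point to where they are documented. Wording to fix in the same pass: "as like ICMP and UDP", "after configurable timeout", "It works on level3" (layer 3), and "configured on an interfaces".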