1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
|
.. _flow-accounting:
###############
Flow Accounting
###############
VyOS supports flow-accounting for both IPv4 and IPv6 traffic. The system acts
as a flow exporter, and you are free to use it with any compatible collector.
Flows can be exported via two different protocols: NetFlow (versions 5, 9 and
10/IPFIX) and sFlow. Additionally, you may save flows to an in-memory table
internally in a router.
.. warning:: You need to disable the in-memory table in production environments!
Using :abbr:`IMT (In-Memory Table)` may lead to heavy CPU overloading and
unstable flow-accounting behavior.
NetFlow / IPFIX
===============
NetFlow is a feature that was introduced on Cisco routers around 1996 that
provides the ability to collect IP network traffic as it enters or exits an
interface. By analyzing the data provided by NetFlow, a network administrator
can determine things such as the source and destination of traffic, class of
service, and the causes of congestion. A typical flow monitoring setup (using
NetFlow) consists of three main components:
* **exporter**: aggregates packets into flows and exports flow records towards
one or more flow collectors
* **collector**: responsible for reception, storage and pre-processing of flow
data received from a flow exporter
* **application**: analyzes received flow data in the context of intrusion
detection or traffic profiling, for example
For connectionless protocols as like ICMP and UDP, a flow is considered
complete once no more packets for this flow appear after configurable timeout.
NetFlow is usually enabled on a per-interface basis to limit load on the router
components involved in NetFlow, or to limit the amount of NetFlow records
exported.
Configururation
===============
In order for flow accounting information to be collected and displayed for an
interface, the interface must be configured for flow accounting.
.. cfgcmd:: set system flow-accounting interface <interface>
Configure and enable collection of flow information for the interface
identified by `<interface>`.
You can configure multiple interfaces which whould participate in flow
accounting.
.. note:: Will be recorded only packets/flows on **incoming** direction in
configured interfaces.
By default, recorded flows will be saved internally and can be listed with the
CLI command. You may disable using the local in-memory table with the command:
.. cfgcmd:: set system flow-accounting disable-imt
Internally, in flow-accounting processes exist a buffer for data exchanging
between core process and plugins (each export target is a separated plugin).
If you have high traffic levels or noted some problems with missed records
or stopping exporting, you may try to increase a default buffer size (10
MiB) with the next command:
.. cfgcmd:: set system flow-accounting buffer-size <buffer size>
In case, if you need to catch some logs from flow-accounting daemon, you may
configure logging facility:
.. cfgcmd:: set system flow-accounting syslog-facility <facility>
TBD
Flow Export
-----------
In addition to displaying flow accounting information locally, one can also
exported them to a collection server.
NetFlow
^^^^^^^
.. cfgcmd:: set system flow-accounting netflow version <version>
There are multiple versions available for the NetFlow data. The `<version>`
used in the exported flow data can be configured here. The following
versions are supported:
* **5** - Most common version, but restricted to IPv4 flows only
* **9** - NetFlow version 9 (default)
* **10** - :abbr:`IPFIX (IP Flow Information Export)` as per :rfc:`3917`
.. cfgcmd:: set system flow-accounting netflow server <address>
Configure address of NetFlow collector. NetFlow server at `<address>` can
be both listening on an IPv4 or IPv6 address.
.. cfgcmd:: set system flow-accounting netflow source-ip <address>
IPv4 or IPv6 source address of NetFlow packets
.. cfgcmd:: set system flow-accounting netflow engine-id <id>
NetFlow engine-id which will appear in NetFlow data. The range is 0 to 255.
.. cfgcmd:: set system flow-accounting netflow sampling-rate <rate>
Use this command to configure the sampling rate for flow accounting. The
system samples one in every `<rate>` packets, where `<rate>` is the value
configured for the sampling-rate option. The advantage of sampling every n
packets, where n > 1, allows you to decrease the amount of processing
resources required for flow accounting. The disadvantage of not sampling
every packet is that the statistics produced are estimates of actual data
flows.
Per default every packet is sampled (that is, the sampling rate is 1).
.. cfgcmd:: set system flow-accounting netflow timeout expiry-interval <interval>
Specifies the interval at which Netflow data will be sent to a collector. As
per default, Netflow data will be sent every 60 seconds.
You may also additionally configure timeouts for different types of
connections.
.. cfgcmd:: set system flow-accounting netflow max-flows <n>
If you want to change the maximum number of flows, which are tracking
simultaneously, you may do this with this command (default 8192).
sFlow
^^^^^
.. cfgcmd:: set system flow-accounting sflow server <address>
Configure address of sFlow collector. sFlow server at `<address>` can
be an IPv4 or IPv6 address. But you cannot export to both IPv4 and
IPv6 collectors at the same time!
.. cfgcmd:: set system flow-accounting sflow sampling-rate <rate>
Enable sampling of packets, which will be transmitted to sFlow collectors.
.. cfgcmd:: set system flow-accounting sflow agent-address <address>
Configure a sFlow agent address. It can be IPv4 or IPv6 address, but you
must set the same protocol, which is used for sFlow collector addresses. By
default, using router-id from BGP or OSPF protocol, or the primary IP
address from the first interface.
Example:
--------
NetFlow v5 example:
.. code-block:: none
set system flow-accounting netflow engine-id 100
set system flow-accounting netflow version 5
set system flow-accounting netflow server 192.168.2.10 port 2055
Operation
=========
Once flow accounting is configured on an interfaces it provides the ability to
display captured network traffic information for all configured interfaces.
.. opcmd:: show flow-accounting interface <interface>
Show flow accounting information for given `<interface>`.
.. code-block:: none
vyos@vyos:~$ show flow-accounting interface eth0
IN_IFACE SRC_MAC DST_MAC SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL TOS PACKETS FLOWS BYTES
---------- ----------------- ----------------- ------------------------ --------------- ---------- ---------- ---------- ----- --------- ------- -------
eth0 00:53:01:a8:28:ac ff:ff:ff:ff:ff:ff 192.0.2.2 255.255.255.255 5678 5678 udp 0 1 1 178
eth0 00:53:01:b2:2f:34 33:33:ff:00:00:00 fe80::253:01ff:feb2:2f34 ff02::1:ff00:0 0 0 ipv6-icmp 0 2 1 144
eth0 00:53:01:1a:b4:53 33:33:ff:00:00:00 fe80::253:01ff:fe1a:b453 ff02::1:ff00:0 0 0 ipv6-icmp 0 1 1 72
eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40152 22 tcp 16 39 1 2064
eth0 00:53:01:c8:33:af ff:ff:ff:ff:ff:ff 192.0.2.3 255.255.255.255 5678 5678 udp 0 1 1 154
eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40006 22 tcp 16 146 1 9444
eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 0 0 icmp 192 27 1 4455
.. opcmd:: show flow-accounting interface <interface> host <address>
Show flow accounting information for given `<interface>` for a specific host
only.
.. code-block:: none
vyos@vyos:~$ show flow-accounting interface eth0 host 192.0.2.14
IN_IFACE SRC_MAC DST_MAC SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL TOS PACKETS FLOWS BYTES
---------- ----------------- ----------------- ----------- ---------- ---------- ---------- ---------- ----- --------- ------- -------
eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40006 22 tcp 16 197 2 12940
eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40152 22 tcp 16 94 1 4924
eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 0 0 icmp 192 36 1 5877
|