Manufacturer: Vyatta (VyOS)
Model(s): ALL
Version(s): Equuleus 1.3
URL: https://docs.vyos.io/en/equuleus/configuration/system/flow-accounting.html
Notes:
- VyOS supports flow-accounting for both IPv4 and IPv6 traffic.
- Flows can be exported via two different protocols: NetFlow (versions 5, 9 and 10/IPFIX) and sFlow.
- For connectionless protocols such as ICMP and UDP, a flow is considered complete once no more packets for that flow appear within a configurable timeout.
Configuration steps
Enabling NetFlow
- Disable the local in-memory table where flows are stored by default.
set system flow-accounting disable-imt
- Configure the address of the Scrutinizer collector.
set system flow-accounting netflow server <ip address>
- Configure the source address of NetFlow packets.
set system flow-accounting netflow source-ip <address>
- Configure the NetFlow engine-id which will appear in NetFlow data. The range is 0 to 255.
set system flow-accounting netflow engine-id <id>
- Configure the NetFlow version to be exported.
set system flow-accounting netflow version <version>
The following versions are supported:
- 5 – Most common version, but restricted to IPv4 flows only
- 9 – NetFlow version 9 (default)
- 10 – IPFIX as per RFC 3917
- Configure the sampling rate. The system samples one in every <rate> packets, where <rate> is the value configured for the sampling-rate option. Sampling every n packets, where n > 1, decreases the amount of processing resources required for flow accounting. By default every packet is sampled (that is, the sampling rate is 1).
set system flow-accounting netflow sampling-rate <rate>
- Configure the active timeout interval. This specifies the interval at which NetFlow data will be sent to a collector. By default, NetFlow data is sent every 60 seconds.
set system flow-accounting netflow timeout expiry-interval <interval>
- In order for flow accounting information to be collected and displayed for an interface, the interface must be configured for flow accounting. Configure and enable collection of flow information for the interface identified by <interface>. You can configure multiple interfaces which would participate in flow accounting.
set system flow-accounting interface <interface>
Note: By default, only packets/flows in the incoming direction are recorded on the configured interfaces. If you also need to export egress traffic, configure egress flow-accounting:
set system flow-accounting enable-egress
NetFlow v5 example:
set system flow-accounting netflow engine-id 100
set system flow-accounting netflow version 5
set system flow-accounting netflow server 192.168.2.10 port 2055
Enabling sFlow
- Disable the local in-memory table where flows are stored by default.
set system flow-accounting disable-imt
- Configure the address of the sFlow collector. The sFlow server at <address> can be an IPv4 or IPv6 address, but you cannot export to both IPv4 and IPv6 collectors at the same time!
set system flow-accounting sflow server <address>
- Enable sampling of packets, which will be transmitted to sFlow collectors.
set system flow-accounting sflow sampling-rate <rate>
- Configure an sFlow agent address. It can be an IPv4 or IPv6 address, but it must use the same protocol as the sFlow collector addresses. By default, the router-id from BGP or OSPF is used, or the primary IP address of the first interface.
set system flow-accounting sflow agent-address <address>
- In order for flow accounting information to be collected and displayed for an interface, the interface must be configured for flow accounting. Configure and enable collection of flow information for the interface identified by <interface>. You can configure multiple interfaces which would participate in flow accounting.
set system flow-accounting interface <interface>
Note: By default, only packets/flows in the incoming direction are recorded on the configured interfaces. If you also need to export egress traffic, configure egress flow-accounting:
set system flow-accounting enable-egress
Operation
Once flow accounting is configured on an interface, it provides the ability to display captured network traffic information for all configured interfaces.
show flow-accounting interface <interface>