Export of original flows
Information in aging original flows is collected and then encapsulated into UDP packets to be sent to an NSC. The NSC obtains detailed information about each original flow and processes these flow records flexibly. This, however, increases network bandwidth and CPU usage. In addition, storing these flow records uses a large amount of memory and increases device overhead.
Export of aggregated flows
After information about aging original flows is collected, original flows are classified, combined, and constructed into aggregated flows based on specified rules. When the aggregation timer in the system expires, aggregated flows are exported to the NSC as UDP packets. Aggregation allows flow information to be exported with less network bandwidth, CPU usage, and storage space. The device supports the aggregation modes listed in Table 1.
| Aggregation Mode | Description |
|---|---|
| as | Indicates the autonomous system (AS) aggregation, which aggregates flows with the same source AS number, destination AS number, inbound interface index, and outbound interface index. |
| as-tos | Indicates the AS-ToS aggregation, which aggregates flows with the same source AS number, destination AS number, inbound interface index, outbound interface index, and type of service (ToS). |
| bgp-nexthop-tos | Indicates the BGP-nexthop-ToS aggregation, which aggregates flows with the same Border Gateway Protocol (BGP) next hop, source AS number, destination AS number, inbound interface index, and outbound interface index. A device aggregates flows with the same attributes into one flow and then generates one record about the aggregated flow. |
| destination-prefix | Indicates the destination-prefix aggregation, which aggregates flows with the same destination AS number, destination mask length, destination prefix, and outbound interface index. |
| destination-prefix-tos | Indicates the destination-prefix-ToS aggregation, which aggregates flows with the same destination AS number, destination mask length, destination prefix, outbound interface index, and ToS. |
| index-tos | Indicates the index-ToS aggregation, which aggregates flows with the same inbound interface index, outbound interface index, and ToS. |
| mpls-label | Indicates the MPLS label aggregation, which aggregates flows with the same first layer label, second layer label, third layer label, TopLabelIpAddress, stack bottom symbol of the first layer label, and the EXP value of the first layer label. |
| prefix | Indicates the prefix aggregation, which aggregates flows with the same source AS number, destination AS number, source mask length, destination mask length, source prefix, destination prefix, inbound interface index, and outbound interface index. |
| prefix-tos | Indicates the prefix-ToS aggregation, which aggregates flows with the same source AS number, destination AS number, source mask length, destination mask length, source prefix, destination prefix, inbound interface index, outbound interface index, and ToS. |
| protocol-port | Indicates the protocol-port aggregation, which aggregates flows with the same protocol number, source port, and destination port. |
| protocol-port-tos | Indicates the protocol-port-ToS aggregation, which aggregates flows with the same protocol number, source port, destination port, ToS, inbound interface index, and outbound interface index. |
| source-prefix | Indicates the source-prefix aggregation, which aggregates flows with the same source AS number, source mask length, source prefix, and inbound interface index. |
| source-prefix-tos | Indicates the source-prefix-ToS aggregation, which aggregates flows with the same source AS number, source mask length, source prefix, ToS, and inbound interface index. |
| source-index-tos | Indicates the inbound interface index-ToS aggregation. It classifies flows based on inbound interface index, ToS, and BGP next hop. |
| vlan-id | Indicates the VLAN-ID aggregation, which aggregates flows with the same virtual local area network (VLAN) ID and inbound interface index. |
| bgp-community | Indicates BGP community aggregation. NetStream flows are classified based on the inbound and outbound interface indexes, BGP community name, and three key values. |
| vni-sip-dip | Indicates a VNI aggregation mode. NetStream combines flows with the same VNI ID and the same source and destination IP addresses of tenants into an aggregated flow and generates one aggregation record. |
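
The following sketch is an added example, not the device's implementation: it merges aged original flow records by the key fields that Table 1 lists for four of the modes and shows how much per-flow detail each mode keeps. The record field names, the `make_flow` helper, and the sample flows are assumptions constructed for illustration.

```python
import ipaddress

# Key fields per aggregation mode, taken from Table 1 (subset of the modes).
# Field names are hypothetical, not the device's export record layout.
MODE_KEYS = {
    "as": ("src_as", "dst_as", "in_if", "out_if"),
    "protocol-port": ("proto", "src_port", "dst_port"),
    "destination-prefix": ("dst_as", "dst_mask", "dst_prefix", "out_if"),
    "source-prefix": ("src_as", "src_mask", "src_prefix", "in_if"),
}

def with_prefixes(flow):
    """Return a copy of the flow with src/dst prefixes derived from mask lengths."""
    out = dict(flow)
    for side in ("src", "dst"):
        cidr = f"{flow[side + '_ip']}/{flow[side + '_mask']}"
        out[side + "_prefix"] = str(ipaddress.ip_network(cidr, strict=False).network_address)
    return out

def aggregate(flows, mode):
    """Merge aged original flows that share every key field of `mode`."""
    keys = MODE_KEYS[mode]
    table = {}
    for flow in map(with_prefixes, flows):
        key = tuple(flow[k] for k in keys)
        rec = table.get(key)
        if rec is None:
            rec = table[key] = dict(zip(keys, key), flows=0, packets=0, bytes=0,
                                    first=flow["first"], last=flow["last"])
        rec["flows"] += 1
        rec["packets"] += flow["packets"]
        rec["bytes"] += flow["bytes"]
        rec["first"] = min(rec["first"], flow["first"])
        rec["last"] = max(rec["last"], flow["last"])
    return list(table.values())

# Hypothetical helper: one constructed original-flow record, fixed AS/interface values.
def make_flow(src_ip, dst_ip, sport, dport, packets, nbytes, first, last):
    return dict(src_ip=src_ip, dst_ip=dst_ip, src_mask=24, dst_mask=24,
                src_as=64500, dst_as=64501, in_if=1, out_if=2, proto=6, tos=0,
                src_port=sport, dst_port=dport, packets=packets, bytes=nbytes,
                first=first, last=last)

# Constructed sample flows (documentation address ranges, not captured traffic).
SAMPLE = [
    make_flow("192.0.2.10", "198.51.100.5", 40001, 443, 10, 5200, 100, 130),
    make_flow("192.0.2.11", "198.51.100.9", 40002, 443, 4, 900, 105, 110),
    make_flow("192.0.2.10", "198.51.100.5", 40001, 443, 6, 3100, 140, 160),
    make_flow("192.0.2.77", "203.0.113.8", 53000, 22, 3, 400, 150, 155),
]
```

In `as` mode the four sample flows collapse into a single record, so the per-host and per-port detail of the original flows is not available at the collector; `protocol-port` keeps three records and `destination-prefix` keeps two.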
Export of flexible flows
In each aggregation mode, original flows are classified and merged based on fixed rules; aggregated flow information is then generated, aged out, and exported to the server. Users cannot customize aggregation modes as required. Flexible flow packets provide user-defined templates for users to customize matching and collected fields as required. The user-defined template improves traffic analysis accuracy and reduces network bandwidth occupation, CPU usage, and storage space usage.
Export to a server
NetStream packets can be exported to a specified server. The following server addresses can be used:
For aggregated flows, a server address can be specified in the system, slot, or monitoring view. The server addresses configured in the system view, slot view, and monitoring view are arranged in ascending order. If multiple server addresses are configured, the address with the highest priority takes effect. Multiple service addresses of interfaces can be specified in the monitoring view so that sampling packets of original flows can be exported to different servers. Packets can be output to specified interfaces, which helps filter out unnecessary packets and improve flexibility.
For aggregated flows, a server address can be specified in the system, slot, or aggregation view. After sampling packets, including original flows, are aggregated, the aggregated flows are output to the same server. The server address configured in the aggregation view takes precedence over that configured in the system view. If the server address is configured in both views, the server address configured in the aggregation view takes effect.