cFlowd flows (IPFIX) in Cisco Viptela SDWAN

Most of you have heard about cFlowd in Cisco Viptela SDWAN, but do you actually know what cFlowd is? Today we are going to discuss cFlowd and the purpose of using it.

What is cFlowd?
cFlowd is a tool for monitoring the traffic flowing through vEdge routers in the overlay network and exporting information about the traffic to a flow collector. The exported information is sent in template reports, which contain both information about the flow and data extracted from the IP headers of the packets in the flow.

It is also called IPFIX (IP Flow Information Export). cFlowd, or IPFIX, performs 1:1 traffic sampling: information about all flows is aggregated in the cflowd records; flows are not sampled. vEdge routers do not cache any of the records that are exported to a collector.

Fig 1.1- cFlowd flows and analyzer

What version of cFlowd is used in Cisco Viptela SDWAN?
cflowd version 10 is used in the Cisco Viptela SDWAN solution and, as I mentioned, it is also called the IPFIX (IP Flow Information Export) protocol. So if somebody asks you about IPFIX or cFlowd in an interview, they are the same thing.

How many policies can we define in cFlowd?
We can configure a maximum of four cflowd policies, so template records can be exported to a maximum of four cflowd collectors. Note that when we configure a new data policy that changes which flows are sampled, the software allows the old flows to expire gracefully rather than deleting them all at once.

Where do we define the cFlowd policy?
We configure cflowd using centralized data policy and specify the location of the collector. The flow information is sent to the collector every 60 seconds. You can modify this and other timers related to how often cflowd templates are refreshed and how often a traffic flow times out.

Note: The vEdge router exports template records and data records to a collector. The template record is used by the collector to parse the data record information that is exported to it. 
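As an added illustration (not from the original article and not Cisco code), the Python below shows how a collector uses the template record to decode a data record, following the IPFIX version 10 message layout of RFC 7011. The function names and the sample message are constructed for this example; it assumes fixed-length IANA fields only, and it reports data sets whose template has not been seen yet instead of guessing at their layout.

```python
import struct
from ipaddress import IPv4Address

IE_NAMES = {8: "sourceIPv4Address", 12: "destinationIPv4Address", 7: "sourceTransportPort",
            11: "destinationTransportPort", 4: "protocolIdentifier", 1: "octetDeltaCount"}
SAMPLE = bytes.fromhex(  # constructed message: header, template 256, one data record
    "000a0045 00000000 00000001 00000001 00020020 01000006 00080004 000c0004 00070002"
    "000b0002 00040001 00010004 01000015 0a01010a 0a020214 c738 01bb 06 000005dc")

def parse_templates(body, domain, templates):
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        if tid < 256 or count == 0:  # set padding or a template withdrawal: stop
            break
        fields = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(count)]
        if any(ie & 0x8000 or flen == 0xFFFF for ie, flen in fields):
            raise ValueError("enterprise or variable-length fields are not handled here")
        templates[(domain, tid)] = fields  # list of (element_id, length) pairs
        pos += 4 + 4 * count

def decode_records(body, fields):
    rec_len = sum(flen for _, flen in fields)
    for start in range(0, len(body) - rec_len + 1, rec_len):
        rec, pos = {}, start
        for ie, flen in fields:
            raw, pos = body[pos:pos + flen], pos + flen
            value = str(IPv4Address(raw)) if ie in (8, 12) else int.from_bytes(raw, "big")
            rec[IE_NAMES.get(ie, f"ie{ie}")] = value
        yield rec

def parse_ipfix(msg, templates):
    """Example helper: return (flows, skipped_set_ids); `templates` persists across messages."""
    version, length, _time, _seq, domain = struct.unpack_from("!HHIII", msg, 0)
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX (version 10) message")
    flows, skipped, off = [], [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("set length out of bounds")
        body = msg[off + 4:off + set_len]
        if set_id == 2:  # template set
            parse_templates(body, domain, templates)
        elif (domain, set_id) in templates:
            flows += decode_records(body, templates[(domain, set_id)])
        else:
            skipped.append(set_id)  # e.g. a data set that arrived before its template
        off += set_len
    return flows, skipped
```

Calling parse_ipfix(SAMPLE, {}) returns one flow from 10.1.1.10:51000 to 10.2.2.20:443 (protocol 6, 1500 octets). The same data set sent without its template ends up in the skipped list.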

The flow records are exported over TCP or UDP connections. The records are neither de-identified nor TLS-encrypted, so they travel in cleartext; this is because the collector and the cflowd analyzer are located within the same data center.

What kind of flows can be tracked by cflowd?
Cflowd can track GRE, ICMP, IPsec, SCTP, TCP, and UDP flows.

Below are the general commands used on vEdge and cEdge for cFlowd:

Fig 1.2- cFlowd commands and others

In our next article, we will talk about the cflowd elements and exporters to the collector. We will also discuss the procedure for configuring cflowd via vManage.