IPFIX mediation uses the ipfix analytics service
agent. The service agent uses input and output plug-ins specific to
IPFIX. The plug-ins configure aspects of the collecting and exporting
functions for the mediator, such as TCP ports and the collector address.
The input plug-in takes in the IPFIX flow data from the downstream
devices. The output plug-in converts the data to the IPFIX format
and exports it to the IPFIX collector. Data conversion is particularly
important because users may have a variety of exporting devices using
different formats. Converting the formats to a common form on the
mediator alleviates the need to have specific collectors for different
formats.
Your configuration for the output plug-in determines whether
the IPFIX mediator sends records to the collector over a plain TCP connection
or over a TLS connection (TLS also runs over TCP, but the session is
authenticated and encrypted):
When you configure any of the certificate options (collector-ca-certificate,
collector-certificate-key, or collector-certificate), the mediator attempts to
make a TLS connection. Because a single option is enough to select TLS, check
that the set you configure is complete: the CA certificate is what lets the
mediator validate the collector, and the client certificate and its key
belong together.
If none of the certificate options is configured, the
mediator attempts to make a plain TCP connection, and the exported records
are not protected in transit.
To configure IPFIX mediation:
- Access the IPFIX service agent configuration.
[edit services analytics agent]
user@host# edit service-agents ipfix
- Configure parameters for the IPFIX input plug-in.
[edit services analytics agent service-agents ipfix]
user@host# edit inputs input-ipfix
Note: Although each of the parameters has a default value, the
plug-in is enabled only when at least one parameter is present in the
configuration. If you want to run entirely on default values, you must
still explicitly set one parameter, even if you set it to its default value.
(Optional) Specify the maximum number of TCP connections
that the IPFIX mediator can have. The default value is 100.
[edit services analytics agent service-agents ipfix inputs input-ipfix]
user@host# set parameters maximum-connections number
(Optional) Specify the TCP port that the IPFIX mediator
uses to receive TCP packets from the downstream devices. The default
value is 4739.
[edit services analytics agent service-agents ipfix inputs input-ipfix]
user@host# set parameters tcp-port port-number
Specify the name of the VRF (routing instance) where IPFIX
packets are accepted from the downstream devices.
[edit services analytics agent service-agents ipfix inputs input-ipfix]
user@host# set parameters vrf-name name
- Configure parameters for the output plug-in.
[edit services analytics agent service-agents ipfix]
user@host# edit outputs output-ipfix
Specify the IP address of the upstream IPFIX collector.
This is a mandatory option.
[edit services analytics agent service-agents ipfix outputs output-ipfix]
user@host# set parameters collector-address ip-address
(Optional) Specify the path of the CA certificate that the mediator
uses to validate the certificate presented by its peer, the IPFIX collector.
This is the certificate of the trusted certificate authority (CA) that
signed the collector's certificate, and it is expected to be in .pem
container format.
[edit services analytics agent service-agents ipfix outputs output-ipfix]
user@host# set parameters collector-ca-certificate file-path
(Optional) Specify the path of the client certificate that the mediator
presents to the server (IPFIX collector) so that the collector can
authenticate the mediator, enabling mutual authentication. When the
client and server certificates are generated, the fully qualified domain
name (FQDN) of the client and of the server is stored in the respective
certificate's Subject Alternative Name field, so the names must match
what each side expects. The certificate is expected to be in .pem container
format.
[edit services analytics agent service-agents ipfix outputs output-ipfix]
user@host# set parameters collector-certificate file-path
(Optional) Specify the path of the private key file that matches the
client certificate. The mediator loads this key for the TLS handshake to
prove that it holds the key for the certificate it presents. Configure it
together with collector-certificate, and keep the file readable only by
the system, since anyone who can read it can impersonate the mediator.
[edit services analytics agent service-agents ipfix outputs output-ipfix]
user@host# set parameters collector-certificate-key file-path
(Optional) Specify how many seconds the output plug-in
waits before retrying the connection to the IPFIX collector. The default
value is 20.
[edit services analytics agent service-agents ipfix outputs output-ipfix]
user@host# set parameters collector-connection-retry-interval seconds
(Optional) Specify the TCP port that the IPFIX mediator
uses to connect to the IPFIX collector. The default value is 4740.
[edit services analytics agent service-agents ipfix outputs output-ipfix]
user@host# set parameters collector-tcp-port port-number
(Optional) Specify the name of the VRF (routing instance)
in which IPFIX packets are routed to the IPFIX collector. The default
value is default.
[edit services analytics agent service-agents ipfix outputs output-ipfix]
user@host# set parameters collector-vrf-name vrf-name
In the following sample configuration, the input plug-in is
configured so that the IPFIX mediator accepts up to 125 TCP connections
from its downstream devices. Records are accepted in the RI-ipfix-1
routing instance. The TCP port is not configured, so the plug-in listens
on the default port, 4739.
[edit services analytics agent service-agents ipfix]
user@host# set inputs input-ipfix parameters maximum-connections 125
user@host# set inputs input-ipfix parameters vrf-name RI-ipfix-1
The following example configuration for the output plug-in
specifies that:
Records are exported to the collector at 198.51.100.200.
If the connection to the collector fails, the plug-in retries
it every 15 seconds instead of the default 20.
The configuration includes paths for the CA certificate, the client
certificate, and its private key, so the export connection is over TLS
with mutual authentication rather than plain TCP.
The TCP port is not configured, so the collector is expected
to listen on the default port, 4740.
No routing instance is configured for the collector, so
the mediator routes the export packets in the default routing instance.
user@host# edit services analytics agent service-agents ipfix
user@host# set outputs output-ipfix parameters collector-address 198.51.100.200
user@host# set outputs output-ipfix parameters collector-ca-certificate /var/tmp/ca.pem
user@host# set outputs output-ipfix parameters collector-certificate /var/tmp/client.pem
user@host# set outputs output-ipfix parameters collector-certificate-key /var/tmp/example.com.key
user@host# set outputs output-ipfix parameters collector-connection-retry-interval 15
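To make the TCP-or-TLS decision and the documented defaults concrete, the following script is an added example, not Junos code or any part of the IPFIX mediator. It parses `set ... parameters` lines in the form shown on this page for the input and output plug-ins, fills in the defaults the page documents (100 connections and port 4739 for input; retry interval 20, port 4740, and routing instance default for output), reports which transport the output plug-in would attempt, and runs a few lint rules. The lint rules (CA certificate missing while TLS is selected, certificate and key not configured together, private key stored under /var/tmp) are this script's own policy, not documented mediator behaviour, and the sample configuration is the one from the examples above. The default for the input plug-in's vrf-name is not stated on this page and is left unset.

```python
"""Validate IPFIX mediator plug-in configuration lines (added example).

Not Junos code. Defaults come from the documentation; lint rules are this
script's own policy.
"""
import re

# Defaults documented for the plug-ins. The input vrf-name default is not
# stated on the page, so it is deliberately left as None.
INPUT_DEFAULTS = {"maximum-connections": 100, "tcp-port": 4739, "vrf-name": None}
OUTPUT_DEFAULTS = {
    "collector-connection-retry-interval": 20,
    "collector-tcp-port": 4740,
    "collector-vrf-name": "default",
}
CERT_OPTIONS = ("collector-ca-certificate", "collector-certificate", "collector-certificate-key")

# Matches "set ... parameters <name> <value>" with or without the CLI prompt and
# with or without the full "services analytics agent service-agents ipfix" path.
SET_RE = re.compile(
    r"^\s*(?:\S+#\s*)?set\s+"
    r"(?:services\s+analytics\s+agent\s+service-agents\s+ipfix\s+)?"
    r"(inputs\s+input-ipfix|outputs\s+output-ipfix)\s+parameters\s+(\S+)\s+(\S+)\s*$"
)

# Constructed sample: the input and output examples from this page.
SAMPLE_CONFIG = """
user@host# set inputs input-ipfix parameters maximum-connections 125
user@host# set inputs input-ipfix parameters vrf-name RI-ipfix-1
user@host# edit services analytics agent service-agents ipfix
user@host# set outputs output-ipfix parameters collector-address 198.51.100.200
user@host# set outputs output-ipfix parameters collector-ca-certificate /var/tmp/ca.pem
user@host# set outputs output-ipfix parameters collector-certificate /var/tmp/client.pem
user@host# set outputs output-ipfix parameters collector-certificate-key /var/tmp/example.com.key
user@host# set outputs output-ipfix parameters collector-connection-retry-interval 15
"""


def parse_set_lines(lines):
    """Return {"input": {...}, "output": {...}} from set lines; 'edit' lines are skipped."""
    cfg = {"input": {}, "output": {}}
    for line in lines:
        match = SET_RE.match(line)
        if not match:
            continue
        section = "input" if match.group(1).startswith("inputs") else "output"
        cfg[section][match.group(2)] = match.group(3)
    return cfg


def with_defaults(params, defaults):
    """Merge configured values over the defaults, casting to int where the default is an int."""
    effective = dict(defaults)
    for key, value in params.items():
        effective[key] = int(value) if isinstance(defaults.get(key), int) else value
    return effective


def transport(output_params):
    """The page's rule: any certificate option present means the mediator attempts TLS."""
    return "tls" if any(opt in output_params for opt in CERT_OPTIONS) else "tcp"


def lint(cfg):
    """Return a list of 'error:', 'warning:' or 'info:' findings (this script's own policy)."""
    findings = []
    out = cfg["output"]
    if "collector-address" not in out:
        findings.append("error: collector-address is mandatory for the output plug-in")
    if not cfg["input"]:
        findings.append("error: input plug-in is enabled only when at least one parameter is set")
    if transport(out) == "tls":
        if "collector-ca-certificate" not in out:
            findings.append("warning: TLS selected but no collector-ca-certificate, "
                            "so the collector's certificate cannot be validated against a CA")
        if ("collector-certificate" in out) != ("collector-certificate-key" in out):
            findings.append("warning: collector-certificate and collector-certificate-key "
                            "must be configured together for mutual authentication")
        key_path = out.get("collector-certificate-key", "")
        if key_path.startswith("/var/tmp/") or key_path.startswith("/tmp/"):
            findings.append("warning: private key %s lives in a world-writable temp directory" % key_path)
    else:
        findings.append("info: no certificate options set, records are exported over plain TCP")
    return findings


if __name__ == "__main__":
    parsed = parse_set_lines(SAMPLE_CONFIG.splitlines())
    print("input :", with_defaults(parsed["input"], INPUT_DEFAULTS))
    print("output:", with_defaults(parsed["output"], OUTPUT_DEFAULTS))
    print("transport:", transport(parsed["output"]))
    for finding in lint(parsed):
        print(finding)
```

Run against the page's sample, the script reports TLS as the transport, port 4740 and the default routing instance filled in from the defaults, and a warning that the private key in the example is kept under /var/tmp, which is the kind of path a practitioner would move to a restricted directory before committing the configuration.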