Versions Compared

Old Version 1

changes.mady.by.user Kevin Wu

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The Netflow Agent

The V9 and V10 UDR formats are template based, where the template provides a description of the fields fields that will be present in the UDRs.  For detailed information on the V9 UDR format, see the section NetFlow section NetFlow Version 9 Flow-Record Format on Cisco's website and website and for the V10 UDR format, see RFC 7011 RFC 7011 ( https://tools.ietf.org/html/rfc7011).
 

The Netflow Netflow Agent does not detect templates, map incoming data to the corresponding template, or create UDRs of the incoming data. This functionality must be implemented in APL, as described in the section below, Workflow Design for V9UDR and V10UDR. The agent will forward the Netflow Netflow data using the rawData field rawData field to the workflowworkflow.

Workflow Design for V9UDR and V10UDR

When using Netflow Netflow with the V9UDR or V10UDR format, the workflow workflow design must handle certain functions.

Dynamic format

Since the V9UDR V10UDR formats are dynamic, the workflow workflow may not have access to the template when the first first UDRs arrive, or the template may have changed and not yet been sent to the workflowworkflow.

For this reason, it is recommended to let the real-time workflow workflow with the Netflow Netflow collection agent(s) forward the UDRs via Inter WorkflowWorkflow, or Workflow Workflow Bridge agents, to a batch workflow workflow that stores them on disk.

A third workflow workflow may then collect, decode and aggregate the UDRs.

Decoding and Aggregation  

In order to decode the UDRs, you first first have to decode the template, and this has to be done by defining defining an Ultra format for the template.  For further information on decoding the V10UDR format, see RFC 7011 RFC 7011 (https://tools.ietf.org/html/rfc7011). The  The template should then be sent to an Aggregation agent to start a session, which will correlate all the UDRs that use the template. An Ultra defining defining the aggregation session handling will also have to be created. 

Since the aggregation has to be based on a template-specificfieldspecificfield, the templates have to be routed one at a time to the Aggregation agent.

The APL code in the Aggregation agent will then have to handle the decoding of the actual UDRs. 

Scroll pagebreak