Netflow V9 and V10 (IPFIX) Considerations (3.1)
The Netflow Agent
The V9 and V10 UDR formats are template based, where the template provides a description of the fields that will be present in the UDRs. For detailed information on the V9 UDR format, see the section NetFlow Version 9 Flow-Record Format on Cisco's web site, and for the V10 UDR format, see RFC 7011 (https://tools.ietf.org/html/rfc7011).
The Netflow Agent does not itself detect templates, or map incoming data to the corresponding template, or create UDRs of the incoming data. This functionality must be implemented in APL, as described in the section below, Workflow Design for V9UDR and V10UDR. The agent will forward the Netflow data using the rawData field to the workflow.
Workflow Design for V9UDR and V10UDR
When using Netflow with the V9UDR or V10UDR format, the workflow design must handle certain functions.
Dynamic format
Since the V9UDR and V10UDR formats are dynamic, the workflow may not have access to the template when the first UDRs arrive, or the template may have changed and not yet been sent to the workflow.
For this reason, it is recommended to let the real-time workflow with the Netflow collection agent(s) forward the UDRs, via Inter Workflow or Workflow Bridge agents, to a batch workflow that stores them on disk.
A third workflow may then collect, decode and aggregate the UDRs.
Decoding and Aggregation
In order to decode the UDRs, you first have to decode the template, and this has to be done by defining an Ultra format for the template. For further information on decoding the V10UDR format, see RFC 7011 (https://tools.ietf.org/html/rfc7011). The template should then be sent to an Aggregation agent to start a session, which will correlate all the UDRs that use the template. An Ultra defining the aggregation session handling will also have to be created.
Since the aggregation has to be based on a template-specific field, the templates have to be routed one at a time to the Aggregation agent.
The APL code in the Aggregation agent will then have to handle the decoding of the actual UDRs.
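The template handling that the workflow has to implement for V10, shown as an added illustration in Python (not APL and not product code): templates are cached per observation domain as defined in RFC 7011, data sets that arrive before their template are held back, and every length taken from the packet is bounds-checked. The function names, the cap of 64 held sets per template and the restriction to fixed-length fields are assumptions of this example; options templates (set ID 3) are ignored.

```python
import struct

def take(buf, off, fmt):
    """Bounds-checked struct read: returns (values, offset after them)."""
    if off + struct.calcsize(fmt) > len(buf):
        raise ValueError("truncated input")
    return struct.unpack_from(fmt, buf, off), off + struct.calcsize(fmt)

def read_templates(body, domain, templates):
    """Cache every template record of one template set (set ID 2)."""
    off = 0
    while len(body) - off >= 4:              # fewer than 4 bytes left is padding
        (tid, count), off = take(body, off, "!HH")
        fields, pos = [], 0
        for _ in range(count):
            (ie_id, n), off = take(body, off, "!HH")
            if ie_id & 0x8000:               # enterprise bit: skip the 4-byte PEN
                _, off = take(body, off, "!I")
            if n == 0xFFFF:
                raise ValueError("variable-length field, not handled here")
            fields.append((ie_id, pos, pos + n))
            pos += n
        if tid < 256 or pos == 0:
            raise ValueError("withdrawal or invalid template, not handled here")
        templates[(domain, tid)] = (pos, fields)

def parse_message(msg, templates, pending, max_pending=64):
    """Parse one untrusted IPFIX message; return records as (ie_id, bytes) lists.
    Data sets with no known template wait in `pending`, capped per template."""
    (version, length, _, _, domain), off = take(msg, 0, "!HHIII")
    if version != 10 or length != len(msg):
        raise ValueError("bad version or length")
    out = []
    while off < length:
        (set_id, set_len), _ = take(msg, off, "!HH")
        if set_len < 4 or off + set_len > length:
            raise ValueError("set length out of bounds")
        body, key = msg[off + 4:off + set_len], (domain, set_id)
        if set_id == 2:
            read_templates(body, domain, templates)
        elif set_id >= 256 and len(pending.setdefault(key, [])) < max_pending:
            pending[key].append(body)
        for k in [k for k in pending if k in templates]:  # now decodable
            rec_len, fields = templates[k]
            for held in pending.pop(k):      # a tail shorter than rec_len is padding
                for o in range(0, len(held) - rec_len + 1, rec_len):
                    out.append([(ie, held[o + a:o + b]) for ie, a, b in fields])
        off += set_len
    return out
```

The `templates` and `pending` dictionaries are passed in so that they persist across messages; a malformed message raises `ValueError` and should be dropped as a whole.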