Alcatel-Lucent SR7750 IPFIX Support

Alcatel-Lucent’s Application-Assured Virtual Private Network (AA-VPN) technology includes IPFIX support on the SR7750 (Service Router) and the 7450 ESS (Ethernet Service Switch). They claim that this decision is “transforming a service provider’s business service delivery infrastructure from being service-aware to being application-aware”. We couldn’t agree more. In this post I dug into their documentation a bit to find out more about the new SR7750 IPFIX support.

Alcatel-Lucent IPFIX support

The AA-VPN solution relies on a Multi-Service Integrated Service Adapter (MS-ISA) blade which performs high-touch packet processing. The AA mode-enabled MS-ISA (or AA-ISA) is able to report on the performance of TCP and RTP/UDP applications leveraging cflowd v10, which apparently is compliant with the IP Flow Information eXport (IPFIX) proposed standard. We have not verified this but supposedly the hardware exports details on:

  • TCP client and server round trip delay
  • VoIP and video packet loss ratios
  • RTP payload type
  • MOS details and much more.

On the surface, it looks like Alcatel-Lucent are supporting many of the same exports supported by Cisco Performance Monitoring, SonicWALL and the nBox. Their solution is also somewhat scalable as each AA-ISA is capable of producing up to 10,000 flows per second (fps). A fully populated router chassis can produce up to 30,000 fps but, unlike the other vendors exporting similar details, it is sampled data.

“The sampled nature of the data precludes the use of cflowd for billing purposes in most circumstances, hence, cflowd data does not serve to replace the existing accounting data available through the 5670 RAM, but serves to augment it with performance behavior data.”

This sounds smart. Export traditional NetFlow and export AA-VPN for additional metrics.

“Performance reporting employs the flow sampling mechanism, while volume reporting uses the packet sampling technique. In both cases, the sample rate is configurable at the AA-Group level. Such a configuration will affect all associated partitions, and all applications within those partitions. The AA-ISA does support cflowd publication to multiple destinations for redundancy, however, it is important to note that this does not change the overall maximum flow output rate. Sending cflowd records to two different destinations effectively reduces the unique flow output rate to 5000 fps per AA-ISA.”

Sounds pretty impressive! I read a couple things that concerned me. On page 3: “A flow record is published upon termination of a tracked flow.” And on page 6 I saw “Total Bytes” listed. This probably means they are exporting octetTotalCount instead of octetDeltaCount and I can tell you that this may not be ideal for many NetFlow and IPFIX reporting solutions. Waiting for a flow to end (e.g. 10 minute phone call) and exporting the flow with a total byte count representing the entire 10 minutes can result in spikes in trends which can be misleading.

We have seen several vendors make the mistake of exporting octetTotalCount when octetDeltaCount would have been a wiser choice. This is not to say that exporting octetTotalCount is wrong. It’s just that in most cases what IPFIX collection solutions really want is octetDeltaCount every 60 seconds. The octetTotalCount really should be used for other types of ‘event’ messaging (e.g. denied flows on the Cisco ASA using NSEL).

Despite some shortcomings, this new export is an exciting advancement in Alcatel-Lucent’s capabilities and further demonstrates that Application Performance Management (APM) continues to develop a strong foothold in the IPFIX industry. Alcatel-Lucent now joins the ranks of leadership in the IPFIX industry.
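To make the trending spike concrete, here is an added example (not code from Alcatel-Lucent or from any collector product) that bins the same 10-minute call two ways: one total-count record published at flow termination versus delta records every 60 seconds. It also shows one collector-side workaround, spreading the total across the flow's lifetime. The record field names (`start`, `end`, `export`, `octets`) are hypothetical, the sample flow is constructed, and the workaround assumes the exporter includes flow start and end times.

```python
from collections import defaultdict

BIN = 60  # width of one trend bucket, in seconds

def bin_at_export(records):
    """Naive trending: credit all of a record's octets to the bucket it arrived in."""
    bins = defaultdict(int)
    for r in records:
        bins[r["export"] // BIN * BIN] += r["octets"]
    return dict(bins)

def spread_over_lifetime(records):
    """Collector-side smoothing: apportion a total count across the buckets
    the flow overlapped, using its start/end times (assumed to be exported)."""
    bins = defaultdict(int)
    for r in records:
        start, end, total = r["start"], r["end"], r["octets"]
        if end <= start:                      # zero-length flow: one bucket
            bins[start // BIN * BIN] += total
            continue
        assigned, t = 0, start
        while t < end:
            bucket = t // BIN * BIN
            nxt = min(bucket + BIN, end)
            # last slice takes the remainder so no octets are lost to rounding
            share = total - assigned if nxt == end else total * (nxt - t) // (end - start)
            bins[bucket] += share
            assigned += share
            t = nxt
    return dict(bins)

# Constructed sample: one 10-minute call at 10,000 bytes/s (6,000,000 octets).
CALL = {"start": 0, "end": 600, "octets": 6_000_000}
# Exporter A: a single record at flow termination carrying the total.
TOTAL_ON_END = [dict(CALL, export=600)]
# Exporter B: a delta record every 60 s while the call is active.
DELTA_60S = [{"start": s, "end": s + 60, "export": s + 60, "octets": 600_000}
             for s in range(0, 600, 60)]

if __name__ == "__main__":
    for name, series in [("total at end", bin_at_export(TOTAL_ON_END)),
                         ("delta / 60 s", bin_at_export(DELTA_60S)),
                         ("total, spread", spread_over_lifetime(TOTAL_ON_END))]:
        print(f"{name:14} peak={max(series.values()):>9,} buckets={len(series)}")
```

With the total-at-termination export the whole call lands in one bucket, ten times the per-minute peak of the delta export, which is exactly the kind of spike that can be misread as a burst when reviewing traffic trends.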