Viewing flows that contain MPLS fields
Internet Protocol Flow Information Export (IPFIX) is a common protocol that allows exporting of flow information from network devices. Multiprotocol Label Switching (MPLS) is a routing technique that runs on any protocol.
With MPLS support for IPFIX flow records in QFlow, you can filter and search for IPFIX flows in IBM QRadar that contain MPLS fields and write rules based on the values of these MPLS fields.
For example, an IPFIX flow is exported from a switch on a network that uses MPLS. The IPFIX flow that is exported from the router contains information about the MPLS stack, which is now saved as part of the flow in QRadar®®. The MPLS stack can contain up to 10 layers where each layer shows information about the flow routing. These MPLS fields are included in rules, searches, and filters, and can be viewed in the Flow Details window.
Filter on MPLS fields
Search for MPLS fields
For more information about using the Advanced Search option, see Advanced search options.
View information about MPLS fields
IPFIX MPLS information elements
| Field | Element ID |
|---|---|
| mplsTopLabelType | 46 |
| mplsTopLabelIPv4Address | 47 |
| mplsTopLabelStackSection | 70 |
| mplsLabelStackSection2 | 71 |
| mplsLabelStackSection3 | 72 |
| mplsLabelStackSection4 | 73 |
| mplsLabelStackSection5 | 74 |
| mplsLabelStackSection6 | 75 |
| mplsLabelStackSection7 | 76 |
| mplsLabelStackSection8 | 77 |
| mplsLabelStackSection9 | 78 |
| mplsLabelStackSection10 | 79 |
| mplsVpnRouteDistinguisher | 90 |
| mplsTopLabelPrefixLength | 91 |
| mplsTopLabelIPv6Address | 140 |
| mplsPayloadLength | 194 |
| mplsTopLabelTTL | 200 |
| mplsLabelStackLength | 201 |
| mplsLabelStackDepth | 202 |
| mplsTopLabelExp | 203 |
| postMplsTopLabelExp | 237 |
| pseudoWireType | 250 |
| pseudoWireControlWord | 251 |
| mplsLabelStackSection | 316 |
| mplsPayloadPacketSection | 317 |
| sectionOffset | 409 |
| sectionExportedOctets | 410 |