Basic NetFlow configuration
DESCRIPTION
Basic NetFlow configuration on Cisco
TRANSCRIPT
Cisco IOS Flexible NetFlow Configuration Guide
Release 12.4T
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0809R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco IOS Flexible NetFlow Configuration Guide © 2008 Cisco Systems, Inc. All rights reserved.
About Cisco IOS and Cisco IOS XE Software Documentation
Last updated: August 6, 2008
This document describes the objectives, audience, conventions, and organization used in Cisco IOS and Cisco IOS XE software documentation, collectively referred to in this document as Cisco IOS documentation. Also included are resources for obtaining technical assistance, additional documentation, and other information from Cisco. This document is organized into the following sections:
• Documentation Objectives
• Audience
• Documentation Conventions
• Documentation Organization
• Additional Resources and Documentation Feedback
Documentation Objectives
Cisco IOS documentation describes the tasks and commands available to configure and maintain Cisco networking devices.
Audience
The Cisco IOS documentation set is intended for users who configure and maintain Cisco networking devices (such as routers and switches) but who may not be familiar with the configuration and maintenance tasks, the relationship among tasks, or the Cisco IOS commands necessary to perform particular tasks. The Cisco IOS documentation set is also intended for those users experienced with Cisco IOS who need to know about new features, new configuration options, and new software characteristics in the current Cisco IOS release.
Documentation Conventions
In Cisco IOS documentation, the term router may be used to refer to various Cisco products; for example, routers, access servers, and switches. These and other networking devices that support Cisco IOS software are shown interchangeably in examples and are used only for illustrative purposes. An example that shows one product does not necessarily mean that other products are not supported.
This section includes the following topics:
• Typographic Conventions
• Command Syntax Conventions
• Software Conventions
• Reader Alert Conventions
Typographic Conventions
Cisco IOS documentation uses the following typographic conventions:
Convention Description
^ or Ctrl Both the ^ symbol and Ctrl represent the Control (Ctrl) key on a keyboard. For example, the key combination ^D or Ctrl-D means that you hold down the Control key while you press the D key. (Keys are indicated in capital letters but are not case sensitive.)
string A string is a nonquoted set of characters shown in italics. For example, when setting a Simple Network Management Protocol (SNMP) community string to public, do not use quotation marks around the string; otherwise, the string will include the quotation marks.
Command Syntax Conventions
Cisco IOS documentation uses the following command syntax conventions:
Convention Description
bold Bold text indicates commands and keywords that you enter as shown.
italic Italic text indicates arguments for which you supply values.
[x] Square brackets enclose an optional keyword or argument.
| A vertical line, called a pipe, indicates a choice within a set of keywords or arguments.
[x | y] Square brackets enclosing keywords or arguments separated by a pipe indicate an optional choice.
{x | y} Braces enclosing keywords or arguments separated by a pipe indicate a required choice.
[x {y | z}] Braces and a pipe within square brackets indicate a required choice within an optional element.
Software Conventions
Cisco IOS uses the following program code conventions:
Convention Description
Courier font Courier font is used for information that is displayed on a PC or terminal screen.
Bold Courier font Bold Courier font indicates text that the user must enter.
< > Angle brackets enclose text that is not displayed, such as a password. Angle brackets also are used in contexts in which the italic font style is not supported; for example, ASCII text.
! An exclamation point at the beginning of a line indicates that the text that follows is a comment, not a line of code. An exclamation point is also displayed by Cisco IOS software for certain processes.
[ ] Square brackets enclose default responses to system prompts.
Reader Alert Conventions
The Cisco IOS documentation set uses the following conventions for reader alerts:
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph.
Documentation Organization
This section describes the Cisco IOS documentation set, how it is organized, and how to access it on Cisco.com. Included are lists of configuration guides, command references, and supplementary references and resources that make up the documentation set. The following topics are included:
• Cisco IOS Documentation Set
• Cisco IOS Documentation on Cisco.com
• Configuration Guides, Command References, and Supplementary Resources
Cisco IOS Documentation Set
Cisco IOS documentation consists of the following:
• Release notes and caveats provide information about platform, technology, and feature support for a release and describe severity 1 (catastrophic), severity 2 (severe), and severity 3 (moderate) defects in released Cisco IOS code. Review release notes before other documents to learn whether or not updates have been made to a feature.
• Sets of configuration guides and command references organized by technology and published for each standard Cisco IOS release.
– Configuration guides—Compilations of documents that provide informational and task-oriented descriptions of Cisco IOS features.
– Command references—Compilations of command pages that provide detailed information about the commands used in the Cisco IOS features and processes that make up the related configuration guides. For each technology, there is a single command reference that covers all Cisco IOS releases and that is updated at each standard release.
• Lists of all the commands in a specific release and all commands that are new, modified, removed, or replaced in the release.
• Command reference book for debug commands. Command pages are listed in alphabetical order.
• Reference book for system messages for all Cisco IOS releases.
Cisco IOS Documentation on Cisco.com
The following sections describe the documentation organization and how to access various document types.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
New Features List
The New Features List for each release provides a list of all features in the release with hyperlinks to the feature guides in which they are documented.
Feature Guides
Cisco IOS features are documented in feature guides. Feature guides describe one feature or a group of related features that are supported on many different software releases and platforms. Your Cisco IOS software release or platform may not support all the features documented in a feature guide. See the Feature Information table at the end of the feature guide for information about which features in that guide are supported in your software release.
Configuration Guides
Configuration guides are provided by technology and release and comprise a set of individual feature guides relevant to the release and technology.
Command References
Command reference books describe Cisco IOS commands that are supported in many different software releases and on many different platforms. The books are provided by technology. For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or the Cisco IOS Master Command List, All Releases, at http://www.cisco.com/en/US/docs/ios/mcl/all_release/all_mcl.html.
Cisco IOS Supplementary Documents and Resources
Supplementary documents and resources are listed in Table 2 on page xi.
Configuration Guides, Command References, and Supplementary Resources
Table 1 lists, in alphabetical order, Cisco IOS and Cisco IOS XE software configuration guides and command references, including brief descriptions of the contents of the documents. The Cisco IOS command references are comprehensive, meaning that they include commands for both Cisco IOS software and Cisco IOS XE software, for all releases. The configuration guides and command references support many different software releases and platforms. Your Cisco IOS software release or platform may not support all these technologies.
For additional information about configuring and operating specific networking devices, go to the Product Support area of Cisco.com at http://www.cisco.com/web/psa/products/index.html.
Table 2 lists documents and resources that supplement the Cisco IOS software configuration guides and command references. These supplementary resources include release notes and caveats; master command lists; new, modified, removed, and replaced command lists; system messages; and the debug command reference.
Table 1 Cisco IOS and Cisco IOS XE Configuration Guides and Command References
Configuration Guide and Command Reference Titles Features/Protocols/Technologies
Cisco IOS AppleTalk Configuration Guide
Cisco IOS XE AppleTalk Configuration Guide
Cisco IOS AppleTalk Command Reference
AppleTalk protocol.
Cisco IOS Asynchronous Transfer Mode Configuration Guide
Cisco IOS Asynchronous Transfer Mode Command Reference
LAN ATM, multiprotocol over ATM (MPoA), and WAN ATM.
Cisco IOS Bridging and IBM Networking Configuration Guide
Cisco IOS Bridging Command Reference
Cisco IOS IBM Networking Command Reference
• Transparent and source-route transparent (SRT) bridging, source-route bridging (SRB), Token Ring Inter-Switch Link (TRISL), and token ring route switch module (TRRSM).
• Data-link switching plus (DLSw+), serial tunnel (STUN), block serial tunnel (BSTUN); logical link control, type 2 (LLC2), synchronous data link control (SDLC); IBM Network Media Translation, including Synchronous Data Logical Link Control (SDLLC) and qualified LLC (QLLC); downstream physical unit (DSPU), Systems Network Architecture (SNA) service point, SNA frame relay access, advanced peer-to-peer networking (APPN), native client interface architecture (NCIA) client/server topologies, and IBM Channel Attach.
Cisco IOS Broadband and DSL Configuration Guide
Cisco IOS XE Broadband and DSL Configuration Guide
Cisco IOS Broadband and DSL Command Reference
Point-to-Point Protocol (PPP) over ATM (PPPoA) and PPP over Ethernet (PPPoE).
Cisco IOS Carrier Ethernet Configuration Guide
Cisco IOS Carrier Ethernet Command Reference
Connectivity fault management (CFM), Ethernet Local Management Interface (ELMI), IEEE 802.3ad link bundling, Link Layer Discovery Protocol (LLDP), media endpoint discovery (MED), and operations, administration, and maintenance (OAM).
Cisco IOS Configuration Fundamentals Configuration Guide
Cisco IOS XE Configuration Fundamentals Configuration Guide
Cisco IOS Configuration Fundamentals Command Reference
Autoinstall, Setup, Cisco IOS command-line interface (CLI), Cisco IOS file system (IFS), Cisco IOS web browser user interface (UI), basic file transfer services, and file management.
Cisco IOS DECnet Configuration Guide
Cisco IOS XE DECnet Configuration Guide
Cisco IOS DECnet Command Reference
DECnet protocol.
Cisco IOS Dial Technologies Configuration Guide
Cisco IOS XE Dial Technologies Configuration Guide
Cisco IOS Dial Technologies Command Reference
Asynchronous communications, dial backup, dialer technology, dial-in terminal services and AppleTalk remote access (ARA), large scale dialout, dial-on-demand routing, dialout, modem and resource pooling, ISDN, multilink PPP (MLP), PPP, virtual private dialup network (VPDN).
Cisco IOS Flexible NetFlow Configuration Guide
Cisco IOS Flexible NetFlow Command Reference
Flexible NetFlow.
Cisco IOS H.323 Configuration Guide
Gatekeeper enhancements for managed voice services, Gatekeeper Transaction Message Protocol, gateway codec order preservation and shutdown control, H.323 dual tone multifrequency relay, H.323 version 2 enhancements, Network Address Translation (NAT) support of H.323 v2 Registration, Admission, and Status (RAS) protocol, tokenless call authorization, and VoIP gateway trunk and carrier-based routing.
Cisco IOS High Availability Configuration Guide
Cisco IOS XE High Availability Configuration Guide
Cisco IOS High Availability Command Reference
A variety of High Availability (HA) features and technologies that are available for different network segments (from enterprise access to service provider core) to facilitate creation of end-to-end highly available networks. Cisco IOS HA features and technologies can be categorized in three key areas: system-level resiliency, network-level resiliency, and embedded management for resiliency.
Cisco IOS Integrated Session Border Controller Command Reference
A VoIP-enabled device that is deployed at the edge of networks. An SBC is a toolkit of functions, such as signaling interworking, network hiding, security, and quality of service (QoS).
Cisco IOS Intelligent Service Gateway Configuration Guide
Cisco IOS Intelligent Service Gateway Command Reference
Subscriber identification, service and policy determination, session creation, session policy enforcement, session life-cycle management, accounting for access and service usage, session state monitoring.
Cisco IOS Interface and Hardware Component Configuration Guide
Cisco IOS XE Interface and Hardware Component Configuration Guide
Cisco IOS Interface and Hardware Component Command Reference
LAN interfaces, logical interfaces, serial interfaces, virtual interfaces, and interface configuration.
Cisco IOS IP Addressing Services Configuration Guide
Cisco IOS XE Addressing Services Configuration Guide
Cisco IOS IP Addressing Services Command Reference
Address Resolution Protocol (ARP), Network Address Translation (NAT), Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and Next Hop Address Resolution Protocol (NHRP).
Cisco IOS IP Application Services Configuration Guide
Cisco IOS XE IP Application Services Configuration Guide
Cisco IOS IP Application Services Command Reference
Enhanced Object Tracking (EOT), Gateway Load Balancing Protocol (GLBP), Hot Standby Router Protocol (HSRP), IP Services, Server Load Balancing (SLB), Stream Control Transmission Protocol (SCTP), TCP, Web Cache Communication Protocol (WCCP), User Datagram Protocol (UDP), and Virtual Router Redundancy Protocol (VRRP).
Cisco IOS IP Mobility Configuration Guide
Cisco IOS IP Mobility Command Reference
Mobile ad hoc networks (MANet) and Cisco mobile networks.
Cisco IOS IP Multicast Configuration Guide
Cisco IOS XE IP Multicast Configuration Guide
Cisco IOS IP Multicast Command Reference
Protocol Independent Multicast (PIM) sparse mode (PIM-SM), bidirectional PIM (bidir-PIM), Source Specific Multicast (SSM), Multicast Source Discovery Protocol (MSDP), Internet Group Management Protocol (IGMP), and Multicast VPN (MVPN).
Cisco IOS IP Routing Protocols Configuration Guide
Cisco IOS XE IP Routing Protocols Configuration Guide
Cisco IOS IP Routing Protocols Command Reference
Border Gateway Protocol (BGP), multiprotocol BGP, multiprotocol BGP extensions for IP multicast, bidirectional forwarding detection (BFD), Enhanced Interior Gateway Routing Protocol (EIGRP), Interior Gateway Routing Protocol (IGRP), Intermediate System-to-Intermediate System (IS-IS), on-demand routing (ODR), Open Shortest Path First (OSPF), and Routing Information Protocol (RIP).
Cisco IOS IP SLAs Configuration Guide
Cisco IOS XE IP SLAs Configuration Guide
Cisco IOS IP SLAs Command Reference
Cisco IOS IP Service Level Agreements (IP SLAs).
Cisco IOS IP Switching Configuration Guide
Cisco IOS XE IP Switching Configuration Guide
Cisco IOS IP Switching Command Reference
Cisco Express Forwarding, fast switching, and Multicast Distributed Switching (MDS).
Cisco IOS IPv6 Configuration Guide
Cisco IOS XE IPv6 Configuration Guide
Cisco IOS IPv6 Command Reference
For IPv6 features, protocols, and technologies, go to the IPv6 “Start Here” document at the following URL:
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html
Cisco IOS ISO CLNS Configuration Guide
Cisco IOS XE ISO CLNS Configuration Guide
Cisco IOS ISO CLNS Command Reference
ISO connectionless network service (CLNS).
Cisco IOS LAN Switching Configuration Guide
Cisco IOS XE LAN Switching Configuration Guide
Cisco IOS LAN Switching Command Reference
VLANs, Inter-Switch Link (ISL) encapsulation, IEEE 802.10 encapsulation, IEEE 802.1Q encapsulation, and multilayer switching (MLS).
Cisco IOS Mobile Wireless Gateway GPRS Support Node Configuration Guide
Cisco IOS Mobile Wireless Gateway GPRS Support Node Command Reference
Cisco IOS Gateway GPRS Support Node (GGSN) in a 2.5-generation general packet radio service (GPRS) and 3-generation universal mobile telecommunication system (UMTS) network.
Cisco IOS Mobile Wireless Home Agent Configuration Guide
Cisco IOS Mobile Wireless Home Agent Command Reference
Cisco Mobile Wireless Home Agent, an anchor point for mobile terminals for which mobile IP or proxy mobile IP services are provided.
Cisco IOS Mobile Wireless Packet Data Serving Node Configuration Guide
Cisco IOS Mobile Wireless Packet Data Serving Node Command Reference
Cisco Packet Data Serving Node (PDSN), a wireless gateway that is between the mobile infrastructure and standard IP networks and that enables packet data services in a code division multiple access (CDMA) environment.
Cisco IOS Mobile Wireless Radio Access Networking Configuration Guide
Cisco IOS Mobile Wireless Radio Access Networking Command Reference
Cisco IOS radio access network products.
Cisco IOS Multiprotocol Label Switching Configuration Guide
Cisco IOS XE Multiprotocol Label Switching Configuration Guide
Cisco IOS Multiprotocol Label Switching Command Reference
MPLS Label Distribution Protocol (LDP), MPLS Layer 2 VPNs, MPLS Layer 3 VPNs, MPLS Traffic Engineering (TE), and MPLS Embedded Management (EM) and MIBs.
Cisco IOS Multi-Topology Routing Configuration Guide
Cisco IOS Multi-Topology Routing Command Reference
Unicast and multicast topology configurations, traffic classification, routing protocol support, and network management support.
Cisco IOS NetFlow Configuration Guide
Cisco IOS XE NetFlow Configuration Guide
Cisco IOS NetFlow Command Reference
Network traffic data analysis, aggregation caches, export features.
Cisco IOS Network Management Configuration Guide
Cisco IOS XE Network Management Configuration Guide
Cisco IOS Network Management Command Reference
Basic system management; system monitoring and logging; troubleshooting, logging, and fault management; Cisco Discovery Protocol; Cisco IOS Scripting with Tool Control Language (Tcl); Cisco networking services (CNS); DistributedDirector; Embedded Event Manager (EEM); Embedded Resource Manager (ERM); Embedded Syslog Manager (ESM); HTTP; Remote Monitoring (RMON); SNMP; and VPN Device Manager Client for Cisco IOS Software (XSM Configuration).
Cisco IOS Novell IPX Configuration Guide
Cisco IOS XE Novell IPX Configuration Guide
Cisco IOS Novell IPX Command Reference
Novell Internetwork Packet Exchange (IPX) protocol.
Cisco IOS Optimized Edge Routing Configuration Guide
Cisco IOS Optimized Edge Routing Command Reference
Optimized edge routing (OER) monitoring, policy configuration, routing control, logging and reporting, and VPN IPsec/generic routing encapsulation (GRE) tunnel interface optimization.
Cisco IOS Quality of Service Solutions Configuration Guide
Cisco IOS XE Quality of Service Solutions Configuration Guide
Cisco IOS Quality of Service Solutions Command Reference
Class-based weighted fair queuing (CBWFQ), custom queuing, distributed traffic shaping (DTS), generic traffic shaping (GTS), IP-to-ATM class of service (CoS), low latency queuing (LLQ), modular QoS CLI (MQC), Network-Based Application Recognition (NBAR), priority queuing, Security Device Manager (SDM), Multilink PPP (MLPPP) for QoS, header compression, AutoQoS, QoS features for voice, Resource Reservation Protocol (RSVP), weighted fair queuing (WFQ), and weighted random early detection (WRED).
Cisco IOS Security Configuration Guide
Cisco IOS XE Security Configuration Guide
Cisco IOS Security Command Reference
Access control lists (ACLs), authentication, authorization, and accounting (AAA), firewalls, IP security and encryption, neighbor router authentication, network access security, network data encryption with router authentication, public key infrastructure (PKI), RADIUS, TACACS+, terminal access security, and traffic filters.
Cisco IOS Service Selection Gateway Configuration Guide
Cisco IOS Service Selection Gateway Command Reference
Subscriber authentication, service access, and accounting.
Cisco IOS Software Activation Configuration Guide
Cisco IOS Software Activation Command Reference
An orchestrated collection of processes and components to activate Cisco IOS software feature sets by obtaining and validating Cisco software licenses.
Cisco IOS Software Modularity Installation and Configuration Guide
Cisco IOS Software Modularity Command Reference
Installation and basic configuration of software modularity images, including installations on single and dual route processors, installation rollbacks, software modularity binding, software modularity processes and patches.
Cisco IOS Terminal Services Configuration Guide
Cisco IOS Terminal Services Command Reference
Cisco IOS XE Terminal Services Command Reference
DEC, local-area transport (LAT), and X.25 packet assembler/disassembler (PAD).
Cisco IOS Virtual Switch Command Reference
Virtual switch redundancy, high availability, and packet handling; converting between standalone and virtual switch modes; virtual switch link (VSL); Virtual Switch Link Protocol (VSLP).
Note For information about virtual switch configuration, refer to the product-specific software configuration information for the Cisco Catalyst 6500 series switch or for the Metro Ethernet 6500 series switch.
Cisco IOS Voice Configuration Library
Cisco IOS Voice Command Reference
Cisco IOS support for voice call control protocols, interoperability, physical and virtual interface management, and troubleshooting. The library includes documentation for IP telephony applications.
Cisco IOS VPDN Configuration Guide
Cisco IOS XE VPDN Configuration Guide
Cisco IOS VPDN Command Reference
Layer 2 Tunneling Protocol (L2TP) dial-out load balancing and redundancy, L2TP extended failover, L2TP security VPDN, multihop by Dialed Number Identification Service (DNIS), timer and retry enhancements for L2TP and Layer 2 Forwarding (L2F), RADIUS Attribute 82: tunnel assignment ID, shell-based authentication of VPDN users, tunnel authentication via RADIUS on tunnel terminator.
Cisco IOS Wide-Area Networking Configuration Guide
Cisco IOS XE Wide-Area Networking Configuration Guide
Cisco IOS Wide-Area Networking Command Reference
Frame Relay, Layer 2 Tunneling Protocol Version 3 (L2TPv3), Link Access Procedure, Balanced (LAPB), Switched Multimegabit Data Service (SMDS), and X.25.
Cisco IOS Wireless LAN Configuration Guide
Cisco IOS Wireless LAN Command Reference
Broadcast key rotation, IEEE 802.11x support, IEEE 802.1x authenticator, IEEE 802.1x local authentication service for Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST), Multiple Basic Service Set ID (BSSID), Wi-Fi Multimedia (WMM) required elements, and Wi-Fi Protected Access (WPA).
Additional Resources and Documentation Feedback
What’s New in Cisco Product Documentation is published monthly and describes all new and revised Cisco technical documentation. The What’s New in Cisco Product Documentation publication also provides information about obtaining the following resources:
• Technical documentation
• Cisco product security overview
• Product alerts and field notices
• Technical assistance
Cisco IOS technical documentation includes embedded feedback forms where you can rate documents and provide suggestions for improvement. Your feedback helps us improve our documentation.
Table 2 Cisco IOS Supplementary Documents and Resources
Document Title Description
Cisco IOS Master Command List, All Releases
Alphabetical list of all the commands documented in all Cisco IOS releases.
Cisco IOS New, Modified, Removed, and Replaced Commands
List of all the new, modified, removed, and replaced commands for a Cisco IOS release.
Cisco IOS Software System Messages
List of Cisco IOS system messages and descriptions. System messages may indicate problems with your system; be informational only; or may help diagnose problems with communications lines, internal hardware, or the system software.
Cisco IOS Debug Command Reference
Alphabetical list of debug commands including brief descriptions of use, command syntax, and usage guidelines.
Release Notes and Caveats
Information about new and changed features, system requirements, and other useful information about specific software releases; information about defects in specific Cisco IOS software releases.
MIBs
Files used for network monitoring. To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator at the following URL:
http://www.cisco.com/go/mibs
RFCs
Standards documents maintained by the Internet Engineering Task Force (IETF) that Cisco IOS documentation references where applicable. The full text of referenced RFCs may be obtained at the following URL:
http://www.rfc-editor.org/
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0807R) Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. © 2007–2008 Cisco Systems, Inc. All rights reserved.
Using the Command-Line Interface in Cisco IOS and Cisco IOS XE Software
Last updated: August 6, 2008
This document provides basic information about the command-line interface (CLI) in Cisco IOS and Cisco IOS XE software and how you can use some of the CLI features. This document contains the following sections:
• Initially Configuring a Device
• Using the CLI
• Saving Changes to a Configuration
• Additional Information
For more information about using the CLI, see the “Using the Cisco IOS Command-Line Interface” section of the Cisco IOS Configuration Fundamentals Configuration Guide.
For information about the software documentation set, see the “About Cisco IOS and Cisco IOS XE Software Documentation” document.
Initially Configuring a Device
Initially configuring a device varies by platform. For information about performing an initial configuration, see the hardware installation documentation that is provided with the original packaging of the product or go to the Product Support area of Cisco.com at http://www.cisco.com/web/psa/products/index.html.
After you have performed the initial configuration and connected the device to your network, you can configure the device by using the console port or a remote access method, such as Telnet or Secure Shell (SSH), to access the CLI or by using the configuration method provided on the device, such as Security Device Manager.
Changing the Default Settings for a Console or AUX Port
There are only two changes that you can make to a console port and an AUX port:
• Change the port speed with the config-register 0x command. Changing the port speed is not recommended. The well-known default speed is 9600.
• Change the behavior of the port; for example, by adding a password or changing the timeout value.
Note The AUX port on the Route Processor (RP) installed in a Cisco ASR1000 series router does not serve any useful customer purpose and should be accessed only under the advisement of a customer support representative.
Using the CLI
This section describes the following topics:
• Understanding Command Modes
• Using the Interactive Help Feature
• Understanding Command Syntax
• Understanding Enable and Enable Secret Passwords
• Using the Command History Feature
• Abbreviating Commands
• Using Aliases for CLI Commands
• Using the no and default Forms of Commands
• Using the debug Command
• Filtering Output Using Output Modifiers
• Understanding CLI Error Messages
Understanding Command Modes
The CLI command mode structure is hierarchical, and each mode supports a set of specific commands. This section describes the most common of the many modes that exist.
Table 1 lists common command modes with associated CLI prompts, access and exit methods, and a brief description of how each mode is used.
Table 1 CLI Command Modes

Command Mode: User EXEC
Access Method: Log in.
Prompt: Router>
Exit Method: Issue the logout or exit command.
Mode Usage:
• Change terminal settings.
• Perform basic tests.
• Display device status.

Command Mode: Privileged EXEC
Access Method: From user EXEC mode, issue the enable command.
Prompt: Router#
Exit Method: Issue the disable command or the exit command to return to user EXEC mode.
Mode Usage:
• Issue show and debug commands.
• Copy images to the device.
• Reload the device.
• Manage device configuration files.
• Manage device file systems.

Command Mode: Global configuration
Access Method: From privileged EXEC mode, issue the configure terminal command.
Prompt: Router(config)#
Exit Method: Issue the exit command or the end command to return to privileged EXEC mode.
Mode Usage: Configure the device.

Command Mode: Interface configuration
Access Method: From global configuration mode, issue the interface command.
Prompt: Router(config-if)#
Exit Method: Issue the exit command to return to global configuration mode or the end command to return to privileged EXEC mode.
Mode Usage: Configure individual interfaces.

Command Mode: Line configuration
Access Method: From global configuration mode, issue the line vty or line console command.
Prompt: Router(config-line)#
Exit Method: Issue the exit command to return to global configuration mode or the end command to return to privileged EXEC mode.
Mode Usage: Configure individual terminal lines.

Command Mode: ROM monitor
Access Method: From privileged EXEC mode, issue the reload command. Press the Break key during the first 60 seconds while the system is booting.
Prompt: rommon # >
The # symbol represents the line number and increments at each prompt.
Exit Method: Issue the continue command.
Mode Usage:
• Run as the default operating mode when a valid image cannot be loaded.
• Access the fall-back procedure for loading an image when the device lacks a valid image and cannot be booted.
• Perform password recovery when a CTRL-Break sequence is issued within 60 seconds of a power-on or reload event.

Command Mode: Diagnostic (available only on the Cisco ASR1000 series router)
Access Method: The router boots or enters diagnostic mode in the following scenarios. When a Cisco IOS process or processes fail, in most scenarios the router will reload.
• A user-configured access policy was configured using the transport-map command, which directed the user into diagnostic mode.
• The router was accessed using an RP auxiliary port.
• A break signal (Ctrl-C, Ctrl-Shift-6, or the send break command) was entered, and the router was configured to enter diagnostic mode when the break signal was received.
Prompt: Router(diag)#
Exit Method: If a Cisco IOS process failure is the reason for entering diagnostic mode, the failure must be resolved and the router must be rebooted to exit diagnostic mode.
If the router is in diagnostic mode because of a transport-map configuration, access the router through another port or using a method that is configured to connect to the Cisco IOS CLI.
If the RP auxiliary port was used to access the router, use another port for access. Accessing the router through the auxiliary port is not useful for customer purposes.
Mode Usage:
• Inspect various states on the router, including the Cisco IOS state.
• Replace or roll back the configuration.
• Provide methods of restarting the Cisco IOS software or other processes.
• Reboot hardware, such as the entire router, an RP, an ESP, a SIP, a SPA, or possibly other hardware components.
• Transfer files into or off of the router using remote access methods such as FTP, TFTP, and SCP.
EXEC commands are not saved when the software reboots. Commands that you issue in a configuration mode can be saved to the startup configuration. If you save the running configuration to the startup configuration, these commands will execute when the software is rebooted. Global configuration mode is the highest level of configuration mode. From global configuration mode, you can enter a variety of other configuration modes, including protocol-specific modes.
ROM monitor mode is a separate mode that is used when the software cannot load properly. If a valid software image is not found when the software boots or if the configuration file is corrupted at startup, the software might enter ROM monitor mode. Use the question symbol (?) to view the commands that you can use while the device is in ROM monitor mode.
rommon 1 > ?
alias     set and display aliases command
boot      boot up an external process
confreg   configuration register utility
cont      continue executing a downloaded image
context   display the context of a loaded image
cookie    display contents of cookie PROM in hex
.
.
.
rommon 2 >
The following example shows how the command prompt changes to indicate a different command mode:
Router> enable
Router# configure terminal
Router(config)# interface ethernet 1/1
Router(config-if)# ethernet
Router(config-line)# exit
Router(config)# end
Router#
Note A keyboard alternative to the end command is Ctrl-Z.
Using the Interactive Help Feature
The CLI includes an interactive Help feature. Table 2 describes how to use the Help feature.
Table 2 CLI Interactive Help Commands
Command Purpose
help Provides a brief description of the help feature in any command mode.
? Lists all commands available for a particular command mode.
partial command? Provides a list of commands that begin with the character string (no space between the command and the question mark).
partial command<Tab> Completes a partial command name (no space between the command and <Tab>).
command ? Lists the keywords, arguments, or both associated with the command (space between the command and the question mark).
command keyword ? Lists the arguments that are associated with the keyword (space between the keyword and the question mark).
The following examples show how to use the help commands:
help
Router> help
Help may be requested at any point in a command by entering a question mark '?'. If nothing matches, the help list will be empty and you must backup until entering a '?' shows the available options.
Two styles of help are provided:
1. Full help is available when you are ready to enter a command argument (e.g. 'show ?') and describes each possible argument.
2. Partial help is provided when an abbreviated argument is entered and you want to know what arguments match the input (e.g. 'show pr?'.)

?
Router# ?
Exec commands:
  access-enable    Create a temporary access-List entry
  access-profile   Apply user-profile to interface
  access-template  Create a temporary access-List entry
  alps             ALPS exec commands
  archive          manage archive files
<snip>

partial command?
Router(config)# zo?
zone zone-pair

partial command<Tab>
Router(config)# we<Tab> webvpn

command ?
Router(config-if)# pppoe ?
  enable        Enable pppoe
  max-sessions  Maximum PPPOE sessions

command keyword ?
Router(config-if)# pppoe enable ?
  group  attach a BBA group
  <cr>
Understanding Command Syntax
Command syntax is the format in which a command should be entered in the CLI. Commands include the name of the command, keywords, and arguments. Keywords are alphanumeric strings that are used literally. Arguments are placeholders for values that a user must supply. Keywords and arguments may be required or optional.
Specific conventions convey information about syntax and command elements. Table 3 describes these conventions.
The following examples show syntax conventions:
Router(config)# ethernet cfm domain ?
  WORD  domain name
Router(config)# ethernet cfm domain dname ?
  level
Router(config)# ethernet cfm domain dname level ?
  <0-7>  maintenance level number
Router(config)# ethernet cfm domain dname level 7 ?
  <cr>
Router(config)# snmp-server file-transfer access-group 10 ?
  protocol  protocol options
  <cr>
Router(config)# logging host ?
  Hostname or A.B.C.D  IP address of the syslog server
  ipv6                 Configure IPv6 syslog server
Router(config)# snmp-server file-transfer access-group 10 ?
  protocol  protocol options
  <cr>
Table 3 CLI Syntax Conventions

Symbol/Text: < > (angle brackets)
Function: Indicate that the option is an argument.
Notes: Sometimes arguments are displayed without angle brackets.

Symbol/Text: A.B.C.D.
Function: Indicates that you must enter a dotted decimal IP address.
Notes: Angle brackets (< >) are not always used to indicate that an IP address is an argument.

Symbol/Text: WORD (all capital letters)
Function: Indicates that you must enter one word.
Notes: Angle brackets (< >) are not always used to indicate that a WORD is an argument.

Symbol/Text: LINE (all capital letters)
Function: Indicates that you must enter more than one word.
Notes: Angle brackets (< >) are not always used to indicate that a LINE is an argument.

Symbol/Text: <cr> (carriage return)
Function: Indicates the end of the list of available keywords and arguments, and also indicates when keywords and arguments are optional. When <cr> is the only option, you have reached the end of the branch or the end of the command if the command has only one branch.
Notes: None.
Understanding Enable and Enable Secret Passwords
Some privileged EXEC commands are used for actions that impact the system, and it is recommended that you set a password for these commands to prevent unauthorized use. Two types of passwords, enable (not encrypted) and enable secret (encrypted), can be set. The following commands set these passwords and are issued in global configuration mode:
• enable password
• enable secret password
Using an enable secret password is recommended because it is encrypted and more secure than the enable password. When you use an enable secret password, text is encrypted (unreadable) before it is written to the config.text file. When you use an enable password, the text is written as entered (readable) to the config.text file.
Each type of password is case sensitive, can contain from 1 to 25 uppercase and lowercase alphanumeric characters, and can start with a number. Spaces are also valid password characters; for example, “two words” is a valid password. Leading spaces are ignored, but trailing spaces are recognized.
Note Both password commands have numeric keywords that are single integer values. If you choose a number for the first character of your password followed by a space, the system will read the number as if it were the numeric keyword and not as part of your password.
When both passwords are set, the enable secret password takes precedence over the enable password.
To remove a password, use the no form of the commands: no enable password or no enable secret password.
For more information about password recovery procedures for Cisco products, see http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00801746e6.shtml.
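The password rules above can be checked against a saved configuration. The following is an added example, not Cisco tooling or code from this guide: a small Python auditor that flags enable password lines, reports whether an enable secret at the same privilege level takes precedence over them, and parses the string the way the section describes (leading spaces ignored, trailing spaces kept, a leading digit followed by a space read as the numeric keyword). The optional level keyword, the default level of 15, the finding codes, and the sample configuration are assumptions or constructed values that do not appear on this page.

```python
import re

# enable {password | secret} [level N] [numeric-keyword] string
# Leading spaces before the string are ignored; trailing spaces are kept.
ENABLE_RE = re.compile(
    r"^enable\s+(?P<kind>password|secret)"
    r"(?:\s+level\s+(?P<level>\d+))?"   # assumption: optional privilege level
    r"(?:\s+(?P<type>\d)(?=\s))?"       # single-digit numeric keyword
    r"\s+(?P<value>\S.*)$"
)


def parse_enable_line(line):
    """Return the parsed fields of an enable password/secret line, or None."""
    m = ENABLE_RE.match(line)
    if not m:
        return None
    return {
        "kind": m["kind"],
        "level": int(m["level"] or 15),  # assumption: default level is 15
        "type": m["type"],               # None when no numeric keyword is given
        "value": m["value"],
    }


def audit_enable(config_text):
    """Return (line number, finding code) pairs; codes are hypothetical names."""
    entries = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        parsed = parse_enable_line(line)
        if parsed:
            entries.append((lineno, parsed))
    if not entries:
        return [(0, "NO_ENABLE_AUTH")]  # nothing protects privileged EXEC

    secret_levels = {e["level"] for _, e in entries if e["kind"] == "secret"}
    findings = []
    for lineno, e in entries:
        if e["kind"] != "password":
            continue
        # Written as entered (readable) versus stored under a numeric keyword.
        # A keyword such as 7 marks a reversible encoding, not a hash.
        readable = e["type"] in (None, "0")
        findings.append((lineno, "CLEARTEXT" if readable else "ENCODED"))
        # The enable secret takes precedence when both are set, so the
        # enable password line is unused but still exposes a credential.
        shadowed = e["level"] in secret_levels
        findings.append((lineno, "SHADOWED" if shadowed else "NO_SECRET"))
    return findings


# Constructed sample configuration; every value is a placeholder.
SAMPLE_CONFIG = "\n".join([
    "hostname R1",
    "enable secret 5 $1$CONSTRUCTED$placeholderplaceholder0",
    "enable password lab-Pass 1",
    "enable password level 5 7 0000CONSTRUCTED",
    "!",
    "line vty 0 4",
    " password vtypass",
])

if __name__ == "__main__":
    for lineno, code in audit_enable(SAMPLE_CONFIG):
        print(f"line {lineno}: {code}")
```

CLEARTEXT together with SHADOWED is the usual clean-up case: the line no longer controls access, so removing it with no enable password costs nothing and removes a readable credential from the file.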
Using the Command History Feature
The CLI command history feature saves the commands you enter during a session in a command history buffer. The default number of commands saved is 10, but the number is configurable within the range of 0 to 256. This command history feature is particularly useful for recalling long or complex commands.
To change the number of commands saved in the history buffer for a terminal session, issue the terminal history size command:
Router# terminal history size num
A command history buffer is also available in line configuration mode with the same default and configuration options. To set the command history buffer size for a terminal session in line configuration mode, issue the history command:
Router(config-line)# history [size num]
To recall commands from the history buffer, use the following methods:
• Press Ctrl-P or the up arrow key—Recalls commands beginning with the most recent command. Repeat the key sequence to recall successively older commands.
• Press Ctrl-N or the down arrow key—Recalls the most recent commands in the history buffer after they have been recalled using Ctrl-P or the up arrow key. Repeat the key sequence to recall successively more recent commands.
Note The arrow keys function only on ANSI-compatible terminals such as the VT100.
• Issue the show history command in user EXEC or privileged EXEC mode—Lists the most recent commands that you entered. The number of commands that are displayed is determined by the setting of the terminal history size and history commands.
The CLI command history feature is enabled by default. To disable this feature for a terminal session, issue the terminal no history command in user EXEC or privileged EXEC mode or the no history command in line configuration mode.
Abbreviating Commands
Typing a complete command name is not always required for the command to execute. The CLI recognizes an abbreviated command when the abbreviation contains enough characters to uniquely identify the command. For example, the show version command can be abbreviated as sh ver. It cannot be abbreviated as s ver because s could mean show, set, or systat. The sh v abbreviation also is not valid because the show command has vrrp as a keyword in addition to version. (Command and keyword examples from Cisco IOS Release 12.4(13)T.)
Using Aliases for CLI Commands
To save time and the repetition of entering the same command multiple times, you can use a command alias. An alias can be configured to do anything that can be done at the command line, but an alias cannot move between modes, type in passwords, or perform any interactive functions.
Table 4 shows the default command aliases.
To create a command alias, issue the alias command in global configuration mode. The syntax of the command is alias mode command-alias original-command. Following are some examples:
• Router(config)# alias exec prt partition—privileged EXEC mode
• Router(config)# alias configure sb source-bridge—global configuration mode
• Router(config)# alias interface rl rate-limit—interface configuration mode
Table 4 Default Command Aliases
Command Alias Original Command
h help
lo logout
p ping
s show
u or un undebug
w where
To view both default and user-created aliases, issue the show alias command.
For more information about the alias command, see http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_book.html.
Using the no and default Forms of Commands
Most configuration commands have a no form that is used to reset a command to its default value or disable a feature or function. For example, the ip routing command is enabled by default. To disable this command, you would issue the no ip routing command. To re-enable IP routing, you would issue the ip routing command.
Configuration commands may also have a default form, which returns the command settings to their default values. For commands that are disabled by default, using the default form has the same effect as using the no form of the command. For commands that are enabled by default and have default settings, the default form enables the command and returns the settings to their default values.
The no and default forms of commands are described in the command pages of command references.
Using the debug Command
A debug command produces extensive output that helps you troubleshoot problems in your network. These commands are available for many features and functions within Cisco IOS and Cisco IOS XE software. Some debug commands are debug all, debug aaa accounting, and debug mpls packets. To use debug commands during a Telnet session with a device, you must first enter the terminal monitor command. To turn off debugging completely, you must enter the undebug all command.
For more information about debug commands, see the Cisco IOS Debug Command Reference at http://www.cisco.com/en/US/docs/ios/debug/command/reference/db_book.html.
Caution Debugging is a high priority and high CPU utilization process that can render your device unusable. Use debug commands only to troubleshoot specific problems. The best times to run debugging are during periods of low network traffic and when few users are interacting with the network. Debugging during these periods decreases the likelihood that the debug command processing overhead will affect network performance or user access or response times.
Filtering Output Using Output Modifiers
Many commands produce lengthy output that may use several screens to display. Using output modifiers, you can filter this output to show only the information that you want to see.
Three output modifiers are available and are described as follows:
• begin regular expression—Displays the first line in which a match of the regular expression is found and all lines that follow.
• include regular expression—Displays all lines in which a match of the regular expression is found.
• exclude regular expression—Displays all lines except those in which a match of the regular expression is found.
To use one of these output modifiers, type the command followed by the pipe symbol (|), the modifier, and the regular expression that you want to search for or filter. A regular expression is a case-sensitive alphanumeric pattern. It can be a single character or number, a phrase, or a more complex string.
The following example illustrates how to filter output of the show interface command to display only lines that include the expression “protocol.”
Router# show interface | include protocol
FastEthernet0/0 is up, line protocol is up
Serial4/0 is up, line protocol is up
Serial4/1 is up, line protocol is up
Serial4/2 is administratively down, line protocol is down
Serial4/3 is administratively down, line protocol is down
Understanding CLI Error Messages
You may encounter some error messages while using the CLI. Table 5 shows the common CLI error messages.
For more system error messages, see the following documents:
• Cisco IOS Release 12.2SR System Message Guide
• Cisco IOS System Messages, Volume 1 of 2 (Cisco IOS Release 12.4)
• Cisco IOS System Messages, Volume 2 of 2 (Cisco IOS Release 12.4)
Table 5 Common CLI Error Messages

Error Message: % Ambiguous command: “show con”
Meaning: You did not enter enough characters for the command to be recognized.
How to Get Help: Reenter the command followed by a space and a question mark (?). The keywords that you are allowed to enter for the command appear.

Error Message: % Incomplete command.
Meaning: You did not enter all the keywords or values required by the command.
How to Get Help: Reenter the command followed by a space and a question mark (?). The keywords that you are allowed to enter for the command appear.

Error Message: % Invalid input detected at “^” marker.
Meaning: You entered the command incorrectly. The caret (^) marks the point of the error.
How to Get Help: Enter a question mark (?) to display all the commands that are available in this command mode. The keywords that you are allowed to enter for the command appear.
Saving Changes to a Configuration
To save changes that you made to the configuration of a device, you must issue the copy running-config startup-config command or the copy system:running-config nvram:startup-config command. When you issue these commands, the configuration changes that you made are saved to the startup configuration and are retained when the software reloads or when power to the device is turned off or interrupted. The following example shows the syntax of the copy running-config startup-config command:
Router# copy running-config startup-config
Destination filename [startup-config]?
You press Enter to accept the startup-config filename (the default), or type a new filename and then press Enter to accept that name. The following output is displayed indicating that the configuration was saved:
Building configuration...
[OK]
Router#
On most platforms, the configuration is saved to NVRAM. On platforms with a Class A flash file system, the configuration is saved to the location specified by the CONFIG_FILE environment variable. The CONFIG_FILE variable defaults to NVRAM.
Additional Information
• “Using the Cisco IOS Command-Line Interface” section of the Cisco IOS Configuration Fundamentals Configuration Guide:
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_cli-basics.html
or
“Using Cisco IOS XE Software” chapter of the Cisco ASR1000 Series Aggregation Services Routers Software Configuration Guide:
http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/using_cli.html
• Cisco Product Support Resources
http://www.cisco.com/web/psa/products/index.html
• Support area on Cisco.com (also search for documentation by task or product)
http://www.cisco.com/en/US/support/index.html
• White Paper: Cisco IOS Reference Guide
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml
• Software Download Center (downloads; tools; licensing, registration, advisory, and general information) (requires Cisco.com User ID and password)
http://www.cisco.com/kobayashi/sw-center/
• Error Message Decoder, a tool to help you research and resolve error messages for Cisco IOS software
http://www.cisco.com/pcgi-bin/Support/Errordecoder/index.cgi
• Command Lookup Tool, a tool to help you find detailed descriptions of Cisco IOS commands (requires Cisco.com user ID and password)
http://tools.cisco.com/Support/CLILookup
• Output Interpreter, a troubleshooting tool that analyzes command output of supported show commands
https://www.cisco.com/pcgi-bin/Support/OutputInterpreter/home.pl
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco IOS Flexible NetFlow Overview
First Published: June 19, 2006
Last Updated: October 10, 2008
NetFlow is a Cisco IOS technology that provides statistics on packets flowing through the router. NetFlow is the standard for acquiring IP operational data from IP networks. NetFlow provides network and security monitoring, network planning, traffic analysis, and IP accounting.
Flexible NetFlow improves on original NetFlow by adding the capability to customize the traffic analysis parameters for your specific requirements. Flexible NetFlow makes it easier to create more complex configurations for traffic analysis and data export through the use of reusable configuration components.
This module provides an overview of Flexible NetFlow and the advanced Flexible NetFlow features and services.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Information About Flexible NetFlow
• Where to Go Next
• Additional References
Information About Flexible NetFlow
The following sections contain information about Flexible NetFlow.
• Typical Uses for NetFlow
• Flows
• Original NetFlow and Flexible NetFlow
• Flexible NetFlow Components
• Security Detection with Flexible NetFlow
• Feature Comparison of Original NetFlow and Flexible NetFlow
Typical Uses for NetFlow
NetFlow is typically used for several key customer applications, including the following:
• Network monitoring. NetFlow data enables extensive near-real-time network monitoring capabilities. Flow-based analysis techniques are used to visualize traffic patterns associated with individual routers and switches and network-wide traffic patterns (providing aggregate traffic or application-based views) to provide proactive problem detection, efficient troubleshooting, and rapid problem resolution.
• Application monitoring and profiling. NetFlow data enables network managers to gain a detailed time-based view of application usage over the network. This information is used to plan, understand new services, and allocate network and application resources (for example, web server sizing and voice over IP (VoIP) deployment) to meet customer demands responsively.
• User monitoring and profiling. NetFlow data enables network engineers to gain detailed understanding of customer and user use of network and application resources. This information may then be used to efficiently plan and allocate access, backbone, and application resources and to detect and resolve potential security and policy violations.
• Network planning. NetFlow can be used to capture data over a long period of time, affording the opportunity to track and anticipate network growth and plan upgrades to increase the number of routing devices, ports, and higher-bandwidth interfaces. NetFlow services data optimizes network planning for peering, backbone upgrades, and routing policy. NetFlow helps to minimize the total cost of network operations while maximizing network performance, capacity, and reliability. NetFlow detects unwanted WAN traffic, validates bandwidth and quality of service (QoS), and allows the analysis of new network applications. NetFlow will give you valuable information to reduce the cost of operating your network.
• Security analysis. NetFlow identifies and classifies distributed denial of service (DDoS) attacks, viruses, and worms in real time. Changes in network behavior indicate anomalies that are clearly demonstrated in Flexible NetFlow data. The data is also a valuable forensic tool to understand and replay the history of security incidents.
• Billing and accounting. NetFlow data provides fine-grained metering (for instance, flow data includes details such as IP addresses, packet and byte counts, time stamps, type of service (ToS) and application ports) for highly flexible and detailed resource utilization accounting. Service providers may use the information for billing based on time of day, bandwidth usage, application usage, quality of service, and so on. Enterprise customers may use the information for departmental charge back or cost allocation for resource utilization.
• NetFlow data warehousing and data mining. NetFlow data (or derived information) can be warehoused for later retrieval and analysis in support of proactive marketing and customer service programs (for example, figuring out which applications and services are being used by internal and external users and targeting them for improved service, advertising, and so on). In addition, Flexible NetFlow data gives market researchers access to the “who,” “what,” “where,” and “how long” information relevant to enterprises and service providers.
Flows
Original NetFlow and Flexible NetFlow both use the concept of flows. A flow is defined as a stream of packets between a given source and a given destination.
Original NetFlow and Flexible NetFlow both use the values in key fields in IP datagrams, such as the IP source or destination address and the source or destination transport protocol port, as the criteria for determining when a new flow must be created in the cache while network traffic is being monitored. When the value of the data in the key field of a datagram is unique with respect to the flows that already exist, a new flow is created.
Original NetFlow and Flexible NetFlow both use non-key fields as the criteria for identifying fields from which data is captured from the flows. The flows are populated with data that is captured from the values in the non-key fields.
Figure 1 is an example of the process for inspecting packets and creating flow records in the cache. In this example, two unique flows are created in the cache because there are different values in the source and destination IP address key fields.
Figure 1 Packet Inspection
[Figure: two examples in which packets are inspected for the key fields source IP, destination IP, source port, destination port, Layer 3 protocol, ToS byte, and input interface (Packet 1: 10.1.1.1, 10.9.7.2, 23, 22078, TCP-6, 0, Ethernet 0). A flow record is created in the cache and each new flow is added to the NetFlow cache; the cache shown holds the flows 10.1.1.1 to 10.9.7.2 and 10.3.3.3 to 10.2.7.2, each with destination interface E1, protocol 6, ToS 0, and 11000 packets.]
Original NetFlow and Flexible NetFlow
Original NetFlow uses a fixed seven tuple of IP information to identify a flow. The new flexible concept allows the flow to be user defined. The benefits of Flexible NetFlow include:
• High-capacity flow recognition, including scalability and aggregation of flow information.
• Enhanced flow infrastructure for security monitoring and distributed DoS detection and identification.
• New information from packets to adapt flow information to a particular service or operation in the network. The flow information available will be customizable by Flexible NetFlow users.
• Extensive use of Cisco’s flexible and extensible NetFlow Version 9 export format.
• A comprehensive IP accounting feature that can be used to replace many accounting features, such as IP accounting, BGP Policy Accounting, and persistent caches.
Original NetFlow allows you to understand what the network is doing and thus to optimize network design and reduce operational costs. Flexible NetFlow allows you to understand network behavior with more efficiency, with specific flow information tailored for various services used in the network. The following are some example applications for a Flexible NetFlow feature:
• Flexible NetFlow enhances Cisco NetFlow as a security monitoring tool. For instance, new flow keys can be defined for packet length or MAC address, allowing users to search for a specific type of attack in the network.
• Flexible NetFlow allows you to quickly identify how much application traffic is being sent between hosts by specifically tracking TCP or user datagram protocol (UDP) applications by the class of service (CoS) in the packets.
• The accounting of traffic entering a multi-protocol label switching (MPLS) or IP core network and its destination for each next hop per class of service. This capability allows the building of an edge-to-edge traffic matrix.
Figure 2 is an example of how Flexible NetFlow might be deployed in a network.
Figure 2 Typical Deployment for Flexible NetFlow
[Figure: a network spanning WAN, ISP, Data Center, Campus, and Branch sites, annotated with four flow types and the fields each tracks. IP Flows: IP subnets, ports, protocol, interfaces, egress/ingress. Peering Flows: destination AS, destination traffic index, BGP next hop, DSCP. Security Flows: protocol, ports, IP address, TCP flags, packet section. Multicast Flows: protocol, ports, IP address, TCP flags, packet section.]
Flexible NetFlow Components
Flexible NetFlow consists of components that can be used together in several variations to perform traffic analysis and data export. The user-defined flow records and the component structure of Flexible NetFlow make it easy for you to create various configurations for traffic analysis and data export on a networking device with a minimum number of configuration commands. Each flow monitor can have a unique combination of flow record, flow exporter, and cache type. If you change a parameter such as the destination IP address for a flow exporter, it is automatically changed for all the flow monitors that use the flow exporter. The same flow monitor can be used in conjunction with different flow samplers to sample the same type of network traffic at different rates on different interfaces. The following sections provide more information on Flexible NetFlow components:
• Records
• Flow Monitors
• Flow Exporters
• Flow Samplers
Records
In Flexible NetFlow a combination of key and non-key fields is called a record. Flexible NetFlow records are assigned to Flexible NetFlow flow monitors to define the cache that is used for storing flow data. Flexible NetFlow includes several predefined records that can help you get started using Flexible NetFlow. To use Flexible NetFlow to its fullest potential, you need to create your own customized records.
• NetFlow Predefined Records
• User-Defined Records
NetFlow Predefined Records
Flexible NetFlow includes several predefined records that you can use right away to start monitoring traffic in your network. The predefined records are available to help you quickly deploy Flexible NetFlow and are easier to use than user-defined flow records. You can choose from a list of already defined records that may meet the needs for network monitoring. As Flexible NetFlow evolves, popular user-defined flow records will be made available as predefined records to make them easier to implement.
The predefined records ensure backward compatibility with your existing NetFlow collector configurations for the data that is exported. Each of the predefined records has a unique combination of key and non-key fields that offer you the built-in ability to monitor various types of traffic in your network without customizing Flexible NetFlow on your router.
Two of the predefined records (NetFlow original [1] and NetFlow IPv4/IPv6 original output) emulate original (ingress) NetFlow and the Egress NetFlow Accounting feature in original NetFlow, respectively. Some of the other Flexible NetFlow predefined records are based on the aggregation cache schemes available in original NetFlow. The Flexible NetFlow predefined records that are based on the aggregation cache schemes available in original NetFlow do not perform aggregation. Instead each flow is tracked separately by the predefined records.
[1] The “NetFlow Original” and “NetFlow IPv4/IPv6 original-input” predefined records are functionally equivalent.
If you want to learn more about the Flexible NetFlow predefined records, refer to the “Getting Started with Configuring Cisco IOS Flexible NetFlow” module or the “Configuring Cisco IOS Flexible NetFlow with Predefined Records” module.
User-Defined Records
Flexible NetFlow enables you to define your own records for a Flexible NetFlow flow monitor cache by specifying the key and non-key fields to customize the data collection to your specific requirements. When you define your own records for a Flexible NetFlow flow monitor cache, they are referred to as user-defined records. The values in non-key fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a non-key field does not create a new flow. In most cases the values for non-key fields are taken from only the first packet in the flow. Flexible NetFlow enables you to capture counter values such as the number of bytes and packets in a flow as non-key fields.
You can create user-defined records for applications such as QoS and bandwidth monitoring, application and end user traffic profiling, and security monitoring for denial of service (DoS) attacks. Flexible NetFlow also includes several predefined records that emulate original NetFlow.
Flexible NetFlow user-defined records provide the capability to monitor a contiguous section of a packet of a user-configurable size, and use it in a flow record as a key or a non-key field along with other fields and attributes of the packet. The section may potentially include any Layer 3 data from the packet.
The packet section fields allow the user to monitor any packet fields that are not covered by the Flexible NetFlow predefined keys. The ability to analyze packet fields that are not collected with the predefined keys enables more detailed traffic monitoring, facilitates the investigation of distributed denial of service (dDoS) attacks, and enables implementation of other security applications such as URL monitoring.
Flexible NetFlow provides predefined types of packet sections of a user-configurable size. The following Flexible NetFlow commands (used in flow record configuration mode) can be used to configure the predefined types of packet sections:
• collect ipv4 section header size header-size—Starts capturing the number of bytes specified by the header-size argument from the beginning of the IPv4 header of each packet.
• collect ipv4 section payload size payload-size—Starts capturing bytes immediately after the IPv4 header from each packet. The number of bytes captured is specified by the payload-size argument.
• collect ipv6 section header size header-size—Starts capturing the number of bytes specified by the header-size argument from the beginning of the IPv6 header of each packet.
• collect ipv6 section payload size payload-size—Starts capturing bytes immediately after the IPv6 header from each packet. The number of bytes captured is specified by the payload-size argument.
The header-size and payload-size values are the sizes in bytes of these fields in the flow record. If the corresponding fragment of the packet is smaller than the requested section size, Flexible NetFlow will fill the rest of the section field in the flow record with zeros. If the packet type does not match the requested section type, Flexible NetFlow will fill the entire section field in the flow record with zeros.
Flexible NetFlow adds a new Version 9 export format field type for the header and packet section types. Flexible NetFlow will communicate to the NetFlow collector the configured section sizes in the corresponding Version 9 export template fields. The payload sections will have a corresponding length field that can be used to collect the actual size of the collected section.
Flow Monitors
Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic monitoring. Flow monitors consist of a user-defined or predefined record, an optional flow exporter, and a cache that is automatically created at the time the flow monitor is applied to the first interface. Flow data is collected from the network traffic and added to the flow monitor cache during the monitoring process based on the key and non-key fields in the flow record.
Flexible NetFlow can be used to perform different types of analysis on the same traffic. In Figure 3, packet 1 is analyzed using a record designed for standard traffic analysis on the input interface and a record designed for security analysis on the output interface.
Figure 3 Example of Using Two Flow Monitors to Analyze the Same Traffic
[Figure: Flow Monitor 1 (Ethernet 0) feeds a traffic analysis cache using the key fields source IP, destination IP, source port, destination port, Layer 3 protocol, ToS byte, and input interface, with the non-key fields packets, bytes, time stamps, and next-hop address. Flow Monitor 2 (Ethernet 1) feeds a security analysis cache using the key fields source IP, destination IP, input interface, and SYN flag, with the non-key fields packets and time stamps. Packet 1 in the example has source IP 10.3.3.3, destination IP 10.2.2.2, source port 23, destination port 22078, Layer 3 protocol TCP-6, ToS byte 0, and input interface Ethernet 0.]
Figure 4 shows a more complex example of how you can apply different types of flow monitors with custom records.
Figure 4 Complex Example of Using Multiple Types of Flow Monitors with Custom Records
[Figure: network diagram showing WAN, ISP, Data Center, Campus, Branch, and Teleworker sites, labelled with Application Flows, Security Flows, Multicast Flows, IP Flows, and Peering Flows.]
There are three types of flow monitor caches. You change the type of cache used by the flow monitor after you create the flow monitor. The three types of flow monitor caches are as follows:
• Normal
• Immediate
• Permanent
Normal
The default cache type is “normal.” In this mode, the entries in the cache are aged out according to the timeout active and timeout inactive settings. When a cache entry is aged out, it is removed from the cache and exported via any exporters configured.
Immediate
A cache of type “immediate” ages out every record as soon as it is created. As a result, every flow contains just one packet. The commands that display the cache contents will provide a history of the packets seen.
This mode is desirable when you expect only very small flows and you want a minimum amount of latency between seeing a packet and exporting a report.
Caution This command may result in a large amount of export data that can overload low-speed links and overwhelm any systems that you are exporting to. We recommend that you configure sampling to reduce the number of packets that are processed.
Note The cache timeout settings have no effect in this mode.
Permanent
A cache of type “permanent” never ages out any flows. A permanent cache is useful when the number of flows you expect to see is low and there is a need to keep long-term statistics on the router. For example, if the only key field in the flow record is the 8-bit IP ToS field, only 256 flows can be monitored. To monitor the long-term usage of the IP ToS field in the network traffic, a permanent cache can be used. Permanent caches are useful for billing applications and for an edge-to-edge traffic matrix for a fixed set of flows that are being tracked. Update messages will be sent periodically to any flow exporters configured according to the “timeout update” setting.
Note When a cache becomes full in permanent mode, new flows will not be monitored. If this occurs, a “Flows not added” message will appear in the cache statistics.
Note A permanent cache uses update counters rather than delta counters. This means that when a flow is exported, the counters represent the totals seen for the full lifetime of the flow and not the additional packets and bytes seen since the last export was sent.
Flow Exporters
Flow exporters export the data in the flow monitor cache to a remote system, such as a server running NetFlow collector, for analysis and storage. Flow exporters are created as separate entities in the configuration. Flow exporters are assigned to flow monitors to provide data export capability for the flow monitors. You can create several flow exporters and assign them to one or more flow monitors to provide several export destinations. You can create one flow exporter and apply it to several flow monitors.
NetFlow Data Export Format Version 9
The basic output of NetFlow is a flow record. Several different formats for flow records have evolved as NetFlow has matured. The most recent evolution of the NetFlow export format is known as Version 9. The distinguishing feature of the NetFlow Version 9 export format is that it is template-based. Templates provide an extensible design to the record format, a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format. Using templates provides several key benefits:
• Third-party business partners who produce applications that provide collector or display services for NetFlow do not have to recompile their applications each time a new NetFlow feature is added. Instead, they should be able to use an external data file that documents the known template formats.
• New features can be added to NetFlow quickly without breaking current implementations.
• NetFlow is “future-proofed” against new or developing protocols because the Version 9 format can be adapted to provide support for them.
The Version 9 export format consists of a packet header followed by one or more template flow or data flow sets. A template flow set provides a description of the fields that will be present in future data flow sets. These data flow sets may occur later within the same export packet or in subsequent export packets. Template flow and data flow sets can be intermingled within a single export packet, as illustrated in Figure 5.
Figure 5 Version 9 Export Packet
NetFlow Version 9 will periodically export the template data so the NetFlow collector will understand what data is to be sent and also export the data flow set for the template. The key advantage to Flexible NetFlow is that the user configures a flow record, which is effectively converted to a Version 9 template and then forwarded to the collector. Figure 6 is a detailed example of the NetFlow Version 9 export format, including the header, template flow and data flow sets.
Note The NetFlow Version 5 export format is a fixed export format that would provide limited information for Flexible NetFlow data. This is why Flexible NetFlow uses the Version 9 export format.
Figure 6 Detailed Example of the NetFlow Version 9 Export Format
For more information on the Version 9 export format, refer to the white paper entitled Cisco IOS NetFlow Version 9 Flow-Record Format, available at this URL: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_white_paper09186a00800a3db9.shtml.
[Figure 5: an export packet laid out as Packet Header, Template FlowSet, Data FlowSet, Template FlowSet, Data FlowSet, Data FlowSet.]
[Figure 6: a NetFlow Version 9 header (Version 9, Count = 4 (FlowSets), System Uptime, UNIX Seconds, Package Sequence, Source ID); a template FlowSet (FlowSet ID = 0, Length = 28 bytes, Template ID = 256, Field Count = 5) listing IPv4_SRCADDR (0x0008), IPv4_DSTADDR (0x000C), IPv4_NEXT_HOP (0x000E), PKTS_32 (0x0002), and BYTES_32 (0x0001), each with Length = 4; and a data FlowSet (FlowSet ID = 256, Length = 64 bytes) holding three data records:
192.168.1.12, 10.5.12.254, 192.168.1.1, 5009, 5344385
192.168.1.27, 10.5.12.23, 192.168.1.1, 748, 388964
192.168.1.56, 10.5.12.65, 192.168.1.1, 5, 6534
The overview panel shows a header, a first template FlowSet with one template record, a first record FlowSet (Template ID 256) with three data records, a second template FlowSet with two template records, and a second record FlowSet (Template ID 257) with four data records.]
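The template and data FlowSet layout described above, decoded by a minimal collector (an added example, not Cisco code or part of the original guide). The packets are constructed from the Figure 6 values; the class and function names, the header timestamps and the buffering limit are assumptions, and field types use the RFC 3954 numbering, in which IPV4_NEXT_HOP is 15.

```python
import struct
from ipaddress import IPv4Address

# Field types as numbered in RFC 3954 (IPV4_NEXT_HOP is 15 there; Figure 6 prints 0x000E).
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 8: "IPV4_SRC_ADDR",
               12: "IPV4_DST_ADDR", 15: "IPV4_NEXT_HOP"}
MAX_PENDING = 64  # assumption: cap on data FlowSets buffered while a template is missing


class V9Collector:
    """Template-driven decoder for NetFlow Version 9 export packets (illustrative)."""
    def __init__(self):
        self.templates = {}  # (source_id, template_id) -> [(field_type, length), ...]
        self.pending = []    # (source_id, flowset_id, body) awaiting a template

    def feed(self, packet):
        """Parse one export packet and return every data record it makes decodable."""
        if len(packet) < 20 or packet[:2] != b"\x00\x09":
            raise ValueError("not a complete NetFlow Version 9 header")
        _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HIIII", packet, 2)
        records, offset = [], 20
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack_from("!HH", packet, offset)
            if length < 4 or offset + length > len(packet):
                raise ValueError("FlowSet length runs outside the packet")
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:        # template FlowSet
                self._learn(source_id, body)
                records += self._drain_pending()
            elif flowset_id >= 256:    # data FlowSet; its ID names the template
                records += self._decode(source_id, flowset_id, body)
            offset += length           # IDs 1-255 (options templates, reserved) are skipped
        return records

    def _learn(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            pos += 4
            if template_id < 256:      # zero padding at the end of the FlowSet
                break
            if pos + 4 * field_count > len(body):
                raise ValueError("template field list is truncated")
            self.templates[(source_id, template_id)] = [
                struct.unpack_from("!HH", body, pos + 4 * i) for i in range(field_count)]
            pos += 4 * field_count

    def _decode(self, source_id, flowset_id, body):
        fields = self.templates.get((source_id, flowset_id))
        if fields is None:             # data arrived before its template
            if len(self.pending) < MAX_PENDING:
                self.pending.append((source_id, flowset_id, body))
            return []
        record_len = sum(length for _type, length in fields)
        if record_len == 0:
            return []
        records = []
        for start in range(0, len(body) - record_len + 1, record_len):  # short tail = padding
            record, pos = {}, start
            for field_type, length in fields:
                raw = body[pos:pos + length]
                name = FIELD_NAMES.get(field_type, f"type_{field_type}")
                if field_type in (8, 12, 15) and length == 4:  # IPv4 address fields
                    record[name] = str(IPv4Address(raw))
                else:
                    record[name] = int.from_bytes(raw, "big")
                pos += length
            records.append(record)
        return records

    def _drain_pending(self):
        waiting, self.pending = self.pending, []
        # _decode re-queues anything whose template is still unknown.
        return [rec for item in waiting for rec in self._decode(*item)]


def make_header(count, sequence, source_id=1):
    """Header: version 9, record count, sysUptime, UNIX seconds, sequence, source ID."""
    return struct.pack("!HHIIII", 9, count, 3600000, 1222819200, sequence, source_id)


# Constructed FlowSets carrying the values shown in Figure 6 (template ID 256, 5 fields).
TEMPLATE_FLOWSET = struct.pack("!HHHH", 0, 28, 256, 5) + b"".join(
    struct.pack("!HH", field_type, 4) for field_type in (8, 12, 15, 2, 1))
ROWS = [("192.168.1.12", "10.5.12.254", "192.168.1.1", 5009, 5344385),
        ("192.168.1.27", "10.5.12.23", "192.168.1.1", 748, 388964),
        ("192.168.1.56", "10.5.12.65", "192.168.1.1", 5, 6534)]
DATA_FLOWSET = struct.pack("!HH", 256, 64) + b"".join(
    b"".join(IPv4Address(a).packed for a in row[:3]) + struct.pack("!II", *row[3:])
    for row in ROWS)


def demo():
    collector = V9Collector()
    return (collector.feed(make_header(3, 1) + DATA_FLOWSET),      # template unknown: buffered
            collector.feed(make_header(1, 2) + TEMPLATE_FLOWSET),  # template releases the buffer
            collector.feed(make_header(4, 3) + TEMPLATE_FLOWSET + DATA_FLOWSET))
```

The first packet returns nothing because its data FlowSet arrives before the template; a collector that restarts mid-stream sees exactly this until the exporter next resends its templates.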
Flow Samplers
Flow samplers are used to reduce the load that Flexible NetFlow places on the networking device to monitor traffic by limiting the number of packets that are analyzed. You can configure a rate of sampling that is 1 out of a range of 2 to 32768 packets. For example, a sampling rate of 1 out of 2 results in the analysis of 50 percent of the packets processed by the networking device.
Flow samplers are applied to interfaces in conjunction with a flow monitor to implement Flexible NetFlow flow sampling. Packets are analyzed at the rate specified by the sampler and compared with the flow record associated with the flow monitor. If the analyzed packets meet the criteria specified by the flow record, they are added to the flow monitor cache.
Security Detection with Flexible NetFlow
Flexible NetFlow can be used as a network attack detection tool with capabilities to track all parts of the IP header and even packet sections and characterize this information into flows. Security detection systems can listen to Flexible NetFlow data, and upon finding an issue in the network, create a virtual bucket or virtual cache that will be configured to track specific information and identify details about the attack pattern or worm propagation. The capability to create caches dynamically with specific information combined with input filtering (for example, filtering all flows to a specific destination) makes Flexible NetFlow a powerful security detection tool.
One common type of attack occurs when TCP flags are used to flood open TCP requests to a destination server (for example, a SYN flood attack). The attacking device sends a stream of TCP SYNs to a given destination address but never sends the ACK in response to the server's SYN-ACK as part of the TCP three-way handshake. The flow information needed by the security detection server requires the tracking of three key fields: destination address or subnet, TCP flags, and packet count. The security detection server may be monitoring general Flexible NetFlow information, and this data may trigger a detailed view of this particular attack by dynamically creating a new flow monitor in the router’s configuration. The new flow monitor might include input filtering to limit what traffic is visible in the Flexible NetFlow cache along with the tracking of the specific information to diagnose the TCP-based attack. In this case the user may want to filter all flow information to the server destination address or subnet to limit the amount of information the security detection server needs to evaluate. If the security detection server decided it understood this attack, it might then program another flow monitor to collect and export payload information or sections of packets to take a deeper look at a signature within the packet. This example is just one of many possible ways that Flexible NetFlow can be used to detect security incidents.
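One way a security detection server could evaluate the three tracked fields named above (destination address or subnet, TCP flags, packet count), shown as an added example that is not Cisco code. The function names, thresholds and sample packets are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

SYN, ACK = 0x02, 0x10  # TCP flag bits


def build_flow_cache(packets):
    """Emulate a flow monitor whose record keys on (destination address, TCP flags).

    Each distinct key value creates a new flow; the packet counter is the
    non-key field that is updated as further packets match the flow.
    """
    cache = Counter()
    for dst, tcp_flags in packets:
        cache[(dst, tcp_flags)] += 1
    return cache


def detect_syn_flood(cache, min_syn=1000, max_completion=0.1, prefix_len=32):
    """Return targets that receive many SYN-only packets but few ACKs.

    prefix_len=32 tracks single destination addresses; a shorter prefix
    aggregates the flows per destination subnet.
    """
    totals = defaultdict(lambda: {"syn_only": 0, "ack": 0})
    for (dst, flags), packets in cache.items():
        target = str(ip_network(f"{dst}/{prefix_len}", strict=False))
        if flags & SYN and not flags & ACK:
            totals[target]["syn_only"] += packets   # handshake opened by a client
        elif flags & ACK and not flags & SYN:
            totals[target]["ack"] += packets        # client answered the SYN-ACK
    alerts = []
    for target, t in totals.items():
        completion = t["ack"] / t["syn_only"] if t["syn_only"] else float("inf")
        if t["syn_only"] >= min_syn and completion <= max_completion:
            alerts.append({"target": target, **t, "completion": round(completion, 4)})
    return sorted(alerts, key=lambda a: a["syn_only"], reverse=True)


# Constructed observations of (destination address, TCP flags) for packets
# travelling towards servers; the addresses are illustrative only.
SAMPLE_PACKETS = (
    [("10.2.2.2", SYN)] * 5000 + [("10.2.2.2", ACK)] * 12      # SYNs with almost no ACKs
    + [("10.2.2.3", SYN)] * 600                                # same subnet, under the per-host threshold
    + [("10.9.7.2", SYN)] * 1200 + [("10.9.7.2", ACK)] * 9500  # busy server completing handshakes
)

if __name__ == "__main__":
    flow_cache = build_flow_cache(SAMPLE_PACKETS)
    print(detect_syn_flood(flow_cache))                 # per destination address
    print(detect_syn_flood(flow_cache, prefix_len=24))  # per destination subnet
```

Aggregating by subnet surfaces SYN traffic that is spread across neighbouring addresses and would stay under a per-host threshold.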
Feature Comparison of Original NetFlow and Flexible NetFlow
Table 1 provides a feature-by-feature comparison of original NetFlow and Flexible NetFlow.
Table 1 Feature-by-Feature Comparison of Original NetFlow and Flexible NetFlow
Feature | Original NetFlow | Flexible NetFlow | Comments
NetFlow Data Capture | Supported | Supported | Data capture is available with the predefined [1] and user-defined records in Flexible NetFlow.
NetFlow Data Export | Supported | Supported | Flow exporters export data from the Flexible NetFlow flow monitor caches to remote systems.
NetFlow for IPv6 | Supported | Supported | IPv6 support was removed from original NetFlow in Cisco IOS Release 12.4(20)T. The Flexible NetFlow - IPv6 Unicast Flows feature implemented IPv6 support for Flexible NetFlow in Cisco IOS Release 12.4(20)T.
MPLS-Aware NetFlow | Supported | Not supported | —
MPLS Egress NetFlow | Supported | Supported | The Flexible Netflow - MPLS Egress NetFlow feature implemented MPLS NetFlow egress support for Flexible NetFlow in Cisco IOS Release 12.4(22)T.
NetFlow BGP Next Hop Support | Supported | Supported | Available in the predefined and user-defined keys in Flexible NetFlow records.
Random Packet Sampled NetFlow | Supported | Supported | Available with Flexible NetFlow sampling.
NetFlow v9 Export Format | Supported | Supported | Available with Flexible NetFlow exporters.
NetFlow Subinterface Support | Supported | Supported | Flexible NetFlow monitors can be assigned to subinterfaces.
NetFlow Multiple Export Destinations | Supported | Supported | Available with Flexible NetFlow exporters.
NetFlow ToS-Based Router Aggregation | Supported | Supported | Available in the predefined and user-defined records in Flexible NetFlow records.
NetFlow Minimum Prefix Mask for Router-Based Aggregation | Supported | Supported | Available in the predefined and user-defined records.
NetFlow Input Filters | Supported | Not supported | —
NetFlow MIB | Supported | Not supported | —
NetFlow MIB and Top Talkers | Supported | Not supported | —
NetFlow Multicast Support | Supported | Supported | In Cisco IOS Release 12.4(9)T through 12.4(20)T, Flexible NetFlow collects statistics for multicast flows. However, specific additional fields such as replication counts for bytes and packets are not supported. The Flexible Netflow - IPv4 Multicast Statistics Support feature implemented support for capturing multicast replication counts for bytes and packets in Cisco IOS Release 12.4(22)T.
NetFlow Layer 2 and Security Monitoring Exports | Supported | Partially supported | The Flexible Netflow - Layer 2 Fields feature implemented support for capturing MAC addresses and virtual LAN (VLAN) IDs in Cisco IOS Release 12.4(22)T.
Egress NetFlow Accounting | Supported | Supported | Flexible NetFlow monitors can be used to monitor egress traffic on interfaces and subinterfaces.
NetFlow Reliable Export with SCTP | Supported | Not supported | —
NetFlow Dynamic Top Talkers CLI | Supported | Supported | The Flexible Netflow - Top N Talkers Support feature implemented in Cisco IOS Release 12.4(22)T provides the same functionality.
[1] Flexible NetFlow has several predefined keys that emulate the traffic analysis capabilities of original NetFlow.
Where to Go Next
To implement a basic Flexible NetFlow configuration that emulates original NetFlow traffic analysis and data export, refer to the “Getting Started with Configuring Cisco IOS Flexible NetFlow” module. To implement other Flexible NetFlow configurations, refer to the “Related Documents” section.
Additional References
The following sections provide references related to Flexible NetFlow.
Related Documents
Related Topic | Document Title
Flexible NetFlow Feature Roadmap | “Cisco IOS Flexible NetFlow Features Roadmap”
Emulating original NetFlow with Flexible NetFlow | “Getting Started with Configuring Cisco IOS Flexible NetFlow”
Configuring flow exporters to export Flexible NetFlow data | “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters”
Customizing Flexible NetFlow for your network | “Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors”
Configuring flow sampling to reduce the overhead of monitoring traffic with Flexible NetFlow | “Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic”
Configuring Flexible NetFlow using predefined records | “Configuring Cisco IOS Flexible NetFlow with Predefined Records”
Using Flexible Netflow Top N Talkers to Analyze Network Traffic | “Using Cisco IOS Flexible Netflow Top N Talkers to Analyze Network Traffic”
Configuring IPv4 Multicast Statistics Support for Flexible NetFlow | “Configuring IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow”
Configuration commands for Flexible NetFlow | Cisco IOS Flexible NetFlow Command Reference
RFCs
RFC | Title
RFC #3954 | Cisco Systems NetFlow Services Export Version 9
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco IOS Flexible NetFlow Features Roadmap
First Published: June 19, 2006
Last Updated: October 10, 2008
This feature roadmap lists the Cisco IOS features documented in the Cisco IOS Flexible NetFlow Configuration Guide and maps them to the documents in which they appear. The roadmap is organized so that you can select your release train and see the features in that release. Find the feature name you are searching for and click on the URL in the “Where Documented” column to access the document containing that feature.
Feature and Release Support
Table 1 lists Flexible NetFlow feature support for the following Cisco IOS software release trains:
• Cisco IOS Release 12.2SB
• Cisco IOS Release 12.2SR
• Cisco IOS Release 12.4T
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 lists the most recent release of each software train first and the features in alphabetical order within the release.
Table 1 Supported Cisco IOS Flexible NetFlow Features
Release | Feature Name | Feature Description | Where Documented

Cisco IOS Release 12.2SB
12.2(31)SB2 | Flexible NetFlow | Flexible NetFlow was integrated into Cisco IOS Release 12.2(31)SB2. | “Cisco IOS Flexible NetFlow Overview”; “Getting Started with Configuring Cisco IOS Flexible NetFlow”; “Configuring Cisco IOS Flexible NetFlow with Predefined Records”; “Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors”; “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters”; “Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic”

Cisco IOS Release 12.2SR
12.2(33)SR | Flexible NetFlow | Support for Flexible NetFlow on Cisco 7200 series routers was added in Cisco IOS Release 12.2(33)SRC. | “Cisco IOS Flexible NetFlow Overview”; “Getting Started with Configuring Cisco IOS Flexible NetFlow”; “Configuring Cisco IOS Flexible NetFlow with Predefined Records”; “Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors”; “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters”; “Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic”

Cisco IOS Release 12.4T
12.4(22)T | Flexible Netflow - IPv4 Multicast Statistics Support | The capability of reporting the number of replicated bytes and the number of replicated packets in multicast flows was added. | “Configuring IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow”
12.4(22)T | Flexible Netflow - Netflow V5 export protocol | Support for sending export packets using the Version 5 export protocol was added. | “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters”
12.4(22)T | Flexible Netflow - Layer 2 Fields | Support for collecting statistics for Layer 2 fields such as MAC addresses and virtual LAN (VLAN) IDs from traffic was added. | “Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors”
12.4(22)T | Flexible Netflow - MPLS Egress NetFlow | Support for capturing IP flow information for packets undergoing MPLS label disposition; that is, packets that arrive on a router as MPLS packets and are transmitted as IP packets. | “Getting Started with Configuring Cisco IOS Flexible NetFlow”
12.4(22)T | Flexible Netflow - Top N Talkers Support | Support for analyzing the large amount of data Flexible NetFlow captures from the traffic in a network by providing the ability to filter, aggregate, and sort the data in the Flexible NetFlow cache as it is displayed was added. | “Using Cisco IOS Flexible Netflow Top N Talkers to Analyze Network Traffic”
12.4(20)T | Flexible NetFlow - IPv6 Unicast Flows | Support for IPv6 traffic was added. | “Cisco IOS Flexible NetFlow Overview”; “Getting Started with Configuring Cisco IOS Flexible NetFlow”; “Configuring Cisco IOS Flexible NetFlow with Predefined Records”; “Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors”; “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters”; “Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic”
 | Flexible NetFlow - Output Features on Data Export | Support for data export using the Cisco IOS feature path was added. | “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters”
12.4(9)T | Flexible NetFlow | Flexible NetFlow is introduced. | “Cisco IOS Flexible NetFlow Overview”; “Getting Started with Configuring Cisco IOS Flexible NetFlow”; “Configuring Cisco IOS Flexible NetFlow with Predefined Records”; “Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors”; “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters”; “Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic”
Getting Started with Configuring Cisco IOS Flexible NetFlow
First Published: June 19, 2006
Last Updated: October 10, 2008
This document contains information about and instructions for configuring Flexible NetFlow to emulate the data capture, data analysis, and data export features of original NetFlow. The Flexible NetFlow equivalents of some of the other features that have been added to original NetFlow, such as NetFlow Subinterface Support, and Multiple Export Destinations, are covered in this document. The purpose of this document is to help you get started using Flexible NetFlow as quickly as possible.
This document explains how to configure certain Flexible NetFlow features but does not explain them in detail. The documents listed in the “Related Documents” section on page 23 contain more detailed information on Flexible NetFlow features.
NetFlow is a Cisco IOS technology that provides statistics on packets flowing through the router. NetFlow is the standard for acquiring IP operational data from IP networks. NetFlow provides network and security monitoring, network planning, traffic analysis, and IP accounting.
Flexible NetFlow improves on original NetFlow by adding the capability to customize the traffic analysis parameters for your specific requirements. Flexible NetFlow makes it easier to create more complex configurations for traffic analysis and data export through the use of reusable configuration components.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the “Feature Information for Flexible NetFlow” section on page 24.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for Getting Started with Configuring Flexible NetFlow
• Information About Getting Started with Configuring Flexible NetFlow
• How to Get Started with Configuring Flexible NetFlow
• Configuration Examples for Emulating Original NetFlow Features with Flexible NetFlow
• Where to Go Next
• Additional References
• Feature Information for Flexible NetFlow
Prerequisites for Getting Started with Configuring Flexible NetFlow
The following prerequisites must be met before you can configure Flexible NetFlow:
• You are familiar with the information in the “Cisco IOS Flexible NetFlow Overview” module.
• The networking device must be running a Cisco IOS release that supports Cisco IOS Flexible NetFlow. See the “Cisco IOS Flexible NetFlow Features Roadmap” module for a list of Cisco IOS software releases that support Flexible NetFlow.
IPv4 Traffic
• The networking device must be configured for IPv4 routing.
• One of the following must be enabled on your router and on any interfaces on which you want to enable Flexible NetFlow: Cisco Express Forwarding (CEF) or distributed CEF (dCEF).
IPv6 Traffic
• The networking device must be configured for IPv6 routing.
• One of the following must be enabled on your router and on any interfaces on which you want to enable Flexible NetFlow: Cisco Express Forwarding IPv6 (CEF IPv6) or distributed CEF IPv6 (dCEF IPv6).
Information About Getting Started with Configuring Flexible NetFlow
Before you configure Flexible NetFlow to emulate original NetFlow, you should understand the following concepts:
• Benefit of Emulating Original NetFlow with Flexible NetFlow
• Flexible NetFlow “Netflow Original” and “NetFlow IPv4 Original Input” Predefined Records
• Flexible NetFlow “NetFlow IPv4 Original Output” Predefined Record
• Flexible NetFlow “NetFlow IPv6 Original Input” Predefined Record
• Flexible NetFlow “NetFlow IPv6 Original Output” Predefined Record
• Flexible Netflow - MPLS Egress NetFlow
Benefit of Emulating Original NetFlow with Flexible NetFlow
Emulating original NetFlow with Flexible NetFlow enables you to deploy Flexible NetFlow quickly because you can use a predefined record instead of designing and configuring a custom user-defined record. You need only configure a flow monitor and apply it to an interface for Flexible NetFlow to start working like original NetFlow. You can add an optional exporter if you want to analyze the data that you collect with an application such as NetFlow collector.
If you are familiar with original NetFlow, you already understand the format and content of the data that you collect and export with Flexible NetFlow when you emulate original NetFlow. You will be able to use the same techniques for analyzing the data.
Flexible NetFlow “Netflow Original” and “NetFlow IPv4 Original Input” Predefined Records
The Flexible NetFlow “NetFlow original” and “NetFlow IPv4 original input” predefined records can be used interchangeably because they have the same key and non-key fields. The key and non-key fields and the counters for the Flexible NetFlow “NetFlow original” and “NetFlow IPv4 original input” predefined records are shown in Table 1.
Table 1 Key and Non-Key Fields Used by the Flexible NetFlow “NetFlow Original” and “NetFlow IPv4 Original Input” Predefined Records
Field | Key or Non-Key Field | Definition
IP ToS | Key | Value in the type of service (ToS) field.
IP Protocol | Key | Value in the IP protocol field.
IP Source Address | Key | IP source address.
IP Destination Address | Key | IP destination address.
Transport Source Port | Key | Value of the transport layer source port field.
Transport Destination Port | Key | Value of the transport layer destination port field.
Interface Input | Key | Interface on which the traffic is received.
Flow Sampler ID | Key | ID number of the flow sampler (if flow sampling is enabled).
IP Source AS | Non-key | Source autonomous system number.
IP Destination AS | Non-key | Destination autonomous system number.
IP Next Hop Address | Non-key | IP address of the next hop.
IP Source Mask | Non-key | Mask for the IP source address.
IP Destination Mask | Non-key | Mask for the IP destination address.
TCP Flags | Non-key | Value in the TCP flag field.
Interface Output | Non-key | Interface on which the traffic is transmitted.
Counter Bytes | Non-key | Number of bytes seen in the flow.
Counter Packets | Non-key | Number of packets seen in the flow.
Time Stamp System Uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched.
Time Stamp System Uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched.

The configuration in the “How to Get Started with Configuring Flexible NetFlow” section on page 8 uses the predefined Flexible NetFlow “NetFlow original” record.
Flexible NetFlow “NetFlow IPv4 Original Output” Predefined Record
The Flexible NetFlow “NetFlow IPv4 original output” predefined record is used to emulate the original NetFlow Egress NetFlow Accounting feature that was released in Cisco IOS Release 12.3(11)T. The key and non-key fields and the counters for the Flexible NetFlow “NetFlow IPv4 original output” predefined record are shown in Table 2.
Table 2 Key and Non-Key Fields Used by the Flexible NetFlow “NetFlow IPv4 Original Output” Predefined Record
Field | Key or Non-Key Field | Definition
IP ToS | Key | Value in the ToS field.
IP Protocol | Key | Value in the IP protocol field.
IP Source Address | Key | IP source address.
IP Destination Address | Key | IP destination address.
Transport Source Port | Key | Value of the transport layer source port field.
Transport Destination Port | Key | Value of the transport layer destination port field.
Interface Output | Key | Interface on which the traffic is transmitted.
Flow Sampler ID | Key | ID number of the flow sampler (if flow sampling is enabled).
IP Source AS | Non-key | Source autonomous system number.
IP Destination AS | Non-key | Destination autonomous system number.
IP Next Hop Address | Non-key | IP address of the next hop.
IP Source Mask | Non-key | Mask for the IP source address.
IP Destination Mask | Non-key | Mask for the IP destination address.
TCP Flags | Non-key | Value in the TCP flag field.
Interface Input | Non-key | Interface on which the traffic is received.
Counter Bytes | Non-key | Number of bytes seen in the flow.
Counter Packets | Non-key | Number of packets seen in the flow.
Time Stamp System Uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched.
Time Stamp System Uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched.

The configuration in the “Configuring Flexible NetFlow Egress Accounting for IPV4 and IPv6 Traffic: Example” section on page 21 uses the predefined Flexible NetFlow “NetFlow original output” record.
Flexible NetFlow “NetFlow IPv6 Original Input” Predefined Record
The key and non-key fields and the counters for the Flexible NetFlow “NetFlow IPv6 original input” predefined record are shown in Table 3.
Table 3 Key and Non-Key Fields Used by the Flexible NetFlow “NetFlow IPv6 Original Input” Predefined Record
Field | Key or Non-Key Field | Definition
Traffic Class | Key | Value in the traffic class field.
Flow Label | Key | Flow label.
Protocol | Key | Value in the protocol field.
Extension Map | Key | Value in the extension map bitmap.
IP Source Address | Key | IP source address.
IP Destination Address | Key | IP destination address.
Transport Source Port | Key | Value of the transport layer source port field.
Transport Destination Port | Key | Value of the transport layer destination port field.
Interface Input | Key | Interface on which the traffic is received.
Flow Direction | Key | The direction of the flow.
Flow Sampler | Key | ID number of the flow sampler (if flow sampling is enabled).
Routing Source AS | Non-key | Source autonomous system number.
Routing Destination AS | Non-key | Destination autonomous system number.
Routing Next-hop Address | Non-key | IP address of the next hop.
IP Source Mask | Non-key | Mask for the IP source address.
IP Destination Mask | Non-key | Mask for the IP destination address.
Transport TCP Flags | Non-key | Value in the TCP flag field.
Interface Output | Non-key | Interface over which the traffic is transmitted.
Counter Bytes | Non-key | Number of bytes seen in the flow.
Counter Packets | Non-key | Number of packets seen in the flow.
Time Stamp System Uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched.
Time Stamp System Uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched.

Flexible NetFlow “NetFlow IPv6 Original Output” Predefined Record
The key and non-key fields and the counters for the Flexible NetFlow “NetFlow IPv6 original output” predefined record are shown in Table 4.
Table 4 Key and Non-Key Fields Used by the Flexible NetFlow “NetFlow IPv6 Original Output” Predefined Record
Field | Key or Non-Key Field | Definition
Traffic Class | Key | Value in the traffic class field.
Flow Label | Key | The flow label.
Protocol | Key | Value in the protocol field.
Extension Map | Key | Value in the extension map bitmap.
IP Source Address | Key | IP source address.
IP Destination Address | Key | IP destination address.
Transport Source Port | Key | Value of the transport layer source port field.
Transport Destination Port | Key | Value of the transport layer destination port field.
Interface Output | Key | Interface over which the traffic is transmitted.
Flow Direction | Key | The direction of the flow.
Flow Sampler | Key | ID number of the flow sampler (if flow sampling is enabled).
Routing Source AS | Non-key | Source autonomous system number.
Routing Destination AS | Non-key | Destination autonomous system number.
Routing Next-hop Address | Non-key | IP address of the next hop.
IP Source Mask | Non-key | Mask for the IP source address.
IP Destination Mask | Non-key | Mask for the IP destination address.
Transport TCP Flags | Non-key | Value in the TCP flag field.
Interface Input | Non-key | Interface on which the traffic is received.
Counter Bytes | Non-key | Number of bytes seen in the flow.
Counter Packets | Non-key | Number of packets seen in the flow.
Time Stamp System Uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched.
Time Stamp System Uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched.

Flexible Netflow - MPLS Egress NetFlow
The Flexible Netflow - MPLS Egress NetFlow feature allows you to capture IP flow information for packets that arrive on a router as MPLS packets and are transmitted as IP packets. This feature allows you to capture the MPLS Virtual Private Network (VPN) IP flows that are traveling through the service provider backbone from one site of a VPN to another site of the same VPN. The Flexible Netflow - MPLS Egress NetFlow feature is enabled by applying a flow monitor in output (egress) mode on the provider edge (PE) to customer edge (CE) interface of the provider’s network.
Figure 1 shows a sample MPLS VPN network topology that includes four VPN 1 sites and two VPN 2 sites. If the Flexible Netflow - MPLS Egress NetFlow is enabled on an outgoing PE interface by applying a flow monitor in output mode, IP flow information for packets that arrive at the PE as MPLS packets (from an MPLS VPN) and that are transmitted as IP packets to the PE router is captured. For example,
• To capture the flow of traffic going to site 2 of VPN 1 from any remote VPN 1 sites, you enable a flow monitor in output mode on link PE2-CE5 of provider edge router PE2.
• To capture the flow of traffic going to site 1 of VPN 2 from any remote VPN 2 site, you enable a flow monitor in output mode on link PE3-CE4 of the provider edge router PE3.
The flow data is stored in the Flexible NetFlow cache. You can use the show flow monitor monitor-name cache command to view the flow data in the cache.
Figure 1 Sample MPLS VPN Network Topology with Flexible Netflow - MPLS Egress NetFlow feature
If you configure a Flexible NetFlow exporter for the flow monitors you use for the Flexible Netflow - MPLS Egress NetFlow feature, the PE routers will export the captured flows to the configured collector devices in the provider network. Applications such as the Network Data Analyzer or the VPN Solution Center (VPN-SC) can gather information from the captured flows and compute and display site-to-site VPN traffic statistics.
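The key and non-key split in Tables 1 through 4 decides what counts as one flow: a change in any key field starts a new cache entry, while non-key fields are only collected on the existing entry. The sketch below is an added example, not Cisco code; it models the IPv4 original-input key of Table 1 with the 15-second inactive and 1800-second active timeouts that the show flow monitor output in this module reports, and the class names, packet dictionaries and addresses are constructed for illustration.

```python
"""Toy flow cache keyed like the "NetFlow IPv4 original input" record."""
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Tuple

# Timeouts as reported by "show flow monitor" in this module.
INACTIVE_TIMEOUT_MS = 15 * 1000
ACTIVE_TIMEOUT_MS = 1800 * 1000


class FlowKey(NamedTuple):
    """Key fields: packets that differ in any of these belong to different flows."""
    tos: int
    protocol: int
    src: str
    dst: str
    sport: int
    dport: int
    input_if: str
    sampler_id: int


@dataclass
class FlowEntry:
    """Non-key fields collected per flow (AS, mask and next hop omitted)."""
    first_ms: int            # system uptime when the first packet was switched
    last_ms: int             # system uptime when the last packet was switched
    byte_count: int = 0
    packets: int = 0
    tcp_flags: int = 0       # OR of the TCP flags seen on every packet
    output_if: str = ""


class FlowCache:
    def __init__(self) -> None:
        self.entries: Dict[FlowKey, FlowEntry] = {}
        self.exported: List[Tuple[FlowKey, FlowEntry]] = []

    def expire(self, uptime_ms: int) -> None:
        """Age out idle flows and flows that have been active too long."""
        for key, entry in list(self.entries.items()):
            idle = uptime_ms - entry.last_ms >= INACTIVE_TIMEOUT_MS
            long_lived = uptime_ms - entry.first_ms >= ACTIVE_TIMEOUT_MS
            if idle or long_lived:
                self.exported.append((key, self.entries.pop(key)))

    def observe(self, pkt: dict, uptime_ms: int) -> FlowKey:
        """Account one packet: look up (or create) its flow, update counters."""
        self.expire(uptime_ms)
        key = FlowKey(pkt["tos"], pkt["protocol"], pkt["src"], pkt["dst"],
                      pkt["sport"], pkt["dport"], pkt["input_if"],
                      pkt.get("sampler_id", 0))
        entry = self.entries.get(key)
        if entry is None:
            entry = self.entries[key] = FlowEntry(uptime_ms, uptime_ms)
        entry.last_ms = uptime_ms
        entry.byte_count += pkt["length"]
        entry.packets += 1
        entry.tcp_flags |= pkt.get("tcp_flags", 0)
        entry.output_if = pkt["output_if"]
        return key


def make_packet(**overrides) -> dict:
    """Constructed sample packet; keyword arguments override single fields."""
    pkt = dict(tos=0, protocol=6, src="10.0.0.1", dst="10.0.0.2",
               sport=40000, dport=443, input_if="Ethernet0/0",
               output_if="Ethernet1/0", length=60, tcp_flags=0x02)
    pkt.update(overrides)
    return pkt


# (uptime in ms, packet) pairs, constructed for this example.
SAMPLE_PACKETS = [
    (0, make_packet()),                                   # SYN opens flow A
    (100, make_packet(length=1500, tcp_flags=0x10)),      # same key: flow A
    (200, make_packet(tos=0x28, tcp_flags=0x10)),         # ToS differs: flow B
    (300, make_packet(length=1500, tcp_flags=0x18,
                      output_if="Ethernet2/0")),          # non-key change: flow A
    (20000, make_packet(protocol=17, src="10.0.0.9", sport=5353,
                        dport=53, tcp_flags=0)),          # arrives after A and B idle out
]


def run_demo() -> FlowCache:
    cache = FlowCache()
    for uptime_ms, pkt in SAMPLE_PACKETS:
        cache.observe(pkt, uptime_ms)
    return cache
```

The accumulated TCP flags are what makes the record useful for security monitoring: an entry whose flags never progress past SYN (0x02) is a connection attempt that was never answered or completed.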
How to Get Started with Configuring Flexible NetFlow
The tasks in this section explain how to configure and verify the emulation of original (ingress) NetFlow data capture with Flexible NetFlow for traffic that is received by the router and how to configure and verify the emulation of original NetFlow data export with Flexible NetFlow.
Note: Flexible NetFlow emulation of original NetFlow requires the configuration of a flow monitor and the application of the flow monitor to at least one interface that is receiving the traffic that you want to analyze.
Note: Only the keywords and arguments required for the Flexible NetFlow commands used in these tasks are explained in these tasks. For information on the other keywords and arguments available for these Flexible NetFlow commands, refer to the Cisco IOS Flexible NetFlow Command Reference.
To configure and enable Flexible NetFlow using a predefined record, perform the following tasks:
• Configuring a Flow Monitor for IPv4 Traffic Using the Flexible NetFlow “NetFlow IPv4 Original Input” Predefined Record
• Configuring a Flow Monitor for IPv6 Traffic Using the Flexible NetFlow “NetFlow IPv6 Original Input” Predefined Record
• Applying an IPv4 Flow Monitor to an Interface
• Applying an IPv6 Flow Monitor to an Interface
• Verifying the Flow Monitor (optional)
• Verifying That Flexible NetFlow Is Enabled (optional)
• Viewing the Flow Monitor Cache
• Configuring a Flow Exporter for the Flow Monitor
• Verifying the Flow Exporter (optional)
Configuring a Flow Monitor for IPv4 Traffic Using the Flexible NetFlow “NetFlow IPv4 Original Input” Predefined Record
To configure a flow monitor for IPv4 traffic using the Flexible NetFlow “NetFlow IPv4 original input” predefined record for the flow monitor, perform the following required task.
Flow Monitors
Each flow monitor has a separate cache assigned to it. Each flow monitor requires a record to define the contents and layout of its cache entries. The record format can be one of the predefined record formats, or an advanced user may create his or her own record format using the collect and match commands in flow record configuration mode.
Restrictions
You must remove a flow monitor from all of the interfaces to which you have applied it before you can modify the record format of the flow monitor.
SUMMARY STEPS
1. enable
2. configure terminal
3. flow monitor monitor-name
4. description text-string
5. record netflow ipv4 original-input
6. end
DETAILED STEPS
Step 1  enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode.
    • Enter your password if prompted.
Step 2  configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.
Step 3  flow monitor monitor-name
    Example: Router(config)# flow monitor FLOW-MONITOR-1
    Purpose: Creates a flow monitor and enters Flexible NetFlow flow monitor configuration mode.
    • This command also allows you to modify an existing flow monitor. For example, to modify the configuration of a flow monitor named “monitor-name”, use the flow monitor monitor-name command in global configuration mode.
Step 4  description text-string
    Example: Router(config-flow-monitor)# description Used for monitoring IPv4 traffic
    Purpose: (Optional) Creates a description for the flow monitor.
Step 5  record netflow ipv4 original-input
    Example: Router(config-flow-monitor)# record netflow ipv4 original-input
    Purpose: Specifies the record for the flow monitor.
Step 6  end
    Example: Router(config-flow-monitor)# end
    Purpose: Exits flow monitor configuration mode and returns to privileged EXEC mode.

Configuring a Flow Monitor for IPv6 Traffic Using the Flexible NetFlow “NetFlow IPv6 Original Input” Predefined Record
To configure a flow monitor for IPv6 traffic using the Flexible NetFlow “NetFlow IPv6 original input” predefined record for the flow monitor, perform the following required task.
Flow Monitors
Each flow monitor has a separate cache assigned to it. Each flow monitor requires a record to define the contents and layout of its cache entries. The record format can be one of the predefined record formats, or an advanced user may create his or her own record format using the collect and match commands in flow record configuration mode.
Restrictions
You must remove a flow monitor from all of the interfaces to which you have applied it before you can modify the record format of the flow monitor.
SUMMARY STEPS
1. enable
2. configure terminal
3. flow monitor monitor-name
4. description string
5. record netflow ipv6 original-input
6. end
DETAILED STEPS
Step 1  enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode.
    • Enter your password if prompted.
Step 2  configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.
Step 3  flow monitor monitor-name
    Example: Router(config)# flow monitor FLOW-MONITOR-2
    Purpose: Creates a flow monitor and enters Flexible NetFlow flow monitor configuration mode.
    • This command also allows you to modify an existing flow monitor. For example, to modify the configuration of a flow monitor named “monitor-name”, use the flow monitor monitor-name command in global configuration mode.
Step 4  description string
    Example: Router(config-flow-monitor)# description Used for monitoring IPv6 traffic
    Purpose: (Optional) Creates a description for the flow monitor.
Step 5  record netflow ipv6 original-input
    Example: Router(config-flow-monitor)# record netflow ipv6 original-input
    Purpose: Specifies the record for the flow monitor.
Step 6  end
    Example: Router(config-flow-monitor)# end
    Purpose: Exits flow monitor configuration mode and returns to privileged EXEC mode.
Applying an IPv4 Flow Monitor to an Interface
Before it can be activated, an IPv4 flow monitor must be applied to at least one interface. To activate an IPv4 flow monitor, perform the following required task.
Restrictions
When you specify the “NetFlow original” or the “NetFlow IPv4 original input” predefined record for the flow monitor to emulate original NetFlow, the flow monitor can be used only for analyzing input (ingress) traffic.
When you specify the “NetFlow IPv4 original output” predefined record for the flow monitor to emulate the Egress NetFlow Accounting feature, the flow monitor can be used only for analyzing output (egress) traffic.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip flow monitor monitor-name input
5. end
DETAILED STEPS
Step 1  enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode.
    • Enter your password if prompted.
Step 2  configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.
Step 3  interface type number
    Example: Router(config)# interface ethernet 0/0
    Purpose: Specifies an interface and enters interface configuration mode.
Step 4  ip flow monitor monitor-name input
    Example: Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
    Purpose: Activates the flow monitor that you created previously by assigning it to the interface to analyze traffic.
Step 5  end
    Example: Router(config-if)# end
    Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Applying an IPv6 Flow Monitor to an Interface
Before it can be activated, an IPv6 flow monitor must be applied to at least one interface. To activate an IPv6 flow monitor, perform the following required task.
Restrictions
When you specify the “NetFlow IPv6 original input” predefined record for the flow monitor to emulate original NetFlow, the flow monitor can be used only for analyzing input (ingress) traffic.
When you specify the “NetFlow IPv6 original output” predefined record for the flow monitor to emulate the Egress NetFlow Accounting feature, the flow monitor can be used only for analyzing output (egress) traffic.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ipv6 flow monitor monitor-name input
5. end
DETAILED STEPS
Step 1  enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode.
    • Enter your password if prompted.
Step 2  configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.
Step 3  interface type number
    Example: Router(config)# interface ethernet 0/0
    Purpose: Specifies an interface and enters interface configuration mode.
Step 4  ipv6 flow monitor monitor-name input
    Example: Router(config-if)# ipv6 flow monitor FLOW-MONITOR-2 input
    Purpose: Activates the flow monitor that you created previously by assigning it to the interface to analyze traffic.
Step 5  end
    Example: Router(config-if)# end
    Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Verifying the Flow Monitor
To view the current status of a flow monitor and verify the configuration commands that you entered, perform the following optional task.
Prerequisites
The interface to which you applied the input flow monitor must be receiving traffic that meets the criteria defined by the NetFlow original record before you can view the flows in the flow monitor cache.
SUMMARY STEPS
1. enable
2. show flow monitor
3. show running-config flow monitor
DETAILED STEPS
Step 1 enable
The enable command enters privileged EXEC mode (enter the password if prompted).
Router> enable
Router#
Step 2 show flow monitor
The show flow monitor command shows the current status of the flow monitor that you specify.
Router# show flow monitor
Flow Monitor FLOW-MONITOR-1:
  Description:       Used for basic IPv4 traffic analysis
  Flow Record:       netflow ipv4 original-input
  Cache:
    Type:              normal
    Status:            allocated
    Size:              4096 entries / 311316 bytes
    Inactive Timeout:  15 secs
    Active Timeout:    1800 secs
    Update Timeout:    1800 secs

Flow Monitor FLOW-MONITOR-2:
  Description:       Used for basic IPv6 traffic analysis
  Flow Record:       netflow ipv6 original-input
  Cache:
    Type:              normal
    Status:            allocated
    Size:              4096 entries / 507936 bytes
    Inactive Timeout:  15 secs
    Active Timeout:    1800 secs
    Update Timeout:    1800 secs
Step 3 show running-config flow monitor
The show running-config flow monitor command shows the configuration commands of the flow monitor that you specify.
Router# show running-config flow monitor
Current configuration:
!
flow monitor FLOW-MONITOR-1
 description Used for basic IPv4 traffic analysis
 record netflow ipv4 original-input
!
!
flow monitor FLOW-MONITOR-2
 description Used for basic IPv6 traffic analysis
 record netflow ipv6 original-input
!
Verifying That Flexible NetFlow Is Enabled
To verify that Flexible NetFlow is enabled on an interface, perform the following optional task.
SUMMARY STEPS
1. enable
2. show flow interface type number
DETAILED STEPS
Step 1 enable
The enable command enters privileged EXEC mode (enter the password if prompted).
Router> enable
Router#
Step 2 show flow interface type number
The show flow interface command verifies that Flexible NetFlow is enabled on an interface.
Router# show flow interface ethernet 0/0
Interface Ethernet0/0
  FNF:  monitor:         FLOW-MONITOR-1
        direction:       Input
        traffic(ip):     on
  FNF:  monitor:         FLOW-MONITOR-2
        direction:       Input
        traffic(ipv6):   on
Viewing the Flow Monitor Cache
To display the status, statistics and the flow data in the cache for a flow monitor, perform the following optional task.
Prerequisites
The interface to which you applied the input flow monitor must be receiving traffic that meets the criteria defined by the NetFlow original record before you can view the flow data in the flow monitor cache.
SUMMARY STEPS
1. enable
2. show flow monitor name monitor-name cache format record
DETAILED STEPS
Step 1 enable
The enable command enters privileged EXEC mode (enter the password if prompted).
Router> enable
Router#
Step 2 show flow monitor name monitor-name cache format record
The show flow monitor name monitor-name cache format record command string displays the status, statistics, and the flow data in the cache for a flow monitor.
Router# show flow monitor name FLOW-MONITOR-1 cache format record
Cache type:                        Normal
Cache size:                        4096
Current entries:                   8
High Watermark:                    8

Flows added:                       24
Flows aged:                        16
  - Active timeout   ( 1800 secs)  0
  - Inactive timeout (   15 secs)  16
  - Event aged                     0
  - Watermark aged                 0
  - Emergency aged                 0

IPV4 SOURCE ADDRESS:       10.251.10.1
IPV4 DESTINATION ADDRESS:  172.16.10.2
TRNS SOURCE PORT:          0
TRNS DESTINATION PORT:     2048
INTERFACE INPUT:           Et0/0
FLOW SAMPLER ID:           0
IP TOS:                    0x00
IP PROTOCOL:               1
ip source as:              0
ip destination as:         0
ipv4 next hop address:     172.16.7.2
ipv4 source mask:          /0
ipv4 destination mask:     /24
tcp flags:                 0x00
interface output:          Et1/0
counter bytes:             733500
counter packets:           489
timestamp first:           720892
timestamp last:            975032
...
IPV4 SOURCE ADDRESS:       172.16.6.1
IPV4 DESTINATION ADDRESS:  224.0.0.9
TRNS SOURCE PORT:          520
TRNS DESTINATION PORT:     520
INTERFACE INPUT:           Et0/0
FLOW SAMPLER ID:           0
IP TOS:                    0xC0
IP PROTOCOL:               17
ip source as:              0
ip destination as:         0
ipv4 next hop address:     0.0.0.0
ipv4 source mask:          /24
ipv4 destination mask:     /0
tcp flags:                 0x00
interface output:          Null
counter bytes:             52
counter packets:           1
timestamp first:           973804
timestamp last:            973804

Router# show flow monitor name FLOW-MONITOR-2 cache format record
Cache type:                        Normal
Cache size:                        4096
Current entries:                   6
High Watermark:                    8

Flows added:                       1048
Flows aged:                        1042
  - Active timeout   ( 1800 secs)  11
  - Inactive timeout (   15 secs)  1031
  - Event aged                     0
  - Watermark aged                 0
  - Emergency aged                 0

IPV6 FLOW LABEL:           0
IPV6 EXTENSION MAP:        0x00000040
IPV6 SOURCE ADDRESS:       2001:DB8:1:ABCD::1
IPV6 DESTINATION ADDRESS:  2001:DB8:4:ABCD::2
TRNS SOURCE PORT:          3000
TRNS DESTINATION PORT:     55
INTERFACE INPUT:           Et0/0
FLOW DIRECTION:            Input
FLOW SAMPLER ID:           0
IP PROTOCOL:               17
IP TOS:                    0x00
ip source as:              0
ip destination as:         0
ipv6 next hop address:     ::
ipv6 source mask:          /48
ipv6 destination mask:     /0
tcp flags:                 0x00
interface output:          Null
counter bytes:             521192
counter packets:           9307
timestamp first:           9899684
timestamp last:            11660744
...
IPV6 FLOW LABEL:           0
IPV6 EXTENSION MAP:        0x00000000
IPV6 SOURCE ADDRESS:       FE80::A8AA:BBFF:FEBB:CC03
IPV6 DESTINATION ADDRESS:  FF02::9
TRNS SOURCE PORT:          521
TRNS DESTINATION PORT:     521
INTERFACE INPUT:           Et0/0
FLOW DIRECTION:            Input
FLOW SAMPLER ID:           0
IP PROTOCOL:               17
IP TOS:                    0xE0
ip source as:              0
ip destination as:         0
ipv6 next hop address:     ::
ipv6 source mask:          /10
ipv6 destination mask:     /0
tcp flags:                 0x00
interface output:          Null
counter bytes:             92
counter packets:           1
timestamp first:           11653832
timestamp last:            11653832
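The record-format cache output above can be turned into structured flows for triage. The following Python sketch is an added example, not part of the Cisco guide: the function names are hypothetical, the sample is the FLOW-MONITOR-1 output from this section laid out one field per line, and the ICMP type/code decoding assumes the usual NetFlow convention of type*256+code in the destination port field.

```python
"""Parse 'show flow monitor name <monitor> cache format record' text (added example)."""

# Constructed sample: the FLOW-MONITOR-1 records from this section, one field per line.
SAMPLE = """\
Cache type:                        Normal
Current entries:                   8
  - Inactive timeout (   15 secs)  16

IPV4 SOURCE ADDRESS:       10.251.10.1
IPV4 DESTINATION ADDRESS:  172.16.10.2
TRNS SOURCE PORT:          0
TRNS DESTINATION PORT:     2048
INTERFACE INPUT:           Et0/0
FLOW SAMPLER ID:           0
IP TOS:                    0x00
IP PROTOCOL:               1
ip source as:              0
ip destination as:         0
ipv4 next hop address:     172.16.7.2
ipv4 source mask:          /0
ipv4 destination mask:     /24
tcp flags:                 0x00
interface output:          Et1/0
counter bytes:             733500
counter packets:           489
timestamp first:           720892
timestamp last:            975032

IPV4 SOURCE ADDRESS:       172.16.6.1
IPV4 DESTINATION ADDRESS:  224.0.0.9
TRNS SOURCE PORT:          520
TRNS DESTINATION PORT:     520
INTERFACE INPUT:           Et0/0
FLOW SAMPLER ID:           0
IP TOS:                    0xC0
IP PROTOCOL:               17
ip source as:              0
ip destination as:         0
ipv4 next hop address:     0.0.0.0
ipv4 source mask:          /24
ipv4 destination mask:     /0
tcp flags:                 0x00
interface output:          Null
counter bytes:             52
counter packets:           1
timestamp first:           973804
timestamp last:            973804
"""

HEADER = {"cache type", "cache size", "current entries", "high watermark",
          "flows added", "flows aged"}

def parse_cache(text):
    """Return (stats, flows); each flow is a dict of label -> value strings."""
    stats, flows, cur = {}, [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        label, sep, value = line.partition(":")  # first colon only: IPv6 values keep theirs
        label, value = label.strip(), value.strip()
        if not sep or label.startswith("-"):     # blank, '...', prompt, aging breakdown
            if not line and cur:                 # a blank line closes the current record
                flows.append(cur)
                cur = {}
            continue
        if label.lower() in HEADER:
            stats[label.lower()] = value
            continue
        if label in cur:                         # repeated label: next record, no blank line
            flows.append(cur)
            cur = {}
        cur[label] = value
    if cur:
        flows.append(cur)
    return stats, flows

def key_fields(flow):
    """Upper-case labels in this output are the record's key fields."""
    return {k: v for k, v in flow.items() if k.isupper()}

def summarize(flow):
    """Numeric view of one flow; timestamps are router uptime in milliseconds."""
    proto = int(flow["IP PROTOCOL"])
    nbytes, pkts = int(flow["counter bytes"]), int(flow["counter packets"])
    out = {"key": key_fields(flow), "proto": proto, "bytes": nbytes, "packets": pkts,
           "duration_ms": int(flow["timestamp last"]) - int(flow["timestamp first"]),
           "avg_packet": nbytes / pkts if pkts else 0.0}
    if proto == 1:  # assumption: ICMP type*256+code carried in the destination port field
        port = int(flow["TRNS DESTINATION PORT"])
        out["icmp_type_code"] = (port >> 8, port & 0xFF)
    return out

def top_by_bytes(text, n=5):
    """Largest flows first, as summaries."""
    _, flows = parse_cache(text)
    return sorted((summarize(f) for f in flows), key=lambda s: s["bytes"], reverse=True)[:n]

if __name__ == "__main__":
    for s in top_by_bytes(SAMPLE):
        print(s)
```
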
Configuring a Flow Exporter for the Flow Monitor
To export the data that is collected by Flexible NetFlow to a remote system for further analysis and storage, perform the following optional task.
Flow Exporters
Flow exporters are used to send the data that you collect with Flexible NetFlow to a remote system such as a NetFlow Collection Engine. Exporters use UDP as the transport protocol and use the Version 9 export format.
Restrictions
Each flow exporter supports only one destination. If you want to export the data to multiple destinations, you must configure multiple flow exporters and assign them to the flow monitor.
SUMMARY STEPS
1. enable
2. configure terminal
3. flow exporter exporter-name
4. description string
5. destination {hostname | ip-address} [vrf vrf-name]
6. transport udp udp-port
7. exit
8. flow monitor monitor-name
9. exporter exporter-name
10. end
DETAILED STEPS
Command or Action Purpose
Step 1 enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3 flow exporter exporter-name
Example: Router(config)# flow exporter EXPORTER-1
Creates a flow exporter and enters Flexible NetFlow flow exporter configuration mode.
• This command also allows you to modify an existing flow exporter. For example, to modify the configuration of a flow exporter named “exporter-name”, use the flow exporter exporter-name command and argument in global configuration mode.
Step 4 description string
Example: Router(config-flow-exporter)# description Exports to Chicago datacenter
(Optional) Creates a description for the flow exporter.
Step 5 destination {hostname | ip-address} [vrf vrf-name]
Example: Router(config-flow-exporter)# destination 172.16.10.2
Specifies the hostname or IP address of the system to which the exporter sends data.
Step 6 transport udp udp-port
Example: Router(config-flow-exporter)# transport udp 65
Configures UDP as the transport protocol and specifies the UDP port on which the destination system is listening for exported Flexible NetFlow traffic.
Step 7 exit
Example: Router(config-flow-exporter)# exit
Exits Flexible NetFlow flow exporter configuration mode and returns to global configuration mode.
Step 8 flow monitor flow-monitor-name
Example: Router(config)# flow monitor FLOW-MONITOR-1
Enters Flexible NetFlow flow monitor configuration mode for the flow monitor that you created previously.
Step 9 exporter exporter-name
Example: Router(config-flow-monitor)# exporter EXPORTER-1
Specifies the name of an exporter that you created previously.
Step 10 end
Example: Router(config-flow-monitor)# end
Exits Flexible NetFlow flow monitor configuration mode and returns to privileged EXEC mode.
Verifying the Flow Exporter
To view the current status of a flow exporter and verify the configuration commands that you entered, perform the following optional task.
SUMMARY STEPS
1. enable
2. show flow exporter
3. show running-config flow exporter exporter-name
DETAILED STEPS
Step 1 enable
The enable command enters privileged EXEC mode (enter the password if prompted).
Router> enable
Router#
Step 2 show flow exporter exporter-name
The show flow exporter command shows the current status of the flow exporter that you specify.
Router# show flow exporter EXPORTER-1
Flow Exporter EXPORTER-1:
  Description:              Exports to Chicago datacenter
  Transport Configuration:
    Destination IP address: 172.16.10.2
    Source IP address:      172.16.7.1
    Transport Protocol:     UDP
    Destination Port:       65
    Source Port:            56041
    DSCP:                   0x0
    TTL:                    255
Step 3 show running-config flow exporter
The show running-config flow exporter command shows the configuration commands of the flow exporter that you specify.
Router# show running-config flow exporter EXPORTER-1
Building configuration...
!
flow exporter EXPORTER-1
 description Exports to Chicago datacenter
 destination 172.16.10.2
 transport udp 65
!
Configuration Examples for Emulating Original NetFlow Features with Flexible NetFlow
The following examples show you how to configure Flexible NetFlow to emulate three features that are available in original NetFlow:
• Configuring Flexible NetFlow Egress Accounting for IPV4 and IPv6 Traffic: Example
• Configuring Flexible NetFlow Subinterface Support: Example
• Configuring Flexible NetFlow Multiple Export Destinations: Example
Configuring Flexible NetFlow Egress Accounting for IPV4 and IPv6 Traffic: Example
The following example shows how to configure Flexible NetFlow Egress Accounting for IPv4 and IPv6 traffic.
This sample starts in global configuration mode:
!
flow monitor FLOW-MONITOR-1
 record netflow ipv4 original-output
 exit
!
!
flow monitor FLOW-MONITOR-2
 record netflow ipv6 original-output
 exit
!
ip cef
ipv6 cef
!
interface Ethernet0/0
 ip address 172.16.6.2 255.255.255.0
 ipv6 address 2001:DB8:2:ABCD::2/48
 ip flow monitor FLOW-MONITOR-1 output
 ipv6 flow monitor FLOW-MONITOR-2 output
!
Configuring Flexible NetFlow Subinterface Support: Example
The following example shows how to configure Flexible NetFlow Subinterface Support for IPv4 traffic.
This sample starts in global configuration mode:
!
flow monitor FLOW-MONITOR-1
 record netflow ipv4 original-input
 exit
!
ip cef
!
interface Ethernet0/0.1
 ip address 172.16.6.2 255.255.255.0
 ip flow monitor FLOW-MONITOR-1 input
!
The following example shows how to configure Flexible NetFlow to emulate NetFlow Subinterface Support for IPv6 traffic.
This sample starts in global configuration mode:
!
flow monitor FLOW-MONITOR-2
 record netflow ipv6 original-input
 exit
!
ip cef
ipv6 cef
!
interface Ethernet0/0.1
 ipv6 address 2001:DB8:2:ABCD::2/48
 ipv6 flow monitor FLOW-MONITOR-2 input
!
Configuring Flexible NetFlow Multiple Export Destinations: Example
The following example shows how to configure Flexible NetFlow Multiple Export Destinations.
This sample starts in global configuration mode:
!
flow exporter EXPORTER-1
 destination 172.16.10.2
 transport udp 90
 exit
!
flow exporter EXPORTER-2
 destination 172.16.10.3
 transport udp 90
 exit
!
flow monitor FLOW-MONITOR-1
 record netflow-original
 exporter EXPORTER-2
 exporter EXPORTER-1
 exit
!
ip cef
!
interface Ethernet0/0
 ip address 172.16.6.2 255.255.255.0
 ip flow monitor FLOW-MONITOR-1 input
!
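The exporter, monitor and interface pieces configured in the tasks and examples above can be cross-checked offline against a saved configuration. The following Python sketch is an added example, not Cisco tooling: parse_config and audit are hypothetical names, the sample configuration is constructed from the multiple-export-destinations example with deliberate mistakes, sub-commands are assumed to be indented as in show running-config output, and the input-only/output-only restriction stated for the IPv6 original records is assumed to hold for the IPv4 records with the same suffixes.

```python
"""Cross-check Flexible NetFlow exporter/monitor/interface wiring (added example)."""

# Constructed sample: the multiple-export-destinations example plus deliberate mistakes
# (FLOW-MONITOR-2 names an undefined exporter and is applied in the wrong direction).
SAMPLE_CONFIG = """\
flow exporter EXPORTER-1
 destination 172.16.10.2
 transport udp 90
!
flow exporter EXPORTER-2
 destination 172.16.10.3
 transport udp 90
!
flow monitor FLOW-MONITOR-1
 record netflow-original
 exporter EXPORTER-2
 exporter EXPORTER-1
!
flow monitor FLOW-MONITOR-2
 record netflow ipv6 original-input
 exporter EXPORTER-3
!
interface Ethernet0/0
 ip address 172.16.6.2 255.255.255.0
 ip flow monitor FLOW-MONITOR-1 input
 ipv6 flow monitor FLOW-MONITOR-2 output
!
interface Ethernet1/0
 ip address 172.16.7.1 255.255.255.0
!
"""

def parse_config(text):
    """Collect exporters, monitors and per-interface monitor bindings."""
    cfg = {"exporter": {}, "monitor": {}, "interface": {}}
    kind = obj = None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] in ("!", "exit"):
            continue
        if not raw[0].isspace():                  # a top-level line opens a new section
            kind = obj = None
            if w[:2] == ["flow", "exporter"] and len(w) == 3:
                kind, obj = "exporter", cfg["exporter"].setdefault(w[2], {})
            elif w[:2] == ["flow", "monitor"] and len(w) == 3:
                kind, obj = "monitor", cfg["monitor"].setdefault(w[2], {"exporters": []})
            elif w[0] == "interface" and len(w) >= 2:
                kind, obj = "interface", cfg["interface"].setdefault(" ".join(w[1:]), [])
        elif kind == "exporter" and w[0] == "destination" and len(w) >= 2:
            obj["destination"] = w[1]
        elif kind == "exporter" and w[:2] == ["transport", "udp"] and len(w) == 3:
            obj["udp"] = int(w[2])
        elif kind == "monitor" and w[0] == "record":
            obj["record"] = " ".join(w[1:])
        elif kind == "monitor" and w[0] == "exporter" and len(w) == 2:
            obj["exporters"].append(w[1])
        elif kind == "interface" and w[1:3] == ["flow", "monitor"] and len(w) == 5:
            obj.append((w[0], w[3], w[4]))        # (ip|ipv6, monitor name, input|output)
    return cfg

def audit(cfg):
    """Return human-readable findings about gaps in flow visibility."""
    findings = []
    for name, mon in cfg["monitor"].items():
        if not mon["exporters"]:
            findings.append(f"monitor {name}: no exporter, flows stay in the local cache")
        for exp in mon["exporters"]:
            if exp not in cfg["exporter"]:
                findings.append(f"monitor {name}: exporter {exp} is not defined")
            elif "destination" not in cfg["exporter"][exp]:
                findings.append(f"exporter {exp}: no destination configured")
    for ifname, applied in cfg["interface"].items():
        if not applied:
            findings.append(f"interface {ifname}: no flow monitor applied")
        for _afi, mon_name, direction in applied:
            mon = cfg["monitor"].get(mon_name)
            if mon is None:
                findings.append(f"interface {ifname}: monitor {mon_name} is not defined")
                continue
            record = mon.get("record") or ""
            for suffix, allowed in (("original-input", "input"), ("original-output", "output")):
                if record.endswith(suffix) and direction != allowed:
                    findings.append(f"interface {ifname}: {mon_name} uses record '{record}', "
                                    f"valid for {allowed} only, but is applied {direction}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```
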
Where to Go Next
For information on advanced Flexible NetFlow configurations for specific purposes such as quality of service (QoS) and bandwidth monitoring, application and user flow monitoring and profiling, and security analysis, refer to the “Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors” module.
If you want to configure additional options for data export for Flexible NetFlow, refer to the “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters” module.
If you want to configure flow sampling to reduce the CPU overhead of analyzing traffic, refer to the “Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic” module.
If you want to configure any of the predefined records for Flexible NetFlow, refer to the “Configuring Cisco IOS Flexible NetFlow with Predefined Records” module.
Additional References
The following sections provide references related to Flexible NetFlow.
Related Documents
Related Topic Document Title
Overview of Flexible NetFlow “Cisco IOS Flexible NetFlow Overview”
Flexible NetFlow Feature Roadmap “Cisco IOS Flexible NetFlow Features Roadmap”
Configuring flow exporters to export Flexible NetFlow data “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters”
Customizing Flexible NetFlow “Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors”
Configuring flow sampling to reduce the overhead of monitoring traffic with Flexible NetFlow “Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic”
Configuring Flexible NetFlow using predefined records “Configuring Cisco IOS Flexible NetFlow with Predefined Records”
Using Flexible Netflow Top N Talkers to Analyze Network Traffic “Using Cisco IOS Flexible Netflow Top N Talkers to Analyze Network Traffic”
Configuring IPv4 Multicast Statistics Support for Flexible NetFlow “Configuring IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow”
Configuration commands for Flexible NetFlow Cisco IOS Flexible NetFlow Command Reference
Standards
Standard Title
There are no standards associated with this feature. —
MIBs
MIB MIBs Link
None To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC Title
RFC #3954 Cisco Systems NetFlow Services Export Version 9
Technical Assistance
Description Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
http://www.cisco.com/techsupport
Feature Information for Flexible NetFlow
Table 5 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or Cisco IOS Releases 12.2(1) or 12.0(3)S or a later release appear in the table.
For information on a feature in this technology that is not documented here, see the “Cisco IOS Flexible NetFlow Features Roadmap”.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS, Catalyst OS, and Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 5 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 5 Feature Information for Flexible NetFlow
Feature Name Releases Feature Configuration Information
Flexible NetFlow 12.4(9)T Flexible NetFlow is introduced.
Information about the Flexible NetFlow feature is included in the following sections:
• Prerequisites for Getting Started with Configuring Flexible NetFlow
• Information About Getting Started with Configuring Flexible NetFlow
• How to Get Started with Configuring Flexible NetFlow
• Configuration Examples for Emulating Original NetFlow Features with Flexible NetFlow
The following commands were introduced or modified: cache (Flexible NetFlow), clear flow exporter, clear flow monitor, clear sampler, collect counter, collect flow, collect interface, collect ipv4, collect ipv4 destination, collect ipv4 fragmentation, collect ipv4 section, collect ipv4 source, collect ipv4 total-length, collect ipv4 ttl, collect routing, collect timestamp sys-uptime, collect transport, collect transport icmp ipv4, collect transport tcp, collect transport udp, debug flow exporter, debug flow monitor, debug flow record, debug sampler, description (Flexible NetFlow), destination, dscp (Flexible NetFlow), exporter, flow exporter, flow monitor, flow record, ip flow monitor, match flow, match interface (Flexible NetFlow), match ipv4, match ipv4 destination, match ipv4 fragmentation, match ipv4 section, match ipv4 source, match ipv4 total-length, match ipv4 ttl, match routing, match transport, match transport icmp ipv4, match transport tcp, match transport udp, mode (Flexible NetFlow), option (Flexible NetFlow), record, sampler, show flow exporter, show flow interface, show flow monitor, show flow record, show sampler, source (Flexible NetFlow), statistics packet, template data timeout, transport (Flexible NetFlow).
Flexible Netflow - MPLS Egress NetFlow 12.4(22)T The Flexible Netflow - MPLS Egress NetFlow feature allows you to capture IP flow information for packets undergoing MPLS label disposition; that is, packets that arrive on a router as MPLS packets and are transmitted as IP packets.
The following sections provide information about this feature:
• Flexible Netflow - MPLS Egress NetFlow
No commands were introduced or modified by this feature.
Flexible NetFlow - IPv6 Unicast Flows 12.4(20)T Enables Flexible NetFlow to monitor IPv6 traffic.
Information about the Flexible NetFlow - IPv6 Unicast Flows feature is included in the following sections:
• Configuring a Flow Monitor for IPv6 Traffic Using the Flexible NetFlow “NetFlow IPv6 Original Input” Predefined Record
• Applying an IPv6 Flow Monitor to an Interface
• Configuring Flexible NetFlow Egress Accounting for IPV4 and IPv6 Traffic: Example
The following commands were introduced or modified: collect routing, debug flow record, match routing, record, show flow monitor, show flow record, collect ipv6, collect ipv6 destination, collect ipv6 extension map, collect ipv6 fragmentation, collect ipv6 hop-limit, collect ipv6 length, collect ipv6 section, collect ipv6 source, collect transport icmp ipv6, ipv6 flow monitor, match ipv6, match ipv6 destination, match ipv6 extension map, match ipv6 fragmentation, match ipv6 hop-limit, match ipv6 length, match ipv6 section, match ipv6 source, match transport icmp ipv6.
© 2008 Cisco Systems, Inc. All rights reserved.
Configuring Cisco IOS Flexible NetFlow with Predefined Records
First Published: June 19, 2006
Last Updated: October 10, 2008
This module contains information about and instructions for configuring Flexible NetFlow using predefined records. Many of the Flexible NetFlow predefined records use the same key and non-key fields as the aggregation caches available in original NetFlow. However, the predefined Flexible NetFlow records do not perform aggregation.
NetFlow is a Cisco IOS technology that provides statistics on packets flowing through a router. NetFlow is the standard for acquiring IP operational data from IP networks. NetFlow provides network and security monitoring, network planning, traffic analysis, and IP accounting.
Flexible NetFlow improves on original NetFlow by adding the capability to customize the traffic analysis parameters for your specific requirements. Flexible NetFlow makes it easier to create more complex configurations for traffic analysis and data export through the use of reusable configuration components.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the “Feature Information for Flexible NetFlow” section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for Configuring Flexible NetFlow with Predefined Records
• Information About Configuring Flexible NetFlow with Predefined Records
• How to Configure Flexible NetFlow Using a Predefined Record for the Flow Monitor
• Configuration Examples for Configuring Flexible NetFlow with Predefined Records
• Where to Go Next
• Additional References
• Feature Information for Flexible NetFlow
Prerequisites for Configuring Flexible NetFlow with Predefined Records
The following prerequisites must be met before you can configure Flexible NetFlow:
• You are familiar with the information in the “Cisco IOS Flexible NetFlow Overview” module.
• The networking device must be running a Cisco IOS release that supports Flexible NetFlow. See the “Cisco IOS Flexible NetFlow Features Roadmap” module for a list of Cisco IOS software releases that support Flexible NetFlow.
IPv4 Traffic
• The networking device must be configured for IPv4 routing.
• One of the following must be enabled on your router and on any interfaces on which you want to enable Flexible NetFlow: Cisco Express Forwarding (CEF) or distributed CEF (dCEF).
IPv6 Traffic
• The networking device must be configured for IPv6 routing.
• One of the following must be enabled on your router and on any interfaces on which you want to enable Flexible NetFlow: Cisco Express Forwarding IPv6 (CEF IPv6) or distributed CEF IPv6 (dCEF IPv6).
Information About Configuring Flexible NetFlow with Predefined Records
Before configuring Flexible NetFlow with predefined records, you should understand the following information:
• Flexible NetFlow Predefined Records
• Benefits of Flexible NetFlow Predefined Records
• Flexible NetFlow “Netflow Original” and “NetFlow IPv4 Original Input” Predefined Records
• Flexible NetFlow “NetFlow IPv4 Original Output” Predefined Record
• Flexible NetFlow “NetFlow IPv6 Original Input” Predefined Record
• Flexible NetFlow “NetFlow IPv6 Original Output” Predefined Record
• Flexible NetFlow “Autonomous System” Predefined Record
• Flexible NetFlow “Autonomous System ToS” Predefined Record
• Flexible NetFlow “BGP Next-Hop ToS” Predefined Record
• Flexible NetFlow “Destination Prefix” Predefined Record
• Flexible NetFlow “Destination Prefix ToS” Predefined Record
• Flexible NetFlow “Prefix” Predefined Record
• Flexible NetFlow “Prefix Port” Predefined Record
• Flexible NetFlow “Prefix ToS” Predefined Record
• Flexible NetFlow “Protocol Port” Predefined Record
• Flexible NetFlow “Protocol Port ToS” Predefined Record
• Flexible NetFlow “Source Prefix” Predefined Record
• Flexible NetFlow “Source Prefix ToS” Predefined Record
Flexible NetFlow Predefined Records
Flexible NetFlow predefined records are based on the original NetFlow ingress and egress caches and the aggregation caches. The difference between the original NetFlow aggregation caches and the corresponding predefined Flexible NetFlow records is that the predefined records do not perform aggregation. Flexible NetFlow predefined records are associated with a Flexible NetFlow flow monitor the same way that you associate a user-defined (custom) record.
Benefits of Flexible NetFlow Predefined Records
If you have been using original NetFlow or original NetFlow with aggregation caches, you can continue to capture the same traffic data for analysis when you migrate to Flexible NetFlow by using the predefined records available with Flexible NetFlow. Many users will find that the pre-existing Flexible NetFlow records are suitable for the majority of their traffic analysis requirements.
Flexible NetFlow “Netflow Original” and “NetFlow IPv4 Original Input” Predefined Records
The Flexible NetFlow “NetFlow original” and “NetFlow IPv4 original input” predefined records can be used interchangeably because they have the same key and non-key fields. The key and non-key fields and the counters for the “NetFlow original” and “NetFlow IPv4 original input” predefined records are shown in Table 1.
Table 1 Key and Non-Key Fields Used by the “Netflow Original” and “NetFlow IPv4 Original Input” Predefined Records
Field                           Key or Non-Key Field  Definition
IP ToS                          Key                   Value in the type of service (ToS) field.
IP Protocol                     Key                   Value in the IP protocol field.
IPv4 Source Address             Key                   IPv4 source address.
IPv4 Destination Address        Key                   IPv4 destination address.
Transport Source Port           Key                   Value in the transport layer source port field.
Transport Destination Port      Key                   Value in the transport layer destination port field.
Interface Input                 Key                   Interface on which the traffic is received.
Flow Sampler ID                 Key                   ID number of the flow sampler (if flow sampling is enabled).
IP Source AS                    Non-key               Source autonomous system number.
IP Destination AS               Non-key               Destination autonomous system number.
IPv4 Next Hop Address           Non-key               IPv4 address of the next hop.
IPv4 Source Mask                Non-key               Mask for the IPv4 source address.
IPv4 Destination Mask           Non-key               Mask for the IPv4 destination address.
TCP Flags                       Non-key               Value in the TCP flag field.
Interface Output                Non-key               Interface on which the traffic is transmitted.
Counter Bytes                   Non-key               Number of bytes seen in the flow.
Counter Packets                 Non-key               Number of packets seen in the flow.
Time Stamp System Uptime First  Non-key               System uptime (time in milliseconds since this device was first booted) when the first packet was switched.
Time Stamp System Uptime Last   Non-key               System uptime (time in milliseconds since this device was first booted) when the last packet was switched.
Flexible NetFlow “NetFlow IPv4 Original Output” Predefined Record
The Flexible NetFlow “NetFlow IPv4 original output” predefined record is used to emulate the original NetFlow Egress NetFlow Accounting feature that was released in Cisco IOS Release 12.3(11)T. The key and non-key fields and the counters for the “NetFlow IPv4 original output” predefined record are shown in Table 2.
Table 2 Key and Non-Key Fields Used by the “NetFlow IPv4 Original Output” Predefined Record
Field                           Key or Non-Key Field  Definition
IP ToS                          Key                   Value in the ToS field.
IP Protocol                     Key                   Value in the IP protocol field.
IPv4 Source Address             Key                   IPv4 source address.
IPv4 Destination Address        Key                   IPv4 destination address.
Transport Source Port           Key                   Value in the transport layer source port field.
Transport Destination Port      Key                   Value in the transport layer destination port field.
Interface Output                Key                   Interface on which the traffic is transmitted.
Flow Sampler ID                 Key                   ID number of the flow sampler (if flow sampling is enabled).
IP Source AS                    Non-key               Source autonomous system number.
IP Destination AS               Non-key               Destination autonomous system number.
IPv4 Next Hop Address           Non-key               IPv4 address of the next hop.
IPv4 Source Mask                Non-key               Mask for the IPv4 source address.
IPv4 Destination Mask           Non-key               Mask for the IPv4 destination address.
TCP Flags                       Non-key               Value in the TCP flag field.
Interface Input                 Non-key               Interface on which the traffic is received.
Counter Bytes                   Non-key               Number of bytes seen in the flow.
Counter Packets                 Non-key               Number of packets seen in the flow.
Time Stamp System Uptime First  Non-key               System uptime (time in milliseconds since this device was first booted) when the first packet was switched.
Time Stamp System Uptime Last   Non-key               System uptime (time in milliseconds since this device was first booted) when the last packet was switched.
Flexible NetFlow “NetFlow IPv6 Original Input” Predefined Record
The key and non-key fields and the counters for the Flexible NetFlow “NetFlow IPv6 original input” predefined records are shown in Table 3.
Table 3 Key and Non-Key Fields Used by the Flexible NetFlow “NetFlow IPv6 Original Input” Predefined Record

| Field | Key or Non-Key Field | Definition |
|---|---|---|
| Traffic Class | Key | Value in the traffic class field. |
| Flow Label | Key | Flow label. |
| Protocol | Key | Value in the protocol field. |
| Extension Map | Key | Value in the extension map bitmap. |
| IP Source Address | Key | IP source address. |
| IP Destination Address | Key | IP destination address. |
| Transport Source Port | Key | Value in the transport layer source port field. |
| Transport Destination Port | Key | Value in the transport layer destination port field. |
| Interface Input | Key | Interface on which the traffic is received. |
| Flow Direction | Key | The direction of the flow. |
| Flow Sampler | Key | ID number of the flow sampler (if flow sampling is enabled). |
| Routing Source AS | Non-key | Source autonomous system number. |
| Routing Destination AS | Non-key | Destination autonomous system number. |
| Routing Next-hop Address | Non-key | IP address of the next hop. |
| IP Source Mask | Non-key | Mask for the IP source address. |
| IP Destination Mask | Non-key | Mask for the IP destination address. |
| Transport TCP Flags | Non-key | Value in the TCP flag field. |
| Interface Output | Non-key | Interface over which the traffic is transmitted. |
| Counter Bytes | Non-key | Number of bytes seen in the flow. |
| Counter Packets | Non-key | Number of packets seen in the flow. |
| Timestamp Sys-uptime First | Non-key | System uptime (time in milliseconds since this device was first booted) when the first packet was switched. |
| Timestamp Sys-uptime Last | Non-key | System uptime (time in milliseconds since this device was first booted) when the last packet was switched. |

Flexible NetFlow “NetFlow IPv6 Original Output” Predefined Record

The key and non-key fields and the counters for the Flexible NetFlow “NetFlow IPv6 original output” predefined records are shown in Table 4.
Table 4 Key and Non-Key Fields Used by the Flexible NetFlow “NetFlow IPv6 Original Output” Predefined Record

| Field | Key or Non-Key Field | Definition |
|---|---|---|
| Traffic Class | Key | Value in the traffic class field. |
| Flow Label | Key | The flow label. |
| Protocol | Key | Value in the protocol field. |
| Extension Map | Key | Value in the extension map bitmap. |
| IP Source Address | Key | IP source address. |
| IP Destination Address | Key | IP destination address. |
| Transport Source Port | Key | Value in the transport layer source port field. |
| Transport Destination Port | Key | Value in the transport layer destination port field. |
| Interface Output | Key | Interface over which the traffic is transmitted. |
| Flow Direction | Key | The direction of the flow. |
| Flow Sampler | Key | ID number of the flow sampler (if flow sampling is enabled). |
| Routing Source AS | Non-key | Source autonomous system number. |
| Routing Destination AS | Non-key | Destination autonomous system number. |
| Routing Next-hop Address | Non-key | IP address of the next hop. |
| IP Source Mask | Non-key | Mask for the IP source address. |
| IP Destination Mask | Non-key | Mask for the IP destination address. |
| Transport TCP Flags | Non-key | Value in the TCP flag field. |
| Interface Input | Non-key | Interface on which the traffic is received. |
| Counter Bytes | Non-key | Number of bytes seen in the flow. |
| Counter Packets | Non-key | Number of packets seen in the flow. |
| Timestamp Sys-uptime First | Non-key | System uptime (time in milliseconds since this device was first booted) when the first packet was switched. |
| Timestamp Sys-uptime Last | Non-key | System uptime (time in milliseconds since this device was first booted) when the last packet was switched. |

Flexible NetFlow “Autonomous System” Predefined Record

The Flexible NetFlow “autonomous system” predefined record creates flows based on autonomous system-to-autonomous system traffic flow data. The Flexible NetFlow “autonomous system” predefined record uses the same key and non-key fields as the original NetFlow “autonomous system” aggregation cache.

Note: This predefined record can be used to analyze IPv4 and IPv6 traffic.

Table 5 lists the key and non-key fields used in the Flexible NetFlow “autonomous system” predefined record.
Table 5 Key and Non-Key Fields Used by the Flexible NetFlow “Autonomous System” Predefined Record

| Field | Key or Non-Key Field | Definition |
|---|---|---|
| IP Source AS | Key | Autonomous system of the source IP address (peer or origin). |
| IP Destination AS | Key | Autonomous system of the destination IP address (peer or origin). |
| Interface Input | Key | Interface on which the traffic is received. |
| Interface Output | Key | Interface on which the traffic is transmitted. |
| Flow Direction | Key | Direction in which the flow is being monitored. |
| Counter Bytes | Non-key | Number of bytes seen in the flow. |
| Counter Packets | Non-key | Number of packets seen in the flow. |
| Time Stamp System Uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched. |
| Time Stamp System Uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched. |

Flexible NetFlow “Autonomous System ToS” Predefined Record

The Flexible NetFlow “autonomous system ToS” predefined record creates flows based on autonomous system-to-autonomous system and type of service (ToS) traffic flow data. The Flexible NetFlow “autonomous system TOS” predefined record uses the same key and non-key fields as the original NetFlow “autonomous system TOS” aggregation cache.

Note: This predefined record can only be used to analyze IPv4 traffic.

Tip: This predefined record is particularly useful for generating autonomous system-to-autonomous system traffic flow data.

Table 6 lists the key and non-key fields used in the Flexible NetFlow “autonomous system TOS” predefined record.
Table 6 Key and Non-Key Fields Used by the “Flexible NetFlow Autonomous System ToS” Predefined Record

| Field | Key or Non-Key Field | Definition |
|---|---|---|
| IP ToS | Key | Value in the ToS field. |
| IP Source autonomous system | Key | Autonomous system of the source IP address (peer or origin). |
| IP Destination autonomous system | Key | Autonomous system of the destination IP address (peer or origin). |
| Interface Input | Key | Interface on which the traffic is received. |
| Interface Output | Key | Interface on which the traffic is transmitted. |
| Flow Direction | Key | Direction in which the flow is being monitored. |
| Counter Bytes | Non-key | Number of bytes seen in the flow. |
| Counter Packets | Non-key | Number of packets seen in the flow. |
| Time Stamp System Uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched. |
| Time Stamp System Uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched. |

Flexible NetFlow “BGP Next-Hop” Predefined Record

The Flexible NetFlow “BGP next-hop” predefined record creates flows based on border gateway protocol (BGP) traffic flow data.

Note: This predefined record can only be used to analyze IPv6 traffic.

Table 7 lists the key and non-key fields used in the Flexible NetFlow “BGP next-hop” predefined record.
Table 7 Key and Non-Key Fields Used by the Flexible NetFlow “BGP Next-hop” Predefined Record

| Field | Key or Non-Key Field | Definition |
|---|---|---|
| Routing Source AS | Key | Autonomous system of the source IP address. |
| Routing Destination AS | Key | Autonomous system of the destination IP address. |
| Routing Next-hop Address IPv6 BGP | Key | IPv6 address of the BGP next-hop. |
| Interface Input | Key | Interface on which the traffic is received. |
| Interface Output | Key | Interface on which the traffic is transmitted. |
| Flow Direction | Key | Direction in which the flow is being monitored. |
| Counter Bytes | Non-key | Number of bytes seen in the flow. |
| Counter Packets | Non-key | Number of packets seen in the flow. |
| Timestamp Sys-uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched. |
| Timestamp Sys-uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched. |

Flexible NetFlow “BGP Next-Hop ToS” Predefined Record

The Flexible NetFlow “BGP next-hop ToS” predefined record creates flows based on BGP and ToS traffic flow data. The Flexible NetFlow “BGP next-hop ToS” predefined record uses the same key and non-key fields as the original NetFlow “BGP next-hop ToS” aggregation cache.

Note: This predefined record can only be used to analyze IPv4 traffic.

Table 8 lists the key and non-key fields used in the “BGP next-hop ToS” predefined record.
Table 8 Key and Non-Key Fields Used by the Flexible NetFlow “BGP Next-hop ToS” Predefined Record

| Field | Key or Non-Key Field | Definition |
|---|---|---|
| IP ToS | Key | Value in the ToS field. |
| IP Source autonomous system | Key | Autonomous system of the source IP address (peer or origin). |
| IP Destination autonomous system | Key | Autonomous system of the destination IP address (peer or origin). |
| IPv4 Next Hop Address BGP | Key | IPv4 address of the BGP next-hop peer. |
| Interface Input | Key | Interface on which the traffic is received. |
| Interface Output | Key | Interface on which the traffic is transmitted. |
| Flow Direction | Key | Direction in which the flow is being monitored. |
| Counter Bytes | Non-key | Number of bytes seen in the flow. |
| Counter Packets | Non-key | Number of packets seen in the flow. |
| Time Stamp System Uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched. |
| Time Stamp System Uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched. |

Flexible NetFlow “Destination Prefix” Predefined Record

The Flexible NetFlow “destination prefix” predefined record creates flows based on destination prefix traffic flow data. The Flexible NetFlow “destination prefix” predefined record uses the same key and non-key fields as the original NetFlow “destination prefix” aggregation cache.

Note: This predefined record can be used to analyze IPv4 and IPv6 traffic.

Table 9 lists the key and non-key fields used in the Flexible NetFlow “destination prefix” predefined record.

Table 9 Key and Non-Key Fields Used by the Flexible NetFlow “Destination Prefix” Predefined Record

| Field | Key or Non-Key Field | Definition |
|---|---|---|
| IP Destination autonomous system | Key | Autonomous system of the destination IP address (peer or origin). |
| IPv4 or IPv6 Destination Prefix | Key | Destination IP address ANDed with the destination prefix mask. |
| IPv4 or IPv6 Destination Mask | Key | Number of bits in the destination prefix. |
| Interface Output | Key | Interface on which the traffic is transmitted. |
| Flow Direction | Key | Direction in which the flow is being monitored. |
| Counter Bytes | Non-key | Number of bytes seen in the flow. |
| Counter Packets | Non-key | Number of packets seen in the flow. |
| Time Stamp System Uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched. |
| Time Stamp System Uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched. |

Flexible NetFlow “Destination Prefix ToS” Predefined Record

The Flexible NetFlow “destination prefix ToS” predefined record creates flows based on destination prefix and ToS traffic flow data. The Flexible NetFlow “destination prefix ToS” predefined record uses the same key and non-key fields as the original NetFlow “destination prefix ToS” aggregation cache.

This predefined record is particularly useful for capturing data with which you can examine the destinations of network traffic passing through a NetFlow-enabled device.

Note: This predefined record can only be used to analyze IPv4 traffic.

Table 10 lists the key and non-key fields used in the Flexible NetFlow “destination prefix ToS” predefined record.
Table 10 Key and Non-Key Fields Used by the Flexible NetFlow “Destination Prefix ToS” Predefined Record

| Field | Key or Non-Key Field | Definition |
|---|---|---|
| IP ToS | Key | Value in the ToS field. |
| IP Destination autonomous system | Key | Autonomous system of the destination IP address (peer or origin). |
| IPv4 Destination Prefix | Key | Destination IP address ANDed with the destination prefix mask. |
| IPv4 Destination Mask | Key | Number of bits in the destination prefix. |
| Interface Output | Key | Interface on which the traffic is transmitted. |
| Flow Direction | Key | Direction in which the flow is being monitored. |
| Counter Bytes | Non-key | Number of bytes seen in the flow. |
| Counter Packets | Non-key | Number of packets seen in the flow. |
| Time Stamp System Uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched. |
| Time Stamp System Uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched. |

Flexible NetFlow “Prefix” Predefined Record

The Flexible NetFlow “prefix” predefined record creates flows based on the source and destination prefixes in the traffic flow data. The Flexible NetFlow “prefix” predefined record uses the same key and non-key fields as the original NetFlow “prefix” aggregation cache.

Note: This predefined record can be used to analyze IPv4 and IPv6 traffic. For IPv6 traffic, a minimum prefix mask length of 0 bits is assumed.

Table 11 lists the key and non-key fields used in the Flexible NetFlow “prefix” predefined record.
Table 11 Key and Non-Key Fields Used by the Flexible NetFlow “Prefix” Predefined Record

| Field | Key or Non-Key Field | Definition |
|---|---|---|
| IP Source autonomous system | Key | Autonomous system of the source IP address (peer or origin). |
| IP Destination autonomous system | Key | Autonomous system of the destination IP address (peer or origin). |
| IPv4 or IPv6 Source Prefix | Key | Source IP address ANDed with the source prefix mask, or the prefix to which the source IP address of the aggregated flows belongs. |
| IPv4 or IPv6 Source Mask | Key | Number of bits in the source prefix. |
| IPv4 or IPv6 Destination Prefix | Key | Destination IP address ANDed with the destination prefix mask. |
| IPv4 or IPv6 Destination Mask | Key | Number of bits in the destination prefix. |
| Interface Input | Key | Interface on which the traffic is received. |
| Interface Output | Key | Interface on which the traffic is transmitted. |
| Counter Bytes | Non-key | Number of bytes seen in the flow. |
| Counter Packets | Non-key | Number of packets seen in the flow. |
| Time Stamp System Uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched. |
| Time Stamp System Uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched. |

Flexible NetFlow “Prefix Port” Predefined Record

The Flexible NetFlow “prefix port” predefined record creates flows based on source and destination prefixes and ports in the traffic flow data. The Flexible NetFlow “prefix port” predefined record uses the same key and non-key fields as the original NetFlow “prefix port” aggregation cache.

This predefined record is particularly useful for capturing data with which you can examine the sources and destinations of network traffic passing through a NetFlow-enabled device.

Note: This predefined record can only be used to analyze IPv4 traffic.

Table 12 lists the key and non-key fields used in the Flexible NetFlow “prefix port” predefined record.
Table 12 Key and Non-Key Fields Used by the Flexible NetFlow “Prefix Port” Predefined Record

| Field | Key or Non-Key Field | Definition |
|---|---|---|
| IP ToS | Key | Value in the ToS field. |
| IP Protocol | Key | Value in the IP protocol field. |
| IPv4 Source Prefix | Key | Source IP address ANDed with the source prefix mask, or the prefix to which the source IP address of the aggregated flows belongs. |
| IPv4 Source Mask | Key | Number of bits in the source prefix. |
| IPv4 Destination Prefix | Key | Destination IP address ANDed with the destination prefix mask. |
| IPv4 Destination Mask | Key | Number of bits in the destination prefix. |
| Transport Source Port | Key | Value in the transport layer source port field. |
| Transport Destination Port | Key | Value in the transport layer destination port field. |
| Interface Input | Key | Interface on which the traffic is received. |
| Interface Output | Key | Interface on which the traffic is transmitted. |
| Flow Direction | Key | Direction in which the flow is being monitored. |
| Counter Bytes | Non-key | Number of bytes seen in the flow. |
| Counter Packets | Non-key | Number of packets seen in the flow. |
| Time Stamp System Uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched. |
| Time Stamp System Uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched. |

Flexible NetFlow “Prefix ToS” Predefined Record

The Flexible NetFlow “prefix ToS” predefined record creates flows based on source and destination prefixes and ToS traffic flow data. The Flexible NetFlow “prefix ToS” predefined record uses the same key and non-key fields as the original NetFlow “destination prefix ToS” aggregation cache.

This predefined record is particularly useful for capturing data so that you can examine the sources and destinations of network traffic passing through a NetFlow-enabled device.

Note: This predefined record can only be used to analyze IPv4 traffic.

Table 13 lists the key and non-key fields used in the Flexible NetFlow “prefix ToS” predefined record.
Table 13 Key and Non-Key Fields Used by the Flexible NetFlow “Prefix ToS” Predefined Record

| Field | Key or Non-Key Field | Definition |
|---|---|---|
| IP ToS | Key | Value in the ToS field. |
| IP Source autonomous system | Key | Autonomous system of the source IP address (peer or origin). |
| IP Destination autonomous system | Key | Autonomous system of the destination IP address (peer or origin). |
| IPv4 Source Prefix | Key | Source IP address ANDed with the source prefix mask, or the prefix to which the source IP address of the aggregated flows belongs. |
| IPv4 Source Mask | Key | Number of bits in the source prefix. |
| IPv4 Destination Prefix | Key | Destination IP address ANDed with the destination prefix mask. |
| IPv4 Destination Mask | Key | Number of bits in the destination prefix. |
| Interface Input | Key | Interface on which the traffic is received. |
| Interface Output | Key | Interface on which the traffic is transmitted. |
| Flow Direction | Key | Direction in which the flow is being monitored. |
| Counter Bytes | Non-key | Number of bytes seen in the flow. |
| Counter Packets | Non-key | Number of packets seen in the flow. |
| Time Stamp System Uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched. |
| Time Stamp System Uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched. |

Flexible NetFlow “Protocol Port” Predefined Record

The Flexible NetFlow “protocol port” predefined record creates flows based on protocols and ports in the traffic flow data. The Flexible NetFlow “protocol port” predefined record uses the same key and non-key fields as the original NetFlow “protocol port” aggregation cache.

Note: This predefined record can be used to analyze IPv4 and IPv6 traffic.

Table 14 lists the key and non-key fields used in the Flexible NetFlow “protocol port” predefined record.

Table 14 Key and Non-Key Fields Used by the Flexible NetFlow “Protocol Port” Predefined Record

| Field | Key or Non-Key Field | Definition |
|---|---|---|
| IP Protocol | Key | Value in the IP protocol field. |
| Transport Source Port | Key | Value in the transport layer source port field. |
| Transport Destination Port | Key | Value in the transport layer destination port field. |
| Flow Direction | Key | Direction that the flow is being monitored in. |
| Counter Bytes | Non-key | Number of bytes seen in the flow. |
| Counter Packets | Non-key | Number of packets seen in the flow. |
| Time Stamp System Uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched. |
| Time Stamp System Uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched. |

Flexible NetFlow “Protocol Port ToS” Predefined Record

The Flexible NetFlow “protocol port ToS” predefined record creates flows based on the protocol, port, and ToS value in the traffic data. The Flexible NetFlow “protocol port ToS” predefined record uses the same key and non-key fields as the original NetFlow “protocol port ToS” aggregation cache.

This predefined record is particularly useful for capturing data so that you can examine network usage by type of traffic.

Note: This predefined record can only be used to analyze IPv4 traffic.

Table 15 lists the key and non-key fields used in the Flexible NetFlow “protocol port ToS” predefined record.
Table 15 Key and Non-Key Fields Used by the Flexible NetFlow “Protocol Port ToS” Predefined Record

| Field | Key or Non-Key Field | Definition |
|---|---|---|
| IP ToS | Key | Value in the ToS field. |
| IP Protocol | Key | Value in the IP protocol field. |
| Transport Source Port | Key | Value in the transport layer source port field. |
| Transport Destination Port | Key | Value in the transport layer destination port field. |
| Flow Direction | Key | Direction in which the flow is being monitored. |
| Counter Bytes | Non-key | Number of bytes seen in the flow. |
| Counter Packets | Non-key | Number of packets seen in the flow. |
| Time Stamp System Uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched. |
| Time Stamp System Uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched. |

Flexible NetFlow “Source Prefix” Predefined Record

The Flexible NetFlow “source prefix” predefined record creates flows based on source prefixes in the network traffic. The Flexible NetFlow “source prefix” predefined record uses the same key and non-key fields as the original NetFlow “source prefix” aggregation cache.

Note: This predefined record can be used to analyze IPv4 and IPv6 traffic.

Table 16 lists the key and non-key fields used in the Flexible NetFlow “source prefix” predefined record.
Table 16 Key and Non-Key Fields Used by the Flexible NetFlow “Source Prefix” Predefined Record

| Field | Key or Non-Key Field | Definition |
|---|---|---|
| IP Source autonomous system | Key | Autonomous system of the source IP address (peer or origin). |
| IPv4 or IPv6 Source Prefix | Key | Source IP address ANDed with the source prefix mask, or the prefix to which the source IP address of the aggregated flows belongs. |
| IPv4 or IPv6 Source Mask | Key | Number of bits in the source prefix. |
| Interface Input | Key | Interface on which the traffic is received. |
| Flow Direction | Key | Direction in which the flow is being monitored. |
| Counter Bytes | Non-key | Number of bytes seen in the flow. |
| Counter Packets | Non-key | Number of packets seen in the flow. |
| Time Stamp System Uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched. |
| Time Stamp System Uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched. |

Flexible NetFlow “Source Prefix ToS” Predefined Record

The Flexible NetFlow “source prefix ToS” predefined record creates flows based on source prefixes and ToS values in the network traffic. The Flexible NetFlow “source prefix ToS” predefined record uses the same key and non-key fields as the original NetFlow “source prefix” ToS aggregation cache.

This predefined record is particularly useful for capturing data so that you can examine the sources of network traffic passing through a NetFlow-enabled device.

Note: This predefined record can only be used to analyze IPv4 traffic.

Table 17 lists the key and non-key fields used in the Flexible NetFlow “source prefix ToS” predefined record.
Table 17 Key and Non-Key Fields Used by the Flexible NetFlow “Source Prefix ToS” Predefined Record

| Field | Key or Non-Key Field | Definition |
|---|---|---|
| IP ToS | Key | Value in the ToS field. |
| IP Source autonomous system | Key | Autonomous system of the source IP address (peer or origin). |
| IPv4 Source Prefix | Key | Source IP address ANDed with the source prefix mask, or the prefix to which the source IP address of the aggregated flows belongs. |
| IPv4 Source Mask | Key | Number of bits in the source prefix. |
| Interface Input | Key | Interface on which the traffic is received. |
| Flow Direction | Key | Direction in which the flow is being monitored. |
| Counter Bytes | Non-key | Number of bytes seen in the flow. |
| Counter Packets | Non-key | Number of packets seen in the flow. |
| Time Stamp System Uptime First | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the first packet was switched. |
| Time Stamp System Uptime Last | Non-key | System uptime (time, in milliseconds, since this device was first booted) when the last packet was switched. |

How to Configure Flexible NetFlow Using a Predefined Record for the Flow Monitor

The tasks in this section explain how to configure Flexible NetFlow using a predefined record for the flow monitor.

Note: Only the keywords and arguments required for the Flexible NetFlow commands used in these tasks are explained in these tasks. For information on the other keywords and arguments available for these Flexible NetFlow commands, refer to the Cisco IOS Flexible NetFlow Command Reference.

To configure and enable Flexible NetFlow using a predefined record, perform the following tasks:

• Configuring a Flow Monitor for IPv4 Traffic Using a Predefined Record
• Configuring a Flow Monitor for IPv6 Traffic Using a Predefined Record
• Applying an IPv4 Flow Monitor to an Interface
• Applying an IPv6 Flow Monitor to an Interface
• Verifying the Flow Monitor (optional)
• Verifying That Flexible NetFlow Is Enabled (optional)
• Viewing the Flow Monitor Cache (optional)

Configuring a Flow Monitor for IPv4 Traffic Using a Predefined Record

To configure a flow monitor for IPv4 traffic using a predefined record for the flow monitor, perform the following required task.

Flow Monitors

Each flow monitor has a separate cache assigned to it. Each flow monitor requires a record to define the contents and layout of its cache entries. The record format can be one of the predefined record formats, or an advanced user may create his or her own record format using the collect and match commands in flow record configuration mode.
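The Flow Monitors paragraph says that the record defines the contents and layout of a monitor's cache entries. The following Python model is an added illustration, not code from the Cisco guide and not how IOS implements its cache: it runs the same constructed packets through the key fields of the “destination prefix” record (Table 9) and the “protocol port” record (Table 14). The routing table, AS numbers, interface names and packets are all constructed assumptions.

```python
"""Toy flow cache: a record's key fields decide which packets share one entry."""
import ipaddress
from collections import namedtuple

# Constructed routing view (assumption): prefix -> destination autonomous system.
ROUTES = {
    ipaddress.ip_network("198.51.100.0/24"): 64500,
    ipaddress.ip_network("203.0.113.0/25"): 64501,
    ipaddress.ip_network("2001:db8:10::/48"): 64502,
}

Packet = namedtuple(
    "Packet", "uptime_ms dst protocol src_port dst_port out_if direction length")

# Constructed sample traffic, all monitored in the output direction.
PACKETS = [
    Packet(1000, "198.51.100.10", 6, 50000, 443, "Gi0/1", "output", 1500),
    Packet(1200, "198.51.100.77", 6, 50001, 443, "Gi0/1", "output", 400),
    Packet(1300, "203.0.113.5", 17, 5353, 53, "Gi0/2", "output", 80),
    Packet(1500, "198.51.100.10", 6, 50000, 443, "Gi0/1", "output", 600),
    Packet(1700, "2001:db8:10::1", 6, 50002, 443, "Gi0/1", "output", 1200),
    Packet(1900, "203.0.113.200", 17, 5353, 53, "Gi0/2", "output", 90),
]


def route_for(addr):
    """Longest-prefix match; unrouted addresses fall back to a 0-bit prefix, AS 0."""
    hits = [(net, asn) for net, asn in ROUTES.items()
            if net.version == addr.version and addr in net]
    if hits:
        return max(hits, key=lambda hit: hit[0].prefixlen)
    default = "0.0.0.0/0" if addr.version == 4 else "::/0"
    return ipaddress.ip_network(default), 0


def destination_prefix_key(pkt):
    """Key fields of the "destination prefix" record (Table 9)."""
    addr = ipaddress.ip_address(pkt.dst)
    net, asn = route_for(addr)
    # Destination IP address ANDed with the destination prefix mask.
    prefix = type(addr)(int(addr) & int(net.netmask))
    return (asn, str(prefix), net.prefixlen, pkt.out_if, pkt.direction)


def protocol_port_key(pkt):
    """Key fields of the "protocol port" record (Table 14)."""
    return (pkt.protocol, pkt.src_port, pkt.dst_port, pkt.direction)


def build_cache(key_fn, packets):
    """Group packets by key fields and collect the non-key fields per entry."""
    cache = {}
    for pkt in packets:
        entry = cache.setdefault(key_fn(pkt), {
            "bytes": 0, "packets": 0,
            "first_ms": pkt.uptime_ms, "last_ms": pkt.uptime_ms})
        entry["bytes"] += pkt.length                  # Counter Bytes
        entry["packets"] += 1                         # Counter Packets
        entry["first_ms"] = min(entry["first_ms"], pkt.uptime_ms)
        entry["last_ms"] = max(entry["last_ms"], pkt.uptime_ms)
    return cache


if __name__ == "__main__":
    for name, key_fn in (("destination prefix", destination_prefix_key),
                         ("protocol port", protocol_port_key)):
        print(f"record: {name}")
        for key, entry in build_cache(key_fn, PACKETS).items():
            print("  ", key, entry)
```

Under the destination prefix record the two hosts in 198.51.100.0/24 share one cache entry, so per-host detail is not available to whoever reads the cache later; under the protocol port record the addresses are gone but each port pair keeps its own counters.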
Restrictions

You must remove a flow monitor from all of the interfaces on which you have applied it before you can modify the record format of the flow monitor.

SUMMARY STEPS

1. enable
2. configure terminal
3. flow monitor monitor-name
4. description text-string
5. record {netflow-original | netflow ipv4 record [peer]}
6. end

DETAILED STEPS

Step 1  enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode.
    • Enter your password if prompted.

Step 2  configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3  flow monitor monitor-name
    Example: Router(config)# flow monitor FLOW-MONITOR-1
    Purpose: Creates a flow monitor and enters Flexible NetFlow flow monitor configuration mode.
    • This command also allows you to modify an existing flow monitor. For example, to modify the configuration of a flow monitor named “monitor-name”, use the flow monitor monitor-name command in global configuration mode.

Step 4  description text-string
    Example: Router(config-flow-monitor)# description Used for monitoring IPv4 traffic
    Purpose: (Optional) Creates a description for the flow monitor.

Step 5  record {netflow-original | netflow ipv4 record [peer]}
    Example: Router(config-flow-monitor)# record netflow ipv4 original-input
    or
    Example: Router(config-flow-monitor)# record netflow-original
    Purpose: Specifies the record for the flow monitor.

Step 6  end
    Example: Router(config-flow-monitor)# end
    Purpose: Exits flow monitor configuration mode and returns to privileged EXEC mode.

Configuring a Flow Monitor for IPv6 Traffic Using a Predefined Record

To configure a flow monitor for IPv6 traffic using a predefined record for the flow monitor, perform the following required task.

Flow Monitors

Each flow monitor has a separate cache assigned to it. Each flow monitor requires a record to define the contents and layout of its cache entries. The record format can be one of the predefined record formats, or an advanced user may create his or her own record format using the collect and match commands in flow record configuration mode.

Restrictions

You must remove a flow monitor from all of the interfaces on which you have applied it before you can modify the record format of the flow monitor.

SUMMARY STEPS

1. enable
2. configure terminal
3. flow monitor monitor-name
4. description string
5. record netflow ipv6 record [peer]
6. end
Configuring Cisco IOS Flexible NetFlow with Predefined Records How to Configure Flexible NetFlow Using a Predefined Record for the Flow Monitor
21
DETAILED STEPS
Command or Action Purpose
Step 1 enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3 flow monitor monitor-name
Example: Router(config)# flow monitor FLOW-MONITOR-2
Creates a flow monitor and enters Flexible NetFlow flow monitor configuration mode.
• This command also allows you to modify an existing flow monitor. For example, to modify the configuration of a flow monitor named “monitor-name”, use the flow monitor monitor-name command in global configuration mode.
Step 4 description string
Example: Router(config-flow-monitor)# description Used for monitoring IPv6 traffic
(Optional) Creates a description for the flow monitor.
Step 5 record netflow ipv6 record [peer]
Example: Router(config-flow-monitor)# record netflow ipv6 original-input
Specifies the record for the flow monitor.
Step 6 end
Example: Router(config-flow-monitor)# end
Exits flow monitor configuration mode and returns to privileged EXEC mode.
Applying an IPv4 Flow Monitor to an Interface
Before it can be activated, an IPv4 flow monitor must be applied to at least one interface. To activate an IPv4 flow monitor, perform the following required task.
Restrictions
When you specify the “NetFlow original” or the “NetFlow IPv4 original input” predefined record for the flow monitor to emulate original NetFlow, the flow monitor can be used only for analyzing input (ingress) traffic.
When you specify the “NetFlow IPv4 original output” predefined record for the flow monitor to emulate the Egress NetFlow Accounting feature, the flow monitor can be used only for analyzing output (egress) traffic.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip flow monitor monitor-name {input | output}
5. end
DETAILED STEPS
Command or Action Purpose
Step 1 enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3 interface type number
Example: Router(config)# interface ethernet 0/0
Specifies an interface and enters interface configuration mode.
Step 4 ip flow monitor monitor-name {input | output}
Example: Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
and/or
Example: Router(config-if)# ip flow monitor FLOW-MONITOR-1 output
Activates the flow monitor that you created previously by assigning it to the interface to analyze traffic.
• You can configure input and output traffic analysis concurrently by configuring the ip flow monitor monitor-name input and ip flow monitor monitor-name output commands on the same interface. You can use different flow monitors for input and output traffic analysis.
Step 5 end
Example: Router(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode.
Applying an IPv6 Flow Monitor to an Interface
Before it can be activated, an IPv6 flow monitor must be applied to at least one interface. To activate an IPv6 flow monitor, perform the following required task.
Restrictions
When you specify the “NetFlow IPv6 original input” predefined record for the flow monitor to emulate original NetFlow, the flow monitor can be used only for analyzing input (ingress) traffic.
When you specify the “NetFlow IPv6 original output” predefined record for the flow monitor to emulate the Egress NetFlow Accounting feature, the flow monitor can be used only for analyzing output (egress) traffic.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ipv6 flow monitor monitor-name {input | output}
5. end
DETAILED STEPS
Command or Action Purpose
Step 1 enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3 interface type number
Example: Router(config)# interface ethernet 0/0
Specifies an interface and enters interface configuration mode.
Step 4 ipv6 flow monitor monitor-name {input | output}
Example: Router(config-if)# ipv6 flow monitor FLOW-MONITOR-2 input
and/or
Example: Router(config-if)# ipv6 flow monitor FLOW-MONITOR-2 output
Activates the flow monitor that you created previously by assigning it to the interface to analyze traffic.
• You can configure input and output traffic analysis concurrently by configuring the ipv6 flow monitor monitor-name input and ipv6 flow monitor monitor-name output commands on the same interface. You can use different flow monitors for input and output traffic analysis.
Step 5 end
Example: Router(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode.
Verifying the Flow Monitor
To view the current status of a flow monitor and verify the configuration commands that you entered, perform the following optional task.
Prerequisites
The interface to which you applied the input flow monitor must be receiving traffic that meets the criteria defined by the NetFlow original record before you can view the flows in the flow monitor cache.
SUMMARY STEPS
1. enable
2. show flow monitor
3. show running-config flow monitor
DETAILED STEPS
Step 1 enable
The enable command enters privileged EXEC mode (enter the password if prompted).
Router> enable
Router#
Step 2 show flow monitor
The show flow monitor command shows the current status of the flow monitor that you specify.
Router# show flow monitor
Flow Monitor FLOW-MONITOR-1:
  Description:       Used for monitoring IPv4 traffic
  Flow Record:       netflow ipv4 original-input
  Cache:
    Type:              normal
    Status:            allocated
    Size:              4096 entries / 196620 bytes
    Inactive Timeout:  15 secs
    Active Timeout:    1800 secs
    Update Timeout:    1800 secs
Flow Monitor FLOW-MONITOR-2:
  Description:       Used for monitoring IPv6 traffic
  Flow Record:       netflow ipv6 original-input
  Cache:
    Type:              normal
    Status:            allocated
    Size:              4096 entries / 278544 bytes
    Inactive Timeout:  15 secs
    Active Timeout:    1800 secs
    Update Timeout:    1800 secs
Step 3 show running-config flow monitor
The show running-config flow monitor command shows the configuration commands of the flow monitor that you specify.
Router# show running-config flow monitor
Building configuration...
Current configuration:
!
flow monitor FLOW-MONITOR-1
 description Used for monitoring IPv4 traffic
 record netflow ipv4 original-input
!
flow monitor FLOW-MONITOR-2
 description Used for monitoring IPv6 traffic
 record netflow ipv6 original-input
!
end
Verifying That Flexible NetFlow Is Enabled
To verify that Flexible NetFlow is enabled on an interface, perform the following optional task.
SUMMARY STEPS
1. enable
2. show flow interface type number
DETAILED STEPS
Step 1 enable
The enable command enters privileged EXEC mode (enter the password if prompted).
Router> enable
Router#
Step 2 show flow interface type number
The show flow interface command verifies that Flexible NetFlow is enabled on an interface.
Router# show flow interface ethernet 0/0
Interface Ethernet0/0
  FNF:  monitor:         FLOW-MONITOR-1
        direction:       Input
        traffic(ip):     on
  FNF:  monitor:         FLOW-MONITOR-2
        direction:       Input
        traffic(ipv6):   on
Viewing the Flow Monitor Cache
To view the data in the flow monitor cache, perform the following optional task.
Prerequisites
The interface to which you applied the input flow monitor must be receiving traffic that meets the criteria defined by the NetFlow original record before you can view the flows in the flow monitor cache.
SUMMARY STEPS
1. enable
2. show flow monitor name monitor-name cache format record
DETAILED STEPS
Step 1 enable
The enable command enters privileged EXEC mode (enter the password if prompted).
Router> enable
Router#
Step 2 show flow monitor name monitor-name cache format record
The show flow monitor name monitor-name cache format record command string displays the status, statistics, and flow data in the cache for a flow monitor.
Router# show flow monitor name FLOW-MONITOR-1 cache format record
Cache type:                            Normal
Cache size:                              4096
Current entries:                            1
High Watermark:                             2
Flows added:                                8
Flows aged:                                 7
  - Active timeout   (  1800 secs)          0
  - Inactive timeout (    15 secs)          7
  - Event aged                              0
  - Watermark aged                          0
  - Emergency aged                          0
IP DESTINATION AS:        0
IPV4 DESTINATION PREFIX:  172.16.10.0
IPV4 DESTINATION MASK:    /24
INTERFACE OUTPUT:         Et1/0
FLOW DIRECTION:           Input
counter bytes:            4292430
counter packets:          4305
timestamp first:          15853684
timestamp last:           15860868
Router# show flow monitor name FLOW-MONITOR-2 cache format record
Cache type:                            Normal
Cache size:                              4096
Current entries:                            6
High Watermark:                             8
Flows added:                             1048
Flows aged:                              1042
  - Active timeout   (  1800 secs)         11
  - Inactive timeout (    15 secs)       1031
  - Event aged                              0
  - Watermark aged                          0
  - Emergency aged                          0
IPV6 FLOW LABEL:           0
IPV6 EXTENSION MAP:        0x00000040
IPV6 SOURCE ADDRESS:       2001:DB8:1:ABCD::1
IPV6 DESTINATION ADDRESS:  2001:DB8:4:ABCD::2
TRNS SOURCE PORT:          3000
TRNS DESTINATION PORT:     55
INTERFACE INPUT:           Et0/0
FLOW DIRECTION:            Input
FLOW SAMPLER ID:           0
IP PROTOCOL:               17
IP TOS:                    0x00
ip source as:              0
ip destination as:         0
ipv6 next hop address:     ::
ipv6 source mask:          /48
ipv6 destination mask:     /0
tcp flags:                 0x00
interface output:          Null
counter bytes:             521192
counter packets:           9307
timestamp first:           9899684
timestamp last:            11660744
...
IPV6 FLOW LABEL:           0
IPV6 EXTENSION MAP:        0x00000000
IPV6 SOURCE ADDRESS:       FE80::A8AA:BBFF:FEBB:CC03
IPV6 DESTINATION ADDRESS:  FF02::9
TRNS SOURCE PORT:          521
TRNS DESTINATION PORT:     521
INTERFACE INPUT:           Et0/0
FLOW DIRECTION:            Input
FLOW SAMPLER ID:           0
IP PROTOCOL:               17
IP TOS:                    0xE0
ip source as:              0
ip destination as:         0
ipv6 next hop address:     ::
ipv6 source mask:          /10
ipv6 destination mask:     /0
tcp flags:                 0x00
interface output:          Null
counter bytes:             92
counter packets:           1
timestamp first:           11653832
timestamp last:            11653832
Configuration Examples for Configuring Flexible NetFlow with Predefined Records
This section contains the following configuration examples:
• Configuring a Flexible NetFlow Predefined Record for IPv4 Traffic: Example
• Configuring a Flexible NetFlow Predefined Record for IPv6 Traffic: Example
Configuring a Flexible NetFlow Predefined Record for IPv4 Traffic: Example
The following example shows how to configure a flow monitor using the Flexible NetFlow “BGP ToS next-hop” predefined record to monitor IPv4 traffic.
This sample starts in global configuration mode:
!
flow monitor FLOW-MONITOR-1
 record netflow ipv4 bgp-nexthop-tos
 exit
!
ip cef
!
interface Ethernet0/0
 ip address 172.16.6.2 255.255.255.0
 ip flow monitor FLOW-MONITOR-1 input
!
Configuring a Flexible NetFlow Predefined Record for IPv6 Traffic: Example
The following example shows how to configure a flow monitor using the Flexible NetFlow “source prefix” predefined record to monitor IPv6 traffic.
This sample starts in global configuration mode:
!
flow monitor FLOW-MONITOR-2
 record netflow ipv6 source-prefix
 exit
ip cef
ipv6 cef
!
interface Ethernet0/0
 ipv6 address 2001:DB8:2:ABCD::2/48
 ipv6 flow monitor FLOW-MONITOR-2 input
!
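A check for the restrictions stated in this module, as an added example that is not part of the Cisco guide: a Python script that reads a running configuration and reports flow monitors whose predefined "original" record is applied in the wrong direction, monitors that are never applied to an interface, monitors without a record, and interfaces that reference an undefined monitor. The sample configuration, the finding names and the function names are constructed for the illustration; the optional sampler keyword accepted in the interface command belongs to the flow sampling module, not to this section.

```python
import re

# Constructed running-config excerpt for the demonstration (not from a real device).
SAMPLE_CONFIG = """\
!
flow monitor FLOW-MONITOR-1
 description Used for monitoring IPv4 traffic
 record netflow ipv4 original-input
!
flow monitor FLOW-MONITOR-2
 description Used for monitoring IPv6 traffic
 record netflow ipv6 original-output
!
flow monitor FLOW-MONITOR-3
 record netflow ipv4 bgp-nexthop-tos
!
interface Ethernet0/0
 ip address 172.16.6.2 255.255.255.0
 ip flow monitor FLOW-MONITOR-1 input
 ip flow monitor FLOW-MONITOR-1 output
 ipv6 flow monitor FLOW-MONITOR-2 input
!
interface Ethernet1/0
 ip flow monitor FLOW-MONITOR-9 input
!
end
"""

# Direction limits from the Restrictions paragraphs for the "original" records.
REQUIRED_DIRECTION = {
    "netflow-original": "input",
    "netflow ipv4 original-input": "input",
    "netflow ipv6 original-input": "input",
    "netflow ipv4 original-output": "output",
    "netflow ipv6 original-output": "output",
}

# ip|ipv6 flow monitor NAME [sampler NAME] input|output
APPLY_RE = re.compile(r"^(ip|ipv6) flow monitor (\S+)(?: sampler \S+)? (input|output)$")


def parse_config(text):
    """Return ({monitor: record or None}, [(interface, monitor, direction), ...])."""
    monitors, applied = {}, []
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():                  # a top-level command opens a new section
            words = line.split()
            if words[:2] == ["flow", "monitor"] and len(words) == 3:
                kind, name = "monitor", words[2]
                monitors.setdefault(name, None)
            elif words[0] == "interface" and len(words) > 1:
                kind, name = "interface", "".join(words[1:])
            else:
                kind = name = None
        elif kind == "monitor" and line.startswith("record "):
            monitors[name] = " ".join(line.split()[1:])
        elif kind == "interface":
            match = APPLY_RE.match(line)
            if match:
                applied.append((name, match.group(2), match.group(3)))
    return monitors, applied


def audit(text):
    """Return a sorted list of (finding, monitor, interface) tuples."""
    monitors, applied = parse_config(text)
    findings, used = set(), set()
    for interface, monitor, direction in applied:
        used.add(monitor)
        if monitor not in monitors:
            findings.add(("undefined-monitor", monitor, interface))
            continue
        required = REQUIRED_DIRECTION.get(monitors[monitor])
        if required and required != direction:
            findings.add((f"{required}-only-record-applied-{direction}", monitor, interface))
    for monitor, record in monitors.items():
        if record is None:                        # every flow monitor requires a record
            findings.add(("monitor-has-no-record", monitor, "-"))
        if monitor not in used:                   # not applied to any interface: inactive
            findings.add(("monitor-not-applied", monitor, "-"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding)
```

A monitor that is defined but never applied collects nothing, so the "monitor-not-applied" finding marks an interface with no flow visibility rather than a syntax problem.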
Where to Go Next
For information on advanced Flexible NetFlow configurations for specific purposes such as quality of service (QoS) and bandwidth monitoring, application and user flow monitoring and profiling, and security analysis, refer to the “Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors” module.
If you want to configure flow sampling to reduce the CPU overhead of analyzing traffic, refer to the “Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic” module.
If you want to configure data export for Flexible NetFlow, refer to the “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters” module.
Additional References
The following sections provide references related to Flexible NetFlow.
Related Documents
Related Topic Document Title
Overview of Flexible NetFlow “Cisco IOS Flexible NetFlow Overview”
Flexible NetFlow Feature Roadmap “Cisco IOS Flexible NetFlow Features Roadmap”
Emulating original NetFlow with Flexible NetFlow “Getting Started with Configuring Cisco IOS Flexible NetFlow”
Configuring flow exporters to export Flexible NetFlow data “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters”
Customizing Flexible NetFlow “Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors”
Configuring flow sampling to reduce the overhead of monitoring traffic with Flexible NetFlow “Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic”
Using Flexible Netflow Top N Talkers to Analyze Network Traffic “Using Cisco IOS Flexible Netflow Top N Talkers to Analyze Network Traffic”
Configuring IPv4 Multicast Statistics Support for Flexible NetFlow “Configuring IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow”
Configuration commands for Flexible NetFlow Cisco IOS Flexible NetFlow Command Reference
Standards
Standard Title
There are no standards associated with this feature. —
MIBs
MIB MIBs Link
None. To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC Title
RFC3954 Cisco Systems NetFlow Services Export Version 9
Technical Assistance
Description Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
http://www.cisco.com/techsupport
Feature Information for Flexible NetFlow
Table 18 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or Cisco IOS Releases 12.2(1) or 12.0(3)S or a later release appear in the table.
For information on a feature in this technology that is not documented here, see the “Cisco IOS Flexible NetFlow Features Roadmap”.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS, Catalyst OS, and Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 18 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 18 Feature Information for Flexible NetFlow
Feature Name Releases Feature Configuration Information
Flexible NetFlow 12.4(9)T Flexible NetFlow is introduced.
Information about the Flexible NetFlow feature is included in the following sections:
• Prerequisites for Configuring Flexible NetFlow with Predefined Records
• Information About Configuring Flexible NetFlow with Predefined Records
• How to Configure Flexible NetFlow Using a Predefined Record for the Flow Monitor
• Configuration Examples for Configuring Flexible NetFlow with Predefined Records
The following commands were introduced or modified: cache (Flexible NetFlow), clear flow exporter, clear flow monitor, clear sampler, collect counter, collect flow, collect interface, collect ipv4, collect ipv4 destination, collect ipv4 fragmentation, collect ipv4 section, collect ipv4 source, collect ipv4 total-length, collect ipv4 ttl, collect routing, collect timestamp sys-uptime, collect transport, collect transport icmp ipv4, collect transport tcp, collect transport udp, debug flow exporter, debug flow monitor, debug flow record, debug sampler, description (Flexible NetFlow), destination, dscp (Flexible NetFlow), exporter, flow exporter, flow monitor, flow record, ip flow monitor, match flow, match interface (Flexible NetFlow), match ipv4, match ipv4 destination, match ipv4 fragmentation, match ipv4 section, match ipv4 source, match ipv4 total-length, match ipv4 ttl, match routing, match transport, match transport icmp ipv4, match transport tcp, match transport udp, mode (Flexible NetFlow), option (Flexible NetFlow), record, sampler, show flow exporter, show flow interface, show flow monitor, show flow record, show sampler, source (Flexible NetFlow), statistics packet, template data timeout, transport (Flexible NetFlow).
Flexible NetFlow - IPv6 Unicast Flows 12.4(20)T Enables Flexible NetFlow to monitor IPv6 traffic.
Information about the Flexible NetFlow - IPv6 Unicast Flows feature is included in the following sections:
• Configuring a Flow Monitor for IPv6 Traffic Using a Predefined Record
• Applying an IPv6 Flow Monitor to an Interface
• Configuring a Flexible NetFlow Predefined Record for IPv6 Traffic: Example
The following commands were introduced or modified: collect routing, debug flow record, match routing, record, show flow monitor, show flow record, collect ipv6, collect ipv6 destination, collect ipv6 extension map, collect ipv6 fragmentation, collect ipv6 hop-limit, collect ipv6 length, collect ipv6 section, collect ipv6 source, collect transport icmp ipv6, ipv6 flow monitor, match ipv6, match ipv6 destination, match ipv6 extension map, match ipv6 fragmentation, match ipv6 hop-limit, match ipv6 length, match ipv6 section, match ipv6 source, match transport icmp ipv6.
© 2008 Cisco Systems, Inc. All rights reserved.
Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters
First Published: June 19, 2006
Last Updated: October 10, 2008
This document contains information about and instructions for configuring flow exporters to export Flexible NetFlow data to remote systems such as a UNIX server running NetFlow collector.
NetFlow is a Cisco IOS technology that provides statistics on packets flowing through the router. NetFlow is the standard for acquiring IP operational data from IP networks. NetFlow provides network and security monitoring, network planning, traffic analysis, and IP accounting.
Flexible NetFlow improves on original NetFlow by adding the capability to customize the traffic analysis parameters for your specific requirements. Flexible NetFlow makes it easier to create more complex configurations for traffic analysis and data export through the use of reusable configuration components.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the “Feature Information for Flexible NetFlow” section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for Configuring Data Export for Flexible NetFlow with Flow Exporters
• Restrictions for Configuring Data Export for Flexible NetFlow with Flow Exporters
• Information About Data Export for Flexible NetFlow with Flow Exporters
• How to Configure Data Export for Flexible NetFlow with Flow Exporters
• Configuration Examples for Flexible NetFlow Data Export with Flow Exporters
• Where to Go Next
• Additional References
• Feature Information for Flexible NetFlow
Prerequisites for Configuring Data Export for Flexible NetFlow with Flow Exporters
The following prerequisites must be met before you can configure Flexible NetFlow:
• You are familiar with the information in the “Cisco IOS Flexible NetFlow Overview” module.
• The networking device must be running a Cisco IOS release that supports Flexible NetFlow. See the “Cisco IOS Flexible NetFlow Features Roadmap” module for a list of Cisco IOS software releases that support Flexible NetFlow.
IPv4 Traffic
• The networking device must be configured for IPv4 routing.
• One of the following must be enabled on your router and on any interfaces on which you want to enable Flexible NetFlow: Cisco Express Forwarding (CEF) or distributed CEF (dCEF).
IPv6 Traffic
• The networking device must be configured for IPv6 routing.
• One of the following must be enabled on your router and on any interfaces on which you want to enable Flexible NetFlow: Cisco Express Forwarding IPv6 (CEF IPv6) or distributed CEF IPv6 (dCEF IPv6).
Restrictions for Configuring Data Export for Flexible NetFlow with Flow Exporters
The following restriction applies to configuring data export for Flexible NetFlow with flow exporters:
• The NetFlow Version 5 export protocol that was first shipped in Cisco IOS Release 12.4(22)T is supported only for flow monitors that use the Flexible NetFlow predefined records.
Information About Data Export for Flexible NetFlow with Flow Exporters
Before you configure a flow exporter, you need to understand the following:
• Flow Exporters
• Benefits of Flexible NetFlow Flow Exporters
Flow Exporters
Flow exporters are created as separate components in a router’s configuration. Exporters are assigned to flow monitors to export the data from the flow monitor cache to a remote system such as a NetFlow collector. Flow monitors can support more than one exporter. Each exporter can be customized to meet the requirements of the flow monitor or monitors in which it is used and the NetFlow collector systems to which it is exporting data.
Benefits of Flexible NetFlow Flow Exporters
Flexible NetFlow allows you to configure many different flow exporters, depending on your requirements. Some of the benefits of Flexible NetFlow flow exporters are as follows:
• Using flow exporters, you can create an exporter for every type of traffic that you want to analyze so that you can send each type of traffic to a different NetFlow collector. Original NetFlow sends the data in a cache for all of the analyzed traffic to a maximum of two export destinations.
• Flow exporters support up to 10 exporters per flow monitor. Original NetFlow is limited to only two export destinations per cache.
• In Cisco IOS Release 12.4(20)T and newer releases, flow exporters can use class of service (CoS) in the packets that are sent to export destinations to help ensure that the packets are given the correct priority throughout the network. Original Netflow exporters do not use CoS in the packets that are sent to export destinations.
• In Cisco IOS Release 12.4(20)T and newer releases, flow exporter traffic can be encrypted.
How to Configure Data Export for Flexible NetFlow with Flow Exporters
The tasks in this section explain how to export the data that is collected by Flexible NetFlow to a remote system for further analysis and storage.
Flow Exporters
Flow exporters are used to send the data that you collect with Flexible NetFlow to a remote system such as a NetFlow collector. Flow exporters use UDP as the transport protocol.
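What the collector at the other end of such an exporter has to do, as an added example that is not from the Cisco guide: a minimal decoder for the netflow-v9 export format of RFC 3954. Data records can be decoded only after the matching template has arrived over UDP, which is why the exporter resends templates (the template data timeout command in the configuration task). The datagrams, template ID 256, the field selection and the V9Collector name are constructed for the illustration.

```python
import ipaddress
import struct

# Field type numbers from RFC 3954; only the ones this example uses.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
HEADER = struct.Struct("!HHIIII")  # version, count, sysUpTime, unix_secs, sequence, source_id


class V9Collector:
    """Collector-side decoder that caches templates per exporter and source ID."""

    def __init__(self):
        self.templates = {}   # (exporter, source_id, template_id) -> [(type, length)]
        self.undecodable = 0  # data flowsets dropped because no template was cached

    def feed(self, exporter, datagram):
        """Decode one export datagram and return the flow records it carried."""
        if len(datagram) < HEADER.size:
            raise ValueError("datagram shorter than the 20-byte v9 header")
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(datagram)
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version field = {version})")
        flows, off = [], HEADER.size
        while off + 4 <= len(datagram):
            flowset_id, length = struct.unpack_from("!HH", datagram, off)
            if length < 4 or off + length > len(datagram):
                raise ValueError("flowset length runs past the datagram")
            body = datagram[off + 4:off + length]
            if flowset_id == 0:                      # template flowset
                self._learn(exporter, source_id, body)
            elif flowset_id > 255:                   # data flowset, ID = template ID
                flows += self._decode((exporter, source_id, flowset_id), body)
            off += length                            # IDs 1-255 (options, reserved) are skipped
        return flows

    def _learn(self, exporter, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, nfields = struct.unpack_from("!HH", body, pos)
            pos += 4
            if template_id < 256 or pos + 4 * nfields > len(body):
                break                                # padding or truncated record
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
            self.templates[(exporter, source_id, template_id)] = fields
            pos += 4 * nfields

    def _decode(self, key, body):
        fields = self.templates.get(key)
        if fields is None:                           # template not seen yet, or lost
            self.undecodable += 1
            return []
        record_len = sum(length for _, length in fields)
        flows, pos = [], 0
        while record_len and pos + record_len <= len(body):  # trailing bytes are padding
            flow = {}
            for ftype, length in fields:
                raw = body[pos:pos + length]
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                if ftype in (8, 12) and length == 4:
                    flow[name] = str(ipaddress.IPv4Address(raw))
                else:
                    flow[name] = int.from_bytes(raw, "big")
                pos += length
            flows.append(flow)
        return flows


# --- Constructed datagrams (not captured from a device) ---
TEMPLATE_ID = 256  # constructed; IDs below 256 are reserved for flowset IDs
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]


def header(sequence, source_id=1):
    return HEADER.pack(9, 1, 15860868, 1223596800, sequence, source_id)


def template_datagram(sequence):
    body = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    body += b"".join(struct.pack("!HH", t, n) for t, n in FIELDS)
    return header(sequence) + struct.pack("!HH", 0, 4 + len(body)) + body


def data_datagram(sequence, src, dst, sport, dport, proto, packets, octets):
    body = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    body += struct.pack("!HHBII", sport, dport, proto, packets, octets)
    body += b"\x00" * (-len(body) % 4)               # pad the flowset to a 32-bit boundary
    return header(sequence) + struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body


def demo():
    """Data that arrives before its template is dropped; after the template it decodes."""
    collector = V9Collector()
    data = data_datagram(0, "172.16.10.5", "172.16.10.2", 3000, 55, 17, 4305, 4292430)
    early = collector.feed("172.16.6.2", data)
    collector.feed("172.16.6.2", template_datagram(1))
    late = collector.feed("172.16.6.2", data)
    return early, collector.undecodable, late


if __name__ == "__main__":
    print(demo())
```

The template cache is keyed by exporter address and source ID, so a template learned from one exporter never decodes data from another.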
Restrictions
Each flow exporter supports only one destination. If you want to export the data to multiple destinations, you must configure multiple flow exporters and assign them to the flow monitor. Flow exporters are added to flow monitors to enable data export from the flow monitor cache.
Note Only the keywords and arguments required for the Flexible NetFlow commands used in these tasks are explained in these tasks. For information about the other keywords and arguments available for these Flexible NetFlow commands, refer to the Cisco IOS Flexible NetFlow Command Reference.
To configure data export for Flexible NetFlow, perform the tasks in this section:
• Configuring the Flow Exporter
• Verifying the Flow Exporter (optional)
• Configuring and Enabling Flexible NetFlow with Data Export
• Verifying That Data Export Is Enabled for the Flow Monitor (optional)
Configuring the Flow Exporter
To configure the flow exporter, perform the following required task.
SUMMARY STEPS
1. enable
2. configure terminal
3. flow exporter exporter-name
4. description string
5. destination {ip-address | hostname} [vrf vrf-name]
6. export-protocol {netflow-v5 | netflow-v9}
7. dscp dscp
8. source type number
9. option {{exporter-stats | interface-table | sampler-table} [timeout seconds]}
10. output-features
11. template data timeout seconds
12. transport udp udp-port
13. ttl ttl
14. end
DETAILED STEPS
Command or Action Purpose
Step 1 enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3 flow exporter exporter-name
Example: Router(config)# flow exporter EXPORTER-1
Creates the flow exporter and enters flow exporter configuration mode.
• This command also allows you to modify an existing flow exporter. For example, to modify the configuration of a flow exporter named “EXPORTER-1”, use the flow exporter EXPORTER-1 command and argument in global configuration mode.
Step 4 description string
Example: Router(config-flow-exporter)# description Exports to the Chicago datacenter
(Optional) Configures a description to the exporter that will appear in the configuration and the display of the show flow exporter command.
Step 5 destination {ip-address | hostname} [vrf vrf-name]
Example: Router(config-flow-exporter)# destination 172.16.10.2
Specifies the IP address or hostname of the destination system for the exporter.
Step 6 export-protocol {netflow-v5 | netflow-v9}
Example: Router(config-flow-exporter)# export-protocol netflow-v9
Specifies the version of the NetFlow export protocol used by the exporter. Default: netflow-v9.
Step 7 dscp dscp
Example: Router(config-flow-exporter)# dscp 63
(Optional) Configures DSCP parameters for datagrams sent by the exporter.
• The range for the dscp argument is from 0 to 63. Default: 0.
Step 8 source type number
Example: Router(config-flow-exporter)# source ethernet 0/0
(Optional) Specifies the local interface from which the exporter will use the IP address as the source IP address for exported datagrams.
Step 9 option {{exporter-stats | interface-table | sampler-table} [timeout seconds]}
Example: Router(config-flow-exporter)# option exporter-stats timeout 120
(Optional) Configures options data parameters for the exporter.
• You can configure all three options concurrently.
• The range for the seconds argument is 1 to 86400. Default: 600
Step 10 output-features
Example: Router(config-flow-exporter)# output-features
(Optional) Enables sending export packets using quality of service (QoS) and encryption.
Step 11 template data timeout seconds
Example: Router(config-flow-exporter)# template data timeout 120
(Optional) Configures resending of templates based on a timeout.
• The range for the seconds argument is 1 to 86400 seconds. (86400 seconds = 24 hours)
Step 12 transport udp udp-port
Example: Router(config-flow-exporter)# transport udp 650
Specifies the UDP port on which the destination system is listening for exported datagrams.
• The range for the udp-port argument is from 1 to 65536.
Step 13 ttl ttl
Example: Router(config-flow-exporter)# ttl 15
(Optional) Configures the time-to-live (TTL) value for datagrams sent by the exporter.
• The range for the ttl argument is from 1 to 255.
Step 14 end
Example: Router(config-flow-exporter)# end
Exits flow exporter configuration mode and returns to privileged EXEC mode.
Verifying the Flow Exporter
To view the current status of a flow exporter and verify the configuration commands that you entered, perform the following optional task.
SUMMARY STEPS
1. enable
2. show flow exporter
3. show running-config flow exporter
DETAILED STEPS
Step 1 enable
The enable command enters privileged EXEC mode (enter the password if prompted).
Router> enable
Router#
Step 2 show flow exporter
The show flow exporter command shows the current status of the flow exporter that you specify.
Router# show flow exporter EXPORTER-1
Flow Exporter EXPORTER-1:
  Description:              Exports to the Chicago datacenter
  Transport Configuration:
    Destination IP address: 172.16.10.2
    Source IP address:      172.16.6.2
    Source Interface:       Ethernet0/0
    Transport Protocol:     UDP
    Destination Port:       650
    Source Port:            55864
    DSCP:                   0x3F
    TTL:                    15
    Output Features:        Used
  Options Configuration:
    exporter-stats (timeout 120 seconds)
    interface-table (timeout 120 seconds)
    sampler-table (timeout 120 seconds)
Step 3 show running-config flow exporter
The show running-config flow exporter command shows the configuration commands of the flow exporter that you specify.
Router# show running-config flow exporter EXPORTER-1
Building configuration...
Current configuration:
!
flow exporter EXPORTER-1
 description Exports to the Chicago datacenter
 destination 172.16.10.2
 source Ethernet0/0
 output-features
 dscp 63
 ttl 15
 transport udp 650
 template data timeout 120
 option exporter-stats timeout 120
 option interface-table timeout 120
 option sampler-table timeout 120
!
end
Configuring and Enabling Flexible NetFlow with Data Export
You must create a flow monitor to configure the types of traffic for which you want to export the cache data. You must enable the flow monitor by applying it to at least one interface to start exporting data. To configure and enable Flexible NetFlow with data export, perform this required task.
Flow Monitors
Each flow monitor has a separate cache assigned to it. Each flow monitor requires a record to define the contents and layout of its cache entries. The record format can be one of the predefined record formats, or an advanced user may create his or her own record format using the collect and match commands in flow record configuration mode.
Restrictions
You must remove a flow monitor from all of the interfaces to which you have applied it before you can modify the record format of the flow monitor.
When you specify the “NetFlow original” or the “NetFlow IPv4 original input” or the “NetFlow IPv6 original input” predefined record for the flow monitor to emulate original NetFlow, the flow monitor can be used only for analyzing input (ingress) traffic.
When you specify the “NetFlow IPv4 original output” or the “NetFlow IPv6 original output” predefined record for the flow monitor to emulate the Egress NetFlow Accounting feature, the flow monitor can be used only for analyzing output (egress) traffic.
SUMMARY STEPS
1. enable
2. configure terminal
3. flow monitor monitor-name
4. record {record-name | netflow-original | netflow {ipv4 | ipv6} record [peer]}
5. exporter exporter-name
6. exit
7. interface type number
8. {ip | ipv6} flow monitor monitor-name {input | output}
9. end
DETAILED STEPS
Command or Action Purpose
Step 1 enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3 flow monitor monitor-name
Example: Router(config)# flow monitor FLOW-MONITOR-1
Creates a flow monitor and enters Flexible NetFlow flow monitor configuration mode.
• This command also allows you to modify an existing flow monitor. For example, to modify the configuration of a flow monitor named “monitor-name”, use the flow monitor monitor-name command in global configuration mode.
Step 4 record {record-name | netflow-original | netflow {ipv4 | ipv6} record [peer]}
Example: Router(config-flow-monitor)# record netflow ipv4 original-input
and/or
Example: Router(config-flow-monitor)# record netflow ipv6 original-input
Specifies the record for the flow monitor.
Step 5 exporter exporter-name
Example: Router(config-flow-monitor)# exporter EXPORTER-1
Specifies the name of an exporter that you created previously.
Step 6 exit
Example: Router(config-flow-monitor)# exit
Exits Flexible NetFlow flow monitor configuration mode and returns to global configuration mode.
Step 7 interface type number
Example: Router(config)# interface ethernet 0/0
Specifies an interface and enters interface configuration mode.
Step 8 {ip | ipv6} flow monitor monitor-name {input | output}
Example: Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
and/or
Example: Router(config-if)# ipv6 flow monitor FLOW-MONITOR-2 input
Activates the flow monitor that you created previously by assigning it to the interface to analyze traffic.
Step 9 end
Example: Router(config-if)# end
Exits flow interface configuration mode and returns to privileged EXEC mode.
Verifying That Data Export Is Enabled for the Flow Monitor
To verify that data export is enabled for the flow monitor cache, perform the following optional task.
Prerequisites
Before you can view the flows in the flow monitor cache, the interface to which you applied the input flow monitor must be receiving traffic that meets the criteria defined by the NetFlow original record.
SUMMARY STEPS
1. enable
2. show flow monitor name monitor-name
DETAILED STEPS
Step 1 enable
The enable command enters privileged EXEC mode (enter the password if prompted).
Router> enable
Router#
Step 2 show flow monitor name monitor-name
Displays the status and statistics for a flow monitor.
Router# show flow monitor name FLOW-MONITOR-1
Flow Monitor FLOW-MONITOR-1:
  Description: User defined
  Flow Record: netflow original-input
  Flow Exporter: EXPORTER-1
  Cache:
    Type: normal
    Status: allocated
    Size: 4096 entries / 311316 bytes
    Inactive Timeout: 15 secs
    Active Timeout: 1800 secs
    Update Timeout: 1800 secs
Configuration Examples for Flexible NetFlow Data Export with Flow Exporters
The following examples show you how to configure data export for Flexible NetFlow:
• Configuring Multiple Export Destinations: Example
• Configuring Sending Export Packets Using QoS: Example
• Configuring Version 5 Export: Example
Configuring Multiple Export Destinations: Example
The following example shows how to configure multiple export destinations for Flexible NetFlow for IPv4 and IPv6 traffic.
This sample starts in global configuration mode:
!
flow exporter EXPORTER-1
 destination 172.16.10.2
 transport udp 90
 exit
!
flow exporter EXPORTER-2
 destination 172.16.10.3
 transport udp 90
 exit
!
flow monitor FLOW-MONITOR-1
 record netflow ipv4 original-input
 exporter EXPORTER-2
 exporter EXPORTER-1
!
!
flow monitor FLOW-MONITOR-2
 record netflow ipv6 original-input
 exporter EXPORTER-2
 exporter EXPORTER-1
!
ip cef
!
interface Ethernet0/0
 ip address 172.16.6.2 255.255.255.0
 ipv6 address 2001:DB8:2:ABCD::2/48
 ip flow monitor FLOW-MONITOR-1 input
 ipv6 flow monitor FLOW-MONITOR-2 input
!
The following display output shows that the flow monitor is exporting data to the two exporters:
Router# show flow monitor FLOW-MONITOR-1
Flow Monitor FLOW-MONITOR-1:
  Description: User defined
  Flow Record: netflow original-input
  Flow Exporter: EXPORTER-1
                 EXPORTER-2
  Cache:
    Type: normal
    Status: allocated
    Size: 4096 entries / 311316 bytes
    Inactive Timeout: 15 secs
    Active Timeout: 1800 secs
    Update Timeout: 1800 secs
Configuring Sending Export Packets Using QoS: Example
The following example shows how to configure sending Flexible NetFlow export packets using quality of service (QoS).
Note The Flexible NetFlow export packets to the destination host (IP address 10.0.1.2) are transmitted on Ethernet 0/1 using QoS.
This sample starts in global configuration mode:
!
flow record FLOW-RECORD-1
 match ipv4 source address
 collect counter packets
!
flow exporter FLOW-EXPORTER-1
 destination 10.0.1.2
 output-features
 dscp 18
!
flow monitor FLOW-MONITOR-1
 record FLOW-RECORD-1
 exporter FLOW-EXPORTER-1
 cache entries 1024
!
ip cef
!
class-map match-any COS3
!
policy-map PH_LABS_FRL_64k_16k_16k_8k_8k
 class COS3
  bandwidth percent 2
  random-detect dscp-based
  random-detect exponential-weighting-constant 1
  random-detect dscp 18 200 300 10
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip flow monitor FLOW-MONITOR-1 input
!
interface Ethernet0/1
 ip address 10.0.1.1 255.255.255.0
 service-policy output PH_LABS_FRL_64k_16k_16k_8k_8k
!
The following display output shows that the flow monitor is exporting data using output feature support that enables the exported data to use QoS:
Router# show flow exporter FLOW-EXPORTER-1
Flow Exporter FLOW-EXPORTER-1:
  Description: User defined
  Tranport Configuration:
    Destination IP address: 10.0.1.2
    Source IP address: 10.0.0.1
    Transport Protocol: UDP
    Destination Port: 9995
    Source Port: 56750
    DSCP: 0x12
    TTL: 255
    Output Features: Used
Configuring Version 5 Export: Example
The following example shows how to configure version 5 export for Flexible NetFlow.
This sample starts in global configuration mode:
!
flow exporter EXPORTER-1
 destination 172.16.10.2
 export-protocol netflow-v5
 transport udp 90
 exit
!
flow monitor FLOW-MONITOR-1
 record netflow ipv4 original-input
 exporter EXPORTER-1
!
ip cef
!
interface Ethernet0/0
 ip address 172.16.6.2 255.255.255.0
 ip flow monitor FLOW-MONITOR-1 input
!
The following display output shows that the flow exporter is using the NetFlow Version 5 export protocol:
Router# show flow exporter FLOW-EXPORTER-6
Flow Exporter FLOW-EXPORTER-6:
  Description: User defined
  Export protocol: NetFlow Version 5
  Transport Configuration:
    Destination IP address: 172.31.90.23
    Source IP address: 10.1.1.2
    Transport Protocol: UDP
    Destination Port: 90
    Source Port: 55950
    DSCP: 0x0
    TTL: 255
    Output Features: Not Used
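A collector-side view of the version 5 export configured above, as an added example (not code from this guide or from Cisco): it parses one NetFlow v5 datagram with strict length checks and uses the header's flow sequence number to count flow records lost on the UDP transport. The function names, the sample flows and the 192.0.2.x/198.51.100.x addresses are constructed for the illustration.

```python
import socket
import struct

# NetFlow v5 export datagram: 24-byte header, then `count` records of 48 bytes each.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_V5_RECORDS = 30  # upper bound on records in one v5 datagram


class ExportError(ValueError):
    """The datagram is not a well-formed NetFlow v5 export."""


def parse_v5(datagram):
    """Validate one UDP payload and return (header, records)."""
    if len(datagram) < V5_HEADER.size:
        raise ExportError("shorter than the v5 header")
    (version, count, sys_uptime, unix_secs, _nsecs, flow_sequence,
     engine_type, engine_id, _sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ExportError(f"export version {version}, expected 5")
    if not 1 <= count <= MAX_V5_RECORDS:
        raise ExportError(f"implausible record count {count}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ExportError("length does not match the header's record count")
    header = {"count": count, "sys_uptime_ms": sys_uptime, "unix_secs": unix_secs,
              "flow_sequence": flow_sequence, "engine_type": engine_type,
              "engine_id": engine_id}
    records = []
    for i in range(count):
        (src, dst, _nexthop, input_if, output_if, packets, octets, _first, _last,
         src_port, dst_port, _pad1, tcp_flags, protocol, tos,
         _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                        "input_if": input_if, "output_if": output_if,
                        "packets": packets, "octets": octets,
                        "src_port": src_port, "dst_port": dst_port,
                        "tcp_flags": tcp_flags, "protocol": protocol, "tos": tos})
    return header, records


class SequenceTracker:
    """Count flow records missed between datagrams from one exporter.

    flow_sequence is the number of flows exported before this datagram, so the
    next datagram should carry flow_sequence + count. A very large result means
    the exporter restarted or datagrams arrived out of order.
    """

    def __init__(self):
        self._expected = {}

    def update(self, exporter_ip, header):
        key = (exporter_ip, header["engine_type"], header["engine_id"])
        expected = self._expected.get(key)
        self._expected[key] = (header["flow_sequence"] + header["count"]) & 0xFFFFFFFF
        if expected is None:
            return 0  # first datagram seen from this exporter
        return (header["flow_sequence"] - expected) & 0xFFFFFFFF


def sample_datagram(flow_sequence, flows):
    """Build a constructed v5 datagram for the demo (not captured traffic)."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("0.0.0.0"), 1, 2, packets, octets,
                       1000, 2000, sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
        for (src, dst, sport, dport, proto, flags, packets, octets) in flows)
    return V5_HEADER.pack(5, len(flows), 5000, 1222000000, 0,
                          flow_sequence, 0, 0, 0) + body


def demo():
    """Parse two constructed datagrams; the second skips three flow records."""
    tracker = SequenceTracker()
    first = sample_datagram(100, [
        ("192.0.2.10", "198.51.100.5", 40000, 443, 6, 0x1B, 12, 4800),
        ("192.0.2.11", "198.51.100.5", 40001, 53, 17, 0x00, 1, 72)])
    second = sample_datagram(105, [
        ("192.0.2.12", "198.51.100.6", 40002, 22, 6, 0x02, 1, 40)])
    results = []
    for datagram in (first, second):
        header, records = parse_v5(datagram)
        # 172.16.6.2 is the exporter source address from the example above.
        results.append((tracker.update("172.16.6.2", header), records))
    return results


if __name__ == "__main__":
    for lost, records in demo():
        print(f"lost={lost} records={records}")
```

A non-zero loss count that keeps recurring points at drops between the exporter and the collector, which is the case the output-features and dscp exporter settings are meant to address.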
Where to Go Next
For information on advanced Flexible NetFlow configurations for specific purposes such as quality of service (QoS) and bandwidth monitoring, application and user flow monitoring and profiling, and security analysis, refer to the “Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors” module.
If you want to configure flow sampling to reduce the CPU overhead of analyzing traffic, refer to the “Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic” module.
If you want to configure any of the predefined records for Flexible NetFlow, refer to the “Configuring Cisco IOS Flexible NetFlow with Predefined Records” module.
Additional References
The following sections provide references related to Flexible NetFlow.
Related Documents
Related Topic | Document Title
Overview of Flexible NetFlow | “Cisco IOS Flexible NetFlow Overview”
Flexible NetFlow Feature Roadmap | “Cisco IOS Flexible NetFlow Features Roadmap”
Emulating original NetFlow with Flexible NetFlow | “Getting Started with Configuring Cisco IOS Flexible NetFlow”
Customizing Flexible NetFlow | “Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors”
Configuring flow sampling to reduce the overhead of monitoring traffic with Flexible NetFlow | “Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic”
Configuring Flexible NetFlow using predefined records | “Configuring Cisco IOS Flexible NetFlow with Predefined Records”
Using Flexible Netflow Top N Talkers to Analyze Network Traffic | “Using Cisco IOS Flexible Netflow Top N Talkers to Analyze Network Traffic”
Configuring IPv4 Multicast Statistics Support for Flexible NetFlow | “Configuring IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow”
Configuration commands for Flexible NetFlow | Cisco IOS Flexible NetFlow Command Reference
Standards
Standard | Title
There are no standards associated with this feature. | -
MIBs
MIB | MIBs Link
None. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC | Title
RFC #3954 | Cisco Systems NetFlow Services Export Version 9
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport
Feature Information for Flexible NetFlow
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or Cisco IOS Releases 12.2(1) or 12.0(3)S or a later release appear in the table.
For information on a feature in this technology that is not documented here, see the “Cisco IOS Flexible NetFlow Features Roadmap”.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS, Catalyst OS, and Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 Feature Information for Flexible NetFlow
Feature Name Releases Feature Configuration Information
Flexible NetFlow 12.4(9)T Flexible NetFlow is introduced.
Information about the Flexible NetFlow feature is included in the following sections:
• Prerequisites for Configuring Data Export for Flexible NetFlow with Flow Exporters
• Information About Data Export for Flexible NetFlow with Flow Exporters
• How to Configure Data Export for Flexible NetFlow with Flow Exporters
• Configuration Examples for Flexible NetFlow Data Export with Flow Exporters
The following commands were introduced or modified: cache (Flexible NetFlow), clear flow exporter, clear flow monitor, clear sampler, collect counter, collect flow, collect interface, collect ipv4, collect ipv4 destination, collect ipv4 fragmentation, collect ipv4 section, collect ipv4 source, collect ipv4 total-length, collect ipv4 ttl, collect routing, collect timestamp sys-uptime, collect transport, collect transport icmp ipv4, collect transport tcp, collect transport udp, debug flow exporter, debug flow monitor, debug flow record, debug sampler, description (Flexible NetFlow), destination, dscp (Flexible NetFlow), exporter, flow exporter, flow monitor, flow record, ip flow monitor, match flow, match interface (Flexible NetFlow), match ipv4, match ipv4 destination, match ipv4 fragmentation, match ipv4 section, match ipv4 source, match ipv4 total-length, match ipv4 ttl, match routing, match transport, match transport icmp ipv4, match transport tcp, match transport udp, mode (Flexible NetFlow), option (Flexible NetFlow), record, sampler, show flow exporter, show flow interface, show flow monitor, show flow record, show sampler, source (Flexible NetFlow), statistics packet, template data timeout, transport (Flexible NetFlow).
Flexible NetFlow - IPv6 Unicast Flows 12.4(20)T Enables Flexible NetFlow to monitor IPv6 traffic.
Information about the Flexible NetFlow - IPv6 Unicast Flows feature is included in the following sections:
• Configuring and Enabling Flexible NetFlow with Data Export
• Configuring Multiple Export Destinations: Example
The following commands were introduced or modified: collect routing, debug flow record, match routing, record, show flow monitor, show flow record, collect ipv6, collect ipv6 destination, collect ipv6 extension map, collect ipv6 fragmentation, collect ipv6 hop-limit, collect ipv6 length, collect ipv6 section, collect ipv6 source, collect transport icmp ipv6, ipv6 flow monitor, match ipv6, match ipv6 destination, match ipv6 extension map, match ipv6 fragmentation, match ipv6 hop-limit, match ipv6 length, match ipv6 section, match ipv6 source, match transport icmp ipv6.
Flexible NetFlow - Output Features on Data Export
12.4(20)T Enables sending export packets using quality of service (QoS) and encryption.
Information about the Flexible NetFlow - Output Features on Data Export feature is included in the following sections:
• Configuring the Flow Exporter
• Configuring Sending Export Packets Using QoS: Example
The following command was introduced: output-features.
Flexible Netflow - NetflowV5 export protocol 12.4(22)T Enables sending export packets using the Version 5 export protocol.
Information about the Flexible NetFlow - NetflowV5 export protocol feature is included in the following sections:
• Restrictions for Configuring Data Export for Flexible NetFlow with Flow Exporters
• Configuring the Flow Exporter
• Configuring Version 5 Export: Example
The following command was introduced: export-protocol.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.
Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors
First Published: June 19, 2006
Last Updated: October 10, 2008
This document contains information about and instructions for customizing Flexible NetFlow flow records and flow monitor requirements. If the tasks and configuration examples in the “Getting Started with Configuring Cisco IOS Flexible NetFlow” module and the “Configuring Cisco IOS Flexible NetFlow with Predefined Records” module were not suitable for your traffic analysis requirements, you can use the information and instructions in this document to customize Flexible NetFlow to meet your traffic analysis requirements.
NetFlow is a Cisco IOS technology that provides statistics on packets flowing through a router. NetFlow is the standard for acquiring IP operational data from IP networks. NetFlow provides network and security monitoring, network planning, traffic analysis, and IP accounting.
Flexible NetFlow improves on original NetFlow by adding the capability to customize the traffic analysis parameters for your specific requirements. Flexible NetFlow makes it easier to create more complex configurations for traffic analysis and data export through the use of reusable configuration components.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the “Feature Information for Flexible NetFlow” section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for Customizing Flexible NetFlow Flow Records and Flow Monitors
• Information About Customizing Flexible NetFlow Flow Records and Flow Monitors
• How to Customize Flexible NetFlow Flow Records and Flow Monitors
• Configuration Examples for Customizing Flexible NetFlow Flow Records and Flow Monitors
• Where to Go Next
• Additional References
• Feature Information for Flexible NetFlow
Prerequisites for Customizing Flexible NetFlow Flow Records and Flow Monitors
The following prerequisites must be met before you can configure Flexible NetFlow:
• You are familiar with the information in the “Cisco IOS Flexible NetFlow Overview” module.
• You are familiar with the Flexible NetFlow key fields as they are defined in the following commands in the Cisco IOS Flexible NetFlow Command Reference:
– match flow
– match interface
– match {ipv4 | ipv6}
– match routing
– match transport
• You are familiar with the Flexible NetFlow non-key fields as they are defined in the following commands in the Cisco IOS Flexible NetFlow Command Reference:
– collect counter
– collect flow
– collect interface
– collect {ipv4 | ipv6}
– collect routing
– collect timestamp sys-uptime
– collect transport
• The networking device must be running a Cisco IOS release that supports Flexible NetFlow. See the “Cisco IOS Flexible NetFlow Features Roadmap” module for a list of Cisco IOS software releases that support Flexible NetFlow.
IPv4 Traffic
• The networking device must be configured for IPv4 routing.
• One of the following must be enabled on your router and on any interfaces on which you want to enable Flexible NetFlow: Cisco Express Forwarding (CEF) or distributed CEF (dCEF).
IPv6 Traffic
• The networking device must be configured for IPv6 routing.
• One of the following must be enabled on your router and on any interfaces on which you want to enable Flexible NetFlow: Cisco Express Forwarding IPv6 (CEF IPv6) or distributed CEF IPv6 (dCEF IPv6).
Information About Customizing Flexible NetFlow Flow Records and Flow Monitors
Before you customize Flexible NetFlow flow records and flow monitors, you must understand the following concept:
• Identifying the Types of Traffic That You Want to Analyze
Identifying the Types of Traffic That You Want to Analyze
If the predefined Flexible NetFlow records are not suitable for your traffic requirements, you can create a user-defined (custom) record using the Flexible NetFlow collect and match commands. Before you can create a customized record, you must decide the criteria that you are going to use for the key and non-key fields.
If you want to create a customized record for detecting network attacks, you must include the appropriate key and non-key fields in the record to ensure that the router creates the flows and captures the data that you need to analyze the attack and respond to it. For example, SYN flood attacks are a common denial of service (DoS) attack in which TCP flags are used to flood open TCP requests to a destination host. When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN ACK before the connection is established. This is referred to as the "TCP three-way handshake." While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK. The TCP SYN attack exploits this design by having an attacking source host generate TCP SYN packets with random source addresses toward a victim host. The victim destination host sends a SYN ACK back to the random source address and adds an entry to the connection queue. Since the SYN ACK is destined for an incorrect or non-existent host, the last part of the "three-way handshake" is never completed and the entry remains in the connection queue until a timer expires, typically for about one minute. By generating phony TCP SYN packets from random IP addresses at a rapid rate, it is possible to fill up the connection queue and deny TCP services (such as e-mail, file transfer, or WWW) to legitimate users.
The information needed for a security monitoring record for this type of DoS attack might include the following key and non-key fields:
• Key fields:
– Destination IP address or destination IP subnet
– TCP flags
– Packet count
• Non-key fields
– Destination IP address
– Source IP address
– Interface input and output
Tip Many users configure a general Flexible NetFlow monitor that triggers a more detailed Flexible NetFlow view of a DoS attack using these key and non-key fields.
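One way a collector could apply these key and non-key fields, as an added example that is not part of this guide: it totals packets per destination address and flags destinations whose traffic in one export interval is dominated by SYN-only records. The record layout, the thresholds and the sample flows are assumptions constructed for the illustration.

```python
from collections import defaultdict

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10

# Assumed thresholds for one export interval; tune them against a baseline.
MIN_SYN_PACKETS = 1000   # absolute volume of SYN-only packets
MIN_SYN_SHARE = 0.8      # share of the destination's TCP packets that are SYN-only


def is_syn_only(tcp_flags):
    """True for an opening SYN that was never acknowledged, reset or closed."""
    return bool(tcp_flags & TCP_SYN) and not tcp_flags & (TCP_ACK | TCP_RST | TCP_FIN)


def summarize(flows):
    """Aggregate exported flow records per destination address."""
    stats = defaultdict(lambda: {"syn_only": 0, "other": 0,
                                 "sources": set(), "inputs": set()})
    for flow in flows:
        entry = stats[flow["dst"]]
        if is_syn_only(flow["tcp_flags"]):
            entry["syn_only"] += flow["packets"]
            # Non-key fields: who appears to send the SYNs and where they enter.
            entry["sources"].add(flow["src"])
            entry["inputs"].add(flow["input_if"])
        else:
            entry["other"] += flow["packets"]
    return stats


def syn_flood_suspects(flows, min_packets=MIN_SYN_PACKETS, min_share=MIN_SYN_SHARE):
    """Return destinations that exceed both thresholds, largest first."""
    suspects = []
    for dst, entry in summarize(flows).items():
        total = entry["syn_only"] + entry["other"]
        share = entry["syn_only"] / total if total else 0.0
        if entry["syn_only"] >= min_packets and share >= min_share:
            suspects.append({"dst": dst,
                             "syn_packets": entry["syn_only"],
                             "syn_share": share,
                             "distinct_sources": len(entry["sources"]),
                             "input_interfaces": sorted(entry["inputs"])})
    return sorted(suspects, key=lambda s: s["syn_packets"], reverse=True)


def sample_flows():
    """Constructed flow records for the demo (not captured traffic)."""
    def record(dst, src, flags, packets):
        return {"dst": dst, "src": src, "tcp_flags": flags,
                "packets": packets, "input_if": "Ethernet0/0"}

    # Destination flooded with SYNs from many apparent sources.
    flows = [record("198.51.100.20", f"203.0.113.{i}", TCP_SYN, 50)
             for i in range(1, 41)]
    flows.append(record("198.51.100.20", "192.0.2.7", TCP_ACK, 100))
    # Busy but healthy server: many SYNs, far more established traffic.
    flows.append(record("198.51.100.30", "192.0.2.8", TCP_SYN, 1500))
    flows.append(record("198.51.100.30", "192.0.2.8", TCP_ACK | 0x08, 30000))
    # Only SYNs, but too few packets to matter.
    flows.append(record("198.51.100.40", "192.0.2.9", TCP_SYN, 20))
    return flows


if __name__ == "__main__":
    for suspect in syn_flood_suspects(sample_flows()):
        print(suspect)
```

Requiring both a volume and a share threshold keeps a busy server and a quiet host with a handful of unanswered SYNs out of the result.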
How to Customize Flexible NetFlow Flow Records and Flow Monitors
The tasks in this section explain how to do the following:
• Customize a Flexible NetFlow flow record.
• Customize a Flexible NetFlow flow monitor.
• Enable Flexible NetFlow.
Note Only the keywords and arguments required for the Flexible NetFlow commands used in these tasks are explained in these tasks. For information about the other keywords and arguments available for these Flexible NetFlow commands, refer to the Cisco IOS Flexible NetFlow Command Reference.
To customize Flexible NetFlow flow records and flow monitors, and to enable Flexible NetFlow, perform the following tasks:
• Configuring a Customized Flow Record
• Verifying the Flow Record (optional)
• Customizing a Flow Monitor
• Verifying the Flow Monitor (optional)
• Applying a Flow Monitor to an Interface
• Verifying That Flexible NetFlow Is Enabled (optional)
• Viewing the Flow Monitor Cache (optional)
Configuring a Customized Flow Record
Customized flow records are used to analyze traffic data for a specific purpose. A customized flow record must have at least one match criterion for use as the key field and typically has at least one collect criterion for use as a non-key field.
There are hundreds of possible permutations of customized flow records. This task explains the steps that are used to create one of the possible permutations. Modify the steps in these tasks as appropriate to create a customized flow record for your requirements.
To configure a customized flow record, perform either of the following tasks:
• Configuring a Customized Flow Record for IPv4 Traffic
• Configuring a Customized Flow Record for IPv6 Traffic
Configuring a Customized Flow Record for IPv4 Traffic
SUMMARY STEPS
1. enable
2. configure terminal
3. flow record flow-record-name
4. description string
5. match ipv4 {destination | source} address
6. Repeat Step 5 as required to configure additional key fields for the record.
7. collect ipv4 source {address | mask [minimum-mask mask] | prefix [minimum-mask mask]}
8. Repeat Step 7 as required to configure additional non-key fields for the record
9. end
DETAILED STEPS
Command or Action Purpose
Step 1 enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3 flow record flow-record-name
Example: Router(config)# flow record FLOW-RECORD-1
Creates a flow record and enters flow record configuration mode.
• This command also allows you to modify an existing flow record. For example, to modify the configuration of a flow record named “record-name”, use the flow record record-name command and argument in global configuration mode.
Step 4 description string
Example: Router(config-flow-record)# description Used for basic traffic analysis
(Optional) Creates a description for the flow record.
Step 5 match ipv4 {destination | source} address
Example: Router(config-flow-record)# match ipv4 destination address
Configures a key field for the flow record.
Note This example configures the IPv4 destination address as a key field for the record. For information about the other key fields available for the match ipv4 command, and the other match commands that are available to configure key fields, refer to the Cisco IOS Flexible NetFlow Command Reference.
Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors How to Customize Flexible NetFlow Flow Records and Flow Monitors
6
Configuring a Customized Flow Record for IPv6 Traffic
SUMMARY STEPS
1. enable
2. configure terminal
3. flow record flow-record-name
4. description string
5. match ipv6 {destination | source} address
6. Repeat Step 5 as required to configure additional key fields for the record.
7. collect ipv6 source {address | mask [minimum-mask mask] | prefix [minimum-mask mask]}
8. Repeat Step 7 as required to configure additional non-key fields for the record
9. end
DETAILED STEPS
Step 6 Repeat Step 5 as required to configure additional key fields for the record.
—
Step 7 collect ipv4 source {address | mask [minimum-mask mask] | prefix [minimum-mask mask]}
Example:Router(config-flow-record)# collect ipv4 source address
Configures one or more of the IPv4 source fields in the flow as a non-key field for the record.
Note This example configures the IPv4 source address as a non-key field for the record. For information on the other collect commands that are available to configure non-key fields, refer to the Cisco IOS Flexible NetFlow Command Reference.
Step 8 Repeat Step 7 as required to configure additional non-key fields for the record.
—
Step 9 end
Example:Router(config-flow-record)# end
Exits flow record configuration mode and returns to privileged EXEC mode.
Command or Action Purpose
Command or Action Purpose
Step 1 enable
Example:Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors How to Customize Flexible NetFlow Flow Records and Flow Monitors
7
Verifying the Flow RecordTo view the current status of a flow record and verify the configuration commands that you entered, perform the following optional task.
SUMMARY STEPS
1. enable
2. show flow record
3. show running-config flow record
Step 3 flow record flow-record-name
Example:Router(config)# flow record FLOW-RECORD-2
Creates a flow record and enters flow record configuration mode.
• This command also allows you to modify an existing flow record. For example, to modify the configuration of a flow record named “record-name” use the flow record record-name command and argument in global configuration mode.
Step 4 description string
Example:Router(config-flow-record)# description Used for basic IPv6 traffic analysis
(Optional) Creates a description for the flow record.
Step 5 match ipv6 {destination | source} address
Example:Router(config-flow-record)# match ipv6 destination address
Configures a key field for the flow record.
Note This example configures the IPv6 destination address as a key field for the record. For information about the other key fields available for the match ipv6 command, and the other match commands that are available to configure key fields, refer to the Cisco IOS Flexible NetFlow Command Reference.
Step 6 Repeat Step 5 as required to configure additional key fields for the record.
—
Step 7 collect ipv6 source {address | mask [minimum-mask mask] | prefix [minimum-mask mask]}
Example:Router(config-flow-record)# collect ipv6 source address
Configures the number of packets in the flow as a non-key field for the record.
Note This example configures the IPv6 source address as a non-key field for the record. For information about the other collect commands that are available to configure non-key fields, refer to the Cisco IOS Flexible NetFlow Command Reference.
Step 8 Repeat Step 7 as required to configure additional non-key fields for the record.
—
Step 9 end
Example:Router(config-flow-record)# end
Exits flow record configuration mode and returns to privileged EXEC mode.
Command or Action Purpose
Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors How to Customize Flexible NetFlow Flow Records and Flow Monitors
8
DETAILED STEPS
Step 1 enable
The enable command enters privileged EXEC mode (enter the password if prompted).
Router> enable
Router#
Step 2 show flow record
The show flow record command shows the current status of the flow monitor that you specify.
Router# show flow record
flow record FLOW-RECORD-2: Description: Used for basic IPv6 traffic analysis No. of users: 1 Total field space: 53 bytes Fields: match ipv6 destination address collect ipv6 protocol collect ipv6 source address collect transport source-port collect transport destination-port collect counter bytes collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime last
flow record FLOW-RECORD-1: Description: Used for basic IPv4 traffic analysis No. of users: 1 Total field space: 29 bytes Fields: match ipv4 destination address collect ipv4 protocol collect ipv4 source address collect transport source-port collect transport destination-port collect counter bytes collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime last
Step 3 show running-config flow record
The show running-config flow record command shows the configuration commands of the flow monitor that you specify.
Router# show running-config flow record
Current configuration:!flow record FLOW-RECORD-2 description Used for basic IPv6 traffic analysis match ipv6 destination address collect ipv6 protocol collect ipv6 source address collect transport source-port collect transport destination-port collect counter bytes collect counter packets
Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors How to Customize Flexible NetFlow Flow Records and Flow Monitors
9
collect timestamp sys-uptime first collect timestamp sys-uptime last!!flow record FLOW-RECORD-1 description Used for basic IPv4 traffic analysis match ipv4 destination address collect ipv4 protocol collect ipv4 source address collect transport source-port collect transport destination-port collect counter bytes collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime last!
Customizing a Flow Monitor
To create a customized flow monitor, perform the following required task.
Flow Monitor
Each flow monitor has a separate cache assigned to it. Each flow monitor requires a record to define the contents and layout of its cache entries. These record formats can be one of the predefined formats, or an advanced user can create a customized format using the flow record command. This task uses the record that you created in the “Configuring a Customized Flow Record” section on page 4.
Prerequisites
If you want to use a customized record instead of using one of the Flexible NetFlow predefined records, you must create the customized record before you can perform this task. Refer to the “Configuring a Customized Flow Record” section on page 4 for information about and instructions for creating a customized flow record.
If you want to add a flow exporter to the flow monitor for data export, you must create the exporter before you can complete this task. Refer to the “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters” module for information about and instructions for creating a flow exporter.
Restrictions
You must use the no ip flow monitor command to remove a flow monitor from all of the interfaces to which you have applied it before you can modify the parameters for the record command on the flow monitor. For information about the ip flow monitor command, refer to the Cisco IOS Flexible NetFlow Command Reference.
SUMMARY STEPS
1. enable
2. configure terminal
3. flow monitor monitor-name
4. description string
5. record {record-name | netflow-original | netflow {ipv4 | ipv6} record [peer]}
6. cache {entries entries | timeout {active active | inactive inactive | update update} | type {immediate | normal | permanent}}
7. Repeat Step 6 as required to finish modifying the cache parameters for this flow monitor.
8. statistics packet protocol
9. statistics packet size
10. exporter exporter-name
11. end
DETAILED STEPS
Command or Action Purpose
Step 1 enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3 flow monitor monitor-name
Example: Router(config)# flow monitor FLOW-MONITOR-1
Creates a flow monitor and enters Flexible NetFlow flow monitor configuration mode.
• This command also allows you to modify an existing flow monitor. For example, to modify the configuration of a flow monitor named “monitor-name”, use the flow monitor monitor-name command and argument in global configuration mode.
Step 4 description string
Example: Router(config-flow-monitor)# description Used for basic ipv4 traffic analysis
(Optional) Creates a description for the flow monitor.
Step 5 record {record-name | netflow-original | netflow {ipv4 | ipv6} record [peer]}
Example: Router(config-flow-monitor)# record FLOW-RECORD-1
Specifies the record for the flow monitor.
Step 6 cache {entries entries | timeout {active active | inactive inactive | update update} | type {immediate | normal | permanent}}
Example: Router(config-flow-monitor)# cache entries 1000
(Optional) Modifies the flow monitor cache parameters such as timeout values, number of cache entries, and the cache type.
• The timeout keywords do not have any effect when the cache type is set to immediate.
Step 7 Repeat Step 6 as required to finish modifying the cache parameters for this flow monitor.
Step 8 statistics packet protocol
Example: Router(config-flow-monitor)# statistics packet protocol
(Optional) Enables the collection of protocol distribution statistics for Flexible NetFlow monitors.
Step 9 statistics packet size
Example: Router(config-flow-monitor)# statistics packet size
(Optional) Enables the collection of size distribution statistics for Flexible NetFlow monitors.
Step 10 exporter exporter-name
Example: Router(config-flow-monitor)# exporter EXPORTER-1
(Optional) Specifies the name of an exporter that was created previously.
• Refer to the “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters” module for information about and instructions for configuring flow exporters.
Step 11 end
Example: Router(config-flow-monitor)# end
Exits flow monitor configuration mode and returns to privileged EXEC mode.
Verifying the Flow Monitor
To view the current status of a flow monitor and verify the configuration commands that you entered, perform the following optional task.
SUMMARY STEPS
1. enable
2. show flow monitor
3. show running-config flow monitor monitor-name
DETAILED STEPS
Step 1 enable
The enable command enters privileged EXEC mode (enter the password if prompted).
Router> enable
Router#
Step 2 show flow monitor monitor-name
The show flow monitor command shows the current status of the flow monitor that you specify.
Router# show flow monitor FLOW-MONITOR-1
Flow Monitor FLOW-MONITOR-1:
  Description:       Used for basic ipv4 traffic analysis
  Flow Record:       FLOW-RECORD-1
  Flow Exporter:     EXPORTER-1
  Cache:
    Type:              normal
    Status:            allocated
    Size:              1000 entries / 50052 bytes
    Inactive Timeout:  15 secs
    Active Timeout:    1800 secs
    Update Timeout:    1800 secs
  Stats:
    protocol distribution
    size distribution
Step 3 show running-config flow monitor
The show running-config flow monitor command shows the configuration commands of the flow monitor that you specify.
Router# show running-config flow monitor FLOW-MONITOR-1
Current configuration:
!
flow monitor FLOW-MONITOR-1
 description Used for basic ipv4 traffic analysis
 record FLOW-RECORD-1
 exporter EXPORTER-1
 cache entries 1000
 statistics packet protocol
 statistics packet size
!
Applying a Flow Monitor to an Interface
Before it can be activated, a flow monitor must be applied to at least one interface. To activate a flow monitor, perform the following required task.
Restrictions
When you specify the “NetFlow original” or the “NetFlow IPv4 original input” or the “NetFlow IPv6 original input” predefined record for the flow monitor to emulate original NetFlow, the Flexible NetFlow flow monitor can be used only for analyzing input (ingress) traffic.
When you specify the “NetFlow IPv4 original output” or the “NetFlow IPv6 original output” predefined record for the flow monitor to emulate the Egress NetFlow Accounting feature, the Flexible NetFlow flow monitor can be used only for analyzing output (egress) traffic.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. {ip | ipv6} flow monitor monitor-name {input | output}
5. Repeat Steps 3 and 4 to activate a flow monitor on any other interfaces in the router over which you want to monitor traffic.
6. end
DETAILED STEPS
Command or Action Purpose
Step 1 enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3 interface type number
Example: Router(config)# interface ethernet 0/0
Specifies an interface and enters interface configuration mode.
Step 4 {ip | ipv6} flow monitor monitor-name {input | output}
Example: Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
Activates a flow monitor that was created previously by assigning it to the interface to analyze traffic.
Step 5 Repeat Steps 3 and 4 to activate a flow monitor on any other interfaces in the router over which you want to monitor traffic.
Step 6 end
Example: Router(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode.
Verifying That Flexible NetFlow Is Enabled
To verify that Flexible NetFlow is enabled on an interface, perform the following optional task.
SUMMARY STEPS
1. enable
2. show flow interface
DETAILED STEPS
Step 1 enable
The enable command enters privileged EXEC mode (enter the password if prompted).
Router> enable
Router#
Step 2 show flow interface
The show flow interface command verifies that Flexible NetFlow is enabled on an interface.
Router# show flow interface ethernet 0/0
Interface Ethernet0/0
  FNF:  monitor:         FLOW-MONITOR-1
        direction:       Input
        traffic(ip):     on
  FNF:  monitor:         FLOW-MONITOR-2
        direction:       Input
        traffic(ipv6):   on
Router# show flow interface ethernet 1/0
Interface Ethernet1/0
  FNF:  monitor:         FLOW-MONITOR-1
        direction:       Output
        traffic(ip):     on
  FNF:  monitor:         FLOW-MONITOR-2
        direction:       Output
        traffic(ipv6):   on
Viewing the Flow Monitor Cache
To view the data in the flow monitor cache, perform the following optional task.
Prerequisites
The interface on which you applied the input flow monitor must be receiving traffic that meets the criteria defined by the NetFlow original record before you can view the flows in the flow monitor cache.
SUMMARY STEPS
1. enable
2. show flow monitor name monitor-name cache format record
DETAILED STEPS
Step 1 enable
The enable command enters privileged EXEC mode (enter the password if prompted).
Router> enable
Router#
Step 2 show flow monitor name monitor-name cache format record
The show flow monitor name monitor-name cache format record command string displays the status, statistics, and flow data in the cache for a flow monitor.
Router# show flow monitor name FLOW-MONITOR-1 cache format record
  Cache type:                            Normal
  Cache size:                              1000
  Current entries:                            4
  High Watermark:                             4

  Flows added:                              101
  Flows aged:                                97
    - Active timeout   (  1800 secs)          3
    - Inactive timeout (    15 secs)         94
    - Event aged                              0
    - Watermark aged                          0
    - Emergency aged                          0

IPV4 DESTINATION ADDRESS:  172.16.10.5
ipv4 source address:       10.10.11.1
trns source port:          25
trns destination port:     25
counter bytes:             72840
counter packets:           1821
timestamp first:           21237828
timestamp last:            22086520
ip protocol:               6

IPV4 DESTINATION ADDRESS:  172.16.10.2
ipv4 source address:       10.10.10.2
trns source port:          20
trns destination port:     20
counter bytes:             3913860
counter packets:           7326
timestamp first:           21238788
timestamp last:            22088080
ip protocol:               6

IPV4 DESTINATION ADDRESS:  172.16.10.200
ipv4 source address:       192.168.67.6
trns source port:          0
trns destination port:     3073
counter bytes:             51072
counter packets:           1824
timestamp first:           21239228
timestamp last:            22087980
ip protocol:               1

Router# show flow monitor name FLOW-MONITOR-2 cache format record
  Cache type:                            Normal
  Cache size:                              1000
  Current entries:                            2
  High Watermark:                             3

  Flows added:                               95
  Flows aged:                                93
    - Active timeout   (  1800 secs)          0
    - Inactive timeout (    15 secs)         93
    - Event aged                              0
    - Watermark aged                          0
    - Emergency aged                          0

IPV6 DESTINATION ADDRESS:  2001:DB8:4:ABCD::2
ipv6 source address:       2001:DB8:1:ABCD::1
trns source port:          33572
trns destination port:     23
counter bytes:             19140
counter packets:           349
timestamp first:           2172704
timestamp last:            2198272
ip protocol:               6

IPV6 DESTINATION ADDRESS:  FF02::9
ipv6 source address:       FE80::A8AA:BBFF:FEBB:CC03
trns source port:          521
trns destination port:     521
counter bytes:             92
counter packets:           1
timestamp first:           2195672
timestamp last:            2195672
ip protocol:               17
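A parser for the cache display above, as an added Python example (not part of the Cisco guide). It reads the one-field-per-line layout of show flow monitor name monitor-name cache format record, treats capitalized field names as key fields as the sample output does, and derives flow duration plus a watch-list match. The sample text reuses the guide's FLOW-MONITOR-2 values with column spacing reconstructed; the watch list and the millisecond unit for the sys-uptime timestamps are assumptions.

```python
import re

# The guide's FLOW-MONITOR-2 sample values, laid out one field per line
# (column spacing reconstructed for this example).
SAMPLE = """\
Cache type:                            Normal
Cache size:                              1000
Current entries:                            2
High Watermark:                             3

Flows added:                               95
Flows aged:                                93
  - Active timeout   (  1800 secs)          0
  - Inactive timeout (    15 secs)         93
  - Event aged                              0
  - Watermark aged                          0
  - Emergency aged                          0

IPV6 DESTINATION ADDRESS:  2001:DB8:4:ABCD::2
ipv6 source address:       2001:DB8:1:ABCD::1
trns source port:          33572
trns destination port:     23
counter bytes:             19140
counter packets:           349
timestamp first:           2172704
timestamp last:            2198272
ip protocol:               6

IPV6 DESTINATION ADDRESS:  FF02::9
ipv6 source address:       FE80::A8AA:BBFF:FEBB:CC03
trns source port:          521
trns destination port:     521
counter bytes:             92
counter packets:           1
timestamp first:           2195672
timestamp last:            2195672
ip protocol:               17
"""

# Split on the FIRST colon only, so IPv6 addresses stay intact in the value.
FIELD = re.compile(r"^\s*([^:]+?):\s+(\S.*?)\s*$")
WATCHED_TCP_PORTS = {21: "ftp", 23: "telnet"}  # hypothetical watch list


def parse_cache(text):
    """Return (header, flows) parsed from the cache display."""
    header, flows = {}, []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = [m.groups() for m in map(FIELD.match, block.splitlines()) if m]
        if not fields:
            continue
        if fields[0][0].isupper():      # key fields are printed in capitals
            flow = {"keys": []}
            for name, value in fields:
                if name.isupper():
                    flow["keys"].append(name.lower())
                flow[name.lower()] = int(value) if value.isdigit() else value
            flows.append(flow)
        else:                           # cache status and aging statistics
            header.update(fields)
    return header, flows


def flow_summary(flow):
    """Duration and byte rate (timestamps assumed to be milliseconds)."""
    secs = (flow["timestamp last"] - flow["timestamp first"]) / 1000
    rate = flow["counter bytes"] / secs if secs else None  # single-packet flow
    return {"seconds": secs, "bytes_per_sec": rate}


def watched_flows(flows, ports=WATCHED_TCP_PORTS):
    """TCP flows whose destination port is on the watch list."""
    hits = []
    for f in flows:
        port = f.get("trns destination port")
        if f.get("ip protocol") == 6 and port in ports:
            src = f.get("ipv6 source address") or f.get("ipv4 source address")
            hits.append((src, port, ports[port]))
    return hits


if __name__ == "__main__":
    header, flows = parse_cache(SAMPLE)
    print(header["Current entries"], "entries;", watched_flows(flows))
```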
Configuration Examples for Customizing Flexible NetFlow Flow Records and Flow Monitors
This section contains the following configuration examples:
• Configuring a Permanent Flow Record Cache with a Limited Number of Possible Flows: Example, page 16
• Configuring a Customized Flow Record Cache for Monitoring IPv6 Traffic: Example, page 17
• Configuring Flexible NetFlow for Monitoring MAC and VLAN Statistics: Example, page 18
Configuring a Permanent Flow Record Cache with a Limited Number of Possible Flows: Example
The following example is designed to monitor the type of service (ToS) field usage on all interfaces in the router. An exporter is not configured because this example is intended to be used to capture additional data for analysis on the router using the show flow monitor command.
This sample starts in global configuration mode:
!
ip cef
!
flow record QOS_RECORD
 description UD: Flow Record to monitor the use of TOS within this router/network
 match interface input
 match interface output
 match ipv4 tos
 collect counter packets
 collect counter bytes
 exit
!
flow monitor QOS_MONITOR
 description UD: Flow Monitor which watches the limited combinations of interface and TOS
 record QOS_RECORD
 cache type permanent
 cache entries 8192 ! 2^5 (combos of interfaces) * 256 (values of TOS)
 exit
!
interface ethernet0/0
 ip flow monitor QOS_MONITOR input
 exit
!
interface ethernet0/1
 ip flow monitor QOS_MONITOR input
 exit
!
interface ethernet0/2
 ip flow monitor QOS_MONITOR input
 exit
!
interface serial2/0
 ip flow monitor QOS_MONITOR input
 exit
!
interface serial2/1
 ip flow monitor QOS_MONITOR input
!
The display from the show flow monitor command shows the current status of the cache.
Router# show flow monitor QOS_MONITOR cache
  Cache type:                         Permanent
  Cache size:                              8192
  Current entries:                            2
  High Watermark:                             2
  Flows added:                                2
  Updates sent       (  1800 secs)            0
Configuring a Customized Flow Record Cache for Monitoring IPv6 Traffic: Example
The following example creates a customized flow record for monitoring common IPv6 traffic characteristics.
This sample starts in global configuration mode:
!
ip cef
ipv6 cef
!
flow record FLOW-RECORD-2
 description Used for basic IPv6 traffic analysis
 match ipv6 destination address
 collect ipv6 protocol
 collect ipv6 source address
 collect transport source-port
 collect transport destination-port
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow monitor FLOW-MONITOR-2
 description Used for basic IPv6 traffic analysis
 record FLOW-RECORD-2
 cache entries 1000
 statistics packet protocol
 statistics packet size
!
interface Ethernet0/0
 ipv6 address 2001:DB8:2:ABCD::2/48
 ipv6 flow monitor FLOW-MONITOR-2 input
!
interface Ethernet1/0
 ipv6 address 2001:DB8:3:ABCD::1/48
 ipv6 flow monitor FLOW-MONITOR-2 output
!
Configuring Flexible NetFlow for Monitoring MAC and VLAN Statistics: Example
The following example shows how to configure Flexible NetFlow for monitoring MAC and VLAN statistics.
This sample starts in global configuration mode:
!
flow record LAYER-2-FIELDS-1
 match ipv4 source address
 match ipv4 destination address
 collect datalink dot1q vlan output
 collect datalink mac source address input
 collect datalink mac source address output
 collect datalink mac destination address input
 collect flow direction
 collect counter bytes
 collect counter packets
!
 exit
!
!
flow monitor FLOW-MONITOR-4
 record LAYER-2-FIELDS-1
 exit
!
ip cef
!
interface Ethernet0/0
 ip address 172.16.6.2 255.255.255.0
 ip flow monitor FLOW-MONITOR-4 input
!
Where to Go Next
If you want to configure data export for Flexible NetFlow, refer to the “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters” module.
If you want to configure flow sampling to reduce the CPU overhead of analyzing traffic, refer to the “Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic” module.
If you want to configure any of the predefined records for Flexible NetFlow, refer to the “Configuring Cisco IOS Flexible NetFlow with Predefined Records” module.
Additional References
The following sections provide references related to Flexible NetFlow.
Related Documents
Related Topic: Document Title
• Overview of Flexible NetFlow: “Cisco IOS Flexible NetFlow Overview”
• Flexible NetFlow Feature Roadmap: “Cisco IOS Flexible NetFlow Features Roadmap”
• Emulating original NetFlow with Flexible NetFlow: “Getting Started with Configuring Cisco IOS Flexible NetFlow”
• Configuring flow exporters to export Flexible NetFlow data: “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters”
• Configuring flow sampling to reduce the overhead of monitoring traffic with Flexible NetFlow: “Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic”
• Configuring Flexible NetFlow using predefined records: “Configuring Cisco IOS Flexible NetFlow with Predefined Records”
• Using Flexible NetFlow Top N Talkers to Analyze Network Traffic: “Using Cisco IOS Flexible NetFlow Top N Talkers to Analyze Network Traffic”
• Configuring IPv4 Multicast Statistics Support for Flexible NetFlow: “Configuring IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow”
• Configuration commands for Flexible NetFlow: Cisco IOS Flexible NetFlow Command Reference
Standards
• There are no standards associated with this feature.
MIBs
• MIB: None
• MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
• RFC 3954: Cisco Systems NetFlow Services Export Version 9
Technical Assistance
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/techsupport
Feature Information for Flexible NetFlow
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or Cisco IOS Releases 12.2(1) or 12.0(3)S or a later release appear in the table.
For information on a feature in this technology that is not documented here, see the “Cisco IOS Flexible NetFlow Features Roadmap”.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS, Catalyst OS, and Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 Feature Information for Flexible NetFlow
Feature Name: Flexible NetFlow
Releases: 12.4(9)T
Feature Configuration Information: Flexible NetFlow is introduced.
Information about the Flexible NetFlow feature is included in the following sections:
• Prerequisites for Customizing Flexible NetFlow Flow Records and Flow Monitors, page 2
• Information About Customizing Flexible NetFlow Flow Records and Flow Monitors, page 3
• How to Customize Flexible NetFlow Flow Records and Flow Monitors, page 4
• Configuration Examples for Customizing Flexible NetFlow Flow Records and Flow Monitors, page 16
The following commands were introduced or modified: cache (Flexible NetFlow), clear flow exporter, clear flow monitor, clear sampler, collect counter, collect flow, collect interface, collect ipv4, collect ipv4 destination, collect ipv4 fragmentation, collect ipv4 section, collect ipv4 source, collect ipv4 total-length, collect ipv4 ttl, collect routing, collect timestamp sys-uptime, collect transport, collect transport icmp ipv4, collect transport tcp, collect transport udp, debug flow exporter, debug flow monitor, debug flow record, debug sampler, description (Flexible NetFlow), destination, dscp (Flexible NetFlow), exporter, flow exporter, flow monitor, flow record, ip flow monitor, match flow, match interface (Flexible NetFlow), match ipv4, match ipv4 destination, match ipv4 fragmentation, match ipv4 section, match ipv4 source, match ipv4 total-length, match ipv4 ttl, match routing, match transport, match transport icmp ipv4, match transport tcp, match transport udp, mode (Flexible NetFlow), option (Flexible NetFlow), record, sampler, show flow exporter, show flow interface, show flow monitor, show flow record, show sampler, source (Flexible NetFlow), statistics packet, template data timeout, transport (Flexible NetFlow).
Feature Name: Flexible NetFlow - Layer 2 Fields
Releases: 12.4(22)T
Feature Configuration Information: Enables collecting statistics for Layer 2 fields such as MAC addresses and virtual LAN (VLAN) IDs from traffic.
Information about the Flexible NetFlow - Layer 2 Fields feature is included in the following sections:
• Configuring Flexible NetFlow for Monitoring MAC and VLAN Statistics: Example, page 18
The following commands were introduced or modified: collect datalink dot1q vlan, collect datalink mac, match datalink dot1q vlan, match datalink mac.
Feature Name: Flexible NetFlow - IPv6 Unicast Flows
Releases: 12.4(20)T
Feature Configuration Information: Enables Flexible NetFlow to monitor IPv6 traffic.
Information about the Flexible NetFlow - IPv6 Unicast Flows feature is included in the following sections:
• Configuring a Customized Flow Record for IPv6 Traffic, page 6
• Applying a Flow Monitor to an Interface, page 12
• Configuring a Customized Flow Record Cache for Monitoring IPv6 Traffic: Example, page 17
The following commands were introduced or modified: collect routing, debug flow record, match routing, record, show flow monitor, show flow record, collect ipv6, collect ipv6 destination, collect ipv6 extension map, collect ipv6 fragmentation, collect ipv6 hop-limit, collect ipv6 length, collect ipv6 section, collect ipv6 source, collect transport icmp ipv6, ipv6 flow monitor, match ipv6, match ipv6 destination, match ipv6 extension map, match ipv6 fragmentation, match ipv6 hop-limit, match ipv6 length, match ipv6 section, match ipv6 source, match transport icmp ipv6.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.
Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic
First Published: June 19, 2006
Last Updated: October 10, 2008
This document contains information about and instructions for configuring sampling to reduce the CPU overhead of analyzing traffic with Flexible NetFlow.
NetFlow is a Cisco IOS technology that provides statistics on packets flowing through a router. NetFlow is the standard for acquiring IP operational data from IP networks. NetFlow provides network and security monitoring, network planning, traffic analysis, and IP accounting.
Flexible NetFlow improves on original NetFlow by adding the capability to customize the traffic analysis parameters for your specific requirements. Flexible NetFlow makes it easier to create more complex configurations for traffic analysis and data export through the use of reusable configuration components.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the “Feature Information for Flexible NetFlow” section on page 12.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for Using Flow Sampling
• Information About Flexible NetFlow Samplers
• How to Configure Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic with Flexible NetFlow
• Configuration Examples for Using Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic with Flexible NetFlow
• Where to Go Next
• Additional References
• Feature Information for Flexible NetFlow
Prerequisites for Using Flow Sampling
The following prerequisites must be met before you can configure Flexible NetFlow:
• You are familiar with the information in the “Cisco IOS Flexible NetFlow Overview” module.
• The networking device must be running a Cisco IOS release that supports Flexible NetFlow. See the “Cisco IOS Flexible NetFlow Features Roadmap” module for a list of Cisco IOS software releases that support Flexible NetFlow.
IPv4 Traffic
• The networking device must be configured for IPv4 routing.
• One of the following must be enabled on your router and on any interfaces on which you want to enable Flexible NetFlow: Cisco Express Forwarding (CEF) or distributed CEF (dCEF).
IPv6 Traffic
• The networking device must be configured for IPv6 routing.
• One of the following must be enabled on your router and on any interfaces on which you want to enable Flexible NetFlow: Cisco Express Forwarding IPv6 (CEF IPv6) or distributed CEF IPv6 (dCEF IPv6).
Information About Flexible NetFlow Samplers
Before you configure a Flexible NetFlow sampler, you need to understand the following:
• Samplers, page 3
Samplers
Flow samplers are created as separate components in a router’s configuration. Flow samplers are used to reduce the load on the device that is running Flexible Netflow by limiting the number of packets that are selected for analysis. Samplers use either random or deterministic sampling techniques (modes).
• Deterministic—The same sampling position is used each time a sample is taken.
• Random—A randomly selected sampling position is used each time a sample is taken.
Flow sampling exchanges monitoring accuracy for router performance. When you apply a sampler to a flow monitor, the overhead load on the router of running the flow monitor is reduced because the number of packets that the flow monitor must analyze is reduced. The reduction in the number of packets that are analyzed by the flow monitor causes a corresponding reduction in the accuracy of the information stored in the flow monitor’s cache.
Samplers are combined with flow monitors when they are applied to an interface with the ip flow monitor command.
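The choice of mode matters for security monitoring: traffic that arrives in step with the sampling window can be missed entirely or overcounted by a deterministic sampler. The following Python model is an added example, not Cisco code; it assumes the sampler takes one packet per window of N packets, and the packet stream and function names are constructed for illustration.

```python
import random

def sample_positions(n_packets, window, mode, position=0, rng=None):
    """Indexes of the packets a 1 out-of `window` sampler selects.

    Model (assumption, not IOS internals): packets are grouped into
    consecutive windows of `window` packets and one is taken per window.
    """
    if not 2 <= window <= 32768:          # window-size range given in this guide
        raise ValueError("window-size must be 2..32768")
    if mode not in ("deterministic", "random"):
        raise ValueError("mode must be deterministic or random")
    rng = rng or random.Random(0)         # fixed seed so runs are repeatable
    picked = []
    for start in range(0, n_packets, window):
        # deterministic: same position in every window; random: new draw per window
        offset = position if mode == "deterministic" else rng.randrange(window)
        if start + offset < n_packets:
            picked.append(start + offset)
    return picked

def estimate_flows(stream, window, mode, position=0, rng=None):
    """Scale sampled per-flow packet counts by `window` to estimate true totals."""
    counts = {}
    for i in sample_positions(len(stream), window, mode, position, rng):
        counts[stream[i]] = counts.get(stream[i], 0) + 1
    return {flow: n * window for flow, n in counts.items()}

def miss_probability(flow_packets, window):
    """Chance that random sampling selects none of a flow's packets,
    assuming each of its packets falls in a different window."""
    return (1 - 1 / window) ** flow_packets

def periodic_stream(n_packets=4000, period=4, phase=1):
    """Constructed traffic: every `period`-th packet belongs to flow 'periodic'."""
    return ["periodic" if i % period == phase else "bulk" for i in range(n_packets)]

if __name__ == "__main__":
    stream = periodic_stream()
    print("true counts      :", {"periodic": stream.count("periodic"),
                                 "bulk": stream.count("bulk")})
    # Same window as the traffic period: the result depends only on the position.
    print("deterministic @0 :", estimate_flows(stream, 4, "deterministic", position=0))
    print("deterministic @1 :", estimate_flows(stream, 4, "deterministic", position=1))
    print("random           :", estimate_flows(stream, 4, "random"))
    print("P(3-packet flow unseen at 1 out-of 2):", miss_probability(3, 2))
```

With the window equal to the traffic period, the deterministic estimates are either zero or four times the true count for the periodic flow, while the random estimate stays close to the true value.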
How to Configure Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic with Flexible NetFlow
Flow sampling reduces the CPU overhead of analyzing traffic with Flexible NetFlow by reducing the number of packets that are analyzed.
Note Only the keywords and arguments required for the Flexible NetFlow commands used in these tasks are explained in these tasks. For information about the other keywords and arguments available for these Flexible NetFlow commands, refer to the Cisco IOS Flexible NetFlow Command Reference.
To configure flow sampling to reduce the CPU overhead of analyzing traffic with Flexible NetFlow, perform the following tasks:
• Configuring a Flow Monitor, page 3
• Configuring and Enabling Flow Sampling, page 5
• Verifying the Flow Sampler Configuration, page 7 (optional)
Configuring a Flow Monitor
Samplers are applied to an interface in conjunction with a flow monitor. You must create a flow monitor to configure the types of traffic that you want to analyze before you can enable sampling. To create a flow monitor, perform the following required task.
Flow Monitor
Each flow monitor has a separate cache assigned to it. Each flow monitor requires a record to define the contents and layout of its cache entries. The record format can be one of the predefined record formats, or an advanced user may create his or her own record format using the collect and match commands in flow record configuration mode.
Restrictions
You must use the no ip flow monitor command to remove a flow monitor from all of the interfaces to which you have applied it before you can modify the parameters for the record command on the flow monitor.
SUMMARY STEPS
1. enable
2. configure terminal
3. flow monitor monitor-name
4. description string
5. record {record-name | netflow-original | netflow {ipv4 | ipv6} record [peer]}
6. end
DETAILED STEPS
Command or Action Purpose
Step 1 enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3 flow monitor monitor-name
Example: Router(config)# flow monitor FLOW-MONITOR-1
Creates a flow monitor and enters Flexible NetFlow flow monitor configuration mode.
• This command also allows you to modify an existing flow monitor. For example, to modify the configuration of a flow monitor named “monitor-name”, use the flow monitor monitor-name command in global configuration mode.
Step 4 description string
Example: Router(config-flow-monitor)# description Used for basic traffic analysis
(Optional) Creates a description for the flow monitor.
Step 5 record {record-name | netflow-original | netflow {ipv4 | ipv6} record [peer]}
Example: Router(config-flow-monitor)# record netflow ipv4 original-input
Specifies the record for the flow monitor.
Step 6 end
Example: Router(config-flow-monitor)# end
Exits flow monitor configuration mode and returns to privileged EXEC mode.
Configuring and Enabling Flow Sampling
To configure and enable a random flow sampler, perform the following required task.
Restrictions
When you specify the “NetFlow original” or the “NetFlow IPv4 original input” or the “NetFlow IPv6 original input” predefined record for the flow monitor to emulate original NetFlow, the flow monitor can be used only for analyzing input (ingress) traffic.
When you specify the “NetFlow IPv4 original output” or the “NetFlow IPv6 original output” predefined record for the flow monitor to emulate the Egress NetFlow Accounting feature, the flow monitor can be used only for analyzing output (egress) traffic.
SUMMARY STEPS
1. enable
2. configure terminal
3. sampler sampler-name
4. description string
5. mode {deterministic | random} 1 out-of window-size
6. exit
7. interface type number
8. {ip | ipv6} flow monitor {monitor-name [[sampler] sampler-name] {input | output}}
9. end
DETAILED STEPS
Command or Action Purpose
Step 1 enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3 sampler sampler-name
Example: Router(config)# sampler SAMPLER-1
Creates a sampler and enters sampler configuration mode.
• This command also allows you to modify an existing sampler. For example, to modify the configuration of a sampler named “sampler-name”, use the sampler sampler-name command in global configuration mode.
Step 4 description string
Example: Router(config-sampler)# description Sample at 50%
(Optional) Creates a description for the flow sampler.
Step 5 mode {deterministic | random} 1 out-of window-size
Example: Router(config-sampler)# mode random 1 out-of 2
Specifies the sampler mode and the flow sampler window size.
• The range for the window-size argument is from 2 to 32768.
Step 6 exit
Example: Router(config-sampler)# exit
Exits sampler configuration mode and returns to global configuration mode.
Step 7 interface type number
Example: Router(config)# interface ethernet 0/0
Specifies an interface and enters interface configuration mode.
Step 8 {ip | ipv6} flow monitor {monitor-name [[sampler] sampler-name] {input | output}}
Example: Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input
Assigns the flow monitor and the flow sampler that you created to the interface to enable sampling.
Step 9 end
Example: Router(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode.
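The restrictions and value ranges in the two tasks above can be checked in a configuration file before it is pushed to a device. The following Python linter is an added example, not Cisco tooling: it enforces the input-only and output-only rule for the predefined "original" records and the 2 to 32768 window-size range, and as an added assumption it also flags interfaces that reference a monitor or sampler the file never defines. The sample configuration, rule names and function names are constructed.

```python
import re

# Constructed sample configuration (not from the original page); the
# FLOW-MONITOR-3 and SAMPLER-BAD entries are deliberately wrong.
SAMPLE_CONFIG = """\
flow monitor FLOW-MONITOR-1
 record netflow ipv4 original-input
!
flow monitor FLOW-MONITOR-2
 record netflow ipv6 original-output
!
sampler SAMPLER-1
 mode deterministic 1 out-of 2
!
sampler SAMPLER-BAD
 mode random 1 out-of 65536
!
interface Ethernet0/0
 ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 output
 ipv6 flow monitor FLOW-MONITOR-2 sampler SAMPLER-1 output
 ip flow monitor FLOW-MONITOR-3 input
!
"""

HEAD = re.compile(r"(flow monitor|sampler|interface)\s+(.+)$")
MODE = re.compile(r"mode\s+(deterministic|random)\s+1\s+out-of\s+(\d+)$")
# Only the command forms shown in this guide's sampling tasks are recognised.
USE = re.compile(r"(ip|ipv6)\s+flow\s+monitor\s+(\S+)(?:\s+sampler\s+(\S+))?\s+(in|out)\w*$")

def required_direction(record):
    """Direction a predefined 'original' record restricts its monitor to, or None."""
    tokens = (record or "").split()
    if "netflow-original" in tokens or "original-input" in tokens:
        return "input"
    if "original-output" in tokens:
        return "output"
    return None

def lint(config):
    """Return sorted (rule, subject, detail) findings for a configuration text."""
    monitors, samplers, uses, findings = {}, {}, [], []
    section = None                      # (kind, name) of the block being read
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "exit") or line.startswith("!"):
            section = None              # separators and exit close the block
            continue
        head = HEAD.match(line)
        if head:
            section = (head.group(1), head.group(2))
            if section[0] == "flow monitor":
                monitors.setdefault(section[1], None)
            elif section[0] == "sampler":
                samplers.setdefault(section[1], None)
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "flow monitor" and line.startswith("record "):
            monitors[name] = line[len("record "):]
        elif kind == "sampler" and MODE.match(line):
            samplers[name] = int(MODE.match(line).group(2))
        elif kind == "interface" and USE.match(line):
            use = USE.match(line)
            direction = "input" if use.group(4) == "in" else "output"
            uses.append((name, use.group(2), use.group(3), direction))
    for name, window in samplers.items():
        if window is not None and not 2 <= window <= 32768:
            findings.append(("window-range", name, f"window-size {window} outside 2..32768"))
    for iface, monitor, sampler, direction in uses:
        if monitor not in monitors:
            findings.append(("undefined-monitor", monitor, f"applied on {iface}"))
        else:
            need = required_direction(monitors[monitor])
            if need and need != direction:
                findings.append(("direction", monitor,
                                 f"record '{monitors[monitor]}' is {need}-only, "
                                 f"applied {direction} on {iface}"))
        if sampler and sampler not in samplers:
            findings.append(("undefined-sampler", sampler, f"applied on {iface}"))
    return sorted(findings)

if __name__ == "__main__":
    for rule, subject, detail in lint(SAMPLE_CONFIG):
        print(f"{rule:18} {subject:16} {detail}")
```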
Verifying the Flow Sampler Configuration
To display the status and statistics of the flow sampler that you configured and enabled, perform the following optional task.
SUMMARY STEPS
1. enable
2. show sampler
DETAILED STEPS
Step 1 enable
The enable command enters privileged EXEC mode (enter the password if prompted).
Router> enable
Router#
Step 2 show sampler
The show sampler command shows the current status of the sampler that you specify.
Router# show sampler SAMPLER-1
Sampler SAMPLER-1:
  ID: 2
  Description: Sample at 50%
  Type: random
  Rate: 1 out of 2
  Samples: 2482
  Requests: 4964
  Users (1):
    flow monitor FLOW-MONITOR-1 (ip,Et0/0,I 2482 out of 4964
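The Samples and Requests counters in this output let you confirm that the effective sampling rate matches the configured one and give the factor by which a collector must scale sampled counts. The parser below is an added Python example, not a Cisco tool; it assumes one field per line and uses the output text from this page, including its truncated last line.

```python
import re

# Output text as shown on this page (the last line is truncated in the source).
SHOW_SAMPLER = """\
Sampler SAMPLER-1:
  ID: 2
  Description: Sample at 50%
  Type: random
  Rate: 1 out of 2
  Samples: 2482
  Requests: 4964
  Users (1):
    flow monitor FLOW-MONITOR-1 (ip,Et0/0,I 2482 out of 4964
"""

NAME = re.compile(r"Sampler (\S+):$")
FIELD = re.compile(r"(ID|Description|Type|Rate|Samples|Requests):\s*(.+)$")
USER = re.compile(r"flow monitor (\S+)\s.*?(\d+) out of (\d+)$")

def parse_show_sampler(text):
    """Parse `show sampler` text into a dict; unknown lines are ignored."""
    info = {"users": []}
    for raw in text.splitlines():
        line = raw.strip()
        if NAME.match(line):
            info["name"] = NAME.match(line).group(1)
            continue
        user = USER.match(line)
        if user:
            info["users"].append((user.group(1), int(user.group(2)), int(user.group(3))))
            continue
        field = FIELD.match(line)
        if not field:
            continue
        key, value = field.group(1).lower(), field.group(2).strip()
        if key == "rate":
            rate = re.match(r"1 out of (\d+)$", value)
            if rate:
                info["window"] = int(rate.group(1))
        elif key in ("id", "samples", "requests"):
            info[key] = int(value)
        else:
            info[key] = value
    return info

def check_rate(info, tolerance=0.05):
    """Compare the observed sampling ratio with the configured 1 out-of N rate."""
    expected = 1 / info["window"]
    observed = info["samples"] / info["requests"] if info.get("requests") else 0.0
    return {
        "expected": expected,
        "observed": observed,
        "scale": info["window"],   # multiply sampled counts by this at the collector
        "ok": abs(observed - expected) <= tolerance * expected,
    }

if __name__ == "__main__":
    parsed = parse_show_sampler(SHOW_SAMPLER)
    print(parsed)
    print(check_rate(parsed))
```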
Configuration Examples for Using Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic with Flexible NetFlow
The following example shows you how to configure and enable a deterministic sampler:
• Configuring and Enabling a Deterministic Sampler for IPv4 Traffic, page 8
• Configuring and Enabling a Deterministic Sampler for IPv6 Traffic, page 8
• Adding a Sampler to a Flow Monitor When a Flow Monitor Is Already Enabled on an Interface, page 9
• Removing a Sampler from a Flow Monitor, page 9
Configuring and Enabling a Deterministic Sampler for IPv4 Traffic
The following example shows how to configure and enable deterministic sampling for IPv4 output traffic.
This sample starts in global configuration mode:
!
flow monitor FLOW-MONITOR-1
 record netflow ipv4 original-output
 exit
!
sampler SAMPLER-1
 mode deterministic 1 out-of 2
 exit
!
ip cef
!
interface Ethernet0/0
 ip address 172.16.6.2 255.255.255.0
 ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 output
!
The following example shows how to configure and enable deterministic sampling for IPv4 input traffic.
This sample starts in global configuration mode:
!
flow monitor FLOW-MONITOR-1
 record netflow ipv4 original-input
 exit
!
sampler SAMPLER-1
 mode deterministic 1 out-of 2
 exit
!
ip cef
!
interface Ethernet0/0
 ip address 172.16.6.2 255.255.255.0
 ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input
!
Configuring and Enabling a Deterministic Sampler for IPv6 Traffic
The following example shows how to configure and enable deterministic sampling for IPv6 output traffic.
This sample starts in global configuration mode:
!
flow monitor FLOW-MONITOR-2
 record netflow ipv6 original-output
 exit
!
sampler SAMPLER-1
 mode deterministic 1 out-of 2
 exit
!
ip cef
ipv6 cef
!
interface Ethernet0/0
 ipv6 address 2001:DB8:2:ABCD::2/48
 ipv6 flow monitor FLOW-MONITOR-2 sampler SAMPLER-1 output
!
The following example shows how to configure and enable deterministic sampling for IPv6 input traffic.
This sample starts in global configuration mode:
!
flow monitor FLOW-MONITOR-2
 record netflow ipv6 original-input
 exit
!
sampler SAMPLER-1
 mode deterministic 1 out-of 2
 exit
!
ip cef
ipv6 cef
!
interface Ethernet0/0
 ipv6 address 2001:DB8:2:ABCD::2/48
 ipv6 flow monitor FLOW-MONITOR-2 sampler SAMPLER-1 input
!
Adding a Sampler to a Flow Monitor When a Flow Monitor Is Already Enabled on an Interface
The following example shows what happens when you try to add a sampler to a flow monitor that has already been enabled on an interface without a sampler:
Router(config)# interface Ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 in
% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in full mode and cannot be enabled with a sampler.
The following example shows how to remove the flow monitor from the interface so that it can be enabled with the sampler:
Router(config)# interface Ethernet0/0
Router(config-if)# no ip flow monitor FLOW-MONITOR-1 in
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 in
Removing a Sampler from a Flow Monitor
The following example shows what happens when you try to remove a sampler from a flow monitor on an interface by entering the flow monitor command again without the sampler keyword and argument:
Router(config)# interface Ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 in
% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in sampled mode and cannot be enabled in full mode.
The following example shows how to remove the flow monitor that was enabled with a sampler from the interface so that it can be enabled without the sampler:
Router(config)# interface Ethernet0/0
Router(config-if)# no ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 in
Router(config-if)# ip flow monitor FLOW-MONITOR-1 in
Where to Go Next
For information on advanced Flexible NetFlow configurations for specific purposes such as quality of service (QoS) and bandwidth monitoring, application and user flow monitoring and profiling, and security analysis, refer to the “Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors” module.
If you want to configure any of the predefined records for Flexible NetFlow, refer to the “Configuring Cisco IOS Flexible NetFlow with Predefined Records” module.
If you want to configure data export for Flexible NetFlow, refer to the “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters” module.
Additional References
The following sections provide references related to Flexible NetFlow.
Related Documents
Related Topic Document Title
Overview of Flexible NetFlow “Cisco IOS Flexible NetFlow Overview”
Flexible NetFlow Feature Roadmap “Cisco IOS Flexible NetFlow Features Roadmap”
Emulating original NetFlow with Flexible NetFlow “Getting Started with Configuring Cisco IOS Flexible NetFlow”
Configuring flow exporters to export Flexible NetFlow data. “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters”
Customizing Flexible NetFlow “Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors”
Configuring Flexible NetFlow using predefined records “Configuring Cisco IOS Flexible NetFlow with Predefined Records”
Using Flexible Netflow Top N Talkers to Analyze Network Traffic “Using Cisco IOS Flexible Netflow Top N Talkers to Analyze Network Traffic”
Configuring IPv4 Multicast Statistics Support for Flexible NetFlow “Configuring IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow”
Configuration commands for Flexible NetFlow Cisco IOS Flexible NetFlow Command Reference
Standards
Standard Title
There are no standards associated with this feature. —
MIBs
MIB MIBs Link
None To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC Title
RFC #3954 Cisco Systems NetFlow Services Export Version 9
Technical Assistance
Description Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
http://www.cisco.com/techsupport
Feature Information for Flexible NetFlow
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or Cisco IOS Releases 12.2(1) or 12.0(3)S or a later release appear in the table.
For information on a feature in this technology that is not documented here, see the “Cisco IOS Flexible NetFlow Features Roadmap”.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS, Catalyst OS, and Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 Feature Information for Flexible NetFlow
Feature Name Releases Feature Configuration Information
Flexible NetFlow 12.4(9)T Flexible NetFlow is introduced.
Information about the Flexible NetFlow feature is included in the following sections:
• Prerequisites for Using Flow Sampling, page 2
• Information About Flexible NetFlow Samplers, page 3
• How to Configure Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic with Flexible NetFlow, page 3
• Configuration Examples for Using Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic with Flexible NetFlow, page 7
The following commands were introduced or modified: cache (Flexible NetFlow), clear flow exporter, clear flow monitor, clear sampler, collect counter, collect flow, collect interface, collect ipv4, collect ipv4 destination, collect ipv4 fragmentation, collect ipv4 section, collect ipv4 source, collect ipv4 total-length, collect ipv4 ttl, collect routing, collect timestamp sys-uptime, collect transport, collect transport icmp ipv4, collect transport tcp, collect transport udp, debug flow exporter, debug flow monitor, debug flow record, debug sampler, description (Flexible NetFlow), destination, dscp (Flexible NetFlow), exporter, flow exporter, flow monitor, flow record, ip flow monitor, match flow, match interface (Flexible NetFlow), match ipv4, match ipv4 destination, match ipv4 fragmentation, match ipv4 section, match ipv4 source, match ipv4 total-length, match ipv4 ttl, match routing, match transport, match transport icmp ipv4, match transport tcp, match transport udp, mode (Flexible NetFlow), option (Flexible NetFlow), record, sampler, show flow exporter, show flow interface, show flow monitor, show flow record, show sampler, source (Flexible NetFlow), statistics packet, template data timeout, transport (Flexible NetFlow).
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0809R)
Flexible NetFlow - IPv6 Unicast Flows 12.4(20)T Enables Flexible NetFlow to monitor IPv6 traffic.
Information about the Flexible NetFlow - IPv6 Unicast Flows feature is included in the following sections:
• How to Configure Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic with Flexible NetFlow, page 3
• Configuring and Enabling a Deterministic Sampler for IPv6 Traffic, page 8
The following commands were introduced or modified: collect routing, debug flow record, match routing, record, show flow monitor, show flow record, collect ipv6, collect ipv6 destination, collect ipv6 extension map, collect ipv6 fragmentation, collect ipv6 hop-limit, collect ipv6 length, collect ipv6 section, collect ipv6 source, collect transport icmp ipv6, ipv6 flow monitor, match ipv6, match ipv6 destination, match ipv6 extension map, match ipv6 fragmentation, match ipv6 hop-limit, match ipv6 length, match ipv6 section, match ipv6 source, match transport icmp ipv6.
Configuring IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow
First Published: October 10, 2008
Last Updated: October 14, 2008
This document contains information about and instructions for configuring the Flexible Netflow - IPv4 Multicast Statistics Support feature. Prior to the introduction of the Flexible Netflow - IPv4 Multicast Statistics Support feature, Flexible NetFlow was capable of analyzing IPv4 multicast traffic, but was not capable of reporting the number of replicated bytes or the number of replicated packets in multicast flows. The Flexible Netflow - IPv4 Multicast Statistics Support feature adds the capability of reporting the number of replicated bytes and the number of replicated packets in multicast flows to Flexible NetFlow.
NetFlow is a Cisco IOS technology that provides statistics on packets flowing through a networking device. NetFlow is the standard for acquiring IP operational data from IP networks. NetFlow provides network and security monitoring, network planning, traffic analysis, and IP accounting.
Flexible NetFlow improves on original NetFlow by adding the capability to customize the traffic analysis parameters for your specific requirements. Flexible NetFlow makes it easier to create more complex configurations for traffic analysis and data export through the use of reusable configuration components.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the “Feature Information for IPv4 Multicast Statistics Support” section on page 8.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for Configuring IPv4 Multicast Statistics Support
• Restrictions for Configuring IPv4 Multicast Statistics Support
• Information About IPv4 Multicast Statistics Support
• How to Configure IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow
• Configuration Examples for IPv4 Multicast Statistics Support
• Where to Go Next
• Additional References
• Feature Information for IPv4 Multicast Statistics Support
Prerequisites for Configuring IPv4 Multicast Statistics Support
The following prerequisites must be met before you can configure multicast support for Flexible NetFlow:
• You are familiar with the information in the “Cisco IOS Flexible NetFlow Overview” module.
• You are familiar with the information in the “Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors” module.
• The networking device is running a Cisco IOS release that supports the Flexible Netflow - IPv4 Multicast Statistics Support feature. See the “Cisco IOS Flexible NetFlow Features Roadmap” module for a list of Cisco IOS software releases that support the Flexible Netflow - IPv4 Multicast Statistics Support feature.
• The networking device is configured for IPv4 unicast routing and IPv4 multicast routing.
• One of the following is enabled on your networking device and on any interfaces on which you want to enable Flexible NetFlow: Cisco Express Forwarding (CEF), distributed CEF (dCEF).
Restrictions for Configuring IPv4 Multicast Statistics Support
The following restrictions apply to configuring multicast support for Flexible NetFlow:
IPv4 traffic
• When the replication-factor field is used in a flow record, it will only have a non-zero value in the cache for ingress multicast traffic that is forwarded by the router. If the flow record is used with a flow monitor in output (egress) mode and/or to monitor unicast traffic, the cache data for the replication factor field is set to 0.
IPv6 traffic
• Traffic monitoring for multicast statistics is not supported.
Information About IPv4 Multicast Statistics Support
The Flexible Netflow - IPv4 Multicast Statistics Support feature adds the capability of reporting the number of replicated bytes and the number of replicated packets in multicast flows to Flexible NetFlow. You can capture the packet-replication factor for a specific flow as well as for each outgoing stream.
You can use the Flexible Netflow - IPv4 Multicast Statistics Support feature to identify and count multicast packets on the ingress side or the egress side (or both sides) of a networking device. Multicast ingress accounting provides information about the source and how many times the traffic was replicated. Multicast egress accounting monitors the destination of the traffic flow.
How to Configure IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow
To configure the Flexible Netflow - IPv4 Multicast Statistics Support feature, perform the following task.
SUMMARY STEPS
1. enable
2. configure terminal
3. flow record flow-record-name
4. description string
5. match routing is-multicast
6. Add key fields for the record as required using other match commands.
7. collect counter {bytes replicated [long] | packets replicated [long]}
8. collect routing multicast replication-factor
9. Add non-key fields for the record as required using other collect commands.
10. flow monitor monitor-name
11. description string
12. record record-name
13. interface type number
14. ip flow monitor monitor-name [multicast | unicast] {input | output}
15. Repeat Steps 13 and 14 to activate a flow monitor on any other interfaces in the networking device over which you want to monitor traffic.
16. end
DETAILED STEPS
Command or Action Purpose
Step 1 enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3 flow record flow-record-name
Example: Router(config)# flow record FLOW-RECORD-2
Creates a flow record and enters flow record configuration mode.
• This command also allows you to modify an existing flow record. For example, to modify the configuration of a flow record named “record-name”, use the flow record record-name command and argument in global configuration mode.
Step 4 description string
Example: Router(config-flow-record)# description Used for IPv4 multicast traffic analysis
(Optional) Creates a description for the flow record.
Step 5 match routing is-multicast
Example: Router(config-flow-record)# match routing is-multicast
Configures IPv4 multicast destination addresses (indicating that the IPv4 traffic is multicast traffic) as a key field for the flow record.
Step 6 Add key fields for the record as required using other match commands.
For information about the other match commands that are available to configure key fields, refer to the Cisco IOS Flexible NetFlow Command Reference.
Step 7 collect counter {bytes replicated [long] | packets replicated [long]}
Example: Router(config-flow-record)# collect counter packets replicated
Configures the number of bytes or packets multiplied by the multicast replication factor (number of interfaces the multicast traffic is forwarded over) as a non-key field.
Default: Uses a 32-bit counter. The long keyword configures a 64-bit counter.
Step 8 collect routing multicast replication-factor
Example: Router(config-flow-record)# collect routing multicast replication-factor
Configures the multicast replication factor (number of interfaces over which multicast traffic is forwarded) as a non-key field.
Step 9 Add non-key fields for the record as required using other collect commands.
For information about the other collect commands that are available to configure non-key fields, refer to the Cisco IOS Flexible NetFlow Command Reference.
Step 10 flow monitor monitor-name
Example: Router(config)# flow monitor FLOW-MONITOR-2
Creates a flow monitor and enters Flexible NetFlow flow monitor configuration mode.
• This command also allows you to modify an existing flow monitor. For example, to modify the configuration of a flow monitor named “monitor-name”, use the flow monitor monitor-name command in global configuration mode.
Step 11 description string
Example: Router(config-flow-monitor)# description Used for IPv4 multicast traffic analysis
(Optional) Creates a description for the flow monitor.
Step 12 record record-name
Example: Router(config-flow-monitor)# record FLOW-RECORD-2
Specifies the record for the flow monitor.
Step 13 interface type number
Example: Router(config)# interface ethernet 0/0
Specifies an interface and enters interface configuration mode.
Step 14 ip flow monitor monitor-name [multicast | unicast] {input | output}
Example: Router(config-if)# ip flow monitor FLOW-MONITOR-2 input
Activates the flow monitor that was created previously by assigning it to the interface to analyze traffic. To monitor only multicast traffic, use the multicast keyword. Default: Unicast traffic and multicast traffic are monitored.
Step 15 Repeat Steps 13 and 14 to activate a flow monitor on any other interfaces in the networking device over which you want to monitor traffic.
Step 16 end
Example: Router(config-if)# end
Exits flow interface configuration mode and returns to privileged EXEC mode.
Examples
The following output from the show flow monitor command shows four multicast flows and three unicast flows:
Router# show flow monitor FLOW-MONITOR-2 cache
Cache type: Normal
Cache size: 4096
Current entries: 8
High Watermark: 8
Flows added: 4074
Flows aged: 4066
  - Active timeout ( 1800 secs) 46
  - Inactive timeout ( 15 secs) 4020
  - Event aged 0
  - Watermark aged 0
  - Emergency aged 0

IP IS MULTICAST  IPV4 DST ADDR    pkts rep
===============  ===============  ==========
Yes              224.192.16.1          16642
Yes              224.192.65.1          16621
No               10.1.4.2                  0
No               10.1.2.2                  0
No               10.1.3.2                  0
Yes              224.0.0.13                0
No               255.255.255.255           0
Yes              224.0.0.1                 0
Configuration Examples for IPv4 Multicast Statistics Support
This section contains the following configuration example:
• Configuring IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow: Example
Configuring IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow: Example
This example configures the following:
• IPv4 multicast destination addresses (indicating that the IPv4 traffic is multicast traffic) as a key field.
• The destination IPv4 address as a key field.
• The replicated packet count as a non-key field.
• The replication factor as a non-key field.
• The flow monitor to monitor only multicast traffic.
This sample starts in global configuration mode:
!
flow record FLOW-RECORD-2
 match routing is-multicast
 match ipv4 destination address
 collect counter packets replicated
 collect routing multicast replication-factor
 exit
!
flow monitor FLOW-MONITOR-2
 record FLOW-RECORD-2
 exit
!
interface Ethernet0/0
 no shut
 ip address 10.1.1.2 255.255.255.0
 ip flow monitor FLOW-MONITOR-2 multicast input
!
end
Where to Go Next
If you want to configure data export for Flexible NetFlow, refer to the “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters” module.
If you want to configure flow sampling to reduce the CPU overhead of analyzing traffic, refer to the “Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic” module.
If you want to configure any of the predefined records for Flexible NetFlow, refer to the “Configuring Cisco IOS Flexible NetFlow with Predefined Records” module.
Additional References
The following sections provide references related to Flexible NetFlow.
Related Documents
Related Topic | Document Title
Overview of Flexible NetFlow | “Cisco IOS Flexible NetFlow Overview”
Flexible NetFlow Feature Roadmap | “Cisco IOS Flexible NetFlow Features Roadmap”
Emulating original NetFlow with Flexible NetFlow | “Getting Started with Configuring Cisco IOS Flexible NetFlow”
Configuring flow exporters to export Flexible NetFlow data | “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters”
Configuring flow sampling to reduce the overhead of monitoring traffic with Flexible NetFlow | “Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic”
Configuring Flexible NetFlow using predefined records | “Configuring Cisco IOS Flexible NetFlow with Predefined Records”
Using Flexible Netflow Top N Talkers to Analyze Network Traffic | “Using Cisco IOS Flexible Netflow Top N Talkers to Analyze Network Traffic”
Configuration commands for Flexible NetFlow | Cisco IOS Flexible NetFlow Command Reference
Standards
Standard | Title
There are no standards associated with this feature. | —
MIBs
MIB | MIBs Link
None | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC | Title
RFC #3954 | Cisco Systems NetFlow Services Export Version 9
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport
Feature Information for IPv4 Multicast Statistics Support
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or Cisco IOS Releases 12.2(1) or 12.0(3)S or a later release appear in the table.
For information on a feature in this technology that is not documented here, see the “Cisco IOS Flexible NetFlow Features Roadmap” or other available documentation for your Cisco IOS release.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS, Catalyst OS, and Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 Feature Information for Flexible Netflow - IPv4 Multicast Statistics Support
Feature Name: Flexible NetFlow
Releases: 12.4(9)T
Feature Information: Flexible NetFlow is introduced.
Information about the Flexible NetFlow feature is included in the following sections:
• How to Configure IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow
The following commands were introduced or modified: cache (Flexible NetFlow), clear flow exporter, clear flow monitor, clear sampler, collect counter, collect flow, collect interface, collect ipv4, collect ipv4 destination, collect ipv4 fragmentation, collect ipv4 section, collect ipv4 source, collect ipv4 total-length, collect ipv4 ttl, collect routing, collect timestamp sys-uptime, collect transport, collect transport icmp ipv4, collect transport tcp, collect transport udp, debug flow exporter, debug flow monitor, debug flow record, debug sampler, description (Flexible NetFlow), destination, dscp (Flexible NetFlow), exporter, flow exporter, flow monitor, flow record, ip flow monitor, match flow, match interface (Flexible NetFlow), match ipv4, match ipv4 destination, match ipv4 fragmentation, match ipv4 section, match ipv4 source, match ipv4 total-length, match ipv4 ttl, match routing, match transport, match transport icmp ipv4, match transport tcp, match transport udp, mode (Flexible NetFlow), option (Flexible NetFlow), record, sampler, show flow exporter, show flow interface, show flow monitor, show flow record, show sampler, source (Flexible NetFlow), statistics packet, template data timeout, transport (Flexible NetFlow).
Feature Name: Flexible Netflow - IPv4 Multicast Statistics Support
Releases: 12.4(22)T
Feature Information: The Flexible Netflow - IPv4 Multicast Statistics Support feature adds the capability of reporting the number of replicated bytes and the number of replicated packets in multicast flows to Flexible NetFlow.
The following sections provide information about this feature:
• Prerequisites for Configuring IPv4 Multicast Statistics Support
• Restrictions for Configuring IPv4 Multicast Statistics Support
• Information About IPv4 Multicast Statistics Support
• How to Configure IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow
• Configuration Examples for IPv4 Multicast Statistics Support
The following commands were introduced or modified: collect counter, collect routing is-multicast, collect routing multicast replication-factor, match routing is-multicast, match routing multicast replication-factor, ip flow monitor, ipv6 flow monitor.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.
Using Cisco IOS Flexible NetFlow Top N Talkers to Analyze Network Traffic
First Published: October 10, 2008
Last Updated: October 21, 2008
This document contains information about and instructions for using the Flexible NetFlow - Top N Talkers Support feature. The Flexible NetFlow - Top N Talkers Support feature helps you analyze the large amount of data that Flexible NetFlow captures from the traffic in your network by providing the ability to filter, aggregate, and sort the data in the Flexible NetFlow cache as you display it. When you are sorting and displaying the data in the cache, you can limit the display output to a specific number of entries with the highest values (Top N Talkers) for traffic volume, packet counters, and so on. The Flexible NetFlow - Top N Talkers Support feature facilitates real-time traffic analysis by requiring only the use of show commands, which can be entered in many different variations using the available keywords and arguments to meet your traffic data analysis requirements.
NetFlow is a Cisco IOS technology that provides statistics on packets flowing through the router. NetFlow is the standard for acquiring IP operational data from IP networks. NetFlow provides network and security monitoring, network planning, traffic analysis, and IP accounting.
Flexible NetFlow improves on original NetFlow by adding the capability to customize the traffic analysis parameters for your specific requirements. Flexible NetFlow makes it easier to create more complex configurations for traffic analysis and data export through the use of reusable configuration components.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the “Feature Information for Flexible NetFlow Top N Talkers” section on page 15.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for Flexible NetFlow Top N Talkers
• Information About Flexible NetFlow Top N Talkers
• How to Analyze Network Traffic With Cisco IOS Flexible NetFlow Top N Talkers
• Examples for Flexible NetFlow Top N Talkers
• Additional References
• Feature Information for Flexible NetFlow Top N Talkers
Prerequisites for Flexible NetFlow Top N Talkers
The following prerequisites must be met before you can use the Flexible NetFlow - Top N Talkers Support feature:
• You are familiar with the information in the “Cisco IOS Flexible NetFlow Overview” module.
• The networking device is running a Cisco IOS release that supports the Flexible NetFlow - Top N Talkers Support feature. See the “Feature Information for Flexible NetFlow Top N Talkers” section on page 15 for a list of Cisco IOS software releases that support Flexible NetFlow.
There are no configuration tasks associated with the Flexible NetFlow - Top N Talkers Support feature. Therefore, in order to use the Flexible NetFlow - Top N Talkers Support feature, traffic analysis with Flexible NetFlow must already be configured on the networking device. See the “Cisco IOS Flexible NetFlow Features Roadmap” module for information on configuring traffic analysis on your networking device with Flexible NetFlow.
Information About Flexible NetFlow Top N Talkers
Before you can use the Flexible NetFlow - Top N Talkers Support feature, you should understand the following concepts:
• Flow Filtering
• Flow Aggregation
• Flow Sorting and Top N Talkers
• Documented Command Names and Actual Command Syntax
• Combined Use of Flow Filtering, Flow Aggregation, and Flow Sorting with Top N Talkers
• Memory and Performance Impact of Top N Talkers
Flow Filtering
The flow filtering function of the Flexible NetFlow - Top N Talkers Support feature filters the flow data in a flow monitor cache based on the criteria that you specify, and displays the data.
The flow filtering function of the Flexible NetFlow - Top N Talkers Support feature is provided by the show flow monitor cache filter command. For more information on the show flow monitor cache filter command, refer to the Cisco IOS Flexible NetFlow Command Reference.
Flow Aggregation
Flow aggregation using the show flow monitor cache aggregate command allows you to dynamically view the flow information in a cache using a different flow record than the cache was originally created from. Only the fields in the cache will be available for the aggregated flows.
The flow aggregation function of the Flexible NetFlow - Top N Talkers Support feature is provided by the show flow monitor cache aggregate command. For more information on the show flow monitor cache aggregate command, refer to the Cisco IOS Flexible NetFlow Command Reference.
Flow Sorting and Top N Talkers
The flow sorting function of the Flexible NetFlow - Top N Talkers Support feature sorts flow data from the Flexible NetFlow cache based on the criteria that you specify and displays the data. You can also use the flow sorting function of the Flexible NetFlow - Top N Talkers Support feature to limit the display output to a specific number of entries (top n talkers, where n is the number of talkers to display) by using the top keyword.
The flow sorting and Top N Talkers function of the Flexible NetFlow - Top N Talkers Support feature is provided by the show flow monitor cache sort command. For more information on the show flow monitor cache sort command, refer to the Cisco IOS Flexible NetFlow Command Reference.
Documented Command Names and Actual Command Syntax
The three commands that make up the Flexible NetFlow - Top N Talkers Support feature are documented using the Cisco documentation convention of using the initial words in the CLI syntax, omitting subsequent words in the CLI syntax, and using a word in the CLI syntax that follows the omitted words. Therefore the syntax that you use for entering the commands is different from the documented command name. Table 1 shows the documented command names and the actual command CLI syntax. The monitor-name argument is the name of a flow monitor that was previously configured.
Note The arguments and keywords that you can use after filter, aggregation, and sort are not included in Table 1. For more information on the arguments and keywords that you can use after filter, aggregation, and sort, refer to the Cisco IOS Flexible NetFlow Command Reference.
Table 1 Documented Command Names and Actual Command Syntax
Documented Command Name | Actual CLI Syntax for Using the Command
show flow monitor cache filter | show flow monitor monitor-name cache filter
show flow monitor cache aggregation | show flow monitor monitor-name cache aggregation
show flow monitor cache sort | show flow monitor monitor-name cache sort
Combined Use of Flow Filtering, Flow Aggregation, and Flow Sorting with Top N Talkers
Although each of the show commands that make up the Flexible NetFlow - Top N Talkers Support feature can be used individually for traffic analysis, they provide much greater analytical capabilities when they are used together. When you use any combination of the three show commands, you enter only the common prefix of show flow monitor monitor-name cache followed by filter, aggregation, sort, and the arguments and keywords available for filter, aggregation, and sort, as required. For example,
show flow monitor monitor-name cache filter options aggregation options sort options
where options is any permissible combination of arguments and keywords. See the “Examples for Flexible NetFlow Top N Talkers” section on page 10 for more information.
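The filter, aggregate, sort, and top chain described above can also be reproduced offline on output saved with format record, which is useful when reviewing a capture after the cache has aged out. The following Python code is an added example, not Cisco code: the sample text is constructed, the function names are hypothetical, and it assumes unanchored regular-expression matching (as with Python's re.search), under which the pattern (1|6) also matches protocol 17.

```python
import re

# Constructed sample in the "format record" layout shown on this page:
# one "FIELD NAME: value" pair per line, a blank line between flows.
SAMPLE = """\
Processed 4 flows

IPV4 SOURCE ADDRESS:       10.1.1.3
IPV4 DESTINATION ADDRESS:  172.16.10.11
IP PROTOCOL:               6
counter bytes:             22760
counter packets:           1569
timestamp first:           19:42:32.924

IPV4 SOURCE ADDRESS:       10.10.11.2
IPV4 DESTINATION ADDRESS:  172.16.10.11
IP PROTOCOL:               6
counter bytes:             22720
counter packets:           568
timestamp first:           19:42:34.264

IPV4 SOURCE ADDRESS:       192.168.67.6
IPV4 DESTINATION ADDRESS:  172.16.10.200
IP PROTOCOL:               1
counter bytes:             15848
counter packets:           344
timestamp first:           19:42:36.852

IPV4 SOURCE ADDRESS:       10.1.1.1
IPV4 DESTINATION ADDRESS:  255.255.255.255
IP PROTOCOL:               17
counter bytes:             52
counter packets:           1
timestamp first:           18:59:46.199
"""

BYTES, PKTS = "counter bytes", "counter packets"


def parse_records(text):
    """Parse record-format output into a list of {field: value} dicts.

    Field names are lower-cased. Lines without a colon (summary banners
    such as "Processed 26 flows") are skipped; the "Cache type:" header
    block of an unfiltered dump is not handled and should be removed first.
    """
    flows, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                flows.append(current)
                current = {}
            continue
        # Split on the first colon only: timestamp values contain colons.
        name, sep, value = line.partition(":")
        if sep:
            current[name.strip().lower()] = value.strip()
    if current:
        flows.append(current)
    return flows


def filter_flows(flows, field, pattern):
    """Keep flows whose field matches the regex (unanchored: an assumption)."""
    rx = re.compile(pattern)
    return [f for f in flows if rx.search(f.get(field, ""))]


def aggregate(flows, key_fields, collect=()):
    """Group flows by key_fields, summing counters and counting flows.

    Collected non-key fields are kept as the set of distinct values seen,
    which is this example's choice and not necessarily what the router shows.
    """
    groups = {}
    for f in flows:
        key = tuple(f.get(k, "") for k in key_fields)
        row = groups.get(key)
        if row is None:
            row = dict(zip(key_fields, key))
            row.update({"flows": 0, BYTES: 0, PKTS: 0})
            for c in collect:
                row[c] = set()
            groups[key] = row
        row["flows"] += 1
        row[BYTES] += int(f.get(BYTES, 0))
        row[PKTS] += int(f.get(PKTS, 0))
        for c in collect:
            row[c].add(f.get(c, ""))
    return list(groups.values())


def top_n(rows, field, n=20):
    """Sort highest first on a numeric field; 20 mirrors the stated default."""
    return sorted(rows, key=lambda r: int(r[field]), reverse=True)[:n]


def top_talkers(text, n, pattern=r"(1|6)"):
    """filter ipv4 protocol -> aggregate on destination -> sort bytes -> top n."""
    matched = filter_flows(parse_records(text), "ip protocol", pattern)
    rows = aggregate(matched, ["ipv4 destination address"], collect=["ip protocol"])
    return top_n(rows, BYTES, n)


if __name__ == "__main__":
    for row in top_talkers(SAMPLE, 2):
        print(row)
```

Under the unanchored assumption, writing the pattern as ^(1|6)$ restricts the filter to ICMP and TCP flows and excludes the UDP (protocol 17) flow.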
Memory and Performance Impact of Top N Talkers
The Flexible NetFlow - Top N Talkers Support feature can use a large number of CPU cycles and possibly also system memory for a short time. However, because the Flexible NetFlow - Top N Talkers Support feature uses only show commands, the CPU usage should be run at a low priority because there is no real-time data processing involved. The memory usage can be mitigated by using a larger granularity of aggregation, or no aggregation at all.
How to Analyze Network Traffic With Cisco IOS Flexible NetFlow Top N Talkers
The tasks in this section are examples of using the Flexible NetFlow - Top N Talkers Support feature to analyze traffic in a network:
• Filtering Flow Data from the Flexible NetFlow Cache
• Aggregating Flow Data from the Flexible NetFlow Cache
• Sorting Flow Data from the Flexible NetFlow Cache
• Sorting Flow Data from the Flexible NetFlow Cache and Displaying the Top N Talkers
Filtering Flow Data from the Flexible NetFlow Cache
This task shows you how to use the show flow monitor cache filter command with a regular expression to filter the flow monitor cache data, and display the results. For more information on regular expressions and the show flow monitor cache filter command, refer to the Cisco IOS Flexible NetFlow Command Reference.
To filter the flow monitor cache data using a regular expression and display the results, perform the following task.
SUMMARY STEPS
1. enable
2. show flow monitor [name] monitor-name cache filter options [regexp regexp] [...options [regexp regexp] [format {csv | record | table}
DETAILED STEPS
Step 1 enable
Enters privileged EXEC mode.
Router> enable
Step 2 show flow monitor [name] monitor-name cache filter options [regexp regexp] [...options [regexp regexp] [format {csv | record | table}
Filters the flow monitor cache data on the IPv4 type of service (ToS) value.
Router# show flow monitor FLOW-MONITOR-3 cache filter ipv4 tos regexp 0x(C0|50)
Cache type: Normal
Cache size: 4096
Current entries: 19
High Watermark: 38
Flows added: 3516
Flows aged: 3497
  - Active timeout ( 1800 secs) 52
  - Inactive timeout ( 15 secs) 3445
  - Event aged 0
  - Watermark aged 0
  - Emergency aged 0

IPV4 SOURCE ADDRESS: 10.1.1.1
IPV4 DESTINATION ADDRESS: 255.255.255.255
TRNS SOURCE PORT: 520
TRNS DESTINATION PORT: 520
INTERFACE INPUT: Et0/0
FLOW SAMPLER ID: 0
IP TOS: 0xC0
IP PROTOCOL: 17
ip source as: 0
ip destination as: 0
ipv4 next hop address: 0.0.0.0
ipv4 source mask: /24
ipv4 destination mask: /0
tcp flags: 0x00
interface output: Null
counter bytes: 52
counter packets: 1
timestamp first: 18:59:46.199
timestamp last: 18:59:46.199
Matched 1 flow
Aggregating Flow Data from the Flexible NetFlow Cache
This task shows you how to use the show flow monitor cache aggregate command to aggregate the flow monitor cache data with a different record than the cache was created with, and display the results. For more information on the show flow monitor cache aggregate command, refer to the Cisco IOS Flexible NetFlow Command Reference.
To aggregate the flow monitor cache data and display the results, perform the following task.
SUMMARY STEPS
1. enable
2. show flow monitor [name] monitor-name cache aggregate {{options [...options] [collect options [...options]] | record record-name} [format {csv | record | table}}
DETAILED STEPS
Step 1 enable
Enters privileged EXEC mode.
Router> enable
Step 2 show flow monitor [name] monitor-name cache aggregate {{options [...options] [collect options [...options]] | record record-name} [format {csv | record | table}}
Aggregates the flow monitor cache data on the IPv4 destination address and displays the cache data for the IPv4 protocol type and input interface non-key fields:
Router# show flow monitor FLOW-MONITOR-3 cache aggregate ipv4 destination address collect ipv4 protocol interface input
Processed 17 flows
Aggregated to 7 flows

IPV4 DST ADDR    intf input            flows       bytes       pkts        ip prot
===============  ====================  ==========  ==========  ==========  =======
224.192.16.4     Et0/0                 3           42200       2110        1
224.192.16.1     Et0/0                 3           17160       858         1
224.192.18.1     Et0/0                 4           18180       909         1
224.192.45.12    Et0/0                 4           14440       722         1
255.255.255.255  Et0/0                 1           52          1           17
224.0.0.13       Et0/0                 1           54          1           103
224.0.0.1        Et0/0                 1           28          1           2
Sorting Flow Data from the Flexible NetFlow Cache
This task shows you how to use the show flow monitor cache sort command to sort the flow monitor cache data, and display the results. For more information on the show flow monitor cache sort command, refer to the Cisco IOS Flexible NetFlow Command Reference.
To sort the flow monitor cache data and display the results, perform the following task.
SUMMARY STEPS
1. enable
2. show flow monitor [name] monitor-name cache sort options [top [number]] [format {csv | record | table}]
DETAILED STEPS
Step 1 enable
Enters privileged EXEC mode.
Router> enable
Step 2 show flow monitor [name] monitor-name cache sort options [top [number]] [format {csv | record | table}]
Displays the cache data sorted on the number of packets from highest to lowest.
Note When the top keyword is not used, the default number of sorted flows shown is 20.
Router# show flow monitor FLOW-MONITOR-1 cache sort highest counter packets
Processed 26 flows
Aggregated to 26 flows
Showing the top 20 flows

IPV4 SOURCE ADDRESS: 10.1.1.3
IPV4 DESTINATION ADDRESS: 172.16.10.11
TRNS SOURCE PORT: 443
TRNS DESTINATION PORT: 443
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 6
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 22760
counter packets: 1569
timestamp first: 19:42:32.924
timestamp last: 19:57:28.656

IPV4 SOURCE ADDRESS: 10.10.11.2
IPV4 DESTINATION ADDRESS: 172.16.10.6
TRNS SOURCE PORT: 65
TRNS DESTINATION PORT: 65
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 6
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 22720
counter packets: 568
timestamp first: 19:42:34.264
timestamp last: 19:57:28.428
...
IPV4 SOURCE ADDRESS: 192.168.67.6
IPV4 DESTINATION ADDRESS: 172.16.10.200
TRNS SOURCE PORT: 0
TRNS DESTINATION PORT: 3073
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 1
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 15848
counter packets: 344
timestamp first: 19:42:36.852
timestamp last: 19:57:27.836

IPV4 SOURCE ADDRESS: 10.234.53.1
IPV4 DESTINATION ADDRESS: 172.16.10.2
TRNS SOURCE PORT: 0
TRNS DESTINATION PORT: 2048
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 1
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 15848
counter packets: 213
timestamp first: 19:42:36.904
timestamp last: 19:57:27.888
Sorting Flow Data from the Flexible NetFlow Cache and Displaying the Top N Talkers
This task shows you how to use the show flow monitor cache sort command to sort the flow monitor cache data, and to limit the display results to a specific number of high volume flows. For more information on the show flow monitor cache sort command, refer to the Cisco IOS Flexible NetFlow Command Reference.
To sort the flow monitor cache data and limit the display output to a specific number of high volume flows, perform the following task:
SUMMARY STEPS
1. enable
2. show flow monitor [name] monitor-name cache sort options [top [number]] [format {csv | record | table}]
DETAILED STEPS
Step 1 enable
Enters privileged EXEC mode.
Router> enable
Step 2 show flow monitor [name] monitor-name cache sort options [top [number]] [format {csv | record | table}]
Displays the cache data sorted on the number of packets from highest to lowest and limits the output to the three highest volume flows:
Router# show flow monitor FLOW-MONITOR-1 cache sort highest counter packets top 3
Processed 25 flows
Aggregated to 25 flows
Showing the top 3 flows

IPV4 SOURCE ADDRESS: 10.1.1.3
IPV4 DESTINATION ADDRESS: 172.16.10.11
TRNS SOURCE PORT: 443
TRNS DESTINATION PORT: 443
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 6
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 32360
counter packets: 1897
timestamp first: 19:42:32.924
timestamp last: 20:03:47.100

IPV4 SOURCE ADDRESS: 10.10.11.2
IPV4 DESTINATION ADDRESS: 172.16.10.6
TRNS SOURCE PORT: 65
TRNS DESTINATION PORT: 65
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 6
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 32360
counter packets: 809
timestamp first: 19:42:34.264
timestamp last: 20:03:48.460

IPV4 SOURCE ADDRESS: 172.16.1.84
IPV4 DESTINATION ADDRESS: 172.16.10.19
TRNS SOURCE PORT: 80
TRNS DESTINATION PORT: 80
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 6
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /24
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 32320
counter packets: 345
timestamp first: 19:42:34.512
timestamp last: 20:03:47.140
Examples for Flexible NetFlow Top N Talkers
This section contains the following examples:
• Filtering, Aggregating, and Sorting Flow Data from the Flexible NetFlow Cache and Displaying the Top Talkers: Example
• Filtering Using Multiple Filtering Criterion: Example
• Aggregation Using Multiple Aggregation Criterion: Example
Filtering, Aggregating, and Sorting Flow Data from the Flexible NetFlow Cache and Displaying the Top Talkers: Example
The following example combines filtering, aggregation, collecting additional field data, sorting the flow monitor cache data, and limiting the display output to a specific number of high volume flows (top talkers).
This sample runs in privileged EXEC mode:
Router# show flow monitor FLOW-MONITOR-1 cache filter ipv4 protocol regexp (1|6) aggregate ipv4 destination address collect ipv4 protocol sort counter bytes top 4
Processed 26 flows
Matched 26 flows
Aggregated to 13 flows
Showing the top 4 flows

IPV4 DST ADDR         flows       bytes        pkts
===============  ==========  ==========  ==========
172.16.10.2              12     1358370        6708
172.16.10.19              2       44640        1116
172.16.10.20              2       44640        1116
172.16.10.4               1       22360         559
The following example combines filtering using a regular expression, aggregation using a predefined record, sorting the flow monitor cache data, limiting the display output to a specific number of high volume flows (top talkers), and displaying the output in record format.
This sample runs in privileged EXEC mode:
Router# show flow monitor FLOW-MONITOR-1 cache filter ipv4 source address regexp 10.* aggregate record netflow ipv4 protocol-port sort transport destination-port top 5 format record
Processed 26 flows
Matched 15 flows
Aggregated to 10 flows
Showing the top 5 flows

TRNS SOURCE PORT: 0
TRNS DESTINATION PORT: 0
FLOW DIRECTION: Input
IP PROTOCOL: 1
counter flows: 1
counter bytes: 387800
counter packets: 700
timestamp first: 17:12:30.712
timestamp last: 17:30:52.936

TRNS SOURCE PORT: 20
TRNS DESTINATION PORT: 20
FLOW DIRECTION: Input
IP PROTOCOL: 6
counter flows: 2
counter bytes: 56000
counter packets: 1400
timestamp first: 17:12:29.532
timestamp last: 17:30:53.148

TRNS SOURCE PORT: 21
TRNS DESTINATION PORT: 21
FLOW DIRECTION: Input
IP PROTOCOL: 6
counter flows: 2
counter bytes: 56000
counter packets: 1400
timestamp first: 17:12:29.572
timestamp last: 17:30:53.196

TRNS SOURCE PORT: 22
TRNS DESTINATION PORT: 22
FLOW DIRECTION: Input
IP PROTOCOL: 6
counter flows: 1
counter bytes: 28000
counter packets: 700
timestamp first: 17:12:29.912
timestamp last: 17:30:52.168

TRNS SOURCE PORT: 25
TRNS DESTINATION PORT: 25
FLOW DIRECTION: Input
IP PROTOCOL: 6
counter flows: 2
counter bytes: 56000
counter packets: 1400
timestamp first: 17:12:29.692
timestamp last: 17:30:51.968
Filtering Using Multiple Filtering Criterion: Example
The following example filters the cache data on the IPv4 destination address and the destination port:
This sample runs in privileged EXEC mode:
Router# show flow monitor FLOW-MONITOR-1 cache filter ipv4 destination address regexp 172.16.10* transport destination-port 21
Cache type: Normal
Cache size: 4096
Current entries: 26
High Watermark: 26

Flows added: 241
Flows aged: 215
  - Active timeout ( 1800 secs) 50
  - Inactive timeout ( 15 secs) 165
  - Event aged 0
  - Watermark aged 0
  - Emergency aged 0

IPV4 SOURCE ADDRESS: 10.10.10.2
IPV4 DESTINATION ADDRESS: 172.16.10.2
TRNS SOURCE PORT: 21
TRNS DESTINATION PORT: 21
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 6
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 17200
counter packets: 430
timestamp first: 17:03:58.071
timestamp last: 17:15:14.615

IPV4 SOURCE ADDRESS: 172.30.231.193
IPV4 DESTINATION ADDRESS: 172.16.10.2
TRNS SOURCE PORT: 21
TRNS DESTINATION PORT: 21
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 6
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 17160
counter packets: 429
timestamp first: 17:03:59.963
timestamp last: 17:15:14.887

Matched 2 flows
Aggregation Using Multiple Aggregation Criterion: Example
The following example aggregates the flow monitor cache data on the destination and source IPv4 addresses:
This sample runs in privileged EXEC mode:
Router# show flow monitor FLOW-MONITOR-1 cache aggregate ipv4 destination address ipv4 source address
Processed 26 flows
Aggregated to 17 flows

IPV4 SRC ADDR    IPV4 DST ADDR         flows       bytes        pkts
===============  ===============  ==========  ==========  ==========
10.251.10.1      172.16.10.2               2     1400828        1364
192.168.67.6     172.16.10.200             1       19096         682
10.234.53.1      172.16.10.2               3       73656        2046
172.30.231.193   172.16.10.2               3       73616        2045
10.10.10.2       172.16.10.2               2       54560        1364
192.168.87.200   172.16.10.2               2       54560        1364
10.10.10.4       172.16.10.4               1       27280         682
10.10.11.1       172.16.10.5               1       27280         682
10.10.11.2       172.16.10.6               1       27280         682
10.10.11.3       172.16.10.7               1       27280         682
10.10.11.4       172.16.10.8               1       27280         682
10.1.1.1         172.16.10.9               1       27280         682
10.1.1.2         172.16.10.10              1       27280         682
10.1.1.3         172.16.10.11              1       27280         682
172.16.1.84      172.16.10.19              2       54520        1363
172.16.1.85      172.16.10.20              2       54520        1363
172.16.6.1       224.0.0.9                 1          52           1
Router#
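The filter, aggregate, sort and top steps from the examples above, applied offline to saved record-format output; this is an added example, not code from the Cisco guide. The sample text is constructed, parse_records and top_talkers are hypothetical names, and Python's re.search stands in for the IOS regexp filter (an assumption, IOS matching is not modelled).

```python
import re
from collections import defaultdict

# Constructed sample in the "format record" layout: one "NAME: value" line
# per field and a blank line between flows (a subset of the page's fields).
SAMPLE = """\
IPV4 SOURCE ADDRESS:       10.1.1.3
IPV4 DESTINATION ADDRESS:  172.16.10.11
counter bytes:             32360
timestamp first:           19:42:32.924

IPV4 SOURCE ADDRESS:       10.10.11.2
IPV4 DESTINATION ADDRESS:  172.16.10.6
counter bytes:             32360

IPV4 SOURCE ADDRESS:       10.10.10.2
IPV4 DESTINATION ADDRESS:  172.16.10.6
counter bytes:             17200

IPV4 SOURCE ADDRESS:       192.168.10.7
IPV4 DESTINATION ADDRESS:  172.16.10.19
counter bytes:             500
"""

def parse_records(text):
    """Return one dict per flow, keyed by lower-cased field name."""
    flows = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")  # first colon only: timestamps contain colons
            if sep:
                rec[name.strip().lower()] = value.strip()
        if rec:
            flows.append(rec)
    return flows

def top_talkers(flows, key, n, field=None, pattern=None):
    """Filter on a field regexp, aggregate on key, sort by bytes, keep top n."""
    totals = defaultdict(lambda: [0, 0])            # key -> [flows, bytes]
    for rec in flows:
        if pattern and not re.search(pattern, rec.get(field, "")):
            continue
        if key not in rec or not rec.get("counter bytes", "").isdigit():
            continue                                # skip incomplete records
        totals[rec[key]][0] += 1
        totals[rec[key]][1] += int(rec["counter bytes"])
    ranked = sorted(totals.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(k, f, b) for k, (f, b) in ranked[:n]]
```

In this Python stand-in the unanchored pattern 10.* also selects the source 192.168.10.7, while ^10\. keeps only addresses that begin with 10.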
Additional References
The following sections provide references related to the Flexible NetFlow - Top N Talkers Support feature.
Related Documents
Related Topic: Document Title
Overview of Flexible NetFlow: “Cisco IOS Flexible NetFlow Overview”
Flexible NetFlow Feature Roadmap: “Cisco IOS Flexible NetFlow Features Roadmap”
Configuring flow exporters to export Flexible NetFlow data: “Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters”
Customizing Flexible NetFlow: “Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors”
Configuring flow sampling to reduce the overhead of monitoring traffic with Flexible NetFlow: “Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic”
Configuring Flexible NetFlow using predefined records: “Configuring Cisco IOS Flexible NetFlow with Predefined Records”
Configuring IPv4 Multicast Statistics Support for Flexible NetFlow: “Configuring IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow”
Configuration commands for Flexible NetFlow: Cisco IOS Flexible NetFlow Command Reference
Standards
Standard: Title
There are no standards associated with this feature. —
MIBs
MIB: MIBs Link
None: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC: Title
There are no RFCs associated with this feature. —
Technical Assistance
Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/techsupport
Feature Information for Flexible NetFlow Top N Talkers
Table 2 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or Cisco IOS Releases 12.2(1) or 12.0(3)S or a later release appear in the table.
For information on a feature in this technology that is not documented here, see the “Cisco IOS Flexible NetFlow Features Roadmap”.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS, Catalyst OS, and Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 2 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 2 Feature Information for Flexible NetFlow
Feature Name: Flexible NetFlow - Top N Talkers Support
Releases: 12.4(22)T
Feature Usage Information: Helps you analyze the large amount of data Flexible NetFlow captures from the traffic in your network by providing the ability to filter, aggregate, and sort the data in the Flexible NetFlow cache as you display it.
Information about the Flexible NetFlow - Top N Talkers Support feature is included in the following sections:
• Prerequisites for Flexible NetFlow Top N Talkers
• Information About Flexible NetFlow Top N Talkers
• How to Analyze Network Traffic With Cisco IOS Flexible NetFlow Top N Talkers
• Examples for Flexible NetFlow Top N Talkers
The following commands were introduced or modified: show flow monitor cache aggregate, show flow monitor cache filter, show flow monitor cache sort.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0807R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.