Flexible Netflow Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

cache (Flexible NetFlow)

To configure the flow cache parameter for a Flexible NetFlow flow monitor, use the cache command in Flexible NetFlow flow monitor configuration mode. To remove a flow cache parameter for a Flexible NetFlow flow monitor, use the no form of this command.

cache { entries number | timeout { active seconds | inactive seconds | update seconds | event transaction-end } | type { immediate | normal | permanent } }

no cache { entries | timeout { active | inactive | update | event transaction-end } | type }

Cisco IOS XE Release 3.2SE

cache { timeout { active seconds | inactive seconds | update seconds } | type normal }

no cache { timeout { active | inactive | update } | type }

Syntax Description

entries number	Specifies the maximum number of entries in the flow monitor cache. Range: 16 to 1048576. Default: 4096.
timeout active seconds	Specifies the active flow timeout in seconds. Range: 1 to 604800 (7 days). Default: 1800.
timeout inactive seconds	Specifies the inactive flow timeout in seconds. Range: 1 to 604800 (7 days). Default: 15.
timeout update seconds	Specifies the update timeout, in seconds, for a permanent flow cache. Range: 1 to 604800 (7 days). Default: 1800.
timeout event transaction-end	Specifies that the record is generated and exported in the NetFlow cache at the end of a transaction.
type	Specifies the type of the flow cache.
immediate	Configures an immediate cache type. This cache type will age out every record as soon as it is created.
normal	Configures a normal cache type. The entries in the flow cache will be aged out according to the timeout active seconds and timeout inactive seconds settings. This is the default cache type.
permanent	Configures a permanent cache type. This cache type disables flow removal from the flow cache.

Command Default

The default Flexible NetFlow flow monitor flow cache parameters are used.

The following flow cache parameters for a Flexible NetFlow flow monitor are enabled:

Cache type: normal
Maximum number of entries in the flow monitor cache: 4096
Active flow timeout: 1800 seconds
Inactive flow timeout: 15 seconds
Update timeout for a permanent flow cache: 1800 seconds

Command Modes

Flexible NetFlow flow monitor configuration (config-flow-monitor)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command implemented on the Cisco 7200 series routers.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S	This command was integrated into Cisco IOS XE Release 3.1S.
Cisco IOS XE Release 3.4S	This command was modified. The event transaction-end keyword was added.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE with support for the timeout and type normal keywords only.

Usage Guidelines

Each flow monitor has a cache that it uses to store all the flows it monitors. Each cache has various configurable elements, such as the number of entries and the time that a flow is allowed to remain in it. When a flow times out, it is removed from the cache and sent to any exporters that are configured for the corresponding flow monitor.

If a cache is already active (that is, you have applied the flow monitor to at least one interface in the router), your changes to the record, cache type, and cache size parameters will not take effect until you either reboot the router or remove the flow monitor from every interface and then reapply it. Therefore whenever possible you should customize the record, cache type, and cache size parameters for the cache before you apply the flow monitor to an interface. You can modify the timers, flow exporters, and statistics parameters for a cache while the cache is active.

cache entries

This command controls the size of the cache. Cache size should be based on a number of factors, including the number of flows expected, the time the flows are expected to last (based on the configured key fields and the traffic), and the timeout values configured for the cache. The size should be large enough to minimize emergency expiry.

Emergency expiry is caused by the Flexible NetFlow cache becoming full. When the Flexible NetFlow cache becomes full, the router performs “emergency expiry” where a number of flows are immediately aged, expired from the Flexible NetFlow cache, and exported in order to free up space for more flows.

For a permanent cache (flows never expire), the number of entries should be large enough to accommodate the number of flows expected for the entire duration of the cache entries. If more flows occur than there are cache entries, the excess flows are not recorded in the cache.

For an immediate cache (flows expire immediately), the number of entries simply controls the amount of history that is available for previously seen packets.

cache timeout active

This command controls the aging behavior of the normal type of cache. If a flow has been active for a long time, it is usually desirable to age it out (starting a new flow for any subsequent packets in the flow). This age out process allows the monitoring application that is receiving the exports to remain up to date. By default this timeout is 1800 seconds (30 minutes), but it can be adjusted according to system requirements. A larger value ensures that long-lived flows are accounted for in a single flow record; a smaller value results in a shorter delay between starting a new long-lived flow and exporting some data for it.

cache timeout inactive

This command controls the aging behavior of the normal type of cache. If a flow has not seen any activity for a specified amount of time, that flow will be aged out. By default, this timeout is 15 seconds, but this value can be adjusted depending on the type of traffic expected.

If a large number of short-lived flows is consuming many cache entries, reducing the inactive timeout can reduce this overhead. If a large number of flows frequently get aged out before they have finished collecting their data, increasing this timeout can result in better flow correlation.

cache timeout update

This command controls the periodic updates sent by the permanent type of cache. This behavior is similar to the active timeout, except that it does not result in the removal of the cache entry from the cache. By default this timer value is 1800 seconds (30 minutes).

cache timeout event transaction-end

To use this command, you must configure the match connection transaction id command and the match application name command for the flow record. This command causes the record to be generated and exported in the NetFlow cache at the end of a transaction. A transaction is a set of logical exchanges between endpoints. There is normally one transaction within a flow.

cache type immediate

This command specifies the immediate cache type. This type of cache will age out every record as soon as it is created, with the result that every flow contains just one packet. The commands that display the cache contents will provide a history of the packets seen.

The use of this cache type is appropriate when very small flows are expected and a minimum amount of latency between analyzing a packet and exporting a report is desired. We recommend using this command when you are sampling packet chunks because the number of packets per flow is typically very low.

Caution

This command may result in a large amount of export data that can overload low speed links and overwhelm any systems to which you are exporting. We recommended that you configure sampling to reduce the number of packets seen.

Note

The timeout settings have no effect for the immediate cache type.

cache type normal

This command specifies the normal cache type. This is the default cache type. The entries in the cache will be aged out according to the timeout active seconds and timeout inactive seconds settings. When a cache entry is aged out, it is removed from the cache and exported via any exporters configured for the monitor associated with the cache.

cache type permanent

This command specifies the permanent cache type. This type of cache never ages out any flows. This cache type is useful when the number of flows you expect to see has a limit and there is a need to keep long-term statistics on the router. For example, if the only key field is IP TOS, a limit of 256 flows can be seen, so to monitor the long-term usage of the IP TOS field, a permanent cache can be used. Update messages are exported via any exporters configured for the monitor associated with this cache in accordance with the timeout update seconds setting.

Note

When a cache becomes full, new flows will not be monitored. If this occurs, a “Flows not added” statistic will appear in the cache statistics.

Note

A permanent cache uses update counters rather than delta counters. This means that when a flow is exported, the counters represent the totals seen for the full lifetime of the flow and not the additional packets and bytes seen since the last export was sent.

Examples

The following example shows how to configure the number of entries for the flow monitor cache:

Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)# cache entries 16

The following example shows how to configure the active timeout for the flow monitor cache:

Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)# cache timeout active 4800

The following example shows how to configure the inactive timer for the flow monitor cache:

Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)# cache timeout inactive 3000

The following example shows how to configure the permanent cache update timeout:

Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)# cache timeout update 5000

The following example shows how to configure a normal cache:

Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)# cache type normal

The following example shows how to configure a permanent cache:

Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)# cache type permanent

The following example shows how to configure an immediate cache:

Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)# cache type immediate

Related Commands

Command	Description
flow monitor	Creates a flow monitor, and enters Flexible NetFlow flow monitor configuration mode.

clear flow exporter

To clear the statistics for a Flexible NetFlow flow exporter, use the clear flow exporter command in privileged EXEC mode.

clear flow exporter { name exporter-name statistics | statistics }

Syntax Description

name	Specifies the name of a flow exporter.
exporter-name	Name of a flow exporter that was previously configured.
statistics	Clears the flow exporter statistics.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY	This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE.

Examples

The following example clears the statistics for all of the flow exporters configured on the router:

Router# clear flow exporter statistics

The following example clears the statistics for the flow exporter named FLOW-EXPORTER-1:

Router# clear flow exporter name FLOW-EXPORTER-1 statistics

Related Commands

Command	Description
debug flow exporter	Enables debugging output for flow exporters.

clear flow monitor

To clear a Flexible NetFlow flow monitor, flow monitor cache, or flow monitor statistics and to force the export of the data in the flow monitor cache, use the clear flow monitor command in privileged EXEC mode.

clear flow monitor name monitor-name [ cache [force-export] | force-export | statistics ]

Syntax Description

name	Specifies the name of a flow monitor.
monitor-name	Name of a flow monitor that was previously configured.
cache	(Optional) Clears the flow monitor cache information.
force-export	(Optional) Forces the export of the flow monitor cache statistics.
statistics	(Optional) Clears the flow monitor statistics.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY	This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

cache

This keyword removes all entries from the flow monitor cache. These entries will not be exported and the data gathered in the cache will be lost.

Note

The statistics for the cleared cache entries are maintained.

force-export

This keyword removes all entries from the flow monitor cache and exports them via all flow exporters assigned to the flow monitor. This action can result in a short-term increase in CPU usage. Use with caution.

Note

The statistics for the cleared cache entries are maintained.

statistics

This keyword clears the statistics for this flow monitor.

Note

The “Current entries” statistic will not be cleared because this is an indicator of how many entries are in the cache and the cache is not cleared with this command.

Examples

The following example clears the statistics and cache entries for the flow monitor named FLOW-MONITOR-1:

Router# clear flow monitor name FLOW-MONITOR-1

The following example clears the statistics and cache entries for the flow monitor named FLOW-MONITOR-1 and forces an export:

Router# clear flow monitor name FLOW-MONITOR-1 force-export

The following example clears the cache for the flow monitor named FLOW-MONITOR-1 and forces an export:

Router# clear flow monitor name FLOW-MONITOR-1 cache force-export

The following example clears the statistics for the flow monitor named FLOW-MONITOR-1:

Router# clear flow monitor name FLOW-MONITOR-1 statistics

Related Commands

Command	Description
debug flow monitor	Enables debugging output for flow monitors.

clear sampler

To clear the statistics for a Flexible NetFlow flow sampler, use the clear sampler command in privileged EXEC mode.

clear sampler [name] [sampler-name]

Syntax Description

name	(Optional) Specifies the name of a flow sampler.
sampler-name	(Optional) Name of a flow sampler that was previously configured.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY	This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE.

Examples

The following example clears the sampler statistics for all flow samplers configured on the router:

Router# clear sampler

The following example clears the sampler statistics for the flow sampler named SAMPLER-1:

Router# clear sampler name SAMPLER-1

Related Commands

Command	Description
debug sampler	Enables debugging output for flow samplers.

collect counter

To configure the number of bytes or packets in a flow as a nonkey field for a flow record, use the collect counter command in Flexible NetFLow flow record configuration mode. To disable the use of the number of bytes or packets in a flow (counters) as a nonkey field for a flow record, use the no form of this command.

collect counter { bytes [ long | replicated [long] | squared long ] | packets [ long | replicated [long] ] }

no collect counter { bytes [ long | replicated [long] | squared long ] | packets [ long | replicated [long] ] }

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

collect counter { bytes [ long | rate ] | packets [ dropped [long] | long ] }

no collect counter { bytes [ long | rate ] | packets [ dropped [long] | long ] }

Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY

collect counter { bytes [long] | packets [long] }

no collect counter { bytes [long] | packets [long] }

Cisco IOS XE Release 3.2SE

no collect counter { bytes { layer2 long | long } | packets long }

Syntax Description

bytes	Configures the number of bytes seen in a flow as a nonkey field and enables collecting the total number of bytes from the flow.
layer 2 long	Enables collecting the total number of Layer 2 bytes or packets from the flow using a 64-bit counter rather than a 32-bit counter. For Cisco IOS XE Release 3.2SE, use the layer 2 long keywords rather than the long keyword.
long	(Optional) Enables collecting the total number of bytes or packets from the flow using a 64-bit counter rather than a 32-bit counter. For Cisco IOS XE Release 3.2SE, use the layer 2 long keywords rather than the long keyword.
replicated	Total number of replicated (multicast) IPv4 packets.
squared long	(Optional) Enables collecting the total of the square of the number of bytes from the flow.
packets	Configures the number of packets seen in a flow as a nonkey field and enables collecting the total number of packets from the flow.
rate	Configures the byte rate counter as a nonkey field.
dropped	Configures the dropped packet counter as a nonkey field.

Command Default

The number of bytes or packets in a flow is not configured as a nonkey field.

Command Modes

Flexible NetFLow flow record configuration (config-flow-record)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this Cisco was implemented on the 12000 series routers.
12.2(33)SRC	This command was modified. Support for this Cisco was implemented on the Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.4(22)T	This command was modified. The replicated keyword was added.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T	This command was modified for the Cisco Performance Monitor. Thereplicated and squared long keywords were removed and the rate and dropped keywords were added.
12.2(58)SE	This command was modified for the Cisco Performance Monitor. Thereplicated and squared long keywords were removed and the rate and dropped keywords were added.
12.2(50)SY	This command was modified. The replicated and squared long keywords were removed.
Cisco IOS XE Release 3.2SE	This command was modified. The layer 2 long keyword combination was added. The replicated and squared long keywords were removed.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode. For Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode. Here we refer to them both as flow record configuration mode.

The Flexible NetFlow and Performance Monitor collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

The rate and dropped keywords were added and the replicated and squared long keywords were removed. You must first enter theflow record type performance-monitor command.

collect counter bytes

This command configures a 32-bit counter for the number of bytes seen in a flow.

collect counter packets

This command configures a 32-bit counter that is incremented for each packet seen in the flow. For extremely long flows it is possible for this counter to restart at 0 (wrap) when it reaches the limit of approximately 4 billion packets. On detection of a situation that would cause this counter to restart at 0, a flow monitor with a normal cache type exports the flow and starts a new flow.

collect counter packets long

This command configures a 64-bit counter that will be incremented for each packet seen in the flow. It is unlikely that a 64-bit counter will ever restart at 0.

collect counter bytes squared long

This counter can be used in conjunction with the byte and packet counters in order to calculate the variance of the packet sizes. Its value is derived from squaring each of the packet sizes in the flow and adding the results. This value can be used as part of a standard variance function.

The variance and standard deviation of the packet sizes for the flow can be calculated with the following formulas:

cbs: value from the counter bytes squared field

pkts: value from the counter packets field

bytes: value from the counter bytes field

Variance = (cbs/pkts) - (bytes/pkts)2

Standard deviation = square root of Variance

Example 1:

Packet sizes of the flow: 100, 100, 100, 100

Counter packets: 4

Counter bytes: 400, mean packet size = 100

Counter bytes squared: 40,000

Variance = (40,000/4) - (400/4)2 = 0

Standard Deviation = 0

Size = 100 +/- 0

Example 2:

Packet sizes of the flow: 50, 150, 50, 150

Counter packets: 4

Counter bytes: 400, mean packet size = 100

Counter bytes squared: 50,000

Variance = (50,000/4) - (400/4)2 = 2500

Standard deviation = 50

Size = 100 +/- 50

Examples

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

The following example configures the total number of bytes in the flows as a nonkey field:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect counter bytes

The following example configures the total number of bytes in the flows as a nonkey field using a 64-bit counter:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect counter bytes long

The following example configures the sum of the number of bytes of each packet in the flow squared as a nonkey field:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect counter bytes squared long

The following example configures the total number of packets from the flows as a nonkey field:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect counter packets

The following example configures the total number of packets from the flows as a nonkey field using a 64-bit counter:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect counter packets long

The following example configures the total number of packets from the flows as a nonkey field using a 64-bit counter:

Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect counter packets long

Related Commands

Command	Description
flow record	Creates a flow record for Flexible NetFlow.
flow record type performance-monitor	Creates a flow record for Performance Monitor.

collect interface

To configure the input and output interface as a nonkey field for a flow record, use the collect interface command in flow record configuration mode. To disable the use of the input and output interface as a nonkey field for a flow record, use the no form of this command.

collect interface { input | output }

no collect interface { input | output }

Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY

collect interface { input [physical] | output } [snmp]

no collect interface { input [physical] | output } [snmp]

Syntax Description

input	Configures the input interface as a nonkey field and enables collecting the input interface from the flows.
output	Configures the output interface as a nonkey field and enables collecting the output interface from the flows.

Command Default

The input and output interface is not configured as a nonkey field.

Command Modes

flow record configuration (config-flow-record)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was integrated into Cisco IOS Release 12.2(33)SRC and implemented on the Cisco 7200 series routers.
12.2(33)SRE	This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T	This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor.
12.2(58)SE	This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.
12.2(50)SY	This command was modified. The physical and snmpkeywords were added in Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode. For Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode. Here we refer to them both as flow record configuration mode.

The Flexible NetFlow and Performance Monitor collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

You must first enter theflowrecordtypeperformance-monitor command.

Examples

The following example configures the input interface as a nonkey field:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect interface inpu

The following example configures the output interface as a nonkey field:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect interface output

Examples

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

The following example configures the input interface as a nonkey field:

Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect interface input

Related Commands

Command	Description
flow record	Creates a flow record for Flexible NetFlow.
flow record type performance-monitor	Creates a flow record for Performance Monitor.

collect timestamp absolute

To configure the absolute time of the first seen or last seen packet in a flow as a nonkey field for a flow record, use the collect timestamp absolute command in Flexible NetFlow flow record configuration mode. To disable the use of the first seen or last seen packet in a flow as a nonkey field for a flow record, use the no form of this command.

collect timestamp absolute { first | last }

no collect timestamp absolute { first | last }

Syntax Description

first	Configures the absolute time that the first packet was seen from the flows as a nonkey field and enables collecting time stamps based on the system uptime for the time the first packet was seen from the flows.
last	Configures the absolute time that the last packet was seen from the flows as a nonkey field and enables collecting time stamps based on the system uptime for the time the most recent packet was seen from the flows.

Command Default

The absolute time field is not configured as a nonkey field.

Command Modes

Flexible NetFlow flow record configuration (config-flow-record)

Command History

Release	Modification
Cisco IOS XE Release 3.2SE	This command was introduced.

Usage Guidelines

The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.

Examples

Example

The following example configures time stamps for the absolute time that the first packet was seen from the flows as a nonkey field:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect timestamp absolute first

The following example configures the time stamps for the absolute time that the most recent packet was seen from the flows as a nonkey field:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect timestamp absolute last

Related Commands

Command	Description
flow record	Creates a flow record, and enters Flexible NetFlow flow record configuration mode.

collect transport tcp

To configure one or more of the TCP fields as a nonkey field for a flow record, use the collect transport tcp command in flow record configuration mode. To disable the use of one or more of the TCP fields as a nonkey field for a flow record, use the no form of this command.

collect transport tcp { acknowledgement-number | destination-port | flags [ ack | cwr | ece | fin | psh | rst | syn | urg ] | header-length | maximum-segment-size | sequence-number | source-port | urgent-pointer | window-size | window-size-average | window-size-maximum | window-size-minimum }

no collect transport tcp { acknowledgement-number | destination-port | flags [ ack | cwr | ece | fin | psh | rst | syn | urg ] | header-length | maximum-segment-size | sequence-number | source-port | urgent-pointer | window-size | window-size-average | window-size-maximum | window-size-minimum }

Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY

collect transport tcp flags [ ack | cwr | ece | fin | psh | rst | syn | urg ]

no collect transport tcp flags [ ack | cwr | ece | fin | psh | rst | syn | urg ]

Cisco IOS XE Release 3.2SE

collect transport tcp flags [ ack | cwr | ece | fin | psh | rst | syn | urg ]

no collect transport tcp flags [ ack | cwr | ece | fin | psh | rst | syn | urg ]

Syntax Description

acknowledgement- number	Configures the TCP acknowledgement number as a nonkey field and enables collecting the value of the TCP acknowledgment number from the flow.
destination-port	Configures the TCP destination port as a nonkey field and enables collecting the value of the TCP destination port from the flow.
flags	Configures one or more of the TCP flags as a nonkey field and enables collecting the values from the flow.
ack	(Optional) Configures the TCP acknowledgment flag as a nonkey field.
cwr	(Optional) Configures the TCP congestion window reduced flag as a nonkey field.
ece	(Optional) Configures the TCP Explicit Congestion Notification echo (ECE) flag as a nonkey field.
fin	(Optional) Configures the TCP finish flag as a nonkey field.
psh	(Optional) Configures the TCP push flag as a nonkey field.
rst	(Optional) Configures the TCP reset flag as a nonkey field.
syn	(Optional) Configures the TCP synchronize flag as a nonkey field.
urg	(Optional) Configures the TCP urgent flag as a nonkey field.
header-length	Configures the TCP header length (in 32-bit words) as a nonkey field and enables collecting the value of the TCP header length from the flow.
maximum-segment-size	Configures the maximum segment size as a nonkey field and enables collecting the values from the flow.
sequence-number	Configures the TCP sequence number as a nonkey field and enables collecting the value of the TCP sequence number from the flow.
source-port	Configures the TCP source port as a nonkey field and enables collecting the value of the TCP source port from the flow.
urgent-pointer	Configures the TCP urgent pointer as a nonkey field and enables collecting the value of the TCP urgent pointer from the flow.
window-size	Configures the TCP window size as a nonkey field and enables collecting the value of the TCP window size from the flow.
window-size-average	Configures the average window size as a nonkey field and enables collecting the values from the flow.
window-size-maximum	Configures the maximum window size as a nonkey field and enables collecting the values from the flow.
window-size-minimum	Configures the minimum window size as a nonkey field and enables collecting the values from the flow.

Command Default

The TCP fields are not configured as a nonkey field.

Command Modes

Flow record configuration (config-flow-record)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE	This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY	This command was integrated into Cisco IOS Release 12.2(50)SY without the support of the acknowledgement-number, destination-port, header-length, sequence-number,source-port, urgent-pointer,and window-size keywords.
15.2(2)T	This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S	This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Cisco IOS XE Release 3.6S	This command was modified. The maximum-segment-size, window-size-average, window-size-maximum, and window-size-minimum keywords were added into Cisco IOS XE Release 3.6S for Cisco Performance Monitor.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE without the support for the acknowledgement-number, destination-port, header-length, sequence-number,source-port, urgent-pointer,and window-size keywords.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.

Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.

The collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.

collect transport tcp flags ece

For more information about ECN echo, refer to RFC 3168 The Addition of Explicit Congestion Notification (ECN) to IP , at the following URL: http://www.ietf.org/rfc/rfc3168.txt .

Examples

The following example configures the TCP acknowledgment number as a nonkey field:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport tcp acknowledgement-number

The following example configures the TCP source port as a nonkey field:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport tcp source-port

The following example configures the TCP acknowledgment flag as a nonkey field:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport tcp flags ack

The following example configures the TCP finish flag as a nonkey field:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport tcp flags fin

The following example configures the TCP reset flag as a nonkey field:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport tcp flags rst

Examples

Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S

The following example configures the TCP reset flag as a nonkey field:

Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect transport tcp flags rst

Related Commands

Command	Description
flow record	Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flow record type performance-monitor	Creates a flow record, and enters Performance Monitor flow record configuration mode.

debug flow exporter

To enable debugging output for Flexible NetFlow flow exporters, use the debug flow exporter command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug flow exporter [ [name] exporter-name ] [error] [event] [ packets number ]

no debug flow exporter [ [name] exporter-name ] [error] [event] [ packets number ]

Syntax Description

name	(Optional) Specifies the name of a flow exporter.
exporter-name	(Optional) The name of a flow exporter that was previously configured.
error	(Optional) Enables debugging for flow exporter errors.
event	(Optional) Enables debugging for flow exporter events.
packets	(Optional) Enables packet-level debugging for flow exporters.
number	(Optional) The number of packets to debug for packet-level debugging of flow exporters. Range: 1 to 65535.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY	This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE.

Examples

The following example indicates that a flow exporter packet has been queued for process send:

Router# debug flow exporter
May 21 21:29:12.603: FLOW EXP: Packet queued for process send

Related Commands

Command	Description
clear flow exporter	Clears the Flexible NetFlow statistics for exporters.

debug flow monitor

To enable debugging output for Flexible NetFlow flow monitors, use the debug flow monitor command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug flow monitor [error] [ [name] monitor-name [cache] [error] [ packets packets ] ]

no debug flow monitor [error] [ [name] monitor-name [cache] [error] [ packets packets ] ]

Syntax Description

error	(Optional) Enables debugging for flow monitor errors.
name	(Optional) Specifies the name of a flow monitor.
monitor-name	(Optional) The name of a flow monitor that was previously configured.
cache	(Optional) Enables debugging for the flow monitor cache.
packets	(Optional) Enables packet-level debugging for flow monitors.
packets	(Optional) The number of packets to debug for packet-level debugging of flow monitors. Range: 1 to 65535.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY	This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE.

Examples

The following example shows that the cache for FLOW-MONITOR-1 was deleted:

Router# debug flow monitor FLOW-MONITOR-1 cache
May 21 21:53:02.839: FLOW MON:  'FLOW-MONITOR-1' deleted cache

Related Commands

Command	Description
clear flow monitor	Clears the Flexible NetFlow flow monitor.

debug flow record

To enable debugging output for Flexible NetFlow flow records, use the debug flow record command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug flow record [ [name] record-name | netflow-original | netflow { ipv4 | ipv6 } record [peer] | netflow-v5 | options { exporter-statistics | interface-table | sampler-table | vrf-id-name-table } ]

no debug flow record [ [name] record-name | netflow-original | netflow { ipv4 | ipv6 } record [peer] | netflow-v5 | options { exporter-statistics | interface-table | sampler-table | vrf-id-name-table } ]

Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY

debug flow record [ [name] record-name | netflow-v5 | options { exporter-statistics | interface-table | sampler-table | vrf-id-name-table } | platform-original { ipv4 | ipv6 } record [ detailed | error ] ]

no debug flow record [ [name] record-name | netflow-v5 | options { exporter-statistics | interface-table | sampler-table | vrf-id-name-table } | platform-original { ipv4 | ipv6 } record [ detailed | error ] ]

Cisco IOS XE Release 3.2SE

debug flow record [ [name] record-name | netflow { ipv4 | ipv6 } record [peer] | netflow-v5 | options sampler-table ]

no debug flow record [ [name] record-name | netflow { ipv4 | ipv6 } record [peer] | netflow-v5 | options sampler-table ]

Syntax Description

name

(Optional) Specifies the name of a flow record.

record-name

(Optional) Name of a user-defined flow record that was previously configured.

netflow-original

(Optional) Specifies the traditional IPv4 input NetFlow with origin autonomous systems.

netflow {ipv4 | ipv6} record

(Optional) Specifies the name of the NetFlow predefined record. See the table below.

peer

(Optional) Includes peer information for the NetFlow predefined records that support the peer keyword.

Note

The peer keyword is not supported for every type of NetFlow predefined record. See the table below.

options

(Optional) Includes information on other flow record options.

exporter-statistics

(Optional) Includes information on the flow exporter statistics.

interface-table

(Optional) Includes information on the interface tables.

sampler-table

(Optional) Includes information on the sampler tables.

vrf-id-name-table

(Optional) Includes information on the virtual routing and forwarding (VRF) ID-to-name tables.

platform-original ipv4 record

Configures the flow monitor to use one of the predefined IPv4 records.

platform-original ipv6 record

Configures the flow monitor to use one of the predefined IPv6 records.

detailed

(Optional) Displays detailed information.

error

(Optional) Displays errors only.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.4(20)T	This command was modified. The ipv6 keyword was added in Cisco IOS Release 12.4(20)T.
15.0(1)M	This command was modified. The vrf-id-name-table keyword was added.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY	This command was integrated into Cisco IOS Release 12.2(50)SY without support for the netflow-original, netflow, ipv4, netflow, ipv6 and peer keywords. The platform-original ipv4 and platform-originalipv6 keywords were added.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE without the support for the netflow-original, options exporter-statistics, options interface-table and option vrf-id-name-table keywords.

Usage Guidelines

The table below describes the keywords and descriptions for the record argument.

Table 1 Keywords and Descriptions for the record Argument

Keyword

Description

IPv4 Support

IPv6 Support

as

Autonomous system record.

Yes

as-tos

Autonomous system and type of service (ToS) record.

Yes

—

bgp-nexthop-tos

BGP next-hop and ToS record.

Yes

—

bgp-nexthop

BGP next-hop record.

—

Yes

destination

Original 12.2(50)SY platform IPv4/IPv6 destination record.

Yes

destination-prefix

Destination prefix record.

Note

For IPv6, a minimum prefix mask length of 0 bits is assumed.

Yes

destination-prefix-tos

Destination prefix and ToS record.

Yes

—

destination-source

Original 12.2(50)SY platform IPv4/IPv6 destination-source record.

Yes

full

Original 12.2(50)SY platform IPv4/IPv6 full record.

Yes

interface-destination

Original 12.2(50)SY platform IPv4/IPv6 interface-destination record.

Yes

interface-destination- source

Original 12.2(50)SY platform IPv4/IPv6 interface-destination-source record.

Yes

interface-full

Original 12.2(50)SY platform IPv4/IPv6 interface-full record.

Yes

interface-source

Original 12.2(50)SY platform IPv4/IPv6 interface-source only record.

Yes

original-input

Traditional IPv4 input NetFlow.

Yes

original-output

Traditional IPv4 output NetFlow.

Yes

prefix

Source and destination prefixes record.

Note

For IPv6, a minimum prefix mask length of 0 bits is assumed.

Yes

prefix-port

Prefix port record.

Note

The peer keyword is not available for this record.

Yes

—

prefix-tos

Prefix ToS record.

Yes

—

protocol-port

Protocol ports record.

Note

The peer keyword is not available for this record.

Yes

protocol-port-tos

Protocol port and ToS record.

Note

The peer keyword is not available for this record.

Yes

—

source

Original 12.2(50)SY platform IPv4/IPv6 source only record.

Yes

source-prefix

Source autonomous system and prefix record.

Note

For IPv6, a minimum prefix mask length of 0 bits is assumed.

Yes

source-prefix-tos

Source prefix and ToS record.

Yes

—

Examples

The following example enables debugging for the flow record:

Router# debug flow record FLOW-record-1

Related Commands

Command	Description
flow record	Create a Flexible NetFlow flow record.

debug sampler

To enable debugging output for Flexible NetFlow samplers, use the debug sampler command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug sampler [ detailed | error | [name] sampler-name [ detailed | error | sampling samples ] ]

no debug sampler [ detailed | error | [name] sampler-name [ detailed | error | sampling ] ]

Syntax Description

detailed	(Optional) Enables detailed debugging for sampler elements.
error	(Optional) Enables debugging for sampler errors.
name	(Optional) Specifies the name of a sampler.
sampler-name	(Optional) Name of a sampler that was previously configured.
sampling samples	(Optional) Enables debugging for sampling and specifies the number of samples to debug.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY	This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE.

Examples

The following sample output shows that the debug process has obtained the ID for the sampler named SAMPLER-1:

Router# debug sampler detailed
*Oct 28 04:14:30.883: Sampler: Sampler(SAMPLER-1: flow monitor FLOW-MONITOR-1 (ip,Et1/0,O) get ID succeeded:1
*Oct 28 04:14:30.971: Sampler: Sampler(SAMPLER-1: flow monitor FLOW-MONITOR-1 (ip,Et0/0,I) get ID succeeded:1

Related Commands

Command	Description
clear sampler	Clears the Flexible NetFlow sampler statistics.

default (Flexible NetFlow)

To configure the default values for a Flexible NetFlow (FNF) flow exporter, use the default command in Flexible NetFlow flow exporter configuration mode.

default { description | destination | dscp | export-protocol | option { application-table | exporter-stats | interface-table | sampler-table | vrf-table } | output-features | source | template data timeout | transport | ttl }

Cisco IOS XE Release 3.2SE

default { description | destination | dscp | export-protocol | option { exporter-stats | interface-table | sampler-table } | source | template data timeout | transport | ttl }

Syntax Description

description	Provides a description for the flow exporter.
destination	Configures the export destination.
dscp	Configures optional Differentiated Services Code Point (DSCP) values.
export-protocol	Configures the export protocol version.
option	Selects the option for exporting.
application-table	Selects the application table option.
exporter-stats	Selects the exporter statistics option.
interface-table	Selects the interface SNMP-index-to-name table option.
sampler-table	Selects the export sampler option.
vrf-table	Selects the VRF ID-to-name table option.
output-features	Sends export packets via the Cisco IOS output feature path.
source	Configures the originating interface.
template	Configures the flow exporter template.
data	Configure the flow exporter data.
timeout	Resends data based on a timeout.
transport	Configures the transport protocol.
ttl	Configures optional time-to-live (TTL) or hop limit.

Command Modes

Flexible NetFlow flow exporter configuration (config-flow-exporter)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE without the support for the option application-table , option vrf-table, and output-features keywords.

Usage Guidelines

Use the default command to configure the default values for an FNF flow exporter. The flow exporter information is needed to export the data metrics to a specified destination, port number, and so on.

Examples

The following example shows how to set the default destination for an FNF flow exporter:

Router(config)# flow exporter e1
Router(config-flow-exporter)# default destination

Related Commands

Command	Description
flow exporter	Creates a flow exporter.

description (Flexible NetFlow)

To configure a description for a Flexible NetFlow flow sampler, flow monitor, flow exporter, or flow record, use the description command in the appropriate configuration mode. To remove a description, use the no form of this command.

description description

no description

Syntax Description

description

Text string that describes the flow sampler, flow monitor, flow exporter, or flow record.

Command Default

The default description for a Flexible NetFlow flow sampler, flow monitor, flow exporter, or flow record is “User defined”.

Command Modes

Flexible NetFlow flow exporter configuration (config-flow-exporter)
Flexible NetFlow flow monitor configuration (config-flow-monitor)
Flexible NetFlow flow record configuration (config-flow-record)
Flexible NetFlow sampler configuration (config-sampler)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE 3.1S	This command was integrated into Cisco IOS XE Release 3.1S.
12.2(50)SY	This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE.

Examples

The following example configures a description for a flow monitor:

Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)# description Monitors traffic to 172.16.100.0 255.255.255.0

Related Commands

Command	Description
flow exporter	Creates a flow exporter.
flow monitor	Creates a flow monitor.
flow record	Creates a flow record.
sampler	Creates a flow sampler.

destination

To configure an export destination for a Flexible NetFlow flow exporter, use the destination command in Flexible NetFlow flow exporter configuration mode. To remove an export destination for a Flexible NetFlow flow exporter, use the no form of this command.

destination { { ip-address | hostname } | vrf vrf-name }

no destination

Syntax Description

ip-address	IP address of the workstation to which you want to send the NetFlow information.
hostname	Hostname of the device to which you want to send the NetFlow information.
vrf vrf-name	Specifies that the export data packets are to be sent to the named Virtual Private Network (VPN) routing and forwarding (VRF) instance for routing to the destination, instead of to the global routing table.

Command Default

An export destination is not configured.

Command Modes

Flexible NetFlow flow exporter configuration (config-flow-exporter)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S	This command was integrated into Cisco IOS XE Release 3.1S.
15.1(3)T	This command was modified. Support for the Cisco Performance Monitor was added.
12.2(58)SE	This command was modified. Support for the Cisco Performance Monitor was added.
12.2(50)SY	This command was integrated into Cisco IOS Release 12.2(50)SY.
15.2(2)T	This command was integrated into Cisco IOS Release 15.2(2)T and added support for exporting data to a destination using an IPv6 address.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

Each flow exporter can have only one destination address or hostname.

For some releases, you can export data to a destination using an IPv6 address.

When you configure a hostname instead of the IP address for the device, the hostname is resolved immediately and the IP address is stored in the running configuration. If the hostname-to-IP-address mapping that was used for the original domain name system (DNS) name resolution changes dynamically on the DNS server, the router does not detect this, and the exported data continues to be sent to the original IP address, resulting in a loss of data. Resolving the hostname immediately is a prerequisite of the export protocol, to ensure that the templates and options arrive before the data

Examples

The following example shows how to configure the networking device to export the Flexible NetFlow cache entry to a destination system:

Router(config)# flow exporter FLOW-EXPORTER-1
Router(config-flow-exporter)# destination 10.0.0.4

The following example shows how to configure the networking device to export the Flexible NetFlow cache entry to a destination system using a VRF named VRF-1:

Router(config)# flow exporter FLOW-EXPORTER-1
Router(config-flow-exporter)# destination 172.16.10.2 vrf VRF-1

Related Commands

Command	Description
flow exporter	Creates a flow exporter.

dscp (Flexible NetFlow)

To configure a differentiated services code point (DSCP) value for Flexible NetFlow flow exporter datagrams, use the dscp command in Flexible NetFlow flow exporter configuration mode. To remove a DSCP value for Flexible NetFlow flow exporter datagrams, use the no form of this command.

dscp dscp

no dscp

Syntax Description

dscp	The DSCP to be used in the DSCP field in exported datagrams. Range: 0 to 63. Default: 0.

Command Default

The differentiated services code point (DSCP) value is 0.

Command Modes

Flexible NetFlow flow exporter configuration (config-flow-exporter)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T	This command was modified. Support for the Cisco Performance Monitor was added.
12.2(58)SE	This command was modified. Support for the Cisco Performance Monitor was added.
12.2(50)SY	This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE.

Examples

The following example sets 22as the value of the DSCP field in exported datagrams:

Router(config)# flow exporter FLOW-EXPORTER-1
Router(config-flow-exporter)# dscp 22

Related Commands

Command	Description
flow exporter	Creates a flow exporter.

exporter

To configure a flow exporter for a flow monitor, use the exporter command in the appropriate configuration mode. To remove a flow exporter for a flow monitor, use the no form of this command.

exporter exporter-name

no exporter exporter-name

Syntax Description

exporter-name

Name of a flow exporter that was previously configured.

Command Default

An exporter is not configured.

Command Modes

Flow monitor configuration (config-flow-monitor)
Policy configuration (config-pmap-c)
Policy monitor configuration (config-pmap-c-flowmon)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S	This command was integrated into Cisco IOS XE Release 3.1S.
15.1(3)T	This command was modified. Support for the Cisco Performance Monitor was added. Support was added for policy configuration mode and policy monitor configuration configuration mode.
12.2(58)SE	This command was modified. Support for the Cisco Performance Monitor was added.
12.2(50)SY	This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

You must have already created a flow exporter by using the flow exporter command before you can apply the flow exporter to a flow monitor with the exporter command.

For Performance Monitor, you can associate a flow exporter with a flow monitor while configuring either a flow monitor, policy map, or service policy.

Examples

The following example configures an exporter for a flow monitor:

Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)# exporter EXPORTER-1

The following example shows one of the ways to configure a flow exporter for Performance Monitor:

Router(config)# policy-map type performance-monitor policy-4
Router(config-pmap)# class class-4
Router(config-pmap-c)# flow monitor monitor-4
Router(config-pmap-c-flowmon)# exporter exporter-4

Related Commands

Command	Description
flow exporter	Creates a flow exporter.
flow monitor	Creates a flow monitor.
flow monitor type performance-monitor	Creates a flow monitor for Performance Monitor.
policy-map type performance-monitor	Creates a policy map for Performance Monitor
service-policy type performance-monitor	Associates policy map with an interface for Performance Monitor.

export-protocol

To configure the export protocol for a Flexible NetFlow exporter, use the export-protocol command in Flexible NetFlow flow exporter configuration mode. To restore the use of the default export protocol for a Flexible NetFlow exporter, use the no form of this command.

export-protocol { netflow-v5 | netflow-v9 | ipfix }

no export-protocol

Cisco IOS XE Release 3.2SE

export-protocol netflow-v9

no export-protocol

Syntax Description

netflow-v5	Configures Netflow Version 5 export as the export protocol.
netflow-v9	Configures Netflow Version 9 export as the export protocol.
ipfix	Configures IPFIX as the export protocol. The export of extracted fields from NBAR is supported only over IPFIX.

Command Default

Netflow Version 9 export is used as the export protocol for a Flexible NetFlow exporter.

Command Modes

Flexible NetFlow flow exporter configuration (config-flow-exporter)

Command History

Release	Modification
12.4(22)T	This command was introduced.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S	This command was integrated into Cisco IOS XE Release 3.1S.
15.1(3)T	This command was modified. Support for the Cisco Performance Monitor was added.
12.2(58)SE	This command was modified. Support for the Cisco Performance Monitor was added.
15.2(4)M	This command was modified. The ipfix keyword was added in Cisco IOS Release 15.2(4)M.
Cisco IOS XE Release 3.8S	This command was integrated into Cisco IOS XE Release 3.8S.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE without the support for the netflow-v5 and ipfix keywords.

Usage Guidelines

The NetFlow Version 5 export protocol is supported only for flow monitors that use the Flexible NetFlow predefined records.

The export of extracted fields from NBAR is supported only over IPFIX.

Examples

The following example configures Netflow Version 5 export as the export protocol for a Flexible NetFlow exporter:

Router(config)# flow exporter FLOW-EXPORTER-1
Router(config-flow-exporter)# export-protocol netflow-v5

Related Commands

Command	Description
flow exporter	Creates a flow exporter

flow exporter

To create a Flexible NetFlow flow exporter, or to modify an existing Flexible NetFlow flow exporter, and enter Flexible NetFlow flow exporter configuration mode, use the flow exporter command in global configuration mode. To remove a Flexible NetFlow flow exporter, use the no form of this command.

flow exporter exporter-name

no flow exporter exporter-name

Syntax Description

exporter-name

Name of the flow exporter that is being created or modified.

Command Default

Flexible NetFlow flow exporters are not present in the configuration.

Command Modes

Global configuration (config)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE 3.1S	This command was integrated into Cisco IOS XE Release 3.1S.
15.1(2)S	This command was modified. A hash collision between the name supplied and any existing name is now possible. If this happens, you can retry, supplying another name
12.2(50)SY	This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

Flow exporters export the data in the flow monitor cache to a remote system, such as a server running Flexible NetFlow collector, for analysis and storage. Flow exporters are created as separate entities in the configuration. Flow exporters are assigned to flow monitors to provide data export capability for the flow monitors. You can create several flow exporters and assign them to one or more flow monitors to provide several export destinations. You can create one flow exporter and apply it to several flow monitors.

In Cisco IOS Release 15.1(2)S and later releases, a hash collision between the name supplied and any existing name is possible. If this happens, you can retry, supplying another name.

Examples

The following example creates a flow exporter named FLOW-EXPORTER-1 and enters Flexible NetFlow flow exporter configuration mode:

Router(config)# flow exporter FLOW-EXPORTER-1
Router(config-flow-exporter)#

The following example shows the output when there is a hash collision between the name supplied and any existing name:

Router(config-flow-exporter)# flow exporter FLOW-EXPORTER-1
% Flow Exporter: Failure creating Flow Exporter 'FLOW-EXPORTER-1' (Hash value in use).

Related Commands

Command	Description
clear flow exporter	Clears the statistics for flow exporters.
debug flow exporter	Enables debugging output for flow exporters.

flow monitor

To create a Flexible NetFlow flow monitor, or to modify an existing Flexible NetFlow flow monitor, and enter Flexible NetFlow flow monitor configuration mode, use the flow monitor command in global configuration mode or in QoS policy-map-class configuration mode. To remove a Flexible NetFlow flow monitor, use the no form of this command.

flow monitor monitor-name

no flow monitor monitor-name

Syntax Description

monitor-name

Name of the flow monitor that is being created or modified.

Command Default

Flexible NetFlow flow monitors are not present in the configuration.

Command Modes

Global configuration (config)

QoS policy-map-class configuration (config-pmap-c)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S	This command was integrated into Cisco IOS XE Release 3.1S.
15.1(2)S	This command was modified. A hash collision between the name supplied and any existing name is now possible. If this happens, you can retry, supplying another name
12.2(50)SY	This command was integrated into Cisco IOS Release 12.2(50)SY.
15.2(4)M	This command was made available in QoS policy-map-class configuration mode.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic monitoring. Flow monitors consist of a record and a cache. You add the record to the flow monitor after you create the flow monitor. The flow monitor cache is automatically created at the time the flow monitor is applied to the first interface. Flow data is collected from the network traffic during the monitoring process based on the key and nonkey fields in the flow monitor's record and stored in the flow monitor cache.

In Cisco IOS Release 15.1(2)S and later releases, a hash collision between the name supplied and any existing name is possible. If this happens, you can retry, supplying another name.

Examples

The following example creates a flow monitor named FLOW-MONITOR-1 and enters Flexible NetFlow flow monitor configuration mode:

Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)#

The following example shows the output when there is a hash collision between the name supplied and any existing name:

Router(config)# flow monitor FLOW-MONITOR-1
% Flow Monitor: could not create monitor.

Related Commands

Command	Description
clear flow monitor	Clears the flow monitor.
debug flow monitor	Enables debugging output for flow monitors.

flow record

To create a Flexible NetFlow flow record, or to modify an existing Flexible NetFlow flow record, and enter Flexible NetFlow flow record configuration mode, use the flow record command in global configuration mode. To remove a Flexible NetFlow flow record, use the no form of this command.

flow record record-name

no flow record record-name

Syntax Description

record-name

Name of the flow record that is being created or modified.

Command Default

A Flexible NetFlow flow record is not configured.

Command Modes

Global configuration (config)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(2)S	This command was modified. A hash collision between the name supplied and any existing name is now possible. If this happens, you can retry, supplying another name
12.2(50)SY	This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

Flexible NetFlow uses key and nonkey fields just as original NetFlow does to create and populate flows in a cache. In Flexible NetFlow a combination of key and nonkey fields is called a record. Original NetFlow and Flexible NetFlow both use the values in key fields in IP datagrams, such as the IP source or destination address and the source or destination transport protocol port, as the criteria for determining when a new flow must be created in the cache while network traffic is being monitored. A flow is defined as a stream of packets between a given source and a given destination. New flows are created whenever a packet that has a unique value in one of the key fields is analyzed.

In Cisco IOS Release 15.1(2)S and later releases, a hash collision between the name supplied and any existing name is possible. If this happens, you can retry, supplying another name.

Examples

The following example creates a flow record named FLOW-RECORD-1, and enters Flexible NetFlow flow record configuration mode:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)#

The following example shows the output when there is a hash collision between the name supplied and any existing name:

Router(config)# flow record FLOW-RECORD-1
% Flow Record: Failure creating new Flow Record (Hash value in use).

Related Commands

Command	Description
show flow record	Displays flow record status and statistics.

ip flow monitor

To enable a Flexible NetFlow flow monitor for IPv4 traffic that the router is receiving or forwarding, use the ip flow monitor command in interface configuration mode or subinterface configuration mode. To disable a Flexible NetFlow flow monitor, use the no form of this command.

ip flow monitor monitor-name [ sampler sampler-name ] [ multicast | unicast ] { input | output }

no ip flow monitor monitor-name [ sampler sampler-name ] [ multicast | unicast ] { input | output }

Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY

ip flow monitor monitor-name [ sampler sampler-name ] [ layer2-switched | multicast | unicast ] { input | output }

no ip flow monitor monitor-name [ sampler sampler-name ] [ layer2-switched | multicast | unicast ] { input | output }

Cisco IOS XE Release 3.2SE

ip flow monitor monitor-name [ sampler sampler-name ] { input | output }

no ip flow monitor monitor-name [ sampler sampler-name ] { input | output }

Syntax Description

monitor-name	Name of a flow monitor that was previously configured.
sampler sampler-name	(Optional) Enables a flow sampler for this flow monitor using the name of a sampler that was previously configured.
layer2-switched	(Optional) Applies the flow monitor for Layer 2-switched traffic only.
multicast	(Optional) Applies the flow monitor for multicast traffic only.
unicast	(Optional) Applies the flow monitor for unicast traffic only.
input	Monitors traffic that the router is receiving on the interface.
output	Monitors traffic that the router is transmitting on the interface.

Command Default

A flow monitor is not enabled.

Command Modes

Interface configuration (config-if)
Subinterface configuration (config-subif)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.4(22)T	This command was modified. The unicast and multicast keywords were added.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY	This command was modified. The layer2-switched keyword was added.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE without the support for the multicast and unicast keywords.

Usage Guidelines

You must have already created a flow monitor by using the flow monitor command before you can apply the flow monitor to an interface with the ip flowmonitor command to enable traffic monitoring with Flexible NetFlow.

ip flow monitor sampler

When a sampler is added to a flow monitor, only packets that are selected by the named sampler will be entered into the cache to form flows. Each use of a sampler causes separate statistics to be stored for that usage.

You cannot add a sampler to a flow monitor after the flow monitor has been enabled on an interface. You must remove the flow monitor from the interface prior to enabling the same flow monitor with a sampler. See the “Examples” section for more information.

Note

The statistics for each flow must be scaled to give the expected true usage. For example, with a 1 in 10 sampler it is expected that the packet and byte counters will have to be multiplied by 10.

Multicast Traffic and Unicast Traffic

In Cisco IOS Release 12.4(22)T and later releases, the default behavior of the ip flow monitorcommand is to analyze unicast and multicast traffic. If you need to monitor only unicast traffic, use the unicast keyword. If you need to monitor only multicast traffic, use the multicast keyword.

Examples

The following example enables a flow monitor for monitoring input traffic:

Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input

The following example enables a flow monitor for monitoring output traffic on a subinterface:

Router(config)# interface ethernet0/0.1
Router(config-if)# ip flow monitor FLOW-MONITOR-1 output

The following example enables a flow monitor for monitoring only multicast input traffic:

Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 multicast input

The following example enables a flow monitor for monitoring only unicast output traffic:

Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 unicast output

The following example enables the same flow monitor on the same interface for monitoring input and output traffic:

Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
Router(config-if)# ip flow monitor FLOW-MONITOR-1 output

The following example enables two different flow monitors on the same interface for monitoring input and output traffic:

Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
Router(config-if)# ip flow monitor FLOW-MONITOR-2 output

The following example enables the same flow monitor on two different interfaces for monitoring input and output traffic:

Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
Router(config-if)# exit
Router(config)# interface ethernet1/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 output

The following example enables two different flow monitors on two different interfaces for monitoring input and output traffic:

Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
Router(config-if)# exit
Router(config)# interface ethernet1/0
Router(config-if)# ip flow monitor FLOW-MONITOR-2 output

The following example enables a flow monitor for monitoring input traffic, with a sampler to limit the input packets that are sampled:

Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input

The following example enables a flow monitor for monitoring output traffic, with a sampler to limit the output packets that are sampled:

Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 output

The following example enables two different flow monitors for monitoring input and output traffic, with a sampler on the flow monitor that is monitoring input traffic to limit the input packets that are sampled:

Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input
Router(config-if)# ip flow monitor FLOW-MONITOR-2 output

The following example enables two different flow monitors for monitoring input and output traffic, with a sampler on the flow monitor that is monitoring output traffic to limit the output packets that are sampled:

Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-2 input
Router(config-if)# ip flow monitor FLOW-MONITOR-2 sampler SAMPLER-2 output

The following example shows what happens when you try to add a sampler to a flow monitor that has already been enabled on an interface without a sampler:

Router(config)# interface Ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input
% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in full mode and cannot be enabled with a sampler.

The following example shows how to remove a flow monitor from an interface so that it can be enabled with the sampler:

Router(config)# interface Ethernet0/0
Router(config-if)# no ip flow monitor FLOW-MONITOR-1 input
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input

The following example shows what happens when you try to remove a sampler from a flow monitor on an interface by entering the flow monitor command again without the sampler keyword and argument:

Router(config)# interface Ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in sampled mode and cannot be enabled in full mode.

The following example shows how to remove the flow monitor that was enabled with a sampler from the interface so that it can be enabled without the sampler:

Router(config)# interface Ethernet0/0
Router(config-if)# no ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input

Related Commands

Command	Description
flow monitor	Creates a flow monitor.
sampler	Creates a flow sampler.

ipv6 flow monitor

To enable a Flexible NetFlow flow monitor for IPv6 traffic that the router is receiving or forwarding, use the ipv6 flow monitor command in interface configuration mode or subinterface configuration mode. To disable a Flexible NetFlow flow monitor, use the no form of this command.

ipv6 flow monitor monitor-name [ sampler sampler-name ] [ multicast | unicast ] { input | output }

no ipv6 flow monitor monitor-name [ sampler sampler-name ] [ layer2-bridged ] [ multicast | unicast ] { input | output }

Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY

ipv6 flow monitor monitor-name [ sampler sampler-name ] unicast { input | output }

no ipv6 flow monitor monitor-name [ sampler sampler-name ] [ layer2-bridged ] unicast { input | output }

Cisco IOS XE Release 3.2SE

ipv6 flow monitor monitor-name [ sampler sampler-name ] { input | output }

no ipv6 flow monitor monitor-name [ sampler sampler-name ] [ layer2-bridged ] { input | output }

Syntax Description

monitor-name	Name of a flow monitor that was previously configured.
sampler sampler-name	(Optional) Enables a flow sampler for this flow monitor using the name of a sampler that was previously configured.
multicast	(Optional) Applies the flow monitor for multicast traffic only.
unicast	(Optional) Applies the flow monitor for unicast traffic only.
input	Monitors traffic that the router is receiving on the interface.
output	Monitors traffic that the router is transmitting on the interface.
layer2-bridged	Monitors IPv6 Layer 2 Bridged traffic that the router is transmitting on the interface.

Command Default

A flow monitor is not enabled.

Command Modes

Interface configuration (config-if)
Subinterface configuration (config-subif)

Command History

Release	Modification
12.4(20)T	This command was introduced.
12.4(22)T	This command was modified. The unicast and multicast keywords were added.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY	This command was modified. The multicast keyword was not supported.
15.1(1)SY	This command was modified. The layer2-bridged keyword was added.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE without the support for the multicast and unicast keywords.

Usage Guidelines

You must have already created a flow monitor by using the flow monitor command before you can apply the flow monitor to an interface with the ipv6 flow monitor command to enable traffic monitoring with Flexible NetFlow.

ipv6 flow monitor sampler

When a sampler is added to a flow monitor, only packets that are selected by the named sampler will be entered into the cache to form flows. Each use of a sampler causes separate statistics to be stored for that usage.

You cannot add a sampler to a flow monitor after the flow monitor has been enabled on an interface. You must remove the flow monitor from the interface prior to enabling the same flow monitor with a sampler. See the “Examples” section for more information.

Note

The statistics for each flow must be scaled to give the expected true usage. For example, with a 1 in 10 sampler it is expected that the packet and byte counters will have to be multiplied by 10.

Multicast Traffic and Unicast Traffic

In Cisco IOS Release 12.4(22)T and later releases, the default behavior of the ip flow monitor command is to analyze unicast and multicast traffic. If you need to monitor only unicast traffic, use the unicast keyword. If you need to monitor only multicast traffic, use the multicast keyword.

Examples

The following example enables a flow monitor for monitoring input IPv6 traffic:

Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 input

The following example enables a flow monitor for monitoring output IPv6 traffic on a subinterface:

Router(config)# interface ethernet0/0.1
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 output

The following example enables a flow monitor for monitoring only multicast input traffic:

Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 multicast input

The following example enables a flow monitor for monitoring only unicast output traffic:

Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 unicast output

The following example enables the same flow monitor on the same interface for monitoring input and output IPv6 traffic:

Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 input
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 output

The following example enables two different flow monitors on the same interface for monitoring input and output IPv6 traffic:

Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 input
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-2 output

The following example enables the same flow monitor on two different interfaces for monitoring input and output IPv6 traffic:

Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 input
Router(config-if)# exit
Router(config)# interface ethernet1/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 output

The following example enables two different flow monitors on two different interfaces for monitoring input and output IPv6 traffic:

Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 input
Router(config-if)# exit
Router(config)# interface ethernet1/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-2 output

The following example enables a flow monitor for monitoring input IPv6 traffic, with a sampler to limit the input packets that are sampled:

Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input

The following example enables a flow monitor for monitoring output IPv6 traffic, with a sampler to limit the output packets that are sampled:

Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 output

The following example enables two different flow monitors for monitoring input and output IPv6 traffic, with a sampler on the flow monitor that is monitoring input IPv6 traffic to limit the input packets that are sampled:

Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-2 output

The following example enables two different flow monitors for monitoring input and output IPv6 traffic, with a sampler on the flow monitor that is monitoring output IPv6 traffic to limit the output packets that are sampled:

Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-2 input
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-2 sampler SAMPLER-2 output

The following example shows what happens when you try to add a sampler to a flow monitor that has already been enabled on an interface without a sampler:

Router(config)# interface Ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input
% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in full mode and cannot be enabled with a sampler.

The following example shows how to remove a flow monitor from an interface so that it can be enabled with the sampler:

Router(config)# interface Ethernet0/0
Router(config-if)# no ipv6 flow monitor FLOW-MONITOR-1 input
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input

The following example shows what happens when you try to remove a sampler from a flow monitor on an interface by entering the flow monitor command again without the sampler keyword and argument:

Router(config)# interface Ethernet 0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 input
% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in sampled mode and cannot be enabled in full mode.

The following example shows how to remove the flow monitor that was enabled with a sampler from the interface so that it can be enabled without the sampler:

Router(config)# interface Ethernet 0/0
Router(config-if)# no ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 input

Related Commands

Command	Description
flow monitor	Creates a flow monitor.
sampler	Creates a flow sampler.

match datalink dot1q priority

To configure the 802.1Q (dot1q) priority as a key field for a Flexible NetFlow flow record, use the match datalink dot1q priority command in Flexible NetFlow flow record configuration mode. To disable the use of the 802.1Q priority as a key field for a Flexible NetFlow flow record, use the no form of this command.

match datalink dot1q priority

no match datalink dot1q priority

Command Default

The 802.1Q priority is not configured as a key field.

Command Modes

Flexible NetFlow flow record configuration (config-flow-record)

Command History

Release	Modification
Cisco IOS XE Release 3.2SE	This command was introduced. Only the switch ports support it.

Usage Guidelines

The Flexible NetFlow match commands are used to configure key fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record.

Examples

Example

The following example configures the 802.1Q priority of traffic being received by the router as a key field for a Flexible NetFlow flow record

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink dot1q priority

Related Commands

Command	Description
flow record	Creates a flow record.

match datalink dot1q vlan

To configure the 802.1Q (dot1q) VLAN value as a key field for a Flexible NetFlow flow record, use the match datalink dot1q vlan command in Flexible NetFlow flow record configuration mode. To disable the use of the 802.1Q VLAN value as a key field for a Flexible NetFlow flow record, use the no form of this command.

match datalink dot1q vlan { input | output }

no match datalink dot1q vlan { input | output }

Syntax Description

input	Configures the 802.1Q VLAN ID of traffic being received by the router as a key field.
output	Configures the 802.1Q VLAN ID of traffic being transmitted by the router as a key field.

Command Default

The 802.1Q VLAN ID is not configured as a key field.

Command Modes

Flexible NetFlow flow record configuration (config-flow-record)

Command History

Release	Modification
12.4(22)T	This command was introduced.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE. Only the switch ports support it.

Usage Guidelines

The input and output keywords of the match datalink dot1q vlan command are used to specify the observation point that is used by the match datalink dot1q vlan command to create flows based on the unique 802.1q VLAN IDs in the network traffic. For example, when you configure a flow record with the match datalink dot1q vlan input command to monitor the simulated denial of service (DoS) attack in the figure below and apply the flow monitor to which the flow record is assigned in either input (ingress) mode on Ethernet interface 0/0.1 on R3 or output (egress) mode on Ethernet interface 1/0.1 on R3, the observation point is always Ethernet 0/0.1 on R3. The 802.1q VLAN ID that is used as a key field is 5.

Figure 16. Simulated DoS Attack (c)

The observation point of match commands that do not have the input and/or output keywords is always the interface to which the flow monitor that contains the flow record with the match commands is applied.

Examples

The following example configures the 802.1Q VLAN ID of traffic being received by the router as a key field for a Flexible NetFlow flow record

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink dot1q vlan input

Related Commands

Command	Description
flow record	Creates a flow record.

match datalink ethertype

To configure the ethertype as a key field for a Flexible NetFlow flow record, use the match datalink ethertype command in Flexible NetFlow flow record configuration mode. To disable the use of the ethertype as a key field for a Flexible NetFlow flow record, use the no form of this command.

match datalink ethertype

no match datalink ethertype

Command Default

The ethertype is not configured as a key field.

Command Modes

Flexible NetFlow flow record configuration (config-flow-record)

Command History

Release	Modification
Cisco IOS XE Release 3.2SE	This command was introduced.

Usage Guidelines

The Flexible NetFlow match commands are used to configure key fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record.

Examples

Example

The following example configures the ethertype of traffic being received by the router as a key field for a Flexible NetFlow flow record

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink ethertype

Related Commands

Command	Description
flow record	Creates a flow record.

match datalink mac

To configure the use of MAC addresses as a key field for a Flexible NetFlow flow record, use the match datalink mac command in Flexible NetFlow flow record configuration mode. To disable the use of MAC addresses as a key field for a Flexible NetFlow flow record, use the no form of this command.

match datalink mac { destination | source } address { input | output }

no match datalink mac { destination | source } address { input | output }

Syntax Description

destination address	Configures the use of the destination MAC address as a key field.
source address	Configures the use of the source MAC address as a key field.
input	Packets received by the router.
output	Packets transmitted by the router.

Command Default

MAC addresses are not configured as a key field.

Command Modes

Flexible NetFlow flow record configuration (config-flow-record)

Command History

Release	Modification
12.4(22)T	This command was introduced.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The input and output keywords of the match datalink mac command are used to specify the observation point that is used by the match datalink mac command to create flows based on the unique MAC addressees in the network traffic. For example, when you configure a flow record with the match datalink mac destination address input command to monitor the simulated denial of service (DoS) attack in the figure below and apply the flow monitor to which the flow record is assigned in either input (ingress) mode on Ethernet interface 0/0.1 on R3 or output (egress) mode on Ethernet interface 1/0.1 on R3, the observation point is always Ethernet 0/0.1 on R3. The destination MAC address that is used a key field is aaaa.bbbb.cc04.

Figure 17. Simulated DoS Attack (d)

When the destination output mac address is configured, the value is the destination mac address of the output packet, even if the monitor the flow record is applied to is input only.

When the destination input mac address is configured, the value is the destination mac address of the input packet, even if the monitor the flow record is applied to is output only.

When the source output mac address is configured, the value is the source mac address of the output packet, even if the monitor the flow record is applied to is input only.

When the source input mac address is configured, the value is the source mac address of the input packet, even if the monitor the flow record is applied to is output only.

Examples

The following example configures the use of the destination MAC address of packets that are received by the router as a key field for a Flexible NetFlow flow record:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink mac destination address input

The following example configures the use of the source MAC addresses of packets that are transmitted by the router as a key field for a Flexible NetFlow flow record:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink mac source address output

Related Commands

Command	Description
flow record	Creates a flow record.

match datalink vlan

To configure the VLAN ID as a key field for a Flexible NetFlow flow record, use the match datalink vlan command in Flexible NetFlow flow record configuration mode. To disable the use of the VLAN ID value as a key field for a Flexible NetFlow flow record, use the no form of this command.

match datalink vlan { input | output }

no match datalink vlan { input | output }

Syntax Description

input	Configures the VLAN ID of traffic being received by the router as a key field.
output	Configures the VLAN ID of traffic being transmitted by the router as a key field.

Command Default

The VLAN ID is not configured as a key field.

Command Modes

Flexible NetFlow flow record configuration (config-flow-record)

Command History

Release	Modification
12.2(50)SY	This command was introduced.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE. Only the switch ports support it.

Examples

The following example configures the VLAN ID of traffic being received by the router as a key field for a Flexible NetFlow flow record:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink vlan input

Related Commands

Command	Description
flow record	Creates a flow record.

match flow

To configure the flow direction and the flow sampler ID number as key fields for a flow record, use the match flow command in Flexible NetFlow flow record configuration or policy inline configuration mode. To disable the use of the flow direction and the flow sampler ID number as key fields for a flow record, use the no form of this command.

match flow { direction | sampler }

no match flow { direction | sampler }

Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY and 15.1(1)SY

match flow { cts { destination | source } group-tag | direction }

no match flow { cts { destination | source } group-tag | direction }

Syntax Description

direction	Configures the direction in which the flow was monitored as a key field.
sampler	Configures the flow sampler ID as a key field.
cts destination group-tag	Configures the CTS destination field group as a key field.
cts source group-tag	Configures the CTS source field group as a key field.

Command Default

The CTS destination or source field group, flow direction and the flow sampler ID are not configured as key fields.

Command Modes

Flexible NetFlow flow record configuration (config-flow-record)
Policy inline configuration (config-if-spolicy-inline)

Command History

Release	Modification
12.4(9)T	This command was introduced.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S	This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC	This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE	This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T	This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.
12.2(58)SE	This command was modified. Support for the Cisco Performance Monitor was added.
12.2(50)SY	This command was modified. The cts destination group-tag and cts source group-tag keywords were added. The sampler keyword was removed.
15.1(1)SY	This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.2SE	This command was integrated into Cisco IOS XE Release 3.2SE without the support for the sampler keyword.

Usage Guidelines

This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.

A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

You must first enter the service-policy type performance-monitor inline command.

match flow direction

This field indicates the direction of the flow. This is of most use when a single flow monitor is configured for input and output flows. It can be used to find and eliminate flows that are being monitored twice, once on input and once on output. This field may also be used to match up pairs of flows in the exported data when the two flows are flowing in opposite directions.

match flow sampler

This field contains the ID of the flow sampler used to monitor the flow. This is useful when more than one flow sampler is being used with different sampling rates. The flow exporter option sampler-table command will export options records with mappings of the flow sampler ID to the sampling rate so the collector can calculate the scaled counters for each flow.

Examples

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

The following example configures the direction the flow was monitored in as a key field:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match flow direction

The following example configures the flow sampler ID as a key field:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match flow sampler

The following example configures the CTS destination fields group as a key field:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match flow cts destination group-tag

The following example configures the CTS source fields group as a key field:

Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match flow cts source group-tag

The following example shows how to use the policy inline configuration mode to configure a service policy for Performance Monitor. The policy specifies that packets traversing Ethernet interface 0/0 that match the flow sampler ID will be monitored based on the parameters specified in the flow monitor configuration named fm2:

Router(config)# interface ethernet 0/0
Router(config-if)# service-policy type performance-monitor inline input
Router(config-if-spolicy-inline)# match flow sampler
Router(config-if-spolicy-inline)# flow monitor fm-2
Router(config-if-spolicy-inline)# exit

Related Commands

Command	Description
class-map	Creates a class map to be used for matching packets to a specified class.
flow exporter	Creates a flow exporter.
flow record	Creates a flow record.
service-policy type performance-monitor	Associates a Performance Monitor policy with an interface.

Bias-Free Language

Results

Chapter: cache (Flexible NetFlow) through match flow

cache (Flexible NetFlow) through match flow

cache (Flexible NetFlow)

Cisco IOS XE Release 3.2SE

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

clear flow exporter

Syntax Description

Command Modes

Command History

Examples

Related Commands

clear flow monitor

Syntax Description

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

clear sampler

Syntax Description

Command Modes

Command History

Examples

Related Commands

collect counter

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY

Cisco IOS XE Release 3.2SE

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

Related Commands

collect interface

Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Examples

Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE

Related Commands

collect timestamp absolute

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Example

Related Commands

collect transport tcp

Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY

Cisco IOS XE Release 3.2SE

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Examples

Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S

Related Commands

debug flow exporter

Syntax Description

Command Modes