- backup (NetFlow SCTP)
- cache
- cache-timeout
- clear fm netflow counters
- clear ip flow stats
- clear mls nde flow counters
- clear mls netflow
- debug mpls netflow
- enabled (aggregation cache)
- export destination
- export destination sctp (NetFlow aggregation cache)
- export template
- export version
- flow hardware mpls-vpn ip
- flow-sampler
- flow-sampler-map
- ip flow
- ip flow layer2-switched
- ip flow-aggregation cache
- ip flow-cache entries
- ip flow-cache mpls label-positions
- ip flow-cache timeout
- ip flow-capture
- ip flow-egress input-interface
- ip flow-export destination
- ip flow-export destination sctp
- ip flow-export hardware version
- ip flow-export interface-names
- ip flow-export source
- ip flow-export template
- ip flow-export version
- ip flow-export version (Supervisor Engine 2)
- ip flow-export version (Supervisor Engine 720)
- ip flow-top-talkers
- ip multicast netflow
- ip multicast netflow output-counters
- ip multicast netflow rpf-failure
- ip route-cache flow
backup (NetFlow SCTP) through ip route-cache flow
backup (NetFlow SCTP)
To configure a backup destination for the reliable export of NetFlow accounting information in NetFlow cache entries, use the backupcommand in NetFlow ip flow export stream control transmission protocol (SCTP) configuration mode. To remove a destination for the reliable export of NetFlow accounting information, use the noform of this command.
Syntax Description
Command Default
Backup destinations for the reliable export of NetFlow information are not configured.
Command Modes
NetFlow ip flow export SCTP (config-flow-export-sctp)
Usage Guidelines
When you configure a backup export destination for SCTP messages are sent to the destination if the primary export destination becomes unavailable. When connectivity with the primary export destination has been lost and a backup export destination is configured, SCTP begins using the backup export destination. The default period of time that SCTP waits until it starts using the backup export destination is 25 sec. You can configure a different with the fail-overtime command.
Note |
SCTP retransmits messages that have not been acknowledged three times. The router will initiate fail-over after three retransmissions of the same message are not acknowledged by the primary collector. |
The router sends periodic SCTP heart beat messages to the SCTP export destinations that you have configured. The router uses the SCTP heart-beat message acknowledgments from the export destinations to monitor the status of each export destination. This allows an application, such as NetFlow, to be quickly informed when connectivity to an export destination is lost.
You can configure SCTP backup in fail-over or redundant mode. When the router is configured with SCTP backup in fail-over mode the router waits to activate the association with the backup export destination until the router has not received acknowledgments for the SCTP heart beat messages from the primary export destination for the time specified by the fail-overtime command. When the router is configured with SCTP backup in redundant mode, the router activates the association with the backup export destination immediately instead of waiting for the primary export destination to fail. The router will not start sending SCTP messages to a backup export destination in redundant mode until the router has not received acknowledgements for the SCTP heart beat messages from the primary export destination for the time specified by the fail-overtime command. Fail-over mode is the preferred method when the backup export destination is on the end of an expensive lower-bandwidth link such as ISDN.
During the time that SCTP is using the backup export destination, SCTP continues to try to restore the association with the primary export destination. SCTP makes this attempt until connectivity is restored or the primary SCTP export destination is removed from the configuration.
When connectivity to the primary export destination is available again, the router waits for a period of time before reverting to using it as the primary destination. You use the restore-timetime command to configure the value of the period of time that SCTP waits until reverting. The default period of time that SCTP waits is 25 msecs.
Under either fail-over mode, any records which have been queued between loss of connectivity with the primary destination and, the establishing of the association with the backup export destination might be lost. A count of how many records were lost can be viewed through the use of the show ip flow export sctp verbose command.
To avoid a flapping SCTP association with an export destination (the SCTP association going up and down in quick succession), the time period configured with the restore-timetime command should be greater than the period of a typical connectivity problem. For example, your router is configured to use IP fast convergence for its routing table and you have a LAN interface that is going up and down repeatedly (flapping). This causes the IP route to the primary export destination to be added to and removed from the routing table (route flapping) every 2000 msec (2 sec) you need to configure the restore time for a value greater than 2000 msec.
The backup connection uses stream 0 for sending templates, options templates, and option records. The data stream(s) inherit the reliability settings of the primary export destination.
Command History
Release |
Modification |
---|---|
12.4(4)T |
This command was introduced. |
Examples
The following example shows how to configure the networking device to use SCTP as the transport protocol for transmissions to multiple export destinations in redundant mode. The router activates the association with the backup export destination immediately instead of waiting until the primary export destination fails. The router starts sending SCTP messages to the backup export destination over the preexisting association after it fails to receive acknowledgments for its SCTP heart-beat messages from the primary export destination for 1500 msec. The router waits 3000 msec after the primary export destination is reachable again before resuming the association with the primary export destination.
Router(config)# ip flow-export destination 172.16.10.2 78 sctp Router(config-flow-export-sctp)# backup destination 172.16.10.3 78 Router(config-flow-export-sctp)# backup mode redundant Router(config-flow-export-sctp)# backup fail-over 1500 Router(config-flow-export-sctp)# backup restore-time 3000
The following example shows how to configure the networking device to use SCTP as the transport protocol to multiple export destinations in fail-over mode. The router activates the association with the backup export destination and starts sending SCTP messages to the backup export destination after it fails to receive acknowledgments for its SCTP heart beat messages from the primary export destination for 1500 msec. The router waits 3000 sec after the primary export destination is reachable again before resuming the association with the primary export destination. The SCTP association with the backup export destination is closed after the router resumes sending SCTP messages to the primary export destination.
Router(config)# ip flow-export destination 172.16.10.2 78 sctp Router(config-flow-export-sctp)# backup destination 172.16.10.3 78 Router(config-flow-export-sctp)# backup mode fail-over Router(config-flow-export-sctp)# backup fail-over 1500 Router(config-flow-export-sctp)# backup restore-time 3000
Related Commands
Command |
Description |
---|---|
ip flow-export destination sctp |
Enables the reliable export of NetFlow accounting information in NetFlow cache entries. |
reliability |
Specifies the level of reliability for the reliable export of NetFlow accounting information in NetFlow cache entries. |
show ip flow export |
Displays the status and the statistics for NetFlow accounting data export. |
cache
To configure operational parameters for NetFlow accounting aggregation caches, use the cache command in NetFlow aggregation cache configuration mode. To disable the NetFlow aggregation cache operational parameters for NetFlow accounting, use the no form of this command.
Syntax Description
Command Default
The operational parameters for NetFlow accounting aggregation caches are not configured.
Command Modes
NetFlow aggregation cache configuration (config-flow-cache)
Command History
Release |
Modification |
---|---|
12.0(3)T |
This command was introduced. |
12.2(14)S |
This command was integrated into Cisco IOS Release 12.2(14)S. |
12.3(7)T |
This command function was modified to support cache entries for IPv6. |
12.2(28)SB |
This command was integrated into Cisco IOS Release 12.2(28)SB. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command. .
Examples
The following example shows how to set the NetFlow aggregation cache entry limits and timeout values for the NetFlow protocol-port aggregation cache:
Router(config)# ip flow-aggregation cache protocol-port Router(config-flow-cache)# cache entries 2046 Router(config-flow-cache)# cache timeout inactive 199 Router(config-flow-cache)# cache timeout active 45 Router(config-flow-cache)# enabled
Related Commands
Command |
Description |
enabled (aggregation cache) |
Enables a NetFlow accounting aggregation cache. |
export destination (aggregation cache) |
Enables the exporting of NetFlow accounting information from NetFlow aggregation caches. |
ip flow-aggregation cache |
Enables NetFlow accounting aggregation cache schemes. |
mask (IPv4) |
Specifies the source or destination prefix mask for a NetFlow accounting prefix aggregation cache. |
show ip cache flow |
Displays a summary of the NetFlow accounting statistics. |
show ip cache flow aggregation |
Displays the NetFlow accounting aggregation cache statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
show ip flow interface |
Displays NetFlow accounting configuration for interfaces. |
cache-timeout
To specify the length of time for which the list of NetFlow top talkers (unaggregated top flows) is retained, use the cache-timeout command in NetFlow top talkers configuration mode. To return the timeout parameters for the list of top talkers to the default of 5 seconds, use the no form of this command.
Syntax Description
milliseconds |
Length in milliseconds for which the list of top talkers is retained. The range is from 1 to 3,600,000 (1 millisecond to one hour). The default is 5000 (5 seconds). |
Command Default
The default time for which the list of top talkers is retained is 5 seconds.
Command Modes
NetFlow top talkers configuration
Command History
Release |
Modification |
---|---|
12.2(25)S |
This command was introduced. |
12.3(11)T |
This feature was integrated into Cisco IOS Release 12.3(11)T. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Usage Guidelines
Configuring NetFlow top talkers
You must enable NetFlow on at least one interface in the router; and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands. Optionally, the match command can be configured to specify additional matching criteria.
Cache Timeout
The cache timeout starts after the list of top talkers is requested by entering the show ip flow top-talkerscommand or through the netflow MIB.
A long timeout period limits the system resources that are used by NetFlow top talkers. However, the list of top talkers is calculated only once during the timeout period. If a request to display the top talkers is made more than once during the timeout period, the same results are displayed for each request, and the list of top talkers is not recalculated until the timeout period expires.
A short timeout period ensures that the latest list of top talkers is retrieved; however too short a period can have undesired effects:
- The list of top talkers is lost when the timeout period expires. You should configure a timeout period for at least as long as it takes the network management system (NMS) to retrieve all the required NetFlow top talkers.
- The list of top talkers is updated every time the top talkers information is requested, possibly causing unnecessary usage of system resources.
A good method to ensure that the latest information is displayed, while also conserving system resources, is to configure a large value for the timeout period, but recalculate the list of top talkers by changing the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkerscommand to display the top talkers. Changing the parameters of the cache-timeout, top, or sort-by command causes the list of top talkers to be recalculated upon receipt of the next command line interface (CLI) or MIB request.
Examples
In the following example, the list of top talkers is configured to be retained for 2 seconds (2000 milliseconds). There is a maximum of 4 top talkers, and the sort criterion is configured to sort the list of top talkers by the total number of bytes in each top talker.
Router(config)# ip flow-top-talkers Router(config-flow-top-talkers)# cache-timeout 2000 Router(config-flow-top-talkers)# top 4 Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top talkers command using the configuration from the previous example:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K
4 of 4 top talkers shown. 11 flows processed
Related Commands
Command |
Description |
---|---|
ip flow-top-talkers |
Enters the configuration mode for the NetFlow MIB and top talkers (heaviest traffic patterns and most-used applications in the network) feature. |
match (NetFlow) |
Specifies match criteria for the NetFlow MIB and top talkers (heaviest traffic patterns and most-used applications in the network) feature. |
show ip flow top-talkers |
Displays the statistics for the top talkers (heaviest traffic patterns and most-used applications in the network). |
sort-by |
Specifies the sorting criterion for top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and top talkers feature. |
top |
Specifies the maximum number of top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and top talkers feature. |
show ip cache flow |
Displays a summary of the NetFlow accounting statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
show ip flow interface |
Displays NetFlow accounting configuration for interfaces. |
clear fm netflow counters
To clear the NetFlow counters, use the clear fm netflow counters command in privileged EXEC mode.
Syntax Description
This command has no arguments or keywords.
Command Default
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release |
Modification |
---|---|
12.2(18)SXD |
Support for this command was introduced on the Supervisor Engine 720. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
This command is not supported on systems that are configured with a Supervisor Engine 2.
Examples
This example shows how to clear the NetFlow counters:
Router# clear fm netflow counters
Router#
clear ip flow stats
To clear the NetFlow accounting statistics, use the clear ip flow stats command in privileged EXEC mode.
Syntax Description
nbar |
(Optional) Clears Network Based Application Recognition (NBAR) NetFlow statistics. |
Command Modes
Privileged EXEC (#)
Command History
Release |
Modification |
---|---|
11.1CA |
This command was introduced. |
12.2(14)S |
This command was integrated into Cisco IOS Release 12.2(14)S. |
12.2(14)SX |
Support for this command was introduced on the Supervisor Engine 720. |
12.2(17d)SXB |
Support for this command on the Supervisor Engine 2 was extended to the 12.2(17d)SXB release. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2(18)ZYA2 |
This command was modified. The nbarkeyword was added. |
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
The show ip cache flowcommand displays the NetFlow accounting statistics. Use the clear ip flow statscommand to clear the NetFlow accounting statistics.
Examples
The following example shows how to clear the NetFlow accounting statistics on the router:
Router# clear ip flow stats
Related Commands
Command |
Description |
---|---|
show ip cache flow |
Displays a summary of the NetFlow accounting statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
show ip flow interface |
Displays NetFlow accounting configuration for interfaces. |
show ip interface |
Displays the usability status of interfaces configured for IP. |
clear mls nde flow counters
To clear the NDE counters, use the clearmlsndeflowcounters command.
Syntax Description
This command has no keywords or arguments.
Command Default
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release |
Modification |
---|---|
12.2(14)SX |
Support for this command was introduced on the Supervisor Engine 720. |
12.2(17d)SXB |
Support for this command on the Supervisor Engine 2 was extended to the 12.2 SX release. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Examples
This example shows how to reset the NDE counters:
Router#
clear mls nde flow counters
Router#
Related Commands
Command |
Description |
---|---|
show mls nde |
Displays information about the NDE hardware-switched flow. |
clear mls netflow
To clear the MLS NetFlow-shortcut entries, use the clearmlsnetflowcommand.
Syntax Description
ip |
Clears IP MLS entries. |
destination ip-addr |
(Optional) Specifies a destination f ull IP address or a subnet address. See the "Usage Guidelines" section for formatting guidelines. |
source ip-addr |
(Optional) Specifies a source f ull IP address or a subnet address. See the "Usage Guidelines" section for formatting guidelines. |
dynamic |
(Optional) Clears NetFlow-statistics entries that are created in the hardware. |
sw-installed non-static |
(Optional) Clears software-installed nonstatic entries. |
sw-installed static |
(Optional) Clears software-installed static entries. |
module mod |
(Optional) Specifies a module number. |
ipv6 |
Clears IP version 6 software-installed entries. |
destination ipv6-addr |
(Optional) Specifies a destination f ull IPv6 address or a subnet address. See the "Usage Guidelines" section for formatting guidelines. |
/ ipv6-prefix |
(Optional) IPv6 prefix; valid values are from 0 to 128. |
source iv6p-addr |
(Optional) Specifies a source f ull IPv6 address or a subnet address. See the "Usage Guidelines" section for formatting guidelines. |
flow tcp |
(Optional) Clears TCP flow information. |
flow udp |
(Optional) Clears UDP flow information. |
destination port-num |
(Optional) Specifies a destination port number. |
sourceport-num |
(Optional) Specifies a source port number. |
mpls |
Clears MPLS software-installed entries. |
top-label entry |
(Optional) Clears top-label entries; valid values are from 1 to 4294967295. |
ipx |
Clears IPX MLS entries. |
destination ipx-network |
(Optional) Specifies the destination IPX address. See the "Usage Guidelines" section for formatting guidelines. |
ipx-node |
(Optional) IPX node address. See the "Usage Guidelines" section for formatting guidelines. |
source ipx-network |
(Optional) Specifies the source IPX address. See the "Usage Guidelines" section for formatting guidelines. |
macs mac-addr |
(Optional) Specifies the source MAC addresses to consider when searching for entries to purge. |
macd mac-addr |
(Optional) Specifies the destination MAC addresses to consider when searching for entries to purge. |
interface interface-num |
(Optional) Clears entries that are associated with the specified VLAN or interface. |
all |
(Optional) Clears all entries. |
Command Default
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release |
Modification |
---|---|
12.2(14)SX |
Support for this command was introduced on the Supervisor Engine 720. |
12.2(17a)SX |
This command was changed as follows:
|
12.2(17d)SXB |
Support for this command on the Supervisor Engine 2 was extended to the 12.2 SX release. |
12.2(18)SXF |
This command was changed as follows:
|
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
The destinationipx-network, ipx-node, andsourceipx-network keywords and arguments are supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2 only.
When entering the IPX address syntax, use the following format:
- IPX network address--1..FFFFFFFE
- IPX node address--x.x.x where x is 0..FFFF
- IPX address--ipx_net.ipx_node (for example, 3.0034.1245.AB45, A43.0000.0000.0001)
Entering any combination of input parameters narrows the search of entries to be cleared. The destination or sourceport-num keyword and argument should be specified as one of the following: telnet, FTP, WWW, SMTP, X, or DNS.
Up to 16 routers can be included explicitly as MLS-RPs.
Use the following syntax to specify an IP subnet address:
- ip-subnet-addr or ipv6-subnet-addr--Short subnet address format. The trailing decimal number 00 in an IP or IPv6 address YY.YY.YY.00 specifies the boundary for an IP or IPv6 subnet address. For example, 172.22.36.00 indicates a 24-bit subnet address (subnet mask 172.22.36.00/255.255.255.0), and 173.24.00.00 indicates a 16-bit subnet address (subnet mask 173.24.00.00/255.255.0.0). However, this format can identify only a subnet address of 8, 16, or 24 bits.
- ip-addr/subnet-mask or ipv6-addr/subnet-mask--Long subnet address format. For example, 172.22.252.00/255.255.252.00 indicates a 22-bit subnet address. This format can specify a subnet address of any bit number. To provide more flexibility, the ip-addr or ipv6-addris a full host address, such as 172.22.253.1/255.255.252.00.
- ip-addr/maskbits or ipv6-addr/maskbits--Simplified long subnet address format. The mask bits specify the number of bits of the network masks. For example, 172.22.252.00/22 indicates a 22-bit subnet address. The ip-addror ipv6-addr is a full host address, such as 193.22.253.1/22, which has the same subnet address as the ip-subnet-addror ipv6-subnet-addr.
If you do not use the all keyword, you must specify at least one of the other four keywords (source, destination, flow, or interface) an d its arguments.
A 0 value for the destination or sourceport-num keyword and argument clears all entries. Unspecified options are treated as wildcards, and all entries are cleared.
Examples
This example shows how to clear all the entries that are associated with a specific module (2) and that have a specific destination IP address (173.11.50.89):
Router#
clear mls netflow ip destination 173.11.50.89 module 2
Router#
This example shows how to clear the IPv6 software-installed entries:
Router#
clear mls netflow ipv6
Router#
This example shows how to clear the statistical information:
Router#
clear mls netflow dynamic
Router#
Related Commands
Command |
Description |
---|---|
show mls netflow ip |
Displays information about the hardware NetFlow IP. |
show mls netflow ipv6 |
Displays information about the hardware NetFlow IPv6 configuration. |
debug mpls netflow
To display debug messages for MPLS egress NetFlow accounting, use the debug mpls netflowcommand in privileged EXEC mode. To disable debugging output, use the no form of this command.
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release |
Modification |
---|---|
12.0(10)ST |
This command was introduced. |
12.1(5)T |
This command was integrated into Cisco IOS Release 12.1(5)T. |
12.0(22)S |
This command was integrated into Cisco IOS Release 12.0(22)S. |
12.2(28)SB |
This command was integrated into Cisco IOS Release 12.2(28)SB. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2(33)SXI4 |
This command was integrated into Cisco IOS Release 12.2(33)SXI4. |
Examples
Here is sample output from the debug mpls netflow command:
Router# debug mpls netflow MPLS Egress NetFlow debugging is on Router# Router# Router# 4d00h:Egress flow:entry created, dest 3.3.3.3/32, src 34.0.0.1/8 Router# Router# 4d00h:Egress flow:entry created, dest 3.3.3.3/32, src 42.42.42.42/32 Router# conf t Enter configuration commands, one per line. End with CNTL/Z. Router(config)# int eth1/4 Router(config-if)# no mpls netflow egress Router(config-if)# 4d00h:MPLS output feature change, trigger TFIB scan 4d00h:tfib_scanner_walk, prefix 5.5.5.5/32, rewrite flow flag 0 4d00h:tfib_scanner_walk, prefix 2.0.0.0/8, rewrite flow flag 0 4d00h:tfib_scanner_walk, prefix 3.3.3.3/32, rewrite flow flag 0 4d00h:tfib_scanner_walk, prefix 40.40.40.40/32, rewrite flow flag 0 4d00h:tfib_scanner_walk, prefix 50.50.50.50/32, rewrite flow flag 0 4d00h:tfib_scanner_walk, prefix 100.100.100.100/32, rewrite flow flag 0 4d00h:tfib_scanner_walk, prefix 180.1.1.0/24, rewrite flow flag 0 4d00h:tfib_scanner_walk, prefix 190.1.1.0/24, rewrite flow flag 1 4d00h:tfib_scanner_walk, prefix 2.0.0.0/8, rewrite flow flag 1 4d00h:tfib_scanner_walk, prefix 4.4.4.4/32, rewrite flow flag 1 4d00h:tfib_scanner_walk, prefix 40.40.40.40/32, rewrite flow flag 0 4d00h:tfib_scanner_walk, prefix 50.50.50.50/32, rewrite flow flag 0 4d00h:tfib_scanner_walk, prefix 177.1.1.0/24, rewrite flow flag 1 4d00h:tfib_scanner_walk, prefix 180.1.1.0/24, rewrite flow flag 0 4d00h:tfib_scanner_walk, prefix 190.1.1.0/24, rewrite flow flag 1 Router(config-if)# Router(config-if)# mpls netflow egress Router(config-if)# 4d00h:Interface refcount with output feature enabled = 2 4d00h:MPLS output feature change, trigger TFIB scan 4d00h:tfib_scanner_walk, prefix 5.5.5.5/32, rewrite flow flag 0 4d00h:tfib_scanner_walk, prefix 2.0.0.0/8, rewrite flow flag 1 4d00h:tfib_scanner_walk, prefix 3.3.3.3/32, rewrite flow flag 1 4d00h:tfib_scanner_walk, prefix 40.40.40.40/32, rewrite flow flag 0 4d00h:tfib_scanner_walk, prefix 50.50.50.50/32, rewrite flow flag 0 4d00h:tfib_scanner_walk, prefix 100.100.100.100/32, rewrite flow flag 1 4d00h:tfib_scanner_walk, prefix 180.1.1.0/24, rewrite flow flag 1 4d00h:tfib_scanner_walk, prefix 190.1.1.0/24, rewrite flow flag 1 4d00h:tfib_scanner_walk, prefix 2.0.0.0/8, rewrite flow flag 1 4d00h:tfib_scanner_walk, prefix 4.4.4.4/32, rewrite flow flag 1 4d00h:tfib_scanner_walk, prefix 40.40.40.40/32, rewrite flow flag 0 4d00h:tfib_scanner_walk, prefix 50.50.50.50/32, rewrite flow flag 0 4d00h:tfib_scanner_walk, prefix 177.1.1.0/24, rewrite flow flag 1 4d00h:tfib_scanner_walk, prefix 180.1.1.0/24, rewrite flow flag 1 4d00h:tfib_scanner_walk, prefix 190.1.1.0/24, rewrite flow flag 1 4d00h:Egress flow:entry created, dest 3.3.3.3/32, src 42.42.42.42/32 Router(config-if)# Router(config-if)# end Router# show run int eth1/4 Building configuration... Current configuration: ! interface Ethernet1/4 ip vrf forwarding vpn1 ip address 180.1.1.1 255.255.255.0 no ip directed-broadcast mpls netflow egress end Router# Router# 4d00h:%SYS-5-CONFIG_I:Configured from console by console Router#
Note |
Flow flag 1 prefixes are reachable through this interface; therefore, MPLS egress NetFlow accounting is applied to all packets going out the destination prefix. Flow flag 0 prefixes are not reachable through this interface; therefore, MPLS egress NetFlow accounting is not applied to any packets going out the destination prefix. |
Related Commands
Command |
Description |
---|---|
show debug |
Displays active debug output. |
enabled (aggregation cache)
To enable a NetFlow accounting aggregation cache, use the enabled command in NetFlow aggregation cache configuration mode. To disable a NetFlow accounting aggregation cache, use the no form of thiscommand.
Syntax Description
This command has no arguments or keywords.
Command Default
No aggregation cache is enabled.
Command Modes
NetFlow aggregation cache configuration
Command History
Release |
Modification |
---|---|
12.0(3)T |
This command was introduced. |
12.2(14)S |
This command was integrated into Cisco IOS Release 12.2(14)S. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Examples
The following example shows how to enable a NetFlow protocol-port aggregation cache:
Router(config)# ip flow-aggregation cache protocol-port
Router(config-flow-cache)# enabled
The following example shows how to disable a NetFlow protocol-port aggregation cache:
Router(config)# ip flow-aggregation cache protocol-port
Router(config-flow-cache)# no enabled
Related Commands
Command |
Description |
---|---|
cache |
Defines operational parameters for NetFlow accounting aggregation caches. |
export destination (aggregation cache) |
Enables the exporting of NetFlow accounting information from NetFlow aggregation caches. |
ip flow-aggregation cache |
Enables NetFlow accounting aggregation cache schemes. |
mask (IPv4) |
Specifies the source or destination prefix mask for a NetFlow accounting prefix aggregation cache. |
show ip cache flow aggregation |
Displays the NetFlow accounting aggregation cache statistics. |
show ip cache flow |
Displays a summary of the NetFlow accounting statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
show ip flow interface |
Displays NetFlow accounting configuration for interfaces. |
export destination
To enable the exporting of NetFlow accounting information from NetFlow aggregation caches, use the export destination command in NetFlow aggregation cache configuration mode. To disable the export of NetFlow accounting information from NetFlow aggregation caches, use the no form of this command.
Syntax Description
ip-address | hostname |
IP address or hostname of the workstation to which you want to send the NetFlow information |
||
port |
Specifies the number of the user datagram protocol (UDP) port on which the workstation is listening for the exported NetFlow datagrams. |
||
vrf vrf-name |
(Optional) The vrf keyword specifies that the export data packets are to be sent to the named Virtual Private Network (VPN) routing forwarding instance (VRF) for routing to the destination, instead of to the global routing table.
|
||
udp |
(Optional) Specifies UDP as the transport protocol. UDP is the default transport protocol. |
Command Default
Export of NetFlow information from NetFlow aggregation caches is disabled.
Command Modes
NetFlow aggregation cache configuration (config-flow-cache)
Command History
Release |
Modification |
---|---|
12.0(3)T |
This command was introduced. |
12.2T |
This command was modified to enable multiple NetFlow export destinations to be used. |
12.3(1) |
Support for the NetFlow v9 Export Format feature was added. |
12.2(14)S |
This command was integrated into Cisco IOS Release 12.2(14)S, and support for the Multiple Export Destinations feature was added. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
If the version of Cisco IOS that you have installed on your networking device supports the NetFlow Multiple Export Destinations feature, you can configure your networking device to export NetFlow data to a maximum of 2 export destinations (collectors) per cache (main and aggregation caches), using any combination of UDP and SCTP as the transport protocol for the destinations. A destination is identified by a unique combination of hostname or IP address and port number or port type.
Note |
UDP is the default transport protocol used by the export destinationcommand. In some Cisco IOS releases you can configure SCTP as the transport protocol if you need reliability and additional redundancy. Refer to the export destination sctp command for more information. |
The table below shows examples of the 2 permitted NetFlow export destinations for each cache.
Table 1 | Examples of Permitted Multiple NetFlow Export Destinations for Each Cache |
First Export Destination |
Second Export Destination |
---|---|
ip flow-export 10.25.89.32 100 udp |
ip flow-export 10.25.89.32 285 udp |
ip flow-export 10.25.89.32 100 udp |
ip flow-export 172.16.89.32 100 udp |
ip flow-export 10.25.89.32 100 udp |
ip flow-export 172.16.89.32 285 udp |
ip flow-export 10.25.89.32 100 udp |
ip flow-export 10.25.89.32 100 sctp |
ip flow-export 10.25.89.32 100 sctp |
ip flow-export 10.25.89.32 285 sctp |
ip flow-export 10.25.89.32 100 sctp |
ip flow-export 172.16.89.32 100 sctp |
ip flow-export 10.25.89.32 100 sctp |
ip flow-export 172.16.89.32 285 sctp |
The most common use of the multiple-destination feature is to send the NetFlow cache entries to two different destinations for redundancy. Therefore, in most cases the second destination IP address is not the same as the first IP address. The port numbers can be the same when you are configuring two unique destination IP addresses. If you want to configure both instances of the command to use the same destination IP address, you must use unique port numbers. You receive a warning message when you configure the two instances of the command with the same IP address. The warning message is, "%Warning: Second destination address is the same as previous address <ip-address>".
VRF Destinations for Exporting NetFlow Data
Before Cisco IOS Releases 12.4(4)T and 12.2(18)SXH, only one routing option existed for NetFlow export data packets. NetFlow sent all export data packets to the global routing table for routing to the export destinations you specified.
Cisco IOS 12.4(4)T, 12.2(18)SXH, and later releases provide an additional routing option for NetFlow export data packets. You can send NetFlow data export packets to a Virtual Private Network (VPN) routing/forwarding instance (VRF) for routing to the destinations that you specify.
To send NetFlow data export packets to a VRF for routing to a destination, you enter the optional vrfvrf-name keyword and argument with the ip flow-export destination ip-addressport command. To configure the global routing table option, enter this command without the optional vrfvrf-name keyword and argument.
Examples
The following example shows how to configure two export destinations for a NetFlow accounting protocol-port aggregation cache scheme:
Router(config)# ip flow-aggregation cache protocol-port Router(config-flow-cache)# export destination 10.41.41.1 9992 Router(config-flow-cache)# export destination 172.16.89.1 9992 Router(config-flow-cache)# enabled
The following example shows how to configure the networking device for exporting from the NetFlow source-prefix-tos aggregation cache to an export destination that is reachable in VRF group1:
Router(config)# ip flow-aggregation cache source-prefix-tos Router(config-flow-cache)# export destination 172.16.10.2 78 vrf group1 Router(config-flow-cache)# enabled
Related Commands
Command |
Description |
---|---|
export template |
Configures template options for the export of NetFlow accounting information in NetFlow aggregation cache entries |
export version |
Specifies the export version format for the exporting of NetFlow accounting information in NetFlow aggregation cache entries |
show ip flow export |
Displays the status and the statistics for NetFlow accounting data export. |
export destination sctp (NetFlow aggregation cache)
To enable the reliable export of NetFlow accounting information from NetFlow aggregation caches, use the export destination sctp command in NetFlow aggregation cache configuration mode. To disable the reliable export of NetFlow accounting information from NetFlow aggregation caches, use the no form of this command.
Syntax Description
ip-address | hostname |
IP address or hostname of the workstation to which you want to send the NetFlow information. |
||
port |
Specifies the number of the stream control transmission protocol (SCTP) port on which the workstation is listening for the exported NetFlow datagrams. |
||
vrf vrf-name |
(Optional) The vrf keyword specifies that the export data packets are to be sent to the named Virtual Private Network (VPN) routing forwarding instance (VRF) for routing to the destination, instead of to the global routing table.
|
Command Default
Reliable export of NetFlow information from NetFlow aggregation caches is disabled.
Command Modes
NetFlow aggregation cache configuration (config-flow-cache)
Command History
Release |
Modification |
---|---|
12.4(4)T |
This command was introduced. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
NetFlow Reliable Export Using SCTP
SCTP can be used as an alternative to UDP when you need a more robust and flexible transport protocol than UDP. SCTP is a reliable message-oriented transport layer protocol, which allows data to be transmitted between two end-points in a reliable, partially reliable, or unreliable manner.
An SCTP session consists of an association (connection) between two end-points (peers), which can contain one or more logical channels called streams. The default mode of transmission for a stream is to guarantee reliable ordered delivery of messages using a selective-acknowledgment scheme. SCTP buffers messages until their receipt has been acknowledged by the receiving end-point. SCTP has a congestion control mechanism which limits how much memory is consumed by the SCTP stack, in packet buffering.
VRF Destinations for Exporting NetFlow Data
Before Cisco IOS Release 12.4(4)T, one routing option existed for NetFlow export data packets. NetFlow sent all export data packets to the global routing table for routing to the destinations you specified.
Cisco IOS 12.4(4)T and later releases provide an additional routing option for NetFlow export data packets. You can send NetFlow data export packets to a Virtual Private Network (VPN) routing/forwarding instance (VRF) for routing to the destinations that you specify.
To send NetFlow data export packets to a VRF for routing to a destination, you enter the optional vrfvrf-name keyword and argument with the export destination ip-addressport command. To configure the global routing table option, enter this command without the optional vrfvrf-name keyword and argument.
Examples
The following example shows how to configure the networking device to use SCTP as the transport protocol when exporting NetFlow data from a NetFlow AS aggregation cache to a host:
Router(config)# ip flow-aggregation cache as Router(config -flow-cache )# export destination 172.16.10.2 78 sctp Router(config -flow-cache )# enabled
The following example shows how to configure the networking device to use SCTP as the transport protocol when exporting NetFlow data from a NetFlow AS aggregation cache to a host that is reachable in VRF group1:
Router(config)# ip flow-aggregation cache as Router(config -flow-cache )# export destination 172.16.10.2 78 vrf group1 sctp Router(config -flow-cache )# enabled
Related Commands
Command |
Description |
---|---|
backup |
Configures a backup destination for the reliable export of NetFlow accounting information in NetFlow cache entries |
export destination |
Enables the export of NetFlow accounting information in NetFlow aggregation cache entries to a remote device such as a server running an application that analyzes NetFlow data. |
export template |
Configures template options for the export of NetFlow accounting information in NetFlow aggregation cache entries |
export version |
Specifies the export version format for the exporting of NetFlow accounting information in NetFlow aggregation cache entries |
reliability |
Specifies the level of reliability for the reliable export of NetFlow accounting information in NetFlow cache entries. |
show ip flow export |
Displays the status and the statistics for NetFlow accounting data export. |
export template
To configure template options for the export of NetFlow accounting information from NetFlow aggregation caches, use the export template command in NetFlow aggregation cache configuration mode. To return to the default behavior, use the noform of this command.
Configure template only
Configure template options
Syntax Description
template |
Enables the refresh-rate and timeout-rate keywords for the configuring of Version 9 export templates. |
||
refresh-rate packets |
(Optional) Specifies the number of export packets that are sent before the options and flow templates are resent. Range:1 to 600 packets. The default is 20 packets.
|
||
timeout-rate minutes |
(Optional) Specifies the interval (in minutes) that the router waits after sending the templates (flow and options) before sending them again. Range: 1 to 3600 minutes. The default is 30 minutes.
|
||
options |
(Optional) Enables the export-stats, refresh-rate, sampler and timeout-rate keywords for configuring Version 9 export options. |
||
export-stats |
(Optional) Enables the export of statistics including the total number of flows exported and the total number of packets exported. |
||
sampler |
(Optional) When Version 9 export is configured, this keyword enables the export of an option containing a random-sampler configuration, including the sampler ID, sampling mode, and sampling interval for each configured random sampler.
|
||
refresh-rate packets |
(Optional) Specifies the number of packets that are sent before the configured options records are resent. Range: 1 to 600 packets. The default is 20 packets.
|
||
timeout-rate minutes |
(Optional) Specifies the interval (in minutes) that the router will wait after sending the options records before they are sent again. Range: 1 to 3600 minutes. The default is 30 minutes.
|
Command Default
The default parameters as noted in the Syntax Description table are used.
Command Modes
NetFlow aggregation cache configuration (config-flow-cache)
Command History
Release |
Modification |
---|---|
12.3(2)T |
This command was introduced. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
The export template options export-stats command requires that the NetFlow Version 9 export format be already configured on the router.
The export template options sampler command requires that the NetFlow Version 9 export format and a flow sampler map be already configured on the router.
Examples
The following example shows how to configure a NetFlow accounting protocol-port aggregation cache so that the networking device sends the export statistics (total flows and packets exported) as options data:
Router(config)# ip flow-aggregation cache protocol-port Router(config-flow-cache)# export template options export-stats Router(config-flow-cache)# enabled
The following example shows how to configure a NetFlow accounting protocol-port aggregation cache to wait until 100 export packets have been sent, or 60 minutes have passed since the last time the templates were sent (whichever comes first) before the templates are resent to the destination host:
Router(config)# ip flow-aggregation cache protocol-port Router(config-flow-cache)# export template refresh-rate 100 Router(config-flow-cache)# export template timeout-rate 60 Router(config-flow-cache)# enabled
The following example shows how to configure a NetFlow accounting protocol-port aggregation cache to enable the export of information about NetFlow random samplers:
Router(config)# ip flow-aggregation cache protocol-port Router(config-flow-cache)# export template option sampler Router(config-flow-cache)# enabled
Tip |
You must have a flow-sampler map configured before you can configure the sampler keyword for the ip flow-export template options command. |
Related Commands
Command |
Description |
---|---|
export destination |
Enables the export of NetFlow accounting information in NetFlow aggregation cache entries to a remote device such as a server running an application that analyzes NetFlow data. |
export version |
Specifies the export version format for the exporting of NetFlow accounting information in NetFlow aggregation cache entries |
show ip flow export |
Displays the status and the statistics for NetFlow accounting data export. |
export version
To specify the version of the export format of NetFlow accounting information from NetFlow aggregation caches, use the export versioncommand in NetFlow aggregation cache configuration mode. To return to the default behavior, use the no form of this command.
Syntax Description
version {8| 9} |
Version of the format for NetFlow data export. |
Command Default
Version 9 is the default format for the exporting of NetFlow accounting information from NetFlow aggregation caches.
Command Modes
NetFlow aggregation cache configuration (config-flow-cache)
Command History
Release |
Modification |
---|---|
12.0(3)T |
This command was introduced. |
12.4(4)T |
The sctp keyword was added. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
NetFlow aggregation caches export data in UDP datagrams using either the Version 9 or Version 8 export format.
The table below describes how to determine the most appropriate export format for your requirements.
Table 2 | Selecting a NetFlow Export Format |
Export Format |
Select When... |
---|---|
Version 9 |
You need a flexible and extensible format, which provides the versatility needed for support of new fields and record types. This format accommodates new NetFlow-supported technologies such as Multicast, IPv6 NetFlow, Egress NetFlow, NetFlow Layer 2 and security exports, Multiprotocol Label Switching (MPLS), and Border Gateway Protocol (BGP) next hop. Version 9 export format enables you to use the same version for main and aggregation caches, and because the format is extensible you can use the same export format with future features. |
Version 8 |
Version 8 export format is available only for export from aggregation caches. Use Version 8 when your NetFlow Collection Engine (NFC) does not support Version 9. |
The export version command supports two export data formats: Version 8, and Version 9. Version 8 should be used only when it is the only NetFlow data export format version that is supported by the application that you are using to analyze the exported NetFlow data. Version 9 is the only flexible export format version.
The NetFlow Version 9 Export Format feature was introduced in Cisco IOS Release 12.0(24)S and was integrated into Cisco IOS Release 12.3(1) and Cisco IOS Release 12.2(18)S.
NetFlow Version 9 is a flexible and extensible means for transferring NetFlow records from a network node to a collector. NetFlow Version 9 has definable record types and is self-describing for easier NetFlow Collection Engine configuration.
Third-party business partners who produce applications that provide NetFlow Collection Engine or display services for NetFlow do not need to recompile their applications each time a new NetFlow technology is added. Instead, with the NetFlow Version 9 Export Format feature, they can use an external data file that documents the known template formats and field types.
NetFlow Version 9 has the following characteristics:
- Record formats are defined by templates.
- Template descriptions are communicated from the router to the NetFlow Collection Engine.
- Flow records are sent from the router to the NetFlow Collection Engine with minimal template information so that the NetFlow Collection Engine can relate the records to the appropriate template.
Version 9 is independent of the underlying transport (UDP, TCP, SCTP, and so on).
Note |
In order for the BGP information to be populated in the main cache, you must have either a NetFlow export destination configured or a NetFlow aggregation configured. |
Note |
The AS values for the peer-as and the origin-as keywords are captured only if you have configured an export destination with the ip flow-export destination command. |
Note |
The AS values for the peer-as and the origin-as keywords are captured only if you have configured an export destination with the ip flow-export destination command. |
For more information on the available export data formats, see the Cisco IOS NetFlow Configuration Guide, Release 12.4T. For more information on the Version 9 data format, see the Cisco IOS NetFlow Version 9 Export Format Feature Guide .
Examples
The following example shows how to configure version 9 as the export format for a NetFlow accounting protocol-port aggregation cache scheme:
Router(config)# ip flow-aggregation cache protocol-port Router(config-flow-cache)# export version 9 Router(config-flow-cache)# enabled
Related Commands
Command |
Description |
---|---|
export destination |
Enables the export of NetFlow accounting information in NetFlow aggregation cache entries to a remote device such as a server running an application that analyzes NetFlow data. |
export template |
Configures template options for the export of NetFlow accounting information in NetFlow aggregation cache entries |
show ip flow export |
Displays the status and the statistics for NetFlow accounting data export. |
flow hardware mpls-vpn ip
To ensure the creation and export of hardware NetFlow cache entries for traffic entering the router on the last MPLS hop of an IPv4 MPLS VPN network, use the flow hardware mpls-vpn ip command in global configuration mode. To disable the creation and export of hardware NetFlow cache entries for this traffic, use the no form of this command.
Syntax Description
vrf-id |
The name of a VRF that you have previously configured. |
Command Default
Creation and export of hardware NetFlow cache entries for traffic entering the router on the last MPLS hop of an IPv4 MPLS VPN network is not enabled.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
12.2(33)SRB |
This command was introduced. |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Usage Guidelines
NetFlow Aggregation
If you want to include IPV4 MPLS VPN traffic in a NetFlow aggregation scheme on your router, you must configure the flow hardware mpls-vpn ip command.
NetFlow Sampling
If you want to include IPV4 MPLS VPN traffic in the traffic that is analyzed using NetFlow sampling on your router, you must configure the flow hardware mpls-vpn ip command.
Examples
The following example configures NDE for VRF vpn1:
Router(config)# flow hardware mpls-vpn ip vpn1
Related Commands
Command |
Description |
---|---|
show mls netflow ip |
Displays information about the hardware NetFlow IP flows. |
flow-sampler
To apply a flow sampler map for random sampled NetFlow accounting to an interface, use the flow-samplercommand in interface configuration mode. To remove a flow sampler map for random sampled NetFlow accounting from an interface, use the noform of this command.
Syntax Description
sampler-map-name |
Name of the flow sampler map to apply to the interface. |
egress |
(Optional) Specifies that the sampler map is to be applied to egress traffic. |
Command Default
Flow sampler maps for NetFlow accounting are not applied to interfaces by default.
Command Modes
Interface configuration
Subinterface configuration
Command History
Release |
Modification |
---|---|
12.3(2)T |
This command was introduced. |
12.2(18)S |
This command was integrated into Cisco IOS Release 12.2(18)S. |
12.0(26)S |
This command was integrated into Cisco IOS Release 12.0(26)S. |
12.3(11)T |
NetFlow egress support was added. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
You must create and enable the random sampler NetFlow map for random sampled NetFlow accounting using the flow-sampler-map and mode commands before you can use the flow-sampler command to apply the random sampler NetFlow map to an interface.
Random sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface, or subinterface. You must disable ingress NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the interface, or subinterface, if you want to enable random sampled NetFlow accounting on the interface, or subinterface.
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Tip |
If you disable CEF or DCEF globally using the no ip cef [distributed] command the flow-sampler sampler-map-name command is removed from any interfaces that you previously configured for random sampled NetFlow accounting. You must reenter the flow-sampler sampler-map-name command after you reenable CEF or dCEF to reactivate random sampled NetFlow accounting. |
Tip |
If your router is running Cisco IOS release 12.2(14)S or a later release, or Cisco IOS Release 12.2(15)T or a later release, NetFlow accounting might be enabled through the use of the ip flow ingress command instead of the ip route-cache flow command. If your router has NetFlow accounting enabled through the use of ip flow ingress command you must disable NetFlow accounting, using the no form of this command, before you apply a random sampler map for random sampled NetFlow accounting on an interface otherwise the full, un-sampled traffic will continue to be seen. |
Examples
The following example shows how to create and enable a random sampler map for random sampled (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:
Router(config)# ip cef Router(config)# flow-sampler-map my-map Router(config-sampler)# mode random one-out-of 100 Router(config-sampler)# interface ethernet 0/0 Router(config-if)# no ip route-cache flow Router(config-if)# ip route-cache cef Router(config-if)# flow-sampler my-map
The following example shows how to create and enable a random sampler map for random sampled egress NetFlow accounting with CEF switching on Ethernet interface 1/0:
Router(config)# ip cef Router(config)# flow-sampler-map my-map Router(config-sampler)# mode random one-out-of 100 Router(config-sampler)# interface ethernet 1/0 Router(config-if)# no ip flow egress Router(config-if)# ip route-cache cef Router(config-if)# flow-sampler my-map egress
The following output from the show flow-sampler command verifies that random sampled NetFlow accounting is active:
Router# show flow-sampler
Sampler : my-map, id : 1, packets matched : 7, mode : random sampling mode
sampling interval is : 100
Related Commands
Command |
Description |
---|---|
flow-sampler-map |
Defines a flow sampler map for random sampled NetFlow accounting. |
mode (flow sampler configuration) |
Specifies a packet interval for NetFlow accounting random sampling mode and enables the flow sampler map. |
netflow-sampler |
Enables NetFlow accounting with input filter sampling. |
show flow-sampler |
Displays the status of random sampled NetFlow (including mode, packet interval, and number of packets matched for each flow sampler). |
show ip cache flow |
Displays a summary of the NetFlow accounting statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
show ip flow interface |
Displays NetFlow accounting configuration for interfaces. |
flow-sampler-map
To define a flow sampler map for random sampled NetFlow accounting, use the flow-sampler-mapcommand in global configuration mode. To remove a flow sampler map for random sampled NetFlow accounting, use the no form of this command.
Syntax Description
sampler-map-name |
Name of the flow sampler map to be defined for random sampled NetFlow accounting. |
Command Default
No flow sampler maps for random sampled NetFlow accounting are defined.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
12.3(2)T |
This command was introduced. |
12.2(18)S |
This command was integrated into Cisco IOS Release 12.2(18)S. |
12.0(26)S |
This command was integrated into Cisco IOS Release 12.0(26)S. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
Random sampled NetFlow accounting does not start sampling traffic until (1) the random sampler map is activated through the use of the mode command and (2) the sampler map has been applied to an interface through the use of the flow-sampler command.
Random Sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface, or subinterface. You must disable (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the interface or subinterface, if you want to enable random sampled NetFlow accounting on that interface or subinterface.
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Tip |
If you disable dCEF globally using the no ip cef [distributed] command, the flow-sampler sampler-map-name command is removed from any interfaces that you previously configured for random sampled NetFlow accounting. You must reenter the flow-sampler sampler-map-name command after you reenable CEF or dCEF to reactivate random sampled NetFlow accounting. |
Tip |
If your router is running Cisco IOS release 12.2(14)S or a later release, or Cisco IOS Release 12.2(15)T or a later release, NetFlow accounting might be enabled through the use of the ip flow ingress command instead of the ip route-cache flow command. If your router has NetFlow accounting enabled through the use of ip flow ingress command you must disable NetFlow accounting, using the no form of this command, before you apply a random sampler map for random sampled NetFlow accounting on an interface otherwise the full, un-sampled traffic will continue to be seen. |
Examples
The following example shows how to create and enable a random sampler map for random sampled (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:
Router(config)# ip cef Router(config)# flow-sampler-map my-map Router(config-sampler)# mode random one-out-of 100 Router(config-sampler)# interface ethernet 0/0 Router(config-if)# no ip route-cache flow Router(config-if)# ip route-cache cef Router(config-if)# flow-sampler my-map
The following example shows how to create and enable a random sampler map for random sampled egress NetFlow accounting with CEF switching on Ethernet interface 1/0:
Router(config)# ip cef Router(config)# flow-sampler-map my-map Router(config-sampler)# mode random one-out-of 100 Router(config-sampler)# interface ethernet 1/0 Router(config-if)# no ip flow egress Router(config-if)# ip route-cache cef Router(config-if)# flow-sampler my-map egress
The following output from the show flow-sampler command verifies that random sampled NetFlow accounting is active:
Router# show flow-sampler
Sampler : my-map, id : 1, packets matched : 7, mode : random sampling mode
sampling interval is : 100
Related Commands
Command |
Description |
---|---|
flow-sampler-map |
Defines a flow sampler map for random sampled NetFlow accounting. |
mode (flow sampler configuration) |
Specifies a packet interval for NetFlow accounting random sampling mode and enables the flow sampler map. |
netflow-sampler |
Enables NetFlow accounting with input filter sampling. |
show flow-sampler |
Displays the status of random sampled NetFlow (including mode, packet interval, and number of packets matched for each flow sampler). |
show ip cache flow |
Displays a summary of the NetFlow accounting statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
show ip flow interface |
Displays NetFlow accounting configuration for interfaces. |
ip flow
To enable NetFlow accounting for inbound (received) or outbound (transmitted) network traffic, use the ip flowcommand in interface or subinterface configuration mode. To disable NetFlow accounting, use the no form of this command.
Syntax Description
ingress |
Enables NetFlow accounting for traffic that is received on an interface.
|
||
egress |
Enables NetFlow accounting for traffic that is transmitted on an interface.
|
Command Default
NetFlow accounting is disabled.
Command Modes
Interface configuration (config-if)
Subinterface configuration (config-sub-if)
Command History
Release |
Modification |
---|---|
12.2(14)S |
This command was introduced. |
12.2(25)S |
Output of the show running configuration command was modified so that the ip route-cache flowcommand as well as the ip flow ingress command will appear when either command is configured. |
12.2(15)T |
This command was integrated into Cisco IOS Release 12.2(15)T. |
12.3(11)T |
The egress keyword was added. |
12.2(28)SBB |
This command was integrated into Cisco IOS Release 12.2(27)SBB and implemented for the Cisco 10000 series routers. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
12.2(18)SXE |
Support for this command was introduced on the Supervisor Engine 720. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. This command was changed to allow you to dynamically create NetFlow entries on a 7600. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
Cisco 7600 Series Platforms
The ip flow ingresscommand is supported on the Supervisor Engine 720 in PFC3B and PFC3BXL mode.
The ip flow ingresscommand is supported on the Supervisor Engine 2 with a PFC2.
In Release 12.2(18)SXF and later releases, to create a NetFlow entry, you need to enter the ip flow ingress command. In releases prior to Release 12.2(18)SXF, the NetFlow entries are created automatically.
Other Platforms
Use this command on an interface or subinterface to enable NetFlow accounting for traffic.
You must enable CEF or dCEF globally on the networking device, and on the interface or subinterface that you want to enable NetFlow accounting on before you enable either ingress or egress NetFlow accounting.
Examples
The following example shows how to configure ingress NetFlow accounting for traffic that is received on FastEthernet interface 0/0:
Router(config)# interface fastethernet0/0 Router(config-if)# ip flow ingress
The following example shows how to configure egress NetFlow accounting for traffic that is transmitted on FastEthernet interface 0/0:
Router(config)# interface fastethernet0/0 Router(config-if)# ip flow egress
Related Commands
Command |
Description |
---|---|
ip flow-egress input-interface |
Removes the NetFlow egress accounting flow key that specifies an output interface and adds a flow key that specifies an input interface for NetFlow egress accounting. |
ip flow-cache timeout |
Specifies NetFlow accounting flow cache parameters |
ip flow-cache entries |
Changes the number of entries maintained in the NetFlow accounting cache. |
show ip cache flow |
Displays a summary of the NetFlow accounting statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
show ip flow interface |
Displays NetFlow accounting configuration for interfaces. |
ip flow layer2-switched
To enable the creation of switched, bridged, and Layer 2 IP flows for a specific VLAN, use the ip flow layer2-switched command in global configuration mode. Use the no form of this command to return to the default settings.
Syntax Description
ingress |
Enables the collection of switched, bridged, and IP flows in Layer 2. |
export |
Enables the export of switched, bridged, and IP flows in Layer 2. |
vlan num | vlanlist |
Specifies the VLAN or range of VLANs; valid values are from 1 to 4094. See the "Usage Guidelines" section for additional information. |
Command Default
The defaults are as follows:
- ip flow ingress layer2switch is disabled.
- ip flow export layer2switched is enabled.
Command Modes
Global configuration (config)
Command History
Release |
Modification |
---|---|
12.2(18)SXE |
Support for this command was introduced on the Supervisor Engine 720. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Usage Guidelines
The ip flow layer2-switchedcommand is supported on the Supervisor Engine 720 in PFC3B and PFC3BXL mode only.
The ip flow layer2-switchedcommand is supported on the Supervisor Engine 2 with a PFC2.
Before using this command on Cisco 7600 series routers that are configured with a Supervisor Engine 720, you must ensure that a corresponding VLAN interface is available and has a valid IP address. This guideline does not apply to Cisco 7600 series routers that are configured with a Supervisor Engine 2.
You can enter one or multiple VLANs. The following examples are samples of valid VLAN lists: 1; 1,2,3; 1-3,7.
Examples
This example shows how to enable the collection of Layer 2-switched flows on a specific VLAN:
Router(config)# ip flow ingress layer2-switched vlan 2
Router(config)#
This example shows how to enable export of Layer 2-switched flows on a range of VLANs:
Router(config)# ip flow export layer2-switched vlan 1-3,7
Router(config)#
This example shows how to disable the collection of Layer 2-switched flows on a specific VLAN:
Router(config)# no ip flow ingress layer2-switched vlan 2
Router(config#
ip flow-aggregation cache
To enable NetFlow accounting aggregation cache schemes, use the ip flow-aggregation cachecommand in global configuration mode. To disable NetFlow accounting aggregation cache schemes, use the no form of this command.
Syntax Description
as |
Configures the autonomous system aggregation cache scheme. |
||
as-tos |
Configures the autonomous system type of service (ToS) aggregation cache scheme. |
||
bgp-nexthop-tos |
Configures the Border Gateway Protocol (BGP) next hop ToS aggregation cache scheme.
|
||
destination-prefix |
Configures the destination-prefix aggregation cache scheme. |
||
destination-prefix-tos |
Configures the destination prefix ToS aggregation cache scheme. |
||
prefix |
Configures the prefix aggregation cache scheme. |
||
prefix-port |
Configures the prefix port aggregation cache scheme. |
||
prefix-tos |
Configures the prefix ToS aggregation cache scheme. |
||
protocol-port |
Configures the protocol-port aggregation cache scheme. |
||
protocol-port-tos |
Configures the protocol-port ToS aggregation cache scheme. |
||
source-prefix |
Configures the source-prefix aggregation cache scheme. |
||
source-prefix-tos |
Configures the source-prefix ToS aggregation cache scheme. |
||
exp-bgp-prefix |
Configures the exp-bgp-prefix aggregation cache scheme. |
Command Default
This command is not enabled by default.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
12.0(3)T |
This command was introduced. |
12.0(15)S |
This command was modified to include the ToS aggregation scheme keywords. |
12.2(2)T |
This command was modified to enable multiple NetFlow export destinations. |
12.2(14)S |
This command was integrated into Cisco IOS Release 12.2(14)S. |
12.3(1) |
Support for the BGP Next Hop Support feature was added. |
12.2(18)S |
Support for the BGP Next Hop Support feature was added. |
12.2(14)SX |
Support for this command was introduced on the Supervisor Engine 720. |
12.2(17d)SXB |
Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. The exp-bgp-prefix aggregation cache keyword was added. |
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command. The export destination command supports a maximum of two concurrent export destinations.
The ToS aggregation cache scheme keywords enable NetFlow accounting aggregation cache schemes that include the ToS byte in their export records. The ToS byte is an 8-bit field in the IP header. The ToS byte specifies the quality of service for a datagram during its transmission through the Internet.
You can enable only one aggregation cache configuration scheme per command line. The following rules apply to configuring source and destination masks.
- The source mask can only be configured in the prefix, prefix-port, prefix-tos, source-prefix and source-prefix-tos aggregation modes.
- The destination mask can only be configured in the prefix, prefix-port, prefix-tos, destination-prefix and destination-prefix-tos aggregation modes.
- No masks can be configured in non-prefix aggregation modes
To enable aggregation (whether or not an aggregation cache is fully configured), you must enter the enabled command in aggregation cache configuration mode. (You can use the no form of this command to disable aggregation. The cache configuration remains unchanged even if aggregation is disabled.)
Examples
The following example shows how to configure a NetFlow accounting autonomous system aggregation cache scheme:
Router(config)# ip flow-aggregation cache as Router(config-flow-cache)# enabled
The following example shows how to configure a minimum prefix mask of 16 bits for the NetFlow accounting destination-prefix aggregation cache scheme:
Router(config)# ip flow-aggregation cache destination-prefix Router(config-flow-cache)# mask destination minimum 16 Router(config-flow-cache)# enabled
The following example shows how to configure a minimum prefix mask of 16 bits for the NetFlow accounting source-prefix aggregation cache scheme:
Router(config)# ip flow-aggregation cache source-prefix Router(config-flow-cache)# mask source minimum 16 Router(config-flow-cache)# enabled
The following example shows how to configure multiple export destinations for the NetFlow accounting autonomous system ToS aggregation cache scheme:
Router(config)# ip flow-aggregation cache as-tos Router(config-flow-cache)# export destination 172.17.24.65 9991 Router(config-flow-cache)# export destination 172.16.10.2 9991 Router(config-flow-cache)# enabled
Related Commands
Command |
Description |
---|---|
export destination (aggregation cache) |
Enables the exporting of NetFlow accounting information from NetFlow aggregation caches. |
enabled (aggregation cache) |
Enables the NetFlow aggregation cache. |
mask |
Specifies the source or destination prefix mask. |
show ip cache flow aggregation |
Displays a summary of the NetFlow accounting aggregation cache statistics. |
show ip cache flow |
Displays a summary of the NetFlow accounting statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
show ip flow interface |
Displays NetFlow accounting configuration for interfaces. |
ip flow-cache entries
To change the number of entries maintained in the NetFlow accounting cache, use the ip flow-cache entriescommand in global configuration mode. To return to the default number of entries, use the no form of this command.
Syntax Description
number |
Number of entries to maintain in the NetFlow cache. The range is from 1024 to 524288. The default is 4096.
|
Command Default
The default value of 4096 is used as the size of the NetFlow accounting cache.
Command Modes
Global configuration (config)
Command History
Release |
Modification |
---|---|
12.0(3)T |
This command was introduced. |
12.2(14)S |
This command was integrated into Cisco IOS Release 12.2(14)S. |
12.2(14)SX |
Support for this command was introduced on the Supervisor Engine 720. |
12.2(17d)SXB |
Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Normally the default size of the NetFlow cache will meet your needs. However, you can increase or decrease the number of entries maintained in the cache to meet the needs of your flow traffic rates. For environments with a high amount of flow traffic (such as an internet core router), a larger value such as 131072 (128K) is recommended. To obtain information on your flow traffic, use the show ip cache flow EXEC command.
Each cache entry is approximately 64 bytes of storage. Assuming a cache with the default number of entries, approximately 4 MB of DRAM would be required. Each time a new flow is taken from the free flow queue, the number of free flows is checked. If only a few free flows remain, NetFlow attempts to age 30 flows using an accelerated timeout. If only one free flow remains, NetFlow automatically ages 30 flows regardless of their age. The intent is to ensure that free flow entries are always available.
Caution |
We recommend that you not change the number of NetFlow cache entries. To return to the default number of NetFlow cache entries, use the no ip flow-cache entries global configuration command. |
Examples
The following example shows how to increase the number of NetFlow cache entries to 131,072 (128K):
Router(config)# ip flow-cache entries 131072
%The change in number of entries will take effect after either the next reboot or when netflow is turned off on all interfaces
Tip |
You turn off NetFlow accounting on interfaces by removing the command that you enabled NetFlow accounting with. For example, if you enabled NetFlow accounting on an interface with the ip flow ingress command you turn off NetFlow accounting for the interface using the no form of the command -no ip flow ingress. Remember to turn NetFlow accounting back on for the interface after you have turned it off. |
Related Commands
Command |
Description |
---|---|
ip flow-cache timeout |
Specifies NetFlow accounting flow cache parameters. |
ip flow egress |
Enables NetFlow egress accounting for traffic that the router is forwarding. |
ip flow-egress input-interface |
Removes the NetFlow egress accounting flow key that specifies an output interface and adds a flow key that specifies an input interface for NetFlow egress accounting. |
ip flow ingress |
Enables NetFlow (ingress) accounting for traffic arriving on an interface. |
show ip cache flow |
Displays a summary of the NetFlow accounting statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
show ip flow interface |
Displays NetFlow accounting configuration for interfaces. |
ip flow-cache mpls label-positions
To enable Multiprotocol Label Switching (MPLS)-Aware NetFlow, use the ip flow-cache mpls label-positions command in global configuration mode. To disable MPLS-aware NetFlow, use the no form of this command.
Syntax Description
label-position-l |
(Optional) Position of an MPLS label in the incoming label stack. Label positions are counted from the top of the stack, starting with 1. |
exp-bgp-prefix-fields |
(Optional) Generates a MPLS Provider Edge (PE) PE-to-PE traffic matrix. The following IP-related flow fields are included: The MPLS label values will be set to zero on the Cisco 10000 in the display output of the show ip cache verbose flow aggregation exp-bgp-prefix command. |
no-ip-fields |
(Optional) Controls the capture and reporting of MPLS flow fields. If the no-ip-fields keyword is not specified, the following IP-related flow fields are included:
If the no-ip-fields keyword is specified, the IP-related fields are reported with a value of 0. |
mpls-length |
(Optional) Controls the reporting of packet length. If the mpls-length keyword is specified, the reported length represents the sum of the MPLS packet payload length and the MPLS label stack length. If the mpls-length keyword is not specified, only the length of the MPLS packet payload is reported. |
Command Default
MPLS-Aware NetFlow is not enabled.
Command Modes
Global configuration (config)
Command History
Release |
Modification |
---|---|
12.0(24)S |
This command was introduced. |
12.0(25)S |
The no-ip-fields and mpls-length keywords were added. |
12.3(8)T |
This command was integrated into Cisco IOS Release 12.3(8)T. |
12.2(28)SB |
This command was integrated into Cisco IOS Release 12.2(28)SB. |
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. The exp-bgp-prefix-fields keyword was added. |
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Use this command to configure the MPLS-aware NetFlow feature on a label switch router (LSR) and to specify labels of interest in the incoming label stack. Label positions are counted from the top of the stack, starting with 1. The position of the top label is 1, the position of the second label is 2, and so forth.
With MPLS-aware NetFlow enabled on the router, NetFlow collects data for incoming IP packets and for incoming MPLS packets on all interfaces where NetFlow is enabled in full or in sampled mode.
Caution |
When you enter the ip flow-cache mpls label-positions command on a Cisco 12000 series Internet router, NetFlow will stop collecting data for incoming IP packets on any Engine 4P line cards installed in the router on which NetFlow is enabled in full or in sampled mode. Engine 4P line cards in a Cisco 12000 series Internet router do not support NetFlow data collection of incoming IP packets and MPLS packets concurrently. |
Tip |
MPLS-aware NetFlow is enabled in global configuration mode. NetFlow is enabled per interface. |
Examples
The following example shows how to configure MPLS-aware NetFlow to capture the first (top), third, and fifth label:
Router(config)# ip flow-cache mpls label-positions 1 3 5
The following example shows how to configure MPLS-aware NetFlow to capture only MPLS flow information (no IP-related flow fields) and the length that represents the sum of the MPLS packet payload length and the MPLS label stack length:
Router(config)# ip flow-cache mpls label-positions no-ip-fields mpls-length
The following example shows how to configure MPLS PE-to-PE Traffic Statistics for Netflow:
Router(config)# ip flow-cache mpls label-positions 1 2 exp-bgp-prefix-fields
Related Commands
Command |
Description |
---|---|
ip flow-cache entries |
Changes the number of entries maintained in the NetFlow accounting cache. |
ip flow-cache timeout |
Specifies NetFlow accounting flow cache parameters. |
ip flow egress |
Enables NetFlow egress accounting for traffic that the router is forwarding. |
ip flow-egress input-interface |
Removes the NetFlow egress accounting flow key that specifies an output interface and adds a flow key that specifies an input interface for NetFlow egress accounting. |
ip flow ingress |
Enables NetFlow (ingress) accounting for traffic arriving on an interface. |
show ip cache flow |
Displays a summary of the NetFlow accounting statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
show ip flow interface |
Displays NetFlow accounting configuration for interfaces. |
ip flow-cache timeout
To specify NetFlow accounting flow cache parameters, use the ip flow-cache timeout command in global configuration mode. To disable the flow cache parameters, use the no form of this command.
Syntax Description
active |
Specifies the active flow timeout. |
minutes |
(Optional) The number of minutes that an active flow remains in the cache before it times out. The range is from 1 to 60. The default value is 30. |
inactive |
Specifies the inactive flow timeout. |
seconds |
(Optional) The number of seconds that an inactive flow remains in the cache before it times out. The range is from 10 to 600. The default value is 15. |
Command Default
The flow-cache timeout values are set to the default values.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
12.3(7)T |
This command was introduced. |
12.2(14)S |
This command was integrated into Cisco IOS Release 12.2(14)S. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Use this command to specify active and inactive timeout parameters.
A flow is considered to be active if packets belonging to the flow are detected wherever the NetFlow statistics are being collected. A flow is considered to be inactive if no further packets are detected for the flow at the collection point for NetFlow statistics.
Examples
In the following example, an active flow is allowed to remain in the cache for 20 minutes:
Router(config)# ip flow-cache timeout active 20
In the following example, an inactive flow is allowed to remain in the cache for 10 seconds before it times out and is removed:
Router(config)# ip flow-cache timeout inactive 10
Related Commands
Command |
Description |
---|---|
ip flow egress |
Enables NetFlow (egress) accounting for traffic that the router is forwarding. |
ip flow ingress |
Enables NetFlow (ingress) accounting for traffic arriving on an interface. |
ip flow-cache entries |
Changes the number of entries maintained in the NetFlow accounting cache. |
ip flow-egress input-interface |
Removes the NetFlow egress accounting flow key that specifies an output interface and adds a flow key that specifies an input interface for NetFlow egress accounting. |
show ip cache flow |
Displays a summary of the NetFlow accounting statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
show ip flow interface |
Displays NetFlow accounting configuration for interfaces. |
ip flow-capture
To enable the capture of values from Layer 2 or additional Layer 3 fields in NetFlow traffic, use the ip flow-capture command in global configuration mode. To disable capturing Layer 2 or Layer 3 fields from NetFlow traffic, use the no form of this command.
Syntax Description
fragment-offset |
Captures the value of the 13-bit IP fragment offset field from the first fragmented IP datagram in a flow. |
||
icmp |
Captures the value of the ICMP type and code fields from the first ICMP datagram in a flow. |
||
ip-id |
Captures the value of the IP-ID field from the first IP datagram in a flow. |
||
mac-addresses |
Captures the values of the source MAC addresses from ingress packets and the destination MAC addresses from egress packets from the first packet in a flow.
|
||
packet-length |
Captures the value of the packet length field from IP datagrams in a flow. |
||
ttl |
Captures the value of the time-to-live (TTL) field from IP datagrams in a flow. |
||
vlan-id |
Captures the value of the 802.1q or Inter-Switch Link (ISL) VLAN-ID field from VLAN-encapsulated frames in a flow when the frames are received or transmitted on trunk ports. |
||
nbar |
Exports Network Based Application Recognition (NBAR) information along with the NetFlow Version 9 record. |
Command Default
Values from Layer 2 and Layer 3 fields are not captured.
Command Modes
Global configuration (config)
Command History
Release |
Modification |
---|---|
12.3(14)T |
This command was introduced. |
12.4(2)T |
The fragment-offset keyword was added. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2(18)ZYA2 |
This command was modified. The nbar keyword was added. |
Usage Guidelines
You must enable NetFlow accounting on an interface or a subinterface using the ip flow {ingress | egress} command for the ip flow-capture command to take effect. You can enable NetFlow accounting before or after you have entered the ip flow-capture command in global configuration mode.
If you want to export the information captured by the ip flow-capturecommand, you must configure NetFlow export using the ip flow-export destination command, and you must configure NetFlow to use the Version 9 export format. Use the ip flow-export version 9 command to configure the NetFlow Version 9 export format.
The fields captured by the ip flow-capturecommand are currently not available in the NetFlow MIB.
Note |
You can capture the value from only one field at a time. Execute the command once for each value you want to capture. |
ip flow-capture fragment-offset
IP fragmentation occurs when the size of an IP datagram exceeds the maximum transmission unit (MTU) of the Layer 2 frame type used by the next-hop network. For example, the IP MTU size of an ATM network is 4470 bytes. When a host needs to transmit an IP datagram that exceeds 4470 bytes on an ATM network, it must first fragment the datagram into two or more smaller IP datagrams.
An IP datagram sent by a host system such as a web server can also be fragmented by a router in the network if the router needs to transmit the IP datagram on a next-hop network that has an MTU that is smaller than the current size of the IP datagram. For example, if a router receives a 4470-byte IP datagram on an ATM interface and the next-hop network is a 100-Mbps Fast Ethernet network with an MTU of 1514, the router must fragment the IP datagram into three smaller IP datagrams (4470/1514). It is possible for an IP datagram to be fragmented two or more times on its path from the sending host to the destination host.
A fragmented IP datagram is reassembled by the destination host. The last fragment of an IP datagram is identified when the "more fragments" flag is set to 0. The length of a complete IP datagram is calculated by the receiving host by means of the fragment offset field and the length of the last fragment.
The ip flow-capture fragment-offsetcommand captures the value of the IP fragment offset field from the first fragmented IP packet in the flow. If you are seeing several flows with the same value for the IP fragment offset field, it is possible that your network is being attacked by a host that is sending the same IP packets again and again.
ip flow-capture icmp
Internet Control Message Protocol (ICMP) is used for several purposes. One of the most common is the ping command. ICMP echo requests are sent by a host to a destination to verify that the destination is reachable by IP. If the destination is reachable, it should respond by sending an ICMP echo reply. Refer to RFC 792, Darpa Internet Program Protocol Specification ( http://www.ietf.org/rfc/rfc0792.txt?number=792 ) for more information on ICMP.
ICMP packets have been used in many types of attacks on networks. Two of the most common attacks are the denial-of-service (DoS) attack and the "ping of death" attack.
- DoS attack--Any action or actions that prevent any part of a system from functioning in accordance with its intended purpose. This includes any action that causes unauthorized delay of service. Generally, DoS attacks do not destroy data or resources, but prevent access or use. In network operations, flooding a device with ping packets when the device has not been configured to block or ignore them might effect a denial of service.
- "ping of death"--An attack that sends an improperly large ping echo request packet with the intent of overflowing the input buffers of the destination machine and causing it to crash.
Finding out the types of ICMP traffic in your network can help you decide if your network is being attacked by ICMP packets.
The ip flow-capture icmp command captures the value of the ICMP type field and the ICMP code field from the first ICMP packet detected in a flow.
ip flow-capture ip-id
It is possible for a host to receive IP datagrams from two or more senders concurrently. It is also possible for a host to receive multiple IP datagrams from the same host for different applications concurrently. For example, a server might be transferring email and HTTP traffic from the same host concurrently. When a host is receiving multiple IP datagrams concurrently, it must be able to identify the fragments from each of the incoming datagrams to ensure that they do not get mixed up during the datagram reassembly process. The receiving host uses the IP header identification field and the source IP address of the IP datagram fragment to ensure that it rebuilds the IP datagrams correctly.
The ip flow-capture ip-id command captures the value of the IP header identification field from the first packet in the flow. The value in the IP header identification field is a sequence number assigned by the host that originally transmitted the IP datagram. All of the fragments of an IP datagram have the same identifier value. This ensures that the destination host can match the IP datagram to the fragment during the IP datagram reassembly process. The sending host is responsible for ensuring that each subsequent IP datagram it sends to the same destination host has a unique value for the IP header identification field.
If you are seeing several flows with the same value for the IP header identification field, it is possible that your network is being attacked by a host that is sending the same IP packets again and again.
ip flow-capture packet-length
The value in the packet length field in an IP datagram indicates the length of the IP datagram, excluding the IP header.
Use the ip flow-capture packet-length command to capture the value of the IP header packet length field for packets in the flow. The ip flow-capture packet-length command keeps track of the minimum and maximum values captured from the flow. The minimum and maximum packet length values are stored in separate fields. This data is updated when a packet with a packet length that is lower or higher than the currently stored value is received. For example, if the currently stored value for the minimum packet length is 1024 bytes and the next packet received has a packet length of 512 bytes, the 1024 is replaced by 512.
If you are seeing several IP datagrams in the flow with the same value for the packet-length field, it is possible that your network is being attacked by a host that is constantly sending the same IP packets again and again.
ip flow-capture ttl
The TTL field is used to prevent the indefinite forwarding of IP datagrams. The TTL field contains a counter value set by the source host. Each router that processes this datagram decreases the TTL value by 1. When the TTL value reaches 0, the datagram is discarded.
There are two scenarios where an IP packet without a TTL field could live indefinitely in a network:
- The first scenario occurs when a host sends an IP datagram to an IP network that does not exist and the routers in the network have a gateway of last resort configured--that is, a gateway to which they forward IP datagrams for unknown destinations. Each router in the network receives the datagram and attempts to determine the best interface to use to forward it. Because the destination network is unknown, the best interface for the router to use to forward the datagram to the next hop is always the interface to which the gateway of last resort is assigned.
- The second scenario occurs when a wrong configuration in the network results in a routing loop. For example, if one router forwards an IP datagram to another router because it appears to be the correct next-hop router, then the receiving router sends it back because it believes that the correct next-hop router is the router that it received the IP datagram from in the first place.
The ip flow-capture ttl command keeps track of the TTL values captured from packets in the flow. The minimum and maximum TTL values are stored in separate fields. This data is updated when a packet with a TTL that is lower or higher than the currently stored value is received. For example if the currently stored value for the minimum TTL is 64 and the next packet received has a TTL of 12, the 64 is replaced by 12.
If you are seeing several flows with the same value for the TTL, it is possible that your network is being attacked by a host that is constantly sending the same IP packets again and again. Under normal circumstances, flows come from many sources, each a different distance away. Therefore you should see a variety of TTLs across all the flows that NetFlow is capturing.
ip flow-capture mac-addresses
Note |
This command applies only to the traffic that is received or transmitted over Ethernet interfaces. |
The ip flow-capture mac-addresses command captures the MAC addresses of the incoming source and the outgoing destination from the first Layer 2 frame in the flow. If you discover that your network is attacked by Layer 3 traffic, use these addresses to identify the device that transmits the traffic received by the router and the next-hop or final destination device to which the router forwards the traffic.
ip flow-capture vlan-id
A virtual LAN (VLAN) is a broadcast domain within a switched network. A broadcast domain is defined by the network boundaries within which a network propagates a broadcast frame generated by a station. Some switches can be configured to support single or multiple VLANs. Whenever a switch supports multiple VLANs, broadcasts within one VLAN never appear in another VLAN.
Each VLAN is also a separate Layer 3 network. A router or a multilayer switch must be used to interconnect the Layer 3 networks that are assigned to the VLANs. For example, a device on VLAN 2 with an IP address of 172.16.0.76 communicating with a device on VLAN 3 with an IP address of 172.17.0.34 must use a router as an intermediary device because they are on different Class B IP networks. This is accomplished by connecting a switch to a router and configuring the link between them as a VLAN trunk. In order for the link to be used as a VLAN trunk, the interfaces on the router and the switch must be configured for the same VLAN encapsulation type.
Note |
When a router is configured to route traffic between VLANs, it is often referred to as an inter-VLAN router. |
When a router or a switch needs to send traffic on a VLAN trunk, it must either tag the frames using the IEEE 802.1q protocol or encapsulate the frames using the Cisco Inter-Switch Link (ISL) protocol. The VLAN tag or encapsulation header must contain the correct VLAN ID to ensure that the device receiving the frames can process them properly. The device that receives the VLAN traffic examines the VLAN ID from each frame to find out how it should process the frame. For example, when a switch receives an IP broadcast datagram such as an Address Resolution Protocol (ARP) datagram with an 802.1q tagged VLAN ID of 6 from a router, it forwards the datagram to every interface that is assigned to VLAN 6 and any interfaces that are configured as VLAN trunks.
The ip flow-capture vlan-idcommand captures the VLAN ID number from the first frame in the flow it receives that has an 802.1q tag or that is encapsulated with ISL. When the received traffic in the flow is transmitted over an interface that is configured with either 802.1q or ISL trunking, the ip flow-capture vlan-idcommand captures the destination VLAN ID number from the 802.1q or ISL VLAN header from the first frame in the flow.
Note |
The ip flow-capture vlan-idcommand does not capture the type of VLAN encapsulation in use. The receiving and transmitting interfaces can use different VLAN protocols. If only one of the interfaces is configured as a VLAN trunk, the VLAN ID field is blank for the other interface. |
Your router configuration must meet the following criteria before NetFlow can capture the value in the VLAN-ID field:
- It must have at least one LAN interface that is configured with one or more subinterfaces.
- The subinterfaces where you want to receive VLAN traffic must have either 802.1q or ISL enabled.
- The subinterfaces that are configured to receive VLAN traffic must have the ip flow ingress command configured on them.
If you discover that your network is being attacked by Layer 3 traffic, you can use the VLAN-ID information to help you find out which VLAN the device that is sending the traffic is on. The information can also help you identify the VLAN to which the router is forwarding the traffic.
ip flow-capture nbar
The ip flow-capture nbar command captures the application IDs and subapplication IDs exported as part of the NetFlow Version 9 record. The application IDs are mapped to applications. By means of the ip flow-export template options nbar command, this mapping information is exported to the NetFlow data collector. To capture Network Based Application Recognition (NBAR) information, you must enable NetFlow Version 9.
Note |
The subapplication ID value is always 0 in current release. |
Examples
The following example shows how to configure NetFlow to capture the value of the IP fragment-offset field from the IP datagrams in the flow:
Router(config)# ip flow-capture fragment-offset
The following example shows how to configure NetFlow to capture the value of the ICMP type field and the value of the code field from the IP datagrams in the flow:
Router(config)# ip flow-capture icmp
The following example shows how to configure NetFlow to capture the value of the IP-ID field from the IP datagrams in the flow:
Router(config)# ip flow-capture ip-id
The following example shows how to configure NetFlow to capture the value of the packet length field from the IP datagrams in the flow:
Router(config)# ip flow-capture packet-length
The following example shows how to configure NetFlow to capture the TTL field from the IP datagrams in the flow:
Router(config)# ip flow-capture ttl
The following example shows how to configure NetFlow to capture the MAC addresses from the IP datagrams in the flow:
Router(config)# ip flow-capture mac-addresses
The following example shows how to configure NetFlow to capture the VLAN ID from the IP datagrams in the flow:
Router(config)# ip flow-capture vlan-id
The following example shows how to configure NetFlow to capture NBAR information:
Router(config)# ip flow-capture nbar
Related Commands
Command |
Description |
---|---|
ip flow-cache entries |
Changes the number of entries maintained in the NetFlow accounting cache. |
ip flow-cache timeout |
Specifies NetFlow accounting flow cache parameters. |
ip flow egress |
Enables NetFlow egress accounting for traffic that the router is forwarding. |
ip flow-egress input-interface |
Removes the NetFlow egress accounting flow key that specifies an output interface and adds a flow key that specifies an input interface for NetFlow egress accounting. |
ip flow-export template options nbar |
Exports application mapping information to the NetFlow data collector. |
ip flow ingress |
Enables NetFlow ingress accounting for traffic arriving on an interface. |
show ip cache flow |
Displays a summary of NetFlow accounting statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
show ip flow export |
Displays the status and the statistics for NetFlow accounting data export. |
show ip flow interface |
Displays the NetFlow accounting configuration for interfaces. |
ip flow-egress input-interface
To remove the NetFlow egress accounting flow key that specifies an output interface and to add a flow key that specifies an input interface for NetFlow egress accounting, use the ip flow-egress input-interface command in global configuration mode. To change the flow key back from an input interface to an output interface for NetFlow egress statistics, use the no form of this command.
Syntax Description
This command has no arguments or keywords.
Command Default
By default NetFlow egress statistics use the output interface as part of the flow key.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
12.3(11)T |
This command was introduced. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Usage Guidelines
You must have NetFlow egress accounting configured on your router before you can use this command.
When the NetFlow Egress Support feature is configured, by default it uses the output interface as part of the flow key. The ip flow-egress input-interfacecommand changes the key for egress flows so that the ingress interface is used instead of the output interface. This command is used to create a new flow for each input interface.
Examples
In the following example the key for NetFlow reporting of egress traffic is changed from the output interface to the input interface:
Router(config)# ip flow-egress input-interface
Related Commands
Command |
Description |
---|---|
ip flow ingress |
Enables NetFlow (ingress) accounting for traffic arriving on an interface. |
ip flow egress |
Enables NetFlow egress accounting for traffic that the router is forwarding. |
ip flow-cache timeout |
Specifies NetFlow accounting flow cache parameters. |
ip flow-cache entries |
Changes the number of entries maintained in the NetFlow accounting cache. |
show ip cache flow |
Displays a summary of the NetFlow accounting statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
show ip flow interface |
Displays NetFlow accounting configuration for interfaces. |
ip flow-export destination
To enable the export of NetFlow accounting information in NetFlow cache entries to a remote device such as a server running an application that analyzes NetFlow data, use the ip flow-export destination command in global configuration mode. To remove an export destination, use the noform of this command.
Syntax Description
ip-address | hostname |
IP address or hostname of the workstation to which you want to send the NetFlow information |
||
port |
Specifies the number of the user datagram protocol (UDP) port on which the workstation is listening for the exported NetFlow datagrams. |
||
vrf vrf-name |
(Optional) The vrf keyword specifies that the export data packets are to be sent to the named Virtual Private Network (VPN) routing forwarding instance (VRF) for routing to the destination, instead of to the global routing table.
|
||
udp |
(Optional) Specifies UDP as the transport protocol. UDP is the default transport protocol. |
Command Default
Export of NetFlow information is disabled.
Command Modes
Global configuration (config)#
Command History
Release |
Modification |
---|---|
11.1 CA |
This command was introduced. |
12.0(24)S |
This command was integrated into Cisco IOS Release 12.0(24)S. |
12.2(14)S |
This command was integrated into Cisco IOS Release 12.2(14)S, and support for the Multiple Export Destinations feature was added. |
12.2(2)T |
This command was modified to enable multiple NetFlow export destinations to be used. |
12.2(14)SX |
This command was introduced on the Supervisor Engine 720. |
12.2(17d)SXB |
Support for this command on the Supervisor Engine 2 was extended to the 12.2 SX release. |
12.2(18)SXD |
This command was changed to allow you to configure multiple NetFlow export destinations to a router. |
12.2(18)SXE |
This command was changed to allow you to enter two destination IP addresses on the Supervisor Engine 720 only. See the "Usage Guidelines" section for more information. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.4(4)T |
The vrf keyword and vrf name argument were added. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Cisco IOS XE 2.6 |
This command was integrated into Cisco IOS Release XE 2.6. |
12.2(33)SXI4 |
This command was integrated into Cisco IOS Release 12.2(33)SXI4. The vrf keyword and vrf name argument were added. |
Usage Guidelines
Cisco Catalyst 6500 Series Switches
With a PFC3 and Release 12.2(18)SXE and later releases, you can enter multiple NetFlow export destinations on the Supervisor Engine 720 only.
Multiple Export Destinations
If the version of Cisco IOS that you have installed on your networking device supports the NetFlow Multiple Export Destinations feature, you can configure your networking device to export NetFlow data to a maximum of 2 export destinations (collectors) per cache (main and aggregation caches), using any combination of UDP and SCTP as the transport protocol for the destinations. A destination is identified by a unique combination of hostname or IP address and port number or port type.
Note |
UDP is the default transport protocol used by the export destinationcommand. In some Cisco IOS releases you can configure SCTP as the transport protocol if you need reliability and additional redundancy. Refer to the ip flow-export sctp command for more information. |
The table below shows examples of the 2 permitted NetFlow export destinations for each cache.
Table 3 | Examples of Permitted Multiple NetFlow Export Destinations for Each Cache |
First Export Destination |
Second Export Destination |
---|---|
ip flow-export 10.25.89.32 100 udp |
ip flow-export 10.25.89.32 285 udp |
ip flow-export 10.25.89.32 100 udp |
ip flow-export 172.16.89.32 100 udp |
ip flow-export 10.25.89.32 100 udp |
ip flow-export 172.16.89.32 285 udp |
ip flow-export 10.25.89.32 100 udp |
ip flow-export 10.25.89.32 100 sctp |
ip flow-export 10.25.89.32 100 sctp |
ip flow-export 10.25.89.32 285 sctp |
ip flow-export 10.25.89.32 100 sctp |
ip flow-export 172.16.89.32 100 sctp |
ip flow-export 10.25.89.32 100 sctp |
ip flow-export 172.16.89.32 285 sctp |
The most common use of the multiple-destination feature is to send the NetFlow cache entries to two different destinations for redundancy. Therefore, in most cases the second destination IP address is not the same as the first IP address. The port numbers can be the same when you are configuring two unique destination IP addresses. If you want to configure both instances of the command to use the same destination IP address, you must use unique port numbers. You receive a warning message when you configure the two instances of the command with the same IP address. The warning message is, "%Warning: Second destination address is the same as previous address <ip-address>".
VRF Destinations for Exporting NetFlow Data
Before Cisco IOS Releases 12.4(4)T, 12.2(33)SXI4, and Cisco IOS XE Release 2.6, only one routing option existed for NetFlow export data packets. NetFlow sent all export data packets to the global routing table for routing to the export destinations you specified.
Cisco IOS Release 12.4(4)T, Cisco IOS XE Release 2.6, Cisco IOS Release 12.2(33)SXI4, and later releases provide an additional routing option for NetFlow export data packets. You can send NetFlow data export packets to a Virtual Private Network (VPN) routing/forwarding instance (VRF) for routing to the destinations that you specify.
To send NetFlow data export packets to a VRF for routing to a destination, you enter the optional vrfvrf-name keyword and argument with the ip flow-export destination ip-addressport command. To configure the global routing table option, enter this command without the optional vrfvrf-name keyword and argument.
More Information on NetFlow Data Export
For more information on NetFlow Data Export (NDE) on a Cisco Catalyst 6500 series switch, refer to the "Configuring NDE" chapter in the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide .
For more information on NetFlow Data Export (NDE) on a Cisco 7600 series router, refer to the "Configuring NDE" chapter in the Cisco 7600 Series Cisco IOS Software Configuration Guide .
For more information on NetFlow Data Export (NDE) on Cisco routers, refer to the "Configuring NetFlow and NetFlow Data Export" chapter in the Cisco IOS NetFlow Configuration Guide .
Examples
The following example shows how to configure the networking device to export the NetFlow cache entry to a single export destination system:
Router(config)# ip flow-export destination 10.42.42.1 9991
The following example shows how to configure the networking device to export the NetFlow cache entry to multiple destination systems:
Router(config)# ip flow-export destination 10.42.42.1 9991 Router(config)# ip flow-export destination 10.0.101.254 9991
The following example shows how to configure the networking device to export the NetFlow cache entry to two different UDP ports on the same destination system:
Router(config)# ip flow-export destination 10.42.42.1 9991 Router(config)# ip flow-export destination 10.42.42.1 9992 %Warning: Second destination address is the same as previous address 10.42.42.1
The following example shows how to configure the networking device to export NetFlow data to a export destination that is reachable in VRF group1:
Router(config)# ip flow-export destination 172.16.10.2 78 vrf group1
Related Commands
Command |
Description |
---|---|
ip flow-export interface-names |
Enables the inclusion of the interface names for the flows during the export of NetFlow accounting information in NetFlow cache entries. |
ip flow-export source |
Specifies the interface from which NetFlow will derive the source IP address for the NetFlow export datagrams containing NetFlow accounting information from NetFlow cache entries. |
ip flow-export template |
Configures template options for the export of NetFlow accounting information in NetFlow cache entries |
ip flow-export version |
Specifies the export version format for the exporting of NetFlow accounting information in NetFlow cache entries |
show ip flow export |
Displays the status and the statistics for NetFlow accounting data export. |
ip flow-export destination sctp
To enable the reliable export of NetFlow accounting information in NetFlow cache entries, use the ip flow-export destination sctp command in global configuration mode. To disable the reliable export of information, use the noform of this command.
Syntax Description
ip-address | hostname |
IP address or hostname of the workstation to which you want to send the NetFlow information. |
||
port |
Specifies the number of the stream control transmission protocol (SCTP) port on which the workstation is listening for the exported NetFlow datagrams. |
||
vrf vrf-name |
(Optional) The vrf keyword specifies that the export data packets are to be sent to the named Virtual Private Network (VPN) routing forwarding instance (VRF) for routing to the destination, instead of to the global routing table.
|
Command Default
Reliable export of NetFlow information is disabled.
Command Modes
Global configuration (config)
Command History
Release |
Modification |
---|---|
12.4(4)T |
This command was introduced. |
Usage Guidelines
NetFlow Reliable Export Using SCTP
SCTP can be used as an alternative to UDP when you need a more robust and flexible transport protocol than UDP. SCTP is a reliable message-oriented transport layer protocol, which allows data to be transmitted between two end-points in a reliable, partially reliable, or unreliable manner.
An SCTP session consists of an association (connection) between two end-points (peers), which can contain one or more logical channels called streams. The default mode of transmission for a stream is to guarantee reliable ordered delivery of messages using a selective-acknowledgment scheme. SCTP buffers messages until their receipt has been acknowledged by the receiving end-point. SCTP has a congestion control mechanism which limits how much memory is consumed by the SCTP stack, in packet buffering.
VRF Destinations for Exporting NetFlow Data
Before Cisco IOS Release 12.4(4)T, one routing option existed for NetFlow export data packets. NetFlow sent all export data packets to the global routing table for routing to the destinations you specified.
Cisco IOS 12.4(4)T and later releases provide an additional routing option for NetFlow export data packets. You can send NetFlow data export packets to a Virtual Private Network (VPN) routing/forwarding instance (VRF) for routing to the destinations that you specify.
To send NetFlow data export packets to a VRF for routing to a destination, you enter the optional vrfvrf-name keyword and argument with the ip flow-export destination ip-addressport command. To configure the global routing table option, enter this command without the optional vrfvrf-name keyword and argument.
Examples
The following example shows how to configure the networking device to use SCTP as the transport protocol when exporting NetFlow data:
Router(config)# ip flow-export destination 172.16.10.2 78 sctp
The following example shows how to configure the networking device to use SCTP as the transport protocol when exporting NetFlow data to a host that is reachable in VRF group1:
Router(config)# ip flow-export destination 172.16.10.2 78 vrf group1 sctp
Related Commands
Command |
Description |
---|---|
backup |
Configures a backup destination for the reliable export of NetFlow accounting information in NetFlow cache entries |
reliability |
Specifies the level of reliability for the reliable export of NetFlow accounting information in NetFlow cache entries. |
show ip flow export |
Displays the status and the statistics for NetFlow accounting data export. |
ip flow-export hardware version
To specify the NetFlow Data Export (NDE) version for hardware-switched flows, use the ip flow-export hardware versioncommand in global configuration mode. To return to the default settings, use the noform of this command.
Syntax Description
5 |
Specifies that the export packet uses the version 5 format; see the "Usage Guidelines" section for additional information. |
7 |
Specifies that the export packet uses the version 7 format; see the "Usage Guidelines" section for additional information. |
Command Default
Version 7
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
12.2(18)SXD |
Support for this command was introduced on the Supervisor Engine 720 and the Supervisor Engine 2. |
Usage Guidelines
The ip flow-export hardware version command is only supported on systems that have a version 2 Supervisior Engine.
Examples
This example shows how to specify the NDE version for hardware-switched flows:
Router(config)#
ip flow-export hardware version 5
Router(config)#
Related Commands
Command |
Description |
---|---|
ip flow-export interface |
Enables the interface-based ingress NDE for hardware-switched flows. |
ip flow-export version (Supervisor Engine 2) |
Specifies the version for the export of information in NetFlow cache entries. |
show mls nde |
Displays information about the NDE hardware-switched flow. |
ip flow-export interface-names
To enable the inclusion of the interface names for the flows during the export of NetFlow accounting information in NetFlow cache entries, use the ip flow-export interface-names command in global configuration mode. To return to the default behavior, use the noform of this command.
Syntax Description
There are no keywords or arguments for this command.
Command Default
Inclusion the interface names for the flows during the export of NetFlow accounting information in NetFlow cache entries is disabled.
Command Modes
Global configuration (config)
Command History
Release |
Modification |
---|---|
12.4(2)T |
This command was introduced. |
Usage Guidelines
The interface-names keyword for the ip flow-export command configures NetFlow to include the interface names from the flows when it exports the NetFlow cache entry to a destination system.
Prior to the addition of the interface-names keyword you had to poll the SNMP MIB for this information and correlate IF-index entries to interface names. After you enable the ip flow-export interface-names command the information is included in the exported NetFlow cache entries.
Note |
Interface names are exported as options templates/records. |
Examples
The following example shows how to configure the networking device to include the interface names from the flows when it exports the NetFlow cache entry to a destination system:
Router(config)# ip flow-export interface-names
Related Commands
Command |
Description |
---|---|
ip flow-export destination |
Enables the export of NetFlow accounting information in NetFlow cache entries to a remote device such as a server running an application that analyzes NetFlow data. |
ip flow-export source |
Specifies the interface from which NetFlow will derive the source IP address for the NetFlow export datagrams containing NetFlow accounting information from NetFlow cache entries. |
ip flow-export template |
Configures template options for the export of NetFlow accounting information in NetFlow cache entries |
ip flow-export version |
Specifies the export version format for the exporting of NetFlow accounting information in NetFlow cache entries |
show ip flow export |
Displays the status and the statistics for NetFlow accounting data export. |
ip flow-export source
To specify the interface from which NetFlow will derive the source IP address for the NetFlow export datagrams containing NetFlow accounting information from NetFlow cache entries, use the ip flow-export source command in global configuration mode. To return to the default behavior, use the noform of this command.
Syntax Description
interface type number |
Interface name followed by the interface type and number. |
Command Default
NetFlow uses the IP address of the interface that the datagram is transmitted over as the source IP address for the NetFlow datagrams.
Command Modes
Global configuration (config)
Command History
Release |
Modification |
---|---|
11.1 CA |
This command was introduced. |
12.0(24)S |
This command was integrated into Cisco IOS Release 12.0(24)S. |
12.2(14)S |
This command was integrated into Cisco IOS Release 12.2(14)S. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
15.0(1)M |
This command was integrated into a release earlier than Cisco IOS Release 15.0(1)M. The interface type numberkeyword and arguments were added. |
12.2(33)SRC |
This command was modified. The interface type numberkeyword and arguments were added. |
12.2(33)SXI |
This command was modified. The interface type numberkeyword and arguments were added. |
Cisco IOS XE Release2.1 |
This command was integrated into Cisco IOS XE Release 2.1. |
Usage Guidelines
After you configure NetFlow data export, use the ip flow-export sourcecommand to specify the interface that NetFlow will use to obtain the source IP address for the NetFlow datagrams that it sends to destination systems, such as a system running NFC Engine. This will override the default behavior (using the IP address of the interface that the datagram is transmitted over as the source IP address for the NetFlow datagrams).
Some of the benefits of using a consistent IP source address for the datagrams that NetFlow sends are:
- The source IP address of the datagrams exported by NetFlow is used by the destination system to determine which router the NetFlow data is arriving from. If your network has two or more paths that can be used to send NetFlow datagrams from the router to the destination system and you do not specify the source interface from which the source IP address is to obtained, the router uses the IP address of the interface that the datagram is transmitted over as the source IP address of the datagram. In this situation the destination system might receive NetFlow datagrams from the same router, but with different source IP addresses. This causes the destination system to treat the NetFlow datagrams as if they were being sent from different routers unless you have configured the destination system to aggregate the NetFlow datagrams it receives from all of the possible source IP addresses in the router into a single NetFlow flow.
- If your router has multiple interfaces that can be used to transmit datagrams to the CNS NFC, and you do not configure the ip flow-export source interfacecommand, you will have to add an entry for the IP address of each interface into any access lists that you create for permitting NetFlow traffic. It is easier to create and maintain access-lists for permitting NetFlow traffic from known sources and blocking it from unknown sources when you limit the source IP address for NetFlow datagrams to a single IP address for each router that is exporting NetFlow traffic.
You can use the IP address of a loopback interface as the source IP address for NetFlow traffic by entering the ip flow-export source interface type[number | slot/port] command (for example, ip flow-export source interfaceloopback 0 ).Doing so makes it more difficult for people who want to attack your network by spoofing the source IP address of your NetFlow-enabled routers to determine which IP address to use. This is because the IP addresses assigned to loopback interfaces are not as easy to discover as the IP addresses assigned to physical interfaces on the router. For example, it is easy to determine the IP address of a Fast Ethernet interface on a router that is connected to a LAN that has end user devices on it. You simply check the configuration of one of the devices for its IP default gateway address.
If the export destination is in a VRF, the ip flow-export source command specifies an interface, which is not an interface in the same VRF as the destination. Therefore, the code will automatically pickup an interface on the local router that is in the same VRF as the export-destination and hence ignore the configured export source.
Examples
The following example shows how to configure NetFlow to use a loopback interface as the source interface for NetFlow traffic.
Caution |
The interface that you configure as the ip flow-export source interface must have an IP address configured and it must be up. |
Router(config)# ip flow-export source loopback0
Related Commands
Command |
Description |
---|---|
ip flow-export destination |
Enables the export of NetFlow accounting information in NetFlow cache entries to a remote device such as a server running an application that analyzes NetFlow data. |
ip flow-export interface-names |
Enables the inclusion of the interface names for the flows during the export of NetFlow accounting information in NetFlow cache entries. |
ip flow-export template |
Configures template options for the export of NetFlow accounting information in NetFlow cache entries |
ip flow-export version |
Specifies the export version format for the exporting of NetFlow accounting information in NetFlow cache entries |
show ip flow export |
Displays the status and the statistics for NetFlow accounting data export. |
ip flow-export template
To configure template options for the export of NetFlow accounting information in NetFlow cache entries, use the ip flow-export template command in global configuration mode. To remove the configured refresh-rate and timeout-rate and to return to the default rate, use the noform of this command.
Configure template only
Configure template options
Syntax Description
template |
Enables the refresh-rate and timeout-rate keywords for the configuring of Version 9 export templates. |
||
refresh-rate packets |
Specifies the number of export packets that are sent before the options and flow templates are resent. Range: 1 to 600. Default: 20. |
||
timeout-rate minutes |
Specifies the interval (in minutes) that the router waits after sending the templates (flow and options) before sending them again. Range: 1 to 3600. Default: 30. |
||
options |
Enables the export-stats, refresh-rate, sampler and timeout-rate keywords for configuring Version 9 export options. |
||
export-stats |
Enables the export of statistics including the total number of flows exported and the total number of packets exported. |
||
sampler |
When Version 9 export is configured, this keyword enables the export of an option containing a random-sampler configuration, including the sampler ID, sampling mode, and sampling interval for each configured random sampler.
|
||
nbar |
Exports application mapping information to the NetFlow data collector. |
Command Default
The export template and export template options are not configured.
Command Modes
Global configuration (config)
Command History
Release |
Modification |
---|---|
12.3(2)T |
This command was introduced. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2(18)ZYA2 |
This command was modified. The nbarkeyword was added. |
Usage Guidelines
The ip flow-export template options export-stats command requires that the NetFlow Version 9 export format be already configured on the router.
The ip flow-export template options sampler command requires that the NetFlow Version 9 export format and a flow sampler map be already configured on the router.
The ip flow-export template options nbar command exports application IDs to string mapping as options. It displays string values for application IDs to which they are mapped. To export the application mapping information, you must enable NetFlow Export Version 9 export format and have Network Based Application Recognition (NBAR) configured on the device.
Examples
The following example shows how to configure NetFlow so that the networking device sends the export statistics (total flows and packets exported) as options data:
Router(config)# ip flow-export template options export-stats
The following example shows how to configure NetFlow to wait until 100 export packets have been sent or 60 minutes have passed since the last time the templates were sent (whichever comes first) before the templates are resent to the destination host:
Router(config)# ip flow-export template refresh-rate 100 Router(config)# ip flow-export template timeout-rate 60
The following example shows how to configure NetFlow to enable the export of information about NetFlow random samplers:
Router(config)# ip flow-export template options sampler
Tip |
You must have a flow-sampler map configured before you can configure the sampler keyword for the ip flow-export template options command. |
The following example shows how to configure NetFlow to enable the export of application mapping information:
Router(config)# ip flow-export template options nbar
Related Commands
Command |
Description |
---|---|
ip flow-export destination |
Enables the export of NetFlow accounting information in NetFlow cache entries to a remote device such as a server running an application that analyzes NetFlow data. |
ip flow-export interface-names |
Enables the inclusion of the interface names for the flows during the export of NetFlow accounting information in NetFlow cache entries. |
ip flow-export source |
Specifies the interface from which NetFlow will derive the source IP address for the NetFlow export datagrams containing NetFlow accounting information from NetFlow cache entries. |
ip flow-export version |
Specifies the export version format for the exporting of NetFlow accounting information in NetFlow cache entries |
show ip flow export |
Displays the status and the statistics for NetFlow accounting data export. |
ip flow-export version
To specify the export version format for the exporting of NetFlow accounting information in NetFlow cache entries, use the ip flow-export version command in global configuration mode. To return to the default behavior, use the noform of this command.
Syntax Description
1 |
Specifies that the export datagram uses the version 1 format. This is the default. |
5 |
Specifies that the export datagram uses the version 5 format. |
9 |
(Specifies that the export datagram uses the version 9 format. |
origin-as |
(Optional) Specifies that export statistics include the originating autonomous system (AS) for the source and destination. |
peer-as |
(Optional) Specifies that export statistics include the peer AS for the source and destination. |
bgp-nexthop |
(Optional) Specifies that export statistics include Border Gateway Protocol (BGP) next-hop-related information. |
Command Default
Version 1 is the default export format for the exporting of NetFlow accounting information in NetFlow cache entries.
Command Modes
Global configuration (config)
Command History
Release |
Modification |
---|---|
11.1CA |
This command was introduced. |
12.0(24)S |
This command was integrated into Cisco IOS Release 12.0(24)S, and the 9 keyword was added. |
12.0(26)S |
Support for the BGP Next Hop Support feature was added. |
12.2(14)S |
This command was integrated into Cisco IOS Release 12.2(14)S. |
12.3(1) |
Support for the BGP Next Hop Support and NetFlow v9 Export Format features was added. |
12.2(18)S |
Support for the BGP Next Hop Support and NetFlow v9 Export Format features was added. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
The ip flow-export version command supports three export data formats: Version 1, Version 5, and Version 9. Version 1 should be used only when it is the only NetFlow data export format version that is supported by the application that you are using to analyze the exported NetFlow data. Version 5 exports more fields than Version 1. Version 9 is the only flexible export format version.
The NetFlow Version 9 Export Format feature was introduced in Cisco IOS Release 12.0(24)S and was integrated into Cisco IOS Release 12.3(1) and Cisco IOS Release 12.2(18)S.
NetFlow Version 9 is a flexible and extensible means for transferring NetFlow records from a network node to a collector. NetFlow Version 9 has definable record types and is self-describing for easier NetFlow Collection Engine configuration.
Third-party business partners who produce applications that provide NetFlow Collection Engine or display services for NetFlow do not need to recompile their applications each time a new NetFlow technology is added. Instead, with the NetFlow Version 9 Export Format feature, they can use an external data file that documents the known template formats and field types.
NetFlow Version 9 has the following characteristics:
- Record formats are defined by templates.
- Template descriptions are communicated from the router to the NetFlow Collection (NFC) Engine.
- Flow records are sent from the router to the NetFlow Collection Engine with minimal template information so that the NetFlow Collection Engine can relate the records to the appropriate template.
Version 9 is independent of the underlying transport (UDP, TCP, SCTP, and so on).
Note |
The values for the BGP next hop IP address captured by the bgp-nexthop command are exported to a NetFlow export destination only when the Version 9 export format is configured. |
Note |
In order for the BGP information to be populated in the main cache, you must have either a NetFlow export destination configured or a NetFlow aggregation configured. |
Note |
The AS values for the peer-as and the origin-as keywords are captured only if you have configured an export destination with the ip flow-export destination command. |
For more information on the available export data formats, see the Cisco IOS NetFlow Configuration Guide, Release 12.4T. For more information on the Version 9 data format, see the Cisco IOS NetFlow Version 9 Export Format Feature Guide .
Caution |
Entering the ip flow-export versionor no ip flow-export versioncommand on the Cisco 12000 series Internet routers, Cisco 6500 series routers, and Cisco 7600 series routers and specifying a format other than version 1 (in other words, entering the ip flow-export versionor no ip flow-export versioncommand and specifying the 5 keyword) causes packet forwarding to stop for a few seconds while NetFlow reloads the Route Processor and line card Cisco Express Forwarding tables. To avoid interruption of service to a live network, apply this command during a change window, or include it in the startup-config file to be executed during a router reboot. |
Examples
The following example shows how to configure the networking device to use the NetFlow Version 9 format for the exported data and how to include the originating autonomous system (origin-as) with its corresponding next BGP hop (bgp-nexthop):
Router(config)# ip flow-export version 9 origin-as bgp-nexthop
Related Commands
Command |
Description |
---|---|
ip flow-export destination |
Enables the export of NetFlow accounting information in NetFlow cache entries to a remote device such as a server running an application that analyzes NetFlow data. |
ip flow-export interface-names |
Enables the inclusion of the interface names for the flows during the export of NetFlow accounting information in NetFlow cache entries. |
ip flow-export source |
Specifies the interface from which NetFlow will derive the source IP address for the NetFlow export datagrams containing NetFlow accounting information from NetFlow cache entries. |
ip flow-export template |
Configures template options for the export of NetFlow accounting information in NetFlow cache entries |
show ip flow export |
Displays the status and the statistics for NetFlow accounting data export. |
ip flow-export version (Supervisor Engine 2)
To specify the version for the export of information in NetFlow cache entries, use the ip flow-export versioncommand in global configuration mode. To disable information exporting, use the noform of this command.
Syntax Description
1 |
Specifies that the export packet uses the version 1 format; see the "Usage Guidelines" section for additional information. |
5 |
Specifies that the export packet uses the version 5 format; see the "Usage Guidelines" section for additional information. |
origin-as |
(Optional) Specifies that export statistics include the origin autonomous system for the source and destination. |
peer-as |
(Optional) Specifies that export statistics include the peer autonomous system for the source and destination. |
6 |
Specifies that the export packet uses the version 6 format; see the "Usage Guidelines" section for additional information. |
Command Default
Version 1
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
12.2(17d)SXB |
Support for this command on the Supervisor Engine 2 was extended to the 12.2 SX release. |
Usage Guidelines
This command documentation applies only to systems that have a version 2 Supervisior Engine.
NDE makes traffic statistics available for analysis by an external data collector. You can use NDE to monitor all Layer 3 switched and all routed IP unicast traffic. In the Cisco 7600 series router, both the Policy Feature Card (PFC) and the Multilayer Switch Feature Card (MSFC) maintain NetFlow caches that capture flow-based traffic statistics. The cache on the PFC captures statistics for Layer 3-switched flows. The cache on the MSFC captures statistics for routed flows.
Note |
NDE can use NDE version 1, 5, or 6 to export the statistics that are captured on the MSFC for routed traffic. |
The number of records stored in the datagram is a variable from 1 to 24 for version 1. The number of records stored in the datagram is a variable between 1 and 30 for version 5.
For more information on NDE, refer to the "Configuring NDE" chapter in the Cisco 7600 Series Router Cisco IOS Software Configuration Guide.
Examples
This example shows how to export the data using the version 5 format and include the peer autonomous system information:
Router# configure terminal Router(config)# interface loopback0 Router(config-if)# ip address 4.0.0.1 255.0.0.0 Router(config-if)# exit Router(config)# interface serial 5/0:0 Router(config-if)# ip unnumbered loopback0 Router(config-if)# no ip mroute-cache Router(config-if)# encapsulation ppp Router(config-if)# ip route-cache flow Router(config-if)# exit Router(config)# ip flow-export version 5 peer-as Router(config)# exit
Related Commands
Command |
Description |
---|---|
ip flow-export destination |
Exports the NetFlow cache entries to a specific destination. |
ip flow-export source |
Specifies the source interface IP address that is used in the NDE datagram. |
ip route-cache flow |
Enables NetFlow switching for IP routing. |
ip flow-export version (Supervisor Engine 720)
To specify the version for the export of information in NetFlow cache entries, use the ip flow-export versioncommand in global configuration mode. To return to the default settings, use the noform of this command.
Syntax Description
1 |
Specifies that the export packet use the version 1 format; see the "Usage Guidelines" section for additional information. |
5 |
Specifies that the export packet use the version 5 format; see the "Usage Guidelines" section for additional information. |
origin-as |
(Optional) Specifies that export statistics include the origin autonomous system for the source and destination. |
peer-as |
(Optional) Specifies that export statistics include the peer autonomous system for the source and destination. |
9 |
Specifies that the export packet uses the version 9 format; see the "Usage Guidelines" section for additional information. |
bgp-nexthop |
(Optional) Specifies that export statistics include the BGP next hop for the source and destination. |
Command Default
Export of information in NetFlow cache entries is disabled.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
12.2(17d)SXB |
This command was introduced on the Supervisor Engine 720. |
12.2(18)SXF |
Support was added for NetFlow version 9 export format on the Supervisor Engine 720. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
Version 5 and version 9 formats include the source and destination autonomous-system addresses and source and destination prefix masks. Also, version 9 includes BGP next-hop information.
The number of records stored in the datagram is a variable from 1 to 24 for version 1. The number of records stored in the datagram is a variable between 1 and 30 for version 5.
For more information on NDE, refer to the "Configuring NDE" chapter in the Cisco 7600 Series Router Cisco IOS Software Configuration Guide.
Caution |
Entering the ip flow-export versionor no ip flow-export versioncommand on the Cisco 12000 series Internet routers, Cisco 6500 series routers, and Cisco 7600 series routers and specifying a format other than version 1 (in other words, entering the ip flow-export versionor no ip flow-export versioncommand and specifying the 5 keyword) causes packet forwarding to stop for a few seconds while NetFlow reloads the Route Processor and line card Cisco Express Forwarding tables. To avoid interruption of service to a live network, apply this command during a change window, or include it in the startup-config file to be executed during a router reboot. |
Examples
This example shows how to export the data using the version 5 format:
Router(config)# ip flow-export version 5
Related Commands
Command |
Description |
---|---|
ip flow-export version (Supervisor Engine 2) |
Specifies the version for the export of information in NetFlow cache entries. |
show mls nde |
Displays information about the NDE hardware-switched flow. |
ip flow-top-talkers
To configure NetFlow top talkers to capture traffic statistics for the unaggregated top flows of the heaviest traffic patterns and most-used applications in the network, use the ip flow-top-talkerscommand in global configuration mode. To disable NetFlow top talkers, use the no form of this command.
Syntax Description
This command has no arguments or keywords.
Command Default
NetFlow top talkers is disabled by default.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
12.2(25)S |
This command was introduced. |
12.3(11)T |
This feature was integrated into Cisco IOS Release 12.3(11)T. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Usage Guidelines
Tip |
The ip flow-top-talkerscommand does not appear in the configuration until you have configured the topnumber and sort-by [bytes | packets] commands. |
Enabling NetFlow
You must enable NetFlow on at least one interface in the router; and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands. Optionally, the match command can be configured to specify additional matching criteria.
Cache Timeout
The timeout period as specified by the cache-timeout command does not start until the show ip flow top-talkers command is entered. From that time, the same top talkers are displayed until the timeout period expires. To recalculate a new list of top talkers before the timeout period expires, you can change the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkerscommand.
A long timeout period for the cache-timeout command limits the system resources that are used by the NetFlow top talkers feature. However, the list of top talkers is calculated only once during the timeout period. If a request to display the top talkers is made more than once during the timeout period, the same results are displayed for each request, and the list of top talkers is not recalculated until the timeout period expires.
A short timeout period ensures that the latest list of top talkers is retrieved; however too short a period can have undesired effects:
- The list of top talkers is lost when the timeout period expires. You should configure a timeout period for at least as long as it takes the network management system (NMS) to retrieve all the required NetFlow top talkers.
- The list of top talkers is updated every time the top talkers information is requested, possibly causing unnecessary usage of system resources.
A good method to ensure that the latest information is displayed, while also conserving system resources, is to configure a large value for the timeout period, but cause the list of top talkers to be recalculated by changing the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkerscommand to display the top talkers. Changing the parameters of the cache-timeout, top, or sort-by command causes the list of top talkers to be recalculated upon receipt of the next command line interface (CLI) or MIB request.
Use the show ip flow top-talkers command to display the list of unaggregated top flows.
Examples
In the following example, a maximum of four top talkers is configured. The sort criterion is configured to sort the list of top talkers by the total number of bytes for each Top Talker.
Router(config)# ip flow-top-talkers Router(config-flow-top-talkers)# top 4 Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top talkers command with the configuration from the previous example:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K
4 of 4 top talkers shown. 11 flows processed
Related Commands
Command |
Description |
---|---|
cache-timeout |
Specifies the length of time for which the list of top talkers (heaviest traffic patterns and most-used applications in the network) for the NetFlow MIB and top talkers feature is retained. |
match (NetFlow) |
Specifies match criteria for the NetFlow MIB and top talkers (heaviest traffic patterns and most-used applications in the network) feature. |
show ip flow top-talkers |
Displays the statistics for the top talkers (heaviest traffic patterns and most-used applications in the network). |
sort-by |
Specifies the sorting criterion for top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and top talkers feature. |
top |
Specifies the maximum number of top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and top talkers feature. |
show ip cache flow |
Displays a summary of the NetFlow accounting statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
show ip flow interface |
Displays NetFlow accounting configuration for interfaces. |
ip multicast netflow
To configure multicast NetFlow accounting on an interface, use the ip multicast netflowcommand in interface configuration mode. To disable multicast NetFlow accounting, use the no form of this command.
Syntax Description
ingress |
Enables multicast NetFlow (ingress) accounting. |
egress |
Enables multicast NetFlow (egress) accounting. |
Command Default
Multicast ingress NetFlow accounting is enabled.
Multicast egress NetFlow accounting is disabled.
Command Modes
Interface configuration
Command History
Release |
Modification |
---|---|
12.3(1) |
This command was introduced. |
12.2(18)S |
This command was integrated into Cisco IOS Release 12.2(18)S. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(18)SXD |
Support for this command was introduced on the Supervisor Engine 720. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA |
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
12.4(11)T |
In Cisco IOS Release 12.4(11)T this command was moved to global configuration mode and the ingress and egress keywords were replaced by the output-counters keyword. See the ip multicast netflow output-counters command. |
12.4(12) |
In Cisco IOS Release 12.4(12) this command was moved to global configuration mode and the ingress and egress keywords were replaced by the output-counters keyword. See the ip multicast netflow output-counters command. |
12.(33)SRB |
In Cisco IOS Release 12.(33)SRB this command was moved to global configuration mode and the ingress and egress keywords were replaced by the output-counters keyword. See the ip multicast netflow output-counters command. |
12.(33)SXH |
In Cisco IOS Release 12.(33)SXH this command was moved to global configuration mode and the ingress and egress keywords were replaced by the output-counters keyword. See the ip multicast netflow output-counters command. |
12.(33)SB |
In Cisco IOS Release 12.(33)SB this command was moved to global configuration mode and the ingress and egress keywords were replaced by the output-counters keyword. See the ip multicast netflow output-counters command. |
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
ip multicast netflow ingress
NetFlow (ingress) accounting for multicast traffic is enabled by default. The ip multicast netflow ingress command does not appear in the configuration.
ip multicast netflow egress
You must enable multicast egress NetFlow accounting on all interfaces for which you want to count outgoing multicast streams.
To display the multicast entries, enter the show mls netflow ip command.
Examples
The following example shows how to enable multicast ingress NetFlow accounting on the ingress Ethernet 1/0 interface:
Router(config)# interface ethernet 1/0 Router(config-if)# ip multicast netflow ingress
The following example shows how to enable multicast egress NetFlow accounting on the egress Ethernet interface 0/0:
Router(config)# interface ethernet 0/0 Router(config-if)# ip multicast netflow egress
Related Commands
Command |
Description |
---|---|
ip multicast netflow rpf-failure |
Enables accounting for multicast data that fails the RPF check. |
show ip cache flow |
Displays a summary of the NetFlow statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow statistics. |
show ip flow interface |
Displays NetFlow accounting configuration for interfaces. |
show ip mroute |
Displays the contents of the IP multicast routing (mroute) table. |
show mls netflow ip |
Displays information about the hardware NetFlow IP. |
ip multicast netflow output-counters
To enable NetFlow accounting for the number of bytes and packets of multicast traffic forwarded from an ingress flow, use the ip multicast netflow output-counterscommand in global configuration mode. To disable accounting for the number of bytes and packets forwarded, use the no form of this command.
Syntax Description
This command has no arguments or keywords.
Command Default
Accounting for the number of bytes and packets of multicast traffic that is forwarded is disabled.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
12.3(1) |
This command was introduced. |
12.2(18)S |
This command was integrated into Cisco IOS Release 12.2(18)S. |
12.4(11)T |
This command was integrated into Cisco IOS Release 12.4(11)T. |
12.4(12) |
This command was integrated into Cisco IOS Release 12.4(12). |
12.2(33)SRB |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2(33)SXH |
This command was integrated into Cisco IOS Release 12.2(33)SXH. |
12.2(33)SB |
This command was integrated into Cisco IOS Release 12.2(33)SB. |
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Examples
The following example shows how to enable NetFlow accounting for the number of bytes and packets of multicast traffic forwarded from an ingress flow:
Router# configure terminal Router(config)# ip multicast netflow output-counters Router(config)# end
Related Commands
Command |
Description |
---|---|
ip multicast netflow |
Configures multicast NetFlow accounting on an interface. |
show ip cache flow |
Displays a summary of the NetFlow accounting statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
show ip flow interface |
Displays NetFlow accounting configuration for interfaces. |
show ip mroute |
Displays the contents of the IP multicast routing (mroute) table. |
show ip rpf |
Displays how IP multicast routing does RPF. |
show ip rpf events |
Displays the last 15 triggered multicast RPF check events. |
ip multicast netflow rpf-failure
To enable NetFlow accounting for multicast data that fails the reverse path forwarding (RPF) check (meaning any IP packets that lack a verifiable IP source address), use the ip multicast netflow rpf-failure command in global configuration mode. To disable accounting for multicast data that fails the RPF check, use the no form of this command.
Syntax Description
This command has no arguments or keywords.
Command Default
Accounting for multicast data that fails the RPF check is disabled.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
12.3(1) |
This command was introduced. |
12.2(18)S |
This command was integrated into Cisco IOS Release 12.2(18)S. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Examples
The following example shows how to enable accounting for multicast data that fails the RPF check:
Router# configure terminal Router(config)# ip multicast netflow rpf-failure Router(config)# end
Related Commands
Command |
Description |
---|---|
ip multicast netflow |
Configures multicast NetFlow accounting on an interface. |
show ip cache flow |
Displays a summary of the NetFlow accounting statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
show ip flow interface |
Displays NetFlow accounting configuration for interfaces. |
show ip mroute |
Displays the contents of the IP multicast routing (mroute) table. |
show ip rpf |
Displays how IP multicast routing does RPF. |
show ip rpf events |
Displays the last 15 triggered multicast RPF check events. |
ip route-cache flow
Effective with Cisco IOS Releases 12.4(2)T and 12.2(18)SXD, the ip route-cache flowcommand is replaced by the ip flow ingresscommand. See the ip flow ingress command for more information.
To enable NetFlow (ingress) accounting for traffic arriving on an interface, use the ip route-cache flowcommand in interface configuration mode. To disable NetFlow (ingress) accounting for traffic arriving on an interface, use the no form of this command in interface configuration mode.
Syntax Description
This command has no arguments or keywords.
Command Default
This command is not enabled by default.
Command Modes
Interface configuration
Command History
Release |
Modification |
---|---|
11.1 |
This command was introduced. |
12.4(2)T |
The ip route-cache flow command is automatically remapped to the ip flow-ingress command. |
12.2(14)S |
This command was integrated into Cisco IOS Release 12.2(14)S. |
12.2(25)S |
The ip route-cache flow command is automatically remapped to the ip flow-ingress command. |
12.2(14)SX |
Support for this command was introduced on the Supervisor Engine 720. |
12.2(27)SBC |
This command was integrated into Cisco IOS Release 12.2(27)SBC. |
12.2(17d)SXB |
Support for this command on the Supervisor Engine 2 was extended to the 12.2 SX release. |
12.2(18)SXD |
The ip route-cache flow command is automatically remapped to the ip flow-ingress command. |
12.2(18)SXF |
This command was integrated into Cisco IOS Release 12.2(18)SXF. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
Use this command on an interface or subinterface to enable NetFlow (ingress) accounting for traffic that is being received by the router.
Cisco IOS Release 12.2(25)S and 12.2(18)SXD
When you enter the ip route-cache flow command to enable NetFlow (ingress) accounting on an interface in a router that is running Cisco IOS Release 12.2(25)S or later, or Cisco IOS Release 12.2(18)SXD or later, the command is automatically remapped to the ip flow-ingress command before it is added to the in the running configuration. Therefore you must use the no ip flow ingress command to disable NetFlow (ingress) accounting on the interface.
Examples
The following example shows how to enable NetFlow (ingress) accounting on Ethernet interface 0/0 using the ip route-cache flow command:
Router(config)# interface Ethernet0/0 Router(config-if)# ip route-cache flow
The following example shows how to disable NetFlow (ingress) accounting on Ethernet interface 0/0 of a router that is running Cisco IOS Release 12.2(25)S or later using the no ip flow ingress command:
Router(config)# interface Ethernet0/0 Router(config-if)# no ip flow ingress
Related Commands
Command |
Description |
---|---|
show ip cache flow |
Displays a summary of the NetFlow accounting statistics. |
show ip cache verbose flow |
Displays a detailed summary of the NetFlow accounting statistics. |
ip flow ingress |
Enables NetFlow (ingress) accounting for traffic arriving on an interface. |