Configuring MPLS-aware NetFlow

Last Updated: November 27, 2012

NetFlow is a Cisco IOS application that provides statistics on packets flowing through the router. This module contains information about and instructions for configuring Multiprotocol Label Switching (MPLS)-aware NetFlow. MPLS-aware NetFlow is an extension of the NetFlow accounting feature that provides highly granular traffic statistics for Cisco routers.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring MPLS-aware NetFlow

  • Configure NetFlow on the label switch router (LSR).
  • Configure MPLS on the LSR.
  • Enable Cisco Express Forwarding (CEF) or distributed CEF on the LSR and on the interfaces on which you want to enable NetFlow.

If you are exporting data to a Cisco NetFlow collector, the following requirements apply:

  • NetFlow Version 9 export format configured on the LSR
  • NetFlow collector and analyzer capable of using MPLS-aware NetFlow export packets in Version 9 format

The table below describes the Cisco 12000 series Internet router line card support for Cisco IOS 12.0 S releases of MPLS-aware NetFlow.

Table 1 Cisco 12000 Series Line Card Support for MPLS-aware NetFlow in Cisco IOS 12.0S Releases

Type                      Line Card
------------------------  ------------------------------------
Ethernet                  1-Port GE [1]
                          8-Port FE
                          3-Port GE
                          1-Port 10-GE
                          Modular GE
Packet over SONET (POS)   4-Port OC-3 POS [2]
                          1-Port OC-12 POS
                          1-Port OC-48 POS
                          4-Port OC-12 POS
                          4-Port OC-12 POS ISE
                          1-Port OC-48 POS ISE
                          4-Port OC-3 POS ISE
                          8-Port OC-3 POS ISE
                          16-Port OC-3 POS ISE
                          1-Port OC-192 POS ES (Edge Release)
                          4-Port OC-48 POS ES (Edge Release)
Channelized interfaces    1-Port CHOC-12 (DS3)
                          1-Port CHOC-12 (OC-3)
                          6-Port Ch T3 (DS1)
                          2-Port CHOC-3
                          1-Port CHOC-48 ISE
                          4-Port CHOC-12 ISE
Electrical interface      6-Port DS3
                          12-Port DS3
                          6-Port E3
                          12-Port E3
Dynamic packet transport  1-Port OC-12 DPT
                          1-Port OC-48 DPT
                          4-Port OC-48 DPT
                          1-Port OC-192 DPT
ATM                       4-Port OC-3 ATM
                          1-Port OC-12 ATM
                          8-Port OC-3 STM-1 ATM

[1] This Cisco 12000 series Internet router line card does not support MPLS-aware NetFlow.
[2] This Cisco 12000 series Internet router line card supports MPLS-aware NetFlow enabled in either full or sampled mode. Line cards not marked with a footnote character support MPLS-aware NetFlow in sampled mode only. In general, Cisco 12000 line cards support MPLS-aware NetFlow in the same mode as they support NetFlow.

Restrictions for Configuring MPLS-aware NetFlow

Cisco IOS Releases 12.2(14)S, 12.0(22)S, or 12.2(15)T

If your router is running a version of Cisco IOS prior to releases 12.2(14)S, 12.0(22)S, or 12.2(15)T, the ip route-cache flow command is used to enable NetFlow on an interface.

If your router is running Cisco IOS Release 12.2(14)S, 12.0(22)S, 12.2(15)T, or later releases, the ip flow ingress command is used to enable NetFlow on an interface.

MPLS-aware NetFlow

The following restrictions apply to the MPLS-aware NetFlow feature:

  • A maximum of three MPLS labels can be captured and exported.
  • MPLS-aware NetFlow reports the following fields in MPLS flows as 0: IP next-hop, source and destination Border Gateway Protocol (BGP) autonomous system numbers, and source and destination prefix masks.
  • For MPLS packets that contain non-IP packets under the MPLS label stack, MPLS-aware NetFlow reports the following flow fields as 0: source and destination IP addresses, protocol, ToS, ports, and TCP flags.
  • The IP addresses associated with the top label for traffic engineering (TE) tunnel midpoints and Any Transport over MPLS (AToM) are reported as 0.0.0.0.
  • The top label type and IP address are obtained at the moment of flow export. Either can be incorrect if the top label was deleted or reassigned after the creation of the flow in the NetFlow cache.
  • The following points apply for the Cisco 12000 1-Port 10-GE, Modular GE, 1-Port OC-192 POS ES (Edge Release), and 4-Port OC-48 POS ES (Edge Release) line cards:
    • MPLS-aware NetFlow samples both IP and MPLS packets, but reports only MPLS packets that have one label per packet, ignoring all other packets (that is, IP and MPLS packets with more than one label).
    • MPLS-aware NetFlow does not report application (TCP/UDP) port numbers.
    • MPLS-aware NetFlow reports experimental bits in MPLS labels as 0.
  • The Cisco 12000 1-Port OC-48 POS, 4-Port OC-12 POS, 16-Port OC-3 POS, 3-Port GE, and 1-Port OC-48 DPT line cards support MPLS-aware NetFlow in sampled mode in all microcode bundles that include IP-sampled NetFlow.
  • Cisco 7600 series routers do not support the MPLS-aware NetFlow feature.

Information About Configuring MPLS-aware NetFlow

MPLS-aware NetFlow Overview

MPLS-aware NetFlow is an extension of the NetFlow accounting feature that provides highly granular traffic statistics for Cisco routers. MPLS-aware NetFlow collects statistics on a per-flow basis just as NetFlow does.

A flow is a unidirectional set of packets (IP or MPLS) that arrive at the router on the same subinterface, have the same source and destination IP addresses, the same Layer 4 protocol, the same TCP/UDP source and destination ports, and the same type of service byte in the IP header.

An MPLS flow contains up to three of the same incoming MPLS labels of interest with experimental bits and end-of-stack bits in the same positions in the packet label stack. MPLS-aware NetFlow captures MPLS traffic that contains both IP and non-IP packets. It reports non-IP packets, but sets the IP NetFlow fields to 0. It can also be configured to capture and report IP packets, setting to 0 the IP NetFlow fields. MPLS-aware NetFlow uses the NetFlow Version 9 export format. MPLS-aware NetFlow exports up to three labels of interest from the incoming label stack, the IP address associated with the top label, and traditional NetFlow data.

MPLS-aware NetFlow statistics can be used for detailed MPLS traffic studies and analysis that can provide information for a variety of purposes such as MPLS network management, network planning, and enterprise accounting.

A network administrator can turn on MPLS-aware NetFlow inside an MPLS cloud on a subset of provider backbone (P) routers. These routers can export MPLS-aware NetFlow data to an external NetFlow collection device for further processing and analysis or you can display NetFlow cache data on a router terminal.

MPLS Label Stack

As packets move through an MPLS network, LSRs can add labels to the MPLS label stack. LSRs in an MPLS cloud can add up to six labels to the MPLS label stack. An LSR adds the MPLS labels to the top of the IP packet. The figure below shows an example of an incoming MPLS label stack that LSRs added to an IP packet as it traversed an MPLS cloud.

Figure 1 Example of an MPLS Label Stack Added to an IP Packet in an MPLS Cloud


In the example of an MPLS label stack in the figure above:

  • The 33 represents the top label of this packet. This label was the last label added to the MPLS label stack and the label that MPLS-aware NetFlow captures if you indicate the label of interest as 1.
  • The 42 represents the second label in the MPLS stack. MPLS-aware NetFlow captures this label if you indicate 2 (second from the top) as a label of interest.
  • The 16 represents the third label in the MPLS label stack. MPLS-aware NetFlow captures this label if you indicate 3 (third from the top) as a label of interest.
  • Lb4-Lb6 represents the fourth to sixth labels in the MPLS stack. LSRs in an MPLS cloud add up to six labels to the MPLS label stack. MPLS-aware NetFlow captures these labels if you indicate 4, 5, or 6 as labels of interest.

  • The B represents miscellaneous bits. These include the following:
    • Exp--Three bits reserved for experimental use
    • S--End-of-stack bit, set to 1 for the last entry in the stack and to 0 for every other entry
    • Time to Live (TTL)--Eight bits used to encode a hop count (or time to live) value

The figure below shows a sample Carrier Supporting Carrier (CSC) topology and the incoming MPLS label stack on multiple LSRs as the packet travels through the network. The figure shows what the stack might look like at a provider core LSR.

Figure 2 Provider and Customer Networks and MPLS Label Imposition


In the example in the figure above, a hierarchical VPN is set up between two customer edge (CE) routers.

  • Traffic flows from the CE router to a provider edge (PE) router, possibly one belonging to an Internet service provider (ISP). Here, a VPN label (16) is imposed on the inbound IP packet.
  • The ISP network eventually connects to an Internet backbone provider where a CSC label (42) is imposed on the label stack.
  • As packets traverse the backbone network, a Label Distribution Protocol (LDP) label (33) is imposed on the label stack.

At the inbound interface shown in the figure above, MPLS-aware NetFlow captures the MPLS label stack and reports that the top label (33) is an LDP label, the second label (42) is a CSC label, and the third label (16) is a VPN label.

With NetFlow and MPLS-aware NetFlow enabled on the P router, you can determine the label type for the specified labels and the IP address associated with the top label on the incoming interface (see the MPLS-aware NetFlow Capture of MPLS Labels section). Thus, you can track specific types of MPLS traffic, such as TE, LDP, or VPNs.

MPLS-aware NetFlow Capture of MPLS Labels

When you configure the MPLS-aware NetFlow feature, you select the MPLS label positions in the incoming label stack that you are interested in monitoring. You can capture up to three labels from positions 1 to 6 in the MPLS label stack. Label positions are counted from the top of the stack. For example, the position of the top label is 1, the position of the next label is 2, and so on. You enter the stack location value as an argument to the following command:

ip flow-cache mpls label-positions [label-position-1 [label-position-2 [label-position-3]]]

The label-position-n argument represents the position of the label on the incoming label stack. For example, the ip flow-cache mpls label-positions 1 3 4 command configures MPLS-aware NetFlow to capture and export the first (top), third, and fourth labels. If you enter this command and the label stack consists of two MPLS labels, MPLS-aware NetFlow captures only the first (top) label. If some of the labels you requested are not available, they are not captured or reported.
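The selection rule described above, modeled as an added Python example (not Cisco code). It decodes 32-bit label stack entries (20-bit label, 3 Exp bits, 1 S bit, 8-bit TTL), applies the configured label positions, and renders the result in the Pos:Lbl-Exp-S style. The function names, Exp values and TTL values are constructed for illustration; the label values 33/42/16 and 12305/12312 are the ones used on this page.

```python
import struct
from typing import List, NamedTuple, Sequence


class LabelEntry(NamedTuple):
    position: int  # 1 = top of stack
    label: int     # 20-bit label value
    exp: int       # 3 experimental bits
    s: int         # end-of-stack bit (1 only on the last entry)
    ttl: int       # 8-bit time to live


def encode_entry(label: int, exp: int, s: int, ttl: int) -> bytes:
    """Pack one 32-bit label stack entry: label(20) | Exp(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)


def decode_stack(data: bytes, max_depth: int = 6) -> List[LabelEntry]:
    """Decode entries from the top of the stack until the S bit is set."""
    entries = []
    for position in range(1, max_depth + 1):
        offset = (position - 1) * 4
        if offset + 4 > len(data):
            raise ValueError("truncated stack: ran out of bytes before S=1")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = LabelEntry(position, word >> 12, (word >> 9) & 0x7,
                           (word >> 8) & 0x1, word & 0xFF)
        entries.append(entry)
        if entry.s:
            return entries  # anything after this entry is payload
    raise ValueError(f"no end-of-stack bit within {max_depth} entries")


def check_positions(positions: Sequence[int]) -> None:
    """Enforce the documented limits: at most three positions, each 1 to 6."""
    if len(positions) > 3:
        raise ValueError("at most three label positions can be captured")
    for p in positions:
        if not 1 <= p <= 6:
            raise ValueError(f"label position {p} is outside 1..6")


def capture(stack: List[LabelEntry], positions: Sequence[int]) -> List[LabelEntry]:
    """Return the labels of interest; requested positions that do not
    exist in this stack are simply not captured."""
    check_positions(positions)
    by_position = {e.position: e for e in stack}
    return [by_position[p] for p in positions if p in by_position]


def render(entries: List[LabelEntry]) -> str:
    """Format captured labels as position:label-exp-S."""
    return " ".join(f"{e.position}:{e.label}-{e.exp}-{e.s}" for e in entries)


# Constructed sample: the LDP/CSC/VPN stack from the figure, then payload bytes.
CSC_STACK = (encode_entry(33, 0, 0, 254) + encode_entry(42, 0, 0, 254)
             + encode_entry(16, 0, 1, 254) + b"\x45\x00")
# Constructed sample: a two-label stack using the values from the show output.
TWO_LABEL_STACK = encode_entry(12305, 6, 0, 255) + encode_entry(12312, 6, 1, 255)

if __name__ == "__main__":
    print(render(capture(decode_stack(CSC_STACK), (1, 2, 3))))
    # label-positions 1 3 4 on a two-label stack: only the top label is captured
    print(render(capture(decode_stack(TWO_LABEL_STACK), (1, 3, 4))))
```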

In addition to capturing MPLS labels from the label stack, MPLS-aware NetFlow records the following MPLS label information:

  • Type of top label--The type can be any of the following: unknown, TE tunnel midpoint, AToM, VPN, BGP, or LDP.
  • The IP address associated with the top label--The route prefix to which the label maps.

Note    The IP address for any TE tunnel midpoint or AToM top label is reported as 0.0.0.0.

MPLS-aware NetFlow is enabled globally on the router. However, NetFlow is enabled per interface and must be enabled in either full or sampled mode on the interfaces where you choose to capture and export MPLS and IP NetFlow data.


Note    See the table below for information about Cisco 12000 series Internet router line card support for NetFlow (full and sampled modes).

MPLS-aware NetFlow Display of MPLS Labels

The MPLS-aware NetFlow feature allows the display of a snapshot of the NetFlow cache, including MPLS flows, on a terminal through the use of the show ip cache verbose flow command. For example, the following output from a provider core router (P router) shows position, value, experimental bits, and end-of-stack bit for each MPLS label of interest. It also shows the type of the top label and the IP address associated with the top label.

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
PO3/0          10.1.1.1        PO5/1          10.2.1.1        01 00  10       9
0100 /0  0                     0200 /0  0     0.0.0.0               100     0.0
Pos:Lbl-Exp-S 1:12305-6-0 (LDP/10.10.10.10) 2:12312-6-1

In this example from a P router:

  • The value of the top label is 12305.
  • The experimental bits value is 6 and the end-of-stack bit is 0.
  • The label type is LDP and the IP address associated with the label is 10.10.10.10.
  • The value of the second label is 12312, the experimental bits value is 6, and the end-of-stack bit is 1.

To fully understand and use the information gathered on the P router, you need information from the Label Forwarding Information Base (LFIB) on the PE router.


Note    The MPLS application owner for a label is not reported by MPLS-aware NetFlow for any MPLS label except for the top label. IP information, the label number, and the MPLS application are reported for the top label. Only IP information and the label number are reported for labels other than the top label. Therefore, you need to understand your network if you are interested in identifying the MPLS application owner for labels other than the top MPLS label.

Using MPLS-aware NetFlow, you can monitor various labels in the MPLS label stack. You can also export this information to a NetFlow collector for further processing with a data analyzer and look at MPLS traffic patterns in your network.
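A parser for the show ip cache verbose flow output shown above, as an added Python example (not Cisco code). It turns each flow record and its Pos:Lbl-Exp-S line into structured data, totals packets per top label, and flags the cases this page calls out (top-label address 0.0.0.0, IP fields reported as 0, a stack deeper than the captured positions). The second record in SAMPLE is constructed; the parser assumes plain integer packet counts and the three-line record layout shown on this page.

```python
import re
from collections import Counter

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IP_RE = re.compile(IPV4)
HEX4_RE = re.compile(r"[0-9A-Fa-f]{4}")
# One captured label: position:label-exp-S, optionally followed by (type/address)
LABEL_RE = re.compile(r"(\d+):(\d+)-(\d+)-([01])(?:\s+\(([^/\s()]+)/(" + IPV4 + r")\))?")
PREFIX = "Pos:Lbl-Exp-S"

# First record: output from this page. Second record: constructed for this example.
SAMPLE = """\
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
PO3/0          10.1.1.1        PO5/1          10.2.1.1        01 00  10       9
0100 /0  0                     0200 /0  0     0.0.0.0               100     0.0
Pos:Lbl-Exp-S 1:12305-6-0 (LDP/10.10.10.10) 2:12312-6-1
PO3/0          0.0.0.0         PO5/1          0.0.0.0         00 00  00      40
0000 /0  0                     0000 /0  0     0.0.0.0               512     1.2
Pos:Lbl-Exp-S 1:12400-0-0 (LDP/10.10.10.20)
"""


def parse_mpls_line(line):
    """Parse a Pos:Lbl-Exp-S line into a list of label dicts."""
    labels = []
    for m in LABEL_RE.finditer(line[len(PREFIX):]):
        pos, label, exp, s, ltype, addr = m.groups()
        labels.append({"pos": int(pos), "label": int(label), "exp": int(exp),
                       "s": int(s), "type": ltype, "addr": addr})
    if not labels:
        raise ValueError("no labels found in: " + line)
    return labels


def parse_flows(text):
    """Parse flow records; headers, prompts and '...' lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    flows, i = [], 0
    while i < len(lines):
        tok = lines[i].split()
        i += 1
        if not (len(tok) == 8 and IP_RE.fullmatch(tok[1]) and IP_RE.fullmatch(tok[3])):
            continue
        flow = {"src_if": tok[0], "src_ip": tok[1], "dst_if": tok[2],
                "dst_ip": tok[3], "proto": int(tok[4], 16),
                "pkts": int(tok[7]), "labels": []}
        if i < len(lines):
            t2 = lines[i].split()
            if len(t2) == 9 and HEX4_RE.fullmatch(t2[0]) and HEX4_RE.fullmatch(t2[3]):
                flow.update(src_port=int(t2[0], 16), dst_port=int(t2[3], 16),
                            bytes_per_pkt=int(t2[7]))
                i += 1
        if i < len(lines) and lines[i].startswith(PREFIX):
            flow["labels"] = parse_mpls_line(lines[i])
            i += 1
        flows.append(flow)
    return flows


def notes(flow):
    """Interpretation hints based on the restrictions listed on this page."""
    labels = flow["labels"]
    if not labels:
        return ["IP flow: no MPLS labels captured"]
    out = []
    if labels[0]["addr"] == "0.0.0.0":
        out.append("top-label address 0.0.0.0: reported for TE tunnel midpoint and AToM top labels")
    if labels[-1]["s"] == 0:
        out.append("last captured label has S=0: the stack continues below the captured positions")
    if flow["src_ip"] == flow["dst_ip"] == "0.0.0.0":
        out.append("IP fields are 0: non-IP payload, or IP fields are not being reported")
    return out


def packets_by_top_label(flows):
    """Sum packet counts per (type, address, label) of the first captured label."""
    totals = Counter()
    for f in flows:
        if f["labels"]:
            top = f["labels"][0]
            totals[(top["type"], top["addr"], top["label"])] += f["pkts"]
    return totals


if __name__ == "__main__":
    for f in parse_flows(SAMPLE):
        print(f["src_ip"], "->", f["dst_ip"], f["labels"], notes(f))
    print(packets_by_top_label(parse_flows(SAMPLE)))
```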

Information Captured and Exported by MPLS-aware NetFlow

MPLS-aware NetFlow captures and reports on other information in addition to MPLS labels. It provides per-flow statistics for both incoming IP and MPLS traffic.

  • For MPLS traffic, MPLS-aware NetFlow captures and reports up to three labels of interest and the label type and associated IP address of the top label, along with a subset of NetFlow data.
  • For IP traffic, MPLS-aware NetFlow provides the regular NetFlow data.
  • MPLS-aware NetFlow uses the Version 9 format to export both IP and MPLS NetFlow data.

MPLS-aware NetFlow provides the following traditional NetFlow per-flow statistics:

  • Number of packets
  • Number of bytes, counting either MPLS payload size only or MPLS payload size plus MPLS label stack size
  • Time stamp of the first packet
  • Time stamp of the last packet

In addition to these statistics, MPLS-aware NetFlow exports values for the following fields for each flow, using the Version 9 NetFlow export format:

  • Regular NetFlow fields:
    • Source IP address
    • Destination IP address
    • Transport layer protocol
    • Source application port number
    • Destination application port number
    • IP ToS
    • TCP flags
    • Input interface
    • Output interface

Note    With the exception of the input interface and output interface fields, these regular NetFlow fields are not included in a flow if the no-ip-fields keyword is specified in the ip flow-cache mpls label-positions command.

  • Additional fields:
    • Up to three incoming MPLS labels with experimental bits and an end-of-stack bit
    • Positions of the MPLS labels in the label stack
    • Type of the top label
    • An address prefix associated with the top label specific to the label type:
      • TE--This is always set to "0.0.0.0" because tunnel label addresses are not supported.
      • LDP--The address prefix is the IP address of the next-hop.
      • VPN--If the VRFs do not have overlapping IP addresses, the address prefix is the destination prefix. If the VRFs have overlapping IP addresses, the destination prefix given may be ambiguous.

Note    Unlike NetFlow, MPLS-aware NetFlow reports a 0 value for IP next-hop, source and destination BGP autonomous system numbers, and source and destination prefix masks for MPLS packets.

Note    If you are exporting MPLS data to a NetFlow collector or a data analyzer, the collector must support the NetFlow Version 9 flow export format, and you must configure NetFlow export in Version 9 format on the router.
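What a collector has to do with this export, as an added Python example (not Cisco code, and not a complete collector). It parses a NetFlow Version 9 packet, caches the template, and decodes the MPLS fields using the RFC 3954 field type numbers (46 top label type, 47 top label address, 70 to 79 label positions 1 to 10, each label field being 20 bits of label, 3 Exp bits and 1 S bit). The packet is constructed inline from the flow values shown on this page; the template ID, interface indexes and field selection are assumptions.

```python
import socket
import struct

# NetFlow Version 9 field type numbers (RFC 3954) used in this example
FIELDS = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 8: "src_addr",
          10: "input_if", 12: "dst_addr", 14: "output_if",
          46: "top_label_type", 47: "top_label_addr",
          70: "mpls_label_1", 71: "mpls_label_2", 72: "mpls_label_3"}
TOP_LABEL_TYPES = {0: "unknown", 1: "TE-MIDPT", 2: "ATOM", 3: "VPN", 4: "BGP", 5: "LDP"}


def decode_field(ftype, raw):
    """Decode one field value according to its type and length."""
    if ftype in (8, 12, 47) and len(raw) == 4:
        return socket.inet_ntoa(raw)
    if 70 <= ftype <= 79 and len(raw) == 3:
        value = int.from_bytes(raw, "big")
        return {"label": value >> 4, "exp": (value >> 1) & 0x7, "s": value & 0x1}
    if ftype == 46 and len(raw) == 1:
        return TOP_LABEL_TYPES.get(raw[0], f"reserved({raw[0]})")
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates):
    """Return decoded data records. `templates` is the collector's cache,
    keyed by (source_id, template_id); a real collector would also key it
    by exporter address, since export runs over UDP."""
    if len(packet) < 20:
        raise ValueError("short packet")
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError(f"not a Version 9 export packet (version={version})")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                p += 4
                if tid < 256:  # padding, not a template record
                    break
                if p + 4 * nfields > len(body):
                    raise ValueError("truncated template record")
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, p + 4 * i) for i in range(nfields)]
                p += 4 * nfields
        elif fs_id > 255:  # data FlowSet; its ID names the template
            fields = templates.get((source_id, fs_id))
            if fields is not None:  # unknown template: skip until it is resent
                rec_len = sum(flen for _, flen in fields)
                p = 0
                while rec_len and p + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELDS.get(ftype, ftype)] = decode_field(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
        off += fs_len
    return records


def build_sample(with_template=True):
    """Constructed export packet carrying the flow shown on this page."""
    fields = [(8, 4), (12, 4), (4, 1), (10, 2), (14, 2), (2, 4), (1, 4),
              (46, 1), (47, 4), (70, 3), (71, 3)]
    tbody = struct.pack("!HH", 256, len(fields)) + b"".join(
        struct.pack("!HH", t, n) for t, n in fields)
    template = struct.pack("!HH", 0, 4 + len(tbody)) + tbody

    def label(value, exp, s):
        return ((value << 4) | (exp << 1) | s).to_bytes(3, "big")

    rec = (socket.inet_aton("10.1.1.1") + socket.inet_aton("10.2.1.1") + bytes([1])
           + struct.pack("!HHII", 3, 5, 9, 900)            # ifIndex in/out, pkts, bytes
           + bytes([5]) + socket.inet_aton("10.10.10.10")  # top label: LDP, prefix
           + label(12305, 6, 0) + label(12312, 6, 1))
    pad = (-len(rec)) % 4
    data = struct.pack("!HH", 256, 4 + len(rec) + pad) + rec + b"\x00" * pad
    count = 2 if with_template else 1
    header = struct.pack("!HHIIII", 9, count, 1000, 1354000000, 1, 0)
    return header + (template if with_template else b"") + data


if __name__ == "__main__":
    cache = {}
    for record in parse_v9(build_sample(), cache):
        print(record)
```

Data that arrives before its template cannot be decoded, which is why the template timeout settings in the Version 9 export configuration matter to the collector.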

Full and Sampled MPLS-aware NetFlow Support

The table below shows full and sampled MPLS-aware NetFlow support. Information in the table is based on the Cisco IOS release and includes the commands to implement the functionality on a supported platform.

Table 2 Full and Sampled MPLS-aware NetFlow Support

Cisco IOS Release  Full or Sampled NetFlow  Cisco 12000 Series Commands to Implement  Cisco 7500/7200 Series Commands to Implement [3]
-----------------  -----------------------  ----------------------------------------  ------------------------------------------------
12.0(24)S          Sampled                  ip route-cache flow sampled               --
                   Full                     --                                        --
12.0(26)S          Sampled                  ip route-cache flow sampled               flow-sampler-map sampler-map-name
                                                                                      mode random one-out-of packet-interval
                                                                                      interface type number
                                                                                      flow-sampler sampler-map-name
                   Full                     --                                        ip route-cache flow

[3] NetFlow sampling on the Cisco 7500 and 7200 platforms is performed by a feature called Random Sampled NetFlow.

How to Configure MPLS-aware NetFlow

Configuring MPLS-aware NetFlow on a Router

Perform the following task to configure MPLS-aware NetFlow on a router.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    interface type / number

4.    ip flow {ingress}

5.    exit

6.    Repeat Steps 3 through 5 for each interface you want to configure NetFlow on.

7.    ip flow-export version 9 [origin-as | peer-as][bgp-nexthop]

8.    ip flow-cache mpls label-positions [label-position-1 [label-position-2 [label-position-3]]] [no-ip-fields] [mpls-length]

9.    exit


DETAILED STEPS
Step 1   enable

Example:
Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2   configure terminal

Example:
Router# configure terminal

Enters global configuration mode.

Step 3   interface type / number

Example:
Router(config)# interface pos 3/0

Specifies the interface and enters interface configuration mode.

Step 4   ip flow {ingress}

Example:
Router(config-if)# ip flow ingress

Enables NetFlow on the interface.

  • ingress--Captures traffic that is being received by the interface.

Step 5   exit

Example:
Router(config-if)# exit

(Optional) Exits interface configuration mode and returns to global configuration mode.

Note    You only need to use this command if you want to enable NetFlow on another interface.

Step 6   Repeat Steps 3 through 5 for each interface you want to configure NetFlow on.

This step is optional.

Step 7   ip flow-export version 9 [origin-as | peer-as] [bgp-nexthop]

Example:
Router(config)# ip flow-export version 9 origin-as

(Optional) Enables the export of information in NetFlow cache entries.

  • The version 9 keyword specifies that the export packet uses the Version 9 format.
  • The origin-as keyword specifies that export statistics include the origin autonomous system (AS) for the source and destination.
  • The peer-as keyword specifies that export statistics include the peer AS for the source and destination.
  • The bgp-nexthop keyword specifies that export statistics include BGP next hop-related information.

Caution    Entering this command on a Cisco 12000 series Internet router causes packet forwarding to stop for a few seconds while NetFlow reloads the Route Processor and line card Cisco Express Forwarding tables. To avoid interruption of service to a live network, apply this command during a change window, or include it in the startup-config file to be executed during a router reboot.

Step 8   ip flow-cache mpls label-positions [label-position-1 [label-position-2 [label-position-3]]] [no-ip-fields] [mpls-length]

Example:
Router(config)# ip flow-cache mpls label-positions 1 2 3

Enables MPLS-aware NetFlow.

  • The label-position-n argument identifies the position of an MPLS label of interest in the incoming label stack. Label positions are counted from the top of the stack, starting with 1.
  • The no-ip-fields keyword controls the capture and reporting of MPLS flow fields. If the no-ip-fields keyword is specified, the following IP-related flow fields are not included:
    • Source IP address
    • Destination IP address
    • Transport layer protocol
    • Source application port number
    • Destination application port number
    • IP type of service (ToS)
    • TCP flag (the result of a bitwise OR of TCP)

    If the no-ip-fields keyword is not specified, the IP-related fields are captured and reported.

  • The mpls-length keyword controls the reporting of packet length. If the mpls-length keyword is specified, the reported length represents the sum of the MPLS packet payload length and the MPLS label stack length.

    If the mpls-length keyword is not specified, only the length of the MPLS packet payload is reported.

Step 9   exit

Example:
Router(config)# exit

Exits the current configuration mode and returns to privileged EXEC mode.

Configuring Sampling for MPLS-aware NetFlow

Perform the following task to configure sampling for MPLS-aware NetFlow.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    flow-sampler-map sampler-map-name

4.    mode random one-out-of packet-interval

5.    exit

6.    interface type / number

7.    flow-sampler sampler-map-name

8.    end


DETAILED STEPS
Step 1   enable

Example:
Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2   configure terminal

Example:
Router# configure terminal

Enters global configuration mode.

Step 3   flow-sampler-map sampler-map-name

Example:
Router(config)# flow-sampler-map mysampler

Defines a named object representing a NetFlow sampler and enters sampler map configuration mode.

  • The sampler-map-name argument is the name of the NetFlow sampler.

Step 4   mode random one-out-of packet-interval

Example:
Router(config-sampler-map)# mode random one-out-of 100

Specifies the sampling mode for the NetFlow sampler.

  • The random keyword specifies the random sampling mode.
  • The one-out-of packet-interval keyword argument combination defines the interval selected for random sampling. The packet interval is from 1 to 65535.

Step 5   exit

Example:
Router(config-sampler-map)# exit

Exits sampler map configuration mode and returns to global configuration mode.

Step 6   interface type / number

Example:
Router(config)# interface ethernet 0/0

Specifies the interface that you want to enable NetFlow on and enters interface configuration mode.

Step 7   flow-sampler sampler-map-name

Example:
Router(config-if)# flow-sampler mysampler

Enables sampled NetFlow accounting on the interface.

  • The sampler-map-name argument is the name of the NetFlow sampler.

Step 8   end

Example:
Router(config-if)# end

Exits the current configuration mode and returns to privileged EXEC mode.

Troubleshooting Tips

Use the show flow-sampler sampler-map-name command to verify the configuration of NetFlow sampling, including the NetFlow sampling mode, sampling mode parameters, and number of packets sampled by the NetFlow sampler.

For more information about NetFlow export sampling, see the Using NetFlow Filtering or Sampling to Select the Network Traffic to Track module.

Verifying the NetFlow Sampler Configuration

Perform the following task to verify the NetFlow sampler configuration on your router:

SUMMARY STEPS

1.    show flow-sampler [sampler-map-name]


DETAILED STEPS
Step 1   show flow-sampler [sampler-map-name]

Use this command to verify the following information about a specific or all NetFlow samplers on the router: sampling mode, sampling parameters (such as packet sampling interval), and number of packets selected by the sampler for NetFlow processing. For example, the following command verifies the configuration for a specific NetFlow sampler:

Example:
Router# show flow-sampler mysampler
Sampler : mysampler, id : 1, packets matched : 10, mode : random sampling mode
  sampling interval is : 100

The following command verifies the configuration for all NetFlow samplers on the router:

Example:
Router# show flow-sampler
Sampler : mysampler, id : 1, packets matched : 10, mode : random sampling mode
  sampling interval is : 100
Sampler : mysampler1, id : 2, packets matched : 5, mode : random sampling mode
  sampling interval is : 200

Displaying MPLS-aware NetFlow Information on a Router

Perform this task to display a snapshot of the MPLS-aware NetFlow cache on a router.

SUMMARY STEPS

1.    enable

2.    Enter one of the following commands:

  • attach slot-number
  • if-con slot-number

3.    show ip cache verbose flow

4.    show ip cache flow

5.    exit (Cisco 12000 series routers only) or if-quit (Cisco 7500 series routers only)


DETAILED STEPS
Step 1   enable

Use this command to enable privileged EXEC mode. Enter your password if required. For example:



Example:
Router> enable
Step 2  
  • attach slot-number
  • if-con slot-number


Example:
Router# attach 3


Example:
Router# if-con 3

Use the attach command to access the Cisco IOS software on the line card of a Cisco 12000 series Internet router.

Use the if-con command to access the Cisco IOS software on the line card of a Cisco 7500 series router.

Step 3   show ip cache verbose flow

Use this command to display IP and MPLS flow records in the NetFlow cache on a Cisco 12000 series Internet router or Cisco 7500 series router. For example:



Example:
Router# show ip cache verbose flow
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
PO3/0          10.1.1.1        PO5/1          10.2.1.1        01 00  10       9
0100 /0  0                     0200 /0  0     0.0.0.0               100     0.0
Pos:Lbl-Exp-S 1:12305-6-0 (LDP/10.10.10.10) 2:12312-6-1

In this example, the value of the top label is 12305, the experimental bits value is 6, and the end-of-stack bit is 0. The label is LDP and it has an associated IP address of 10.10.10.10. The value of the next from the top label is 12312, the experimental bits value is 6, and the end-of-stack bit is 1. The 1 indicates that this is the last MPLS label in the stack.

Use this command to display IP and MPLS flow records in the NetFlow cache on a Cisco 7200 series router. For example:



Example:
Router# show ip cache verbose flow
...             
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
PO3/0          10.1.1.1        PO5/1          10.2.1.1        01 00  10       9
0100 /0  0                     0200 /0  0     0.0.0.0               100     0.0
Pos:Lbl-Exp-S 1:12305-6-0 (LDP/10.10.10.10) 2:12312-6-1

In this example, the value of the top label is 12305, the experimental bits value is 6, and the end-of-stack bit is 0. The label is LDP and has an associated IP address of 10.10.10.10. The value of the next from the top label is 12312, the experimental bits value is 6, and the end-of-stack bit is 1. The 1 indicates that this is the last MPLS label in the stack.

Step 4   show ip cache flow

Use this command to display a summary of the IP and MPLS flow records in the NetFlow cache on a Cisco 12000 series Internet router or Cisco 7500 series router. For example, the following output of the show ip cache flow command shows the IP portion of the MPLS flow record in the NetFlow cache:



Example:
Router# show ip cache flow
...
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
PO3/0         10.1.1.1        PO5/1         10.2.1.1        01 0100 0200     9
...

Use this command to display a summary of the IP and MPLS flow records in the NetFlow cache on a Cisco 7200 series router. For example:



Example:
Router# show ip cache flow
...
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
PO3/0         10.1.1.1        PO5/1         10.2.1.1        01 0100 0200     9
...
Step 5   exit (Cisco 12000 series routers only)

or

if-quit (Cisco 7500 series routers only)

Use the exit command to exit from the line card to privileged EXEC mode of a Cisco 12000 series Internet router. For example:



Example:
Router# exit

Use the if-quit command to exit from the line card to privileged EXEC mode of a Cisco 7500 series router. For example:



Example:
Router# if-quit

Configuration Examples for MPLS-aware NetFlow

Example Configuring MPLS-aware NetFlow on a Router

The following example shows MPLS-aware NetFlow configured globally and NetFlow enabled on an interface on a Cisco 12000 series P router with Cisco IOS Release 12.0(24)S and later releases:

configure terminal
!
interface pos 3/0
 ip address 10.10.10.2 255.255.255.0
 ip route-cache flow sampled
 exit 
!
ip flow-export version 9 origin-as
ip flow-sampling-mode packet-interval 101
ip flow-cache mpls label-positions 1 2 3
exit

The following examples show MPLS-aware NetFlow configured globally and NetFlow enabled on an interface on a Cisco 7200 or Cisco 7500 series P router with Cisco IOS 12.0S releases:

configure terminal
!
interface pos 3/0
 ip address 10.10.10.2 255.255.255.0
 ip route-cache flow sampled
 exit 
!
ip flow-export version 9 origin-as
ip flow-sampling-mode packet-interval 101
ip flow-cache mpls label-positions 1 2 3
exit

The following examples show MPLS-aware NetFlow configured globally and NetFlow enabled on an interface on a router with a Cisco IOS Release 12.2(14)S, 12.2(15)T, or 12.0(22)S or later releases:

configure terminal
!
interface pos 3/0
 ip address 10.10.10.2 255.255.255.0
 ip flow ingress
 exit 
!
ip flow-export version 9 origin-as
ip flow-sampling-mode packet-interval 101
ip flow-cache mpls label-positions 1 2 3
exit

To export MPLS-aware NetFlow data from the router, you need to configure the NetFlow Version 9 export format. This example shows the NetFlow Version 9 export format configuration options for MPLS-aware NetFlow and IP NetFlow data export along with an explanation of what each command configures.

Table 3 NetFlow Version 9 Format Configuration Options

configure terminal
 ip flow-export version 9 origin-as

Enters global configuration mode and requests Version 9 flow export, and reports origin-as for IP packets.

 ip flow-export template options sampling 

Specifies the template option sampling configuration.

 ip flow-export template options export-stats

Reports the number of export packets sent and the number of flows exported.

 ip flow-export template options timeout 5

Exports template options every 5 minutes.

 ip flow-export template timeout 5

Resends templates to the collector every 5 minutes.

 ip flow-export destination 10.21.32.25 9996

Specifies the export destination and UDP port.

 ip flow-export source Loopback0

Specifies the export source.

 ip flow-sampling-mode packet-interval 101

Configures the sampling mode packet interval.

ip flow-cache mpls label-positions 1 2 3

Configures the MPLS-aware NetFlow feature to report the top three labels.

interface pos 3/0
 ip route-cache flow [sampled]
 end

Enables full or sampled IP and MPLS-aware NetFlow on interface POS 3/0 and returns to privileged EXEC mode.

Note    The combination of sampled IP and MPLS-aware NetFlow is supported on the Cisco 12000 series Internet router only.

Example Configuring Sampling for MPLS-aware NetFlow

The following examples show how to define a NetFlow sampler that randomly selects 1 out of 100 packets for NetFlow processing, and how to apply this sampler to an interface on a Cisco 7500 or Cisco 7200 series router.

Defining the NetFlow Sampler

The following example shows how to define a NetFlow sampler called mysampler that randomly selects 1 out of 100 packets for NetFlow processing:

configure terminal
!
flow-sampler-map mysampler
 mode random one-out-of 100 
 end
exit

Applying the NetFlow Sampler to an Interface

The following example shows how to apply the NetFlow sampler named mysampler to an interface:

configure terminal
!
interface FastEthernet 2/0
 flow-sampler mysampler 
 end
exit

Additional References

Related Documents

Related Topic: Document Title

  • Overview of Cisco IOS NetFlow: Cisco IOS NetFlow Overview
  • The minimum information about and tasks required for configuring NetFlow and NetFlow Data Export: Getting Started with Configuring NetFlow and NetFlow Data Export
  • Tasks for configuring NetFlow to capture and export network traffic data: Configuring NetFlow and NetFlow Data Export
  • Tasks for configuring MPLS egress NetFlow accounting: Configuring MPLS Egress NetFlow Accounting and Analysis
  • Tasks for configuring NetFlow input filters: Using NetFlow Filtering or Sampling to Select the Network Traffic to Track
  • Tasks for configuring Random Sampled NetFlow: Using NetFlow Filtering or Sampling to Select the Network Traffic to Track
  • Tasks for configuring NetFlow aggregation caches: Configuring NetFlow Aggregation Caches
  • Tasks for configuring NetFlow BGP next hop support: Configuring NetFlow BGP Next Hop Support for Accounting and Analysis
  • Tasks for configuring NetFlow multicast support: Configuring NetFlow Multicast Accounting
  • Tasks for detecting and analyzing network threats with NetFlow: Detecting and Analyzing Network Threats with NetFlow
  • Tasks for configuring NetFlow Reliable Export With SCTP: NetFlow Reliable Export with SCTP
  • Tasks for configuring NetFlow Layer 2 and Security Monitoring Exports: NetFlow Layer 2 and Security Monitoring Exports
  • Tasks for configuring the SNMP NetFlow MIB: Configuring SNMP and Using the NetFlow MIB to Monitor NetFlow Data
  • Tasks for configuring the NetFlow MIB and Top Talkers feature: Configuring NetFlow Top Talkers Using Cisco IOS CLI Commands or SNMP Commands
  • Information for installing, starting, and configuring the CNS NetFlow Collection Engine: Cisco CNS NetFlow Collection Engine Documentation

Standards

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs

MIB: None

MIBs Link: To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

Technical Assistance

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for Configuring MPLS-aware NetFlow

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 4 Feature Information for Configuring MPLS-aware NetFlow

Feature Name: MPLS-aware NetFlow

Releases: 12.0(24)S, 12.3(8)T

Feature Configuration Information: MPLS-aware NetFlow is an extension of the NetFlow accounting feature that provides highly granular traffic statistics for Cisco routers. MPLS-aware NetFlow collects statistics on a per-flow basis just as NetFlow does. MPLS-aware NetFlow uses the NetFlow Version 9 export format.

The following commands were introduced or modified: ip flow-cache mpls label-positions and show ip cache verbose flow.

Glossary

AToM --Any Transport over MPLS. A protocol that provides a common framework for encapsulating and transporting supported Layer 2 traffic types over a Multiprotocol Label Switching (MPLS) network core.

BGP --Border Gateway Protocol. An interdomain routing protocol that replaces Exterior Gateway Protocol (EGP). A BGP system exchanges reachability information with other BGP systems. It is defined by RFC 1163.

CE router --customer edge router. A router that is part of a customer network and that interfaces to a provider edge (PE) router. CE routers do not have routes to associated VPNs in their routing tables.

core router --In a packet-switched star topology, a router that is part of the backbone and that serves as the single pipe through which all traffic from peripheral networks must pass on its way to other peripheral networks.

EGP --Exterior Gateway Protocol. Internet protocol for exchanging routing information between autonomous systems. It is documented in RFC 904. This term is not to be confused with the general term exterior gateway protocol. EGP is an obsolete protocol that was replaced by Border Gateway Protocol (BGP).

export packet --(NetFlow) A packet from a device (for example, a router) with NetFlow services enabled that is addressed to another device (for example, a NetFlow collector). This other device processes the packet (parses, aggregates, and stores information on IP flows).

FEC --Forward Equivalency Class. A set of packets that can be handled equivalently for the purpose of forwarding and thus is suitable for binding to a single label. The set of packets destined for an address prefix is one example of an FEC. A flow is another example.

flow --A unidirectional set of packets (IP or Multiprotocol Label Switching [MPLS]) that arrive at the router on the same subinterface and have the same source and destination IP addresses, the same Layer 4 protocol, the same TCP/UDP source and destination ports, and the same type of service (ToS) byte in the IP header.

IPv6 --IP Version 6. Replacement for the current version of IP (Version 4). IPv6 includes support for flow ID in the packet header, which can be used to identify flows. Formerly called IPng (next generation).

label --A short, fixed-length identifier that tells switching nodes how the data (packets or cells) should be forwarded.

label imposition --The act of putting a label or labels on a packet.

LDP --Label Distribution Protocol. A standard protocol that operates between Multiprotocol Label Switching (MPLS)-enabled routers to negotiate the labels (addresses) used to forward packets. The Cisco proprietary version of this protocol is the Tag Distribution Protocol (TDP).

LFIB --Label Forwarding Information Base. A data structure and way of managing forwarding in which destinations and incoming labels are associated with outgoing interfaces and labels.

LSR --label switch router. A router that forwards packets in a Multiprotocol Label Switching (MPLS) network by looking only at the fixed-length label.

MPLS --Multiprotocol Label Switching. A switching method in which IP traffic is forwarded through use of a label. This label instructs the routers and the switches in the network where to forward the packets. The forwarding of MPLS packets is based on preestablished IP routing information.

MPLS flow --A unidirectional sequence of Multiprotocol Label Switching (MPLS) packets that arrive at a router on the same subinterface and have the same source and destination IP addresses, the same Layer 4 protocol, the same TCP/UDP source and destination ports, and the same type of service (ToS) byte in the IP header. A TCP session is an example of a flow.

packet header --(NetFlow) The first part of an export packet that provides basic information about the packet, such as the NetFlow version, number of records contained within the packet, and sequence numbering. The header information enables lost packets to be detected.

PE router --provider edge router. A router that is part of a service provider's network connected to a customer edge (CE) router. All VPN processing occurs in the PE router.

P router --provider core or backbone router. A router that is part of a service provider's core or backbone network and is connected to the provider edge (PE) routers.

TDP --Tag Distribution Protocol. The Cisco proprietary version of the protocol (label distribution protocol) between Multiprotocol Label Switching (MPLS)-enabled routers to negotiate the labels (addresses) used to forward packets.

TE --traffic engineering. Techniques and processes that cause routed traffic to travel through the network on a path other than the one that would have been chosen if standard routing methods were used.

TE tunnel --traffic engineering tunnel. A label-switched tunnel that is used for traffic engineering. Such a tunnel is set up through means other than normal Layer 3 routing; it is used to direct traffic over a path different from the one that Layer 3 routing could cause the tunnel to take.

VPN --Virtual Private Network. A secure IP-based network that shares resources on one or more physical networks. A VPN contains geographically dispersed sites that can communicate securely over a shared backbone.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.