MPLS-Aware NetFlow

Table Of Contents

MPLS-Aware NetFlow

Contents

Prerequisites for MPLS-Aware NetFlow

Restrictions for MPLS-Aware NetFlow

Information About MPLS-Aware NetFlow

MPLS Flows

MPLS Label Stack

MPLS-Aware NetFlow Capture and Display of MPLS Labels

MPLS-Aware NetFlow Capture of MPLS Labels

MPLS-Aware NetFlow Display of MPLS Labels

Information Captured and Exported by MPLS-Aware NetFlow

Full and Sampled MPLS-Aware NetFlow Support

MPLS Traffic Analysis and Monitoring Using MPLS-Aware NetFlow and NetFlow MPLS Label Export

How to Configure MPLS-Aware NetFlow

Configuring MPLS-Aware NetFlow on a Router

Configuring Sampling for MPLS-Aware NetFlow

Verifying the NetFlow Sampler Configuration

Displaying MPLS-Aware NetFlow Information on a Router

Configuration Examples for MPLS-Aware NetFlow

Configuring MPLS-Aware NetFlow on a Router: Examples

Configuring Sampling for MPLS-Aware NetFlow: Examples

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

ip flow-cache mpls label-positions

show ip cache verbose flow

Glossary

Feature Information for MPLS-Aware NetFlow

MPLS-Aware NetFlow

---

First Published: January 31, 2003

Last Updated: March 20, 2006

Multiprotocol Label Switching (MPLS)-Aware NetFlow is an extension of the NetFlow accounting feature that provides highly granular traffic statistics for Cisco routers. MPLS-Aware NetFlow collects statistics on a per-flow basis just as NetFlow does.

MPLS-Aware NetFlow statistics can be used for detailed MPLS traffic studies and analysis that can provide information for a variety of purposes such as MPLS network management, network planning, and enterprise accounting.

A network administrator can turn on MPLS-Aware NetFlow inside an MPLS cloud on a subset of provider backbone (P) routers. These routers can export MPLS-Aware NetFlow data to an external NetFlow collection device for further processing and analysis or display NetFlow cache data on a router terminal.

Finding Feature Information in This Module

Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for MPLS-Aware NetFlow" section.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

•Prerequisites for MPLS-Aware NetFlow

•Restrictions for MPLS-Aware NetFlow

•Information About MPLS-Aware NetFlow

•How to Configure MPLS-Aware NetFlow

•Configuration Examples for MPLS-Aware NetFlow

•Additional References

•Command Reference

•Glossary

•Feature Information for MPLS-Aware NetFlow

Prerequisites for MPLS-Aware NetFlow

The MPLS-Aware NetFlow feature requires the following for its operation:

•NetFlow configured on the label switch router (LSR)

•MPLS enabled on the LSR

•Cisco Express Forwarding or distributed Cisco Express Forwarding enabled on the LSR

The following are also required if you are exporting MPLS-Aware NetFlow data to a Cisco NetFlow collector:

•NetFlow Version 9 export format configured on the LSR

•NetFlow collector and analyzer capable of using MPLS-Aware NetFlow export packets in Version 9 format

Restrictions for MPLS-Aware NetFlow

The following restrictions apply to the MPLS-Aware NetFlow feature in Cisco IOS Releases 12.0(26)S, 12.3(8)T, 12.2(28)SB, and later releases:

•No more than three MPLS labels are allowed to be captured and exported for this implementation.

•MPLS-Aware NetFlow reports the following fields in MPLS flows as 0: IP next-hop, source and destination Border Gateway Protocol (BGP) autonomous system numbers, and source and destination prefix masks.

•For MPLS packets that contain non-IP packets under the MPLS label stack, MPLS-Aware NetFlow reports the following flow fields as 0: source and destination IP addresses, protocol, ToS, ports, and TCP flags.

The following restriction applies to MPLS-Aware NetFlow in Cisco IOS Release 12.2(28)SB and later releases:

•The MPLS label type and associated IP address are not captured. If you want this functionality, you need to enable the NetFlow MPLS Label Export feature.

Information About MPLS-Aware NetFlow

The following sections contain information for understanding how to configure and use the MPLS-Aware NetFlow feature:

•MPLS Flows

•MPLS Label Stack

•MPLS-Aware NetFlow Capture and Display of MPLS Labels

•Information Captured and Exported by MPLS-Aware NetFlow

•Full and Sampled MPLS-Aware NetFlow Support

•MPLS Traffic Analysis and Monitoring Using MPLS-Aware NetFlow and NetFlow MPLS Label Export

MPLS Flows

MPLS-Aware NetFlow collects statistics on a per-flow basis just as NetFlow does. A flow is a unidirectional set of packets (IP or MPLS) that arrive at the router on the same subinterface, and have the same source and destination IP addresses, the same Layer 4 protocol, the same TCP and UDP source and destination ports, and the same type of service (ToS) byte in the IP header.

An MPLS flow contains up to three of the same incoming MPLS labels of interest with experimental bits and end-of-stack bits in the same positions in the packet label stack. MPLS-Aware NetFlow captures MPLS traffic that contains both IP and non-IP packets. It reports non-IP packets, but sets the IP NetFlow fields to 0. It can also be configured to capture and report IP packets, setting to 0 the IP NetFlow fields. MPLS-Aware NetFlow uses the NetFlow Version 9 export format. MPLS-Aware NetFlow exports up to three labels of interest from the incoming label stack and traditional NetFlow data.

MPLS Label Stack

As packets move through an MPLS network, LSRs can add labels to the MPLS label stack. The label is a short, four-byte, fixed-length, locally-significant identifier that is used to identify a Forwarding Equivalence Class (FEC). The label that is put on a particular packet represents the FEC to which that packet is assigned. LSRs in an MPLS cloud can add up to six labels to the MPLS label stack. An LSR adds the MPLS labels to the top of the IP packet. Figure 1 shows an example of an incoming MPLS label stack that LSRs added to an IP packet as it traversed an MPLS cloud. The label type is the MPLS technology that allocated the label; for example, Label Distribution Protocol (LDP) allocated label 33, and the Carrier Supporting Carrier (CSC) technology allocated label 42.

Figure 1 Example of an MPLS Label Stack Added to an IP Packet in an MPLS Cloud

In the example of an MPLS label stack in Figure 1:

•The 33 represents the top label of this packet.

This label was the last label added to the MPLS label stack and the label that MPLS-Aware NetFlow captures if you indicate the label of interest as 1.

•The 42 represents the second label in the MPLS stack.

MPLS-Aware NetFlow captures this label if you indicate 2 (second from the top) as a label of interest.

•The 16 represents the third label in the MPLS label stack.

MPLS-Aware NetFlow captures this label if you indicate 3 (third from the top) as a label of interest.

•Lb4-Lb6 represents the fourth to sixth labels in the MPLS stack. LSRs in an MPLS cloud add up to six labels to the MPLS label stack.

MPLS-Aware NetFlow captures these labels if you indicate 4, 5, or 6 as a label of interest.

•The B represents miscellaneous bits. These include the following:

–Exp—Three bits reserved for experimental use

–S—End-of-stack bits, set to 1 for the last entry in the stack and to 0 for every other entry

–Time To Live (TTL)—Eight bits used to encode a hop count (or time to live) value

Figure 2 shows a sample CSC topology and the incoming MPLS label stack on multiple LSRs as the packet travels through the network. This is what the stack might look like at a provider backbone LSR.

Figure 2 Provider and Customer Networks and MPLS Label Imposition

In the example in Figure 2, a hierarchical Virtual Private Network (VPN) is set up between two customer edge (CE) routers:

•Traffic flows from the CE router to a provider edge (PE) router, possibly one belonging to an Internet service provider (ISP). Here, a VPN label (16) is imposed on the inbound IP packet.

•The ISP network eventually connects to an Internet backbone provider where a CSC label (42) is imposed on the label stack.

•As packets traverse the backbone network, an LDP label (33) is imposed on the label stack.

•At the inbound interface shown in Figure 2, MPLS-Aware NetFlow captures the MPLS label stack and reports that the top label is 33, the second label is 42, and the third label is 16.

If you configure the NetFlow MPLS Label Export feature on the P router at the inbound interface shown in Figure 2, you can capture and export label 33 with its associated application LDP and its destination IP address or the FEC.

---

Note For information on additional labels allocated in your network, you can configure the NetFlow MPLS Label Export feature on additional network routers.

---

MPLS-Aware NetFlow Capture and Display of MPLS Labels

This section contains the following topics:

•MPLS-Aware NetFlow Capture of MPLS Labels

•MPLS-Aware NetFlow Display of MPLS Labels

MPLS-Aware NetFlow Capture of MPLS Labels

When you configure the MPLS-Aware NetFlow feature, you select the MPLS label positions in the incoming label stack that you are interested in monitoring. You can capture up to three labels from positions 1 to 6 in the MPLS label stack. Label positions are counted from the top of the stack. For example, the position of the top label is 1, the position of the next label is 2, and so on. You enter the stack location value as an argument to the following command:

ip flow-cache mpls label-positions [label-position-1 [label-position-2 

[label-position-3]]] 

The label-position argument represents the position of the label on the incoming label stack. For example, the ip flow-cache mpls label-positions 1 3 4 command configures MPLS-Aware NetFlow to capture and export the first (top), third, and fourth labels. If you enter this command and the label stack consists of two MPLS labels, MPLS-Aware NetFlow captures only the first (top) label. If some of the labels you requested are not available, they are not captured or reported.

---

Note MPLS-Aware NetFlow allows the capture of up to three labels.

---

MPLS-Aware NetFlow is enabled globally on the router. However, NetFlow is enabled per interface and must be enabled in either full or sampled mode on the interfaces where you choose to capture and export MPLS and IP NetFlow data.

MPLS-Aware NetFlow Display of MPLS Labels

The MPLS-Aware NetFlow feature allows the display of a snapshot of the NetFlow cache, including MPLS flows, on a terminal through the use of the show ip cache verbose flow command. For example, output like the following from a provider backbone router (P router) shows position, value, experimental bits, and end-of-stack bit for each MPLS label of interest.

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts

Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active

PO3/0          10.1.1.1        PO5/1          10.2.1.1        01 00  10       9

0100 /0  0                     0200 /0  0     0.0.0.0               100     0.0

Pos:Lbl-Exp-S 1:12305-6-0 2:12312-6-1

In this example from a P router:

•The value of the top label is 12305.

•The experimental bits value is 6 and the end-of-stack bit is 0.

•The value of the second label is 12312, the experimental bits value is 6, and the end-of-stack bit is 1.

To fully understand and use the information gathered on the P router, you need information from the Label Forwarding Information Base (LFIB) on the PE router.

The MPLS application owner for a label is not reported by MPLS-Aware NetFlow for any MPLS label; only the label number is reported. If you are interested in identifying the MPLS application owner for MPLS labels, you need to configure the NetFlow MPLS Label Export feature on your network devices.

Using MPLS-Aware NetFlow and NetFlow MPLS Label Export together, you can monitor various labels in the MPLS label stack by exporting the information to a NetFlow collector for further processing with a data analyzer and look at MPLS traffic patterns in your network.

Information Captured and Exported by MPLS-Aware NetFlow

MPLS-Aware NetFlow captures and reports on per-flow statistics for both incoming MPLS and IP traffic:

•For MPLS traffic, MPLS-Aware NetFlow captures and reports up to three labels of interest, along with a subset of NetFlow data.

•For IP traffic, MPLS-Aware NetFlow provides the regular NetFlow data.

MPLS-Aware NetFlow uses Version 9 format to export both IP and MPLS NetFlow data.

MPLS-Aware NetFlow provides the following traditional NetFlow per-flow statistics:

•Number of packets

•Number of bytes, counting either MPLS payload size only or MPLS payload size plus MPLS label stack size

•Time stamp of the first packet

•Time stamp of the last packet

In addition to these statistics, MPLS-Aware NetFlow exports values for the following fields for each flow, using Version 9 NetFlow export format:

•Regular NetFlow fields:

–Source IP address

–Destination IP address

–Transport layer protocol

–Source application port number

–Destination application port number

–IP ToS

–TCP flags

–Input interface

–Output interface

---

Note With the exception of the input interface and output interface fields, these regular NetFlow fields are not included in a flow if the no-ip-fields keyword is specified in the ip flow-cache mpls label-positions command.

---

•Additional fields:

–Up to three incoming MPLS labels with experimental bits and an end-of-stack bit

–Positions of the three labels in the label stack

---

Note Unlike NetFlow, MPLS-Aware NetFlow reports a 0 value for IP next-hop, source and destination BGP autonomous system numbers, or source and destination prefix masks for MPLS packets.

---

---

Note If you are exporting MPLS data to a NetFlow collector or a data analyzer, the collector must support NetFlow Version 9 flow export format, and you must configure NetFlow export in Version 9 format on the router.

---

For more information on IP NetFlow, refer to the Cisco IOS NetFlow Configuration Guide, Release 12.4.

Full and Sampled MPLS-Aware NetFlow Support

Table 1 shows MPLS-Aware NetFlow full and sampled NetFlow support. Information in the table is based on the Cisco IOS release and includes the commands to implement the functionality on a supported platform.

Table 1 MPLS-Aware NetFlow Full and Sampled NetFlow Support 

Cisco IOS Release	Full or Sampled NetFlow	Cisco 12000 Series Commands to Implement	Cisco 7500 and 7200 Series Commands to Implement 1
12.0(24)S	Sampled	ip route-cache flow sampled	—
	Full	—	—
12.0(26)S	Sampled	ip route-cache flow sampled	flow-sampler-map sampler-map-name mode random one-of packet-interval interface type number flow-sampler sampler-map-name
	Full	—	ip route-cache flow
12.2(28)SB	Sampled	ip route-cache flow sampled	flow-sampler-map sampler-map-name mode random one-of packet-interval interface type number flow-sampler sampler-map-name
	Full	—	ip route-cache flow

1 NetFlow sampling on the Cisco 7500 and 7200 platforms is performed by a feature called Random Sampled NetFlow. For more information, see the Random Sampled NetFlow feature module, Cisco IOS Release 12.3(2)T.

MPLS Traffic Analysis and Monitoring Using MPLS-Aware NetFlow and NetFlow MPLS Label Export

MPLS traffic in your network cannot be analyzed and monitored unless the following features are available:

•A collection of MPLS-Aware NetFlow statistics (possibly from line cards)

•A collection of mappings from MPLS labels to FECs and allocating applications (on the Route Processor [RP])

•A correlation of these statistics and mappings (on the NetFlow collector)

When you enable MPLS-Aware NetFlow you can capture up to three MPLS label values from the MPLS label stack and some traditional NetFlow IP information. The MPLS label that is most relevant to a router is the top label in the stack. The NetFlow MPLS Label Export feature sets up an MPLS Prefix/Application/Label (PAL) table. This table provides a mapping that can link the top label to a destination prefix or FEC and to the MPLS application that is currently using the label. You can use this prefix, label, and application mapping to help you analyze and monitor MPLS traffic patterns through a router.

---

Note Each mapping entry is known as a PAL entry. Each PAL entry contains a time stamp in addition to the prefix, application, and label.

---

MPLS-Aware NetFlow captures and stores MPLS label values in the NetFlow cache, which is usually located on a P router. The label values can be exported from the router to a NetFlow collector (Cisco's or a third party's application).

Label ownership and prefix information are not found on the line card where the NetFlow cache records are stored, nor are they found on the same router where the NetFlow cache records are stored. The NetFlow cache is located on a P router. The label-ownership information is located on an adjacent PE router.

In Cisco IOS 12.2(28)SB and later 12.2S releases, each MPLS application on the PE router can register its label values, prefixes, and owning applications. You can configure this information to be exported as the labels are allocated or periodically through the use of the mpls export interval command. The PAL table stores the label-tracking information.

When you enable the NetFlow MPLS Label Information Export feature along with the MPLS-Aware NetFlow feature, the show ip cache verbose flow command displays application and prefix information for MPLS flow records. For example:

Router# show ip cache verbose flow

. 
. 
.

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts  

Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active  

Et1/4          10.34.0.2        Et1/1          10.0.0.9        01 04  10    2000   

0000 /0  0                     0800 /0  0     0.0.0.0               100     7.0  

Pos:Lbl-Exp-S 1:21-0-1 (VPN/10.0.0.9)  

The last line contains the information added by the NetFlow MPLS Label Information Export PAL table (VPN/10.0.0.9). This associates the VPN application and the 10.0.0.9 prefix with the top label in the MPLS stack.

You can configure the NetFlow MPLS Label Information Export feature on P or PE routers. That is, you can configure the feature on any router that has inbound MPLS traffic.

The NetFlow Collector can collect the information exported from the NetFlow cache of a P router and the PAL table information from a PE router. The Collector can then correlate the information from both based on the label value. For example, the PAL packet indicates that a label has the following mappings over a period of time, as each label is allocated and reallocated on the PE router:

label 5, prefix 10.0.0.0,  type LDP, 12:00:00

label 4, prefix 10.10.0.0, type LDP, 13:00:00

label 5, prefix 10.9.0.0,  type BGP, 14:00:00

---

Note Because the mapping may change over time as labels expire and are reused, each PAL record contains a time stamp indicating the system uptime at which the label was allocated.

---

The NetFlow collector then receives a NetFlow packet from the adjacent P router indicating the following:

label 5, 123 packets, 9876 bytes, time 12:22:15.

The collector would match the time range known from the PAL packets, with the line card packet time stamp, resulting in the correct mapping for label 5 at time 12:22:15:

label 5, application LDP, prefix 10.0.0.0. 

The correlation of the MPLS PAL record data exported from the PE router with NetFlow statistics exported from the P router on the collector is independent of the time at which the routers send the data. You can set up the exporting of the information and allow the collector to do the correlation of the data.

To successfully implement the offline label mapping checks in the NetFlow collector, the collector needs to maintain a history of label mappings obtained from the MPLS PAL packets sent by the RP. If a label is deallocated and reallocated, the NetFlow collector should track both the old and the new MPLS PAL information for the label. Cisco IOS 12.2S releases uses the MPLS Forwarding Infrastructure (MFI), which allows easy tracking of the allocation and deallocation of labels. This functionality does not exist in Cisco IOS 12.0S releases.

For more information on the NetFlow MPLS Label Export feature, see the NetFlow MPLS Label Export feature module.

---

Note The NetFlow collector might not be able to accurately track how many packets flowed for a label that has been deallocated by one application and soon reallocated by another application.

---

How to Configure MPLS-Aware NetFlow

This section contains the following procedures for configuring MPLS-Aware NetFlow:

•Configuring MPLS-Aware NetFlow on a Router (required)

•Configuring Sampling for MPLS-Aware NetFlow (optional)

•Verifying the NetFlow Sampler Configuration (optional)

•Displaying MPLS-Aware NetFlow Information on a Router (optional)

Configuring MPLS-Aware NetFlow on a Router

Perform this task to configure MPLS-Aware NetFlow on a router. Then, the router can export MPLS-Aware NetFlow data to a an external NetFlow collector or display NetFlow cache data on a router terminal. This data can be used for detailed MPLS traffic studies and analysis that can provide information for a variety of purposes such as MPLS network management, network planning, and enterprise accounting.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type slot/port-adapter/port
or
interface type slot/port

4. ip address ip-address mask [secondary]

5. ip flow ingress

6. Repeat Steps 3, 4, and 5 for each interface where you want to configure NetFlow accounting.

7. exit

8. ip flow-export version 9 [origin-as | peer-as] [bgp-nexthop]

9. ip flow-cache mpls label-positions [label-position-1 [label-position-2 [label-position-3]]] [no-ip-fields] [mpls-length]

10. exit

11. ip flow-cache mpls label-positions [label-position-1 [label-position-2 [label-position-3]]] [no-ip-fields] [mpls-length]

12. exit

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	interface type slot/port-adapter/port or interface type slot/port Example: Router(config)# interface pos 0/2/0 or Example: Router(config)# interface pos 3/0	Specifies the interface and enters interface configuration mode. •The type argument is the type of interface to be configured. •The slot argument is the slot number. Refer to the appropriate hardware manual for slot and port information. •The /port-adapter argument is the port adapter number. Refer to the appropriate hardware manual for information about port adapter compatibility. •The /port argument is the port number. Refer to the appropriate hardware manual for slot and port information. Note Use the slot/port-adapter/port argument for the Cisco 7500 series router. Use the slot/port argument for the Cisco 7200 series router.
Step 4	ip address ip-address mask [secondary] Example: Router(config-if)# ip address 10.10.10.2 255.255.255.0	Sets a primary or secondary IP address for an interface. •The ip-address argument is the IP address of the interface. •The mask argument is the mask for the associated IP subnet. •The secondary keyword specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.
Step 5	ip flow ingress Example: Router(config-if)# ip flow ingress	Enables NetFlow for IP routing.
Step 6	Repeat Steps 3, 4, and 5 for each interface where you want to configure NetFlow accounting.	—
Step 7	exit Example: Router(config-if)# exit	Exits to global configuration mode.
Step 8	ip flow-export version 9 [origin-as | peer-as] [bgp-nexthop] Example: Router(config)# ip flow-export version 9 origin-as	Enables the export of information in NetFlow cache entries. •The version 9 keyword specifies that the export packet uses the Version 9 format. •The origin-as keyword specifies that export statistics include the origin autonomous system for the source and destination. •The peer-as keyword specifies that export statistics include the peer autonomous system for the source and destination. •The bgp-nexthop keyword specifies that export statistics include BGP next-hop related information. Caution Entering this command on a Cisco 12000 series Internet router causes packet forwarding to stop for a few seconds while NetFlow reloads the RP and line card Cisco Express Forwarding tables. To avoid interruption of service to a live network, apply this command during a change window, or include it in the startup-config file to be executed during a router reboot.
Step 9	ip flow-cache mpls label-positions [label-position-1 [label-position-2 [label-position-3]]] [no-ip-fields] [mpls-length] Example: Router(config)# ip flow-cache mpls label-positions 1 2 3	Enables MPLS-Aware NetFlow. •The label-position argument identifies the position of an MPLS label of interest in the incoming label stack. Label positions are counted from the top of the stack, starting with 1. •The no-ip-fields keyword controls the capture and reporting of MPLS flow fields. If the no-ip-fields keyword is specified, the following IP-related flow fields are not included: –Source IP address –Destination IP address –Transport layer protocol –Source application port number –Destination application port number –IP ToS –TCP flag (the result of a bitwise OR of TCP) If the no-ip-fields keyword is not specified, the IP-related fields are captured and reported. •The mpls-length keyword controls the reporting of packet length. If the mpls-length keyword is specified, the reported length represents the sum of the MPLS packet payload length and the MPLS label stack length. If the mpls-length keyword is not specified, only the length of the MPLS packet payload is reported.
Step 10	exit Example: Router(config)# exit	(Optional) Exits to privileged EXEC mode.

Configuring Sampling for MPLS-Aware NetFlow

Perform this task to configure sampling for MPLS-Aware NetFlow. This sets up the random selection of one out of a given number of each sequential packets for NetFlow processing. You can use sampling for traffic engineering, capacity planning, and applications where full NetFlow is not needed for an accurate view of network traffic.

For example, if you set the sampling rate to 1 out of 100 packets, then NetFlow might sample the 5th packet and then the 120th, 199th, 302nd, and so on. This sample configuration provides NetFlow data on 1 percent of total traffic.

SUMMARY STEPS

1. enable

2. configure terminal

3. flow-sampler-map sampler-map-name

4. mode random one-out-of packet-interval

5. exit

6. interface type slot/port-adapter/port
or
interface type slot/port

7. ip address ip-address mask [secondary]

8. flow-sampler sampler-map-name

9. end

10. show-sampler sampler-map-name

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	flow-sampler-map sampler-map-name Example: Router(config)# flow-sampler-map mysampler	Enters sampler map mode and defines a named object representing a NetFlow sampler. •The sampler-map-name argument is the name of the NetFlow sampler.
Step 4	mode random one-out-of packet-interval Example: Router(config-sampler-map)# mode random one-out-of 100	Specifies the sampling mode for the NetFlow sampler. •The random keyword specifies the random sampling mode. •The one-out-of packet-interval keyword and argument combination defines the interval selected for random sampling. The packet interval is from 1 to 65535.
Step 5	exit Example: Router(config-sampler-map)# exit	Exits to global configuration mode.
Step 6	interface type slot/port-adapter/port or interface type slot/port Example: Router(config)# interface ethernet 0/2/0 or Example: Router(config)# interface fastethernet 2/0	Specifies the interface and enters interface configuration mode. •The type argument is the type of interface to be configured. •The slot argument is the slot number. Refer to the appropriate hardware manual for slot and port information. •The /port-adapter argument is the port adapter number. Refer to the appropriate hardware manual for information about port adapter compatibility. •The /port argument is the port number. Refer to the appropriate hardware manual for slot and port information. Note Use the slot/port-adapter/port argument for the Cisco 7500 series router. Use the slot/port argument for the Cisco 7200 series router.
Step 7	ip address ip-address mask [secondary] Example: Router(config-if)# ip address 10.0.0.1 255.255.255.0	Sets a primary or secondary IP address for an interface. •The ip-address argument is the IP address of the interface. •The mask argument is the mask for the associated IP subnet. •The secondary keyword specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.
Step 8	flow-sampler sampler-map-name Example: Router(config-if)# flow-sampler mysampler	Enables sampled NetFlow accounting on the interface. •The sampler-map-name argument is the name of the NetFlow sampler.
Step 9	end Example: Router(config-if)# end	Exits to privileged EXEC mode.
Step 10	show-sampler sampler-map-name Example: Router# show sampler mysampler	Displays the configuration of NetFlow sampling, including the NetFlow sampling mode, sampling mode parameters, and number of packets sampled by the NetFlow sampler.

Verifying the NetFlow Sampler Configuration

Perform the following task to verify the NetFlow sampler configuration on your router.

SUMMARY STEPS

1. enable

2. show flow-sampler [sampler-map-name]

3. exit

DETAILED STEPS

---

Step 1 enable

Use this command to enable privileged EXEC mode. Enter your password if required. For example:

Router> enable

Router#

Step 2 show flow-sampler [sampler-map-name]

Use this command to verify the following information about a specific NetFlow sampler: sampling mode, sampling parameters (such as packet sampling interval), and number of packets selected by the sampler for NetFlow processing. For example:

Router# show flow-sampler mysampler

Sampler : mysampler, id : 1, packets matched : 10, mode : random sampling mode

  sampling interval is : 100

Use the following command to verify the configuration for all NetFlow samplers on the router:

Router# show flow-sampler

Sampler : mysampler, id : 1, packets matched : 10, mode : random sampling mode

  sampling interval is : 100

 Sampler : mysampler1, id : 2, packets matched : 5, mode : random sampling mode 

  sampling interval is : 200

Step 3 exit

Use this command to exit to user EXEC mode. For example:

Router# exit

Router> 

---

Displaying MPLS-Aware NetFlow Information on a Router

Perform this task to display a snapshot of the MPLS-Aware NetFlow cache on a router.

SUMMARY STEPS

1. enable

2. attach slot-number

or

if-con slot-number

3. show ip cache verbose flow

4. show ip cache flow

5. exit

or

if-quit

6. exit

DETAILED STEPS

---

Step 1 enable

Use this command to enable privileged EXEC mode. Enter your password if required. For example:

Router> enable

Router#

Step 2 attach slot-number

or

if-con slot-number

Use the attach command to access the Cisco IOS software on the line card of a Cisco 12000 series Internet router. For example:

Router# attach 3

LC-Slot3# 

Use the if-con command to access the Cisco IOS software on the line card of a Cisco 7500 series router. For example:

Router# if-con 3

LC-Slot3# 

Step 3 show ip cache verbose flow

Use this command to display IP and MPLS flow records in the NetFlow cache on a Cisco 12000 series Internet router or Cisco 7500 series router. For example:

LC-Slot3# show ip cache verbose flow

.

.

.

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts

Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active

PO3/0          10.1.1.1        PO5/1          10.2.1.1        01 00  10       9

0100 /0  0                     0200 /0  0     0.0.0.0               100     0.0

Pos:Lbl-Exp-S 1:12305-6-0 2:12312-6-1

In this example, the value of the top label is 12305, the experimental bits value is 6, and the end-of-stack bit is 0. The value of the next label from the top is 12312, the experimental bits value is 6, and the end-of-stack bit is 1. The 1 indicates that this is the last MPLS label in the stack.

Use this command to display IP and MPLS flow records in the NetFlow cache on a Cisco 7200 series router. For example:

Router# show ip cache verbose flow

.

.

.

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts

Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active

PO3/0          10.1.1.1        PO5/1          10.2.1.1        01 00  10       9

0100 /0  0                     0200 /0  0     0.0.0.0               100     0.0

Pos:Lbl-Exp-S 1:12305-6-0 2:12312-6-1

In this example, the value of the top label is 12305, the experimental bits value is 6, and the end-of-stack bit is 0. The value of the next label from the top is 12312, the experimental bits value is 6, and the end-of-stack bit is 1. The 1 indicates that this is the last MPLS label in the stack.

Step 4 show ip cache flow

Use this command to display a summary of the IP and MPLS flow records in the NetFlow cache on a Cisco 12000 series Internet router or Cisco 7500 series router. For example, the following output of the show ip cache flow command shows the IP portion of the MPLS flow record in the NetFlow cache:

LC-Slot3# show ip cache flow

.

.

.

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts

PO3/0         10.1.1.1        PO5/1         10.2.1.1        01 0100 0200     9

.

.

.

Use this command to display a summary of the IP and MPLS flow records in the NetFlow cache on a Cisco 7200 series router. For example:

Router# show ip cache flow

.

.

.

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts

PO3/0         10.1.1.1        PO5/1         10.2.1.1        01 0100 0200     9

.

.

.

Step 5 exit

or

if-quit

Use the exit command to exit from the line card to privileged EXEC mode of a Cisco 12000 series Internet router. For example:

LC-Slot3# exit

Router#

Use the if-quit command to exit from the line card to privileged EXEC mode of a Cisco 7500 series router. For example:

LC-Slot3# if-quit

Router#

Step 6 exit

Use this command to exit to user EXEC mode. For example:

Router# exit

Router> 

---

Configuration Examples for MPLS-Aware NetFlow

This section contains the following configuration examples for MPLS-Aware NetFlow:

•Configuring MPLS-Aware NetFlow on a Router: Examples

•Configuring Sampling for MPLS-Aware NetFlow: Examples

Configuring MPLS-Aware NetFlow on a Router: Examples

The following example shows MPLS-Aware NetFlow configured globally and NetFlow enabled on an interface:

configure terminal

!

interface pos 3/0

 ip address 10.10.10.2 255.255.255.0

 ip flow ingress

 exit 

!

ip flow-export version 9 origin-as

ip flow-sampling-mode packet-interval 101

ip flow-cache mpls label-positions 1 2 3

exit

The following examples show MPLS-Aware NetFlow configured globally and NetFlow enabled on an interface on a Cisco 7200 or 7500 series P router with Cisco IOS 12.0S releases:

configure terminal

!

interface pos 3/0

 ip address 10.10.10.2 255.255.255.0

 ip flow ingress

 exit 

!

ip flow-export version 9 origin-as

ip flow-sampling-mode packet-interval 101

ip flow-cache mpls label-positions 1 2 3

exit

The following examples show MPLS-Aware NetFlow configured globally and NetFlow enabled on an interface on a router with a Cisco IOS Release 12.2(14)S, 12.2(15)T, or 12.0(22)S or a later release:

configure terminal

!

interface pos 3/0

 ip address 10.10.10.2 255.255.255.0

 ip flow ingress

 exit 

!

ip flow-export version 9 origin-as

ip flow-sampling-mode packet-interval 101

ip flow-cache mpls label-positions 1 2 3

exit

To export MPLS-Aware NetFlow data from the router, you need to configure NetFlow Version 9. This example shows the configuration of NetFlow Version 9 options for MPLS-Aware NetFlow and IP NetFlow data export along with an explanation of what each command configures:

configure terminal  ip flow-export version 9 origin-as	Enters global configuration mode and requests Version 9 flow export, reports origin-as for IP packets.
ip flow-export template options sampling	Specifies the template option sampling configuration.
ip flow-export template options export-stats	Reports the number of export packets sent and the number of flows exported.
ip flow-export template options timeout 5	Exports template options every 5 minutes.
ip flow-export template timeout 5	Resends templates to the collector every 5 minutes.
ip flow-export destination 10.21.32.25 9996	Specifies export destination and UDP port.
ip flow-export source Loopback0	Specifies export source.
ip flow-sampling-mode packet-interval 101	Configures the sampling mode packet interval.
ip flow-cache mpls label-positions 1 2 3	Configured the MPLS-Aware NetFlow feature to report the top three labels.
interface pos 3/0  ip route-cache flow [sampled]  end	Enables full or sampled IP and MPLS-Aware NetFlow on interface POS 3/0 and returns to privileged EXEC mode. Note The combination of sampled IP and MPLS-Aware NetFlow is supported on the Cisco 12000 series Internet router only.

Configuring Sampling for MPLS-Aware NetFlow: Examples

The following examples show how to define a NetFlow sampler that randomly selects 1 out of 100 packets for NetFlow processing and how to apply this sampler to an interface on a Cisco 7500 or 7200 series router.

Defining the NetFlow Sampler

The following example shows how to define a NetFlow sampler called mysampler that randomly selects 1 out of 100 packets for NetFlow processing:

configure terminal

!

flow-sampler-map mysampler

 mode random one-out-of 100

 end

exit

NetFlow might sample the 5th packet and then the 120th, 199th, 302nd, and so on when you select the sampling rate to 1 out of 100 packets. A sampling rate of 1 out of 100 packets reduces the export of NetFlow data by about 50 percent.

Applying the NetFlow Sampler to an Interface

The following example shows how to apply the NetFlow sampler named mysampler to an interface:

configure terminal

!

interface FastEthernet 2/0

 flow-sampler mysampler 

 end

exit

Additional References

The following sections provide references related to the MPLS-Aware NetFlow feature.

Related Documents

Related Topic	Document Title
Tasks for configuring the NetFlow MPLS Label Information Export feature	NetFlow MPLS Label Information Export
Configuration tasks and information about IP NetFlow and NetFlow applications	Cisco IOS NetFlow Configuration Guide, Release 12.4
Description and configuration tasks for NetFlow v9 export format	NetFlow v9 Export Format
Configuration tasks and information about NetFlow data export formats including the NetFlow Version 9 export format	"Selecting and Configuring a NetFlow Data Export Format"
Random NetFlow sampling description and configuration tasks	Using NetFlow Filtering or Sampling to Select the Network Traffic to Track
List of the features documented in the Cisco IOS NetFlow Configuration Guide	"Cisco IOS NetFlow Features Roadmap"
Overview of the NetFlow application and advanced NetFlow features and services	"Cisco IOS NetFlow Overview"
Cisco Network Data Analyzer functions, features, and uses	Network Data Analyzer Installation and User Guide, Release 3.6
NetFlow concepts and features, guidelines for exporting NetFlow accounting statistics to a NetFlow FlowCollector (NFC) and to the Network Data Analyzer (NDA), high-level examples showing how to deploy these features in different network environments	NetFlow Services Solutions Guide

Standards

Standards 1	Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.	—

1 The IETF working group, IP Flow Information Export (ipfix), is developing a standard that this feature will support.

MIBs

MIBs	MIBs Link
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.	To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFCs	Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.	—

Technical Assistance

Description	Link
The Cisco Technical Support & Documentation website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.	http://www.cisco.com/techsupport

Command Reference

This section documents modified commands only.

•ip flow-cache mpls label-positions

•show ip cache verbose flow

ip flow-cache mpls label-positions

To enable Multiprotocol Label Switching (MPLS)-Aware NetFlow, use the ip flow-cache mpls label-positions command in global configuration mode. To disable MPLS-aware NetFlow, use the no form of this command.

ip flow-cache mpls label-positions [label-position-1 [label-position-2 [label-position-3]]] [no-ip-fields] [mpls-length]

no ip flow-cache mpls label-positions

Syntax Description

label-position	(Optional) Position of an MPLS label in the incoming label stack. Label positions are counted from the top of the stack, starting with 1.
no-ip-fields	(Optional) Controls the capture and reporting of MPLS flow fields. If the no-ip-fields keyword is not specified, the following IP-related flow fields are included: •Source IP address •Destination IP address •Transport layer protocol •Source application port number •Destination application port number •IP type of service (ToS) •TCP flag If the no-ip-fields keyword is specified, the IP-related fields are reported with a value of 0.
mpls-length	(Optional) Controls the reporting of packet length. If the mpls-length keyword is specified, the reported length represents the sum of the MPLS packet payload length and the MPLS label stack length. If the mpls-length keyword is not specified, only the length of the MPLS packet payload is reported.

Defaults

MPLS-Aware NetFlow is not enabled.

Command Modes

Global configuration

Command History

Release	Modification
12.0(24)S	This command was introduced.
12.0(25)S	The no-ip-fields and mpls-length keywords were added to the command.
12.3(8)T	This command was integrated into Cisco IOS Release 12.3(8)T.
12.2(28)SB	This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

You must have NetFlow accounting configured on your router before you can use this command.

Use this command to configure the MPLS-Aware NetFlow feature on a label switch router (LSR) and to specify labels of interest in the incoming label stack. Label positions are counted from the top of the stack, starting with 1. The position of the top label is 1, the position of the second label is 2, and so forth.

With MPLS-Aware NetFlow enabled on the router, NetFlow collects data for incoming IP packets and for incoming MPLS packets on all interfaces where NetFlow is enabled in full or in sampled mode.

---

Caution When you enter the ip flow-cache mpls label-positions command on a Cisco 12000 s eries Internet r outer, NetFlow will stop collecting data for incoming IP packets on any Engine 4P line cards installed in the router on which NetFlow is enabled in full or in sampled mode. Engine 4P line cards in a Cisco 12000 s eries Internet r outer do not support NetFlow data collection of incoming IP packets and MPLS packets concurrently.

---

---

Note MPLS-Aware NetFlow is enabled in global configuration mode. NetFlow is enabled per interface.

---

Examples

The following example shows how to configure MPLS-Aware NetFlow to capture the first (top), third, and fifth label:

Router(config)# ip flow-cache mpls label-positions 1 3 5

The following example shows how to configure MPLS-Aware NetFlow to capture only MPLS flow information (no IP-related flow fields) and the length that represents the sum of the MPLS packet payload length and the MPLS label stack length:

Router(config)# ip flow-cache mpls label-positions no-ip-fields mpls-length

Related Commands

Command	Description
ip flow ingress	Enables NetFlow (ingress) accounting for traffic arriving on an interface.
ip flow egress	Enables NetFlow egress accounting for traffic that the router is forwarding.
ip flow-egress input-interface	Removes the NetFlow egress accounting flow key that specifies an output interface and adds a flow key that specifies an input interface for NetFlow egress accounting.
ip flow-cache timeout	Specifies NetFlow accounting flow cache parameters.
ip flow-cache entries	Changes the number of entries maintained in the NetFlow accounting cache.
show ip cache flow	Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow	Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface	Displays NetFlow accounting configuration for interfaces.

show ip cache verbose flow

To display a detailed summary of the NetFlow accounting statistics, use the show ip cache verbose flow command in user EXEC or privileged EXEC mode.

show ip cache verbose flow

Syntax Description

This command has no arguments or keywords.

Command Modes

User EXEC
Privileged EXEC

Command History

Release	Modification
11.1	This command was introduced.
11.1CA	The information display for the command was updated.
12.3(1)	The command output was updated to display additional NetFlow fields.
12.0(24)S	Multiprotocol Label Switching (MPLS) flow records were added to the command output.
12.3(4)T	The execute-on command was implemented on the Cisco 7500 platforms to include the remote execution of the show ip cache verbose flow command.
12.3(6)	The command was integrated into Cisco IOS Release 12.3(6).
12.2(20)S	The command was integrated into Cisco IOS Release 12.2(20)S.
12.3(8)T	MPLS flow records were added to the command output.
12.3(11)T	Support for egress flow accounting was added, and the [prefix mask] and [type number] arguments were removed.
12.3(14)T	Support for NetFlow Layer 2 and Security Monitoring Exports was added.
12.2(27)SBC	This command was integrated into Cisco IOS Release 12.2(27)SBC.
12.2(18)SXF	This command was integrated into Cisco IOS Release 12.2(18)SXF.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

Use the show ip cache verbose flow command to display flow record fields in the NetFlow cache in addition to the fields that are displayed with the show ip cache flow command. The values in the additional fields that are shown depend on the NetFlow features that are enabled and the flags that are set in the flow.

---

Note The flags, and therefore the fields, might vary from flow to flow.

---

Some of the content in the display of the show ip cache verbose flow command uses multiline headings and multiline data fields. Figure 3 shows how to associate the headings with the correct data fields when there are two lines of headings and two lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields.

When other features such as IP multicast are configured, the number of lines in the headings and data fields increases. The method for associating the headings with the correct data fields remains the same.

Figure 3 How to Use the Multiline Headings and Multiline Data Fields in the Display Output from the show ip cache verbose flow Command

NetFlow Multicast Support

When the NetFlow Multicast Support feature is enabled, the show ip cache verbose flow command displays the number of replicated packets and the packet byte count for NetFlow multicast accounting. When you configure the NetFlow Version 9 Export Format feature, this command displays additional NetFlow fields in the header.

MPLS-Aware NetFlow

When you configure the MPLS-Aware NetFlow feature, you can use the show ip cache verbose flow command to display both the IP and MPLS portions of MPLS flows in the NetFlow cache on a router line card. To display only the IP portion of the flow record in the NetFlow cache when MPLS-Aware NetFlow is configured, use the show ip cache flow command.

NetFlow BGP Next Hop

The NetFlow bgp-nexthop command can be configured when either the Version 5 export format or the Version 9 export format is configured. The following caveats apply to the bgp-nexthop command:

•The values for the Border Gateway Protocol (BGP) next hop IP address are exported to a NetFlow collector only when the Version 9 export format is configured.

•In order for the BGP information to be populated in the main cache you must either have a NetFlow export destination configured or NetFlow aggregation configured.

Displaying Detailed NetFlow Cache Information on Platforms Running Distributed Cisco Express Forwarding

On platforms running distributed Cisco Express Forwarding, NetFlow cache information is maintained on each line card or Versatile Interface Processor. If you want to use the show ip cache verbose flow command to display this information on a distributed platform, you must enter the command at a line card prompt.

Cisco 7500 Series Platform

To display detailed NetFlow cache information on a Cisco 7500 series router that is running distributed Cisco Express Forwarding, enter the following sequence of commands:

Router# if-con slot-number

LC-slot-number# show ip cache verbose flow 

For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later releases, enter the following command to display detailed NetFlow cache information:

Router# execute-on slot-number show ip cache verbose flow 

Cisco 12000 Series Platform

To display detailed NetFlow cache information on a Cisco 12000 series Internet router, enter the following sequence of commands:

Router# attach slot-number

LC-slot-number# show ip cache verbose flow

For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later releases, enter the following command to display detailed NetFlow cache information:

Router# execute-on slot-number show ip cache verbose flow 

Examples

The following example shows output from the show ip cache verbose flow command:

Router# show ip cache verbose flow

IP packet size distribution (25229 total packets):

   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480

   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608

   .000 .000 .000 .206 .793 .000 .000 .000 .000 .000 .000

The preceding output shows the percentage distribution of packets by size. In this display, 20.6 percent of the packets fall in the 1024-byte size range and 79.3 percent fall in the 1536-byte range.

The next section of the output can be divided into three sections. The section and the table corresponding to each are as follows:

•Field Descriptions in the NetFlow Cache Section of the Output (Table 2)

•Field Descriptions in the Activity by Protocol Section of the Output (Table 3)

•Field Descriptions in the NetFlow Record Section of the Output (Table 4)

IP Flow Switching Cache, 278544 bytes

  6 active, 4090 inactive, 17 added

  505 ager polls, 0 flow alloc failures

  Active flows timeout in 1 minutes

  Inactive flows timeout in 10 seconds

IP Sub Flow Cache, 25736 bytes

  12 active, 1012 inactive, 39 added, 17 added to flow

  0 alloc failures, 0 force free

  1 chunk, 1 chunk added

  last clearing of statistics never

Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)

--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow

TCP-Telnet           1      0.0       362   940      2.7      60.2       0.0

TCP-FTP              1      0.0       362   840      2.7      60.2       0.0

TCP-FTPD             1      0.0       362   840      2.7      60.1       0.1

TCP-SMTP             1      0.0       361  1040      2.7      60.0       0.1

UDP-other            5      0.0         1    66      0.0       1.0      10.6

ICMP                 2      0.0      8829  1378    135.8      60.7       0.0

Total:              11      0.0      1737  1343    147.0      33.4       4.8

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts

Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active

Et0/0.1        10.251.138.218  Et1/0.1        172.16.10.2     06 80  00      65 

0015 /0  0                     0015 /0  0     0.0.0.0               840    10.8

MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)

Min plen:      840                            Max plen:       840

Min TTL:        59                            Max TTL:         59

IP id:           0

Et0/0.1        172.16.6.1      Et1/0.1        172.16.10.2     01 00  00    4880 

0000 /0  0                     0000 /0  0     0.0.0.0              1354    20.1

MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)

Min plen:      772                            Max plen:       1500

Min TTL:       255                            Max TTL:        255

ICMP type:       0                            ICMP code:        0

IP id:        2943                            FO:            185

Et0/0.1        10.10.13.1      Et1/0.1        172.16.10.2     06 80  00      65 

0017 /0  0                     0017 /0  0     0.0.0.0               940    10.8

MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)

Min plen:      940                            Max plen:       940

Min TTL:        59                            Max TTL:         59

IP id:           0

Et0/0.1        10.89.38.215    Et1/0.1        172.16.10.2     06 80  00      65 

0014 /0  0                     0014 /0  0     0.0.0.0               840    10.8

MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)

Min plen:      840                            Max plen:       840

Min TTL:        59                            Max TTL:         59

IP id:           0

Et0/0.1        10.10.14.1      Et1/0.1        172.16.10.2     06 80  00      66 

0019 /0  0                     0019 /0  0     0.0.0.0              1040    11.0

MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)

Min plen:      1040                            Max plen:       1040

Min TTL:        59                            Max TTL:         59

IP id:           0

Et0/0.1        172.16.6.1      Et1/0.1        172.16.10.2     01 00  10     975 

0000 /0  0                     0800 /0  0     0.0.0.0              1500    20.1

MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)

Min plen:      1500                            Max plen:       1500

Min TTL:       255                            Max TTL:        255

ICMP type:       8                            ICMP code:        0

IP id:        2944

Et0/0.1        10.106.1.1      Et1/0.1        172.16.10.2     01 00  00    1950 

0000 /0  0                     0000 /0  0     0.0.0.0              1354     8.6

MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)

Min plen:      772                            Max plen:       1500

Min TTL:         59                           Max TTL:          59

ICMP type:       0                            ICMP code:        0

IP id:       13499                            FO:            185

R3#

Table 2 describes the significant fields shown in the NetFlow cache section of the output.

Table 2 Field Descriptions in the NetFlow Cache Section of the Output 

Field	Description
bytes	Number of bytes of memory used by the NetFlow cache.
active	Number of active flows in the NetFlow cache at the time this command was entered.
inactive	Number of flow buffers that are allocated in the NetFlow cache but that were not assigned to a specific flow at the time this command was entered.
added	Number of flows created since the start of the summary period.
ager polls	Number of times the NetFlow code caused entries to expire (used by Cisco for diagnostics only).
flow alloc failures	Number of times the NetFlow code tried to allocate a flow but could not.
last clearing of statistics	The period of time that has passed since the clear ip flow stats privileged EXEC command was last executed. The standard time output format of hours, minutes, and seconds (hh:mm:ss) is used for a period of time less than 24 hours. This time output changes to hours and days after the time exceeds 24 hours.

Table 3 describes the significant fields shown in the activity by protocol section of the output.

Table 3 Field Descriptions in the Activity by Protocol Section of the Output 

Field	Description
Protocol	IP protocol and the well-known port number. (Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.) Note Only a small subset of all protocols is displayed.
Total Flows	Number of flows in the cache for this protocol since the last time the statistics were cleared.
Flows/Sec	Average number of flows for this protocol per second; equal to the total flows divided by the number of seconds for this summary period.
Packets/Flow	Average number of packets for the flows for this protocol; equal to the total packets for this protocol divided by the number of flows for this protocol for this summary period.
Bytes/Pkt	Average number of bytes for the packets for this protocol; equal to the total bytes for this protocol divided by the total number of packets for this protocol for this summary period.
Packets/Sec	Average number of packets for this protocol per second; equal to the total packets for this protocol divided by the total number of seconds for this summary period.
Active(Sec)/Flow	Number of seconds from the first packet to the last packet of an expired flow divided by the number of total flows for this protocol for this summary period.
Idle(Sec)/Flow	Number of seconds observed from the last packet in each nonexpired flow for this protocol until the time at which the show ip cache verbose flow command was entered divided by the total number of flows for this protocol for this summary period.

Table 4 describes the significant fields in the NetFlow record section of the output.

Table 4 Field Descriptions for the NetFlow Record Section of the Output 

Field	Description
SrcIf	Interface on which the packet was received.
Port Msk AS	Source port number (displayed in hexadecimal format), IP address mask, and autonomous system number. The value of this field is always set to 0 in MPLS flows.
SrcIPaddress	IP address of the device that transmitted the packet.
DstIf	Interface from which the packet was transmitted. Note If an asterisk (*) immediately follows the DstIf field, the flow being shown is an egress flow.
Port Msk AS	Destination port number (displayed in hexadecimal format), IP address mask, and autonomous system. This is always set to 0 in MPLS flows.
DstIPaddress	IP address of the destination device.
NextHop	The BGP next-hop address. This is always set to 0 in MPLS flows.
Pr	IP protocol "well-known" port number, displayed in hexadecimal format. (Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.)
ToS	Type of service, displayed in hexadecimal format.
B/Pk	Average number of bytes observed for the packets seen for this protocol.
Flgs	TCP flags, shown in hexadecimal format (result of bitwise OR of TCP flags from all packets in the flow).
Pkts	Number of packets in this flow.
Active	Time the flow has been active.
MAC	Source and destination MAC addresses from the Layer 2 frames in the flow.
VLAN id	Source and destination VLAN IDs from the Layer 2 frames in the flow.
Min plen	Minimum packet length for the packets in the flows. Note This value is updated when a datagram with a lower value is received.
Max plen	Maximum packet length for the packets in the flows. Note This value is updated when a datagram with a higher value is received.
Min TTL	Minimum time-to-live (TTL) for the packets in the flows. Note This value is updated when a datagram with a lower value is received.
Max TTL	Maximum TTL for the packets in the flows. Note This value is updated when a datagram with a higher value is received.
IP id	IP identifier field for the packets in the flow.
ICMP type	Internet Control Message Protocol (ICMP) type field from the ICMP datagram in the flow.
ICMP code	ICMP code field from the ICMP datagram in the flow.
FO	The value of the fragment offset field from the first fragmented datagram in the second flow. The value is: 185

The following example shows the NetFlow output of the show ip cache verbose flow command in which the sampler, class ID, and general flags are set. What is displayed for a flow depends on what flags are set in the flow. If the flow was captured by a sampler, the output shows the sampler ID. If the flow was marked by Modular QoS CLI (MQC), the display includes the class ID. If any general flags are set, the output includes the flags.

Router# show ip cache verbose flow

.

.

.

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts

Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active

BGP: BGP NextHop

Et1/0          10.8.8.8         Et0/0*         10.9.9.9         01 00  10       3 

0000 /8  302                   0800 /8  300   10.3.3.3               100     0.1

BGP: 2.2.2.2         Sampler: 1  Class: 1  FFlags: 01  

Table 5 describes the significant fields shown in the NetFlow output for a sampler, for an MQC policy class, and for general flags.

Table 5 show ip cache verbose flow Field Descriptions for a NetFlow Sampler, an MCQ Policy Class, and General Flags 

Field (with Sample Values)	Description
Sampler: 1	Displays the ID of the sampler that captured the flow. The sampler ID in this example is 1.
Class: 1	Displays the ID of the modular QoS CLI (MQC) traffic class. The class ID in this example is 1.
FFlags: 01	Displays the general flow flag (shown in hexadecimal format), which is the bitwise OR of one or more of the following: •01 indicates an output (or egress) flow. (If this bit is not set, the flow is an input [or ingress] flow.) •02 indicates a flow that was dropped (for example, by an access control list [ACL]). •04 indicates a MPLS flow. •08 indicates an IP Version 6 (IPv6) flow. The flow flag in this example is 01 (an egress flow).

The following example shows the NetFlow output for the show ip cache verbose flow command when NetFlow BGP next-hop accounting is enabled:

Router# show ip cache verbose flow 

.

.

.

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs   Pkts 

Port Msk AS                    Port Msk AS    NextHop              B/Pk   Active 

BGP:BGP_NextHop 

Et0/0/2        10.0.0.2        Et0/0/4        10.0.0.5        01 00  10      20 

0000 /8  0                     0800 /8  0     10.0.0.6              100     0.0 

BGP:26.0.0.6 

Et0/0/2        10.0.0.2        Et0/0/4        10.0.0.7        01 00  10      20 

0000 /8  0                     0800 /8  0     10.0.0.6              100     0.0 

BGP:26.0.0.6 

Et0/0/2        10.0.0.2        Et0/0/4        10.0.0.7        01 00  10      20 

0000 /8  0                     0000 /8  0     10.0.0.6              100     0.0 

BGP:26.0.0.6

Table 6 describes a significant field shown in the NetFlow BGP next-hop accounting lines of the output.

Table 6 show ip cache verbose flow Field Descriptions in NetFlow BGP Next-Hop Accounting Output

Field	Description
BGP:BGP_NextHop	Destination address for the BGP next hop

The following example shows the NetFlow output for the show ip cache verbose flow command when NetFlow multicast accounting is configured:

Router# show ip cache verbose flow 

.

.

.

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts 

Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active 

IPM:OPkts    OBytes 

IPM:    0       0 

Et1/1/1        10.0.0.1        Null           192.168.1.1       01 55  10     100 

0000 /8  0                     0000 /0  0     0.0.0.0                28     0.0 

IPM:  100    2800 

Et1/1/1        10.0.0.1        Se2/1/1.16     192.168.1.1       01 55  10     100 

0000 /8  0                     0000 /0  0     0.0.0.0                28     0.0 

IPM:    0       0 

Et1/1/2        10.0.0.1        Et1/1/4        192.168.2.2       01 55  10     100 

0000 /8  0                     0000 /0  0     0.0.0.0                28     0.1 

Et1/1/2        10.0.0.1        Null           192.168.2.2       01 55  10     100 

0000 /8  0                     0000 /0  0     0.0.0.0                28     0.1 

IPM:  100    2800 

Table 7 describes the significant fields shown in the NetFlow multicast accounting lines of the output.

Table 7 show ip cache verbose flow Field Descriptions in NetFlow Multicast Accounting Output

Field	Description
OPkts	Displays the number of IP multicast (IPM) output packets
OBytes	Displays the number of IPM output bytes
DstIPaddress	Displays the destination IP address for the IPM output packets

The following example shows the output for both the IP and MPLS sections of the flow record in the NetFlow cache when MPLS-Aware NetFlow is enabled:

Router# show ip cache verbose flow

.

.

. 

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts

Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active

PO3/0          10.1.1.1        PO5/1          10.2.1.1        01 00  10       9

0100 /0  0                     0200 /0  0     0.0.0.0               100     0.0

Pos:Lbl-Exp-S 1:12305-6-0 (LDP/10.10.10.10) 2:12312-6-1

Table 8 describes the significant fields for the IP and MPLS sections of the flow record in the output.

Table 8 show ip cache verbose flow Field Descriptions for the IP and MPLS Sections of the Flow Record in the Output 

Field	Description
Pos	Position of the MPLS label in the label stack, starting with 1 as the top label.
Lbl	Value given to the MPLS label by the router.
Exp	Value of the experimental bit.
S	Value of the end-of-stack bit. Set to 1 for the oldest entry in the stack and to 0 for all other entries.
LDP/10.10.10.10	Type of MPLS label and associated IP address for the top label in the MPLS label stack.

Related Commands

Command	Description
attach	Connects to a specific line card for the purpose of executing monitoring and maintenance commands on that line card only.
clear ip flow stats	Clears the NetFlow accounting statistics.
execute-on	Executes commands on a line card.
show ip cache flow	Displays a summary of the NetFlow accounting statistics.
show ip flow interface	Displays NetFlow accounting configuration for interfaces.
show ip interface	Displays the usability status of interfaces configured for IP.

Glossary

AToM—Any Transport over MPLS. A protocol that provides a common framework for encapsulating and transporting supported Layer 2 traffic types over a Multiprotocol Label Switching (MPLS) network core.

BGP—Border Gateway Protocol. An interdomain routing protocol that replaces Exterior Gateway Protocol (EGP). A BGP system exchanges reachability information with other BGP systems. It is defined by RFC 1163.

CE router—customer edge router. A router that is part of a customer network and that interfaces to a provider edge (PE) router. CE routers do not have routes to associated Virtual Private Networks (VPNs) in their routing tables.

core router—In a packet-switched star topology, a router that is part of the backbone and that serves as the single pipe through which all traffic from peripheral networks must pass on its way to other peripheral networks.

CSC network—Carrier Supporting Carrier network. A network topology in which one service provider allows another service provider to use a segment of its backbone network. The service provider that provides the segment of the backbone network to the other provider is called the backbone carrier. The service provider that uses the segment of the backbone network is called the customer carrier.

EGP—Exterior Gateway Protocol. Internet protocol for exchanging routing information between autonomous systems. It is documented in RFC 904. This term is not to be confused with the general term exterior gateway protocol. EGP is an obsolete protocol that was replaced by Border Gateway Protocol (BGP).

export packet—(NetFlow) A packet from a device (for example, a router) with NetFlow services enabled that is addressed to another device (for example, a NetFlow collector). This other device processes the packet (parses, aggregates, and stores information on IP flows).

FEC—Forwarding Equivalency Class. A set of packets that can be handled equivalently for the purpose of forwarding and thus is suitable for binding to a single label. The set of packets destined for an address prefix is one example of an FEC. A flow is another example.

flow—A unidirectional set of packets (IP or Multiprotocol Label Switching [MPLS]) that arrive at the router on the same subinterface and have the same source and destination IP addresses, the same Layer 4 protocol, the same TCP/UDP source and destination ports, and the same type of service (ToS) byte in the IP header.

IPv6—IP Version 6. Replacement for the current version of IP (Version 4). IPv6 includes support for flow ID in the packet header, which can be used to identify flows. Formerly called IPng (next generation).

label—A short, fixed-length identifier that tells switching nodes how the data (packets or cells) should be forwarded.

label imposition—The act of putting a label or labels on a packet.

LDP—Label Distribution Protocol. A standard protocol that operates between Multiprotocol Label Switching (MPLS)-enabled routers to negotiate the labels (addresses) used to forward packets. The Cisco proprietary version of this protocol is the Tag Distribution Protocol (TDP).

LFIB—Label Forwarding Information Base. A data structure and way of managing forwarding in which destinations and incoming labels are associated with outgoing interfaces and labels.

LSR—label switch router. A router that forwards packets in a Multiprotocol Label Switching (MPLS) network after looking only at the fixed-length label.

MPLS—Multiprotocol Label Switching. A switching method in which IP traffic is forwarded through use of a label. This label instructs the routers and the switches in the network where to forward the packets. The forwarding of MPLS packets is based on preestablished IP routing information.

MPLS flow—A unidirectional sequence of Multiprotocol Label Switching (MPLS) packets that arrive at a router on the same subinterface and have the same source and destination IP addresses, the same Layer 4 protocol, the same TCP/UDP source and destination ports, and the same type of service (ToS) byte in the IP header. A TCP session is an example of a flow.

NetFlow v9—NetFlow export format Version 9. A flexible and extensible means for carrying NetFlow records from a network node to a collector. NetFlow Version 9 has definable record types and is self-describing for easier NetFlow Collection Engine configuration.

packet header—(NetFlow) The first part of an export packet that provides basic information about the packet, such as the NetFlow version, number of records contained within the packet, and sequence numbering. The header information enables lost packets to be detected.

P router—provider backbone router. A router that is part of a service provider's backbone network and is connected to the provider edge (PE) routers.

PE router—provider edge router. A router that is part of a service provider's network connected to a customer edge (CE) router. All Virtual Private Network (VPN) processing occurs in the PE router.

TDP—Tag Distribution Protocol. The Cisco proprietary version of the protocol (label distribution protocol) between Multiprotocol Label Switching (MPLS)-enabled routers to negotiate the labels (addresses) used to forward packets.

TE—traffic engineering. Techniques and processes that cause routed traffic to travel through the network on a path other than the one that would have been chosen if standard routing methods were used.

TE tunnel—traffic engineering tunnel. A label-switched tunnel that is used for traffic engineering. Such a tunnel is set up through means other than normal Layer 3 routing; it is used to direct traffic over a path different from the one that Layer 3 routing could cause the tunnel to take.

VPN—Virtual Private Network. A secure IP-based network that shares resources on one or more physical networks. A VPN contains geographically dispersed sites that can communicate securely over a shared backbone.

---

Note Refer to the Cisco Dictionary of Internetworking Terms and Acronyms for terms not included in this glossary.

---

Feature Information for MPLS-Aware NetFlow

Table 9 lists the release history for this feature.

Not all commands may be available in your Cisco IOS software release. For details on when support for a specific command was introduced, see the command reference documentation.

Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required..

---

Note Table 9 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release. Unless noted otherwise, subsequent releases of that Cisco IOS software release also support that feature.

---

Table 9 Feature Information for MPLS-Aware NetFlow 

Feature Name	Releases	Feature Information
MPLS-Aware NetFlow	12.0(24)S, 12.0(25)S, 12.0(26)S, 12.0(26)S1, 12.3(8)T, 12.2(28)SB	Multiprotocol Label Switching (MPLS)-aware NetFlow is an extension of the NetFlow accounting feature that provides highly granular traffic statistics for Cisco routers. MPLS-Aware NetFlow collects statistics on a per-flow basis just as NetFlow does. MPLS-Aware NetFlow uses the NetFlow Version 9 export format. In 12.0(24)S, this feature was introduced on the Cisco 12000 series Internet router. In 12.0(25)S, no-ip-fields and mpls-length keywords were added to the ip flow-cache mpls label-positions command. In 12.0(26)S, support was added for the Cisco 7200 and 7500 platforms. In 12.0(26)S1, support was added for sampled MPLS-aware NetFlow on the Cisco 7200 and 7500 platforms. In 12.3(8)T, this feature was integrated into a Cisco IOS 12.3T release. In 12.2(28)SB, support for MPLS label forwarding and management using the MPLS Forwarding Infrastructure (MFI) was introduced. The following sections provide information about this feature: •MPLS Flows •MPLS Label Stack •MPLS-Aware NetFlow Capture and Display of MPLS Labels •Information Captured and Exported by MPLS-Aware NetFlow •Full and Sampled MPLS-Aware NetFlow Support •MPLS Traffic Analysis and Monitoring Using MPLS-Aware NetFlow and NetFlow MPLS Label Export •Configuring MPLS-Aware NetFlow on a Router •Configuring Sampling for MPLS-Aware NetFlow •Verifying the NetFlow Sampler ConfigurationDisplaying MPLS-Aware NetFlow Information on a Router

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2003-2006 Cisco Systems, Inc. All rights reserved.