Overview of Netflow

NetFlow is a Cisco IOS technology that provides statistics on packets flowing through the router. NetFlow is the standard for acquiring IP operational data from IP networks. NetFlow provides data to enable network and security monitoring, network planning, traffic analysis, and IP accounting.

The following features are supported for Netflow:

  • Netflow—IPv4 and IPv6 unicast flows

  • Netflow Export over IPv4 and IPv6 addresses

For information on understanding and configuring Netflow, see Flexible NetFlow Configuration Guide.

NetFlow Support on L2VPN and L3VPN

Table 1. Feature History

Feature Name: Ingress and Egress Flexible NetFlow

Release Information: Cisco IOS XE Bengaluru 17.6.1

Feature Description: Flexible NetFlow allows you to monitor the traffic from access circuit on an L2VPN and L3VPN network. In addition to monitoring traffic in routed and ethernet service interfaces, you can now monitor traffic in VRF enabled L2 VFI (virtual forwarding interfaces) and cross-connect services.

  • On an L2VPN network, the ingress and egress monitors are attached to an L2 VFI-enabled Ethernet Flow Point (EFP) in an access circuit.

  • On an L3VPN network, the ingress and egress monitors are attached to a VRF-enabled interface in an access circuit.


Note

NetFlow is supported on both ingress and egress direction in an access circuit network.

Prerequisites for Netflow Monitoring

  • Netflow Version 9 is the only default export format supported on the router.

  • Netflow support is made available through a separate FPGA Image. This is applicable for ASR-920-12CZ-A, ASR-920-12CZ-D, ASR-920-4SZ-A, ASR-920-4SZ-D, ASR-920-12SZ-IM, and ASR-920-24SZ-IM routers.

  • To configure netflow and issue netflow commands, select the SDM template for your router:

    • For Cisco ASR-920-12SZ-A, Cisco ASR-920-12SZ-D, Cisco ASR-920-12CZ-A, ASR-920-12CZ-D, ASR-920-4SZ-A, ASR-920-4SZ-D, and ASR-920-12SZ-IM routers—sdm prefer netflow-video.


      Note

      Sets the template to video, and also allows configuration of netflow monitoring options by upgrading the router with the netflow supported FPGA.


    • Cisco ASR-920-20SZ-M, Cisco ASR-920-24SZ-IM, ASR-920-24SZ-M, ASR-920-24TZ-M routers—sdm prefer video.


      Note

      The template is chosen as video, and allows configuration of the netflow monitoring options.


Restrictions for Netflow Monitoring for ASR 920 Series Routers

  • Netflow ingress and egress monitoring is not supported on the MPLS core interface.

  • Configuring the number of cache entries is not supported.

  • L2VPN Flow monitor configured under Xconnect does not monitor the flows and cache is not updated.

  • Configuring netflow monitor for both input and output direction under L2VPN Xconnect context (local connect) is not supported.

  • Starting with Cisco IOS XE Release 17.6.x, VRF monitoring (ip flow monitor) is supported at the physical interface level.

  • Netflow monitoring is supported over VRF-enabled interfaces on the router.

  • A flow exporter destination on a VRF is not supported.

  • Netflow monitoring supports only the 7 keys—Source IP, Destination IP, Layer 3 protocol type, TOS, source port, destination port and input logical interface to identify or classify flows for both IPv4 and IPv6 unicast traffic. All other keys are not supported.

  • The non-key fields supported are packets and bytes (collect counter packets and collect counter bytes).

  • Only routed ports (IP Ethernet, BDI) and EFP are supported.

  • EFP flow monitoring can be configured only after configuring bridge-domain on the EFP service instance.

  • Flow monitoring of multicast traffic is not supported.

  • A maximum of 16K flows can be learnt due to FPGA limitations. Although netflow supports 16K entries, the number of flows monitored is lower because of hash collisions.

  • Netflow monitoring can account for a maximum of 1Gbps traffic rate in the system (with a minimum frame size of 100 bytes). The accounting is accurate only when the overall traffic monitored is within 1Gbps. This is due to FPGA limitations.

  • At the interface level, the MVPN, MLDP, SPAN, and PBR features cannot be enabled on the same interface as a netflow configuration.

  • Permanent and aggregate flow caches are not supported due to FPGA limitations.

  • SADT/BFD feature cannot co-exist with netflow configurations for the following routers:

    • ASR-920-12CZ-A

    • ASR-920-12CZ-D

    • ASR-920-4SZ-A

    • ASR-920-4SZ-D

    • ASR-920-12SZ-IM

    • ASR-920-12SZ-A

    • ASR-920-12SZ-D

    • ASR-920-24SZ-IM

    • ASR-920-24SZ-M

    • ASR-920-24TZ-M

    • ASR-920-20SZ-M

  • If BFD and netflow are enabled on the same interface, only the BFD ingress packets are monitored. BFD egress packet monitoring does not occur. This is applicable on the Cisco ASR-920-24SZ-IM, ASR-920-24SZ-M, ASR-920-24TZ-M, and ASR-920-20SZ-M routers.

  • When ICMP (ping) and netflow are enabled on the same interface, only the ICMP ingress packets are monitored. ICMP egress packet monitoring does not occur.

  • At the global level, both netflow and PBR features use the same TCAM region for adding rules. The maximum size of the tunnel region is 2K. The scale of PBR feature may be reduced when netflow is enabled.

    SDM template must be set as video (similar to PBR) using the sdm prefer video command. This is applicable on the Cisco ASR-920-24SZ-IM, ASR-920-24SZ-M, ASR-920-24TZ-M, and ASR-920-20SZ-M routers.

    SDM template must be set as netflow-video using the sdm prefer netflow-video command for Cisco ASR-920-12CZ-A, ASR-920-12CZ-D, ASR-920-4SZ-A, ASR-920-4SZ-D, ASR-920-12SZ-IM, ASR-920-12SZ-A, ASR-920-12SZ-D, and ASR-920-24SZ-IM routers.

    When PBR and netflow are applied together on an interface, the order in which they are applied matters. If PBR is applied first, the netflow configuration does not work, and vice versa.

  • We recommend that you remove netflow-related commands before reverting to an sdm template or image that does not support netflow.

  • At the global level, SADT re-directs traffic towards FPGA. If SADT re-directs high volumes of traffic to FPGA, then netflow configuration may not work.

    If SADT and netflow are enabled on the same interface, only the SADT ingress packets are monitored. SADT egress packets are not monitored. This is applicable on the Cisco ASR-920-24SZ-IM, ASR-920-24SZ-M, ASR-920-24TZ-M, and ASR-920-20SZ-M routers.

  • When netflow and Ethernet loopback (ELB) are enabled on the same interface, the netflow monitoring behavior is inconsistent for data packets. Data packets are intermittently not monitored, and netflow and OSPF flaps are observed when ELB is enabled.


    Note

    We recommend you avoid enabling ELB and netflow together, since the results are unexpected and inconsistent.


  • Sampler is not supported due to FPGA limitations.

  • IP flow monitor should not be applied before assigning IP address.

    When netflow and ACL configurations are applied together on routed interfaces in ingress direction, the denied packets are accounted in the netflow counters. When the same ACL and netflow combination configurations are applied on an EFP, the denied packets are not accounted in the netflow counters.

  • To clear the flow status and cache, use the clear flow monitor statistics and clear flow exporter statistics commands. Other clear commands do not reset the entries.

  • Multiple flow monitors with the same traffic type and direction are not supported on an interface. Possible combinations supported on an interface at the same time are:

    • ip flow monitor input

    • ip flow monitor output

    • ipv6 flow monitor input

    • ipv6 flow monitor output

  • Maximum number of interfaces that support netflow monitoring at chassis level is 64.

  • Flow records are exported only when the flow expires due to active or inactive timer expiry. Due to FPGA limitations, the cache timeout granularity is 10 seconds.

  • Netflow version 9 format is used for flow information export. For exporting the netflow packets, only a single destination is supported under every flow exporter.

  • In the egress direction, even if only IPv4 traffic is enabled for netflow monitoring, both IPv4 and IPv6 traffic are forwarded to the FPGA (and vice versa).

  • Netflow MIBs are not supported.

  • Only one exporter is supported with a single flow monitor.
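
Several of the restrictions above can be checked mechanically before a configuration is pushed to a router. The following Python linter is an added example, not Cisco code: the names lint_fnf and parse_blocks, the sample configuration, and the choice to report a cache timeout that is not a multiple of the 10-second granularity are assumptions made for illustration.

```python
import re

# Keys and non-key fields the page lists as supported. "interface output" is
# accepted because the page's workflow note asks for both directions.
ALLOWED_MATCH = {
    "ipv4 source address", "ipv4 destination address", "ipv4 protocol",
    "ipv4 tos", "ipv6 source address", "ipv6 destination address",
    "ipv6 traffic-class", "ipv6 next-header", "transport source-port",
    "transport destination-port", "interface input", "interface output",
}
ALLOWED_COLLECT = {"counter packets", "counter bytes"}
GRANULARITY = 10  # cache timeout granularity in seconds, per the page
HEADER = re.compile(r"^(flow record|flow exporter|flow monitor|interface)\s+(\S.*)$")
ATTACH = re.compile(r"^(ip|ipv6) flow monitor \S+( sampler \S+)? (input|output)$")
TIMEOUT = re.compile(r"^cache timeout (active|inactive) (\d+)$")


def parse_blocks(text):
    """Split IOS config text into (kind, name, [sub-commands]) blocks."""
    blocks = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line or line == "!":
            continue
        if raw[0].isspace():                 # indented: belongs to last block
            if blocks:
                blocks[-1][2].append(line)
        else:                                # top level: kind None if unrelated
            m = HEADER.match(line)
            blocks.append((m.group(1), m.group(2), []) if m else (None, line, []))
    return blocks


def lint_fnf(text):
    """Return findings for the restrictions that the config text violates."""
    findings = []
    for kind, name, cmds in parse_blocks(text):
        where = f"{kind} {name}"
        if kind == "flow record":
            for cmd in cmds:
                verb, _, arg = cmd.partition(" ")
                if verb == "match" and arg not in ALLOWED_MATCH:
                    findings.append(f"{where}: unsupported key '{arg}'")
                elif verb == "collect" and arg not in ALLOWED_COLLECT:
                    findings.append(f"{where}: unsupported non-key field '{arg}'")
        elif kind == "flow exporter":
            dests = [c.split() for c in cmds if c.startswith("destination ")]
            if len(dests) > 1:
                findings.append(f"{where}: only a single destination is supported")
            if any("vrf" in d[2:] for d in dests):
                findings.append(f"{where}: destination on a VRF is not supported")
        elif kind == "flow monitor":
            if sum(c.startswith("exporter ") for c in cmds) > 1:
                findings.append(f"{where}: only one exporter is supported")
            for cmd in cmds:
                if cmd.startswith("cache entries "):
                    findings.append(f"{where}: cache entries cannot be configured")
                m = TIMEOUT.match(cmd)
                if m and int(m.group(2)) % GRANULARITY:
                    findings.append(f"{where}: {cmd} is not a multiple of {GRANULARITY}s")
        elif kind == "interface":
            scope, seen = where, set()
            for cmd in cmds:
                if cmd.startswith("service instance "):   # each EFP is its own attach point
                    scope, seen = f"{where} {cmd}", set()
                m = ATTACH.match(cmd)
                if not m:
                    continue
                if m.group(2):
                    findings.append(f"{scope}: sampler is not supported")
                slot = (m.group(1), m.group(3))
                if slot in seen:
                    findings.append(f"{scope}: multiple {slot[0]} flow monitors ({slot[1]})")
                seen.add(slot)
    return findings


# Constructed configuration that breaks several restrictions on purpose.
SAMPLE_CONFIG = """\
flow record BAD_RECORD
 match ipv4 ttl
 collect timestamp sys-uptime first
flow exporter BAD_EXPORTER
 destination 192.0.2.10 vrf MGMT
 destination 192.0.2.11
flow monitor BAD_MONITOR
 exporter BAD_EXPORTER
 cache entries 4096
 cache timeout inactive 15
interface GigabitEthernet0/0/4
 ip flow monitor BAD_MONITOR input
 ip flow monitor OTHER_MONITOR input
 ipv6 flow monitor V6_MONITOR sampler S1 output
"""

if __name__ == "__main__":
    print("\n".join(lint_fnf(SAMPLE_CONFIG)))
```

The linter covers only the restrictions that are visible in configuration text; limits such as the 16K flow table and the 1Gbps accounting rate still have to be watched at run time.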

Information About Flexible Netflow

Flexible NetFlow Overview

Flexible NetFlow facilitates the creation of more complex configurations for traffic analysis and data export through the use of reusable configuration components.

NetFlow IPv4 Supported Fields

Table 2. Key and Nonkey Fields for NetFlow

Field                        Key or Nonkey Field   Definition
IPv4 Protocol                Key                   Value in the IPv4 protocol field.
IPv4 ToS                     Key                   Value in the type of service (ToS) field.
IPv4 Source Address          Key                   IPv4 source address.
IPv4 Destination Address     Key                   IPv4 destination address.
Transport Source-port        Key                   Value of the transport layer source port field.
Transport Destination-port   Key                   Value of the transport layer destination port field.
Interface Input              Key                   Interface on which the traffic is received.
Counter Bytes                Nonkey                Number of bytes seen in the flow.
Counter Packets              Nonkey                Number of packets seen in the flow.

NetFlow IPv6 Supported Fields

Table 3. Key and Nonkey Fields for NetFlow

Field                        Key or Nonkey Field   Definition
IPv6 Traffic-class           Key                   Value in the traffic class field.
IPv6 Next-header             Key                   Value in the next header field.
IPv6 Source Address          Key                   IPv6 source address.
IPv6 Destination Address     Key                   IPv6 destination address.
Transport Source Port        Key                   Value of the transport layer source port field.
Transport Destination Port   Key                   Value of the transport layer destination port field.
Interface Input              Key                   Interface on which the traffic is received.
Counter Bytes                Nonkey                Number of bytes seen in the flow.
Counter Packets              Nonkey                Number of packets seen in the flow.

How to Configure Flexible Netflow

Workflow for Configuring Netflow Monitoring


Note

The match interface should have input and output directions specified. If it is missing in any direction, the value of the direction is considered NULL.


  1. Define the flow record for IPv4 or IPv6 flows.

    flow record TEST_IPV4_RECORD
     match ipv4 source address
     match ipv4 destination address
     match ipv4 protocol
     match interface input
     match interface output
     match transport source-port
     match transport destination-port
     match ipv4 tos
     collect counter packets
     collect counter bytes
    flow record TEST_IPV6_RECORD
     match ipv6 source address
     match ipv6 destination address
     match ipv6 traffic-class
     match ipv6 next-header
     match transport source-port
     match transport destination-port
     match interface input
     match interface output
     collect counter packets
     collect counter bytes
  2. Define the flow exporter to define the collector destination.

    flow exporter TEST_EXPORTER
     ! This can be an IPv4 or IPv6 reachable destination
     destination 10.10.10.100
     source Loopback1
     dscp 23
     ttl 7
     transport udp 9999
     ! Refreshes and resends the v9 template to the collector
     template data timeout 60
  3. Create the flow monitor to map the flow record and the flow exporter.

    flow monitor TEST_IPV4_MONITOR
     exporter TEST_EXPORTER
     cache timeout inactive 20
     cache timeout active 180
     record TEST_IPV4_RECORD
    
    flow monitor TEST_IPV6_MONITOR
     exporter TEST_EXPORTER
     ! Timers that control when flow records are exported to the collector
     cache timeout inactive 20
     cache timeout active 180
     record TEST_IPV6_RECORD
    
  4. Attach the flow monitor to an interface.

    interface GigabitEthernet 0/1/20/2
     ip address 16.16.16.1 255.255.255.0
     ! Attach the monitor defined above in the inbound and outbound directions
     ip flow monitor TEST_IPV4_MONITOR input
     ip flow monitor TEST_IPV4_MONITOR output
     negotiation auto
     ipv6 flow monitor TEST_IPV6_MONITOR input
     ipv6 flow monitor TEST_IPV6_MONITOR output
     ipv6 address 16:16:16::1/64
     
    end
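
On the collector side, the template data timeout line in step 2 matters because a NetFlow v9 data flowset can only be decoded once the template that describes it has arrived. The following Python decoder is an added example, not Cisco code: the field type numbers come from RFC 3954, while the class name, the exporter address, the interface index, and the field order and lengths in the sample packets are constructed assumptions rather than a capture from an ASR 920.

```python
import ipaddress
import struct

# NetFlow v9 field types from RFC 3954 that correspond to TEST_IPV4_RECORD.
FIELD_NAMES = {1: "bytes", 2: "packets", 4: "protocol", 5: "tos",
               7: "src_port", 8: "src_addr", 10: "input_if",
               11: "dst_port", 12: "dst_addr", 14: "output_if"}


class V9Decoder:
    """Minimal NetFlow v9 decoder; templates are kept per exporter and source ID."""

    def __init__(self):
        self.templates = {}  # (exporter, source_id, template_id) -> [(type, len)]
        self.undecoded = 0   # data flowsets that arrived before their template

    def decode(self, exporter, packet):
        if len(packet) < 20:
            raise ValueError("packet shorter than the v9 header")
        version, _, _, _, _, source_id = struct.unpack_from("!HHIIII", packet)
        if version != 9:
            raise ValueError(f"unexpected export version {version}")
        flows, offset = [], 20
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack_from("!HH", packet, offset)
            if length < 4 or offset + length > len(packet):
                raise ValueError("flowset length runs past the packet")
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:                      # template flowset
                self._learn(exporter, source_id, body)
            elif flowset_id >= 256:                  # data flowset
                flows += self._data(exporter, source_id, flowset_id, body)
            offset += length
        return flows

    def _learn(self, exporter, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, count = struct.unpack_from("!HH", body, pos)
            end = pos + 4 + 4 * count
            if template_id < 256 or count == 0 or end > len(body):
                break  # padding or a truncated template record
            fields = [struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                      for i in range(count)]
            self.templates[(exporter, source_id, template_id)] = fields
            pos = end

    def _data(self, exporter, source_id, template_id, body):
        fields = self.templates.get((exporter, source_id, template_id))
        if fields is None:
            self.undecoded += 1   # cannot be parsed until the template is resent
            return []
        size = sum(length for _, length in fields)
        flows, start = [], 0
        while size and start + size <= len(body):    # trailing padding is ignored
            flow, pos = {}, start
            for ftype, length in fields:
                raw = body[pos:pos + length]
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                is_v4_addr = ftype in (8, 12) and length == 4
                flow[name] = (str(ipaddress.IPv4Address(raw)) if is_v4_addr
                              else int.from_bytes(raw, "big"))
                pos += length
            flows.append(flow)
            start += size
        return flows


def build_sample_packets():
    """Constructed exporter output: a template packet and a data packet."""
    fields = [(8, 4), (12, 4), (4, 1), (5, 1), (7, 2), (11, 2),
              (10, 4), (14, 4), (2, 4), (1, 4)]
    template = struct.pack("!HH", 256, len(fields))
    template += b"".join(struct.pack("!HH", *f) for f in fields)
    record = ipaddress.IPv4Address("192.168.1.201").packed
    record += ipaddress.IPv4Address("192.168.1.100").packed
    record += struct.pack("!BBHHIIII", 6, 0, 4000, 5000, 9, 9, 3887, 1943500)
    data = record + b"\x00\x00"          # pad the flowset to a 4-byte boundary

    def packet(seq, flowset_id, body):
        header = struct.pack("!HHIIII", 9, 1, 1000, 1700000000, seq, 0)
        return header + struct.pack("!HH", flowset_id, 4 + len(body)) + body

    return packet(1, 0, template), packet(2, 256, data)


if __name__ == "__main__":
    template_pkt, data_pkt = build_sample_packets()
    decoder = V9Decoder()
    print(decoder.decode("10.10.10.1", data_pkt), decoder.undecoded)  # no template yet
    decoder.decode("10.10.10.1", template_pkt)
    print(decoder.decode("10.10.10.1", data_pkt))
```

A collector that restarts loses its templates, so with the exporter shown above it stays blind to that exporter's records until the next template refresh; keying templates by exporter and source ID also keeps one exporter's template from redefining another's records.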

Displaying the Current Status of a Flow Record

Perform this optional task to display the current status of a flow record.

Procedure


Step 1

enable

The enable command enters privileged EXEC mode (enter the password if prompted).

Example:


Device> enable
Device#
Step 2

show flow record

The show flow record command shows the current status of the flow record that you specify.

Example:


Device# show flow record

flow record FLOW-RECORD-2:
  Description:        Used for basic IPv6 traffic analysis
  No. of users:       1
  Total field space:  53 bytes
  Fields:
    match ipv6 destination address
    collect counter bytes
    collect counter packets
flow record FLOW-RECORD-1:
  Description:        Used for basic IPv4 traffic analysis
  No. of users:       1
  Total field space:  29 bytes
  Fields:
    match ipv4 destination address
    collect counter bytes
    collect counter packets

Verifying the Flow Record Configuration

Perform this optional task to verify the configuration commands that you entered.

Procedure


Step 1

enable

The enable command enters privileged EXEC mode (enter the password if prompted).

Example:


Device> enable
Device#
Step 2

show running-config flow record

The show running-config flow record command shows the configuration commands of the flow record that you specify.

Example:


Device# show running-config flow record

Current configuration:
!
flow record FLOW-RECORD-2
 description Used for basic IPv6 traffic analysis
 match ipv6 destination address
 collect counter bytes
 collect counter packets
!
flow record FLOW-RECORD-1
 description Used for basic IPv4 traffic analysis
 match ipv4 destination address
 collect counter bytes
 collect counter packets
 

!

Displaying the Current Status of a Flow Monitor

show flow monitor
Router# show flow monitor FLOW-MONITOR-1
Flow Monitor FLOW-MONITOR-1:
  Description:       User defined
  Flow Record:       TEST4
  Flow Exporter:     TEST4
  Cache:
    Type:                 normal (Platform cache)
    Status:               allocated
    Size:                 16384 entries
    Inactive Timeout:     15 secs
    Active Timeout:       1800 secs
    Trans end aging:   off

Configuration Examples for Flexible Netflow

Verifying Netflow Monitoring on IPv4 Routed Interfaces

Use these commands to verify netflow monitoring on IPv4 routed interfaces.

  • show run interfaces

    Router# show run interfaces gigabitEthernet 0/0/4
    
    Building configuration...
    
    Current configuration : 315 bytes
    !
    interface GigabitEthernet0/0/4
     ip address 192.168.1.1 255.255.255.0
     ip flow monitor TEST_IPV4_MONITOR input
     negotiation auto
     ipv6 address 2001:192:168:1::1 
     ipv6 ospf 1 area 0
    end
    
    
    Router# show flow interface GigabitEthernet 0/0/4
    Interface GigabitEthernet0/0/4
      FNF:  monitor:          TEST_IPV4_MONITOR
            direction:        Input
            traffic(ip):      on
    .
    .
    .
    !
    
  • show run flow monitor

    Router# show run flow monitor TEST_IPV4_MONITOR
    
    Current configuration:
    !
    flow monitor TEST_IPV4_MONITOR
     exporter TEST_EXPORTER
     cache timeout inactive 20
     cache timeout active 180
     record TEST_IPV4_RECORD
    !
    
    Router# show run flow exporter TEST_EXPORTER
    Current configuration:
    !
    flow exporter TEST_EXPORTER
     destination 10.10.10.100
     source Loopback1
     dscp 23
     ttl 7
     transport udp 9999
     template data timeout 60
    !              
    
    
  • show run flow record

    Router# show run flow record TEST_IPV4_RECORD
    Current configuration:
    !
    flow record TEST_IPV4_RECORD
     match ipv4 source address
     match ipv4 destination address
     match ipv4 protocol
     match interface input
     match interface output 
     match transport source-port
     match transport destination-port
     match ipv4 tos
     collect counter packets
     collect counter bytes
    
    
  • show flow monitor cache

    Router# show flow monitor TEST_IPV4_MONITOR cache
    
    Cache type:                               Normal (Platform cache)
      Cache size:                                16384
      Current entries:                               2
    
      Flows added:                                   0
      Flows aged:                                    0
    
    IPV4 SOURCE ADDRESS:       10.10.10.100
    IPV4 DESTINATION ADDRESS:  192.168.1.3
    TRNS SOURCE PORT:          0
    TRNS DESTINATION PORT:     0
    INTERFACE INPUT:           Gi0/0/4
    INTERFACE OUTPUT:           Gi0/0/4
    IP TOS:                    0x00
    IP PROTOCOL:               6
    counter bytes:             1440072700
    counter packets:           1309157
    
    IPV4 SOURCE ADDRESS:       10.10.10.101
    IPV4 DESTINATION ADDRESS:  192.162.1.100
    TRNS SOURCE PORT:          0
    TRNS DESTINATION PORT:     0
    INTERFACE INPUT:           Gi0/0/4
    IP TOS:                    0x00
    IP PROTOCOL:               6
    counter bytes:             1440072700
    counter packets:           1309157
    .
    .
    .
    !
    
    Router# show flow monitor TEST_IPV4_MONITOR cache format csv
      Cache type:                               Normal (Platform cache)
      Cache size:                                16384
      Current entries:                               2
    
      Flows added:                                   0
      Flows aged:                                    0
    
    IPV4 SRC ADDR,IPV4 DST ADDR,TRNS SRC PORT,TRNS DST PORT,INTF INPUT,IP TOS,IP PROT,bytes,pkts
    10.10.10.100,192.168.1.3,0,0,Gi0/0/4,0x00,6,1478774000,1344340
    10.10.10.101,192.162.1.100,0,0,Gi0/0/4,0x00,6,1478774000,1344340
    .
    .
    .
    !
    
    

Verifying Netflow Monitoring on IPv6 Routed Interfaces

Use these commands to verify netflow monitoring on IPv6 routed interfaces.

  • show run interfaces

    Router# show run interfaces gigabitEthernet 0/0/4
    
    Current configuration : 315 bytes
    !
    interface GigabitEthernet0/0/4
     ip address 192.168.1.3 255.255.255.0
     negotiation auto
     ipv6 flow monitor TEST_IPV6_MONITOR input
     ipv6 address 2001:192:168:1::1
     ipv6 ospf 1 area 0
    end
    
    Router# show flow interface GigabitEthernet 0/0/4
    Interface GigabitEthernet0/0/4
      FNF:  monitor:          TEST_IPV6_MONITOR
            direction:        Input
            traffic(ipv6):    on
    
    .
    .
    .
    
  • show run flow monitor

    Router# show run flow monitor TEST_IPV6_MONITOR
    
    Current configuration:
    !
    flow monitor TEST_IPV6_MONITOR
     exporter TEST_EXPORTER
     cache timeout inactive 20
     cache timeout active 180
     record TEST_IPV6_RECORD
    !
    
    Router# show run flow exporter TEST_EXPORTER
    Current configuration:
    !
    flow exporter TEST_EXPORTER
     destination 10.10.10.100
     source Loopback1
     dscp 23
     ttl 7
     transport udp 9999
     template data timeout 60
    !
    
  • show run flow record

    Router# show run flow record TEST_IPV6_RECORD
    Current configuration:
    !
    flow record TEST_IPV6_RECORD
     match ipv6 source address
     match ipv6 destination address
     match ipv6 traffic-class
     match ipv6 next-header
     match transport source-port
     match transport destination-port
     match interface input
     match interface output
     collect counter packets
     collect counter bytes
    !
    
    
  • show flow monitor cache

    Router# show flow monitor TEST_IPV6_MONITOR cache
    
    Cache type:                               Normal (Platform cache)
      Cache size:                                16384
      Current entries:                               2
    
      Flows added:                                   0
      Flows aged:                                    0
    
    IPV6 NEXT HEADER:          59
    IPV6 SOURCE ADDRESS:       2001:192:168:1::1
    IPV6 DESTINATION ADDRESS:  2001:DB8::1
    TRNS SOURCE PORT:          0
    TRNS DESTINATION PORT:     0
    INTERFACE INPUT:           Gi0/0/4
    INTERFACE OUTPUT:          Gi0/0/4
    IP TOS:                    0x03
    counter bytes:             233697724
    counter packets:           191242
    
    IPV6 NEXT HEADER:          59
    IPV6 SOURCE ADDRESS:       2001:192:168:1::2
    IPV6 DESTINATION ADDRESS:  2001:DB8::2
    TRNS SOURCE PORT:          0
    TRNS DESTINATION PORT:     0
    INTERFACE INPUT:           Gi0/0/4
    IP TOS:                    0x03
    counter bytes:             233697724
    counter packets:           191242
    .
    .
    .
    !
    
    
    Router# show flow monitor TEST_IPV6_MONITOR cache format csv
      Cache type:                               Normal (Platform cache)
      Cache size:                                16384
      Current entries:                               2
    
      Flows added:                                   0
      Flows aged:                                    0
    
    IPV6 NEXT HEADER,IPV6 SRC ADDR,IPV6 DST ADDR,TRNS SRC PORT,TRNS DST PORT,INTF INPUT,IP TOS,bytes,pkts
    59,2001:192:168:1::1,2001:DB8::1,0,0,Gi0/0/4,0x03,574518412,470146
    59,2001:192:168:1::2,2001:DB8::2,0,0,Gi0/0/4,0x03,574518412,470146
    .
    .
    .
    !
    
    
    

Verifying Netflow Monitoring for IPv4 traffic on EFP interfaces

Use these commands to verify netflow monitoring for IPv4 traffic on EFP interfaces.

  • show run interfaces

    Router# show run interfaces gigabitEthernet 0/0/2
    
    Building configuration...
    
    Current configuration : 8880 bytes
    !
    interface GigabitEthernet0/0/2
     no ip address
     negotiation auto
     service instance 151 ethernet
      encapsulation dot1q 151
      rewrite ingress tag pop 1 symmetric
      bridge-domain 151
      ip flow monitor fnf_151_v4_in input
    .
    .
    .
    
  • show run flow monitor

    Router# show run flow monitor fnf_151_v4_in
    Current configuration:
    !
    flow monitor fnf_151_v4_in
     exporter TEST6
     record TEST6
    !
    
    Router# show run flow exporter TEST6
    Current configuration:
    !
    flow exporter TEST6
     destination 10.10.10.100
     source Loopback1
     dscp 23
     ttl 7
     transport udp 9999
     template data timeout 60
    !
    
    
  • show run flow record

    Router# show run flow record TEST6
    Current configuration:
    !
    flow record TEST6
     match ipv4 source address
     match ipv4 destination address
     match ipv4 protocol
     match interface input
     match interface output
     match transport source-port
     match transport destination-port
     match ipv4 tos
     collect counter packets
     collect counter bytes
    !
    
  • show flow service instance id

    Router# show flow service instance id 151 interface GigabitEthernet 0/0/2
    
      FNF:  monitor:          fnf_151_v4_in
            direction:        Input
            traffic(ip):      on
    
    Router# show flow monitor fnf_151_v4_in cache
      Cache type:                               Normal (Platform cache)
      Cache size:                                16384
      Current entries:                             100
    
      Flows added:                                7900
      Flows aged:                                 7800
        - Immediate aged                          7800
    
    IPV4 SOURCE ADDRESS:       192.168.1.201
    IPV4 DESTINATION ADDRESS:  192.168.1.100
    TRNS SOURCE PORT:          4000
    TRNS DESTINATION PORT:     5000
    INTERFACE INPUT:           Gi0/0/2
    INTERFACE OUTPUT:          Gi0/0/2
    IP TOS:                    0x00
    IP PROTOCOL:               6
    counter bytes:             1943500
    counter packets:           3887
    
    IPV4 SOURCE ADDRESS:       192.168.1.203
    IPV4 DESTINATION ADDRESS:  192.168.1.100
    TRNS SOURCE PORT:          4000
    TRNS DESTINATION PORT:     5000
    INTERFACE INPUT:           Gi0/0/2
    IP TOS:                    0x00
    IP PROTOCOL:               6
    counter bytes:             1944500
    counter packets:           3889
    
    IPV4 SOURCE ADDRESS:       192.168.1.200
    IPV4 DESTINATION ADDRESS:  192.168.1.100
    TRNS SOURCE PORT:          4000
    TRNS DESTINATION PORT:     5000
    INTERFACE INPUT:           Gi0/0/2
    IP TOS:                    0x00
    IP PROTOCOL:               6
    counter bytes:             1944500
    counter packets:           3889
    .
    .
    .
    !
    Router# show flow monitor fnf_151_v4_in cache format csv
    
      Cache type:                               Normal (Platform cache)
      Cache size:                                16384
      Current entries:                             100
    
      Flows added:                                7900
      Flows aged:                                 7800
        - Immediate aged                          7800
    
    IPV4 SRC ADDR,IPV4 DST ADDR,TRNS SRC PORT,TRNS DST PORT,INTF INPUT,IP TOS,IP PROT,bytes,pkts
    192.168.1.201,192.168.1.100,4000,5000,Gi0/0/2,0x00,6,243000,486
    192.168.1.203,192.168.1.100,4000,5000,Gi0/0/2,0x00,6,243500,487
    192.168.1.200,192.168.1.100,4000,5000,Gi0/0/2,0x00,6,244000,488
    .
    .
    .
    !
    

Verifying Netflow Monitoring for IPv6 traffic on EFP interfaces

Use these commands to verify netflow monitoring for IPv6 traffic on EFP interfaces.

  • show run interfaces

    Router# show run interfaces TenGigabitEthernet 0/5/0
    
    Building configuration...
    
    Current configuration : 9710 bytes
    !
    interface TenGigabitEthernet0/5/0
     no ip address
     service instance 181 ethernet
      encapsulation dot1q 181
      rewrite ingress tag pop 1 symmetric
      bridge-domain 181
      ipv6 flow monitor fnf_181_v6_out output
    .
    .
    .
    !
    
    Router# show flow service instance id 181 interface tenGigabitEthernet 0/5/0
      FNF:  monitor:          fnf_181_v6_out
            direction:        Output
            traffic(ipv6):    on
  • show run flow monitor

    Router# show run flow monitor fnf_181_v6_out
    Current configuration:
    !
    flow monitor fnf_181_v6_out
     exporter IPV6_TEST6
     record IPV6_TEST6
    !
    
    Router# show run flow record IPV6_TEST6
    Current configuration:
    !
    flow record IPV6_TEST6
     match ipv6 source address
     match ipv6 destination address
     match ipv6 traffic-class
     match ipv6 next-header
     match transport source-port
     match transport destination-port
     match interface input
     match interface output
     collect counter packets
     collect counter bytes
    !
    
    Router# show run flow exporter IPV6_TEST6
    Current configuration:
    !
    flow exporter IPV6_TEST6
     destination 10.10.10.100
     template data timeout 60
    !
    
    Router# show flow monitor fnf_181_v6_out
    Flow Monitor fnf_181_v6_out:
      Description:       User defined
      Flow Record:       IPV6_TEST6
      Flow Exporter:     IPV6_TEST6
      Cache:
        Type:                 normal (Platform cache)
        Status:               allocated
        Size:                 16384 entries
        Inactive Timeout:     15 secs
        Active Timeout:       1800 secs
        Trans end aging:   off
  • show run flow record

    Router# show run flow record IPV6_TEST6
    flow record IPV6_TEST6:
      Description:        User defined
      No. of users:       63
      Total field space:  50 bytes
      Fields:
        match ipv6 traffic-class
        match ipv6 next-header
        match ipv6 source address
        match ipv6 destination address
        match transport source-port
        match transport destination-port
        match interface input 
        match interface output
        collect counter bytes
        collect counter packets
    !
    Router# show flow exporter IPV6_TEST6
    Flow Exporter IPV6_TEST6:
      Description:              User defined
      Export protocol:          NetFlow Version 9
      Transport Configuration:
        Destination IP address: 2001:DB8::1
        Source IP address:      2001:192:168:1::1
        Transport Protocol:     UDP
        Destination Port:       9995
        Source Port:            62241
        DSCP:                   0x0
        TTL:                    255
        Output Features:        Used
  • show flow service instance id

    Router# show flow service instance id 181 interface tenGigabitEthernet 0/5/0
    
      FNF:  monitor:          fnf_181_v6_out
            direction:        Output
            traffic(ipv6):    on
    
    Router# show flow monitor fnf_181_v6_out cache
      Cache type:                               Normal (Platform cache)
      Cache size:                                16384
      Current entries:                             100
    
      Flows added:                                8000
      Flows aged:                                 7900
        - Immediate aged                          7900
    
    IPV6 NEXT HEADER:          59
    IPV6 SOURCE ADDRESS:       2001:192:168:1::1
    IPV6 DESTINATION ADDRESS:  2001:DB8::1
    TRNS SOURCE PORT:          0
    TRNS DESTINATION PORT:     0
    INTERFACE INPUT:           Te0/5/0
    INTERFACE OUTPUT:            Te0/5/0
    IP TOS:                    0x03
    counter bytes:             16086455
    counter packets:           48895
    
    IPV6 NEXT HEADER:          59
    IPV6 SOURCE ADDRESS:       2001:192:168:1::2
    IPV6 DESTINATION ADDRESS:  2001:DB8::2
    TRNS SOURCE PORT:          0
    TRNS DESTINATION PORT:     0
    INTERFACE INPUT:           Te0/5/0
    IP TOS:                    0x03
    counter bytes:             16088429
    counter packets:           48901
    
    IPV6 NEXT HEADER:          59
    IPV6 SOURCE ADDRESS:       2001:192:168:1::3
    IPV6 DESTINATION ADDRESS:  2001:DB8::3
    TRNS SOURCE PORT:          0
    TRNS DESTINATION PORT:     0
    INTERFACE INPUT:           Te0/5/0
    .
    .
    .
    !
    
    
    Router# show flow monitor fnf_181_v6_out cache format csv
    
      Cache type:                               Normal (Platform cache)
      Cache size:                                16384
      Current entries:                             100
    
      Flows added:                                8000
      Flows aged:                                 7900
        - Immediate aged                          7900
    
    IPV6 NEXT HEADER,IPV6 SRC ADDR,IPV6 DST ADDR,TRNS SRC PORT,TRNS DST PORT,INTF INPUT,IP TOS,bytes,pkts
    59,2001:192:168:1::1,2001:DB8::1,0,0,Te0/5/0,0x03,16086455,48895
    59,2001:192:168:1::2,2001:DB8::2,0,0,Te0/5/0,0x03,16088429,48901
    59,2001:192:168:1::3,2001:DB8::3,0,0,Te0/5/0,0x03,16089087,48903
    59,2001:192:168:1::4,2001:DB8::4,0,0,Te0/5/0,0x03,16089087,48903
    59,2001:192:168:1::5,2001:DB8::5,0,0,Te0/5/0,0x03,16090074,48906
    59,2001:192:168:1::6,2001:DB8::6,0,0,Te0/5/0,0x03,16091061,48909
    .
    .
    .
    !
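
The csv form of the cache output shown in the verification sections above is easy to post-process when no collector is at hand. The following Python parser is an added example, not Cisco code: it handles the IPv4 and IPv6 csv layouts as they are printed on this page, and the function names and the choice to rank sources by byte count are assumptions; the sample text is copied from the IPv4 EFP output above.

```python
import csv
import io
import re

SUMMARY = re.compile(r"^(Cache size|Current entries|Flows added|Flows aged):\s+(\d+)$")


def parse_cache_csv(output):
    """Parse the text of one 'show flow monitor <name> cache format csv' command.

    Returns (summary, flows): the cache counters and one dict per csv row.
    """
    summary, table = {}, []
    for line in (raw.strip() for raw in output.splitlines()):
        m = SUMMARY.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
        elif line.endswith(",bytes,pkts") or (table and "," in line):
            table.append(line)   # header first, then rows; ".", "!" are skipped
    flows = list(csv.DictReader(io.StringIO("\n".join(table))))
    for flow in flows:
        flow["bytes"], flow["pkts"] = int(flow["bytes"]), int(flow["pkts"])
    return summary, flows


def top_sources(flows, n=3):
    """Sum bytes per source address (IPv4 or IPv6 header) and rank them."""
    totals = {}
    for flow in flows:
        src = flow.get("IPV4 SRC ADDR") or flow.get("IPV6 SRC ADDR")
        totals[src] = totals.get(src, 0) + flow["bytes"]
    return sorted(totals.items(), key=lambda item: (-item[1], item[0]))[:n]


def cache_utilisation(summary):
    """Fraction of the platform cache in use.

    The page limits the cache to 16K entries and notes that hash collisions
    lower the number of flows actually learnt, so a value close to 1.0 means
    some traffic is probably not being accounted.
    """
    return summary["Current entries"] / summary["Cache size"]


# Sample text taken from the IPv4 EFP verification output on this page.
SAMPLE_OUTPUT = """\
    Router# show flow monitor fnf_151_v4_in cache format csv

      Cache type:                               Normal (Platform cache)
      Cache size:                                16384
      Current entries:                             100

      Flows added:                                7900
      Flows aged:                                 7800
        - Immediate aged                          7800

    IPV4 SRC ADDR,IPV4 DST ADDR,TRNS SRC PORT,TRNS DST PORT,INTF INPUT,IP TOS,IP PROT,bytes,pkts
    192.168.1.201,192.168.1.100,4000,5000,Gi0/0/2,0x00,6,243000,486
    192.168.1.203,192.168.1.100,4000,5000,Gi0/0/2,0x00,6,243500,487
    192.168.1.200,192.168.1.100,4000,5000,Gi0/0/2,0x00,6,244000,488
    .
    .
    .
    !
"""

if __name__ == "__main__":
    summary, flows = parse_cache_csv(SAMPLE_OUTPUT)
    print(f"cache utilisation: {cache_utilisation(summary):.2%}")
    for source, total in top_sources(flows):
        print(source, total)
```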
    

Additional References

Related Documents

Related Topic                                                     Document Title
Cisco IOS commands                                                Cisco IOS Master Command List, All Releases
Flexible NetFlow conceptual information and configuration tasks   Flexible NetFlow Configuration Guide
Flexible NetFlow commands                                         Cisco IOS Flexible NetFlow Command Reference

Standards/RFCs

Standard: No new or modified standards/RFCs are supported by this feature.

MIBs

MIB: None

MIBs Link: To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Link: http://www.cisco.com/cisco/web/support/index.html