The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
To configure a flow cache parameter for a flow monitor, use the cache command in flow monitor configuration mode. To remove a flow cache parameter for a flow monitor, use the no form of this command.
cache { entries number | timeout { active | inactive | update } seconds | type { normal | permanent } }
no cache { entries | timeout { active | inactive | update } | type }
entries number |
Specifies the maximum number of entries in the flow monitor cache. The range is 16 to 1048576. The default is 16640 for each switch in the stack. |
timeout |
Specifies the flow timeout. |
active |
Specifies the active flow timeout. |
inactive |
Specifies the inactive flow timeout. |
update |
Specifies the update timeout for a permanent flow cache. |
seconds |
The timeout value in seconds. The range is 30 to 604800 (7 days) for a normal flow cache. For a permanent flow cache the range is 1 to 604800 (7 days). |
type |
Specifies the type of the flow cache. |
normal |
Configures a normal cache type. The entries in the flow cache will be aged out according to the timeout active seconds and timeout inactive seconds settings. This is the default cache type. |
permanent |
Configures a permanent cache type. This cache type disables flow removal from the flow cache. |
The default flow monitor flow cache parameters are used.
The following flow cache parameters for a flow monitor are enabled:
Flow monitor configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
Each flow monitor has a cache that it uses to store all the flows it monitors. Each cache has various configurable elements, such as the time that a flow is allowed to remain in it. When a flow times out, it is removed from the cache and sent to any exporters that are configured for the corresponding flow monitor.
If a cache is already active (that is, you have applied the flow monitor to at least one interface in the switch), your changes to the parameters will not take effect until you either reboot the switch or remove the flow monitor from every interface and then reapply it. Therefore, whenever possible you should customize the parameters for the cache before you apply the flow monitor to an interface. You can modify the timers, flow exporters, and statistics parameters for a cache while the cache is active.
The cache timeout active command controls the aging behavior of the normal type of cache. If a flow has been active for a long time, it is usually desirable to age it out (starting a new flow for any subsequent packets in the flow). This age out process allows the monitoring application that is receiving the exports to remain up to date. By default, this timeout is 1800 seconds (30 minutes), but it can be adjusted according to system requirements. A larger value ensures that long-lived flows are accounted for in a single flow record; a smaller value results in a shorter delay between starting a new long-lived flow and exporting some data for it. When you change the active flow timeout, the new timeout value takes effect immediately.
The cache timeout inactive command also controls the aging behavior of the normal type of cache. If a flow has not seen any activity for a specified amount of time, that flow will be aged out. By default, this timeout is 30 seconds, but this value can be adjusted depending on the type of traffic expected. If a large number of short-lived flows is consuming many cache entries, reducing the inactive timeout can reduce this overhead. If a large number of flows frequently get aged out before they have finished collecting their data, increasing this timeout can result in better flow correlation. When you change the inactive flow timeout, the new timeout value takes effect immediately.
The cache timeout update command controls the periodic updates sent by the permanent type of cache. This behavior is similar to the active timeout, except that it does not result in the removal of the cache entry from the cache. By default, this timer value is 1800 seconds (30 minutes).
The cache type normal command specifies the normal cache type. This is the default cache type. The entries in the cache will be aged out according to the timeout active seconds and timeout inactive seconds settings. When a cache entry is aged out, it is removed from the cache and exported via any exporters configured for the monitor associated with the cache.
To return a cache to its default settings, use the default cache flow monitor configuration command.
Note | When a cache becomes full, new flows will not be monitored. If this occurs, a Flows not added statistic will appear in the cache statistics. |
Note | A permanent cache uses update counters rather than delta counters. When a flow is exported, the counters represent the totals seen for the full lifetime of the flow and not the additional packets and bytes seen since the last export was sent. |
The following example shows how to configure the active timeout for the flow monitor cache:
Switch(config)# flow monitor FLOW-MONITOR-1 Switch(config-flow-monitor)# cache timeout active 4800
The following example shows how to configure the inactive timer for the flow monitor cache:
Switch(config)# flow monitor FLOW-MONITOR-1 Switch(config-flow-monitor)# cache timeout inactive 30
The following example shows how to configure the permanent cache update timeout:
Switch(config)# flow monitor FLOW-MONITOR-1 Switch(config-flow-monitor)# cache timeout update 5000
The following example shows how to configure a normal cache:
Switch(config)# flow monitor FLOW-MONITOR-1 Switch(config-flow-monitor)# cache type normal
Command | Description |
Creates a flow monitor, or modifies an existing flow monitor, and enters flow monitor configuration mode. |
To clear the statistics for a NetFlow Lite flow exporter, use the clear flow exporter command in privileged EXEC mode.
clear flow exporter [ [ name ] exporter-name ] statistics
name |
(Optional) Specifies the name of a flow exporter. |
exporter-name |
(Optional) Name of a flow exporter that was previously configured. |
statistics |
Clears the flow exporter statistics. |
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The clear flow exporter command removes all statistics from the flow exporter. These statistics will not be exported and the data gathered in the cache will be lost.
You can view the flow exporter statistics by using the show flow exporter statistics privileged EXEC command.
The following example clears the statistics for all of the flow exporters configured on the switch:
Switch# clear flow exporter statistics
The following example clears the statistics for the flow exporter named FLOW-EXPORTER-1:
Switch# clear flow exporter FLOW-EXPORTER-1 statistics
Command | Description |
Enables debugging output for NetFlow Lite flow exporters. |
To clear a flow monitor cache or flow monitor statistics and to force the export of the data in the flow monitor cache, use the clear flow monitor command in privileged EXEC mode.
clear flow monitor [ name ] monitor-name [ [ cache ] force-export | statistics ]
name |
Specifies the name of a flow monitor. |
monitor-name |
Name of a flow monitor that was previously configured. |
cache |
(Optional) Clears the flow monitor cache information. |
force-export |
(Optional) Forces the export of the flow monitor cache statistics. |
statistics |
(Optional) Clears the flow monitor statistics. |
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
Note | The statistics for the cleared cache entries are maintained. |
The clear flow monitor force-export command removes all entries from the flow monitor cache and exports them using all flow exporters assigned to the flow monitor. This action can result in a short-term increase in CPU usage. Use this command with caution.
The clear flow monitor statistics command clears the statistics for this flow monitor.
Note | The current entries statistic will not be cleared by the clear flow monitor statistics command because this is an indicator of how many entries are in the cache and the cache is not cleared with this command. |
You can view the flow monitor statistics by using the show flow monitor statistics privileged EXEC command.
The following example clears the statistics and cache entries for the flow monitor named FLOW-MONITOR-1:
Switch# clear flow monitor name FLOW-MONITOR-1
The following example clears the statistics and cache entries for the flow monitor named FLOW-MONITOR-1 and forces an export:
Switch# clear flow monitor name FLOW-MONITOR-1 force-export
The following example clears the cache for the flow monitor named FLOW-MONITOR-1 and forces an export:
Switch# clear flow monitor name FLOW-MONITOR-1 cache force-export
The following example clears the statistics for the flow monitor named FLOW-MONITOR-1:
Switch# clear flow monitor name FLOW-MONITOR-1 statistics
Command | Description |
Enables debugging output for NetFlow Lite flow monitors. |
To configure the number of bytes or packets in a flow as a non-key field for a flow record, use the collect counter command in flow record configuration mode. To disable the use of the number of bytes or packets in a flow (counters) as a non-key field for a flow record, use the no form of this command.
collect counter { bytes | packets } { long | permanent }
no collect counter { bytes | packets } { long | permanent }
bytes |
Configures the number of bytes seen in a flow as a non-key field and enables collecting the total number of bytes from the flow. |
packets |
Configures the number of packets seen in a flow as a non-key field and enables collecting the total number of packets from the flow. |
long |
Enables collecting the total number of bytes or packets from the flow using a 64-bit counter. After collection the counter resets to 0. |
permanent |
Enables collecting the total number of bytes or packets from the flow using a 64-bit counter. After collection the counter does not reset. |
The number of bytes or packets in a flow is not configured as a non-key field.
Flow record configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
Flow packets are exported after cache timeout interval. After they are exported, the count restarts from 0 if the long keyword is specified. If the permanent keyword is specified, the counter increments for each byte or packet seen in the flow.
To return this command to its default settings, use the no collect counter or default collect counter flow record configuration command.
The following example configures the total number of bytes in the flows as a non-key field:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)#collect counter bytes long
The following example configures the total number of packets from the flows as a non-key field:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# collect counter packets long
Command | Description |
Creates a NetFlow Lite flow record, or modifies an existing NetFlow Lite flow record, and enters NetFlow Lite flow record configuration mode. |
To configure the flow sampler ID as a non-key field and enable the collection of the ID of the sampler that is assigned to the flow monitor, use the collect flow sampler command in flow record configuration mode. To disable the use of the flow sampler ID as a non-key field for a flow record, use the no form of this command.
collect flow sampler
no collect flow sampler
This command has no arguments or keywords.
The flow sampler ID is not configured as a non-key field.
Flow record configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The NetFlow Lite collect commands are used to configure non-key fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in non-key fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a non-key field does not create a new flow. In most cases, the values for non-key fields are taken from only the first packet in the flow.
The collect flow sampler command is useful when more than one flow sampler is being used with different sampling rates. The option sampler-table flow exporter command exports options records with mappings of the flow sampler ID to sampling rate so the collector can calculate the scaled counters for each flow.
To return this command to its default settings, use the no collect flow sampler or default collect flow sampler flow record configuration command.
The following example configures the ID of the flow sampler that is assigned to the flow as a non-key field:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# collect flow sampler
Command | Description |
Creates a NetFlow Lite flow exporter, or modifies an existing NetFlow Lite flow exporter, and enters NetFlow Lite flow exporter configuration mode. | |
Creates a NetFlow Lite flow record, or modifies an existing NetFlow Lite flow record, and enters NetFlow Lite flow record configuration mode. |
To configure the input interface name as a non-key field for a flow record, use the collect interface command in flow record configuration mode. To disable the use of the input interface as a non-key field for a flow record, use the no form of this command.
collect interface input
no collect interface input
input |
Configures the input interface name as a non-key field and enables collecting the input interface from the flows. |
The input interface name is not configured as a non-key field.
Flow record configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The NetFlow Lite collect commands are used to configure non-key fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in non-key fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a non-key field does not create a new flow. In most cases, the values for non-key fields are taken from only the first packet in the flow.
To return this command to its default settings, use the no collect interface or default collect interface flow record configuration command.
The following example configures the input interface as a non-key field:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# collect interface input
Command | Description |
Creates a NetFlow Lite flow record, or modifies an existing NetFlow Lite flow record, and enters NetFlow Lite flow record configuration mode. |
To configure the system uptime of the first seen or last seen packet in a flow as a nonkey field for a flow record, use the collect timestamp sys-uptime command in flow record configuration mode. To disable the use of the first seen or last seen packet in a flow as a nonkey field for a flow record, use the no form of this command.
collect timestamp sys-uptime { first | last }
no collect timestamp sys-uptime { first | last }
first |
Configures the system uptime for the time the first packet was seen from the flows as a nonkey field and enables collecting time stamps based on the system uptime for the time the first packet was seen from the flows. |
last |
Configures the system uptime for the time the last packet was seen from the flows as a nonkey field and enables collecting time stamps based on the system uptime for the time the most recent packet was seen from the flows. |
The system uptime field is not configured as a nonkey field.
Flow record configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The NetFlow Lite collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases, the values for nonkey fields are taken from only the first packet in the flow.
To return this command to its default settings, use the no collect timestamp sys-uptime or default collect timestamp sys-uptime flow record configuration command.
The following example configures time stamps based on the system uptime for the time the first packet was seen from the flows as a nonkey field:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# collect timestamp sys-uptime first
The following example configures the time stamps based on the system uptime for the time the most recent packet was seen from the flows as a nonkey field:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# collect timestamp sys-uptime last
Command | Description |
Creates a NetFlow Lite flow record, or modifies an existing NetFlow Lite flow record, and enters NetFlow Lite flow record configuration mode. |
To configure one or more TCP flags as a non-key field for a flow record and enable the collecting of values from the flow, use the collect transport tcp flags command in flow record configuration mode. To disable the use of one or more of the TCP fields as a non-key field for a flow record and disable collecting the values from the flow, use the no form of this command.
collect transport tcp flags [ ack | cwr | ece | fin | psh | rst | syn | urg ]
no collect transport tcp flags [ ack | cwr | ece | fin | psh | rst | syn | urg ]
ack |
(Optional) Configures the TCP acknowledgment flag as a non-key field. |
cwr |
(Optional) Configures the TCP congestion window reduced flag as a non-key field. |
ece |
(Optional) Configures the TCP Explicit Congestion Notification echo (ECE) flag as a non-key field. |
fin |
(Optional) Configures the TCP finish flag as a non-key field. |
psh |
(Optional) Configures the TCP push flag as a non-key field. |
rst |
(Optional) Configures the TCP reset flag as a non-key field. |
syn | (Optional) Configures the TCP synchronize flag as a non-key field. |
urg | (Optional) Configures the TCP urgent flag as a non-key field. |
The transport layer fields are not configured as a non-key field.
Flow record configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The values of the transport layer fields are taken from all packets in the flow. You cannot specify which TCP flag to collect. You can only specify to collect transport TCP flags. All TCP flags will be collected with this command. The following transport TCP flags are collected:
To return this command to its default settings, use the no collect collect transport tcp flags or default collect collect transport tcp flags flow record configuration command.
The following example configures the TCP acknowledgment flag as a non-key field:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# collect transport tcp flags ack
The following example configures the TCP finish flag as a non-key field:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# collect transport tcp flags fin
The following example configures the TCP reset flag as a non-key field:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# collect transport tcp flags rst
Command | Description |
Creates a NetFlow Lite flow record, or modifies an existing NetFlow Lite flow record, and enters NetFlow Lite flow record configuration mode. |
To apply a NetFlow Lite flow monitor to an interface, use the datalink flow monitor command in interface configuration mode. To disable a NetFlow Lite flow monitor, use the no form of this command.
datalink flow monitor monitor-name sampler sampler-name input
no datalink flow monitor monitor-name sampler sampler-name input
monitor-name |
Name of the flow monitor to apply to the interface. |
sampler sampler-name |
Enables the specified flow sampler for the flow monitor. |
input | Monitors traffic that the switch receives on the interface. |
A flow monitor is not enabled.
Interface configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
Before you apply a flow monitor to an interface with the datalink flow monitor command, you must have already created the flow monitor using the flow monitor global configuration command and the flow sampler using the sampler global configuration command.
To enable a flow sampler for the flow monitor, you must have already created the sampler.
Note | The datalink flow monitor command only monitors non-IPv4 and non-IPv6 traffic. To monitor IPv4 traffic, use the ip flow monitor command. To monitor IPv6 traffic, use the ipv6 flow monitor command. |
This example shows how to enable NetFlow Lite datalink monitoring on an interface:
Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# datalink flow monitor FLOW-MONITOR-1 sampler FLOW-SAMPLER-1 input
Command | Description |
Creates a flow monitor, or modifies an existing flow monitor, and enters flow monitor configuration mode. |
To enable debugging output for NetFlow Lite flow exporters, use the debug flow exporter command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug flow exporter [ [ name ] exporter-name ] [ error | event | packets number ]
no debug flow exporter [ [ name ] exporter-name ] [ error | event | packets number ]
name |
(Optional) Specifies the name of a flow exporter. |
exporter-name |
(Optional) The name of a flow exporter that was previously configured. |
error |
(Optional) Enables debugging for flow exporter errors. |
event |
(Optional) Enables debugging for flow exporter events. |
packets |
(Optional) Enables packet-level debugging for flow exporters. |
number |
(Optional) The number of packets to debug for packet-level debugging of flow exporters. The range is 1 to 65535. |
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The following example indicates that a flow exporter packet has been queued for process send:
Switch# debug flow exporter
May 21 21:29:12.603: FLOW EXP: Packet queued for process send
Command | Description |
Clears the statistics for a NetFlow Lite flow exporter. |
To enable debugging output for NetFlow Lite flow monitors, use the debug flow monitor command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug flow monitor [ error | [ name ] monitor-name [ cache [ error ] | error | packets packets ] ]
no debug flow monitor [ error | [ name ] monitor-name [ cache [ error ] | error | packets packets ] ]
error |
(Optional) Enables debugging for flow monitor errors for all flow monitors or for the specified flow monitor. |
name |
(Optional) Specifies the name of a flow monitor. |
monitor-name |
(Optional) Name of a flow monitor that was previously configured. |
cache |
(Optional) Enables debugging for the flow monitor cache. |
cache error |
(Optional) Enables debugging for flow monitor cache errors. |
packets |
(Optional) Enables packet-level debugging for flow monitors. |
packets |
(Optional) Number of packets to debug for packet-level debugging of flow monitors. The range is 1 to 65535. |
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The following example shows that the cache for FLOW-MONITOR-1 was deleted:
Switch# debug flow monitor FLOW-MONITOR-1 cache
May 21 21:53:02.839: FLOW MON: 'FLOW-MONITOR-1' deleted cache
Command | Description |
Clears a flow monitor cache or flow monitor statistics and forces the export of the data in the flow monitor cache. |
To enable debugging output for NetFlow Lite samplers, use the debug sampler command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug sampler [ detailed | error | [ name ] sampler-name [ detailed | error | sampling samples ] ]
no debug sampler [ detailed | error | [ name ] sampler-name [ detailed | error | sampling ] ]
detailed |
(Optional) Enables detailed debugging for sampler elements. |
error |
(Optional) Enables debugging for sampler errors. |
name |
(Optional) Specifies the name of a sampler. |
sampler-name |
(Optional) Name of a sampler that was previously configured. |
sampling samples |
(Optional) Enables debugging for sampling and specifies the number of samples to debug. |
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The following sample output shows that the debug process has obtained the ID for the sampler named SAMPLER-1:
Switch# debug sampler detailed
*May 28 04:14:30.883: Sampler: Sampler(SAMPLER-1: flow monitor FLOW-MONITOR-1 (ip,Et1/0,O) get ID succeeded:1
*May 28 04:14:30.971: Sampler: Sampler(SAMPLER-1: flow monitor FLOW-MONITOR-1 (ip,Et0/0,I) get ID succeeded:1
To configure a description for a flow monitor, flow exporter, or flow record, use the description command in the appropriate configuration mode. To remove a description, use the no form of this command.
description description
no description description
description |
Text string that describes the flow monitor, flow exporter, or flow record. |
The default description for a flow sampler, flow monitor, flow exporter, or flow record is "User defined."
The following command modes are supported:
Flow exporter configuration
Flow monitor configuration
Flow record configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
To return this command to its default setting, use the no description or default description command in the appropriate configuration mode.
The following example configures a description for a flow monitor:
Switch(config)# flow monitor FLOW-MONITOR-1 Switch(config-flow-monitor)# description Monitors traffic to 172.16.0.1 255.255.0.0
Command | Description |
Creates a NetFlow Lite flow exporter, or modifies an existing NetFlow Lite flow exporter, and enters NetFlow Lite flow exporter configuration mode. | |
Creates a flow monitor, or modifies an existing flow monitor, and enters flow monitor configuration mode. | |
Creates a NetFlow Lite flow record, or modifies an existing NetFlow Lite flow record, and enters NetFlow Lite flow record configuration mode. |
To configure an export destination for a flow exporter, use the destination command in flow exporter configuration mode. To remove an export destination for a flow exporter, use the no form of this command.
destination { hostname | ip-address }
no destination { hostname | ip-address }
hostname |
Hostname of the device to which you want to send the NetFlow information. |
ip-address |
IPv4 address of the workstation to which you want to send the NetFlow information. |
An export destination is not configured.
Flow exporter configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
Each flow exporter can have only one destination address or hostname.
When you configure a hostname instead of the IP address for the device, the hostname is resolved immediately and the IPv4 address is stored in the running configuration. If the hostname-to-IP-address mapping that was used for the original Domain Name System (DNS) name resolution changes dynamically on the DNS server, the switch does not detect this, and the exported data continues to be sent to the original IP address, resulting in a loss of data.
To return this command to its default setting, use the no destination or default destination command in flow exporter configuration mode.
The following example shows how to configure the networking device to export the NetFlow Lite cache entry to a destination system:
Switch(config)# flow exporter FLOW-EXPORTER-1 Switch(config-flow-exporter)# destination 10.0.0.4
Command | Description |
Creates a NetFlow Lite flow exporter, or modifies an existing NetFlow Lite flow exporter, and enters NetFlow Lite flow exporter configuration mode. |
To configure a differentiated services code point (DSCP) value for flow exporter datagrams, use the dscp command in flow exporter configuration mode. To remove a DSCP value for flow exporter datagrams, use the no form of this command.
dscp dscp
no dscp dscp
dscp |
DSCP to be used in the DSCP field in exported datagrams. The range is 0 to 63. The default is 0. |
The differentiated services code point (DSCP) value is 0.
Flow exporter configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
To return this command to its default setting, use the no dscp or default dscp flow exporter configuration command.
The following example sets 22 as the value of the DSCP field in exported datagrams:
Switch(config)# flow exporter FLOW-EXPORTER-1 Switch(config-flow-exporter)# dscp 22
Command | Description |
Creates a NetFlow Lite flow exporter, or modifies an existing NetFlow Lite flow exporter, and enters NetFlow Lite flow exporter configuration mode. |
To configure NetFlow Version 9 export as the export protocol for a NetFlow Lite exporter, use the export-protocol netflow-v9 command in flow exporter configuration mode.
export-protocol netflow-v9
This command has no arguments or keywords.
NetFlow Version 9 is enabled.
Flow exporter configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The switch does not support NetFlow v5 export format, only NetFlow v9 export format is supported.
The following example configures NetFlow Version 9 export as the export protocol for a NetFlow exporter:
Switch(config)# flow exporter FLOW-EXPORTER-1 Switch(config-flow-exporter)# export-protocol netflow-v9
Command | Description |
Creates a NetFlow Lite flow exporter, or modifies an existing NetFlow Lite flow exporter, and enters NetFlow Lite flow exporter configuration mode. |
To add a flow exporter for a flow monitor, use the exporter command in the appropriate configuration mode. To remove a flow exporter for a flow monitor, use the no form of this command.
exporter exporter-name
no exporter exporter-name
exporter-name |
Name of a flow exporter that was previously configured. |
An exporter is not configured.
Flow monitor configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
You must have already created a flow exporter by using the flow exporter command before you can apply the flow exporter to a flow monitor with the exporter command.
To return this command to its default settings, use the no exporter or default exporter flow monitor configuration command.
The following example configures an exporter for a flow monitor:
Switch(config)# flow monitor FLOW-MONITOR-1 Switch(config-flow-monitor)# exporter EXPORTER-1
Command | Description |
Creates a NetFlow Lite flow exporter, or modifies an existing NetFlow Lite flow exporter, and enters NetFlow Lite flow exporter configuration mode. | |
Creates a flow monitor, or modifies an existing flow monitor, and enters flow monitor configuration mode. |
To create a NetFlow Lite flow exporter, or to modify an existing NetFlow Lite flow exporter, and enter NetFlow Lite flow exporter configuration mode, use the flow exporter command in global configuration mode. To remove a NetFlow Lite flow exporter, use the no form of this command.
flow exporter exporter-name
no flow exporter exporter-name
exporter-name |
Name of the flow exporter that is being created or modified. |
NetFlow Lite flow exporters are not present in the configuration.
Global configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
Flow exporters export the data in the flow monitor cache to a remote system, such as a server running NetFlow collector, for analysis and storage. Flow exporters are created as separate entities in the configuration. Flow exporters are assigned to flow monitors to provide data export capability for the flow monitors. You can create several flow exporters and assign them to one or more flow monitors to provide several export destinations. You can create one flow exporter and apply it to several flow monitors.
The following example creates a flow exporter named FLOW-EXPORTER-1 and enters NetFlow Lite flow exporter configuration mode:
Switch(config)# flow exporter FLOW-EXPORTER-1 Switch(config-flow-exporter)#
Command | Description |
Clears the statistics for a NetFlow Lite flow exporter. | |
Enables debugging output for NetFlow Lite flow exporters. | |
Displays flow exporter status and statistics. |
To create a flow monitor, or to modify an existing flow monitor, and enter flow monitor configuration mode, use the flow monitor command in global configuration mode. To remove a flow monitor, use the no form of this command.
flow monitor monitor-name
no flow monitor monitor-name
monitor-name |
Name of the flow monitor that is being created or modified. |
NetFlow Lite flow monitors are not present in the configuration.
Global configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
Flow monitors are the NetFlow Lite component that is applied to interfaces to perform network traffic monitoring. Flow monitors consist of a flow record and a cache. You add the record to the flow monitor after you create the flow monitor. The flow monitor cache is automatically created at the time the flow monitor is applied to the first interface. Flow data is collected from the network traffic during the monitoring process based on the key and nonkey fields in the flow monitor's record and stored in the flow monitor cache.
The following example creates a flow monitor named FLOW-MONITOR-1 and enters flow monitor configuration mode:
Switch(config)# flow monitor FLOW-MONITOR-1 Switch(config-flow-monitor)#
Command | Description |
Clears a flow monitor cache or flow monitor statistics and forces the export of the data in the flow monitor cache. | |
Enables debugging output for NetFlow Lite flow monitors. | |
Displays the status and statistics for a NetFlow Lite flow monitor. |
To create a NetFlow Lite flow record, or to modify an existing NetFlow Lite flow record, and enter NetFlow Lite flow record configuration mode, use the flow record command in global configuration mode. To remove a NetFlow Lite record, use the no form of this command.
flow record record-name
no flow record record-name
record-name |
Name of the flow record that is being created or modified. |
Global configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
A flow record defines the keys that NetFlow Lite uses to identify packets in the flow, as well as other fields of interest that NetFlow Lite gathers for the flow. You can define a flow record with any combination of keys and fields of interest. The switch supports a rich set of keys. A flow record also defines the types of counters gathered per flow. You can configure 64-bit packet or byte counters.
The following example creates a flow record named FLOW-RECORD-1, and enters NetFlow Lite flow record configuration mode:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)#
Command | Description |
Displays the status and statistics for a NetFlow Lite flow record. |
To enable a NetFlow Lite flow monitor for IPv4 traffic that the switch is receiving, use the ip flow monitor command in interface configuration mode. To disable a flow monitor, use the no form of this command.
ip flow monitor monitor-name sampler sampler-name input
no ip flow monitor monitor-name sampler sampler-name input
monitor-name |
Name of the flow monitor to apply to the interface. |
sampler sampler-name | Enables the specified flow sampler for the flow monitor. |
input | Monitors IPv4 traffic that the switch receives on the interface. |
A flow monitor is not enabled.
Interface configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
Before you can apply a flow monitor to an interface with the ip flow monitor command, you must have already created the flow monitor using the flow monitor global configuration command.
When you add a sampler to a flow monitor, only packets that are selected by the named sampler will be entered into the cache to form flows. Each use of a sampler causes separate statistics to be stored for that usage.
Note | The statistics for each flow must be scaled to give the expected true usage. For example, with a 1 in 100 sampler it is expected that the packet and byte counters will have to be multiplied by 100. |
The following example enables a flow monitor for monitoring input traffic, with a sampler to limit the input packets that are sampled:
Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input
Command | Description |
Creates a flow monitor, or modifies an existing flow monitor, and enters flow monitor configuration mode. | |
Creates a NetFlow Lite flow sampler, or modifies an existing NetFlow Lite flow sampler. |
To enable a flow monitor for IPv6 traffic that the switch is receiving, use the ipv6 flow monitor command in interface configuration mode. To disable a flow monitor, use the no form of this command.
ipv6 flow monitor monitor-name sampler sampler-name input
no ipv6 flow monitor monitor-name sampler sampler-name input
monitor-name |
Name of the flow monitor to apply to the interface. |
sampler sampler-name | Enables the specified flow sampler for the flow monitor. |
input | Monitors IPv6 traffic that the switch receives on the interface. |
A flow monitor is not enabled.
Interface configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
Before you can apply a flow monitor to the interface with the ipv6 flow monitor command, you must have already created the flow monitor using the flow monitor global configuration command.
When you add a sampler to a flow monitor, only packets that are selected by the named sampler will be entered into the cache to form flows. Each use of a sampler causes separate statistics to be stored for that usage.
You cannot add a sampler to a flow monitor after the flow monitor has been enabled on the interface. You must first remove the flow monitor from the interface and then enable the same flow monitor with a sampler.
Note | The statistics for each flow must be scaled to give the expected true usage. For example, with a 1 in 100 sampler it is expected that the packet and byte counters will have to be multiplied by 100. |
The following example enables a flow monitor for monitoring input traffic, with a sampler to limit the input packets that are sampled:
Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input
Command | Description |
Creates a flow monitor, or modifies an existing flow monitor, and enters flow monitor configuration mode. | |
Creates a NetFlow Lite flow sampler, or modifies an existing NetFlow Lite flow sampler. |
To configure the EtherType of the packet as a key field for a flow record, use the match datalink ethertype command in flow record configuration mode. To disable the EtherType of the packet as a key field for a flow record, use the no form of this command.
match datalink ethertype
no match datalink ethertype
This command has no arguments or keywords.
The EtherType of the packet is not configured as a key field.
Flow record configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
A flow record requires at least one key field before it can be used in a flow monitor. The key fields distinguish flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
When you configure the EtherType of the packet as a key field for a flow record using the match datalink ethertype command, the traffic flow that is created is based on the type of flow monitor that is assigned to the interface:
To return this command to its default settings, use the no match datalink ethertype or default match datalink ethertype flow record configuration command.
The following example configures the EtherType of the packet as a key field for a NetFlow Lite flow record:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# match datalink ethertype
Command | Description |
Creates a NetFlow Lite flow record, or modifies an existing NetFlow Lite flow record, and enters NetFlow Lite flow record configuration mode. |
To configure the use of MAC addresses as a key field for a flow record, use the match datalink mac command in flow record configuration mode. To disable the use of MAC addresses as a key field for a flow record, use the no form of this command.
match datalink mac { destination address input | source address input }
no match datalink mac { destination address input | source address input }
destination address | Configures the use of the destination MAC address as a key field. |
input |
Specifies the MAC address of input packets. |
source address |
Configures the use of the source MAC address as a key field. |
MAC addresses are not configured as a key field.
Flow record configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
A flow record requires at least one key field before it can be used in a flow monitor. The key fields distinguish flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
The input keyword is used to specify the observation point that is used by the match datalink mac command to create flows based on the unique MAC addresses in the network traffic.
Note | When a datalink flow monitor is assigned to an interface or VLAN record, it creates flows only for non-IPv6 or non-IPv4 traffic. |
To return this command to its default settings, use the no match datalink mac or default match datalink mac flow record configuration command.
The following example configures the use of the destination MAC address of packets that are received by the switch as a key field for a flow record:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# match datalink mac destination address input
Command | Description |
Creates a NetFlow Lite flow record, or modifies an existing NetFlow Lite flow record, and enters NetFlow Lite flow record configuration mode. |
To configure one or more of the IPv4 fields as a key field for a flow record, use the match ipv4 command in flow record configuration mode. To disable the use of one or more of the IPv4 fields as a key field for a flow record, use the no form of this command.
match ipv4 { destination address | protocol | source address | tos | version }
no match ipv4 { destination address | protocol | source address | tos | version }
destination address |
Configures the IPv4 destination address as a key field. For more information see match ipv4 destination address. |
protocol |
Configures the IPv4 protocol as a key field. |
source address | Configures the IPv4 destination address as a key field. For more information see match ipv4 source address. |
tos | Configures the IPv4 ToS as a key field. |
version | Configures the IP version from IPv4 header as a key field. |
The use of one or more of the IPv4 fields as a key field for a user-defined flow record is not enabled.
Flow record configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
A flow record requires at least one key field before it can be used in a flow monitor. The key fields distinguish flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
The following example configures the IPv4 protocol as a key field:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# match ipv4 protocol
Command | Description |
Creates a NetFlow Lite flow record, or modifies an existing NetFlow Lite flow record, and enters NetFlow Lite flow record configuration mode. |
To configure the IPv4 destination address as a key field for a flow record, use the match ipv4 destination address command in flow record configuration mode. To disable the IPv4 destination address as a key field for a flow record, use the no form of this command.
match ipv4 destination address
no match ipv4 destination address
This command has no arguments or keywords.
The IPv4 destination address is not configured as a key field.
Flow record configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
A flow record requires at least one key field before it can be used in a flow monitor. The key fields distinguish flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
To return this command to its default settings, use the no match ipv4 destination address or default match ipv4 destination address flow record configuration command.
The following example configures the IPv4 destination address as a key field for a flow record:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# match ipv4 destination address
Command | Description |
Creates a NetFlow Lite flow record, or modifies an existing NetFlow Lite flow record, and enters NetFlow Lite flow record configuration mode. |
To configure the IPv4 source address as a key field for a flow record, use the match ipv4 source address command in flow record configuration mode. To disable the use of the IPv4 source address as a key field for a flow record, use the no form of this command.
match ipv4 source address
no match ipv4 source address
This command has no arguments or keywords.
The IPv4 source address is not configured as a key field.
Flow record configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
A flow record requires at least one key field before it can be used in a flow monitor. The key fields distinguish flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
To return this command to its default settings, use the no match ipv4 source address or default match ipv4 source address flow record configuration command.
The following example configures the IPv4 source address as a key field:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# match ipv4 source address
Command | Description |
Creates a NetFlow Lite flow record, or modifies an existing NetFlow Lite flow record, and enters NetFlow Lite flow record configuration mode. |
To configure one or more of the IPv6 fields as a key field for a flow record, use the match ipv6 command in flow record configuration mode. To disable the use of one or more of the IPv6 fields as a key field for a flow record, use the no form of this command.
match ipv6 { destination address | flow-label | protocol | source address }
no match ipv6 { destination address | flow-label | protocol | source address }
destination address | Configures the IPv4 destination address as a key field. For more information see match ipv6 destination address. |
flow-label | Configures the IPv6 flow-label as a key field. |
protocol |
Configures the IPv6 protocol as a key field. |
source address | Configures the IPv4 destination address as a key field. For more information see match ipv6 source address. |
The IPv6 fields are not configured as a key field.
Flow record configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
A flow record requires at least one key field before it can be used in a flow monitor. The key fields distinguish flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
The following example configures the IPv6 protocol field as a key field:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# match ipv6 protocol
Command | Description |
Creates a NetFlow Lite flow record, or modifies an existing NetFlow Lite flow record, and enters NetFlow Lite flow record configuration mode. |
To configure the IPv6 destination address as a key field for a flow record, use the match ipv6 destination address command in flow record configuration mode. To disable the IPv6 destination address as a key field for a flow record, use the no form of this command.
match ipv6 destination address
no match ipv6 destination address
This command has no arguments or keywords.
The IPv6 destination address is not configured as a key field.
Flow record configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
A flow record requires at least one key field before it can be used in a flow monitor. The key fields distinguish flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
To return this command to its default settings, use the no match ipv6 destination address or default match ipv6 destination address flow record configuration command.
The following example configures the IPv6 destination address as a key field:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# match ipv6 destination address
Command | Description |
Creates a NetFlow Lite flow record, or modifies an existing NetFlow Lite flow record, and enters NetFlow Lite flow record configuration mode. |
To configure the IPv6 source address as a key field for a flow record, use the match ipv6 source address command in flow record configuration mode. To disable the use of the IPv6 source address as a key field for a flow record, use the no form of this command.
match ipv6 source address
no match ipv6 source address
This command has no arguments or keywords.
The IPv6 source address is not configured as a key field.
Flow record configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
A flow record requires at least one key field before it can be used in a flow monitor. The key fields distinguish flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
To return this command to its default settings, use the no match ipv6 source address or default match ipv6 source address flow record configuration command.
The following example configures a IPv6 source address as a key field:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# match ipv6 source address
Command | Description |
Creates a NetFlow Lite flow record, or modifies an existing NetFlow Lite flow record, and enters NetFlow Lite flow record configuration mode. |
To configure one or more of the transport fields as a key field for a flow record, use the match transport command in flow record configuration mode. To disable the use of one or more of the transport fields as a key field for a flow record, use the no form of this command.
match transport { destination-port | source-port }
no match transport { destination-port | source-port }
destination-port |
Configures the transport destination port as a key field. |
source-port |
Configures the transport source port as a key field. |
The transport fields are not configured as a key field.
Flow record configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
A flow record requires at least one key field before it can be used in a flow monitor. The key fields distinguish flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
The following example configures the destination port as a key field:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# match transport destination-port
The following example configures the source port as a key field:
Switch(config)# flow record FLOW-RECORD-1 Switch(config-flow-record)# match transport source-port
Command | Description |
Creates a NetFlow Lite flow record, or modifies an existing NetFlow Lite flow record, and enters NetFlow Lite flow record configuration mode. |
To specify the type of sampling and the packet interval for a NetFlow Lite sampler, use the mode command in sampler configuration mode. To remove the type of sampling and the packet interval information for a NetFlow Lite sampler, use the no form of this command.
mode { deterministic | random } 1 out-of window-size
no mode
deterministic |
Enables deterministic mode sampling for the sampler. |
random |
Enables random mode sampling for the sampler. |
1 out-of window-size |
Specifies the window size from which to select packets. The range is 32 to 1022. |
The mode and the packet interval for a sampler are not configured.
Sampler configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
A total of four unique samplers (random or deterministic) are supported on the switch.
In deterministic mode, packets are chosen periodically based on the configured interval. This mode has less overhead than random mode and can be useful when the switch samples traffic that is random in nature.
In random mode, packets are chosen in a manner that should eliminate any bias from traffic patterns and counter any attempt by users to avoid monitoring.
When you attach a monitor using a deterministic sampler, every attachment with the same sampler uses one new free sampler from the switch out of four available samplers. You cannot attach a monitor with any sampler beyond four attachments. When you attach a monitor using a random sampler, only the first attachment uses a new sampler from the switch. The remainder of all of the attachments using the same sampler, share the same sampler. Because of this behavior, when using a deterministic sampler, you can always make sure that the correct number of flows are sampled by comparing the sampling rate and what the switch sends. If the same random sampler is used with multiple interfaces, flows from any interface can always be sampled, and flows from other interfaces can always be skipped.
The following example enables deterministic sampling with a window size of 1000:
Switch(config)# sampler SAMPLER-1 Switch(config-sampler)# mode deterministic 1 out-of 1000
The following example enables random sampling with a window size of 1000:
Switch(config)# sampler SAMPLER-1 Switch(config-sampler)# mode random 1 out-of 1000
Command | Description |
Enables debugging output for NetFlow Lite samplers. | |
Displays the status and statistics for a NetFlow Lite sampler. |
To configure optional data parameters for a flow exporter for NetFlow Lite, use the option command in flow exporter configuration mode. To remove optional data parameters for a flow exporter, use the no form of this command.
option { exporter-stats | interface-table | sampler-table } [ timeout seconds ]
no option { exporter-stats | interface-table | sampler-table }
exporter-stats |
Configures the exporter statistics option for flow exporters. |
interface-table |
Configures the interface table option for flow exporters. |
sampler-table |
Configures the export sampler table option for flow exporters. |
timeout seconds |
(Optional) Configures the option resend time in seconds for flow exporters. The range is 1 to 86400. The default is 600. |
The timeout is 600 seconds. All other optional data parameters are not configured.
Flow exporter configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The option exporter-stats command causes the periodic sending of the exporter statistics, including the number of records, bytes, and packets sent. This command allows the collector to estimate packet loss for the export records it receives. The optional timeout alters the frequency at which the reports are sent.
The option interface-table command causes the periodic sending of an options table, which allows the collector to map the interface SNMP indexes provided in the flow records to interface names. The optional timeout can alter the frequency at which the reports are sent.
The option sampler-table command causes the periodic sending of an options table, which details the configuration of each sampler and allows the collector to map the sampler ID provided in any flow record to a configuration that it can use to scale up the flow statistics. The optional timeout can alter the frequency at which the reports are sent.
To return this command to its default settings, use the no option or default option flow exporter configuration command.
The following example shows how to enable the periodic sending of the sampler option table, which allows the collector to map the sampler ID to the sampler type and rate:
Switch(config)# flow exporter FLOW-EXPORTER-1 Switch(config-flow-exporter)# option sampler-table
The following example shows how to enable the periodic sending of the exporter statistics, including the number of records, bytes, and packets sent:
Switch(config)# flow exporter FLOW-EXPORTER-1 Switch(config-flow-exporter)# option exporter-stats
The following example shows how to enable the periodic sending of an options table, which allows the collector to map the interface SNMP indexes provided in the flow records to interface names:
Switch(config)# flow exporter FLOW-EXPORTER-1 Switch(config-flow-exporter)# option interface-table
Command | Description |
Creates a NetFlow Lite flow exporter, or modifies an existing NetFlow Lite flow exporter, and enters NetFlow Lite flow exporter configuration mode. |
To add a flow record for a NetFlow Lite flow monitor, use the record command in flow monitor configuration mode. To remove a flow record for a NetFlow Lite flow monitor, use the no form of this command.
record record-name
no record
record-name |
Name of a user-defined flow record that was previously configured. |
A flow record is not configured.
Flow monitor configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
Each flow monitor requires a record to define the contents and layout of its cache entries. The flow monitor can use one of the wide range of predefined record formats, or advanced users may create their own record formats.
Note | You must use the no ip flow monitor command to remove a flow monitor from all of the interfaces to which you have applied it before you can modify the parameters for the record command for the flow monitor. |
The following example configures the flow monitor to use FLOW-RECORD-1:
Switch(config)# flow monitor FLOW-MONITOR-1 Switch(config-flow-monitor)# record FLOW-RECORD-1
Command | Description |
Creates a flow monitor, or modifies an existing flow monitor, and enters flow monitor configuration mode. |
To create a NetFlow Lite flow sampler, or to modify an existing NetFlow Lite flow sampler, and to enter NetFlow Lite sampler configuration mode, use the sampler command in global configuration mode. To remove a sampler, use the no form of this command.
sampler sampler-name
no sampler sampler-name
sampler-name |
Name of the flow sampler that is being created or modified. |
Global configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
Flow samplers are used to reduce the load placed by NetFlow Lite on the networking device to monitor traffic by limiting the number of packets that are analyzed. You configure a rate of sampling that is 1 out of a range of 32 to 1022 packets. Flow samplers are applied to interfaces in conjunction with a flow monitor to implement sampled NetFlow Lite.
To enable flow sampling, you configure the record that you want to use for traffic analysis and assign it to a flow monitor. When you apply a flow monitor with a sampler to an interface, the sampled packets are analyzed at the rate specified by the sampler and compared with the flow record associated with the flow monitor. If the analyzed packets meet the criteria specified by the flow record, they are added to the flow monitor cache.
The following example creates a flow sampler name SAMPLER-1:
Switch(config)# sampler SAMPLER-1 Switch(config-sampler)#
Command | Description |
Enables debugging output for NetFlow Lite samplers. | |
Specifies the type of sampling and the packet interval for a NetFlow Lite sampler. | |
Displays the status and statistics for a NetFlow Lite sampler. |
To display flow exporter status and statistics, use the show flow exporter command in privileged EXEC mode.
show flow exporter [ export-ids netflow-v9 | [ name ] exporter-name [ statistics | templates ] | statistics | templates ]
export-ids netflow-v9 |
(Optional) Displays the NetFlow Version 9 export fields that can be exported and their IDs. |
name |
(Optional) Specifies the name of a flow exporter. |
exporter-name |
(Optional) Name of a flow exporter that was previously configured. |
statistics |
(Optional) Displays statistics for all flow exporters or for the specified flow exporter. |
templates |
(Optional) Displays template information for all flow exporters or for the specified flow exporter. |
None
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The following example displays the status and statistics for all of the flow exporters configured on a switch:
Switch# show flow exporter
Flow Exporter FLOW-EXPORTER-1:
Description: Exports to the datacenter
Export protocol: NetFlow Version 9
Transport Configuration:
Destination IP address: 192.168.0.1
Source IP address: 192.168.0.2
Transport Protocol: UDP
Destination Port: 9995
Source Port: 55864
DSCP: 0x0
TTL: 255
Output Features: Used
This table describes the significant fields shown in the display:
Field |
Description |
---|---|
Flow Exporter |
The name of the flow exporter that you configured. |
Description |
The description that you configured for the exporter, or the default description User defined. |
Transport Configuration |
The transport configuration fields for this exporter. |
Destination IP address |
The IP address of the destination host. |
Source IP address |
The source IP address used by the exported packets. |
Transport Protocol |
The transport layer protocol used by the exported packets. |
Destination Port |
The destination UDP port to which the exported packets are sent. |
Source Port |
The source UDP port from which the exported packets are sent. |
DSCP |
The differentiated services code point (DSCP) value. |
TTL |
The time-to-live value. |
Output Features |
Specifies whether the output-features command, which causes the output features to be run on Flexible NetFlow export packets, has been used or not. |
The following example displays the status and statistics for all of the flow exporters configured on a switch:
Switch# show flow exporter name FLOW-EXPORTER-1 statistics
Flow Exporter FLOW-EXPORTER-1:
Packet send statistics (last cleared 2w6d ago):
Successfully sent: 0 (0 bytes)
Command | Description |
Clears the statistics for a NetFlow Lite flow exporter. | |
Enables debugging output for NetFlow Lite flow exporters. | |
Creates a NetFlow Lite flow exporter, or modifies an existing NetFlow Lite flow exporter, and enters NetFlow Lite flow exporter configuration mode. |
To display the NetFlow Lite configuration and status for an interface, use the show flow interface command in privileged EXEC mode.
show flow interface [ type number ]
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The following example displays the NetFlow Lite accounting configuration on Ethernet interfaces 0/0 and 0/1:
Switch# show flow interface gigabitethernet1/0/1 Interface Ethernet1/0 monitor: FLOW-MONITOR-1 direction: Output traffic(ip): on Switch# show flow interface gigabitethernet1/0/2 Interface Ethernet0/0 monitor: FLOW-MONITOR-1 direction: Input traffic(ip): sampler SAMPLER-2#
The table below describes the significant fields shown in the display.
Command | Description |
Displays the status and statistics for a NetFlow Lite flow monitor. |
To display the status and statistics for a NetFlow Lite flow monitor, use the show flow monitor command in privileged EXEC mode.
show flow monitor [ [ name ] monitor-name [ cache [ format { csv | record | table } ] ] [ statistics ] ]
name |
(Optional) Specifies the name of a flow monitor. |
monitor-name |
(Optional) Name of a flow monitor that was previously configured. |
cache |
(Optional) Displays the contents of the cache for the flow monitor. |
format |
(Optional) Specifies the use of one of the format options for formatting the display output. |
csv |
(Optional) Displays the flow monitor cache contents in comma-separated variables (CSV) format. |
record |
(Optional) Displays the flow monitor cache contents in record format. |
table |
(Optional) Displays the flow monitor cache contents in table format. |
statistics |
(Optional) Displays the statistics for the flow monitor. |
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The cache keyword uses the record format by default.
The uppercase field names in the display output of the show flowmonitor monitor-name cache command are key fields that NetFlow Lite uses to differentiate flows. The lowercase field names in the display output of the show flow monitor monitor-name cache command are nonkey fields from which NetFlow Lite collects values as additional data for the cache.
The following example displays the status for a flow monitor:
Switch# show flow monitor FLOW-MONITOR-1 Flow Monitor FLOW-MONITOR-1: Description: Used for basic traffic analysis Flow Record: flow-record-1 Flow Exporter: flow-exporter-1 flow-exporter-2 Cache: Type: normal Status: allocated Size: 4096 entries / 311316 bytes Inactive Timeout: 15 secs Active Timeout: 1800 secs Update Timeout: 1800 secs
This table describes the significant fields shown in the display.
The following example displays the status, statistics, and data for the flow monitor named FLOW-MONITOR-1:
Switch# show flow monitor FLOW-MONITOR-1 cache
Cache type: Normal
Cache size: 4096
Current entries: 8
High Watermark: 10
Flows added: 1560
Flows aged: 1552
- Active timeout ( 1800 secs) 24
- Inactive timeout ( 15 secs) 1528
- Event aged 0
- Watermark aged 0
- Emergency aged 0
IP TOS: 0x00
IP PROTOCOL: 6
IPV4 SOURCE ADDRESS: 10.0.0.1
IPV4 DESTINATION ADDRESS: 172.16.0.1
TRNS SOURCE PORT: 20
TRNS DESTINATION PORT: 20
INTERFACE INPUT: Et0/0
FLOW SAMPLER ID: 0
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.0.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0
counter bytes: 198520
counter packets: 4963
timestamp first: 10564356
timestamp last: 12154104
This table describes the significant fields shown in the display.
The following example displays the status, statistics, and data for the flow monitor named FLOW-MONITOR-1 in a table format:
Switch# show flow monitor FLOW-MONITOR-1 cache format table
Cache type: Normal
Cache size: 4096
Current entries: 4
High Watermark: 6
Flows added: 90
Flows aged: 86
- Active timeout ( 1800 secs) 0
- Inactive timeout ( 15 secs) 86
- Event aged 0
- Watermark aged 0
- Emergency aged 0
IP TOS IP PROT IPV4 SRC ADDR IPV4 DST ADDR TRNS SRC PORT TRNS DST PORT
====== ======= =============== =============== ============= ==============
0x00 1 10.251.10.1 172.16.10.2 0 02
0x00 1 10.251.10.1 172.16.10.2 0 20484
0xC0 17 172.16.6.1 224.0.0.9 520 5202
0x00 6 10.10.11.1 172.16.10.5 25 252
The following example displays the status, statistics, and data for the flow monitor named FLOW-MONITOR-IPv6 (the cache contains IPv6 data) in record format:
Switch# show flow monitor name FLOW-MONITOR-IPv6 cache format record
Cache type: Normal
Cache size: 4096
Current entries: 6
High Watermark: 8
Flows added: 1048
Flows aged: 1042
- Active timeout ( 1800 secs) 11
- Inactive timeout ( 15 secs) 1031
- Event aged 0
- Watermark aged 0
- Emergency aged 0
IPV6 FLOW LABEL: 0
IPV6 EXTENSION MAP: 0x00000040
IPV6 SOURCE ADDRESS: 2001:DB8:1:ABCD::1
IPV6 DESTINATION ADDRESS: 2001:DB8:4:ABCD::2
TRNS SOURCE PORT: 3000
TRNS DESTINATION PORT: 55
INTERFACE INPUT: Et0/0
FLOW DIRECTION: Input
FLOW SAMPLER ID: 0
IP PROTOCOL: 17
IP TOS: 0x00
ip source as: 0
ip destination as: 0
ipv6 next hop address: ::
ipv6 source mask: /48
ipv6 destination mask: /0
tcp flags: 0x00
interface output: Null
counter bytes: 521192
counter packets: 9307
timestamp first: 9899684
timestamp last: 11660744
The following example displays the status and statistics for a flow monitor:
Switch# show flow monitor FLOW-MONITOR-1 statistics
Cache type: Normal
Cache size: 4096
Current entries: 4
High Watermark: 6
Flows added: 116
Flows aged: 112
- Active timeout ( 1800 secs) 0
- Inactive timeout ( 15 secs) 112
- Event aged 0
- Watermark aged 0
- Emergency aged 0
Command | Description |
Clears a flow monitor cache or flow monitor statistics and forces the export of the data in the flow monitor cache. | |
Enables debugging output for NetFlow Lite flow monitors. |
To display the status and statistics for a NetFlow Lite flow record, use the show flow record command in privileged EXEC mode.
show flow record [ [ name ] record-name ]
name | (Optional) Specifies the name of a flow record. |
record-name | (Optional) Name of a user-defined flow record that was previously configured. |
None
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The following example displays the status and statistics for FLOW-RECORD-1:
Switch# show flow record FLOW-RECORD-1
flow record FLOW-RECORD-1:
Description: User defined
No. of users: 0
Total field space: 24 bytes
Fields:
match ipv6 destination address
match transport source-port
collect interface input
Command | Description |
Configures a flow record for a NetFlow Lite flow monitor. |
To display the status and statistics for a NetFlow Lite sampler, use the show sampler command in privileged EXEC mode.
show sampler [ [ name ] sampler-name ]
name | (Optional) Specifies the name of a sampler. |
sampler-name | (Optional) Name of a sampler that was previously configured. |
None
Privileged EXEC
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The following example displays the status and statistics for all of the flow samplers configured:
Switch# show sampler
Sampler SAMPLER-1:
ID: 2083940135
export ID: 0
Description: User defined
Type: Invalid (not in use)
Rate: 1 out of 32
Samples: 0
Requests: 0
Users (0):
Sampler SAMPLER-2:
ID: 3800923489
export ID: 1
Description: User defined
Type: random
Rate: 1 out of 100
Samples: 1
Requests: 124
Users (1):
flow monitor FLOW-MONITOR-1 (datalink,vlan1) 0 out of 0
This table describes the significant fields shown in the display.
Field |
Description |
---|---|
ID |
ID number of the flow sampler. |
Export ID |
ID of the flow sampler export. |
Description |
Description that you configured for the flow sampler, or the default description User defined. |
Type |
Sampling mode that you configured for the flow sampler. |
Rate |
Window size (for packet selection) that you configured for the flow sampler. The range is 2 to 32768. |
Samples |
Number of packets sampled since the flow sampler was configured or the switch was restarted. This is equivalent to the number of times a positive response was received when the sampler was queried to determine if the traffic needed to be sampled. See the explanation of the Requests field in this table. |
Requests |
Number of times the flow sampler was queried to determine if the traffic needed to be sampled. |
Users |
Interfaces on which the flow sampler is configured. |
Command | Description |
Enables debugging output for NetFlow Lite samplers. | |
Creates a NetFlow Lite flow sampler, or modifies an existing NetFlow Lite flow sampler. |
To configure the source IP address interface for all of the packets sent by a NetFlow Lite flow exporter, use the source command in flow exporter configuration mode. To remove the source IP address interface for all of the packets sent by a NetFlow Lite flow exporter, use the no form of this command.
source interface-type interface-number
no source
The IP address of the interface over which the NetFlow Lite datagram is transmitted is used as the source IP address.
Flow exporter configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The benefits of using a consistent IP source address for the datagrams that NetFlow Lite sends include the following:
Caution | The interface that you configure as the source interface must have an IP address configured, and it must be up. |
To return this command to its default settings, use the no source or default source flow exporter configuration command.
The following example shows how to configure NetFlow Lite to use a loopback interface as the source interface for NetFlow traffic:
Switch(config)# flow exporter FLOW-EXPORTER-1 Switch(config-flow-exporter)# source loopback 0
Command | Description |
Creates a NetFlow Lite flow exporter, or modifies an existing NetFlow Lite flow exporter, and enters NetFlow Lite flow exporter configuration mode. |
To collect protocol distribution statistics for a flow monitor, use the statistics packet protocol command in flow monitor configuration mode. To disable collecting protocol distribution statistics and size distribution statistics for a flow monitor, use the no form of this command.
statistics packet protocol
no statistics packet protocol
This command has no arguments or keywords.
The collection of protocol distribution statistics for a flow monitor is not enabled by default.
Flow monitor configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
Before you can collect protocol distribution statistics for a flow monitor with the statistics packet protocol command, you must define the protocol, source and destination ports, first and last time stamps and packet and bytes counters in the flow record. If you do not define these fields, you will get the following warning:
Warning: Cannot set protocol distribution with this Flow Record. Require protocol, source and destination ports, first and last timestamps and packet and bytes counters.
To return this command to its default settings, use the no statistics packet protocol or default statistics packet protocol flow monitor configuration command.
The following example enables the collection of protocol distribution statistics for flow monitors:
Switch(config)# flow monitor FLOW-MONITOR-1 Switch(config-flow-monitor)# statistics packet protocol
Command | Description |
Creates a NetFlow Lite flow exporter, or modifies an existing NetFlow Lite flow exporter, and enters NetFlow Lite flow exporter configuration mode. |
To specify a timeout period for resending flow exporter template data, use the template data timeout command in flow exporter configuration mode. To remove the template resend timeout for a flow exporter, use the no form of this command.
template data timeout seconds
no template data timeout seconds
seconds |
Timeout value in seconds. The range is 1 to 86400. The default is 600. |
The default template resend timeout for a flow exporter is 600 seconds.
Flow exporter configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
The following example configures resending templates based on a timeout of 1000 seconds:
Switch(config)# flow exporter FLOW-EXPORTER-1 Switch(config-flow-exporter)# template data timeout 1000
Command | Description |
Creates a NetFlow Lite flow exporter, or modifies an existing NetFlow Lite flow exporter, and enters NetFlow Lite flow exporter configuration mode. |
To configure the transport protocol for a flow exporter for NetFlow Lite, use the transport command in flow exporter configuration mode. To remove the transport protocol for a flow exporter, use the no form of this command.
transport udp udp-port
no transport udp udp-port
udp udp-port |
Specifies User Datagram Protocol (UDP) as the transport protocol and the UDP port number. |
Flow exporters use UDP on port 9995.
Flow exporter configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
To return this command to its default settings, use the no transport or default transport flow exporter configuration command.
The following example configures UDP as the transport protocol and a UDP port number of 250:
Switch(config)# flow exporter FLOW-EXPORTER-1 Switch(config-flow-exporter)# transport udp 250
Command | Description |
Creates a NetFlow Lite flow exporter, or modifies an existing NetFlow Lite flow exporter, and enters NetFlow Lite flow exporter configuration mode. |
To configure the time-to-live (TTL) value, use the ttl command in flow exporter configuration mode. To remove the TTL value, use the no form of this command.
ttl ttl
no ttl ttl
ttl |
Time-to-live (TTL) value for exported datagrams. The range is 1 to 255. The default is 255. |
Flow exporters use a TTL of 255.
Flow exporter configuration
Release | Modification |
---|---|
Cisco IOS 15.0(2)EX1 |
This command was introduced. |
To return this command to its default settings, use the no ttl or default ttl flow exporter configuration command.
The following example specifies a TTL of 15:
Switch(config)# flow exporter FLOW-EXPORTER-1 Switch(config-flow-exporter)# ttl 15
Command | Description |
Creates a NetFlow Lite flow exporter, or modifies an existing NetFlow Lite flow exporter, and enters NetFlow Lite flow exporter configuration mode. |