Guest

Cisco IOS Software Releases 12.3 T

Random Sampled NetFlow

  • Viewing Options

  • PDF (398.6 KB)
  • Feedback
Random Sampled NetFlow

Table Of Contents

Random Sampled NetFlow

Contents

Prerequisites for Random Sampled NetFlow

Restrictions for Random Sampled NetFlow

Information About Random Sampled NetFlow

Random Sampling Mode

Subinterface Support

NetFlow Sampler

Export Format

Memory Impact

Effect on Interface Traffic

How to Configure Random Sampled NetFlow

Defining a NetFlow Sampler Map

Applying a NetFlow Sampler Map to an Interface

Verifying the Configuration

Troubleshooting Tips

Configuration Examples for Random Sampled NetFlow

Defining a NetFlow Sampler Map: Example

Applying a NetFlow Sampler Map to an Interface: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

debug flow-sampler

flow-sampler

flow-sampler-map

ip flow-export

mode (flow sampler configuration)

show flow-sampler

Glossary


Random Sampled NetFlow


NetFlow provides highly granular per-flow traffic statistics in a Cisco router. A flow is a unidirectional set of packets that arrive at the router on the same subinterface, have the same source and destination IP addresses, Layer 4 protocol, TCP/UDP source and destination ports, and the same type of service (ToS) byte in the IP headers. The router accumulates NetFlow statistics in a NetFlow cache and can export them to an external device (such as the Cisco CNS NetFlow Collection Engine) for further processing.

Random Sampled NetFlow provides NetFlow data for a subset of traffic in a Cisco router by processing only one randomly selected packet out of n sequential packets (n is a user-configurable parameter). Packets are sampled as they arrive (before any NetFlow cache entries are made for those packets). Statistical traffic sampling substantially reduces consumption of router resources (especially CPU resources) while providing valuable NetFlow data.

The main uses of Random Sampled NetFlow are traffic engineering, capacity planning, and applications where full NetFlow is not needed for an accurate view of network traffic.


Note NetFlow's ability to sample packets was first provided by a feature named Sampled NetFlow. The methodology that the Sampled NetFlow feature uses is deterministic sampling, which selects every nth packet for NetFlow processing on a per-interface basis. For example, if you set the sampling rate to 1 out of 100 packets, then Sampled NetFlow samples the 1st, 101st, 201st, 301st, and so on packets. Sampled NetFlow does not allow random sampling and thus can make statistics inaccurate when traffic arrives in fixed patterns. Random Sampled NetFlow is more statistically accurate than Sampled NetFlow.


History for Random Sampled NetFlow Feature

Release
Modification

12.3(2)T

This feature was introduced.

12.2(18)S

This feature was integrated into Cisco IOS Release 12.2(18)S.

12.0(26)S

This feature was integrated into Cisco IOS Release 12.0(26)S.

12.2(27)SBC

This feature was integrated into Cisco IOS Release12.2(27)SBC.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for Random Sampled NetFlow

Restrictions for Random Sampled NetFlow

Information About Random Sampled NetFlow

How to Configure Random Sampled NetFlow

Configuration Examples for Random Sampled NetFlow

Additional References

Command Reference

Glossary

Prerequisites for Random Sampled NetFlow

Before you can configure the Random Sampled NetFlow feature, you must configure

CEF switching or dCEF switching (fast switching is not supported)

NetFlow Version 5 or Version 9 data export if you want to export NetFlow data (otherwise, NetFlow data is visible in the cache, but is not exported)

NetFlow Version 9 if you want to use sampler options templates or view NetFlow sampler IDs

Restrictions for Random Sampled NetFlow

If full Netflow is enabled on an interface, it takes precedence over Random Sampled NetFlow (which will thus have no effect). This means that you should disable full NetFlow on an interface before enabling Random Sampled NetFlow on that interface.

In contrast with full NetFlow, enabling Random Sampled NetFlow on a physical interface does not automatically enable Random Sampled NetFlow on subinterfaces—you must explicitly configure it on subinterfaces. Also, disabling Random Sampled NetFlow on a physical interface (or a subinterface) does not enable full NetFlow. This restriction prevents the transition to full NetFlow from overwhelming the physical interface (or subinterface); you must explicitly enable full NetFlow if desired.

If you enable Random Sampled NetFlow with Version 5 data export, sampler options templates are not exported, and sampler IDs are exported in the least significant three bits of the last byte of the Version 5 record pad field.

Information About Random Sampled NetFlow

To configure Random Sampled NetFlow, you must understand the following concepts:

Random Sampling Mode

Subinterface Support

NetFlow Sampler

Export Format

Memory Impact

Effect on Interface Traffic

Random Sampling Mode

The sampling mode determines the algorithm that selects a subset of traffic for NetFlow processing. In the random sampling mode that Random Sampled NetFlow uses, incoming packets are randomly selected so that one out of each n sequential packets is selected on average for NetFlow processing. For example, if you set the sampling rate to 1 out of 100 packets, then NetFlow might sample the 5th, 120th, 199th, 302nd, and so on packets. This sample configuration provides NetFlow data on 1 percent of total traffic. The n value is a parameter from 1 to 65535 packets that you can configure.

Subinterface Support

Random Sampled NetFlow is supported at the subinterface level. You can configure Random Sampled NetFlow per subinterface as well as per physical interface. Traffic is collected only on the subinterfaces on which Random Sampled NetFlow is configured. As with full NetFlow, enabling Random Sampled NetFlow on a physical interface does not enable Random Sampled NetFlow on subinterfaces automatically—you must explicitly configure it on the subinterfaces.

NetFlow Sampler

A NetFlow sampler map defines a set of properties (such as the sampling rate and NetFlow sampler name) for NetFlow sampling. Each NetFlow sampler map can be applied to one or many subinterfaces as well as physical interfaces. You can define up to eight NetFlow sampler maps.

For example, you can create a NetFlow sampler map named mysampler1 with the following properties: random sampling mode and a sampling rate of 1 out of 100 packets. This NetFlow sampler map can be applied to any number of subinterfaces, each of which would refer to mysampler1 to perform NetFlow sampling. Traffic from these subinterfaces is merged from a sampling point of view. This introduces even more "randomness" than with random per-subinterface NetFlow sampling, but statistically provides the same sampling rate of 1 out of 100 packets for each participating subinterface.

The sampling in Random Sampled NetFlow is done by NetFlow samplers. A NetFlow sampler is defined as an instance of a NetFlow sampler map that has been applied to a physical interface or subinterface. If full NetFlow is configured on a physical interface, it overrides Random Sampled NetFlow on all subinterfaces of this physical interface.

Export Format

Random Sampled NetFlow is supported in the Version 5 and Version 9 NetFlow export formats.

Memory Impact

This feature allows a smaller NetFlow cache than full NetFlow, because it significantly reduces the number of flows. This feature requires an insignificant amount of memory for each configured NetFlow sampler.

Effect on Interface Traffic

This feature substantially reduces the impact of NetFlow data export on interface traffic. For example, a sampling rate of 1 out of 100 packets reduces the export of NetFlow data by about 50 percent.

How to Configure Random Sampled NetFlow

This section contains the following configuration tasks:

Defining a NetFlow Sampler Map (required)

Applying a NetFlow Sampler Map to an Interface (required)

Verifying the Configuration (optional)

Troubleshooting Tips (optional)

Defining a NetFlow Sampler Map

This section shows how to define a NetFlow sampler map.

SUMMARY STEPS

1. enable

2. configure terminal

3. flow-sampler-map sampler-map-name

4. mode random one-out-of sampling-rate

5. end

DETAILED STEPS

 
Command
Purpose

Step 1 

enable

Example:

Router> enable

Enters privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

flow-sampler-map sampler-map-name

Example:

Router(config)# flow-sampler-map mysampler1

Defines a NetFlow sampler map and enters flow sampler map configuration mode.

Step 4 

mode random one-out-of sampling-rate

Example:

Router(config-sampler)# mode random one-out-of 100

Enables random mode and specifies a sampling rate for the NetFlow sampler.

Step 5 

end

Example:

Router(config-sampler)# end

Ends the configuration session and returns to privileged EXEC mode.

Applying a NetFlow Sampler Map to an Interface

This section shows how to apply a NetFlow sampler map to a physical interface (or a subinterface) to create a NetFlow sampler.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface interface-name

4. flow-sampler sampler-map-name

5. end

DETAILED STEPS

 
Command
Purpose

Step 1 

enable

Example:

Router> enable

Enters privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type-number

Example:

Router(config)# interface ethernet 1

Enters interface configuration mode.

Step 4 

flow-sampler sampler-map-name

Example:

Router(config-if)# flow-sampler mysampler1

Applies a NetFlow sampler map to the interface to create the NetFlow sampler.

Step 5 

end

Example:

Router(config-if)# end

Ends the configuration session and returns to privileged EXEC mode.

Verifying the Configuration

This section shows how to verify successful configuration of Random Sampled NetFlow.

SUMMARY STEPS

1. show flow-sampler

2. show ip cache verbose flow

3. show ip flow export template

DETAILED STEPS

 
Command
Purpose

Step 1 

show flow-sampler [sampler-map-name]

Example:

Router> show flow-sampler mysampler1

Displays attributes (including mode, sampling rate, and number of sampled packets) of one or all Random Sampled NetFlow samplers.

Step 2 

show ip cache verbose flow

Example:

Router> show ip cache verbose flow

Displays additional NetFlow fields in the header when Random Sampled NetFlow is configured.

Step 3 

show ip flow export template

Example:

Router> show ip flow export template

Displays the statistics for the NetFlow data export (such as template timeout and refresh rate) for the template-specific configurations.


Troubleshooting Tips

Use the debug flow-sampler command to display debugging output for Random Sampled NetFlow.

Configuration Examples for Random Sampled NetFlow

This section provides the following configuration examples:

Defining a NetFlow Sampler Map: Example

Applying a NetFlow Sampler Map to an Interface: Example

Defining a NetFlow Sampler Map: Example

The following example shows how to define a NetFlow sampler map named mysampler1:

Router> enable
Password:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# flow-sampler-map mysampler1
 Router(config-sampler)# mode random one-out-of 100
 Router(config-sampler)#
 Router(config-sampler)# end
Router#
3w5d: %SYS-5-CONFIG_I: Configured from console by console

Applying a NetFlow Sampler Map to an Interface: Example

The following example shows how to enable CEF switching and apply a NetFlow sampler map named mysampler1 to Ethernet interface 1 to create a NetFlow sampler on that interface:

Router> enable
Password:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip cef
Router(config)# interface ethernet 1
 Router(config-if)# flow-sampler mysampler1
 Router(config-if)#
 Router(config-if)# end
Router# 
3w5d:%SYS-5-CONFIG_I: Configured from console by console

Additional References

The following sections provide references related to the Random Sampled NetFlow feature.

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Related Documents

Related Topic
Document Title

NetFlow

Cisco IOS Switching Services Configuration Guide, Release 12.3

Cisco IOS Switching Services Command Reference, Release 12.3T

Cisco IOS Command Reference Master Index, Release 12.3

NetFlow Version 9 data export

NetFlow v9 Export Format feature module, Release 12.3

NetFlow Version 9 export format

NetFlow Version 9 Flow-Record Format white paper

Description of an actual customer deployment of NetFlow services within an IP network

NetFlow Services for an Enterprise Network integrated solutions document (ISD)

IP multicast routing

Cisco IOS IP Configuration Guide, Release 12.3,"IP Multicast"

NetFlow Minimum Prefix Mask for Router-Based Aggregation feature

NetFlow Minimum Prefix Mask for Router-Based Aggregation feature module, Release 12.1(3)T

NetFlow ToS-Based Router Aggregation feature

NetFlow ToS-Based Router Aggregation feature module, Release 12.1(3)T

Sampled NetFlow feature

Sampled NetFlow feature module, Release 12.0(26)S

Cisco CNS NetFlow Collection Engine (formerly called NetFlow FlowCollector)

Cisco CNS NetFlow Collection Engine Installation and User Guide, Release 4.0

Documentation Updates for Cisco CNS NetFlow Collection Engine, Release 4.0

Release Notes for Cisco CNS NetFlow Collection Engine, Release 4.0

NetFlow Data Analyzer (formerly called NetFlow FlowAnalyzer)

Network Data Analyzer Installation and User Guide, Release 3.6

Release Notes for Cisco Network Data Analyzer, Release 3.6(1)

NetFlow performance test results

NetFlow Performance Analysis white paper


Standards

Standard
Title
   

MIBs

MIB
MIBs Link

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC
Title
   

Technical Assistance

Description
Link

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport


Command Reference

This section documents modified commands only.

debug flow-sampler

flow-sampler

flow-sampler-map

ip flow-export

mode (flow sampler configuration)

show flow-sampler

debug flow-sampler

To enable debugging output for NetFlow sampler activity, use the debug flow-sampler command in privileged EXEC mode. To disable debugging output for NetFlow sampler activity, use the no form of this command.

debug flow-sampler {class-based | events | ipc | match}

no debug flow-sampler {class-based | events | ipc | match}

Syntax Description

class-based

Displays debug messages for class-based NetFlow samplers.

events

Displays debug messages when a NetFlow sampler map is added, deleted, or applied to an interface.

ipc

Displays NetFlow sampler-related debug messages for interprocess communications (IPC) between the route processor and line cards.

match

Displays debug messages when a packet is sampled (is matched with a NetFlow sampler).


Command Default

Debugging output for NetFlow sampler activity is disabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(2)T

This command was introduced.

12.2(18)S

This command was integrated into Cisco IOS Release 12.2(18)S.

12.0(26)S

This command was integrated into Cisco IOS Release 12.0(26)S.

12.3(4)T

The class-based keyword was added.

12.2(27)SBC

This command was integrated into Cisco IOS Release 12.2(27)SBC.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, you should use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, you should use debug commands during periods of lower network traffic and fewer users. Debugging during these periods reducess the likelihood that increased debug command processing overhead will affect system use.

Examples

The following is sample output from the debug flow-sampler events command:

Router# debug flow-sampler events

Flow sampler events debugging is on
Router# configure terminal
Router(config# no flow-sampler mysampler2
Router(config)# 
5d00h:  Flow: Sampler mysampler2 detached from FastEthernet0/1
5d00h: Flow: Sampler mysampler2 deleted

The following is sample output from the debug flow-sampler match command:

Router# debug flow-sampler match

Flow sampler match debugging is on
Router# 
4d23h: Flow: Packet matched sampler mysampler1 on interface FastEthernet0/0
Router# 
4d23h: Flow: Packet matched sampler mysampler1 on interface FastEthernet0/0
Router# 
4d23h: Flow: Packet matched sampler mysampler1 on interface FastEthernet0/0
Router# 
4d23h: Flow: Packet matched sampler mysampler1 on interface FastEthernet0/0

Table 2 describes the significant fields shown in the display.

Table 1 debug flow-sampler Field Descriptions 

Field
Description

Sampler

Name of the NetFlow sampler.

id

Unique ID of the NetFlow sampler.

packets matched

Number of packets matched (sampled) for the NetFlow sampler.

mode

NetFlow sampling mode.

sampling interval is

NetFlow sampling interval (in packets).


Related Commands

Command
Description

flow-sampler

Enables a Random Sampled NetFlow sampler.

flow-sampler-map

Defines a Random Sampled NetFlow sampler map.

ip flow-export

Enables the export of NetFlow data to a collector.

mode (flow sampler map)

Specifies a Random Sampled NetFlow sampling mode and sampling rate.

netflow-sampler

Enables a class-based NetFlow sampler.

show flow-sampler

Displays attributes (including mode, sampling rate, and number of sampled packets) of one or all Random Sampled NetFlow samplers.

show ip flow export

Displays the statistics for the NetFlow data export.


flow-sampler

To apply a flow sampler map for random sampled NetFlow accounting to an interface, use the flow-sampler command in interface configuration mode. To remove a flow sampler map for random sampled NetFlow accounting from an interface, use the no form of this command.

flow-sampler sampler-map-name [egress]

no flow-sampler sampler-map-name [egress]

Syntax Description

sampler-map-name

Name of the flow sampler map to apply to the interface.

egress

(Optional) Specifies that the sampler map is to be applied to egress traffic.


Command Default

Flow sampler maps for NetFlow accounting are not applied to interfaces by default. If flow sampler maps for NetFlow accounting are applied to an interface, they are applied for ingress (incoming) traffic unless otherwise specified with the egress keyword.

Command Modes

Interface configuration
Subinterface configuration

Command History

Release
Modification

12.3(2)T

This command was introduced.

12.2(18)S

This command was integrated into Cisco IOS Release 12.2(18)S.

12.0(26)S

This command was integrated into Cisco IOS Release 12.0(26)S.

12.3(11)T

NetFlow egress support was added.

12.2(27)SBC

This command was integrated into Cisco IOS Release 12.2(27)SBC.


Usage Guidelines

You must create and enable the random sampler NetFlow map for random sampled NetFlow accounting using the flow-sampler-map and mode commands before you can use the flow-sampler command to apply the random sampler NetFlow map to an interface.

Random sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface, or subinterface. You must disable ingress NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the interface, or subinterface, if you want to enable random sampled NetFlow accounting on the interface, or subinterface.

You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.


Tip If you disable CEF or DCEF globally using the no ip cef [distributed] command the flow-sampler sampler-map-name command is removed from any interfaces that you previously configured for random sampled NetFlow accounting. You must reenter the flow-sampler sampler-map-name command after you reenable CEF or dCEF to reactivate random sampled NetFlow accounting.



Tip If your router is running Cisco IOS release 12.2(14)S or a later release, or Cisco IOS Release 12.2(15)T or a later release, NetFlow accounting might be enabled through the use of the ip flow ingress command instead of the ip route-cache flow command. If your router has NetFlow accounting enabled through the use of ip flow ingress command you must disable NetFlow accounting, using the no form of this command, before you apply a random sampler map for random sampled NetFlow accounting on an interface otherwise the full, un-sampled traffic will continue to be seen.


Examples

The following example shows how to create and enable a random sampler map for random sampled (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:

Router(config)# ip cef
Router(config)# flow-sampler-map my-map
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# interface ethernet 0/0
Router(config-if)# no ip route-cache flow
Router(config-if)# ip route-cache cef
Router(config-if)# flow-sampler my-map

The following example shows how to create and enable a random sampler map for random sampled egress NetFlow accounting with CEF switching on Ethernet interface 1/0:

Router(config)# ip cef
Router(config)# flow-sampler-map my-map
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# interface ethernet 1/0
Router(config-if)# no ip flow egress
Router(config-if)# ip route-cache cef
Router(config-if)# flow-sampler my-map egress

The following output from the show flow-sampler command verifies that random sampled NetFlow accounting is active:

Router# show flow-sampler 

 Sampler : my-map, id : 1, packets matched : 7, mode : random sampling mode
  sampling interval is : 100

Related Commands

Command
Description

flow-sampler-map

Defines a flow sampler map for random sampled NetFlow accounting.

mode (flow sampler configuration)

Specifies a packet interval for NetFlow accounting random sampling mode and enables the flow sampler map.

netflow-sampler

Enables NetFlow accounting with input filter sampling.

show flow-sampler

Displays the status of random sampled NetFlow (including mode, packet interval, and number of packets matched for each flow sampler).

show ip cache flow

Displays a summary of the NetFlow accounting statistics.

show ip cache verbose flow

Displays a detailed summary of the NetFlow accounting statistics.

show ip flow interface

Displays NetFlow accounting configuration for interfaces.


flow-sampler-map

To define a flow sampler map for random sampled NetFlow accounting, use the flow-sampler-map command in global configuration mode. To remove a flow sampler map for random sampled NetFlow accounting use the no form of this command.

flow-sampler-map sampler-map-name

no flow-sampler-map sampler-map-name

Syntax Description

sampler-map-name

Name of the flow sampler map to be defined for random sampled NetFlow accounting.


Command Default

No flow sampler maps for random sampled NetFlow accounting are defined.

Command Modes

Global configuration

Command History

Release
Modification

12.3(2)T

This command was introduced.

12.2(18)S

This command was integrated into Cisco IOS Release 12.2(18)S.

12.0(26)S

This command was integrated into Cisco IOS Release 12.0(26)S.

12.2(27)SBC

This command was integrated into Cisco IOS Release 12.2(27)SBC.


Usage Guidelines

Random sampled NetFlow accounting does not start sampling traffic until (1) the random sampler map is activated through the use of the mode command and (2) the sampler map has been applied to an interface through the use of the flow-sampler command.

Random Sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface, or subinterface. You must disable (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the interface or subinterface, if you want to enable random sampled NetFlow accounting on that interface or subinterface.

You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.


Tip If you disable dCEF globally using the no ip cef [distributed] command, the flow-sampler sampler-map-name command is removed from any interfaces that you previously configured for random sampled NetFlow accounting. You must reenter the flow-sampler sampler-map-name command after you reenable CEF or dCEF to reactivate random sampled NetFlow accounting.



Tip If your router is running Cisco IOS release 12.2(14)S or a later release, or Cisco IOS Release 12.2(15)T or a later release, NetFlow accounting might be enabled through the use of the ip flow ingress command instead of the ip route-cache flow command. If your router has NetFlow accounting enabled through the use of ip flow ingress command you must disable NetFlow accounting, using the no form of this command, before you apply a random sampler map for random sampled NetFlow accounting on an interface otherwise the full, un-sampled traffic will continue to be seen.


Examples

The following example shows how to create and enable a random sampler map for random sampled (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:

Router(config)# ip cef
Router(config)# flow-sampler-map my-map
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# interface ethernet 0/0
Router(config-if)# no ip route-cache flow
Router(config-if)# ip route-cache cef
Router(config-if)# flow-sampler my-map

The following example shows how to create and enable a random sampler map for random sampled egress NetFlow accounting with CEF switching on Ethernet interface 1/0:

Router(config)# ip cef
Router(config)# flow-sampler-map my-map
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# interface ethernet 1/0
Router(config-if)# no ip flow egress
Router(config-if)# ip route-cache cef
Router(config-if)# flow-sampler my-map egress

The following output from the show flow-sampler command verifies that random sampled NetFlow accounting is active:

Router# show flow-sampler 

 Sampler : my-map, id : 1, packets matched : 7, mode : random sampling mode
  sampling interval is : 100

Related Commandssampling interval is : 100

Command
Description

flow-sampler

Enables a Random Sampled Netflow sampler.

mode (flow sampler configuration)

Specifies a packet interval for NetFlow accounting random sampling mode and enables the flow sampler map.

netflow-sampler

Enables NetFlow accounting with input filter sampling.

show flow-sampler

Displays the status of random sampled NetFlow (including mode, packet interval, and number of packets matched for each flow sampler).

show ip cache flow

Displays a summary of the NetFlow accounting statistics.

show ip cache verbose flow

Displays a detailed summary of the NetFlow accounting statistics.

show ip flow interface

Displays NetFlow accounting configuration for interfaces.


ip flow-export

To enable the export of information in NetFlow cache entries, use the ip flow-export command in global configuration mode. To disable the export of information, use the no form of this command.

ip flow-export {destination ip-address udp-port | source {ip-address | interface-name} | version {1 | [{5 | 9} [origin-as | peer-as] [bgp-nexthop]]} | template {refresh-rate packets | timeout-rate minutes} [options {export-stats | refresh-rate packets | sampler | timeout-rate minutes}]}

no ip flow-export {destination ip-address udp-port | source {ip-address | interface-name} | version {1 | [{5 | 9} [origin-as | peer-as] [bgp-nexthop]]} | template {refresh-rate packets | timeout-rate minutes} [options {export-stats | refresh-rate packets | sampler | timeout-rate minutes}]}

Syntax Description

destination ip-address udp-port

IP address and protocol-specific port number of the workstation to which you want to send the NetFlow information.

source {ip-address | interface-name}

IP address and interface type and number for the source address.

version 1

Specifies that the export packet uses the version 1 format. This format is the default. The version field occupies the first 2 bytes of the export record. The number of records stored in the datagram is a variable from 1 to 24 for version 1.

version 5

Specifies that the export packet uses the version 5 format. The number of records stored in the datagram is a variable between 1 and 30 for version 5.

version 9

Specifies that the export packet uses the version 9 format.

origin-as

(Optional) Specifies that export statistics include the origin autonomous system (AS) for the source and destination.

peer-as

(Optional) Specifies that export statistics include the peer AS for the source and destination.

bgp-nexthop

(Optional) Specifies that export statistics include BGP next hop related information.

template

Specifies that the refresh-rate and timeout-rate keywords apply to the template.

options

Specifies that the export-stats, refresh-rate, sampler, and timeout-rate keywords apply to the options template.

export-stats

(Optional) Specifies that the export statistics include the total number of flows exported and the total number of packets exported.

refresh-rate packets

(Optional) Specifies the number of export packets before the options are reset. You can specify from 1 to 600 packets. The default is 20 packets.

sampler

(Optional) Specifies that Random Sampled NetFlow options templates are exported. You must enable version 9 data export before using this keyword.

timeout-rate minutes

(Optional) Specifies the time before the options are resent. You can specify from 1 to 3600 minutes. The default is 30 minutes.


Command Default

Export of information in NetFlow cache entries is disabled. You can specify origin AS accounting or peer AS export accounting, but not both.

Command Modes

Global configuration

Command History

Release
Modification

11.1 CA

This command was introduced.

12.0(24)S

This command was integrated into Cisco IOS Release 12.0(24)S, and the (version) 9 keyword was added.

12.3(1)

This command was integrated into Cisco IOS Release 12.3(1), and the bgp-nexthop keyword was added.

12.2(18)S

The bgp-nexthop and sampler keywords were added.

12.0(26)S

The bgp-nexthop and sampler keywords were added.

12.2(27)SBC

This feature was integrated into Cisco IOS Release 12.2(27)SBC.


Usage Guidelines

A NetFlow cache entry contains a lot of information. When NetFlow data collection is enabled with the ip route-cache flow command, you can use the ip flow-export command to configure the router to export the flow cache entries to a destination (such as a system running the NetFlow Collection Engine) when flows expire. This configuration can be useful for traffic analysis, monitoring, attack mitigation, and billing.

Version 5 and version 9 formats include the source and destination AS addresses and source and destination prefix masks. Also, version 9 might include BGP next hop information.

For more information on the version 5 data format, refer to the Cisco IOS Switching Services Configuration Guide. For more information on version 9 data format, refer to the Cisco IOS NetFlow Version 9 Flow-Record Format white paper.

Examples

The following example shows how to configure the router to export the NetFlow cache entry to UDP port 2048 on the workstation at 134.22.23.7 when the flow expires using version 5 format and includes the peer AS information:

Router(config)# ip flow-export destination 134.22.23.7 2048 version 5 peer-as

Related Commands

Command
Description

debug ip flow export

Enables debugging output for NetFlow data export.

export destination

Enables the export of information from NetFlow aggregation caches.

ip route-cache flow

Enables NetFlow data collection for IP routing.

show ip flow export

Displays the statistics for the NetFlow data export.


mode (flow sampler configuration)

To specify a packet interval for random sampled NetFlow accounting and enable the flow sampler map, use the mode command in NetFlow flow sampler configuration mode.

mode random one-out-of packet-interval

Syntax Description

random

Specifies that sampling uses the random mode.

one-out-of packet-interval

Specifies the packet interval (1 out of every n packets). For n, you can specify from 1 to 65535 packets.


Command Default

The random sampling mode and packet sampling interval are undefined.

Command Modes

NetFlow flow sampler configuration

Command History

Release
Modification

12.3(2)T

This command was introduced.

12.2(18)S

This command was integrated into Cisco IOS Release 12.2(18)S.

12.0(26)S

This command was integrated into Cisco IOS Release 12.0(26)S.

12.2(27)SBC

This command was integrated into Cisco IOS Release 12.2(27)SBC.


Usage Guidelines

The mode random one-out-of command does not have a no format to remove it from the configuration. To disable NetFlow random sampling and packet interval you must remove the flow sampler map that you enabled with the mode random one-out-of command.

If you want to change the value that you entered for the packet-interval argument repeat the mode random one-out-of packet-interval command using the new value for packet-interval.

Random sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface, or subinterface. In order to run random sampled NetFlow accounting, you must first disable (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling.

You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.


Tip If you disable dCEF globally using the no ip cef [distributed] command, the flow-sampler sampler-map-name command is removed from any interfaces that you previously configured for random sampled NetFlow accounting. You must reenter the flow-sampler sampler-map-name command after you reenable CEF or dCEF to reactivate random sampled NetFlow accounting.



Tip If your router is running Cisco IOS release 12.2(14)S or a later release, or Cisco IOS Release 12.2(15)T or a later release, NetFlow accounting might be enabled through the use of the ip flow ingress command instead of the ip route-cache flow command. If your router has NetFlow accounting enabled through the use of ip flow ingress command you must disable NetFlow accounting, using the no form of this command, before you apply a random sampler map for random sampled NetFlow accounting on an interface otherwise the full, un-sampled traffic will continue to be seen.


Examples

The following example shows how to create and enable a random sampler map for random sampled (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:

Router(config)# ip cef
Router(config)# flow-sampler-map my-map
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# interface ethernet 0/0
Router(config-if)# no ip route-cache flow
Router(config-if)# ip route-cache cef
Router(config-if)# flow-sampler my-map

The following example shows how to create and enable a random sampler map for random sampled egress NetFlow accounting with CEF switching on Ethernet interface 1/0:

Router(config)# ip cef
Router(config)# flow-sampler-map my-map
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# interface ethernet 1/0
Router(config-if)# no ip flow egress
Router(config-if)# ip route-cache cef
Router(config-if)# flow-sampler my-map egress

The following output from the show flow-sampler command verifies that random sampled NetFlow accounting is active:

Router# show flow-sampler 

 Sampler : my-map, id : 1, packets matched : 7, mode : random sampling mode
  sampling interval is : 100

Related Commands

Command
Description

flow-sampler

Applies a flow sampler map for random sampled NetFlow accounting to an interface.

flow-sampler-map

Defines a flow sampler map for random sampled NetFlow accounting.

netflow-sampler

Enables NetFlow accounting with input filter sampling.

show flow-sampler

Displays the status of random sampled NetFlow (including mode, packet interval, and number of packets matched for each flow sampler).

show ip cache flow

Displays a summary of the NetFlow accounting statistics.

show ip cache verbose flow

Displays a detailed summary of the NetFlow accounting statistics.

show ip flow interface

Displays NetFlow accounting configuration for interfaces.


show flow-sampler

To display the status and statistics for random sampled NetFlow (including mode, packet interval, and number of packets matched for each flow sampler), use the show flow-sampler command in user EXEC or privileged EXEC mode.

show flow-sampler [sampler-map-name]

Syntax Description

sampler-map-name

(Optional) Name of a flow sampler map.


Command Modes

User EXEC
Privileged EXEC

Command History

Release
Modification

12.3(2)T

This command was introduced.

12.2(18)S

This command was integrated into Cisco IOS Release 12.2(18)S.

12.0(26)S

This command was integrated into Cisco IOS Release 12.0(26)S.

12.2(27)SBC

This command was integrated into Cisco IOS Release 12.2(27)SBC.


Examples

The following is sample output from the show flow-sampler command for all flow samplers:

Router> show flow-sampler

Sampler : mysampler1, id : 1, packets matched : 10, mode : random sampling mode
  sampling interval is : 100

 Sampler : myflowsampler2, id : 2, packets matched : 5, mode : random sampling mode 
  sampling interval is : 200

The following is sample output from the show flow-sampler command for a flow sampler named mysampler1:

Router> show flow-sampler mysampler1

Sampler : mysampler1, id : 1, packets matched : 0, mode : random sampling mode
  sampling interval is : 100

Table 2 describes the fields shown in the displays.

Table 2 show flow-sampler Field Descriptions 

Field
Description

Sampler

Name of the flow sampler

id

Unique ID of the flow sampler

packets matched

Number of packets matched for the flow sampler

mode

Flow sampling mode

sampling interval is

Flow sampling interval (in packets)


Related Commands

Command
Description

flow-sampler

Applies a flow sampler map for random sampled NetFlow accounting to an interface.

flow-sampler-map

Defines a flow sampler map for random sampled NetFlow accounting.

mode (flow sampler configuration)

Specifies a packet interval for NetFlow accounting random sampling mode.

netflow-sampler

Enables NetFlow accounting with input filter sampling.

show ip cache flow

Displays a summary of the NetFlow accounting statistics.

show ip cache verbose flow

Displays a detailed summary of the NetFlow accounting statistics.

show ip flow interface

Displays NetFlow accounting configuration for interfaces.


Glossary

BGP—Border Gateway Protocol. Interdomain routing protocol that replaces Exterior Border Gateway Protocol (EBGP). BGP exchanges reachability information with other BGP systems. It is defined by RFC 1163.

BGP next hop—IP address of the next hop to be used to reach a certain destination.

CEF—Cisco Express Forwarding. Layer 3 IP switching technology that optimizes network performance and scalability for networks with large and dynamic traffic patterns.

data flowset—A collection of data records that are grouped together in an export packet.

data recordProvides information about an IP flow that exists on the device that produced an export packet. Each group of data records (meaning each data flowset) references a previously transmitted template ID, which can be used to parse the data within the records.

dCEF—Distributed Cisco Express Forwarding. Type of CEF switching in which line cards (such as VIP line cards) maintain an identical copy of the forwarding information base (FIB) and adjacency tables. The line cards perform the express forwarding between port adapters; this relieves the route/switch processor of involvement in the switching operation.

export packetType of packet built by a device (for example, a router) with NetFlow services enabled that is addressed to another device (for example, a NetFlow Collection Engine). The packet contains NetFlow statistics. The other device processes the packet (parses, aggregates, and stores information on IP flows).

fast switching—Cisco feature in which a route cache is used to expedite packet switching through a router.

flow—Unidirectional stream of packets between a given source and destination—each defined by a network-layer IP address and transport-layer source and destination port numbers.

flowset—A collection of flow records that follow the packet header in an export packet. A flowset contains information that must be parsed and interpreted by the NetFlow Collection Engine device. There are two different types of flowsets: template flowsets and data flowsets. An export packet contains one or more flowsets, and both template and data flowsets can be mixed in the same export packet.

NetFlow—A Cisco IOS acceleration and accounting feature that maintains per-flow information.

NetFlow Aggregation—A NetFlow feature that lets you summarize NetFlow export data on an IOS router before the data is exported to a NetFlow data collection system such as the NetFlow Collection Engine. This feature lowers bandwidth requirements for NetFlow export data and reduces platform requirements for NetFlow data collection devices.

NetFlow Collection Engine (formerly NetFlow FlowCollector)—Cisco application that is used with NetFlow on Cisco routers and Catalyst 5000 series switches. The NetFlow Collection Engine collects packets from the router that is running NetFlow and decodes, aggregates, and stores them. You can generate reports on various aggregations that can be set up on the NetFlow Collection Engine.

NetFlow sampler—NetFlow sampler map that has been applied to at least one physical interface or subinterface.

NetFlow sampler map—Defines a set of properties (such as the sampling rate) for NetFlow sampling.

NetFlow v9—NetFlow export format Version 9. A flexible and extensible means to carry NetFlow records from a network node to a collector. NetFlow Version 9 has definable record types and is self-describing for easier NetFlow Collection Engine configuration.

options data recordSpecial type of data record (which is based on an options template) with a reserved template ID that provides information about the NetFlow process itself.

options templateType of template record used to communicate the format of data related to the NetFlow process.

packet headerFirst part of an export packet. It provides basic information about the packet (such as the NetFlow version, number of records contained in the packet, and sequence numbering) so that lost packets can be detected.

template flowsetCollection of one or more template records that are grouped in an export packet.

template IDUnique number that distinguishes a template record from other template records produced by the same export device. A NetFlow Collection Engine application that receives export packets from several devices should be aware that uniqueness is not guaranteed across export devices. Thus, the NetFlow Collection Engine should also cache the address of the export device that produced the template ID in order to enforce uniqueness.

template recordDefines the format of subsequent data records that might be received in current or future export packets. A template record within an export packet does not necessarily indicate the format of data records within that same packet. A NetFlow Collection Engine application must cache any template records received and then parse any data records it encounters by locating the appropriate template record in the cache.

ToS—type of service byte. Second byte in the IP header that indicates the desired quality of service for a particular datagram.


Note Refer to Internetworking Terms and Acronyms for terms not included in this glossary.