Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.1E
Configuring NetFlow Data Export

Configuring NDE

Table Of Contents

Configuring NDE

Understanding How NDE Works

NDE Overview

NDE from the MSFC

NDE from the PFC

Flow Masks

NDE Versions

MLS Cache Entries

Sampled NetFlow

Default NDE Configuration

Configuring NDE

Configuring NDE on the PFC

Enabling NDE From the PFC

Setting the Minimum IP MLS Flow Mask

Populating Additional NDE Fields

Configuring the MLS Aging Time

Configuring Sampled NetFlow

Configuring NDE on the MSFC

Enabling NetFlow

Configuring the MSFC NDE Source Layer 3 Interface

Configuring the NDE Destination

Displaying the NDE Address and Port Configuration

Configuring NDE Flow Filters

NDE Flow Filter Overview

Configuring a Port Flow Filter

Configuring a Host and Port Filter

Configuring a Host Flow Filter

Configuring a Protocol Flow Filter

Clearing an NDE Flow Filter

Displaying the NDE Configuration


Configuring NDE


This chapter describes how to configure NetFlow Data Export (NDE) on the Catalyst 6500 series switches.


Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6500 Series Switch Cisco IOS Command Reference publication and the Release 12.1 publications at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/index.htm


This chapter consists of these sections:

Understanding How NDE Works

Default NDE Configuration

Configuring NDE


Note NDE does not support bridged traffic or Internetwork Packet Exchange (IPX) traffic.

NDE does not support IP multicast traffic. You can display NetFlow statistics for IP multicast traffic with the show mls ip multicast command.


Understanding How NDE Works

These sections describe how NDE works:

NDE Overview

NDE from the MSFC

NDE from the PFC


Note In this chapter, the term "PFC" refers to either a PFC2 or a PFC1, except when specifically differentiated, and the term "MSFC" refers to either an MSFC2 or an MSFC1, except when specifically differentiated.


NDE Overview

NDE makes routed-traffic statistics available for analysis by an external data collector. You can use NDE to analyze all IP unicast traffic that is Layer 3-switched on the PFC and all IP unicast traffic that is routed in software on the MSFC.

The Supervisor Engine 2 stores NetFlow statistics in the NetFlow table. The NDE configuration has no effect on Layer 3 switching in hardware by the PFC2. If the NetFlow table has more than 32K entries, there is an increased probability that there will be insufficient room to store statistics. On the Supervisor Engine 2, no statistics are available for flows that are switched when the NetFlow table is full.

On the Supervisor Engine 1, NetFlow statistics are derived from the MLS cache, which is used primarily for Layer 3 switching by the PFC. If you change the configuration to modify NDE, the new configuration applies to PFC Layer 3 switching. For more information about Layer 3 switching by the PFC on Supervisor Engine 1, see Chapter 19, "Configuring IP Unicast Layer 3 Switching on Supervisor Engine 1." On the Supervisor Engine 1, when the MLS cache is full, the PFC sends flows to be switched by the MSFC, and NetFlow statistics are available from the MSFC for flows that are routed by the MSFC.

NDE from the MSFC

The NetFlow cache on the MSFC captures statistics for routed flows.

NDE on the Catalyst 6500 series switches can use NDE version 1, 5, or 6 to export the statistics captured on the MSFC for routed traffic. For more information, refer to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/switch_c/xcprt3/xcdnfov.htm

NDE from the PFC

These sections describe NDE from the PFC:

Flow Masks

NDE Versions

MLS Cache Entries

Sampled NetFlow

Flow Masks

The PFC uses a flow mask to create flow entries. The following flow masks exist:

destination—The least-specific flow mask. The PFC maintains one entry for each destination IP address. All flows to a given destination IP address use this entry.

destination-source—A more-specific flow mask. The PFC maintains one entry for each source and destination IP address pair. All flows between same source and destination IP addresses use this entry.

destination-source-interface—A more-specific flow mask. Adds the source VLAN SNMP ifIndex to the information in the destination-source flow mask. The destination-source-interface flow mask is supported on Supervisor Engine 2 with Release 12.1(13)E and later releases.

full—A more-specific flow mask. The PFC creates and maintains a separate cache entry for each IP flow. A full entry includes the source IP address, destination IP address, protocol, and protocol-specific Layer 4 port information.

full-interface—The most-specific flow mask. Adds the source VLAN SNMP ifIndex to the information in the full flow mask. The full-interface flow mask is supported on Supervisor Engine 2 with Release 12.1(13)E and later releases.

The PFC uses only one flow mask for all Layer 3-switched traffic. If you change the flow mask configuration, the entire MLS cache is purged.

NDE Versions

NDE on the PFC supports the following NDE versions to export the statistics captured on the PFC for Layer 3-switched traffic:

Supervisor Engine 1 and PFC—NDE version 7

Supervisor Engine 2 and PFC2

NDE version 5 with Release 12.1(13)E and later releases

NDE version 7 with all releases

Depending on the current flow mask, some fields in the flow records might not have values. When the PFC exports cached entries, unsupported fields are filled with a zero (0).

The following tables list the supported NDE fields:

Table 33-1—Version 5 header format

Table 33-2—Version 5 flow record format

Table 33-3—Version 7 header format

Table 33-4—Version 7 flow record format

Table 33-1 NDE Version 5 Header Format

Bytes   Content         Description
------  --------------  -----------
0-1     version         Netflow export format version number
2-3     count           Number of flows exported in this packet (1-30)
4-7     SysUptime       Current time in milliseconds since router booted
8-11    unix_secs       Current seconds since 0000 UTC 1970
12-15   unix_nsecs      Residual nanoseconds since 0000 UTC 1970
16-19   flow_sequence   Sequence counter of total flows seen
20-21   engine_type     Type of flow switching engine
21-23   engine_id       Slot number of the flow switching engine


Table 33-2 NDE Version 5 Flow Record Format

Flow mask columns: D = destination, DS = destination-source, DSI = destination-source-interface (1), F = full, FI = full-interface (1).
Cell values: X = populated; A = additional field (see the "Populating Additional NDE Fields" section); blank = not populated.

Bytes   Content     D     DS    DSI   F     FI    Description
------  ----------  ----  ----  ----  ----  ----  -----------
0-3     srcaddr           X     X     X     X     Source IP address
4-7     dstaddr     X     X     X     X     X     Destination IP address
8-11    nexthop     A(2)  A     A     A     A     Next hop router's IP address
12-13   input                   X           X     Ingress interface SNMP ifIndex
14-15   output      A(2)  A     A     A     A     Egress interface SNMP ifIndex
16-19   dPkts       X     X     X     X     X     Packets in the flow
20-23   dOctets     X     X     X     X     X     Octets (bytes) in the flow
24-27   first       X     X     X     X     X     SysUptime at start of the flow
28-31   last        X     X     X     X     X     SysUptime at the time the last packet of the flow was received
32-33   srcport                       X     X     Layer 4 source port number or equivalent
34-35   dstport                       X     X     Layer 4 destination port number or equivalent
36      pad1                                      Unused (zero) byte
37      tcp_flags                                 Cumulative OR of TCP flags
38      prot                          X     X     Layer 4 protocol (for example, 6=TCP, 17=UDP)
39      tos                                       IP type-of-service byte
40-41   src_as            A     A     A     A     Autonomous system number of the source, either origin or peer
42-43   dst_as      A     A     A     A     A     Autonomous system number of the destination, either origin or peer
44-45   src_mask                                  Source address prefix mask bits
46-47   dst_mask                                  Destination address prefix mask bits
48      pad2                                      Pad 2

(1) Supported in Release 12.1(13)E and later releases.

(2) With the destination flowmask, the "Next hop router's IP address" field and the "Output interface's SNMP ifIndex" field might not contain information that is accurate for all flows.


Table 33-3 NDE Version 7 Header Format

Bytes   Content         Description
------  --------------  -----------
0-1     version         Netflow export format version number
2-3     count           Number of flows exported in this packet (1-30)
4-7     SysUptime       Current time in milliseconds since router booted
8-11    unix_secs       Current seconds since 0000 UTC 1970
12-15   unix_nsecs      Residual nanoseconds since 0000 UTC 1970
16-19   flow_sequence   Sequence counter of total flows seen
20-24   reserved        Unused (zero) bytes


Table 33-4 NDE Version 7 Flow Record Format

Flow mask columns: D = destination, DS = destination-source, DSI = destination-source-interface (1), F = full, FI = full-interface (1).
Cell values: X = populated; A = additional field (see the "Populating Additional NDE Fields" section); blank = not populated.

Bytes   Content     D     DS    DSI   F     FI    Description
------  ----------  ----  ----  ----  ----  ----  -----------
0-3     srcaddr           X     X     X     X     Source IP address
4-7     dstaddr     X     X     X     X     X     Destination IP address
8-11    nexthop     X(2)  X     X     X     X     Next hop router's IP address
12-13   input                   X           X     Ingress interface SNMP ifIndex
14-15   output      X(2)  X     X     X     X     Egress interface SNMP ifIndex
16-19   dPkts       X     X     X     X     X     Packets in the flow
20-23   dOctets     X     X     X     X     X     Octets (bytes) in the flow
24-27   First       X     X     X     X     X     SysUptime at start of the flow
28-31   Last        X     X     X     X     X     SysUptime at the time the last packet of the flow was received
32-33   srcport                       X     X     Layer 4 source port number or equivalent
34-35   dstport                       X     X     Layer 4 destination port number or equivalent
36      flags       X     X     X     X     X     flow mask in use
37      tcp_flags                                 Cumulative OR of TCP flags
38      prot                          X     X     Layer 4 protocol (for example, 6=TCP, 17=UDP)
39      tos                                       IP type-of-service byte
40-41   src_as            A     A     A     A     Autonomous system number of the source, either origin or peer
42-43   dst_as      A     A     A     A     A     Autonomous system number of the destination, either origin or peer
44      src_mask                                  Source address prefix mask bits
45      dst_mask                                  Destination address prefix mask bits
46-47   pad2                                      Pad 2
48-51   MLS RP      X     X     X     X     X     IP address of MLS router

(1) Supported in Release 12.1(13)E and later releases.

(2) With the destination flowmask, the "Next hop router's IP address" field and the "Output interface's SNMP ifIndex" field might not contain information that is accurate for all flows.
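The header and record layouts in Tables 33-1 through 33-4 are what a collector has to unpack from every export datagram it receives. The following Python parser is an added example, not Cisco code and not part of this guide: it decodes v5 and v7 headers and records, checks the 1-30 flow count against the datagram length before touching any record, turns the 4-byte address fields into dotted-quad strings, and expands the cumulative tcp_flags byte. It assumes the standard 24-byte v5 and v7 headers (engine_type at byte 20 and engine_id at byte 21 in v5, bytes 20-23 reserved in v7), the standard 48-byte v5 record in which src_mask and dst_mask are one byte each at offsets 44 and 45 and pad2 occupies bytes 46-47, and the 52-byte v7 record of Table 33-4. The sample datagrams are constructed with the block's own build_packet helper; fields that the flow mask in use does not keep arrive zero-filled, as the second v5 record shows.

```python
"""Parser for NDE version 5 and version 7 export datagrams (added example).

Assumptions, not taken from the guide: standard 24-byte v5/v7 headers, the
standard 48-byte v5 record (src_mask at byte 44, dst_mask at 45, pad2 at
46-47) and the 52-byte v7 record of Table 33-4. All sample data is constructed.
"""
import socket
import struct

# v5 header: version, count, SysUptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type (byte 20), engine_id (byte 21), 2 reserved bytes.
# v7 header: the same first 20 bytes followed by 4 reserved bytes.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V7_HEADER = struct.Struct("!HHIIII4x")
# Record layouts; v7 appends the 4-byte MLS RP address (bytes 48-51).
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V7_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH4s")

COMMON_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "byte36",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")
IP_FIELDS = ("srcaddr", "dstaddr", "nexthop", "mls_rp")
MAX_COUNT = 30  # the header "count" field is 1-30 in both versions
TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def decode_tcp_flags(value):
    """Expand the cumulative-OR tcp_flags byte into flag names."""
    names = [name for bit, name in TCP_FLAG_BITS if value & bit]
    return "|".join(names) if names else "-"


def parse_nde_packet(data):
    """Decode one export datagram into a header dict and a list of flow dicts."""
    if len(data) < 4:
        raise ValueError("datagram shorter than the version and count fields")
    version, count = struct.unpack("!HH", data[:4])
    if version == 5:
        hdr, rec, names = V5_HEADER, V5_RECORD, COMMON_FIELDS
    elif version == 7:
        hdr, rec, names = V7_HEADER, V7_RECORD, COMMON_FIELDS + ("mls_rp",)
    else:
        raise ValueError("unsupported NDE version %d" % version)
    if not 1 <= count <= MAX_COUNT:
        raise ValueError("invalid flow count %d" % count)
    expected = hdr.size + count * rec.size
    if len(data) != expected:  # refuse to unpack a truncated or padded datagram
        raise ValueError("datagram is %d bytes, expected %d for %d v%d records"
                         % (len(data), expected, count, version))
    h = hdr.unpack_from(data, 0)
    header = {"version": h[0], "count": h[1], "SysUptime": h[2],
              "unix_secs": h[3], "unix_nsecs": h[4], "flow_sequence": h[5]}
    if version == 5:
        header["engine_type"], header["engine_id"] = h[6], h[7]
    records = []
    for i in range(count):
        flow = dict(zip(names, rec.unpack_from(data, hdr.size + i * rec.size)))
        for key in IP_FIELDS:
            if key in flow:
                flow[key] = socket.inet_ntoa(flow[key])
        # Byte 36 is pad1 in v5 but reports the flow mask in use in v7.
        flow["flags" if version == 7 else "pad1"] = flow.pop("byte36")
        flow["duration_ms"] = flow["last"] - flow["first"]
        flow["tcp_flag_names"] = decode_tcp_flags(flow["tcp_flags"])
        records.append(flow)
    return {"header": header, "records": records}


def build_packet(version, sys_uptime, unix_secs, flow_sequence, records):
    """Pack constructed record tuples into a datagram (used here for samples)."""
    if version == 5:
        data = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0,
                              flow_sequence, 0, 1, 0)
        rec = V5_RECORD
    else:
        data = V7_HEADER.pack(7, len(records), sys_uptime, unix_secs, 0,
                              flow_sequence)
        rec = V7_RECORD
    return data + b"".join(rec.pack(*r) for r in records)


ip = socket.inet_aton  # dotted quad -> 4 bytes, for the constructed samples

# Constructed v5 datagram with two flows; the second has its source address,
# ports and protocol zero-filled, as fields the flow mask does not keep are.
SAMPLE_V5 = build_packet(5, 99000, 1000000001, 7, [
    (ip("192.0.2.5"), ip("198.51.100.9"), ip("0.0.0.0"), 0, 0, 10, 1500,
     50000, 60000, 53000, 53, 0, 0, 17, 0, 0, 0, 0, 0, 0),
    (ip("0.0.0.0"), ip("203.0.113.7"), ip("0.0.0.0"), 0, 0, 3, 180,
     61000, 61000, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)])
# Constructed v7 datagram with one full-flow-mask telnet flow (FIN|SYN|ACK).
SAMPLE_V7 = build_packet(7, 120000, 1000000000, 0, [
    (ip("10.1.1.10"), ip("10.2.2.20"), ip("10.2.2.1"), 5, 7, 42, 6300,
     100000, 118000, 40000, 23, 4, 0x13, 6, 0, 0, 0, 24, 24, 0,
     ip("10.0.0.1"))])

if __name__ == "__main__":
    for datagram in (SAMPLE_V5, SAMPLE_V7):
        print(parse_nde_packet(datagram))
```

The length check matters on a collector: a datagram whose count does not match its size is either corrupt or not NDE at all, and unpacking it field by field would silently produce garbage flows.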


MLS Cache Entries

NDE captures statistics for Layer 3-switched flows in the MLS cache on the PFC.

NDE maintains traffic statistics for each active flow in the MLS cache and increments the statistics when packets within each flow are switched. Periodically, NDE exports summarized traffic statistics for all expired flows, which the external data collector receives and processes.

Exported NetFlow data contains statistics for the flow entries in the MLS cache that have expired since the last export. Flow entries in the MLS cache expire and are flushed from the MLS cache when one of the following conditions occurs:

The transport protocol indicates that the connection is completed.

Traffic inactivity exceeds 15 seconds.

For flows that remain continuously active, flow entries in the MLS cache expire every 32 minutes to ensure periodic reporting of active flows.

NetFlow data export packets go to the external data collector either when the number of recently expired flows reaches a predetermined maximum, or every second, whichever occurs first.

By default, all expired flows are exported unless filtered. With a filter configured, NDE only exports expired and purged flows that match the filter criteria. NDE flow filters are stored in NVRAM and are not cleared when NDE is disabled. See the "Configuring NDE Flow Filters" section for NDE filter configuration procedures.
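Because export datagrams are UDP and are sent either every second or as soon as the batch of expired flows is full, a collector cannot assume it received every one. The flow_sequence header field ("Sequence counter of total flows seen" in Tables 33-1 and 33-3) is what lets it notice loss. The tracker below is an added example, not Cisco code or part of this guide. It assumes the usual collector interpretation that each datagram's flow_sequence equals the number of flows the exporter had already exported before it, so the next datagram should carry flow_sequence + count: a larger value means records were lost in transit, a smaller value means the exporter reloaded (counter reset) or a datagram arrived late or twice. The (flow_sequence, count) pairs in SAMPLE_HEADERS are constructed.

```python
"""Detect lost NDE export datagrams from the flow_sequence counter (added example).

Assumption (not stated in the guide): each datagram's flow_sequence is the
number of flows exported before it, so the next datagram should carry
flow_sequence + count. The counter is a 32-bit field and wraps.
"""

SEQ_MODULUS = 1 << 32


class ExportSequenceTracker:
    """Tracks the flow_sequence of one exporter and records gaps and resets."""

    def __init__(self):
        self.expected = None   # flow_sequence the next datagram should carry
        self.packets = 0
        self.lost_flows = 0
        self.events = []       # (kind, expected, seen, missing)

    def observe(self, flow_sequence, count):
        """Feed one datagram header; return the number of flows missing before it."""
        self.packets += 1
        missing = 0
        if self.expected is not None and flow_sequence != self.expected:
            if flow_sequence > self.expected:
                # Flows were exported but their datagram(s) never reached us.
                missing = flow_sequence - self.expected
                self.lost_flows += missing
                self.events.append(("gap", self.expected, flow_sequence, missing))
            else:
                # Counter went backwards: exporter reload (counter reset) or a
                # duplicate/reordered datagram. Resynchronise, count no loss.
                self.events.append(("reset_or_reorder", self.expected,
                                    flow_sequence, 0))
        self.expected = (flow_sequence + count) % SEQ_MODULUS
        return missing


def check_export_stream(headers):
    """Run (flow_sequence, count) pairs, as parsed from headers, through a tracker."""
    tracker = ExportSequenceTracker()
    for flow_sequence, count in headers:
        tracker.observe(flow_sequence, count)
    return tracker


# Constructed header sequence: the datagram covering flows 90-99 never arrived,
# and the exporter restarts after the fifth datagram.
SAMPLE_HEADERS = [(0, 30), (30, 30), (60, 30), (100, 12), (112, 30), (0, 5)]

if __name__ == "__main__":
    t = check_export_stream(SAMPLE_HEADERS)
    print("datagrams:", t.packets, "lost flows:", t.lost_flows)
    for event in t.events:
        print(event)
```

Keep one tracker per exporter (source address plus, for v5, engine_id), since each exporter keeps its own counter; mixing two exporters in one tracker produces false gaps.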

Sampled NetFlow

Sampled NetFlow exports data for a subset of the Layer 3-switched IP packets instead of for all packets in a flow. Sampled NetFlow substantially decreases the Supervisor Engine 2 CPU utilization. Release 12.1(13)E and later releases support sampled NetFlow on the Supervisor Engine 2.

With the full-interface or destination-source-interface flow masks, you can enable or disable sampled NetFlow on each LAN port. With all other flow masks, sampled NetFlow is enabled or disabled globally.

You can configure sampled NetFlow to use time-based sampling or packet-based sampling.

Table 33-5 lists the time-based sampling rates and export intervals.

Table 33-5 Time-Based Sampling Rates, Sampling Times, and Export Intervals

Sampling Rate   Sampling Time (Milliseconds)   Export Interval (Milliseconds)
-------------   ----------------------------   ------------------------------
1 in 64         64                             4096
1 in 128        32                             4096
1 in 256        16                             4096
1 in 512        8                              4096
1 in 1024       4                              4096
1 in 2048       4                              8192
1 in 4096       4                              16384
1 in 8192       4                              32768


As examples, if you configure 64 as the rate, then every 4096 milliseconds the sampled NetFlow feature uses traffic from the first 64 milliseconds of a flow; if the rate is 2048, then every 8192 milliseconds, the sampled NetFlow feature uses traffic from the first 4 milliseconds of a flow. With time-based sampled NetFlow, the export interval is not configurable.

Packet-based sampled NetFlow uses this formula to sample a flow: the number of times a flow is sampled is approximately the flow length divided by the sampling rate (packets_in_flow/sampling_rate). For example, if the flow is 32,768 packets long and the sampling rate is 1024, the flow is sampled approximately 32 times (32,768/1,024). With packet-based sampled NetFlow, the export interval is configurable.

Default NDE Configuration

Table 33-6 shows the default NDE configuration.

Table 33-6 Default NetFlow Data Export Configuration

Feature                                   Default Value
----------------------------------------  -------------
NDE                                       Disabled
NDE source addresses                      None
NDE data collector address and UDP port   None
NDE filters                               None
Sampled NetFlow                           Disabled
Populating additional NDE fields          Disabled


Configuring NDE

These sections describe how to configure NDE:

Configuring NDE on the PFC

Configuring NDE on the MSFC

Displaying the NDE Address and Port Configuration

Configuring NDE Flow Filters

Displaying the NDE Configuration


Note You must enable NetFlow on the MSFC Layer 3 interfaces to support NDE on the PFC and on the MSFC.

You must configure NDE on the MSFC to support NDE on the PFC.

With Release 12.1(11b)E and later releases, when you are in configuration mode you can enter EXEC mode-level commands by entering the do keyword before the EXEC mode-level command.


Configuring NDE on the PFC

These sections describe how to configure NDE on the PFC:

Enabling NDE From the PFC

Setting the Minimum IP MLS Flow Mask

Populating Additional NDE Fields

Configuring the MLS Aging Time

Configuring Sampled NetFlow

Enabling NDE From the PFC

NDE from the PFC uses the source configured for the MSFC. To enable NDE from the PFC, perform this task:

Command:  Router(config)# mls nde sender [version {5 | 7}]
Purpose:  Enables NDE from the PFC.

Note NDE version 5 is supported on Supervisor Engine 2 with Release 12.1(13)E and later releases.

Command:  Router(config)# no mls nde sender
Purpose:  Disables NDE from the PFC.



Note With Supervisor Engine 1 and PFC, if NDE is enabled and you disable Multilayer Switching (MLS), you lose the statistics for existing cache entries. They are not exported when MLS shuts down.


This example shows how to enable NDE from the PFC:

Router(config)# mls nde sender 

Setting the Minimum IP MLS Flow Mask

You can set the minimum granularity of the flow mask for the MLS cache on the PFC. The actual flow mask used will have at least the granularity specified by this command. For information on how the different flow masks work, see the "Flow Masks" section.

If you configure TCP intercept, IOS Server Load Balancing (ISLB), Context-Based Access Control (CBAC), reflexive ACLs, or Web Cache Communication Protocol (WCCP), the flow mask changes to full.


Caution Changing the flow mask purges all existing shortcuts in the MLS cache, which on a Supervisor Engine 1 affects the number of active shortcuts. Be careful when using this command on a Supervisor Engine 1. With a Supervisor Engine 2, NDE configuration has no effect on Layer 3 switching in hardware by the PFC2.

To set the minimum IP MLS flow mask, perform this task:

Command:  Router(config)# mls flow ip {destination | destination-source | interface-destination-source | full | interface-full}
Purpose:  Sets the minimum IP MLS flow mask for the protocol.

Command:  Router(config)# no mls flow ip
Purpose:  Reverts to the default IP MLS flow mask.



Note Release 12.1(13)E and later releases support the interface-destination-source and interface-full keywords.


This example shows how to set the minimum IP MLS flow mask:

Router(config)# mls flow ip destination 

To display the IP MLS flow mask configuration, perform this task:

Command:  Router# show mls netflow flowmask
Purpose:  With Release 12.1(8a)E and later releases, displays the flow mask configuration.

Command:  Router# show mls flowmask
Purpose:  With releases earlier than Release 12.1(8a)E, displays the flow mask configuration.


This example shows how to display the MLS flow mask configuration:

Router# show mls netflow flowmask 
current ip flowmask for unicast: destination address
current ipx flowmask for unicast: destination address
Router#

Populating Additional NDE Fields

With Release 12.1(13)E and later releases, you can configure NDE to populate the following additional fields in the NDE packets:

IP address of the next hop router

Egress interface SNMP ifIndex

Source autonomous system number

Destination autonomous system number

Not all of the additional fields are populated with all flow masks. See the "NDE Versions" section for additional information.

To populate the additional fields in NDE packets, perform this task:

Command:  Router(config)# mls nde interface
Purpose:  Populates additional fields in NDE packets.

Command:  Router(config)# no mls nde interface
Purpose:  Disables population of the additional fields.


This example shows how to populate the additional fields in NDE packets:

Router(config)# mls nde interface 

Configuring the MLS Aging Time

The MLS aging time applies to all MLS cache entries. The aging-time value is applied directly to destination mode aging. The MLS aging time value is divided by two to obtain the source-to-destination mode aging time and divided by eight to obtain the full-flow aging time. The default MLS aging time value is 256 seconds.

You can configure the normal aging time in the range of 32 to 4092 seconds in 8-second increments. Any aging-time value that is not a multiple of 8 seconds is adjusted to the closest multiple of 8 seconds. For example, a value of 65 is adjusted to 64 and a value of 127 is adjusted to 128.

Other events might cause MLS entries to be purged, such as routing changes or a change in link state (PFC link is down).


Note If the number of MLS entries exceeds 32K, only adjacency statistics might be available for some flows.


To keep the MLS cache size below 32K entries, enable the following parameters when using the mls aging command:

normal—Configures the wait before aging out and deleting shortcut entries in the Layer 3 table.

fast aging—Configures an efficient process to age out entries created for flows that only switch a few packets and then are never used again. The fast aging parameter uses the time keyword value to check if at least the threshold keyword value of packets have been switched for each flow. If a flow has not switched the threshold number of packets during the time interval, then the entry in the Layer 3 table is aged out.

long—Configures entries for deletion that have been up for the specified value even if the Layer 3 entry is in use. Long aging is used to prevent counter wraparound, which can cause inaccurate statistics.

A typical cache entry that is removed is the entry for flows to and from a Domain Name Server (DNS) or TFTP server. This entry might not be used again after it is created. The PFC saves space in the MLS cache for other data when it detects and ages out these entries.

If you need to enable MLS fast aging time, initially set the value to 128 seconds. If the size of the MLS cache continues to grow over 32K entries, decrease the setting until the cache size stays below 32K. If the cache continues to grow over 32K entries, decrease the normal MLS aging time.

To configure the MLS aging time, perform this task:

Command:  Router(config)# mls aging {fast [threshold {1-128} | time {1-128}] | long 64-900 | normal 32-4092}
Purpose:  Configures the MLS aging time for an MLS cache entry.

Command:  Router(config)# no mls aging {fast | long | normal}
Purpose:  Reverts to the default MLS aging time.


This example shows how to configure the MLS aging time:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# mls aging fast threshold 64 time 30

To display the MLS aging-time configuration, perform this task:

Command:  Router# show mls aging
Purpose:  Displays the MLS aging-time configuration.


This example shows how to display the MLS aging-time configuration:

Router# show mls aging
             enable timeout  packet threshold
             ------ -------  ----------------
normal aging false      300        N/A
fast aging   false      32         100
long aging   false      900        N/A

Router# 

Configuring Sampled NetFlow

These sections describe how to configure sampled NetFlow on the PFC:

Configuring Sampled NetFlow Globally

Configuring Sampled NetFlow on a Layer 3 Interface


Note Release 12.1(13)E and later releases support sampled NetFlow on the PFC.

NDE on the MSFC does not support sampled NetFlow.

With the full-interface or destination-source-interface flow masks, you can enable or disable sampled NetFlow on individual Layer 3 interfaces. With all other flow masks, sampled NetFlow is enabled or disabled globally.


Configuring Sampled NetFlow Globally

To configure sampled NetFlow globally, perform this task:

Step 1
Command:  Router(config)# mls sampling {time-based rate | packet-based rate [interval]}
Purpose:  Enables sampled NetFlow and configures the rate. For packet-based sampling, optionally configures the export interval.
Command:  Router(config)# no mls sampling
Purpose:  Clears the sampled NetFlow configuration.

Step 2
Command:  Router(config)# end
Purpose:  Exits configuration mode.

When you configure sampled NetFlow globally, note the following:

The valid values for rate are 64, 128, 256, 512, 1024, 2048, 4096, and 8192.

The valid values for the packet-based export interval are from 4000 through 16,000.

See the "Sampled NetFlow" section for more information.

Configuring Sampled NetFlow on a Layer 3 Interface


Note With the full-interface or destination-source-interface flow masks, you can enable or disable sampled NetFlow on individual Layer 3 interfaces. With all other flow masks, sampled NetFlow is enabled or disabled globally.

The Layer 3 interface must be configured with an IP address.


To configure sampled NetFlow on a Layer 3 interface, perform this task:

Step 1
Command:  Router(config)# interface {vlan vlan_ID | type(1) slot/port}
Purpose:  Selects an interface to configure.

Step 2
Command:  Router(config-if)# mls netflow sampling
Purpose:  Enables sampled NetFlow on the interface.
Command:  Router(config-if)# no mls netflow sampling
Purpose:  Disables sampled NetFlow on the interface.

Step 3
Command:  Router(config)# end
Purpose:  Exits configuration mode.

(1) type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet

This example shows how to enable sampled NetFlow on Fast Ethernet port 5/12:

Router# configure terminal 
Router(config)# interface fastethernet 5/12 
Router(config-if)# mls netflow sampling 
Router(config-if)# end 
Router#

Configuring NDE on the MSFC

This section supplements the NetFlow procedures at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/switch_r/index.htm

These sections describe how to configure NDE on the MSFC:

Enabling NetFlow

Configuring the MSFC NDE Source Layer 3 Interface

Configuring the NDE Destination


Note You must enable NetFlow on the MSFC Layer 3 interfaces to support NDE on the PFC and NDE on the MSFC.

You must enable NDE on the MSFC to support NDE on the PFC.


Enabling NetFlow

To enable NetFlow, perform this task for each Layer 3 interface from which you want NDE:

Step 1
Command:  Router(config)# interface {vlan vlan_ID} | {type(1) slot/port} | {port-channel port_channel_number}
Purpose:  Selects an interface to configure.

Step 2
Command:  Router(config-if)# ip route-cache flow
Purpose:  Enables NetFlow.

(1) type = ethernet, fastethernet, gigabitethernet, tengigabitethernet, or ge-wan

Configuring the MSFC NDE Source Layer 3 Interface

To configure the Layer 3 interface used as the source of the NDE packets containing statistics from the MSFC, perform this task:

Command:  Router(config)# ip flow-export source {{vlan vlan_ID} | {type(1) slot/port} | {port-channel number} | {loopback number}}
Purpose:  Configures the interface used as the source of the NDE packets containing statistics from the MSFC. Select an interface configured with an IP address; you can use a loopback interface.

Command:  Router(config)# no ip flow-export source
Purpose:  Clears the NDE source interface configuration.

(1) type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet


This example shows how to configure a loopback interface as the NDE flow source:

Router(config)# ip flow-export source loopback 0 
Router(config)#

Configuring the NDE Destination

To configure the destination IP address and UDP port to receive the NDE statistics, perform this task:

Command:  Router(config)# ip flow-export destination ip_address udp_port_number
Purpose:  Configures the NDE destination IP address and UDP port.

Command:  Router(config)# no ip flow-export destination
Purpose:  Clears the NDE destination configuration.


This example shows how to configure the NDE flow destination IP address and UDP port:

Router(config)# ip flow-export destination 172.20.52.37 200 

Note The destination address and UDP port number are saved in NVRAM and are preserved if NDE is disabled and reenabled or if the switch is power cycled. If you are using the NetFlow FlowCollector application for data collection, verify that the UDP port number you configure is the same port number shown in the FlowCollector's nfconfig.file. This file is located at /opt/csconfc/config/nfconfig.file in the FlowCollector application.


Displaying the NDE Address and Port Configuration

To display the NDE address and port configuration, perform these tasks:

Command:  Router# show mls nde
Purpose:  Displays the NDE export flow IP address and UDP port configuration.

Command:  Router# show ip flow export
Purpose:  Displays the NDE export flow IP address, UDP port, and the NDE source interface configuration.


This example shows how to display the NDE export flow source IP address and UDP port configuration:

Router# show mls nde 
 Netflow Data Export enabled
 Netflow Data Export configured for port 0 on Host 0.0.0.0
 Source address: 172.20.52.3, port: 8
 Version: 0
 Include Filter is:
   destination: ip address 0.0.0.0, mask 0.0.0.0, port 35
   source: ip address 0.0.0.0, mask 0.0.0.0, port 0
 Exclude Filter is:
   destination: ip address 2.2.2.2, mask 255.255.255.0, port 23
   source: ip address 0.0.0.0, mask 0.0.0.0, port 0
 Total Netflow Data Export Packets are:
    0 packets, 0 no packets, 0 records
Router# 

This example shows how to display the NDE export flow IP address, UDP port, and the NDE source interface configuration:

Router# show ip flow export 
Flow export is enabled
  Exporting flows to 172.20.52.37 (200)
  Exporting using source interface FastEthernet5/8
  Version 1 flow records
  0 flows exported in 0 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
Router# 

Configuring NDE Flow Filters

These sections describe NDE flow filters:

NDE Flow Filter Overview

Configuring a Port Flow Filter

Configuring a Host and Port Filter

Configuring a Host Flow Filter

Configuring a Protocol Flow Filter

Clearing an NDE Flow Filter

NDE Flow Filter Overview

By default, all expired flows are exported until you configure a filter. After you configure a filter, only expired and purged flows matching the specified filter criteria are exported. Filter values are stored in NVRAM and are not cleared when NDE is disabled.

To display the configuration of the NDE flow filters you configure, use the show mls nde command described in the "Displaying the NDE Configuration" section.

Configuring a Port Flow Filter

To configure a destination or source port flow filter, perform this task:

Command:  Router(config)# mls nde flow {exclude | include} {dest-port number | src-port number}
Purpose:  Configures a port flow filter for an NDE flow.

Command:  Router(config)# no mls nde flow {exclude | include}
Purpose:  Clears the port flow filter configuration.


This example shows how to configure a port flow filter so that only expired flows to destination port 23 are exported (assuming the flow mask is set to ip-flow):

Router(config)# mls nde flow include dest-port 35 
Router(config)#

Configuring a Host and Port Filter

To configure a host and TCP/UDP port flow filter, perform this task:

Command:  Router(config)# mls nde flow {exclude | include} {destination ip_address mask | source ip_address mask {dest-port number | src-port number}}
Purpose:  Configures a host and port flow filter for an NDE flow.

Command:  Router(config)# no mls nde flow {exclude | include}
Purpose:  Clears the port flow filter configuration.


This example shows how to configure a source host and destination TCP/UDP port flow filter so that only expired flows from host 171.69.194.140 to destination port 23 are exported (assuming the flow mask is set to ip-flow):

Router(config)# mls nde flow exclude destination 2.2.2.2 255.255.255.0 dest-port 23 

Configuring a Host Flow Filter

To configure a destination or source host flow filter, perform this task:

Command:  Router(config)# mls nde flow {exclude | include} {destination ip_address mask | source ip_address mask | protocol {tcp {dest-port number | src-port number} | udp {dest-port number | src-port number}}
Purpose:  Configures a host flow filter for an NDE flow.

Command:  Router(config)# no mls nde flow {exclude | include}
Purpose:  Clears the port filter configuration.


This example shows how to configure a host flow filter to include and export only destinations to host 172.20.52.37:

Router(config)# mls nde flow include destination 172.20.52.37 255.255.255.224 
Router(config)# 

Configuring a Protocol Flow Filter

To configure a protocol flow filter, perform this task:

Command:  Router(config)# mls nde flow {exclude | include} protocol {tcp {dest-port number | src-port number} | udp {dest-port number | src-port number}}
Purpose:  Configures a protocol flow filter for an NDE flow.

Command:  Router(config)# no mls nde flow {exclude | include}
Purpose:  Clears the port filter configuration.


This example shows how to configure a TCP protocol flow filter so that only expired flows from destination port 35 are exported:

Router(config)# mls nde flow include protocol tcp dest-port 35 
Router(config)#

Clearing an NDE Flow Filter

To clear the NDE flow filter and reset the filter to the default (all flows exported), perform this task:

Command:  Router# clear mls nde flow {all | exclude | include}
Purpose:  Clears the NDE flow filter.


This example shows how to clear the NDE flow filter so that all flows are exported:

Router# clear mls nde flow all 
Router# 

To display the status of the NDE flow filters, use the show mls nde command described in the "Displaying the NDE Configuration" section.

Displaying the NDE Configuration

To display the NDE configuration, perform this task:

Command:  Router# show mls nde
Purpose:  Displays the NDE configuration.


This example shows how to display the NDE configuration:

Router# show mls nde 
 Netflow Data Export enabled
 Netflow Data Export configured for port 0 on Host 0.0.0.0
 Source address: 172.20.52.3, port: 8
 Version: 0
 Include Filter is:
   destination: ip address 0.0.0.0, mask 0.0.0.0, port 35
   source: ip address 0.0.0.0, mask 0.0.0.0, port 0
 Exclude Filter is:
   destination: ip address 2.2.2.2, mask 255.255.255.0, port 23
   source: ip address 0.0.0.0, mask 0.0.0.0, port 0
 Total Netflow Data Export Packets are:
    0 packets, 0 no packets, 0 records
Router#