Cisco Nexus 7000 Series NX-OS System Management Configuration Guide, Release 6.x
Configuring NetFlow

Table of Contents

Configuring NetFlow

Finding Feature Information

Information About NetFlow

NetFlow Overview

Flow Records

Flow Exporters

Export Formats

Flow Monitors

Samplers

Network Analysis Module

High Availability

Virtualization Support

Licensing Requirements for NetFlow

Prerequisites for NetFlow

Guidelines and Limitations for NetFlow

Default Settings for NetFlow

Configuring NetFlow

Enabling the NetFlow Feature

Creating a Flow Record

Specifying the Match Parameters

Specifying the Collect Parameters

Creating a Flow Exporter

Creating a Flow Monitor

Creating a Sampler

Applying a Flow Monitor to an Interface

Configuring Bridged NetFlow on a VLAN

Configuring Layer 2 NetFlow

Configuring NetFlow Timeouts

Verifying the NetFlow Configuration

Monitoring NetFlow

Configuration Examples for NetFlow

Additional References for NetFlow

Related Documents

Standards

Feature History for NetFlow

Finding Feature Information

Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the “New and Changed Information” chapter or the Feature History table below.

Information About NetFlow

NetFlow identifies packet flows for both ingress and egress IP packets and provides statistics based on these packet flows. NetFlow does not require any change to either the packets themselves or to any networking device.


NetFlow Overview

NetFlow uses flows to provide statistics for accounting, network monitoring, and network planning. A flow is a unidirectional stream of packets that arrives on a source interface (or VLAN) and has the same values for the keys. A key is an identified value for a field within the packet. You create a flow using a flow record to define the unique keys for your flow.

Cisco NX-OS supports the Flexible NetFlow feature, which enables enhanced detection of network anomalies and security incidents. Flexible NetFlow allows you to define an optimal flow record for a particular application by selecting the keys from a large collection of predefined fields. For more information on the flow records, see the “Flow Records” section.

All key values must match for the packet to count in a given flow. A flow might gather other fields of interest, depending on the export record version that you configure. Flows are stored in the NetFlow cache.

You can export the data that NetFlow gathers for your flow by using a flow exporter and export this data to a remote NetFlow collector. Cisco NX-OS exports a flow as part of a NetFlow export User Datagram Protocol (UDP) datagram under the following circumstances:

  • The flow has received no packets for longer than the inactive timeout, or has existed for longer than the active timeout.
  • The flow cache is getting full.
  • One of the counters (packets or bytes) has exceeded its maximum value.
  • You have forced the flow to export.

For more information on flow exporters, see the “Flow Exporters” section.

The flow record determines the size of the data to be collected for a flow. The flow monitor combines the flow record and flow exporter with the NetFlow cache information. For more information on flow monitors, see the “Flow Monitors” section.

Cisco NX-OS can gather NetFlow statistics in either full or sampled mode. Cisco NX-OS analyzes all packets on the interface or subinterface for full NetFlow mode. For sampled mode, you configure the rate at which Cisco NX-OS analyzes packets. For more information on samplers, see the “Samplers” section.

Flow Records

A flow record defines the keys that NetFlow uses to identify packets in the flow as well as other fields of interest that NetFlow gathers for the flow. You can define a flow record with any combination of keys and fields of interest. Cisco NX-OS supports a rich set of keys. A flow record also defines the types of counters gathered per flow. You can configure 32-bit or 64-bit packet or byte counters.

The key fields are specified with the match keyword. The fields of interest and counters are specified with the collect keyword.

Cisco NX-OS enables the following match fields as the defaults when you create a flow record:

  • match interface input
  • match interface output
  • match flow direction

For more information, see the “Creating a Flow Record” section.

Flow Exporters

A flow exporter contains network layer and transport layer details for the NetFlow export packet. You can configure the following information in a flow exporter:

  • Export destination IP address
  • Source interface
  • UDP port number (where the collector is listening for NetFlow packets)
  • Export format

Note NetFlow export packets use the IP address that is assigned to the source interface. If the source interface does not have an IP address assigned to it, the flow exporter will be inactive.


Cisco NX-OS exports data to the collector whenever a timeout occurs or when the flow is terminated (TCP FIN or RST received, for example). You can configure the following timers to force a flow export:

  • Active timeout—Exports and removes entries that have been in the cache for this long, even if they are still receiving packets. Prevents long-lasting flows from becoming invisible to the collector for a long period of time. The value of the active timeout should always be greater than that of the inactive timeout.
  • Inactive timeout—Exports and removes entries that have received no packets for this long.
  • Fast timeout—Flushes low-hitting flows.
  • Aggressive timeout—Aggressively times out the flows when the cache starts getting full.
  • Session timeout—Ages the flows if the TCP close connection handshake is observed (FIN/FIN_ACK packets).
  • Flow timeout—Flushes the cache for F2, F2e, and F3 Series modules.

Note The first five timeouts are applicable only to the NetFlow cache on M Series modules. The flow timeout is supported only for F2, F2e, and F3 Series modules.


The active and inactive timeouts exist by default and cannot be unconfigured. Only their time values can be configured.
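As an added illustration of the export triggers listed in the overview and of the active and inactive timeouts described here (this is example code written for this page, not NX-OS software), the following Python models a flow cache: packets are keyed by an assumed set of match fields, counters accumulate per flow, and an entry is exported when it has received no packet for the inactive timeout, when it has lived longer than the active timeout even though it is still receiving packets, or when a TCP FIN or RST is seen. The packet stream, the field names and the 60 s / 15 s timeouts are constructed for the demo; the cache-full and counter-overflow triggers are not modelled.

```python
"""Toy NetFlow cache: packets are keyed by the flow record's match fields
and entries are exported on the inactive timeout, the active timeout, or a
TCP FIN/RST. Constructed example for this page, not NX-OS code."""
from dataclasses import dataclass

FIN, RST = 0x01, 0x04

# Assumed key fields: 'match ip protocol', 'match ipv4 source/destination
# address', 'match transport source-port/destination-port' plus the default
# 'match interface input'.
KEY_FIELDS = ("proto", "src", "dst", "sport", "dport", "in_if")


@dataclass
class FlowEntry:
    key: tuple
    first: int           # sys-uptime (s) of the first packet
    last: int            # sys-uptime (s) of the most recent packet
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0   # OR of all TCP flags seen ('collect transport tcp flags')


class FlowCache:
    def __init__(self, active_timeout=1800, inactive_timeout=15):
        if active_timeout <= inactive_timeout:
            raise ValueError("active timeout must be greater than inactive timeout")
        self.active, self.inactive = active_timeout, inactive_timeout
        self.cache = {}        # key -> FlowEntry
        self.exported = []     # (reason, FlowEntry), in export order

    def _export(self, key, reason):
        self.exported.append((reason, self.cache.pop(key)))

    def expire(self, now):
        """Age the cache: no packet for > inactive, or alive for >= active."""
        for key, e in list(self.cache.items()):
            if now - e.last > self.inactive:
                self._export(key, "inactive")
            elif now - e.first >= self.active:
                self._export(key, "active")

    def packet(self, now, pkt):
        """Account one packet; pkt holds the key fields, 'len' and optional 'flags'."""
        self.expire(now)
        key = tuple(pkt[f] for f in KEY_FIELDS)
        e = self.cache.get(key)
        if e is None:
            e = self.cache[key] = FlowEntry(key, now, now)
        e.last = now
        e.packets += 1
        e.bytes += pkt["len"]
        flags = pkt.get("flags", 0)
        e.tcp_flags |= flags
        if pkt["proto"] == 6 and flags & (FIN | RST):
            self._export(key, "tcp-close")   # session ended, no need to wait for a timeout


def run_demo():
    """Constructed packet stream (times in seconds); returns the cache afterwards."""
    fc = FlowCache(active_timeout=60, inactive_timeout=15)
    udp = dict(proto=17, src="10.0.0.1", dst="10.0.0.2", sport=5000, dport=53, in_if="Eth2/1", len=100)
    tcp = dict(proto=6, src="10.0.0.3", dst="10.0.0.4", sport=40000, dport=443, in_if="Eth2/1", len=60)
    stream = [(1, dict(tcp, flags=0x02)), (2, dict(tcp, flags=0x18)), (3, dict(tcp, flags=FIN | 0x10))]
    stream += [(10, dict(udp, dport=123)), (12, dict(udp, dport=123))]   # short NTP exchange
    stream += [(t, udp) for t in range(0, 101, 5)]                       # long-lived DNS flow
    for now, pkt in sorted(stream, key=lambda item: item[0]):
        fc.packet(now, pkt)
    return fc
```

Running run_demo() yields three exports in this order: the TCP flow on its FIN, the short NTP flow on the inactive timeout, and the first 60 seconds of the long-lived flow on the active timeout, after which that flow continues as a fresh cache entry. The constructor refuses an active timeout that does not exceed the inactive one, which is the rule stated in the timer list above.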

Export Formats

Cisco NX-OS supports the Version 5 and Version 9 export formats. We recommend that you use the Version 9 export format for the following reasons:

  • Variable field specification format
  • More efficient network utilization
  • Support for IPv6 and Layer 2 fields

If you configure the Version 5 export format, you have these limitations:

  • Fixed field specifications
  • No support for IPv6 and Layer 2 fields
  • The Netflow.InputInterface and Netflow.OutputInterface fields carry a 16-bit I/O descriptor (IOD) of the interface rather than the full 32-bit SNMP ifIndex.

Note The IOD information of the interface can be retrieved using the show system internal im info global command.


For information about the Version 9 export format, see RFC 3954 .


Note Cisco NX-OS supports UDP as the transport protocol for exports to up to two collectors. NetFlow export over UDP is neither authenticated nor encrypted, so reach the collector over a network or VRF (see the use-vrf option of the destination command) that untrusted hosts can neither observe nor inject packets into.



Note M1 Series modules support the configuration change from the Version 5 to Version 9 export format, but F2, F2e, and F3 Series modules do not.
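To show what a Version 9 export actually carries on the wire, here is an added example (written for this page, not Cisco code) of a small RFC 3954 decoder with the template cache a collector must keep: a data FlowSet (ID 256 or higher) can only be decoded after the template FlowSet (ID 0) from the same source ID has been seen, which is why the exporter periodically resends templates (the template data timeout in the flow exporter version submode). The builder at the bottom constructs a sample datagram with a twelve-field template; the flows, addresses and 32-bit ifIndex values in it are made up, and the field-type numbers are the standard NetFlow v9 assignments. Because the datagram arrives over unauthenticated UDP, every length is bounds-checked before use.

```python
"""Minimal NetFlow v9 (RFC 3954) decoder with a per-source template cache,
plus a builder that constructs a sample export datagram. Added example for
this page, not NX-OS code; field types are the standard v9 assignments."""
import struct
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unixSecs, sequence, sourceId
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 6: "tcp_flags",
               7: "src_port", 8: "src_addr", 10: "in_if", 11: "dst_port",
               12: "dst_addr", 14: "out_if", 21: "last_switched", 22: "first_switched"}
# Constructed template: (type, length) pairs, 38 bytes per data record.
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (10, 4), (14, 4),
            (2, 4), (1, 4), (22, 4), (21, 4)]


def _decode(ftype, raw):
    return str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")


class V9Decoder:
    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(type, len), ...]
        self.pending = 0      # data flowsets seen before their template arrived

    def feed(self, datagram):
        """Decode one export datagram; returns the list of flow records it carried."""
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(datagram)
        if version != 9:
            raise ValueError("not a v9 export")
        records, off = [], HEADER.size
        while off + 4 <= len(datagram):
            fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
            if fs_len < 4 or off + fs_len > len(datagram):
                raise ValueError("bad flowset length")   # untrusted input: never trust a length
            body = datagram[off + 4:off + fs_len]
            if fs_id == 0:
                self._templates(source_id, body)
            elif fs_id >= 256:
                records += self._data(source_id, fs_id, body)
            off += fs_len                 # IDs 1..255 (options) are skipped here
        return records

    def _templates(self, source_id, body):
        p = 0
        while p + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, p)
            p += 4
            if p + 4 * nfields > len(body):
                raise ValueError("truncated template")
            self.templates[(source_id, tid)] = [struct.unpack_from("!HH", body, p + 4 * i)
                                                for i in range(nfields)]
            p += 4 * nfields

    def _data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.pending += 1             # undecodable until the template is (re)sent
            return []
        rec_len, out, p = sum(l for _, l in fields), [], 0
        while p + rec_len <= len(body):   # trailing bytes shorter than a record are padding
            rec, q = {}, p
            for ftype, flen in fields:
                rec[FIELD_NAMES.get(ftype, ftype)] = _decode(ftype, body[q:q + flen])
                q += flen
            out.append(rec)
            p += rec_len
        return out


def build_datagram(flows, template_id=256, source_id=1, seq=1, with_template=True):
    """Exporter side (constructed): optional template FlowSet, then one data FlowSet."""
    flowsets = b""
    if with_template:
        tmpl = struct.pack("!HH", template_id, len(TEMPLATE))
        tmpl += b"".join(struct.pack("!HH", *f) for f in TEMPLATE)
        flowsets += struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = b""
    for f in flows:
        for ftype, flen in TEMPLATE:
            v = f[FIELD_NAMES[ftype]]
            data += IPv4Address(v).packed if ftype in (8, 12) else int(v).to_bytes(flen, "big")
    data += b"\0" * (-len(data) % 4)    # pad the FlowSet to a 32-bit boundary
    flowsets += struct.pack("!HH", template_id, 4 + len(data)) + data
    count = (1 if with_template else 0) + len(flows)
    return HEADER.pack(9, count, 1000, 1700000000, seq, source_id) + flowsets


SAMPLE_FLOWS = [   # constructed flows; in_if/out_if are 32-bit ifIndex values
    dict(src_addr="192.0.2.10", dst_addr="198.51.100.5", src_port=51514, dst_port=443,
         protocol=6, tcp_flags=0x1B, in_if=436207616, out_if=436207617,
         in_pkts=12, in_bytes=1200, first_switched=900, last_switched=990),
    dict(src_addr="192.0.2.11", dst_addr="198.51.100.53", src_port=40000, dst_port=53,
         protocol=17, tcp_flags=0, in_if=436207616, out_if=436207617,
         in_pkts=1, in_bytes=80, first_switched=950, last_switched=950),
]
```

Feeding a data-only datagram to a fresh V9Decoder returns nothing and bumps pending, which is what a collector sees after a restart until the next template resend; once the template has been cached, subsequent data-only datagrams from the same source ID decode normally.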


Flow Monitors

A flow monitor references the flow record and flow exporter. You apply a flow monitor to an interface.

Samplers

Cisco NX-OS supports sampled NetFlow. This feature samples incoming packets on an interface. Only the sampled packets then qualify to create flows.

Sampled NetFlow reduces the amount of export data sent to the collector by limiting the number of packets that create flows and the number of flows. It is essential when flows are created on a line card or external device, instead of on the forwarding engine. F2, F2e, and F3 Series modules support only sampled NetFlow.

Implementing NetFlow on F2, F2e, and F3 Series modules creates flows in the software. Too many packets trying to create or update flows can increase the load on the CPU, thereby increasing the need for a protective rate limiter. The rate limiter limits the number of packets that reach the CPU to approximately 1000 packets per second.

The sampling mode supported on F2, F2e, and F3 Series, and M Series modules is M out of N, where M packets are selected randomly out of every N packets for sampling, and only those packets can create flows.

With the F2, F2e, and F3 Series modules, you need to be aware of the scaling factor, which is the additional sampling multiplied by the configured sampling. If you overlook this factor, the rates that the collector reports will not reflect the actual traffic.

The rate limiter limits the number of packets that reach the CPU to approximately 1000 packets per second on the F2 and F2e Series modules. On the F3 Series module, rate limiting of 500 pps per ASIC (SoC) is implemented. Hence, if the F3 Series module has 6 SoCs, it rate limits to 500 x 6 = 3000 pps to the CPU per F3 Series module.

The following limitations apply to sampled NetFlow and F2 Series and F2e Series modules:

  • An additional sampling of 1:100 is applied over the configured value for F2 Series and F2e Series modules. For example, if the configured sampling is 1 in 200, the actual applied sampling is 1 in 20000. When you configure the sampler value to 1:4956, the system does not start the rate-limiter. This value is calculated based on the maximum traffic that would cross a module.
  • The accuracy of sampled NetFlow compared with traditional NetFlow depends on the configured sampling rate. If the sampling rate is 1:1, sampled NetFlow is exactly as accurate as traditional NetFlow. If the sampling rate is 1:100, sampled NetFlow is less accurate than traditional NetFlow, but it still yields statistical patterns that allow you to monitor the device.
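The sampler arithmetic described above (and repeated in the note under the mode command in the Creating a Sampler procedure) is easy to get wrong, so here is an added Python helper, not Cisco code, that computes what is actually programmed, the factor by which exported counters must be scaled back up, and whether the sampled packet rate would exceed the module's CPU rate limiter. It assumes the approximate limiter values the text gives (1000 pps for F2/F2e, 500 pps per SoC for F3), that only F2 and F2e carry the hidden 1:100 multiplier, and that the M Series creates flows in the forwarding engine without a software limiter; the per-port packet rates used in the test are invented.

```python
"""Sampled NetFlow arithmetic for Nexus 7000 line cards as described in the
text: M-out-of-N sampling, the extra 1:100 applied on F2/F2e, and the CPU
rate limiter. Added example for this page, not Cisco code. Assumptions: F3
gets no extra multiplier (the text names only F2/F2e), M Series has no
software limiter, limiter values are the guide's approximate figures."""
from dataclasses import dataclass

EXTRA_MULTIPLIER = {"M": 1, "F2": 100, "F2e": 100, "F3": 1}


def cpu_limit_pps(module, socs=6):
    """Approximate sampled-packet budget per module before the limiter drops packets."""
    if module in ("F2", "F2e"):
        return 1000
    if module == "F3":
        return 500 * socs            # 500 pps per SoC (ASIC)
    return None                      # M Series: flows are created in hardware


@dataclass
class Sampler:
    module: str
    samples: int                     # 'mode <samples> out-of <packets>'
    packets: int

    def __post_init__(self):
        if not 1 <= self.samples <= 63 or not 1 <= self.packets <= 8191:
            raise ValueError("samples must be 1-63 and packets 1-8191")
        if self.module not in EXTRA_MULTIPLIER:
            raise ValueError("unknown module type")

    @property
    def applied_packets(self):
        """N actually programmed: configured N times the hidden F2/F2e multiplier."""
        return self.packets * EXTRA_MULTIPLIER[self.module]

    @property
    def scaling_factor(self):
        """Multiply exported counters by this to estimate the unsampled traffic."""
        return self.applied_packets / self.samples

    def sampled_pps(self, port_pps):
        """Packets per second that each port contributes to flow creation."""
        return [pps * self.samples / self.applied_packets for pps in port_pps]

    def plan(self, port_pps, socs=6):
        """(sampled pps reaching the CPU, limiter budget, True if the limiter will drop samples)."""
        total = sum(self.sampled_pps(port_pps))
        limit = cpu_limit_pps(self.module, socs)
        return total, limit, (limit is not None and total > limit)


def scale_record(record, sampler):
    """Undo sampling on an exported record's counters (a statistical estimate)."""
    f = sampler.scaling_factor
    return {**record, "in_pkts": round(record["in_pkts"] * f),
            "in_bytes": round(record["in_bytes"] * f)}
```

With the text's example of 1 in 200 on an F2 module, applied_packets is 20000 and every exported byte count must be multiplied by 20000 to approximate the real volume; plan() makes visible that a fully loaded 48-port module at that setting sends far more than 1000 sampled packets per second to the CPU, so the limiter, not the sampler, decides what gets counted.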

Network Analysis Module

You can also use the Cisco Network Analysis Module (NAM) to monitor NetFlow data sources. NAM enables traffic analysis views and reports such as hosts, applications, conversations, VLAN, and QoS. See the NAM configuration example in the “Configuration Examples for NetFlow” section.

To use NAM for monitoring the Cisco Nexus 7000 NetFlow data sources, see the Cisco Nexus 7000 Series Network Analysis Module (NAM-NX1) Quick Start Guide .

High Availability

Cisco NX-OS supports stateful restarts for NetFlow. After a reboot or supervisor switchover, Cisco NX-OS applies the running configuration.

Because the flow cache is not preserved across restarts of the process and packets that come to the software during restarts cannot be processed, all of the flows during switchovers are lost and cannot be recovered.

Virtualization Support

A virtual device context (VDC) is a logical representation of a set of system resources. Within each VDC, you can configure NetFlow. By default, Cisco NX-OS places you in the default VDC and any flows that you define in this mode are only available for interfaces in the default VDC.

For information about configuring VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide .

Licensing Requirements for NetFlow

 

Product: Cisco NX-OS

License Requirement: NetFlow requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide .

Prerequisites for NetFlow

NetFlow has the following prerequisites:

  • You must understand the resources required on your device because NetFlow consumes additional memory and CPU resources.
  • If you configure VDCs, install the appropriate license and enter the desired VDC. See the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide for configuration information and the Cisco NX-OS Licensing Guide for licensing information.

Guidelines and Limitations for NetFlow

NetFlow has the following configuration guidelines and limitations:

  • You must configure a source interface. If you do not configure a source interface, the flow exporter will remain in a disabled state.
  • You must configure a valid record name for every flow monitor.
  • All of the NetFlow timeouts, except the flow timeout, are applicable only to M Series modules. The flow timeout is supported only for F2, F2e, and F3 Series modules.
  • A rollback will fail if you try to modify a record that is programmed in the hardware during a rollback.
  • Only Layer 2 NetFlow is applied on Layer 2 interfaces, and only Layer 3 NetFlow is applied on Layer 3 interfaces.
  • If you add a member to a port channel that is already configured for Layer 2 NetFlow, its NetFlow configuration is removed and the Layer 2 configuration of the port channel is added to it.
  • If you change a Layer 2 interface to a Layer 3 interface, the software removes the Layer 2 NetFlow configuration from the interface.
  • Use v9 export to see the full 32-bit SNMP ifIndex values at the NetFlow collector.
  • The maximum number of supported NetFlow entries is 512,000.
  • The Cisco Nexus 2000 Series Fabric Extender (FEX) supports a Layer 3 NetFlow configuration on FEX ports.
  • The Cisco Nexus 2000 Series FEX supports bridged NetFlow (for flows within a VLAN).
  • M1 Series modules support the configuration change from the Version 5 to Version 9 export format, but F2, F2e, and F3 Series modules do not.
  • F2, F2e, and F3 Series modules do not support the following changes:
    - Changing the fields in a record that is applied on the active monitor
    - Changing the sampling mode value on a sampler that is applied on the active monitor

  • Beginning with Cisco NX-OS Release 5.2, NetFlow is supported on switch virtual interfaces (SVIs) for F1 Series ports, if at least one M1 Series module is present. SVI NetFlow is for traffic that is routed between VLANs.
  • For M Series modules, if you apply a Layer 3 NetFlow input flow monitor to an SVI and apply a Layer 2 NetFlow input flow monitor to a Layer 2 interface such as a trunk that allows the same underlying VLAN, all input flows into both interfaces are reported by the Layer 2 NetFlow flow monitor only.
  • Beginning with Cisco NX-OS Release 6.1(2), sampled NetFlow is supported on F2 and F2e Series modules. F2, F2e, and F3 Series modules support only sampled NetFlow. Support for the F3 Series modules begins in Cisco NX-OS Release 6.2(6).
  • Sampled NetFlow for F2, F2e, and F3 Series modules is supported only in the ingress direction and is not supported on subinterfaces.
  • By default, you cannot use ingress NetFlow sampling and DHCP relay together on the same interface. However, beginning with Cisco NX-OS Release 6.2(2), you can override the default and configure these two features on the same interface using the hardware access-list resource feature bank-mapping command, after you have entered the necessary commands to enable each of these features individually. For more information on this command, see the “Configuring IP ACLs” chapter of the Cisco Nexus 7000 Series NX-OS Security Configuration Guide .
  • Beginning with Cisco NX-OS Release 6.2(2), full NetFlow is supported on the Cisco NetFlow Generation Appliance (NGA) through SPAN. Sampled NetFlow is supported on the NGA through sampled SPAN.

NetFlow has the following limitations for mixed VDCs with both M Series and F2, F2e, and F3 Series modules:

  • A VDC is classified as a mixed VDC only when it contains at least one F2e Series port or at least one F3 Series port.
  • Layer 2 NetFlow—Sampled and nonsampled NetFlow is supported on the M Series module ports, and only sampled NetFlow is supported on the F2e and F3 Series module ports.
  • Layer 3 NetFlow—Sampled and nonsampled NetFlow is supported on the M Series module ports. The F2, F2e, and F3 Series module ports come up in proxy mode and, therefore, cannot be configured as Layer 3 ports. Thus, Layer 3 NetFlow and subinterface NetFlow do not work with these ports.
  • VLANs, SVIs, and port channels—Only sampled NetFlow is supported on VLANs, SVIs, and port channels for both the M Series and F2e and F3 Series modules.
  • Subinterfaces (physical/port channels)—NetFlow configuration is blocked on the F2e and F3 Series module interfaces.
  • Dynamic configuration change is not available in the mixed VDC for the policies applied on the M Series and F2e and F3 Series modules.
  • Flow timeout applies only to the F2e and F3 Series modules. Other NetFlow timers apply to the M Series modules.
  • Egress NetFlow is completely blocked in VDCs that contain both M Series and F2e and F3 Series modules.

Default Settings for NetFlow

Table 19-1 lists the default settings for NetFlow parameters.

 

Table 19-1 Default NetFlow Parameters

Egress and ingress cache size: 512,000
Flow active timeout: 1800 seconds
Flow timeout (F2, F2e, and F3 Series modules only): 15 seconds
Flow timeout aggressive threshold: Disabled
Flow timeout fast threshold: Disabled
Flow timeout inactive: 15 seconds
Flow timeout session aging: Disabled

Configuring NetFlow

To configure NetFlow, follow these steps:


Step 1 Enable the NetFlow feature (see the “Enabling the NetFlow Feature” section).

Step 2 Define a flow record by specifying keys and fields to the flow (see the “Creating a Flow Record” section).

Step 3 Define an optional flow exporter by specifying the export format, protocol, destination, and other parameters (see the “Creating a Flow Exporter” section).

Step 4 Define a flow monitor based on the flow record and flow exporter (see the “Creating a Flow Monitor” section).

Step 5 Apply the flow monitor to a source interface, subinterface, VLAN interface (see the “Applying a Flow Monitor to an Interface” section), or a VLAN (see the “Configuring Bridged NetFlow on a VLAN” section).
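Steps 1 through 5 above fit on one screen of configuration, so the following added example (written for this page, not part of the guide) embeds a constructed excerpt covering all five steps and lints it against the guidelines in this chapter: the feature must be enabled, every record needs a match key, every exporter needs a source interface and a destination (and version 5 is flagged for its field limitations), every monitor needs a defined record and exporter, sampler values must stay within 1 to 63 out of 1 to 8191, interface commands must reference defined monitors and samplers, Layer 2 NetFlow is input only, and the active timeout must exceed the inactive one. The parser understands only the indentation style shown, and the flow timeout active/inactive command spelling is assumed rather than taken from this chapter.

```python
"""Lint a Nexus 7000 NetFlow configuration excerpt against this chapter's
guidelines. Added example, not Cisco code. The excerpt is constructed; the
'flow timeout active|inactive <seconds>' spelling is assumed, with the
guide's defaults (1800 s / 15 s) used when the commands are absent."""
import re

SAMPLE_CONFIG = """\
feature netflow
flow record Ipv4Flow
  match ipv4 source address
  match ipv4 destination address
  match ip protocol
  match transport source-port
  match transport destination-port
  collect counter bytes long
  collect counter packets long
  collect transport tcp flags
flow exporter ExportV9
  destination 192.0.2.1 use-vrf management
  source ethernet 2/2
  transport udp 9995
  version 9
    template data timeout 1200
    option exporter-stats timeout 1200
flow monitor MonitorTest
  record Ipv4Flow
  exporter ExportV9
sampler SampleTest
  mode 1 out-of 4956
interface ethernet 2/1
  ip flow monitor MonitorTest input sampler SampleTest
"""


def parse(text):
    """Group the excerpt into (top-level command, [child commands]) blocks."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())   # submode lines flatten into their parent
        else:
            blocks.append((line.strip(), []))
    return blocks


def named(blocks, prefix, idx):
    return {b[0].split()[idx]: b[1] for b in blocks if b[0].startswith(prefix)}


def audit(text, active_default=1800, inactive_default=15):
    """Return a list of findings; an empty list means every check passed."""
    blocks, out = parse(text), []
    if not any(top == "feature netflow" for top, _ in blocks):
        out.append("feature netflow is not enabled")
    records = named(blocks, "flow record ", 2)
    exporters = named(blocks, "flow exporter ", 2)
    monitors = named(blocks, "flow monitor ", 2)
    samplers = named(blocks, "sampler ", 1)
    for name, body in records.items():
        if not any(c.startswith("match ") for c in body):
            out.append(f"record {name}: needs at least one match key")
    for name, body in exporters.items():
        for kw, why in (("source ", "stays disabled without a source interface"),
                        ("destination ", "has no collector destination")):
            if not any(c.startswith(kw) for c in body):
                out.append(f"exporter {name}: {why}")
        if "version 5" in body:
            out.append(f"exporter {name}: version 5 cannot carry IPv6/Layer 2 fields and exports 16-bit IODs")
    for name, body in monitors.items():
        rec = next((c.split()[1] for c in body if c.startswith("record ")), None)
        if rec is None:
            out.append(f"monitor {name}: needs a record")
        elif rec not in records and not rec.startswith("netflow"):
            out.append(f"monitor {name}: record {rec} is not defined")
        for c in body:
            if c.startswith("exporter ") and c.split()[1] not in exporters:
                out.append(f"monitor {name}: exporter {c.split()[1]} is not defined")
    for name, body in samplers.items():
        m = next((re.fullmatch(r"mode (\d+) out-of (\d+)", c) for c in body if c.startswith("mode ")), None)
        if not m or not (1 <= int(m[1]) <= 63 and 1 <= int(m[2]) <= 8191):
            out.append(f"sampler {name}: mode must be 1-63 samples out of 1-8191 packets")
    for top, body in blocks:
        if not top.startswith("interface "):
            continue
        for c in body:
            m = re.fullmatch(r"(ip|ipv6|layer2-switched) flow monitor (\S+) (input|output)(?: sampler (\S+))?", c)
            if not m:
                continue
            if m[2] not in monitors:
                out.append(f"{top}: monitor {m[2]} is not defined")
            if m[4] and m[4] not in samplers:
                out.append(f"{top}: sampler {m[4]} is not defined")
            if m[1] == "layer2-switched" and m[3] == "output":
                out.append(f"{top}: Layer 2 NetFlow is input only")
    t = {k: int(v) for k, v in re.findall(r"^flow timeout (active|inactive) (\d+)$", text, re.M)}
    if t.get("active", active_default) <= t.get("inactive", inactive_default):
        out.append("active timeout must be greater than the inactive timeout")
    return out
```

audit(SAMPLE_CONFIG) returns no findings; removing the exporter's source line, pushing the sampler past 8191, or switching the exporter to version 5 each produces the corresponding finding, which is the check to run before a rollback or a line-card change touches an active monitor.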


 



Note Be aware that the Cisco NX-OS commands for this feature may differ from those used in Cisco IOS.


Enabling the NetFlow Feature

You must globally enable NetFlow before you can configure any flows.

Use the following command in global configuration mode to enable NetFlow:

 

Command
Purpose

feature netflow

 

Example :

switch(config)# feature netflow

Enables the NetFlow feature.

Use the following command in global configuration mode to disable NetFlow and remove all flows:

 

Command
Purpose

no feature netflow

 

Example :

switch(config)# no feature netflow

Disables the NetFlow feature. The default is disabled.

Creating a Flow Record

You can create a flow record and add keys to match on and nonkey fields to collect in the flow.

BEFORE YOU BEGIN

Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.

SUMMARY STEPS

1. config t

2. flow record name

3. (Optional) description string

4. match type

5. (Optional) collect type

6. (Optional) show flow record [ name ] [ record-name | netflow-original | netflow protocol-port | netflow { ipv4 | ipv6 } { original-input | original-output } ]

7. (Optional) copy running-config startup-config

DETAILED STEPS

 

Command
Purpose

Step 1

config t

 

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Places you in global configuration mode.

Step 2

flow record name

 

Example:

switch(config)# flow record Test

switch(config-flow-record)#

Creates a flow record and enters flow record configuration mode. You can enter up to 63 alphanumeric characters for the flow record name.

Step 3

description string

 

Example:

switch(config-flow-record)# description Ipv4Flow

(Optional) Describes this flow record as a maximum 63-character string.

Step 4

match type

 

Example:

switch(config-flow-record)# match transport destination-port

Specifies a match key. See the “Specifying the Match Parameters” section for more information on the type argument.

Step 5

collect type

 

Example:

switch(config-flow-record)# collect counter packets

(Optional) Specifies the collection field. See the “Specifying the Collect Parameters” section for more information on the type argument.

Step 6

show flow record [ name ] [ record-name | netflow-original | netflow protocol-port | netflow { ipv4 | ipv6 } { original-input | original-output } ]

 

Example:

switch(config-flow-record)# show flow record netflow protocol-port

(Optional) Displays information about NetFlow flow records. You can enter up to 63 alphanumeric characters for the flow record name.

Step 7

copy running-config startup-config

 

Example:

switch(config-flow-record)# copy running-config startup-config

(Optional) Saves this configuration change.

Specifying the Match Parameters

You must configure at least one of the following match parameters for flow records:

 

Command
Purpose

match ip { protocol | tos }

 

Example:

switch(config-flow-record)# match ip protocol

Specifies the IP protocol or ToS fields as keys.

match ipv4 { destination address | source address }

 

Example:

switch(config-flow-record)# match ipv4 destination address

Specifies the IPv4 source or destination address as a key.

match ipv6 { destination address | source address | flow-label | options }

 

Example:

switch(config-flow-record)# match ipv6 flow-label

Specifies the IPv6 source or destination address, flow label, or options as a key.

match transport { destination-port | source-port }

 

Example:

switch(config-flow-record)# match transport destination-port

Specifies the transport source or destination port as a key.

match datalink { mac source-address | mac destination-address | ethertype | vlan }

 

Example:

switch(config-flow-record)# match datalink ethertype

Specifies the Layer 2 attribute as a key.

Specifying the Collect Parameters

The following collect parameters for flow records are optional:

 

Command
Purpose

collect counter { bytes | packets } [ long ]

 

Example:

switch(config-flow-record)# collect counter packets

Collects packet or byte counters for the flow. The long keyword selects 64-bit counters.

collect flow { direction | sampler id }

 

Example:

switch(config-flow-record)# collect flow direction

Collects the direction of the flow or the sampler identifier used for the flow.

collect interface {input | output}

 

Example:

switch(config-flow-record)# collect interface input

Collects the input or output interface attribute.

collect routing { destination | source } as [ peer ]

 

Example:

switch(config-flow-record)# collect routing destination as

Collects the source or destination AS number of the local device or the peer.

collect routing forwarding-status

 

Example:

switch(config-flow-record)# collect routing forwarding-status

Triggers the creation of an additional flow monitor on M1 Series modules for collecting the denied flows.

collect routing next-hop address ipv4 [ bgp ]

 

Example:

switch(config-flow-record)# collect routing next-hop address ipv4

Collects the next-hop IPv4 address.

collect routing next-hop address ipv6 [ bgp ]

 

Example:

switch(config-flow-record)# collect routing next-hop address ipv6

Collects the next-hop IPv6 address.

collect timestamp sys-uptime { first | last }

 

Example:

switch(config-flow-record)# collect timestamp sys-uptime last

Collects the system up time for the first or last packet in the flow.

collect transport tcp flags

 

Example:

switch(config-flow-record)# collect transport tcp flags

Collects the TCP transport layer flags for the packets in the flow.

Creating a Flow Exporter

You can create a flow exporter to define the export parameters for a flow.

BEFORE YOU BEGIN

Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.

SUMMARY STEPS

1. config t

2. flow exporter name

3. destination { ipv4-address | ipv6-address } [ use-vrf name ]

4. source interface-type slot/port

5. version { 5 | 9 }

6. (Optional) show flow exporter [ name ]

7. (Optional) copy running-config startup-config

DETAILED STEPS

 

Command
Purpose

Step 1

config t

 

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Places you in global configuration mode.

Step 2

flow exporter name

 

Example:

switch(config)# flow exporter ExportTest

switch(config-flow-exporter)#

Creates a flow exporter and enters flow exporter configuration mode. You can enter up to 63 alphanumeric characters for the flow exporter name.

Step 3

destination { ipv4-address | ipv6-address } [ use-vrf name ]

 

Example:

switch(config-flow-exporter)# destination 192.0.2.1

Sets the destination IPv4 or IPv6 address for this flow exporter. You can optionally configure the VRF to use to reach the NetFlow collector.

You can enter up to 32 alphanumeric characters for the VRF name.

Step 4

source interface-type slot/port

 

Example:

switch(config-flow-exporter)# source ethernet 2/1

Specifies the interface to use to reach the NetFlow collector at the configured destination.

Step 5

version { 5 | 9 }

 

Example:

switch(config-flow-exporter)# version 9

switch(config-flow-exporter-version-9)#

Specifies the NetFlow export version. Version 9 enters the export version configuration submode.

Step 6

show flow exporter [ name ]

 

Example:

switch(config-flow-exporter)# show flow exporter

(Optional) Displays information about NetFlow flow exporters. You can enter up to 63 alphanumeric characters for the flow exporter name.

Step 7

copy running-config startup-config

 

Example:

switch(config-flow-exporter)# copy running-config startup-config

(Optional) Saves this configuration change.

You can optionally configure the following parameters for flow exporters:

 

Command
Purpose

description string

 

Example:

switch(config-flow-exporter)# description ExportV9

Describes this flow exporter as a maximum 63-character string.

dscp value

 

Example:

switch(config-flow-exporter)# dscp 0

Specifies the differentiated services codepoint value. The range is from 0 to 63.

transport udp port

 

Example:

switch(config-flow-exporter)# transport udp 200

Specifies the UDP port to use to reach the NetFlow collector. The range is from 0 to 65535.

Note If you do not configure the UDP port, 9995 is selected as the default.

You can optionally configure the following parameters in flow exporter version configuration submode:

 

Command
Purpose

option { exporter-stats | interface-table | sampler-table } timeout seconds

 

Example:

switch(config-flow-exporter-version-9)# option exporter-stats timeout 1200

Sets the flow exporter resend timer. The range is from 1 to 86400 seconds.

Note On the F2 and F2e Series modules, the sampler rate that you configure is not the sampler rate that is applied in the hardware. There is an additional multiplier of 100. For example, when you configure the sampler rate for 150, the system applies a multiplier of 100, which yields a rate of 15000.

template data timeout seconds

 

Example:

switch(config-flow-exporter-version-9)# template data timeout 1200

Sets the template data resend timer. The range is from 1 to 86400 seconds.

Creating a Flow Monitor

You can create a flow monitor and associate it with a flow record and a flow exporter.

BEFORE YOU BEGIN

Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.

SUMMARY STEPS

1. config t

2. flow monitor name

3. (Optional) description string

4. (Optional) exporter name

5. record { name | netflow-original | netflow protocol-port | netflow { ipv4 | ipv6 } { original-input | original-output }}

6. (Optional) show flow monitor [ name ]

7. (Optional) copy running-config startup-config

DETAILED STEPS

 

Command
Purpose

Step 1

config t

 

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Places you in global configuration mode.

Step 2

flow monitor name

 

Example:

switch(config)# flow monitor MonitorTest

switch(config-flow-monitor)#

Creates a flow monitor and enters flow monitor configuration mode. You can enter up to 63 alphanumeric characters for the flow monitor name.

Step 3

description string

 

Example:

switch(config-flow-monitor)# description Ipv4Monitor

(Optional) Describes the flow monitor with an alphanumeric string up to 63 characters.

Step 4

exporter name

 

Example:

switch(config-flow-monitor)# exporter Exportv9

(Optional) Associates a flow exporter with this flow monitor. You can enter up to 63 alphanumeric characters for the exporter name.

Step 5

record { name | netflow-original | netflow protocol-port | netflow { ipv4 | ipv6 } { original-input | original-output }}

 

Example:

switch(config-flow-monitor)# record IPv4Flow

Associates a flow record with the specified flow monitor. You can enter up to 63 alphanumeric characters for the record name.

Step 6

show flow monitor [ name ]

 

Example:

switch(config-flow-monitor)# show flow monitor

(Optional) Displays information about NetFlow flow monitors. You can enter up to 63 alphanumeric characters for the flow monitor name.

Step 7

copy running-config startup-config

 

Example:

switch(config-flow-monitor)# copy running-config startup-config

(Optional) Saves this configuration change.

Creating a Sampler

You can create a sampler to define the NetFlow sampling rate for a flow.

BEFORE YOU BEGIN

Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.

SUMMARY STEPS

1. config t

2. sampler name

3. (Optional) description string

4. mode samples out-of packets

5. (Optional) show sampler [ name ]

6. (Optional) copy running-config startup-config

DETAILED STEPS

 

Command
Purpose

Step 1

config t

 

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Places you in global configuration mode.

Step 2

sampler name

 

Example:

switch(config)# sampler SampleTest

switch(config-flow-sampler)#

Creates a sampler and enters flow sampler configuration mode. You can enter up to 63 alphanumeric characters for the sampler name.

Step 3

description string

 

Example:

switch(config-flow-sampler)# description Samples

(Optional) Describes the sampler with an alphanumeric string up to 63 characters.

Step 4

mode samples out-of packets

 

Example:

switch(config-flow-sampler)# mode 1 out-of 100

Defines the number of samples to take per the number of packets received. The samples range is from 1 to 63, and the packets range is from 1 to 8191 packets.

Note For F2 Series and F2e Series modules, an additional sampling of 1:100 is applied over the configured value. For example, if the configured sampling is 1 in 800, the actual applied sampling is 1 in 80000. With this always-enabled additional 1:100 sampling, the packets range for all F2 Series and F2e Series module ports is from 1 to 819100. The recommended sampler is 1 in 4956, per physical interface. Depending on the traffic, rate limiting might occur beyond this sampling rate.

Step 5

show sampler [ name ]

 

Example:

switch(config-flow-sampler)# show sampler

(Optional) Displays information about NetFlow samplers. You can enter up to 63 alphanumeric characters for the sampler name.

Step 6

copy running-config startup-config

 

Example:

switch(config-flow-sampler)# copy running-config startup-config

(Optional) Saves this configuration change.

Applying a Flow Monitor to an Interface

You can apply a flow monitor and an optional sampler to an interface.

BEFORE YOU BEGIN

Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.

SUMMARY STEPS

1. config t

2. interface interface-type slot/port

3. ip flow monitor name { input | output } [ sampler name ]

4. ipv6 flow monitor name { input | output } [ sampler name ]

5. layer2-switched flow monitor name input [ sampler name ]

6. (Optional) show flow interface [ interface-type slot/port ]

7. (Optional) copy running-config startup-config

DETAILED STEPS

 

Command
Purpose

Step 1

config t

 

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Places you in global configuration mode.

Step 2

interface interface-type slot/port

 

Example:

switch(config)# interface ethernet 2/1

switch(config-if)#

Enters interface configuration mode. The interface type can be Ethernet (including subinterfaces), port channel, VLAN, VLAN interface, or tunnel.

Step 3

ip flow monitor name { input | output } [ sampler name ]

 

Example:

switch(config-if)# ip flow monitor MonitorTest input

Associates an IPv4 flow monitor and an optional sampler to the interface for input or output packets. You can enter up to 63 alphanumeric characters for the flow monitor name and the sampler name.

Step 4

ipv6 flow monitor name { input | output } [ sampler name ]

 

Example:

switch(config-if)# ipv6 flow monitor MonitorTest input

Associates an IPv6 flow monitor and an optional sampler to the interface for input or output packets. You can enter up to 63 alphanumeric characters for the flow monitor name and the sampler name.

Step 5

layer2-switched flow monitor name input [ sampler name ]

 

Example:

switch(config-if)# layer2-switched flow monitor MonitorTest input

Associates a Layer 2-switched flow monitor and an optional sampler to the interface for input packets. You can enter up to 63 alphanumeric characters for the flow monitor name and the sampler name.

Step 6

show flow interface [ interface-type slot/port ]

 

Example:

switch(config-if)# show flow interface

(Optional) Displays information about NetFlow on an interface.

Step 7

copy running-config startup-config

 

Example:

switch(config-if)# copy running-config startup-config

(Optional) Saves this configuration change.

Configuring Bridged NetFlow on a VLAN

You can apply a flow monitor and an optional sampler to a VLAN.

BEFORE YOU BEGIN

Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.

SUMMARY STEPS

1. config t

2. vlan configuration vlan-id

3. {ip | ipv6} flow monitor name { input | output } [ sampler name ]

4. (Optional) copy running-config startup-config

DETAILED STEPS

 

Command
Purpose

Step 1

config t

 

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Places you in global configuration mode.

Step 2

vlan configuration vlan-id

 

Example:

switch(config)# vlan configuration 30
switch(config-vlan-config)#

Enters VLAN configuration mode. The vlan-id range is from 1 to 3967 or from 4048 to 4093.

Note VLAN configuration mode enables you to configure VLANs independently of their creation, which is required for VTP client support.

Step 3

{ip | ipv6} flow monitor name { input | output } [ sampler name ]

 

Example:

switch(config-vlan-config)# ip flow monitor MonitorTest input

Associates a flow monitor and an optional sampler to the VLAN for input or output packets. You can enter up to 63 alphanumeric characters for the flow monitor name and the sampler name.

Step 4

copy running-config startup-config

 

Example:

switch(config-vlan-config)# copy running-config startup-config

(Optional) Saves this configuration change.

Configuring Layer 2 NetFlow

You can define Layer 2 keys in flexible NetFlow records that you can use to capture flows in Layer 2 interfaces. The Layer 2 keys are as follows:

  • Source and destination MAC addresses
  • Source VLAN ID
  • EtherType from the Ethernet frame

You can apply Layer 2 NetFlow to the following interfaces for the ingress direction:

  • Switch ports in access mode
  • Switch ports in trunk mode
  • Layer 2 port channels

Note You cannot apply Layer 2 NetFlow to VLANs, egress interfaces, or Layer 3 interfaces such as VLAN interfaces.


BEFORE YOU BEGIN

Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.

SUMMARY STEPS

1. config t

2. flow record name

3. match datalink { mac source-address | mac destination-address | ethertype | vlan }

4. interface { ethernet slot/port | port-channel number }

5. switchport

6. mac packet-classify

7. layer2-switched flow monitor flow-name input [ sampler sampler-name ]

8. (Optional) show flow record netflow layer2-switched input

9. (Optional) copy running-config startup-config

DETAILED STEPS

 

Command
Purpose

Step 1

config t

 

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Places you in global configuration mode.

Step 2

flow record name

 

Example:

switch(config)# flow record L2_record

Enters flow record configuration mode. You can enter up to 63 alphanumeric characters for the flow record name.

For more information about configuring flow records, see the “Creating a Flow Record” section.

Step 3

match datalink { mac source-address | mac destination-address | ethertype | vlan }

 

Example:

switch(config-flow-record)# match datalink ethertype

 

Specifies the Layer 2 attribute as a key.

Step 4

interface { ethernet slot/port | port-channel number }

 

Example 1:

switch(config)# interface ethernet 2/1

switch(config-if)#

 

Example 2:

switch(config)# interface port-channel 8

switch(config-if)#

Enters interface configuration mode. The interface type can be a physical Ethernet port or a port channel.

Step 5

switchport

 

Example:

switch(config-if)# switchport

Changes the interface to a Layer 2 physical interface.

For information about configuring switch ports, see the Cisco Nexus 7000 Series NX-OS Layer 2 Switching Configuration Guide .

Step 6

mac packet-classify

 

Example:

switch(config-if)# mac packet-classify

Forces MAC classification of packets.

For more information about using the mac packet-classify command, see the Cisco Nexus 7000 Series NX-OS Security Configuration Guide .

Note You must use this command to capture flows.

Step 7

layer2-switched flow monitor flow-name input [ sampler sampler-name ]

 

Example:

switch(config-if)# layer2-switched flow monitor L2_monitor input sampler L2_sampler

Associates a flow monitor and an optional sampler to the switch port input packets.

Step 8

show flow record netflow layer2-switched input

 

Example:

switch(config-if)# show flow record netflow layer2-switched input

(Optional) Displays information about the Layer 2 NetFlow default record.

Step 9

copy running-config startup-config

 

Example:

switch(config-if)# copy running-config startup-config

(Optional) Saves this configuration change.

Configuring NetFlow Timeouts

You can optionally configure global NetFlow timeouts that apply to all flows.


Note Only the flow timeout seconds command is supported for F2, F2e, and F3 Series modules. All of the other NetFlow timeout commands are supported only for M Series modules.


Use the following commands in global configuration mode to configure NetFlow timeout parameters:

 

Command
Purpose

flow timeout active seconds

 

Example:

switch(config)# flow timeout active 90

Sets the active timeout value in seconds for M Series modules. The range is from 60 to 4092. The default is 1800.

Note The value of the active timeout should always be greater than that of the inactive timeout.

flow timeout aggressive threshold percent

 

Example:

switch(config)# flow timeout aggressive threshold 90

For M Series modules, enables aggressive aging and sets the percentage of NetFlow table utilization at which aggressive aging starts. The range is from 50 to 99. The default is disabled.

flow timeout fast seconds threshold packets

 

Example:

switch(config)# flow timeout fast 40 threshold 1200

For M Series modules, enables a fast timeout and sets a packet threshold: a flow that has not reached this number of packets expires after the fast timeout, while a flow that reaches it is not expired by the fast timeout. The fast timeout range in seconds is from 32 to 512. The packet range is from 1 to 4000. The default is disabled.

flow timeout seconds

 

Example:

switch(config)# flow timeout 90

Sets the flush timeout value in seconds for F2, F2e, and F3 Series modules. The range is from 1 to 60 seconds.

flow timeout inactive seconds

 

Example:

switch(config)# flow timeout inactive 900

Sets the inactive timeout value in seconds for M Series modules. The range is from 15 to 4092. The default is 15.

flow timeout session

 

Example:

switch(config)# flow timeout session

Enables TCP session aging for M Series modules. The default is disabled.
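The sampler ranges in Step 4 of "Creating a Sampler" (including the always-on 1:100 multiplier on F2 and F2e ports) and the timeout rules in the table above are easy to get wrong in a running-config, and the switch does not warn when the active timeout is lower than the inactive one. The following checker is an added example, not part of this guide or of NX-OS; it applies the limits quoted in this chapter to a constructed config fragment, and the function and constant names are assumptions.

```python
import re

# Limits quoted from this chapter's sampler and timeout tables (this checker is an added example).
SAMPLES_MAX, PACKETS_MAX = 63, 8191
F2_EXTRA_SAMPLING = 100                      # always-on 1:100 on F2/F2e module ports
TIMEOUT_RANGES = {"active": (60, 4092), "inactive": (15, 4092)}   # M Series, seconds

def effective_sampling(samples, packets, module="M"):
    """Return the (samples, packets) ratio actually applied to a port on the given module."""
    if not (1 <= samples <= SAMPLES_MAX and 1 <= packets <= PACKETS_MAX):
        raise ValueError(f"mode {samples} out-of {packets}: ranges are 1-{SAMPLES_MAX} / 1-{PACKETS_MAX}")
    if module in ("F2", "F2e"):
        return samples, packets * F2_EXTRA_SAMPLING   # 1 in 800 becomes 1 in 80000
    return samples, packets

def lint_netflow_config(config, module="M"):
    """Check sampler 'mode' and 'flow timeout' lines against the documented ranges and rules."""
    findings, timeouts = [], {}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"mode (\d+) out-of (\d+)", line):
            try:
                effective_sampling(int(m[1]), int(m[2]), module)
            except ValueError as err:
                findings.append(str(err))
        elif m := re.fullmatch(r"flow timeout (active|inactive) (\d+)", line):
            kind, value = m[1], int(m[2])
            lo, hi = TIMEOUT_RANGES[kind]
            if not lo <= value <= hi:
                findings.append(f"flow timeout {kind} {value}: range is {lo}-{hi}")
            if module != "M":
                findings.append(f"flow timeout {kind} is supported only on M Series modules")
            timeouts[kind] = value
        elif m := re.fullmatch(r"flow timeout (\d+)", line):
            value = int(m[1])
            if not 1 <= value <= 60:
                findings.append(f"flow timeout {value}: range is 1-60")
            if module == "M":
                findings.append("flow timeout seconds applies only to F2, F2e and F3 Series modules")
    active = timeouts.get("active", 1800)      # page defaults: active 1800, inactive 15
    inactive = timeouts.get("inactive", 15)
    if active <= inactive:                     # the note under 'flow timeout active'
        findings.append(f"active timeout {active} must be greater than inactive timeout {inactive}")
    return findings

# Constructed sample: the chapter's own example values for active/inactive violate its note.
SAMPLE_CONFIG = "sampler SampleTest\n  mode 1 out-of 100\nflow timeout active 90\nflow timeout inactive 900\n"
```

Run `lint_netflow_config(SAMPLE_CONFIG)` to see the active/inactive ordering flagged; pass `module="F2"` or `module="F3"` to apply the module-specific rules instead.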

Verifying the NetFlow Configuration

To display NetFlow configuration information, perform one of the following tasks:

 

Command
Purpose

show flow exporter [ name ]

Displays information about NetFlow flow exporters and statistics. You can enter up to 63 alphanumeric characters for the flow exporter name.

show flow interface [ interface-type slot/port ]

Displays information about NetFlow interfaces.

show flow record [ name ]

Displays information about NetFlow flow records. You can enter up to 63 alphanumeric characters for the flow record name.

show flow record netflow layer2-switched input

Displays information about the Layer 2 NetFlow configuration.

show flow sw-monitor [ name name ] [ cache [ detailed ]]

Displays information about NetFlow flow monitors and statistics.

  • The cache option shows the flow of packets generated by the supervisor.
  • Use this command with the show hardware flow {ip | ipv6 } command to get all the flows on the system.

show flow timeout

Displays information about NetFlow timeouts.

show hardware flow aging [ vdc vdc_id ] [ module module ]

Displays information about NetFlow aging flows in the hardware.

show hardware flow entry address table-address type { ip | ipv6 } [ module module ]

Displays information about NetFlow table entries in the hardware.

This command is not supported for F2, F2e, and F3 Series modules.

show hardware flow {ip | ipv6} [detail | instance instance | interface type number | module module | monitor monitor_name | profile profile-id | vdc vdc_id | vlan vlan_id ] [ detail ] [ instance instance ] [ module module ]

Displays information about NetFlow IPv4 or IPv6 flows in the hardware.

show hardware flow l2 [detail | instance instance | module module | monitor monitor_name | profile profile-id | vdc vdc_id | vlan vlan_id ] [ detail ] [ instance instance ] [ module module ]

Displays information about NetFlow Layer 2 flows in the hardware.

show hardware flow sampler {all | count | index number | name sampler-name | vdc vdc_id} [ detail ] [ module module ] [ instance instance ]

Displays information about the NetFlow sampler in the hardware.

show hardware flow utilization [ module module | instance instance [ module module] ]

Displays information about NetFlow table utilization in the hardware.

show sampler [ name ]

Displays information about NetFlow samplers.

You can enter up to 63 alphanumeric characters for the sampler name.

Monitoring NetFlow

Use the show flow exporter command to display NetFlow statistics.

Use the clear flow exporter command to clear NetFlow flow exporter statistics. Use the clear flow monitor command to clear the flow monitor cache and statistics.

Configuration Examples for NetFlow

This example shows how to create a flow and apply it to an interface:

feature netflow
flow exporter ee
version 9
flow record rr
match ipv4 source address
match ipv4 destination address
collect counter bytes
collect counter packets
flow monitor foo
record rr
exporter ee
interface Ethernet2/45
ip flow monitor foo input
ip address 10.20.1.1/24
no shutdown
 

This example shows a NetFlow exporter configuration for IPv4 from the Cisco Nexus 7000 Series switch to NAM:

flow exporter pw
destination 172.20.101.87 use-vrf management
transport udp 3000
source mgmt0
version 9
 
flow record pw
match ipv4 source address
match ipv4 destination address
match ip protocol
match ip tos
match transport source-port
match transport destination-port
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect ip version
 
flow monitor pw
record pw
exporter pw
 
interface Ethernet2/9
ip flow monitor pw input
ip flow monitor pw output

Additional References for NetFlow

For additional information related to implementing NetFlow, see the following sections:

Related Documents

Related Topic
Document Title

NetFlow CLI commands

Cisco Nexus 7000 Series NX-OS System Management Command Reference

VDCs and VRFs

Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide

Cisco Network Analysis Module (NAM)

Cisco Nexus 7000 Series Network Analysis Module (NAM-NX1) Quick Start Guide

Cisco NetFlow Generation Appliance (NGA)

Command Reference Guide for Cisco NetFlow Generation Appliance

User Guide for the Cisco NetFlow Generation Appliance

Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

Feature History for NetFlow

Table 19-2 lists the release history for this feature.

 

Table 19-2 Feature History for NetFlow

Feature Name
Releases
Feature Information

NetFlow

6.2(6)

Added support for F3 Series modules.

NetFlow

6.2(2)

Added support for ingress NetFlow sampling and DHCP relay to be configured on the same interface.

NetFlow

6.2(2)

Added NAM support for NetFlow data sources.

NetFlow

6.2(2)

Added support for full NetFlow and sampled NetFlow on the Cisco NetFlow Generation Appliance (NGA).

NetFlow

6.1(2)

Added support for sampled NetFlow on F2 Series and F2e Series modules.

NetFlow

6.1(2)

Added the flow timeout seconds command for F2 Series and F2e Series modules.

NetFlow

6.0(1)

NetFlow is not supported on F2 Series modules.

NetFlow

6.0(1)

Added support for the collect routing forwarding-status command to trigger the collection of flows denied by ACL entries.

NetFlow

5.2(1)

NetFlow is supported on switch virtual interfaces (SVIs) for F1 Series ports.

Bridged NetFlow

5.1(1)

VLAN configuration mode, which enables you to configure VLANs independently of their creation, is supported when configuring bridged NetFlow on a VLAN.

See the “Configuring Bridged NetFlow on a VLAN” section.

NetFlow verification

5.0(2)

You can specify the NetFlow instance for which you want to display NetFlow IPv4 flows and NetFlow table utilization.

See the “Verifying the NetFlow Configuration” section.

Layer 2 NetFlow

4.2(1)

You can define Layer 2 keys in flexible NetFlow records that you can use to capture flows in Layer 2 interfaces.

See the “Guidelines and Limitations for NetFlow” section and the “Configuring Layer 2 NetFlow” section.

Rollback during NetFlow

4.1(3)

Rollback fails for NetFlow if, during rollback, you try to modify a record that is programmed in the hardware.

See the “Guidelines and Limitations for NetFlow” section.