Note: For Release 3.0(2), NetFlow monitoring is supported for end-host mode only.
NetFlow is a standard network protocol for collecting IP traffic data. NetFlow enables you to define a flow in terms of unidirectional IP packets that share certain characteristics. All packets that match the flow definition are then collected and exported to one or more external NetFlow collectors, where they can be further aggregated, analyzed, and used for application-specific processing.
Cisco UCS Manager uses NetFlow-capable adapters (Cisco UCS VIC 1240, Cisco UCS VIC 1280, and Cisco UCS VIC 1225) to communicate with the routers and switches that collect and export flow information.
A flow is a set of unidirectional IP packets that have common properties, such as the source or destination of the traffic, routing information, or the protocol used. Flows are collected when they match the definitions in the flow record definition.
A flow record definition contains all information about the properties used to define the flow, which can include both characteristic properties and measured properties. Characteristic properties, also called flow keys, are the properties that define the flow. Cisco UCS Manager supports IPv4, IPv6, and Layer 2 keys. Measured characteristics, also called flow values or nonkeys, are values that you can measure, such as the number of bytes contained in all packets of the flow, or the total number of packets.
A flow record definition is a specific combination of flow keys and flow values. You can use the following types of flow record definitions:
Flow exporters transfer the flows to the flow connector based on the information in a flow exporter profile. The flow exporter profile contains the networking properties used to export NetFlow packets. The networking properties include a VLAN, the source IP address, and the subnet mask for each fabric interconnect.
Note: In the Cisco UCS Manager GUI, the networking properties are defined in an exporter interface that is included in the profile. In the Cisco UCS Manager CLI, the properties are defined in the profile.
Flow collectors receive the flows from the flow exporter. Each flow collector contains an IP address, port, external gateway IP, and VLAN that defines where the flows are sent.
A flow monitor consists of a flow definition, one or two flow exporters, and a timeout policy. You can use a flow monitor to specify which flow information you want to gather, and where you want to collect it from. Each flow monitor operates in either the egress or ingress direction.
A flow monitor session contains up to four flow monitors: two flow monitors in the ingress direction and two flow monitors in the egress direction. A flow monitor session can also be associated with a vNIC.
Note: For Release 3.0(2), NetFlow monitoring is supported for end-host mode only.
The following limitations apply to NetFlow monitoring:
- NetFlow monitoring is not supported on the Cisco UCS 6100 Series Fabric Interconnect.
- NetFlow monitoring is supported only on the Cisco UCS VIC 1240, Cisco UCS VIC 1280, and Cisco UCS VIC 1225 adapters. First generation or non-Cisco VIC adapters are not supported.
- Beginning with release 2.2(3a), NetFlow monitoring is also supported on the Cisco UCS VIC 1340, Cisco UCS VIC 1380, and Cisco UCS VIC 1227 adapters.
- You can have up to 64 flow record definitions, flow exporters, and flow monitors.
- NetFlow is not supported in vNIC template objects.
- PVLANs and local VLANs are not supported for service VLANs.
- All VLANs must be public and must be common to both fabric interconnects.
- VLANs must be defined as an exporter interface before they can be used with a flow collector.
- You cannot use NetFlow with usNIC, the Virtual Machine queue, or Linux ARFS.
The following example shows how to create a flow record definition with Layer 2 keys and commit the transaction:
```
UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # enter flow-record r1
UCS-A /eth-flow-mon/flow-record* # set keytype l2keys
UCS-A /eth-flow-mon/flow-record* # set l2keys dest-mac-address src-mac-address
UCS-A /eth-flow-mon/flow-record* # set nonkeys sys-uptime counter-bytes counter-packets
UCS-A /eth-flow-mon/flow-record* # commit-buffer
UCS-A /eth-flow-mon/flow-record #
```
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCS-A# scope eth-flow-mon | Enters the ethernet flow monitor mode. |
Step 2 | UCS-A /eth-flow-mon # scope flow-profile profile-name | Enters the flow profile mode for the specified profile. |
Step 3 | UCS-A /eth-flow-mon/flow-profile # show config | Displays the flow profile configuration. |
Step 4 | UCS-A /eth-flow-mon/flow-profile # enter vlan vlan-name | Specifies the VLAN associated with the exporter profile. PVLANs and local VLANs are not supported. All VLANs must be public and must be common to both fabric interconnects. |
Step 5 | UCS-A /eth-flow-mon/flow-profile/vlan # enter fabric {a \| b} | Enters flow profile mode for the specified fabric. |
Step 6 | UCS-A /eth-flow-mon/flow-profile/vlan/fabric/ # set addr ip-addr subnet ip-addr | Specifies the source IP and subnet mask for the exporter profile on the fabric. |
Step 7 | UCS-A /eth-flow-mon/flow-profile/vlan/fabric/ # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to configure the default exporter profile, set the source IP and subnet mask for the exporter interface on each fabric, and commit the transaction:
```
UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # scope flow-profile default
UCS-A /eth-flow-mon/flow-profile # enter vlan 100
UCS-A /eth-flow-mon/flow-profile/vlan* # enter fabric a
UCS-A /eth-flow-mon/flow-profile/vlan/fabric* # set addr 10.10.10.10 subnet 255.255.255.0
UCS-A /eth-flow-mon/flow-profile/vlan/fabric* # up
UCS-A /eth-flow-mon/flow-profile/vlan* # enter fabric b
UCS-A /eth-flow-mon/flow-profile/vlan/fabric* # set addr 10.10.10.11 subnet 255.255.255.0
UCS-A /eth-flow-mon/flow-profile/vlan/fabric* # commit-buffer
UCS-A /eth-flow-mon/flow-profile/vlan/fabric #
```
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCS-A# scope eth-flow-mon | Enters the ethernet flow monitor mode. |
Step 2 | UCS-A /eth-flow-mon # enter flow-collector flow-collector-name | Enters the flow collector mode for the specified flow collector. |
Step 3 | UCS-A /eth-flow-mon/flow-collector # set dest-port port_number | Specifies the destination port for the flow collector. |
Step 4 | UCS-A /eth-flow-mon/flow-collector # set vlan vlan_id | Specifies the VLAN ID for the flow collector. |
Step 5 | UCS-A /eth-flow-mon/flow-collector # enter ip-if | Enters IPv4 configuration mode. |
Step 6 | UCS-A /eth-flow-mon/flow-collector/ip-if # set addr ip-address | Specifies the exporter IP address. |
Step 7 | UCS-A /eth-flow-mon/flow-collector/ip-if # set exporter-gw gw-address | Specifies the exporter gateway address. |
Step 8 | UCS-A /eth-flow-mon/flow-collector/ip-if # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to configure a NetFlow collector, set the exporter IP and gateway address, and commit the transaction:
```
UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # enter flow-collector c1
UCS-A /eth-flow-mon/flow-collector* # set dest-port 9999
UCS-A /eth-flow-mon/flow-collector* # set vlan vlan100
UCS-A /eth-flow-mon/flow-collector* # enter ip-if
UCS-A /eth-flow-mon/flow-collector/ip-if* # set addr 20.20.20.20
UCS-A /eth-flow-mon/flow-collector/ip-if* # set exporter-gw 10.10.10.1
UCS-A /eth-flow-mon/flow-collector/ip-if* # commit-buffer
UCS-A /eth-flow-mon/flow-collector/ip-if #
```
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCS-A# scope eth-flow-mon | Enters the ethernet flow monitor mode. |
Step 2 | UCS-A /eth-flow-mon # enter flow-exporter flow-exporter-name | Enters the flow exporter mode for the specified flow exporter. |
Step 3 | UCS-A /eth-flow-mon/flow-exporter # set dscp dscp_number | Specifies the differentiated services code point. |
Step 4 | UCS-A /eth-flow-mon/flow-exporter # set flow-collector flow-collector_name | Specifies the flow collector. |
Step 5 | UCS-A /eth-flow-mon/flow-exporter # set exporter-stats-timeout timeout_number | Specifies the timeout period for resending NetFlow flow exporter data. |
Step 6 | UCS-A /eth-flow-mon/flow-exporter # set interface-table-timeout timeout_number | Specifies the time period for resending the NetFlow flow exporter interface table. |
Step 7 | UCS-A /eth-flow-mon/flow-exporter # set template-data-timeout timeout_number | Specifies the timeout period for resending NetFlow template data. |
Step 8 | UCS-A /eth-flow-mon/flow-exporter # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to configure a flow exporter, set the timeout values, and commit the transaction:
```
UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # enter flow-exporter ex1
UCS-A /eth-flow-mon/flow-exporter* # set dscp 6
UCS-A /eth-flow-mon/flow-exporter* # set flow-collector c1
UCS-A /eth-flow-mon/flow-exporter* # set exporter-stats-timeout 600
UCS-A /eth-flow-mon/flow-exporter* # set interface-table-timeout 600
UCS-A /eth-flow-mon/flow-exporter* # set template-data-timeout 600
UCS-A /eth-flow-mon/flow-exporter* # commit-buffer
UCS-A /eth-flow-mon/flow-exporter #
```
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCS-A# scope eth-flow-mon | Enters the ethernet flow monitor mode. |
Step 2 | UCS-A /eth-flow-mon # enter flow-monitor flow-monitor-name | Enters the flow monitor mode for the specified flow monitor. |
Step 3 | UCS-A /eth-flow-mon/flow-monitor # set flow-record flow-record-name | Specifies the flow record. |
Step 4 | UCS-A /eth-flow-mon/flow-monitor # create flow-exporter flow-exporter-name | Specifies the first flow exporter. |
Step 5 | UCS-A /eth-flow-mon/flow-monitor # create flow-exporter flow-exporter-name | Specifies the second flow exporter. |
Step 6 | UCS-A /eth-flow-mon/flow-monitor # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to create a flow monitor and commit the transaction:
```
UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # enter flow-monitor m1
UCS-A /eth-flow-mon/flow-monitor* # set flow-record r1
UCS-A /eth-flow-mon/flow-monitor* # create flow-exporter ex1
UCS-A /eth-flow-mon/flow-monitor* # create flow-exporter ex2
UCS-A /eth-flow-mon/flow-monitor* # commit-buffer
UCS-A /eth-flow-mon/flow-monitor #
```
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCS-A# scope eth-flow-mon | Enters the ethernet flow monitor mode. |
Step 2 | UCS-A /eth-flow-mon # enter flow-mon-session flow-monitor-session-name | Enters the flow monitor session mode for the specified flow monitor session. |
Step 3 | UCS-A /eth-flow-mon/flow-mon-session # create flow-monitor flow-monitor-1 | Specifies the first flow monitor. |
Step 4 | UCS-A /eth-flow-mon/flow-mon-session # create flow-monitor flow-monitor-2 | Specifies the second flow monitor. |
Step 5 | UCS-A /eth-flow-mon/flow-mon-session # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to create a flow monitor session with two flow monitors:
```
UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # enter flow-mon-session s1
UCS-A /eth-flow-mon/flow-mon-session* # create flow-monitor m1
UCS-A /eth-flow-mon/flow-mon-session* # create flow-monitor m2
UCS-A /eth-flow-mon/flow-mon-session* # commit-buffer
UCS-A /eth-flow-mon/flow-mon-session #
```
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCS-A# scope eth-flow-mon | Enters the ethernet flow monitor mode. |
Step 2 | UCS-A /eth-flow-mon # scope flow-timeout timeout-name | Enters the flow timeout mode for the specified flow timeout. |
Step 3 | UCS-A /eth-flow-mon/flow-timeout # set cache-timeout-active timeout-value | Specifies the active timeout value. This value can be between 60 and 4092 seconds. The default value is 120 seconds. |
Step 4 | UCS-A /eth-flow-mon/flow-timeout # set cache-timeout-inactive timeout-value | Specifies the inactive timeout value. This value can be between 15 and 4092 seconds. The default value is 15 seconds. |
Step 5 | UCS-A /eth-flow-mon/flow-timeout # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to change the NetFlow timeout values and commit the transaction:
```
UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # scope flow-timeout default
UCS-A /eth-flow-mon/flow-timeout # set cache-timeout-active 1800
UCS-A /eth-flow-mon/flow-timeout* # set cache-timeout-inactive 20
UCS-A /eth-flow-mon/flow-timeout* # commit-buffer
UCS-A /eth-flow-mon/flow-timeout #
```
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCS-A# scope org org-name | Enters the organization mode for the specified organization. To enter the root organization mode, enter / as the org-name. |
Step 2 | UCS-A /org # scope service-profile profile-name | Enters the organization service profile mode for the specified service profile. |
Step 3 | UCS-A /org/service-profile # scope vnic vnic-name | Enters the organization service profile mode for the specified vNIC. |
Step 4 | UCS-A /org/service-profile/vnic # enter flow-mon-src flow-monitor-session-name | Associates the flow monitor session to the vNIC. |
Step 5 | UCS-A /org/service-profile/vnic # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to associate the flow monitor session s1 to the vNIC eth5:
```
UCS-A# scope org /
UCS-A /org # scope service-profile sp1
UCS-A /org/service-profile # scope vnic eth5
UCS-A /org/service-profile/vnic # enter flow-mon-src s1
UCS-A /org/service-profile/vnic # commit-buffer
```
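
The objects configured in this chapter reference one another: a collector uses an exporter-interface VLAN, an exporter names a collector, a monitor names a record and one or two exporters, and a session names monitors. The following added example, which is not part of the Cisco documentation, checks a planned object set against those dependencies and the stated timeout ranges before the commands are entered; the dictionary layout, the `validate` function, and the `direction` field are assumptions made for illustration.

```python
# Added example (not Cisco code): check a planned NetFlow object set against the
# dependencies and limits this chapter states. The dict layout is hypothetical.
TIMEOUT_RANGES = {"active": (60, 4092), "inactive": (15, 4092)}  # seconds

def validate(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    errs = []
    # A collector VLAN must already be defined as an exporter interface.
    for name, col in plan["collectors"].items():
        if col["vlan"] not in plan["exporter_vlans"]:
            errs.append(f"collector {name}: VLAN {col['vlan']} is not an exporter interface")
    for name, exp in plan["exporters"].items():
        if exp["collector"] not in plan["collectors"]:
            errs.append(f"exporter {name}: unknown collector {exp['collector']}")
    # A monitor needs an existing record and one or two existing exporters.
    for name, mon in plan["monitors"].items():
        if mon["record"] not in plan["records"]:
            errs.append(f"monitor {name}: unknown record {mon['record']}")
        if not 1 <= len(mon["exporters"]) <= 2:
            errs.append(f"monitor {name}: needs one or two exporters")
        errs += [f"monitor {name}: unknown exporter {e}"
                 for e in mon["exporters"] if e not in plan["exporters"]]
    # A session holds at most two monitors per direction.
    for name, members in plan["sessions"].items():
        errs += [f"session {name}: unknown monitor {m}"
                 for m in members if m not in plan["monitors"]]
        for direction in ("ingress", "egress"):
            count = sum(plan["monitors"][m]["direction"] == direction
                        for m in members if m in plan["monitors"])
            if count > 2:
                errs.append(f"session {name}: more than two {direction} monitors")
    for key, (lo, hi) in TIMEOUT_RANGES.items():
        if not lo <= plan["timeouts"][key] <= hi:
            errs.append(f"cache-timeout-{key} must be {lo}-{hi} seconds")
    return errs

# Constructed plan using only the objects this chapter's examples actually create.
PLAN = {
    "records": {"r1"},
    "exporter_vlans": {"vlan100"},
    "collectors": {"c1": {"vlan": "vlan100"}},
    "exporters": {"ex1": {"collector": "c1"}},
    "monitors": {"m1": {"record": "r1", "exporters": ["ex1", "ex2"], "direction": "ingress"}},
    "sessions": {"s1": ["m1", "m2"]},
    "timeouts": {"active": 1800, "inactive": 20},
}

if __name__ == "__main__":
    for problem in validate(PLAN):
        print(problem)
```

On the constructed plan, the check reports that ex2 and m2 are referenced but not defined, because the examples in this chapter create only ex1 and m1.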