Contents
- match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
- match interface (Flexible NetFlow)
- match ipv4
- match ipv4 destination
- match ipv4 fragmentation
- match ipv4 section
- match ipv4 source
- match ipv4 total-length
- match ipv4 ttl
- match ipv6
- match ipv6 destination
- match ipv6 extension map
- match ipv6 fragmentation
- match ipv6 hop-limit
- match ipv6 length
- match ipv6 section
- match ipv6 source
- match routing
- match routing is-multicast
- match routing multicast replication-factor
- match transport
- match transport icmp ipv4
- match transport icmp ipv6
- match transport tcp
- match transport udp
- mode (Flexible NetFlow)
- option (Flexible NetFlow)
- output-features
- record
- sampler
- show flow exporter
- show flow interface
- show flow monitor
- show flow monitor cache aggregate
- show flow monitor cache filter
- show flow monitor cache sort
- show flow record
- show platform flow
- show sampler
- source (Flexible NetFlow)
- statistics packet
- template data timeout
- transport (Flexible NetFlow)
- ttl (Flexible NetFlow)
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match interface (Flexible NetFlow)
To configure the input and output interfaces as key fields for a flow record, use the match interface command in flow record configuration mode. To disable the use of the input and output interfaces as key fields for a flow record, use the no form of this command.
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
Syntax Description
|
input |
Configures the input interface as a key field. |
|
physical |
(Optional) Configures the physical input interface as a key field and enables collecting the input interface from the flows. |
|
snmp |
(Optional) Configures the simple network management protocol (SNMP) index of the input interface as a key field. |
|
output |
Configures the output interface as a key field. |
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
12.2(50)SY |
This command was modified. The physical and snmpkeywords were added in Cisco IOS Release 12.2(50)SY. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the input interface as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match interface input
The following example configures the output interface as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match interface output
match ipv4
To configure one or more of the IPv4 fields as a key field for a flow record, use the matchipv4 command in flow record configuration mode. To disable the use of one or more of the IPv4 fields as a key field for a flow record, use the no form of this command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
Syntax Description
|
dscp |
Configures the IPv4 differentiated services code point (DSCP) (part of type of service (ToS)) as a key field. |
|
header-length |
Configures the IPv4 header length (in 32-bit words) as a key field. |
|
id |
Configures the IPv4 ID as a key field. |
|
option map |
Configures the bitmap representing which IPv4 options have been seen as a key field. |
|
precedence |
Configures the IPv4 precedence (part of ToS) as a key field. |
|
protocol |
Configures the IPv4 protocol as a key field. |
|
tos |
Configures the IPv4 ToS as a key field. |
|
version |
Configures the IP version from IPv4 header as a key field. |
Command Default
The use of one or more of the IPv4 fields as a key field for a user-defined flow record is not enabled by default.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
This command was integrated into Cisco IOS Release 12.2(33)SRC and implemented on the Cisco 7200 series routers. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.1(3)T |
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor with only the protocol keyword. |
|
12.2(58)SE |
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor with only the protocolkeyword. |
|
12.2(50)SY |
This command was modified. The header-length, id,optionmap, and versionkeywords were not supported in Cisco IOS Release 12.2(50)SY. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
Only the protocolkeyword is available. You must first enter theflowrecordtypeperformance-monitor command.
Examples
The following example configures the IPv4 DSCP field as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv4 dscp
match ipv4 destination
To configure the IPv4 destination address as a key field for a flow record, use the matchipv4destination command in flow record configuration mode. To disable the IPv4 destination address as a key field for a flow record, use the no form of this command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
Syntax Description
|
address |
Configures the IPv4 destination address as a key field. |
|
mask |
Configures the mask for the IPv4 destination address as a key field. |
|
prefix |
Configures the prefix for the IPv4 destination address as a key field. |
|
minimum-mask mask |
(Optional) Specifies the size, in bits, of the minimum mask. The range is 1 to 32. |
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was integrated into Cisco IOS Release 12.0(33)S and implemented on the Gigabit Switch Router (GSR). |
|
12.2(33)SRC |
This command was integrated into Cisco IOS Release 12.2(33)SRC and implemented on the Cisco 7200 series routers. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.1(3)T |
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor without the mask keyword. |
|
12.2(58)SE |
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor without the maskkeyword. |
|
12.2(50)SY |
This command was modified. The mask, prefix, and minimum-maskkeywords were not supported in Cisco IOS Release 12.2(50)SY. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
The maskkeyword is not available. You must first enter theflowrecordtypeperformance-monitor command.
Examples
The following example configures a 16-bit IPv4 destination address prefix as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv4 destination prefix minimum-mask 16
The following example specifies a 16-bit IPv4 destination address mask as a key field:
Router(config)# flow recor d F LOW-RECORD-1 Router(config-flow-record)# match ipv4 destination mask minimum-mask 16
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
The following example specifies a 16-bit IPv4 destination address mask as a key field for Cisco Performance Monitor:
Router(config)# flow recor d type performance-monitor F LOW-RECORD-1 Router(config-flow-record)# match ipv4 destination mask minimum-mask 16
match ipv4 fragmentation
To configure the IPv4 fragmentation flags and the IPv4 fragmentation offset as key fields for a flow record, use the match ipv4 fragmentation command in flow record configuration mode. To disable the use of the IPv4 fragmentation flags and the IPv4 fragmentation offset as key fields for a flow record, use the no form of this command.
Command Default
The IPv4 fragmentation flags and the IPv4 fragmentation offset arenot configured as key fields.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
match ipv4 fragmentation flags
This field matches the "don't fragment" and "more fragments" flags.
Bit 0: reserved, must be zero
Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment
Bit 2: (MF) 0 = Last Fragment,1 = More Fragments
Bits 3-7: (DC) Don't Care, value is irrelevant
0 1 2 3 4 5 6 7
+---+---+---+---+---+---+---+---+
| | D | M | D | D | D | D | D |
| 0 | F | F | C | C | C | C | C |
+---+---+---+---+---+---+---+---+
For more information on IPv4 fragmentation flags, see RFC 791, Internet Protocol at the following URL: http://www.ietf.org/rfc/rfc791.txt .
Examples
The following example configures the IPv4 fragmentation flags as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv4 fragmentation flags
The following example configures the IPv4 offset flag as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv4 fragmentation offset
match ipv4 section
To configure a section of an IPv4 packet as a key field for a flow record, use the match ipv4 section command in flow record configuration mode. To disable the use of a section of an IPv4 packet as a key field for a flow record, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
match ipv4 section header
This command uses the section of the IPv4 header indicated by the header sizeheader-size keyword and argument as a key field. Only the configured size in bytes will be matched, and part of the payload will also be matched if the configured size is larger than the size of the header.
 Note | This command can result in large records that use a large amount of router memory and export bandwidth. |
match ipv4 section payload
This command uses the section of the IPv4 payload indicated by the payload sizepayload-size keyword and argument as a key field.
Note | This command can result in large records that use a large amount of router memory and export bandwidth. |
Examples
The following example configures the first four bytes (the IPv4 version field) as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv4 section header size 4
The following example configures the first 16 bytes from the payload of the IPv4 packets in the flow as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv4 section payload size 16
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures the first 16 bytes from the payload of the IPv4 packets in the flow as a key field:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match ipv4 section payload size 16
match ipv4 source
To configure the IPv4 source address as a key field for a flow record, use the matchipv4sourcecommand in flow record configuration mode. To disable the use of the IPv4 source address as a key field for a flow record, use the no form of this command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.2(33)SRC |
This command was integrated into Cisco IOS Release 12.2(33)SRC and implemented on the Cisco 7200 series routers. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.1(3)T |
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor without the mask keyword. |
|
12.2(58)SE |
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor without the maskkeyword. |
|
12.2(50)SY |
This command was modified. The mask, prefix, and minimum-maskkeywords were not supported in Cisco IOS Release 12.2(50)SY. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
The maskkeyword is not available. You must first enter theflowrecordtypeperformance-monitor command.
match ipv4 source prefix minimum-mask
The source address prefix field is the network part of the source address. The optional minimum mask allows a more information to be gathered about large networks.
match ipv4 source mask minimum-mask
The source address mask is the number of bits that make up the network part of the source address. The optional minimum mask allows a minimum value to be configured. This command is useful when there is a minimum mask configured for the source prefix field and the mask is to be used with the prefix. In this case, the values configured for the minimum mask should be the same for the prefix and mask fields.
Alternatively, if the collector knows the minimum mask configuration of the prefix field, the mask field can be configured without a minimum mask so that the true mask and prefix can be calculated.
Examples
The following example configures a 16-bit IPv4 source address prefix as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv4 source prefix minimum-mask 16
The following example specifies a 16-bit IPv4 source address mask as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv4 source mask minimum-mask 16
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
The following example specifies a 16-bit IPv4 source address mask as a key field for Cisco Performance Monitor:
Router(config)# flow recor d type performance-monitor F LOW-RECORD-1 Router(config-flow-record)# match ipv4 source mask minimum-mask 16
match ipv4 total-length
To configure the IPv4 total-length field as a key field for a flow record, use the match ipv4 total-length command in flow record configuration mode. To disable the use of the IPv4 total-length field as a key field for a flow record, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the total-length value as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv4 total-length
match ipv4 ttl
To configure the IPv4 time-to-live (TTL) field as a key field for a flow record, use the match ipv4 ttl command in flow record configuration mode. To disable the use of the IPv4 TTL field as a key field for a flow record, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures IPv4 TTL as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv4 ttl
match ipv6
To configure one or more of the IPv6 fields as a key field for a flow record, use the match ipv6 command in flow record configuration mode. To disable the use of one or more of the IPv6 fields as a key field for a flow record, use the no form of this command.
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
Syntax Description
|
dscp |
Configures the IPv6 differentiated services code point DSCP (part of type of service (ToS)) as a key field. |
|
flow-label |
Configures the IPv6 flow label as a key field. |
|
next-header |
Configures the IPv6 next header as a key field. |
|
payload-length |
Configures the IPv6 payload length as a key field. |
|
precedence |
Configures the IPv6 precedence (part of ToS) as a key field. |
|
protocol |
Configures the IPv6 protocol as a key field. |
|
tos |
Configures the IPv6 ToS as a key field. |
|
traffic-class |
Configures the IPv6 traffic class as a key field. |
|
version |
Configures the IPv6 version from IPv6 header as a key field. |
Command History
|
Release |
Modification |
|---|---|
|
12.4(20)T |
This command was introduced. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers. |
|
12.2(50)SY |
This command was modified. The flow-label, next-header, payload-length,traffic-class,andversionkeywords were not supported in Cisco IOS Release 12.2(50)SY. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the IPv6 DSCP field as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 dscp
match ipv6 destination
To configure the IPv6 destination address as a key field for a flow record, use the match ipv6 destination command in flow record configuration mode. To disable the IPv6 destination address as a key field for a flow record, use the no form of this command.
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
Syntax Description
|
address |
Configures the IPv6 destination address as a key field. |
|
mask |
Configures the mask for the IPv6 destination address as a key field. |
|
prefix |
Configures the prefix for the IPv6 destination address as a key field. |
|
minimum-mask mask |
(Optional) Specifies the size, in bits, of the minimum mask. Range 1 to 128. |
Command History
|
Release |
Modification |
|---|---|
|
12.4(20)T |
This command was introduced. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers. |
|
12.2(50)SY |
This command was modified. The mask, prefix, and minimum-maskkeywords were not supported in Cisco IOS Release 12.2(50)SY. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures a 16-bit IPv6 destination address prefix as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 destination prefix minimum-mask 16
The following example specifies a 16-bit IPv6 destination address mask as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 destination mask minimum-mask 16
match ipv6 extension map
To configure the bitmap of the IPv6 extension header map as a key field for a flow record, use the match ipv6 extension map command in flow record configuration mode. To disable the use of the IPv6 bitmap of the IPv6 extension header map as a key field for a flow record, use the no form of this command.
Command Default
The use of the bitmap of the IPv6 extension header map as a key field for a user-defined flow record is not enabled by default.
Command History
|
Release |
Modification |
|---|---|
|
12.4(20)T |
This command was introduced. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Bitmap of the IPv6 Extension Header Map
The bitmap of IPv6 extension header map is made up of 32 bits.
0 1 2 3 4 5 6 7
+-----+-----+-----+-----+-----+-----+-----+-----+
| Res | FRA1| RH | FRA0| UNK | Res | HOP | DST |
+-----+-----+-----+-----+-----+-----+-----+-----+
8 9 10 11 12 13 14 15
+-----+-----+-----+-----+-----+-----+-----+-----+
| PAY | AH | ESP | Reserved |
+-----+-----+-----+-----+-----+-----+-----+-----+
16 17 18 19 20 21 22 23
+-----+-----+-----+-----+-----+-----+-----+-----+
| Reserved |
+-----+-----+-----+-----+-----+-----+-----+-----+
24 25 26 27 28 29 30 31
+-----+-----+-----+-----+-----+-----+-----+-----+
| Reserved |
+-----+-----+-----+-----+-----+-----+-----+-----+
0 Res Reserved
1 FRA1 Fragmentation header - not first fragment
2 RH Routing header
3 FRA0 Fragment header - first fragment
4 UNK Unknown Layer 4 header
(compressed, encrypted, not supported)
5 Res Reserved
6 HOP Hop-by-hop option header
7 DST Destination option header
8 PAY Payload compression header
9 AH Authentication Header
10 ESP Encrypted security payload
11 to 31 Reserved
For more information on IPv6 headers, refer to RFC 2460 Internet Protocol, Version 6 (IPv6) at the following URL: http://www.ietf.org/rfc/rfc2460.txt .
Examples
The following example configures the IPv6 bitmap of the IPv6 extension header map of the packets in the flow as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 extension map
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures the IPv6 bitmap of the IPv6 extension header map of the packets in the flow as a key field:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match ipv6 extension map
match ipv6 fragmentation
To configure one or more of the IPv6 fragmentation fields as a key field for a flow record, use the match ipv6 fragmentation command in flow record configuration mode. To disable the use of the IPv6 fragmentation field as a key field for a flow record, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.4(20)T |
This command was introduced. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the IPv6 fragmentation flags a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 fragmentation flags
The following example configures the IPv6 offset value a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 fragmentation offset
match ipv6 hop-limit
To configure the IPv6 hop limit as a key field for a flow record, use the match ipv6 hop-limit command in flow record configuration mode. To disable the use of a section of an IPv6 packet as a key field for a flow record, use the no form of this command.
Command Default
The use of the IPv6 hop limit as a key field for a user-defined flow record is not enabled by default.
Command History
|
Release |
Modification |
|---|---|
|
12.4(20)T |
This command was introduced. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the hop limit of the packets in the flow as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 hop-limit
match ipv6 length
To configure one or more of the IPv6 length fields as a key field for a flow record, use the match ipv6 length command in flow record configuration mode. To disable the use of the IPv6 length field as a key field for a flow record, use the no form of this command.
Syntax Description
|
header |
Configures the length in bytes of the IPv6 header, not including any extension headers as a key field. |
|
payload |
Configures the length in bytes of the IPv6 payload, including any extension header as a key field. |
|
total |
Configures the total length in bytes of the IPv6 header and payload as a key field. |
Command History
|
Release |
Modification |
|---|---|
|
12.4(20)T |
This command was introduced. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the length of the IPv6 header in bytes, not including any extension headers, as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 length header
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures the length of the IPv6 header in bytes, not including any extension headers, as a key field:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match ipv6 length header
match ipv6 section
To configure a section of an IPv6 packet as a key field for a flow record, use the match ipv6 section command in flow record configuration mode. To disable the use of a section of an IPv6 packet as a key field for a flow record, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.4(20)T |
This command was introduced. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
match ipv6 section header
This command uses the section of the IPv6 header indicated by the headersizeheader-size keyword and argument as a key field. Only the configured size in bytes will be matched, and part of the payload will also be matched if the configured size is larger than the size of the header.
Note | This command can result in large records that use a large amount of router memory and export bandwidth. |
match ipv6section payload
This command uses the section of the IPv6 payload indicated by the payloadsizepayload-size keyword and argument as a key field.
Note | This command can result in large records that use a large amount of router memory and export bandwidth. |
Examples
The following example configures the first four bytes (the IP version field) from the IPv6 header of the packets in the flows as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 section header size 4
The following example configures the first 16 bytes from the payload of the IPv6 packets in the flows as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 section payload size 16
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures the first 16 bytes from the payload of the IPv6 packets in the flows as a key field:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match ipv6 section payload size 16
match ipv6 source
To configure the IPv6 source address as a key field for a flow record, use the match ipv6 sourcecommand in flow record configuration mode. To disable the use of the IPv6 source address as a key field for a flow record, use the no form of this command.
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
Command History
|
Release |
Modification |
|---|---|
|
12.4(20)T |
This command was introduced. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers. |
|
12.2(50)SY |
This command was modified. The mask, prefix, and minimum-maskkeywords were not supported in Cisco IOS Release 12.2(50)SY. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures a 16-bit IPv6 source address prefix as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 source prefix minimum-mask 16
The following example specifies a 16-bit IPv6 source address mask as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 source mask minimum-mask 16
match routing
To configure one or more of the routing fields as a key field for a flow record, use the match routing command in flow record configuration mode. To disable the use of one or more of the routing fields as a key field for a flow record, use the no form of this command.
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
Syntax Description
|
destination |
Specifies one or more of the destination routing attributes fields as a key field. |
|
source |
Specifies one or more of the source routing attributes fields as a key field. |
|
as |
Configures the autonomous system field as a key field. |
|
4-octet |
(Optional) Configures the 32-bit autonomous system number as a key field. |
|
peer |
(Optional) Configures the autonomous system number of the peer network as a key field. |
|
traffic-index |
Configures the Border Gateway Protocol (BGP) destination traffic index as a key field. |
|
forwarding-status |
Configures the forwarding status of the packet as a key field. |
|
next-hop address |
Configures the next hop address value as a key field. The type of address (IPv4 or IPv6) is determined by the next keyword entered. |
|
ipv4 |
Specifies that the next-hopaddress value is an IPv4 address. |
|
ipv6 |
Specifies that the next-hopaddress value is an IPv6 address. |
|
bgp |
(Optional) Configures the IPv4 address of the BGP next hop as a key field. |
|
vrf input |
Configures the virtual routing and forwarding (VRF) ID for incoming packets as a key field. |
Command Default
The use of one or more of the routing fields as a key field for a user-defined flow record is disabled.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.4(20)T |
The ipv6 keyword was added in Cisco IOS Release 12.4(20)T. |
|
15.0(1)M |
This command was modified. The vrf input keywords were added in Cisco IOS Release 15.0(1)M. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
Cisco IOS Release XE 3.2S |
This command was modified. The 4-octet keyword was added. |
|
12.2(50)SY |
This command was modified. The vrfinputkeywords are the only keywords supported in Cisco IOS Release 12.2(50)SY. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
match routing source as [peer]
This command matches the 16-bit autonomous system number based on a lookup of the router's routing table using the source IP address. The optional peer keyword provides the expected next network, as opposed to the originating network.
match routing source as 4-octet [ 4-octet peer]
This command matches the 32-bit autonomous system number based on a lookup of the router's routing table using the source IP address. The optional peer keyword provides the expected next network, as opposed to the originating network.
match routing destination as [peer]
This command matches the 16-bit autonomous system number based on a lookup of the router's routing table using the destination IP address. The peer keyword will provide the expected next network as opposed to the destination network.
match routing destination as 4-octet [ 4-octet peer]
This command matches the 32-bit autonomous system number based on a lookup of the router's routing table using the destination IP address. The peer keyword will provide the expected next network as opposed to the destination network.
match routing destination traffic-index
This command matches the traffic-index field based on the destination autonomous system for this flow. The traffic-index field is a value propagated through BGP.
This command is not supported for IPv6.
match routing source traffic-index
This command matches the traffic-index field based on the source autonomous system for this flow. The traffic-index field is a value propagated through BGP.
This command is not supported for IPv6.
match routing forwarding-status
This command matches a field to indicate if the packets were successfully forwarded. The field is in two parts and may be up to 4 bytes in length. For the releases specified in the Command History table, only the status field is used:
+-+-+-+-+-+-+-+-+
| S | Reason |
| t | codes |
| a | or |
| t | flags |
| u | |
| s | |
+-+-+-+-+-+-+-+-+
0 1 2 3 4 5 6 7
Status:
00b=Unknown, 01b = Forwarded, 10b = Dropped, 11b = Consumed
match routing vrf input
This command matches the VRF ID from incoming packets on a router. In the case where VRFs are associated with an interface via methods such as VRF Selection Using Policy Based Routing/Source IP Address, a VRF ID of 0 will be recorded. If a packet arrives on an interface that does not belong to a VRF, a VRF ID of 0 is recorded.
Examples
The following example configures the source autonomous system as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match routing source as
The following example configures the destination autonomous system as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match routing destination as
The following example configures the BGP source traffic index as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match routing source traffic-index
The following example configures the forwarding status as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match routing forwarding-status
The following example configures the VRF ID for incoming packets as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match routing vrf input
match routing is-multicast
To configure the use of the is-multicast field (indicating that the IPv4 traffic is multicast traffic) as a key field for a flow record, use the match routing is-multicast command in flow record configuration mode. To disable the use of the is-multicast field as a key field for a flow record, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.4(22)T |
This command was introduced. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
Examples
The following example configures the is-multicast field as a key field for a flow record:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match routing is-multicast
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures the is-multicast field as a key field for a Performance Monitor flow record:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match routing multicast replication-factor
match routing multicast replication-factor
To configure the multicast replication factor value for IPv4 traffic as a key field for a flow record, use the match multicast replication-factorcommand in flow record configuration mode. To disable the use of the multicast replication factor value as a key field for a flow record, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.4(22)T |
This command was introduced. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
When the replication-factor field is used in a flow record, it will only have a non-zero value in the cache for ingress multicast traffic that is forwarded by the router. If the flow record is used with a flow monitor in output (egress) mode or to monitor unicast traffic or both, the cache data for the replication factor field is set to 0.
Examples
The following example configures the multicast replication factor value as a key field for a flow record:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match routing multicast replication-factor
match transport
To configure one or more of the transport fields as a key field for a flow record, use the match transport command in flow record configuration mode. To disable the use of one or more of the transport fields as a key field for a flow record, use the no form of this command.
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
12.2(50)SY |
This command was modified. The igmptypekeywords were not supported in Cisco IOS Release 12.2(50)SY. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the destination port as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport destination-port
The following example configures the source port as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport source-port
match transport icmp ipv4
To configure the ICMP IPv4 type field and the code field as key fields for a flow record, use the match transport icmp ipv4 command in flow record configuration mode. To disable the use of the ICMP IPv4 type field and code field as key fields for a flow record, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2 |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the IPv4 ICMP code field as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport icmp ipv4 code
The following example configures the IPv4 ICMP type field as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport icmp ipv4 type
match transport icmp ipv6
To configure the internet control message protocol ICMP IPv6 type field and the code field as key fields for a flow record, use the match transport icmp ipv6 command in flow record configuration mode. To disable the use of the ICMP IPv6 type field and code field as key fields for a flow record, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.4(20)T |
This command was introduced. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A Flow Record requires at least one key field before it can be used in a Flow Monitor. The Key fields differentiate Flows, with each flow having a unique set of values for the key fields. The Key fields are defined using the match command.
Examples
The following example configures the IPv6 ICMP code field as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport icmp ipv6 code
The following example configures the IPv6 ICMP type field as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport icmp ipv6 type
match transport tcp
To configure one or more of the TCP fields as a key field for a flow record, use the match transport tcp command in flow record configuration mode. To disable the use of a TCP field as a key field for a flow record, use the no form of this command.
see collect
Syntax Description
|
acknowledgement -number |
Configures the TCP acknowledgement number as a key field. |
|
destination-port |
Configures the TCP destination port as a key field. |
|
flags |
Configures one or more of the TCP flags as a key field. If you configure the flags keyword you must also configure at least one of the optional keywords for the flags keyword. |
|
ack |
(Optional) Configures the TCP acknowledgement flag as a key field. |
|
cwr |
(Optional) Configures the TCP congestion window reduced flag as a key field. |
|
ece |
(Optional) Configures the TCP Explicit Notification Congestion echo (ECE) flag as a key field. |
|
fin |
(Optional) Configures the TCP finish flag as a key field. |
|
psh |
(Optional) Configures the TCP push flag as a key field. |
|
rst |
(Optional) Configures the TCP reset flag as a key field. |
|
syn |
(Optional) Configures the TCP synchronize flag as a key field. |
|
urg |
(Optional) Configures the TCP urgent flag as a key field. |
|
header-length |
Configures the TCP header length (in 32-bit words) as a key field. |
|
sequence-number |
Configures the TCP sequence number as a key field. |
|
source-port |
Configures the TCP source port as a key field. |
|
urgent-pointer |
Configures the TCP urgent pointer as a key field. |
|
window-size |
Configures the TCP window size as a key field. |
Command Default
The use of one or more of the TCP fields as a key field for a user-defined flow record is not enabled by default.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the TCP acknowledgement flag as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport tcp flags ack
The following example configures the TCP finish flag as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport tcp flags fin
The following example configures the TCP reset flag as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport tcp flags rst
The following example configures the transport destination port as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport tcp destination-port
The following example configures the transport source port as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport tcp source-port
match transport udp
To configure one or more of the user datagram protocol UDP fields as a key field for a Flexible NetFlow flow record, use the match transport udp command in Flexible NetFlow flow record configuration mode. To disable the use of a UDP field as a key field for a Flexible NetFlow flow record, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor. |
|
Cisco IOS XE Release 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor. |
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the UDP destination port as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport udp destination-port
The following example configures the UDP message length as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport udp message-length
The following example configures the UDP source port as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport udp source-port
mode (Flexible NetFlow)
To specify the type of sampling and the packet interval for a Flexible NetFlow sampler, use the mode command in Flexible NetFlow sampler configuration mode. To unconfigure the type of sampling and the packet interval for a Flexible NetFlow sampler, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
12.2(50)SY |
This command was integrated into Cisco IOS Release 12.2(50)SY. |
Usage Guidelines
Deterministic Mode
In deterministic mode, packets are chosen periodically based on the configured interval. This mode has less overhead than random mode and can be useful when the router samples traffic that is random in nature. For more information about determinstic sampling, refer to the "Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic" module in the Cisco IOS Flexible NetFlow Configuration Guide at the following URL: http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/use_fnflow_redce_cpu.html.
Random Mode
In random mode, packets are chosen in a manner that should eliminate any bias from traffic patterns and counter any attempt by users to avoid monitoring. For more information about random sampling, refer to the "Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic" module in the Cisco IOS Flexible NetFlow Configuration Guide at the following URL: http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/use_fnflow_redce_cpu.html.
Examples
The following example enables deterministic sampling with a window size of 1000:
Router(config)# sampler SAMPLER-1 Router(config-sampler)# mode deterministic 1 out-of 1000
The following example enables random sampling with a window size of 1000:
Router(config)# sampler SAMPLER-1 Router(config-sampler)# mode random 1 out-of 1000
option (Flexible NetFlow)
To configure optional data parameters for a flow exporter for Flexible NetFlow or Performance Monitor, use the option command in flow exporter configuration mode. To remove optional data parameters for a flow exporter, use the no form of this command.
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
Syntax Description
|
application-attributes |
Configures the application attributes for flow exporters. |
|
application-table |
Configures the application table option for flow exporters. |
|
exporter-stats |
Configures the exporter statistics option for flow exporters. |
|
interface-table |
Configures the interface table option for flow exporters. |
|
sampler-table |
Configures the export sampler information option for flow exporters. |
|
vrf-table |
Configures the virtual routing and forwarding (VRF) ID-to-name table option for flow exporters. |
|
timeout seconds |
(Optional) Configures the option resend time in seconds for flow exporters. Range: 1 to 86400. Default: 600. |
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
15.0(1)M |
This command was modified. The application-table and vrf-table keywords were added in Cisco IOS Release 15.0(1)M. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
Cisco IOS XE Release 3.1S |
This command was integrated into Cisco IOS XE Release 3.1S. |
|
15.1(3)T |
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. |
|
12.2(58)SE |
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor. |
|
12.2(50)SY |
This command was modified. The application-table keyword was removed. |
|
Cisco IOS XE Release 3.5S |
This command was modified. The application-attributes keyword was added. |
Usage Guidelines
The option command can be used with both Flexible NetFlow and Performance Monitor.
option application-attributes
The optionapplication-attributes command causes the periodic sending of Network Based Application Recognition (NBAR) application attributes to the collector.
The following application attributes are sent to the collector per protocol:
- Category--Provides first-level categorization for each application.
- Sub-category--Provides second-level categorization for each application.
- Application-Group--Groups applications that belong to the same networking application.
- P2P-Technology--Specifies whether the application is based on peer-to-peer technology or not.
- Tunnel-Technology--Specifies whether the application tunnels the traffic of other protocols or not.
- Encrypted--Specifies whether the application is an encrypted networking protocol or not.
The optional timeout can alter the frequency at which the reports are sent.
option application-table
The optionapplication-table command causes the periodic sending of an options table, which allows the collector to map NBAR application IDs provided in the flow records to application names. The optional timeout can alter the frequency at which the reports are sent.
option exporter-stats
The optionexporter-stats command causes the periodic sending of the exporter statistics, including the number of records, bytes, and packets sent. This command allows the collector to estimate packet loss for the export records it receives. The optional timeout alters the frequency at which the reports are sent.
option interface-table
The optioninterface-table causes the periodic sending of an options table, which allows the collector to map the interface SNMP indexes provided in the flow records to interface names. The optional timeout can alter the frequency at which the reports are sent.
option sampler-table
The optionsampler-table command causes the periodic sending of an options table, which details the configuration of each sampler and allows the collector to map the sampler ID provided in any flow record to a configuration that it can use to scale up the flow statistics. The optional timeout can alter the frequency at which the reports are sent.
option vrf-table
The optionvrf-table command causes the periodic sending of an options table, which allows the collector to map the VRF IDs provided in the flow records to VRF names. The optional timeout can alter the frequency at which the reports are sent.
Examples
The following example shows how to enable the periodic sending of NBAR application attributes to the collector:
Router(config)# flow exporter FLOW-EXPORTER-1 Router(config-flow-exporter)# option application-attributes
The following example shows how to enable the periodic sending of the exporter statistics, including the number of records, bytes, and packets sent:
Router(config)# flow exporter FLOW-EXPORTER-1 Router(config-flow-exporter)# option exporter-stats
The following example shows how to enable the periodic sending of an options table, which allows the collector to map the interface SNMP indexes provided in the flow records to interface names:
Router(config)# flow exporter FLOW-EXPORTER-1 Router(config-flow-exporter)# option interface-table
The following example shows how to enable the periodic sending of an options table, which details the configuration of each sampler and allows the collector to map the sampler ID provided in any flow record to a configuration that it can use to scale up the flow statistics:
Router(config)# flow exporter FLOW-EXPORTER-1 Router(config-flow-exporter)# option sampler-table
The following example shows how to enable the periodic sending of an options table, which allows the collector to map the NBAR application IDs provided in the flow records to application names:
Router(config)# flow exporter FLOW-EXPORTER-1 Router(config-flow-exporter)# option application-table
The following example shows how to enable the periodic sending of an options table, which allows the collector to map the VRF IDs provided in the flow records to VRF names:
Router(config)# flow exporter FLOW-EXPORTER-1 Router(config-flow-exporter)# option vrf-table
output-features
To enable sending export packets for Flexible NetFlow or Performance Monitor using quality of service (QoS) or encryption, use the output-features command in flow exporter configuration mode. To disable sending export packets using QoS or encryption, use the no form of this command.
Command Default
If QoS or encryption is configured on the router, neither QoS or encryption is run on Flexible NetFlow or Performance Monitor export packets.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor.
If the router has the output feature quality of service (QoS) or encryption configured, the output-features command causes the output features to be run on Flexible NetFlow or Performance Monitor export packets.
record
To configure a flow record for a Flexible NetFlow flow monitor, use the record command in Flexible NetFlow flow monitor configuration mode. To remove a flow record for a Flexible NetFlow flow monitor, use the no form of this command.
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
Syntax Description
|
record-name |
Name of a user-defined flow record that was previously configured. |
|
netflow-original |
Configures the flow monitor to use the Flexible NetFlow implementation of original NetFlow with origin autonomous systems. |
|
netflow ipv4 |
Configures the flow monitor to use one of the predefined IPv4 records. |
|
netflow ipv6 |
Configures the flow monitor to use one of the predefined IPv6 records. This keyword is not supported on the Cisco ASR 1000 Series Aggregation Services router. |
|
record |
Name of the predefined record. See the table below for a listing of the available records and their definitions. |
|
peer |
(Optional) Configures the flow monitor to use one of the predefined records with peer autonomous systems. The peer keyword is not supported for every type of Flexible NetFlow predefined record. See the table below. |
|
platform-original ipv4 |
Configures the flow monitor to use one of the predefined IPv4 records. |
|
platform-original ipv6 |
Configures the flow monitor to use one of the predefined IPv6 records. |
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.4(20)T |
The ipv6 keyword was added in Cisco IOS Release 12.4(20)T. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
Cisco IOS XE 3.1S |
This command was integrated into Cisco IOS XE Release 3.1S. |
|
12.2(50)SY |
This command was modified. The netflow-original,netflowipv4,netflowipv6,andpeerkeywords were removed in Cisco IOS Release 12.2(50)SY. The platform-originalipv4and platform-originalipv4keywords were added. |
Usage Guidelines
Each flow monitor requires a record to define the contents and layout of its cache entries. The flow monitor can use one of the wide range of predefined record formats, or advanced users may create their own record formats.
The table below describes the keywords and descriptions for the record argument.
| Table 1 | Keywords and Descriptions for the record Argument |
Examples
The following example configures the flow monitor to use the NetFlow original record:
Router(config)# flow monitor FLOW-MONITOR-1 Router(config-flow-monitor)# record netflow-original
The following example configures the flow monitor to use a user-defined record named collect-ipv4-data:
Router(config)# flow monitor FLOW-MONITOR-1 Router(config-flow-monitor)# record collect-ipv4-data
The following example configures the flow monitor to use the Flexible NetFlow IPv4 destination prefix record:
Router(config)# flow monitor FLOW-MONITOR-1 Router(config-flow-monitor)# record netflow ipv4 destination-prefix
The following example configures the flow monitor to use a the Flexible NetFlow IPv6 destination prefix record:
Router(config)# flow monitor FLOW-MONITOR-1 Router(config-flow-monitor)# record netflow ipv6 destination-prefix
sampler
To create a Flexible NetFlow flow sampler, or to modify an existing Flexible NetFlow flow sampler, and to enter Flexible NetFlow sampler configuration mode, use the sampler command in global configuration mode. To remove a sampler, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
15.1(2)S |
This command was modified. |
|
12.2(50)SY |
This command was integrated into Cisco IOS Release 12.2(50)SY. |
Usage Guidelines
Flow samplers are used to reduce the load placed by Flexible NetFlow on the networking device to monitor traffic by limiting the number of packets that are analyzed. You configure a rate of sampling that is 1 out of a range of 2 to 32,768 packets. For example, a rate of 1 out of 2 results in analysis of 50 percent of the packets sampled. Flow samplers are applied to interfaces in conjunction with a flow monitor to implement sampled Flexible NetFlow.
To enable flow sampling, you configure the record that you want to use for traffic analysis and assign it to a flow monitor. When you apply a flow monitor with a sampler to an interface, the sampled packets are analyzed at the rate specified by the sampler and compared with the flow record associated with the flow monitor. If the analyzed packets meet the criteria specified by the flow record, they are added to the flow monitor cache.
In Cisco IOS Release 15.1(2)S and later releases, a hash collision between the name supplied and any existing name is possible. If this happens, you can retry, supplying another name.
Examples
The following example creates a flow sampler name SAMPLER-1:
Router(config)# sampler SAMPLER-1
Router(config-sampler)#
The following example shows the output when there is a hash collision between the name supplied and any existing name:
Router(config-sampler)# sampler SAMPLER-1
% sampler: Failed to create a new Sampler (Hash value in use).
Router(config)#
show flow exporter
To display Flexible NetFlow flow exporter status and statistics, use the showflowexporter command in privileged EXEC mode.
Syntax Description
|
export-ids netflow-v5 |
(Optional) Displays the NetFlow Version 5 export fields that can be exported and their IDs. |
|
export-ids netflow-v9 |
(Optional) Displays the NetFlow Version 9 export fields that can be exported and their IDs. |
|
name |
(Optional) Specifies the name of a flow exporter. |
|
exporter-name |
(Optional) Name of a flow exporter that was previously configured. |
|
statistics |
(Optional) Displays flow exporter statistics. |
|
templates |
(Optional) Displays flow exporter template information. |
|
option |
(Optional) Displays flow exporter options data. |
|
application engines |
(Optional) Displays the application engines option for flow exporters. |
|
application table |
(Optional) Displays the application table option for flow exporters. |
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
Cisco IOS XE 3.1S |
This command was integrated into Cisco IOS XE Release 3.1S. The option and application keywords were added. |
|
12.2(50)SY |
This command was integrated into Cisco IOS Release 12.2(50)SY. |
|
15.2.(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T. The ability to display IPv6 addresses was added. |
|
Cisco IOS XE 3.5S |
This command was integrated into Cisco IOS XE Release 3.5S. The ability to display IPv6 addresses was added. |
Examples
The following example displays the status and statistics for all of the flow exporters configured on a router:
Router# show flow exporter
Flow Exporter FLOW-MONITOR-1:
Description: Exports to the datacenter
Export protocol: NetFlow Version 9
Transport Configuration:
Destination IP address: 172.16.10.2
Source IP address: 172.16.6.2
Source Interface: Ethernet0/0
Transport Protocol: UDP
Destination Port: 650
Source Port: 55864
DSCP: 0x3F
TTL: 15
Output Features: Used
Flow Exporter FLOW-MONITOR-2:
Description: Exports to the datacenter
Export protocol: NetFlow Version 9
Transport Configuration:
Destination IP address: 2222::2/64
Source IP address: 1111::1/64
Transport Protocol: UDP
Destination Port: 4739
Source Port: 49936
DSCP: 0x0
TTL: 255
Output Features: Not Used
Options Configuration:
exporter-stats (timeout 120 seconds)
interface-table (timeout 120 seconds)
sampler-table (timeout 120 seconds)
The table below describes the significant fields shown in the display.
| Table 2 | show flow exporter Field Descriptions |
|
Field |
Description |
|---|---|
|
Flow Exporter |
The name of the flow exporter that you configured. |
|
Description |
The description that you configured for the exporter, or the default description "User defined." |
|
Transport Configuration |
The transport configuration fields for this exporter. |
|
Destination IP address |
The IP address of the destination host. |
|
Source IP address |
The source IP address used by the exported packets. |
|
Transport Protocol |
The transport layer protocol used by the exported packets. |
|
Destination Port |
The destination UDP port to which the exported packets are sent. |
|
Source Port |
The source UDP port from which the exported packets are sent. |
|
DSCP |
The differentiated services code point (DSCP) value. |
|
TTL |
The time-to-live value. |
The following example displays the NetFlow Version 9 export IDs for all of the flow exporters configured on a router. This output will vary according to the flow record configured:
Router# show flow exporter export-ids netflow-v9
Export IDs used by fields in NetFlow-common export format:
ip version : 60
ip tos : 194
ip dscp : 195
ip precedence : 196
ip protocol : 4
ip ttl : 192
ip ttl minimum : 52
ip ttl maximum : 53
ip length header : 189
ip length payload : 204
ip section header : 313
ip section payload : 314
routing source as : 16
routing destination as : 17
routing source as peer : 129
routing destination as peer : 128
routing source traffic-index : 92
routing destination traffic-index : 93
routing forwarding-status : 89
routing is-multicast : 206
routing next-hop address ipv4 : 15
routing next-hop address ipv4 bgp : 18
routing next-hop address ipv6 bgp : 63
ipv4 header-length : 207
ipv4 tos : 5
ipv4 total-length : 190
ipv4 total-length minimum : 25
ipv4 total-length maximum : 26
ipv4 id : 54
ipv4 fragmentation flags : 197
ipv4 fragmentation offset : 88
ipv4 source address : 8
ipv4 source prefix : 44
ipv4 source mask : 9
ipv4 destination address : 12
ipv4 destination prefix : 45
ipv4 destination mask : 13
ipv4 options : 208
transport source-port : 7
transport destination-port : 11
transport icmp-ipv4 type : 176
transport icmp-ipv4 code : 177
transport igmp type : 33
transport tcp source-port : 182
transport tcp destination-port : 183
transport tcp sequence-number : 184
transport tcp acknowledgement-number : 185
transport tcp header-length : 188
transport tcp window-size : 186
transport tcp urgent-pointer : 187
transport tcp flags : 6
transport udp source-port : 180
transport udp destination-port : 181
transport udp message-length : 205
interface input snmp : 10
interface output snmp : 14
interface name : 82
interface description : 83
flow direction : 61
flow exporter : 144
flow sampler : 48
flow sampler algorithm export : 49
flow sampler interval : 50
flow sampler name : 84
flow class : 51
v9-scope system : 1
v9-scope interface : 2
v9-scope linecard : 3
v9-scope cache : 4
v9-scope template : 5
counter flows : 3
counter bytes : 1
counter bytes long : 1
counter packets : 2
counter packets long : 2
counter bytes squared long : 198
counter bytes permanent : 85
counter packets permanent : 86
counter bytes squared permanent : 199
counter bytes exported : 40
counter packets exported : 41
counter flows exported : 42
timestamp sys-uptime first : 22
timestamp sys-uptime last : 21
The following example displays the status and statistics for all of the flow exporters configured on a router:
Router# show flow exporter name FLOW-MONITOR-1 statistics
Flow Exporter FLOW-MONITOR-1:
Packet send statistics:
Ok 0
No FIB 0
Adjacency failure 0
Enqueued to process level 488
Enqueueing failed 0
IPC failed 0
Output failed 0
Fragmentation failed 0
Encap fixup failed 0
No destination address 0
Client send statistics:
Client: Flow Monitor FLOW-MONITOR-1
Records added 558
Packets sent 486 (51261 bytes)
Packets dropped 0 (0 bytes)
No Packet available errors 0
The table below describes the significant fields shown in the display.
| Table 3 | show flow exporter name exporter-name statistics Field Descriptions |
|
Field |
Description |
|---|---|
|
Flow Exporter |
The name of the flow exporter that you configured. |
|
Packet send statistics |
The packet transmission statistics for this exporter. |
|
Ok |
The number of packets that have been sent successfully. |
|
No FIB |
No entry in the Forwarding Information Base (FIB) to forward to. |
|
Adjacency failure |
No Cisco Express Forwarding (CEF) adjacency available for forwarding. |
|
Enqueued to process level |
Packets that were sent to the processor for forwarding. |
|
Enqueueing failed |
Packets that could not be queued for transmission. |
|
IPC failed |
Packets for which interprocess communication (IPC) failed. |
|
Output failed |
Packets that were dropped because the output queue was full. |
|
Fragmentation failed |
Packets that were not able to be fragmented. |
|
Encap fixup failed |
Packets that were not able to be encapsulated for transmission on the egress interface. |
|
No destination address |
No destination address configured for the exporter. |
|
Client send statistics |
Statistics for the flow monitors that are using the exporters. |
|
Client |
The name of the flow monitor that is using the exporter. |
|
Records added |
The number of flow records that have been added for this flow monitor. |
|
Packets sent |
The number of packets that have been exported for this flow monitor. |
|
Packets dropped |
The number of packets that were dropped for this flow monitor. |
|
No Packet available error |
The number of times that no packets were available to transmit the records. |
The following example displays the template format for the exporters configured on the router. This output will vary according to the flow record configured:
Router# show flow exporter FLOW_EXPORTER-1 templates
Flow Exporter FLOW-MONITOR-1:
Client: Flow Monitor FLOW-MONITOR-1
Exporter Format: NetFlow Version 9
Template ID : 256
Record Size : 53
Template layout
_____________________________________________________________________
| Field | Type1 | Offset2 | Size3 |
---------------------------------------------------------------------
| ipv4 source address | 8 | 0 | 4 |
| ipv4 destination address | 12 | 4 | 4 |
| interface input snmp | 10 | 8 | 4 |
| flow sampler | 48 | 12 | 4 |
| transport source-port | 7 | 16 | 2 |
| transport destination-port | 11 | 18 | 2 |
| ip tos | 194 | 20 | 1 |
| ip protocol | 4 | 21 | 1 |
| ipv4 source mask | 9 | 22 | 1 |
| ipv4 destination mask | 13 | 23 | 1 |
| transport tcp flags | 6 | 24 | 1 |
| routing source as | 16 | 25 | 2 |
| routing destination as | 17 | 27 | 2 |
| routing next-hop address ipv4 | 15 | 29 | 4 |
| interface output snmp | 14 | 33 | 4 |
| counter bytes | 1 | 37 | 4 |
| counter packets | 2 | 41 | 4 |
| timestamp sys-uptime first | 22 | 45 | 4 |
| timestamp sys-uptime last | 21 | 49 | 4 |
---------------------------------------------------------------------
1The field type from the display output of the showflowexporterexport-idsnetflow-v9 command. 2Where this field is located in the flow record. 3Size of the field in octets (8-bit bytes).
show flow interface
To display the Flexible NetFlow configuration and status for an interface, use the showflowinterface command in privileged EXEC mode.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
12.2(50)SY |
This command was integrated into Cisco IOS Release 12.2(50)SY. |
Examples
The following example displays the Flexible NetFlow accounting configuration on Ethernet interfaces 0/0 and 0/1:
Router# show flow interface ethernet 1/0 Interface Ethernet1/0 FNF: monitor: FLOW-MONITOR-1 direction: Output traffic(ip): on Router# show flow interface ethernet 0/0 Interface Ethernet0/0 FNF: monitor: FLOW-MONITOR-1 direction: Input traffic(ip): sampler SAMPLER-2#
The table below describes the significant fields shown in the display.
| Table 4 | show flow interface Field Descriptions |
|
Field |
Description |
|---|---|
|
Interface |
The interface to which the information applies. |
|
monitor |
The name of the flow monitor that is configured on the interface. |
|
direction: |
The direction of traffic that is being monitored by the flow monitor. The possible values are: |
|
traffic(ip) |
Indicates if the flow monitor is in normal mode or sampler mode. The possible values are: |
show flow monitor
To display the status and statistics for a Flexible NetFlow flow monitor, use the showflowmonitor command in privileged EXEC mode.
Syntax Description
|
name |
(Optional) Specifies the name of a flow monitor. |
|
monitor-name |
(Optional) Name of a flow monitor that was previously configured. |
|
cache |
(Optional) Displays the contents of the cache for the flow monitor. |
|
format |
(Optional) Specifies the use of one of the format options for formatting the display output. |
|
csv |
(Optional) Displays the flow monitor cache contents in comma separated variables (CSV) format. |
|
record |
(Optional) Displays the flow monitor cache contents in record format. |
|
table |
(Optional) Displays the flow monitor cache contents in table format. |
|
statistics |
(Optional) Displays the statistics for the flow monitor. |
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.4(20)T |
Support for displaying IPv6 data in Flexible NetFlow flow monitor caches was added in Cisco IOS Release 12.4(20)T. |
|
15.0(1)M |
This command was modified. Support for displaying virtual routing and forwarding (VRF) and Network Based Application Recognition (NBAR) data in Flexible NetFlow flow monitor caches was added in Cisco IOS Release 15.0(1)M. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers. |
Usage Guidelines
The cache keyword uses the table format by default.
The uppercase field names in the display output of theshowflowmonitormonitor-namecache command are key fields that Flexible NetFlow uses to differentiate flows. The lowercase field names in the display output of the showflowmonitormonitor-namecache command are nonkey fields from which Flexible NetFlow collects values as additional data for the cache.
Examples
The following example displays the status for a flow monitor:
Router# show flow monitor FLOW-MONITOR-1
Flow Monitor FLOW-MONITOR-1:
Description: Used for basic traffic analysis
Flow Record: netflow-original
Flow Exporter: EXP-DC-TOPEKA
EXP-DC-PHOENIX
Cache:
Type: normal
Status: allocated
Size: 4096 entries / 311316 bytes
Inactive Timeout: 15 secs
Active Timeout: 1800 secs
Update Timeout: 1800 secs
The table below describes the significant fields shown in the display.
| Table 5 | show flow monitor monitor-name Field Descriptions |
|
Field |
Description |
|---|---|
|
Flow Monitor |
Name of the flow monitor that you configured. |
|
Description |
Description that you configured or the monitor, or the default description "User defined". |
|
Flow Record |
Flow record assigned to the flow monitor. |
|
Flow Exporter |
Exporters that are assigned to the flow monitor. |
|
Cache |
Information about the cache for the flow monitor. |
|
Type |
Flow monitor cache type. The possible values are: |
|
Status |
Status of the flow monitor cache. The possible values are: |
|
Size |
Current cache size. |
|
Inactive Timeout |
Current value for the inactive timeout in seconds. |
|
Active Timeout |
Current value for the active timeout in seconds . |
|
Update Timeout |
Current value for the update timeout in seconds . |
The following example displays the status, statistics, and data for the flow monitor named FLOW-MONITOR-1:
Router# show flow monitor FLOW-MONITOR-1 cache
Cache type: Normal
Cache size: 4096
Current entries: 8
High Watermark: 10
Flows added: 1560
Flows aged: 1552
- Active timeout ( 1800 secs) 24
- Inactive timeout ( 15 secs) 1528
- Event aged 0
- Watermark aged 0
- Emergency aged 0
IP TOS: 0x00
IP PROTOCOL: 6
IPV4 SOURCE ADDRESS: 10.10.10.2
IPV4 DESTINATION ADDRESS: 172.16.10.2
TRNS SOURCE PORT: 20
TRNS DESTINATION PORT: 20
INTERFACE INPUT: Et0/0
FLOW SAMPLER ID: 0
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0
counter bytes: 198520
counter packets: 4963
timestamp first: 10564356
timestamp last: 12154104
The table below describes the significant fields shown in the display.
| Table 6 | show flow monitor monitor-name cache Field Descriptions |
|
Field |
Description |
|---|---|
|
Cache type |
Flow monitor cache type. The possible values are: |
|
Cache Size |
Number of entries in the cache. |
|
Current entries |
Number of entries in the cache that are in use. |
|
High Watermark |
Highest number of cache entries seen. |
|
Flows added |
Flows added to the cache since the cache was created. |
|
Flows aged |
Flows expired from the cache since the cache was created. |
|
Active timeout |
Current value for the active timeout in seconds. |
|
Inactive timeout |
Current value for the inactive timeout in seconds . |
|
Event aged |
Number of flows that have been aged by an event such as using the force-export option for the clearflowmonitor command. |
|
Watermark aged |
Number of flows that have been aged because they exceeded the maximum high watermark value. |
|
Emergency aged |
Number of flows that have been aged because the cache size was exceeded. |
|
IP TOS |
IP type of service (ToS) value. |
|
IP PROTOCOL |
Protocol number. |
|
IPV4 SOURCE ADDRESS |
IPv4 source address. |
|
IPV4 DESTINATION ADDRESS |
IPv4 destination address. |
|
TRNS SOURCE PORT |
Source port for the transport protocol. |
|
TRNS DESTINATION PORT |
Destination port for the transport protocol. |
|
INTERFACE INPUT |
Interface on which the input is received. |
|
FLOW SAMPLER ID |
Flow sampler ID number. |
|
ip source as |
Border Gateway Protocol (BGP) source autonomous system number. |
|
ip destination as |
BGP destination autonomous system number. |
|
ipv4 next hop address |
IPv4 address of the next hop to which the packet is forwarded. |
|
ipv4 source mask |
IPv4 source address mask. |
|
ipv4 destination mask |
IPv4 destination address mask. |
|
tcp flags |
Value of the TCP flags. |
|
interface output |
Interface on which the input is transmitted. |
|
counter bytes |
Number of bytes that have been counted. |
|
counter packets |
Number of packets that have been counted. |
|
timestamp first |
Time stamp of the first packet in the flow. |
|
timestamp last |
Time stamp of the last packet in the flow. |
The following example displays the status, statistics, and data for the flow monitor named FLOW-MONITOR-1 in a table format:
Router# show flow monitor FLOW-MONITOR-1 cache format table
Cache type: Normal
Cache size: 4096
Current entries: 4
High Watermark: 6
Flows added: 90
Flows aged: 86
- Active timeout ( 1800 secs) 0
- Inactive timeout ( 15 secs) 86
- Event aged 0
- Watermark aged 0
- Emergency aged 0
IP TOS IP PROT IPV4 SRC ADDR IPV4 DST ADDR TRNS SRC PORT TRNS DST PORT
====== ======= =============== =============== ============= ==============
0x00 1 10.251.10.1 172.16.10.2 0 02
0x00 1 10.251.10.1 172.16.10.2 0 20484
0xC0 17 172.16.6.1 224.0.0.9 520 5202
0x00 6 10.10.11.1 172.16.10.5 25 252
Router#
The following example displays the status, statistics, and data for the flow monitor named FLOW-MONITOR-IPv6 (the cache contains IPv6 data) in record format:
Router# show flow monitor name FLOW-MONITOR-IPv6 cache format record
Cache type: Normal
Cache size: 4096
Current entries: 6
High Watermark: 8
Flows added: 1048
Flows aged: 1042
- Active timeout ( 1800 secs) 11
- Inactive timeout ( 15 secs) 1031
- Event aged 0
- Watermark aged 0
- Emergency aged 0
IPV6 FLOW LABEL: 0
IPV6 EXTENSION MAP: 0x00000040
IPV6 SOURCE ADDRESS: 2001:DB8:1:ABCD::1
IPV6 DESTINATION ADDRESS: 2001:DB8:4:ABCD::2
TRNS SOURCE PORT: 3000
TRNS DESTINATION PORT: 55
INTERFACE INPUT: Et0/0
FLOW DIRECTION: Input
FLOW SAMPLER ID: 0
IP PROTOCOL: 17
IP TOS: 0x00
ip source as: 0
ip destination as: 0
ipv6 next hop address: ::
ipv6 source mask: /48
ipv6 destination mask: /0
tcp flags: 0x00
interface output: Null
counter bytes: 521192
counter packets: 9307
timestamp first: 9899684
timestamp last: 11660744
The table below describes the significant fields shown in the display.
| Table 7 | show flow monitor monitor-name cache format record Field Descriptions |
|
Field |
Description |
|---|---|
|
Cache type |
Flow monitor cache type. The possible values are: |
|
Cache Size |
Number of entries in the cache. |
|
Current entries |
Number of entries in the cache that are in use. |
|
High Watermark |
Highest number of cache entries seen. |
|
Flows added |
Flows added to the cache since the cache was created. |
|
Flows aged |
Flows expired from the cache since the cache was created. |
|
Active timeout |
Current value for the active timeout in seconds. |
|
Inactive timeout |
Current value for the inactive timeout in seconds. |
|
Event aged |
Number of flows that have been aged by an event such as using the force-export option for the clearflowmonitor command. |
|
Watermark aged |
Number of flows that have been aged because they exceeded the maximum high watermark value. |
|
Emergency aged |
Number of flows that have been aged because the cache size was exceeded. |
|
IPV6 FLOW LABEL |
Label number for the flow. |
|
IPV6 EXTENSION MAP |
Pointer to the IPv6 extensions. |
|
IPV6 SOURCE ADDRESS |
IPv6 source address. |
|
IPV6 DESTINATION ADDRESS |
IPv6 destination address. |
|
TRNS SOURCE PORT |
source port for the transport protocol. |
|
TRNS DESTINATION PORT |
Destination port for the transport protocol. |
|
INTERFACE INPUT |
Interface on which the input is received. |
|
FLOW DIRECTION |
Input or output. |
|
FLOW SAMPLER ID |
Flow sampler ID number. |
|
IP PROTOCOL |
IP protocol number. |
|
IP TOS |
IP ToS number. |
|
ip source as |
BGP source autonomous system number. |
|
ip destination as |
BGP destination autonomous system number. |
|
ipv6 next hop address |
IPv4 address of the next hop to which the packet is forwarded. |
|
ipv6 source mask |
IPv6 source address mask. |
|
ipv6 destination mask |
IPv6 destination address mask. |
|
tcp flags |
Value of the TCP flags. |
|
interface output |
Interface on which the input is transmitted. |
|
counter bytes |
Number of bytes that have been counted. |
|
counter packets |
Number of packets that have been counted. |
|
timestamp first |
Time stamp of the first packet in the flow. |
|
timestamp last |
Time stamp of the last packet in the flow. |
The following example displays the status and statistics for a flow monitor:
Router# show flow monitor FLOW-MONITOR-1 statistics
Cache type: Normal
Cache size: 4096
Current entries: 4
High Watermark: 6
Flows added: 116
Flows aged: 112
- Active timeout ( 1800 secs) 0
- Inactive timeout ( 15 secs) 112
- Event aged 0
- Watermark aged 0
- Emergency aged 0
The table below describes the significant fields shown in the display.
| Table 8 | show flow monitor monitor-name statistics Field Descriptions |
|
Field |
Description |
|---|---|
|
Cache Type |
Flow monitor cache type. The possible values are: |
|
Cache Size |
Size of the cache. |
|
Current entries |
Number of entries in the cache that are in use. |
|
High Watermark |
Highest number of cache entries seen. |
|
Flows added |
Flows added to the cache since the cache was created. |
|
Flows aged |
Flows expired from the cache since the cache was created. |
|
Active Timeout |
Current value for the active timeout in seconds. |
|
Inactive Timeout |
Current value for the inactive timeout in seconds i. |
|
Event aged |
Number of flows that have been aged by an event such as using the force-export option for the clearflowmonitor command. |
|
Watermark aged |
Number of flows that have been aged because they exceeded the maximum high watermark value. |
|
Emergency aged |
Number of flows that have been aged because the cache size was exceeded. |
show flow monitor cache aggregate
To display aggregated flow statistics from a flow monitor cache, use the showflowmonitorcacheaggregate command in privileged EXEC mode.
Syntax Description
|
name |
(Optional) Specifies the name of a flow monitor. |
|
monitor-name |
Name of a flow monitor that was previously configured. |
|
options |
Fields upon which aggregation is performed; and from which additional data from the cache is displayed when the collect keyword is used. You can specify multiple values for the options argument. See the "Usage Guidelines" section. |
|
collect |
(Optional) Displays additional data from the cache. See the "Usage Guidelines" section. |
|
record record-name |
Specifies the name of a user-defined flow record or a predefined flow record. See the first table below for a listing of the available predefined records and their definitions. |
|
format |
(Optional) Specifies the use of one of the format options for formatting the display output. |
|
csv |
Displays the flow monitor cache contents in comma-separated variables (CSV) format. |
|
record |
Displays the flow monitor cache contents in record format. |
|
table |
Displays the flow monitor cache contents in table format. |
Usage Guidelines
Flexible NetFlow--Top N Talkers Support
The showflowmonitorcacheaggregate command is one of a set of three commands that make up the Flexible NetFlow--Top N Talkers Support feature. The Flexible NetFlow--Top N Talkers Support feature is used to manipulate the display output from the Flexible NetFlow cache to facilitate the analysis of network traffic.
The other two commands that make up the Flexible NetFlow--Top N Talkers Support feature are showflowmonitorcachefilter and showflowmonitorcachesort. The three commands can be used together or on their own, depending on your requirements. For more detailed information about these commands, see the showflowmonitorcachefilter command and the showflowmonitorcachesort command. For information about how the three commands are used together, refer to the " Configuring Cisco IOS Flexible NetFlow -- Top N Talkers Support " module in the Configuring Cisco IOS Flexible NetFlow Configuration Guide.
Flow Aggregation
Flow aggregation using the showflowmonitorcacheaggregate command allows you to dynamically display the flow information in a cache using a different flow record than the cache was originally created from. Only the fields in the cache will be available for the aggregated flows.
Note | The key and nonkey fields in the flows are defined in the flow record that you assigned to the flow monitor from which the cache data is being aggregated. |
Aggregation helps you achieve a higher-level view of the traffic in your network by combining flow data from multiple flows based on the criteria that interest you, for example, displaying flow data for:
- All the HTTP traffic in your network.
- All the traffic being forwarded to a specific Border Gateway Protocol (BGP) next hop.
- Identifying a device that is sending several types of traffic to one or more hosts in your network, perhaps as part of a denial of service (DoS) attack.
Aggregation options Argument
The options that you can use for the options argument of the showflowmonitorcacheaggregate command are dependent on the fields that are used for the user-defined flow record that you configured for the flow monitor using the record command. To identify the options that you can use, use the showflowrecordrecord-name command in privileged EXEC mode, where record-name is the name of the record that you configured for the flow monitor.
For example, if you assigned the "N etFlow Original" predefined record to a flow monitor, you use the showflowrecordnetflow-original command to display its key (match) and nonkey (collect) fields. The following is partial output from the showflowrecordnetflow-originalcommand:
flow record netflow-original:
Description: Traditional IPv4 input NetFlow with origin ASs
No. of users: 2
Total field space: 53 bytes
Fields:
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
.
.
.
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
The fields from this partial output that you can use for the option argument follow the match (key fields) and collect (nonkey fields) words. For example, you can use the "ipv4 tos" field to aggregate the flows as shown in the first example in the "Examples" section.
Cache Data Fields Displayed
By default the data fields from the cache that are shown in the display output of the showflowmonitorcacheaggregate command are limited to the field used for aggregation and the counter fields such as flows, number of bytes, and the number of packets. The following is partial output from the showflowmonitorFLOW-MONITOR-3cacheaggregateipv4destinationaddress command:
IPV4 DST ADDR flows bytes pkts =============== ========== ========== ========== 224.192.16.1 2 97340 4867 224.192.18.1 3 96080 4804 224.192.16.4 4 79760 3988 224.192.45.12 3 77480 3874 255.255.255.255 1 52 1
Notice that the data contains only the IPv4 destination addresses for which flows have been aggregated and the counter values.
The flow monitor (FLOW-MONITOR-3) referenced by the showflowmonitorFLOW-MONITOR-3cacheaggregateipv4destinationaddress command uses the "NetFlow Original" predefined record, which contains the following key and nonkey fields:
- match ipv4 tos
- match ipv4 protocol
- match ipv4 source address
- match ipv4 destination address
- match transport source-port
- match transport destination-port
- match interface input
- match flow sampler
- collect routing source as
- collect routing destination as
- collect routing next-hop address ipv4
- collect ipv4 source mask
- collect ipv4 destination mask
- collect transport tcp flags
- collect interface output
- collect counter bytes
- collect counter packets
- collect timestamp sys-uptime first
- collect timestamp sys-uptime last
The collect keyword is used to include additional cache data in the display output of the showflowmonitorcacheaggregate command. The following partial output from theshowflowmonitorFLOW-MONITOR-3cacheaggregateipv4destinationaddresscollecttransporttcpflags command shows the transport TCP flags data from the cache:
IPV4 DST ADDR tcp flags flows bytes pkts =============== ========= ========== ========== ========== 224.192.16.1 0x00 4 165280 8264 224.192.18.1 0x00 4 158660 7933 224.192.16.4 0x00 3 146740 7337 224.192.45.12 0x00 4 145620 7281 255.255.255.255 0x00 1 52 1 224.0.0.13 0x00 1 54 1
You can add cache data fields after the collect keyword to show additional data from the cache in the display output of the showflowmonitorcacheaggregate command.
Keywords and Descriptions for the record Argument
The table below describes the keywords for the record argument.
| Table 9 | Keywords and Descriptions for the Aggregate record Argument |
|
Keyword |
Description |
IPv4 Support |
IPv6 Support |
||
|---|---|---|---|---|---|
|
as |
Autonomous system record. |
Yes |
Yes |
||
|
as-tos |
Autonomous system and ToS record. |
Yes |
No |
||
|
bgp-nexthop-tos |
BGP next-hop and ToS record. |
Yes |
No |
||
|
bgp-nexthop |
BGP next-hop record. |
No |
Yes |
||
|
destination-prefix |
Destination prefix record.
|
Yes |
Yes |
||
|
destination-prefix-tos |
Destination prefix and ToS record. |
Yes |
No |
||
|
original-input |
Traditional IPv4 input NetFlow. |
Yes |
Yes |
||
|
original-output |
Traditional IPv4 output NetFlow. |
Yes |
Yes |
||
|
prefix |
Source and destination prefixes record.
|
Yes |
Yes |
||
|
prefix-port |
Prefix port record.
|
Yes |
No |
||
|
prefix-tos |
Prefix ToS record. |
Yes |
No |
||
|
protocol-port |
Protocol ports record.
|
Yes |
Yes |
||
|
protocol-port-tos |
Protocol port and ToS record.
|
Yes |
No |
||
|
source-prefix |
Source autonomous system and prefix record.
|
Yes |
Yes |
||
|
source-prefix-tos |
Source prefix and ToS record. |
Yes |
No |
Examples
The following example aggregates the flow monitor cache data on the destination and source IPv4 addresses:
Router# show flow monitor FLOW-MONITOR-1 cache aggregate ipv4 destination address ipv4 source address
Processed 26 flows
Aggregated to 17 flows
IPV4 SRC ADDR IPV4 DST ADDR flows bytes pkts
=============== =============== ========== ========== ==========
10.251.10.1 172.16.10.2 2 1400828 1364
192.168.67.6 172.16.10.200 1 19096 682
10.234.53.1 172.16.10.2 3 73656 2046
172.30.231.193 172.16.10.2 3 73616 2045
10.10.10.2 172.16.10.2 2 54560 1364
192.168.87.200 172.16.10.2 2 54560 1364
10.10.10.4 172.16.10.4 1 27280 682
10.10.11.1 172.16.10.5 1 27280 682
10.10.11.2 172.16.10.6 1 27280 682
10.10.11.3 172.16.10.7 1 27280 682
10.10.11.4 172.16.10.8 1 27280 682
10.1.1.1 172.16.10.9 1 27280 682
10.1.1.2 172.16.10.10 1 27280 682
10.1.1.3 172.16.10.11 1 27280 682
172.16.1.84 172.16.10.19 2 54520 1363
172.16.1.85 172.16.10.20 2 54520 1363
172.16.6.1 224.0.0.9 1 52 1
The table below describes the significant fields shown in the display.
| Table 10 | show flow monitor cache aggregate Field Descriptions |
|
Field |
Description |
|---|---|
|
IPV4 SOURCE ADDRESS |
IPv4 source address. |
|
IPV4 DESTINATION ADDRESS |
IPv4 destination address. |
|
flows |
Numbers of flows associated with the source/destination IP address combination |
|
bytes |
Number of bytes contained in the flows. |
|
packets |
Number of packets contained in the flows. |
show flow monitor cache filter
To filter the display output of statistics from the flows in a flow monitor cache, use the showflowmonitorcachefilter command in privileged EXEC mode.
Syntax Description
|
name |
(Optional) Specifies the name of a flow monitor. |
|
monitor-name |
Name of a flow monitor that was previously configured. |
|
options |
Fields upon which filtering is performed. You can specify multiple values for the options argument. See the "Usage Guidelines" section. |
|
regexp regexp |
(Optional) Match the field specified with the optionsargument against a regular expression. See the "Usage Guidelines" section. |
|
format |
(Optional) Specifies the use of one of the format options for formatting the display output. |
|
csv |
Displays the flow monitor cache contents in comma-separated variables (CSV) format. |
|
record |
Displays the flow monitor cache contents in record format. |
|
table |
Displays the flow monitor cache contents in table format. |
Usage Guidelines
Flexible NetFlow--Top N Talkers Support
The showflowmonitorcachefilter command is one of a set of three commands that make up the Flexible NetFlow--Top N Talkers Support feature. The Flexible NetFlow--Top N Talkers Support feature is used to manipulate the display output from the Flexible NetFlow cache to facilitate the analysis of network traffic.
The other two commands that make up the Flexible NetFlow--Top N Talkers Support feature are showflowmonitorcachesort and showflowmonitorcacheaggregate. The three commands can be used together or on their own, depending on your requirements. For more detailed information about these commands, see the showflowmonitorcachesort command and the showflowmonitorcacheaggregate command. For information about how the three commands are used together, refer to the " Configuring Cisco IOS Flexible NetFlow -- Top N Talkers Support " module in the Configuring Cisco IOS Flexible NetFlow Configuration Guide.
Filter options Argument
The options that you can use for the options argument of the showflowmonitorcachefilter command are dependent on the fields that are used for the record that you configured for the flow monitor using the record command. To identify the options that you can use, use the showflowrecordrecord-name command in privileged EXEC mode, where record-name is the name of the record that you configured for the flow monitor.
For example, if you assigned the "N etFlow Original" predefined record to a flow monitor, you use the showflowrecordnetflow-original command to display its key (match) and nonkey (collect) fields. The following is partial output from the show command:
flow record netflow-original:
Description: Traditional IPv4 input NetFlow with origin ASs
No. of users: 2
Total field space: 53 bytes
Fields:
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
.
.
.
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
The fields from this partial output that you can use for the option argument follow the match (key fields) and collect (nonkey fields) words. For example, you can use the "ipv4 tos" field to filter the flows as shown in the first example in the "Examples" section.
Filtering Criteria
The following are examples of the types of filtering criteria available for the showflowmonitorcachefilter command:
- Perform an exact match on any numerical fields in either decimal or hexadecimal format. For example, these two commands match flows in the flow monitor cache that contain either" 0xA001" or "1":
- Perform a match on a range for any numerical fields in either decimal or hexadecimal format. For example, these two commands match flows in the flow monitor cache that contain either "0xA000 0xB000" or "1 1024":
- Perform an exact match for any alphanumerical field. For example, this command matches flows in the flow monitor cache having a MAC address of ABCD:0012:01FE:
- Perform a regular-expression match on any alphanumerical field. For example, this command matches flows in the flow monitor cache having a MAC address that starts with ABCD:
- Perform a match on flag fields with an implicit <and>. For example, this command matches flows in the flow monitor cache that contain the urg and syn TCP flags:
- Perform a match against flags that are not present. For example, this command matches flows in the flow monitor cache that contain the syn and rst TCP flags and do not contain the urg and fin TCP flags:
- Perform an exact match on an IP address field. For example, this command matches flows in the flow monitor cache that contain the source IPv4 address "192.168.0.1":
- Perform a prefix match on an IPv4 or IPv6 address field. For example, these two commands match flows in the flow monitor cache that contain either "192.168.0.0 255.255.0.0" or "7:20ac::/64":
- Perform a match on a range of relative time stamps. For example, this command matches flows in the flow monitor cache that were created within the last "500" seconds:
- Perform a match on range of the time stamp that is configured (uptime or absolute). For example, this command matches flows in the flow monitor cache that were created between 0800 and 0815, within the last 24 hours:
- Perform an exact match on an interface. For example, this command matches flows in the flow monitor cache which are received on Ethernet interface 0/0.
- Perform a regular-expression match on an interface. For example, this command matches flows in the flow monitor cache that begin with Ethernet0/ and have either "1", "2", or "3" as the port number:
Regular Expressions
The table below shows the syntax for regular expressions.
| Table 11 | Syntax for Regular Expressions |
|
Option |
Description |
|---|---|
|
* |
Match zero or more characters in this position. |
|
? |
Match any one character in this position. |
|
| |
Match any one character in this position. |
|
(|) |
Match one of a choice of characters in a range. For example, aa:(0033|4455):3456 matches either aa:0033:3456 or aa:4455:3456. |
|
[] |
Match any character in the range specified, or one of the special characters. For example, [0-9] is all of the digits. [*] is the "*" character, and [[] is the "[ " character. |
Examples
The following example filters the flow monitor cache data on the source IPv4 address of 10.234.53.1:
Router# show flow monitor FLOW-MONITOR-1 cache filter ipv4 source address 10.234.53.1
Cache type: Normal
Cache size: 4096
Current entries: 26
High Watermark: 26
Flows added: 87
Flows aged: 61
- Active timeout ( 1800 secs) 0
- Inactive timeout ( 15 secs) 61
- Event aged 0
- Watermark aged 0
- Emergency aged 0
IPV4 SOURCE ADDRESS: 10.234.53.1
IPV4 DESTINATION ADDRESS: 172.16.10.2
TRNS SOURCE PORT: 0
TRNS DESTINATION PORT: 2048
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 1
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 24724
counter packets: 883
timestamp first: 16:03:56.007
timestamp last: 16:27:07.063
IPV4 SOURCE ADDRESS: 10.234.53.1
IPV4 DESTINATION ADDRESS: 172.16.10.2
TRNS SOURCE PORT: 20
TRNS DESTINATION PORT: 20
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 6
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 35320
counter packets: 883
timestamp first: 16:03:56.267
timestamp last: 16:27:07.323
IPV4 SOURCE ADDRESS: 10.234.53.1
IPV4 DESTINATION ADDRESS: 172.16.10.2
TRNS SOURCE PORT: 21
TRNS DESTINATION PORT: 21
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 6
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 35320
counter packets: 883
timestamp first: 16:03:56.327
timestamp last: 16:27:07.363
Matched 3 flows
The table below describes the significant fields shown in the display.
| Table 12 | show flow monitor monitor-name cache filter Field Descriptions |
|
Field |
Description |
|---|---|
|
Cache type |
Flow monitor cache type. The possible values are: |
|
Cache Size |
Number of entries in the cache. |
|
Current entries |
Number of entries in the cache that are in use. |
|
High Watermark |
Highest number of cache entries seen. |
|
Flows added |
Flows added to the cache since the cache was created. |
|
Flows aged |
Flows expired from the cache since the cache was created. |
|
Active timeout |
Current value for the active timeout in seconds. |
|
Inactive timeout |
Current value for the inactive timeout in seconds. |
|
Event aged |
Number of flows that have been aged by an event such as using the force-export option for the clearflowmonitor command. |
|
Watermark aged |
Number of flows that have been aged because they exceeded the maximum high watermark value. |
|
Emergency aged |
Number of flows that have been aged because the cache size was exceeded. |
|
IPV4 SOURCE ADDRESS |
IPv4 source address. |
|
IPV4 DESTINATION ADDRESS |
IPv4 destination address. |
|
TRNS SOURCE PORT |
source port for the transport protocol. |
|
TRNS DESTINATION PORT |
Destination port for the transport protocol. |
|
INTERFACE INPUT |
Interface on which the input is received. |
|
FLOW DIRECTION |
Input or output. |
|
FLOW SAMPLER ID |
Flow sampler ID number. |
|
IP PROTOCOL |
IP protocol number. |
|
IP TOS |
IP ToS number. |
|
ip source as |
BGP source autonomous system number. |
|
ip destination as |
BGP destination autonomous system number. |
|
ipv4 next hop address |
IPv4 address of the next hop to which the packet is forwarded. |
|
ipv4 source mask |
IPv4 source address mask. |
|
ipv4 destination mask |
IPv4 destination address mask. |
|
tcp flags |
Value of the TCP flags. |
|
interface output |
Interface on which the input is transmitted. |
|
counter bytes |
Number of bytes that have been counted. |
|
counter packets |
Number of packets that have been counted. |
|
timestamp first |
Time stamp of the first packet in the flow. |
|
timestamp last |
Time stamp of the last packet in the flow. |
show flow monitor cache sort
To sort the display output of statistics from the flows in a flow monitor cache, use the showflowmonitorcachesort command in privileged EXEC mode.
Syntax Description
|
name |
(Optional) Specifies the name of a flow monitor. |
|
monitor-name |
Name of a flow monitor that was previously configured. |
|
options |
Fields upon which aggregation can be performed. See the "Usage Guidelines" section. |
|
top |
(Optional) Limits the display output to the 20 highest volume flows (top talkers) unless overridden by the specification of a value for the numberargument. |
|
number |
(Optional) Overrides the default value of top talkers to display. |
|
format |
(Optional) Specifies the use of one of the format options for formatting the display output. |
|
csv |
Displays the flow monitor cache contents in comma-separated variables (CSV) format. |
|
record |
Displays the flow monitor cache contents in record format. |
|
table |
Displays the flow monitor cache contents in table format. |
Usage Guidelines
Flexible NetFlowNetFlow--Top N Talkers Support
The showflowmonitorcachesort command is one of a set of three commands that make up the Flexible NetFlow--Top N Talkers Support feature. The Flexible NetFlow--Top N Talkers Support feature is used to manipulate the display output from the Flexible NetFlow cache to facilitate the analysis of network traffic.
The other two commands that make up the Flexible NetFlow--Top N Talkers Support feature are showflowmonitorcachefilter and showflowmonitorcacheaggregate. The three commands can be used together or on their own, depending on your requirements. For more detailed information about these commands, see the showflowmonitorcachefilter command and the showflowmonitorcacheaggregate command. For information about how the three commands are used together, refer to the " Configuring Cisco IOS Flexible NetFlow -- Top N Talkers Support " module in the Configuring Cisco IOS Flexible NetFlow Configuration Guide.
Flow Sorting
The flow sorting function of the Flexible NetFlow--Top N Talkers Support feature sorts flow data from the Flexible NetFlow cache based on the criteria that you specify, and displays the data. You can also use the flow sorting function of the Flexible NetFlow--Top N Talkers Support feature to limit the display output to a specific number of entries (Top N Talkers) by using the top keyword.
Sort options Argument
The options that you can use for the options argument of the showflowmonitorcachefilter command are dependent on the fields that are used for the record that you configured for the flow monitor using the record command. To identify the options that you can use, use the showflowrecordrecord-name command in privileged EXEC mode, where record-name is the name of the record that you configured for the flow monitor.
For example, if you assigned the "N etFlow Original" predefined record to a flow monitor, you use the showflowrecordnetflow-original command to display its key (match) and nonkey (collect) fields. The following is partial output from the show command:
flow record netflow-original:
Description: Traditional IPv4 input NetFlow with origin ASs
No. of users: 2
Total field space: 53 bytes
Fields:
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
.
.
.
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
The fields from this partial output that you can use for the option argument follow the match (key fields) and collect (nonkey fields) words. For example, you can use the "ipv4 tos" field to sort the flows as shown in the first example in the "Examples" section.
Examples
The following example sorts the flow monitor cache data on the IPv4 ToS value and limits the display output to the top two flows:
Router# show flow monitor FLOW-MONITOR-3 cache sort ipv4 tos top 2
Processed 17 flows
Aggregated to 17 flows
Showing the top 2 flows
IPV4 SOURCE ADDRESS: 10.1.1.1
IPV4 DESTINATION ADDRESS: 224.192.16.1
TRNS SOURCE PORT: 0
TRNS DESTINATION PORT: 3073
INTERFACE INPUT: Et0/0
FLOW SAMPLER ID: 0
IP TOS: 0x55
IP PROTOCOL: 1
ip source as: 0
ip destination as: 0
ipv4 next hop address: 0.0.0.0
ipv4 source mask: /24
ipv4 destination mask: /0
tcp flags: 0x00
interface output: Null
counter bytes: 33680
counter packets: 1684
timestamp first: 18:39:27.563
timestamp last: 19:04:28.459
IPV4 SOURCE ADDRESS: 10.1.1.1
IPV4 DESTINATION ADDRESS: 224.192.16.1
TRNS SOURCE PORT: 0
TRNS DESTINATION PORT: 0
INTERFACE INPUT: Et0/0
FLOW SAMPLER ID: 0
IP TOS: 0x55
IP PROTOCOL: 1
ip source as: 0
ip destination as: 0
ipv4 next hop address: 0.0.0.0
ipv4 source mask: /24
ipv4 destination mask: /0
tcp flags: 0x00
interface output: Et3/0.1
counter bytes: 145040
counter packets: 7252
timestamp first: 18:42:34.043
timestamp last: 19:04:28.459
The table below describes the significant fields shown in the display.
| Table 13 | show flow monitor monitor-name cache sort Field Descriptions |
|
Field |
Description |
|---|---|
|
IPV4 SOURCE ADDRESS |
IPv4 source address. |
|
IPV4 DESTINATION ADDRESS |
IPv4 destination address. |
|
TRNS SOURCE PORT |
source port for the transport protocol. |
|
TRNS DESTINATION PORT |
Destination port for the transport protocol. |
|
INTERFACE INPUT |
Interface on which the input is received. |
|
FLOW DIRECTION |
Input or output. |
|
FLOW SAMPLER ID |
Flow sampler ID number. |
|
IP PROTOCOL |
IP protocol number. |
|
IP TOS |
IP ToS number. |
|
ip source as |
BGP source autonomous system number. |
|
ip destination as |
BGP destination autonomous system number. |
|
ipv4 next hop address |
IPv4 address of the next hop to which the packet is forwarded. |
|
ipv4 source mask |
IPv4 source address mask. |
|
ipv4 destination mask |
IPv4 destination address mask. |
|
tcp flags |
Value of the TCP flags. |
|
interface output |
Interface on which the input is transmitted. |
|
counter bytes |
Number of bytes that have been counted. |
|
counter packets |
Number of packets that have been counted. |
|
timestamp first |
Time stamp of the first packet in the flow. |
|
timestamp last |
Time stamp of the last packet in the flow. |
show flow record
To display the status and statistics for a Flexible NetFlow flow record, use the showflowrecordcommand in privileged EXEC mode.
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
Syntax Description
|
name |
(Optional) Specifies the name of a flow record. |
|
record-name |
(Optional) Name of a user-defined flow record that was previously configured. |
|
netflow-original |
(Optional) Specifies the Flexible NetFlow implementation of original NetFlow with origin autonomous systems. |
|
netflow ipv4 |
(Optional) Configures the flow monitor to use one of the IPv4 predefined records. |
|
netflow ipv6 |
(Optional) Configures the flow monitor to use one of the IPv6 predefined records. |
|
record |
(Optional) Name of the predefined record. See the first table below for a listing of the available records and their definitions. |
|
peer |
(Optional) Configures the flow monitor to use one of the predefined records with peer autonomous systems. The peer keyword is not supported for every type of Flexible NetFlow predefined record. See the first table below. |
|
platform-original ipv4 |
Configures the flow monitor to use one of the predefined IPv4 records. |
|
platform-original ipv6 |
Configures the flow monitor to use one of the predefined IPv6 records. |
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.4(20)T |
The ipv6 and bgp-nexthop keywords were added in Cisco IOS Release 12.4(20)T. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
12.2(50)SY |
This command was modified. The netflow-original,netflowipv4,netflowipv6,andpeerkeywords were removed in Cisco IOS Release 12.2(50)SY. The platform-originalipv4and platform-originalipv4keywords were added. |
Usage Guidelines
The table below describes the keywords and descriptions for the record argument.
| Table 14 | Keywords and Descriptions for the record Argument |
|
Keyword |
Description |
IPv4 Support |
IPv6 Support |
||
|---|---|---|---|---|---|
|
as |
Autonomous system record. |
Yes |
Yes |
||
|
as-tos |
Autonomous system and Type of Service (ToS) record. |
Yes |
-- |
||
|
bgp-nexthop-tos |
BGP next-hop and ToS record. |
Yes |
-- |
||
|
bgp-nexthop |
BGP next-hop record. |
-- |
Yes |
||
|
destination |
Original platform IPv4/IPv6 destination record. |
Yes |
Yes |
||
|
destination-prefix |
Destination prefix record.
|
Yes |
Yes |
||
|
destination-prefix-tos |
Destination prefix and ToS record. |
Yes |
-- |
||
|
destination-source |
Original platform IPv4/IPv6 destination-source record. |
Yes |
Yes |
||
|
full |
Original platform IPv4/IPv6 full record. |
Yes |
Yes |
||
|
interface-destination |
Original platform IPv4/IPv6 interface-destination record. |
Yes |
Yes |
||
|
interface-destination- source |
Original platform IPv4/IPv6 interface-destination-source record. |
Yes |
Yes |
||
|
interface-full |
Original platform IPv4/IPv6 interface-full record. |
Yes |
Yes |
||
|
interface-source |
Original platform IPv4/IPv6 interface-source only record. |
Yes |
Yes |
||
|
original-input |
Traditional IPv4 input NetFlow. |
Yes |
Yes |
||
|
original-output |
Traditional IPv4 output NetFlow. |
Yes |
Yes |
||
|
prefix |
Source and destination prefixes record.
|
Yes |
Yes |
||
|
prefix-port |
Prefix port record.
|
Yes |
-- |
||
|
prefix-tos |
Prefix ToS record. |
Yes |
-- |
||
|
protocol-port |
Protocol ports record.
|
Yes |
Yes |
||
|
protocol-port-tos |
Protocol port and ToS record.
|
Yes |
-- |
||
|
source |
Original platform IPv4/IPv6 source only record. |
Yes |
Yes |
||
|
source-prefix |
Source autonomous system and prefix record.
|
Yes |
Yes |
||
|
source-prefix-tos |
Source prefix and ToS record. |
Yes |
-- |
Examples
The following example displays the status and statistics for the original Flexible NetFlow record:
Router# show flow record FLOW-RECORD-1 platform-original ipv4 destination
flow record FLOW_RECORD-1:
Description: Flow Record for IPv4 traffic
No. of users: 3
Total field space: 53 bytes
Fields:
match interface input
match transport destination-port
match transport source-port
match ipv4 destination address
match ipv4 source address
match ipv4 protocol
match ipv4 tos
collect counter bytes
collect counter packets
collect timestamp sys-uptime last
collect timestamp sys-uptime first
collect ipv4 destination mask
collect ipv4 source mask
collect routing destination as
collect routing source as
collect transport tcp flags
collect routing next-hop address ipv4
collect interface output
The table below describes the significant fields shown in the display.
| Table 15 | show flow record netflow-original Field Descriptions |
|
Field |
Description |
|---|---|
|
Description |
Description that you configured for the record, or the default description "User defined." |
|
No. of users |
Number of monitors in the configuration that use the flow record. |
|
Total field space |
Number of bytes required to store these fields for one flow. |
|
Fields |
The fields that are included in this record. For more information about the fields, refer to the match and collect commands. |
show platform flow
To display information for Flexible NetFlow platform parameters. use the showplatformflowcommand in privileged EXEC mode.
Syntax Description
|
aging |
(Optional) Displays the Flexible NetFlow parameter aging information. |
|
export |
(Optional) Displays the Flexible NetFlow parameter export information. |
|
usage |
(Optional) Displays the Flexible NetFlow table usage information. |
|
table-contention |
(Optional) Displays the Flexible NetFlow table contention information. |
|
aggregate |
(Optional) Displays the Flexible NetFlow table contention aggregate information. |
|
detailed |
(Optional) Displays the Flexible NetFlow table contention detailed information. |
|
summary |
(Optional) Displays theFlexible NetFlow table contention summary information. |
|
ip |
(Optional) Displays the Flexible NetFlow IP entry information. |
|
ipv6 |
(Optional) Displays the Flexible NetFlow IPv6 entry information. |
|
count |
Total number of entries. |
|
destination |
(Optional) Information on entries with destination address. |
|
instance |
(Optional) Platform instance information. |
|
module |
(Optional) Platform module information. |
|
multicast |
(Optional) Flexible NetFlow multicast entry information. |
|
protocol |
(Optional) Flexible NetFlow Layer 4 protocol information. |
|
source |
(Optional) Information on entries with source address. |
|
layer2 |
(Optional) Displays the Flexible NetFlow Layer 2 entry information. |
|
mpls |
(Optional) Displays the Flexible NetFlow MPLS entry information. |
Examples
The following example displays Flexible NetFlow parameter export information:
Router# show platform flow export Yielding NDE is enabled. Supervisor CPU threshold = 25 Linecard CPU threshold = 25 Module 3: ---------- No of flows read and exported = 0 No of flows discarded = 0 No of capture+purge requests = 1695104 No of purge-only requests = 19 Module 5: ---------- No of flows read and exported = 0 No of flows discarded = 0 No of capture+purge requests = 1695158 No of purge-only requests = 0 lionel#
The table below describes the significant fields shown in the display.
| Table 16 | show platform flow export Field Descriptions |
|
Field |
Description |
|---|---|
|
Supervisor CPU threshold |
The platform (supervisor) CPU utilization threshold (in percent) up to which NetFlow export is permitted. The number and complexity of flow records to be exported is the prime cause of CPU use in NetFlow. The CPU Friendly NetFlow Export feature (also known as Yielding NetFlow Data Export, or Yielding NDE) monitors CPU use for both the supervisor and line cards according to user-configured thresholds and dynamically adjusts the rate of export as needed. |
|
Linecard CPU threshold |
The line-card CPU utilization threshold (in percent) up to which NetFlow export is permitted. The number and complexity of flow records to be exported is the prime cause of CPU use in NetFlow. The CPU Friendly NetFlow Export feature (also known as Yielding NetFlow Data Export, or Yielding NDE) monitors CPU use for both the supervisor and line cards according to user-configured thresholds and dynamically adjusts the rate of export as needed. |
|
No of flows read and exported |
Number of Flexible NetFlow flows processed and exported. |
|
No of flows discarded |
Number of Flexible NetFlow flows discarded. |
|
No of capture+purge requests |
Number of Flexible NetFlow flow capture and purge requests. |
|
No of purge-only requests |
Number of Flexible NetFlow flow purge requests. |
show sampler
To display the status and statistics for a Flexible NetFlow sampler, use the showsampler command in privileged EXEC mode.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
12.2(50)SY |
This command was integrated into Cisco IOS Release 12.2(50)SY. |
Examples
The following example displays the status and statistics for all of the flow samplers configured:
Router# show sampler
Sampler SAMPLER-1:
ID: 1
Description: User defined
Type: random
Rate: 1 out of 3
Samples: 189
Requests: 23243
Users (2):
flow monitor FLOW-MONITOR-1 (ip,Et0/0,Input) 65 out of 10786
flow monitor FLOW-MONITOR-2 (ipv6,Et0/0, Input) 124 out of 12457
Sampler sampler-2:
ID: 2
Description: User defined
Type: deterministic
Rate: 1 out of 100
Samples: 1
Requests: 124
Users (1):
flow monitor FLOW-MONITOR-1 (ip,Et0/0,Input) 1 out of 124
The table below describes the significant fields shown in the display.
| Table 17 | show sampler Field Descriptions |
|
Field |
Description |
|---|---|
|
ID |
ID number of the flow sampler. This is used to identify the sampler at the collector. |
|
Description |
Description that you configured for the flow sampler, or the default description "User defined." |
|
Type |
Sampling mode that you configured for the flow sampler. |
|
Rate |
Window size (for packet selection) that you configured for the flow sampler. Range: 2 to 32768. |
|
Samples |
Number of packets sampled since the flow sampler was configured or the router was restarted. This is equivalent to the number of times a positive response was received when the sampler was queried to determine if the traffic needed to be sampled. Refer to the explanation of the "Requests" field in this table. |
|
Requests |
Number of times the flow sampler was queried to determine if the traffic needed to be sampled. |
|
Users |
Interfaces on which the flow sampler is configured. |
source (Flexible NetFlow)
To configure the source IP address interface for all of the packets sent by a Flexible NetFlow flow exporter, use the source command in Flexible NetFlow flow exporter configuration mode. To remove the source IP address interface for all of the packets sent by a Flexible NetFlow flow exporter, use the no form of this command.
Command Default
The IP address of the interface over which the Flexible NetFlow datagram is transmitted is used as the source IP address.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
Usage Guidelines
The benefits of using a consistent IP source address for the datagrams that NetFlow sends include the following:
- The source IP address of the datagrams exported by Flexible NetFlow is used by the destination system to determine from which router the Flexible NetFlow data is arriving. If your network has two or more paths that can be used to send Flexible NetFlow datagrams from the router to the destination system and you do not specify the source interface from which the source IP address is to be obtained, the router uses the IP address of the interface over which the datagram is transmitted as the source IP address of the datagram. In this situation the destination system might receive Flexible NetFlow datagrams from the same router, but with different source IP addresses. When the destination system receives Flexible NetFlow datagrams from the same router with different source IP addresses, the destination system treats the Flexible NetFlow datagrams as if they were being sent from different routers. To avoid having the destination system treat the Flexible NetFlow datagrams as if they were being sent from different routers, you must configure the destination system to aggregate the Flexible NetFlow datagrams it receives from all of the possible source IP addresses in the router into a single Flexible NetFlow flow.
- If your router has multiple interfaces that can be used to transmit datagrams to the destination system, and you do not configure the source command, you will have to add an entry for the IP address of each interface into any access lists that you create for permitting Flexible NetFlow traffic. Creating and maintaining access lists for permitting Flexible NetFlow traffic from known sources and blocking it from unknown sources is easier when you limit the source IP address for Flexible NetFlow datagrams to a single IP address for each router that is exporting Flexible NetFlow traffic.
 Caution | The interface that you configure as the source interface must have an IP address configured, and it must be up. |
 Tip | When a transient outage occurs on the interface that you configured with the source command, the Flexible NetFlow exporter reverts to the default behavior of using the IP address of the interface over which the datagrams are being transmitted as the source IP address for the datagrams. To avoid this problem, use a loopback interface as the source interface because loopback interfaces are not subject to the transient outages that can occur on physical interfaces. |
statistics packet
To collect protocol distribution statistics and size distribution statistics for a Flexible NetFlow flow monitor, use the statisticspacket command in Flexible NetFlow flow monitor configuration mode. To disable collecting protocol distribution statistics and size distribution statistics for a Flexible NetFlow flow monitor, use the no form of this command.
Command Default
The collection of protocol distribution statistics and size distribution statistics for a Flexible NetFlow flow monitor is not enabled by default.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
Cisco IOS XE 3.1S |
This command was integrated into Cisco IOS XE Release 3.1S. |
|
12.2(50)SY |
This command was integrated into Cisco IOS Release 12.2(50)SY. |
Examples
The following example enables the collection of protocol distribution statistics for flow monitors:
Router(config)# flow monitor FLOW-MONITOR-1 Router(config-flow-monitor)# statistics packet protocol
The following example enables the collection of size distribution statistics for flow monitors:
Router(config)# flow monitor FLOW-MONITOR-1 Router(config-flow-monitor)# statistics packet size
template data timeout
To configure the template resend timeout for a flow exporter, use the templatedatatimeout command in flow exporter configuration mode. To remove the template resend timeout for a flow exporter, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
Cisco IOS XE Release 3.1S |
This command was integrated into Cisco IOS XE Release 3.1S. |
|
15.1(3)T |
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. |
|
12.2(58)SE |
This command was integrated into Cisco IOS Release 12.2(58)SE. |
|
12.2(50)SY |
This command was integrated into Cisco IOS Release 12.2(50)SY. |
transport (Flexible NetFlow)
To configure the transport protocol for a flow exporter for Flexible NetFlow or Performance Monitor, use the transport command in flow exporter configuration mode. To remove the transport protocol for a flow exporter, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
This command was integrated into Cisco IOS Release 12.2(33)SRC and implemented on the Cisco 7200 series routers. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
Cisco IOS XE Release 3.1S |
This command was integrated into Cisco IOS XE Release 3.1S. |
|
15.1(3)T |
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. |
|
12.2(58)SE |
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor. |
|
12.2(50)SY |
This command was integrated into Cisco IOS Release 12.2(50)SY. |
ttl (Flexible NetFlow)
To configure the time-to-live (TTL) value for a flow exporter for Flexible NetFlow or Performance Monitor, use the ttl command in flow exporter configuration mode. To remove the TTL value for a flow exporter, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.4(9)T |
This command was introduced. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.0(33)S |
This command was implemented on the Cisco 12000 series routers. |
|
12.2(33)SRC |
This command was integrated into Cisco IOS Release 12.2(33)SRC and implemented on the Cisco 7200 series routers. |
|
12.2(33)SRE |
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers. |
|
Cisco IOS XE Release 3.1S |
This command was integrated into Cisco IOS XE Release 3.1S. |
|
15.1(3)T |
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. |
|
12.2(58)SE |
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor. |
|
12.2(50)SY |
This command was integrated into Cisco IOS Release 12.2(50)SY. |