Cisco IOS Software Releases 12.3 T

NetFlow Layer 2 and Security Monitoring Exports

Table Of Contents

NetFlow Layer 2 and Security Monitoring Exports

Contents

Prerequisites for NetFlow Layer 2 and Security Monitoring Exports

Restrictions for NetFlow Layer 2 and Security Monitoring Exports

Information About NetFlow Layer 2 and Security Monitoring Exports

Understanding the NetFlow Application

NetFlow Benefits

NetFlow Cisco IOS Packaging Information

Understanding NetFlow Network Flows

NetFlow Main Cache Operation

NetFlow Data Capture

NetFlow Export Formats

Benefits of NetFlow Layer 2 and Security Monitoring

Layer 3 Information Capture Using NetFlow Layer 2 and Security Monitoring Exports

Layer 2 Information Capture Using NetFlow Layer 2 and Security Monitoring Exports

How to Configure NetFlow Layer 2 and Security Monitoring Exports

Configuring NetFlow Layer 2 and Security Monitoring Exports

Prerequisites

Restrictions

Verifying NetFlow Layer 2 and Security Monitoring Exports

Configuration Examples for NetFlow Layer 2 and Security Monitoring Exports

Configuring and Using NetFlow Layer 2 and Security Monitoring Exports to Analyze a Simulated FTP Attack: Example

Configuring and Using NetFlow Layer 2 and Security Monitoring Exports to Analyze a Simulated ICMP Ping Attack: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

ip flow-capture

show ip cache verbose flow


NetFlow Layer 2 and Security Monitoring Exports


NetFlow is a Cisco IOS application that provides statistics on packets flowing through the router. It is emerging as a primary network accounting and security technology. This document describes the NetFlow application and the new NetFlow Layer 2 and Security Monitoring Exports feature.

The NetFlow Layer 2 and Security Monitoring Exports feature adds the ability for NetFlow to capture the values from several fields in Layer 3 IP traffic and Layer 2 LAN traffic to obtain information that can be used to classify and identify network traffic. This information can be used to help identify network attacks and their origin.

Feature History for NetFlow Layer 2 and Security Monitoring

Release
Modification

12.3(14)T

This feature was introduced.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for NetFlow Layer 2 and Security Monitoring Exports

Restrictions for NetFlow Layer 2 and Security Monitoring Exports

Information About NetFlow Layer 2 and Security Monitoring Exports

How to Configure NetFlow Layer 2 and Security Monitoring Exports

Configuration Examples for NetFlow Layer 2 and Security Monitoring Exports

Additional References

Command Reference

Prerequisites for NetFlow Layer 2 and Security Monitoring Exports

NetFlow and Cisco Express Forwarding (CEF), distributed CEF (dCEF), or fast switching must be configured on your system.

Restrictions for NetFlow Layer 2 and Security Monitoring Exports

If you want to export the data captured with the NetFlow Layer 2 and Security Monitoring Exports feature, you must configure NetFlow to use the NetFlow Version 9 data export format. The Version 1, 5, 7, and 8 export formats have fixed record layouts with no fields for the MAC address, VLAN ID, TTL, packet length, IP ID, and ICMP type and code values, so those values are silently dropped from the export if you use one of them. The captured values are still visible on the router with the show ip cache verbose flow command regardless of the export format.

Information About NetFlow Layer 2 and Security Monitoring Exports

To configure the NetFlow feature, you should understand the following concepts:

Understanding the NetFlow Application

NetFlow Benefits

NetFlow Cisco IOS Packaging Information

Understanding NetFlow Network Flows

NetFlow Main Cache Operation

NetFlow Data Capture

NetFlow Export Formats

Benefits of NetFlow Layer 2 and Security Monitoring

Understanding the NetFlow Application

NetFlow identifies packet flows for both ingress and egress IP packets. It does not involve any connection-setup protocol. NetFlow is completely transparent to the existing network, including end stations and application software and network devices like LAN switches. Also, NetFlow capture and export are performed independently on each internetworking device; NetFlow need not be operational on each router in the network.

NetFlow can capture a rich set of traffic statistics. These traffic statistics include user, protocol, port, and type of service (ToS) information that can be used for a wide variety of purposes, including network traffic analysis and capacity planning, security, enterprise accounting and departmental chargebacks, Internet Service Provider (ISP) billing, data warehousing, and data mining for marketing purposes.

NetFlow is supported on IP and IP encapsulated traffic over most interface types and Layer 2 encapsulations.

You can display and clear NetFlow statistics. NetFlow statistics consist of IP packet size distribution, IP flow switching cache information, and flow information.

NetFlow Benefits

NetFlow captures a rich set of traffic statistics. These traffic statistics include user, protocol, port, and type of service (ToS) information that can be used for a wide variety of purposes such as network application and user monitoring (user monitoring is performed by monitoring the IP addresses of the devices that users are running applications on), network analysis and planning, denial of service (DoS) and security analysis, accounting and billing, traffic engineering, and data mining.

Network Application and User Monitoring

NetFlow data enables you to view detailed, time-based and application-based usage of a network. This information allows you to plan and allocate network and application resources, and provides for extensive near real-time network monitoring capabilities. It can be used to display traffic patterns and application-based views. NetFlow provides proactive problem detection and efficient troubleshooting, and it facilitates rapid problem resolution. You can use NetFlow information to efficiently allocate network resources and to detect and resolve potential security and policy violations.

Network Analysis and Planning

You can use NetFlow to capture data over a long period of time, which enables you to track and anticipate network growth and plan upgrades. NetFlow service data can be used to optimize network planning, which includes peering, backbone upgrades, and routing policy planning. It also enables you to minimize the total cost of network operations while maximizing network performance, capacity, and reliability. NetFlow detects unwanted WAN traffic, validates bandwidth and quality of service (QoS) behavior, and enables the analysis of new network applications. NetFlow offers valuable information that you can use to reduce the cost of operating the network.

Denial of Service and Security Analysis

You can use NetFlow data to identify and classify denial of service (DoS) attacks, viruses, and worms in real time. Changes in network behavior indicate anomalies that are clearly reflected in NetFlow data. The data is also a valuable forensic tool that you can use to understand and replay the history of security incidents.

Accounting and Billing

NetFlow data provides fine-grained metering for highly flexible and detailed resource utilization accounting. For example, flow data includes details such as IP addresses, packet and byte counts, timestamps, and information about type of service (ToS) and application ports. Service providers might utilize the information for billing based on time-of-day, bandwidth usage, application usage, or QoS. Enterprise customers might utilize the information for departmental chargeback or cost allocation for resource utilization.

Traffic Engineering

NetFlow provides autonomous system (AS) traffic engineering details. You can use NetFlow-captured traffic data to understand source-to-destination traffic trends. This data can be used for load-balancing traffic across alternate paths or for forwarding traffic along a preferred route. NetFlow can measure the amount of traffic crossing peering or transit points to help you decide if a peering arrangement with other service providers is fair and equitable.

NetFlow Data Storage and Data Mining

NetFlow data (or derived information) can be stored for later retrieval and analysis in support of marketing and customer service programs. For example, the data can be mined to find out which applications and services are being used by internal and external users and target the users for improved service and advertising. In addition, NetFlow data gives market researchers access to the who, what, where, and how long information relevant to enterprises and service providers.

NetFlow Cisco IOS Packaging Information

Cisco 7200/7500/7400/MGX/AS5850

Although NetFlow functionality is included in all software images for these platforms, you must purchase a separate NetFlow feature license. NetFlow licenses are sold on a per-node basis.

Other Routers

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Understanding NetFlow Network Flows

A NetFlow network flow is defined as a unidirectional stream of packets between a given source and destination. The source and destination are each defined by a network-layer IP address and transport-layer source and destination port numbers. Specifically, a flow is defined by the combination of the following seven key fields:

Source IP address

Destination IP address

Source port number

Destination port number

Layer 3 protocol type

Type of service

Input logical interface

These seven key fields define a unique flow. If a packet has one key field different from another packet, it is considered to belong to another flow. A flow might also contain other accounting fields (such as the AS number in the NetFlow export Version 5 flow format), depending on the export record version that you configure. Flows are stored in the NetFlow cache.

NetFlow Main Cache Operation

The key components of NetFlow are the NetFlow cache that stores IP flow information and the NetFlow export or transport mechanism that sends NetFlow data to a network management collector, such as the NetFlow Collection Engine. NetFlow operates by creating a NetFlow cache entry (a flow record) for each active flow. NetFlow maintains a flow record within the cache for each active flow. Each flow record in the NetFlow cache contains fields that can later be exported to a collection device, such as the NetFlow Collection Engine.
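The following is an added example, not Cisco IOS code: a minimal NetFlow-style main cache written in Python that keys flows on the seven key fields listed above and stores the Layer 2 and security fields as non-key data, so a change in a key field starts a new flow while a change in a non-key field (such as the source MAC address) does not. The packets are constructed inline; the decision to keep the TTL and packet length as minimum/maximum pairs and the IP ID of the most recent packet is an assumption made for this example, not a description of how the IOS cache stores them.

```python
# Added example (not Cisco IOS code): a minimal NetFlow-style main cache that
# keys flows on the seven key fields from the text and carries the Layer 2 and
# security fields as non-key data. Packets are constructed inline.
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Tuple

# The seven key fields: src IP, dst IP, src port, dst port, protocol, ToS, input interface.
FlowKey = Tuple[str, str, int, int, int, int, str]


@dataclass
class FlowRecord:
    packets: int = 0
    octets: int = 0
    min_ttl: int = 255          # non-key: tracked as min/max, like v9 MIN_TTL/MAX_TTL
    max_ttl: int = 0
    min_len: int = 65535
    max_len: int = 0
    ip_id: int = 0              # assumption: ID of the most recent packet in the flow
    src_mac: str = ""           # Layer 2 fields taken from the first frame of the flow
    vlan: int = 0


class FlowCache:
    def __init__(self) -> None:
        self.flows: Dict[FlowKey, FlowRecord] = OrderedDict()

    @staticmethod
    def key_of(pkt: dict) -> FlowKey:
        return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                pkt["proto"], pkt["tos"], pkt["in_if"])

    def add(self, pkt: dict) -> FlowKey:
        key = self.key_of(pkt)
        rec = self.flows.get(key)
        if rec is None:                       # any key-field change => a new flow
            rec = FlowRecord(src_mac=pkt["src_mac"], vlan=pkt["vlan"])
            self.flows[key] = rec
        rec.packets += 1
        rec.octets += pkt["len"]
        rec.min_ttl, rec.max_ttl = min(rec.min_ttl, pkt["ttl"]), max(rec.max_ttl, pkt["ttl"])
        rec.min_len, rec.max_len = min(rec.min_len, pkt["len"]), max(rec.max_len, pkt["len"])
        rec.ip_id = pkt["id"]
        return key


def packet(src, dst, sport, dport, proto=6, tos=0, in_if="Fa0/0", ttl=64,
           length=60, ip_id=1, src_mac="00:0c:29:4a:1b:02", vlan=100) -> dict:
    """Constructed packet summary (the fields NetFlow would read from the wire)."""
    return dict(src=src, dst=dst, sport=sport, dport=dport, proto=proto, tos=tos,
                in_if=in_if, ttl=ttl, len=length, id=ip_id, src_mac=src_mac, vlan=vlan)


def build_sample_cache() -> FlowCache:
    cache = FlowCache()
    # Two packets of one TCP connection: same key, so one flow with two packets.
    cache.add(packet("10.34.0.2", "172.16.10.2", 33000, 21, ttl=63, length=60, ip_id=1))
    cache.add(packet("10.34.0.2", "172.16.10.2", 33000, 21, ttl=63, length=1500, ip_id=2))
    # Different source IP (the example in the text): a second flow.
    cache.add(packet("172.16.213.65", "172.16.10.2", 33000, 21, ttl=120, length=60, ip_id=9))
    # Same addresses and ports as the first, but a different ToS: a third flow,
    # because ToS is a key field even though the MAC and VLAN did not change.
    cache.add(packet("10.34.0.2", "172.16.10.2", 33000, 21, tos=0x10, ttl=63, ip_id=3))
    # Same key as the first flow but arriving from another MAC: still the first
    # flow, because the MAC address is non-key and does not split the flow.
    cache.add(packet("10.34.0.2", "172.16.10.2", 33000, 21, ttl=62, length=100,
                     ip_id=4, src_mac="00:0c:29:ff:ff:ff"))
    return cache
```

The third and fifth packets are the instructive pair: a one-bit change in ToS creates a new cache entry, while a completely different source MAC address on an otherwise identical packet is folded into the existing flow and only the first frame's MAC is retained.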

NetFlow Data Capture

NetFlow captures data from ingress (incoming) and egress (outgoing) packets. NetFlow gathers data for the following ingress IP packets:

IP-to-IP packets

IP-to-Multiprotocol Label Switching (MPLS) packets

NetFlow captures data for all egress (outgoing) packets through use of the following features:

Egress NetFlow Accounting—NetFlow gathers data for all egress packets for IP traffic only.

NetFlow MPLS Egress—NetFlow gathers data for all egress MPLS-to-IP packets.

NetFlow Export Formats

NetFlow exports data in User Datagram Protocol (UDP) datagrams in one of five formats: Version 9, Version 8, Version 7, Version 5, or Version 1. Version 9 export format, the latest version, is the most flexible and extensible format. Version 1 was the initial NetFlow export format; Version 8 only supports export from aggregation caches, and Version 7 is supported only on certain platforms. (Versions 2 through 4 and Version 6 were either not released or are not supported.)

Version 9—A flexible and extensible format, which provides the versatility needed for support of new fields and record types. This format accommodates new NetFlow-supported technologies such as MPLS, and Border Gateway Protocol (BGP) next hop. The distinguishing feature of the NetFlow Version 9 format is that it is template based. Templates provide an extensible design to the record format, a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format. IP Flow Information Export (IPFIX) was based on the Version 9 export format.

Version 8—A format added to support data export from aggregation caches. Version 8 allows export datagrams to contain a subset of the usual Version 5 export data, if that data is valid for a particular aggregation cache scheme.

Version 7—A version supported on a Catalyst 5000 series switch equipped with a NetFlow feature card (NFFC) and on Catalyst 6000 series switches with a multilayer switch feature card (MSFC) on CatOS Release 5.5(7) and later. On a Catalyst 6000 series switch with an MSFC, you can export using either the Version 7 or the Version 8 format.

Version 5—A version that adds BGP AS information and flow sequence numbers.

Version 1—The initially released export format, rarely used today. Do not use the Version 1 export format unless the legacy collection system you are using requires it. Use either the Version 9 export format or the Version 5 export format for data export from the main cache.
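The following is an added example, not Cisco IOS code, that shows concretely what "template based" means for Version 9: it builds an export datagram containing a Template FlowSet that describes a record carrying the Layer 2 and security fields, followed by a Data FlowSet with one such record, and then decodes the datagram the way a collector does, using the template it just received. The field type numbers and lengths are those defined in RFC 3954, section 8; the addresses, MAC addresses, and VLAN IDs in the sample record are constructed for the example.

```python
# Added example (not Cisco IOS code): build a NetFlow Version 9 export datagram
# that carries a Template FlowSet and one Data FlowSet record with the Layer 2
# and security fields, then decode it with the template, as a collector would.
import socket
import struct

# Field type IDs and lengths from RFC 3954, section 8.
FIELDS = {
    8: ("IPV4_SRC_ADDR", 4), 12: ("IPV4_DST_ADDR", 4),
    7: ("L4_SRC_PORT", 2), 11: ("L4_DST_PORT", 2), 4: ("PROTOCOL", 1),
    52: ("MIN_TTL", 1), 53: ("MAX_TTL", 1), 54: ("IPV4_IDENT", 2),
    25: ("MIN_PKT_LNGTH", 2), 26: ("MAX_PKT_LNGTH", 2), 32: ("ICMP_TYPE", 2),
    56: ("IN_SRC_MAC", 6), 57: ("OUT_DST_MAC", 6),
    58: ("SRC_VLAN", 2), 59: ("DST_VLAN", 2),
}
TEMPLATE_ID = 256   # FlowSet IDs 0-255 are reserved; data templates start at 256


def _encode(ftype, value):
    name, size = FIELDS[ftype]
    if name.endswith("ADDR"):
        return socket.inet_aton(value)
    if name.endswith("MAC"):
        return bytes.fromhex(value.replace(":", ""))
    return int(value).to_bytes(size, "big")


def _decode(ftype, raw):
    name = FIELDS.get(ftype, (f"FIELD_{ftype}", len(raw)))[0]
    if name.endswith("ADDR"):
        return name, socket.inet_ntoa(raw)
    if name.endswith("MAC"):
        return name, ":".join(f"{b:02x}" for b in raw)
    return name, int.from_bytes(raw, "big")


def build_v9(record, seq=1, source_id=0, uptime_ms=1000, unix_secs=1_100_000_000):
    """record: {field_type: value} in template order. Returns the UDP payload."""
    types = list(record)
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(types))
    tmpl += b"".join(struct.pack("!HH", t, FIELDS[t][1]) for t in types)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl          # FlowSet ID 0
    data = b"".join(_encode(t, record[t]) for t in types)
    pad = (-(4 + len(data))) % 4                                        # 4-byte alignment
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(data) + pad) + data + b"\0" * pad
    # Count = number of records in the packet: one template record plus one data record.
    header = struct.pack("!HHIIII", 9, 2, uptime_ms, unix_secs, seq, source_id)
    return header + template_fs + data_fs


def parse_v9(pkt, templates=None):
    """Decode a v9 export packet. Templates persist across packets on a real
    collector; data FlowSets whose template is unknown are skipped, not guessed."""
    templates = {} if templates is None else templates
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", pkt[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, off = [], 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        if fs_len < 4:
            break                                     # malformed; do not loop forever
        body, off = pkt[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:                               # Template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(n)]
                p += 4 * n
        elif fs_id >= 256:                           # Data FlowSet
            tmpl = templates.get(fs_id)
            if tmpl is None:
                continue
            rec_len = sum(flen for _, flen in tmpl)
            p = 0
            while p + rec_len <= len(body):          # trailing padding is shorter than a record
                rec, q = {}, p
                for ftype, flen in tmpl:
                    name, val = _decode(ftype, body[q:q + flen])
                    rec[name] = val
                    q += flen
                records.append(rec)
                p += rec_len
    return seq, records


# Constructed sample flow: an ICMP Echo (type 8, code 0) that entered on VLAN 100
# from a hypothetical upstream router MAC and left toward the target's MAC on VLAN 200.
SAMPLE = {
    8: "203.0.113.7", 12: "192.168.10.5", 7: 0, 11: 0, 4: 1,
    52: 250, 53: 250, 54: 0x4f3a, 25: 28, 26: 28, 32: (8 << 8) | 0,
    56: "00:0c:29:4a:1b:02", 57: "00:50:56:8d:aa:01", 58: 100, 59: 200,
}
```

Two details matter operationally. The ICMP type and code travel together in the 2-byte ICMP_TYPE field as type * 256 + code, so a collector must split them. And a Data FlowSet is undecodable until the template with the same ID has been seen, which is why a collector started after the router will show nothing until the router's next template refresh.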

Benefits of NetFlow Layer 2 and Security Monitoring

The Layer 2 and Layer 3 fields supported by the NetFlow Layer 2 and Security Monitoring Exports feature increase the amount of information that can be obtained by NetFlow about the traffic in your network. You can use this new information for applications such as traffic engineering and usage-based billing.

The new Layer 3 IP header fields that the NetFlow Layer 2 and Security Monitoring Exports feature captures the values of are:

Time-to-Live field

Packet Length field

ID field

ICMP type and code fields

See the "Layer 3 Information Capture Using NetFlow Layer 2 and Security Monitoring Exports" section for more information on these Layer 3 fields.

The new Layer 2 fields that NetFlow Layer 2 and Security Monitoring Exports feature captures the values of are:

Source MAC address field from frames that are received by the NetFlow router

Destination MAC address field from frames that are transmitted by the NetFlow router

VLAN ID field from frames that are received by the NetFlow router

VLAN ID field from frames that are transmitted by the NetFlow router

See the "Layer 2 Information Capture Using NetFlow Layer 2 and Security Monitoring Exports" section for more information on these Layer 2 fields.

The Layer 3 fields captured by the NetFlow Layer 2 and Security Monitoring Exports feature improve NetFlow's capabilities for identifying DoS attacks. The Layer 2 fields captured by the NetFlow Layer 2 and Security Monitoring Exports feature can help you identify the path that the DoS attack is taking through the network.

The Layer 2 and Layer 3 fields captured by the NetFlow Layer 2 and Security Monitoring Exports feature are not key fields. They provide additional information about the traffic in an existing flow. Changes in the values of NetFlow key fields such as the source IP address from one packet to the next packet result in the creation of a new flow. For example if the first packet captured by NetFlow has a source IP address of 10.34.0.2 and the second packet captured by NetFlow has a source IP of 172.16.213.65, NetFlow will create two separate flows.

Many DoS attacks consist of an attacker sending the same type of IP datagram over and over again in an attempt to overwhelm the target systems. In such cases the incoming traffic often has similar characteristics such as the same values in each datagram for one or more of the fields that the NetFlow Layer 2 and Security Monitoring Exports feature can capture.

There is no easy way to identify the originator of many DoS attacks because the IP source address of the device sending the traffic is usually forged. However by capturing the MAC address and VLAN-ID fields using the NetFlow Layer 2 and Security Monitoring Exports feature, you can easily trace the traffic back through the network to the router that it is arriving on. If the router that the traffic is arriving on supports NetFlow, you can configure the NetFlow Layer 2 and Security Monitoring Exports feature on it to identify the interface where the traffic is arriving. Figure 1 shows an example of an attack in progress.

Figure 1 DoS Attack Arriving over the Internet


Note You can analyze the data captured by NetFlow directly from the router using the show ip cache verbose flow command or with the CNS NetFlow Collector Engine.


Once you have concluded that a DoS attack is taking place by analyzing the Layer 3 fields in the NetFlow flows, you can analyze the Layer 2 fields in the flows to discover the path that the DoS attack is taking through the network.

An analysis of the data captured by the NetFlow Layer 2 and Security Monitoring Exports feature for the scenario shown in Figure 1 indicates that the DoS attack is arriving from Router C, because the source MAC address of the incoming frames is the MAC address of the interface that connects Router C to Switch A. It is also evident that there are no routers between the target host (the email server) and the NetFlow router, because the destination MAC address of the DoS traffic that the NetFlow router is forwarding to the email server is the MAC address of the email server itself.

You can find out the MAC address that Host C is using to send the traffic to Router C by configuring the NetFlow Layer 2 and Security Monitoring Exports feature on Router C. The source MAC address will be from Host C. The destination MAC address will be for the interface on the NetFlow router.

Once you know the MAC address that Host C is using and the interface on Router C that Host C's DoS attack is arriving on, you can mitigate the attack by reconfiguring Router C to block Host C's traffic. If Host C is on a dedicated interface, disable the interface. If Host C is using an interface that carries traffic from other users, you must configure your firewall or an access list on Router C to block Host C's traffic while still allowing the traffic from the other users to flow through Router C.
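The analysis described above, as an added Python example that is not part of the original document: flow records shaped like the ones the feature exposes (key fields plus TTL, packet length, IP ID, input interface, source and destination MAC, and VLAN ID) are grouped by target and then by the non-key "shape" of the datagrams. Many distinct source addresses sending datagrams with one TTL and one length to the same target is the signature of a flood with forged sources, and the ingress interface, upstream MAC, and VLAN of those flows say where it enters the router. The records, MAC addresses, and interface names are constructed for the example, and the rule's threshold is an assumption to tune, not a fixed recommendation.

```python
# Added example (not Cisco IOS code): analyze flow records of the kind the
# feature exposes (key fields plus TTL, length, IP ID, MAC and VLAN) to flag a
# DoS pattern and report where it enters the router. Records are constructed.
from collections import defaultdict


def find_dos_candidates(flows, min_sources=10):
    """Group flows by target (dst IP, dst port, protocol), then by the non-key
    shape (TTL, length). One shape hit from many distinct sources looks like a
    flood with forged source addresses: the attack tool stamps every datagram
    the same way, so the non-key fields stay constant while the key field
    (source IP) is randomized. Legitimate clients vary in TTL and size."""
    by_target = defaultdict(list)
    for f in flows:
        by_target[(f["dst"], f["dport"], f["proto"])].append(f)
    findings = []
    for (dst, dport, proto), recs in by_target.items():
        by_shape = defaultdict(list)
        for r in recs:
            by_shape[(r["ttl"], r["len"])].append(r)
        for (ttl, length), same in by_shape.items():
            sources = {r["src"] for r in same}
            if len(sources) < min_sources:
                continue
            findings.append({
                "target": dst, "dport": dport, "proto": proto,
                "sources": len(sources), "packets": sum(r["pkts"] for r in same),
                "ttl": ttl, "len": length,
                "distinct_ip_ids": len({r["ipid"] for r in same}),
                # Where the traffic enters: input interface, upstream MAC, ingress VLAN.
                "ingress": sorted({(r["in_if"], r["src_mac"], r["src_vlan"]) for r in same}),
                # Where it leaves: if this is the target's own MAC, no router sits between.
                "egress_dst_mac": sorted({r["dst_mac"] for r in same}),
            })
    return findings


def flow(src, dst, sport, dport, proto, pkts, ttl, length, ipid, in_if, src_mac, dst_mac, src_vlan):
    return dict(src=src, dst=dst, sport=sport, dport=dport, proto=proto, pkts=pkts, ttl=ttl,
                len=length, ipid=ipid, in_if=in_if, src_mac=src_mac, dst_mac=dst_mac,
                src_vlan=src_vlan)


ROUTER_C_MAC = "00:0c:29:4a:1b:02"    # hypothetical: Router C's interface toward Switch A
FTP_SERVER_MAC = "00:50:56:8d:aa:01"  # hypothetical: the target host's NIC


def sample_flows():
    flows = []
    # Forged-source SYN flood against an FTP server: 40 sources, one TTL, one length, IP ID 0.
    for n in range(40):
        flows.append(flow(f"203.0.113.{n + 1}", "192.168.10.5", 1024 + n, 21, 6, pkts=250,
                          ttl=252, length=40, ipid=0, in_if="FastEthernet0/0",
                          src_mac=ROUTER_C_MAC, dst_mac=FTP_SERVER_MAC, src_vlan=100))
    # Legitimate clients of the same server: mixed TTLs and packet sizes.
    for n, (ttl, length) in enumerate([(118, 1500), (52, 576), (61, 60), (117, 1500)]):
        flows.append(flow(f"198.51.100.{n + 10}", "192.168.10.5", 40000 + n, 21, 6, pkts=30,
                          ttl=ttl, length=length, ipid=1000 + n, in_if="FastEthernet0/0",
                          src_mac=ROUTER_C_MAC, dst_mac=FTP_SERVER_MAC, src_vlan=100))
    # Unrelated web traffic to another host arriving on another interface.
    for n in range(12):
        flows.append(flow(f"198.51.100.{n + 50}", "192.168.20.8", 50000 + n, 80, 6, pkts=12,
                          ttl=100 + n % 3, length=60 + 20 * (n % 4), ipid=n,
                          in_if="FastEthernet0/1", src_mac="00:0c:29:77:88:99",
                          dst_mac="00:50:56:8d:bb:02", src_vlan=200))
    return flows
```

Grouping by shape inside each target is what keeps the legitimate FTP clients from masking the flood: the four real clients share the target with the 40 forged sources but differ in TTL and length, so they never reach the threshold, while the single (252, 40) shape does. The single ingress tuple in the finding is the fact the text uses to walk upstream to Router C.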

The "Configuration Examples for NetFlow Layer 2 and Security Monitoring Exports" section has two examples for using the NetFlow Layer 2 and Security Monitoring Exports feature to identify an attack in progress and the path that the attack is taking through a network.

Layer 3 Information Capture Using NetFlow Layer 2 and Security Monitoring Exports

The NetFlow Layer 2 and Security Monitoring Exports feature adds support for capturing four fields from Layer 3 IP traffic in a flow:

Time-to-Live field

Packet Length field

ID field

ICMP type and code

Figure 2 shows the fields in an IP packet header. Figure 3 shows the fields in an ICMP datagram. ICMP datagrams are carried in the data area of an IP datagram, after the IP header.

Figure 2 IP Packet Header Fields

Table 1 IP Packet Header Fields 

Field
Description

Version

The version of the IP protocol. If this field is set to 4 it is an IPv4 datagram. If this field is set to 6 it is an IPv6 datagram.

Note The IPv6 header has a different structure than an IPv4 header.

IHL (Internet Header Length)

Internet Header Length is the length of the internet header in 32-bit words and thus points to the beginning of the data.

Note The minimum value for a correct header is 5.

ToS

ToS provides an indication of the abstract parameters of the quality of service desired. These parameters are to be used to guide the selection of the actual service parameters when a networking device transmits a datagram through a particular network.

Total Length

Total length is the length of the datagram, measured in octets, including internet header and data.

Identification (ID)

The value in the ID field is entered by the sender. All of the fragments of an IP datagram have the same value in the ID field. Subsequent IP datagrams from the same sender will have different values in the ID field.

It is very common for a host to be receiving fragmented IP datagrams from several senders concurrently. It is also common for a host to be receiving multiple IP datagrams from the same sender concurrently.

The value in the ID field is used by the destination host to ensure that the fragments of an IP datagram are assigned to the same packet buffer during the IP datagram reassembly process. The unique value in the ID field is also used to prevent the receiving host from mixing together IP datagram fragments of different IP datagrams from the same sender during the IP datagram reassembly process.

Flags

A sequence of 3 bits used to set and track IP datagram fragmentation parameters.

001 = The IP datagram can be fragmented. There are more fragments of the current IP datagram in transit.

000 = The IP datagram can be fragmented. This is the last fragment of the current IP datagram.

010 = The IP Datagram cannot be fragmented. This is the entire IP datagram.

Fragment Offset

This field indicates where in the datagram this fragment belongs.

TTL (Time-to-Live)

This field indicates the maximum time the datagram is allowed to remain in the internet system. If this field contains the value 0, then the datagram must be destroyed. This field is modified in internet header processing. The time is measured in units of seconds, but since every module that processes a datagram must decrease the TTL by at least 1 even if it processes the datagram in less than a second, the TTL must be thought of only as an upper bound on the time a datagram can exist. The intention is to cause undeliverable datagrams to be discarded, and to bound the maximum datagram lifetime.

Protocol

Indicates the type of transport packet included in the data portion of the IP datagram. Common values are:

1 = ICMP

6 = TCP

17 = UDP

Header checksum

A checksum on the header only. Since some header fields, such as the time-to-live field, change every time an IP datagram is forwarded, this value is recomputed and verified at each point that the internet header is processed.

Source IP Address

IP address of the sending station.

Destination IP Address

IP address of the destination station.

Options and Padding

The options and padding may or may not appear in a datagram. If they do appear, they must be handled by all IP modules (hosts and gateways). What is optional is their transmission in any particular datagram, not their implementation.


Figure 3 ICMP Datagram

Table 2 ICMP Packet Format 

Type
Name
Codes

0

Echo reply

0—None

1

Unassigned

2

Unassigned

3

Destination unreachable

0—Net unreachable.

1—Host unreachable.

2—Protocol unreachable.

3—Port unreachable.

4—Fragmentation needed and DF bit set.

5—Source route failed.

6—Destination network unknown.

7—Destination host unknown.

8—Source host isolated.

9—Communication with destination network is administratively prohibited.

10—Communication with destination host is administratively prohibited.

11—Destination network unreachable for ToS.

12—Destination host unreachable for ToS.

4

Source quench

0—None.

5

Redirect

0—Redirect datagram for the network.

1—Redirect datagram for the host.

2—Redirect datagram for the TOS and network.

3—Redirect datagram for the TOS and host.

6

Alternate host address

0—Alternate address for host.

7

Unassigned

8

Echo

0—None.

9

Router advertisement

0—None.

10

Router selection

0—None.

11

Time Exceeded

0—Time to live exceeded in transit.

1—Fragment reassembly time exceeded.

12

Parameter problem

0—Pointer indicates the error.

1—Missing a required option.

2—Bad length.

13

Timestamp

0—None.

14

Timestamp reply

0—None.

15

Information request

0—None.

16

Information reply

0—None.

17

Address mask request

0—None.

18

Address mask reply

0—None.

19

Reserved (for security)

20-29

Reserved (for robustness experiment)

30

Trace route

31

Datagram conversion error

32

Mobile host redirect

33

IPv6 where-are-you

34

IPv6 I-am-here

35

Mobile registration request

36

Mobile registration reply

37-255

Reserved

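The following is an added Python example, not Cisco IOS code, that parses the IPv4 header fields of Table 1 (version, IHL, ToS, total length, ID, the DF and MF flags, fragment offset, TTL, protocol, addresses), verifies the header checksum, and then reads the ICMP type and code of Table 2 from the data area, which are the four values the feature captures at Layer 3. The datagrams it works on are constructed inline; a helper flips one TTL bit without refreshing the checksum to show how a damaged header is detected.

```python
# Added example (not Cisco IOS code): parse the IPv4 header fields of Table 1,
# verify the header checksum, and read the ICMP type and code of Table 2 from
# the data area. The datagrams are constructed inline.
import struct
from dataclasses import dataclass

ICMP_NAMES = {0: "Echo reply", 3: "Destination unreachable", 4: "Source quench",
              5: "Redirect", 8: "Echo", 11: "Time Exceeded", 12: "Parameter problem"}
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class IPv4Header:
    version: int
    ihl: int
    tos: int
    total_length: int
    ident: int
    df: bool
    mf: bool
    frag_offset: int      # in bytes (the wire field counts 8-byte units)
    ttl: int
    protocol: int
    checksum_ok: bool
    src: str
    dst: str
    options: bytes


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes):
    """Return (header, payload). Raises on non-IPv4 or truncated headers."""
    ver_ihl, tos, tlen, ident, flags_off, ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("not a valid IPv4 header")
    hdr = IPv4Header(
        version=version, ihl=ihl, tos=tos, total_length=tlen, ident=ident,
        df=bool(flags_off & 0x4000), mf=bool(flags_off & 0x2000),
        frag_offset=(flags_off & 0x1FFF) * 8, ttl=ttl, protocol=proto,
        # Summing the header including its checksum field yields 0 when intact.
        checksum_ok=ones_complement_sum(pkt[:ihl * 4]) == 0,
        src=".".join(map(str, pkt[12:16])), dst=".".join(map(str, pkt[16:20])),
        options=pkt[20:ihl * 4])
    return hdr, pkt[ihl * 4:tlen]


def parse_icmp(payload: bytes):
    """ICMP type and code are the first two bytes after the IP header."""
    icmp_type, code = struct.unpack("!BB", payload[:2])
    return icmp_type, code, ICMP_NAMES.get(icmp_type, "Unassigned/Reserved")


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               ttl: int = 64, ident: int = 0, df: bool = False) -> bytes:
    """Constructed datagram with a correct header checksum (no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      0x4000 if df else 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:] + payload


def echo_request(src: str, dst: str, ident: int, ttl: int) -> bytes:
    """ICMP Echo (type 8, code 0) with DF set, the shape of a typical ping."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"A" * 8
    icmp = icmp[:2] + struct.pack("!H", ones_complement_sum(icmp)) + icmp[4:]
    return build_ipv4(src, dst, 1, icmp, ttl=ttl, ident=ident, df=True)


def corrupt_ttl(pkt: bytes) -> bytes:
    """Flip one TTL bit without refreshing the checksum (a damaged header)."""
    return pkt[:8] + bytes([pkt[8] ^ 0x01]) + pkt[9:]
```

Note that a router that decrements the TTL also recomputes the header checksum, as Table 1 says, so the intact/damaged distinction made here applies to what arrives on the wire, not to the router's own rewrite.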

Layer 2 Information Capture Using NetFlow Layer 2 and Security Monitoring Exports

The NetFlow Layer 2 and Security Monitoring Exports feature adds the ability to capture the values of the MAC address and VLAN ID fields from flows. The two supported VLAN types are 802.1q and Cisco's Inter-Switch Link (ISL).

Understanding Layer 2 MAC Address Fields

Understanding Layer 2 VLAN ID Fields

Understanding Layer 2 MAC Address Fields

The new Layer 2 fields that the NetFlow Layer 2 and Security Monitoring Exports feature captures the values of are:

The source MAC address field from frames that are received by the NetFlow router

The destination MAC address field from frames that are transmitted by the NetFlow router

The VLAN ID field from frames that are received by the NetFlow router

The VLAN ID field from frames that are transmitted by the NetFlow router

The Ethernet Type II and Ethernet 802.3 frame formats are shown in Figure 4. The destination address field and the source address field in the frame formats are the MAC addresses whose values NetFlow captures. The fields for the Ethernet frame formats are explained in Table 3.

Figure 4 Ethernet Type II and 802.3 Frame Formats

Table 3 Ethernet Type II and 802.3 Frame Fields 

Field
Description

Preamble

The entry in the Preamble field is an alternating pattern of 1s and 0s that tells receiving stations that a frame is coming. It also provides a means for the receiving stations to synchronize their clocks with the incoming bit stream.

SOF (Start of frame )

The SOF field holds an alternating pattern of 1s and 0s, ending with two consecutive 1-bits indicating that the next bit is the first bit of the first byte of the destination MAC address.

Destination Address

The 48-bit destination address identifies which station(s) on the LAN should receive the frame. The first two bits of the destination MAC address are reserved for special functions:

The first bit in the DA field indicates whether the address is an individual address (0) or a group address (1).

The second bit indicates whether the DA is globally administered (0) or locally administered (1).

The remaining 46 bits are a uniquely assigned value that identifies a single station, a defined group of stations, or all stations on the network.

Source Address

The 48-bit source address identifies which station transmitted the frame. The source address is always an individual address and the left-most bit in the SA field is always 0.

Type

or

Length

Type—In an Ethernet Type II frame this part of the frame is used for the Type field. The Type field is used to identify the next layer protocol in the frame.

Length—In an 802.3 Ethernet frame this part of the frame is used for the Length field. The Length field is used to indicate the length of the Ethernet frame. The value can be between 46 and 1500 bytes.

Data

or

802.2 header and data

(Ethernet type II) 46-1500 bytes of data

or

(802.3/802.2) 8 bytes of header and 38-1492 bytes of data.

FCS (Frame Check Sequence)

This field contains a 32-bit cyclic redundancy check (CRC) value, which is created by the sending station and is recalculated by the receiving station to check for damaged frames. The FCS is generated over the DA, SA, Type or Length, and Data fields of the frame. The FCS does not cover the Preamble and SOF fields.


For examples of other types of LAN frame formats refer to the Cisco Internetworking Technology Handbook. Refer to the NetFlow on Logical Interfaces white paper for more information on the other types of interfaces that NetFlow can be used with.

Understanding Layer 2 VLAN ID Fields

NetFlow can capture the value in the VLAN ID field for 802.1q tagged VLANs and Cisco ISL encapsulated VLANs. The section describes the two types of VLANs.


Note It has become common to refer to both 802.1q and ISL as VLAN encapsulation protocols.


Understanding 802.1q VLANs

Understanding Cisco ISL VLANs

Understanding 802.1q VLANs

Devices that use 802.1q insert a four-byte tag into the original frame before it is transmitted. Figure 5 shows the format of an 802.1q tagged Ethernet frame. The fields for 802.1q VLANs are described in Table 4.

Figure 5 802.1q Tagged Ethernet Type II or 802.3 Frame

Table 4 802.1q VLAN Encapsulation Fields 

Field
Description

DA, SA, Type or Length, Data, and FCS

These fields are described in Table 3.

Tag Protocol ID (TPID)

This 16-bit field is set to a value of 0x8100 to identify the frame as an IEEE 802.1q tagged frame.

Priority

Also known as user priority, this 3-bit field refers to the 802.1p priority. It indicates the frame priority level which can be used for prioritizing traffic and is capable of representing 8 levels (0-7).

Tag Control Information (TCI)

The 2-byte Tag Control Information field is comprised of three sub-fields: the 3-bit Priority field described above, the CFI bit, and the 12-bit VLAN ID.

Canonical Format Indicator (CFI)—If the value of this 1-bit field is 1, then the MAC address is in noncanonical format. If the value of this field is 0, then the MAC address is in canonical format.

VLAN ID—This 12-bit field identifies the VLAN to which the frame belongs. It can have a value between 0 and 4095, but the values 0 (a priority-tagged frame that carries no VLAN membership) and 4095 are reserved, so the usable VLAN IDs are 1 through 4094.


Understanding Cisco ISL VLANs

ISL is a Cisco proprietary protocol for encapsulating frames on a VLAN trunk. Devices that use ISL add an ISL header to the frame. This process is known as VLAN encapsulation. 802.1Q is the IEEE standard for tagging frames on a VLAN trunk. Figure 6 shows the format of a Cisco ISL-encapsulated Ethernet frame. The fields of the ISL encapsulation are described in Table 5.

Figure 6 Cisco ISL Tagged Ethernet Frame

Table 5 ISL VLAN Encapsulation 

Field
Description

DA (destination address)

This 40-bit field is a multicast address and is set at 0x01-00-0C-00-00 or 0x03-00-0c-00-00. The receiving host determines that the frame is encapsulated in ISL by reading the 40-bit DA field and matching it to one of the two ISL multicast addresses.

Type

This 4-bit field indicates the type of frame that is encapsulated and could be used in the future to indicate alternative encapsulations.

TYPE codes:

0000 = Ethernet

0001 = Token Ring

0010 = FDDI

0011 = ATM

USER

This 4-bit field is used to extend the meaning of the Frame TYPE field. The default USER field value is 0000. For Ethernet frames, the USER field bits 0 and 1 indicate the priority of the packet as it passes through the switch. Whenever traffic can be handled more quickly, the packets with this bit set should take advantage of the quicker path. Such paths however are not required.

USER codes:

XX00 = Normal priority

XX01 = Priority 1

XX10 = Priority 2

XX11 = Highest priority

SA

This 48-bit field is the source address field of the ISL packet. It should be set to the 802.3 MAC address of the switch port transmitting the frame. The receiving device can ignore the SA field of the frame.

LEN

This 16-bit value field stores the actual packet size of the original packet. The LEN field represents the length of the packet in bytes, excluding the DA, TYPE, USER, SA, LEN, and FCS fields. The total length of the excluded fields is 18 bytes, so the LEN field represents the total length minus 18 bytes.

AAAA03(SNAP)

The AAAA03 SNAP field is a 24-bit constant value of 0xAAAA03.

HSA

This 24-bit field represents the upper three bytes (the manufacturer's ID portion) of the SA field. It must contain the value 0x00-00-0C.

VLAN

This 15-bit field is the Virtual LAN ID of the packet. This value is used to mark frames on different VLANs.

BPDU

The bit in the BPDU field is set for all BPDU packets that are encapsulated by the ISL frame. The BPDUs are used by the spanning tree algorithm to find out information about the topology of the network. This bit is also set for CDP and VTP frames that are encapsulated.

INDEX

This 16-bit field indicates the port index of the source of the packet as it exits the switch. It is used for diagnostic purposes only, and may be set to any value by other devices. It is ignored in received packets.

RES

This 16-bit field is used when Token Ring or FDDI packets are encapsulated with an ISL frame.

Encapsulated FRAME

This field contains the encapsulated Layer 2 frame.

FCS

The FCS field consists of 4 bytes. It includes a 32-bit CRC value, which is created by the sending station and is recalculated by the receiving station to check for damaged frames. The FCS covers the DA, SA, Length/Type, and Data fields. When an ISL header is attached to a Layer 2 frame, a new FCS is calculated over the entire ISL packet and added to the end of the frame.

Note The addition of the new FCS does not alter the original FCS that is contained within the encapsulated frame.
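As an added example that is not part of this Cisco document, the following Python decodes and builds ISL frames with the header layout described above (DA, TYPE, USER, SA, LEN, SNAP, HSA, VLAN, BPDU, INDEX, RES, encapsulated frame, FCS). The FCS byte order, the builder function, and the sample frame are assumptions; the MAC address used comes from the example network later in this document.

```python
"""Parse and build ISL frames using the header layout described above."""
import struct
import zlib
from dataclasses import dataclass

# Header layout in bytes: DA(5) TYPE/USER(1) SA(6) LEN(2) SNAP(3) HSA(3)
# VLAN/BPDU(2) INDEX(2) RES(2) = 26, then the encapsulated frame, then FCS(4).
ISL_HEADER_LEN = 26
FCS_LEN = 4
LEN_EXCLUDED = 18  # DA, TYPE, USER, SA, LEN and FCS are not counted in LEN
ISL_DA_VALUES = (bytes.fromhex("01000c0000"), bytes.fromhex("03000c0000"))
ISL_SNAP = bytes.fromhex("aaaa03")
ISL_HSA = bytes.fromhex("00000c")  # manufacturer's ID portion of the SA
TYPE_NAMES = {0b0000: "Ethernet", 0b0001: "Token Ring", 0b0010: "FDDI", 0b0011: "ATM"}
PRIORITY_NAMES = {0b00: "Normal priority", 0b01: "Priority 1",
                  0b10: "Priority 2", 0b11: "Highest priority"}


@dataclass
class IslFrame:
    da: bytes
    frame_type: int
    user: int
    sa: bytes
    length: int
    vlan_id: int
    bpdu: bool
    index: int
    res: int
    payload: bytes  # the encapsulated Layer 2 frame, its own FCS untouched
    fcs_ok: bool    # outer FCS recomputed over the whole ISL packet

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.frame_type, "unknown")

    @property
    def priority_name(self) -> str:
        # For Ethernet frames only USER bits 0 and 1 carry the priority.
        return PRIORITY_NAMES[self.user & 0b11]


def _fcs(data: bytes) -> bytes:
    # Assumption: the FCS is a CRC-32 in Ethernet's form, least-significant byte first.
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def is_isl(frame: bytes) -> bool:
    """A receiver recognises ISL by matching the 40-bit DA to an ISL multicast address."""
    return len(frame) >= ISL_HEADER_LEN + FCS_LEN and frame[:5] in ISL_DA_VALUES


def parse_isl(frame: bytes) -> IslFrame:
    if not is_isl(frame):
        raise ValueError("not an ISL frame: DA is not an ISL multicast address")
    frame_type, user = frame[5] >> 4, frame[5] & 0x0F
    (length,) = struct.unpack("!H", frame[12:14])
    if frame[14:17] != ISL_SNAP:
        raise ValueError("SNAP field is not AAAA03")
    if frame[17:20] != ISL_HSA:
        raise ValueError("HSA field is not 00-00-0C")
    vlan_bpdu, index, res = struct.unpack("!HHH", frame[20:26])
    if length != len(frame) - LEN_EXCLUDED:  # LEN is the packet size minus 18 bytes
        raise ValueError(f"LEN {length} does not match packet size {len(frame)}")
    return IslFrame(da=frame[0:5], frame_type=frame_type, user=user, sa=frame[6:12],
                    length=length, vlan_id=vlan_bpdu >> 1, bpdu=bool(vlan_bpdu & 1),
                    index=index, res=res, payload=frame[ISL_HEADER_LEN:-FCS_LEN],
                    fcs_ok=_fcs(frame[:-FCS_LEN]) == frame[-FCS_LEN:])


def build_isl(sa: bytes, vlan_id: int, payload: bytes, frame_type: int = 0,
              user: int = 0, bpdu: bool = False, index: int = 0, res: int = 0) -> bytes:
    """Wrap a Layer 2 frame in an ISL header and append a new FCS over the whole packet."""
    if not 0 <= vlan_id < (1 << 15):
        raise ValueError("VLAN ID must fit in 15 bits")
    after_len = ISL_SNAP + ISL_HSA + struct.pack("!HHH", (vlan_id << 1) | int(bpdu), index, res)
    length = len(after_len) + len(payload)  # everything LEN covers
    packet = (ISL_DA_VALUES[0] + bytes([(frame_type << 4) | (user & 0x0F)]) + sa
              + struct.pack("!H", length) + after_len + payload)
    return packet + _fcs(packet)


# Constructed sample: a minimal Ethernet frame carried on VLAN 5 with the SA of
# R2's Ethernet1/0 (aaaa.bbbb.cc03) from the example network in this document.
SAMPLE_PAYLOAD = bytes.fromhex("aaaabbbbcc06aaaabbbbcc030800") + bytes(50)
SAMPLE_FRAME = build_isl(bytes.fromhex("aaaabbbbcc03"), 5, SAMPLE_PAYLOAD, user=0b01)

if __name__ == "__main__":
    f = parse_isl(SAMPLE_FRAME)
    print(f"VLAN {f.vlan_id} {f.type_name} {f.priority_name} SA {f.sa.hex()} FCS ok={f.fcs_ok}")
```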


How to Configure NetFlow Layer 2 and Security Monitoring Exports

This section contains the following procedure:

Configuring NetFlow Layer 2 and Security Monitoring Exports

Verifying NetFlow Layer 2 and Security Monitoring Exports (Optional)

Configuring NetFlow Layer 2 and Security Monitoring Exports

Prerequisites

CEF, dCEF, or fast switching for IP must be configured on your system before you configure NetFlow Layer 2 and Security Monitoring Exports.

The optional Verifying NetFlow Layer 2 and Security Monitoring Exports task uses the show ip cache verbose flow command to display the values of the fields that you have configured the NetFlow Layer 2 and Security Monitoring Exports feature to capture. To see those values, your router must be forwarding IP traffic that meets the criteria for these fields. For example, if you configure the ip flow-capture ip-id command, your router must be forwarding IP datagrams in order to capture the IP id values from the IP datagrams in the flow.

Restrictions

The "Verifying NetFlow Layer 2 and Security Monitoring Exports" task uses the show ip cache verbose flow command. The following restrictions apply to using the show ip cache verbose flow command.

Displaying Detailed NetFlow Cache Information on Platforms Running Distributed Cisco Express Forwarding

On platforms running dCEF, NetFlow cache information is maintained on each line card or Versatile Interface Processor. If you want to use the show ip cache verbose flow command to display this information on a distributed platform, you must enter the command at a line card prompt.

Cisco 7500 Series Platform

To display detailed NetFlow cache information on a Cisco 7500 series router that is running dCEF, enter the following sequence of commands:

Router# if-con slot-number
LC-slot-number# show ip cache verbose flow 

For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:

Router# execute-on slot-number show ip cache verbose flow 

Cisco 12000 Series Platform

To display detailed NetFlow cache information on a Cisco 12000 Series Internet Router, enter the following sequence of commands:

Router# attach slot-number
LC-slot-number# show ip cache verbose flow

For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:

Router# execute-on slot-number show ip cache verbose flow

SUMMARY STEPS

1. enable

2. configure terminal

3. ip flow-capture icmp

4. ip flow-capture ip-id

5. ip flow-capture mac-addresses

6. ip flow-capture packet-length

7. ip flow-capture ttl

8. ip flow-capture vlan-id

9. interface type [number | slot/port]

10. ip flow ingress
and/or
ip flow egress

11. end

12. copy running-config startup-config

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip flow-capture icmp

Example:

Router(config)# ip flow-capture icmp

(Optional) Enables you to capture the value of the ICMP type and code fields from ICMP datagrams in a flow.

Step 4 

ip flow-capture ip-id

Example:

Router(config)# ip flow-capture ip-id

(Optional) Enables you to capture the value of the IP-ID field from the first IP datagram in a flow.

Step 5 

ip flow-capture mac-addresses

Example:

Router(config)# ip flow-capture mac-addresses

(Optional) Enables you to capture the values of the source and destination MAC addresses from the traffic in a flow.

Step 6 

ip flow-capture packet-length

Example:

Router(config)# ip flow-capture packet-length

(Optional) Enables you to capture the minimum and maximum values of the packet length field from IP datagrams in a flow.

Step 7 

ip flow-capture ttl

Example:

Router(config)# ip flow-capture ttl

(Optional) Enables you to capture the minimum and maximum values of the Time-to-Live (TTL) field from IP datagrams in a flow.

Step 8 

ip flow-capture vlan-id

Example:

Router(config)# ip flow-capture vlan-id

(Optional) Enables you to capture the 802.1q or ISL VLAN-ID field from VLAN encapsulated frames in a flow that are received or transmitted on trunk ports.

Step 9 

interface type [number | slot/port]

Example:

Router(config)# interface ethernet 0/0

Enters interface configuration mode for the type of interface specified in the command.

Step 10 

ip flow ingress

and/or

ip flow egress

Example:

Router(config-if)# ip flow ingress

and/or

Example:

Router(config-if)# ip flow egress

Enables ingress NetFlow data collection on the interface.

or

Enables egress NetFlow data collection on the interface.

Step 11 

end

Example:

Router(config-if)# end

Exits configuration mode and returns to privileged EXEC mode.

Step 12 

copy running-config startup-config

Example:

Router# copy running-config startup-config

(Optional) Saves the running configuration to the startup configuration.

Verifying NetFlow Layer 2 and Security Monitoring Exports

To verify the configuration of NetFlow Layer 2 and Security Monitoring Exports, use the following step.

SUMMARY STEPS

1. show ip cache verbose flow

DETAILED STEPS


Step 1 show ip cache verbose flow

The display output below shows that NetFlow Layer 2 and Security Monitoring Exports is working properly because values have been captured from the Layer 2 and Layer 3 fields in the flows. The values captured by the NetFlow Layer 2 and Security Monitoring Exports feature appear in the MAC (VLAN id), Min plen, Max plen, Min TTL, Max TTL, and IP id lines of each flow record.

Router# show ip cache verbose flow

IP packet size distribution (25229 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .206 .793 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  6 active, 4090 inactive, 17 added
  505 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 10 seconds
IP Sub Flow Cache, 25736 bytes
  12 active, 1012 inactive, 39 added, 17 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet           1      0.0       362   940      2.7      60.2       0.0
TCP-FTP              1      0.0       362   840      2.7      60.2       0.0
TCP-FTPD             1      0.0       362   840      2.7      60.1       0.1
TCP-SMTP             1      0.0       361  1040      2.7      60.0       0.1
UDP-other            5      0.0         1    66      0.0       1.0      10.6
ICMP                 2      0.0      8829  1378    135.8      60.7       0.0
Total:              11      0.0      1737  1343    147.0      33.4       4.8

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Et0/0.1        10.251.138.218  Et1/0.1        172.16.10.2     06 80  00      65 
0015 /0  0                     0015 /0  0     0.0.0.0               840    10.8
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      840                            Max plen:       840
Min TTL:        59                            Max TTL:         59
IP id:           0


Configuration Examples for NetFlow Layer 2 and Security Monitoring Exports

This section provides the following configuration examples:

Configuring and Using NetFlow Layer 2 and Security Monitoring Exports to Analyze a Simulated FTP Attack: Example

Configuring and Using NetFlow Layer 2 and Security Monitoring Exports to Analyze a Simulated ICMP Ping Attack: Example

Configuring and Using NetFlow Layer 2 and Security Monitoring Exports to Analyze a Simulated FTP Attack: Example

The following example shows how to use the NetFlow Layer 2 and Security Monitoring Exports feature to find out whether your network is being attacked by a host that is sending fake FTP traffic in an attempt to overwhelm the FTP server. This attack might cause end users to see a degradation in the ability of the FTP server to accept new connections or to service existing connections.

This example uses the network shown in Figure 7. Host A is sending fake FTP packets to the FTP server.

This example also shows you how to use the Layer 2 data captured by the NetFlow Layer 2 and Security Monitoring Exports feature to learn where the traffic is originating and what path it is taking through the network.

Figure 7 Test Network


Tip Keep track of the MAC addresses and IP addresses of the devices in your network. You can use them to analyze attacks and to resolve problems.



Note This example does not include the ip flow-capture icmp command that captures the value of the ICMP type and code fields. The use of the ip flow-capture icmp command is described in "Configuring and Using NetFlow Layer 2 and Security Monitoring Exports to Analyze a Simulated ICMP Ping Attack: Example."


R2

!
hostname R2
!
interface Ethernet0/0
 mac-address aaaa.bbbb.cc02
 ip address 172.16.1.2 255.255.255.0
!
interface Ethernet1/0
 mac-address aaaa.bbbb.cc03
 no ip address
!
interface Ethernet1/0.1
 encapsulation dot1Q 5
 ip address 172.16.6.1 255.255.255.0
!
!
router rip
 version 2
 network 172.16.0.0
 no auto-summary
!

R3

!
hostname R3
!
ip flow-capture packet-length
ip flow-capture ttl
ip flow-capture vlan-id
ip flow-capture ip-id
ip flow-capture mac-addresses
!
interface Ethernet0/0
 mac-address aaaa.bbbb.cc04
 no ip address
!
interface Ethernet0/0.1
 encapsulation dot1Q 5
 ip address 172.16.6.2 255.255.255.0
 ip accounting output-packets
 ip flow ingress
!
interface Ethernet1/0
 mac-address aaaa.bbbb.cc05
 no ip address
!
interface Ethernet1/0.1
 encapsulation dot1Q 6
 ip address 172.16.7.1 255.255.255.0
 ip accounting output-packets
 ip flow egress
!
router rip
 version 2
 network 172.16.0.0
 no auto-summary
!

R4

!
hostname R4
!
interface Ethernet0/0
 mac-address aaaa.bbbb.cc07
 ip address 172.16.10.1 255.255.255.0
!
interface Ethernet1/0
 mac-address aaaa.bbbb.cc06
 no ip address
!
interface Ethernet1/0.1
 encapsulation dot1Q 6
 ip address 172.16.7.2 255.255.255.0
!
router rip
 version 2
 network 172.16.0.0
 no auto-summary
!

The show ip cache verbose flow command displays the NetFlow flows that have been captured from the FTP traffic that Host A is sending.

The fields whose values are captured by the ip flow-capture command are described in Table 9. These are the fields and the values that are used to analyze the traffic for this example. The other fields displayed by the show ip cache verbose flow command are explained in Table 6, Table 7, and Table 8.

R3# show ip cache verbose flow 
IP packet size distribution (3596 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .003 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .995 .000 .000 .000 .000 .000 .000 .000

The preceding output shows the percentage distribution of packets by size. In this display, 99.5 percent of the packets fall in the 1024-byte size range, and 0.3 percent fall in the 64-byte range.

The next section of the output can be divided into four parts. The section and the table corresponding to each are as follows:

Field Descriptions in the NetFlow Cache Section of the Output (Table 6)

Field Descriptions in the Activity by Protocol Section of the Output (Table 7)

Field Descriptions in the NetFlow Record Section of the Output (Table 8)

NetFlow Layer 2 and Security Monitoring Exports Fields in the NetFlow Record Section of the Output (Table 9)


IP Flow Switching Cache, 278544 bytes
  5 active, 4091 inactive, 25 added
  719 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 10 seconds
IP Sub Flow Cache, 25736 bytes
  10 active, 1014 inactive, 64 added, 25 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-FTP              5      0.0       429   840      6.6      58.1       1.8
Total:               5      0.0       129   835      6.6      17.6       7.9

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Et0/0.1        10.132.221.111  Et1/0.1        172.16.10.2     06 80  00     198 
0015 /0  0                     0015 /0  0     0.0.0.0               840    41.2
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      840                            Max plen:       840
Min TTL:        59                            Max TTL:         59
IP id:           0 

Et0/0.1        10.251.138.218  Et1/0.1        172.16.10.2     06 80  00     198 
0015 /0  0                     0015 /0  0     0.0.0.0               840    41.2
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      840                            Max plen:       840
Min TTL:        59                            Max TTL:         59
IP id:           0

Et0/0.1        10.10.12.1      Et1/0.1        172.16.10.2     06 80  00     203 
0015 /0  0                     0015 /0  0     0.0.0.0               840    42.2
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      840                            Max plen:       840
Min TTL:        59                            Max TTL:         59
IP id:           0

Et0/0.1        10.231.185.254  Et1/0.1        172.16.10.2     06 80  00     203 
0015 /0  0                     0015 /0  0     0.0.0.0               840    42.2
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      840                            Max plen:       840
Min TTL:        59                            Max TTL:         59
IP id:           0

Et0/0.1        10.71.200.138   Et1/0.1        172.16.10.2     06 80  00     203 
0015 /0  0                     0015 /0  0     0.0.0.0               840    42.2
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      840                            Max plen:       840
Min TTL:        59                            Max TTL:         59
IP id:           0

R3#

Table 6 describes the significant fields shown in the NetFlow cache section of the output.

Table 6 Field Descriptions in the NetFlow Cache Section of the Output 

Field
Description

bytes

Number of bytes of memory used by the NetFlow cache.

active

Number of active flows in the NetFlow cache at the time this command was entered.

inactive

Number of flow buffers that are allocated in the NetFlow cache but that were not assigned to a specific flow at the time this command was entered.

added

Number of flows created since the start of the summary period.

ager polls

Number of times the NetFlow code caused entries to expire (used by Cisco for diagnostics only).

flow alloc failures

Number of times the NetFlow code tried to allocate a flow but could not.

last clearing of statistics

The period of time that has passed since the clear ip flow stats privileged EXEC command was last executed. The standard time output format of hours, minutes, and seconds (hh:mm:ss) is used for a period of time less than 24 hours. This time output changes to hours and days after the time exceeds 24 hours.


Table 7 describes the significant fields shown in the activity by protocol section of the output.

Table 7 Field Descriptions in the Activity by Protocol Section of the Output 

Field
Description

Protocol

IP protocol and the well-known port number. (Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.)

Note Only a small subset of all protocols is displayed.

Total Flows

Number of flows for this protocol since the last time statistics were cleared.

Flows/Sec

Average number of flows for this protocol per second; equal to the total flows divided by the number of seconds for this summary period.

Packets/Flow

Average number of packets for the flows for this protocol; equal to the total packets for this protocol divided by the number of flows for this protocol for this summary period.

Bytes/Pkt

Average number of bytes for the packets for this protocol; equal to the total bytes for this protocol divided by the total number of packets for this protocol for this summary period.

Packets/Sec

Average number of packets for this protocol per second; equal to the total packets for this protocol divided by the total number of seconds for this summary period.

Active(Sec)/Flow

Number of seconds from the first packet to the last packet of an expired flow divided by the number of total flows for this protocol for this summary period.

Idle(Sec)/Flow

Number of seconds observed from the last packet in each nonexpired flow for this protocol until the time at which the show ip cache verbose flow command was entered divided by the total number of flows for this protocol for this summary period.


Table 8 describes the significant fields in the NetFlow record section of the output.

Table 8 Field Descriptions in the NetFlow Record Section of the Output 

Field
Description

SrcIf

Interface on which the packet was received.

Port Msk AS

Source port number (displayed in hexadecimal format), IP address mask, and autonomous system number. This is always set to 0 in MPLS flows.

SrcIPaddress

This is the source IP address of the traffic in the five flows. The traffic is using five different IP source addresses:

10.132.221.111

10.251.138.218

10.10.12.1

10.231.185.254

10.71.200.138

DstIf

Interface from which the packet was transmitted. 

Note If an asterisk (*) immediately follows the DstIf field, the flow being shown is an egress flow.

Port Msk AS

Destination port number (displayed in hexadecimal format), IP address mask, and autonomous system number. The value of this field is always set to 0 in MPLS flows.

DstIPaddress

This is the destination IP address of the traffic.

Note 172.16.10.2 is the IP address of the FTP server.

NextHop

The BGP next-hop address. This is always set to 0 in MPLS flows.

Pr

IP protocol number, displayed in hexadecimal format (06 is TCP in the output above). (Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.)

ToS

Type of service, displayed in hexadecimal format.

B/Pk

Average number of bytes observed for the packets seen for this flow.

Flgs

TCP flags, shown in hexadecimal format. This value is the result of bitwise OR of the TCP flags from all packets in the flow.

Pkts

Number of packets in this flow.

Active

Time the flow has been active.


Table 9 describes the fields and values for the NetFlow Traffic Classification and Identification fields for the NetFlow record section of the output.

Table 9 NetFlow Layer 2 and Security Monitoring Exports Fields in the NetFlow Record Section of the Output 

Field
Description

MAC

These are the source and destination MAC addresses from the traffic. The source and destination MAC address are read from left to right in the output.

The traffic is being received from MAC address aaaa.bbbb.cc03.

Note This MAC address is interface 1/0.1 on router R2.

The traffic is being transmitted to MAC address aaaa.bbbb.cc06.

Note This MAC address is interface 1/0.1 on router R4.

VLAN id

These are the source and destination VLAN IDs. The source and destination VLAN IDs are read from left to right in the output.

The traffic is being received from VLAN 5.

The traffic is being transmitted to VLAN 6.

Min plen

This is the minimum packet length for the packets captured in the five flows.

The current value is 840.

Max plen

This is the maximum packet length for the packets captured in the five flows.

The current value is 840.

Min TTL

This is the minimum Time-to-Live (TTL) for the packets captured in the five flows.

The current value is 59.

Max TTL

This is the maximum TTL for the packets captured in the five flows.

The current value is 59.

IP id

This is the IP identifier field for the traffic in the five flows.

The current value is 0.


The fact that the Layer 3 TTL, identifier, and packet length fields in the five flows have the same values is a good indication that this traffic is a DoS attack. If this data had been captured from real traffic, the values would typically be different. The fact that all five of these flows have a TTL value of 59 indicates that this traffic is originating from points that are the same distance away from R3. Real user traffic would normally be arriving from many different distances away; therefore the TTL values would be different.

If this traffic is identified as a DoS attack (based on the data captured in the Layer 3 fields), you can use the Layer 2 information in the flows to identify the path the traffic is taking through the network. In this example, the traffic is being sent to R3 on VLAN 5 by R2. You can demonstrate that R2 is transmitting the traffic over interface 1/0.1 because the source MAC address (aaaa.bbbb.cc03) belongs to 1/0.1 on R2. You can identify that R3 is transmitting the traffic using VLAN 6 on interface 1/0.1 to interface 1/0.1 on R4 because the destination MAC address (aaaa.bbbb.cc06) belongs to interface 1/0.1 on R4.

You can use this information to develop a plan to mitigate this attack. One possible way to mitigate this attack is by configuring an extended IP access list that blocks FTP traffic from any host with a source address that is on the 10.0.0.0 network. Another possible solution is to configure a static route for the 10.0.0.0 network that points to the Null0 interface on the router.


Caution Each of these solutions blocks traffic from legitimate hosts on the 10.0.0.0 network. Therefore these solutions should be used only temporarily while you identify the point of origin of the attack and decide how to stop it there.
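As an added example that is not part of this Cisco document, the following Python applies the analysis above mechanically: it parses show ip cache verbose flow records (including the ICMP type and code lines that appear in the next example) and flags a destination that several source addresses reach with identical TTL, IP id, and packet-length values, reporting the Layer 2 path those flows share. The three-source threshold and the field names are assumptions; the sample records are taken from the R3 output in the two examples.

```python
"""Parse show ip cache verbose flow records and flag uniform-Layer-3 flow groups."""
import re
from collections import defaultdict

# One pattern per line type of a verbose flow record, matching the layout printed above.
_HEAD = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                   r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s+(\d+)\s*$")
_PORTS = re.compile(r"^([0-9A-Fa-f]{4})\s+/\d+\s+\d+\s+([0-9A-Fa-f]{4})\s+/\d+\s+\d+\s+"
                    r"\S+\s+(\d+)\s+([\d.]+)\s*$")
_MAC = re.compile(r"^MAC: \(VLAN id\)\s+(\S+)\s+\((\d+)\)\s+(\S+)\s+\((\d+)\)")
_PLEN = re.compile(r"^Min plen:\s+(\d+)\s+Max plen:\s+(\d+)")
_TTL = re.compile(r"^Min TTL:\s+(\d+)\s+Max TTL:\s+(\d+)")
_ICMP = re.compile(r"^ICMP type:\s+(\d+)\s+ICMP code:\s+(\d+)")
_IPID = re.compile(r"^IP id:\s+(\d+)")


def parse_verbose_flow(text):
    """Return one dict per flow record found in show ip cache verbose flow output."""
    flows, cur = [], None
    for line in text.splitlines():
        if m := _HEAD.match(line):          # first line of a record
            cur = {"src_if": m[1], "src": m[2], "dst_if": m[3], "dst": m[4],
                   "proto": int(m[5], 16), "tos": int(m[6], 16),
                   "flags": int(m[7], 16), "pkts": int(m[8])}
            flows.append(cur)
        elif cur is None:                   # still in the cache/protocol summary
            continue
        elif m := _PORTS.match(line):
            cur.update(src_port=int(m[1], 16), dst_port=int(m[2], 16),
                       bytes_per_pkt=int(m[3]), active=float(m[4]))
        elif m := _MAC.match(line):
            cur.update(src_mac=m[1], src_vlan=int(m[2]), dst_mac=m[3], dst_vlan=int(m[4]))
        elif m := _PLEN.match(line):
            cur.update(min_plen=int(m[1]), max_plen=int(m[2]))
        elif m := _TTL.match(line):
            cur.update(min_ttl=int(m[1]), max_ttl=int(m[2]))
        elif m := _ICMP.match(line):
            cur.update(icmp_type=int(m[1]), icmp_code=int(m[2]))
        elif m := _IPID.match(line):
            cur["ip_id"] = int(m[1])
    return flows


def find_uniform_flow_groups(flows, min_sources=3):
    """Flag a destination/port that several sources reach with identical TTL, IP id
    and packet length (the DoS indicator used above) and report the Layer 2 path."""
    groups = defaultdict(list)
    for f in flows:
        if all(k in f for k in ("min_ttl", "ip_id", "min_plen", "src_mac")):
            groups[(f["dst"], f["proto"], f.get("dst_port"))].append(f)
    findings = []
    for (dst, proto, dport), fl in groups.items():
        sources = sorted({f["src"] for f in fl})
        l3 = {(f["min_ttl"], f["max_ttl"], f["ip_id"], f["min_plen"], f["max_plen"]) for f in fl}
        if len(sources) < min_sources or len(l3) != 1:
            continue
        ttl_lo, ttl_hi, ip_id, plen_lo, plen_hi = l3.pop()
        if ttl_lo != ttl_hi or plen_lo != plen_hi:
            continue  # real traffic spreads across TTLs and sizes; this group does not
        paths = sorted({(f["src_mac"], f["src_vlan"], f["dst_mac"], f["dst_vlan"]) for f in fl})
        findings.append({"dst": dst, "proto": proto, "dst_port": dport, "sources": sources,
                         "ttl": ttl_lo, "ip_id": ip_id, "plen": plen_lo, "paths": paths})
    return findings


# Sample input: three of the five FTP flow records and the ICMP echo-request record
# from the R3 output shown in the two examples.
SAMPLE = """\
Et0/0.1        10.132.221.111  Et1/0.1        172.16.10.2     06 80  00     198
0015 /0  0                     0015 /0  0     0.0.0.0               840    41.2
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      840                            Max plen:       840
Min TTL:        59                            Max TTL:         59
IP id:           0
Et0/0.1        10.251.138.218  Et1/0.1        172.16.10.2     06 80  00     198
0015 /0  0                     0015 /0  0     0.0.0.0               840    41.2
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      840                            Max plen:       840
Min TTL:        59                            Max TTL:         59
IP id:           0
Et0/0.1        10.10.12.1      Et1/0.1        172.16.10.2     06 80  00     203
0015 /0  0                     0015 /0  0     0.0.0.0               840    42.2
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      840                            Max plen:       840
Min TTL:        59                            Max TTL:         59
IP id:           0
Et0/0.1        10.106.1.1      Et1/0.1        172.16.10.2     01 00  10     391
0000 /0  0                     0800 /0  0     0.0.0.0              1500     8.6
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      1500                            Max plen:       1500
Min TTL:         59                            Max TTL:          59
ICMP type:       8                            ICMP code:        0
IP id:       13499
"""

if __name__ == "__main__":
    for hit in find_uniform_flow_groups(parse_verbose_flow(SAMPLE)):
        print(hit)
```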

Configuring and Using NetFlow Layer 2 and Security Monitoring Exports to Analyze a Simulated ICMP Ping Attack: Example

The following example shows how to use the NetFlow Layer 2 and Security Monitoring Exports feature to find out whether your network is being attacked by ICMP traffic. It uses the network shown in Figure 7. Host A is sending very large ICMP ping packets to the FTP server.

R2

!
hostname R2
!
interface Ethernet0/0
 mac-address aaaa.bbbb.cc02
 ip address 172.16.1.2 255.255.255.0
!
interface Ethernet1/0
 mac-address aaaa.bbbb.cc03
 no ip address
!
interface Ethernet1/0.1
 encapsulation dot1Q 5
 ip address 172.16.6.1 255.255.255.0
!
!
router rip
 version 2
 network 172.16.0.0
 no auto-summary
!

R3

!
hostname R3
!
ip flow-capture packet-length
ip flow-capture ttl
ip flow-capture vlan-id
ip flow-capture icmp
ip flow-capture ip-id
ip flow-capture mac-addresses
!
interface Ethernet0/0
 mac-address aaaa.bbbb.cc04
 no ip address
!
interface Ethernet0/0.1
 encapsulation dot1Q 5
 ip address 172.16.6.2 255.255.255.0
 ip accounting output-packets
 ip flow ingress
!
interface Ethernet1/0
 mac-address aaaa.bbbb.cc05
 no ip address
!
interface Ethernet1/0.1
 encapsulation dot1Q 6
 ip address 172.16.7.1 255.255.255.0
 ip accounting output-packets
 ip flow egress
!
router rip
 version 2
 network 172.16.0.0
 no auto-summary
!

R4

!
hostname R4
!
interface Ethernet0/0
 mac-address aaaa.bbbb.cc07
 ip address 172.16.10.1 255.255.255.0
!
interface Ethernet1/0
 mac-address aaaa.bbbb.cc06
 no ip address
!
interface Ethernet1/0.1
 encapsulation dot1Q 6
 ip address 172.16.7.2 255.255.255.0
!
router rip
 version 2
 network 172.16.0.0
 no auto-summary
!

The show ip cache verbose flow command displays the NetFlow flows that have been captured from the ICMP traffic that Host A is sending.

The fields whose values are captured by the ip flow-capture command are explained in Table 13. These are the fields and the values that are used to analyze the traffic for this example. The other fields displayed by the show ip cache verbose flow command are explained in Table 10, Table 11, and Table 12.

R3# show ip cache verbose flow
IP packet size distribution (5344 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .166 .832 .000 .000 .000 .000 .000 .000

The preceding output shows the percentage distribution of packets by size. In this display, 16.6 percent of the packets fall in the 1024-byte size range and 83.2 percent fall in the 1536-byte range.

The next section of the output can be divided into four sections. The section and the table corresponding to each are as follows:

Field Descriptions in the NetFlow Cache Section of the Output (Table 10)

Field Descriptions in the Activity by Protocol Section of the Output (Table 11)

Field Descriptions in the NetFlow Record Section of the Output (Table 12)

NetFlow Layer 2 and Security Monitoring Exports Fields in the NetFlow Record Section of the Output (Table 13)


IP Flow Switching Cache, 278544 bytes
  3 active, 4093 inactive, 7 added
  91 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 10 seconds
IP Sub Flow Cache, 25736 bytes
  7 active, 1017 inactive, 17 added, 7 added to flow
  0 alloc failures, 0 force free
  1 chunk, 0 chunks added
  last clearing of statistics 00:01:13
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
ICMP                 2      0.0      1500  1378     42.8      11.4      10.9
Total:               2      0.0       600  1378     42.9      11.5      10.8

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Et0/0.1        10.106.1.1      Et1/0.1        172.16.10.2     01 00  10     391 
0000 /0  0                     0800 /0  0     0.0.0.0              1500     8.6
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      1500                            Max plen:       1500
Min TTL:         59                            Max TTL:          59
ICMP type:       8                            ICMP code:        0
IP id:       13499

Et0/0.1        10.106.1.1      Et1/0.1        172.16.10.2     01 00  00    1950 
0000 /0  0                     0000 /0  0     0.0.0.0              1354     8.6
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      772                            Max plen:       1500
Min TTL:         59                           Max TTL:          59
ICMP type:       0                            ICMP code:        0
IP id:       13499

R3#

Table 10 describes the significant fields shown in the NetFlow cache lines of the output.

Table 10 Field Descriptions in the NetFlow Cache Section of the Output 

Field
Description

bytes

Number of bytes of memory used by the NetFlow cache.

active

Number of active flows in the NetFlow cache at the time this command was entered.

inactive

Number of flow buffers that are allocated in the NetFlow cache but that were not assigned to a specific flow at the time this command was entered.

added

Number of flows created since the start of the summary period.

ager polls

Number of times the NetFlow code caused entries to expire (used by Cisco for diagnostics only).

flow alloc failures

Number of times the NetFlow code tried to allocate a flow but could not.

last clearing of statistics

The period of time that has passed since the clear ip flow stats privileged EXEC command was last executed. The standard time output format of hours, minutes, and seconds (hh:mm:ss) is used for a period of time less than 24 hours. This time output changes to hours and days after the time exceeds 24 hours.


Table 11 describes the significant fields shown in the activity by protocol lines of the output.

Table 11 Field Descriptions in the Activity by Protocol Section of the Output 

Field
Description

Protocol

IP protocol and the well-known port number. (Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.)

Note Only a small subset of all protocols is displayed.

Total Flows

Number of flows for this protocol since the last time statistics were cleared.

Flows/Sec

Average number of flows for this protocol per second; equal to the total flows divided by the number of seconds for this summary period.

Packets/Flow

Average number of packets for the flows for this protocol; equal to the total packets for this protocol divided by the number of flows for this protocol for this summary period.

Bytes/Pkt

Average number of bytes for the packets for this protocol; equal to the total bytes for this protocol divided by the total number of packets for this protocol for this summary period.

Packets/Sec

Average number of packets for this protocol per second; equal to the total packets for this protocol divided by the total number of seconds for this summary period.

Active(Sec)/Flow

Number of seconds from the first packet to the last packet of an expired flow divided by the total number of flows for this protocol for this summary period.

Idle(Sec)/Flow

Number of seconds observed from the last packet in each nonexpired flow for this protocol until the time at which the show ip cache verbose flow command was entered divided by the total number of flows for this protocol for this summary period.


Table 12 describes the significant fields in the NetFlow record lines of the output.

Table 12 Field Descriptions in the NetFlow Record Section of the Output 

Field
Description

SrcIf

Interface on which the packet was received.

Port Msk AS

Source port number (displayed in hexadecimal format), IP address mask, and autonomous system number. The value of this field is always set to 0 in MPLS flows.

SrcIPaddress

IP address of the device that transmitted the packet. The sending host is using 10.106.1.1 as the source IP address.

DstIf

Interface from which the packet was transmitted. 

Note If an asterisk (*) immediately follows the DstIf field, the flow being shown is an egress flow.

Port Msk AS

Destination port number (displayed in hexadecimal format), IP address mask, and autonomous system number. This is always set to 0 in MPLS flows.

DstIPaddress

IP address of the destination device.

NextHop

The BGP next-hop address. This is always set to 0 in MPLS flows.

Pr

IP protocol number, displayed in hexadecimal format (for example, 01 is ICMP, 06 is TCP and 11 is UDP). Refer to http://www.iana.org, Protocol Assignment Number Services, for the current assignments.

ToS

Type of service, displayed in hexadecimal format.

B/Pk

Average number of bytes observed for the packets seen for this flow.

Flgs

TCP flags, shown in hexadecimal format. This value is the result of bitwise OR of the TCP flags from all packets in the flow.

Pkts

Number of packets in this flow.

Active

Time the flow has been active.


Table 13 describes the NetFlow Layer 2 and Security Monitoring Exports fields and their values in the NetFlow record lines of the output.

Table 13 NetFlow Layer 2 and Security Monitoring Exports Fields in the NetFlow Record Section of the Output 

Field
Description

MAC

These are the source and destination MAC addresses from the traffic, read from left to right in the output.

The traffic is being received from MAC address aaaa.bbbb.cc03.

Note This MAC address is interface 1/0.1 on router R2.

The traffic is being transmitted to MAC address aaaa.bbbb.cc06.

Note This MAC address is interface 1/0.1 on router R4.

VLAN id

These are the source and destination VLAN IDs. The source and destination VLAN IDs are read from left to right in the output.

The traffic is being received from VLAN 5.

The traffic is being transmitted to VLAN 6.

Min plen

This is the minimum packet length for the packets captured in the two flows.

The current value for the first flow is 1500.

The current value for the second flow is 772.

Max plen

This is the maximum packet length for the packets captured in the two flows.

The current value for the first flow is 1500.

The current value for the second flow is 1500.

Min TTL

This is the minimum Time-to-Live (TTL) for the packets captured in the two flows.

The current value is 59.

Max TTL

This is the maximum TTL for the packets captured in the two flows.

The current value is 59.

IP id

This is the IP identification field captured from the first packet of each flow. Both ICMP flows in this example carry the same value, 13499.

ICMP type

This is the Internet Control Message Protocol (ICMP) type field from the first ICMP packet captured in each flow.

The value is 8 for the first flow and 0 for the second flow (see the discussion following the table).

ICMP code

This is the ICMP code field from the first ICMP packet captured in each flow.

The value is 0 for both flows.


There are two ICMP flows shown in the output. You can tell that they were built from the same ICMP datagram because they have the same IP id field value of 13499. When two ICMP flows have the same IP id value, the ICMP datagram being analyzed has been fragmented. (NetFlow stores the IP id of the first packet in each flow, so the values match only when both flows started with fragments of the same datagram.) The first flow has the ICMP type field set to 8, which indicates that this is an ICMP echo request (ping) datagram. The value of 0 in the ICMP type field of the second flow does not mean that this flow is an ICMP echo reply, even though Table 2 lists type 0 as echo reply. Only the first fragment of a fragmented ICMP datagram carries the ICMP header; the later fragments consist of an IP header followed by data, so there is no type or code field for NetFlow to read and the default value of 0 is inserted instead. The same applies to the port fields of a non-initial fragment, which are also shown as 0.


Note If this data were captured from a real ICMP attack it would probably have more than one flow.


Although you cannot determine the original size of the ICMP datagram from the information shown by the show ip cache verbose flow command, the fact that it was large enough to be fragmented in transit is a good indication that this is not a normal ICMP datagram. Notice the values in the minimum and maximum packet length fields for both flows. Both fields are set to 1500 for the first flow; for the second flow the minimum packet length is 772 and the maximum is 1500. A packet length of 1500 is the Ethernet MTU, which is what you expect to see when a larger datagram has been fragmented to fit the link.

If this traffic is identified as a DoS attack based on the data captured in the Layer 3 fields, you can use the Layer 2 information in the flows to identify the path the traffic is taking through the network. In this example, the traffic is being sent to R3 on VLAN 5 by R2. You can establish that R2 is transmitting the traffic over interface 1/0.1 because the source MAC address (aaaa.bbbb.cc03) belongs to interface 1/0.1 on R2. You can establish that R3 is transmitting the traffic on VLAN 6 from its interface 1/0.1 to interface 1/0.1 on R4, because the destination MAC address (aaaa.bbbb.cc06) belongs to interface 1/0.1 on R4.

You can use this information to mitigate this attack. One possible way is to configure an extended IP access list, applied inbound on the interface that receives the traffic, that denies ICMP traffic from any host with a source address on the 10.0.0.0 network. Another possible way is to configure a static route for the 10.0.0.0 network that points to the Null0 interface. Note that a null route discards packets destined for the 10.0.0.0 network; on its own it cuts off the return traffic to those hosts, and it drops the attack traffic itself only when unicast RPF is enabled on the receiving interface, so that packets from sources whose route points to Null0 fail the RPF check.


Caution Each of these solutions blocks traffic from legitimate hosts on the 10.0.0.0 network, and the source addresses in attack traffic may be forged. Therefore these solutions should be used only temporarily while you identify the point of origin of the attack and decide how to stop it there.

Additional References

The following sections provide references related to NetFlow Layer 2 and Security Monitoring Exports.

Related Documents

Related Topic
Document Title

General NetFlow Overview

NetFlow Overview section of the Cisco IOS Switching Configuration Guide, Release 12.3


Standards

Standards
Title

There are no new or modified standards associated with this feature.


MIBs

MIBs
MIBs Link

There are no new or modified MIBs associated with this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

There are no new or modified RFCs associated with this feature.


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS command reference publications.

ip flow-capture

show ip cache verbose flow

ip flow-capture

To capture Layer 2 or Layer 3 fields from NetFlow traffic, use the ip flow-capture command in global configuration mode. To disable capturing Layer 2 or Layer 3 fields from NetFlow traffic, use the no ip flow-capture command.

ip flow-capture {icmp | ip-id | mac-addresses | packet-length | ttl | vlan-id}

no ip flow-capture {icmp | ip-id | mac-addresses | packet-length | ttl | vlan-id}

Syntax Description

icmp

Captures the value of the ICMP type and code fields from ICMP datagrams in a flow.

ip-id

Captures the value of the IP-ID field from the first IP datagram in a flow.

mac-addresses

Captures the values of the source and destination MAC addresses from the traffic in a flow.

packet-length

Captures the value of the packet length field from IP datagrams in a flow.

ttl

Captures the value of the Time-to-Live (TTL) field from IP datagrams in a flow.

vlan-id

Captures the value of the 802.1q or ISL VLAN-ID field from VLAN-encapsulated frames in a flow when the frames are received or transmitted on trunk ports.


Defaults

The ip flow-capture command is disabled by default. You must select one of the keywords when you configure the ip flow-capture command.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

ip flow-capture icmp

ip flow-capture ip-id

ip flow-capture packet-length

ip flow-capture ttl

ip flow-capture mac-addresses

ip flow-capture vlan-id


Note You must enable NetFlow accounting on an interface or a subinterface using the ip flow {ingress | egress} command for the ip flow-capture command to take effect. You can enable NetFlow accounting before or after you have entered the ip flow-capture command in global configuration mode.



Note If you want to export the information captured by the ip flow-capture command, you must configure NetFlow export using the ip flow-export destination command, and you must configure NetFlow to use the Version 9 export format. Use the ip flow-export version 9 command to configure the NetFlow Version 9 export format.



Note The fields captured by the ip flow-capture command are not available in the NetFlow MIB.


ip flow-capture icmp

ICMP is used for several purposes. One of the most common is the ping command. A host sends an ICMP echo request to a destination host to verify that the destination is reachable over IP; if it is, the destination responds with an ICMP echo reply. Refer to RFC 792 (http://www.freesoft.org/CIE/RFC/792/) for more information on ICMP.

ICMP packets have been used in many types of attacks on networks. Two of the most common attacks are denial-of-service (DoS) attacks and the ping of death attack.

DoS attack—Any action or actions that prevent any part of a system from functioning in accordance with its intended purpose. This includes any action that causes unauthorized delay of service. Generally, DoS attacks do not destroy data or resources, but prevent access or use. In network operations, flooding a device with ping packets when the device has not been configured to block or ignore them can cause a denial of service.

ping of death—An attack that sends an oversized ICMP echo request (one whose fragments reassemble to more than the 65,535-byte maximum IP datagram size) with the intent of overflowing the input buffers of the destination machine and causing it to crash.

Finding out the types of ICMP traffic in your network can help you decide if your network is being attacked by ICMP packets.

The ip flow-capture icmp command captures the value of the ICMP type field and the ICMP code field from the first ICMP packet detected in a flow.

ip flow-capture ip-id

It is possible for a host to receive IP datagrams from two or more senders concurrently. When this happens the receiving host must be able to identify the fragments belonging to each incoming datagram, to ensure that it does not combine fragments from different datagrams during reassembly. The IP header identification field is used for this purpose.

The ip flow-capture ip-id command captures the value of the IP header identification field from the first packet in the flow. The value in the IP header identification field is a sequence number assigned by the host that originally transmitted the IP datagram. All of the fragments of an IP datagram carry the same identification value, which is what allows the destination host to match each fragment to its datagram during reassembly. The sending host is responsible for ensuring that each subsequent IP datagram it sends to the same destination host has a unique value in the IP header identification field.

If you are seeing several flows with the same value for the IP header identification field, it is possible that your network is being attacked by a host that is constantly sending the same IP packets over and over.

ip flow-capture packet-length

The value in the total length field of the IP header is the length of the whole IP datagram in bytes, including the IP header.

Use the ip flow-capture packet-length command to capture the value of the IP total length field for packets in the flow. The ip flow-capture packet-length command keeps track of the minimum and maximum values captured from the flow. This data is updated when a packet with a packet length that is lower or higher than the currently stored value is received. For example, if the currently stored value for the minimum packet length is 1024 bytes and the next packet received has a packet length of 512 bytes, the 1024 is replaced with 512.

If you are seeing several IP datagrams in the flow with the same value for the packet-length field, it is possible that your network is being attacked by a host that is constantly sending the same IP packets over-and-over.

ip flow-capture ttl

The TTL field is used to prevent the indefinite forwarding of IP datagrams. The TTL field contains a counter value set by the source host. Each router that processes this datagram decreases the TTL value by 1. When the TTL value reaches 0, the datagram is discarded.

Without the TTL field, an IP packet could live indefinitely in a network in two scenarios:

The first scenario occurs when a host sends an IP datagram to an IP network that doesn't exist and all of the routers in the network have a gateway of last resort configured, that is, a gateway to which they forward IP datagrams for unknown destinations. Each router in the network receives the datagram and attempts to determine the best interface to use to forward it. Because the destination network is unknown, the best interface for the router to use to forward the datagram to the next hop is always the interface to which the gateway of last resort is assigned.

The second scenario occurs when there is a mis-configuration in the network that results in a routing loop. For example, suppose that one router forwards an IP datagram to another router because it appears to be the correct next-hop router. The receiving router sends it back because it believes that the correct next-hop router is the router that it received the IP datagram from in the first place.

The ip flow-capture ttl command keeps track of the minimum and maximum values captured from the flow. This data is updated when a packet with a TTL that is lower or higher than the currently stored value is received. For example if the currently stored value for the minimum TTL is 64 and the next packet received has a TTL of 12, the 64 is replaced by 12.

If you are seeing several flows with the same value for the TTL, it is possible that your network is being attacked by a host that is constantly sending the same IP packets over and over. Under normal circumstances, flows come from many sources, each a different distance away. Therefore you should see a variety of TTLs across all the flows that NetFlow is capturing.

ip flow-capture mac-addresses

The ip flow-capture mac-addresses command captures the incoming source MAC address and the outgoing destination MAC address from the first Layer 2 frame in the flow. If you discover that your network is being attacked by Layer 3 traffic, you can use these addresses to identify the device that is transmitting the traffic that the router receives, and the next-hop or final destination device to which the router forwards the traffic.

ip flow-capture vlan-id

A VLAN is a broadcast domain within a switched network: the set of ports to which the network propagates a broadcast frame generated by a station. Some switches can be configured to support single or multiple VLANs. Whenever a switch supports multiple VLANs, broadcasts within one VLAN never appear in another VLAN.

Each VLAN is also a separate Layer 3 network. A router or a multilayer switch must be used to interconnect the Layer 3 networks that are assigned to the VLANs. For example, in order for a device on VLAN 2 with an IP address of 172.16.0.76 to communicate with a device on VLAN 3 with an IP address of 172.17.0.34, the two devices must use a router as an intermediary device, because they are on different Class B IP networks. This is typically accomplished by connecting a switch to a router and configuring the link between them as a VLAN trunk. In order for the link to be used as a VLAN trunk, the interfaces on the router and the switch must be configured for the same VLAN encapsulation type.


Note When a router is configured to route traffic between VLANs, it is often referred to as an inter-VLAN router.


When a router or a switch needs to send traffic on a VLAN trunk, it must either tag the frames using the IEEE 802.1q protocol or encapsulate the frames using the Cisco Inter-Switch Link (ISL) protocol. The VLAN tag or encapsulation header must contain the correct VLAN ID to ensure that the device receiving the frames can process them properly. The device that receives the VLAN traffic examines the VLAN ID of each frame to find out how it should process the frame. For example, when a switch receives a broadcast frame such as an Address Resolution Protocol (ARP) request with an 802.1q VLAN ID of 6 from a router, it forwards the frame to every interface that is assigned to VLAN 6 and to any interfaces that are configured as VLAN trunks.

The ip flow-capture vlan-id command captures the VLAN ID number from the first frame in the flow it receives that has an 802.1q tag or that is encapsulated with ISL. When the received traffic in the flow is transmitted over an interface that is configured with either 802.1q or ISL trunking, the ip flow-capture vlan-id command captures the destination VLAN ID number from the 802.1q or ISL VLAN header from the first frame in the flow.


Note The ip flow-capture vlan-id command does not capture the type of VLAN encapsulation in use. The receiving and transmitting interfaces can use different VLAN protocols. If only one of the interfaces is configured as a VLAN trunk, the VLAN ID field is blank for the other interface.


Your router configuration must meet the following criteria before NetFlow can capture the value in the VLAN-ID field:

It must have at least one LAN interface that is configured with one or more subinterfaces.

The subinterfaces where you want to receive VLAN traffic must have either 802.1q or ISL enabled.

The subinterfaces that are configured to receive VLAN traffic must have the ip flow ingress command configured on them in order for NetFlow to capture the value in the VLAN-ID field.

If you discover that your network is being attacked by Layer 3 traffic, you can use the VLAN-ID information to help you find out which VLAN the device that is sending the traffic is on. The information can also help you identify the VLAN to which the router is forwarding the traffic.

Examples

ip flow-capture icmp

ip flow-capture ip-id

ip flow-capture packet-length

ip flow-capture ttl

ip flow-capture mac-addresses

ip flow-capture vlan-id

ip flow-capture icmp

The following example shows how to configure NetFlow to capture the value of the ICMP Type field and the value of the Code field from the IP datagrams in the flow:

RouterA(config)# ip flow-capture icmp

ip flow-capture ip-id

The following example shows how to configure NetFlow to capture the value of the IP-ID field from the IP datagrams in the flow:

RouterA(config)# ip flow-capture ip-id

ip flow-capture packet-length

The following example shows how to configure NetFlow to capture the value of the packet length field from the IP datagrams in the flow:

RouterA(config)# ip flow-capture packet-length

ip flow-capture ttl

The following example shows how to configure NetFlow to capture the TTL field from the IP datagrams in the flow:

RouterA(config)# ip flow-capture ttl

ip flow-capture mac-addresses

The following example shows how to configure NetFlow to capture the source and destination MAC addresses from the Layer 2 frames carrying the IP datagrams in the flow:

RouterA(config)# ip flow-capture mac-addresses

ip flow-capture vlan-id

The following example shows how to configure NetFlow to capture the VLAN ID from the 802.1q-tagged or ISL-encapsulated frames carrying the IP datagrams in the flow:

RouterA(config)# ip flow-capture vlan-id

Related Commands

Command
Description

ip flow {ingress | egress}

Enables ingress or egress NetFlow data collection on the interface.

ip route-cache flow

Enables ingress NetFlow data collection on the interface.

ip flow-export version

Enables NetFlow Version 9 data export.

ip flow-cache mpls label-positions

Enables MPLS-aware NetFlow.

show ip cache verbose flow

Displays the NetFlow switching statistics.

show ip flow export

Displays NetFlow export statistics.

show ip flow interfaces

Displays the flow configuration on interfaces.

show ip flow top-talkers

Displays the top talkers.


show ip cache verbose flow

To display a detailed summary of NetFlow statistics, use the show ip cache verbose flow command in privileged EXEC mode.

show ip cache verbose flow

Syntax Description

This command has no keywords or arguments.

Command Modes

Privileged EXEC

Command History

Release
Modification

11.1

This command was introduced.

11.1CA

The information display for the command was updated.

12.3(1)

The command output was updated to display additional NetFlow fields.

12.0(24)S

MPLS flow records were added to the command output.

12.3(4)T, 12.3(6), 12.2(20)S

The execute-on command was implemented on the Cisco 7500 platforms to include the remote execution of the show ip cache verbose flow command.

12.3(8)T

MPLS flow records were added to the command output for Cisco IOS Release 12.3(8)T.

12.3(11)T

Support for egress flow accounting was added, and the [prefix mask] and [type number] arguments were removed.

12.3(14)T

Support for NetFlow Layer 2 and Security Monitoring Exports was added.


Usage Guidelines

Use the show ip cache verbose flow command to display flow record fields in the NetFlow cache in addition to the fields that are displayed with the show ip cache flow command. The values in the additional fields that are shown depend on the NetFlow features that are enabled and the flags that are set in the flow.


Note The flags, and therefore the fields, might vary from flow to flow.


Some of the content in the display of the show ip cache verbose flow command uses multiline headings and multiline data fields. Figure 8 shows how to associate the headings with the correct data fields when there are two lines of headings and two lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields.

When other features such as IP Multicast are configured, the number of lines in the headings and data fields increases. The method for associating the headings with the correct data fields remains the same.

Figure 8 How to use the Multiline Headings and Multiline Data Fields in the Display Output of the show ip cache verbose flow Command

When the NetFlow Multicast Support feature is enabled, the show ip cache verbose flow command displays the number of replicated packets and the packet byte count for NetFlow multicast accounting. When you configure the NetFlow Version 9 Export Format feature, this command displays additional NetFlow fields in the header.

When you configure the MPLS-aware NetFlow feature, you can use the show ip cache verbose flow command to display both the IP and MPLS portions of MPLS flows in the NetFlow cache on a router line card. To display only the IP portion of the flow record in the NetFlow cache when MPLS-aware NetFlow is configured, use the show ip cache flow command.

Displaying Detailed NetFlow Cache Information on Platforms Running Distributed Cisco Express Forwarding

On platforms running Distributed Cisco Express Forwarding (dCEF), NetFlow cache information is maintained on each line card or Versatile Interface Processor. If you want to use the show ip cache verbose flow command to display this information on a distributed platform, you must enter the command at a line card prompt.

Cisco 7500 Series Platform

To display detailed NetFlow cache information on a Cisco 7500 series router that is running dCEF, enter the following sequence of commands:

Router# if-con slot-number
LC-slot-number# show ip cache verbose flow 

For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:

Router# execute-on slot-number show ip cache verbose flow 

Cisco 12000 Series Platform

To display detailed NetFlow cache information on a Cisco 12000 Series Internet Router, enter the following sequence of commands:

Router# attach slot-number
LC-slot-number# show ip cache verbose flow

For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:

Router# execute-on slot-number show ip cache verbose flow 

Examples

The following example shows output from the show ip cache verbose flow command:

Router# show ip cache verbose flow

IP packet size distribution (25229 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .206 .793 .000 .000 .000 .000 .000 .000

The preceding output shows the percentage distribution of packets by size. In this display, 20.6 percent of the packets fall in the 1024-byte size range and 79.3 percent fall in the 1536-byte range.

The next section of the output can be divided into three sections. The section and the table corresponding to each are as follows:

Field Descriptions in the NetFlow Cache Section of the Output (Table 14)

Field Descriptions in the Activity by Protocol Section of the Output (Table 15)

Field Descriptions in the NetFlow Record Section of the Output (Table 16)

IP Flow Switching Cache, 278544 bytes
  6 active, 4090 inactive, 17 added
  505 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 10 seconds
IP Sub Flow Cache, 25736 bytes
  12 active, 1012 inactive, 39 added, 17 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet           1      0.0       362   940      2.7      60.2       0.0
TCP-FTP              1      0.0       362   840      2.7      60.2       0.0
TCP-FTPD             1      0.0       362   840      2.7      60.1       0.1
TCP-SMTP             1      0.0       361  1040      2.7      60.0       0.1
UDP-other            5      0.0         1    66      0.0       1.0      10.6
ICMP                 2      0.0      8829  1378    135.8      60.7       0.0
Total:              11      0.0      1737  1343    147.0      33.4       4.8

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Et0/0.1        10.251.138.218  Et1/0.1        172.16.10.2     06 80  00      65 
0015 /0  0                     0015 /0  0     0.0.0.0               840    10.8
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      840                            Max plen:       840
Min TTL:        59                            Max TTL:         59
IP id:           0

Et0/0.1        172.16.6.1      Et1/0.1        172.16.10.2     01 00  00    4880 
0000 /0  0                     0000 /0  0     0.0.0.0              1354    20.1
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      772                            Max plen:       1500
Min TTL:       255                            Max TTL:        255
ICMP type:       0                            ICMP code:        0
IP id:        2943                            FO:            185

Et0/0.1        10.10.13.1      Et1/0.1        172.16.10.2     06 80  00      65 
0017 /0  0                     0017 /0  0     0.0.0.0               940    10.8
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      940                            Max plen:       940
Min TTL:        59                            Max TTL:         59
IP id:           0

Et0/0.1        10.89.38.215    Et1/0.1        172.16.10.2     06 80  00      65 
0014 /0  0                     0014 /0  0     0.0.0.0               840    10.8
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      840                            Max plen:       840
Min TTL:        59                            Max TTL:         59
IP id:           0

Et0/0.1        10.10.14.1      Et1/0.1        172.16.10.2     06 80  00      66 
0019 /0  0                     0019 /0  0     0.0.0.0              1040    11.0
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      1040                            Max plen:       1040
Min TTL:        59                            Max TTL:         59
IP id:           0

Et0/0.1        172.16.6.1      Et1/0.1        172.16.10.2     01 00  10     975 
0000 /0  0                     0800 /0  0     0.0.0.0              1500    20.1
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      1500                            Max plen:       1500
Min TTL:       255                            Max TTL:        255
ICMP type:       8                            ICMP code:        0
IP id:        2944

R3#
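The following Python script is an added example, not code from the Cisco document. It parses flow records in the format shown above and carries out the analysis the document describes by hand: it pairs the ICMP flow that carries the echo-request header with the flow built from the remaining fragments (using FO, the fragment offset, which the sample shows only on the fragment flow, and the fact that a non-initial fragment has no ICMP header, so its type, code and port fields are stored as 0), reports the Layer 2 path from the MAC and VLAN columns, and applies the TTL heuristic from the ip flow-capture ttl usage guidelines by flagging groups of distinct sources whose flows all arrive with one constant TTL. The sample records are constructed from the output above; the dictionary field names, the function names and the minimum-sources threshold are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the records above: three TCP flows from different sources
# and the two ICMP flows that one fragmented ping produced (not captured from a real router).
SAMPLE = """\
Et0/0.1        10.251.138.218  Et1/0.1        172.16.10.2     06 80  00      65
0015 /0  0                     0015 /0  0     0.0.0.0               840    10.8
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      840                            Max plen:       840
Min TTL:        59                            Max TTL:         59
IP id:           0
Et0/0.1        172.16.6.1      Et1/0.1        172.16.10.2     01 00  00    4880
0000 /0  0                     0000 /0  0     0.0.0.0              1354    20.1
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      772                            Max plen:       1500
Min TTL:       255                            Max TTL:        255
ICMP type:       0                            ICMP code:        0
IP id:        2943                            FO:            185
Et0/0.1        10.10.13.1      Et1/0.1        172.16.10.2     06 80  00      65
0017 /0  0                     0017 /0  0     0.0.0.0               940    10.8
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      940                            Max plen:       940
Min TTL:        59                            Max TTL:         59
IP id:           0
Et0/0.1        10.89.38.215    Et1/0.1        172.16.10.2     06 80  00      65
0014 /0  0                     0014 /0  0     0.0.0.0               840    10.8
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      840                            Max plen:       840
Min TTL:        59                            Max TTL:         59
IP id:           0
Et0/0.1        172.16.6.1      Et1/0.1        172.16.10.2     01 00  10     975
0000 /0  0                     0800 /0  0     0.0.0.0              1500    20.1
MAC: (VLAN id) aaaa.bbbb.cc03  (005)          aaaa.bbbb.cc06  (006)
Min plen:      1500                           Max plen:       1500
Min TTL:       255                            Max TTL:        255
ICMP type:       8                            ICMP code:        0
IP id:        2944
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
HDR = re.compile(r"^(\S+)\s+" + IPV4 + r"\s+(\S+)\s+" + IPV4 +
                 r"\s+([0-9a-f]{2})\s+([0-9a-f]{2})\s+([0-9a-f]{2})\s+(\d+)\s*$", re.I)
PORTS = re.compile(r"^([0-9a-f]{4})\s+/(\d+)\s+(\d+)\s+([0-9a-f]{4})\s+/(\d+)\s+(\d+)\s+"
                   + IPV4 + r"\s+(\d+)\s+([\d.]+)\s*$", re.I)
MAC = re.compile(r"^MAC: \(VLAN id\)\s+(\S+)\s+\((\d+)\)\s+(\S+)\s+\((\d+)\)")
KV = re.compile(r"(Min plen|Max plen|Min TTL|Max TTL|ICMP type|ICMP code|IP id|FO):\s*(\d+)")
ICMP = 1

def parse_records(text):
    """Turn the flow-record lines (not the cache summary) into one dict per flow."""
    recs, cur = [], None
    for line in text.splitlines():
        if m := HDR.match(line):
            cur = dict(src_if=m[1], src=m[2], dst_if=m[3], dst=m[4], proto=int(m[5], 16), pkts=int(m[8]))
            recs.append(cur)
        elif cur is None:
            continue
        elif m := PORTS.match(line):   # IOS puts ICMP type*256+code in the dst port (0800 = echo request)
            cur.update(sport=int(m[1], 16), dport=int(m[4], 16), bpk=int(m[8]), active=float(m[9]))
        elif m := MAC.match(line):
            cur.update(src_mac=m[1], src_vlan=int(m[2]), dst_mac=m[3], dst_vlan=int(m[4]))
        else:                          # "Min plen", "Max TTL", "ICMP type", "IP id", "FO", ...
            cur.update((k.lower().replace(" ", "_"), int(v)) for k, v in KV.findall(line))
    return recs

def icmp_header(r):
    """Type/code exist only in the first fragment; a later fragment has no ICMP header,
    so IOS stores the default 0/0 and the sample shows the fragment offset (FO) instead."""
    if r.get("fo", 0) > 0:
        return "non-initial fragment at offset %d (no ICMP header)" % r["fo"]
    kind = {8: "echo request", 0: "echo reply"}.get(r.get("icmp_type"), "type %s" % r.get("icmp_type"))
    return "%s, code %s" % (kind, r.get("icmp_code"))

def find_fragmented_icmp(recs):
    """Pair, per source/destination, the ICMP flow carrying the header with the flow(s)
    built from the remaining fragments, and report the Layer 2 path from the MAC/VLAN fields."""
    by_pair = defaultdict(list)
    for r in recs:
        if r["proto"] == ICMP:
            by_pair[(r["src"], r["dst"])].append(r)
    hits = []
    for (src, dst), flows in by_pair.items():
        frags = [f for f in flows if f.get("fo", 0) > 0]
        heads = [f for f in flows if f.get("fo", 0) == 0]
        if frags and heads:
            h = heads[0]
            hits.append(dict(src=src, dst=dst, header=icmp_header(h),
                             pkts=sum(f["pkts"] for f in flows),
                             max_plen=max(f.get("max_plen", 0) for f in flows),
                             path="%s (VLAN %s) -> %s (VLAN %s)" % (h.get("src_mac"), h.get("src_vlan"),
                                                                    h.get("dst_mac"), h.get("dst_vlan"))))
    return hits

def shared_ttl_sources(recs, min_sources=3):
    """TTL heuristic: several distinct sources whose flows all arrive with one constant TTL
    point to a single origin (or forged sources) rather than hosts at different distances."""
    by_ttl = defaultdict(set)
    for r in recs:
        if "min_ttl" in r and r["min_ttl"] == r.get("max_ttl"):
            by_ttl[r["min_ttl"]].add(r["src"])
    return {ttl: sorted(srcs) for ttl, srcs in by_ttl.items() if len(srcs) >= min_sources}
```

To analyze a live capture, replace SAMPLE with the saved terminal output of show ip cache verbose flow and print the results of find_fragmented_icmp and shared_ttl_sources. Matching fragments on the IP id alone is deliberately not used: NetFlow stores the IP id of each flow's first packet, and the two ICMP flows in the sample began on different datagrams (2943 and 2944), so the fragment offset is the reliable signal.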

Table 14 describes the significant fields shown in the NetFlow cache section of the output.

Table 14 Field Descriptions in the NetFlow Cache Section of the Output 

Field
Description

bytes

Number of bytes of memory used by the NetFlow cache.

active

Number of active flows in the NetFlow cache at the time this command was entered.

inactive

Number of flow buffers that are allocated in the NetFlow cache but that were not assigned to a specific flow at the time this command was entered.

added

Number of flows created since the start of the summary period.

ager polls

Number of times the NetFlow code caused entries to expire (used by Cisco for diagnostics only).

flow alloc failures

Number of times the NetFlow code tried to allocate a flow but could not.

last clearing of statistics

The period of time that has passed since the clear ip flow stats privileged EXEC command was last executed. The standard time output format of hours, minutes, and seconds (hh:mm:ss) is used for a period of time less than 24 hours. This time output changes to hours and days after the time exceeds 24 hours.


Table 15 describes the significant fields shown in the activity by protocol section of the output.

Table 15 Field Descriptions in the Activity by Protocol Section of the Output 

Field
Description

Protocol

IP protocol and the well-known port number. (Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.)

Note Only a small subset of all protocols is displayed.

Total Flows

Number of flows in the cache for this protocol since the last time the statistics were cleared.

Flows/Sec

Average number of flows for this protocol per second; equal to the total flows divided by the number of seconds for this summary period.

Packets/Flow

Average number of packets for the flows for this protocol; equal to the total packets for this protocol divided by the number of flows for this protocol for this summary period.

Bytes/Pkt

Average number of bytes for the packets for this protocol; equal to the total bytes for this protocol divided by the total number of packets for this protocol for this summary period.

Packets/Sec

Average number of packets for this protocol per second; equal to the total packets for this protocol divided by the total number of seconds for this summary period.

Active(Sec)/Flow

Number of seconds from the first packet to the last packet of an expired flow divided by the number of total flows for this protocol for this summary period.

Idle(Sec)/Flow

Number of seconds observed from the last packet in each nonexpired flow for this protocol until the time at which the show ip cache verbose flow command was entered divided by the total number of flows for this protocol for this summary period.


Table 16 describes the significant fields in the NetFlow record section of the output.

Table 16 Field Descriptions in the NetFlow Record Section of the Output 

Field
Description

SrcIf

Interface on which the packet was received.

Port Msk AS

Source port number (displayed in hexadecimal format), IP address mask, and autonomous system number. The value of this field is always set to 0 in MPLS flows.

SrcIPaddress

IP address of the device that transmitted the packet.

DstIf

Interface from which the packet was transmitted. 

Note If an asterisk (*) immediately follows the DstIf field, the flow being shown is an egress flow.

Port Msk AS

Destination port number (displayed in hexadecimal format), IP address mask, and autonomous system. This is always set to 0 in MPLS flows.

DstIPaddress

IP address of the destination device.

NextHop

The BGP next-hop address. This is always set to 0 in MPLS flows.

Pr

IP protocol number (the IANA-assigned value, for example 01 for ICMP and 06 for TCP), displayed in hexadecimal format. (Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.)

ToS

Type of service, displayed in hexadecimal format.

B/Pk

Average number of bytes observed for the packets seen for this flow.

Flgs

TCP flags, shown in hexadecimal format (result of bitwise OR of TCP flags from all packets in the flow).

Pkts

Number of packets in this flow.

Active

Time the flow has been active.

MAC

Source and destination MAC addresses from the Layer 2 frames in the flow.

VLAN id

Source and destination VLAN IDs from the Layer 2 frames in the flow.

Min plen

Minimum packet length for the packets in the flow.

Note This value is updated when a datagram with a lower value is received.

Max plen

Maximum packet length for the packets in the flow.

Note This value is updated when a datagram with a higher value is received.

Min TTL

Minimum Time-To-Live (TTL) for the packets in the flow.

Note This value is updated when a datagram with a lower value is received.

Max TTL

Maximum TTL for the packets in the flow.

Note This value is updated when a datagram with a higher value is received.

IP id

IP identifier field for the packets in the flow.

ICMP type

Internet Control Message Protocol (ICMP) type field from the ICMP datagram in the flow.

ICMP code

ICMP code field from the ICMP datagram in the flow.

FO

Fragment offset field from the first fragmented datagram in the flow.


The following example shows the NetFlow output of the show ip cache verbose flow command in which the sampler, class-id, and general flags are set. What is displayed for a flow depends on what flags are set in the flow. If the flow was captured by a sampler, the output shows the sampler ID. If the flow was marked by Modular QoS CLI (MQC), the display includes the class ID. If any general flags are set, the output includes the flags.

...
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
BGP: BGP NextHop
Et1/0          8.8.8.8         Et0/0*         9.9.9.9         01 00  10       3 
0000 /8  302                   0800 /8  300   3.3.3.3               100     0.1
BGP: 2.2.2.2         Sampler: 1  Class: 1  FFlags: 01  

Table 17 describes the significant fields shown in the NetFlow output for a sampler, for an MQC policy class, and for general flags.

Table 17 show ip cache verbose flow Field Descriptions for a NetFlow Sampler, an MQC Policy Class, and General Flags 

Field (With Sample Values)
Description

Sampler: 1

Shows the ID of the sampler that captured the flow. The sampler ID in this example is 1.

Class: 1

Shows the ID of the Modular QoS CLI (MQC) traffic class. The class ID in this example is 1.

FFlags: 01

Shows the general flow flag (shown in hexadecimal format), which is the bitwise OR of one or more of the following:

01 indicates an output (or egress) flow. (If this bit is not set, the flow is an input [or ingress] flow.)

02 indicates a flow that was dropped (for example, by an access control list [ACL]).

04 indicates a Multiprotocol Label Switching (MPLS) flow.

08 indicates an IP version 6 (IPv6) flow.

The flow flag in this example is 01 (an egress flow).


The following example shows the NetFlow output for the show ip cache verbose flow command when NetFlow BGP next-hop accounting is enabled:

Router# show ip cache verbose flow 
...
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs   Pkts 
Port Msk AS                    Port Msk AS    NextHop              B/Pk   Active 
MUL:M_Opaks  M_Obytes BGP:BGP_NextHop 
Et0/0/2        12.0.0.2        Et0/0/4        13.0.0.5        01 00  10      20 
0000 /8  0                     0800 /8  0     11.0.0.6              100     0.0 
BGP:26.0.0.6 
Et0/0/2        12.0.0.2        Et0/0/4        15.0.0.7        01 00  10      20 
0000 /8  0                     0800 /8  0     11.0.0.6              100     0.0 
BGP:26.0.0.6 
Et0/0/2        12.0.0.2        Et0/0/4        15.0.0.7        01 00  10      20 
0000 /8  0                     0000 /8  0     11.0.0.6              100     0.0 
BGP:26.0.0.6

Table 18 describes the significant fields shown in the NetFlow BGP next-hop accounting lines of the output.

Table 18 show ip cache verbose flow Field Descriptions in NetFlow BGP Next-Hop Accounting Output

Field
Description

M_Opaks

Displays the number of multiprotocol BGP next-hop output packets.

M_Obytes

Displays the number of multiprotocol BGP next-hop output bytes.

BGP:BGP_NextHop

Destination address for the BGP next hop.

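Reading these multi-line records by hand is error-prone, and a collector script that consumes them on a security desk has to decode the same hexadecimal columns described in Table 16 and Table 17 (protocol number, ports, TCP flags, FFlags) and the asterisk that marks an egress flow. The following parser is an added example, not Cisco code or part of this reference. It is fed a constructed sample modelled on the records shown above (the sampler/class/FFlags record, a BGP next-hop record, and the MPLS-aware record from later in this section); the TCP record with Pr 06, Flgs 1B and ports 0050/C350 is made up to exercise TCP flag decoding. The FFlags bit meanings come from Table 17; the TCP flag bit positions and the ICMP type/code encoding in the destination port field follow the standard NetFlow convention.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on show ip cache verbose flow records shown in this reference.
# The TCP record (Pr 06, Flgs 1B, ports 0050/C350) is made up to exercise TCP flag decoding.
SAMPLE_OUTPUT = """\
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
BGP: BGP NextHop
Et1/0          8.8.8.8         Et0/0*         9.9.9.9         01 00  10       3
0000 /8  302                   0800 /8  300   3.3.3.3               100     0.1
BGP: 2.2.2.2         Sampler: 1  Class: 1  FFlags: 01
Et0/0/2        12.0.0.2        Et0/0/4        13.0.0.5        06 00  1B      20
0050 /8  0                     C350 /8  0     11.0.0.6              100     0.0
BGP:26.0.0.6
PO3/0          10.1.1.1        PO5/1          10.2.1.1        01 00  10       9
0100 /0  0                     0200 /0  0     0.0.0.0               100     0.0
Pos:Lbl-Exp-S 1:12305-6-0 (LDP/10.10.10.10) 2:12312-6-1
"""

FFLAG_BITS = {0x01: "egress", 0x02: "dropped", 0x04: "mpls", 0x08: "ipv6"}  # Table 17
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

HEX2, HEX4, IP = r"[0-9A-Fa-f]{2}", r"[0-9A-Fa-f]{4}", r"\d+\.\d+\.\d+\.\d+"
# Line 1: SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
_LINE1 = re.compile(rf"^(\S+)\s+({IP})\s+(\S+)\s+({IP})\s+({HEX2})\s+({HEX2})\s+({HEX2})\s+(\d+)$")
# Line 2: Port Msk AS   Port Msk AS   NextHop B/Pk Active
_LINE2 = re.compile(rf"^({HEX4})\s+/(\d+)\s+(\d+)\s+({HEX4})\s+/(\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d.]+)$")
# MPLS label entries: pos:label-exp-s, optionally followed by (type/address)
_LABEL = re.compile(r"(\d+):(\d+)-(\d+)-(\d+)(?:\s+\(([^)]+)\))?")


def decode_bits(value: int, table: dict) -> List[str]:
    """Expand a bitwise-OR'ed flag byte into the names of the bits that are set."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_label_stack(line: str) -> List[Tuple[int, int, int, int, Optional[str]]]:
    """Parse a 'Pos:Lbl-Exp-S ...' line into (pos, label, exp, s_bit, type/addr) tuples."""
    return [(int(p), int(l), int(e), int(s), t or None) for p, l, e, s, t in _LABEL.findall(line)]


@dataclass
class FlowRecord:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    egress: bool          # an asterisk after DstIf marks an egress flow
    protocol: int         # Pr column, decoded from hex
    tos: int
    tcp_flags: int        # Flgs column: OR of the TCP flags of every packet in the flow
    packets: int
    src_port: int
    dst_port: int
    src_as: int
    dst_as: int
    next_hop: str
    bytes_per_pkt: int
    active: float
    bgp_next_hop: Optional[str] = None
    sampler: Optional[int] = None
    class_id: Optional[int] = None
    fflags: int = 0
    labels: List[tuple] = field(default_factory=list)

    @property
    def protocol_name(self) -> str:
        return PROTO_NAMES.get(self.protocol, str(self.protocol))

    @property
    def icmp_type_code(self) -> Optional[Tuple[int, int]]:
        # For ICMP flows the dst port field carries type in the high byte, code in the low byte
        return (self.dst_port >> 8, self.dst_port & 0xFF) if self.protocol == 1 else None

    def fflag_names(self) -> List[str]:
        return decode_bits(self.fflags, FFLAG_BITS)

    def tcp_flag_names(self) -> List[str]:
        return decode_bits(self.tcp_flags, TCP_FLAG_BITS) if self.protocol == 6 else []


def _parse_detail(line: str, rec: FlowRecord) -> None:
    """Fill in the optional third line: BGP next hop, sampler, class, FFlags, or MPLS labels."""
    if line.startswith("Pos:"):
        rec.labels = parse_label_stack(line)
        return
    for attr, pat, conv in (("bgp_next_hop", r"BGP:\s*(\S+)", str),
                            ("sampler", r"Sampler:\s*(\d+)", int),
                            ("class_id", r"Class:\s*(\d+)", int),
                            ("fflags", r"FFlags:\s*([0-9A-Fa-f]+)", lambda v: int(v, 16))):
        m = re.search(pat, line)
        if m:
            setattr(rec, attr, conv(m.group(1)))


def parse_verbose_flow(text: str) -> List[FlowRecord]:
    """A record is a LINE1/LINE2 pair plus an optional BGP:/Pos: detail line; headers are skipped."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    records, i = [], 0
    while i + 1 < len(lines):
        m1, m2 = _LINE1.match(lines[i]), _LINE2.match(lines[i + 1])
        if not (m1 and m2):
            i += 1                      # header, separator, or unrelated line
            continue
        g1, g2 = m1.groups(), m2.groups()
        rec = FlowRecord(
            src_if=g1[0], src_ip=g1[1], dst_if=g1[2].rstrip("*"), dst_ip=g1[3],
            egress=g1[2].endswith("*"), protocol=int(g1[4], 16), tos=int(g1[5], 16),
            tcp_flags=int(g1[6], 16), packets=int(g1[7]),
            src_port=int(g2[0], 16), src_as=int(g2[2]), dst_port=int(g2[3], 16), dst_as=int(g2[5]),
            next_hop=g2[6], bytes_per_pkt=int(g2[7]), active=float(g2[8]),
        )
        i += 2
        if i < len(lines) and lines[i].startswith(("BGP:", "Pos:")):
            _parse_detail(lines[i], rec)
            i += 1
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in parse_verbose_flow(SAMPLE_OUTPUT):
        print(r.src_ip, "->", r.dst_ip, r.protocol_name, r.icmp_type_code or r.tcp_flag_names(),
              "egress" if r.egress else "ingress", r.fflag_names(), r.bgp_next_hop, r.labels)
```

The parser keys on the two-line record shape rather than on column offsets, so the header lines and the BGP: BGP NextHop banner fall through untouched. Once records are structured, the fields a monitoring script cares about (an egress flow whose FFlags also carry the dropped bit, a TCP flow whose accumulated Flgs never include ACK, an ICMP flow whose type/code is echo request) are plain attribute checks.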

The following example shows the NetFlow output for the show ip cache verbose flow command when NetFlow multicast accounting is configured:

Router# show ip cache verbose flow 

...
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts 
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active 
IPM:OPkts    OBytes 
IPM:    0       0 
Et1/1/1        11.0.0.1        Null           227.1.1.1       01 55  10     100 
0000 /8  0                     0000 /0  0     0.0.0.0                28     0.0 
IPM:  100    2800 
Et1/1/1        11.0.0.1        Se2/1/1.16     227.1.1.1       01 55  10     100 
0000 /8  0                     0000 /0  0     0.0.0.0                28     0.0 
IPM:    0       0 
Et1/1/2        12.0.0.1        Et1/1/4        227.2.2.2       01 55  10     100 
0000 /8  0                     0000 /0  0     0.0.0.0                28     0.1 
Et1/1/2        12.0.0.1        Null           227.2.2.2       01 55  10     100 
0000 /8  0                     0000 /0  0     0.0.0.0                28     0.1 
IPM:  100    2800 

Table 19 describes the significant fields shown in the NetFlow multicast accounting lines of the output.

Table 19 show ip cache verbose flow Field Descriptions in NetFlow Multicasting Accounting Output

Field
Description

OPkts

Displays the number of IP multicast (IPM) output packets.

OBytes

Displays the number of IPM output bytes.

DstIPaddress

Displays the destination IP address for the IPM output packets.


The following example shows the output for both the IP and MPLS sections of the flow record in the NetFlow cache when MPLS-aware NetFlow is enabled:

Router# show ip cache verbose flow

...             
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
PO3/0          10.1.1.1        PO5/1          10.2.1.1        01 00  10       9
0100 /0  0                     0200 /0  0     0.0.0.0               100     0.0
Pos:Lbl-Exp-S 1:12305-6-0 (LDP/10.10.10.10) 2:12312-6-1

Table 20 describes the significant fields for the IP and MPLS sections of the flow record in the output.

Table 20 show ip cache verbose flow Field Descriptions for the IP and MPLS Sections of the Flow Record in the Output 

Field
Description

Pos

Position of the MPLS label in the label stack, starting with 1 as the top label.

Lbl

Value given to the MPLS label by the router.

Exp

Value of the experimental bit.

S

Value of the end-of-stack bit. Set to 1 for the oldest entry in the stack and to 0 for all other entries.

LDP/10.10.10.10

Type of MPLS label and associated IP address for the top label in the MPLS label stack.


Related Commands

Command
Description

show ip cache verbose flow

Displays the NetFlow switching statistics.

show ip flow export

Displays NetFlow export statistics.

show ip cache flow

Displays a summary of the NetFlow switching statistics.

show ip flow interfaces

Displays NetFlow configuration on interfaces.

show ip flow top-talkers

Displays NetFlow top talkers.