Downloads |
Table Of Contents
Prerequisites for NetFlow Input Filters
Restrictions for NetFlow Input Filters
Information About NetFlow Input Filters
Modular QoS Command-Line Interface (MQC)
How to Configure NetFlow Input Filters
Creating a Policy Containing NetFlow Sampling Actions
Applying a Policy to an Interface
Configuration Examples for NetFlow Input Filters
Creating a Policy Containing NetFlow Sampling Actions: Example
Applying a Policy to an Interface: Example
NetFlow Input Filters
Full NetFlow accounts for all traffic ingress to the subinterface on which it is enabled. But in some cases, you must gather NetFlow data only on a specific subset of traffic. The NetFlow Input Filters feature provides this capability by letting you create filters to select flows for NetFlow processing. For example, you can select flows from a specific group of hosts. This feature also lets you select various sampling rates for selected flows.
This feature requires the classification of packets in a variety of ways: IP source and destination addresses, Layer 4 protocol and port numbers, incoming interface, MAC address, IP Precedence, DSCP value, Layer 2 information (such as Frame-Relay DE bits or Ethernet 802.1p bits), and NBAR (Network-Based Application Recognition)information. The packets are classified (filtered) on the above criteria, and flow accounting is applied to them on subinterfaces.
This feature is closely related to the Random Sampled NetFlow features, because both features provide ways to limit incoming traffic to only traffic of interest for NetFlow processing. The Random Sampled NetFlow algorithms are applied after input filtering.
History for NetFlow Input Filters Feature
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for NetFlow Input Filters
•
•
•
•
Prerequisites for NetFlow Input Filters
Before you can configure the NetFlow Input Filters feature, you must configure CEF switching or dCEF switching, fast switching is not supported.
Restrictions for NetFlow Input Filters
On Cisco 7500 series platforms, the NetFlow Input Filters feature is supported only in distributed mode.
Information About NetFlow Input Filters
To configure the NetFlow Input Filters feature, you must understand the following concepts:
•
•
Flow
NetFlow provides highly granular per-flow traffic statistics in a Cisco router. A flow is a unidirectional set of packets that arrive at the router on the same subinterface, have the same source and destination IP addresses, Layer 4 protocol, TCP/UDP source and destination ports, and the same type of service (TOS) byte in the IP headers. The router accumulates NetFlow statistics in a NetFlow cache and can export them to an external device (such as the Cisco CNS NetFlow Collection Engine) for further processing.
Modular QoS Command-Line Interface (MQC)
The filtering mechanism uses the Modular QoS Command-Line Interface (MQC) to classify flows. You can create multiple filters with matching samplers on a per subinterface basis. For example, you can subdivide subinterface traffic into multiple classes based on ToS values or destination prefix (or both), and for each class, configure sampling at a different rate—using higher rates for higher-priority classes of traffic and lower rates for lower-priority ones.
Example uses of NetFlow Input Filters are class-based traffic analysis and monitoring on-network or off-network traffic.
Filtering
MQC has many policies (actions) such as bandwidth and queuing. These policies are applied only if a packet matches a criterion in a class map that is applied to the subinterface. A class map contains a set of "match" clauses and instructions on how to evaluate the clauses and acts as a filter for the policies, which are applied only if a packet's content satisfies the match clause. The NetFlow Input Filters feature adds NetFlow accounting to the MQC infrastructure, which means that flow accounting is done on a packet only if it satisfies the match clauses.
There are two types of filter algorithms available: ACL-based flow-mask filters and fields of filter (source IP address, destination IP address, source application port, destination application port, port protocol, ToS bits, and TCP flags).
Export Format
The NetFlow Input Filters feature is supported in the version 5 and version 9 NetFlow export formats.
Subinterface Support
NetFlow Input Filters is supported at the subinterface level. You can configure NetFlow Input Filters per subinterface as well as per physical interface. You can simultaneously select more than one filter per subinterface.
Memory Impact
Performance Impact
How to Configure NetFlow Input Filters
NetFlow Input Filters uses MQC, which is a framework that separates the specification of a classification policy (meaning the definition of traffic classes) and the specification of actions (such as with bandwidth management) that occur based on the results of the applied classification. This feature introduces new type of actions: sending traffic through a sampler and processing it by NetFlow if it is selected by the sampler.
This section describes how to configure a NetFlow policy and consists of the following configuration tasks:
•
•
•
•
Prerequisites
Before you configure NetFlow Input Filters, you must first create traffic classes and define NetFlow sampler maps. For more information about creating traffic classes, refer to the "Modular Quality of Service Command-Line Interface" part in the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.3 and the Cisco IOS Quality of Service Solutions Command Reference, Release 12.3 T. For more information about defining NetFlow sampler maps, see the Random Sampled NetFlow feature module, release 12.3 T.
Creating a Policy Containing NetFlow Sampling Actions
This section shows how to create a class-based policy that contains NetFlow sampling actions. You can assign only one NetFlow Input Filters sampler to a class (assigning a subsequent NetFlow Input Filters sampler to a class overwrites the previous sampler). Removing a NetFlow sampler map also removes the NetFlow Input Filters sampler under the corresponding policy map.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Applying a Policy to an Interface
This section shows how to apply a policy containing NetFlow sampling actions to an interface. After you define a service policy with the policy-map command, you use the service-policy command in interface configuration mode to attach it to one or more interfaces to specify the service policy for those interfaces. Although you can assign the same service policy to multiple interfaces, each interface can have only one service policy attached. You can apply the service policy only in the input direction.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Troubleshooting Tips
Use the debug flow-sampler class-based command to display debugging output for the NetFlow Input Filters feature.
Configuration Examples for NetFlow Input Filters
This section provides the following configuration examples:
•
•
Creating a Policy Containing NetFlow Sampling Actions: Example
The following example shows how to create a class-based policy containing NetFlow sampling actions. In this example, a sampling action named my_high_sampling is applied to a class named my_high_importance_class, a sampling action named my_medium_sampling is applied to a class named my_medium_importance_class, and a sampling action named my_low_sampling is applied to the default class.
Router> enablePassword:Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# policy-map mypolicymapRouter(config-pmap)# class my_high_importance_classRouter(config-pmap-c)# netflow-sampler my_high_samplingRouter(config-pmap-c)# exitRouter(config-pmap)# class my_medium_importance_classRouter(config-pmap-c)# netflow-sampler my_medium_samplingRouter(config-pmap-c)# exitRouter(config-pmap)# class class-defaultRouter(config-pmap-c)# netflow-sampler my_low_samplingRouter(config-pmap-c)# endRouter#3w5d:%SYS-5-CONFIG_I: Configured from console by consoleApplying a Policy to an Interface: Example
The following example shows how to apply a policy containing NetFlow sampling actions to an interface. In this example, a policy named mypolicymap is attached to interface POS1/0 and also to interface ATM2/0:
Router> enablePassword:Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# interface POS1/0Router(config-if)# service-policy input mypolicymapRouter(config-if)# exitRouter(config)# interface ATM2/0Router(config-if)# service-policy input mypolicymapRouter(config-if)# endRouter#3w5d:%SYS-5-CONFIG_I: Configured from console by consoleRouter(config)# class-map my_high_importance_classRouter(config-cmap)# match access-group 101Router(config-cmap)# exitRouter(config)# class-map my_medium_importance_classRouter(config-cmap)# match access-group 102Router(config-cmap)# exitRouter(config)# flow-sampler-map my_high_samplingRouter(config-sampler-map)# mode random one-out-of 1Router(config-sampler-map)# exitRouter(config)# flow-sampler-map my_medium_samplingRouter(config-sampler-map)# mode random one-out-of 100Router(config-sampler-map)# exitRouter(config)# flow-sampler-map my_low_samplingRouter(config-sampler-map)# mode random one-out-of 1000Router(config-sampler-map)# exitAdditional References
The following sections provide references related to NetFlow input filters:
Related Documents
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
This section documents the following new and modified commands only.
New Commands
Modified Commands
debug flow-sampler
To enable debugging output for NetFlow sampler activity, use the debug flow-sampler command in privileged EXEC mode. To disable debugging output for NetFlow sampler activity, use the no form of this command.
debug flow-sampler {class-based | events | ipc | match}
no debug flow-sampler {class-based | events | ipc | match}
Syntax Description
Defaults
Debugging output for NetFlow sampler activity is disabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, you should use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, you should use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The following is sample output from the debug flow-sampler events command:
Router# debug flow-sampler eventsFlow sampler events debugging is onRouter# configure terminalRouter(config# no flow-sampler mysampler2Router(config)#5d00h: Flow: Sampler mysampler2 detached from FastEthernet0/15d00h: Flow: Sampler mysampler2 deletedThe following is sample output from the debug flow-sampler match command:
Router# debug flow-sampler matchFlow sampler match debugging is onRouter#4d23h: Flow: Packet matched sampler mysampler1 on interface FastEthernet0/0Router#4d23h: Flow: Packet matched sampler mysampler1 on interface FastEthernet0/0Router#4d23h: Flow: Packet matched sampler mysampler1 on interface FastEthernet0/0Router#4d23h: Flow: Packet matched sampler mysampler1 on interface FastEthernet0/0Table 1 describes the significant fields shown in the display.
Related Commands
netflow-sampler
To enable NetFlow accounting with input filter sampling, use the netflow-sampler command in QoS policy-map class configuration mode. To disable NetFlow accounting with input filter sampling, use the no form of this command.
netflow-sampler sampler-map-name
no netflow-sampler sampler-map-name
Syntax Description
Defaults
NetFlow accounting with input filter sampling is disabled.
Command Modes
QoS policy-map class configuration
Command History
12.3(4)T
This command was introduced.
12.2(27)SBC
This command was integrated into Cisco IOS Release 12.2(27)SBC.
Usage Guidelines
NetFlow accounting with input filter sampling cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or random sampled NetFlow on the same interface, or subinterface. In order to run NetFlow accounting with input filter sampling, you must first disable (ingress) NetFlow accounting, egress NetFlow accounting, or random sampled NetFlow.
You can assign only one NetFlow input filter sampler to a class. Assigning another NetFlow input filter sampler to a class overwrites the previous one.
Samplers, also known as filters, are based on classes, but they are enabled on interfaces. You assign a NetFlow input filters sampler to a class by using the netflow-sampler command in QoS policy-map class configuration. You the use the service-policy command to attach the policy map you defined to one or more interfaces.
Tip
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Examples
The following example shows how to enable NetFlow accounting with input filter sampling for one class of traffic (traffic with 10 as the first octet of the IP source address):
Router(config)# ip cefRouter(config)# flow-sampler-map network-10Router(config-sampler)# mode random one-out-of 100Router(config-sampler)# exitRouter(config)# class-map match-any network-10Router(config-cmap)# match access-group 100Router(config-cmap)# exitRouter(config)# policy-map network-10Router(config-pmap)# class network-10Router(config-pmap-c)# netflow-sampler network-10Router(config-pmap-c)# exitRouter(config-pmap)# exitRouter(config)# interface Ethernet0/0Router(config-if)# no ip route-cache flowRouter(config-if)# ip route-cache cefRouter(config-if)# interface ethernet 0/0.1Router(config-if)# service-policy input network-10Router(config-if)# exitRouter(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 anyThe following output from the show flow-sampler command verifies that the NetFlow accounting with input filter sampling is active:
Router# show flow-samplerSampler : network-10, id : 1, packets matched : 546, mode : random sampling modesampling interval is : 100The following output from the show ip cache verbose flow command shows that combination of the access-list 100 permit ip 10.0.0.0 0.255.255.255 any command and the match access-group 100 command has filtered out any traffic in which the source IP address does not have 10 as the first octet:
Router# show ip cache verbose flowIP packet size distribution (116 total packets):1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480.000 .155 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000512 544 576 1024 1536 2048 2560 3072 3584 4096 4608.000 .000 .000 .258 .586 .000 .000 .000 .000 .000 .000IP Flow Switching Cache, 278544 bytes7 active, 4089 inactive, 66 added3768 ager polls, 0 flow alloc failuresActive flows timeout in 1 minutesInactive flows timeout in 120 secondsIP Sub Flow Cache, 21640 bytes6 active, 1018 inactive, 130 added, 62 added to flow0 alloc failures, 0 force free1 chunk, 1 chunk addedlast clearing of statistics neverProtocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)-------- Flows /Sec /Flow /Pkt /Sec /Flow /FlowTCP-Telnet 6 0.0 1 940 0.0 8.8 51.6TCP-FTP 5 0.0 1 640 0.0 6.9 53.4TCP-SMTP 2 0.0 3 1040 0.0 41.7 18.5TCP-other 36 0.0 1 1105 0.0 18.8 41.5UDP-other 6 0.0 3 52 0.0 54.8 5.5ICMP 4 0.0 1 628 0.0 11.3 48.8Total: 59 0.0 1 853 0.1 20.7 39.6SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs PktsPort Msk AS Port Msk AS NextHop B/Pk ActiveEt0/0.1 10.10.10.3 Et1/0.1 172.16.10.3 06 80 00 10016 /0 0 0016 /0 0 0.0.0.0 840 0.0Sampler: 1 Class: 1Et0/0.1 10.10.10.3 Et1/0.1* 172.16.10.3 06 80 00 10016 /0 0 0016 /0 0 0.0.0.0 840 0.0Sampler: 1 Class: 1 FFlags: 01Et0/0.1 10.10.11.3 Et1/0.1 172.16.10.7 06 80 00 10041 /0 0 0041 /0 0 0.0.0.0 1140 0.0Sampler: 1 Class: 1Et0/0.1 10.10.11.1 Et1/0.1 172.16.10.5 06 80 00 30019 /0 0 0019 /0 0 0.0.0.0 1040 36.7Sampler: 1 Class: 1Et0/0.1 10.10.11.1 Et1/0.1* 172.16.10.5 06 80 00 10019 /0 0 0019 /0 0 0.0.0.0 1040 0.0Sampler: 1 Class: 1 FFlags: 01Et0/0.1 10.1.1.2 Et1/0.1 172.16.10.10 06 80 00 20041 /0 0 0041 /0 0 0.0.0.0 1140 37.8Sampler: 1 Class: 1Et0/0.1 10.10.10.1 Et1/0.1 172.16.10.1 01 80 10 10000 /0 0 0000 /0 0 0.0.0.0 628 0.0Sampler: 1 Class: 1Related Commands
Glossary
ACL—Access control list. A roster of users and groups of users kept by a router to control access to or from the router for a number of services.
BGP—Border Gateway Protocol. Interdomain routing protocol that replaces Exterior Border Gateway Protocol (EBGP). BGP exchanges reachability information with other BGP systems. It is defined by RFC 1163.
BGP next hop—IP address of the next hop to be used to reach a certain destination.
CEF—Cisco Express Forwarding. Layer 3 IP switching technology that optimizes network performance and scalability for networks with large and dynamic traffic patterns.
data flowset—Collection of one or more data records that are grouped together in an export packet.
data record—Provides information about an IP flow that exists on the device that produced an export packet. Each group of data records (meaning each data flowset) references a previously transmitted template ID, which can be used to parse the data within the records.
dCEF—Distributed Cisco Express Forwarding. Type of CEF switching in which line cards (such as VIP line cards) maintain an identical copy of the forwarding information base (FIB) and adjacency tables. The line cards perform the express forwarding between port adapters; this relieves the route/switch processor of involvement in the switching operation.
export packet—Type of packet built by a device (for example, a router) with NetFlow services enabled that is addressed to another device (for example, a NetFlow Collection Engine). The packet contains NetFlow statistics. The other device processes the packet (parses, aggregates, and stores information on IP flows).
fast switching—Cisco feature in which a route cache is used to expedite packet switching through a router.
flow—Unidirectional stream of packets between a given source and destination—both defined by a network-layer IP address and transport-layer source and destination port numbers.
flowset—Collection of flow records that follow the packet header in an export packet. A flowset contains information that must be parsed and interpreted by the NetFlow Collection Engine device. There are two different types of flowsets: template flowsets and data flowsets. An export packet contains one or more flowsets, and both template and data flowsets can be mixed in the same export packet.
MQC—Modular QoS CLI (command line interface). A CLI structure that lets you create traffic polices and attach them to interfaces. A traffic policy contains a traffic class and one or more QoS features. A traffic class is used to classify traffic, and the QoS features in the traffic policy determine how to treat the classified traffic.
NBAR—Network-Based Application Recognition. A classification engine in Cisco IOS software that recognizes a wide variety of applications, including Web-based applications and client/server applications that dynamically assign Transmission Control Protocol (TCP) or UDP port numbers. After the application is recognized, the network can invoke specific services for that application. NBAR is a key part of the Cisco Content Networking architecture and works with QoS features to let you use network bandwidth efficiently.
NetFlow—Cisco IOS acceleration and accounting feature that maintains per-flow information.
NetFlow Aggregation—A NetFlow feature that lets you summarize NetFlow export data on an IOS router before the data is exported to a NetFlow data collection system such as the NetFlow Collection Engine. This feature lowers bandwidth requirements for NetFlow export data and reduces platform requirements for NetFlow data collection devices.
NetFlow Collection Engine (formerly NetFlow FlowCollector)—Cisco application that is used with NetFlow on Cisco routers and Catalyst 5000 series switches. The NetFlow Collection Engine collects packets from the router that is running NetFlow and decodes, aggregates, and stores them. You can generate reports on various aggregations that can be set up on the NetFlow Collection Engine.
NetFlow sampler—NetFlow sampler map that has been applied to at least one physical interface or subinterface.
NetFlow sampler map—Defines a set of properties (such as the sampling rate) for NetFlow sampling.
NetFlow v9—NetFlow export format version 9. A flexible and extensible means to carry NetFlow records from a network node to a collector. NetFlow version 9 has definable record types and is self-describing for easier NetFlow Collection Engine configuration.
options data record—Special type of data record (which is based on an options template) with a reserved template ID that provides information about the NetFlow process itself.
options template—Type of template record used to communicate the format of data related to the NetFlow process.
packet header—First part of an export packet. It provides basic information about the packet (such as the NetFlow version, number of records contained in the packet, and sequence numbering) so that lost packets can be detected.
template flowset—Collection of one or more template records that are grouped in an export packet.
template ID—Unique number that distinguishes a template record from other template records produced by the same export device. A NetFlow Collection Engine application that receives export packets from several devices should be aware that uniqueness is not guaranteed across export devices. Thus, the NetFlow Collection Engine should also cache the address of the export device that produced the template ID in order to enforce uniqueness.
template record—Defines the format of subsequent data records that might be received in current or future export packets. A template record within an export packet does not necessarily indicate the format of data records within that same packet. A NetFlow Collection Engine application must cache any template records received and then parse any data records it encounters by locating the appropriate template record in the cache.
ToS—type of service byte. Second byte in the IP header that indicates the desired quality of service for a specific datagram.
Note
© 2003-2005 Cisco Systems, Inc. All rights reserved.
