Feedback
Table Of Contents
ip flow-cache mpls label-positions
ip flow-egress input-interface
ip multicast netflow rpf-failure
mode (flow sampler configuration)
show ip cache flow aggregation
show ip cache verbose flow aggregation
Cisco IOS NetFlow Commands
This book presents the Cisco IOS NetFlow commands.
Some commands found in previous releases of this book have been replaced. Older commands generally continue to provided the same functionality in the current release, but are no longer documented. Support for the older version of these commands may already be removed on your system, or may be removed in a future Cisco IOS software release.
Table 1 maps the old commands to their replacements.
Table 1 Cisco IOS NetFlow Old Commands and Replacement Commands
ip flow-export ip-address udp-port
ip flow-export destination ip-address udp-port
cache
To configure operational parameters for NetFlow accounting aggregation caches, use the cache command in NetFlow aggregation cache configuration mode. To disable the NetFlow aggregation cache operational parameters for NetFlow accounting, use the no form of this command.
cache {entries number | timeout {active minutes | inactive seconds}}
no cache {entries | timeout {active | inactive}}
Syntax Description
Defaults
The default for cache entries is 4096.
The default for active cache entries is 30 minutes.
The default for inactive cache entries is 15 seconds.Command Modes
NetFlow aggregation cache configuration
Command History
12.0(3)T
This command was introduced.
12.3(7)T
This command function was modified to support cache entries for IPv6.
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Examples
The following example shows how to set the NetFlow aggregation cache entry limits and timeout values for the NetFlow protocol-port aggregation cache:
Router(config)# ip flow-aggregation cache protocol-portRouter(config-flow-cache)# cache entries 2046Router(config-flow-cache)# cache timeout inactive 199Router(config-flow-cache)# cache timeout active 45Router(config-flow-cache)# enabledRelated Commands
cache-timeout
To specify the length of time for which the list of NetFlow top talkers (unaggregated top flows) is retained, use the cache-timeout command in NetFlow top talkers configuration mode. To return the timeout parameters for the list of top talkers to the default of 5 seconds, use the no form of this command.
cache-timeout milliseconds
no cache-timeout
Syntax Description
milliseconds
Length in milliseconds for which the list of top talkers is retained. The range is from 1 to 3,600,000 (1 millisecond to one hour). The default is 5000 (5 seconds).
Defaults
The default time for which the list of top talkers is retained is 5 seconds.
Command Modes
NetFlow top talkers configuration
Command History
Usage Guidelines
Configuring NetFlow top talkers
You must enable NetFlow on at least one interface in the router; and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands. Optionally, the match command can be configured to specify additional matching criteria.
Cache Timeout
The cache timeout starts after the list of top talkers is requested by entering the show ip flow top-talkers command or through the netflow MIB.
A long timeout period limits the system resources that are used by NetFlow top talkers. However, the list of top talkers is calculated only once during the timeout period. If a request to display the top talkers is made more than once during the timeout period, the same results are displayed for each request, and the list of top talkers is not recalculated until the timeout period expires.
A short timeout period ensures that the latest list of top talkers is retrieved; however too short a period can have undesired effects:
•
The list of top talkers is lost when the timeout period expires. You should configure a timeout period for at least as long as it takes the network management system (NMS) to retrieve all the required NetFlow top talkers.
•
A good method to ensure that the latest information is displayed, while also conserving system resources, is to configure a large value for the timeout period, but recalculate the list of top talkers by changing the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkers command to display the top talkers. Changing the parameters of the cache-timeout, top, or sort-by command causes the list of top talkers to be recalculated upon receipt of the next command line interface (CLI) or MIB request.
Examples
In the following example, the list of top talkers is configured to be retained for 2 seconds (2000 milliseconds). There is a maximum of 4 top talkers, and the sort criterion is configured to sort the list of top talkers by the total number of bytes in each top talker.
Router(config)# ip flow-top-talkersRouter(config-flow-top-talkers)# cache-timeout 2000Router(config-flow-top-talkers)# top 4Router(config-flow-top-talkers)# sort-by bytesThe following example shows the output of the show ip flow top talkers command using the configuration from the previous example:
Router# show ip flow top-talkersSrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP BytesEt0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349KEt0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349KEt0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328KEt0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K4 of 4 top talkers shown. 11 flows processedRelated Commands
clear ip flow stats
To clear the NetFlow accounting statistics, use the clear ip flow stats command in privileged EXEC mode.
clear ip flow stats
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
The show ip cache flow command displays the NetFlow accounting statistics. Use the clear ip flow stats command to clear the NetFlow accounting statistics.
Examples
The following example shows how to clear the NetFlow accounting statistics on the router:
Router# clear ip flow statsRelated Commands
enabled (aggregation cache)
To enable a NetFlow accounting aggregation cache, use the enabled command in NetFlow aggregation cache configuration mode. To disable a NetFlow accounting aggregation cache, use the no form of this command.
enabled
no enabled
Syntax Description
This command has no arguments or keywords.
Defaults
No aggregation cache is enabled.
Command Modes
NetFlow aggregation cache configuration
Command History
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Examples
The following example shows how to enable a NetFlow protocol-port aggregation cache:
Router(config)# ip flow-aggregation cache protocol-port
Router(config-flow-cache)# enabledThe following example shows how to disable a NetFlow protocol-port aggregation cache:
Router(config)# ip flow-aggregation cache protocol-port
Router(config-flow-cache)# no enabledRelated Commands
export
To enable the exporting of NetFlow accounting information from NetFlow aggregation caches, use the export command in NetFlow aggregation cache configuration mode. To disable the export of NetFlow accounting information from NetFlow aggregation caches, use the no form of this command.
export {destination ip-address | hostname} udp-port | version [8 | 9] | template [refresh-rate packets | timeout-rate minutes]}
no export {destination ip-address | hostname} udp-port | version | template [refresh-rate | timeout-rate]}
Syntax Description
Defaults
A NetFlow aggregation cache export destination is not set.
The default version format is Version 8.
The default for refresh-rate is 20 packets.
The default for timeout-rate is 30 minutes.Command Modes
NetFlow aggregation cache configuration
Command History
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
export destination
You can configure a maximum of two concurrent destinations per-cache using the destination keyword with the export command.
Determine the Appropriate Export Version for Your Requirements
NetFlow aggregation caches export data in UDP datagrams using either the Version 9 or Version 8 export format. Table 2 describe how to determine the most appropriate export format for your requirements.
NetFlow Version 9 Data Export Format Overview
The NetFlow Version 9 Export Format feature was introduced in Cisco IOS Release 12.0(24)S and was integrated into Cisco IOS Release 12.3(1) and Cisco IOS Release 12.2(18)S.
NetFlow Version 9 is a flexible and extensible means for transferring NetFlow records from a network node to a collector. NetFlow Version 9 has definable record types and is self-describing for easier NetFlow Collection Engine configuration.
Third-party business partners who produce applications that provide NetFlow Collection Engine or display services for NetFlow do not need to recompile their applications each time a new NetFlow technology is added. Instead, with the NetFlow v9 Export Format feature, they can use an external data file that documents the known template formats and field types.
NetFlow Version 9 has the following characteristics:
•
•
•
•
NetFlow Version 9 Template-Based Flow Record Format
The main feature of NetFlow Version 9 export format is that it is template based. A template describes a NetFlow record format and the attributes of the fields (such as type and length) within the record. The router assigns each template an ID, which is communicated to the NetFlow Collection Engine along with the template description. The template ID is used for all further communication from the router to the NetFlow Collection Engine.
NetFlow Version 9 Export Flow Records
The basic output of NetFlow is a flow record. In NetFlow Version 9 export format, a flow record follows the same sequence of fields that is found in the template definition. The template to which NetFlow flow records belong is determined by the prefixing of the template ID to the group of NetFlow flow records that belong to a template. For a complete discussion of existing NetFlow flow-record formats, see the NetFlow Services Solutions Guide.
NetFlow Version 9 Export Packet
In NetFlow Version 9, an export packet consists of the packet header and flowsets. The packet header identifies identifies the NetFlow Export version'. Flowsets are of two types: template flowsets and data flowsets. The template flowset describes the fields that will be in the data flowsets (or flow records). Each data flowset contains the values or statistics of one or more flows that have the same template ID. When the NetFlow Collection Engine receives a template flowset, it stores the flowset and export source address so that subsequent data flowsets that match the flowset ID and source combination are parsed according to the field definitions in the template flowset. Version 9 is supported by NetFlow Collection Engine Version 4.0.
For a complete description of the Version 9 packet headers, template flowsets, and data flowsets, see the Cisco IOS NetFlow Version 9 Flow-Record Format white paper.
NetFlow Version 8 Data Export Format Overview
The Version 8 data export format is the NetFlow export format used when the router-based NetFlow aggregation feature is enabled on Cisco IOS router platforms. The Version 8 format allows for export datagrams to contain a subset of the Version 5 export data that is based on the configured aggregation cache scheme. For example, a certain subset of the Version 5 export data is exported for the destination prefix aggregation scheme, and a different subset is exported for the source-prefix aggregation scheme.
The Version 8 export format was introduced in Cisco IOS 12.0(3)T for the Cisco IOS NetFlow Aggregation feature. An additional six aggregation schemes that also use Version 8 format were defined for the NetFlow ToS-Based Router Aggregation feature introduced in Cisco IOS 12.0(15)S and integrated into Cisco IOS Releases 12.2(4)T and 12.2(14)S.
The Version 8 datagram consists of a header with the version number (which is 8) and time stamp information, followed by one or more records corresponding to individual entries in the NetFlow cache.
Table 3 lists the NetFlow Version 8 export packet header field names and descriptions.
For version 8 data exports, the maximum number of aggregated flow records and the maximum size in bytes of each UDP datagram are shown in Table 4.
Examples
The following example shows how to configure two export destinations for a NetFlow accounting protocol-port aggregation cache scheme:
Router(config)# ip flow-aggregation cache protocol-portRouter(config-flow-cache)# export destination 10.41.41.1 9992Router(config-flow-cache)# export destination 172.16.89.1 9992Router(config-flow-cache)# enabled'The following example shows how to configure the Version 9 template refresh-rate and timeout-rate parameters for a NetFlow accounting protocol-port aggregation cache scheme:
Router(config)# ip flow-aggregation cache protocol-portRouter(config-flow-cache)# version 9Router(config-flow-cache)# export template refresh-rate 100Router(config-flow-cache)# export template timeout-rate 120Router(config-flow-cache)# enabledRelated Commands
flow-sampler
To apply a flow sampler map for random sampled NetFlow accounting to an interface, use the flow-sampler command in interface configuration mode. To remove a flow sampler map for random sampled NetFlow accounting from an interface, use the no form of this command.
flow-sampler sampler-map-name [egress]
no flow-sampler sampler-map-name [egress]
Syntax Description
sampler-map-name
Name of the flow sampler map to apply to the interface.
egress
(Optional) Specifies that the sampler map is to be applied to egress traffic.
Defaults
Flow sampler maps for NetFlow accounting are not applied to interfaces by default. If flow sampler maps for NetFlow accounting are applied to an interface, they are applied for ingress (incoming) traffic unless otherwise specified with the egress keyword.
Command Modes
Interface configuration
Subinterface configurationCommand History
12.3(2)T
This command was introduced.
12.0(26)S
This command was integrated into Cisco IOS Release 12.0(26)S.
12.3(11)T
NetFlow egress support was added.
Usage Guidelines
You must create and enable the random sampler NetFlow map for random sampled NetFlow accounting using the flow-sampler-map and mode commands before you can use the flow-sampler command to apply the random sampler NetFlow map to an interface.
Random sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface, or subinterface. You must disable (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the interface, or subinterface, if you want to enable random sampled NetFlow accounting on the interface, or subinterface.
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Tip
Tip
Examples
The following example shows how to create and enable a random sampler map for random sampled (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:
Router(config)# ip cefRouter(config)# flow-sampler-map my-mapRouter(config-sampler)# mode random one-out-of 100Router(config-sampler)# interface ethernet 0/0Router(config-if)# no ip route-cache flowRouter(config-if)# ip route-cache cefRouter(config-if)# flow-sampler my-mapThe following example shows how to create and enable a random sampler map for random sampled egress NetFlow accounting with CEF switching on Ethernet interface 1/0:
Router(config)# ip cefRouter(config)# flow-sampler-map my-mapRouter(config-sampler)# mode random one-out-of 100Router(config-sampler)# interface ethernet 1/0Router(config-if)# no ip flow egressRouter(config-if)# ip route-cache cefRouter(config-if)# flow-sampler my-map egressThe following output from the show flow-sampler command verifies that random sampled NetFlow accounting is active:
Router# show flow-samplerSampler : my-map, id : 1, packets matched : 7, mode : random sampling modesampling interval is : 100Related Commands
flow-sampler-map
To define a flow sampler map for random sampled NetFlow accounting, use the flow-sampler-map command in global configuration mode. To remove a flow sampler map for random sampled NetFlow accounting use the no form of this command.
flow-sampler-map sampler-map-name
no flow-sampler-map sampler-map-name
Syntax Description
sampler-map-name
Name of the flow sampler map to be defined for for random sampled NetFlow accounting.
Defaults
No Flow sampler maps for random sampled NetFlow accounting are defined.
Command Modes
Global configuration
Command History
12.3(2)T
This command was introduced.
12.0(26)S
This command was integrated into Cisco IOS Release 12.0(26)S.
Usage Guidelines
Random sampled NetFlow accounting does not start sampling traffic until (1) the random sampler map is activated through the use of the mode command and (2) the sampler map has been applied to an interface through the use of the flow-sampler command.
Random Sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface, or subinterface. You must disable (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the interface or subinterface, if you want to enable random sampled NetFlow accounting on that interface or subinterface.
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Tip
Tip
Examples
The following example shows how to create and enable a random sampler map for random sampled (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:
Router(config)# ip cefRouter(config)# flow-sampler-map my-mapRouter(config-sampler)# mode random one-out-of 100Router(config-sampler)# interface ethernet 0/0Router(config-if)# no ip route-cache flowRouter(config-if)# ip route-cache cefRouter(config-if)# flow-sampler my-mapThe following example shows how to create and enable a random sampler map for random sampled egress NetFlow accounting with CEF switching on Ethernet interface 1/0:
Router(config)# ip cefRouter(config)# flow-sampler-map my-mapRouter(config-sampler)# mode random one-out-of 100Router(config-sampler)# interface ethernet 1/0Router(config-if)# no ip flow egressRouter(config-if)# ip route-cache cefRouter(config-if)# flow-sampler my-map egressThe following output from the show flow-sampler command verifies that random sampled NetFlow accounting is active:
Router# show flow-samplerSampler : my-map, id : 1, packets matched : 7, mode : random sampling modesampling interval is : 100Related Commandssampling interval is : 100
ip flow egress
To enable egress NetFlow accounting for traffic that the router is forwarding, use the ip flow egress command in interface, or subinterface, configuration mode. To disable egress NetFlow accounting for traffic that the router is forwarding, use the no form of this command.
ip flow egress
no ip flow egress
Syntax Description
This command has no arguments or keywords.
Defaults
This command is not enabled by default.
Command Modes
Interface configuration
Subinterface configurationCommand History
Usage Guidelines
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Use this command on an interface or subinterface to enable NetFlow accounting for traffic that is being forwarded by the router.
Examples
The following example shows how to configure egress NetFlow accounting with CEF switching on Ethernet interface 0/0:
Router(config)# ip cefRouter(config)# interface Ethernet0/0Router(config-if)# ip route-cache cefRouter(config-if)# ip flow egressThe following example shows how to configure egress NetFlow accounting with dCEF on Ethernet interface 0/0:
Router(config)# ip cef distributedRouter(config)# interface Ethernet0/0Router(config-if)# ip route-cache cefRouter(config-if)# ip flow egressRelated Commands
ip flow ingress
To enable (ingress) NetFlow accounting for traffic arriving on an interface, use the ip flow ingress command in interface configuration mode. To disable NetFlow (ingress) accounting for traffic arriving on an interface, use the no form of this command.
ip flow ingress
no ip flow ingress
Syntax Description
This command has no arguments or keywords.
Defaults
This command is not enabled by default.
Command Modes
Interface configuration
Subinterface configurationCommand History
12.2(14)S
This command was introduced.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
Usage Guidelines
Use this command on an interface or subinterface to enable (ingress) NetFlow accounting for traffic that is being received by the router.
You must enable one of the high-speed switching methods on the interface before using this command:
•
•
•
Examples
The following example shows how to configure (ingress) NetFlow accounting with fast switching on Ethernet interface 0/0:
Router(config)# interface Ethernet0/0Router(config-if)# ip route-cacheRouter(config-if)# ip flow ingressThe following example shows how to configure (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:
Router(config)# ip cefRouter(config)# interface Ethernet0/0Router(config-if)# ip route-cache cefRouter(config-if)# ip flow ingressThe following example shows how to configure (ingress) NetFlow accounting with dCEF switching on Ethernet interface 0/0:
Router(config)# ip cef distributedRouter(config)# interface Ethernet0/0Router(config-if)# ip route-cache cefRouter(config-if)# ip flow ingressRelated Commands
ip flow-aggregation cache
To enable NetFlow accounting aggregation cache schemes, use the ip flow-aggregation cache command in global configuration mode. To disable NetFlow accounting aggregation cache schemes, use the no form of this command.
ip flow-aggregation cache {as | as-tos | bgp-nexthop-tos | destination-prefix | destination-prefix-tos | prefix | prefix-port | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos}
no ip flow-aggregation cache {as | as-tos | bgp-nexthop-tos | destination-prefix | destination-prefix-tos | prefix | prefix-port | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos}
Syntax Description
Defaults
This command is not enabled by default.
Command Modes
Global configuration
Command History
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command. The export destination command supports a maximum of two concurrent export destinations.
The ToS aggregation cache scheme keywords enable NetFlow accounting aggregation cache schemes that include the ToS byte in their export records. The ToS byte is an 8-bit field in the IP header. The ToS byte specifies the quality of service for a datagram during its transmission through the Internet.
You can enable only one aggregation cache configuration scheme per command line. The following rules apply to configuring source and destination masks.
•
•
•
To enable aggregation (whether or not an aggregation cache is fully configured), you must enter the enabled command in aggregation cache configuration mode. (You can use the no form of this command to disable aggregation. The cache configuration remains unchanged even if aggregation is disabled.)
Examples
The following example shows how to configure a NetFlow accounting autonomous system aggregation cache scheme:
Router(config)# ip flow-aggregation cache asRouter(config-flow-cache)# enabledThe following example shows how to configure a minimum prefix mask of 16 bits for the NetFlow accounting destination-prefix aggregation cache scheme:
Router(config)# ip flow-aggregation cache destination-prefixRouter(config-flow-cache)# mask destination minimum 16Router(config-flow-cache)# enabledThe following example shows how to configure a minimum prefix mask of 16 bits for the NetFlow accounting source-prefix aggregation cache scheme:
Router(config)# ip flow-aggregation cache source-prefixRouter(config-flow-cache)# mask source minimum 16Router(config-flow-cache)# enabledThe following example shows how to configure multiple export destinations for the NetFlow accounting autonomous system ToS aggregation cache scheme:
Router(config)# ip flow-aggregation cache as-tosRouter(config-flow-cache)# export destination 172.17.24.65 9991Router(config-flow-cache)# export destination 172.16.10.2 9991Router(config-flow-cache)# enabledRelated Commands
ip flow-cache entries
To change the number of entries maintained in the NetFlow accounting cache, use the ip flow-cache entries command in global configuration mode. To return to the default number of entries, use the no form of this command.
ip flow-cache entries number
no ip flow-cache entries
Syntax Description
number
Number of entries to maintain in the NetFlow cache. The valid range is from 1024 to 524288 entries. The default is 65536 (64K).
Defaults
65536 entries (64K)
Command Modes
Global configuration
Command History
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Normally the default size of the NetFlow cache will meet your needs. However, you can increase or decrease the number of entries maintained in the cache to meet the needs of your flow traffic rates. For environments with a high amount of flow traffic (such as an internet core router), a larger value such as 131072 (128K) is recommended. To obtain information on your flow traffic, use the show ip cache flow EXEC command.
The default is 64K flow cache entries. Each cache entry is approximately 64 bytes of storage. Assuming a cache with the default number of entries, approximately 4 MB of DRAM would be required. Each time a new flow is taken from the free flow queue, the number of free flows is checked. If only a few free flows remain, NetFlow attempts to age 30 flows using an accelerated timeout. If only one free flow remains, NetFlow automatically ages 30 flows regardless of their age. The intent is to ensure that free flow entries are always available.
Caution
Examples
The following example shows how to increase the number of NetFlow cache entries to 131,072 (128K):
Router(config)# ip flow-cache entries 131072%The change in number of entries will take effect after either the next reboot or when netflow is turned off on all interfaces
Tip
Related Commands
ip flow-cache mpls label-positions
To enable Multiprotocol Label Switching (MPLS)-aware NetFlow, use the ip flow-cache mpls label-positions command in global configuration mode. To disable MPLS-aware NetFlow, use the no form of this command.
ip flow-cache mpls label-positions [label-position-1 [label-position-2 [label-position-3]]] [no-ip-fields] [mpls-length]
no ip flow-cache mpls label-positions
Syntax Description
Defaults
MPLS-aware NetFlow is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Use this command to configure the MPLS-aware NetFlow feature on a label switch router (LSR) and to specify labels of interest in the incoming label stack. Label positions are counted from the top of the stack, starting with 1. The position of the top label is 1, the position of the second label is 2, and so forth.
With MPLS-aware NetFlow enabled on the router, NetFlow collects data for incoming IP packets as well as for incoming MPLS packets on all interfaces where NetFlow is enabled in full or in sampled mode.
Caution
Tip
Examples
The following example shows how to configure MPLS-aware NetFlow to capture the first (top), third, and fifth label:
Router(config)# ip flow-cache mpls label-positions 1 3 5The following example shows how to configure MPLS-aware NetFlow to capture only MPLS flow information (no IP-related flow fields) and the length that represents the sum of the MPLS packet payload length and the MPLS label stack length:
Router(config)# ip flow-cache mpls label-positions no-ip-fields mpls-lengthRelated Commands
ip flow-cache timeout
To specify NetFlow accounting flow cache parameters, use the ip flow-cache timeout command in global configuration mode. To disable the flow cache parameters, use the no form of this command.
ip flow-cache timeout [active minutes | inactive seconds]
no ip flow-cache timeout [active | inactive]
Syntax Description
Defaults
The default value for the number of minutes that an active flow remains in the cache before it times out is 30.
The default value for the number of seconds that an inactive flow remains in the cache before it times out is 15.
Command Modes
Global configuration
Command History
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Use this command to specify active and inactive timeout parameters.
A flow is considered to be active if packets belonging to the flow are detected wherever the NetFlow statistics are being collected. A flow is considered to be inactive if no further packets are detected for the flow at the collection point for NetFlow statistics.
Examples
In the following example, an active flow is allowed to remain in the cache for 20 minutes:
Router(config)# ip flow-cache timeout active 20In the following example, an inactive flow is allowed to remain in the cache for 10 seconds before it times out and is removed:
Router(config)# ip flow-cache timeout inactive 10Related Commands
ip flow-capture
To enable the capture of values from Layer 2 or additional Layer 3 fields in NetFlow traffic, use the ip flow-capture command in global configuration mode. To disable capturing Layer 2 or Layer 3 fields from NetFlow traffic, use the no form of this command.
ip flow-capture {icmp | ip-id | mac-addresses | packet-length | ttl | vlan-id}
no ip flow-capture {icmp | ip-id | mac-addresses | packet-length | ttl | vlan-id}
Syntax Description
Defaults
The ip flow-capture command is not enabled by default. You must select one of the keywords when you configure the ip flow-capture command.
Command Modes
Global configuration
Command History
Usage Guidelines
•
•
Note
Note
Note
ip flow-capture icmp
ICMP is used for several purposes. ''One of the most common is the ping command. ICMP echo requests are sent by a host to a destination to verify that the destination is reachable by IP. If the destination is reachable, it should respond by sending an ICMP echo reply. Refer to RFC 792 (http://www.ietf.org/rfc/rfc0792.txt) for more information on ICMP.
ICMP packets have been used in many types of attacks on networks. Two of the most common attacks are denial-of-service (DoS) attacks and the "ping of death" attack.
•
•
Finding out the types of ICMP traffic in your network can help you decide if your network is being attacked by ICMP packets.
The ip flow-capture icmp command captures the value of the ICMP type field and the ICMP code field from the first ICMP packet detected in a flow.
ip flow-capture ip-id
It is possible for a host to receive IP datagrams from two or more senders concurrently. It is also possible for a host to receive multiple IP datagrams from the same host for different applications concurrently. For example, a server might be transferring email and HTTP traffic from the same host concurrently. When a host is receiving multiple IP datagrams concurrently it must be able to identify the fragments from each of the incoming datagrams to ensure that they do not get mixed up during the datagram reassembly process. The receiving host uses the IP header identification field and the source IP address of the IP datagram fragment to ensure that it rebuilds the IP datagrams correctly.
The ip flow-capture ip-id command captures the value of the IP header identification field from the first packet in the flow. The value in the IP header identification field is a sequence number assigned by the host that originally transmitted the IP datagram. All of the fragments of an IP datagram have the same identifier value. This ensures that the destination host can match the IP datagram to the fragment during the IP datagram reassembly process. The sending host is responsible for ensuring that each subsequent IP datagram it sends to the same destination host has a unique value for the IP header identification field.
If you are seeing several flows with the same value for the IP header identification field, it is possible that your network is being attacked by a host that is sending the same IP packets over and over.
ip flow-capture packet-length
The value in the packet length field in an IP datagram indicates the length of the IP datagram, excluding the IP header.
Use the ip flow-capture packet-length command to capture the value of the IP header packet length field for packets in the flow. The ip flow-capture packet-length command keeps track of the minimum and maximum values captured from the flow. The minimum and maximum packet length values are stored in separate fields. This data is updated when a packet with a packet length that is lower or higher than the currently stored value is received. For example if the currently stored value for the minimum packet length is 1024 bytes and the next packet received has a packet length of 512 bytes, the 1024 is replaced with 512.
If you are seeing several IP datagrams in the flow with the same value for the packet-length field, it is possible that your network is being attacked by a host that is constantly sending the same IP packets over-and-over.
ip flow-capture ttl
The TTL field is used to prevent the indefinite forwarding of IP datagrams. The TTL field contains a counter value set by the source host. Each router that processes this datagram decreases the TTL value by 1. When the TTL value reaches 0, the datagram is discarded.
There are two scenarios where an IP packet without a TTL field could live indefinitely in a network:
•
•
The ip flow-capture ttl command keeps track of the TTL values captured from packets in the flow. The minimum and maximum TTL values are stored in separate fields. This data is updated when a packet with a TTL that is lower or higher than the currently stored value is received. For example if the currently stored value for the minimum TTL is 64 and the next packet received has a TTL of 12, the 64 is replaced by 12.
If you are seeing several flows with the same value for the TTL, it is possible that your network is being attacked by a host that is constantly sending the same IP packets over and over. Under normal circumstances, flows come from many sources, each a different distance away. Therefore you should see a variety of TTLs across all the flows that NetFlow is capturing.
ip flow-capture mac-addresses
The ip flow-capture mac-addresses command captures the incoming source mac-address and the outgoing destination mac-address from the first Layer 2 frame in the flow. If you discover that your network is being attacked by Layer 3 traffic, you can use these addresses to identify the device that is transmitting the traffic that is being received by the router and the next hop or final destination device to which the router is forwarding the traffic.
Note
ip flow-capture vlan-id
A VLAN is a broadcast domain within a switched network. A broadcast domain is defined by the network boundaries within which a network propagates a broadcast frame generated by a station. Some switches can be configured to support single or multiple VLANs. Whenever a switch supports multiple VLANs, broadcasts within one VLAN never appear in another VLAN.
Each VLAN is also a separate Layer 3 network. A router or a multilayer switch must be be used to interconnect the Layer 3 networks that are assigned to the VLANs. For example, in order for a device on VLAN 2 with an IP address of 172.16.0.76 to communicate with a device on VLAN 3 with an IP address of 172.17.0.34, the two devices must use a router as an intermediary device, because they are on different Class B IP networks. This is typically accomplished by connecting a switch to a router and configuring the link between them as a VLAN trunk. In order for the link to be used as a VLAN trunk, the interfaces on the router and the switch must be configured for the same VLAN encapsulation type.
Note
When a router or a switch needs to send traffic on a VLAN trunk, it must either tag the frames using the IEEE 802.1q protocol or encapsulate the frames using the Cisco Inter-Switch Link (ISL) protocol. The VLAN tag or encapsulation header must contain the correct VLAN ID to ensure that the device receiving the frames can process them properly. The device that receives the VLAN traffic examines the VLAN ID from each frame to find out how it should process the frame. For example, when a switch receives an IP broadcast datagram such as an Address Resolution Protocol (ARP) datagram with an 802.1q tagged VLAN ID of 6 from a router, it forwards the datagram to every interface that is assigned to VLAN 6 and any interfaces that are configured as VLAN trunks.
The ip flow-capture vlan-id command captures the VLAN ID number from the first frame in the flow it receives that has an 802.1q tag or that is encapsulated with ISL. When the received traffic in the flow is transmitted over an interface that is configured with either 802.1q or ISL trunking, the ip flow-capture vlan-id command captures the destination VLAN ID number from the 802.1q or ISL VLAN header from the first frame in the flow.
Note
Your router configuration must meet the following criteria before NetFlow can capture the value in the VLAN-ID field:
•
•
•
If you discover that your network is being attacked by Layer 3 traffic, you can use the VLAN-ID information to help you find out which VLAN the device that is sending the traffic is on. The information can also help you identify the VLAN to which the router is forwarding the traffic.
Examples
•
•
ip flow-capture icmp
The following example shows how to configure NetFlow to capture the value of the ICMP Type field and the value of the Code field from the IP datagrams in the flow:
Router(config)# ip flow-capture icmpip flow-capture ip-id
The following example shows how to configure NetFlow to capture the value of the IP-ID field from the IP datagrams in the flow:
Router(config)# ip flow-capture ip-idip flow-capture packet-length
The following example shows how to configure NetFlow to capture the value of the packet length field from the IP datagrams in the flow:
Router(config)# ip flow-capture packet-lengthip flow-capture ttl
The following example shows how to configure NetFlow to capture the TTL field from the IP datagrams in the flow:
Router(config)# ip flow-capture ttlip flow-capture mac-addresses
The following example shows how to configure NetFlow to capture the MAC addresses from the IP datagrams in the flow:
Router(config)# ip flow-capture mac-addressesip flow-capture vlan-id
The following example shows how to configure NetFlow to capture the vlan-id from the IP datagrams in the flow:
Router(config)# ip flow-capture vlan-idRelated Commands
ip flow-egress input-interface
To remove the NetFlow egress accounting flow key that specifies an output interface and to add a flow key that specifies an input interface for NetFlow egress accounting, use the ip flow-egress input-interface command in global configuration mode. To change the flow key back from an input interface to an output interface for NetFlow egress statistics, use the no form of this command.
ip flow-egress input-interface
no ip flow-egress input-interface
Syntax Description
This command has no arguments or keywords.
Defaults
By default NetFlow egress statistics use the output interface as part of the flow key.
Command Modes
Global configuration
Command History
Usage Guidelines
You must have NetFlow egress accounting configured on your router before you can use this command.
When the NetFlow Egress Support feature is configured, by default it uses the output interface as part of the flow key. The ip flow-egress input-interface command changes the key for egress flows so that the ingress interface is used instead of the output interface. This command is used to create a new flow for each input interface.
Examples
In the following example the key for NetFlow reporting of egress traffic is changed from the output interface to the input interface:
Router(config)# ip flow-egress input-interfaceRelated Commands
ip flow-export
To enable the export of NetFlow accounting information in NetFlow cache entries, use the ip flow-export command in global configuration mode. To disable the export of information, use the no form of this command.
ip flow-export {destination {{ip-address | hostname} udp-port} | source interface-type interface-number | version {1 | [[5 | 9] [origin-as | peer-as] bgp-nexthop]} | [template {[refresh-rate packets | timeout-rate minutes] | options {export-stats | [refresh-rate packets | timeout-rate minutes}]}
no ip flow-export {destination {{ip-address | hostname} udp-port} | source | version | [template {[refresh-rate | timeout-rate] | options {export-stats | refresh-rate | sampler | timeout-rate}]}
Syntax Description
Defaults
Export of NetFlow information is disabled. When the export of NetFlow information is enabled, the best source IP address for NetFlow datagrams is picked automatically. The NetFlow Version 1 export format is used. Neither AS nor BGP next hop information is exported. No additional templates or options are exported. When Version 9 export is enabled, templates and options are resent after every 20 export packets or after 30 minutes, whichever is sooner.
Command Modes
Global configuration
Command History
Usage Guidelines
•
•
ip flow-export destination.
When NetFlow accounting is enabled you can use the ip flow-export destination command to configure the router to export the flow cache entries to a destination system (such as a system running CNS NFC Engine. NetFlow exports the flow cache entries to the destination system when the flows in the cache expire. You can use this command to supply data for applications such as statistical analysis, billing, and security.
The ip flow-export destination command can support a maximum of two destination ip-address and udp-port combinations. The most common usage of the multiple-destination feature is to send the NetFlow cache entries to two different destinations for redundancy. Therefore, in most cases the second destination IP address is not the same as the first IP address. The udp-port numbers can be the same when you are configuring two unique destination IP addresses. If you want to configure both instances of the command to use the same destination IP address, you must use unique udp-port numbers. You receive a warning message when you configure the two instances of the command with the same IP address. The warning message is %Warning: Second destination address is the same as previous address <ip-address>.
ip flow-export version
The ip flow-export version command supports three export data formats: Version 1, Version 5, and Version 9. Version 1 should be used only when it is the only NetFlow data export format version that is supported by the application that you are using to analyze the exported NetFlow data. Version 5 exports more fields than Version 1. Version 9 is the only flexible export format version.
The NetFlow bgp-nexthop command can be configured when either the Version 5 export format (ip flow-export version 5 bgp-nexthop) or the Version 9 export format (ip flow-export version 9 bgp-nexthop) is configured.
The following caveats apply to the bgp-nexthop command:
•
•
Note
Caution
ip flow-export source
After you configure NetFlow data export, use the ip flow-export source interface command to specify the interface that NetFlow will use to obtain the source IP address for the NetFlow datagrams that it sends to destination systems, such as a system running CNS NFC Engine. This overrides the default behavior (using the IP address of the interface that the datagram is transmitted over as the source IP address for the NetFlow datagrams).
Some of the benefits of using a consistent IP source address for the datagrams that NetFlow sends are:
•
•
•
ip flow-export template options export-stats
The ip flow-export template options export-stats command enables you to export statistics for the total number of exported flows and the total number of exported packets.
Note
ip flow-export template options sampler
The configuring of Version 9 export enables you to export an options record containing a random-sampler configuration, including the sampler ID, sampling mode, and sampling interval for each configured random sampler.
Note
Note
NetFlow Data Export of Template Options
The ip flow-export options refresh-rate command enables you to configure how frequently the export-stats and/or sampler options records are sent
Note
Examples
•
ip flow-export destination
The following example shows how to configure the networking device to export the NetFlow cache entry to a single export destination system:
Router(config)# ip flow-export destination 10.42.42.1 9991The following example shows how to configure the networking device to export the NetFlow cache entry to multiple destination systems:
Router(config)# ip flow-export destination 10.42.42.1 9991Router(config)# ip flow-export destination 10.0.101.254 9991The following example shows how to configure the networking device to export the NetFlow cache entry to two different UDP ports on the same destination system:
Router(config)# ip flow-export destination 10.42.42.1 9991Router(config)# ip flow-export destination 10.42.42.1 9992%Warning: Second destination address is the same as previous address 10.42.42.1ip flow-export source
The following example shows how to configure NetFlow to use a loopback interface as the source interface for NetFlow traffic.
Caution
Router(config)# ip flow-export source loopback0ip flow-export version
The following example shows how to configure the networking device to use the NetFlow Version 9 format for the exported data and how to include the originating autonomous-system (origin-as) with its corresponding next BGP hop (bgp-nexthop):
Router(config)# ip flow-export version 9 origin-as bgp-nexthopip flow-export template options export-stats
The following example shows how to configure NetFlow to export the statistics for the total number of exported flows and the total number of exported packets:
Router(config)# ip flow-export template options export-statsip flow-export template
The following example shows how to configure NetFlow so that the networking device sends the export statistics (total flows and packets exported) as options data:
Router(config)# ip flow-export template refresh-rate 100Router(config)# ip flow-export template timeout-rate 60The following example shows how to configure NetFlow so that the export statistics include the total number of flows exported and the total number of packets exported:
Router(config)# ip flow-export template option export-statsThe following example shows how to configure NetFlow to enable the export of information about NetFlow random samplers:
Router(config)# ip flow-export template option sampler
Tip
Related Commands
ip flow-export destination
The destination keyword for the ip flow-export command is no longer documented as a separate command.
The information for using the destination keyword for the ip flow-export command has been incorporated into the ip flow-export command documentation. See the ip flow-export command documentation for more information.
ip flow-export source
The source keyword for the ip flow-export command is no longer documented as a separate command.
The information for using the source keyword for the ip flow-export command has been incorporated into the ip flow-export command documentation. See the ip flow-export command documentation for more information.
ip flow-top-talkers
To configure NetFlow top talkers to capture traffic statistics for the unaggregated top flows of the heaviest traffic patterns and most-used applications in the network, use the ip flow-top-talkers command in global configuration mode. To disable NetFlow top talkers, use the no form of this command.
ip flow-top-talkers
no ip flow-top-talkers
Tip
Syntax Description
This command has no arguments or keywords.
Defaults
NetFlow top talkers is disabled by default.
Command Modes
Global configuration
Command History
Usage Guidelines
Enabling NetFlow
You must enable NetFlow on at least one interface in the router; and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands. Optionally, the match command can be configured to specify additional matching criteria.
Cache Timeout
The timeout period as specified by the cache-timeout command does not start until the show ip flow top-talkers command is entered. From that time, the same top talkers are displayed until the timeout period expires. To recalculate a new list of top talkers before the timeout period expires, you can change the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkers command.
A long timeout period for the cache-timeout command limits the system resources that are used by the NetFlow top talkers feature. However, the list of top talkers is calculated only once during the timeout period. If a request to display the top talkers is made more than once during the timeout period, the same results are displayed for each request, and the list of top talkers is not recalculated until the timeout period expires.
A short timeout period ensures that the latest list of top talkers is retrieved; however too short a period can have undesired effects:
•
•
A good method to ensure that the latest information is displayed, while also conserving system resources, is to configure a large value for the timeout period, but cause the list of top talkers to be recalculated by changing the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkers command to display the top talkers. Changing the parameters of the cache-timeout, top, or sort-by command causes the list of top talkers to be recalculated upon receipt of the next command line interface (CLI) or MIB request.
Use the show ip flow top-talkers command to display the list of unaggregated top flows.
Examples
In the following example, a maximum of four top talkers is configured. The sort criterion is configured to sort the list of top talkers by the total number of bytes for each Top Talker.
Router(config)# ip flow-top-talkersRouter(config-flow-top-talkers)# top 4Router(config-flow-top-talkers)# sort-by bytesThe following example shows the output of the show ip flow top talkers command with the configuration from the previous example:
Router# show ip flow top-talkersSrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP BytesEt0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349KEt0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349KEt0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328KEt0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K4 of 4 top talkers shown. 11 flows processedRelated Commands
ip multicast netflow
To configure multicast NetFlow accounting on an interface, use the ip multicast netflow command in interface configuration mode. To disable multicast NetFlow accounting, use the no form of this command.
ip multicast netflow {ingress | egress}
no ip multicast netflow {ingress | egress}
Syntax Description
ingress
Enables multicast NetFlow (ingress) accounting.
egress
Enables multicast NetFlow (ingress) accounting.
Defaults
Multicast ingress NetFlow accounting is enabled.
Multicast egress NetFlow accounting is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
ip multicast netflow ingress
NetFlow (ingress) accounting for multicast traffic is enabled by default. The ip multicast netflow ingress command does not appear in the configuration.
ip multicast netflow egress
You must enable multicast egress NetFlow accounting on all interfaces for which you want to count outgoing multicast streams.
Examples
The following example shows how to enable multicast ingress NetFlow accounting on the ingress Ethernet 1/0 interface:
Router(config)# interface ethernet 1/0Router(config-if)# ip multicast netflow ingressThe following example shows how to enable multicast egress NetFlow accounting on the egress Ethernet interface 0/0:
Router(config)# interface ethernet 0/0Router(config-if)# ip multicast netflow egressRelated Commands
ip multicast netflow egress
The egress keyword for the ip multicast netflow command is no longer documented as a separate command.
The information for using the egress keyword for the ip multicast netflow command has been incorporated into the ip multicast netflow command documentation. See the ip multicast netflow command documentation for more information.
ip multicast netflow ingress
The ingress keyword for the ip multicast netflow command is no longer documented as a separate command.
The information for using the ingress keyword for the ip multicast netflow command has been incorporated into the ip multicast netflow command documentation. See the ip multicast netflow command documentation for more information.
ip multicast netflow rpf-failure
To enable NetFlow accounting for multicast data that fails the reverse path forwarding (RPF) check (meaning any IP packets that lack a verifiable IP source address), use the ip multicast netflow rpf-failure command in global configuration mode. To disable accounting for multicast data that fails the RPF check, use the no form of this command.
ip multicast netflow rpf-failure
no ip multicast netflow rpf-failure
Syntax Description
This command has no arguments or keywords.
Defaults
Accounting for multicast data that fails the RPF check is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Examples
The following example shows how to enable accounting for multicast data that fails the RPF check:
Router# configure terminalRouter(config)# ip multicast netflow rpf-failureRouter(config)# endRelated Commands
ip route-cache flow
To enable NetFlow (ingress) accounting for traffic arriving on an interface, use the ip route-cache flow command in interface configuration mode. To disable NetFlow (ingress) accounting for traffic arriving on an interface, use the no form of this command in interface configuration mode.
ip route-cache flow
no route-cache flow
Syntax Description
This command has no arguments or keywords.
Defaults
This command is not enabled by default.
Command Modes
Interface configuration
Subinterface configurationCommand History
Usage Guidelines
Use this command on an interface or subinterface to enable NetFlow (ingress) accounting for traffic that is being received by the router.
Examples
The following example shows how to configure NetFlow (ingress) accounting on Ethernet interface 0/0 using the ip route-cache flow command:
Router(config)# interface Ethernet0/0Router(config-if)# ip route-cache flowRelated Commands
mask (IPv4)
To specify the source or destination prefix mask for a NetFlow accounting prefix aggregation cache, use the mask command in aggregation cache configuration mode. To disable the source or destination mask, use the no form of this command.
mask {[destination | source] minimum value}
no mask {[destination | source] minimum value}
Syntax Description
Defaults
The default value of the minimum source or destination mask is 0.
Command Modes
NetFlow aggregation cache configuration
Command History
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
The NetFlow accounting minimum prefix mask allows you to set a minimum mask size for the traffic that will be added to the NetFlow aggregation cache. The source or destination IP address (depending on the type of aggregation cache that you are configuring) is ANDed with the larger of the two masks (the mask that you enter with the mask command and the mask in the IP routing table) to determine if the traffic should be added to the aggregation cache that you are configuring.
To enable the minimum prefix mask for a particular aggregation cache, configure the desired minimum mask value using the NetFlow aggregation cache commands. The minimum mask value in the range of 1-32 is used by the router defines the granularity of the NetFlow data that is collected:
•
•
Specifying the minimum value for the source or destination mask of a NetFlow accounting aggregation cache is permitted only for the following NetFlow aggregation cache types:
•
•
•
•
•
•
•
Examples
mask source
The following example shows how to configure the source-prefix aggregation cache:
Router(config)# ip flow-aggregation cache source-prefixRouter(config-flow-cache)# enableThe following output from the show ip cache flow aggregation source-prefix command shows that, with no minimum mask configured, nine flows are included in the NetFlow source prefix aggregation cache:
Router# show ip cache flow aggregation source-prefixIP Flow Switching Cache, 278544 bytes9 active, 4087 inactive, 18 added950 ager polls, 0 flow alloc failuresActive flows timeout in 30 minutesInactive flows timeout in 15 secondsIP Sub Flow Cache, 21640 bytes9 active, 1015 inactive, 18 added, 18 added to flow0 alloc failures, 0 force free1 chunk, 1 chunk addedSrc If Src Prefix Msk AS Flows Pkts B/Pk ActiveEt0/0.1 10.10.10.0 /24 0 4 668 762 179.9Et0/0.1 10.10.10.0 /24 0 4 668 762 180.8Et0/0.1 10.10.11.0 /24 0 4 668 1115 180.9Et0/0.1 10.10.11.0 /24 0 4 668 1115 181.9Et0/0.1 10.1.0.0 /16 0 4 668 1140 179.9Et0/0.1 10.1.0.0 /16 0 4 668 1140 179.9Et0/0.1 172.16.6.0 /24 0 1 6 52 138.4Et0/0.1 172.16.1.0 /24 0 8 1338 1140 182.1Et0/0.1 172.16.1.0 /24 0 8 1339 1140 181.0Router#The following example shows how to configure the source-prefix aggregation cache using a minimum source mask of 8:
Router(config)# ip flow-aggregation cache source-prefixRouter(config-flow-cache)# mask source minimum 8Router(config-flow-cache)# enableThe following output from the show ip cache flow aggregation source-prefix command shows that with a minimum mask of 8 configured, only five flows from the same traffic used in the previous example are included in the NetFlow source prefix aggregation cache:
Router# show ip cache flow aggregation source-prefixIP Flow Switching Cache, 278544 bytes5 active, 4091 inactive, 41 added3021 ager polls, 0 flow alloc failuresActive flows timeout in 30 minutesInactive flows timeout in 15 secondsIP Sub Flow Cache, 21640 bytes5 active, 1019 inactive, 59 added, 59 added to flow0 alloc failures, 0 force free1 chunk, 7 chunks addedMinimum source mask is configured to /8Src If Src Prefix Msk AS Flows Pkts B/Pk ActiveEt0/0.1 10.0.0.0 /8 0 12 681 1007 64.8Et0/0.1 172.16.6.0 /24 0 1 3 52 56.1Et0/0.1 10.0.0.0 /8 0 12 683 1006 64.8Et0/0.1 172.16.1.0 /24 0 8 450 1140 61.8Et0/0.1 172.16.1.0 /24 0 8 448 1140 61.5Router#mask destination
The following example shows how to configure the destination-prefix aggregation cache:
Router(config)# ip flow-aggregation cache destination-prefixRouter(config-flow-cache)# enableThe following output from the show ip cache flow aggregation destination-prefix command shows that, with no minimum mask configured, only two flows are included in the NetFlow source prefix aggregation cache:
Router# show ip cache flow aggregation destination-prefixIP Flow Switching Cache, 278544 bytes3 active, 4093 inactive, 3 added4841 ager polls, 0 flow alloc failuresActive flows timeout in 30 minutesInactive flows timeout in 15 secondsIP Sub Flow Cache, 21640 bytes3 active, 1021 inactive, 9 added, 9 added to flow0 alloc failures, 0 force free1 chunk, 1 chunk addedDst If Dst Prefix Msk AS Flows Pkts B/Pk ActiveEt1/0.1 172.16.10.0 /24 0 120 6737 1059 371.0Et1/0.1 172.16.10.0 /24 0 120 6739 1059 370.9The following example shows how to configure the destination-prefix aggregation cache using a minimum source mask of 32:
Router(config)# ip flow-aggregation cache destination-prefixRouter(config-flow-cache)# mask source minimum 32Router(config-flow-cache)# enableThe following output from the show ip cache flow aggregation destination-prefix command shows that, with a minimum mask of 32 configured, 20 flows from the same traffic used in the previous example are included in the NetFlow source prefix aggregation cache:
Router# show ip cache flow aggregation destination-prefixIP Flow Switching Cache, 278544 bytes20 active, 4076 inactive, 23 added4984 ager polls, 0 flow alloc failuresActive flows timeout in 30 minutesInactive flows timeout in 15 secondsIP Sub Flow Cache, 21640 bytes20 active, 1004 inactive, 29 added, 29 added to flow0 alloc failures, 0 force free1 chunk, 2 chunks addedMinimum destination mask is configured to /32Dst If Dst Prefix Msk AS Flows Pkts B/Pk ActiveEt1/0.1 172.16.10.12 /32 0 1 57 1140 60.6Et1/0.1 172.16.10.12 /32 0 1 57 1140 60.6Et1/0.1 172.16.10.14 /32 0 1 57 1140 60.6Et1/0.1 172.16.10.9 /32 0 1 57 1140 60.6Et1/0.1 172.16.10.11 /32 0 1 57 1140 60.6Et1/0.1 172.16.10.10 /32 0 1 57 1140 60.6Et1/0.1 172.16.10.11 /32 0 1 57 1140 60.6Et1/0.1 172.16.10.10 /32 0 1 57 1140 60.6Et1/0.1 172.16.10.5 /32 0 1 56 1040 59.5Et1/0.1 172.16.10.4 /32 0 1 56 940 59.5Et1/0.1 172.16.10.4 /32 0 1 56 940 59.5Et1/0.1 172.16.10.7 /32 0 1 57 1140 60.6Et1/0.1 172.16.10.7 /32 0 1 57 1140 60.6Et1/0.1 172.16.10.1 /32 0 1 56 628 59.5Et1/0.1 172.16.10.2 /32 0 1 56 640 59.5Et1/0.1 172.16.10.17 /32 0 1 56 1140 59.5Et1/0.1 172.16.10.17 /32 0 1 56 1140 59.5Et1/0.1 172.16.10.18 /32 0 1 56 1140 59.5Et1/0.1 172.16.10.19 /32 0 1 56 1140 59.5Et1/0.1 172.16.10.18 /32 0 1 56 1140 59.5Related Commands
mask destination
The destination keyword for the mask command is no longer documented as a separate command.
The information for using the destination keyword for the mask command has been incorporated into the mask (IPv4) command documentation. See the mask (IPv4) command documentation for more information.
mask source
The source keyword for the mask command is no longer documented as a separate command.
The information for using the source keyword for the mask command has been incorporated into the mask (IPv4) command documentation. See the mask (IPv4) command documentation for more information.
match (NetFlow)
To specify match criteria for the NetFlow top talkers (unaggregated top flows), use the match command in NetFlow top talkers configuration mode. To remove match criteria for NetFlow top talkers, use the no form of this command.
match {[byte-range [max-byte-number min-byte-number | max max-byte-number | min min-byte-number] | class-map map-name | destination [address ip-address [mask | /nn] | as as-number | port [max-port-number min-port-number | max max-port-number | min min-port-number] | direction [ingress | egress] | flow-sampler flow-sampler-name | input-interface interface-type interface-number | nexthop-address ip-address [mask | /nn] | output-interface interface-type interface-number | packet-range [max-packets min-packets | max max-packets | min min-packets] | protocol [protocol-number | udp | tcp] | source [address ip-address [mask | /nn] | as as-number | port max-port-number min-port-number | max max-port-number | min min-port-number] | tos [tos-byte | dscp dscp | precedence precedence]
no match {byte-range | class-map | destination [address | as | port] | direction | flow-sampler | input-interface | nexthop-address | output-interface | packet-range | protocol | source [address | as | port] | tos}
Syntax Description
Defaults
No matching criteria are specified by default. All top talkers are displayed.
Command Modes
NetFlow top talkers configuration
Command History
Usage Guidelines
Configuring NetFlow top talkers
You must enable NetFlow on at least one interface in the router; and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands.
Specifying Match Criteria
Use this command to specify match criteria for NetFlow top talkers. Using matching criteria is useful to restrict the list of top talkers.
If you are using a MIB and using simple network management protocol (SNMP) commands to configure this feature, refer to Table 5 for a mapping of the command-line interface (CLI) commands to the MIB SNMP commands:
Table 5 Router CLI Commands and Equivalent SNMP Commands
match source address [ip-address] [mask | /nn]
cnfTopFlowsMatchSrcAddress ip-address
cnfTopFlowsMatchSrcAddressType type1
cnfTopFlowsMatchSrcAddressMask mask
match destination address [ip-address] [mask | /nn]
cnfTopFlowsMatchDstAddress ip-address
cnfTopFlowsMatchDstAddressType type1
cnfTopFlowsMatchDstAddressMask mask
match nexthop address] [ip-address] [mask | /nn]]
cnfTopFlowsMatchNhAddress ip-address
cnfTopFlowsMatchNhAddressType type1
cnfTopFlowsMatchNhAddressMask mask
match source port min port
cnfTopFlowsMatchSrcPortLo port
match source port max port
cnfTopFlowsMatchSrcPortHi port
match destination port min port
cnfTopFlowsMatchDstPortLo port
match destination port max port
cnfTopFlowsMatchDstPortHi port
match source as as-number
cnfTopFlowsMatchSrcAS as-number
match destination as as-number
cnfTopFlowsMatchDstAS as-number
match input-interface interface
cnfTopFlowsMatchInputIf interface
match output-interface interface
cnfTopFlowsMatchOutputIf interface
match tos [tos-value | dscp dscp-value | precedence precedence-value]
cnfTopFlowsMatchTOSByte tos-value2
match protocol [protocol-number | tcp | udp]
cnfTopFlowsMatchProtocol protocol-number
match flow-sampler flow-sampler-name
cnfTopFlowsMatchSampler flow-sampler-name
match class-map class
cnfTopFlowsMatchClass class
match packet-range min minimum-range
cnfTopFlowsMatchMinPackets minimum-range
match packet-range max maximum-range
cnfTopFlowsMatchMaxPackets maximum-range
match byte-range min minimum-range
cnfTopFlowsMatchMinBytes minimum-range
match byte-range max maximum-range
cnfTopFlowsMatchMaxPackets maximum-range
direction [ingress | egress]
cnfTopFlowsMatchDirection [flowDirNone(0) | flowDirIngress(1) | flowDirEgress(2)]
1 The only IP version type that is currently supported is IPv4 (type 1).
2 The tos-value argument consists of 6 bits for DSCP, 3 bits for precedence, and 8 bits (one byte) for ToS.
Examples
The following example shows how you enter NetFlow top talkers configuration mode and specify that the top talkers are to contain the following characteristics:
•
Router(config)# ip flow-top-talkersRouter(config-flow-top-talkers)# match source address 10.10.0.0/16Router(config-flow-top-talkers)# top 4Router(config-flow-top-talkers)# sort-by bytesThe following example shows the output of the show ip flow top talkers command when the configuration from the previous example is used:
Router# show ip flow top-talkersSrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP BytesEt2/0 10.10.11.3 Et1/0.1 172.16.10.7 06 0041 0041 30KEt0/0.1 10.10.11.4 Et1/0.1 172.16.10.8 06 0041 0041 30KEt3/0 10.10.11.2 Et1/0.1 172.16.10.6 06 0041 0041 29KEt3/0 10.10.18.1 Null 172.16.11.5 11 00A1 00A1 28K4 of 4 top talkers shown. 10 of 27 flows matchedThe following example shows how you enter NetFlow top talkers configuration mode and specify that the top talkers are to contain the following characteristics:
•
•
Router(config)# ip flow-top-talkersRouter(config-flow-top-talkers)# match source address 10.10.0.0/16Router(config-flow-top-talkers)# match destination address 172.16.11.0/24Router(config-flow-top-talkers)# top 4Router(config-flow-top-talkers)# sort-by bytesThe following example shows the output of the show ip flow top talkers command when the configuration from the previous example is used:
Router# show ip flow top-talkersSrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP BytesEt3/0 10.10.18.1 Null 172.16.11.5 11 00A1 00A1 67KEt3/0 10.10.19.1 Null 172.16.11.6 11 00A2 00A2 67K2 of 4 top talkers shown. 2 of 30 flows matchedRelated Commands
mode (flow sampler configuration)
To specify a packet interval for random sampled NetFlow accounting and enable the flow sampler map, use the mode command in NetFlow flow sampler configuration mode.
mode random one-out-of packet-interval
Syntax Description
Defaults
The random sampling mode and packet sampling interval are undefined.
Command Modes
NetFlow flow sampler configuration
Command History
12.3(2)T
This command was introduced.
12.0(26)S
This command was integrated into Cisco IOS Release 12.0(26)S.
Usage Guidelines
The mode random one-out-of does not have a no format to remove it from the configuration. To disable NetFlow random sampling and packet interval you must remove the flow sampler map that you enabled with the mode random one-out-of command.
If you want to change the value that you entered for the packet-interval argument repeat the mode random one-out-of packet-interval command using the new value for packet-interval.
Random sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface, or subinterface. In order to run random sampled NetFlow accounting, you must first disable (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling.
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Tip
Tip
Examples
The following example shows how to create and enable a random sampler map for random sampled (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:
Router(config)# ip cefRouter(config)# flow-sampler-map my-mapRouter(config-sampler)# mode random one-out-of 100Router(config-sampler)# interface ethernet 0/0Router(config-if)# no ip route-cache flowRouter(config-if)# ip route-cache cefRouter(config-if)# flow-sampler my-mapThe following example shows how to create and enable a random sampler map for random sampled egress NetFlow accounting with CEF switching on Ethernet interface 1/0:
Router(config)# ip cefRouter(config)# flow-sampler-map my-mapRouter(config-sampler)# mode random one-out-of 100Router(config-sampler)# interface ethernet 1/0Router(config-if)# no ip flow egressRouter(config-if)# ip route-cache cefRouter(config-if)# flow-sampler my-map egressThe following output from the show flow-sampler command verifies that random sampled NetFlow accounting is active:
Router# show flow-samplerSampler : my-map, id : 1, packets matched : 7, mode : random sampling modesampling interval is : 100Related Commands
netflow-sampler
To enable NetFlow accounting with input filter sampling, use the netflow-sampler command in QoS policy-map class configuration mode. To disable NetFlow accounting with input filter sampling, use the no form of this command.
netflow-sampler sampler-map-name
no netflow-sampler sampler-map-name
Syntax Description
Defaults
NetFlow accounting with input filter sampling is disabled.
Command Modes
QoS policy-map class configuration
Command History
Usage Guidelines
NetFlow accounting with input filter sampling cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or random sampled NetFlow on the same interface, or subinterface. In order to run NetFlow accounting with input filter sampling, you must first disable (ingress) NetFlow accounting, egress NetFlow accounting, or random sampled NetFlow.
You can assign only one NetFlow input filter sampler to a class. Assigning another NetFlow input filter sampler to a class overwrites the previous one.
Samplers, also known as filters, are based on classes, but they are enabled on interfaces. You assign a NetFlow input filters sampler to a class by using the netflow-sampler command in QoS policy-map class configuration. You the use the service-policy command to attach the policy map you defined to one or more interfaces.
Tip
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Examples
The following example shows how to enable NetFlow accounting with input filter sampling for one class of traffic (traffic with 10 as the first octet of the IP source address):
Router(config)# ip cefRouter(config)# flow-sampler-map network-10Router(config-sampler)# mode random one-out-of 100Router(config-sampler)# exitRouter(config)# class-map match-any network-10Router(config-cmap)# match access-group 100Router(config-cmap)# exitRouter(config)# policy-map network-10Router(config-pmap)# class network-10Router(config-pmap-c)# netflow-sampler network-10Router(config-pmap-c)# exitRouter(config-pmap)# exitRouter(config)# interface Ethernet0/0Router(config-if)# no ip route-cache flowRouter(config-if)# ip route-cache cefRouter(config-if)# interface ethernet 0/0.1Router(config-if)# service-policy input network-10Router(config-if)# exitRouter(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 anyThe following output from the show flow-sampler command verifies that the NetFlow accounting with input filter sampling is active:
Router# show flow-samplerSampler : network-10, id : 1, packets matched : 546, mode : random sampling modesampling interval is : 100The following output from the show ip cache verbose flow command shows that combination of the access-list 100 permit ip 10.0.0.0 0.255.255.255 any command and the match access-group 100 command has filtered out any traffic in which the source IP address does not have 10 as the first octet:
Router# show ip cache verbose flowIP packet size distribution (116 total packets):1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480.000 .155 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000512 544 576 1024 1536 2048 2560 3072 3584 4096 4608.000 .000 .000 .258 .586 .000 .000 .000 .000 .000 .000IP Flow Switching Cache, 278544 bytes7 active, 4089 inactive, 66 added3768 ager polls, 0 flow alloc failuresActive flows timeout in 1 minutesInactive flows timeout in 120 secondsIP Sub Flow Cache, 21640 bytes6 active, 1018 inactive, 130 added, 62 added to flow0 alloc failures, 0 force free1 chunk, 1 chunk addedlast clearing of statistics neverProtocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)-------- Flows /Sec /Flow /Pkt /Sec /Flow /FlowTCP-Telnet 6 0.0 1 940 0.0 8.8 51.6TCP-FTP 5 0.0 1 640 0.0 6.9 53.4TCP-SMTP 2 0.0 3 1040 0.0 41.7 18.5TCP-other 36 0.0 1 1105 0.0 18.8 41.5UDP-other 6 0.0 3 52 0.0 54.8 5.5ICMP 4 0.0 1 628 0.0 11.3 48.8Total: 59 0.0 1 853 0.1 20.7 39.6SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs PktsPort Msk AS Port Msk AS NextHop B/Pk ActiveEt0/0.1 10.10.10.3 Et1/0.1 172.16.10.3 06 80 00 10016 /0 0 0016 /0 0 0.0.0.0 840 0.0Sampler: 1 Class: 1Et0/0.1 10.10.10.3 Et1/0.1* 172.16.10.3 06 80 00 10016 /0 0 0016 /0 0 0.0.0.0 840 0.0Sampler: 1 Class: 1 FFlags: 01Et0/0.1 10.10.11.3 Et1/0.1 172.16.10.7 06 80 00 10041 /0 0 0041 /0 0 0.0.0.0 1140 0.0Sampler: 1 Class: 1Et0/0.1 10.10.11.1 Et1/0.1 172.16.10.5 06 80 00 30019 /0 0 0019 /0 0 0.0.0.0 1040 36.7Sampler: 1 Class: 1Et0/0.1 10.10.11.1 Et1/0.1* 172.16.10.5 06 80 00 10019 /0 0 0019 /0 0 0.0.0.0 1040 0.0Sampler: 1 Class: 1 FFlags: 01Et0/0.1 10.1.1.2 Et1/0.1 172.16.10.10 06 80 00 20041 /0 0 0041 /0 0 0.0.0.0 1140 37.8Sampler: 1 Class: 1Et0/0.1 10.10.10.1 Et1/0.1 172.16.10.1 01 80 10 10000 /0 0 0000 /0 0 0.0.0.0 628 0.0Sampler: 1 Class: 1Related Commands
show flow-sampler
To display the status and statistics for random sampled NetFlow (including mode, packet interval, and number of packets matched for each flow sampler), use the show flow-sampler command in user EXEC or privileged EXEC mode.
show flow-sampler [sampler-map-name]
Syntax Description
Command Modes
User EXEC
Privileged EXECCommand History
12.3(2)T
This command was introduced.
12.0(26)S
This command was integrated into Cisco IOS Release 12.0(26)S.
Examples
The following is sample output from the show flow-sampler command for all flow samplers:
Router> show flow-samplerSampler : mysampler1, id : 1, packets matched : 10, mode : random sampling modesampling interval is : 100Sampler : myflowsampler2, id : 2, packets matched : 5, mode : random sampling modesampling interval is : 200The following is sample output from the show flow-sampler command for a flow sampler named mysampler1:
Router> show flow-sampler mysampler1Sampler : mysampler1, id : 1, packets matched : 0, mode : random sampling modesampling interval is : 100Table 6 describes the fields shown in the displays.
Related Commands
show ip cache flow
To display a summary of the NetFlow accounting statistics, use the show ip cache flow command in user EXEC or privileged EXEC mode.
show ip cache [prefix mask] [type number] flow
Syntax Description
Command Modes
User EXEC
Privileged EXECCommand History
Usage Guidelines
Some of the content in the display of the show ip cache flow command uses multiline headings and multiline data fields. Figure 1 uses an example of the output from the show ip cache verbose flow to show how to associate the headings with the correct data fields when there are two or more lines of headings and two or more lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields, and so on.
When other features such as IP Multicast are configured, the number of lines in the headings and data fields increases. The method for associating the headings with the correct data fields remains the same.
Figure 1 How to Use the Multiline Headings and Multiline Data Fields in the Display Output of the show ip cache verbose flow Command
Displaying Detailed NetFlow Cache Information on Platforms Running Distributed Cisco Express Forwarding
On platforms running Distributed Cisco Express Forwarding (dCEF), NetFlow cache information is maintained on each line card or Versatile Interface Processor. To display this information on a distributed platform by use of the show ip cache flow command, you must enter the command at a line card prompt.
Cisco 7500 Series Platform
To display NetFlow cache information using the show ip cache flow command on a Cisco 7500 series router that is running dCEF, enter the following sequence of commands:
Router# if-con slot-numberLC-slot-number# show ip cache flowFor Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display NetFlow cache information:
Router# execute-on slot-number show ip cache flowCisco 12000 Series Platform
To display NetFlow cache information using the show ip cache flow command on a Cisco 12000 Series Internet Router, enter the following sequence of commands:
Router# attach slot-numberLC-slot-number# show ip cache flowFor Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display NetFlow cache information:
Router# execute-on slot-number show ip cache flowExamples
The following is a sample display of a main cache using the show ip cache flow command:
Router# show ip cache flowIP packet size distribution (44027 total packets):1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480.119 .800 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000512 544 576 1024 1536 2048 2560 3072 3584 4096 4608.000 .000 .039 .000 .039 .000 .000 .000 .000 .000 .000IP Flow Switching Cache, 278544 bytes51 active, 4045 inactive, 173 added84752 ager polls, 0 flow alloc failuresActive flows timeout in 3 minutesInactive flows timeout in 60 secondsIP Sub Flow Cache, 25800 bytes153 active, 871 inactive, 451 added, 173 added to flow0 alloc failures, 0 force free1 chunk, 1 chunk addedlast clearing of statistics neverProtocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)-------- Flows /Sec /Flow /Pkt /Sec /Flow /FlowTCP-FTP 8 0.0 871 40 3.4 1394.5 0.4TCP-FTPD 8 0.0 872 40 3.4 1394.9 0.1TCP-WWW 4 0.0 871 40 1.7 1393.3 1.1TCP-SMTP 4 0.0 871 40 1.7 1393.3 1.4TCP-other 16 0.0 871 40 6.8 1393.3 1.1UDP-other 72 0.0 1 53 0.0 0.0 15.4ICMP 10 0.0 871 427 4.3 1394.6 0.3Total: 122 0.0 357 117 21.6 571.3 9.4SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP PktsEt0/0.1 192.168.67.6 Et1/0.1* 172.16.10.200 01 0000 0C01 7Et0/0.1 192.168.67.6 Et1/0.1 172.16.10.200 01 0000 0C01 7Et0/0.1 172.16.6.1 Null 224.0.0.9 11 0208 0208 1Et0/0.1 10.234.53.1 Et1/0.1* 172.16.10.2 01 0000 0800 7Et0/0.1 10.234.53.1 Et1/0.1 172.16.10.2 01 0000 0800 7Et0/0.1 192.168.87.200 Et1/0.1 172.16.10.2 06 0015 0015 7Et0/0.1 192.168.87.200 Et1/0.1 172.16.10.2 06 0014 0014 7Et0/0.1 192.168.87.200 Et1/0.1* 172.16.10.2 06 0015 0015 7Et0/0.1 192.168.87.200 Et1/0.1* 172.16.10.2 06 0014 0014 7Et0/0.1 10.251.10.1 Et1/0.1 172.16.10.2 01 0000 0000 8Et0/0.1 10.251.10.1 Et1/0.1* 172.16.10.2 01 0000 0000 8Et0/0.1 172.30.231.193 Et1/0.1 172.16.10.2 01 0000 0C01 7Et0/0.1 172.30.231.193 Et1/0.1* 172.16.10.2 01 0000 0C01 7Et0/0.1 10.10.11.4 Et1/0.1* 172.16.10.8 06 00DC 00DC 8
Note
Table 7 describes the significant fields shown in the flow switching cache lines of the display.
Table 8 describes the significant fields shown in the activity by protocol lines of the display.
Table 8 show ip cache flow Field Descriptions in Activity by Protocol Display
Protocol
IP protocol and the well-known port number. (Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.)
Note
Total Flows
Number of flows in the cache for this protocol since the last time the statistics were cleared.
Flows/Sec
Average number of flows for this protocol per second; equal to the total flows divided by the number of seconds for this summary period.
Packets/Flow
Average number of packets for the flows for this protocol; equal to the total packets for this protocol divided by the number of flows for this protocol for this summary period.
Bytes/Pkt
Average number of bytes for the packets for this protocol; equal to the total bytes for this protocol divided by the total number of packets for this protocol for this summary period.
Packets/Sec
Average number of packets for this protocol per second; equal to the total packets for this protocol divided by the total number of seconds for this summary period.
Active(Sec)/Flow
Number of seconds from the first packet to the last packet of an expired flow divided by the number of total flows for this protocol for this summary period.
Idle(Sec)/Flow
Number of seconds observed from the last packet in each nonexpired flow for this protocol until the time at which the show ip cache verbose flow command was entered divided by the total number of flows for this protocol for this summary period.
Table 9 describes the significant fields in the NetFlow record lines of the display.
Related Commands
show ip cache flow aggregation
To display the NetFlow accounting aggregation cache statistics, use the show ip cache flow aggregation command in user EXEC or privileged EXEC mode.
show ip cache [prefix mask] [type number] [verbose] flow aggregation {as | as-tos | bgp-nexthop-tos | destination-prefix | destination-prefix-tos | prefix | prefix-port | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos}
Syntax Description
Command Modes
User EXEC
Privileged EXECCommand History
Usage Guidelines
Some of the content in the display of the show ip cache flow aggregation command uses multiline headings and multiline data fields. Figure 2 uses an example of the output from the show ip cache verbose flow to show how to associate the headings with the correct data fields when there are two or more lines of headings and two or more lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields, and so on.
When other features such as IP Multicast are configured, the number of lines in the headings and data fields increases. The method for associating the headings with the correct data fields remains the same.
Figure 2 How to Use the Multiline Headings and Multiline Data Fields in the Display Output of the show ip cache verbose flow Command
Examples
The following is a sample display of an autonomous system aggregation cache with the show ip cache flow aggregation as command:
Router# show ip cache flow aggregation asIP Flow Switching Cache, 278544 bytes2 active, 4094 inactive, 13 added178 ager polls, 0 flow alloc failuresSrc If Src AS Dst If Dst AS Flows Pkts B/Pk ActiveFa1/0 0 Null 0 1 2 49 10.2Fa1/0 0 Se2/0 20 1 5 100 0.0The following is a sample display of an autonomous system aggregation cache for the prefix mask 10.0.0.1 255.0.0.0 with the show ip cache flow aggregation as command:
Router# show ip cache 10.0.0.1 255.0.0.0 flow aggregation asIP Flow Switching Cache, 278544 bytes2 active, 4094 inactive, 13 added178 ager polls, 0 flow alloc failuresSrc If Src AS Dst If Dst AS Flows Pkts B/Pk Activee1/2 0 Null 0 1 2 49 10.2e1/2 0 e1/2 20 1 5 100 0.0The following is a sample display of an autonomous system aggregation cache for 10.0.0.1 255.0.0.0 Ethernet1/2 with the show ip cache verbose flow aggregation as command:
Router# show ip cache 10.0.0.1 255.0.0.0 e1/2 verbose flow aggregation asIP Flow Switching Cache, 278544 bytes2 active, 4094 inactive, 13 added178 ager polls, 0 flow alloc failuresSrc If Src AS Dst If Dst AS Flows Pkts B/Pk Activee1/2 0 Null 0 1 2 49 10.2e1/2 0 e1/2 20 1 5 100 0.0The following is a sample display of an autonomous system ToS aggregation cache with the show ip cache verbose flow aggregation as-tos command:
Router# show ip cache verbose flow aggregation as-tosIP Flow Switching Cache, 278544 bytes4 active, 4092 inactive, 103 added1609 ager polls, 0 flow alloc failuresSrc If Src AS Dst If Dst AS TOS Flows Pkts B/Pk ActiveEt1/2 50 Fd4/0 40 CC 1 3568 28 17.8Et1/2 0 Fd4/0 40 C0 15 17K 28 17.8Et1/1 50 Fd4/0 40 55 1 3748 28 17.8Fd4/0 0 Null 0 C0 1 2 49 0.9The following is a sample display of a protocol port ToS aggregation cache with the show ip cache verbose flow aggregation protocol-port-tos command:
Router# show ip cache verbose flow aggregation protocol-port-tosIP Flow Switching Cache, 278544 bytes4 active, 4092 inactive, 102 added1584 ager polls, 0 flow alloc failuresProt Src If SrcPort Dst If DstPort TOS Flows Pkts B/Pk Active0x01 Et1/2 0000 Fd4/0 0000 C0 15 17K 28 17.80x01 Et1/2 0000 Fd4/0 0000 CC 1 3568 28 17.80x01 Et1/1 0000 Fd4/0 0000 55 1 3748 28 17.80x06 Fd4/0 00B3 Null 2AF9 C0 1 2 49 0.9The following is a sample display of a source prefix ToS aggregation cache with the show ip cache verbose flow aggregation source-prefix-tos command:
Router# show ip cache verbose flow aggregation source-prefix-tosIP Flow Switching Cache, 278544 bytes4 active, 4092 inactive, 105 added1683 ager polls, 0 flow alloc failuresSrc If Src Prefix Msk AS TOS Flows Pkts B/Pk ActiveEt1/1 52.0.0.0 /8 50 55 1 3748 28 17.8Et1/2 52.0.0.0 /8 50 CC 1 3568 28 17.8Et1/2 0.0.0.0 /0 0 C0 15 17K 28 17.8Fd4/0 20.20.20.1 /32 0 C0 1 2 49 0.9The following is a sample display of a destination prefix ToS aggregation cache with the show ip cache verbose flow aggregation destination-prefix-tos command:
Router# show ip cache verbose flow aggregation destination-prefix-tosIP Flow Switching Cache, 278544 bytes4 active, 4092 inactive, 86 added1480 ager polls, 0 flow alloc failuresDst If Dst Prefix Msk AS TOS Flows Pkts B/Pk ActiveLocal 31.31.31.1 /32 0 C0 1 2 49 0.9Fd4/0 42.0.0.0 /8 40 55 1 3748 28 17.8Fd4/0 42.0.0.0 /8 40 CC 1 3568 28 17.8Fd4/0 42.0.0.0 /8 40 C0 15 17K 28 17.8The following is a sample display of a prefix ToS aggregation cache with the show ip cache verbose flow aggregation prefix-tos command:
Router# show ip cache verbose flow aggregation prefix-tosIP Flow Switching Cache, 278544 bytes4 active, 4092 inactive, 4 added14 ager polls, 0 flow alloc failuresSrc If Src Prefix Dst If Dst Prefix TOS Flows PktsMsk AS Msk AS B/Pk ActiveEt1/2 0.0.0.0 Fd4/0 42.0.0.0 C0 15 3933/0 0 /8 40 28 3.9Et1/1 52.0.0.0 Fd4/0 42.0.0.0 55 1 826/8 50 /8 40 28 3.9Et1/2 52.0.0.0 Fd4/0 42.0.0.0 CC 1 787/8 50 /8 40 28 3.9The following is a sample display of a prefix port aggregation cache with the show ip cache verbose flow aggregation prefix-port command:
Router# show ip cache verbose flow aggregation prefix-portIP Flow Switching Cache, 278544 bytes4 active, 4092 inactive, 105 added1679 ager polls, 0 flow alloc failuresSrc If Src Prefix Dst If Dst Prefix TOS Flows PktsPort Msk Port Msk Pr B/Pk ActiveFd4/0 20.20.20.1 Local 31.31.31.1 C0 1 200B3 /32 2AF9 /32 06 49 0.9Et1/2 0.0.0.0 Fd4/0 42.0.0.0 C0 15 17K0000 /0 0000 /8 01 28 17.8Et1/1 52.0.0.0 Fd4/0 42.0.0.0 55 1 37480000 /8 0000 /8 01 28 17.8Et1/2 52.0.0.0 Fd4/0 42.0.0.0 CC 1 35680000 /8 0000 /8 01 28 17.8Table 10 describes the significant fields shown in the output of the show ip cache verbose flow aggregation command.
Related Commands
show ip cache verbose flow
To displays a detailed summary of the NetFlow accounting statistics, use the show ip cache verbose flow command in user EXEC or privileged EXEC mode.
show ip cache [prefix mask] [type number] verbose flow
Syntax Description
Command Modes
User EXEC
Privileged EXECCommand History
Usage Guidelines
Use the show ip cache verbose flow command to display flow record fields in the NetFlow cache in addition to the fields that are displayed with the show ip cache flow command. The values in the additional fields that are shown depend on the NetFlow features that are enabled and the flags that are set in the flow.
Note
Some of the content in the display of the show ip cache verbose flow command uses multiline headings and multiline data fields. Figure 3 uses an example of the output from the show ip cache verbose flow to show how to associate the headings with the correct data fields when there are two or more lines of headings and two or more lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields, and so on.
When other features such as IP Multicast are configured, the number of lines in the headings and data fields increases. The method for associating the headings with the correct data fields remains the same.
Figure 3 How to Use the Multiline Headings and Multiline Data Fields in the Display Output from the show ip cache verbose flow Command
NetFlow Multicast Support
When the NetFlow Multicast Support feature is enabled, the show ip cache verbose flow command displays the number of replicated packets and the packet byte count for NetFlow multicast accounting. When you configure the NetFlow Version 9 Export Format feature, this command displays additional NetFlow fields in the header.
MPLS-aware NetFlow
When you configure the MPLS-aware NetFlow feature, you can use the show ip cache verbose flow command to display both the IP and MPLS portions of MPLS flows in the NetFlow cache on a router line card. To display only the IP portion of the flow record in the NetFlow cache when MPLS-aware NetFlow is configured, use the show ip cache flow command.
NetFlow BGP Nexthop
The NetFlow bgp-nexthop command can be configured when either the Version 5 export format or the Version 9 export format is configured. The following caveats apply to the bgp-nexthop command:
•
•
Displaying Detailed NetFlow Cache Information on Platforms Running Distributed Cisco Express Forwarding
On platforms running Distributed Cisco Express Forwarding (dCEF), NetFlow cache information is maintained on each line card or Versatile Interface Processor. If you want to use the show ip cache verbose flow command to display this information on a distributed platform, you must enter the command at a line card prompt.
Cisco 7500 Series Platform
To display detailed NetFlow cache information on a Cisco 7500 series router that is running distributed dCEF, enter the following sequence of commands:
Router# if-con slot-numberLC-slot-number# show ip cache verbose flowFor Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:
Router# execute-on slot-number show ip cache verbose flowCisco 12000 Series Platform
To display detailed NetFlow cache information on a Cisco 12000 Series Internet Router, enter the following sequence of commands:
Router# attach slot-numberLC-slot-number# show ip cache verbose flowFor Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:
Router# execute-on slot-number show ip cache verbose flowExamples
The following example shows output from the show ip cache verbose flow command:
Router# show ip cache verbose flowIP packet size distribution (25229 total packets):1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000512 544 576 1024 1536 2048 2560 3072 3584 4096 4608.000 .000 .000 .206 .793 .000 .000 .000 .000 .000 .000The preceding output shows the percentage distribution of packets by size. In this display, 20.6 percent of the packets fall in the 1024-byte size range and 79.3 percent fall in the 1536-byte range.
The next section of the output can be divided into three sections. The section and the table corresponding to each are as follows:
•
•
•
IP Flow Switching Cache, 278544 bytes6 active, 4090 inactive, 17 added505 ager polls, 0 flow alloc failuresActive flows timeout in 1 minutesInactive flows timeout in 10 secondsIP Sub Flow Cache, 25736 bytes12 active, 1012 inactive, 39 added, 17 added to flow0 alloc failures, 0 force free1 chunk, 1 chunk addedlast clearing of statistics neverProtocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)-------- Flows /Sec /Flow /Pkt /Sec /Flow /FlowTCP-Telnet 1 0.0 362 940 2.7 60.2 0.0TCP-FTP 1 0.0 362 840 2.7 60.2 0.0TCP-FTPD 1 0.0 362 840 2.7 60.1 0.1TCP-SMTP 1 0.0 361 1040 2.7 60.0 0.1UDP-other 5 0.0 1 66 0.0 1.0 10.6ICMP 2 0.0 8829 1378 135.8 60.7 0.0Total: 11 0.0 1737 1343 147.0 33.4 4.8SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs PktsPort Msk AS Port Msk AS NextHop B/Pk ActiveEt0/0.1 10.251.138.218 Et1/0.1 172.16.10.2 06 80 00 650015 /0 0 0015 /0 0 0.0.0.0 840 10.8MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 840 Max plen: 840Min TTL: 59 Max TTL: 59IP id: 0Et0/0.1 172.16.6.1 Et1/0.1 172.16.10.2 01 00 00 48800000 /0 0 0000 /0 0 0.0.0.0 1354 20.1MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 772 Max plen: 1500Min TTL: 255 Max TTL: 255ICMP type: 0 ICMP code: 0IP id: 2943 FO: 185Et0/0.1 10.10.13.1 Et1/0.1 172.16.10.2 06 80 00 650017 /0 0 0017 /0 0 0.0.0.0 940 10.8MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 940 Max plen: 940Min TTL: 59 Max TTL: 59IP id: 0Et0/0.1 10.89.38.215 Et1/0.1 172.16.10.2 06 80 00 650014 /0 0 0014 /0 0 0.0.0.0 840 10.8MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 840 Max plen: 840Min TTL: 59 Max TTL: 59IP id: 0Et0/0.1 10.10.14.1 Et1/0.1 172.16.10.2 06 80 00 660019 /0 0 0019 /0 0 0.0.0.0 1040 11.0MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 1040 Max plen: 1040Min TTL: 59 Max TTL: 59IP id: 0Et0/0.1 172.16.6.1 Et1/0.1 172.16.10.2 01 00 10 9750000 /0 0 0800 /0 0 0.0.0.0 1500 20.1MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)Min plen: 1500 Max plen: 1500Min TTL: 255 Max TTL: 255ICMP type: 8 ICMP code: 0IP id: 2944R3#Table 11 describes the significant fields shown in the NetFlow cache section of the output.
Table 12 describes the significant fields shown in the activity by protocol section of the output.
Table 12 Field Descriptions in the Activity by Protocol Section of the Output
Protocol
IP protocol and the well-known port number. (Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.)
Note
Total Flows
Number of flows in the cache for this protocol since the last time the statistics were cleared.
Flows/Sec
Average number of flows for this protocol per second; equal to the total flows divided by the number of seconds for this summary period.
Packets/Flow
Average number of packets for the flows for this protocol; equal to the total packets for this protocol divided by the number of flows for this protocol for this summary period.
Bytes/Pkt
Average number of bytes for the packets for this protocol; equal to the total bytes for this protocol divided by the total number of packets for this protocol for this summary period.
Packets/Sec
Average number of packets for this protocol per second; equal to the total packets for this protocol divided by the total number of seconds for this summary period.
Active(Sec)/Flow
Number of seconds from the first packet to the last packet of an expired flow divided by the number of total flows for this protocol for this summary period.
Idle(Sec)/Flow
Number of seconds observed from the last packet in each nonexpired flow for this protocol until the time at which the show ip cache verbose flow command was entered divided by the total number of flows for this protocol for this summary period.
Table 13 describes the significant fields in the NetFlow record section of the output.
Table 13 Field Descriptions for the NetFlow Record Section of the Output
SrcIf
Interface on which the packet was received.
Port Msk AS
Source port number (displayed in hexadecimal format), IP address mask, and autonomous system number. The value of this field is always set to 0 in MPLS flows.
SrcIPaddress
IP address of the device that transmitted the packet.
DstIf
Interface from which the packet was transmitted.
Note
Port Msk AS
Destination port number (displayed in hexadecimal format), IP address mask, and autonomous system. This is always set to 0 in MPLS flows.
DstIPaddress
IP address of the destination device.
NextHop
The BGP next-hop address. This is always set to 0 in MPLS flows.
Pr
IP protocol "well-known" port number, displayed in hexadecimal format. (Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.)
ToS
Type of service, displayed in hexadecimal format.
B/Pk
Average number of bytes observed for the packets seen for this protocol.
Flgs
TCP flags, shown in hexadecimal format (result of bitwise OR of TCP flags from all packets in the flow).
Pkts
Number of packets in this flow.
Active
The time in seconds that this flow has been active at the time this command was entered.
MAC
Source and destination MAC addresses from the Layer 2 frames in the flow.
VLAN id
Source and destination VLAN IDs from the Layer 2 frames in the flow.
Min plen
Minimum packet length for the packets in the flows.
Note
Max plen
Maximum packet length for the packets in the flows.
Note
Min TTL
Minimum Time-To-Live (TTL) for the packets in the flows.
Note
Max TTL
Maximum TTL for the packets in the flows.
Note
IP id
IP identifier field for the packets in the flow.
ICMP type
Internet Control Message Protocol (ICMP) type field from the ICMP datagram in the flow.
ICMP code
ICMP code field from the ICMP datagram in the flow.
The following example shows the NetFlow output of the show ip cache verbose flow command in which the sampler, class-id, and general flags are set. What is displayed for a flow depends on what flags are set in the flow. If the flow was captured by a sampler, the output shows the sampler ID. If the flow was marked by Modular QoS CLI (MQC), the display includes the class ID. If any general flags are set, the output includes the flags.
Router# show ip cache verbose flowSrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs PktsPort Msk AS Port Msk AS NextHop B/Pk ActiveBGP: BGP NextHopEt1/0 8.8.8.8 Et0/0* 9.9.9.9 01 00 10 30000 /8 302 0800 /8 300 3.3.3.3 100 0.1BGP: 2.2.2.2 Sampler: 1 Class: 1 FFlags: 01Table 14 describes the significant fields shown in the NetFlow output for a sampler, for an MQC policy class, and for general flags.
The following example shows the NetFlow output for the show ip cache verbose flow command when NetFlow BGP next-hop accounting is enabled:
Router# show ip cache verbose flow...SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs PktsPort Msk AS Port Msk AS NextHop B/Pk ActiveBGP:BGP_NextHopEt0/0/2 12.0.0.2 Et0/0/4 13.0.0.5 01 00 10 200000 /8 0 0800 /8 0 11.0.0.6 100 0.0BGP:26.0.0.6Et0/0/2 12.0.0.2 Et0/0/4 15.0.0.7 01 00 10 200000 /8 0 0800 /8 0 11.0.0.6 100 0.0BGP:26.0.0.6Et0/0/2 12.0.0.2 Et0/0/4 15.0.0.7 01 00 10 200000 /8 0 0000 /8 0 11.0.0.6 100 0.0BGP:26.0.0.6Table 15 describes the significant fields shown in the NetFlow BGP next-hop accounting lines of the output.
Table 15 show ip cache verbose flow Field Descriptions in NetFlow BGP Next-Hop Accounting Output
BGP:BGP_NextHop
Destination address for the BGP next hop
The following example shows the NetFlow output for the show ip cache verbose flow command when NetFlow multicast accounting is configured:
Router# show ip cache verbose flow...SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs PktsPort Msk AS Port Msk AS NextHop B/Pk ActiveIPM:OPkts OBytesIPM: 0 0Et1/1/1 11.0.0.1 Null 227.1.1.1 01 55 10 1000000 /8 0 0000 /0 0 0.0.0.0 28 0.0IPM: 100 2800Et1/1/1 11.0.0.1 Se2/1/1.16 227.1.1.1 01 55 10 1000000 /8 0 0000 /0 0 0.0.0.0 28 0.0IPM: 0 0Et1/1/2 12.0.0.1 Et1/1/4 227.2.2.2 01 55 10 1000000 /8 0 0000 /0 0 0.0.0.0 28 0.1Et1/1/2 12.0.0.1 Null 227.2.2.2 01 55 10 1000000 /8 0 0000 /0 0 0.0.0.0 28 0.1IPM: 100 2800Table 16 describes the significant fields shown in the NetFlow multicast accounting lines of the output.
The following example shows the output for both the IP and MPLS sections of the flow record in the NetFlow cache when MPLS-aware NetFlow is enabled:
Router# show ip cache verbose flow...SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs PktsPort Msk AS Port Msk AS NextHop B/Pk ActivePO3/0 10.1.1.1 PO5/1 10.2.1.1 01 00 10 90100 /0 0 0200 /0 0 0.0.0.0 100 0.0Pos:Lbl-Exp-S 1:12305-6-0 (LDP/10.10.10.10) 2:12312-6-1Table 17 describes the significant fields for the IP and MPLS sections of the flow record in the output.
Related Commands
show ip cache verbose flow aggregation
To display the aggregation cache configuration, use the show ip cache verbose flow aggregation command in user EXEC and privileged EXEC mode.
show ip cache [prefix mask] [interface-type interface-number] [verbose] flow aggregation {as | as-tos | bgp-nexthop-tos | destination-prefix | destination-prefix-tos | prefix | prefix-port | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos | exp-bgp-prefix}
Syntax Description
Command Modes
User EXEC
Privileged EXECCommand History
Usage Guidelines
Use the show ip cache verbose flow aggregation command to display flow record fields in the NetFlow aggregation cache in addition to the fields that are displayed with the show ip cache flow aggregation command. The values in the additional fields that are shown depend on the NetFlow features that are enabled and the flags that are set in the flow.
Note
Some of the content in the display of the show ip cache verbose flow aggregation command uses multiline headings and multiline data fields. Figure 4 uses an example of the output from the show ip cache verbose flow to show how to associate the headings with the correct data fields when there are two or more lines of headings and two or more lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields, and so on.
When other features such as IP Multicast are configured, the number of lines in the headings and data fields increases. The method for associating the headings with the correct data fields remains the same
Figure 4 How to Use the Multiline Headings and Multiline Data Fields in the Display Output of the show ip cache verbose flow aggregation Command
NetFlow Multicast Support
When the NetFlow Multicast Support feature is enabled, the show ip cache verbose flow command displays the number of replicated packets and the packet byte count for NetFlow multicast accounting. When you configure the NetFlow Version 9 Export Format feature, this command displays additional NetFlow fields in the header.
MPLS-aware NetFlow
When you configure the MPLS-aware NetFlow feature, you can use the show ip cache verbose flow command to display both the IP and MPLS portions of MPLS flows in the NetFlow cache on a router line card. To display only the IP portion of the flow record in the NetFlow cache when MPLS-aware NetFlow is configured, use the show ip cache flow command.
NetFlow BGP Nexthop
The NetFlow bgp-nexthop command can be configured when either the Version 5 export format or the Version 9 export format is configured. The following caveats apply to the bgp-nexthop command:
•
•
Displaying Detailed NetFlow Cache Information on Platforms Running Distributed Cisco Express Forwarding
On platforms running distributed Cisco Express Forwarding, NetFlow cache information is maintained on each line card or Versatile Interface Processor. If you want to use the show ip cache verbose flow command to display this information on a distributed platform, you must enter the command at a line card prompt.
Cisco 7600 Series Platforms
The module num keyword and argument are supported on DFC-equipped modules only.
Examples
The following is a sample display of an prefix port aggregation cache with the show ip cache verbose flow aggregation prefix-port command:
Router# show ip cache verbose flow aggregation prefix-portIP Flow Switching Cache, 278544 bytes20 active, 4076 inactive, 377 added98254 ager polls, 0 flow alloc failuresActive flows timeout in 5 minutesInactive flows timeout in 15 secondsIP Sub Flow Cache, 25736 bytes0 active, 1024 inactive, 0 added, 0 added to flow0 alloc failures, 0 force free1 chunk, 1 chunk addedSrc If Src Prefix Dst If Dst Prefix TOS Flows PktsPort Msk Port Msk Pr B/Pk ActiveEt0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 2 1360016 /0 0015 /24 06 840 62.2Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 6800B3 /0 00B3 /24 06 1140 60.3Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 680043 /0 0043 /24 11 156 60.3Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 00 1 680000 /0 0000 /24 01 28 60.3Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 1 680035 /0 0035 /24 06 1140 60.3Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 680041 /0 0041 /24 06 1140 60.3Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 68006E /0 006E /24 06 296 60.3FFlags: 01Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 680016 /0 0015 /24 06 840 60.3Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 00 1 680000 /0 0000 /24 01 554 60.3Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 1 6800A1 /0 00A1 /24 11 156 60.3Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 1 6700DC /0 00DC /24 06 1140 59.4Et2/0 0.0.0.0 Et3/0 192.168.10.0 00 1 680000 /0 0000 /24 01 28 60.2FFlags: 01Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 670041 /0 0041 /24 06 1140 59.4FFlags: 01Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 680019 /0 0019 /24 06 168 60.3Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 680016 /0 0015 /24 06 840 60.3FFlags: 01Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 67027C /0 027C /24 06 1240 59.4Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 680077 /0 0077 /24 06 1340 60.2FFlags: 01Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 00 1 680000 /0 0800 /24 01 1500 60.3Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 1 680089 /0 0089 /24 06 296 60.3Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 680045 /0 0045 /24 11 156 60.2FFlags: 01Router#Table 18 describes the significant fields shown in the output of the show ip cache verbose flow aggregation prefix-port command.
Table 18 show ip cache verbose flow aggregation Field Descriptions
Src If
Specifies the source interface.
Src AS
Specifies the source autonomous system.
Src Prefix
The prefix for the source IP addresses.
Msk
The numbers of bits in the source or destination prefix mask.
Dst If
Specifies the destination interface.
AS
Autonomous system. This is the source or destination AS number as appropriate for the keyword used. For example, if you enter the show ip cache flow aggregation destination-prefix-tos command, this is the destination AS number.
TOS
The value in the type of service (ToS) field in the packets.
Dst AS
Specifies the destination autonomous system.
Dst Prefix
The prefix for the destination IP addresses
Flows
Number of flows.
Pkts
Number of packets.
Port
The source or destination port number.
Msk
The source or destination prefix mask.
Pr
IP protocol "well-known" port number, displayed in hexadecimal format. (Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.)
B/Pk
Average number of bytes observed for the packets seen for this protocol (total bytes for this protocol or the total number of flows for this protocol for this summary period).
Active
Number of active flows in the NetFlow cache at the time this command was entered.
The following is a sample display of an exp-bgp-prefix aggregation cache with the show ip cache verbose flow aggregation exp-bgp-prefix command:
Router# show ip cache verbose flow aggregation exp-bgp-prefixIP Flow Switching Cache, 278544 bytes1 active, 4095 inactive, 4 added97 ager polls, 0 flow alloc failuresActive flows timeout in 30 minutesInactive flows timeout in 15 secondsIP Sub Flow Cache, 17032 bytes1 active, 1023 inactive, 4 added, 4 added to flow0 alloc failures, 0 force free1 chunk, 1 chunk addedSrc If BGP Nexthop Label MPLS EXP Flows Pkts B/Pk ActiveGi4/0/0.102 10.40.40.40 0 0 1 5 100 0.0Table 18 describes the significant fields shown in the output of the show ip cache verbose flow aggregation exp-bgp-prefix command.
Related Commands
show ip flow export
To display the status and the statistics for NetFlow accounting data export, including the main cache and all other enabled caches, use the show ip flow export command in user EXEC or privileged EXEC mode.
show ip flow export [template]
Syntax Description
template
(Optional) Shows the data export statistics (such as template timeout and refresh rate) for the template-specific configurations.
Command Modes
User EXEC
Privileged EXECCommand History
Examples
The following is sample output from the show ip flow export command:
Router# show ip flow exportFlow export v5 is enabled for main cacheExporting flows to 10.51.12.4 (9991) 10.1.97.50 (9111)Exporting using source IP address 10.1.97.17Version 5 flow records11 flows exported in 8 udp datagrams0 flows failed due to lack of export packet0 export packets were sent up to process level0 export packets were dropped due to no fib0 export packets were dropped due to adjacency issues0 export packets were dropped due to fragmentation failures0 export packets were dropped due to encapsulation fixup failures0 export packets were dropped enqueuing for the RP0 export packets were dropped due to IPC rate limiting0 export packets were dropped due to output dropsTable 20 describes the significant fields shown in the display.
Related Commands
show ip flow interface
To display NetFlow accounting configuration on interfaces, use the show ip flow interface command in user EXEC or privileged EXEC mode.
show ip flow interface
Syntax Description
This command has no keywords or arguments.
Command Modes
User EXEC
Privileged EXECCommand History
12.3(7)T
This command was introduced.
12.3(11)T
Support for egress NetFlow accounting was added.
Usage Guidelines
Use this command to display the type of NetFlow configuration that is used on the router interfaces.
Examples
The following example shows that four interface configurations have been applied:
•
•
•
•
Router# show ip flow interfaceEthernet0/0ip flow egressflow-sampler my_medium_samplingEthernet1/0ip route-cache flownetflow-sampler my_high_samplingRelated Commands
show ip flow top-talkers
To display the traffic statistics for the NetFlow top talkers (unaggregated top flows), use the show ip flow top-talkers command in user EXEC or privileged EXEC mode.
show ip flow top-talkers [verbose]
Syntax Description
Defaults
No default behavior or values.
Command Modes
User EXEC
Privileged EXECCommand History
Usage Guidelines
Configuring NetFlow Top Talkers
You must enable NetFlow on at least one interface in the router; and configure NetFlow Top Talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows of the heaviest traffic patterns and most-used applications in the network. NetFlow Top Talkers also requires that you configure the sort-by and top commands. Optionally, the match command can be configured to specify additional matching criteria.
Cache Timeout
The timeout period as specified by the cache-timeout command does not start until the show ip flow top-talkers command is entered. From that time, the same top talkers are displayed until the timeout period expires. To recalculate a new list of top talkers before the timeout period expires, you can change the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkers command.
A long timeout period for the cache-timeout command limits the system resources that are used by the NetFlow Top Talkers feature. However, the list of top talkers is calculated only once during the timeout period. If a request to display the top talkers is made more than once during the timeout period, the same results are displayed for each request, and the list of top talkers is not recalculated until the timeout period expires.
A short timeout period ensures that the latest list of top talkers is retrieved; however too short a period can have undesired effects:
•
•
A good method to ensure that the latest information is displayed, while also conserving system resources, is to configure a large value for the timeout period, but cause the list of top talkers to be recalculated by changing the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkers command to display the top talkers. Changing the parameters of the cache-timeout, top, or sort-by command causes the list of top talkers to be recalculated upon receipt of the next command line interface (CLI) or MIB request.
Examples
The following example shows the output of the show ip flow top-talkers command.
In the example, the NetFlow MIB and Top Talkers feature is configured to allow a maximum of five top talkers to be viewed. The display output is configured to be sorted by the total number of bytes in each top talker, and the list of top talkers is configured to be retained for 2 seconds (2000 milliseconds).
Router(config)# ip flow-top-talkersRouter(config-flow-top-talkers)# top 5Router(config-flow-top-talkers)# sort-by bytesRouter(config-flow-top-talkers)# cache-timeout 2000Router# show ip flow top-talkersSrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP BytesEt0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 144KEt0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 144KEt0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 135KEt0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 125KEt0/0.1 10.92.231.235 Et1/0.1 172.16.10.2 06 0041 0041 115K5 of 5 top talkers shown. 11 flows processedTable 21 describes the significant fields shown in the display.
Table 22 shows messages that could be received in response to the show ip flow top-talkers command and their explanations.
Related Commands
sort-by
To specify the sorting criterion for the NetFlow top talkers (unaggregated top flows), use the sort-by command in NetFlow top talkers configuration mode. To disable NetFlow top talkers, use the no form of this command.
sort-by [bytes | packets]
no sort-by [bytes | packets]
Syntax Description
bytes
Sorts the list of top talkers by the total number of bytes in each Top Talker.
packets
Sort the list of top talkers by the total number of packets in each Top Talker.
Defaults
No default behavior or values.
Command Modes
NetFlow top talkers configuration
Command History
Usage Guidelines
Configuring NetFlow top talkers
You must enable NetFlow on at least one interface in the router; and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands. Optionally, the match command can be configured to specify additional matching criteria.
Examples
In the following example, a maximum of four top talkers is configured. The sort criterion is configured to sort the list of top talkers by the total number of bytes for each Top Talker.
Router(config)# ip flow-top-talkersRouter(config-flow-top-talkers)# top 4Router(config-flow-top-talkers)# sort-by bytesThe following example shows the output of the show ip flow top talkers command with the configuration from the previous example:
Router# show ip flow top-talkersSrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP BytesEt0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349KEt0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349KEt0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328KEt0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K4 of 4 top talkers shown. 11 flows processedRelated Commands
top
To specify the maximum number of NetFlow top talkers (unaggregated top flows) to display the statistics for, use the top command in NetFlow top talkers configuration mode. To disable NetFlowtop talkers, use the no form of this command.
top number
no top
Syntax Description
Defaults
No default behavior or values.
Command Modes
NetFlow top talkers configuration
Command History
Usage Guidelines
Configuring NetFlow top talkers
You must enable NetFlow on at least one interface in the router; and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands. Optionally, the match command can be configured to specify additional matching criteria.
Examples
In the following example, a maximum of four top talkers is configured. The sort criterion is configured to sort the list of top talkers by the total number of bytes for each Top Talker.
Router(config)# ip flow-top-talkersRouter(config-flow-top-talkers)# top 4Router(config-flow-top-talkers)# sort-by bytesThe following example shows the output of the show ip flow top talkers command with the configuration from the previous example:
Router# show ip flow top-talkersSrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP BytesEt0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349KEt0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349KEt0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328KEt0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K4 of 4 top talkers shown. 11 flows processedRelated Commands
