-
Cisco IOS NetFlow Configuration Guide, Release 12.4
-
Cisco IOS NetFlow Overview
-
Cisco IOS NetFlow Features Roadmap
-
Getting Started with Configuring NetFlow and NetFlow Data Export
- Cisco IOS NetFlow Configuration Guides
-
Cisco IOS NetFlow Advanced Configuration Guides
-
Configuring NetFlow Aggregation Caches
-
Using NetFlow Filtering or Sampling to Select the Network Traffic to Track
-
NetFlow Layer 2 and Security Monitoring Exports
-
Configuring NetFlow BGP Next Hop Support for Accounting and Analysis
-
Configuring MPLS Egress NetFlow Accounting
-
Configuring MPLS-aware NetFlow
-
Configuring NetFlow Multicast Accounting
-
Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data
-
Configuring NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands
-
-
Table Of Contents
Configuring NetFlow Aggregation Caches
Prerequisites for Configuring NetFlow Aggregation Caches
Restrictions for Configuring NetFlow Aggregation Caches
Information About Configuring NetFlow Aggregation Caches
NetFlow Cache Aggregation Benefits
NetFlow Cache Aggregation Schemes
NetFlow Aggregation Scheme Fields
NetFlow AS-ToS Aggregation Scheme
NetFlow Destination Prefix Aggregation Scheme
NetFlow Destination Prefix-ToS Aggregation Scheme
NetFlow Prefix Aggregation Scheme
NetFlow Prefix-Port Aggregation Scheme
NetFlow Prefix-ToS Aggregation Scheme
NetFlow Protocol Port Aggregation Scheme
NetFlow Protocol-Port-ToS Aggregation Scheme
NetFlow Source Prefix Aggregation Scheme
NetFlow Source Prefix-ToS Aggregation Scheme
NetFlow Data Export Format Versions 9, and 8 for NetFlow Aggregation Caches: Overview
How to Configure NetFlow Aggregation Caches
Configuring NetFlow Aggregation Caches
Verifying the Aggregation Cache Configuration
Configuration Examples for Configuring NetFlow Aggregation Caches
Configuring an AS Aggregation Cache: Example
Configuring a Destination Prefix Aggregation Cache: Example
Configuring a Prefix Aggregation Cache: Example
Configuring a Protocol Port Aggregation Cache: Example
Configuring a Source Prefix Aggregation Cache: Example
Configuring an AS-ToS Aggregation Cache: Example
Configuring a Prefix-ToS Aggregation Cache: Example
Configuring the Minimum Mask of a Prefix Aggregation Scheme: Example
Configuring the Minimum Mask of a Destination Prefix Aggregation Scheme: Example
Configuring the Minimum Mask of a Source Prefix Aggregation Scheme: Example
Configuring NetFlow Version 9 Data Export for Aggregation Caches: Example
Configuring NetFlow Version 8 Data Export for Aggregation Caches: Example
Feature Information for Configuring NetFlow Aggregation Caches
Configuring NetFlow Aggregation Caches
This module contains information about and instructions for configuring NetFlow aggregation caches. The NetFlow main cache is the default cache used to store the data captured by NetFlow. By maintaining one or more extra caches, called aggregation caches, the NetFlow Aggregation feature allows limited aggregation of NetFlow data export streams on a router. The aggregation scheme that you select determines the specific kinds of data that are exported to a remote host.
NetFlow is a Cisco IOS application that provides statistics on packets flowing through the router. It is emerging as a primary network accounting and security technology.
Module History
This module was first published on May 2, 2005, and last updated on February 16th, 2006.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all features. To find information about feature support and configuration, use the "Feature Information for Configuring NetFlow Aggregation Caches and Schemes" section on page 46.
Contents
•
Prerequisites for Configuring NetFlow Aggregation Caches and Schemes, page 2
•
•
•
•
•
•
•
Prerequisites for Configuring NetFlow Aggregation Caches
NetFlow Aggregation Caches
Before you enable NetFlow you must:
•
•
•
If you intend to use Version 8 export format with an aggregation cache, configure Version 5 export format for the main cache.
If you need autonomous system (AS) information from the aggregation, make sure to specify either the peer-as or origin-as keyword in your export command if you have not configured an export format version.
You must explicitly enable each NetFlow aggregation cache by entering the enabled keyword from aggregation cache configuration mode.
Router-based aggregation must be enabled for minimum masking.
Restrictions for Configuring NetFlow Aggregation Caches
Cisco IOS Releases 12.2(14)S, 12.0(22)S, or 12.2(15)T
If your router is running a version of Cisco IOS prior to releases 12.2(14)S, 12.0(22)S, or 12.2(15)T the ip route-cache flow command is used to enable NetFlow on an interface.
If your router is running Cisco IOS release 12.2(14)S, 12.0(22)S, 12.2(15)T, or later the ip flow ingress command is used to enable NetFlow on an interface.
Memory Impact
During times of heavy traffic, the additional flows can fill up the global flow hash table. If you need to increase the size of the global flow hash table, increase the memory of the router.
Performance Impact
Configuring Egress NetFlow accounting with the ip flow egress command might adversely affect network performance because of the additional accounting-related computation that occurs in the traffic-forwarding path of the router.
NetFlow Data Export
Restrictions for NetFlow Version 9 Data Export
•
•
•
Restrictions for NetFlow Version 8 Export Format
Version 8 export format is available only for aggregation caches, and it cannot be expanded to support new features.
Information About Configuring NetFlow Aggregation Caches
Before configuring the NetFlow main cache, NetFlow aggregation caches and NetFlow aggregation schemes, you should understand the following information:
•
NetFlow Aggregation Caches
•
•
•
•
•
•
•
•
•
•
•
•
•
•
NetFlow Cache Aggregation Benefits
Aggregation of export data is typically performed by NetFlow collection tools on management workstations. Router-based aggregation allows limited aggregation of NetFlow export records to occur on the router. Thus, you can summarize NetFlow export data on the router before the data is exported to a NetFlow data collection system, which has the following benefits:
•
•
•
NetFlow Cache Aggregation Schemes
Cisco IOS NetFlow aggregation maintains one or more extra caches with different combinations of fields that determine which flows are grouped together. These extra caches are called aggregation caches. The combinations of fields that make up an aggregation cache are referred to as schemes. As flows expire from the main cache, they are added to each enabled aggregation cache.
You can configure each aggregation cache with its individual cache size, cache ager timeout parameter, export destination IP address, and export destination UDP port. As data flows expire in the main cache (depending on the aggregation scheme configured), relevant information is extracted from the expired flow and the corresponding flow entry in the aggregation cache is updated. The normal flow ager process runs on each active aggregation cache the same way it runs on the main cache. On-demand aging is also supported. Each aggregation cache contains different field combinations that determine which data flows are grouped. The default aggregation cache size is 4096 bytes.
You configure a cache aggregation scheme through the use of arguments to the ip flow-aggregation cache command. NetFlow supports the following five non-ToS based cache aggregation schemes:
•
•
•
•
•
The NetFlow Type of Service (ToS)-Based Router Aggregation feature introduced support for additional cache aggregation schemes, all of which include the ToS byte as one of the fields in the aggregation cache. The following are the six ToS-based aggregation schemes:
•
•
•
•
•
•
Figure 1 shows an example of how the main NetFlow cache can be aggregated into multiple aggregation caches based upon user-configured aggregation schemes.
Figure 1 Building a NetFlow Aggregation Cache
NetFlow Aggregation Scheme Fields
Each cache aggregation scheme contains field combinations that differ from any other cache aggregation scheme. The combination of fields determines which data flows are grouped and collected when a flow expires from the main cache. A flow is a set of packets that has common fields, such as the source IP address, destination IP address, protocol, source and destination ports, type-of-service, and the same interface on which the flow is monitored. To manage flow aggregation on your router, you need to configure the aggregation cache scheme that groups and collects the fields from which you want to examine data. Table 1 and Table 2 show the NetFlow fields that are grouped and collected for non-ToS and ToS based cache aggregation schemes.
Table 1 shows the NetFlow fields used in the non-TOS based aggregation schemes.
Table 2 shows the NetFlow fields used in the TOS based aggregation schemes.
NetFlow AS Aggregation Scheme
The NetFlow AS aggregation scheme reduces NetFlow export data volume substantially and generates AS-to-AS traffic flow data. The scheme groups data flows that have the same source BGP AS, destination BGP AS, input interface, and output interface.
The aggregated NetFlow data export records report the following:
•
•
•
•
•
•
•
Figure 2 shows the data export format for the AS aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 3.
Figure 2 Data Export Format for AS Aggregation Scheme
Table 3 lists definitions for the data export record fields used in the AS aggregation scheme.
NetFlow AS-ToS Aggregation Scheme
The NetFlow AS-ToS aggregation scheme groups flows that have the same source BGP AS, destination BGP AS, source and destination interfaces, and ToS byte. The aggregated NetFlow export record based on the AS-ToS aggregation scheme reports the following:
•
•
•
•
•
•
•
•
This aggregation scheme is particularly useful for generating AS-to-AS traffic flow data, and for reducing NetFlow export data volume substantially. Figure 3 show the data export format for the AS-ToS aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 4.
Figure 3 Data Export Format for AS-ToS Aggregation Scheme
Table 4 lists definitions for the data export record terms used in the AS-ToS aggregation scheme.
NetFlow Destination Prefix Aggregation Scheme
The destination prefix aggregation scheme generates data so that you can examine the destinations of network traffic passing through a NetFlow-enabled device. The scheme groups data flows that have the same destination prefix, destination prefix mask, destination BGP AS, and output interface.
The aggregated NetFlow data export records report the following:
•
•
•
•
•
•
•
•
Figure 4 shows the data export format for the destination prefix aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 5.
Figure 4 Destination Prefix Aggregation Data Export Record Format
Table 5 lists definitions for the data export record terms used in the destination prefix aggregation scheme.
NetFlow Destination Prefix-ToS Aggregation Scheme
The NetFlow destination prefix-ToS aggregation scheme groups flows that have the same destination prefix, destination prefix mask, destination BGP AS, ToS byte, and output interface. The aggregated NetFlow export record reports the following:
•
•
•
•
•
•
•
•
•
This aggregation scheme is particularly useful for capturing data with which you can examine the destinations of network traffic passing through a NetFlow-enabled device. Figure 5 shows the data export format for the Destination prefix-ToS aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 6.
Figure 5 Data Export Format for Destination Prefix-ToS Aggregation Scheme
Table 6 lists definitions for the data export record terms used in the destination prefix-ToS aggregation scheme.
NetFlow Prefix Aggregation Scheme
The NetFlow prefix aggregation scheme generates data so that you can examine the sources and destinations of network traffic passing through a NetFlow-enabled device. The scheme groups data flows that have the same source prefix, destination prefix, source prefix mask, destination prefix mask, source BGP AS, destination BGP AS, input interface, and output interface. See Figure 6.
The aggregated NetFlow data export records report the following:
•
•
•
•
•
•
•
•
Figure 6 shows the data export format for the prefix aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 7.
Figure 6 Data Export Format for Prefix Aggregation Scheme
Table 7 lists definitions for the data export record terms used in the prefix aggregation scheme.
NetFlow Prefix-Port Aggregation Scheme
The NetFlow prefix-port aggregation scheme groups flows that have a common source prefix, source mask, destination prefix, destination mask, source port and destination port when applicable, input interface, output interface, protocol, and ToS byte. The aggregated NetFlow export record reports the following:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
This aggregation scheme is particularly useful for capturing data with which you can examine the sources and destinations of network traffic passing through a NetFlow-enabled device. Figure 7 shows the data export record for the prefix-port aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 8.
Figure 7 Data Export Record for Prefix-Port Aggregation Scheme
Table 8 lists definitions for the data export record terms used in the prefix-port aggregation scheme.
NetFlow Prefix-ToS Aggregation Scheme
The NetFlow prefix-tos aggregation scheme groups together flows that have a common source prefix, source mask, destination prefix, destination mask, source BGP AS, destination BGP AS, input interface, output interface, and ToS byte. The aggregated NetFlow export record reports the following:
•
•
•
•
•
•
•
•
•
•
•
•
•
This aggregation scheme is particularly useful for capturing data so that you can examine the sources and destinations of network traffic passing through a NetFlow-enabled device. Figure 8 displays the data export format for the prefix-tos aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 9.
Figure 8 Data Export Format for Prefix-ToS Aggregation Scheme
Table 9 lists definitions for the data export record terms used in the prefix-ToS aggregation scheme.
NetFlow Protocol Port Aggregation Scheme
The NetFlow protocol port aggregation scheme captures data so that you can examine network usage by traffic type. The scheme groups data flows with the same IP protocol, source port number, and (when applicable) destination port number.
The aggregated NetFlow data export records report the following:
•
•
•
•
•
•
Figure 9 shows the data export format for the protocol port aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 10.
Figure 9 Data Export Format for Protocol Port Aggregation Scheme
Table 10 lists definitions for the data export record terms used in the protocol port aggregation scheme.
NetFlow Protocol-Port-ToS Aggregation Scheme
The NetFlow protocol-port-tos aggregation scheme groups flows that have a common IP protocol, ToS byte, source and (when applicable) destination port numbers, and source and destination interfaces. The aggregated NetFlow Export record reports the following:
•
•
•
•
•
•
•
•
•
This aggregation scheme is particularly useful for capturing data so that you can examine network usage by type of traffic. Figure 10 shows the data export format for the protocol-port-tos aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 11.
Figure 10 Data Export Format for Protocol-Port-ToS Aggregation Scheme
Table 11 lists definitions for the data export record terms used in the protocol-port-ToS aggregation scheme.
NetFlow Source Prefix Aggregation Scheme
The NetFlow source prefix aggregation scheme captures data so that you can examine the sources of network traffic passing through a NetFlow-enabled device. The scheme groups data flows that have the same source prefix, source prefix mask, source BGP AS, and input interface.
The aggregated NetFlow data export records report the following:
•
•
•
•
•
•
•
Figure 11 show the data export format for the source prefix aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 12.
Figure 11 Data Export Format for Source Prefix Aggregation Scheme
Table 12 lists definitions for the data export record terms used in the source prefix aggregation scheme.
NetFlow Source Prefix-ToS Aggregation Scheme
The NetFlow source prefix-ToS aggregation scheme groups flows that have a common source prefix, source prefix mask, source BGP AS, ToS byte, and input interface. The aggregated NetFlow export record reports the following:
•
•
•
•
•
•
•
•
This aggregation scheme is particularly useful for capturing data so that you can examine the sources of network traffic passing through a NetFlow-enabled device. Figure 12 show the data export format for the source prefix-ToS aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 13.
Note
Figure 12 Data Export Format for Source Prefix-ToS Aggregation Scheme
Table 13 lists definitions for the data export record terms used in the source prefix-ToS aggregation scheme.
NetFlow Data Export Format Versions 9, and 8 for NetFlow Aggregation Caches: Overview
Export formats available for NetFlow aggregation caches are the Version 9 export format and the Version 8 export format.
•
•
The Version 9 export format is flexible and extensible, which provides the versatility needed for the support of new fields and record types. You can use the Version 9 export format for both main and aggregation caches.
The Version 8 export format was added to support data export from aggregation caches. This format allows export datagrams to contain a subset of the Version 5 export data that is valid for the cache aggregation scheme.
Refer to the "NetFlow Data Export" section of the "Configuring NetFlow Aggregation Caches" module for more details on NetFlow Data Export Formats.
How to Configure NetFlow Aggregation Caches
This section is broken down into the following subsections:
•
•
Configuring NetFlow Aggregation Caches
Perform the steps in this required to enable NetFlow and configure a NetFlow aggregation cache.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12. <
