Table Of Contents
match interface (Flexible NetFlow)
match routing multicast replication-factor
show flow monitor cache aggregate
show flow monitor cache filter
match interface (Flexible NetFlow)
To configure the input and/or output interface as a key field for a Flexible NetFlow flow record, use the match interface command in Flexible NetFlow flow record configuration mode. To disable the use of the input and/or output interface as a key field for a Flexible NetFlow flow record, use the no form of this command.
match interface {input | output}
no match interface {input | output}
Syntax Description
input
Configures the input interface as a key field.
output
Configures the output interface as a key field.
Command Default
The input and/or output interface is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the input interface as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match flow interface inputThe following example configures the output interface as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match flow interface outputRelated Commands
match ipv4
To configure one or more of the IPv4 fields as a key field for a Flexible NetFlow flow record, use the match ipv4 command in Flexible NetFlow flow record configuration mode. To disable the use of one or more of the IPv4 fields as a key field for a Flexible NetFlow flow record, use the no form of this command.
match ipv4 {dscp | header-length | id | option map | precedence | protocol | tos | version}
no match ipv4 {dscp | header-length | id | option map | precedence | protocol | tos | version}
Syntax Description
Command Default
The use of one or more of the IPv4 fields as a key field for a user-defined Flexible NetFlow flow record is not enabled by default.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Note
Some of the keywords of the match ipv4 command are documented as separate commands. All of the keywords for the match ipv4 command that are documented separately start with match ipv4. For example, for information about configuring the IPv4 time-to-live (TTL) field as a key field for a Flexible NetFlow flow record, refer to the match ipv4 ttl command.
Examples
The following example configures the IPv4 TTL field as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv4 ttlRelated Commands
match ipv4 destination
To configure the IPv4 destination address as a key field for a Flexible NetFlow flow record, use the match ipv4 destination command in Flexible NetFlow flow record configuration mode. To disable the IPv4 destination address as a key field for a Flexible NetFlow flow record, use the no form of this command.
match ipv4 destination {address | [{mask | prefix} [minimum-mask mask]]}
no match ipv4 destination {address | [{mask | prefix} [minimum-mask mask]]}
Syntax Description
Command Default
The IPv4 destination address is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures a 16-bit IPv4 destination address prefix as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv4 destination prefix minimum-mask 16The following example specifies a 16-bit IPv4 destination address mask as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv4 destination mask minimum-mask 16Related Commands
match ipv4 fragmentation
To configure the IPv4 fragmentation flags and/or the IPv4 fragmentation offset as a key field for a Flexible NetFlow flow record, use the match ipv4 fragmentation command in Flexible NetFlow flow record configuration mode. To disable the use of the IPv4 fragmentation flags and/or the IPv4 fragmentation offset as a key field for a Flexible NetFlow flow record, use the no form of this command.
match ipv4 fragmentation {flags | offset}
no match ipv4 fragmentation {flags | offset}
Syntax Description
flags
Configures the IPv4 fragmentation flags as a key field.
offset
Configures the IPv4 fragmentation offset as a key field.
Command Default
The IPv4 fragmentation flags and/or the IPv4 fragmentation offset is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
match ipv4 fragmentation flags
This field matches the "don't fragment" and "more fragments" flags.
Bit 0: reserved, must be zero
Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment
Bit 2: (MF) 0 = Last Fragment,1 = More Fragments
Bits 3-7: (DC) Don't Care, value is irrelevant
0 1 2 3 4 5 6 7+---+---+---+---+---+---+---+---+| | D | M | D | D | D | D | D || 0 | F | F | C | C | C | C | C |+---+---+---+---+---+---+---+---+For more information on IPv4 fragmentation flags, see RFC 791, Internet Protocol at the following URL: http://www.ietf.org/rfc/rfc791.txt.
Examples
The following example configures the IPv4 fragmentation flags a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv4 fragmentation flagsThe following example configures the IPv4 offset flag a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv4 fragmentation offsetRelated Commands
match ipv4 section
To configure a section of an IPv4 packet as a key field for a Flexible NetFlow flow record, use the match ipv4 section command in Flexible NetFlow flow record configuration mode. To disable the use of a section of an IPv4 packet as a key field for a Flexible NetFlow flow record, use the no form of this command.
match ipv4 section {header size header-size | payload size payload-size}
no match ipv4 section {header size header-size | payload size payload-size}
Syntax Description
Command Default
A section of an IPv4 packet is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
match ipv4 section header
This command uses the section of the IPv4 header indicated by the header size header-size keyword and argument as a key field. Only the configured size in bytes will be matched, and part of the payload will also be matched if the configured size is larger than the size of the header.
Note
match ipv4 section payload
This command uses the section of the IPv4 payload indicated by the payload size payload-size keyword and argument as a key field.
Note
Examples
The following example configures the first four bytes (the IPv4 version field) as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv4 section header size 4The following example configures the first 16 bytes from the payload of the IPv4 packets in the flow as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv4 section payload size 16Related Commands
match ipv4 source
To configure the IPv4 source address as a key field for a Flexible NetFlow flow record, use the match ipv4 command in Flexible NetFlow flow record configuration mode. To disable the use of the IPv4 source address as a key field for a Flexible NetFlow flow record, use the no form of this command.
match ipv4 source {address | [{mask | prefix} [minimum-mask mask]]}
no match ipv4 source {address | [{mask | prefix} [minimum-mask mask]]}
Syntax Description
Command Default
The IPv4 source address is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
match ipv4 source prefix minimum-mask
The source address prefix field is the network part of the source address. The optional minimum mask allows a more information to be gathered about large networks.
match ipv4 source mask minimum-mask
The source address mask is the number of bits that make up the network part of the source address. The optional minimum mask allows a minimum value to be configured. This command is useful when there is a minimum mask configured for the source prefix field and the mask is to be used with the prefix. In this case, the values configured for the minimum mask should be the same for the prefix and mask fields.
Alternatively, if the collector knows the minimum mask configuration of the prefix field, the mask field can be configured without a minimum mask so that the true mask and prefix can be calculated.
Examples
The following example configures a 16-bit IPv4 source address prefix as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv4 source prefix minimum-mask 16The following example specifies a 16-bit IPv4 source address mask as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv4 source mask minimum-mask 16Related Commands
match ipv4 total-length
To configure the IPv4 total-length field as a key field for a Flexible NetFlow flow record, use the match ipv4 total-length command in Flexible NetFlow flow record configuration mode. To disable the use of the IPv4 total-length field as a key field for a Flexible NetFlow flow record, use the no form of this command.
match ipv4 total-length
no match ipv4 total-length
Syntax Description
This command has no arguments or keywords.
Command Default
The IPv4 total-length field is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the total-length value as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv4 total-lengthRelated Commands
match ipv4 ttl
To configure the IPv4 time-to-live (TTL) field as a key field for a Flexible NetFlow flow record, use the match ipv4 ttl command in Flexible NetFlow flow record configuration mode. To disable the use of the IPv4 TTL field as a key field for a Flexible NetFlow flow record, use the no form of this command.
match ipv4 ttl
no match ipv4 ttl
Syntax Description
This command has no arguments or keywords.
Command Default
The IPv4 time-to-live (TTL) field is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures IPv4 TTL as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv4 ttlRelated Commands
match ipv6
To configure one or more of the IPv6 fields as a key field for a Flexible NetFlow flow record, use the match ipv6 command in Flexible NetFlow flow record configuration mode. To disable the use of one or more of the IPv6 fields as a key field for a Flexible NetFlow flow record, use the no form of this command.
match ipv6 {dscp | flow-label | next-header | payload-length | precedence | protocol | traffic-class | version}
no match ipv6 {dscp | flow-label | next-header | payload-length | precedence | protocol | traffic-class | version}
Syntax Description
Command Default
The IPv6 fields are not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 NPE series routers.
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Note
Examples
The following example configures the IPv6 DSCP field as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv6 dscpRelated Commands
match ipv6 destination
To configure the IPv6 destination address as a key field for a Flexible NetFlow flow record, use the match ipv6 destination command in Flexible NetFlow flow record configuration mode. To disable the IPv6 destination address as a key field for a Flexible NetFlow flow record, use the no form of this command.
match ipv6 destination {address | [{mask | prefix} [minimum-mask mask]]}
no match ipv6 destination {address | [{mask | prefix} [minimum-mask mask]]}
Syntax Description
Command Default
The IPv6 destination address is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 NPE series routers.
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures a 16-bit IPv6 destination address prefix as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv6 destination prefix minimum-mask 16The following example specifies a 16-bit IPv6 destination address mask as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv6 destination mask minimum-mask 16Related Commands
match ipv6 extension map
To configure the bitmap of the IPv6 extension header map as a key field for a Flexible NetFlow flow record, use the match ipv6 extension map command in Flexible NetFlow flow record configuration mode. To disable the use of the IPv6 bitmap of the IPv6 extension header map as a key field for a Flexible NetFlow flow record, use the no form of this command.
match ipv6 extension map
no match ipv6 extension map
Syntax Description
This command has no arguments or keywords.
Command Default
The use of the bitmap of the IPv6 extension header map as a key field for a user-defined Flexible NetFlow flow record is not enabled by default.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 NPE series routers.
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Bitmap of the IPv6 Extension Header Map
The bitmap of IPv6 extension header map is made up of 32 bits.
0 1 2 3 4 5 6 7+-----+-----+-----+-----+-----+-----+-----+-----+| Res | FRA1| RH | FRA0| UNK | Res | HOP | DST |+-----+-----+-----+-----+-----+-----+-----+-----+8 9 10 11 12 13 14 15+-----+-----+-----+-----+-----+-----+-----+-----+| PAY | AH | ESP | Reserved |+-----+-----+-----+-----+-----+-----+-----+-----+16 17 18 19 20 21 22 23+-----+-----+-----+-----+-----+-----+-----+-----+| Reserved |+-----+-----+-----+-----+-----+-----+-----+-----+24 25 26 27 28 29 30 31+-----+-----+-----+-----+-----+-----+-----+-----+| Reserved |+-----+-----+-----+-----+-----+-----+-----+-----+0 Res Reserved1 FRA1 Fragmentation header - not first fragment2 RH Routing header3 FRA0 Fragment header - first fragment4 UNK Unknown Layer 4 header(compressed, encrypted, not supported)5 Res Reserved6 HOP Hop-by-hop option header7 DST Destination option header8 PAY Payload compression header9 AH Authentication Header10 ESP Encrypted security payload11 to 31 ReservedFor more information on IPv6 headers, refer to RFC 2460 Internet Protocol, Version 6 (IPv6) at the following URL: http://www.ietf.org/rfc/rfc2460.txt.
Examples
The following example configures the IPv6 bitmap of the IPv6 extension header map of the packets in the flow as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv6 extension mapRelated Commands
match ipv6 fragmentation
To configure one or more of the IPv6 fragmentation fields as a key field for a Flexible NetFlow flow record, use the match ipv6 fragmentation command in Flexible NetFlow flow record configuration mode. To disable the use of the IPv6 fragmentation field as a key field for a Flexible NetFlow flow record, use the no form of this command.
match IPv6 fragmentation {flags | id | offset}
no match IPv6 fragmentation {flags | id | offset}
Syntax Description
flags
Configures the IPv6 fragmentation flags as a key field.
id
Configures the IPv6 fragmentation ID as a key field.
offset
Configures the IPv6 fragmentation offset value as a key field.
Command Default
The IPv6 fragmentation field is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 NPE series routers.
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the IPv6 fragmentation flags a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv6 fragmentation flagsThe following example configures the IPv6 offset value a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv6 fragmentation offsetRelated Commands
match ipv6 hop-limit
To configure the IPv6 hop limit as a key field for a Flexible NetFlow flow record, use the match ipv6 hop-limit command in Flexible NetFlow flow record configuration mode. To disable the use of a section of an IPv6 packet as a key field for a Flexible NetFlow flow record, use the no form of this command.
match ipv6 hop-limit
no match ipv6 hop-limit
Syntax Description
This command has no arguments or keywords.
Command Default
The use of the IPv6 hop limit as a key field for a user-defined Flexible NetFlow flow record is not enabled by default.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 NPE series routers.
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the hop limit of the packets in the flow as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv6 hop-limitRelated Commands
match ipv6 length
To configure one or more of the IPv6 length fields as a key field for a Flexible NetFlow flow record, use the match ipv6 length command in Flexible NetFlow flow record configuration mode. To disable the use of the IPv6 length field as a key field for a Flexible NetFlow flow record, use the no form of this command.
match ipv6 length {header | payload | total}
no match ipv6 length {header | payload | total}
Syntax Description
Command Default
The IPv6 length field is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 NPE series routers.
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the length of the IPv6 header in bytes, not including any extension headers, as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv6 length headerRelated Commands
match ipv6 section
To configure a section of an IPv6 packet as a key field for a Flexible NetFlow flow record, use the match ipv6 section command in Flexible NetFlow flow record configuration mode. To disable the use of a section of an IPv6 packet as a key field for a Flexible NetFlow flow record, use the no form of this command.
match ipv6 section {header size header-size | payload size payload-size}
no match ipv6 section {header size header-size | payload size payload-size}
Syntax Description
Command Default
A section of an IPv6 packet is not configured as a key.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 NPE series routers.
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
match ipv6 section header
This command uses the section of the IPv6 header indicated by the header size header-size keyword and argument as a key field. Only the configured size in bytes will be matched, and part of the payload will also be matched if the configured size is larger than the size of the header.
Note
match ipv6section payload
This command uses the section of the IPv6 payload indicated by the payload size payload-size keyword and argument as a key field.
Note
Examples
The following example configures the first four bytes (the IP version field) from the IPv6 header of the packets in the flows as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv6 section header size 4The following example configures the first 16 bytes from the payload of the IPv6 packets in the flows as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match ipv6 section payload size 16Related Commands
match routing
To configure one or more of the routing fields as a key field for a Flexible NetFlow flow record, use the match routing command in Flexible NetFlow flow record configuration mode. To disable the use of one or more of the routing fields as a key field for a Flexible NetFlow flow record, use the no form of this command.
match routing {{destination | source} {as [peer] | traffic-index} | forwarding-status | next-hop address {ipv4 | ipv6} [bgp] | vrf input}
no match routing {{destination | source} {as [peer] | traffic-index} | forwarding-status | next-hop address {ipv4 | ipv6} [bgp] | vrf input}
Syntax Description
Command Default
The use of one or more of the routing fields as a key field for a user-defined Flexible NetFlow flow record is not enabled by default.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
match routing source as [peer]
This command matches the 16-bit autonomous system number based on a lookup of the router's routing table using the source IP address. The peer keyword provides the expected next network, as opposed to the originating network.
match routing destination as [peer]
This command matches the 16-bit autonomous system number based on a lookup of the router's routing table using the destination IP address. The peer keyword will provide the expected next network as opposed to the destination network.
collect routing destination traffic-index
This command is not supported for IPv6.
match routing source traffic-index
This command collects the traffic-index field based on the source autonomous system for this flow. The traffic-index field is a value propagated through BGP.
This command is not supported for IPv6.
match routing forwarding-status
This command matches a field to indicate if the packets were successfully forwarded. The field is in two parts and may be up to 4 bytes in length. At this time only the status field is used:
+-+-+-+-+-+-+-+-+| S | Reason || t | codes || a | or || t | flags || u | || s | |+-+-+-+-+-+-+-+-+0 1 2 3 4 5 6 7Status:00b=Unknown, 01b = Forwarded, 10b = Dropped, 11b = Consumedmatch routing vrf input
This command collects the virtual route forwarding (VRF) ID from incoming packets on a router. In the case where VRFs are associated with an interface via methods such as VRF Selection Using Policy Based Routing/ Source IP Address, a VRF ID of 0 will be recorded. If a packet arrives on an interface that does not belong to a VRF, a VRF ID of 0 is recorded.
Examples
The following example configures the source autonomous system as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match routing source asThe following example configures the destination autonomous system as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match routing destination asThe following example configures the BGP source traffic index as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match routing source traffic-indexThe following example configures the forwarding status as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match routing forwarding-statusThe following example configures the VRF ID for incoming packets as a key field for a Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match routing vrf inputRelated Commands
match routing is-multicast
To configure the use of the is-multicast field (indicating that the IPv4 traffic is multicast traffic) as a key field for a Flexible NetFlow flow record, use the match routing is-multicast command in Flexible NetFlow flow record configuration mode. To disable the use of the is-multicast field as a key field for a Flexible NetFlow flow record, use the no form of this command.
match routing is-multicast
no match routing is-multicast
Syntax Description
This command has no arguments or keywords
Command Default
The is-multicast field is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 NPE series routers.
Examples
The following example configures the is-multicast field as a key field for a Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match routing is-multicastRelated Commands
match routing multicast replication-factor
To configure the multicast replication factor value for IPv4 traffic as a key field for a Flexible NetFlow flow record, use the match multicast replication-factor command in Flexible NetFlow flow record configuration mode. To disable the use of the multicast replication factor value as a key field for a Flexible NetFlow flow record, use the no form of this command.
match routing multicast replication-factor
no match routing multicast replication-factor
Syntax Description
This command has no arguments or keywords.
Command Default
The multicast replication factor value is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 NPE series routers.
Usage Guidelines
When the replication-factor field is used in a flow record, it will only have a non-zero value in the cache for ingress multicast traffic that is forwarded by the router. If the flow record is used with a flow monitor in output (egress) mode or to monitor unicast traffic or both, the cache data for the replication factor field is set to 0.
Examples
The following example configures the multicast replication factor value as a key field for a Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match routing multicast replication-factorRelated Commands
match transport
To configure one or more of the transport fields as a key field for a Flexible NetFlow flow record, use the match transport command in Flexible NetFlow flow record configuration mode. To disable the use of one or more of the transport fields as a key field for a Flexible NetFlow flow record, use the no form of this command.
match transport {destination-port | igmp type | source-port}
no match transport {destination-port | igmp type | source-port}
Syntax Description
Command Default
The transport fields are not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the destination port as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match transport destination-portThe following example configures the source port as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match transport source-portRelated Commands
match transport icmp ipv4
To configure the ICMP IPv4 type field and/or the code field as a key field for a Flexible NetFlow flow record, use the match transport icmp ipv4 command in Flexible NetFlow flow record configuration mode. To disable the use of the ICMP IPv4 type field and/or code field as a key field for a Flexible NetFlow flow record, use the no form of this command.
match transport icmp ipv4 {code | type}
no match transport icmp ipv4 {code | type}
Syntax Description
code
Configures the IPv4 ICMP code as a key field.
type
Configures the IPv4 ICMP type as a key field.
Command Default
The ICMP IPv4 type field and/or the code field is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration
Command History
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the IPv4 ICMP code field as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match transport icmp ipv4 codeThe following example configures the IPv4 ICMP type field as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match transport icmp ipv4 typeRelated Commands
match transport icmp ipv6
To configure the internet control message protocol ICMP IPv6 type field and/or the code field as a key field for a Flexible NetFlow flow record, use the match transport icmp ipv6 command in Flexible NetFlow flow record configuration mode. To disable the use of the ICMP IPv6 type field and/or code field as a key field for a Flexible NetFlow flow record, use the no form of this command.
match transport icmp ipv6 {code | type}
no match transport icmp ipv6 {code | type}
Syntax Description
Command Default
The ICMP IPv6 type field and/or the code field is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 NPE series routers.
Usage Guidelines
A Flow Record requires at least one key field before it can be used in a Flow Monitor. The Key fields differentiate Flows, with each flow having a unique set of values for the key fields. The Key fields are defined using the match command.
Examples
The following example configures the IPv6 ICMP code field as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match transport icmp ipv6 codeThe following example configures the IPv6 ICMP type field as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match transport icmp ipv6 typeRelated Commands
match transport tcp
To configure one or more of the TCP fields as a key field for a Flexible NetFlow flow record, use the match transport tcp command in Flexible NetFlow flow record configuration mode. To disable the use of a TCP field as a key field for a Flexible NetFlow flow record, use the no form of this command.
match transport tcp {acknowledgement-number | destination-port | flags {[ack] [cwr] [ece] [fin] [psh] [rst] [syn] [urg]} | header-length | sequence-number | source-port | urgent-pointer | window-size}
no match transport tcp {acknowledgement-number | destination-port | flags {[ack] [cwr] [ece] [fin] [psh] [rst] [syn] [urg]} | header-length | sequence-number | source-port | urgent-pointer | window-size}
Syntax Description
Command Default
The use of one or more of the TCP fields as a key field for a user-defined Flexible NetFlow flow record is not enabled by default.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the TCP acknowledgement flag as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match transport tcp flags ackThe following example configures the TCP finish flag as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match transport tcp flags finThe following example configures the TCP reset flag as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match transport tcp flags rstThe following example configures the transport destination port as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match transport destination-portThe following example configures the transport source port as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match transport source-port
Related Commands
match transport udp
To configure one or more of the user datagram protocol UDP fields as a key field for a Flexible NetFlow flow record, use the match transport udp command in Flexible NetFlow flow record configuration mode. To disable the use of a UDP field as a key field for a Flexible NetFlow flow record, use the no form of this command.
match transport udp {destination-port | message-length | source-port}
no match transport udp {destination-port | message-length | source-port}
Syntax Description
destination-port
Configures the UDP destination port as a key field.
message-length
Configures the UDP message length as a key field.
source-port
Configures the UDP source port as a key field.
Command Default
The UDP fields are not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
The following example configures the UDP destination port as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match transport udp destination-portThe following example configures the UDP message length as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match transport udp message-lengthThe following example configures the UDP source port as a key field:
Router(config)# flow record FLOW-RECORD-1Router(config-flow-record)# match transport udp source-portRelated Commands
mode (Flexible NetFlow)
To specify the type of sampling and the packet interval for a Flexible NetFlow sampler, use the mode command in Flexible NetFlow sampler configuration mode. To unconfigure the type of sampling and the packet interval for a Flexible NetFlow sampler, use the no form of this command.
mode {deterministic | random} 1 out-of window-size
no mode
Syntax Description
Command Default
The mode and the packet interval for a sampler is not configured.
Command Modes
Flexible NetFlow sampler configuration (config-sampler)
Command History
Usage Guidelines
deterministic
In deterministic mode, packets are chosen periodically based on the configured interval. This mode has less overhead than random mode and can be useful when sampling traffic that is random in nature. For more information about deterministic sampling, refer to the "Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic" module in the Cisco IOS Flexible NetFlow Configuration Guide at the following URL: http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/use_fnflow_redce_cpu.html.
random
In random mode, packets are chosen in a manner that should eliminate any bias from traffic patterns and counter any attempt by users to avoid monitoring. For more information about random sampling, refer to the "Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic" module in the Cisco IOS Flexible NetFlow Configuration Guide at the following URL: http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/use_fnflow_redce_cpu.html.
Examples
The following example enables deterministic sampling with a window size of 1000:
Router(config)# sampler SAMPLER-1Router(config-sampler)# mode deterministic 1 out-of 1000The following example enables random sampling with a window size of 1000:
Router(config)# sampler SAMPLER-1Router(config-sampler)# mode random 1 out-of 1000Related Commands
clear sampler
Clears the sampler statistics.
debug sampler
Enables debugging output for samplers.
show sampler
Displays sampler status and statistics.
option (Flexible NetFlow)
To configure options data parameters for a Flexible NetFlow flow exporter, use the option command in Flexible NetFlow flow exporter configuration mode. To remove options for a Flexible NetFlow flow exporter, use the no form of this command.
option {{application-table | exporter-stats | interface-table | sampler-table | vrf-table} [timeout seconds]}
no option {application-table | exporter-stats | interface-table | sampler-table | vrf-table}
Syntax Description
Command Default
The options data parameters are not configured.
Command Modes
Flexible NetFlow flow exporter configuration (config-flow-exporter)
Command History
Usage Guidelines
option application-table
This command causes the periodic sending of an options table, which will allow the collector to map the NBAR application IDs provided in the flow records to application names. The optional timeout can alter the frequency at which the reports are sent.
option exporter-stats
This command causes the periodic sending of the exporter statistics, including the number of records, bytes and packets sent. This command allows your collector to estimate packet loss for the export records it is receiving. The optional timeout alters the frequency at which the reports are sent.
option interface-table
This command causes the periodic sending of an options table, which will allow the collector to map the interface SNMP indexes provided in the flow records to interface names. The optional timeout can alter the frequency at which the reports are sent.
option sampler-table
This command causes the periodic sending of an options table, which details the configuration of each sampler and allows the collector to map the sampler ID provided in any flow record to a configuration that it can use to scale up the flow statistics. The optional timeout can alter the frequency at which the reports are sent.
option vrf-table
This command causes the periodic sending of an options table, which will allow the collector to map the VRF IDs provided in the flow records to VRF names. The optional timeout can alter the frequency at which the reports are sent.
Examples
The following example causes the periodic sending of the exporter statistics, including the number of records, bytes, and packets sent:
Router(config)# flow exporter FLOW-EXPORTER-1Router(config-flow-exporter)# option exporter-statsThe following example causes the periodic sending of an options table, which allows the collector to map the interface SNMP indexes provided in the flow records to interface names:
Router(config)# flow exporter FLOW-EXPORTER-1Router(config-flow-exporter)# option interface-tableThe following example causes the periodic sending of an options table, which details the configuration of each sampler and allows the collector to map the sampler ID provided in any flow record to a configuration that it can use to scale up the flow statistics:
Router(config)# flow exporter FLOW-EXPORTER-1Router(config-flow-exporter)# option sampler-tableThe following example causes the periodic sending of an options table, which allows the collector to map the NBAR application IDs provided in the flow records to application names:
Router(config)# flow exporter FLOW-EXPORTER-1Router(config-flow-exporter)# option application-tableThe following example causes the periodic sending of an options table, which allows the collector to map the VRF IDs provided in the flow records to VRF names:
Router(config)# flow exporter FLOW-EXPORTER-1Router(config-flow-exporter)# option vrf-tableRelated Commands
output-features
To enable sending Flexible NetFlow export packets using quality of service (QoS) or encryption, use the output-features command in Flexible NetFlow flow exporter configuration mode. To disable sending export packets using QoS or encryption, use the no form of this command.
output-features
no output-features
Syntax Description
This command has no arguments or keywords.
Command Default
If QoS or encryption is configured on the router, neither QoS or encryption is run on Flexible NetFlow export packets.
Command Modes
Flexible NetFlow flow exporter configuration (config-flow-exporter)
Command History
Usage Guidelines
If the router has the output feature quality of service (QoS) or encryption configured, the output-features command causes the output features to be run on Flexible NetFlow export packets.
Examples
The following example configures the use of QoS or encryption on Flexible NetFlow export packets:
Router(config)# flow exporter FLOW-EXPORTER-1Router(config-flow-exporter)# output-featuresRelated Commands
record
To configure a flow record for a Flexible NetFlow flow monitor, use the record command in Flexible NetFlow flow monitor configuration mode. To remove a flow record for a Flexible NetFlow flow monitor, use the no form of this command.
record {record-name | netflow-original | netflow {ipv4 | ipv6} record [peer]}
no record
Syntax Description
record-name
Name of a user-defined flow record that was previously configured.
netflow-original
Configures the flow monitor to use the Flexible NetFlow implementation of original NetFlow with origin autonomous systems.
netflow ipv4
Configures the flow monitor to use one of the predefined IPv4 records.
netflow ipv6
Configures the flow monitor to use one of the predefined IPv6 records.
record
Name of the predefined record. See Table 9 for a listing of the available records and their definitions.
peer
(Optional) Configures the flow monitor to use one of the predefined records with peer autonomous systems. The peer keyword is not supported for every type of Flexible NetFlow predefined record. See Table 9.
Command Default
A flow record is not configured.
Command Modes
Flexible NetFlow flow monitor configuration (config-flow-monitor)
Command History
Usage Guidelines
Each flow monitor requires a record to define the contents and layout of its cache entries. The flow monitor can use one of the wide range of predefined record formats, or advanced users may create their own record formats.
Note
Table 9 describes the keywords and descriptions for the record argument.
Examples
The following example configures the flow monitor to use the NetFlow original record:
Router(config)# flow monitor FLOW-MONITOR-1Router(config-flow-monitor)# record netflow-originalThe following example configures the flow monitor to use a user-defined record named `collect-ipv4-data':
Router(config)# flow monitor FLOW-MONITOR-1Router(config-flow-monitor)# record collect-ipv4-dataThe following example configures the flow monitor to use the Flexible NetFlow IPv4 destination prefix record:
Router(config)# flow monitor FLOW-MONITOR-1Router(config-flow-monitor)# record netflow ipv4 destination-prefixThe following example configures the flow monitor to use a the Flexible NetFlow IPv6 destination prefix record:
Router(config)# flow monitor FLOW-MONITOR-1Router(config-flow-monitor)# record netflow ipv6 destination-prefixRelated Commands
sampler
To create a Flexible NetFlow flow sampler, or to modify an existing Flexible NetFlow flow sampler, and to enter Flexible NetFlow sampler configuration mode, use the sampler command in global configuration mode. To remove a sampler, use the no form of this command.
sampler sampler-name
no sampler sampler-name
Syntax Description
Command Default
Samplers are not configured.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Flow samplers are used to reduce the load placed by Flexible NetFlow on the networking device to monitor traffic by limiting the number of packets that are analyzed. You configure a rate of sampling that is 1 out of a range of 2 to 32768 packets. For example, a rate of 1 out of 2 results in analysis of 50 percent of the packets sampled. Flow samplers are applied to interfaces in conjunction with a flow monitor to implement sampled Flexible NetFlow.
To enable flow sampling, you configure the record that you want to use for traffic analysis and assign it to a flow monitor. When you apply a flow monitor with a sampler to an interface, the sampled packets are analyzed at the rate specified by the sampler and compared with the flow record associated with the flow monitor. If the analyzed packets meet the criteria specified by the flow record, they are added to the flow monitor cache.
Examples
The following example creates a flow sampler name SAMPLER-1:
Router(config)# sampler SAMPLER-1Router(config-sampler)#Related Commands
show flow exporter
To display Flexible NetFlow flow exporter status and statistics, use the show flow exporter command in privileged EXEC mode.
show flow exporter [export-ids netflow-v9 | [name] exporter-name [statistics | templates]]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example displays the status and statistics for all of the flow exporters configured on a router:
Router# show flow exporterFlow Exporter NFC-DC-PHOENIX:Description: NFC server in the Phoenix data centerTransport Configuration:Destination IP address: 172.16.10.2Source IP address: 172.16.7.1Transport Protocol: UDPDestination Port: 850Source Port: 56196DSCP: 0x0TTL: 15Table 10 describes the significant fields shown in the display.
The following example displays the NetFlow Version 9 export IDs for all of the flow exporters configured on a router:
Router# show flow exporter export-ids netflow-v9Export IDs used by fields in NetFlow-common export format:ip version : 60ip tos : 194ip dscp : 195ip precedence : 196ip protocol : 4ip ttl : 192ip ttl minimum : 52ip ttl maximum : 53ip length header : 189ip length payload : 204ip section header : 313ip section payload : 314routing source as : 16routing destination as : 17routing source as peer : 129routing destination as peer : 128routing source traffic-index : 92routing destination traffic-index : 93routing forwarding-status : 89routing is-multicast : 206routing next-hop address ipv4 : 15routing next-hop address ipv4 bgp : 18routing next-hop address ipv6 bgp : 63ipv4 header-length : 207ipv4 tos : 5ipv4 total-length : 190ipv4 total-length minimum : 25ipv4 total-length maximum : 26ipv4 id : 54ipv4 fragmentation flags : 197ipv4 fragmentation offset : 88ipv4 source address : 8ipv4 source prefix : 44ipv4 source mask : 9ipv4 destination address : 12ipv4 destination prefix : 45ipv4 destination mask : 13ipv4 options : 208transport source-port : 7transport destination-port : 11transport icmp-ipv4 type : 176transport icmp-ipv4 code : 177transport igmp type : 33transport tcp source-port : 182transport tcp destination-port : 183transport tcp sequence-number : 184transport tcp acknowledgement-number : 185transport tcp header-length : 188transport tcp window-size : 186transport tcp urgent-pointer : 187transport tcp flags : 6transport udp source-port : 180transport udp destination-port : 181transport udp message-length : 205interface input snmp : 10interface output snmp : 14interface name : 82interface description : 83flow direction : 61flow exporter : 144flow sampler : 48flow sampler algorithm export : 49flow sampler interval : 50flow sampler name : 84flow class : 51v9-scope system : 1v9-scope interface : 2v9-scope linecard : 3v9-scope cache : 4v9-scope template : 5counter flows : 3counter bytes : 1counter bytes long : 1counter packets : 2counter packets long : 2counter bytes squared long : 198counter bytes permanent : 85counter packets permanent : 86counter bytes squared permanent : 199counter bytes exported : 40counter packets exported : 41counter flows exported : 42timestamp sys-uptime first : 22timestamp sys-uptime last : 21The following example displays the status and statistics for all of the flow exporters configured on a router:
Router# show flow exporter name NFC-DC-PHOENIX statisticsFlow Exporter NFC-DC-PHOENIX:Packet send statistics:Ok 0No FIB 0Adjacency failure 0Enqueued to process level 488Enqueueing failed 0IPC failed 0Output failed 0Fragmentation failed 0Encap fixup failed 0No destination address 0Client send statistics:Client: Flow Monitor FLOW-MONITOR-1Records added 558Packets sent 486 (51261 bytes)Packets dropped 0 (0 bytes)No Packet available errors 0Table 11 describes the significant fields shown in the display.
The following example displays the template format for the exporters configured on the router:
Router# show flow exporter templatesFlow Exporter NFC-DC-PHOENIX:Client: Flow Monitor FLOW-MONITOR-1Exporter Format: NetFlow Version 9Template ID : 256Record Size : 53Template layout_____________________________________________________________________| Field | Type1 | Offset2 | Size3 |---------------------------------------------------------------------| ipv4 source address | 8 | 0 | 4 || ipv4 destination address | 12 | 4 | 4 || interface input snmp | 10 | 8 | 4 || flow sampler | 48 | 12 | 4 || transport source-port | 7 | 16 | 2 || transport destination-port | 11 | 18 | 2 || ip tos | 194 | 20 | 1 || ip protocol | 4 | 21 | 1 || ipv4 source mask | 9 | 22 | 1 || ipv4 destination mask | 13 | 23 | 1 || transport tcp flags | 6 | 24 | 1 || routing source as | 16 | 25 | 2 || routing destination as | 17 | 27 | 2 || routing next-hop address ipv4 | 15 | 29 | 4 || interface output snmp | 14 | 33 | 4 || counter bytes | 1 | 37 | 4 || counter packets | 2 | 41 | 4 || timestamp sys-uptime first | 22 | 45 | 4 || timestamp sys-uptime last | 21 | 49 | 4 |---------------------------------------------------------------------1The field type from the display output of the show flow exporter export-ids netflow-v9 command.
2Where this field is located in the flow record.
3Size of the field in octets (8-bit bytes).Related Commands
clear flow exporter
Clears the statistics for exporters.
debug flow exporter
Enables debugging output for flow exporters.
flow exporter
Creates a flow exporter.
show flow interface
To display the Flexible NetFlow configuration and status for an interface, use the show flow interface command in privileged EXEC mode.
show flow interface [type number]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example displays the Flexible NetFlow accounting configuration on Ethernet interfaces 0/0 and 0/1:
Router# show flow interface ethernet 1/0Interface Ethernet1/0FNF: monitor: NFC-DC-PHOENIXdirection: Outputtraffic(ip): onRouter# show flow interface ethernet 0/0Interface Ethernet0/0FNF: monitor: FLOW-MONITOR-1direction: Inputtraffic(ip): sampler SAMPLER-2#Table 12 describes the significant fields shown in the display.
Related Commands
show flow monitor
To display the status and statistics for a Flexible NetFlow flow monitor, use the show flow monitor command in privileged EXEC mode.
show flow monitor [{[name] monitor-name [cache [format {csv | record | table}] | statistics}]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
The cache keyword uses the table format by default.
The upper case field names in the display output of the show flow monitor monitor-name cache command are key fields that Flexible NetFlow uses to differentiate flows. The lower case field names in the display output of the show flow monitor monitor-name cache command are non-key fields from which Flexible NetFlow collects values as additional data for the cache.
Router# show flow monitor NFC-DC-PHOENIX cache...IP TOS: 0x00IP PROTOCOL: 6IPV4 SOURCE ADDRESS: 10.10.10.2IPV4 DESTINATION ADDRESS: 172.16.10.2TRNS SOURCE PORT: 20TRNS DESTINATION PORT: 20INTERFACE INPUT: Et0/0FLOW SAMPLER ID: 0ip source as: 0ip destination as: 0ipv4 next hop address: 172.16.7.2ipv4 source mask: /0ipv4 destination mask: /24tcp flags: 0x00interface output: Et1/0counter bytes: 198520counter packets: 4963timestamp first: 10564356timestamp last: 12154104Examples
The following example displays the status for a flow monitor:
Router# show flow monitor NFC-DC-PHOENIXFlow Monitor NFC-DC-PHOENIX:Description: Used for basic traffic analysisFlow Record: netflow-originalFlow Exporter: EXP-DC-TOPEKAEXP-DC-PHOENIXCache:Type: normalStatus: allocatedSize: 4096 entries / 311316 bytesInactive Timeout: 15 secsActive Timeout: 1800 secsUpdate Timeout: 1800 secsTable 13 describes the significant fields shown in the display.
The following example displays the status, statistics, and data for the flow monitor named NFC-DC-PHOENIX:
Router# show flow monitor NFC-DC-PHOENIX cacheCache type: NormalCache size: 4096Current entries: 8High Watermark: 10Flows added: 1560Flows aged: 1552- Active timeout ( 1800 secs) 24- Inactive timeout ( 15 secs) 1528- Event aged 0- Watermark aged 0- Emergency aged 0IP TOS: 0x00IP PROTOCOL: 6IPV4 SOURCE ADDRESS: 10.10.10.2IPV4 DESTINATION ADDRESS: 172.16.10.2TRNS SOURCE PORT: 20TRNS DESTINATION PORT: 20INTERFACE INPUT: Et0/0FLOW SAMPLER ID: 0ip source as: 0ip destination as: 0ipv4 next hop address: 172.16.7.2ipv4 source mask: /0ipv4 destination mask: /24tcp flags: 0x00interface output: Et1/0counter bytes: 198520counter packets: 4963timestamp first: 10564356timestamp last: 12154104Table 14 describes the significant fields shown in the display.
The following example displays the status, statistics, and data for the flow monitor named NFC-DC-PHOENIX in a table format:
Router# show flow monitor NFC-DC-PHOENIX cache format tableCache type: NormalCache size: 4096Current entries: 4High Watermark: 6Flows added: 90Flows aged: 86- Active timeout ( 1800 secs) 0- Inactive timeout ( 15 secs) 86- Event aged 0- Watermark aged 0- Emergency aged 0IP TOS IP PROT IPV4 SRC ADDR IPV4 DST ADDR TRNS SRC PORT TRNS DST PORT====== ======= =============== =============== ============= ==============0x00 1 10.251.10.1 172.16.10.2 0 020x00 1 10.251.10.1 172.16.10.2 0 204840xC0 17 172.16.6.1 224.0.0.9 520 52020x00 6 10.10.11.1 172.16.10.5 25 252Router#The following example displays the status, statistics, and data for the flow monitor named FLOW-MONITOR-IPv6 (the cache contains IPv6 data) in record format:
Router# show flow monitor name FLOW-MONITOR-IPv6 cache format recordCache type: NormalCache size: 4096Current entries: 6High Watermark: 8Flows added: 1048Flows aged: 1042- Active timeout ( 1800 secs) 11- Inactive timeout ( 15 secs) 1031- Event aged 0- Watermark aged 0- Emergency aged 0IPV6 FLOW LABEL: 0IPV6 EXTENSION MAP: 0x00000040IPV6 SOURCE ADDRESS: 2001:DB8:1:ABCD::1IPV6 DESTINATION ADDRESS: 2001:DB8:4:ABCD::2TRNS SOURCE PORT: 3000TRNS DESTINATION PORT: 55INTERFACE INPUT: Et0/0FLOW DIRECTION: InputFLOW SAMPLER ID: 0IP PROTOCOL: 17IP TOS: 0x00ip source as: 0ip destination as: 0ipv6 next hop address: ::ipv6 source mask: /48ipv6 destination mask: /0tcp flags: 0x00interface output: Nullcounter bytes: 521192counter packets: 9307timestamp first: 9899684timestamp last: 11660744Table 15 describes the significant fields shown in the display.
The following example displays the status and statistics for a flow monitor:
Router# show flow monitor NFC-DC-PHOENIX statisticsCache type: NormalCache size: 4096Current entries: 4High Watermark: 6Flows added: 116Flows aged: 112- Active timeout ( 1800 secs) 0- Inactive timeout ( 15 secs) 112- Event aged 0- Watermark aged 0- Emergency aged 0Table 16 describes the significant fields shown in the display.
Related Commands
clear flow monitor
Clears the flow monitor.
debug flow monitor
Enables debugging output for flow monitors.
show flow monitor cache aggregate
To display aggregated flow statistics from a flow monitor cache, use the show flow monitor cache aggregate command in privileged EXEC mode.
show flow monitor [name] monitor-name cache aggregate {{options [...options] [collect options [...options]] | record record-name} [format {csv | record | table}}
Syntax Description
name
(Optional) Specifies the name of a flow monitor.
monitor-name
Name of a flow monitor that was previously configured.
options
Fields upon which aggregation is performed; and from which additional data from the cache is displayed when the collect keyword is used. You can specify multiple values for the options argument. See the "Aggregation Options Argument" section in the "Usage Guidelines".
collect
(Optional) Display additional data from the cache. See the "Cache Data Fields Displayed" section in the "Usage Guidelines".
record record-name
Specifies the name of a user-defined flow record or a predefined flow record. See Table 17 for a listing of the available predefined records and their definitions.
format
(Optional) Specifies the use of one of the format options for formatting the display output.
csv
Displays the flow monitor cache contents in comma-separated variables (CSV) format.
record
Displays the flow monitor cache contents in record format.
table
Displays the flow monitor cache contents in table format.
Command Modes
Privileged EXEC (#)
Command History
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 NPE series routers.
Usage Guidelines
Flexible Netflow - Top N Talkers Support
The show flow monitor cache aggregate command is one of a set of three commands that make up the Flexible Netflow - Top N Talkers Support feature. The Flexible Netflow - Top N Talkers Support feature is used to manipulate the display output from the Flexible NetFlow cache to facilitate the analysis of network traffic.
The other two commands that make up the Flexible Netflow - Top N Talkers Support feature are show flow monitor cache filter and show flow monitor cache sort. The three commands can be used together or on their own, depending on your requirements. For more detailed information about these commands, see the show flow monitor cache filter command and the show flow monitor cache sort command. For information about how the three commands are used together, refer to the "Configuring Cisco IOS Flexible Netflow - Top N Talkers Support" module in the Configuring Cisco IOS Flexible Netflow Configuration Guide.
Flow Aggregation
Flow aggregation using the show flow monitor cache aggregate command allows you to dynamically view the flow information in a cache using a different flow record than the cache was originally created from. Only the fields in the cache will be available for the aggregated flows.
Note
Aggregation helps you achieve a higher- level view of the traffic in your network by combining flow data from multiple flows based on the criteria which you are interested; for example, displaying flow data for:
•
•
•
Aggregation Options Argument
The options that you can use for the options argument of the show flow monitor cache aggregate command are dependent on the fields that are used for the user-defined flow record that you configured for the flow monitor using the record command. To identify the options that you can use, use the show flow record record-name command in privileged EXEC mode, where record-name is the name of the record that you configured for the flow monitor.
For example, if you assigned the "NetFlow Original" predefined record to a flow monitor, you use the show flow record netflow-original command to display its key (match) and non-key (collect) fields. The following is partial output from the show flow record netflow-original command:
flow record netflow-original:Description: Traditional IPv4 input NetFlow with origin ASsNo. of users: 2Total field space: 53 bytesFields:match ipv4 tosmatch ipv4 protocolmatch ipv4 source addressmatch ipv4 destination address...collect counter packetscollect timestamp sys-uptime firstcollect timestamp sys-uptime lastThe fields from this partial output above that you can use for the option argument follow the match (key fields) and collect (non-key fields) words. For example, you can use the "ipv4 tos" field to aggregate the flows as shown in the first example in the "Examples" section.
Cache Data Fields Displayed
By default the data fields from the cache that are shown in the display output of the show flow monitor cache aggregate command are limited to the field used for aggregation and the counter fields such as flows, number of bytes, and the number of packets. The following is partial output from the show flow monitor FLOW-MONITOR-3 cache aggregate ipv4 destination address command:
IPV4 DST ADDR flows bytes pkts=============== ========== ========== ==========224.192.16.1 2 97340 4867224.192.18.1 3 96080 4804224.192.16.4 4 79760 3988224.192.45.12 3 77480 3874255.255.255.255 1 52 1Notice that the data contains only the IPv4 destination addresses for which flows have been aggregated and the counter values.
The flow monitor (FLOW-MONITOR-3) referenced by the show flow monitor FLOW-MONITOR-3 cache aggregate ipv4 destination address command uses the "NetFlow Original" predefined record, which contains the following key and non-key fields:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
The collect keyword is used to include additional cache data in the display output of the show flow monitor cache aggregate command. The following partial output from the show flow monitor FLOW-MONITOR-3 cache aggregate ipv4 destination address collect transport tcp flags command shows the transport TCP flags data from the cache:
IPV4 DST ADDR tcp flags flows bytes pkts=============== ========= ========== ========== ==========224.192.16.1 0x00 4 165280 8264224.192.18.1 0x00 4 158660 7933224.192.16.4 0x00 3 146740 7337224.192.45.12 0x00 4 145620 7281255.255.255.255 0x00 1 52 1224.0.0.13 0x00 1 54 1You can add cache data fields after the collect keyword to show additional data from the cache in the display output of the show flow monitor cache aggregate command.
Keywords and Descriptions for the record Argument
Table 17 describes the keywords and descriptions for the record argument.
Examples
The following example aggregates the flow monitor cache data on the IPv4 type of service (ToS) value:
Router# show flow monitor FLOW-MONITOR-2 cache aggregate ipv4 tosProcessed 12 flowsAggregated to 3 flowsIP TOS flows bytes pkts====== ========== ========== ==========0x90 6 706800 353400xC8 4 345192 428710xAC 2 7865 342The following example aggregates the flow monitor cache data on the IPv4 destination address and displays the cache data for the IPv4 protocol type and input interface non-key fields:
Router# show flow monitor FLOW-MONITOR-3 cache aggregate ipv4 destination address collect ipv4 protocol interface inputProcessed 17 flowsAggregated to 7 flowsIPV4 DST ADDR intf input flows bytes pkts ip prot=============== ==================== ========== ========== ========== =======224.192.16.4 Et0/0 3 42200 2110 1224.192.16.1 Et0/0 3 17160 858 1224.192.18.1 Et0/0 4 18180 909 1224.192.45.12 Et0/0 4 14440 722 1255.255.255.255 Et0/0 1 52 1 17224.0.0.13 Et0/0 1 54 1 103224.0.0.1 Et0/0 1 28 1 2The following example aggregates the flow monitor cache data on the destination and source IPv4 addresses:
Router# show flow monitor FLOW-MONITOR-1 cache aggregate ipv4 destination address ipv4 source addressProcessed 26 flowsAggregated to 17 flowsIPV4 SRC ADDR IPV4 DST ADDR flows bytes pkts=============== =============== ========== ========== ==========10.251.10.1 172.16.10.2 2 1400828 1364192.168.67.6 172.16.10.200 1 19096 68210.234.53.1 172.16.10.2 3 73656 2046172.30.231.193 172.16.10.2 3 73616 204510.10.10.2 172.16.10.2 2 54560 1364192.168.87.200 172.16.10.2 2 54560 136410.10.10.4 172.16.10.4 1 27280 68210.10.11.1 172.16.10.5 1 27280 68210.10.11.2 172.16.10.6 1 27280 68210.10.11.3 172.16.10.7 1 27280 68210.10.11.4 172.16.10.8 1 27280 68210.1.1.1 172.16.10.9 1 27280 68210.1.1.2 172.16.10.10 1 27280 68210.1.1.3 172.16.10.11 1 27280 682172.16.1.84 172.16.10.19 2 54520 1363172.16.1.85 172.16.10.20 2 54520 1363172.16.6.1 224.0.0.9 1 52 1Related Commands
show flow monitor cache filter
To filter the display output of statistics from the flows in a flow monitor cache, use the show flow monitor cache filter command in privileged EXEC mode.
show flow monitor [name] monitor-name cache filter options [regexp regexp] [...options [regexp regexp] [format {csv | record | table}
Syntax Description
name
(Optional) Specifies the name of a flow monitor.
monitor-name
Name of a flow monitor that was previously configured.
options
Fields upon which filtering is performed. You can specify multiple values for the options argument. See the "Filter Options Argument" section section in "Usage Guidelines".
regexp regexp
(Optional) Match the field specified with the options argument against a regular expression. See the "Regular Expressions" section section in "Usage Guidelines".
Command Modes
Privileged EXEC (#)
Command History
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 NPE series routers.
Usage Guidelines
Flexible Netflow - Top N Talkers Support
The show flow monitor cache filter command is one of a set of three commands that make up the Flexible Netflow - Top N Talkers Support feature. The Flexible Netflow - Top N Talkers Support feature is used to manipulate the display output from the Flexible NetFlow cache to facilitate the analysis of network traffic.
The other two commands that make up the Flexible Netflow - Top N Talkers Support feature are show flow monitor cache sort and show flow monitor cache aggregate. The three commands can be used together or on their own, depending on your requirements. For more detailed information about these commands, see the show flow monitor cache sort command and the show flow monitor cache aggregate command. For information about how the three commands are used together, refer to the "Configuring Cisco IOS Flexible Netflow - Top N Talkers Support" module in the Configuring Cisco IOS Flexible Netflow Configuration Guide.
Filter Options Argument
The options that you can use for the options argument of the show flow monitor cache filter command are dependent on the fields that are used for the record that you configured for the flow monitor using the record command. To identify the options that you can use, use the show flow record record-name command in privileged EXEC mode, where record-name is the name of the record that you configured for the flow monitor.
For example, if you assigned the "NetFlow Original" predefined record to a flow monitor, you use the show flow record netflow-original command to display its key (match) and non-key (collect) fields. The following is partial output from the show command:
flow record netflow-original:Description: Traditional IPv4 input NetFlow with origin ASsNo. of users: 2Total field space: 53 bytesFields:match ipv4 tosmatch ipv4 protocolmatch ipv4 source addressmatch ipv4 destination address...collect counter packetscollect timestamp sys-uptime firstcollect timestamp sys-uptime lastThe fields from this partial output above that you can use for the option argument follow the match (key fields) and collect (non-key fields) words. For example, you can use the "ipv4 tos" field to filter the flows as shown in the first example in the "Examples" section.
Filtering Criteria
The following are examples of the types of filtering criteria available for the show flow monitor cache filter command:
•
–
–
•
–
–
•
–
•
–
•
–
•
–
•
–
•
–
–
•
–
•
–
•
–
•
–
Regular Expressions
Table 18 shows the syntax for regular expressions.
Examples
The following example filters the flow monitor cache data on the IPv4 type of service (ToS) value:
Router# show flow monitor FLOW-MONITOR-3 cache filter ipv4 tos regexp 0x(C0|50)Cache type: NormalCache size: 4096Current entries: 19High Watermark: 38Flows added: 3516Flows aged: 3497- Active timeout ( 1800 secs) 52- Inactive timeout ( 15 secs) 3445- Event aged 0- Watermark aged 0- Emergency aged 0IPV4 SOURCE ADDRESS: 10.1.1.1IPV4 DESTINATION ADDRESS: 255.255.255.255TRNS SOURCE PORT: 520TRNS DESTINATION PORT: 520INTERFACE INPUT: Et0/0FLOW SAMPLER ID: 0IP TOS: 0xC0IP PROTOCOL: 17ip source as: 0ip destination as: 0ipv4 next hop address: 0.0.0.0ipv4 source mask: /24ipv4 destination mask: /0tcp flags: 0x00interface output: Nullcounter bytes: 52counter packets: 1timestamp first: 18:59:46.199timestamp last: 18:59:46.199Matched 1 flowThe following example filters the flow monitor cache data on the source IPv4 address of 10.234.53.1:
Router# show flow monitor FLOW-MONITOR-1 cache filter ipv4 source address 10.234.53.1Cache type: NormalCache size: 4096Current entries: 26High Watermark: 26Flows added: 87Flows aged: 61- Active timeout ( 1800 secs) 0- Inactive timeout ( 15 secs) 61- Event aged 0- Watermark aged 0- Emergency aged 0IPV4 SOURCE ADDRESS: 10.234.53.1IPV4 DESTINATION ADDRESS: 172.16.10.2TRNS SOURCE PORT: 0TRNS DESTINATION PORT: 2048INTERFACE INPUT: Et0/0.1FLOW SAMPLER ID: 0IP TOS: 0x00IP PROTOCOL: 1ip source as: 0ip destination as: 0ipv4 next hop address: 172.16.7.2ipv4 source mask: /0ipv4 destination mask: /24tcp flags: 0x00interface output: Et1/0.1counter bytes: 24724counter packets: 883timestamp first: 16:03:56.007timestamp last: 16:27:07.063IPV4 SOURCE ADDRESS: 10.234.53.1IPV4 DESTINATION ADDRESS: 172.16.10.2TRNS SOURCE PORT: 20TRNS DESTINATION PORT: 20INTERFACE INPUT: Et0/0.1FLOW SAMPLER ID: 0IP TOS: 0x00IP PROTOCOL: 6ip source as: 0ip destination as: 0ipv4 next hop address: 172.16.7.2ipv4 source mask: /0ipv4 destination mask: /24tcp flags: 0x00interface output: Et1/0.1counter bytes: 35320counter packets: 883timestamp first: 16:03:56.267timestamp last: 16:27:07.323IPV4 SOURCE ADDRESS: 10.234.53.1IPV4 DESTINATION ADDRESS: 172.16.10.2TRNS SOURCE PORT: 21TRNS DESTINATION PORT: 21INTERFACE INPUT: Et0/0.1FLOW SAMPLER ID: 0IP TOS: 0x00IP PROTOCOL: 6ip source as: 0ip destination as: 0ipv4 next hop address: 172.16.7.2ipv4 source mask: /0ipv4 destination mask: /24tcp flags: 0x00interface output: Et1/0.1counter bytes: 35320counter packets: 883timestamp first: 16:03:56.327timestamp last: 16:27:07.363Matched 3 flowsThe following example uses multiple filtering criteria to filter the cache data on the IPv4 destination address and the destination port:
Router# show flow monitor FLOW-MONITOR-1 cache filter ipv4 destination address regexp 172.16.10* transport destination-port 21Cache type: NormalCache size: 4096Current entries: 26High Watermark: 26Flows added: 241Flows aged: 215- Active timeout ( 1800 secs) 50- Inactive timeout ( 15 secs) 165- Event aged 0- Watermark aged 0- Emergency aged 0IPV4 SOURCE ADDRESS: 10.10.10.2IPV4 DESTINATION ADDRESS: 172.16.10.2TRNS SOURCE PORT: 21TRNS DESTINATION PORT: 21INTERFACE INPUT: Et0/0.1FLOW SAMPLER ID: 0IP TOS: 0x00IP PROTOCOL: 6ip source as: 0ip destination as: 0ipv4 next hop address: 172.16.7.2ipv4 source mask: /0ipv4 destination mask: /24tcp flags: 0x00interface output: Et1/0.1counter bytes: 17200counter packets: 430timestamp first: 17:03:58.071timestamp last: 17:15:14.615IPV4 SOURCE ADDRESS: 172.30.231.193IPV4 DESTINATION ADDRESS: 172.16.10.2TRNS SOURCE PORT: 21TRNS DESTINATION PORT: 21INTERFACE INPUT: Et0/0.1FLOW SAMPLER ID: 0IP TOS: 0x00IP PROTOCOL: 6ip source as: 0ip destination as: 0ipv4 next hop address: 172.16.7.2ipv4 source mask: /0ipv4 destination mask: /24tcp flags: 0x00interface output: Et1/0.1counter bytes: 17160counter packets: 429timestamp first: 17:03:59.963timestamp last: 17:15:14.887Matched 2 flowsRelated Commands
show flow monitor cache sort
To sort the display output of statistics from the flows in a flow monitor cache, use the show flow monitor cache sort command in privileged EXEC mode.
show flow monitor [name] monitor-name cache sort options [top [number]] [format {csv | record | table}]
Syntax Description
name
(Optional) Specifies the name of a flow monitor.
monitor-name
Name of a flow monitor that was previously configured.
options
Fields upon which aggregation can be performed. See the "Sort Options Argument" section section in "Usage Guidelines".
top
(Optional) Limits the display output to the 20 highest volume flows (top talkers) unless overridden by the specification of a value for the number argument.
number
(Optional) Overrides the default value of top talkers to display.
format
(Optional) Specifies the use of one of the format options for formatting the display output.
csv
Displays the flow monitor cache contents in comma-separated variables (CSV) format.
record
Displays the flow monitor cache contents in record format.
table
Displays the flow monitor cache contents in table format.
Command Modes
Privileged EXEC (#)
Command History
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 NPE series routers.
Usage Guidelines
Flexible Netflow - Top N Talkers Support
The show flow monitor cache sort command is one of a set of three commands that make upthe Flexible Netflow - Top N Talkers Support feature. The Flexible Netflow - Top N Talkers Support feature is used to manipulate the display output from the Flexible NetFlow cache to facilitate the analysis of network traffic.
The other two commands that make up the Flexible Netflow - Top N Talkers Support feature are show flow monitor cache filter and show flow monitor cache aggregate. The three commands can be used together or on their own, depending on your requirements. For more detailed information about these commands, see the show flow monitor cache filter command and the show flow monitor cache aggregate command. For information about how the three commands are used together, refer to the "Configuring Cisco IOS Flexible Netflow - Top N Talkers Support" module in the Configuring Cisco IOS Flexible Netflow Configuration Guide.
Flow Sorting
The flow sorting function of the Flexible Netflow - Top N Talkers Support feature sorts flow data from the Flexible NetFlow cache based on the criteria that you specify, and displays the data. You can also use the flow sorting function of the Flexible Netflow - Top N Talkers Support feature to limit the display output to a specific number of entries (Top N Talkers) by using the top keyword.
Sort Options Argument
The options that you can use for the options argument of the show flow monitor cache filter command are dependent on the fields that are used for the record that you configured for the flow monitor using the record command. To identify the options that you can use, use the show flow record record-name command in privileged EXEC mode, where record-name is the name of the record that you configured for the flow monitor.
For example, if you assigned the "NetFlow Original" predefined record to a flow monitor, you use the show flow record netflow-original command to display its key (match) and non-key (collect) fields. The following is partial output from the show command:
flow record netflow-original:Description: Traditional IPv4 input NetFlow with origin ASsNo. of users: 2Total field space: 53 bytesFields:match ipv4 tosmatch ipv4 protocolmatch ipv4 source addressmatch ipv4 destination address...collect counter packetscollect timestamp sys-uptime firstcollect timestamp sys-uptime lastThe fields from this partial output above that you can use for the option argument follow the match (key fields) and collect (non-key fields) words. For example, you can use the "ipv4 tos" field to sort the flows as shown in the first example in the "Examples" section.
Examples
The following example sorts the flow monitor cache data on the IPv4 type of service (ToS) value and limits the display output to the top 2 flows:
Router# show flow monitor FLOW-MONITOR-3 cache sort ipv4 tos top 2Processed 17 flowsAggregated to 17 flowsShowing the top 2 flowsIPV4 SOURCE ADDRESS: 10.1.1.1IPV4 DESTINATION ADDRESS: 224.192.16.1TRNS SOURCE PORT: 0TRNS DESTINATION PORT: 3073INTERFACE INPUT: Et0/0FLOW SAMPLER ID: 0IP TOS: 0x55IP PROTOCOL: 1ip source as: 0ip destination as: 0ipv4 next hop address: 0.0.0.0ipv4 source mask: /24ipv4 destination mask: /0tcp flags: 0x00interface output: Nullcounter bytes: 33680counter packets: 1684timestamp first: 18:39:27.563timestamp last: 19:04:28.459IPV4 SOURCE ADDRESS: 10.1.1.1IPV4 DESTINATION ADDRESS: 224.192.16.1TRNS SOURCE PORT: 0TRNS DESTINATION PORT: 0INTERFACE INPUT: Et0/0FLOW SAMPLER ID: 0IP TOS: 0x55IP PROTOCOL: 1ip source as: 0ip destination as: 0ipv4 next hop address: 0.0.0.0ipv4 source mask: /24ipv4 destination mask: /0tcp flags: 0x00interface output: Et3/0.1counter bytes: 145040counter packets: 7252timestamp first: 18:42:34.043timestamp last: 19:04:28.459The following example displays the top three flows from the cache sorted on the IPv4 destination addresses from lowest to highest (no aggregation is performed):
Router# show flow monitor FLOW-MONITOR-1 cache sort lowest ipv4 destination address top 3Processed 10 flowsAggregated to 10 flowsShowing the top 3 flowsIPV4 SOURCE ADDRESS: 10.1.4.2IPV4 DESTINATION ADDRESS: 10.1.2.2datalink dot1q vlan output: 0datalink mac source address input: AABB.CC00.2300datalink mac source address output: AABB.CC00.2001datalink mac destination address input: AABB.CC00.2003flow direction: Outputcounter bytes: 50511396counter packets: 35558IPV4 SOURCE ADDRESS: 10.1.4.2IPV4 DESTINATION ADDRESS: 10.1.3.2datalink dot1q vlan output: 0datalink mac source address input: AABB.CC00.2300datalink mac source address output: AABB.CC00.2002datalink mac destination address input: AABB.CC00.2003flow direction: Outputcounter bytes: 1154150counter packets: 787IPV4 SOURCE ADDRESS: 10.1.2.2IPV4 DESTINATION ADDRESS: 10.1.4.2datalink dot1q vlan output: 15datalink mac source address input: AABB.CC00.2100datalink mac source address output: AABB.CC00.2003datalink mac destination address input: AABB.CC00.2001flow direction: Outputcounter bytes: 50750405counter packets: 35722Related Commands
show flow record
To display the status and statistics for a Flexible NetFlow flow record, use the show flow record command in privileged EXEC mode.
show flow record [[name] record-name | netflow-original | netflow {ipv4 | ipv6} record [peer]]
Syntax Description
name
(Optional) Specifies the name of a flow record.
record-name
(Optional) Name of a user-defined flow record that was previously configured.
netflow-original
(Optional) Specifies the Flexible NetFlow implementation of original NetFlow with origin autonomous systems.
netflow ipv4
(Optional) Configures the flow monitor to use one of the IPv4 predefined records.
netflow ipv6
(Optional) Configures the flow monitor to use one of the IPv6 predefined records.
record
(Optional) Name of the predefined record. See Table 19 for a listing of the available records and their definitions.
peer
(Optional) Configures the flow monitor to use one of the predefined records with peer autonomous systems. The peer keyword is not supported for every type of Flexible NetFlow predefined record. See Table 19.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Keywords and Descriptions for the record Argument
Table 19 describes the keywords and descriptions for the record argument.
Examples
The following example displays the status and statistics for the original Flexible NetFlow record:
Router# show flow record netflow-originalflow record netflow-original:Description: Traditional IPv4 input NetFlow with origin ASsNo. of users: 3Total field space: 53 bytesFields:match flow samplermatch interface inputmatch transport destination-portmatch transport source-portmatch ipv4 destination addressmatch ipv4 source addressmatch ipv4 protocolmatch ipv4 toscollect counter bytescollect counter packetscollect timestamp sys-uptime lastcollect timestamp sys-uptime firstcollect ipv4 destination maskcollect ipv4 source maskcollect routing destination ascollect routing source ascollect transport tcp flagscollect routing next-hop address ipv4collect interface outputTable 20 describes the significant fields shown in the display.
Related Commands
show sampler
To display the status and statistics for a Flexible NetFlow sampler, use the show sampler command in privileged EXEC mode.
show sampler [[name] sampler-name]
Syntax Description
name
(Optional) Specifies the name of a flow sampler.
sampler-name
(Optional) Name of a sampler that was previously configured.
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example displays the status and statistics for all of the flow samplers configured:
Router# show samplerSampler SAMPLER-1:ID: 1Description: User definedType: randomRate: 1 out of 3Samples: 189Requests: 23243Users (2):flow monitor FLOW-MONITOR-1 (ip,Et0/0,Input) 65 out of 10786flow monitor FLOW-MONITOR-2 (ipv6,Et0/0, Input) 124 out of 12457Sampler sampler-2:ID: 2Description: User definedType: deterministicRate: 1 out of 100Samples: 1Requests: 124Users (1):flow monitor FLOW-MONITOR-1 (ip,Et0/0,Input) 1 out of 124Table 21 describes the significant fields shown in the display.
Related Commands
clear sampler
Clears the flow sampler statistics.
debug sampler
Enables debugging output for flow samplers.
sampler
Creates a flow sampler.
source (Flexible NetFlow)
To configure the source IP address interface for all of the packets sent by a Flexible NetFlow flow exporter, use the source command in Flexible NetFlow flow exporter configuration mode. To remove the source IP address interface for all of the packets sent by a Flexible NetFlow flow exporter, use the no form of this command.
source type number
no source
Syntax Description
Command Default
The IP address of the interface over which the Flexible NetFlow datagram is transmitted is used as the source IP address.
Command Modes
Flexible NetFlow flow exporter configuration (config-flow-exporter)
Command History
Usage Guidelines
These are some of the benefits of using a consistent IP source address for the datagrams that NetFlow sends:
•
•
Caution
Tip
Examples
The following example shows how to configure Flexible NetFlow to use a loopback interface as the source interface for NetFlow traffic:
Router(config)# flow exporter FLOW-EXPORTER-1Router(config-flow-exporter)# source loopback 0Related Commands
statistics packet
To collect protocol distribution statistics and/or size distribution statistics for a Flexible NetFlow flow monitor, use the statistics packet command in Flexible NetFlow flow monitor configuration mode. To disable collecting protocol distribution statistics and/or size distribution statistics for a Flexible NetFlow flow monitor, use the no form of this command.
statistics packet {protocol | size}
no statistics packet {protocol | size}
Syntax Description
protocol
Collects packet protocol distribution statistics.
size
Collects packet size distribution statistic.
Command Default
The collection of protocol distribution statistics and/or size distribution statistics for a Flexible NetFlow flow monitor is not enabled by default.
Command Modes
Flexible NetFlow flow monitor configuration (config-flow-monitor)
Command History
Examples
The following example enables the collection of protocol distribution statistics for flow monitors:
Router(config)# flow monitor FLOW-MONITOR-1Router(config-flow-monitor)# statistics packet protocolThe following example enables the collection of size distribution statistics for flow monitors:
Router(config)# flow monitor FLOW-MONITOR-1Router(config-flow-monitor)# statistics packet sizeRelated Commands
template data timeout
To configure the template resend timeout for a Flexible NetFlow flow exporter, use the template data timeout command in Flexible NetFlow flow exporter configuration mode. To remove the template resend timeout for a Flexible NetFlow flow exporter, use the no form of this command.
template data timeout seconds
no template data timeout
Syntax Description
seconds
Configures resending of templates based on the timeout value in seconds, that you enter. Range: 1 to 86400. Default 600.
Command Default
The default template resend timeout for a Flexible NetFlow flow exporter is 600 seconds.
Command Modes
Flexible NetFlow flow exporter configuration (config-flow-exporter)
Command History
Examples
The following example configures resending templates based on a timeout of 1000 seconds:
Router(config)# flow exporter FLOW-EXPORTER-1Router(config-flow-exporter)# template data timeout 1000Related Commands
transport (Flexible NetFlow)
To configure the transport protocol for a Flexible NetFlow flow exporter, use the transport command in Flexible NetFlow flow exporter configuration mode. To remove the transport protocol for a Flexible NetFlow flow exporter, use the no form of this command.
transport udp udp-port
no transport
Syntax Description
udp udp-port
Specifies user datagram protocol (UDP) as the transport protocol and the UDP port number.
Command Default
Flow exporters use UDP on port 9995.
Command Modes
Flexible NetFlow flow exporter configuration (config-flow-exporter)
Command History
Examples
The following example configures UDP as the transport protocol and a UDP port number of 250:
Router(config)# flow exporter FLOW-EXPORTER-1Router(config-flow-exporter)# transport udp 250Related Commands
ttl (Flexible NetFlow)
To configure the time-to-live (TTL) value for a Flexible NetFlow flow exporter, use the ttl command in Flexible NetFlow flow exporter configuration mode. To remove the TTL value for a Flexible NetFlow flow exporter, use the no form of this command.
ttl ttl
no ttl
Syntax Description
Command Default
Flow exporters use a TTL of 255.
Command Modes
Flexible NetFlow flow exporter configuration (config-flow-exporter)
Command History
Examples
The following example specifies a TTL of 15:
Router(config)# flow exporter FLOW-EXPORTER-1Router(config-flow-exporter)# ttl 15Related Commands
