Downloads |
Table Of Contents
Configuring NetFlow Aggregation Caches
Prerequisites for Configuring NetFlow Aggregation Caches
Restrictions for Configuring NetFlow Aggregation Caches
Information About Configuring NetFlow Aggregation Caches
NetFlow Cache Aggregation Benefits
NetFlow Cache Aggregation Schemes
NetFlow Aggregation Scheme Fields
NetFlow AS-ToS Aggregation Scheme
NetFlow Destination Prefix Aggregation Scheme
NetFlow Destination Prefix-ToS Aggregation Scheme
NetFlow Prefix Aggregation Scheme
NetFlow Prefix-Port Aggregation Scheme
NetFlow Prefix-ToS Aggregation Scheme
NetFlow Protocol Port Aggregation Scheme
NetFlow Protocol-Port-ToS Aggregation Scheme
NetFlow Source Prefix Aggregation Scheme
NetFlow Source Prefix-ToS Aggregation Scheme
NetFlow Data Export Format Versions 9, and 8 for NetFlow Aggregation Caches: Overview
How to Configure NetFlow Aggregation Caches
Configuring NetFlow Aggregation Caches
Verifying the Aggregation Cache Configuration
Configuration Examples for Configuring NetFlow Aggregation Caches
Configuring an AS Aggregation Cache: Example
Configuring a Destination Prefix Aggregation Cache: Example
Configuring a Prefix Aggregation Cache: Example
Configuring a Protocol Port Aggregation Cache: Example
Configuring a Source Prefix Aggregation Cache: Example
Configuring an AS-ToS Aggregation Cache: Example
Configuring a Prefix-ToS Aggregation Cache: Example
Configuring the Minimum Mask of a Prefix Aggregation Scheme: Example
Configuring the Minimum Mask of a Destination Prefix Aggregation Scheme: Example
Configuring the Minimum Mask of a Source Prefix Aggregation Scheme: Example
Configuring NetFlow Version 9 Data Export for Aggregation Caches: Example
Configuring NetFlow Version 8 Data Export for Aggregation Caches: Example
Feature Information for Configuring NetFlow Aggregation Caches
Configuring NetFlow Aggregation Caches
First Published: June 19, 2006Last Updated: October 02, 2009This module contains information about and instructions for configuring NetFlow aggregation caches. The NetFlow main cache is the default cache used to store the data captured by NetFlow. By maintaining one or more extra caches, called aggregation caches, the NetFlow Aggregation feature allows limited aggregation of NetFlow data export streams on a router. The aggregation scheme that you select determines the specific kinds of data that are exported to a remote host.
NetFlow is a Cisco IOS application that provides statistics on packets flowing through the router. It is emerging as a primary network accounting and security technology.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring NetFlow Aggregation Caches" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Configuring NetFlow Aggregation Caches
•
•
•
•
•
Prerequisites for Configuring NetFlow Aggregation Caches
NetFlow Aggregation Caches
Before you enable NetFlow you must:
•
•
•
If you intend to use Version 8 export format with an aggregation cache, configure Version 5 export format for the main cache.
If you need autonomous system (AS) information from the aggregation, make sure to specify either the peer-as or origin-as keyword in your export command if you have not configured an export format version.
You must explicitly enable each NetFlow aggregation cache by entering the enabled keyword from aggregation cache configuration mode.
Router-based aggregation must be enabled for minimum masking.
Restrictions for Configuring NetFlow Aggregation Caches
Cisco IOS Releases 12.2(14)S, 12.0(22)S, or 12.2(15)T
If your router is running a version of Cisco IOS prior to releases 12.2(14)S, 12.0(22)S, or 12.2(15)T the ip route-cache flow command is used to enable NetFlow on an interface.
If your router is running Cisco IOS release 12.2(14)S, 12.0(22)S, 12.2(15)T, or later the ip flow ingress command is used to enable NetFlow on an interface.
Memory Impact
During times of heavy traffic, the additional flows can fill up the global flow hash table. If you need to increase the size of the global flow hash table, increase the memory of the router.
Performance Impact
Configuring Egress NetFlow accounting with the ip flow egress command might adversely affect network performance because of the additional accounting-related computation that occurs in the traffic-forwarding path of the router.
NetFlow Data Export
Restrictions for NetFlow Version 9 Data Export
•
•
•
Restrictions for NetFlow Version 8 Export Format
Version 8 export format is available only for aggregation caches, and it cannot be expanded to support new features.
Information About Configuring NetFlow Aggregation Caches
Before configuring the NetFlow main cache, NetFlow aggregation caches and NetFlow aggregation schemes, you should understand the following information:
•
NetFlow Aggregation Caches
•
•
•
•
•
•
•
•
•
•
•
•
•
•
NetFlow Cache Aggregation Benefits
Aggregation of export data is typically performed by NetFlow collection tools on management workstations. Router-based aggregation allows limited aggregation of NetFlow export records to occur on the router. Thus, you can summarize NetFlow export data on the router before the data is exported to a NetFlow data collection system, which has the following benefits:
•
•
•
NetFlow Cache Aggregation Schemes
Cisco IOS NetFlow aggregation maintains one or more extra caches with different combinations of fields that determine which flows are grouped together. These extra caches are called aggregation caches. The combinations of fields that make up an aggregation cache are referred to as schemes. As flows expire from the main cache, they are added to each enabled aggregation cache.
You can configure each aggregation cache with its individual cache size, cache ager timeout parameter, export destination IP address, and export destination UDP port. As data flows expire in the main cache (depending on the aggregation scheme configured), relevant information is extracted from the expired flow and the corresponding flow entry in the aggregation cache is updated. The normal flow ager process runs on each active aggregation cache the same way it runs on the main cache. On-demand aging is also supported. Each aggregation cache contains different field combinations that determine which data flows are grouped. The default aggregation cache size is 4096 bytes.
You configure a cache aggregation scheme through the use of arguments to the ip flow-aggregation cache command. NetFlow supports the following five non-ToS based cache aggregation schemes:
•
•
•
•
•
The NetFlow Type of Service (ToS)-Based Router Aggregation feature introduced support for additional cache aggregation schemes, all of which include the ToS byte as one of the fields in the aggregation cache. The following are the six ToS-based aggregation schemes:
•
•
•
•
•
•
Figure 1 shows an example of how the main NetFlow cache can be aggregated into multiple aggregation caches based upon user-configured aggregation schemes.
Figure 1 Building a NetFlow Aggregation Cache
Note
NetFlow Aggregation Scheme Fields
Each cache aggregation scheme contains field combinations that differ from any other cache aggregation scheme. The combination of fields determines which data flows are grouped and collected when a flow expires from the main cache. A flow is a set of packets that has common fields, such as the source IP address, destination IP address, protocol, source and destination ports, type-of-service, and the same interface on which the flow is monitored. To manage flow aggregation on your router, you need to configure the aggregation cache scheme that groups and collects the fields from which you want to examine data. Table 1 and Table 2 show the NetFlow fields that are grouped and collected for non-ToS and ToS based cache aggregation schemes.
Table 1 shows the NetFlow fields used in the non-TOS based aggregation schemes.
Table 2 shows the NetFlow fields used in the TOS based aggregation schemes.
NetFlow AS Aggregation Scheme
The NetFlow AS aggregation scheme reduces NetFlow export data volume substantially and generates AS-to-AS traffic flow data. The scheme groups data flows that have the same source BGP AS, destination BGP AS, input interface, and output interface.
The aggregated NetFlow data export records report the following:
•
•
•
•
•
•
•
Figure 2 shows the data export format for the AS aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 3.
Figure 2 Data Export Format for AS Aggregation Scheme
Table 3 lists definitions for the data export record fields used in the AS aggregation scheme.
NetFlow AS-ToS Aggregation Scheme
The NetFlow AS-ToS aggregation scheme groups flows that have the same source BGP AS, destination BGP AS, source and destination interfaces, and ToS byte. The aggregated NetFlow export record based on the AS-ToS aggregation scheme reports the following:
•
•
•
•
•
•
•
•
This aggregation scheme is particularly useful for generating AS-to-AS traffic flow data, and for reducing NetFlow export data volume substantially. Figure 3 show the data export format for the AS-ToS aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 4.
Figure 3 Data Export Format for AS-ToS Aggregation Scheme
Table 4 lists definitions for the data export record terms used in the AS-ToS aggregation scheme.
NetFlow Destination Prefix Aggregation Scheme
The destination prefix aggregation scheme generates data so that you can examine the destinations of network traffic passing through a NetFlow-enabled device. The scheme groups data flows that have the same destination prefix, destination prefix mask, destination BGP AS, and output interface.
The aggregated NetFlow data export records report the following:
•
•
•
•
•
•
•
•
Figure 4 shows the data export format for the destination prefix aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 5.
Figure 4 Destination Prefix Aggregation Data Export Record Format
Table 5 lists definitions for the data export record terms used in the destination prefix aggregation scheme.
NetFlow Destination Prefix-ToS Aggregation Scheme
The NetFlow destination prefix-ToS aggregation scheme groups flows that have the same destination prefix, destination prefix mask, destination BGP AS, ToS byte, and output interface. The aggregated NetFlow export record reports the following:
•
•
•
•
•
•
•
•
•
This aggregation scheme is particularly useful for capturing data with which you can examine the destinations of network traffic passing through a NetFlow-enabled device. Figure 5 shows the data export format for the Destination prefix-ToS aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 6.
Figure 5 Data Export Format for Destination Prefix-ToS Aggregation Scheme
Table 6 lists definitions for the data export record terms used in the destination prefix-ToS aggregation scheme.
NetFlow Prefix Aggregation Scheme
The NetFlow prefix aggregation scheme generates data so that you can examine the sources and destinations of network traffic passing through a NetFlow-enabled device. The scheme groups data flows that have the same source prefix, destination prefix, source prefix mask, destination prefix mask, source BGP AS, destination BGP AS, input interface, and output interface. See Figure 6.
The aggregated NetFlow data export records report the following:
•
•
•
•
•
•
•
•
Figure 6 shows the data export format for the prefix aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 7.
Figure 6 Data Export Format for Prefix Aggregation Scheme
Table 7 lists definitions for the data export record terms used in the prefix aggregation scheme.
NetFlow Prefix-Port Aggregation Scheme
The NetFlow prefix-port aggregation scheme groups flows that have a common source prefix, source mask, destination prefix, destination mask, source port and destination port when applicable, input interface, output interface, protocol, and ToS byte. The aggregated NetFlow export record reports the following:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
This aggregation scheme is particularly useful for capturing data with which you can examine the sources and destinations of network traffic passing through a NetFlow-enabled device. Figure 7 shows the data export record for the prefix-port aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 8.
Figure 7 Data Export Record for Prefix-Port Aggregation Scheme
Table 8 lists definitions for the data export record terms used in the prefix-port aggregation scheme.
NetFlow Prefix-ToS Aggregation Scheme
The NetFlow prefix-tos aggregation scheme groups together flows that have a common source prefix, source mask, destination prefix, destination mask, source BGP AS, destination BGP AS, input interface, output interface, and ToS byte. The aggregated NetFlow export record reports the following:
•
•
•
•
•
•
•
•
•
•
•
•
•
This aggregation scheme is particularly useful for capturing data so that you can examine the sources and destinations of network traffic passing through a NetFlow-enabled device. Figure 8 displays the data export format for the prefix-tos aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 9.
Figure 8 Data Export Format for Prefix-ToS Aggregation Scheme
Table 9 lists definitions for the data export record terms used in the prefix-ToS aggregation scheme.
NetFlow Protocol Port Aggregation Scheme
The NetFlow protocol port aggregation scheme captures data so that you can examine network usage by traffic type. The scheme groups data flows with the same IP protocol, source port number, and (when applicable) destination port number.
The aggregated NetFlow data export records report the following:
•
•
•
•
•
•
Figure 9 shows the data export format for the protocol port aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 10.
Figure 9 Data Export Format for Protocol Port Aggregation Scheme
Table 10 lists definitions for the data export record terms used in the protocol port aggregation scheme.
NetFlow Protocol-Port-ToS Aggregation Scheme
The NetFlow protocol-port-tos aggregation scheme groups flows that have a common IP protocol, ToS byte, source and (when applicable) destination port numbers, and source and destination interfaces. The aggregated NetFlow Export record reports the following:
•
•
•
•
•
•
•
•
•
This aggregation scheme is particularly useful for capturing data so that you can examine network usage by type of traffic. Figure 10 shows the data export format for the protocol-port-tos aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 11.
Figure 10 Data Export Format for Protocol-Port-ToS Aggregation Scheme
Table 11 lists definitions for the data export record terms used in the protocol-port-ToS aggregation scheme.
NetFlow Source Prefix Aggregation Scheme
The NetFlow source prefix aggregation scheme captures data so that you can examine the sources of network traffic passing through a NetFlow-enabled device. The scheme groups data flows that have the same source prefix, source prefix mask, source BGP AS, and input interface.
The aggregated NetFlow data export records report the following:
•
•
•
•
•
•
•
Figure 11 show the data export format for the source prefix aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 12.
Figure 11 Data Export Format for Source Prefix Aggregation Scheme
Table 12 lists definitions for the data export record terms used in the source prefix aggregation scheme.
NetFlow Source Prefix-ToS Aggregation Scheme
The NetFlow source prefix-ToS aggregation scheme groups flows that have a common source prefix, source prefix mask, source BGP AS, ToS byte, and input interface. The aggregated NetFlow export record reports the following:
•
•
•
•
•
•
•
•
This aggregation scheme is particularly useful for capturing data so that you can examine the sources of network traffic passing through a NetFlow-enabled device. Figure 12 show the data export format for the source prefix-ToS aggregation scheme. For a definition of the data export terms used in the aggregation scheme, see Table 13.
Note
Figure 12 Data Export Format for Source Prefix-ToS Aggregation Scheme
Table 13 lists definitions for the data export record terms used in the source prefix-ToS aggregation scheme.
NetFlow Data Export Format Versions 9, and 8 for NetFlow Aggregation Caches: Overview
Export formats available for NetFlow aggregation caches are the Version 9 export format and the Version 8 export format.
•
•
The Version 9 export format is flexible and extensible, which provides the versatility needed for the support of new fields and record types. You can use the Version 9 export format for both main and aggregation caches.
The Version 8 export format was added to support data export from aggregation caches. This format allows export datagrams to contain a subset of the Version 5 export data that is valid for the cache aggregation scheme.
Refer to the NetFlow Data Export section for more details.
How to Configure NetFlow Aggregation Caches
This section is broken down into the following subsections:
•
•
Configuring NetFlow Aggregation Caches
Perform the steps in this required to enable NetFlow and configure a NetFlow aggregation cache.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
DETAILED STEPS
Verifying the Aggregation Cache Configuration
Perform the steps in this optional task to verify that:
•
•
•
SUMMARY STEPS
1.
2.
DETAILED STEPS
Step 1
Use the show ip cache flow aggregation destination-prefix command to verify the configuration of an destination-prefix aggregation cache. For example:
Router# show ip cache flow aggregation destination-prefixIP Flow Switching Cache, 139272 bytes5 active, 2043 inactive, 9 added841 ager polls, 0 flow alloc failuresActive flows timeout in 15 minutesInactive flows timeout in 300 secondsIP Sub Flow Cache, 11144 bytes5 active, 507 inactive, 9 added, 9 added to flow0 alloc failures, 0 force free1 chunk, 2 chunks addedDst If Dst Prefix Msk AS Flows Pkts B/Pk ActiveNull 0.0.0.0 /0 0 5 13 52 138.9Et0/0.1 172.16.6.0 /24 0 1 1 56 0.0Et1/0.1 172.16.7.0 /24 0 3 31K 1314 187.3Et0/0.1 172.16.1.0 /24 0 16 104K 1398 188.4Et1/0.1 172.16.10.0 /24 0 9 99K 1412 183.3Router#Use the show ip cache verbose flow aggregation source-prefix command to verify the configuration of a source-prefix aggregation cache. For example:
Router# show ip cache verbose flow aggregation source-prefixIP Flow Switching Cache, 278544 bytes4 active, 4092 inactive, 4 added51 ager polls, 0 flow alloc failuresActive flows timeout in 30 minutesInactive flows timeout in 15 secondsIP Sub Flow Cache, 21640 bytes4 active, 1020 inactive, 4 added, 4 added to flow0 alloc failures, 0 force free1 chunk, 1 chunk addedSrc If Src Prefix Msk AS Flows Pkts B/Pk ActiveEt1/0.1 172.16.10.0 /24 0 4 35K 1391 67.9Et0/0.1 172.16.6.0 /24 0 2 5 88 60.6Et1/0.1 172.16.7.0 /24 0 2 3515 1423 58.6Et0/0.1 172.16.1.0 /24 0 2 20K 1416 71.9Router#Use the show ip cache verbose flow aggregation protocol-port command to verify the configuration of a protocol-port aggregation cache. For example:
Router# show ip cache verbose flow aggregation protocol-portIP Flow Switching Cache, 278544 bytes4 active, 4092 inactive, 4 added158 ager polls, 0 flow alloc failuresActive flows timeout in 30 minutesInactive flows timeout in 15 secondsIP Sub Flow Cache, 21640 bytes0 active, 1024 inactive, 0 added, 0 added to flow0 alloc failures, 0 force free1 chunk, 1 chunk addedProtocol Source Port Dest Port Flows Packets Bytes/Packet Active0x01 0x0000 0x0000 6 52K 1405 104.30x11 0x0208 0x0208 1 3 52 56.90x01 0x0000 0x0800 2 846 1500 59.80x01 0x0000 0x0B01 2 10 56 63.0Router#Step 2
Use the show ip flow export command to verify that NetFlow Data Export is operational for the aggregation cache. For example:
Router# show ip flow exportFlow export v1 is disabled for main cacheVersion 1 flow recordsCache for protocol-port aggregation:Exporting flows to 172.16.20.4 (991) 172.30.0.1 (991)Exporting using source IP address 172.16.6.2Cache for source-prefix aggregation:Exporting flows to 172.16.20.4 (991) 172.30.0.1 (991)Exporting using source IP address 172.16.6.2Cache for destination-prefix aggregation:Exporting flows to 172.16.20.4 (991) 172.30.0.1 (991)Exporting using source IP address 172.16.6.240 flows exported in 20 udp datagrams0 flows failed due to lack of export packet20 export packets were sent up to process level0 export packets were dropped due to no fib0 export packets were dropped due to adjacency issues0 export packets were dropped due to fragmentation failures0 export packets were dropped due to encapsulation fixup failuresRouter#
Configuration Examples for Configuring NetFlow Aggregation Caches
This section provides the following examples for configuring an aggregation cache:
•
•
•
•
•
•
•
•
•
•
•
•
Configuring an AS Aggregation Cache: Example
The following example shows how to configure an AS aggregation cache with a cache size of 2046, an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.1, and a destination port of 9992:
configure terminal!ip flow-aggregation cache ascache entries 2046cache timeout inactive 200cache timeout active 45export destination 10.42.42.1 9992enabled!interface Ethernet0/0ip flow ingress!endConfiguring a Destination Prefix Aggregation Cache: Example
The following example shows how to configure a destination prefix aggregation cache with a cache size of 2046, an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.1, and a destination port of 9992:
configure terminal
!
ip flow-aggregation cache destination-prefixcache entries 2046cache timeout inactive 200cache timeout active 45export destination 10.42.42.1 9992enabled!interface Ethernet0/0ip flow ingress!endConfiguring a Prefix Aggregation Cache: Example
The following example shows how to configure a prefix aggregation cache with a cache size of 2046, an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.1, and a destination port of 9992:
configure terminal
!
ip flow-aggregation cache prefixcache entries 2046cache timeout inactive 200cache timeout active 45export destination 10.42.42.1 9992enabled!interface Ethernet0/0ip flow ingress!endConfiguring a Protocol Port Aggregation Cache: Example
The following example shows how to configure a protocol port aggregation cache with a cache size of 2046, an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.1, and a destination port of 9992:
configure terminal
!
ip flow-aggregation cache protocol-portcache entries 2046cache timeout inactive 200cache timeout active 45export destination 10.42.42.1 9992enabled!interface Ethernet0/0ip flow ingress!endConfiguring a Source Prefix Aggregation Cache: Example
The following example shows how to configure a source prefix aggregation cache with a cache size of 2046, an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.1, and a destination port of 9992:
configure terminal
!
ip flow-aggregation cache source-prefixcache entries 2046cache timeout inactive 200cache timeout active 45export destination 10.42.42.1 9992enabled!interface Ethernet0/0ip flow ingress!endConfiguring an AS-ToS Aggregation Cache: Example
The following example shows how to configure an AS-ToS aggregation cache with a cache active timeout of 20 minutes, an export destination IP address of 10.2.2.2, and a destination port of 9991:
configure terminal
!
ip flow-aggregation cache as-toscache timeout active 20export destination 10.2.2.2 9991enabled!interface Ethernet0/0ip flow ingress!endConfiguring a Prefix-ToS Aggregation Cache: Example
The following example shows how to configure a prefix-ToS aggregation cache with an export destination IP address of 10.4.4.4 and a destination port of 9995:
configure terminal
!
ip flow-aggregation cache prefix-tosexport destination 10.4.4.4 9995enabled!interface Ethernet0/0ip flow ingress!endConfiguring the Minimum Mask of a Prefix Aggregation Scheme: Example
The following example shows how to configure the minimum mask for a prefix aggregation scheme:
configure terminal
!
ip flow-aggregation cache prefixmask source minimum 24mask destination minimum 28enabled!interface Ethernet0/0ip flow ingress!endConfiguring the Minimum Mask of a Destination Prefix Aggregation Scheme: Example
The following example shows how to configure the minimum mask for a destination prefix aggregation scheme:
configure terminal
!
ip flow-aggregation cache destination-prefixmask destination minimum 32enabled!interface Ethernet0/0ip flow ingress!endConfiguring the Minimum Mask of a Source Prefix Aggregation Scheme: Example
The following example shows how to configure the minimum mask for a source prefix aggregation scheme:
configure terminal
!
ip flow-aggregation cache source-prefixmask source minimum 30enabled!interface Ethernet0/0ip flow ingress!endConfiguring NetFlow Version 9 Data Export for Aggregation Caches: Example
The following example shows how to configure NetFlow Version 9 data export for an AS aggregation cache scheme:
configure terminal!ip flow-aggregation cache asexport destination 10.42.42.2 9991export template refresh-rate 10export version 9export template timeout-rate 60enabled!interface Ethernet0/0ip flow ingress!endConfiguring NetFlow Version 8 Data Export for Aggregation Caches: Example
The following example shows how to configure NetFlow Version 8 data export for an AS aggregation cache scheme:
configure terminal!ip flow-aggregation cache asexport destination 10.42.42.2 9991export destination 10.42.41.1 9991export version 8enabled!interface Ethernet0/0ip flow ingress!endAdditional References
The following sections provide references related to configuring NetFlow aggregation caches and schemes.
Related Documents
Overview of Cisco IOS NetFlow
List of the features documented in the Book Title configuration guide
The minimum information about and tasks required for configuring NetFlow and NetFlow Data Export
Getting Started with Configuring NetFlow and NetFlow Data Export
Tasks for configuring NetFlow to capture and export network traffic data
Tasks for configuring Configuring MPLS Aware NetFlow
Tasks for configuring MPLS egress NetFlow accounting
Tasks for configuring NetFlow input filters
Using NetFlow Filtering or Sampling to Select the Network Traffic to Track
Tasks for configuring Random Sampled NetFlow
Using NetFlow Filtering or Sampling to Select the Network Traffic to Track
Tasks for configuring NetFlow BGP next hop support
Configuring NetFlow BGP Next Hop Support for Accounting and Analysis
Tasks for configuring NetFlow multicast support
Tasks for detecting and analyzing network threats with NetFlow
Tasks for configuring NetFlow Reliable Export With SCTP
Tasks for configuring NetFlow Layer 2 and Security Monitoring Exports
Tasks for configuring the SNMP NetFlow MIB
Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data
Tasks for configuring the NetFlow MIB and Top Talkers feature
Configuring NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands
Information for installing, starting, and configuring the CNS NetFlow Collection Engine
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
—
Technical Assistance
Feature Information for Configuring NetFlow Aggregation Caches
Table 14 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or 12.0(3)S or a later version appear in the table.
Not all commands may be available in your Cisco IOS software release. For details on when support for a specific command was introduced, see the command reference documentation.
For information on a feature in this technology that is not documented here, see the Cisco IOS NetFlow Features Roadmap.
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Note
Table 14 Feature Information for Configuring NetFlow Aggregation Caches
NetFlow ToS-Based Router Aggregation
12.0(15)S, 12.2(4)T, 12.2(14)S
Cisco IOS XE Release 2.1The NetFlow ToS-Based Router Aggregation feature enables you to limit router-based type of service (ToS) aggregation of NetFlow export data. The aggregation of export data provides a summarized NetFlow export data that can be exported to a collection device. The result is lower bandwidth requirements for NetFlow export data and reduced platform requirements for NetFlow data collection devices.
In Cisco IOS XE Release 2.1, this feature was introduced on Cisco ASR 1000 Series Routers.
The following sections provide information about this feature:
•
•
•
•
•
•
•
•
•
•
•
The following commands were modified by this feature: ip flow-aggregation cache, show ip cache verbose flow aggregation, and show ip flow export.
NetFlow Minimum Prefix Mask for Router-Based Aggregation
12.0(11)S, 12.1(2)T
Cisco IOS XE Release 2.1The NetFlow Minimum Prefix Mask for Router-Based Aggregation feature allows you to set a minimum mask size for prefix aggregation, destination prefix aggregation, and source prefix aggregation schemes.
In Cisco IOS XE Release 2.1, this feature was introduced on Cisco ASR 1000 Series Routers.
The following sections provide configuration information about this feature:
•
•
•
•
•
The following commands were modified by this feature: ip flow-aggregation cache, mask destination, mask source, and show ip cache flow aggregation.
Glossary
AS—autonomous system. A collection of networks under a common administration sharing a common routing strategy. Autonomous systems are subdivided by areas. An autonomous system must be assigned a unique 16-bit number by the Internet Assigned Numbers Authority (IANA).
CEF—Cisco Express Forwarding. A Layer 3 IP switching technology that optimizes network performance and scalability for networks with large and dynamic traffic patterns.
dCEF—Distributed Cisco Express Forwarding. Type of CEF switching in which line cards maintain an identical copy of the forwarding information base (FIB) and adjacency tables. The line cards perform the express forwarding between port adapters; this relieves the Route Switch Processor of involvement in the switching operation.
export packet—Type of packet built by a device (for example, a router) with NetFlow services enabled. The packet contains NetFlow statistics and is addressed to another device (for example, the NetFlow Collection Engine). The other device processes the packet (parses, aggregates, and stores information on IP flows).
flow—A set of packets with the same source IP address, destination IP address, protocol, source/destination ports, and type-of-service, and the same interface on which flow is monitored. Ingress flows are associated with the input interface, and egress flows are associated with the output interface.
flowset—Collection of flow records that follow the packet header in an export packet. A flowset contains information that must be parsed and interpreted by the NetFlow Collection Engine. There are two different types of flowsets: template flowsets and data flowsets. An export packet contains one or more flowsets, and both template and data flowsets can be mixed in the same export packet.
NetFlow—Cisco IOS accounting feature that maintains per-flow information.
NetFlow Aggregation—A NetFlow feature that lets you summarize NetFlow export data on an IOS router before the data is exported to a NetFlow data collection system such as the NetFlow Collection Engine. This feature lowers bandwidth requirements for NetFlow export data and reduces platform requirements for NetFlow data collection devices.
NetFlow Collection Engine (formerly NetFlow FlowCollector)—Cisco application that is used with NetFlow on Cisco routers and Catalyst series switches. The NetFlow Collection Engine collects packets from the router that is running NetFlow and decodes, aggregates, and stores them. You can generate reports on various aggregations that can be set up on the NetFlow Collection Engine.
NetFlow v9—NetFlow export format Version 9. A flexible and extensible means for carrying NetFlow records from a network node to a collector. NetFlow Version 9 has definable record types and is self-describing for easier NetFlow Collection Engine configuration.
QoS—quality of service. A measure of performance for a transmission system that reflects its transmission quality and service availability.
template flowset—One or more template records that are grouped in an export packet.
ToS—type of service. The second byte in the IP header. It indicates the desired quality of service (QoS) for a particular datagram.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006-2009 Cisco Systems, Inc. All rights reserved.
