Cisco Nexus 1000V System Management Configuration Guide, Release 4.2(1)SV2(1.1) - Configuring NetFlow [Cisco Nexus 1000V Series Switches]

Contents
Configuring NetFlow
Information about NetFlow
What is a Flow
Flow Record Definition
Predefined Flow Records
Accessing NetFlow Data
Command Line Interface for NetFlow
Flow Monitor
Flow Exporter
NetFlow Collector
Exporting Flows to the NetFlow Collector Server
What NetFlow Data Looks Like
Network Analysis Module
High Availability for NetFlow
Prerequisites for NetFlow
Configuration Guidelines and Limitations for NetFlow
Default Settings for NetFlow
Enabling the NetFlow Feature
Configuring Netflow
Defining a Flow Record
Defining a Flow Exporter
Defining a Flow Monitor
Assigning a Flow Monitor to an Interface
Adding a Flow Monitor to a Port Profile
Verifying the NetFlow Configuration
Netflow Example Configuration
Related Documents for NetFlow
Feature History for NetFlow
Configuring NetFlow

This chapter contains the following sections:

Information about NetFlow
Prerequisites for NetFlow
Configuration Guidelines and Limitations for NetFlow
Default Settings for NetFlow
Enabling the NetFlow Feature
Configuring Netflow
Verifying the NetFlow Configuration
Netflow Example Configuration
Related Documents for NetFlow
Feature History for NetFlow
Information about NetFlow

NetFlow lets you evaluate IP traffic and understand how and where it flows. NetFlow gives visibility into traffic transiting the virtual switch by characterizing IP traffic based on its source, destination, timing, and application information. This information is used to assess network availability and performance, assist in meeting regulatory requirements (compliance), and help with troubleshooting. NetFlow gathers data that can be used in accounting, network monitoring, and network planning.

What is a Flow
A flow is a one-directional stream of packets that arrives on a source interface (or subinterface), matching a set of criteria. All packets with the same source/destination IP address, source/destination ports, protocol interface and class of service are grouped into a flow and then packets and bytes are tallied. This condenses a large amount of network information into a database called the NetFlow cache.

Figure 1. NetFlow Cache Example

You create a flow by defining the criteria it gathers. Flows are stored in the NetFlow cache. Flow information tells you the following:

Source address tells you who is originating the traffic.

Destination address tells who is receiving the traffic.

Ports characterize the application using the traffic.

Class of service examines the priority of the traffic.

The device interface tells how traffic is being used by the network device.

Tallied packets and bytes show the amount of traffic.

What is a Flow
Flow Record Definition
Accessing NetFlow Data
Exporting Flows to the NetFlow Collector Server
What NetFlow Data Looks Like
Network Analysis Module
High Availability for NetFlow

What is a Flow

A flow is a one-directional stream of packets that arrives on a source interface (or subinterface), matching a set of criteria. All packets with the same source/destination IP address, source/destination ports, protocol interface and class of service are grouped into a flow and then packets and bytes are tallied. This condenses a large amount of network information into a database called the NetFlow cache.

You create a flow by defining the criteria it gathers. Flows are stored in the NetFlow cache. Flow information tells you the following:

Source address tells you who is originating the traffic.

Destination address tells who is receiving the traffic

Ports characterize the application using the traffic

Class of service examines the priority of the traffic

The device interface tells how traffic is being used by the network device

Tallied packets and bytes show the amount of traffic
Flow Record Definition

A flow record defines the information that NetFlow gathers, such as packets in the flow and the types of counters gathered per flow. You can define new flow records or use the pre-defined Cisco Nexus 1000V flow record.

The following table describes the criteria defined in a flow record.

Table 1 Flow record criteria
Flow Record Criteria Description

Match

Defines what information is matched for collection in the flow record.

ip: Data collected in the flow record matches one of the following IP options:
protocol

tos (type of service)

ipv4: Data collected in the flow record matches one of the following ipv4 address options:
source address

destination address

transport: Data collected in the flow record matches one of the following transport options:
destination port

source port

Collect

Defines how the flow record collects information.

counter: Collects Flow Record information in one of the following formats:
bytes: collected in 32-bit counters unless the long 64-bit counter is specified.

packets: collected in 32-bit counters unless the long 64-bit counter is specified.

timestamp sys-uptime: Collects the system up time for the first or last packet in the flow.

transport tcp flags: Collects the TCP transport layer flags for the packets in the flow.

Predefined Flow Records
Predefined Flow Records
Cisco Nexus 1000V Predefined Flow Record: Netflow-Original
switch# show flow record netflow-original
Flow record netflow-original:
    Description: Traditional IPv4 input NetFlow with origin ASs
    No. of users: 0
    Template ID: 0
    Fields:
        match ipv4 source address
        match ipv4 destination address
        match ip protocol
        match ip tos
        match transport source-port
        match transport destination-port
        match interface input
        match interface output
        match flow direction
        collect routing source as
        collect routing destination as
        collect routing next-hop address ipv4
        collect transport tcp flags
        collect counter bytes
        collect counter packets
        collect timestamp sys-uptime first
        collect timestamp sys-uptime last
switch# 
Note
Although the following lines appear in the output of the show flow record command, the commands they are based on are not currently supported in Cisco Nexus 1000V. The use of these commands has no affect on the configuration.
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
Cisco Nexus 1000V Predefined Flow Record: Netflow IPv4 Original-Input
switch# show flow record netflow ipv4 original-input
Flow record ipv4 original-input:
    Description: Traditional IPv4 input NetFlow
    No. of users: 0
    Template ID: 0
    Fields:
        match ipv4 source address
        match ipv4 destination address
        match ip protocol
        match ip tos
        match transport source-port
        match transport destination-port
        match interface input
        match interface output
        match flow direction
        collect routing source as
        collect routing destination as
        collect routing next-hop address ipv4
        collect transport tcp flags
        collect counter bytes
        collect counter packets
        collect timestamp sys-uptime first
        collect timestamp sys-uptime last
switch# 
Cisco Nexus 1000V Predefined Flow Record: Netflow IPv4 Original-Output
switch# show flow record netflow ipv4 original-output
Flow record ipv4 original-output:
    Description: Traditional IPv4 output NetFlow
    No. of users: 0
    Template ID: 0
    Fields:
        match ipv4 source address
        match ipv4 destination address
        match ip protocol
        match ip tos
        match transport source-port
        match transport destination-port
        match interface input
        match interface output
        match flow direction
        collect routing source as
        collect routing destination as
        collect routing next-hop address ipv4
        collect transport tcp flags
        collect counter bytes
        collect counter packets
        collect timestamp sys-uptime first
        collect timestamp sys-uptime last
switch# 
Cisco Nexus 1000V Predefined Flow Record: Netflow Protocol-Port
switch# show flow record netflow protocol-port
Flow record ipv4 protocol-port:
    Description: Protocol and Ports aggregation scheme
    No. of users: 0
    Template ID: 0
    Fields:
        match ip protocol
        match transport source-port
        match transport destination-port
        match interface input
        match interface output
        match flow direction
        collect counter bytes
        collect counter packets
        collect timestamp sys-uptime first
        collect timestamp sys-uptime last
switch# 
Accessing NetFlow Data

There are two primary methods used to access NetFlow data:

Command Line Interface (CLI)

NetFlow Collector

Command Line Interface for NetFlow
Flow Monitor
Flow Exporter
NetFlow Collector

Command Line Interface for NetFlow

Use the Command Line Interface (CLI) to access NetFlow data, and to view what is happening in your network now.

The CLI uses the Flow Monitor and Flow Exporter to capture and export flow records to the Netflow Collector. Cisco Nexus 1000V supports the NetFlow Version 9 export format.

Note
Cisco Nexus 1000V supports UDP as the transport protocol for exporting data to up to two exporters per monitor.

Flow Monitor

A flow monitor creates an association between the following NetFlow components:

a flow record—consisting of matching and collection criteria

a flow exporter—consisting of the export criteria

This flow monitor association enables a set, consisting of a record and an exporter, to be defined once and re-used many times. Multiple flow monitors can be created for different needs. A flow monitor is applied to a specific interface in a specific direction.

Flow Exporter

Use the flow exporter to define where and when the flow records are sent from the cache to the reporting server, called the NetFlow Collector. An exporter definition includes the following.

Destination IP address

Source interface

UDP port number (where the collector is listening)

Export format

Note
NetFlow export packets use the IP address assigned to the source interface. If the source interface does not have an IP address assigned to it, the exporter will be inactive.

NetFlow Collector

You can export NetFlow from the Cisco Nexus 1000V NetFlow cache to a reporting server called the NetFlow Collector. The NetFlow Collector assembles the exported flows and combines them to produce reports used for traffic and security analysis. NetFlow export, unlike SNMP polling, pushes information periodically to the NetFlow reporting collector. The NetFlow cache is constantly filling with flows. Cisco Nexus 1000V searches the cache for flows that have terminated or expired and exports them to the NetFlow collector server. Flows are terminated when the network communication has ended, that is, when a packet contains the TCP FIN flag.

The following steps implement NetFlow data reporting:

NetFlow records are configured to define the information that NetFlow gathers.

Netflow monitor is configured to capture flow records to the NetFlow cache.

NetFlow export is configured to send flows to the collector.

Cisco Nexus 1000V searches the NetFlow cache for flows that have terminated and exports them to the NetFlow collector server.

Flows are bundled together based on space availability in the UDP export packet or based on export timer.

The NetFlow collector software creates real-time or historical reports from the data.

Exporting Flows to the NetFlow Collector Server

Timers determine when a flow is exported to the NetFlow Collector Server. A flow is ready for export when one of the following occurs:

The flow is inactive for a certain time during which no new packets are received for the flow.

The flow has lived longer than the active timer, for example, a long FTP download.

A TCP flag indicates the flow is terminated. That is, a FIN or RST flag is present.

The flow cache is full and some flows must be aged out to make room for new flows.

Figure 2. Exporting Flows to the NetFlow Collector Server

What NetFlow Data Looks Like

The following figure shows an example of NetFlow data.

Figure 3. NetFlow Cache Example

Network Analysis Module

You can also use the Cisco Network Analysis Module (NAM) to monitor NetFlow data sources. NAM enables traffic analysis views and reports such as hosts, applications, conversations, VLAN, and QoS.

To use NAM for monitoring the Cisco Nexus 1000V NetFlow data sources see the Cisco Prime Network Analysis Module (NAM) for Nexus 1010 Installation and Configuration Guide.

High Availability for NetFlow

Cisco Nexus 1000V supports stateful restarts for NetFlow. After a reboot or supervisor switchover, Cisco Nexus 1000V applies the running configuration.
Prerequisites for NetFlow

You must be aware of resource requirements since NetFlow consumes additional memory and CPU resources.

Memory and CPU resources are provided by the VEM hosting the flow monitor interface. Resources are limited by the number of CPU cores present on the VEM.

Configuration Guidelines and Limitations for NetFlow

If a source interface is not configured, the NetFlow exporter will remain disabled.

In Cisco Nexus 1000V, Mgmt0 interface is configured by default as the source interface for an exporter.

Cisco Nexus 1000V includes the following predefined flow records that can be used instead of configuring a new one.
netflow-original Cisco Nexus 1000V predefined traditional IPv4 input NetFlow with origin ASs

Note
The routing-related fields in this predefined flow record are ignored.

netflow ipv4 original-input Cisco Nexus 1000V predefined traditional IPv4 input NetFlow

netflow ipv4 original-output Cisco Nexus 1000V predefined traditional IPv4 output NetFlow

netflow protocol-port Cisco Nexus 1000V predefined protocol and ports aggregation scheme

Up to 256 NetFlow interfaces are allowed per DVS.

Up to 32 NetFlow interfaces are allowed per host

A maximum of one flow monitor per interface per direction is allowed.

Up to 8 flow monitors are allowed per VEM.

Up to 2 flow exporters are permitted per monitor.

Up to 32 NetFlow Policies are allowed per DVS.

Up to 8 NetFlow Policies are allowed per host.

NetFlow is not supported on on port channels or interfaces in a port-channel.

Default Settings for NetFlow

Table 2 Default NetFlow Parameters
Parameters Default

NetFlow version

9

source interface

mgmt0

match

direction and interface (incoming/outgoing)

flow monitor active timeout

1800

flow monitor inactive timeout

15

flow monitor cache size

4096

flow exporter UDP port transport udp command

9995

DSCP

default/best-effort (0)

VRF

default
Enabling the NetFlow Feature
Before You Begin
You are logged in to the CLI in EXEC mode.

Procedure
Command or Action Purpose
Step 1 switch# configure terminal
Enters global configuration mode.

Step 2 switch(config)# feature netflow
Enables the NetFlow feature.

Step 3 switch(config)# show feature
(Optional) Displays the available features and whether or not they are enabled.

Step 4 switch(config)# copy running-config startup-config (Optional)
Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
This example shows how to enable the NetFlow feature:
switch# configure terminal
switch(config)# feature netflow
switch(config)#
Configuring Netflow
Defining a Flow Record
Before You Begin
You know which of the options you want this flow record to match.

You know which options you want this flow record to collect.
Note
Although the following lines appear in the output of the show flow record command, the commands they are based on are not currently supported in Cisco Nexus 1000V. The use of these commands has no affect on the configuration.
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
Procedure
Command or Action Purpose
Step 1 switch# configure terminal
Enters global configuration mode.

Step 2 switch(config)# flow record name
Creates a Flow Record by name, and places you in the CLI Flow Record Configuration mode for that specific record.

Step 3 switch(config#) description string
(Optional) Adds a description of up to 63 characters to the Flow Record and saves it to the running configuration.

Step 4 switch(config#) match {ip {protocol | tos} | ipv4 {destination address | source address} | transport {destination-port | source-port}}
Defines the Flow Record to match one of the following and saves it in the running configuration.

ip: Matches one of the following IP options:
protocol

tos (type of service)

ipv4: Matches one of the following ipv4 address options:
source address

destination address

transport: Matches one of the following transport options:
destination port

source port

Step 5 switch(config)# collect {counter {bytes [long] | packets [long]} | timestamp sys-uptime | transport tcp flags}
Specifies a collection option to define the information to collect in the Flow Record and saves it in the running configuration.

counter: Collects Flow Record information in one of the following formats:
bytes: collected in 32-bit counters unless the long 64-bit counter is specified.

packets: collected in 32-bit counters unless the long 64-bit counter is specified.

timestamp sys-uptime: Collects the system up time for the first or last packet in the flow.

transport tcp flags: Collects the TCP transport layer flags for the packets in the flow.

Step 6 switch(config)# show flow record name
(Optional) Displays information about Flow Records.

Step 7 switch(config)# copy running-config startup-config (Optional)
Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
The following example shows how to create a flow record:
switch# configure terminal
switch(config)# flow record RecordTest
switch(config-flow-record)# description Ipv4flow
switch(config-flow-record)# match ipv4 destination address
switch(config-flow-record)# collect counter packets
switch(config-flow-record)# show flow record RecordTest
Flow record RecordTest:
    Description: Ipv4flow
    No. of users: 0
    Template ID: 0
    Fields:
        match ipv4 destination address
        match interface input
        match interface output
        match flow direction
        collect counter packets
switch(config-flow-record)# 
Defining a Flow Exporter
A Flow Exporter defines where and how Flow Records are exported to the NetFlow Collector Server.

Export format version 9 is supported.

A maximum of two flow exporters per monitor are permitted.

Before You Begin
You know the destination IP address of the NetFlow Collector Server.

You know the source interface that Flow Records are sent from.

You know the transport UDP that the Collector is listening on.

Procedure
Command or Action Purpose
Step 1 switch# configure terminal
Enters global configuration mode.

Step 2 switch(config)#flow exporter name
Creates a Flow Exporter, saves it in the running configuration, and then places you in CLI Flow Exporter Configuration mode.

Step 3 switch(config-flow-exporter)# description string
Adds a description of up to 63 characters to this Flow Exporter and saves it in the running configuration.

Step 4 switch(config-flow-exporter)# destination {ipv4-address | ipv6-address}
Specifies the IP address of the destination interface for this Flow Exporter and saves it in the running configuration.

Step 5 switch(config-flow-exporter)# dscp value
Specifies the differentiated services codepoint value for this Flow Exporter, between 0 and 63, and saves it in the running configuration.

Step 6 switch(config-flow-exporter)# source mgmt interface_number
Specifies the interface and its number, from which the Flow Records are sent to the NetFlow Collector Server, and saves it in the running configuration.

Step 7 switch(config-flow-exporter)# transport udp port-number
Specifies the destination UDP port, between 0 and 65535, used to reach the NetFlow collecton, and saves it in the running configuration.

Step 8 switch(config-flow-exporter)# version {9}
Specifies NetFlow export version 9, saves it in the running configuration, and places you into the export version 9 configuration mode.

Step 9 switch(config-flow-exporter-version-9)# option {exporter-stats | interface-table | sampler-table} timeout value
Specifies one of the following version 9 exporter resend timers and its value, between 1 and 86400 seconds, and saves it in the running configuration.
exporter-stats

interface-table

sampler-table

Step 10 switch(config-flow-exporter-version-9)# template data timeout seconds
Sets the template data resend timer and its value, between 1 and 86400 seconds, and saves it in the running configuration.

Step 11 switch(config-flow-exporter-version-9)# show flow exporter [name]
(Optional) Displays information about the Flow Exporter.

Step 12 switch(config-flow-exporter-version-9)# copy running-config startup-config
Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
The following example shows how to create a flow exporter:
switch# configure terminal
switch(config)# flow exporter ExportTest
switch(config-flow-exporter)# description ExportHamilton
switch(config-flow-exporter)# destination 192.0.2.1
switch(config-flow-exporter)# dscp 2
switch(config-flow-exporter)# source mgmt 0
switch(config-flow-exporter)# transport udp 200
switch(config-flow-exporter)# version 9
switch(config-flow-exporter-version-9)# option exporter-stats timeout 1200
switch(config-flow-exporter-version-9)# template data timeout 1200
switch(config-flow-exporter-version-9)# show flow exporter ExportTest
Flow exporter ExportTest:
    Description: ExportHamilton
    Destination: 192.0.2.1
    VRF: default (1)
    Destination UDP Port 200
    Source Interface Mgmt0 
    DSCP 2
    Export Version 9
        Exporter-stats timeout 1200 seconds
        Data template timeout 1200 seconds
    Exporter Statistics
        Number of Flow Records Exported 0
        Number of Templates Exported 0
        Number of Export Packets Sent 0
        Number of Export Bytes Sent 0
        Number of Destination Unreachable Events 0
        Number of No Buffer Events 0
        Number of Packets Dropped (No Route to Host) 0
        Number of Packets Dropped (other) 0
        Number of Packets Dropped (LC to RP Error) 0
        Number of Packets Dropped (Output Drops) 1
        Time statistics were last cleared: Never
switch(config-flow-exporter-version-9)# copy running-config startup-config
switch(config-flow-exporter-version-9)# 
Defining a Flow Monitor
A Flow Monitor is associated with a Flow Record and a Flow Exporter.

A maximum of one flow monitor per interface per direction is permitted.

Before You Begin
You know the name of an existing Flow Exporter to associate with this flow monitor.

You know the name of an existing Flow Record to associate with this flow monitor. You can use either a flow record you previously created, or one of the following Cisco Nexus 1000V predefined flow records:
netflow-original

netflow ipv4 original-input

netflow ipv4 original-output

netflow protocol-port

Procedure
Command or Action Purpose
Step 1 switch# configure terminal
Enters global configuration mode.

Step 2 switch(config)# flow monitor name
Creates a flow monitor by name, saves it in the running configuration, and then places you in the CLI Flow Monitor Configuration mode.

Step 3 switch(config-flow-monitor)# description string
(Optional) For the specified flow monitor, adds a descriptive string of up to 63 alphanumeric characters, and saves it in the running configuration.

Step 4 switch(config-flow-monitor)# exporter name
For the specified flow monitor, adds an existing flow exporter and saves it in the running configuration.

Step 5 switch(config-flow-monitor)# record {name | netflow {ipv4}}
For the specified flow monitor, adds an existing flow record and saves it in the running configuration.
name: The name of a flow record you have previously created, or the name of a Cisco provided pre-defined flow record.

netflow: Traditional NetFlow collection schemes ipv4: Traditional IPv4 NetFlow collection schemes

Step 6 switch(config-flow-monitor)# timeout {active value | inactive value}
(Optional) For the specified flow monitor, specifies an aging timer and its value for aging entries from the cache, and saves them in the running configuration.
active: Active, or long, timeout. Allowable values are from 60 to 4092 seconds. Default is 1800.

inactive: Inactive or normal timeout. Allowable values are from 15 to 4092 seconds. Default is 15.

Step 7 switch(config-flow-monitor)# cache {size value}
(Optional) For the specified flow monitor, specifies the cache size, from 256 to 16384, entries, and saves it in the running configuration. Default is 4096.

This option is used to limit the impact of the monitor cache on memory and performance.

Step 8 switch(config-flow-monitor)# show flow monitor [name]
(Optional) Displays information about existing flow monitors.

Step 9 switch(config-flow-monitor)# copy running-config startup-config
Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
The following example shows how to create a flow exporter:
switch# configure terminal
switch(config)# flow monitor MonitorTest
switch(config-flow-monitor)# description Ipv4Monitor
switch(config-flow-monitor)# exporter ExportTest
switch(config-flow-monitor)# record RecordTest
switch(config-flow-monitor)# cache size 15000
switch(config-flow-monitor)# timeout inactive 600
switch(config-flow-monitor)# show flow monitor MonitorTest
Flow Monitor monitortest:
    Use count: 0
    Inactive timeout: 600
    Active timeout: 1800
    Cache Size: 15000
switch(config-flow-monitor)# 
Assigning a Flow Monitor to an Interface
Before You Begin
You know the name of the flow monitor you want to use for the interface.

You know the interface type and its number.

Procedure
Command or Action Purpose
Step 1 switch# configure terminal
Enters global configuration mode.

Step 2 switch(config)# interface interface-type interface-number
Places you in the CLI Interface Configuration mode for the specified interface.

Step 3 switch(config)# ip flow monitor name {input | output}
For the specified interface, assigns a flow monitor for input or output packets and saves it in the running configuration.

Step 4 switch(config)# show flow interface-type interface-number
(Optional) For the specified interface, displays the NetFlow configuration.

Step 5 switch(config)# copy running-config startup-config (Optional)
Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
The following example shows how to assign a flow monitor to an interface:
switch# configure terminal
switch(config)# interface veth 2
switch(config-if)# ip flow monitor MonitorTest output
switch(config-if)# show flow interface veth 2
Interface veth 2:
    Monitor: MonitorTest
    Direction: Output
switch(config-if)# 
Adding a Flow Monitor to a Port Profile
Before You Begin
You are logged in to the CLI in EXEC mode.

You have already created the flow monitor.

If using an existing port profile, you have already created the port profile and you know its name.

If creating a new port profile, you know the type of interface (Ethernet or vEthernet), and you know the name you want to give it.

Procedure
Command or Action Purpose
Step 1 switch# configure terminal
Enters global configuration mode.

Step 2 switch(config)# port-profile [type {ethernet | vethernet}] name
Enters port profile configuration mode for the named port profile.

Step 3 switch(config-port-prof)# ip flow monitor name {input | output}
Applies a named flow monitor to the port profile for either incoming (input) or outgoing (output) traffic.

Step 4 switch(config-port-prof)# show port-profile [brief | expand-interface | usage] [name profile-name]
(Optional) Displays the configuration for verification.

Step 5 switch(config-port-prof)# copy running-config startup-config (Optional)
Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
This example shows how to add a flow monitor to a port profile:
switch# configure terminal
switch(config)# port-profile AccessProf
switch(config-port-prof)# ip flow monitor allacces4 output
switch(config-port-prof)# show port-profile name AccessProf
port-profile AccessProf
  type: vethernet
  status: disabled
  capability l3control: no
  pinning control-vlan: -
  pinning packet-vlan: -
  system vlans: none
  port-group:
  max ports: 32
  inherit:
  config attributes:
    ip flow monitor allaccess4 output
  evaluated config attributes:
    ip flow monitor allaccess4 output
  assigned interfaces:
switch(config-port-prof)# 
Verifying the NetFlow Configuration
Use one of the following commands to verify the configuration:

Table 3 Verifying the NetFlow Configuration
Command Purpose

show flow exporter [name]

Displays information about NetFlow flow exporter maps.

show flow interface [interface-type number]

Displays information about NetFlow interfaces.

show flow monitor [name [cache module number | statistics module number] ]

Displays information about NetFlow flow monitors.

Note
The show flow monitor cache module command differs from the show flow monitor statistics module command in that the cache command also displays cache entries . Since each processor has its own cache, all output of these commands is based on the number of processors on the server (also called module or host). When more than one processor is involved in processing packets for a single flow, then the same flow appears for each processor.

show flow record [name]

Displays information about NetFlow flow records.
Example: show flow exporter
switch(config-flow-exporter-version-9)# show flow exporter ExportTest
Flow exporter ExportTest:
    Description: ExportHamilton
    Destination: 192.0.2.1
    VRF: default (1)
    Destination UDP Port 200
    Source Interface 2 
    DSCP 2
    Export Version 9
        Exporter-stats timeout 1200 seconds
        Data template timeout 1200 seconds
    Exporter Statistics
        Number of Flow Records Exported 0
        Number of Templates Exported 0
        Number of Export Packets Sent 0
        Number of Export Bytes Sent 0
        Number of Destination Unreachable Events 0
        Number of No Buffer Events 0
        Number of Packets Dropped (No Route to Host) 0
        Number of Packets Dropped (other) 0
        Number of Packets Dropped (LC to RP Error) 0
        Number of Packets Dropped (Output Drops) 1
        Time statistics were last cleared: Never
switch(config-flow-exporter-version-9)# 
Example: show flow interface
switch(config-if)# show flow interface VEth2
Interface veth2:
    Monitor: MonitorTest
    Direction: Output
switch(config-if)# 
Example: show flow monitor
switch(config)# show flow monitor 
Flow Monitor MonitorTest:
    Description: Ipv4Monitor
    Use count: 1
    Flow Record: test
    Flow Exporter: ExportTest
    Inactive timeout: 15
    Active timeout: 1800
    Cache Size: 15000
Flow Monitor MonitorIpv4:
    Description: exit
    Use count: 70
    Flow Record: RecordTest
    Flow Exporter: ExportIpv4
    Inactive timeout: 15
    Active timeout: 1800
    Cache Size: 4096
switch(config)#  
Example: show flow monitor cache module
switch# show flow monitor test_mon cache module 5
Cache type:                          Normal
Cache size (per-processor):          4096
High Watermark:                      2
Flows added:                         102
Flows aged:                          099
    - Active timeout                 0
    - Inactive timeout               099
    - Event aged                     0
    - Watermark aged                 0
    - Emergency aged                 0
    - Permanent                      0
    - Immediate aged                 0
    - Fast aged                      0

Cache entries on Processor0
    - Active Flows:                  2
    - Free Flows:                    4094

  IPV4 SRC ADDR    IPV4 DST ADDR  IP PROT            INTF INPUT           INTF OUTPUT  FLOW DIRN
===============  ===============  =======  ====================  ====================  =========
        0.0.0.0  255.255.255.255  17                      Veth1                            Input
   7.192.192.10      7.192.192.2  1                       Veth1                Eth5/2      Input

Cache entries on Processor1
    - Active Flows:                  0
    - Free Flows:                    4096

Cache entries on Processor2
    - Active Flows:                  1
    - Free Flows:                    4095

  IPV4 SRC ADDR    IPV4 DST ADDR  IP PROT            INTF INPUT           INTF OUTPUT  FLOW DIRN
===============  ===============  =======  ====================  ====================  =========
   7.192.192.10      7.192.192.1  1                       Veth1                Eth5/2      Input

Cache entries on Processor3
    - Active Flows:                  0
    - Free Flows:                    4096

Cache entries on Processor4
    - Active Flows:                  0
    - Free Flows:                    4096

Cache entries on Processor5
    - Active Flows:                  0
    - Free Flows:                    4096

Cache entries on Processor6
    - Active Flows:                  0
    - Free Flows:                    4096

Cache entries on Processor7
    - Active Flows:                  0
    - Free Flows:                    4096
switch#
Example: show flow monitor statistics module
switch# show flow monitor test_mon statistics module 5
Cache type:                          Normal
Cache size (per-processor):          4096
High Watermark:                      2
Flows added:                         105
Flows aged:                          103
    - Active timeout                 0
    - Inactive timeout               103
    - Event aged                     0
    - Watermark aged                 0
    - Emergency aged                 0
    - Permanent                      0
    - Immediate aged                 0
    - Fast aged                      0

Cache entries on Processor0
    - Active Flows:                  0
    - Free Flows:                    4096

Cache entries on Processor1
    - Active Flows:                  1
    - Free Flows:                    4095

Cache entries on Processor2
    - Active Flows:                  1
    - Free Flows:                    4095

Cache entries on Processor3
    - Active Flows:                  0
    - Free Flows:                    4096

Cache entries on Processor4
    - Active Flows:                  0
    - Free Flows:                    4096

Cache entries on Processor5
    - Active Flows:                  0
    - Free Flows:                    4096

Cache entries on Processor6
    - Active Flows:                  0
    - Free Flows:                    4096

Cache entries on Processor7
    - Active Flows:                  0
    - Free Flows:                    4096
switch#
Example: show flow record
switch(config-flow-record)# show flow record RecordTest
Flow record RecordTest:
    Description: Ipv4flow
    No. of users: 0
    Template ID: 0
    Fields:
        match ipv4 destination address
        match interface input
        match interface output
        match flow direction
        collect counter packets
switch(config-flow-record)# 
Netflow Example Configuration
The following example shows how to configure flow monitor using a new flow record and apply it to an interface:
switch# configure terminal
switch(config)# flow record RecordTest
switch(config-flow-record)# description Ipv4flow
switch(config-flow-record)# match ipv4 destination address
switch(config-flow-record)# collect counter packets
switch(config-flow-record)# exit
switch(config)# flow exporter ExportTest
switch(config-flow-exporter)# description ExportHamilton
switch(config-flow-exporter)# destination 192.0.2.1
switch(config-flow-exporter)# dscp 2
switch(config-flow-exporter)# source mgmt 0
switch(config-flow-exporter)# transport udp 200
switch(config-flow-exporter)# version 9
switch(config-flow-exporter-version-9)# option exporter-stats timeout 1200
switch(config-flow-exporter-version-9)# template data timeout 1200
switch(config-flow-exporter-version-9)# exit
switch(config-flow-exporter)# exit
switch(config)# flow monitor MonitorTest
switch(config-flow-monitor)# description Ipv4Monitor
switch(config-flow-monitor)# exporter ExportTest
switch(config-flow-monitor)# record RecordTest
switch(config-flow-monitor)# exit
switch(config)# interface veth 2/1
switch(config-if)# ip flow monitor MonitorTest output
switch(config-if)# show flow interface veth 2
Interface veth 2:
    Monitor: MonitorTest
    Direction: Output
switch(config-if)# 
The following example shows how to configure flow monitor using a pre-defined record and apply it to an interface:
switch# configure terminal
switch(config)# flow exporter ExportTest
switch(config-flow-exporter)# description ExportHamilton
switch(config-flow-exporter)# destination 192.0.2.1
switch(config-flow-exporter)# dscp 2
switch(config-flow-exporter)# source mgmt 0
switch(config-flow-exporter)# transport udp 200
switch(config-flow-exporter)# version 9
switch(config-flow-exporter-version-9)# option exporter-stats timeout 1200
switch(config-flow-exporter-version-9)# template data timeout 1200
switch(config-flow-exporter-version-9)# exit
switch(config-flow-exporter)# exit
switch(config)# flow monitor MonitorTest
switch(config-flow-monitor)# description Ipv4Monitor
switch(config-flow-monitor)# exporter ExportTest
switch(config-flow-monitor)# record netflow-original
switch(config-flow-monitor)# exit
switch(config)# interface veth 2/1
switch(config-if)# ip flow monitor MonitorTest output
switch(config-if)# show flow interface veth 2
Interface veth 2:
    Monitor: MonitorTest
    Direction: Output
switch(config-if)# 
Related Documents for NetFlow

Related Topic Document Title

Cisco NetFlow Overview

http://cisco.com/en/US/products/ps6601/products_ios_protocol_group_home.html

Feature History for NetFlow

This table includes only the updates for those releases that have resulted in additions or changes to the feature.

Table 4 Feature History
Feature Name Releases Feature Information

NAM support for NetFlow data sources

4.0(4)SV1(3)

NAM support for NetFlow data sources was added.

NetFlow

4.0(4)SV1(1)

NetFlow was introduced.