Configuring NetFlow
This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices.
Information About NetFlow
NetFlow identifies packet flows for both ingress and egress IP packets and provides statistics based on these packet flows. NetFlow does not require any change to either the packets themselves or to any networking device.
NetFlow Overview
NetFlow uses flows to provide statistics for accounting, network monitoring, and network planning. A flow is a unidirectional stream of packets that arrives on a source interface (or VLAN) and has the same values for the keys. A key is an identified value for a field within the packet. You create a flow using a flow record to define the unique keys for your flow.
Cisco NX-OS supports the Flexible NetFlow feature, which enables enhanced detection of network anomalies and security problems. Flexible NetFlow allows you to define an optimal flow record for a particular application by selecting the keys from a large collection of predefined fields. For more information on the flow records, see the “Flow Records” section.
All key values must match for the packet to count in a given flow. A flow might gather other fields of interest, depending on the export record version that you configure. Flows are stored in the NetFlow cache.
You can export the data that NetFlow gathers for your flow to a remote NetFlow collector by using an exporter. Cisco NX-OS exports a flow as part of a NetFlow export User Datagram Protocol (UDP) datagram under the following circumstances:
- The flow has been inactive or active for too long.
- The flow cache is getting full.
- One of the counters (packets or bytes) has exceeded its maximum value.
- You have forced the flow to export.
For more information on exporters, see the “Exporters” section.
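The flow definition and export conditions above can be modelled directly. The following Python model is an added example, not Cisco code and not a description of how NX-OS implements its cache; it replays a constructed port sweep to show that the choice of match keys decides whether the sweep appears as 20 flows or as one. The timer values, the cache limit, the oldest-first eviction policy, and all names are assumptions.

```python
from dataclasses import dataclass

# Assumed values for illustration; the page does not give the device's timers or limits.
INACTIVE_TIMEOUT = 15        # seconds with no packet for the flow
ACTIVE_TIMEOUT = 1800        # seconds since the flow entry was created
CACHE_ENTRIES = 1000         # entries allowed before the oldest flow is pushed out

@dataclass
class Flow:
    first: float
    last: float
    packets: int = 0
    octets: int = 0

class FlowCache:
    def __init__(self, keys):
        self.keys = keys     # packet fields used as match keys by the flow record
        self.flows = {}      # tuple of key values -> Flow
        self.exported = []   # (key, Flow, reason), standing in for the exporter

    def expire(self, now):
        for key, flow in list(self.flows.items()):
            if now - flow.last >= INACTIVE_TIMEOUT:
                self.exported.append((key, self.flows.pop(key), "inactive"))
            elif now - flow.first >= ACTIVE_TIMEOUT:
                self.exported.append((key, self.flows.pop(key), "active"))

    def observe(self, pkt, now):
        self.expire(now)
        key = tuple(pkt[k] for k in self.keys)   # every key value must match
        if key not in self.flows and len(self.flows) >= CACHE_ENTRIES:
            oldest = min(self.flows, key=lambda k: self.flows[k].last)  # assumed policy
            self.exported.append((oldest, self.flows.pop(oldest), "cache full"))
        flow = self.flows.setdefault(key, Flow(first=now, last=now))
        flow.last, flow.packets, flow.octets = now, flow.packets + 1, flow.octets + pkt["len"]

def flows_seen(keys, packets):
    """Replay (time, packet) pairs and return how many flows were exported."""
    cache = FlowCache(keys)
    for now, pkt in packets:
        cache.observe(pkt, now)
    cache.expire(float("inf"))   # flush what is left, as a forced export would
    return len(cache.exported)

# Constructed traffic: one host touching 20 ports on one server, one second apart.
SWEEP = [(t, {"src": "192.0.2.10", "dst": "198.51.100.7", "dport": 1000 + t, "len": 60})
         for t in range(20)]
```

With `("src", "dst", "dport")` as keys the sweep produces 20 exported flows; with `("src", "dst")` it collapses into one, so a collector-side detection that counts flows per source depends on the destination port being a key.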
You define the size of the data that you want to collect for a flow using a monitor. The monitor combines the flow record and exporter with the NetFlow cache information. For more information on monitors, see the “Monitors” section.
Cisco NX-OS can gather NetFlow statistics in either full or sampled mode. Cisco NX-OS analyzes all packets on the interface or subinterface for full NetFlow mode. For sampled mode, you configure the sampling algorithm and the rate at which Cisco NX-OS analyzes packets. For more information on samplers, see the “Samplers” section.
Flow Records
A flow record defines the keys that NetFlow uses to identify packets in the flow as well as other fields of interest that NetFlow gathers for the flow. You can define a flow record with any combination of keys and fields of interest. Cisco NX-OS supports a rich set of keys. A flow record also defines the types of counters gathered per flow. You can configure 32-bit or 64-bit packet or byte counters. Cisco NX-OS enables the following match fields as the defaults when you create a flow record:
For more information, see the “Creating a Flow Record” section.
Exporters
An exporter contains network layer and transport layer details for the NetFlow export packet. You can configure the following information in an exporter:
- Export destination IP address
- Source interface
- UDP port number (where the collector is listening for NetFlow packets)
- Export format

Note: NetFlow export packets use the IP address that is assigned to the source interface. If the source interface does not have an IP address assigned to it, the exporter will be inactive.
Cisco NX-OS exports data to the collector whenever a timeout occurs or when the flow is terminated (TCP Fin or Rst received, for example). You can configure the following timers to force a flow export:
Export Formats
Cisco NX-OS supports the Version 5 and Version 9 export formats. We recommend that you use the Version 9 export format for the following reasons:
- Variable field specification format
- Support for IPv6, Layer 2, and MPLS fields
- More efficient network utilization
If you configure the Version 5 export format, you have these limitations:
- Fixed field specifications
- No support for IPv6, Layer 2, or MPLS fields
- The Netflow.InputInterface and Netflow.OutputInterface represent a 16-bit I/O descriptor (IOD) of the interface.

Note: The IOD information of the interface can be retrieved using the show system internal im info global command.
For information about the Version 9 export format, see RFC 3954.

Note: Cisco NX-OS supports UDP as the transport protocol for exports to up to two collectors.
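Because Version 9 records have no fixed layout, a collector can decode a data FlowSet only after it has seen the matching template. The following Python parser is an added example (not Cisco or collector-vendor code) that decodes a constructed datagram according to RFC 3954 and bounds-checks every length, since the export arrives over unauthenticated UDP. The sample addresses, source ID 7, and the 32-bit INPUT_SNMP value are constructed.

```python
import socket
import struct

# Field types from RFC 3954 (subset); anything else is reported as type_<n>.
FIELDS = {1: "IN_BYTES", 4: "PROTOCOL", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP",
          11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

def parse_v9(datagram, templates):
    """Decode one export datagram; `templates` must persist between datagrams."""
    if len(datagram) < 20 or datagram[:2] != b"\x00\x09":
        raise ValueError("not a Version 9 export datagram")
    source_id = struct.unpack_from("!I", datagram, 16)[0]
    records, off = [], 20
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
        if fs_len < 4 or off + fs_len > len(datagram):
            raise ValueError("FlowSet length outside datagram")
        body, off = datagram[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:                  # template FlowSet: learn field layouts
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                if tid < 256 or pos + 4 + 4 * n > len(body):
                    break               # padding or malformed template
                templates[source_id, tid] = [
                    struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(n)]
                pos += 4 + 4 * n
        elif fs_id > 255:               # data FlowSet: its id names the template
            records += decode(body, templates.get((source_id, fs_id), []))
    return records

def decode(body, template):
    size = sum(length for _, length in template)
    out = []
    for start in range(0, len(body) - size + 1, size) if size else ():  # pad bytes ignored
        rec, p = {}, start
        for ftype, length in template:
            raw, p = body[p:p + length], p + length
            is_v4 = ftype in (8, 12) and length == 4
            rec[FIELDS.get(ftype, f"type_{ftype}")] = (
                socket.inet_ntoa(raw) if is_v4 else int.from_bytes(raw, "big"))
        out.append(rec)
    return out

# Constructed datagram: header, template 256 (6 fields), one 19-byte record, 1 pad byte.
SAMPLE = bytes.fromhex(
    "0009000200000000000000000000000100000007"
    "000000200100000600080004000c0004000b000200040001000a000400010004"
    "01000018c000020ac633640701bb061a000000000005dc00")
```

The decoded INPUT_SNMP value does not fit in the 16-bit interface fields of Version 5, which is the limitation listed above. A data FlowSet that arrives before its template yields no records, so a collector has to keep the template table for as long as the exporter is sending.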
Monitors
A monitor references the flow record and flow exporter. You apply a monitor to an interface.
Samplers
If you are using sampled mode, you use the sampler to specify the rate at which packets are sampled. On high-bandwidth interfaces, applying NetFlow processing to every single packet can result in high CPU utilization, so sampler configuration is intended for high-speed interfaces. You configure sampling as M out of N packets. For example, 100 out of every 10,000 packets are sampled.
High Availability
Cisco NX-OS supports stateful restarts for NetFlow. After a reboot or supervisor switchover, Cisco NX-OS applies the running configuration.
Virtualization Support
A virtual device context (VDC) is a logical representation of a set of system resources. Within each VDC, you can configure NetFlow. By default, Cisco NX-OS places you in the default VDC and any flows that you define in this mode are only available for interfaces in the default VDC.
For information about configuring VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide, Release 5.x.
Licensing Requirements for NetFlow
Prerequisites for NetFlow
NetFlow has the following prerequisites:
- You must understand the resources required on your device because NetFlow consumes additional memory and CPU resources.
- If you configure VDCs, install the Advanced Services license and enter the desired VDC. For more information, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide, Release 5.x.
Guidelines and Limitations
NetFlow has the following configuration guidelines and limitations:
- You must configure a source interface. If you do not configure a source interface, the exporter will remain in a disabled state.
- You must configure a valid record name for every flow monitor.
- A rollback will fail if you try to modify a record that is programmed in the hardware during a rollback.
- Only Layer 2 NetFlow is applied on Layer 2 interfaces, and only Layer 3 NetFlow is applied on Layer 3 interfaces.
- If you add a member to a port channel that is already configured for Layer 2 NetFlow, its NetFlow configuration is removed and the Layer 2 configuration of the port channel is added to it.
- If you change a Layer 2 interface to a Layer 3 interface, the software removes the Layer 2 NetFlow configuration from the interface.
- Use v9 export to see the full 32-bit SNMP ifIndex values at the NetFlow connector.
- The maximum number of supported NetFlow entries is 512K.
- The Cisco Nexus 2000 Series Fabric Extender supports bridged NetFlow.
- Beginning with Cisco NX-OS Release 5.2, NetFlow is supported on switch virtual interfaces (SVIs) for F1 Series ports. Bridged NetFlow on F1 Series ports is not supported.
Default Settings
Table 21-1 lists the default settings for NetFlow parameters.
Configuring NetFlow
To configure NetFlow, follow these steps:
Step 1 Enable the NetFlow feature (see the “Enabling the NetFlow Feature” section).
Step 2 Define a flow record by specifying keys and fields to the flow (see the “Creating a Flow Record” section).
Step 3 Define an optional flow exporter by specifying the export format, protocol, destination, and other parameters (see the “Creating a Flow Exporter” section).
Step 4 Define a flow monitor based on the flow record and flow exporter (see the “Creating a Flow Monitor” section).
Step 5 Apply the flow monitor to a source interface, subinterface, VLAN interface (see the “Applying a Flow to an Interface” section), or a VLAN (see the “Configuring Bridged NetFlow on a VLAN” section).
This section includes the following topics:
- Enabling the NetFlow Feature
- Creating a Flow Record
- Creating a Flow Exporter
- Creating a Flow Monitor
- Creating a Sampler
- Applying a Flow to an Interface
- Configuring Bridged NetFlow on a VLAN
- Configuring Layer 2 NetFlow
- Configuring NetFlow Timeouts

Note: Be aware that the Cisco NX-OS commands for this feature may differ from those used in Cisco IOS.
Enabling the NetFlow Feature
You must globally enable NetFlow before you can configure any flows.
Use the following command in global configuration mode to enable NetFlow:
Use the following command in global configuration mode to disable NetFlow and remove all flows:
Creating a Flow Record
You can create a flow record and add keys to match on and fields to collect in the flow.
BEFORE YOU BEGIN
Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.
SUMMARY STEPS
6. show flow record [ name ] [ record-name | netflow-original | netflow protocol-port | netflow { ipv4 | ipv6 } { original-input | original-output }}
DETAILED STEPS
Enter configuration commands, one per line. End with CNTL/Z.
Creates a flow record and enters flow record configuration mode.
(Optional) Describes this flow record as a maximum 63-character string.
switch(config-flow-record)# match transport destination-port
Specifies a match key. See the “Specifying the Match Parameters” section for more information on the type argument.
Specifies the collection field. See the “Specifying the Collect Parameters” section for more information on the type argument.
show flow record [ name ] [ record-name | netflow-original | netflow protocol-port | netflow { ipv4 | ipv6 } { original-input | original-output }}
switch(config-flow-exporter)# show flow record netflow protocol-port
copy running-config startup-config
switch(config-flow-exporter)# copy running-config startup-config
Specifying the Match Parameters
You must configure at least one of the following match parameters for flow records:
Specifying the Collect Parameters
You must configure at least one of the following collect parameters for flow records:
BEFORE YOU BEGIN
Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.
SUMMARY STEPS
3. destination { ipv4-address | ipv6-address } [ use-vrf name ]
4. source interface-type number
DETAILED STEPS
You can optionally configure the following parameters for flow exporters:
You can optionally configure the following parameters in flow exporter version configuration submode:
Creating a Flow Monitor
You can create a flow monitor and associate it with a flow record and a flow exporter.
BEFORE YOU BEGIN
Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.
SUMMARY STEPS
5. record { name | netflow-original | netflow protocol-port | netflow { ipv4 | ipv6 } { original-input | original-output }}
DETAILED STEPS
BEFORE YOU BEGIN
Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.
DETAILED STEPS
Applying a Flow to an Interface
You can apply a flow monitor and an optional sampler to an interface.
BEFORE YOU BEGIN
Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.
SUMMARY STEPS
2. interface interface-type number
3. ip flow monitor name { input | output } [ sampler name ]
4. ipv6 flow monitor name { input | output } [ sampler name ]
DETAILED STEPS
Configuring Bridged NetFlow on a VLAN
You can apply a flow monitor and an optional sampler to a VLAN.
BEFORE YOU BEGIN
Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.
SUMMARY STEPS
2. vlan [configuration] vlan-id
DETAILED STEPS
Configuring Layer 2 NetFlow
You can define Layer 2 keys in flexible NetFlow records that you can use to capture flows in Layer 2 interfaces. The Layer 2 keys are as follows:
You can apply Layer 2 NetFlow to the following interfaces for the ingress direction:

Note: You cannot apply Layer 2 NetFlow to VLANs, egress interfaces, or Layer 3 interfaces such as VLAN interfaces.
BEFORE YOU BEGIN
Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.
SUMMARY STEPS
3. match datalink { mac source-address | mac destination-address | ethertype | vlan }
4. interface { ethernet slot / port } | { port-channel number }
7. layer2-switched flow monitor flow-name input [ sampler sampler-name ]
DETAILED STEPS
Enter configuration commands, one per line. End with CNTL/Z.
Enters flow record configuration mode. For more information about configuring flow records, see the “Creating a Flow Record” section.
match datalink { mac source-address | mac destination-address | ethertype | vlan }
interface { ethernet slot / port } | { port-channel number }
switch(config)# interface ethernet 2/1
Enters interface configuration mode. The interface type can be a physical Ethernet port or a port channel.
Changes the interface to a Layer 2 physical interface. For information about configuring switch ports, see the Cisco Nexus 7000 Series NX-OS Layer 2 Switching Configuration Guide, Release 5.x.
Forces MAC classification of packets. For more information about using the mac packet-classify command, see the Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 5.x.
layer2-switched flow monitor flow-name input [ sampler sampler-name ]
switch(config-vlan)# layer2-switched flow monitor L2_monitor input sampler L2_sampler
Associates a flow monitor and an optional sampler to the switch port input packets. For information about flow monitors, see the “Creating a Flow Monitor” section. For information about samplers, see the “Creating a Sampler” section.
show flow record netflow layer2-switched input
switch(config-if)# show flow record netflow layer2-switched input
(Optional) Displays information about the Layer 2 NetFlow default record.
Configuring NetFlow Timeouts
You can optionally configure global NetFlow timeouts that apply to all flows.
Use the following commands in global configuration mode to configure NetFlow timeout parameters:
Verifying the NetFlow Configuration
To display NetFlow configuration information, perform one of the following tasks:
Monitoring NetFlow
Use the show flow exporter command to display NetFlow statistics.
Use the clear flow exporter command to clear NetFlow exporter statistics. Use the clear flow monitor command to clear the monitor cache and statistics.
Configuration Example for NetFlow
This example shows how to create a flow and apply it to an interface:
Additional References
For additional information related to implementing NetFlow, see the following sections:
Feature History for NetFlow
Table 21-2 lists the release history for this feature.
- NetFlow is supported on switch virtual interfaces (SVIs) for F1 Series ports.
- VLAN configuration mode, which enables you to configure VLANs independently of their creation, is supported when configuring bridged NetFlow on a VLAN.
- You can specify the NetFlow instance for which you want to display NetFlow IPv4 flows and NetFlow table utilization.
- You can define Layer 2 keys in flexible NetFlow records that you can use to capture flows in Layer 2 interfaces. See the “Guidelines and Limitations” section and the “Configuring Layer 2 NetFlow” section.
- Rollback fails for NetFlow if, during rollback, you try to modify a record that is programmed in the hardware. See the “Guidelines and Limitations” section.