Feedback
Contents
- Configuring IPv6 NetFlow
- Prerequisites For IPv6 Netflow
- Restrictions For IPv6 Netflow
- Information About IPv6 Netflow
- Understanding Flexible Netflow
- IPv6 Netflow
- How To Configure IPv6 Netflow
- Configuring a Customized Flow Record
- Configuring the Flow Exporters
- Configuring a Customized Flow Monitor
- Applying a Flow Monitor to an Interface
- Configuring and Enabling Flow Sampling
- Verifying IPv6 Netflow
- Monitoring IPv6 Netflow
- Additional References
Configuring IPv6 NetFlow
Prerequisites For IPv6 Netflow
Restrictions For IPv6 Netflow
The following restrictions apply to IPv6 Netflow configurations:
- Locally generated traffic (traffic that is generated by the router, Cisco WLC 5760, on which the Flexible NetFlow Output Accounting feature is configured) is not counted as flow traffic for the Output Flexible NetFlow Accounting feature.
- The Flexible NetFlow Output Accounting feature counts CEF-switched packets only. Process switched transit packets are not counted.
Information About IPv6 Netflow
NetFlow is a monitoring feature used on customer applications for network monitoring, user monitoring and profiling, network planning, security analysis, billing and accounting, and data warehousing and mining. You can use Flexible NetFlow on uplink ports to monitor user-defined flows, collect flow statistics, and perform per-flow policing. It collects and exports flow statistics to a collector device.
Note
Flexible NetFlow is supported only on the Catalyst 3750-X and 3560-X switch running the IP base or IP services feature set and equipped with the network services module. It is not supported on switches running the NPE or the LAN base image.
NoteNot all of the Flexible NetFlow commands in the command reference are available on the switch. Unsupported commands are either not visible or generate an error message if entered.
Understanding Flexible Netflow
With Flexible NetFlow, traffic is processed and packets are classified into flows. New flows are inserted in the NetFlow table, and statistics are automatically updated. You must configure both ingress and egress NetFlow monitoring. The network services module supports one monitor per interface per direction.
Flexible NetFlow consists of the following components:
- Records— These are combinations of key and non-key fields assigned to monitor Flexible NetFlow monitors to define the cache used to store data.
- Flow monitors— These are applied to interfaces to perform network traffic monitoring. A flow monitor includes a user-defined record, an optional flow exporter, and a cache that is automatically created when the monitor is applied to the first interface. The switch supports normal caches that age out according to settings.
- Flow exporters— These export the data in the flow monitor cache to a remote system, such as a server running NetFlow collector.
- Flow samplers— These reduce the load that Flexible NetFlow puts on the networking device to monitor traffic by limiting the number of packets that are analyzed.
You can configure unidirectional flow (destination or source-address based flows), and flow aging. The following features are supported on the network services module:
- Configuring collection statistics for Layer 2-switched (non-routing) traffic, Layer 3 (CAPWAP) IPv4 and IPv6 traffic, and Layer 4 TCP, IGMP, and ICMP traffic.
- NetFlow counting, maintenance, troubleshooting (debugging commands).
- NetFlow analysis is performed on traffic crossing the physical interfaces on the network services module. The switch processes egress (outbound) traffic after forwarding decisions are performed. Locally switched or routed traffic is forced through service module ports by configuring private VLANs or protected ports.
The following NetFlow characteristics are not supported:
Though other modules that can be installed in the switch have 1-Gigabit and 10-Gigabit uplink interfaces, NetFlow is supported only on the network services module.
IPv6 Netflow
Flexible Netflow (FNF) allows the user to define a flow record (a particular set of key, non-key, counter and time-stamp fields of interest) that is optimal for a particular application by selecting the fields from a big collection of pre-defined fields, using CLI configuration commands.
The collection of the pre-defined fields includes the following fields:
How To Configure IPv6 Netflow
Configuring a Customized Flow Record
SUMMARY STEPSYou can match the following fields for the flow record:
- IPv4 or IPv6 destination address
- Datalink fields, to identify Layer 2 source and destination address and VLAN for traffic entering or leaving the interfaces, providing the MAC address of the directly connected host. Class of Service (CoS) and Ethertype datalink header fields are also available.
- Transport field source and destination ports, to identify the type of application: ICMP, IGMP, or TCP traffic.
You can collect the following fields for the flow record:
- The total number of bytes, flows or packets sent by the exporter (exporter) or the number of bytes or packets in a 64-bit counter (long). The timestamp based on system uptime from the time the first packet was sent or from the time the most recent (last) packet was seen.
- The SNMP index of the input or output interface. The interface for traffic entering or leaving the service module is based on the switch forwarding cache. This field is typically used in conjunction with datalink, IPv4, and IPv6 addresses, and provides the actual first-hop interface for directly connected hosts.
The following steps configure the customized flow record:
1. configure terminal
2. flow record recordname
3. description description
4. match{ipv4 | ipv6}{destination | hop-limit | protocol | source | traffic-class| version} address
5. match datalink [dot1q | ethertype | mac | vlan]
6. match transport [destination-port | icmp |igmp | source-port]
7. match interface [input |output]
8. match flow direction
9. collect counter {bytes [ layer2 | long] | packets [ long]}
10. collect timestamp absolute [first | last]
11. collect interface [input | output]
12. collect transport tcp flags {ack | cwr | ece | fin | psh | rst | syn | urg}
13. end
DETAILED STEPSSwitch(config)# flow record Switch(config-flow-record)# description record to monitor network traffic Switch(config-flow-record)# match ipv6 destination address Switch(config-flow-record)# match datalink [dot1q | ethertype | mac | vlan] Switch(config-flow-record)# match transport [destination-port | icmp |igmp | source-port] Switch(config-flow-record)# match interface input Switch(config-flow-record)# match flow direction Switch(config-flow-record)#collect counter bytes layer2 long Switch(config-flow-record)# collect timestamp absolute first Switch(config-flow-record)# collect interface [input | output] Switch(config-flow-record)# collect transport tcp flags ack Switch(config-flow-record)# endConfiguring the Flow Exporters
SUMMARY STEPSThe following steps are used to configure the NetFlow exporter.
Note
The optional export-protocol flow exporter configuration command specifies the NetFlow export protocol used by the exporter. The switch supports only netflow-v9. Though visible in the CLI help, netflow-5 is not supported.
1. configure terminal
2. flow exporter exporter-name
3. description description
4. destination {hostname | ip-address} vrf vrf-name
5. dscp <0-63>
6. source interface-id
7. option {exporter-stats | interface-table | sampler-table} timeout seconds]
8. export-protocolnetflow-v9
9. template data timeout seconds
10. transport udp udp-port
11. ttl seconds
12. end
DETAILED STEPSWhat to Do NextSwitch(config)# flow exporter QoS-Collector Switch(config-flow-exporter)# description QoS Collector Bldg 19 Switch(config-flow-exporter)# destination 172.20.244.28 Switch(config-flow-exporter)# source vlan 1 Switch(config-flow-exporter)# dscp 3 Switch(config-flow-exporter)# transport udp 2055 Switch(config-flow-exporter)# end
Configuring a Customized Flow Monitor.
Configuring a Customized Flow Monitor
SUMMARY STEPS
1. configure terminal
2. flow monitor monitor -name
3. description description
4. record {TestNetflowRecordName|TestRecord}
5. cache {timeout [active| inactive|update] (seconds) | type (normal)}
6. cache {timeout [active| inactive|update] (seconds) | type (normal)}
7. exporter TestNetFlowExporterName
8. cache {timeout [active| inactive|update] (seconds) | type (normal)}
9. end
DETAILED STEPSWhat to Do NextSwitch(config)# flow monitor FLOW-MONITOR-1 Switch(config-flow-monitor)# Used for ipv4 traffic analysis Switch(config-flow-monitor)# record FLOW-RECORD-1 Switch(config-flow-monitor)# cache timeout active 300 Switch(config-flow-monitor)# cache type normal Switch(config-flow-monitor)# exporter EXPORTER-1 Switch(config-flow-monitor)# exit
Apply a flow monitor to an interface
Applying a Flow Monitor to an Interface
SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. wlan ssid
4. [ ip | ipv6 | datalink] flow monitor monitor -name sampler [sampler | input | output]
5. exit
6. Repeat steps 2 and 3
7. end
DETAILED STEPS
Command or Action Purpose
Step 1 configure terminal
Example:Switch# configure terminalEnters global configuration mode.
Step 2 interface interface-id
Example:Switch(config)# interface tengigabitEthernet 1/0/1Identifies an interface and enters interface configuration mode. Flexible Net Flow is supported only on the service module 1-Gigabit or 10-Gigabit Ethernet interfaces.
Note You cannot attach a NetFlow monitor to a port channel interface. If both service module interfaces are part of an EtherChannel, you should attach the monitor to both physical interfaces. Step 3 wlan ssid
Example:Switch (config)# wlan test 1 testConfigures the flow monitor on WLAN.
Step 4 [ ip | ipv6 | datalink] flow monitor monitor -name sampler [sampler | input | output]
Example:Switch(config-if)# ipv6 flow monitor SampleMonitorName inputActivates a previously created flow monitor by assigning it to the interface to analyze incoming or outgoing traffic.
- ip—Enters record matching IPv4 IP addresses.
- ipv6—Enters record matching IPv6 IP addresses.
Note This keyword is visible only when the dual IPv4 and IPv6 Switch Database Management (SDM) template is configured on the switch. - input—Applies the flow monitor on input traffic.
- output—Applies the flow monitor on output traffic.
- sampler—(Optional) Applies the flow monitor sampler.
Step 5 exit
Example:Switch(config-if)# exit Switch(config)#Returns to global configuration mode.
Step 6 Repeat steps 2 and 3
Example:Configures additional cache parameters for the flow monitor.
Step 7 end
Example:Switch(config)# endReturns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode.
Configuring and Enabling Flow Sampling
SUMMARY STEPS
1. configure terminal
2. sampler sampler -name
3. description description
4. mode {deterministic|random} (<1-1> )out-of <2-1024>
5. end
6. interface interface-id
7. wlan ssid
8. {ip | ipv6 | datalink] flow monitor monitor-name sampler sampler-name {input | output}
9. end
DETAILED STEPS
Command or Action Purpose
Step 1 configure terminal
Example:Switch# configure terminalEnters global configuration mode.
Step 2 sampler sampler -name
Example:Switch(config)# sampler SampleNameForSAMPLERCreates a flow monitor and enters Flexible NetFlow sampler configuration mode. You can also use this command to modify an existing sampler.
Step 3 description description
Example:Switch(config-sampler)#description SamplerName_1(Optional) Configures a description for the sampler.
Step 4 mode {deterministic|random} (<1-1> )out-of <2-1024>
Example:Switch(config-sampler)#mode random 1 out-of 2Specifies the mode and window size from which to select packets. The window size range is from 2 to 1024.
Note Although visible in the CLI help, the mode deterministic keyword is not supported. Step 5 end
Example:Switch(config-sampler)# endReturns to global configuration mode.
Step 6 interface interface-id
Example:Switch(config)# interface tengigabitethernet 1/0/1Identifies an interface and enters interface configuration mode.
Step 7 wlan ssid
Example:Switch(config)# wlan test 1 testConfigures to apply flow sampler on WLAN.
Step 8 {ip | ipv6 | datalink] flow monitor monitor-name sampler sampler-name {input | output}
Example:Switch(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLE-1 inputActivates a previously created IPv4 or IPv6 flow monitor by assigning it to the interface to analyze traffic.
Step 9 end
Example:Switch(config)# endReturns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode.
What to Do NextSwitch(config)# sampler SAMPLER-1 Switch(config-sampler)# description Sample at 50 Switch(config-sampler)# mode random 1 out-of 2 Switch(config-sampler)# exit Switch(config)# interface tengigabitethernet 1/0/1 Switch(config)# wlan test 1 test Switch(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLE-1 input
How to configure netflow v9 for IPv6.
Verifying IPv6 Netflow
This section describes the Netflow related show commands for IPv6. The following commands can be used to verify Netflow on the switch.
Command Purpose show flow record
Displays the status of the flow records. show flow ssid <ssid_name>
Displays SSID interface information. show flow monitor {monitor name} {cache|provisioning|statistics}
Displays the flow monitor information. show flow exporter exporter-name
Displays the status of a flow exporter. show flow monitor monitor -name
Displays the current status of a flow monitor. show flow interface interface-id
Verifies that the Flexible NetFlow is configured on the interface. show flow monitor monitor -name cache format [csv | record | table}
Displays data in the flow monitor cache. show sampler sampler -name
Displays the current status of a flow sampler. Monitoring IPv6 Netflow
Additional References
- For more detailed information about Flexible NetFlow, see the NetFlow Configuration Guide.
- For information about the commands, see the Cisco IOS Flexible NetFlow Command Reference.
- For more information about configuring Flexible NetFlow flow exporters, see: Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters.
