Catalyst 6500 Series Software Configuration Guide, 7.6
Configuring NDE


Configuring NDE


This chapter describes how to configure NetFlow Data Export (NDE) on the Catalyst 6500 series switches.


Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.


This chapter consists of these sections:

Understanding How NDE Works

Default NDE Configuration

Configuring NDE on the Switch

Understanding How NDE Works

These sections describe how NDE works:

Overview of NDE and Integrated Layer 3 Switching Management

Traffic Statistics Data Collection

Using NDE Filters

Using Bridged Flow Statistics

NDE Versions

Overview of NDE and Integrated Layer 3 Switching Management

Catalyst 6500 series switches provide Layer 3 switching with Cisco Express Forwarding for Policy Feature Card 2 (CEF for PFC2) or with Multilayer Switching (MLS). You can use NDE to monitor all Layer 3-switched traffic through the Multilayer Switch Feature Card (MSFC). NDE complements the embedded Remote Monitoring (RMON) capabilities on the switch that allow you to see all port traffic.


Note NDE is not supported for IP multicast or Internetwork Packet Exchange (IPX) traffic.



Note NDE version 7 and NDE version 8 are not supported for the MSFC.



Note For information on configuring CEF for PFC2, see "Configuring CEF for PFC2." For information on configuring MLS, see "Configuring MLS."


Integrated Layer 3-switching management includes products, management utilities, and partner applications that are designed to gather flow statistics, export the statistics, collect and perform data reduction on the exported statistics, and forward them to applications for traffic monitoring, planning, and accounting. Flow collectors, such as the Cisco SwitchProbe and NetFlow FlowCollector, gather and classify flows. This flow information is then aggregated and fed to applications such as TrafficDirector, NetSys, or NetFlow Analyzer.

Traffic Statistics Data Collection

An external data collector gathers flow entries from the statistics cache of one or more switches or Cisco routers. The switch or router transmits data to the flow collector by grouping flow entries for expired flows from its statistics cache into a User Datagram Protocol (UDP) datagram, which consists of a header and a series of flow entries. See Figure 15-1.

Figure 15-1 Integrated Layer 3 Switching Management

Using NDE Filters

By default, all expired flows are exported until you specify a filter. After specifying a filter, only expired and purged flows matching the specified filter criteria are exported. Filter values are stored in NVRAM and are not cleared when NDE is disabled.

If the flow mask is in destination-ip mode and the NDE filter specifies both a source and a destination, only the destination filter is effective. For example, with the filter shown in the following display, if the flow mask is in destination-ip mode, all flows with destination address 9.1.2.15 are exported; the source filter for host 10.1.2.15 has no effect (it is ignored).

Console> (enable) set mls nde flow destination 9.1.2.15/32 source 10.1.2.15/32
Netflow data export: destination filter set to 9.1.2.15/32
Netflow data export: source filter set to 10.1.2.15/32
Console> (enable)
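The interaction between the flow mask and the filter terms above, modelled as an added example (not from the configuration guide). The destination-ip entry encodes the behaviour stated on this page; the source-destination-ip and ip-flow entries are an assumption drawn from the populated-field columns of Tables 15-2 and 15-4 (source fields are captured from the destination-source mask on, Layer 4 ports and protocol only under the full flow mask), and the sample flows are constructed.

```python
import ipaddress

# Filter terms each flow mask can evaluate. Terms outside this set are ignored,
# which is why a source filter has no effect under the destination-ip mask.
# destination-ip: stated on the page; the other two rows are assumed from the
# Table 15-2 / 15-4 populated-field columns.
EFFECTIVE_TERMS = {
    "destination-ip": {"destination"},
    "source-destination-ip": {"destination", "source"},
    "ip-flow": {"destination", "source", "protocol", "src_port", "dst_port"},
}
PREFIX_TERMS = {"destination", "source"}   # matched as address/prefix


def effective_filter(nde_filter, flow_mask):
    """Drop the filter terms the current flow mask cannot evaluate."""
    return {k: v for k, v in nde_filter.items() if k in EFFECTIVE_TERMS[flow_mask]}


def flow_matches(flow, nde_filter, flow_mask):
    """True if an expired flow satisfies every effective filter term."""
    for term, wanted in effective_filter(nde_filter, flow_mask).items():
        if term in PREFIX_TERMS:
            addr = ipaddress.ip_address(flow[term])
            if addr not in ipaddress.ip_network(wanted, strict=False):
                return False
        elif flow[term] != wanted:
            return False
    return True


def exported_flows(flows, nde_filter, flow_mask, filter_type="include"):
    """Return the expired flows NDE would export under this filter and mask.
    filter_type mirrors the 'Filter type: include' / 'exclude' shown by the CLI."""
    matched = [f for f in flows if flow_matches(f, nde_filter, flow_mask)]
    if filter_type == "exclude":
        return [f for f in flows if f not in matched]
    return matched


# Constructed expired flows; PAGE_FILTER is the 9.1.2.15/32 + 10.1.2.15/32
# filter from the display above.
SAMPLE_FLOWS = [
    {"source": "10.1.2.15", "destination": "9.1.2.15", "protocol": 6,
     "src_port": 40000, "dst_port": 23},
    {"source": "10.9.9.9", "destination": "9.1.2.15", "protocol": 17,
     "src_port": 53, "dst_port": 53},
    {"source": "10.1.2.15", "destination": "9.1.2.20", "protocol": 6,
     "src_port": 40001, "dst_port": 80},
]
PAGE_FILTER = {"destination": "9.1.2.15/32", "source": "10.1.2.15/32"}

if __name__ == "__main__":
    for mask in EFFECTIVE_TERMS:
        hits = exported_flows(SAMPLE_FLOWS, PAGE_FILTER, mask)
        print(mask, "->", [(f["source"], f["destination"]) for f in hits])
```

Under destination-ip both flows to 9.1.2.15 are exported regardless of source; under source-destination-ip only the flow from 10.1.2.15 survives.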

Using Bridged Flow Statistics

You can set bridged flow statistics reporting per VLAN. Bridged flows are exported through NDE when you enable bridged flow statistics.


Caution Use this feature carefully. As NetFlow entries increase in the NetFlow table, NDE performance may degrade. See the "NDE Configuration Guidelines" section for information on configuring bridged flow statistics.

NDE Versions

NDE on the PFC supports the following NDE versions to export the statistics captured on the PFC for Layer 3-switched traffic:

Supervisor Engine 1 and PFC

NDE version 5 with software release 7.5 and later releases

NDE version 7 with software release 6.1 and later releases

Supervisor Engine 2 and PFC2

NDE version 5 with software release 7.5 and later releases

NDE version 7 with software release 6.1 and later releases

Depending on the current flow mask, some fields in the flow records might not have values. When the PFC exports cached entries, unsupported fields are filled with a zero (0).

The following tables list the supported NDE fields:

Table 15-1—Version 5 header format

Table 15-2—Version 5 flow record format

Table 15-3—Version 7 header format

Table 15-4—Version 7 flow record format

Table 15-1 NDE Version 5 Header Format

Bytes   Content         Description
0-1     version         Netflow export format version number
2-3     count           Number of flows exported in this packet (1-30)
4-7     SysUptime       Current time in milliseconds since router booted
8-11    unix_secs       Current seconds since 0000 UTC 1970
12-15   unix_nsecs      Residual nanoseconds since 0000 UTC 1970
16-19   flow_sequence   Sequence counter of total flows seen
20-21   engine_type     Type of flow switching engine (VS_ENGINE_TYPE_CATALYST_SWITCH)
21-23   engine_id       0


Table 15-2 NDE Version 5 Flow Record Format

Flow mask columns: Dst = destination, Dst-Src = destination-source, Full = full, Full-VLAN¹ = full-VLAN. X = populated; 0 = not populated (exported as zero); - = padding.

Bytes   Content     Dst  Dst-Src  Full  Full-VLAN¹  Description
0-3     srcaddr     0    X        X     X           Source IP address
4-7     dstaddr     X    X        X     X           Destination IP address
8-11    nexthop     X    X        X     X           Next hop router's IP address
12-13   input       0    X        X     X           Ingress interface SNMP ifIndex²
14-15   output      X    X        X     X           Egress interface SNMP ifIndex
16-19   dPkts       X    X        X     X           Packets in the flow
20-23   dOctets     X    X        X     X           Octets (bytes) in the flow
24-27   first       X    X        X     X           SysUptime at start of the flow (milliseconds)
28-31   last        X    X        X     X           SysUptime at the time the last packet of the flow was received (milliseconds)
32-33   srcport     0    0        X     X           Layer 4 source port number or equivalent
34-35   dstport     0    0        X     X           Layer 4 destination port number or equivalent
36      pad1        -    -        -     -           Unused (zero) byte
37      tcp_flags   0    0        0     0           Cumulative OR of TCP flags
38      prot        0    0        X     X           Layer 4 protocol (for example, 6=TCP, 17=UDP)
39      tos         X    X        X     X           IP type-of-service byte
40-41   src_as      0    0        0     0           Autonomous system number of the source, either origin or peer
42-43   dst_as      0    0        0     0           Autonomous system number of the destination, either origin or peer
44-45   src_mask    0    0        0     0           Source address prefix mask bits
46-47   dst_mask    0    0        0     0           Destination address prefix mask bits
48      pad2        -    -        -     -           Pad 2 is unused (zero) bytes

1 This flow mask is not configurable from the CLI. It is only turned on if certain features such as reflexive ACLs are set up.

2 This feature is not supported on Supervisor Engine 1 or 1A.


Table 15-3 NDE Version 7 Header Format

Bytes   Content         Description
0-1     version         Netflow export format version number
2-3     count           Number of flows exported in this packet (1-30)
4-7     SysUptime       Current time in milliseconds since router booted
8-11    unix_secs       Current seconds since 0000 UTC 1970
12-15   unix_nsecs      Residual nanoseconds since 0000 UTC 1970
16-19   flow_sequence   Sequence counter of total flows seen
20-24   reserved        Unused (zero) bytes


Table 15-4 NDE Version 7 Flow Record Format

Flow mask columns: Dst = destination, Dst-Src = destination-source, Full = full, Full-VLAN¹ = full-VLAN. X = populated; 0 = not populated (exported as zero); - = padding.

Bytes   Content     Dst  Dst-Src  Full  Full-VLAN¹  Description
0-3     srcaddr     0    X        X     X           Source IP address
4-7     dstaddr     X    X        X     X           Destination IP address
8-11    nexthop     X    X        X     X           Next hop router's IP address
12-13   input       0    X        X     X           Ingress interface SNMP ifIndex²
14-15   output      X    X        X     X           Egress interface SNMP ifIndex
16-19   dPkts       X    X        X     X           Packets in the flow
20-23   dOctets     X    X        X     X           Octets (bytes) in the flow
24-27   First       X    X        X     X           SysUptime at start of the flow (milliseconds)
28-31   Last        X    X        X     X           SysUptime at the time the last packet of the flow was received (milliseconds)
32-33   srcport     0    0        X     X           Layer 4 source port number or equivalent
34-35   dstport     0    0        X     X           Layer 4 destination port number or equivalent
36      flags       X    X        X     X           Flow mask in use
37      tcp_flags   0    0        0     0           Cumulative OR of TCP flags
38      prot        0    0        X     X           Layer 4 protocol (for example, 6=TCP, 17=UDP)
39      tos         X    X        X     X           IP type-of-service byte
40-41   src_as      0    0        0     0           Autonomous system number of the source, either origin or peer
42-43   dst_as      0    0        0     0           Autonomous system number of the destination, either origin or peer
44      src_mask    0    0        0     0           Source address prefix mask bits
45      dst_mask    0    0        0     0           Destination address prefix mask bits
46-47   pad2        -    -        -     -           Pad 2 uses two bytes
48-51   MLS RP      X³   X²       X²    X²          IP address of MLS router

1 This flow mask is not configurable from the CLI. It is only turned on if certain features such as reflexive ACLs are set up.

2 This feature is not supported on Supervisor Engine 1 or 1A.

3 For switched entries.
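A decoder for the version 5 and version 7 datagrams laid out in Tables 15-1 to 15-4, added here as an example and not part of the configuration guide. It uses the standard packed layout (24-byte header, 48-byte v5 record, 52-byte v7 record with the MLS RP address) and reports which fields a collector receives as zero because they are unsupported or not captured under the flow mask in use; the sample datagram is constructed, and the flow-mask codes placed in byte 36 are arbitrary values.

```python
import ipaddress
import struct

# Packed layouts in network byte order. Both headers are 24 bytes; a v5 flow
# record is 48 bytes and a v7 record is 52 bytes (it adds the MLS RP address).
HEADER_V5 = struct.Struct("!HHIIIIBBH")   # ..., engine_type, engine_id, reserved
HEADER_V7 = struct.Struct("!HHIIIII")     # ..., flow_sequence, reserved
RECORD_V5 = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
RECORD_V7 = struct.Struct("!IIIHHIIIIHHBBBBHHBBHI")
HEADER_LEN = 24

RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "byte36",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")
ADDR_FIELDS = {"srcaddr", "dstaddr", "nexthop", "mls_rp"}
PAD_FIELDS = {"pad1", "pad2", "flags"}


def parse_header(data):
    """Decode the 24-byte header; return (header dict, record layout)."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than the 24-byte NDE header")
    version = struct.unpack_from("!H", data)[0]
    if version == 5:
        v, count, up, secs, nsecs, seq, etype, eid, _ = HEADER_V5.unpack_from(data)
        hdr, layout = {"engine_type": etype, "engine_id": eid}, RECORD_V5
    elif version == 7:
        v, count, up, secs, nsecs, seq, _ = HEADER_V7.unpack_from(data)
        hdr, layout = {}, RECORD_V7
    else:
        raise ValueError("unsupported NDE version %d" % version)
    hdr.update(version=v, count=count, SysUptime=up, unix_secs=secs,
               unix_nsecs=nsecs, flow_sequence=seq)
    return hdr, layout


def parse_nde(data):
    """Decode one datagram into (header, [records]); reject a count outside
    1-30 or a payload that does not hold exactly `count` records."""
    hdr, layout = parse_header(data)
    count = hdr["count"]
    if not 1 <= count <= 30:
        raise ValueError("flow count %d outside the 1-30 range" % count)
    expected = HEADER_LEN + count * layout.size
    if len(data) != expected:
        raise ValueError("length %d, expected %d bytes" % (len(data), expected))
    names = RECORD_FIELDS + (("mls_rp",) if hdr["version"] == 7 else ())
    records = []
    for i in range(count):
        rec = dict(zip(names, layout.unpack_from(data, HEADER_LEN + i * layout.size)))
        for f in ADDR_FIELDS.intersection(rec):
            rec[f] = str(ipaddress.IPv4Address(rec[f]))
        # Byte 36 is pad1 in v5 but carries the flow mask in use in v7.
        rec["flags" if hdr["version"] == 7 else "pad1"] = rec.pop("byte36")
        records.append(rec)
    return hdr, records


def unpopulated_fields(rec):
    """Fields received as zero: never supported by the PFC (src_as, tcp_flags,
    ...) or not captured under the flow mask in use. Do not trust them as data."""
    return sorted(k for k, v in rec.items()
                  if k not in PAD_FIELDS and v in (0, "0.0.0.0"))


def build_sample_v7():
    """Constructed v7 datagram with two flow records (sample data, not a capture)."""
    def ip(s):
        return int(ipaddress.IPv4Address(s))
    header = HEADER_V7.pack(7, 2, 1234567, 1700000000, 0, 100, 0)
    # Destination-only flow mask: srcaddr, input, ports and prot are all zero.
    # The byte-36 values 1 and 4 are arbitrary flow-mask codes for illustration.
    r1 = RECORD_V7.pack(0, ip("9.1.2.15"), ip("9.1.2.1"), 0, 5, 10, 1500, 1000, 2000,
                        0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, ip("172.20.15.1"))
    # Full flow mask: Layer 4 ports and protocol populated (TCP to port 23).
    r2 = RECORD_V7.pack(ip("10.1.2.15"), ip("9.1.2.15"), ip("9.1.2.1"), 3, 5, 40, 4800,
                        1000, 2500, 40123, 23, 4, 0, 6, 0, 0, 0, 0, 0, 0, ip("172.20.15.1"))
    return header + r1 + r2
```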


Default NDE Configuration

Table 15-5 shows the default NDE configuration.

Table 15-5 Default NDE Configuration

Feature                                   Default Value
NDE                                       Disabled
NDE data collector address and UDP port   None specified
NDE filters                               None configured


Configuring NDE on the Switch

These sections describe how to configure NDE:

NDE Configuration Guidelines

Specifying an NDE Collector

Configuring NetFlow Switching on the MSFC

Enabling NDE

Enabling and Disabling Bridged Flow Statistics on VLANs

Specifying a Destination Host Filter

Specifying a Destination and Source Subnet Filter

Specifying a Destination TCP/UDP Port Filter

Specifying a Source Host and Destination TCP/UDP Port Filter

Specifying a Protocol Filter

Specifying Protocols for Statistics Collection

Removing Protocols for Statistics Collection

Clearing the NDE Flow Filter

Disabling NDE

Removing the NDE IP Address

Displaying the NDE Configuration

NDE Configuration Guidelines

If too many entries are added to the NetFlow table, follow these guidelines:

Reduce the MLS aging time. For PFC2, set the aging time high enough to keep the number of entries within the 32k-flow range of the PFC2. When using bridged flow statistics with a Supervisor Engine 2, set the aging time to one second. For information on how to change the MLS aging time, see the "Specifying MLS Aging-Time Value" section in "Configuring MLS."

If there are protocols with fewer packets per flow running, reduce the MLS fast aging time. For information on how to change the MLS fast aging time, see the "Specifying IP MLS Long-Duration Aging Time, Fast Aging Time, and Packet Threshold Values" section in "Configuring MLS."

Use the flow mask that is required to extract the kind of information that you want. A full flow mask gives more information, but as the number of flows increases, the load on Layer 3 aging also increases. Use the flow mask with the minimum granularity that yields the data you need. With a full flow mask, you might need to decrease the MLS aging time, because a full flow mask increases the number of flows per second. For information on setting the flow mask, see the "Setting the Minimum IP MLS Flow Mask" section in "Configuring MLS."

Exclude entries with fewer packets per flow. Some query protocols, like the Domain Name System (DNS), generate fewer packets per flow and can be excluded from the NetFlow table with the set mls exclude protocol command. You can specify up to four protocol filters, but packets from filtered protocols will go to the MSFC.

Keep specific flows from being added to the NetFlow table with the set mls nde flow exclude command.

Enabling bridged flow statistics on a VLAN increases the number of flows in the NetFlow table, because the bridged flows for that VLAN appear alongside the Layer 3 flows. As NetFlow entries increase in the NetFlow table, performance degrades.

On the Supervisor Engine 1, if there is no space in the hardware NetFlow table to report VLAN flows, the packets are sent to the MSFC for software forwarding and the NetFlow Full Errors register is incremented.

On the Supervisor Engine 2, if a flow entry is not found in the NetFlow table, packets are forwarded and the NetFlow Full Errors register is incremented resulting in a loss of statistics.

To prevent the NetFlow table from overflowing, you can do the following:

Keep the flow mask at the least granular value. For example, if the protocol and Layer 4 port information is not required, set the flow mask to the destination-source or to the destination instead of to full flow.

Set the aging time to the least possible value (one second), depending on the traffic profile.

Enable bridged flow statistics only on the VLANs on which the intraVLAN statistics are required. InterVLAN statistics are reported by default.

Specifying an NDE Collector

Before enabling NDE for the first time, you must specify an NDE collector and UDP port to receive the exported statistics. The collector address and UDP port number are saved in NVRAM and are preserved if NDE is disabled and reenabled or if the switch is power cycled.


Note If you are using the NetFlow FlowCollector application for data collection, verify that the UDP port number that you specify is the same port number that is shown in the FlowCollector's nfconfig.file. This file is located at /opt/csconfc/config/nfconfig.file in the FlowCollector application.


To specify an NDE collector, perform this task in privileged mode:

Task: Specify an NDE collector and UDP port for data export of hardware-switched packets.
Command: set mls nde {collector_ip | collector_name} {udp_port_number}


This example shows how to specify an NDE collector:

Console> (enable) set mls nde Stargate 9996
Netflow data export not enabled.
Netflow data export to port 9996 on 172.20.15.1(Stargate)
Console> (enable)

Configuring NetFlow Switching on the MSFC

You must enable NetFlow switching on the MSFC Layer 3 interfaces to support NDE.

Refer to these publications for more information about configuring NetFlow switching on the MSFC:

Cisco IOS Switching Services Configuration Guide, Release 12.1, "NetFlow Switching," at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/switch_c/xcprt3/index.htm

Cisco IOS Switching Services Command Reference, Release 12.1, at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/switch_r/index.htm

These sections describe how to configure NetFlow switching on the MSFC:

Enabling NetFlow Switching

Configuring the MSFC NDE Source Interface

Configuring the NDE Destination

Enabling NetFlow Switching

To enable NetFlow switching, perform this task for each Layer 3 interface for which you want NDE:

 
Step 1: Select a VLAN interface to configure.
Command: Router(config)# interface vlan vlan_ID

Step 2: Enable NetFlow switching.
Command: Router(config-if)# ip route-cache flow

Configuring the MSFC NDE Source Interface

To configure the interface used as the source of the NDE packets containing statistics from the MSFC, perform this task:

Task: Configure the interface that is used as the source of the NDE packets containing statistics from the MSFC. Either select an interface configured with an IP address or use a loopback interface.
Command: Router(config)# ip flow-export source {vlan | loopback} number

This example shows how to configure a loopback interface as the NDE flow source:

Router(config)# ip flow-export source loopback 0 
Router(config)#

Configuring the NDE Destination

To configure the destination IP address and UDP port to receive the NDE statistics, perform this task:

Task: Configure the NDE destination IP address and UDP port.
Command: Router(config)# ip flow-export destination ip_address udp_port_number

This example shows how to configure the NDE flow destination IP address and UDP port:

Router(config)# ip flow-export destination 172.20.52.37 200
Router(config)#

Enabling NDE

To enable NDE, perform this task in privileged mode:

Task: Enable NDE on the switch.
Command: set mls nde enable


This example shows how to enable NDE on the switch:

Console> (enable) set mls nde enable
Netflow data export enabled.
Netflow data export to port 9996 on 172.20.15.1 (Stargate)
Console> (enable)

If you attempt to enable NDE without first specifying a collector, you see this display:

Console> (enable) set mls nde enable
Please set host name and UDP port number with `set mls nde <collector_ip> 
<udp_port_number>'.
Console> (enable)

Enabling and Disabling Bridged Flow Statistics on VLANs


Note This feature is supported on the Supervisor Engine 1 or 1A/PFC and on the Supervisor Engine 2/PFC2; no MSFC/MSFC2 is required. This feature is not supported on the Supervisor Engine 720.


Use the set mls bridged-flow-statistics command to enable or disable bridged flow statistics for specified VLANs. You can enter one or multiple VLANs.

To enable or disable bridged flow statistics for a VLAN or for a range of VLANs, perform this task in privileged mode:

Task: Enable or disable bridged flow statistics for a VLAN or for a range of VLANs.
Command: set mls bridged-flow-statistics {enable | disable} {vlanlist}


This example shows how to enable bridged flow statistics on the specified VLANs:

Console> (enable) set mls bridged-flow-statistics enable 1,20-21
Netflow statistics is enabled for bridged packets on vlan(s) 1,20-21.
Console> show mls nde
Netflow Data Export version: 7
Netflow Data Export enabled
Netflow Data Export configured for port 9991 on host 21.0.0.1
Total packets exported = 0
Bridged flow statistics is enabled on vlan(s) 1,20-21.
Console> 

Specifying a Destination Host Filter

To specify a destination host filter, perform this task in privileged mode:

Task: Specify a destination host filter for an NDE flow.
Command: set mls nde flow destination [ip_addr_spec]


This example shows how to specify a destination host filter so that only expired flows to host 171.69.194.140 are exported:

Console> (enable) set mls nde flow destination 171.69.194.140
Netflow Data Export successfully set
Destination filter is 171.69.194.140/255.255.255.255
Filter type: include
Console> (enable)

Specifying a Destination and Source Subnet Filter

To specify a destination and source subnet filter, perform this task in privileged mode:

Task: Specify a destination and source subnet filter for an NDE flow.
Command: set mls nde flow destination [ip_addr_spec] source [ip_addr_spec]


This example shows how to specify a destination and source subnet filter so that only expired flows to subnet 171.69.194.0 from subnet 171.69.173.0 are exported (assuming the flow mask is set to source-destination-ip):

Console> (enable) set mls nde flow destination 171.69.194.140/24 source 171.69.173.5/24
Netflow Data Export successfully set
Source filter is 171.69.173.0/24
Destination filter is 171.69.194.0/24
Filter type: include
Console> (enable)

Specifying a Destination TCP/UDP Port Filter

To specify a destination TCP/UDP port filter, perform this task in privileged mode:

Task: Specify a destination TCP/UDP port filter for an NDE flow.
Command: set mls nde flow dst_port [port_number]


This example shows how to specify a destination TCP/UDP port filter so that only expired flows to destination port 23 are exported (assuming the flow mask is set to ip-flow):

Console> (enable) set mls nde flow dst_port 23
Netflow Data Export successfully set
Destination port filter is 23
Filter type: include
Console> (enable)

Specifying a Source Host and Destination TCP/UDP Port Filter

To specify a source host and destination TCP/UDP port filter, perform this task in privileged mode:

Task: Specify a source host and destination TCP/UDP port filter for an NDE flow.
Command: set mls nde flow source [ip_addr_spec] dst_port [port_number]


This example shows how to specify a source host and destination TCP/UDP port filter so that only expired flows from host 171.69.194.140 to destination port 23 are exported (assuming the flow mask is set to ip-flow):

Console> (enable) set mls nde flow source 171.69.194.140 dst_port 23
Netflow Data Export successfully set
Source filter is 171.69.194.140/255.255.255.255
Destination port filter is 23
Filter type: include
Console> (enable)

Specifying a Protocol Filter

To specify a protocol filter, perform this task in privileged mode:

Task: Specify a protocol filter for an NDE flow.
Command: set mls nde flow protocol protocol


This example shows how to specify a protocol filter so that only expired flows from protocol 17 are exported:

Console> (enable) set mls nde flow protocol 17
Netflow Data Export filter successfully set.
Protocol filter is 17
Filter type: include
Console> (enable)

Specifying Protocols for Statistics Collection

You can enter the set mls statistics protocol protocol port command to specify up to 64 different protocols for which to collect statistics to be exported using NDE. The protocol argument can be ip, ipinip, icmp, igmp, tcp, or udp, or a decimal number for other protocol families. The port argument specifies the protocol port.

To specify protocols for statistics collection, perform this task in privileged mode:

Task: Specify protocols for statistics collection.
Command: set mls statistics protocol protocol port


This example shows how to specify a protocol for statistics collection:

Console> (enable) set mls statistics protocol 17 1934
Protocol 17 port 1934 is added to protocol statistics list.
Console> (enable)

Removing Protocols for Statistics Collection

You can enter the clear mls statistics protocol {protocol port | all} command to remove protocols from the list of protocols for which statistics are collected and exported using NDE. The protocol argument can be tcp, udp, icmp, or a decimal number for other protocol families. The port argument specifies the protocol port. Use the all keyword to remove all protocols from statistics collection.

To remove protocols for statistics collection, perform this task in privileged mode:

Task: Remove protocols for statistics collection.
Command: clear mls statistics protocol {protocol port | all}


This example shows how to remove a protocol for statistics collection:

Console> (enable) clear mls statistics protocol 17 1934
Protocol 17 port 1934 cleared from protocol statistics list.
Console> (enable)

Clearing the NDE Flow Filter

To clear the NDE flow filter and reset the filter to the default (all flows exported), perform this task in privileged mode:

Task: Clear the NDE flow filter.
Command: clear mls nde flow


This example shows how to clear the NDE flow filter so that all flows are exported:

Console> (enable) clear mls nde flow 
Netflow data export filter cleared.
Console> (enable)

Disabling NDE


Note With Supervisor Engine 1 and a PFC, if NDE is enabled and you disable MLS, you lose the statistics for existing cache entries—they are not exported.


To disable NDE on the switch, perform this task in privileged mode:

Task: Disable NDE on the switch.
Command: set mls nde disable


This example shows how to disable NDE on the switch:

Console> (enable) set mls nde disable
Netflow data export disabled.
Console> (enable)

Removing the NDE IP Address

To remove the NDE IP address from the MSFC, perform this task in global configuration mode:

Task: Remove the NDE IP address from the MSFC.
Command: Router(config)# no mls nde-address [ip_addr]


This example shows how to remove the NDE IP address from the MSFC:

Router(config)# no mls nde-address 170.170.2.1
Router(config)# 

Displaying the NDE Configuration

To display the NDE configuration on the switch, perform this task in privileged mode:

Task: Display the NDE configuration on the switch.
Command: show mls nde


This example shows how to display the NDE configuration on the switch:

Console> (enable) show mls nde
Netflow Data Export enabled
Netflow Data Export configured for port 1098 on host 172.20.15.1 
Source filter is 171.69.194.140/255.255.255.0
Destination port filter is 23
Total packets exported = 26784
Console> (enable)

This example shows how to display the NDE configuration when bridged flow statistics are enabled on the switch:

Console> (enable) show mls nde
Netflow Data Export version:7
Netflow Data Export enabled
Netflow Data Export configured for port 9991 on host 21.0.0.1
Total packets exported = 0
Bridged flow statistics is enabled on vlan(s) 1,20-21.