NetFlow lets you evaluate IP traffic and understand how and where it flows. NetFlow gives visibility into traffic transiting the virtual switch by characterizing IP traffic based on its source, destination, timing, and application information. This information is used to assess network availability and performance, assist in meeting regulatory requirements (compliance), and help with troubleshooting. NetFlow gathers data that can be used in accounting, network monitoring, and network planning.
A flow is a one-directional stream of packets that arrives on a source interface (or subinterface) and matches a set of criteria. All packets with the same source/destination IP address, source/destination ports, protocol, interface, and class of service are grouped into a flow, and the packets and bytes in that flow are then tallied. This condenses a large amount of network information into a database called the NetFlow cache.
You create a flow by defining the criteria it gathers. Flows are stored in the NetFlow cache. Flow information tells you the following:
A flow record defines the information that NetFlow gathers, such as packets in the flow and the types of counters gathered per flow. You can define new flow records or use the pre-defined Cisco Nexus 1000V flow record.
The following table describes the criteria defined in a flow record.
| Flow Record Criteria | Description |
|---|---|
| Match | Defines what information is matched for collection in the flow record. |
| Collect | Defines how the flow record collects information. |
```
switch# show flow record netflow-original
Flow record netflow-original:
    Description: Traditional IPv4 input NetFlow with origin ASs
    No. of users: 0
    Template ID: 0
    Fields:
        match ipv4 source address
        match ipv4 destination address
        match ip protocol
        match ip tos
        match transport source-port
        match transport destination-port
        match interface input
        match interface output
        match flow direction
        collect routing source as
        collect routing destination as
        collect routing next-hop address ipv4
        collect transport tcp flags
        collect counter bytes
        collect counter packets
        collect timestamp sys-uptime first
        collect timestamp sys-uptime last
switch#
```

Note: Although the following lines appear in the output of the show flow record command, the commands they are based on are not currently supported in Cisco Nexus 1000V. The use of these commands has no effect on the configuration.

```
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
```
```
switch# show flow record netflow ipv4 original-input
Flow record ipv4 original-input:
    Description: Traditional IPv4 input NetFlow
    No. of users: 0
    Template ID: 0
    Fields:
        match ipv4 source address
        match ipv4 destination address
        match ip protocol
        match ip tos
        match transport source-port
        match transport destination-port
        match interface input
        match interface output
        match flow direction
        collect routing source as
        collect routing destination as
        collect routing next-hop address ipv4
        collect transport tcp flags
        collect counter bytes
        collect counter packets
        collect timestamp sys-uptime first
        collect timestamp sys-uptime last
switch#
```
```
switch# show flow record netflow ipv4 original-output
Flow record ipv4 original-output:
    Description: Traditional IPv4 output NetFlow
    No. of users: 0
    Template ID: 0
    Fields:
        match ipv4 source address
        match ipv4 destination address
        match ip protocol
        match ip tos
        match transport source-port
        match transport destination-port
        match interface input
        match interface output
        match flow direction
        collect routing source as
        collect routing destination as
        collect routing next-hop address ipv4
        collect transport tcp flags
        collect counter bytes
        collect counter packets
        collect timestamp sys-uptime first
        collect timestamp sys-uptime last
switch#
```
```
switch# show flow record netflow protocol-port
Flow record ipv4 protocol-port:
    Description: Protocol and Ports aggregation scheme
    No. of users: 0
    Template ID: 0
    Fields:
        match ip protocol
        match transport source-port
        match transport destination-port
        match interface input
        match interface output
        match flow direction
        collect counter bytes
        collect counter packets
        collect timestamp sys-uptime first
        collect timestamp sys-uptime last
switch#
```
There are two primary methods used to access NetFlow data:
Use the Command Line Interface (CLI) to access NetFlow data, and to view what is happening in your network now.
The CLI uses the Flow Monitor and Flow Exporter to capture and export flow records to the NetFlow Collector. Cisco Nexus 1000V supports the NetFlow Version 9 export format.

Note: Cisco Nexus 1000V supports UDP as the transport protocol for exporting data to up to two exporters per monitor.
A flow monitor creates an association between the following NetFlow components:
This flow monitor association enables a set, consisting of a record and an exporter, to be defined once and re-used many times. Multiple flow monitors can be created for different needs. A flow monitor is applied to a specific interface in a specific direction.
Use the flow exporter to define where the flow records are sent from the cache to the reporting server, called the NetFlow Collector. An exporter definition includes the following.
You can export NetFlow from the Cisco Nexus 1000V NetFlow cache to a reporting server called the NetFlow Collector. The NetFlow Collector assembles the exported flows and combines them to produce reports used for traffic and security analysis. NetFlow export, unlike SNMP polling, pushes information periodically to the NetFlow reporting collector. The NetFlow cache is constantly filling with flows. Cisco Nexus 1000V searches the cache for flows that have terminated or expired and exports them to the NetFlow collector server.
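The export described above arrives at the collector as NetFlow Version 9 packets: a header, template flowsets that describe the record layout, and data flowsets decoded against those templates. The following is an added example of the collector side, not code from the Cisco guide; it parses a v9 packet carrying the fields of the netflow-original record, and the sample packet it builds is constructed here with documentation-range addresses.

```python
import socket
import struct

# NetFlow v9 field types (RFC 3954) covering the fields in the netflow-original record.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "tos", 6: "tcp_flags",
               7: "src_port", 8: "src_addr", 10: "input_if", 11: "dst_port", 12: "dst_addr",
               14: "output_if", 21: "last_switched", 22: "first_switched", 61: "direction"}

def parse_v9(packet, templates):
    """Parse one NetFlow v9 export packet into a list of decoded flow records.
    `templates` maps (source_id, template_id) -> [(field_type, length), ...] and is kept
    by the caller, because templates and data records may arrive in different packets."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed flowset length")
        body, off, pos = packet[off + 4:off + fs_len], off + fs_len, 0
        if fs_id == 0:                      # template flowset, may carry several templates
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                templates[(source_id, tid)] = list(struct.iter_unpack("!HH", body[pos + 4:pos + 4 + 4 * nfields]))
                pos += 4 + 4 * nfields
        elif fs_id > 255:                   # data flowset, decoded with its template
            spec = templates.get((source_id, fs_id))
            rec_len = sum(length for _, length in spec) if spec else 0
            while rec_len and pos + rec_len <= len(body):   # leftover bytes are padding
                rec = {}
                for ftype, flen in spec:
                    raw, pos = body[pos:pos + flen], pos + flen
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = socket.inet_ntoa(raw) if name.endswith("_addr") else int.from_bytes(raw, "big")
                records.append(rec)
    return records

def build_sample_packet():
    """Constructed sample export: one template (id 256) matching the record's field layout,
    followed by one data record. Addresses are from documentation ranges, not real traffic."""
    spec = [(8, 4), (12, 4), (4, 1), (5, 1), (7, 2), (11, 2), (10, 2), (14, 2), (61, 1), (6, 1),
            (1, 4), (2, 4), (22, 4), (21, 4)]
    tmpl = struct.pack("!HH", 256, len(spec)) + b"".join(struct.pack("!HH", t, l) for t, l in spec)
    data = (socket.inet_aton("192.0.2.10") + socket.inet_aton("198.51.100.20")
            + struct.pack("!BBHHHHBBIIII", 6, 0, 51234, 443, 3, 5, 1, 0x18, 8800, 12, 1000, 4200))
    header = struct.pack("!HHIIII", 9, 2, 4200, 1700000000, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
```

A data flowset that arrives before its template is skipped rather than guessed at, which is the behaviour a real collector needs because the switch resends templates only on its template timeout.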
The following steps implement NetFlow data reporting:
Timers determine when a flow is exported to the NetFlow Collector Server. A flow is ready for export when one of the following occurs:
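The flow key described earlier and the timers described here can be modelled in a few lines. The following is an added example, not code from the Cisco guide: a minimal NetFlow cache that tallies packets and bytes per key (source/destination address, source/destination port, protocol, interface, class of service) and marks a flow ready for export when the inactive or active timeout elapses, using the guide's default values of 300 and 1800 seconds and the 65536-entry cache size.

```python
from dataclasses import dataclass

# Flow monitor defaults from this guide, in seconds and entries.
ACTIVE_TIMEOUT = 1800     # a long-lived flow is exported at least this often
INACTIVE_TIMEOUT = 300    # a flow is exported once no packet has matched it for this long
CACHE_SIZE = 65536        # flow monitor cache size

@dataclass
class Flow:
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0

class FlowCache:
    """Model of the NetFlow cache: packets sharing one key are tallied into a single
    flow; a flow leaves the cache when a timeout makes it ready for export."""

    def __init__(self, max_entries=CACHE_SIZE):
        self.max_entries = max_entries
        self.flows = {}

    def add_packet(self, src, dst, sport, dport, proto, iface, tos, length, now):
        key = (src, dst, sport, dport, proto, iface, tos)
        flow = self.flows.get(key)
        if flow is None:
            if len(self.flows) >= self.max_entries:
                return None              # cache full: expire flows before accepting new ones
            flow = self.flows[key] = Flow(first_seen=now, last_seen=now)
        flow.packets += 1
        flow.bytes += length
        flow.last_seen = now
        return flow

    def ready_for_export(self, now):
        """Remove and return (key, flow) pairs whose inactive or active timeout has elapsed.
        A flow that keeps sending after an active-timeout export starts a fresh entry."""
        ready = []
        for key, flow in list(self.flows.items()):
            idle = now - flow.last_seen >= INACTIVE_TIMEOUT
            long_lived = now - flow.first_seen >= ACTIVE_TIMEOUT
            if idle or long_lived:
                ready.append((key, self.flows.pop(key)))
        return ready
```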
The following figure shows an example of NetFlow data.
You can also use the Cisco Network Analysis Module (NAM) to monitor NetFlow data sources. NAM enables traffic analysis views and reports such as hosts, applications, conversations, VLAN, and QoS.
Cisco Nexus 1000V supports stateful restarts for NetFlow. After a reboot or supervisor switchover, Cisco Nexus 1000V applies the running configuration.
Note: The routing-related fields in this predefined flow record are ignored.

| Parameters | Default |
|---|---|
| NetFlow version | 9 |
| source interface | mgmt0 |
| match | direction and interface (incoming/outgoing) |
| flow monitor active timeout | 1800 |
| flow monitor inactive timeout | 300 |
| flow monitor cache size | 65536 |
| flow exporter UDP port (transport udp command) | 9995 |
| DSCP | default/best-effort (0) |
| VRF | default |
You are logged in to the CLI in EXEC mode.
This example shows how to enable the NetFlow feature:
```
switch# configure terminal
switch(config)# feature netflow
switch(config)#
```
Configuring NetFlow
Note: Although the following lines appear in the output of the show flow record command, the commands they are based on are not currently supported in Cisco Nexus 1000V. The use of these commands has no effect on the configuration.

```
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
```
The following example shows how to create a flow record:
```
switch# configure terminal
switch(config)# flow record RecordTest
switch(config-flow-record)# description Ipv4flow
switch(config-flow-record)# match ipv4 destination address
switch(config-flow-record)# collect counter packets
switch(config-flow-record)# show flow record RecordTest
Flow record RecordTest:
    Description: Ipv4flow
    No. of users: 0
    Template ID: 0
    Fields:
        match ipv4 destination address
        match interface input
        match interface output
        match flow direction
        collect counter packets
switch(config-flow-record)#
```
A Flow Exporter defines where and how Flow Records are exported to the NetFlow Collector Server.
The following example displays the output of the command show flow exporter [exp2-192]:
```
switch(config-flow-exporter)# show flow exporter ExportTest
Flow exporter exp2-192:
    Destination: 10.106.192.200
    VRF: management (1)
    Destination UDP Port 9012
    Source IP Address 10.106.192.137/24
    Export from Line Card
    Export Version 9
    Data template timeout 1800 seconds
    Exporter Statistics
        Number of Flow Records Exported 27060
        Number of Templates Exported 175
        Number of Export Packets Sent 10674
        Number of Export Bytes Sent 595388
        Number of Destination Unreachable Events 0
        Number of No Buffer Events 0
        Number of Packets Dropped (No Route to Host) 0
        Number of Packets Dropped (other) 0
        Number of Packets Dropped (LC to RP Error) 0
        Number of Packets Dropped (Output Drops) 0
        Time statistics were last cleared: Never
```
A Flow Monitor is associated with a Flow Record and a Flow Exporter.
A maximum of one flow monitor per interface per direction is permitted.
The following example shows how to create a flow monitor:
```
switch# configure terminal
switch(config)# flow monitor MonitorTest
switch(config-flow-monitor)# description Ipv4Monitor
switch(config-flow-monitor)# exporter ExportTest
switch(config-flow-monitor)# record RecordTest
switch(config-flow-monitor)# show flow monitor MonitorTest
Flow Monitor monitortest:
    Description :Ipv4Monitor
    Use count: 0
    Flow Record: RecordTest
    Flow Exporter: ExportTest
switch(config-flow-monitor)#
```
The following example shows how to assign a flow monitor to an interface:
```
switch# configure terminal
switch(config)# interface veth 2
switch(config-if)# ip flow monitor MonitorTest output
switch(config-if)# show flow interface veth 2
Interface veth 2:
    Monitor: MonitorTest
    Direction: Output
switch(config-if)#
```
This example shows how to add a flow monitor to a port profile:
```
switch# configure terminal
switch(config)# port-profile AccessProf
switch(config-port-prof)# ip flow monitor allaccess4 output
switch(config-port-prof)# show port-profile name AccessProf
port-profile AccessProf
  type: vethernet
  status: disabled
  capability l3control: no
  pinning control-vlan: -
  pinning packet-vlan: -
  system vlans: none
  port-group:
  max ports: 32
  inherit:
  config attributes:
    ip flow monitor allaccess4 output
  evaluated config attributes:
    ip flow monitor allaccess4 output
  assigned interfaces:
switch(config-port-prof)#
```
Use one of the following commands to verify the configuration:
| Command | Purpose |
|---|---|
| show flow exporter [name] | Displays information about NetFlow flow exporter maps. |
| show flow interface [interface-type number] | Displays information about NetFlow interfaces. |
| show flow monitor [name [cache module number \| statistics module number]] | Displays information about NetFlow flow monitors. |
| show flow record [name] | Displays information about NetFlow flow records. |
| Related Topic | Document Title |
|---|---|
| Cisco NetFlow Overview | http://cisco.com/en/US/products/ps6601/products_ios_protocol_group_home.html |
This table includes only the updates for those releases that have resulted in additions or changes to the feature.
| Feature Name | Releases | Feature Information |
|---|---|---|
| NetFlow | Release 5.2(1)IC1(1.2) | NetFlow was introduced. |