Configuring Flexible NetFlow

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for NetFlow Lite

The following are prerequisites for your NetFlow Lite configuration:

  • NetFlow Lite is only supported on switches running the LAN Base image. Switches running the LAN Lite image do not support NetFlow Lite.

  • Two targets for attaching a NetFlow Lite monitor are supported:

    • Port—Monitor attachment is only supported on physical interfaces and not on logical interfaces, such as EtherChannels.

    • VLAN—Monitor attachment is supported on VLAN interfaces only (SVI) and not on a Layer 2 VLAN.

Restrictions for NetFlow Lite

The following are restrictions for NetFlow Lite:

  • Monitor restrictions:

    • Monitor attachment is only supported in the ingress direction.

    • One monitor per interface is supported, although multiple exporters per interface are supported.

    • Only permanent and normal cache is supported for the monitor; immediate cache is not supported.

    • Changing any monitor parameter is not supported while the monitor is applied to an interface or VLAN.

    • When both a port and its VLAN have monitors attached, the VLAN monitor overrides the port monitor for traffic arriving on the port.

    • The flow monitor type and the traffic type (IPv4, IPv6, or data link) must be the same for flows to be created.

    • You cannot attach an IP and port-based monitor to an interface at the same time on the switch. A 48-port switch supports a maximum of 48 monitors (IP or port-based) and for 256 SVIs, you can configure up to 256 monitors (IP or port-based).

    • When running the show flow monitor flow_name cache command, the switch displays cache information from an earlier switch software version (Catalyst 2960-S) with all fields entered as zero. Ignore these fields, as they are inapplicable to the switch.

  • Sampler restrictions:

    • Only sampled NetFlow is supported.

    • For both ports and VLANs, a total of only 4 samplers (random or deterministic) are supported on the switch.

    • The sampling minimum rate for both modes is 1 out of 32 flows, and the sampling maximum rate for both modes is 1 out of 1022 flows.

    • You must associate a sampler with a monitor while attaching it to an interface. Otherwise, the command will be rejected. Use the ip flow monitor monitor_name sampler sampler_name input interface configuration command to perform this task.

    • When you attach a monitor using a deterministic sampler (for example, s1), every attachment with the same sampler s1 uses one new free sampler from the switch (hardware) out of 4 available samplers. You are not allowed to attach a monitor with any sampler, beyond 4 attachments.

      When you attach a monitor using a random sampler (for example, s2), only the first attachment uses a new sampler from the switch (hardware). The remainder of all of the attachments using the same sampler s2, share the same sampler.

      Because of this behavior, when using a deterministic sampler, you can always make sure that the correct number of flows are sampled by comparing the sampling rate and what the switch sends. If the same random sampler is used with multiple interfaces, flows from any interface can always be sampled, and flows from other interfaces can always be skipped.

  • Stacking Restrictions:

    • The switch supports homogeneous stacking and mixed stacking. Mixed stacking is supported only with the Catalyst 2960-S switches. A homogenous stack can have up to eight stack members, while a mixed stack can have up to four stack members. All switches in a switch stack must be running the LAN Base image.

    • The switch supports NetFlow Lite running on a mixed stack configuration, where both Catalyst 2960-X and Catalyst 2960-S switches reside in the same stack. But in such a mixed stack configuration, the master switch must always be a Catalyst 2960-X switch. The Catalyst 2960-S switch must never be the master switch in this type of mixed stack configuration.

    • Each switch in a stack (hardware) can support the creation of a maximum of 16,000 flows at any time. But because the flows are periodically pushed to the software cache, the software cache can hold a much larger number of flows (1048 Kb flows). From the hardware flow cache, every 20 seconds (termed the poll timer), 200 flows (termed poll entries) are pushed to software.

      • Use the remote command all show platform hulc-fnf poll command to report on each switch's current NetFlow polling parameters.

      • Use the show platform hulc-fnf poll command to report on the master switch's current NetFlow polling parameters.

  • Network flows and statistics are collected at the line rate.

  • ACL-based NetFlow is not supported.

  • Only NetFlow Version 9 is supported for Flexible NetFlow exporter using the export-protocol command option. If you configure NetFlow Version 5, this version will be accepted, but the NetFlow Version 5 export functionality is neither currently available nor supported.

Information About NetFlow Lite

NetFlow Lite Overview

NetFlow Lite uses flows to provide statistics for accounting, network monitoring, and network planning.

A flow is a unidirectional stream of packets that arrives on a source interface and has the same values for the keys. A key is an identified value for a field within the packet. You create a flow using a flow record to define the unique keys for your flow.

The switch supports the NetFlow Lite feature, which enables enhanced detection of network anomalies and security events. NetFlow Lite allows you to define an optimal flow record for a particular application by selecting the keys from a large collection of predefined fields.

All key values must match for the packet to count in a given flow. A flow might gather other fields of interest, depending on the export record version that you configure. Flows are stored in the NetFlow Lite cache.

You can use an exporter to send the data that NetFlow Lite gathers for your flow to a remote system such as a NetFlow Lite collector. The NetFlow Lite collector can use an IPv4 address.

You define the size of the data that you want to collect for a flow using a monitor. The monitor combines the flow record and exporter with the NetFlow Lite cache information.

Flow Records

A flow record defines the keys that NetFlow Lite uses to identify packets in the flow, as well as other fields of interest that NetFlow Lite gathers for the flow. You can define a flow record with any combination of keys and fields of interest.

A flow record also defines the types of counters gathered per flow. You can configure 64-bit packet or byte counters.


NetFlow Lite Match Parameters

The following table describes NetFlow Lite match parameters. Use these match parameters when creating a NetFlow Lite flow record. You must configure at least one of the following match parameters for the flow records.

Table 1 Match Parameters

Command

Purpose

match datalink {ethertype | mac {destination address input | source address input}}

Specifies a match to datalink or Layer 2 fields. The following command options are available:

  • ethertype—Matches to the ethertype of the packet.

  • mac—Matches the source or destination MAC address from packets at input.

Note

When a datalink flow monitor is assigned to an interface or VLAN, it creates flows only for non-IPv4 and non-IPv6 traffic. To monitor datalink (Layer 2) traffic flows, use the datalink flow monitor name sampler sampler-name {input} interface configuration command. This command associates a datalink Layer 2 flow monitor and its required sampler with the interface for input packets.

To monitor IPv4 traffic flows, use the ip flow monitor name sampler sampler-name {input} interface configuration command. This command associates an IPv4 flow monitor and its required sampler with the interface for input packets.

To monitor IPv6 traffic flows, use the ipv6 flow monitor name sampler sampler-name {input} interface configuration command. This command associates an IPv6 flow monitor and its required sampler with the interface for input packets.

match ipv4 {destination {address} | protocol | source {address} | tos}

Specifies a match to the IPv4 fields. The following command options are available:

  • destination—Matches to the IPv4 destination address-based fields.

  • protocol—Matches to the IPv4 protocols.

  • source—Matches to the IPv4 source address-based fields.

  • tos—Matches to the IPv4 Type of Service fields.

match ipv6 {destination {address} | flow-label | protocol | source {address} | traffic-class}

Specifies a match to the IPv6 fields. The following command options are available:

  • destination—Matches to the IPv6 destination address-based fields.

  • flow-label—Matches to the IPv6 flow-label fields.

  • protocol—Matches to the IPv6 payload protocol fields.

  • source—Matches to the IPv6 source address-based fields.

  • traffic-class—Matches to the IPv6 traffic class.

match transport {destination-port | source-port}

Specifies a match to the Transport Layer fields. The following command options are available:

  • destination-port—Matches to the transport destination port.

  • source-port—Matches to the transport source port.

NetFlow Lite Collect Parameters

The following table describes the NetFlow Lite collect parameters. Use these collect parameters when creating a NetFlow Lite flow record.

Table 2 Collect Parameters

Command

Purpose

collect counter {bytes {long | permanent} | packets {long | permanent}}

Collects the counter fields total bytes and total packets.

collect flow sampler

Collects the ID of the flow sampler to find out the sampling rate.

collect interface {input}

Collects the fields from the input interface.

collect timestamp sys-uptime {first | last}

Collects the time at which the first packet of the flow was seen, or the time at which the most recent packet was seen, in milliseconds of system uptime.

collect transport tcp flags

Collects the following transport TCP flags:
  • ack—TCP acknowledgement flag

  • cwr—TCP congestion window reduced flag

  • ece—TCP ECN echo flag

  • fin—TCP finish flag

  • psh—TCP push flag

  • rst—TCP reset flag

  • syn—TCP synchronize flag

  • urg—TCP urgent flag

Exporters

An exporter contains network layer and transport layer details for the NetFlow Lite export packet. The following table lists the configuration options for an exporter.

Table 3 NetFlow Lite Exporter Configuration Options

Exporter Configuration

Description

default

Sets a command to its default values. You can set the following defaults:

  • description

  • destination

  • dscp

  • export-protocol

  • option

    • exporter-stats—Exporter statistics option

    • interface-table—Interface SNMP-index-to-name table option

    • sampler-table—Export sampler option

  • source

  • template data timeout

  • transport

  • ttl

description

Provides a description for the flow exporter.

destination

Export destination.

dscp

Optional DSCP value.

Enter a DSCP value from 0 to 63.

exit

Exits from the flow exporter configuration mode.

export-protocol

Export protocol version.

no

Negates the command or its default.

option

Selects option for exporting:

  • exporter-stats—Exporter statistics option

  • interface-table—Interface SNMP-index-to-name table option

  • sampler-table—Export sampler option

source

Originating (source) interface for the NetFlow export packets.

template

Flow exporter template configuration.

transport

Transport protocol.

Enter the UDP transport protocol and a port value. Enter a port value from 1 to 65535.

ttl

Optional TTL or hop limit. Enter a TTL value from 1 to 255.

The switch exports data to the collector whenever a timeout occurs, or when the flow is terminated (TCP Fin or Rst received, for example), or when the cache is full. You can configure the following timers in the flow monitor record to force a flow export:

  • Active timeout—The flow has continued to receive packets for m seconds since it was created.

  • Inactive timeout—The flow does not have any packets for the past n seconds.

Export Formats

The switch supports only NetFlow Version 9 export formats. NetFlow Version 9 export format provides the following features and functionality:

  • Variable field specification format

  • Support for IPv6 and Layer 2 fields

  • More efficient network utilization

Note

For information about the Version 9 export format, see RFC 3954.

Monitors

A monitor references the flow record and flow exporter. You apply a monitor to an interface on the switch.


Samplers

You use a NetFlow Lite sampler to specify the rate at which packets are being sampled. The switch supports both deterministic and random modes of sampling.


Stacking

NetFlow Lite is supported on both homogenous and mixed switch stacks.

Each stack member maintains its own NetFlow information, as if it were a standalone switch. When you enter a show EXEC command, the master switch queries the stack members to obtain their information. During an export, the member switches send the flow packets to the master switch, because member switches cannot route packets. Therefore, export always occurs from the master switch.

During a switchover, previous monitor configurations are not applied, and the new master switch synchronizes the configuration to all stack members. Member switches reapply the configuration on the respective stack members.

Note

The exported flow record's source ID is different between the master switch and a member switch. When a flow export collector receives the exported flow record, the source ID is switch# if the switch is the master switch. If the flow was created by a member switch, the source ID is 0x0100switch#. For example, if switch#1 is the master switch, the flow record's source ID is 0x0001 (1); if switch#2 is a member switch, the source ID is 0x0102 (258).

In a mixed stack, the NetFlow Lite CLI remains available for configuration, but monitor attachment is not supported on a Catalyst 2960-S switch interface. When a monitor is attached to a VLAN, interfaces belonging to the Catalyst 2960-S switch ignore it and only the Catalyst 2960-X switch programs NetFlow in hardware.
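A collector receiving exports from a stack has to read the Version 9 packet header (Export Formats, RFC 3954) and apply the source-ID rule from the stacking note to tell master-switch records from member-switch records. This added example is not part of the Cisco document: it parses the 20-byte RFC 3954 header, decodes the source ID into a stack member number, and tracks the per-source-ID sequence number to detect lost export packets. All packet bytes it handles are constructed with its own helper.

```python
"""Parse a NetFlow Version 9 export packet header and decode the source ID."""
import struct
from typing import Dict

# RFC 3954 packet header, big-endian: version, count, sysUpTime (ms),
# UNIX secs, sequence number, source ID.
V9_HEADER = struct.Struct("!HHIIII")
MEMBER_TAG = 0x0100   # prefix the stacking note gives for member-switch flows


def decode_source_id(source_id: int) -> Dict[str, int]:
    """Return the stack switch number and whether it is a member switch.

    Rule from the stacking note: 0x0001 -> switch 1 (master);
    0x0102 (258) -> switch 2 (member).
    """
    is_member = (source_id & 0xFF00) == MEMBER_TAG
    return {"switch": source_id & 0xFF, "member": int(is_member)}


def parse_v9_header(packet: bytes) -> Dict[str, int]:
    """Unpack the header fields; reject anything that is not Version 9."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("packet shorter than a Version 9 header")
    version, count, uptime, unix_secs, seq, source_id = V9_HEADER.unpack_from(packet)
    if version != 9:
        # The switch only exports Version 9 (see Export Formats above).
        raise ValueError(f"unexpected NetFlow version {version}")
    hdr = {"version": version, "count": count, "sys_uptime_ms": uptime,
           "unix_secs": unix_secs, "sequence": seq, "source_id": source_id}
    hdr.update(decode_source_id(source_id))
    return hdr


def build_v9_header(count: int, uptime: int, unix_secs: int,
                    seq: int, source_id: int) -> bytes:
    """Constructed-data helper: build a header the way an exporter would."""
    return V9_HEADER.pack(9, count, uptime, unix_secs, seq, source_id)


def track_sequence(last_seen: Dict[int, int], hdr: Dict[str, int]) -> int:
    """Return how many export packets were missed from this source ID.

    RFC 3954 sequence numbers count export packets per observation domain
    (source ID), so a collector must keep one counter per source ID; in a
    stack, master and member records arrive under different IDs.
    """
    sid = hdr["source_id"]
    missed = 0
    if sid in last_seen:
        missed = (hdr["sequence"] - last_seen[sid] - 1) & 0xFFFFFFFF
    last_seen[sid] = hdr["sequence"]
    return missed
```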

Default Settings

The following table lists the NetFlow Lite default settings for the switch.

Table 4 Default NetFlow Lite Settings

Setting

Default

Flow active timeout

1800 seconds

Note

The default value for this setting may be too high for your specific NetFlow Lite configuration. You may want to consider changing it to a lower value of 180 or 300 seconds.

Flow timeout inactive

Enabled, 30 seconds

Flow update timeout

1800 seconds

Default cache size

16640 bits

How to Configure NetFlow Lite

To configure NetFlow Lite, follow these general steps:

  1. Create a flow record by specifying keys and non-key fields to the flow.

  2. Create an optional flow exporter by specifying the protocol and transport destination port, destination, and other parameters.

  3. Create a flow monitor based on the flow record and flow exporter.

  4. Create a sampler (either deterministic or random).

  5. Apply the flow monitor to a Layer 2 port or VLAN.

Creating a Flow Record

You can create a flow record and add keys to match on and fields to collect in the flow.

SUMMARY STEPS

    1.    configure terminal

    2.    flow record name

    3.    description string

    4.    match type

    5.    collect type

    6.    end

    7.    show flow record [name record-name]

    8.    copy running-config startup-config


DETAILED STEPS

Step 1: configure terminal

Example:
Switch# configure terminal

Enters global configuration mode.

Step 2: flow record name

Example:
Switch(config)# flow record test
Switch(config-flow-record)#

Creates a flow record and enters flow record configuration mode.

Step 3: description string

Example:
Switch(config-flow-record)# description Ipv4Flow

(Optional) Describes this flow record with a string of up to 63 characters.

Step 4: match type

Example:
Switch(config-flow-record)# match ipv4 source address
Switch(config-flow-record)# match ipv4 destination address
Switch(config-flow-record)# match ipv4 protocol

Specifies a match key.

For information about possible match key values, see NetFlow Lite Match Parameters.

Step 5: collect type

Example:
Switch(config-flow-record)# collect counter bytes long
Switch(config-flow-record)# collect timestamp sys-uptime first
Switch(config-flow-record)# collect transport tcp flags

Specifies a collection field.

For information about possible collection field values, see NetFlow Lite Collect Parameters.

Step 6: end

Example:
Switch(config-flow-record)# end

Returns to privileged EXEC mode.

Step 7: show flow record [name record-name]

Example:
Switch# show flow record test

(Optional) Displays information about NetFlow flow records.

Step 8: copy running-config startup-config

Example:
Switch# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

What to Do Next

Define an optional flow exporter by specifying the export format, protocol, destination, and other parameters.


Creating a Flow Exporter

You can create a flow exporter to define the export parameters for a flow.

SUMMARY STEPS

    1.    configure terminal

    2.    flow exporter name

    3.    description string

    4.    dscp value

    5.    destination {ipv4-address}

    6.    source {source type}

    7.    transport udp number

    8.    end

    9.    show flow exporter [name exporter-name]

    10.    copy running-config startup-config


DETAILED STEPS

Step 1: configure terminal

Example:
Switch# configure terminal

Enters global configuration mode.

Step 2: flow exporter name

Example:
Switch(config)# flow exporter ExportTest
Switch(config-flow-exporter)#

Creates a flow exporter and enters flow exporter configuration mode.

Step 3: description string

Example:
Switch(config-flow-exporter)# description ExportV9

(Optional) Describes this flow exporter with a string of up to 63 characters.

Step 4: dscp value

Example:
Switch(config-flow-exporter)# dscp 0

(Optional) Specifies the differentiated services code point value. The range is from 0 to 63.

Step 5: destination {ipv4-address}

Example:
Switch(config-flow-exporter)# destination 192.0.2.1

Sets the destination IPv4 address or hostname for this exporter.

Step 6: source {source type}

Example:
Switch(config-flow-exporter)# source gigabitEthernet1/0/1

Specifies the interface to use to reach the NetFlow collector at the configured destination.

Step 7: transport udp number

Example:
Switch(config-flow-exporter)# transport udp 200

(Optional) Specifies the UDP port to use to reach the NetFlow collector. The range is from 0 to 65535.

Step 8: end

Example:
Switch(config-flow-exporter)# end

Returns to privileged EXEC mode.

Step 9: show flow exporter [name exporter-name]

Example:
Switch# show flow exporter ExportTest

(Optional) Displays information about NetFlow flow exporters.

Step 10: copy running-config startup-config

Example:
Switch# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

What to Do Next

Define a flow monitor based on the flow record and flow exporter.


Creating a Flow Exporter Using a Template

You can create a flow exporter that uses a template to define the export parameters for a flow.

SUMMARY STEPS

    1.    configure terminal

    2.    flow exporter name

    3.    description string

    4.    destination {ipv4-address}

    5.    source {source type}

    6.    transport udp number

    7.    template data timeout timeout_value

    8.    option interface-table

    9.    option sampler-table

    10.    end

    11.    show flow exporter [name exporter-name]

    12.    copy running-config startup-config


DETAILED STEPS

Step 1: configure terminal

Example:
Switch# configure terminal

Enters global configuration mode.

Step 2: flow exporter name

Example:
Switch(config)# flow exporter FE
Switch(config-flow-exporter)#

Creates a flow exporter and enters flow exporter configuration mode.

Step 3: description string

Example:
Switch(config-flow-exporter)# description ExportV9

(Optional) Describes this flow exporter with a string of up to 63 characters.

Step 4: destination {ipv4-address}

Example:
Switch(config-flow-exporter)# destination 192.0.2.1

Sets the destination IPv4 address or hostname for this exporter.

Step 5: source {source type}

Example:
Switch(config-flow-exporter)# source Vlan 10

Specifies the VLAN to use to reach the NetFlow collector at the configured destination.

Step 6: transport udp number

Example:
Switch(config-flow-exporter)# transport udp 2055

(Optional) Specifies the UDP port to use to reach the NetFlow collector. The range is from 0 to 65535.

Step 7: template data timeout timeout_value

Example:
Switch(config-flow-exporter)# template data timeout 60

Sets the template data timeout (in seconds); the template is resent at this interval so that the collector can interpret the flow record contents.

Step 8: option interface-table

Example:
Switch(config-flow-exporter)# option interface-table

Exports the interface SNMP-index-to-name table option.

Step 9: option sampler-table

Example:
Switch(config-flow-exporter)# option sampler-table

Exports the sampler table option.

Step 10: end

Example:
Switch(config-flow-exporter)# end

Returns to privileged EXEC mode.

Step 11: show flow exporter [name exporter-name]

Example:
Switch# show flow exporter FE

(Optional) Displays information about NetFlow flow exporters.

Step 12: copy running-config startup-config

Example:
Switch# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Creating a Flow Monitor

You can create a flow monitor and associate it with a flow record and a flow exporter.

SUMMARY STEPS

    1.    configure terminal

    2.    flow monitor name

    3.    description string

    4.    exporter name

    5.    record name

    6.    cache type {normal | permanent}

    7.    cache timeout {active | inactive | update} seconds

    8.    cache entries value

    9.    end

    10.    show flow monitor [name monitor-name]

    11.    copy running-config startup-config


DETAILED STEPS

Step 1: configure terminal

Example:
Switch# configure terminal

Enters global configuration mode.

Step 2: flow monitor name

Example:
Switch(config)# flow monitor MonitorTest
Switch(config-flow-monitor)#

Creates a flow monitor and enters flow monitor configuration mode.

Step 3: description string

Example:
Switch(config-flow-monitor)# description Ipv4Monitor

(Optional) Describes this flow monitor with a string of up to 63 characters.

Step 4: exporter name

Example:
Switch(config-flow-monitor)# exporter ExportTest

Associates a flow exporter with this flow monitor.

Step 5: record name

Example:
Switch(config-flow-monitor)# record test

Associates a flow record with the specified flow monitor.

Step 6: cache type {normal | permanent}

Example:
Switch(config-flow-monitor)# cache type normal

Sets the flow cache type for the specified flow monitor. The example specifies the normal cache type, which is the default. Entries in a normal cache are aged out according to the timeout active seconds and timeout inactive seconds settings. When a cache entry is aged out, it is removed from the cache and exported via any exporters configured for the monitor associated with the cache.

This command can also specify the permanent cache type. This type of cache never ages out any flows. It is useful when the number of flows you expect to see has a limit and there is a need to keep long-term statistics on the switch. For example, if the only key field is tos, at most 256 flows can be seen, so to monitor the long-term usage of the field, a permanent cache can be used. Update messages are exported via any exporters configured for the monitor associated with this cache in accordance with the timeout update seconds setting.

Step 7: cache timeout {active | inactive | update} seconds

Example:
Switch(config-flow-monitor)# cache timeout active 15000

Sets a cache timeout value (in seconds) for the specified flow monitor; the example sets the active timeout.

cache timeout active — Controls the aging behavior of the normal type of cache. If a flow has been active for a long time, it is usually desirable to age it out (starting a new flow for any subsequent packets in the flow). This age-out process allows the monitoring application that is receiving the exports to remain up to date. By default this timeout is 1800 seconds (30 minutes), but it can be adjusted according to system requirements. A larger value ensures that long-lived flows are accounted for in a single flow record; a smaller value results in a shorter delay between starting a new long-lived flow and exporting some data for it.

cache timeout inactive — Controls the aging behavior of the normal type of cache. If a flow has not seen any activity for the specified amount of time, that flow is aged out. By default, this timeout is 30 seconds, but this value can be adjusted depending on the type of traffic expected. If a large number of short-lived flows is consuming many cache entries, reducing the inactive timeout can reduce this overhead. If a large number of flows frequently get aged out before they have finished collecting their data, increasing this timeout can result in better flow correlation.

cache timeout update — Controls the periodic updates sent by the permanent type of cache. This behavior is similar to the active timeout, except that it does not result in the removal of the cache entry from the cache. By default this timer value is 1800 seconds (30 minutes).

Step 8: cache entries value

Example:
Switch(config-flow-monitor)# cache entries 10000

Sets the maximum number of entries in the flow cache for the specified flow monitor. Enter a value between 16 and 1048576.

Step 9: end

Example:
Switch(config-flow-monitor)# end

Returns to privileged EXEC mode.

Step 10: show flow monitor [name monitor-name]

Example:
Switch# show flow monitor name MonitorTest

(Optional) Displays information about NetFlow flow monitors.

Step 11: copy running-config startup-config

Example:
Switch# copy running-config startup-config

(Optional) Saves your entries in the configuration file.
           
What to Do Next

Apply the flow monitor to a Layer 2 interface or VLAN.


          Creating a Sampler

          You can create a sampler to define the NetFlow sampling rate for a flow.

          SUMMARY STEPS

            1.    configure terminal

            2.    sampler name

            3.    description string

            4.    mode { deterministic { m - n } | random { m - n }}

            5.    end

            6.    show sampler [name]

            7.    copy running-config startup-config


          DETAILED STEPS

          Command or Action / Purpose

            Step 1: configure terminal

            Example:
            Switch# configure terminal

            Enters the global configuration mode.

            Step 2: sampler name

            Example:
            Switch(config)# sampler SampleTest
            Switch(config-flow-sampler)#

            Creates a sampler and enters flow sampler configuration mode.

            Step 3: description string

            Example:
            Switch(config-flow-sampler)# description samples

            (Optional) Describes this sampler as a string of at most 63 characters.

            Step 4: mode { deterministic { m - n } | random { m - n }}

            Example:
            Switch(config-flow-sampler)# mode random 1 out-of 1022

            Defines the sampling mode; this example configures random sampling.

            You can attach either a random or a deterministic sampler to an interface. The sampler selects m packets out of each window of n packets; the window size n ranges from 32 to 1022.

            Note the following when attaching a sampler to an interface:

            • When you attach a monitor with a deterministic sampler (for example, s1), every attachment that uses s1 consumes one new free hardware sampler on the switch, out of 4 available. Beyond 4 such attachments, you cannot attach a monitor with any sampler.

            • In contrast, when you attach a monitor with a random sampler (again, for example, s1), only the first attachment consumes a new hardware sampler; all later attachments that use s1 share that same hardware sampler.

            Because of this behavior, with a deterministic sampler you can always verify that the correct number of flows is sampled by comparing the configured sampling rate with what the switch exports. If the same random sampler is shared by multiple interfaces, the flows from one interface may always be sampled while the flows from the other interfaces are always skipped.
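The following Python model is an added illustration, not part of the Cisco guide, of why the note above distinguishes a dedicated hardware sampler per attachment from one sampler shared across interfaces: traffic from two interfaces is sampled 1 out of 32 either with dedicated samplers or through one shared sampler, and the sampled byte counts are scaled back by n/m, as a collector would do. The interface names, packet mix and random seed are constructed, and the sampler model is a simplification rather than the switch's implementation.

```python
import random

def make_sampler(mode, m, n, seed=0):
    """Return a stateful predicate that picks m packets out of each n-packet window.
    The 32..1022 window limit follows the guide; the model itself is a simplification."""
    if not 1 <= m <= n or not 32 <= n <= 1022:
        raise ValueError("require 1 <= m <= n and 32 <= n <= 1022")
    rng, state = random.Random(seed), {"pos": 0, "picks": set()}

    def sample():
        if state["pos"] == 0:  # start of a window: fix which offsets get chosen
            state["picks"] = (set(range(m)) if mode == "deterministic"
                              else set(rng.sample(range(n), m)))
        chosen = state["pos"] in state["picks"]
        state["pos"] = (state["pos"] + 1) % n
        return chosen
    return sample

def run(packets, sampler_for, m, n):
    """packets: [(interface, bytes)]; sampler_for: interface -> sampler (dedicated or shared).
    Returns {interface: (sampled_packets, estimated_bytes)} with bytes scaled by n/m."""
    seen = {}
    for iface, size in packets:
        cnt, total = seen.get(iface, (0, 0))
        if sampler_for[iface]():
            cnt, total = cnt + 1, total + size
        seen[iface] = (cnt, total)
    return {i: (c, b * n // m) for i, (c, b) in seen.items()}

# Constructed traffic: two interfaces alternate, 320 packets of 100 bytes each,
# so the true volume is 32000 bytes per interface.
PACKETS = [(f"Gi1/0/{1 + (i % 2)}", 100) for i in range(640)]

def dedicated_deterministic(m=1, n=32):
    """Each attachment gets its own hardware sampler (the guide's deterministic case)."""
    samplers = {"Gi1/0/1": make_sampler("deterministic", m, n),
                "Gi1/0/2": make_sampler("deterministic", m, n)}
    return run(PACKETS, samplers, m, n)  # both interfaces: (10, 32000), exact

def shared_random(m=1, n=32, seed=7):
    """Both attachments share one hardware sampler (the guide's random case)."""
    shared = make_sampler("random", m, n, seed)
    return run(PACKETS, {"Gi1/0/1": shared, "Gi1/0/2": shared}, m, n)
```

The shared case still yields exactly one sample per 32-packet window overall, but how those samples split between the two interfaces is not guaranteed, so a per-interface volume estimate can be far from the true 32000 bytes.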

             

            Step 5: end

            Example:
            Switch(config-flow-sampler)# end

            Returns to privileged EXEC mode.

            Step 6: show sampler [name]

            Example:
            Switch# show sampler SampleTest

            (Optional) Displays information about NetFlow samplers.

            Step 7: copy running-config startup-config

            Example:
            Switch# copy running-config startup-config

            (Optional) Saves your entries in the configuration file.

            What to Do Next

            Apply the flow monitor to a source interface or a VLAN.

            Related Concepts
            Samplers
            Related References
            Example: Configuring a Flow

            Applying a Flow to an Interface

            You can apply a flow monitor and an optional sampler to an interface.

            SUMMARY STEPS

              1.    configure terminal

              2.    interface type

              3.    ip flow monitor name sampler sampler-name { input }

              4.    end

              5.    show flow monitor [name record-name]

              6.    copy running-config startup-config


            DETAILED STEPS

            Command or Action / Purpose

              Step 1: configure terminal

              Example:
              Switch# configure terminal

              Enters the global configuration mode.

              Step 2: interface type

              Example:
              Switch(config)# interface GigabitEthernet1/0/1
              Switch(config-if)#

              Enters interface configuration mode and configures an interface.

              Step 3: ip flow monitor name sampler sampler-name { input }

              Example:
              Switch(config-if)# ip flow monitor MonitorTest sampler SampleTest input

              To monitor IPv4 traffic flows, use the ip flow monitor name sampler sampler-name {input} interface command. It associates an IPv4 flow monitor and the required sampler with the interface for input packets.

              To monitor IPv6 traffic flows, use the ipv6 flow monitor name sampler sampler-name {input} interface command. It associates an IPv6 flow monitor and the required sampler with the interface for input packets.

              To monitor Layer 2 (datalink) traffic flows, use the datalink flow monitor name sampler sampler-name {input} interface command. It associates a datalink flow monitor and the required sampler with the interface for input packets. When a datalink flow monitor is assigned to an interface or VLAN, it creates flows only for traffic that is neither IPv4 nor IPv6.

              Note: Whenever you assign a flow monitor to an interface, you must configure a sampler. If the sampler is missing, you will receive an error message.

              Step 4: end

              Example:
              Switch(config-if)# end

              Returns to privileged EXEC mode.

              Step 5: show flow monitor [name record-name]

              Example:
              Switch# show flow monitor name MonitorTest

              (Optional) Displays information about NetFlow flow monitors.

              Step 6: copy running-config startup-config

              Example:
              Switch# copy running-config startup-config

              (Optional) Saves your entries in the configuration file.


              Configuring a Bridged NetFlow on a VLAN

              You can apply a flow monitor and an optional sampler to a VLAN.

              SUMMARY STEPS

                1.    configure terminal

                2.    interface {vlan} vlan-id

                3.    ip flow monitor name sampler sampler-name { input }

                4.    copy running-config startup-config


              DETAILED STEPS

              Command or Action / Purpose

                Step 1: configure terminal

                Example:
                Switch# configure terminal

                Enters the global configuration mode.

                Step 2: interface {vlan} vlan-id

                Example:
                Switch(config)# interface vlan 30
                Switch(config-if)#

                Specifies the SVI for the configuration.

                Step 3: ip flow monitor name sampler sampler-name { input }

                Example:
                Switch(config-if)# ip flow monitor MonitorTest sampler SampleTest input

                Associates a flow monitor and an optional sampler to the VLAN for input packets.

                Note: Whenever you assign a flow monitor to an interface, you must configure a sampler. If the sampler is missing, you will receive an error message.

                Step 4: copy running-config startup-config

                Example:
                Switch# copy running-config startup-config

                (Optional) Saves your entries in the configuration file.


                Configuring Layer 2 NetFlow

                You can define Layer 2 keys in NetFlow Lite records that you can use to capture flows in Layer 2 interfaces.

                SUMMARY STEPS

                  1.    configure terminal

                  2.    flow record name

                  3.    match datalink { ethertype | mac { destination { address input } | source { address input } } }

                  4.    match { ipv4 {destination | protocol | source | tos } | ipv6 {destination | flow-label| protocol| source| traffic-class } | transport {destination-port | source-port} }

                  5.    end

                  6.    show flow record [name ]

                  7.    copy running-config startup-config


                DETAILED STEPS

                Command or Action / Purpose

                  Step 1: configure terminal

                  Example:
                  Switch# configure terminal

                  Enters the global configuration mode.

                  Step 2: flow record name

                  Example:
                  Switch(config)# flow record L2_record
                  Switch(config-flow-record)#

                  Enters flow record configuration mode.

                  Step 3: match datalink { ethertype | mac { destination { address input } | source { address input } } }

                  Example:
                  Switch(config-flow-record)# match datalink mac source address input
                  Switch(config-flow-record)# match datalink mac destination address input

                  Specifies a Layer 2 attribute as a key. In this example, the keys are the source and destination MAC addresses of the packet at input.

                  Note: When a datalink flow monitor is assigned to an interface or VLAN, it creates flows only for traffic that is neither IPv4 nor IPv6.

                  Step 4: match { ipv4 {destination | protocol | source | tos } | ipv6 {destination | flow-label| protocol| source| traffic-class } | transport {destination-port | source-port} }

                  Example:
                  Switch(config-flow-record)# match ipv4 protocol
                  Switch(config-flow-record)# match ipv4 tos

                  Specifies additional attributes as keys of the Layer 2 record. In this example, the keys are the IPv4 protocol and ToS fields.

                  Step 5: end

                  Example:
                  Switch(config-flow-record)# end

                  Returns to privileged EXEC mode.

                  Step 6: show flow record [name ]

                  Example:
                  Switch# show flow record

                  (Optional) Displays information about NetFlow flow records.

                  Step 7: copy running-config startup-config

                  Example:
                  Switch# copy running-config startup-config

                  (Optional) Saves your entries in the configuration file.


                  Monitoring NetFlow Lite

                  The commands in the following table can be used to monitor NetFlow Lite.

                  Table 5 NetFlow Lite Monitoring Commands

                  Command / Purpose

                  show flow exporter [ name | name [statistics | templates] ]
                      Displays information about NetFlow flow exporters and statistics.

                  show flow exporter [ name name ]
                      Displays information about NetFlow flow exporters and statistics.

                  show flow monitor [ name name [ cache { format { csv | record | table } ] | statistics ]
                      Displays information about NetFlow flow monitors and statistics.

                  show flow record [ name record-name]
                      Displays information about NetFlow flow records.

                  show sampler [ name name]
                      Displays information about NetFlow samplers.

                  Configuration Examples for NetFlow Lite

                  Example: Configuring a Flow

                  Note: When configuring a flow, you need to have the protocol, source port, destination port, first and last timestamps, and packet and bytes counters defined in the flow record. Otherwise, you will get the following error message: "Warning: Cannot set protocol distribution with this Flow Record. Require protocol, source and destination ports, first and last timestamps and packet and bytes counters."

                  This example shows how to create a flow and apply it to an interface:

                  Switch# configure terminal 
                  Enter configuration commands, one per line. End with CNTL/Z.
                  
                  Switch(config)# flow exporter export1
                  Switch(config-flow-exporter)# destination 10.0.101.254
                  Switch(config-flow-exporter)# transport udp 2055
                  Switch(config-flow-exporter)# template data timeout 60
                  Switch(config-flow-exporter)# exit
                  Switch(config)# flow record record1
                  Switch(config-flow-record)# match ipv4 source address
                  Switch(config-flow-record)# match ipv4 destination address
                  Switch(config-flow-record)# match ipv4 protocol
                  Switch(config-flow-record)# match transport source-port 
                  Switch(config-flow-record)# match transport destination-port 
                  Switch(config-flow-record)# collect counter bytes long
                  Switch(config-flow-record)# collect counter packets long
                  Switch(config-flow-record)# collect timestamp sys-uptime first
                  Switch(config-flow-record)# collect timestamp sys-uptime last 
                  Switch(config-flow-record)# exit
                  Switch(config)# sampler SampleTest
                  Switch(config-sampler)# mode random 1 out-of 100
                  Switch(config-sampler)# exit
                  Switch(config)# flow monitor monitor1
                  Switch(config-flow-monitor)# cache timeout active 300
                  Switch(config-flow-monitor)# cache timeout inactive 120
                  Switch(config-flow-monitor)# record record1
                  Switch(config-flow-monitor)# exporter export1
                  Switch(config-flow-monitor)# exit
                  Switch(config)# interface GigabitEthernet1/0/1
                  Switch(config-if)# ip flow monitor monitor1 sampler SampleTest input
                  Switch(config-if)# end
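The exporter above sends NetFlow v9 (RFC 3954) to a collector on UDP 2055, and record1 fixes which fields each exported record carries. As an added example that is not part of this guide, the following Python parses one v9 export packet on the collector side, reading the template for record1 (template id 256) and decoding the data record that follows it; the packet bytes, addresses and counter values are constructed here for illustration.

```python
import socket
import struct

# NetFlow v9 field type ids (RFC 3954) for the fields that record1 on this
# page matches and collects; the "counter ... long" fields export as 8 bytes.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr",
               21: "last_switched", 22: "first_switched"}

def _decode(ftype, raw):
    return socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_v9(packet):
    """Parse one NetFlow v9 export packet into (header, templates, records)."""
    version, count, uptime, secs, seq, src = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"unexpected NetFlow version {version}")
    header = {"count": count, "sys_uptime": uptime, "unix_secs": secs,
              "sequence": seq, "source_id": src}
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[off:off + 4])
        if set_len < 4:
            raise ValueError("malformed flowset length")  # never loop on bad input
        body, off = packet[off + 4:off + set_len], off + set_len
        if set_id == 0:  # template flowset: (template id, field count, type/len pairs)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(nfields)]
                pos += 4 * nfields
        elif set_id >= 256 and set_id in templates:  # data flowset laid out per template
            fields = templates[set_id]
            rec_len, pos = sum(ln for _, ln in fields), 0
            while pos + rec_len <= len(body):  # leftover bytes shorter than a record are padding
                rec = {}
                for ftype, ln in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode(ftype, body[pos:pos + ln])
                    pos += ln
                records.append(rec)
    return header, templates, records

def build_sample_packet():
    """Constructed packet carrying record1's template (id 256) and one data record."""
    fields = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (1, 8), (2, 8), (22, 4), (21, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = (socket.inet_aton("10.0.101.10") + socket.inet_aton("10.0.101.254")
           + struct.pack("!BHHQQII", 6, 51234, 443, 123456, 100, 1000, 4000))
    pad = b"\x00" * (-len(rec) % 4)  # flowsets are padded to a 4-byte boundary
    return (struct.pack("!HHIIII", 9, 2, 5000, 1700000000, 1, 0)
            + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(rec) + len(pad)) + rec + pad)
```

Data flowsets whose template has not yet been seen are skipped here; a production collector caches templates per exporter source id and keeps such records until the template arrives, and it must scale the counters by the sampler rate (1 out of 100 in the example above) to estimate true volumes.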
                  
                  
                  Related Concepts
                  Flow Records
                  Exporters
                  Monitors
                  Samplers
                  Related Tasks
                  Creating a Flow Record
                  Creating a Flow Exporter
                  Creating a Flow Monitor
                  Creating a Sampler

                  Additional References

                  Related Documents

                  Related Topic: For complete syntax and usage information for the commands used in this book.
                  Document Title: Catalyst 2960-X NetFlow Lite Command Reference

                  Standards and RFCs

                  Standard/RFC: RFC 3954
                  Title: Cisco Systems NetFlow Services Export Version 9

                  MIBs

                  MIB: All supported MIBs for this release.
                  MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

                  Technical Assistance

                  Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
                  Link: http://www.cisco.com/support

                  Feature History and Information for NetFlow Lite

                  Release: Cisco IOS 15.0(2)EX
                  Modification: This feature was introduced.