Configuring NetFlow Lite
- Finding Feature Information
- Prerequisites for NetFlow Lite
- Restrictions for NetFlow Lite
- Information About NetFlow Lite
- How to Configure NetFlow Lite
- Monitoring Flexible NetFlow
- Configuration Examples for NetFlow Lite
- Additional References
- Feature Information for Flexible NetFlow
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for NetFlow Lite
NetFlow Lite is only supported on a Catalyst 2960-X Switch with a LAN Base license and on a Catalyst 2960-XR Switch with an IP Lite license. Catalyst 2960-XR is not stackable with the Catalyst 2960-X platform.
The following two targets for attaching a NetFlow Lite monitor are supported:
Restrictions for NetFlow Lite
The following are restrictions for NetFlow Lite:
- Monitor restrictions:
  - Monitor attachment is supported only in the ingress direction.
  - One monitor per interface is supported, although multiple exporters per interface are supported.
  - Only the permanent and normal cache types are supported for the monitor; the immediate cache is not supported.
  - Changing any monitor parameter is not supported while the monitor is applied to any interface or VLAN.
  - When both a port and its VLAN have monitors attached, the VLAN monitor overrides the port monitor for traffic arriving on the port.
  - The flow monitor type and the traffic type (IPv4, IPv6, or data link) must be the same for flows to be created.
  - You cannot attach an IP-based and a port-based monitor to an interface at the same time on the switch. A 48-port switch supports a maximum of 48 monitors (IP or port-based), and for 256 SVIs you can configure up to 256 monitors (IP or port-based).
  - When you run the show flow monitor flow_name cache command, the switch displays cache fields from an earlier switch software version (Catalyst 2960-S) with all values set to zero. Ignore these fields, as they do not apply to the switch.
- Sampler restrictions:
  - Only sampled NetFlow is supported.
  - For ports and VLANs combined, a total of only 4 samplers (random or deterministic) are supported on the switch.
  - The minimum sampling rate for both modes is 1 out of 32 flows, and the maximum sampling rate for both modes is 1 out of 1022 flows.
  - You must associate a sampler with a monitor when attaching it to an interface; otherwise, the command is rejected. Use the ip flow monitor monitor_name sampler sampler_name input interface configuration command to do this.
  - When you attach a monitor using a deterministic sampler, every attachment with the same sampler uses one new free hardware sampler out of the 4 available. You cannot attach a monitor with any sampler beyond 4 attachments. When you attach a monitor using a random sampler, only the first attachment uses a new hardware sampler; all further attachments using the same sampler share it. Because of this behavior, when using a deterministic sampler you can always verify that the correct number of flows is sampled by comparing the sampling rate with what the switch sends. If the same random sampler is used with multiple interfaces, flows from one interface can always be sampled, and flows from the other interfaces can always be skipped.
- Stacking restrictions:
  - The switch supports homogeneous stacking and mixed stacking. Mixed stacking is supported only with Catalyst 2960-S switches. A homogeneous stack can have up to eight stack members, while a mixed stack can have up to four stack members. All switches in a switch stack must be running the LAN Base image.
  - The switch supports NetFlow Lite running in a mixed stack configuration, where both Catalyst 2960-X and Catalyst 2960-S switches reside in the same stack. In such a mixed stack, the master switch must always be a Catalyst 2960-X switch; a Catalyst 2960-S switch must never be the master switch.
  - Each switch in a stack (hardware) can support a maximum of 16,000 flows at any time. Because flows are periodically pushed to the software cache, the software cache can hold a much larger number of flows (1048 Kb flows). Every 20 seconds (the poll timer), 200 flows (the poll entries) are pushed from the hardware flow cache to software.
- Network flows and statistics are collected at line rate.
- ACL-based NetFlow is not supported.
- Only NetFlow Version 9 is supported for the Flexible NetFlow exporter through the export-protocol command option. If you configure NetFlow Version 5, the configuration is accepted, but NetFlow Version 5 export functionality is neither currently available nor supported.
- The switch supports homogeneous stacking, but does not support mixed stacking.
Information About NetFlow Lite
NetFlow Lite Overview
NetFlow Lite uses flows to provide statistics for accounting, network monitoring, and network planning.
A flow is a unidirectional stream of packets that arrives on a source interface and has the same values for the keys. A key is an identified value for a field within the packet. You create a flow using a flow record to define the unique keys for your flow.
The switch supports the NetFlow Lite feature, which enables enhanced detection of network anomalies and security events. NetFlow Lite allows you to define an optimal flow record for a particular application by selecting the keys from a large collection of predefined fields.
All key values must match for the packet to count in a given flow. A flow might gather other fields of interest, depending on the export record version that you configure. Flows are stored in the NetFlow Lite cache.
You can export the data that NetFlow Lite gathers for your flow by using an exporter, which sends the data to a remote system such as a NetFlow Lite collector. The NetFlow Lite collector can use an IPv4 address.
You define the size of the data that you want to collect for a flow using a monitor. The monitor combines the flow record and exporter with the NetFlow Lite cache information.
Flexible NetFlow Components
Flexible NetFlow consists of components that can be used together in several variations to perform traffic analysis and data export. The user-defined flow records and the component structure of Flexible NetFlow facilitate the creation of various configurations for traffic analysis and data export on a networking device with a minimum number of configuration commands. Each flow monitor can have a unique combination of flow record, flow exporter, and cache type. If you change a parameter such as the destination IP address for a flow exporter, it is automatically changed for all the flow monitors that use the flow exporter. The same flow monitor can be used in conjunction with different flow samplers to sample the same type of network traffic at different rates on different interfaces. The following sections provide more information on Flexible NetFlow components:
Flow Records
In Flexible NetFlow a combination of key and nonkey fields is called a record. Flexible NetFlow records are assigned to Flexible NetFlow flow monitors to define the cache that is used for storing flow data.
A flow record defines the keys that Flexible NetFlow uses to identify packets in the flow, as well as other fields of interest that Flexible NetFlow gathers for the flow. You can define a flow record with any combination of keys and fields of interest. The switch supports a rich set of keys. A flow record also defines the types of counters gathered per flow. You can configure 64-bit packet or byte counters. The switch enables the following match fields as the defaults when you create a flow record:
- NetFlow Predefined Records
- User-Defined Records
- NetFlow Lite Match Parameters
- NetFlow Lite Collect Parameters
NetFlow Predefined Records
Flexible NetFlow includes several predefined records that you can use to start monitoring traffic in your network. The predefined records are available to help you quickly deploy Flexible NetFlow and are easier to use than user-defined flow records. You can choose from a list of already defined records that may meet the needs for network monitoring. As Flexible NetFlow evolves, popular user-defined flow records will be made available as predefined records to make them easier to implement.
The predefined records ensure backward compatibility with your existing NetFlow collector configurations for the data that is exported. Each of the predefined records has a unique combination of key and nonkey fields that offer you the built-in ability to monitor various types of traffic in your network without customizing Flexible NetFlow on your router.
Two of the predefined records (NetFlow original and NetFlow IPv4/IPv6 original output), which are functionally equivalent, emulate original (ingress) NetFlow and the Egress NetFlow Accounting feature in original NetFlow, respectively. Some of the other Flexible NetFlow predefined records are based on the aggregation cache schemes available in original NetFlow. The Flexible NetFlow predefined records that are based on the aggregation cache schemes available in original NetFlow do not perform aggregation. Instead each flow is tracked separately by the predefined records.
User-Defined Records
Flexible NetFlow enables you to define your own records for a Flexible NetFlow flow monitor cache by specifying the key and nonkey fields to customize the data collection to your specific requirements. When you define your own records for a Flexible NetFlow flow monitor cache, they are referred to as user-defined records. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow. Flexible NetFlow enables you to capture counter values such as the number of bytes and packets in a flow as nonkey fields.
Flexible NetFlow adds a new Version 9 export format field type for the header and packet section types. Flexible NetFlow will communicate to the NetFlow collector the configured section sizes in the corresponding Version 9 export template fields. The payload sections will have a corresponding length field that can be used to collect the actual size of the collected section.
NetFlow Lite Match Parameters
You can match these key fields for the flow record:
- IPv4 or IPv6 destination address
- Datalink fields (source and destination MAC address, and MAC ethertype, the type of networking protocol).
- Transport field source and destination ports, to identify the type of application: ICMP, IGMP, or TCP traffic.
The following table describes NetFlow Lite match parameters. You must configure at least one of the following match parameters for the flow records.
NetFlow Lite Collect Parameters
You can collect these fields in the flow record:
- The total number of bytes, flows, or packets sent by the exporter (exporter), or the number of bytes or packets in a 64-bit counter (long).
- The timestamp, based on system uptime, of the time the first packet was seen or the time the most recent (last) packet was seen.
- The SNMP index of the input interface. The interface for traffic entering the service module is based on the switch forwarding cache. This field is typically used in conjunction with datalink, IPv4, and IPv6 addresses, and provides the actual first-hop interface for directly connected hosts.
The following table describes NetFlow Lite collect parameters.
| Command | Purpose |
|---|---|
| collect counter {bytes {long \| permanent} \| packets {long \| permanent}} | Collects the counter fields total bytes and total packets. |
| collect flow {sampler} | Collects the flow sampler identifier (ID). |
| collect interface {input} | Collects the fields from the input interface. |
| collect timestamp sys-uptime {first \| last} | Collects the fields for the time the first packet was seen or the time the most recent packet was last seen (in milliseconds). |
| collect transport tcp flags | Collects the TCP flags from the transport header. |
| | Collects the MAC addresses of the access points that the wireless client is associated with. |
Flow Exporters
Flow exporters export the data in the flow monitor cache to a remote system, such as a server running NetFlow collector, for analysis and storage. Flow exporters are created as separate entities in the configuration. Flow exporters are assigned to flow monitors to provide data export capability for the flow monitors. You can create several flow exporters and assign them to one or more flow monitors to provide several export destinations. You can create one flow exporter and apply it to several flow monitors.
NetFlow Data Export Format Version 9
The basic output of NetFlow is a flow record. Several different formats for flow records have evolved as NetFlow has matured. The most recent evolution of the NetFlow export format is known as Version 9. The distinguishing feature of the NetFlow Version 9 export format is that it is template-based. Templates provide an extensible design to the record format, a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format. Using templates provides several key benefits:
- Third-party business partners who produce applications that provide collector or display services for NetFlow do not have to recompile their applications each time a new NetFlow feature is added. Instead, they should be able to use an external data file that documents the known template formats.
- New features can be added to NetFlow quickly without breaking current implementations.
- NetFlow is "future-proofed" against new or developing protocols because the Version 9 format can be adapted to provide support for them.
The Version 9 export format consists of a packet header followed by one or more template flow or data flow sets. A template flow set provides a description of the fields that will be present in future data flow sets. These data flow sets may occur later within the same export packet or in subsequent export packets. Template flow and data flow sets can be intermingled within a single export packet, as illustrated in the figure below.
NetFlow Version 9 will periodically export the template data so the NetFlow collector will understand what data is to be sent and also export the data flow set for the template. The key advantage to Flexible NetFlow is that the user configures a flow record, which is effectively converted to a Version 9 template and then forwarded to the collector. The figure below is a detailed example of the NetFlow Version 9 export format, including the header, template flow, and data flow sets.
For more information on the Version 9 export format, refer to the white paper titled Cisco IOS NetFlow Version 9 Flow-Record Format, available at this URL: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_white_paper09186a00800a3db9.shtml.
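As an added example (not part of the Cisco documentation), the following Python collector-side parser shows how a template FlowSet (ID 0) followed by a data FlowSet (ID 256) is decoded using a template cache keyed by source ID and template ID. The export packet it builds is constructed here to match the flow record configured in the example at the end of this module; a data FlowSet that arrives before its template is reported as skipped rather than decoded with a guessed layout.

```python
import struct
from typing import Dict, List, Tuple

# RFC 3954 field type IDs for the fields the flow record in this module's example matches and collects
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR",
    11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
}
# Packet header: version, count, sysUptime, unixSecs, sequence number, source ID (all big-endian)
HEADER = struct.Struct("!HHIIII")
TemplateCache = Dict[Tuple[int, int], List[Tuple[int, int]]]


def decode_field(ftype: int, raw: bytes):
    """IPv4 address fields become dotted quads; every other field is a big-endian integer."""
    if ftype in (8, 12) and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet: bytes, templates: TemplateCache) -> dict:
    """Parse one NetFlow v9 export packet into decoded flow records.

    `templates` is the collector's template cache keyed by (source ID, template ID). Template
    FlowSets (ID 0) update it; data FlowSets (ID > 255) are decoded with it. A data FlowSet whose
    template has not arrived yet is listed in "skipped" instead of being decoded with a guessed layout.
    """
    version, count, uptime, unix_secs, seq, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, skipped = [], []
    offset = HEADER.size
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:
            # Template FlowSet: repeated (template ID, field count, then (type, length) pairs)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                if nfields == 0 or pos + 4 + 4 * nfields > len(body):
                    break  # trailing padding or a truncated template
                templates[(source_id, tid)] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                                               for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id > 255:
            # Data FlowSet: records laid out exactly as the template with this ID describes
            fields = templates.get((source_id, fs_id))
            if not fields:
                skipped.append(fs_id)
            else:
                rec_len = sum(length for _, length in fields)
                pos = 0
                while pos + rec_len <= len(body):  # leftover bytes shorter than a record are padding
                    rec, p = {}, pos
                    for ftype, length in fields:
                        rec[FIELD_NAMES.get(ftype, f"TYPE_{ftype}")] = decode_field(ftype, body[p:p + length])
                        p += length
                    records.append(rec)
                    pos += rec_len
        # FlowSet IDs 1-255 are reserved (1 = options template) and are not handled here
        offset += fs_len
    return {"sequence": seq, "source_id": source_id, "sys_uptime": uptime, "unix_secs": unix_secs,
            "count": count, "records": records, "skipped": skipped}


def build_sample_packet(include_template: bool = True) -> bytes:
    """Constructed sample export (not a capture) for the flow record configured in this module's
    example: IPv4 source/destination, protocol and transport ports as keys, with 64-bit byte and
    packet counters and sys-uptime first/last timestamps. Template ID 256, two data records."""
    fields = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (1, 8), (2, 8), (22, 4), (21, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, proto, sport, dport, nbytes, npkts, first, last):
        ip = lambda a: bytes(int(o) for o in a.split("."))
        return ip(src) + ip(dst) + struct.pack("!BHHQQII", proto, sport, dport, nbytes, npkts, first, last)

    data = (rec("10.0.0.5", "192.0.2.1", 6, 51234, 443, 18234, 41, 1000, 6000)
            + rec("10.0.0.9", "192.0.2.1", 17, 53000, 53, 120, 1, 2000, 2000))
    pad = (-len(data)) % 4  # data FlowSets are padded to a 4-byte boundary (two 37-byte records need 2)
    data_fs = struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\x00" * pad
    header = HEADER.pack(9, 3 if include_template else 2, 6000, 1700000000, 1, 0)
    return header + (tmpl_fs if include_template else b"") + data_fs


if __name__ == "__main__":
    cache: TemplateCache = {}
    print(parse_v9(build_sample_packet(False), cache)["skipped"])  # data before template: [256]
    for r in parse_v9(build_sample_packet(), cache)["records"]:
        print(r)
```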
Flow Monitors
Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic monitoring.
Flow data is collected from the network traffic and added to the flow monitor cache during the monitoring process based on the key and nonkey fields in the flow record.
Flexible NetFlow can be used to perform different types of analysis on the same traffic. In the figure below, packet 1 is analyzed using a record designed for standard traffic analysis on the input interface and a record designed for security analysis on the output interface.
The figure below shows a more complex example of how you can apply different types of flow monitors with custom records.
Normal
The default cache type is “normal”. In this mode, the entries in the cache are aged out according to the timeout active and timeout inactive settings. When a cache entry is aged out, it is removed from the cache and exported via any exporters configured.
Flow Samplers
Flow samplers are created as separate components in a router’s configuration. Flow samplers are used to reduce the load on the device that is running NetFlow Lite by limiting the number of packets that are selected for analysis.
Samplers use random sampling techniques (modes); that is, a randomly selected sampling position is used each time a sample is taken.
Flow sampling exchanges monitoring accuracy for router performance. When you apply a sampler to a flow monitor, the overhead load on the router of running the flow monitor is reduced because the number of packets that the flow monitor must analyze is reduced. The reduction in the number of packets that are analyzed by the flow monitor causes a corresponding reduction in the accuracy of the information stored in the flow monitor’s cache.
Samplers are combined with flow monitors when they are applied to an interface with the ip flow monitor command.
NetFlow Lite and Stacking
The switch supports NetFlow Lite running on a mixed stack configuration, where both Catalyst 2960-X and Catalyst 2960-S switches reside in the same stack. But in such a mixed stack configuration, the master switch must always be a Catalyst 2960-X switch. The Catalyst 2960-S switch must never be the master switch in this type of mixed stack configuration.
Default Settings
The following table lists the NetFlow Lite default settings for the switch.
| Setting | Default |
|---|---|
| Flow active timeout | 1800 seconds |
| Flow timeout inactive | Enabled, 30 seconds |
| Flow update timeout | 1800 seconds |
| Default cache size | 16640 bits |
How to Configure NetFlow Lite
To configure NetFlow Lite, follow these general steps:
1. Create a flow record by specifying keys and non-key fields for the flow.
2. Create an optional flow exporter by specifying the protocol and transport destination port, destination, and other parameters.
3. Create a flow monitor based on the flow record and flow exporter.
4. Create an optional sampler.
5. Apply the flow monitor to a Layer 2 port, Layer 3 port, or VLAN.
- Creating a Flow Record
- Creating a Flow Exporter
- Creating a Flow Monitor
- Creating a Sampler
- Applying a Flow to an Interface
- Configuring a Bridged NetFlow on a VLAN
- Configuring Layer 2 NetFlow
Creating a Flow Record
You can create a flow record and add keys to match on and fields to collect in the flow.
SUMMARY STEPS
1. configure terminal
2. flow record name
3. description string
4. match type
5. collect type
6. end
7. show flow record [name record-name]
8. copy running-config startup-config
DETAILED STEPS
| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| 1 | configure terminal | Switch# configure terminal | Enters global configuration mode. |
| 2 | flow record name | Switch(config)# flow record test | Creates a flow record and enters flow record configuration mode. |
| 3 | description string | Switch(config-flow-record)# description Ipv4Flow | (Optional) Describes this flow record as a maximum 63-character string. |
| 4 | match type | Switch(config-flow-record)# match ipv4 source address; Switch(config-flow-record)# match ipv4 destination address; Switch(config-flow-record)# match flow direction | Specifies a match key. For the possible match key values, see NetFlow Lite Match Parameters. |
| 5 | collect type | Switch(config-flow-record)# collect counter bytes layer2 long; Switch(config-flow-record)# collect counter bytes long; Switch(config-flow-record)# collect timestamp absolute first; Switch(config-flow-record)# collect transport tcp flags; Switch(config-flow-record)# collect interface output | Specifies a collection field. For the possible collection field values, see NetFlow Lite Collect Parameters. |
| 6 | end | Switch(config-flow-record)# end | Returns to privileged EXEC mode. |
| 7 | show flow record [name record-name] | Switch# show flow record test | (Optional) Displays information about NetFlow flow records. |
| 8 | copy running-config startup-config | Switch# copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
Define an optional flow exporter by specifying the export format, protocol, destination, and other parameters.
Creating a Flow Exporter
You can create a flow exporter to define the export parameters for a flow.
Note: Each flow exporter supports only one destination. If you want to export the data to multiple destinations, you must configure multiple flow exporters and assign them to the flow monitor. You can export to a destination using an IPv4 address.
SUMMARY STEPS
1. configure terminal
2. flow exporter name
3. description string
4. destination {ipv4-address} [vrf vrf-name]
5. dscp value
6. source {source type}
7. transport udp number
8. ttl seconds
9. export-protocol {netflow-v9}
10. end
11. show flow exporter [name record-name]
12. copy running-config startup-config
DETAILED STEPS
| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| 1 | configure terminal | Switch# configure terminal | Enters global configuration mode. |
| 2 | flow exporter name | Switch(config)# flow exporter ExportTest | Creates a flow exporter and enters flow exporter configuration mode. |
| 3 | description string | Switch(config-flow-exporter)# description ExportV9 | (Optional) Describes this flow exporter as a maximum 63-character string. |
| 4 | destination {ipv4-address} [vrf vrf-name] | Switch(config-flow-exporter)# destination 192.0.2.1 | Sets the IPv4 destination address or hostname for this exporter. |
| 5 | dscp value | Switch(config-flow-exporter)# dscp 0 | (Optional) Specifies the differentiated services code point value. The range is from 0 to 63. The default is 0. |
| 6 | source {source type} | Switch(config-flow-exporter)# source gigabitEthernet1/0/1 | (Optional) Specifies the interface used to reach the NetFlow collector at the configured destination. The following interfaces can be configured as source: |
| 7 | transport udp number | Switch(config-flow-exporter)# transport udp 200 | (Optional) Specifies the UDP port used to reach the NetFlow collector. The range is from 1 to 65536. |
| 8 | ttl seconds | Switch(config-flow-exporter)# ttl 210 | (Optional) Configures the time-to-live (TTL) value for datagrams sent by the exporter. The range is from 1 to 255 seconds. The default is 255. |
| 9 | export-protocol {netflow-v9} | Switch(config-flow-exporter)# export-protocol netflow-v9 | Specifies the version of the NetFlow export protocol used by the exporter. |
| 10 | end | Switch(config-flow-exporter)# end | Returns to privileged EXEC mode. |
| 11 | show flow exporter [name record-name] | Switch# show flow exporter ExportTest | (Optional) Displays information about NetFlow flow exporters. |
| 12 | copy running-config startup-config | Switch# copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
Define a flow monitor based on the flow record and flow exporter.
Creating a Flow Monitor
You can create a flow monitor and associate it with a flow record and a flow exporter.
SUMMARY STEPS
1. configure terminal
2. flow monitor name
3. description string
4. exporter name
5. record name
6. cache {timeout {active | inactive} seconds | type normal}
7. end
8. show flow monitor [name record-name]
9. copy running-config startup-config
DETAILED STEPS
| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| 1 | configure terminal | Switch# configure terminal | Enters global configuration mode. |
| 2 | flow monitor name | Switch(config)# flow monitor MonitorTest | Creates a flow monitor and enters flow monitor configuration mode. |
| 3 | description string | Switch(config-flow-monitor)# description Ipv4Monitor | (Optional) Describes this flow monitor as a maximum 63-character string. |
| 4 | exporter name | Switch(config-flow-monitor)# exporter ExportTest | Associates a flow exporter with this flow monitor. |
| 5 | record name | Switch(config-flow-monitor)# record test | Associates a flow record with the specified flow monitor. |
| 6 | cache {timeout {active \| inactive} seconds \| type normal} | Switch(config-flow-monitor)# cache timeout active 15000 | Associates a flow cache with the specified flow monitor. |
| 7 | end | Switch(config-flow-monitor)# end | Returns to privileged EXEC mode. |
| 8 | show flow monitor [name record-name] | Switch# show flow monitor name MonitorTest | (Optional) Displays information about NetFlow flow monitors. |
| 9 | copy running-config startup-config | Switch# copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
Apply the flow monitor to a Layer 2 interface, Layer 3 interface, or VLAN.
Creating a Sampler
You can create a sampler to define the NetFlow sampling rate for a flow.
SUMMARY STEPS
1. configure terminal
2. sampler name
3. description string
4. mode {deterministic {m - n} | random {m - n}}
5. end
6. show sampler [name]
7. copy running-config startup-config
DETAILED STEPS
| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| 1 | configure terminal | Switch# configure terminal | Enters global configuration mode. |
| 2 | sampler name | Switch(config)# sampler SampleTest | Creates a sampler and enters flow sampler configuration mode. |
| 3 | description string | Switch(config-flow-sampler)# description samples | (Optional) Describes this sampler as a maximum 63-character string. |
| 4 | mode {deterministic {m - n} \| random {m - n}} | Switch(config-flow-sampler)# mode random 1 out-of 1022 | Defines the sampling mode. You can apply either a random or a deterministic sampler to an interface. Selects m packets out of an n-packet window. The window size to select packets from ranges from 32 to 1022. Note the following when applying a sampler to an interface: when you attach a monitor using a deterministic sampler, every attachment with the same sampler uses one new free hardware sampler out of the 4 available, and you cannot attach a monitor with any sampler beyond 4 attachments; when you attach a monitor using a random sampler, only the first attachment uses a new hardware sampler, and all further attachments using the same sampler share it. Because of this behavior, when using a deterministic sampler you can always verify that the correct number of flows is sampled by comparing the sampling rate with what the switch sends. If the same random sampler is used with multiple interfaces, flows from one interface can always be sampled, and flows from the other interfaces can always be skipped. |
| 5 | end | Switch(config-flow-sampler)# end | Returns to privileged EXEC mode. |
| 6 | show sampler [name] | Switch# show sampler SampleTest | (Optional) Displays information about NetFlow samplers. |
| 7 | copy running-config startup-config | Switch# copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
Apply the flow monitor to a source interface or a VLAN.
Applying a Flow to an Interface
You can apply a flow monitor and an optional sampler to an interface.
SUMMARY STEPS
1. configure terminal
2. interface type
3. {ip flow monitor | ipv6 flow monitor} name [sampler name] {input | output}
4. end
5. show flow interface [interface-type number]
6. copy running-config startup-config
DETAILED STEPS
| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| 1 | configure terminal | Switch# configure terminal | Enters global configuration mode. |
| 2 | interface type | Switch(config)# interface GigabitEthernet1/0/1 | Enters interface configuration mode and configures an interface. Command parameters for the interface configuration include: You cannot attach a NetFlow monitor to a port channel interface. If both service module interfaces are part of an EtherChannel, attach the monitor to both physical interfaces. |
| 3 | {ip flow monitor \| ipv6 flow monitor} name [sampler name] {input \| output} | Switch(config-if)# ip flow monitor MonitorTest input | Associates an IPv4 or IPv6 flow monitor, and an optional sampler, with the interface for input or output packets. To monitor datalink (Layer 2) traffic flows, use the datalink flow monitor name sampler sampler-name input interface command, which associates a datalink flow monitor and the required sampler with the interface for input packets. When a datalink flow monitor is assigned to an interface or VLAN, it creates flows only for non-IPv4 and non-IPv6 traffic. |
| 4 | end | Switch(config-if)# end | Returns to privileged EXEC mode. |
| 5 | show flow interface [interface-type number] | Switch# show flow interface | (Optional) Displays information about NetFlow on an interface. |
| 6 | copy running-config startup-config | Switch# copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
Configuring a Bridged NetFlow on a VLAN
You can apply a flow monitor and an optional sampler to a VLAN.
SUMMARY STEPS
1. configure terminal
2. vlan [configuration] vlan-id
3. interface {vlan} vlan-id
4. ip flow monitor monitor-name [sampler sampler-name] {input | output}
5. copy running-config startup-config
DETAILED STEPS
| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| 1 | configure terminal | Switch# configure terminal | Enters global configuration mode. |
| 2 | vlan [configuration] vlan-id | Switch(config)# vlan configuration 30 | Enters VLAN or VLAN configuration mode. |
| 3 | interface {vlan} vlan-id | Switch(config)# interface vlan 30 | Specifies the SVI for the configuration. |
| 4 | ip flow monitor monitor-name [sampler sampler-name] {input \| output} | Switch(config-vlan-config)# ip flow monitor MonitorTest input | Associates a flow monitor and an optional sampler with the VLAN for input or output packets. |
| 5 | copy running-config startup-config | Switch# copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
Configuring Layer 2 NetFlow
You can define Layer 2 keys in NetFlow Lite records that you can use to capture flows on Layer 2 interfaces.
SUMMARY STEPS
1. configure terminal
2. flow record name
3. match datalink {ethertype | mac {destination {address input} | source {address input}}}
4. match {ipv4 {destination | protocol | source | tos} | ipv6 {destination | flow-label | protocol | source | traffic-class} | transport {destination-port | source-port}}
5. end
6. show flow record [name]
7. copy running-config startup-config
DETAILED STEPS
| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| 1 | configure terminal | Switch# configure terminal | Enters global configuration mode. |
| 2 | flow record name | Switch(config)# flow record L2_record | Enters flow record configuration mode. |
| 3 | match datalink {ethertype \| mac {destination {address input} \| source {address input}}} | Switch(config-flow-record)# match datalink mac source address input; Switch(config-flow-record)# match datalink mac destination address input | Specifies a Layer 2 attribute as a key. In this example, the keys are the source and destination MAC addresses of the packet at input. |
| 4 | match {ipv4 {destination \| protocol \| source \| tos} \| ipv6 {destination \| flow-label \| protocol \| source \| traffic-class} \| transport {destination-port \| source-port}} | Switch(config-flow-record)# match ipv4 protocol; Switch(config-flow-record)# match ipv4 tos | Specifies additional Layer 2 attributes as keys. In this example, the keys are the IPv4 protocol and ToS. |
| 5 | end | Switch(config-flow-record)# end | Returns to privileged EXEC mode. |
| 6 | show flow record [name] | Switch# show flow record | (Optional) Displays information about NetFlow flow records. |
| 7 | copy running-config startup-config | Switch# copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
Monitoring Flexible NetFlow
| Command | Purpose |
|---|---|
| show flow exporter [broker \| export-ids \| name \| name \| statistics \| templates] | Displays information about NetFlow flow exporters and statistics. |
| show flow exporter [name exporter-name] | Displays information about NetFlow flow exporters and statistics. |
| show flow interface | Displays information about NetFlow interfaces. |
| show flow monitor [name exporter-name] | Displays information about NetFlow flow monitors and statistics. |
| show flow monitor statistics | Displays the statistics for the flow monitor. |
| show flow monitor cache format {table \| record \| csv} | Displays the contents of the cache for the flow monitor, in the format specified. |
| show flow record [name record-name] | Displays information about NetFlow flow records. |
| show flow ssid | Displays NetFlow monitor installation status for a WLAN. |
| show sampler [broker \| name \| name] | Displays information about NetFlow samplers. |
| show wlan wlan-name | Displays the WLAN configured on the device. |
Configuration Examples for NetFlow Lite
Example: Configuring a Flow
Note: When configuring a flow, you need to have the protocol, source port, destination port, first and last timestamps, and packet and bytes counters defined in the flow record. Otherwise, you will get the following error message: "Warning: Cannot set protocol distribution with this Flow Record. Require protocol, source and destination ports, first and last timestamps and packet and bytes counters."
This example shows how to create a flow and apply it to an interface:
```
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# flow exporter export1
Switch(config-flow-exporter)# destination 10.0.101.254
Switch(config-flow-exporter)# transport udp 2055
Switch(config-flow-exporter)# template data timeout 60
Switch(config-flow-exporter)# exit
Switch(config)# flow record record1
Switch(config-flow-record)# match ipv4 source address
Switch(config-flow-record)# match ipv4 destination address
Switch(config-flow-record)# match ipv4 protocol
Switch(config-flow-record)# match transport source-port
Switch(config-flow-record)# match transport destination-port
Switch(config-flow-record)# collect counter bytes long
Switch(config-flow-record)# collect counter packets long
Switch(config-flow-record)# collect timestamp sys-uptime first
Switch(config-flow-record)# collect timestamp sys-uptime last
Switch(config-flow-record)# exit
Switch(config)# sampler SampleTest
Switch(config-sampler)# mode random 1 out-of 100
Switch(config-sampler)# exit
Switch(config)# flow monitor monitor1
Switch(config-flow-monitor)# cache timeout active 300
Switch(config-flow-monitor)# cache timeout inactive 120
Switch(config-flow-monitor)# record record1
Switch(config-flow-monitor)# exporter export1
Switch(config-flow-monitor)# exit
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip flow monitor monitor1 sampler SampleTest input
Switch(config-if)# end
```
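The exporter above sends NetFlow v9 (RFC 3954) datagrams to the collector at 10.0.101.254 on UDP 2055. As an added example, not part of this Cisco document, the following collector-side decoder parses such a datagram using the standard v9 field types for the nine elements in record1; the datagram bytes are constructed inline, and the 1-in-100 scaling factor is assumed from the sampler configuration rather than learned from the export stream.

```python
import struct
from ipaddress import IPv4Address
# Standard NetFlow v9 field types (RFC 3954) used by the record1 flow record.
FIELD_NAMES = {1: "bytes", 2: "packets", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr", 21: "last", 22: "first"}
SAMPLE_RATE = 100  # assumed to match "mode random 1 out-of 100"; not carried in-band here

def parse_v9(packet, templates):
    """Decode one export datagram into a list of flow dicts. `templates` maps
    template_id -> [(type, len)] and must persist across datagrams; data
    flowsets whose template has not been seen yet are skipped."""
    version, _count, _uptime, _secs, _seq, _src_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 datagram (version {version})")
    flows, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: one or more (template_id, field_count, fields...)
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data flowset for a known template
            spec = templates[fs_id]
            rec_len = sum(length for _, length in spec)
            for p in range(0, len(body) - rec_len + 1, rec_len):  # trailing bytes are padding
                flow, q = {}, p
                for ftype, flen in spec:
                    raw = body[q:q + flen]
                    flow[FIELD_NAMES.get(ftype, ftype)] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                    q += flen
                flow["est_bytes"] = flow["bytes"] * SAMPLE_RATE  # undo 1-in-100 sampling
                flows.append(flow)
        off += fs_len
    return flows

def build_sample_packet():
    """Constructed datagram: a template (id 256) laid out like record1, then one flow."""
    spec = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (1, 8), (2, 8), (22, 4), (21, 4)]
    tmpl = struct.pack("!HH", 256, len(spec)) + b"".join(struct.pack("!HH", *f) for f in spec)
    rec = (IPv4Address("10.1.1.5").packed + IPv4Address("10.0.101.254").packed
           + struct.pack("!BHHQQII", 6, 51234, 443, 1500, 10, 1000, 4000))
    rec += b"\x00" * (-len(rec) % 4)  # pad the data flowset to a 32-bit boundary
    header = struct.pack("!HHIIII", 9, 2, 5000, 1700000000, 1, 0)
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(rec)) + rec)
```

Because sampling is applied before export, the exported counters undercount the link by the sampling ratio; a collector that does not scale them will misjudge flow volumes.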
Additional References
Related Documents
Related Topic | Document Title
---|---
Flexible NetFlow CLI Commands | Flexible NetFlow Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Error Message Decoder
Description | Link
---|---
To help you research and resolve system error messages in this release, use the Error Message Decoder tool. | https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi
Standards and RFCs
Standard/RFC | Title
---|---
RFC 3954 | Cisco Systems NetFlow Services Export Version 9
MIBs
MIB | MIBs Link
---|---
All supported MIBs for this release. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
Technical Assistance
Description | Link
---|---
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for Flexible NetFlow
Release | Modification
---|---
Cisco IOS 15.0(2)EX | This feature was introduced.