- Index
- Preface
- Product Overview
- Command-Line Interfaces
- Configuring the Switch for the First Time
- Administering the Switch
- Configuring VSS
- Configuring the Cisco IOS In-Service Software Upgrade Process
- Configuring the Cisco IOS XE In Service Software Upgrade Process
- Configuring Interfaces
- Checking Port Status and Connectivity
- Configuring Trustsec
- Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 6-E and Supervisor Engine 6L-E
- Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 7-E and Supervisor Engine 7L-E
- Configuring Cisco NSF with SSO Supervisor Engine Redundancy
- Environmental Monitoring and Power Management
- Configuring Power over Ethernet
- Configuring the Catalyst 4500 Series Switch with Cisco Network Assistant
- Configuring VLANs, VTP, and VMPS
- Configuring IP Unnumbered Interface
- Configuring Layer 2 Ethernet Interfaces
- Configuring SmartPort Macros
- Configuring Cisco IOS Auto Smartport Macros
- Configuring STP and MST
- Configuring Flex Links and MAC Address-Table Move Update
- Configuring Resilient Ethernet Protocol
- Configuring Optional STP Features
- Configuring EtherChannel and Link State Tracking
- Configuring IGMP Snooping and Filtering
- Configuring IPv6 MLD Snooping
- Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling
- Configuring CDP
- Configuring LLDP, LLDP-MED, and Location Service
- Configuring UDLD
- Configuring Unidirectional Ethernet
- Configuring Layer 3 Interfaces
- Configuring Cisco Express Forwarding
- Configuring Unicast Reverse Path Forwarding
- Configuring IP Multicast
- Configuring ANCP Client
- Configuring Bidirection Forwarding Detection
- Configuring Policy-Based Routing
- Configuring VRF-lite
- Configuring Quality of Service
- Configuring Voice Interfaces
- Configuring Private VLANs
- Configuring MACsec Encryption
- Configuring 802.1X Port-Based Authentication
- Configuring the PPPoE Intermediate Agent
- Configuring Web-Based Authentication
- Configuring Port Security
- Configuring Control Plane Policing and Layer 2 Control Packet QoS
- Configuring Dynamic ARP Inspection
- Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
- Configuring Network Security with ACLs
- Support for IPv6
- Port Unicast and Multicast Flood Blocking
- Configuring Storm Control
- Configuring SPAN and RSPAN
- Configuring Wireshark
- Configuring Enhanced Object Tracking
- Configuring System Message Logging
- Configuring OBFL
- Configuring SNMP
- Configuring NetFlow-lite
- Configuring Flexible NetFlow
- Configuring Ethernet OAM and CFM
- Configuring Y.1731 (AIS and RDI)
- Configuring Call Home
- Configuring Cisco IOS IP SLA Operations
- Configuring RMON
- Performing Diagnostics
- Configuring WCCP Version 2 Services
- Configuring MIB Support
- ROM Monitor
- Acronyms and Abbreviations
Catalyst 4500 Series Switch Software Configuration Guide, Release IOS XE 3.4.xSG and IOS 15.1(2)SGx
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- September 19, 2014
Chapter: Configuring Flexible NetFlow
Configuring Flexible NetFlow
Note
Flexible NetFlow is only supported on Supervisor Engine 7-E, Supervisor Engine 7L-E, and Catalyst 4500X.
Flow is defined as a unique set of key fields attributes, which might include fields of packet, packet routing attributes, and input and output interface information. A NetFlow feature defines a flow as a sequence of packets that have the same values for the feature key fields. Flexible NetFlow (FNF) allows you to collect and optionally export a flow record that specifies various flow attributes. NetFlow collection supports IP, IPv6 and Layer 2 traffic.
Note This chapter provides Catalyst 4500 switch specific information. For more information, refer to the URL:
http://www.cisco.com/en/US/products/ps6965/products_ios_protocol_option_home.html
Restrictions for Configuring Flexible NetFlow
When IP routing is disabled, on the interface configured with NetFlow Lite, packets are not received on NetFlow collector. Enable IP routing for the NetFlow collector to work.
VSS Environment
The following items apply to a Catalyst 4500 series switch that belongs to a Virtual Switch System:
1. The Catalyst 4500 series switch supports ingress flow statistics collection for switched and routed packets; it does not support Flexible Netflow on egress traffic.
2. Each switch in an VSS has an independent NFE (Netflow Engine). This means that when there is ingress traffic on both the VSS Active and Standby switches, each is capable of creating flows for its ingress traffic
3. Configuration is performed on the VSS Active switch, which is synchronized to the VSS Standby switch.
4. Netflow show commands including Top Talkers, aggregate cache, and clear commands must be executed independently on VSS Active and Standby switch. The VSS Standby console will be available via remote console access from the VSS Active switch.
5. Supervisor Engine 7-E, Supervisor Engine 7L-E, and Catalyst 4500X support a 100,000 entry hardware flow table. Both VSS Active and Standby switch have independent hardware flow tables of 100,000 entries. The hardware flow table is shared by all the flow monitors on a switch. To prevent one monitor from using all the flow table entries, the number of entries that it uses on a switch can be limited by the cache entries number command. This limit is per flow monitor, irrespective of the number of targets it is attached to.
The following example illustrates how to configure the flow monitor m1 cache to hold 1000 entries. With this configuration, interface gig 1/3/1 (on the VSS Active) can create a maximum of 1000 flows and interface gig 2/3/2 (on the VSS Standby) can create a maximum of 1000 flows:
6. Flow collection is supported on multiple targets (Port, VLAN, per-port per-VLAN (FNF can be enabled on a specific VLAN on a given port)) and on a port-channel (FNF is configured on the port-channel interface, rather than individual member ports). These targets can be on the VSS Active or on the VSS Standby. For example, if the target is a VLAN, it can consist of ports belonging to both switches. If there is ingress traffic in that VLAN on both switches, flows will be created in their independent flow caches. However, no Netflow configuration can be applied on the Virtual Switch Link (VSL) ports.
Note The switch does not support tunnels and SVI statistics.
7. 64 unique flow record configurations are supported.
8. Flow QoS/UBRL and FNF cannot be configured on the same target. (For information on Flow-based QoS, see the section Flow-based QoS.)
9. 14,000 unique IPv6 addresses can be monitored.
10. On a given target, one monitor per traffic type is allowed. However, you can configure multiple monitors on the same target for different traffic types.
For example, the following configuration is allowed:
The following configuration is not allowed:
11. On a given target monitoring Layer 2 and Layer 3, simultaneous traffic is not supported:
12. Selection of Layer 2 and Layer 3 packet fields in a single flow record definition is not allowed. However, ingress 802.1Q VLAN Id of packet and Layer 3 packet field selection is allowed.
13. To attach a monitor to port or port-vlan targets, a flow record matching on ingress 802.1Q VLANId key field, must match on input interface also as key field.
Note The match datalink dot1q vlan input option is unavailable prior to IOS Release XE 3.3.0; you would only see the input option starting with the IOS Release XE 3.3.0.
14. Flow monitor matching on ingress 802.1Q VLANId as key field cannot be attached on a VNET trunk port target.
15. Only permanent and normal flow cache types are supported.
16. Supervisor Engine 7-E, Supervisor Engine 7L-E, and Catalyst 4500X do not support predefined records like traditional routers (record netflow ipv4 original-input).
17. Supervisor Engine 7-E, Supervisor Engine 7L-E, and Catalyst 4500X do not support flow based sampler.
18. On VLAN interfaces, when you use the interface option with the Cos, Tos, TTL or Packet length options, the system displays inaccurate results for the interface input field
19. The VSS Active and VSS Standby independently export flows, to the same or different Netflow collectors depending on flow exporter configuration. An IP route to the Netflow collector must exist and it is should be reachable from the VSS for flow export.
20. At the collector, the flow sequence numbers are local to a switch and will be monotonically increasing for each member of VSS. Additionally, the SourceId field of the v9 export packet uniquely identifies the VSS switch number that it was exported from.
21. The configuration of the flow exporter does not support the option output features.
22. Maximum number of VRFs that can be used for the flow exporter destination address configuration in VSS is 5. This limit includes the Global Routing Table and is common across all flow exporters in the VSS.
For example, when the user tries to configure an exporter destination address using a sixth VRF limit is exceeded, the following warning is displayed:
23. Flow aging in flow cache is controlled through active and in-active timer configuration. The minimum for active and in-active aging timers is 5 seconds. The timers must be in units of 5 seconds.
Note Flows in the hardware table are deleted after 5 seconds of in-activity irrespective of the active or in-active timer configuration values. This allows you to create new hardware flows quickly.
24. First and Last-seen flow timestamp accuracy is within 3 seconds.
25. 2048 Flow monitors and records are supported.
- When TTL is configured as a flow field, the following values are reported for a given packet TTL value. Table 1-1 lists the packet TTL and reported values.
|
|
|
|---|---|
- When packet length is configured as a flow field, the following values are reported for a given packet length value. Table 1-2 lists the packet length and reported values.
|
|
|
|---|---|
The following table lists the options available through FNF and the supported fields.
|
|
|
|
|---|---|---|
|
|
||
Indicator of an IPv4 multicast packet (0 - if it's not, 1 - if it is) |
||
Values are reported based on Table 1-2 . |
||
Values are reported based on Table 1-1 . |
||
|
|
||
Indicator of an IPv6 multicast packet (0 - if it's not, 1 - if it is) |
||
Values are reported based on Table 1-1 . |
||
Values are based on Table 1-2 . |
||
|
|
||
Forwarding status for the packet (forwarded, terminated in the router, dropped by ACL, RPF, CAR) |
||
|
|
||
Time-stamp of the first packet that is accounted in the flow (in milliseconds, starting from the router boot-up) |
||
Time-stamp of the last packet that is accounted in the flow (in milliseconds, starting from the router boot-up) |
||
Configuring Flow Monitor Cache Values
Setting active cache timeout to a small value may cause the flows to be exported more frequently to the remote collector. This also causes software to delete flows from the local cache after exporting. So, cache statistics reported by switch may not display the actual flows being monitored.
Non-VSS Environment
The following items apply to the Catalyst 4500 series switch:
The Catalyst 4500 series switch supports ingress flow statistics collection for switched and routed packets; it does not support Flexible Netflow on egress traffic.
1. Supervisor Engine 7-E, Supervisor Engine 7L-E, and Catalyst 4500X support a 100,000 entry hardware flow table. The hardware flow table is shared by all the flow monitors on a switch. To prevent one monitor from using all the flow table entries, the number of entries that it uses on a switch can be limited by the cache entries number command. This limit is per flow monitor, irrespective of the number of targets it is attached to.
The following example illustrates how to configure the flow monitor m1 cache to hold 1000 entries. With this configuration, interface gig 3/1 can create a maximum of 1000 flows and interface gig 3/2 can create a maximum of 1000 flows:
2. Flow collection is supported on multiple targets (Port, VLAN, per-port per-VLAN (FNF can be enabled on a specific VLAN on a given port)) and on a port-channel (FNF is configured on the port-channel interface, rather than individual member ports).
Note The switch does not support tunnels and SVI statistics.
3. 64 unique flow record configurations are supported.
4. Flow QoS/UBRL and FNF cannot be configured on the same target. (For information on Flow-based QoS, see the section Flow-based QoS.)
5. 14,000 unique IPv6 addresses can be monitored.
6. On a given target, one monitor per traffic type is allowed. However, you can configure multiple monitors on the same target for different traffic types.
For example, the following configuration is allowed:
The following configuration is not allowed:
7. On a given target monitoring Layer 2 and Layer 3, simultaneous traffic is not supported:
8. Selection of Layer 2 and Layer 3 packet fields in a single flow record definition is disallowed. However, ingress 802.1Q VLAN Id of packet and Layer 3 packet field selection is allowed.
9. To attach a monitor to port or port-vlan targets, a flow record matching on ingress 802.1Q VLAN Id as the key field, must also match on the input interface as the key field.
Note Flow monitor matching on ingress 802.1Q VLAN Id as the key field cannot be attached on a VNET trunk port target.
10. Only permanent and normal flow cache types are supported.
11. Supervisor Engine 7-E, Supervisor Engine 7L-E, and Catalyst 4500X do not support predefined records like traditional routers (record netflow ipv4 original-input).
12. Supervisor Engine 7-E, Supervisor Engine 7L-E, and Catalyst 4500X do not support flow based sampler.
13. The configuration of the flow exporter does not support the option output features.
14. Flow aging in flow cache is controlled through active and in-active timer configuration. The minimum for active and in-active aging timers is 5 seconds. The timers must be in units of 5 seconds.
Note Flows in the hardware table are deleted after 5 seconds of in-activity irrespective of the active or in-active timer configuration values. This allows you to create new hardware flows quickly.
15. First and Last-seen flow timestamp accuracy is within 3 seconds.
16. 2048 Flow monitors and records are supported.
- When TTL is configured as a flow field, the following values are reported for a given packet TTL value. Table 1-4 lists the packet TTL and reported values.
|
|
|
|---|---|
- When packet length is configured as a flow field, the following values are reported for a given packet length value. Table 1-5 lists the packet length and reported values.
|
|
|
|---|---|
The following table lists the options available through FNF and the supported fields.
|
|
|
|
|---|---|---|
|
|
||
Indicator of an IPv4 multicast packet (0 - if it's not, 1 - if it is) |
||
Values are reported based on Table 1-5 . |
||
Values are reported based on Table 1-4 . |
||
|
|
||
Indicator of an IPv6 multicast packet (0 - if it's not, 1 - if it is) |
||
Values are reported based on Table 1-4 . |
||
Values are based on Table 1-5 . |
||
|
|
||
Forwarding status for the packet (forwarded, terminated in the router, dropped by ACL, RPF, CAR) |
||
|
|
||
Time-stamp of the first packet that is accounted in the flow (in milliseconds, starting from the router boot-up) |
||
Time-stamp of the last packet that is accounted in the flow (in milliseconds, starting from the router boot-up) |
||
Configuring Flow Monitor Cache Values
Setting active cache timeout to a small value may cause the flows to be exported more frequently to the remote collector. This also causes software to delete flows from the local cache after exporting. So, cache statistics reported by switch may not display the actual flows being monitored.
Feedback