Cisco UCS CLI System Monitoring Guide for Cisco UCS Mini, Release 3.0

NetFlow Monitoring

Note

For Release 3.0(2), NetFlow monitoring is supported for end-host mode only.

NetFlow is a standard network protocol for collecting IP traffic data. NetFlow enables you to define a flow in terms of unidirectional IP packets that share certain characteristics. All packets that match the flow definition are then collected and exported to one or more external NetFlow collectors where they can be further aggregated, analyzed and used for application specific processing.

Cisco UCS Manager uses NetFlow-capable adapters (Cisco UCS VIC 1240, Cisco UCS VIC 1280, and Cisco UCS VIC 1225) to communicate with the routers and switches that collect and export flow information.

Network Flows

A flow is a set of unidirectional IP packets that have common properties such as, the source or destination of the traffic, routing information, or the protocol used. Flows are collected when they match the definitions in the flow record definition.

Flow Record Definitions

A flow record definition contains all information about the properties used to define the flow, which can include both characteristic properties or measured properties. Characteristic properties, also called flow keys, are the properties that define the flow. Cisco UCS Manager supports IPv4, IPv6, and Layer 2 keys. Measured characteristics, also called flow values or nonkeys, are values that you can measure, such as the number of bytes contained in all packets of the flow, or the total number of packets.

A flow record definition is a specific combination of flow keys and flow values. You can use the following type of flow record definitions:

System-defined—Default flow record definitions supplied by Cisco UCS Manager.
User-defined—Flow record definitions that you can create yourself.

Flow Exporters, Flow Exporter Profiles, and Flow Collectors

Flow exporters transfer the flows to the flow connector based on the information in a flow exporter profile. The flow exporter profile contains the networking properties used to export NetFlow packets. The networking properties include a VLAN, the source IP address, and the subnet mask for each fabric interconnect.

Note

In the Cisco UCS Manager GUI, the networking properties are defined in an exporter interface that is included in the profile. In the Cisco UCS Manager CLI, the properties are defined in the profile.

Flow collectors receive the flows from the flow exporter. Each flow collector contains an IP address, port, external gateway IP, and VLAN that defines where the flows are sent.

Flow Monitors and Flow Monitor Sessions

A flow monitor consists of a flow definition, one or two flow exporters, and a timeout policy. You can use a flow monitor to specify which flow information you want to gather, and where you want to collect it from. Each flow monitor operates in either the egress or ingress direction.

A flow monitor session contains up to four flow monitors: two flow monitors in the ingress direction and two flow monitors in the egress direction. A flow monitor session can also be associated with a vNIC.

NetFlow Limitations

Note

For Release 3.0(2), NetFlow monitoring is supported for end-host mode only.

The following limitations apply to NetFlow monitoring:

NetFlow monitoring is not supported on the Cisco UCS 6100 Series Fabric Interconnect.
NetFlow monitoring is supported only on the Cisco UCS VIC 1240, Cisco UCS VIC 1280, and Cisco UCS VIC 1225 adapters. First generation or non-Cisco VIC adapters are not supported.

Beginning with release 2.2(3a), NetFlow monitoring is also supported on the Cisco UCS VIC 1340, Cisco UCS VIC 1380, and Cisco UCS VIC 1227 adapters.
You can have up to 64 flow record definitions, flow exporters, and flow monitors.
NetFlow is not supported in vNIC template objects.
PVLANs and local VLANs are not supported for service VLANs.
All VLANs must be public and must be common to both fabric interconnects.
VLANs must be defined as an exporter interface before they can be used with a flow collector.
You cannot use NetFlow with usNIC, the Virtual Machine queue, or Linux ARFS.

Configuring a Flow Record Definition

Procedure

Command or Action

Purpose

Step 1

UCS-A# scope eth-flow-mon

Enters the ethernet flow monitor mode.

Step 2

UCS-A /eth-flow-mon # enter flow-record flow-record-name

Enters flow record mode for the specified flow record.

Step 3

UCS-A /eth-flow-mon/flow-record # set keytype {ipv4keys | ipv6keys | l2keys}

Specifies the key type.

Step 4

UCS-A /eth-flow-mon/flow-record # set ipv4keys {dest-port | ip-protocol | ip-tos | ipv4-dest-address | ipv4-src-address | src-port}

Specifies the attributes for the key type that you selected in Step 3.

Note

Use this command only if you chose ipv4keys in step 3.

Step 5

UCS-A /eth-flow-mon/flow-record # set ipv6keys {dest-port | ip-protocol | ipv6-dest-address | ipv6-src-address | src-port}

Specifies the attributes for the key type that you selected in Step 3.

Note

Use this command only if you chose ipv6keys in Step 3.

Step 6

UCS-A /eth-flow-mon/flow-record # set l2keys {dest-mac-address | ethertype | src-mac-address}

Specifies the attributes for the key type that you chose in Step 3.

Note

Use this command only if you selected l2keys in step 3.

Step 7

UCS-A /eth-flow-mon/flow-record # set nonkeys {counter-bytes-long | counter-packets-long | sys-uptime-first | sys-uptime-last}

Specifies the nonkey attributes.

Step 8

UCS-A /eth-flow-mon/flow-record # commit-buffer

Commits the transaction to the system configuration.

The following example shows how to create a flow record definition with Layer 2 keys and commit the transaction:

UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # enter flow-record r1
UCS-A /eth-flow-mon/flow-record* # set keytype l2keys
UCS-A /eth-flow-mon/flow-record* #set l2keys dest-mac-address src-mac-address
UCS-A /eth-flow-mon/flow-record* # set nonkeys sys-uptime counter-bytes counter-packets
UCS-A /eth-flow-mon/flow-record* # commit-buffer
UCS-A /eth-flow-mon/flow-record #

Configuring an Exporter Profile

Procedure

	Command or Action	Purpose
Step 1	UCS-A# scope eth-flow-mon	Enters the ethernet flow monitor mode.
Step 2	UCS-A /eth-flow-mon # scope flow-profile profile-name	Enters the flow profile mode for the specified profile.
Step 3	UCS-A /eth-flow-mon/flow-profile # show config	Displays the flow profile configuration.
Step 4	UCS-A /eth-flow-mon/flow-profile # enter vlan vlan-name	Specifies the VLAN associated with the exporter profile. PVLANs and local VLAN are not supported. All VLAN must be public and must be common to both fabric interconnects.
Step 5	UCS-A /eth-flow-mon/flow-profile/vlan # enter fabric {a \| b}	Enters flow profile mode for the specified fabric.
Step 6	UCS-A /eth-flow-mon/flow-profile/vlan/fabric/ # set addr ip-addr subnet ip-addr	Specifies the source IP and subnet mask for the exporter profile on the fabric.
Step 7	UCS-A /eth-flow-mon/flow-profile/vlan/fabric/ # commit-buffer	Commits the transaction to the system configuration.

The following example shows how to configure the default exporter profile, set the source IP and subnet mask for the exporter interface on each fabric, and commit the transaction:

UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # scope flow-profile default
UCS-A /eth-flow-mon/flow-profile # enter vlan 100
UCS-A /eth-flow-mon/flow-profile/vlan* # enter fabric a
UCS-A /eth-flow-mon/flow-profile/vlan/fabric* # set addr 10.10.10.10 subnet 255.255.255.0
UCS-A /eth-flow-mon/flow-profile/vlan/fabric* # up
UCS-A /eth-flow-mon/flow-profile/vlan* # enter fabric b
UCS-A /eth-flow-mon/flow-profile/vlan/fabric* # set addr 10.10.10.11 subnet 255.255.255.0
UCS-A /eth-flow-mon/flow-profile/vlan/fabric* # commit-buffer
UCS-A /eth-flow-mon/flow-profile/vlan/fabric #

Configuring a Netflow Collector

Procedure

	Command or Action	Purpose
Step 1	UCS-A# scope eth-flow-mon	Enters the ethernet flow monitor mode.
Step 2	UCS-A /eth-flow-mon # enter flow-collector flow-collector-name	Enters the flow collector mode for the specified flow collector.
Step 3	UCS-A /eth-flow-mon/flow-collector # set dest-port port_number	Specifies the destination port for the flow collector.
Step 4	UCS-A /eth-flow-mon/flow-collector # set vlan vlan_id	Specifies the VLAN ID for the flow collector.
Step 5	UCS-A /eth-flow-mon/flow-collector # enter ip-if	Enters IPv4 configuration mode.
Step 6	UCS-A /eth-flow-mon/flow-collector/ip-if # set addr ip-address	Specifies the exporter IP address.
Step 7	UCS-A /eth-flow-mon/flow-collector/ip-if # set exporter-gw gw-address	Specifies the exporter gateway address.
Step 8	UCS-A /eth-flow-mon/flow-collector/ip-if # commit-buffer	Commits the transaction to the system configuration.

The following example shows how to configure a NetFlow collector, set the exporter IP and gateway address, and commit the transaction:

UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # enter flow-collector c1
UCS-A /eth-flow-mon/flow-collector* # set dest-port 9999
UCS-A /eth-flow-mon/flow-collector* # set vlan vlan100
UCS-A /eth-flow-mon/flow-collector* # enter ip-if 
UCS-A /eth-flow-mon/flow-collector/ip-if* # set addr 20.20.20.20
UCS-A /eth-flow-mon/flow-collector/ip-if* # set exporter-gw 10.10.10.1
UCS-A /eth-flow-mon/flow-collector/ip-if* # commit-buffer
UCS-A /eth-flow-mon/flow-collector/ip-if #

Configuring a Flow Exporter

Procedure

	Command or Action	Purpose
Step 1	UCS-A# scope eth-flow-mon	Enters the ethernet flow monitor mode.
Step 2	UCS-A /eth-flow-mon # enter flow-exporter flow-exporter-name	Enters the flow exporter mode for the specified flow exporter.
Step 3	UCS-A /eth-flow-mon/flow-exporter # set dscp dscp_number	Specifies the differentiated services code point.
Step 4	UCS-A /eth-flow-mon/flow-exporter # set flow-collector flow-collector_name	Specifies the flow collector.
Step 5	UCS-A /eth-flow-mon/flow-exporter # set exporter-stats-timeout timeout_number	Specifies the timeout period for resending NetFlow flow exporter data.
Step 6	UCS-A /eth-flow-mon/flow-exporter # set interface-table-timeout timeout_number	Specifies the time period for resending the NetFlow flow exporter interface table.
Step 7	UCS-A /eth-flow-mon/flow-exporter # set template-data-timeout timeout_number	Specifies the timeout period for resending NetFlow template data.
Step 8	UCS-A /eth-flow-mon/flow-exporter # commit-buffer	Commits the transaction to the system configuration.

The following example shows how to configure a flow exporter, set the timeout values, and commit the transaction:

UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # enter flow-exporter ex1
UCS-A /eth-flow-mon/flow-exporter* # set dscp 6
UCS-A /eth-flow-mon/flow-exporter* # set flow-collector c1
UCS-A /eth-flow-mon/flow-exporter* # set exporter-stats-timeout 600
UCS-A /eth-flow-mon/flow-exporter* # set interface-table-timeout 600
UCS-A /eth-flow-mon/flow-exporter* # set template-data-timeout 600
UCS-A /eth-flow-mon/flow-exporter* # commit-buffer
UCS-A /eth-flow-mon/flow-exporter #

Configuring a Flow Monitor

Procedure

	Command or Action	Purpose
Step 1	UCS-A# scope eth-flow-mon	Enters the ethernet flow monitor mode.
Step 2	UCS-A /eth-flow-mon # enter flow-monitor flow-monitor-name	Enters the flow monitor mode for the specified flow monitor.
Step 3	UCS-A /eth-flow-mon/flow-monitor # set flow-record flow-record-name	Specifies the flow record.
Step 4	UCS-A /eth-flow-mon/flow-monitor # create flow-exporter flow-exporter-name	Specifies the first flow exporter.
Step 5	UCS-A /eth-flow-mon/flow-monitor # create flow-exporter flow-exporter-name	Specifies the second flow exporter.
Step 6	UCS-A /eth-flow-mon/flow-monitor # commit-buffer	Commits the transaction to the system configuration.

The following example shows how to create a flow monitor and commit the transaction:

UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # enter flow-monitor m1
UCS-A /eth-flow-mon/flow-monitor* # set flow-record r1
UCS-A /eth-flow-mon/flow-monitor* # create flow-exporter ex1
UCS-A /eth-flow-mon/flow-monitor* # create flow-exporter ex2
UCS-A /eth-flow-mon/flow-monitor* # commit-buffer
UCS-A /eth-flow-mon/flow-monitor #

Configuring a Flow Monitor Session

Procedure

	Command or Action	Purpose
Step 1	UCS-A# scope eth-flow-mon	Enters the ethernet flow monitor mode.
Step 2	UCS-A /eth-flow-mon # enter flow-mon-session flow-monitor-session-name	Enters the flow monitor session mode for the specified flow monitor session.
Step 3	UCS-A /eth-flow-mon/flow-mon-session # create flow-monitor flow-monitor-1	Specifies the first flow monitor.
Step 4	UCS-A /eth-flow-mon/flow-mon-session # create flow-monitor flow-monitor-2	Specifies the second flow monitor.
Step 5	UCS-A /eth-flow-mon/flow-mon-session # commit-buffer	Commits the transaction to the system configuration.

The following example shows how to create a flow monitor session with two flow monitors:

UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # enter flow-mon-session s1
UCS-A /eth-flow-mon/flow-mon-session* # create flow-monitor m1
UCS-A /eth-flow-mon/flow-mon-session* # create flow-monitor m2
UCS-A /eth-flow-mon/flow-mon-session* # commit-buffer
UCS-A /eth-flow-mon/flow-mon-session #

Configuring a NetFlow Cache Active and Inactive Timeout

Procedure

	Command or Action	Purpose
Step 1	UCS-A# scope eth-flow-mon	Enters the ethernet flow monitor mode.
Step 2	UCS-A /eth-flow-mon # scope flow-timeout timeout-name	Enters the flow timeout mode for the specified flow timeout.
Step 3	UCS-A /eth-flow-mon/flow-timeout # set cache-timeout-active timeout-value	Specifies the active timeout value. This value can be between 60 and 4092 seconds. The default value is 120 seconds.
Step 4	UCS-A /eth-flow-mon/flow-timeout # set cache-timeout-inactive timeout-value	Specifies the inactive timeout value. This value can be between 15 and 4092 seconds. The default value is 15 seconds.
Step 5	UCS-A /eth-flow-mon/flow-timeout # commit-buffer	Commits the transaction to the system configuration.

The following example shows how to change the NetFlow timeout values and commit the transaction:

UCS-A# scope eth-flow-mon
UCS-A /eth-flow-mon # scope flow-timeout default
UCS-A /eth-flow-mon/flow-timeout # set cache-timeout-active 1800
UCS-A /eth-flow-mon/flow-timeout* # set cache-timeout-inactive 20
UCS-A /eth-flow-mon/flow-timeout* # commit-buffer
UCS-A /eth-flow-mon/flow-timeout #

Associating a Flow Monitor Session to a vNIC

Procedure

	Command or Action	Purpose
Step 1	UCS-A# scope org org-name	Enters the organization mode for the specified organization. To enter the root organization mode, enter / as the org-name.
Step 2	UCS-A /org # scope service-profile profile-name	Enters the organization service profile mode for the specified service profile.
Step 3	UCS-A /org/service-profile # scope vnic vnic-name	Enters the organization service profile mode for the specified vNIC.
Step 4	UCS-A /org/service-profile/vnic # enter flow-mon-src flow-monitor-session-name	Associates the flow monitor session to the vNIC.
Step 5	UCS-A /org/service-profile/vnic # commit-buffer	Commits the transaction to the system configuration.

The following example shows how to associate the flow monitor session s1 to the vNIC eth5:

UCS-A# scope org /
UCS-A /org # scope service-profile sp1
UCS-A /org/service-profile # scope vnic eth5
UCS-A /org/service-profile/vnic # enter flow-mon-src s1
UCS-A /org/service-profile/vnic # commit-buffer

Bias-Free Language

Book Title

Cisco UCS CLI System Monitoring Guide for Cisco UCS Mini, Release 3.0

Chapter Title

NetFlow Monitoring

Results

Chapter: NetFlow Monitoring

NetFlow Monitoring

NetFlow Monitoring

Network Flows

Flow Record Definitions

Flow Exporters, Flow Exporter Profiles, and Flow Collectors

Flow Monitors and Flow Monitor Sessions

NetFlow Limitations

Configuring a Flow Record Definition

Configuring an Exporter Profile

Configuring a Netflow Collector

Configuring a Flow Exporter

Configuring a Flow Monitor

Configuring a Flow Monitor Session

Configuring a NetFlow Cache Active and Inactive Timeout

Associating a Flow Monitor Session to a vNIC

Was this Document Helpful?

Contact Cisco