Table Of Contents
Cisco IOS NetFlow Commands
cache
cache-timeout
clear ip flow stats
enabled (aggregation cache)
export
flow-sampler
flow-sampler-map
ip flow egress
ip flow ingress
ip flow-aggregation cache
ip flow-cache entries
ip flow-cache mpls label-positions
ip flow-cache timeout
ip flow-capture
ip flow-egress input-interface
ip flow-export
ip flow-export destination
ip flow-export source
ip flow-top-talkers
ip multicast netflow
ip multicast netflow egress
ip multicast netflow ingress
ip multicast netflow rpf-failure
ip route-cache flow
mask (IPv4)
mask destination
mask source
match (NetFlow)
mode (flow sampler configuration)
netflow-sampler
show flow-sampler
show ip cache flow
show ip cache flow aggregation
show ip cache verbose flow
show ip cache verbose flow aggregation
show ip flow export
show ip flow interface
show ip flow top-talkers
sort-by
top
Cisco IOS NetFlow Commands
This book presents the Cisco IOS NetFlow commands.
Some commands found in previous releases of this book have been replaced. Older commands generally continue to provide the same functionality in the current release, but are no longer documented. Support for the older version of these commands may already be removed on your system, or may be removed in a future Cisco IOS software release.
Table 1 maps the old commands to their replacements.
Table 1 Cisco IOS NetFlow Old Commands and Replacement Commands
Old Command | Replacement Command
ip flow-export ip-address udp-port | ip flow-export destination ip-address udp-port
cache
To configure operational parameters for NetFlow accounting aggregation caches, use the cache command in NetFlow aggregation cache configuration mode. To disable the NetFlow aggregation cache operational parameters for NetFlow accounting, use the no form of this command.
cache {entries number | timeout {active minutes | inactive seconds}}
no cache {entries | timeout {active | inactive}}
Syntax Description
entries number | (Optional) The number of cached entries allowed in the aggregation cache. The number of entries can be 1024 to 524288. The default is 4096.
timeout | (Optional) Configures aggregation cache timeouts.
active minutes | (Optional) The number of minutes that an active entry will stay in the aggregation cache before it is exported and removed. The range is from 1 to 60 minutes. The default is 30 minutes.
inactive seconds | (Optional) The number of seconds that an inactive entry will stay in the aggregation cache before it times out. The range is from 10 to 600 seconds. The default is 15 seconds.
Defaults
The default for cache entries is 4096.
The default for active cache entries is 30 minutes.
The default for inactive cache entries is 15 seconds.
Command Modes
NetFlow aggregation cache configuration
Command History
Release | Modification
12.0(3)T | This command was introduced.
12.3(7)T | This command function was modified to support cache entries for IPv6.
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Examples
The following example shows how to set the NetFlow aggregation cache entry limits and timeout values for the NetFlow protocol-port aggregation cache:
Router(config)# ip flow-aggregation cache protocol-port
Router(config-flow-cache)# cache entries 2046
Router(config-flow-cache)# cache timeout inactive 199
Router(config-flow-cache)# cache timeout active 45
Router(config-flow-cache)# enabled
Related Commands
Command | Description
enabled (aggregation cache) | Enables a NetFlow accounting aggregation cache.
export destination (aggregation cache) | Enables the exporting of NetFlow accounting information from NetFlow aggregation caches.
ip flow-aggregation cache | Enables NetFlow accounting aggregation cache schemes.
mask (IPv4) | Specifies the source or destination prefix mask for a NetFlow accounting prefix aggregation cache.
show ip cache flow aggregation | Displays the NetFlow accounting aggregation cache statistics.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
cache-timeout
To specify the length of time for which the list of NetFlow top talkers (unaggregated top flows) is retained, use the cache-timeout command in NetFlow top talkers configuration mode. To return the timeout parameters for the list of top talkers to the default of 5 seconds, use the no form of this command.
cache-timeout milliseconds
no cache-timeout
Syntax Description
milliseconds | Length in milliseconds for which the list of top talkers is retained. The range is from 1 to 3,600,000 (1 millisecond to one hour). The default is 5000 (5 seconds).
Defaults
The default time for which the list of top talkers is retained is 5 seconds.
Command Modes
NetFlow top talkers configuration
Command History
Release | Modification
12.2(25)S | This command was introduced.
12.3(11)T | This feature was integrated into Cisco IOS Release 12.3(11)T.
12.2(27)SBC | This command was integrated into Cisco IOS Release 12.2(27)SBC.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
Configuring NetFlow top talkers
You must enable NetFlow on at least one interface in the router and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands. Optionally, the match command can be configured to specify additional matching criteria.
Cache Timeout
The cache timeout starts after the list of top talkers is requested by entering the show ip flow top-talkers command or through the NetFlow MIB.
A long timeout period limits the system resources that are used by NetFlow top talkers. However, the list of top talkers is calculated only once during the timeout period. If a request to display the top talkers is made more than once during the timeout period, the same results are displayed for each request, and the list of top talkers is not recalculated until the timeout period expires.
A short timeout period ensures that the latest list of top talkers is retrieved; however, too short a period can have undesired effects:
• The list of top talkers is lost when the timeout period expires. You should configure a timeout period at least as long as it takes the network management system (NMS) to retrieve all the required NetFlow top talkers.
• The list of top talkers is updated every time the top talkers information is requested, possibly causing unnecessary usage of system resources.
A good method to ensure that the latest information is displayed, while also conserving system resources, is to configure a large value for the timeout period, but recalculate the list of top talkers by changing the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkers command to display the top talkers. Changing the parameters of the cache-timeout, top, or sort-by command causes the list of top talkers to be recalculated upon receipt of the next command line interface (CLI) or MIB request.
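The following Python model, added here as an illustration and not part of the Cisco command reference, reproduces the cache-timeout semantics described above: the list of top talkers is computed when it is first requested, the same list is returned for every request until the timeout expires, and changing the cache-timeout, top, or sort-by parameter forces a recalculation on the next request. The flow table is a constructed sample modelled on the show ip flow top-talkers output in this section (the packet counts are made up); the class, its method names, and the injectable clock are assumptions of this example, not router internals.

```python
import time

# Constructed sample flows, modelled on the show ip flow top-talkers rows in this
# section; the packet counts are made up for the example.
SAMPLE_FLOWS = [
    {"src": "10.10.18.1", "dst": "172.16.10.232", "proto": 17, "bytes": 349_000, "packets": 300},
    {"src": "10.10.19.1", "dst": "172.16.10.2", "proto": 17, "bytes": 349_000, "packets": 300},
    {"src": "172.30.216.196", "dst": "172.16.10.2", "proto": 6, "bytes": 328_000, "packets": 900},
    {"src": "10.162.37.71", "dst": "172.16.10.2", "proto": 6, "bytes": 303_000, "packets": 250},
]


class TopTalkersCache:
    """Model of the cache-timeout behaviour: the list is computed on request, reused until
    the timeout expires, and recomputed early only when top, sort-by or cache-timeout change."""

    def __init__(self, flows, clock=time.monotonic):
        self._flows = flows            # live flow table (the caller may keep appending to it)
        self._clock = clock            # seconds; injectable so the timeout can be tested offline
        self.cache_timeout_ms = 5000   # default of the cache-timeout command
        self.top = None                # top and sort-by must be configured before the first request
        self.sort_by = None
        self._result = None
        self._computed_at = None
        self._dirty = True
        self.recalculations = 0

    def configure(self, cache_timeout_ms=None, top=None, sort_by=None):
        """Changing any of the three parameters forces a recalculation on the next request."""
        if cache_timeout_ms is not None:
            if not 1 <= cache_timeout_ms <= 3_600_000:
                raise ValueError("cache-timeout must be 1..3600000 ms")
            self.cache_timeout_ms = cache_timeout_ms
        if top is not None:
            self.top = top
        if sort_by is not None:
            if sort_by not in ("bytes", "packets"):   # assumed sort criteria for this example
                raise ValueError("sort-by must be bytes or packets")
            self.sort_by = sort_by
        self._dirty = True

    def show(self):
        """Equivalent of a show ip flow top-talkers or MIB request: returns the cached list."""
        if self.top is None or self.sort_by is None:
            raise RuntimeError("configure top and sort-by first")
        now = self._clock()
        expired = (self._computed_at is None
                   or (now - self._computed_at) * 1000 >= self.cache_timeout_ms)
        if self._dirty or expired:
            # sorted() is stable, so flows with equal counters keep their original order
            ranked = sorted(self._flows, key=lambda f: f[self.sort_by], reverse=True)
            self._result = ranked[:self.top]
            self._computed_at = now
            self._dirty = False
            self.recalculations += 1
        return self._result


def demo():
    """Walk through the three cases: stale list within the timeout, expiry, parameter change."""
    clock = [0.0]
    flows = list(SAMPLE_FLOWS)
    cache = TopTalkersCache(flows, clock=lambda: clock[0])
    cache.configure(cache_timeout_ms=2000, top=4, sort_by="bytes")
    first = cache.show()
    # A new heavy flow appears (constructed), but within the 2 s timeout the old list is returned
    flows.append({"src": "192.0.2.50", "dst": "172.16.10.2", "proto": 6, "bytes": 500_000, "packets": 100})
    clock[0] += 1.0
    second = cache.show()
    clock[0] += 1.5
    third = cache.show()        # 2.5 s after computation: timeout expired, list recomputed
    cache.configure(sort_by="packets")
    fourth = cache.show()       # parameter change: recomputed at once, long before the timeout
    return first, second, third, fourth, cache.recalculations


if __name__ == "__main__":
    for name, result in zip(("first", "second", "third", "fourth"), demo()[:4]):
        print(name, [(f["src"], f["bytes"], f["packets"]) for f in result])
```

The second request returns the identical list even though a heavier flow has since appeared, which is the "same results are displayed for each request" behaviour; the fourth request shows why changing sort-by is the cheap way to force a fresh list under a long timeout.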
Examples
In the following example, the list of top talkers is configured to be retained for 2 seconds (2000 milliseconds). There is a maximum of 4 top talkers, and the sort criterion is configured to sort the list of top talkers by the total number of bytes in each top talker.
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# cache-timeout 2000
Router(config-flow-top-talkers)# top 4
Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top-talkers command using the configuration from the previous example:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K
4 of 4 top talkers shown. 11 flows processed
Related Commands
Command | Description
ip flow-top-talkers | Enters the configuration mode for the NetFlow MIB and top talkers (heaviest traffic patterns and most-used applications in the network) feature.
match (NetFlow) | Specifies match criteria for the NetFlow MIB and top talkers (heaviest traffic patterns and most-used applications in the network) feature.
show ip flow top-talkers | Displays the statistics for the top talkers (heaviest traffic patterns and most-used applications in the network).
sort-by | Specifies the sorting criterion for top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and top talkers feature.
top | Specifies the maximum number of top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and top talkers feature.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
clear ip flow stats
To clear the NetFlow accounting statistics, use the clear ip flow stats command in privileged EXEC mode.
clear ip flow stats
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release | Modification
11.1CA | This command was introduced.
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
The show ip cache flow command displays the NetFlow accounting statistics. Use the clear ip flow stats command to clear the NetFlow accounting statistics.
Examples
The following example shows how to clear the NetFlow accounting statistics on the router:
Router# clear ip flow stats
Related Commands
Command | Description
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
show ip interface | Displays the usability status of interfaces configured for IP.
enabled (aggregation cache)
To enable a NetFlow accounting aggregation cache, use the enabled command in NetFlow aggregation cache configuration mode. To disable a NetFlow accounting aggregation cache, use the no form of this command.
enabled
no enabled
Syntax Description
This command has no arguments or keywords.
Defaults
No aggregation cache is enabled.
Command Modes
NetFlow aggregation cache configuration
Command History
Release | Modification
12.0(3)T | This command was introduced.
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Examples
The following example shows how to enable a NetFlow protocol-port aggregation cache:
Router(config)# ip flow-aggregation cache protocol-port
Router(config-flow-cache)# enabled
The following example shows how to disable a NetFlow protocol-port aggregation cache:
Router(config)# ip flow-aggregation cache protocol-port
Router(config-flow-cache)# no enabled
Related Commands
Command | Description
cache | Defines operational parameters for NetFlow accounting aggregation caches.
export destination (aggregation cache) | Enables the exporting of NetFlow accounting information from NetFlow aggregation caches.
ip flow-aggregation cache | Enables NetFlow accounting aggregation cache schemes.
mask (IPv4) | Specifies the source or destination prefix mask for a NetFlow accounting prefix aggregation cache.
show ip cache flow aggregation | Displays the NetFlow accounting aggregation cache statistics.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
export
To enable the exporting of NetFlow accounting information from NetFlow aggregation caches, use the export command in NetFlow aggregation cache configuration mode. To disable the export of NetFlow accounting information from NetFlow aggregation caches, use the no form of this command.
export {destination {ip-address | hostname} udp-port | version [8 | 9] | template [refresh-rate packets | timeout-rate minutes]}
no export {destination {ip-address | hostname} udp-port | version | template [refresh-rate | timeout-rate]}
Syntax Description
destination ip-address | hostname udp-port | IP address or hostname of the workstation to which you want to send the NetFlow information and the number of the UDP port on which the workstation is listening for this input.
version [8 | 9] | (Optional) Version of the format for the export.
template | Enables the refresh-rate and timeout-rate keywords for configuring Version 9 export templates.
refresh-rate packets | (Optional) Specifies the number of export datagrams that are sent before the templates are resent. You can specify from 1 to 600 packets. The default is 20 packets.
timeout-rate minutes | (Optional) Specifies the interval (in minutes) between which the templates are resent. You can specify from 1 to 3600 minutes. The default is 30 minutes.
Defaults
A NetFlow aggregation cache export destination is not set.
The default version format is Version 8.
The default for refresh-rate is 20 packets.
The default for timeout-rate is 30 minutes.
Command Modes
NetFlow aggregation cache configuration
Command History
Release | Modification
12.0(3)T | This command was introduced.
12.0(24)S | The version, template, refresh-rate, and timeout-rate keywords were added.
12.3(1) | This command was integrated into Cisco IOS Release 12.3(1).
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
export destination
You can configure a maximum of two concurrent destinations per cache using the destination keyword with the export command.
Determine the Appropriate Export Version for Your Requirements
NetFlow aggregation caches export data in UDP datagrams using either the Version 9 or Version 8 export format. Table 2 describes how to determine the most appropriate export format for your requirements.
Table 2 When to Select a Particular NetFlow Export Format
Export Format | Select When...
Version 9 | You need a flexible and extensible format, which provides the versatility needed for support of new fields and record types. This format accommodates new NetFlow-supported technologies such as Multicast, IPv6 NetFlow, Egress NetFlow, NetFlow Layer 2 and security exports, Multiprotocol Label Switching (MPLS), and Border Gateway Protocol (BGP) next hop. Version 9 export format enables you to use the same version for main and aggregation caches, and the format is extendable, so you can use the same export format with future features.
Version 8 | You need to export data from aggregation caches or you need to export data from a Catalyst 6000 series switch with a Multilayer Switch Feature Card (MSFC). You do not plan to support new features. Version 8 export format is available only for export from aggregation caches.
NetFlow Version 9 Data Export Format Overview
The NetFlow Version 9 Export Format feature was introduced in Cisco IOS Release 12.0(24)S and was integrated into Cisco IOS Release 12.3(1) and Cisco IOS Release 12.2(18)S.
NetFlow Version 9 is a flexible and extensible means for transferring NetFlow records from a network node to a collector. NetFlow Version 9 has definable record types and is self-describing for easier NetFlow Collection Engine configuration.
Third-party business partners who produce applications that provide NetFlow Collection Engine or display services for NetFlow do not need to recompile their applications each time a new NetFlow technology is added. Instead, with the NetFlow v9 Export Format feature, they can use an external data file that documents the known template formats and field types.
NetFlow Version 9 has the following characteristics:
•Record formats are defined by templates.
•Template descriptions are communicated from the router to the NetFlow Collection Engine.
•Flow records are sent from the router to the NetFlow Collection Engine with minimal template information so that the NetFlow Collection Engine can relate the records to the appropriate template.
•Version 9 is independent of the underlying transport (UDP, TCP, SCTP, and so on).
NetFlow Version 9 Template-Based Flow Record Format
The main feature of NetFlow Version 9 export format is that it is template based. A template describes a NetFlow record format and the attributes of the fields (such as type and length) within the record. The router assigns each template an ID, which is communicated to the NetFlow Collection Engine along with the template description. The template ID is used for all further communication from the router to the NetFlow Collection Engine.
NetFlow Version 9 Export Flow Records
The basic output of NetFlow is a flow record. In NetFlow Version 9 export format, a flow record follows the same sequence of fields that is found in the template definition. The template to which NetFlow flow records belong is determined by the prefixing of the template ID to the group of NetFlow flow records that belong to a template. For a complete discussion of existing NetFlow flow-record formats, see the NetFlow Services Solutions Guide.
NetFlow Version 9 Export Packet
In NetFlow Version 9, an export packet consists of the packet header and flowsets. The packet header identifies the NetFlow export version. Flowsets are of two types: template flowsets and data flowsets. The template flowset describes the fields that will be in the data flowsets (or flow records). Each data flowset contains the values or statistics of one or more flows that have the same template ID. When the NetFlow Collection Engine receives a template flowset, it stores the flowset and export source address so that subsequent data flowsets that match the flowset ID and source combination are parsed according to the field definitions in the template flowset. Version 9 is supported by NetFlow Collection Engine Version 4.0.
For a complete description of the Version 9 packet headers, template flowsets, and data flowsets, see the Cisco IOS NetFlow Version 9 Flow-Record Format white paper.
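To make the template mechanism concrete, the following Python collector is added here as an example; it is not Cisco code and not the NetFlow Collection Engine. It builds a constructed Version 9 export packet (a template flowset describing four fields, then a data flowset of two records) and decodes it the way the preceding paragraphs describe: templates are stored per exporter address and source ID, and a data flowset is parsed only when a template with a matching ID has been received from that same source. Data that arrives before its template, or whose template was learned from a different exporter, is counted rather than decoded. The packet header and flowset layout are those of the public NetFlow Version 9 format; the four field type numbers (1 IN_BYTES, 2 IN_PKTS, 8 IPV4_SRC_ADDR, 12 IPV4_DST_ADDR) come from the public v9 field-type table, not from this page, and the exporter addresses and flow values are made up.

```python
import struct
import ipaddress

# Standard NetFlow v9 field type numbers (assumption: taken from the public field-type table,
# not listed on this page).
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 8: "IPV4_SRC_ADDR", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}

V9_HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET_HDR = struct.Struct("!HH")     # flowset_id, length in bytes including this 4-byte header


def _pad4(data):
    """Pad a flowset body to a 32-bit boundary, as exporters do."""
    return data + b"\x00" * ((-len(data)) % 4)


def build_template_flowset(template_id, fields):
    """Template flowset (flowset_id 0): template_id, field_count, then (type, length) pairs."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)
    body = _pad4(body)
    return FLOWSET_HDR.pack(0, FLOWSET_HDR.size + len(body)) + body


def build_data_flowset(template_id, records):
    """Data flowset: its flowset_id is the template_id the records were encoded with."""
    body = _pad4(b"".join(records))
    return FLOWSET_HDR.pack(template_id, FLOWSET_HDR.size + len(body)) + body


def build_packet(source_id, sequence, flowsets):
    """v9 export packet: 20-byte header followed by flowsets (uptime and time are constructed)."""
    header = V9_HEADER.pack(9, len(flowsets), 123456, 1700000000, sequence, source_id)
    return header + b"".join(flowsets)


def make_record(src, dst, in_bytes, in_pkts):
    """One record for the template used in demo(): two IPv4 addresses, two 32-bit counters."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!II", in_bytes, in_pkts))


class V9Collector:
    """Minimal collector: learns templates per source, decodes data flowsets, counts the rest."""

    def __init__(self):
        # Keyed by (exporter address, source_id, template_id): a template only applies to data
        # from the same exporter and source, so no other sender can redefine how records parse.
        self.templates = {}
        self.dropped_flowsets = 0

    def feed(self, exporter, packet):
        if len(packet) < V9_HEADER.size:
            raise ValueError("packet shorter than v9 header")
        version, _count, _uptime, _secs, _seq, source_id = V9_HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError("not a NetFlow v9 packet: version %d" % version)
        records, offset = [], V9_HEADER.size
        # The header count is advisory here; flowsets are walked by their own length fields.
        while offset + FLOWSET_HDR.size <= len(packet):
            fs_id, fs_len = FLOWSET_HDR.unpack_from(packet, offset)
            if fs_len < FLOWSET_HDR.size or offset + fs_len > len(packet):
                raise ValueError("flowset length %d out of range at offset %d" % (fs_len, offset))
            body = packet[offset + FLOWSET_HDR.size:offset + fs_len]
            if fs_id == 0:
                self._learn_templates(exporter, source_id, body)
            elif fs_id != 1:   # 1 = options template flowset, not handled in this example
                records.extend(self._decode_data(exporter, source_id, fs_id, body))
            offset += fs_len
        return records

    def _learn_templates(self, exporter, source_id, body):
        pos = 0
        while len(body) - pos >= 4:
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            if field_count == 0:
                break   # trailing padding, not a template
            pos += 4
            if pos + 4 * field_count > len(body):
                raise ValueError("truncated template %d" % template_id)
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(field_count)]
            pos += 4 * field_count
            self.templates[(exporter, source_id, template_id)] = fields

    def _decode_data(self, exporter, source_id, template_id, body):
        fields = self.templates.get((exporter, source_id, template_id))
        if fields is None:
            self.dropped_flowsets += 1   # data before its template: cannot be decoded yet
            return []
        record_len = sum(flen for _ftype, flen in fields)
        if record_len == 0:
            raise ValueError("template %d has zero-length records" % template_id)
        records, pos = [], 0
        while len(body) - pos >= record_len:   # end padding (< 4 bytes) never forms a record
            record, fpos = {}, pos
            for ftype, flen in fields:
                raw = body[fpos:fpos + flen]
                name = FIELD_NAMES.get(ftype, "type_%d" % ftype)
                record[name] = (str(ipaddress.IPv4Address(raw))
                                if ftype in IPV4_FIELDS and flen == 4 else int.from_bytes(raw, "big"))
                fpos += flen
            records.append(record)
            pos += record_len
        return records


def demo():
    """Three feeds: data before its template, template then data, and a foreign exporter."""
    template = build_template_flowset(256, [(8, 4), (12, 4), (1, 4), (2, 4)])
    data = build_data_flowset(256, [
        make_record("10.10.18.1", "172.16.10.232", 349000, 300),   # constructed sample flows
        make_record("10.10.19.1", "172.16.10.2", 1500, 1),
    ])
    collector, exporter = V9Collector(), "192.0.2.1"                  # constructed exporter
    before = collector.feed(exporter, build_packet(0, 1, [data]))               # no template yet
    decoded = collector.feed(exporter, build_packet(0, 2, [template, data]))    # template first
    foreign = collector.feed("198.51.100.7", build_packet(0, 1, [data]))        # other exporter
    return before, decoded, foreign, collector.dropped_flowsets


if __name__ == "__main__":
    print(demo())
```

A collector that keyed templates by template ID alone would let any host that can reach the collector port redefine field layouts for every exporter; keying on the source as well, as the text describes, is the basic defence, and the dropped-flowset counter is what an operator watches to tell a cold start (templates not yet refreshed) from a misconfigured source.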
NetFlow Version 8 Data Export Format Overview
The Version 8 data export format is the NetFlow export format used when the router-based NetFlow aggregation feature is enabled on Cisco IOS router platforms. The Version 8 format allows for export datagrams to contain a subset of the Version 5 export data that is based on the configured aggregation cache scheme. For example, a certain subset of the Version 5 export data is exported for the destination prefix aggregation scheme, and a different subset is exported for the source-prefix aggregation scheme.
The Version 8 export format was introduced in Cisco IOS 12.0(3)T for the Cisco IOS NetFlow Aggregation feature. An additional six aggregation schemes that also use Version 8 format were defined for the NetFlow ToS-Based Router Aggregation feature introduced in Cisco IOS 12.0(15)S and integrated into Cisco IOS Releases 12.2(4)T and 12.2(14)S.
The Version 8 datagram consists of a header with the version number (which is 8) and time stamp information, followed by one or more records corresponding to individual entries in the NetFlow cache.
Table 3 lists the NetFlow Version 8 export packet header field names and descriptions.
Table 3 NetFlow Version 8 Export Packet Header Field Names and Descriptions
Field Name | Description
Version | Flow export format version number. In this case 8.
Count | Number of export records in the datagram.
System Uptime | Number of milliseconds since the router last booted.
UNIX Seconds | Number of seconds since 0000 UTC 1970.
UNIX NanoSeconds | Number of residual nanoseconds since 0000 UTC 1970.
Flow Sequence Number | Sequence counter of total flows sent for this export stream.
Engine Type | The type of switching engine. RP = 0 and LC = 1.
Engine ID | Slot number of the NetFlow engine.
Aggregation | Type of aggregation scheme being used.
Agg Version | Aggregation subformat version number. The current value is 2.
Sampling Interval | Interval value used if Sampled NetFlow is configured.
Reserved | Zero field.
For version 8 data exports, the maximum number of aggregated flow records and the maximum size in bytes of each UDP datagram are shown in Table 4.
Table 4 NetFlow Version 8 Aggregation Scheme, Number of Flow Records and UDP Packet Size
Aggregation Scheme | Maximum Number of Flow Records | UDP Packet Size
BGP Autonomous System | 51 | 1456 bytes
Destination Prefix | 44 | 1436 bytes
Prefix | 35 | 1428 bytes
Protocol Port | 51 | 1456 bytes
Source Prefix | 44 | 1436 bytes
Examples
The following example shows how to configure two export destinations for a NetFlow accounting protocol-port aggregation cache scheme:
Router(config)# ip flow-aggregation cache protocol-port
Router(config-flow-cache)# export destination 10.41.41.1 9992
Router(config-flow-cache)# export destination 172.16.89.1 9992
Router(config-flow-cache)# enabled
The following example shows how to configure the Version 9 template refresh-rate and timeout-rate parameters for a NetFlow accounting protocol-port aggregation cache scheme:
Router(config)# ip flow-aggregation cache protocol-port
Router(config-flow-cache)# export version 9
Router(config-flow-cache)# export template refresh-rate 100
Router(config-flow-cache)# export template timeout-rate 120
Router(config-flow-cache)# enabled
Related Commands
Command | Description
cache | Defines operational parameters for NetFlow accounting aggregation caches.
enabled (aggregation cache) | Enables a NetFlow accounting aggregation cache.
ip flow-aggregation cache | Enables NetFlow accounting aggregation cache schemes.
mask (IPv4) | Specifies the source or destination prefix mask for a NetFlow accounting prefix aggregation cache.
show ip cache flow aggregation | Displays the NetFlow accounting aggregation cache statistics.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
flow-sampler
To apply a flow sampler map for random sampled NetFlow accounting to an interface, use the flow-sampler command in interface configuration mode. To remove a flow sampler map for random sampled NetFlow accounting from an interface, use the no form of this command.
flow-sampler sampler-map-name [egress]
no flow-sampler sampler-map-name [egress]
Syntax Description
sampler-map-name | Name of the flow sampler map to apply to the interface.
egress | (Optional) Specifies that the sampler map is to be applied to egress traffic.
Defaults
Flow sampler maps for NetFlow accounting are not applied to interfaces by default. If flow sampler maps for NetFlow accounting are applied to an interface, they are applied for ingress (incoming) traffic unless otherwise specified with the egress keyword.
Command Modes
Interface configuration
Subinterface configuration
Command History
Release | Modification
12.3(2)T | This command was introduced.
12.0(26)S | This command was integrated into Cisco IOS Release 12.0(26)S.
12.3(11)T | NetFlow egress support was added.
Usage Guidelines
You must create and enable the random sampler NetFlow map for random sampled NetFlow accounting using the flow-sampler-map and mode commands before you can use the flow-sampler command to apply the random sampler NetFlow map to an interface.
Random sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface, or subinterface. You must disable (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the interface, or subinterface, if you want to enable random sampled NetFlow accounting on the interface, or subinterface.
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Tip If you disable CEF or dCEF globally using the no ip cef [distributed] command, the flow-sampler sampler-map-name command is removed from any interfaces that you previously configured for random sampled NetFlow accounting. You must reenter the flow-sampler sampler-map-name command after you reenable CEF or dCEF to reactivate random sampled NetFlow accounting.
Tip If your router is running Cisco IOS Release 12.2(14)S or a later release, or Cisco IOS Release 12.2(15)T or a later release, NetFlow accounting might be enabled through the use of the ip flow ingress command instead of the ip route-cache flow command. If your router has NetFlow accounting enabled through the use of the ip flow ingress command, you must disable NetFlow accounting, using the no form of that command, before you apply a random sampler map for random sampled NetFlow accounting on an interface; otherwise the full, unsampled traffic will continue to be seen.
Examples
The following example shows how to create and enable a random sampler map for random sampled (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:
Router(config)# flow-sampler-map my-map
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# interface ethernet 0/0
Router(config-if)# no ip route-cache flow
Router(config-if)# ip route-cache cef
Router(config-if)# flow-sampler my-map
The following example shows how to create and enable a random sampler map for random sampled egress NetFlow accounting with CEF switching on Ethernet interface 1/0:
Router(config)# flow-sampler-map my-map
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# interface ethernet 1/0
Router(config-if)# no ip flow egress
Router(config-if)# ip route-cache cef
Router(config-if)# flow-sampler my-map egress
The following output from the show flow-sampler command verifies that random sampled NetFlow accounting is active:
Router# show flow-sampler
Sampler : my-map, id : 1, packets matched : 7, mode : random sampling mode
sampling interval is : 100
Related Commands
Command | Description
flow-sampler-map | Defines a flow sampler map for random sampled NetFlow accounting.
mode (flow sampler configuration) | Specifies a packet interval for NetFlow accounting random sampling mode and enables the flow sampler map.
netflow-sampler | Enables NetFlow accounting with input filter sampling.
show flow-sampler | Displays the status of random sampled NetFlow (including mode, packet interval, and number of packets matched for each flow sampler).
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
flow-sampler-map
To define a flow sampler map for random sampled NetFlow accounting, use the flow-sampler-map command in global configuration mode. To remove a flow sampler map for random sampled NetFlow accounting use the no form of this command.
flow-sampler-map sampler-map-name
no flow-sampler-map sampler-map-name
Syntax Description
sampler-map-name | Name of the flow sampler map to be defined for random sampled NetFlow accounting.
Defaults
No flow sampler maps for random sampled NetFlow accounting are defined.
Command Modes
Global configuration
Command History
Release | Modification
12.3(2)T | This command was introduced.
12.0(26)S | This command was integrated into Cisco IOS Release 12.0(26)S.
Usage Guidelines
Random sampled NetFlow accounting does not start sampling traffic until (1) the random sampler map is activated through the use of the mode command and (2) the sampler map has been applied to an interface through the use of the flow-sampler command.
Random sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface or subinterface. You must disable (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the interface or subinterface if you want to enable random sampled NetFlow accounting on that interface or subinterface.
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Tip If you disable CEF or dCEF globally using the no ip cef [distributed] command, the flow-sampler sampler-map-name command is removed from any interfaces that you previously configured for random sampled NetFlow accounting. You must reenter the flow-sampler sampler-map-name command after you reenable CEF or dCEF to reactivate random sampled NetFlow accounting.
Tip If your router is running Cisco IOS Release 12.2(14)S or a later release, or Cisco IOS Release 12.2(15)T or a later release, NetFlow accounting might be enabled through the use of the ip flow ingress command instead of the ip route-cache flow command. If your router has NetFlow accounting enabled through the use of the ip flow ingress command, you must disable NetFlow accounting, using the no form of that command, before you apply a random sampler map for random sampled NetFlow accounting on an interface; otherwise the full, unsampled traffic will continue to be seen.
Examples
The following example shows how to create and enable a random sampler map for random sampled (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:
Router(config)# flow-sampler-map my-map
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# interface ethernet 0/0
Router(config-if)# no ip route-cache flow
Router(config-if)# ip route-cache cef
Router(config-if)# flow-sampler my-map
The following example shows how to create and enable a random sampler map for random sampled egress NetFlow accounting with CEF switching on Ethernet interface 1/0:
Router(config)# flow-sampler-map my-map
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# interface ethernet 1/0
Router(config-if)# no ip flow egress
Router(config-if)# ip route-cache cef
Router(config-if)# flow-sampler my-map egress
The following output from the show flow-sampler command verifies that random sampled NetFlow accounting is active:
Router# show flow-sampler
Sampler : my-map, id : 1, packets matched : 7, mode : random sampling mode
sampling interval is : 100
Related Commands
Command | Description
flow-sampler | Applies a flow sampler map for random sampled NetFlow accounting to an interface.
mode (flow sampler configuration) | Specifies a packet interval for NetFlow accounting random sampling mode and enables the flow sampler map.
netflow-sampler | Enables NetFlow accounting with input filter sampling.
show flow-sampler | Displays the status of random sampled NetFlow (including mode, packet interval, and number of packets matched for each flow sampler).
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
ip flow egress
To enable egress NetFlow accounting for traffic that the router is forwarding, use the ip flow egress command in interface, or subinterface, configuration mode. To disable egress NetFlow accounting for traffic that the router is forwarding, use the no form of this command.
ip flow egress
no ip flow egress
Syntax Description
This command has no arguments or keywords.
Defaults
This command is not enabled by default.
Command Modes
Interface configuration
Subinterface configuration
Command History
Release | Modification
12.3(11)T | This command was introduced.
Usage Guidelines
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Use this command on an interface or subinterface to enable NetFlow accounting for traffic that is being forwarded by the router.
Examples
The following example shows how to configure egress NetFlow accounting with CEF switching on Ethernet interface 0/0:
Router(config)# interface Ethernet0/0
Router(config-if)# ip route-cache cef
Router(config-if)# ip flow egress
The following example shows how to configure egress NetFlow accounting with dCEF on Ethernet interface 0/0:
Router(config)# ip cef distributed
Router(config)# interface Ethernet0/0
Router(config-if)# ip route-cache cef
Router(config-if)# ip flow egress
Related Commands
Command | Description
ip flow ingress | Enables NetFlow (ingress) accounting for traffic arriving on an interface.
ip flow-egress input-interface | Removes the NetFlow egress accounting flow key that specifies an output interface and adds a flow key that specifies an input interface for NetFlow egress accounting.
ip flow-cache timeout | Specifies NetFlow accounting flow cache parameters.
ip flow-cache entries | Changes the number of entries maintained in the NetFlow accounting cache.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
ip flow ingress
To enable (ingress) NetFlow accounting for traffic arriving on an interface, use the ip flow ingress command in interface configuration mode. To disable NetFlow (ingress) accounting for traffic arriving on an interface, use the no form of this command.
ip flow ingress
no ip flow ingress
Syntax Description
This command has no arguments or keywords.
Defaults
This command is not enabled by default.
Command Modes
Interface configuration
Subinterface configuration
Command History
Release | Modification
12.2(14)S | This command was introduced.
12.2(15)T | This command was integrated into Cisco IOS Release 12.2(15)T.
Usage Guidelines
Use this command on an interface or subinterface to enable (ingress) NetFlow accounting for traffic that is being received by the router.
You must enable one of the high-speed switching methods on the interface before using this command:
•Fast switching
•Cisco Express Forwarding (CEF)
•Distributed CEF (dCEF)
Examples
The following example shows how to configure (ingress) NetFlow accounting with fast switching on Ethernet interface 0/0:
Router(config)# interface Ethernet0/0
Router(config-if)# ip route-cache
Router(config-if)# ip flow ingress
The following example shows how to configure (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:
Router(config)# interface Ethernet0/0
Router(config-if)# ip route-cache cef
Router(config-if)# ip flow ingress
The following example shows how to configure (ingress) NetFlow accounting with dCEF switching on Ethernet interface 0/0:
Router(config)# ip cef distributed
Router(config)# interface Ethernet0/0
Router(config-if)# ip route-cache cef
Router(config-if)# ip flow ingress
Related Commands
Command | Description
ip flow egress | Enables NetFlow egress accounting for traffic that the router is forwarding.
ip flow-egress input-interface | Removes the NetFlow egress accounting flow key that specifies an output interface and adds a flow key that specifies an input interface for NetFlow egress accounting.
ip flow-cache timeout | Specifies NetFlow accounting flow cache parameters.
ip flow-cache entries | Changes the number of entries maintained in the NetFlow accounting cache.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
ip flow-aggregation cache
To enable NetFlow accounting aggregation cache schemes, use the ip flow-aggregation cache command in global configuration mode. To disable NetFlow accounting aggregation cache schemes, use the no form of this command.
ip flow-aggregation cache {as | as-tos | bgp-nexthop-tos | destination-prefix |
destination-prefix-tos | prefix | prefix-port | prefix-tos | protocol-port | protocol-port-tos |
source-prefix | source-prefix-tos}
no ip flow-aggregation cache {as | as-tos | bgp-nexthop-tos | destination-prefix |
destination-prefix-tos | prefix | prefix-port | prefix-tos | protocol-port | protocol-port-tos |
source-prefix | source-prefix-tos}
Syntax Description
as | Configures the autonomous system aggregation cache scheme.
as-tos | Configures the autonomous system type of service (ToS) aggregation cache scheme.
bgp-nexthop-tos | Configures the Border Gateway Protocol (BGP) next hop ToS aggregation cache scheme.
destination-prefix | Configures the destination-prefix aggregation cache scheme.
destination-prefix-tos | Configures the destination prefix ToS aggregation cache scheme.
prefix | Configures the prefix aggregation cache scheme.
prefix-port | Configures the prefix port aggregation cache scheme.
prefix-tos | Configures the prefix ToS aggregation cache scheme.
protocol-port | Configures the protocol-port aggregation cache scheme.
protocol-port-tos | Configures the protocol-port ToS aggregation cache scheme.
source-prefix | Configures the source-prefix aggregation cache scheme.
source-prefix-tos | Configures the source-prefix ToS aggregation cache scheme.
Defaults
This command is not enabled by default.
Command Modes
Global configuration
Command History
Release | Modification
12.0(3)T | This command was introduced.
12.0(15)S | This command was modified to include the ToS aggregation scheme keywords.
12.2(2)T | This command was modified to enable multiple NetFlow export destinations.
12.2(14)S | This command was integrated into Cisco IOS Release 12.2(14)S.
12.3(1) | The bgp-nexthop-tos aggregation scheme keyword was added.
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command. The export destination command supports a maximum of two concurrent export destinations.
The ToS aggregation cache scheme keywords enable NetFlow accounting aggregation cache schemes that include the ToS byte in their export records. The ToS byte is an 8-bit field in the IP header. The ToS byte specifies the quality of service for a datagram during its transmission through the Internet.
You can enable only one aggregation cache configuration scheme per command line. The following rules apply to configuring source and destination masks.
•The source mask can only be configured in the prefix, prefix-port, prefix-tos, source-prefix and source-prefix-tos aggregation modes.
•The destination mask can only be configured in the prefix, prefix-port, prefix-tos, destination-prefix and destination-prefix-tos aggregation modes.
•No masks can be configured in non-prefix aggregation modes.
To enable aggregation (whether or not an aggregation cache is fully configured), you must enter the enabled command in aggregation cache configuration mode. (You can use the no form of this command to disable aggregation. The cache configuration remains unchanged even if aggregation is disabled.)
Examples
The following example shows how to configure a NetFlow accounting autonomous system aggregation cache scheme:
Router(config)# ip flow-aggregation cache as
Router(config-flow-cache)# enabled
The following example shows how to configure a minimum prefix mask of 16 bits for the NetFlow accounting destination-prefix aggregation cache scheme:
Router(config)# ip flow-aggregation cache destination-prefix
Router(config-flow-cache)# mask destination minimum 16
Router(config-flow-cache)# enabled
The following example shows how to configure a minimum prefix mask of 16 bits for the NetFlow accounting source-prefix aggregation cache scheme:
Router(config)# ip flow-aggregation cache source-prefix
Router(config-flow-cache)# mask source minimum 16
Router(config-flow-cache)# enabled
The following example shows how to configure multiple export destinations for the NetFlow accounting autonomous system ToS aggregation cache scheme:
Router(config)# ip flow-aggregation cache as-tos
Router(config-flow-cache)# export destination 172.17.24.65 9991
Router(config-flow-cache)# export destination 172.16.10.2 9991
Router(config-flow-cache)# enabled
Related Commands
Command | Description
export destination (aggregation cache) | Enables the exporting of NetFlow accounting information from NetFlow aggregation caches.
enabled (aggregation cache) | Enables the NetFlow aggregation cache.
mask | Specifies the source or destination prefix mask.
show ip cache flow aggregation | Displays a summary of the NetFlow accounting aggregation cache statistics.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
ip flow-cache entries
To change the number of entries maintained in the NetFlow accounting cache, use the ip flow-cache entries command in global configuration mode. To return to the default number of entries, use the no form of this command.
ip flow-cache entries number
no ip flow-cache entries
Syntax Description
number | Number of entries to maintain in the NetFlow cache. The valid range is from 1024 to 524288 entries. The default is 65536 (64K).
Defaults
65536 entries (64K)
Command Modes
Global configuration
Command History
Release | Modification
12.0(3)T | This command was introduced.
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Normally the default size of the NetFlow cache will meet your needs. However, you can increase or decrease the number of entries maintained in the cache to meet the needs of your flow traffic rates. For environments with a high amount of flow traffic (such as an internet core router), a larger value such as 131072 (128K) is recommended. To obtain information on your flow traffic, use the show ip cache flow EXEC command.
The default is 64K flow cache entries. Each cache entry is approximately 64 bytes of storage. Assuming a cache with the default number of entries, approximately 4 MB of DRAM would be required. Each time a new flow is taken from the free flow queue, the number of free flows is checked. If only a few free flows remain, NetFlow attempts to age 30 flows using an accelerated timeout. If only one free flow remains, NetFlow automatically ages 30 flows regardless of their age. The intent is to ensure that free flow entries are always available.
Caution We recommend that you not change the number of NetFlow cache entries. To return to the default number of NetFlow cache entries, use the no ip flow-cache entries global configuration command.
Examples
The following example shows how to increase the number of NetFlow cache entries to 131,072 (128K):
Router(config)# ip flow-cache entries 131072
%The change in number of entries will take effect after either the next reboot or when
netflow is turned off on all interfaces
Tip You turn off NetFlow accounting on an interface by removing the command with which you enabled it. For example, if you enabled NetFlow accounting on an interface with the ip flow ingress command, you turn off NetFlow accounting for the interface using the no form of the command, no ip flow ingress. Remember to turn NetFlow accounting back on for the interface after you have turned it off.
Related Commands
Command | Description
ip flow ingress | Enables NetFlow (ingress) accounting for traffic arriving on an interface.
ip flow egress | Enables NetFlow egress accounting for traffic that the router is forwarding.
ip flow-egress input-interface | Removes the NetFlow egress accounting flow key that specifies an output interface and adds a flow key that specifies an input interface for NetFlow egress accounting.
ip flow-cache timeout | Specifies NetFlow accounting flow cache parameters.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
ip flow-cache mpls label-positions
To enable Multiprotocol Label Switching (MPLS)-aware NetFlow, use the ip flow-cache mpls label-positions command in global configuration mode. To disable MPLS-aware NetFlow, use the no form of this command.
ip flow-cache mpls label-positions [label-position-1 [label-position-2 [label-position-3]]]
[no-ip-fields] [mpls-length]
no ip flow-cache mpls label-positions
Syntax Description
label-position-1 | Position of an MPLS label in the incoming label stack. Label positions are counted from the top of the stack, starting with 1.
no-ip-fields | Controls the capture and reporting of MPLS flow fields. If the no-ip-fields keyword is not specified, the following IP-related flow fields are included:
•Source IP address
•Destination IP address
•Transport layer protocol
•Source application port number
•Destination application port number
•IP type of service (ToS)
•TCP flag
If the no-ip-fields keyword is specified, the IP-related fields are not captured and reported.
mpls-length | Controls the reporting of packet length. If the mpls-length keyword is specified, the reported length represents the sum of the MPLS packet payload length and the MPLS label stack length. If the mpls-length keyword is not specified, only the length of the MPLS packet payload is reported.
Defaults
MPLS-aware NetFlow is not enabled.
Command Modes
Global configuration
Command History
Release | Modification
12.0(24)S | This command was introduced.
12.0(25)S | The no-ip-fields and mpls-length keywords were added to the command.
12.3(8)T | This command was integrated into Cisco IOS Release 12.3(8)T.
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Use this command to configure the MPLS-aware NetFlow feature on a label switch router (LSR) and to specify labels of interest in the incoming label stack. Label positions are counted from the top of the stack, starting with 1. The position of the top label is 1, the position of the second label is 2, and so forth.
With MPLS-aware NetFlow enabled on the router, NetFlow collects data for incoming IP packets as well as for incoming MPLS packets on all interfaces where NetFlow is enabled in full or in sampled mode.
Caution When you enter the ip flow-cache mpls label-positions command on a Cisco 12000 Series Internet Router, NetFlow will stop collecting data for incoming IP packets on any Engine 4P line cards installed in the router on which NetFlow is enabled in full or in sampled mode. Engine 4P line cards in a Cisco 12000 Series Internet Router do not support NetFlow data collection of incoming IP packets and MPLS packets concurrently.
Tip MPLS-aware NetFlow is enabled in global configuration mode. NetFlow is enabled per interface.
Examples
The following example shows how to configure MPLS-aware NetFlow to capture the first (top), third, and fifth label:
Router(config)# ip flow-cache mpls label-positions 1 3 5
The following example shows how to configure MPLS-aware NetFlow to capture only MPLS flow information (no IP-related flow fields) and the length that represents the sum of the MPLS packet payload length and the MPLS label stack length:
Router(config)# ip flow-cache mpls label-positions no-ip-fields mpls-length
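To make the two keywords concrete, the following added example (not Cisco code, and not taken from this reference) parses an MPLS label stack and models what label-positions 1 3 5 selects and what the mpls-length keyword changes in the reported length. The packet bytes and label values are constructed for the example.

```python
import struct


def build_label_entry(label, exp=0, bottom=False, ttl=64):
    """Encode one 4-byte MPLS label stack entry: 20-bit label, 3-bit EXP/TC,
    1-bit bottom-of-stack flag, 8-bit TTL (RFC 3032 layout)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    word = (label << 12) | ((exp & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def parse_label_stack(packet):
    """Return (labels, stack_length). Labels are listed top of stack first,
    which is the order label-positions counts them in (position 1 = top)."""
    labels = []
    offset = 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("truncated MPLS label stack")
        (word,) = struct.unpack_from("!I", packet, offset)
        labels.append(word >> 12)
        offset += 4
        if (word >> 8) & 1:  # bottom-of-stack bit set: this was the last entry
            return labels, offset


def labels_at_positions(packet, positions):
    """Model 'ip flow-cache mpls label-positions p1 [p2 [p3]]': pick the labels at
    the requested 1-based positions counted from the top. A position deeper than
    the stack yields None, since there is no label to report there."""
    if len(positions) > 3:
        raise ValueError("the command accepts at most three label positions")
    labels, _ = parse_label_stack(packet)
    return {p: (labels[p - 1] if 1 <= p <= len(labels) else None) for p in positions}


def reported_length(packet, mpls_length=False):
    """Length NetFlow reports for the MPLS packet: the payload only by default,
    or payload plus label stack when the mpls-length keyword is configured."""
    _, stack_len = parse_label_stack(packet)
    payload_len = len(packet) - stack_len
    return payload_len + stack_len if mpls_length else payload_len


# Constructed sample packet: three labels (16, 300, 1024) over a 40-byte payload.
SAMPLE_PACKET = (
    build_label_entry(16, ttl=255)
    + build_label_entry(300)
    + build_label_entry(1024, bottom=True)
    + bytes(40)
)

if __name__ == "__main__":
    print(labels_at_positions(SAMPLE_PACKET, [1, 3, 5]))   # {1: 16, 3: 1024, 5: None}
    print(reported_length(SAMPLE_PACKET))                  # 40
    print(reported_length(SAMPLE_PACKET, mpls_length=True))  # 52
```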
Related Commands
Command | Description
ip flow ingress | Enables NetFlow (ingress) accounting for traffic arriving on an interface.
ip flow egress | Enables NetFlow egress accounting for traffic that the router is forwarding.
ip flow-egress input-interface | Removes the NetFlow egress accounting flow key that specifies an output interface and adds a flow key that specifies an input interface for NetFlow egress accounting.
ip flow-cache timeout | Specifies NetFlow accounting flow cache parameters.
ip flow-cache entries | Changes the number of entries maintained in the NetFlow accounting cache.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
ip flow-cache timeout
To specify NetFlow accounting flow cache parameters, use the ip flow-cache timeout command in global configuration mode. To disable the flow cache parameters, use the no form of this command.
ip flow-cache timeout [active minutes | inactive seconds]
no ip flow-cache timeout [active | inactive]
Syntax Description
active | Specifies the active flow timeout.
minutes | (Optional) The number of minutes that an active flow remains in the cache before it times out. The range is from 1 to 60.
inactive | Specifies the inactive flow timeout.
seconds | (Optional) The number of seconds that an inactive flow remains in the cache before it times out. The range is from 10 to 600.
Defaults
The default value for the number of minutes that an active flow remains in the cache before it times out is 30.
The default value for the number of seconds that an inactive flow remains in the cache before it times out is 15.
Command Modes
Global configuration
Command History
Release | Modification
12.3(7)T | This command was introduced.
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Use this command to specify active and inactive timeout parameters.
A flow is considered to be active if packets belonging to the flow are detected wherever the NetFlow statistics are being collected. A flow is considered to be inactive if no further packets are detected for the flow at the collection point for NetFlow statistics.
Examples
In the following example, an active flow is allowed to remain in the cache for 20 minutes:
Router(config)# ip flow-cache timeout active 20
In the following example, an inactive flow is allowed to remain in the cache for 10 seconds before it times out and is removed:
Router(config)# ip flow-cache timeout inactive 10
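The following added example (a toy model, not Cisco's implementation) ties together the cache behaviour described under ip flow-cache entries and the active and inactive timeouts described here: entries expire when idle longer than the inactive timeout or resident longer than the active timeout, and when the free flow queue runs low, 30 flows are aged at once. The thresholds behind "only a few free flows" and the "accelerated timeout" are not quantified in the reference and are assumptions in the code.

```python
from dataclasses import dataclass

# The reference says NetFlow ages 30 flows when "only a few" or "only one" free
# flow remains; the count behind "a few" is an assumption here.
FEW_FREE_FLOWS = 3
AGE_BATCH = 30


@dataclass
class FlowEntry:
    key: tuple          # e.g. (src, dst, proto, sport, dport)
    first_seen: float   # seconds
    last_seen: float
    packets: int = 1


class FlowCache:
    """Toy model of the main NetFlow cache.
    max_entries      <- ip flow-cache entries N
    active_minutes   <- ip flow-cache timeout active M
    inactive_seconds <- ip flow-cache timeout inactive S
    Expired entries are appended to `exported`, as if sent to a collector."""

    def __init__(self, max_entries=65536, active_minutes=30, inactive_seconds=15):
        self.max_entries = max_entries
        self.active_timeout = active_minutes * 60
        self.inactive_timeout = inactive_seconds
        self.flows = {}
        self.exported = []

    def free_entries(self):
        return self.max_entries - len(self.flows)

    def _export(self, key):
        self.exported.append(self.flows.pop(key))

    def expire(self, now):
        """Normal aging: a flow leaves the cache when no packet has been seen for
        longer than the inactive timeout, or when it has been resident longer than
        the active timeout (so a long-lived flow is exported in slices)."""
        for key, e in list(self.flows.items()):
            idle = now - e.last_seen
            age = now - e.first_seen
            if idle > self.inactive_timeout or age > self.active_timeout:
                self._export(key)

    def _age_batch(self, now, force):
        """Age up to AGE_BATCH flows, least recently seen first. With force=False the
        'accelerated timeout' is modelled as half the inactive timeout (assumption)."""
        victims = sorted(self.flows.values(), key=lambda e: e.last_seen)[:AGE_BATCH]
        for e in victims:
            if force or now - e.last_seen > self.inactive_timeout / 2:
                self._export(e.key)

    def packet(self, key, now):
        """Account one packet of flow `key` observed at time `now` (seconds)."""
        self.expire(now)
        e = self.flows.get(key)
        if e is not None:
            e.last_seen = now
            e.packets += 1
            return
        # A new flow needs a free entry: check the free flow queue first.
        free = self.free_entries()
        if free <= 1:
            self._age_batch(now, force=True)
        elif free <= FEW_FREE_FLOWS:
            self._age_batch(now, force=False)
        if self.free_entries() == 0:
            raise RuntimeError("flow cache full")
        self.flows[key] = FlowEntry(key, now, now)


if __name__ == "__main__":
    # Constructed scenario: active 1 minute, inactive 15 seconds.
    cache = FlowCache(max_entries=8, active_minutes=1, inactive_seconds=15)
    flow_a = ("10.0.0.1", "10.0.0.2", 6, 1234, 80)
    for t in (0, 10, 20):
        cache.packet(flow_a, t)
    cache.expire(36)  # idle 16 s > 15 s: exported
    print(len(cache.exported), cache.exported[0].packets)  # 1 3
```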
Related Commands
Command | Description
ip flow ingress | Enables NetFlow (ingress) accounting for traffic arriving on an interface.
ip flow egress | Enables NetFlow egress accounting for traffic that the router is forwarding.
ip flow-egress input-interface | Removes the NetFlow egress accounting flow key that specifies an output interface and adds a flow key that specifies an input interface for NetFlow egress accounting.
ip flow-cache entries | Changes the number of entries maintained in the NetFlow accounting cache.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
ip flow-capture
To enable the capture of values from Layer 2 or additional Layer 3 fields in NetFlow traffic, use the ip flow-capture command in global configuration mode. To disable capturing Layer 2 or Layer 3 fields from NetFlow traffic, use the no form of this command.
ip flow-capture {icmp | ip-id | mac-addresses | packet-length | ttl | vlan-id}
no ip flow-capture {icmp | ip-id | mac-addresses | packet-length | ttl | vlan-id}
Syntax Description
icmp | Captures the value of the ICMP type and code fields from the first ICMP datagram in a flow.
ip-id | Captures the value of the IP-ID field from the first IP datagram in a flow.
mac-addresses | Captures the values of the source MAC addresses from ingress packets and the destination MAC addresses from egress packets, from the first packet in a flow.
Note This command only applies to traffic that is received or transmitted over Ethernet interfaces.
packet-length | Captures the value of the packet length field from IP datagrams in a flow.
ttl | Captures the value of the Time-to-Live (TTL) field from IP datagrams in a flow.
vlan-id | Captures the value of the 802.1q or ISL VLAN-ID field from VLAN-encapsulated frames in a flow when the frames are received or transmitted on trunk ports.
Defaults
The ip flow-capture command is not enabled by default. You must select one of the keywords when you configure the ip flow-capture command.
Command Modes
Global configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
•ip flow-capture icmp
•ip flow-capture ip-id
•ip flow-capture packet-length
•ip flow-capture ttl
•ip flow-capture mac-addresses
•ip flow-capture vlan-id
Note You must enable NetFlow accounting on an interface or a subinterface using the ip flow {ingress | egress} command for the ip flow-capture command to take effect. You can enable NetFlow accounting before or after you have entered the ip flow-capture command in global configuration mode.
Note If you want to export the information captured by the ip flow-capture command, you must configure NetFlow export using the ip flow-export destination command, and you must configure NetFlow to use the Version 9 export format. Use the ip flow-export version 9 command to configure the NetFlow Version 9 export format.
Note The fields captured by the ip flow-capture command are currently not available in the NetFlow MIB.
ip flow-capture icmp
ICMP is used for several purposes. One of the most common is the ping command. ICMP echo requests are sent by a host to a destination to verify that the destination is reachable by IP. If the destination is reachable, it should respond by sending an ICMP echo reply. Refer to RFC 792 (http://www.ietf.org/rfc/rfc0792.txt) for more information on ICMP.
ICMP packets have been used in many types of attacks on networks. Two of the most common attacks are denial-of-service (DoS) attacks and the "ping of death" attack.
•DoS attack—Any action or actions that prevent any part of a system from functioning in accordance with its intended purpose. This includes any action that causes unauthorized delay of service. Generally, DoS attacks do not destroy data or resources, but prevent access or use. In network operations, flooding a device with ping packets when the device has not been configured to block or ignore them might effect a denial of service.
•"ping of death"—An attack that sends an improperly large ping echo request packet with the intent of overflowing the input buffers of the destination machine and causing it to crash.
Finding out the types of ICMP traffic in your network can help you decide if your network is being attacked by ICMP packets.
The ip flow-capture icmp command captures the value of the ICMP type field and the ICMP code field from the first ICMP packet detected in a flow.
ip flow-capture ip-id
It is possible for a host to receive IP datagrams from two or more senders concurrently. It is also possible for a host to receive multiple IP datagrams from the same host for different applications concurrently. For example, a server might be transferring email and HTTP traffic from the same host concurrently. When a host is receiving multiple IP datagrams concurrently it must be able to identify the fragments from each of the incoming datagrams to ensure that they do not get mixed up during the datagram reassembly process. The receiving host uses the IP header identification field and the source IP address of the IP datagram fragment to ensure that it rebuilds the IP datagrams correctly.
The ip flow-capture ip-id command captures the value of the IP header identification field from the first packet in the flow. The value in the IP header identification field is a sequence number assigned by the host that originally transmitted the IP datagram. All of the fragments of an IP datagram have the same identifier value. This ensures that the destination host can match the IP datagram to the fragment during the IP datagram reassembly process. The sending host is responsible for ensuring that each subsequent IP datagram it sends to the same destination host has a unique value for the IP header identification field.
If you are seeing several flows with the same value for the IP header identification field, it is possible that your network is being attacked by a host that is sending the same IP packets over and over.
ip flow-capture packet-length
The value in the packet length field in an IP datagram indicates the length of the IP datagram, excluding the IP header.
Use the ip flow-capture packet-length command to capture the value of the IP header packet length field for packets in the flow. The ip flow-capture packet-length command keeps track of the minimum and maximum values captured from the flow. The minimum and maximum packet length values are stored in separate fields. This data is updated when a packet with a packet length that is lower or higher than the currently stored value is received. For example if the currently stored value for the minimum packet length is 1024 bytes and the next packet received has a packet length of 512 bytes, the 1024 is replaced with 512.
If you are seeing several IP datagrams in the flow with the same value for the packet-length field, it is possible that your network is being attacked by a host that is constantly sending the same IP packets over and over.
ip flow-capture ttl
The TTL field is used to prevent the indefinite forwarding of IP datagrams. The TTL field contains a counter value set by the source host. Each router that processes this datagram decreases the TTL value by 1. When the TTL value reaches 0, the datagram is discarded.
There are two scenarios where an IP packet without a TTL field could live indefinitely in a network:
•The first scenario occurs when a host sends an IP datagram to an IP network that doesn't exist and all of the routers in the network have a gateway of last resort configured—that is, a gateway to which they forward IP datagrams for unknown destinations. Each router in the network receives the datagram and attempts to determine the best interface to use to forward it. Because the destination network is unknown, the best interface for the router to use to forward the datagram to the next hop is always the interface to which the gateway of last resort is assigned.
•The second scenario occurs when there is a mis-configuration in the network that results in a routing loop. For example, suppose that one router forwards an IP datagram to another router because it appears to be the correct next-hop router. The receiving router sends it back because it believes that the correct next-hop router is the router that it received the IP datagram from in the first place.
The ip flow-capture ttl command keeps track of the TTL values captured from packets in the flow. The minimum and maximum TTL values are stored in separate fields. This data is updated when a packet with a TTL that is lower or higher than the currently stored value is received. For example if the currently stored value for the minimum TTL is 64 and the next packet received has a TTL of 12, the 64 is replaced by 12.
If you are seeing several flows with the same value for the TTL, it is possible that your network is being attacked by a host that is constantly sending the same IP packets over and over. Under normal circumstances, flows come from many sources, each a different distance away. Therefore you should see a variety of TTLs across all the flows that NetFlow is capturing.
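The following added example (not Cisco code, and not from this reference) models how the ip-id, packet-length and ttl captures are kept per flow (first-packet value for ip-id and ICMP type/code, running minimum and maximum for packet length and TTL) and then applies the check the guidelines describe: looking for one captured value shared by many flows. The packets are constructed sample traffic, and the flow count threshold is an assumption.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    ip_id: int
    ttl: int
    length: int          # IP packet length field
    icmp_type: int = -1  # -1 means "not ICMP"
    icmp_code: int = -1

    def flow_key(self):
        return (self.src, self.dst, self.proto, self.sport, self.dport)


class FlowRecord:
    """Per-flow fields the way ip flow-capture keeps them: ip-id and ICMP type/code
    from the first packet only; packet length and TTL as running minimum and maximum."""

    def __init__(self, pkt):
        self.key = pkt.flow_key()
        self.packets = 1
        self.ip_id = pkt.ip_id
        self.icmp_type, self.icmp_code = pkt.icmp_type, pkt.icmp_code
        self.min_len = self.max_len = pkt.length
        self.min_ttl = self.max_ttl = pkt.ttl

    def update(self, pkt):
        self.packets += 1
        self.min_len = min(self.min_len, pkt.length)
        self.max_len = max(self.max_len, pkt.length)
        self.min_ttl = min(self.min_ttl, pkt.ttl)
        self.max_ttl = max(self.max_ttl, pkt.ttl)


def build_flows(packets):
    """Group packets into flows keyed by the 5-tuple."""
    flows = {}
    for pkt in packets:
        rec = flows.get(pkt.flow_key())
        if rec is None:
            flows[pkt.flow_key()] = FlowRecord(pkt)
        else:
            rec.update(pkt)
    return flows


def values_shared_by_many_flows(flows, attr, min_flows):
    """Return {value: flow_count} for each captured value of `attr` (ip_id, min_ttl,
    min_len, ...) seen in at least `min_flows` distinct flows. Normal traffic spreads
    these values out; one value across many flows is the signal the guideline names."""
    counts = Counter(getattr(rec, attr) for rec in flows.values())
    return {v: n for v, n in counts.items() if n >= min_flows}


def distinct_ttls(flows):
    """Number of different TTLs across all flows (low means little source diversity)."""
    return len({rec.min_ttl for rec in flows.values()})


# Constructed sample traffic: 12 echo-request flows from different sources that all
# carry the same IP-ID, TTL and length, plus three ordinary flows.
SAMPLE = [Packet("203.0.113.%d" % (i + 1), "192.0.2.10", 1, 0, 0, 0x1234, 64, 60, 8, 0)
          for i in range(12)]
SAMPLE += [
    Packet("198.51.100.7", "192.0.2.10", 6, 51000, 443, 31999, 117, 1024),
    Packet("198.51.100.7", "192.0.2.10", 6, 51000, 443, 32000, 117, 512),
    Packet("198.51.100.20", "192.0.2.10", 17, 40000, 53, 9, 250, 76),
    Packet("198.51.100.33", "192.0.2.10", 6, 52222, 80, 7777, 49, 1500),
]

if __name__ == "__main__":
    flows = build_flows(SAMPLE)
    print(values_shared_by_many_flows(flows, "ip_id", 10))  # {4660: 12}
    print(distinct_ttls(flows))                             # 4
```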
ip flow-capture mac-addresses
The ip flow-capture mac-addresses command captures the incoming source mac-address and the outgoing destination mac-address from the first Layer 2 frame in the flow. If you discover that your network is being attacked by Layer 3 traffic, you can use these addresses to identify the device that is transmitting the traffic that is being received by the router and the next hop or final destination device to which the router is forwarding the traffic.
Note This command only applies to traffic that is received or transmitted over Ethernet interfaces.
ip flow-capture vlan-id
A VLAN is a broadcast domain within a switched network. A broadcast domain is defined by the network boundaries within which a network propagates a broadcast frame generated by a station. Some switches can be configured to support single or multiple VLANs. Whenever a switch supports multiple VLANs, broadcasts within one VLAN never appear in another VLAN.
Each VLAN is also a separate Layer 3 network. A router or a multilayer switch must be used to interconnect the Layer 3 networks that are assigned to the VLANs. For example, in order for a device on VLAN 2 with an IP address of 172.16.0.76 to communicate with a device on VLAN 3 with an IP address of 172.17.0.34, the two devices must use a router as an intermediary device, because they are on different Class B IP networks. This is typically accomplished by connecting a switch to a router and configuring the link between them as a VLAN trunk. In order for the link to be used as a VLAN trunk, the interfaces on the router and the switch must be configured for the same VLAN encapsulation type.
Note When a router is configured to route traffic between VLANs, it is often referred to as an inter-VLAN router.
When a router or a switch needs to send traffic on a VLAN trunk, it must either tag the frames using the IEEE 802.1q protocol or encapsulate the frames using the Cisco Inter-Switch Link (ISL) protocol. The VLAN tag or encapsulation header must contain the correct VLAN ID to ensure that the device receiving the frames can process them properly. The device that receives the VLAN traffic examines the VLAN ID from each frame to find out how it should process the frame. For example, when a switch receives an IP broadcast datagram such as an Address Resolution Protocol (ARP) datagram with an 802.1q tagged VLAN ID of 6 from a router, it forwards the datagram to every interface that is assigned to VLAN 6 and any interfaces that are configured as VLAN trunks.
The ip flow-capture vlan-id command captures the VLAN ID number from the first frame in the flow it receives that has an 802.1q tag or that is encapsulated with ISL. When the received traffic in the flow is transmitted over an interface that is configured with either 802.1q or ISL trunking, the ip flow-capture vlan-id command captures the destination VLAN ID number from the 802.1q or ISL VLAN header from the first frame in the flow.
Note The ip flow-capture vlan-id command does not capture the type of VLAN encapsulation in use. The receiving and transmitting interfaces can use different VLAN protocols. If only one of the interfaces is configured as a VLAN trunk, the VLAN ID field is blank for the other interface.
Your router configuration must meet the following criteria before NetFlow can capture the value in the VLAN-ID field:
•It must have at least one LAN interface that is configured with one or more subinterfaces.
•The subinterfaces where you want to receive VLAN traffic must have either 802.1q or ISL enabled.
•The subinterfaces that are configured to receive VLAN traffic must have the ip flow ingress command configured on them.
If you discover that your network is being attacked by Layer 3 traffic, you can use the VLAN-ID information to help you find out which VLAN the device that is sending the traffic is on. The information can also help you identify the VLAN to which the router is forwarding the traffic.
Examples
•ip flow-capture icmp
•ip flow-capture ip-id
•ip flow-capture packet-length
•ip flow-capture ttl
•ip flow-capture mac-addresses
•ip flow-capture vlan-id
ip flow-capture icmp
The following example shows how to configure NetFlow to capture the value of the ICMP Type field and the value of the Code field from the IP datagrams in the flow:
Router(config)# ip flow-capture icmp
ip flow-capture ip-id
The following example shows how to configure NetFlow to capture the value of the IP-ID field from the IP datagrams in the flow:
Router(config)# ip flow-capture ip-id
ip flow-capture packet-length
The following example shows how to configure NetFlow to capture the value of the packet length field from the IP datagrams in the flow:
Router(config)# ip flow-capture packet-length
ip flow-capture ttl
The following example shows how to configure NetFlow to capture the TTL field from the IP datagrams in the flow:
Router(config)# ip flow-capture ttl
ip flow-capture mac-addresses
The following example shows how to configure NetFlow to capture the MAC addresses from the IP datagrams in the flow:
Router(config)# ip flow-capture mac-addresses
ip flow-capture vlan-id
The following example shows how to configure NetFlow to capture the VLAN ID from the frames in the flow:
Router(config)# ip flow-capture vlan-id
Related Commands
Command | Description
ip flow ingress | Enables NetFlow (ingress) accounting for traffic arriving on an interface.
ip flow egress | Enables NetFlow egress accounting for traffic that the router is forwarding.
ip flow-egress input-interface | Removes the NetFlow egress accounting flow key that specifies an output interface and adds a flow key that specifies an input interface for NetFlow egress accounting.
ip flow-cache timeout | Specifies NetFlow accounting flow cache parameters.
ip flow-cache entries | Changes the number of entries maintained in the NetFlow accounting cache.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
ip flow-egress input-interface
To remove the NetFlow egress accounting flow key that specifies an output interface and to add a flow key that specifies an input interface for NetFlow egress accounting, use the ip flow-egress input-interface command in global configuration mode. To change the flow key back from an input interface to an output interface for NetFlow egress statistics, use the no form of this command.
ip flow-egress input-interface
no ip flow-egress input-interface
Syntax Description
This command has no arguments or keywords.
Defaults
By default NetFlow egress statistics use the output interface as part of the flow key.
Command Modes
Global configuration
Command History
Release | Modification
12.3(11)T | This command was introduced.
Usage Guidelines
You must have NetFlow egress accounting configured on your router before you can use this command.
When the NetFlow Egress Support feature is configured, by default it uses the output interface as part of the flow key. The ip flow-egress input-interface command changes the key for egress flows so that the ingress interface is used instead of the output interface. This command is used to create a new flow for each input interface.
Examples
In the following example the key for NetFlow reporting of egress traffic is changed from the output interface to the input interface:
Router(config)# ip flow-egress input-interface
Related Commands
Command | Description
ip flow ingress | Enables NetFlow (ingress) accounting for traffic arriving on an interface.
ip flow egress | Enables NetFlow egress accounting for traffic that the router is forwarding.
ip flow-cache timeout | Specifies NetFlow accounting flow cache parameters.
ip flow-cache entries | Changes the number of entries maintained in the NetFlow accounting cache.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
ip flow-export
To enable the export of NetFlow accounting information in NetFlow cache entries, use the ip flow-export command in global configuration mode. To disable the export of information, use the no form of this command.
ip flow-export {destination {ip-address | hostname} udp-port | source interface-type interface-number | version {1 | {5 | 9} [origin-as | peer-as] [bgp-nexthop]} | template {refresh-rate packets | timeout-rate minutes | options {export-stats | refresh-rate packets | sampler | timeout-rate minutes}}}
no ip flow-export {destination {ip-address | hostname} udp-port | source | version | template {refresh-rate | timeout-rate | options {export-stats | refresh-rate | sampler | timeout-rate}}}
Syntax Description
destination {ip-address | hostname} udp-port | IP address or hostname of the workstation to which you want to send the NetFlow information, and the number of the UDP port on which the workstation is listening for this input.
source interface-type interface-number | (Optional) Type and number of the interface whose IP address is used as the source address of the export datagrams.
version 1 | (Optional) Specifies that the export datagram uses the Version 1 format. This is the default. The version field occupies the first 2 bytes of the export record. The number of records stored in the datagram is variable from 1 to 24 for Version 1.
version 5 | (Optional) Specifies that the export datagram uses the Version 5 format. The number of records stored in the datagram is variable between 1 and 30 for Version 5.
version 9 | (Optional) Specifies that the export datagram uses the Version 9 format.
origin-as | (Optional) Specifies that export statistics include the originating autonomous system (AS) for the source and destination.
peer-as | (Optional) Specifies that export statistics include the peer AS for the source and destination.
bgp-nexthop | (Optional) Specifies that export statistics include Border Gateway Protocol (BGP) next-hop related information.
template | Enables the refresh-rate and timeout-rate keywords for configuring Version 9 export templates.
refresh-rate packets | (Optional) Specifies the number of export datagrams that are sent before the options and flow templates are resent. You can specify from 1 to 600 packets. The default is 20 packets. Note: This applies to the ip flow-export template refresh-rate packets command.
timeout-rate minutes | (Optional) Specifies the interval (in minutes) that the router will wait after sending the templates (flow and options) before they are sent again. You can specify from 1 to 3600 minutes. The default is 30 minutes. Note: This applies to the ip flow-export template timeout-rate minutes command.
options | Enables the export-stats, refresh-rate, sampler, and timeout-rate keywords for configuring Version 9 export options.
export-stats | (Optional) Enables the export of statistics including the total number of flows exported and the total number of packets exported.
sampler | (Optional) When Version 9 export is configured, this keyword enables the export of an option containing a random-sampler configuration, including the sampler ID, sampling mode, and sampling interval for each configured random sampler. Note: You must have a flow-sampler map configured before you can configure the sampler keyword for the ip flow-export template options command.
refresh-rate packets | (Optional) Specifies the number of datagrams that are sent before the configured options records are resent. You can specify from 1 to 600 packets. The default is 20 packets. Note: This applies to the ip flow-export template options refresh-rate packets command.
timeout-rate minutes | (Optional) Specifies the interval (in minutes) that the router will wait after sending the options records before they are sent again. You can specify from 1 to 3600 minutes. The default is 30 minutes. Note: This applies to the ip flow-export template options timeout-rate minutes command.
Defaults
Export of NetFlow information is disabled. When the export of NetFlow information is enabled, the best source IP address for NetFlow datagrams is picked automatically. The NetFlow Version 1 export format is used. Neither AS nor BGP next hop information is exported. No additional templates or options are exported. When Version 9 export is enabled, templates and options are resent after every 20 export packets or after 30 minutes, whichever is sooner.
Command Modes
Global configuration
Command History
Release | Modification
11.1 CA | This command was introduced.
11.1(15)CA | The ip flow-export ip-address udp-port syntax was changed to a hidden command in preparation for deprecating it. The new syntax ip flow-export destination ip-address udp-port was added.
12.0(24)S | This command was integrated into Cisco IOS Release 12.0(24)S, and the 9 keyword was added.
12.3(1) | This command was integrated into Cisco IOS Release 12.3(1), and the bgp-nexthop keyword was added.
12.0(26)S | The bgp-nexthop and sampler keywords were added.
12.2(2)T | This command was modified to enable multiple NetFlow export destinations to be used.
12.3(13) | The ip flow-export ip-address udp-port syntax was removed from the command-line interface (CLI).
12.2(28)S | The ip flow-export ip-address udp-port syntax was removed from the CLI.
12.3(14)T | The ip flow-export ip-address udp-port syntax was removed from the CLI.
Usage Guidelines
•ip flow-export destination
•ip flow-export source
•ip flow-export version
•ip flow-export template options export-stats
•ip flow-export template options sampler
ip flow-export destination
When NetFlow accounting is enabled, you can use the ip flow-export destination command to configure the router to export the flow cache entries to a destination system (such as a system running CNS NFC Engine). NetFlow exports the flow cache entries to the destination system when the flows in the cache expire. You can use this command to supply data for applications such as statistical analysis, billing, and security.
The ip flow-export destination command can support a maximum of two destination ip-address and udp-port combinations. The most common usage of the multiple-destination feature is to send the NetFlow cache entries to two different destinations for redundancy. Therefore, in most cases the second destination IP address is not the same as the first IP address. The udp-port numbers can be the same when you are configuring two unique destination IP addresses. If you want to configure both instances of the command to use the same destination IP address, you must use unique udp-port numbers. You receive a warning message when you configure the two instances of the command with the same IP address. The warning message is %Warning: Second destination address is the same as previous address <ip-address>.
ip flow-export version
The ip flow-export version command supports three export data formats: Version 1, Version 5, and Version 9. Version 1 should be used only when it is the only NetFlow data export format version that is supported by the application that you are using to analyze the exported NetFlow data. Version 5 exports more fields than Version 1. Version 9 is the only flexible export format version.
The NetFlow bgp-nexthop command can be configured when either the Version 5 export format (ip flow-export version 5 bgp-nexthop) or the Version 9 export format (ip flow-export version 9 bgp-nexthop) is configured.
The following caveats apply to the bgp-nexthop command:
•The values for the BGP nexthop IP address are exported to a NetFlow collector only when the Version 9 export format is configured.
•In order for the BGP information to be populated in the main cache you must either have a NetFlow export destination configured or NetFlow aggregation configured.
Note The AS values for the peer-as and the origin-as keywords are captured only if you have configured an export destination with the ip flow-export destination command.
Caution Entering the ip flow-export or no ip flow-export command on the Cisco 12000 Series Internet routers and specifying any format version other than Version 1 (in other words, entering the ip flow-export or no ip flow-export command and specifying either the version 5 or version 9 keyword) causes packet forwarding to stop for a few seconds while NetFlow reloads the route processor and line card Cisco Express Forwarding (CEF) tables. To avoid interruption of service to a live network, either apply this command during a change window or include it in the startup-config file to be executed during a router reboot.
ip flow-export source
After you configure NetFlow data export, use the ip flow-export source interface command to specify the interface that NetFlow will use to obtain the source IP address for the NetFlow datagrams that it sends to destination systems, such as a system running CNS NFC Engine. This overrides the default behavior (using the IP address of the interface that the datagram is transmitted over as the source IP address for the NetFlow datagrams).
Some of the benefits of using a consistent IP source address for the datagrams that NetFlow sends are:
•The source IP address of the datagrams exported by NetFlow is used by the destination system to determine which router the NetFlow data is arriving from. If your network has two or more paths that can be used to send NetFlow datagrams from the router to the destination system and you do not specify the source interface from which the source IP address is to obtained, the router uses the IP address of the interface that the datagram is transmitted over as the source IP address of the datagram. In this situation the destination system might receive NetFlow datagrams from the same router, but with different source IP addresses. This causes the destination system to treat the NetFlow datagrams as if they were being sent from different routers unless you have configured the destination system to aggregate the NetFlow datagrams it receives from all of the possible source IP addresses in the router into a single NetFlow flow.
•If your router has multiple interfaces that can be used to transmit datagrams to the CNS NFC, and you do not configure the ip flow-export source interface command, you will have to add an entry for the IP address of each interface into any access lists that you create for permitting NetFlow traffic. It is easier to create and maintain access lists for controlling NetFlow traffic when you limit the source IP address for NetFlow datagrams to a single IP address for each router that is exporting NetFlow traffic.
•Using the IP address of a loopback interface as the source IP address for NetFlow traffic by entering the ip flow-export source interface type [number | slot/port] command (for example, ip flow-export source interface loopback 0) makes it more difficult for people who want to attack your network by spoofing the source IP address of your NetFlow-enabled routers to determine which IP address to use. This is because the IP addresses assigned to loopback interfaces are not as easy to discover as the IP addresses assigned to physical interfaces on the router. For example, it is easy to determine the IP address of a Fast Ethernet interface on a router that is connected to a LAN that has end user devices on it—you simply check the configuration of one of the devices for its IP default gateway address.
ip flow-export template options export-stats
The ip flow-export template options export-stats command enables you to export statistics for the total number of exported flows and the total number of exported packets.
Note The ip flow-export template options export-stats command requires that the NetFlow Version 9 export format be already configured on the router.
ip flow-export template options sampler
The configuring of Version 9 export enables you to export an options record containing a random-sampler configuration, including the sampler ID, sampling mode, and sampling interval for each configured random sampler.
Note The ip flow-export template options sampler command requires that the NetFlow Version 9 export format be already configured on the router.
Note The ip flow-export template options sampler option is not available for NetFlow aggregation caches. However, the options will be sent to destinations configured under the aggregation cache, if they are configured for the main cache.
NetFlow Data Export of Template Options
The ip flow-export template options refresh-rate command enables you to configure how frequently the export-stats and/or sampler options records are sent.
Note The ip flow-export template refresh-rate command specifies how frequently the options templates will be sent.
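The version and source guidelines above describe the exporter side. The following added example (not code from the Cisco documentation) shows the matching collector-side checks a practitioner would want: it parses a Version 5 export datagram using the standard Version 5 layout (24-byte header, 48-byte records, 1 to 30 records per datagram, as the Syntax Description states), rejects datagrams whose UDP source address is not one of the known exporter addresses, and uses the Version 5 flow_sequence counter to count flows lost between datagrams. The allowlist addresses 192.0.2.1 and 192.0.2.2 are constructed stand-ins for the loopback addresses you would set with ip flow-export source loopback0, and the datagrams are built by the hypothetical build_v5 helper rather than captured from a router.

```python
import ipaddress
import struct

NETFLOW_V5 = 5
MAX_V5_RECORDS = 30                       # a Version 5 datagram carries 1 to 30 records
V5_HEADER = struct.Struct("!HHIIIIBBH")   # version, count, sys_uptime, unix_secs, unix_nsecs,
                                          # flow_sequence, engine_type, engine_id, sampling_interval
# 48-byte flow record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Constructed allowlist (assumed addresses): the loopback addresses the exporting
# routers use as the source of their export datagrams.
TRUSTED_EXPORTERS = {"192.0.2.1", "192.0.2.2"}


class ExporterState:
    """Per-exporter bookkeeping: the flow_sequence the next datagram should carry."""

    def __init__(self):
        self.expected_seq = {}


def parse_v5(datagram):
    """Parse one Version 5 export datagram into (header dict, list of record dicts)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a Version 5 header")
    version, count, _uptime, secs, _nsecs, seq, _etype, eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != NETFLOW_V5:
        raise ValueError(f"unsupported export version {version}")
    if not 1 <= count <= MAX_V5_RECORDS:
        raise ValueError(f"invalid record count {count}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "nexthop": str(ipaddress.IPv4Address(f[2])),
            "input_if": f[3], "output_if": f[4],
            "packets": f[5], "bytes": f[6],
            "srcport": f[9], "dstport": f[10],
            "tcp_flags": f[12], "proto": f[13],
            "src_as": f[15], "dst_as": f[16],
        })
    header = {"sequence": seq, "count": count, "engine_id": eid,
              "sampling_interval": sampling, "unix_secs": secs}
    return header, records


def accept_datagram(state, src_ip, datagram):
    """Admit a datagram only from a trusted exporter address, then report how many
    flows were lost since that exporter's previous datagram (flow_sequence is the
    running total of flows exported, so the next expected value is sequence + count)."""
    if src_ip not in TRUSTED_EXPORTERS:
        return {"accepted": False, "reason": "untrusted exporter address", "lost": 0, "records": []}
    header, records = parse_v5(datagram)
    expected = state.expected_seq.get(src_ip)
    lost = 0 if expected is None else max(0, header["sequence"] - expected)
    state.expected_seq[src_ip] = header["sequence"] + header["count"]
    return {"accepted": True, "reason": "", "lost": lost, "records": records}


def build_v5(seq, flows, sampling_interval=0):
    """Build a constructed Version 5 datagram (test data, not a real capture).
    flows: list of (src, dst, proto, srcport, dstport, packets, bytes) tuples."""
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                       b"\0\0\0\0", 1, 2, pk, by, 0, 0, sp, dp, 0, 0, pr, 0, 0, 0, 24, 24, 0)
        for s, d, pr, sp, dp, pk, by in flows)
    return V5_HEADER.pack(NETFLOW_V5, len(flows), 0, 0, 0, seq, 0, 0, sampling_interval) + body


if __name__ == "__main__":
    state = ExporterState()
    flow = [("10.0.0.1", "10.0.0.2", 6, 40000, 80, 10, 1000)]
    print(accept_datagram(state, "192.0.2.1", build_v5(0, flow)))
    print(accept_datagram(state, "198.51.100.9", build_v5(0, flow)))   # rejected
```

The source-address check is only as strong as the transport allows (NetFlow export is plain UDP), which is why the text recommends a single, stable loopback source per router: it gives the collector and any intervening access list one address per exporter to pin, and it makes sequence-gap accounting per exporter meaningful.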
Examples
•ip flow-export destination
•ip flow-export source
•ip flow-export version
•ip flow-export template options export-stats
•ip flow-export template
ip flow-export destination
The following example shows how to configure the networking device to export the NetFlow cache entry to a single export destination system:
Router(config)# ip flow-export destination 10.42.42.1 9991
The following example shows how to configure the networking device to export the NetFlow cache entry to multiple destination systems:
Router(config)# ip flow-export destination 10.42.42.1 9991
Router(config)# ip flow-export destination 10.0.101.254 9991
The following example shows how to configure the networking device to export the NetFlow cache entry to two different UDP ports on the same destination system:
Router(config)# ip flow-export destination 10.42.42.1 9991
Router(config)# ip flow-export destination 10.42.42.1 9992
%Warning: Second destination address is the same as previous address 10.42.42.1
ip flow-export source
The following example shows how to configure NetFlow to use a loopback interface as the source interface for NetFlow traffic.
Caution The interface that you configure as the ip flow-export source interface must have an IP address configured and it must be up.
Router(config)# ip flow-export source loopback0
ip flow-export version
The following example shows how to configure the networking device to use the NetFlow Version 9 format for the exported data and how to include the originating autonomous-system (origin-as) with its corresponding next BGP hop (bgp-nexthop):
Router(config)# ip flow-export version 9 origin-as bgp-nexthop
ip flow-export template options export-stats
The following example shows how to configure NetFlow to export the statistics for the total number of exported flows and the total number of exported packets:
Router(config)# ip flow-export template options export-stats
ip flow-export template
The following example shows how to configure NetFlow to resend the Version 9 templates after every 100 export datagrams or after 60 minutes, whichever comes first:
Router(config)# ip flow-export template refresh-rate 100
Router(config)# ip flow-export template timeout-rate 60
The following example shows how to configure NetFlow so that the export statistics include the total number of flows exported and the total number of packets exported:
Router(config)# ip flow-export template options export-stats
The following example shows how to configure NetFlow to enable the export of information about NetFlow random samplers:
Router(config)# ip flow-export template options sampler
Tip You must have a flow-sampler map configured before you can configure the sampler keyword for the ip flow-export template options command.
Related Commands
Command | Description
show ip flow export | Displays the status and the statistics for NetFlow accounting data export.
ip flow ingress | Enables NetFlow (ingress) accounting for traffic arriving on an interface.
ip flow egress | Enables NetFlow egress accounting for traffic that the router is forwarding.
ip flow-egress input-interface | Removes the NetFlow egress accounting flow key that specifies an output interface and adds a flow key that specifies an input interface for NetFlow egress accounting.
ip flow-cache timeout | Specifies NetFlow accounting flow cache parameters.
ip flow-cache entries | Changes the number of entries maintained in the NetFlow accounting cache.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
ip flow-export destination
The destination keyword for the ip flow-export command is no longer documented as a separate command.
The information for using the destination keyword for the ip flow-export command has been incorporated into the ip flow-export command documentation. See the ip flow-export command documentation for more information.
ip flow-export source
The source keyword for the ip flow-export command is no longer documented as a separate command.
The information for using the source keyword for the ip flow-export command has been incorporated into the ip flow-export command documentation. See the ip flow-export command documentation for more information.
ip flow-top-talkers
To configure NetFlow top talkers to capture traffic statistics for the unaggregated top flows of the heaviest traffic patterns and most-used applications in the network, use the ip flow-top-talkers command in global configuration mode. To disable NetFlow top talkers, use the no form of this command.
ip flow-top-talkers
no ip flow-top-talkers
Tip The ip flow-top-talkers command does not appear in the configuration until you have configured the top number and sort-by [bytes | packets] commands.
Syntax Description
This command has no arguments or keywords.
Defaults
NetFlow top talkers is disabled by default.
Command Modes
Global configuration
Command History
Release | Modification
12.2(25)S | This command was introduced.
12.3(11)T | This feature was integrated into Cisco IOS Release 12.3(11)T.
12.2(27)SBC | This command was integrated into Cisco IOS Release 12.2(27)SBC.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
Enabling NetFlow
You must enable NetFlow on at least one interface in the router and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands. Optionally, the match command can be configured to specify additional matching criteria.
Cache Timeout
The timeout period as specified by the cache-timeout command does not start until the show ip flow top-talkers command is entered. From that time, the same top talkers are displayed until the timeout period expires. To recalculate a new list of top talkers before the timeout period expires, you can change the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkers command.
A long timeout period for the cache-timeout command limits the system resources that are used by the NetFlow top talkers feature. However, the list of top talkers is calculated only once during the timeout period. If a request to display the top talkers is made more than once during the timeout period, the same results are displayed for each request, and the list of top talkers is not recalculated until the timeout period expires.
A short timeout period ensures that the latest list of top talkers is retrieved; however too short a period can have undesired effects:
•The list of top talkers is lost when the timeout period expires. You should configure a timeout period for at least as long as it takes the network management system (NMS) to retrieve all the required NetFlow top talkers.
•The list of top talkers is updated every time the top talkers information is requested, possibly causing unnecessary usage of system resources.
A good method to ensure that the latest information is displayed, while also conserving system resources, is to configure a large value for the timeout period, but cause the list of top talkers to be recalculated by changing the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkers command to display the top talkers. Changing the parameters of the cache-timeout, top, or sort-by command causes the list of top talkers to be recalculated upon receipt of the next command line interface (CLI) or MIB request.
Use the show ip flow top-talkers command to display the list of unaggregated top flows.
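The cache-timeout rules above are easy to misread, so here is an added example (not code from the Cisco documentation) that models them: the ranked list is computed when it is first requested, the timeout period starts at that request, repeated requests inside the period return the same list, and changing top, sort-by or cache-timeout forces a recalculation on the next request. The flow records, the optional match predicate and the injectable clock are all constructed for the example; the four sample flows are modelled on the show ip flow top-talkers output in this section but are not a capture.

```python
import time


class TopTalkers:
    """Ranked list of the heaviest unaggregated flows, recomputed only when the
    cache timeout has expired or when top / sort-by / cache-timeout has changed."""

    def __init__(self, flows_source, top=4, sort_by="bytes", cache_timeout=30.0,
                 match=None, clock=time.monotonic):
        if sort_by not in ("bytes", "packets"):
            raise ValueError("sort-by must be 'bytes' or 'packets'")
        self._source = flows_source      # callable returning the current flow records
        self._match = match              # optional predicate, like the match command
        self._clock = clock              # injectable so the timeout can be tested offline
        self.top, self.sort_by, self.cache_timeout = top, sort_by, cache_timeout
        self._params = (top, sort_by, cache_timeout)
        self._cached, self._expires = None, 0.0
        self.recalculations = 0          # how often the list was actually rebuilt

    def configure(self, **changes):
        """Change top, sort_by or cache_timeout; the next show() recalculates."""
        for key, value in changes.items():
            if key not in ("top", "sort_by", "cache_timeout"):
                raise ValueError(f"unknown parameter {key}")
            setattr(self, key, value)

    def show(self):
        """Equivalent of show ip flow top-talkers: returns the cached list unless it expired
        or the parameters changed since it was built."""
        now = self._clock()
        params = (self.top, self.sort_by, self.cache_timeout)
        if self._cached is None or now >= self._expires or params != self._params:
            flows = [f for f in self._source() if self._match is None or self._match(f)]
            self._cached = sorted(flows, key=lambda f: f[self.sort_by], reverse=True)[: self.top]
            self._expires = now + self.cache_timeout   # timeout starts at this request
            self._params = params
            self.recalculations += 1
        return self._cached


class FakeClock:
    """Manually advanced clock so the timeout behaviour can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


# Constructed flow records (modelled on the show ip flow top-talkers output above).
SAMPLE_FLOWS = [
    {"src_if": "Et0/0.1", "src": "10.10.18.1", "dst": "172.16.10.232", "proto": 17, "packets": 900, "bytes": 349000},
    {"src_if": "Et0/0.1", "src": "10.10.19.1", "dst": "172.16.10.2", "proto": 17, "packets": 1200, "bytes": 340000},
    {"src_if": "Et0/0.1", "src": "172.30.216.196", "dst": "172.16.10.2", "proto": 6, "packets": 300, "bytes": 328000},
    {"src_if": "Et0/0.1", "src": "10.162.37.71", "dst": "172.16.10.2", "proto": 6, "packets": 2000, "bytes": 303000},
]

if __name__ == "__main__":
    clock = FakeClock()
    tt = TopTalkers(lambda: SAMPLE_FLOWS, top=2, sort_by="bytes", cache_timeout=30.0, clock=clock)
    print([f["src"] for f in tt.show()])          # ranked by bytes
    tt.configure(sort_by="packets")
    print([f["src"] for f in tt.show()])          # recalculated immediately, ranked by packets
```

The design point the text makes is visible in recalculations: a long cache-timeout keeps that counter low, and the only way to refresh the list early is to change a parameter, which is exactly what the recommended operating practice does.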
Examples
In the following example, a maximum of four top talkers is configured. The sort criterion is configured to sort the list of top talkers by the total number of bytes for each Top Talker.
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 4
Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top-talkers command with the configuration from the previous example:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K
4 of 4 top talkers shown. 11 flows processed
Related Commands
Command | Description
cache-timeout | Specifies the length of time for which the list of top talkers (heaviest traffic patterns and most-used applications in the network) for the NetFlow MIB and top talkers feature is retained.
match (NetFlow) | Specifies match criteria for the NetFlow MIB and top talkers (heaviest traffic patterns and most-used applications in the network) feature.
show ip flow top-talkers | Displays the statistics for the top talkers (heaviest traffic patterns and most-used applications in the network).
sort-by | Specifies the sorting criterion for top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and top talkers feature.
top | Specifies the maximum number of top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and top talkers feature.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
ip multicast netflow
To configure multicast NetFlow accounting on an interface, use the ip multicast netflow command in interface configuration mode. To disable multicast NetFlow accounting, use the no form of this command.
ip multicast netflow {ingress | egress}
no ip multicast netflow {ingress | egress}
Syntax Description
ingress | Enables multicast NetFlow (ingress) accounting.
egress | Enables multicast NetFlow (egress) accounting.
Defaults
Multicast ingress NetFlow accounting is enabled.
Multicast egress NetFlow accounting is disabled.
Command Modes
Interface configuration
Command History
Release | Modification
12.3(1) | This command was introduced.
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
ip multicast netflow ingress
NetFlow (ingress) accounting for multicast traffic is enabled by default. The ip multicast netflow ingress command does not appear in the configuration.
ip multicast netflow egress
You must enable multicast egress NetFlow accounting on all interfaces for which you want to count outgoing multicast streams.
Examples
The following example shows how to enable multicast ingress NetFlow accounting on the ingress Ethernet 1/0 interface:
Router(config)# interface ethernet 1/0
Router(config-if)# ip multicast netflow ingress
The following example shows how to enable multicast egress NetFlow accounting on the egress Ethernet interface 0/0:
Router(config)# interface ethernet 0/0
Router(config-if)# ip multicast netflow egress
Related Commands
Command | Description
show ip mroute | Displays the contents of the IP multicast routing (mroute) table.
ip multicast netflow rpf-failure | Enables accounting for multicast data that fails the reverse path forwarding (RPF) check.
show ip cache flow | Displays a summary of the NetFlow statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
ip multicast netflow egress
The egress keyword for the ip multicast netflow command is no longer documented as a separate command.
The information for using the egress keyword for the ip multicast netflow command has been incorporated into the ip multicast netflow command documentation. See the ip multicast netflow command documentation for more information.
ip multicast netflow ingress
The ingress keyword for the ip multicast netflow command is no longer documented as a separate command.
The information for using the ingress keyword for the ip multicast netflow command has been incorporated into the ip multicast netflow command documentation. See the ip multicast netflow command documentation for more information.
ip multicast netflow rpf-failure
To enable NetFlow accounting for multicast data that fails the reverse path forwarding (RPF) check (meaning any IP packets that lack a verifiable IP source address), use the ip multicast netflow rpf-failure command in global configuration mode. To disable accounting for multicast data that fails the RPF check, use the no form of this command.
ip multicast netflow rpf-failure
no ip multicast netflow rpf-failure
Syntax Description
This command has no arguments or keywords.
Defaults
Accounting for multicast data that fails the RPF check is disabled.
Command Modes
Global configuration
Command History
Release | Modification
12.3(1) | This command was introduced.
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Examples
The following example shows how to enable accounting for multicast data that fails the RPF check:
Router# configure terminal
Router(config)# ip multicast netflow rpf-failure
Related Commands
Command | Description
ip multicast netflow | Configures multicast NetFlow accounting on an interface.
show ip mroute | Displays the contents of the IP multicast routing (mroute) table.
show ip rpf | Displays how IP multicast routing does Reverse Path Forwarding (RPF).
show ip rpf events | Displays the last 15 triggered multicast Reverse Path Forwarding (RPF) check events.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays NetFlow accounting configuration for interfaces.
ip route-cache flow
To enable NetFlow (ingress) accounting for traffic arriving on an interface, use the ip route-cache flow command in interface configuration mode. To disable NetFlow (ingress) accounting for traffic arriving on an interface, use the no form of this command in interface configuration mode.
ip route-cache flow
no ip route-cache flow
Syntax Description
This command has no arguments or keywords.
Defaults
This command is not enabled by default.
Command Modes
Interface configuration
Subinterface configuration
Command History
Release | Modification
11.1 | This command was introduced.
Usage Guidelines
Use this command on an interface or subinterface to enable NetFlow (ingress) accounting for traffic that is being received by the router.
Examples
The following example shows how to configure NetFlow (ingress) accounting on Ethernet interface 0/0 using the ip route-cache flow command:
Router(config)# interface Ethernet0/0
Router(config-if)# ip route-cache flow
Related Commands
Command
|
Description
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
ip flow ingress
|
Enables NetFlow (ingress) accounting for traffic arriving on an interface.
|
mask (IPv4)
To specify the source or destination prefix mask for a NetFlow accounting prefix aggregation cache, use the mask command in aggregation cache configuration mode. To disable the source or destination mask, use the no form of this command.
mask {destination | source} minimum value
no mask {destination | source} minimum value
Syntax Description
destination
|
Specifies the destination mask for a NetFlow accounting aggregation cache.
|
source
|
Specifies the source mask for a NetFlow accounting aggregation cache.
|
minimum
|
Configures the minimum value for the mask.
|
value
|
Specifies the value for the mask. Range is from 1 to 32.
|
Defaults
The default value of the minimum source or destination mask is 0.
Command Modes
NetFlow aggregation cache configuration
Command History
Release
|
Modification
|
12.1(2)T
|
This command was introduced.
|
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
The NetFlow accounting minimum prefix mask allows you to set a minimum mask size for the traffic that will be added to the NetFlow aggregation cache. The source or destination IP address (depending on the type of aggregation cache that you are configuring) is ANDed with the larger of the two masks (the mask that you enter with the mask command and the mask in the IP routing table) to determine if the traffic should be added to the aggregation cache that you are configuring.
To enable the minimum prefix mask for a particular aggregation cache, configure the desired minimum mask value using the NetFlow aggregation cache commands. The minimum mask value, in the range 1 to 32, defines the granularity of the NetFlow data that is collected:
•For coarse NetFlow collection granularity, select a low minimum mask value.
•For fine NetFlow collection granularity, select a high minimum mask value.
Specifying the minimum value for the source or destination mask of a NetFlow accounting aggregation cache is permitted only for the following NetFlow aggregation cache types:
•Destination prefix aggregation (destination mask only)
•Destination prefix TOS aggregation (destination mask only)
•Prefix aggregation (source and destination mask)
•Prefix-port aggregation (source and destination mask)
•Prefix-TOS aggregation (source and destination mask)
•Source prefix aggregation (source mask only)
•Source prefix TOS aggregation (source mask only)
Examples
•mask source
•mask destination
mask source
The following example shows how to configure the source-prefix aggregation cache:
Router(config)# ip flow-aggregation cache source-prefix
Router(config-flow-cache)# enable
The following output from the show ip cache flow aggregation source-prefix command shows that, with no minimum mask configured, nine flows are included in the NetFlow source prefix aggregation cache:
Router# show ip cache flow aggregation source-prefix
IP Flow Switching Cache, 278544 bytes
9 active, 4087 inactive, 18 added
950 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
9 active, 1015 inactive, 18 added, 18 added to flow
0 alloc failures, 0 force free
Src If Src Prefix Msk AS Flows Pkts B/Pk Active
Et0/0.1 10.10.10.0 /24 0 4 668 762 179.9
Et0/0.1 10.10.10.0 /24 0 4 668 762 180.8
Et0/0.1 10.10.11.0 /24 0 4 668 1115 180.9
Et0/0.1 10.10.11.0 /24 0 4 668 1115 181.9
Et0/0.1 10.1.0.0 /16 0 4 668 1140 179.9
Et0/0.1 10.1.0.0 /16 0 4 668 1140 179.9
Et0/0.1 172.16.6.0 /24 0 1 6 52 138.4
Et0/0.1 172.16.1.0 /24 0 8 1338 1140 182.1
Et0/0.1 172.16.1.0 /24 0 8 1339 1140 181.0
The following example shows how to configure the source-prefix aggregation cache using a minimum source mask of 8:
Router(config)# ip flow-aggregation cache source-prefix
Router(config-flow-cache)# mask source minimum 8
Router(config-flow-cache)# enable
The following output from the show ip cache flow aggregation source-prefix command shows that with a minimum mask of 8 configured, only five flows from the same traffic used in the previous example are included in the NetFlow source prefix aggregation cache:
Router# show ip cache flow aggregation source-prefix
IP Flow Switching Cache, 278544 bytes
5 active, 4091 inactive, 41 added
3021 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
5 active, 1019 inactive, 59 added, 59 added to flow
0 alloc failures, 0 force free
Minimum source mask is configured to /8
Src If Src Prefix Msk AS Flows Pkts B/Pk Active
Et0/0.1 10.0.0.0 /8 0 12 681 1007 64.8
Et0/0.1 172.16.6.0 /24 0 1 3 52 56.1
Et0/0.1 10.0.0.0 /8 0 12 683 1006 64.8
Et0/0.1 172.16.1.0 /24 0 8 450 1140 61.8
Et0/0.1 172.16.1.0 /24 0 8 448 1140 61.5
mask destination
The following example shows how to configure the destination-prefix aggregation cache:
Router(config)# ip flow-aggregation cache destination-prefix
Router(config-flow-cache)# enable
The following output from the show ip cache flow aggregation destination-prefix command shows that, with no minimum mask configured, only two flows are included in the NetFlow destination prefix aggregation cache:
Router# show ip cache flow aggregation destination-prefix
IP Flow Switching Cache, 278544 bytes
3 active, 4093 inactive, 3 added
4841 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
3 active, 1021 inactive, 9 added, 9 added to flow
0 alloc failures, 0 force free
Dst If Dst Prefix Msk AS Flows Pkts B/Pk Active
Et1/0.1 172.16.10.0 /24 0 120 6737 1059 371.0
Et1/0.1 172.16.10.0 /24 0 120 6739 1059 370.9
The following example shows how to configure the destination-prefix aggregation cache using a minimum destination mask of 32 (a destination-prefix cache accepts only the destination mask):
Router(config)# ip flow-aggregation cache destination-prefix
Router(config-flow-cache)# mask destination minimum 32
Router(config-flow-cache)# enable
The following output from the show ip cache flow aggregation destination-prefix command shows that, with a minimum destination mask of 32 configured, 20 flows from the same traffic used in the previous example are included in the NetFlow destination prefix aggregation cache, one entry per destination host:
Router# show ip cache flow aggregation destination-prefix
IP Flow Switching Cache, 278544 bytes
20 active, 4076 inactive, 23 added
4984 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
20 active, 1004 inactive, 29 added, 29 added to flow
0 alloc failures, 0 force free
Minimum destination mask is configured to /32
Dst If Dst Prefix Msk AS Flows Pkts B/Pk Active
Et1/0.1 172.16.10.12 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.12 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.14 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.9 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.11 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.10 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.11 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.10 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.5 /32 0 1 56 1040 59.5
Et1/0.1 172.16.10.4 /32 0 1 56 940 59.5
Et1/0.1 172.16.10.4 /32 0 1 56 940 59.5
Et1/0.1 172.16.10.7 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.7 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.1 /32 0 1 56 628 59.5
Et1/0.1 172.16.10.2 /32 0 1 56 640 59.5
Et1/0.1 172.16.10.17 /32 0 1 56 1140 59.5
Et1/0.1 172.16.10.17 /32 0 1 56 1140 59.5
Et1/0.1 172.16.10.18 /32 0 1 56 1140 59.5
Et1/0.1 172.16.10.19 /32 0 1 56 1140 59.5
Et1/0.1 172.16.10.18 /32 0 1 56 1140 59.5
Related Commands
Command
|
Description
|
cache
|
Defines operational parameters for NetFlow accounting aggregation caches.
|
enabled (aggregation cache)
|
Enables a NetFlow accounting aggregation cache.
|
export destination (aggregation cache)
|
Enables the exporting of NetFlow accounting information from NetFlow aggregation caches.
|
ip flow-aggregation cache
|
Enables NetFlow accounting aggregation cache schemes.
|
show ip cache flow aggregation
|
Displays the NetFlow accounting aggregation cache statistics.
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip flow interface
|
Displays NetFlow accounting configuration for interfaces.
|
mask destination
The destination keyword for the mask command is no longer documented as a separate command.
The information for using the destination keyword for the mask command has been incorporated into the mask (IPv4) command documentation. See the mask (IPv4) command documentation for more information.
mask source
The source keyword for the mask command is no longer documented as a separate command.
The information for using the source keyword for the mask command has been incorporated into the mask (IPv4) command documentation. See the mask (IPv4) command documentation for more information.
match (NetFlow)
To specify match criteria for the NetFlow top talkers (unaggregated top flows), use the match command in NetFlow top talkers configuration mode. To remove match criteria for NetFlow top talkers, use the no form of this command.
match {byte-range {max-byte-number min-byte-number | max max-byte-number | min min-byte-number} |
class-map map-name | destination {address ip-address [mask | /nn] | as as-number |
port {max-port-number min-port-number | max max-port-number | min min-port-number}} |
direction {ingress | egress} | flow-sampler flow-sampler-name |
input-interface interface-type interface-number | nexthop-address ip-address [mask | /nn] |
output-interface interface-type interface-number | packet-range {max-packets min-packets |
max max-packets | min min-packets} | protocol {protocol-number | udp | tcp} |
source {address ip-address [mask | /nn] | as as-number |
port {max-port-number min-port-number | max max-port-number | min min-port-number}} |
tos {tos-value | dscp dscp-value | precedence precedence-value}}
no match {byte-range | class-map | destination {address | as | port} | direction | flow-sampler |
input-interface | nexthop-address | output-interface | packet-range | protocol |
source {address | as | port} | tos}
Syntax Description
byte-range
|
The match criterion is based on the size in bytes of the IP datagrams in the flows.
|
max-byte-number min-byte-number
|
Range of sizes for IP datagrams to be matched, in bytes. Range: 1-4294967295.
|
max max-byte-number
|
Maximum size for IP datagrams to be matched, in bytes. Range: 1-4294967295.
|
min min-byte-number
|
Minimum size for IP datagrams to be matched, in bytes. Range: 1-4294967295.
|
class-map
|
The match criterion is based on a class map.
|
map-name
|
Name of the class map to be matched.
|
destination address
|
The match criterion is based on the destination IP address.
|
ip-address
|
The destination IP address to be matched.
|
mask
|
Address mask, in dotted decimal format.
|
/nn
|
Address mask as entered in classless interdomain routing (CIDR) format. An address mask of 255.255.255.0 is equivalent to a /24 mask in CIDR format.
|
destination as
|
The match criterion is based on the destination autonomous system.
|
as-number
|
Autonomous system number to be matched.
|
destination port
|
The match criterion is based on the destination port.
|
max-port-number min-port-number
|
Range of port numbers for IP datagrams to be matched. Range: 0-65535.
|
max max-port-number
|
Maximum port number for IP datagrams to be matched. Range: 0-65535.
|
min min-port-number
|
Minimum port number for IP datagrams to be matched. Range: 0-65535.
|
direction
|
Direction of the flow to be matched.
|
ingress
|
The match criterion is based on ingress flows.
|
egress
|
The match criterion is based on egress flows.
|
flow-sampler
|
The match criterion is based on Top Talker sampling.
|
flow-sampler-name
|
Name of the Top Talker sampler to be matched.
|
input-interface
|
The match criterion is based on the input interface.
|
interface-type interface-number
|
The input interface to be matched.
|
nexthop-address
|
The match criterion is based on the next-hop IP address.
|
ip-address
|
The next-hop IP address to be matched.
|
mask
|
Address mask, in dotted decimal format.
|
/nn
|
Address mask as entered in classless interdomain routing (CIDR) format. An address mask of 255.255.255.0 is equivalent to a /24 mask in CIDR format.
|
output-interface
|
The match criterion is based on the output interface.
|
interface-type interface-number
|
The output interface to be matched.
|
packet-range
|
The match criterion is based on the number of IP datagrams in the flows.
|
max-packets min-packets
|
Range of number of packets in the flows to be matched. Range: 1-4294967295.
|
max max-packets
|
Maximum number of packets in the flows to be matched. Range: 1-4294967295.
|
min min-packets
|
Minimum number of packets in the flows to be matched. Range: 1-4294967295.
|
protocol
|
The match criterion is based on protocol.
|
protocol-number
|
Protocol number to be matched. Range: 0 to 255.
|
tcp
|
Protocol number to be matched as TCP.
|
udp
|
Protocol number to be matched as UDP.
|
source address
|
The match criterion is based on the source IP address.
|
ip-address
|
The source IP address to be matched.
|
mask
|
Address mask, in dotted decimal format.
|
/nn
|
Address mask as entered in classless interdomain routing (CIDR) format. An address mask of 255.255.255.0 is equivalent to a /24 mask in CIDR format.
|
source as
|
The match criterion is based on the source autonomous system.
|
as-number
|
Autonomous system number to be matched.
|
source port
|
The match criterion is based on the source port.
|
max-port-number min-port-number
|
Range of port numbers for IP datagrams to be matched. Range: 0-65535.
|
max max-port-number
|
Maximum port number for IP datagrams to be matched. Range: 0-65535.
|
min min-port-number
|
Minimum port number for IP datagrams to be matched. Range: 0-65535.
|
tos
|
The match criterion is based on type of service (ToS).
|
tos-value
|
ToS to be matched.
|
dscp dscp-value
|
Differentiated services code point (DSCP) value to be matched.
|
precedence precedence-value
|
Precedence value to be matched.
|
Defaults
No matching criteria are specified by default. All top talkers are displayed.
Command Modes
NetFlow top talkers configuration
Command History
Release
|
Modification
|
12.2(25)S
|
This command was introduced.
|
12.3(11)T
|
This command was integrated into Cisco IOS Release 12.3(11)T. The direction, ingress, and egress keywords were added.
|
12.2(27)SBC
|
This command was integrated into Cisco IOS Release 12.2(27)SBC.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
Usage Guidelines
Configuring NetFlow top talkers
You must enable NetFlow on at least one interface on the router and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands.
Specifying Match Criteria
Use this command to specify match criteria for NetFlow top talkers. Match criteria restrict the list of top talkers to the flows that satisfy every criterion you configure.
If you use the NetFlow MIB and Simple Network Management Protocol (SNMP) to configure this feature, refer to Table 5 for the mapping of command-line interface (CLI) commands to MIB objects:
Table 5 Router CLI Commands and Equivalent SNMP Commands
Router CLI Command
|
SNMP Command
|
match source address [ip-address] [mask | /nn]
|
cnfTopFlowsMatchSrcAddress ip-address
cnfTopFlowsMatchSrcAddressType type
cnfTopFlowsMatchSrcAddressMask mask
|
match destination address [ip-address] [mask | /nn]
|
cnfTopFlowsMatchDstAddress ip-address
cnfTopFlowsMatchDstAddressType type
cnfTopFlowsMatchDstAddressMask mask
|
match nexthop-address ip-address [mask | /nn]
|
cnfTopFlowsMatchNhAddress ip-address
cnfTopFlowsMatchNhAddressType type
cnfTopFlowsMatchNhAddressMask mask
|
match source port min port
|
cnfTopFlowsMatchSrcPortLo port
|
match source port max port
|
cnfTopFlowsMatchSrcPortHi port
|
match destination port min port
|
cnfTopFlowsMatchDstPortLo port
|
match destination port max port
|
cnfTopFlowsMatchDstPortHi port
|
match source as as-number
|
cnfTopFlowsMatchSrcAS as-number
|
match destination as as-number
|
cnfTopFlowsMatchDstAS as-number
|
match input-interface interface
|
cnfTopFlowsMatchInputIf interface
|
match output-interface interface
|
cnfTopFlowsMatchOutputIf interface
|
match tos [tos-value | dscp dscp-value | precedence precedence-value]
|
cnfTopFlowsMatchTOSByte tos-value
|
match protocol [protocol-number | tcp | udp]
|
cnfTopFlowsMatchProtocol protocol-number
|
match flow-sampler flow-sampler-name
|
cnfTopFlowsMatchSampler flow-sampler-name
|
match class-map class
|
cnfTopFlowsMatchClass class
|
match packet-range min minimum-range
|
cnfTopFlowsMatchMinPackets minimum-range
|
match packet-range max maximum-range
|
cnfTopFlowsMatchMaxPackets maximum-range
|
match byte-range min minimum-range
|
cnfTopFlowsMatchMinBytes minimum-range
|
match byte-range max maximum-range
|
cnfTopFlowsMatchMaxBytes maximum-range
|
match direction {ingress | egress}
|
cnfTopFlowsMatchDirection [flowDirNone(0) | flowDirIngress(1) | flowDirEgress(2)]
|
Examples
The following example shows how you enter NetFlow top talkers configuration mode and specify that the top talkers are to contain the following characteristics:
•The list of top talkers will have a source IP address that begins with 10.10.0.0 and a subnet mask of 255.255.0.0 (/16).
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# match source address 10.10.0.0/16
Router(config-flow-top-talkers)# top 4
Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top-talkers command when the configuration from the previous example is used:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et2/0 10.10.11.3 Et1/0.1 172.16.10.7 06 0041 0041 30K
Et0/0.1 10.10.11.4 Et1/0.1 172.16.10.8 06 0041 0041 30K
Et3/0 10.10.11.2 Et1/0.1 172.16.10.6 06 0041 0041 29K
Et3/0 10.10.18.1 Null 172.16.11.5 11 00A1 00A1 28K
4 of 4 top talkers shown. 10 of 27 flows matched
The following example shows how you enter NetFlow top talkers configuration mode and specify that the top talkers are to contain the following characteristics:
•The list of top talkers will have a source IP address that begins with 10.10.0.0 and subnet mask of 255.255.0.0 (/16).
•The list of top talkers will have a destination IP address that begins with 172.16.11.0 and a subnet mask of 255.255.255.0 (/24).
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# match source address 10.10.0.0/16
Router(config-flow-top-talkers)# match destination address 172.16.11.0/24
Router(config-flow-top-talkers)# top 4
Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top-talkers command when the configuration from the previous example is used:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et3/0 10.10.18.1 Null 172.16.11.5 11 00A1 00A1 67K
Et3/0 10.10.19.1 Null 172.16.11.6 11 00A2 00A2 67K
2 of 4 top talkers shown. 2 of 30 flows matched
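The two examples above apply one or two address match criteria, then sort-by bytes and top 4, and report how many flows matched. The following Python model is added here as an illustration and is not part of the Cisco documentation. It runs the same pipeline over a constructed flow table; the Flow records, interface names and counters are made up to resemble the show ip flow top-talkers output (that output prints ports in hex, the model keeps integers), and the address argument parsing follows the [mask | /nn] description in the syntax table.

```python
"""Added example, not part of the Cisco documentation: the match / sort-by /
top pipeline of NetFlow top talkers applied to a constructed flow table.

The Flow records below are made up to resemble the show ip flow top-talkers
output in this section.  parse_address_match() implements the [mask | /nn]
argument as the syntax description states it: dotted-decimal mask or CIDR.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, List, Optional, Tuple

TCP, UDP = 6, 17          # IP protocol numbers accepted by `match protocol`


@dataclass(frozen=True)
class Flow:
    src_if: str
    src: str
    dst_if: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    bytes: int


# Constructed flow table (not captured data); the first five echo the page.
FLOWS = [
    Flow("Et2/0",   "10.10.11.3", "Et1/0.1", "172.16.10.7",  TCP, 0x41,  0x41, 27,  30_000),
    Flow("Et0/0.1", "10.10.11.4", "Et1/0.1", "172.16.10.8",  TCP, 0x41,  0x41, 27,  30_000),
    Flow("Et3/0",   "10.10.11.2", "Et1/0.1", "172.16.10.6",  TCP, 0x41,  0x41, 26,  29_000),
    Flow("Et3/0",   "10.10.18.1", "Null",    "172.16.11.5",  UDP, 0xA1,  0xA1, 540, 28_000),
    Flow("Et3/0",   "10.10.19.1", "Null",    "172.16.11.6",  UDP, 0xA2,  0xA2, 520, 27_000),
    Flow("Et0/0.1", "10.1.1.2",   "Et1/0.1", "172.16.10.10", TCP, 0x41,  0x41, 2,   2_280),
    Flow("Et0/0.1", "192.0.2.9",  "Et1/0.1", "172.16.11.5",  TCP, 40000, 22,   1,   60),
]


def parse_address_match(ip: str, mask: Optional[str] = None) -> IPv4Network:
    """Prefix for `match {source | destination} address ip-address [mask | /nn]`.
    No mask means a host match; otherwise accept '255.255.0.0' or '/16'."""
    suffix = "32" if mask is None else mask.lstrip("/")
    return IPv4Network(f"{ip}/{suffix}", strict=False)


@dataclass
class TopTalkers:
    """One `ip flow-top-talkers` configuration: every match predicate must
    hold (criteria are ANDed), then sort-by and top trim the result."""
    top: int = 10
    sort_by: str = "bytes"                        # 'bytes' or 'packets'
    criteria: List[Callable[[Flow], bool]] = field(default_factory=list)

    def match_source_address(self, ip, mask=None):
        net = parse_address_match(ip, mask)
        self.criteria.append(lambda f: IPv4Address(f.src) in net)
        return self

    def match_destination_address(self, ip, mask=None):
        net = parse_address_match(ip, mask)
        self.criteria.append(lambda f: IPv4Address(f.dst) in net)
        return self

    def match_protocol(self, proto: int):
        self.criteria.append(lambda f: f.proto == proto)
        return self

    def match_destination_port(self, lo: int = 0, hi: int = 65535):
        """`match destination port min lo` / `max hi`, both inclusive."""
        self.criteria.append(lambda f: lo <= f.dport <= hi)
        return self

    def match_packet_range(self, lo: int = 1, hi: int = 2**32 - 1):
        self.criteria.append(lambda f: lo <= f.packets <= hi)
        return self

    def run(self, flows: List[Flow]) -> Tuple[List[Flow], int, int]:
        """Return (flows shown, flows matched, flows in the cache)."""
        matched = [f for f in flows if all(c(f) for c in self.criteria)]
        key = (lambda f: f.bytes) if self.sort_by == "bytes" else (lambda f: f.packets)
        shown = sorted(matched, key=key, reverse=True)[: self.top]   # stable sort
        return shown, len(matched), len(flows)

    def summary(self, flows: List[Flow]) -> str:
        """The trailer line that show ip flow top-talkers prints."""
        shown, matched, total = self.run(flows)
        return f"{len(shown)} of {self.top} top talkers shown. {matched} of {total} flows matched"


if __name__ == "__main__":
    cfg = TopTalkers(top=4, sort_by="bytes").match_source_address("10.10.0.0", "/16")
    for f in cfg.run(FLOWS)[0]:
        print(f"{f.src_if:<8}{f.src:<14}{f.dst_if:<8}{f.dst:<14}{f.proto:02X} "
              f"{f.sport:04X} {f.dport:04X} {f.bytes // 1000}K")
    print(cfg.summary(FLOWS))
```

Combining match destination port with sort-by packets, as the last configuration in the accompanying checks does, is the same mechanism an operator uses to surface the sources hammering one service port, and the trailer line tells you how much of the cache the criteria excluded.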
Related Commands
Command
|
Description
|
cache-timeout
|
Specifies the length of time for which the list of top talkers (heaviest traffic patterns and most-used applications in the network) for the NetFlow MIB and top talkers feature is retained.
|
ip flow-top-talkers
|
Enters the configuration mode for the NetFlow MIB and top talkers (heaviest traffic patterns and most-used applications in the network) feature.
|
show ip flow top-talkers
|
Displays the statistics for the top talkers (heaviest traffic patterns and most-used applications in the network).
|
sort-by
|
Specifies the sorting criterion for top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and top talkers feature.
|
top
|
Specifies the maximum number of top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and top talkers feature.
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip flow interface
|
Displays NetFlow accounting configuration for interfaces.
|
mode (flow sampler configuration)
To specify a packet interval for random sampled NetFlow accounting and enable the flow sampler map, use the mode command in NetFlow flow sampler configuration mode.
mode random one-out-of packet-interval
Syntax Description
random
|
Specifies that sampling uses the random mode.
|
one-out-of packet-interval
|
Specifies the packet interval (one out of every n packets) from which to sample. For n, you can specify from 1 to 65535 packets.
|
Defaults
The random sampling mode and packet sampling interval are undefined.
Command Modes
NetFlow flow sampler configuration
Command History
Release
|
Modification
|
12.3(2)T
|
This command was introduced.
|
12.0(26)S
|
This command was integrated into Cisco IOS Release 12.0(26)S.
|
Usage Guidelines
The mode random one-out-of command has no no form. To disable random sampled NetFlow accounting and its packet interval, remove the flow sampler map that you enabled with the mode random one-out-of command.
To change the value that you entered for the packet-interval argument, repeat the mode random one-out-of packet-interval command with the new value.
Random sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface, or subinterface. In order to run random sampled NetFlow accounting, you must first disable (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling.
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Tip If you disable CEF or dCEF globally using the no ip cef [distributed] command, the flow-sampler sampler-map-name command is removed from any interfaces that you previously configured for random sampled NetFlow accounting. You must reenter the flow-sampler sampler-map-name command after you reenable CEF or dCEF to reactivate random sampled NetFlow accounting.
Tip If your router is running Cisco IOS Release 12.2(14)S or a later release, or Cisco IOS Release 12.2(15)T or a later release, NetFlow accounting might have been enabled with the ip flow ingress command instead of the ip route-cache flow command. If so, you must disable NetFlow accounting with the no ip flow ingress command before you apply a random sampler map to the interface; otherwise the full, unsampled traffic continues to be accounted.
Examples
The following example shows how to create and enable a random sampler map for random sampled (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:
Router(config)# flow-sampler-map my-map
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# interface ethernet 0/0
Router(config-if)# no ip route-cache flow
Router(config-if)# ip route-cache cef
Router(config-if)# flow-sampler my-map
The following example shows how to create and enable a random sampler map for random sampled egress NetFlow accounting with CEF switching on Ethernet interface 1/0:
Router(config)# flow-sampler-map my-map
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# interface ethernet 1/0
Router(config-if)# no ip flow egress
Router(config-if)# ip route-cache cef
Router(config-if)# flow-sampler my-map egress
The following output from the show flow-sampler command verifies that random sampled NetFlow accounting is active:
Router# show flow-sampler
Sampler : my-map, id : 1, packets matched : 7, mode : random sampling mode
sampling interval is : 100
Related Commands
Command
|
Description
|
flow-sampler
|
Applies a flow sampler map for random sampled NetFlow accounting to an interface.
|
flow-sampler-map
|
Defines a flow sampler map for random sampled NetFlow accounting.
|
netflow-sampler
|
Enables NetFlow accounting with input filter sampling.
|
show flow-sampler
|
Displays the status of random sampled NetFlow (including mode, packet interval, and number of packets matched for each flow sampler).
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip flow interface
|
Displays NetFlow accounting configuration for interfaces.
|
netflow-sampler
To enable NetFlow accounting with input filter sampling, use the netflow-sampler command in QoS policy-map class configuration mode. To disable NetFlow accounting with input filter sampling, use the no form of this command.
netflow-sampler sampler-map-name
no netflow-sampler sampler-map-name
Syntax Description
sampler-map-name
|
Name of the NetFlow sampler map to apply to the class.
|
Defaults
NetFlow accounting with input filter sampling is disabled.
Command Modes
QoS policy-map class configuration
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
Usage Guidelines
NetFlow accounting with input filter sampling cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or random sampled NetFlow on the same interface, or subinterface. In order to run NetFlow accounting with input filter sampling, you must first disable (ingress) NetFlow accounting, egress NetFlow accounting, or random sampled NetFlow.
You can assign only one NetFlow input filter sampler to a class. Assigning another NetFlow input filter sampler to a class overwrites the previous one.
Samplers, also known as filters, are based on classes, but they are enabled on interfaces. You assign a NetFlow input filter sampler to a class by using the netflow-sampler command in QoS policy-map class configuration mode. You then use the service-policy command to attach the policy map that you defined to one or more interfaces.
Tip If your router is running Cisco IOS Release 12.2(14)S or a later release, or Cisco IOS Release 12.2(15)T or a later release, NetFlow accounting might have been enabled with the ip flow ingress command instead of the ip route-cache flow command. If so, you must disable NetFlow accounting with the no ip flow ingress command before you attach the service policy that applies the input filter sampler to the interface; otherwise the full, unsampled traffic continues to be accounted.
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Examples
The following example shows how to enable NetFlow accounting with input filter sampling for one class of traffic (traffic with 10 as the first octet of the IP source address):
Router(config)# flow-sampler-map network-10
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# exit
Router(config)# class-map match-any network-10
Router(config-cmap)# match access-group 100
Router(config-cmap)# exit
Router(config)# policy-map network-10
Router(config-pmap)# class network-10
Router(config-pmap-c)# netflow-sampler network-10
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface Ethernet0/0
Router(config-if)# no ip route-cache flow
Router(config-if)# ip route-cache cef
Router(config-if)# interface ethernet 0/0.1
Router(config-subif)# service-policy input network-10
Router(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 any
The following output from the show flow-sampler command verifies that the NetFlow accounting with input filter sampling is active:
Router# show flow-sampler
Sampler : network-10, id : 1, packets matched : 546, mode : random sampling mode
sampling interval is : 100
The following output from the show ip cache verbose flow command shows that the combination of the access-list 100 permit ip 10.0.0.0 0.255.255.255 any command and the match access-group 100 command has filtered out any traffic in which the source IP address does not have 10 as the first octet:
Router# show ip cache verbose flow
IP packet size distribution (116 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .155 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .258 .586 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
7 active, 4089 inactive, 66 added
3768 ager polls, 0 flow alloc failures
Active flows timeout in 1 minutes
Inactive flows timeout in 120 seconds
IP Sub Flow Cache, 21640 bytes
6 active, 1018 inactive, 130 added, 62 added to flow
0 alloc failures, 0 force free
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 6 0.0 1 940 0.0 8.8 51.6
TCP-FTP 5 0.0 1 640 0.0 6.9 53.4
TCP-SMTP 2 0.0 3 1040 0.0 41.7 18.5
TCP-other 36 0.0 1 1105 0.0 18.8 41.5
UDP-other 6 0.0 3 52 0.0 54.8 5.5
ICMP 4 0.0 1 628 0.0 11.3 48.8
Total: 59 0.0 1 853 0.1 20.7 39.6
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et0/0.1 10.10.10.3 Et1/0.1 172.16.10.3 06 80 00 1
0016 /0 0 0016 /0 0 0.0.0.0 840 0.0
Et0/0.1 10.10.10.3 Et1/0.1* 172.16.10.3 06 80 00 1
0016 /0 0 0016 /0 0 0.0.0.0 840 0.0
Sampler: 1 Class: 1 FFlags: 01
Et0/0.1 10.10.11.3 Et1/0.1 172.16.10.7 06 80 00 1
0041 /0 0 0041 /0 0 0.0.0.0 1140 0.0
Et0/0.1 10.10.11.1 Et1/0.1 172.16.10.5 06 80 00 3
0019 /0 0 0019 /0 0 0.0.0.0 1040 36.7
Et0/0.1 10.10.11.1 Et1/0.1* 172.16.10.5 06 80 00 1
0019 /0 0 0019 /0 0 0.0.0.0 1040 0.0
Sampler: 1 Class: 1 FFlags: 01
Et0/0.1 10.1.1.2 Et1/0.1 172.16.10.10 06 80 00 2
0041 /0 0 0041 /0 0 0.0.0.0 1140 37.8
Et0/0.1 10.10.10.1 Et1/0.1 172.16.10.1 01 80 10 1
0000 /0 0 0000 /0 0 0.0.0.0 628 0.0
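The mode random one-out-of 100 examples in the previous section and the class-filtered configuration above rely on the same sampling behaviour: of every 100 packets that reach the sampler, one chosen at random is accounted, and with netflow-sampler only packets that match the class reach the sampler at all. The following Python model is added here as an illustration and is not part of the Cisco documentation. It assumes Cisco's description of random sampling as one random pick per interval of N packets, implements the wildcard-mask semantics of access-list 100, and runs over a constructed packet stream (the addresses and packet counts are made up); the seen_probability estimate treats packets as independent draws, which is an approximation.

```python
"""Added example, not part of the Cisco documentation: a model of
`mode random one-out-of N` sampling and of the class-based input filter
that the netflow-sampler command layers on top of it.

Assumptions: random sampling takes one packet, chosen at random, out of
every interval of N packets (seeded RNG so runs repeat); the packet stream
is constructed, not captured; wildcard_match reproduces the semantics of
`access-list 100 permit ip 10.0.0.0 0.255.255.255 any`.
"""
import random
from collections import Counter


def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS ACL semantics: wildcard bit 1 = don't care, 0 = must match."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return ip_to_int(addr) & care == ip_to_int(base) & care


class OneOutOfSampler:
    """`mode random one-out-of N`: one randomly chosen packet is accounted
    from each interval of N packets that reach the sampler."""

    def __init__(self, interval: int, seed: int = 0):
        if not 1 <= interval <= 65535:
            raise ValueError("packet-interval must be 1..65535")
        self.interval = interval
        self._rng = random.Random(seed)
        self._pos = 0                                  # offset in the interval
        self._pick = self._rng.randrange(interval)     # offset that gets sampled
        self.packets_matched = 0                       # show flow-sampler counter

    def offer(self) -> bool:
        """Account for one arriving packet; True if it is the sampled one."""
        chosen = self._pos == self._pick
        self._pos += 1
        if self._pos == self.interval:                 # start the next interval
            self._pos = 0
            self._pick = self._rng.randrange(self.interval)
        if chosen:
            self.packets_matched += 1
        return chosen


def make_packets(flows, seed: int = 1):
    """Constructed stream: flows is {(src, dst): (packet count, bytes/packet)}.
    Packets of all flows are shuffled together, as on a real link."""
    pkts = [(src, dst, bpp) for (src, dst), (n, bpp) in flows.items() for _ in range(n)]
    random.Random(seed).shuffle(pkts)
    return pkts


def account(packets, sampler, class_filter=None):
    """Per-flow sampled byte counts.  With class_filter set, packets outside
    the class never reach the sampler, as with netflow-sampler in a class."""
    cache = Counter()
    for src, dst, bpp in packets:
        if class_filter is not None and not class_filter(src):
            continue
        if sampler.offer():
            cache[(src, dst)] += bpp
    return cache


def scaled_estimate(cache, interval: int):
    """Collector-side correction: sampled bytes times N estimates real bytes."""
    return {flow: b * interval for flow, b in cache.items()}


def seen_probability(packets_in_flow: int, interval: int) -> float:
    """Approximate chance that a k-packet flow appears at all under 1-in-N
    sampling (packets treated as independent draws with probability 1/N)."""
    return 1 - (1 - 1 / interval) ** packets_in_flow


# Constructed traffic: a bulk transfer, a chatty small-packet flow, a single
# probe packet, and a flow whose source is outside the 10.0.0.0/8 class.
TRAFFIC = {
    ("10.10.11.3", "172.16.10.7"):  (20_000, 1140),
    ("10.1.1.2", "172.16.10.10"):   (3_000, 60),
    ("10.10.10.1", "172.16.10.1"):  (1, 628),
    ("192.168.5.5", "172.16.10.3"): (5_000, 840),
}


def in_class(src: str) -> bool:
    """class-map network-10 / access-list 100: first octet must be 10."""
    return wildcard_match(src, "10.0.0.0", "0.255.255.255")


if __name__ == "__main__":
    sampler = OneOutOfSampler(100)
    sampled = account(make_packets(TRAFFIC), sampler, in_class)
    print(f"packets matched : {sampler.packets_matched}")
    for flow, est in scaled_estimate(sampled, 100).items():
        real = TRAFFIC[flow][0] * TRAFFIC[flow][1]
        print(f"{flow[0]:<13} -> {flow[1]:<14} est {est:>9} real {real:>9}")
    print(f"1-packet flow seen with p={seen_probability(1, 100):.2f}")
```

The numbers make the operational caveat concrete: the collector-side estimate (sampled bytes times N) lands close to the real volume for the bulk transfer, while the single-packet probe is seen with probability 1/N. Sampled NetFlow is a traffic-engineering view, not a complete record; where detection depends on low-volume flows, keep unsampled ingress NetFlow on that interface, which, as the usage guidelines state, cannot run concurrently with a sampler.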
Related Commands
Command
|
Description
|
flow-sampler
|
Applies a flow sampler map for random sampled NetFlow accounting to an interface.
|
flow-sampler-map
|
Defines a flow sampler map for random sampled NetFlow accounting.
|
mode (flow sampler configuration)
|
Specifies a packet interval for NetFlow accounting random sampling mode and enables the flow sampler map.
|
class-map
|
Creates a class map to be used for matching packets to a specified class.
|
policy-map
|
Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy
|
service-policy
|
Attaches a policy map to an input interface or virtual circuit (VC).
|
show flow-sampler
|
Displays the status of random sampled NetFlow (including mode, packet interval, and number of packets matched for each flow sampler).
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip flow interface
|
Displays NetFlow accounting configuration for interfaces.
|
show flow-sampler
To display the status and statistics for random sampled NetFlow (including mode, packet interval, and number of packets matched for each flow sampler), use the show flow-sampler command in user EXEC or privileged EXEC mode.
show flow-sampler [sampler-map-name]
Syntax Description
sampler-map-name
|
(Optional) Name of a flow sampler map.
|
Command Modes
User EXEC
Privileged EXEC
Command History
Release
|
Modification
|
12.3(2)T
|
This command was introduced.
|
12.0(26)S
|
This command was integrated into Cisco IOS Release 12.0(26)S.
|
Examples
The following is sample output from the show flow-sampler command for all flow samplers:
Router> show flow-sampler
Sampler : mysampler1, id : 1, packets matched : 10, mode : random sampling mode
sampling interval is : 100
Sampler : myflowsampler2, id : 2, packets matched : 5, mode : random sampling mode
sampling interval is : 200
The following is sample output from the show flow-sampler command for a flow sampler named mysampler1:
Router> show flow-sampler mysampler1
Sampler : mysampler1, id : 1, packets matched : 0, mode : random sampling mode
sampling interval is : 100
Table 6 describes the fields shown in the displays.
Table 6 show flow-sampler Field Descriptions
Field
|
Description
|
Sampler
|
Name of the flow sampler
|
id
|
Unique ID of the flow sampler
|
packets matched
|
Number of packets matched for the flow sampler
|
mode
|
Flow sampling mode
|
sampling interval is
|
Flow sampling interval (in packets)
|
Related Commands
Command
|
Description
|
flow-sampler
|
Applies a flow sampler map for random sampled NetFlow accounting to an interface.
|
flow-sampler-map
|
Defines a flow sampler map for random sampled NetFlow accounting.
|
mode (flow sampler configuration)
|
Specifies a packet interval for NetFlow accounting random sampling mode.
|
netflow-sampler
|
Enables NetFlow accounting with input filter sampling.
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip flow interface
|
Displays NetFlow accounting configuration for interfaces.
|
show ip cache flow
To display a summary of the NetFlow accounting statistics, use the show ip cache flow command in user EXEC or privileged EXEC mode.
show ip cache [prefix mask] [type number] flow
Syntax Description
prefix mask
|
(Optional) Displays only the entries in the cache that match the prefix and mask combination.
|
type number
|
(Optional) Displays only the entries in the cache that match the interface type and number combination.
|
Command Modes
User EXEC
Privileged EXEC
Command History
Release
|
Modification
|
11.1
|
This command was introduced.
|
11.1CA
|
The information display for the command was updated.
|
12.3(4)T, 12.3(6), 12.2(20)S
|
The execute-on command was implemented on the Cisco 7500 platforms to include the remote execution of the show ip cache flow command.
|
12.3(11)T
|
Support for egress flow accounting was added, and the [prefix mask] and [type number] arguments were removed.
|
Usage Guidelines
Some of the content in the display of the show ip cache flow command uses multiline headings and multiline data fields. Figure 1 uses an example of the output from the show ip cache verbose flow command to show how to associate the headings with the correct data fields when there are two or more lines of headings and two or more lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields, and so on.
When other features such as IP Multicast are configured, the number of lines in the headings and data fields increases. The method for associating the headings with the correct data fields remains the same.
Figure 1 How to Use the Multiline Headings and Multiline Data Fields in the Display Output of the show ip cache verbose flow Command
Displaying Detailed NetFlow Cache Information on Platforms Running Distributed Cisco Express Forwarding
On platforms running Distributed Cisco Express Forwarding (dCEF), NetFlow cache information is maintained on each line card or Versatile Interface Processor. To display this information on a distributed platform using the show ip cache flow command, you must enter the command at a line card prompt.
Cisco 7500 Series Platform
To display NetFlow cache information using the show ip cache flow command on a Cisco 7500 series router that is running dCEF, enter the following sequence of commands:
Router# if-con slot-number
LC-slot-number# show ip cache flow
For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display NetFlow cache information:
Router# execute-on slot-number show ip cache flow
Cisco 12000 Series Platform
To display NetFlow cache information using the show ip cache flow command on a Cisco 12000 Series Internet Router, enter the following sequence of commands:
Router# attach slot-number
LC-slot-number# show ip cache flow
For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display NetFlow cache information:
Router# execute-on slot-number show ip cache flow
Examples
The following is a sample display of a main cache using the show ip cache flow command:
Router# show ip cache flow
IP packet size distribution (44027 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.119 .800 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .039 .000 .039 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
51 active, 4045 inactive, 173 added
84752 ager polls, 0 flow alloc failures
Active flows timeout in 3 minutes
Inactive flows timeout in 60 seconds
IP Sub Flow Cache, 25800 bytes
153 active, 871 inactive, 451 added, 173 added to flow
0 alloc failures, 0 force free
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-FTP 8 0.0 871 40 3.4 1394.5 0.4
TCP-FTPD 8 0.0 872 40 3.4 1394.9 0.1
TCP-WWW 4 0.0 871 40 1.7 1393.3 1.1
TCP-SMTP 4 0.0 871 40 1.7 1393.3 1.4
TCP-other 16 0.0 871 40 6.8 1393.3 1.1
UDP-other 72 0.0 1 53 0.0 0.0 15.4
ICMP 10 0.0 871 427 4.3 1394.6 0.3
Total: 122 0.0 357 117 21.6 571.3 9.4
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Et0/0.1 192.168.67.6 Et1/0.1* 172.16.10.200 01 0000 0C01 7
Et0/0.1 192.168.67.6 Et1/0.1 172.16.10.200 01 0000 0C01 7
Et0/0.1 172.16.6.1 Null 224.0.0.9 11 0208 0208 1
Et0/0.1 10.234.53.1 Et1/0.1* 172.16.10.2 01 0000 0800 7
Et0/0.1 10.234.53.1 Et1/0.1 172.16.10.2 01 0000 0800 7
Et0/0.1 192.168.87.200 Et1/0.1 172.16.10.2 06 0015 0015 7
Et0/0.1 192.168.87.200 Et1/0.1 172.16.10.2 06 0014 0014 7
Et0/0.1 192.168.87.200 Et1/0.1* 172.16.10.2 06 0015 0015 7
Et0/0.1 192.168.87.200 Et1/0.1* 172.16.10.2 06 0014 0014 7
Et0/0.1 10.251.10.1 Et1/0.1 172.16.10.2 01 0000 0000 8
Et0/0.1 10.251.10.1 Et1/0.1* 172.16.10.2 01 0000 0000 8
Et0/0.1 172.30.231.193 Et1/0.1 172.16.10.2 01 0000 0C01 7
Et0/0.1 172.30.231.193 Et1/0.1* 172.16.10.2 01 0000 0C01 7
Et0/0.1 10.10.11.4 Et1/0.1* 172.16.10.8 06 00DC 00DC 8
Note The asterisk (*) immediately following the "DstIf" field indicates that the flow being shown is an egress flow.
Table 7 describes the significant fields shown in the flow switching cache lines of the display.
Table 7 show ip cache flow Field Descriptions in Flow Switching Cache Display
Field
|
Description
|
bytes
|
Number of bytes of memory used by the NetFlow cache.
|
active
|
Number of active flows in the NetFlow cache at the time this command was entered.
|
inactive
|
Number of flow buffers that are allocated in the NetFlow cache but that were not assigned to a specific flow at the time this command was entered.
|
added
|
Number of flows created since the start of the summary period.
|
ager polls
|
Number of times the NetFlow code looked at the cache to cause entries to expire (used by Cisco for diagnostics only).
|
flow alloc failures
|
Number of times the NetFlow code tried to allocate a flow but could not.
|
last clearing of statistics
|
Standard time output (hh:mm:ss) since the clear ip flow stats privileged EXEC command was executed. This time output changes to hours and days after the time exceeds 24 hours.
|
Table 8 describes the significant fields shown in the activity by protocol lines of the display.
Table 8 show ip cache flow Field Descriptions in Activity by Protocol Display
Field
|
Description
|
Protocol
|
IP protocol and the well-known port number. (Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.)
Note Only a small subset of all protocols is displayed.
|
Total Flows
|
Number of flows in the cache for this protocol since the last time the statistics were cleared.
|
Flows/Sec
|
Average number of flows for this protocol per second; equal to the total flows divided by the number of seconds for this summary period.
|
Packets/Flow
|
Average number of packets for the flows for this protocol; equal to the total packets for this protocol divided by the number of flows for this protocol for this summary period.
|
Bytes/Pkt
|
Average number of bytes for the packets for this protocol; equal to the total bytes for this protocol divided by the total number of packets for this protocol for this summary period.
|
Packets/Sec
|
Average number of packets for this protocol per second; equal to the total packets for this protocol divided by the total number of seconds for this summary period.
|
Active(Sec)/Flow
|
Number of seconds from the first packet to the last packet of an expired flow divided by the number of total flows for this protocol for this summary period.
|
Idle(Sec)/Flow
|
Number of seconds observed from the last packet in each nonexpired flow for this protocol until the time at which the show ip cache verbose flow command was entered divided by the total number of flows for this protocol for this summary period.
|
Table 9 describes the significant fields in the NetFlow record lines of the display.
Table 9 show ip cache flow Field Descriptions in NetFlow Record Display
Field
|
Description
|
SrcIf
|
Interface on which the packet was received.
|
Port Msk AS
|
Source Border Gateway Protocol (BGP) autonomous system. This is always set to 0 in MPLS flows.
|
SrcIPaddress
|
IP address of the device that transmitted the packet.
|
DstIf
|
Interface from which the packet was transmitted.
Note If an asterisk (*) immediately follows the DstIf field, the flow being shown is an egress flow.
|
Port Msk AS
|
Destination BGP autonomous system. This is always set to 0 in MPLS flows.
|
DstIPaddress
|
IP address of the destination device.
|
NextHop
|
Specifies the BGP next-hop address. This is always set to 0 in MPLS flows.
|
Pr
|
IP protocol well-known port number as described in RFC 1340, displayed in hexadecimal format.
|
B/Pk
|
Average number of bytes observed for the packets seen for this protocol (total bytes for this protocol or the total number of flows for this protocol for this summary period).
|
Flgs
|
TCP flags (result of bitwise OR of TCP flags from all packets in the flow).
|
Active
|
The time in seconds that this flow has been active at the time this command was entered.
|
Pkts
|
Number of packets switched through this flow.
|
Related Commands
Command
|
Description
|
clear ip flow stats
|
Clears the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip flow interface
|
Displays NetFlow accounting configuration for interfaces.
|
show ip interface
|
Displays the usability status of interfaces configured for IP.
|
show ip cache flow aggregation
To display the NetFlow accounting aggregation cache statistics, use the show ip cache flow aggregation command in user EXEC or privileged EXEC mode.
show ip cache [prefix mask] [type number] [verbose] flow aggregation {as | as-tos | bgp-nexthop-tos | destination-prefix | destination-prefix-tos | prefix | prefix-port | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos}
Syntax Description
prefix mask
|
(Optional) Displays only the entries in the cache that match the prefix and mask combination.
|
type number
|
(Optional) Displays only the entries in the cache that match the interface type and number combination.
|
verbose
|
(Optional) Displays additional information from the aggregation cache.
|
as
|
Displays the configuration of the autonomous system aggregation cache scheme.
|
as-tos
|
Displays the configuration of the autonomous system type of service (ToS) aggregation cache scheme.
|
bgp-nexthop-tos
|
Displays the BGP next hop and ToS aggregation cache scheme.
|
destination-prefix
|
Displays the configuration of the destination prefix aggregation cache scheme.
|
destination-prefix-tos
|
Displays the configuration of the destination prefix ToS aggregation cache scheme.
|
prefix
|
Displays the configuration of the prefix aggregation cache scheme.
|
prefix-port
|
Displays the configuration of the prefix port aggregation cache scheme.
|
prefix-tos
|
Displays the configuration of the prefix ToS aggregation cache scheme.
|
protocol-port
|
Displays the configuration of the protocol port aggregation cache scheme.
|
protocol-port-tos
|
Displays the configuration of the protocol port ToS aggregation cache scheme.
|
source-prefix
|
Displays the configuration of the source prefix aggregation cache scheme.
|
source-prefix-tos
|
Displays the configuration of the source prefix ToS aggregation cache scheme.
|
Command Modes
User EXEC
Privileged EXEC
Command History
Release
|
Modification
|
12.0(3)T
|
This command was introduced.
|
12.0(15)S
|
This command was modified to include new show output for ToS aggregation schemes.
|
12.2(14)S
|
This command was integrated into Cisco IOS Release 12.2(14)S.
|
12.3(1)
|
The bgp-nexthop-tos keyword was added.
|
Usage Guidelines
Some of the content in the display of the show ip cache flow aggregation command uses multiline headings and multiline data fields. Figure 2 uses an example of the output from the show ip cache verbose flow command to show how to associate the headings with the correct data fields when there are two or more lines of headings and two or more lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields, and so on.
When other features such as IP Multicast are configured, the number of lines in the headings and data fields increases. The method for associating the headings with the correct data fields remains the same.
Figure 2 How to Use the Multiline Headings and Multiline Data Fields in the Display Output of the show ip cache verbose flow Command
Examples
The following is a sample display of an autonomous system aggregation cache with the show ip cache flow aggregation as command:
Router# show ip cache flow aggregation as
IP Flow Switching Cache, 278544 bytes
2 active, 4094 inactive, 13 added
178 ager polls, 0 flow alloc failures
Src If Src AS Dst If Dst AS Flows Pkts B/Pk Active
Fa1/0 0 Null 0 1 2 49 10.2
Fa1/0 0 Se2/0 20 1 5 100 0.0
The following is a sample display of an autonomous system aggregation cache for the prefix mask 10.0.0.1 255.0.0.0 with the show ip cache flow aggregation as command:
Router# show ip cache 10.0.0.1 255.0.0.0 flow aggregation as
IP Flow Switching Cache, 278544 bytes
2 active, 4094 inactive, 13 added
178 ager polls, 0 flow alloc failures
Src If Src AS Dst If Dst AS Flows Pkts B/Pk Active
e1/2 0 Null 0 1 2 49 10.2
e1/2 0 e1/2 20 1 5 100 0.0
The following is a sample display of an autonomous system aggregation cache for 10.0.0.1 255.0.0.0 Ethernet1/2 with the show ip cache verbose flow aggregation as command:
Router# show ip cache 10.0.0.1 255.0.0.0 e1/2 verbose flow aggregation as
IP Flow Switching Cache, 278544 bytes
2 active, 4094 inactive, 13 added
178 ager polls, 0 flow alloc failures
Src If Src AS Dst If Dst AS Flows Pkts B/Pk Active
e1/2 0 Null 0 1 2 49 10.2
e1/2 0 e1/2 20 1 5 100 0.0
The following is a sample display of an autonomous system ToS aggregation cache with the show ip cache verbose flow aggregation as-tos command:
Router# show ip cache verbose flow aggregation as-tos
IP Flow Switching Cache, 278544 bytes
4 active, 4092 inactive, 103 added
1609 ager polls, 0 flow alloc failures
Src If Src AS Dst If Dst AS TOS Flows Pkts B/Pk Active
Et1/2 50 Fd4/0 40 CC 1 3568 28 17.8
Et1/2 0 Fd4/0 40 C0 15 17K 28 17.8
Et1/1 50 Fd4/0 40 55 1 3748 28 17.8
Fd4/0 0 Null 0 C0 1 2 49 0.9
The following is a sample display of a protocol port ToS aggregation cache with the show ip cache verbose flow aggregation protocol-port-tos command:
Router# show ip cache verbose flow aggregation protocol-port-tos
IP Flow Switching Cache, 278544 bytes
4 active, 4092 inactive, 102 added
1584 ager polls, 0 flow alloc failures
Prot Src If SrcPort Dst If DstPort TOS Flows Pkts B/Pk Active
0x01 Et1/2 0000 Fd4/0 0000 C0 15 17K 28 17.8
0x01 Et1/2 0000 Fd4/0 0000 CC 1 3568 28 17.8
0x01 Et1/1 0000 Fd4/0 0000 55 1 3748 28 17.8
0x06 Fd4/0 00B3 Null 2AF9 C0 1 2 49 0.9
The following is a sample display of a source prefix ToS aggregation cache with the show ip cache verbose flow aggregation source-prefix-tos command:
Router# show ip cache verbose flow aggregation source-prefix-tos
IP Flow Switching Cache, 278544 bytes
4 active, 4092 inactive, 105 added
1683 ager polls, 0 flow alloc failures
Src If Src Prefix Msk AS TOS Flows Pkts B/Pk Active
Et1/1 52.0.0.0 /8 50 55 1 3748 28 17.8
Et1/2 52.0.0.0 /8 50 CC 1 3568 28 17.8
Et1/2 0.0.0.0 /0 0 C0 15 17K 28 17.8
Fd4/0 20.20.20.1 /32 0 C0 1 2 49 0.9
The following is a sample display of a destination prefix ToS aggregation cache with the show ip cache verbose flow aggregation destination-prefix-tos command:
Router# show ip cache verbose flow aggregation destination-prefix-tos
IP Flow Switching Cache, 278544 bytes
4 active, 4092 inactive, 86 added
1480 ager polls, 0 flow alloc failures
Dst If Dst Prefix Msk AS TOS Flows Pkts B/Pk Active
Local 31.31.31.1 /32 0 C0 1 2 49 0.9
Fd4/0 42.0.0.0 /8 40 55 1 3748 28 17.8
Fd4/0 42.0.0.0 /8 40 CC 1 3568 28 17.8
Fd4/0 42.0.0.0 /8 40 C0 15 17K 28 17.8
The following is a sample display of a prefix ToS aggregation cache with the show ip cache verbose flow aggregation prefix-tos command:
Router# show ip cache verbose flow aggregation prefix-tos
IP Flow Switching Cache, 278544 bytes
4 active, 4092 inactive, 4 added
14 ager polls, 0 flow alloc failures
Src If Src Prefix Dst If Dst Prefix TOS Flows Pkts
Msk AS Msk AS B/Pk Active
Et1/2 0.0.0.0 Fd4/0 42.0.0.0 C0 15 3933
Et1/1 52.0.0.0 Fd4/0 42.0.0.0 55 1 826
Et1/2 52.0.0.0 Fd4/0 42.0.0.0 CC 1 787
The following is a sample display of a prefix port aggregation cache with the show ip cache verbose flow aggregation prefix-port command:
Router# show ip cache verbose flow aggregation prefix-port
IP Flow Switching Cache, 278544 bytes
4 active, 4092 inactive, 105 added
1679 ager polls, 0 flow alloc failures
Src If Src Prefix Dst If Dst Prefix TOS Flows Pkts
Port Msk Port Msk Pr B/Pk Active
Fd4/0 20.20.20.1 Local 31.31.31.1 C0 1 2
00B3 /32 2AF9 /32 06 49 0.9
Et1/2 0.0.0.0 Fd4/0 42.0.0.0 C0 15 17K
0000 /0 0000 /8 01 28 17.8
Et1/1 52.0.0.0 Fd4/0 42.0.0.0 55 1 3748
0000 /8 0000 /8 01 28 17.8
Et1/2 52.0.0.0 Fd4/0 42.0.0.0 CC 1 3568
0000 /8 0000 /8 01 28 17.8
Table 10 describes the significant fields shown in the output of the show ip cache verbose flow aggregation command.
Table 10 Field Descriptions for the show ip cache verbose flow aggregation command
Field
|
Description
|
bytes
|
Number of bytes of memory used by the NetFlow cache.
|
active
|
Number of active flows in the NetFlow cache at the time this command was entered.
|
inactive
|
Number of flow buffers that are allocated in the NetFlow cache, but are not currently assigned to a specific flow at the time this command is entered.
|
added
|
Number of flows created since the start of the summary period.
|
ager polls
|
Number of times the NetFlow code looked at the cache to cause entries to expire (used by Cisco for diagnostics only).
|
flow alloc failures
|
Number of times the NetFlow code tried to allocate a flow but could not.
|
Src If
|
Specifies the source interface.
|
Src AS
|
Specifies the source autonomous system.
|
Dst If
|
Specifies the destination interface.
|
Dst AS
|
Specifies the destination autonomous system.
|
Flows
|
Number of flows.
|
Pkts
|
Number of packets.
|
B/Pk
|
Average number of bytes observed for the packets seen for this protocol (total bytes for this protocol or the total number of flows for this protocol for this summary period).
|
Active
|
The time in seconds that this flow has been active at the time this command was entered.
|
Related Commands
Command
|
Description
|
cache
|
Defines operational parameters for NetFlow accounting aggregation caches.
|
enabled (aggregation cache)
|
Enables a NetFlow accounting aggregation cache.
|
export destination (aggregation cache)
|
Enables the exporting of NetFlow accounting information from NetFlow aggregation caches.
|
ip flow-aggregation cache
|
Enables NetFlow accounting aggregation cache schemes.
|
mask (IPv4)
|
Specifies the source or destination prefix mask for a NetFlow accounting prefix aggregation cache.
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip flow interface
|
Displays NetFlow accounting configuration for interfaces.
|
show ip cache verbose flow
To display a detailed summary of the NetFlow accounting statistics, use the show ip cache verbose flow command in user EXEC or privileged EXEC mode.
show ip cache [prefix mask] [type number] verbose flow
Syntax Description
prefix mask
|
(Optional) Displays only the entries in the cache that match the prefix and mask combination.
|
type number
|
(Optional) Displays only the entries in the cache that match the interface type and number combination.
|
Command Modes
User EXEC
Privileged EXEC
Command History
Release
|
Modification
|
11.1
|
This command was introduced.
|
11.1CA
|
The information display for the command was updated.
|
12.3(1)
|
The command output was updated to display additional NetFlow fields.
|
12.0(24)S
|
MPLS flow records were added to the command output.
|
12.3(4)T, 12.3(6), 12.2(20)S
|
The execute-on command was modified on the Cisco 7500 platforms to include the remote execution of the show ip cache verbose flow command.
|
12.3(8)T
|
MPLS flow records were added to the command output for Cisco IOS Release 12.3(8)T.
|
12.3(11)T
|
Support for egress flow accounting was added, and the [prefix mask] and [type number] arguments were removed.
|
12.3(14)T
|
Support for NetFlow Layer 2 and Security Monitoring Exports was added.
|
Usage Guidelines
Use the show ip cache verbose flow command to display flow record fields in the NetFlow cache in addition to the fields that are displayed with the show ip cache flow command. The values in the additional fields that are shown depend on the NetFlow features that are enabled and the flags that are set in the flow.
Note The flags, and therefore the fields, might vary from flow to flow.
Some of the content in the display of the show ip cache verbose flow command uses multiline headings and multiline data fields. Figure 3 uses an example of the output from the show ip cache verbose flow command to show how to associate the headings with the correct data fields when there are two or more lines of headings and two or more lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields, and so on.
When other features such as IP Multicast are configured, the number of lines in the headings and data fields increases. The method for associating the headings with the correct data fields remains the same.
Figure 3 How to Use the Multiline Headings and Multiline Data Fields in the Display Output from the show ip cache verbose flow Command
NetFlow Multicast Support
When the NetFlow Multicast Support feature is enabled, the show ip cache verbose flow command displays the number of replicated packets and the packet byte count for NetFlow multicast accounting. When you configure the NetFlow Version 9 Export Format feature, this command displays additional NetFlow fields in the header.
MPLS-aware NetFlow
When you configure the MPLS-aware NetFlow feature, you can use the show ip cache verbose flow command to display both the IP and MPLS portions of MPLS flows in the NetFlow cache on a router line card. To display only the IP portion of the flow record in the NetFlow cache when MPLS-aware NetFlow is configured, use the show ip cache flow command.
NetFlow BGP Nexthop
The NetFlow bgp-nexthop command can be configured when either the Version 5 export format or the Version 9 export format is configured. The following caveats apply to the bgp-nexthop command:
•The values for the BGP nexthop IP address are exported to a NetFlow collector only when the Version 9 export format is configured.
•In order for the BGP information to be populated in the main cache you must either have a NetFlow export destination configured or NetFlow aggregation configured.
Displaying Detailed NetFlow Cache Information on Platforms Running Distributed Cisco Express Forwarding
On platforms running Distributed Cisco Express Forwarding (dCEF), NetFlow cache information is maintained on each line card or Versatile Interface Processor. If you want to use the show ip cache verbose flow command to display this information on a distributed platform, you must enter the command at a line card prompt.
Cisco 7500 Series Platform
To display detailed NetFlow cache information on a Cisco 7500 series router that is running dCEF, enter the following sequence of commands:
Router# if-con slot-number
LC-slot-number# show ip cache verbose flow
For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:
Router# execute-on slot-number show ip cache verbose flow
Cisco 12000 Series Platform
To display detailed NetFlow cache information on a Cisco 12000 Series Internet Router, enter the following sequence of commands:
Router# attach slot-number
LC-slot-number# show ip cache verbose flow
For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:
Router# execute-on slot-number show ip cache verbose flow
Examples
The following example shows output from the show ip cache verbose flow command:
Router# show ip cache verbose flow
IP packet size distribution (25229 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .206 .793 .000 .000 .000 .000 .000 .000
The preceding output shows the percentage distribution of packets by size. In this display, 20.6 percent of the packets fall in the 1024-byte size range and 79.3 percent fall in the 1536-byte range.
The next section of the output can be divided into three sections. The section and the table corresponding to each are as follows:
•Field Descriptions in the NetFlow Cache Section of the Output (Table 11)
•Field Descriptions in the Activity by Protocol Section of the Output (Table 12)
•Field Descriptions in the NetFlow Record Section of the Output (Table 13)
IP Flow Switching Cache, 278544 bytes
6 active, 4090 inactive, 17 added
505 ager polls, 0 flow alloc failures
Active flows timeout in 1 minutes
Inactive flows timeout in 10 seconds
IP Sub Flow Cache, 25736 bytes
12 active, 1012 inactive, 39 added, 17 added to flow
0 alloc failures, 0 force free
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 1 0.0 362 940 2.7 60.2 0.0
TCP-FTP 1 0.0 362 840 2.7 60.2 0.0
TCP-FTPD 1 0.0 362 840 2.7 60.1 0.1
TCP-SMTP 1 0.0 361 1040 2.7 60.0 0.1
UDP-other 5 0.0 1 66 0.0 1.0 10.6
ICMP 2 0.0 8829 1378 135.8 60.7 0.0
Total: 11 0.0 1737 1343 147.0 33.4 4.8
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et0/0.1 10.251.138.218 Et1/0.1 172.16.10.2 06 80 00 65
0015 /0 0 0015 /0 0 0.0.0.0 840 10.8
MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)
Min plen: 840 Max plen: 840
Et0/0.1 172.16.6.1 Et1/0.1 172.16.10.2 01 00 00 4880
0000 /0 0 0000 /0 0 0.0.0.0 1354 20.1
MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)
Min plen: 772 Max plen: 1500
Min TTL: 255 Max TTL: 255
ICMP type: 0 ICMP code: 0
Et0/0.1 10.10.13.1 Et1/0.1 172.16.10.2 06 80 00 65
0017 /0 0 0017 /0 0 0.0.0.0 940 10.8
MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)
Min plen: 940 Max plen: 940
Et0/0.1 10.89.38.215 Et1/0.1 172.16.10.2 06 80 00 65
0014 /0 0 0014 /0 0 0.0.0.0 840 10.8
MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)
Min plen: 840 Max plen: 840
Et0/0.1 10.10.14.1 Et1/0.1 172.16.10.2 06 80 00 66
0019 /0 0 0019 /0 0 0.0.0.0 1040 11.0
MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)
Min plen: 1040 Max plen: 1040
Et0/0.1 172.16.6.1 Et1/0.1 172.16.10.2 01 00 10 975
0000 /0 0 0800 /0 0 0.0.0.0 1500 20.1
MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)
Min plen: 1500 Max plen: 1500
Min TTL: 255 Max TTL: 255
ICMP type: 8 ICMP code: 0
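The heading-to-data-line pairing described in the usage guidelines, and the egress asterisk noted under show ip cache flow, as an added example that is not Cisco's code: it parses the record section of the output above into records, decodes the hexadecimal Pr, Port and Flgs fields, and sums ingress bytes without double-counting egress copies. The input is the first two records of the page's sample output plus one constructed egress record; every class and function name is this example's own.

```python
"""Parse the two-line flow records of `show ip cache verbose flow` (added example,
not Cisco's code): heading line 1 pairs with data line 1, heading line 2 with data
line 2, and any Layer 2 / ICMP lines belong to the record printed above them."""
import re
from dataclasses import dataclass, field

IP_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")
MAC_RE = re.compile(r"^MAC: \(VLAN id\) (\S+) \((\d+)\) (\S+) \((\d+)\)$")
KV_RE = re.compile(r"([A-Za-z ]+?):\s+(\S+)")  # e.g. "Min plen: 840 Max plen: 840"
# Flgs is the bitwise OR of the TCP flags seen in the flow, printed in hex.
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def _is_head(t):    # SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
    return len(t) == 8 and IP_RE.match(t[1]) and IP_RE.match(t[3]) and t[7].isdigit()

def _is_detail(t):  # Port Msk AS Port Msk AS NextHop B/Pk Active
    return len(t) == 9 and t[1].startswith("/") and t[4].startswith("/") and IP_RE.match(t[6])

@dataclass
class FlowRecord:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    egress: bool          # DstIf carried a trailing '*'
    proto: int            # Pr, printed in hex
    tos: int
    tcp_flags: int        # Flgs, printed in hex
    pkts: int
    src_port: int         # Port, printed in hex
    dst_port: int
    next_hop: str
    bytes_per_pkt: int
    active_sec: float
    extras: dict = field(default_factory=dict)  # MAC/VLAN, plen, TTL, ICMP lines

    @property
    def total_bytes(self) -> int:
        return self.pkts * self.bytes_per_pkt

    def tcp_flag_names(self) -> list:
        return [n for bit, n in sorted(TCP_FLAG_BITS.items()) if self.tcp_flags & bit]

def parse_verbose_flow(text: str) -> list:
    """Walk the output once; heading lines match neither record pattern."""
    records, head = [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        t = line.split()
        if _is_head(t):
            head = t
        elif _is_detail(t) and head is not None:
            records.append(FlowRecord(
                src_if=head[0], src_ip=head[1], dst_if=head[2].rstrip("*"), dst_ip=head[3],
                egress=head[2].endswith("*"), proto=int(head[4], 16), tos=int(head[5], 16),
                tcp_flags=int(head[6], 16), pkts=int(head[7]),
                src_port=int(t[0], 16), dst_port=int(t[3], 16), next_hop=t[6],
                bytes_per_pkt=int(t[7]), active_sec=float(t[8])))
            head = None
        elif records:  # extra lines belong to the most recent complete record
            m = MAC_RE.match(line)
            if m:
                records[-1].extras.update(src_mac=m[1], src_vlan=int(m[2]),
                                          dst_mac=m[3], dst_vlan=int(m[4]))
            else:
                for key, val in KV_RE.findall(line):
                    records[-1].extras[key.strip()] = int(val)
    return records

def ingress_bytes_by_dst(records) -> dict:
    """Bytes per destination, skipping the '*' egress copies so a flow accounted on
    both its input and its output interface is not counted twice."""
    totals = {}
    for r in records:
        if not r.egress:
            totals[r.dst_ip] = totals.get(r.dst_ip, 0) + r.total_bytes
    return totals

# Constructed input: the first two records of the page's sample output plus one
# constructed egress TCP record (Flgs 12 = SYN|ACK) to exercise the '*' handling.
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et0/0.1 10.251.138.218 Et1/0.1 172.16.10.2 06 80 00 65
0015 /0 0 0015 /0 0 0.0.0.0 840 10.8
MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)
Min plen: 840 Max plen: 840
Et0/0.1 172.16.6.1 Et1/0.1 172.16.10.2 01 00 00 4880
0000 /0 0 0000 /0 0 0.0.0.0 1354 20.1
MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)
Min plen: 772 Max plen: 1500
Min TTL: 255 Max TTL: 255
ICMP type: 0 ICMP code: 0
Et0/0.1 10.10.13.1 Et1/0.1* 172.16.10.2 06 80 12 65
0017 /0 0 0017 /0 0 0.0.0.0 940 10.8
"""
```

Because the same flow appears once per interface it is accounted on, a byte count built from these records must drop either the ingress or the egress copies before totalling.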
Table 11 describes the significant fields shown in the NetFlow cache section of the output.
Table 11 Field Descriptions in the NetFlow Cache Section of the Output
Field
|
Description
|
bytes
|
Number of bytes of memory used by the NetFlow cache.
|
active
|
Number of active flows in the NetFlow cache at the time this command was entered.
|
inactive
|
Number of flow buffers that are allocated in the NetFlow cache but that were not assigned to a specific flow at the time this command was entered.
|
added
|
Number of flows created since the start of the summary period.
|
ager polls
|
Number of times the NetFlow code caused entries to expire (used by Cisco for diagnostics only).
|
flow alloc failures
|
Number of times the NetFlow code tried to allocate a flow but could not.
|
last clearing of statistics
|
The period of time that has passed since the clear ip flow stats privileged EXEC command was last executed. The standard time output format of hours, minutes, and seconds (hh:mm:ss) is used for a period of time less than 24 hours. This time output changes to hours and days after the time exceeds 24 hours.
|
Table 12 describes the significant fields shown in the activity by protocol section of the output.
Table 12 Field Descriptions in the Activity by Protocol Section of the Output
Field
|
Description
|
Protocol
|
IP protocol and the well-known port number. (Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.)
Note Only a small subset of all protocols is displayed.
|
Total Flows
|
Number of flows in the cache for this protocol since the last time the statistics were cleared.
|
Flows/Sec
|
Average number of flows for this protocol per second; equal to the total flows divided by the number of seconds for this summary period.
|
Packets/Flow
|
Average number of packets for the flows for this protocol; equal to the total packets for this protocol divided by the number of flows for this protocol for this summary period.
|
Bytes/Pkt
|
Average number of bytes for the packets for this protocol; equal to the total bytes for this protocol divided by the total number of packets for this protocol for this summary period.
|
Packets/Sec
|
Average number of packets for this protocol per second; equal to the total packets for this protocol divided by the total number of seconds for this summary period.
|
Active(Sec)/Flow
|
Number of seconds from the first packet to the last packet of an expired flow divided by the number of total flows for this protocol for this summary period.
|
Idle(Sec)/Flow
|
Number of seconds observed from the last packet in each nonexpired flow for this protocol until the time at which the show ip cache verbose flow command was entered divided by the total number of flows for this protocol for this summary period.
|
Table 13 describes the significant fields in the NetFlow record section of the output.
Table 13 Field Descriptions for the NetFlow Record Section of the Output
Field
|
Description
|
SrcIf
|
Interface on which the packet was received.
|
Port Msk AS
|
Source port number (displayed in hexadecimal format), IP address mask, and autonomous system number. The value of this field is always set to 0 in MPLS flows.
|
SrcIPaddress
|
IP address of the device that transmitted the packet.
|
DstIf
|
Interface from which the packet was transmitted.
Note If an asterisk (*) immediately follows the DstIf field, the flow being shown is an egress flow.
|
Port Msk AS
|
Destination port number (displayed in hexadecimal format), IP address mask, and autonomous system. This is always set to 0 in MPLS flows.
|
DstIPaddress
|
IP address of the destination device.
|
NextHop
|
The BGP next-hop address. This is always set to 0 in MPLS flows.
|
Pr
|
IP protocol number, displayed in hexadecimal format (for example, 01 is ICMP, 06 is TCP, and 11 is UDP). Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.
|
ToS
|
Type of service, displayed in hexadecimal format.
|
B/Pk
|
Average number of bytes observed for the packets seen for this protocol.
|
Flgs
|
TCP flags, shown in hexadecimal format (result of bitwise OR of TCP flags from all packets in the flow).
|
Pkts
|
Number of packets in this flow.
|
Active
|
The time in seconds that this flow has been active at the time this command was entered.
|
MAC
|
Source and destination MAC addresses from the Layer 2 frames in the flow.
|
VLAN id
|
Source and destination VLAN IDs from the Layer 2 frames in the flow.
|
Min plen
|
Minimum packet length for the packets in the flows.
Note This value is updated when a datagram with a lower value is received.
|
Max plen
|
Maximum packet length for the packets in the flows.
Note This value is updated when a datagram with a higher value is received.
|
Min TTL
|
Minimum Time-To-Live (TTL) for the packets in the flows.
Note This value is updated when a datagram with a lower value is received.
|
Max TTL
|
Maximum TTL for the packets in the flows.
Note This value is updated when a datagram with a higher value is received.
|
IP id
|
IP identifier field for the packets in the flow.
|
ICMP type
|
Internet Control Message Protocol (ICMP) type field from the ICMP datagram in the flow.
|
ICMP code
|
ICMP code field from the ICMP datagram in the flow.
|
The following example shows the NetFlow output of the show ip cache verbose flow command in which the sampler, class-id, and general flags are set. What is displayed for a flow depends on what flags are set in the flow. If the flow was captured by a sampler, the output shows the sampler ID. If the flow was marked by Modular QoS CLI (MQC), the display includes the class ID. If any general flags are set, the output includes the flags.
Router# show ip cache verbose flow
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et1/0 8.8.8.8 Et0/0* 9.9.9.9 01 00 10 3
0000 /8 302 0800 /8 300 3.3.3.3 100 0.1
BGP: 2.2.2.2 Sampler: 1 Class: 1 FFlags: 01
Table 14 describes the significant fields shown in the NetFlow output for a sampler, for an MQC policy class, and for general flags.
Table 14 show ip cache verbose flow Field Descriptions for a NetFlow Sampler, an MQC Policy Class, and General Flags
Field (with Sample Values)
|
Description
|
Sampler: 1
|
Shows the ID of the sampler that captured the flow. The sampler ID in this example is 1.
|
Class: 1
|
Shows the ID of the Modular QoS CLI (MQC) traffic class. The class ID in this example is 1.
|
FFlags: 01
|
Shows the general flow flag (shown in hexadecimal format), which is the bitwise OR of one or more of the following:
•01 indicates an output (or egress) flow. (If this bit is not set, the flow is an input [or ingress] flow.)
•02 indicates a flow that was dropped (for example, by an access control list [ACL]).
•04 indicates a Multiprotocol Label Switching (MPLS) flow.
•08 indicates an IP version 6 (IPv6) flow.
The flow flag in this example is 01 (an egress flow).
|
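The records above are printed as pairs of lines, with the optional BGP, sampler, class and FFlags values on a third line, and every numeric field except the packet count is hexadecimal. The following parser is an added example, not Cisco code: it reads that layout back into records, decodes the protocol, port, TCP-flag and FFlags bitmasks described in Tables 13 and 14, and picks out TCP flows whose OR-ed flags are SYN only, which is what an unanswered probe or half-open scan looks like in the cache. The first record in SAMPLE is the one shown above; the second TCP record and all helper names are constructed for the example.

```python
"""Parse `show ip cache verbose flow` records and decode their hex fields.

Added example, not Cisco code. SAMPLE holds the sampler/class/FFlags record
from the command reference plus one constructed SYN-only TCP flow.
"""
import re

SAMPLE = """\
Router# show ip cache verbose flow
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et1/0 8.8.8.8 Et0/0* 9.9.9.9 01 00 10 3
0000 /8 302 0800 /8 300 3.3.3.3 100 0.1
BGP: 2.2.2.2 Sampler: 1 Class: 1 FFlags: 01
Et1/0 10.0.0.5 Et0/0 10.0.1.9 06 00 02 1
0C3A /24 0 0016 /24 0 10.0.1.1 40 0.0
"""

# IANA protocol numbers for the values this output commonly shows.
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}
# Flgs is the bitwise OR of the TCP flags seen in every packet of the flow.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG")]
# FFlags bits as documented in Table 14.
FFLAGS = [(0x01, "egress"), (0x02, "dropped"), (0x04, "mpls"), (0x08, "ipv6")]


def _bits(value, table):
    return [name for bit, name in table if value & bit]


def parse_verbose_flow(text):
    """Return one dict per flow record.

    Line 1: interfaces, addresses, protocol, ToS, TCP flags, packet count.
    Line 2: ports, masks, AS numbers, next hop, bytes/packet, active seconds.
    Optional lines: 'BGP: ... Sampler: ... Class: ... FFlags: ..' or the
    MPLS 'Pos:Lbl-Exp-S ...' label line.
    """
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    body = [l for l in lines
            if not l.startswith(("Router#", "SrcIf", "Port "))]
    flows = []
    i = 0
    while i + 1 < len(body):
        first, second = body[i].split(), body[i + 1].split()
        i += 2
        rec = {
            "src_if": first[0], "src_ip": first[1],
            # A trailing '*' on DstIf marks an egress flow.
            "dst_if": first[2].rstrip("*"), "egress": first[2].endswith("*"),
            "dst_ip": first[3], "proto": int(first[4], 16),
            "tos": int(first[5], 16), "tcp_flags": int(first[6], 16),
            "pkts": int(first[7]),
            "src_port": int(second[0], 16), "src_mask": int(second[1][1:]),
            "src_as": int(second[2]),
            "dst_port": int(second[3], 16), "dst_mask": int(second[4][1:]),
            "dst_as": int(second[5]), "next_hop": second[6],
            "bytes_per_pkt": int(second[7]), "active": float(second[8]),
        }
        rec["proto_name"] = PROTOCOLS.get(rec["proto"], str(rec["proto"]))
        rec["tcp_flag_names"] = _bits(rec["tcp_flags"], TCP_FLAGS)
        while i < len(body) and re.match(r"^(BGP:|Sampler:|Class:|FFlags:|Pos:)", body[i]):
            for key, val in re.findall(r"(BGP|Sampler|Class|FFlags): (\S+)", body[i]):
                rec[key.lower()] = val
            # MPLS label line: position:label-exp-s tuples.
            labels = re.findall(r"(\d+):(\d+)-(\d+)-(\d+)", body[i])
            if labels:
                rec["labels"] = [tuple(int(x) for x in t) for t in labels]
            i += 1
        if "fflags" in rec:
            rec["fflags"] = int(rec["fflags"], 16)
            rec["fflag_names"] = _bits(rec["fflags"], FFLAGS)
        flows.append(rec)
    return flows


def syn_only_flows(flows):
    """TCP flows whose OR-ed flags are exactly SYN: no handshake ever
    completed, the cache-level signature of a probe or half-open scan."""
    return [f for f in flows if f["proto"] == 6 and f["tcp_flags"] == 0x02]
```

Because Flgs is an OR over the whole flow, a single SYN followed later by a SYN/ACK and ACK in the same flow shows as 0x12 or 0x1A, so the SYN-only test selects flows that never got past the first packet; apply it to expired flows from an export feed rather than to the live cache if you want stable numbers.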
The following example shows the NetFlow output for the show ip cache verbose flow command when NetFlow BGP next-hop accounting is enabled:
Router# show ip cache verbose flow
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et0/0/2 12.0.0.2 Et0/0/4 13.0.0.5 01 00 10 20
0000 /8 0 0800 /8 0 11.0.0.6 100 0.0
Et0/0/2 12.0.0.2 Et0/0/4 15.0.0.7 01 00 10 20
0000 /8 0 0800 /8 0 11.0.0.6 100 0.0
Et0/0/2 12.0.0.2 Et0/0/4 15.0.0.7 01 00 10 20
0000 /8 0 0000 /8 0 11.0.0.6 100 0.0
Table 15 describes the significant fields shown in the NetFlow BGP next-hop accounting lines of the output.
Table 15 show ip cache verbose flow Field Descriptions in NetFlow BGP Next-Hop Accounting Output
Field
|
Description
|
BGP:BGP_NextHop
|
Destination address for the BGP next hop
|
The following example shows the NetFlow output for the show ip cache verbose flow command when NetFlow multicast accounting is configured:
Router# show ip cache verbose flow
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et1/1/1 11.0.0.1 Null 227.1.1.1 01 55 10 100
0000 /8 0 0000 /0 0 0.0.0.0 28 0.0
Et1/1/1 11.0.0.1 Se2/1/1.16 227.1.1.1 01 55 10 100
0000 /8 0 0000 /0 0 0.0.0.0 28 0.0
Et1/1/2 12.0.0.1 Et1/1/4 227.2.2.2 01 55 10 100
0000 /8 0 0000 /0 0 0.0.0.0 28 0.1
Et1/1/2 12.0.0.1 Null 227.2.2.2 01 55 10 100
0000 /8 0 0000 /0 0 0.0.0.0 28 0.1
Table 16 describes the significant fields shown in the NetFlow multicast accounting lines of the output.
Table 16 show ip cache verbose flow Field Descriptions in NetFlow Multicast Accounting Output
Field
|
Description
|
OPkts
|
Displays the number of IP multicast (IPM) output packets
|
OBytes
|
Displays the number of IPM output bytes
|
DstIPaddress
|
Displays the destination IP address for the IPM output packets
|
The following example shows the output for both the IP and MPLS sections of the flow record in the NetFlow cache when MPLS-aware NetFlow is enabled:
Router# show ip cache verbose flow
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
PO3/0 10.1.1.1 PO5/1 10.2.1.1 01 00 10 9
0100 /0 0 0200 /0 0 0.0.0.0 100 0.0
Pos:Lbl-Exp-S 1:12305-6-0 (LDP/10.10.10.10) 2:12312-6-1
Table 17 describes the significant fields for the IP and MPLS sections of the flow record in the output.
Table 17 show ip cache verbose flow Field Descriptions for the IP and MPLS Sections of the Flow Record in the Output
Field
|
Description
|
Pos
|
Position of the MPLS label in the label stack, starting with 1 as the top label.
|
Lbl
|
Value given to the MPLS label by the router.
|
Exp
|
Value of the experimental bit.
|
S
|
Value of the end-of-stack bit. Set to 1 for the bottom (last) label in the stack and to 0 for all other entries.
|
LDP/10.10.10.10
|
Type of MPLS label and associated IP address for the top label in the MPLS label stack.
|
Related Commands
Command
|
Description
|
clear ip flow stats
|
Clears the NetFlow accounting statistics.
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip flow interface
|
Displays NetFlow accounting configuration for interfaces.
|
show ip interface
|
Displays the usability status of interfaces configured for IP.
|
show ip cache verbose flow aggregation
To display the aggregation cache configuration, use the show ip cache verbose flow aggregation command in user EXEC and privileged EXEC mode.
show ip cache [prefix mask] [interface-type interface-number] [verbose] flow aggregation {as |
as-tos | bgp-nexthop-tos | destination-prefix | destination-prefix-tos | prefix | prefix-port |
prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos |
exp-bgp-prefix}
Syntax Description
prefix mask
|
(Optional) Displays only the entries in the cache that match the prefix and mask combination.
|
interface-type interface-number
|
(Optional) Displays only the entries in the cache that match the interface type and interface number combination.
|
verbose
|
(Optional) Displays additional information from the aggregation cache.
|
as
|
Displays the configuration of the autonomous system aggregation cache scheme.
|
as-tos
|
Displays the configuration of the autonomous system type of service (ToS) aggregation cache scheme.
|
bgp-nexthop-tos
|
Displays the BGP next hop and ToS aggregation cache scheme.
|
destination-prefix
|
Displays the configuration of the destination prefix aggregation cache scheme.
|
destination-prefix-tos
|
Displays the configuration of the destination prefix ToS aggregation cache scheme.
|
prefix
|
Displays the configuration of the prefix aggregation cache scheme.
|
prefix-port
|
Displays the configuration of the prefix port aggregation cache scheme.
|
prefix-tos
|
Displays the configuration of the prefix ToS aggregation cache scheme.
|
protocol-port
|
Displays the configuration of the protocol port aggregation cache scheme.
|
protocol-port-tos
|
Displays the configuration of the protocol port ToS aggregation cache scheme.
|
source-prefix
|
Displays the configuration of the source prefix aggregation cache scheme.
|
source-prefix-tos
|
Displays the configuration of the source prefix ToS aggregation cache scheme.
|
exp-bgp-prefix
|
Displays the configuration of the exp-bgp-prefix aggregation cache scheme.
|
Command Modes
User EXEC
Privileged EXEC
Command History
Release
|
Modification
|
12.0(3)T
|
This command was introduced.
|
12.0(15)S
|
This command was modified to include new show output for ToS aggregation schemes.
|
12.2(14)S
|
This command was integrated into Cisco IOS Release 12.2(14)S.
|
12.3(1)
|
Support for the BGP Next Hop Support feature was added.
|
12.2(18)S
|
Support for the BGP Next Hop Support feature was added.
|
12.2(27)SBC
|
This command was integrated into Cisco IOS Release 12.2(27)SBC.
|
12.2(14)SX
|
Support for this command was introduced on the Supervisor Engine 720.
|
12.2(17b)SXA
|
The output was changed to include hardware-entry information.
|
12.2(17d)SXB
|
Support for this command on the Supervisor Engine 2 was extended to the 12.2 SX release.
|
12.2(18)SXE
|
The output was changed to add fragment offset (FO) information on the Supervisor Engine 720 only.
|
12.2(18)SXF
|
This command was integrated into Cisco IOS Release 12.2(18)SXF.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2(31)SB2
|
This command was integrated into Cisco IOS Release 12.2(31)SB2. The exp-bgp-prefix aggregation cache was added.
|
Usage Guidelines
Use the show ip cache verbose flow aggregation command to display flow record fields in the NetFlow aggregation cache in addition to the fields that are displayed with the show ip cache flow aggregation command. The values in the additional fields that are shown depend on the NetFlow features that are enabled and the flags that are set in the flow.
Note The flags, and therefore the fields, might vary from flow to flow.
Some of the content in the display of the show ip cache verbose flow aggregation command uses multiline headings and multiline data fields. Figure 4 uses an example of the output from the show ip cache verbose flow command to show how to associate the headings with the correct data fields when there are two or more lines of headings and two or more lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields, and so on.
When other features such as IP Multicast are configured, the number of lines in the headings and data fields increases. The method for associating the headings with the correct data fields remains the same.
Figure 4 How to Use the Multiline Headings and Multiline Data Fields in the Display Output of the show ip cache verbose flow aggregation Command
NetFlow Multicast Support
When the NetFlow Multicast Support feature is enabled, the show ip cache verbose flow command displays the number of replicated packets and the packet byte count for NetFlow multicast accounting. When you configure the NetFlow Version 9 Export Format feature, this command displays additional NetFlow fields in the header.
MPLS-aware NetFlow
When you configure the MPLS-aware NetFlow feature, you can use the show ip cache verbose flow command to display both the IP and MPLS portions of MPLS flows in the NetFlow cache on a router line card. To display only the IP portion of the flow record in the NetFlow cache when MPLS-aware NetFlow is configured, use the show ip cache flow command.
NetFlow BGP Nexthop
The NetFlow bgp-nexthop command can be configured when either the Version 5 export format or the Version 9 export format is configured. The following caveats apply to the bgp-nexthop command:
•The values for the BGP nexthop IP address are exported to a NetFlow collector only when the Version 9 export format is configured.
•In order for the BGP information to be populated in the main cache you must either have a NetFlow export destination configured or NetFlow aggregation configured.
Displaying Detailed NetFlow Cache Information on Platforms Running Distributed Cisco Express Forwarding
On platforms running distributed Cisco Express Forwarding, NetFlow cache information is maintained on each line card or Versatile Interface Processor. If you want to use the show ip cache verbose flow command to display this information on a distributed platform, you must enter the command at a line card prompt.
Cisco 7600 Series Platforms
The module num keyword and argument are supported on DFC-equipped modules only.
Examples
The following is a sample display of a prefix-port aggregation cache with the show ip cache verbose flow aggregation prefix-port command:
Router# show ip cache verbose flow aggregation prefix-port
IP Flow Switching Cache, 278544 bytes
20 active, 4076 inactive, 377 added
98254 ager polls, 0 flow alloc failures
Active flows timeout in 5 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25736 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
Src If Src Prefix Dst If Dst Prefix TOS Flows Pkts
Port Msk Port Msk Pr B/Pk Active
Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 2 136
0016 /0 0015 /24 06 840 62.2
Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 68
00B3 /0 00B3 /24 06 1140 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 68
0043 /0 0043 /24 11 156 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 00 1 68
0000 /0 0000 /24 01 28 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 1 68
0035 /0 0035 /24 06 1140 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 68
0041 /0 0041 /24 06 1140 60.3
Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 68
006E /0 006E /24 06 296 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 68
0016 /0 0015 /24 06 840 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 00 1 68
0000 /0 0000 /24 01 554 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 1 68
00A1 /0 00A1 /24 11 156 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 1 67
00DC /0 00DC /24 06 1140 59.4
Et2/0 0.0.0.0 Et3/0 192.168.10.0 00 1 68
0000 /0 0000 /24 01 28 60.2
Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 67
0041 /0 0041 /24 06 1140 59.4
Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 68
0019 /0 0019 /24 06 168 60.3
Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 68
0016 /0 0015 /24 06 840 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 67
027C /0 027C /24 06 1240 59.4
Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 68
0077 /0 0077 /24 06 1340 60.2
Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 00 1 68
0000 /0 0800 /24 01 1500 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 1 68
0089 /0 0089 /24 06 296 60.3
Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 68
0045 /0 0045 /24 11 156 60.2
Table 18 describes the significant fields shown in the output of the show ip cache verbose flow aggregation prefix-port command.
Table 18 show ip cache verbose flow aggregation Field Descriptions
Field
|
Description
|
Src If
|
Specifies the source interface.
|
Src AS
|
Specifies the source autonomous system.
|
Src Prefix
|
The prefix for the source IP addresses.
|
Msk
|
The number of bits in the source or destination prefix mask.
|
Dst If
|
Specifies the destination interface.
|
AS
|
Autonomous system. This is the source or destination AS number as appropriate for the keyword used. For example, if you enter the show ip cache flow aggregation destination-prefix-tos command, this is the destination AS number.
|
TOS
|
The value in the type of service (ToS) field in the packets.
|
Dst AS
|
Specifies the destination autonomous system.
|
Dst Prefix
|
The prefix for the destination IP addresses
|
Flows
|
Number of flows.
|
Pkts
|
Number of packets.
|
Port
|
The source or destination port number.
|
Msk
|
The source or destination prefix mask.
|
Pr
|
IP protocol number, displayed in hexadecimal format (for example, 01 is ICMP, 06 is TCP, and 11 is UDP). Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.
|
B/Pk
|
Average number of bytes per packet for this entry (total bytes divided by total packets for this summary period).
|
Active
|
The time in seconds that this entry has been active at the time this command was entered.
|
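The prefix-port scheme collapses every main-cache flow that shares input and output interface, masked source and destination prefix, ToS, ports and protocol into one entry carrying a flow count and a packet sum; that is why the first row above reports 2 flows and 136 packets for port 0016 to 0015 on 172.16.10.0/24. The following script is an added example, not Cisco code: it performs that aggregation over constructed raw flows and renders entries in the two-line layout of the output. The /0 source and /24 destination mask lengths are assumptions chosen to match the sample (on the router they come from the mask source and mask destination commands), and the raw flow records are constructed.

```python
"""Aggregate raw NetFlow records the way the prefix-port scheme does.

Added example, not Cisco code. RAW_FLOWS and the mask lengths are constructed
to reproduce the first row of the sample output.
"""
import ipaddress
from collections import defaultdict

# Constructed raw flows:
# (src_if, src_ip, dst_if, dst_ip, tos, src_port, dst_port, proto, pkts)
RAW_FLOWS = [
    ("Et0/0.1", "10.10.18.1", "Et1/0.1", "172.16.10.232", 0x80, 0x0016, 0x0015, 6, 68),
    ("Et0/0.1", "10.10.19.1", "Et1/0.1", "172.16.10.7",   0x80, 0x0016, 0x0015, 6, 68),
    ("Et0/0.1", "10.10.19.1", "Et1/0.1", "172.16.30.5",   0x80, 0x00B3, 0x00B3, 6, 68),
    ("Et2/0",   "192.0.2.9",  "Et3/0",   "192.168.10.44", 0x00, 0x0000, 0x0800, 1, 68),
]


def prefix(ip, masklen):
    """Apply the aggregation mask (mask source/destination minimum) to an address."""
    return str(ipaddress.ip_network(f"{ip}/{masklen}", strict=False).network_address)


def aggregate_prefix_port(flows, src_mask=0, dst_mask=24):
    """Key: interfaces, masked prefixes with their lengths, ToS, ports, protocol.
    Value: number of flows merged and their summed packet count."""
    table = defaultdict(lambda: {"flows": 0, "pkts": 0})
    for src_if, src_ip, dst_if, dst_ip, tos, sport, dport, proto, pkts in flows:
        key = (src_if, prefix(src_ip, src_mask), src_mask,
               dst_if, prefix(dst_ip, dst_mask), dst_mask,
               tos, sport, dport, proto)
        table[key]["flows"] += 1
        table[key]["pkts"] += pkts
    return dict(table)


def format_entry(key, stats):
    """Render one entry in the two-line layout of the command output:
    'Src If Src Prefix Dst If Dst Prefix TOS Flows Pkts' over
    'Port Msk Port Msk Pr'."""
    src_if, sp, sm, dst_if, dp, dm, tos, sport, dport, proto = key
    line1 = f"{src_if} {sp} {dst_if} {dp} {tos:02X} {stats['flows']} {stats['pkts']}"
    line2 = f"{sport:04X} /{sm} {dport:04X} /{dm} {proto:02X}"
    return line1 + "\n" + line2


if __name__ == "__main__":
    for key, stats in aggregate_prefix_port(RAW_FLOWS).items():
        print(format_entry(key, stats))
```

Note what the scheme throws away: with a /0 source mask the two 10.10.x.x hosts are indistinguishable in the entry, so an aggregation cache is a traffic-profiling view, not a forensic one. If you need to attribute traffic to a host after the fact, keep the main cache exported (or a tighter source mask) rather than relying on the aggregated export alone.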
The following is a sample display of an exp-bgp-prefix aggregation cache with the show ip cache verbose flow aggregation exp-bgp-prefix command:
Router# show ip cache verbose flow aggregation exp-bgp-prefix
IP Flow Switching Cache, 278544 bytes
1 active, 4095 inactive, 4 added
97 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 17032 bytes
1 active, 1023 inactive, 4 added, 4 added to flow
0 alloc failures, 0 force free
Src If BGP Nexthop Label MPLS EXP Flows Pkts B/Pk Active
Gi4/0/0.102 10.40.40.40 0 0 1 5 100 0.0
Table 19 describes the significant fields shown in the output of the show ip cache verbose flow aggregation exp-bgp-prefix command.
Table 19 show ip cache verbose flow aggregation Field Descriptions
Field
|
Description
|
Src If
|
Specifies the source interface.
|
Flows
|
Number of flows.
|
Pkts
|
Number of packets.
|
B/Pk
|
Average number of bytes per packet for this entry (total bytes divided by total packets for this summary period).
|
Active
|
The time in seconds that this flow has been active at the time this command was entered.
|
BGP Nexthop
|
The exit point from the MPLS cloud.
|
Label
|
The MPLS label value.
Note This value is set to zero on the Cisco 10000.
|
MPLS EXP
|
The 3-bit value of the MPLS labels EXP field.
|
Related Commands
Command
|
Description
|
cache
|
Defines operational parameters for NetFlow accounting aggregation caches.
|
enabled (aggregation cache)
|
Enables a NetFlow accounting aggregation cache.
|
export destination (aggregation cache)
|
Enables the exporting of NetFlow accounting information from NetFlow aggregation caches.
|
ip flow-aggregation cache
|
Enables NetFlow accounting aggregation cache schemes.
|
mask (IPv4)
|
Specifies the source or destination prefix mask for a NetFlow accounting prefix aggregation cache.
|
show ip cache flow aggregation
|
Displays a summary of the NetFlow aggregation cache accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip flow export
|
Displays the statistics for the data export.
|
show ip flow interface
|
Displays NetFlow accounting configuration for interfaces.
|
show ip flow export
To display the status and the statistics for NetFlow accounting data export, including the main cache and all other enabled caches, use the show ip flow export command in user EXEC or privileged EXEC mode.
show ip flow export [template]
Syntax Description
template
|
(Optional) Shows the data export statistics (such as template timeout and refresh rate) for the template-specific configurations.
|
Command Modes
User EXEC
Privileged EXEC
Command History
Release
|
Modification
|
11.1CC
|
This command was introduced.
|
12.2(2)T
|
This command was modified to display multiple NetFlow export destinations.
|
12.0(24)S
|
The template keyword was added.
|
12.3(1)
|
This command was integrated into Cisco IOS Release 12.3(1).
|
Examples
The following is sample output from the show ip flow export command:
Router# show ip flow export
Flow export v5 is enabled for main cache
Exporting flows to 10.51.12.4 (9991) 10.1.97.50 (9111)
Exporting using source IP address 10.1.97.17
11 flows exported in 8 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
0 export packets were dropped due to output drops
Table 20 describes the significant fields shown in the display.
Table 20 show ip flow export Field Descriptions
Field
|
Description
|
Exporting flows to 10.51.12.4 (9991) 10.1.97.50 (9111)
|
Specifies the export destinations and ports. The ports are in parentheses.
|
Exporting using source IP address 10.1.97.17
|
Specifies the source address or interface.
|
Flow export v5 is enabled for main cache
|
Specifies the export format version in use (version 5 here) and the cache whose flows are being exported.
|
11 flows exported in 8 udp datagrams
|
The total number of export datagrams sent, and the total number of flows contained within them.
|
0 flows failed due to lack of export packet
|
The total number of export packets that were not sent because no memory was available to create an export packet.
|
0 export packets were sent up to process level
|
The total number of export packets that could not be processed by CEF or by fast switching, possibly because another feature needed to process the packet.
|
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
|
The total number of export packets that CEF was unable to switch or forward up to the process level.
|
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
|
The total number of export packets that were dropped because of problems constructing the IP packet.
|
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
|
The total number of export packets that were dropped because there was a problem transferring the export packet between the RP and the line card.
|
0 export packets were dropped due to output drops
|
The total number of export packets that were dropped because the send queue was full while the packet was being transmitted.
|
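Every counter in Table 20 after the first two lines is a way for flow records to vanish before they reach the collector, and a collector that silently receives fewer flows than the router created is a blind spot for detection. The following check is an added example, not Cisco code: it parses the output above into a structured summary, returns the non-zero drop and failure counters, and compares the configured export destinations against an allow-list so that an export destination nobody expects is noticed. The sample reuses the output shown above with one constructed non-zero fragmentation line; the allow-list and function names are assumptions for the example.

```python
"""Health check for `show ip flow export` output.

Added example, not Cisco code. SAMPLE is the reference output with one line
changed to a constructed non-zero drop counter.
"""
import re

SAMPLE = """\
Flow export v5 is enabled for main cache
Exporting flows to 10.51.12.4 (9991) 10.1.97.50 (9111)
Exporting using source IP address 10.1.97.17
11 flows exported in 8 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
3 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
0 export packets were dropped due to output drops
"""


def parse_flow_export(text):
    """Return version, cache, destinations, source, totals and every counter line."""
    info = {"destinations": [], "counters": {}}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Flow export v(\d+) is enabled for (.+)", line)
        if m:
            info["version"], info["cache"] = int(m.group(1)), m.group(2)
            continue
        if line.startswith("Exporting flows to"):
            info["destinations"] = [
                (ip, int(port))
                for ip, port in re.findall(r"(\d+\.\d+\.\d+\.\d+) \((\d+)\)", line)]
            continue
        m = re.match(r"Exporting using source IP address (\S+)", line)
        if m:
            info["source"] = m.group(1)
            continue
        m = re.match(r"(\d+) flows exported in (\d+) udp datagrams", line)
        if m:
            info["flows_exported"], info["datagrams"] = int(m.group(1)), int(m.group(2))
            continue
        # Remaining lines are '<count> <reason>' counters.
        m = re.match(r"(\d+) (flows failed .*|export packets were .*)", line)
        if m:
            info["counters"][m.group(2)] = int(m.group(1))
    return info


def export_drops(info):
    """Non-zero counters whose reason says the records were dropped or failed.
    'sent up to process level' is excluded: those packets still went out."""
    return {reason: n for reason, n in info["counters"].items()
            if n and ("dropped" in reason or "failed" in reason)}


def unexpected_destinations(info, allowed):
    """Destinations (ip, port) that are not in the allow-list: an export target
    added without your knowledge ships your traffic metadata elsewhere."""
    return [d for d in info["destinations"] if d not in allowed]


if __name__ == "__main__":
    summary = parse_flow_export(SAMPLE)
    print(export_drops(summary))
    print(unexpected_destinations(summary, {("10.51.12.4", 9991)}))
```

Counters are cumulative since the last clear, so poll this periodically and alert on the delta, not on the absolute value; a fragmentation failure count that keeps climbing usually points at an MTU problem on the path to the collector and means the collector's view is incomplete for as long as it lasts.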
Related Commands
Command
|
Description
|
ip flow-export
|
Enables the export of NetFlow accounting information in NetFlow cache entries
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip flow interface
|
Displays the NetFlow accounting configuration on interfaces.
|
show ip flow interface
To display NetFlow accounting configuration on interfaces, use the show ip flow interface command in user EXEC or privileged EXEC mode.
show ip flow interface
Syntax Description
This command has no keywords or arguments.
Command Modes
User EXEC
Privileged EXEC
Command History
Release
|
Modification
|
12.3(7)T
|
This command was introduced.
|
12.3(11)T
|
Support for egress NetFlow accounting was added.
|
Usage Guidelines
Use this command to display the type of NetFlow configuration that is used on the router interfaces.
Examples
The following example shows that four interface configurations have been applied:
•NetFlow accounting for egress flows has been enabled on interface Ethernet 0/0.
•The "my_medium_sampling" flow sampler map has been applied to interface Ethernet 0/0.
•NetFlow accounting has been enabled on interface Ethernet 1/0.
•The "my_high_sampling" policy map has been applied to interface Ethernet 1/0:
Router# show ip flow interface
flow-sampler my_medium_sampling
netflow-sampler my_high_sampling
Related Commands
Command
|
Description
|
clear ip flow stats
|
Clears the NetFlow accounting statistics.
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip interface
|
Displays the usability status of interfaces configured for IP.
|
show ip flow top-talkers
To display the traffic statistics for the NetFlow top talkers (unaggregated top flows), use the show ip flow top-talkers command in user EXEC or privileged EXEC mode.
show ip flow top-talkers [verbose]
Syntax Description
verbose
|
Displays additional details for the top flows.
|
Defaults
No default behavior or values.
Command Modes
User EXEC
Privileged EXEC
Command History
Release
|
Modification
|
12.2(25)S
|
This command was introduced.
|
12.3(11)T
|
This feature was integrated into Cisco IOS Release 12.3(11)T.
|
12.2(27)SBC
|
This feature was integrated into Cisco IOS Release 12.2(27)SBC.
|
12.2(33)SRA
|
This feature was integrated into Cisco IOS Release 12.2(33)SRA.
|
Usage Guidelines
Configuring NetFlow Top Talkers
You must enable NetFlow on at least one interface in the router; and configure NetFlow Top Talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows of the heaviest traffic patterns and most-used applications in the network. NetFlow Top Talkers also requires that you configure the sort-by and top commands. Optionally, the match command can be configured to specify additional matching criteria.
Cache Timeout
The timeout period as specified by the cache-timeout command does not start until the show ip flow top-talkers command is entered. From that time, the same top talkers are displayed until the timeout period expires. To recalculate a new list of top talkers before the timeout period expires, you can change the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkers command.
A long timeout period for the cache-timeout command limits the system resources that are used by the NetFlow Top Talkers feature. However, the list of top talkers is calculated only once during the timeout period. If a request to display the top talkers is made more than once during the timeout period, the same results are displayed for each request, and the list of top talkers is not recalculated until the timeout period expires.
A short timeout period ensures that the latest list of top talkers is retrieved; however too short a period can have undesired effects:
•The list of top talkers is lost when the timeout period expires. You should configure a timeout period for at least as long as it takes the network management system (NMS) to retrieve all the required NetFlow top talkers.
•The list of top talkers is updated every time the top talkers information is requested, possibly causing unnecessary usage of system resources.
A good method to ensure that the latest information is displayed, while also conserving system resources, is to configure a large value for the timeout period, but cause the list of top talkers to be recalculated by changing the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkers command to display the top talkers. Changing the parameters of the cache-timeout, top, or sort-by command causes the list of top talkers to be recalculated upon receipt of the next command line interface (CLI) or MIB request.
Examples
The following example shows the output of the show ip flow top-talkers command.
In the example, the NetFlow MIB and Top Talkers feature is configured to allow a maximum of five top talkers to be viewed. The display output is configured to be sorted by the total number of bytes in each top talker, and the list of top talkers is configured to be retained for 2 seconds (2000 milliseconds).
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 5
Router(config-flow-top-talkers)# sort-by bytes
Router(config-flow-top-talkers)# cache-timeout 2000
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 144K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 144K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 135K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 125K
Et0/0.1 10.92.231.235 Et1/0.1 172.16.10.2 06 0041 0041 115K
5 of 5 top talkers shown. 11 flows processed
Table 21 describes the significant fields shown in the display.
Table 21 show ip flow top-talkers Field Descriptions
Field
|
Description
|
SrcIf
|
Source interface
|
SrcIPaddress
|
Source IP address
|
DstIf
|
Destination interface
|
DstIPaddress
|
Destination IP address
|
Pr
|
Protocol number
|
SrcP
|
Source port
|
DstP
|
Destination port
|
Bytes
|
Total number of bytes in each top talker
|
X of Y top talkers shown
|
Y-The number of Top Talkers specified by the top command.
X-The number of flows displayed.
The value for "X" is always <= the value for "Y". For example, if "Y" = 5 and there are 3 Top Talkers, the display will show 3 of 5 top talkers shown.
|
flows processed
|
The number of flows observed in the NetFlow cache.
|
Table 22 shows messages that could be received in response to the show ip flow top-talkers command and their explanations.
Table 22 show ip flow top-talkers Message Descriptions
Message
|
Description
|
% Top talkers not configured
|
The NetFlow MIB and Top Talkers feature has not yet been configured.
|
% Cache is not enabled
|
The cache is not enabled
|
% Cache is empty
|
There are no flows in the cache to be viewed.
|
% There are no matching flows to show
|
The match criteria that were specified do not match any flows in the cache.
|
Related Commands
Command
|
Description
|
cache-timeout
|
Specifies the length of time for which the list of top talkers (heaviest traffic patterns and most-used applications in the network) for the NetFlow MIB and Top Talkers feature is retained.
|
ip flow-top-talkers
|
Enters the configuration mode for the NetFlow MIB and Top Talkers (heaviest traffic patterns and most-used applications in the network) feature.
|
match (NetFlow)
|
Specifies match criteria for the NetFlow MIB and Top Talkers (heaviest traffic patterns and most-used applications in the network) feature.
|
sort-by
|
Specifies the sorting criterion for top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and Top Talkers feature.
|
top
|
Specifies the maximum number of top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and Top Talkers feature.
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip flow interface
|
Displays NetFlow accounting configuration for interfaces.
|
sort-by
To specify the sorting criterion for the NetFlow top talkers (unaggregated top flows), use the sort-by command in NetFlow top talkers configuration mode. To disable NetFlow top talkers, use the no form of this command.
sort-by [bytes | packets]
no sort-by [bytes | packets]
Syntax Description
bytes
|
Sorts the list of top talkers by the total number of bytes in each Top Talker.
|
packets
|
Sorts the list of top talkers by the total number of packets in each Top Talker.
|
Defaults
No default behavior or values.
Command Modes
NetFlow top talkers configuration
Command History
Release | Modification
12.2(25)S | This command was introduced.
12.3(11)T | This feature was integrated into Cisco IOS Release 12.3(11)T.
12.2(27)SBC | This feature was integrated into Cisco IOS Release 12.2(27)SBC.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
Configuring NetFlow top talkers
You must enable NetFlow on at least one interface of the router and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure both the sort-by and top commands. Optionally, the match command can be configured to specify additional matching criteria.
Examples
In the following example, a maximum of four top talkers is configured. The sort criterion is configured to sort the list of top talkers by the total number of bytes for each Top Talker.
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 4
Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top-talkers command with the configuration from the previous example:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K
4 of 4 top talkers shown. 11 flows processed
Related Commands
Command | Description
cache-timeout | Specifies the length of time for which the list of top talkers (heaviest traffic patterns and most-used applications in the network) for the NetFlow MIB and top talkers feature is retained.
ip flow-top-talkers | Enters the configuration mode for the NetFlow MIB and top talkers (heaviest traffic patterns and most-used applications in the network) feature.
match (NetFlow) | Specifies match criteria for the NetFlow MIB and top talkers (heaviest traffic patterns and most-used applications in the network) feature.
show ip flow top-talkers | Displays the statistics for the NetFlow accounting top talkers (heaviest traffic patterns and most-used applications in the network).
top | Specifies the maximum number of top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and top talkers feature.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays the NetFlow accounting configuration for interfaces.
top
To specify the maximum number of NetFlow top talkers (unaggregated top flows) for which statistics are displayed, use the top command in NetFlow top talkers configuration mode. To disable NetFlow top talkers, use the no form of this command.
top number
no top
Syntax Description
number | The maximum number of top talkers that will be displayed. The range is 1 to 200.
Defaults
No default behavior or values.
Command Modes
NetFlow top talkers configuration
Command History
Release | Modification
12.2(25)S | This command was introduced.
12.3(11)T | This feature was integrated into Cisco IOS Release 12.3(11)T.
12.2(27)SBC | This feature was integrated into Cisco IOS Release 12.2(27)SBC.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
Configuring NetFlow top talkers
You must enable NetFlow on at least one interface of the router and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure both the sort-by and top commands. Optionally, the match command can be configured to specify additional matching criteria.
Examples
In the following example, a maximum of four top talkers is configured. The sort criterion is configured to sort the list of top talkers by the total number of bytes for each Top Talker.
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 4
Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top-talkers command with the configuration from the previous example:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K
4 of 4 top talkers shown. 11 flows processed
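The sort-by and top examples above show the listing the router produces once both commands are configured. The following added example (not Cisco code, and not part of this command reference) parses that listing off-box so an analyst can re-rank the captured flows by the counter column, apply a different top N, and total the counters per destination host, which the unaggregated router view does not do. The sample text is the four-flow listing shown above; the assumption that the K and M suffixes mean thousands and millions, the protocol-number table, and all function names are the example's own.

```python
"""Parse 'show ip flow top-talkers' output and re-rank the flows off-box.

This is an added example, not Cisco's code. It reproduces what the
sort-by and top commands do on the router, on a captured listing.
"""
import re
from dataclasses import dataclass

# Constructed sample: the four-flow listing from the command reference above.
SAMPLE_OUTPUT = """\
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K
4 of 4 top talkers shown. 11 flows processed
"""

# Assumption: K and M in the counter column mean 10^3 and 10^6.
SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000}
# Common IP protocol numbers (the Pr column is hexadecimal: 06 = TCP, 11 = UDP).
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sp>[0-9A-Fa-f]{4})\s+(?P<dp>[0-9A-Fa-f]{4})\s+"
    r"(?P<cnt>\d+)(?P<suf>[KkMm]?)\s*$"
)
TRAILER_RE = re.compile(r"^(\d+) of (\d+) top talkers shown\. (\d+) flows processed")


@dataclass
class Flow:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    counter: int  # value of the last column: Bytes (sort-by bytes) or Pkts (sort-by packets)

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, str(self.proto))


def parse_top_talkers(text: str):
    """Return (counter_name, flows, trailer) for one show ip flow top-talkers listing.

    counter_name is the last header word ('Bytes' or 'Pkts'); trailer is
    (shown, requested_top, flows_processed) from the closing summary line.
    """
    counter_name, flows, trailer = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SrcIf"):
            counter_name = line.split()[-1]
            continue
        m = FLOW_RE.match(line)
        if m:
            flows.append(Flow(
                m["src_if"], m["src_ip"], m["dst_if"], m["dst_ip"],
                int(m["pr"], 16), int(m["sp"], 16), int(m["dp"], 16),
                int(m["cnt"]) * SUFFIX[m["suf"].upper()],
            ))
            continue
        t = TRAILER_RE.match(line)
        if t:
            trailer = tuple(int(x) for x in t.groups())
    return counter_name, flows, trailer


def rank(flows, top_n: int):
    """Emulate 'sort-by' + 'top N': highest counter first, ties keep listing order."""
    return sorted(flows, key=lambda f: f.counter, reverse=True)[:top_n]


def aggregate_by_dst(flows):
    """Sum the counter per destination address; one busy server is easy to see this way."""
    totals = {}
    for f in flows:
        totals[f.dst_ip] = totals.get(f.dst_ip, 0) + f.counter
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    name, flows, trailer = parse_top_talkers(SAMPLE_OUTPUT)
    print(f"{trailer[0]} shown of {trailer[2]} processed, ranked by {name}")
    for f in rank(flows, 2):
        print(f"{f.src_ip} -> {f.dst_ip} {f.proto_name}/{f.dst_port} {f.counter}")
    print(aggregate_by_dst(flows))
```

The trailer line is worth keeping: "4 of 4 top talkers shown. 11 flows processed" says how many cache entries were scanned versus displayed, so a listing that shows fewer flows than the configured top value is a sign that the cache holds fewer matching flows, not a parsing problem.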
Related Commands
Command | Description
cache-timeout | Specifies the length of time for which the list of top talkers (heaviest traffic patterns and most-used applications in the network) for the NetFlow MIB and top talkers feature is retained.
ip flow-top-talkers | Enters the configuration mode for the NetFlow MIB and top talkers (heaviest traffic patterns and most-used applications in the network) feature.
match (NetFlow) | Specifies match criteria for the NetFlow MIB and top talkers (heaviest traffic patterns and most-used applications in the network) feature.
show ip flow top-talkers | Displays the statistics for the top talkers (heaviest traffic patterns and most-used applications in the network).
sort-by | Specifies the sorting criterion for top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and top talkers feature.
show ip cache flow | Displays a summary of the NetFlow accounting statistics.
show ip cache verbose flow | Displays a detailed summary of the NetFlow accounting statistics.
show ip flow interface | Displays the NetFlow accounting configuration for interfaces.