Configuring Flexible NetFlow

• Prerequisites for Flexible NetFlow, page 1
• Restrictions for Flexible NetFlow, page 2
• Information About Flexible NetFlow, page 4
• How to Configure Flexible NetFlow, page 20
• Monitoring Flexible NetFlow, page 36
• Configuration Examples for Flexible NetFlow, page 37
• Additional References, page 43
• Feature Information for Flexible NetFlow, page 44
Prerequisites for Flexible NetFlow
The following are prerequisites for your Flexible NetFlow configuration:
• You must configure a source interface. If you do not configure a source interface, the exporter will
remain in a disabled state.
• You must configure a valid record name for every flow monitor.
• You must enable IPv6 routing to export the flow records to an IPv6 destination server.
• You must configure the IPFIX export protocol for the flow exporter to export NetFlow records in IPFIX
format.
• You are familiar with the Flexible NetFlow key fields as they are defined in the following commands
in the Cisco IOS Flexible NetFlow Command Reference:
◦match datalink—Datalink (layer2) fields
◦match flow—Flow identifying fields
◦match interface—Interface fields
◦match ipv4—IPv4 fields
◦match ipv6—IPv6 fields
Software Configuration Guide, Cisco IOS XE Denali 16.1.x (Catalyst 3650 Switches)
1
◦match transport—Transport layer fields
◦match wireless—Wireless fields
• You are familiar with the Flexible NetFlow nonkey fields as they are defined in the following commands
in the Cisco IOS Flexible NetFlow Command Reference:
◦collect counter—Counter fields
◦collect flow—Flow identifying fields
◦collect interface—Interface fields
◦collect timestamp—Timestamp fields
◦collect transport—Transport layer fields
◦collect wireless—Wireless fields
IPv4 Traffic
• The networking device must be configured for IPv4 routing.
• One of the following must be enabled on your router and on any interfaces on which you want to enable
Flexible NetFlow: Cisco Express Forwarding or distributed Cisco Express Forwarding.
IPv6 Traffic
• The networking device must be configured for IPv6 routing.
• One of the following must be enabled on your router and on any interfaces on which you want to enable
Flexible NetFlow: Cisco Express Forwarding IPv6 or distributed Cisco Express Forwarding.
Restrictions for Flexible NetFlow
The following are restrictions for Flexible NetFlow:
• Flexible NetFlow is not supported on the L2 port-channel interface, but is supported on the L2
port-channel member ports.
• Flexible NetFlow is not supported on the L3 port-channel member ports, but is supported on the L3
port-channel interface.
• Traditional NetFlow (TNF) accounting is not supported.
• Flexible NetFlow version 9 and version 10 export formats are supported. However, if you have not
configured the export protocol, version 9 export format is applied by default.
• Microflow policing feature shares the NetFlow hardware resource with FNF.
• Only one flow monitor per interface and per direction is supported.
• Layer 2, IPv4, and IPv6 traffic types are supported; however, the switch can apply a flow monitor to
only one of these types at a time for a given direction and interface.
• Layer 2, VLAN, WLAN and Layer 3 interfaces are supported, but the switch does not support SVI and
tunnels.
• The following NetFlow table sizes are supported:

  Trim Level     Ingress NetFlow Table   Egress NetFlow Table
  LAN Base       Not supported           Not supported
  IP Base        8K                      16K
  IP Services    8K                      16K
• Depending on the switch type, a switch will have one or two forwarding ASICs. The capacities listed
in the above table are on a per-ASIC basis.
• The switch can support either one or two ASICs. Each ASIC has 8K ingress and 16K egress entries,
whereas each TCAM can handle up to 6K ingress and 12K egress entries.
• The NetFlow tables are on separate compartments and cannot be combined. Depending on which ASIC
processed the packet, the flows will be created in the table in the corresponding ASIC.
• NetFlow hardware implementation supports four hardware samplers. You can select a sampler rate from
1 out of 2 to 1 out of 1024. Only random sampling mode is supported.
• With the microflow policing feature (which is enabled only for wireless implementation), NetFlow can
and should be used only in full flow mode; that is, NetFlow policing cannot be used. For wireless traffic,
applying a sampler is not permitted, as it hinders microflow QoS.
• Only full flow accounting is supported for wireless traffic.
• NetFlow hardware uses hash tables internally. Hash collisions can occur in the hardware. Therefore, in
spite of the internal overflow Content Addressable Memory (CAM), the actual NetFlow table utilization
could be about 80 percent.
• Depending on the fields that are used for the flow, a single flow could take two consecutive entries. IPv6
flows also take two entries. In these situations, the effective usage of NetFlow entries is half the table
size, which is separate from the above hash collision limitation.
• The switch supports up to 63 flow monitors.
• SSID-based NetFlow accounting is supported. SSID is treated in a manner similar to an interface.
However, certain fields, such as user ID, are not supported.
• The NetFlow software implementation supports distributed NetFlow export, so the flows are exported
from the same switch in which the flow was created.
• Ingress flows are present in the ASIC that first received the packets for the flow. Egress flows are present
in the ASIC from which the packets actually left the switch set up.
• The reported value for the bytes count field (called "bytes long") is the Layer 2 packet size minus 18
bytes. For classic Ethernet traffic (802.3), this will be accurate. For all other Ethernet types, this field
will not be accurate. Use the "bytes layer2" field, which always reports the accurate Layer 2 packet size.
For information about supported Flexible NetFlow fields, see Supported Flexible NetFlow Fields, on page 15.
• Configuration of IPFIX exporter on an AVC flow monitor is not supported.
• Flexible NetFlow export is not supported on the Ethernet management port, Gi0/0.
• When a flow record has only Source Group Tag (SGT) and Destination Group Tag (DGT) fields (or
only either of the two) and if both the values are not applicable, then a flow will still be created with
zero values for SGT and DGT. The flow records are expected to include source and destination IP
addresses, along with SGT and DGT fields.
• A flow monitor whose flow record contains the CTS field cannot be attached to the WLAN (SSID).
Information About Flexible NetFlow
Overview
Flexible NetFlow uses flows to provide statistics for accounting, network monitoring, and network planning.
A flow is a unidirectional stream of packets that arrives on a source interface and has the same values for the
keys. A key is an identified value for a field within the packet. You create a flow using a flow record to define
the unique keys for your flow.
The switch supports the Flexible NetFlow feature, which enables enhanced network anomaly and security
detection. Flexible NetFlow allows you to define an optimal flow record for a particular application by
selecting the keys from a large collection of predefined fields.
All key values must match for the packet to count in a given flow. A flow might gather other fields of interest,
depending on the export record version that you configure. Flows are stored in the cache.
You can export the data that Flexible NetFlow gathers for your flow by using an exporter and export this
data to a remote system such as a collector. The collector can use an IPv4 or IPv6 address.
You define the size of the data that you want to collect for a flow using a monitor. The monitor combines the
flow record and exporter with the cache information.
Wireless Flexible NetFlow Overview
The wireless Flexible NetFlow infrastructure supports the following:
• Flexible NetFlow Version 9.0
• User-based rate limiting
• Microflow policing
• Voice and video flow monitoring
• Reflexive access control list (ACL)
Microflow Policing and User-Based Rate Limiting
Microflow policing associates a 2-color 1-rate policer and related drop statistics to each flow present in the
NetFlow table. When the flow mask comprises all packet fields, this functionality is known as microflow
policing. When the flow mask comprises either source or destination only, this functionality is known as
user-based rate limiting.
Voice and Video Flow Monitoring
Voice and video flows are full flow mask-based entries. The ASIC provides the flexibility to program the
policer parameters, share policers across multiple flows and rewrite the IP address and Layer 4 port numbers
of these flows.
Note
For dynamic entries, the NetFlow engine will use the policer parameters that are derived for the flow based
on the policy (ACL/QoS-based policies). Dynamic entries cannot share policer across multiple flows.
Reflexive ACL
Reflexive ACLs allow IP packets to be filtered based on upper-layer session information. The ACLs allow
outbound traffic and limit inbound traffic in response to the sessions that originate inside the trusted network.
The reflexive ACLs are transparent to the filtering mechanism until a data packet that matches the reflexive
entry activates it. At this time, a temporary ACL entry is created and added to the IP-named access lists. The
information obtained from the data packet to generate the reflexive ACL entry is permit/deny bit, the source
IP address and port, the destination IP address, port, and the protocol type. During reflexive ACL entry
evaluation, if the protocol type is either TCP or UDP, then the port information must match exactly. For other
protocols, there is no port information to match. After this ACL is installed, the firewall is then opened for
the reply packets to pass through. At this time, a potential hacker could have access to the network behind the
firewall. To narrow this window, an idle timeout period can be defined. However, in the case of TCP, if two
FIN bits or an RST is detected, the ACL entry can be removed.
Related Topics
Configuring WLAN to Apply Flow Monitor in IPV4 and IPv6 Input/Output Direction, on page 35
Example: Configuring IPv4 Flexible NetFlow in WLAN (Ingress Direction), on page 40
Example: Configuring IPv6 and Transport Flag Flexible NetFlow in WLAN (Egress Direction), on page 40
Example: Configuring IPv6 Flexible NetFlow in WLAN (Both Ingress and Egress Directions), on page 41
Original NetFlow and Benefits of Flexible NetFlow
Original NetFlow uses a fixed seven-tuple of IP information to identify a flow.
Flexible NetFlow allows the flow to be user defined. The benefits of Flexible NetFlow include:
• High-capacity flow recognition, including scalability and aggregation of flow information.
• Enhanced flow infrastructure for security monitoring and DDoS detection and identification.
• New information from packets to adapt flow information to a particular service or operation in the
network. The flow information available will be customizable by Flexible NetFlow users.
• Extensive use of Cisco’s flexible and extensible NetFlow Version 9 and version 10 export formats. With
version 10 export format, support for variable length field for the wireless client's SSID is available.
• A comprehensive IP accounting feature that can be used to replace many accounting features, such as
IP accounting, Border Gateway Protocol (BGP) Policy Accounting, and persistent caches.
• Support for ingress and egress NetFlow accounting.
• Support for full flow accounting and sampled NetFlow accounting.
Original NetFlow allows you to understand the activities in the network and thus to optimize network design
and reduce operational costs.
Flexible NetFlow allows you to understand network behavior with more efficiency, with specific flow
information tailored for various services used in the network. The following are some example applications
for a Flexible NetFlow feature:
• Flexible NetFlow enhances Cisco NetFlow as a security monitoring tool. For instance, new flow keys
can be defined for packet length or MAC address, allowing users to search for a specific type of attack
in the network.
• Flexible NetFlow allows you to quickly identify how much application traffic is being sent between
hosts by specifically tracking TCP or UDP applications by the class of service (CoS) in the packets.
• The accounting of traffic entering a Multiprotocol Label Switching (MPLS) or IP core network and its
destination for each next hop per class of service. This capability allows the building of an edge-to-edge
traffic matrix.
The figure below is an example of how Flexible NetFlow might be deployed in a network.
Figure 1: Typical Deployment for Flexible NetFlow
Flexible NetFlow Components
Flexible NetFlow consists of components that can be used together in several variations to perform traffic
analysis and data export. The user-defined flow records and the component structure of Flexible NetFlow
facilitates the creation of various configurations for traffic analysis and data export on a networking device
with a minimum number of configuration commands. Each flow monitor can have a unique combination of
flow record, flow exporter, and cache type. If you change a parameter such as the destination IP address for
a flow exporter, it is automatically changed for all the flow monitors that use the flow exporter. The same
flow monitor can be used in conjunction with different flow samplers to sample the same type of network
traffic at different rates on different interfaces. The following sections provide more information on Flexible
NetFlow components:
Note
Starting from Cisco IOS XE Release 3.10S, the number of configurable flow record fields has been
increased from 32 to 40.
Flow Records
In Flexible NetFlow a combination of key and nonkey fields is called a record. Flexible NetFlow records are
assigned to Flexible NetFlow flow monitors to define the cache that is used for storing flow data. Flexible
NetFlow includes several predefined records that can help you get started using Flexible NetFlow.
A flow record defines the keys that Flexible NetFlow uses to identify packets in the flow, as well as other
fields of interest that Flexible NetFlow gathers for the flow. You can define a flow record with any combination
of keys and fields of interest. The switch supports a rich set of keys. A flow record also defines the types of
counters gathered per flow. You can configure 64-bit packet or byte counters. The switch enables the following
match fields as the defaults when you create a flow record:
• match datalink—Layer 2 attributes
• match flow direction—Specifies a match to the fields identifying the direction of flow.
• match interface—Interface attributes
• match ipv4—IPv4 attributes
• match ipv6—IPv6 attributes
• match transport—Transport layer fields
• match wireless—Wireless fields
Related Topics
Creating a Flow Record
NetFlow Predefined Records
Flexible NetFlow includes several predefined records that you can use to start monitoring traffic in your
network. The predefined records are available to help you quickly deploy Flexible NetFlow and are easier to
use than user-defined flow records. You can choose from a list of already defined records that may meet the
needs for network monitoring. As Flexible NetFlow evolves, popular user-defined flow records will be made
available as predefined records to make them easier to implement.
The predefined records ensure backward compatibility with your existing NetFlow collector configurations
for the data that is exported. Each of the predefined records has a unique combination of key and nonkey
fields that offer you the built-in ability to monitor various types of traffic in your network without customizing
Flexible NetFlow on your router.
Two of the predefined records (NetFlow original and NetFlow IPv4/IPv6 original output), which are functionally
equivalent, emulate original (ingress) NetFlow and the Egress NetFlow Accounting feature in original NetFlow,
respectively. Some of the other Flexible NetFlow predefined records are based on the aggregation cache
schemes available in original NetFlow. The Flexible NetFlow predefined records that are based on the
aggregation cache schemes available in original NetFlow do not perform aggregation. Instead each flow is
tracked separately by the predefined records.
User-Defined Records
Flexible NetFlow enables you to define your own records for a Flexible NetFlow flow monitor cache by
specifying the key and nonkey fields to customize the data collection to your specific requirements. When
you define your own records for a Flexible NetFlow flow monitor cache, they are referred to as user-defined
records. The values in nonkey fields are added to flows to provide additional information about the traffic in
the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for
nonkey fields are taken from only the first packet in the flow. Flexible NetFlow enables you to capture counter
values such as the number of bytes and packets in a flow as nonkey fields.
You can create user-defined records for applications such as QoS and bandwidth monitoring, application and
end user traffic profiling, and security monitoring for DDoS attacks. Flexible NetFlow also includes several
predefined records that emulate original NetFlow. Flexible NetFlow user-defined records provide the capability
to monitor a contiguous section of a packet of a user-configurable size, and use it in a flow record as a key or
a nonkey field along with other fields and attributes of the packet. The section may include any Layer 3 data
from the packet. The packet section fields allow the user to monitor any packet fields that are not covered by
the Flexible NetFlow predefined keys. The ability to analyze packet fields that are not collected with the
predefined keys enables more detailed traffic monitoring, facilitates the investigation of DDoS attacks, and
enables implementation of other security applications such as URL monitoring.
Flexible NetFlow provides predefined types of packet sections of a user-configurable size. The following
Flexible NetFlow commands (used in Flexible NetFlow flow record configuration mode) can be used to
configure the predefined types of packet sections:
• collect ipv4 section header size bytes --Starts capturing the number of bytes specified by the
bytes argument from the beginning of the IPv4 header of each packet.
• collect ipv4 section payload size bytes --Starts capturing bytes immediately after the IPv4 header from
each packet. The number of bytes captured is specified by the bytes argument.
• collect ipv6 section header size bytes --Starts capturing the number of bytes specified by the
bytes argument from the beginning of the IPv6 header of each packet.
• collect ipv6 section payload size bytes --Starts capturing bytes immediately after the IPv6 header from
each packet. The number of bytes captured is specified by the bytes argument.
The bytes values are the sizes in bytes of these fields in the flow record. If the corresponding fragment of the
packet is smaller than the requested section size, Flexible NetFlow will fill the rest of the section field in the
flow record with zeros. If the packet type does not match the requested section type, Flexible NetFlow will
fill the entire section field in the flow record with zeros.
Flexible NetFlow adds a new Version 9 export format field type for the header and packet section types.
Flexible NetFlow will communicate to the NetFlow collector the configured section sizes in the corresponding
Version 9 export template fields. The payload sections will have a corresponding length field that can be used
to collect the actual size of the collected section.
Note
In Cisco IOS Release 12.2(50)SY, packet sections and payloads are not supported.
Flexible NetFlow Match Parameters
The following table describes Flexible NetFlow match parameters. You must configure at least one of the
following match parameters for the flow records.
Table 1: Match Parameters

Command: match datalink {dot1q | ethertype | mac | vlan}
Purpose: Specifies a match to datalink or Layer 2 fields. The following command options are available:
• dot1q—Matches to the dot1q field.
• ethertype—Matches to the ethertype of the packet.
• mac—Matches the source or destination MAC fields.
• vlan—Matches to the VLAN that the packet is located on (input or output).

Command: match flow direction
Purpose: Specifies a match to the flow identifying fields.

Command: match interface {input | output}
Purpose: Specifies a match to the interface fields. The following command options are available:
• input—Matches to the input interface.
• output—Matches to the output interface.

Command: match ipv4 {destination | protocol | source | tos | ttl | version}
Purpose: Specifies a match to the IPv4 fields. The following command options are available:
• destination—Matches to the IPv4 destination address-based fields.
• protocol—Matches to the IPv4 protocols.
• source—Matches to the IPv4 source address-based fields.
• tos—Matches to the IPv4 Type of Service fields.
• ttl—Matches to the IPv4 Time To Live fields.
• version—Matches to the IP version from the IPv4 header.

Command: match ipv6 {destination | hop-limit | protocol | source | traffic-class | version}
Purpose: Specifies a match to the IPv6 fields. The following command options are available:
• destination—Matches to the IPv6 destination address-based fields.
• hop-limit—Matches to the IPv6 hop limit fields.
• protocol—Matches to the IPv6 payload protocol fields.
• source—Matches to the IPv6 source address-based fields.
• traffic-class—Matches to the IPv6 traffic class.
• version—Matches to the IP version from the IPv6 header.

Command: match transport {destination-port | igmp | icmp | source-port}
Purpose: Specifies a match to the Transport Layer fields. The following command options are available:
• destination-port—Matches to the transport destination port.
• icmp—Matches to ICMP fields, including ICMP IPv4 and IPv6 fields.
• igmp—Matches to IGMP fields.
• source-port—Matches to the transport source port.
Flexible NetFlow Collect Parameters
The following table describes the Flexible NetFlow collect parameters.
Table 2: Collect Parameters

Command: collect counter { bytes { layer2 { long } | long } | packets { long } }
Purpose: Collects the counter fields total bytes and total packets.

Command: collect interface {input | output}
Purpose: Collects the fields from the input or output interface.

Command: collect timestamp absolute {first | last}
Purpose: Collects the fields for the absolute time the first packet was seen or the absolute time the most
recent packet was last seen (in milliseconds).

Command: collect transport tcp flags
Purpose: Collects the following transport TCP flags:
• ack—TCP acknowledgement flag
• cwr—TCP congestion window reduced flag
• ece—TCP ECN echo flag
• fin—TCP finish flag
• psh—TCP push flag
• rst—TCP reset flag
• syn—TCP synchronize flag
• urg—TCP urgent flag
Note
On the switch, you cannot specify which TCP flag to collect. You can only specify to collect transport
TCP flags. All TCP flags will be collected with this command.
Flow Exporters
Flow exporters export the data in the flow monitor cache to a remote system, such as a server running NetFlow
collector, for analysis and storage. Flow exporters are created as separate entities in the configuration. Flow
exporters are assigned to flow monitors to provide data export capability for the flow monitors. You can create
several flow exporters and assign them to one or more flow monitors to provide several export destinations.
You can create one flow exporter and apply it to several flow monitors.
NetFlow Data Export Format Version 9
The basic output of NetFlow is a flow record. Several different formats for flow records have evolved as
NetFlow has matured. The most recent evolution of the NetFlow export format is known as Version 9. The
distinguishing feature of the NetFlow Version 9 export format is that it is template-based. Templates provide
an extensible design to the record format, a feature that should allow future enhancements to NetFlow services
without requiring concurrent changes to the basic flow-record format. Using templates provides several key
benefits:
• Third-party business partners who produce applications that provide collector or display services for
NetFlow do not have to recompile their applications each time a new NetFlow feature is added. Instead,
they should be able to use an external data file that documents the known template formats.
• New features can be added to NetFlow quickly without breaking current implementations.
• NetFlow is “future-proofed” against new or developing protocols because the Version 9 format can be
adapted to provide support for them.
The Version 9 export format consists of a packet header followed by one or more template flow or data flow
sets. A template flow set provides a description of the fields that will be present in future data flow sets. These
data flow sets may occur later within the same export packet or in subsequent export packets. Template flow
and data flow sets can be intermingled within a single export packet, as illustrated in the figure below.
Figure 2: Version 9 Export Packet
NetFlow Version 9 will periodically export the template data so the NetFlow collector will understand what
data is to be sent and also export the data flow set for the template. The key advantage to Flexible NetFlow
is that the user configures a flow record, which is effectively converted to a Version 9 template and then
forwarded to the collector. The figure below is a detailed example of the NetFlow Version 9 export format,
including the header, template flow, and data flow sets.
Figure 3: Detailed Example of the NetFlow Version 9 Export Format
For more information on the Version 9 export format, refer to the white paper titled Cisco IOS NetFlow
Version 9 Flow-Record Format, available at this URL:
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_white_paper09186a00800a3db9.shtml.
Flow Monitors
Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic
monitoring.
Flow monitors consist of a user-defined record, an optional flow exporter, and a cache that is automatically
created at the time the flow monitor is applied to the first interface.
Flow data is collected from the network traffic and added to the flow monitor cache during the monitoring
process based on the key and nonkey fields in the flow record.
Flexible NetFlow can be used to perform different types of analysis on the same traffic. In the figure below,
packet 1 is analyzed using a record designed for standard traffic analysis on the input interface and a record
designed for security analysis on the output interface.
Figure 4: Example of Using Two Flow Monitors to Analyze the Same Traffic
The figure below shows a more complex example of how you can apply different types of flow monitors with
custom records.
Figure 5: Complex Example of Using Multiple Types of Flow Monitors with Custom Records
There are three types of flow monitor caches. You change the type of cache used by the flow monitor after
you create the flow monitor. The three types of flow monitor caches are described in the following sections:
Normal
The default cache type is “normal”. In this mode, the entries in the cache are aged out according to the timeout
active and timeout inactive settings. When a cache entry is aged out, it is removed from the cache and exported
via any exporters configured.
Immediate
A cache of type "immediate" ages out every record as soon as it is created. As a result, every flow contains
just one packet. The commands that display the cache contents will provide a history of the packets seen.
This mode is desirable when you expect only very small flows and you want a minimum amount of latency
between seeing a packet and exporting a report.
Caution
This mode may result in a large amount of export data that can overload low-speed links and overwhelm
any systems that you are exporting to. We recommend that you configure sampling to reduce the number
of packets that are processed.
Note
The cache timeout settings have no effect in this mode.
Permanent
A cache of type "permanent" never ages out any flows. A permanent cache is useful when the number of
flows you expect to see is low and there is a need to keep long-term statistics on the router. For example, if
the only key field in the flow record is the 8-bit IP ToS field, only 256 flows can be monitored. To monitor
the long-term usage of the IP ToS field in the network traffic, you can use a permanent cache. Permanent
caches are useful for billing applications and for an edge-to-edge traffic matrix for a fixed set of flows that
are being tracked. Update messages will be sent periodically to any flow exporters configured according to
the "timeout update" setting.
Note
When a cache becomes full in permanent mode, new flows will not be monitored. If this occurs, a "Flows
not added" message will appear in the cache statistics.
Note
A permanent cache uses update counters rather than delta counters. This means that when a flow is exported,
the counters represent the totals seen for the full lifetime of the flow and not the additional packets and
bytes seen since the last export was sent.
Flow Samplers
Flow samplers are created as separate components in a router's configuration. Flow samplers are used to
reduce the load on the device that is running Flexible NetFlow by limiting the number of packets that are
selected for analysis.
Samplers use random sampling techniques (modes); that is, a randomly selected sampling position is used
each time a sample is taken.
Flow sampling exchanges monitoring accuracy for router performance. When you apply a sampler to a flow
monitor, the overhead load on the router of running the flow monitor is reduced because the number of packets
that the flow monitor must analyze is reduced. The reduction in the number of packets that are analyzed by
the flow monitor causes a corresponding reduction in the accuracy of the information stored in the flow
monitor’s cache.
Samplers are combined with flow monitors when they are applied to an interface with the ip flow monitor
command.
Supported Flexible NetFlow Fields
The following tables provide a consolidated list of supported fields in Flexible NetFlow (FNF) for various
traffic types and traffic direction.
Note: If the packet has a VLAN field, then that length is not accounted for.

Key fields

Field                          | L2 In | L2 Out | IPv4 In | IPv4 Out | IPv6 In | IPv6 Out | Notes
-------------------------------+-------+--------+---------+----------+---------+----------+---------------------------
Interface input                | Yes   | —      | Yes     | —        | Yes     | —        | (1)
Interface output               | —     | Yes    | —       | Yes      | —       | Yes      | (2)
Flow direction                 | Yes   | Yes    | Yes     | Yes      | Yes     | Yes      |
Ethertype                      | Yes   | Yes    | —       | —        | —       | —        |
VLAN input                     | Yes   | —      | Yes     | —        | Yes     | —        | (3)
VLAN output                    | —     | Yes    | —       | Yes      | —       | Yes      | (3)
dot1q VLAN input               | Yes   | —      | Yes     | —        | Yes     | —        | (3)
dot1q VLAN output              | —     | Yes    | —       | Yes      | —       | Yes      | (3)
dot1q priority                 | Yes   | Yes    | Yes     | Yes      | Yes     | Yes      | (3)
MAC source address input       | Yes   | Yes    | Yes     | Yes      | Yes     | Yes      |
MAC source address output      | —     | —      | —       | —        | —       | —        |
MAC destination address input  | Yes   | —      | Yes     | —        | Yes     | —        |
MAC destination address output | —     | Yes    | —       | Yes      | —       | Yes      |
IPv4 version                   | —     | —      | Yes     | Yes      | Yes     | Yes      |
IPv4 TOS                       | —     | —      | Yes     | Yes      | Yes     | Yes      |
IPv4 protocol                  | —     | —      | Yes     | Yes      | Yes     | Yes      | (4)
IPv4 TTL                       | —     | —      | Yes     | Yes      | Yes     | Yes      |
IPv4 source address            | —     | —      | Yes     | Yes      | —       | —        |
IPv4 destination address       | —     | —      | Yes     | Yes      | —       | —        |
ICMP IPv4 type                 | —     | —      | Yes     | Yes      | —       | —        |
ICMP IPv4 code                 | —     | —      | Yes     | Yes      | —       | —        |
IGMP type                      | —     | —      | Yes     | Yes      | —       | —        |
IPv6 version                   | —     | —      | Yes     | Yes      | Yes     | Yes      | Same as IP version.
IPv6 protocol                  | —     | —      | Yes     | Yes      | Yes     | Yes      | Same as IP protocol; (4)
IPv6 source address            | —     | —      | —       | —        | Yes     | Yes      |
IPv6 destination address       | —     | —      | —       | —        | Yes     | Yes      |
IPv6 traffic-class             | —     | —      | Yes     | Yes      | Yes     | Yes      | Same as IP TOS.
IPv6 hop-limit                 | —     | —      | Yes     | Yes      | Yes     | Yes      | Same as IP TTL.
ICMP IPv6 type                 | —     | —      | —       | —        | Yes     | Yes      |
ICMP IPv6 code                 | —     | —      | —       | —        | Yes     | Yes      |
source-port                    | —     | —      | Yes     | Yes      | Yes     | Yes      |
dest-port                      | —     | —      | Yes     | Yes      | Yes     | Yes      |

(1) If you apply a flow monitor in the input direction, use the match keyword with the input interface as a key field, and use the collect keyword with the output interface as a collect field. The output interface field will be present in the exported records but with a value of 0.
(2) If you apply a flow monitor in the output direction, use the match keyword with the output interface as a key field, and use the collect keyword with the input interface as a collect field. The input interface field will be present in the exported records but with a value of 0.
(3) Supported only for a switch port.
(4) Must be used if any of source/destination port, ICMP code/type, IGMP type, or TCP flags are used.

Collect fields

Field                    | L2 In | L2 Out | IPv4 In | IPv4 Out | IPv6 In | IPv6 Out | Notes
-------------------------+-------+--------+---------+----------+---------+----------+---------------------------
Bytes long               | Yes   | Yes    | Yes     | Yes      | Yes     | Yes      | (5)
Packets long             | Yes   | Yes    | Yes     | Yes      | Yes     | Yes      |
Timestamp absolute first | Yes   | Yes    | Yes     | Yes      | Yes     | Yes      |
Timestamp absolute last  | Yes   | Yes    | Yes     | Yes      | Yes     | Yes      |
TCP flags                | Yes   | Yes    | Yes     | Yes      | Yes     | Yes      | Collects all flags.
Bytes layer2 long        | Yes   | Yes    | Yes     | Yes      | Yes     | Yes      |

(5) Packet size = Ethernet frame size including FCS minus 18 bytes. Recommended: avoid this field and use Bytes layer2 long.
Default Settings
The following table lists the Flexible NetFlow default settings for the switch.
Table 3: Default Flexible NetFlow Settings

Setting               | Default
----------------------+-------------
Flow active timeout   | 1800 seconds
Flow inactive timeout | 15 seconds
How to Configure
To configure Flexible NetFlow, follow these general steps:
1 Create a flow record by specifying keys and non-key fields to the flow.
2 Create an optional flow exporter by specifying the protocol and transport destination port, destination,
and other parameters.
3 Create a flow monitor based on the flow record and flow exporter.
4 Create an optional sampler.
5 Apply the flow monitor to a Layer 2 port, Layer 3 port, or VLAN.
6 If applicable to your configuration, configure a WLAN to apply a flow monitor to.
Configuring a Customized Flow Record
Perform this task to configure a customized flow record.
Customized flow records are used to analyze traffic data for a specific purpose. A customized flow record
must have at least one match criterion for use as the key field and typically has at least one collect criterion
for use as a nonkey field.
There are hundreds of possible permutations of customized flow records. This task shows the steps that are
used to create one of the possible permutations. Modify the steps in this task as appropriate to create a
customized flow record for your requirements.
SUMMARY STEPS
1. enable
2. configure terminal
3. flow record record-name
4. description description
5. match {ipv4 | ipv6} {destination | source} address
6. Repeat Step 5 as required to configure additional key fields for the record.
7. collect interface {input | output}
8. Repeat Step 7 as required to configure additional nonkey fields for the record.
9. end
10. show flow record record-name
11. show running-config flow record record-name

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
Device# configure terminal

Step 3: flow record record-name
Creates a flow record and enters Flexible NetFlow flow record configuration mode. This command also allows you to modify an existing flow record.
Example:
Device(config)# flow record FLOW-RECORD-1

Step 4: description description
(Optional) Creates a description for the flow record.
Example:
Device(config-flow-record)# description Used for basic traffic analysis

Step 5: match {ipv4 | ipv6} {destination | source} address
Configures a key field for the flow record.
Note: This example configures the IPv4 destination address as a key field for the record. For information about the other key fields available for the match ipv4 command, and the other match commands that are available to configure key fields, refer to the Cisco IOS Flexible NetFlow Command Reference.
Example:
Device(config-flow-record)# match ipv4 destination address

Step 6: Repeat Step 5 as required to configure additional key fields for the record.

Step 7: collect interface {input | output}
Configures the input interface as a nonkey field for the record.
Note: This example configures the input interface as a nonkey field for the record. For information on the other collect commands that are available to configure nonkey fields, refer to the Cisco IOS Flexible NetFlow Command Reference.
Example:
Device(config-flow-record)# collect interface input

Step 8: Repeat Step 7 as required to configure additional nonkey fields for the record.

Step 9: end
Exits Flexible NetFlow flow record configuration mode and returns to privileged EXEC mode.
Example:
Device(config-flow-record)# end

Step 10: show flow record record-name
(Optional) Displays the current status of the specified flow record.
Example:
Device# show flow record FLOW-RECORD-1

Step 11: show running-config flow record record-name
(Optional) Displays the configuration of the specified flow record.
Example:
Device# show running-config flow record FLOW-RECORD-1
Creating a Flow Exporter
You can create a flow exporter to define the export parameters for a flow monitor.

Note: Each flow exporter supports only one destination. If you want to export the data to multiple destinations, you must configure multiple flow exporters and assign them to the flow monitor. The destination can be an IPv4 or an IPv6 address. Export packets are plain UDP with no authentication or encryption, so source them from an interface on a management network and have the collector accept them only from the exporter's configured source address.
SUMMARY STEPS
1. configure terminal
2. flow exporter name
3. description string
4. destination {ipv4-address | ipv6-address}
5. dscp value
6. source source-type
7. transport udp number
8. ttl value
9. export-protocol {netflow-v9 | ipfix}
10. end
11. show flow exporter [name exporter-name]
12. copy running-config startup-config

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
Switch# configure terminal

Step 2: flow exporter name
Creates a flow exporter and enters flow exporter configuration mode.
Example:
Switch(config)# flow exporter ExportTest

Step 3: description string
(Optional) Describes this flow exporter with a string of up to 63 characters.
Example:
Switch(config-flow-exporter)# description ExportV9

Step 4: destination {ipv4-address | ipv6-address}
Sets the IPv4 or IPv6 destination address or hostname for this exporter.
Example:
Switch(config-flow-exporter)# destination 192.0.2.1            (IPv4 destination)
Switch(config-flow-exporter)# destination 2001:0:0:24::10      (IPv6 destination)

Step 5: dscp value
(Optional) Specifies the differentiated services codepoint value. The range is from 0 to 63. The default is 0.
Example:
Switch(config-flow-exporter)# dscp 0

Step 6: source source-type
(Optional) Specifies the interface to use to reach the NetFlow collector at the configured destination. The following interface types can be configured as the source:
• Auto-Template: Auto-Template interface
• Capwap: CAPWAP tunnel interface
• GigabitEthernet: Gigabit Ethernet IEEE 802
• GroupVI: Group virtual interface
• Internal Interface: Internal interface
• Loopback: Loopback interface
• Null: Null interface
• Port-channel: Ethernet Channel of interfaces
• TenGigabitEthernet: 10-Gigabit Ethernet
• Tunnel: Tunnel interface
• Vlan: Catalyst VLANs
Example:
Switch(config-flow-exporter)# source gigabitEthernet1/0/1

Step 7: transport udp number
(Optional) Specifies the UDP port to use to reach the NetFlow collector. The range is from 0 to 65535. For the IPFIX export protocol, the default destination port is 4739.
Example:
Switch(config-flow-exporter)# transport udp 200

Step 8: ttl value
(Optional) Configures the time-to-live (TTL) value for datagrams sent by the exporter. The range is from 1 to 255 hops. The default is 255.
Example:
Switch(config-flow-exporter)# ttl 210

Step 9: export-protocol {netflow-v9 | ipfix}
Specifies the version of the NetFlow export protocol used by the exporter. The default is netflow-v9.
Example:
Switch(config-flow-exporter)# export-protocol netflow-v9

Step 10: end
Returns to privileged EXEC mode.
Example:
Switch(config-flow-exporter)# end

Step 11: show flow exporter [name exporter-name]
(Optional) Displays information about NetFlow flow exporters.
Example:
Switch# show flow exporter ExportTest

Step 12: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config startup-config
What to Do Next
Define a flow monitor based on the flow record and flow exporter.
Related Topics
Exporters
Example: Configuring a Flow, on page 37
Example: Monitoring IPv4 ingress traffic, on page 38
Example: Monitoring IPv4 egress traffic, on page 39
Creating a Customized Flow Monitor
Perform this required task to create a customized flow monitor.
Each flow monitor has a separate cache assigned to it. Each flow monitor requires a record to define the
contents and layout of its cache entries. These record formats can be one of the predefined formats or a
user-defined format. An advanced user can create a customized format using the flow record command.
Before You Begin
If you want to use a customized record instead of using one of the Flexible NetFlow predefined records, you
must create the customized record before you can perform this task. If you want to add a flow exporter to the
flow monitor for data export, you must create the exporter before you can complete this task.
Note: You must use the no ip flow monitor command to remove a flow monitor from all of the interfaces to which you have applied it before you can modify the parameters for the record command on the flow monitor. For information about the ip flow monitor command, refer to the Cisco IOS Flexible NetFlow Command Reference.
SUMMARY STEPS
1. enable
2. configure terminal
3. flow monitor monitor-name
4. description description
5. record {record-name | netflow-original | netflow {ipv4 | ipv6} record [peer]}
6. cache {entries number | timeout {active | inactive | update} seconds | type {immediate | normal | permanent}}
7. Repeat Step 6 as required to finish modifying the cache parameters for this flow monitor.
8. statistics packet protocol
9. statistics packet size
10. exporter exporter-name
11. end
12. show flow monitor [[name] monitor-name [cache [format {csv | record | table}]] [statistics]]
13. show running-config flow monitor monitor-name
14. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
Switch# configure terminal

Step 3: flow monitor monitor-name
Creates a flow monitor and enters Flexible NetFlow flow monitor configuration mode. This command also allows you to modify an existing flow monitor.
Example:
Switch(config)# flow monitor FLOW-MONITOR-1

Step 4: description description
(Optional) Creates a description for the flow monitor.
Example:
Switch(config-flow-monitor)# description Used for basic ipv4 traffic analysis

Step 5: record {record-name | netflow-original | netflow {ipv4 | ipv6} record [peer]}
Specifies the record for the flow monitor.
Example:
Switch(config-flow-monitor)# record FLOW-RECORD-1

Step 6: cache {entries number | timeout {active | inactive | update} seconds | type {immediate | normal | permanent}}
Associates a flow cache with the specified flow monitor.
Note: The values for the keywords associated with the timeout keyword have no effect when the cache type is set to immediate.
Example:
Switch(config-flow-monitor)# cache type normal

Step 7: Repeat Step 6 as required to finish modifying the cache parameters for this flow monitor.

Step 8: statistics packet protocol
(Optional) Enables the collection of protocol distribution statistics for Flexible NetFlow monitors.
Example:
Switch(config-flow-monitor)# statistics packet protocol

Step 9: statistics packet size
(Optional) Enables the collection of size distribution statistics for Flexible NetFlow monitors.
Example:
Switch(config-flow-monitor)# statistics packet size

Step 10: exporter exporter-name
(Optional) Specifies the name of an exporter that was created previously.
Example:
Switch(config-flow-monitor)# exporter EXPORTER-1

Step 11: end
Exits Flexible NetFlow flow monitor configuration mode and returns to privileged EXEC mode.
Example:
Switch(config-flow-monitor)# end

Step 12: show flow monitor [[name] monitor-name [cache [format {csv | record | table}]] [statistics]]
(Optional) Displays the status and statistics for a Flexible NetFlow flow monitor.
Example:
Switch# show flow monitor FLOW-MONITOR-1 cache

Step 13: show running-config flow monitor monitor-name
(Optional) Displays the configuration of the specified flow monitor.
Example:
Switch# show running-config flow monitor FLOW-MONITOR-1

Step 14: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config startup-config
Configuring and Enabling Flow Sampling
Perform this task to configure and enable a flow sampler. A sampler is optional; apply one only where the full packet load of a flow monitor would be too costly for the device.

Note: When you specify the "NetFlow original", "NetFlow IPv4 original input", or "NetFlow IPv6 original input" predefined record for the flow monitor to emulate original NetFlow, the flow monitor can be used only for analyzing input (ingress) traffic. When you specify the "NetFlow IPv4 original output" or "NetFlow IPv6 original output" predefined record for the flow monitor to emulate the Egress NetFlow Accounting feature, the flow monitor can be used only for analyzing output (egress) traffic.

SUMMARY STEPS
1. enable
2. configure terminal
3. sampler sampler-name
4. description description
5. mode random 1 out-of window-size
6. exit
7. interface type number
8. {ip | ipv6} flow monitor monitor-name [sampler sampler-name] {input | output}
9. end
10. show sampler sampler-name

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
Device# configure terminal

Step 3: sampler sampler-name
Creates a sampler and enters sampler configuration mode. This command also allows you to modify an existing sampler.
Example:
Device(config)# sampler SAMPLER-1

Step 4: description description
(Optional) Creates a description for the flow sampler.
Example:
Device(config-sampler)# description Sample at 50%

Step 5: mode random 1 out-of window-size
Specifies the sampler mode and the flow sampler window size. The window-size argument takes a value from 2 to 32768 (some platforms cap it at 1024; confirm the accepted range with mode random 1 out-of ?). Counters in the flow cache then reflect only the sampled packets.
Example:
Device(config-sampler)# mode random 1 out-of 2

Step 6: exit
Exits sampler configuration mode and returns to global configuration mode.
Example:
Device(config-sampler)# exit

Step 7: interface type number
Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface GigabitEthernet 0/0/0

Step 8: {ip | ipv6} flow monitor monitor-name [sampler sampler-name] {input | output}
Assigns the flow monitor and the flow sampler that you created to the interface to enable sampling.
Example:
Device(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input

Step 9: end
Exits interface configuration mode and returns to privileged EXEC mode.
Example:
Device(config-if)# end

Step 10: show sampler sampler-name
Displays the status and statistics of the flow sampler that you configured and enabled.
Example:
Device# show sampler SAMPLER-1
Applying a Flow to an Interface
You can apply a flow monitor and an optional sampler to an interface.
SUMMARY STEPS
1. configure terminal
2. interface type number
3. {ip | ipv6} flow monitor monitor-name [sampler sampler-name] {input | output}
4. end
5. show flow interface [interface-type number]
6. copy running-config startup-config

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
Switch# configure terminal

Step 2: interface type number
Enters interface configuration mode for the specified interface. Interface types include:
• GigabitEthernet: Gigabit Ethernet IEEE 802
• Loopback: Loopback interface
• TenGigabitEthernet: 10-Gigabit Ethernet
• Vlan: Catalyst VLANs
• Range: Interface range
• WLAN: WLAN interface
Flexible NetFlow is not supported on a Layer 2 port-channel interface, but is supported on its Layer 2 member ports. Flexible NetFlow is not supported on Layer 3 port-channel member ports, but is supported on the Layer 3 port-channel interface itself.
Example:
Switch(config)# interface GigabitEthernet1/0/1

Step 3: {ip | ipv6} flow monitor monitor-name [sampler sampler-name] {input | output}
Associates an IPv4 or an IPv6 flow monitor, and an optional sampler, with the interface for input or output packets.
Example:
Switch(config-if)# ip flow monitor MonitorTest input

Step 4: end
Returns to privileged EXEC mode.
Example:
Switch(config-if)# end

Step 5: show flow interface [interface-type number]
(Optional) Displays information about NetFlow on an interface.
Example:
Switch# show flow interface

Step 6: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config startup-config
Configuring a Bridged NetFlow on a VLAN
You can apply a flow monitor and an optional sampler to a VLAN.
SUMMARY STEPS
1. configure terminal
2. vlan [configuration] vlan-id
3. ip flow monitor monitor-name [sampler sampler-name] {input | output}
4. copy running-config startup-config

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
Switch# configure terminal

Step 2: vlan [configuration] vlan-id
Enters VLAN or VLAN configuration mode.
Example:
Switch(config)# vlan configuration 30
Switch(config-vlan-config)#

Step 3: ip flow monitor monitor-name [sampler sampler-name] {input | output}
Associates a flow monitor and an optional sampler with the VLAN for input or output packets.
Example:
Switch(config-vlan-config)# ip flow monitor MonitorTest input

Step 4: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config startup-config
Configuring Layer 2 NetFlow
You can define Layer 2 keys in Flexible NetFlow records that you can use to capture flows in Layer 2 interfaces.
SUMMARY STEPS
1. configure terminal
2. flow record name
3. match datalink {dot1q | ethertype | mac | vlan}
4. end
5. show flow record [name]
6. copy running-config startup-config

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
Switch# configure terminal

Step 2: flow record name
Creates a flow record and enters flow record configuration mode.
Example:
Switch(config)# flow record L2_record
Switch(config-flow-record)#

Step 3: match datalink {dot1q | ethertype | mac | vlan}
Specifies the Layer 2 attribute as a key field.
Example:
Switch(config-flow-record)# match datalink ethertype

Step 4: end
Returns to privileged EXEC mode.
Example:
Switch(config-flow-record)# end

Step 5: show flow record [name]
(Optional) Displays information about NetFlow flow records.
Example:
Switch# show flow record

Step 6: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config startup-config
Configuring WLAN to Apply Flow Monitor in Data Link Input/Output Direction
SUMMARY STEPS
1. configure terminal
2. wlan {wlan-name wlan-id SSID_NetworkName | wlan-name | shutdown}
3. datalink flow monitor monitor-name {input | output}
4. end
5. show run wlan wlan-name

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
Switch# configure terminal

Step 2: wlan {wlan-name wlan-id SSID_NetworkName | wlan-name | shutdown}
Enters WLAN configuration submode. wlan-id is the wireless LAN identifier; the range is 1 to 64. SSID_NetworkName is the SSID, which can contain up to 32 alphanumeric characters.
Note: If you have already configured this WLAN, enter the wlan wlan-name command.
Example:
Switch(config)# wlan wlan1

Step 3: datalink flow monitor monitor-name {input | output}
Applies the flow monitor to Layer 2 traffic in the direction of interest.
Example:
Switch(config-wlan)# datalink flow monitor flow-monitor-1 input

Step 4: end
Returns to privileged EXEC mode.
Example:
Switch(config-wlan)# end

Step 5: show run wlan wlan-name
(Optional) Verifies your configuration.
Example:
Switch# show run wlan wlan1
Configuring WLAN to Apply Flow Monitor in IPv4 and IPv6 Input/Output Direction

SUMMARY STEPS
1. configure terminal
2. wlan {wlan-name wlan-id SSID_NetworkName | wlan-name | shutdown}
3. {ip | ipv6} flow monitor monitor-name {input | output}
4. end
5. show run wlan wlan-name

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
Switch# configure terminal

Step 2: wlan {wlan-name wlan-id SSID_NetworkName | wlan-name | shutdown}
Enters WLAN configuration submode. wlan-id is the wireless LAN identifier; the range is 1 to 64. SSID_NetworkName is the SSID, which can contain up to 32 alphanumeric characters.
Note: If you have already configured this WLAN, enter the wlan wlan-name command.
Example:
Switch(config)# wlan wlan1

Step 3: {ip | ipv6} flow monitor monitor-name {input | output}
Associates an IPv4 or IPv6 flow monitor with the WLAN for input or output packets.
Example:
Switch(config-wlan)# ip flow monitor flow-monitor-1 input

Step 4: end
Returns to privileged EXEC mode.
Example:
Switch(config-wlan)# end

Step 5: show run wlan wlan-name
(Optional) Verifies your configuration.
Example:
Switch# show run wlan wlan1
Related Topics
Wireless Flexible NetFlow Overview, on page 4
Example: Configuring IPv4 Flexible NetFlow in WLAN (Ingress Direction), on page 40
Example: Configuring IPv6 and Transport Flag Flexible NetFlow in WLAN (Egress Direction), on page
40
Example: Configuring IPv6 Flexible NetFlow in WLAN (Both Ingress and Egress Directions), on page
41
Monitoring Flexible NetFlow
The commands in the following table can be used to monitor Flexible NetFlow.

Table 4: Flexible NetFlow Monitoring Commands

Command                                                                   | Purpose
--------------------------------------------------------------------------+-------------------------------------------------------------------------
show flow exporter [broker | export-ids | name | statistics | templates]  | Displays information about NetFlow flow exporters and statistics.
show flow exporter [name exporter-name]                                   | Displays information and statistics for the named flow exporter.
show flow interface                                                       | Displays information about NetFlow interfaces.
show flow monitor [name monitor-name]                                     | Displays information about NetFlow flow monitors and statistics.
show flow monitor statistics                                              | Displays the statistics for the flow monitor.
show flow monitor cache format {table | record | csv}                     | Displays the contents of the cache for the flow monitor, in the format specified.
show flow record [name record-name]                                       | Displays information about NetFlow flow records.
show flow ssid                                                            | Displays NetFlow monitor installation status for a WLAN.
show sampler [broker | name sampler-name]                                 | Displays information about NetFlow samplers.
show wlan wlan-name                                                       | Displays the WLAN configured on the device.
Configuration Examples for Flexible NetFlow
Example: Configuring a Flow
This example shows how to create a flow exporter, a flow record, and a flow monitor, and apply the monitor to an interface:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# flow exporter export1
Switch(config-flow-exporter)# destination 10.0.101.254
Switch(config-flow-exporter)# transport udp 2055
Switch(config-flow-exporter)# exit
Switch(config)# flow record record1
Switch(config-flow-record)# match ipv4 source address
Switch(config-flow-record)# match ipv4 destination address
Switch(config-flow-record)# match ipv4 protocol
Switch(config-flow-record)# match transport source-port
Switch(config-flow-record)# match transport destination-port
Switch(config-flow-record)# collect counter bytes long
Switch(config-flow-record)# collect counter packets long
Switch(config-flow-record)# collect timestamp absolute first
Switch(config-flow-record)# collect timestamp absolute last
Switch(config-flow-record)# exit
Switch(config)# flow monitor monitor1
Switch(config-flow-monitor)# record record1
Switch(config-flow-monitor)# exporter export1
Switch(config-flow-monitor)# exit
Switch(config)# interface tenGigabitEthernet 1/0/1
Switch(config-if)# ip flow monitor monitor1 input
Switch(config-if)# end
Related Topics
Creating a Flow Exporter, on page 22
Exporters
Creating a Flow Monitor
Monitors
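The exporter in the example above sends NetFlow v9 (the default export-protocol) over plain UDP: a template FlowSet describing the layout of record1, re-sent on the template data timeout, and data FlowSets that a collector can only decode once it holds that template. The following Python decoder is an added example, not Cisco code and not part of the original guide. It shows that dependency end to end: data that arrives before the template is counted as undecodable, and the same data decodes after the template refresh. The packets are constructed here; the field type IDs are the standard NetFlow v9/IPFIX ones, and the use of IDs 152/153 (flowStart/EndMilliseconds) for "timestamp absolute first/last", the template ID 256 and the source ID 0x100 are assumptions for the example.

```python
import struct
from ipaddress import IPv4Address

# Added example, not Cisco code: a minimal NetFlow v9 decoder for a collector.
# Field type IDs are the NetFlow v9/IPFIX ones; 152/153 (flowStart/EndMilliseconds)
# are assumed here to carry the record's "timestamp absolute first/last".
FIELD_NAMES = {
    1: "bytes", 2: "packets", 4: "protocol", 7: "src_port", 8: "src_addr",
    11: "dst_port", 12: "dst_addr", 152: "first_ms", 153: "last_ms",
}
HEADER_FMT = "!HHIIII"                    # version, count, sysUptime, unixSecs, sequence, sourceId
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20 bytes
TEMPLATE_ID = 256                         # data FlowSet IDs start at 256; ID 0 is the template FlowSet
RECORD1_TEMPLATE = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2),   # the key fields of record1
                    (1, 8), (2, 8), (152, 8), (153, 8)]         # bytes/packets long, first/last


def decode_field(ftype, raw):
    """IPv4 address fields become dotted strings; everything else is a big-endian integer."""
    if ftype in (8, 12):
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")


class NetflowV9Decoder:
    """Caches templates per (source ID, template ID) and decodes data FlowSets against them."""

    def __init__(self):
        self.templates = {}
        self.undecodable = 0   # data FlowSets that arrived before their template

    def feed(self, packet):
        """Decode one export datagram; returns the flow records it could decode."""
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from(HEADER_FMT, packet)
        if version != 9:
            raise ValueError(f"expected NetFlow v9, got version {version}")
        records, offset = [], HEADER_LEN
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
            if fs_len < 4:
                raise ValueError("malformed FlowSet length")
            body = packet[offset + 4:offset + fs_len]
            if fs_id == 0:
                self._learn_templates(source_id, body)
            elif fs_id >= 256:               # IDs 1..255 (options templates) are ignored here
                records.extend(self._decode_data(source_id, fs_id, body))
            offset += fs_len
        return records

    def _learn_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            pos += 4
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.undecodable += 1            # nothing to do until a template refresh arrives
            return []
        rec_len = sum(flen for _, flen in fields)
        out, pos = [], 0
        while pos + rec_len <= len(body):    # trailing bytes shorter than a record are padding
            rec = {}
            for ftype, flen in fields:
                rec[FIELD_NAMES.get(ftype, f"type_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                pos += flen
            out.append(rec)
        return out


# Constructed packets standing in for what the exporter "export1" above would send.
def template_flowset():
    body = struct.pack("!HH", TEMPLATE_ID, len(RECORD1_TEMPLATE))
    body += b"".join(struct.pack("!HH", t, l) for t, l in RECORD1_TEMPLATE)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(flows):
    body = b""
    for f in flows:
        body += IPv4Address(f["src_addr"]).packed + IPv4Address(f["dst_addr"]).packed
        body += struct.pack("!BHHQQQQ", f["protocol"], f["src_port"], f["dst_port"],
                            f["bytes"], f["packets"], f["first_ms"], f["last_ms"])
    body += b"\x00" * (-len(body) % 4)       # FlowSets are padded to a 32-bit boundary
    return struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body


def packet(flowsets, count, seq, source_id=0x100):
    return struct.pack(HEADER_FMT, 9, count, 123456, 1700000000, seq, source_id) + b"".join(flowsets)


SAMPLE_FLOW = {"src_addr": "10.1.1.5", "dst_addr": "10.0.101.254", "protocol": 6,
               "src_port": 51514, "dst_port": 2055, "bytes": 1500, "packets": 3,
               "first_ms": 1700000000000, "last_ms": 1700000000500}


def demo():
    """Data before its template is lost; after the template refresh the same data decodes."""
    dec = NetflowV9Decoder()
    early = dec.feed(packet([data_flowset([SAMPLE_FLOW])], count=1, seq=1))
    dec.feed(packet([template_flowset()], count=1, seq=2))
    late = dec.feed(packet([data_flowset([SAMPLE_FLOW])], count=1, seq=3))
    return early, late, dec.undecodable
```

The gap between a collector (re)start and the next template refresh is exactly the template data timeout configured on the exporter, so a long timeout means a long blind spot; the undecodable counter is the number you would alert on. Templates are keyed by source ID as well as template ID because two exporters on different devices may both use template 256 for different records.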
Example: Monitoring IPv4 ingress traffic
This example shows how to monitor IPv4 ingress traffic (int g1/0/11 sends traffic to int g1/0/36 and int
g3/0/11).
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# flow record fr-1
Switch(config-flow-record)# match ipv4 source address
Switch(config-flow-record)# match ipv4 destination address
Switch(config-flow-record)# match interface input
Switch(config-flow-record)# collect counter bytes long
Switch(config-flow-record)# collect counter packets long
Switch(config-flow-record)# collect timestamp absolute first
Switch(config-flow-record)# collect timestamp absolute last
Switch(config-flow-record)# collect counter bytes layer2 long
Switch(config-flow-record)# exit
Switch(config)# flow exporter
Switch(config-flow-exporter)#
Switch(config-flow-exporter)#
Switch(config-flow-exporter)#
Switch(config-flow-exporter)#
Switch(config-flow-exporter)#
Switch(config-flow-exporter)#
fe-ipfix6
destination 2001:0:0:24::10
source Vlan106
transport udp 4739
export-protocol ipfix
template data timeout 240
exit
Switch(config)# flow exporter fe-ipfix
Switch(config-flow-exporter)# description IPFIX format collector 100.0.0.80
Switch(config-flow-exporter)# destination 100.0.0.80
Switch(config-flow-exporter)# dscp 30
Switch(config-flow-exporter)# ttl 210
Switch(config-flow-exporter)# transport udp 4739
Switch(config-flow-exporter)# export-protocol ipfix
Switch(config-flow-exporter)# template data timeout 240
Switch(config-flow-exporter)# exit
Switch(config)# flow exporter fe-1
Switch(config-flow-exporter)# destination 10.5.120.16
Switch(config-flow-exporter)# source Vlan105
Switch(config-flow-exporter)# dscp 32
Switch(config-flow-exporter)# ttl 200
Switch(config-flow-exporter)# transport udp 2055
Switch(config-flow-exporter)# template data timeout 240
Switch(config-flow-exporter)# exit
Switch(config)# flow monitor fm-1
Switch(config-flow-monitor)# exporter fe-ipfix6
Switch(config-flow-monitor)# exporter fe-ipfix
Switch(config-flow-monitor)# exporter fe-1
Switch(config-flow-monitor)# cache timeout inactive 60
Switch(config-flow-monitor)# cache timeout active 180
Switch(config-flow-monitor)# record fr-1
Switch(config-flow-monitor)# end
Switch# show running-config interface g1/0/11
Switch# show running-config interface g1/0/36
Switch# show running-config interface g3/0/11
Switch# show flow monitor fm-1 cache format table
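The fm-1 monitor above ages its cache with cache timeout active 180 and cache timeout inactive 60. The record's match fields decide which packets share a cache entry, and the collect fields are what each exported record carries. The following Python example is added here and is not from this guide or from Cisco IOS: it simulates that cache on constructed traffic to show how a long transfer is split into successive records at the active timeout, while a short exchange is released by the inactive timeout. The interface name Gi1/0/11, the addresses and the packet timings are constructed, and dropping the entry at the active timeout (instead of resetting its counters in place) is a simplifying assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# fr-1 key fields: ipv4 source address, ipv4 destination address, interface input
FlowKey = Tuple[str, str, str]


@dataclass
class FlowEntry:
    first_seen: int     # collect timestamp absolute first
    last_seen: int      # collect timestamp absolute last
    packets: int = 0    # collect counter packets long
    octets: int = 0     # collect counter bytes long


class FlowCache:
    """Simulated monitor cache with the fm-1 timeouts (active 180 s, inactive 60 s)."""

    def __init__(self, active_timeout=180, inactive_timeout=60):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.cache: Dict[FlowKey, FlowEntry] = {}
        self.exported: List[dict] = []

    def _export(self, key, entry, reason):
        self.exported.append({"src": key[0], "dst": key[1], "ifname": key[2],
                              "first": entry.first_seen, "last": entry.last_seen,
                              "packets": entry.packets, "octets": entry.octets,
                              "reason": reason})

    def age(self, now):
        """Expire entries idle past the inactive timeout or open past the active timeout."""
        for key, entry in list(self.cache.items()):
            if now - entry.last_seen >= self.inactive_timeout:
                self._export(key, entry, "inactive")
                del self.cache[key]
            elif now - entry.first_seen >= self.active_timeout:
                # Long-lived flow: export what was counted so far; the next packet
                # starts a fresh record (assumption: entry dropped rather than reset).
                self._export(key, entry, "active")
                del self.cache[key]

    def observe(self, now, src, dst, ifname, size):
        self.age(now)
        key = (src, dst, ifname)
        entry = self.cache.get(key)
        if entry is None:
            entry = self.cache[key] = FlowEntry(first_seen=now, last_seen=now)
        entry.packets += 1
        entry.octets += size
        entry.last_seen = now

    def flush(self, now):
        """Export everything still cached (e.g. when the monitor is removed)."""
        for key, entry in list(self.cache.items()):
            self._export(key, entry, "final")
        self.cache.clear()
        return self.exported


def demo():
    """Constructed traffic: a 400 s transfer and a two-packet exchange on Gi1/0/11."""
    packets = [(t, "10.1.1.5", "10.2.2.9", "Gi1/0/11", 1000) for t in range(0, 401, 10)]
    packets += [(0, "10.1.1.6", "10.2.2.9", "Gi1/0/11", 80),
                (5, "10.1.1.6", "10.2.2.9", "Gi1/0/11", 80)]
    packets.sort(key=lambda p: p[0])   # stable sort keeps the long flow first at t=0
    cache = FlowCache()
    for pkt in packets:
        cache.observe(*pkt)
    return cache.flush(401)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The run produces four records: the short exchange leaves the cache 60 seconds after its last packet, and the 400-second transfer is reported as three records of at most 180 seconds each. When a collector is used to reconstruct a session, records sharing the same key fields therefore have to be joined on their first/last timestamps; a single record never spans more than the active timeout.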
Related Topics
Creating a Flow Exporter, on page 22
Exporters
Creating a Flow Monitor
Monitors
Example: Monitoring IPv4 egress traffic
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# flow record fr-1-out
Switch(config-flow-record)# match ipv4 source address
Switch(config-flow-record)# match ipv4 destination address
Switch(config-flow-record)# match interface output
Switch(config-flow-record)# collect counter bytes long
Switch(config-flow-record)# collect counter packets long
Switch(config-flow-record)# collect timestamp absolute first
Switch(config-flow-record)# collect timestamp absolute last
Switch(config-flow-record)# exit
Switch(config)# flow exporter fe-1
Switch(config-flow-exporter)# destination 10.5.120.16
Switch(config-flow-exporter)# source Vlan105
Switch(config-flow-exporter)# dscp 32
Switch(config-flow-exporter)# ttl 200
Switch(config-flow-exporter)# transport udp 2055
Switch(config-flow-exporter)# template data timeout 240
Switch(config-flow-exporter)# exit
Switch(config)# flow exporter fe-ipfix6
Switch(config-flow-exporter)# destination 2001:0:0:24::10
Switch(config-flow-exporter)# source Vlan106
Switch(config-flow-exporter)# transport udp 4739
Switch(config-flow-exporter)# export-protocol ipfix
Switch(config-flow-exporter)# template data timeout 240
Switch(config-flow-exporter)# exit
Switch(config)# flow exporter fe-ipfix
Switch(config-flow-exporter)# description IPFIX format collector 100.0.0.80
Switch(config-flow-exporter)# destination 100.0.0.80
Switch(config-flow-exporter)# dscp 30
Switch(config-flow-exporter)# ttl 210
Switch(config-flow-exporter)# transport udp 4739
Switch(config-flow-exporter)# export-protocol ipfix
Switch(config-flow-exporter)# template data timeout 240
Switch(config-flow-exporter)# exit
Switch(config)# flow monitor fm-1-output
Switch(config-flow-monitor)# exporter fe-1
Switch(config-flow-monitor)# exporter fe-ipfix6
Switch(config-flow-monitor)# exporter fe-ipfix
Switch(config-flow-monitor)# cache timeout inactive 50
Switch(config-flow-monitor)# cache timeout active 120
Switch(config-flow-monitor)# record fr-1-out
Switch(config-flow-monitor)# end
Switch# show flow monitor fm-1-output cache format table
Related Topics
Creating a Flow Exporter, on page 22
Exporters
Creating a Flow Monitor
Monitors
Example: Configuring IPv4 Flexible NetFlow in WLAN (Ingress Direction)
The following example shows how to configure IPv4 Flexible NetFlow in the WLAN ingress direction:
Switch# configure terminal
Switch(config)# flow record fr_v4
Switch(config-flow-record)# match ipv4 destination address
Switch(config-flow-record)# match ipv4 source address
Switch(config-flow-record)# match ipv4 protocol
Switch(config-flow-record)# match ipv4 tos
Switch(config-flow-record)# match ipv4 ttl
Switch(config-flow-record)# match ipv4 version
Switch(config-flow-record)# match wireless ssid
Switch(config-flow-record)# collect wireless ap mac address
Switch(config-flow-record)# collect counter packets long
Switch(config-flow-record)# collect counter bytes long
Switch(config-flow-record)# collect timestamp absolute first
Switch(config-flow-record)# collect timestamp absolute last
Switch(config-flow-record)# exit
Switch(config)# flow monitor fm_v4
Switch(config-flow-monitor)# record fr_v4
Switch(config-flow-monitor)# exit
Switch(config)# wlan wlan_1
Switch(config-wlan)# ip flow monitor fm_v4 in
Switch(config-wlan)# end
Switch# show flow monitor fm_v4 cache
Related Topics
Configuring WLAN to Apply Flow Monitor in IPV4 and IPv6 Input/Output Direction, on page 35
Wireless Flexible NetFlow Overview, on page 4
Example: Configuring IPv6 and Transport Flag Flexible NetFlow in WLAN (Egress Direction)
The following example shows how to configure IPv6 and transport flag Flexible NetFlow in the WLAN egress direction:
Switch# configure terminal
Switch(config)# flow record fr_v6
Switch(config-flow-record)# match ipv6 destination address
Switch(config-flow-record)# match ipv6 source address
Switch(config-flow-record)# match ipv6 hop-limit
Switch(config-flow-record)# match ipv6 protocol
Switch(config-flow-record)# match ipv6 traffic
Switch(config-flow-record)# match ipv6 version
Switch(config-flow-record)# match wireless ssid
Switch(config-flow-record)# collect wireless ap mac address
Switch(config-flow-record)# collect counter bytes long
Switch(config-flow-record)# collect transport tcp flags
Switch(config-flow-record)# exit
Switch(config)# flow monitor fm_v6
Switch(config-flow-monitor)# record fr_v6
Switch(config-flow-monitor)# exit
Switch(config)# wlan wlan_1
Switch(config-wlan)# ipv6 flow monitor fm_v6 out
Switch(config-wlan)# end
Switch# show flow monitor fm_v6 cache
Note: On the switch, you cannot select individual TCP flags to collect; you can only collect the transport TCP flags as a whole.
Related Topics
Configuring WLAN to Apply Flow Monitor in IPV4 and IPv6 Input/Output Direction, on page 35
Wireless Flexible NetFlow Overview, on page 4
Example: Configuring IPv6 Flexible NetFlow in WLAN (Both Ingress and Egress Directions)
The following example shows how to configure IPv6 Flexible NetFlow on WLAN in both directions:
Switch# configure terminal
Switch(config)# flow record fr_v6
Switch(config-flow-record)# match ipv6 destination address
Switch(config-flow-record)# match ipv6 source address
Switch(config-flow-record)# match ipv6 hop-limit
Switch(config-flow-record)# match ipv6 protocol
Switch(config-flow-record)# match ipv6 traffic
Switch(config-flow-record)# match ipv6 version
Switch(config-flow-record)# match wireless ssid
Switch(config-flow-record)# collect wireless ap mac address
Switch(config-flow-record)# collect counter packets long
Switch(config-flow-record)# exit
Switch(config)# flow monitor fm_v6
Switch(config-flow-monitor)# record fr_v6
Switch(config-flow-monitor)# exit
Switch(config)# wlan wlan_1
Switch(config-wlan)# ipv6 flow monitor fm_v6 in
Switch(config-wlan)# ipv6 flow monitor fm_v6 out
Switch(config-wlan)# end
Switch# show flow monitor fm_v6 cache
Related Topics
Configuring WLAN to Apply Flow Monitor in IPV4 and IPv6 Input/Output Direction, on page 35
Wireless Flexible NetFlow Overview, on page 4
Example: Monitoring wireless ingress traffic
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# flow record fr-wlan-input
Switch(config-flow-record)# match datalink mac source address input
Switch(config-flow-record)# match datalink mac destination address input
Switch(config-flow-record)# match ipv4 source address
Switch(config-flow-record)# match ipv4 destination address
Switch(config-flow-record)# match wireless ssid
Switch(config-flow-record)# collect counter bytes long
Switch(config-flow-record)# collect counter packets long
Switch(config-flow-record)# collect timestamp absolute first
Switch(config-flow-record)# collect timestamp absolute last
Switch(config-flow-record)# exit
Switch(config)# flow exporter fe-ipfix
Switch(config-flow-exporter)# description IPFIX format collector 100.0.0.80
Switch(config-flow-exporter)# destination 100.0.0.80
Switch(config-flow-exporter)# dscp 30
Switch(config-flow-exporter)# ttl 210
Switch(config-flow-exporter)# transport udp 4739
Switch(config-flow-exporter)# export-protocol ipfix
Switch(config-flow-exporter)# template data timeout 240
Switch(config-flow-exporter)# exit
Switch(config)# flow exporter fe-ipfix6
Switch(config-flow-exporter)# destination 2001:0:0:24::10
Switch(config-flow-exporter)# source Vlan106
Switch(config-flow-exporter)# transport udp 4739
Switch(config-flow-exporter)# export-protocol ipfix
Switch(config-flow-exporter)# template data timeout 240
Switch(config-flow-exporter)# exit
Switch(config)# flow monitor fm-wlan-input
Switch(config-flow-monitor)# exporter fe-ipfix
Switch(config-flow-monitor)# exporter fe-ipfix6
Switch(config-flow-monitor)# cache timeout inactive 30
Switch(config-flow-monitor)# cache timeout active 180
Switch(config-flow-monitor)# record fr-wlan-input
Switch(config-flow-monitor)# end
Switch# show running-config wlan nfl_1
Switch# show flow monitor fm-wlan-input cache format table
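The fe-ipfix and fe-ipfix6 exporters used in the examples above send records in IPFIX format to UDP port 4739 and re-send their templates every 240 seconds (template data timeout 240). A collector cannot decode a data set until it holds the template that describes it, which is why data that arrives before the first template refresh is lost. The following Python example is added here and is not part of this guide or of any Cisco software: it implements a minimal RFC 7011 collector for a fixed-length template carrying the fields of the fr-1 record on this page, and builds a constructed message pair to show that behaviour. The template id 256, the field order and the sample flow values are assumptions.

```python
import struct

IPFIX_VERSION = 10        # RFC 7011 message header version
TEMPLATE_SET_ID = 2       # set id of a template set; data sets use ids >= 256

# IANA information element ids for the fields collected by the page's fr-1 record.
IE_NAMES = {
    1: "octetDeltaCount",
    2: "packetDeltaCount",
    8: "sourceIPv4Address",
    10: "ingressInterface",
    12: "destinationIPv4Address",
    152: "flowStartMilliseconds",
    153: "flowEndMilliseconds",
}

# Assumed template: id 256, fixed-length fields in the order fr-1 lists them.
FR1_TEMPLATE = [(8, 4), (12, 4), (10, 4), (1, 8), (2, 8), (152, 8), (153, 8)]


def _decode(ie_id, raw):
    """IPv4 address IEs as dotted quads; everything else as a big-endian integer."""
    if ie_id in (8, 12) and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


class IpfixCollector:
    """Template-driven decoder for IPFIX messages as received on UDP 4739."""

    def __init__(self):
        self.templates = {}     # (observation domain, template id) -> [(ie_id, length)]
        self.flows = []         # decoded data records
        self.dropped_sets = 0   # data sets that arrived before their template

    def feed(self, msg):
        version, length, _export_time, _seq, domain = struct.unpack("!HHIII", msg[:16])
        if version != IPFIX_VERSION or length < 16 or length > len(msg):
            raise ValueError("not a well-formed IPFIX message")
        pos = 16
        while pos + 4 <= length:
            set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
            if set_len < 4 or pos + set_len > length:
                raise ValueError("bad set length")
            body = msg[pos + 4:pos + set_len]
            if set_id == TEMPLATE_SET_ID:
                self._templates(domain, body)
            elif set_id >= 256:
                self._data(domain, set_id, body)
            # options template sets (id 3) and reserved ids are skipped here
            pos += set_len
        return len(self.flows)

    def _templates(self, domain, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, count = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = []
            for _ in range(count):
                ie_id, flen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if ie_id & 0x8000:      # enterprise bit set: a 4-byte PEN follows
                    pos += 4            # (PEN ignored in this minimal decoder)
                    ie_id &= 0x7FFF
                fields.append((ie_id, flen))
            self.templates[(domain, tid)] = fields

    def _data(self, domain, tid, body):
        template = self.templates.get((domain, tid))
        if template is None:        # no template yet: the set cannot be decoded
            self.dropped_sets += 1
            return
        rec_len = sum(flen for _, flen in template)
        pos = 0
        while pos + rec_len <= len(body):   # trailing bytes shorter than a record are padding
            rec = {}
            for ie_id, flen in template:
                rec[IE_NAMES.get(ie_id, "ie%d" % ie_id)] = _decode(ie_id, body[pos:pos + flen])
                pos += flen
            self.flows.append(rec)


# Constructed encoder standing in for the switch's exporter.
def template_set(tid, fields):
    rec = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(rec)) + rec


def data_set(tid, records):
    payload = b"".join(records)
    return struct.pack("!HH", tid, 4 + len(payload)) + payload


def message(sets, domain=1, seq=0, export_time=0):
    body = b"".join(sets)
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), export_time, seq, domain) + body


def demo():
    """A data set before its template is dropped; after the template it decodes."""
    rec = struct.pack("!4s4sIQQQQ", bytes([10, 1, 1, 5]), bytes([10, 2, 2, 9]),
                      11, 123456, 100, 1700000000000, 1700000060000)
    c = IpfixCollector()
    c.feed(message([data_set(256, [rec])], seq=0))
    dropped_before_template = c.dropped_sets
    c.feed(message([template_set(256, FR1_TEMPLATE), data_set(256, [rec])], seq=1))
    return dropped_before_template, c.flows
```

In a real deployment the bytes fed to the collector come from a UDP socket bound to port 4739 on the destination configured in the exporter; templates are keyed per observation domain, so an exporter restart that reuses a template id with a different layout is only decoded correctly once the refreshed template has been received. Variable-length information elements (field length 65535) and options templates are outside this minimal decoder.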
Additional References
Related Documents
Related Topic | Document Title
Platform-independent command references | Configuration Fundamentals Command Reference, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
Platform-independent configuration information | Configuration Fundamentals Configuration Guide, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
Flexible NetFlow CLI Commands | Cisco Flexible NetFlow Command Reference (Catalyst 3650 Switches); Flexible NetFlow Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Error Message Decoder
Description | Link
To help you research and resolve system error messages in this release, use the Error Message Decoder tool. | https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi
Standards and RFCs
Standard/RFC | Title
RFC 3954 | Cisco Systems NetFlow Services Export Version 9
MIBs
MIB | MIBs Link
All supported MIBs for this release. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/support
Feature Information for Flexible NetFlow
Release | Modification
Cisco IOS XE 3.3SE | This feature was introduced.