Cisco IOS Flexible NetFlow Command Reference

Cisco IOS Flexible NetFlow Command Reference
Cisco IOS Flexible NetFlow Command Reference
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version
of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://
www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
© 2015
Cisco Systems, Inc. All rights reserved.
CONTENTS
CHAPTER 1
cache (Flexible NetFlow) through match flow 1
cache (Flexible NetFlow) 4
clear flow exporter 10
clear flow monitor 12
clear sampler 14
collect application http 16
collect application name 18
collect application nntp 20
collect application pop3 22
collect application rtsp 24
collect application sip 26
collect application smtp 28
collect connection 30
collect counter 32
collect datalink dot1q vlan 36
collect datalink mac 38
collect flow 41
collect interface 43
collect ipv4 45
collect ipv4 destination 48
collect ipv4 fragmentation 51
collect ipv4 section 53
collect ipv4 source 55
collect ipv4 total-length 58
collect ipv4 ttl 60
collect ipv6 62
collect ipv6 destination 65
collect ipv6 extension map 67
Cisco IOS Flexible NetFlow Command Reference
iii
Contents
collect ipv6 fragmentation 69
collect ipv6 hop-limit 71
collect ipv6 length 73
collect ipv6 section 75
collect ipv6 source 78
collect mpls label 81
collect policy qos classification hierarchy 83
collect policy qos queue index 84
collect routing 85
collect routing is-multicast 90
collect services pfr 92
collect timestamp absolute 94
collect timestamp sys-uptime 96
collect transport 99
collect transport icmp ipv4 101
collect transport icmp ipv6 103
collect transport tcp 105
collect transport udp 109
debug flow exporter 111
debug flow monitor 113
debug flow record 115
debug sampler 120
default (Flexible NetFlow) 122
description (Flexible NetFlow) 124
destination 126
dscp (Flexible NetFlow) 128
execute (Flexible NetFlow) 130
exporter 131
export-protocol 133
flow exporter 135
flow hardware 137
flow monitor 139
flow platform 141
flow record 143
granularity 145
Cisco IOS Flexible NetFlow Command Reference
iv
Contents
ip flow monitor 146
ipv6 flow monitor 150
match application name 154
match connection id 156
match connection transaction-id 157
match datalink dot1q priority 159
match datalink dot1q vlan 160
match datalink ethertype 162
match datalink mac 163
match datalink vlan 165
match flow 166
CHAPTER 2
match interface (Flexible NetFlow) through ttl (Flexible NetFlow) 169
match interface (Flexible NetFlow) 171
match ipv4 174
match ipv4 destination 177
match ipv4 fragmentation 180
match ipv4 section 182
match ipv4 source 185
match ipv4 total-length 188
match ipv4 ttl 190
match ipv6 192
match ipv6 destination 195
match ipv6 extension map 197
match ipv6 fragmentation 199
match ipv6 hop-limit 201
match ipv6 length 203
match ipv6 section 205
match ipv6 source 208
match mpls label 210
match routing 212
match routing is-multicast 217
match routing multicast replication-factor 219
match transport 221
match transport icmp ipv4 223
Cisco IOS Flexible NetFlow Command Reference
v
Contents
match transport icmp ipv6 225
match transport tcp 227
match transport udp 231
mode (Flexible NetFlow) 233
option (Flexible NetFlow) 235
output-features 240
record 241
sampler 246
show flow exporter 248
show flow interface 254
show flow monitor 256
show flow monitor cache aggregate 265
show flow monitor cache filter 271
show flow monitor cache sort 278
show flow record 282
show platform flow 287
show sampler 290
source (Flexible NetFlow) 293
statistics packet 295
template data timeout 297
transport (Flexible NetFlow) 299
ttl (Flexible NetFlow) 301
Cisco IOS Flexible NetFlow Command Reference
vi
cache (Flexible NetFlow) through match flow
• cache (Flexible NetFlow), page 4
• clear flow exporter, page 10
• clear flow monitor, page 12
• clear sampler, page 14
• collect application http, page 16
• collect application name, page 18
• collect application nntp, page 20
• collect application pop3, page 22
• collect application rtsp, page 24
• collect application sip, page 26
• collect application smtp, page 28
• collect connection, page 30
• collect counter, page 32
• collect datalink dot1q vlan, page 36
• collect datalink mac, page 38
• collect flow, page 41
• collect interface, page 43
• collect ipv4, page 45
• collect ipv4 destination, page 48
• collect ipv4 fragmentation, page 51
• collect ipv4 section, page 53
• collect ipv4 source, page 55
• collect ipv4 total-length, page 58
• collect ipv4 ttl, page 60
Cisco IOS Flexible NetFlow Command Reference
1
cache (Flexible NetFlow) through match flow
• collect ipv6, page 62
• collect ipv6 destination, page 65
• collect ipv6 extension map, page 67
• collect ipv6 fragmentation, page 69
• collect ipv6 hop-limit, page 71
• collect ipv6 length, page 73
• collect ipv6 section, page 75
• collect ipv6 source, page 78
• collect mpls label, page 81
• collect policy qos classification hierarchy, page 83
• collect policy qos queue index, page 84
• collect routing, page 85
• collect routing is-multicast, page 90
• collect services pfr, page 92
• collect timestamp absolute, page 94
• collect timestamp sys-uptime, page 96
• collect transport, page 99
• collect transport icmp ipv4, page 101
• collect transport icmp ipv6, page 103
• collect transport tcp, page 105
• collect transport udp, page 109
• debug flow exporter, page 111
• debug flow monitor, page 113
• debug flow record, page 115
• debug sampler, page 120
• default (Flexible NetFlow), page 122
• description (Flexible NetFlow), page 124
• destination, page 126
• dscp (Flexible NetFlow), page 128
• execute (Flexible NetFlow), page 130
• exporter, page 131
• export-protocol, page 133
• flow exporter, page 135
Cisco IOS Flexible NetFlow Command Reference
2
cache (Flexible NetFlow) through match flow
• flow hardware, page 137
• flow monitor, page 139
• flow platform, page 141
• flow record, page 143
• granularity, page 145
• ip flow monitor, page 146
• ipv6 flow monitor, page 150
• match application name, page 154
• match connection id, page 156
• match connection transaction-id, page 157
• match datalink dot1q priority, page 159
• match datalink dot1q vlan, page 160
• match datalink ethertype, page 162
• match datalink mac, page 163
• match datalink vlan, page 165
• match flow, page 166
Cisco IOS Flexible NetFlow Command Reference
3
cache (Flexible NetFlow) through match flow
cache (Flexible NetFlow)
cache (Flexible NetFlow)
To configure the flow cache parameter for a Flexible NetFlow flow monitor, use the cache command in
Flexible NetFlow flow monitor configuration mode. To remove a flow cache parameter for a Flexible NetFlow
flow monitor, use the no form of this command.
cache {entries number | timeout {active seconds | event transaction-end | inactive seconds | update seconds
| synchronized interval [export-spread [spread-interval]]} | type {immediate | normal | permanent |
synchronized}}
no cache {entries | timeout {active | event transaction-end | inactive | update | synchronized} | type
{immediate | normal | permanent | synchronized}}
Syntax Description
entries number
Specifies the maximum number of entries in the flow
monitor cache. The range is from 16 to 2000000.
On the Cisco ISR 4400 Series Integrated
Services Routers, the range is from 16 to
1000000.
Specifies the active flow timeout in seconds. The
range is from 1 to 604800 (7 days). The default is
1800.
Note
timeout active seconds
timeout event transaction-end
Specifies that the record is generated and exported in
the NetFlow cache at the end of a transaction.
timeout inactive seconds
Specifies the inactive flow timeout in seconds. The
range is from 1 to 604800 (7 days).The default is 15.
timeout update seconds
Specifies the update timeout, in seconds, for a
permanent flow cache. The range is from 1 to 604800
(7 days). The default is 1800.
timeout synchronized interval
Specifies the synchronized interval timeout value.
The range is from 1 to 300.
export-spread
Enables export spreading.
spread-interval
The export spreading interval in seconds. The valid
period is 5 or 6.
type
Specifies the type of the flow cache.
immediate
Configures an immediate cache type. This cache type
will age out every record as soon as it is created.
Cisco IOS Flexible NetFlow Command Reference
4
cache (Flexible NetFlow) through match flow
cache (Flexible NetFlow)
Command Default
normal
Configures a normal cache type. The entries in the
flow cache will be aged out according to the timeout
active seconds and timeout inactive seconds settings.
This is the default cache type.
permanent
Configures a permanent cache type. This cache type
disables flow removal from the flow cache.
synchronized
Configures a synchronized cache type.
The default Flexible NetFlow flow monitor flow cache parameters are used.
The following flow cache parameters for a Flexible NetFlow flow monitor are enabled:
• Cache type: normal
• Maximum number of entries in the flow monitor cache: 4096
• Active flow timeout: 1800 seconds
• Inactive flow timeout: 15 seconds
• Update timeout for a permanent flow cache: 1800 seconds
Command Modes
Command History
Flexible NetFlow flow monitor configuration (config-flow-monitor)
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
Cisco IOS XE Release 3.4S
This command was modified. The event transaction-end keyword was
added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE with
support for the timeout and type normal keywords only.
Cisco IOS Flexible NetFlow Command Reference
5
cache (Flexible NetFlow) through match flow
cache (Flexible NetFlow)
Usage Guidelines
Release
Modification
Cisco IOS XE Release 3.11S
This command was modified. The export-spread keyword was added.
The update keyword was removed.
Each flow monitor has a cache that it uses to store all the flows it monitors. Each cache has various configurable
elements, such as the number of entries and the time that a flow is allowed to remain in it. When a flow times
out, it is removed from the cache and sent to any exporters that are configured for the corresponding flow
monitor.
If a cache is already active (that is, you have applied the flow monitor to at least one interface in the router),
your changes to the record, cache type, and cache size parameters will not take effect until you either reboot
the router or remove the flow monitor from every interface and then reapply it. Therefore whenever possible
you should customize the record, cache type, and cache size parameters for the cache before you apply the
flow monitor to an interface. You can modify the timers, flow exporters, and statistics parameters for a cache
while the cache is active.
cache entries
This command controls the size of the cache. Cache size should be based on a number of factors, including
the number of flows expected, the time the flows are expected to last (based on the configured key fields and
the traffic), and the timeout values configured for the cache. The size should be large enough to minimize
emergency expiry.
Emergency expiry is caused by the Flexible NetFlow cache becoming full. When the Flexible NetFlow cache
becomes full, the router performs “emergency expiry” where a number of flows are immediately aged, expired
from the Flexible NetFlow cache, and exported in order to free up space for more flows.
For a permanent cache (flows never expire), the number of entries should be large enough to accommodate
the number of flows expected for the entire duration of the cache entries. If more flows occur than there are
cache entries, the excess flows are not recorded in the cache.
For an immediate cache (flows expire immediately), the number of entries simply controls the amount of
history that is available for previously seen packets.
cache timeout active
This command controls the aging behavior of the normal type of cache. If a flow has been active for a long
time, it is usually desirable to age it out (starting a new flow for any subsequent packets in the flow). This age
out process allows the monitoring application that is receiving the exports to remain up to date. By default
this timeout is 1800 seconds (30 minutes), but it can be adjusted according to system requirements. A larger
value ensures that long-lived flows are accounted for in a single flow record; a smaller value results in a shorter
delay between starting a new long-lived flow and exporting some data for it.
cache timeout event transaction-end
To use this command, you must configure the match connection transaction id command and the match
application name command for the flow record. This command causes the record to be generated and exported
in the NetFlow cache at the end of a transaction. A transaction is a set of logical exchanges between endpoints.
There is normally one transaction within a flow.
cache timeout inactive
This command controls the aging behavior of the normal type of cache. If a flow has not seen any activity for
a specified amount of time, that flow will be aged out. By default, this timeout is 15 seconds, but this value
can be adjusted depending on the type of traffic expected.
Cisco IOS Flexible NetFlow Command Reference
6
cache (Flexible NetFlow) through match flow
cache (Flexible NetFlow)
If a large number of short-lived flows is consuming many cache entries, reducing the inactive timeout can
reduce this overhead. If a large number of flows frequently get aged out before they have finished collecting
their data, increasing this timeout can result in better flow correlation.
cache timeout update
This command controls the periodic updates sent by the permanent type of cache. This behavior is similar to
the active timeout, except that it does not result in the removal of the cache entry from the cache. By default,
this timer value is 1800 seconds (30 minutes).
cache timeout synchronized interval [export-spread [spread-interval]]
This command configures export spreading on a synchronized cache. As asynchronous monitors need to
aggregate the data in a few seconds, you can enable and configure export spreading only when you configure
the synchronized interval timeout value to more than 10 seconds. Export spreading might start a couple of
seconds after the interval ends in order to complete the aggregation. No export spreading option is visible on
the CLI if the synchronized interval timeout value is lower than 10 seconds. The default export spread interval
is 30 seconds.
cache type immediate
This command specifies the immediate cache type. This type of cache will age out every record as soon as it
is created, with the result that every flow contains just one packet. The commands that display the cache
contents will provide a history of the packets seen.
The use of this cache type is appropriate when very small flows are expected and a minimum amount of
latency between analyzing a packet and exporting a report is desired. We recommend using this command
when you are sampling packet chunks because the number of packets per flow is typically very low.
Caution
Note
This command may result in a large amount of export data that can overload low speed links and overwhelm
any systems to which you are exporting. We recommended that you configure sampling to reduce the
number of packets seen.
The timeout settings have no effect for the immediate cache type.
cache type normal
This command specifies the normal cache type. This is the default cache type. The entries in the cache will
be aged out according to the timeout active seconds and timeout inactive seconds settings. When a cache
entry is aged out, it is removed from the cache and exported via any exporters configured for the monitor
associated with the cache.
cache type permanent
This command specifies the permanent cache type. This type of cache never ages out any flows. This cache
type is useful when the number of flows you expect to see has a limit and there is a need to keep long-term
statistics on the router. For example, if the only key field is IP TOS, a limit of 256 flows can be seen, so to
monitor the long-term usage of the IP TOS field, a permanent cache can be used. Update messages are exported
via any exporters configured for the monitor associated with this cache in accordance with the timeout update
seconds setting.
Cisco IOS Flexible NetFlow Command Reference
7
cache (Flexible NetFlow) through match flow
cache (Flexible NetFlow)
Examples
Note
When a cache becomes full, new flows will not be monitored. If this occurs, a “Flows not added” statistic
will appear in the cache statistics.
Note
A permanent cache uses update counters rather than delta counters. This means that when a flow is exported,
the counters represent the totals seen for the full lifetime of the flow and not the additional packets and
bytes seen since the last export was sent.
The following example shows how to configure the number of entries for the flow monitor cache:
Device(config)# flow monitor FLOW-MONITOR-1
Device(config-flow-monitor)# cache entries 16
The following example shows how to configure the active timeout for the flow monitor cache:
Device(config)# flow monitor FLOW-MONITOR-1
Device(config-flow-monitor)# cache timeout active 4800
The following example shows how to configure the inactive timer for the flow monitor cache:
Device(config)# flow monitor FLOW-MONITOR-1
Device(config-flow-monitor)# cache timeout inactive 3000
The following example shows how to configure the permanent cache update timeout:
Device(config)# flow monitor FLOW-MONITOR-1
Device(config-flow-monitor)# cache timeout update 5000
The following example shows how to enable and configure export spreading where the synchronized interval
timeout value is 12 seconds and the export spread interval is 5 seconds:
Device(config)# flow monitor FLOW-MONITOR-1
Device(config-flow-monitor)# cache type synchronized
Device(config-flow-monitor)# cache timeout synchronized 12 export-spread 5
The following example shows how to configure a normal cache:
Device(config)# flow monitor FLOW-MONITOR-1
Device(config-flow-monitor)# cache type normal
The following example shows how to configure a permanent cache:
Device(config)# flow monitor FLOW-MONITOR-1
Device(config-flow-monitor)# cache type permanent
The following example shows how to configure an immediate cache:
Device(config)# flow monitor FLOW-MONITOR-1
Device(config-flow-monitor)# cache type immediate
Cisco IOS Flexible NetFlow Command Reference
8
cache (Flexible NetFlow) through match flow
cache (Flexible NetFlow)
Related Commands
Command
Description
flow monitor
Creates a flow monitor, and enters Flexible NetFlow
flow monitor configuration mode.
Cisco IOS Flexible NetFlow Command Reference
9
cache (Flexible NetFlow) through match flow
clear flow exporter
clear flow exporter
To clear the statistics for a Flexible NetFlow flow exporter, use the clear flow exporter command in privileged
EXEC mode.
clear flow exporter {name exporter-name statistics| statistics}
Syntax Description
Command Modes
Command History
Examples
name
Specifies the name of a flow exporter.
exporter-name
Name of a flow exporter that was previously
configured.
statistics
Clears the flow exporter statistics.
Privileged EXEC (#)
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
The following example clears the statistics for all of the flow exporters configured on the router:
Router# clear flow exporter statistics
The following example clears the statistics for the flow exporter named FLOW-EXPORTER-1:
Router# clear flow exporter name FLOW-EXPORTER-1 statistics
Cisco IOS Flexible NetFlow Command Reference
10
cache (Flexible NetFlow) through match flow
clear flow exporter
Related Commands
Command
Description
debug flow exporter
Enables debugging output for flow exporters.
Cisco IOS Flexible NetFlow Command Reference
11
cache (Flexible NetFlow) through match flow
clear flow monitor
clear flow monitor
To clear a Flexible NetFlow flow monitor, flow monitor cache, or flow monitor statistics and to force the
export of the data in the flow monitor cache, use the clear flow monitor command in privileged EXEC mode.
clear flow monitor name monitor-name [cache [force-export]| force-export| statistics]
Syntax Description
Command Modes
Command History
Usage Guidelines
name
Specifies the name of a flow monitor.
monitor-name
Name of a flow monitor that was previously
configured.
cache
(Optional) Clears the flow monitor cache information.
force-export
(Optional) Forces the export of the flow monitor
cache statistics.
statistics
(Optional) Clears the flow monitor statistics.
Privileged EXEC (#)
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
cache
Cisco IOS Flexible NetFlow Command Reference
12
cache (Flexible NetFlow) through match flow
clear flow monitor
This keyword removes all entries from the flow monitor cache. These entries will not be exported and the
data gathered in the cache will be lost.
Note
The statistics for the cleared cache entries are maintained.
force-export
This keyword removes all entries from the flow monitor cache and exports them via all flow exporters assigned
to the flow monitor. This action can result in a short-term increase in CPU usage. Use with caution.
Note
The statistics for the cleared cache entries are maintained.
statistics
This keyword clears the statistics for this flow monitor.
Note
Examples
The “Current entries” statistic will not be cleared because this is an indicator of how many entries are in
the cache and the cache is not cleared with this command.
The following example clears the statistics and cache entries for the flow monitor named FLOW-MONITOR-1:
Router# clear flow monitor name FLOW-MONITOR-1
The following example clears the statistics and cache entries for the flow monitor named FLOW-MONITOR-1
and forces an export:
Router# clear flow monitor name FLOW-MONITOR-1 force-export
The following example clears the cache for the flow monitor named FLOW-MONITOR-1 and forces an
export:
Router# clear flow monitor name FLOW-MONITOR-1 cache force-export
The following example clears the statistics for the flow monitor named FLOW-MONITOR-1:
Router# clear flow monitor name FLOW-MONITOR-1 statistics
Related Commands
Command
Description
debug flow monitor
Enables debugging output for flow monitors.
Cisco IOS Flexible NetFlow Command Reference
13
cache (Flexible NetFlow) through match flow
clear sampler
clear sampler
To clear the statistics for a Flexible NetFlow flow sampler, use the clear sampler command in privileged
EXEC mode.
clear sampler [name] [ sampler-name ]
Syntax Description
Command Modes
Command History
Examples
name
(Optional) Specifies the name of a flow sampler.
sampler-name
(Optional) Name of a flow sampler that was
previously configured.
Privileged EXEC (#)
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
The following example clears the sampler statistics for all flow samplers configured on the router:
Router# clear sampler
The following example clears the sampler statistics for the flow sampler named SAMPLER-1:
Router# clear sampler name SAMPLER-1
Cisco IOS Flexible NetFlow Command Reference
14
cache (Flexible NetFlow) through match flow
clear sampler
Related Commands
Command
Description
debug sampler
Enables debugging output for flow samplers.
Cisco IOS Flexible NetFlow Command Reference
15
cache (Flexible NetFlow) through match flow
collect application http
collect application http
To configure one of the HTTP application fields as a nonkey field for a flow record, use the collect application
http host command in flow record configuration mode. To disable the use the HTTP application fields as a
key field for a flow record, use the no form of this command.
collect application http {host| uri statistics}
no collect application http {host| uri statistics}
Syntax Description
This command has no arguments or keywords.
Command Default
The HTTP application fields are not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
15.2(4)S
This command was introduced.
Cisco IOS XE Release 3.7S
This command was integrated into Cisco IOS XE Release 3.7S.
15.2(4)M2
This command was integrated into Cisco IOS Release 15.2(4)M2 for
MACE.
15.3(1)T
This command was integrated into Cisco IOS Release 15.3(1)T for
MACE.
This command can be used with Flexible NetFlow, MACE (Measurement, Aggregation, and Correlation
Engine), and Performance Monitor. These products use different commands to enter the configuration mode
in which you issue this command, however the mode prompt is the same for both products. For Performance
Monitor, you must first enter the flow record type performance-monitor command before you can use this
command.
Because the mode prompt is the same for all three products, here we refer to the command mode for these
products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as
Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as
Performance Monitor flow record configuration mode.
The collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing
the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to
provide additional information about the traffic in the flows. A change in the value of a nonkey field does not
create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Cisco IOS Flexible NetFlow Command Reference
16
cache (Flexible NetFlow) through match flow
collect application http
Examples
The following example configures the HTTP application host as a nonkey field for Flexible Netflow:
Router(config)# flow record RECORD-1
Router(config-flow-record)# collect application http host
Examples
The following example configures the HTTP application host as a nonkey field for Performance Monitor:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect application http host
The following example configures the HTTP application URI statistics as a nonkey field for Performance
Monitor:
Router(config)# flow record type mace RECORD-1
Router(config-flow-record)# collect application http uri statistics
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
flow record type mace
Creates a flow record, and enters MACE flow record
configuration mode.
Cisco IOS Flexible NetFlow Command Reference
17
cache (Flexible NetFlow) through match flow
collect application name
collect application name
To configure the use of the application name as a nonkey field for a flow record, use the collect application
name command in flow record configuration mode. To disable the use of the application name as a nonkey
field for a flow record, use the no form of this command.
collect application name
no collect application name
Syntax Description
This command has no arguments or keywords.
Command Default
The application name is not configured as a non-key field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
15.0(1)M
This command was introduced.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
15.2(3)T
This command was integrated into Cisco IOS Release 15.2(3)T for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Cisco IOS Flexible NetFlow Command Reference
18
cache (Flexible NetFlow) through match flow
collect application name
Examples
The following example configures the application name as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect application name
Examples
The following example configures the application name as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect application name
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
match application name
Configures the use of application name as a key field
for a Flexible NetFlow flow record.
Cisco IOS Flexible NetFlow Command Reference
19
cache (Flexible NetFlow) through match flow
collect application nntp
collect application nntp
To configure the NNTP application group name field as a nonkey field for a flow record, use the collect
application nntp group-name command in flow record configuration mode. To disable the use the application
fields as a key field for a flow record, use the no form of this command.
collect application nntp group-name
no collect application nntp group-name
Syntax Description
This command has no arguments or keywords.
Command Default
The application version field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
15.2(4)S
This command was introduced.
Cisco IOS XE Release 3.7S
This command was integrated into Cisco IOS XE Release 3.7S.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures the NNTP application group name as a nonkey field for Flexible Netflow:
Router(config)# flow record RECORD-1
Router(config-flow-record)# collect application nntp group-name
Cisco IOS Flexible NetFlow Command Reference
20
cache (Flexible NetFlow) through match flow
collect application nntp
Examples
The following example configures the NNTP application group name as a nonkey field for Performance
Monitor:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect application nntp group-name
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
21
cache (Flexible NetFlow) through match flow
collect application pop3
collect application pop3
To configure the POP3 application server field as a nonkey field for a flow record, use the collect application
pop3 server command in flow record configuration mode. To disable the use the application fields as a key
field for a flow record, use the no form of this command.
collect application pop3 server
no collect application pop3 server
Syntax Description
This command has no arguments or keywords.
Command Default
The application version field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
Cisco IOS XE Release 3.7S
This command was introduced.
The fields collected by this command can only extracted using the IPFIX export protocol.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures the POP3 application server as a nonkey field for Flexible Netflow:
Router(config)# flow record RECORD-1
Router(config-flow-record)# collect application pop3 server
Cisco IOS Flexible NetFlow Command Reference
22
cache (Flexible NetFlow) through match flow
collect application pop3
Examples
The following example configures the POP3 application server as a nonkey field for Performance Monitor:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect application pop3 server
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
23
cache (Flexible NetFlow) through match flow
collect application rtsp
collect application rtsp
To configure the RTSP application hostname field as a nonkey field for a flow record, use the collect
application rtsp host-name command in flow record configuration mode. To disable the use the application
fields as a key field for a flow record, use the no form of this command.
collect application rtsp host-name
no collect application rtsp host-name
Syntax Description
This command has no arguments or keywords.
Command Default
The application version field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
Cisco IOS XE Release 3.7S
This command was introduced.
The fields collected by this command can only extracted using the IPFIX export protocol.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures the RTSP application hostname as a nonkey field for Flexible Netflow:
Router(config)# flow record RECORD-1
Router(config-flow-record)# collect application rtsp host-name
Cisco IOS Flexible NetFlow Command Reference
24
cache (Flexible NetFlow) through match flow
collect application rtsp
Examples
The following example configures the RTSP application hostname as a nonkey field for Performance Monitor:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect application rtsp host-name
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
25
cache (Flexible NetFlow) through match flow
collect application sip
collect application sip
To configure the SIP application destination or source field as a nonkey field for a flow record, use the collect
application sip command in flow record configuration mode. To disable the use the application fields as a
key field for a flow record, use the no form of this command.
collect application sip {destination| source}
no collect application sip {destination| source}
Syntax Description
This command has no arguments or keywords.
Command Default
The application version field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
Cisco IOS XE Release 3.7S
This command was introduced.
The fields collected by this command can only extracted using the IPFIX export protocol.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures the SIP application source as a nonkey field for Flexible Netflow:
Router(config)# flow record RECORD-1
Router(config-flow-record)# collect application sip source
Cisco IOS Flexible NetFlow Command Reference
26
cache (Flexible NetFlow) through match flow
collect application sip
Examples
The following example configures the application SMTP hostname as a nonkey field for Performance Monitor:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect application sip source
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
27
cache (Flexible NetFlow) through match flow
collect application smtp
collect application smtp
To configure the SMTP application server or sender field as a nonkey field for a flow record, use the collect
application smtp command in flow record configuration mode. To disable the use the application fields as
a key field for a flow record, use the no form of this command.
collect application smtp {sender| server}
no collect application smtp {sender| server}
Syntax Description
This command has no arguments or keywords.
Command Default
The application version field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
Cisco IOS XE Release 3.7S
This command was introduced.
The fields collected by this command can only extracted using the IPFIX export protocol.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures the SMTP application server as a nonkey field for Flexible Netflow:
Router(config)# flow record RECORD-1
Router(config-flow-record)# collect application smtp server
Cisco IOS Flexible NetFlow Command Reference
28
cache (Flexible NetFlow) through match flow
collect application smtp
Examples
The following example configures the SMTP application server as a nonkey field for Performance Monitor:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect application smtp server
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
29
cache (Flexible NetFlow) through match flow
collect connection
collect connection
To configure various connection information fields as a nonkey field for a flow record, use the collect
connection command in flow record configuration mode. To disable the use of the connection information
fields as a nonkey field for a flow record, use the no form of this command.
collect connection {initiator| new-translations| sum-duration}
no collect connection {initiator| new-translations| sum-duration}
Syntax Description
initiator
Configures the connection initiator as a nonkey field.
new-translations
Configures the number of TCP or UDP connections
which were opened during an observation period as
a nonkey field.
sum-duration
Configures the total time in seconds for all of the TCP
or UDP connections which were in use during an
observation period as a nonkey field.
Command Default
Connection information fields are not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
Cisco IOS XE Release 3.4S
This command was introduced.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for
Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for
Cisco Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
Cisco IOS Flexible NetFlow Command Reference
30
cache (Flexible NetFlow) through match flow
collect connection
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The initiator keyword provides the following information about the direction of the flow.
• 0x00=undefined
• 0x01=initiator - the flow source is initiator of the connection.
• 0x02=reverseInitiator - the flow destination is the initiator of the connection.
For the new-translations and sum-duration keywords, the observation period can be specified by the start
and end timestamps for the flow.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures information about the connection initiator as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect connection initiator
Examples
The following example configures information about the connection initiator as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect connection initiator
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
31
cache (Flexible NetFlow) through match flow
collect counter
collect counter
To configure the number of bytes or packets in a flow as a nonkey field for a flow record, use the collect
counter command in Flexible NetFLow flow record configuration mode. To disable the use of the number
of bytes or packets in a flow (counters) as a nonkey field for a flow record, use the no form of this command.
collect counter {bytes [long| replicated [long]| squared long]| packets [long| replicated [long]]}
no collect counter {bytes [long| replicated [long]| squared long]| packets [long| replicated [long]]}
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
collect counter {bytes [long| rate]| packets [dropped [long]| long]}
no collect counter {bytes [long| rate]| packets [dropped [long]| long]}
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
collect counter {bytes [long]| packets [long]}
no collect counter {bytes [long]| packets [long]}
Cisco IOS XE Release 3.2SE
no collect counter {bytes {layer2 long| long}| packets long}
no collect counter {bytes {layer2 long| long}| packets long}
Syntax Description
bytes
Configures the number of bytes seen in a flow as a
nonkey field and enables collecting the total number
of bytes from the flow.
layer 2 long
Enables collecting the total number of Layer 2 bytes
or packets from the flow using a 64-bit counter rather
than a 32-bit counter. For Cisco IOS XE Release
3.2SE, use the layer 2 long keywords rather than the
long keyword.
long
(Optional) Enables collecting the total number of
bytes or packets from the flow using a 64-bit counter
rather than a 32-bit counter. For Cisco IOS XE
Release 3.2SE, use the layer 2 long keywords rather
than the long keyword.
replicated
Total number of replicated (multicast) IPv4 packets.
squared long
(Optional) Enables collecting the total of the square
of the number of bytes from the flow.
Cisco IOS Flexible NetFlow Command Reference
32
cache (Flexible NetFlow) through match flow
collect counter
packets
Configures the number of packets seen in a flow as
a nonkey field and enables collecting the total number
of packets from the flow.
rate
Configures the byte rate counter as a nonkey field.
dropped
Configures the dropped packet counter as a nonkey
field.
Command Default
The number of bytes or packets in a flow is not configured as a nonkey field.
Command Modes
Flexible NetFLow flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this Cisco was implemented on the
12000 series routers.
12.2(33)SRC
This command was modified. Support for this Cisco was implemented on the
Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.4(22)T
This command was modified. The replicated keyword was added.
12.2(33)SRE
This command was modified. Support for this command was implemented on
the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was modified for the Cisco Performance Monitor. Thereplicated
and squared long keywords were removed and the rate and dropped keywords
were added.
12.2(58)SE
This command was modified for the Cisco Performance Monitor. Thereplicated
and squared long keywords were removed and the rate and dropped keywords
were added.
12.2(50)SY
This command was modified. The replicated and squared long keywords
were removed.
Cisco IOS XE Release
3.2SE
This command was modified. The layer 2 long keyword combination was
added. The replicated and squared long keywords were removed.
Cisco IOS Flexible NetFlow Command Reference
33
cache (Flexible NetFlow) through match flow
collect counter
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow record
configuration mode. For Performance Monitor, the mode is also known as Performance Monitor flow record
configuration mode. Here we refer to them both as flow record configuration mode.
The Flexible NetFlow and Performance Monitor collect commands are used to configure nonkey fields for
the flow monitor record and to enable capturing the values in the fields for the flow created with the record.
The values in nonkey fields are added to flows to provide additional information about the traffic in the flows.
A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields
are taken from only the first packet in the flow.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
The rate and dropped keywords were added and the replicated and squared long keywords were removed.
You must first enter theflow record type performance-monitor command.
collect counter bytes
This command configures a 32-bit counter for the number of bytes seen in a flow.
collect counter packets
This command configures a 32-bit counter that is incremented for each packet seen in the flow. For extremely
long flows it is possible for this counter to restart at 0 (wrap) when it reaches the limit of approximately 4
billion packets. On detection of a situation that would cause this counter to restart at 0, a flow monitor with
a normal cache type exports the flow and starts a new flow.
collect counter packets long
This command configures a 64-bit counter that will be incremented for each packet seen in the flow. It is
unlikely that a 64-bit counter will ever restart at 0.
collect counter bytes squared long
This counter can be used in conjunction with the byte and packet counters in order to calculate the variance
of the packet sizes. Its value is derived from squaring each of the packet sizes in the flow and adding the
results. This value can be used as part of a standard variance function.
The variance and standard deviation of the packet sizes for the flow can be calculated with the following
formulas:
cbs: value from the counter bytes squared field
pkts: value from the counter packets field
bytes: value from the counter bytes field
Variance = (cbs/pkts) - (bytes/pkts)2
Standard deviation = square root of Variance
Example 1:
Packet sizes of the flow: 100, 100, 100, 100
Counter packets: 4
Counter bytes: 400, mean packet size = 100
Counter bytes squared: 40,000
Variance = (40,000/4) - (400/4)2 = 0
Cisco IOS Flexible NetFlow Command Reference
34
cache (Flexible NetFlow) through match flow
collect counter
Standard Deviation = 0
Size = 100 +/- 0
Example 2:
Packet sizes of the flow: 50, 150, 50, 150
Counter packets: 4
Counter bytes: 400, mean packet size = 100
Counter bytes squared: 50,000
Variance = (50,000/4) - (400/4)2 = 2500
Standard deviation = 50
Size = 100 +/- 50
Examples
The following example configures the total number of bytes in the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect counter bytes
The following example configures the total number of bytes in the flows as a nonkey field using a 64-bit
counter:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect counter bytes long
The following example configures the sum of the number of bytes of each packet in the flow squared as a
nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect counter bytes squared long
The following example configures the total number of packets from the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect counter packets
The following example configures the total number of packets from the flows as a nonkey field using a 64-bit
counter:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect counter packets long
The following example configures the total number of packets from the flows as a nonkey field using a 64-bit
counter:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect counter packets long
Related Commands
Command
Description
flow record
Creates a flow record for Flexible NetFlow.
flow record type performance-monitor
Creates a flow record for Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
35
cache (Flexible NetFlow) through match flow
collect datalink dot1q vlan
collect datalink dot1q vlan
To configure the 802.1Q (dot1q) VLAN ID as a non-key field for a Flexible NetFlow flow record, use the
collectdatalinkdot1qvlan command in Flexible NetFlow flow record configuration mode. To disable the use
of the 802.1Q VLAN ID value as a nonkey field for a Flexible NetFlow flow record, use the no form of this
command.
collect datalink dot1q vlan {input| output}
no collect datalink dot1q vlan {input| output}
Syntax Description
input
Configures the VLAN ID of traffic being received by
the router as a nonkey field.
output
Configures the VLAN ID of traffic being transmitted
by the router as a nonkey field.
Command Default
The 802.1Q VLAN ID is not configured as a nonkey field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
The input and output keywords of the collectdatalinkdot1qvlan command are used to specify the observation
point that is used by the collectdatalinkdot1qvlan command to capture the 802.1q VLAN IDs from network
traffic. For example, when you configure a flow record with the collectdatalinkdot1qvlaninput command
to monitor the simulated denial of service (DoS) attack in the figure below and apply the flow monitor to
which the flow record is assigned in either input (ingress) mode on interface Ethernet 0/0.1 on R3 or output
Cisco IOS Flexible NetFlow Command Reference
36
cache (Flexible NetFlow) through match flow
collect datalink dot1q vlan
(egress) mode on interface Ethernet 1/0.1 on R3, the observation point is always Ethernet 0/0.1 on R3. The
802.1q VLAN ID that is collected is 5.
Figure 4: Simulated DoS Attack (a)
The observation point of collect commands that do not have the input and/or output keywords is always the
interface to which the flow monitor that contains the flow record with the collect commands is applied.
Examples
The following example configures the 802.1Q VLAN ID of traffic being received by the router as a nonkey
field for a Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect datalink dot1q vlan input
Related Commands
Command
Description
flow record
Creates a flow record.
Cisco IOS Flexible NetFlow Command Reference
37
cache (Flexible NetFlow) through match flow
collect datalink mac
collect datalink mac
To configure the use of MAC addresses as a nonkey field for a Flexible NetFlow flow record, use the
collectdatalinkmac command in Flexible NetFlow flow record configuration mode. To disable the use of
Layer 2 MAC addresses as a non-key field for a Flexible NetFlow flow record, use the no form of this
command.
collect datalink mac {destination| source} address {input| output}
no collect datalink mac {destination| source} address {input| output}
Syntax Description
destination address
Configures the use of the destination MAC address
as a non-key field.
source address
Configures the use of the source MAC address as a
non-key field.
input
Packets received by the router.
output
Packets transmitted by the router.
Command Default
MAC addresses are not configured as a nonkey field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into 15.2(2)T without the destination keyword
for Cisco Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitorcommand before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
Cisco IOS Flexible NetFlow Command Reference
38
cache (Flexible NetFlow) through match flow
collect datalink mac
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing
the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to
provide additional information about the traffic in the flows. A change in the value of a nonkey field does not
create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
The input and output keywords of the collectdatalinkmac command are used to specify the observation
point that is used by the collectdatalinkmac command to capture the MAC addressees from network traffic.
For example, when you configure a flow record with the collectdatalinkmacdestinationaddressinputcommand
to monitor the simulated denial of service (DoS) attack in the figure below and apply the flow monitor to
which the flow record is assigned in either input (ingress) mode on interface Ethernet 0/0.1 on R3 or output
(egress) mode on interface Ethernet 1/0.1 on R3, the observation point is always Ethernet 0/0.1 on R3. The
destination MAC address that is collected is aaaa.bbbb.cc04.
Figure 5: Simulated DoS Attack (b)
When the destination output mac address is configured, the value is the destination mac address of the output
packet, even if the monitor the flow record is applied to is input only.
When the destination input mac address is configured, the value is the destination mac address of the input
packet, even if the monitor the flow record is applied to is output only.
When the source output mac address is configured, the value is the source mac address of the output packet,
even if the monitor the flow record is applied to is input only.
When the source input mac address is configured, the value is the source mac address of the input packet,
even if the monitor the flow record is applied to is output only.
Examples
The following example configures the use of the destination MAC address of packets that are received by the
router as a nonkey field for a Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect datalink mac destination address input
The following example configures the use of the source MAC addresses of packets that are transmitted by
the router as a nonkey field for a Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect datalink mac source address output
Cisco IOS Flexible NetFlow Command Reference
39
cache (Flexible NetFlow) through match flow
collect datalink mac
Examples
The following example configures the use of the source MAC addresses of packets that are transmitted by
the router as a nonkey field for a Performance Monitor flow record: :
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect datalink mac source address output
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
40
cache (Flexible NetFlow) through match flow
collect flow
collect flow
To configure the flow direction, the flow sampler ID number, or reason why the flow ended as a nonkey field
for a flow record, use the collect flow command in flow record configuration mode. To disable the use of the
flow direction and the flow sampler ID number as a nonkey field for a flow record, use the no form of this
command.
collect flow {direction| sampler}
no collect flow {direction| sampler}
Cisco IOS Release 15.1(4)M1
collect flow direction
no collect flow direction
Syntax Description
direction
Configures the flow direction as a nonkey field and
enables the collection of the direction in which the
flow was monitored.
sampler
Configures the flow sampler ID as a nonkey field and
enables the collection of the ID of the sampler that is
assigned to the flow monitor.
Command Default
The flow direction and the flow sampler ID number are not configured as nonkey fields.
Command Modes
flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco
IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(4)M1
This command was integrated into Cisco IOS Release 15.1(4)M1 with only
the direction keyword.
Cisco IOS Flexible NetFlow Command Reference
41
cache (Flexible NetFlow) through match flow
collect flow
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow record
configuration mode. For Performance Monitor, the mode is also known as Performance Monitor flow record
configuration mode. Here we refer to them both as flow record configuration mode.
The Flexible NetFlow and Performance Monitor collect commands are used to configure nonkey fields for
the flow monitor record and to enable capturing the values in the fields for the flow created with the record.
The values in nonkey fields are added to flows to provide additional information about the traffic in the flows.
A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields
are taken from only the first packet in the flow.
collect flow direction
This field indicates the direction of the flow. This is of most use when a single flow monitor is configured for
input and output flows. It can be used to find and eliminate flows that are being monitored twice, once on
input and once on output. This field may also be used to match up pairs of flows in the exported data when
the two flows are flowing in opposite directions.
collect flow sampler
This field contains the ID of the flow sampler used to monitor the flow. This is useful when more than one
flow sampler is being used with different sampling rates. The flow exporter option sampler-table command
exports options records with mappings of the flow sampler ID to sampling rate so the collector can calculate
the scaled counters for each flow.
Examples
The following example configures the ID of the flow sampler that is assigned to the flow as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect flow sampler
Examples
The following example configures the direction in which the flow was monitored as a nonkey field:
Router(config)# flow record type performance-monitor FLOW-RECORD-1
Router(config-flow-record)# collect flow direction
Related Commands
Command
Description
flow exporter
Creates a flow exporter
flow record
Creates a flow record for Flexible NetFlow.
flow record type performance-monitor
Creates a flow record for Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
42
cache (Flexible NetFlow) through match flow
collect interface
collect interface
To configure the input and output interface as a nonkey field for a flow record, use the collect interface
command in flow record configuration mode. To disable the use of the input and output interface as a nonkey
field for a flow record, use the no form of this command.
collect interface {input| output}
no collect interface {input| output}
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
collect interface {input [physical]| output} [snmp]
no collect interface {input [physical]| output} [snmp]
Syntax Description
input
Configures the input interface as a nonkey field and
enables collecting the input interface from the flows.
output
Configures the output interface as a nonkey field and
enables collecting the output interface from the flows.
Command Default
The input and output interface is not configured as a nonkey field.
Command Modes
flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC and
implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco
Performance Monitor.
12.2(58)SE
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco
Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
43
cache (Flexible NetFlow) through match flow
collect interface
Usage Guidelines
Release
Modification
12.2(50)SY
This command was modified. The physical and snmpkeywords were added
in Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow record
configuration mode. For Performance Monitor, the mode is also known as Performance Monitor flow record
configuration mode. Here we refer to them both as flow record configuration mode.
The Flexible NetFlow and Performance Monitor collect commands are used to configure nonkey fields for
the flow monitor record and to enable capturing the values in the fields for the flow created with the record.
The values in nonkey fields are added to flows to provide additional information about the traffic in the flows.
A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields
are taken from only the first packet in the flow.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
You must first enter theflowrecordtypeperformance-monitor command.
Examples
The following example configures the input interface as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect interface input
The following example configures the output interface as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect interface output
Examples
The following example configures the input interface as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect interface input
Related Commands
Command
Description
flow record
Creates a flow record for Flexible NetFlow.
flow record type performance-monitor
Creates a flow record for Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
44
cache (Flexible NetFlow) through match flow
collect ipv4
collect ipv4
To configure one or more of the IPv4 fields as a nonkey field for a flow record, use the collectipv4 command
in flow record configuration mode. To disable the use of one or more of the IPv4 fields as a nonkey field for
a flow record, use the no form of this command.
collect ipv4 {dscp| header-length| id| option map| precedence| protocol| tos| version}
no collect ipv4 {dscp| header-length| id| option map| precedence| protocol| tos| version}
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
collect ipv4 dscp
no collect ipv4 dscp
Syntax Description
dscp
Configures the differentiated services code point
(DCSP) field as a nonkey field and enables collecting
the value in the IPv4 DSCP type of service (ToS)
fields from the flows.
header-length
Configures the IPv4 header length flag as a nonkey
field and enables collecting the value in the IPv4
header length (in 32-bit words) field from the flows.
id
Configures the IPv4 ID flag as a nonkey field and
enables collecting the value in the IPv4 ID field from
the flows.
option map
Configures the IPv4 options flag as a nonkey field
and enables collecting the value in the bitmap
representing which IPv4 options have been seen in
the options field from the flows.
precedence
Configures the IPv4 precedence flag as a nonkey field
and enables collecting the value in the IPv4
precedence (part of ToS) field from the flows.
protocol
Configures the IPv4 payload protocol field as a
nonkey field and enables collecting the IPv4 value of
the payload protocol field for the payload in the flows
tos
Configures the ToS field as a nonkey field and enables
collecting the value in the IPv4 ToS field from the
flows.
version
Configures the version field as a nonkey field and
enables collecting the value in the IPv4 version field
from the flows.
Cisco IOS Flexible NetFlow Command Reference
45
cache (Flexible NetFlow) through match flow
collect ipv4
Command Default
The IPv4 fields are not configured as a nonkey field.
Command Modes
flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC and
implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco
Performance Monitor with only the dscp keyword.
12.2(58)SE
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco
Performance Monitor with only the dscp keyword.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow record
configuration mode. For Performance Monitor, the mode is also known as Performance Monitor flow record
configuration mode. Here we refer to them both as flow record configuration mode.
The Flexible NetFlow and Performance Monitor collect commands are used to configure nonkey fields for
the flow monitor record and to enable capturing the values in the fields for the flow created with the record.
The values in nonkey fields are added to flows to provide additional information about the traffic in the flows.
A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields
are taken from only the first packet in the flow.
Note
Some of the keywords of the collectipv4 command are documented as separate commands. All of the
keywords for the collectipv4 command that are documented separately start with collectipv4. For example,
for information about configuring the IPv4 time-to-live (TTL) field as a nonkey field and collecting its
value for a flow record, refer to the collectipv4ttl command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
Cisco IOS Flexible NetFlow Command Reference
46
cache (Flexible NetFlow) through match flow
collect ipv4
Only the the dscp keyword is available. You must first enter theflowrecordtypeperformance-monitor
command.
Examples
The following example configures the DSCP field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv4 dscp
Examples
The following example configures the DSCP field as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv4 dscp
Related Commands
Command
Description
flow record
Creates a flow record for Flexible NetFlow.
flow record type performance-monitor
Creates a flow record for Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
47
cache (Flexible NetFlow) through match flow
collect ipv4 destination
collect ipv4 destination
To configure the IPv4 destination address as a nonkey field for a flow record, use the collectipv4destination
command in flow record configuration mode. To disable the use of an IPv4 destination address field as a
nonkey field for a flow record, use the no form of this command.
collect ipv4 destination {address| {mask| prefix} [minimum-mask mask]}
no collect ipv4 destination {address| {mask| prefix} [minimum-mask mask]}
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
collect ipv4 destination mask [minimum-mask mask]
no collect ipv4 destination mask [minimum-mask mask]
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
collect ipv4 destination {mask| prefix}
no collect ipv4 destination {mask| prefix}
Syntax Description
address
Configures the IPv4 destination address as a nonkey
field and enables collecting the value of the IPv4
destination address from the flows.
mask
Configures the IPv4 destination address mask as a
nonkey field and enables collecting the value of the
IPv4 destination address mask from the flows.
prefix
Configures the prefix for the IPv4 destination address
as a nonkey field and enables collecting the value of
the IPv4 destination address prefix from the flows.
minimum-mask mask
(Optional) Specifies the size, in bits, of the minimum
mask. Range: 1 to 32.
Command Default
The IPv4 destination address is not configured as a nonkey field.
Command Modes
flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Cisco IOS Flexible NetFlow Command Reference
48
cache (Flexible NetFlow) through match flow
collect ipv4 destination
Usage Guidelines
Release
Modification
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC and
implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco
Performance Monitor with only the maskandminimum-maskkeywords.
12.2(58)SE
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco
Performance Monitor with only the maskandminimum-maskkeywords.
12.2(50)SY
This command was modified. The addressand minimum-mask keywords
were not supported in Cisco IOS Release 12.2(50)SY.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow record
configuration mode. For Performance Monitor, the mode is also known as Performance Monitor flow record
configuration mode. Here we refer to them both as flow record configuration mode.
The Flexible NetFlow and Performance Monitor collect commands are used to configure nonkey fields for
the flow monitor record and to enable capturing the values in the fields for the flow created with the record.
The values in nonkey fields are added to flows to provide additional information about the traffic in the flows.
A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields
are taken from only the first packet in the flow.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
Only the maskandminimum-maskkeywords are available. You must first enter
theflowrecordtypeperformance-monitor command.
Examples
The following example configures the IPv4 destination address prefix from the flows that have a prefix of 16
bits as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv4 destination prefix minimum-mask 16
Examples
The following example configures the IPv4 destination address prefix from the flows that have a prefix of 16
bits as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv4 destination prefix minimum-mask 16
Cisco IOS Flexible NetFlow Command Reference
49
cache (Flexible NetFlow) through match flow
collect ipv4 destination
Related Commands
Command
Description
flow record
Creates a flow record for Flexible NetFlow.
flow record type performance-monitor
Creates a flow record for Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
50
cache (Flexible NetFlow) through match flow
collect ipv4 fragmentation
collect ipv4 fragmentation
To configure the IPv4 fragmentation flags and the IPv4 fragmentation offset as a nonkey field for a flow
record, use the collect ipv4 fragmentation command in flow record configuration mode. To disable the use
of the IPv4 fragmentation flags and the IPv4 fragmentation offset as a nonkey field for a flow record, use the
no form of this command.
collect ipv4 fragmentation {flags| offset}
no collect ipv4 fragmentation {flags| offset}
Syntax Description
flags
Configures the IPv4 fragmentation flags as a nonkey
field and enables collecting the value in the IPv4
fragmentation flag fields from the flows.
offset
Configures the IPv4 fragmentation offset value as a
nonkey field and enables collecting the value in the
IPv4 fragmentation offset field from the flows.
Command Default
The IPv4 fragmentation flags and the IPv4 fragmentation offset are not configured as nonkey fields.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco
IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Cisco IOS Flexible NetFlow Command Reference
51
cache (Flexible NetFlow) through match flow
collect ipv4 fragmentation
collect ipv4 fragmentation flags
This field collects the "don’t fragment" and "more fragments" flags.
Bit 0: reserved, must be zero.
Bit 1: (DF) 0 = May Fragment, 1 = Don’t Fragment
Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments
Bits 3-7: (DC) Don’t Care, value is irrelevant
0
1
2
3
4
5
6
7
+---+---+---+---+---+---+---+---+
|
| D | M | D | D | D | D | D |
| 0 | F | F | C | C | C | C | C |
+---+---+---+---+---+---+---+---+
For more information on IPv4 fragmentation flags, see RFC 791 Internet Protocol at the following URL:
http://www.ietf.org/rfc/rfc791.txt .
Examples
The following example configures the IPv4 fragmentation flags as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv4 fragmentation flags
Examples
The following example configures the IPv4 fragmentation flags as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv4 fragmentation flags
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
52
cache (Flexible NetFlow) through match flow
collect ipv4 section
collect ipv4 section
To configure a section of an IPv4 packet as a nonkey field for a flow record, use the collect ipv4 section
command in flow record configuration mode. To disable the use of a section of an IPv4 packet as a nonkey
field for a flow record, use the no form of this command.
collect ipv4 section {header size header-size| payload size payload-size}
no collect ipv4 section {header size header-size| payload size payload-size}
Syntax Description
header size header-size
Configures the number of bytes of raw data starting
at the IPv4 header to use as a nonkey field, and
enables collecting the value in the raw data from the
flows. Range: 1 to 1200.
payload size payload-size
Configures the number of bytes of raw data starting
at the IPv4 payload to use as a nonkey field, and
enables collecting the value in the raw data from the
flows. Range: 1 to 1200.
Command Default
A section of an IPv4 packet is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco
IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
Cisco IOS Flexible NetFlow Command Reference
53
cache (Flexible NetFlow) through match flow
collect ipv4 section
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
It is recommended that you configure both header size and payload size so that you know how much data
is going to be captured.
collect ipv4 section header
This command causes the first IPv4 header to be copied into the flow record for this flow. Only the configured
size in bytes will be copied and part of the payload will also be captured if the configured size is larger than
the size of the header.
Note
This command can result in large records which use a lot of router memory and export bandwidth.
collect ipv4 section payload
This command results in a copy of the first IPv4 payload being put into the flow record for this flow. Only
the configured size in bytes will be copied and may end in a series of 0's if the configured size is greater than
the size of the payload.
Note
Examples
This command can result in large records which use a lot of router memory and export bandwidth.
The following example configures the first eight bytes from the IP header of the packets in the flows as a
non-key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv4 section header size 8
The following example configures the first 16 bytes from the payload of the packets in the flows as a non-key
field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv4 section payload size 16
Examples
The following example configures the first 16 bytes from the payload of the packets in the flows as a nonkey
field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv4 section payload size 16
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
54
cache (Flexible NetFlow) through match flow
collect ipv4 source
collect ipv4 source
To configure the IPv4 source address as a nonkey field for a flow record, use the collectipv4source command
in flow record configuration mode. To disable the use of the IPv4 source address field as a nonkey field for
a flow record, use the no form of this command.
collect ipv4 source {address| {mask| prefix} [minimum-mask mask]}
no collect ipv4 source {address| {mask| prefix} [minimum-mask mask]}
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
collect ipv4 source mask [minimum-mask mask]
no collect ipv4 source mask [minimum-mask mask]
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
collect ipv4 source {mask| prefix}
no collect ipv4 source {mask| prefix}
Syntax Description
address
Configures the IPv4 source address as a nonkey field
and enables collecting the value of the IPv4 source
address from the flows.
mask
Configures the IPv4 source address mask as a nonkey
field and enables collecting the value of the IPv4
source address mask from the flows.
prefix
Configures the prefix for the IPv4 source address as
a nonkey field and enables collecting the value of the
IPv4 source address prefix from the flows.
minimum-mask mask
(Optional) Specifies the size, in bits, of the minimum
mask. Range: 1 to 32.
Command Default
The IPv4 source address is not configured as a nonkey field.
Command Modes
flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Cisco IOS Flexible NetFlow Command Reference
55
cache (Flexible NetFlow) through match flow
collect ipv4 source
Usage Guidelines
Release
Modification
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC and
implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco
Performance Monitor with only the maskandminimum-maskkeywords.
12.2(58)SE
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco
Performance Monitor with only the maskandminimum-maskkeywords.
12.2(50)SY
This command was modified. The addressand minimum-mask keywords
were not supported in Cisco IOS Release 12.2(50)SY.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow record
configuration mode. For Performance Monitor, the mode is also known as Performance Monitor flow record
configuration mode. Here we refer to them both as flow record configuration mode.
The Flexible NetFlow and Performance Monitor collect commands are used to configure nonkey fields for
the flow monitor record and to enable capturing the values in the fields for the flow created with the record.
The values in nonkey fields are added to flows to provide additional information about the traffic in the flows.
A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields
are taken from only the first packet in the flow.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
Only the maskandminimum-maskkeywords are available. You must first enter
theflowrecordtypeperformance-monitor command.
collect ipv4 source prefix minimum-mask
The source address prefix is the network part of an IPv4 source address. The optional minimum mask allows
more information to be gathered about large networks.
collect ipv4 source mask minimum-mask
The source address mask is the number of bits that make up the network part of the source address. The
optional minimum mask allows a minimum value to be configured. This command is useful when there is a
minimum mask configured for the source prefix field and the mask is to be used with the prefix. In this case,
the values configured for the minimum mask should be the same for the prefix and mask fields.
Alternatively, if the collector is aware of the minimum mask configuration of the prefix field, the mask field
can be configured without a minimum mask so that the true mask and prefix can be calculated.
Cisco IOS Flexible NetFlow Command Reference
56
cache (Flexible NetFlow) through match flow
collect ipv4 source
Examples
The following example configures the IPv4 source address prefix from the flows that have a prefix of 16 bits
as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv4 source prefix minimum-mask 16
Examples
The following example configures the IPv4 source address prefix from the flows that have a prefix of 16 bits
as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv4 source prefix minimum-mask 16
Related Commands
Command
Description
flow record
Creates a flow record for Flexible NetFlow.
flow record type performance-monitor
Creates a flow record for Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
57
cache (Flexible NetFlow) through match flow
collect ipv4 total-length
collect ipv4 total-length
To configure the IPv4 total-length field as a nonkey field for a flow record, use the collect ipv4 total-length
command in flow record configuration mode. To disable the use of the IPv4 total-length field as a nonkey
field for a flow record, use the no form of this command.
collect ipv4 total-length [maximum| minimum]
no collect ipv4 total-length [maximum| minimum]
Syntax Description
maximum
(Optional) Configures the maximum value of the total
length field as a nonkey field and enables collecting
the maximum value of the total length field from the
flows.
minimum
(Optional) Configures the minimum value of the total
length field as a nonkey field and enables collecting
the minimum value of the total length field from the
flows.
Command Default
The IPv4 total-length field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco
IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
Cisco IOS Flexible NetFlow Command Reference
58
cache (Flexible NetFlow) through match flow
collect ipv4 total-length
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
collect ipv4 total-length [minimum | maximum]
This command is used to collect the lowest and highest IPv4 total length values seen in the lifetime of the
flow. Configuring this command results in more processing than is needed to simply collect the first total
length value seen using the collect ipv4 total-length command.
Examples
The following example configures total-length value as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv4 total-length
The following example configures minimum total-length value seen in the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv4 total-length minimum
Examples
The following example configures the minimum total-length value seen in the flows as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv4 total-length minimum
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
59
cache (Flexible NetFlow) through match flow
collect ipv4 ttl
collect ipv4 ttl
To configure the IPv4 time-to-live (TTL) field as a nonkey field for a flow record, use the collectipv4ttl
command in flow record configuration mode. To disable the use of the IPv4 TTL field as a nonkey field for
a flow record, use the no form of this command.
collect ipv4 ttl [maximum| minimum]
no collect ipv4 ttl [maximum| minimum]
Syntax Description
maximum
(Optional) Configures the maximum value of the TTL
field as a nonkey field and enables collecting the
maximum value of the TTL field from the flows.
minimum
(Optional) Configures the minimum value of the TTL
field as a nonkey field and enables collecting the
minimum value of the TTL field from the flows.
Command Default
The IPv4 time-to-live (TTL) field is not configured as a nonkey field.
Command Modes
flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC and
implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco
Performance Monitor.
12.2(58)SE
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco
Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
60
cache (Flexible NetFlow) through match flow
collect ipv4 ttl
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow record
configuration mode. For Performance Monitor, the mode is also known as Performance Monitor flow record
configuration mode. Here we refer to them both as flow record configuration mode.
The Flexible NetFlow and Performance Monitor collect commands are used to configure nonkey fields for
the flow monitor record and to enable capturing the values in the fields for the flow created with the record.
The values in nonkey fields are added to flows to provide additional information about the traffic in the flows.
A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields
are taken from only the first packet in the flow.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
You must first enter theflowrecordtypeperformance-monitor command.
collect ipv4 ttl [minimum | maximum]
This command is used to collect the lowest and highest IPv4 TTL values seen in the lifetime of the flow.
Configuring this command results in more processing than is needed to simply collect the first TTL value
seen using the collectipv4ttl command.
Examples
The following example configures the largest value for IPv4 TTL seen in the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv4 ttl maximum
The following example configures the smallest value for IPv4 TTL seen in the flows as a nonkey field
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv4 ttl minimum
Examples
The following example configures the smallest value for IPv4 TTL seen in the flows as a nonkey field
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv4 ttl minimum
Related Commands
Command
Description
flow record
Creates a flow record for Flexible NetFlow.
flow record type performance-monitor
Creates a flow record for Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
61
cache (Flexible NetFlow) through match flow
collect ipv6
collect ipv6
To configure one or more of the IPv6 fields as a nonkey field for a flow record, use the collect ipv6 command
in flow record configuration mode. To disable the use of one or more of the IPv6 fields as a nonkey field for
a flow record, use the no form of this command.
collect ipv6 {dscp| flow-label| next-header| payload-length| precedence| protocol| traffic-class| version}
no collect ipv6 {dscp| flow-label| next-header| payload-length| precedence| protocol| traffic-class| version}
Syntax Description
Command Default
dscp
Configures the differentiated services code point
(DCSP) field as a nonkey field and enables collecting
the value in the IPv6 DSCP type of service (ToS)
fields from the flows.
flow-label
Configures the IPv6 flow label as a nonkey field and
enables collecting the value in the IPv6 flow label
from the flows.
next-header
Configures the next-header field as a nonkey field
and enables collecting the value of the next-header
field in the IPv6 header from the flows.
payload-length
Configures the length of the IPv6 payload as a nonkey
field and enables collecting the number of bytes used
for the payload in the flows.
precedence
Configures the IPv6 precedence flag as a nonkey field
and enables collecting the value in the IPv6
precedence (part of ToS) field from the flows.
protocol
Configures the IPv6 payload protocol field as a
nonkey field and enables collecting the IPv6 value of
the payload protocol field for the payload in the flows.
traffic-class
Configures the IPv6 traffic-class field as a nonkey
field and enables collecting the value in the IPv6
protocol field from the flows.
version
Configures the IPv6 version field as a nonkey field
and enables collecting the value in the IPv6 version
field from the flows.
The IPv6 fields are not configured as a nonkey field.
Cisco IOS Flexible NetFlow Command Reference
62
cache (Flexible NetFlow) through match flow
collect ipv6
Command Modes
Command History
Usage Guidelines
Flow record configuration (config-flow-record)
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for
the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Note
Examples
Some of the keywords for the collect ipv6 command are documented as separate commands. All of the
keywords for the collect ipv6 command that are documented separately start with collect ipv6. For example,
for information about configuring the IPv6 hop limit field as a nonkey field and collecting its value for a
flow record, refer to the collect ipv6 hop-limit command.
The following example configures the IPv6 DSCP field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv6 dscp
Cisco IOS Flexible NetFlow Command Reference
63
cache (Flexible NetFlow) through match flow
collect ipv6
Examples
The following example configures the IPv6 DSCP field as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv6 dscp
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
64
cache (Flexible NetFlow) through match flow
collect ipv6 destination
collect ipv6 destination
To configure the IPv6 destination address as a nonkey field for a flow record, use the collect ipv6 destination
command in flow record configuration mode. To disable the use of an IPv6 destination address field as a
nonkey field for a flow record, use the no form of this command.
collect ipv6 destination {address| {mask| prefix} [minimum-mask mask]}
no collect ipv6 destination {address| {mask| prefix} [minimum-mask mask]}
Command Syntax on Cisco Catalyst 6500 Switches running Cisco IOS Release 12.2(50)SY
collect ipv6 destination {mask| prefix}
no collect ipv6 destination {mask| prefix}
Syntax Description
address
Configures the IPv6 destination address as a nonkey
field and enables collecting the value of the IPv6
destination address from the flows.
mask
Configures the IPv6 destination address mask as a
nonkey field and enables collecting the value of the
IPv6 destination address mask from the flows.
prefix
Configures the prefix for the IPv6 destination address
as a nonkey field and enables collecting the value of
the IPv6 destination address prefix from the flows.
minimum-mask mask
(Optional) Specifies the size, in bits, of the minimum
mask. Range: 1 to 128.
Command Default
TheIPv6 destination address is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The addressand minimum-mask keywords
were not supported in Cisco IOS Release 12.2(50)SY.
Cisco IOS Flexible NetFlow Command Reference
65
cache (Flexible NetFlow) through match flow
collect ipv6 destination
Usage Guidelines
Release
Modification
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures the IPv6 destination address prefix from the flows that have a prefix of 16
bits as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv6 destination prefix minimum-mask 16
Examples
The following example configures the IPv6 destination address prefix from the flows that have a prefix of 16
bits as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv6 destination prefix minimum-mask 16
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
66
cache (Flexible NetFlow) through match flow
collect ipv6 extension map
collect ipv6 extension map
To configure the bitmap of the IPv6 extension header map as a nonkey field for a flow record, use the collect
ipv6 extension map command in flow record configuration mode. To disable the use of the IPv6 bitmap of
IPv6 extension header map as a nonkey field for a flow record, use the no form of this command.
collect ipv6 extension map
no collect ipv6 extension map
Syntax Description
This command has no arguments or keywords.
Command Default
The use of the bitmap of the IPv6 extension header map is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for
the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Cisco IOS Flexible NetFlow Command Reference
67
cache (Flexible NetFlow) through match flow
collect ipv6 extension map
Bitmap of the IPv6 Extension Header Map
The bitmap of IPv6 extension header map is made up of 32 bits.
0
1
2
3
4
5
6
7
+-----+-----+-----+-----+-----+-----+-----+-----+
| Res | FRA1| RH | FRA0| UNK | Res | HOP | DST |
+-----+-----+-----+-----+-----+-----+-----+-----+
8
9
10
11
12
13
14
15
+-----+-----+-----+-----+-----+-----+-----+-----+
| PAY | AH | ESP |
Reserved
|
+-----+-----+-----+-----+-----+-----+-----+-----+
16
17
18
19
20
21
22
23
+-----+-----+-----+-----+-----+-----+-----+-----+
|
Reserved
|
+-----+-----+-----+-----+-----+-----+-----+-----+
24
25
26
27
28
29
30
31
+-----+-----+-----+-----+-----+-----+-----+-----+
|
Reserved
|
+-----+-----+-----+-----+-----+-----+-----+-----+
0 Res Reserved
1 FRA1 Fragmentation header - not first fragment
2 RH
Routing header
3 FRA0 Fragment header - first fragment
4 UNK Unknown Layer 4 header
(compressed, encrypted, not supported)
5 Res Reserved
6 HOP Hop-by-hop option header
7 DST Destination option header
8 PAY Payload compression header
9 AH Authentication Header
10 ESP Encrypted security payload
11 to 31 Reserved
For more information on IPv6 headers, refer to RFC 2460 Internet Protocol, Version 6 (IPv6) at the following
URL: http://www.ietf.org/rfc/rfc2460.txt .
Examples
The following example configures the bitmap of IPv6 extension header map as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv6 extension map
Examples
The following example configures the bitmap of IPv6 extension header map as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv6 extension map
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
68
cache (Flexible NetFlow) through match flow
collect ipv6 fragmentation
collect ipv6 fragmentation
To configure one or more of the IPv6 fragmentation fields as a nonkey field for a flow record, use the collect
ipv6 fragmentation command in flow record configuration mode. To disable the use one or more of the IPv6
fragmentation fields as a nonkey field for a flow record, use the no form of this command.
collect ipv6 fragmentation {flags| id| offset}
no collect ipv6 fragmentation {flags| id| offset}
Syntax Description
flags
Configures the IPv6 fragmentation flags as a non-key
field and enables collecting the value in the IPv6
fragmentation flag fields from the flows.
id
Configures the IPv6 fragmentation ID as a non-key
field and enables collecting the value in the IPv6
fragmentation id fields from the flows
offset
Configures the IPv6 fragmentation offset as a non-key
field and enables collecting the value in the IPv6
fragmentation offset field from the flows.
Command Default
The use of one or more of the IPv6 fragmentation fields is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for
the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
Cisco IOS Flexible NetFlow Command Reference
69
cache (Flexible NetFlow) through match flow
collect ipv6 fragmentation
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures the IPv6 fragmentation flags field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv6 fragmentation flags
Examples
The following example configures the IPv6 fragmentation flags field as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv6 fragmentation flags
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
70
cache (Flexible NetFlow) through match flow
collect ipv6 hop-limit
collect ipv6 hop-limit
To configure the IPv6 hop limit as a nonkey field for a flow record, use the collect ipv6 hop-limit command
in flow record configuration mode. To disable the use of the IPv6 hop limit field as a nonkey field for a flow
record, use the no form of this command.
collect ipv6 hop-limit [maximum] [minimum]
no collect ipv6 hop-limit [maximum] [minimum]
Syntax Description
maximum
(Optional) Configures the IPv6 maximum hop limit
as a nonkey field and enables collecting the value of
the IPv6 maximum hop limit from the flows.
minimum
(Optional) Configures the IPv6 minimum hop limit
as a nonkey field and enables collecting the value of
the IPv6 minimum hop limit from the flows.
Command Default
The IPv6 hop limit is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for
the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
collect ipv6 hop-limit [minimum | maximum]
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Cisco IOS Flexible NetFlow Command Reference
71
cache (Flexible NetFlow) through match flow
collect ipv6 hop-limit
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
This command is used to collect the lowest and highest IPv6 hop limit values seen in the lifetime of the flow.
Configuring this command results in more processing than is needed to simply collect the first hop limit value
seen using the collect ipv6 hop-limit command.
Examples
The following example configures the IPv6 maximum hop limit from the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv6 hop-limit maximum
Examples
The following example configures the IPv6 maximum hop limit from the flows as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv6 hop-limit maximum
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
72
cache (Flexible NetFlow) through match flow
collect ipv6 length
collect ipv6 length
To configure one or more of the IPv6 length fields as a nonkey field for a flow record, use the collect ipv6
lengthcommand in flow record configuration mode. To disable the use of one or more of the IPv6 length
fields as a nonkey field for a flow record, use the no form of this command.
collect ipv6 length {header| payload| total [maximum] [minimum]}
no collect ipv6 length {header| payload| total [maximum] [minimum]}
Syntax Description
header
Configures the length in bytes of the IPv6 header, not
including any extension headers, as a nonkey field
and collects the value of it for a flow record.
payload
Configures the length in bytes of the IPv6 payload,
including any extension headers, as a nonkey field
and collects the value of it for a flow record.
total
Configures the total length in bytes of the IPv6 header
and payload as a nonkey field and collects the value
of it for a flow record.
maximum
(Optional) Configures the maximum total length in
bytes of the IPv6 header and payload as a nonkey
field and collects the value of it for a flow record.
minimum
(Optional) Configures the minimum total length in
bytes of the IPv6 header and payload as a nonkey
field and collects the value of it for a flow record.
Command Default
The IPv6 length fields are not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for
the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
73
cache (Flexible NetFlow) through match flow
collect ipv6 length
Usage Guidelines
Release
Modification
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
collect ipv6 length [minimum | maximum]
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
This command is used to collect the lowest and highest IPv6 length values seen in the lifetime of the flow.
Configuring this command results in more processing than is needed to simply collect the length value seen
using the collect ipv6 length command.
Examples
The following example configures the length of the IPv6 header, not including any extension headers, in bytes
as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv6 length header
Examples
The following example configures the length of the IPv6 header, not including any extension headers, in bytes
as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv6 length header
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
74
cache (Flexible NetFlow) through match flow
collect ipv6 section
collect ipv6 section
To configure a section of an IPv6 packet as a nonkey field for a flow record, use the collect ipv6 section
command in flow record configuration mode. To disable the use of a section of an IPv6 packet as a nonkey
field for a flow record, use the no form of this command.
collect ipv6 section {header size header-size| payload size payload-size}
no collect ipv6 section {header size header-size| payload size payload-size}
Syntax Description
header size header-size
Configures the number of bytes of raw data, starting
at the IPv6 header, to use as a nonkey field, and
enables collecting the value in the raw data from the
flows. Range: 1 to 1200.
payload size payload-size
Configures the number of bytes of raw data, starting
at the IPv6 payload, to use as a nonkey field, and
enables collecting the value in the raw data from the
flows. Range: 1 to 1200.
Command Default
A section of an IPv6 packet is not configured as a non-key field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for
the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Cisco IOS Flexible NetFlow Command Reference
75
cache (Flexible NetFlow) through match flow
collect ipv6 section
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
It is recommended that you configure both header size and payload size so that you know how much data
is going to be captured.
Note
The IPv6 payload data is captured only if the first packet in the flow is an IPv6 packet. If the first packet
in the flow is not an IPv6 packet, information from other packets in the flow such as packet and byte
counters, is still captured.
collect ipv6 section header
This command causes a copy of the first IPv6 header to be put into the flow record for this flow. Only the
configured size in bytes will be copied, and part of the payload will also be captured if the configured size is
larger than the size of the header.
Note
Configuring this command can result in large records that use a lot of router memory and export bandwidth.
collect ipv6 section payload
This command causes a copy of the first IPv6 payload to be put into the flow record for this flow. Only the
configured size in bytes will be copied, and it may end in a series of zeros if the configured size is smaller
than the size of the payload.
Note
Examples
Configuring this command can result in large records that use a lot of router memory and export bandwidth.
The following example configures the first eight bytes from the IPv6 header of the packets in the flows as a
nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv6 section header size 8
The following example configures the first 16 bytes from the payload of the IPv6 packets in the flows as a
nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv6 section payload size 16
Cisco IOS Flexible NetFlow Command Reference
76
cache (Flexible NetFlow) through match flow
collect ipv6 section
Examples
The following example configures the first 16 bytes from the payload of the IPv6 packets in the flows as a
nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv6 section payload size 16
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
77
cache (Flexible NetFlow) through match flow
collect ipv6 source
collect ipv6 source
To configure the IPv6 source address as a nonkey field for a flow record, use the collect ipv6 source command
in flow record configuration mode. To disable the use of the IPv6 source address field as a nonkey field for
a flow record, use the no form of this command.
collect ipv6 source {address| {mask| prefix} [minimum-mask mask]}
no collect ipv6 source {address| {mask| prefix} [minimum-mask mask]}
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
collect ipv6 source {mask| prefix}
no collect ipv6 source {mask| prefix}
Syntax Description
address
Configures the IPv6 source address as a nonkey field
and enables collecting the value of the IPv6 source
address from the flows.
mask
Configures the IPv6 source address mask as a nonkey
field and enables collecting the value of the IPv6
source address mask from the flows.
prefix
Configures the prefix for the IPv6 source address as
a nonkey field and enables collecting the value of the
IPv6 source address prefix from the flows.
minimum-mask mask
(Optional) Specifies the size, in bits, of the minimum
mask. Range: 1 to 128.
Command Default
The IPv6 source address is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The addressand minimum-mask keywords
were not supported in Cisco IOS Release 12.2(50)SY.
Cisco IOS Flexible NetFlow Command Reference
78
cache (Flexible NetFlow) through match flow
collect ipv6 source
Usage Guidelines
Release
Modification
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
collect IPv6 source prefix minimum mask
The source address prefix field is the network part of the source address. The optional minimum mask allows
more information to be gathered about large networks.
collect IPv6 source mask minimum mask
The source address mask is the number of bits that make up the network part of the source address. The
optional minimum mask allows a minimum value to be configured. This command is useful when there is a
minimum mask configured for the source prefix field and the mask is to be used with the prefix. In this case,
the values configured for the minimum mask should be the same for the prefix and mask fields.
Alternatively, if the collector is aware of the minimum mask configuration of the prefix field, the mask field
can be configured without a minimum mask so that the true mask and prefix can be calculated.
Examples
The following example configures the IPv6 source address prefix from the flows that have a prefix of 16 bits
as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv6 source prefix minimum-mask 16
Examples
The following example configures the IPv6 source address prefix from the flows that have a prefix of 16 bits
as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv6 source prefix minimum-mask 16
Cisco IOS Flexible NetFlow Command Reference
79
cache (Flexible NetFlow) through match flow
collect ipv6 source
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
80
cache (Flexible NetFlow) through match flow
collect mpls label
collect mpls label
To configure MPLS label fields as a nonkey field for a flow record, use the collect mpls label command in
flow record configuration mode. To disable the use of the MPLS label fields as a nonkey field for a flow
record, use the no form of this command.
collect mpls {label 1| {details| exp| ttl}| label 2| {details}| label 3| {details}| label 4| {details}| label 5|
{details}| label 6| {details}}
no collect mpls {label 1| {details| exp| ttl}| label 2| {details}| label 3| {details}| label 4| {details}| label 5|
{details}| label 6| {details}}
Syntax Description
label 1
Configures the first MPLS label as a nonkey field.
details
Configures the details of the MPLS label as a nonkey
field.
exp
Configures the MPLS experimental level field as a
nonkey field.
ttl
Configures the time-to-life (TTL) for the MPLS label
as a nonkey field.
label 2
Configures the second MPLS label as a nonkey field.
label 3
Configures the third MPLS label as a nonkey field.
label 4
Configures the fourth MPLS label as a nonkey field.
label 5
Configures the fifth MPLS label as a nonkey field.
label 6
Configures the sixth MPLS label as a nonkey field.
Command Default
MPLS label fields are not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.9S
This command was introduced.
Cisco IOS Flexible NetFlow Command Reference
81
cache (Flexible NetFlow) through match flow
collect mpls label
Usage Guidelines
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures the details of the first MPLS label as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect mpls label 1 details
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
82
cache (Flexible NetFlow) through match flow
collect policy qos classification hierarchy
collect policy qos classification hierarchy
To configure QoS policy classification hierarchy field as a nonkey field for a flow record, use the collect
policy qos classification hierarchy command in flow record configuration mode. To disable the use of the
MPLS label fields as a nonkey field for a flow record, use the no form of this command.
collect policy qos classification hierarchy
no collect policy qos classification hierarchy
Syntax Description
This command has no arguments or keywords.
Command Default
QoS policy classification hierarchy field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.9S
This command was introduced.
Usage Guidelines
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures the details of the QoS policy classification hierarchy field as a nonkey
field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect policy qos classification hierarchy
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
83
cache (Flexible NetFlow) through match flow
collect policy qos queue index
collect policy qos queue index
To configure the QoS policy queue index as a nonkey field for a flow record, use the collect policy qos queue
indexcommand in flow record configuration mode. To disable the use of one or more of the routing attributes
as a nonkey field for a flow record, use the no form of this command.
collect policy qos queue index
no collect policy qos queue index
Syntax Description
This command has no arguments or keywords.
Command Default
QoS policy queue index is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.9S
This command was introduced.
Usage Guidelines
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures the QoS policy queue index as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect policy qos queue index
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
84
cache (Flexible NetFlow) through match flow
collect routing
collect routing
To configure one or more of the routing attributes as a nonkey field for a flow record, use the collect
routingcommand in flow record configuration mode. To disable the use of one or more of the routing attributes
as a nonkey field for a flow record, use the no form of this command.
collect routing {destination| source} [as [4-octet| peer [4-octet]]| traffic-index| forwarding-status| next-hop
address {ipv4| ipv6} [bgp]| vrf input| vrf output]
no collect routing {destination| source} [as [4-octet| peer [4-octet]]| traffic-index| forwarding-status|
next-hop address {ipv4| ipv6} [bgp]| vrf input| vrf output]
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
collect routing forwarding-status [reason]
no collect routing forwarding-status [reason]
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
collect routing {destination| source} [as [peer ]| forwarding-status| next-hop address {ipv4| ipv6} [bgp]]
no collect routing {destination| source} [as [peer ]| forwarding-status| next-hop address {ipv4| ipv6}
[bgp]]
Syntax Description
destination
Configures one or more of the destination routing
attributes fields as a nonkey field and enables
collecting the values from the flows.
source
Configures one or more of the source routing
attributes fields as a nonkey field and enables
collecting the values from the flows.
as
Configures the autonomous system field as a nonkey
field and enables collecting the value in the
autonomous system field from the flows.
4-octet
(Optional) Configures the 32-bit autonomous system
number as a nonkey field.
peer
(Optional) Configures the autonomous system number
of the peer network as a nonkey field and enables
collecting the value of the autonomous system number
of the peer network from the flows.
traffic-index
Configures the Border Gateway Protocol (BGP)
source or destination traffic index as a nonkey field
and enables collecting the value of the BGP
destination traffic index from the flows.
Cisco IOS Flexible NetFlow Command Reference
85
cache (Flexible NetFlow) through match flow
collect routing
forwarding-status
Configures the forwarding status as a nonkey field
and enables collecting the value of the forwarding
status of the packet from the flows.
next-hop address
Configures the next-hop address value as a nonkey
field and enables collecting information regarding the
next hop from the flows. The type of address (IPv4
or IPv6) is determined by the next keyword entered.
ipv4
Specifies that the next-hop address value is an IPv4
address.
ipv6
Specifies that the next-hop address value is an IPv6
address.
bgp
(Optional) Configures the IP address of the next hop
BGP network as a nonkey field and enables collecting
the value of the IP address of the BGP next-hop
network from the flows.
vrf input
Configures the Virtual Routing and Forwarding
(VRF) ID for incoming packets as a nonkey field.
vrf output
Configures the Virtual Routing and Forwarding
(VRF) ID for outgoing packets as a nonkey field.
reason
Configures the reason for the forwarding status as a
nonkey field.
Command Default
The routing attributes are not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC and
implemented on the Cisco 7200 series routers.
12.4(20)T
This command was modified. The ipv6 keyword was added.
Cisco IOS Flexible NetFlow Command Reference
86
cache (Flexible NetFlow) through match flow
collect routing
Usage Guidelines
Release
Modification
15.0(1)M
This command was modified. The vrf input keywords were added.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.2S
This command was modified. The 4-octet keyword was added.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco
Performance Monitor with only the forwarding-status keyword and the
addition of the reason keyword.
12.2(58)SE
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco
Performance Monitor with only the forwarding-status keyword and the
addition of the reason keyword.
12.2(50)SY
This command was modified. The traffic-index and vrf input keywords
were not supported in Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.8S
This command was modified. The vrf output keyword was added.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command; however the mode prompt is
the same for both products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow record
configuration mode. For Performance Monitor, the mode is also known as Performance Monitor flow record
configuration mode. Here we refer to them both as flow record configuration mode.
The Flexible NetFlow and Performance Monitor collect commands are used to configure nonkey fields for
the flow monitor record and to enable capturing the values in the fields for the flow created with the record.
The values in nonkey fields are added to flows to provide additional information about the traffic in the flows.
A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields
are taken from only the first packet in the flow.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
The reason keyword was added and only the forwarding-status keyword is available. You must first enter
theflow record type performance-monitor command.
collect routing source as [peer]
This command collects the 16-bit autonomous system number based on a lookup of the router’s routing table
using the source IP address. The optional peer keyword provides the expected next network, as opposed to
the originating network.
collect routing source as 4-octet [peer 4-octet]
This command collects the 32-bit autonomous system number based on a lookup of the router’s routing table
using the source IP address. The optional peer keyword provides the expected next network, as opposed to
the originating network.
collect routing destination as [peer]
Cisco IOS Flexible NetFlow Command Reference
87
cache (Flexible NetFlow) through match flow
collect routing
This command collects the 16-bit autonomous system number based on a lookup of the router’s routing table
using the destination IP address. The optional peer keyword provides the expected next network, as opposed
to the destination network.
collect routing destination as 4-octet [peer 4-octet]
This command collects the 32-bit autonomous system number based on a lookup of the router’s routing table
using the destination IP address. The peer keyword provides the expected next network, as opposed to the
destination network.
collect routing source traffic-index
This command collects the traffic-index field based on the source autonomous system for this flow. The
traffic-index field is a value propagated through BGP.
This command is not supported for IPv6.
collect routing destination traffic-index
This command collects the traffic-index field based on the destination autonomous system for this flow. The
traffic-index field is a value propagated through BGP.
This command is not supported for IPv6.
collect routing forwarding-status
This command collects a field to indicate if the packets were successfully forwarded. The field is in two parts
and may be up to 4 bytes in length. For the releases specified in the Command History table, only the status
field is used:
+-+-+-+-+-+-+-+-+
| S | Reason
|
| t | codes
|
| a | or
|
| t | flags
|
| u |
|
| s |
|
+-+-+-+-+-+-+-+-+
0 1 2 3 4 5 6 7
Status:
00b=Unknown, 01b = Forwarded, 10b = Dropped, 11b = Consumed
collect routing vrf input
This command collects the VRF ID from incoming packets on a router. In the case where VRFs are associated
with an interface via methods such as VRF Selection Using Policy Based Routing/Source IP Address, a VRF
ID of 0 will be recorded. If a packet arrives on an interface that does not belong to a VRF, a VRF ID of 0 is
recorded.
collect routing vrf output
This command collects the outgoing VRF ID for outgoing packets on a router based on the VRF associated
with the outgoing interface.
Examples
The following example configures the 16-bit autonomous system number based on a lookup of the router’s
routing table using the source IP address as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect routing source as
Cisco IOS Flexible NetFlow Command Reference
88
cache (Flexible NetFlow) through match flow
collect routing
The following example configures the 16-bit autonomous system number based on a lookup of the router’s
routing table using the destination IP address as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect routing destination as
The following example configures the value in the traffic-index field based on the source autonomous system
for a flow as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect routing source traffic-index
The following example configures the forwarding status as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect routing forwarding-status
The following example configures the VRF ID for incoming packets as a nonkey field for a Flexible NetFlow
flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect routing vrf input
The following example configures the VRF ID for outgoing packets as a nonkey field for a Flexible NetFlow
flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect routing vrf output
Examples
The following example configures the forwarding status as a nonkey field for a Performance Monitor flow
record:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect routing forwarding-status reason
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record for Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
89
cache (Flexible NetFlow) through match flow
collect routing is-multicast
collect routing is-multicast
To configure the use of the is-multicast field (indicating that the IPv4 traffic is multicast traffic) as a nonkey
field, use the collect routing is-multicastcommand in flow record configuration mode. To disable the use of
the is-multicast field as a nonkey field for a flow record, use the no form of this command.
collect routing is-multicast
no collect routing is-multicast
Syntax Description
This command has no arguments or keywords
Command Default
The is-multicast field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for
the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Cisco IOS Flexible NetFlow Command Reference
90
cache (Flexible NetFlow) through match flow
collect routing is-multicast
Examples
The following example configures the is-multicast field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect routing is-multicast
Examples
The following example configures the is-multicast field as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect routing is-multicast
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
91
cache (Flexible NetFlow) through match flow
collect services pfr
collect services pfr
To configure the Performance Routing (PfR) traffic class ID and the master controller ID per packet as a
nonkey field for a flow record, use the collect services pfr command in Flexible NetFLow flow record
configuration mode. To disable the use of the PfR IDs as a nonkey field for a flow record, use the no form of
this command.
collect services pfr {traffic-class-id| mc-id}
no collect services pfr {traffic-class-id| mc-id}
Syntax Description
traffic-class-id
Configures the Performance Routing (PfR) traffic
class ID per packet as a nonkey field.
mc-id
Configures the Performance Routing (PfR) master
controller ID per packet as a nonkey field.
Command Default
The PfR IDs per packet are not configured as a nonkey field.
Command Modes
Flexible NetFLow flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.9S
This command was introduced.
Usage Guidelines
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures the PfR traffic class ID per packet as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect services pfr traffic-class-id
Related Commands
Command
Description
flow record
Creates a flow record for Flexible NetFlow.
Cisco IOS Flexible NetFlow Command Reference
92
cache (Flexible NetFlow) through match flow
collect services pfr
Cisco IOS Flexible NetFlow Command Reference
93
cache (Flexible NetFlow) through match flow
collect timestamp absolute
collect timestamp absolute
To configure the absolute time of the first seen or last seen packet in a flow as a nonkey field for a flow record,
use the collect timestamp absolute command in Flexible NetFlow flow record configuration mode. To disable
the use of the first seen or last seen packet in a flow as a nonkey field for a flow record, use the no form of
this command.
collect timestamp absolute {first| last}
no collect timestamp absolute {first| last}
Syntax Description
first
Configures the absolute time that the first packet was seen from the flows as a nonkey field
and enables collecting time stamps based on the system uptime for the time the first packet
was seen from the flows.
last
Configures the absolute time that the last packet was seen from the flows as a nonkey field
and enables collecting time stamps based on the system uptime for the time the most recent
packet was seen from the flows.
Command Default
The absolute time field is not configured as a nonkey field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.2SE
This command was introduced.
Usage Guidelines
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures time stamps for the absolute time that the first packet was seen from the
flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect timestamp absolute first
Cisco IOS Flexible NetFlow Command Reference
94
cache (Flexible NetFlow) through match flow
collect timestamp absolute
The following example configures the time stamps for the absolute time that the most recent packet was seen
from the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect timestamp absolute last
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
95
cache (Flexible NetFlow) through match flow
collect timestamp sys-uptime
collect timestamp sys-uptime
To configure the system uptime of the first seen or last seen packet in a flow as a nonkey field for a flow
record, use the collect timestamp sys-uptime command in flow record configuration mode. To disable the
use of the first seen or last seen packet in a flow as a nonkey field for a flow record, use the no form of this
command.
collect timestamp sys-uptime {first| last}
no collect timestamp sys-uptime {first| last}
Syntax Description
first
Configures the system uptime for the time the first
packet was seen from the flows as a nonkey field and
enables collecting time stamps based on the system
uptime for the time the first packet was seen from the
flows.
last
Configures the system uptime for the time the last
packet was seen from the flows as a nonkey field and
enables collecting time stamps based on the system
uptime for the time the most recent packet was seen
from the flows.
Command Default
The system uptime field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco
IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS Flexible NetFlow Command Reference
96
cache (Flexible NetFlow) through match flow
collect timestamp sys-uptime
Usage Guidelines
Release
Modification
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures time stamps based on the system uptime for the time the first packet was
seen from the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect timestamp sys-uptime first
The following example configures the time stamps based on the system uptime for the time the most recent
packet was seen from the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect timestamp sys-uptime last
Examples
The following example configures the time stamps based on the system uptime for the time the most recent
packet was seen from the flows as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect timestamp sys-uptime last
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
97
cache (Flexible NetFlow) through match flow
collect timestamp sys-uptime
Cisco IOS Flexible NetFlow Command Reference
98
cache (Flexible NetFlow) through match flow
collect transport
collect transport
To configure one or more of the transport layer fields as a nonkey field for a flow record, use the collect
transport command in flow record configuration mode. To disable the use of one or more of the transport
layer fields as a nonkey field for a flow record, use the no form of this command.
collect transport {destination-port| igmp type| source-port}
no collect transport {destination-port| igmp type| source-port}
Syntax Description
destination-port
Configures the destination port as a nonkey field and
enables collecting the value of the destination port
from the flows.
igmp type
Configures the Internet Group Management Protocol
(IGMP) type as a nonkey field and enables collecting
the value of the IGMP type from the flows.
source-port
Configures the source port as a nonkey field and
enables collecting the value of the source port from
the flows.
Command Default
The transport layer fields are not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco
IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
99
cache (Flexible NetFlow) through match flow
collect transport
Usage Guidelines
Release
Modification
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures the transport destination port as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport destination-port
The following example configures the transport source port as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport source-port
Examples
The following example configures the transport source port as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect transport source-port
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
100
cache (Flexible NetFlow) through match flow
collect transport icmp ipv4
collect transport icmp ipv4
To configure the internet control message protocol (ICMP) IPv4 type field and the code field as nonkey fields
for a flow record, use the collect transport icmp ipv4 command in flow record configuration mode. To
disable the use of the ICMP IPv4 type field and code field as nonkey fields for a flow record, use the no form
of this command.
collect transport icmp ipv4 {code| type}
no collect transport icmp ipv4 {code| type}
Syntax Description
code
Configures the ICMP code as a nonkey field and
enables collecting the value of the ICMP code from
the flow.
type
Configures the ICMP type as a nonkey field and
enables collecting the value of the ICMP type from
the flow.
Command Default
The ICMP IPv4 type field and the code field are not configured as nonkey fields.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco
IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
101
cache (Flexible NetFlow) through match flow
collect transport icmp ipv4
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures the ICMP IPv4 code field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport icmp ipv4 code
The following example configures the ICMP IPv4 type field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport icmp ipv4 type
Examples
The following example configures the ICMP IPv4 type field as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect transport icmp ipv4 type
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
102
cache (Flexible NetFlow) through match flow
collect transport icmp ipv6
collect transport icmp ipv6
To configure the Internet Control Message Protocol (ICMP) IPv6 type field and code field as nonkey fields
for a flow record, use the collect transport icmp ipv6 command in flow record configuration mode. To
disable the use of the ICMP IPv6 type field and code field as nonkey fields for a flow record, use the no form
of this command.
collect transport icmp ipv6 {code| type}
no collect transport icmp ipv6 {code| type}
Syntax Description
code
Configures the ICMP code as a nonkey field and
enables collecting the value of the ICMP code from
the flow.
type
Configures the ICMP type as a nonkey field and
enables collecting the value of the ICMP type from
the flow.
Command Default
The ICMP IPv6 type field and code field are not configured as nonkey fields.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for
the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Cisco IOS Flexible NetFlow Command Reference
103
cache (Flexible NetFlow) through match flow
collect transport icmp ipv6
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures the ICMP IPv6 code field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport icmp ipv6 code
The following example configures the ICMP IPv6 type field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport icmp ipv6 type
Examples
The following example configures the ICMP IPv6 type field as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect transport icmp ipv6 type
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
104
cache (Flexible NetFlow) through match flow
collect transport tcp
collect transport tcp
To configure one or more of the TCP fields as a nonkey field for a flow record, use the collect transport tcp
command in flow record configuration mode. To disable the use of one or more of the TCP fields as a nonkey
field for a flow record, use the no form of this command.
collect transport tcp {acknowledgement-number| destination-port| flags [ack| cwr| ece| fin| psh| rst| syn|
urg]| header-length| maximum-segment-size| sequence-number| source-port| urgent-pointer| window-size|
window-size-average| window-size-maximum| window-size-minimum}
no collect transport tcp {acknowledgement-number| destination-port| flags [ack| cwr| ece| fin| psh| rst|
syn| urg]| header-length| maximum-segment-size| sequence-number| source-port| urgent-pointer|
window-size| window-size-average| window-size-maximum| window-size-minimum}
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
collect transport tcp flags [ack| cwr| ece| fin| psh| rst| syn| urg]
no collect transport tcp flags [ack| cwr| ece| fin| psh| rst| syn| urg]
Cisco IOS XE Release 3.2SE
collect transport tcp flags [ack| cwr| ece| fin| psh| rst| syn| urg]
no collect transport tcp flags [ack| cwr| ece| fin| psh| rst| syn| urg]
Syntax Description
acknowledgement- number
Configures the TCP acknowledgement number as a
nonkey field and enables collecting the value of the
TCP acknowledgment number from the flow.
destination-port
Configures the TCP destination port as a nonkey field
and enables collecting the value of the TCP
destination port from the flow.
flags
Configures one or more of the TCP flags as a nonkey
field and enables collecting the values from the flow.
ack
(Optional) Configures the TCP acknowledgment flag
as a nonkey field.
cwr
(Optional) Configures the TCP congestion window
reduced flag as a nonkey field.
ece
(Optional) Configures the TCP Explicit Congestion
Notification echo (ECE) flag as a nonkey field.
fin
(Optional) Configures the TCP finish flag as a nonkey
field.
Cisco IOS Flexible NetFlow Command Reference
105
cache (Flexible NetFlow) through match flow
collect transport tcp
psh
(Optional) Configures the TCP push flag as a nonkey
field.
rst
(Optional) Configures the TCP reset flag as a nonkey
field.
syn
(Optional) Configures the TCP synchronize flag as a
nonkey field.
urg
(Optional) Configures the TCP urgent flag as a
nonkey field.
header-length
Configures the TCP header length (in 32-bit words)
as a nonkey field and enables collecting the value of
the TCP header length from the flow.
maximum-segment-size
Configures the maximum segment size as a nonkey
field and enables collecting the values from the flow.
sequence-number
Configures the TCP sequence number as a nonkey
field and enables collecting the value of the TCP
sequence number from the flow.
source-port
Configures the TCP source port as a nonkey field and
enables collecting the value of the TCP source port
from the flow.
urgent-pointer
Configures the TCP urgent pointer as a nonkey field
and enables collecting the value of the TCP urgent
pointer from the flow.
window-size
Configures the TCP window size as a nonkey field
and enables collecting the value of the TCP window
size from the flow.
window-size-average
Configures the average window size as a nonkey field
and enables collecting the values from the flow.
window-size-maximum
Configures the maximum window size as a nonkey
field and enables collecting the values from the flow.
window-size-minimum
Configures the minimum window size as a nonkey
field and enables collecting the values from the flow.
Command Default
The TCP fields are not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Cisco IOS Flexible NetFlow Command Reference
106
cache (Flexible NetFlow) through match flow
collect transport tcp
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco
IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY without
the support of the acknowledgement-number, destination-port,
header-length, sequence-number,source-port, urgent-pointer,and
window-size keywords.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
Cisco IOS XE Release 3.6S This command was modified. The maximum-segment-size,
window-size-average, window-size-maximum, and window-size-minimum
keywords were added into Cisco IOS XE Release 3.6S for Cisco Performance
Monitor.
Cisco IOS XE Release 3.2SE This command was integrated into Cisco IOS XE Release 3.2SE without the
support for the acknowledgement-number, destination-port, header-length,
sequence-number,source-port, urgent-pointer,and window-size keywords.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing
the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to
provide additional information about the traffic in the flows. A change in the value of a nonkey field does not
create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Cisco IOS Flexible NetFlow Command Reference
107
cache (Flexible NetFlow) through match flow
collect transport tcp
collect transport tcp flags ece
For more information about ECN echo, refer to RFC 3168 The Addition of Explicit Congestion Notification
(ECN) to IP , at the following URL: http://www.ietf.org/rfc/rfc3168.txt .
Examples
The following example configures the TCP acknowledgment number as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport tcp acknowledgement-number
The following example configures the TCP source port as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport tcp source-port
The following example configures the TCP acknowledgment flag as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport tcp flags ack
The following example configures the TCP finish flag as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport tcp flags fin
The following example configures the TCP reset flag as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport tcp flags rst
Examples
The following example configures the TCP reset flag as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect transport tcp flags rst
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
108
cache (Flexible NetFlow) through match flow
collect transport udp
collect transport udp
To configure one or more of the user datagram protocol UDP fields as a nonkey field for a flow record, use
the collect transport udp command in flow record configuration mode. To disable the use of one or more of
the UDP fields as a nonkey field for a flow record, use the no form of this command.
collect transport udp {destination-port| message-length| source-port}
no collect transport udp {destination-port| message-length| source-port}
Syntax Description
destination-port
Configures the UDP destination port as a nonkey field
and enables collecting the value of the UDP
destination port fields from the flow.
message-length
Configures the UDP message length as a nonkey field
and enables collecting the value of the UDP message
length fields from the flow.
source-port
Configures the UDP source port as a nonkey field
and enables collecting the value of the UDP source
port fields from the flow.
Command Default
The UDP fields are not configured as nonkey fields.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco
IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
109
cache (Flexible NetFlow) through match flow
collect transport udp
Usage Guidelines
Release
Modification
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and
to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields
are added to flows to provide additional information about the traffic in the flows. A change in the value of
a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the
first packet in the flow.
Examples
The following example configures the UDP destination port as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport udp destination-port
The following example configures the UDP message length as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport udp message-length
The following example configures the UDP source port as a non-key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport udp source-port
Examples
The following example configures the UDP source port as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect transport udp source-port
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
110
cache (Flexible NetFlow) through match flow
debug flow exporter
debug flow exporter
To enable debugging output for Flexible NetFlow flow exporters, use the debug flow exporter command in
privileged EXEC mode. To disable debugging output, use the no form of this command.
debug flow exporter [[name] exporter-name] [error] [event] [packets number]
no debug flow exporter [[name] exporter-name] [error] [event] [packets number]
Syntax Description
Command Modes
Command History
name
(Optional) Specifies the name of a flow exporter.
exporter-name
(Optional) The name of a flow exporter that was
previously configured.
error
(Optional) Enables debugging for flow exporter
errors.
event
(Optional) Enables debugging for flow exporter
events.
packets
(Optional) Enables packet-level debugging for flow
exporters.
number
(Optional) The number of packets to debug for
packet-level debugging of flow exporters. Range: 1
to 65535.
Privileged EXEC (#)
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS Flexible NetFlow Command Reference
111
cache (Flexible NetFlow) through match flow
debug flow exporter
Examples
Release
Modification
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
The following example indicates that a flow exporter packet has been queued for process send:
Router# debug flow exporter
May 21 21:29:12.603: FLOW EXP: Packet queued for process send
Related Commands
Command
Description
clear flow exporter
Clears the Flexible NetFlow statistics for exporters.
Cisco IOS Flexible NetFlow Command Reference
112
cache (Flexible NetFlow) through match flow
debug flow monitor
debug flow monitor
To enable debugging output for Flexible NetFlow flow monitors, use the debug flow monitor command in
privileged EXEC mode. To disable debugging output, use the no form of this command.
debug flow monitor [error] [[name] monitor-name [cache] [error] [packets packets]]
no debug flow monitor [error] [[name] monitor-name [cache] [error] [packets packets]]
Syntax Description
Command Modes
Command History
error
(Optional) Enables debugging for flow monitor errors.
name
(Optional) Specifies the name of a flow monitor.
monitor-name
(Optional) The name of a flow monitor that was
previously configured.
cache
(Optional) Enables debugging for the flow monitor
cache.
packets
(Optional) Enables packet-level debugging for flow
monitors.
packets
(Optional) The number of packets to debug for
packet-level debugging of flow monitors. Range: 1
to 65535.
Privileged EXEC (#)
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS Flexible NetFlow Command Reference
113
cache (Flexible NetFlow) through match flow
debug flow monitor
Examples
Release
Modification
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
The following example shows that the cache for FLOW-MONITOR-1 was deleted:
Router# debug flow monitor FLOW-MONITOR-1 cache
May 21 21:53:02.839: FLOW MON: 'FLOW-MONITOR-1' deleted cache
Related Commands
Command
Description
clear flow monitor
Clears the Flexible NetFlow flow monitor.
Cisco IOS Flexible NetFlow Command Reference
114
cache (Flexible NetFlow) through match flow
debug flow record
debug flow record
To enable debugging output for Flexible NetFlow flow records, use the debug flow record command in
privileged EXEC mode. To disable debugging output, use the no form of this command.
debug flow record [[name] record-name| netflow-original| netflow {ipv4| ipv6} record [peer]| netflow-v5|
options {exporter-statistics| interface-table| sampler-table| vrf-id-name-table}]
no debug flow record [[name] record-name| netflow-original| netflow {ipv4| ipv6} record [peer]| netflow-v5|
options {exporter-statistics| interface-table| sampler-table| vrf-id-name-table}]
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
debug flow record [[name] record-name| netflow-v5| options {exporter-statistics| interface-table|
sampler-table| vrf-id-name-table}| platform-original {ipv4| ipv6} record [detailed| error]]
no debug flow record [[name] record-name| netflow-v5| options {exporter-statistics| interface-table|
sampler-table| vrf-id-name-table}| platform-original {ipv4| ipv6} record [detailed| error]]
Cisco IOS XE Release 3.2SE
debug flow record [[name] record-name| netflow {ipv4| ipv6} record [peer]| netflow-v5| options
sampler-table ]
no debug flow record [[name] record-name| netflow {ipv4| ipv6} record [peer]| netflow-v5| options
sampler-table ]
Syntax Description
name
(Optional) Specifies the name of a flow record.
record-name
(Optional) Name of a user-defined flow record that
was previously configured.
netflow-original
(Optional) Specifies the traditional IPv4 input
NetFlow with origin autonomous systems.
netflow {ipv4 | ipv6} record
(Optional) Specifies the name of the NetFlow
predefined record. See the table below.
peer
(Optional) Includes peer information for the NetFlow
predefined records that support the peer keyword.
Note
The peer keyword is not supported for
every type of NetFlow predefined record.
See the table below.
options
(Optional) Includes information on other flow record
options.
exporter-statistics
(Optional) Includes information on the flow exporter
statistics.
Cisco IOS Flexible NetFlow Command Reference
115
cache (Flexible NetFlow) through match flow
debug flow record
Command Modes
Command History
interface-table
(Optional) Includes information on the interface
tables.
sampler-table
(Optional) Includes information on the sampler tables.
vrf-id-name-table
(Optional) Includes information on the virtual routing
and forwarding (VRF) ID-to-name tables.
platform-original ipv4 record
Configures the flow monitor to use one of the
predefined IPv4 records.
platform-original ipv6 record
Configures the flow monitor to use one of the
predefined IPv6 records.
detailed
(Optional) Displays detailed information.
error
(Optional) Displays errors only.
Privileged EXEC (#)
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on
the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on
the Cisco 7200 series routers.
12.4(20)T
This command was modified. The ipv6 keyword was added in Cisco IOS
Release 12.4(20)T.
15.0(1)M
This command was modified. The vrf-id-name-table keyword was added.
12.2(33)SRE
This command was modified. Support for this command was implemented on
the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY without
support for the netflow-original, netflow, ipv4, netflow, ipv6 and peer
keywords. The platform-original ipv4 and platform-originalipv6 keywords
were added.
Cisco IOS Flexible NetFlow Command Reference
116
cache (Flexible NetFlow) through match flow
debug flow record
Usage Guidelines
Release
Modification
Cisco IOS XE Release
3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE without the
support for the netflow-original, options exporter-statistics, options
interface-table and option vrf-id-name-table keywords.
The table below describes the keywords and descriptions for the record argument.
Table 1: Keywords and Descriptions for the record Argument
Keyword
Description
IPv4 Support
IPv6 Support
as
Autonomous system
record.
Yes
Yes
as-tos
Autonomous system and Yes
type of service (ToS)
record.
—
bgp-nexthop-tos
BGP next-hop and ToS
record.
Yes
—
bgp-nexthop
BGP next-hop record.
—
Yes
destination
Original 12.2(50)SY
platform IPv4/IPv6
destination record.
Yes
Yes
destination-prefix
Destination prefix record. Yes
Yes
Note
For IPv6, a
minimum prefix
mask length of 0
bits is assumed.
Yes
—
destination-prefix-tos
Destination prefix and
ToS record.
destination-source
Original 12.2(50)SY
Yes
platform IPv4/IPv6
destination-source record.
Yes
full
Original 12.2(50)SY
platform IPv4/IPv6 full
record.
Yes
Yes
interface-destination
Original 12.2(50)SY
platform IPv4/IPv6
interface-destination
record.
Yes
Yes
Cisco IOS Flexible NetFlow Command Reference
117
cache (Flexible NetFlow) through match flow
debug flow record
Keyword
Description
interface-destinationsource
Original 12.2(50)SY
Yes
platform IPv4/IPv6
interface-destination-source
record.
Yes
interface-full
Original 12.2(50)SY
platform IPv4/IPv6
interface-full record.
Yes
Yes
interface-source
Original 12.2(50)SY
platform IPv4/IPv6
interface-source only
record.
Yes
Yes
original-input
Traditional IPv4 input
NetFlow.
Yes
Yes
original-output
Traditional IPv4 output
NetFlow.
Yes
Yes
prefix
Source and destination
prefixes record.
Yes
Yes
Yes
—
Note
prefix-port
The peer
keyword is not
available for this
record.
prefix-tos
Prefix ToS record.
Yes
—
protocol-port
Protocol ports record.
Yes
Yes
Yes
—
Note
protocol-port-tos
The peer
keyword is not
available for this
record.
Protocol port and ToS
record.
Note
Cisco IOS Flexible NetFlow Command Reference
118
IPv6 Support
For IPv6, a
minimum prefix
mask length of 0
bits is assumed.
Prefix port record.
Note
IPv4 Support
The peer
keyword is not
available for this
record.
cache (Flexible NetFlow) through match flow
debug flow record
Keyword
Description
IPv4 Support
IPv6 Support
source
Original 12.2(50)SY
platform IPv4/IPv6
source only record.
Yes
Yes
source-prefix
Source autonomous
Yes
system and prefix record.
Yes
Note
source-prefix-tos
Examples
For IPv6, a
minimum prefix
mask length of 0
bits is assumed.
Source prefix and ToS
record.
Yes
—
The following example enables debugging for the flow record:
Router# debug flow record FLOW-record-1
Related Commands
Command
Description
flow record
Create a Flexible NetFlow flow record.
Cisco IOS Flexible NetFlow Command Reference
119
cache (Flexible NetFlow) through match flow
debug sampler
debug sampler
To enable debugging output for Flexible NetFlow samplers, use the debug sampler command in privileged
EXEC mode. To disable debugging output, use the no form of this command.
debug sampler [detailed| error| [name] sampler-name [detailed| error| sampling samples]]
no debug sampler [detailed| error| [name] sampler-name [detailed| error| sampling]]
Syntax Description
Command Modes
Command History
detailed
(Optional) Enables detailed debugging for sampler
elements.
error
(Optional) Enables debugging for sampler errors.
name
(Optional) Specifies the name of a sampler.
sampler-name
(Optional) Name of a sampler that was previously
configured.
sampling samples
(Optional) Enables debugging for sampling and
specifies the number of samples to debug.
Privileged EXEC (#)
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Cisco IOS Flexible NetFlow Command Reference
120
cache (Flexible NetFlow) through match flow
debug sampler
Examples
The following sample output shows that the debug process has obtained the ID for the sampler named
SAMPLER-1:
Router#
*Oct 28
get ID
*Oct 28
get ID
Related Commands
debug sampler detailed
04:14:30.883: Sampler: Sampler(SAMPLER-1: flow monitor FLOW-MONITOR-1 (ip,Et1/0,O)
succeeded:1
04:14:30.971: Sampler: Sampler(SAMPLER-1: flow monitor FLOW-MONITOR-1 (ip,Et0/0,I)
succeeded:1
Command
Description
clear sampler
Clears the Flexible NetFlow sampler statistics.
Cisco IOS Flexible NetFlow Command Reference
121
cache (Flexible NetFlow) through match flow
default (Flexible NetFlow)
default (Flexible NetFlow)
To configure the default values for a Flexible NetFlow (FNF) flow exporter, use the default command in
Flexible NetFlow flow exporter configuration mode.
default {description| destination| dscp| export-protocol| option {application-table| exporter-stats|
interface-table| sampler-table| vrf-table}| output-features| source| template data timeout| transport| ttl}
Cisco IOS XE Release 3.2SE
default {description| destination| dscp| export-protocol| option {exporter-stats| interface-table|
sampler-table}| source| template data timeout| transport| ttl}
Syntax Description
description
Provides a description for the flow exporter.
destination
Configures the export destination.
dscp
Configures optional Differentiated Services Code
Point (DSCP) values.
export-protocol
Configures the export protocol version.
option
Selects the option for exporting.
application-table
Selects the application table option.
exporter-stats
Selects the exporter statistics option.
interface-table
Selects the interface SNMP-index-to-name table
option.
sampler-table
Selects the export sampler option.
vrf-table
Selects the VRF ID-to-name table option.
output-features
Sends export packets via the Cisco IOS output feature
path.
source
Configures the originating interface.
template
Configures the flow exporter template.
data
Configure the flow exporter data.
timeout
Resends data based on a timeout.
transport
Configures the transport protocol.
Cisco IOS Flexible NetFlow Command Reference
122
cache (Flexible NetFlow) through match flow
default (Flexible NetFlow)
Configures optional time-to-live (TTL) or hop limit.
ttl
Command Modes
Command History
Flexible NetFlow flow exporter configuration (config-flow-exporter)
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE without
the support for the option application-table , option vrf-table, and
output-features keywords.
Usage Guidelines
Use the default command to configure the default values for an FNF flow exporter. The flow exporter
information is needed to export the data metrics to a specified destination, port number, and so on.
Examples
The following example shows how to set the default destination for an FNF flow exporter:
Router(config)# flow exporter e1
Router(config-flow-exporter)# default destination
Related Commands
Command
Description
flow exporter
Creates a flow exporter.
Cisco IOS Flexible NetFlow Command Reference
123
cache (Flexible NetFlow) through match flow
description (Flexible NetFlow)
description (Flexible NetFlow)
To configure a description for a Flexible NetFlow flow sampler, flow monitor, flow exporter, or flow record,
use the description command in the appropriate configuration mode. To remove a description, use the no
form of this command.
description description
no description
Syntax Description
description
Text string that describes the flow sampler, flow
monitor, flow exporter, or flow record.
Command Default
The default description for a Flexible NetFlow flow sampler, flow monitor, flow exporter, or flow record is
“User defined”.
Command Modes
Flexible NetFlow flow exporter configuration (config-flow-exporter) Flexible NetFlow flow monitor
configuration (config-flow-monitor) Flexible NetFlow flow record configuration (config-flow-record) Flexible
NetFlow sampler configuration (config-sampler)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Cisco IOS Flexible NetFlow Command Reference
124
cache (Flexible NetFlow) through match flow
description (Flexible NetFlow)
Examples
The following example configures a description for a flow monitor:
Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)# description Monitors traffic to 172.16.100.0 255.255.255.0
Related Commands
Command
Description
flow exporter
Creates a flow exporter.
flow monitor
Creates a flow monitor.
flow record
Creates a flow record.
sampler
Creates a flow sampler.
Cisco IOS Flexible NetFlow Command Reference
125
cache (Flexible NetFlow) through match flow
destination
destination
To configure an export destination for a Flexible NetFlow flow exporter, use the destination command in
Flexible NetFlow flow exporter configuration mode. To remove an export destination for a Flexible NetFlow
flow exporter, use the no form of this command.
destination {{ip-address| hostname}| vrf vrf-name}
no destination
Syntax Description
ip-address
IP address of the workstation to which you want to
send the NetFlow information.
hostname
Hostname of the device to which you want to send
the NetFlow information.
vrf vrf-name
Specifies that the export data packets are to be sent
to the named Virtual Private Network (VPN) routing
and forwarding (VRF) instance for routing to the
destination, instead of to the global routing table.
Command Default
An export destination is not configured.
Command Modes
Flexible NetFlow flow exporter configuration (config-flow-exporter)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
15.1(3)T
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS Flexible NetFlow Command Reference
126
cache (Flexible NetFlow) through match flow
destination
Usage Guidelines
Release
Modification
12.2(58)SE
This command was modified. Support for the Cisco Performance Monitor
was added.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T and added
support for exporting data to a destination using an IPv6 address.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Each flow exporter can have only one destination address or hostname.
For some releases, you can export data to a destination using an IPv6 address.
When you configure a hostname instead of the IP address for the device, the hostname is resolved immediately
and the IP address is stored in the running configuration. If the hostname-to-IP-address mapping that was
used for the original domain name system (DNS) name resolution changes dynamically on the DNS server,
the router does not detect this, and the exported data continues to be sent to the original IP address, resulting
in a loss of data. Resolving the hostname immediately is a prerequisite of the export protocol, to ensure that
the templates and options arrive before the data
Examples
The following example shows how to configure the networking device to export the Flexible NetFlow cache
entry to a destination system:
Router(config)# flow exporter FLOW-EXPORTER-1
Router(config-flow-exporter)# destination 10.0.0.4
The following example shows how to configure the networking device to export the Flexible NetFlow cache
entry to a destination system using a VRF named VRF-1:
Router(config)# flow exporter FLOW-EXPORTER-1
Router(config-flow-exporter)# destination 172.16.10.2 vrf VRF-1
Related Commands
Command
Description
flow exporter
Creates a flow exporter.
Cisco IOS Flexible NetFlow Command Reference
127
cache (Flexible NetFlow) through match flow
dscp (Flexible NetFlow)
dscp (Flexible NetFlow)
To configure a differentiated services code point (DSCP) value for Flexible NetFlow flow exporter datagrams,
use the dscp command in Flexible NetFlow flow exporter configuration mode. To remove a DSCP value for
Flexible NetFlow flow exporter datagrams, use the no form of this command.
dscp dscp
no dscp
Syntax Description
dscp
The DSCP to be used in the DSCP field in exported
datagrams. Range: 0 to 63. Default: 0.
Command Default
The differentiated services code point (DSCP) value is 0.
Command Modes
Flexible NetFlow flow exporter configuration (config-flow-exporter)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was modified. Support for the Cisco Performance Monitor
was added.
12.2(58)SE
This command was modified. Support for the Cisco Performance Monitor
was added.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Cisco IOS Flexible NetFlow Command Reference
128
cache (Flexible NetFlow) through match flow
dscp (Flexible NetFlow)
Examples
The following example sets 22as the value of the DSCP field in exported datagrams:
Router(config)# flow exporter FLOW-EXPORTER-1
Router(config-flow-exporter)# dscp 22
Related Commands
Command
Description
flow exporter
Creates a flow exporter.
Cisco IOS Flexible NetFlow Command Reference
129
cache (Flexible NetFlow) through match flow
execute (Flexible NetFlow)
execute (Flexible NetFlow)
To execute a shell function for a Flexible NetFlow (FNF) flow exporter, use the execute command in FNF
flow exporter configuration mode.
execute name [description...]
Syntax Description
name
Name of the shell function to execute.
description
(Optional) Description of the shell function parameter
values. You can enter multiple descriptions.
Command Default
No shell function is executed.
Command Modes
FNF flow exporter configuration (config-flow-exporter)
Command History
Examples
Release
Modification
15.4(M)
This command was introduced.
The following example shows how to execute a shell function, function1:
Router(config)# flow exporter e1
Router(config-flow-exporter)# execute function1
Related Commands
Command
Description
flow exporter
Creates a flow exporter.
Cisco IOS Flexible NetFlow Command Reference
130
cache (Flexible NetFlow) through match flow
exporter
exporter
To configure a flow exporter for a flow monitor, use the exporter command in the appropriate configuration
mode. To remove a flow exporter for a flow monitor, use the no form of this command.
exporter exporter-name
no exporter exporter-name
Syntax Description
exporter-name
Name of a flow exporter that was previously
configured.
Command Default
An exporter is not configured.
Command Modes
Flow monitor configuration (config-flow-monitor) Policy configuration (config-pmap-c) Policy monitor
configuration (config-pmap-c-flowmon)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
15.1(3)T
This command was modified. Support for the Cisco Performance Monitor
was added. Support was added for policy configuration mode and policy
monitor configuration configuration mode.
12.2(58)SE
This command was modified. Support for the Cisco Performance Monitor
was added.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Cisco IOS Flexible NetFlow Command Reference
131
cache (Flexible NetFlow) through match flow
exporter
Usage Guidelines
You must have already created a flow exporter by using the flow exporter command before you can apply
the flow exporter to a flow monitor with the exporter command.
For Performance Monitor, you can associate a flow exporter with a flow monitor while configuring either a
flow monitor, policy map, or service policy.
Note
Examples
You can configure up to 5 flow exporters after using the flow monitor type performance-monitor
command.
The following example configures an exporter for a flow monitor:
Device(config)# flow monitor FLOW-MONITOR-1
Device(config-flow-monitor)# exporter EXPORTER-1
The following example shows one of the ways to configure a flow exporter for Performance Monitor:
Device(config)# policy-map type performance-monitor policy-4
Device(config-pmap)# class class-4
Device(config-pmap-c)# flow monitor monitor-4
Device(config-pmap-c-flowmon)# exporter exporter-4
Related Commands
Command
Description
flow exporter
Creates a flow exporter.
flow monitor
Creates a flow monitor.
flow monitor type performance-monitor
Creates a flow monitor for Performance Monitor.
policy-map type performance-monitor
Creates a policy map for Performance Monitor
service-policy type performance-monitor
Associates policy map with an interface for
Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
132
cache (Flexible NetFlow) through match flow
export-protocol
export-protocol
To configure the export protocol for a Flexible NetFlow exporter, use the export-protocol command in
Flexible NetFlow flow exporter configuration mode. To restore the use of the default export protocol for a
Flexible NetFlow exporter, use the no form of this command.
export-protocol {netflow-v5| netflow-v9| ipfix}
no export-protocol
Cisco IOS XE Release 3.2SE
export-protocol netflow-v9
no export-protocol
Syntax Description
netflow-v5
Configures Netflow Version 5 export as the export
protocol.
netflow-v9
Configures Netflow Version 9 export as the export
protocol.
ipfix
Configures IPFIX as the export protocol. The export
of extracted fields from NBAR is supported only over
IPFIX.
Command Default
Netflow Version 9 export is used as the export protocol for a Flexible NetFlow exporter.
Command Modes
Flexible NetFlow flow exporter configuration (config-flow-exporter)
Command History
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE)
series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
15.1(3)T
This command was modified. Support for the Cisco Performance Monitor
was added.
12.2(58)SE
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS Flexible NetFlow Command Reference
133
cache (Flexible NetFlow) through match flow
export-protocol
Usage Guidelines
Release
Modification
15.2(4)M
This command was modified. The ipfix keyword was added in Cisco
IOS Release 15.2(4)M.
Cisco IOS XE Release 3.8S
This command was integrated into Cisco IOS XE Release 3.8S.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE without
the support for the netflow-v5 and ipfix keywords.
The NetFlow Version 5 export protocol is supported only for flow monitors that use the Flexible NetFlow
predefined records.
The export of extracted fields from NBAR is supported only over IPFIX.
Examples
The following example configures Netflow Version 5 export as the export protocol for a Flexible NetFlow
exporter:
Router(config)# flow exporter FLOW-EXPORTER-1
Router(config-flow-exporter)# export-protocol netflow-v5
Related Commands
Command
Description
flow exporter
Creates a flow exporter
Cisco IOS Flexible NetFlow Command Reference
134
cache (Flexible NetFlow) through match flow
flow exporter
flow exporter
To create a Flexible NetFlow flow exporter, or to modify an existing Flexible NetFlow flow exporter, and
enter Flexible NetFlow flow exporter configuration mode, use the flow exporter command in global
configuration mode. To remove a Flexible NetFlow flow exporter, use the no form of this command.
flow exporter exporter-name
no flow exporter exporter-name
Syntax Description
exporter-name
Name of the flow exporter that is being created or
modified.
Command Default
Flexible NetFlow flow exporters are not present in the configuration.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
15.1(2)S
This command was modified. A hash collision between the name supplied
and any existing name is now possible. If this happens, you can retry,
supplying another name
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Cisco IOS Flexible NetFlow Command Reference
135
cache (Flexible NetFlow) through match flow
flow exporter
Usage Guidelines
Flow exporters export the data in the flow monitor cache to a remote system, such as a server running Flexible
NetFlow collector, for analysis and storage. Flow exporters are created as separate entities in the configuration.
Flow exporters are assigned to flow monitors to provide data export capability for the flow monitors. You
can create several flow exporters and assign them to one or more flow monitors to provide several export
destinations. You can create one flow exporter and apply it to several flow monitors.
In Cisco IOS Release 15.1(2)S and later releases, a hash collision between the name supplied and any existing
name is possible. If this happens, you can retry, supplying another name.
Examples
The following example creates a flow exporter named FLOW-EXPORTER-1 and enters Flexible NetFlow
flow exporter configuration mode:
Router(config)# flow exporter FLOW-EXPORTER-1
Router(config-flow-exporter)#
The following example shows the output when there is a hash collision between the name supplied and any
existing name:
Router(config-flow-exporter)# flow exporter FLOW-EXPORTER-1
% Flow Exporter: Failure creating Flow Exporter 'FLOW-EXPORTER-1' (Hash value in use).
Related Commands
Command
Description
clear flow exporter
Clears the statistics for flow exporters.
debug flow exporter
Enables debugging output for flow exporters.
Cisco IOS Flexible NetFlow Command Reference
136
cache (Flexible NetFlow) through match flow
flow hardware
flow hardware
To configure Flexible NetFlow hardware parameters, use the flowhardware command in global configuration
mode. To unconfigure Flexible NetFlow hardware parameters, use the no form of this command.
flow hardware [egress| export threshold total-cpu-threshold-percentage [linecard
linecard-threshold-percentage]| usage notify {input| output} [table-threshold-percentage seconds]]
no flow hardware [egress| export threshold| usage notify {input| output}]
Syntax Description
egress
(Optional) Configures hardware egress NetFlow
parameters.
export threshold
(Optional) Configures export threshold parameters.
total-cpu-threshold-percentage
(Optional) The total CPU utilization threshold
percentage.
linecard-threshold-percentage
(Optional) The line-card CPU utilization threshold
percentage.
usage notify input
(Optional) Configures NetFlow table utilization
parameters for traffic that the router is receiving.
usage notify output
(Optional) Configures NetFlow table utilization
parameters for traffic that the router is transmitting.
table-threshold-percentage
(Optional) The NetFlow table utilization threshold
percentage.
seconds
(Optional) The NetFlow table utilization time interval,
in seconds.
Command Default
Flexible NetFlow hardware parameters are not configured.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.2(50)SY
This command was introduced.
Cisco IOS Flexible NetFlow Command Reference
137
cache (Flexible NetFlow) through match flow
flow hardware
Usage Guidelines
Flow exporters export the data in the flow monitor cache to a remote system, such as a server running Flexible
NetFlow collector, for analysis and storage. The number and complexity of flow records to be exported is the
prime cause of CPU use in NetFlow. The CPU Friendly NetFlow Export feature (also known as Yielding
NetFlow Data Export, or Yielding NDE) monitors CPU use for both the supervisor and line cards according
to user-configured thresholds and dynamically adjusts the rate of export as needed.
A system reload is needed for egress NetFlow mode change. If egress NetFlow is disabled and you attempt
to configure any feature that requires an egress NetFlow, an error message will be displayed indicating that
egress NetFlow must be enabled for this feature to function. You should enable egress NetFlow, reload the
system, and reconfigure the feature.
Examples
The following example configures CPU utilization thresholds for Flexible NetFlow flow export:
Router(config)# flow hardware export threshold 25 linecard 25
Related Commands
Command
Description
show platform flow
Displays Flexible NetFlow platform parameter
information.
Cisco IOS Flexible NetFlow Command Reference
138
cache (Flexible NetFlow) through match flow
flow monitor
flow monitor
To create a Flexible NetFlow flow monitor, or to modify an existing Flexible NetFlow flow monitor, and
enter Flexible NetFlow flow monitor configuration mode, use the flow monitor command in global
configuration mode or in QoS policy-map-class configuration mode. To remove a Flexible NetFlow flow
monitor, use the no form of this command.
flow monitor monitor-name
no flow monitor monitor-name
Syntax Description
monitor-name
Name of the flow monitor that is being created or
modified.
Command Default
Flexible NetFlow flow monitors are not present in the configuration.
Command Modes
Global configuration (config)
QoS policy-map-class configuration (config-pmap-c)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
15.1(2)S
This command was modified. A hash collision between the name supplied
and any existing name is now possible. If this happens, you can retry,
supplying another name
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
15.2(4)M
This command was made available in QoS policy-map-class configuration
mode.
Cisco IOS Flexible NetFlow Command Reference
139
cache (Flexible NetFlow) through match flow
flow monitor
Usage Guidelines
Release
Modification
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic
monitoring. Flow monitors consist of a record and a cache. You add the record to the flow monitor after you
create the flow monitor. The flow monitor cache is automatically created at the time the flow monitor is
applied to the first interface. Flow data is collected from the network traffic during the monitoring process
based on the key and nonkey fields in the flow monitor's record and stored in the flow monitor cache.
In Cisco IOS Release 15.1(2)S and later releases, a hash collision between the name supplied and any existing
name is possible. If this happens, you can retry, supplying another name.
Examples
The following example creates a flow monitor named FLOW-MONITOR-1 and enters Flexible NetFlow flow
monitor configuration mode:
Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)#
The following example shows the output when there is a hash collision between the name supplied and any
existing name:
Router(config)# flow monitor FLOW-MONITOR-1
% Flow Monitor: could not create monitor.
Related Commands
Command
Description
clear flow monitor
Clears the flow monitor.
debug flow monitor
Enables debugging output for flow monitors.
Cisco IOS Flexible NetFlow Command Reference
140
cache (Flexible NetFlow) through match flow
flow platform
flow platform
To configure Flexible NetFlow platform parameters, use the flowplatformcommand in global configuration
mode. To unconfigure Flexible NetFlow platform parameters, use the no form of this command.
flow platform cache timeout {active seconds | fast {threshold count} {time seconds} | inactive seconds}
no flow platform cache timeout {active| fast| inactive}
Syntax Description
cache timeout
Configures platform flow cache timeout parameters.
active seconds
Configures the active flow timeout, in seconds.
fast threshold count
Configures the fast aging threshold packet count.
fast time seconds
Configures the active flow timeout, in seconds.
inactive seconds
Configures the inactive flow timeout, in seconds.
Command Default
Flexible NetFlow platform parameters are not configured.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Release
Modification
12.2(50)SY
This command was introduced.
Hardware Flexible NetFlow table space is a valuable resource and needs to managed. Older flows need to be
identified as quickly as possible and aged out (purged) to make way ultimately for new, more active flows.
The older the Flexible NetFlow data, the less it is useful for real-time monitoring of traffic.
The common aging schemes are:
• Inactive/normal aging: age out flows that have had no activity in the preceding configured time.
• Active/long aging: age out flows that have lived for longer than the configured long aging period.
• Fast aging: age out flows that had some bursty activity followed by inactivity, for example, Domain
Name Service (DNS) resolution requests. This aging scheme is a function of the creation time of a flow
and the packet count.
• TCP session aging: age out flows pertaining to terminated TCP sessions.
Cisco IOS Flexible NetFlow Command Reference
141
cache (Flexible NetFlow) through match flow
flow platform
• Aggressive aging: age out flows with user-configured aggressive aging inactivity timeout when table
space utilization exceeds a user-configured threshold.
In addition to purging older entries, NetFlow entries need to be purged in response to certain configuration
and network topology changes; for example, interface or link going out of service.
Examples
The following example configures the active platform flow cache timeout:
Router(config)# flow platform cache timeout active 60
Related Commands
Command
Description
show platform flow
Displays Flexible NetFlow platform parameter
information.
Cisco IOS Flexible NetFlow Command Reference
142
cache (Flexible NetFlow) through match flow
flow record
flow record
To create a Flexible NetFlow flow record, or to modify an existing Flexible NetFlow flow record, and enter
Flexible NetFlow flow record configuration mode, use the flow record command in global configuration
mode. To remove a Flexible NetFlow flow record, use the no form of this command.
flow record record-name
no flow record record-name
Syntax Description
record-name
Name of the flow record that is being created or
modified.
Command Default
A Flexible NetFlow flow record is not configured.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(2)S
This command was modified. A hash collision between the name supplied
and any existing name is now possible. If this happens, you can retry,
supplying another name
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
Flexible NetFlow uses key and nonkey fields just as original NetFlow does to create and populate flows in a
cache. In Flexible NetFlow a combination of key and nonkey fields is called a record. Original NetFlow and
Cisco IOS Flexible NetFlow Command Reference
143
cache (Flexible NetFlow) through match flow
flow record
Flexible NetFlow both use the values in key fields in IP datagrams, such as the IP source or destination address
and the source or destination transport protocol port, as the criteria for determining when a new flow must be
created in the cache while network traffic is being monitored. A flow is defined as a stream of packets between
a given source and a given destination. New flows are created whenever a packet that has a unique value in
one of the key fields is analyzed.
In Cisco IOS Release 15.1(2)S and later releases, a hash collision between the name supplied and any existing
name is possible. If this happens, you can retry, supplying another name.
Examples
The following example creates a flow record named FLOW-RECORD-1, and enters Flexible NetFlow flow
record configuration mode:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)#
The following example shows the output when there is a hash collision between the name supplied and any
existing name:
Router(config)# flow record FLOW-RECORD-1
% Flow Record: Failure creating new Flow Record (Hash value in use).
Related Commands
Command
Description
show flow record
Displays flow record status and statistics.
Cisco IOS Flexible NetFlow Command Reference
144
cache (Flexible NetFlow) through match flow
granularity
granularity
To configure the granularity of sampling for a Flexible NetFlow sampler, use the granularitycommand in
Flexible NetFlow sampler configuration mode. To return the sampling configuration to the default value, use
the no form of this command.
granularity {connection| packet}
no granularity
Syntax Description
connection
Specifies that the sampling is done by connection.
packet
Specifies that the sampling is done by packet.
Command Default
Sampling is done by packet.
Command Modes
Flexible NetFlow sampler configuration (config-sampler)
Command History
Examples
Release
Modification
Cisco IOS XE Release 3.4S
This command was introduced.
The following example configures the granularity of the sampling to be by connection for a Flexible NetFlow
sampler:
Router(config)# sampler SAMPLER-2
Router(config-sampler)# granularity connection
Router(config-sampler)# mode random 1 out-of 20
Related Commands
Command
Description
sampler
Configures a Flexible NetFlow sampler.
Cisco IOS Flexible NetFlow Command Reference
145
cache (Flexible NetFlow) through match flow
ip flow monitor
ip flow monitor
To enable a Flexible NetFlow flow monitor for IPv4 traffic that the router is receiving or forwarding, use the
ip flow monitor command in interface configuration mode or subinterface configuration mode. To disable a
Flexible NetFlow flow monitor, use the no form of this command.
ip flow monitor monitor-name [sampler sampler-name] [multicast| unicast] {input| output}
no ip flow monitor monitor-name [sampler sampler-name] [multicast| unicast] {input| output}
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
ip flow monitor monitor-name [sampler sampler-name] [layer2-switched| multicast| unicast] {input|
output}
no ip flow monitor monitor-name [sampler sampler-name] [layer2-switched| multicast| unicast] {input|
output}
Cisco IOS XE Release 3.2SE
ip flow monitor monitor-name [sampler sampler-name] {input| output}
no ip flow monitor monitor-name [sampler sampler-name] {input| output}
Syntax Description
Command Default
monitor-name
Name of a flow monitor that was previously
configured.
sampler sampler-name
(Optional) Enables a flow sampler for this flow
monitor using the name of a sampler that was
previously configured.
layer2-switched
(Optional) Applies the flow monitor for Layer
2-switched traffic only.
multicast
(Optional) Applies the flow monitor for multicast
traffic only.
unicast
(Optional) Applies the flow monitor for unicast traffic
only.
input
Monitors traffic that the router is receiving on the
interface.
output
Monitors traffic that the router is transmitting on the
interface.
A flow monitor is not enabled.
Cisco IOS Flexible NetFlow Command Reference
146
cache (Flexible NetFlow) through match flow
ip flow monitor
Command Modes
Command History
Interface configuration (config-if) Subinterface configuration (config-subif)
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.4(22)T
This command was modified. The unicast and multicast keywords were
added.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The layer2-switched keyword was added.
Cisco IOS XE Release 3.2SE This command was integrated into Cisco IOS XE Release 3.2SE without
the support for the multicast and unicast keywords.
Usage Guidelines
You must have already created a flow monitor by using the flow monitor command before you can apply the
flow monitor to an interface with the ip flowmonitor command to enable traffic monitoring with Flexible
NetFlow.
ip flow monitor sampler
When a sampler is added to a flow monitor, only packets that are selected by the named sampler will be
entered into the cache to form flows. Each use of a sampler causes separate statistics to be stored for that
usage.
You cannot add a sampler to a flow monitor after the flow monitor has been enabled on an interface. You
must remove the flow monitor from the interface prior to enabling the same flow monitor with a sampler. See
the “Examples” section for more information.
Note
The statistics for each flow must be scaled to give the expected true usage. For example, with a 1 in 10
sampler it is expected that the packet and byte counters will have to be multiplied by 10.
Multicast Traffic and Unicast Traffic
In Cisco IOS Release 12.4(22)T and later releases, the default behavior of the ip flow monitorcommand is
to analyze unicast and multicast traffic. If you need to monitor only unicast traffic, use the unicast keyword.
If you need to monitor only multicast traffic, use the multicast keyword.
Cisco IOS Flexible NetFlow Command Reference
147
cache (Flexible NetFlow) through match flow
ip flow monitor
Examples
The following example enables a flow monitor for monitoring input traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
The following example enables a flow monitor for monitoring output traffic on a subinterface:
Router(config)# interface ethernet0/0.1
Router(config-if)# ip flow monitor FLOW-MONITOR-1 output
The following example enables a flow monitor for monitoring only multicast input traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 multicast input
The following example enables a flow monitor for monitoring only unicast output traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 unicast output
The following example enables the same flow monitor on the same interface for monitoring input and output
traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
Router(config-if)# ip flow monitor FLOW-MONITOR-1 output
The following example enables two different flow monitors on the same interface for monitoring input and
output traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
Router(config-if)# ip flow monitor FLOW-MONITOR-2 output
The following example enables the same flow monitor on two different interfaces for monitoring input and
output traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
Router(config-if)# exit
Router(config)# interface ethernet1/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 output
The following example enables two different flow monitors on two different interfaces for monitoring input
and output traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
Router(config-if)# exit
Router(config)# interface ethernet1/0
Router(config-if)# ip flow monitor FLOW-MONITOR-2 output
The following example enables a flow monitor for monitoring input traffic, with a sampler to limit the input
packets that are sampled:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input
The following example enables a flow monitor for monitoring output traffic, with a sampler to limit the output
packets that are sampled:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 output
Cisco IOS Flexible NetFlow Command Reference
148
cache (Flexible NetFlow) through match flow
ip flow monitor
The following example enables two different flow monitors for monitoring input and output traffic, with a
sampler on the flow monitor that is monitoring input traffic to limit the input packets that are sampled:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input
Router(config-if)# ip flow monitor FLOW-MONITOR-2 output
The following example enables two different flow monitors for monitoring input and output traffic, with a
sampler on the flow monitor that is monitoring output traffic to limit the output packets that are sampled:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-2 input
Router(config-if)# ip flow monitor FLOW-MONITOR-2 sampler SAMPLER-2 output
The following example shows what happens when you try to add a sampler to a flow monitor that has already
been enabled on an interface without a sampler:
Router(config)# interface Ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input
% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in full mode and cannot be
enabled with a sampler.
The following example shows how to remove a flow monitor from an interface so that it can be enabled with
the sampler:
Router(config)# interface Ethernet0/0
Router(config-if)# no ip flow monitor FLOW-MONITOR-1 input
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input
The following example shows what happens when you try to remove a sampler from a flow monitor on an
interface by entering the flow monitor command again without the sampler keyword and argument:
Router(config)# interface Ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in sampled mode and cannot be
enabled in full mode.
The following example shows how to remove the flow monitor that was enabled with a sampler from the
interface so that it can be enabled without the sampler:
Router(config)# interface Ethernet0/0
Router(config-if)# no ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
Related Commands
Command
Description
flow monitor
Creates a flow monitor.
sampler
Creates a flow sampler.
Cisco IOS Flexible NetFlow Command Reference
149
cache (Flexible NetFlow) through match flow
ipv6 flow monitor
ipv6 flow monitor
To enable a Flexible NetFlow flow monitor for IPv6 traffic that the router is receiving or forwarding, use the
ipv6 flow monitor command in interface configuration mode or subinterface configuration mode. To disable
a Flexible NetFlow flow monitor, use the no form of this command.
ipv6 flow monitor monitor-name [sampler sampler-name] [multicast| unicast] {input| output}
no ipv6 flow monitor monitor-name [sampler sampler-name] [layer2-bridged] [multicast| unicast] {input|
output}
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
ipv6 flow monitor monitor-name [sampler sampler-name] unicast {input| output}
no ipv6 flow monitor monitor-name [sampler sampler-name] [layer2-bridged] unicast {input| output}
Cisco IOS XE Release 3.2SE
ipv6 flow monitor monitor-name [sampler sampler-name] {input| output}
no ipv6 flow monitor monitor-name [sampler sampler-name] [layer2-bridged] {input| output}
Syntax Description
Command Default
monitor-name
Name of a flow monitor that was previously
configured.
sampler sampler-name
(Optional) Enables a flow sampler for this flow
monitor using the name of a sampler that was
previously configured.
multicast
(Optional) Applies the flow monitor for multicast
traffic only.
unicast
(Optional) Applies the flow monitor for unicast traffic
only.
input
Monitors traffic that the router is receiving on the
interface.
output
Monitors traffic that the router is transmitting on the
interface.
layer2-bridged
Monitors IPv6 Layer 2 Bridged traffic that the router
is transmitting on the interface.
A flow monitor is not enabled.
Cisco IOS Flexible NetFlow Command Reference
150
cache (Flexible NetFlow) through match flow
ipv6 flow monitor
Command Modes
Command History
Usage Guidelines
Interface configuration (config-if) Subinterface configuration (config-subif)
Release
Modification
12.4(20)T
This command was introduced.
12.4(22)T
This command was modified. The unicast and multicast keywords were
added.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
12.2(50)SY
This command was modified. The multicast keyword was not supported.
15.1(1)SY
This command was modified. The layer2-bridged keyword was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE without
the support for the multicast and unicast keywords.
You must have already created a flow monitor by using the flow monitor command before you can apply the
flow monitor to an interface with the ipv6 flow monitor command to enable traffic monitoring with Flexible
NetFlow.
ipv6 flow monitor sampler
When a sampler is added to a flow monitor, only packets that are selected by the named sampler will be
entered into the cache to form flows. Each use of a sampler causes separate statistics to be stored for that
usage.
You cannot add a sampler to a flow monitor after the flow monitor has been enabled on an interface. You
must remove the flow monitor from the interface prior to enabling the same flow monitor with a sampler. See
the “Examples” section for more information.
Note
The statistics for each flow must be scaled to give the expected true usage. For example, with a 1 in 10
sampler it is expected that the packet and byte counters will have to be multiplied by 10.
Multicast Traffic and Unicast Traffic
In Cisco IOS Release 12.4(22)T and later releases, the default behavior of the ip flow monitor command is
to analyze unicast and multicast traffic. If you need to monitor only unicast traffic, use the unicast keyword.
If you need to monitor only multicast traffic, use the multicast keyword.
Examples
The following example enables a flow monitor for monitoring input IPv6 traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 input
Cisco IOS Flexible NetFlow Command Reference
151
cache (Flexible NetFlow) through match flow
ipv6 flow monitor
The following example enables a flow monitor for monitoring output IPv6 traffic on a subinterface:
Router(config)# interface ethernet0/0.1
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 output
The following example enables a flow monitor for monitoring only multicast input traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 multicast input
The following example enables a flow monitor for monitoring only unicast output traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 unicast output
The following example enables the same flow monitor on the same interface for monitoring input and output
IPv6 traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 input
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 output
The following example enables two different flow monitors on the same interface for monitoring input and
output IPv6 traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 input
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-2 output
The following example enables the same flow monitor on two different interfaces for monitoring input and
output IPv6 traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 input
Router(config-if)# exit
Router(config)# interface ethernet1/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 output
The following example enables two different flow monitors on two different interfaces for monitoring input
and output IPv6 traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 input
Router(config-if)# exit
Router(config)# interface ethernet1/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-2 output
The following example enables a flow monitor for monitoring input IPv6 traffic, with a sampler to limit the
input packets that are sampled:
Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input
The following example enables a flow monitor for monitoring output IPv6 traffic, with a sampler to limit the
output packets that are sampled:
Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 output
The following example enables two different flow monitors for monitoring input and output IPv6 traffic, with
a sampler on the flow monitor that is monitoring input IPv6 traffic to limit the input packets that are sampled:
Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-2 output
Cisco IOS Flexible NetFlow Command Reference
152
cache (Flexible NetFlow) through match flow
ipv6 flow monitor
The following example enables two different flow monitors for monitoring input and output IPv6 traffic, with
a sampler on the flow monitor that is monitoring output IPv6 traffic to limit the output packets that are sampled:
Router(config)# interface ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-2 input
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-2 sampler SAMPLER-2 output
The following example shows what happens when you try to add a sampler to a flow monitor that has already
been enabled on an interface without a sampler:
Router(config)# interface Ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input
% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in full mode and cannot be
enabled with a sampler.
The following example shows how to remove a flow monitor from an interface so that it can be enabled with
the sampler:
Router(config)# interface Ethernet0/0
Router(config-if)# no ipv6 flow monitor FLOW-MONITOR-1 input
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input
The following example shows what happens when you try to remove a sampler from a flow monitor on an
interface by entering the flow monitor command again without the sampler keyword and argument:
Router(config)# interface Ethernet 0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 input
% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in sampled mode and cannot be
enabled in full mode.
The following example shows how to remove the flow monitor that was enabled with a sampler from the
interface so that it can be enabled without the sampler:
Router(config)# interface Ethernet 0/0
Router(config-if)# no ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 input
Related Commands
Command
Description
flow monitor
Creates a flow monitor.
sampler
Creates a flow sampler.
Cisco IOS Flexible NetFlow Command Reference
153
cache (Flexible NetFlow) through match flow
match application name
match application name
To configure the use of the application name as a key field for a flow record, use the match application name
command in flow record configuration mode. To disable the use of the application name as a key field for a
flow record, use the no form of this command.
match application name
no match application name
Syntax Description
This command has no arguments or keywords.
Command Default
The application name is not configured as a key field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
15.0(1)M
This command was introduced.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for
Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for
Cisco Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures the application name as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match application name
Cisco IOS Flexible NetFlow Command Reference
154
cache (Flexible NetFlow) through match flow
match application name
Examples
The following example configures the application name as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match application name
Related Commands
Command
Description
collect application name
Configures the use of application name as a nonkey
field for a Flexible NetFlow flow record.
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
155
cache (Flexible NetFlow) through match flow
match connection id
match connection id
To configure the connection ID as a key field for a flow record, use the match connection id command in
flow record configuration mode. To disable the use of a connection ID field as a key field for a flow record,
use the no form of this command.
match connection id
no match connection id
Syntax Description
This command has no arguments or keywords.
Command Default
The use of the connection ID as a key field for a user-defined flow record is not enabled.
Command Modes
flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS Release XE 3.9S
This command was introduced.
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures the connection ID as a key field:
Router(config)# flow record RECORD-4
Router(config-flow-record)# match connection id
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
156
cache (Flexible NetFlow) through match flow
match connection transaction-id
match connection transaction-id
To configure the transaction ID as a key field for a flow record, use the match connection transaction-id
command in flow record configuration mode. To disable the use of a transaction ID field as a key field for a
flow record, use the no form of this command.
match connection transaction-id
no match connection transaction-id
Syntax Description
This command has no arguments or keywords.
Command Default
The use of the transaction ID as a key field for a user-defined flow record is not enabled.
Command Modes
flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
Cisco IOS XE 3.4S
This command was introduced.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for
Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for
Cisco Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
The transaction ID identifies a transaction within a connection. A transaction is a meaningful exchange of
application data between two network devices or a client and server. A transaction ID is assigned the first
time a flow is reported, so that later reports for the same flow will have the same transaction ID. A different
transaction ID is used for each transaction within a TCP or UDP connection. The identifiers are not required
to be sequential.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Cisco IOS Flexible NetFlow Command Reference
157
cache (Flexible NetFlow) through match flow
match connection transaction-id
The transaction ID field is used to specify the transaction within the connection, for protocols where multiple
transactions are used. The field is composed of the CFT-flow ID/pointer (the most significant bit) and the
transaction counter within the connection specified by NBAR (least significant bit).
Examples
The following example configures the transaction ID as a key field:
Router(config)# flow record RECORD-4
Router(config-flow-record)# match connection transaction-id
Examples
The following example configures the transaction ID as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match connection transaction-id
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
158
cache (Flexible NetFlow) through match flow
match datalink dot1q priority
match datalink dot1q priority
To configure the 802.1Q (dot1q) priority as a key field for a Flexible NetFlow flow record, use the match
datalink dot1q priority command in Flexible NetFlow flow record configuration mode. To disable the use
of the 802.1Q priority as a key field for a Flexible NetFlow flow record, use the no form of this command.
match datalink dot1q priority
no match datalink dot1q priority
Command Default
The 802.1Q priority is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.2SE
This command was introduced. Only the switch ports support
it.
Usage Guidelines
The Flexible NetFlow match commands are used to configure key fields for the flow monitor record and to
enable capturing the values in the fields for the flow created with the record.
Examples
The following example configures the 802.1Q priority of traffic being received by the router as a key field
for a Flexible NetFlow flow record
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink dot1q priority
Related Commands
Command
Description
flow record
Creates a flow record.
Cisco IOS Flexible NetFlow Command Reference
159
cache (Flexible NetFlow) through match flow
match datalink dot1q vlan
match datalink dot1q vlan
To configure the 802.1Q (dot1q) VLAN value as a key field for a Flexible NetFlow flow record, use the
match datalink dot1q vlan command in Flexible NetFlow flow record configuration mode. To disable the
use of the 802.1Q VLAN value as a key field for a Flexible NetFlow flow record, use the no form of this
command.
match datalink dot1q vlan {input| output}
no match datalink dot1q vlan {input| output}
Syntax Description
input
Configures the 802.1Q VLAN ID of traffic being
received by the router as a key field.
output
Configures the 802.1Q VLAN ID of traffic being
transmitted by the router as a key field.
Command Default
The 802.1Q VLAN ID is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE)
series routers.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE. Only
the switch ports support it.
The input and output keywords of the match datalink dot1q vlan command are used to specify the observation
point that is used by the match datalink dot1q vlan command to create flows based on the unique 802.1q
VLAN IDs in the network traffic. For example, when you configure a flow record with the match datalink
dot1q vlan input command to monitor the simulated denial of service (DoS) attack in the figure below and
apply the flow monitor to which the flow record is assigned in either input (ingress) mode on Ethernet interface
Cisco IOS Flexible NetFlow Command Reference
160
cache (Flexible NetFlow) through match flow
match datalink dot1q vlan
0/0.1 on R3 or output (egress) mode on Ethernet interface 1/0.1 on R3, the observation point is always Ethernet
0/0.1 on R3. The 802.1q VLAN ID that is used as a key field is 5.
Figure 27: Simulated DoS Attack (c)
The observation point of match commands that do not have the input and/or output keywords is always the
interface to which the flow monitor that contains the flow record with the match commands is applied.
Examples
The following example configures the 802.1Q VLAN ID of traffic being received by the router as a key field
for a Flexible NetFlow flow record
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink dot1q vlan input
Related Commands
Command
Description
flow record
Creates a flow record.
Cisco IOS Flexible NetFlow Command Reference
161
cache (Flexible NetFlow) through match flow
match datalink ethertype
match datalink ethertype
To configure the ethertype as a key field for a Flexible NetFlow flow record, use the match datalink ethertype
command in Flexible NetFlow flow record configuration mode. To disable the use of the ethertype as a key
field for a Flexible NetFlow flow record, use the no form of this command.
match datalink ethertype
no match datalink ethertype
Command Default
The ethertype is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.2SE
This command was introduced.
Usage Guidelines
The Flexible NetFlow match commands are used to configure key fields for the flow monitor record and to
enable capturing the values in the fields for the flow created with the record.
Examples
The following example configures the ethertype of traffic being received by the router as a key field for a
Flexible NetFlow flow record
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink ethertype
Related Commands
Command
Description
flow record
Creates a flow record.
Cisco IOS Flexible NetFlow Command Reference
162
cache (Flexible NetFlow) through match flow
match datalink mac
match datalink mac
To configure the use of MAC addresses as a key field for a Flexible NetFlow flow record, use the match
datalink mac command in Flexible NetFlow flow record configuration mode. To disable the use of MAC
addresses as a key field for a Flexible NetFlow flow record, use the no form of this command.
match datalink mac {destination| source} address {input| output}
no match datalink mac {destination| source} address {input| output}
Syntax Description
destination address
Configures the use of the destination MAC address
as a key field.
source address
Configures the use of the source MAC address as a
key field.
input
Packets received by the router.
output
Packets transmitted by the router.
Command Default
MAC addresses are not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was
implemented on the Cisco 7200 and Cisco 7300 Network Processing
Engine (NPE) series routers.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
The input and output keywords of the match datalink mac command are used to specify the observation
point that is used by the match datalink mac command to create flows based on the unique MAC addressees
in the network traffic. For example, when you configure a flow record with the match datalink mac destination
address input command to monitor the simulated denial of service (DoS) attack in the figure below and apply
the flow monitor to which the flow record is assigned in either input (ingress) mode on Ethernet interface
Cisco IOS Flexible NetFlow Command Reference
163
cache (Flexible NetFlow) through match flow
match datalink mac
0/0.1 on R3 or output (egress) mode on Ethernet interface 1/0.1 on R3, the observation point is always Ethernet
0/0.1 on R3. The destination MAC address that is used a key field is aaaa.bbbb.cc04.
Figure 28: Simulated DoS Attack (d)
When the destination output mac address is configured, the value is the destination mac address of the output
packet, even if the monitor the flow record is applied to is input only.
When the destination input mac address is configured, the value is the destination mac address of the input
packet, even if the monitor the flow record is applied to is output only.
When the source output mac address is configured, the value is the source mac address of the output packet,
even if the monitor the flow record is applied to is input only.
When the source input mac address is configured, the value is the source mac address of the input packet,
even if the monitor the flow record is applied to is output only.
Examples
The following example configures the use of the destination MAC address of packets that are received by the
router as a key field for a Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink mac destination address input
The following example configures the use of the source MAC addresses of packets that are transmitted by
the router as a key field for a Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink mac source address output
Related Commands
Command
Description
flow record
Creates a flow record.
Cisco IOS Flexible NetFlow Command Reference
164
cache (Flexible NetFlow) through match flow
match datalink vlan
match datalink vlan
To configure the VLAN ID as a key field for a Flexible NetFlow flow record, use the match datalink vlan
command in Flexible NetFlow flow record configuration mode. To disable the use of the VLAN ID value as
a key field for a Flexible NetFlow flow record, use the no form of this command.
match datalink vlan {input| output}
no match datalink vlan {input| output}
Syntax Description
input
Configures the VLAN ID of traffic being received by
the router as a key field.
output
Configures the VLAN ID of traffic being transmitted
by the router as a key field.
Command Default
The VLAN ID is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Examples
Release
Modification
12.2(50)SY
This command was introduced.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Only the switch ports support it.
The following example configures the VLAN ID of traffic being received by the router as a key field for a
Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink vlan input
Related Commands
Command
Description
flow record
Creates a flow record.
Cisco IOS Flexible NetFlow Command Reference
165
cache (Flexible NetFlow) through match flow
match flow
match flow
To configure the flow direction and the flow sampler ID number as key fields for a flow record, use the match
flow command in Flexible NetFlow flow record configuration or policy inline configuration mode. To disable
the use of the flow direction and the flow sampler ID number as key fields for a flow record, use the no form
of this command.
match flow {direction| sampler}
no match flow {direction| sampler}
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY and 15.1(1)SY
match flow {cts {destination| source} group-tag| direction}
no match flow {cts {destination| source} group-tag| direction}
Syntax Description
direction
Configures the direction in which the flow was
monitored as a key field.
sampler
Configures the flow sampler ID as a key field.
cts destination group-tag
Configures the CTS destination field group as a key
field.
cts source group-tag
Configures the CTS source field group as a key field.
Command Default
The CTS destination or source field group, flow direction and the flow sampler ID are not configured as key
fields.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record) Policy inline configuration
(config-if-spolicy-inline)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
Cisco IOS Flexible NetFlow Command Reference
166
cache (Flexible NetFlow) through match flow
match flow
Release
Modification
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco
Performance Monitor. Support was added for policy inline configuration
mode.
12.2(58)SE
This command was modified. Support for the Cisco Performance Monitor
was added.
12.2(50)SY
This command was modified. The cts destination group-tag and cts source
group-tag keywords were added. The sampler keyword was removed.
15.1(1)SY
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.2SE This command was integrated into Cisco IOS XE Release 3.2SE without the
support for the sampler keyword.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
You must first enter the service-policy type performance-monitor inline command.
match flow direction
This field indicates the direction of the flow. This is of most use when a single flow monitor is configured for
input and output flows. It can be used to find and eliminate flows that are being monitored twice, once on
input and once on output. This field may also be used to match up pairs of flows in the exported data when
the two flows are flowing in opposite directions.
match flow sampler
This field contains the ID of the flow sampler used to monitor the flow. This is useful when more than one
flow sampler is being used with different sampling rates. The flow exporter option sampler-table command
will export options records with mappings of the flow sampler ID to the sampling rate so the collector can
calculate the scaled counters for each flow.
Examples
The following example configures the direction the flow was monitored in as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match flow direction
Cisco IOS Flexible NetFlow Command Reference
167
cache (Flexible NetFlow) through match flow
match flow
The following example configures the flow sampler ID as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match flow sampler
The following example configures the CTS destination fields group as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match flow cts destination group-tag
The following example configures the CTS source fields group as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match flow cts source group-tag
The following example shows how to use the policy inline configuration mode to configure a service policy
for Performance Monitor. The policy specifies that packets traversing Ethernet interface 0/0 that match the
flow sampler ID will be monitored based on the parameters specified in the flow monitor configuration named
fm2:
Router(config)# interface ethernet 0/0
Router(config-if)# service-policy type performance-monitor inline input
Router(config-if-spolicy-inline)# match flow sampler
Router(config-if-spolicy-inline)# flow monitor fm-2
Router(config-if-spolicy-inline)# exit
Related Commands
Command
Description
class-map
Creates a class map to be used for matching packets
to a specified class.
flow exporter
Creates a flow exporter.
flow record
Creates a flow record.
service-policy type performance-monitor
Associates a Performance Monitor policy with an
interface.
Cisco IOS Flexible NetFlow Command Reference
168
match interface (Flexible NetFlow) through ttl
(Flexible NetFlow)
• match interface (Flexible NetFlow), page 171
• match ipv4, page 174
• match ipv4 destination, page 177
• match ipv4 fragmentation, page 180
• match ipv4 section, page 182
• match ipv4 source, page 185
• match ipv4 total-length, page 188
• match ipv4 ttl, page 190
• match ipv6, page 192
• match ipv6 destination, page 195
• match ipv6 extension map, page 197
• match ipv6 fragmentation, page 199
• match ipv6 hop-limit, page 201
• match ipv6 length, page 203
• match ipv6 section, page 205
• match ipv6 source, page 208
• match mpls label, page 210
• match routing, page 212
• match routing is-multicast, page 217
• match routing multicast replication-factor, page 219
• match transport, page 221
• match transport icmp ipv4, page 223
• match transport icmp ipv6, page 225
Cisco IOS Flexible NetFlow Command Reference
169
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
• match transport tcp, page 227
• match transport udp, page 231
• mode (Flexible NetFlow), page 233
• option (Flexible NetFlow), page 235
• output-features, page 240
• record, page 241
• sampler, page 246
• show flow exporter, page 248
• show flow interface, page 254
• show flow monitor, page 256
• show flow monitor cache aggregate, page 265
• show flow monitor cache filter, page 271
• show flow monitor cache sort, page 278
• show flow record, page 282
• show platform flow, page 287
• show sampler, page 290
• source (Flexible NetFlow), page 293
• statistics packet, page 295
• template data timeout, page 297
• transport (Flexible NetFlow), page 299
• ttl (Flexible NetFlow), page 301
Cisco IOS Flexible NetFlow Command Reference
170
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match interface (Flexible NetFlow)
match interface (Flexible NetFlow)
To configure input and output interfaces as key fields for a flow record, use the match interface command
in Flexible NetFlow flow record configuration mode. To disable the use of the input and output interfaces as
key fields for a flow record, use the no form of this command.
match interface {input| output}
no match interface {input| output}
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match interface {input [physical]| output} [snmp]
no match interface {input [physical]| output} [snmp]
Syntax Description
input
Configures the input interface as a key field.
physical
(Optional) Configures the physical input interface as
a key field and enables collecting the input interface
from the flows.
output
Configures the output interface as a key field.
snmp
(Optional) Configures the simple network
management protocol (SNMP) index of the input
interface as a key field.
Command Default
The input and output interfaces are not configured as key fields.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
Cisco IOS Flexible NetFlow Command Reference
171
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match interface (Flexible NetFlow)
Usage Guidelines
Release
Modification
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The physical and snmp keywords were
added.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures the input interface as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match interface input
The following example configures the output interface as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match interface output
The following example configures the output interface as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match interface output
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
172
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match interface (Flexible NetFlow)
Command
Description
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
173
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4
match ipv4
To configure one or more of the IPv4 fields as a key field for a flow record, use the match ipv4 command in
Flexible NetFlow flow record configuration mode. To disable the use of one or more of the IPv4 fields as a
key field for a flow record, use the no form of this command.
match ipv4 {dscp| header-length| id| option map| precedence| protocol| tos| version}
no match ipv4 {dscp| header-length| id| option map| precedence| protocol| tos| version}
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
match ipv4 protocol
no match ipv4 protocol
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match ipv4 {dscp| precedence| protocol| tos}
no match ipv4 {dscp| precedence| protocol| tos}
Cisco IOS XE Release 3.2SE
match ipv4 {protocol| tos| version}
match ipv4 {protocol| tos| version}
Syntax Description
dscp
Configures the IPv4 differentiated services code point
(DSCP) (part of type of service [ToS]) as a key field.
header-length
Configures the IPv4 header length (in 32-bit words)
as a key field.
id
Configures the IPv4 ID as a key field.
option map
Configures the bitmap representing which IPv4
options have been seen as a key field.
precedence
Configures the IPv4 precedence (part of ToS) as a
key field.
protocol
Configures the IPv4 protocol as a key field.
tos
Configures the IPv4 ToS as a key field.
version
Configures the IP version from IPv4 header as a key
field.
Cisco IOS Flexible NetFlow Command Reference
174
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4
Command Default
The use of one or more of the IPv4 fields as a key field for a user-defined flow record is not enabled by default.
Command Modes
flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on
the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on
the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on
the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was modified for the Cisco Performance Monitor. The dscp,
header-length, id, option map, precedence, tos, and version keywords were
removed.
12.2(58)SE
This command was modified for the Cisco Performance Monitor. The dscp,
header-length, id, option map, precedence, tos, and version keywords were
removed.
12.2(50)SY
This command was modified. The header-length, id, option, map, and version
keywords were not supported in Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release
3.2SE
This command was modified. The dscp, header-length, id, option map, and
precedence keywords were removed.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Note
Some of the keywords of the match ipv4 command are documented as separate commands. All of the
keywords for the match ipv4 command that are documented separately start with match ipv4. For example,
for information about configuring the IPv4 time-to-live (TTL) field as a key field for a flow record, refer
to the match ipv4 ttl command.
Cisco IOS Flexible NetFlow Command Reference
175
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
Only the protocol keyword is available. You must first enter theflow record type performance-monitor
command.
Examples
The following example configures the IPv4 DSCP field as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv4 dscp
The following example configures the IPv4 DSCP field as a key field for Cisco Performance Monitor:
Router(config)# flow record type performance-monitor FLOW-RECORD-1
Router(config-flow-record)# match ipv4 dscp
Related Commands
Command
Description
flow record
Creates a flow record.
flow record type performance-monitor
Creates a flow record for Cisco Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
176
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4 destination
match ipv4 destination
To configure the IPv4 destination address as a key field for a flow record, use the match ipv4 destination
command in Flexible NetFlow flow record configuration mode. To disable the IPv4 destination address as a
key field for a flow record, use the no form of this command.
match ipv4 destination {address | {mask| prefix} [minimum-mask mask]}
no match ipv4 destination {address | {mask| prefix} [minimum-mask mask]}
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
match ipv4 destination {address| prefix [minimum-mask mask]}
no match ipv4 destination {address| prefix [minimum-mask mask]}
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match ipv4 destination address
no match ipv4 destination address
Cisco IOS XE Release 3.2SE
match ipv4 destination address
no match ipv4 destination address
Syntax Description
address
Configures the IPv4 destination address as a key field.
mask
Configures the mask for the IPv4 destination address
as a key field.
prefix
Configures the prefix for the IPv4 destination address
as a key field.
minimum-mask mask
(Optional) Specifies the size, in bits, of the minimum
mask. The range is 1 to 32.
Command Default
The IPv4 destination address is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
Cisco IOS Flexible NetFlow Command Reference
177
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4 destination
Release
Modification
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Gigabit Switch Router (GSR).
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was modified for the Cisco Performance Monitor. The mask
keyword was removed.
12.2(58)SE
This command was modified for the Cisco Performance Monitor. The mask
keyword was removed.
12.2(50)SY
This command was modified. The mask, prefix, and minimum-mask
keywords were removed.
Cisco IOS XE Release 3.2SE This command was modified. The mask, prefix, and minimum-mask
keywords were removed.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
The mask keyword is not available. You must first enter theflow record type performance-monitor command.
Examples
The following example configures a 16-bit IPv4 destination address prefix as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv4 destination prefix minimum-mask 16
The following example specifies a 16-bit IPv4 destination address mask as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv4 destination mask minimum-mask 16
The following example specifies a 16-bit IPv4 destination address mask as a key field for Cisco Performance
Monitor:
Router(config)# flow record type performance-monitor FLOW-RECORD-1
Router(config-flow-record)# match ipv4 destination mask minimum-mask 16
Cisco IOS Flexible NetFlow Command Reference
178
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4 destination
Related Commands
Command
Description
flow record
Creates a flow record.
flow record type performance-monitor
Creates a flow record for Cisco Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
179
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4 fragmentation
match ipv4 fragmentation
To configure the IPv4 fragmentation flags and the IPv4 fragmentation offset as key fields for a flow record,
use the match ipv4 fragmentation command in flow record configuration mode. To disable the use of the
IPv4 fragmentation flags and the IPv4 fragmentation offset as key fields for a flow record, use the no form
of this command.
match ipv4 fragmentation {flags| offset}
no match ipv4 fragmentation {flags| offset}
Syntax Description
flags
Configures the IPv4 fragmentation flags as a key field.
offset
Configures the IPv4 fragmentation offset as a key
field.
Command Default
The IPv4 fragmentation flags and the IPv4 fragmentation offset arenot configured as key fields.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco
IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
Cisco IOS Flexible NetFlow Command Reference
180
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4 fragmentation
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
match ipv4 fragmentation flags
This field matches the "don’t fragment" and "more fragments" flags.
Bit 0: reserved, must be zero
Bit 1: (DF) 0 = May Fragment, 1 = Don’t Fragment
Bit 2: (MF) 0 = Last Fragment,1 = More Fragments
Bits 3-7: (DC) Don’t Care, value is irrelevant
0
1
2
3
4
5
6
7
+---+---+---+---+---+---+---+---+
|
| D | M | D | D | D | D | D |
| 0 | F | F | C | C | C | C | C |
+---+---+---+---+---+---+---+---+
For more information on IPv4 fragmentation flags, see RFC 791, Internet Protocol at the following URL:
http://www.ietf.org/rfc/rfc791.txt .
Examples
The following example configures the IPv4 fragmentation flags as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv4 fragmentation flags
The following example configures the IPv4 offset flag as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv4 fragmentation offset
Examples
The following example configures the IPv4 offset flag as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match ipv4 fragmentation offset
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
181
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4 section
match ipv4 section
To configure a section of an IPv4 packet as a key field for a flow record, use the match ipv4 section command
in flow record configuration mode. To disable the use of a section of an IPv4 packet as a key field for a flow
record, use the no form of this command.
match ipv4 section {header size header-size| payload size payload-size}
no match ipv4 section {header size header-size| payload size payload-size}
Syntax Description
header size header-size
Configures the number of bytes of raw data starting
at the IPv4 header, to use as a key field. Range: 1 to
1200
payload size payload-size
Configures the number of bytes of raw data starting
at the IPv4 payload, to use as a key field. Range: 1 to
1200
Command Default
A section of an IPv4 packet is not configured as a key field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco
IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
182
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4 section
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
match ipv4 section header
This command uses the section of the IPv4 header indicated by the header sizeheader-size keyword and
argument as a key field. Only the configured size in bytes will be matched, and part of the payload will also
be matched if the configured size is larger than the size of the header.
Note
This command can result in large records that use a large amount of router memory and export bandwidth.
match ipv4 section payload
This command uses the section of the IPv4 payload indicated by the payload sizepayload-size keyword and
argument as a key field.
Note
Examples
This command can result in large records that use a large amount of router memory and export bandwidth.
The following example configures the first four bytes (the IPv4 version field) as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv4 section header size 4
The following example configures the first 16 bytes from the payload of the IPv4 packets in the flow as a key
field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv4 section payload size 16
Examples
The following example configures the first 16 bytes from the payload of the IPv4 packets in the flow as a key
field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match ipv4 section payload size 16
Cisco IOS Flexible NetFlow Command Reference
183
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4 section
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
184
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4 source
match ipv4 source
To configure the IPv4 source address as a key field for a flow record, use the match ipv4 source command
in Flexible NetFlow flow record configuration mode. To disable the use of the IPv4 source address as a key
field for a flow record, use the no form of this command.
match ipv4 source {address | {mask| prefix} [minimum-mask mask]}
no match ipv4 source {address | {mask| prefix} [minimum-mask mask]}
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
match ipv4 source {address| prefix [minimum-mask mask]}
no match ipv4 source {address| prefix [minimum-mask mask]}
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match ipv4 source address
no match ipv4 source address
Cisco IOS XE Release 3.2SE
match ipv4 source address
no match ipv4 source address
Syntax Description
address
Configures the IPv4 source address as a key field.
mask
Configures the mask for the IPv4 source address as
a key field.
prefix
Configures the prefix for the IPv4 source address as
a key field.
minimum-mask mask
(Optional) Specifies the size, in bits, of the minimum
mask. Range: 1 to 128.
Command Default
The IPv4 source address is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
Cisco IOS Flexible NetFlow Command Reference
185
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4 source
Usage Guidelines
Release
Modification
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was modified for the Cisco Performance Monitor. The mask
keyword was removed.
12.2(58)SE
This command was modified for the Cisco Performance Monitor. The mask
keyword was removed.
12.2(50)SY
This command was modified. The mask, prefix, and minimum-mask
keywords were removed.
Cisco IOS XE Release 3.2SE
This command was modified. The mask, prefix, and minimum-mask
keywords were removed.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
The mask keyword is not available. You must first enter theflow record type performance-monitor command.
match ipv4 source prefix minimum-mask
The source address prefix field is the network part of the source address. The optional minimum mask allows
a more information to be gathered about large networks.
match ipv4 source mask minimum-mask
The source address mask is the number of bits that make up the network part of the source address. The
optional minimum mask allows a minimum value to be configured. This command is useful when there is a
minimum mask configured for the source prefix field and the mask is to be used with the prefix. In this case,
the values configured for the minimum mask should be the same for the prefix and mask fields.
Alternatively, if the collector knows the minimum mask configuration of the prefix field, the mask field can
be configured without a minimum mask so that the true mask and prefix can be calculated.
Examples
The following example configures a 16-bit IPv4 source address prefix as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv4 source prefix minimum-mask 16
Cisco IOS Flexible NetFlow Command Reference
186
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4 source
The following example specifies a 16-bit IPv4 source address mask as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv4 source mask minimum-mask 16
The following example specifies a 16-bit IPv4 source address mask as a key field for Cisco Performance
Monitor:
Router(config)# flow record type performance-monitor FLOW-RECORD-1
Router(config-flow-record)# match ipv4 source mask minimum-mask 16
Related Commands
Command
Description
flow record
Creates a flow record.
flow record type performance-monitor
Creates a flow record for Cisco Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
187
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4 total-length
match ipv4 total-length
To configure the IPv4 total-length field as a key field for a flow record, use the match ipv4 total-length
command in flow record configuration mode. To disable the use of the IPv4 total-length field as a key field
for a flow record, use the no form of this command.
match ipv4 total-length
no match ipv4 total-length
Syntax Description
This command has no arguments or keywords.
Command Default
The IPv4 total-length field is not configured as a key field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco
IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
188
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4 total-length
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures the total-length value as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv4 total-length
Examples
The following example configures the total-length value as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match ipv4 total-length
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
189
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4 ttl
match ipv4 ttl
To configure the IPv4 time-to-live (TTL) field as a key field for a flow record, use the match ipv4 ttl command
in Flow NetFlow flow record configuration mode. To disable the use of the IPv4 TTL field as a key field for
a flow record, use the no form of this command.
match ipv4 ttl
no match ipv4 ttl
Syntax Description
This command has no arguments or keywords.
Command Default
The IPv4 time-to-live (TTL) field is not configured as a key field.
Command Modes
Flow NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Cisco IOS Flexible NetFlow Command Reference
190
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv4 ttl
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures IPv4 TTL as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv4 ttl
The following example configures the IPv4 TTL as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match ipv4 ttl
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
191
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6
match ipv6
To configure one or more of the IPv6 fields as a key field for a flow record, use the match ipv6 command in
Flexible NetFlow flow record configuration mode. To disable the use of one or more of the IPv6 fields as a
key field for a flow record, use the no form of this command.
match ipv6 {dscp| flow-label| next-header| payload-length| precedence| protocol| traffic-class| version}
no match ipv6 {dscp| flow-label| next-header| payload-length| precedence| protocol| traffic-class| version}
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match ipv6 {dscp| precedence| protocol| tos}
no match ipv6 {dscp| precedence| protocol| tos}
Cisco IOS XE Release 3.2SE
match ipv6 {protocol| traffic-class| version}
no match ipv6 {protocol| traffic-class| version}
Syntax Description
dscp
Configures the IPv6 differentiated services code point
DSCP (part of type of service (ToS)) as a key field.
flow-label
Configures the IPv6 flow label as a key field.
next-header
Configures the IPv6 next header as a key field.
payload-length
Configures the IPv6 payload length as a key field.
precedence
Configures the IPv6 precedence (part of ToS) as a
key field.
protocol
Configures the IPv6 protocol as a key field.
tos
Configures the IPv6 ToS as a key field.
traffic-class
Configures the IPv6 traffic class as a key field.
version
Configures the IPv6 version from IPv6 header as a
key field.
Command Default
The IPv6 fields are not configured as a key field.
Command Modes
Flexible Netflow flow record configuration (config-flow-record)
Cisco IOS Flexible NetFlow Command Reference
192
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6
Command History
Usage Guidelines
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
12.2(50)SY
This command was modified. The flow-label, next-header,
payload-length,traffic-class, and version keywords were removed.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.2SE
This command was modified. The dscp, flow-label, next-header,
payload-length, and precedence keywords were removed.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Note
Examples
Some of the keywords of the match ipv6 command are documented as separate commands. All of the
keywords for the match ipv6 command that are documented separately start with match ipv6. For example,
for information about configuring the IPv6 hop limit as a key field for a flow record, refer to the match
ipv6 hop-limit command.
The following example configures the IPv6 DSCP field as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv6 dscp
Cisco IOS Flexible NetFlow Command Reference
193
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6
The following example configures the IPv6 DSCP field as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match ipv6 dscp
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
194
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6 destination
match ipv6 destination
To configure the IPv6 destination address as a key field for a flow record, use the match ipv6 destination
command in Flexible Netflow flow record configuration mode. To disable the IPv6 destination address as a
key field for a flow record, use the no form of this command.
match ipv6 destination {address| {mask| prefix} [minimum-mask mask]}
no match ipv6 destination {address| {mask| prefix} [minimum-mask mask]}
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match ipv6 destination address
no match ipv6 destination address
Cisco IOS XE Release 3.2SE
match ipv6 destination address
no match ipv6 destination address
Syntax Description
address
Configures the IPv6 destination address as a key field.
mask
Configures the mask for the IPv6 destination address
as a key field.
prefix
Configures the prefix for the IPv6 destination address
as a key field.
minimum-mask mask
(Optional) Specifies the size, in bits, of the minimum
mask. Range: 1 to 128.
Command Default
The IPv6 destination address is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE)
series routers.
Cisco IOS Flexible NetFlow Command Reference
195
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6 destination
Usage Guidelines
Release
Modification
12.2(50)SY
This command was modified. The mask, prefix, and minimum-mask
keywords were removed.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.2SE
This command was modified. The mask, prefix, and minimum-mask
keywords were removed.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures a 16-bit IPv6 destination address prefix as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv6 destination prefix minimum-mask 16
The following example specifies a 16-bit IPv6 destination address mask as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv6 destination mask minimum-mask 16
The following example configures a 16-bit IPv6 destination address mask as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match ipv6 destination mask minimum-mask 16
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
196
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6 extension map
match ipv6 extension map
To configure the bitmap of the IPv6 extension header map as a key field for a flow record, use the match
ipv6 extension map command in flow record configuration mode. To disable the use of the IPv6 bitmap of
the IPv6 extension header map as a key field for a flow record, use the no form of this command.
match ipv6 extension map
no match ipv6 extension map
Syntax Description
This command has no arguments or keywords.
Command Default
The use of the bitmap of the IPv6 extension header map as a key field for a user-defined flow record is not
enabled by default.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for
the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Bitmap of the IPv6 Extension Header Map
Cisco IOS Flexible NetFlow Command Reference
197
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6 extension map
The bitmap of IPv6 extension header map is made up of 32 bits.
0
1
2
3
4
5
6
7
+-----+-----+-----+-----+-----+-----+-----+-----+
| Res | FRA1| RH | FRA0| UNK | Res | HOP | DST |
+-----+-----+-----+-----+-----+-----+-----+-----+
8
9
10
11
12
13
14
15
+-----+-----+-----+-----+-----+-----+-----+-----+
| PAY | AH | ESP |
Reserved
|
+-----+-----+-----+-----+-----+-----+-----+-----+
16
17
18
19
20
21
22
23
+-----+-----+-----+-----+-----+-----+-----+-----+
|
Reserved
|
+-----+-----+-----+-----+-----+-----+-----+-----+
24
25
26
27
28
29
30
31
+-----+-----+-----+-----+-----+-----+-----+-----+
|
Reserved
|
+-----+-----+-----+-----+-----+-----+-----+-----+
0 Res Reserved
1 FRA1 Fragmentation header - not first fragment
2 RH
Routing header
3 FRA0 Fragment header - first fragment
4 UNK Unknown Layer 4 header
(compressed, encrypted, not supported)
5 Res Reserved
6 HOP Hop-by-hop option header
7 DST Destination option header
8 PAY Payload compression header
9 AH Authentication Header
10 ESP Encrypted security payload
11 to 31 Reserved
For more information on IPv6 headers, refer to RFC 2460 Internet Protocol, Version 6 (IPv6) at the following
URL: http://www.ietf.org/rfc/rfc2460.txt .
Examples
The following example configures the IPv6 bitmap of the IPv6 extension header map of the packets in the
flow as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv6 extension map
Examples
The following example configures the IPv6 bitmap of the IPv6 extension header map of the packets in the
flow as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match ipv6 extension map
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
198
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6 fragmentation
match ipv6 fragmentation
To configure one or more of the IPv6 fragmentation fields as a key field for a flow record, use the match
ipv6 fragmentation command in flow record configuration mode. To disable the use of the IPv6 fragmentation
field as a key field for a flow record, use the no form of this command.
match IPv6 fragmentation {flags| id| offset}
no match IPv6 fragmentation {flags| id| offset}
Syntax Description
flags
Configures the IPv6 fragmentation flags as a key field.
id
Configures the IPv6 fragmentation ID as a key field.
offset
Configures the IPv6 fragmentation offset value as a
key field.
Command Default
The IPv6 fragmentation field is not configured as a key field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for
the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
Cisco IOS Flexible NetFlow Command Reference
199
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6 fragmentation
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures the IPv6 fragmentation flags a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv6 fragmentation flags
The following example configures the IPv6 offset value a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv6 fragmentation offset
Examples
The following example configures the IPv6 offset value as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match ipv6 fragmentation offset
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
200
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6 hop-limit
match ipv6 hop-limit
To configure the IPv6 hop limit as a key field for a flow record, use the match ipv6 hop-limit command in
Flexible NetFlow flow record configuration mode. To disable the use of a section of an IPv6 packet as a key
field for a flow record, use the no form of this command.
match ipv6 hop-limit
no match ipv6 hop-limit
Syntax Description
This command has no arguments or keywords.
Command Default
The use of the IPv6 hop limit as a key field for a user-defined flow record is not enabled by default.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was
implemented on the Cisco 7200 and Cisco 7300 Network Processing
Engine (NPE) series routers.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Cisco IOS Flexible NetFlow Command Reference
201
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6 hop-limit
Examples
The following example configures the hop limit of the packets in the flow as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv6 hop-limit
The following example configures the hop limit of the packets in the flow as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match ipv6 hop-limit
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
202
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6 length
match ipv6 length
To configure one or more of the IPv6 length fields as a key field for a flow record, use the match ipv6 length
command in flow record configuration mode. To disable the use of the IPv6 length field as a key field for a
flow record, use the no form of this command.
match ipv6 length {header| payload| total}
no match ipv6 length {header| payload| total}
Syntax Description
header
Configures the length in bytes of the IPv6 header, not
including any extension headers as a key field.
payload
Configures the length in bytes of the IPv6 payload,
including any extension header as a key field.
total
Configures the total length in bytes of the IPv6 header
and payload as a key field.
Command Default
The IPv6 length field is not configured as a key field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for
the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Cisco IOS Flexible NetFlow Command Reference
203
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6 length
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures the length of the IPv6 header in bytes, not including any extension headers,
as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv6 length header
Examples
The following example configures the length of the IPv6 header in bytes, not including any extension headers,
as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match ipv6 length header
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
204
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6 section
match ipv6 section
To configure a section of an IPv6 packet as a key field for a flow record, use the match ipv6 section command
in flow record configuration mode. To disable the use of a section of an IPv6 packet as a key field for a flow
record, use the no form of this command.
match ipv6 section {header size header-size| payload size payload-size}
no match ipv6 section {header size header-size| payload size payload-size}
Syntax Description
header size header-size
Configures the number of bytes of raw data starting
at the IPv6 header, to use as a key field. Range: 1 to
1200
payload size payload-size
Configures the number of bytes of raw data starting
at the IPv6 payload, to use as a key field. Range: 1 to
1200
Command Default
A section of an IPv6 packet is not configured as a key.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for
the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Cisco IOS Flexible NetFlow Command Reference
205
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6 section
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
match ipv6 section header
This command uses the section of the IPv6 header indicated by the headersizeheader-size keyword and
argument as a key field. Only the configured size in bytes will be matched, and part of the payload will also
be matched if the configured size is larger than the size of the header.
Note
This command can result in large records that use a large amount of router memory and export bandwidth.
match ipv6section payload
This command uses the section of the IPv6 payload indicated by the payloadsizepayload-size keyword and
argument as a key field.
Note
Examples
This command can result in large records that use a large amount of router memory and export bandwidth.
The following example configures the first four bytes (the IP version field) from the IPv6 header of the packets
in the flows as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv6 section header size 4
The following example configures the first 16 bytes from the payload of the IPv6 packets in the flows as a
key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv6 section payload size 16
Examples
The following example configures the first 16 bytes from the payload of the IPv6 packets in the flows as a
key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match ipv6 section payload size 16
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
206
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6 section
Cisco IOS Flexible NetFlow Command Reference
207
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6 source
match ipv6 source
To configure the IPv6 source address as a key field for a flow record, use the match ipv6 source command
in Flexible NetFlow flow record configuration mode. To disable the use of the IPv6 source address as a key
field for a flow record, use the no form of this command.
match ipv6 source {address| {mask| prefix} [minimum-mask mask]}
no match ipv6 source {address| {mask| prefix} [minimum-mask mask]}
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match ipv6 source address
no match ipv6 source address
Cisco IOS XE Release 3.2SE
match ipv6 source address
no match ipv6 source address
Syntax Description
address
Configures the IPv6 source address as a key field.
mask
Configures the mask for the IPv6 source address as
a key field.
prefix
Configures the prefix for the IPv6 source address as
a key field.
minimum-mask mask
(Optional) Specifies the size, in bits, of the minimum
mask. Range: 1 to 128.
Command Default
The IPv6 source address is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE)
series routers.
Cisco IOS Flexible NetFlow Command Reference
208
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match ipv6 source
Usage Guidelines
Release
Modification
12.2(50)SY
This command was modified. The mask, prefix, and minimum-mask
keywords were removed.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.2SE
This command was modified. The mask, prefix, and minimum-mask
keywords were removed.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures a 16-bit IPv6 source address prefix as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv6 source prefix minimum-mask 16
The following example specifies a 16-bit IPv6 source address mask as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match ipv6 source mask minimum-mask 16
The following example configures the 16-bit IPv6 source address mask as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match ipv6 source mask minimum-mask 16
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
209
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match mpls label
match mpls label
To configure MPLS label fields as a key field for a flow record, use the match mpls label command in flow
record configuration mode. To disable the use of the MPLS label fields as a key field for a flow record, use
the no form of this command.
match mpls {label 1| {details| exp| ttl}| label 2| {details}| label 3| {details}| label 4| {details}| label 5|
{details}| label 6| {details}}
no match mpls {label 1| {details| exp| ttl}| label 2| {details}| label 3| {details}| label 4| {details}| label 5|
{details}| label 6| {details}}
Syntax Description
label 1
Configures the first MPLS label as a nonkey field.
details
Configures the details of the MPLS label as a nonkey
field.
exp
Configures the MPLS experimental level field as a
nonkey field.
ttl
Configures the time-to-life (TTL) for the MPLS label
as a nonkey field.
label 2
Configures the second MPLS label as a nonkey field.
label 3
Configures the third MPLS label as a nonkey field.
label 4
Configures the fourth MPLS label as a nonkey field.
label 5
Configures the fifth MPLS label as a nonkey field.
label 6
Configures the sixth MPLS label as a nonkey field.
Command Default
MPLS label fields are not configured as a key field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.9S
This command was introduced.
Cisco IOS Flexible NetFlow Command Reference
210
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match mpls label
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures the details of the first MPLS label as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match mpls label 1 details
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
211
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match routing
match routing
To configure one or more of the routing fields as a key field for a flow record, use the match routing command
in flow record configuration mode. To disable the use of one or more of the routing fields as a key field for
a flow record, use the no form of this command.
match routing {destination| source} [as [4-octet| peer [4-octet]]| traffic-index| forwarding-status| next-hop
address {ipv4| ipv6} [bgp]| vrf input| vrf output]
no match routing {destination| source} [as [4-octet| peer [4-octet]]| traffic-index| forwarding-status|
next-hop address {ipv4| ipv6} [bgp]| vrf input| vrf output]
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match routing vrf input
no match routing vrf input
Syntax Description
destination
Specifies one or more of the destination routing
attributes fields as a key field.
source
Specifies one or more of the source routing attributes
fields as a key field.
as
Configures the autonomous system field as a key
field.
4-octet
(Optional) Configures the 32-bit autonomous system
number as a key field.
peer
(Optional) Configures the autonomous system number
of the peer network as a key field.
traffic-index
Configures the Border Gateway Protocol (BGP)
destination traffic index as a key field.
forwarding-status
Configures the forwarding status of the packet as a
key field.
next-hop address
Configures the next-hop address value as a key field.
The type of address (IPv4 or IPv6) is determined by
the next keyword entered.
ipv4
Specifies that the next-hop address value is an IPv4
address.
ipv6
Specifies that the next-hop address value is an IPv6
address.
Cisco IOS Flexible NetFlow Command Reference
212
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match routing
bgp
(Optional) Configures the IPv4 address of the BGP
next hop as a key field.
vrf input
Configures the virtual routing and forwarding (VRF)
ID for incoming packets as a key field.
vrf output
Configures the virtual routing and forwarding (VRF)
ID for outgoing packets as a key field.
Command Default
The use of one or more of the routing fields as a key field for a user-defined flow record is disabled.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in
Cisco IOS Release 12.2(33)SRC.
12.4(20)T
ipv6 keyword was added.
15.0(1)M
This command was modified. The vrf input keywords were added.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for
the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS Release XE 3.2S
This command was modified. The 4-octet keyword was added.
12.2(50)SY
This command was modified. The vrf input keywords are the only
keywords supported in Cisco IOS Release 12.2(50)SY.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
Cisco IOS XE Release 3.8S
This command was modified. The vrf output keywords were added.
Cisco IOS Flexible NetFlow Command Reference
213
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match routing
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command; however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
match routing source as [peer]
This command matches the 16-bit autonomous system number based on a lookup of the router’s routing table
using the source IP address. The optional peer keyword provides the expected next network, as opposed to
the originating network.
match routing source as [peer [4-octet ]]
This command matches the 32-bit autonomous system number based on a lookup of the router’s routing table
using the source IP address. The optional peer keyword provides the expected next network, as opposed to
the originating network.
match routing destination as [peer]
This command matches the 16-bit autonomous system number based on a lookup of the router’s routing table
using the destination IP address. The peer keyword provides the expected next network, as opposed to the
destination network.
match routing destination as [peer [4-octet ]]
This command matches the 32-bit autonomous system number based on a lookup of the router’s routing table
using the destination IP address. The peer keyword provides the expected next network, as opposed to the
destination network.
match routing destination traffic-index
This command matches the traffic-index field based on the destination autonomous system for this flow. The
traffic-index field is a value propagated through BGP.
This command is not supported for IPv6.
match routing source traffic-index
This command matches the traffic-index field based on the source autonomous system for this flow. The
traffic-index field is a value propagated through BGP.
This command is not supported for IPv6.
match routing forwarding-status
This command matches a field to indicate if the packets were successfully forwarded. The field is in two parts
and may be up to 4 bytes in length. For the releases specified in the Command History table, only the status
field is used:
+-+-+-+-+-+-+-+-+
| S | Reason
|
Cisco IOS Flexible NetFlow Command Reference
214
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match routing
| t | codes
|
| a | or
|
| t | flags
|
| u |
|
| s |
|
+-+-+-+-+-+-+-+-+
0 1 2 3 4 5 6 7
Status:
00b=Unknown, 01b = Forwarded, 10b = Dropped, 11b = Consumed
match routing vrf input
This command matches the VRF ID from incoming packets on a router. In the case where VRFs are associated
with an interface via methods such as VRF Selection Using Policy Based Routing/Source IP Address, a VRF
ID of 0 will be recorded. If a packet arrives on an interface that does not belong to a VRF, a VRF ID of 0 is
recorded.
match routing vrf output
This command matches the VRF ID from outgoing packets on a router.
Examples
The following example configures the source autonomous system as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match routing source as
The following example configures the destination autonomous system as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match routing destination as
The following example configures the BGP source traffic index as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match routing source traffic-index
The following example configures the forwarding status as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match routing forwarding-status
The following example configures the VRF ID for incoming packets as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match routing vrf input
The following example configures the VRF ID for outgoing packets as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match routing vrf output
Examples
The following example configures the VRF ID for incoming packets as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match routing vrf input
Related Commands
Command
Description
flow record
Creates a flow record and enters Flexible NetFlow
flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
215
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match routing
Command
Description
flow record type performance-monitor
Creates a flow record and enters Performance Monitor
flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
216
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match routing is-multicast
match routing is-multicast
To configure the use of the is-multicast field (indicating that the IPv4 traffic is multicast traffic) as a key field
for a flow record, use the match routing is-multicast command in flow record configuration mode. To disable
the use of the is-multicast field as a key field for a flow record, use the no form of this command.
match routing is-multicast
no match routing is-multicast
Syntax Description
This command has no arguments or keywords
Command Default
The is-multicast field is not configured as a key field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for
the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
Examples
The following example configures the is-multicast field as a key field for a flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match routing is-multicast
Cisco IOS Flexible NetFlow Command Reference
217
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match routing is-multicast
Examples
The following example configures the is-multicast field as a key field for a Performance Monitor flow record:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match routing multicast replication-factor
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
218
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match routing multicast replication-factor
match routing multicast replication-factor
To configure the multicast replication factor value for IPv4 traffic as a key field for a flow record, use the
match multicast replication-factorcommand in flow record configuration mode. To disable the use of the
multicast replication factor value as a key field for a flow record, use the no form of this command.
match routing multicast replication-factor
no match routing multicast replication-factor
Syntax Description
This command has no arguments or keywords.
Command Default
The multicast replication factor value is not configured as a key field.
Command Modes
Flow record configuration(config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for
the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
When the replication-factor field is used in a flow record, it will only have a non-zero value in the cache for
ingress multicast traffic that is forwarded by the router. If the flow record is used with a flow monitor in output
(egress) mode or to monitor unicast traffic or both, the cache data for the replication factor field is set to 0.
Cisco IOS Flexible NetFlow Command Reference
219
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match routing multicast replication-factor
Note
Examples
This command is not supported on ASR and ISR platforms.
The following example configures the multicast replication factor value as a key field for a flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match routing multicast replication-factor
Examples
The following example configures the multicast replication factor value as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match routing multicast replication-factor
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
220
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match transport
match transport
To configure one or more of the transport fields as a key field for a flow record, use the match transport
command in Flexible NetFlow flow record configuration mode. To disable the use of one or more of the
transport fields as a key field for a flow record, use the no form of this command.
match transport {destination-port| igmp type| source-port}
no match transport {destination-port| igmp type| source-port}
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match transport {destination-port| source-port}
no match transport {destination-port| source-port}
Syntax Description
destination-port
Configures the transport destination port as a key
field.
igmp type
Configures time stamps based on the system uptime
as a key field.
source-port
Configures the transport source port as a key field.
Command Default
The transport fields are not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The igmp type keyword combination was
removed.
Cisco IOS Flexible NetFlow Command Reference
221
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match transport
Usage Guidelines
Release
Modification
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures the destination port as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match transport destination-port
The following example configures the source port as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match transport source-port
The following example configures the source port as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match transport source-port
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
222
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match transport icmp ipv4
match transport icmp ipv4
To configure the ICMP IPv4 type field and the code field as key fields for a flow record, use the match
transport icmp ipv4 command in Flexible NetFlow flow record configuration mode. To disable the use of
the ICMP IPv4 type field and code field as key fields for a flow record, use the no form of this command.
match transport icmp ipv4 {code| type}
no match transport icmp ipv4 {code| type}
Syntax Description
code
Configures the IPv4 ICMP code as a key field.
type
Configures the IPv4 ICMP type as a key field.
Command Default
The ICMP IPv4 type field and the code field are not configured as key fields.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Cisco IOS Flexible NetFlow Command Reference
223
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match transport icmp ipv4
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures the IPv4 ICMP code field as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match transport icmp ipv4 code
The following example configures the IPv4 ICMP type field as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match transport icmp ipv4 type
The following example configures the IPv4 ICMP type field as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match transport icmp ipv4 type
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
224
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match transport icmp ipv6
match transport icmp ipv6
To configure the internet control message protocol ICMP IPv6 type field and the code field as key fields for
a flow record, use the match transport icmp ipv6 command in Flexible NetFlow flow record configuration
mode. To disable the use of the ICMP IPv6 type field and code field as key fields for a flow record, use the
no form of this command.
match transport icmp ipv6 {code| type}
no match transport icmp ipv6 {code| type}
Syntax Description
code
Configures the ICMP code as a key field.
type
Configures the ICMP type as a key field.
Command Default
The ICMP IPv6 type field and the code field are not configured as key fields.
Command Modes
Flexible Netflow flow record configuration (config-flow-record)
Command History
Usage Guidelines
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was
implemented on for the Cisco 7200 and Cisco 7300 Network Processing
Engine (NPE) series routers.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor
was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
Cisco IOS Flexible NetFlow Command Reference
225
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match transport icmp ipv6
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A Flow Record requires at least one key field before it can be used in a Flow Monitor. The Key fields
differentiate Flows, with each flow having a unique set of values for the key fields. The key fields are defined
using the match command.
Examples
The following example configures the IPv6 ICMP code field as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match transport icmp ipv6 code
The following example configures the IPv6 ICMP type field as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match transport icmp ipv6 type
The following example configures the IPv6 ICMP type field as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match transport icmp ipv6 type
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
226
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match transport tcp
match transport tcp
To configure one or more of the TCP fields as a key field for a flow record, use the match transport tcp
command in flow record configuration mode. To disable the use of a TCP field as a key field for a flow record,
use the no form of this command.
match transport tcp {acknowledgement-number| bytes out-of-order| destination-port| flags {[ack]|
[cwr]| [ece]| [fin]| [psh]| [rst]| [syn]| [urg]}| header-length| maximum-segment-size| packets out-of-order|
sequence-number| source-port| urgent-pointer| window-size| window-size-average| window-size-maximum|
window-size-minimum}
no match transport tcp {acknowledgement-number| bytes out-of-order| destination-port| flags {[ack]|
[cwr]| [ece]| [fin]| [psh]| [rst]| [syn]| [urg]}| header-length| maximum-segment-size| packets out-of-order|
sequence-number| source-port| urgent-pointer| window-size| window-size-average| window-size-maximum|
window-size-minimum}
Syntax Description
acknowledgement -number
Configures the TCP acknowledgement number as a
key field.
bytes out-of-order
Configures the number of out-of-order bytes as a key
field.
destination-port
Configures the TCP destination port as a key field.
flags
Configures one or more of the TCP flags as a key
field. If you configure the flags keyword you must
also configure at least one of the optional keywords
for the flags keyword.
ack
(Optional) Configures the TCP acknowledgement
flag as a key field.
cwr
(Optional) Configures the TCP congestion window
reduced flag as a key field.
ece
(Optional) Configures the TCP Explicit Notification
Congestion echo (ECE) flag as a key field.
fin
(Optional) Configures the TCP finish flag as a key
field.
psh
(Optional) Configures the TCP push flag as a key
field.
rst
(Optional) Configures the TCP reset flag as a key
field.
Cisco IOS Flexible NetFlow Command Reference
227
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match transport tcp
syn
(Optional) Configures the TCP synchronize flag as a
key field.
urg
(Optional) Configures the TCP urgent flag as a key
field.
header-length
Configures the TCP header length (in 32-bit words)
as a key field.
maximum-segment-size
Configures the maximum segment size as a key field.
packets out-of-order
Configures the number of out-of-order packets as a
key field.
sequence-number
Configures the TCP sequence number as a key field.
source-port
Configures the TCP source port as a key field.
urgent-pointer
Configures the TCP urgent pointer as a key field.
window-size
Configures the TCP window size as a key field.
window-size-average
Configures the average window size as a key field.
window-size-maximum
Configures the maximum window size as a key field.
window-size-minimum
Configures the minimum window size as a key field.
Command Default
The use of one or more of the TCP fields as a key field for a user-defined flow record is not enabled by default.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco
IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS Flexible NetFlow Command Reference
228
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match transport tcp
Usage Guidelines
Release
Modification
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
Cisco IOS XE Release 3.6S
This command was modified. The bytes out-of-order, packets out-of-order,
maximum-segment-size, window-size-average, window-size-maximum,
and window-size-minimum keywords were added into Cisco IOS XE Release
3.6S for Cisco Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures the TCP acknowledgement flag as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match transport tcp flags ack
The following example configures the TCP finish flag as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match transport tcp flags fin
The following example configures the TCP reset flag as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match transport tcp flags rst
The following example configures the transport destination port as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match transport tcp destination-port
The following example configures the transport source port as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match transport tcp source-port
Cisco IOS Flexible NetFlow Command Reference
229
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match transport tcp
Examples
The following example configures the IPv4 ICMP type field as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match transport tcp source-port
Related Commands
Command
Description
flow record
Creates a flow record, and enters Flexible NetFlow
flow record configuration mode.
flow record type performance-monitor
Creates a flow record, and enters Performance
Monitor flow record configuration mode.
Cisco IOS Flexible NetFlow Command Reference
230
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match transport udp
match transport udp
To configure one or more of the user datagram protocol UDP fields as a key field for a Flexible NetFlow flow
record, use the match transport udp command in Flexible NetFlow flow record configuration mode. To
disable the use of a UDP field as a key field for a Flexible NetFlow flow record, use the no form of this
command.
match transport udp {destination-port| message-length| source-port}
no match transport udp {destination-port| message-length| source-port}
Syntax Description
destination-port
Configures the UDP destination port as a key field.
message-length
Configures the UDP message length as a key field.
source-port
Configures the UDP source port as a key field.
Command Default
The UDP fields are not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco
IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the
Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco
Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco
Performance Monitor.
Cisco IOS Flexible NetFlow Command Reference
231
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
match transport udp
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different
commands to enter the configuration mode in which you issue this command, however the mode prompt is
the same for both products. For Performance Monitor, you must first enter the flow record type
performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products
as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible
NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance
Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate
flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures the UDP destination port as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match transport udp destination-port
The following example configures the UDP message length as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match transport udp message-length
The following example configures the UDP source port as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match transport udp source-port
Examples
The following example configures the UDP source port as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match transport udp source-port
Related Commands
Command
Description
flow record
Creates a flow record.
Cisco IOS Flexible NetFlow Command Reference
232
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
mode (Flexible NetFlow)
mode (Flexible NetFlow)
To specify the type of sampling and the packet interval for a Flexible NetFlow sampler, use the mode command
in Flexible NetFlow sampler configuration mode. To unconfigure the type of sampling and the packet interval
for a Flexible NetFlow sampler, use the no form of this command.
mode {deterministic| random} 1 out-of window-size
no mode
Syntax Description
deterministic
Enables deterministic mode sampling for the sampler.
random
Enables random mode sampling for the sampler.
1 out-of window-size
Specifies the window size from which to select
packets. Range: 2 to 32768.
Command Default
The mode and the packet interval for a sampler are not configured.
Command Modes
Flexible NetFlow sampler configuration (config-sampler)
Command History
Usage Guidelines
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Deterministic Mode
Cisco IOS Flexible NetFlow Command Reference
233
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
mode (Flexible NetFlow)
In deterministic mode, packets are chosen periodically based on the configured interval. This mode has less
overhead than random mode and can be useful when the router samples traffic that is random in nature.
Random Mode
In random mode, packets are chosen in a manner that should eliminate any bias from traffic patterns and
counter any attempt by users to avoid monitoring.
Examples
The following example enables deterministic sampling with a window size of 1000:
Router(config)# sampler SAMPLER-1
Router(config-sampler)# mode deterministic 1 out-of 1000
The following example enables random sampling with a window size of 1000:
Router(config)# sampler SAMPLER-1
Router(config-sampler)# mode random 1 out-of 1000
Related Commands
Command
Description
clear sampler
Clears the sampler statistics.
debug sampler
Enables debugging output for samplers.
show sampler
Displays sampler status and statistics.
Cisco IOS Flexible NetFlow Command Reference
234
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
option (Flexible NetFlow)
option (Flexible NetFlow)
To configure optional data parameters for a flow exporter for Flexible NetFlow or the Cisco Performance
Monitor, use the option command in Flexible NetFlow flow exporter configuration mode. To remove optional
data parameters for a flow exporter, use the no form of this command.
option {application-attributes | application-table | c3pl-class-table | c3pl-policy-table | class-qos-table |
exporter-stats | inspect-class-table | inspect-ext-event-table | inspect-protocol-table | inspect-zonepair-table
| interface-table | metadata-version-table | policy-qos-table | sampler-table | sub-application-table |
vrf-table} [timeout seconds]
no option {application-attributes | application-table | c3pl-class-table | c3pl-policy-table | class-qos-table
| exporter-stats | inspect-class-table | inspect-ext-event-table | inspect-protocol-table |
inspect-zonepair-table | interface-table | metadata-version-table | policy-qos-table | sampler-table |
sub-application-table | vrf-table}
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
option {exporter-stats | interface-table | sampler-table | vrf-table} [timeout seconds]
no option {exporter-stats | interface-table | sampler-table | vrf-table}
Cisco IOS XE Release 3.2SE
option {exporter-stats | interface-table | sampler-table} [timeout seconds]
option {exporter-stats | interface-table | sampler-table} [timeout seconds]
Syntax Description
application-attributes
Configures the application attributes option for flow
exporters.
application-table
Configures the application table option for flow
exporters.
c3pl-class-table
Configures the Cisco Common Classification Policy
Language (C3PL) class table.
c3pl-policy-table
Configures the C3PL policy table.
class-qos-table
Configures the quality of service (QoS) class table
option for flow exporters.
exporter-stats
Configures the exporter statistics option for flow
exporters.
inspect-class-table
Configures the policy-firewall class table option for
flow exporters.
inspect-ext-event-table
Configures the policy-firewall extended events table
for flow exporters.
Cisco IOS Flexible NetFlow Command Reference
235
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
option (Flexible NetFlow)
inspect-protocol-table
Configures the policy-firewall protocol table for flow
exporters.
inspect-zonepair-table
Configures the policy-firewall zone pair table for flow
exporters.
interface-table
Configures the interface table option for flow
exporters.
metadata-version-table
Configures the metadata version table for flow
exporters.
policy-qos-table
Configures the QoS policy table option for flow
exporters.
sampler-table
Configures the export sampler information option for
flow exporters.
sub-application-table
Configures the subapplication table option for flow
exporters.
vrf-table
Configures the virtual routing and forwarding (VRF)
ID-to-name table option for flow exporters.
timeout seconds
(Optional) Configures the option resend time in
seconds for flow exporters. The range is from 1 to
86400. The default is 600.
Command Default
The optional data parameters are not configured.
Command Modes
Flow exporter configuration (config-flow-exporter)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release
12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command
was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command
was implemented on the Cisco 7200 series routers.
Cisco IOS Flexible NetFlow Command Reference
236
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
option (Flexible NetFlow)
Usage Guidelines
Release
Modification
15.0(1)M
This command was modified. The application-table and
vrf-table keywords were added.
12.2(33)SRE
This command was modified. Support for this command
was implemented on the Cisco 7300 Network Processing
Engine (NPE) series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release
3.1S.
15.1(3)T
This command was modified. Support for the Cisco
Performance Monitor was added.
12.2(58)SE
This command was modified. Support for the Cisco
Performance Monitor was added.
12.2(50)SY
This command was modified. The application-table
keyword was removed.
Cisco IOS XE Release 3.5S
This command was modified. The application-attributes
keyword was added.
15.2(1)S2
This command was modified. The sub-application-table
keyword was added.
15.2(4)M2
This command was modified. The class-qos-table and
policy-qos-table keywords were added.
Cisco IOS XE Release 3.2SE
This command was modified. The application-attributes,
application-table , and vrf-table keywords were removed.
15.4(2)T
This command was modified. The c3pl-class-table,
c3pl-policy-table, inspect-class-table,
inspect-ext-event-table, inspect-protocol-table,
inspect-zonepair-table, and metadata-version-table
keywords were added.
The option command can be used with both Flexible NetFlow and the Cisco Performance Monitor.
Use the timeout keyword to alter the frequency at which reports are sent.
The option application-attributes command causes the periodic sending of network-based application
recognition (NBAR) application attributes to an external collector.
The following application attributes are sent to the collector per protocol:
• Application-Group—Group applications that belong to the same networking application.
• Category—Provides first-level categorization for each application.
Cisco IOS Flexible NetFlow Command Reference
237
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
option (Flexible NetFlow)
• Encrypted—Specifies whether the application is an encrypted networking protocol.
• P2P-Technology—Specifies whether the application is based on peer-to-peer technology.
• Sub-Category—Provides second-level categorization for each application.
• Tunnel-Technology—Specifies whether the application tunnels the traffic of other protocols.
The option application-table command enables the periodic sending of an options table that allows the
collector to map NBAR application IDs provided in the flow records to application names.
The option class-qos-table command enables the periodic sending of an options table that allows the collector
to map QoS class IDs to class names in the flow records.
The option exporter-stats command enables the periodic sending of exporter statistics, including the number
of records, bytes, and packets. This command allows the collector to estimate packet loss for the export records
it receives.
The option inspect-class-table command enables the export of option templates that map inspect
class-ID-to-class-name.
The option inspect-ext-event-table command enables the export option templates that map the firewall
Event-ID-to-Event-name.
The option inspect-protocol-table command enables the export of option templates that map the firewall
protocol-ID-to-protocol-name.
The option inspect-zonepair-table command enables the export of option templates that map
Zone-Pair-ID-to-Zone-Pair-Name.
The option interface-table enables the periodic sending of an options table that allows the collector to map
the interface Simple Network Management Protocol (SNMP) indexes provided in flow records to interface
names.
The option policy-qos-table command enables the periodic sending of an options table that allows the collector
to map QoS policy IDs to policy names in the flow records.
The option sampler-table command enables the periodic sending of an options table that provides complete
information about the configuration of each sampler and allows the collector to map the sampler ID provided
in any flow record to a configuration that it can use to scale up the flow statistics.
The option sub-application-table command enables the periodic sending of an options table that allows the
collector to map NBAR subapplication tags, subapplication names, and subapplication descriptions provided
in the flow records to application IDs.
The option vrf-table command enables the periodic sending of an options table that allows the collector to
map the VRF IDs provided in the flow records to VRF names.
Examples
The following example shows how to enable the periodic sending of NBAR application attributes to the
collector:
Device(config)# flow exporter FLOW-EXPORTER-1
Device(config-flow-exporter)# option application-attributes
The following example shows how to enable the periodic sending of an options table that allows the collector
to map QoS class IDs provided in flow records to class names:
Device(config)# flow exporter FLOW-EXPORTER-1
Cisco IOS Flexible NetFlow Command Reference
238
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
option (Flexible NetFlow)
Device(config-flow-exporter)# option class-qos-table
The following example shows how to enable the periodic sending of an options table that allows the collector
to map QoS policy IDs provided in flow records to policy names:
Device(config)# flow exporter FLOW-EXPORTER-1
Device(config-flow-exporter)# option policy-qos-table
The following example shows how to enable the periodic sending of exporter statistics, including the number
of records, bytes, and packets sent:
Device(config)# flow exporter FLOW-EXPORTER-1
Device(config-flow-exporter)# option exporter-stats
The following example shows how to enable the periodic sending of an options table that allows the collector
to map the interface SNMP indexes provided in flow records to interface names:
Device(config)# flow exporter FLOW-EXPORTER-1
Device(config-flow-exporter)# option interface-table
The following example shows how to enable the periodic sending of an options table that allows the collector
to map NBAR application IDs provided in flow records to application names:
Device(config)# flow exporter FLOW-EXPORTER-1
Device(config-flow-exporter)# option application-table
The following example shows how to enable the periodic sending of an options table that details the
configuration of each sampler and allows the collector to map the sampler ID provided in any flow record to
a configuration that the collector can use to scale up the flow statistics:
Device(config)# flow exporter FLOW-EXPORTER-1
Device(config-flow-exporter)# option sampler-table
The following example shows how to enable the periodic sending of an options table that allows the collector
to map the NBAR subapplication tags, subapplication names, and subapplication descriptions provided in
flow records to application IDs:
Device(config)# flow exporter FLOW-EXPORTER-1
Device(config-flow-exporter)# option sub-application-table
The following example shows how to enable the periodic sending of an options table that allows the collector
to map the virtual routing and forwarding (VRF) IDs provided in flow records to VRF names:
Device(config)# flow exporter FLOW-EXPORTER-1
Device(config-flow-exporter)# option vrf-table
Related Commands
Command
Description
flow exporter
Creates a flow exporter.
Cisco IOS Flexible NetFlow Command Reference
239
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
output-features
output-features
To enable sending export packets for Flexible NetFlow or Performance Monitor using quality of service (QoS)
or encryption, use the output-features command in flow exporter configuration mode. To disable sending
export packets using QoS or encryption, use the no form of this command.
output-features
no output-features
Syntax Description
This command has no arguments or keywords.
Command Default
If QoS or encryption is configured on the router, neither QoS or encryption is run on Flexible NetFlow or
Performance Monitor export packets.
Command Modes
flow exporter configuration (config-flow-exporter)
Command History
Usage Guidelines
Release
Modification
12.4(20)T
This command was introduced.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco
Performance Monitor.
12.2(58)SE
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco
Performance Monitor.
This command can be used with both Flexible NetFlow and Performance Monitor.
If the router has the output feature quality of service (QoS) or encryption configured, the output-features
command causes the output features to be run on Flexible NetFlow or Performance Monitor export packets.
Examples
The following example configures the use of QoS or encryption on Flexible NetFlow or Performance Monitor
export packets:
Router(config)# flow exporter FLOW-EXPORTER-1
Router(config-flow-exporter)# output-features
Related Commands
Command
Description
flow exporter
Creates a flow exporter.
Cisco IOS Flexible NetFlow Command Reference
240
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
record
record
To configure a flow record for a Flexible NetFlow flow monitor, use the record command in Flexible NetFlow
flow monitor configuration mode. To remove a flow record for a Flexible NetFlow flow monitor, use the no
form of this command.
record {record-name| netflow-original| netflow {ipv4| ipv6} record [peer]}
no record
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
record {record-name| platform-original {ipv4| ipv6} record}
no record
Cisco IOS XE Release 3.2SE
record record-name
no record
Syntax Description
record-name
Name of a user-defined flow record that was
previously configured.
netflow-original
Configures the flow monitor to use the Flexible
NetFlow implementation of original NetFlow with
origin autonomous systems.
netflow ipv4
Configures the flow monitor to use one of the
predefined IPv4 records.
netflow ipv6
Configures the flow monitor to use one of the
predefined IPv6 records. This keyword is not
supported on the Cisco ASR 1000 Series Aggregation
Services router.
record
Name of the predefined record. See the table below
for a listing of the available records and their
definitions.
peer
(Optional) Configures the flow monitor to use one of
the predefined records with peer autonomous systems.
The peer keyword is not supported for every type of
Flexible NetFlow predefined record. See the table
below.
platform-original ipv4
Configures the flow monitor to use one of the
predefined IPv4 records.
Cisco IOS Flexible NetFlow Command Reference
241
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
record
Configures the flow monitor to use one of the
predefined IPv6 records.
platform-original ipv4
Command Default
A flow record is not configured.
Command Modes
Flexible NetFlow flow monitor configuration (config-flow-monitor)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.4(20)T
This command was modified. The ipv6 keyword was added.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
12.2(50)SY
This command was modified. The netflow-original , netflow ipv4 , and
netflow ipv6 keywords were removed.
The platform-originalipv4a nd platform-originalipv4 keywords were
added.
Cisco IOS XE Release 3.2SE This command was modified. The netflow-original , netflow ipv4 , and
netflow ipv6 keywords were removed.
Usage Guidelines
Note
Each flow monitor requires a record to define the contents and layout of its cache entries. The flow monitor
can use one of the wide range of predefined record formats, or advanced users may create their own record
formats.
You must use the no ip flowmonitor command to remove a flow monitor from all of the interfaces to
which you have applied it before you can modify the parameters for the record command for the flow
monitor.
Cisco IOS Flexible NetFlow Command Reference
242
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
record
The table below describes the keywords and descriptions for the record argument.
Table 2: Keywords and Descriptions for the record Argument
Keyword
Description
IPv4 Support
IPv6 Support
as
Autonomous system
record.
Yes
Yes
as-tos
Autonomous system and Yes
ToS record.
—
bgp-nexthop-tos
BGP next-hop and ToS
record.
Yes
—
bgp-nexthop
BGP next-hop record.
—
Yes
destination
Original 12.2(50)SY
platform IPv4/IPv6
destination record.
Yes
Yes
destination-prefix
Destination Prefix record. Yes
Yes
Note
For IPv6, a
minimum prefix
mask length of 0
bits is assumed.
Yes
—
destination-prefix-tos
Destination prefix and
ToS record.
destination-source
Original 12.2(50)SY
Yes
platform IPv4/IPv6
destination-source record.
Yes
full
Original 12.2(50)SY
platform IPv4/IPv6 full
record.
Yes
Yes
interface-destination
Original 12.2(50)SY
platform IPv4/IPv6
interface-destination
record.
Yes
Yes
interface-destinationsource
Original 12.2(50)SY
Yes
platform IPv4/IPv6
interface-destination-source
record.
Yes
interface-full
Original 12.2(50)SY
platform IPv4/IPv6
interface-full record.
Yes
Yes
Cisco IOS Flexible NetFlow Command Reference
243
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
record
Keyword
Description
IPv4 Support
IPv6 Support
interface-source
Original 12.2(50)SY
platform IPv4/IPv6
interface-source only
record.
Yes
Yes
original-input
Traditional IPv4 input
NetFlow.
Yes
Yes
original-output
Traditional IPv4 output
NetFlow.
Yes
Yes
prefix
Source and destination
prefixes record.
Yes
Yes
Yes
--
Note
prefix-port
Prefix port record.
Note
The peer
keyword is not
available for this
record.
prefix-tos
Prefix ToS record.
Yes
--
protocol-port
Protocol ports record.
Yes
Yes
Yes
—
Note
protocol-port-tos
source-prefix
The peer
keyword is not
available for this
record.
Source autonomous
Yes
system and prefix record.
Note
source-prefix-tos
The peer
keyword is not
available for this
record.
Protocol port and ToS
record.
Note
Yes
For IPv6, a
minimum prefix
mask length of 0
bits is assumed.
Source Prefix and ToS
record.
Cisco IOS Flexible NetFlow Command Reference
244
For IPv6, a
minimum prefix
mask length of 0
bits is assumed.
Yes
—
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
record
Examples
The following example configures the flow monitor to use the NetFlow original record:
Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)# record netflow-original
The following example configures the flow monitor to use a user-defined record named collect-ipv4-data:
Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)# record collect-ipv4-data
The following example configures the flow monitor to use the Flexible NetFlow IPv4 destination prefix record:
Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)# record netflow ipv4 destination-prefix
The following example configures the flow monitor to use a the Flexible NetFlow IPv6 destination prefix
record:
Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)# record netflow ipv6 destination-prefix
Related Commands
Command
Description
flow monitor
Creates a flow monitor.
Cisco IOS Flexible NetFlow Command Reference
245
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
sampler
sampler
To create a Flexible NetFlow flow sampler, or to modify an existing Flexible NetFlow flow sampler, and to
enter Flexible NetFlow sampler configuration mode, use the sampler command in global configuration mode.
To remove a sampler, use the no form of this command.
sampler sampler-name
no sampler sampler-name
Syntax Description
sampler-name
Name of the flow sampler that is being created or
modified.
Command Default
Flexible NetFlow flow samplers are not configured.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(2)S
This command was modified. A hash collision between the name supplied
and any existing name is now possible. If this happens, you can retry,
supplying another name.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
Flow samplers are used to reduce the load placed by Flexible NetFlow on the networking device to monitor
traffic by limiting the number of packets that are analyzed. You configure a rate of sampling that is 1 out of
Cisco IOS Flexible NetFlow Command Reference
246
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
sampler
a range of 2 to 32,768 packets. For example, a rate of 1 out of 2 results in analysis of 50 percent of the packets
sampled. Flow samplers are applied to interfaces in conjunction with a flow monitor to implement sampled
Flexible NetFlow.
To enable flow sampling, you configure the record that you want to use for traffic analysis and assign it to a
flow monitor. When you apply a flow monitor with a sampler to an interface, the sampled packets are analyzed
at the rate specified by the sampler and compared with the flow record associated with the flow monitor. If
the analyzed packets meet the criteria specified by the flow record, they are added to the flow monitor cache.
In Cisco IOS Release 15.1(2)S and later releases, a hash collision between the name supplied and any existing
name is possible. If this happens, you can retry, supplying another name.
Examples
The following example creates a flow sampler name SAMPLER-1:
Router(config)# sampler SAMPLER-1
Router(config-sampler)#
The following example shows the output when there is a hash collision between the name supplied and any
existing name:
Router(config-sampler)# sampler SAMPLER-1
% sampler: Failed to create a new Sampler (Hash value in use).
Router(config)#
Related Commands
Command
Description
clear sampler
Clears the flow sampler statistics.
debug sampler
Enables debugging output for flow samplers.
mode
Configures a packet interval for a flow sampler.
show sampler
Displays flow sampler status and statistics.
Cisco IOS Flexible NetFlow Command Reference
247
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow exporter
show flow exporter
To display Flexible NetFlow flow exporter status and statistics, use the show flow exporter command in
privileged EXEC mode.
show flow exporter [export-ids {netflow-v5| netflow-v9}| [name] exporter-name [statistics| templates]
[option application {engines| table}]]
Cisco IOS XE Release 3.2SE
show flow exporter [export-ids netflow-v9| [name] exporter-name [statistics| templates]]
Syntax Description
Command Modes
Command History
export-ids netflow-v5
(Optional) Displays the NetFlow Version 5 export
fields that can be exported and their IDs.
export-ids netflow-v9
(Optional) Displays the NetFlow Version 9 export
fields that can be exported and their IDs.
name
(Optional) Specifies the name of a flow exporter.
exporter-name
(Optional) Name of a flow exporter that was
previously configured.
statistics
(Optional) Displays flow exporter statistics.
templates
(Optional) Displays flow exporter template
information.
option application engines
(Optional) Displays the application engines option
for flow exporters.
option application table
(Optional) Displays the application table option for
flow exporters.
Privileged EXEC (#)
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
Cisco IOS Flexible NetFlow Command Reference
248
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow exporter
Examples
Release
Modification
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE 3.1S
This command was modified. The option and application keywords
were added.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
15.2.(2)T
This command was modified. The ability to display IPv6 addresses was
added.
Cisco IOS XE 3.5S
This command was modified. The ability to display IPv6 addresses was
added.
Cisco IOS XE Release 3.2SE
This command was modified. The export-ids netflow-v5 , option
application engines , and option application table keywords were
removed.
The following example displays the status and statistics for all of the flow exporters configured on a router:
Router# show flow exporter
Flow Exporter FLOW-MONITOR-1:
Description:
Exports to the datacenter
Export protocol:
NetFlow Version 9
Transport Configuration:
Destination IP address: 172.16.10.2
Source IP address:
172.16.6.2
Source Interface:
Ethernet0/0
Transport Protocol:
UDP
Destination Port:
650
Source Port:
55864
DSCP:
0x3F
TTL:
15
Output Features:
Used
Flow Exporter FLOW-MONITOR-2:
Description:
Exports to the datacenter
Export protocol:
NetFlow Version 9
Transport Configuration:
Destination IP address: 2222::2/64
Source IP address:
1111::1/64
Transport Protocol:
UDP
Destination Port:
4739
Source Port:
49936
DSCP:
0x0
TTL:
255
Output Features:
Not Used
Options Configuration:
exporter-stats (timeout 120 seconds)
interface-table (timeout 120 seconds)
sampler-table (timeout 120 seconds)
Cisco IOS Flexible NetFlow Command Reference
249
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow exporter
The table below describes the significant fields shown in the display.
Table 3: show flow exporter Field Descriptions
Field
Description
Flow Exporter
The name of the flow exporter that you configured.
Description
The description that you configured for the exporter,
or the default description “User defined”.
Transport Configuration
The transport configuration fields for this exporter.
Destination IP address
The IP address of the destination host.
Source IP address
The source IP address used by the exported packets.
Transport Protocol
The transport layer protocol used by the exported
packets.
Destination Port
The destination UDP port to which the exported
packets are sent.
Source Port
The source UDP port from which the exported packets
are sent.
DSCP
The differentiated services code point (DSCP) value.
TTL
The time-to-live value.
The following example displays the NetFlow Version 9 export IDs for all of the flow exporters configured
on a router. This output will vary according to the flow record configured:
Router# show flow exporter export-ids netflow-v9
Export IDs used by fields in NetFlow-common export format:
ip version
:
60
ip tos
:
194
ip dscp
:
195
ip precedence
:
196
ip protocol
:
4
ip ttl
:
192
ip ttl minimum
:
52
ip ttl maximum
:
53
ip length header
:
189
ip length payload
:
204
ip section header
:
313
ip section payload
:
314
routing source as
:
16
routing destination as
:
17
routing source as peer
:
129
routing destination as peer
:
128
routing source traffic-index
:
92
routing destination traffic-index
:
93
routing forwarding-status
:
89
routing is-multicast
:
206
routing next-hop address ipv4
:
15
Cisco IOS Flexible NetFlow Command Reference
250
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow exporter
routing next-hop address ipv4 bgp
routing next-hop address ipv6 bgp
ipv4 header-length
ipv4 tos
ipv4 total-length
ipv4 total-length minimum
ipv4 total-length maximum
ipv4 id
ipv4 fragmentation flags
ipv4 fragmentation offset
ipv4 source address
ipv4 source prefix
ipv4 source mask
ipv4 destination address
ipv4 destination prefix
ipv4 destination mask
ipv4 options
transport source-port
transport destination-port
transport icmp-ipv4 type
transport icmp-ipv4 code
transport igmp type
transport tcp source-port
transport tcp destination-port
transport tcp sequence-number
transport tcp acknowledgement-number
transport tcp header-length
transport tcp window-size
transport tcp urgent-pointer
transport tcp flags
transport udp source-port
transport udp destination-port
transport udp message-length
interface input snmp
interface output snmp
interface name
interface description
flow direction
flow exporter
flow sampler
flow sampler algorithm export
flow sampler interval
flow sampler name
flow class
v9-scope system
v9-scope interface
v9-scope linecard
v9-scope cache
v9-scope template
counter flows
counter bytes
counter bytes long
counter packets
counter packets long
counter bytes squared long
counter bytes permanent
counter packets permanent
counter bytes squared permanent
counter bytes exported
counter packets exported
counter flows exported
timestamp sys-uptime first
timestamp sys-uptime last
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
18
63
207
5
190
25
26
54
197
88
8
44
9
12
45
13
208
7
11
176
177
33
182
183
184
185
188
186
187
6
180
181
205
10
14
82
83
61
144
48
49
50
84
51
1
2
3
4
5
3
1
1
2
2
198
85
86
199
40
41
42
22
21
The following example displays the status and statistics for all of the flow exporters configured on a router:
Router# show flow exporter name FLOW-MONITOR-1 statistics
Flow Exporter FLOW-MONITOR-1:
Packet send statistics:
Ok 0
No FIB 0
Adjacency failure 0
Cisco IOS Flexible NetFlow Command Reference
251
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow exporter
Enqueued to process level 488
Enqueueing failed 0
IPC failed 0
Output failed 0
Fragmentation failed 0
Encap fixup failed 0
No destination address 0
Client send statistics:
Client: Flow Monitor FLOW-MONITOR-1
Records added 558
Packets sent 486 (51261 bytes)
Packets dropped 0 (0 bytes)
No Packet available errors 0
The table below describes the significant fields shown in the display.
Table 4: show flow exporter name exporter-name statistics Field Descriptions
Field
Description
Flow Exporter
The name of the flow exporter that you configured.
Packet send statistics
The packet transmission statistics for this exporter.
Ok
The number of packets that have been sent
successfully.
No FIB
No entry in the Forwarding Information Base (FIB)
to forward to.
Adjacency failure
No Cisco Express Forwarding (CEF) adjacency
available for forwarding.
Enqueued to process level
Packets that were sent to the processor for forwarding.
Enqueueing failed
Packets that could not be queued for transmission.
IPC failed
Packets for which interprocess communication (IPC)
failed.
Output failed
Packets that were dropped because the output queue
was full.
Fragmentation failed
Packets that were not able to be fragmented.
Encap fixup failed
Packets that were not able to be encapsulated for
transmission on the egress interface.
No destination address
No destination address configured for the exporter.
Client send statistics
Statistics for the flow monitors that are using the
exporters.
Client
The name of the flow monitor that is using the
exporter.
Cisco IOS Flexible NetFlow Command Reference
252
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow exporter
Field
Description
Records added
The number of flow records that have been added for
this flow monitor.
Packets sent
The number of packets that have been exported for
this flow monitor.
Packets dropped
The number of packets that were dropped for this
flow monitor.
No Packet available error
The number of times that no packets were available
to transmit the records.
The following example displays the template format for the exporters configured on the router. This output
will vary according to the flow record configured:
Router# show flow exporter FLOW_EXPORTER-1 templates
Flow Exporter FLOW-MONITOR-1:
Client: Flow Monitor FLOW-MONITOR-1
Exporter Format: NetFlow Version 9
Template ID
: 256
Record Size
: 53
Template layout
_____________________________________________________________________
|
Field
| Type1 | Offset2 | Size3 |
--------------------------------------------------------------------| ipv4 source address
|
8 |
0 |
4 |
| ipv4 destination address
|
12 |
4 |
4 |
| interface input snmp
|
10 |
8 |
4 |
| flow sampler
|
48 |
12 |
4 |
| transport source-port
|
7 |
16 |
2 |
| transport destination-port
|
11 |
18 |
2 |
| ip tos
|
194 |
20 |
1 |
| ip protocol
|
4 |
21 |
1 |
| ipv4 source mask
|
9 |
22 |
1 |
| ipv4 destination mask
|
13 |
23 |
1 |
| transport tcp flags
|
6 |
24 |
1 |
| routing source as
|
16 |
25 |
2 |
| routing destination as
|
17 |
27 |
2 |
| routing next-hop address ipv4
|
15 |
29 |
4 |
| interface output snmp
|
14 |
33 |
4 |
| counter bytes
|
1 |
37 |
4 |
| counter packets
|
2 |
41 |
4 |
| timestamp sys-uptime first
|
22 |
45 |
4 |
| timestamp sys-uptime last
|
21 |
49 |
4 |
---------------------------------------------------------------------
Related Commands
Command
Description
clear flow exporter
Clears the statistics for exporters.
debug flow exporter
Enables debugging output for flow exporters.
flow exporter
Creates a flow exporter.
Cisco IOS Flexible NetFlow Command Reference
253
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow interface
show flow interface
To display the Flexible NetFlow configuration and status for an interface, use the show flow interface
command in privileged EXEC mode.
show flow interface [type number]
Syntax Description
Command Modes
Command History
Examples
type
(Optional) The type of interface on which you want
to display Flexible NetFlow accounting configuration
information.
number
(Optional) The number of the interface on which you
want to display Flexible NetFlow accounting
configuration information.
Privileged EXEC (#)
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
The following example displays the Flexible NetFlow accounting configuration on Ethernet interfaces 0/0
and 0/1:
Router# show flow interface ethernet 1/0
Interface Ethernet1/0
FNF: monitor:
direction:
Cisco IOS Flexible NetFlow Command Reference
254
FLOW-MONITOR-1
Output
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow interface
traffic(ip):
on
Router# show flow interface ethernet 0/0
Interface Ethernet0/0
FNF: monitor:
FLOW-MONITOR-1
direction:
Input
traffic(ip):
sampler SAMPLER-2#
The table below describes the significant fields shown in the display.
Table 5: show flow interface Field Descriptions
Field
Description
Interface
The interface to which the information applies.
monitor
The name of the flow monitor that is configured on
the interface.
direction:
The direction of traffic that is being monitored by the
flow monitor.
The possible values are:
• Input—Traffic is being received by the
interface.
• Output—Traffic is being transmitted by the
interface.
traffic(ip)
Indicates if the flow monitor is in normal mode or
sampler mode.
The possible values are:
• on—The flow monitor is in normal mode.
• sampler—The flow monitor is in sampler mode
(the name of the sampler will be included in the
display).
Related Commands
Command
Description
show flow monitor
Displays flow monitor status and statistics.
Cisco IOS Flexible NetFlow Command Reference
255
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor
show flow monitor
To display the status and statistics for a Flexible NetFlow flow monitor, use the show flow monitor command
in privileged EXEC mode.
show flow monitor [[name] monitor-name [cache [format {csv| record| table}]] [statistics]]
Syntax Description
Command Modes
Command History
name
(Optional) Specifies the name of a flow monitor.
monitor-name
(Optional) Name of a flow monitor that was
previously configured.
cache
(Optional) Displays the contents of the cache for the
flow monitor.
format
(Optional) Specifies the use of one of the format
options for formatting the display output.
csv
(Optional) Displays the flow monitor cache contents
in comma separated variables (CSV) format.
record
(Optional) Displays the flow monitor cache contents
in record format.
table
(Optional) Displays the flow monitor cache contents
in table format.
statistics
(Optional) Displays the statistics for the flow monitor.
Privileged EXEC (#)
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
Cisco IOS Flexible NetFlow Command Reference
256
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor
Release
Modification
12.4(20)T
This command was modified. Support for displaying IPv6 data in Flexible
NetFlow flow monitor caches was added.
15.0(1)M
This command was modified. Support for displaying virtual routing and
forwarding (VRF) and Network Based Application Recognition (NBAR) data
in Flexible NetFlow flow monitor caches was added.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series
routers.
Cisco IOS XE Release 3.2SE This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
The cache keyword uses the table format by default.
The uppercase field names in the display output of the show flowmonitor monitor-name cache command
are key fields that Flexible NetFlow uses to differentiate flows. The lowercase field names in the display
output of the show flow monitor monitor-name cache command are nonkey fields from which Flexible
NetFlow collects values as additional data for the cache.
Examples
The following example displays the status for a flow monitor:
Router# show flow monitor FLOW-MONITOR-1
Flow Monitor FLOW-MONITOR-1:
Description:
Used for basic traffic analysis
Flow Record:
netflow-original
Flow Exporter:
EXP-DC-TOPEKA
EXP-DC-PHOENIX
Cache:
Type:
normal
Status:
allocated
Size:
4096 entries / 311316 bytes
Inactive Timeout: 15 secs
Active Timeout:
1800 secs
Update Timeout:
1800 secs
The table below describes the significant fields shown in the display.
Table 6: show flow monitor monitor-name Field Descriptions
Field
Description
Flow Monitor
Name of the flow monitor that you configured.
Description
Description that you configured or the monitor, or
the default description “User defined”.
Flow Record
Flow record assigned to the flow monitor.
Flow Exporter
Exporters that are assigned to the flow monitor.
Cisco IOS Flexible NetFlow Command Reference
257
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor
Field
Description
Cache
Information about the cache for the flow monitor.
Type
Flow monitor cache type.
The possible values are:
• immediate—Flows are expired immediately.
• normal—Flows are expired normally.
• Permanent—Flows are never expired.
Status
Status of the flow monitor cache.
The possible values are:
• allocated—The cache is allocated.
• being deleted—The cache is being deleted.
• not allocated—The cache is not allocated.
Size
Current cache size.
Inactive Timeout
Current value for the inactive timeout in seconds.
Active Timeout
Current value for the active timeout in seconds.
Update Timeout
Current value for the update timeout in seconds.
The following example displays the status, statistics, and data for the flow monitor named FLOW-MONITOR-1:
Router# show flow monitor FLOW-MONITOR-1 cache
Cache type:
Cache size:
Current entries:
High Watermark:
Flows added:
Flows aged:
- Active timeout
( 1800 secs)
- Inactive timeout (
15 secs)
- Event aged
- Watermark aged
- Emergency aged
IP TOS:
0x00
IP PROTOCOL:
6
IPV4 SOURCE ADDRESS:
10.10.10.2
IPV4 DESTINATION ADDRESS: 172.16.10.2
TRNS SOURCE PORT:
20
TRNS DESTINATION PORT:
20
INTERFACE INPUT:
Et0/0
FLOW SAMPLER ID:
0
ip source as:
0
ip destination as:
0
ipv4 next hop address:
172.16.7.2
ipv4 source mask:
/0
ipv4 destination mask:
/24
Cisco IOS Flexible NetFlow Command Reference
258
Normal
4096
8
10
1560
1552
24
1528
0
0
0
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
0x00
Et1/0
198520
4963
10564356
12154104
The table below describes the significant fields shown in the display.
Table 7: show flow monitor monitor-name cache Field Descriptions
Field
Description
Cache type
Flow monitor cache type.
The possible values are:
• Immediate—Flows are expired immediately.
• Normal—Flows are expired normally.
• Permanent—Flows are never expired.
Cache Size
Number of entries in the cache.
Current entries
Number of entries in the cache that are in use.
High Watermark
Highest number of cache entries seen.
Flows added
Flows added to the cache since the cache was created.
Flows aged
Flows expired from the cache since the cache was
created.
Active timeout
Current value for the active timeout in seconds.
Inactive timeout
Current value for the inactive timeout in seconds.
Event aged
Number of flows that have been aged by an event
such as using the force-export option for the clear
flow monitor command.
Watermark aged
Number of flows that have been aged because they
exceeded the maximum high watermark value.
Emergency aged
Number of flows that have been aged because the
cache size was exceeded.
IP TOS
IP type of service (ToS) value.
IP PROTOCOL
Protocol number.
IPV4 SOURCE ADDRESS
IPv4 source address.
IPV4 DESTINATION ADDRESS
IPv4 destination address.
Cisco IOS Flexible NetFlow Command Reference
259
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor
Field
Description
TRNS SOURCE PORT
Source port for the transport protocol.
TRNS DESTINATION PORT
Destination port for the transport protocol.
INTERFACE INPUT
Interface on which the input is received.
FLOW SAMPLER ID
Flow sampler ID number.
ip source as
Border Gateway Protocol (BGP) source autonomous
system number.
ip destination as
BGP destination autonomous system number.
ipv4 next hop address
IPv4 address of the next hop to which the packet is
forwarded.
ipv4 source mask
IPv4 source address mask.
ipv4 destination mask
IPv4 destination address mask.
tcp flags
Value of the TCP flags.
interface output
Interface on which the input is transmitted.
counter bytes
Number of bytes that have been counted.
counter packets
Number of packets that have been counted.
timestamp first
Time stamp of the first packet in the flow.
timestamp last
Time stamp of the last packet in the flow.
The following example displays the status, statistics, and data for the flow monitor named FLOW-MONITOR-1
in a table format:
Router# show flow monitor FLOW-MONITOR-1 cache format table
Cache type:
Normal
Cache size:
4096
Current entries:
4
High Watermark:
6
Flows added:
90
Flows aged:
86
- Active timeout
( 1800 secs)
0
- Inactive timeout (
15 secs)
86
- Event aged
0
- Watermark aged
0
- Emergency aged
0
IP TOS IP PROT IPV4 SRC ADDR
IPV4 DST ADDR
====== ======= =============== ===============
0x00
1 10.251.10.1
172.16.10.2
0x00
1 10.251.10.1
172.16.10.2
0xC0
17 172.16.6.1
224.0.0.9
Cisco IOS Flexible NetFlow Command Reference
260
TRNS SRC PORT
=============
0
0
520
TRNS DST PORT
==============
02
20484
5202
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor
0x00
Router#
6
10.10.11.1
172.16.10.5
25
252
The following example displays the status, statistics, and data for the flow monitor named
FLOW-MONITOR-IPv6 (the cache contains IPv6 data) in record format:
Router# show flow monitor name FLOW-MONITOR-IPv6 cache format record
Cache type:
Normal
Cache size:
4096
Current entries:
6
High Watermark:
8
Flows added:
1048
Flows aged:
1042
- Active timeout
( 1800 secs)
11
- Inactive timeout (
15 secs)
1031
- Event aged
0
- Watermark aged
0
- Emergency aged
0
IPV6 FLOW LABEL:
0
IPV6 EXTENSION MAP:
0x00000040
IPV6 SOURCE ADDRESS:
2001:DB8:1:ABCD::1
IPV6 DESTINATION ADDRESS: 2001:DB8:4:ABCD::2
TRNS SOURCE PORT:
3000
TRNS DESTINATION PORT:
55
INTERFACE INPUT:
Et0/0
FLOW DIRECTION:
Input
FLOW SAMPLER ID:
0
IP PROTOCOL:
17
IP TOS:
0x00
ip source as:
0
ip destination as:
0
ipv6 next hop address:
::
ipv6 source mask:
/48
ipv6 destination mask:
/0
tcp flags:
0x00
interface output:
Null
counter bytes:
521192
counter packets:
9307
timestamp first:
9899684
timestamp last:
11660744
The table below describes the significant fields shown in the display.
Table 8: show flow monitor monitor-name cache format record Field Descriptions
Field
Description
Cache type
Flow monitor cache type.
The possible values are:
• Immediate—Flows are expired immediately.
• Normal—Flows are expired normally.
• Permanent—Flows are never expired.
Cache Size
Number of entries in the cache.
Current entries
Number of entries in the cache that are in use.
High Watermark
Highest number of cache entries seen.
Flows added
Flows added to the cache since the cache was created.
Cisco IOS Flexible NetFlow Command Reference
261
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor
Field
Description
Flows aged
Flows expired from the cache since the cache was
created.
Active timeout
Current value for the active timeout in seconds.
Inactive timeout
Current value for the inactive timeout in seconds.
Event aged
Number of flows that have been aged by an event
such as using the force-export option for the clear
flow monitor command.
Watermark aged
Number of flows that have been aged because they
exceeded the maximum high watermark value.
Emergency aged
Number of flows that have been aged because the
cache size was exceeded.
IPV6 FLOW LABEL
Label number for the flow.
IPV6 EXTENSION MAP
Pointer to the IPv6 extensions.
IPV6 SOURCE ADDRESS
IPv6 source address.
IPV6 DESTINATION ADDRESS
IPv6 destination address.
TRNS SOURCE PORT
source port for the transport protocol.
TRNS DESTINATION PORT
Destination port for the transport protocol.
INTERFACE INPUT
Interface on which the input is received.
FLOW DIRECTION
Input or output.
FLOW SAMPLER ID
Flow sampler ID number.
IP PROTOCOL
IP protocol number.
IP TOS
IP ToS number.
ip source as
BGP source autonomous system number.
ip destination as
BGP destination autonomous system number.
ipv6 next hop address
IPv4 address of the next hop to which the packet is
forwarded.
ipv6 source mask
IPv6 source address mask.
ipv6 destination mask
IPv6 destination address mask.
Cisco IOS Flexible NetFlow Command Reference
262
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor
Field
Description
tcp flags
Value of the TCP flags.
interface output
Interface on which the input is transmitted.
counter bytes
Number of bytes that have been counted.
counter packets
Number of packets that have been counted.
timestamp first
Time stamp of the first packet in the flow.
timestamp last
Time stamp of the last packet in the flow.
The following example displays the status and statistics for a flow monitor:
Router# show flow monitor FLOW-MONITOR-1 statistics
Cache type:
Cache size:
Current entries:
High Watermark:
Flows added:
Flows aged:
- Active timeout
(
- Inactive timeout (
- Event aged
- Watermark aged
- Emergency aged
1800 secs)
15 secs)
Normal
4096
4
6
116
112
0
112
0
0
0
The table below describes the significant fields shown in the display.
Table 9: show flow monitor monitor-name statistics Field Descriptions
Field
Description
Cache Type
Flow monitor cache type.
The possible values are:
• Immediate—Flows are expired immediately.
• Normal—Flows are expired normally.
• Permanent—Flows are never expired.
Cache Size
Size of the cache.
Current entries
Number of entries in the cache that are in use.
High Watermark
Highest number of cache entries seen.
Flows added
Flows added to the cache since the cache was created.
Flows aged
Flows expired from the cache since the cache was
created.
Cisco IOS Flexible NetFlow Command Reference
263
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor
Related Commands
Field
Description
Active Timeout
Current value for the active timeout in seconds.
Inactive Timeout
Current value for the inactive timeout in seconds.
Event aged
Number of flows that have been aged by an event
such as using the force-export option for the clear
flow monitor command.
Watermark aged
Number of flows that have been aged because they
exceeded the maximum high watermark value.
Emergency aged
Number of flows that have been aged because the
cache size was exceeded.
Command
Description
clear flow monitor
Clears the flow monitor.
debug flow monitor
Enables debugging output for flow monitors.
Cisco IOS Flexible NetFlow Command Reference
264
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache aggregate
show flow monitor cache aggregate
To display aggregated flow statistics from a flow monitor cache, use the show flow monitor cache aggregate
command in privileged EXEC mode.
show flow monitor [name] monitor-name cache aggregate {options [... options] [collect options [... options]]|
record record-name} [format {csv| record| table}]
Syntax Description
Command Modes
Command History
name
(Optional) Specifies the name of a flow monitor.
monitor-name
Name of a flow monitor that was previously
configured.
options
Fields upon which aggregation is performed; and from
which additional data from the cache is displayed
when the collect keyword is used. You can specify
multiple values for the options argument. See the
“Usage Guidelines” section.
collect
(Optional) Displays additional data from the cache.
See the “Usage Guidelines” section.
record record-name
Specifies the name of a user-defined flow record or
a predefined flow record. See the first table below for
a listing of the available predefined records and their
definitions.
format
(Optional) Specifies the use of one of the format
options for formatting the display output.
csv
Displays the flow monitor cache contents in
comma-separated variables (CSV) format.
record
Displays the flow monitor cache contents in record
format.
table
Displays the flow monitor cache contents in table
format.
Privileged EXEC (#)
Release
Modification
12.4(22)T
This command was introduced.
Cisco IOS Flexible NetFlow Command Reference
265
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache aggregate
Usage Guidelines
Release
Modification
12.2(33)SRE
This command was modified. Support for this command was
implemented on the Cisco 7200 and Cisco 7300 Network Processing
Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Flexible NetFlow—Top N Talkers Support
The show flow monitor cacheaggregate command is one of a set of three commands that make up the Flexible
NetFlow—Top N Ta lkers Support feature. The Flexible NetFlow—Top N Talkers Support feature is used
to manipulate the display output from the Flexible NetFlow cache to facilitate the analysis of network traffic.
The other two commands that make up the Flexible NetFlow—Top N Talkers Support feature are show flow
monitor cache filter and show flow monitor cache sort. The three commands can be used together or on
their own, depending on your requirements. For more detailed information about these commands, see the
show flow monitor cache filter command and the show flow monitor cache sort command. For information
about how the three commands are used together, refer to the “Configuring Cisco IOS Flexible NetFlow—Top
N Talkers Support” module in the Configuring Cisco IOS Flexible NetFlow Configuration Guide.
Flow Aggregation
Flow aggregation using the showflow monitor cache aggregate command allows you to dynamically display
the flow information in a cache using a different flow record than the cache was originally created from. Only
the fields in the cache will be available for the aggregated flows.
Note
The key and nonkey fields in the flows are defined in the flow record that you assigned to the flow monitor
from which the cache data is being aggregated.
Aggregation helps you achieve a higher-level view of the traffic in your network by combining flow data
from multiple flows based on the criteria that interest you, for example, displaying flow data for:
• All the HTTP traffic in your network.
• All the traffic being forwarded to a specific Border Gateway Protocol (BGP) next hop.
• Identifying a device that is sending several types of traffic to one or more hosts in your network, perhaps
as part of a denial of service (DoS) attack.
Aggregation options Argument
The options that you can use for the options argument of the show flow monitor cache aggregate command
are dependent on the fields that are used for the user-defined flow record that you configured for the flow
monitor using the record command. To identify the options that you can use, use the show flow
recordrecord-name command in privileged EXEC mode, where record-name is the name of the record that
you configured for the flow monitor.
Cisco IOS Flexible NetFlow Command Reference
266
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache aggregate
For example, if you assigned the “NetFlow Original” predefined record to a flow monitor, you use the show
flow record netflow-original command to display its key (match) and nonkey (collect) fields. The following
is partial output from the show flow record netflow-original command:
flow record netflow-original:
Description:
Traditional IPv4 input NetFlow with origin ASs
No. of users:
2
Total field space: 53 bytes
Fields:
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
.
.
.
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
The fields from this partial output that you can use for the option argument follow the match (key fields) and
collect (nonkey fields) words. For example, you can use the “ipv4 tos” field to aggregate the flows as shown
in the first example in the “Examples section.
Cache Data Fields Displayed
By default the data fields from the cache that are shown in the display output of the show flow monitor cache
aggregate command are limited to the field used for aggregation and the counter fields such as flows, number
of bytes, and the number of packets. The following is partial output from the show flow monitor
FLOW-MONITOR-3 cache aggregate ipv4 destination address command:
IPV4 DST ADDR
===============
224.192.16.1
224.192.18.1
224.192.16.4
224.192.45.12
255.255.255.255
flows
==========
2
3
4
3
1
bytes
==========
97340
96080
79760
77480
52
pkts
==========
4867
4804
3988
3874
1
Notice that the data contains only the IPv4 destination addresses for which flows have been aggregated and
the counter values.
The flow monitor (FLOW-MONITOR-3) referenced by the show flow monitor FLOW-MONITOR-3 cache
aggregate ipv4 destination address command uses the “NetFlow Original” predefined record, which contains
the following key and nonkey fields:
• match ipv4 tos
• match ipv4 protocol
• match ipv4 source address
• match ipv4 destination address
• match transport source-port
• match transport destination-port
• match interface input
• match flow sampler
• collect routing source as
• collect routing destination as
Cisco IOS Flexible NetFlow Command Reference
267
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache aggregate
• collect routing next-hop address ipv4
• collect ipv4 source mask
• collect ipv4 destination mask
• collect transport tcp flags
• collect interface output
• collect counter bytes
• collect counter packets
• collect timestamp sys-uptime first
• collect timestamp sys-uptime last
The collect keyword is used to include additional cache data in the display output of the show flow monitor
cache aggregate command. The following partial output from theshow flow monitor FLOW-MONITOR-3
cache aggregate ipv4 destination address collect transport tcp flags command shows the transport TCP
flags data from the cache:
IPV4 DST ADDR
===============
224.192.16.1
224.192.18.1
224.192.16.4
224.192.45.12
255.255.255.255
224.0.0.13
tcp flags
=========
0x00
0x00
0x00
0x00
0x00
0x00
flows
==========
4
4
3
4
1
1
bytes
==========
165280
158660
146740
145620
52
54
pkts
==========
8264
7933
7337
7281
1
1
You can add cache data fields after the collect keyword to show additional data from the cache in the display
output of the show flow monitor cache aggregate command.
Keywords and Descriptions for the record Argument
The table below describes the keywords for the record argument.
Table 10: Keywords and Descriptions for the Aggregate record Argument
Keyword
Description
IPv4 Support
IPv6 Support
as
Autonomous system
record.
Yes
Yes
as-tos
Autonomous system and Yes
ToS record.
No
bgp-nexthop-tos
BGP next-hop and ToS
record.
Yes
No
bgp-nexthop
BGP next-hop record.
No
Yes
destination-prefix
Destination prefix record. Yes
Yes
Note
Cisco IOS Flexible NetFlow Command Reference
268
For IPv6, a
minimum prefix
mask length of 0
bits is assumed.
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache aggregate
Keyword
Description
IPv4 Support
IPv6 Support
destination-prefix-tos
Destination prefix and
ToS record.
Yes
No
original-input
Traditional IPv4 input
NetFlow.
Yes
Yes
original-output
Traditional IPv4 output
NetFlow.
Yes
Yes
prefix
Source and destination
prefixes record.
Yes
Yes
Yes
No
Note
prefix-port
For IPv6, a
minimum prefix
mask length of 0
bits is assumed.
Prefix port record.
Note
The peer
keyword is not
available for this
record.
prefix-tos
Prefix ToS record.
Yes
No
protocol-port
Protocol ports record.
Yes
Yes
Yes
No
Source autonomous
Yes
system and prefix record.
Yes
Note
protocol-port-tos
Protocol port and ToS
record.
Note
source-prefix
Note
source-prefix-tos
The peer
keyword is not
available for this
record.
The peer
keyword is not
available for this
record.
For IPv6, a
minimum prefix
mask length of 0
bits is assumed.
Source prefix and ToS
record.
Yes
No
Cisco IOS Flexible NetFlow Command Reference
269
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache aggregate
Examples
The following example aggregates the flow monitor cache data on the destination and source IPv4 addresses:
Router# show flow monitor FLOW-MONITOR-1 cache aggregate ipv4 destination address ipv4
source address
Processed 26 flows
Aggregated to 17 flows
IPV4 SRC ADDR
IPV4 DST ADDR
=============== ===============
10.251.10.1
172.16.10.2
192.168.67.6
172.16.10.200
10.234.53.1
172.16.10.2
172.30.231.193
172.16.10.2
10.10.10.2
172.16.10.2
192.168.87.200
172.16.10.2
10.10.10.4
172.16.10.4
10.10.11.1
172.16.10.5
10.10.11.2
172.16.10.6
10.10.11.3
172.16.10.7
10.10.11.4
172.16.10.8
10.1.1.1
172.16.10.9
10.1.1.2
172.16.10.10
10.1.1.3
172.16.10.11
172.16.1.84
172.16.10.19
172.16.1.85
172.16.10.20
172.16.6.1
224.0.0.9
flows
==========
2
1
3
3
2
2
1
1
1
1
1
1
1
1
2
2
1
bytes
==========
1400828
19096
73656
73616
54560
54560
27280
27280
27280
27280
27280
27280
27280
27280
54520
54520
52
pkts
==========
1364
682
2046
2045
1364
1364
682
682
682
682
682
682
682
682
1363
1363
1
The table below describes the significant fields shown in the display.
Table 11: show flow monitor cache aggregate Field Descriptions
Related Commands
Field
Description
IPV4 SOURCE ADDRESS
IPv4 source address.
IPV4 DESTINATION ADDRESS
IPv4 destination address.
flows
Numbers of flows associated with the
source/destination IP address combination
bytes
Number of bytes contained in the flows.
packets
Number of packets contained in the flows.
Command
Description
show flow monitor cache filter
Filters the display output of flow records from a flow
monitor cache.
show flow monitor cache sort
Sorts the display output of flow records from a flow
monitor cache.
Cisco IOS Flexible NetFlow Command Reference
270
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache filter
show flow monitor cache filter
To filter the display output of statistics from the flows in a flow monitor cache, use the show flow monitor
cache filter command in privileged EXEC mode.
show flow monitor [name] monitor-name cache filter options [regexp regexp] [... options [regexp regexp]]
[format {csv| record| table}]
Syntax Description
Command Modes
Command History
name
(Optional) Specifies the name of a flow monitor.
monitor-name
Name of a flow monitor that was previously
configured.
options
Fields upon which filtering is performed. You can
specify multiple values for the options argument. See
the “Usage Guidelines” section.
regexp regexp
(Optional) Match the field specified with the options
argument against a regular expression. See the “Usage
Guidelines” section.
format
(Optional) Specifies the use of one of the format
options for formatting the display output.
csv
Displays the flow monitor cache contents in
comma-separated variables (CSV) format.
record
Displays the flow monitor cache contents in record
format.
table
Displays the flow monitor cache contents in table
format.
Privileged EXEC (#)
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was
implemented on the Cisco 7200 and Cisco 7300 Network Processing
Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS Flexible NetFlow Command Reference
271
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache filter
Usage Guidelines
Release
Modification
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Flexible NetFlow—Top N Talkers Support
The show flow monitor cache filter command is one of a set of three commands that make up the Flexible
NetFlow—Top N Talkers Support feature. The Flexible NetFlow—Top N Talkers Support feature is used to
manipulate the display output from the Flexible NetFlow cache to facilitate the analysis of network traffic.
The other two commands that make up the Flexible NetFlow—Top N Talkers Support feature are show flow
monitor cache sort and show flow monitor cache aggregate. The three commands can be used together or
on their own, depending on your requirements. For more detailed information about these commands, see the
show flow monitor cache sort command and the show flow monitor cache aggregate command. For
information about how the three commands are used together, refer to the “Configuring Cisco IOS Flexible
NetFlow—Top N Talkers Support” module in the Configuring Cisco IOS Flexible NetFlow Configuration
Guide.
Filter options Argument
The options that you can use for the options argument of the show flow monitor cache filter command are
dependent on the fields that are used for the record that you configured for the flow monitor using the record
command. To identify the options that you can use, use the show flow record record-name command in
privileged EXEC mode, where record-name is the name of the record that you configured for the flow monitor.
For example, if you assigned the “NetFlow Original” predefined record to a flow monitor, you use the show
flow record netflow-original command to display its key (match) and nonkey (collect) fields. The following
is partial output from the show command:
flow record netflow-original:
Description:
Traditional IPv4 input NetFlow with origin ASs
No. of users:
2
Total field space: 53 bytes
Fields:
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
.
.
.
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
The fields from this partial output that you can use for the option argument follow the match (key fields) and
collect (nonkey fields) words. For example, you can use the “ipv4 tos” field to filter the flows as shown in the
first example in the “Examples” section.
Filtering Criteria
The following are examples of the types of filtering criteria available for the show flow monitorcache filter
command:
• Perform an exact match on any numerical fields in either decimal or hexadecimal format. For example,
these two commands match flows in the flow monitor cache that contain either “0xA001” or “1”:
• show flow monitor FLOW-MONITOR-1 cache filter transport source-port 0xA001
Cisco IOS Flexible NetFlow Command Reference
272
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache filter
• show flow monitor FLOW-MONITOR-1 cache filter transport source-port 1
• Perform a match on a range for any numerical fields in either decimal or hexadecimal format. For
example, these two commands match flows in the flow monitor cache that contain either “0xA000
0xB000” or “1 1024”:
• show flow monitor FLOW-MONITOR-1 cache filter transport source-port 0xA000 0xB000
• show flow monitor FLOW-MONITOR-1 cache filter transport source-port 1 1024
• Perform an exact match for any alphanumerical field. For example, this command matches flows in the
flow monitor cache having a MAC address of ABCD:0012:01FE:
• show flow monitor FLOW-MONITOR-1 cache filter datalink mac source address
ABCD:0012:01FE
• Perform a regular-expression match on any alphanumerical field. For example, this command matches
flows in the flow monitor cache having a MAC address that starts with ABCD:
• show flow monitor FLOW-MONITOR-1 cache filter datalink mac source address regexp
ABCD:*
• Perform a match on flag fields with an implicit <and>. For example, this command matches flows in
the flow monitor cache that contain the urg and syn TCP flags:
• show flow monitor FLOW-MONITOR-1 cache filter transport tcp flags urg syn
• Perform a match against flags that are not present. For example, this command matches flows in the
flow monitor cache that contain the syn and rst TCP flags and do not contain the urg and fin TCP flags:
• show flow monitor FLOW-MONITOR-1 cache filter transport tcp flags syn rst not urg fin
• Perform an exact match on an IP address field. For example, this command matches flows in the flow
monitor cache that contain the source IPv4 address “192.168.0.1”:
• show flow monitor FLOW-MONITOR-1 cache filter ipv4 source address 192.168.0.1
• Perform a prefix match on an IPv4 or IPv6 address field. For example, these two commands match flows
in the flow monitor cache that contain either “192.168.0.0 255.255.0.0” or “7:20ac::/64”:
• show flow monitor FLOW-MONITOR-1 cache filter ipv4 source address 192.168.0.0
255.255.0.0
• show flow monitor FLOW-MONITOR-1 cache filter ipv6 source address 7:20ac::/64
• Perform a match on a range of relative time stamps. For example, this command matches flows in the
flow monitor cache that were created within the last “500” seconds:
• show flow monitor FLOW-MONITOR-1 cache filter timestamp sys-uptime first 0 500 seconds
• Perform a match on range of the time stamp that is configured (uptime or absolute). For example, this
command matches flows in the flow monitor cache that were created between 0800 and 0815, within
the last 24 hours:
Cisco IOS Flexible NetFlow Command Reference
273
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache filter
• show flow monitor FLOW-MONITOR-1 cache filter timestamp sys-uptime last 08:00:00
08:15:00 t
• Perform an exact match on an interface. For example, this command matches flows in the flow monitor
cache which are received on Ethernet interface 0/0.
• show flow monitor FLOW-MONITOR-1 cache filter interface input Ethernet0/0
• Perform a regular-expression match on an interface. For example, this command matches flows in the
flow monitor cache that begin with Ethernet0/ and have either 1, 2, or 3 as the port number:
• show flow monitor FLOW-MONITOR-1 cache filter interface input regexp Ethernet0/1
Regular Expressions
The table below shows the syntax for regular expressions.
Table 12: Syntax for Regular Expressions
Examples
Option
Description
*
Match zero or more characters in this position.
?
Match any one character in this position.
|
Match any one character in this position.
(|)
Match one of a choice of characters in a range. For
example, aa:(0033|4455):3456 matches either
aa:0033:3456 or aa:4455:3456.
[]
Match any character in the range specified, or one of
the special characters. For example, [0-9] is all of the
digits. [*] is the “*” character, and [[] is the “[ ”
character.
The following example filters the flow monitor cache data on the source IPv4 address of 10.234.53.1:
Router# show flow monitor FLOW-MONITOR-1 cache filter ipv4 source address 10.234.53.1
Cache type:
Cache size:
Current entries:
High Watermark:
Flows added:
Flows aged:
- Active timeout
( 1800 secs)
- Inactive timeout (
15 secs)
- Event aged
- Watermark aged
- Emergency aged
IPV4 SOURCE ADDRESS:
10.234.53.1
IPV4 DESTINATION ADDRESS: 172.16.10.2
TRNS SOURCE PORT:
0
Cisco IOS Flexible NetFlow Command Reference
274
Normal
4096
26
26
87
61
0
61
0
0
0
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache filter
TRNS DESTINATION PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
ipv4 next hop address:
ipv4 source mask:
ipv4 destination mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
IPV4 SOURCE ADDRESS:
IPV4 DESTINATION ADDRESS:
TRNS SOURCE PORT:
TRNS DESTINATION PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
ipv4 next hop address:
ipv4 source mask:
ipv4 destination mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
IPV4 SOURCE ADDRESS:
IPV4 DESTINATION ADDRESS:
TRNS SOURCE PORT:
TRNS DESTINATION PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
ipv4 next hop address:
ipv4 source mask:
ipv4 destination mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
Matched 3 flows
2048
Et0/0.1
0
0x00
1
0
0
172.16.7.2
/0
/24
0x00
Et1/0.1
24724
883
16:03:56.007
16:27:07.063
10.234.53.1
172.16.10.2
20
20
Et0/0.1
0
0x00
6
0
0
172.16.7.2
/0
/24
0x00
Et1/0.1
35320
883
16:03:56.267
16:27:07.323
10.234.53.1
172.16.10.2
21
21
Et0/0.1
0
0x00
6
0
0
172.16.7.2
/0
/24
0x00
Et1/0.1
35320
883
16:03:56.327
16:27:07.363
The table below describes the significant fields shown in the display.
Cisco IOS Flexible NetFlow Command Reference
275
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache filter
Table 13: show flow monitor monitor-name cache filter Field Descriptions
Field
Description
Cache type
Flow monitor cache type.
The possible values are:
• Immediate—Flows are expired immediately.
• Normal—Flows are expired normally.
• Permanent—Flows are never expired.
Cache Size
Number of entries in the cache.
Current entries
Number of entries in the cache that are in use.
High Watermark
Highest number of cache entries seen.
Flows added
Flows added to the cache since the cache was created.
Flows aged
Flows expired from the cache since the cache was
created.
Active timeout
Current value for the active timeout in seconds.
Inactive timeout
Current value for the inactive timeout in seconds.
Event aged
Number of flows that have been aged by an event
such as using the force-export option for the clear
flow monitor command.
Watermark aged
Number of flows that have been aged because they
exceeded the maximum high watermark value.
Emergency aged
Number of flows that have been aged because the
cache size was exceeded.
IPV4 SOURCE ADDRESS
IPv4 source address.
IPV4 DESTINATION ADDRESS
IPv4 destination address.
TRNS SOURCE PORT
source port for the transport protocol.
TRNS DESTINATION PORT
Destination port for the transport protocol.
INTERFACE INPUT
Interface on which the input is received.
FLOW DIRECTION
Input or output.
FLOW SAMPLER ID
Flow sampler ID number.
Cisco IOS Flexible NetFlow Command Reference
276
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache filter
Related Commands
Field
Description
IP PROTOCOL
IP protocol number.
IP TOS
IP ToS number.
ip source as
BGP source autonomous system number.
ip destination as
BGP destination autonomous system number.
ipv4 next hop address
IPv4 address of the next hop to which the packet is
forwarded.
ipv4 source mask
IPv4 source address mask.
ipv4 destination mask
IPv4 destination address mask.
tcp flags
Value of the TCP flags.
interface output
Interface on which the input is transmitted.
counter bytes
Number of bytes that have been counted.
counter packets
Number of packets that have been counted.
timestamp first
Time stamp of the first packet in the flow.
timestamp last
Time stamp of the last packet in the flow.
Command
Description
show flow monitor cache aggregate
Displays aggregated flow records of flows in a flow
monitor cache.
show flow monitor cache sort
Sorts the display output of flow records from a flow
monitor cache.
Cisco IOS Flexible NetFlow Command Reference
277
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache sort
show flow monitor cache sort
To sort the display output of statistics from the flows in a flow monitor cache, use the show flow monitor
cache sort command in privileged EXEC mode.
show flow monitor [name] monitor-name cache sort options [top [ number ]] [format {csv| record| table}]
Syntax Description
Command Modes
Command History
name
(Optional) Specifies the name of a flow monitor.
monitor-name
Name of a flow monitor that was previously
configured.
options
Fields upon which aggregation can be performed. See
the “Usage Guidelines” section.
top
(Optional) Limits the display output to the 20 highest
volume flows (top talkers) unless overridden by the
specification of a value for the number argument.
number
(Optional) Overrides the default value of top talkers
to display.
format
(Optional) Specifies the use of one of the format
options for formatting the display output.
csv
Displays the flow monitor cache contents in
comma-separated variables (CSV) format.
record
Displays the flow monitor cache contents in record
format.
table
Displays the flow monitor cache contents in table
format.
Privileged EXEC (#)
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was
implemented on the Cisco 7200 and Cisco 7300 Network Processing
Engine (NPE) series routers.
Cisco IOS Flexible NetFlow Command Reference
278
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache sort
Usage Guidelines
Release
Modification
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Flexible NetFlowNetFlow—Top N Talkers Support
The show flow monitor cache sort command is one of a set of three commands that make up the Flexible
NetFlow—Top N Talkers Support feature. The Flexible NetFlow—Top N Talkers Support feature is used to
manipulate the display output from the Flexible NetFlow cache to facilitate the analysis of network traffic.
The other two commands that make up the Flexible NetFlow—Top N Talkers Support feature are show flow
monitor cache filter and show flow monitor cache aggregate. The three commands can be used together
or on their own, depending on your requirements. For more detailed information about these commands, see
the show flow monitor cache filter command and the show flow monitor cache aggregate command. For
information about how the three commands are used together, refer to the “Configuring Cisco IOS Flexible
NetFlow—Top N Talkers Support” module in the Configuring Cisco IOS Flexible NetFlow Configuration
Guide.
Flow Sorting
The flow sorting function of the Flexible NetFlow—Top N Talkers Support feature sorts flow data from the
Flexible NetFlow cache based on the criteria that you specify, and displays the data. You can also use the
flow sorting function of the Flexible NetFlow—Top N Talkers Support feature to limit the display output to
a specific number of entries (Top N Talkers) by using the top keyword.
Sort options Argument
The options that you can use for the options argument of the show flow monitor cache filter command are
dependent on the fields that are used for the record that you configured for the flow monitor using the record
command. To identify the options that you can use, use the show flow record record-name command in
privileged EXEC mode, where record-name is the name of the record that you configured for the flow monitor.
For example, if you assigned the “NetFlow Original” predefined record to a flow monitor, you use the show
flow record netflow-original command to display its key (match) and nonkey (collect) fields. The following
is partial output from the show command:
flow record netflow-original:
Description:
Traditional IPv4 input NetFlow with origin ASs
No. of users:
2
Total field space: 53 bytes
Fields:
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
.
.
.
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
The fields from this partial output that you can use for the option argument follow the match (key fields) and
collect (nonkey fields) words. For example, you can use the “ipv4 tos” field to sort the flows as shown in the
first example in the “Examples” section.
Cisco IOS Flexible NetFlow Command Reference
279
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache sort
Examples
The following example sorts the flow monitor cache data on the IPv4 ToS value and limits the display output
to the top two flows:
Router# show flow monitor FLOW-MONITOR-3 cache sort ipv4 tos top 2
Processed 17 flows
Aggregated to 17 flows
Showing the top 2 flows
IPV4 SOURCE ADDRESS:
IPV4 DESTINATION ADDRESS:
TRNS SOURCE PORT:
TRNS DESTINATION PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
ipv4 next hop address:
ipv4 source mask:
ipv4 destination mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
10.1.1.1
224.192.16.1
0
3073
Et0/0
0
0x55
1
0
0
0.0.0.0
/24
/0
0x00
Null
33680
1684
18:39:27.563
19:04:28.459
IPV4 SOURCE ADDRESS:
IPV4 DESTINATION ADDRESS:
TRNS SOURCE PORT:
TRNS DESTINATION PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
ipv4 next hop address:
ipv4 source mask:
ipv4 destination mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
10.1.1.1
224.192.16.1
0
0
Et0/0
0
0x55
1
0
0
0.0.0.0
/24
/0
0x00
Et3/0.1
145040
7252
18:42:34.043
19:04:28.459
The table below describes the significant fields shown in the display.
Table 14: show flow monitor monitor-name cache sort Field Descriptions
Field
Description
IPV4 SOURCE ADDRESS
IPv4 source address.
IPV4 DESTINATION ADDRESS
IPv4 destination address.
TRNS SOURCE PORT
source port for the transport protocol.
TRNS DESTINATION PORT
Destination port for the transport protocol.
INTERFACE INPUT
Interface on which the input is received.
Cisco IOS Flexible NetFlow Command Reference
280
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow monitor cache sort
Related Commands
Field
Description
FLOW DIRECTION
Input or output.
FLOW SAMPLER ID
Flow sampler ID number.
IP PROTOCOL
IP protocol number.
IP TOS
IP ToS number.
ip source as
BGP source autonomous system number.
ip destination as
BGP destination autonomous system number.
ipv4 next hop address
IPv4 address of the next hop to which the packet is
forwarded.
ipv4 source mask
IPv4 source address mask.
ipv4 destination mask
IPv4 destination address mask.
tcp flags
Value of the TCP flags.
interface output
Interface on which the input is transmitted.
counter bytes
Number of bytes that have been counted.
counter packets
Number of packets that have been counted.
timestamp first
Time stamp of the first packet in the flow.
timestamp last
Time stamp of the last packet in the flow.
Command
Description
show flow monitor cache aggregate
Displays aggregated flow records of flows in a flow
monitor cache.
show flow monitor cache filter
Filters the display output of flow records from a flow
monitor cache.
Cisco IOS Flexible NetFlow Command Reference
281
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow record
show flow record
To display the status and statistics for a Flexible NetFlow flow record, use the show flow record command
in privileged EXEC mode.
show flow record [[name] record-name| netflow-original| netflow {ipv4| ipv6} record [peer]]
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
show flow record [[name] record-name| platform-original {ipv4| ipv6} record]
Cisco IOS XE Release 3.2SE
show flow record [[name] record-name]
Syntax Description
name
(Optional) Specifies the name of a flow record.
record-name
(Optional) Name of a user-defined flow record that
was previously configured.
netflow-original
(Optional) Specifies the Flexible NetFlow
implementation of original NetFlow with origin
autonomous systems.
netflow ipv4
(Optional) Configures the flow monitor to use one of
the IPv4 predefined records.
netflow ipv6
(Optional) Configures the flow monitor to use one of
the IPv6 predefined records.
record
(Optional) Name of the predefined record. See the
first table below for a listing of the available records
and their definitions.
peer
(Optional) Configures the flow monitor to use one of
the predefined records with peer autonomous systems.
The peer keyword is not supported for every type of
Flexible NetFlow predefined record. See the first table
below.
platform-original ipv4
Configures the flow monitor to use one of the
predefined IPv4 records.
platform-original ipv6
Configures the flow monitor to use one of the
predefined IPv6 records.
Cisco IOS Flexible NetFlow Command Reference
282
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow record
Command Modes
Command History
Privileged EXEC (#)
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.4(20)T
This command was modified. The ipv6 keyword was added.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The netflow-original, netflow ipv4, and
netflow ipv6 keywords were removed. The platform-originalipv4 and
platform-originalipv6 keywords were added.
Cisco IOS XE Release 3.2SE This command was modified. The netflow-original, netflow ipv4, and
netflow ipv6 keywords were removed.
Usage Guidelines
The table below describes the keywords and descriptions for the record argument.
Table 15: Keywords and Descriptions for the record Argument
Keyword
Description
IPv4 Support
IPv6 Support
as
Autonomous system
record.
Yes
Yes
as-tos
Autonomous system and Yes
Type of Service (ToS)
record.
—
bgp-nexthop-tos
BGP next-hop and ToS
record.
Yes
—
bgp-nexthop
BGP next-hop record.
—
Yes
Cisco IOS Flexible NetFlow Command Reference
283
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow record
Keyword
Description
IPv4 Support
IPv6 Support
destination
Original platform
IPv4/IPv6 destination
record.
Yes
Yes
destination-prefix
Destination prefix record. Yes
Yes
Note
Yes
—
destination-prefix-tos
Destination prefix and
ToS record.
destination-source
Original platform
Yes
IPv4/IPv6
destination-source record.
Yes
full
Original platform
IPv4/IPv6 full record.
Yes
Yes
interface-destination
Original platform
IPv4/IPv6
interface-destination
record.
Yes
Yes
interface-destinationsource
Original platform
Yes
IPv4/IPv6
interface-destination-source
record.
Yes
interface-full
Original platform
IPv4/IPv6 interface-full
record.
Yes
Yes
interface-source
Original platform
IPv4/IPv6
interface-source only
record.
Yes
Yes
original-input
Traditional IPv4 input
NetFlow.
Yes
Yes
original-output
Traditional IPv4 output
NetFlow.
Yes
Yes
Cisco IOS Flexible NetFlow Command Reference
284
For IPv6, a
minimum prefix
mask length of 0
bits is assumed.
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow record
Keyword
Description
IPv4 Support
IPv6 Support
prefix
Source and destination
prefixes record.
Yes
Yes
Yes
—
Note
prefix-port
Prefix port record.
Note
The peer
keyword is not
available for this
record.
prefix-tos
Prefix ToS record.
Yes
protocol-port
Protocol ports record.
Yes
Yes
Yes
—
Note
protocol-port-tos
The peer
keyword is not
available for this
record.
Protocol port and ToS
record.
Note
The peer
keyword is not
available for this
record.
source
Original platform
IPv4/IPv6 source only
record.
Yes
Yes
source-prefix
Source autonomous
Yes
system and prefix record.
Yes
Note
source-prefix-tos
Examples
For IPv6, a
minimum prefix
mask length of 0
bits is assumed.
For IPv6, a
minimum prefix
mask length of 0
bits is assumed.
Source prefix and ToS
record.
Yes
—
The following example displays the status and statistics for the original Flexible NetFlow record:
Router# show flow record FLOW-RECORD-1 platform-original ipv4 destination
flow record FLOW_RECORD-1:
Description: Flow Record for IPv4 traffic
Cisco IOS Flexible NetFlow Command Reference
285
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show flow record
No. of users:
3
Total field space: 53 bytes
Fields:
match interface input
match transport destination-port
match transport source-port
match ipv4 destination address
match ipv4 source address
match ipv4 protocol
match ipv4 tos
collect counter bytes
collect counter packets
collect timestamp sys-uptime last
collect timestamp sys-uptime first
collect ipv4 destination mask
collect ipv4 source mask
collect routing destination as
collect routing source as
collect transport tcp flags
collect routing next-hop address ipv4
collect interface output
The table below describes the significant fields shown in the display.
Table 16: show flow record netflow-original Field Descriptions
Related Commands
Field
Description
Description
Description that you configured for the record, or the
default description “User defined.”
No. of users
Number of monitors in the configuration that use the
flow record.
Total field space
Number of bytes required to store these fields for one
flow.
Fields
The fields that are included in this record. For more
information about the fields, refer to the match and
collect commands.
Command
Description
record
Configures a flow record for a flow monitor.
Cisco IOS Flexible NetFlow Command Reference
286
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show platform flow
show platform flow
To display information for Flexible NetFlow platform parameters. use the showplatformflowcommand in
privileged EXEC mode.
show platform flow [aging| {export| usage| table-contention {aggregate| detailed| summary}} [instance|
module]| {ip| ipv6} [count| destination| instance| module| multicast| protocol| source]| {layer2| mpls} [count|
instance| module]]
Syntax Description
aging
(Optional) Displays the Flexible NetFlow parameter
aging information.
export
(Optional) Displays the Flexible NetFlow parameter
export information.
usage
(Optional) Displays the Flexible NetFlow table usage
information.
table-contention
(Optional) Displays the Flexible NetFlow table
contention information.
aggregate
(Optional) Displays the Flexible NetFlow table
contention aggregate information.
detailed
(Optional) Displays the Flexible NetFlow table
contention detailed information.
summary
(Optional) Displays theFlexible NetFlow table
contention summary information.
ip
(Optional) Displays the Flexible NetFlow IP entry
information.
ipv6
(Optional) Displays the Flexible NetFlow IPv6 entry
information.
count
Total number of entries.
destination
(Optional) Information on entries with destination
address.
instance
(Optional) Platform instance information.
module
(Optional) Platform module information.
multicast
(Optional) Flexible NetFlow multicast entry
information.
Cisco IOS Flexible NetFlow Command Reference
287
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show platform flow
Command Modes
Command History
Examples
protocol
(Optional) Flexible NetFlow Layer 4 protocol
information.
source
(Optional) Information on entries with source address.
layer2
(Optional) Displays the Flexible NetFlow Layer 2
entry information.
mpls
(Optional) Displays the Flexible NetFlow MPLS entry
information.
Privileged EXEC (#)
Release
Modification
12.2(50)SY
This command was introduced.
The following example displays Flexible NetFlow parameter export information:
Router# show platform flow export
Yielding NDE is enabled.
Supervisor CPU threshold = 25
Linecard CPU threshold
= 25
Module 3:
---------No of flows read and exported
No of flows discarded
No of capture+purge requests
No of purge-only requests
Module 5:
---------No of flows read and exported
No of flows discarded
No of capture+purge requests
No of purge-only requests
lionel#
=
=
=
=
0
0
1695104
19
=
=
=
=
0
0
1695158
0
The table below describes the significant fields shown in the display.
Cisco IOS Flexible NetFlow Command Reference
288
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show platform flow
Table 17: show platform flow export Field Descriptions
Related Commands
Field
Description
Supervisor CPU threshold
The platform (supervisor) CPU utilization threshold
(in percent) up to which NetFlow export is permitted.
The number and complexity of flow records to be
exported is the prime cause of CPU use in NetFlow.
The CPU Friendly NetFlow Export feature (also
known as Yielding NetFlow Data Export, or Yielding
NDE) monitors CPU use for both the supervisor and
line cards according to user-configured thresholds
and dynamically adjusts the rate of export as needed.
Linecard CPU threshold
The line-card CPU utilization threshold (in percent)
up to which NetFlow export is permitted. The number
and complexity of flow records to be exported is the
prime cause of CPU use in NetFlow. The CPU
Friendly NetFlow Export feature (also known as
Yielding NetFlow Data Export, or Yielding NDE)
monitors CPU use for both the supervisor and line
cards according to user-configured thresholds and
dynamically adjusts the rate of export as needed.
No of flows read and exported
Number of Flexible NetFlow flows processed and
exported.
No of flows discarded
Number of Flexible NetFlow flows discarded.
No of capture+purge requests
Number of Flexible NetFlow flow capture and purge
requests.
No of purge-only requests
Number of Flexible NetFlow flow purge requests.
Command
Description
flow hardware
Configures Flexible NetFlow hardware parameters.
flow platform
Configures Flexible NetFlow platform parameters.
Cisco IOS Flexible NetFlow Command Reference
289
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show sampler
show sampler
To display the status and statistics for a Flexible NetFlow sampler, use the show sampler command in
privileged EXEC mode.
show sampler [[name] sampler-name]
Syntax Description
Command Modes
Command History
Examples
name
(Optional) Specifies the name of a flow sampler.
sampler-name
(Optional) Name of a sampler that was previously
configured.
Privileged EXEC (#)
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
The following example displays the status and statistics for all of the flow samplers configured:
Router# show sampler
Sampler SAMPLER-1:
ID:
1
Description:
User defined
Type:
random
Rate:
1 out of 3
Samples:
189
Requests:
23243
Users (2):
flow monitor FLOW-MONITOR-1 (ip,Et0/0,Input) 65 out of 10786
Cisco IOS Flexible NetFlow Command Reference
290
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show sampler
flow monitor FLOW-MONITOR-2 (ipv6,Et0/0, Input) 124 out of 12457
Sampler sampler-2:
ID:
2
Description:
User defined
Type:
deterministic
Rate:
1 out of 100
Samples:
1
Requests:
124
Users (1):
flow monitor FLOW-MONITOR-1 (ip,Et0/0,Input) 1 out of 124
The table below describes the significant fields shown in the display.
Table 18: show sampler Field Descriptions
Field
Description
ID
ID number of the flow sampler. This is used to
identify the sampler at the collector.
Description
Description that you configured for the flow sampler,
or the default description “User defined.”
Type
Sampling mode that you configured for the flow
sampler.
• deterministic—Deterministic mode of sampling.
• random—Random mode of sampling.
Related Commands
Rate
Window size (for packet selection) that you
configured for the flow sampler. Range: 2 to 32768.
Samples
Number of packets sampled since the flow sampler
was configured or the router was restarted. This is
equivalent to the number of times a positive response
was received when the sampler was queried to
determine if the traffic needed to be sampled. Refer
to the explanation of the “Requests” field in this table.
Requests
Number of times the flow sampler was queried to
determine if the traffic needed to be sampled.
Users
Interfaces on which the flow sampler is configured.
Command
Description
clear sampler
Clears the flow sampler statistics.
debug sampler
Enables debugging output for flow samplers.
sampler
Creates a flow sampler.
Cisco IOS Flexible NetFlow Command Reference
291
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
show sampler
Cisco IOS Flexible NetFlow Command Reference
292
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
source (Flexible NetFlow)
source (Flexible NetFlow)
To configure the source IP address interface for all of the packets sent by a Flexible NetFlow flow exporter,
use the source command in Flexible NetFlow flow exporter configuration mode. To remove the source IP
address interface for all of the packets sent by a Flexible NetFlow flow exporter, use the no form of this
command.
source interface-type interface-number
no source
Syntax Description
interface-type
Type of interface whose IP address you want to use
for the source IP address of the packets sent by a
Flexible NetFlow flow exporter.
interface-number
Interface number whose IP address you want to use
for the source IP address of the packets sent by a
Flexible NetFlow flow exporter.
Command Default
The IP address of the interface over which the Flexible NetFlow datagram is transmitted is used as the source
IP address.
Command Modes
Flexible NetFlow flow exporter configuration (config-flow-exporter)
Command History
Usage Guidelines
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
The benefits of using a consistent IP source address for the datagrams that NetFlow sends include the following:
Cisco IOS Flexible NetFlow Command Reference
293
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
source (Flexible NetFlow)
• The source IP address of the datagrams exported by Flexible NetFlow is used by the destination system
to determine from which router the Flexible NetFlow data is arriving. If your network has two or more
paths that can be used to send Flexible NetFlow datagrams from the router to the destination system and
you do not specify the source interface from which the source IP address is to be obtained, the router
uses the IP address of the interface over which the datagram is transmitted as the source IP address of
the datagram. In this situation the destination system might receive Flexible NetFlow datagrams from
the same router, but with different source IP addresses. When the destination system receives Flexible
NetFlow datagrams from the same router with different source IP addresses, the destination system treats
the Flexible NetFlow datagrams as if they were being sent from different routers. To avoid having the
destination system treat the Flexible NetFlow datagrams as if they were being sent from different routers,
you must configure the destination system to aggregate the Flexible NetFlow datagrams it receives from
all of the possible source IP addresses in the router into a single Flexible NetFlow flow.
• If your router has multiple interfaces that can be used to transmit datagrams to the destination system,
and you do not configure the source command, you will have to add an entry for the IP address of each
interface into any access lists that you create for permitting Flexible NetFlow traffic. Creating and
maintaining access lists for permitting Flexible NetFlow traffic from known sources and blocking it
from unknown sources is easier when you limit the source IP address for Flexible NetFlow datagrams
to a single IP address for each router that is exporting Flexible NetFlow traffic.
Caution
The interface that you configure as the source interface must have an IP address configured, and it must
be up.
Tip
When a transient outage occurs on the interface that you configured with the source command, the Flexible
NetFlow exporter reverts to the default behavior of using the IP address of the interface over which the
datagrams are being transmitted as the source IP address for the datagrams. To avoid this problem, use a
loopback interface as the source interface because loopback interfaces are not subject to the transient
outages that can occur on physical interfaces.
Examples
The following example shows how to configure Flexible NetFlow to use a loopback interface as the source
interface for NetFlow traffic:
Router(config)# flow exporter FLOW-EXPORTER-1
Router(config-flow-exporter)# source loopback 0
Related Commands
Command
Description
flow exporter
Creates a flow exporter.
Cisco IOS Flexible NetFlow Command Reference
294
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
statistics packet
statistics packet
To collect protocol distribution statistics and size distribution statistics for a Flexible NetFlow flow monitor,
use the statisticspacket command in Flexible NetFlow flow monitor configuration mode. To disable collecting
protocol distribution statistics and size distribution statistics for a Flexible NetFlow flow monitor, use the no
form of this command.
statistics packet {protocol| size}
no statistics packet {protocol| size}
Syntax Description
protocol
Collects packet protocol distribution statistics.
size
Collects packet size distribution statistic.
Command Default
The collection of protocol distribution statistics and size distribution statistics for a Flexible NetFlow flow
monitor is not enabled by default.
Command Modes
Flexible NetFlow flow monitor configuration (config-flow-monitor)
Command History
Examples
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco
IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for
the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
The following example enables the collection of protocol distribution statistics for flow monitors:
Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)# statistics packet protocol
Cisco IOS Flexible NetFlow Command Reference
295
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
statistics packet
The following example enables the collection of size distribution statistics for flow monitors:
Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)# statistics packet size
Related Commands
Command
Description
flow monitor
Creates a flow monitor.
Cisco IOS Flexible NetFlow Command Reference
296
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
template data timeout
template data timeout
To configure the template resend timeout for a flow exporter, use the template data timeout command in
Flexible NetFlow flow exporter configuration mode. To remove the template resend timeout for a flow exporter,
use the no form of this command.
template data timeout seconds
no template data timeout
Syntax Description
seconds
Configures resending of templates based on the
timeout value in seconds, that you enter. Range: 1 to
86400. Default: 600.
Command Default
The default template resend timeout for a flow exporter is 600 seconds.
Command Modes
Flexible NetFlow flow exporter configuration (config-flow-exporter)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
15.1(3)T
This command was modified. Support for the Cisco Performance Monitor
was added.
12.2(58)SE
This command was modified. Support for the Cisco Performance Monitor
was added.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Cisco IOS Flexible NetFlow Command Reference
297
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
template data timeout
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor.
Examples
The following example configures resending templates based on a timeout of 1000 seconds:
Router(config)# flow exporter FLOW-EXPORTER-1
Router(config-flow-exporter)# template data timeout 1000
Related Commands
Command
Description
flow exporter
Creates a flow exporter.
Cisco IOS Flexible NetFlow Command Reference
298
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
transport (Flexible NetFlow)
transport (Flexible NetFlow)
To configure the transport protocol for a flow exporter for Flexible NetFlow or Performance Monitor, use the
transport command in Flexible NetFlow flow exporter configuration mode. To remove the transport protocol
for a flow exporter, use the no form of this command.
transport udp udp-port
no transport
Syntax Description
udp udp-port
Specifies User Datagram Protocol (UDP) as the
transport protocol and the UDP port number.
Command Default
Flow exporters use UDP on port 9995.
Command Modes
Flexible NetFlow flow exporter configuration (config-flow-exporter)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
15.1(3)T
This command was modified. Support for the Cisco Performance Monitor
was added.
12.2(58)SE
This command was modified. Support for the Cisco Performance Monitor
was added.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Cisco IOS Flexible NetFlow Command Reference
299
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
transport (Flexible NetFlow)
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor.
Examples
The following example configures UDP as the transport protocol and a UDP port number of 250:
Router(config)# flow exporter FLOW-EXPORTER-1
Router(config-flow-exporter)# transport udp 250
Related Commands
Command
Description
flow exporter
Creates a flow exporter.
Cisco IOS Flexible NetFlow Command Reference
300
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
ttl (Flexible NetFlow)
ttl (Flexible NetFlow)
To configure the time-to-live (TTL) value for a flow exporter for Flexible NetFlow or Performance Monitor,
use the ttl command in Flexible NetFlow flow exporter configuration mode. To remove the TTL value for a
flow exporter, use the no form of this command.
ttl ttl
no ttl
Syntax Description
ttl
Time-to-live (TTL) value for exported datagrams.
Range: 1 to 255. Default: 255.
Command Default
Flow exporters use a TTL of 255.
Command Modes
Flexible NetFlow flow exporter configuration (config-flow-exporter)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented
on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented
on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented
on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
15.1(3)T
This command was modified. Support for the Cisco Performance Monitor
was added.
12.2(58)SE
This command was modified. Support for the Cisco Performance Monitor
was added.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Cisco IOS Flexible NetFlow Command Reference
301
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
ttl (Flexible NetFlow)
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor.
Examples
The following example specifies a TTL of 15:
Router(config)# flow exporter FLOW-EXPORTER-1
Router(config-flow-exporter)# ttl 15
Related Commands
Command
Description
flow exporter
Creates a flow exporter.
Cisco IOS Flexible NetFlow Command Reference
302
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement