Cisco IOS NetFlow Command Reference

Cisco IOS NetFlow Command Reference

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706

USA http://www.cisco.com

Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

C O N T E N T S

backup (NetFlow SCTP) through ip route-cache flow

6

backup (NetFlow SCTP)

7

cache

10

cache-timeout

13

clear fm netflow counters

16

clear ip flow stats

17

clear mls nde flow counters

19

clear mls netflow

20

debug mpls netflow

24

enabled (aggregation cache)

27

export destination

29

export destination sctp (NetFlow aggregation cache)

32

export template

35

export version

38

flow hardware mpls-vpn ip

41

flow-sampler

43

flow-sampler-map

46

ip flow

49

ip flow layer2-switched

52

ip flow-aggregation cache

54

ip flow-cache entries

58

ip flow-cache mpls label-positions

61

ip flow-cache timeout

65

ip flow-capture

67

ip flow-egress input-interface

74

ip flow-export destination

76

ip flow-export destination sctp

80

ip flow-export hardware version

82

ip flow-export interface-names

84

Cisco IOS NetFlow Command Reference ii

Contents

ip flow-export source

86

ip flow-export template

89

ip flow-export version

92

ip flow-export version (Supervisor Engine 2)

96

ip flow-export version (Supervisor Engine 720)

98

ip flow-top-talkers

100

ip multicast netflow

103

ip multicast netflow output-counters

106

ip multicast netflow rpf-failure

108

ip route-cache flow

110

mask (IPv4) through top

112

mask (IPv4)

113

mask

118

match (NetFlow)

120

mls aging fast

127

mls aging long

129

mls aging normal

131

mls exclude acl-deny

133

mls flow

134

mls ip nat netflow-frag-l4-zero

137

mls nde flow

139

mls nde interface

141

mls nde sender

143

mls netflow

145

mls netflow interface

147

mls netflow maximum-flows

148

mls netflow sampling

150

mls netflow usage notify

152

mls sampling

154

mode (flow sampler configuration)

157

mpls netflow egress

160

netflow-sampler

162

platform netflow rp sampling scale

166

reliability (NetFlow SCTP)

168

show flow-sampler

171

Cisco IOS NetFlow Command Reference iii

Contents

show fm nat netflow data

173

show fm netflow

175

show ip cache flow

177

show ip cache flow aggregation

185

show ip cache verbose flow

193

show ip cache verbose flow aggregation

205

show ip flow export

214

show ip flow top

225

show ip flow top-talkers

226

show mls ip non-static

246

show mls ip routes

248

show mls ip static

250

show mls nde

252

show mls netflow

254

show mls netflow ip

259

show mls netflow ipv6

265

show mls netflow ip dynamic

269

show mls netflow ip routes

271

show mls netflow ip sw-installed

273

show mls netflow ipx

275

show mls sampling

277

sort-by

279

top

282

iv


Contents

Cisco IOS NetFlow Command Reference v



6


backup (NetFlow SCTP) through ip route-cache flow backup (NetFlow SCTP)

backup (NetFlow SCTP)

To configure a backup destination for the reliable export of NetFlow accounting information in NetFlow cache entries, use the backupcommand in NetFlow ip flow export stream control transmission protocol

(SCTP) configuration mode. To remove a destination for the reliable export of NetFlow accounting information, use the noform of this command.

backup {destination {ip-address | hostname} sctp-port | fail-over time | mode {fail-over |

redundant} | restore-time time}

no backup {destination {ip-address | hostname} sctp-port | fail-over | mode {fail-over |

redundant} | restore-time}

Syntax Description

ip-address | hostname

port

fail-over time

mode {fail-over | redundant}

restore-time time

IP address or hostname of the workstation to which you want to send the NetFlow information.

Specifies the number of the stream control transmission protocol (SCTP) port on which the workstation is listening for the exported NetFlow datagrams.

(Optional) Specifies the length of time that the primary export destination must be unavailable before SCTP starts using the backup export destination. The default fail-over time for sctp to start using a backup export destination is 25 milliseconds (msec). Range: 0 to 3600 msec.

(Optional) Specifies the mode that SCTP will use to establish a connection to the backup export destination:

• fail-over --Opens an association with the backup export destination when the primary export destination becomes unavailable

• redundant --Maintains a permanent association with the backup export destination.

(Optional) Specifies the length of time that the primary export destination must be available after an outage before SCTP reverts back to it. This is applicable only when SCTP is using the backup export destination. Range: 0 to 3600 seconds.

Command Default

Backup destinations for the reliable export of NetFlow information are not configured.


7

backup (NetFlow SCTP) through ip route-cache flow backup (NetFlow SCTP)

Command Modes

NetFlow ip flow export SCTP (config-flow-export-sctp)

Usage Guidelines

When you configure a backup export destination for SCTP messages are sent to the destination if the primary export destination becomes unavailable. When connectivity with the primary export destination has been lost and a backup export destination is configured, SCTP begins using the backup export destination. The default period of time that SCTP waits until it starts using the backup export destination is

25 sec. You can configure a different with the fail-overtime command.

Note

SCTP retransmits messages that have not been acknowledged three times. The router will initiate fail-over after three retransmissions of the same message are not acknowledged by the primary collector.

The router sends periodic SCTP heart beat messages to the SCTP export destinations that you have configured. The router uses the SCTP heart-beat message acknowledgments from the export destinations to monitor the status of each export destination. This allows an application, such as NetFlow, to be quickly informed when connectivity to an export destination is lost.

You can configure SCTP backup in fail-over or redundant mode. When the router is configured with SCTP backup in fail-over mode the router waits to activate the association with the backup export destination until the router has not received acknowledgments for the SCTP heart beat messages from the primary export destination for the time specified by the fail-overtime command. When the router is configured with

SCTP backup in redundant mode, the router activates the association with the backup export destination immediately instead of waiting for the primary export destination to fail. The router will not start sending

SCTP messages to a backup export destination in redundant mode until the router has not received acknowledgements for the SCTP heart beat messages from the primary export destination for the time specified by the fail-overtime command. Fail-over mode is the preferred method when the backup export destination is on the end of an expensive lower-bandwidth link such as ISDN.

During the time that SCTP is using the backup export destination, SCTP continues to try to restore the association with the primary export destination. SCTP makes this attempt until connectivity is restored or the primary SCTP export destination is removed from the configuration.

When connectivity to the primary export destination is available again, the router waits for a period of time before reverting to using it as the primary destination. You use the restore-timetime command to configure the value of the period of time that SCTP waits until reverting. The default period of time that SCTP waits is 25 msecs.

Under either fail-over mode, any records which have been queued between loss of connectivity with the primary destination and, the establishing of the association with the backup export destination might be lost. A count of how many records were lost can be viewed through the use of the show ip flow export

sctp verbose command.

To avoid a flapping SCTP association with an export destination (the SCTP association going up and down in quick succession), the time period configured with the restore-timetime command should be greater than the period of a typical connectivity problem. For example, your router is configured to use IP fast convergence for its routing table and you have a LAN interface that is going up and down repeatedly

(flapping). This causes the IP route to the primary export destination to be added to and removed from the routing table (route flapping) every 2000 msec (2 sec) you need to configure the restore time for a value greater than 2000 msec.

The backup connection uses stream 0 for sending templates, options templates, and option records. The data stream(s) inherit the reliability settings of the primary export destination.

8



Command History

Release

12.4(4)T

backup (NetFlow SCTP)

Modification

This command was introduced.

Examples

The following example shows how to configure the networking device to use SCTP as the transport protocol for transmissions to multiple export destinations in redundant mode. The router activates the association with the backup export destination immediately instead of waiting until the primary export destination fails. The router starts sending SCTP messages to the backup export destination over the preexisting association after it fails to receive acknowledgments for its SCTP heart-beat messages from the primary export destination for 1500 msec. The router waits 3000 msec after the primary export destination is reachable again before resuming the association with the primary export destination.

Router(config)# ip flow-export destination 172.16.10.2 78 sctp

Router(config-flow-export-sctp)# backup destination 172.16.10.3 78

Router(config-flow-export-sctp)# backup mode redundant

Router(config-flow-export-sctp)# backup fail-over 1500

Router(config-flow-export-sctp)# backup restore-time 3000

The following example shows how to configure the networking device to use SCTP as the transport protocol to multiple export destinations in fail-over mode. The router activates the association with the backup export destination and starts sending SCTP messages to the backup export destination after it fails to receive acknowledgments for its SCTP heart beat messages from the primary export destination for 1500 msec. The router waits 3000 sec after the primary export destination is reachable again before resuming the association with the primary export destination. The SCTP association with the backup export destination is closed after the router resumes sending SCTP messages to the primary export destination.


Router(config-flow-export-sctp)# backup destination 172.16.10.3 78

Router(config-flow-export-sctp)# backup mode fail-over

Router(config-flow-export-sctp)# backup fail-over 1500

Router(config-flow-export-sctp)# backup restore-time 3000

Related Commands

Command

ip flow-export destination sctp

reliability

show ip flow export

Description

Enables the reliable export of NetFlow accounting information in NetFlow cache entries.

Specifies the level of reliability for the reliable export of NetFlow accounting information in

NetFlow cache entries.

Displays the status and the statistics for NetFlow accounting data export.


9

backup (NetFlow SCTP) through ip route-cache flow cache

cache

To configure operational parameters for NetFlow accounting aggregation caches, use the cache command in NetFlow aggregation cache configuration mode. To disable the NetFlow aggregation cache operational parameters for NetFlow accounting, use the no form of this command.

cache {entries number | timeout {active minutes | inactive seconds}}

no cache {entries | timeout {active | inactive}}


entries number

timeout

active minutes

inactive seconds

(Optional) The number of cached entries allowed in the aggregation cache. The range is from 1024 to

524288. The default is 4096.

Note

For the Cisco ASR 1000 Series Aggregation

Services Router, the range is 1024 to

2000000 (2 million). The default is 4096.

(Optional) Configures aggregation cache time-outs.

(Optional) The number of minutes that an active entry will stay in the aggregation cache before it is exported and removed. The range is from 1 to 60 minutes. The default is 30 minutes.

(Optional) The number of seconds that an inactive entry will stay in the aggregation cache before it times out. The range is from 10 to 600 seconds. The default is 15 seconds.

Command Default

The operational parameters for NetFlow accounting aggregation caches are not configured.

Command Modes

NetFlow aggregation cache configuration (config-flow-cache)

Command History

Release

12.0(3)T

12.2(14)S

12.3(7)T

Modification


This command was integrated into Cisco IOS

Release 12.2(14)S.

This command function was modified to support cache entries for IPv6.

10



Release

12.2(28)SB

12.2(18)SXF

12.2(33)SRA

cache

Modification


Release 12.2(28)SB.


Release 12.2(18)SXF.


Release 12.2(33)SRA.


You must have NetFlow accounting configured on your router before you can use this command. .

Examples

The following example shows how to set the NetFlow aggregation cache entry limits and timeout values for the NetFlow protocol-port aggregation cache:

Router(config)#

ip flow-aggregation cache protocol-port

Router(config-flow-cache)#

cache entries 2046


cache timeout inactive 199


cache timeout active 45


enabled


Command

enabled (aggregation cache)

export destination (aggregation cache)

ip flow-aggregation cache

mask (IPv4)

show ip cache flow

show ip cache flow aggregation

show ip cache verbose flow

Description

Enables a NetFlow accounting aggregation cache.

Enables the exporting of NetFlow accounting information from NetFlow aggregation caches.

Enables NetFlow accounting aggregation cache schemes.

Specifies the source or destination prefix mask for a

NetFlow accounting prefix aggregation cache.

Displays a summary of the NetFlow accounting statistics.

Displays the NetFlow accounting aggregation cache statistics.

Displays a detailed summary of the NetFlow accounting statistics.


11

cache

show ip flow interface


Displays NetFlow accounting configuration for interfaces.

12


backup (NetFlow SCTP) through ip route-cache flow cache-timeout

cache-timeout

To specify the length of time for which the list of NetFlow top talkers (unaggregated top flows) is retained, use the cache-timeout command in NetFlow top talkers configuration mode. To return the timeout parameters for the list of top talkers to the default of 5 seconds, use the no form of this command.

cache-timeout milliseconds

no cache-timeout


milliseconds

Length in milliseconds for which the list of top talkers is retained. The range is from 1 to 3,600,000

(1 millisecond to one hour). The default is 5000 (5 seconds).

Command Default

The default time for which the list of top talkers is retained is 5 seconds.

Command Modes

NetFlow top talkers configuration

Command History

Release

12.2(25)S

12.3(11)T

12.2(27)SBC

12.2(33)SRA

12.2SX

Modification


This feature was integrated into Cisco IOS Release

12.3(11)T.


Release 12.2(27)SBC.



This command is supported in the Cisco IOS

Release 12.2SX train. Support in a specific 12.2SX

release of this train depends on your feature set, platform, and platform hardware.


Configuring NetFlow top talkers

You must enable NetFlow on at least one interface in the router; and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top


13

backup (NetFlow SCTP) through ip route-cache flow cache-timeout

Examples

flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands.

Optionally, the match command can be configured to specify additional matching criteria.

Cache Timeout

The cache timeout starts after the list of top talkers is requested by entering the show ip flow top-

talkerscommand or through the netflow MIB.

A long timeout period limits the system resources that are used by NetFlow top talkers. However, the list of top talkers is calculated only once during the timeout period. If a request to display the top talkers is made more than once during the timeout period, the same results are displayed for each request, and the list of top talkers is not recalculated until the timeout period expires.

A short timeout period ensures that the latest list of top talkers is retrieved; however too short a period can have undesired effects:

• The list of top talkers is lost when the timeout period expires. You should configure a timeout period for at least as long as it takes the network management system (NMS) to retrieve all the required

NetFlow top talkers.

• The list of top talkers is updated every time the top talkers information is requested, possibly causing unnecessary usage of system resources.

A good method to ensure that the latest information is displayed, while also conserving system resources, is to configure a large value for the timeout period, but recalculate the list of top talkers by changing the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-

talkerscommand to display the top talkers. Changing the parameters of the cache-timeout, top, or sort-by command causes the list of top talkers to be recalculated upon receipt of the next command line interface

(CLI) or MIB request.

In the following example, the list of top talkers is configured to be retained for 2 seconds (2000 milliseconds). There is a maximum of 4 top talkers, and the sort criterion is configured to sort the list of top talkers by the total number of bytes in each top talker.

Router(config)# ip flow-top-talkers

Router(config-flow-top-talkers)# cache-timeout 2000

Router(config-flow-top-talkers)# top 4

Router(config-flow-top-talkers)# sort-by bytes

The following example shows the output of the show ip flow top talkers command using the configuration from the previous example:

Router# show ip flow top-talkers

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes

Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K

Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K

Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K

Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K

4 of 4 top talkers shown. 11 flows processed

14




Command

ip flow-top-talkers

match (NetFlow)

show ip flow top-talkers

sort-by top




cache-timeout

Description

Enters the configuration mode for the NetFlow

MIB and top talkers (heaviest traffic patterns and most-used applications in the network) feature.

Specifies match criteria for the NetFlow MIB and top talkers (heaviest traffic patterns and most-used applications in the network) feature.

Displays the statistics for the top talkers (heaviest traffic patterns and most-used applications in the network).

Specifies the sorting criterion for top talkers

(heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow

MIB and top talkers feature.

Specifies the maximum number of top talkers







15

backup (NetFlow SCTP) through ip route-cache flow clear fm netflow counters

clear fm netflow counters

To clear the NetFlow counters, use the clear fm netflow counters command in privileged EXEC mode.

clear fm netflow counters


This command has no arguments or keywords.

Command Default

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release

12.2(18)SXD

12.2(33)SRA

Modification

Support for this command was introduced on the

Supervisor Engine 720.




This command is not supported on systems that are configured with a Supervisor Engine 2.

Examples

This example shows how to clear the NetFlow counters:

Router# clear fm netflow counters

Router#

16


backup (NetFlow SCTP) through ip route-cache flow clear ip flow stats

clear ip flow stats

To clear the NetFlow accounting statistics, use the clear ip flow stats command in privileged EXEC mode.

clear ip flow stats [nbar]

Syntax Description nbar

(Optional) Clears Network Based Application

Recognition (NBAR) NetFlow statistics.

Command Modes

Privileged EXEC (#)

Command History

Release

11.1CA

12.2(14)S

12.2(14)SX

12.2(17d)SXB

12.2(27)SBC

12.2(18)SXF

12.2(33)SRA

12.2(18)ZYA2

Modification



Release 12.2(14)S.



Support for this command on the Supervisor Engine

2 was extended to the 12.2(17d)SXB release.







This command was modified. The nbarkeyword was added.


You must have NetFlow accounting configured on your router before you can use this command.

The show ip cache flowcommand displays the NetFlow accounting statistics. Use the clear ip flow

statscommand to clear the NetFlow accounting statistics.


17

backup (NetFlow SCTP) through ip route-cache flow clear ip flow stats

Examples

The following example shows how to clear the NetFlow accounting statistics on the router:

Router# clear ip flow stats


Command




show ip interface

Description




Displays the usability status of interfaces configured for IP.

18


backup (NetFlow SCTP) through ip route-cache flow clear mls nde flow counters

clear mls nde flow counters

To clear the NDE counters, use the clearmlsndeflowcounters command.

clear mls nde flow counters


This command has no keywords or arguments.

Command Default


Command Modes

Privileged EXEC

Command History

Release

12.2(14)SX

12.2(17d)SXB

12.2(33)SRA

Modification




2 was extended to the 12.2 SX release.



Examples

This example shows how to reset the NDE counters:

Router#

clear mls nde flow counters

Router#


Command

show mls nde

Description

Displays information about the NDE hardwareswitched flow.


19

backup (NetFlow SCTP) through ip route-cache flow clear mls netflow

clear mls netflow

To clear the MLS NetFlow-shortcut entries, use the clearmlsnetflowcommand.

clear mls netflow ip [destination ip-addr [source ip-addr-spec]] [dynamic | sw-installed [non-

static | static]] [module mod]

clear mls netflow ipv6 [destination ipv6-addr [slash ipv6-prefix] [source ipv6-addr [slash ipv6-

prefix]]] [flow {tcp | udp}] [{destination | source} port-num] [dynamic | sw-installed [non-static |

static]] [module mod]

clear mls netflow mpls [top-label entry] [dynamic | sw-installed [non-static | static]] [module

mod]

clear mls ipx [[module mod] [destination ipx-network [ipx-node]] [source ipx-network] [macs mac-

addr] [macd mac-addr] [interface interface-num] | [all]]

Syntax Description ip

destination ip-addr

source ip-addr

dynamic

sw-installed non-static

sw-installed static

module mod

ipv6

destination ipv6-addr

/ ipv6-prefix

source iv6p-addr

flow tcp

Clears IP MLS entries.

(Optional) Specifies a destination f ull IP address or a subnet address. See the “Usage Guidelines” section for formatting guidelines.

(Optional) Specifies a source f ull IP address or a subnet address. See the “Usage Guidelines” section for formatting guidelines.

(Optional) Clears NetFlow-statistics entries that are created in the hardware.

(Optional) Clears software-installed nonstatic entries.

(Optional) Clears software-installed static entries.

(Optional) Specifies a module number.

Clears IP version 6 software-installed entries.

(Optional) Specifies a destination f ull IPv6 address or a subnet address. See the “Usage Guidelines” section for formatting guidelines.

(Optional) IPv6 prefix; valid values are from 0 to

128.

(Optional) Specifies a source f ull IPv6 address or a subnet address. See the “Usage Guidelines” section for formatting guidelines.

(Optional) Clears TCP flow information.

20



flow udp destination port-num sourceport-num

mpls

top-label entry

ipx

destination ipx-network

ipx-node

source ipx-network

macs mac-addr

macd mac-addr

interface interface-num

all

Command Default


Command Modes

Privileged EXEC

Command History

Release

12.2(14)SX

clear mls netflow

(Optional) Clears UDP flow information.

(Optional) Specifies a destination port number.

(Optional) Specifies a source port number.

Clears MPLS software-installed entries.

(Optional) Clears top-label entries; valid values are from 1 to 4294967295.

Clears IPX MLS entries.

(Optional) Specifies the destination IPX address.

See the “Usage Guidelines” section for formatting guidelines.

(Optional) IPX node address. See the “Usage

Guidelines” section for formatting guidelines.

(Optional) Specifies the source IPX address. See the “Usage Guidelines” section for formatting guidelines.

(Optional) Specifies the source MAC addresses to consider when searching for entries to purge.

(Optional) Specifies the destination MAC addresses to consider when searching for entries to purge.

(Optional) Clears entries that are associated with the specified VLAN or interface.

(Optional) Clears all entries.

Modification




21


Release

12.2(17a)SX

12.2(17d)SXB

12.2(18)SXF

12.2(33)SRA

Modification

This command was changed as follows:

• Replaced the routes keyword with sw-

installed.

• Replaced the statistics keyword with

dynamic.

•

Changed the syntax from clearmls [ip | ipv6 |

mpls] to clearmlsnetflow [ip | ipv6 | mpls]




•

Removed support for the any keyword.

• Added the /ipv6-prefix argument.




The destinationipx-network, ipx-node, andsourceipx-network keywords and arguments are supported on

Cisco 7600 series routers that are configured with a Supervisor Engine 2 only.

When entering the IPX address syntax, use the following format:

• IPX network address--1..FFFFFFFE

• IPX node address--x.x.x where x is 0..FFFF

• IPX address--ipx_net.ipx_node (for example, 3.0034.1245.AB45, A43.0000.0000.0001)

Entering any combination of input parameters narrows the search of entries to be cleared. The destination or sourceport-num keyword and argument should be specified as one of the following: telnet, FTP, WWW,

SMTP, X, or DNS.

Up to 16 routers can be included explicitly as MLS-RPs.

Use the following syntax to specify an IP subnet address:

• ip-subnet-addr or ipv6-subnet-addr--Short subnet address format. The trailing decimal number 00 in an IP or IPv6 address YY.YY.YY.00 specifies the boundary for an IP or IPv6 subnet address. For example, 172.22.36.00 indicates a 24-bit subnet address (subnet mask 172.22.36.00/255.255.255.0), and 173.24.00.00 indicates a 16-bit subnet address (subnet mask 173.24.00.00/255.255.0.0). However, this format can identify only a subnet address of 8, 16, or 24 bits.

• ip-addr/subnet-mask or ipv6-addr/subnet-mask--Long subnet address format. For example,

172.22.252.00/255.255.252.00 indicates a 22-bit subnet address. This format can specify a subnet address of any bit number. To provide more flexibility, the ip-addr or ipv6-addris a full host address, such as 172.22.253.1/255.255.252.00.

• ip-addr/maskbits or ipv6-addr/maskbits--Simplified long subnet address format. The mask bits specify the number of bits of the network masks. For example, 172.22.252.00/22 indicates a 22-bit subnet address. The ip-addror ipv6-addr is a full host address, such as 193.22.253.1/22, which has the same subnet address as the ip-subnet-addror ipv6-subnet-addr.

22



If you do not use the all keyword, you must specify at least one of the other four keywords (source,

destination, flow, or interface) an d its arguments.

A 0 value for the destination or sourceport-num keyword and argument clears all entries. Unspecified options are treated as wildcards, and all entries are cleared.

Examples

This example shows how to clear all the entries that are associated with a specific module (2) and that have a specific destination IP address (173.11.50.89):

Router#

clear mls netflow ip destination 173.11.50.89 module 2

Router#

This example shows how to clear the IPv6 software-installed entries:

Router#

clear mls netflow ipv6

Router#

This example shows how to clear the statistical information:

Router#

clear mls netflow dynamic

Router#


Command

show mls netflow ip

show mls netflow ipv6

Description

Displays information about the hardware NetFlow

IP.


IPv6 configuration.


23

backup (NetFlow SCTP) through ip route-cache flow debug mpls netflow

debug mpls netflow

To display debug messages for MPLS egress NetFlow accounting, use the debug mpls netflowcommand in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug mpls netflow

no debug mpls netflow



Command Modes

Privileged EXEC (#)

Command History

Release

12.0(10)ST

12.1(5)T

12.0(22)S

12.2(28)SB

12.2(33)SRA

12.2(33)SXI4

Modification



Release 12.1(5)T.


Release 12.0(22)S.


Release 12.2(28)SB.




Release 12.2(33)SXI4.

Examples

Here is sample output from the debug mpls netflow command:

Router# debug mpls netflow

MPLS Egress NetFlow debugging is on

Router#

Router#

Router#

4d00h:Egress flow:entry created, dest 3.3.3.3/32, src 34.0.0.1/8

Router#

Router#


Router# conf t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)# int eth1/4

Router(config-if)# no mpls netflow egress

Router(config-if)#

24


backup (NetFlow SCTP) through ip route-cache flow debug mpls netflow

4d00h:MPLS output feature change, trigger TFIB scan

4d00h:tfib_scanner_walk, prefix 5.5.5.5/32, rewrite flow flag 0















Router(config-if)#

Router(config-if)# mpls netflow egress

Router(config-if)#

4d00h:Interface refcount with output feature enabled = 2

4d00h:MPLS output feature change, trigger TFIB scan

















Router(config-if)#

Router(config-if)# end

Router# show run int eth1/4

Building configuration...

Current configuration:

!

interface Ethernet1/4

ip vrf forwarding vpn1

ip address 180.1.1.1 255.255.255.0

no ip directed-broadcast

mpls netflow egress end

Router#

Router#

4d00h:%SYS-5-CONFIG_I:Configured from console by console

Router#

Note

Flow flag 1 prefixes are reachable through this interface; therefore, MPLS egress NetFlow accounting is applied to all packets going out the destination prefix. Flow flag 0 prefixes are not reachable through this interface; therefore, MPLS egress NetFlow accounting is not applied to any packets going out the destination prefix.


Command

show debug

Description

Displays active debug output.


25

debug mpls netflow backup (NetFlow SCTP) through ip route-cache flow

26


backup (NetFlow SCTP) through ip route-cache flow enabled (aggregation cache)

enabled (aggregation cache)

To enable a NetFlow accounting aggregation cache, use the enabled command in NetFlow aggregation cache configuration mode. To disable a NetFlow accounting aggregation cache, use the no form of thiscommand.

enabled

no enabled



Command Default

No aggregation cache is enabled.

Command Modes

NetFlow aggregation cache configuration

Command History

Release

12.0(3)T

12.2(14)S

12.2(27)SBC

12.2(18)SXF

12.2(33)SRA

Modification



Release 12.2(14)S.









Examples

The following example shows how to enable a NetFlow protocol-port aggregation cache:

Router(config)# ip flow-aggregation cache protocol-port

Router(config-flow-cache)# enabled

The following example shows how to disable a NetFlow protocol-port aggregation cache:


27

backup (NetFlow SCTP) through ip route-cache flow enabled (aggregation cache)

Router(config)# ip flow-aggregation cache protocol-port

Router(config-flow-cache)# no

enabled


Command cache



mask (IPv4)





Description

Defines operational parameters for NetFlow accounting aggregation caches.









28


backup (NetFlow SCTP) through ip route-cache flow export destination

export destination

To enable the exporting of NetFlow accounting information from NetFlow aggregation caches, use the

export destination command in NetFlow aggregation cache configuration mode. To disable the export of

NetFlow accounting information from NetFlow aggregation caches, use the no form of this command.

export destination {hostname | ip-address} port [vrf vrf-name] [udp]

no export destination {hostname | ip-address} port [vrf vrf-name] [udp]



port

vrf vrf-name

udp

IP address or hostname of the workstation to which you want to send the NetFlow information

Specifies the number of the user datagram protocol

(UDP) port on which the workstation is listening for the exported NetFlow datagrams.

(Optional) The vrf keyword specifies that the export data packets are to be sent to the named

Virtual Private Network (VPN) routing forwarding instance (VRF) for routing to the destination, instead of to the global routing table.

Note

The vrf-name argument is the name of the

VRF

(Optional) Specifies UDP as the transport protocol.

UDP is the default transport protocol.

Command Default

Export of NetFlow information from NetFlow aggregation caches is disabled.

Command Modes


Command History

Release

12.0(3)T

12.2T

12.3(1)

Modification


This command was modified to enable multiple

NetFlow export destinations to be used.

Support for the NetFlow v9 Export Format feature was added.


29


Release

12.2(14)S

12.2(27)SBC

12.2(18)SXF

12.2(33)SRA

Modification


Release 12.2(14)S, and support for the Multiple

Export Destinations feature was added.








If the version of Cisco IOS that you have installed on your networking device supports the NetFlow

Multiple Export Destinations feature, you can configure your networking device to export NetFlow data to a maximum of 2 export destinations (collectors) per cache (main and aggregation caches), using any combination of UDP and SCTP as the transport protocol for the destinations. A destination is identified by a unique combination of hostname or IP address and port number or port type.

Note

UDP is the default transport protocol used by the export destinationcommand. In some Cisco IOS releases you can configure SCTP as the transport protocol if you need reliability and additional redundancy. Refer to the export destination sctp command for more information.

The table below shows examples of the 2 permitted NetFlow export destinations for each cache.

Table 1 Examples of Permitted Multiple NetFlow Export Destinations for Each Cache

First Export Destination

ip flow-export 10.25.89.32 100 udp




ip flow-export 10.25.89.32 100 sctp



Second Export Destination








The most common use of the multiple-destination feature is to send the NetFlow cache entries to two different destinations for redundancy. Therefore, in most cases the second destination IP address is not the same as the first IP address. The port numbers can be the same when you are configuring two unique destination IP addresses. If you want to configure both instances of the command to use the same destination IP address, you must use unique port numbers. You receive a warning message when you

30



configure the two instances of the command with the same IP address. The warning message is,

“%Warning: Second destination address is the same as previous address <ip-address>”.

VRF Destinations for Exporting NetFlow Data

Before Cisco IOS Releases 12.4(4)T and 12.2(18)SXH, only one routing option existed for NetFlow export data packets. NetFlow sent all export data packets to the global routing table for routing to the export destinations you specified.

Cisco IOS 12.4(4)T, 12.2(18)SXH, and later releases provide an additional routing option for NetFlow export data packets. You can send NetFlow data export packets to a Virtual Private Network (VPN) routing/forwarding instance (VRF) for routing to the destinations that you specify.

To send NetFlow data export packets to a VRF for routing to a destination, you enter the optional vrfvrf-

name keyword and argument with the ip flow-export destination ip-addressport command. To configure the global routing table option, enter this command without the optional vrfvrf-name keyword and argument.

Examples

The following example shows how to configure two export destinations for a NetFlow accounting protocolport aggregation cache scheme:

Router(config)#


Router(config-flow-cache)# export destination 10.41.41.1 9992



The following example shows how to configure the networking device for exporting from the NetFlow

source-prefix-tos aggregation cache to an export destination that is reachable in VRF group1:

Router(config)#

ip flow-aggregation cache source-prefix-tos


export destination 172.16.10.2 78 vrf group1


enabled


Command

export template

export version


Description

Configures template options for the export of

NetFlow accounting information in NetFlow aggregation cache entries

Specifies the export version format for the exporting of NetFlow accounting information in

NetFlow aggregation cache entries



31

backup (NetFlow SCTP) through ip route-cache flow export destination sctp (NetFlow aggregation cache)

export destination sctp (NetFlow aggregation cache)

To enable the reliable export of NetFlow accounting information from NetFlow aggregation caches, use the

export destination sctp command in NetFlow aggregation cache configuration mode. To disable the reliable export of NetFlow accounting information from NetFlow aggregation caches, use the no form of this command.

export destination {ip-address | hostname} port [vrf vrf-name] sctp

no export destination {ip-address | hostname} port [vrf vrf-name] sctp



port

vrf vrf-name





Note


VRF

Command Default

Reliable export of NetFlow information from NetFlow aggregation caches is disabled.

Command Modes


Command History

Release

12.4(4)T

12.2(33)SRA

Modification





NetFlow Reliable Export Using SCTP

32


backup (NetFlow SCTP) through ip route-cache flow export destination sctp (NetFlow aggregation cache)

SCTP can be used as an alternative to UDP when you need a more robust and flexible transport protocol than UDP. SCTP is a reliable message-oriented transport layer protocol, which allows data to be transmitted between two end-points in a reliable, partially reliable, or unreliable manner.

An SCTP session consists of an association (connection) between two end-points (peers), which can contain one or more logical channels called streams. The default mode of transmission for a stream is to guarantee reliable ordered delivery of messages using a selective-acknowledgment scheme. SCTP buffers messages until their receipt has been acknowledged by the receiving end-point. SCTP has a congestion control mechanism which limits how much memory is consumed by the SCTP stack, in packet buffering.


Before Cisco IOS Release 12.4(4)T, one routing option existed for NetFlow export data packets. NetFlow sent all export data packets to the global routing table for routing to the destinations you specified.

Cisco IOS 12.4(4)T and later releases provide an additional routing option for NetFlow export data packets.

You can send NetFlow data export packets to a Virtual Private Network (VPN) routing/forwarding instance

(VRF) for routing to the destinations that you specify.


name keyword and argument with the export destination ip-addressport command. To configure the global routing table option, enter this command without the optional vrfvrf-name keyword and argument.

Examples

The following example shows how to configure the networking device to use SCTP as the transport protocol when exporting NetFlow data from a NetFlow AS aggregation cache to a host:

Router(config)#

ip flow-aggregation cache as

Router(config

-flow-cache

)# export destination 172.16.10.2 78 sctp

Router(config

-flow-cache

)# enabled

The following example shows how to configure the networking device to use SCTP as the transport protocol when exporting NetFlow data from a NetFlow AS aggregation cache to a host that is reachable in

VRF group1:

Router(config)#

ip flow-aggregation cache as

Router(config

-flow-cache

)# export destination 172.16.10.2 78 vrf group1 sctp

Router(config

-flow-cache

)# enabled


Command backup

Description

Configures a backup destination for the reliable export of NetFlow accounting information in

NetFlow cache entries


33

export destination sctp (NetFlow aggregation cache)

Command

export destination



reliability



Description

Enables the export of NetFlow accounting information in NetFlow aggregation cache entries to a remote device such as a server running an application that analyzes NetFlow data.








34


backup (NetFlow SCTP) through ip route-cache flow export template

export template

To configure template options for the export of NetFlow accounting information from NetFlow aggregation caches, use the export template command in NetFlow aggregation cache configuration mode. To return to the default behavior, use the noform of this command.

Configure template only

export template {refresh-rate packets | timeout-rate minutes}

no export template {refresh-rate | timeout-rate}

Configure template options

ip export template options {export-stats | refresh-rate packets | timeout-rate minutes | sampler}

no export template options {export-stats | refresh-rate | timeout-rate | sampler}

Syntax Description template

refresh-rate packets

timeout-rate minutes

options export-stats

Enables the refresh-rate and timeout-rate keywords for the configuring of Version 9 export templates.

(Optional) Specifies the number of export packets that are sent before the options and flow templates are resent. Range:1 to 600 packets. The default is

20 packets.

Note

This applies to the export template refresh-

rate packets command.

(Optional) Specifies the interval (in minutes) that the router waits after sending the templates (flow and options) before sending them again. Range: 1 to 3600 minutes. The default is 30 minutes.

Note

This applies to the export template

timeout-rate minutes command.

(Optional) Enables the export-stats, refresh-rate,

sampler and timeout-rate keywords for configuring Version 9 export options.

(Optional) Enables the export of statistics including the total number of flows exported and the total number of packets exported.


35

backup (NetFlow SCTP) through ip route-cache flow export template sampler



(Optional) When Version 9 export is configured, this keyword enables the export of an option containing a random-sampler configuration, including the sampler ID, sampling mode, and sampling interval for each configured random sampler.

Note

You must have a flow sampler map configured before you can configure the sampler keyword for the export template

options command.

(Optional) Specifies the number of packets that are sent before the configured options records are resent. Range: 1 to 600 packets. The default is 20 packets.

Note

This applies to the export template options

refresh-rate packets command.

(Optional) Specifies the interval (in minutes) that the router will wait after sending the options records before they are sent again. Range: 1 to 3600 minutes. The default is 30 minutes.

Note

This applies to the export template options

timeout-rate minutes command.

Command Default

The default parameters as noted in the Syntax Description table are used.

Command Modes


Command History

Release

12.3(2)T

12.2(27)SBC

12.2(18)SXF

12.2(33)SRA

Modification








36


backup (NetFlow SCTP) through ip route-cache flow export template


The export template options export-stats command requires that the NetFlow Version 9 export format be already configured on the router.

The export template options sampler command requires that the NetFlow Version 9 export format and a flow sampler map be already configured on the router.

Examples

The following example shows how to configure a NetFlow accounting protocol-port aggregation cache so that the networking device sends the export statistics (total flows and packets exported) as options data:

Router(config)#


Router(config-flow-cache)# export template options export-stats


The following example shows how to configure a NetFlow accounting protocol-port aggregation cache to wait until 100 export packets have been sent, or 60 minutes have passed since the last time the templates were sent (whichever comes first) before the templates are resent to the destination host:

Router(config)#


Router(config-flow-cache)# export template refresh-rate 100

Router(config-flow-cache)# export template timeout-rate 60


The following example shows how to configure a NetFlow accounting protocol-port aggregation cache to enable the export of information about NetFlow random samplers:

Router(config)#


Router(config-flow-cache)# export template option sampler


Tip

You must have a flow-sampler map configured before you can configure the sampler keyword for the ip

flow-export template options command.


Command




Description






37

backup (NetFlow SCTP) through ip route-cache flow export version

export version

To specify the version of the export format of NetFlow accounting information from NetFlow aggregation caches, use the export versioncommand in NetFlow aggregation cache configuration mode. To return to the default behavior, use the no form of this command.

export version {8 | 9}

no export version


version {8| 9}

Version of the format for NetFlow data export.

Command Default

Version 9 is the default format for the exporting of NetFlow accounting information from NetFlow aggregation caches.

Command Modes


Command History

Release

12.0(3)T

12.4(4)T

12.2(33)SRA

Modification


The sctp keyword was added.




NetFlow aggregation caches export data in UDP datagrams using either the Version 9 or Version 8 export format.

The table below describes how to determine the most appropriate export format for your requirements.

38



Table 2

Export Format

Version 9

Selecting a NetFlow Export Format

Version 8

Select When...

You need a flexible and extensible format, which provides the versatility needed for support of new fields and record types.

This format accommodates new NetFlow-supported technologies such as Multicast, IPv6 NetFlow,

Egress NetFlow, NetFlow Layer 2 and security exports, Multiprotocol Label Switching (MPLS), and Border Gateway Protocol (BGP) next hop.

Version 9 export format enables you to use the same version for main and aggregation caches, and because the format is extensible you can use the same export format with future features.

Version 8 export format is available only for export from aggregation caches.

Use Version 8 when your NetFlow Collection

Engine (NFC) does not support Version 9.

The export version command supports two export data formats: Version 8, and Version 9. Version 8 should be used only when it is the only NetFlow data export format version that is supported by the application that you are using to analyze the exported NetFlow data. Version 9 is the only flexible export format version.

The NetFlow Version 9 Export Format feature was introduced in Cisco IOS Release 12.0(24)S and was integrated into Cisco IOS Release 12.3(1) and Cisco IOS Release 12.2(18)S.

NetFlow Version 9 is a flexible and extensible means for transferring NetFlow records from a network node to a collector. NetFlow Version 9 has definable record types and is self-describing for easier NetFlow

Collection Engine configuration.

Third-party business partners who produce applications that provide NetFlow Collection Engine or display services for NetFlow do not need to recompile their applications each time a new NetFlow technology is added. Instead, with the NetFlow Version 9 Export Format feature, they can use an external data file that documents the known template formats and field types.

NetFlow Version 9 has the following characteristics:

• Record formats are defined by templates.

• Template descriptions are communicated from the router to the NetFlow Collection Engine.

• Flow records are sent from the router to the NetFlow Collection Engine with minimal template information so that the NetFlow Collection Engine can relate the records to the appropriate template.

Version 9 is independent of the underlying transport (UDP, TCP, SCTP, and so on).

Note

In order for the BGP information to be populated in the main cache, you must have either a NetFlow export destination configured or a NetFlow aggregation configured.


39


Note

The AS values for the peer-as and the origin-as keywords are captured only if you have configured an export destination with the ip flow-export destination command.

Note


For more information on the available export data formats, see the Cisco IOS NetFlow Configuration

Guide, Release 12.4T. For more information on the Version 9 data format, see the

Cisco IOS NetFlow

Version 9 Export Format Feature Guide

.

Examples

The following example shows how to configure version 9 as the export format for a NetFlow accounting protocol-port aggregation cache scheme:

Router(config)#


Router(config-flow-cache)# export version 9



Command




Description





40


backup (NetFlow SCTP) through ip route-cache flow flow hardware mpls-vpn ip

flow hardware mpls-vpn ip

To ensure the creation and export of hardware NetFlow cache entries for traffic entering the router on the last MPLS hop of an IPv4 MPLS VPN network, use the flow hardware mpls-vpn ip command in global configuration mode. To disable the creation and export of hardware NetFlow cache entries for this traffic, use the no form of this command.

flow hardware mpls-vpn ip vrf-id

no flow hardware mpls-vpn ip vrf-id


vrf-id

The name of a VRF that you have previously configured.

Command Default

Creation and export of hardware NetFlow cache entries for traffic entering the router on the last MPLS hop of an IPv4 MPLS VPN network is not enabled.

Command Modes

Global configuration

Command History

Release

12.2(33)SRB

12.2SX

Modification






NetFlow Aggregation

If you want to include IPV4 MPLS VPN traffic in a NetFlow aggregation scheme on your router, you must configure the flow hardware mpls-vpn ip command.

NetFlow Sampling

If you want to include IPV4 MPLS VPN traffic in the traffic that is analyzed using NetFlow sampling on your router, you must configure the flow hardware mpls-vpn ip command.

Examples

The following example configures NDE for VRF vpn1:

Router(config)# flow hardware mpls-vpn ip vpn1


41

flow hardware mpls-vpn ip


Command



Description


IP flows.

42


backup (NetFlow SCTP) through ip route-cache flow flow-sampler

flow-sampler

To apply a flow sampler map for random sampled NetFlow accounting to an interface, use the flow-

samplercommand in interface configuration mode. To remove a flow sampler map for random sampled

NetFlow accounting from an interface, use the noform of this command.

flow-sampler sampler-map-name [egress]

no flow-sampler sampler-map-name [egress]


sampler-map-name

egress

Name of the flow sampler map to apply to the interface.

(Optional) Specifies that the sampler map is to be applied to egress traffic.

Command Default

Flow sampler maps for NetFlow accounting are not applied to interfaces by default.

Command Modes

Interface configuration Subinterface configuration

Command History

Release

12.3(2)T

12.2(18)S

12.0(26)S

12.3(11)T

12.2(27)SBC

12.2(18)SXF

12.2(33)SRA

Modification



Release 12.2(18)S.


Release 12.0(26)S.

NetFlow egress support was added.








43



You must create and enable the random sampler NetFlow map for random sampled NetFlow accounting using the flow-sampler-map and mode commands before you can use the flow-sampler command to apply the random sampler NetFlow map to an interface.

Random sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface, or subinterface. You must disable ingress NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the interface, or subinterface, if you want to enable random sampled NetFlow accounting on the interface, or subinterface.

You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.

Tip

If you disable CEF or DCEF globally using the no ip cef [distributed] command the flow-sampler

sampler-map-name command is removed from any interfaces that you previously configured for random sampled NetFlow accounting. You must reenter the flow-sampler sampler-map-name command after you reenable CEF or dCEF to reactivate random sampled NetFlow accounting.

Tip

If your router is running Cisco IOS release 12.2(14)S or a later release, or Cisco IOS Release 12.2(15)T or a later release, NetFlow accounting might be enabled through the use of the ip flow ingress command instead of the ip route-cache flow command. If your router has NetFlow accounting enabled through the use of ip flow ingress command you must disable NetFlow accounting, using the no form of this command, before you apply a random sampler map for random sampled NetFlow accounting on an interface otherwise the full, un-sampled traffic will continue to be seen.

Examples

The following example shows how to create and enable a random sampler map for random sampled

(ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:

Router(config)# ip cef

Router(config)# flow-sampler-map my-map

Router(config-sampler)# mode random one-out-of 100

Router(config-sampler)# interface ethernet 0/0

Router(config-if)# no ip route-cache flow

Router(config-if)# ip

route-cache cef

Router(config-if)# flow-sampler my-map

The following example shows how to create and enable a random sampler map for random sampled egress

NetFlow accounting with CEF switching on Ethernet interface 1/0:





Router(config-if)# no

ip flow egress


route-cache cef

Router(config-if)# flow-sampler my-map egress

The following output from the show flow-sampler command verifies that random sampled NetFlow accounting is active:

Router# show flow-sampler

44



Sampler : my-map, id : 1, packets matched : 7, mode : random sampling mode

sampling interval is : 100


Command flow-sampler-map

mode (flow sampler configuration)

netflow-sampler

show flow-sampler




Description

Defines a flow sampler map for random sampled

NetFlow accounting.

Specifies a packet interval for NetFlow accounting random sampling mode and enables the flow sampler map.

Enables NetFlow accounting with input filter sampling.

Displays the status of random sampled NetFlow

(including mode, packet interval, and number of packets matched for each flow sampler).





45

backup (NetFlow SCTP) through ip route-cache flow flow-sampler-map

flow-sampler-map

To define a flow sampler map for random sampled NetFlow accounting, use the flow-sampler-

mapcommand in global configuration mode. To remove a flow sampler map for random sampled NetFlow accounting, use the no form of this command.

flow-sampler-map sampler-map-name

no flow-sampler-map sampler-map-name


sampler-map-name

Name of the flow sampler map to be defined for random sampled NetFlow accounting.

Command Default

No flow sampler maps for random sampled NetFlow accounting are defined.

Command Modes


Command History

Release

12.3(2)T

12.2(18)S

12.0(26)S

12.2(27)SBC

12.2(18)SXF

12.2(33)SRA

Modification



Release 12.2(18)S.


Release 12.0(26)S.








Random sampled NetFlow accounting does not start sampling traffic until (1) the random sampler map is activated through the use of the mode command and (2) the sampler map has been applied to an interface through the use of the flow-sampler command.

Random Sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface, or

46


backup (NetFlow SCTP) through ip route-cache flow flow-sampler-map

subinterface. You must disable (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the interface or subinterface, if you want to enable random sampled NetFlow accounting on that interface or subinterface.


Tip

If you disable dCEF globally using the no ip cef [distributed] command, the flow-sampler sampler-map-

name command is removed from any interfaces that you previously configured for random sampled

NetFlow accounting. You must reenter the flow-sampler sampler-map-name command after you reenable

CEF or dCEF to reactivate random sampled NetFlow accounting.

Tip


Examples









route-cache cef









ip flow egress


route-cache cef







47

flow-sampler-map


Command flow-sampler-map


netflow-sampler






Description


NetFlow accounting.








48


backup (NetFlow SCTP) through ip route-cache flow ip flow

ip flow

To enable NetFlow accounting for inbound (received) or outbound (transmitted) network traffic, use the ip

flowcommand in interface or subinterface configuration mode. To disable NetFlow accounting, use the no form of this command.

ip flow {ingress | egress}

no ip flow {ingress | egress}

Syntax Description ingress egress

Enables NetFlow accounting for traffic that is received on an interface.

Note

This is also known as ingress NetFlow accounting.

Enables NetFlow accounting for traffic that is transmitted on an interface.

Note

This is also known as egress NetFlow accounting.

Command Default

NetFlow accounting is disabled.

Command Modes

Interface configuration (config-if) Subinterface configuration (config-sub-if)

Command History

Release

12.2(14)S

12.2(25)S

12.2(15)T

12.3(11)T

Modification


Output of the show running configuration command was modified so that the ip route-cache

flowcommand as well as the ip flow ingress command will appear when either command is configured.


Release 12.2(15)T.

The egress keyword was added.


49

backup (NetFlow SCTP) through ip route-cache flow ip flow

Release

12.2(28)SBB

12.2(27)SBC

12.2(31)SB2

12.2(18)SXE

12.2(18)SXF

12.2(33)SRA

Modification


Release 12.2(27)SBB and implemented for the

Cisco 10000 series routers.




Release 12.2(31)SB2.




Release 12.2(18)SXF. This command was changed to allow you to dynamically create NetFlow entries on a 7600.




Cisco 7600 Series Platforms

The ip flow ingresscommand is supported on the Supervisor Engine 720 in PFC3B and PFC3BXL mode.

The ip flow ingresscommand is supported on the Supervisor Engine 2 with a PFC2.

In Release 12.2(18)SXF and later releases, to create a NetFlow entry, you need to enter the ip flow ingress command. In releases prior to Release 12.2(18)SXF, the NetFlow entries are created automatically.

Other Platforms

Use this command on an interface or subinterface to enable NetFlow accounting for traffic.

You must enable CEF or dCEF globally on the networking device, and on the interface or subinterface that you want to enable NetFlow accounting on before you enable either ingress or egress NetFlow accounting.

Examples

The following example shows how to configure ingress NetFlow accounting for traffic that is received on

FastEthernet interface 0/0:

Router(config)# interface fastethernet0/0

Router(config-if)# ip flow ingress

The following example shows how to configure egress NetFlow accounting for traffic that is transmitted on

FastEthernet interface 0/0:

Router(config)# interface fastethernet0/0

Router(config-if)# ip flow egress

50




Command

ip flow-egress input-interface

ip flow-cache timeout

ip flow-cache entries




ip flow

Description

Removes the NetFlow egress accounting flow key that specifies an output interface and adds a flow key that specifies an input interface for NetFlow egress accounting.

Specifies NetFlow accounting flow cache parameters

Changes the number of entries maintained in the

NetFlow accounting cache.





51

backup (NetFlow SCTP) through ip route-cache flow ip flow layer2-switched

ip flow layer2-switched

To enable the creation of switched, bridged, and Layer 2 IP flows for a specific VLAN, use the ip flow

layer2-switched command in global configuration mode. Use the no form of this command to return to the default settings.

ip flow {ingress | export} layer2-switched vlan {num | vlanlist}

no ip flow {ingress | export} layer2-switched vlan {num | vlanlist}

Syntax Description ingress export

vlan num | vlanlist

Enables the collection of switched, bridged, and IP flows in Layer 2.

Enables the export of switched, bridged, and IP flows in Layer 2.

Specifies the VLAN or range of VLANs; valid values are from 1 to 4094. See the “Usage

Guidelines” section for additional information.

Command Default

The defaults are as follows:

• ip flow ingress layer2switch is disabled.

• ip flow export layer2switched is enabled.

Command Modes

Global configuration (config)

Command History

Release

12.2(18)SXE

12.2(33)SRA

12.2SX

Modification








52


backup (NetFlow SCTP) through ip route-cache flow ip flow layer2-switched


The ip flow layer2-switchedcommand is supported on the Supervisor Engine 720 in PFC3B and

PFC3BXL mode only.

The ip flow layer2-switchedcommand is supported on the Supervisor Engine 2 with a PFC2.

Before using this command on Cisco 7600 series routers that are configured with a Supervisor Engine 720, you must ensure that a corresponding VLAN interface is available and has a valid IP address. This guideline does not apply to Cisco 7600 series routers that are configured with a Supervisor Engine 2.

You can enter one or multiple VLANs. The following examples are samples of valid VLAN lists: 1; 1,2,3;

1-3,7.

Examples

This example shows how to enable the collection of Layer 2-switched flows on a specific VLAN:

Router(config)# ip flow ingress layer2-switched vlan 2

Router(config)#

This example shows how to enable export of Layer 2-switched flows on a range of VLANs:

Router(config)# ip flow export layer2-switched vlan 1-3,7

Router(config)#

This example shows how to disable the collection of Layer 2-switched flows on a specific VLAN:

Router(config)# no ip flow ingress layer2-switched vlan 2

Router(config#


53

backup (NetFlow SCTP) through ip route-cache flow ip flow-aggregation cache

ip flow-aggregation cache

To enable NetFlow accounting aggregation cache schemes, use the ip flow-aggregation cachecommand in global configuration mode. To disable NetFlow accounting aggregation cache schemes, use the no form of this command.

ip flow-aggregation cache {as | as-tos | bgp-nexthop-tos | destination-prefix | destination-prefix-

tos | prefix | prefix-port | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-

prefix-tos | exp-bgp-prefix}

no ip flow-aggregation cache {as | as-tos | bgp-nexthop-tos | destination-prefix | destination-

prefix-tos | prefix | prefix-port | prefix-tos | protocol-port | protocol-port-tos | source-prefix |

source-prefix-tos | exp-bgp-prefix}

Syntax Description as as-tos bgp-nexthop-tos destination-prefix destination-prefix-tos prefix prefix-port prefix-tos protocol-port protocol-port-tos source-prefix

Configures the autonomous system aggregation cache scheme.

Configures the autonomous system type of service

(ToS) aggregation cache scheme.

Configures the Border Gateway Protocol (BGP) next hop ToS aggregation cache scheme.

Note

This keyword is not supported on the Cisco

ASR 1000 Series Aggregation Services

Router.

Configures the destination-prefix aggregation cache scheme.

Configures the destination prefix ToS aggregation cache scheme.

Configures the prefix aggregation cache scheme.

Configures the prefix port aggregation cache scheme.

Configures the prefix ToS aggregation cache scheme.

Configures the protocol-port aggregation cache scheme.

Configures the protocol-port ToS aggregation cache scheme.

Configures the source-prefix aggregation cache scheme.

54


backup (NetFlow SCTP) through ip route-cache flow source-prefix-tos exp-bgp-prefix

Command Default

This command is not enabled by default.

Command Modes


Command History

Release

12.0(3)T

12.0(15)S

12.2(2)T

12.2(14)S

12.3(1)

12.2(18)S

12.2(14)SX

12.2(17d)SXB

12.2(27)SBC

12.2(18)SXF

12.2(33)SRA

12.2(31)SB2


Configures the source-prefix ToS aggregation cache scheme.

Configures the exp-bgp-prefix aggregation cache scheme.

Modification


This command was modified to include the ToS aggregation scheme keywords.


NetFlow export destinations.


Release 12.2(14)S.

Support for the BGP Next Hop Support feature was added.





2 was extended to Release 12.2(17d)SXB.








Release 12.2(31)SB2. The exp-bgp-prefix aggregation cache keyword was added.


55

backup (NetFlow SCTP) through ip route-cache flow ip flow-aggregation cache


You must have NetFlow accounting configured on your router before you can use this command. The

export destination command supports a maximum of two concurrent export destinations.

The ToS aggregation cache scheme keywords enable NetFlow accounting aggregation cache schemes that include the ToS byte in their export records. The ToS byte is an 8-bit field in the IP header. The ToS byte specifies the quality of service for a datagram during its transmission through the Internet.

You can enable only one aggregation cache configuration scheme per command line. The following rules apply to configuring source and destination masks.

• The source mask can only be configured in the prefix, prefix-port, prefix-tos, source-prefix and source-prefix-tos aggregation modes.

• The destination mask can only be configured in the prefix, prefix-port, prefix-tos, destination-prefix and destination-prefix-tos aggregation modes.

• No masks can be configured in non-prefix aggregation modes

To enable aggregation (whether or not an aggregation cache is fully configured), you must enter the

enabled command in aggregation cache configuration mode. (You can use the no form of this command to disable aggregation. The cache configuration remains unchanged even if aggregation is disabled.)

Examples

The following example shows how to configure a NetFlow accounting autonomous system aggregation cache scheme:

Router(config)# ip flow-aggregation cache as


The following example shows how to configure a minimum prefix mask of 16 bits for the NetFlow accounting destination-prefix aggregation cache scheme:

Router(config)# ip flow-aggregation cache destination-prefix

Router(config-flow-cache)# mask destination minimum 16


The following example shows how to configure a minimum prefix mask of 16 bits for the NetFlow accounting source-prefix aggregation cache scheme:

Router(config)# ip flow-aggregation cache source-prefix

Router(config-flow-cache)# mask source minimum 16


The following example shows how to configure multiple export destinations for the NetFlow accounting autonomous system ToS aggregation cache scheme:

Router(config)# ip flow-aggregation cache as-tos





Command



Description


Enables the NetFlow aggregation cache.

56



Command mask






Description

Specifies the source or destination prefix mask.

Displays a summary of the NetFlow accounting aggregation cache statistics.





57

backup (NetFlow SCTP) through ip route-cache flow ip flow-cache entries

ip flow-cache entries

To change the number of entries maintained in the NetFlow accounting cache, use the ip flow-cache

entriescommand in global configuration mode. To return to the default number of entries, use the no form of this command.

ip flow-cache entries number

no ip flow-cache entries


number

Number of entries to maintain in the NetFlow cache. The range is from 1024 to 524288. The default is 4096.

Note

For the Cisco ASR 1000 Series Aggregation

Services Router, the range is 1024 to

2000000 (2 million). The default is 200000.

Command Default

The default value of 4096 is used as the size of the NetFlow accounting cache.

Command Modes


Command History

Release

12.0(3)T

12.2(14)S

12.2(14)SX

12.2(17d)SXB

12.2(27)SBC

12.2(18)SXF

12.2(33)SRA

Modification



Release 12.2(14)S.











58



Release

12.2(31)SB2


Modification





Normally the default size of the NetFlow cache will meet your needs. However, you can increase or decrease the number of entries maintained in the cache to meet the needs of your flow traffic rates. For environments with a high amount of flow traffic (such as an internet core router), a larger value such as

131072 (128K) is recommended. To obtain information on your flow traffic, use the show ip cache flow

EXEC command.

Each cache entry is approximately 64 bytes of storage. Assuming a cache with the default number of entries, approximately 4 MB of DRAM would be required. Each time a new flow is taken from the free flow queue, the number of free flows is checked. If only a few free flows remain, NetFlow attempts to age

30 flows using an accelerated timeout. If only one free flow remains, NetFlow automatically ages 30 flows regardless of their age. The intent is to ensure that free flow entries are always available.

Caution

We recommend that you not change the number of NetFlow cache entries. To return to the default number of NetFlow cache entries, use the no ip flow-cache entries global configuration command.

Examples

The following example shows how to increase the number of NetFlow cache entries to 131,072 (128K):

Router(config)# ip flow-cache entries 131072

%The change in number of entries will take effect after either the next reboot or when netflow is turned off on all interfaces

Tip

You turn off NetFlow accounting on interfaces by removing the command that you enabled NetFlow accounting with. For example, if you enabled NetFlow accounting on an interface with the ip flow ingress command you turn off NetFlow accounting for the interface using the no form of the command -no ip flow

ingress. Remember to turn NetFlow accounting back on for the interface after you have turned it off.


Command


ip flow egress

Description

Specifies NetFlow accounting flow cache parameters.

Enables NetFlow egress accounting for traffic that the router is forwarding.


59


Command


ip flow ingress





Description


Enables NetFlow (ingress) accounting for traffic arriving on an interface.




60


backup (NetFlow SCTP) through ip route-cache flow ip flow-cache mpls label-positions

ip flow-cache mpls label-positions

To enable Multiprotocol Label Switching (MPLS)-Aware NetFlow, use the ip flow-cache mpls label-

positions command in global configuration mode. To disable MPLS-aware NetFlow, use the no form of this command.

ip flow-cache mpls label-positions [label-position-1 [label-position-2 [label-position-3]]] [exp-bgp-

prefix-fields] [no-ip-fields] [mpls-length]

no ip flow-cache mpls label-positions


label-position-l

exp-bgp-prefix-fields no-ip-fields

(Optional) Position of an MPLS label in the incoming label stack. Label positions are counted from the top of the stack, starting with 1.

(Optional) Generates a MPLS Provider Edge (PE)

PE-to-PE traffic matrix.

The following IP-related flow fields are included:

• Input interface

• BGP Nexthop

• MPLS Experimental (EXP) bits

The MPLS label values will be set to zero on the

Cisco 10000 in the display output of the show ip

cache verbose flow aggregation exp-bgp-prefix

command.

(Optional) Controls the capture and reporting of

MPLS flow fields. If the no-ip-fields keyword is not specified, the following IP-related flow fields are included:

• Source IP address

• Destination IP address

• Transport layer protocol

• Source application port number

• Destination application port number

• IP type of service (ToS)

• TCP flag

If the no-ip-fields keyword is specified, the IPrelated fields are reported with a value of 0.


61

backup (NetFlow SCTP) through ip route-cache flow ip flow-cache mpls label-positions mpls-length

(Optional) Controls the reporting of packet length.

If the mpls-length keyword is specified, the reported length represents the sum of the MPLS packet payload length and the MPLS label stack length. If the mpls-length keyword is not specified, only the length of the MPLS packet payload is reported.

Command Default

MPLS-Aware NetFlow is not enabled.

Command Modes


Command History

Release

12.0(24)S

12.0(25)S

12.3(8)T

12.2(28)SB

12.2(31)SB2

Modification


The no-ip-fields and mpls-length keywords were added.


Release 12.3(8)T.


Release 12.2(28)SB.


Release 12.2(31)SB2. The exp-bgp-prefix-fields keyword was added.



Use this command to configure the MPLS-aware NetFlow feature on a label switch router (LSR) and to specify labels of interest in the incoming label stack. Label positions are counted from the top of the stack, starting with 1. The position of the top label is 1, the position of the second label is 2, and so forth.

With MPLS-aware NetFlow enabled on the router, NetFlow collects data for incoming IP packets and for incoming MPLS packets on all interfaces where NetFlow is enabled in full or in sampled mode.

62


backup (NetFlow SCTP) through ip route-cache flow ip flow-cache mpls label-positions

Caution

When you enter the ip flow-cache mpls label-positions command on a Cisco 12000 series Internet router,

NetFlow will stop collecting data for incoming IP packets on any Engine 4P line cards installed in the router on which NetFlow is enabled in full or in sampled mode. Engine 4P line cards in a Cisco 12000 series Internet router do not support NetFlow data collection of incoming IP packets and MPLS packets concurrently.

Tip

MPLS-aware NetFlow is enabled in global configuration mode. NetFlow is enabled per interface.

Examples

The following example shows how to configure MPLS-aware NetFlow to capture the first (top), third, and fifth label:

Router(config)# ip flow-cache mpls label-positions 1 3 5

The following example shows how to configure MPLS-aware NetFlow to capture only MPLS flow information (no IP-related flow fields) and the length that represents the sum of the MPLS packet payload length and the MPLS label stack length:

Router(config)# ip flow-cache mpls label-positions no-ip-fields mpls-length

The following example shows how to configure MPLS PE-to-PE Traffic Statistics for Netflow:

Router(config)# ip flow-cache mpls label-positions 1 2 exp-bgp-prefix-fields


Command ip flow-cache entries ip flow-cache timeout ip flow egress ip flow-egress input-interface ip flow ingress show ip cache flow

Description









63

ip flow-cache mpls label-positions

Command show ip cache verbose flow show ip flow interface backup (NetFlow SCTP) through ip route-cache flow

Description



64


backup (NetFlow SCTP) through ip route-cache flow ip flow-cache timeout

ip flow-cache timeout

To specify NetFlow accounting flow cache parameters, use the ip flow-cache timeout command in global configuration mode. To disable the flow cache parameters, use the no form of this command.

ip flow-cache timeout [active minutes | inactive seconds]

no ip flow-cache timeout [active | inactive]

Syntax Description active

minutes

inactive

seconds

Specifies the active flow timeout.

(Optional) The number of minutes that an active flow remains in the cache before it times out. The range is from 1 to 60. The default value is 30.

Specifies the inactive flow timeout.

(Optional) The number of seconds that an inactive flow remains in the cache before it times out. The range is from 10 to 600. The default value is 15.

Command Default

The flow-cache timeout values are set to the default values.

Command Modes


Command History

Release

12.3(7)T

12.2(14)S

12.2(27)SBC

12.2(18)SXF

12.2(33)SRA

Modification



Release 12.2(14)S.








65

backup (NetFlow SCTP) through ip route-cache flow ip flow-cache timeout



Use this command to specify active and inactive timeout parameters.

A flow is considered to be active if packets belonging to the flow are detected wherever the NetFlow statistics are being collected. A flow is considered to be inactive if no further packets are detected for the flow at the collection point for NetFlow statistics.

Examples

In the following example, an active flow is allowed to remain in the cache for 20 minutes:

Router(config)# ip flow-cache timeout active 20

In the following example, an inactive flow is allowed to remain in the cache for 10 seconds before it times out and is removed:

Router(config)# ip flow-cache timeout inactive 10


Command








Description

Enables NetFlow (egress) accounting for traffic that the router is forwarding.








66


backup (NetFlow SCTP) through ip route-cache flow ip flow-capture

ip flow-capture

To enable the capture of values from Layer 2 or additional Layer 3 fields in NetFlow traffic, use the ip

flow-capture command in global configuration mode. To disable capturing Layer 2 or Layer 3 fields from

NetFlow traffic, use the no form of this command.

ip flow-capture {fragment-offset | icmp | ip-id | mac-addresses | packet-length | ttl | vlan-id |

nbar}

no ip flow-capture {fragment-offset | icmp | ip-id | mac-addresses | packet-length | ttl | vlan-id |

nbar}

Syntax Description fragment-offset icmp ip-id mac-addresses packet-length ttl vlan-id nbar

Captures the value of the 13-bit IP fragment offset field from the first fragmented IP datagram in a flow.

Captures the value of the ICMP type and code fields from the first ICMP datagram in a flow.

Captures the value of the IP-ID field from the first

IP datagram in a flow.

Captures the values of the source MAC addresses from ingress packets and the destination MAC addresses from egress packets from the first packet in a flow.

Note

This command applies only to traffic that is received or transmitted over Ethernet interfaces.

Captures the value of the packet length field from

IP datagrams in a flow.

Captures the value of the time-to-live (TTL) field from IP datagrams in a flow.

Captures the value of the 802.1q or Inter-Switch

Link (ISL) VLAN-ID field from VLANencapsulated frames in a flow when the frames are received or transmitted on trunk ports.

Exports Network Based Application Recognition

(NBAR) information along with the NetFlow

Version 9 record.

Command Default

Values from Layer 2 and Layer 3 fields are not captured.


67


Command Modes


Command History

Release

12.3(14)T

12.4(2)T

12.2(33)SRA

12.2(18)ZYA2

Modification


The fragment-offset keyword was added.



This command was modified. The nbar keyword was added.


You must enable NetFlow accounting on an interface or a subinterface using the ip flow {ingress | egress} command for the ip flow-capture command to take effect. You can enable NetFlow accounting before or after you have entered the ip flow-capture command in global configuration mode.

If you want to export the information captured by the ip flow-capturecommand, you must configure

NetFlow export using the ip flow-export destination command, and you must configure NetFlow to use the Version 9 export format. Use the ip flow-export version 9 command to configure the NetFlow Version

9 export format.

The fields captured by the ip flow-capturecommand are currently not available in the NetFlow MIB.

Note

You can capture the value from only one field at a time. Execute the command once for each value you want to capture.

ip flow-capture fragment-offset

IP fragmentation occurs when the size of an IP datagram exceeds the maximum transmission unit (MTU) of the Layer 2 frame type used by the next-hop network. For example, the IP MTU size of an ATM network is 4470 bytes. When a host needs to transmit an IP datagram that exceeds 4470 bytes on an ATM network, it must first fragment the datagram into two or more smaller IP datagrams.

An IP datagram sent by a host system such as a web server can also be fragmented by a router in the network if the router needs to transmit the IP datagram on a next-hop network that has an MTU that is smaller than the current size of the IP datagram. For example, if a router receives a 4470-byte IP datagram on an ATM interface and the next-hop network is a 100-Mbps Fast Ethernet network with an MTU of

1514, the router must fragment the IP datagram into three smaller IP datagrams (4470/1514). It is possible for an IP datagram to be fragmented two or more times on its path from the sending host to the destination host.

A fragmented IP datagram is reassembled by the destination host. The last fragment of an IP datagram is identified when the “more fragments” flag is set to 0. The length of a complete IP datagram is calculated by the receiving host by means of the fragment offset field and the length of the last fragment.

The ip flow-capture fragment-offsetcommand captures the value of the IP fragment offset field from the first fragmented IP packet in the flow. If you are seeing several flows with the same value for the IP fragment offset field, it is possible that your network is being attacked by a host that is sending the same IP packets again and again.

68


backup (NetFlow SCTP) through ip route-cache flow ip flow-capture ip flow-capture icmp

Internet Control Message Protocol (ICMP) is used for several purposes. One of the most common is the ping command. ICMP echo requests are sent by a host to a destination to verify that the destination is reachable by IP. If the destination is reachable, it should respond by sending an ICMP echo reply. Refer to

RFC 792, Darpa Internet Program Protocol Specification (

http://www.ietf.org/rfc/rfc0792.txt?

number=792

) for more information on ICMP.

ICMP packets have been used in many types of attacks on networks. Two of the most common attacks are the denial-of-service (DoS) attack and the “ping of death” attack.

• DoS attack--Any action or actions that prevent any part of a system from functioning in accordance with its intended purpose. This includes any action that causes unauthorized delay of service.

Generally, DoS attacks do not destroy data or resources, but prevent access or use. In network operations, flooding a device with ping packets when the device has not been configured to block or ignore them might effect a denial of service.

• “ping of death”--An attack that sends an improperly large ping echo request packet with the intent of overflowing the input buffers of the destination machine and causing it to crash.

Finding out the types of ICMP traffic in your network can help you decide if your network is being attacked by ICMP packets.

The ip flow-capture icmp command captures the value of the ICMP type field and the ICMP code field from the first ICMP packet detected in a flow.

ip flow-capture ip-id

It is possible for a host to receive IP datagrams from two or more senders concurrently. It is also possible for a host to receive multiple IP datagrams from the same host for different applications concurrently. For example, a server might be transferring email and HTTP traffic from the same host concurrently. When a host is receiving multiple IP datagrams concurrently, it must be able to identify the fragments from each of the incoming datagrams to ensure that they do not get mixed up during the datagram reassembly process.

The receiving host uses the IP header identification field and the source IP address of the IP datagram fragment to ensure that it rebuilds the IP datagrams correctly.

The ip flow-capture ip-id command captures the value of the IP header identification field from the first packet in the flow. The value in the IP header identification field is a sequence number assigned by the host that originally transmitted the IP datagram. All of the fragments of an IP datagram have the same identifier value. This ensures that the destination host can match the IP datagram to the fragment during the IP datagram reassembly process. The sending host is responsible for ensuring that each subsequent IP datagram it sends to the same destination host has a unique value for the IP header identification field.

If you are seeing several flows with the same value for the IP header identification field, it is possible that your network is being attacked by a host that is sending the same IP packets again and again.

ip flow-capture packet-length

The value in the packet length field in an IP datagram indicates the length of the IP datagram, excluding the

IP header.

Use the ip flow-capture packet-length command to capture the value of the IP header packet length field for packets in the flow. The ip flow-capture packet-length command keeps track of the minimum and maximum values captured from the flow. The minimum and maximum packet length values are stored in separate fields. This data is updated when a packet with a packet length that is lower or higher than the currently stored value is received. For example, if the currently stored value for the minimum packet length is 1024 bytes and the next packet received has a packet length of 512 bytes, the 1024 is replaced by 512.


69


If you are seeing several IP datagrams in the flow with the same value for the packet-length field, it is possible that your network is being attacked by a host that is constantly sending the same IP packets again and again.

ip flow-capture ttl

The TTL field is used to prevent the indefinite forwarding of IP datagrams. The TTL field contains a counter value set by the source host. Each router that processes this datagram decreases the TTL value by

1. When the TTL value reaches 0, the datagram is discarded.

There are two scenarios where an IP packet without a TTL field could live indefinitely in a network:

• The first scenario occurs when a host sends an IP datagram to an IP network that does not exist and the routers in the network have a gateway of last resort configured--that is, a gateway to which they forward IP datagrams for unknown destinations. Each router in the network receives the datagram and attempts to determine the best interface to use to forward it. Because the destination network is unknown, the best interface for the router to use to forward the datagram to the next hop is always the interface to which the gateway of last resort is assigned.

• The second scenario occurs when a wrong configuration in the network results in a routing loop. For example, if one router forwards an IP datagram to another router because it appears to be the correct next-hop router, then the receiving router sends it back because it believes that the correct next-hop router is the router that it received the IP datagram from in the first place.

The ip flow-capture ttl command keeps track of the TTL values captured from packets in the flow. The minimum and maximum TTL values are stored in separate fields. This data is updated when a packet with a

TTL that is lower or higher than the currently stored value is received. For example if the currently stored value for the minimum TTL is 64 and the next packet received has a TTL of 12, the 64 is replaced by 12.

If you are seeing several flows with the same value for the TTL, it is possible that your network is being attacked by a host that is constantly sending the same IP packets again and again. Under normal circumstances, flows come from many sources, each a different distance away. Therefore you should see a variety of TTLs across all the flows that NetFlow is capturing.

ip flow-capture mac-addresses

Note

This command applies only to the traffic that is received or transmitted over Ethernet interfaces.

The ip flow-capture mac-addresses command captures the MAC addresses of the incoming source and the outgoing destination from the first Layer 2 frame in the flow. If you discover that your network is attacked by Layer 3 traffic, use these addresses to identify the device that transmits the traffic received by the router and the next-hop or final destination device to which the router forwards the traffic.

ip flow-capture vlan-id

A virtual LAN (VLAN) is a broadcast domain within a switched network. A broadcast domain is defined by the network boundaries within which a network propagates a broadcast frame generated by a station.

Some switches can be configured to support single or multiple VLANs. Whenever a switch supports multiple VLANs, broadcasts within one VLAN never appear in another VLAN.

Each VLAN is also a separate Layer 3 network. A router or a multilayer switch must be used to interconnect the Layer 3 networks that are assigned to the VLANs. For example, a device on VLAN 2 with an IP address of 172.16.0.76 communicating with a device on VLAN 3 with an IP address of 172.17.0.34

must use a router as an intermediary device because they are on different Class B IP networks. This is accomplished by connecting a switch to a router and configuring the link between them as a VLAN trunk.

In order for the link to be used as a VLAN trunk, the interfaces on the router and the switch must be configured for the same VLAN encapsulation type.

70



Note

When a router is configured to route traffic between VLANs, it is often referred to as an inter-VLAN router.

When a router or a switch needs to send traffic on a VLAN trunk, it must either tag the frames using the

IEEE 802.1q protocol or encapsulate the frames using the Cisco Inter-Switch Link (ISL) protocol. The

VLAN tag or encapsulation header must contain the correct VLAN ID to ensure that the device receiving the frames can process them properly. The device that receives the VLAN traffic examines the VLAN ID from each frame to find out how it should process the frame. For example, when a switch receives an IP broadcast datagram such as an Address Resolution Protocol (ARP) datagram with an 802.1q tagged VLAN

ID of 6 from a router, it forwards the datagram to every interface that is assigned to VLAN 6 and any interfaces that are configured as VLAN trunks.

The ip flow-capture vlan-idcommand captures the VLAN ID number from the first frame in the flow it receives that has an 802.1q tag or that is encapsulated with ISL. When the received traffic in the flow is transmitted over an interface that is configured with either 802.1q or ISL trunking, the ip flow-capture

vlan-idcommand captures the destination VLAN ID number from the 802.1q or ISL VLAN header from the first frame in the flow.

Note

The ip flow-capture vlan-idcommand does not capture the type of VLAN encapsulation in use. The receiving and transmitting interfaces can use different VLAN protocols. If only one of the interfaces is configured as a VLAN trunk, the VLAN ID field is blank for the other interface.

Your router configuration must meet the following criteria before NetFlow can capture the value in the

VLAN-ID field:

• It must have at least one LAN interface that is configured with one or more subinterfaces.

• The subinterfaces where you want to receive VLAN traffic must have either 802.1q or ISL enabled.

•

The subinterfaces that are configured to receive VLAN traffic must have the ip flow ingress command configured on them.

If you discover that your network is being attacked by Layer 3 traffic, you can use the VLAN-ID information to help you find out which VLAN the device that is sending the traffic is on. The information can also help you identify the VLAN to which the router is forwarding the traffic.

ip flow-capture nbar

The ip flow-capture nbar command captures the application IDs and subapplication IDs exported as part of the NetFlow Version 9 record. The application IDs are mapped to applications. By means of the ip flow-

export template options nbar command, this mapping information is exported to the NetFlow data collector. To capture Network Based Application Recognition (NBAR) information, you must enable

NetFlow Version 9.

Note

The subapplication ID value is always 0 in current release.


71


Examples

The following example shows how to configure NetFlow to capture the value of the IP fragment-offset field from the IP datagrams in the flow:

Router(config)# ip flow-capture fragment-offset

The following example shows how to configure NetFlow to capture the value of the ICMP type field and the value of the code field from the IP datagrams in the flow:

Router(config)# ip flow-capture icmp

The following example shows how to configure NetFlow to capture the value of the IP-ID field from the IP datagrams in the flow:

Router(config)# ip flow-capture ip-id

The following example shows how to configure NetFlow to capture the value of the packet length field from the IP datagrams in the flow:

Router(config)# ip flow-capture packet-length

The following example shows how to configure NetFlow to capture the TTL field from the IP datagrams in the flow:

Router(config)# ip flow-capture ttl

The following example shows how to configure NetFlow to capture the MAC addresses from the IP datagrams in the flow:

Router(config)# ip flow-capture mac-addresses

The following example shows how to configure NetFlow to capture the VLAN ID from the IP datagrams in the flow:

Router(config)# ip flow-capture vlan-id

The following example shows how to configure NetFlow to capture NBAR information:

Router(config)# ip flow-capture nbar


Command





Description






72



Command

ip flow-export template options nbar






ip flow-capture

Description

Exports application mapping information to the

NetFlow data collector.

Enables NetFlow ingress accounting for traffic arriving on an interface.

Displays a summary of NetFlow accounting statistics.



Displays the NetFlow accounting configuration for interfaces.


73

backup (NetFlow SCTP) through ip route-cache flow ip flow-egress input-interface

ip flow-egress input-interface

To remove the NetFlow egress accounting flow key that specifies an output interface and to add a flow key that specifies an input interface for NetFlow egress accounting, use the ip flow-egress input-interface command in global configuration mode. To change the flow key back from an input interface to an output interface for NetFlow egress statistics, use the no form of this command.


no ip flow-egress input-interface



Command Default

By default NetFlow egress statistics use the output interface as part of the flow key.

Command Modes


Command History

Release

12.3(11)T

12.2(33)SRA

12.2SX

Modification








You must have NetFlow egress accounting configured on your router before you can use this command.

When the NetFlow Egress Support feature is configured, by default it uses the output interface as part of the flow key. The ip flow-egress input-interfacecommand changes the key for egress flows so that the ingress interface is used instead of the output interface. This command is used to create a new flow for each input interface.

Examples

In the following example the key for NetFlow reporting of egress traffic is changed from the output interface to the input interface:

Router(config)# ip flow-egress input-interface

74




Command








ip flow-egress input-interface

Description










75

backup (NetFlow SCTP) through ip route-cache flow ip flow-export destination

ip flow-export destination

To enable the export of NetFlow accounting information in NetFlow cache entries to a remote device such as a server running an application that analyzes NetFlow data, use the ip flow-export destination command in global configuration mode. To remove an export destination, use the noform of this command.

ip flow-export destination {hostname | ip-address} port [udp] [vrf vrf-name]

no ip flow-export destination {hostname | ip-address} port [udp] [vrf vrf-name]



port

vrf vrf-name

udp

IP address or hostname of the workstation to which you want to send the NetFlow information

Specifies the number of the user datagram protocol

(UDP) port on which the workstation is listening for the exported NetFlow datagrams.



Note


VRF.

(Optional) Specifies UDP as the transport protocol.

UDP is the default transport protocol.

Command Default

Export of NetFlow information is disabled.

Command Modes

Global configuration (config)#

Command History

Release

11.1 CA

12.0(24)S

12.2(14)S

Modification



Release 12.0(24)S.


Release 12.2(14)S, and support for the Multiple

Export Destinations feature was added.

76



Release

12.2(2)T

12.2(14)SX

12.2(17d)SXB

12.2(18)SXD

12.2(18)SXE

12.2(27)SBC

12.4(4)T

12.2(33)SRA

Cisco IOS XE 2.6

12.2(33)SXI4

ip flow-export destination

Modification


NetFlow export destinations to be used.

This command was introduced on the Supervisor

Engine 720.



This command was changed to allow you to configure multiple NetFlow export destinations to a router.

This command was changed to allow you to enter two destination IP addresses on the Supervisor

Engine 720 only. See the “Usage Guidelines” section for more information.



The vrf keyword and vrf name argument were added.




Release XE 2.6.


Release 12.2(33)SXI4. The vrf keyword and vrf

name argument were added.


Cisco Catalyst 6500 Series Switches

With a PFC3 and Release 12.2(18)SXE and later releases, you can enter multiple NetFlow export destinations on the Supervisor Engine 720 only.

Multiple Export Destinations

If the version of Cisco IOS that you have installed on your networking device supports the NetFlow

Multiple Export Destinations feature, you can configure your networking device to export NetFlow data to a maximum of 2 export destinations (collectors) per cache (main and aggregation caches), using any combination of UDP and SCTP as the transport protocol for the destinations. A destination is identified by a unique combination of hostname or IP address and port number or port type.


77


Note

UDP is the default transport protocol used by the export destinationcommand. In some Cisco IOS releases you can configure SCTP as the transport protocol if you need reliability and additional redundancy. Refer to the ip flow-export sctp command for more information.

The table below shows examples of the 2 permitted NetFlow export destinations for each cache.

Table 3 Examples of Permitted Multiple NetFlow Export Destinations for Each Cache

First Export Destination








Second Export Destination








The most common use of the multiple-destination feature is to send the NetFlow cache entries to two different destinations for redundancy. Therefore, in most cases the second destination IP address is not the same as the first IP address. The port numbers can be the same when you are configuring two unique destination IP addresses. If you want to configure both instances of the command to use the same destination IP address, you must use unique port numbers. You receive a warning message when you configure the two instances of the command with the same IP address. The warning message is,

“%Warning: Second destination address is the same as previous address <ip-address>”.


Before Cisco IOS Releases 12.4(4)T, 12.2(33)SXI4, and Cisco IOS XE Release 2.6, only one routing option existed for NetFlow export data packets. NetFlow sent all export data packets to the global routing table for routing to the export destinations you specified.

Cisco IOS Release 12.4(4)T, Cisco IOS XE Release 2.6, Cisco IOS Release 12.2(33)SXI4, and later releases provide an additional routing option for NetFlow export data packets. You can send NetFlow data export packets to a Virtual Private Network (VPN) routing/forwarding instance (VRF) for routing to the destinations that you specify.



More Information on NetFlow Data Export

For more information on NetFlow Data Export (NDE) on a Cisco Catalyst 6500 series switch, refer to the

“Configuring NDE” chapter in the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide .

For more information on NetFlow Data Export (NDE) on a Cisco 7600 series router, refer to the

“Configuring NDE” chapter in the Cisco 7600 Series Cisco IOS Software Configuration Guide .

78



For more information on NetFlow Data Export (NDE) on Cisco routers, refer to the “Configuring NetFlow and NetFlow Data Export” chapter in the Cisco IOS NetFlow Configuration Guide .

Examples

The following example shows how to configure the networking device to export the NetFlow cache entry to a single export destination system:

Router(config)# ip flow-export destination 10.42.42.1 9991

The following example shows how to configure the networking device to export the NetFlow cache entry to multiple destination systems:



The following example shows how to configure the networking device to export the NetFlow cache entry to two different UDP ports on the same destination system:



%Warning: Second destination address is the same as previous address 10.42.42.1

The following example shows how to configure the networking device to export NetFlow data to a export destination that is reachable in VRF group1:

Router(config)# ip flow-export destination 172.16.10.2 78 vrf group1


Command

ip flow-export interface-names ip flow-export source ip flow-export template ip flow-export version


Description

Enables the inclusion of the interface names for the flows during the export of NetFlow accounting information in NetFlow cache entries.

Specifies the interface from which NetFlow will derive the source IP address for the NetFlow export datagrams containing NetFlow accounting information from NetFlow cache entries.


NetFlow accounting information in NetFlow cache entries





79

backup (NetFlow SCTP) through ip route-cache flow ip flow-export destination sctp

ip flow-export destination sctp

To enable the reliable export of NetFlow accounting information in NetFlow cache entries, use the ip flow-

export destination sctp command in global configuration mode. To disable the reliable export of information, use the noform of this command.

ip flow-export destination {ip-address | hostname} port [vrf vrf-name] sctp

no ip flow-export destination {ip-address | hostname} port [vrf vrf-name] sctp



port

vrf vrf-name





Note


VRF

Command Default

Reliable export of NetFlow information is disabled.

Command Modes


Command History

Release

12.4(4)T

Modification



NetFlow Reliable Export Using SCTP

SCTP can be used as an alternative to UDP when you need a more robust and flexible transport protocol than UDP. SCTP is a reliable message-oriented transport layer protocol, which allows data to be transmitted between two end-points in a reliable, partially reliable, or unreliable manner.

An SCTP session consists of an association (connection) between two end-points (peers), which can contain one or more logical channels called streams. The default mode of transmission for a stream is to

80


backup (NetFlow SCTP) through ip route-cache flow ip flow-export destination sctp

guarantee reliable ordered delivery of messages using a selective-acknowledgment scheme. SCTP buffers messages until their receipt has been acknowledged by the receiving end-point. SCTP has a congestion control mechanism which limits how much memory is consumed by the SCTP stack, in packet buffering.


Before Cisco IOS Release 12.4(4)T, one routing option existed for NetFlow export data packets. NetFlow sent all export data packets to the global routing table for routing to the destinations you specified.

Cisco IOS 12.4(4)T and later releases provide an additional routing option for NetFlow export data packets.

You can send NetFlow data export packets to a Virtual Private Network (VPN) routing/forwarding instance

(VRF) for routing to the destinations that you specify.



Examples

The following example shows how to configure the networking device to use SCTP as the transport protocol when exporting NetFlow data:


The following example shows how to configure the networking device to use SCTP as the transport protocol when exporting NetFlow data to a host that is reachable in VRF group1:

Router(config)# ip flow-export destination 172.16.10.2 78 vrf group1 sctp


Command backup reliability


Description







81

backup (NetFlow SCTP) through ip route-cache flow ip flow-export hardware version

ip flow-export hardware version

To specify the NetFlow Data Export (NDE) version for hardware-switched flows, use the ip flow-export

hardware versioncommand in global configuration mode. To return to the default settings, use the noform of this command.

ip flow-export hardware version [5 | 7]

no ip flow-export hardware version


5

7

Specifies that the export packet uses the version 5 format; see the “Usage Guidelines” section for additional information.


Command Default

Version 7

Command Modes


Command History

Release

12.2(18)SXD

Modification


Supervisor Engine 720 and the Supervisor Engine

2.


The ip flow-export hardware version command is only supported on systems that have a version 2

Supervisior Engine.

Examples

This example shows how to specify the NDE version for hardware-switched flows:

Router(config)#

ip flow-export hardware version 5

Router(config)#

82


backup (NetFlow SCTP) through ip route-cache flow ip flow-export hardware version


Command

ip flow-export interface

ip flow-export version (Supervisor Engine 2)


Description

Enables the interface-based ingress NDE for hardware-switched flows.

Specifies the version for the export of information in NetFlow cache entries.



83

backup (NetFlow SCTP) through ip route-cache flow ip flow-export interface-names

ip flow-export interface-names

To enable the inclusion of the interface names for the flows during the export of NetFlow accounting information in NetFlow cache entries, use the ip flow-export interface-names command in global configuration mode. To return to the default behavior, use the noform of this command.

ip flow-export interface-names

no ip flow-export interface-names


There are no keywords or arguments for this command.

Command Default

Inclusion the interface names for the flows during the export of NetFlow accounting information in

NetFlow cache entries is disabled.

Command Modes


Command History

Release

12.4(2)T

Modification



The interface-names keyword for the ip flow-export command configures NetFlow to include the interface names from the flows when it exports the NetFlow cache entry to a destination system.

Prior to the addition of the interface-names keyword you had to poll the SNMP MIB for this information and correlate IF-index entries to interface names. After you enable the ip flow-export interface-names command the information is included in the exported NetFlow cache entries.

Note

Interface names are exported as options templates/records.

Examples

The following example shows how to configure the networking device to include the interface names from the flows when it exports the NetFlow cache entry to a destination system:

Router(config)# ip flow-export interface-names

84




Command

ip flow-export destination

ip flow-export source

ip flow-export template

ip flow-export version


ip flow-export interface-names

Description

Enables the export of NetFlow accounting information in NetFlow cache entries to a remote device such as a server running an application that analyzes NetFlow data.








85

backup (NetFlow SCTP) through ip route-cache flow ip flow-export source

ip flow-export source

To specify the interface from which NetFlow will derive the source IP address for the NetFlow export datagrams containing NetFlow accounting information from NetFlow cache entries, use the ip flow-export

source command in global configuration mode. To return to the default behavior, use the noform of this command.

ip flow-export source interface type number

no ip flow-export source interface type number


interface type number

Interface name followed by the interface type and number.

Command Default

NetFlow uses the IP address of the interface that the datagram is transmitted over as the source IP address for the NetFlow datagrams.

Command Modes


Command History

Release

11.1 CA

12.0(24)S

12.2(14)S

12.2(27)SBC

12.2(18)SXF

12.2(33)SRA

15.0(1)M

Modification



Release 12.0(24)S.


Release 12.2(14)S.







This command was integrated into a release earlier than Cisco IOS Release 15.0(1)M. The interface

type numberkeyword and arguments were added.

86



Release

12.2(33)SRC

12.2(33)SXI

Cisco IOS XE Release2.1

ip flow-export source

Modification

This command was modified. The interface type

numberkeyword and arguments were added.

This command was modified. The interface type

numberkeyword and arguments were added.

This command was integrated into Cisco IOS XE

Release 2.1.


After you configure NetFlow data export, use the ip flow-export sourcecommand to specify the interface that NetFlow will use to obtain the source IP address for the NetFlow datagrams that it sends to destination systems, such as a system running NFC Engine. This will override the default behavior (using the IP address of the interface that the datagram is transmitted over as the source IP address for the NetFlow datagrams).

Some of the benefits of using a consistent IP source address for the datagrams that NetFlow sends are:

• The source IP address of the datagrams exported by NetFlow is used by the destination system to determine which router the NetFlow data is arriving from. If your network has two or more paths that can be used to send NetFlow datagrams from the router to the destination system and you do not specify the source interface from which the source IP address is to obtained, the router uses the IP address of the interface that the datagram is transmitted over as the source IP address of the datagram.

In this situation the destination system might receive NetFlow datagrams from the same router, but with different source IP addresses. This causes the destination system to treat the NetFlow datagrams as if they were being sent from different routers unless you have configured the destination system to aggregate the NetFlow datagrams it receives from all of the possible source IP addresses in the router into a single NetFlow flow.

• If your router has multiple interfaces that can be used to transmit datagrams to the CNS NFC, and you do not configure the ip flow-export source interfacecommand, you will have to add an entry for the

IP address of each interface into any access lists that you create for permitting NetFlow traffic. It is easier to create and maintain access-lists for permitting NetFlow traffic from known sources and blocking it from unknown sources when you limit the source IP address for NetFlow datagrams to a single IP address for each router that is exporting NetFlow traffic.

You can use the IP address of a loopback interface as the source IP address for NetFlow traffic by entering the ip flow-export source interface type[number | slot/port] command (for example, ip flow-export

source interfaceloopback 0 ).Doing so makes it more difficult for people who want to attack your network by spoofing the source IP address of your NetFlow-enabled routers to determine which IP address to use.

This is because the IP addresses assigned to loopback interfaces are not as easy to discover as the IP addresses assigned to physical interfaces on the router. For example, it is easy to determine the IP address of a Fast Ethernet interface on a router that is connected to a LAN that has end user devices on it. You simply check the configuration of one of the devices for its IP default gateway address.

If the export destination is in a VRF, the ip flow-export source command specifies an interface, which is not an interface in the same VRF as the destination. Therefore, the code will automatically pickup an interface on the local router that is in the same VRF as the export-destination and hence ignore the configured export source.


87

backup (NetFlow SCTP) through ip route-cache flow ip flow-export source

Examples

The following example shows how to configure NetFlow to use a loopback interface as the source interface for NetFlow traffic.

Caution

The interface that you configure as the ip flow-export source interface must have an IP address configured and it must be up.

Router(config)# ip flow-export source loopback0


Command



ip flow-export template



Description








88


backup (NetFlow SCTP) through ip route-cache flow ip flow-export template

ip flow-export template

To configure template options for the export of NetFlow accounting information in NetFlow cache entries, use the ip flow-export template command in global configuration mode. To remove the configured refresh-rate and timeout-rate and to return to the default rate, use the noform of this command.

Configure template only

ip flow-export template {refresh-rate packets | timeout-rate minutes}

no ip flow-export template {refresh-rate | timeout-rate}

Configure template options

ip flow-export template options {export-stats | refresh-rate packets | timeout-rate minutes |

sampler | nbar}

no ip flow-export template options {export-stats | refresh-rate | timeout-rate | sampler | nbar}

Syntax Description template



options export-stats sampler

Enables the refresh-rate and timeout-rate keywords for the configuring of Version 9 export templates.

Specifies the number of export packets that are sent before the options and flow templates are resent.

Range: 1 to 600. Default: 20.

Specifies the interval (in minutes) that the router waits after sending the templates (flow and options) before sending them again. Range: 1 to 3600.

Default: 30.

Enables the export-stats, refresh-rate, sampler and timeout-rate keywords for configuring

Version 9 export options.

Enables the export of statistics including the total number of flows exported and the total number of packets exported.

When Version 9 export is configured, this keyword enables the export of an option containing a random-sampler configuration, including the sampler ID, sampling mode, and sampling interval for each configured random sampler.

Note

You must have a flow sampler map configured before you can configure the sampler keyword for the ip flow-export

template options command.


89

backup (NetFlow SCTP) through ip route-cache flow ip flow-export template nbar

Exports application mapping information to the

NetFlow data collector.

Command Default

The export template and export template options are not configured.

Command Modes


Command History

Release

12.3(2)T

12.2(27)SBC

12.2(18)SXF

12.2(33)SRA

12.2(18)ZYA2

Modification










The ip flow-export template options export-stats command requires that the NetFlow Version 9 export format be already configured on the router.

The ip flow-export template options sampler command requires that the NetFlow Version 9 export format and a flow sampler map be already configured on the router.

The ip flow-export template options nbar command exports application IDs to string mapping as options.

It displays string values for application IDs to which they are mapped. To export the application mapping information, you must enable NetFlow Export Version 9 export format and have Network Based

Application Recognition (NBAR) configured on the device.

Examples

The following example shows how to configure NetFlow so that the networking device sends the export statistics (total flows and packets exported) as options data:

Router(config)# ip flow-export template options export-stats

The following example shows how to configure NetFlow to wait until 100 export packets have been sent or

60 minutes have passed since the last time the templates were sent (whichever comes first) before the templates are resent to the destination host:

Router(config)# ip flow-export template refresh-rate 100

Router(config)# ip flow-export template timeout-rate 60

90


backup (NetFlow SCTP) through ip route-cache flow ip flow-export template

The following example shows how to configure NetFlow to enable the export of information about

NetFlow random samplers:

Router(config)# ip flow-export template options sampler

Tip

You must have a flow-sampler map configured before you can configure the sampler keyword for the ip

flow-export template options command.

The following example shows how to configure NetFlow to enable the export of application mapping information:

Router(config)# ip flow-export template options nbar


Command






Description








91

backup (NetFlow SCTP) through ip route-cache flow ip flow-export version

ip flow-export version

To specify the export version format for the exporting of NetFlow accounting information in NetFlow cache entries, use the ip flow-export version command in global configuration mode. To return to the default behavior, use the noform of this command.

ip flow-export version {1 | {5 | 9} [origin-as | peer-as] [bgp-nexthop]}

no ip flow-export version {1 | {5 | 9} [origin-as | peer-as] [bgp-nexthop]}


1

5

9 origin-as peer-as bgp-nexthop

Specifies that the export datagram uses the version

1 format. This is the default.

Specifies that the export datagram uses the version

5 format.

(Specifies that the export datagram uses the version

9 format.

(Optional) Specifies that export statistics include the originating autonomous system (AS) for the source and destination.

(Optional) Specifies that export statistics include the peer AS for the source and destination.

(Optional) Specifies that export statistics include

Border Gateway Protocol (BGP) next-hop-related information.

Command Default

Version 1 is the default export format for the exporting of NetFlow accounting information in NetFlow cache entries.

Command Modes


Command History

Release

11.1CA

12.0(24)S

Modification



Release 12.0(24)S, and the 9 keyword was added.

92



Release

12.0(26)S

12.2(14)S

12.3(1)

12.2(18)S

12.2(27)SBC

12.2(18)SXF

12.2(33)SRA


Modification



Release 12.2(14)S.

Support for the BGP Next Hop Support and

NetFlow v9 Export Format features was added.

Support for the BGP Next Hop Support and

NetFlow v9 Export Format features was added.








The ip flow-export version command supports three export data formats: Version 1, Version 5, and

Version 9. Version 1 should be used only when it is the only NetFlow data export format version that is supported by the application that you are using to analyze the exported NetFlow data. Version 5 exports more fields than Version 1. Version 9 is the only flexible export format version.

The NetFlow Version 9 Export Format feature was introduced in Cisco IOS Release 12.0(24)S and was integrated into Cisco IOS Release 12.3(1) and Cisco IOS Release 12.2(18)S.

NetFlow Version 9 is a flexible and extensible means for transferring NetFlow records from a network node to a collector. NetFlow Version 9 has definable record types and is self-describing for easier NetFlow

Collection Engine configuration.

Third-party business partners who produce applications that provide NetFlow Collection Engine or display services for NetFlow do not need to recompile their applications each time a new NetFlow technology is added. Instead, with the NetFlow Version 9 Export Format feature, they can use an external data file that documents the known template formats and field types.

NetFlow Version 9 has the following characteristics:

• Record formats are defined by templates.

• Template descriptions are communicated from the router to the NetFlow Collection (NFC) Engine.

• Flow records are sent from the router to the NetFlow Collection Engine with minimal template information so that the NetFlow Collection Engine can relate the records to the appropriate template.

Version 9 is independent of the underlying transport (UDP, TCP, SCTP, and so on).

Note

The values for the BGP next hop IP address captured by the bgp-nexthop command are exported to a

NetFlow export destination only when the Version 9 export format is configured.


93

backup (NetFlow SCTP) through ip route-cache flow ip flow-export version

Note

In order for the BGP information to be populated in the main cache, you must have either a NetFlow export destination configured or a NetFlow aggregation configured.

Note


For more information on the available export data formats, see the Cisco IOS NetFlow Configuration

Guide, Release 12.4T. For more information on the Version 9 data format, see the

Cisco IOS NetFlow

Version 9 Export Format Feature Guide

.

Caution

Entering the ip flow-export versionor no ip flow-export versioncommand on the Cisco 12000 series

Internet routers, Cisco 6500 series routers, and Cisco 7600 series routers and specifying a format other than version 1 (in other words, entering the ip flow-export versionor no ip flow-export versioncommand and specifying the 5 keyword) causes packet forwarding to stop for a few seconds while NetFlow reloads the

Route Processor and line card Cisco Express Forwarding tables. To avoid interruption of service to a live network, apply this command during a change window, or include it in the startup-config file to be executed during a router reboot.

Examples

The following example shows how to configure the networking device to use the NetFlow Version 9 format for the exported data and how to include the originating autonomous system (origin-as) with its corresponding next BGP hop (bgp-nexthop):

Router(config)# ip flow-export version 9 origin-as bgp-nexthop


Command

ip flow-export destination ip flow-export interface-names ip flow-export source

Description




94



Command

ip flow-export template



Description





95

backup (NetFlow SCTP) through ip route-cache flow ip flow-export version (Supervisor Engine 2)

ip flow-export version (Supervisor Engine 2)

To specify the version for the export of information in NetFlow cache entries, use the ip flow-export

versioncommand in global configuration mode. To disable information exporting, use the noform of this command.

ip flow-export version {1 | 5 [origin-as | peer-as] | 6 [origin-as | peer-as]}

no ip flow-export version


1

5 origin-as peer-as

6



(Optional) Specifies that export statistics include the origin autonomous system for the source and destination.

(Optional) Specifies that export statistics include the peer autonomous system for the source and destination.


Command Default

Version 1

Command Modes


Command History

Release

12.2(17d)SXB

Modification




This command documentation applies only to systems that have a version 2 Supervisior Engine.

NDE makes traffic statistics available for analysis by an external data collector. You can use NDE to monitor all Layer 3 switched and all routed IP unicast traffic. In the Cisco 7600 series router, both the

96



Policy Feature Card (PFC) and the Multilayer Switch Feature Card (MSFC) maintain NetFlow caches that capture flow-based traffic statistics. The cache on the PFC captures statistics for Layer 3-switched flows.

The cache on the MSFC captures statistics for routed flows.

Note

NDE can use NDE version 1, 5, or 6 to export the statistics that are captured on the MSFC for routed traffic.

The number of records stored in the datagram is a variable from 1 to 24 for version 1. The number of records stored in the datagram is a variable between 1 and 30 for version 5.

For more information on NDE, refer to the “Configuring NDE” chapter in the Cisco 7600 Series Router

Cisco IOS Software Configuration Guide.

Examples

This example shows how to export the data using the version 5 format and include the peer autonomous system information:

Router# configure terminal

Router(config)# interface loopback0

Router(config-if)# ip address 4.0.0.1 255.0.0.0

Router(config-if)# exit

Router(config)# interface serial 5/0:0

Router(config-if)# ip unnumbered loopback0

Router(config-if)# no ip mroute-cache

Router(config-if)# encapsulation ppp

Router(config-if)# ip route-cache flow


Router(config)# ip flow-export version 5 peer-as

Router(config)# exit


Command



ip route-cache flow

Description

Exports the NetFlow cache entries to a specific destination.

Specifies the source interface IP address that is used in the NDE datagram.

Enables NetFlow switching for IP routing.


97



To specify the version for the export of information in NetFlow cache entries, use the ip flow-export

versioncommand in global configuration mode. To return to the default settings, use the noform of this command.

ip flow-export version {1 | 5 [origin-as | peer-as] | 9 [bgp-nexthop | origin-as | peer-as]}

no ip flow-export version


1

5 origin-as peer-as

9 bgp-nexthop

Specifies that the export packet use the version 1 format; see the “Usage Guidelines” section for additional information.

Specifies that the export packet use the version 5 format; see the “Usage Guidelines” section for additional information.

(Optional) Specifies that export statistics include the origin autonomous system for the source and destination.

(Optional) Specifies that export statistics include the peer autonomous system for the source and destination.


(Optional) Specifies that export statistics include the BGP next hop for the source and destination.

Command Default

Export of information in NetFlow cache entries is disabled.

Command Modes


Command History

Release

12.2(17d)SXB

Modification


Engine 720.

98



Release

12.2(18)SXF

12.2(33)SRA


Modification

Support was added for NetFlow version 9 export format on the Supervisor Engine 720.




Version 5 and version 9 formats include the source and destination autonomous-system addresses and source and destination prefix masks. Also, version 9 includes BGP next-hop information.

The number of records stored in the datagram is a variable from 1 to 24 for version 1. The number of records stored in the datagram is a variable between 1 and 30 for version 5.

For more information on NDE, refer to the “Configuring NDE” chapter in the Cisco 7600 Series Router

Cisco IOS Software Configuration Guide.

Caution

Entering the ip flow-export versionor no ip flow-export versioncommand on the Cisco 12000 series

Internet routers, Cisco 6500 series routers, and Cisco 7600 series routers and specifying a format other than version 1 (in other words, entering the ip flow-export versionor no ip flow-export versioncommand and specifying the 5 keyword) causes packet forwarding to stop for a few seconds while NetFlow reloads the

Route Processor and line card Cisco Express Forwarding tables. To avoid interruption of service to a live network, apply this command during a change window, or include it in the startup-config file to be executed during a router reboot.

Examples

This example shows how to export the data using the version 5 format:

Router(config)# ip flow-export version 5


Command

ip flow-export version (Supervisor Engine 2)


Description

Specifies the version for the export of information in NetFlow cache entries.



99

backup (NetFlow SCTP) through ip route-cache flow ip flow-top-talkers

ip flow-top-talkers

To configure NetFlow top talkers to capture traffic statistics for the unaggregated top flows of the heaviest traffic patterns and most-used applications in the network, use the ip flow-top-talkerscommand in global configuration mode. To disable NetFlow top talkers, use the no form of this command.


no ip flow-top-talkers



Command Default

NetFlow top talkers is disabled by default.

Command Modes


Command History

Release

12.2(25)S

12.3(11)T

12.2(27)SBC

12.2(33)SRA

12.2SX

Modification



12.3(11)T.









Tip

The ip flow-top-talkerscommand does not appear in the configuration until you have configured the

topnumber and sort-by [bytes | packets] commands.

Enabling NetFlow


100



Examples ip flow-top-talkers



Cache Timeout

The timeout period as specified by the cache-timeout command does not start until the show ip flow top-

talkers command is entered. From that time, the same top talkers are displayed until the timeout period expires. To recalculate a new list of top talkers before the timeout period expires, you can change the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-

talkerscommand.

A long timeout period for the cache-timeout command limits the system resources that are used by the

NetFlow top talkers feature. However, the list of top talkers is calculated only once during the timeout period. If a request to display the top talkers is made more than once during the timeout period, the same results are displayed for each request, and the list of top talkers is not recalculated until the timeout period expires.





A good method to ensure that the latest information is displayed, while also conserving system resources, is to configure a large value for the timeout period, but cause the list of top talkers to be recalculated by changing the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow

top-talkerscommand to display the top talkers. Changing the parameters of the cache-timeout, top, or

sort-by command causes the list of top talkers to be recalculated upon receipt of the next command line interface (CLI) or MIB request.

Use the show ip flow top-talkers command to display the list of unaggregated top flows.

In the following example, a maximum of four top talkers is configured. The sort criterion is configured to sort the list of top talkers by the total number of bytes for each Top Talker.




The following example shows the output of the show ip flow top talkers command with the configuration from the previous example:



Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K

Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K

Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K

Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K



101

ip flow-top-talkers


Command cache-timeout



sort-by top





Description

Specifies the length of time for which the list of top talkers (heaviest traffic patterns and most-used applications in the network) for the NetFlow MIB and top talkers feature is retained.












102


backup (NetFlow SCTP) through ip route-cache flow ip multicast netflow

ip multicast netflow

To configure multicast NetFlow accounting on an interface, use the ip multicast netflowcommand in interface configuration mode. To disable multicast NetFlow accounting, use the no form of this command.

ip multicast netflow {ingress | egress}

no ip multicast netflow {ingress | egress}

Syntax Description ingress egress

Enables multicast NetFlow (ingress) accounting.

Enables multicast NetFlow (egress) accounting.

Command Default

Multicast ingress NetFlow accounting is enabled.

Multicast egress NetFlow accounting is disabled.

Command Modes

Interface configuration

Command History

Release

12.3(1)

12.2(18)S

12.2(27)SBC

12.2(18)SXD

12.2(18)SXF

12.2(33)SRA

12.2(31)SB2

Modification



Release 12.2(18)S.








Release 12.2(33)SRA




103


Release

12.4(11)T

12.4(12)

12.(33)SRB

12.(33)SXH

12.(33)SB

Modification

In Cisco IOS Release 12.4(11)T this command was moved to global configuration mode and the

ingress and egress keywords were replaced by the

output-counters keyword. See the ip multicast

netflow output-counters command.

In Cisco IOS Release 12.4(12) this command was moved to global configuration mode and the




In Cisco IOS Release 12.(33)SRB this command was moved to global configuration mode and the




In Cisco IOS Release 12.(33)SXH this command was moved to global configuration mode and the




In Cisco IOS Release 12.(33)SB this command was moved to global configuration mode and the






ip multicast netflow ingress

NetFlow (ingress) accounting for multicast traffic is enabled by default. The ip multicast netflow ingress command does not appear in the configuration.

ip multicast netflow egress

You must enable multicast egress NetFlow accounting on all interfaces for which you want to count outgoing multicast streams.

To display the multicast entries, enter the show mls netflow ip command.

Examples

The following example shows how to enable multicast ingress NetFlow accounting on the ingress Ethernet

1/0 interface:

Router(config)# interface ethernet 1/0

Router(config-if)# ip multicast netflow ingress

104



The following example shows how to enable multicast egress NetFlow accounting on the egress Ethernet interface 0/0:

Router(config)# interface ethernet 0/0

Router(config-if)# ip multicast netflow egress


Command

ip multicast netflow rpf-failure




show ip mroute


Description

Enables accounting for multicast data that fails the

RPF check.

Displays a summary of the NetFlow statistics.

Displays a detailed summary of the NetFlow statistics.


Displays the contents of the IP multicast routing

(mroute) table.


IP.


105

backup (NetFlow SCTP) through ip route-cache flow ip multicast netflow output-counters

ip multicast netflow output-counters

To enable NetFlow accounting for the number of bytes and packets of multicast traffic forwarded from an ingress flow, use the ip multicast netflow output-counterscommand in global configuration mode. To disable accounting for the number of bytes and packets forwarded, use the no form of this command.

ip multicast netflow output-counters

no ip multicast netflow output-counters



Command Default

Accounting for the number of bytes and packets of multicast traffic that is forwarded is disabled.

Command Modes


Command History

Release

12.3(1)

12.2(18)S

12.4(11)T

12.4(12)

12.2(33)SRB

12.2(33)SXH

12.2(33)SB

Modification



Release 12.2(18)S.


Release 12.4(11)T.


Release 12.4(12).




Release 12.2(33)SXH.


Release 12.2(33)SB.



106


backup (NetFlow SCTP) through ip route-cache flow ip multicast netflow output-counters

Examples

The following example shows how to enable NetFlow accounting for the number of bytes and packets of multicast traffic forwarded from an ingress flow:


Router(config)# ip multicast netflow output-counters

Router(config)# end


Command

ip multicast netflow





show ip rpf

show ip rpf events

Description

Configures multicast NetFlow accounting on an interface.





(mroute) table.

Displays how IP multicast routing does RPF.

Displays the last 15 triggered multicast RPF check events.


107

backup (NetFlow SCTP) through ip route-cache flow ip multicast netflow rpf-failure

ip multicast netflow rpf-failure

To enable NetFlow accounting for multicast data that fails the reverse path forwarding (RPF) check

(meaning any IP packets that lack a verifiable IP source address), use the ip multicast netflow rpf-failure command in global configuration mode. To disable accounting for multicast data that fails the RPF check, use the no form of this command.

ip multicast netflow rpf-failure

no ip multicast netflow rpf-failure



Command Default

Accounting for multicast data that fails the RPF check is disabled.

Command Modes


Command History

Release

12.3(1)

12.2(18)S

12.2(27)SBC

12.2(18)SXF

12.2(33)SRA

Modification



Release 12.2(18)S.









Examples

The following example shows how to enable accounting for multicast data that fails the RPF check:


Router(config)# ip multicast netflow rpf-failure

Router(config)# end

108




Command

ip multicast netflow





show ip rpf

show ip rpf events

ip multicast netflow rpf-failure

Description

Configures multicast NetFlow accounting on an interface.





(mroute) table.

Displays how IP multicast routing does RPF.

Displays the last 15 triggered multicast RPF check events.


109

backup (NetFlow SCTP) through ip route-cache flow ip route-cache flow

ip route-cache flow

Effective with Cisco IOS Releases 12.4(2)T and 12.2(18)SXD, the ip route-cache flowcommand is replaced by the ip flow ingresscommand. See the ip flow ingress command for more information.

To enable NetFlow (ingress) accounting for traffic arriving on an interface, use the ip route-cache

flowcommand in interface configuration mode. To disable NetFlow (ingress) accounting for traffic arriving on an interface, use the no form of this command in interface configuration mode.

ip route-cache flow

no route-cache flow



Command Default

This command is not enabled by default.

Command Modes


Command History

Release

11.1

12.4(2)T

12.2(14)S

12.2(25)S

12.2(14)SX

12.2(27)SBC

12.2(17d)SXB

12.2(18)SXD

Modification


The ip route-cache flow command is automatically remapped to the ip flow-ingress command.


Release 12.2(14)S.









110



Release

12.2(18)SXF

12.2(33)SRA


Command




ip route-cache flow

Modification






Use this command on an interface or subinterface to enable NetFlow (ingress) accounting for traffic that is being received by the router.

Cisco IOS Release 12.2(25)S and 12.2(18)SXD

When you enter the ip route-cache flow command to enable NetFlow (ingress) accounting on an interface in a router that is running Cisco IOS Release 12.2(25)S or later, or Cisco IOS Release 12.2(18)SXD or later, the command is automatically remapped to the ip flow-ingress command before it is added to the in the running configuration. Therefore you must use the no ip flow ingress command to disable NetFlow

(ingress) accounting on the interface.

Examples

The following example shows how to enable NetFlow (ingress) accounting on Ethernet interface 0/0 using the ip route-cache flow command:

Router(config)# interface Ethernet0/0


route-cache flow

The following example shows how to disable NetFlow (ingress) accounting on Ethernet interface 0/0 of a router that is running Cisco IOS Release 12.2(25)S or later using the no ip flow ingress command:


Router(config-if)# no ip flow ingress

Description





111



112


mask (IPv4) through top mask (IPv4)

mask (IPv4)

To specify the source or destination prefix mask for a NetFlow accounting prefix aggregation cache, use the maskcommand in aggregation cache configuration mode. To disable the source or destination mask, use the no form of this command.

mask [destination | source] minimum value

no mask [destination | source] minimum value

Syntax Description destination source minimum

value

Specifies the destination mask for a NetFlow accounting aggregation cache.

Specifies the source mask for a NetFlow accounting aggregation cache.

Configures the minimum value for the mask.

Specifies the value for the mask. Range is from 1 to

32.

Command Default

The default value of the minimum source or destination mask is 0.

Command Modes

NetFlow aggregation cache configuration

Command History

Release

12.1(2)T

12.2(14)S

12.2(27)SBC

12.2(18)SXF

12.2(33)SRA

Modification



Release 12.2(14)S.








113




The NetFlow accounting minimum prefix mask allows you to set a minimum mask size for the traffic that will be added to the NetFlow aggregation cache. The source or destination IP address (depending on the type of aggregation cache that you are configuring) is ANDed with the larger of the two masks (the mask that you enter with the mask command and the mask in the IP routing table) to determine if the traffic should be added to the aggregation cache that you are configuring.

To enable the minimum prefix mask for a particular aggregation cache, configure the desired minimum mask value using the NetFlow aggregation cache commands. The minimum mask value in the range of

1-32 is used by the router defines the granularity of the NetFlow data that is collected:

• For coarse NetFlow collection granularity, select a low minimum mask value.

• For fine NetFlow collection granularity, select a high minimum mask value.

Specifying the minimum value for the source or destination mask of a NetFlow accounting aggregation cache is permitted only for the following NetFlow aggregation cache types:

• Destination prefix aggregation (destination mask only)

• Destination prefix TOS aggregation (destination mask only)

• Prefix aggregation (source and destination mask)

• Prefix-port aggregation (source and destination mask)

• Prefix-TOS aggregation (source and destination mask)

• Source prefix aggregation (source mask only)

• Source prefix TOS aggregation (source mask only)

Examples mask source

The following example shows how to configure the source-prefix aggregation cache:


Router(config-flow-cache)# enable

The following output from the show ip cache flow aggregation source-prefix command shows that, with no minimum mask configured, nine flows are included in the NetFlow source prefix aggregation cache:

Router# show ip cache flow aggregation source-prefix

IP Flow Switching Cache, 278544 bytes

9 active, 4087 inactive, 18 added

950 ager polls, 0 flow alloc failures

Active flows timeout in 30 minutes

Inactive flows timeout in 15 seconds

IP Sub Flow Cache, 21640 bytes

9 active, 1015 inactive, 18 added, 18 added to flow

0 alloc failures, 0 force free

1 chunk, 1 chunk added

Src If Src Prefix Msk AS Flows Pkts B/Pk Active

Et0/0.1 10.10.10.0 /24 0 4 668 762 179.9

Et0/0.1 10.10.10.0 /24 0 4 668 762 180.8

Et0/0.1 10.10.11.0 /24 0 4 668 1115 180.9

Et0/0.1 10.10.11.0 /24 0 4 668 1115 181.9

Et0/0.1 10.1.0.0 /16 0 4 668 1140 179.9

Et0/0.1 10.1.0.0 /16 0 4 668 1140 179.9

Et0/0.1 172.16.6.0 /24 0 1 6 52 138.4

Et0/0.1 172.16.1.0 /24 0 8 1338 1140 182.1

Et0/0.1 172.16.1.0 /24 0 8 1339 1140 181.0

Router#

114



The following example shows how to configure the source-prefix aggregation cache using a minimum source mask of 8:




The following output from the show ip cache flow aggregation source-prefix command shows that with a minimum mask of 8 configured, only five flows from the same traffic used in the previous example are included in the NetFlow source prefix aggregation cache:

Router# show ip cache flow aggregation source-prefix









1 chunk, 7 chunks added

Minimum source mask is configured to /8

Src If Src Prefix Msk AS Flows Pkts B/Pk Active

Et0/0.1 10.0.0.0 /8 0 12 681 1007 64.8

Et0/0.1 172.16.6.0 /24 0 1 3 52 56.1

Et0/0.1 10.0.0.0 /8 0 12 683 1006 64.8

Et0/0.1 172.16.1.0 /24 0 8 450 1140 61.8

Et0/0.1 172.16.1.0 /24 0 8 448 1140 61.5

Router#

mask destination

The following example shows how to configure the destination-prefix aggregation cache:



The following output from the show ip cache flow aggregation destination-prefix command shows that, with no minimum mask configured, only two flows are included in the NetFlow source prefix aggregation cache:

Router# show ip cache flow aggregation destination-prefix










Dst If Dst Prefix Msk AS Flows Pkts B/Pk Active

Et1/0.1 172.16.10.0 /24 0 120 6737 1059 371.0

Et1/0.1 172.16.10.0 /24 0 120 6739 1059 370.9

The following example shows how to configure the destination-prefix aggregation cache using a minimum source mask of 32:





115


The following output from the show ip cache flow aggregation destination-prefix command shows that, with a minimum mask of 32 configured, 20 flows from the same traffic used in the previous example are included in the NetFlow source prefix aggregation cache:

Router# show ip cache flow aggregation destination-prefix










Minimum destination mask is configured to /32

Dst If Dst Prefix Msk AS Flows Pkts B/Pk Active

Et1/0.1 172.16.10.12 /32 0 1 57 1140 60.6

Et1/0.1 172.16.10.12 /32 0 1 57 1140 60.6

Et1/0.1 172.16.10.14 /32 0 1 57 1140 60.6

Et1/0.1 172.16.10.9 /32 0 1 57 1140 60.6

Et1/0.1 172.16.10.11 /32 0 1 57 1140 60.6

Et1/0.1 172.16.10.10 /32 0 1 57 1140 60.6

Et1/0.1 172.16.10.11 /32 0 1 57 1140 60.6

Et1/0.1 172.16.10.10 /32 0 1 57 1140 60.6

Et1/0.1 172.16.10.5 /32 0 1 56 1040 59.5

Et1/0.1 172.16.10.4 /32 0 1 56 940 59.5

Et1/0.1 172.16.10.4 /32 0 1 56 940 59.5

Et1/0.1 172.16.10.7 /32 0 1 57 1140 60.6

Et1/0.1 172.16.10.7 /32 0 1 57 1140 60.6

Et1/0.1 172.16.10.1 /32 0 1 56 628 59.5

Et1/0.1 172.16.10.2 /32 0 1 56 640 59.5

Et1/0.1 172.16.10.17 /32 0 1 56 1140 59.5

Et1/0.1 172.16.10.17 /32 0 1 56 1140 59.5

Et1/0.1 172.16.10.18 /32 0 1 56 1140 59.5

Et1/0.1 172.16.10.19 /32 0 1 56 1140 59.5

Et1/0.1 172.16.10.18 /32 0 1 56 1140 59.5


Command cache







Description








116



Command


mask (IPv4)

Description



117

mask (IPv4) through top mask

mask

To specify the destination or source mask, use the maskcommand in aggregation cache configuration mode. To disable the destination mask, use the no form of this command.

mask {destination | source} minimum value

no mask destination minimum value

Syntax Description destination source

value

Specifies that the destination mask is to be used for determining the aggregation cache.

Specifies that the source mask is to be used for determining the aggregation cache.

Specifies the number of bits to record from the source or destination mask. Range is from 1 to 32.

Command Default

The default value of the minimum mask is zero.

Command Modes

Aggregation cache configuration

Command History

Release

12.1(2)T

12.3(7)T

12.2(30)S

12.2(33)SRA

12.2(33)SXH

Modification


Support was added for IPv6 source and destination addresses to be used for cache aggregation.


Release 12.2(30)S.






This command is only available with router-based aggregation. Minimum masking capability is not available if router-based aggregation is not enabled.

118


mask (IPv4) through top mask

Examples

The following example shows how to configure the mask to use the destination-prefix as the aggregation cache scheme with a minimum mask value of 32:

Router(config)# ipv6 flow-aggregation cache destination-prefix

Router(config-flow-cache)# mask destination minimum 32


Command


ipv6 flow-aggregation cache


show ipv6 cache flow aggregation

Description

Enables aggregation cache configuration mode.

Enables aggregation cache configuration mode for

IPv6 traffic.

Displays the aggregation cache configuration.

Displays the aggregation cache configuration for

IPv6 NetFlow configurations.


119

mask (IPv4) through top match (NetFlow)

match (NetFlow)

To specify match criteria for the NetFlow top talkers (unaggregated top flows), use the match command in

NetFlow top talkers configuration mode. To remove match criteria for NetFlow top talkers, use the no form of this command.

match {byte-range [max-byte-number min-byte-number | max max-byte-number | min min-byte-

number] | class-map map-name | destination [address ip-address [mask | slash nn]] | as as-number |

port [max-port-number min-port-number | max max-port-number | min min-port-number] |

direction [ingress | egress] | flow-sampler flow-sampler-name | input-interface interface-type

interface-number | nexthop-address ip-address [mask | slash nn] | output-interface interface-type

interface-number | packet-range [max-packets min-packets | max max-packets | min min-packets] |

protocol [protocol-number | udp | tcp] | source [address ip-address [mask | slash nn]] | as as-

number | port [max-port-number min-port-number | max max-port-number | min min-port-number] |

tos [tos-byte | dscp dscp | precedence precedence]}

no match {byte-range | class-map | destination [address | as | port] | direction | flow-sampler |

input-interface | nexthop-address | output-interface | packet-range | protocol | source [address |

as | port] | tos}

Syntax Description byte-range

max-byte-number min-byte-number

max max-byte-number

min min-byte-number

class-map

map-name

destination address

ip-address mask

/nn

destination as

The match criterion is based on the size in bytes of the IP datagrams in the flows.

Range of sizes for IP datagrams to be matched in bytes. Range: 1-4294967295.

Maximum size for IP datagrams to be matched in bytes. Range: 1-4294967295.

Minimum size for IP datagrams to be matched in bytes. Range: 1-4294967295.

The match criterion is based on a class map.

Name of the class map to be matched.

The match criterion is based on the destination IP address.

The destination IP address to be matched.

Address mask, in dotted decimal format.

Address mask as entered in classless interdomain routing (CIDR) format. An address mask of

255.255.255.0 is equivalent to a /24 mask in CIDR format.

The match criterion is based on the destination autonomous system.

120



as-number

destination port

max-port-number min-port-number

max max-port-number

min min-port-number

direction ingress egress flow-sampler

flow-sampler-name

input-interface

interface-type interface-number

nexthop address

ip-address mask

/nn

output-interface


packet-range

max-packets min-packets

max max-packet

min min-packets

match (NetFlow)

Autonomous system number to be matched.

The match criterion is based on the destination port.

Range of port numbers for IP datagrams to be matched. Range: 0-65535.

Maximum port number for IP datagrams to be matched. Range: 0-65535.

Minimum port number for IP datagrams to be matched. Range: 0-65535.

Direction of the flow to be matched.

The match criterion is based on ingress flows.

The match criterion is based on egress flows.

The match criterion is based on Top Talker sampling.

Name of the Top Talker sampler to be matched.

The match criterion is based on the input interface.

The input interface to be used

The match criterion is based on the next-hop IP address.

The next-hop IP address to be matched.




The match criterion is based on the output interface.

The output interface to be used

The match criterion is based on the number of IP datagrams in the flows.

Range of number of packets in the flows to be matched. Range: 1-4294967295.

Maximum number of packets in the flows to be matched. Range: 1-4294967295.

Minimum number of packets in the flows to be matched. Range: 1-4294967295.


121

mask (IPv4) through top match (NetFlow) protocol

protocol-number

tcp udp

source address

ip-address mask

/nn

source as

as-number

source port

max-port-number min-port-number

max max-port-number

min min-port-number

tos

tos-value

dscp dscp-value

precedence precedence-value

The match criterion is based on protocol.

Protocol number to be matched. Range: 0 to 255.

Protocol number to be matched as TCP.

Protocol number to be matched as UDP.

The match criterion is based on the source IP address.

The source IP address to be matched.




The match criterion is based on the source autonomous system.

Autonomous system number to be matched.

The match criterion is based on the source port.

Range of port numbers for IP datagrams to be matched. Range: 0-65535.

Maximum port number for IP datagrams to be matched. Range: 0-65535.

Minimum port number for IP datagrams to be matched. Range: 0-65535.

The match criterion is based on type of service

(ToS).

ToS to be matched.

Differentiated services code point (DSCP) value to be matched.

Precedence value to be matched.

Command Default

No matching criteria are specified by default. All top talkers are displayed.

Command Modes


122



Command History

Release

12.2(25)S

12.3(11)T

12.2(27)SBC

12.2(33)SRA

12.2SX

match (NetFlow)

Modification



Release 12.3(11)T. The direction, ingress,and

egresskeywords were added.


Release 12.2(27)SBC







Configuring NetFlow Top Talkers

You must enable NetFlow on at least one interface in the router; and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands.

Specifying Match Criteria

Use this command to specify match criteria for NetFlow top talkers. Using matching criteria is useful to restrict the list of top talkers.

If you are using a MIB and using simple network management protocol (SNMP) commands to configure this feature, refer to the table below for a mapping of the command-line interface (CLI) commands to the

MIB SNMP commands:

Table 4 Router CLI Commands and Equivalent SNMP Commands

Router CLI Command

match source address [ip-address][mask | / nn]

match destination address [ip-address][mask | /

nn]

SNMP Command

cnfTopFlowsMatchSrcAddress ip-address

cnfTopFlowsMatchSrcAddressType type

1

cnfTopFlowsMatchSrcAddressMask mask

cnfTopFlowsMatchDstAddress ip-address

cnfTopFlowsMatchDstAddressType type 1

cnfTopFlowsMatchDstAddressMask mask

1 The only IP version type that is currently supported is IPv4 (type 1).


123


Examples

Router CLI Command SNMP Command

match nexthop address ][ip-address][mask | / nn]] cnfTopFlowsMatchNhAddress ip-address

cnfTopFlowsMatchNhAddressType type

cnfTopFlowsMatchNhAddressMask mask

match source port min port cnfTopFlowsMatchSrcPortLo port

match source port max port

match destination port min port

match destination port max port

match source as as-number

match destination as as-number

cnfTopFlowsMatchSrcPortHi port

cnfTopFlowsMatchDstPortLo port

cnfTopFlowsMatchDstPortHi port

cnfTopFlowsMatchSrcAS as-number

cnfTopFlowsMatchDstAS as-number

match input-interface interface

match output-interface interface

cnfTopFlowsMatchInputIf interface

cnfTopFlowsMatchOutputIf interface

match tos [tos-value| dscp dscp-value | precedence

precedence-value]

cnfTopFlowsMatchTOSByte tos-value

match protocol [protocol-number | tcp | udp]

match flow-sampler flow-sampler-name

cnfTopFlowsMatchProtocol protocol-number

cnfTopFlowsMatchSampler flow-sampler-name

match class-map class

match packet-range min minimum-range

match packet-range max maximum-range

match byte-range min minimum-range

match byte-range max maximum-range

direction [ingress | egress]

cnfTopFlowsMatchClass class

cnfTopFlowsMatchMinPackets minimum-range

cnfTopFlowsMatchMaxPackets maximum-range

cnfTopFlowsMatchMinBytes minimum-range

cnfTopFlowsMatchMaxPackets maximum-range

cnfTopFlowsMatchDirection [flowDirNone(0) |

flowDirIngress(1) | flowDirEgress(2)]

The following example shows how you enter NetFlow top talkers configuration mode and specify that the top talkers are to contain the following characteristics:

• The list of top talkers will have a source IP address that begins with 10.10.0.0 and subnet a mask of

255.255.0.0 (/16).


Router(config-flow-top-talkers)# match source address 10.10.0.0/16



124



The following example shows the output of the show ip flow top talkers command when the configuration from the previous example is used:



Et2/0 10.10.11.3 Et1/0.1 172.16.10.7 06 0041 0041 30K

Et0/0.1 10.10.11.4 Et1/0.1 172.16.10.8 06 0041 0041 30K

Et3/0 10.10.11.2 Et1/0.1 172.16.10.6 06 0041 0041 29K

Et3/0 10.10.18.1 Null 172.16.11.5 11 00A1 00A1 28K

4 of 4 top talkers shown. 10 of 27 flows matched

The following example shows how you enter NetFlow top talkers configuration mode and specify that the top talkers are to contain the following characteristics:

• The list of top talkers will have a source IP address that begins with 10.10.0.0 and subnet mask of

255.255.0.0 (/16).

• The list of top talkers will have a destination IP address that begins with 172.16.11.0 and a subnet mask of 255.255.255.0 (/24)


Router(config-flow-top-talkers)# match source address 10.10.0.0/16

Router(config-flow-top-talkers)# match destination address 172.16.11.0/24



The following example shows the output of the show ip flow top talkers command when the configuration from the previous example is used:



Et3/0 10.10.18.1 Null 172.16.11.5 11 00A1 00A1 67K

Et3/0 10.10.19.1 Null 172.16.11.6 11 00A2 00A2 67K

2 of 4 top talkers shown. 2 of 30 flows matched







Description








125

match (NetFlow)

Command


sort-by top mask (IPv4) through top

Description








126


mask (IPv4) through top mls aging fast

mls aging fast

To configure the fast-aging time for unicast entries in the Layer 3 table, use the mls aging fastcommand in global configuration mode. To restore the MLS fast-aging time to the default settings, use the no form of this command.

mls aging fast [threshold packet-count [time seconds]]

mls aging fast [time seconds [threshold packet-count]]

no mls aging fast


threshold packet-count

time seconds

(Optional) Specifies the packet count of the fastaging threshold for Layer 3 fast aging; valid values are from 1 to 128.

(Optional) Specifies how often entries are checked; valid values are fro m 1 to 128 seconds.

Command Default


• Fast aging is disabled.

• If fast aging is enabled, the default packet-count value is 100 packets and the secondsdefault is 32 seconds.

Command Modes


Command History

Release

12.2(14)SX

12.2(17d)SXB

12.2(33)SRA

Modification








This command has no effect when you configure sampled NetFlow. You must disable sampled NetFlow to allow this command to take effect.


127

mask (IPv4) through top mls aging fast

Examples

This example shows how to configure the MLS fast-aging threshold:

Router(config)# mls aging fast threshold 50

Router(config)#


Command

show mls netflow

Description

Displays configuration information about the

NetFlow hardware.

128


mask (IPv4) through top mls aging long

mls aging long

To configure the long-aging time for unicast entries in the Layer 3 table, use the mls aging longcommand in global configuration mode. To restore the MLS long-aging time to the default settings, use the no form of this command.

mls aging long seconds

no mls aging long


seconds

Layer 3 long-aging timeout ; valid values are from

64 to 1920 seconds.

Command Default

1920 seconds

Command Modes


Command History

Release

12.2(14)SX

12.2(17d)SXB

12.2(33)SRA

Modification









Examples

This example shows how to configure the MLS long-aging threshold:

Router(config)# mls aging long 800

Router(config)#


129

mls aging long


Command



Description


NetFlow hardware.

130


mask (IPv4) through top mls aging normal

mls aging normal

To configure the normal-aging time for unicast entries in the Layer 3 table, use the mls aging

normalcommand in global configuration mode. To restore the MLS normal-aging time to the default settings, use the no form of this command.

mls aging normal seconds

no mls aging normal


seconds

Normal aging timeout for Layer 3; valid v alues are from 32 to 4092 seconds.

Command Default

300 seconds

Command Modes


Command History

Release

12.2(14)SX

12.2(17d)SXB

12.2(33)SRA

Modification









Examples

This example shows how to configure the MLS normal-aging threshold:

Router(config)# mls aging normal 200

Router(config)#


131

mls aging normal


Command



Description


NetFlow hardware.

132


mask (IPv4) through top mls exclude acl-deny

mls exclude acl-deny

To disable the creation of NetFlow entries for ingress ACL denied flows, use the mls exclude acl-

denycommand in global configuration mode. To disable the creation of NetFlow entries for ACL denied flows, use the no form of this command.

mls exclude acl-deny

no mls exclude acl-deny



Command Default

By default, the creation of NetFlow entries for ACL denied flows is enabled.

Command Modes


Command History

Release

12.2(33)SXH

Modification



Examples

This example shows how to disable the creation of NetFlow entries for ACL denied flows:

Router(config)#

mls exclude acl-deny

Router(config)#


Command


show mls netflow usage

Description

Displays NetFlow IP entries.

Displays NetFlow table usage.


133

mask (IPv4) through top mls flow

mls flow

To configure the flow mask for NDE, use the mls flow command in global configuration mode. To specify a null flow mask, use the no form of this command. To restore the default flow mask, use the default form of this command.

mls flow {ip | ipv6} {destination | destination-source | full | interface-destination-source |

interface-full | source}

no mls flow {ip | ipv6}

default mls flow {ip | ipv6}

Syntax Description ip ipv6 destination destination-source full interface-destination-source interface-full source

Enables the flow mask for MLS IP packets.

Enables the flow mask for MLS IPv6 packets.

Uses the destination IP address as the key to the

Layer 3 table.

Uses the destination and the source IP address as the key to the Layer 3 table.

Uses the source and destination IP address, the IP protocol (UDP or TCP), and the source and destination port numbers as the keys to the Layer 3 table.

Uses all the information in the destination and source flow mask and the source VLAN number as the keys to the Layer 3 table.

Uses all the information in the full flow mask and the source VLAN number as the keys to the Layer 3 table.

Uses the source IP address as the key to the Layer 3 table.

Command Default


• For Cisco 7600 series routers that are configured with a Supervisor Engine 2, the default flow mask is

destination.

• For Cisco 7600 series routers that are configured with a Supervisor Engine 720, the default flow mask is null.

• For IPv4, the default flow mask is null.

• For IPv6, the default flow mask is null.

134



Command Modes


Command History

Release

12.2(14)SX

12.2(17b)SXA

12.2(17d)SXB

12.2(33)SRA

12.2(33)SRB

mls flow

Modification



This command was changed to support the ipv6 keyword.





This command was changed to accommodate perinterface NetFlow.


This command collects statistics for the supervisor engine.

In Cisco IOS Release 12.2(33)SRB and later, the interface-destination-source and interface-full flow masks are the only masks supported for IPv4 traffic. This change was made to accommodate the per-interface

NetFlow feature. If other flow mask values are used, the router upgrades them as follows:

• Source, destination, and destination-source flow masks are treated as interface-destination-source.

• Full flow masks are treated as interface-full.

Note

To ensure that the Optimized Edge Routing passive-monitoring feature can use NetFlow, you must change the IPv4 flow mask to interface-full.

Examples

This example shows how to set the desired flow mask used to populate the hardware cache for IPv4

NetFlow Data Export:

Router(config)#

mls flow ip full

Router(config)#


Command


Description


NetFlow hardware.


135

mls flow mask (IPv4) through top

136


mask (IPv4) through top mls ip nat netflow-frag-l4-zero

mls ip nat netflow-frag-l4-zero

To zero out the Layer 4 information in the NetFlow lookup table for fragmented packets, use the mls ip nat netflow-frag-l4-zero command in global configuration mode. To restore the default settings, use the no form of this command.

mls ip nat netflow-frag-l4-zero

no mls ip nat netflow-frag-l4-zero



Command Default


Command Modes


Command History

Release

12.2(17d)SXB

12.2(33)SRA

Modification



2.




This command is supported in PFC3BXL or PFC3B mode only.

Use the mls ip nat netflow-frag-l4-zero command to prevent matching the first fragment to the NetFlow shortcut (normal operation) that is sent to the software. The next fragments that are sent to the software are translated based on the Layer 4 port information from the first fragment. The translation based on the Layer

4 port information from the first fragment occurs because there are no fragment bits for matching in the

NetFlow key.

When there is a large feature configuration on an interface that requires a large number of ACL TCAM entries/masks that are programmed in TCAM, if the interface is configured as a NAT-inside interface, the feature configuration may not fit in the ACL TCAM and the traffic on the interface may get switched in the software.

Examples

This example shows how to zero out the Layer 4 information in the NetFlow lookup table for fragmented packets:

Router (config)#


137

mls ip nat netflow-frag-l4-zero mls ip nat netflow-frag-l4-zero

Router (config)#


138


mask (IPv4) through top mls nde flow

mls nde flow

To specify the filter options for NDE, use the mls nde flowcommand in global configuration mode. To clear the NDE flow filter and reset the filter to the default settings, use the no form of this command.

mls nde flow {include | exclude} {dest-port port-num | destination ip-addr ip-mask | protocol {tcp

| udp} | source ip-addr ip-mask | src-port port-num}

no mls nde flow {include | exclude}

Syntax Description include exclude

dest-port port-num

destination ip-addr ip-mask

protocol tcp udp

source ip-addr ip-mask

src-port port-num

Allows exporting of all flows except the flows matching the given filter.

Allows exporting of all flows matching the given filter.

Specifies the destination port to filter; valid values are from 1 to 100.

Specifies a destination IP address and mask to filter.

Specifies the protocol to include or exclude.

Includes or excludes TCP.

Includes or excludes UDP.

Specifies a source IP address and subnet mask bit to filter.

Specifies the source port to filter.

Command Default


• All expired flows are exported until the filter is specified explicitly.

• Interface export is disabled (no mls nde interface).

Command Modes


Command History

Release

12.2(14)SX

Modification




139

mask (IPv4) through top mls nde flow

Release

12.2(17d)SXB

12.2(33)SRA

Modification






The mls nde flow command adds filtering to the NDE. The expired flows matching the specified criteria are exported. These values are stored in NVRAM and do not clear when NDE is disabled. If any option is not specified in this command, it is treated as a wildcard. The NDE filter in NVRAM does not clear when you disable NDE.

Only one filter can be active at a time. If you do not enter the exclude or include keyword, the filter is assumed to be an inclusion filter.

The include and exclude filters are stored in NVRAM and are not removed if you disable NDE.

ip-addr maskbits is the simplified long subnet address format. The mask bits specify the number of bits of the network masks. For example, 172.22.252.00/22 indicates a 22-bit subnet address. The ip-addr is a full host address, such as 193.22.253.1/22.

Examples

This example shows how to specify an interface flow filter so that only expired flows to destination port 23 are exported (assuming that the flow mask is set to ip-flow):

Router(config)#

mls nde flow include dest-port 35

Router(config)#


Command


Description


NetFlow hardware.

140


mask (IPv4) through top mls nde interface

mls nde interface

To populate the additional fields in the NDE packets, use the mls nde interface command in interface configuration mode. To disable the population of the additional fields, use the no form of this command.

mls nde interface

no mls nde interface



Command Default


• Supervisor Engine 2--Disabled

• Supervisor Engine 720--Enabled

Command Modes


Command History

Release

12.2(14)SX

12.2(17d)SXB

12.2(33)SRA

Modification








You can configure NDE to populate the following additional fields in the NDE packets:

• Egress interface SNMP index

• Source-autonomous system number

• Destination-autonomous system number

• IP address of the next-hop router

The ingress-interface SNMP index is always populated if the flow mask is interface-full or interface-srcdst.

For detailed information, refer to the “ Configuring NDE ” chapter of the Cisco 7600 Series Router Cisco

IOS Software Configuration Guide .


141

mask (IPv4) through top mls nde interface

Examples

This example shows how to populate the additional fields in the NDE packets:

Router(config)#

mls nde interface

Router(config)#

This example shows how to disable the population of the additional fields:

Router(config)#

no mls nde interface

Router(config)#


Command

mls netflow

mls netflow sampling

Description

Enables NetFlow to gather statistics.

Enables the sampled NetFlow on an interface.

142



mls nde sender

To enable MLS NDE export, use the mls nde sender command in global configuration mode. To disable

MLS NDE export, use the no form of this command.

mls nde sender [version version]

no mls nde sender


version version

(Optional) Specifies the NDE version; valid values are 5 and 7.

Command Default


• MLS NDE export is disabled.

• version is 7

Command Modes


Command History

Release

12.2(14)SX

12.2(17d)SXB

12.2(33)SRA

Modification








Note

If MLS NDE export is enabled, do not use version 7.

Examples

This example shows how to enable MLS NDE export:

Router(config)#

mls nde sender

Router(config)#

mls nde sender


143

mask (IPv4) through top mls nde sender

This example shows how to disable MLS NDE export:

Router(config)#

no mls nde sender

Router(config)#


Command


Description


144


mask (IPv4) through top mls netflow

mls netflow

To enable NetFlow to gather statistics, use the mls netflow command in global configuration mode. To disable NetFlow from gathering statistics, use the no form of this command.

mls netflow [interface | cache | usage notify [threshold seconds]]

no mls netflow [interface | cache | usage notify]

Syntax Description interface cache

usage notify

threshold seconds

(Optional) Specifies statistics gathering per interface.

(Optional) Caches the total active flow count in the

Policy Feature Card (PFC) or Distributed

Forwarding Cards (DFCs).

(Optional) Sends a notification when NetFlow table usage crosses the configured threshold limit.

(Optional) Threshold percentage. The range is from

20 to 100.

(Optional) Time interval in seconds.

Command Default

NetFlow statistics are enabled.

Command Modes


Command History

Release

12.2(14)SX

12.2(17d)SXB

12.2(33)SRA

15.0(1)S1

Modification


Engine 720.


Release 12.2(17d)SXB.



This command was modified. The cache keyword was added.


145

mask (IPv4) through top mls netflow


NetFlow gathers statistics from traffic that flows through the Cisco 7600 series router and stores the statistics in the NetFlow table. You can gather the statistics globally based on a protocol or optionally per interface.

If you are not using NetFlow Data Export (NDE) or Cisco IOS features that use the hardware NetFlow table (non-Reverse Path Forwarding [non-RPF] multicast traffic, microflow quality of service [QoS], the

Web Cache Communications Protocol [WCCP], TCP intercept, or reflexive access control lists), you can safely disable the use and maintenance of the hardware NetFlow table using the no mls netflow command in global configuration mode.

Use the cache keyword to enable NetFlow to cache the total active flow count in the PFC or DFC. If caching is disabled, the active flow count is retrieved from the router, which causes delay affecting Simple

Network Management Protocol (SNMP)-based applications. When this option is enabled, the total active count in the PFC or DFC is cached every 30 seconds, and the cached value is used for statistics.

Examples

The following example shows how to enable NetFlow to gather statistics:

Router(config)#

mls netflow

The following example shows how to disable NetFlow from gathering the statistics:

Router(config)# no mls netflow

Disabling MLS netflow entry creation.

The following example shows how to enable NetFlow to cache the total active flow count:

Router(config)#

mls netflow cache

The following example shows how to set the threshold value for NetFlow table utilization:

Router(config)#

mls netflow usage notify 75 500


Command


Description


NetFlow hardware.

146


mask (IPv4) through top mls netflow interface

mls netflow interface

To enable the creation of NetFlow entries on a per-VLAN basis, use the mls netflow interface command in global configuration mode. To disable the creation of NetFlow entries, use the no form of this command.

mls netflow interface

no mls netflow interface



Command Default

Creation of NetFlow entries on a per-VLAN basis disabled.

Command Modes


Command History

Release

12.2(33)SXH

Modification

This command was introduced on the Catalyst 6500 series switches.


Entering the mls netflow interface command creates NetFlow entries for all VLANs. NetFlow entries are created both for VLANs on which bridged-flow statistics is enabled and for VLANs on which NetFlow entry creation is enabled.

For example, if you enable Layer 3 per-VLAN entry creation on VLANs 100 and 200 and at the same time you want to enable bridged-flow statistics on VLANs 150 and 250, NetFlow entry creation and bridgedflow statistics are both enabled on all four VLANs. To collect only bridged-flow statistics for VLAN 150 and 250, you must disable the per-VLAN entry creation feature.

Examples

This example shows how to create NetFlow entries on a per-VLAN basis:

Router(config)# mls netflow interface


147

mask (IPv4) through top mls netflow maximum-flows

mls netflow maximum-flows

To configure the maximum flow allocation in the NetFlow table, use the mls netflow maximum-

flowscommand in global configuration mode. To return to the default settings, use the no form of this command.

mls netflow maximum-flows [maximum-flows]

no mls netflow maximum-flows


maximum-flows

(Optional) Maximum number of flows; valid values are 16, 32, 64, 80, 96, and 128. See the “Usage

Guidelines” section for additional information.

Command Default

128

Command Modes


Command History

Release

12.2(18)SXD

12.2(33)SRA

Modification






This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine

720.

The value that you specify for the maximum number of flows is that value times 1000. For example, if you enter 32, you specify that 32,000 is the maximum number of permitted flows.

Examples

This example shows how to configure the maximum flow allocation in the NetFlow table:

Router(config)#

mls netflow maximum-flows 96

Router(config)#

148


mask (IPv4) through top mls netflow maximum-flows

This example shows how to return to the default setting:

Router(config)# no mls netflow maximum-flows

Router(config)#


Command

show mls netflow table-contention

Description

Displays configuration information at the table contention level for the NetFlow hardware.


149

mask (IPv4) through top mls netflow sampling

mls netflow sampling

To enable sampled NetFlow on an interface, use the mls netflow sampling command in interface configuration mode. To disable sampled NetFlow on an interface, use the no form of this command.


no mls netflow sampling



Command Default

Disabled

Command Modes


Command History

Release

12.2(14)SX

12.2(17d)SXB

12.2(33)SRA

12.2(33)SRB

Modification







This command was changed to support perinterface NetFlow for IPv4 traffic.


In Cisco IOS Release 12.2SRA and earlier, the sampled NetFlow can be global or per interface, depending on the current flow mask. For interface-full and interface-destination-source flow masks, sampled NetFlow is enabled on a per-interface basis. For all the other flow masks, sampled NetFlow is always global and is turned on or off for all interfaces.

Enter the mls sampling command to enable sampled NetFlow globally.

Cisco IOS Release 12.2(33)SRB and later support per-interface NetFlow for IPv4 traffic. Per-interface

NetFlow has the following configuration requirements:

• In addition to issuing the mls sampling command (to globally enable NetFlow on the router), you must also issue the ip flow ingress and mls netflow sampling commands on individual interfaces to enable sampled NetFlow on the interface.

• The only flow masks allowed for IPv4 traffic are interface-destination-source and interface-full. If other flow mask values are used, the router upgrades them as follows:

150


mask (IPv4) through top mls netflow sampling

◦ Source, destination, and destination-source flow masks are treated as interface-destination-source.

◦ Full flow masks are treated as interface-full.

Note

In addition to populating the hardware NetFlow cache, the flow hardware mpls-vpn ipvrf-id command also enables sampled NetFlow for IPv4 traffic flows on an MPLS VPN VRF interface.

Examples

This example shows how to enable sampled NetFlow on an interface:

Router(config-if)# mls netflow sampling

Router(config-if)#

This example shows how to disable sampled NetFlow on an interface:

Router(config-if)# no mls netflow sampling

Router(config-if)#


Command

flow hardware mpls-vpn ip


mls flow ip

mls sampling

show mls sampling

Description

Enables NetFlow to create and export hardware

NetFlow cache entries for IPv4 traffic on an MPLS

VPN VRF interface.

Enables (ingress) NetFlow accounting for traffic arriving on an interface.

Configures the flow mask to use for NetFlow Data

Export.

Enables the sampled NetFlow and specifies the sampling method.

Displays information about the sampled NDE status.


151

mask (IPv4) through top mls netflow usage notify

mls netflow usage notify

To monitor the NetFlow table usage on the switch processor and the DFCs, use the mls netflow usage

notifycommand in global configuration mode. To return to the default settings, use the no form of this command.

mls netflow usage notify threshold interval

no mls netflow usage notify


threshold interval

Percentage threshold that, if exceeded, displays a warning message; valid values are from 20 to 100 percent.

Frequency that the NetFlow table usage is checked; valid values are from 120 to 1000000 seconds.

Command Default

Disabled

Command Modes


Command History

Release

12.2(17d)SXB1

12.2(33)SRA

Modification



2.




If the NetFlow table usage monitoring is enabled and the NetFlow table usage exceeds the percentage threshold, a warning message is displayed.

NetFlow gathers statistics from traffic and stores the statistics in the NetFlow table. You can gather statistics globally based on a protocol or optionally per interface.

If you are not using NDE or the Cisco IOS features that use the hardware NetFlow table (micro-flow QoS,

WCCP, TCP Intercept, or Reflexive ACLs), you may safely disable the use and maintenance of the hardware NetFlow table using the no mls netflow command in global configuration mode.

152


mask (IPv4) through top mls netflow usage notify

Examples

This example shows how to configure the monitoring of the NetFlow table usage on the switch processor and the DFCs:

Router(config)#

mls netflow usage notify 80 300

Router(config)#


Command

show mls netflow usage

Description


NetFlow hardware.


153

mask (IPv4) through top mls sampling

mls sampling

To enable the sampled NetFlow and specify the sampling method, use the mls sampling command in global configuration mode. To disable the sampled NetFlow, use the no form of this command.

mls sampling {time-based rate | packet-based rate [interval]}

no mls sampling


time-based rate

packet-based rate

interval

Specifies the time-based sampling rate; valid values are 64, 128, 256, 512, 1024, 2046, 4096, and 8192.

See the “Usage Guidelines” section for additional information.

Specifies the packet-based sampling rate; valid values are 64, 128, 256, 512, 1024, 2046, 4096, and

8192.

(Optional) Sampling interval; valid values are fro m

8000 to 16000 millise conds.

Command Default

Disabled

Command Modes


Command History

Release

12.2(14)SX

12.2(17a)SX

12.2(17d)SXB

Modification




• The minimum sampling interval for each rate and period was changed from 4000 to 8000 milliseconds.

• The time pair for each sampling rate of timebased sampling was changed; the table below lists the new time pairs.



154



Release

12.2(33)SRA

12.2(33)SRB

Modification



This command was changed to support perinterface NetFlow for IPv4 traffic.


The sampled NetFlow is supported on Layer 3 interfaces only.

You can enable the sampled NetFlow even if NDE is disabled, but no flows are exported.

With packet-based sampling, a flow with a packet cou nt of n is sampled nm times, where m is the sampling rate.

Cisco IOS Release 12.2(33)SRB and later support per-interface NetFlow for IPv4 traffic. Per-interface

NetFlow has the following configuration requirements:

•

In addition to issuing the mls sampling command (to globally enable NetFlow on the router), you must also issue the ip flow ingress and mls netflow sampling commands on individual interfaces to enable sampled NetFlow on the interface.

• The flow hardware mpls-vpn ipvrf-id command enables sampled NetFlow for IPv4 traffic flows on an MPLS VPN VRF interface.

• The only flow masks allowed for IPv4 traffic are interface-destination-source and interface-full. If other flow mask values are used, the router upgrades them as follows:

◦ Source, destination, and destination-source flow masks are treated as interface-destination-source.

◦ Full flow masks are treated as interface-full.

The time-based sampling is based on a preset interval for each sampling rate.

The table below lists the sample intervals for each rate and period.

Table 5 Time-Based Sampling Intervals

Sampling Rate

1 in 64

1 in 128

1 in 256

1 in 512

1 in 1024

1 in 2048

1 in 4096

1 in 8192

Sampling Time (milliseconds)

128

64

32

16

8

4

4

4

Export Interval (Milliseconds)

8192

8192

8192

8192

8192

8192

16384

32768


155


Examples

This example shows how to enable the time-based NetFlow sampling and set the sampling rate:

Router(config

)# mls sampling time-based 1024

Router(config)#

This example shows how to enable the packet-based NetFlow sampling and set the sampling rate and interval:

Router(config

)# mls sampling packet-based 1024 8192

Router(config)#


Command



mls flow ip



Description

Enables NetFlow to create and export hardware

NetFlow cache entries for IPv4 traffic on an MPLS

VPN VRF interface.



Export.


Displays information about the sampled NDE status.

156


mask (IPv4) through top mode (flow sampler configuration)

mode (flow sampler configuration)

To specify a packet interval for random sampled NetFlow accounting and enable the flow sampler map, use the modecommand in NetFlow flow sampler configuration mode.

mode random one-out-of packet-interval

Syntax Description random

one-out-of packet-interval

Specifies that sampling uses the random mode.

Specifies the packet interval (1 out of every n packets). For n , you can specify from 1 to 65535 packets.

Command Default

The random sampling mode and packet sampling interval are undefined.

Command Modes

NetFlow flow sampler configuration

Command History

Release

12.3(2)T

12.2(18)S

12.0(26)S

12.2(27)SBC

12.2(18)SXF

12.2(33)SRA

Modification



Release 12.2(18)S.


Release 12.0(26)S.








The mode random one-out-of command does not have a no format to remove it from the configuration.

To disable NetFlow random sampling and packet interval you must remove the flow sampler map that you enabled with the mode random one-out-ofcommand.

If you want to change the value that you entered for the packet-interval argument repeat the mode random

one-out-of packet-interval command using the new value for packet-interval.


157

mask (IPv4) through top mode (flow sampler configuration)

Random sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface, or subinterface. In order to run random sampled NetFlow accounting, you must first disable (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling.


Tip

If you disable dCEF globally using the no ip cef [distributed] command, the flow-sampler sampler-map-

name command is removed from any interfaces that you previously configured for random sampled

NetFlow accounting. You must reenter the flow-sampler sampler-map-name command after you reenable

CEF or dCEF to reactivate random sampled NetFlow accounting.

Tip


Examples









route-cache cef









ip flow egress


route-cache cef






158




Command flow-sampler flow-sampler-map netflow-sampler





mode (flow sampler configuration)

Description

Applies a flow sampler map for random sampled

NetFlow accounting to an interface.


NetFlow accounting.








159

mask (IPv4) through top mpls netflow egress

mpls netflow egress

To enable Multiprotocol Label Switching (MPLS) egress NetFlow accounting on an interface, use the mpls

netflow egress command in interface configuration mode. To disable MPLS egress NetFlow accounting, use the no form of this command.

mpls netflow egress

no mpls netflow egress



Command Default

This command is disabled.

Command Modes

Interface configuration (config-if)

Command History

Release

12.0(10)ST

12.1(5)T

12.2(33)SRA

12.2SX

12.2(33)SCA

Modification



Release 12.1(5)T.







Release 12.2(33)SCA.


Use this command to configure the provider edge (PE) to customer edge (CE) interface of a PE router.

Examples

The following example shows how to enable MPLS egress NetFlow accounting on the egress PE interface that connects to the CE interface at the destination Virtual Private Network (VPN) site:

Router(config-if)# mpls netflow egress

160




Command debug mpls netflow show mpls forwarding-table show mpls interfaces mpls netflow egress

Description

Enables debugging of MPLS egress NetFlow accounting.

Displays a message that the quick flag is set for all prefixes learned from the MPLS egress NetFlow accounting enabled interface.

Displays the value of the output_feature_state.


161

mask (IPv4) through top netflow-sampler

netflow-sampler

To enable NetFlow accounting with input filter sampling, use the netflow-samplercommand in QoS policy-map class configuration mode. To disable NetFlow accounting with input filter sampling, use the no form of this command.

netflow-sampler sampler-map-name

no netflow-sampler sampler-map-name


sampler-map-name

Name of the NetFlow sampler map to apply to the class.

Command Default

NetFlow accounting with input filter sampling is disabled.

Command Modes

QoS policy-map class configuration

Command History

Release

12.3(4)T

12.2(25)S

12.2(27)SBC

12.2(31)SB2

12.2(33)SRA

12.2SX

Modification



Release 12.2(25)S.











NetFlow accounting with input filter sampling cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or random sampled NetFlow on the same interface, or subinterface. In order to run NetFlow accounting with input filter sampling, you must first disable (ingress)

NetFlow accounting, egress NetFlow accounting, or random sampled NetFlow.

162



Examples

You can assign only one NetFlow input filter sampler to a class. Assigning another NetFlow input filter sampler to a class overwrites the previous one.

Samplers, also known as filters, are based on classes, but they are enabled on interfaces. You assign a

NetFlow input filters sampler to a class by using the netflow-samplercommand in QoS policy-map class configuration. You the use the service-policycommand to attach the policy map you defined to one or more interfaces.

Tip



The following example shows how to enable NetFlow accounting with input filter sampling for one class of traffic (traffic with 10 as the first octet of the IP source address):


Router(config)# flow-sampler-map network-10


Router(config-sampler)# exit

Router(config)# class-map match-any network-10

Router(config-cmap)# match access-group 100

Router(config-cmap)# exit

Router(config)# policy-map network-10

Router(config-pmap)# class network-10

Router(config-pmap-c)# netflow-sampler network-10

Router(config-pmap-c)# exit

Router(config-pmap)# exit



Router(config-if)# ip route-cache cef

Router(config-if)# interface ethernet 0/0.1

Router(config-if)# service-policy input network-10


Router(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 any

The following output from the show flow-sampler command verifies that the NetFlow accounting with input filter sampling is active:


Sampler : network-10, id : 1, packets matched : 546, mode : random sampling mode


The following output from the show ip cache verbose flow command shows that combination of the

access-list 100 permit ip 10.0.0.0 0.255.255.255 any command and the match access-group 100 command has filtered out any traffic in which the source IP address does not have 10 as the first octet:

Router# show ip cache verbose flow

IP packet size distribution (116 total packets):

1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480

.000 .155 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608

.000 .000 .000 .258 .586 .000 .000 .000 .000 .000 .000


163











last clearing of statistics never

Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)

-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow

TCP-Telnet 6 0.0 1 940 0.0 8.8 51.6

TCP-FTP 5 0.0 1 640 0.0 6.9 53.4

TCP-SMTP 2 0.0 3 1040 0.0 41.7 18.5

TCP-other 36 0.0 1 1105 0.0 18.8 41.5

UDP-other 6 0.0 3 52 0.0 54.8 5.5

ICMP 4 0.0 1 628 0.0 11.3 48.8

Total: 59 0.0 1 853 0.1 20.7 39.6

SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts

Port Msk AS Port Msk AS NextHop B/Pk Active

Et0/0.1 10.10.10.3 Et1/0.1 172.16.10.3 06 80 00 1

0016 /0 0 0016 /0 0 0.0.0.0 840 0.0

Sampler: 1 Class: 1

Et0/0.1 10.10.10.3 Et1/0.1* 172.16.10.3 06 80 00 1

0016 /0 0 0016 /0 0 0.0.0.0 840 0.0

Sampler: 1 Class: 1 FFlags: 01

Et0/0.1 10.10.11.3 Et1/0.1 172.16.10.7 06 80 00 1

0041 /0 0 0041 /0 0 0.0.0.0 1140 0.0

Sampler: 1 Class: 1

Et0/0.1 10.10.11.1 Et1/0.1 172.16.10.5 06 80 00 3

0019 /0 0 0019 /0 0 0.0.0.0 1040 36.7

Sampler: 1 Class: 1

Et0/0.1 10.10.11.1 Et1/0.1* 172.16.10.5 06 80 00 1

0019 /0 0 0019 /0 0 0.0.0.0 1040 0.0

Sampler: 1 Class: 1 FFlags: 01

Et0/0.1 10.1.1.2 Et1/0.1 172.16.10.10 06 80 00 2

0041 /0 0 0041 /0 0 0.0.0.0 1140 37.8

Sampler: 1 Class: 1

Et0/0.1 10.10.10.1 Et1/0.1 172.16.10.1 01 80 10 1

0000 /0 0 0000 /0 0 0.0.0.0 628 0.0

Sampler: 1 Class: 1


Command flow-sampler flow-sampler-map


class-map policy-map

Description




NetFlow accounting.


Creates a class map to be used for matching packets to a specified class.

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy

164



Command service-policy





netflow-sampler

Description

Attaches a policy map to an input interface or virtual circuit (VC).







165

mask (IPv4) through top platform netflow rp sampling scale

platform netflow rp sampling scale

To enable applying of sampling scale equivalent to the configured platform sampling ratio on the softwareswitched flows exported by the NetFlow software, use the platform netflow rp sampling scalecommand in global configuration mode. To disable sampling of software-switched flows by the NetFlow software, use the no form of this command.

platform netflow rp sampling scale

no platform netflow rp sampling scale



Command Default

Software switched flows are exported and not sampled by the NetFlow software.

Command Modes


Command History

Release

12.2(33)SRB5

12.2(33)SRC3

12.2(33)SRD1

Modification



Release 12.2(33)SRC3.


Release 12.2(33)SRD1.


Use this command to scale the exported information for flows handled by the Route Processor (RP) equivalent to the platform sampling ratio. Without this command, a NetFlow collector assumes all flows exported by a router are uniformly sampled and multiplies the nonsampled RP flows by the sampling factor, and therefore overestimates the traffic handled by the RP.

The applicable sampling scale is obtained from the Cisco 7600-specific router platform mls sampling command.

Based on configuration, the RP software divides the exported packet/byte counts for a V5 and V9 export by the configured platform sampling ratio. The platform configuration is accomplished using the mls netflow

sampling command. If no such configuration is present, the RP exports the value it observes, and does not divide the exported packet/byte count.

166


mask (IPv4) through top platform netflow rp sampling scale

Note

If the division result is zero, the value 1 is substituted.

Examples

The following example shows how to enable sampling for flows switched in the RP software:

Router(config

)# platform netflow rp sampling scale


Command

mls netflow sampling mls sampling

Description

Enables sampled NetFlow on an interface.



167

mask (IPv4) through top reliability (NetFlow SCTP)

reliability (NetFlow SCTP)

To specify the level of reliability for the reliable export of NetFlow accounting information in NetFlow cache entries, use the reliabilitycommand in NetFlow ip flow export stream control transmission protocol

(SCTP) configuration mode. To return to the default behavior, use the noform of this command.

reliability {full | none | partial buffer-limit}

no reliability {full | none | partial buffer-limit limit}



full none partial

buffer-limit limit


Configures guaranteed reliable, ordered delivery of messages to a export destination. This is the default behavior.

Specifies that each message is sent once. The message is not stored in a buffer and cannot be retransmitted if it is not received by the export destination.

Specifies the limit on the amount of memory the router will use to buffer messages while waiting for them to be acknowledged by the export destination.

Specifies the amount of memory that is available for the buffering of messages that have not been acknowledged by the export destination. Range: 1 to 35000 packets.

Command Default

NetFlow reliable export uses full reliability mode by default.

Command Modes

NetFlow ip flow export SCTP (config-flow-export-sctp)

Command History

Release

12.4(4)T

Modification



NetFlow Reliable Export Using SCTP with Partial Reliability

168


mask (IPv4) through top reliability (NetFlow SCTP)

If a stream is specified as unreliable, the packet is simply sent once and not buffered on the exporter at all.

If the packet is lost en route to the receiver, the exporter is not notified and cannot re-transmit it

When a stream is specified as partially reliable, a limit can be placed on how much memory should be dedicated to storing un-acknowledged packets. The limit is configurable. If the limit is exceeded and the router attempts to buffer another packet, the oldest un-acknowledged packet is discarded. When SCTP discards the oldest unacknowledged packet a message called a forward-tsn (transmit sequence number) is sent to the export destination to indicate that this packet will not be received. This prevents NetFlow from consuming all the free memory on a router when a situation has arisen which requires a large number of packets to be buffered, for example when you are experiencing long response times from an SCTP peer connection.

When SCTP is operating in partially-reliable mode, the limit on how much memory should be dedicated to storing un-acknowledged packets should initially be set as high as possible. The limit on how much memory should be dedicated to storing unacknowledged packets can be reduced if other processes on the router begin to run out of memory. Deciding on the best value for the limit on how much memory should be dedicated to storing un-acknowledged packets involves a trade off between avoiding starving other processes of the memory that they require to operate, and dropping SCTP messages that have not been acknowledged by the export destination.

NetFlow Reliable Export Using SCTP with Reliability Disabled

When an SCTP connection is specified as unreliable, exported messages are sent once only and are not buffered. If the message is lost en route to the export destination, it cannot be retransmitted. Unreliable

SCTP can be used when the export destination that you are using doesn’t support UDP as a transport protocol for receiving NetFlow export datagrams, and you do not want to allocate the resources on your router required to provide reliable, or partially reliable, SCTP connections.

Examples

The following example shows how to configure the networking device to use full SCTP reliability:


Router(config-flow-export-sctp)# reliability full

The following example shows how to configure the networking device to use partial SCTP reliability, with a maximum value for the buffer limit of 35000 export packets:


Router(config-flow-export-sctp)# reliability partial buffer-limit 35000

The following example shows how to configure the networking device to use SCTP with no reliability:


Router(config-flow-export-sctp)# reliability none


Command backup

ip flow-export destination sctp

Description



Enables the reliable export of NetFlow accounting information in NetFlow cache entries.


169

reliability (NetFlow SCTP)

Command



Description


170


mask (IPv4) through top show flow-sampler

show flow-sampler

To display the status and statistics for random sampled NetFlow (including mode, packet interval, and number of packets matched for each flow sampler), use the show flow-sampler command in user EXEC or privileged EXEC mode.

show flow-sampler [sampler-map-name]


sampler-map-name

(Optional) Name of a flow sampler map.

Command Modes

User EXEC Privileged EXEC

Command History

Release

12.3(2)T

12.2(18)S

12.0(26)S

12.2(27)SBC

12.2(18)SXF

12.2(33)SRA

Modification



Release 12.2(18)S.


Release 12.0(26)S.







Examples

The following is sample output from the show flow-sampler command for all flow samplers:

Router> show flow-sampler

Sampler : mysampler1, id : 1, packets matched : 10, mode : random sampling mode


Sampler : myflowsampler2, id : 2, packets matched : 5, mode : random sampling mode


The following is sample output from the show flow-sampler command for a flow sampler named mysampler1:

Router> show flow-sampler mysampler1

Sampler : mysampler1, id : 1, packets matched : 0, mode : random sampling mode



171

mask (IPv4) through top show flow-sampler

The table below describes the fields shown in the displays.

Table 6 show flow-sampler Field Descriptions

Field

Sampler id packets matched mode sampling interval is

Description

Name of the flow sampler

Unique ID of the flow sampler

Number of packets matched for the flow sampler

Flow sampling mode

Flow sampling interval (in packets)


Command flow-sampler flow-sampler-map


netflow-sampler




Description




NetFlow accounting.

Specifies a packet interval for NetFlow accounting random sampling mode.





172


mask (IPv4) through top show fm nat netflow data

show fm nat netflow data

To display the information about the NAT-related NetFlow data, use the show fm nat netflow data command in user EXEC or privileged EXEC mode.

show fm nat netflow data



Command Default


Command Modes


Command History

Release

12.2(14)SX

12.2(17d)SXB

12.2(18)SXD

12.2(33)SRA

Modification





The output was changed to display the information about the NetFlow lookup mode state for fragments.



Examples

This example shows how to display the information about the NAT-related NetFlow data:

Router> show fm nat netflow data

FM Pattern with stat push disabled: 1

Default/TCP/UDP Timeouts:

Def s/w timeout: 86400 h/w timeout: 300 Pattern(ingress): 4

Pattern(egress): 4 Push interval: 1333

TCP s/w timeout: 86400 h/w timeout: 300 Pattern(ingress): 4


UDP s/w timeout: 300 h/w timeout: 300 Pattern(ingress): 3


Port Timeouts:

Idle timeout :3600 secs

Fin/Rst timeout :10 secs

Fin/Rst Inband packets sent per timeout :10000

Netflow mode to Zero-out Layer4 information for fragment packet lookup :

Enabled

Router>


173

show fm nat netflow data


Command

show fm summary


Description

Displays a summary of FM Information.

174


mask (IPv4) through top show fm netflow

show fm netflow

To display the feature manager (FM) Netflow information, use the show fm netflow command in User

EXEC or privileged EXEC mode.

show fm netflow {counters | pattern | slotinfo}

Syntax Description counters pattern slotinfo

Displays feature manager Netflow counters.

Displays feature manager Netflow pattern information.

Displays feature manager Netflow slot information.

Command Default


Command Modes

User EXEC (>) Privileged EXEC (#)

Command History

Release

12.2(17)SX

12.2(33)SXI

Modification

Support for this command was introduced.

The output was changed to include the chassis number for virtual switch systems (VSS) only.

Examples

This example shows how to display the information about the feature manager Netflow counters:

Router# show fm netflow counters

FM Netflow Counters IPv4 IPv6

-----------------------------------------------------------------

Netflow Install Request Counters:

Netflow Install Reply Counters:

Netflow Delete Requests Counters:

Netflow Delete Reply Counters:

Netflow nodes in database: 0 0

FM Netflow Outstanding Adjacency Replies, Slot[1] = 0

FM Safe inband mode : Active

FM No. of dummy inbands : 8

FM Netflow Disable shortcut Flag : 0

FM Inband Reply Mode : Inband err reply

FM Netflow Adjacency Block Size : 1024

FM Netflow Max Adjacency Threshold : 131072

FM Number of Items in Netflow Clr Database=0


175

mask (IPv4) through top show fm netflow

This example shows how to display the information about the feature manager Netflow patterns:

Router# show fm netflow pattern

Feature Pattern StatPush Agetime

------- ------- -------- -------

SLB 7 0 0 10

INSPECT 6 0 0 1

TCP_INTERCEPT 5 0 300 1

WCCP_EGRESS 5 0 300 1

NAT_INGRESS 4 1333 300 1

NAT_EGRESS 4 1333 300 1

IP_ACCESS_INGRESS 3 100 300 1

IP_ACCESS_EGRESS 3 100 300 1

NAT_INGRESS 3 100 300 1

NAT_EGRESS 3 100 300 1

IPV6_RACL_EGRESS 3 100 300 1

NF_AGING 2 0 10

DEFAULT_NO_STAT 1 0 0

This example shows how to display the slot information about the feature manager Netflow:

Router# show fm netflow slotinfo

Slotnum=1 free_index=0 num_free_adj=128 adj_arr_size=128

VSS Output

This example shows how to display the information about the feature manager Netflow counters on a VSS:

Router# show fm netflow counters

FM Netflow Counters IPv4 IPv6

-----------------------------------------------------------------

Netflow Install Request Counters:

Netflow Install Reply Counters:

Netflow Delete Requests Counters:

Netflow Delete Reply Counters:

Netflow nodes in database: 0 0

FM Netflow Outstanding Adjacency Replies, Slot[1/1] = 0

FM Netflow Outstanding Adjacency Replies, Slot[1/2] = 0

FM Safe inband mode : Active

FM No. of dummy inbands : 8

FM Netflow Disable shortcut Flag : 0

FM Inband Reply Mode : Inband err reply

FM Netflow Adjacency Block Size : 1024

FM Netflow Max Adjacency Threshold : 131072

FM Number of Items in Netflow Clr Database=0

This example shows how to display the slot information about the feature manager Netflow on a VSS:

Router# show fm netflow slotinfo

Slotnum=1/1 free_index=0 num_free_adj=128 adj_arr_size=128





Command

show fm summary

Description

Displays a summary of feature manager information.

176


mask (IPv4) through top show ip cache flow

show ip cache flow

To display a summary of the NetFlow accounting statistics, use the show ip cache flow command in user


show ip cache [prefix mask] [type number] flow


prefix mask

type number

(Optional) Displays only the entries in the cache that match the prefix and mask combination.

(Optional) Displays only the entries in the cache that match the interface type and number combination.

Command Modes


Command History

Release

11.1

11.1CA

12.2(14)S

12.3(1)

12.2(18)S

12.3(4)T, 12.3(6), 12.2(20)S

12.3(11)T

12.2(27)SBC

12.2(14)SX

Modification


The information display for the command was updated.


Release 12.2(14)S.

Support for the NetFlow Multicast Support feature was added.


The execute-on command was implemented on the

Cisco 7500 platforms to include the remote execution of the show ip cache flowcommand.

Support for egress flow accounting was added, and the [prefix mask] and [type number] arguments were removed.






177


Release

12.2(17b)SXA

12.2(17d)SXB

12.2(18)SXF

12.2(31)SB2

12.2(33)SRB

Modification

The output was changed to include hardware-entry information.







This command was modified to show the VPN name and VPN ID in the display output.


Some of the content in the display of the show ip cache flowcommand uses multiline headings and multiline data fields.

show ip cache flow, page 177

uses an example of the output from the show ip cache

verbose flowto show how to associate the headings with the correct data fields when there are two or more lines of headings and two or more lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields, and so on.

When other features such as IP Multicast are configured, the number of lines in the headings and data fields increases. The method for associating the headings with the correct data fields remains the same.

178



Displaying Detailed NetFlow Cache Information on Platforms Running Distributed Cisco Express

Forwarding

On platforms running distributed Cisco Express Forwarding (dCEF), NetFlow cache information is maintained on each line card or Versatile Interface Processor. To display this information on a distributed platform by use of the show ip cache flow command, you must enter the command at a line card prompt.


The module num keyword and argument are supported on DFC-equipped modules only.

The VPN name and ID are shown in the display output in the format VPN:vpn-id.

Cisco 7500 Series Platform

The Cisco 7500 series platforms are not supported by Cisco IOS Release 12.4T and later. Cisco IOS

Release 12.4 is the last Cisco IOS release to support the Cisco 7500 series platforms.

To display NetFlow cache information using the show ip cache flow command on a Cisco 7500 series router that is running dCEF, enter the following sequence of commands:

Router# if-con slot-number

LC-


179


Examples

slot-number

# show ip cache flow

For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display

NetFlow cache information:

Router# execute-on slot-number



To display NetFlow cache information using the show ip cache flow command on a Cisco 12000 Series

Internet Router, enter the following sequence of commands:

Router# attach slot-number

LCslot-number






The following is a sample display of a main cache using the show ip cache flow command:

Router# show ip cache flow


1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480

.092 .000 .003 .000 .141 .048 .000 .000 .000 .093 .000 .000 .000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608

.000 .000 .048 .189 .381 .000 .000 .000 .000 .000 .000













TCP-FTP 4 0.0 67 840 2.6 59.4 0.7

TCP-SMTP 1 0.0 67 168 0.6 59.4 0.5

TCP-BGP 1 0.0 68 1140 0.6 60.3 0.4

TCP-NNTP 1 0.0 68 1340 0.6 60.2 0.2

TCP-other 7 0.0 68 913 4.7 60.3 0.4

UDP-TFTP 1 0.0 68 156 0.6 60.2 0.1

UDP-other 4 0.0 36 151 1.4 45.6 14.7

ICMP 4 0.0 67 529 2.7 60.0 0.2

Total: 23 0.2 62 710 14.3 57.5 2.9

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Et2/0 192.168.137.78 Et3/0* 192.168.10.67 06 0041 0041 39

Et2/0 172.19.216.196 Et3/0* 192.168.10.38 06 0077 0077 39

Et0/0.1 10.56.78.128 Et1/0.1 172.16.30.231 06 00B3 00B3 48

Et0/0.1 10.10.18.1 Et1/0.1 172.16.30.112 11 0043 0043 47

Et0/0.1 10.162.37.71 Et1/0.1 172.16.30.218 06 027C 027C 48

Et0/0.1 172.16.6.1 Null 224.0.0.9 11 0208 0208 1

180



Et0/0.1 10.231.159.251 Et1/0.1 172.16.10.2 06 00DC 00DC 48

Et2/0 10.234.53.1 Et3/0* 192.168.10.32 06 0016 0015 39

Et2/0 10.210.211.213 Et3/0* 192.168.10.127 06 006E 006E 38

Et0/0.1 10.234.53.1 Et1/0.1 172.16.30.222 01 0000 0000 47

Et0/0.1 10.90.34.193 Et1/0.1 172.16.10.2 06 0016 0015 48

Et0/0.1 10.10.10.2 Et1/0.1 172.16.10.2 06 0016 0015 48

Et2/0 10.10.18.1 Et3/0* 192.168.10.162 11 0045 0045 39

Et0/0.1 192.168.3.185 Et1/0.1 172.16.10.2 06 0089 0089 48

Et0/0.1 10.10.11.1 Et1/0.1 172.16.30.51 06 0019 0019 49

Et0/0.1 10.254.254.235 Et1/0.1 172.16.10.2 11 00A1 00A1 48

Et2/0 192.168.23.2 Et3/0* 192.168.10.2 01 0000 0000 39

Et0/0.1 10.251.10.1 Et1/0.1 172.16.10.2 01 0000 0800 47

R3#

Note

The asterisk (*) immediately following the “DstIf” field indicates that the flow being shown is an egress flow.

The following output of the show ip cache flow command on a Cisco 7600 series router shows the source interface some of the traffic in the NetFlow hardware cache on the PFC is VPN Red.

PE1# show ip cache flow

-------------------------------------------------------------------------------

MSFC:


1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480

.000 .685 .309 .000 .000 .000 .000 .003 .000 .000 .000 .000 .000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608

.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000













TCP-BGP 10 0.0 1 49 0.0 0.0 15.3

TCP-other 6 0.0 2 49 0.0 4.5 15.5

UDP-other 28 0.0 74 63 0.1 320.5 12.7

IP-other 6 0.0 153 80 0.0 1488.3 1.7

Total: 50 0.0 60 68 0.2 358.6 12.2

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Fa1/1 172.16.1.1 Null 224.0.0.2 11 0286 0286 74

Fa1/1 172.16.1.1 Null 224.0.0.5 59 0000 0000 33

-------------------------------------------------------------------------------

PFC:

Displaying Hardware entries in Module 5

SrcIf SrcIPaddress DstIPaddress Pr SrcP Dss

Fa1/1 172.20.1.2 172.20.1.3 0 0 0

Fa1/1 172.20.1.3 172.20.1.2 0 0 0

Fa1/1 172.16.1.2 172.16.2.6 0 0 0

Fa1/1 172.16.1.1 224.0.0.2 udp 646 64

vpn:red 10.2.0.2 10.1.1.1 0 0 0

.

.

.

PE1#

The table below describes the significant fields shown in the flow switching cache lines of the display.


181


Table 7

Field

bytes active inactive added ager polls

show ip cache flow Field Descriptions in Flow Switching Cache Display

flow alloc failures last clearing of statistics

Description

Number of bytes of memory used by the NetFlow cache.

Number of active flows in the NetFlow cache at the time this command was entered.

Number of flow buffers that are allocated in the

NetFlow cache, but were not currently assigned to a specific flow at the time this command was entered.

Number of flows created since the start of the summary period.

Number of times the NetFlow code looked at the cache to cause entries to expire (used by Cisco for diagnostics only).

Number of times the NetFlow code tried to allocate a flow but could not.

Standard time output (hh:mm:ss) since the clear ip

flow stats privileged EXEC command was executed. This time output changes to hours and days after the time exceeds 24 hours.

The table below describes the significant fields shown in the activity by protocol lines of the display.

Table 8 show ip cache flow Field Descriptions in Activity by Protocol Display

Field

Protocol

Description

IP protocol and the well-known port number. (Refer to

http://www.iana.org

, Protocol Assignment

Number Services , for the latest RFC values.)

Note

Only a small subset of all protocols is displayed.

Total Flows

Flows/Sec

Packets/Flow

Number of flows in the cache for this protocol since the last time the statistics were cleared.

Average number of flows for this protocol per second; equal to the total flows divided by the number of seconds for this summary period.

Average number of packets for the flows for this protocol; equal to the total packets for this protocol divided by the number of flows for this protocol for this summary period.

182



Field

Bytes/Pkt

Packets/Sec

Active(Sec)/Flow

Idle(Sec)/Flow

Description

Average number of bytes for the packets for this protocol; equal to the total bytes for this protocol divided by the total number of packets for this protocol for this summary period.

Average number of packets for this protocol per second; equal to the total packets for this protocol divided by the total number of seconds for this summary period.

Number of seconds from the first packet to the last packet of an expired flow divided by the number of total flows for this protocol for this summary period.

Number of seconds observed from the last packet in each nonexpired flow for this protocol until the time at which the show ip cache verbose flow command was entered divided by the total number of flows for this protocol for this summary period.

The table below describes the significant fields in the NetFlow record lines of the display.

Table 9 show ip cache flow Field Descriptions in NetFlow Record Display

Field

SrcIf

Description

Interface on which the packet was received.

SrcIPaddress

DstIf

IP address of the device that transmitted the packet.

Interface from which the packet was transmitted.

Note

If an asterisk (*) immediately follows the

DstIf field, the flow being shown is an egress flow.

DstIPaddress

Pr

SrcP

DstP

Pkts

IP address of the destination device.

IP protocol “well-known” port number, displayed in hexadecimal format. (Refer to

http:// www.iana.org

, Protocol Assignment Number

Services , for the latest RFC values.)

The source protocol port number in hexadecimal.

The destination protocol port number in hexadecimal.

Number of packets switched through this flow.


183



Command

clear ip flow stats





Description

Clears the NetFlow accounting statistics.




184


mask (IPv4) through top show ip cache flow aggregation

show ip cache flow aggregation

To display the NetFlow accounting aggregation cache statistics, use the show ip cache flow aggregation command in user EXEC or privileged EXEC mode.

show ip cache [prefix mask] [interface-type interface-number] [verbose] flow aggregation {as | as-

tos | bgp-nexthop-tos | destination-prefix | destination-prefix-tos | prefix | prefix-port | prefix-tos

| protocol-port | protocol-port-tos | source-prefix | source-prefix-tos}


prefix mask


verbose as as-tos bgp-nexthop-tos destination-prefix destination-prefix-tos prefix prefix-port prefix-tos protocol-port


(Optional) Displays only the entries in the cache that match the interface type and interface number combination.

(Optional) Displays additional information from the aggregation cache.

Displays the configuration of the autonomous system aggregation cache scheme.

Displays the configuration of the autonomous system type of service (ToS) aggregation cache scheme.

Displays the BGP next hop and ToS aggregation cache scheme.

Note



Router.

Displays the configuration of the destination prefix aggregation cache scheme.

Displays the configuration of the destination prefix

ToS aggregation cache scheme.

Displays the configuration of the prefix aggregation cache scheme.

Displays the configuration of the prefix port aggregation cache scheme.

Displays the configuration of the prefix ToS aggregation cache scheme.

Displays the configuration of the protocol port aggregation cache scheme.


185

show ip cache flow aggregation protocol-port-tos source-prefix source-prefix-tos

Command Modes


Command History

Release

12.0(3)T

12.0(15)S

12.2(14)S

12.3(1)

12.2(18)S

12.0(26)S

12.2(27)SBC

12.2(14)SX

12.2(17b)SXA

12.2(17d)SXB

12.2(18)SXF

12.2(33)SRA

12.2(31)SB2

186

Cisco IOS NetFlow Command Reference mask (IPv4) through top

Displays the configuration of the protocol port ToS aggregation cache scheme.

Displays the configuration of the source prefix aggregation cache scheme.

Displays the configuration of the source prefix ToS aggregation cache scheme.

Modification


This command was modified to include new show output for ToS aggregation schemes.


Release 12.2(14)S.


















Release

12.2(33)SRB

Modification

This command was modified to show the VPN name and VPN ID in the display output.


Some of the content in the display of the show ip cache flow aggregationcommand uses multiline headings and multiline data fields.

show ip cache flow aggregation, page 185

uses an example of the output from the show ip cache verbose flowto show how to associate the headings with the correct data fields when there are two or more lines of headings and two or more lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields, and so on.



If you enter the show ip cache flow aggregation command without the module num, the softwareswitched aggregation cache on the RP is displayed.


187


Examples


The VPN name and ID are shown in the display output in the format VPN:vpn-id.


Forwarding

On platforms running Distributed Cisco Express Forwarding (dCEF), NetFlow cache information is maintained on each line card or Versatile Interface Processor. To display this information on a distributed platform by use of the show ip cache flow command, you must enter the command at a line card prompt.




To display NetFlow cache information using the show ip cache flow command on a Cisco 7500 series router that is running dCEF, enter the following sequence of commands:


LCslot-number







To display NetFlow cache information using the show ip cache flow command on a Cisco 12000 Series

Internet Router, enter the following sequence of commands:


LCslot-number






The following is a sample display of an autonomous system aggregation cache with the show ip cache flow

aggregation as command:

Router# show ip cache flow aggregation as




Src If Src AS Dst If Dst AS Flows Pkts B/Pk Active

Fa1/0 0 Null 0 1 2 49 10.2

Fa1/0 0 Se2/0 20 1 5 100 0.0

188



The following is a sample display of an autonomous system aggregation cache for the prefix mask 10.0.0.0

255.0.0.0 with the show ip cache flow aggregation ascommand:

Router# show ip cache 10.0.0.0 255.0.0.0 flow aggregation as




Src If Src AS Dst If Dst AS Flows Pkts B/Pk Active e1/2 0 Null 0 1 2 49 10.2

e1/2 0 e1/2 20 1 5 100 0.0

The following is a sample display of an destination prefix TOS cache with the show ip cache flow

aggregation destination-prefix-tos command:

Router# show ip cache flow aggregation destination-prefix-tos










Dst If Dst Prefix Msk AS TOS Flows Pkts B/Pk Active

Null 224.0.0.0 /24 0 C0 2 6 72 132.1

Et1/0.1 172.16.30.0 /24 0 00 2 134 28 121.1

Et1/0.1 172.16.30.0 /24 0 80 12 804 780 124.6

Et1/0.1 172.16.10.0 /24 0 00 4 268 1027 121.1

Et1/0.1 172.16.10.0 /24 0 80 12 804 735 123.6

Et3/0 192.168.10.0 /24 0 80 10 669 755 121.8

Et3/0 192.168.10.0 /24 0 00 2 134 28 121.2

Router#

The following is a sample display of an prefix port aggregation cache with the show ip cache flow

aggregation prefix-portcommand:

Router# show ip cache flow aggregation prefix-port










Src If Src Prefix Msk Dst If Dst Prefix Msk Flows Pkts

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 2 132

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 1 66

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 1 67

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 1 67

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 1 66

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 1 66

Et2/0 0.0.0.0 /0 Et3/0 192.168.10.0 /24 1 66

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 1 66

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 1 66

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 1 67

Et0/0.1 172.16.6.0 /24 Null 224.0.0.0 /24 1 3

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 1 66

Et2/0 0.0.0.0 /0 Et3/0 192.168.10.0 /24 1 66

Et2/0 0.0.0.0 /0 Et3/0 192.168.10.0 /24 1 66

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 1 66

Et2/0 0.0.0.0 /0 Et3/0 192.168.10.0 /24 1 66

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 1 67

Et2/0 0.0.0.0 /0 Et3/0 192.168.10.0 /24 1 67

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 1 66

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 1 66

Et2/0 0.0.0.0 /0 Et3/0 192.168.10.0 /24 1 67

Router#


189


The following is a sample display of an prefix port aggregation cache for the prefix mask 172.16.0.0

255.255.0.0 with the show ip cache 172.16.0.0 255.255.0.0 flow aggregation prefix-port command:

Router# show ip cache 172.16.0.0 255.255.0.0 flow aggregation prefix-port










Src If Src Prefix Msk Dst If Dst Prefix Msk Flows Pkts

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 6 404

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 3 203

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 3 203

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 3 202

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 3 203

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 3 201

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 3 202

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 3 202

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 3 202

Et0/0.1 172.16.6.0 /24 Null 224.0.0.0 /24 2 6

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 3 203

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 3 203

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 3 203

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 3 202

Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 3 203

Router#

The following is a sample display of an protocol port aggregation cache with the show ip cache flow

aggregation protocol-port command:

Router# show ip cache flow aggregation protocol-port










Protocol Source Port Dest Port Flows Packets Bytes/Packet Active

0x01 0x0000 0x0000 4 270 28 242.4

0x01 0x0000 0x0000 8 541 290 244.4

0x06 0x0041 0x0041 4 271 1140 243.3

0x06 0x0041 0x0041 4 271 1140 243.4

0x11 0x00A1 0x00A1 4 271 156 243.4

0x11 0x0043 0x0043 4 271 156 243.4

0x06 0x00B3 0x00B3 4 271 1140 243.4

0x06 0x0035 0x0035 4 270 1140 242.5

0x11 0x0045 0x0045 4 271 156 243.3

0x06 0x0016 0x0015 4 270 840 242.5

0x06 0x0016 0x0015 12 810 840 244.5

0x06 0x0077 0x0077 4 271 1340 243.3

0x01 0x0000 0x0800 4 270 1500 242.5

0x06 0x0019 0x0019 4 271 168 243.4

0x06 0x0089 0x0089 4 271 296 243.4

0x11 0x0208 0x0208 3 9 72 222.1

0x06 0x00DC 0x00DC 4 271 1140 243.4

0x06 0x006E 0x006E 4 271 296 243.4

0x06 0x027C 0x027C 4 271 1240 243.4

Router#

The table below describes the significant fields shown in the output of the show ip cache flow aggregation command.

190



Table 10

Field

bytes active inactive added ager polls

Src If

Src AS

Src Prefix

Msk

Dst If

AS

TOS

Dst AS

Dst Prefix

Flows

Pkts

B/Pk

Field Descriptions for the show ip cache flow aggregation command

Description




NetFlow cache, but are not currently assigned to a specific flow at the time this command is entered.


Number of times the NetFlow code looked at the cache to cause entries to expire. (Used by Cisco for diagnostics only.)

Specifies the source interface.

Specifies the source autonomous system.

The prefix for the source IP addresses.

The numbers of bits in the source or destination prefix mask.

Specifies the destination interface.

Autonomous system. This is the source or destination AS number as appropriate for the keyword used. For example, if you enter the show

ip cache flow aggregation destination-prefix-tos command, this is the destination AS number.

The value in the type of service (ToS) field in the packets.

Specifies the destination autonomous system.

The prefix for the destination IP addresses

Number of flows.

Number of packets.

Average number of bytes observed for the packets seen for this protocol (total bytes for this protocol or the total number of flows for this protocol for this summary period).


191


Field

Active

Protocol

Source Port

Dest Port

Packets

Bytes/Packet


Command cache




mask (IPv4)





Description

The time in seconds that this flow has been active at the time this command was entered.





The source port value in hexadecimal.

The destination port value in hexadecimal.

The number of packets sene in the aggregated flow.

The average size of packets sene in the aggregated flow.

Description







Displays a summary of the NetFlow aggregation cache accounting statistics.


Displays the statistics for the data export.


192


mask (IPv4) through top show ip cache verbose flow

show ip cache verbose flow

To display a detailed summary of the NetFlow accounting statistics, use the show ip cache verbose flow command in user EXEC or privileged EXEC mode.

show ip cache [prefix mask] [type number] verbose flow


prefix mask

type number


(Optional) Displays only the entries in the cache that match the interface type and number combination.

Command Modes


Command History

Release

11.1

11.1CA

12.3(1)

12.0(24)S

12.3(4)T

12.3(6)

12.2(14)S

12.2(18)S

12.3(8)T

Modification


The information display for the command was updated.


Multiprotocol Label Switching (MPLS) flow records were added to the command output.

The execute-on command was implemented on the

Cisco 7500 platforms to include the remote execution of the show ip cache verbose

flowcommand.


Release 12.3(6).


Release 12.2(14)S.


MPLS flow records were added to the command output for Cisco IOS Release 12.3(8)T.


193


Release

12.3(11)T

12.3(14)T

12.2(27)SBC

12.2(14)SX

12.2(17b)SXA

12.2(17d)SXB

12.2(18)SXE

12.2(18)SXF

12.2(33)SRA

12.2(31)SB2

Modification

Support for egress flow accounting was added, and the [prefix mask] and [type number] arguments were removed.

Support for NetFlow Layer 2 and Security

Monitoring Exports was added.








The output was changed to add fragment offset

(FO) information on the Supervisor Engine 720 only.








Use the show ip cache verbose flowcommand to display flow record fields in the NetFlow cache in addition to the fields that are displayed with the show ip cache flowcommand. The values in the additional fields that are shown depend on the NetFlow features that are enabled and the flags that are set in the flow.

Note

The flags, and therefore the fields, might vary from flow to flow.

Some of the content in the display of the show ip cache verbose flowcommand uses multiline headings

and multiline data fields.

show ip cache verbose flow, page 193

uses an example of the output from the

show ip cache verbose flowto show how to associate the headings with the correct data fields when there are two or more lines of headings and two or more lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields, and so on.


194



NetFlow Multicast Support

When the NetFlow Multicast Support feature is enabled, the show ip cache verbose flow command displays the number of replicated packets and the packet byte count for NetFlow multicast accounting.

When you configure the NetFlow Version 9 Export Format feature, this command displays additional

NetFlow fields in the header.

MPLS-aware NetFlow

When you configure the MPLS-aware NetFlow feature, you can use the show ip cache verbose flow command to display both the IP and MPLS portions of MPLS flows in the NetFlow cache on a router line card. To display the IP portion of the flow record in the NetFlow cache when MPLS-aware NetFlow is configured, use the show ip cache flow command. NetFlow accounts for locally destined MPLS to IP VPN packets and displays the destination interface as Null instead of Local for these packets.

NetFlow BGP Nexthop

The NetFlow bgp-nexthop command can be configured when either the Version 5 export format or the

Version 9 export format is configured. The following caveats apply to the bgp-nexthop command:

• The values for the BGP nexthop IP address are exported to a NetFlow collector only when the Version

9 export format is configured.


195


• In order for the BGP information to be populated in the main cache you must either have a NetFlow export destination configured or NetFlow aggregation configured.


Forwarding

On platforms running distributed Cisco Express Forwarding, NetFlow cache information is maintained on each line card or Versatile Interface Processor. If you want to use the show ip cache verbose flow command to display this information on a distributed platform, you must enter the command at a line card prompt.


The module number keyword and argument are supported on Distributed Forwarding Card-equipped

(DFC) modules only.




To display detailed NetFlow cache information on a Cisco 7500 series router that is running distributed

Cisco Express Forwarding, enter the following sequence of commands:


LCslot-number

# show ip cache verbose

flow

For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:


show ip cache verbose

flow

Gigabit Switch Router (GSR)

To display detailed NetFlow cache information on a Gigabit Switch Router, enter the following sequence of commands:


LCslot-number


flow




flow

196



Examples show ip cache verbose flow

The following is sample output from the show ip cache verbose flow command:



1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480

.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608

.000 .000 .000 .206 .793 .000 .000 .000 .000 .000 .000

The preceding output shows the percentage distribution of packets by size. In this display, 20.6 percent of the packets fall in the 1024-byte size range and 79.3 percent fall in the 1536-byte range.

The next section of the output can be divided into three sections. The section and the table corresponding to each are as follows:













TCP-Telnet 1 0.0 362 940 2.7 60.2 0.0

TCP-FTP 1 0.0 362 840 2.7 60.2 0.0

TCP-FTPD 1 0.0 362 840 2.7 60.1 0.1

TCP-SMTP 1 0.0 361 1040 2.7 60.0 0.1

UDP-other 5 0.0 1 66 0.0 1.0 10.6

ICMP 2 0.0 8829 1378 135.8 60.7 0.0

Total: 11 0.0 1737 1343 147.0 33.4 4.8



Et0/0.1 10.251.138.218 Et1/0.1 172.16.10.2 06 80 00 65

0015 /0 0 0015 /0 0 0.0.0.0 840 10.8

MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)

Min plen: 840 Max plen: 840

Min TTL: 59 Max TTL: 59

IP id: 0

Et0/0.1 172.16.6.1 Et1/0.1 172.16.10.2 01 00 00 4880

0000 /0 0 0000 /0 0 0.0.0.0 1354 20.1




ICMP type: 0 ICMP code: 0

IP id: 2943 FO: 185

Et2/0 192.168.137.78 Et3/0* 192.168.10.67 06 80 00 3

0041 /0 0 0041 /24 0 172.17.7.2 1140 1.8

FFlags: 01

MAC: (VLAN id) aabb.cc00.2002 (000) aabb.cc00.2201 (000)


IP id: 0

Et0/0.1 10.10.13.1 Et1/0.1 172.16.10.2 06 80 00 65

0017 /0 0 0017 /0 0 0.0.0.0 940 10.8




IP id: 0

Et2/0 10.234.53.1 Et3/0* 192.168.10.32 06 80 00 3

0016 /0 0 0015 /24 0 172.17.7.2 840 1.7

FFlags: 01



IP id: 0

Et0/0.1 10.106.1.1 Et1/0.1 172.16.10.2 01 00 00 1950

0000 /0 0 0000 /0 0 0.0.0.0 1354 8.6




197



ICMP type: 0 ICMP code: 0

IP id: 13499 FO: 185

Et2/0 10.10.18.1 Et3/0* 192.168.10.162 11 80 10 4

0045 /0 0 0045 /24 0 172.17.7.2 156 2.7

FFlags: 01



IP id: 0

Note

The asterisk (*) immediately following the “DstIf” field indicates that the flow being shown is an egress flow.

GUID-8760A31F-9735-4E81-954F-3C319C902AF82

describes the significant fields shown in the

NetFlow cache section of the output.

Table 11 Field Descriptions in the NetFlow Cache Section of the Output

Field

bytes active inactive added ager polls flow alloc failures last clearing of statistics

Description




NetFlow cache but that were not assigned to a specific flow at the time this command was entered.


Number of times the NetFlow code caused entries to expire (used by Cisco for diagnostics only).

Number of times the NetFlow code tried to allocate a flow but could not.

The period of time that has passed since the clear

ip flow stats privileged EXEC command was last executed. The standard time output format of hours, minutes, and seconds (hh:mm:ss) is used for a period of time less than 24 hours. This time output changes to hours and days after the time exceeds 24 hours.

The table below describes the significant fields shown in the activity by protocol section of the output.

Table 12 Field Descriptions in the Activity by Protocol Section of the Output

Field

Protocol

Description

The types of IP protocols that are in the flows.

198



Field

Total Flows

Flows/Sec

Packets/Flow

Bytes/Pkt

Packets/Sec

Active(Sec)/Flow

Idle(Sec)/Flow

Description

Number of flows in the cache for this protocol since the last time the statistics were cleared.

Average number of flows for this protocol per second; equal to the total flows divided by the number of seconds for this summary period.

Average number of packets for the flows for this protocol; equal to the total packets for this protocol divided by the number of flows for this protocol for this summary period.

Average number of bytes for the packets for this protocol; equal to the total bytes for this protocol divided by the total number of packets for this protocol for this summary period.

Average number of packets for this protocol per second; equal to the total packets for this protocol divided by the total number of seconds for this summary period.

Number of seconds from the first packet to the last packet of an expired flow divided by the number of total flows for this protocol for this summary period.

Number of seconds observed from the last packet in each nonexpired flow for this protocol until the time at which the show ip cache verbose flow command was entered divided by the total number of flows for this protocol for this summary period.

The table below describes the significant fields in the NetFlow record section of the output.

Table 13 Field Descriptions for the NetFlow Record Section of the Output

Field

SrcIf

Port Msk AS

SrcIPaddress

Description

Interface on which the packet was received.

Source port number (displayed in hexadecimal format), IP address mask, and autonomous system number. The value of this field is always set to 0 in

MPLS flows.

IP address of the device that transmitted the packet.


199


Field

DstIf

Port Msk AS

DstIPaddress

NextHop

Pr

ToS

B/Pk

Flgs

Pkts

Active

MAC

VLAN id

Min plen

Max plen

200


Description

Interface from which the packet was transmitted.

Note

If an asterisk (*) immediately follows the

DstIf field, the flow being shown is an egress flow.

Destination port number (displayed in hexadecimal format), IP address mask, and autonomous system.

This is always set to 0 in MPLS flows.

IP address of the destination device.

The BGP next-hop address. This is always set to 0 in MPLS flows.





Type of service, displayed in hexadecimal format.

Average number of bytes observed for the packets seen for this protocol.

TCP flags, shown in hexadecimal format (result of bitwise OR of TCP flags from all packets in the flow).

Number of packets in this flow.


Source and destination MAC addresses from the

Layer 2 frames in the flow.

Source and destination VLAN IDs from the Layer 2 frames in the flow.

Minimum packet length for the packets in the flows.

Note

This value is updated when a datagram with a lower value is received.

Maximum packet length for the packets in the flows.

Note

This value is updated when a datagram with a higher value is received.


Field

Min TTL

Max TTL

IP id

ICMP type

ICMP code

FO

Description

Minimum Time-To-Live (TTL) for the packets in the flows.

Note

This value is updated when a datagram with a lower value is received.

Maximum TTL for the packets in the flows.

Note

This value is updated when a datagram with a higher value is received.

IP identifier field for the packets in the flow.

Internet Control Message Protocol (ICMP) type field from the ICMP datagram in the flow.

ICMP code field from the ICMP datagram in the flow.

Value of the fragment offset field from the first fragmented datagram in the second flow.

The following example shows the NetFlow output from the show ip cache verbose flow command in which the sampler, class ID, and general flags are set. What is displayed for a flow depends on what flags are set in the flow. If the flow was captured by a sampler, the output shows the sampler ID. If the flow was marked by Modular QoS CLI (MQC), the display includes the class ID. If any general flags are set, the output includes the flags.


.

.

.



BGP: BGP NextHop

Et1/0 10.8.8.8 Et0/0* 10.9.9.9 01 00 10 3

0000 /8 302 0800 /8 300 10.3.3.3 100 0.1

BGP: 2.2.2.2 Sampler: 1 Class: 1 FFlags: 01

The table below describes the significant fields shown in the NetFlow output for a sampler, for an MQC policy class, and for general flags.

Table 14 show ip cache verbose flow Field Descriptions for a NetFlow Sampler, an MCQ Policy Class, and

General Flags

Field (with Sample Values)

Sampler

Class

Description

ID of the sampler that captured the flow. The sampler ID in this example is 1.

ID of the Modular QoS CLI (MQC) traffic class.

The class ID in this example is 1.


201


Field (with Sample Values)

FFlags

Description

General flow flag (shown in hexadecimal format), which is either the bitwise or one or more of the following:

• 01 indicates an output (or egress) flow. (If this bit is not set, the flow is an input [or ingress] flow.)

• 02 indicates a flow that was dropped (for example, by an access control list [ACL]).

• 04 indicates a Multiprotocol Label Switching

(MPLS) flow.

• 08 indicates an IP version 6 (IPv6) flow.

The flow flag in this example is 01 (an egress flow).

The following example shows the NetFlow output from the show ip cache verbose flowcommand when

NetFlow BGP next-hop accounting is enabled:


.

.

.



BGP:BGP_NextHop

Et0/0/2 10.0.0.2 Et0/0/4 10.0.0.5 01 00 10 20

0000 /8 0 0800 /8 0 10.0.0.6 100 0.0

BGP:26.0.0.6

Et0/0/2 10.0.0.2 Et0/0/4 10.0.0.7 01 00 10 20

0000 /8 0 0800 /8 0 10.0.0.6 100 0.0

BGP:26.0.0.6

Et0/0/2 10.0.0.2 Et0/0/4 10.0.0.7 01 00 10 20

0000 /8 0 0000 /8 0 10.0.0.6 100 0.0

BGP:26.0.0.6

The table below describes the significant fields shown in the NetFlow BGP next-hop accounting lines of the output.

Table 15 show ip cache verbose flow Field Descriptions in NetFlow BGP Next-Hop Accounting Output

Field

BGP:BGP_NextHop

Description

Destination address for the BGP next hop.

The following example shows the NetFlow output from the show ip cache verbose flowcommand when

NetFlow multicast accounting is configured:


.

.

.



IPM:OPkts OBytes

IPM: 0 0

Et1/1/1 10.0.0.1 Null 192.168.1.1 01 55 10 100

202



0000 /8 0 0000 /0 0 0.0.0.0 28 0.0

IPM: 100 2800

Et1/1/1 10.0.0.1 Se2/1/1.16 192.168.1.1 01 55 10 100

0000 /8 0 0000 /0 0 0.0.0.0 28 0.0

IPM: 0 0

Et1/1/2 10.0.0.1 Et1/1/4 192.168.2.2 01 55 10 100

0000 /8 0 0000 /0 0 0.0.0.0 28 0.1

Et1/1/2 10.0.0.1 Null 192.168.2.2 01 55 10 100

0000 /8 0 0000 /0 0 0.0.0.0 28 0.1

IPM: 100 2800

The table below describes the significant fields shown in the NetFlow multicast accounting lines of the output.

Table 16 show ip cache verbose flow Field Descriptions in NetFlow Multicast Accounting Output

Field

OPkts

OBytes

DstIPaddress

Description

Number of IP multicast (IPM) output packets.

Number of IPM output bytes.

Destination IP address for the IPM output packets.

The following example shows the output for both the IP and MPLS sections of the flow record in the

NetFlow cache when MPLS-aware NetFlow is enabled:


.

.

.



PO3/0 10.1.1.1 PO5/1 10.2.1.1 01 00 10 9

0100 /0 0 0200 /0 0 0.0.0.0 100 0.0

Pos:Lbl-Exp-S 1:12305-6-0 (LDP/10.10.10.10) 2:12312-6-1

The table below describes the significant fields for the IP and MPLS sections of the flow record in the output.

Table 17 show ip cache verbose flow Field Descriptions for the IP and MPLS Sections of the Flow Record in the Output

Field

Pos

Lbl

Exp

S

LDP/10.10.10.10

Description

Position of the MPLS label in the label stack, starting with 1 as the top label.

Value given to the MPLS label by the router.

Value of the experimental bit.

Value of the end-of-stack bit. Set to 1 for the oldest entry in the stack and to 0 for all other entries.

Type of MPLS label and associated IP address for the top label in the MPLS label stack.


203



Command attach

clear ip flow stats

execute-on





Description

Connects to a specific line card for the purpose of executing monitoring and maintenance commands on that line card only.

Clears the NetFlow accounting statistics.

Executes commands on a line card.




204


mask (IPv4) through top show ip cache verbose flow aggregation

show ip cache verbose flow aggregation

To display the aggregation cache configuration, use the show ip cache verbose flow aggregation command in user EXEC and privileged EXEC mode.

show ip cache [prefix mask] [interface-type interface-number] [verbose] flow aggregation {as | as-

tos | bgp-nexthop-tos | destination-prefix | destination-prefix-tos | prefix | prefix-port | prefix-tos

| protocol-port | protocol-port-tos | source-prefix | source-prefix-tos | exp-bgp-prefix}


prefix mask


verbose as as-tos bgp-nexthop-tos destination-prefix destination-prefix-tos prefix prefix-port prefix-tos protocol-port


(Optional) Displays only the entries in the cache that match the interface type and interface number combination.

(Optional) Displays additional information from the aggregation cache.

Displays the configuration of the autonomous system aggregation cache scheme.

Displays the configuration of the autonomous system type of service (ToS) aggregation cache scheme.

Displays the BGP next hop and ToS aggregation cache scheme.

Note



Router.

Displays the configuration of the destination prefix aggregation cache scheme.

Displays the configuration of the destination prefix

ToS aggregation cache scheme.

Displays the configuration of the prefix aggregation cache scheme.

Displays the configuration of the prefix port aggregation cache scheme.

Displays the configuration of the prefix ToS aggregation cache scheme.

Displays the configuration of the protocol port aggregation cache scheme.


205

show ip cache verbose flow aggregation protocol-port-tos source-prefix source-prefix-tos exp-bgp-prefix

Command Modes


Command History

Release

12.0(3)T

12.0(15)S

12.2(14)S

12.3(1)

12.2(18)S

12.2(27)SBC

12.2(14)SX

12.2(17b)SXA

12.2(17d)SXB

12.2(18)SXE

12.2(18)SXF

206


Displays the configuration of the protocol port ToS aggregation cache scheme.

Displays the configuration of the source prefix aggregation cache scheme.

Displays the configuration of the source prefix ToS aggregation cache scheme.

Displays the configuration of the exp-bgp-prefix aggregation cache scheme.

Modification


This command was modified to include new show output for ToS aggregation schemes.


Release 12.2(14)S.










The output was changed to add fragment offset

(FO) information on the Supervisor Engine 720 only.




Release

12.2(33)SRA

12.2(31)SB2

Modification




Release 12.2(31)SB2. The exp-bgp-prefix aggregation cache was added.


Use the show ip cache verbose flow aggregationcommand to display flow record fields in the NetFlow aggregation cache in addition to the fields that are displayed with the show ip cache flow

aggregationcommand. The values in the additional fields that are shown depend on the NetFlow features that are enabled and the flags that are set in the flow.

Note

The flags, and therefore the fields, might vary from flow to flow.

Some of the content in the display of the show ip cache verbose flow aggregationcommand uses multiline headings and multiline data fields.

show ip cache verbose flow aggregation, page 205

uses an example of the output from the show ip cache verbose flowto show how to associate the headings with the correct data fields when there are two or more lines of headings and two or more lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields, and so on.

When other features such as IP Multicast are configured, the number of lines in the headings and data fields increases. The method for associating the headings with the correct data fields remains the same


207

show ip cache verbose flow aggregation mask (IPv4) through top

NetFlow Multicast Support

When the NetFlow Multicast Support feature is enabled, the show ip cache verbose flow command displays the number of replicated packets and the packet byte count for NetFlow multicast accounting.

When you configure the NetFlow Version 9 Export Format feature, this command displays additional

NetFlow fields in the header.

MPLS-aware NetFlow

When you configure the MPLS-aware NetFlow feature, you can use the show ip cache verbose

flowcommand to display both the IP and MPLS portions of MPLS flows in the NetFlow cache on a router line card. To display only the IP portion of the flow record in the NetFlow cache when MPLS-aware

NetFlow is configured, use the show ip cache flowcommand.

NetFlow BGP Nexthop

The NetFlow bgp-nexthop command can be configured when either the Version 5 export format or the

Version 9 export format is configured. The following caveats apply to the bgp-nexthop command:

• The values for the BGP nexthop IP address are exported to a NetFlow collector only when the Version

9 export format is configured.

• In order for the BGP information to be populated in the main cache you must either have a NetFlow export destination configured or NetFlow aggregation configured.

208



Examples show ip cache verbose flow aggregation


Forwarding

On platforms running distributed Cisco Express Forwarding, NetFlow cache information is maintained on each line card or Versatile Interface Processor. If you want to use the show ip cache verbose flow command to display this information on a distributed platform, you must enter the command at a line card prompt.






To display detailed NetFlow cache information on a Cisco 7500 series router that is running distributed

Cisco Express Forwarding, enter the following sequence of commands:


LCslot-number


flow




flow


To display detailed NetFlow cache information on a Cisco 12000 Series Internet Router, enter the following sequence of commands:


LCslot-number


flow




flow

The following is a sample display of an prefix port aggregation cache with the show ip cache verbose flow

aggregation prefix-portcommand:

Router# show ip cache verbose flow aggregation prefix-port



209










Src If Src Prefix Dst If Dst Prefix TOS Flows Pkts

Port Msk Port Msk Pr B/Pk Active

Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 2 136

0016 /0 0015 /24 06 840 62.2

Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 68

00B3 /0 00B3 /24 06 1140 60.3

Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 68

0043 /0 0043 /24 11 156 60.3

Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 00 1 68

0000 /0 0000 /24 01 28 60.3

Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 1 68

0035 /0 0035 /24 06 1140 60.3

Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 68

0041 /0 0041 /24 06 1140 60.3

Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 68

006E /0 006E /24 06 296 60.3

FFlags: 01

Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 68

0016 /0 0015 /24 06 840 60.3

Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 00 1 68

0000 /0 0000 /24 01 554 60.3

Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 1 68

00A1 /0 00A1 /24 11 156 60.3

Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 1 67

00DC /0 00DC /24 06 1140 59.4

Et2/0 0.0.0.0 Et3/0 192.168.10.0 00 1 68

0000 /0 0000 /24 01 28 60.2

FFlags: 01

Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 67

0041 /0 0041 /24 06 1140 59.4

FFlags: 01

Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 68

0019 /0 0019 /24 06 168 60.3

Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 68

0016 /0 0015 /24 06 840 60.3

FFlags: 01

Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 67

027C /0 027C /24 06 1240 59.4

Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 68

0077 /0 0077 /24 06 1340 60.2

FFlags: 01

Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 00 1 68

0000 /0 0800 /24 01 1500 60.3

Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 1 68

0089 /0 0089 /24 06 296 60.3

Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 68

0045 /0 0045 /24 11 156 60.2

FFlags: 01

Router#

The table below describes the significant fields shown in the output of the show ip cache verbose flow

aggregation prefix-port command.

Table 18 show ip cache verbose flow aggregation Field Descriptions

Field

Src If

Src AS

Description


Specifies the source autonomous system.

210



Field

Src Prefix

Msk

Dst If

AS

TOS

Dst AS

Dst Prefix

Flows

Pkts

Port

Msk

Pr

B/Pk

Active

Description

The prefix for the source IP addresses.

The numbers of bits in the source or destination prefix mask.

Specifies the destination interface.

Autonomous system. This is the source or destination AS number as appropriate for the keyword used. For example, if you enter the show

ip cache flow aggregation destination-prefix-tos command, this is the destination AS number.

The value in the type of service (ToS) field in the packets.

Specifies the destination autonomous system.

The prefix for the destination IP addresses

Number of flows.

Number of packets.

The source or destination port number.

The source or destination prefix mask.







The following is a sample display of an exp-bgp-prefix aggregation cache with the show ip cache verbose

flow aggregation exp-bgp-prefix command:

Router# show ip cache verbose flow aggregation exp-bgp-prefix










Src If BGP Nexthop Label MPLS EXP Flows Pkts B/Pk Active

Gi4/0/0.102 10.40.40.40 0 0 1 5 100 0.0


211


The table below describes the significant fields shown in the output of the show ip cache verbose flow

aggregation exp-bgp-prefix command.

Table 19 show ip cache verbose flow aggregation Field Descriptions

Field

Src If

Flows

Pkts

B/Pk

Active

BGP Nexthop

Label

Description


Number of flows.

Number of packets.



The exit point from the MPLS cloud.

The MPLS label value.

Note

This value is set to zero on the Cisco 10000.

MPLS EXP The 3-bit value of the MPLS labels EXP field.


Command cache




mask (IPv4)




Description







Displays a summary of the NetFlow aggregation cache accounting statistics.


Displays the statistics for the data export.

212



Command


show ip cache verbose flow aggregation

Description



213

mask (IPv4) through top show ip flow export

show ip flow export

To display the status and the statistics for NetFlow accounting data export, including the main cache and all other enabled caches, use the show ip flow export command in user EXEC or privileged EXEC mode.

show ip flow export [sctp] [verbose] [template | nbar]

Syntax Description sctp verbose template nbar

(Optional) Displays the status and statistics for export destinations that are configured to use the

Stream Control Transmission Protocol (SCTP).

(Optional) Displays the current values for the SCTP fail-over and restore-time timers in addition to the status and statistics that are displayed by the show

ip flow export sctpcommand.

For a Multiprotocol Label Switching (MPLS)

Prefix/Application/Label (PAL) record, displays additional export information, such as the number of MPLS PAL records exported to a NetFlow collector.

(Optional) Displays the data export statistics (such as template timeout and refresh rate) for the template-specific configurations.

(Optional) Displays cumulative Network-Based

Application Recognition (NBAR) statistics.

Command Modes


Command History

Release

11.1CC

12.2(2)T

12.0(24)S

12.3(1)

12.2(14)S

Modification


This command was modified to display multiple

NetFlow export destinations.

The template keyword was added.

Support for the NetFlow v9 Export Format feature was added.


Release 12.2(14)S.

214



Release

12.2(18)S

12.2(27)SBC

12.2(14)SX

12.2(18)SXD

12.2(18)SXF

12.4(4)T

12.2(28)SB

12.2(33)SRA

12.2(31)SB2

12.2(33)SXI

12.4(24)T

12.2(18)ZYA2

Modification

Support for the NetFlow v9 Export Format, and

Multiple Export Destination features was added.





The output was changed to include information about NDE for hardware-switched flows.



The sctp and verbose keywords were added.

The number of MPLS PAL records exported by

NetFlow was added to the verbose keyword output.





The output was modified to display the data export version and aggregation cache scheme.

The output was modified to display information about Border Gateway Protocol (BGP) next-hop.


Examples

The following is sample output from the show ip flow export command with NetFlow export over User

Datagram Protocol (UDP) (the default NetFlow export transport protocol) configured on the networking device:

Note

No NetFlow export over SCTP destinations are configured.

Router# show ip flow export

Flow export v9 is enabled for main cache

Exporting flows to 172.17.10.2 (100)

Exporting using source interface Loopback0

Version 9 flow records, origin-as bgp-nexthop

Cache for as aggregation v9

62 flows exported in 17 udp datagrams

0 flows failed due to lack of export packet

8 export packets were sent up to process level

0 export packets were dropped due to no fib


215


0 export packets were dropped due to adjacency issues

0 export packets were dropped due to fragmentation failures

0 export packets were dropped due to encapsulation fixup failures

0 export packets were dropped enqueuing for the RP

0 export packets were dropped due to IPC rate limiting

0 export packets were dropped due to output drops

The following is sample output from the show ip flow export command with NetFlow export over UDP and NetFlow SCTP export destinations configured:

Router# show ip flow export



Exporting flows to 172.16.45.57 (100) via SCTP

Exporting using source interface Loopback0


Cache for as aggregation v9

Exporting flows to 192.168.247.198 (200) via SCTP

Exporting using source IP address 172.16.254.254


467 flows exported in 315 sctp messages






0 export packets were dropped due to encapsulation fixup failures

The table below describes the significant fields shown in the display of the show ip flow export command.

Table 20 show ip flow export Field Descriptions

Field

Exporting flows to

Description

Indicates the export destinations and ports. The ports are in parentheses.

Note

When the export destination is configured with the NetFlow Reliable Transport Using

SCTP feature the port number is followed by the text “via SCTP” in the display output.

Exporting using source IP address or Exporting using source interface

Indicates the source IP address or source interface.

Note

The source interface is used when you have configured the ip flow-export

sourceinterface-type interface-number command.

Version flow records

Cache for destination-prefix aggregation

Displays the version of the flow records.

Indicates the type of NetFlow aggregation caches that are configured.

Note

The indented lines below the name of the

NetFlow aggregation cache indicate the export parameters that are configured for this cache.

216



Field

Flows exported in udp datagrams

Flows exported in sctp messages

Description

Indicates the total number of export packets

(datagrams) sent over UDP, and the total number of flows contained within them.

Displays the total number of export packets

(messages) sent over SCTP, and the total number of flows contained within them.

Note

SCTP is a message-oriented transport protocol. Therefore, SCTP traffic is referred to as messages instead of datagrams.

Flows failed due to lack of export packet

Export packets were sent up to process level

Export packets were dropped due to no fib

Export packets were dropped due to adjacency issues

Export packets were dropped due to fragmentation failures

Export packets were dropped due to encapsulation fixup failures

Indicates the number of flows that failed because no memory was available to create an export packet.

The packet could not be processed by Cisco

Express Forwarding or by fast switching.

Indicates the number of packets that Cisco Express

Forwarding was unable to switch, or forward to the process level.

Indicates the number of packets that were dropped because of problems constructing the IP packet.

Export packets were dropped enqueuing for the RP

Export packets were dropped due to IPC rate limiting

Indicates the number of times that there was a problem transferring the export packet between the

RP and the line card.

Export packets were dropped due to output drops Indicates the number of times the packets were dropped when the send queue was full.

The following is sample output from the show ip flow export sctp command with NetFlow SCTP export primary and backup SCTP export destinations configured for the NetFlow main cache and the NetFlow destination-prefix aggregation cache. The primary SCTP export destinations are active:

Router# show ip flow export sctp

IPv4 main cache exporting to 172.16.45.57, port 100, none status: connected backup mode: fail-over

912 flows exported in 619 sctp messages.

0 packets dropped due to lack of SCTP resources fail-over time: 25 milli-seconds restore time: 25 seconds backup: 192.168.247.198, port 200

status: not connected

fail-overs: 2


0 packets dropped due to lack of SCTP resources destination-prefix cache exporting to 172.16.12.200, port 100, full status: connected backup mode: redundant



217



status: connected

fail-overs: 8


0 packets dropped due to lack of SCTP resources

The following is sample output from the show ip flow export sctp command with NetFlow SCTP export primary and backup SCTP export destinations configured for the NetFlow main cache and the NetFlow destination-prefix aggregation cache. The backup SCTP export destinations are active because the primary

SCTP export destinations are unavailable.

Router# show ip flow export sctp

IPv4 main cache exporting to 172.16.45.57, port 100, none status: fail-over backup mode: fail-over



status: connected, active for 00:00:24

fail-overs: 3


0 packets dropped due to lack of SCTP resources destination-prefix cache exporting to 172.16.12.200, port 100, full status: fail-over backup mode: redundant



status: connected, active for 00:00:00

fail-overs: 13


0 packets dropped due to lack of SCTP resources

Router#

The table below describes the significant fields shown in the display of the show ip flow export sctp and the show ip flow export sctp verbosecommands.

Table 21 show ip flow export sctp Field Descriptions

Field

IPv4 main cache exporting to 172.16.45.57, port

100, none

Description

Indicates the type of cache, the IP address and port number used to reach the destination, and the level of reliability for the association:

• IPv4 main cache--The type of NetFlow cache to which the display output applies.

• 172.16.45.57--The IP address used for the

SCTP export destination.

• port 100--The SCTP port used for the SCTP export destination.

• none--The level of reliability for this association.

Note

The reliability options are full and none.

218



Field

status backup mode flows exported in sctp messages packets dropped due to lack of SCTP resources

Description

The current state of each association. The states are:

• initializing--The association is being established.

• connected--The association is established.

Note

If this is a backup SCTP export destination configured for fail-over mode, you see an additional message indicating how long the association has been active. For example, active for 00:00:01.

• not connected--The association will be established when the primary SCTP export backup destination is no longer available.

• fail-over--The primary SCTP export destination is no longer available. The backup

SCTP export destination is being used.

• re-establishing--An association that has been active before is being reestablished.

The backup mode of each association. The modes are:

• redundant--The association is established

(connected).

Note

The fact that the association is established does not mean that it is being used to export

NetFlow data.

• fail-over--The association will be established after the primary association fails.

Indicates the total number of export packets

(messages) sent over SCTP, and the total number of flows contained within them.

Note

SCTP is a message-oriented transport protocol. Therefore, SCTP traffic is referred to as messages instead of datagrams.

The number of packets that were dropped due to lack of SCTP resources.


219


Field

fail-over time: milli-seconds restore time: seconds backup: 192.168.247.198 port 200 fail-overs destination-prefix cache exporting to

172.16.12.200, port 100, full

Description

The period of time that the networking device waits after losing connectivity to the primary SCTP export destination before attempting to use a backup SCTP export destination.

Note

This field is displayed when you use the

verbose keyword after the show ip flow

export sctp command.

The period of time that the networking device waits before reverting to the primary SCTP export destination after connectivity to it has been restored.

Note

This field is displayed when you use the

verbose keyword after the show ip flow

export sctp command.

The IP address and SCTP port used for the SCTP export backup destination.

• 192.168.247.198--The IP address of the SCTP backup association.

• port 200--The SCTP port used for the SCTP backup association.

The number of times that fail-over has occurred.

Indicates the type of cache configures, the destination address and port number for the SCTP export, and the level of reliability for the association:

• destination-prefix cache--The type of NetFlow aggregation cache configured.

• 172.16.12.200--The IP address used for the


• port 100--Indicates the SCTP port used for the


• full--The level of reliability for this association,

The following is sample output from the show ip flow export templatecommand:

Router# show ip flow export template

Template Options Flag = 1

Total number of Templates added = 4

Total active Templates = 4

Flow Templates active = 3

Flow Templates added = 3

Option Templates active = 1

Option Templates added = 1

Template ager polls = 2344

Option Template ager polls = 34

220



Main cache version 9 export is enabled

Template export information

Template timeout = 30

Template refresh rate = 20

Option export information

Option timeout = 800

Option refresh rate = 300

Aggregation cache destination-prefix version 9 export is enabled


Template timeout = 30

Template refresh rate = 20


Option timeout = 30

Option refresh rate = 20

The table below describes the significant fields shown in the display of the show ip flow export

templatecommand.

Table 22 show ip flow export template Field Descriptions

Field

Template Options Flag

Description

Identifies which options are enabled.

The values are:

• 0--No option template configured.

• 1--Version 9 option export statistics configured.

• 2--Random sampler option template configured.

• 4--Version 9 option export statistics for IPv6 configured.

Total number of Templates added

Total active Templates

Indicates the number of Flow Templates and

Option Templates that have been added since

Version 9 export was first configured.

The value in this field is the sum of the “Flow

Templates added” and the “Option Templates added” fields.

The value is incremented when a new template is created, because each template requires a unique

ID.

Sum of the values in the “Flow Templates active” and “Option Templates” active fields.

The value in this field is incremented when a new data template or option template is created.


221


Field

Flow Templates active

Flow Templates added

Option Templates active

Option Templates added

Template ager polls

Option Template ager polls

Main cache version 9 export is enabled

Description

Indicates the number of (data) templates in use for

Version 9 data export.

When a new data template is created, this count, the

“Total active Templates,” the “Flow Templates added,”and the “Total number of Templates added” counts are all incremented.

Note

When a data template is removed, only the

“Flow Templates active” count and the

“Total active Templates” count are decremented.

Indicates the number of Flow Templates and

Option Templates that have been added since

Version 9 export was first configured.

The value is incremented when a new flow template is created, because each template requires a unique

ID.

Indicates the number of option templates which are currently in use for Version 9 options export.

Configuring a new option increments this count and also the “Total active Templates,”the “Option

Templates added,” and the “Total number of

Templates added” counts.

Removing (unconfiguring) an option decrements only the “Option Templates active” count and the

“Total active Templates” count.

Indicates the number of Option Templates that have been added since Version 9 export was first configured.

The count is incremented when a new option template is created, because each template requires a unique ID.

The number of times, since Version 9 export was configured, that the (data) template ager has run.

The template ager checks up to 20 templates per invocation, resending any that need refreshed.

The number of times, since Version 9 export was configured, that the option template ager has run.

The template ager checks up to 20 templates per invocation, resending any that need refreshed.

NetFlow export Version 9 is enabled for the main

NetFlow cache.

222



Field


Description

Template timeout--The interval (in minutes) that the router waits after sending the templates (flow and options) before they are sent again. You can specify from 1 to 3600 minutes. The default is 30 minutes.

• Template refresh rate--The number of export packets that are sent before the options and flow templates are sent again. You can specify from 1 to 600 packets. The default is 20 packets.


• Option timeout--The interval (in minutes) that the router will wait after sending the options records before they are sent again. You can specify from 1 to 3600 minutes. The default is

30 minutes.

• Option refresh rate--The number of packets that are sent before the configured options records are sent again. You can specify from 1 to 600 packets. The default is 20 packets.

Aggregation cache destination-prefix version 9 export is enabled

NetFlow export Version 9 is enabled for the

NetFlow destination-prefix aggregation cache.

The following example displays the additional line in the show ip flow export command output when the

verbose keyword is specified and MPLS PAL records are being exported to a NetFlow collector:

Router# show ip flow export verbose





Cache for destination-prefix aggregation:



182128 MPLS PAL records exported







0 export packets were dropped due to encapsulation fixup failures swat72f3#

The line of output added for the MPLS PAL records precedes the “x flows exported in y UDP datagrams” line. In this example, the additional line of output precedes “189305 flows exported in 6823 UDP datagrams.”

The following example shows the sample output of the show ip flow export nbar command:

Router# show ip flow export nbar

Nbar netflow is enabled

10 nbar flows exported

0 nbar flows failed to export due to lack of internal buffers


223

show ip flow export


Command

ip flow-export




show mpls flow mappings


Description

Enables export of NetFlow accounting information in NetFlow cache entries.



Displays the NetFlow accounting configuration on interfaces.

Displays the full MPLS PAL table.

224


mask (IPv4) through top show ip flow top

show ip flow top

The documentation for the show ip flow top command was merged with the show ip flow top-talkers command in Cisco IOS Release 12.4(9)T.


225

mask (IPv4) through top show ip flow top-talkers

show ip flow top-talkers

To display the statistics for the NetFlow aggregated top talkers or unaggregated top flows, use the show ip

flow top-talkerscommand in user EXEC or privileged EXEC mode.

Cisco IOS Releases 12.4(9)T and Newer

{show ip flow top-talkers [verbose] | [number [from-cache main] aggregate aggregate-field

[sorted-by {aggregate | bytes | flows | packets} [ascending | descending]] [match match-field

match-value]]}

Cisco IOS Releases 12.4(4)T and 12.4(6)

show ip flow top number [from-cache main] aggregate aggregate-field [sorted-by {aggregate |

bytes | flows | packets} [ascending | descending]] [match match-field match-value]

show ip flow top-talkers [verbose]

Cisco IOS Releases Prior to 12.4(4)T

show ip flow top-talkers [verbose]

Syntax Description verbose

number

from-cache main

aggregate aggregate-field

sorted-by

(Optional) Displays additional details for the unaggregated top flows.

(Optional) Specifies the number of top talkers to show in the display. The range is 1 to 100.

(Optional) Specifies the cache that the display output is generated from.

Display output is generated from the main cache.

(Optional) The combination of the aggregate and the aggregate-field keywords and arguments specifies which field to aggregate for the display output. See the table below.

(Optional) Specifies which field to sort by. If this keyword is specified, you must select one of the following keywords:

• aggregate --Sort by the aggregated field in the display data.

•

bytes --Sort by the number of bytes in the display data.

• flows --Sort by the number of flows in the display data.

• packets --Sort by number of packets in the display data.

226


mask (IPv4) through top show ip flow top-talkers ascending descending

match match-field match-value

(Optional) Arranges the display output in ascending order.

(Optional) Arranges the display output in descending order.

(Optional) The combination of the match, match-

field , and match-value keywords and arguments specifies the field from the flows - and the value in the field - to match. See the table below.

Command Default

The show ip flow top-talkers number command string displays output in descending order based on the value in the sorted-by field.

The show ip flow top-talkers number command string displays data from the main NetFlow cache.

Command Modes


Command History

Release

Original version of the show ip flow top-talkers command (unaggregated top flows)

12.2(25)S

12.3(11)T

12.2(27)SBC

12.2(33)SRA

12.2(31)SB2

Modification



12.3(11)T.


12.2(27)SBC.


12.2(33)SRA.



Original version of the show ip flow top command

(aggregated top talkers)

12.4(4)T

Merged show ip flow top-talkers and show ip flow top commands

12.4(9)T


The show ip flow top command was merged into the show ip flow top-talkers command.


227


Release

12.2SX

Modification





You must have NetFlow configured before you can use the show ip flow top-talkerscommand.

The show ip flow top-talkers command can be used to display statistics for unaggregated top flows or aggregated top talkers. Prior to Cisco IOS release 12.4(9)T the show ip flow top-talkers command could only be used to display statistics for unaggregated top flows. In Cisco IOS release 12.4(9)T and newer releases, the show ip flow top-talkers command can be used to display statistics for both unaggregated top flows and aggregated top talkers.

Refer to the following sections for more information on using either of these methods:

Unaggregated Top Flows--All Cisco IOS Releases Prior to 12.4(9)T

When you use the show ip flow top-talkers command in releases prior to Cisco IOS release 12.4(9)T, the display output shows only separate (unaggregated) statistics for the number of top flows that you specified with the top command.

Note

The sort-by and top commands must be configured before you enter the show ip flow top-talkers

[verbose] command. Optionally, the match command can be configured to specify additional matching criteria. Refer to the configuration documentation for the “ NetFlow MIB and Top Talkers ” feature for more information on using the top, sort-by, and match commands.

This method of viewing flow statistics is useful for identifying the unique flows that are responsible for the highest traffic utilization in your network. For example, if you have a centralized WEB server farm and you want to see statistics for the top 50 flows between your servers and your users regardless of the network protocol or application in use, you can configure top 50 and use the show ip flow top-talkers verbose command to view the statistics from the 50 top flows.

Tip

If you want to limit the flows that are displayed to specific protocols or IP addresses, you can configure match criteria with the match command.

Displaying information on individual top flows will not provide you with a true map of your network utilization when the highest volume application or protocol traffic on your network is being generated by a large number of users who are sending small amounts of traffic. For example, if you configure top 10 and there are ten or more users generating more FTP traffic than any other type of traffic in your network, you will see the FTP traffic as the top flows even though there might be 10,000 users using HTTP to access web sites at much lower individual levels of network utilization that account for a much larger aggregated traffic volume. In this situation you need to aggregate the traffic patterns across flows using the show ip flow top-

talkers [number] command string as explained in the

show ip flow top-talkers, page 226

instead.

The timeout period as specified by the cache-timeout command does not start until the show ip flow top-

talkers command is entered. From that time, the same top talkers are displayed until the timeout period expires. To recalculate a new list of top talkers before the timeout period expires, you can change the

228



parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-

talkerscommand.

A long timeout period for the cache-timeout command limits the system resources that are used by the

NetFlow MIB and Top Talkers feature. However, the list of top talkers is calculated only once during the timeout period. If a request to display the top talkers is made more than once during the timeout period, the same results are displayed for each request, and the list of top talkers is not recalculated until the timeout period expires.





A good method to ensure that the latest information is displayed, while also conserving system resources, is to configure a large value for the timeout period, but cause the list of top talkers to be recalculated by changing the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow

top-talkerscommand to display the top talkers. Changing the parameters of the cache-timeout, top, or

sort-by command causes the list of top talkers to be recalculated upon receipt of the next command line interface (CLI) or MIB request.

Aggregated Top Talkers--Cisco IOS Releases 12.4(9)T and Newer

The show ip flow top command was merged with the show ip flow top-talkers command in Cisco IOS release 12.4(9)T. The two commands were merged to make it easier for you to display cache information on either unaggregated top flows, or aggregated top talkers, using the same root command.

The CLI help for the show ip flow top-talkers command was modified to help you differentiate between the two command formats.

Router# show ip flow top-talkers ?

Display aggregated top talkers:

<1-100> Number of aggregated top talkers to show

Display unaggregated top flows:

verbose Display extra information about unaggregated top flows

| Output modifiers

<cr>

Router#

When you use the show ip flow top-talkers [number] command the display output will consist of aggregated statistics from the flows (aggregated top talkers) for the number of top talkers that you specified with the number argument.

Unlike the show ip flow top-talkers [verbose] command, the show ip flow top-talkers [number] command string does not require:

• Any pre-configuration of the router for the show ip flow top-talkers [number] command string itself.

You can use the show ip flow top-talkers [number] command string immediately after enabling

NetFlow on at least one interface in the router.

• Manipulating a cache timeout parameter to force a recalculation of the aggregated top talkers. The information in the display output of the show ip flow top-talkers [number] command string always contains the latest, most up-to-date information because it is not cached.

The arguments that are available with the show ip flow top-talkers [number] command enable you to quickly modify the criteria to be used for generating the display output. Refer to the configuration documentation for the “ NetFlow Dynamic Top Talkers CLI ” feature which is included in the Cisco IOS


229


Release 12.4(4)T module “ Detecting and Analyzing Network Threats With NetFlow ”, for additional information using the show ip flow top-talkers [number] command string.

For additional usage guidelines on displaying statistics for aggregated top talkers using the show ip flow

top-talkers [number] command string, see the following sections:

Top Traffic Flows

Using the show ip flow top-talkerscommand to display the aggregated statistics from the flows on a router for the highest volume applications and protocols in your network helps you identify, and classify, security problems such as a denial of service (DoS) attacks because DoS attack traffic almost always show up as one of the highest volume protocols in your network when a DoS attack is in progress. Displaying the aggregated statistics from the flows on a router is also useful for traffic engineering, diagnostics and troubleshooting.

Data Displayed by the show ip flow top command

The data in the display output from the show ip flow top-talkers command is not flow centric. You cannot identify individual flows with the show ip flow top-talkers command.

For example, when you use the show ip flow top-talkers 5 aggregate destination-address command:

• If you do not specify any match criteria, the aggregated statistics for the top five destination IP addresses from the flows on a router are displayed.

• If you specify match criteria, the aggregated statistics for the top five destination IP addresses that meet the match criteria that you specified is displayed.

Top Talkers Display Output With Aggregation Only

If you do not use any of the optional parameters the show ip flow top-talkerscommand displays the aggregated statistics from the flows on the router for the aggregation field that you enter. For example, to aggregate the flows based on the destination IP addresses, and display the top five destination IP addresses, you use the show ip flow top-talkers 5 aggregate destination-address command.

Top Talkers Display Output With Aggregation and Match Criteria

You can limit the display output by adding an optional match criterion. For example, to aggregate the statistics from the flows based on the destination IP addresses, and display the top five destination IP addresses that contain TCP traffic, you use the show ip flow top-talkers 5 aggregate destination-address

match protocol tcp command.

Top Talkers Display Output in Ascending Order With Aggregation and Match Criteria

You can change the default sort order of the display output by using the sorted-by keyword. For example, to aggregate the statistics from the flows based on the destination IP addresses, and display the top five destination IP addresses that contain TCP traffic sorted on the aggregated field in ascending order, you use the show ip flow top-talkers 5 aggregate destination-address sorted-by aggregate ascending match

protocol tcp command.

Tip

This usage of the show ip flow top-talkers 5 aggregate destination-address sorted-by aggregate

ascending match protocol tcp command string is useful for capacity planning because it shows the smallest flows first. The smallest flows indicate the minimum amount of capacity that you need to provide.

Aggregate-field and Match-field Match-value Keywords, Arguments, and Descriptions

The table below shows the keywords and descriptions for the aggregate-field argument of the show ip flow

top-talkers number aggregateaggregate-field command. You must enter one of the keywords from this table.

230



Table 23

Keyword bgp-nexthop bytes max-ttl

Keywords and Descriptions for aggregate-field Argument

destination-address destination-as destination-interface destination-port destination-vlan dscp fragment-offset icmp icmp-code icmp-type incoming-mac ip-id ip-nexthop-address max-packet-length

Description

Flows that have the same value in the bgp-nexthop field are aggregated.

Flows that have the same number of bytes are aggregated.

Flows that have the same value in the destinationaddress field are aggregated.

Flows that have the same value in the destination-as field are aggregated.

Flows that have the same value in the destinationinterface field are aggregated.

Flows that have the same value in the destinationport field are aggregated.

Flows that have the same value in the destinationvlan field are aggregated.

Flows that have the same value in the dscp field are aggregated.

Flows that have the same value in the fragmentoffset field are aggregated.

Flows that have the same value in the icmp-type and icmp code fields are aggregated.

Flows that have the same value in the icmp-code field are aggregated.

Flows that have the same value in the icmp-type field are aggregated.

Flows that have the same value in the incomingmac address field are aggregated.

Flows that have the same value in the ip-id field are aggregated.

Flows that have the same value in the ip-nexthopaddress field are aggregated.

Flows that have the same value in the max-packetlength field are aggregated.

Flows that have the same value in the max-ttl field are aggregated.


231


Keyword min-packet-length min-ttl outgoing-mac packets precedence protocol source-address source-as source-interface source-port source-vlan tcp-flags tos

Description

Flows that have the same value in the min-packetlength field are aggregated.

Flows that have the same value in the min-ttl field are aggregated.

Flows that have the same value in the outgoing-mac address field are aggregated.

Flows that have the same number of packets are aggregated.

Flows that have the same value in the precedence field are aggregated.

Flows that have the same value in the protocol field are aggregated.

Flows that have the same value in the sourceaddress field are aggregated.

Flows that have the same value in the source-as field are aggregated.

Flows that have the same value in the sourceinterface field are aggregated.

Flows that have the same value in the source-port field are aggregated.

Flows that have the same value in the source-vlan field are aggregated.

Flows that have the same value in the tcp-flags field are aggregated.

Flows that have the same value in the tos field are aggregated.

GUID-A8114EA5-9D06-49F5-BC55-AD2BADE79F67D

shows the keywords, arguments, and descriptions for the match-field match-value arguments for the show ip flow top-talkers number

aggregateaggregate-fieldmatchmatch-fieldmatch-value command. These keywords are all optional.

Note

In


the match criteria that you select must be available in the cache. For example, if you use the show ip flow top 20 aggregate destination-address

match destination-vlan 1 command, and you have not configured the ip flow-capture vlan-id command, the “% VLAN id is not available for this cache” error message is displayed.

232



Note

In


the match-field is the keyword in the keyword column and the match-value is the argument(s) for the keyword. For example, for the keyword bgp-

nexthop, bgp-nexthop is the match-field and [ip-address | hostname] is the match-value .

Many of the values shown in the display output of the show ip cache verbose flow command are in hexadecimal. If you want to match these values using the show ip flow top-talkers command with the

match keyword, you must enter the field value that you want to match in hexadecimal. For example, to match on the destination port of 0x00DC in the following excerpt from the show ip cache verbose flow command, you would use the match destination-port0x00DC keywords and argument for the show ip

flow top-talkers command.

R3# show ip cache verbose flow

.

.

.

SrcIf SrcIPaddress DstIf

DstIPaddress Pr TOS Flgs Pkts

Port Msk AS Port

Msk AS NextHop B/Pk Active

Et0/0.1 10.10.11.4 Et1/0.1 172.16.10.8 06 00 00 209

0023

/0 0 00DC

/0 0 0.0.0.0 40 281.4

.

.

.

Table 24 Keywords, Arguments, and Descriptions for match-field match-value

Keyword

bgp-nexthop {ip-address | hostname}

bytes {[bytes ] | [minbytes ] [maxbytes ]}

Description

IP address or hostname of the BGP nexthop router to match in the flows.

Range of bytes to match in the flows.

• min --Minimum number of bytes to match.

•

max --Maximum number of bytes to match.

• Range: 0 to 4294967295

Note

If you want to use min bytes you must enter it before max bytes.

destination-as as-number

destination-interface interface-type interface-

number

Destination Autonomous System number to match in the flows. The range is 0 to 65535.

Destination interface to match in the flows.


233


Keyword Description

destination-port {[port ] | [minport ] [maxport ]}

The range of destination ports to match in the flows.

• min --Minimum port number to match.

•

max --Maximum port number to match.

• Range: 0 to 65535

Note

If you want to use min port you must enter it before max port.

destination-prefix prefix /mask

Destination IP address prefix and mask to match in the flows.

Note

Enter the prefix-mask by using the CIDR method of /number-of-bits. For example,

192.0.0.0/8.

destination-vlan vlan-id

dscp dscp

flows {[flows] | [min flows] [max flows]}

fragment-offset fragment-offset

icmp type type code code

icmp-code code

icmp-type type

incoming-mac mac-address

Destination VLAN ID to match in the flows.

• Range: 0 to 4095

Value in the DSCP field to match in the flows.

• Range: 0x0 to 0x3F

The range of flows in the aggregated data to match in the flows.

• min --Minimum number of flows to match.

• max --Maximum number of flows to match.

• Range: 0 to 4294967295

Note

If you want to use min flows you must enter it before max flows.

Value in the fragment offset field to match in the flows.

• Range: 0 to 8191

ICMP type and code values to match in the flows.

• Range for type and code: 0 to 255.

ICMP code value to match in the flows.

• Range: 0 to 255

ICMP type value to match in the flows.

• Range: 0 to 255

Incoming MAC address to match in the flows.

234



Keyword

ip-id ip-id

ip-nexthop-prefix prefix/mask

max-packet-length {[max-packet-length] | [min

max-packet-length] [max max-packet-length]}

Description

IP ID value to match in the flows.

• Range: 0 to 65535

IP nexthop address prefix and mask to match in the flows.

Note


192.0.0.0/8.

The range of maximum packet length values to match in the flows.

• min --Minimum value in the maximum packet length field to match.

• max --Maximum value in the maximum packet length field to match.

• Range: 0 to 65535

Note

If you want to use min max-packet-length you must enter it before max max-packet-

length.

max-ttl {[max-ttl] | [min max-ttl] [max max-ttl]} The range of maximum TTL values to match in the flows.

•

min --Minimum value in the maximum TTL field to match.

• max --Maximum value in the maximum TTL field to match.

• Range: 0 to 255

Note

If you want to use min max-ttl you must enter it before max max-ttl.

min-packet-length {[min-packet-length] | [min

min-packet-length] [max min-packet-length]}

The range of minimum packet length values to match in the flows.

•

min --Minimum value in the minimum packet length field to match.

• max --Maximum value in the minimum packet length field to match.

• Range: 0 to 65535

Note

If you want to use min min-packet-length you must enter it before max min-packet-

length.


235


Keyword

min-ttl {[min-ttl] | [min min-ttl] [max min-ttl]}

outgoing-mac mac-address

packets {[packet-size] | [min packet-size] [max

packet-size]}

Description

The range of minimum TTL values to match in the flows.

• min --Minimum value in the minimum TTL field to match.

•

max --Maximum value in the minimum TTL field to match.

• Range: 0 to 255

Note

If you want to use min min-ttl you must enter it before max min-ttl.

Outgoing MAC address to match in the flows.

The range of packet sizes to match in the flows.

• min --Minimum size of packets to match.

• max --Maximum size of packets to match.

• Range: 0 to 4294967295

Note

If you want to use min packet-size you must enter it before max packet-size.

precedence precedence

protocol {[protocol-number ] | [tcp | udp | icmp |

igmp | ip-in-ip | gre | ipv6-in-ipv6]}

Precedence value to match in the flows.

• Range: 0 to 7

Protocol value to match in the flows.

• Range: 0 to 255

Note

TCP, UDP, ICMP, IGMP, IP-in-IP, GRE, and IPv6-in-IPv6 are the protocols that

NetFlow tracks for the protocols summary in the display output of the show ip cache

verbose flow command. Other protocols can be matched by specifying their numeric values.

source-as source-as Source autonomous system value to match in the flows.

• Range: 0 to 65535

source-interface interface-type interface-number

Source interface to match in the flows.

236



Keyword

source-port {[port] | [[min port] [max port]]}

source-prefix prefix/mask

source-vlan vlan-id

tcp-flags flag

tos tos

Description

The range of source port values to match in the flows.

• min --Source port value to match.

•

max --Source port value to match.

• Range: 0 to 65535

Note

If you want to use min port you must enter it before max port.

Source address prefix and mask to match in the flows.

Note


192.0.0.0/8.

Source VLAN ID to match in the flows.

• Range: 0 to 4095

Value in the TCP flag field to match in the flows.

• Range: 0x0 to 0xFF

Value in the TOS flag field to match in the flows.

• Range: 0x0 to 0xFF

The Order That Aggregation Occurs in

With the exception of the flows keyword in the table abovr, all matches made with the match-fieldmatch-

value arguments are performed prior to aggregation, and only matching flows are aggregated. For example, the show ip flow top-talkers5aggregate destination-address match destination-prefix172.16.0.0/16 command analyzes all of the available flows looking for any flows that have destination addresses that match the destination-prefix value of 172.16.0.0/16 . If it finds any matches it aggregates them, and then displays the number of aggregated destination-address flows that is equal to the number of top talkers that were requested in the command-in this case five.

The flows keyword matches the number of aggregated flows post-aggregation. For example, the show ip

flow top2aggregate destination-address match flows 6command aggregates all of the flows on the values in their destination IP address field, and then displays the top talkers that have 6 aggregated flows.

Number of Flows Matched

If you do not specify match criteria and there are flows in the cache that include the field that you used to aggregate the flows on, all of the flows will match. For example, if your router has 20 flows with IP traffic and you enter the show ip flow top-talkers 10 aggregate destination-address command the display will indicate that 20 of 20 flows matched, and the 10 top talkers will be displayed.

If you use the match keyword to limit the flows that are aggregated to the flows with a destination prefix of

224.0.0.0/3, and only one flow matches this criterion the output will indicate that one out of 20 flows matched. For example, if your router has 20 flows with IP traffic, but only one of them has a destination prefix of 224.0.0.0/3, and you enter the show ip flow top-talkers 10 aggregate destination-address

match destination-prefix224.0.0.0/3 command, the display will indicate that 1 of 20 flows matched.


237


Examples

If the total number of top talkers is less than the number of top talkers that were requested in the command, the available number of top talkers is displayed. For example, if you enter a value of five for the number of top talkers to display and there are only three top talkers that match the criteria that you used, the display will only include three top talkers.

When a match criterion is included with the show ip flow top-talkerscommand, the display output will indicate “N of M flows matched” where N is the number of matched flows, M is the total number of flows seen, and N is less than or equal to M. The numbers of flows seen could potentially be more than the total number of flows in the cache if some of the analyzed flows were expired from the cache and new flows were created, as the top talkers feature scans through the cache. Therefore, M is NOT the total number of flows in the cache, but rather, the number of flows observed in the cache by the top talkers feature.

If you attempt to display the top talkers by aggregating them on a field that is not in the cache you will see the “% aggregation-field is not available for this cache” message. For example, if you use the show ip flow

top5 aggregate source-vlan command, and you have not enabled the capture of VLAN IDs from the flows, you will see the “% VLAN id is not available for this cache” message.

TCP-Flags

If you want to use the tcp-flags flag match criteria you must enter the hexadecimal values for the type of

TCP flag that you want to match.

The TCP flags as used in the tcp-flags flag match criteria are provided in the table below.

Table 25 Values for the tcp-flags flag match criteria

0x10

0x20

0x40

0x80

Hexadecimal Value

0x01

0x02

0x04

0x08

Field Name

FIN-Finish; end of session

SYN-Synchronize; indicates request to start session

RST-Reset; drop a connection

PUSH-Push; packet is sent immediately

ACK-Acknowledgement

URG-Urgent

ECE-Explicit Congestion Notification Echo

CWR-Congestion Window Reduced

For more information on TCP and TCP flags, refer to RFC 3168 at the following URL:

http://www.ietf.org/ rfc/rfc3168.txt

.

The show ip flow top-talkers command can be used to display information for unaggregated top flows or aggregated top talkers. Refer to the following sections for examples on using either of these methods:

Examples for Unaggregated Top Flows--All Cisco IOS releases that Support the NetFlow MIB and Top

Talkers Feature

The following example shows the output of the show ip flow top-talkers command.

238



In the example, the NetFlow MIB and Top Talkers feature has been configured to allow a maximum of five top talkers to be viewed. The display output is configured to be sorted by the total number of bytes in each top talker, and the list of top talkers is configured to be retained for 2 seconds (2000 milliseconds).




Router(config-flow-top-talkers)# cache-timeout 2000



Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 144K

Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 144K

Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 135K

Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 125K

Et0/0.1 10.92.231.235 Et1/0.1 172.16.10.2 06 0041 0041 115K


The table below describes the significant fields shown in the display.

Table 26 show ip flow top-talkers Field Descriptions

Field

SrcIf

SrcIPaddress

DstIf

DstIPaddress

Pr

SrcP

DstP

Bytes

X of Y top talkers shown flows processed

Description

Source interface

Source IP address

Destination interface

Destination IP address

Protocol number

Source port

Destination port

Total number of bytes in each top talker

Y-The number of Top Talkers specified by the top command.

X-The number of flows displayed.

The value for “X” is always <= the value for “Y”.

For example, if “Y” = 5 and there are 3 Top

Talkers, the display will show 3 of 5 top talkers shown.

The number of flows observed in the NetFlow cache.

The table below shows messages that could be received in response to the show ip flow top-talkers command and their explanations.


239


Table 27 show ip flow top-talkers Message Descriptions

Message

% Top talkers not configured

% Cache is not enabled

% Cache is empty

% There are no matching flows to show

Description

The NetFlow MIB and Top Talkers feature has not yet been configured.

The cache is not enabled

There are no flows in the cache to be viewed.

The match criteria that were specified do not match any flows in the cache.

Examples for Aggregated Top Talkers--All Cisco IOS releases that Support the NetFlow Dynamic Top

Talkers CLI Feature

The following example looks for up to 10 top talkers, aggregates them on the protocol type, sorts them by the number of packets in the flows, and displays the output in descending order:

Router# show ip flow top-talkers 10 aggregate protocol sorted-by packets descending

There are 3 top talkers:

IPV4 PROT bytes pkts flows

========= ========== ========== ==========

1 2009729203 1455464 11

6 33209300 30690 19

17 92 1 1

31 of 31 flows matched.

Things to note in this display output:

• All 31 flows in the router are aggregated into three top talkers. In this example all of the flow traffic is top talker traffic.

• The majority of the traffic that is aggregated into the first flow is ICMP traffic (IP protocol type 1).

This might indicate an ICMP DoS attack is in progress.

GUID-9638B372-2643-49A6-A0A9-2BD902EE6CECD

describes the significant fields shown in the display.

Table 28 show ip flow top-talkers 10 aggregate protocol sorted-by packets descending Field Descriptions

Field

There are top X talkers

Description

The number of top talkers (X) is displayed.

240



Field

IPV4 PROT bytes pkts flows

2

X of Y flows matched.

Description

This position in the display output is used to show the field that you selected to aggregate the flows on.

The protocol keyword aggregates IPv4 traffic in the flows based on the IPv4 protocol type. In this example there are three IPv4 protocol types in the flows:

• 1--ICMP

• 6--TCP

• 17--UDP

Displays the numbers of bytes in the aggregated flows for each top talker.

Displays the numbers of packets in the aggregated flows for each top talker.

Displays the numbers of aggregated flows for each top talker.

Y-Number of flows seen in the cache.

X-Number of flows in the cache that matched the criteria you specified.

The following example looks for up to five top talkers, aggregates them on the source IP address, sorts them in descending order by the numbers of packets, matches on the ICMP type value of 8, and displays the output in descending order:

Router# show ip flow top-talkers 5 aggregate source-address sorted-by packets descending

match icmp-type 8


IPV4 SRC-ADDR bytes pkts flows

=============== ========== ========== ==========

192.168.87.200 23679120 16501 1

10.234.53.1 18849000 12566 1

172.30.231.193 12094620 8778 1


The following example looks for up to five top talkers, aggregates them on the destination IP address, sorts them in descending order by the numbers of packets, matches on the ICMP type value of 8, and displays the output in descending order:

Router# show ip flow top-talkers 5 aggregate destination-address sorted-by packets

descending match icmp-type 8


IPV4 DST-ADDR bytes pkts flows

=============== ========== ========== ==========

172.16.1.2 32104500 21403 2

172.16.10.2 2128620 2134 1



2 IPV4 is shown in upper-case (capital) letters because it is the field that the display is aggregated on. In this example this is the keyword protocol in the show ip flow top-talkers 10 aggregate protocol sorted-by packets descending command.


241


Table 29 show ip flow top-talkers 5 aggregate {source-address | destination-address} sorted-by packets descending match icmp-type 8 Field Descriptions

Field


IPV4 SRC-ADDR

3

Description



The source-addresskeyword aggregates IPv4 traffic in the flows based on the source IPv4 IP address. In this example there are 3 IP source addresses in the flows:

• 192.168.87.200

• 10.234.53.1

• 172.30.231.193

IPV4 DST-ADDR

4


The destination-addresskeyword aggregates IPv4 traffic in the flows based on the destination IPv4 IP address. In this example there are 2 IP destination addresses in the flows:

• 172.16.1.2

• 172.16.10.2

bytes pkts flows







The following example looks for up to five top talkers, aggregates them on the source IP address, sorts them in descending order by the number of bytes in the flow, matches on the port range of 20 to 21 (FTP

Data and control ports, respectively), and displays the output in descending order:

Router# show ip flow top-talkers 5 aggregate source-address sorted-by bytes descending

match destination-port min 20 max 21



3 IPV4 SRC-ADDR is shown in upper-case (capital) letters because it is the field that the display is aggregated on. In this example this is the keyword source-address in the show ip flow top-talkers 5 aggregate source-address sorted-by packets descending match icmp-type 8 command.

4 IPV4 DST-ADDR is shown in upper-case (capital) letters because it is the field that the display is aggregated on. In this example this is the keyword destination-address in the show ip flow top-talkers 5 aggregate destination-address sorted-by packets descending match icmp-type 8 command.

242



=============== ========== ========== ==========

10.231.185.254 920 23 2

10.10.12.1 480 12 2

10.251.138.218 400 10 2

10.132.221.111 400 10 2

10.71.200.138 280 7 1


Tip

You can enter the port numbers in their decimal values as shown (20 and 21), or in their hexadecimal equivalents of 0x14 and 0x15.


Table 30 show ip flow top-talkers 5 aggregate source-address sorted-by packets descending match icmptype 8 Field Descriptions

Field


IPV4 SRC-ADDR

Description




• 10.231.185.254

• 10.10.12.1

• 10.251.138.218

• 10.132.221.111

• 10.71.200.138

bytes pkts flows







The following example looks for up to five top talkers, aggregates them on the source IP address, sorts them in descending order by the aggregated field (source IP address), and displays the output in descending order:

Router# show ip flow top-talkers 5 aggregate source-address sorted-by aggregate descending




243


=============== ========== ========== ==========

172.16.1.85 97360 2434 2

172.16.1.84 97320 2433 2

10.251.138.218 34048 1216 1

10.231.185.254 34048 1216 1

10.132.221.111 34076 1217 1



Table 31 show ip flow top-talkers 5 aggregate source-address sorted-by aggregate descending Field

Descriptions

Field




Description




• 172.16.1.85

• 172.16.1.84

• 10.251.138.218

• 10.231.185.254

• 10.132.221.111








Description

Specifies the length of time for which the list of top talkers (heaviest traffic patterns and most-used applications in the network) for the NetFlow MIB and Top Talkers feature is retained.

244



Command



sort-by top




show ip flow top-talkers

Description


MIB and Top Talkers (heaviest traffic patterns and most-used applications in the network) feature.

Specifies match criteria for the NetFlow MIB and

Top Talkers (heaviest traffic patterns and most-used applications in the network) feature.



MIB and Top Talkers feature.



MIB and Top Talkers feature.





245

mask (IPv4) through top show mls ip non-static

show mls ip non-static

To display information for the software-installed nonstatic entries, use the show mls ip non-static command in user EXEC or privileged in the EXEC mode.

show mls ip non-static [count [module number] | detail [module number] | module number]

Syntax Description count

module number

detail

(Optional) Displays the total number of nonstatic entries.

(Optional) Designates the module number.

(Optional) Specifies a detailed per-flow output.

Command Modes


Command History

Release

12.2(14)SX

12.2(17a)SX

12.2(17b)SXA

Modification



This command is supported on releases prior to

Release 12.2(17a)SX only.

This command is replaced by the show mls netflow

ip command.



2.

Examples

This sections contains examples from the show mls ip non-static command. The fields shown in the display are self-explanatory.

This example shows how to display the software-installed nonstatic entries:

Router> show mls ip non-static

Displaying Netflow entries in Supervisor Earl

DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr

--------------------------------------------------------------------

Pkts Bytes Age LastSeen Attributes

---------------------------------------------------

Router>

246


mask (IPv4) through top show mls ip non-static

This example shows how to display detailed information for the software-installed nonstatic entries:

Router> show mls ip non-static detail



--------------------------------------------------------------------


---------------------------------------------------

QoS Police Count Threshold Leak Drop Bucket Use-Tbl Use-Enable

-----------+------------+---------+-----------+----+-------+-------+----------+

Router>

This example shows how to display the total number of software-installed nonstatic entries:

Router> show mls ip non-static count


Number of shortcuts = 0

Router>


247

mask (IPv4) through top show mls ip routes

show mls ip routes

To display the NetFlow routing entries, use the show mls ip routescommand in user EXEC or privileged

EXEC mode.

show mls ip routes [non-static | static] [count [module number] | detail [module number] |

module number]

Syntax Description non-static static count

module number

detail

(Optional) Displays the software-installed nonstatic entries.

(Optional) Displays the software-installed static entries.

(Optional) Displays the total number of NetFlow routing entries.

(Optional) Displays the entries that are downloaded on the specified module; see the "Usage

Guidelines" section for valid values.


Command Modes


Command History

Release

12.2(14)SX

12.2(17a)SX

12.2(17b)SXA

Modification






ip sw-installed command



2.

248


mask (IPv4) through top show mls ip routes

Examples

This section contains examples of the show mls ip routes non-static command. The fields shown in the display are self-explanatory.

This example shows how to display the software-installed nonstatic routing entries:

Router> show mls ip routes non-static



--------------------------------------------------------------------


---------------------------------------------------

Router>

This example shows how to display detailed information for the software-installed nonstatic routing entries:

Router> show mls ip routes non-static detail



--------------------------------------------------------------------


---------------------------------------------------


-----------+------------+---------+-----------+----+-------+-------+----------+

Router>

This example shows how to display the total number of software-installed routing entries:

Router> show mls ip routes count



Router>


Command

show mls netflow ip sw-installed

Description

Displays information for the software-installed IP entries.


249

mask (IPv4) through top show mls ip static

show mls ip static

To display the information for the software-installed static IP entries, use the show mls ip static command in user EXEC or privileged EXEC mode.

show mls ip static [count [module number] | detail [module number] | module number]


module number

detail

(Optional) Displays the total number of static entries.

(Optional) Designates the module number.


Command Modes


Command History

Release

12.2(14)SX

12.2(17a)SX

12.2(17b)SXA

Modification






ip sw-installed command.



2.

Examples

This section contains examples from the show mls ip staticcommand. The fields shown in the display are self-explanatory.

This example shows how to display the software-installed static entries:

Router> show mls ip static



--------------------------------------------------------------------


---------------------------------------------------

Router>

250


mask (IPv4) through top show mls ip static

This example shows how to display detailed information for the software-installed static entries:

Router> show mls ip static detail



--------------------------------------------------------------------


---------------------------------------------------


-----------+------------+---------+-----------+----+-------+-------+----------+

Router>

This example shows how to display the total number of software-installed static entries:

Router> show mls ip static count



Router>


251

mask (IPv4) through top show mls nde

show mls nde

To display information about the NetFlow Data Export (NDE) hardware-switched flow, use the show mls

ndecommand in user EXEC or privileged EXEC mode.




Command Default


Command Modes


Command History

Release

12.2(14)SX

12.2(17d)SXB

12.2(18)SXD

12.2(33)SRA

12.2(33)SXI

Modification





The output for Cisco 7600 series routers that are configured with a Supervisor Engine 720 was changed to include the current NDE mode.



The output was modified to display the data export version and aggregation cache scheme.


The output for Cisco 7600 series routers that are configured with a Supervisor Engine 720 includes the current NDE mode.

Examples

Supervisor Engine 2 Examples

This example shows the output from Cisco 7600 series routers that are configured with a Supervisor Engine

2.

252


mask (IPv4) through top show mls nde

This example shows how to display information about the NDE status on a Cisco 7600 series router that is configured with a Supervisor Engine 2:

Router# show mls nde

Netflow Data Export is Enabled

Router#


This example shows how to display information about the NDE hardware-switched flow on a Cisco 7600 series router that is configured with a Supervisor Engine 720:

Router# show mls nde

Netflow Data Export enabled (Interface Mode)


Exporting flows from 10.6.60.120 (59020)

Version: 9

Include Filter not configured

Exclude Filter not configured

Total Netflow Data Export Packets are:

as aggregation v9 0 packets, 0 no packets, 0 records

Router#


Command

mls nde sender

show ip flow-export


Description

Enables MLS NDE export.

Displays the information about the hardwareswitched and software-switched flows for the data export, including the main cache and all other enabled caches.


NetFlow hardware.


253

mask (IPv4) through top show mls netflow

show mls netflow

To display configuration information about the NetFlow hardware, use the show mls netflow command in user EXEC or privileged EXEC mode.

show mls netflow {aging | aggregation flowmask | creation | flowmask | {table-contention

detailed | summary}}

IPv6, MLPS, and software Configuration

show mls netflow [ip | ipv6 | mpls] [any | count | destination {hostname | ip-address} | detail |

dynamic | flow {tcp | udp} | module number | nowrap | source {hostname | ip-address} | sw-

installed [non-static | static]]

Syntax Description aging

aggregation flowmask

creation flowmask table-contention detailed summary ip ipv6 mpls any count

Displays the NetFlow-aging information.

Displays the flow mask that is set for the current

NetFlow aggregations.

Displays the configured protocol-creation filters.

Displays the current NetFlow IP and IPX flow mask.

Displays the NetFlow table-contention level information.

Displays detailed NetFlow table-contention level information.

Displays a summary of NetFlow table-contention levels.

(Optional) Displays information about the NetFlow

IP table; see the show mls netflow ip command.


IPv6 table; see the show mls netflow ipv6 command.


Multiprotocol Label Switching(MPLS) table.

(Optional) Displays detailed NetFlow table-entry information with no test wrap.

(Optional) Displays the total number of MLS

NetFlow IP entries.

254



destination hostname

destination ip-address

detail dynamic

flow tcp

flow udp

module number

nowrap

source hostname

source ip-address

sw-installed non-static static

Command Default


Command Modes


show mls netflow

(Optional) Displays the entries for a specific destination hostname.

(Optional) Displays the entries for a specific destination IP address.

(Optional) Specifies a detailed output.

(Optional) Displays the hardware-created dynamic entries; see the show mls netflow ip dynamic command.

(Optional) Displays information about the TCP flows.

(Optional) Displays information about the User

Datagram Protocol(UDP) flows.

(Optional) Displays the entries that are downloaded on the specified module; see the “Usage

Guidelines” section for valid values.

(Optional) Displays information without text wrap.

(Optional) Displays the entries for a specific source address.

(Optional) Displays the entries for a specific source

IP address.

(Optional) Displays the routing NetFlow entries; see the show mls netflow ip sw-installed command.

(Optional) Displays information for softwareinstalled non-static IP entries; see the show mls

netflow ip sw-installed command.

(Optional) Displays information for the softwareinstalled static IP entries; see the show mls netflow



255


Command History

Release

12.2(14)SX

12.2(17a)SX

12.2(17b)SXA

12.2(17d)SXB

12.2(18)SXD

12.2(33)SRA

Modification


Engine 720.


• Enhanced the show mls netflow aggregation

flowmask command output to include a list of aggregation caches with minimum flow mask and NetFlow-aggregation schemes such as destination-prefix, source-prefix, protocol-port, and prefix.

• Included support for the ipv6 option.

This command was changed to add the following keywords and arguments:

•

details

•

nowrap

•

module num

• Changed the syntax from show mls [ip | ipv6 |

mpls] to show mls netflow [ip | ipv6 | mpls].


2 was extended to the 12.2SX train.

The creation keyword was added.




Note

The creation keyword is not supported in releases prior to Release 12.2(18)SXD.

The ipv6 and mpls keywords are not supported on Cisco 7600 series routers that are configured with a


When you view the output, note that a colon (:) is used to separate the fields.

For TCP intercept flows, the packet count is 0 on DFC. TCP intercept will install a zero count entry in each

DFC and PFC for each intercepted flow because TCP intercept is a global feature.

Examples

This example shows how to display the NetFlow-aging configuration:

Router#

show mls netflow aging

enable timeout packet threshold

------ ------- ---------------normal aging true 300 N/A fast aging true 32 100

256



long aging true 900 N/A

Router#

This example shows how to display the configured protocol-creation filters:

Router

# show mls netflow creation

Excluded protocols: port protocol

-------+----------

10 tcp

8 udp/tcp

Router#


These examples show the output from Cisco 7600 series routers that are configured with a Supervisor

Engine 720.

This example shows how to display the flow mask that is set for the current NetFlow aggregation:

Router#

show mls netflow aggregation flowmask

Current flowmask set for netflow aggregation : Dest only

Minimum flowmask required for netflow aggregation schemes

----------------------+-------------------+-----------------

Aggregation Scheme Min. Flowmask Status

----------------------+-------------------+----------------- as Intf Src Dest disabled protocol-port Full Flow disabled source-prefix Intf Src Dest disabled destination-prefix Dest only enabled prefix Intf Src Dest disabled

Router#

This example shows how to display detailed information about the NetFlow table-contention level:

Router# show mls netflow table-contention detailed

Earl in Module 2

Detailed Netflow CAM (TCAM and ICAM) Utilization

================================================

TCAM Utilization : 0%

ICAM Utilization : 0%

Netflow TCAM count : 0

Netflow ICAM count : 0

Router#

This example shows how to display a summary of the NetFlow table-contention level:

Router# show mls netflow table-contention summary

Earl in Module 2

Summary of Netflow CAM Utilization (as a percentage)

====================================================

TCAM Utilization : 0%

ICAM Utilization : 0%

Router#


These examples show the output from Cisco 7600 series routers that are configured with a Supervisor

Engine 2.

This example shows how to display the flow mask that is set for the current NetFlow aggregations:

Router#

show mls netflow aggregation flowmask


257


Current flowmask set for netflow aggregation : interface and full flow

Minimum flowmask required for netflow aggregation schemes

----------------------+-------------------+-----------------

Aggregation Scheme Min. Flowmask Status

----------------------+-------------------+----------------- as if-dst-src enabled protocol-port full enabled source-prefix if-dst-src enabled destination-prefix dst enabled prefix if-dst-src enabled

Router#

This example shows how to display detailed information about the NetFlow table-contention level:

Router# show mls netflow table-contention detailed

Earl in Module 1

Detailed Table Contention Level Information

===========================================

Layer 3

-------

L3 Contention Level: 0

Page Hits Requiring 1 Lookup = 0

Page Hits Requiring 2 Lookups = 0







Page Misses = 0

Router#

This example shows how to display a summary of the NetFlow table-contention level:

Router# show mls netflow table-contention summary

Earl in Module 1

Summary of Table Contention Levels (on a scale of 0 (lowest) to 5 (highest))

============================================================================

L3 Contention Level: 0

Router#


Command


mls netflow usage notify


Description

Creates a flow-aggregation cache and enters aggregation cache configuration mode.

Monitors the NetFlow table usage on the Switch

Processor and the DFCs.

Displays a summary of the NetFlow cache-flow entries.

258


mask (IPv4) through top show mls netflow ip

show mls netflow ip

To display information about MLS NetFlow IP traffic, use the show mls netflow ipcommand in user


show mls netflow ip any

show mls netflow ip count [module number]

show mls netflow ip destination {hostname | ip-address} [slash ip-mask] [count [module number] |

detail | dynamic | flow {icmp | tcp | udp} | module number | nowrap | qos | source {hostname | ip-

address} [slash ip-mask] | sw-installed [non-static | static]]

show mls netflow ip detail [module number | nowrap [module number]]

show mls netflow ip dynamic [count [module number]] [detail] [module number] [nowrap

[module number] [qos [module number]] [nowrap [module number]]]

show mls netflow ip flow {icmp | tcp | udp} [count [module number] | destination {hostname | ip-

address} [slash ip-mask] | detail | dynamic | flow {icmp | tcp | udp} | module number | nowrap |

qos | source {hostname | ip-address} | sw-installed [non-static | static]]

show mls netflow ip module number

show mls netflow ip qos [module number | nowrap [module number]]

{show mls netflow ip source {hostname | ip-address} [slash ip-mask] [count [module number]] |

detail | dynamic | flow {icmp | tcp | udp} | module number | nowrap | qos | sw-installed [non-

static | static]}

Syntax Description any count


destination ip-address

detail dynamic

flow icmp

flow tcp

flow udp

/ ip-mask

Displays detailed NetFlow table-entry information with no test wrap.

Displays the total number of MLS NetFlow IP entries.

Displays the entries for a specific destination hostname.

Displays the entries for a specific destination IP address.


Displays the hardware-created dynamic entries; see the show mls netflow ip dynamic command.

Displays information about the ICMP flows.

Displays information about the TCP flows.

Displays information about the UDP flows.

Masks the IP address.


259

show mls netflow ip

module number

nowrap qos


source ip-address


Command Default


Command Modes


Command History

Release

12.2(14)SX

12.2(17a)SX

12.2(17b)SXA


Displays the entries on the specified module; see the “Usage Guidelines” section for valid values.

Displays information without text wrap.

Displays QoS microflow policing information.

Displays the entries for a specific source address.

Displays the entries for a specific source IP address.

(Optional) Displays the routing NetFlow entries; see the show mls netflow ip sw-installed command.

(Optional) Displays information for softwareinstalled static IP entries; see the show mls netflow


(Optional) Displays information for the softwareinstalled nonstatic IP entries; see the show mls


Modification




• Enhanced the show mls netflow aggregation

flowmask command output to include a list of aggregation caches with minimum flow mask and NetFlow-aggregation schemes such as destination-prefix, source-prefix, protocol-port, and prefix.

• Included support for the ipv6 option.

Changed the syntax from show mls [ip | ipv6 |

mpls] to show mls netflow [ip | ipv6 | mpls] and added the nowrap keyword.

260



Release

12.2(17d)SXB

12.2(18)SXD

12.2(18)SXF

12.2(33)SRA

12.2(33)SRB

Modification



This command was changed to include the following keywords:

• The icmp keyword to display information about ICMP flows.

•

The qos keyword to display QoS microflow policing information.

This command was changed to remove support for the any keyword.



This command was modified to show the VPN name and VPN ID in the display output. In addition, the command was modified to support per-interface NetFlow.


If you enter the show mls netflow ip command with no arguments, the output of the show mls netflow ip

sw-installed and show mls netflow ip dynamic commands are displayed.

When you view the output, note that a colon (:) is used to separate the fields.

The multicast keyword appears on systems that are not configured with a Supervisor Engine 720.

In Cisco IOS Release 12.2SR and later, the NetFlow cache might contain null entries (with an IP source and destination address of 0.0.0.0). This behavior is the result of changes made to support per-interface

NetFlow, which allows you to enable NetFlow for IPv4 traffic on individual interfaces. By default, the hardware cache is populated with information about packets received on all IP interfaces. However, if

NetFlow is not enabled on an IP interface, a null flowmask is used, which results in a null cache entry being created for the interface.

Examples

This example shows how to display information about any MLS NetFlow IP:

Router# show mls netflow ip



-----------------------------------------------------------------------------


---------------------------------------------------

10.1.1.2 11.1.1.2 tcp :3 :5 Fa5/11 :0x0

459983 21159218 6 07:45:13 L3 - Dynamic

10.1.1.2 11.1.1.3 tcp :3 :5 Fa5/11 :0x0

459984 21159264 6 07:45:13 L3 - Dynamic

Router#

This example shows how to display detailed NetFlow table-entry information:

Router# show mls netflow ip detail


261




--------------------------------------------------------------------


---------------------------------------------------

Mask Pi R CR Xt Prio Dsc IP_EN OP_EN Pattern Rpf FIN_RDT FIN/RST

----+--+-+--+--+----+---+-----+-----+-------+---+-------+-------

Ig/acli Ig/aclo Ig/qosi Ig/qoso Fpkt Gemini MC-hit Dirty Diags

-------+-------+-------+-------+----+------+------+-----+------


-----------+------------+---------+-----------+----+-------+-------+----------+

172.30.46.2 172.30.45.2 4 :0 :0 Gi7/1: 0x0

140063 6442898 15 01:42:52 L3 - Dynamic

1 1 0 0 1 0 0 1 1 0 0 0 0

0 0 0 0 0 0 0 0 0

0x0 672645504 0 0 NO 31784 NO NO

Router#

This example shows how to display NetFlow table-entry information with no test wrap:

Router# show mls netflow ip nowrap


DstIP SrcIP Prot:SrcPort:DstPort Src i/f

:AdjPtr Pkts Bytes Age LastSeen Attributes

-----------------------------------------------------------------------

-

------------------------------------------------------------------

10.1.1.2 11.1.1.92 udp :63 :63 Fa5/11

:0x0 176339 8111594 912 22:31:15 L3 - Dynamic

10.1.1.2 11.1.1.93 udp :63 :63 Fa5/11

:0x0 176338 8111548 912 22:31:15 L3 - Dynamic

10.1.1.2 11.1.1.94 udp :63 :63 Fa5/11

:0x0 176338 8111548 912 22:31:15 L3 - Dynamic

10.1.1.2 11.1.1.95 udp :63 :63 Fa5/11

:0x0 176338 8111548 912 22:31:15 L3 - Dynamic

10.1.1.2 11.1.1.96 udp :63 :63 Fa5/11

:0x0 176338 8111548 912 22:31:15 L3 - Dynamic

10.1.1.2 11.1.1.97 udp :63 :63 Fa5/11

:0x0 176337 8111502 912 22:31:15 L3 - Dynamic

10.1.1.2 11.1.1.98 udp :63 :63 Fa5/11

:0x0 176337 8111502 912 22:31:15 L3 - Dynamic

10.1.1.2 11.1.1.99 udp :63 :63 Fa5/11

:0x0 176337 8111502 912 22:31:15 L3 - Dynamic

10.1.1.2 11.1.1.100 udp :63 :63 Fa5/11

:0x0 176337 8111502 912 22:31:15 L3 - Dynamic

Router#

This example shows how to display information about the MLS NetFlow on a specific interface:

Router#

show mls netflow ip interface FastEthernet 3/1



--------------------------------------------------------------------


---------------------------------------------------

172.20.52.19 0.0.0.0 0 :0 :0 0 : 0

0 0 1635 11:05:26 L3 - Dynamic

Router#

This example shows how to display information about the MLS NetFlow on a specific IP address:

Router#

show mls netflow ip destination 172.20.52.122



--------------------------------------------------------------------


---------------------------------------------------

Router#

262



This example shows how to display information about the MLS NetFlow on a specific flow:

Router#

show mls netflow ip flow udp



--------------------------------------------------------------------


---------------------------------------------------

172.20.52.19 0.0.0.0 0 :0 :0 0 : 0

0 0 1407 11:01:32 L3 - Dynamic

Router#

This example shows how to display detailed information about the MLS NetFlow on a full-flow mask:

Router#

show mls netflow ip detail



--------------------------------------------------------------------


---------------------------------------------------


-----------+------------+---------+-----------+----+-------+-------+----------+

172.20.52.19 0.0.0.0 0 :0 :0 0 : 0

0 0 1464 11:02:31 L3 - Dynamic

0x0 0 0 0 NO 64 NO NO

Router#

This example shows how to display detailed information about a specific flow type:

Router#

show mls netflow ip flow icmp


DstIP SrcIP Prot:SrcPort:DstPort Src i/f

:AdjPtr

>

>---------------------------------------------------------------------------

-

-


---------------------------------------------------

10.1.1.2 11.1.10.151 icmp:0 :0 Fa5/11

:0x0

1945 89470 1062 08:45:15 L3 - Dynamic

10.1.1.2 11.1.10.153 icmp:0 :0 Fa5/11

:0x0

1945 89470 1062 08:45:15 L3 - Dynamic

10.1.1.2 11.1.10.155 icmp:0 :0 Fa5/11

:0x0

1945 89470 1062 08:45:15 L3 - Dynamic

10.1.1.2 11.1.10.157 icmp:0 :0 Fa5/11

:0x0

1945 89470 1062 08:45:15 L3 - Dynamic

10.1.1.2 11.1.10.159 icmp:0 :0 Fa5/11

:0x0

1945 89470 1062 08:45:15 L3 - Dynamic

10.1.1.2 11.1.10.161 icmp:0 :0 Fa5/11

:0x0

1945 89470 1062 08:45:15 L3 - Dynamic

10.1.1.2 11.1.10.163 icmp:0 :0 Fa5/11

:0x0

Router#

This example shows how to display QoS information:

Router

# show mls netflow ip qos

Displaying netflow qos information in Supervisor Earl



263


-------------------------------------------------------------------------

Pkts Bytes LastSeen QoS PoliceCount Threshold Leak

-------------------------------------------------------------------------

Drop Bucket

-----------xxx.xxxx.xxx.xxx xxx.xxx.xxx.xxx xxxx:63 :63 Fa5/11 :0x0

772357 35528422 17:59:01 xxx xxx xxx xxx xxx xxx

Router#

This example shows how to display VPN information on a Cisco 7600 series router:

Router# show mls netflow ip module 5

Displaying Netflow entries in module 5

DstIP SrcIP Prot:SrcPort:DstPort Src i/f :AdjPtr

-----------------------------------------------------------------------------


---------------------------------------------------

10.1.1.1 10.2.0.2 0 :0 :0 vpn:red

:0x0

504 398020 1 23:20:48 L3 - Dynamic

224.0.0.5 172.16.1.1 89 :0 :0 Fa1/1 :0x0

1 84 7 23:20:42 L2 - Dynamic

0.0.0.0 0.0.0.0 0 :0 :0 -- :0x0

2238 1582910 33 23:20:48 L3 - Dynamic

224.0.0.2 172.16.1.1 udp :646 :646 Fa1/1 :0x0

5 310 21 23:20:46 L2 - Dynamic

172.16.2.6 172.16.1.2 0 :0 :0 Fa1/1 :0x0

1 140 22 23:20:27 L2 - Dynamic

Router#


Command



mls flow ip

show mls netflow ip dynamic


show mls netflow ip routes

Description

Enables NetFlow to create and export hardware cache entries for traffic entering the router on the last MPLS hop of an IPv4 MPLS VPN network.



Export.

Displays the statistics for NetFlow IP entries.


Displays the NetFlow IP routing entries.

264


mask (IPv4) through top show mls netflow ipv6

show mls netflow ipv6

To display information about the hardware NetFlow IPv6 configuration, use the show mls netflow ipv6 command in privileged EXEC mode.

show mls netflow ipv6 any

show mls netflow ipv6 count [module number]

show mls netflow ipv6 destination ipv6-address [/ipv6-prefix] [count [module number] | detail |

dynamic | flow {icmp | tcp | udp} | module number | nowrap | qos | source ipv6-address [/ipv6-

prefix] | sw-installed [non-static | static]]

show mls netflow ipv6 detail [module number | nowrap [module number]]

show mls netflow ipv6 dynamic [count [module number]] [detail] [module number] [nowrap

[module number]] [qos [module number]] [nowrap [module number]]

show mls netflow ipv6 flow {icmp | tcp | udp} [count [module number] | destination ipv6-address

[/ipv6-prefix] | detail | dynamic | flow {icmp | tcp | udp} | module number | nowrap | qos | source

ipv6-address [/ipv6-prefix] | sw-installed [non-static | static]]

show mls netflow ipv6 [module number]

show mls netflow ipv6 qos [module number | nowrap [module number]]

show mls netflow ipv6 source ipv6-address [/ipv6-prefix] [count [module number] | detail |

dynamic | flow {icmp | tcp | udp} | module number | nowrap | qos | sw-installed [non-static |

static]]

Syntax Description any count

module number

destination ipv6-address

/ ipv6-prefix

detail dynamic

flow icmp | tcp | udp nowrap

Displays the NetFlow-aging information.

Displays the total number of Multilayer Switching

(MLS) NetFlow IPv6 entries.

(Optional) Displays the entries that are downloaded on the specified module; see the "Usage

Guidelines" section for valid values.

Displays the entries for a specific destination IPv6 address.

(Optional) IPv6 prefix; valid values are from 0 to

128.

Specifies a detailed output.

Displays the hardware-created dynamic entries.

Specifies the flow type.

Turns off text wrapping.


265

mask (IPv4) through top show mls netflow ipv6 qos

source ipv6-address


Displays information about quality of service (QoS) statistics.

(Optional) Displays the entries for a specific source

IPv6 address.

(Optional) Displays the routing NetFlow entries.

(Optional) Displays information about the softwareinstalled static IPv6 entries.

(Optional) Displays information about the softwareinstalled nonstatic IPv6 entries.

Command Modes

Privileged EXEC (#)

Command History

Examples

Release

12.2(17a)SX

12.2(17d)SXB

12.2(18)SXE

12.2(18)SXF

12.2(33)SRA

Modification


Engine 720.



This command was changed to add the show mls netflow ipv6 qos [module number] [ nowrap ] keywords and argument on the Supervisor Engine

720 only.


• Removed support for the any keyword.

• Added the / ipv6-prefix argument.



This example shows how to display information about the hardware NetFlow configuration:

Router# show mls netflow ipv6


DstIP SrcIP

-------------------------------------------------------------------------------

Prot:SrcPort:DstPort Src i/f :AdjPtr


------------------------------------------------------------------------------------------

50::2 47::2 tcp :16 :32 Vl47 :0x0

23758 1425480 4 23:48:36 L3 (IPv6) - Dynamic

50::2 47::3

266



tcp :16 :32 Vl47 :0x0

23758 1425480 4 23:48:36 L3 (IPv6) - Dynamic

50::2 47::4 tcp :16 :32 Vl47 :0x0

23758 1425480 4 23:48:36 L3 (IPv6) - Dynamic

50::2 47::5 tcp :16 :32 Vl47 :0x0

23758 1425480 4 23:48:36 L3 (IPv6) - Dynamic

50::2 47::6 tcp :16 :32 Vl47 :0x0

23758 1425480 4 23:48:36 L3 (IPv6) - Dynamic

This example shows how to display IPv6 microflow policing information:

Router# show mls netflow ipv6 qos


DstIP SrcIP

--------------------------------------------------------------------------------

Prot:SrcPort:DstPort Src i/f :AdjPtr Pkts Bytes

--------------------------------------------------------------------------------

LastSeen QoS PoliceCount Threshold Leak Drop Bucket

--------------------------------------------------------------------

101::3 100::2 icmp:0 :0 -- 0x0 0 0

22:22:09 0x0 0 0 0 NO 0

101::2 100::2 icmp:0 :0 -- 0x0 0 0

22:22:09 0x0 0 0 0 NO 0

This example shows how to display IPv6 microflow policing information for a specific module:

Router# show mls netflow ipv6 qos module 7


DstIP SrcIP

--------------------------------------------------------------------------------


--------------------------------------------------------------------------------


--------------------------------------------------------------------

101::2 100::2 icmp:0 :0 -- 0x0 0 0

22:22:56 0x0 0 0 0 NO 0

101::3 100::2 icmp:0 :0 -- 0x0 0 0

22:22:56 0x0 0 0 0 NO 0

This example shows the output display when you turn off text wrapping:

Router# show mls netflow ipv6 qos nowrap


DstIP SrcIP



------------------------------------------------------------------------------------------

------------------------------------------------------------------------------------------

------------------------------------------------

101::3 100::2 icmp:

0 :0 -- 0x0 0 0 22:22:19

0x0 0 0 0 NO 0

101::2 100::2 icmp:

0 :0 -- 0x0 0 0 22:22:19

0x0 0 0 0 NO 0

This example shows the output display when you turn off text wrapping for a specific module:

Router# show mls netflow ipv6 qos nowrap module 7


DstIP SrcIP



------------------------------------------------------------------------------------------


267


------------------------------------------------------------------------------------------

------------------------------------------------

101::3 100::2 icmp:

0 :0 -- 0x0 0 0 22:22:38

0x0 0 0 0 NO 0

101::2 100::2 icmp:

0 :0 -- 0x0 0 0 22:22:38

0x0 0 0 0 NO 0


Command

clear mls netflow

Description

Clears the MLS NetFlow-shortcut entries.

268


mask (IPv4) through top show mls netflow ip dynamic

show mls netflow ip dynamic

To display the statistics for NetFlow IP entries, use the showmls netflow ip dynamic command in user


show mls netflow ip dynamic [count [module number] | detail [module number] | module number]


module number

detail

(Optional) Displays the total number of NetFlow entries.




Command Default


Command Modes


Command History

Release

12.2(14)SX

12.2(17a)SX

12.2(17d)SXB

12.2(33)SRA

Modification



This command replaced the show mls netflow ip

statistics command.






The show mls netflow ip statisticscommand is supported on releases prior to Release 12.2(17a)SX. For

Release 12.2(17a)SX and later releases, use the show mls netflow ip dynamic command.

Examples

This example shows how to display the statistics for the NetFlow IP entries:

Router> show mls netflow ip dynamic


269

mask (IPv4) through top show mls netflow ip dynamic



--------------------------------------------------------------------


---------------------------------------------------

Router>

This example shows how to display the statistics for the NetFlow IP entries:

Router> show mls netflow ip dynamic detail



--------------------------------------------------------------------


---------------------------------------------------


-----------+------------+---------+-----------+----+-------+-------+----------+

Router>


Command





Description

Displays information about MLS NetFlow IP traffic.




270


mask (IPv4) through top show mls netflow ip routes

show mls netflow ip routes

To display the NetFlow IP routing entries, use the show mls netflow ip routes command in user EXEC or privileged EXEC mode.

show mls netflow ip routes [non-static | static] [count [module number] | detail [module number]

| module number]


module number

detail

(Optional) Displays the software-installed routing entries.

(Optional) Displays the software-installed static routing entries.

(Optional) Displays the total number of NetFlow IP routing entries.




Command Default


Command Modes


Command History

Release

12.2(14)SX

12.2(17a)SX

Modification



This command was changed to the show mls



The show mls netflow ip routescommand is supported on releases prior to Release 12.2(17a)SX. For

Release 12.2(17a)SX and later releases, use the show mls netflow ip sw-installedcommand.


2.


271

mask (IPv4) through top show mls netflow ip routes

Examples

This example shows how to display the software-installed nonstatic routing entries:

Router> show mls netflow ip routes non-static



--------------------------------------------------------------------


---------------------------------------------------

Router>

This example shows how to display detailed information for the software-installed nonstatic routing entries:

Router> show mls netflow ip routes non-static detail



--------------------------------------------------------------------


---------------------------------------------------


-----------+------------+---------+-----------+----+-------+-------+----------+

Router>

This example shows how to display the total number of software-installed routing entries:

Router> show mls netflow ip routes count



Router>


Command

show mls netflow ip

show mls netflow ip dynamic show mls netflow ip sw-installed

Description




272


mask (IPv4) through top show mls netflow ip sw-installed

show mls netflow ip sw-installed

To display information for the software-installed IP entries, use the show mls netflow ip sw-

installedcommand in user EXEC or privileged EXEC mode.

show mls netflow ip sw-installed {non-static | static} [count [module number] | detail [module

number] | module number]


module number

detail

Displays the software-installed routing entries.

Displays the software-installed static routing entries.

(Optional) Displays the total number of nonstatic entries.




Command Default


Command Modes


Command History

Release

12.2(17a)SX

12.2(17d)SXB

12.2(33)SRA

Modification

The show mls netflow ip routes command was changed to the show mls netflow ip sw-installed command.





Examples

This example shows how to display the software-installed nonstatic entries:

Router> show mls netflow ip sw-installed non-static



273

mask (IPv4) through top show mls netflow ip sw-installed


--------------------------------------------------------------------


---------------------------------------------------

Router>

This example shows how to display detailed information for the software-installed nonstatic entries:

Router> show mls netflow ip sw-installed non-static detail



--------------------------------------------------------------------


---------------------------------------------------


-----------+------------+---------+-----------+----+-------+-------+----------+

Router>

This example shows how to display the total number of software-installed nonstatic entries:

Router> show mls netflow ip sw-installed non-static count



Router>


Command




Description




274


mask (IPv4) through top show mls netflow ipx

show mls netflow ipx

To display MLS NetFlow IPX information in the EXEC command mode, use the show mls netflow ipx command.

show mls netflow ipx [count | destination {hostname | ipx-address} | detail | flow {tcp | udp} |

interface interface interface-number | vlan vlan-id | macd destination-mac-address | macs source-

mac-address | routes num | module number | source {hostname | ipx-address} | statistics]



destination ipx-address

detail flow

tcp | udp

interface

interface interface-number

vlan vlan-id

macd destination-mac-address

macs source- mac-address

routes num

module number


(Optional) Displays the total number of MLS

NetFlow IPX entries.

(Optional) Displays the entries for a specific destination IPX hostname.

(Optional) Displays the entries for a specific destination IPX address.


(Optional) Changes the flow type.

Specifies the flow type.

(Optional) Specifies the interface.

(Optional) Interface type; possible valid values are

ethernet, fastethernet, gigabitethernet,

tengigabitethernet, pos, atm, and ge-wan.

(Optional) Module and port number; see the “Usage


(Optional) Specifies the VLAN ID; valid values are from 1 to 4094.

(Optional) Specifies the destination MAC address.

(Optional) Specifies the source MAC address.

(Optional) Displays the routing NetFlow entries.



(Optional) Displays the entries for a specific source address.


275

mask (IPv4) through top show mls netflow ipx

source ipx-address

statistics

(Optional) Displays the entries for a specific destination IPX address.

(Optional) Displays the statistics for NetFlow entries.

Command Default


Command Modes

EXEC

Command History

Release

12.2(17d)SXB

Modification




The show mls netflow ipx command is only supported on systems that have a version 2 Supervisior

Engine.

The interface, macd, and macs keywords are not supported.

When you enter the ipx-network, the format is N.H.H.H.

When you enter the destination-mac-address, the format for the 48-bit MAC address is H.H.H.

The interface-number argument designates the module and port number. Valid values for interface-number depend on the specified interface type and the chassis and module used. For example, if you specify a

Gigabit Ethernet interface and have a 48-port 10/100BASE-T Ethernet module installed in a 13-slot chassis, valid values for the module number are from 1 to 13 and valid values for the port number are from

1 to 48. These valid values also apply when entering the module number keyword and argument.

Examples

The output from the show mls netflow ipx commands is similar to the show mls netflow ip commands.


Command


Description


IP.

276


mask (IPv4) through top show mls sampling

show mls sampling

To display information about the sampled NDE status, use the show mls sampling command in user EXEC or privileged EXEC mode.



This command has no keywords or arguments.

Command Default


Command Modes


Command History

Release

12.2(14)SX

12.2(17d)SXB

12.2(33)SRA

Modification








Sampled NetFlow is supported on Layer 3 interfaces only.

Examples

This example shows how to display information about the sampled NDE status:

Router# show mls sampling time-based sampling is enabled

1 out of every 1024 packets is being sampled.

Sampling Interval and Period is 4 millisec per 4096 millisec

Router#


Command


Description



277

show mls sampling

Command

mls sampling


Description


278


mask (IPv4) through top sort-by

sort-by

To specify the sorting criterion for the NetFlow top talkers (unaggregated top flows), use the sort-by command in NetFlow top talkers configuration mode. To disable NetFlow top talkers, use the no form of this command.

sort-by [bytes | packets]

no sort-by [bytes | packets]

Syntax Description bytes packets

Sorts the list of top talkers by the total number of bytes in each Top Talker.

Sort the list of top talkers by the total number of packets in each Top Talker.

Command Default

No default behavior or values.

Command Modes


Command History

Release

12.2(25)S

12.3(11)T

12.2(27)SBC

12.2(33)SRA

12.2SX

Modification



12.3(11)T.


12.2(27)SBC.










279

mask (IPv4) through top sort-by

Examples



In the following example, a maximum of four top talkers is configured. The sort criterion is configured to sort the list of top talkers by the total number of bytes for each top talker.







Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K

Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K

Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K

Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K










Description








Displays the statistics for the NetFlow accounting top talkers (heaviest traffic patterns and most-used applications in the network).

280



Command top sort-by

Description





281

mask (IPv4) through top top

top

To specify the maximum number of NetFlow top talkers (unaggregated top flows) to display the statistics for, use the topcommand in NetFlow top talkers configuration mode. To disable NetFlow top talkers, use the no form of this command.

top number

no top


number

The maximum number of top talkers that will be displayed. The range is 1 to 200.

Command Default

No default behavior or values.

Command Modes


Command History

Release

12.2(25)S

12.3(11)T

12.2(27)SBC

12.2(33)SRA

12.2SX

Modification



12.3(11)T.


12.2(27)SBC.








You must enable NetFlow on at least one interface in the router; and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands.


282


mask (IPv4) through top top

Examples

In the following example, a maximum of four top talkers is configured. The sort criterion is configured to sort the list of top talkers by the total number of bytes for each top talker.







Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K

Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K

Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K

Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K










sort-by

Description








Displays the statistics from to the top talkers

(heaviest traffic patterns and most-used applications in the network).





283