Network Management Configuration Guide, Cisco IOS XE Everest 16.5.1a (Catalyst 9300 Switches)
First Published: 2017-06-20
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2017 Cisco Systems, Inc. All rights reserved.
CONTENTS
CHAPTER 1
Configuring Cisco IOS Configuration Engine
Finding Feature Information
Prerequisites for Configuring the Configuration Engine
Restrictions for Configuring the Configuration Engine
Information About Configuring the Configuration Engine
Cisco Configuration Engine Software
Configuration Service
Event Service
NameSpace Mapper
Cisco Networking Services IDs and Device Hostnames
ConfigID
DeviceID
Hostname and DeviceID
Hostname, DeviceID, and ConfigID
Cisco IOS CNS Agents
Initial Configuration
Incremental (Partial) Configuration
Synchronized Configuration
Automated CNS Configuration
How to Configure the Configuration Engine
Enabling the CNS Event Agent
Enabling the Cisco IOS CNS Agent
Enabling an Initial Configuration for Cisco IOS CNS Agent
Refreshing DeviceIDs
Enabling a Partial Configuration for Cisco IOS CNS Agent
Monitoring CNS Configurations
CHAPTER 2
Configuring Cisco Plug and Play
Finding Feature Information
Configuring Cisco Plug and Play
CHAPTER 3
Configuring the Cisco Discovery Protocol
Finding Feature Information
Information About CDP
CDP Overview
Default CDP Configuration
How to Configure CDP
Configuring CDP Characteristics
Disabling CDP
Enabling CDP
Disabling CDP on an Interface
Enabling CDP on an Interface
Monitoring and Maintaining CDP
CHAPTER 4
Configuring Simple Network Management Protocol
Finding Feature Information
Prerequisites for SNMP
Restrictions for SNMP
Information About SNMP
SNMP Overview
SNMP Manager Functions
SNMP Agent Functions
SNMP Community Strings
SNMP MIB Variables Access
SNMP Notifications
SNMP ifIndex MIB Object Values
Default SNMP Configuration
SNMP Configuration Guidelines
How to Configure SNMP
Disabling the SNMP Agent
Configuring Community Strings
Configuring SNMP Groups and Users
Configuring SNMP Notifications
Setting the Agent Contact and Location Information
Limiting TFTP Servers Used Through SNMP
Configuring Trap Flags for SNMP
Monitoring SNMP Status
SNMP Examples
Feature History and Information for Simple Network Management Protocol
CHAPTER 5
Configuring Service Level Agreements
Finding Feature Information
Restrictions on SLAs
Information About SLAs
Cisco IOS IP Service Level Agreements (SLAs)
Network Performance Measurement with Cisco IOS IP SLAs
IP SLA Responder and IP SLA Control Protocol
Response Time Computation for IP SLAs
IP SLAs Operation Scheduling
IP SLA Operation Threshold Monitoring
UDP Jitter
How to Configure IP SLAs Operations
Default Configuration
Configuration Guidelines
Configuring the IP SLA Responder
Implementing IP SLA Network Performance Measurement
Analyzing IP Service Levels by Using the UDP Jitter Operation
Analyzing IP Service Levels by Using the ICMP Echo Operation
Monitoring IP SLA Operations
Monitoring IP SLA Operation Examples
Additional References
CHAPTER 6
Configuring SPAN and RSPAN
Finding Feature Information
Prerequisites for SPAN and RSPAN
Restrictions for SPAN and RSPAN
Information About SPAN and RSPAN
SPAN and RSPAN
Local SPAN
Remote SPAN
SPAN and RSPAN Concepts and Terminology
SPAN Sessions
Monitored Traffic
Source Ports
Source VLANs
VLAN Filtering
Destination Port
RSPAN VLAN
SPAN and RSPAN Interaction with Other Features
SPAN and RSPAN and Device Stacks
Flow-Based SPAN
Default SPAN and RSPAN Configuration
Configuration Guidelines
SPAN Configuration Guidelines
RSPAN Configuration Guidelines
FSPAN and FRSPAN Configuration Guidelines
How to Configure SPAN and RSPAN
Creating a Local SPAN Session
Creating a Local SPAN Session and Configuring Incoming Traffic
Specifying VLANs to Filter
Configuring a VLAN as an RSPAN VLAN
Creating an RSPAN Source Session
Specifying VLANs to Filter
Creating an RSPAN Destination Session
Creating an RSPAN Destination Session and Configuring Incoming Traffic
Configuring an FSPAN Session
Configuring an FRSPAN Session
Monitoring SPAN and RSPAN Operations
SPAN and RSPAN Configuration Examples
Example: Configuring Local SPAN
Examples: Creating an RSPAN VLAN
Feature History and Information for SPAN and RSPAN
CHAPTER 7
Configuring ERSPAN
Configuring ERSPAN
Prerequisites for Configuring ERSPAN
Restrictions for Configuring ERSPAN
Information for Configuring ERSPAN
ERSPAN Overview
ERSPAN Sources
How to Configure ERSPAN
Configuring an ERSPAN Source Session
Configuration Examples for ERSPAN
Example: Configuring an ERSPAN Source Session
Verifying ERSPAN
Additional References
Feature Information for Configuring ERSPAN
CHAPTER 8
Configuring Packet Capture
Finding Feature Information
Prerequisites for Packet Capture
Prerequisites for Packet Capture
Restrictions for Packet Capture
Restrictions for Packet Capture
Introduction to Packet Capture
Overview of Packet Capture Tool
Information about Wireshark
Wireshark Overview
Capture Points
Attachment Points
Filters
Actions
Storage of Captured Packets to Buffer in Memory
Storage of Captured Packets to a .pcap File
Packet Decoding and Display
Packet Storage and Display
Wireshark Capture Point Activation and Deactivation
Wireshark Features
Guidelines for Wireshark
Default Wireshark Configuration
Information About Embedded Packet Capture
Embedded Packet Capture Overview
Benefits of Embedded Packet Capture
Packet Data Capture
Configuring Packet Capture
How to Configure Wireshark
Defining a Capture Point
Adding or Modifying Capture Point Parameters
Deleting Capture Point Parameters
Deleting a Capture Point
Activating and Deactivating a Capture Point
Clearing the Capture Point Buffer
How to Implement Embedded Packet Capture
Managing Packet Data Capture
Monitoring and Maintaining Captured Data
Monitoring Packet Capture
Configuration Examples for Wireshark
Example: Displaying a Brief Output from a .pcap File
Example: Displaying Detailed Output from a .pcap File
Example: Displaying a Packet Dump Output from a .pcap File
Example: Displaying Packets from a .pcap File using a Display Filter
Example: Displaying the Number of Packets Captured in a .pcap File
Example: Displaying a Single Packet Dump from a .pcap File
Example: Displaying Statistics of Packets Captured in a .pcap File
Example: Simple Capture and Display
Example: Simple Capture and Store
Example: Using Buffer Capture
Example: Simple Capture and Store of Packets in Egress Direction
Configuration Examples for Embedded Packet Capture
Example: Managing Packet Data Capture
Example: Monitoring and Maintaining Captured Data
Additional References
CHAPTER 9
Configuring Flexible NetFlow
Prerequisites for Flexible NetFlow
Restrictions for Flexible NetFlow
Information About Flexible Netflow
Flexible NetFlow Overview
Original NetFlow and Benefits of Flexible NetFlow
Flexible NetFlow Components
Flow Records
NetFlow Predefined Records
User-Defined Records
Flexible NetFlow Match Parameters
Flexible NetFlow Collect Parameters
Flow Exporters
Flow Monitors
Flow Samplers
Supported Flexible NetFlow Fields
Default Settings
How to Configure Flexible Netflow
Creating a Customized Flow Record
Creating a Flow Exporter
Creating a Customized Flow Monitor
Configuring and Enabling Flow Sampling
Applying a Flow to an Interface
Configuring a Bridged NetFlow on a VLAN
Configuring Layer 2 NetFlow
Monitoring Flexible NetFlow
Configuration Examples for Flexible NetFlow
Example: Configuring a Flow
Example: Monitoring IPv4 ingress traffic
Example: Monitoring IPv4 egress traffic
Additional References for NetFlow
Feature Information for Flexible NetFlow
Notices
Trademarks
CHAPTER 1
Configuring Cisco IOS Configuration Engine
• Finding Feature Information
• Prerequisites for Configuring the Configuration Engine
• Restrictions for Configuring the Configuration Engine
• Information About Configuring the Configuration Engine
• How to Configure the Configuration Engine
• Monitoring CNS Configurations
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Prerequisites for Configuring the Configuration Engine
• Obtain the name of the configuration engine instance to which you are connecting.
• Because the CNS uses both the event bus and the configuration server to provide configurations to
devices, you must define both ConfigID and DeviceID for each configured device.
• All devices configured with the cns config partial global configuration command must access the event
bus. The DeviceID, as originated on the device, must match the DeviceID of the corresponding device
definition in the Cisco Configuration Engine. You must know the hostname of the event bus to which
you are connecting.
Related Topics
Cisco Networking Services IDs and Device Hostnames
DeviceID
Restrictions for Configuring the Configuration Engine
• Within the scope of a single instance of the configuration server, no two configured devices can share
the same value for ConfigID.
• Within the scope of a single instance of the event bus, no two configured devices can share the same
value for DeviceID.
Related Topics
Cisco Networking Services IDs and Device Hostnames
Information About Configuring the Configuration Engine
Cisco Configuration Engine Software
The Cisco Configuration Engine is network management utility software that acts as a configuration service
for automating the deployment and management of network devices and services. Each Cisco Configuration
Engine manages a group of Cisco devices (switches and routers) and the services that they deliver, storing their
configurations and delivering them as needed. The Cisco Configuration Engine automates initial configurations
and configuration updates by generating device-specific configuration changes, sending them to the device,
executing the configuration change, and logging the results.
The Cisco Configuration Engine supports standalone and server modes and has these Cisco Networking
Services (CNS) components:
• Configuration service:
◦Web server
◦File manager
◦Namespace mapping server
• Event service (event gateway)
• Data service directory (data models and schema)
Note
Support for Cisco Configuration Engine will be deprecated in future releases. Use the configuration
described in the Cisco Plug and Play Feature Guide.
In standalone mode, the Cisco Configuration Engine supports an embedded directory service. In this mode,
no external directory or other data store is required. In server mode, the Cisco Configuration Engine supports
the use of a user-defined external directory.
Figure 1: Cisco Configuration Engine Architectural Overview
Configuration Service
The Configuration Service is the core component of the Cisco Configuration Engine. It consists of a
Configuration Server that works with Cisco IOS CNS agents on the device. The Configuration Service delivers
device and service configurations to the device for initial configuration and mass reconfiguration by logical
groups. Devices receive their initial configuration from the Configuration Service when they start up on the
network for the first time.
The Configuration Service uses the CNS Event Service to send and receive configuration change events and
to send success and failure notifications.
The Configuration Server is a web server that uses configuration templates and the device-specific configuration
information stored in the embedded (standalone mode) or remote (server mode) directory.
Configuration templates are text files containing static configuration information in the form of CLI commands.
In the templates, variables are specified by using Lightweight Directory Access Protocol (LDAP) URLs that
reference the device-specific configuration information stored in a directory.
The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show
the success or failure of the syntax check. The configuration agent can either apply configurations immediately
or delay the application until receipt of a synchronization event from the configuration server.
Event Service
The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events.
The Event Service consists of an event agent and an event gateway. The event agent is on the device and
facilitates the communication between the device and the event gateway on the Cisco Configuration Engine.
The Event Service is a highly capable publish-and-subscribe communication method. The Event Service uses
subject-based addressing to send messages to their destinations. Subject-based addressing conventions define
a simple, uniform namespace for messages and their destinations.
Related Topics
Enabling the CNS Event Agent
NameSpace Mapper
The Cisco Configuration Engine includes the NameSpace Mapper (NSM) that provides a lookup service for
managing logical groups of devices based on application, device or group ID, and event.
Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS software;
for example, cisco.cns.config.load. You can use the namespace mapping service to designate events by using
any desired naming convention. When you have populated your data store with your subject names, NSM
changes your event subject-name strings to those known by Cisco IOS.
For a subscriber, when given a unique device ID and event, the namespace mapping service returns a set of
events to which to subscribe. Similarly, for a publisher, when given a unique group ID, device ID, and event,
the mapping service returns a set of events on which to publish.
Cisco Networking Services IDs and Device Hostnames
The Cisco Configuration Engine assumes that a unique identifier is associated with each configured device.
This unique identifier can take on multiple synonyms, where each synonym is unique within a particular
namespace. The event service uses namespace content for subject-based addressing of messages.
The Cisco Configuration Engine intersects two namespaces, one for the event bus and the other for the
configuration server. Within the scope of the configuration server namespace, the term ConfigID is the unique
identifier for a device. Within the scope of the event bus namespace, the term DeviceID is the CNS unique
identifier for a device.
Related Topics
Prerequisites for Configuring the Configuration Engine
Restrictions for Configuring the Configuration Engine
ConfigID
Each configured device has a unique ConfigID, which serves as the key into the Cisco Configuration Engine
directory for the corresponding set of device CLI attributes. The ConfigID defined on the device must match
the ConfigID for the corresponding device definition on the Cisco Configuration Engine.
The ConfigID is fixed at startup time and cannot be changed until the device restarts, even if the device
hostname is reconfigured.
DeviceID
Each configured device participating on the event bus has a unique DeviceID, which is analogous to the device
source address so that the device can be targeted as a specific destination on the bus.
The origin of the DeviceID is defined by the Cisco IOS hostname of the device. However, the DeviceID
variable and its usage reside within the event gateway adjacent to the device.
The logical Cisco IOS termination point on the event bus is embedded in the event gateway, which in turn
functions as a proxy on behalf of the device. The event gateway represents the device and its corresponding
DeviceID to the event bus.
The device declares its hostname to the event gateway immediately after the successful connection to the
event gateway. The event gateway couples the DeviceID value to the Cisco IOS hostname each time this
connection is established. The event gateway retains this DeviceID value for the duration of its connection to
the device.
Related Topics
Prerequisites for Configuring the Configuration Engine
Hostname and DeviceID
The DeviceID is fixed at the time of the connection to the event gateway and does not change even when the
device hostname is reconfigured.
When changing the device hostname on the device, the only way to refresh the DeviceID is to break the
connection between the device and the event gateway. For instructions on refreshing DeviceIDs, see "Related
Topics."
When the connection is reestablished, the device sends its modified hostname to the event gateway. The event
gateway redefines the DeviceID to the new value.
Caution
When using the Cisco Configuration Engine user interface, you must first set the DeviceID field to the
hostname value that the device acquires after, not before, and you must reinitialize the configuration for
your Cisco IOS CNS agent. Otherwise, subsequent partial configuration command operations may
malfunction.
Related Topics
Refreshing DeviceIDs
Hostname, DeviceID, and ConfigID
In standalone mode, when a hostname value is set for a device, the configuration server uses the hostname as
the DeviceID when an event is sent on hostname. If the hostname has not been set, the event is sent on the
cn=<value> of the device.
In server mode, the hostname is not used. In this mode, the unique DeviceID attribute is always used for
sending an event on the bus. If this attribute is not set, you cannot update the device.
These and other associated attributes (tag value pairs) are set when you run Setup on the Cisco Configuration
Engine.
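The ID rules described above (ConfigID unique per configuration server, DeviceID unique per event bus, device-originated IDs matching the Engine definitions, and a DeviceID that stays fixed until the gateway connection is re-established) can be checked against an inventory export. The following is an added example, not code from this guide or from Cisco; the record layout, field names, and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: device definitions as an operator might export them
# from the Configuration Engine. All field names and values are hypothetical.
DEFINITIONS = [
    {"name": "access-1", "config_server": "ce-a", "event_bus": "bus-a",
     "config_id": "FOC0001", "device_id": "sw-floor1"},
    {"name": "access-2", "config_server": "ce-a", "event_bus": "bus-a",
     "config_id": "FOC0002", "device_id": "sw-floor2"},
    # Same ConfigID as access-2 on the same configuration server: not allowed.
    {"name": "access-3", "config_server": "ce-a", "event_bus": "bus-a",
     "config_id": "FOC0002", "device_id": "sw-floor3"},
    # ConfigID FOC0001 is fine here (different configuration server), but the
    # DeviceID collides with access-3 on the shared event bus.
    {"name": "access-4", "config_server": "ce-b", "event_bus": "bus-a",
     "config_id": "FOC0001", "device_id": "sw-floor3"},
]

# Constructed sample data: what each device itself originated. The hostname
# declared when the gateway connection was made is what the event gateway
# holds as DeviceID for the life of that connection.
OBSERVED = {
    "access-1": {"config_id": "FOC0001",
                 "hostname_at_connect": "sw-floor1",
                 "current_hostname": "sw-floor1"},
    # Renamed after connecting; the Engine definition already uses the new name.
    "access-2": {"config_id": "FOC0002",
                 "hostname_at_connect": "sw-old2",
                 "current_hostname": "sw-floor2"},
}


def duplicate_ids(definitions, scope_key, id_key):
    """Return {(scope, id): [device names]} for IDs shared inside one scope."""
    seen = defaultdict(list)
    for d in definitions:
        seen[(d[scope_key], d[id_key])].append(d["name"])
    return {key: names for key, names in seen.items() if len(names) > 1}


def check_device(definition, observed):
    """Compare one Engine definition with what the device originated."""
    problems = []
    if observed["config_id"] != definition["config_id"]:
        problems.append("CONFIGID_MISMATCH")
    gateway_device_id = observed["hostname_at_connect"]
    if gateway_device_id != definition["device_id"]:
        problems.append("DEVICEID_MISMATCH")
    # Hostname changed since the connection was made: the gateway keeps the
    # old DeviceID until the connection is broken and re-established.
    if observed["current_hostname"] != gateway_device_id:
        problems.append("STALE_DEVICEID")
    return problems


def audit(definitions, observed):
    """Run the namespace uniqueness checks and the per-device match checks."""
    by_name = {d["name"]: d for d in definitions}
    return {
        "duplicate_config_ids": duplicate_ids(definitions, "config_server", "config_id"),
        "duplicate_device_ids": duplicate_ids(definitions, "event_bus", "device_id"),
        "per_device": {name: check_device(by_name[name], obs)
                       for name, obs in observed.items() if name in by_name},
    }


if __name__ == "__main__":
    for section, result in audit(DEFINITIONS, OBSERVED).items():
        print(section, result)
```
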
Cisco IOS CNS Agents
The CNS event agent feature allows the device to publish and subscribe to events on the event bus and works
with the Cisco IOS CNS agent. These agents, embedded in the device Cisco IOS software, allow the device
to be connected and automatically configured.
Related Topics
Enabling the Cisco IOS CNS Agent
Initial Configuration
When the device first comes up, it attempts to get an IP address by broadcasting a Dynamic Host Configuration
Protocol (DHCP) request on the network. Assuming there is no DHCP server on the subnet, the distribution
device acts as a DHCP relay agent and forwards the request to the DHCP server. Upon receiving the request,
the DHCP server assigns an IP address to the new device and includes the Trivial File Transfer Protocol
(TFTP) server Internet Protocol (IP) address, the path to the bootstrap configuration file, and the default
gateway IP address in a unicast reply to the DHCP relay agent. The DHCP relay agent forwards the reply to
the device.
The device automatically configures the assigned IP address on interface VLAN 1 (the default) and downloads
the bootstrap configuration file from the TFTP server. Upon successful download of the bootstrap configuration
file, the device loads the file in its running configuration.
The Cisco IOS CNS agents initiate communication with the Configuration Engine by using the appropriate
ConfigID and EventID. The Configuration Engine maps the ConfigID to a template and downloads the full
configuration file to the device.
The following figure shows a sample network configuration for retrieving the initial bootstrap configuration
file by using DHCP-based autoconfiguration.
Figure 2: Initial Configuration
Related Topics
Enabling an Initial Configuration for Cisco IOS CNS Agent
Monitoring CNS Configurations
Incremental (Partial) Configuration
After the network is running, new services can be added by using the Cisco IOS CNS agent. Incremental
(partial) configurations can be sent to the device. The actual configuration can be sent as an event payload by
way of the event gateway (push operation) or as a signal event that triggers the device to initiate a pull operation.
The device can check the syntax of the configuration before applying it. If the syntax is correct, the device
applies the incremental configuration and publishes an event that signals success to the configuration server.
If the device does not apply the incremental configuration, it publishes an event showing an error status. When
the device has applied the incremental configuration, it can write it to nonvolatile random-access memory
(NVRAM) or wait until signaled to do so.
Related Topics
Enabling a Partial Configuration for Cisco IOS CNS Agent
Monitoring CNS Configurations
Synchronized Configuration
When the device receives a configuration, it can defer application of the configuration upon receipt of a
write-signal event. The write-signal event tells the device not to save the updated configuration into its
NVRAM. The device uses the updated configuration as its running configuration. This ensures that the device
configuration is synchronized with other network activities before saving the configuration in NVRAM for
use at the next reboot.
Automated CNS Configuration
To enable automated CNS configuration of the device, you must first complete the prerequisites listed in this
topic. When you complete them, power on the device. At the setup prompt, do nothing; the device begins the
initial configuration. When the full configuration file is loaded on your device, you do not need to do anything
else.
For more information on what happens during initial configuration, see "Related Topics."
Table 1: Prerequisites for Enabling Automatic Configuration

Device                      Required Configuration
--------------------------  ------------------------------------------------------
Access device               Factory default (no configuration file)

Distribution device         • IP helper address
                            • Enable DHCP relay agent [1]
                            • IP routing (if used as default gateway)

DHCP server                 • IP address assignment
                            • TFTP server IP address
                            • Path to bootstrap configuration file on the TFTP
                              server
                            • Default gateway IP address

TFTP server                 • A bootstrap configuration file that includes the
                              CNS configuration commands that enable the device
                              to communicate with the Configuration Engine
                            • The device configured to use either the device
                              MAC address or the serial number (instead of the
                              default hostname) to generate the ConfigID and
                              EventID
                            • The CNS event agent configured to push the
                              configuration file to the device

CNS Configuration Engine    One or more templates for each type of device, with
                            the ConfigID of the device mapped to the template.

[1] A DHCP Relay is needed only when the DHCP Server is on a different subnet from the client.
How to Configure the Configuration Engine
Enabling the CNS Event Agent
Note
You must enable the CNS event agent on the device before you enable the CNS configuration agent.
Follow these steps to enable the CNS event agent on the device.
SUMMARY STEPS
1. enable
2. configure terminal
3. cns event {hostname | ip-address} [port-number] [[keepalive seconds retry-count] [failover-time seconds] [reconnect-time time] | backup]
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters the global configuration mode.

Step 3
Command or Action: cns event {hostname | ip-address} [port-number] [[keepalive seconds retry-count] [failover-time seconds] [reconnect-time time] | backup]
Example:
Device(config)# cns event 10.180.1.27 keepalive 120 10
Purpose: Enables the event agent, and enters the gateway parameters.
• For {hostname | ip-address}, enter either the hostname or the IP address of the event gateway.
• (Optional) For port number, enter the port number for the event gateway. The default port number is 11011.
• (Optional) For keepalive seconds, enter how often the device sends keepalive messages. For retry-count, enter the number of unanswered keepalive messages that the device sends before the connection is terminated. The default for each is 0.
• (Optional) For failover-time seconds, enter how long the device waits for the primary gateway route after the route to the backup gateway is established.
• (Optional) For reconnect-time time, enter the maximum time interval that the device waits before trying to reconnect to the event gateway.
• (Optional) Enter backup to show that this is the backup gateway. (If omitted, this is the primary gateway.)
Note
Though visible in the command-line help string, the encrypt and the clock-timeout time keywords are not supported.

Step 4
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Step 5
Command or Action: show running-config
Example:
Device# show running-config
Purpose: Verifies your entries.

Step 6
Command or Action: copy running-config startup-config
Example:
Device# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

What to Do Next
To verify information about the event agent, use the show cns event connections command in privileged
EXEC mode.
To disable the CNS event agent, use the no cns event { ip-address | hostname } global configuration command.
Related Topics
Event Service
Enabling the Cisco IOS CNS Agent
Follow these steps to enable the Cisco IOS CNS agent on the device.
Before You Begin
You must enable the CNS event agent on the device before you enable this agent.
SUMMARY STEPS
1. enable
2. configure terminal
3. cns config initial {hostname | ip-address} [port-number]
4. cns config partial {hostname | ip-address} [port-number]
5. end
6. show running-config
7. copy running-config startup-config
8. Start the Cisco IOS CNS agent on the device.
DETAILED STEPS

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters the global configuration mode.

Step 3
Command or Action: cns config initial {hostname | ip-address} [port-number]
Example:
Device(config)# cns config initial 10.180.1.27 10
Purpose: Enables the Cisco IOS CNS agent, and enters the configuration server parameters.
• For {hostname | ip-address}, enter either the hostname or the IP address of the configuration server.
• (Optional) For port number, enter the port number for the configuration server.
This command enables the Cisco IOS CNS agent and initiates an initial configuration on the device.

Step 4
Command or Action: cns config partial {hostname | ip-address} [port-number]
Example:
Device(config)# cns config partial 10.180.1.27 10
Purpose: Enables the Cisco IOS CNS agent, and enters the configuration server parameters.
• For {hostname | ip-address}, enter either the hostname or the IP address of the configuration server.
• (Optional) For port number, enter the port number for the configuration server.
Enables the Cisco IOS CNS agent and initiates a partial configuration on the device.

Step 5
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Step 6
Command or Action: show running-config
Example:
Device# show running-config
Purpose: Verifies your entries.

Step 7
Command or Action: copy running-config startup-config
Example:
Device# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

Step 8
Command or Action: Start the Cisco IOS CNS agent on the device.

What to Do Next
You can now use the Cisco Configuration Engine to remotely send incremental configurations to the device.
Related Topics
Cisco IOS CNS Agents
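The two procedures above can be verified offline against a saved running configuration. The following is an added example, not code from this guide or from Cisco: it parses cns event lines using the syntax and defaults printed in Step 3 of "Enabling the CNS Event Agent" (port 11011, keepalive and retry-count 0) and flags a CNS configuration agent that has no event agent, as well as the unsupported encrypt and clock-timeout keywords. It assumes keywords appear in the order shown in the guide's syntax line; the sample configurations, the gw.example.net name, and the finding codes are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_EVENT_PORT = 11011                  # default stated in this guide
UNSUPPORTED = ("encrypt", "clock-timeout")  # visible in CLI help, not supported
# Number of numeric arguments each keyword takes, per the guide's syntax line.
ARG_COUNT = {"keepalive": 2, "failover-time": 1, "reconnect-time": 1,
             "backup": 0, "encrypt": 0, "clock-timeout": 1}
CONFIG_RE = re.compile(r"^cns config (initial|partial)\s+(\S+)(?:\s+(\d+))?")


@dataclass
class EventAgent:
    gateway: str
    port: int = DEFAULT_EVENT_PORT
    keepalive_seconds: int = 0              # guide: default for each is 0
    retry_count: int = 0
    failover_time: Optional[int] = None
    reconnect_time: Optional[int] = None
    backup: bool = False                    # omitted keyword means primary gateway
    unsupported: List[str] = field(default_factory=list)


def parse_cns_event(line: str) -> Optional[EventAgent]:
    """Parse one 'cns event ...' line; return None for any other line."""
    tok = line.split()
    if len(tok) < 3 or tok[:2] != ["cns", "event"]:
        return None
    agent = EventAgent(gateway=tok[2])
    i = 3
    if i < len(tok) and tok[i].isdigit():   # optional port-number follows the host
        agent.port = int(tok[i])
        i += 1
    while i < len(tok):
        word = tok[i]
        argc = ARG_COUNT.get(word)
        args = tok[i + 1:i + 1 + (argc or 0)]
        if argc is None or len(args) < argc or not all(a.isdigit() for a in args):
            i += 1                          # unknown or malformed token: skip it
            continue
        values = [int(a) for a in args]
        if word == "keepalive":
            agent.keepalive_seconds, agent.retry_count = values
        elif word == "failover-time":
            agent.failover_time = values[0]
        elif word == "reconnect-time":
            agent.reconnect_time = values[0]
        elif word == "backup":
            agent.backup = True
        elif word in UNSUPPORTED:
            agent.unsupported.append(word)
        i += 1 + argc
    return agent


def audit_cns(config_text: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for the CNS lines of a running-config."""
    events, config_modes, findings = [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        agent = parse_cns_event(line)
        if agent:
            events.append(agent)
            continue
        match = CONFIG_RE.match(line)
        if match:
            config_modes.append(match.group(1))
    if not events:
        # The guide requires the event agent before the configuration agent.
        for mode in config_modes:
            findings.append(("NO_EVENT_AGENT",
                             f"cns config {mode} is present without cns event"))
    for agent in events:
        for word in agent.unsupported:
            findings.append(("UNSUPPORTED_KEYWORD",
                             f"{word} used for gateway {agent.gateway}"))
    return findings


# Constructed sample configurations (not taken from a real device).
GOOD_CONFIG = """hostname sw-access-01
cns event 10.180.1.27 keepalive 120 10
cns config partial 10.180.1.27 10
"""
BAD_CONFIG = """hostname sw-access-02
cns event gw.example.net 11012 keepalive 60 3 encrypt backup
"""
ORPHAN_CONFIG = """hostname sw-access-03
cns config partial 10.180.1.27 10
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG),
                       ("orphan", ORPHAN_CONFIG)):
        print(name, audit_cns(text))
```
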
Enabling an Initial Configuration for Cisco IOS CNS Agent
Follow these steps to enable the CNS configuration agent and initiate an initial configuration on the device.
SUMMARY STEPS
1. enable
2. configure terminal
3. cns template connect name
4. cli config-text
5. Repeat Steps 3 to 4 to configure another CNS connect template.
6. exit
7. cns connect name [retries number] [retry-interval seconds] [sleep seconds] [timeout seconds]
8. discover {controller controller-type | dlci [subinterface subinterface-number] | interface [interface-type]
| line line-type}
9. template name [... name]
10. Repeat Steps 8 to 9 to specify more interface parameters and CNS connect templates in the CNS connect
profile.
11. exit
12. hostname name
13. ip route network-number
14. cns id interface num {dns-reverse | ipaddress | mac-address} [event] [image]
15. cns id {hardware-serial | hostname | string string | udi} [event] [image]
16. cns config initial {hostname | ip-address} [port-number] [event] [no-persist] [page page] [source
ip-address] [syntax-check]
17. end
18. show running-config
19. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
cns template connect name
Enters CNS template connect configuration mode, and specifies the name
of the CNS connect template.
Example:
Device(config)# cns template connect template-dhcp
Step 4
cli config-text
Enters a command line for the CNS connect template. Repeat this step for
each command line in the template.
Example:
Device(config-tmpl-conn)# cli ip address dhcp
Step 5
Repeat Steps 3 to 4 to configure another
CNS connect template.
Step 6
exit
Returns to global configuration mode.
Example:
Device(config-tmpl-conn)# exit
Step 7
cns connect name [retries number] [retry-interval seconds] [sleep seconds] [timeout seconds]
Enters CNS connect configuration mode, specifies the name of the CNS connect profile, and defines the profile parameters. The device uses the CNS connect profile to connect to the Configuration Engine.
• Enter the name of the CNS connect profile.
• (Optional) For retries number, enter the number of connection retries. The range is 1 to 30. The default is 3.
• (Optional) For retry-interval seconds, enter the interval between successive connection attempts to the Configuration Engine. The range is 1 to 40 seconds. The default is 10 seconds.
• (Optional) For sleep seconds, enter the amount of time before which the first connection attempt occurs. The range is 0 to 250 seconds. The default is 0.
• (Optional) For timeout seconds, enter the amount of time after which the connection attempts end. The range is 10 to 2000 seconds. The default is 120.
Example:
Device(config)# cns connect dhcp
Step 8
discover {controller controller-type | dlci [subinterface subinterface-number] | interface [interface-type] | line line-type}
Specifies the interface parameters in the CNS connect profile.
• For controller controller-type, enter the controller type.
• For dlci, enter the active data-link connection identifiers (DLCIs).
(Optional) For subinterface subinterface-number, specify the point-to-point subinterface number that is used to search for active DLCIs.
• For interface [interface-type], enter the type of interface.
• For line line-type, enter the line type.
Example:
Device(config-cns-conn)# discover interface gigabitethernet
Step 9
template name [... name]
Specifies the list of CNS connect templates in the CNS connect profile to
be applied to the device configuration. You can specify more than one
template.
Example:
Device(config-cns-conn)# template template-dhcp
Step 10
Repeat Steps 8 to 9 to specify more interface
parameters and CNS connect templates in
the CNS connect profile.
Step 11
exit
Returns to global configuration mode.
Example:
Device(config-cns-conn)# exit
Step 12
hostname name
Enters the hostname for the device.
Example:
Device(config)# hostname device1
Step 13
ip route network-number
(Optional) Establishes a static route to the Configuration Engine whose IP
address is network-number.
Example:
RemoteDevice(config)# ip route 172.28.129.22 255.255.255.255 11.11.11.1
Step 14
cns id interface num {dns-reverse | ipaddress | mac-address} [event] [image]
(Optional) Sets the unique EventID or ConfigID used by the Configuration Engine. If you enter this command, do not enter the cns id {hardware-serial | hostname | string string | udi} [event] [image] command.
• For interface num, enter the type of interface. For example, ethernet, group-async, loopback, or virtual-template. This setting specifies from which interface the IP or MAC address should be retrieved to define the unique ID.
• For {dns-reverse | ipaddress | mac-address}, enter dns-reverse to retrieve the hostname and assign it as the unique ID, enter ipaddress to use the IP address, or enter mac-address to use the MAC address as the unique ID.
• (Optional) Enter event to set the ID to be the event-id value used to identify the device.
• (Optional) Enter image to set the ID to be the image-id value used to identify the device.
Note
If both the event and image keywords are omitted, the image-id value is used to identify the device.
Example:
RemoteDevice(config)# cns id GigabitEthernet1/0/1 ipaddress
Step 15
cns id {hardware-serial | hostname | string string | udi} [event] [image]
(Optional) Sets the unique EventID or ConfigID used by the Configuration Engine. If you enter this command, do not enter the cns id interface num {dns-reverse | ipaddress | mac-address} [event] [image] command.
• For { hardware-serial | hostname | string string | udi }, enter hardware-serial to set the device serial number as the unique ID, enter hostname (the default) to select the device hostname as the unique ID, enter an arbitrary text string for string string as the unique ID, or enter udi to set the unique device identifier (UDI) as the unique ID.
Example:
RemoteDevice(config)# cns id hostname
Step 16
cns config initial {hostname | ip-address} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]
Enables the Cisco IOS agent, and initiates an initial configuration.
• For {hostname | ip-address}, enter the hostname or the IP address of the configuration server.
• (Optional) For port-number, enter the port number of the configuration server. The default port number is 80.
• (Optional) Enable event for configuration success, failure, or warning messages when the configuration is finished.
• (Optional) Enable no-persist to suppress the automatic writing to NVRAM of the configuration pulled as a result of entering the cns config initial global configuration command. If the no-persist keyword is not entered, using the cns config initial command causes the resultant configuration to be automatically written to NVRAM.
• (Optional) For page page, enter the web page of the initial configuration. The default is /Config/config/asp.
• (Optional) Enter source ip-address to use for source IP address.
• (Optional) Enable syntax-check to check the syntax when this parameter is entered.
Note
Though visible in the command-line help string, the encrypt, status url, and inventory keywords are not supported.
Example:
RemoteDevice(config)# cns config initial 10.1.1.1 no-persist
Step 17
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 18
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 19
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
What to Do Next
To verify information about the configuration agent, use the show cns config connections command in
privileged EXEC mode.
To disable the CNS Cisco IOS agent, use the no cns config initial { ip-address | hostname } global configuration
command.
Related Topics
Initial Configuration, on page 6
Monitoring CNS Configurations, on page 21
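A lint pass over the CNS commands from the procedure above, added here as an example; it is not part of the Cisco guide. It assumes configuration text mirrors the commands as entered, with sub-mode lines indented, and the function names and sample configuration are constructed for illustration.

```python
"""Lint the CNS commands of an IOS configuration against this page's rules."""

# Ranges from Step 7 (cns connect); unsupported keywords and the default
# port from Step 16 (cns config initial).
CONNECT_RANGES = {"retries": (1, 30), "retry-interval": (1, 40),
                  "sleep": (0, 250), "timeout": (10, 2000)}
UNSUPPORTED_INITIAL = ("encrypt", "status", "inventory")
GLOBAL_ID_SOURCES = {"hardware-serial", "hostname", "string", "udi"}
DEFAULT_PORT = 80

# Constructed sample: the page's example commands with three deliberate
# mistakes (retries 40, an undefined template, both forms of "cns id").
SAMPLE_CONFIG = """\
hostname device1
cns template connect template-dhcp
 cli ip address dhcp
cns connect dhcp retries 40 timeout 120
 discover interface gigabitethernet
 template template-dhcp template-static
ip route 172.28.129.22 255.255.255.255 11.11.11.1
cns id GigabitEthernet1/0/1 ipaddress
cns id hostname
cns config initial 10.1.1.1 no-persist
"""


def check_connect_options(profile, opts):
    """Validate the keyword/value pairs that follow 'cns connect <name>'."""
    findings = []
    if len(opts) % 2:
        findings.append(("error", f"profile {profile}: option without a value"))
    for key, value in zip(opts[0::2], opts[1::2]):
        if key not in CONNECT_RANGES:
            findings.append(("error", f"profile {profile}: unknown option {key}"))
            continue
        low, high = CONNECT_RANGES[key]
        if not value.isdigit() or not low <= int(value) <= high:
            findings.append(
                ("error", f"profile {profile}: {key} {value} outside {low}-{high}"))
    return findings


def check_initial(args):
    """Inspect the arguments of 'cns config initial'."""
    server, rest = args[0], args[1:]
    port = int(rest[0]) if rest and rest[0].isdigit() else DEFAULT_PORT
    findings = [("info", f"initial configuration pulled from {server} port {port}")]
    for keyword in UNSUPPORTED_INITIAL:
        if keyword in rest:
            findings.append(("error", f"cns config initial: {keyword} is not supported"))
    if "no-persist" not in rest:
        findings.append(("info", "pulled configuration is written to NVRAM automatically"))
    return findings


def lint_cns(config_text):
    """Return (severity, message) findings for the CNS commands in a config."""
    findings, defined, used, id_forms = [], set(), [], set()
    profile = None  # name of the 'cns connect' profile being read, if any
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw[0].isspace():
            profile = None  # an unindented line ends the sub-mode
        if words[:3] == ["cns", "template", "connect"] and len(words) == 4:
            defined.add(words[3])
        elif words[:2] == ["cns", "connect"] and len(words) >= 3:
            profile = words[2]
            findings += check_connect_options(profile, words[3:])
        elif profile and words[0] == "template":
            used += [(profile, name) for name in words[1:]]
        elif words[:2] == ["cns", "id"] and len(words) >= 3:
            id_forms.add("global" if words[2] in GLOBAL_ID_SOURCES else "interface")
        elif words[:3] == ["cns", "config", "initial"] and len(words) >= 4:
            findings += check_initial(words[3:])
    # Templates are checked after the whole text is read, so the order in
    # which templates and profiles appear does not matter.
    for prof, name in used:
        if name not in defined:
            findings.append(("error", f"profile {prof}: template {name} is not defined"))
    if len(id_forms) == 2:
        findings.append(("error", "both forms of 'cns id' are configured; use one"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_cns(SAMPLE_CONFIG):
        print(f"{severity:7} {message}")
```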
Refreshing DeviceIDs
Follow these steps to refresh a DeviceID when changing the hostname on the device.
SUMMARY STEPS
1. enable
2. show cns config connections
3. Make sure that the CNS event agent is properly connected to the event gateway.
4. show cns event connections
5. Record from the output of Step 4 the information for the currently connected connection listed below.
You will be using the IP address and port number in subsequent steps of these instructions.
6. configure terminal
7. no cns event ip-address port-number
8. cns event ip-address port-number
9. end
10. Make sure that you have reestablished the connection between the device and the event connection by
examining the output from show cns event connections.
11. show running-config
12. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if
prompted.
Example:
Device> enable
Step 2
show cns config connections
Displays whether the CNS event agent is connecting to the gateway, connected, or active, and the gateway used by the event agent, its IP address and port number.
Example:
Device# show cns config connections
Step 3
Make sure that the CNS event agent is properly
connected to the event gateway.
Examine the output of show cns config connections for the
following:
• Connection is active.
• Connection is using the currently configured device
hostname. The DeviceID will be refreshed to
correspond to the new hostname configuration using
these instructions.
Step 4
show cns event connections
Displays the event connection information for your device.
Example:
Device# show cns event connections
Step 5
Record from the output of Step 4 the information for
the currently connected connection listed below. You
will be using the IP address and port number in
subsequent steps of these instructions.
Step 6
configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 7
no cns event ip-address port-number
Specifies the IP address and port number that you recorded in Step 5 in this command.
This command breaks the connection between the device and the event gateway. It is necessary to first break, then reestablish, this connection to refresh the DeviceID.
Example:
Device(config)# no cns event 172.28.129.22 2012
Step 8
cns event ip-address port-number
Specifies the IP address and port number that you recorded in Step 5 in this command.
This command reestablishes the connection between the device and the event gateway.
Example:
Device(config)# cns event 172.28.129.22 2012
Step 9
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 10
Make sure that you have reestablished the connection
between the device and the event connection by
examining the output from show cns event connections.
Step 11
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 12
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Related Topics
Hostname and DeviceID, on page 5
Enabling a Partial Configuration for Cisco IOS CNS Agent
Follow these steps to enable the Cisco IOS CNS agent and to initiate a partial configuration on the device.
SUMMARY STEPS
1. enable
2. configure terminal
3. cns config partial {ip-address | hostname} [port-number] [source ip-address]
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
cns config partial {ip-address | hostname} [port-number] [source ip-address]
Enables the configuration agent, and initiates a partial configuration.
• For {ip-address | hostname}, enter the IP address or the hostname of the configuration server.
• (Optional) For port-number, enter the port number of the configuration server. The default port number is 80.
• (Optional) Enter source ip-address to use for the source IP address.
Note
Though visible in the command-line help string, the encrypt keyword is not supported.
Example:
Device(config)# cns config partial 172.28.129.22 2013
Step 4
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 5
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 6
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
What to Do Next
To verify information about the configuration agent, use either the show cns config stats or the show cns
config outstanding command in privileged EXEC mode.
To disable the Cisco IOS agent, use the no cns config partial { ip-address | hostname } global configuration
command. To cancel a partial configuration, use the cns config cancel global configuration command.
Related Topics
Incremental (Partial) Configuration, on page 7
Monitoring CNS Configurations, on page 21
Monitoring CNS Configurations
Table 2: CNS show Commands
Command
Purpose
show cns config connections
Displays the status of the CNS Cisco IOS CNS agent connections.
Device# show cns config connections
show cns config outstanding
Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
Device# show cns config outstanding
show cns config stats
Displays statistics about the Cisco IOS CNS agent.
Device# show cns config stats
show cns event connections
Displays the status of the CNS event agent
connections.
Device# show cns event connections
show cns event gateway
Displays the event gateway information for your
device.
Device# show cns event gateway
show cns event stats
Displays statistics about the CNS event agent.
Device# show cns event stats
show cns event subject
Displays a list of event agent subjects that are
subscribed to by applications.
Device# show cns event subject
Related Topics
Enabling a Partial Configuration for Cisco IOS CNS Agent, on page 19
Incremental (Partial) Configuration, on page 7
Enabling an Initial Configuration for Cisco IOS CNS Agent, on page 12
Initial Configuration, on page 6
CHAPTER
2
Configuring Cisco Plug and Play
• Finding Feature Information, page 23
• Configuring Cisco Plug and Play, page 23
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Configuring Cisco Plug and Play
For information about configuring Plug and Play, see
• Cisco Plug and Play Feature Guide
• Configuration Guide for Cisco Network Plug and Play on APIC-EM
CHAPTER
3
Configuring the Cisco Discovery Protocol
• Finding Feature Information, page 25
• Information About CDP, page 25
• How to Configure CDP, page 26
• Monitoring and Maintaining CDP, page 35
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Information About CDP
CDP Overview
CDP is a device discovery protocol that runs over Layer 2 (the data-link layer) on all Cisco-manufactured
devices (routers, bridges, access servers, controllers, and switches) and allows network management applications
to discover Cisco devices that are neighbors of already known devices. With CDP, network management
applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address
of neighboring devices running lower-layer, transparent protocols. This feature enables applications to send
SNMP queries to neighboring devices.
CDP runs on all media that support Subnetwork Access Protocol (SNAP). Because CDP runs over the data-link
layer only, two systems that support different network-layer protocols can learn about each other.
Each CDP-configured device sends periodic messages to a multicast address, advertising at least one address
at which it can receive SNMP messages. The advertisements also contain time-to-live, or holdtime information,
which is the length of time a receiving device holds CDP information before discarding it. Each device also
listens to the messages sent by other devices to learn about neighboring devices.
On the device, CDP enables Network Assistant to display a graphical view of the network. The device uses
CDP to find cluster candidates and maintain information about cluster members and other devices up to three
cluster-enabled devices away from the command device by default.
Related Topics
Configuring CDP Characteristics, on page 26
Monitoring and Maintaining CDP, on page 35
Default CDP Configuration
This table shows the default CDP configuration.
Feature
Default Setting
CDP global state
Enabled
CDP interface state
Enabled
CDP timer (packet update frequency)
60 seconds
CDP holdtime (before discarding)
180 seconds
CDP Version-2 advertisements
Enabled
Related Topics
Enabling CDP, on page 30
Disabling CDP, on page 28
Enabling CDP on an Interface, on page 33
Disabling CDP on an Interface, on page 31
How to Configure CDP
Configuring CDP Characteristics
You can configure these CDP characteristics:
• Frequency of CDP updates
• Amount of time to hold the information before discarding it
• Whether or not to send Version-2 advertisements
Note
Steps 3 through 5 are all optional and can be performed in any order.
Follow these steps to configure the CDP characteristics.
SUMMARY STEPS
1. enable
2. configure terminal
3. cdp timer seconds
4. cdp holdtime seconds
5. cdp advertise-v2
6. end
7. show running-config
8. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if
prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
cdp timer seconds
(Optional) Sets the transmission frequency of CDP updates in seconds.
The range is 5 to 254; the default is 60 seconds.
Example:
Device(config)# cdp timer 20
Step 4
cdp holdtime seconds
(Optional) Specifies the amount of time a receiving device should hold the information sent by your device before discarding it.
The range is 10 to 255 seconds; the default is 180 seconds.
Example:
Device(config)# cdp holdtime 60
Step 5
cdp advertise-v2
(Optional) Configures CDP to send Version-2 advertisements.
This is the default state.
Example:
Device(config)# cdp advertise-v2
Step 6
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 7
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 8
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
What to Do Next
Use the no form of the CDP commands to return to the default settings.
Related Topics
CDP Overview, on page 25
Monitoring and Maintaining CDP, on page 35
Disabling CDP
CDP is enabled by default.
Note
Device clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages.
Disabling CDP can interrupt cluster discovery and device connectivity.
Follow these steps to disable the CDP device discovery capability.
SUMMARY STEPS
1. enable
2. configure terminal
3. no cdp run
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your
password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
no cdp run
Disables CDP.
Example:
Device(config)# no cdp run
Step 4
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 5
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 6
copy running-config startup-config
(Optional) Saves your entries in the configuration
file.
Example:
Device# copy running-config startup-config
What to Do Next
You must reenable CDP to use it.
Related Topics
Enabling CDP, on page 30
Default CDP Configuration, on page 26
Enabling CDP
CDP is enabled by default.
Note
Device clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages.
Disabling CDP can interrupt cluster discovery and device connectivity.
Follow these steps to enable CDP when it has been disabled.
Before You Begin
CDP must be disabled, or it cannot be enabled.
SUMMARY STEPS
1. enable
2. configure terminal
3. cdp run
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password
if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
cdp run
Enables CDP if it has been disabled.
Example:
Device(config)# cdp run
Step 4
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 5
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 6
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
What to Do Next
Use the show run all command to show that CDP has been enabled. If you enter only show run, the enabling
of CDP may not be displayed.
Related Topics
Default CDP Configuration, on page 26
Disabling CDP, on page 28
Disabling CDP on an Interface
CDP is enabled by default on all supported interfaces to send and to receive CDP information.
Note
Device clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages.
Disabling CDP can interrupt cluster discovery and device connectivity.
Follow these steps to disable CDP on a port.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. no cdp enable
5. end
6. show running-config
7. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password
if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
interface interface-id
Specifies the interface on which you are disabling CDP,
and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet1/0/1
Step 4
no cdp enable
Disables CDP on the interface specified in Step 3.
Example:
Device(config-if)# no cdp enable
Step 5
end
Returns to privileged EXEC mode.
Example:
Device(config-if)# end
Step 6
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 7
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Related Topics
Enabling CDP on an Interface, on page 33
Default CDP Configuration, on page 26
Enabling CDP on an Interface
CDP is enabled by default on all supported interfaces to send and to receive CDP information.
Note
Device clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages.
Disabling CDP can interrupt cluster discovery and device connectivity.
Follow these steps to enable CDP on a port on which it has been disabled.
Before You Begin
CDP must be disabled on the port on which you are trying to enable it, or it cannot be enabled.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. cdp enable
5. end
6. show running-config
7. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password
if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
interface interface-id
Specifies the interface on which you are enabling CDP,
and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet1/0/1
Step 4
cdp enable
Enables CDP on a disabled interface.
Example:
Device(config-if)# cdp enable
Step 5
end
Returns to privileged EXEC mode.
Example:
Device(config-if)# end
Step 6
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 7
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Related Topics
Default CDP Configuration, on page 26
Disabling CDP on an Interface, on page 31
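The global and per-interface CDP commands above combine with the defaults from the Default CDP Configuration table; the following added example (not part of the Cisco guide) computes the effective CDP state from configuration text in which default settings may not appear. The function name and the sample configuration are constructed, and the parser assumes sub-mode lines are indented.

```python
"""Report the effective CDP settings of an IOS configuration."""

# Defaults and ranges from the "Default CDP Configuration" table and the
# "Configuring CDP Characteristics" steps on this page.
DEFAULTS = {"timer": 60, "holdtime": 180}
RANGES = {"timer": (5, 254), "holdtime": (10, 255)}

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
cdp timer 20
cdp holdtime 300
!
interface GigabitEthernet1/0/1
 description uplink
!
interface GigabitEthernet1/0/2
 no cdp enable
!
interface GigabitEthernet1/0/3
 no cdp enable
 cdp enable
"""


def cdp_state(config_text):
    """Return the effective CDP settings after applying each line in order."""
    state = {"run": True, "advertise_v2": True, "errors": [], **DEFAULTS}
    enabled = {}     # interface name -> CDP enabled on that interface
    current = None   # interface whose sub-mode is being read, if any
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw[0].isspace():
            current = None  # an unindented line ends interface mode
        negated = words[0] == "no"
        cmd = words[1:] if negated else words
        if not cmd:
            continue
        if cmd[0] == "interface" and len(cmd) == 2 and not negated:
            current = cmd[1]
            enabled.setdefault(current, True)  # enabled unless stated otherwise
        elif cmd == ["cdp", "enable"] and current:
            enabled[current] = not negated
        elif cmd == ["cdp", "run"]:
            state["run"] = not negated
        elif cmd == ["cdp", "advertise-v2"]:
            state["advertise_v2"] = not negated
        elif cmd[0] == "cdp" and len(cmd) >= 2 and cmd[1] in RANGES:
            key = cmd[1]
            if negated:
                state[key] = DEFAULTS[key]  # the no form restores the default
                continue
            low, high = RANGES[key]
            value = cmd[2] if len(cmd) == 3 else ""
            if value.isdigit() and low <= int(value) <= high:
                state[key] = int(value)
            else:
                state["errors"].append(f"cdp {key} {value}: range is {low}-{high}")
    # An interface sends and receives CDP only when CDP is enabled both
    # globally (cdp run) and on the interface (cdp enable).
    state["interfaces"] = {name: state["run"] and on for name, on in enabled.items()}
    return state


if __name__ == "__main__":
    result = cdp_state(SAMPLE_CONFIG)
    print("timer", result["timer"], "holdtime", result["holdtime"])
    for name, active in result["interfaces"].items():
        print(name, "CDP enabled" if active else "CDP disabled")
    for error in result["errors"]:
        print("error:", error)
```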
Monitoring and Maintaining CDP
Table 3: Commands for Displaying CDP Information
Command
Description
clear cdp counters
Resets the traffic counters to zero.
clear cdp table
Deletes the CDP table of information about neighbors.
show cdp
Displays global information, such as frequency of transmissions
and the holdtime for packets being sent.
show cdp entry entry-name [version]
[protocol]
Displays information about a specific neighbor.
You can enter an asterisk (*) to display all CDP neighbors, or
you can enter the name of the neighbor about which you want
information.
You can also limit the display to information about the protocols
enabled on the specified neighbor or information about the version
of software running on the device.
show cdp interface [interface-id]
Displays information about interfaces where CDP is enabled.
You can limit the display to the interface about which you want
information.
show cdp neighbors [interface-id]
[detail]
Displays information about neighbors, including device type,
interface type and number, holdtime settings, capabilities,
platform, and port ID.
You can limit the display to neighbors of a specific interface or
expand the display to provide more detailed information.
show cdp traffic
Displays CDP counters, including the number of packets sent
and received and checksum errors.
Related Topics
Configuring CDP Characteristics, on page 26
CDP Overview, on page 25
CHAPTER
4
Configuring Simple Network Management Protocol
• Finding Feature Information, page 37
• Prerequisites for SNMP, page 37
• Restrictions for SNMP, page 40
• Information About SNMP, page 40
• How to Configure SNMP, page 44
• Monitoring SNMP Status, page 59
• SNMP Examples, page 60
• Feature History and Information for Simple Network Management Protocol, page 61
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Prerequisites for SNMP
Supported SNMP Versions
This software release supports the following SNMP versions:
• SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.
• SNMPv2C replaces the Party-based Administrative and Security Framework of SNMPv2Classic with
the community-string-based Administrative Framework of SNMPv2C while retaining the bulk retrieval
and improved error handling of SNMPv2Classic. It has these features:
◦SNMPv2—Version 2 of the Simple Network Management Protocol, a Draft Internet Standard,
defined in RFCs 1902 through 1907.
◦SNMPv2C—The community-string-based Administrative Framework for SNMPv2, an Experimental
Internet Protocol defined in RFC 1901.
• SNMPv3—Version 3 of the SNMP is an interoperable standards-based protocol defined in RFCs 2273
to 2275. SNMPv3 provides secure access to devices by authenticating and encrypting packets over the
network and includes these security features:
◦Message integrity—Ensures that a packet was not tampered with in transit.
◦Authentication—Determines that the message is from a valid source.
◦Encryption—Scrambles the contents of a packet to prevent it from being read by an unauthorized
source.
Note: To select encryption, enter the priv keyword.
Both SNMPv1 and SNMPv2C use a community-based form of security. The community of managers able to
access the agent’s MIB is defined by an IP address access control list and password.
SNMPv2C includes a bulk retrieval function and more detailed error message reporting to management
stations. The bulk retrieval function retrieves tables and large quantities of information, minimizing the number
of round-trips required. The SNMPv2C improved error-handling includes expanded error codes that distinguish
different kinds of error conditions; these conditions are reported through a single error code in SNMPv1. Error
return codes in SNMPv2C report the error type.
SNMPv3 provides for both security models and security levels. A security model is an authentication strategy
set up for a user and the group within which the user resides. A security level is the permitted level of security
within a security model. A combination of the security level and the security model determines which security
method is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2C, and
SNMPv3.
The following table identifies characteristics and compares different combinations of security models and
levels:
Table 4: SNMP Security Models and Levels
| Model | Level | Authentication | Encryption | Result |
|---|---|---|---|---|
| SNMPv1 | noAuthNoPriv | Community string | No | Uses a community string match for authentication. |
| SNMPv2C | noAuthNoPriv | Community string | No | Uses a community string match for authentication. |
| SNMPv3 | noAuthNoPriv | Username | No | Uses a username match for authentication. |
| SNMPv3 | authNoPriv | Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) | No | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. |
| SNMPv3 | authPriv | MD5 or SHA | Data Encryption Standard (DES) or Advanced Encryption Standard (AES) | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Allows specifying the User-based Security Model (USM) with these encryption algorithms: DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard; 3DES 168-bit encryption; AES 128-bit, 192-bit, or 256-bit encryption. |
You must configure the SNMP agent to use the SNMP version supported by the management station. Because
an agent can communicate with multiple managers, you can configure the software to support communications
using SNMPv1, SNMPv2C, or SNMPv3.
Restrictions for SNMP
Version Restrictions
• SNMPv1 does not support informs.
Information About SNMP
SNMP Overview
SNMP is an application-layer protocol that provides a message format for communication between managers
and agents. The SNMP system consists of an SNMP manager, an SNMP agent, and a management information
base (MIB). The SNMP manager can be part of a network management system (NMS) such as Cisco Prime
Infrastructure. The agent and MIB reside on the device. To configure SNMP on the device, you define the
relationship between the manager and the agent.
The SNMP agent contains MIB variables whose values the SNMP manager can request or change. A manager
can get a value from an agent or store a value into the agent. The agent gathers data from the MIB, the repository
for information about device parameters and network data. The agent can also respond to a manager's requests
to get or set data.
An agent can send unsolicited traps to the manager. Traps are messages alerting the SNMP manager to a
condition on the network. Traps can mean improper user authentication, restarts, link status (up or down),
MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, or other significant
events.
SNMP Manager Functions
The SNMP manager uses information in the MIB to perform the operations described in the following table:
Table 5: SNMP Operations
| Operation | Description |
|---|---|
| get-request | Retrieves a value from a specific variable. |
| get-next-request | Retrieves a value from a variable within a table. [2] |
| get-bulk-request [3] | Retrieves large blocks of data, such as multiple rows in a table, that would otherwise require the transmission of many small blocks of data. |
| get-response | Replies to a get-request, get-next-request, and set-request sent by an NMS. |
| set-request | Stores a value in a specific variable. |
| trap | An unsolicited message sent by an SNMP agent to an SNMP manager when some event has occurred. |
[2] With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table.
[3] The get-bulk command only works with SNMPv2 or later.
SNMP Agent Functions
The SNMP agent responds to SNMP manager requests as follows:
• Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The
agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
• Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.
The SNMP agent changes the value of the MIB variable to the value requested by the NMS.
The SNMP agent also sends unsolicited trap messages to notify an NMS that a significant event has occurred
on the agent. Examples of trap conditions include, but are not limited to, when a port or module goes up or
down, when spanning-tree topology changes occur, and when authentication failures occur.
Related Topics
Disabling the SNMP Agent, on page 44
Monitoring SNMP Status, on page 59
SNMP Community Strings
SNMP community strings authenticate access to MIB objects and function as embedded passwords. In order
for the NMS to access the device, the community string definitions on the NMS must match at least one of
the three community string definitions on the device.
A community string can have one of the following attributes:
• Read-only (RO)—Gives all objects in the MIB except the community strings read access to authorized
management stations, but does not allow write access.
• Read-write (RW)—Gives all objects in the MIB read and write access to authorized management stations,
but does not allow access to the community strings.
• When a cluster is created, the command device manages the exchange of messages among member
devices and the SNMP application. The Network Assistant software appends the member device number
(@esN, where N is the device number) to the first configured RW and RO community strings on the
command device and propagates them to the member devices.
Related Topics
Configuring Community Strings, on page 45
SNMP MIB Variables Access
An example of an NMS is the Cisco Prime Infrastructure network management software. Cisco Prime
Infrastructure 3.1 software uses the device MIB variables to set device variables and to poll devices on the
network for specific information. The results of a poll can be displayed as a graph and analyzed to troubleshoot
internetworking problems, increase network performance, verify the configuration of devices, monitor traffic
loads, and more.
As shown in the figure, the SNMP agent gathers data from the MIB. The agent can send traps, or notification
of certain events, to the SNMP manager, which receives and processes the traps. Traps alert the SNMP manager
to a condition on the network such as improper user authentication, restarts, link status (up or down), MAC
address tracking, and so forth. The SNMP agent also responds to MIB-related queries sent by the SNMP
manager in get-request, get-next-request, and set-request format.
Figure 3: SNMP Network
SNMP Notifications
SNMP allows the device to send notifications to SNMP managers when particular events occur. SNMP
notifications can be sent as traps or inform requests. In command syntax, unless there is an option in the
command to select either traps or informs, the keyword traps refers to either traps or informs, or both. Use
the snmp-server host command to specify whether to send SNMP notifications as traps or informs.
Note: SNMPv1 does not support informs.
Traps are unreliable because the receiver does not send an acknowledgment when it receives a trap, and the
sender cannot determine if the trap was received. When an SNMP manager receives an inform request, it
acknowledges the message with an SNMP response protocol data unit (PDU). If the sender does not receive
a response, the inform request can be sent again. Because they can be resent, informs are more likely than
traps to reach their intended destination.
The characteristics that make informs more reliable than traps also consume more resources in the device and
in the network. Unlike a trap, which is discarded as soon as it is sent, an inform request is held in memory
until a response is received or the request times out. Traps are sent only once, but an inform might be resent
or retried several times. The retries increase traffic and contribute to a higher overhead on the network.
Therefore, traps and informs require a trade-off between reliability and resources. If it is important that the
SNMP manager receive every notification, use inform requests. If traffic on the network or memory in the
device is a concern and notification is not required, use traps.
Related Topics
Configuring SNMP Notifications, on page 51
Monitoring SNMP Status, on page 59
SNMP ifIndex MIB Object Values
The SNMP agent's IF-MIB module comes up shortly after reboot. As various physical interface drivers are
initialized they register with the IF-MIB module, essentially saying "Give me an ifIndex number". The IF-MIB
module assigns the next available ifIndex number on a first-come-first-served basis. That is, minor differences
in driver initialization order from one reboot to another can result in the same physical interface getting a
different ifIndex number than it had before the reboot (unless ifIndex persistency is enabled of course).
Default SNMP Configuration
| Feature | Default Setting |
|---|---|
| SNMP agent | Disabled. [4] |
| SNMP trap receiver | None configured. |
| SNMP traps | None enabled except the trap for TCP connections (tty). |
| SNMP version | If no version keyword is present, the default is Version 1. |
| SNMPv3 authentication | If no keyword is entered, the default is the noauth (noAuthNoPriv) security level. |
| SNMP notification type | If no type is specified, all notifications are sent. |
[4] This is the default when the device starts and the startup configuration does not have any snmp-server global configuration commands.
SNMP Configuration Guidelines
If the device starts and the device startup configuration has at least one snmp-server global configuration
command, the SNMP agent is enabled.
An SNMP group is a table that maps SNMP users to SNMP views. An SNMP user is a member of an SNMP
group. An SNMP host is the recipient of an SNMP trap operation. An SNMP engine ID is a name for the local
or remote SNMP engine.
When configuring SNMP, follow these guidelines:
• When configuring an SNMP group, do not specify a notify view. The snmp-server host global
configuration command auto-generates a notify view for the user and then adds it to the group associated
with that user. Modifying the group's notify view affects all users associated with that group.
• To configure a remote user, specify the IP address or port number for the remote SNMP agent of the
device where the user resides.
• Before you configure remote users for a particular agent, configure the SNMP engine ID, using the
snmp-server engineID global configuration command with the remote option. The remote agent's
SNMP engine ID and user password are used to compute the authentication and privacy digests. If you
do not configure the remote engine ID first, the configuration command fails.
• When configuring SNMP informs, you need to configure the SNMP engine ID for the remote agent in
the SNMP database before you can send proxy requests or informs to it.
• If a local user is not associated with a remote host, the device does not send informs for the auth
(authNoPriv) and the priv (authPriv) authentication levels.
• Changing the value of the SNMP engine ID has significant results. A user's password (entered on the
command line) is converted to an MD5 or SHA security digest based on the password and the local
engine ID. The command-line password is then destroyed, as required by RFC 2274. Because of this
deletion, if the value of the engine ID changes, the security digests of SNMPv3 users become invalid,
and you need to reconfigure SNMP users by using the snmp-server user username global configuration
command. Similar restrictions require the reconfiguration of community strings when the engine ID
changes.
Related Topics
Configuring SNMP Groups and Users, on page 48
Monitoring SNMP Status, on page 59
How to Configure SNMP
Disabling the SNMP Agent
The no snmp-server global configuration command disables all running versions (Version 1, Version 2C,
and Version 3) of the SNMP agent on the device. You reenable all versions of the SNMP agent by the first
snmp-server global configuration command that you enter. There is no Cisco IOS command specifically
designated for enabling SNMP.
Follow these steps to disable the SNMP agent.
Before You Begin
The SNMP Agent must be enabled before it can be disabled. The SNMP agent is enabled by the first
snmp-server global configuration command entered on the device.
SUMMARY STEPS
1. enable
2. configure terminal
3. no snmp-server
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
Command or Action: no snmp-server
Purpose: Disables the SNMP agent operation.
Example:
Device(config)# no snmp-server
Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 5
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Device# show running-config
Step 6
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Related Topics
SNMP Agent Functions, on page 41
Monitoring SNMP Status, on page 59
Configuring Community Strings
You use the SNMP community string to define the relationship between the SNMP manager and the agent.
The community string acts like a password to permit access to the agent on the device. Optionally, you can
specify one or more of these characteristics associated with the string:
• An access list of IP addresses of the SNMP managers that are permitted to use the community string to
gain access to the agent
• A MIB view, which defines the subset of all MIB objects accessible to the given community
• Read and write or read-only permission for the MIB objects accessible to the community
Follow these steps to configure a community string on the device.
SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server community string [view view-name] [ro | rw] [access-list-number]
4. access-list access-list-number {deny | permit} source [source-wildcard]
5. end
6. show running-config
7. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
Command or Action: snmp-server community string [view view-name] [ro | rw] [access-list-number]
Purpose: Configures the community string.
Note: The @ symbol is used for delimiting the context information. Avoid using the @ symbol as part of the SNMP community string when configuring this command.
• For string, specify a string that acts like a password and permits access to the SNMP protocol. You can configure one or more community strings of any length.
• (Optional) For view, specify the view record accessible to the community.
• (Optional) Specify either read-only (ro) if you want authorized management stations to retrieve MIB objects, or specify read-write (rw) if you want authorized management stations to retrieve and modify MIB objects. By default, the community string permits read-only access to all objects.
• (Optional) For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.
Example:
Device(config)# snmp-server community comaccess ro 4
Step 4
Command or Action: access-list access-list-number {deny | permit} source [source-wildcard]
Purpose: (Optional) If you specified an IP standard access list number in Step 3, then create the list, repeating the command as many times as necessary.
• For access-list-number, enter the access list number specified in Step 3.
• The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
• For source, enter the IP address of the SNMP managers that are permitted to use the community string to gain access to the agent.
• (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place ones in the bit positions that you want to ignore.
Recall that the access list is always terminated by an implicit deny statement for everything.
Example:
Device(config)# access-list 4 deny any
Step 5
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 6
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Device# show running-config
Step 7
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
What to Do Next
To disable access for an SNMP community, set the community string for that community to the null string
(do not enter a value for the community string).
To remove a specific community string, use the no snmp-server community string global configuration
command.
You can specify an identification name (engine ID) for the local or remote SNMP server engine on the device.
You can configure an SNMP server group that maps SNMP users to SNMP views, and you can add new users
to the SNMP group.
Related Topics
SNMP Community Strings, on page 41
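The access-list check from Steps 3 and 4 of Configuring Community Strings, as an added Python example that is not part of the Cisco guide: it parses snmp-server community and standard access-list lines, applies the wildcard bits and the implicit deny, and reports which manager addresses each community string accepts. The sample configuration is constructed (its first two lines repeat the step examples); the manager addresses, the netops-ro and write@core strings, and all function names are assumptions.

```python
"""Audit SNMP community strings and their standard ACLs in IOS config text."""
import ipaddress
import re

# Constructed sample. The first two lines repeat the guide's step examples;
# the other community strings and addresses are made up for illustration.
SAMPLE_CONFIG = """\
snmp-server community comaccess ro 4
access-list 4 deny any
snmp-server community netops-ro ro 10
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any
snmp-server community write@core rw
"""

COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<string>\S+)(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>ro|rw))?(?: (?P<acl>\d+))?\s*$", re.IGNORECASE)
ACL_RE = re.compile(
    r"^access-list (?P<num>\d+) (?P<action>permit|deny) "
    r"(?P<source>\S+)(?: (?P<wildcard>\S+))?\s*$", re.IGNORECASE)


def parse(config):
    """Return (communities, acls); acls maps ACL number -> ordered entries."""
    communities, acls = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            communities.append({
                "string": m["string"],
                "view": m["view"],
                "mode": (m["mode"] or "ro").lower(),  # read-only is the default
                "acl": int(m["acl"]) if m["acl"] else None,
            })
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(int(m["num"]), []).append(
                (m["action"].lower(), m["source"], m["wildcard"]))
    return communities, acls


def entry_matches(source, wildcard, addr):
    """True if addr matches one ACL entry (any, host A.B.C.D, or source + wildcard)."""
    if source.lower() == "any":
        return True
    if source.lower() == "host":              # "host A.B.C.D" form
        source, wildcard = wildcard, "0.0.0.0"
    src = int(ipaddress.IPv4Address(source))
    wild = int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))
    ip = int(ipaddress.IPv4Address(addr))
    care = ~wild & 0xFFFFFFFF                 # ones in the wildcard are ignored
    return (src & care) == (ip & care)


def acl_permits(entries, addr):
    """First matching entry decides; no match falls through to the implicit deny."""
    for action, source, wildcard in entries:
        if entry_matches(source, wildcard, addr):
            return action == "permit"
    return False


def audit(config, manager_ips):
    """Report, per community string, the permitted managers and any findings."""
    communities, acls = parse(config)
    report = []
    for c in communities:
        findings = []
        if "@" in c["string"]:
            findings.append("community string contains '@' (context delimiter)")
        if c["mode"] == "rw":
            findings.append("read-write access")
        if c["acl"] is None:
            findings.append("no access list: source address is not restricted")
            allowed = list(manager_ips)
        elif c["acl"] not in acls:
            findings.append(f"access list {c['acl']} is referenced but not defined")
            allowed = None
        else:
            allowed = [ip for ip in manager_ips
                       if acl_permits(acls[c["acl"]], ip)]
            if not allowed:
                findings.append(
                    f"access list {c['acl']} permits none of the listed managers")
        report.append({"community": c["string"], "mode": c["mode"],
                       "acl": c["acl"], "allowed_managers": allowed,
                       "findings": findings})
    return report


if __name__ == "__main__":
    # Constructed manager addresses (documentation ranges).
    for row in audit(SAMPLE_CONFIG, ["192.0.2.15", "198.51.100.7"]):
        print(row)
```

With an access list that contains only deny any, as in the step example, no manager address is permitted for that community string.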
Configuring SNMP Groups and Users
You can specify an identification name (engine ID) for the local or remote SNMP server engine on the device.
You can configure an SNMP server group that maps SNMP users to SNMP views, and you can add new users
to the SNMP group.
Follow these steps to configure SNMP groups and users on the device.
SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server engineID {local engineid-string | remote ip-address [udp-port port-number] engineid-string}
4. snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview]
[notify notifyview] [access access-list]
5. snmp-server user username group-name {remote host [ udp-port port]} {v1 [access access-list] | v2c
[access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password] } [priv {des
| 3des | aes {128 | 192 | 256}} priv-password]
6. end
7. show running-config
8. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
Command or Action: snmp-server engineID {local engineid-string | remote ip-address [udp-port port-number] engineid-string}
Purpose: Configures a name for either the local or remote copy of SNMP.
• The engineid-string is a 24-character ID string with the name of the copy of SNMP. You need not specify the entire 24-character engine ID if it has trailing zeros. Specify only the portion of the engine ID up to the point where only zeros remain in the value. The example for this step configures an engine ID of 123400000000000000000000.
• If you select remote, specify the ip-address of the device that contains the remote copy of SNMP and the optional User Datagram Protocol (UDP) port on the remote device. The default is 162.
Example:
Device(config)# snmp-server engineID local 1234
Step 4
Command or Action: snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
Purpose: Configures a new SNMP group on the remote device.
For group-name, specify the name of the group.
Specify one of the following security models:
• v1 is the least secure of the possible security models.
• v2c is the second least secure model. It allows transmission of informs and integers twice the normal width.
• v3, the most secure, requires you to select one of the following authentication levels:
◦auth—Enables the Message Digest 5 (MD5) and the Secure Hash Algorithm (SHA) packet authentication.
◦noauth—Enables the noAuthNoPriv security level. This is the default if no keyword is specified.
◦priv—Enables Data Encryption Standard (DES) packet encryption (also called privacy).
(Optional) Enter read readview with a string (not to exceed 64 characters) that is the name of the view in which you can only view the contents of the agent.
(Optional) Enter write writeview with a string (not to exceed 64 characters) that is the name of the view in which you enter data and configure the contents of the agent.
(Optional) Enter notify notifyview with a string (not to exceed 64 characters) that is the name of the view in which you specify a notify, inform, or trap.
(Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.
Example:
Device(config)# snmp-server group public v2c access lmnop
Step 5
Command or Action: snmp-server user username group-name {remote host [ udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password] } [priv {des | 3des | aes {128 | 192 | 256}} priv-password]
Purpose: Adds a new user for an SNMP group.
The username is the name of the user on the host that connects to the agent.
The group-name is the name of the group to which the user is associated.
Enter remote to specify a remote SNMP entity to which the user belongs and the hostname or IP address of that entity with the optional UDP port number. The default is 162.
Enter the SNMP version number (v1, v2c, or v3). If you enter v3, you have these additional options:
• encrypted specifies that the password appears in encrypted format. This keyword is available only when the v3 keyword is specified.
• auth is an authentication level setting session that can be either the HMAC-MD5-96 (md5) or the HMAC-SHA-96 (sha) authentication level and requires a password string auth-password (not to exceed 64 characters).
If you enter v3 you can also configure a private (priv) encryption algorithm and password string priv-password using the following keywords (not to exceed 64 characters):
• priv specifies the User-based Security Model (USM).
• des specifies the use of the 56-bit DES algorithm.
• 3des specifies the use of the 168-bit DES algorithm.
• aes specifies the use of the AES algorithm. You must select either 128-bit, 192-bit, or 256-bit encryption.
(Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.
Example:
Device(config)# snmp-server user Pat public v2c
Step 6
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 7
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Device# show running-config
Step 8
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Related Topics
SNMP Configuration Guidelines, on page 43
Monitoring SNMP Status, on page 59
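Why changing the engine ID invalidates SNMPv3 users, as described in the SNMP Configuration Guidelines and the engineID and user steps above, shown as an added Python example that is not from the Cisco guide. It derives the localized authentication key from a password and an engine ID using the RFC 3414 procedure (the successor of the RFC 2274 procedure the guidelines cite). The password and the second engine ID are constructed values, the function names are hypothetical, and that the device's stored digest follows this procedure byte for byte is an assumption.

```python
"""RFC 3414 password-to-key localization for SNMPv3 USM users."""
import hashlib

EXPANDED_LENGTH = 1048576  # RFC 3414: hash the password repeated to 1 MiB


def pad_engine_id(short_hex):
    """Expand an abbreviated engine ID with trailing zeros to 24 hex characters,
    as the guide describes for 'snmp-server engineID local 1234'."""
    if not short_hex or len(short_hex) > 24:
        raise ValueError("engine ID must be 1 to 24 hex characters")
    return bytes.fromhex(short_hex.ljust(24, "0"))


def password_to_key(password, hash_name):
    """Intermediate user key Ku: digest of the password repeated to 1 MiB."""
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    reps, rem = divmod(EXPANDED_LENGTH, len(pw))
    return hashlib.new(hash_name, pw * reps + pw[:rem]).digest()


def localize(ku, engine_id, hash_name):
    """Localized key Kul = H(Ku || engineID || Ku); it is bound to one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password, engine_id_hex, hash_name="sha1"):
    """Hex digest that an agent with this engine ID would derive for the user."""
    ku = password_to_key(password, hash_name)
    return localize(ku, pad_engine_id(engine_id_hex), hash_name).hex()


if __name__ == "__main__":
    password = "example-auth-pass"          # constructed value
    before = localized_key(password, "1234")  # engine ID from the guide's example
    after = localized_key(password, "5678")   # constructed replacement engine ID
    print("engine ID 1234:", before)
    print("engine ID 5678:", after)
    print("digest still valid after the change:", before == after)
```

Because the plaintext password is discarded after this derivation, the agent cannot recompute the key for a new engine ID, which is why the users have to be configured again.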
Configuring SNMP Notifications
A trap manager is a management station that receives and processes traps. Traps are system alerts that the
device generates when certain events occur. By default, no trap manager is defined, and no traps are sent.
Devices running this Cisco IOS release can have an unlimited number of trap managers.
Note: Many commands use the word traps in the command syntax. Unless there is an option in the command
to select either traps or informs, the keyword traps refers to traps, informs, or both. Use the snmp-server
host global configuration command to specify whether to send SNMP notifications as traps or informs.
You can use the snmp-server enable traps global configuration command combined with the snmp-server
host global configuration command for a specific host to receive the notification types listed in the following
table. You can enable any or all of these traps and configure a trap manager to receive them.
Note: The snmp-server enable traps command does not support traps for local-authentication on your device.
Follow these steps to configure the device to send traps or informs to a host.
SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server engineID remote ip-address engineid-string
4. snmp-server user username group-name {remote host [ udp-port port]} {v1 [access access-list] | v2c
[access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password] }
5. snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview]
[notify notifyview] [access access-list]
6. snmp-server host host-addr [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}]
community-string [notification-type]
7. snmp-server enable traps notification-types
8. snmp-server trap-source interface-id
9. snmp-server queue-length length
10. snmp-server trap-timeout seconds
11. end
12. show running-config
13. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if prompted.
Network Management Configuration Guide, Cisco IOS XE Everest 16.5.1a (Catalyst 9300 Switches)
51
Configuring Simple Network Management Protocol
Configuring SNMP Notifications
Command or Action
Purpose
Example:
Device> enable
Step 2
Enters the global configuration mode.
configure terminal
Example:
Device# configure terminal
Step 3
snmp-server engineID remote ip-address
engineid-string
Specifies the engine ID for the remote host.
Example:
Device(config)# snmp-server engineID remote
192.180.1.27 00000063000100a1c0b4011b
Step 4
snmp-server user username group-name {remote Configures an SNMP user to be associated with the remote host
host [ udp-port port]} {v1 [access access-list] | created in Step 3.
v2c [access access-list] | v3 [encrypted] [access Note
You cannot configure a remote user for an address without
access-list] [auth {md5 | sha} auth-password] }
first configuring the engine ID for the remote host.
Otherwise, you receive an error message, and the command
Example:
is not executed.
Device(config)#
public v2c
Step 5
snmp-server user Pat
Configures an SNMP group.
snmp-server group group-name {v1 | v2c | v3
{auth | noauth | priv}} [read readview] [write
writeview] [notify notifyview] [access access-list]
Example:
Device(config)# snmp-server group public
v2c access lmnop
Step 6
snmp-server host host-addr [informs | traps]
[version {1 | 2c | 3 {auth | noauth | priv}}]
community-string [notification-type]
Example:
Device(config)# snmp-server host
203.0.113.1 comaccess snmp
Specifies the recipient of an SNMP trap operation.
For host-addr, specify the name or Internet address of the host (the
targeted recipient).
(Optional) Specify traps (the default) to send SNMP traps to the
host.
(Optional) Specify informs to send SNMP informs to the host.
(Optional) Specify the SNMP version (1, 2c, or 3). SNMPv1 does
not support informs.
(Optional) For Version 3, select authentication level auth, noauth,
or priv.
Note
The priv keyword is available only when the cryptographic
software image is installed.
Network Management Configuration Guide, Cisco IOS XE Everest 16.5.1a (Catalyst 9300 Switches)
52
Configuring Simple Network Management Protocol
Configuring SNMP Notifications
Command or Action
Purpose
For community-string, when version 1 or version 2c is specified,
enter the password-like community string sent with the notification
operation. When version 3 is specified, enter the SNMPv3 username.
The @ symbol is used for delimiting the context information. Avoid
using the @ symbol as part of the SNMP community string when
configuring this command.
(Optional) For notification-type, use the keywords listed in the table
above. If no type is specified, all notifications are sent.
Step 7
snmp-server enable traps notification-types
Enables the device to send traps or informs and specifies the type of notifications to be sent. For a list of notification types, see the table above, or enter snmp-server enable traps ?
To enable multiple types of traps, you must enter a separate snmp-server enable traps command for each trap type.
Note
When you configure a trap by using the notification type port-security, configure the port security trap first, and then configure the port security trap rate:
1. snmp-server enable traps port-security
2. snmp-server enable traps port-security trap-rate rate
Example:
Device(config)# snmp-server enable traps snmp
Step 8
snmp-server trap-source interface-id
(Optional) Specifies the source interface, which provides the IP address for the trap message. This command also sets the source IP address for informs.
Example:
Device(config)# snmp-server trap-source GigabitEthernet1/0/1
Step 9
snmp-server queue-length length
(Optional) Establishes the message queue length for each trap host.
The range is 1 to 1000; the default is 10.
Example:
Device(config)# snmp-server queue-length 20
Step 10
snmp-server trap-timeout seconds
(Optional) Defines how often to resend trap messages. The range is
1 to 1000; the default is 30 seconds.
Example:
Device(config)# snmp-server trap-timeout 60
Step 11
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 12
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 13
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
What to Do Next
The snmp-server host command specifies which hosts receive the notifications. The snmp-server enable
traps command globally enables the method for the specified notification (for traps and informs). To enable
a host to receive an inform, you must configure an snmp-server host informs command for the host and
globally enable informs by using the snmp-server enable traps command.
To remove the specified host from receiving traps, use the no snmp-server host host global configuration
command. The no snmp-server host command with no keywords disables traps, but not informs, to the host.
To disable informs, use the no snmp-server host informs global configuration command. To disable a specific
trap type, use the no snmp-server enable traps notification-types global configuration command.
Related Topics
SNMP Notifications, on page 42
Monitoring SNMP Status, on page 59
Setting the Agent Contact and Location Information
Follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be
accessed through the configuration file.
SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server contact text
4. snmp-server location text
5. end
6. show running-config
7. copy running-config startup-config
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Enables privileged EXEC mode. Enter your
password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
snmp-server contact text
Sets the system contact string.
Example:
Device(config)# snmp-server contact Dial System Operator at beeper 21555
Step 4
snmp-server location text
Sets the system location string.
Example:
Device(config)# snmp-server location Building 3/Room 222
Step 5
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 6
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 7
copy running-config startup-config
(Optional) Saves your entries in the configuration
file.
Example:
Device# copy running-config startup-config
Limiting TFTP Servers Used Through SNMP
Follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP
to the servers specified in an access list.
SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server tftp-server-list access-list-number
4. access-list access-list-number {deny | permit} source [source-wildcard]
5. end
6. show running-config
7. copy running-config startup-config
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
snmp-server tftp-server-list access-list-number
Limits the TFTP servers used for configuration file copies through SNMP to the servers in the access list.
For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.
Example:
Device(config)# snmp-server tftp-server-list 44
Step 4
access-list access-list-number {deny | permit} source [source-wildcard]
Creates a standard access list, repeating the command as many times as necessary.
For access-list-number, enter the access list number specified in Step 3.
The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
For source, enter the IP address of the TFTP servers that can access the device.
(Optional) For source-wildcard, enter the wildcard bits, in dotted decimal notation, to be applied to the source. Place ones in the bit positions that you want to ignore.
The access list is always terminated by an implicit deny statement for everything.
Example:
Device(config)# access-list 44 permit 10.1.1.2
Step 5
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 6
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 7
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
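The following Python sketch is an added example, not part of the Cisco guide. It evaluates a TFTP server address against the standard access list named by snmp-server tftp-server-list, applying the wildcard rule from Step 4 (ones mark ignored bits), first-match ordering, and the implicit deny. The function names and the sample configuration are constructed for illustration; treating a missing tftp-server-list as "no restriction" and handling the any keyword are assumptions that go beyond the steps above.

```python
import ipaddress
import re

def _ip(text):
    """Dotted-decimal string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))

def parse_standard_acl(config_text, number):
    """Return [(action, address, wildcard)] for one numbered standard access list."""
    entries = []
    for raw in config_text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)]:
            continue
        action, source = tok[2], tok[3]
        if source == "any":                      # assumption: keyword matching every source
            entries.append((action, 0, 0xFFFFFFFF))
        else:
            wildcard = _ip(tok[4]) if len(tok) > 4 else 0   # no wildcard: exact address
            entries.append((action, _ip(source), wildcard))
    return entries

def tftp_server_allowed(config_text, server_ip):
    """True if server_ip passes the access list bound by snmp-server tftp-server-list."""
    m = re.search(r"snmp-server tftp-server-list (\d+)", config_text)
    if m is None:
        return True                              # assumption: no list means no restriction
    number = int(m.group(1))
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"{number} is not a standard access list number")
    entries = parse_standard_acl(config_text, number)
    if not entries:
        raise ValueError(f"access list {number} is referenced but not defined")
    addr = _ip(server_ip)
    for action, net, wild in entries:
        # Ones in the wildcard are ignored bits: force them to 1 on both sides.
        if (addr | wild) == (net | wild):
            return action == "permit"            # first matching entry decides
    return False                                 # implicit deny for everything else

# Constructed sample: the guide's list 44 plus two extra entries to show ordering.
SAMPLE_CONFIG = "\n".join([
    "snmp-server tftp-server-list 44",
    "access-list 44 permit 10.1.1.2",
    "access-list 44 deny 10.1.2.128 0.0.0.127",
    "access-list 44 permit 10.1.2.0 0.0.0.255",
])

if __name__ == "__main__":
    for ip in ("10.1.1.2", "10.1.1.3", "10.1.2.5", "10.1.2.200"):
        print(ip, tftp_server_allowed(SAMPLE_CONFIG, ip))
```

Because the first matching entry wins, a broad permit placed above a narrower deny silently cancels the deny; review the order of entries as well as their presence.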
Configuring Trap Flags for SNMP
SUMMARY STEPS
1. configure terminal
2. trapflags ap {interfaceup | register}
3. trapflags client {dot11 | excluded}
4. trapflags dot11-security {ids-sig-attack | wep-decrypt-error}
5. trapflags mesh
6. trapflags rogueap
7. trapflags rrm-params {channels | tx-power}
8. trapflags rrm-profile {coverage | interference | load | noise}
9. end
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 2
trapflags ap {interfaceup | register}
Enables sending AP-related traps. Use the no form of the command to disable the trap flags.
• interfaceup – Enables trap when a Cisco AP interface (A or B) comes up.
• register – Enables trap when a Cisco AP registers with a Cisco device.
Example:
Device(config)# trapflags ap interfaceup
Step 3
trapflags client {dot11 | excluded}
Enables sending client-related dot11 traps. Use the no form of the command to disable the trap flags.
• dot11 – Enables Dot11 traps for clients.
• excluded – Enables excluded traps for clients.
Example:
Device(config)# trapflags client excluded
Step 4
trapflags dot11-security {ids-sig-attack | wep-decrypt-error}
Enables sending 802.11 security-related traps. Use the no form of the command to disable the trap flags.
• ids-sig-attack – Enables IDS signature attack traps.
• wep-decrypt-error – Enables traps for WEP decrypt error for clients.
Example:
Device(config)# trapflags dot11-security wep-decrypt-error
Step 5
trapflags mesh
Enables trap for the mesh. Use the no form of the command to disable the trap flags.
Example:
Device(config)# trapflags mesh
Step 6
trapflags rogueap
Enables trap for rogue AP detection. Use the no form of the command
to disable the trap flags.
Example:
Device(config)# trapflags rogueap
Step 7
trapflags rrm-params {channels | tx-power}
Enables sending RRM-parameter update-related traps. Use the no form of the command to disable the trap flags.
• channels – Enables trap when RF Manager automatically changes a channel number for the Cisco AP interface.
• tx-power – Enables the trap when RF Manager automatically changes Tx-Power level for the Cisco AP interface.
Example:
Device(config)# trapflags rrm-params tx-power
Step 8
trapflags rrm-profile {coverage | interference | load | noise}
Enables sending RRM-profile-related traps. Use the no form of the command to disable the trap flags.
• coverage – Enables the trap when the coverage profile maintained by RF Manager fails.
• interference – Enables the trap when the interference profile maintained by RF Manager fails.
• load – Enables trap when the load profile maintained by RF Manager fails.
• noise – Enables trap when the noise profile maintained by RF Manager fails.
Example:
Device(config)# trapflags rrm-profile interference
Step 9
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Monitoring SNMP Status
To display SNMP input and output statistics, including the number of illegal community string entries, errors,
and requested variables, use the show snmp privileged EXEC command. You also can use the other privileged
EXEC commands listed in the table to display SNMP information.
Table 6: Commands for Displaying SNMP Information
Command
Purpose
show snmp
Displays SNMP statistics.
Displays information on the local SNMP engine and all remote
engines that have been configured on the device.
show snmp group
Displays information on each SNMP group on the network.
show snmp pending
Displays information on pending SNMP requests.
show snmp sessions
Displays information on the current SNMP sessions.
show snmp user
Displays information on each SNMP user name in the SNMP
users table.
Note
You must use this command to display SNMPv3
configuration information for auth | noauth | priv mode.
This information is not displayed in the show
running-config output.
Related Topics
Disabling the SNMP Agent, on page 44
SNMP Agent Functions, on page 41
Configuring SNMP Groups and Users, on page 48
SNMP Configuration Guidelines, on page 43
Configuring SNMP Notifications, on page 51
SNMP Notifications, on page 42
SNMP Examples
This example shows how to enable all versions of SNMP. The configuration permits any SNMP manager to
access all objects with read-only permissions using the community string public. This configuration does not
cause the device to send any traps.
Device(config)# snmp-server community public
This example shows how to permit any SNMP manager to access all objects with read-only permission using
the community string public. The device also sends VTP traps to the hosts 192.180.1.111 and 192.180.1.33
using SNMPv1 and to the host 192.180.1.27 using SNMPv2C. The community string public is sent with the
traps.
Device(config)# snmp-server community public
Device(config)# snmp-server enable traps vtp
Device(config)# snmp-server host 192.180.1.27 version 2c public
Device(config)# snmp-server host 192.180.1.111 version 1 public
Device(config)# snmp-server host 192.180.1.33 public
This example shows how to allow read-only access for all objects to members of access list 4 that use the
comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication
Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.
Device(config)# snmp-server community comaccess ro 4
Device(config)# snmp-server enable traps snmp authentication
Device(config)# snmp-server host cisco.com version 2c public
This example shows how to send Entity MIB traps to the host cisco.com. The community string is restricted.
The first line enables the device to send Entity MIB traps in addition to any traps previously enabled. The
second line specifies the destination of these traps and overwrites any previous snmp-server host commands
for the host cisco.com.
Device(config)# snmp-server enable traps entity
Device(config)# snmp-server host cisco.com restricted entity
This example shows how to enable the device to send all traps to the host myhost.cisco.com using the community
string public:
Device(config)# snmp-server enable traps
Device(config)# snmp-server host myhost.cisco.com public
This example shows how to associate a user with a remote host and to send auth (authNoPriv)
authentication-level informs when the user enters global configuration mode:
Device(config)# snmp-server engineID remote 192.180.1.27 00000063000100a1c0b4011b
Device(config)# snmp-server group authgroup v3 auth
Device(config)# snmp-server user authuser authgroup remote 192.180.1.27 v3 auth md5 mypassword
Device(config)# snmp-server user authuser authgroup v3 auth md5 mypassword
Device(config)# snmp-server host 192.180.1.27 informs version 3 auth authuser config
Device(config)# snmp-server enable traps
Device(config)# snmp-server inform retries 0
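The following Python check is an added example, not part of the Cisco guide. It reads snmp-server commands of the kind shown above and flags the settings a reviewer would question: guessable or unrestricted community strings, SNMPv1/v2c notification hosts, SNMPv3 without auth or priv, MD5 authentication, and a missing tftp-server-list. The finding codes and function names are constructed for illustration; run it over the commands as entered (a change script), because the guide notes that SNMPv3 user details do not appear in show running-config output.

```python
WELL_KNOWN = {"public", "private"}      # guessable strings (constructed list)

def _level_codes(version, level):
    """Map an SNMP version and SNMPv3 security level to finding codes."""
    if version in ("1", "2c", "v1", "v2c"):
        return ["CLEARTEXT_COMMUNITY"]  # v1/v2c carry the community string unencrypted
    return {"noauth": ["V3_NOAUTH"], "auth": ["V3_NO_PRIV"]}.get(level, [])

def _community(args):
    string, rest = args[0], args[1:]
    codes = []
    if string.lower() in WELL_KNOWN:
        codes.append("WELL_KNOWN_COMMUNITY")
    if "rw" in rest:
        codes.append("COMMUNITY_RW")
    if "view" in rest:                  # drop "view <name>" before looking for an ACL
        i = rest.index("view")
        rest = rest[:i] + rest[i + 2:]
    if not [t for t in rest if t not in ("ro", "rw")]:
        codes.append("COMMUNITY_NO_ACL")
    return codes

def _host(args):
    rest = args[1:]                     # args[0] is the host address
    if rest and rest[0] in ("informs", "traps"):
        rest = rest[1:]
    version, level = "1", None          # per the guide's example, no keyword means SNMPv1
    if len(rest) > 1 and rest[0] == "version":
        version, rest = rest[1], rest[2:]
        if version == "3" and rest:
            level, rest = rest[0], rest[1:]
    codes = _level_codes(version, level)
    if version != "3" and rest and "@" in rest[0]:
        codes.append("AT_SIGN_IN_COMMUNITY")   # @ delimits context information
    return codes

def _group(args):
    if len(args) < 2:
        return []
    level = args[2] if args[1] == "v3" and len(args) > 2 else None
    return _level_codes(args[1], level)

def _user(args):
    ver = next((t for t in args[2:] if t in ("v1", "v2c", "v3")), None)
    if ver is None:
        return []
    if ver != "v3":
        return ["CLEARTEXT_COMMUNITY"]
    tail = args[args.index(ver, 2) + 1:]
    if "auth" not in tail:
        return ["V3_NOAUTH"]
    i = tail.index("auth")              # auth <algorithm> <password> [priv ...]
    codes = ["V3_AUTH_MD5"] if tail[i + 1:i + 2] == ["md5"] else []
    if "priv" not in tail[i + 3:]:
        codes.append("V3_NO_PRIV")
    return codes

CHECKS = {"community": _community, "host": _host, "group": _group, "user": _user}

def audit_snmp(config_text):
    """Return [(line_no, code)] for the snmp-server commands in config_text."""
    findings, saw_tftp_list = [], False
    for no, raw in enumerate(config_text.splitlines(), 1):
        tok = raw.split()
        if tok and tok[0].endswith("#"):        # strip a "Device(config)#" prompt
            tok = tok[1:]
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        if tok[1] == "tftp-server-list":
            saw_tftp_list = True
        check = CHECKS.get(tok[1])
        if check:
            findings += [(no, code) for code in check(tok[2:])]
    if not saw_tftp_list:
        findings.append((0, "NO_TFTP_SERVER_LIST"))   # line 0: config-wide finding
    return findings

# Sample input assembled from the commands in the examples above.
SAMPLE = "\n".join([
    "snmp-server community public",
    "snmp-server community comaccess ro 4",
    "snmp-server host 192.180.1.33 public",
    "snmp-server host 192.180.1.27 version 2c public",
    "snmp-server group authgroup v3 auth",
    "snmp-server user authuser authgroup v3 auth md5 mypassword",
    "snmp-server host 192.180.1.27 informs version 3 auth authuser config",
    "snmp-server enable traps",
])

if __name__ == "__main__":
    for line_no, code in audit_snmp(SAMPLE):
        print(line_no, code)
```

Only the community line that is read-only and bound to access list 4 passes without a finding; every other credential-bearing line in the sample is flagged.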
Feature History and Information for Simple Network Management Protocol
Release
Modification
Cisco IOS XE Everest 16.5.1a
This feature was introduced.
CHAPTER 5
Configuring Service Level Agreements
This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on the switch.
Unless otherwise noted, the term switch refers to a standalone switch or a switch stack.
• Finding Feature Information, page 63
• Restrictions on SLAs, page 63
• Information About SLAs, page 64
• How to Configure IP SLAs Operations, page 69
• Monitoring IP SLA Operations, page 82
• Monitoring IP SLA Operation Examples, page 83
• Additional References, page 84
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Restrictions on SLAs
This section lists the restrictions on SLAs.
The following are restrictions on IP SLAs network performance measurement:
• The device does not support VoIP service levels using the gatekeeper registration delay operations
measurements.
• Only a Cisco IOS device can be a source for a destination IP SLAs responder.
• You cannot configure the IP SLAs responder on non-Cisco devices and Cisco IOS IP SLAs can send
operational packets only to services native to those devices.
Related Topics
Implementing IP SLA Network Performance Measurement, on page 71
Network Performance Measurement with Cisco IOS IP SLAs, on page 65
IP SLA Responder and IP SLA Control Protocol, on page 66
Information About SLAs
Cisco IOS IP Service Level Agreements (SLAs)
Cisco IOS IP SLAs send data across the network to measure performance between multiple network locations
or across multiple network paths. They simulate network data and IP services and collect network performance
information in real time. Cisco IOS IP SLAs generate and analyze traffic either between Cisco IOS devices
or from a Cisco IOS device to a remote IP device such as a network application server. Measurements provided
by the various Cisco IOS IP SLA operations can be used for troubleshooting, for problem analysis, and for
designing network topologies.
Depending on the specific Cisco IOS IP SLA operations, various network performance statistics are monitored
within the Cisco device and stored in both command-line interface (CLI) and Simple Network Management
Protocol (SNMP) MIBs. IP SLA packets have configurable IP and application layer options such as source
and destination IP address, User Datagram Protocol (UDP)/TCP port numbers, a type of service (ToS) byte
(including Differentiated Services Code Point [DSCP] and IP Prefix bits), Virtual Private Network (VPN)
routing/forwarding instance (VRF), and URL web address.
Because Cisco IP SLAs are Layer 2 transport independent, you can configure end-to-end operations over
disparate networks to best reflect the metrics that an end user is likely to experience. IP SLAs collect and
analyze the following performance metrics:
• Delay (both round-trip and one-way)
• Jitter (directional)
• Packet loss (directional)
• Packet sequencing (packet ordering)
• Path (per hop)
• Connectivity (directional)
• Server or website download time
Because Cisco IOS IP SLAs is SNMP-accessible, it can also be used by performance-monitoring applications
like Cisco Prime Internetwork Performance Monitor (IPM) and other third-party Cisco partner performance
management products.
Using IP SLAs can provide the following benefits:
• Service-level agreement monitoring, measurement, and verification.
• Network performance monitoring
◦Measurement of jitter, latency, or packet loss in the network.
◦Continuous, reliable, and predictable measurements.
• IP service network health assessment to verify that the existing QoS is sufficient for new IP services.
• Edge-to-edge network availability monitoring for proactive verification and connectivity testing of
network resources (for example, shows the network availability of an NFS server used to store business
critical data from a remote site).
• Network operation troubleshooting by providing consistent, reliable measurement that immediately
identifies problems and saves troubleshooting time.
• Multiprotocol Label Switching (MPLS) performance monitoring and network verification (if the device
supports MPLS).
Network Performance Measurement with Cisco IOS IP SLAs
You can use IP SLAs to monitor performance between any areas of the network (core, distribution, and
edge) without deploying a physical probe. IP SLAs use generated traffic to measure network performance between
two networking devices.
The following figure shows how IP SLAs begin when the source device sends a generated packet to the
destination device. After the destination device receives the packet, depending on the type of IP SLAs operation,
it responds with time-stamp information for the source to make the calculation on performance metrics. An
IP SLAs operation performs a network measurement from the source device to a destination in the network
using a specific protocol such as UDP.
Figure 4: Cisco IOS IP SLAs Operation
Related Topics
Implementing IP SLA Network Performance Measurement, on page 71
Restrictions on SLAs, on page 63
IP SLA Responder and IP SLA Control Protocol
The IP SLA responder is a component embedded in the destination Cisco device that allows the system to
anticipate and respond to IP SLA request packets. The responder provides accurate measurements without
the need for dedicated probes. The responder uses the Cisco IOS IP SLA Control Protocol to provide a
mechanism through which it can be notified on which port it should listen and respond.
Note
The IP SLA responder can be a Cisco IOS Layer 2, responder-configurable device. The responder does
not need to support full IP SLA functionality.
The following figure shows where the Cisco IOS IP SLA responder fits in the IP network. The responder
listens on a specific port for control protocol messages sent by an IP SLA operation. Upon receipt of the
control message, it enables the specified UDP or TCP port for the specified duration. During this time, the
responder accepts the requests and responds to them. It disables the port after it responds to the IP SLA packet,
or when the specified time expires. MD5 authentication for control messages is available for added security.
Figure 5: Cisco IOS IP SLAs Operation
You do not need to enable the responder on the destination device for all IP SLA operations. For example, a
responder is not required for services that are already provided by the destination router (such as Telnet or
HTTP).
Related Topics
Restrictions on SLAs, on page 63
Response Time Computation for IP SLAs
Switches, controllers, and routers can take tens of milliseconds to process incoming packets due to other high
priority processes. This delay affects the response times because the test-packet reply might be in a queue
while waiting to be processed. In this situation, the response times would not accurately represent true network
delays. IP SLAs minimize these processing delays on the source device as well as on the target device (if the
responder is being used) to determine true round-trip times. IP SLA test packets use time stamping to minimize
the processing delays.
When the IP SLA responder is enabled, it allows the target device to take time stamps when the packet arrives
on the interface at interrupt level and again just as it is leaving, eliminating the processing time. This time
stamping is made with a granularity of sub-milliseconds (ms).
The following figure demonstrates how the responder works. Four time stamps are taken to make the calculation
for round-trip time. At the target router, with the responder functionality enabled, time stamp 2 (TS2) is
subtracted from time stamp 3 (TS3) to produce the time spent processing the test packet as represented by
delta. This delta value is then subtracted from the overall round-trip time. Notice that the same principle is
applied by IP SLAs on the source router where the incoming time stamp 4 (TS4) is also taken at the interrupt
level to allow for greater accuracy.
Figure 6: Cisco IOS IP SLA Responder Time Stamping
An additional benefit of the two time stamps at the target device is the ability to track one-way delay, jitter,
and directional packet loss. Because much network behavior is asynchronous, it is critical to have these
statistics. However, to capture one-way delay measurements, you must configure both the source router and
target router with Network Time Protocol (NTP) so that the source and target are synchronized to the same
clock source. One-way jitter measurements do not require clock synchronization.
IP SLAs Operation Scheduling
When you configure an IP SLAs operation, you must schedule the operation to begin capturing statistics and
collecting error information. You can schedule an operation to start immediately or to start at a certain month,
day, and hour. You can use the pending option to set the operation to start at a later time. The pending option
is an internal state of the operation that is visible through SNMP. The pending state is also used when an
operation is a reaction (threshold) operation waiting to be triggered. You can schedule a single IP SLAs
operation or a group of operations at one time.
You can schedule several IP SLAs operations by using a single command through the Cisco IOS CLI or the
CISCO-RTTMON-MIB. Scheduling the operations to run at evenly distributed times allows you to control
the amount of IP SLAs monitoring traffic. This distribution of IP SLA operations helps minimize the CPU
utilization and thus improves network scalability.
For more details about the IP SLA multi-operations scheduling functionality, see the “IP SLAs—Multiple
Operation Scheduling” chapter of the Cisco IOS IP SLAs Configuration Guide.
IP SLA Operation Threshold Monitoring
To support successful service level agreement monitoring, you must have mechanisms that notify you
immediately of any possible violation. IP SLAs can send SNMP traps that are triggered by events such as the
following:
• Connection loss
• Timeout
• Round-trip time threshold
• Average jitter threshold
• One-way packet loss
• One-way jitter
• One-way mean opinion score (MOS)
• One-way latency
An IP SLA threshold violation can also trigger another IP SLA operation for further analysis. For example,
the frequency could be increased or an Internet Control Message Protocol (ICMP) path echo or ICMP path
jitter operation could be initiated for troubleshooting.
ICMP Echo
The ICMP echo operation measures the end-to-end response time between a Cisco device and any other device
that uses IP. The response time is computed by measuring the time it takes to send an ICMP echo request
message to a destination and receive an ICMP echo reply. Many customers use IP SLA ICMP-based operations,
in-house ping testing, or ping-based dedicated probes to measure this response time. The IP SLA ICMP echo
operation conforms to the same specifications as ICMP ping testing, and both methods result in the same
response times.
Related Topics
Analyzing IP Service Levels by Using the ICMP Echo Operation, on page 79
UDP Jitter
Jitter is a simple term that describes interpacket delay variance. When multiple packets are sent consecutively
at an interval of 10 ms from source to destination, the destination should receive them 10 ms apart (if the
network is behaving correctly). However, if there are delays in the network (such as queuing, arriving through
alternate routes, and so on), the time interval between packet arrivals might be more or less than 10 ms. A
positive jitter value indicates that the packets arrived more than 10 ms apart. A negative jitter value indicates
that the packets arrived less than 10 ms apart. If the packets arrive 12 ms apart, the positive jitter is 2 ms; if
the packets arrive 8 ms apart, the negative jitter is 2 ms. For delay-sensitive networks, positive jitter values
are undesirable, and a jitter value of 0 is ideal.
In addition to monitoring jitter, the IP SLA UDP jitter operation can be used as a multipurpose data gathering
operation. The packets generated by IP SLAs carry sequence information and time stamps from the source
and operational target that include packet sending and receiving data. Based on this data, UDP jitter operations
measure the following:
• Per-direction jitter (source to destination and destination to source)
• Per-direction packet-loss
• Per-direction delay (one-way delay)
• Round-trip delay (average round-trip time)
Because the paths for the sending and receiving of data can be different (asymmetric), you can use the
per-direction data to more readily identify where congestion or other problems are occurring in the network.
The UDP jitter operation generates synthetic (simulated) UDP traffic and sends a number of UDP packets,
each of a specified size, sent a specified number of milliseconds apart, from a source router to a target router,
at a given frequency. By default, ten packet-frames, each with a payload size of 10 bytes are generated every
10 ms, and the operation is repeated every 60 seconds. You can configure each of these parameters to best
simulate the IP service you want to provide.
To provide accurate one-way delay (latency) measurements, time synchronization (as provided by NTP) is
required between the source and the target device. Time synchronization is not required for the one-way jitter
and packet loss measurements. If the time is not synchronized between the source and target devices, one-way
jitter and packet loss data is returned, but values of 0 are returned for the one-way delay measurements provided
by the UDP jitter operation.
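The following Python sketch is an added example, not part of the Cisco guide. It works through the arithmetic described under Response Time Computation for IP SLAs and UDP Jitter: round-trip time with the responder delta (TS3 minus TS2) removed, per-direction jitter, and one-way delay reported as 0 when the clocks are not synchronized. The function names and probe values are constructed, and TS1 is assumed to be the send time stamp taken at the source.

```python
def round_trip_ms(ts1, ts2, ts3, ts4):
    """Round-trip time with responder processing removed: (TS4 - TS1) - (TS3 - TS2)."""
    delta = ts3 - ts2            # time spent in the target; uses the target clock only
    return (ts4 - ts1) - delta

def jitter_ms(send_times, receive_times):
    """Arrival gap minus send gap for each consecutive packet pair.

    Positive: packets arrived further apart than they were sent.
    Negative: packets arrived closer together than they were sent.
    """
    return [(r1 - r0) - (s1 - s0)
            for s0, s1, r0, r1 in zip(send_times, send_times[1:],
                                      receive_times, receive_times[1:])]

def analyse(probes, clocks_synchronized):
    """probes: list of (TS1, TS2, TS3, TS4) in ms, in send order.

    TS1 and TS4 are read from the source clock, TS2 and TS3 from the target clock.
    """
    ts1, ts2, ts3, ts4 = (list(col) for col in zip(*probes))
    return {
        "rtt": [round_trip_ms(*p) for p in probes],
        # Jitter compares gaps measured on one clock each, so any fixed offset cancels.
        "jitter_sd": jitter_ms(ts1, ts2),      # source to destination
        "jitter_ds": jitter_ms(ts3, ts4),      # destination to source
        # One-way delay subtracts across two clocks; without NTP it is reported as 0.
        "delay_sd": [b - a if clocks_synchronized else 0 for a, b in zip(ts1, ts2)],
        "delay_ds": [b - a if clocks_synchronized else 0 for a, b in zip(ts3, ts4)],
    }

def skew_target_clock(probes, offset_ms):
    """Simulate an unsynchronized target by shifting TS2 and TS3."""
    return [(t1, t2 + offset_ms, t3 + offset_ms, t4) for t1, t2, t3, t4 in probes]

# Constructed probes: three packets sent 10 ms apart, arriving 12 ms and then 8 ms apart.
PROBES = [(0, 4, 7, 12), (10, 16, 17, 21), (20, 24, 29, 33)]

if __name__ == "__main__":
    print(analyse(PROBES, clocks_synchronized=True))
    print(analyse(skew_target_clock(PROBES, 5000), clocks_synchronized=False))
```

A 5000 ms clock offset on the target leaves the round-trip and jitter values unchanged, which is why only the one-way delay figures depend on NTP.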
Related Topics
Analyzing IP Service Levels by Using the UDP Jitter Operation, on page 75
How to Configure IP SLAs Operations
This section does not include configuration information for all available operations as the configuration
information details are included in the Cisco IOS IP SLAs Configuration Guide. It does include several
operations as examples, including configuring the responder, configuring a UDP jitter operation, which requires
a responder, and configuring an ICMP echo operation, which does not require a responder. For details about
configuring other operations, see the Cisco IOS IP SLAs Configuration Guide.
Default Configuration
No IP SLAs operations are configured.
Configuration Guidelines
For information on the IP SLA commands, see the Cisco IOS IP SLAs Command Reference, Release 12.4T
command reference.
For detailed descriptions and configuration procedures, see the Cisco IOS IP SLAs Configuration Guide,
Release 12.4TL.
Not all of the IP SLA commands or operations described in the referenced guide are supported on the device.
The device supports IP service level analysis by using UDP jitter, UDP echo, HTTP, TCP connect, ICMP
echo, ICMP path echo, ICMP path jitter, FTP, DNS, and DHCP, as well as multiple operation scheduling and
proactive threshold monitoring. It does not support VoIP service levels using the gatekeeper registration delay
operations measurements.
Before configuring any IP SLAs application, you can use the show ip sla application privileged EXEC
command to verify that the operation type is supported on your software image. This is an example of the
output from the command:
Device# show ip sla application
IP Service Level Agreements
Version: Round Trip Time MIB 2.2.0, Infrastructure Engine-III
Supported Operation Types:
icmpEcho, path-echo, path-jitter, udpEcho, tcpConnect, http
dns, udpJitter, dhcp, ftp, udpApp, wspApp
Supported Features:
IPSLAs Event Publisher
IP SLAs low memory water mark: 33299323
Estimated system max number of entries: 24389
Estimated number of configurable operations: 24389
Number of Entries configured : 0
Number of active Entries     : 0
Number of pending Entries    : 0
Number of inactive Entries   : 0
Time of last change in whole IP SLAs: *13:04:37.668 UTC Wed Dec 19 2012
Configuring the IP SLA Responder
The IP SLA responder is available only on Cisco IOS software-based devices, including some Layer 2 devices
that do not support full IP SLA functionality.
Follow these steps to configure the IP SLA responder on the target device (the operational target):
SUMMARY STEPS
1. enable
2. configure terminal
3. ip sla responder {tcp-connect | udp-echo} ipaddress ip-address port port-number
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
ip sla responder {tcp-connect | udp-echo} ipaddress ip-address port port-number
Configures the device as an IP SLA responder.
The keywords have these meanings:
• tcp-connect—Enables the responder for TCP connect operations.
• udp-echo—Enables the responder for User Datagram Protocol (UDP) echo or jitter operations.
• ipaddress ip-address—Enter the destination IP address.
• port port-number—Enter the destination port number.
Note
The IP address and port number must match those configured on the source device for the IP SLA
operation.
Example:
Device(config)# ip sla responder udp-echo ipaddress 172.29.139.134 port 5000
Step 4
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 5
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 6
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Implementing IP SLA Network Performance Measurement
Follow these steps to implement IP SLA network performance measurement on your device:
Before You Begin
Use the show ip sla application privileged EXEC command to verify that the desired operation type is
supported on your software image.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip sla operation-number
4. udp-jitter {destination-ip-address | destination-hostname} destination-port [source-ip {ip-address |
hostname}] [source-port port-number] [control {enable | disable}] [num-packets number-of-packets]
[interval interpacket-interval]
5. frequency seconds
6. threshold milliseconds
7. exit
8. ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day | day
month] | pending | now | after hh:mm:ss] [ageout seconds] [recurring]
9. end
10. show running-config
11. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
ip sla operation-number
Creates an IP SLA operation, and enters IP SLA configuration mode.
Example:
Device(config)# ip sla 10
Step 4
udp-jitter {destination-ip-address | destination-hostname} destination-port
[source-ip {ip-address | hostname}] [source-port port-number] [control {enable | disable}]
[num-packets number-of-packets] [interval interpacket-interval]
Configures the IP SLA operation as the operation type of your choice (a UDP jitter operation is used
in the example), and enters its configuration mode (UDP jitter configuration mode is used in the
example).
• destination-ip-address | destination-hostname—Specifies the destination IP address or hostname.
• destination-port—Specifies the destination port number in the range from 1 to 65535.
• (Optional) source-ip {ip-address | hostname}—Specifies the source IP address or hostname. When a
source IP address or hostname is not specified, IP SLA chooses the IP address nearest to the
destination.
• (Optional) source-port port-number—Specifies the source port number in the range from 1 to 65535.
When a port number is not specified, IP SLA chooses an available port.
• (Optional) control—Enables or disables sending of IP SLA control messages to the IP SLA responder.
By default, IP SLA control messages are sent to the destination device to establish a connection
with the IP SLA responder.
• (Optional) num-packets number-of-packets—Enters the number of packets to be generated. The range
is 1 to 6000; the default is 10.
• (Optional) interval inter-packet-interval—Enters the interval between sending packets in
milliseconds. The range is 1 to 6000; the default value is 20 ms.
Example:
Device(config-ip-sla)# udp-jitter 172.29.139.134 5000
Step 5
frequency seconds
(Optional) Configures options for the SLA operation. This example sets the rate at which a specified
IP SLA operation repeats. The range is from 1 to 604800 seconds; the default is 60 seconds.
Example:
Device(config-ip-sla-jitter)# frequency 45
Step 6
threshold milliseconds
(Optional) Configures threshold conditions. This example sets the threshold of the specified IP SLA
operation to 200. The range is from 0 to 60000 milliseconds.
Example:
Device(config-ip-sla-jitter)# threshold 200
Step 7
exit
Exits the SLA operation configuration mode (UDP jitter configuration mode in this example), and
returns to global configuration mode.
Example:
Device(config-ip-sla-jitter)# exit
Step 8
ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day |
day month] | pending | now | after hh:mm:ss] [ageout seconds] [recurring]
Configures the scheduling parameters for an individual IP SLA operation.
• operation-number—Enter the RTR entry number.
• (Optional) life—Sets the operation to run indefinitely (forever) or for a specific number of
seconds. The range is from 0 to 2147483647. The default is 3600 seconds (1 hour).
• (Optional) start-time—Enters the time for the operation to begin collecting information:
To start at a specific time, enter the hour, minute, second (in 24-hour notation), and day of the
month. If no month is entered, the default is the current month.
Enter pending to select no information collection until a start time is selected.
Enter now to start the operation immediately.
Enter after hh:mm:ss to show that the operation should start after the entered time has elapsed.
• (Optional) ageout seconds—Enter the number of seconds to keep the operation in memory when it is
not actively collecting information. The range is 0 to 2073600 seconds; the default is 0 seconds
(never ages out).
• (Optional) recurring—Set the operation to automatically run every day.
Example:
Device(config)# ip sla schedule 10 start-time now life forever
Step 9
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 10
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 11
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
UDP Jitter Configuration
This example shows how to configure a UDP jitter IP SLA operation:
Device(config)# ip sla 10
Device(config-ip-sla)# udp-jitter 172.29.139.134 5000
Device(config-ip-sla-jitter)# frequency 30
Device(config-ip-sla-jitter)# exit
Device(config)# ip sla schedule 10 start-time now life forever
Device(config)# end
Device# show ip sla configuration 10
IP SLAs, Infrastructure Engine-II.
Entry number: 10
Owner:
Tag:
Type of operation to perform: udp-jitter
Target address/Source address: 1.1.1.1/0.0.0.0
Target port/Source port: 2/0
Request size (ARR data portion): 32
Operation timeout (milliseconds): 5000
Packet Interval (milliseconds)/Number of packets: 20/10
Type Of Service parameters: 0x0
Verify data: No
Vrf Name:
Control Packets: enabled
Schedule:
Operation frequency (seconds): 30
Next Scheduled Start Time: Pending trigger
Group Scheduled : FALSE
Randomly Scheduled : FALSE
Life (seconds): 3600
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): notInService
Threshold (milliseconds): 5000
Distribution Statistics:
Number of statistic hours kept: 2
Number of statistic distribution buckets kept: 1
Statistic distribution interval (milliseconds): 20
Enhanced History:
Related Topics
Network Performance Measurement with Cisco IOS IP SLAs, on page 65
Restrictions on SLAs, on page 63
Analyzing IP Service Levels by Using the UDP Jitter Operation
Follow these steps to configure a UDP jitter operation on the source device:
Before You Begin
You must enable the IP SLA responder on the target device (the operational target) to configure a UDP jitter
operation on the source device.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip sla operation-number
4. udp-jitter {destination-ip-address | destination-hostname} destination-port [source-ip {ip-address |
hostname}] [source-port port-number] [control {enable | disable}] [num-packets number-of-packets]
[interval interpacket-interval]
5. frequency seconds
6. exit
7. ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day | day
month] | pending | now | after hh:mm:ss] [ageout seconds] [recurring]
8. end
9. show running-config
10. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
ip sla operation-number
Creates an IP SLA operation, and enters IP SLA configuration mode.
Example:
Device(config)# ip sla 10
Step 4
udp-jitter {destination-ip-address | destination-hostname} destination-port
[source-ip {ip-address | hostname}] [source-port port-number] [control {enable | disable}]
[num-packets number-of-packets] [interval interpacket-interval]
Configures the IP SLA operation as a UDP jitter operation, and enters UDP jitter configuration mode.
• destination-ip-address | destination-hostname—Specifies the destination IP address or hostname.
• destination-port—Specifies the destination port number in the range from 1 to 65535.
• (Optional) source-ip {ip-address | hostname}—Specifies the source IP address or hostname. When a
source IP address or hostname is not specified, IP SLA chooses the IP address nearest to the
destination.
• (Optional) source-port port-number—Specifies the source port number in the range from 1 to 65535.
When a port number is not specified, IP SLA chooses an available port.
• (Optional) control—Enables or disables sending of IP SLA control messages to the IP SLA responder.
By default, IP SLA control messages are sent to the destination device to establish a connection
with the IP SLA responder.
• (Optional) num-packets number-of-packets—Enters the number of packets to be generated. The range
is 1 to 6000; the default is 10.
• (Optional) interval inter-packet-interval—Enters the interval between sending packets in
milliseconds. The range is 1 to 6000; the default value is 20 ms.
Example:
Device(config-ip-sla)# udp-jitter 172.29.139.134 5000
Step 5
frequency seconds
(Optional) Sets the rate at which a specified IP SLA operation repeats. The range is from 1 to
604800 seconds; the default is 60 seconds.
Example:
Device(config-ip-sla-jitter)# frequency 45
Step 6
exit
Exits UDP jitter configuration mode, and returns to global configuration mode.
Example:
Device(config-ip-sla-jitter)# exit
Step 7
ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day |
day month] | pending | now | after hh:mm:ss] [ageout seconds] [recurring]
Configures the scheduling parameters for an individual IP SLA operation.
• operation-number—Enter the RTR entry number.
• (Optional) life—Sets the operation to run indefinitely (forever) or for a specific number of
seconds. The range is from 0 to 2147483647. The default is 3600 seconds (1 hour).
• (Optional) start-time—Enters the time for the operation to begin collecting information:
To start at a specific time, enter the hour, minute, second (in 24-hour notation), and day of the
month. If no month is entered, the default is the current month.
Enter pending to select no information collection until a start time is selected.
Enter now to start the operation immediately.
Enter after hh:mm:ss to show that the operation should start after the entered time has elapsed.
• (Optional) ageout seconds—Enter the number of seconds to keep the operation in memory when it is
not actively collecting information. The range is 0 to 2073600 seconds; the default is 0 seconds
(never ages out).
• (Optional) recurring—Set the operation to automatically run every day.
Example:
Device(config)# ip sla schedule 10 start-time now life forever
Step 8
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 9
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 10
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Configuring a UDP Jitter IP SLA Operation
This example shows how to configure a UDP jitter IP SLA operation:
Device(config)# ip sla 10
Device(config-ip-sla)# udp-jitter 172.29.139.134 5000
Device(config-ip-sla-jitter)# frequency 30
Device(config-ip-sla-jitter)# exit
Device(config)# ip sla schedule 10 start-time now life forever
Device(config)# end
Device# show ip sla configuration 10
IP SLAs, Infrastructure Engine-II.
Entry number: 10
Owner:
Tag:
Type of operation to perform: udp-jitter
Target address/Source address: 1.1.1.1/0.0.0.0
Target port/Source port: 2/0
Request size (ARR data portion): 32
Operation timeout (milliseconds): 5000
Packet Interval (milliseconds)/Number of packets: 20/10
Type Of Service parameters: 0x0
Verify data: No
Vrf Name:
Control Packets: enabled
Schedule:
Operation frequency (seconds): 30
Next Scheduled Start Time: Pending trigger
Group Scheduled : FALSE
Randomly Scheduled : FALSE
Life (seconds): 3600
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): notInService
Threshold (milliseconds): 5000
Distribution Statistics:
Number of statistic hours kept: 2
Number of statistic distribution buckets kept: 1
Statistic distribution interval (milliseconds): 20
Enhanced History:
Related Topics
UDP Jitter, on page 68
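The following Python check is an added example, not part of the Cisco guide or Cisco software. It audits UDP jitter settings against the ranges documented above, confirms that each operation has a schedule entry with the same operation number, and confirms that the target has a responder on the same address and port. It assumes running-config style text as input and a responder configured in the explicit form shown in the responder procedure; the function names and the sample configurations are constructed for illustration.

```python
import re

# Value ranges as documented in this section for a UDP jitter operation.
RANGES = {
    "destination-port": (1, 65535),
    "source-port": (1, 65535),
    "num-packets": (1, 6000),
    "interval": (1, 6000),
    "frequency": (1, 604800),
    "threshold": (0, 60000),
}

RESPONDER = re.compile(
    r"^ip sla responder (tcp-connect|udp-echo) ipaddress (\S+) port (\d+)", re.MULTILINE
)


def parse_source(config):
    """Return ({operation number: settings}, {scheduled operation numbers})."""
    ops, scheduled, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # a top-level command closes any open block
            current = None
            m = re.fullmatch(r"ip sla (\d+)", line)
            if m:
                current = ops.setdefault(int(m.group(1)), {})
            m = re.match(r"ip sla schedule (\d+)\b", line)
            if m:
                scheduled.add(int(m.group(1)))
            continue
        if current is None:
            continue
        m = re.fullmatch(r"udp-jitter (\S+) (\d+)(.*)", line)
        if m:
            current.update(type="udp-jitter", target=m.group(1))
            current["destination-port"] = int(m.group(2))
            words = m.group(3).split()  # optional keyword/value pairs
            for key, value in zip(words[::2], words[1::2]):
                current[key] = int(value) if key in RANGES and value.isdigit() else value
            continue
        m = re.fullmatch(r"(frequency|threshold) (\d+)", line)
        if m:
            current[m.group(1)] = int(m.group(2))
    return ops, scheduled


def parse_responders(config):
    """Return {(kind, address, port)} for explicit responder lines on the target."""
    return {(kind, addr, int(port)) for kind, addr, port in RESPONDER.findall(config)}


def audit(source_cfg, responder_cfg):
    """Return a list of (operation number, finding) tuples; empty means no findings."""
    ops, scheduled = parse_source(source_cfg)
    responders = parse_responders(responder_cfg)
    findings = []
    for num, op in sorted(ops.items()):
        for key, (lo, hi) in RANGES.items():
            value = op.get(key)
            if value is None:
                continue
            if not isinstance(value, int) or not lo <= value <= hi:
                findings.append((num, f"{key} {value} is outside {lo}-{hi}"))
        if num not in scheduled:
            findings.append((num, "no 'ip sla schedule' entry for this operation"))
        if op.get("type") == "udp-jitter":
            wanted = ("udp-echo", op["target"], op["destination-port"])
            if wanted not in responders:
                findings.append((num, "no udp-echo responder on the same address and port"))
    for num in sorted(scheduled - set(ops)):
        findings.append((num, "schedule refers to an operation that is not configured"))
    return findings


# Constructed sample input (not taken from a real device).
SOURCE_CFG = """\
ip sla 10
 udp-jitter 172.29.139.134 5000 num-packets 8000
 frequency 30
ip sla schedule 5 life forever start-time now
ip sla 11
 udp-jitter 172.29.139.134 5001
 frequency 45
 threshold 200
ip sla schedule 11 life forever start-time now
"""
RESPONDER_CFG = """\
ip sla responder udp-echo ipaddress 172.29.139.134 port 5000
"""

if __name__ == "__main__":
    for number, text in audit(SOURCE_CFG, RESPONDER_CFG):
        print(f"operation {number}: {text}")
```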
Analyzing IP Service Levels by Using the ICMP Echo Operation
Follow these steps to configure an ICMP echo operation on the source device:
Before You Begin
This operation does not require the IP SLA responder to be enabled.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip sla operation-number
4. icmp-echo {destination-ip-address | destination-hostname} [source-ip {ip-address | hostname} |
source-interface interface-id]
5. frequency seconds
6. exit
7. ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day | day
month] | pending | now | after hh:mm:ss] [ageout seconds] [recurring]
8. end
9. show running-config
10. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
ip sla operation-number
Creates an IP SLA operation and enters IP SLA configuration mode.
Example:
Device(config)# ip sla 10
Step 4
icmp-echo {destination-ip-address | destination-hostname} [source-ip {ip-address | hostname} |
source-interface interface-id]
Configures the IP SLA operation as an ICMP Echo operation and enters ICMP echo configuration mode.
• destination-ip-address | destination-hostname—Specifies the destination IP address or hostname.
• (Optional) source-ip {ip-address | hostname}—Specifies the source IP address or hostname. When a
source IP address or hostname is not specified, IP SLA chooses the IP address nearest to the
destination.
• (Optional) source-interface interface-id—Specifies the source interface for the operation.
Example:
Device(config-ip-sla)# icmp-echo 172.29.139.134
Step 5
frequency seconds
(Optional) Sets the rate at which a specified IP SLA operation repeats. The range is from 1 to
604800 seconds; the default is 60 seconds.
Example:
Device(config-ip-sla-echo)# frequency 30
Step 6
exit
Exits ICMP echo configuration mode, and returns to global configuration mode.
Example:
Device(config-ip-sla-echo)# exit
Step 7
ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day |
day month] | pending | now | after hh:mm:ss] [ageout seconds] [recurring]
Configures the scheduling parameters for an individual IP SLA operation.
• operation-number—Enter the RTR entry number.
• (Optional) life—Sets the operation to run indefinitely (forever) or for a specific number of
seconds. The range is from 0 to 2147483647. The default is 3600 seconds (1 hour).
• (Optional) start-time—Enter the time for the operation to begin collecting information:
To start at a specific time, enter the hour, minute, second (in 24-hour notation), and day of the
month. If no month is entered, the default is the current month.
Enter pending to select no information collection until a start time is selected.
Enter now to start the operation immediately.
Enter after hh:mm:ss to indicate that the operation should start after the entered time has elapsed.
• (Optional) ageout seconds—Enter the number of seconds to keep the operation in memory when it is
not actively collecting information. The range is 0 to 2073600 seconds; the default is 0 seconds
(never ages out).
• (Optional) recurring—Sets the operation to automatically run every day.
Example:
Device(config)# ip sla schedule 10 start-time now life forever
Step 8
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 9
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 10
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Configuring an ICMP Echo IP SLA Operation
This example shows how to configure an ICMP echo IP SLA operation:
Device(config)# ip sla 12
Device(config-ip-sla)# icmp-echo 172.29.139.134
Device(config-ip-sla-echo)# frequency 30
Device(config-ip-sla-echo)# exit
Device(config)# ip sla schedule 12 start-time now life forever
Device(config)# end
Device# show ip sla configuration 12
IP SLAs, Infrastructure Engine-II.
Entry number: 12
Owner:
Tag:
Type of operation to perform: echo
Target address: 2.2.2.2
Source address: 0.0.0.0
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Vrf Name:
Schedule:
Operation frequency (seconds): 60
Next Scheduled Start Time: Pending trigger
Group Scheduled : FALSE
Randomly Scheduled : FALSE
Life (seconds): 3600
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): notInService
Threshold (milliseconds): 5000
Distribution Statistics:
Number of statistic hours kept: 2
Number of statistic distribution buckets kept: 1
Statistic distribution interval (milliseconds): 20
History Statistics:
Number of history Lives kept: 0
Number of history Buckets kept: 15
History Filter Type: None
Enhanced History:
Related Topics
IP SLA Operation Threshold Monitoring, on page 68
Monitoring IP SLA Operations
The following table describes the commands used to display IP SLA operation configurations and results:
Table 7: Monitoring IP SLA Operations
show ip sla application
Displays global information about Cisco IOS IP SLAs.
show ip sla authentication
Displays IP SLA authentication information.
show ip sla configuration [entry-number]
Displays configuration values including all defaults for all IP SLA operations or a specific
operation.
show ip sla enhanced-history {collection-statistics | distribution statistics} [entry-number]
Displays enhanced history statistics for collected history buckets or distribution statistics for
all IP SLA operations or a specific operation.
show ip sla ethernet-monitor configuration [entry-number]
Displays IP SLA automatic Ethernet configuration.
show ip sla group schedule [schedule-entry-number]
Displays IP SLA group scheduling configuration and details.
show ip sla history [entry-number | full | tabular]
Displays history collected for all IP SLA operations.
show ip sla mpls-lsp-monitor {collection-statistics | configuration | ldp operational-state |
scan-queue | summary [entry-number] | neighbors}
Displays MPLS label switched path (LSP) Health Monitor operations.
show ip sla reaction-configuration [entry-number]
Displays the configured proactive threshold monitoring settings for all IP SLA operations or a
specific operation.
show ip sla reaction-trigger [entry-number]
Displays the reaction trigger information for all IP SLA operations or a specific operation.
show ip sla responder
Displays information about the IP SLA responder.
show ip sla statistics [entry-number | aggregated | details]
Displays current or aggregated operational status and statistics.
Monitoring IP SLA Operation Examples
The following example shows all IP SLAs by application:
Device# show ip sla application
IP Service Level Agreements
Version: Round Trip Time MIB 2.2.0, Infrastructure Engine-III
Supported Operation Types:
icmpEcho, path-echo, path-jitter, udpEcho, tcpConnect, http
dns, udpJitter, dhcp, ftp, udpApp, wspApp
Supported Features:
IPSLAs Event Publisher
IP SLAs low memory water mark: 33299323
Estimated system max number of entries: 24389
Estimated number of configurable operations: 24389
Number of Entries configured : 0
Number of active Entries     : 0
Number of pending Entries    : 0
Number of inactive Entries   : 0
Time of last change in whole IP SLAs: *13:04:37.668 UTC Wed Dec 19 2012
The following example shows all IP SLA distribution statistics:
Device# show ip sla enhanced-history distribution-statistics
Point by point Enhanced History
Entry    = Entry Number
Int      = Aggregation Interval
BucI     = Bucket Index
StartT   = Aggregation Start Time
Pth      = Path index
Hop      = Hop in path index
Comps    = Operations completed
OvrTh    = Operations completed over thresholds
SumCmp   = Sum of RTT (milliseconds)
SumCmp2L = Sum of RTT squared low 32 bits (milliseconds)
SumCmp2H = Sum of RTT squared high 32 bits (milliseconds)
TMax     = RTT maximum (milliseconds)
TMin     = RTT minimum (milliseconds)
Entry Int BucI StartT Pth Hop Comps OvrTh SumCmp SumCmp2L SumCmp2H TMax TMin
Additional References
Related Documents
Related Topic
Document Title
Cisco Medianet Metadata Guide
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mdata/configuration/15-sy/mdata-15sy-book/metadata-framework.pdf
Cisco Media Services Proxy Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/msp/configuration/15-mt/msp-15-mt-book.pdf
Cisco Mediatrace and Cisco Performance Monitor Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/media_monitoring/configuration/15-mt/mm-15-mt-book/mm-mediatrace.html
Error Message Decoder
Description
Link
To help you research and resolve system error
messages in this release, use the Error Message
Decoder tool.
https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi
Standards and RFCs
Standard/RFC
Title
None
-
MIBs
MIB
MIBs Link
All supported MIBs for this release.
To locate and download MIBs for selected platforms,
Cisco IOS releases, and feature sets, use Cisco MIB
Locator found at the following URL:
http://www.cisco.com/go/mibs
Technical Assistance
Description
Link
The Cisco Support website provides extensive online resources, including documentation and tools for
troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various
services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services
Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
http://www.cisco.com/support
CHAPTER 6
Configuring SPAN and RSPAN
• Finding Feature Information
• Prerequisites for SPAN and RSPAN
• Restrictions for SPAN and RSPAN
• Information About SPAN and RSPAN
• How to Configure SPAN and RSPAN
• Monitoring SPAN and RSPAN Operations
• SPAN and RSPAN Configuration Examples
• Feature History and Information for SPAN and RSPAN
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Prerequisites for SPAN and RSPAN
SPAN
• You can limit SPAN traffic to specific VLANs by using the filter vlan keyword. If a trunk port is being
monitored, only traffic on the VLANs specified with this keyword is monitored. By default, all VLANs
are monitored on a trunk port.
RSPAN
• We recommend that you configure an RSPAN VLAN before you configure an RSPAN source or a
destination session.
Restrictions for SPAN and RSPAN
SPAN
The restrictions for SPAN are as follows:
• On each device, you can configure 66 sessions. A maximum of 8 source sessions can be configured
and the remaining sessions can be configured as RSPAN destination sessions. A source session is either
a local SPAN session or an RSPAN source session.
• For SPAN sources, you can monitor traffic for a single port or VLAN or a series or range of ports or
VLANs for each session. You cannot mix source ports and source VLANs within a single SPAN session.
• The destination port cannot be a source port; a source port cannot be a destination port.
• You cannot have two SPAN sessions using the same destination port.
• When you configure a device port as a SPAN destination port, it is no longer a normal device port; only
monitored traffic passes through the SPAN destination port.
• Entering SPAN configuration commands does not remove previously configured SPAN parameters.
You must enter the no monitor session {session_number | all | local | remote} global configuration
command to delete configured SPAN parameters.
• For local SPAN, outgoing packets through the SPAN destination port carry the original encapsulation
headers—untagged, ISL, or IEEE 802.1Q—if the encapsulation replicate keywords are specified. If
the keywords are not specified, the packets are sent in native form.
• You can configure a disabled port to be a source or destination port, but the SPAN function does not
start until the destination port and at least one source port or source VLAN are enabled.
• You cannot mix source VLANs and filter VLANs within a single SPAN session.
Traffic monitoring in a SPAN session has the following restrictions:
• Sources can be ports or VLANs, but you cannot mix source ports and source VLANs in the same session.
• Wireshark does not capture egress packets when egress SPAN is active.
• You can run both a local SPAN and an RSPAN source session in the same device or device stack. The
device or device stack supports a total of 66 source and RSPAN destination sessions.
• You can configure two separate SPAN or RSPAN source sessions with separate or overlapping sets of
SPAN source ports and VLANs. Both switched and routed ports can be configured as SPAN sources
and destinations.
• You can have multiple destination ports in a SPAN session, but no more than 64 destination ports per
device stack.
• SPAN sessions do not interfere with the normal operation of the device. However, an oversubscribed
SPAN destination, for example, a 10-Mb/s port monitoring a 100-Mb/s port, can result in dropped or
lost packets.
• When SPAN or RSPAN is enabled, each packet being monitored is sent twice, once as normal traffic
and once as a monitored packet. Monitoring a large number of ports or VLANs could potentially generate
large amounts of network traffic.
• You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active
unless you enable the destination port and at least one source port or VLAN for that session.
• The device does not support a combination of local SPAN and RSPAN in a single session.
◦ An RSPAN source session cannot have a local destination port.
◦ An RSPAN destination session cannot have a local source port.
◦ An RSPAN destination session and an RSPAN source session that are using the same RSPAN
VLAN cannot run on the same device or device stack.
RSPAN
The restrictions for RSPAN are as follows:
• RSPAN does not support BPDU packet monitoring or other Layer 2 device protocols.
• The RSPAN VLAN is configured only on trunk ports and not on access ports. To avoid unwanted traffic
in RSPAN VLANs, make sure that the VLAN remote-span feature is supported in all the participating
devices.
• RSPAN VLANs are included as sources for port-based RSPAN sessions when source trunk ports have
active RSPAN VLANs. RSPAN VLANs can also be sources in SPAN sessions. However, since the
device does not monitor spanned traffic, it does not support egress spanning of packets on any RSPAN
VLAN identified as the destination of an RSPAN source session on the device.
• If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted
flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005.
• To use RSPAN, the switch must be running the LAN Base image.
Information About SPAN and RSPAN
SPAN and RSPAN
You can analyze network traffic passing through ports or VLANs by using SPAN or RSPAN to send a copy
of the traffic to another port on the device or on another device that has been connected to a network analyzer
or other monitoring or security device. SPAN copies (or mirrors) traffic received or sent (or both) on source
ports or source VLANs to a destination port for analysis. SPAN does not affect the switching of network
traffic on the source ports or VLANs. You must dedicate the destination port for SPAN use. Except for traffic
that is required for the SPAN or RSPAN session, destination ports do not receive or forward traffic.
Only traffic that enters or leaves source ports or traffic that enters or leaves source VLANs can be monitored
by using SPAN; traffic routed to a source VLAN cannot be monitored. For example, if incoming traffic is
being monitored, traffic that gets routed from another VLAN to the source VLAN cannot be monitored;
however, traffic that is received on the source VLAN and routed to another VLAN can be monitored.
You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example,
if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device
can send TCP reset packets to close down the TCP session of a suspected attacker.
Local SPAN
Local SPAN supports a SPAN session entirely within one device; all source ports or source VLANs and
destination ports are in the same device or device stack. Local SPAN copies traffic from one or more source
ports in any VLAN or from one or more VLANs to a destination port for analysis.
All traffic on port 5 (the source port) is mirrored to port 10 (the destination port). A network analyzer on port
10 receives all network traffic from port 5 without being physically attached to port 5.
Figure 7: Example of Local SPAN Configuration on a Single Device
This is an example of a local SPAN in a device stack, where the source and destination ports reside on different
stack members.
Figure 8: Example of Local SPAN Configuration on a Device Stack
Related Topics
Creating a Local SPAN Session, on page 101
Creating a Local SPAN Session and Configuring Incoming Traffic, on page 104
Example: Configuring Local SPAN, on page 125
Remote SPAN
RSPAN supports source ports, source VLANs, and destination ports on different devices (or different device
stacks), enabling remote monitoring of multiple devices across your network.
The figure below shows source ports on Device A and Device B. The traffic for each RSPAN session is carried
over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating devices.
The RSPAN traffic from the source ports or VLANs is copied into the RSPAN VLAN and forwarded over
trunk ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN
source device must have either ports or VLANs as RSPAN sources. The destination is always a physical port,
as shown on Device C in the figure.
Figure 9: Example of RSPAN Configuration
Related Topics
Creating an RSPAN Source Session, on page 110
Creating an RSPAN Destination Session, on page 114
Creating an RSPAN Destination Session and Configuring Incoming Traffic, on page 116
Examples: Creating an RSPAN VLAN, on page 126
SPAN and RSPAN Concepts and Terminology
• SPAN Sessions
• Monitored Traffic
• Source Ports
• Source VLANs
• VLAN Filtering
• Destination Port
• RSPAN VLAN
SPAN Sessions
SPAN sessions (local or remote) allow you to monitor traffic on one or more ports, or one or more VLANs,
and send the monitored traffic to one or more destination ports.
A local SPAN session is an association of a destination port with source ports or source VLANs, all on a
single network device. Local SPAN does not have separate source and destination sessions. Local SPAN
sessions gather a set of ingress and egress packets specified by the user and form them into a stream of SPAN
data, which is directed to the destination port.
RSPAN consists of at least one RSPAN source session, an RSPAN VLAN, and at least one RSPAN destination
session. You separately configure RSPAN source sessions and RSPAN destination sessions on different
network devices. To configure an RSPAN source session on a device, you associate a set of source ports or
source VLANs with an RSPAN VLAN. The output of this session is the stream of SPAN packets that are
sent to the RSPAN VLAN. To configure an RSPAN destination session on another device, you associate the
destination port with the RSPAN VLAN. The destination session collects all RSPAN VLAN traffic and sends
it out the RSPAN destination port.
An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is
directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed
over normal trunk ports to the destination device.
An RSPAN destination session takes all packets received on the RSPAN VLAN, strips off the VLAN tagging,
and presents them on the destination port. The session presents a copy of all RSPAN VLAN packets (except
Layer 2 control packets) to the user for analysis.
Traffic monitoring in a SPAN session has these restrictions:
• Sources can be ports or VLANs, but you cannot mix source ports and source VLANs in the same session.
• You can run both a local SPAN and an RSPAN source session in the same device or device stack. The
device or device stack supports a total of 66 source and RSPAN destination sessions.
• You can configure two separate SPAN or RSPAN source sessions with separate or overlapping sets of
SPAN source ports and VLANs. Both switched and routed ports can be configured as SPAN sources
and destinations.
• You can have multiple destination ports in a SPAN session, but no more than 64 destination ports per
device stack.
• SPAN sessions do not interfere with the normal operation of the device. However, an oversubscribed
SPAN destination, for example, a 10-Mb/s port monitoring a 100-Mb/s port, can result in dropped or
lost packets.
• When SPAN or RSPAN is enabled, each packet being monitored is sent twice, once as normal traffic
and once as a monitored packet. Therefore monitoring a large number of ports or VLANs could potentially
generate large amounts of network traffic.
• You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active
unless you enable the destination port and at least one source port or VLAN for that session.
• The device does not support a combination of local SPAN and RSPAN in a single session.
◦An RSPAN source session cannot have a local destination port.
◦An RSPAN destination session cannot have a local source port.
◦An RSPAN destination session and an RSPAN source session that are using the same RSPAN
VLAN cannot run on the same device or device stack.
Related Topics
Creating a Local SPAN Session, on page 101
Creating a Local SPAN Session and Configuring Incoming Traffic, on page 104
Example: Configuring Local SPAN, on page 125
Monitored Traffic
SPAN sessions can monitor these traffic types:
• Receive (Rx) SPAN—Receive (or ingress) SPAN monitors as much as possible all of the packets received
by the source interface or VLAN before any modification or processing is performed by the device. A
copy of each packet received by the source is sent to the destination port for that SPAN session.
Packets that are modified because of routing or Quality of Service (QoS)—for example, modified
Differentiated Services Code Point (DSCP)—are copied before modification.
Features that can cause a packet to be dropped during receive processing have no effect on ingress SPAN;
the destination port receives a copy of the packet even if the actual incoming packet is dropped. These
features include IP standard and extended input Access Control Lists (ACLs), ingress QoS policing,
VLAN ACLs, and egress QoS policing.
• Transmit (Tx) SPAN—Transmit (or egress) SPAN monitors as much as possible all of the packets sent
by the source interface after all modification and processing is performed by the device. A copy of each
packet sent by the source is sent to the destination port for that SPAN session. The copy is provided
after the packet is modified.
Packets that are modified because of routing (for example, with modified time-to-live (TTL), MAC
address, or QoS values) are duplicated (with the modifications) at the destination port.
Features that can cause a packet to be dropped during transmit processing also affect the duplicated copy
for SPAN. These features include IP standard and extended output ACLs and egress QoS policing.
• Both—In a SPAN session, you can also monitor a port or VLAN for both received and sent packets.
This is the default.
The default configuration for local SPAN session ports is to send all packets untagged. However, when you
enter the encapsulation replicate keywords while configuring a destination port, these changes occur:
• Packets are sent on the destination port with the same encapsulation (untagged or IEEE 802.1Q) that
they had on the source port.
• Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.
Therefore, a local SPAN session with encapsulation replicate enabled can have a mixture of untagged and
IEEE 802.1Q tagged packets appear on the destination port.
Device congestion can cause packets to be dropped at ingress source ports, egress source ports, or SPAN
destination ports. In general, these characteristics are independent of one another. For example:
• A packet might be forwarded normally but dropped from monitoring due to an oversubscribed SPAN
destination port.
• An ingress packet might be dropped from normal forwarding, but still appear on the SPAN destination
port.
• An egress packet dropped because of device congestion is also dropped from egress SPAN.
In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination
port. For example, a bidirectional (both Rx and Tx) SPAN session is configured for the Rx monitor on port
A and Tx monitor on port B. If a packet enters the device through port A and is switched to port B, both
incoming and outgoing packets are sent to the destination port. Both packets are the same unless a Layer 3
rewrite occurs, in which case the packets are different because of the packet modification.
Source Ports
A source port (also called a monitored port) is a switched or routed port that you monitor for network traffic
analysis.
In a local SPAN session or RSPAN source session, you can monitor source ports or VLANs for traffic in one
or both directions.
The device supports any number of source ports (up to the maximum number of available ports on the device)
and any number of source VLANs (up to the maximum number of VLANs supported).
However, the device supports a maximum of two sessions (local or RSPAN) with source ports or VLANs.
You cannot mix ports and VLANs in a single session.
A source port has these characteristics:
• It can be monitored in multiple SPAN sessions.
• Each source port can be configured with a direction (ingress, egress, or both) to monitor.
• It can be any port type (for example, EtherChannel, Gigabit Ethernet, and so forth).
• For EtherChannel sources, you can monitor traffic for the entire EtherChannel or individually on a
physical port as it participates in the port channel.
• It can be an access port, trunk port, routed port, or voice VLAN port.
• It cannot be a destination port.
• Source ports can be in the same or different VLANs.
• You can monitor multiple source ports in a single session.
Source VLANs
VLAN-based SPAN (VSPAN) is the monitoring of the network traffic in one or more VLANs. The SPAN
or RSPAN source interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports for that VLAN.
VSPAN has these characteristics:
• All active ports in the source VLAN are included as source ports and can be monitored in either or both
directions.
• On a given port, only traffic on the monitored VLAN is sent to the destination port.
• If a destination port belongs to a source VLAN, it is excluded from the source list and is not monitored.
• If ports are added to or removed from the source VLANs, the traffic on the source VLAN received by
those ports is added to or removed from the sources being monitored.
• You cannot use filter VLANs in the same session with VLAN sources.
• You can monitor only Ethernet VLANs.
VLAN Filtering
When you monitor a trunk port as a source port, by default, all VLANs active on the trunk are monitored.
You can limit SPAN traffic monitoring on trunk source ports to specific VLANs by using VLAN filtering.
• VLAN filtering applies only to trunk ports or to voice VLAN ports.
• VLAN filtering applies only to port-based sessions and is not allowed in sessions with VLAN sources.
• When a VLAN filter list is specified, only those VLANs in the list are monitored on trunk ports or on
voice VLAN access ports.
• SPAN traffic coming from other port types is not affected by VLAN filtering; that is, all VLANs are
allowed on other ports.
• VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the
switching of normal traffic.
Destination Port
Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring
port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user,
usually a network analyzer.
A destination port has these characteristics:
• For a local SPAN session, the destination port must reside on the same device or device stack as the
source port. For an RSPAN session, it is located on the device containing the RSPAN destination session.
There is no destination port on a device or device stack running only an RSPAN source session.
• When a port is configured as a SPAN destination port, the configuration overwrites the original port
configuration. When the SPAN destination configuration is removed, the port reverts to its previous
configuration. If a configuration change is made to the port while it is acting as a SPAN destination port,
the change does not take effect until the SPAN destination configuration has been removed.
Note: When QoS is configured on the SPAN destination port, QoS takes effect immediately.
• If the port was in an EtherChannel group, it is removed from the group while it is a destination port. If
it was a routed port, it is no longer a routed port.
• It can be any Ethernet physical port.
• It cannot be a secure port.
• It cannot be a source port.
• It can participate in only one SPAN session at a time (a destination port in one SPAN session cannot be
a destination port for a second SPAN session).
• When it is active, incoming traffic is disabled. The port does not transmit any traffic except that required
for the SPAN session. Incoming traffic is never learned or forwarded on a destination port.
• If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic
at Layer 2.
• It does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PAgP).
• A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list
and is not monitored.
• The maximum number of destination ports in a device or device stack is 64.
Local SPAN and RSPAN destination ports function differently with VLAN tagging and encapsulation:
• For local SPAN, if the encapsulation replicate keywords are specified for the destination port, these
packets appear with the original encapsulation (untagged, ISL, or IEEE 802.1Q). If these keywords are
not specified, packets appear in the untagged format. Therefore, the output of a local SPAN session with
encapsulation replicate enabled can contain a mixture of untagged, ISL, or IEEE 802.1Q-tagged packets.
• For RSPAN, the original VLAN ID is lost because it is overwritten by the RSPAN VLAN identification.
Therefore, all packets appear on the destination port as untagged.
RSPAN VLAN
The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions. RSPAN VLAN
has these special characteristics:
• All traffic in the RSPAN VLAN is always flooded.
• No MAC address learning occurs on the RSPAN VLAN.
• RSPAN VLAN traffic only flows on trunk ports.
• RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN
configuration mode command.
• STP can run on RSPAN VLAN trunks but not on SPAN destination ports.
• An RSPAN VLAN cannot be a private-VLAN primary or secondary VLAN.
For VLANs 1 to 1005 that are visible to VLAN Trunking Protocol (VTP), the VLAN ID and its associated
RSPAN characteristic are propagated by VTP. If you assign an RSPAN VLAN ID in the extended VLAN
range (1006 to 4094), you must manually configure all intermediate devices.
It is normal to have multiple RSPAN VLANs in a network at the same time with each RSPAN VLAN defining
a network-wide RSPAN session. That is, multiple RSPAN source sessions anywhere in the network can
contribute packets to the RSPAN session. It is also possible to have multiple RSPAN destination sessions
throughout the network, monitoring the same RSPAN VLAN and presenting traffic to the user. The RSPAN
VLAN ID separates the sessions.
Related Topics
Creating an RSPAN Source Session, on page 110
Creating an RSPAN Destination Session, on page 114
Creating an RSPAN Destination Session and Configuring Incoming Traffic, on page 116
Examples: Creating an RSPAN VLAN, on page 126
SPAN and RSPAN Interaction with Other Features
SPAN interacts with these features:
• Routing—SPAN does not monitor routed traffic. VSPAN only monitors traffic that enters or exits the
device, not traffic that is routed between VLANs. For example, if a VLAN is being Rx-monitored and
the device routes traffic from another VLAN to the monitored VLAN, that traffic is not monitored and
not received on the SPAN destination port.
• STP—A destination port does not participate in STP while its SPAN or RSPAN session is active. The
destination port can participate in STP after the SPAN or RSPAN session is disabled. On a source port,
SPAN does not affect the STP status. STP can be active on trunk ports carrying an RSPAN VLAN.
• CDP—A SPAN destination port does not participate in CDP while the SPAN session is active. After
the SPAN session is disabled, the port again participates in CDP.
• VTP—You can use VTP to prune an RSPAN VLAN between devices.
• VLAN and trunking—You can modify VLAN membership or trunk settings for source or destination
ports at any time. However, changes in VLAN membership or trunk settings for a destination port do
not take effect until you remove the SPAN destination configuration. Changes in VLAN membership
or trunk settings for a source port immediately take effect, and the respective SPAN sessions automatically
adjust accordingly.
• EtherChannel—You can configure an EtherChannel group as a source port a SPAN destination port.
When a group is configured as a SPAN source, the entire group is monitored.
If a physical port is added to a monitored EtherChannel group, the new port is added to the SPAN source
port list. If a port is removed from a monitored EtherChannel group, it is automatically removed from
the source port list.
A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and
still be a part of the EtherChannel. In this case, data from the physical port is monitored as it participates
in the EtherChannel. However, if a physical port that belongs to an EtherChannel group is configured
as a SPAN destination, it is removed from the group. After the port is removed from the SPAN session,
it rejoins the EtherChannel group. Ports removed from an EtherChannel group remain members of the
group, but they are in the inactive or suspended state.
If a physical port that belongs to an EtherChannel group is a destination port and the EtherChannel group
is a source, the port is removed from the EtherChannel group and from the list of monitored ports.
• Multicast traffic can be monitored. For egress and ingress port monitoring, only a single unedited packet
is sent to the SPAN destination port. It does not reflect the number of times the multicast packet is sent.
• A private-VLAN port cannot be a SPAN destination port.
• A secure port cannot be a SPAN destination port.
For SPAN sessions, do not enable port security on ports with monitored egress when ingress forwarding
is enabled on the destination port. For RSPAN source sessions, do not enable port security on any ports
with monitored egress.
• An IEEE 802.1x port can be a SPAN source port. You can enable IEEE 802.1x on a port that is a SPAN
destination port; however, IEEE 802.1x is disabled until the port is removed as a SPAN destination.
For SPAN sessions, do not enable IEEE 802.1x on ports with monitored egress when ingress forwarding
is enabled on the destination port. For RSPAN source sessions, do not enable IEEE 802.1x on any ports
that are egress monitored.
SPAN and RSPAN and Device Stacks
Because the stack of devices represents one logical device, local SPAN source ports and destination ports can
be in different devices in the stack. Therefore, the addition or deletion of devices in the stack can affect a local
SPAN session, as well as an RSPAN source or destination session. An active session can become inactive
when a device is removed from the stack or an inactive session can become active when a device is added to
the stack.
Flow-Based SPAN
You can control the type of network traffic to be monitored in SPAN or RSPAN sessions by using flow-based
SPAN (FSPAN) or flow-based RSPAN (FRSPAN), which apply access control lists (ACLs) to the monitored
traffic on the source ports. The FSPAN ACLs can be configured to filter IPv4, IPv6, and non-IP monitored
traffic.
You apply an ACL to a SPAN session through the interface. It is applied to all the traffic that is monitored
on all interfaces in the SPAN session. The packets that are permitted by this ACL are copied to the SPAN
destination port. No other packets are copied to the SPAN destination port.
The original traffic continues to be forwarded, and any port, VLAN, and router ACLs attached are applied.
The FSPAN ACL does not have any effect on the forwarding decisions. Similarly, the port, VLAN, and router
ACLs do not have any effect on the traffic monitoring. If a security input ACL denies a packet and it is not
forwarded, the packet is still copied to the SPAN destination ports if the FSPAN ACL permits it. But if the
security output ACL denies a packet and it is not sent, it is not copied to the SPAN destination ports. However,
if the security output ACL permits the packet to go out, it is only copied to the SPAN destination ports if the
FSPAN ACL permits it. This is also true for an RSPAN session.
You can attach three types of FSPAN ACLs to the SPAN session:
• IPv4 FSPAN ACL—Filters only IPv4 packets.
• IPv6 FSPAN ACL—Filters only IPv6 packets.
• MAC FSPAN ACL—Filters only non-IP packets.
If a VLAN-based FSPAN session configured on a stack cannot fit in the hardware memory on one or more
devices, it is treated as unloaded on those devices, and traffic meant for the FSPAN ACL and sourcing on
that device is not copied to the SPAN destination ports. The FSPAN ACL continues to be correctly applied,
and traffic is copied to the SPAN destination ports on the devices where the FSPAN ACL fits in the hardware
memory.
When an empty FSPAN ACL is attached, some hardware functions copy all traffic to the SPAN destination
ports for that ACL. If sufficient hardware resources are not available, even an empty FSPAN ACL can be
unloaded.
IPv4 and MAC FSPAN ACLs are supported on all feature sets. IPv6 FSPAN ACLs are supported only in the
advanced IP Services feature set.
Related Topics
Configuring an FSPAN Session, on page 119
Configuring an FRSPAN Session, on page 121
Default SPAN and RSPAN Configuration
Table 8: Default SPAN and RSPAN Configuration
Feature | Default Setting
SPAN state (SPAN and RSPAN) | Disabled.
Source port traffic to monitor | Both received and sent traffic (both).
Encapsulation type (destination port) | Native form (untagged packets).
Ingress forwarding (destination port) | Disabled.
VLAN filtering | On a trunk interface used as a source port, all VLANs are monitored.
RSPAN VLANs | None configured.
Configuration Guidelines
SPAN Configuration Guidelines
• To remove a source or destination port or VLAN from the SPAN session, use the no monitor session
session_number source {interface interface-id | vlan vlan-id} global configuration command or the no
monitor session session_number destination interface interface-id global configuration command.
For destination interfaces, the encapsulation options are ignored with the no form of the command.
• To monitor all VLANs on the trunk port, use the no monitor session session_number filter global
configuration command.
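The session restrictions stated in this chapter (session numbers 1 to 66, no mixing of source ports and source VLANs, no filter VLANs with VLAN sources, a destination port that is physical, is not a source port and belongs to one session only, at most 64 destination ports) can be checked mechanically against a saved running configuration. The following audit script is an added example, not code from the guide or from Cisco; the function names and the sample configuration are constructed for illustration, and the `filter vlan` line uses standard IOS syntax that this part of the guide does not spell out.

```python
import re
from collections import defaultdict

# Constructed sample of monitor lines from a running configuration (not from the guide).
SAMPLE_CONFIG = """\
monitor session 1 source interface Gi1/0/1 , Gi1/0/3 both
monitor session 1 source vlan 10 rx
monitor session 1 destination interface Gi1/0/24 encapsulation replicate
monitor session 2 source vlan 20 , 30
monitor session 2 filter vlan 20
monitor session 2 destination interface Gi1/0/24
monitor session 3 source interface Gi1/0/5 tx
monitor session 3 destination interface Port-channel1
monitor session 4 source interface Gi1/0/7 - 9 rx
monitor session 4 destination interface Gi1/0/7
monitor session 70 source interface Gi1/0/2
"""

LINE_RE = re.compile(
    r"^monitor session (\d+) (source|destination|filter) (interface|vlan) (.+)$", re.I)
TRAILING_KEYWORDS = {"both", "rx", "tx", "encapsulation", "replicate"}


def expand(items):
    """Expand 'Gi1/0/1 , Gi1/0/7 - 9' (or '20 , 30 - 32') into single lowercase names."""
    names = []
    for part in items.split(","):
        part = part.strip().lower()
        if " - " in part:
            first, last = (p.strip() for p in part.split(" - ", 1))
            stem, start = re.match(r"^(.*?)(\d+)$", first).groups()
            end = int(re.search(r"(\d+)$", last).group(1))
            names += [f"{stem}{n}" for n in range(int(start), end + 1)]
        elif part:
            names.append(part)
    return names


def parse(config):
    """Group source ports, source VLANs, destinations and filter VLANs per session."""
    sessions = defaultdict(
        lambda: {"src_if": [], "src_vlan": [], "dst_if": [], "filter": []})
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        num, role, kind = int(m.group(1)), m.group(2).lower(), m.group(3).lower()
        tokens = m.group(4).split()
        # Drop the direction or encapsulation keywords that follow the list.
        while tokens and tokens[-1].lower() in TRAILING_KEYWORDS:
            tokens.pop()
        if role == "source":
            key = "src_if" if kind == "interface" else "src_vlan"
        else:
            key = "dst_if" if role == "destination" else "filter"
        sessions[num][key] += expand(" ".join(tokens))
    return sessions


def lint(config):
    """Return one finding per violated restriction, ordered by session number."""
    sessions = parse(config)
    all_sources = {p for s in sessions.values() for p in s["src_if"]}
    dst_owner, findings = {}, []
    for num in sorted(sessions):
        s = sessions[num]
        if not 1 <= num <= 66:
            findings.append(f"session {num}: session number outside 1-66")
        if s["src_if"] and s["src_vlan"]:
            findings.append(f"session {num}: mixes source ports and source VLANs")
        if s["src_vlan"] and s["filter"]:
            findings.append(f"session {num}: filter VLANs combined with VLAN sources")
        for port in s["dst_if"]:
            if port.startswith("po"):  # port-channel logical interface
                findings.append(f"session {num}: destination {port} is an EtherChannel")
            if port in all_sources:
                findings.append(f"session {num}: destination {port} is also a source port")
            if port in dst_owner:
                findings.append(f"session {num}: destination {port} "
                                f"already belongs to session {dst_owner[port]}")
            dst_owner.setdefault(port, num)
    if len(dst_owner) > 64:
        findings.append(f"{len(dst_owner)} destination ports exceed the limit of 64")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Interface names are compared as written, so abbreviated and full forms (Gi1/0/1 and GigabitEthernet1/0/1) should be normalized before a real configuration is audited.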
Related Topics
Creating a Local SPAN Session, on page 101
Creating a Local SPAN Session and Configuring Incoming Traffic, on page 104
Example: Configuring Local SPAN, on page 125
RSPAN Configuration Guidelines
• All the SPAN configuration guidelines apply to RSPAN.
• As RSPAN VLANs have special properties, you should reserve a few VLANs across your network for
use as RSPAN VLANs; do not assign access ports to these VLANs.
• You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets. Specify
these ACLs on the RSPAN VLAN in the RSPAN source devices.
• For RSPAN configuration, you can distribute the source ports and the destination ports across multiple
devices in your network.
• Access ports (including voice VLAN ports) on the RSPAN VLAN are put in the inactive state.
• You can configure any VLAN as an RSPAN VLAN as long as these conditions are met:
◦The same RSPAN VLAN is used for an RSPAN session in all the devices.
◦All participating devices support RSPAN.
Related Topics
Creating an RSPAN Source Session, on page 110
Creating an RSPAN Destination Session, on page 114
Creating an RSPAN Destination Session and Configuring Incoming Traffic, on page 116
Examples: Creating an RSPAN VLAN, on page 126
FSPAN and FRSPAN Configuration Guidelines
• When at least one FSPAN ACL is attached, FSPAN is enabled.
• When you attach at least one FSPAN ACL that is not empty to a SPAN session, and you have not
attached one or more of the other FSPAN ACLs (for instance, you have attached an IPv4 ACL that is
not empty, and have not attached IPv6 and MAC ACLs), FSPAN blocks the traffic that would have
been filtered by the unattached ACLs. Therefore, this traffic is not monitored.
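The Flow-Based SPAN section and the guideline above together determine which packets a sensor on the destination port actually sees, including the case where an unattached ACL type silently removes a whole protocol family from the capture. The following model is an added example, not code from the guide or from Cisco; the function names, the simplified source-only ACL entries and the addresses are constructed, and two points are modelling assumptions: an attached empty ACL copies all traffic of its type, and unattached types are blocked only when some attached ACL is not empty.

```python
import ipaddress

FAMILIES = ("ipv4", "ipv6", "mac")  # "mac" stands for non-IP traffic

# Constructed scenario (addresses are examples, not from the guide).
FSPAN_V4_ONLY = {"ipv4": [("permit", "10.1.0.0/16")]}      # only an IPv4 FSPAN ACL attached
PORT_ACL = [("deny", "10.1.5.0/24"), ("permit", "any")]   # security ACL on the source port


def acl_permits(acl, pkt):
    """First-match evaluation of (action, match) entries with an implicit deny."""
    for action, match in acl:
        if match == "any":
            hit = True
        elif pkt["family"] == "mac":
            hit = pkt["src"].lower() == match.lower()
        else:
            hit = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(match)
        if hit:
            return action == "permit"
    return False


def span_copy(pkt, direction, fspan, in_acl=None, out_acl=None):
    """Return (forwarded, copied) for one packet on a monitored source port.

    fspan maps a family to its attached FSPAN ACL; a missing key means that
    ACL type is not attached. in_acl and out_acl are the security ACLs on
    the port, or None when none is applied.
    """
    # Forwarding depends on the security ACLs only; the FSPAN ACL never changes it.
    security = in_acl if direction == "rx" else out_acl
    forwarded = True if security is None else acl_permits(security, pkt)
    # Egress: a packet the output ACL denies is never sent, so it is never copied.
    # Ingress: the copy is taken even when the input ACL drops the packet.
    if direction == "tx" and not forwarded:
        return forwarded, False
    if not fspan:
        return forwarded, True            # FSPAN disabled: plain SPAN behaviour
    acl = fspan.get(pkt["family"])
    if acl is None:
        # Assumption: unattached types are blocked only if an attached ACL is non-empty.
        return forwarded, not any(fspan.values())
    if not acl:
        return forwarded, True            # Assumption: attached empty ACL copies everything
    return forwarded, acl_permits(acl, pkt)


def blind_spots(fspan):
    """Protocol families that never reach the sensor with this set of attached ACLs."""
    if not any(fspan.values()):
        return []
    return [family for family in FAMILIES if family not in fspan]


if __name__ == "__main__":
    dropped = {"family": "ipv4", "src": "10.1.5.9"}
    print(span_copy(dropped, "rx", FSPAN_V4_ONLY, in_acl=PORT_ACL))
    print(span_copy(dropped, "tx", FSPAN_V4_ONLY, out_acl=PORT_ACL))
    print(blind_spots(FSPAN_V4_ONLY))
```

For an analyst, the first case matters when reading captures: an ingress copy on the sensor does not prove the packet was forwarded.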
Related Topics
Configuring an FSPAN Session, on page 119
Configuring an FRSPAN Session, on page 121
How to Configure SPAN and RSPAN
Creating a Local SPAN Session
Follow these steps to create a SPAN session and specify the source (monitored) ports or VLANs and the
destination (monitoring) ports.
SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session {session_number | all | local | remote}
4. monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
5. monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
6. end
7. show running-config
8. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters the global configuration mode.
Step 3
Command or Action: no monitor session {session_number | all | local | remote}
Example:
Device(config)# no monitor session all
Purpose: Removes any existing SPAN configuration for the session.
• For session_number, the range is 1 to 66.
• all—Removes all SPAN sessions.
• local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Step 4
Command or Action: monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
Example:
Device(config)# monitor session 1 source interface gigabitethernet1/0/1
Purpose: Specifies the SPAN session and the source port (monitored port).
• For session_number, the range is 1 to 66.
• For interface-id, specify the source port to monitor. Valid interfaces include physical interfaces
and port-channel logical interfaces (port-channel port-channel-number). Valid port-channel numbers are
1 to 48.
• For vlan-id, specify the source VLAN to monitor. The range is 1 to 4094 (excluding the RSPAN VLAN).
Note: A single session can include multiple sources (ports or VLANs) defined in a series of commands,
but you cannot combine source ports and source VLANs in one session.
• (Optional) [, | -] Specifies a series or range of interfaces. Enter a space before and after the
comma; enter a space before and after the hyphen.
• (Optional) both | rx | tx—Specifies the direction of traffic to monitor. If you do not specify a
traffic direction, the source interface sends both sent and received traffic.
◦both—Monitors both received and sent traffic.
◦rx—Monitors received traffic.
◦tx—Monitors sent traffic.
Note: You can use the monitor session session_number source command multiple times to configure
multiple source ports.
Step 5
Command or Action: monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
Example:
Device(config)# monitor session 1 destination interface gigabitethernet1/0/2 encapsulation replicate
Purpose: Specifies the SPAN session and the destination port (monitoring port).
Note: For local SPAN, you must use the same session number for the source and destination interfaces.
• For session_number, specify the session number entered in step 4.
• For interface-id, specify the destination port. The destination interface must be a physical port;
it cannot be an EtherChannel, and it cannot be a VLAN.
• (Optional) [, | -] Specifies a series or range of interfaces. Enter a space before and after the
comma; enter a space before and after the hyphen.
• (Optional) encapsulation replicate specifies that the destination interface replicates the source
interface encapsulation method. If not selected, the default is to send packets in native form (untagged).
Note: You can use monitor session session_number destination command multiple times to configure
multiple destination ports.
Step 6
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.
Step 7
Command or Action: show running-config
Example:
Device# show running-config
Purpose: Verifies your entries.
Network Management Configuration Guide, Cisco IOS XE Everest 16.5.1a (Catalyst 9300 Switches)
103
Configuring SPAN and RSPAN
Creating a Local SPAN Session and Configuring Incoming Traffic
Step 8
Command or Action
Purpose
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config
startup-config
Related Topics
Local SPAN, on page 90
SPAN Sessions, on page 93
SPAN Configuration Guidelines, on page 100
Creating a Local SPAN Session and Configuring Incoming Traffic
Follow these steps to create a SPAN session, to specify the source ports or VLANs and the destination ports,
and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS
Sensor Appliance).
SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session {session_number | all | local | remote}
4. monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
5. monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]
[ingress {dot1q vlan vlan-id | untagged vlan vlan-id | vlan vlan-id}]}
6. end
7. show running-config
8. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
no monitor session {session_number | all | local | remote}
Removes any existing SPAN configuration for the session.
• For session_number, the range is 1 to 66.
• all—Removes all SPAN sessions.
• local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Example:
Device(config)# no monitor session all
Step 4
monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
Specifies the SPAN session and the source port (monitored port).
Example:
Device(config)# monitor session 2 source interface gigabitethernet1/0/1 rx
Step 5
monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]
[ingress {dot1q vlan vlan-id | untagged vlan vlan-id | vlan vlan-id}]}
Specifies the SPAN session, the destination port, the packet encapsulation, and the ingress VLAN and
encapsulation.
• For session_number, specify the session number entered in Step 4.
• For interface-id, specify the destination port. The destination interface must be a physical port;
it cannot be an EtherChannel, and it cannot be a VLAN.
• (Optional) [, | -]—Specifies a series or range of interfaces. Enter a space before and after the
comma or hyphen.
• (Optional) encapsulation replicate specifies that the destination interface replicates the source
interface encapsulation method. If not selected, the default is to send packets in native form
(untagged).
• ingress enables forwarding of incoming traffic on the destination port and specifies the
encapsulation type:
◦dot1q vlan vlan-id—Accepts incoming packets with IEEE 802.1Q encapsulation with the specified VLAN
as the default VLAN.
◦untagged vlan vlan-id or vlan vlan-id—Accepts incoming packets with untagged encapsulation type
with the specified VLAN as the default VLAN.
Example:
Device(config)# monitor session 2 destination interface gigabitethernet1/0/2 encapsulation replicate ingress dot1q vlan 6
Step 6
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 7
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 8
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Related Topics
Local SPAN, on page 90
SPAN Sessions, on page 93
SPAN Configuration Guidelines, on page 100
Example: Configuring Local SPAN, on page 125
Specifying VLANs to Filter
Follow these steps to limit SPAN source traffic to specific VLANs.
SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session {session_number | all | local | remote}
4. monitor session session_number source interface interface-id
5. monitor session session_number filter vlan vlan-id [, | -]
6. monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
7. end
8. show running-config
9. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
no monitor session {session_number | all | local | remote}
Removes any existing SPAN configuration for the session.
• For session_number, the range is 1 to 66.
• all—Removes all SPAN sessions.
• local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Example:
Device(config)# no monitor session all
Step 4
monitor session session_number source interface interface-id
Specifies the characteristics of the source port (monitored port) and SPAN session.
• For session_number, the range is 1 to 66.
• For interface-id, specify the source port to monitor. The interface specified must already be
configured as a trunk port.
Example:
Device(config)# monitor session 2 source interface gigabitethernet1/0/2 rx
Step 5
monitor session session_number filter vlan vlan-id [, | -]
Limits the SPAN source traffic to specific VLANs.
• For session_number, enter the session number specified in Step 4.
• For vlan-id, the range is 1 to 4094.
• (Optional) Use a comma (,) to specify a series of VLANs, or use a hyphen (-) to specify a range of
VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.
Example:
Device(config)# monitor session 2 filter vlan 1 - 5 , 9
Step 6
monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
Specifies the SPAN session and the destination port (monitoring port).
• For session_number, specify the session number entered in Step 4.
• For interface-id, specify the destination port. The destination interface must be a physical port;
it cannot be an EtherChannel, and it cannot be a VLAN.
• (Optional) [, | -] Specifies a series or range of interfaces. Enter a space before and after the
comma; enter a space before and after the hyphen.
• (Optional) encapsulation replicate specifies that the destination interface replicates the source
interface encapsulation method. If not selected, the default is to send packets in native form
(untagged).
Example:
Device(config)# monitor session 2 destination interface gigabitethernet1/0/1
Step 7
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 8
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 9
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Configuring a VLAN as an RSPAN VLAN
Follow these steps to create a new VLAN, then configure it to be the RSPAN VLAN for the RSPAN session.
SUMMARY STEPS
1. enable
2. configure terminal
3. vlan vlan-id
4. remote-span
5. end
6. show running-config
7. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if
prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
vlan vlan-id
Enters a VLAN ID to create a VLAN, or enters the VLAN ID of an existing VLAN, and enters VLAN
configuration mode. The range is 2 to 1001 and 1006 to 4094.
The RSPAN VLAN cannot be VLAN 1 (the default VLAN) or VLAN IDs 1002 through 1005 (reserved for
Token Ring and FDDI VLANs).
Example:
Device(config)# vlan 100
Step 4
remote-span
Configures the VLAN as an RSPAN VLAN.
Example:
Device(config-vlan)# remote-span
Step 5
end
Returns to privileged EXEC mode.
Example:
Device(config-vlan)# end
Step 6
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 7
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
What to Do Next
You must create the RSPAN VLAN in all devices that will participate in RSPAN. If the RSPAN VLAN-ID
is in the normal range (lower than 1005) and VTP is enabled in the network, you can create the RSPAN VLAN
in one device, and VTP propagates it to the other devices in the VTP domain. For extended-range VLANs
(greater than 1005), you must configure RSPAN VLAN on both source and destination devices and any
intermediate devices.
Use VTP pruning to get an efficient flow of RSPAN traffic, or manually delete the RSPAN VLAN from all
trunks that do not need to carry the RSPAN traffic.
To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN, use the no
remote-span VLAN configuration command.
To remove a source port or VLAN from the SPAN session, use the no monitor session session_number
source {interface interface-id | vlan vlan-id} global configuration command. To remove the RSPAN VLAN
from the session, use the no monitor session session_number destination remote vlan vlan-id command.
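The "Verifies your entries" step can be backed by an offline check of saved show running-config output against the rules stated in the procedures above: session numbers 1 to 66, no mixing of source ports and source VLANs, physical destination ports only, reserved RSPAN VLAN IDs, and a list of every destination port with ingress enabled. This is an added example, not Cisco code; the sample configuration, function names and finding codes are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `show running-config`; not from a real device.
SAMPLE_CONFIG = """\
vlan 100
 remote-span
!
vlan 1003
 remote-span
!
monitor session 1 source interface GigabitEthernet1/0/1
monitor session 1 filter vlan 1 - 5 , 9
monitor session 1 destination interface GigabitEthernet1/0/2 encapsulation replicate
monitor session 2 source interface GigabitEthernet1/0/3 rx
monitor session 2 source vlan 20
monitor session 2 destination interface GigabitEthernet1/0/4 ingress dot1q vlan 6
monitor session 3 source vlan 100
monitor session 3 destination interface Port-channel5
monitor session 70 source interface GigabitEthernet1/0/5
monitor session 70 destination remote vlan 100
"""

MONITOR_RE = re.compile(r"^monitor session (\d+) (source|destination|filter) (.+)$")
RESERVED_VLANS = {1, 1002, 1003, 1004, 1005}  # the guide forbids these as RSPAN VLANs


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1 - 5 , 9' into a set of integers."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse(config):
    """Return (rspan_vlans, sessions) extracted from running-config text."""
    rspan_vlans, current_vlan = set(), None
    sessions = defaultdict(lambda: {"src_if": [], "src_vlan": set(), "filter_vlan": set(),
                                    "dst_if": [], "remote_vlan": set(), "ingress": []})
    for raw in config.splitlines():
        line = raw.strip()
        if re.fullmatch(r"vlan \d+", raw.rstrip()):
            current_vlan = int(line.split()[1])
            continue
        if raw.startswith(" "):  # sub-mode line; only remote-span matters here
            if line == "remote-span" and current_vlan is not None:
                rspan_vlans.add(current_vlan)
            continue
        current_vlan = None
        m = MONITOR_RE.match(line)
        if not m:
            continue
        s, role, rest = sessions[int(m.group(1))], m.group(2), m.group(3)
        rest = re.sub(r"\s+(both|rx|tx)$", "", rest)  # traffic direction is not audited
        if rest.startswith("remote vlan "):
            s["remote_vlan"].add(int(rest.split()[2]))
        elif role == "filter" and rest.startswith("vlan "):
            s["filter_vlan"] |= expand_vlans(rest[5:])
        elif role == "source" and rest.startswith("vlan "):
            s["src_vlan"] |= expand_vlans(rest[5:])
        elif role == "source" and rest.startswith("interface "):
            s["src_if"].append(rest[10:])
        elif role == "destination" and rest.startswith("interface "):
            ports, has_ingress, ingress = rest[10:].partition(" ingress ")
            ports = ports.replace(" encapsulation replicate", "")
            s["dst_if"] += [p.strip() for p in ports.split(",")]
            if has_ingress:
                s["ingress"].append(ingress)
    return rspan_vlans, sessions


def audit(config):
    """Return (session, code, detail) findings for the rules stated in the guide."""
    rspan_vlans, sessions = parse(config)
    findings = [(None, "reserved-rspan-vlan", f"VLAN {v} is marked remote-span")
                for v in sorted(rspan_vlans & RESERVED_VLANS)]
    for num, s in sorted(sessions.items()):
        def add(code, detail):
            findings.append((num, code, detail))
        if not 1 <= num <= 66:
            add("session-range", "session number must be 1 to 66")
        if s["src_if"] and s["src_vlan"]:
            add("mixed-sources", "source ports and source VLANs in one session")
        if any(not 1 <= v <= 4094 for v in s["src_vlan"] | s["filter_vlan"]):
            add("vlan-range", "VLAN ID outside 1 to 4094")
        for v in sorted(s["src_vlan"] & rspan_vlans):
            add("rspan-vlan-as-source", f"source VLAN {v} is an RSPAN VLAN")
        for port in s["dst_if"]:
            if port.lower().startswith(("po", "vl")):  # EtherChannel or VLAN interface
                add("non-physical-destination", port)
        for ingress in s["ingress"]:  # review item: the monitor port also accepts traffic
            add("ingress-enabled", f"destination forwards incoming traffic ({ingress})")
        for v in sorted(s["remote_vlan"] - rspan_vlans):  # may still be learned via VTP
            add("rspan-vlan-undeclared", f"VLAN {v} has no remote-span in this config")
    return findings
```

Calling audit(SAMPLE_CONFIG) returns one tuple per finding. The ingress-enabled and rspan-vlan-undeclared codes are review items rather than rule violations, since ingress is a supported option and an RSPAN VLAN can be propagated by VTP.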
Creating an RSPAN Source Session
Follow these steps to create and start an RSPAN source session and to specify the monitored source and the
destination RSPAN VLAN.
SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session {session_number | all | local | remote}
4. monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
5. monitor session session_number destination remote vlan vlan-id
6. end
7. show running-config
8. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
no monitor session {session_number | all | local | remote}
Removes any existing SPAN configuration for the session.
• For session_number, the range is 1 to 66.
• all—Removes all SPAN sessions.
• local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Example:
Device(config)# no monitor session 1
Step 4
monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
Specifies the RSPAN session and the source port (monitored port).
• For session_number, the range is 1 to 66.
• Enter a source port or source VLAN for the RSPAN session:
◦For interface-id, specifies the source port to monitor. Valid interfaces include physical
interfaces and port-channel logical interfaces (port-channel port-channel-number). Valid
port-channel numbers are 1 to 48.
◦For vlan-id, specifies the source VLAN to monitor. The range is 1 to 4094 (excluding the RSPAN
VLAN).
A single session can include multiple sources (ports or VLANs), defined in a series of commands,
but you cannot combine source ports and source VLANs in one session.
• (Optional) [, | -]—Specifies a series or range of interfaces. Enter a space before and after the
comma; enter a space before and after the hyphen.
• (Optional) both | rx | tx—Specifies the direction of traffic to monitor. If you do not specify a
traffic direction, the source interface sends both sent and received traffic.
◦both—Monitors both received and sent traffic.
◦rx—Monitors received traffic.
◦tx—Monitors sent traffic.
Example:
Device(config)# monitor session 1 source interface gigabitethernet1/0/1 tx
Step 5
monitor session session_number destination remote vlan vlan-id
Specifies the RSPAN session, the destination RSPAN VLAN, and the destination-port group.
• For session_number, enter the number defined in Step 4.
• For vlan-id, specify the source RSPAN VLAN to monitor.
Example:
Device(config)# monitor session 1 destination remote vlan 100
Step 6
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 7
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 8
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Related Topics
Remote SPAN, on page 91
RSPAN VLAN, on page 97
RSPAN Configuration Guidelines, on page 100
Specifying VLANs to Filter
Follow these steps to configure the RSPAN source session to limit RSPAN source traffic to specific VLANs.
SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session {session_number | all | local | remote}
4. monitor session session_number source interface interface-id
5. monitor session session_number filter vlan vlan-id [, | -]
6. monitor session session_number destination remote vlan vlan-id
7. end
8. show running-config
9. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
no monitor session {session_number | all | local | remote}
Removes any existing SPAN configuration for the session.
• For session_number, the range is 1 to 66.
• all—Removes all SPAN sessions.
• local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Example:
Device(config)# no monitor session 2
Step 4
monitor session session_number source interface interface-id
Specifies the characteristics of the source port (monitored port) and SPAN session.
• For session_number, the range is 1 to 66.
• For interface-id, specify the source port to monitor. The interface specified must already be
configured as a trunk port.
Example:
Device(config)# monitor session 2 source interface gigabitethernet1/0/2 rx
Step 5
monitor session session_number filter vlan vlan-id [, | -]
Limits the SPAN source traffic to specific VLANs.
• For session_number, enter the session number specified in step 4.
• For vlan-id, the range is 1 to 4094.
• (Optional) , | - Use a comma (,) to specify a series of VLANs or use a hyphen (-) to specify a
range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.
Example:
Device(config)# monitor session 2 filter vlan 1 - 5 , 9
Step 6
monitor session session_number destination remote vlan vlan-id
Specifies the RSPAN session and the destination remote VLAN (RSPAN VLAN).
• For session_number, enter the session number specified in Step 4.
• For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port.
Example:
Device(config)# monitor session 2 destination remote vlan 902
Step 7
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 8
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 9
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Creating an RSPAN Destination Session
You configure an RSPAN destination session on a different device or device stack; that is, not the device or
device stack on which the source session was configured.
Follow these steps to define the RSPAN VLAN on that device, to create an RSPAN destination session, and
to specify the source RSPAN VLAN and the destination port.
SUMMARY STEPS
1. enable
2. configure terminal
3. vlan vlan-id
4. remote-span
5. exit
6. no monitor session {session_number | all | local | remote}
7. monitor session session_number source remote vlan vlan-id
8. monitor session session_number destination interface interface-id
9. end
10. show running-config
11. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
vlan vlan-id
Specifies the VLAN ID of the RSPAN VLAN created from the source device, and enters VLAN
configuration mode.
If both devices are participating in VTP and the RSPAN VLAN ID is from 2 to 1005, Steps 3 through 5
are not required because the RSPAN VLAN ID is propagated through the VTP network.
Example:
Device(config)# vlan 901
Step 4
remote-span
Identifies the VLAN as the RSPAN VLAN.
Example:
Device(config-vlan)# remote-span
Step 5
exit
Returns to global configuration mode.
Example:
Device(config-vlan)# exit
Step 6
no monitor session {session_number | all | local | remote}
Removes any existing SPAN configuration for the session.
• For session_number, the range is 1 to 66.
• all—Removes all SPAN sessions.
• local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Example:
Device(config)# no monitor session 1
Step 7
monitor session session_number source remote vlan vlan-id
Specifies the RSPAN session and the source RSPAN VLAN.
• For session_number, the range is 1 to 66.
• For vlan-id, specify the source RSPAN VLAN to monitor.
Example:
Device(config)# monitor session 1 source remote vlan 901
Step 8
monitor session session_number destination interface interface-id
Specifies the RSPAN session and the destination interface.
• For session_number, enter the number defined in Step 7.
In an RSPAN destination session, you must use the same session number for the source RSPAN VLAN and
the destination port.
• For interface-id, specify the destination interface. The destination interface must be a physical
interface.
• Though visible in the command-line help string, encapsulation replicate is not supported for
RSPAN. The original VLAN ID is overwritten by the RSPAN VLAN ID, and all packets appear on the
destination port as untagged.
Example:
Device(config)# monitor session 1 destination interface gigabitethernet2/0/1
Step 9
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 10
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 11
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Related Topics
Remote SPAN, on page 91
RSPAN VLAN, on page 97
RSPAN Configuration Guidelines, on page 100
Creating an RSPAN Destination Session and Configuring Incoming Traffic
Follow these steps to create an RSPAN destination session, to specify the source RSPAN VLAN and the
destination port, and to enable incoming traffic on the destination port for a network security device (such as
a Cisco IDS Sensor Appliance).
SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session {session_number | all | local | remote}
4. monitor session session_number source remote vlan vlan-id
5. monitor session session_number destination {interface interface-id [, | -] [ingress {dot1q vlan vlan-id
| untagged vlan vlan-id | vlan vlan-id}]}
6. end
7. show running-config
8. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Device# configure terminal
Step 3
no monitor session {session_number | all | local | remote}
Removes any existing SPAN configuration for the session.
• For session_number, the range is 1 to 66.
• all—Removes all SPAN sessions.
• local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Example:
Device(config)# no monitor session 2
Step 4
monitor session session_number source remote vlan vlan-id
Specifies the RSPAN session and the source RSPAN VLAN.
• For session_number, the range is 1 to 66.
• For vlan-id, specify the source RSPAN VLAN to monitor.
Example:
Device(config)# monitor session 2 source remote vlan 901
Step 5
monitor session session_number destination {interface interface-id [, | -] [ingress {dot1q vlan vlan-id
| untagged vlan vlan-id | vlan vlan-id}]}
Specifies the SPAN session, the destination port, the packet encapsulation, and the incoming VLAN
and encapsulation.
• For session_number, enter the number defined in Step 5.
In an RSPAN destination session, you must use the same session number for the source RSPAN VLAN and
the destination port.
• For interface-id, specify the destination interface. The destination interface must be a physical
interface.
• Though visible in the command-line help string, encapsulation replicate is not supported for
RSPAN. The original VLAN ID is overwritten by the RSPAN VLAN ID, and all packets appear on the
destination port as untagged.
• (Optional) [, | -] Specifies a series or range of interfaces. Enter a space before and after the
comma; enter a space before and after the hyphen.
• Enter ingress with additional keywords to enable forwarding of incoming traffic on the destination
port and to specify the encapsulation type:
◦dot1q vlan vlan-id—Forwards incoming packets with IEEE 802.1Q encapsulation with the specified
VLAN as the default VLAN.
◦untagged vlan vlan-id or vlan vlan-id—Forwards incoming packets with untagged encapsulation type
with the specified VLAN as the default VLAN.
Example:
Device(config)# monitor session 2 destination interface gigabitethernet1/0/2 ingress vlan 6
Step 6
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 7
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 8
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Related Topics
Remote SPAN, on page 91
RSPAN VLAN, on page 97
RSPAN Configuration Guidelines, on page 100
Examples: Creating an RSPAN VLAN, on page 126
Configuring an FSPAN Session
Follow these steps to create a SPAN session, specify the source (monitored) ports or VLANs and the destination
(monitoring) ports, and configure FSPAN for the session.
SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session {session_number | all | local | remote}
4. monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
5. monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
6. monitor session session_number filter {ip | ipv6 | mac} access-group {access-list-number | name}
7. end
8. show running-config
9. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3
no monitor session {session_number | all | local | remote}
Removes any existing SPAN configuration for the session.
• For session_number, the range is 1 to 66.
• all—Removes all SPAN sessions.
• local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Example:
Device(config)# no monitor session 2
Step 4
monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
Specifies the SPAN session and the source port (monitored port).
• For session_number, the range is 1 to 66.
• For interface-id, specifies the source port to monitor. Valid interfaces include physical
interfaces and port-channel logical interfaces (port-channel port-channel-number). Valid
port-channel numbers are 1 to 48.
• For vlan-id, specify the source VLAN to monitor. The range is 1 to 4094 (excluding the RSPAN VLAN).
Note
A single session can include multiple sources (ports or VLANs) defined in a series of commands, but
you cannot combine source ports and source VLANs in one session.
• (Optional) [, | -]—Specifies a series or range of interfaces. Enter a space before and after the
comma; enter a space before and after the hyphen.
• (Optional) [both | rx | tx]—Specifies the direction of traffic to monitor. If you do not specify a
traffic direction, the SPAN monitors both sent and received traffic.
◦both—Monitors both sent and received traffic. This is the default.
◦rx—Monitors received traffic.
◦tx—Monitors sent traffic.
Note
You can use the monitor session session_number source command multiple times to configure multiple
source ports.
Example:
Device(config)# monitor session 2 source interface gigabitethernet1/0/1
Step 5
monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
Specifies the SPAN session and the destination port (monitoring port).
• For session_number, specify the session number entered in Step 4.
• For destination, specify the following parameters:
◦For interface-id, specify the destination port. The destination interface must be a physical port;
it cannot be an EtherChannel, and it cannot be a VLAN.
◦(Optional) [, | -] Specifies a series or range of interfaces. Enter a space before and after the
comma; enter a space before and after the hyphen.
◦(Optional) encapsulation replicate specifies that the destination interface replicates the source
interface encapsulation method. If not selected, the default is to send packets in native form
(untagged).
Note
For local SPAN, you must use the same session number for the source and destination interfaces.
You can use monitor session session_number destination command multiple times to configure multiple
destination ports.
Example:
Device(config)# monitor session 2 destination interface gigabitethernet1/0/2 encapsulation replicate
Step 6
monitor session session_number filter {ip | ipv6 | mac} access-group {access-list-number | name}
Specifies the SPAN session, the types of packets to filter, and the ACLs to use in an FSPAN session.
• For session_number, specify the session number entered in Step 4.
• For access-list-number, specify the ACL number that you want to use to filter traffic.
• For name, specify the ACL name that you want to use to filter traffic.
Example:
Device(config)# monitor session 2 filter ipv6 access-group 4
Step 7
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 8
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 9
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Related Topics
Flow-Based SPAN, on page 99
FSPAN and FRSPAN Configuration Guidelines, on page 101
Configuring an FRSPAN Session
Follow these steps to start an RSPAN source session, specify the monitored source and the destination RSPAN
VLAN, and configure FRSPAN for the session.
SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session {session_number | all | local | remote}
4. monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
5. monitor session session_number destination remote vlan vlan-id
6. vlan vlan-id
7. remote-span
8. exit
9. monitor session session_number filter {ip | ipv6 | mac} access-group {access-list-number | name}
10. end
11. show running-config
12. copy running-config startup-config
DETAILED STEPS
Step 1
enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3
no monitor session {session_number | all | local | remote}
Removes any existing SPAN configuration for the session.
• For session_number, the range is 1 to 66.
• all—Removes all SPAN sessions.
• local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Example:
Device(config)# no monitor session 2
Step 4
monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
Specifies the SPAN session and the source port (monitored port).
• For session_number, the range is 1 to 66.
• For interface-id, specifies the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number). Valid port-channel numbers are 1 to 48.
• For vlan-id, specify the source VLAN to monitor. The range is 1 to 4094 (excluding the RSPAN VLAN).
Note
A single session can include multiple sources (ports or VLANs) defined in a series of commands, but you cannot combine source ports and source VLANs in one session.
• (Optional) [, | -]—Specifies a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.
• (Optional) [both | rx | tx]—Specifies the direction of traffic to monitor. If you do not specify a traffic direction, the SPAN monitors both sent and received traffic.
• both—Monitors both sent and received traffic. This is the default.
• rx—Monitors received traffic.
• tx—Monitors sent traffic.
Note
You can use the monitor session session_number source command multiple times to configure multiple source ports.
Example:
Device(config)# monitor session 2 source interface gigabitethernet1/0/1
Step 5
monitor session session_number destination remote vlan vlan-id
Specifies the RSPAN session and the destination RSPAN VLAN.
• For session_number, enter the number defined in Step 4.
• For vlan-id, specify the destination RSPAN VLAN to monitor.
Example:
Device(config)# monitor session 2 destination remote vlan 5
Step 6
vlan vlan-id
Enters the VLAN configuration mode. For vlan-id, specify the source RSPAN VLAN to monitor.
Example:
Device(config)# vlan 10
Step 7
remote-span
Specifies that the VLAN you specified in Step 5 is part of the RSPAN VLAN.
Example:
Device(config-vlan)# remote-span
Step 8
exit
Returns to global configuration mode.
Example:
Device(config-vlan)# exit
Step 9
monitor session session_number filter {ip | ipv6 | mac} access-group {access-list-number | name}
Specifies the RSPAN session, the types of packets to filter, and the ACLs to use in an FRSPAN session.
• For session_number, specify the session number entered in Step 4.
• For access-list-number, specify the ACL number that you want to use to filter traffic.
• For name, specify the ACL name that you want to use to filter traffic.
Example:
Device(config)# monitor session 2 filter ip access-group 7
Step 10
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 11
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 12
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Related Topics
Flow-Based SPAN
FSPAN and FRSPAN Configuration Guidelines
Monitoring SPAN and RSPAN Operations
The following table describes the command used to display SPAN and RSPAN operations configuration and
results to monitor operations:
Table 9: Monitoring SPAN and RSPAN Operations
Command: show monitor
Purpose: Displays the current SPAN, RSPAN, FSPAN, or FRSPAN configuration.
SPAN and RSPAN Configuration Examples
Example: Configuring Local SPAN
This example shows how to set up SPAN session 1 for monitoring source port traffic to a destination port.
First, any existing SPAN configuration for session 1 is deleted, and then bidirectional traffic is mirrored from
source Gigabit Ethernet port 1 to destination Gigabit Ethernet port 2, retaining the encapsulation method.
Device> enable
Device# configure terminal
Device(config)# no monitor session 1
Device(config)# monitor session 1 source interface gigabitethernet1/0/1
Device(config)# monitor session 1 destination interface gigabitethernet1/0/2 encapsulation replicate
Device(config)# end
This example shows how to remove port 1 as a SPAN source for SPAN session 1:
Device> enable
Device# configure terminal
Device(config)# no monitor session 1 source interface gigabitethernet1/0/1
Device(config)# end
This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional
monitoring:
Device> enable
Device# configure terminal
Device(config)# no monitor session 1 source interface gigabitethernet1/0/1 rx
The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.
This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session
2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination Gigabit
Ethernet port 2. The configuration is then modified to also monitor all traffic on all ports belonging to VLAN
10.
Device> enable
Device# configure terminal
Device(config)# no monitor session 2
Device(config)# monitor session 2 source vlan 1 - 3 rx
Device(config)# monitor session 2 destination interface gigabitethernet1/0/2
Device(config)# monitor session 2 source vlan 10
Device(config)# end
This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session
2 to monitor received traffic on Gigabit Ethernet source port 1, and send it to destination Gigabit Ethernet
port 2 with the same egress encapsulation type as the source port, and to enable ingress forwarding with IEEE
802.1Q encapsulation and VLAN 6 as the default ingress VLAN:
Device> enable
Device# configure terminal
Device(config)# no monitor session 2
Device(config)# monitor session 2 source interface gigabitethernet1/0/1 rx
Device(config)# monitor session 2 destination interface gigabitethernet1/0/2 encapsulation replicate ingress dot1q vlan 6
Device(config)# end
This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session
2 to monitor traffic received on Gigabit Ethernet trunk port 2, and send traffic for only VLANs 1 through 5
and VLAN 9 to destination Gigabit Ethernet port 1:
Device> enable
Device# configure terminal
Device(config)# no monitor session 2
Device(config)# monitor session 2 source interface gigabitethernet1/0/2 rx
Device(config)# monitor session 2 filter vlan 1 - 5 , 9
Device(config)# monitor session 2 destination interface gigabitethernet1/0/1
Device(config)# end
Related Topics
Creating a Local SPAN Session and Configuring Incoming Traffic
Local SPAN
SPAN Sessions
SPAN Configuration Guidelines
Examples: Creating an RSPAN VLAN
This example shows how to create the RSPAN VLAN 901:
Device> enable
Device# configure terminal
Device(config)# vlan 901
Device(config-vlan)# remote-span
Device(config-vlan)# end
This example shows how to remove any existing RSPAN configuration for session 1, configure RSPAN
session 1 to monitor multiple source interfaces, and configure the destination as RSPAN VLAN 901:
Device> enable
Device# configure terminal
Device(config)# no monitor session 1
Device(config)# monitor session 1 source interface gigabitethernet1/0/1 tx
Device(config)# monitor session 1 source interface gigabitethernet1/0/2 rx
Device(config)# monitor session 1 source interface port-channel 2
Device(config)# monitor session 1 destination remote vlan 901
Device(config)# end
This example shows how to remove any existing configuration on RSPAN session 2, configure RSPAN
session 2 to monitor traffic received on trunk port 2, and send traffic for only VLANs 1 through 5 and 9 to
destination RSPAN VLAN 902:
Device> enable
Device# configure terminal
Device(config)# no monitor session 2
Device(config)# monitor session 2 source interface gigabitethernet1/0/2 rx
Device(config)# monitor session 2 filter vlan 1 - 5 , 9
Device(config)# monitor session 2 destination remote vlan 902
Device(config)# end
This example shows how to configure VLAN 901 as the source remote VLAN and port 1 as the destination
interface:
Device> enable
Device# configure terminal
Device(config)# monitor session 1 source remote vlan 901
Device(config)# monitor session 1 destination interface gigabitethernet2/0/1
Device(config)# end
This example shows how to configure VLAN 901 as the source remote VLAN in RSPAN session 2, to
configure Gigabit Ethernet source port 2 as the destination interface, and to enable forwarding of incoming
traffic on the interface with VLAN 6 as the default receiving VLAN:
Device> enable
Device# configure terminal
Device(config)# monitor session 2 source remote vlan 901
Device(config)# monitor session 2 destination interface gigabitethernet1/0/2 ingress vlan 6
Device(config)# end
Related Topics
Creating an RSPAN Destination Session and Configuring Incoming Traffic
Remote SPAN
RSPAN VLAN
RSPAN Configuration Guidelines
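An offline check of a saved configuration against the session rules in this chapter (session numbers 1 to 66, no source ports and source VLANs combined in one session, an RSPAN destination VLAN that is actually configured with remote-span), which also inventories where each session sends its copy of the traffic so that unexpected mirroring stands out in a review. This is an added example, not Cisco code; the sample configuration, the function names, and the check for sessions that have sources but no destination are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the command forms used in this chapter's examples.
SAMPLE_CONFIG = """\
vlan 901
 remote-span
monitor session 1 source interface gigabitethernet1/0/1 tx
monitor session 1 source interface port-channel 2
monitor session 1 destination remote vlan 901
monitor session 2 source interface gigabitethernet1/0/2 rx
monitor session 2 source vlan 10
monitor session 2 destination interface gigabitethernet1/0/1
monitor session 3 source vlan 1 - 3 , 20 rx
monitor session 70 source interface gigabitethernet1/0/5
monitor session 70 destination remote vlan 950
"""

DIRECTIONS = {"both", "rx", "tx"}
MONITOR_RE = re.compile(r"^monitor session (\d+) (source|destination) (.+)$")


def expand_vlans(tokens):
    """['1', '-', '3', ',', '20'] -> [1, 2, 3, 20]; the CLI puts spaces around ',' and '-'."""
    vlans = []
    for part in "".join(tokens).split(","):
        low, _, high = part.partition("-")
        vlans.extend(range(int(low), int(high or low) + 1))
    return vlans


def parse(config):
    """Return ({session number: details}, {VLAN IDs configured with remote-span})."""
    sessions = defaultdict(lambda: {"ports": [], "vlans": [], "rspan_src": [], "dest": []})
    rspan_vlans, current_vlan = set(), None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if not raw[:1].isspace():                 # a top-level command ends VLAN submode
            header = re.fullmatch(r"vlan (\d+)", line)
            current_vlan = int(header.group(1)) if header else None
        elif line == "remote-span" and current_vlan is not None:
            rspan_vlans.add(current_vlan)
        match = MONITOR_RE.match(line)
        if not match:
            continue
        number, kind, rest = int(match.group(1)), match.group(2), match.group(3).split()
        session = sessions[number]
        is_rspan = rest[:2] == ["remote", "vlan"] and len(rest) > 2
        if kind == "source":
            if len(rest) > 1 and rest[-1] in DIRECTIONS:
                rest = rest[:-1]                  # drop the traffic direction keyword
            if is_rspan:
                session["rspan_src"].append(int(rest[2]))
            elif rest[0] == "interface":
                session["ports"].append(" ".join(rest[1:]))
            elif rest[0] == "vlan":
                session["vlans"].extend(expand_vlans(rest[1:]))
        elif is_rspan:
            session["dest"].append(("remote vlan", int(rest[2])))
        elif rest[0] == "interface" and len(rest) > 1:
            session["dest"].append(("interface", rest[1]))
    return dict(sessions), rspan_vlans


def audit(config):
    """Return [(session, finding)] for rule violations and incomplete sessions."""
    sessions, rspan_vlans = parse(config)
    findings = []
    for number in sorted(sessions):
        s = sessions[number]
        if not 1 <= number <= 66:
            findings.append((number, "session number outside 1 to 66"))
        if s["ports"] and s["vlans"]:
            findings.append((number, "source ports and source VLANs combined"))
        if any(not 1 <= v <= 4094 for v in s["vlans"]):
            findings.append((number, "source VLAN outside 1 to 4094"))
        if (s["ports"] or s["vlans"] or s["rspan_src"]) and not s["dest"]:
            findings.append((number, "sources configured but no destination"))
        for kind, value in s["dest"]:
            if kind == "remote vlan" and value not in rspan_vlans:
                findings.append((number, f"destination VLAN {value} lacks remote-span"))
    return findings


def mirror_map(config):
    """Inventory for review: session -> (monitored sources, where the copy is sent)."""
    sessions, _ = parse(config)
    return {
        number: (s["ports"] + [f"vlan {v}" for v in s["vlans"]]
                 + [f"remote vlan {v}" for v in s["rspan_src"]],
                 [f"{kind} {value}" for kind, value in s["dest"]])
        for number, s in sorted(sessions.items())
    }


if __name__ == "__main__":
    for number, finding in audit(SAMPLE_CONFIG):
        print(f"session {number}: {finding}")
    for number, (sources, dests) in mirror_map(SAMPLE_CONFIG).items():
        print(f"session {number}: {sources} -> {dests}")
```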
Feature History and Information for SPAN and RSPAN
Release: Cisco IOS XE Everest 16.5.1a
Modification: Switch Port Analyzer (SPAN): Allows monitoring of device traffic on a port or VLAN using a sniffer/analyzer or RMON probe. This feature was introduced.
Release: Cisco IOS XE Everest 16.5.1a
Modification: SPAN destination port support on EtherChannels: Provides the ability to configure a SPAN destination port on an EtherChannel. This feature was introduced.
Release: Cisco IOS XE Everest 16.5.1a
Modification: Switch Port Analyzer (SPAN) distributed egress SPAN: Provides distributed egress SPAN functionality onto line cards in conjunction with ingress SPAN already distributed to line cards. By distributing egress SPAN functionalities onto line cards, the performance of the system is improved. This feature was introduced.
CHAPTER 7
Configuring ERSPAN
• Configuring ERSPAN
Configuring ERSPAN
This module describes how to configure Encapsulated Remote Switched Port Analyzer (ERSPAN). The Cisco
ERSPAN feature allows you to monitor traffic on ports or VLANs and send the monitored traffic to destination
ports.
Prerequisites for Configuring ERSPAN
• Only IPv4 delivery/transport header is supported.
• Access control list (ACL) filter is applied before sending the monitored traffic on to the tunnel.
• Only supports Type-II ERSPAN header.
Restrictions for Configuring ERSPAN
The following restrictions apply for this feature:
• Destination sessions are not supported.
• A device supports up to 66 sessions. A maximum of 8 source sessions can be configured and the remaining
sessions can be configured as RSPAN destination sessions. A source session can be a local SPAN
source session or an RSPAN source session or an ERSPAN source session.
• You can configure either a list of ports or a list of VLANs as a source, but cannot configure both for a
given session.
• When a session is configured through the ERSPAN CLI, the session ID and the session type cannot be
changed. To change them, you must use the no form of the configuration commands to remove the
session and then reconfigure the session.
• ERSPAN source sessions do not copy locally-sourced Remote SPAN (RSPAN) VLAN traffic from
source trunk ports that carry RSPAN VLANs.
• ERSPAN source sessions do not copy locally-sourced ERSPAN GRE-encapsulated traffic from source
ports.
Information for Configuring ERSPAN
ERSPAN Overview
The Cisco ERSPAN feature allows you to monitor traffic on ports or VLANs, and send the monitored traffic
to destination ports. ERSPAN sends traffic to a network analyzer, such as a Switch Probe device or a Remote
Monitoring (RMON) probe. ERSPAN supports source ports, source VLANs, and destination ports on different
devices, which helps remote monitoring of multiple devices across a network.
ERSPAN supports encapsulated packets of up to 9180 bytes. ERSPAN consists of an ERSPAN source session,
routable ERSPAN GRE-encapsulated traffic, and an ERSPAN destination session.
You can configure an ERSPAN source session, an ERSPAN destination session, or both
on a device. A device on which only an ERSPAN source session is configured is called an ERSPAN source
device, and a device on which only an ERSPAN destination session is configured is called an ERSPAN
termination device. A device can act as both an ERSPAN source device and a termination device.
For a source port or a source VLAN, the ERSPAN can monitor the ingress, egress, or both ingress and egress
traffic. By default, ERSPAN monitors all traffic, including multicast, and Bridge Protocol Data Unit (BPDU)
frames.
An ERSPAN source session is defined by the following parameters:
• A session ID
• List of source ports or source VLANs to be monitored by the session
• The destination and origin IP addresses, which are used as the destination and source IP addresses of
the generic routing encapsulation (GRE) envelope for the captured traffic, respectively
• ERSPAN flow ID
• Optional attributes, such as, IP Time to Live (TTL), related to the GRE envelope
Note
ERSPAN source sessions do not copy ERSPAN GRE-encapsulated traffic from source ports. Each ERSPAN
source session can have either ports or VLANs as sources, but not both.
Note
Because encapsulation is performed in the hardware, the CPU performance is not impacted.
Figure 10: ERSPAN Configuration
ERSPAN Sources
The Cisco ERSPAN feature supports the following sources:
• Source ports—A source port that is monitored for traffic analysis. Source ports in any VLAN can be
configured and trunk ports can be configured as source ports along with nontrunk source ports.
• Source VLANs—A VLAN that is monitored for traffic analysis.
The following interfaces are supported as source ports:
• GigabitEthernet
• PortChannel
• TenGigabitEthernet
How to Configure ERSPAN
Configuring an ERSPAN Source Session
The ERSPAN source session defines the session configuration parameters and the ports or VLANs to be
monitored.
SUMMARY STEPS
1. enable
2. configure terminal
3. monitor session span-session-number type erspan-source
4. description description
5. source {interface type number | vlan vlan-ID} [, | -| both | rx | tx]
6. filter {ip access-group {standard-access-list | expanded-access-list | acl-name } | ipv6 access-group
acl-name | mac access-group acl-name | vlan vlan-ID [, -]}
7. no shutdown
8. destination
9. ip address ip-address
10. erspan-id erspan-ID
11. origin ip-address
12. ip ttl ttl-value
13. end
DETAILED STEPS
Step 1
enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Switch> enable
Step 2
configure terminal
Enters global configuration mode.
Example:
Switch# configure terminal
Step 3
monitor session span-session-number type erspan-source
Defines an ERSPAN source session using the session ID and the session type, and enters ERSPAN monitor source session configuration mode.
• Session IDs for source sessions or destination sessions are in the same global ID space, so each session ID is globally unique for both session types.
• The span-session-number and the session type (configured by the erspan-source keyword) cannot be changed once configured. Use the no form of this command to remove the session and then re-create the session with a new session ID or a new session type.
Example:
Switch(config)# monitor session span-session-number type erspan-source
Step 4
description description
Describes the ERSPAN source session.
Example:
Switch(config-mon-erspan-src)# description source1
Step 5
source {interface type number | vlan vlan-ID} [, | -| both | rx | tx]
Configures the source interface or the VLAN, and the traffic direction to be monitored.
Example:
Switch(config-mon-erspan-src)# source interface fastethernet 0/1 rx
Step 6
filter {ip access-group {standard-access-list | expanded-access-list | acl-name } | ipv6 access-group acl-name | mac access-group acl-name | vlan vlan-ID [, -]}
(Optional) Configures source VLAN filtering when the ERSPAN source is a trunk port.
Note
You cannot include source VLANs and filter VLANs in the same session.
Example:
Switch(config-mon-erspan-src)# filter vlan 3
Step 7
no shutdown
Disables the shutting down of the configured session.
Example:
Switch(config-mon-erspan-src)# no shutdown
Step 8
destination
Defines an ERSPAN destination session and enters ERSPAN monitor destination session configuration mode.
Example:
Switch(config-mon-erspan-src)# destination
Step 9
ip address ip-address
Configures an IP address for the ERSPAN destination session.
Example:
Switch(config-mon-erspan-src-dst)# ip address 192.0.2.9
Step 10
erspan-id erspan-ID
Configures the ID used by the destination session to identify the ERSPAN traffic.
Example:
Switch(config-mon-erspan-src-dst)# erspan-id 2
Step 11
origin ip-address
Configures the IP address used as the destination for the ERSPAN traffic.
Example:
Switch(config-mon-erspan-src-dst)# origin ip-address 203.0.113.2
Step 12
ip ttl ttl-value
Configures Time to Live (TTL) values for packets in the ERSPAN traffic.
Example:
Switch(config-mon-erspan-src-dst)# ip ttl 32
Step 13
end
Exits ERSPAN monitor destination session configuration mode and returns to privileged EXEC mode.
Example:
Switch(config-mon-erspan-src-dst)# end
Configuration Examples for ERSPAN
Example: Configuring an ERSPAN Source Session
Switch> enable
Switch# configure terminal
Switch(config)# monitor session 1 type erspan-source
Switch(config-mon-erspan-src)# description source1
Switch(config-mon-erspan-src)# source interface fastethernet 0/1 rx
Switch(config-mon-erspan-src)# filter vlan 3
Switch(config-mon-erspan-src)# no shutdown
Switch(config-mon-erspan-src)# destination
Switch(config-mon-erspan-src-dst)# ip address 192.0.2.9
Switch(config-mon-erspan-src-dst)# erspan-id 2
Switch(config-mon-erspan-src-dst)# origin ip-address 203.0.113.2
Switch(config-mon-erspan-src-dst)# ip ttl 32
Switch(config-mon-erspan-src-dst)# end
Verifying ERSPAN
To verify the ERSPAN configuration, use the following commands:
The following is sample output from the show monitor session erspan-source command:
Switch# show monitor session erspan-source session
Type : ERSPAN Source Session
Status : Admin Enabled
Source Ports :
RX Only : Gi1/4/33
Destination IP Address : 192.0.2.1
Destination ERSPAN ID : 110
Origin IP Address : 10.10.10.216
IPv6 Flow Label : None
The following is sample output from the show monitor session erspan-source detail command:
Switch# show monitor session erspan-source detail
Type : ERSPAN Source Session
Status : Admin Enabled
Description :
Source Ports :
RX Only : Gi1/4/33
TX Only : None
Both : None
Source VLANs :
RX Only : None
TX Only : None
Both : None
Source RSPAN VLAN : None
Destination Ports : None
Filter VLANs : None
Filter Addr Type :
RX Only : None
TX Only : None
Both : None
Filter Pkt Type :
RX Only : None
Dest RSPAN VLAN : None
IP Access-group : None
IPv6 Access-group : None
Destination IP Address : 192.0.2.1
Destination IPv6 Address : None
Destination IP VRF : None
Destination ERSPAN ID : 110
Origin IP Address : 10.10.10.216
IP QOS PREC : 0
IP TTL : 255
The following output from the show capability feature monitor erspan-source command displays information
about the configured ERSPAN source sessions:
Switch# show capability feature monitor erspan-source
ERSPAN Source Session Supported: true
No of Rx ERSPAN source session: 8
No of Tx ERSPAN source session: 8
ERSPAN Header Type supported: II
ACL filter Supported: true
Fragmentation Supported: true
Truncation Supported: false
Sequence number Supported: false
QOS Supported: true
The following output from the show capability feature monitor erspan-destination command displays all
the configured global built-in templates:
Switch# show capability feature monitor erspan-destination
ERSPAN Destination Session Supported: false
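On the collector that receives the GRE-encapsulated traffic, the parameters of the source session (origin and destination IP address, erspan-id, and IP TTL) can be checked against each received packet before the mirrored frame is handed to analysis tools. The following Python code is an added example, not Cisco code: it decodes the IPv4/GRE/ERSPAN Type II encapsulation and reports mismatches against the configured session. The header layout it uses (GRE protocol type 0x88BE with the sequence flag set, followed by an 8-byte Type II header) is the commonly published ERSPAN Type II format and is not described in this guide; the sample packet and the function names are constructed.

```python
import ipaddress
import struct

IP_PROTO_GRE = 47
GRE_PROTO_ERSPAN = 0x88BE                      # GRE protocol type carrying ERSPAN Type II
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # checksum, key, sequence-number flags

# Constructed packet built from this chapter's example session:
# origin 203.0.113.2, destination 192.0.2.9, erspan-id 2, TTL 32, source VLAN 3.
SAMPLE_PACKET = bytes.fromhex(
    "4500 0032 0000 4000 202f 0000 cb00 7102 c000 0209"   # IPv4, protocol 47, checksum left 0
    "1000 88be 0000 0001"                                 # GRE: S flag set, sequence 1
    "1003 0002 0000 0001"                                 # ERSPAN II: ver 1, VLAN 3, session 2
    "ffff ffff ffff 0000 5e00 5301 0806"                  # start of the mirrored Ethernet frame
)


def parse_erspan(packet):
    """Decode IPv4 + GRE + ERSPAN Type II; raise ValueError for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 delivery header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("truncated IPv4 or GRE header")
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("IP protocol is not GRE")
    flags, gre_proto = struct.unpack_from("!HH", packet, ihl)
    if gre_proto != GRE_PROTO_ERSPAN:
        raise ValueError("GRE payload is not ERSPAN")
    if not flags & GRE_S:
        # Assumption: Type II always sets S; without it no ERSPAN header follows.
        raise ValueError("GRE sequence flag clear, no Type II header present")
    # Optional GRE fields come in the order checksum, key, sequence number.
    offset = ihl + 4 + (4 if flags & GRE_C else 0) + (4 if flags & GRE_K else 0)
    if len(packet) < offset + 12:
        raise ValueError("truncated ERSPAN header")
    sequence, word1, word2 = struct.unpack_from("!III", packet, offset)
    if word1 >> 28 != 1:
        raise ValueError("ERSPAN version is not Type II")
    return {
        "origin": str(ipaddress.IPv4Address(packet[12:16])),
        "destination": str(ipaddress.IPv4Address(packet[16:20])),
        "ttl": packet[8],
        "sequence": sequence,
        "vlan": (word1 >> 16) & 0x0FFF,        # VLAN of the mirrored frame
        "cos": (word1 >> 13) & 0x7,
        "truncated": bool((word1 >> 10) & 0x1),
        "session_id": word1 & 0x03FF,          # the configured erspan-id (10 bits)
        "index": word2 & 0xFFFFF,
        "frame": packet[offset + 12:],         # the mirrored Ethernet frame
    }


def check_provenance(packet, origin, destination, erspan_id, max_ttl):
    """Return the reasons a packet does not match the configured source session."""
    try:
        info = parse_erspan(packet)
    except ValueError as exc:
        return [f"rejected: {exc}"]
    problems = []
    if info["origin"] != origin:
        problems.append(f"origin {info['origin']}, expected {origin}")
    if info["destination"] != destination:
        problems.append(f"destination {info['destination']}, expected {destination}")
    if info["session_id"] != erspan_id:
        problems.append(f"ERSPAN ID {info['session_id']}, expected {erspan_id}")
    if info["ttl"] > max_ttl:                  # TTL only decreases in transit
        problems.append(f"TTL {info['ttl']} exceeds configured {max_ttl}")
    return problems


if __name__ == "__main__":
    print(parse_erspan(SAMPLE_PACKET))
    print(check_provenance(SAMPLE_PACKET, "203.0.113.2", "192.0.2.9", 2, 32))
```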
Additional References
Related Documents
Related Topic: Cisco IOS commands
Document Title: Cisco IOS Master Commands List, All Releases
RFCs
Standard/RFC: RFC 2784
Title: Generic Routing Encapsulation (GRE)
Technical Assistance
The Cisco Support website provides extensive online resources, including documentation and tools for
troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/support
Feature Information for Configuring ERSPAN
The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 10: Feature Information for Configuring ERSPAN
Feature Name: ERSPAN
Releases: Cisco IOS XE Everest 16.5.1a
Feature Information: This feature was introduced.
CHAPTER 8
Configuring Packet Capture
• Finding Feature Information
• Prerequisites for Packet Capture
• Restrictions for Packet Capture
• Introduction to Packet Capture
• Configuring Packet Capture
• Monitoring Packet Capture
• Additional References
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Prerequisites for Packet Capture
• Packet capture is supported on Catalyst 3850 and Catalyst 3650.
• Wireshark is supported only on switches running Network Essentials or Network Advantage license.
The Embedded Packet Capture (EPC) software subsystem consumes CPU and memory resources during its
operation. You must have adequate system resources for different types of operations. Some guidelines for
using the system resources are provided in the table below.
Table 11: System Requirements for the EPC Subsystem
System Resources: Requirements
Hardware: CPU utilization requirements are platform dependent.
Memory: The packet buffer is stored in DRAM. The size of the packet buffer is user specified.
Diskspace: Packets can be exported to external devices. No intermediate storage on flash disk is required.
Restrictions for Packet Capture
• Global packet capture on Wireshark is not supported.
• Display filters are supported on Wireshark.
• The CLI for configuring Wireshark requires that the feature be executed only from EXEC mode. Actions
that usually occur in configuration submode (such as defining capture points), are handled at the EXEC
mode instead. All key commands are not NVGEN’d and are not synchronized to the standby supervisor
in NSF and SSO scenarios.
• Packets captured in the output direction of an interface might not reflect the changes made by rewrite
(includes TTL, VLAN tag, CoS, checksum, MAC addresses, DSCP, precedence, UP, etc.).
• The rewrite information of both ingress and egress packets is not captured.
• Limiting circular file storage by file size is not supported.
• File limit is limited to the size of the flash in Network Essentials and Network Advantage.
• In Network Essentials and Network Advantage, in file mode, the packets will be written to the files
without export.
• Embedded Wireshark is supported with the following limitations:
• Capture filters and display filters are not supported.
• Active capture decoding is not available.
• The output format is different from previous releases.
• Embedded Packet Capture (EPC) captures multicast packets only on ingress and does not capture the
replicated packets on egress.
Configuration Limitations
• Up to 8 capture points can be defined, but only one can be active at a time. You need to stop one before
you can start the other.
• Neither VRFs, management ports, nor private VLANs can be used as attachment points.
• Only one ACL (IPv4, IPv6 or MAC) is allowed in a Wireshark class map.
• Wireshark cannot capture packets on a destination SPAN port.
• Wireshark stops capturing when one of the attachment points (interfaces) attached to a capture point
stops working. For example, if the device that is associated with an attachment point is unplugged from
the . To resume capturing, the capture must be restarted manually.
• CPU-injected packets are considered control plane packets. Therefore, these types of packets will not
be captured on an interface egress capture.
• MAC ACL is only used for non-IP packets such as ARP. It will not be supported on a Layer 3 port or
SVI.
• MAC filter will not capture IP packets even if it matches the MAC address. This applies to all interfaces
(L2 Switchport, L3 Routed Port).
• MAC filter cannot capture L2 packets (ARP) on L3 interfaces.
• IPv6-based ACLs are not supported in VACL.
• Layer 2 EtherChannels are not supported.
• Starting from Cisco IOS release 16.1, Layer 3 PortChannel Support is available.
• It is not possible to modify a capture point parameter when a capture is already active or has started.
• ACL logging and Wireshark are incompatible. Once Wireshark is activated, it takes priority. All traffic,
including that being captured by ACL logging on any ports, will be redirected to Wireshark. We
recommend that you deactivate ACL logging before starting Wireshark. Otherwise, Wireshark traffic
will be contaminated by ACL logging traffic.
• Wireshark does not capture packets dropped by floodblock.
• Starting from Cisco IOS release 16.1:
• L3 port channel support is added.
• Minor changes have been made in the display format.
• Ability to display the number of packets in a cap file
• Clearing the captured buffer deletes the buffer along with its contents. It cannot be run when the
packet capture is active.
• Additional warning message is displayed for control plane capturing.
• In buffer mode, the packet display is allowed only after stop.
• Packet statistics displayed at stop, in IP Services and IP Base.
• Ability to query the number of packets captured in a pcap file.
• When the display is from a cap file, display details of the selected packet can be viewed using
packet-number.
• Display filter can be used in file mode.
• Statistics of packet capture (packets and bytes received, dropped) can be displayed either during
the capture or after capture stop.
• The system can query statistics on a pcap cap file's contents, as supported by Wireshark.
• The packet capture session is always in streaming mode irrespective of the size of the buffer. There
is no lock-step mode anymore.
Warning
Control plane packets are not rate limited and are performance impacting. Please use filters
to limit control plane packet capture.
• If the user changes an interface from switch port to routed port (L2 -> L3) or vice versa, they must delete
the capture point and create a new one once the interface comes back up. Stopping and starting the capture
point will not work.
• If the user deletes the file used by an active capture session, the capture session cannot create a new file,
and all further packets captured are lost. The user will then need to restart the capture point.
Introduction to Packet Capture
Overview of Packet Capture Tool
The Packet Capture feature is an onboard packet capture facility that allows network administrators to capture
packets flowing to, through, and from the device and to analyze them locally or save and export them for
offline analysis by using tools such as Wireshark and Embedded Packet Capture (EPC). This feature simplifies
network operations by allowing devices to become active participants in the management and operation of
the network. This feature facilitates troubleshooting by gathering information about the packet format. This
feature also facilitates application analysis and security.
Embedded Packet Capture with Wireshark is supported on Network Essentials and Network Advantage
licenses.
Information about Wireshark
Wireshark Overview
Wireshark is a packet analyzer program, formerly known as Ethereal, that supports multiple protocols and
presents information in a text-based user interface.
The ability to capture and analyze traffic provides data on network activity. Prior to Cisco IOS Release XE
3.3.0, only two features addressed this need: SPAN and debug platform packet. Both have limitations. SPAN
is ideal for capturing packets, but can only deliver them by forwarding them to some specified local or remote
destination; it provides no local display or analysis support.
So the need exists for a traffic capture and analysis mechanism that is applicable to both hardware and software
forwarded traffic and that provides strong packet capture, display, and analysis support, preferably using a
well known interface.
Wireshark dumps packets to a file using a well known format called .pcap, and is applied or enabled on
individual interfaces. You specify an interface in EXEC mode along with the filter and other parameters. The
Wireshark application is applied only when you enter a start command, and is removed only when Wireshark
stops capturing packets either automatically or manually.
Note
The current version of Wireshark installed on the switch is 1.10.8.
Capture Points
A capture point is the central policy definition of the Wireshark feature. The capture point describes all of the
characteristics associated with a given instance of Wireshark: which packets to capture, where to capture them
from, what to do with the captured packets, and when to stop. Capture points can be modified after creation,
and do not become active until explicitly activated with a start command. This process is termed activating
the capture point or starting the capture point. Capture points are identified by name and can also be manually
or automatically deactivated or stopped.
Multiple capture points can be defined.
In case of stacked systems, the capture point is activated on the active member. A switchover will terminate
any active packet capture session and it will have to be restarted.
Related Topics
Defining a Capture Point, on page 150
Adding or Modifying Capture Point Parameters, on page 153
Deleting Capture Point Parameters, on page 155
Deleting a Capture Point, on page 156
Activating and Deactivating a Capture Point, on page 158
Clearing the Capture Point Buffer, on page 161
Example: Simple Capture and Display, on page 169
Example: Simple Capture and Store, on page 171
Example: Using Buffer Capture, on page 173
Example: Simple Capture and Store of Packets in Egress Direction, on page 179
Attachment Points
An attachment point is a point in the logical packet process path associated with a capture point. An attachment
point is an attribute of the capture point. Packets that impact an attachment point are tested against capture
point filters; packets that match are copied and sent to the associated Wireshark instance of the capture point.
A specific capture point can be associated with multiple attachment points. Some restrictions apply when you
specify attachment points of different types.
Attachment points are directional (input or output or both) with the exception of the Layer 2 VLAN attachment
point, which is always bidirectional.
In case of stacked systems, the attachment points on all stack members are valid. EPC captures the packets
from all the defined attachment points. However these packets are processed only on the active member.
Related Topics
Defining a Capture Point, on page 150
Adding or Modifying Capture Point Parameters, on page 153
Deleting Capture Point Parameters, on page 155
Deleting a Capture Point, on page 156
Activating and Deactivating a Capture Point, on page 158
Clearing the Capture Point Buffer, on page 161
Example: Simple Capture and Display, on page 169
Example: Simple Capture and Store, on page 171
Example: Using Buffer Capture, on page 173
Example: Simple Capture and Store of Packets in Egress Direction, on page 179
Filters
Filters are attributes of a capture point that identify and limit the subset of traffic traveling through the
attachment point of a capture point, which is copied and passed to Wireshark. To be displayed by Wireshark,
a packet must pass through an attachment point, as well as all of the filters associated with the capture point.
A capture point has the following types of filters:
• Core system filter—The core system filter is applied by hardware, and its match criteria are limited by
hardware. This filter determines whether hardware-forwarded traffic is copied to software for Wireshark
purposes.
• Display filter—The display filter is applied by Wireshark. Packets that fail the display filter are not
displayed.
Core System Filter
You can specify core system filter match criteria by using the class map or ACL, or explicitly by using the
CLI.
In some installations, you need to obtain authorization to modify the configuration, which can lead to extended
delays if the approval process is lengthy. This can limit the ability of network administrators to monitor and
analyze traffic. To address this situation, Wireshark supports explicit specification of core system filter match
criteria from the EXEC mode CLI. The disadvantage is that the match criteria that you can specify is a limited
subset of what class map supports, such as MAC, IP source and destination addresses, ether-type, IP protocol,
and TCP/UDP source and destination ports.
If you prefer to use configuration mode, you can define ACLs or have class maps refer capture points to them.
Explicit and ACL-based match criteria are used internally to construct class maps and policy maps.
Note
The ACL and class map configuration are part of the system and not aspects of the Wireshark feature.
Display Filter
With the display filter, you can direct Wireshark to further narrow the set of packets to display when decoding
and displaying from a .pcap file.
Related Topics
Additional References
Actions
Wireshark can be invoked on live traffic or on a previously existing .pcap file. When invoked on live traffic,
it can perform four types of actions on packets that pass its display filters:
• Captures to buffer in memory to decode and analyze and store
• Stores to a .pcap file
• Decodes and displays
• Stores and displays
When invoked on a .pcap file only, only the decode and display action is applicable.
Storage of Captured Packets to Buffer in Memory
Packets can be stored in the capture buffer in memory for subsequent decode, analysis, or storage to a .pcap
file.
The capture buffer can be in linear or circular mode. In linear mode, new packets are discarded when the
buffer is full. In circular mode, if the buffer is full, the oldest packets are discarded to accommodate the new
packets. Although the buffer can also be cleared when needed, this mode is mainly used for debugging network
traffic. However, it is not possible to clear only the contents of the buffer without deleting it. Stop the
current capture and restart it for this to take effect.
Note
If you have more than one capture that is storing packets in a buffer, clear the buffer before starting a new
capture to avoid memory loss.
Storage of Captured Packets to a .pcap File
Note
When Wireshark is used on switches in a stack, packet captures can be stored only on flash or USB flash
devices connected to the active switch.
For example, if flash1 is connected to the active switch, and flash2 is connected to the secondary switch,
only flash1 can be used to store packet captures.
Attempts to store packet captures on devices other than flash or USB flash devices connected to the active
switch will probably result in errors.
Wireshark can store captured packets to a .pcap file. The capture file can be located on the following storage
devices:
• on-board flash storage (flash:)
• USB drive
Note
Attempts to store packet captures on unsupported devices or devices not connected to the active switch
will probably result in errors.
When configuring a Wireshark capture point, you can associate a filename. When the capture point is activated,
Wireshark creates a file with the specified name and writes packets to it. If the file already exists at the time
of creation of the capture point, Wireshark queries you as to whether the file can be overwritten. If the file
already exists at the time of activating the capture point, Wireshark will overwrite the existing file. Only one
capture point may be associated with a given filename.
If the destination of the Wireshark writing process is full, Wireshark fails with partial data in the file. You
must ensure that there is sufficient space in the file system before you start the capture session. With Cisco
IOS Release IOS XE 3.3.0, the file system full status is not detected for some storage devices.
You can reduce the required storage space by retaining only a segment, instead of the entire packet. Typically,
you do not require details beyond the first 64 or 128 bytes. The default behavior is to store the entire packet.
To avoid possible packet drops when processing and writing to the file system, Wireshark can optionally use
a memory buffer to temporarily hold packets as they arrive. Memory buffer size can be specified when the
capture point is associated with a .pcap file.
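The following Python sketch is an added example, not part of the Cisco guide: it reads a classic .pcap file, counts its packets, and reports how many were shortened by a packet-length limit and whether the file ends in a partial record, as happens when the destination fills up during a capture. The record layout is the standard libpcap one, and the sample file is constructed in memory.

```python
import struct

# Byte order is inferred from the 4-byte magic at the start of the file.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}


def summarize_pcap(data):
    """Count packets and bytes in a classic .pcap image held in memory."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic .pcap file")
    order = MAGICS[data[:4]]
    # Global header after the magic: version, timezone, sigfigs, snaplen, link type.
    _major, _minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    stats = {"snaplen": snaplen, "linktype": linktype, "packets": 0,
             "truncated": 0, "stored_bytes": 0, "wire_bytes": 0,
             "incomplete_tail": False}
    offset = 24
    while offset < len(data):
        # Each record: ts_sec, ts_frac, stored length, original length on the wire.
        if offset + 16 > len(data):
            stats["incomplete_tail"] = True  # header cut off, e.g. disk full
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            stats["incomplete_tail"] = True  # payload cut off
            break
        stats["packets"] += 1
        stats["stored_bytes"] += incl_len
        stats["wire_bytes"] += orig_len
        if incl_len < orig_len:
            stats["truncated"] += 1          # shortened by the packet-length limit
        offset += 16 + incl_len
    return stats


def build_sample(snaplen=128, sizes=(60, 1500, 90), cut=0):
    """Constructed test file: zero-filled packets, optionally cut short by `cut` bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, orig_len in enumerate(sizes):
        incl_len = min(orig_len, snaplen)
        out += struct.pack("<IIII", 1_500_000_000 + i, 0, incl_len, orig_len)
        out += bytes(incl_len)
    return out[:len(out) - cut] if cut else out


if __name__ == "__main__":
    print(summarize_pcap(build_sample()))
    print(summarize_pcap(build_sample(cut=10)))
```

A file that reports incomplete_tail should be treated as a partial capture: the packets before the cut are still readable, but the session did not end cleanly.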
Packet Decoding and Display
Wireshark can decode and display packets to the console. This functionality is possible for capture points
applied to live traffic and for capture points applied to a previously existing .pcap file.
Note
Decoding and displaying packets may be CPU intensive.
Wireshark can decode and display packet details for a wide variety of packet formats. The details are displayed
by entering the monitor capture name start command with one of the following keyword options, which
place you into a display and decode mode:
• brief—Displays one line per packet (the default).
• detailed—Decodes and displays all the fields of all the packets whose protocols are supported. Detailed
modes require more CPU than the other two modes.
• (hexadecimal) dump—Displays one line per packet as a hexadecimal dump of the packet data and the
printable characters of each packet.
When you enter the capture command with the decode and display option, the Wireshark output is returned
to Cisco IOS and displayed on the console unchanged.
Live Traffic Display
Wireshark receives copies of packets from the core system. Wireshark applies its display filters to discard
uninteresting packets, and then decodes and displays the remaining packets.
.pcap File Display
Wireshark can decode and display packets from a previously stored .pcap file and use the display filter to
selectively display packets.
Packet Storage and Display
Functionally, this mode is a combination of the previous two modes. Wireshark stores packets in the specified
.pcap file and decodes and displays them to the console. Only the core filters are applicable here.
Wireshark Capture Point Activation and Deactivation
After a Wireshark capture point has been defined with its attachment points, filters, actions, and other options,
it must be activated. Until the capture point is activated, it does not actually capture packets.
Before a capture point is activated, some functional checks are performed. A capture point cannot be activated
if it has neither a core system filter nor attachment points defined. Attempting to activate a capture point that
does not meet these requirements generates an error.
The display filters are specified as needed.
After Wireshark capture points are activated, they can be deactivated in multiple ways. A capture point that
is storing only packets to a .pcap file can be halted manually or configured with time or packet limits, after
which the capture point halts automatically.
When a Wireshark capture point is activated, a fixed rate policer is applied automatically in the hardware so
that the CPU is not flooded with Wireshark-directed packets. The disadvantage of the rate policer is that you
cannot capture contiguous packets beyond the established rate even if more resources are available.
The set packet capture rate is 1000 packets per sec (pps). The 1000 pps limit is applied to the sum of all
attachment points. For example, if we have a capture session with 3 attachment points, the rates of all 3
attachment points added together is policed to 1000 pps.
Note
Policer is not supported for control-plane packet capture. When activating control-plane capture points,
you need to be extra cautious, so that it does not flood the CPU.
Wireshark Features
This section describes how Wireshark features function in the environment:
• Redirection features—In the input direction, traffic redirected by Layer 3 features (such as PBR and
WCCP) is logically later than Layer 3 Wireshark attachment points. Wireshark captures these packets
even though they might later be redirected out another Layer 3 interface. Symmetrically, output traffic
redirected by Layer 3 features (such as egress WCCP) is logically prior to Layer 3 Wireshark attachment
points, and Wireshark will not capture it.
• SPAN—Wireshark cannot capture packets on an interface configured as a SPAN destination.
• SPAN—Wireshark is able to capture packets on interfaces configured as a SPAN source in the ingress
direction, and may be available for egress direction too.
Guidelines for Wireshark
• During Wireshark packet capture, hardware forwarding happens concurrently.
• Before starting a Wireshark capture process, ensure that CPU usage is moderate and that sufficient
memory (at least 200 MB) is available.
• If you plan to store packets to a storage file, ensure that sufficient space is available before beginning a
Wireshark capture process.
• The CPU usage during Wireshark capture depends on how many packets match the specified conditions
and on the intended actions for the matched packets (store, decode and display, or both).
• Where possible, keep the capture to the minimum (limit by packets, duration) to avoid high CPU usage
and other undesirable conditions.
• Because packet forwarding typically occurs in hardware, packets are not copied to the CPU for software
processing. For Wireshark packet capture, packets are copied and delivered to the CPU, which causes
an increase in CPU usage.
To avoid high CPU usage, do the following:
◦Attach only relevant ports.
◦Use a class map, and secondarily, an access list to express match conditions. If neither is viable,
use an explicit, in-line filter.
◦Adhere closely to the filter rules. Restrict the traffic type (such as, IPv4 only) with a restrictive,
rather than relaxed ACL, which elicits unwanted traffic.
• Always limit packet capture to either a shorter duration or a smaller packet number. The parameters of
the capture command enable you to specify the following:
◦Capture duration
◦Number of packets captured
◦File size
◦Packet segment size
• Run a capture session without limits if you know that very little traffic matches the core filter.
• You might experience high CPU (or memory) usage if:
◦You leave a capture session enabled and unattended for a long period of time, resulting in
unanticipated bursts of traffic.
◦You launch a capture session with ring files or capture buffer and leave it unattended for a long
time, resulting in performance or system health issues.
• During a capture session, watch for high CPU usage and memory consumption due to Wireshark that
may impact performance or health. If these situations arise, stop the Wireshark session immediately.
• Avoid decoding and displaying packets from a .pcap file for a large file. Instead, transfer the .pcap file
to a PC and run Wireshark on the PC.
• To avoid packet loss, consider the following:
◦Use store-only (when you do not specify the display option) while capturing live packets rather
than decode and display, which is a CPU-intensive operation (especially in detailed mode).
◦If you have more than one capture that is storing packets in a buffer, clear the buffer before starting
a new capture to avoid memory loss.
◦Writing to flash disk is a CPU-intensive operation, so if the capture rate is insufficient, you may
want to use a buffer capture.
◦The Wireshark capture session always operates in streaming mode at the rate of 1000 pps.
• The streaming capture mode rate is 1000 pps.
• If you want to decode and display live packets in the console window, ensure that the Wireshark session
is bounded by a short capture duration.
Warning
A Wireshark session with either a longer duration limit or no capture duration (using a terminal with no
auto-more support using the term len 0 command) may make the console or terminal unusable.
• When using Wireshark to capture live traffic that leads to high CPU usage, consider applying a QoS
policy temporarily to limit the actual traffic until the capture process concludes.
• All Wireshark-related commands are in EXEC mode; no configuration commands exist for Wireshark.
If you need to use access list or class-map in the Wireshark CLI, you must define an access list and class
map with configuration commands.
• No specific order applies when defining a capture point; you can define capture point parameters in any
order, provided that CLI allows this. The Wireshark CLI allows as many parameters as possible on a
single line. This limits the number of commands required to define a capture point.
• All parameters except attachment points take a single value. Generally, you can replace the value with
a new one by reentering the command. After user confirmation, the system accepts the new value and
overrides the older one. A no form of the command is unnecessary to provide a new value, but it is
necessary to remove a parameter.
• Wireshark allows you to specify one or more attachment points. To add more than one attachment point,
reenter the command with the new attachment point. To remove an attachment point, use the no form
of the command. You can specify an interface range as an attachment point. For example, enter where
interface is an attachment point.
• The action you want to perform determines which parameters are mandatory. The Wireshark CLI allows
you to specify or modify any parameter prior to entering the start command. When you enter the start
command, Wireshark will start only after determining that all mandatory parameters have been provided.
• If the file already exists at the time of creation of the capture point, Wireshark queries you as to whether
the file can be overwritten. If the file already exists at the time of activating the capture point, Wireshark
will overwrite the existing file.
• The core filter can be an explicit filter, access list, or class map. Specifying a newer filter of these types
replaces the existing one.
Note
A core filter is required.
• You can terminate a Wireshark session with an explicit stop command or by entering q in automore
mode. The session could terminate itself automatically when a stop condition such as duration or packet
capture limit is met, or if an internal error occurs, or resource is full (specifically if disk is full in file
mode).
• Dropped packets will not be shown at the end of the capture. However, only the count of dropped,
oversized packets will be displayed.
Default Wireshark Configuration
The table below shows the default Wireshark configuration.
Feature                 Default Setting
Duration                No limit
Packets                 No limit
Packet-length           No limit (full packet)
File size               No limit
Ring file storage       No
Buffer storage mode     Linear
Information About Embedded Packet Capture
Embedded Packet Capture Overview
Embedded Packet Capture (EPC) provides an embedded systems management facility that helps in tracing
and troubleshooting packets. This feature allows network administrators to capture data packets flowing
through, to, and from a Cisco device. The network administrator may define the capture buffer size and type
(circular, or linear) and the maximum number of bytes of each packet to capture. The packet capture rate can
be throttled using further administrative controls. For example, options allow for filtering the packets to be
captured using an Access Control List and, optionally, further defined by specifying a maximum packet capture
rate or by specifying a sampling interval.
Benefits of Embedded Packet Capture
• Ability to capture IPv4 and IPv6 packets in the device, and also capture non-IP packets with MAC filter
or match any MAC address.
• Extensible infrastructure for enabling packet capture points. A capture point is a traffic transit point
where a packet is captured and associated with a buffer.
• Facility to export the packet capture in packet capture file (PCAP) format suitable for analysis using
any external tool.
• Methods to decode data packets captured with varying degrees of detail.
Packet Data Capture
Packet data capture is the capture of data packets that are then stored in a buffer. You can define packet data
captures by providing unique names and parameters.
You can perform the following actions on the capture:
• Activate captures at any interface.
• Apply access control lists (ACLs) or class maps to capture points.
Note
Network Based Application Recognition (NBAR) and MAC-style class maps are not supported.
• Destroy captures.
• Specify buffer storage parameters such as size and type. The size ranges from 1 MB to 100 MB. The
default buffer is linear; the other option for the buffer is circular.
• Specify match criteria that includes information about the protocol, IP address or port address.
Related Topics
Managing Packet Data Capture, on page 163
Example: Managing Packet Data Capture, on page 180
Monitoring and Maintaining Captured Data, on page 164
Example: Monitoring and Maintaining Captured Data, on page 181
Configuring Packet Capture
How to Configure Wireshark
To configure Wireshark, perform these basic steps.
1 Define a capture point.
2 (Optional) Add or modify the capture point's parameters.
3 Activate or deactivate a capture point.
4 Delete the capture point when you are no longer using it.
Related Topics
Defining a Capture Point, on page 150
Adding or Modifying Capture Point Parameters, on page 153
Deleting Capture Point Parameters, on page 155
Deleting a Capture Point, on page 156
Activating and Deactivating a Capture Point, on page 158
Clearing the Capture Point Buffer, on page 161
Example: Simple Capture and Display, on page 169
Example: Simple Capture and Store, on page 171
Example: Using Buffer Capture, on page 173
Example: Simple Capture and Store of Packets in Egress Direction, on page 179
Defining a Capture Point
The example in this procedure defines a very simple capture point. If you choose, you can define a capture
point and all of its parameters with one instance of the monitor capture command.
Note
You must define an attachment point, direction of capture, and core filter to have a functional capture
point.
Follow these steps to define a capture point.
SUMMARY STEPS
1. enable
2. monitor capture {capture-name}{interface interface-type interface-id | control-plane}{in | out | both}
3. monitor capture {capture-name}[match {any | ipv4 any any | ipv6 any any}]
4. show monitor capture {capture-name}[ parameter]
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
Command or Action: monitor capture {capture-name}{interface interface-type interface-id | control-plane}{in | out | both}
Purpose: Defines the capture point, specifies the attachment point with which the capture point is associated, and specifies the direction of the capture.
Example:
Device# monitor capture mycap interface GigabitEthernet1/0/1 in
The keywords have these meanings:
• capture-name—Specifies the name of the capture point to be defined (mycap is used in the example). The capture name should be less than or equal to 8 characters. Only alphanumeric characters and underscore (_) are permitted.
• (Optional) interface interface-type interface-id—Specifies the attachment point with which the capture point is associated (GigabitEthernet1/0/1 is used in the example).
Note
Optionally, you can define multiple attachment points and all of the parameters for this capture point with this one command instance. These parameters are discussed in the instructions for modifying capture point parameters. Range support is also available both for adding and removing attachment points.
Use one of the following for interface-type:
◦GigabitEthernet—Specifies the attachment point as GigabitEthernet.
◦vlan—Specifies the attachment point as a VLAN.
Note
Only ingress capture (in) is allowed when using this interface as an attachment point.
• (Optional) control-plane—Specifies the control plane as an attachment point.
• in | out | both—Specifies the direction of capture.
Step 3
Command or Action: monitor capture {capture-name}[match {any | ipv4 any any | ipv6 any any}]
Purpose: Defines the core system filter.
Example:
Device# monitor capture mycap interface GigabitEthernet1/0/1 in match any
The keywords have these meanings:
• capture-name—Specifies the name of the capture point to be defined (mycap is used in the example).
• match—Specifies a filter. The first filter defined is the core filter.
Note
A capture point cannot be activated if it has neither a core system filter nor attachment points defined. Attempting to activate a capture point that does not meet these requirements generates an error.
• ipv4—Specifies an IP version 4 filter.
• ipv6—Specifies an IP version 6 filter.
Step 4
Command or Action: show monitor capture {capture-name}[ parameter]
Purpose: Displays the capture point parameters that you defined in Step 2 and confirms that you defined a capture point.
Example:
Device# show monitor capture mycap parameter
  monitor capture mycap interface GigabitEthernet1/0/1 in
  monitor capture mycap match any
Step 5
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Device# show running-config
Step 6
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
What to Do Next
You can add additional attachment points, modify the parameters of your capture point, then activate it, or if
you want to use your capture point just as it is, you can now activate it.
Note
You cannot change a capture point's parameters using the methods presented in this topic.
If the user enters an incorrect capture name, or an invalid/non existing attachment point, the switch will show
errors like "Capture Name should be less than or equal to 8 characters. Only alphanumeric characters and
underscore (_) is permitted" and "% Invalid input detected at '^' marker" respectively.
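As an added example (not Cisco's code), this Python check parses lines in the format that show monitor capture with the parameter keyword prints and tests each capture point against rules stated in this chapter: the name rule, the required attachment point, direction and core filter, ingress-only VLAN attachment, a duration or packet bound, and unpoliced control-plane capture. The finding codes, the sample lines, and the treatment of match any on the control plane as too broad are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,8}$")  # name rule quoted in the guide
DIRECTIONS = {"in", "out", "both"}
CLAUSE_KEYWORDS = {"interface", "control-plane", "match", "limit", "file"}


@dataclass
class CapturePoint:
    name: str
    attachments: list = field(default_factory=list)  # (kind, target, direction)
    core_filter: Optional[str] = None
    limits: dict = field(default_factory=dict)
    file_location: Optional[str] = None


def split_clauses(tokens):
    """Group tokens by clause keyword, since one line may carry several clauses."""
    clauses = []
    for tok in tokens:
        if tok in CLAUSE_KEYWORDS:
            clauses.append([tok])
        elif clauses:
            clauses[-1].append(tok)
    return clauses


def parse_parameters(text):
    """Build CapturePoint objects from 'monitor capture <name> ...' lines."""
    points = {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["monitor", "capture"]:
            continue
        if len(tok) > 2 and tok[2] == "point":  # extra keyword in the guide's sample output
            tok.pop(2)
        if len(tok) < 4:
            continue
        cp = points.setdefault(tok[2], CapturePoint(tok[2]))
        for keyword, *args in split_clauses(tok[3:]):
            if keyword in ("interface", "control-plane"):
                direction = args[-1] if args and args[-1] in DIRECTIONS else None
                target = " ".join(args[:-1] if direction else args) or keyword
                kind = ("control-plane" if keyword == "control-plane"
                        else "vlan" if target.lower().startswith("vlan") else "port")
                cp.attachments.append((kind, target, direction))
            elif keyword == "match":
                cp.core_filter = " ".join(args)  # a newer core filter replaces the old one
            elif keyword == "limit":
                cp.limits.update(zip(args[0::2], args[1::2]))
            elif keyword == "file" and args[:1] == ["location"] and len(args) > 1:
                cp.file_location = args[1]
    return points


def lint(cp):
    """Return (code, message) findings for one capture point."""
    findings = []
    if not NAME_RE.match(cp.name):
        findings.append(("name", "name must be at most 8 alphanumeric/underscore characters"))
    if not cp.attachments:
        findings.append(("attachment", "no attachment point defined"))
    for kind, target, direction in cp.attachments:
        if direction is None:
            findings.append(("direction", f"{target}: no in/out/both given"))
        elif kind == "vlan" and direction != "in":
            findings.append(("vlan-direction", f"{target}: VLAN attachment allows ingress only"))
    if not cp.core_filter:
        findings.append(("filter", "a core filter is required"))
    if not {"duration", "packets"} & set(cp.limits):
        findings.append(("limit", "no duration or packet-count limit"))
    on_control_plane = any(kind == "control-plane" for kind, _, _ in cp.attachments)
    if on_control_plane and cp.core_filter in (None, "", "any"):  # assumption: 'any' is too broad
        findings.append(("control-plane", "control-plane capture is not policed; narrow the filter"))
    return findings


# Constructed sample in the format printed by "show monitor capture <name> parameter".
SAMPLE = """\
monitor capture mycap interface GigabitEthernet1/0/1 in
monitor capture mycap match ipv4 any any
monitor capture mycap limit duration 60 packet-len 400
monitor capture point mycap file location flash:mycap.pcap
monitor capture cp_uplink_01 control-plane both match any
monitor capture vlcap interface vlan 10 both
"""


def lint_text(text):
    """Map each capture point name to its list of finding codes."""
    return {name: [code for code, _ in lint(cp)]
            for name, cp in parse_parameters(text).items()}


if __name__ == "__main__":
    for name, cp in parse_parameters(SAMPLE).items():
        for code, message in lint(cp) or [("ok", "no findings")]:
            print(f"{name}: [{code}] {message}")
```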
Related Topics
How to Configure Wireshark, on page 149
Capture Points, on page 141
Attachment Points, on page 141
Example: Simple Capture and Display, on page 169
Example: Simple Capture and Store, on page 171
Example: Using Buffer Capture, on page 173
Example: Simple Capture and Store of Packets in Egress Direction, on page 179
Adding or Modifying Capture Point Parameters
Although listed in sequence, the steps to specify values for the parameters can be executed in any order. You
can also specify them in one, two, or several lines. Except for attachment points, which can be multiple, you
can replace any value with a more recent value by redefining the same option. You will need to confirm
interactively when certain parameters already specified are being modified.
Follow these steps to modify a capture point's parameters.
Before You Begin
A capture point must be defined before you can use these instructions.
SUMMARY STEPS
1. enable
2. monitor capture {capture-name} match {any | mac mac-match-string | ipv4 {any | host | protocol}{any | host} | ipv6 {any | host | protocol}{any | host}}
3. monitor capture {capture-name} limit {[duration seconds][packet-length size][packets num]}
4. monitor capture {capture-name} file {location filename}
5. monitor capture {capture-name} file {buffer-size size}
6. show monitor capture {capture-name}[ parameter]
7. end
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2
Command or Action: monitor capture {capture-name} match {any | mac mac-match-string | ipv4 {any | host | protocol}{any | host} | ipv6 {any | host | protocol}{any | host}}
Purpose: Defines the core system filter (ipv4 any any), defined either explicitly, through ACL or through a class map.
Example:
Device# monitor capture mycap match ipv4 any any
Step 3
Command or Action: monitor capture {capture-name} limit {[duration seconds][packet-length size][packets num]}
Purpose: Specifies the session limit in seconds (60), packets captured, or the packet segment length to be retained by Wireshark (400).
Example:
Device# monitor capture mycap limit duration 60 packet-len 400
Step 4
Step 5
Command or Action
Purpose
monitor capture {capture-name} file {location filename}
Example:
Specifies the file association, if the capture point
intends to capture packets rather than only display
them.
Device# monitor capture mycap file location
flash:mycap.pcap
Note
monitor capture {capture-name} file {buffer-size size}
Specifies the size of the memory buffer used by
Wireshark to handle traffic bursts.
If the file already exists, you have to confirm
if it can be overwritten.
Example:
Device# monitor capture mycap file buffer-size 100
Step 6
show monitor capture {capture-name}[ parameter]
Displays the capture point parameters that you defined
previously.
Example:
Device# show monitor capture mycap parameter
monitor capture mycap interface GigabitEthernet1/0/1 in
monitor capture mycap match ipv4 any any
monitor capture mycap limit duration 60 packet-len 400
monitor capture point mycap file location bootdisk:mycap.pcap
monitor capture mycap file buffer-size 100
Step 7
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Examples
Modifying Parameters
Associating or Disassociating a Capture File
Device# monitor capture point mycap file location flash:mycap.pcap
Device# no monitor capture mycap file
Specifying a Memory Buffer Size for Packet Burst Handling
Device# monitor capture mycap buffer size 100
Defining an Explicit Core System Filter to Match Both IPv4 and IPv6
Device# monitor capture mycap match any
What to Do Next
If your capture point contains all of the parameters you want, activate it.
Related Topics
How to Configure Wireshark, on page 149
Capture Points, on page 141
Attachment Points, on page 141
Example: Simple Capture and Display, on page 169
Example: Simple Capture and Store, on page 171
Example: Using Buffer Capture, on page 173
Example: Simple Capture and Store of Packets in Egress Direction, on page 179
Deleting Capture Point Parameters
Although listed in sequence, the steps to delete parameters can be executed in any order. You can also delete
them in one, two, or several lines. Except for attachment points, which can be multiple, you can delete any
parameter.
Follow these steps to delete a capture point's parameters.
Before You Begin
A capture point parameter must be defined before you can use these instructions to delete it.
SUMMARY STEPS
1. enable
2. no monitor capture {capture-name} match
3. no monitor capture {capture-name} limit [duration][packet-length][packets]
4. no monitor capture {capture-name} file [location] [buffer-size]
5. show monitor capture {capture-name}[ parameter]
6. end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if
prompted.
Example:
Device> enable
Step 2
no monitor capture {capture-name} match
Deletes all filters defined on capture point (mycap).
Example:
Device# no monitor capture mycap match
Step 3
no monitor capture {capture-name} limit [duration][packet-length][packets]
Deletes the session time limit and the packet segment length
to be retained by Wireshark. It leaves other specified limits in
place.
Example:
Device# no monitor capture mycap limit duration packet-len
Deletes all limits on Wireshark.
Example:
Device# no monitor capture mycap limit
Step 4
no monitor capture {capture-name} file [location] [buffer-size]
Deletes the file association. The capture point will no longer
capture packets. It will only display them.
Example:
Device# no monitor capture mycap file
Deletes the file location association. The file location will no
longer be associated with the capture point. However, other
defined file associations will be unaffected by this action.
Example:
Device# no monitor capture mycap file location
Step 5
show monitor capture {capture-name}[ parameter]
Displays the capture point parameters that remain defined after
your parameter deletion operations. This command can be run
at any point in the procedure to see what parameters are
associated with a capture point.
Example:
Device# show monitor capture mycap parameter
monitor capture mycap interface GigabitEthernet1/0/1 in
Step 6
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
What to Do Next
If your capture point contains all of the parameters you want, activate it.
Note
If the parameters are deleted when the capture point is active, the switch will show an error "Capture is
active".
Related Topics
How to Configure Wireshark, on page 149
Capture Points, on page 141
Attachment Points, on page 141
Example: Simple Capture and Display, on page 169
Example: Simple Capture and Store, on page 171
Example: Using Buffer Capture, on page 173
Example: Simple Capture and Store of Packets in Egress Direction, on page 179
Deleting a Capture Point
Follow these steps to delete a capture point.
Before You Begin
A capture point must be defined before you can use these instructions to delete it. You have to stop the capture
point before you can delete it.
SUMMARY STEPS
1. enable
2. no monitor capture {capture-name}
3. show monitor capture {capture-name}[ parameter]
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password
if prompted.
Example:
Device> enable
Step 2
no monitor capture {capture-name}
Deletes the specified capture point (mycap).
Example:
Device# no monitor capture mycap
Step 3
show monitor capture {capture-name}[ parameter]
Displays a message indicating that the specified
capture point does not exist because it has been
deleted.
Example:
Device# show monitor capture mycap parameter
Capture mycap does not exist
Step 4
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 5
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 6
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
What to Do Next
You can define a new capture point with the same name as the one you deleted. These instructions are usually
performed when one wants to start over with defining a capture point.
Related Topics
How to Configure Wireshark, on page 149
Capture Points, on page 141
Attachment Points, on page 141
Example: Simple Capture and Display, on page 169
Example: Simple Capture and Store, on page 171
Example: Using Buffer Capture, on page 173
Example: Simple Capture and Store of Packets in Egress Direction, on page 179
Activating and Deactivating a Capture Point
Follow these steps to activate or deactivate a capture point.
Before You Begin
A capture point can be activated even if an attachment point and a core system filter have been defined and
the associated filename already exists. In such an instance, the existing file will be overwritten.
A capture point with no associated filename can only be activated to display. When the filename is not specified,
the packets are captured into the buffer. Live display (display during capture) is available in both file and
buffer modes.
If no display filters are specified, packets are not displayed live, and all the packets captured by the core system
filter are displayed. The default display mode is brief.
SUMMARY STEPS
1. enable
2. monitor capture {capture-name} stop
3. end
4. show running-config
5. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your
password if prompted.
Example:
Device> enable
Step 2
monitor capture {capture-name} stop
Deactivates a capture point.
Example:
Device# monitor capture name stop
Step 3
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 4
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 5
copy running-config startup-config
(Optional) Saves your entries in the configuration
file.
Example:
Device# copy running-config startup-config
What to Do Next
While activating and deactivating a capture point, you could encounter a few errors. Here are examples of
some of the possible errors.
Missing attachment point on activation
Switch#monitor capture mycap match any
Switch#monitor capture mycap start
No Target is attached to capture failed to disable provision featurefailed to remove
policyfailed to disable provision featurefailed to remove policyfailed to disable provision
featurefailed to remove policy
Capture statistics collected at software (Buffer):
Capture duration - 0 seconds
Packets received - 0
Packets dropped - 0
Packets oversized - 0
Unable to activate Capture.
Switch# unable to get action unable to get action unable to get action
Switch#monitor capture mycap interface g1/0/1 both
Switch#monitor capture mycap start
Switch#
*Nov 5 12:33:43.906: %BUFCAP-6-ENABLE: Capture Point mycap enabled.
Missing filter on activation
Switch#monitor capture mycap int g1/0/1 both
Switch#monitor capture mycap start
Filter not attached to capture
Capture statistics collected at software (Buffer):
Capture duration - 0 seconds
Packets received - 0
Packets dropped - 0
Packets oversized - 0
Unable to activate Capture.
Switch#monitor capture mycap match any
Switch#monitor capture mycap start
Switch#
*Nov 5 12:35:37.200: %BUFCAP-6-ENABLE: Capture Point mycap enabled.
Attempting to activate a capture point while another one is already active
Switch#monitor capture mycap start
PD start invoked while previous run is active Failed to start capture : Wireshark operation
failure
Unable to activate Capture.
Switch#show monitor capture
Status Information for Capture test
Target Type:
Interface: GigabitEthernet1/0/13, Direction: both
Interface: GigabitEthernet1/0/14, Direction: both
Status : Active
Filter Details:
Capture all packets
Buffer Details:
Buffer Type: LINEAR (default)
Buffer Size (in MB): 10
File Details:
Associated file name: flash:cchh.pcap
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
Status Information for Capture mycap
Target Type:
Interface: GigabitEthernet1/0/1, Direction: both
Status : Inactive
Filter Details:
Capture all packets
Buffer Details:
Buffer Type: LINEAR (default)
Buffer Size (in MB): 10
File Details:
File not associated
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
Switch#monitor capture test stop
Capture statistics collected at software (Buffer & Wireshark):
Capture duration - 157 seconds
Packets received - 0
Packets dropped - 0
Packets oversized - 0
Switch#
*Nov 5 13:18:17.406: %BUFCAP-6-DISABLE: Capture Point test disabled.
Switch#monitor capture mycap start
Switch#
*Nov 5 13:18:22.664: %BUFCAP-6-ENABLE: Capture Point mycap enabled.
Switch#
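The three activation failures shown above can be caught before "monitor capture ... start" is entered. The following is an added example, not part of the Cisco guide: it reads the text of "show monitor capture <name> parameter" and "show monitor capture" and reports a missing attachment point, a missing core filter, or another capture that is already active. The function names and sample strings are constructed for illustration; the vlan, control-plane and class-map keywords come from general IOS XE syntax rather than from this section.

```python
import re

# Keywords that follow "monitor capture <name>" in the parameter listing.
# "interface", "match" and "access-list" appear in this guide; the others are
# assumed from general IOS XE syntax.
ATTACHMENT_KEYWORDS = {"interface", "vlan", "control-plane"}
FILTER_KEYWORDS = {"match", "access-list", "class-map"}


def parse_parameters(parameter_output, name):
    """Return {keyword: [arguments, ...]} for one capture point."""
    pattern = re.compile(
        r"^\s*monitor capture (?:point )?" + re.escape(name) + r"\s+(\S+)\s*(.*)$")
    params = {}
    for line in parameter_output.splitlines():
        m = pattern.match(line)
        if m:
            params.setdefault(m.group(1), []).append(m.group(2).strip())
    return params


def parse_status(status_output):
    """Return {capture name: status} from 'show monitor capture' output."""
    status, current = {}, None
    for line in status_output.splitlines():
        m = re.match(r"\s*Status Information for Capture (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*Status\s*:\s*(\S+)", line)
        if m and current is not None:
            status[current] = m.group(1)
    return status


def preflight(name, parameter_output, status_output):
    """List why starting <name> would fail, plus resource warnings."""
    params = parse_parameters(parameter_output, name)
    errors, warnings = [], []
    if not ATTACHMENT_KEYWORDS & params.keys():
        errors.append("no attachment point")      # "No Target is attached to capture"
    if not FILTER_KEYWORDS & params.keys():
        errors.append("no core filter")           # "Filter not attached to capture"
    busy = sorted(n for n, s in parse_status(status_output).items()
                  if s == "Active" and n != name)
    if busy:                                      # "PD start invoked while previous run is active"
        errors.append("capture already active: " + ", ".join(busy))
    limits = " ".join(params.get("limit", []))
    if not re.search(r"\b(duration|packets)\b", limits):
        warnings.append("no duration or packet-count limit")
    return {"errors": errors, "warnings": warnings}


# Constructed sample input in the format of the outputs shown in this section.
PARAMS_NO_TARGET = "monitor capture mycap match any\n"
PARAMS_READY = """\
monitor capture mycap interface GigabitEthernet1/0/1 both
monitor capture mycap match any
monitor capture mycap limit duration 60 packets 50
"""
STATUS = """\
Status Information for Capture test
 Target Type:
 Interface: GigabitEthernet1/0/13, Direction: both
 Status : Active
Status Information for Capture mycap
 Target Type:
 Interface: GigabitEthernet1/0/1, Direction: both
 Status : Inactive
"""

if __name__ == "__main__":
    print(preflight("mycap", PARAMS_NO_TARGET, ""))
    print(preflight("mycap", PARAMS_READY, STATUS))
```

The limit warning reflects the advice elsewhere in this chapter to keep packet count and duration low to avoid high CPU utilization.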
Related Topics
How to Configure Wireshark, on page 149
Capture Points, on page 141
Attachment Points, on page 141
Example: Simple Capture and Display, on page 169
Example: Simple Capture and Store, on page 171
Example: Using Buffer Capture, on page 173
Example: Simple Capture and Store of Packets in Egress Direction, on page 179
Clearing the Capture Point Buffer
Follow these steps to clear the buffer contents or save them to an external file for storage.
Note
If you have more than one capture that is storing packets in a buffer, clear the buffer before starting a new
capture to avoid memory loss. Do not try to clear buffer on an active capture point.
SUMMARY STEPS
1. enable
2. monitor capture {capture-name} [clear | export filename]
3. end
4. show running-config
5. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password
if prompted.
Example:
Device> enable
Step 2
monitor capture {capture-name} [clear | export
filename]
Clear - Completely deletes the buffer.
Export - Saves the captured packets in the buffer as well
as deletes the buffer.
Example:
Device# monitor capture mycap clear
Step 3
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Step 4
show running-config
Verifies your entries.
Example:
Device# show running-config
Step 5
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Examples: Capture Point Buffer Handling
Exporting Capture to a File
Device# monitor capture mycap export flash:mycap.pcap
Storage configured as File for this capture
Clearing Capture Point Buffer
Device# monitor capture mycap clear
Capture configured with file options
Related Topics
How to Configure Wireshark, on page 149
Capture Points, on page 141
Attachment Points, on page 141
Example: Simple Capture and Display, on page 169
Example: Simple Capture and Store, on page 171
Example: Using Buffer Capture, on page 173
Example: Simple Capture and Store of Packets in Egress Direction, on page 179
How to Implement Embedded Packet Capture
Managing Packet Data Capture
To manage Packet Data Capture in the buffer mode, perform the following steps:
SUMMARY STEPS
1. enable
2. monitor capture capture-name access-list access-list-name
3. monitor capture capture-name limit duration seconds
4. monitor capture capture-name interface interface-name both
5. monitor capture capture-name buffer circular size bytes
6. monitor capture capture-name start
7. monitor capture capture-name stop
8. monitor capture capture-name export file-location/file-name
9. end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your
password if prompted.
Example:
Device> enable
Step 2
monitor capture capture-name access-list access-list-name
Configures a monitor capture specifying an access
list as the core filter for the packet capture.
Example:
Device# monitor capture mycap access-list v4acl
Step 3
monitor capture capture-name limit duration seconds
Configures monitor capture limits.
Example:
Device# monitor capture mycap limit duration 1000
Step 4
monitor capture capture-name interface interface-name both
Configures monitor capture specifying an
attachment point and the packet flow direction.
Example:
Device# monitor capture mycap interface GigabitEthernet 0/0/1 both
Step 5
monitor capture capture-name buffer circular size bytes
Configures a buffer to capture packet data.
Example:
Device# monitor capture mycap buffer circular size 10
Step 6
monitor capture capture-name start
Starts the capture of packet data at a traffic trace
point into a buffer.
Example:
Device# monitor capture mycap start
Step 7
monitor capture capture-name stop
Stops the capture of packet data at a traffic trace
point.
Example:
Device# monitor capture mycap stop
Step 8
monitor capture capture-name export file-location/file-name
Exports captured data for analysis.
Example:
Device# monitor capture mycap export tftp://10.1.88.9/mycap.pcap
Step 9
end
Returns to privileged EXEC mode.
Example:
Device# end
Related Topics
Packet Data Capture, on page 149
Example: Managing Packet Data Capture, on page 180
Monitoring and Maintaining Captured Data
Perform this task to monitor and maintain the packet data captured. Capture buffer details and capture point
details are displayed.
SUMMARY STEPS
1. enable
2. show monitor capture capture-buffer-name buffer dump
3. show monitor capture capture-buffer-name parameter
4. debug epc capture-point
5. debug epc provision
6. end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password
if prompted.
Example:
Device> enable
Step 2
show monitor capture capture-buffer-name buffer dump
(Optional) Displays a hexadecimal dump of captured
packet and its metadata.
Example:
Device# show monitor capture mycap buffer dump
Step 3
show monitor capture capture-buffer-name parameter
(Optional) Displays a list of commands that were used
to specify the capture.
Example:
Device# show monitor capture mycap parameter
Step 4
debug epc capture-point
(Optional) Enables packet capture point debugging.
Example:
Device# debug epc capture-point
Step 5
debug epc provision
(Optional) Enables packet capture provisioning
debugging.
Example:
Device# debug epc provision
Step 6
end
Returns to privileged EXEC mode.
Example:
Device(config)# end
Related Topics
Packet Data Capture, on page 149
Example: Monitoring and Maintaining Captured Data, on page 181
Monitoring Packet Capture
Configuration Examples for Wireshark
Example: Displaying a Brief Output from a .pcap File
You can display the output from a .pcap file by entering:
Device# show monitor capture file flash:mycap.pcap brief
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
1 0.000000000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=0/0, ttl=254
2 0.000051000 10.10.10.1 -> 10.10.10.2 ICMP 114 Echo (ping) reply id=0x002e, seq=0/0, ttl=255 (request in 1)
3 0.000908000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=1/256, ttl=254
4 0.001782000 10.10.10.1 -> 10.10.10.2 ICMP 114 Echo (ping) reply id=0x002e, seq=1/256, ttl=255 (request in 3)
5 0.002961000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=2/512, ttl=254
6 0.003676000 10.10.10.1 -> 10.10.10.2 ICMP 114 Echo (ping) reply id=0x002e, seq=2/512, ttl=255 (request in 5)
7 0.004835000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=3/768, ttl=254
8 0.005579000 10.10.10.1 -> 10.10.10.2 ICMP 114 Echo (ping) reply id=0x002e, seq=3/768, ttl=255 (request in 7)
9 0.006850000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=4/1024, ttl=254
10 0.007586000 10.10.10.1 -> 10.10.10.2 ICMP 114 Echo (ping) reply id=0x002e, seq=4/1024, ttl=255 (request in 9)
11 0.008768000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=5/1280, ttl=254
12 0.009497000 10.10.10.1 -> 10.10.10.2 ICMP 114 Echo (ping) reply id=0x002e, seq=5/1280, ttl=255 (request in 11)
13 0.010695000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=6/1536, ttl=254
14 0.011427000 10.10.10.1 -> 10.10.10.2 ICMP 114 Echo (ping) reply id=0x002e, seq=6/1536, ttl=255 (request in 13)
15 0.012728000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=7/1792, ttl=254
16 0.013458000 10.10.10.1 -> 10.10.10.2 ICMP 114 Echo (ping) reply id=0x002e, seq=7/1792, ttl=255 (request in 15)
17 0.014652000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=8/2048, ttl=254
18 0.015394000 10.10.10.1 -> 10.10.10.2 ICMP 114 Echo (ping) reply id=0x002e, seq=8/2048, ttl=255 (request in 17)
19 0.016682000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=9/2304, ttl=254
20 0.017439000 10.10.10.1 -> 10.10.10.2 ICMP 114 Echo (ping) reply id=0x002e, seq=9/2304, ttl=255 (request in 19)
21 0.018655000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=10/2560, ttl=254
22 0.019385000 10.10.10.1 -> 10.10.10.2 ICMP 114 Echo (ping) reply id=0x002e, seq=10/2560, ttl=255 (request in 21)
23 0.020575000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=11/2816, ttl=254
--More--
Example: Displaying Detailed Output from a .pcap File
You can display the detailed .pcap file output by entering:
Device# show monitor capture file flash:mycap.pcap detailed
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
Frame 1: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0
Interface id: 0
Encapsulation type: Ethernet (1)
Arrival Time: Nov 6, 2015 11:44:48.322497000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1446810288.322497000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 114 bytes (912 bits)
Capture Length: 114 bytes (912 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:icmp:data]
Ethernet II, Src: Cisco_f3:63:46 (00:e1:6d:f3:63:46), Dst: Cisco_31:f1:c6 (00:e1:6d:31:f1:c6)
Destination: Cisco_31:f1:c6 (00:e1:6d:31:f1:c6)
Address: Cisco_31:f1:c6 (00:e1:6d:31:f1:c6)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Cisco_f3:63:46 (00:e1:6d:f3:63:46)
Address: Cisco_f3:63:46 (00:e1:6d:f3:63:46)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.10.10.2 (10.10.10.2), Dst: 10.10.10.1 (10.10.10.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 100
Identification: 0x04ba (1210)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 254
Protocol: ICMP (1)
Header checksum: 0x8fc8 [validation disabled]
[Good: False]
[Bad: False]
Source: 10.10.10.2 (10.10.10.2)
Destination: 10.10.10.1 (10.10.10.1)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0xe4db [correct]
Identifier (BE): 46 (0x002e)
Identifier (LE): 11776 (0x2e00)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
Data (72 bytes)
0000  00 00 00 00 09 c9 8f 77 ab cd ab cd ab cd ab cd   .......w........
0010  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0020  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0030  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0040  ab cd ab cd ab cd ab cd                           ........
Data: 0000000009c98f77abcdabcdabcdabcdabcdabcdabcdabcd...
[Length: 72]
Frame 2: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0
Interface id: 0
Example: Displaying a Packet Dump Output from a .pcap File.
You can display the packet dump output by entering:
Device# show monitor capture file flash:mycap.pcap dump
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
0000  00 e1 6d 31 f1 c6 00 e1 6d f3 63 46 08 00 45 00   ..m1....m.cF..E.
0010  00 64 04 ba 00 00 fe 01 8f c8 0a 0a 0a 02 0a 0a   .d..............
0020  0a 01 08 00 e4 db 00 2e 00 00 00 00 00 00 09 c9   ................
0030  8f 77 ab cd ab cd ab cd ab cd ab cd ab cd ab cd   .w..............
0040  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0050  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0060  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0070  ab cd                                             ..

0000  00 e1 6d 31 f1 80 00 e1 6d 31 f1 80 08 00 45 00   ..m1....m1....E.
0010  00 64 04 ba 00 00 ff 01 8e c8 0a 0a 0a 01 0a 0a   .d..............
0020  0a 02 00 00 ec db 00 2e 00 00 00 00 00 00 09 c9   ................
0030  8f 77 ab cd ab cd ab cd ab cd ab cd ab cd ab cd   .w..............
0040  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0050  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0060  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0070  ab cd                                             ..

0000  00 e1 6d 31 f1 c6 00 e1 6d f3 63 46 08 00 45 00   ..m1....m.cF..E.
0010  00 64 04 bb 00 00 fe 01 8f c7 0a 0a 0a 02 0a 0a   .d..............
0020  0a 01 08 00 e4 d7 00 2e 00 01 00 00 00 00 09 c9   ................
0030  8f 7a ab cd ab cd ab cd ab cd ab cd ab cd ab cd   .z..............
0040  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
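The dump and the detailed display describe the same bytes, so a dump can be decoded offline and checked against the detailed output. The following is an added example, not part of the Cisco guide: it rebuilds the first frame of the dump above from its rows, rejects rows whose offset is out of sequence, decodes the Ethernet, IPv4 and ICMP headers, and verifies both checksums (the detailed display shows the IPv4 header checksum with validation disabled). The function names are chosen for illustration.

```python
import re
import socket
import struct

# Rows of the first frame shown in the dump above (114 bytes on the wire).
DUMP = """\
0000  00 e1 6d 31 f1 c6 00 e1 6d f3 63 46 08 00 45 00   ..m1....m.cF..E.
0010  00 64 04 ba 00 00 fe 01 8f c8 0a 0a 0a 02 0a 0a   .d..............
0020  0a 01 08 00 e4 db 00 2e 00 00 00 00 00 00 09 c9   ................
0030  8f 77 ab cd ab cd ab cd ab cd ab cd ab cd ab cd   .w..............
0040  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0050  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0060  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0070  ab cd                                             ..
"""

# Offset, then at most 16 single-spaced byte values; the ASCII column that
# follows is separated by more than one space and is ignored.
ROW = re.compile(r"^\s*([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{2} ?){1,16})")


def parse_dump(text):
    """Return a list of frames; offset 0000 starts a new frame."""
    frames = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset == 0:
            frames.append(bytearray())
        if not frames or offset != len(frames[-1]):
            raise ValueError("row %04x is out of sequence" % offset)
        frames[-1] += bytes.fromhex(m.group(2))
    return [bytes(f) for f in frames]


def checksum_ok(data):
    """RFC 1071: the folded 16-bit sum, checksum field included, is 0xffff."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def decode_icmp_frame(frame):
    """Decode an Ethernet II / IPv4 / ICMP echo frame into a dict."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short for Ethernet + IPv4 + ICMP")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 1:
        raise ValueError("not ICMP")
    icmp = frame[14 + ihl:14 + total_len]
    icmp_type, _code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]),
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "ttl": ip[8], "icmp_type": icmp_type, "icmp_id": ident, "icmp_seq": seq,
        "data_len": len(icmp) - 8,
        "ip_checksum_ok": checksum_ok(ip), "icmp_checksum_ok": checksum_ok(icmp),
    }


if __name__ == "__main__":
    for frame in parse_dump(DUMP):
        print(len(frame), decode_icmp_frame(frame))
```

A row that is missing or duplicated, for example in a dump pasted from a paged terminal session, raises ValueError instead of producing a silently shifted frame.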
Example: Displaying Packets from a .pcap File using a Display Filter
You can display the .pcap file packets output by entering:
Device# show monitor capture file flash:mycap.pcap display-filter "ip.src == 10.10.10.2" brief
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
1 0.000000000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=0/0, ttl=254
3 0.000908000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=1/256, ttl=254
5 0.002961000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=2/512, ttl=254
7 0.004835000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=3/768, ttl=254
9 0.006850000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=4/1024, ttl=254
11 0.008768000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=5/1280, ttl=254
13 0.010695000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=6/1536, ttl=254
15 0.012728000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=7/1792, ttl=254
17 0.014652000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=8/2048, ttl=254
19 0.016682000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=9/2304, ttl=254
21 0.018655000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=10/2560, ttl=254
23 0.020575000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x002e, seq=11/2816, ttl=254
Example: Displaying the Number of Packets Captured in a .pcap File
You can display the number of packets captured in a .pcap file by entering:
Device# show monitor capture file flash:mycap.pcap packet-count
File name: /flash/mycap.pcap
Number of packets: 50
Example: Displaying a Single Packet Dump from a .pcap File
You can display a single packet dump from a .pcap file by entering:
Device# show monitor capture file flash:mycap.pcap packet-number 10 dump
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
0000  00 e1 6d 31 f1 80 00 e1 6d 31 f1 80 08 00 45 00   ..m1....m1....E.
0010  00 64 04 be 00 00 ff 01 8e c4 0a 0a 0a 01 0a 0a   .d..............
0020  0a 02 00 00 ec ce 00 2e 00 04 00 00 00 00 09 c9   ................
0030  8f 80 ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0040  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0050  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0060  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0070  ab cd
Example: Displaying Statistics of Packets Captured in a .pcap File
You can display the statistics of the packets captured in a .pcap file by entering:
Device# show monitor capture file flash:mycap.pcap statistics "h225,counter"
================== H225 Message and Reason Counter ==================
RAS-Messages:
Call Signalling:
=====================================================================
Example: Simple Capture and Display
This example shows how to monitor traffic in the Layer 3 interface Gigabit Ethernet 1/0/1:
Step 1: Define a capture point to match on the relevant traffic by entering:
Device# monitor capture mycap interface GigabitEthernet1/0/3 in
Device# monitor capture mycap match ipv4 any any
Device# monitor capture mycap limit duration 60 packets 50
Device# monitor capture mycap buffer size 100
To avoid high CPU utilization, a low packet count and duration have been set as limits.
Step 2: Confirm that the capture point has been correctly defined by entering:
Device# show monitor capture mycap parameter
monitor capture mycap interface GigabitEthernet1/0/3 in
monitor capture mycap match ipv4 any any
monitor capture mycap buffer size 100
monitor capture mycap limit packets 50 duration 60
Device# show monitor capture mycap
Status Information for Capture mycap
Target Type:
Interface: GigabitEthernet1/0/3, Direction: in
Status : Inactive
Filter Details:
IPv4
Source IP: any
Destination IP: any
Protocol: any
Buffer Details:
Buffer Type: LINEAR (default)
Buffer Size (in MB): 100
File Details:
File not associated
Limit Details:
Number of Packets to capture: 50
Packet Capture duration: 60
Packet Size to capture: 0 (no limit)
Packet sampling rate: 0 (no sampling)
Step 3: Start the capture process and display the results.
Device# monitor capture mycap start display
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
1 0.000000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0030, seq=0/0, ttl=254
2 0.003682 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0030, seq=1/256, ttl=254
3 0.006586 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0030, seq=2/512, ttl=254
4 0.008941 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0030, seq=3/768, ttl=254
5 0.011138 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0030, seq=4/1024, ttl=254
6 0.014099 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0030, seq=5/1280, ttl=254
7 0.016868 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0030, seq=6/1536, ttl=254
8 0.019210 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0030, seq=7/1792, ttl=254
9 0.024785 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0030, seq=8/2048, ttl=254
--More--
Step 4: Delete the capture point by entering:
Device# no monitor capture mycap
Note
A stop command is not required in this particular case since we have set a limit and the capture will
automatically stop once that limit is reached.
For more information on syntax to be used for pcap statistics, refer to the "Additional References" section.
Related Topics
Defining a Capture Point, on page 150
Adding or Modifying Capture Point Parameters, on page 153
Deleting Capture Point Parameters, on page 155
Deleting a Capture Point, on page 156
Activating and Deactivating a Capture Point, on page 158
Clearing the Capture Point Buffer, on page 161
How to Configure Wireshark, on page 149
Capture Points, on page 141
Attachment Points, on page 141
Example: Simple Capture and Store
This example shows how to capture packets to a filter:
Step 1: Define a capture point to match on the relevant traffic and associate it to a file by entering:
Device# monitor capture mycap interface GigabitEthernet1/0/3 in
Device# monitor capture mycap match ipv4 any any
Device# monitor capture mycap limit duration 60 packets 50
Device# monitor capture mycap file location flash:mycap.pcap
Step 2: Confirm that the capture point has been correctly defined by entering:
Device# show monitor capture mycap parameter
monitor capture mycap interface GigabitEthernet1/0/3 in
monitor capture mycap match ipv4 any any
monitor capture mycap file location flash:mycap.pcap
monitor capture mycap limit packets 50 duration 60
Device# show monitor capture mycap
Status Information for Capture mycap
Target Type:
Interface: GigabitEthernet1/0/3, Direction: in
Status : Inactive
Filter Details:
IPv4
Source IP: any
Destination IP: any
Protocol: any
Buffer Details:
Buffer Type: LINEAR (default)
File Details:
Associated file name: flash:mycap.pcap
Limit Details:
Number of Packets to capture: 50
Packet Capture duration: 60
Packet Size to capture: 0 (no limit)
Packet sampling rate: 0 (no sampling)
Step 3: Launch packet capture by entering:
Device# monitor capture mycap start
Step 4: Display extended capture statistics during runtime by entering:
Device# show monitor capture mycap capture-statistics
Capture statistics collected at software:
Capture duration - 15 seconds
Packets received - 40
Packets dropped - 0
Packets oversized - 0
Packets errored - 0
Packets sent - 40
Bytes received - 7280
Bytes dropped - 0
Bytes oversized - 0
Bytes errored - 0
Bytes sent - 4560
Step 5: After sufficient time has passed, stop the capture by entering:
Device# monitor capture mycap stop
Capture statistics collected at software (Buffer & Wireshark):
Capture duration - 20 seconds
Packets received - 50
Packets dropped - 0
Packets oversized - 0
Note
Alternatively, you could allow the capture operation to stop automatically after the time has elapsed or the
packet count has been met.
The mycap.pcap file now contains the captured packets.
Step 6: Display extended capture statistics after stop by entering:
Device# show monitor capture mycap capture-statistics
Capture statistics collected at software:
Capture duration - 20 seconds
Packets received - 50
Packets dropped - 0
Packets oversized - 0
Packets errored - 0
Packets sent - 50
Bytes received - 8190
Bytes dropped - 0
Bytes oversized - 0
Bytes errored - 0
Bytes sent - 5130
Step 7: Display the packets by entering:
Device# show monitor capture file flash:mycap.pcap
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
1 0.000000000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0031, seq=0/0, ttl=254
2 0.002555000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0031, seq=1/256, ttl=254
3 0.006199000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0031, seq=2/512, ttl=254
4 0.009199000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0031, seq=3/768, ttl=254
5 0.011647000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0031, seq=4/1024, ttl=254
6 0.014168000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0031, seq=5/1280, ttl=254
7 0.016737000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0031, seq=6/1536, ttl=254
8 0.019403000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0031, seq=7/1792, ttl=254
9 0.022151000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0031, seq=8/2048, ttl=254
10 0.024722000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0031, seq=9/2304, ttl=254
11 0.026890000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0031, seq=10/2560, ttl=254
12 0.028862000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0031, seq=11/2816, ttl=254
--More--
For more information on the syntax to be used for pcap statistics, refer to the "Additional References" section.
Step 8: Delete the capture point by entering:
Device# no monitor capture mycap
Related Topics
Defining a Capture Point, on page 150
Adding or Modifying Capture Point Parameters, on page 153
Deleting Capture Point Parameters, on page 155
Deleting a Capture Point, on page 156
Activating and Deactivating a Capture Point, on page 158
Clearing the Capture Point Buffer, on page 161
How to Configure Wireshark, on page 149
Capture Points, on page 141
Attachment Points, on page 141
Example: Using Buffer Capture
This example shows how to use buffer capture:
Step 1: Launch a capture session with the buffer capture option by entering:
Device# monitor capture mycap interface GigabitEthernet1/0/3 in
Device# monitor capture mycap match ipv4 any any
Device# monitor capture mycap buffer circular size 1
Device# monitor capture mycap start
Step 2: Determine whether the capture is active by entering:
Device# show monitor capture mycap
Status Information for Capture mycap
Target Type:
Interface: GigabitEthernet1/0/3, Direction: in
Status : Active
Filter Details:
IPv4
Source IP: any
Destination IP: any
Protocol: any
Buffer Details:
Buffer Type: CIRCULAR
Buffer Size (in MB): 1
File Details:
File not associated
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
Step 3: Display extended capture statistics during runtime by entering:
Device# show monitor capture mycap capture-statistics
Capture statistics collected at software:
Capture duration - 88 seconds
Packets received - 1000
Packets dropped - 0
Packets oversized - 0
Packets errored - 0
Packets sent - 1000
Bytes received - 182000
Bytes dropped - 0
Bytes oversized - 0
Bytes errored - 0
Bytes sent - 114000
Step 4: Stop the capture by entering:
Device# monitor capture mycap stop
Capture statistics collected at software (Buffer):
Capture duration - 2185 seconds
Packets received - 51500
Packets dropped - 0
Packets oversized - 0
Step 5: Display extended capture statistics after stop by entering:
Device# show monitor capture mycap capture-statistics
Capture statistics collected at software:
Capture duration - 156 seconds
Packets received - 2000
Packets dropped - 0
Packets oversized - 0
Packets errored - 0
Packets sent - 2000
Bytes received - 364000
Bytes dropped - 0
Bytes oversized - 0
Bytes errored - 0
Bytes sent - 228000
Step 6: Determine whether the capture is active by entering:
Device# show monitor capture mycap
Status Information for Capture mycap
Target Type:
Interface: GigabitEthernet1/0/3, Direction: in
Status : Inactive
Filter Details:
IPv4
Source IP: any
Destination IP: any
Protocol: any
Buffer Details:
Buffer Type: CIRCULAR
Buffer Size (in MB): 1
File Details:
File not associated
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
Step 7: Display the packets in the buffer by entering:
Device# show monitor capture mycap buffer brief
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
1 0.000000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40057/31132, ttl=254
2 0.000030 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40058/31388, ttl=254
3 0.000052 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40059/31644, ttl=254
4 0.000073 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40060/31900, ttl=254
5 0.000094 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40061/32156, ttl=254
6 0.000115 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40062/32412, ttl=254
7 0.000137 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40063/32668, ttl=254
8 0.000158 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40064/32924, ttl=254
9 0.000179 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40065/33180, ttl=254
10 0.000200 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40066/33436, ttl=254
11 0.000221 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40067/33692, ttl=254
12 0.000243 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40068/33948, ttl=254
--More--
Notice that the packets have been buffered.
Step 8: Display the packets in other display modes.
Device# show monitor capture mycap buffer detailed
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
Frame 1: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0
Interface id: 0
Encapsulation type: Ethernet (1)
Arrival Time: Nov 6, 2015 18:10:06.297972000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1446833406.297972000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 114 bytes (912 bits)
Capture Length: 114 bytes (912 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:icmp:data]
Ethernet II, Src: Cisco_f3:63:46 (00:e1:6d:f3:63:46), Dst: Cisco_31:f1:c6 (00:e1:6d:31:f1:c6)
Destination: Cisco_31:f1:c6 (00:e1:6d:31:f1:c6)
Address: Cisco_31:f1:c6 (00:e1:6d:31:f1:c6)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Cisco_f3:63:46 (00:e1:6d:f3:63:46)
Address: Cisco_f3:63:46 (00:e1:6d:f3:63:46)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.10.10.2 (10.10.10.2), Dst: 10.10.10.1 (10.10.10.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 100
Identification: 0xabdd (43997)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 254
Protocol: ICMP (1)
Header checksum: 0xe8a4 [validation disabled]
[Good: False]
[Bad: False]
Source: 10.10.10.2 (10.10.10.2)
Destination: 10.10.10.1 (10.10.10.1)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0xa620 [correct]
Identifier (BE): 56 (0x0038)
Identifier (LE): 14336 (0x3800)
Sequence number (BE): 40057 (0x9c79)
Sequence number (LE): 31132 (0x799c)
Data (72 bytes)
0000  00 00 00 00 0b 15 30 63 ab cd ab cd ab cd ab cd   ......0c........
0010  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0020  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0030  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0040  ab cd ab cd ab cd ab cd                           ........
Data: 000000000b153063abcdabcdabcdabcdabcdabcdabcdabcd...
[Length: 72]
Frame 2: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0
Device# show monitor capture mycap buffer dump
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
0000  00 e1 6d 31 f1 c6 00 e1 6d f3 63 46 08 00 45 00   ..m1....m.cF..E.
0010  00 64 ab dd 00 00 fe 01 e8 a4 0a 0a 0a 02 0a 0a   .d..............
0020  0a 01 08 00 a6 20 00 38 9c 79 00 00 00 00 0b 15   ..... .8.y......
0030  30 63 ab cd ab cd ab cd ab cd ab cd ab cd ab cd   0c..............
0040  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0050  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0060  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0070  ab cd                                             ..

0000  00 e1 6d 31 f1 c6 00 e1 6d f3 63 46 08 00 45 00   ..m1....m.cF..E.
0010  00 64 ab de 00 00 fe 01 e8 a3 0a 0a 0a 02 0a 0a   .d..............
0020  0a 01 08 00 a6 1d 00 38 9c 7a 00 00 00 00 0b 15   .......8.z......
0030  30 65 ab cd ab cd ab cd ab cd ab cd ab cd ab cd   0e..............
0040  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0050  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0060  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0070  ab cd                                             ..
Step 9: Clear the buffer by entering:
Device# monitor capture mycap clear
Note
Clearing the buffer deletes the buffer along with its contents.
Note
If you need to display the buffer contents, run the show commands before the clear command.
Step 10: Restart the traffic, wait for 10 seconds, then display the buffer contents by entering:
Note
You cannot run show on the buffer during an active capture; stop the capture before running show on the
buffer. You can, however, run show on a pcap file during an active capture in both file and buffer mode.
In file mode, you can also display the packets in the current capture session's pcap file while the
capture is active.
Device# monitor capture mycap start
Switch# show monitor capture mycap
Status Information for Capture mycap
Target Type:
Interface: GigabitEthernet1/0/3, Direction: in
Status : Active
Filter Details:
IPv4
Source IP: any
Destination IP: any
Protocol: any
Buffer Details:
Buffer Type: CIRCULAR
Buffer Size (in MB): 1
File Details:
File not associated
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
Step 11: Stop the packet capture and display the buffer contents by entering:
Device# monitor capture mycap stop
Capture statistics collected at software (Buffer):
Capture duration - 111 seconds
Packets received - 5000
Packets dropped - 0
Packets oversized - 0
Step 12: Determine whether the capture is active by entering:
Device# show monitor capture mycap
Status Information for Capture mycap
Target Type:
Interface: GigabitEthernet1/0/3, Direction: in
Status : Inactive
Filter Details:
IPv4
Source IP: any
Destination IP: any
Protocol: any
Buffer Details:
Buffer Type: CIRCULAR
Buffer Size (in MB): 1
File Details:
File not associated
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
Step 13: Display the packets in the buffer by entering:
Device# show monitor capture mycap buffer brief
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
1 0.000000000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=0/0, ttl=254
2 0.000030000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=1/256, ttl=254
3 0.000051000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=2/512, ttl=254
4 0.000072000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=3/768, ttl=254
5 0.000093000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=4/1024, ttl=254
6 0.000114000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=5/1280, ttl=254
7 0.000136000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=6/1536, ttl=254
8 0.000157000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=7/1792, ttl=254
9 0.000178000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=8/2048, ttl=254
10 0.000199000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=9/2304, ttl=254
11 0.000220000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=10/2560, ttl=254
12 0.000241000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=11/2816, ttl=254
--More--
Step 14: Store the buffer contents to the mycap.pcap file in the internal flash: storage device by entering:
Device# monitor capture mycap export flash:mycap.pcap
Exported Successfully
Note
In the current implementation, the export command returns the prompt to the user when the export has
"started" but is not yet complete. You must therefore wait for a message from Wireshark to be displayed on
the console before you can display the packets in the file.
Step 15: Display capture packets from the file by entering:
Device# show monitor capture file flash:mycap.pcap
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
1 0.000000000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=0/0, ttl=254
2 0.000030000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=1/256, ttl=254
3 0.000051000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=2/512, ttl=254
4 0.000072000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=3/768, ttl=254
5 0.000093000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=4/1024, ttl=254
6 0.000114000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=5/1280, ttl=254
7 0.000136000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=6/1536, ttl=254
8 0.000157000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=7/1792, ttl=254
9 0.000178000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=8/2048, ttl=254
10 0.000199000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=9/2304, ttl=254
11 0.000220000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=10/2560, ttl=254
12 0.000241000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=11/2816, ttl=254
--More--
Step 16: Delete the capture point by entering:
Device# no monitor capture mycap
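The detailed and dump views in Step 8 describe the same frame. The following added example (not part of the Cisco guide) rebuilds frame 1 from its dump text, decodes the Ethernet, IPv4 and ICMP headers so they can be compared with the detailed output, and recomputes both checksums. The function names are illustrative; the bytes are the ones printed in Step 8.

```python
import re
import struct

# Frame 1 as "show monitor capture mycap buffer dump" prints it in Step 8
# (offset, up to 16 hex bytes, ASCII column), embedded so this runs offline.
DUMP = """\
0000  00 e1 6d 31 f1 c6 00 e1 6d f3 63 46 08 00 45 00   ..m1....m.cF..E.
0010  00 64 ab dd 00 00 fe 01 e8 a4 0a 0a 0a 02 0a 0a   .d..............
0020  0a 01 08 00 a6 20 00 38 9c 79 00 00 00 00 0b 15   ..... .8.y......
0030  30 63 ab cd ab cd ab cd ab cd ab cd ab cd ab cd   0c..............
0040  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0050  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0060  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0070  ab cd                                             ..
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_dump(text):
    """Rebuild the raw frame from offset/hex/ASCII dump lines."""
    frame = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        offset = int(tokens[0].rstrip(":"), 16)
        if offset != len(frame):
            raise ValueError(f"line at {tokens[0]} does not follow {len(frame)} bytes")
        for token in tokens[1:17]:
            if not HEX_BYTE.match(token):
                break  # first non-hex token starts the ASCII column
            frame.append(int(token, 16))
    return bytes(frame)


def inet_checksum(data):
    """RFC 1071 checksum; 0 means the embedded checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_frame(frame):
    """Decode Ethernet II / IPv4 / ICMP fields and verify both checksums."""
    if len(frame) < 34:
        raise ValueError("too short for Ethernet + IPv4 headers")
    fields = {
        "eth_dst": frame[0:6].hex(":"),
        "eth_src": frame[6:12].hex(":"),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
    }
    if fields["ethertype"] != 0x0800:
        return fields  # not IPv4; nothing more to decode here
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(ip):
        raise ValueError("malformed IPv4 header")
    fields.update(
        ip_src=".".join(map(str, ip[12:16])),
        ip_dst=".".join(map(str, ip[16:20])),
        ip_id=ident, ttl=ttl, protocol=proto, total_length=total_len,
        ip_checksum_ok=inet_checksum(ip[:ihl]) == 0,
        # False means a truncated capture or a misparsed dump line.
        complete=len(ip) >= total_len,
    )
    icmp = ip[ihl:total_len]
    unfragmented = frag & 0x3FFF == 0  # MF clear and fragment offset 0
    if proto == 1 and unfragmented and fields["complete"] and len(icmp) >= 8:
        icmp_type, code, _c, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
        fields.update(icmp_type=icmp_type, icmp_code=code, icmp_id=icmp_id,
                      icmp_seq=seq, icmp_checksum_ok=inet_checksum(icmp) == 0)
    return fields


if __name__ == "__main__":
    for key, value in decode_frame(parse_dump(DUMP)).items():
        print(f"{key:16} {value}")
```

The detailed view reports the IPv4 header checksum as "validation disabled"; recomputing it offline, as here, confirms that 0xe8a4 is correct for this header.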
Related Topics
Defining a Capture Point, on page 150
Adding or Modifying Capture Point Parameters, on page 153
Deleting Capture Point Parameters, on page 155
Deleting a Capture Point, on page 156
Activating and Deactivating a Capture Point, on page 158
Clearing the Capture Point Buffer, on page 161
How to Configure Wireshark, on page 149
Capture Points, on page 141
Attachment Points, on page 141
Example: Simple Capture and Store of Packets in Egress Direction
This example shows how to capture packets to a filter:
Step 1: Define a capture point to match on the relevant traffic and associate it to a file by entering:
Device# monitor capture mycap interface Gigabit 1/0/1 out match ipv4 any any
Device# monitor capture mycap limit duration 60 packets 100
Device# monitor capture mycap file location flash:mycap.pcap buffer-size 90
Step 2: Confirm that the capture point has been correctly defined by entering:
Device# show monitor capture mycap parameter
monitor capture mycap interface GigabitEthernet1/0/1 out
monitor capture mycap match ipv4 any any
monitor capture mycap file location flash:mycap.pcap buffer-size 90
monitor capture mycap limit packets 100 duration 60
Device# show monitor capture mycap
Status Information for Capture mycap
Target Type:
Interface: GigabitEthernet1/0/1, Direction: out
Status : Inactive
Filter Details:
IPv4
Source IP: any
Destination IP: any
Protocol: any
Buffer Details:
Buffer Type: LINEAR (default)
File Details:
Associated file name: flash:mycap.pcap
Size of buffer(in MB): 90
Limit Details:
Number of Packets to capture: 100
Packet Capture duration: 60
Packet Size to capture: 0 (no limit)
Packets per second: 0 (no limit)
Packet sampling rate: 0 (no sampling)
Step 3: Launch packet capture by entering:
Device# monitor capture mycap start
A file by the same capture file name already exists, overwrite?[confirm]
Turning on lock-step mode
Device#
*Oct 14 09:35:32.661: %BUFCAP-6-ENABLE: Capture Point mycap enabled.
Note
Allow the capture operation to stop automatically after the time has elapsed or the packet count has been
met. When you see the following message in the output, you will know that the capture operation has stopped:
*Oct 14 09:36:34.632: %BUFCAP-6-DISABLE_ASYNC: Capture Point mycap disabled. Reason : Wireshark Session Ended
The mycap.pcap file now contains the captured packets.
Step 4: Display the packets by entering:
Device# show monitor capture file flash:mycap.pcap
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
0.000000 10.1.1.30 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
1.000000 10.1.1.31 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
2.000000 10.1.1.32 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
3.000000 10.1.1.33 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
4.000000 10.1.1.34 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
5.000000 10.1.1.35 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
6.000000 10.1.1.36 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
7.000000 10.1.1.37 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
8.000000 10.1.1.38 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
9.000000 10.1.1.39 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
Step 5: Delete the capture point by entering:
Device# no monitor capture mycap
Related Topics
Defining a Capture Point, on page 150
Adding or Modifying Capture Point Parameters, on page 153
Deleting Capture Point Parameters, on page 155
Deleting a Capture Point, on page 156
Activating and Deactivating a Capture Point, on page 158
Clearing the Capture Point Buffer, on page 161
How to Configure Wireshark, on page 149
Capture Points, on page 141
Attachment Points, on page 141
Configuration Examples for Embedded Packet Capture
Example: Managing Packet Data Capture
The following example shows how to manage packet data capture:
Device> enable
Device# monitor capture mycap start
Device# monitor capture mycap access-list v4acl
Device# monitor capture mycap limit duration 1000
Device# monitor capture mycap interface GigabitEthernet 0/0/1 both
Device# monitor capture mycap buffer circular size 10
Device# monitor capture mycap start
Device# monitor capture mycap export tftp://10.1.88.9/mycap.pcap
Device# monitor capture mycap stop
Device# end
Related Topics
Managing Packet Data Capture, on page 163
Packet Data Capture, on page 149
Example: Monitoring and Maintaining Captured Data
The following example shows how to dump packets in ASCII format:
Device# show monitor capture mycap buffer dump
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
0
0000: 01005E00 00020000 0C07AC1D 080045C0 ..^...........E.
0010: 00300000 00000111 CFDC091D 0002E000 .0..............
0020: 000207C1 07C1001C 802A0000 10030AFA .........*......
0030: 1D006369 73636F00 0000091D 0001 ..example.......
1
0000: 01005E00 0002001B 2BF69280 080046C0 ..^.....+.....F.
0010: 00200000 00000102 44170000 0000E000 . ......D.......
0020: 00019404 00001700 E8FF0000 0000 ..............
2
0000: 01005E00 0002001B 2BF68680 080045C0 ..^.....+.....E.
0010: 00300000 00000111 CFDB091D 0003E000 .0..............
0020: 000207C1 07C1001C 88B50000 08030A6E ...............n
0030: 1D006369 73636F00 0000091D 0001 ..example.......
3
0000: 01005E00 000A001C 0F2EDC00 080045C0 ..^...........E.
0010: 003C0000 00000258 CE7F091D 0004E000 .<.....X........
0020: 000A0205 F3000000 00000000 00000000 ................
0030: 00000000 00D10001 000C0100 01000000 ................
0040: 000F0004 00080501 0300
The following example shows how to display the list of commands used to configure the capture named
mycap:
Device# show monitor capture mycap parameter
monitor capture mycap interface GigabitEthernet 1/0/1 both
monitor capture mycap match any
monitor capture mycap buffer size 10
monitor capture mycap limit pps 1000
The following example shows how to debug the capture point:
Device# debug epc capture-point
EPC capture point operations debugging is on
Device# monitor capture mycap start
*Jun 4 14:17:15.463: EPC CP: Starting the capture cap1
*Jun 4 14:17:15.463: EPC CP: (brief=3, detailed=4, dump=5) = 0
*Jun 4 14:17:15.463: EPC CP: final check before activation
*Jun 4 14:17:15.463: EPC CP: setting up c3pl infra
*Jun 4 14:17:15.463: EPC CP: Setup c3pl acl-class-policy
*Jun 4 14:17:15.463: EPC CP: Creating a class
*Jun 4 14:17:15.464: EPC CP: Creating a class : Successful
*Jun 4 14:17:15.464: EPC CP: class-map Created
*Jun 4 14:17:15.464: EPC CP: creating policy-name epc_policy_cap1
*Jun 4 14:17:15.464: EPC CP: Creating Policy epc_policy_cap1 of type 49 and client type 21
*Jun 4 14:17:15.464: EPC CP: Storing a Policy
*Jun 4 14:17:15.464: EPC CP: calling ppm_store_policy with epc_policy
*Jun 4 14:17:15.464: EPC CP: Creating Policy : Successful
*Jun 4 14:17:15.464: EPC CP: policy-map created
*Jun 4 14:17:15.464: EPC CP: creating filter for ANY
*Jun 4 14:17:15.464: EPC CP: Adding acl to class : Successful
*Jun 4 14:17:15.464: EPC CP: Setup c3pl class to policy
*Jun 4 14:17:15.464: EPC CP: Attaching Class to Policy
*Jun 4 14:17:15.464: EPC CP: Attaching epc_class_cap1 to epc_policy_cap1
*Jun 4 14:17:15.464: EPC CP: Attaching Class to Policy : Successful
*Jun 4 14:17:15.464: EPC CP: setting up c3pl qos
*Jun 4 14:17:15.464: EPC CP: DBG> Set packet rate limit to 1000
*Jun 4 14:17:15.464: EPC CP: creating action for policy_map epc_policy_cap1 class_map
epc_class_cap1
*Jun 4 14:17:15.464: EPC CP: DBG> Set packet rate limit to 1000
*Jun 4 14:17:15.464: EPC CP: Activating Interface GigabitEthernet1/0/1 direction both
*Jun 4 14:17:15.464: EPC CP: Id attached 0
*Jun 4 14:17:15.464: EPC CP: inserting into active lists
*Jun 4 14:17:15.464: EPC CP: Id attached 0
*Jun 4 14:17:15.465: EPC CP: inserting into active lists
*Jun 4 14:17:15.465: EPC CP: Activating Vlan
*Jun 4 14:17:15.465: EPC CP: Deleting all temp interfaces
*Jun 4 14:17:15.465: %BUFCAP-6-ENABLE: Capture Point cap1 enabled.
*Jun 4 14:17:15.465: EPC CP: Active Capture 1
Device# monitor capture mycap1 stop
*Jun 4 14:17:31.963: EPC CP: Stopping the capture cap1
*Jun 4 14:17:31.963: EPC CP: Warning: unable to unbind capture cap1
*Jun 4 14:17:31.963: EPC CP: Deactivating policy-map
*Jun 4 14:17:31.963: EPC CP: Policy epc_policy_cap1
*Jun 4 14:17:31.964: EPC CP: Deactivating policy-map Successful
*Jun 4 14:17:31.964: EPC CP: removing povision feature
*Jun 4 14:17:31.964: EPC CP: Found action for policy-map epc_policy_cap1 class-map
epc_class_cap1
*Jun 4 14:17:31.964: EPC CP: cleanning up c3pl infra
*Jun 4 14:17:31.964: EPC CP: Removing Class epc_class_cap1 from Policy
*Jun 4 14:17:31.964: EPC CP: Removing Class from epc_policy_cap1
*Jun 4 14:17:31.964: EPC CP: Successfully removed
*Jun 4 14:17:31.964: EPC CP: Removing acl mac from class
*Jun 4 14:17:31.964: EPC CP: Removing acl from class : Successful
*Jun 4 14:17:31.964: EPC CP: Removing all policies
*Jun 4 14:17:31.964: EPC CP: Removing Policy epc_policy_cap1
*Jun 4 14:17:31.964: EPC CP: Removing Policy : Successful
*Jun 4 14:17:31.964: EPC CP: Removing class epc_class_cap1
*Jun 4 14:17:31.965: EPC CP: Removing class : Successful
*Jun 4 14:17:31.965: %BUFCAP-6-DISABLE: Capture Point cap1 disabled.
*Jun 4 14:17:31.965: EPC CP: Active Capture 0
The following example shows how to debug the Embedded Packet Capture (EPC) provisioning:
Device# debug epc provision
EPC provisionioning debugging is on
Device# monitor capture mycap start
*Jun 4 14:17:54.991: EPC PROV: No action found for policy-map epc_policy_cap1 class-map
epc_class_cap1
*Jun 4 14:17:54.991: EPC PROV:
*Jun 4 14:17:54.991: Attempting to install service policy epc_policy_cap1
*Jun 4 14:17:54.992: EPC PROV: Attached service policy to epc idb subblock
*Jun 4 14:17:54.992: EPC PROV: Successful. Create feature object
*Jun 4 14:17:54.992: EPC PROV:
*Jun 4 14:17:54.992: Attempting to install service policy epc_policy_cap1
*Jun 4 14:17:54.992: EPC PROV: Successful. Create feature object
*Jun 4 14:17:54.992: %BUFCAP-6-ENABLE: Capture Point cap1 enabled.
Device# monitor capture mycap stop
*Jun 4 14:18:02.503: EPC PROV: Successful. Remove feature object
*Jun 4 14:18:02.504: EPC PROV: Successful. Remove feature object
*Jun 4 14:18:02.504: EPC PROV: Destroyed epc idb subblock
*Jun 4 14:18:02.504: EPC PROV: Found action for policy-map epc_policy_cap1 class-map
epc_class_cap1
*Jun 4 14:18:02.504: EPC PROV: Deleting EPC action
*Jun 4 14:18:02.504: EPC PROV: Successful. CLASS_REMOVE, policy-map epc_policy_cap1, class
epc_class_cap1
*Jun 4 14:18:02.504: %BUFCAP-6-DISABLE: Capture Point cap1 disabled.
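The %BUFCAP-6-ENABLE, %BUFCAP-6-DISABLE and %BUFCAP-6-DISABLE_ASYNC messages shown in these examples mark when a capture point starts and stops. The following added example (not part of the Cisco guide) pairs them into capture sessions from collected syslog text, so that captures which ran longer than expected or were never stopped stand out in an audit. The function names, the 300-second default and the year are assumptions; the year is needed because these timestamps do not carry one.

```python
import re
from datetime import datetime

# Sample syslog. The first six lines use timestamps and message text shown in
# this guide; the last line is constructed to show a capture left running.
LOG = """\
*Jun 4 14:17:15.465: %BUFCAP-6-ENABLE: Capture Point cap1 enabled.
*Jun 4 14:17:31.965: %BUFCAP-6-DISABLE: Capture Point cap1 disabled.
*Jun 4 14:17:54.992: %BUFCAP-6-ENABLE: Capture Point cap1 enabled.
*Jun 4 14:18:02.504: %BUFCAP-6-DISABLE: Capture Point cap1 disabled.
*Oct 14 09:35:32.661: %BUFCAP-6-ENABLE: Capture Point mycap enabled.
*Oct 14 09:36:34.632: %BUFCAP-6-DISABLE_ASYNC: Capture Point mycap disabled. Reason : Wireshark Session Ended
*Oct 14 11:02:10.004: %BUFCAP-6-ENABLE: Capture Point mycap enabled.
"""

BUFCAP = re.compile(
    r"^\*?(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d+): "
    r"%BUFCAP-6-(?P<event>ENABLE|DISABLE_ASYNC|DISABLE): "
    r"Capture Point (?P<name>\S+) (?:enabled|disabled)\."
    r"(?:\s*Reason\s*:\s*(?P<reason>.+))?$"
)


def parse_events(log, year):
    """Yield (time, event, capture name, reason) for each BUFCAP line."""
    for line in log.splitlines():
        m = BUFCAP.match(line.strip())
        if not m:
            continue  # unrelated syslog or debug output
        when = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S.%f")
        yield when, m["event"], m["name"], m["reason"]


def audit(log, max_seconds=300.0, year=2017):
    """Pair enable/disable events per capture point.

    Returns (sessions, findings); findings are (capture name, message) tuples.
    """
    sessions, findings, open_at = [], [], {}
    for when, event, name, reason in parse_events(log, year):
        if event == "ENABLE":
            if name in open_at:
                findings.append((name, "enabled twice without a disable"))
            open_at[name] = when
            continue
        start = open_at.pop(name, None)
        if start is None:
            findings.append((name, "disabled with no matching enable"))
            continue
        seconds = (when - start).total_seconds()
        sessions.append({"name": name, "start": start, "seconds": seconds,
                         "stop_event": event, "reason": reason})
        if seconds > max_seconds:
            findings.append(
                (name, f"ran {seconds:.0f}s, over the {max_seconds:.0f}s limit"))
    for name in open_at:
        findings.append((name, "still enabled at end of log"))
    return sessions, findings


if __name__ == "__main__":
    found_sessions, found = audit(LOG, max_seconds=60)
    for s in found_sessions:
        print(f"{s['name']:8} {s['start']} {s['seconds']:8.3f}s {s['stop_event']}")
    for name, message in found:
        print(f"FINDING {name}: {message}")
```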
Related Topics
Monitoring and Maintaining Captured Data, on page 164
Packet Data Capture, on page 149
Additional References
Related Documents
Related Topic: Display Filters
Document Title: For syntax of Display Filters, refer to: Display Filter Reference
Related Topic: Pcap file statistics
Document Title: For syntax used to display pcap file statistics, refer to "-z" option details at: Tshark Command Reference
Error Message Decoder
Description: To help you research and resolve system error messages in this release, use the Error Message Decoder tool.
Link: https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi
Standards and RFCs
Standard/RFC: None
Title: -
MIBs
MIB: All supported MIBs for this release.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Technical Assistance
Description: The Cisco Support website provides extensive online resources, including documentation and tools for
troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/support
CHAPTER 9
Configuring Flexible NetFlow
• Prerequisites for Flexible NetFlow
• Restrictions for Flexible NetFlow
• Information About Flexible Netflow
• How to Configure Flexible Netflow
• Monitoring Flexible NetFlow
• Configuration Examples for Flexible NetFlow
• Additional References for NetFlow
• Feature Information for Flexible NetFlow
Prerequisites for Flexible NetFlow
The following are prerequisites for your Flexible NetFlow configuration:
• You must configure a source interface. If you do not configure a source interface, the exporter remains
in a disabled state.
• You must configure a valid record name for every flow monitor.
• You must enable IPv6 routing to export the flow records to an IPv6 destination server.
• You must configure the IPFIX export protocol for the flow exporter to export NetFlow records in IPFIX
format.
• You are familiar with the Flexible NetFlow key fields as they are defined in the following commands
in the Cisco IOS Flexible NetFlow Command Reference:
◦ match datalink—Datalink (Layer 2) fields
◦ match flow—Flow identifying fields
◦ match interface—Interface fields
◦ match ipv4—IPv4 fields
◦ match ipv6—IPv6 fields
◦ match transport—Transport layer fields
◦ match flow cts—CTS fields
• You are familiar with the Flexible NetFlow non-key fields as they are defined in the following commands
in the Cisco IOS Flexible NetFlow Command Reference:
◦ collect counter—Counter fields
◦ collect flow—Flow identifying fields
◦ collect interface—Interface fields
◦ collect timestamp—Timestamp fields
◦ collect transport—Transport layer fields
IPv4 Traffic
• The networking device must be configured for IPv4 routing.
• One of the following must be enabled on your device and on any interfaces on which you want to enable
Flexible NetFlow: Cisco Express Forwarding or distributed Cisco Express Forwarding.
IPv6 Traffic
• The networking device must be configured for IPv6 routing.
• One of the following must be enabled on your device and on any interfaces on which you want to enable
Flexible NetFlow: Cisco Express Forwarding IPv6 or distributed Cisco Express Forwarding.
Restrictions for Flexible NetFlow
The following are restrictions for Flexible NetFlow:
• Flexible NetFlow is not supported on the L2 port-channel interface, but is supported on the L2
port-channel member ports.
• Flexible NetFlow is not supported on the L3 port-channel interface, but is supported on the L3
port-channel member ports.
• Traditional NetFlow (TNF) accounting is not supported.
• Flexible NetFlow version 9 and version 10 export formats are supported. However, if you have not
configured the export protocol, version 9 export format is applied by default.
• For wired AVC traffic, only one flow monitor can be configured on one or more Layer 2 or Layer 3
physical interfaces on the system.
• Layer 2, IPv4, and IPv6 traffic types are supported. Multiple flow monitors of different traffic types can
be applied for a given interface and direction. Multiple flow monitors of the same traffic type cannot be
applied for a given interface and direction.
• Layer 2, VLAN and Layer 3 interfaces are supported, but the device does not support SVI and tunnels.
• The following NetFlow table sizes are supported:
| Trim Level | Ingress NetFlow Table | Egress NetFlow Table |
| Network Essentials | 16 K | 16 K |
| Network Advantage | 16 K | 16 K |
• Depending on the switch type, a switch will have one or two forwarding ASICs. The capacities listed
in the above table are on a per-Core/per-ASIC basis.
• The switch can support either one or two cores. Each core has 16K ingress and 16K egress entries,
whereas each TCAM can handle up to 256 ingress and 768 egress entries.
• The NetFlow tables are on separate compartments and cannot be combined. Depending on which core
processed the packet, the flows will be created in the table in the corresponding core.
• The NetFlow hardware implementation supports four hardware samplers. You can select a sampler rate from
1 out of 2 to 1 out of 1024. Both random and deterministic sampling modes are supported.
• NetFlow hardware uses hash tables internally. Hash collisions can occur in the hardware. Therefore, in
spite of the internal overflow Content Addressable Memory (CAM), the actual NetFlow table utilization
could be about 80 percent.
• Depending on the fields that are used for the flow, a single flow could take two consecutive entries. IPv6
and datalink flows also take two entries. In these situations, the effective usage of NetFlow entries is
half the table size, which is separate from the above hash collision limitation.
• The device supports up to 63 flow monitors.
• The NetFlow software implementation supports distributed NetFlow export, so the flows are exported
from the same device in which the flow was created.
• Ingress flows are present in the ASIC that first received the packets for the flow. Egress flows are present
in the ASIC from which the packets actually left the device set up.
• The reported value for the bytes count field (called "bytes long") is the Layer 2 packet size minus 18 bytes. For
classic Ethernet traffic (802.3), this will be accurate. For all other Ethernet types, this field will not be
accurate. Use the "bytes layer2" field, which always reports the accurate Layer 2 packet size. For
information about supported Flexible NetFlow fields, see the Supported Flexible NetFlow Fields section.
• Configuration of IPFIX exporter on an AVC flow monitor is not supported.
• Flexible NetFlow export is not supported on the Ethernet management port, Gi0/0.
• When a flow record has only Source Group Tag (SGT) and Destination Group Tag (DGT) fields (or
only either of the two) and if both the values are not applicable, then a flow will still be created with
zero values for SGT and DGT. The flow records are expected to include source and destination IP
addresses, along with SGT and DGT fields.
• When a QoS-marked packet is received on an interface that has NetFlow configured in the ingress
direction, the QoS value of the packet will be captured by the collector. However, when the packet is
received on an interface that has NetFlow configured in the egress direction, the QoS value of the
packet will not be captured by the collector.
Information About Flexible Netflow
Flexible NetFlow Overview
Flexible NetFlow uses flows to provide statistics for accounting, network monitoring, and network planning.
A flow is a unidirectional stream of packets that arrives on a source interface and has the same values for the
keys. A key is an identified value for a field within the packet. You create a flow using a flow record to define
the unique keys for your flow.
The device supports the Flexible NetFlow feature, which enables enhanced network anomaly and security
detection. Flexible NetFlow allows you to define an optimal flow record for a particular application by selecting
the keys from a large collection of predefined fields.
All key values must match for the packet to count in a given flow. A flow might gather other fields of interest,
depending on the export record version that you configure. Flows are stored in the Flexible NetFlow cache.
You can export the data that Flexible NetFlow gathers for your flow by using an exporter and export this data
to a remote system such as a Flexible NetFlow collector. The Flexible NetFlow collector can use an IPv4
address.
You define the size of the data that you want to collect for a flow using a monitor. The monitor combines the
flow record and exporter with the Flexible NetFlow cache information.
Original NetFlow and Benefits of Flexible NetFlow
Original NetFlow uses a fixed seven-tuple of IP information to identify a flow.
Flexible NetFlow allows the flow to be user defined. The benefits of Flexible NetFlow include:
• High-capacity flow recognition, including scalability and aggregation of flow information.
• Enhanced flow infrastructure for security monitoring and DDoS detection and identification.
• New information from packets to adapt flow information to a particular service or operation in the
network. The flow information available will be customizable by Flexible NetFlow users.
• Extensive use of Cisco’s flexible and extensible NetFlow Version 9 and Version 10 export formats. With
the Version 10 export format, support for a variable-length field for the wireless client's SSID is available.
• A comprehensive IP accounting feature that can be used to replace many accounting features, such as
IP accounting, Border Gateway Protocol (BGP) Policy Accounting, and persistent caches.
Original NetFlow allows you to understand the activities in the network and thus to optimize network design
and reduce operational costs.
Flexible NetFlow allows you to understand network behavior with more efficiency, with specific flow
information tailored for various services used in the network. The following are some example applications
for a Flexible NetFlow feature:
• Flexible NetFlow enhances Cisco NetFlow as a security monitoring tool. For instance, new flow keys
can be defined for packet length or MAC address, allowing users to search for a specific type of attack
in the network.
• Flexible NetFlow allows you to quickly identify how much application traffic is being sent between
hosts by specifically tracking TCP or UDP applications by the class of service (CoS) in the packets.
• The accounting of traffic entering a Multiprotocol Label Switching (MPLS) or IP core network and its
destination for each next hop per class of service. This capability allows the building of an edge-to-edge
traffic matrix.
The figure below is an example of how Flexible NetFlow might be deployed in a network.
Figure 11: Typical Deployment for Flexible NetFlow
Flexible NetFlow Components
Flexible NetFlow consists of components that can be used together in several variations to perform traffic
analysis and data export. The user-defined flow records and the component structure of Flexible NetFlow
facilitate the creation of various configurations for traffic analysis and data export on a networking device
with a minimum number of configuration commands. Each flow monitor can have a unique combination of
flow record, flow exporter, and cache type. If you change a parameter such as the destination IP address for
a flow exporter, it is automatically changed for all the flow monitors that use the flow exporter. The same
flow monitor can be used in conjunction with different flow samplers to sample the same type of network
traffic at different rates on different interfaces. The following sections provide more information on Flexible
NetFlow components:
Flow Records
In Flexible NetFlow, a combination of key and nonkey fields is called a record. Flexible NetFlow records are
assigned to Flexible NetFlow flow monitors to define the cache that is used for storing flow data.
A flow record defines the keys that Flexible NetFlow uses to identify packets in the flow, as well as other
fields of interest that Flexible NetFlow gathers for the flow. You can define a flow record with any combination
of keys and fields of interest. The device supports a rich set of keys. A flow record also defines the types of
counters gathered per flow. You can configure 64-bit packet or byte counters. The device enables the following
match fields as the defaults when you create a flow record:
• match datalink—Layer 2 attributes
• match ipv4—IPv4 attributes
• match ipv6—IPv6 attributes
• match transport—Transport layer fields
Related Topics
Creating a Flow Record
NetFlow Predefined Records
Flexible NetFlow includes several predefined records that you can use to start monitoring traffic in your
network. The predefined records are available to help you quickly deploy Flexible NetFlow and are easier to
use than user-defined flow records. You can choose from a list of already defined records that may meet the
needs for network monitoring. As Flexible NetFlow evolves, popular user-defined flow records will be made
available as predefined records to make them easier to implement.
The predefined records ensure backward compatibility with your existing NetFlow collector configurations
for the data that is exported. Each of the predefined records has a unique combination of key and nonkey
fields that offer you the built-in ability to monitor various types of traffic in your network without customizing
Flexible NetFlow on your router.
Two of the predefined records (NetFlow original and NetFlow IPv4/IPv6 original output), which are functionally
equivalent, emulate original (ingress) NetFlow and the Egress NetFlow Accounting feature in original NetFlow,
respectively. Some of the other Flexible NetFlow predefined records are based on the aggregation cache
schemes available in original NetFlow. The Flexible NetFlow predefined records that are based on the
aggregation cache schemes available in original NetFlow do not perform aggregation. Instead each flow is
tracked separately by the predefined records.
User-Defined Records
Flexible NetFlow enables you to define your own records for a Flexible NetFlow flow monitor cache by
specifying the key and nonkey fields to customize the data collection to your specific requirements. When
you define your own records for a Flexible NetFlow flow monitor cache, they are referred to as user-defined
records. The values in nonkey fields are added to flows to provide additional information about the traffic in
the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for
nonkey fields are taken from only the first packet in the flow. Flexible NetFlow enables you to capture counter
values such as the number of bytes and packets in a flow as nonkey fields.
You can create user-defined records for applications such as QoS and bandwidth monitoring, application and
end user traffic profiling, and security monitoring for DDoS attacks. Flexible NetFlow also includes several
predefined records that emulate original NetFlow. Flexible NetFlow user-defined records provide the capability
to monitor a contiguous section of a packet of a user-configurable size, and use it in a flow record as a key or
a nonkey field along with other fields and attributes of the packet. The section may include any Layer 3 data
from the packet. The packet section fields allow the user to monitor any packet fields that are not covered by
the Flexible NetFlow predefined keys. The ability to analyze packet fields that are not collected with the
predefined keys enables more detailed traffic monitoring, facilitates the investigation of DDoS attacks, and
enables implementation of other security applications such as URL monitoring.
Flexible NetFlow provides predefined types of packet sections of a user-configurable size. The following
Flexible NetFlow commands (used in Flexible NetFlow flow record configuration mode) can be used to
configure the predefined types of packet sections:
• collect ipv4 section header size bytes—Starts capturing the number of bytes specified by the
bytes argument from the beginning of the IPv4 header of each packet.
• collect ipv4 section payload size bytes—Starts capturing bytes immediately after the IPv4 header from
each packet. The number of bytes captured is specified by the bytes argument.
• collect ipv6 section header size bytes—Starts capturing the number of bytes specified by the
bytes argument from the beginning of the IPv6 header of each packet.
• collect ipv6 section payload size bytes—Starts capturing bytes immediately after the IPv6 header from
each packet. The number of bytes captured is specified by the bytes argument.
The bytes values are the sizes in bytes of these fields in the flow record. If the corresponding fragment of the
packet is smaller than the requested section size, Flexible NetFlow will fill the rest of the section field in the
flow record with zeros. If the packet type does not match the requested section type, Flexible NetFlow will
fill the entire section field in the flow record with zeros.
Flexible NetFlow adds a new Version 9 export format field type for the header and packet section types.
Flexible NetFlow will communicate to the NetFlow collector the configured section sizes in the corresponding
Version 9 export template fields. The payload sections will have a corresponding length field that can be used
to collect the actual size of the collected section.
Flexible NetFlow Match Parameters
The following table describes Flexible NetFlow match parameters. You must configure at least one of the
following match parameters for the flow records.
Table 12: Match Parameters
Command: match datalink {dot1q | ethertype | mac | vlan}
Purpose: Specifies a match to datalink or Layer 2 fields. The following command options are available:
• dot1q—Matches to the dot1q field.
• ethertype—Matches to the ethertype of the packet.
• mac—Matches the source or destination MAC fields.
• vlan—Matches to the VLAN that the packet is located on (input or output).

Command: match flow direction
Purpose: Specifies a match to the flow identifying fields.

Command: match interface {input | output}
Purpose: Specifies a match to the interface fields. The following command options are available:
• input—Matches to the input interface.
• output—Matches to the output interface.

Command: match ipv4 {destination | protocol | source | tos | ttl | version}
Purpose: Specifies a match to the IPv4 fields. The following command options are available:
• destination—Matches to the IPv4 destination address-based fields.
• protocol—Matches to the IPv4 protocols.
• source—Matches to the IPv4 source address based fields.
• tos—Matches to the IPv4 Type of Service fields.
• ttl—Matches to the IPv4 Time To Live fields.
• version—Matches to the IP version from the IPv4 header.

Command: match ipv6 {destination | hop-limit | protocol | source | traffic-class | version}
Purpose: Specifies a match to the IPv6 fields. The following command options are available:
• destination—Matches to the IPv6 destination address-based fields.
• hop-limit—Matches to the IPv6 hop limit fields.
• protocol—Matches to the IPv6 payload protocol fields.
• source—Matches to the IPv6 source address based fields.
• traffic-class—Matches to the IPv6 traffic class.
• version—Matches to the IP version from the IPv6 header.

Command: match transport {destination-port | igmp | icmp | source-port}
Purpose: Specifies a match to the Transport Layer fields. The following command options are available:
• destination-port—Matches to the transport destination port.
• icmp—Matches to ICMP fields, including ICMP IPv4 and IPv6 fields.
• igmp—Matches to IGMP fields.
• source-port—Matches to the transport source port.

Command: match flow cts {source | destination} group-tag
Purpose: Specifies a match to the CTS fields support in FNF record. The following command options are available:
• source—Matches to the source of CTS entering the domain.
• destination—Matches to the destination of the CTS leaving the domain.
Flexible NetFlow Collect Parameters
The following table describes the Flexible NetFlow collect parameters.
Table 13: Collect Parameters
Command: collect counter { bytes { layer2 { long } | long } | packets { long } }
Purpose: Collects the counter fields total bytes and total packets.

Command: collect interface {input | output}
Purpose: Collects the fields from the input or output interface.

Command: collect timestamp absolute {first | last}
Purpose: Collects the fields for the absolute time the first packet was seen or the absolute time the most recent packet was last seen (in milliseconds).

Command: collect transport tcp flags
Purpose: Collects the following transport TCP flags:
• ack—TCP acknowledgement flag
• cwr—TCP congestion window reduced flag
• ece—TCP ECN echo flag
• fin—TCP finish flag
• psh—TCP push flag
• rst—TCP reset flag
• syn—TCP synchronize flag
• urg—TCP urgent flag
Note: On the device, you cannot specify which TCP flag to collect. You can only specify to collect transport TCP flags. All TCP flags will be collected with this command.
Flow Exporters
Flow exporters export the data in the flow monitor cache to a remote system, such as a server running NetFlow
collector, for analysis and storage. Flow exporters are created as separate entities in the configuration. Flow
exporters are assigned to flow monitors to provide data export capability for the flow monitors. You can create
several flow exporters and assign them to one or more flow monitors to provide several export destinations.
You can create one flow exporter and apply it to several flow monitors.
NetFlow Data Export Format Version 9
The basic output of NetFlow is a flow record. Several different formats for flow records have evolved as
NetFlow has matured. The most recent evolution of the NetFlow export format is known as Version 9. The
distinguishing feature of the NetFlow Version 9 export format is that it is template-based. Templates provide
an extensible design to the record format, a feature that should allow future enhancements to NetFlow services
without requiring concurrent changes to the basic flow-record format. Using templates provides several key
benefits:
• Third-party business partners who produce applications that provide collector or display services for
NetFlow do not have to recompile their applications each time a new NetFlow feature is added. Instead,
they should be able to use an external data file that documents the known template formats.
• New features can be added to NetFlow quickly without breaking current implementations.
• NetFlow is “future-proofed” against new or developing protocols because the Version 9 format can be
adapted to provide support for them.
The Version 9 export format consists of a packet header followed by one or more template flow or data flow
sets. A template flow set provides a description of the fields that will be present in future data flow sets. These
data flow sets may occur later within the same export packet or in subsequent export packets. Template flow
and data flow sets can be intermingled within a single export packet, as illustrated in the figure below.
Figure 12: Version 9 Export Packet
NetFlow Version 9 will periodically export the template data so the NetFlow collector will understand what
data is to be sent and also export the data flow set for the template. The key advantage to Flexible NetFlow
is that the user configures a flow record, which is effectively converted to a Version 9 template and then
forwarded to the collector. The figure below is a detailed example of the NetFlow Version 9 export format,
including the header, template flow, and data flow sets.
Figure 13: Detailed Example of the NetFlow Version 9 Export Format
For more information on the Version 9 export format, refer to the white paper titled Cisco IOS NetFlow
Version 9 Flow-Record Format, available at this URL:
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_white_paper09186a00800a3db9.shtml
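The Version 9 layout described above (a packet header followed by intermingled template and data flow sets) can be seen from the collector side in the following parser. It is an added example, not Cisco code: the field-type numbers are the standard Version 9 ones from RFC 3954, the class and helper names are assumptions, and the two packets are constructed sample input.

```python
import ipaddress
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
SET_HDR = struct.Struct("!HH")     # flow set id, length (length includes these 4 bytes)

# Subset of the Version 9 field-type numbers (RFC 3954).
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 6: "TCP_FLAGS",
               7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT",
               12: "IPV4_DST_ADDR"}
IPV4_ADDR_FIELDS = {8, 12}


class V9Collector:
    def __init__(self):
        # A production collector would also key on the exporter's address.
        self.templates = {}  # (source_id, template_id) -> [(field_type, length)]
        self.undecoded = 0   # data flow sets seen before their template

    def feed(self, packet):
        """Parse one export packet and return its flow records as dicts."""
        if len(packet) < HEADER.size:
            raise ValueError("packet shorter than the Version 9 header")
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet)
        if version != 9:
            raise ValueError(f"not a Version 9 export packet: {version}")
        records, off = [], HEADER.size
        while off + SET_HDR.size <= len(packet):
            set_id, length = SET_HDR.unpack_from(packet, off)
            # The length field is untrusted input: it must cover its own
            # header and stay inside the datagram.
            if length < SET_HDR.size or off + length > len(packet):
                raise ValueError("flow set length out of bounds")
            body = packet[off + SET_HDR.size:off + length]
            if set_id == 0:
                self._read_templates(source_id, body)
            elif set_id >= 256:
                records.extend(self._read_data(source_id, set_id, body))
            # set_id 1 (options templates) and reserved ids are skipped here.
            off += length
        return records

    def _read_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, off)
            off += 4
            if template_id < 256:
                break  # trailing padding
            if field_count == 0 or off + 4 * field_count > len(body):
                raise ValueError("template overruns its flow set")
            fields = [struct.unpack_from("!HH", body, off + 4 * i)
                      for i in range(field_count)]
            if any(length == 0 for _, length in fields):
                raise ValueError("zero-length field in template")
            self.templates[(source_id, template_id)] = fields
            off += 4 * field_count

    def _read_data(self, source_id, template_id, body):
        fields = self.templates.get((source_id, template_id))
        if fields is None:
            self.undecoded += 1  # template not received yet; cannot decode
            return []
        record_len = sum(length for _, length in fields)
        records, off = [], 0
        while off + record_len <= len(body):  # any remainder is padding
            record = {}
            for field_type, length in fields:
                raw = body[off:off + length]
                off += length
                name = FIELD_NAMES.get(field_type, f"field_{field_type}")
                if field_type in IPV4_ADDR_FIELDS and length == 4:
                    record[name] = str(ipaddress.IPv4Address(raw))
                else:
                    record[name] = int.from_bytes(raw, "big")
            records.append(record)
        return records


def flow_set(set_id, payload):
    """Wrap a payload in a flow set header, padded to a 4-byte boundary."""
    payload += b"\x00" * (-len(payload) % 4)
    return SET_HDR.pack(set_id, SET_HDR.size + len(payload)) + payload


def export_packet(source_id, record_count, *flow_sets):
    return HEADER.pack(9, record_count, 0, 0, 0, source_id) + b"".join(flow_sets)


# Constructed sample input: template 256 and one matching data record.
TEMPLATE_FIELDS = [(8, 4), (12, 4), (11, 2), (4, 1), (6, 1), (1, 4)]
TEMPLATE_SET = flow_set(0, struct.pack("!HH", 256, len(TEMPLATE_FIELDS))
                        + b"".join(struct.pack("!HH", *f) for f in TEMPLATE_FIELDS))
DATA_SET = flow_set(256, ipaddress.IPv4Address("192.0.2.10").packed
                    + ipaddress.IPv4Address("198.51.100.7").packed
                    + struct.pack("!HBBI", 443, 6, 0x02, 1500))
DATA_BEFORE_TEMPLATE = export_packet(1, 1, DATA_SET)
TEMPLATE_THEN_DATA = export_packet(1, 2, TEMPLATE_SET, DATA_SET)
```

Feeding `DATA_BEFORE_TEMPLATE` to a fresh collector returns no records and increments `undecoded`, which is why the exporter resends templates periodically; after `TEMPLATE_THEN_DATA` has been seen, the same data flow set decodes.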
Flow Monitors
Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic
monitoring.
Flow data is collected from the network traffic and added to the flow monitor cache during the monitoring
process based on the key and nonkey fields in the flow record.
Flexible NetFlow can be used to perform different types of analysis on the same traffic. In the figure below,
packet 1 is analyzed using a record designed for standard traffic analysis on the input interface and a record
designed for security analysis on the output interface.
Figure 14: Example of Using Two Flow Monitors to Analyze the Same Traffic
The figure below shows a more complex example of how you can apply different types of flow monitors with
custom records.
Figure 15: Complex Example of Using Multiple Types of Flow Monitors with Custom Records
There are three types of flow monitor caches. You change the type of cache used by the flow monitor after
you create the flow monitor. The three types of flow monitor caches are described in the following sections:
Normal
The default cache type is “normal”. In this mode, the entries in the cache are aged out according to the timeout
active and timeout inactive settings. When a cache entry is aged out, it is removed from the cache and exported
via any exporters configured.
Immediate
A cache of type "immediate" ages out every record as soon as it is created. As a result, every flow contains
just one packet. The commands that display the cache contents will provide a history of the packets seen.
This mode is desirable when you expect only very small flows and you want a minimum amount of latency
between seeing a packet and exporting a report.
Caution
This mode may result in a large amount of export data that can overload low-speed links and overwhelm
any systems that you are exporting to. We recommend that you configure sampling to reduce the number
of packets that are processed.
Note
The cache timeout settings have no effect in this mode.
Permanent
A cache of type "permanent" never ages out any flows. A permanent cache is useful when the number of
flows you expect to see is low and there is a need to keep long-term statistics on the router. For example, if
the only key field in the flow record is the 8-bit IP ToS field, only 256 flows can be monitored. To monitor
the long-term usage of the IP ToS field in the network traffic, you can use a permanent cache. Permanent
caches are useful for billing applications and for an edge-to-edge traffic matrix for a fixed set of flows that
are being tracked. Update messages will be sent periodically to any flow exporters configured according to
the "timeout update" setting.
Note
When a cache becomes full in permanent mode, new flows will not be monitored. If this occurs, a "Flows
not added" message will appear in the cache statistics.
Note
A permanent cache uses update counters rather than delta counters. This means that when a flow is exported,
the counters represent the totals seen for the full lifetime of the flow and not the additional packets and
bytes seen since the last export was sent.
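The following simplified software model of the three cache types shows how they change what reaches the collector: a long-lived flow is split into several records by the active timeout in a normal cache, becomes one record per packet in an immediate cache, and is reported as running totals by a permanent cache. It is an added illustration, not device code; the `FlowCache` class, the packet dictionaries and their field names are assumptions, and the timeouts are the defaults from this guide's Default Settings table.

```python
class FlowCache:
    """Simplified model of a flow monitor cache (illustration only)."""

    def __init__(self, key_fields, nonkey_fields=(), cache_type="normal",
                 timeout_active=1800, timeout_inactive=15, max_entries=16384):
        if cache_type not in ("normal", "immediate", "permanent"):
            raise ValueError(f"unknown cache type: {cache_type}")
        self.key_fields = tuple(key_fields)
        self.nonkey_fields = tuple(nonkey_fields)
        self.cache_type = cache_type
        self.timeout_active = timeout_active
        self.timeout_inactive = timeout_inactive
        self.max_entries = max_entries
        self.entries = {}         # key tuple -> flow entry
        self.flows_not_added = 0  # flows rejected because the cache was full

    def _new_entry(self, now, packet):
        entry = {f: packet[f] for f in self.key_fields}
        # Nonkey values are taken from the first packet; a later change in
        # a nonkey value does not create a new flow.
        entry.update({f: packet.get(f) for f in self.nonkey_fields})
        entry.update(first=now, last=now, packets=0, bytes=0)
        return entry

    def age_out(self, now):
        """Normal cache only: remove and return entries past either timeout."""
        if self.cache_type != "normal":
            return []
        expired = [key for key, e in self.entries.items()
                   if now - e["last"] >= self.timeout_inactive
                   or now - e["first"] >= self.timeout_active]
        return [self.entries.pop(key) for key in expired]

    def observe(self, now, packet):
        """Account one packet; return the records exported as a result."""
        exported = self.age_out(now)
        key = tuple(packet[f] for f in self.key_fields)
        entry = self.entries.get(key)
        if entry is None:
            # The guide documents this for permanent caches; applying it to
            # every cache type is an assumption of this model.
            if len(self.entries) >= self.max_entries:
                self.flows_not_added += 1
                return exported
            entry = self.entries[key] = self._new_entry(now, packet)
        entry["last"] = now
        entry["packets"] += 1
        entry["bytes"] += packet["length"]
        if self.cache_type == "immediate":
            exported.append(self.entries.pop(key))  # one packet per record
        return exported

    def update_export(self):
        """Permanent cache: periodic update carrying lifetime totals."""
        return [dict(entry) for entry in self.entries.values()]


def run(cache, packets):
    """Feed (timestamp, packet) pairs and collect everything exported."""
    exported = []
    for now, packet in packets:
        exported.extend(cache.observe(now, packet))
    return exported


# Constructed sample: one connection sending a packet every 10 seconds for
# 2000 seconds; its TTL (a nonkey field here) changes after 100 seconds.
KEYS = ("src", "dst", "dport")
LONG_LIVED = [(t, {"src": "192.0.2.10", "dst": "198.51.100.7", "dport": 443,
                   "ttl": 64 if t < 100 else 63, "length": 100})
              for t in range(0, 2001, 10)]
```

With the default timeouts, `run(FlowCache(KEYS, ("ttl",)), LONG_LIVED)` exports one record when the active timeout is reached and leaves the rest of the connection in a second cache entry, so detection logic that looks for long-lived connections has to stitch records with the same key back together.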
Flow Samplers
Flow samplers are created as separate components in a router’s configuration. Flow samplers are used to
reduce the load on the device that is running Flexible NetFlow by limiting the number of packets that are
selected for analysis.
Flow sampling exchanges monitoring accuracy for router performance. When you apply a sampler to a flow
monitor, the overhead load on the router of running the flow monitor is reduced because the number of packets
that the flow monitor must analyze is reduced. The reduction in the number of packets that are analyzed by
the flow monitor causes a corresponding reduction in the accuracy of the information stored in the flow
monitor’s cache.
Samplers are combined with flow monitors when they are applied to an interface with the ip flow monitor
command.
Supported Flexible NetFlow Fields
The following tables provide a consolidated list of supported fields in Flexible NetFlow (FNF) for various
traffic types and traffic direction.
Note
If the packet has a VLAN field, then that length is not accounted for.
Key or Collect Fields
| Field | Layer 2 In | Layer 2 Out | IPv4 In | IPv4 Out | IPv6 In | IPv6 Out | Notes |
| Interface input | Yes | — | Yes | — | Yes | — | If you apply a flow monitor in the input direction: use the match keyword and use the input interface as a key field; use the collect keyword and use the output interface as a collect field. This field will be present in the exported records but with a value of 0. |
| Interface output | — | Yes | — | Yes | — | Yes | If you apply a flow monitor in the output direction: use the match keyword and use the output interface as a key field; use the collect keyword and use the input interface as a collect field. This field will be present in the exported records but with a value of 0. |

Key Fields
| Field | Layer 2 In | Layer 2 Out | IPv4 In | IPv4 Out | IPv6 In | IPv6 Out | Notes |
| Flow direction | Yes | Yes | Yes | Yes | Yes | Yes | |
| Ethertype | Yes | Yes | — | — | — | — | |
| VLAN input | Yes | — | Yes | — | Yes | — | Supported only for a switch port. |
| VLAN output | — | Yes | — | Yes | — | Yes | Supported only for a switch port. |
| dot1q VLAN input | Yes | — | Yes | — | Yes | — | Supported only for a switch port. |
| dot1q VLAN output | — | Yes | — | Yes | — | Yes | Supported only for a switch port. |
| dot1q priority | Yes | Yes | Yes | Yes | Yes | Yes | Supported only for a switch port. |
| MAC source address input | Yes | Yes | Yes | Yes | Yes | Yes | |
| MAC source address output | — | — | — | — | — | — | |
| MAC destination address input | Yes | — | Yes | — | Yes | — | |
| MAC destination address output | — | Yes | — | Yes | — | Yes | |
| IPv4 version | — | — | Yes | Yes | Yes | Yes | |
| IPv4 TOS | — | — | Yes | Yes | Yes | Yes | |
| IPv4 protocol | — | — | Yes | Yes | Yes | Yes | Must use if any of src/dest port, ICMP code/type, IGMP type or TCP flags are used. |
| IPv4 TTL | — | — | Yes | Yes | Yes | Yes | |
| IPv4 source address | — | — | Yes | Yes | — | — | |
| IPv4 destination address | — | — | Yes | Yes | — | — | |
| ICMP IPv4 type | — | — | Yes | Yes | — | — | |
| ICMP IPv4 code | — | — | Yes | Yes | — | — | |
| IGMP type | — | — | Yes | Yes | — | — | |

Key Fields continued
| Field | Layer 2 In | Layer 2 Out | IPv4 In | IPv4 Out | IPv6 In | IPv6 Out | Notes |
| IPv6 version | — | — | Yes | Yes | Yes | Yes | Same as IP version. |
| IPv6 protocol | — | — | Yes | Yes | Yes | Yes | Same as IP protocol. Must use if any of src/dest port, ICMP code/type, IGMP type or TCP flags are used. |
| IPv6 source address | — | — | — | — | Yes | Yes | |
| IPv6 destination address | — | — | — | — | Yes | Yes | |
| IPv6 traffic-class | — | — | Yes | Yes | Yes | Yes | Same as IP TOS. |
| IPv6 hop-limit | — | — | Yes | Yes | Yes | Yes | Same as IP TTL. |
| ICMP IPv6 type | — | — | — | — | Yes | Yes | |
| ICMP IPv6 code | — | — | — | — | Yes | Yes | |
| source-port | — | — | Yes | Yes | Yes | Yes | |
| dest-port | — | — | Yes | Yes | Yes | Yes | |

Collect Fields
| Field | Layer 2 In | Layer 2 Out | IPv4 In | IPv4 Out | IPv6 In | IPv6 Out | Notes |
| Bytes long | Yes | Yes | Yes | Yes | Yes | Yes | Packet size = (Ethernet frame size including FCS - 18 bytes). Recommended: Avoid this field and use Bytes layer2 long. |
| Packets long | Yes | Yes | Yes | Yes | Yes | Yes | |
| Timestamp absolute first | Yes | Yes | Yes | Yes | Yes | Yes | |
| Timestamp absolute last | Yes | Yes | Yes | Yes | Yes | Yes | |
| TCP flags | Yes | Yes | Yes | Yes | Yes | Yes | Collects all flags. |
| Bytes layer2 long | Yes | Yes | Yes | Yes | Yes | Yes | |
Default Settings
The following table lists the Flexible NetFlow default settings for the device.
Table 14: Default Flexible NetFlow Settings
Setting | Default
Flow active timeout | 1800 seconds
Flow timeout inactive | 15 seconds
How to Configure Flexible Netflow
To configure Flexible Netflow, follow these general steps:
1. Create a flow record by specifying keys and non-key fields to the flow.
2. Create an optional flow exporter by specifying the protocol and transport destination port, destination, and other parameters.
3. Create a flow monitor based on the flow record and flow exporter.
4. Create an optional sampler.
5. Apply the flow monitor to a Layer 2 port, Layer 3 port, or VLAN.
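An added example, not part of the Cisco guide: a check that the objects created in the five steps above reference each other, so a monitor that points at a missing record or is never applied does not silently leave a gap in flow visibility. The configuration text is a constructed sample in running-config layout, and the function name audit_flow_config is hypothetical.

```python
import re

# Top-level commands that open a block we care about (all appear in this chapter).
TOP = re.compile(r"^(flow record|flow exporter|flow monitor|interface|vlan configuration) (\S.*)$")
# {ip | ipv6} flow monitor NAME [sampler NAME] {input | output}
APPLY = re.compile(r"^(?:ip|ipv6) flow monitor (\S+)(?: sampler (\S+))? (input|output)$")

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
flow record fr-1
 match ipv4 source address
 match ipv4 destination address
 collect counter bytes long
!
flow record fr-empty
 collect counter packets long
!
flow exporter fe-1
 destination 10.5.120.16
 transport udp 2055
!
flow exporter fe-nodest
 transport udp 4739
!
flow monitor fm-1
 exporter fe-1
 exporter fe-missing
 record fr-1
!
flow monitor fm-out
 exporter fe-1
 record fr-1-out
!
interface GigabitEthernet1/0/11
 ip flow monitor fm-1 sampler SAMPLER-1 input
!
vlan configuration 30
 ip flow monitor fm-2 input
"""


def audit_flow_config(config_text):
    """Return findings about broken record/exporter/monitor/interface references."""
    records = {}     # record name -> number of match (key field) lines
    exporters = {}   # exporter name -> True once a destination is configured
    monitors = {}    # monitor name -> {"record": name or None, "exporters": [names]}
    applied = []     # (attachment point, monitor name)
    kind = name = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # an unindented line starts a new block
            m = TOP.match(line)
            kind, name = (m.group(1), m.group(2)) if m else (None, None)
            if kind == "flow record":
                records.setdefault(name, 0)
            elif kind == "flow exporter":
                exporters.setdefault(name, False)
            elif kind == "flow monitor":
                monitors.setdefault(name, {"record": None, "exporters": []})
            continue
        if kind == "flow record" and line.startswith("match "):
            records[name] += 1
        elif kind == "flow exporter" and line.startswith("destination "):
            exporters[name] = True
        elif kind == "flow monitor" and line.startswith("record "):
            monitors[name]["record"] = line.split(None, 1)[1]
        elif kind == "flow monitor" and line.startswith("exporter "):
            monitors[name]["exporters"].append(line.split(None, 1)[1])
        elif kind in ("interface", "vlan configuration"):
            m = APPLY.match(line)
            if m:
                applied.append(("%s %s" % (kind, name), m.group(1)))

    findings = []
    for rec, keys in sorted(records.items()):
        if keys == 0:  # a customized record needs at least one match criterion
            findings.append("record %s has no match (key) field" % rec)
    for exp, has_dest in sorted(exporters.items()):
        if not has_dest:
            findings.append("exporter %s has no destination" % exp)
    used = {mon for _where, mon in applied}
    for mon, cfg in sorted(monitors.items()):
        rec = cfg["record"]
        if rec is None:
            findings.append("monitor %s has no record" % mon)
        elif rec not in records and not rec.startswith("netflow"):  # predefined records
            findings.append("monitor %s uses undefined record %s" % (mon, rec))
        for exp in cfg["exporters"]:
            if exp not in exporters:
                findings.append("monitor %s uses undefined exporter %s" % (mon, exp))
        if mon not in used:
            findings.append("monitor %s is not applied to any interface or VLAN" % mon)
    for where, mon in applied:
        if mon not in monitors:
            findings.append("%s applies undefined monitor %s" % (where, mon))
    return findings


if __name__ == "__main__":
    for finding in audit_flow_config(SAMPLE_CONFIG):
        print(finding)
```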
Creating a Customized Flow Record
Perform this task to configure a customized flow record.
Customized flow records are used to analyze traffic data for a specific purpose. A customized flow record
must have at least one match criterion for use as the key field and typically has at least one collect criterion
for use as a nonkey field.
There are hundreds of possible permutations of customized flow records. This task shows the steps that are
used to create one of the possible permutations. Modify the steps in this task as appropriate to create a
customized flow record for your requirements.
SUMMARY STEPS
1. enable
2. configure terminal
3. flow record record-name
4. description description
5. match {ip | ipv6} {destination | source} address
6. Repeat Step 5 as required to configure additional key fields for the record.
7. match flow cts {source | destination} group-tag
8.
9. Repeat the above step as required to configure additional nonkey fields for the record.
10. end
11. show flow record record-name
12. show running-config flow record record-name
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal
Step 3
Command or Action: flow record record-name
Purpose: Creates a flow record and enters Flexible NetFlow flow record configuration mode.
• This command also allows you to modify an existing flow record.
Example:
Device(config)# flow record FLOW-RECORD-1
Step 4
Command or Action: description description
Purpose: (Optional) Creates a description for the flow record.
Example:
Device(config-flow-record)# description Used for basic traffic analysis
Step 5
Command or Action: match {ip | ipv6} {destination | source} address
Purpose: Configures a key field for the flow record.
Note: This example configures the IPv4 destination address as a key field for the record. For information about the other key fields available for the match ipv4 command, and the other match commands that are available to configure key fields.
Example:
Device(config-flow-record)# match ipv4 destination address
Step 6
Command or Action: Repeat Step 5 as required to configure additional key fields for the record.
Purpose: —
Step 7
Command or Action: match flow cts {source | destination} group-tag
Note: This example configures the CTS source group tag and destination group tag as a key field for the record. For information about the other key fields available for the match ipv4 command, and the other match commands that are available to configure key fields.
• Ingress:
  • In an incoming packet, if a header is present, SGT will reflect the same value as the header. If no value is present, it will show zero.
  • The DGT value will not depend on the ingress port SGACL configuration.
• Egress:
  • If either propagate SGT or CTS is disabled on the egress interface, then SGT will be zero.
  • In an outgoing packet, if SGACL configuration that corresponds to the (SGT, DGT) exists, DGT will be non-zero.
  • If SGACL is disabled on the egress port/VLAN or if global SGACL enforcement is disabled, then DGT will be zero.
Example:
Device(config-flow-record)# match flow cts source group-tag
Device(config-flow-record)# match flow cts destination group-tag
Step 8
Purpose: Configures the input interface as a nonkey field for the record.
Note: This example configures the input interface as a nonkey field for the record.
Example:
Step 9
Command or Action: Repeat the above step as required to configure additional nonkey fields for the record.
Purpose: —
Step 10
Command or Action: end
Purpose: Exits Flexible NetFlow flow record configuration mode and returns to privileged EXEC mode.
Example:
Device(config-flow-record)# end
Step 11
Command or Action: show flow record record-name
Purpose: (Optional) Displays the current status of the specified flow record.
Example:
Device# show flow record FLOW-RECORD-1
Step 12
Command or Action: show running-config flow record record-name
Purpose: (Optional) Displays the configuration of the specified flow record.
Example:
Device# show running-config flow record FLOW-RECORD-1
Creating a Flow Exporter
You can create a flow exporter to define the export parameters for a flow.
Note: Each flow exporter supports only one destination. If you want to export the data to multiple destinations, you must configure multiple flow exporters and assign them to the flow monitor.
You can export to a destination using an IPv4 address.
SUMMARY STEPS
1. configure terminal
2. flow exporter name
3. description string
4. destination {ipv4-address}
5. dscp value
6. source { |}
7. transport udp number
8. ttl seconds
9. export-protocol {netflow-v9}
10. end
11. show flow exporter [name record-name]
12. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Device# configure terminal
Step 2
Command or Action: flow exporter name
Purpose: Creates a flow exporter and enters flow exporter configuration mode.
Example:
Device(config)# flow exporter ExportTest
Step 3
Command or Action: description string
Purpose: (Optional) Describes this flow record as a maximum 63-character string.
Example:
Device(config-flow-exporter)# description ExportV9
Step 4
Command or Action: destination {ipv4-address}
Purpose: Sets the IPv4 destination address or hostname for this exporter.
Example:
Device(config-flow-exporter)# destination 192.0.2.1 (IPv4 destination)
Step 5
Command or Action: dscp value
Purpose: (Optional) Specifies the differentiated services codepoint value. The range is from 0 to 63. The default is 0.
Example:
Device(config-flow-exporter)# dscp 0
Step 6
Command or Action: source { |}
Purpose: (Optional) Specifies the interface to use to reach the NetFlow collector at the configured destination. The following interfaces can be configured as source:
Example:
Device(config-flow-exporter)# source gigabitEthernet1/0/1
Step 7
Command or Action: transport udp number
Purpose: (Optional) Specifies the UDP port to use to reach the NetFlow collector.
Example:
Device(config-flow-exporter)# transport udp 200
Step 8
Command or Action: ttl seconds
Purpose: (Optional) Configures the time-to-live (TTL) value for datagrams sent by the exporter. The range is from 1 to 255 seconds. The default is 255.
Example:
Device(config-flow-exporter)# ttl 210
Step 9
Command or Action: export-protocol {netflow-v9}
Purpose: Specifies the version of the NetFlow export protocol used by the exporter.
Example:
Device(config-flow-exporter)# export-protocol netflow-v9
Step 10
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Device(config-flow-exporter)# end
Step 11
Command or Action: show flow exporter [name record-name]
Purpose: (Optional) Displays information about NetFlow flow exporters.
Example:
Device# show flow exporter ExportTest
Step 12
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
What to Do Next
Define a flow monitor based on the flow record and flow exporter.
Related Topics
Exporters
Example: Configuring a Flow
Example: Monitoring IPv4 ingress traffic
Example: Monitoring IPv4 egress traffic
Creating a Customized Flow Monitor
Perform this required task to create a customized flow monitor.
Each flow monitor has a separate cache assigned to it. Each flow monitor requires a record to define the
contents and layout of its cache entries. These record formats can be one of the predefined formats or a
user-defined format. An advanced user can create a customized format using the flow record command.
Before You Begin
If you want to use a customized record instead of using one of the Flexible NetFlow predefined records, you
must create the customized record before you can perform this task. If you want to add a flow exporter to the
flow monitor for data export, you must create the exporter before you can complete this task.
Note
You must use the no ip flow monitor command to remove a flow monitor from all of the interfaces to
which you have applied it before you can modify the parameters for the record command on the flow
monitor.
SUMMARY STEPS
1. enable
2. configure terminal
3. flow monitor monitor-name
4. description description
5. record {record-name | netflow-original | netflow {ipv4 | ipv6} record [peer]}
6. cache {entries number | timeout {active | inactive | update} seconds | {immediate | normal |
permanent}}
7. Repeat Step 6 as required to finish modifying the cache parameters for this flow monitor.
8. statistics packet protocol
9. statistics packet size
10. exporter exporter-name
11. end
12. show flow monitor [[name] monitor-name [cache [format {csv | record | table}]] [statistics]]
13. show running-config flow monitor monitor-name
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal
Step 3
Command or Action: flow monitor monitor-name
Purpose: Creates a flow monitor and enters Flexible NetFlow flow monitor configuration mode.
• This command also allows you to modify an existing flow monitor.
Example:
Device(config)# flow monitor FLOW-MONITOR-1
Step 4
Command or Action: description description
Purpose: (Optional) Creates a description for the flow monitor.
Example:
Device(config-flow-monitor)# description Used for basic ipv4 traffic analysis
Step 5
Command or Action: record {record-name | netflow-original | netflow {ipv4 | ipv6} record [peer]}
Purpose: Specifies the record for the flow monitor.
Example:
Device(config-flow-monitor)# record FLOW-RECORD-1
Step 6
Command or Action: cache {entries number | timeout {active | inactive | update} seconds | {immediate | normal | permanent}}
Purpose: The values for the keywords associated with the timeout keyword have no effect when the cache type is set to immediate.
Example:
Step 7
Command or Action: Repeat Step 6 as required to finish modifying the cache parameters for this flow monitor.
Purpose: —
Step 8
Command or Action: statistics packet protocol
Purpose: (Optional) Enables the collection of protocol distribution statistics for Flexible NetFlow monitors.
Example:
Device(config-flow-monitor)# statistics packet protocol
Step 9
Command or Action: statistics packet size
Purpose: (Optional) Enables the collection of size distribution statistics for Flexible NetFlow monitors.
Example:
Device(config-flow-monitor)# statistics packet size
Step 10
Command or Action: exporter exporter-name
Purpose: (Optional) Specifies the name of an exporter that was created previously.
Example:
Device(config-flow-monitor)# exporter EXPORTER-1
Step 11
Command or Action: end
Purpose: Exits Flexible NetFlow flow monitor configuration mode and returns to privileged EXEC mode.
Example:
Device(config-flow-monitor)# end
Step 12
Command or Action: show flow monitor [[name] monitor-name [cache [format {csv | record | table}]] [statistics]]
Purpose: (Optional) Displays the status and statistics for a Flexible NetFlow flow monitor.
Example:
Device# show flow monitor FLOW-MONITOR-2 cache
Step 13
Command or Action: show running-config flow monitor monitor-name
Purpose: (Optional) Displays the configuration of the specified flow monitor.
Example:
Device# show running-config flow monitor FLOW-MONITOR-1
Configuring and Enabling Flow Sampling
Perform this required task to configure and enable a flow sampler.
Note
When you specify the "NetFlow original," or the "NetFlow IPv4 original input," or the "NetFlow IPv6
original input" predefined record for the flow monitor to emulate original NetFlow, the flow monitor can
be used only for analyzing input (ingress) traffic.
When you specify the "NetFlow IPv4 original output" or the "NetFlow IPv6 original output" predefined
record for the flow monitor to emulate the Egress NetFlow Accounting feature, the flow monitor can be
used only for analyzing output (egress) traffic.
SUMMARY STEPS
1. enable
2. configure terminal
3. sampler sampler-name
4. description description
5. mode {random} 1 out-of window-size
6. exit
7. interface type number
8. {ip | ipv6} flow monitor monitor-name [[sampler] sampler-name] {input | output}
9. end
10. show sampler sampler-name
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal
Step 3
Command or Action: sampler sampler-name
Purpose: Creates a sampler and enters sampler configuration mode.
• This command also allows you to modify an existing sampler.
Example:
Device(config)# sampler SAMPLER-1
Step 4
Command or Action: description description
Purpose: (Optional) Creates a description for the flow sampler.
Example:
Device(config-sampler)# description Sample at 50%
Step 5
Command or Action: mode {random} 1 out-of window-size
Purpose: Specifies the sampler mode and the flow sampler window size.
• The range for the window-size argument is from 2 to 32768.
Example:
Device(config-sampler)# mode random 1 out-of 2
Step 6
Command or Action: exit
Purpose: Exits sampler configuration mode and returns to global configuration mode.
Example:
Device(config-sampler)# exit
Step 7
Command or Action: interface type number
Purpose: Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface GigabitEthernet 0/0/0
Step 8
Command or Action: {ip | ipv6} flow monitor monitor-name [[sampler] sampler-name] {input | output}
Purpose: Assigns the flow monitor and the flow sampler that you created to the interface to enable sampling.
Example:
Device(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input
Step 9
Command or Action: end
Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Example:
Device(config-if)# end
Step 10
Command or Action: show sampler sampler-name
Purpose: Displays the status and statistics of the flow sampler that you configured and enabled.
Example:
Device# show sampler SAMPLER-1
Applying a Flow to an Interface
You can apply a flow monitor and an optional sampler to an interface.
SUMMARY STEPS
1. configure terminal
2. interface type
3. {ip flow monitor | ipv6 flow monitor}name [| sampler name] {input}
4. end
5. show flow interface [interface-type number]
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Device# configure terminal
Step 2
Command or Action: interface type
Purpose: Enters interface configuration mode and configures an interface.
Flexible NetFlow is not supported on the L2 port-channel interface, but is supported on the L2 port-channel member ports.
Flexible NetFlow is not supported on the L3 port-channel interface, but is supported on the L3 port-channel member ports.
Command parameters for the interface configuration include:
Example:
Device(config)# interface GigabitEthernet1/0/1
Step 3
Command or Action: {ip flow monitor | ipv6 flow monitor}name [| sampler name] {input}
Purpose: Associates an IPv4 or an IPv6 flow monitor, and an optional sampler, to the interface for input or output packets.
You can associate multiple monitors to an interface in both input and output directions.
Example:
Device(config-if)# ip flow monitor MonitorTest input
Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Device(config-if)# end
Step 5
Command or Action: show flow interface [interface-type number]
Purpose: (Optional) Displays information about NetFlow on an interface.
Example:
Device# show flow interface
Step 6
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Configuring a Bridged NetFlow on a VLAN
You can apply a flow monitor and an optional sampler to a VLAN.
SUMMARY STEPS
1. configure terminal
2. vlan [configuration] vlan-id
3. ip flow monitor monitor name [sampler sampler name] {input }
4. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Device# configure terminal
Step 2
Command or Action: vlan [configuration] vlan-id
Purpose: Enters VLAN or VLAN configuration mode.
Example:
Device(config)# vlan configuration 30
Device(config-vlan-config)#
Step 3
Command or Action: ip flow monitor monitor name [sampler sampler name] {input }
Purpose: Associates a flow monitor and an optional sampler to the VLAN for input packets.
Example:
Device(config-vlan-config)# ip flow monitor MonitorTest input
Step 4
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Configuring Layer 2 NetFlow
You can define Layer 2 keys in Flexible NetFlow records that you can use to capture flows in Layer 2 interfaces.
SUMMARY STEPS
1. configure terminal
2. flow record name
3. match datalink {dot1q |ethertype | mac | vlan}
4. end
5. show flow record [name ]
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters the global configuration mode.
Example:
Device# configure terminal
Step 2
Command or Action: flow record name
Purpose: Enters flow record configuration mode.
Example:
Device(config)# flow record L2_record
Device(config-flow-record)#
Step 3
Command or Action: match datalink {dot1q |ethertype | mac | vlan}
Purpose: Specifies the Layer 2 attribute as a key.
Example:
Device(config-flow-record)# match datalink ethertype
Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Device(config-flow-record)# end
Step 5
Command or Action: show flow record [name ]
Purpose: (Optional) Displays information about NetFlow on an interface.
Example:
Device# show flow record
Step 6
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Monitoring Flexible NetFlow
The commands in the following table can be used to monitor Flexible NetFlow.
Table 15: Flexible NetFlow Monitoring Commands
Command | Purpose
show flow exporter [broker | export-ids | name | name | statistics | templates] | Displays information about NetFlow flow exporters and statistics.
show flow exporter [ name exporter-name] | Displays information about NetFlow flow exporters and statistics.
show flow interface | Displays information about NetFlow interfaces.
show flow monitor [ name exporter-name] | Displays information about NetFlow flow monitors and statistics.
show flow monitor statistics | Displays the statistics for the flow monitor.
show flow monitor cache format {table | record | csv} | Displays the contents of the cache for the flow monitor, in the format specified.
show flow record [ name record-name] | Displays information about NetFlow flow records.
show sampler [broker | name | name] | Displays information about NetFlow samplers.
Configuration Examples for Flexible NetFlow
Example: Configuring a Flow
This example shows how to create a flow and apply it to an interface:
Device# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)# flow export export1
Device(config-flow-exporter)# destination 10.0.101.254
Device(config-flow-exporter)# transport udp 2055
Device(config-flow-exporter)# exit
Device(config)# flow record record1
Device(config-flow-record)# match ipv4 source address
Device(config-flow-record)# match ipv4 destination address
Device(config-flow-record)# match ipv4 protocol
Device(config-flow-record)# match transport source-port
Device(config-flow-record)# match transport destination-port
Device(config-flow-record)# match flow cts source group-tag
Device(config-flow-record)# match flow cts destination group-tag
Device(config-flow-record)# collect counter byte long
Device(config-flow-record)# collect counter packet long
Device(config-flow-record)# collect timestamp absolute first
Device(config-flow-record)# collect timestamp absolute last
Device(config-flow-record)# exit
Device(config)# flow monitor monitor1
Device(config-flow-monitor)# record record1
Device(config-flow-monitor)# exporter export1
Device(config-flow-monitor)# exit
Device(config)# interface tenGigabitEthernet 1/0/1
Device(config-if)# ip flow monitor monitor1 input
Device(config-if)# end
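An added example, not part of the Cisco guide: the decoding a collector at the exporter's destination has to do, assuming the exporter sends NetFlow v9 (RFC 3954, listed under Standards and RFCs). The field type numbers come from RFC 3954, the two datagrams are constructed rather than captured, and only the IPv4, transport and counter fields of record1 are named; any other field is kept as raw hex.

```python
import ipaddress
import struct

# Field type numbers are taken from RFC 3954, not from the configuration guide.
FIELD_NAMES = {1: "bytes", 2: "packets", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}
ADDR_FIELDS = {8, 12}
# version, count, sysUptime, unix_secs, sequence, source_id
HEADER = struct.Struct("!HHIIII")


class MalformedExport(ValueError):
    """The datagram does not follow NetFlow v9 framing."""


def read_templates(body, source_id, templates):
    """Store every template record of a template FlowSet (FlowSet ID 0)."""
    pos = 0
    while pos + 4 <= len(body):
        template_id, field_count = struct.unpack_from("!HH", body, pos)
        pos += 4
        if template_id < 256 or field_count == 0 or pos + 4 * field_count > len(body):
            raise MalformedExport("bad template record")
        fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(field_count)]
        if any(length == 0 for _type, length in fields):
            raise MalformedExport("zero-length field in template")
        templates[(source_id, template_id)] = fields
        pos += 4 * field_count


def read_records(body, template):
    """Cut a data FlowSet into records using the field lengths of its template."""
    record_len = sum(length for _type, length in template)
    flows, pos = [], 0
    # Bytes left over that are shorter than one record are padding.
    while pos + record_len <= len(body):
        flow = {}
        for field_type, length in template:
            raw = body[pos:pos + length]
            pos += length
            name = FIELD_NAMES.get(field_type, "field_%d" % field_type)
            if field_type in ADDR_FIELDS and length == 4:
                flow[name] = str(ipaddress.IPv4Address(raw))
            elif field_type in FIELD_NAMES:
                flow[name] = int.from_bytes(raw, "big")
            else:
                flow[name] = raw.hex()
        flows.append(flow)
    return flows


def parse_v9(datagram, templates):
    """Decode one datagram; templates maps (source_id, template_id) to field lists.

    Returns (flows, skipped); skipped counts data FlowSets seen before their template.
    """
    if len(datagram) < HEADER.size:
        raise MalformedExport("short header")
    version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(datagram)
    if version != 9:
        raise MalformedExport("not NetFlow v9")
    flows, skipped, offset = [], 0, HEADER.size
    while offset < len(datagram):
        if offset + 4 > len(datagram):
            raise MalformedExport("truncated FlowSet header")
        flowset_id, length = struct.unpack_from("!HH", datagram, offset)
        # Never trust the length field: it must cover its own header and fit the datagram.
        if length < 4 or offset + length > len(datagram):
            raise MalformedExport("bad FlowSet length")
        body = datagram[offset + 4:offset + length]
        if flowset_id == 0:
            read_templates(body, source_id, templates)
        elif flowset_id >= 256:
            template = templates.get((source_id, flowset_id))
            if template is None:
                skipped += 1
            else:
                flows.extend(read_records(body, template))
        offset += length  # FlowSet IDs 1-255 (options templates, reserved) are skipped
    return flows, skipped


def build_sample():
    """Constructed datagrams (not captured traffic): a template, then one flow."""
    fields = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (1, 8), (2, 8)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, n) for t, n in fields)
    template_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    record = (ipaddress.IPv4Address("192.0.2.10").packed
              + ipaddress.IPv4Address("198.51.100.7").packed
              + struct.pack("!BHHQQ", 6, 49152, 443, 1500, 3))
    padding = b"\x00" * (-(4 + len(record)) % 4)
    data_set = struct.pack("!HH", 256, 4 + len(record) + len(padding)) + record + padding
    return (HEADER.pack(9, 1, 1000, 1500000000, 0, 1) + template_set,
            HEADER.pack(9, 1, 1000, 1500000000, 1, 1) + data_set)


if __name__ == "__main__":
    cache = {}
    for datagram in build_sample():
        print(parse_v9(datagram, cache))
```

Because v9 runs over UDP, a data FlowSet can arrive before its template; the decoder counts such FlowSets instead of guessing at their layout.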
Related Topics
Creating a Flow Exporter
Exporters
Creating a Flow Monitor
Monitors
Example: Monitoring IPv4 ingress traffic
This example shows how to monitor IPv4 ingress traffic (int g1/0/11 sends traffic to int g1/0/36 and int
g3/0/11).
Device# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)# flow record fr-1
Device(config-flow-record)# match ipv4 source address
Device(config-flow-record)# match ipv4 destination address
Device(config-flow-record)# match interface input
Device(config-flow-record)# collect counter bytes long
Device(config-flow-record)# collect counter packets long
Device(config-flow-record)# collect timestamp absolute first
Device(config-flow-record)# collect timestamp absolute last
Device(config-flow-record)# collect counter bytes layer2 long
Device(config-flow-record)# exit
Device(config)# flow exporter fe-ipfix6
Device(config-flow-exporter)# destination 2001:0:0:24::10
Device(config-flow-exporter)# source Vlan106
Device(config-flow-exporter)# transport udp 4739
Device(config-flow-exporter)# export-protocol ipfix
Device(config-flow-exporter)# template data timeout 240
Device(config-flow-exporter)# exit
Device(config)# flow exporter fe-ipfix
Device(config-flow-exporter)# description IPFIX format collector 100.0.0.80
Device(config-flow-exporter)# destination 100.0.0.80
Device(config-flow-exporter)# dscp 30
Device(config-flow-exporter)# ttl 210
Device(config-flow-exporter)# transport udp 4739
Device(config-flow-exporter)# export-protocol ipfix
Device(config-flow-exporter)# template data timeout 240
Device(config-flow-exporter)# exit
Device(config)# flow exporter fe-1
Device(config-flow-exporter)# destination 10.5.120.16
Device(config-flow-exporter)# source Vlan105
Device(config-flow-exporter)# dscp 32
Device(config-flow-exporter)# ttl 200
Device(config-flow-exporter)# transport udp 2055
Device(config-flow-exporter)# template data timeout 240
Device(config-flow-exporter)# exit
Device(config)# flow monitor fm-1
Device(config-flow-monitor)# exporter fe-ipfix6
Device(config-flow-monitor)# exporter fe-ipfix
Device(config-flow-monitor)# exporter fe-1
Device(config-flow-monitor)# cache timeout inactive 60
Device(config-flow-monitor)# cache timeout active 180
Device(config-flow-monitor)# record fr-1
Device(config-flow-monitor)# end
Device# show running-config interface g1/0/11
Device# show running-config interface g1/0/36
Device# show running-config interface g3/0/11
Device# show flow monitor fm-1 cache format table
Related Topics
Creating a Flow Exporter
Exporters
Creating a Flow Monitor
Monitors
Example: Monitoring IPv4 egress traffic
Device# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)# flow record fr-1-out
Device(config-flow-record)# match ipv4 source address
Device(config-flow-record)# match ipv4 destination address
Device(config-flow-record)# match interface output
Device(config-flow-record)# collect counter bytes long
Device(config-flow-record)# collect counter packets long
Device(config-flow-record)# collect timestamp absolute first
Device(config-flow-record)# collect timestamp absolute last
Device(config-flow-record)# exit
Device(config)# flow exporter fe-1
Device(config-flow-exporter)# destination 10.5.120.16
Device(config-flow-exporter)# source Vlan105
Device(config-flow-exporter)# dscp 32
Device(config-flow-exporter)# ttl 200
Device(config-flow-exporter)# transport udp 2055
Device(config-flow-exporter)# template data timeout 240
Device(config-flow-exporter)# exit
Device(config)# flow exporter fe-ipfix6
Device(config-flow-exporter)# destination 2001:0:0:24::10
Device(config-flow-exporter)# source Vlan106
Device(config-flow-exporter)# transport udp 4739
Device(config-flow-exporter)# export-protocol ipfix
Device(config-flow-exporter)# template data timeout 240
Device(config-flow-exporter)# exit
Device(config)# flow exporter fe-ipfix
Device(config-flow-exporter)# description IPFIX format collector 100.0.0.80
Device(config-flow-exporter)# destination 100.0.0.80
Device(config-flow-exporter)# dscp 30
Device(config-flow-exporter)# ttl 210
Device(config-flow-exporter)# transport udp 4739
Device(config-flow-exporter)# export-protocol ipfix
Device(config-flow-exporter)# template data timeout 240
Device(config-flow-exporter)# exit
Device(config)# flow monitor fm-1-output
Device(config-flow-monitor)# exporter fe-1
Device(config-flow-monitor)# exporter fe-ipfix6
Device(config-flow-monitor)# exporter fe-ipfix
Device(config-flow-monitor)# cache timeout inactive 50
Device(config-flow-monitor)# cache timeout active 120
Device(config-flow-monitor)# record fr-1-out
Device(config-flow-monitor)# end
Device# show flow monitor fm-1-output cache format table
Related Topics
Creating a Flow Exporter
Exporters
Creating a Flow Monitor
Monitors
Additional References for NetFlow
Related Documents
Related Topic | Document Title
For complete syntax and usage information for the commands used in this chapter | Command Reference (Catalyst 9500 Series Switches)
Error Message Decoder
Description | Link
To help you research and resolve system error messages in this release, use the Error Message Decoder tool. | https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi
Standards and RFCs
Standard/RFC | Title
RFC 3954 | Cisco Systems NetFlow Services Export Version 9
MIBs
MIB | MIBs Link
All supported MIBs for this release. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/support
Feature Information for Flexible NetFlow
Release | Modification
Cisco IOS XE Everest 16.5.1a | This feature was introduced.
Notices
Trademarks
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and
other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks.
Third-party trademarks mentioned are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any other company. (1110R)
Network Management Configuration Guide, Cisco IOS XE Everest 16.5.1a (Catalyst 9300 Switches)
223
Notices
Trademarks
Network Management Configuration Guide, Cisco IOS XE Everest 16.5.1a (Catalyst 9300 Switches)
224
INDEX
B
bridged NetFlow 214
C
Cisco IOS IP SLAs 64
Cisco Networking Services 4
CNS 4
collect parameters 193
Configuration Engine 2
restrictions 2
D
default configuration 100
RSPAN 100
SPAN 100
default settings 203
defined 4
Event Service 4
NameSpace Mapper 4
ICMP Echo operation (continued)
IP SLAs 79
Inter-Switch Link 88
See ISL 88
interface configuration 213
Intrusion Detection System 90
See IDS appliances 90
IP SLA 66, 68, 69, 70
configuration guidelines 69
responder 66, 70
described 66
enabling 70
threshold monitoring 68
IP SLAs 64, 65, 66, 67, 68, 69, 75, 79
benefits 64
configuration 69
ICMP echo operation 79
measuring network performance 65
multi-operations scheduling 67
response time 66
SNMP support 64
supported metrics 64
UDP jitter operation 68, 75
L
E
Event Service 4
Layer 2 NetFlow 215
local SPAN 90
F
M
flow exporter 206
flow record 189
match 189
datalink 189
flow 189
interface 189
ipv4 189
ipv6 189
transport 189
match parameters 191
I
ICMP Echo operation 79
configuring 79
mirroring traffic for analysis 89
monitoring 90, 216
network traffic for analysis with probe 90
multi-operations scheduling, IP SLAs 67
N
NameSpace Mapper 4
network performance, measuring with IP SLAs 65
R
remote SPAN 91
responder, IP SLA 66, 70
described 66
enabling 70
response time, measuring with IP SLAs 66
restrictions 2
Configuration Engine 2
RSPAN 88, 89, 90, 91, 93, 94, 95, 96, 97, 99, 100, 108, 110, 112, 116
and stack changes 99
characteristics 97
configuration guidelines 100
default configuration 100
destination ports 96
in a device stack 90
interaction with other features 97
monitored ports 95
monitoring ports 96
overview 89
received traffic 94
session limits 88
sessions 93, 108, 110, 112, 116
creating 108, 110
defined 93
limiting source traffic to specific VLANs 112
specifying monitored ports 108, 110
with ingress traffic enabled 116
source ports 95
transmitted traffic 94
VLAN-based 95
SNMP 64
and IP SLAs 64
SPAN 88, 89, 93, 94, 95, 96, 97, 99, 100, 101, 104, 106, 119
and stack changes 99
configuration guidelines 100
default configuration 100
destination ports 96
interaction with other features 97
monitored ports 95
monitoring ports 96
overview 89
received traffic 94
session limits 88
sessions 93, 100, 101, 104, 106, 119
creating 101, 119
defined 93
limiting source traffic to specific VLANs 106
removing destination (monitoring) ports 100
specifying monitored ports 101, 119
with ingress traffic enabled 104
source ports 95
transmitted traffic 94
VLAN-based 95
SPAN traffic 94
stack changes, effects on 99
SPAN and RSPAN 99
T
threshold monitoring, IP SLA 68
U
UDP jitter operation, IP SLAs 68, 75
UDP jitter, configuring 75
V
VLAN filtering and SPAN 96
VLANs 106, 112
limiting source traffic with RSPAN 112
limiting source traffic with SPAN 106
S
services 4
networking 4