
Getting Started with Configuring Cisco IOS NetFlow and NetFlow Data Export

This module contains the minimum amount of information about and instructions necessary for configuring NetFlow to capture and export network traffic data. This module is intended to help you get started using NetFlow and NetFlow Data Export as quickly as possible. If you want more detailed information about this feature and instructions for configuring NetFlow and NetFlow Data Export, please refer to Configuring NetFlow and NetFlow Data Export.

NetFlow capture and export are performed independently on each internetworking device on which NetFlow is enabled. NetFlow need not be operational on each router in the network.

NetFlow is a Cisco IOS application that provides statistics on packets flowing through the router. NetFlow is emerging as a primary network accounting and security technology.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring NetFlow and NetFlow Data Export

Before you enable NetFlow:

  • Configure the router for IP routing.

  • Ensure that one of the following is enabled on your router, and on the interfaces that you want to configure NetFlow on: Cisco Express Forwarding (CEF), distributed CEF, or fast switching.

  • Understand the resources required on your router because NetFlow consumes additional memory and CPU resources.

Restrictions for Configuring NetFlow and NetFlow Data Export

NetFlow Data Capture

NetFlow consumes additional memory. If you have memory constraints, you might want to preset the size of the NetFlow cache so that it contains a smaller number of entries. The default cache size depends on the platform. For example, the default cache size for the Cisco 7500 router is 65536 (64K) entries.

Memory Impact

During times of heavy traffic, the additional flows can fill up the global flow hash table. If you need to increase the size of the global flow hash table, increase the memory of the router.

Cisco IOS Releases 12.2(14)S, 12.0(22)S, or 12.2(15)T

If your router is running a version of Cisco IOS prior to releases 12.2(14)S, 12.0(22)S, or 12.2(15)T, the ip route-cache flow command is used to enable NetFlow on an interface.

If your router is running Cisco IOS release 12.2(14)S, 12.0(22)S, 12.2(15)T, or later, the ip flow ingress command is used to enable NetFlow on an interface.

Egress NetFlow Accounting in Cisco IOS 12.3T Releases, 12.3(11)T, or Later

The Egress NetFlow Accounting feature captures NetFlow statistics for IP traffic only. MPLS statistics are not captured. The MPLS Egress NetFlow Accounting feature can be used on a provider edge (PE) router to capture IP traffic flow information for egress IP packets that arrived at the router as MPLS packets and underwent label disposition.

Egress NetFlow accounting might adversely affect network performance because of the additional accounting-related computation that occurs in the traffic-forwarding path of the router.

Locally generated traffic (traffic that is generated by the router on which the Egress NetFlow Accounting feature is configured) is not counted as flow traffic for the Egress NetFlow Accounting feature.


Note


In Cisco IOS 12.2S releases, egress NetFlow captures either IPv4 packets or MPLS packets as they leave the router.


The Egress NetFlow Accounting feature counts CEF-switched packets only. Process-switched transit packets are not counted.

NetFlow Data Export

Restrictions for NetFlow Version 9 Data Export

  • Backward compatibility--Version 9 is not backward-compatible with Version 5 or Version 8. If you need Version 5 or Version 8, you must configure it.

  • Export bandwidth--Export bandwidth use increases for Version 9 (because of template flowsets) versus Version 5. The increase in bandwidth usage versus Version 5 varies with the frequency with which template flowsets are sent. The default is to resend templates every 20 packets, which has a bandwidth cost of about 4 percent. If necessary, you can lower the resend rate with the ip flow-export template refresh-rate packets command.

  • Performance impact--Version 9 slightly decreases overall performance, because generating and maintaining valid template flowsets require additional processing.

Information About Configuring NetFlow and NetFlow Data Export

NetFlow Data Capture

NetFlow captures data from ingress (incoming) and egress (outgoing) packets. NetFlow gathers statistics for the following ingress IP packets:

  • IP-to-IP packets

  • IP-to-Multiprotocol Label Switching (MPLS) packets

  • Frame Relay-terminated packets

  • ATM-terminated packets

NetFlow captures data for all egress (outgoing) packets through the use of the following features:

  • Egress NetFlow Accounting--NetFlow gathers statistics for all egress packets for IP traffic only.

  • NetFlow MPLS Egress--NetFlow gathers statistics for all egress MPLS-to-IP packets.

NetFlow Flows Key Fields

A network flow is identified as a unidirectional stream of packets between a given source and destination--both are defined by a network-layer IP address and by transport-layer source and destination port numbers. Specifically, a flow is identified as the combination of the following key fields:

  • Source IP address

  • Destination IP address

  • Source port number

  • Destination port number

  • Layer 3 protocol type

  • Type of service (ToS)

  • Input logical interface

These seven key fields define a unique flow. If a packet has one key field different from another packet, it is considered to belong to another flow. A flow might contain other accounting fields (such as the AS number in the NetFlow export Version 5 flow format) that depend on the export record version that you configure. Flows are stored in the NetFlow cache.

NetFlow Data Export Using the Version 9 Export Format

NetFlow Data Export format Version 9 is a flexible and extensible format, which provides the versatility needed for support of new fields and record types. This format accommodates new NetFlow-supported technologies such as Multicast, Multiprotocol Label Switching (MPLS), and Border Gateway Protocol (BGP) next hop. The Version 9 export format enables you to use the same version for main and aggregation caches, and the format is extendable, so you can use the same export format with future features.
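A collector-side view of the Version 9 format described above, as an added example that is not Cisco code: the exporter first sends a template flowset that names each field and its length, and data flowsets can only be decoded once that template has been seen. The field type numbers come from the NetFlow v9 specification (RFC 3954), not from this page; the exporter address 192.0.2.1, the interface index and the counters in the sample datagrams are constructed.

```python
import ipaddress
import struct

# Field types from the NetFlow v9 specification (RFC 3954). The first seven
# correspond to the key fields listed under "NetFlow Flows Key Fields".
FIELD_NAMES = {
    8: "src_addr", 12: "dst_addr", 7: "src_port", 11: "dst_port",
    4: "protocol", 5: "tos", 10: "input_if", 2: "packets", 1: "bytes",
}
HEADER = struct.Struct("!HHIIII")  # version, count, uptime, secs, sequence, source_id
SET_HDR = struct.Struct("!HH")     # flowset id, length (includes header and padding)


class V9Collector:
    """Minimal NetFlow v9 decoder that caches templates per exporter."""

    def __init__(self):
        self.templates = {}  # (exporter, source_id, template_id) -> [(type, length)]
        self.undecoded = 0   # data flowsets that arrived before their template

    def feed(self, exporter, datagram):
        """Parse one UDP payload and return the decoded flow records."""
        if len(datagram) < HEADER.size:
            raise ValueError("datagram shorter than the v9 header")
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(datagram)
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        records, offset = [], HEADER.size
        while offset + SET_HDR.size <= len(datagram):
            set_id, length = SET_HDR.unpack_from(datagram, offset)
            if length < SET_HDR.size or offset + length > len(datagram):
                raise ValueError("flowset length exceeds datagram")
            body = datagram[offset + SET_HDR.size:offset + length]
            if set_id == 0:
                self._learn_templates(exporter, source_id, body)
            elif set_id >= 256:
                records += self._decode(exporter, source_id, set_id, body)
            # Flowset ids 1-255 (for example options templates) are skipped here.
            offset += length
        return records

    def _learn_templates(self, exporter, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            pos += 4
            if template_id < 256 or pos + 4 * field_count > len(body):
                break  # padding or a truncated template
            fields = [struct.unpack_from("!HH", body, pos + 4 * i)
                      for i in range(field_count)]
            pos += 4 * field_count
            self.templates[(exporter, source_id, template_id)] = fields

    def _decode(self, exporter, source_id, template_id, body):
        fields = self.templates.get((exporter, source_id, template_id))
        if fields is None:
            self.undecoded += 1  # cannot interpret the bytes without a template
            return []
        rec_len = sum(length for _ftype, length in fields)
        out, pos = [], 0
        while rec_len and pos + rec_len <= len(body):  # leftover bytes are padding
            rec = {}
            for ftype, length in fields:
                raw = body[pos:pos + length]
                pos += length
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                if ftype in (8, 12) and length == 4:
                    rec[name] = str(ipaddress.IPv4Address(raw))
                else:
                    rec[name] = int.from_bytes(raw, "big")
            out.append(rec)
        return out


def build_sample():
    """Constructed datagrams: one with template 256, one with a data record."""
    layout = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (10, 2), (2, 4), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(layout))
    tmpl += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in layout)
    tmpl_set = SET_HDR.pack(0, SET_HDR.size + len(tmpl)) + tmpl
    # TCP flow 192.168.87.200 -> 172.16.10.2, port 21, taken from the sample
    # output on this page; input interface 1 and 2080 bytes are constructed.
    rec = ipaddress.IPv4Address("192.168.87.200").packed
    rec += ipaddress.IPv4Address("172.16.10.2").packed
    rec += struct.pack("!HHBBHII", 21, 21, 6, 0, 1, 52, 2080)
    data_set = SET_HDR.pack(256, SET_HDR.size + len(rec)) + rec
    template_pkt = HEADER.pack(9, 1, 1000, 1700000000, 1, 0) + tmpl_set
    data_pkt = HEADER.pack(9, 1, 2000, 1700000001, 2, 0) + data_set
    return template_pkt, data_pkt


if __name__ == "__main__":
    collector = V9Collector()
    template_pkt, data_pkt = build_sample()
    print(collector.feed("192.0.2.1", data_pkt), collector.undecoded)  # no template yet
    collector.feed("192.0.2.1", template_pkt)
    print(collector.feed("192.0.2.1", data_pkt))
```

Because templates are cached per exporter and source ID, a collector that starts after the router has to wait for the next template resend before it can decode anything.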

How to Configure NetFlow and NetFlow Data Export

Configuring NetFlow and NetFlow Data Export Using the Version 9 Export Format

Perform this task to configure NetFlow and NetFlow Data Export using the Version 9 export format.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    ip flow-export destination {ip-address | hostname} udp-port

    4.    Repeat Step 3 once to configure a second NetFlow export destination.

    5.    ip flow-export version 9

    6.    interface interface-type interface-number

    7.    ip flow {ingress | egress}

    8.    exit

    9.    Repeat Steps 6 through 8 to enable NetFlow on other interfaces

    10.    end


DETAILED STEPS
     Command or Action / Purpose
    Step 1 enable


    Example:
    Router> enable
     

    (Required) Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Router# configure terminal
     

    (Required) Enters global configuration mode.

     
    Step 3 ip flow-export destination {ip-address | hostname} udp-port


    Example:
    Router(config)# ip flow-export destination 172.16.10.2 99
     

    (Optional) Specifies the IP address or hostname of the workstation to which you want to send the NetFlow information, and the number of the UDP port on which the workstation is listening for this input.

    Note   

    The workstation is running an application such as NetFlow Collection Engine (NFC) that is used to analyze the exported data.

     
    Step 4 Repeat Step 3 once to configure a second NetFlow export destination.  

    (Optional) You can configure a maximum of two export destinations for NetFlow.

     
    Step 5 ip flow-export version 9


    Example:
    Router(config)# ip flow-export version 9
     

    (Optional) Enables the export of information in NetFlow cache entries.

    • The version 9 keyword specifies that the export packet uses the Version 9 format.

    Caution   

    Entering this command on a Cisco 12000 Series Internet Router causes packet forwarding to stop for a few seconds while NetFlow reloads the route processor and line card CEF tables. To avoid interruption of service to a live network, apply this command during a change window, or include it in the startup-config file to be executed during a router reboot.

     
    Step 6 interface interface-type interface-number


    Example:
    Router(config)# interface ethernet 0/0
     

    (Required) Specifies the interface that you want to enable NetFlow on and enters interface configuration mode.

     
    Step 7 ip flow {ingress | egress}


    Example:
    Router(config-if)# ip flow ingress
     

    (Required) Enables NetFlow on the interface.

    • ingress --Captures traffic that is being received by the interface.

    • egress --Captures traffic that is being transmitted by the interface.

     
    Step 8 exit


    Example:
    Router(config-if)# exit
     

    (Optional) Exits interface configuration mode and returns to global configuration mode.

    Note   

    You only need to use this command if you want to enable NetFlow on another interface.

     
    Step 9 Repeat Steps 6 through 8 to enable NetFlow on other interfaces  

    (Optional) --

     
    Step 10 end


    Example:
    Router(config-if)# end
     

    (Required) Exits the current configuration mode and returns to privileged EXEC mode.

     

    Verifying That NetFlow Is Operational and Viewing NetFlow Statistics

    To verify that NetFlow is working properly, perform this optional task.

    SUMMARY STEPS

      1.    show ip flow interface

      2.    show ip cache flow

      3.    show ip cache verbose flow


    DETAILED STEPS
      Step 1   show ip flow interface

      Use this command to display the NetFlow configuration for an interface. The following is sample output from this command:



      Example:
      Router# show ip flow interface
      Ethernet0/0
        ip flow ingress
      
      Step 2   show ip cache flow

      Use this command to verify that NetFlow is operational and to display a summary of the NetFlow statistics. The following is sample output from this command:



      Example:
      Router# show ip cache flow
      IP packet size distribution (1103746 total packets):
         1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
         .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
          512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
         .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000
      IP Flow Switching Cache, 278544 bytes
        35 active, 4061 inactive, 980 added
        2921778 ager polls, 0 flow alloc failures
        Active flows timeout in 30 minutes
        Inactive flows timeout in 15 seconds
      IP Sub Flow Cache, 21640 bytes
        0 active, 1024 inactive, 0 added, 0 added to flow
        0 alloc failures, 0 force free
        1 chunk, 1 chunk added
        last clearing of statistics never
      Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
      --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
      TCP-FTP            108      0.0      1133    40      2.4    1799.6       0.9
      TCP-FTPD           108      0.0      1133    40      2.4    1799.6       0.9
      TCP-WWW             54      0.0      1133    40      1.2    1799.6       0.8
      TCP-SMTP            54      0.0      1133    40      1.2    1799.6       0.8
      TCP-BGP             27      0.0      1133    40      0.6    1799.6       0.7
      TCP-NNTP            27      0.0      1133    40      0.6    1799.6       0.7
      TCP-other          297      0.0      1133    40      6.8    1799.7       0.8
      UDP-TFTP            27      0.0      1133    28      0.6    1799.6       1.0
      UDP-other          108      0.0      1417    28      3.1    1799.6       0.9
      ICMP               135      0.0      1133   427      3.1    1799.6       0.8
      Total:             945      0.0      1166    91     22.4    1799.6       0.8
      SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
      Et0/0         192.168.67.6    Et1/0.1       172.16.10.200   01 0000 0C01    51 
      Et0/0         10.10.18.1      Null          172.16.11.5     11 0043 0043    51 
      Et0/0         10.10.18.1      Null          172.16.11.5     11 0045 0045    51 
      Et0/0         10.234.53.1     Et1/0.1       172.16.10.2     01 0000 0800    51 
      Et0/0         10.10.19.1      Null          172.16.11.6     11 0044 0044    51 
      Et0/0         10.10.19.1      Null          172.16.11.6     11 00A2 00A2    51 
      Et0/0         192.168.87.200  Et1/0.1       172.16.10.2     06 0014 0014    50 
      Et0/0         192.168.87.200  Et1/0.1       172.16.10.2     06 0015 0015    52 
      .
      .
      .
      Et0/0         172.16.1.84     Et1/0.1       172.16.10.19    06 0087 0087    50 
      Et0/0         172.16.1.84     Et1/0.1       172.16.10.19    06 0050 0050    51 
      Et0/0         172.16.1.85     Et1/0.1       172.16.10.20    06 0089 0089    49 
      Et0/0         172.16.1.85     Et1/0.1       172.16.10.20    06 0050 0050    50 
      Et0/0         10.251.10.1     Et1/0.1       172.16.10.2     01 0000 0800    51 
      Et0/0         10.162.37.71    Null          172.16.11.3     06 027C 027C    49 
      
      Step 3   show ip cache verbose flow

      Use this command to verify that NetFlow is operational and to display a detailed summary of the NetFlow statistics. The following is sample output from this command:



      Example:
      Router# show ip cache verbose flow
      IP packet size distribution (1130681 total packets):
         1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
         .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
          512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
         .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000
      IP Flow Switching Cache, 278544 bytes
        35 active, 4061 inactive, 980 added
        2992518 ager polls, 0 flow alloc failures
        Active flows timeout in 30 minutes
        Inactive flows timeout in 15 seconds
      IP Sub Flow Cache, 21640 bytes
        0 active, 1024 inactive, 0 added, 0 added to flow
        0 alloc failures, 0 force free
        1 chunk, 1 chunk added
        last clearing of statistics never
      Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
      --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
      TCP-FTP            108      0.0      1133    40      2.4    1799.6       0.9
      TCP-FTPD           108      0.0      1133    40      2.4    1799.6       0.9
      TCP-WWW             54      0.0      1133    40      1.2    1799.6       0.8
      TCP-SMTP            54      0.0      1133    40      1.2    1799.6       0.8
      TCP-BGP             27      0.0      1133    40      0.6    1799.6       0.7
      TCP-NNTP            27      0.0      1133    40      0.6    1799.6       0.7
      TCP-other          297      0.0      1133    40      6.6    1799.7       0.8
      UDP-TFTP            27      0.0      1133    28      0.6    1799.6       1.0
      UDP-other          108      0.0      1417    28      3.0    1799.6       0.9
      ICMP               135      0.0      1133   427      3.0    1799.6       0.8
      Total:             945      0.0      1166    91     21.9    1799.6       0.8
      SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
      Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
      Et0/0          192.168.67.6    Et1/0.1        172.16.10.200   01 00  10     799 
      0000 /0  0                     0C01 /0  0     0.0.0.0                28  1258.1
      Et0/0          10.10.18.1      Null           172.16.11.5     11 00  10     799 
      0043 /0  0                     0043 /0  0     0.0.0.0                28  1258.0
      Et0/0          10.10.18.1      Null           172.16.11.5     11 00  10     799 
      0045 /0  0                     0045 /0  0     0.0.0.0                28  1258.0
      Et0/0          10.234.53.1     Et1/0.1        172.16.10.2     01 00  10     799 
      0000 /0  0                     0800 /0  0     0.0.0.0                28  1258.1
      Et0/0          10.10.19.1      Null           172.16.11.6     11 00  10     799 
      0044 /0  0                     0044 /0  0     0.0.0.0                28  1258.1
      .
      .
      .
      Et0/0          172.16.1.84     Et1/0.1        172.16.10.19    06 00  00     799 
      0087 /0  0                     0087 /0  0     0.0.0.0                40  1258.1
      Et0/0          172.16.1.84     Et1/0.1        172.16.10.19    06 00  00     799 
      0050 /0  0                     0050 /0  0     0.0.0.0                40  1258.0
      Et0/0          172.16.1.85     Et1/0.1        172.16.10.20    06 00  00     798 
      0089 /0  0                     0089 /0  0     0.0.0.0                40  1256.5
      Et0/0          172.16.1.85     Et1/0.1        172.16.10.20    06 00  00     799 
      0050 /0  0                     0050 /0  0     0.0.0.0                40  1258.0
      Et0/0          10.251.10.1     Et1/0.1        172.16.10.2     01 00  10     799 
      0000 /0  0                     0800 /0  0     0.0.0.0              1500  1258.1
      Et0/0          10.162.37.71    Null           172.16.11.3     06 00  00     798 
      027C /0  0                     027C /0  0     0.0.0.0                40  1256.4
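The flow lines in the show ip cache flow output (Step 2) print the protocol and both ports in hexadecimal, which is easy to misread during triage. The following added example, not part of the Cisco documentation, parses those lines into decimal values, totals packets per protocol, and lists flows whose DstIf is Null. It relies on the NetFlow convention that for ICMP the destination-port field holds type*256+code, which this page does not state; the two-line verbose layout from Step 3 is not handled.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Flow lines copied from the "show ip cache flow" sample output on this page.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         192.168.67.6    Et1/0.1       172.16.10.200   01 0000 0C01    51
Et0/0         10.10.18.1      Null          172.16.11.5     11 0043 0043    51
Et0/0         10.234.53.1     Et1/0.1       172.16.10.2     01 0000 0800    51
Et0/0         192.168.87.200  Et1/0.1       172.16.10.2     06 0015 0015    52
.
.
.
Et0/0         172.16.1.84     Et1/0.1       172.16.10.19    06 0050 0050    51
Et0/0         10.162.37.71    Null          172.16.11.3     06 027C 027C    49
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# One flow line: interfaces, dotted-quad addresses, then Pr/SrcP/DstP in hex.
FLOW_RE = re.compile(
    r"^\s*(?P<src_if>\S+)\s+(?P<src_ip>\d+(?:\.\d+){3})\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst_ip>\d+(?:\.\d+){3})\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+"
    r"(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)


@dataclass(frozen=True)
class Flow:
    src_if: str
    src_ip: ipaddress.IPv4Address
    dst_if: str
    dst_ip: ipaddress.IPv4Address
    proto: int
    src_port: int
    dst_port: int
    packets: int

    @property
    def icmp_type_code(self):
        """(type, code) for ICMP flows, else None. Assumes DstP = type*256 + code."""
        if self.proto != 1:
            return None
        return self.dst_port >> 8, self.dst_port & 0xFF

    def describe(self):
        name = PROTO_NAMES.get(self.proto, str(self.proto))
        if self.proto == 1:
            icmp_type, icmp_code = self.icmp_type_code
            l4 = f"type {icmp_type} code {icmp_code}"
        else:
            l4 = f"{self.src_port} -> {self.dst_port}"
        return f"{self.src_ip} > {self.dst_ip} {name} {l4} pkts={self.packets} out={self.dst_if}"


def parse_flow_table(text):
    """Return Flow objects for every flow line; headers and '.' lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.IPv4Address(m["src_ip"])
            dst = ipaddress.IPv4Address(m["dst_ip"])
        except ipaddress.AddressValueError:
            continue  # looked like a flow line but the address is not valid
        flows.append(Flow(m["src_if"], src, m["dst_if"], dst,
                          int(m["proto"], 16), int(m["sport"], 16),
                          int(m["dport"], 16), int(m["pkts"])))
    return flows


def packets_by_protocol(flows):
    """Total packet count per protocol name."""
    totals = Counter()
    for f in flows:
        totals[PROTO_NAMES.get(f.proto, str(f.proto))] += f.packets
    return totals


def no_output_interface(flows):
    """Flows with DstIf 'Null', meaning no output interface was recorded."""
    return [f for f in flows if f.dst_if == "Null"]


if __name__ == "__main__":
    parsed = parse_flow_table(SAMPLE)
    for flow in parsed:
        print(flow.describe())
    print(dict(packets_by_protocol(parsed)))
```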
      

      Verifying That NetFlow Data Export Is Operational

      To verify that NetFlow data export is operational and to view the statistics for NetFlow data export, perform the step in this optional task.

      SUMMARY STEPS

        1.    show ip flow export


      DETAILED STEPS
      show ip flow export

      Use this command to display the statistics for the NetFlow data export, including statistics for the main cache and for all other enabled caches. The following is sample output from this command:



      Example:
      Router# show ip flow export
      Flow export v9 is enabled for main cache
        Exporting flows to 172.16.10.2 (99) 
        Exporting using source interface Ethernet0/0
        Version 9 flow records
        0 flows exported in 0 udp datagrams
        0 flows failed due to lack of export packet
        0 export packets were sent up to process level
        0 export packets were dropped due to no fib
        0 export packets were dropped due to adjacency issues
        0 export packets were dropped due to fragmentation failures
        0 export packets were dropped due to encapsulation fixup failures
      

      Configuration Examples for Configuring NetFlow and NetFlow Data Export

      Example Configuring Egress NetFlow Accounting

      The following example shows how to configure Egress NetFlow Accounting:

      configure terminal
      !
      interface ethernet 0/0
       ip flow egress
      !

      Example Configuring NetFlow Subinterface Support

      NetFlow Subinterface Support For Ingress (Received) Traffic On a Subinterface

      configure terminal
      !
      interface ethernet 0/0.1
       ip flow ingress
      !
      

      NetFlow SubInterface Support For Egress (Transmitted) Traffic On a Subinterface

      configure terminal
      !
      interface ethernet 1/0.1
       ip flow egress
      !
      

      Note


      NetFlow performs additional checks for the status of each subinterface that requires more CPU processing time and bandwidth. If you have several subinterfaces configured and you want to configure NetFlow data capture on all of them, we recommend that you configure NetFlow on the main interface instead of on the individual subinterfaces.


      Example Configuring NetFlow Multiple Export Destinations

      The following example shows how to configure NetFlow multiple export destinations:

      configure terminal
      !
      ip flow-export destination 10.10.10.10 9991
      ip flow-export destination 172.16.10.2 9991
      !
      

      Note


      You can configure a maximum of two export destinations for the main cache and for each aggregation cache.


      Example Configuring NetFlow and NetFlow Data Export Using the Version 9 Export Format

      The following example shows how to configure NetFlow and NetFlow data export using the Version 9 export format:

      configure terminal
      !
      ip flow-export destination 10.10.10.10 9991
      ip flow-export version 9
      !

      Example Configuring NetFlow for Analyzing PPPoE Session Traffic

      If you want to obtain accurate NetFlow traffic statistics for PPPoE sessions, you must configure NetFlow on the virtual-template interface, not on the physical interface that is configured with VLAN encapsulation. For example, if you configure NetFlow on the physical interface that is configured for VLAN encapsulation as shown in the following configuration, the NetFlow traffic statistics will not be an accurate representation of the traffic on the PPPoE sessions.

      !
      interface GigabitEthernet2/0/0.10
       encapsulation dot1Q 10
       ip flow egress
       pppoe enable

      The following example shows how to configure egress NetFlow on a virtual template interface so that you can accurately analyze the packet size distribution statistics of the traffic that the router is sending to the end user over the PPPoE session:

      interface Virtual-Template 1
       ip unnumbered ethernet 0 
       encapsulation ppp 
       ip flow egress
      

      The following display output from the show ip cache flow command shows that this PPPoE session traffic is comprised primarily of 1536-byte packets.

      Router# show ip cache flow
      IP packet size distribution (11014160 total packets):
        1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
        .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
         512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
        .000 .000 .000 .000 .999 .000 .000 .000 .000 .000 .000

      Additional References

      Related Documents

      Related topic--Document title:

        • Cisco IOS commands--Cisco IOS Master Commands List, All Releases

        • Overview of Cisco IOS NetFlow--Cisco IOS NetFlow Overview

        • Tasks for configuring NetFlow to capture and export network traffic data--Configuring NetFlow and NetFlow Data Export

        • Tasks for configuring MPLS Aware NetFlow--Configuring MPLS Aware NetFlow

        • Tasks for configuring MPLS egress NetFlow accounting--Configuring MPLS Egress NetFlow Accounting and Analysis

        • Tasks for configuring NetFlow input filters--Using NetFlow Filtering or Sampling to Select the Network Traffic to Track

        • Tasks for configuring random sampled NetFlow--Using NetFlow Filtering or Sampling to Select the Network Traffic to Track

        • Tasks for configuring NetFlow aggregation caches--Configuring NetFlow Aggregation Caches

        • Tasks for configuring NetFlow BGP next hop support--Configuring NetFlow BGP Next Hop Support for Accounting and Analysis

        • Tasks for configuring NetFlow multicast support--Configuring NetFlow Multicast Accounting

        • Tasks for detecting and analyzing network threats with NetFlow--Detecting and Analyzing Network Threats With NetFlow

        • Tasks for configuring NetFlow Reliable Export With SCTP--NetFlow Reliable Export With SCTP

        • Tasks for configuring NetFlow Layer 2 and Security Monitoring Exports--NetFlow Layer 2 and Security Monitoring Exports

        • Tasks for configuring the SNMP NetFlow MIB--Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

        • Tasks for configuring the NetFlow MIB and Top Talkers feature--Configuring NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands

        • Information for installing, starting, and configuring the CNS NetFlow Collection Engine--Cisco CNS NetFlow Collection Engine Documentation

        • Configuration commands for NetFlow--Cisco IOS NetFlow Command Reference

      Standards

      No new or modified standards are supported, and support for existing standards has not been modified.

      MIBs

      No new or modified MIBs are supported, and support for existing MIBs has not been modified.

      To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

      http://www.cisco.com/go/mibs

      RFCs

      No new or modified RFCs are supported, and support for existing RFCs has not been modified.

      Technical Assistance

      The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

      http://www.cisco.com/cisco/web/support/index.html

      Feature Information for Configuring NetFlow and NetFlow Data Export

      The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

      Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
      Table 1 Feature Information for Configuring NetFlow and NetFlow Data Export

      Feature Name: Egress NetFlow Accounting

      Releases: 12.3(11)T, 15.0(1)S

      Feature Configuration Information: The Egress NetFlow Accounting feature allows NetFlow statistics to be gathered on egress traffic that is exiting the router. Previous versions of NetFlow allow statistics to be gathered only on ingress traffic that is entering the router.

      The following commands were introduced by this feature: ip flow egress and ip flow-egress input-interface.

      The following commands were modified by this feature: flow-sampler, match, show ip cache flow, show ip cache verbose flow, and show ip flow interface.

      Feature Name: NetFlow Multiple Export Destinations

      Releases: 12.0(19)S, 12.2(2)T, 12.2(14)S, 15.0(1)S

      Feature Configuration Information: The NetFlow Multiple Export Destinations feature enables configuration of multiple destinations of the NetFlow data.

      The following commands were modified by this feature: ip flow-aggregation cache, ip flow-export destination, and show ip flow export.

      Feature Name: NetFlow Subinterface Support

      Releases: 12.0(22)S, 12.2(14)S, 12.2(15)T

      Feature Configuration Information: The NetFlow Subinterface Support feature provides the ability to enable NetFlow on a per-subinterface basis.

      The following command was introduced by this feature: ip flow ingress.

      The following command was modified by this feature: show ip interface.

      Feature Name: NetFlow v9 Export Format

      Releases: 12.0(24)S, 12.2(18)S, 12.2(27)SBC, 12.2(18)SXF, 12.3(1), 15.0(1)S

      Feature Configuration Information: The NetFlow v9 Export Format is flexible and extensible, which provides the versatility needed to support new fields and record types. This format accommodates new NetFlow-supported technologies such as Multicast, MPLS, NAT, and BGP next hop.

      The following commands were modified by this feature: debug ip flow export, export, ip flow-export, and show ip flow export.

      Glossary

      AS --autonomous system. A collection of networks under a common administration sharing a common routing strategy. Autonomous systems are subdivided by areas. An autonomous system must be assigned a unique 16-bit number by the Internet Assigned Numbers Authority (IANA).

      CEF --Cisco Express Forwarding. Layer 3 IP switching technology that optimizes network performance and scalability for networks with large and dynamic traffic patterns.

      BGP --Border Gateway Protocol. An interdomain routing protocol that replaces Exterior Gateway Protocol (EGP). A BGP system exchanges reachability information with other BGP systems. BGP is defined by RFC 1163.

      BGP next hop --IP address of the next hop to be used by a router to reach a certain destination.

      dCEF --distributed Cisco Express Forwarding. A type of CEF switching in which line cards (such as Versatile Interface Processor (VIP) line cards) maintain identical copies of the forwarding information base (FIB) and adjacency tables. The line cards perform the express forwarding between port adapters; this relieves the Route Switch Processor of involvement in the switching operation.

      export packet --Type of packet built by a device (for example, a router) with NetFlow services enabled that is addressed to another device (for example, the NetFlow Collection Engine). The packet contains NetFlow statistics. The other device processes the packet (parses, aggregates, and stores information on IP flows).

      fast switching --Cisco feature in which a route cache is used to expedite packet switching through a router.

      flow --A set of packets with the same source IP address, destination IP address, protocol, source/destination ports, and type-of-service, and the same interface on which the flow is monitored. Ingress flows are associated with the input interface, and egress flows are associated with the output interface.

      MPLS --Multiprotocol Label Switching. An emerging industry standard for the forwarding of packets along a normally routed path (sometimes called MPLS hop-by-hop forwarding).

      NetFlow --A Cisco IOS application that provides statistics on packets flowing through the router. It is emerging as a primary network accounting and security technology.

      NetFlow Aggregation --A NetFlow feature that lets you summarize NetFlow export data on an IOS router before the data is exported to a NetFlow data collection system such as the NetFlow Collection Engine. This feature lowers bandwidth requirements for NetFlow export data and reduces platform requirements for NetFlow data collection devices.

      NetFlow Collection Engine (formerly NetFlow FlowCollector)--Cisco application that is used with NetFlow on Cisco routers and Catalyst series switches. The NetFlow Collection Engine collects packets from the router that is running NetFlow and decodes, aggregates, and stores them. You can generate reports on various aggregations that can be set up on the NetFlow Collection Engine.

      NetFlow v9 --NetFlow export format Version 9. A flexible and extensible means for carrying NetFlow records from a network node to a collector. NetFlow Version 9 has definable record types and is self-describing for easier NetFlow Collection Engine configuration.

      RP --Route Processor. A processor module in the Cisco 7000 series routers that contains the CPU, system software, and most of the memory components that are used in the router. Sometimes called a Supervisory Processor.


      Restrictions for Configuring NetFlow and NetFlow Data Export

      NetFlow Data Capture

      NetFlow consumes additional memory. If you have memory constraints, you might want to preset the size of the NetFlow cache so that it contains a smaller number of entries. The default cache size depends on the platform. For example, the default cache size for the Cisco 7500 router is 65536 (64K) entries.

      Memory Impact

      During times of heavy traffic, the additional flows can fill up the global flow hash table. If you need to increase the size of the global flow hash table, increase the memory of the router.

      Cisco IOS Releases 12.2(14)S, 12.0(22)S, or 12.2(15)T

      If your router is running a version of Cisco IOS prior to releases 12.2(14)S, 12.0(22)S, or 12.2(15)T, the ip route-cache flow command is used to enable NetFlow on an interface.

      If your router is running Cisco IOS release 12.2(14)S, 12.0(22)S, 12.2(15)T, or later, the ip flow ingress command is used to enable NetFlow on an interface.

      Egress NetFlow Accounting in Cisco IOS 12.3T Releases, 12.3(11)T, or Later

      The Egress NetFlow Accounting feature captures NetFlow statistics for IP traffic only. MPLS statistics are not captured. The MPLS Egress NetFlow Accounting feature can be used on a provider edge (PE) router to capture IP traffic flow information for egress IP packets that arrived at the router as MPLS packets and underwent label disposition.

      Egress NetFlow accounting might adversely affect network performance because of the additional accounting-related computation that occurs in the traffic-forwarding path of the router.

      Locally generated traffic (traffic that is generated by the router on which the Egress NetFlow Accounting feature is configured) is not counted as flow traffic for the Egress NetFlow Accounting feature.


      Note


      In Cisco IOS 12.2S releases, egress NetFlow captures either IPv4 packets or MPLS packets as they leave the router.


      The Egress NetFlow Accounting feature counts CEF-switched packets only. Process-switched transit packets are not counted.

      NetFlow Data Export

      Restrictions for NetFlow Version 9 Data Export

      • Backward compatibility--Version 9 is not backward-compatible with Version 5 or Version 8. If you need Version 5 or Version 8, you must configure it.

      • Export bandwidth--Export bandwidth use increases for Version 9 (because of template flowsets) versus Version 5. The increase in bandwidth usage versus Version 5 varies with the frequency with which template flowsets are sent. The default is to resend templates every 20 packets, which has a bandwidth cost of about 4 percent. If necessary, you can lower the resend rate with the ip flow-export template refresh-rate packets command.

      • Performance impact--Version 9 slightly decreases overall performance, because generating and maintaining valid template flowsets require additional processing.

      Information About Configuring NetFlow and NetFlow Data Export

      NetFlow Data Capture

      NetFlow captures data from ingress (incoming) and egress (outgoing) packets. NetFlow gathers statistics for the following ingress IP packets:

      • IP-to-IP packets

      • IP-to-Multiprotocol Label Switching (MPLS) packets

      • Frame Relay-terminated packets

      • ATM-terminated packets

      NetFlow captures data for all egress (outgoing) packets through the use of the following features:

      • Egress NetFlow Accounting--NetFlow gathers statistics for all egress packets for IP traffic only.

      • NetFlow MPLS Egress--NetFlow gathers statistics for all egress MPLS-to-IP packets.

      NetFlow Flows Key Fields

      A network flow is identified as a unidirectional stream of packets between a given source and destination--both are defined by a network-layer IP address and by transport-layer source and destination port numbers. Specifically, a flow is identified as the combination of the following key fields:

      • Source IP address

      • Destination IP address

      • Source port number

      • Destination port number

      • Layer 3 protocol type

      • Type of service (ToS)

      • Input logical interface

      These seven key fields define a unique flow. If a packet has one key field different from another packet, it is considered to belong to another flow. A flow might contain other accounting fields (such as the AS number in the NetFlow export Version 5 flow format) that depend on the export record version that you configure. Flows are stored in the NetFlow cache.

      NetFlow Data Export Using the Version 9 Export Format

      NetFlow Data Export format Version 9 is a flexible and extensible format, which provides the versatility needed for support of new fields and record types. This format accommodates new NetFlow-supported technologies such as Multicast, Multiprotocol Label Switching (MPLS), and Border Gateway Protocol (BGP) next hop. The Version 9 export format enables you to use the same version for main and aggregation caches, and the format is extendable, so you can use the same export format with future features.
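The self-describing nature of Version 9 matters most on the collector: a data flowset can only be decoded after the matching template flowset has arrived, and every length field comes off an unauthenticated UDP datagram. The following decoder is an added illustration, not Cisco code; the field type numbers follow RFC 3954, and the packets, exporter addresses, and SNMP interface index are constructed sample values.

```python
import ipaddress
import struct

# Field type numbers as assigned in the NetFlow v9 specification (RFC 3954);
# only the seven flow key fields plus a packet counter are named here.
FIELD_NAMES = {2: "IN_PKTS", 4: "PROTOCOL", 5: "TOS", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
               12: "IPV4_DST_ADDR"}


class V9Decoder:
    """Collector-side decoder that keeps template state per exporter."""

    def __init__(self):
        self.templates = {}   # (exporter, source_id, template_id) -> fields
        self.undecodable = 0  # data flowsets received before their template

    def decode(self, exporter, packet):
        """Return the flow records in one export packet (UDP payload)."""
        if len(packet) < 20:
            raise ValueError("truncated export header")
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from(
            "!HHIIII", packet, 0)
        if version != 9:
            raise ValueError("not a Version 9 export packet")
        records, offset = [], 20
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack_from("!HH", packet, offset)
            # The length comes from the network: check it before slicing.
            if length < 4 or offset + length > len(packet):
                raise ValueError("flowset length outside packet")
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:        # template flowset
                self._learn(exporter, source_id, body)
            elif flowset_id > 255:     # data flowset, ID names its template
                records += self._data(exporter, source_id, flowset_id, body)
            offset += length           # IDs 1-255 (options, reserved) skipped
        return records

    def _learn(self, exporter, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            if template_id < 256:
                break                  # trailing padding
            pos += 4
            if pos + 4 * field_count > len(body):
                raise ValueError("template record outside flowset")
            fields = [struct.unpack_from("!HH", body, pos + 4 * i)
                      for i in range(field_count)]
            pos += 4 * field_count
            # Keyed by exporter and source ID so that one device cannot
            # redefine a template that another device's records rely on.
            self.templates[(exporter, source_id, template_id)] = fields

    def _data(self, exporter, source_id, template_id, body):
        fields = self.templates.get((exporter, source_id, template_id))
        if fields is None:
            self.undecodable += 1      # wait for the next template resend
            return []
        size = sum(length for _type, length in fields)
        out, pos = [], 0
        while size and pos + size <= len(body):   # remainder is padding
            rec = {}
            for ftype, flen in fields:
                raw, pos = body[pos:pos + flen], pos + flen
                name = FIELD_NAMES.get(ftype, "type_%d" % ftype)
                if ftype in (8, 12) and flen == 4:
                    rec[name] = str(ipaddress.IPv4Address(raw))
                else:
                    rec[name] = int.from_bytes(raw, "big")
            out.append(rec)
        return out


def build_sample():
    """Constructed packets: (template-only packet, data-only packet)."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (10, 2), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(
        struct.pack("!HH", t, n) for t, n in fields)

    def rec(src, dst, sport, dport, proto, tos, in_if, pkts):
        return (ipaddress.IPv4Address(src).packed
                + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBBHI", sport, dport, proto, tos, in_if, pkts))

    data = (rec("192.168.87.200", "172.16.10.2", 20, 20, 6, 0, 1, 50)
            + rec("172.16.1.84", "172.16.10.19", 80, 80, 6, 0, 1, 51))

    def header(count, seq):
        return struct.pack("!HHIIII", 9, count, 1000, 1700000000, seq, 0)

    return (header(1, 0) + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl,
            header(2, 1) + struct.pack("!HH", 256, 4 + len(data)) + data)


if __name__ == "__main__":
    decoder = V9Decoder()
    template_pkt, data_pkt = build_sample()
    print(decoder.decode("192.0.2.1", data_pkt))      # template not seen yet
    decoder.decode("192.0.2.1", template_pkt)
    for record in decoder.decode("192.0.2.1", data_pkt):
        print(record)
```

A collector that starts after the router is already exporting sits in the undecodable state until the next template resend, which is why the template refresh rate affects how quickly flow data becomes usable after a collector restart.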

      How to Configure NetFlow and NetFlow Data Export

      Configuring NetFlow and NetFlow Data Export Using the Version 9 Export Format

      Perform this task to configure NetFlow and NetFlow Data Export using the Version 9 export format.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    ip flow-export destination {ip-address | hostname} udp-port

        4.    Repeat Step 3 once to configure a second NetFlow export destination.

        5.    ip flow-export version 9

        6.    interface interface-type interface-number

        7.    ip flow {ingress | egress}

        8.    exit

        9.    Repeat Steps 6 through 8 to enable NetFlow on other interfaces

        10.    end


      DETAILED STEPS
        Command or Action / Purpose

        Step 1 enable

        Example:
        Router> enable

        Purpose: (Required) Enables privileged EXEC mode.

        • Enter your password if prompted.

        Step 2 configure terminal

        Example:
        Router# configure terminal

        Purpose: (Required) Enters global configuration mode.

        Step 3 ip flow-export destination {ip-address | hostname} udp-port

        Example:
        Router(config)# ip flow-export destination 172.16.10.2 99

        Purpose: (Optional) IP address or hostname of the workstation to which you want to send the NetFlow information and the number of the UDP port on which the workstation is listening for this input.

        Note: The workstation is running an application such as NetFlow Collection Engine (NFC) that is used to analyze the exported data.

        Step 4 Repeat Step 3 once to configure a second NetFlow export destination.

        Purpose: (Optional) You can configure a maximum of two export destinations for NetFlow.

        Step 5 ip flow-export version 9

        Example:
        Router(config)# ip flow-export version 9

        Purpose: (Optional) Enables the export of information in NetFlow cache entries.

        • The version 9 keyword specifies that the export packet uses the Version 9 format.

        Caution: Entering this command on a Cisco 12000 Series Internet Router causes packet forwarding to stop for a few seconds while NetFlow reloads the route processor and line card CEF tables. To avoid interruption of service to a live network, apply this command during a change window, or include it in the startup-config file to be executed during a router reboot.

        Step 6 interface interface-type interface-number

        Example:
        Router(config)# interface ethernet 0/0

        Purpose: (Required) Specifies the interface that you want to enable NetFlow on and enters interface configuration mode.

        Step 7 ip flow {ingress | egress}

        Example:
        Router(config-if)# ip flow ingress

        Purpose: (Required) Enables NetFlow on the interface.

        • ingress --Captures traffic that is being received by the interface.

        • egress --Captures traffic that is being transmitted by the interface.

        Step 8 exit

        Example:
        Router(config-if)# exit

        Purpose: (Optional) Exits interface configuration mode and returns to global configuration mode.

        Note: You only need to use this command if you want to enable NetFlow on another interface.

        Step 9 Repeat Steps 6 through 8 to enable NetFlow on other interfaces

        Purpose: (Optional) --

        Step 10 end

        Example:
        Router(config-if)# end

        Purpose: (Required) Exits the current configuration mode and returns to privileged EXEC mode.


        Verifying That NetFlow Is Operational and Viewing NetFlow Statistics

        To verify that NetFlow is working properly, perform this optional task.

        SUMMARY STEPS

          1.    show ip flow interface

          2.    show ip cache flow

          3.    show ip cache verbose flow


        DETAILED STEPS
          Step 1   show ip flow interface

          Use this command to display the NetFlow configuration for an interface. The following is sample output from this command:



          Example:
          Router# show ip flow interface
          Ethernet0/0
            ip flow ingress
          
          Step 2   show ip cache flow

          Use this command to verify that NetFlow is operational and to display a summary of the NetFlow statistics. The following is sample output from this command:



          Example:
          Router# show ip cache flow
          IP packet size distribution (1103746 total packets):
             1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
             .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
              512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
             .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000
          IP Flow Switching Cache, 278544 bytes
            35 active, 4061 inactive, 980 added
            2921778 ager polls, 0 flow alloc failures
            Active flows timeout in 30 minutes
            Inactive flows timeout in 15 seconds
          IP Sub Flow Cache, 21640 bytes
            0 active, 1024 inactive, 0 added, 0 added to flow
            0 alloc failures, 0 force free
            1 chunk, 1 chunk added
            last clearing of statistics never
          Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
          --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
          TCP-FTP            108      0.0      1133    40      2.4    1799.6       0.9
          TCP-FTPD           108      0.0      1133    40      2.4    1799.6       0.9
          TCP-WWW             54      0.0      1133    40      1.2    1799.6       0.8
          TCP-SMTP            54      0.0      1133    40      1.2    1799.6       0.8
          TCP-BGP             27      0.0      1133    40      0.6    1799.6       0.7
          TCP-NNTP            27      0.0      1133    40      0.6    1799.6       0.7
          TCP-other          297      0.0      1133    40      6.8    1799.7       0.8
          UDP-TFTP            27      0.0      1133    28      0.6    1799.6       1.0
          UDP-other          108      0.0      1417    28      3.1    1799.6       0.9
          ICMP               135      0.0      1133   427      3.1    1799.6       0.8
          Total:             945      0.0      1166    91     22.4    1799.6       0.8
          SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
          Et0/0         192.168.67.6    Et1/0.1       172.16.10.200   01 0000 0C01    51 
          Et0/0         10.10.18.1      Null          172.16.11.5     11 0043 0043    51 
          Et0/0         10.10.18.1      Null          172.16.11.5     11 0045 0045    51 
          Et0/0         10.234.53.1     Et1/0.1       172.16.10.2     01 0000 0800    51 
          Et0/0         10.10.19.1      Null          172.16.11.6     11 0044 0044    51 
          Et0/0         10.10.19.1      Null          172.16.11.6     11 00A2 00A2    51 
          Et0/0         192.168.87.200  Et1/0.1       172.16.10.2     06 0014 0014    50 
          Et0/0         192.168.87.200  Et1/0.1       172.16.10.2     06 0015 0015    52 
          .
          .
          .
          Et0/0         172.16.1.84     Et1/0.1       172.16.10.19    06 0087 0087    50 
          Et0/0         172.16.1.84     Et1/0.1       172.16.10.19    06 0050 0050    51 
          Et0/0         172.16.1.85     Et1/0.1       172.16.10.20    06 0089 0089    49 
          Et0/0         172.16.1.85     Et1/0.1       172.16.10.20    06 0050 0050    50 
          Et0/0         10.251.10.1     Et1/0.1       172.16.10.2     01 0000 0800    51 
          Et0/0         10.162.37.71    Null          172.16.11.3     06 027C 027C    49 
          
          Step 3   show ip cache verbose flow

          Use this command to verify that NetFlow is operational and to display a detailed summary of the NetFlow statistics. The following is sample output from this command:



          Example:
          Router# show ip cache verbose flow
          IP packet size distribution (1130681 total packets):
             1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
             .249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
              512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
             .000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000
          IP Flow Switching Cache, 278544 bytes
            35 active, 4061 inactive, 980 added
            2992518 ager polls, 0 flow alloc failures
            Active flows timeout in 30 minutes
            Inactive flows timeout in 15 seconds
          IP Sub Flow Cache, 21640 bytes
            0 active, 1024 inactive, 0 added, 0 added to flow
            0 alloc failures, 0 force free
            1 chunk, 1 chunk added
            last clearing of statistics never
          Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
          --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
          TCP-FTP            108      0.0      1133    40      2.4    1799.6       0.9
          TCP-FTPD           108      0.0      1133    40      2.4    1799.6       0.9
          TCP-WWW             54      0.0      1133    40      1.2    1799.6       0.8
          TCP-SMTP            54      0.0      1133    40      1.2    1799.6       0.8
          TCP-BGP             27      0.0      1133    40      0.6    1799.6       0.7
          TCP-NNTP            27      0.0      1133    40      0.6    1799.6       0.7
          TCP-other          297      0.0      1133    40      6.6    1799.7       0.8
          UDP-TFTP            27      0.0      1133    28      0.6    1799.6       1.0
          UDP-other          108      0.0      1417    28      3.0    1799.6       0.9
          ICMP               135      0.0      1133   427      3.0    1799.6       0.8
          Total:             945      0.0      1166    91     21.9    1799.6       0.8
          SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
          Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
          Et0/0          192.168.67.6    Et1/0.1        172.16.10.200   01 00  10     799 
          0000 /0  0                     0C01 /0  0     0.0.0.0                28  1258.1
          Et0/0          10.10.18.1      Null           172.16.11.5     11 00  10     799 
          0043 /0  0                     0043 /0  0     0.0.0.0                28  1258.0
          Et0/0          10.10.18.1      Null           172.16.11.5     11 00  10     799 
          0045 /0  0                     0045 /0  0     0.0.0.0                28  1258.0
          Et0/0          10.234.53.1     Et1/0.1        172.16.10.2     01 00  10     799 
          0000 /0  0                     0800 /0  0     0.0.0.0                28  1258.1
          Et0/0          10.10.19.1      Null           172.16.11.6     11 00  10     799 
          0044 /0  0                     0044 /0  0     0.0.0.0                28  1258.1
          .
          .
          .
          Et0/0          172.16.1.84     Et1/0.1        172.16.10.19    06 00  00     799 
          0087 /0  0                     0087 /0  0     0.0.0.0                40  1258.1
          Et0/0          172.16.1.84     Et1/0.1        172.16.10.19    06 00  00     799 
          0050 /0  0                     0050 /0  0     0.0.0.0                40  1258.0
          Et0/0          172.16.1.85     Et1/0.1        172.16.10.20    06 00  00     798 
          0089 /0  0                     0089 /0  0     0.0.0.0                40  1256.5
          Et0/0          172.16.1.85     Et1/0.1        172.16.10.20    06 00  00     799 
          0050 /0  0                     0050 /0  0     0.0.0.0                40  1258.0
          Et0/0          10.251.10.1     Et1/0.1        172.16.10.2     01 00  10     799 
          0000 /0  0                     0800 /0  0     0.0.0.0              1500  1258.1
          Et0/0          10.162.37.71    Null           172.16.11.3     06 00  00     798 
          027C /0  0                     027C /0  0     0.0.0.0                40  1256.4
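The Pr, SrcP, and DstP columns of show ip cache flow are printed in hexadecimal, which is easy to misread when reviewing flows by eye (0050 is port 80, 11 is UDP). The following parser is an added example, not part of the Cisco documentation; it handles only the non-verbose flow lines, the sample lines are copied from the output above, and the ICMP decoding assumes the usual NetFlow convention that the destination port field carries type * 256 + code.

```python
import re
from collections import Counter

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# One flow line: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts.
# Pr, SrcP and DstP are hexadecimal; Pkts is decimal.
FLOW_LINE = re.compile(
    r"^\s*(?P<src_if>\S+)\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sp>[0-9A-Fa-f]{4})\s+"
    r"(?P<dp>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$")

# Lines taken from the sample output above, with a header line and a
# statistics line left in to show that non-flow lines are skipped.
SAMPLE = """\
TCP-WWW             54      0.0      1133    40      1.2    1799.6       0.8
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         192.168.67.6    Et1/0.1       172.16.10.200   01 0000 0C01    51
Et0/0         10.10.18.1      Null          172.16.11.5     11 0043 0043    51
Et0/0         10.234.53.1     Et1/0.1       172.16.10.2     01 0000 0800    51
Et0/0         192.168.87.200  Et1/0.1       172.16.10.2     06 0014 0014    50
Et0/0         192.168.87.200  Et1/0.1       172.16.10.2     06 0015 0015    52
Et0/0         172.16.1.84     Et1/0.1       172.16.10.19    06 0050 0050    51
Et0/0         10.251.10.1     Et1/0.1       172.16.10.2     01 0000 0800    51
Et0/0         10.162.37.71    Null          172.16.11.3     06 027C 027C    49
"""


def parse_flows(text):
    """Decode the flow lines of `show ip cache flow` into dictionaries."""
    flows = []
    for line in text.splitlines():
        m = FLOW_LINE.match(line)
        if not m:
            continue  # banner, statistics, or column header line
        proto = int(m["pr"], 16)
        sport, dport = int(m["sp"], 16), int(m["dp"], 16)
        flow = {"src_if": m["src_if"], "src_ip": m["src_ip"],
                "dst_if": m["dst_if"], "dst_ip": m["dst_ip"],
                "proto": PROTO_NAMES.get(proto, str(proto)),
                "pkts": int(m["pkts"])}
        if proto == 1:
            # ICMP has no ports; DstP holds the type and code.
            flow["icmp_type"], flow["icmp_code"] = dport >> 8, dport & 0xFF
        else:
            flow["src_port"], flow["dst_port"] = sport, dport
        flows.append(flow)
    return flows


def packets_by_destination(flows):
    """Total packets per destination address across all cached flows."""
    totals = Counter()
    for flow in flows:
        totals[flow["dst_ip"]] += flow["pkts"]
    return totals


def without_output_interface(flows):
    """Flows whose DstIf column reads Null (no output interface recorded)."""
    return [flow for flow in flows if flow["dst_if"] == "Null"]


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE)
    for flow in parsed:
        print(flow)
    print(packets_by_destination(parsed).most_common(3))
    print(len(without_output_interface(parsed)), "flows with DstIf Null")
```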
          

          Verifying That NetFlow Data Export Is Operational

          To verify that NetFlow data export is operational and to view the statistics for NetFlow data export, perform the step in this optional task.

          SUMMARY STEPS

            1.    show ip flow export


          DETAILED STEPS
          show ip flow export

          Use this command to display the statistics for the NetFlow data export, including statistics for the main cache and for all other enabled caches. The following is sample output from this command:



          Example:
          Router# show ip flow export
          Flow export v9 is enabled for main cache
            Exporting flows to 172.16.10.2 (99) 
            Exporting using source interface Ethernet0/0
            Version 9 flow records
            0 flows exported in 0 udp datagrams
            0 flows failed due to lack of export packet
            0 export packets were sent up to process level
            0 export packets were dropped due to no fib
            0 export packets were dropped due to adjacency issues
            0 export packets were dropped due to fragmentation failures
            0 export packets were dropped due to encapsulation fixup failures
          

          Configuration Examples for Configuring NetFlow and NetFlow Data Export

          Example Configuring Egress NetFlow Accounting

          The following example shows how to configure Egress NetFlow Accounting:

          configure terminal
          !
          interface ethernet 0/0
           ip flow egress
          !

          Example Configuring NetFlow Subinterface Support

          NetFlow Subinterface Support For Ingress (Received) Traffic On a Subinterface

          configure terminal
          !
          interface ethernet 0/0.1
           ip flow ingress
          !
          

          NetFlow SubInterface Support For Egress (Transmitted) Traffic On a Subinterface

          configure terminal
          !
          interface ethernet 1/0.1
           ip flow egress
          !
          

          Note


          NetFlow performs additional checks for the status of each subinterface that requires more CPU processing time and bandwidth. If you have several subinterfaces configured and you want to configure NetFlow data capture on all of them, we recommend that you configure NetFlow on the main interface instead of on the individual subinterfaces.


          Example Configuring NetFlow Multiple Export Destinations

          The following example shows how to configure NetFlow multiple export destinations:

          configure terminal
          !
          ip flow-export destination 10.10.10.10 9991
          ip flow-export destination 172.16.10.2 9991
          !
          

          Note


          You can configure a maximum of two export destinations for the main cache and for each aggregation cache.


          Example Configuring NetFlow and NetFlow Data Export Using the Version 9 Export Format

          The following example shows how to configure NetFlow and NetFlow data export using the Version 9 export format:

          configure terminal
          !
          ip flow-export destination 10.10.10.10 9991
          ip flow-export version 9
          !

          Example Configuring NetFlow for Analyzing PPPoE Session Traffic

          If you want to obtain accurate NetFlow traffic statistics for PPPoE sessions, you must configure NetFlow on the virtual-template interface, not on the physical interface that is configured with VLAN encapsulation. For example, if you configure NetFlow on the physical interface that is configured for VLAN encapsulation as shown in the following configuration, the NetFlow traffic statistics will not be an accurate representation of the traffic on the PPPoE sessions.

          !
          interface GigabitEthernet2/0/0.10
           encapsulation dot1Q 10
           ip flow egress
           pppoe enable

          The following example shows how to configure egress NetFlow on a virtual template interface so that you can accurately analyze the packet size distribution statistics of the traffic that the router is sending to the end user over the PPPoE session:

          interface Virtual-Template 1
           ip unnumbered ethernet 0 
           encapsulation ppp 
           ip flow egress
          

          The following output from the show ip cache flow command shows that this PPPoE session traffic consists primarily of 1536-byte packets.

          Router# show ip cache flow
          IP packet size distribution (11014160 total packets):
            1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
            .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
             512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
            .000 .000 .000 .000 .999 .000 .000 .000 .000 .000 .000

          Additional References

          Related Documents

          Related Topic -- Document Title

          • Cisco IOS commands -- Cisco IOS Master Commands List, All Releases

          • Overview of Cisco IOS NetFlow -- Cisco IOS NetFlow Overview

          • Tasks for configuring NetFlow to capture and export network traffic data -- Configuring NetFlow and NetFlow Data Export

          • Tasks for configuring MPLS Aware NetFlow -- Configuring MPLS Aware NetFlow

          • Tasks for configuring MPLS egress NetFlow accounting -- Configuring MPLS Egress NetFlow Accounting and Analysis

          • Tasks for configuring NetFlow input filters -- Using NetFlow Filtering or Sampling to Select the Network Traffic to Track

          • Tasks for configuring random sampled NetFlow -- Using NetFlow Filtering or Sampling to Select the Network Traffic to Track

          • Tasks for configuring NetFlow aggregation caches -- Configuring NetFlow Aggregation Caches

          • Tasks for configuring NetFlow BGP next hop support -- Configuring NetFlow BGP Next Hop Support for Accounting and Analysis

          • Tasks for configuring NetFlow multicast support -- Configuring NetFlow Multicast Accounting

          • Tasks for detecting and analyzing network threats with NetFlow -- Detecting and Analyzing Network Threats With NetFlow

          • Tasks for configuring NetFlow Reliable Export With SCTP -- NetFlow Reliable Export With SCTP

          • Tasks for configuring NetFlow Layer 2 and Security Monitoring Exports -- NetFlow Layer 2 and Security Monitoring Exports

          • Tasks for configuring the SNMP NetFlow MIB -- Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

          • Tasks for configuring the NetFlow MIB and Top Talkers feature -- Configuring NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands

          • Information for installing, starting, and configuring the CNS NetFlow Collection Engine -- Cisco CNS NetFlow Collection Engine Documentation

          • Configuration commands for NetFlow -- Cisco IOS NetFlow Command Reference

          Standards

          No new or modified standards are supported, and support for existing standards has not been modified.

          MIBs

          No new or modified MIBs are supported, and support for existing MIBs has not been modified.

          MIBs Link: To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

          RFCs

          No new or modified RFCs are supported, and support for existing RFCs has not been modified.

          Technical Assistance

          The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

          Link: http://www.cisco.com/cisco/web/support/index.html

          Feature Information for Configuring NetFlow and NetFlow Data Export

          The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

          Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

          Table 1 Feature Information for Configuring NetFlow and NetFlow Data Export

          Feature Name: Egress NetFlow Accounting

          Releases: 12.3(11)T, 15.0(1)S

          Feature Configuration Information: The Egress NetFlow Accounting feature allows NetFlow statistics to be gathered on egress traffic that is exiting the router. Previous versions of NetFlow allow statistics to be gathered only on ingress traffic that is entering the router.

          The following commands were introduced by this feature: ip flow egress and ip flow-egress input-interface.

          The following commands were modified by this feature: flow-sampler, match, show ip cache flow, show ip cache verbose flow, and show ip flow interface.

          Feature Name: NetFlow Multiple Export Destinations

          Releases: 12.0(19)S, 12.2(2)T, 12.2(14)S, 15.0(1)S

          Feature Configuration Information: The NetFlow Multiple Export Destinations feature enables configuration of multiple destinations of the NetFlow data.

          The following commands were modified by this feature: ip flow-aggregation cache, ip flow-export destination, and show ip flow export.

          Feature Name: NetFlow Subinterface Support

          Releases: 12.0(22)S, 12.2(14)S, 12.2(15)T

          Feature Configuration Information: The NetFlow Subinterface Support feature provides the ability to enable NetFlow on a per-subinterface basis.

          The following command was introduced by this feature: ip flow ingress.

          The following command was modified by this feature: show ip interface.

          Feature Name: NetFlow v9 Export Format

          Releases: 12.0(24)S, 12.2(18)S, 12.2(27)SBC, 12.2(18)SXF, 12.3(1), 15.0(1)S

          Feature Configuration Information: The NetFlow v9 Export Format is flexible and extensible, which provides the versatility needed to support new fields and record types. This format accommodates new NetFlow-supported technologies such as Multicast, MPLS, NAT, and BGP next hop.

          The following commands were modified by this feature: debug ip flow export, export, ip flow-export, and show ip flow export.

          Glossary

          AS --autonomous system. A collection of networks under a common administration sharing a common routing strategy. Autonomous systems are subdivided by areas. An autonomous system must be assigned a unique 16-bit number by the Internet Assigned Numbers Authority (IANA).

          CEF --Cisco Express Forwarding. Layer 3 IP switching technology that optimizes network performance and scalability for networks with large and dynamic traffic patterns.

          BGP --Border Gateway Protocol. An interdomain routing protocol that replaces Exterior Gateway Protocol (EGP). A BGP system exchanges reachability information with other BGP systems. BGP is defined by RFC 1163.

          BGP next hop --IP address of the next hop to be used by a router to reach a certain destination.

          dCEF --distributed Cisco Express Forwarding. A type of CEF switching in which line cards (such as Versatile Interface Processor (VIP) line cards) maintain identical copies of the forwarding information base (FIB) and adjacency tables. The line cards perform the express forwarding between port adapters; this relieves the Route Switch Processor of involvement in the switching operation.

          export packet --Type of packet built by a device (for example, a router) with NetFlow services enabled that is addressed to another device (for example, the NetFlow Collection Engine). The packet contains NetFlow statistics. The other device processes the packet (parses, aggregates, and stores information on IP flows).

          fast switching --Cisco feature in which a route cache is used to expedite packet switching through a router.

          flow --A set of packets with the same source IP address, destination IP address, protocol, source/destination ports, and type-of-service, and the same interface on which the flow is monitored. Ingress flows are associated with the input interface, and egress flows are associated with the output interface.

          MPLS --Multiprotocol Label Switching. An emerging industry standard for the forwarding of packets along a normally routed path (sometimes called MPLS hop-by-hop forwarding).

          NetFlow --A Cisco IOS application that provides statistics on packets flowing through the router. It is emerging as a primary network accounting and security technology.

          NetFlow Aggregation --A NetFlow feature that lets you summarize NetFlow export data on an IOS router before the data is exported to a NetFlow data collection system such as the NetFlow Collection Engine. This feature lowers bandwidth requirements for NetFlow export data and reduces platform requirements for NetFlow data collection devices.

          NetFlow Collection Engine (formerly NetFlow FlowCollector) --Cisco application that is used with NetFlow on Cisco routers and Catalyst series switches. The NetFlow Collection Engine collects packets from the router that is running NetFlow and decodes, aggregates, and stores them. You can generate reports on various aggregations that can be set up on the NetFlow Collection Engine.

          NetFlow v9 --NetFlow export format Version 9. A flexible and extensible means for carrying NetFlow records from a network node to a collector. NetFlow Version 9 has definable record types and is self-describing for easier NetFlow Collection Engine configuration.

          RP --Route Processor. A processor module in the Cisco 7000 series routers that contains the CPU, system software, and most of the memory components that are used in the router. Sometimes called a Supervisory Processor.