In this tech tips document, we'll take a quick view of Cisco NetFlow and walk you through the steps to configure NetFlow versions v5 & v9 on a Cisco router.
Introduction
This document provides a sample configuration for NetFlow on the Catalyst 6500/6000 Switch that runs Native IOS or Hybrid OS. It can be required to monitor the traffic that flows through the Catalyst 6500/6000 when it operates as a core device in the network.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- Catalyst 6500 with Supervisor Engine 32, MSFC2A and PFC3
- Catalyst 6500 that runs Cisco IOS Software Release 12.2(18)SXF4
Note: NetFlow configurations are also supported on Route Switch Processor 720 and Supervisor Engine 720. There is no difference between Supervisor Engine 720 and Route Switch Processor 720 as far as NetFlow is concerned, so the same configuration applies to both Supervisor Engine 720 and Route Switch Processor 720.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Background Information
NetFlow is a Cisco IOS application that provides statistics on packets that flow through the router. NetFlow collects statistics globally from traffic that flows through the switch and stores the data in the NetFlow table. You can use the command line to access the NetFlow table. You can also export the NetFlow statistics to a reporting server, which is called a NetFlow collector. You need to configure NetFlow Data Export (NDE) on the switch in order to export the NetFlow statistics to a NetFlow collector. NetFlow only monitors traffic that is CEF/fast-switched. To enable fast switching, enter the ip route-cache command on the interfaces that need to be monitored.
There are a few things you should understand before you configure NetFlow:
The NetFlow cache on the Multilayer Switch Feature Card (MSFC) captures statistics for flows routed in software.
The NetFlow cache on the Policy Feature Card (PFC) captures statistics for flows routed in hardware.
A flow mask specifies the format of a cache entry in the NetFlow cache table. There are several types of flow masks supported by the PFC, and NetFlow uses only one flow mask for all statistics. You can configure the flow mask type based on your requirement. This is the list of flow masks available in the PFC:
source-only - A less-specific flow mask. The PFC maintains one entry for each source IP address. All flows from a given source IP address use this entry.
destination - A less-specific flow mask. The PFC maintains one entry for each destination IP address. All flows to a given destination IP address use this entry.
destination-source - A more-specific flow mask. The PFC maintains one entry for each source and destination IP address pair. All flows between the same source and destination IP addresses use this entry.
destination-source-interface - A more-specific flow mask. Adds the source VLAN Simple Network Management Protocol (SNMP) ifIndex to the information in the destination-source flow mask.
full - A more-specific flow mask. The PFC creates and maintains a separate cache entry for each IP flow. A full entry includes the source IP address, destination IP address, protocol, and protocol interfaces.
full-interface - The most-specific flow mask. Adds the source VLAN SNMP ifIndex to the information in the full flow mask.
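As an added illustration, not from the original document, this Python snippet folds a set of constructed sample flows through each of the six PFC flow-mask keys listed above, to show how many cache entries each mask produces and which details (ports, protocol, source VLAN) a less-specific mask discards.

```python
from collections import Counter

# Constructed sample flows, not from the original document:
# (src_ip, dst_ip, protocol, src_port, dst_port, source VLAN SNMP ifIndex)
SAMPLE_FLOWS = [
    ("10.1.1.5", "192.0.2.10", "tcp", 40001, 80, 10),
    ("10.1.1.5", "192.0.2.10", "tcp", 40002, 80, 10),
    ("10.1.1.5", "192.0.2.10", "tcp", 40003, 443, 10),
    ("10.1.1.6", "192.0.2.10", "udp", 5000, 53, 10),
    ("10.2.2.7", "192.0.2.10", "tcp", 40004, 80, 20),
    ("10.2.2.7", "192.0.2.20", "tcp", 40005, 80, 20),
]

# The part of a flow that each PFC flow mask keeps as the cache key; everything
# outside the key is folded into one entry and is no longer distinguishable.
FLOW_MASKS = {
    "source-only": lambda f: (f[0],),
    "destination": lambda f: (f[1],),
    "destination-source": lambda f: (f[1], f[0]),
    "destination-source-interface": lambda f: (f[1], f[0], f[5]),
    "full": lambda f: (f[1], f[0], f[2], f[3], f[4]),
    "full-interface": lambda f: (f[1], f[0], f[2], f[3], f[4], f[5]),
}

def cache_entries(flows, mask):
    """Return {cache_key: number of flows folded into that entry} under `mask`."""
    key = FLOW_MASKS[mask]
    return Counter(key(f) for f in flows)

def entry_counts(flows):
    """How many NetFlow cache entries each mask would hold for the same flows."""
    return {mask: len(cache_entries(flows, mask)) for mask in FLOW_MASKS}

if __name__ == "__main__":
    for mask, n in entry_counts(SAMPLE_FLOWS).items():
        print(f"{mask:30s} {n} cache entries")
```

With the destination-source mask, the three connections from 10.1.1.5 to 192.0.2.10 (two to port 80, one to 443) become a single entry, so only the full or full-interface masks let a collector tell the services apart.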
NDE on the PFC supports NDE versions 5 and 7 for the statistics captured on the PFC.
Note: In PFC3C or PFC3BXL mode with Cisco IOS Software Release 12.2(18)SXE and later, you can configure NDE in order to collect statistics for both routed and bridged traffic. In PFC3A mode or with releases earlier than Cisco IOS Software Release 12.2(18)SXE, NDE collects statistics only for routed traffic.
Configure
The configuration example in this section shows how to configure NetFlow on the switch and how to configure NDE in order to export the NetFlow cache to the NetFlow collector. It also discusses the various parameters that can be used to tune NetFlow to suit your network. In this example, the Catalyst 6500 Switch has two VLANs, 10 and 20, for the inside of the network. The interface fa3/1 is connected to the outside of the network.
In this section, you are presented with the information to configure the features described in this document.
Note: The configuration of NetFlow neither disturbs the traffic nor disables the configured interface.
Network Diagram
This document uses this network setup:
Configurations in Native IOS
This document uses these configurations:
Enable NetFlow
The first step to configure NetFlow in your network is to enable NetFlow in both the MSFC and the PFC. This example shows the step-by-step process on how to enable NetFlow:
- Enable NetFlow on the PFC.
- Configure the flow mask on the PFC.
- Enable NetFlow on the MSFC.
- Enable NetFlow for Layer 2-switched traffic on the PFC.
Configure NDE
NetFlow maintains the active flows in the NetFlow cache table. You can issue the show mls netflow ip command in order to view the active NetFlow cache in the switch. Once the NetFlow cache expires, you no longer see the NetFlow traffic that uses the command line. You can export the expired NetFlow cache to the NetFlow data collector. If you use the NetFlow data collector to store the historical NetFlow traffic, you need to configure NDE on the Catalyst 6500 Switch. There are many NetFlow collectors available. This includes Cisco NetFlow Collector and Cisco CS-MARS. It is not required for the NDE sender version to be the same as the ip flow-export version, because the NDE sender is about Layer 2 traffic and ip route-cache flow is about Layer 3 traffic. You can find the list of NetFlow collectors in Table 2 of Introduction to Cisco IOS NetFlow - A Technical Overview. This section explains the NDE configuration on the Catalyst 6500 Switch.
- Configure NDE on the PFC.
- Configure NDE on the MSFC.
- Enable NDE for Layer 2-switched traffic on the PFC.
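As an added example (not from the original document or from Cisco), here is a Python parser for the NetFlow v5 export datagram that NDE sends to the collector, exercised on a constructed sample datagram. It also picks out TCP records whose flags byte is zero (the Supervisor 720 EARL7 limitation noted under Troubleshoot) and checks flow_sequence continuity between datagrams, which is how a collector notices export loss.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format: a 24-byte header followed by `count` 48-byte records, big-endian.
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")

def _rec(src, dst, proto, sport, dport, pkts, octets, flags):
    """Pack one constructed v5 record; fields not under test are zeroed."""
    return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                          IPv4Address("0.0.0.0").packed, 10, 20, pkts, octets,
                          0, 0, sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)

def sample_datagram():
    """Constructed export: two TCP flows and one UDP flow, flow_sequence 100."""
    body = (_rec("10.1.1.5", "192.0.2.10", 6, 40001, 80, 12, 3400, 0x1b)
            + _rec("10.1.1.6", "192.0.2.10", 6, 40002, 443, 4, 900, 0)
            + _rec("10.2.2.7", "192.0.2.20", 17, 5000, 53, 1, 80, 0))
    return V5_HEADER.pack(5, 3, 1000, 1700000000, 0, 100, 0, 1, 0) + body

def parse_v5(datagram):
    """Parse one v5 datagram into (header dict, list of record dicts)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    version, count, uptime, secs, _, seq, _, eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    if count > 30 or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header count exceeds payload: truncated or malformed datagram")
    header = {"count": count, "sys_uptime": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine_id": eid, "sampling_interval": sampling}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                        "in_if": f[3], "out_if": f[4], "packets": f[5], "octets": f[6],
                        "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13]})
    return header, records

def tcp_flows_without_flags(records):
    """TCP records with tcp_flags == 0, which is all a Supervisor 720 (EARL7) exporter sends."""
    return [r for r in records if r["proto"] == 6 and r["tcp_flags"] == 0]

def missing_records(prev_seq, prev_count, header):
    """Flows lost between two consecutive datagrams from one engine (0 when contiguous)."""
    return header["flow_sequence"] - (prev_seq + prev_count)
```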
Optional Configurations
There are several optional configurations available in NetFlow. This depends on your network design, the amount of traffic that flows on the network, and your requirement on the NetFlow data. These are brief descriptions of the optional configurations:
- Configure NetFlow sampling
- Configure NDE flow filter
- The packets are being process switched.
- Packets destined for the router
- Static route to null0
- Configure ip route-cache flow on the main interface. This sends the flows from all the subinterfaces.
- Configure ip flow ingress on the subinterfaces; in this case, the main interface does not have any NetFlow configuration, and it sends the flow from each subinterface where the ip flow ingress command is enabled.
Multilayer switching (MLS) aging - If the NetFlow traffic is active, the NetFlow cache does not expire. If it does not expire, the NetFlow cache is not exported to the NetFlow data collector. In order to ensure periodic reporting of continuously active flows, entries for continuously active flows expire at the end of the interval that is configured with the mls aging long command (default 32 minutes). This output shows the default MLS cache aging interval:
NetFlow sampling - By default, NetFlow captures all the packets in the flow. When you use NetFlow sampling, you capture a subset of packets. NetFlow sampling can be enabled either as time-based or packet-based.
NetFlow aggregation - The aggregation cache is an additional NetFlow cache table in the switch that provides the aggregated flow statistics of the NetFlow traffic. The Catalyst 6500 provides different schemes such as source prefix, destination prefix, and protocol port for NetFlow aggregation. You can configure more than one scheme in the switch, and you can use NDE in order to export the data to the NetFlow collector. NetFlow aggregation caches reduce the bandwidth required between the switch and the NetFlow collector.
NDE flow filters - You can configure an NDE flow filter to export only the NetFlow cache entries of interest. After you configure a filter, only expired and purged flows that match the specified filter criteria are exported. You can filter the NetFlow cache entries based on the source address, destination address, source port, and destination port.
NetFlow Cache Entries - You can increase or decrease the number of NetFlow entries in the NetFlow cache.
This section describes the various configurations. The configuration varies depending on your requirement.
Configure MLS aging
Configure NetFlow aggregation
Configure NetFlow Cache Entries
Configurations in Hybrid OS
This section shows a configuration example for the Catalyst 6500 Switch that runs Hybrid OS. The configuration uses the same diagram as in the IOS section. The document uses these configurations:
Enable NetFlow
It is assumed that the VLANs are already created in the supervisor module and the VLAN interface IPs are assigned in the MSFC. Here NetFlow is enabled both in the supervisor module and in the MSFC. NetFlow can only be enabled on Layer 3 interfaces.
Configure NDE
This section shows the NDE configuration on both the supervisor module and the MSFC. In this example, VLAN 1 is used instead of loopback 0.
Optional Configuration
This example shows the NetFlow aging time configuration in the supervisor module.
Verify
This section shows how to verify the NetFlow cache table and NDE. Also, a sample NetFlow collector output is provided.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
The show mls netflow ip command displays the NetFlow cache entries in the supervisor module. This is a sample output:
In a production environment, this output is large. The show mls netflow ip command offers a few options to list only the traffic of interest. This output shows the list of options:
The show mls nde command displays the NetFlow export details. This shows which NetFlow collector it exports to and the number of packets it exports. This is a sample output:
Issue the clear mls nde flow counters command in order to clear the NDE statistics.
This diagram shows a sample output from a NetFlow collector:
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
There are some points you need to understand in order to make sure your configuration works:
You must enable NetFlow on the MSFC Layer 3 interfaces in order to support NDE on the PFC and NDE on the MSFC. You must configure the switch as per the Enable NetFlow section. If you do not need Layer 2 bridged traffic enabled, undo the ip flow ingress layer2-switched command with the no ip flow ingress layer2-switched command.
You cannot enable NetFlow on Network Address Translation (NAT) enabled interfaces if you have configured the full and interface-full flow masks. This means that if the interface is configured with either the ip nat inside command or the ip nat outside command and you have configured the full and interface-full flow masks, then you cannot enable NetFlow on the interface. You see this error message:
The Policy Feature Card 3 (PFC3) and Policy Feature Card 2 (PFC2) do not use the NetFlow table for Layer 3 switching in hardware.
NetFlow aggregation uses NDE version 8. You need to make sure your NetFlow collector supports the version 8 format.
Note: NetFlow on the current Cisco Catalyst 6500 Supervisor 720 family is only an ingress interface feature. Cisco IOS Software Release 12.2(33)SXH and later support per-interface NDE, which enables PFC NetFlow data collection on a per-interface basis. With Cisco IOS software releases earlier than Cisco IOS Software Release 12.2(33)SXH, NetFlow on the PFC can only be enabled and disabled globally.
NetFlow must be enabled on the local router in order to perform a Layer 2 analysis.
MLS Aging Disabled
In the Cisco Catalyst 6500 Switches that run Native IOS, MLS long aging fails to age the NetFlow cache entries when you enable Server Load Balancing (SLB). This issue is documented in Cisco bug ID CSCea83612 (registered customers only). Upgrade to the latest Cisco IOS release that is not affected by this bug.
NetFlow Shows Traffic in a Single Direction
After you enable NetFlow, the show mls netflow ip command shows only the traffic in a single direction. By default, NetFlow caches only the ingress traffic. Issue the ip route-cache flow command on both the inbound and outbound interfaces in order to cache both inbound and outbound traffic.
NetFlow Does Not Show Switched or Bridged Traffic
By default, NetFlow does not show data for traffic going across the same VLAN, but only for traffic that comes in from one VLAN and goes out to another, for example between VLAN interfaces when those interfaces have the ip route-cache flow command configured separately.
Note: To see the data for traffic going across the same VLAN, disable software-switched NetFlow, i.e. do not configure ip route-cache flow on the Layer 3 interface.
In order to enable the creation of switched, bridged, and Layer 2 IP flows for a specific VLAN, issue the ip flow layer2-switched command.
In order to enable the collection of switched, bridged, and IP flows in Layer 2, issue the ip flow ingress layer2-switched vlan num vlanlist command. In order to enable the export of switched, bridged, and IP flows in Layer 2, issue the ip flow export layer2-switched vlan num vlanlist command.
The command is supported on Supervisor Engine 720 in PFC3B and PFC3BXL mode only and on Supervisor Engine 2 with a PFC2.
Before you use this command on Catalyst 6500 Series Switches that are configured with Supervisor Engine 720, you must ensure that a corresponding VLAN interface is available and has a valid IP address. This guideline does not apply to Catalyst 6500 Series Switches that are configured with Supervisor Engine 2. When NetFlow information is exported by the Supervisor 720 Engine to the collector for analysis, the TCP flag is set to ZERO. This is due to the hardware limitation of Supervisor 720, as it uses the EARL7 ASIC. The support for TCP flags is included in the EARL8 ASIC.
Source IP address and Destination IP address are not seen in IP Flow
These are the reasons why IP Flow does not show the source and destination IP address:
- The packets are blocked by an ACL.
- Multicast traffic
- Tunnels (IPIP, GRE, IPSEC, L2TP) & WCCP
- DstIf is NULL when the traffic is dropped because of CAR.
In order to prevent this issue, use the ip flow ingress infer-fields command in order to enable NetFlow with inferred input/output interfaces and source/destination information.
If the flows on the subinterfaces need to be monitored, then there are two options:
Support for Bridged-Flow Statistics on VLANs
This feature is supported on the Supervisor Engine 1 or 1A/PFC and Supervisor Engine 2/PFC2, and no MSFC/MSFC2 is needed. This feature is supported on the Supervisor 720/PFC3BXL with limited features from Cisco Catalyst OS 8.5(1) or later releases.
Use the set mls bridged-flow-statistics command in order to enable or disable the bridged-flow statistics for the specified VLANs. You can enter one or several VLANs. You can enable the NetFlow table entry creation on a per-VLAN basis. But, because the bridged-flow statistics and per-VLAN entry creation use the same mechanism for the collection of the statistics, the VLAN entries can overlap.
Wrong BGP NEXTHOP in NetFlow
If the NetFlow BGP Next Hop is configured to support Accounting and Analysis, then the BGP Next Hop is different from the normal next hop.
The NetFlow cache does not capture the BGP Next Hop when the route to that BGP Next Hop is recursively load-shared through various IGP links. Instead, the NetFlow cache records the effective simple next hop from a random choice of the load-shared paths to which the BGP route recurses. Thus, the NetFlow BGP Next Hop is not supported when you have recursive load-sharing links.