Configuracion Basica de Netflow

Cisco IOS Flexible NetFlow
Configuration Guide
Release 12.4T
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public
domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, the Cisco logo, DCE, and Welcome to the Human Network
are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To
You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems,
Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing,
FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace,
MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet,
Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc.
and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0809R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco IOS Flexible NetFlow Configuration Guide
2008 Cisco Systems, Inc. All rights reserved.
About Cisco IOS and Cisco IOS XE Software

Documentation
Last updated: August 6, 2008
This document describes the objectives, audience, conventions, and organization used in Cisco IOS and
Cisco IOS XE software documentation, collectively referred to in this document as Cisco IOS
documentation. Also included are resources for obtaining technical assistance, additional
documentation, and other information from Cisco. This document is organized into the following
sections:
Documentation Objectives, page i
Audience, page i
Documentation Conventions, page ii
Documentation Organization, page iii
Additional Resources and Documentation Feedback, page xi
Documentation Objectives
Cisco IOS documentation describes the tasks and commands available to configure and maintain Cisco
networking devices.
Audience
The Cisco IOS documentation set is i ntended for users who configure and maintain Cisco networking
devices (such as routers and switches) but who may not be familiar with the configuration and
maintenance tasks, the relationship among tasks, or the Cisco IOS commands necessary to perform
particular tasks. The Cisco IOS documentation set is also intended for those users experienced with
Cisco IOS who need to know about new features, new configuration options, and new software
characteristics in the current Cisco IOS release.
About Cisco IOS and Cisco IOS XE Software Documentation

Documentation Conventions
Documentation Conventions
In Cisco IOS documentation, the term router may be used to refer to various Cisco products; for example,
routers, access servers, and switches. These and other networking devices that support Cisco IOS
software are shown interchangeably in examples and are used only for illustrative purposes. An example
that shows one product does not necessarily mean that other products are not supported.
This section includes the following topics:
Typographic Conventions, page ii
Command Syntax Conventions, page ii
Software Conventions, page iii
Reader Alert Conventions, page iii
Typographic Conventions
Cisco IOS documentation uses the following typographic conventions:
Convention
Description
^ or Ctrl
Both the ^ symbol and Ctrl represent the Control (Ctrl) key on a keyboard. For
example, the key combination ^D or Ctrl-D means that you hold down the
Control key while you press the D key. (Keys are indicated in capital letters but
are not case sensitive.)
string
A string is a nonquoted set of characters shown in italics. For example, when

setting a Simple Network Management Protocol (SNMP) community string to
public, do not use quotation marks around the string; otherwise, the string will
include the quotation marks.
Command Syntax Conventions

Cisco IOS documentation uses the following command syntax conventions:
ii
Convention
Description
bold
Bold text indicates commands and keywords that you enter as shown.
italic
Italic text indicates arguments for which you supply values.
[x]
Square brackets enclose an optional keyword or argument.
A vertical line, called a pipe, indicates a choice within a set of keywords

or arguments.
[x | y]
Square brackets enclosing keywords or arguments separated by a pipe indicate an

optional choice.
{x | y}
Braces enclosing keywords or arguments separated by a pipe indicate a

required choice.
[x {y | z}]
Braces and a pipe within square brackets indicate a required choice within an
optional element.

Documentation Organization
Software Conventions
Cisco IOS uses the following program code conventions:
Convention
Description
Courier font
Courier font is used for information that is displayed on a PC or terminal screen.
Bold Courier font
Bold Courier font indicates text that the user must enter.
<
>
Angle brackets enclose text that is not displayed, such as a password. Angle
brackets also are used in contexts in which the italic font style is not supported;
for example, ASCII text.
An exclamation point at the beginning of a line indicates that the text that follows
is a comment, not a line of code. An exclamation point is also displayed by
Cisco IOS software for certain processes.
Square brackets enclose default responses to system prompts.
Reader Alert Conventions

The Cisco IOS documentation set uses the following conventions for reader alerts:
Caution
Note
Timesaver
Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Means reader take note. Notes contain helpful suggestions or references to material not covered in the
manual.
Means the described action saves time. You can save time by performing the action described in the
paragraph.
This section describes the Cisco IOS documentation set, how it is organized, and how to access it on
Cisco.com. Included are lists of configuration guides, command references, and supplementary
references and resources that make up the documentation set. The following topics are included:
Cisco IOS Documentation Set, page iv
Cisco IOS Documentation on Cisco.com, page iv
Configuration Guides, Command References, and Supplementary Resources, page v
iii

Cisco IOS Documentation Set

Cisco IOS documentation consists of the following:
Release notes and caveats provide information about platform, technology, and feature support for
a release and describe severity 1 (catastrophic), severity 2 (severe), and severity 3 (moderate) defects
in released Cisco IOS code. Review release notes before other documents to learn whether or not
updates have been made to a feature.
Sets of configuration guides and command references organized by technology and published for
each standard Cisco IOS release.
Configuration guidesCompilations of documents that provide informational and
task-oriented descriptions of Cisco IOS features.

Command referencesCompilations of command pages that provide detailed information
about the commands used in the Cisco IOS features and processes that make up the related
configuration guides. For each technology, there is a single command reference that covers all
Cisco IOS releases and that is updated at each standard release.
Lists of all the commands in a specific release and all commands that are new, modified, removed,
or replaced in the release.
Command reference book for debug commands. Command pages are listed in alphabetical order.
Reference book for system messages for all Cisco IOS releases.
Cisco IOS Documentation on Cisco.com

The following sections describe the documentation organization and how to access various document
types.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS
software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An
account on Cisco.com is not required.
New Features List
The New Features List for each release provides a list of all features in the release with hyperlinks to the
feature guides in which they are documented.
Feature Guides
Cisco IOS features are documented in feature guides. Feature guides describe one feature or a group of
related features that are supported on many different software releases and platforms. Your Cisco IOS
software release or platform may not support all the features documented in a feature guide. See the
Feature Information table at the end of the feature guide for information about which features in that
guide are supported in your software release.
Configuration Guides
Configuration guides are provided by technology and release and comprise a set of individual feature
guides relevant to the release and technology.
iv

Command References
Command reference books describe Cisco IOS commands that are supported in many different software
releases and on many different platforms. The books are provided by technology. For information about
all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup
or the Cisco IOS Master Command List, All Releases, at
http://www.cisco.com/en/US/docs/ios/mcl/all_release/all_mcl.html.
Cisco IOS Supplementary Documents and Resources
Supplementary documents and resources are listed in Table 2 on page xi.
Configuration Guides, Command References, and Supplementary Resources

Table 1 lists, in alphabetical order, Cisco IOS and Cisco IOS XE software configuration guides and
command references, including brief descriptions of the contents of the documents. The Cisco IOS
command references are comprehensive, meaning that they include commands for both Cisco IOS
software and Cisco IOS XE software, for all releases. The configuration guides and command references
support many different software releases and platforms. Your Cisco IOS software release or platform
may not support all these technologies.
For additional information about configuring and operating specific networking devices, go to the
Product Support area of Cisco.com at http://www.cisco.com/web/psa/products/index.html.
Table 2 lists documents and resources that supplement the Cisco IOS software configuration guides and
command references. These supplementary resources include release notes and caveats; master
command lists; new, modified, removed, and replaced command lists; system messages; and the debug
command reference.
Table 1
Cisco IOS and Cisco IOS XE Configuration Guides and Command References
Configuration Guide and Command Reference Titles
Features/Protocols/Technologies
Cisco IOS AppleTalk Configuration Guide
AppleTalk protocol.
Cisco IOS XE AppleTalk Configuration Guide

Cisco IOS AppleTalk Command Reference
Cisco IOS Asynchronous Transfer Mode
Configuration Guide
LAN ATM, multiprotocol over ATM (MPoA), and WAN ATM.
Cisco IOS Asynchronous Transfer Mode

Command Reference

Table 1
Cisco IOS and Cisco IOS XE Configuration Guides and Command References (continued)

Cisco IOS Bridging and IBM Networking
Configuration Guide
Transparent and source-route transparent (SRT) bridging,

source-route bridging (SRB), Token Ring Inter-Switch Link
(TRISL), and token ring route switch module (TRRSM).
Data-link switching plus (DLSw+), serial tunnel (STUN),

block serial tunnel (BSTUN); logical link control, type 2
(LLC2), synchronous data link control (SDLC); IBM
Network Media Translation, including Synchronous Data
Logical Link Control (SDLLC) and qualified LLC (QLLC);
downstream physical unit (DSPU), Systems Network
Architecture (SNA) service point, SNA frame relay access,
advanced peer-to-peer networking (APPN), native client
interface architecture (NCIA) client/server topologies, and
IBM Channel Attach.
Cisco IOS Bridging Command Reference

Cisco IOS IBM Networking Command Reference
Cisco IOS Broadband and DSL Configuration Guide

Cisco IOS XE Broadband and DSL Configuration Guide
Point-to-Point Protocol (PPP) over ATM (PPPoA) and PPP over

Ethernet (PPPoE).
Cisco IOS Broadband and DSL Command Reference

Cisco IOS Carrier Ethernet Configuration Guide
Cisco IOS Carrier Ethernet Command Reference
Cisco IOS Configuration Fundamentals

Configuration Guide
Cisco IOS XE Configuration Fundamentals
Configuration Guide
Connectivity fault management (CFM), Ethernet Local

Management Interface (ELMI), IEEE 802.3ad link bundling,
Link Layer Discovery Protocol (LLDP), media endpoint
discovery (MED), and operations, administration, and
maintenance (OAM).
Autoinstall, Setup, Cisco IOS command-line interface (CLI),
Cisco IOS file system (IFS), Cisco IOS web browser user
interface (UI), basic file transfer services, and file management.
Cisco IOS Configuration Fundamentals

Command Reference
Cisco IOS DECnet Configuration Guide
DECnet protocol.
Cisco IOS XE DECnet Configuration Guide

Cisco IOS DECnet Command Reference
Cisco IOS Dial Technologies Configuration Guide
Cisco IOS XE Dial Technologies Configuration Guide
Cisco IOS Dial Technologies Command Reference
Cisco IOS Flexible NetFlow Configuration Guide
Cisco IOS Flexible NetFlow Command Reference
vi
Asynchronous communications, dial backup, dialer technology,

dial-in terminal services and AppleTalk remote access (ARA),
large scale dialout, dial-on-demand routing, dialout, modem and
resource pooling, ISDN, multilink PPP (MLP), PPP, virtual
private dialup network (VPDN).
Flexible NetFlow.

Table 1
Cisco IOS H.323 Configuration Guide
Gatekeeper enhancements for managed voice services,

Gatekeeper Transaction Message Protocol, gateway codec order
preservation and shutdown control, H.323 dual tone
multifrequency relay, H.323 version 2 enhancements, Network
Address Translation (NAT) support of H.323 v2 Registration,
Admission, and Status (RAS) protocol, tokenless call
authorization, and VoIP gateway trunk and
carrier-based routing.
Cisco IOS High Availability Configuration Guide
A variety of High Availability (HA) features and technologies

that are available for different network segments (from
enterprise access to service provider core) to facilitate creation
of end-to-end highly available networks. Cisco IOS HA features
and technologies can be categorized in three key areas:
system-level resiliency, network-level resiliency, and embedded
management for resiliency.
Cisco IOS XE High Availability Configuration Guide

Cisco IOS High Availability Command Reference
Cisco IOS Integrated Session Border Controller

Command Reference
A VoIP-enabled device that is deployed at the edge of networks.

An SBC is a toolkit of functions, such as signaling interworking,
network hiding, security, and quality of service (QoS).
Cisco IOS Intelligent Service Gateway

Configuration Guide
Cisco IOS Intelligent Service Gateway
Command Reference
Subscriber identification, service and policy determination,

session creation, session policy enforcement, session life-cycle
management, accounting for access and service usage, session
state monitoring.
Cisco IOS Interface and Hardware Component

Configuration Guide
LAN interfaces, logical interfaces, serial interfaces, virtual

interfaces, and interface configuration.
Cisco IOS XE Interface and Hardware Component

Configuration Guide
Cisco IOS Interface and Hardware Component
Command Reference
Cisco IOS IP Addressing Services Configuration Guide
Cisco IOS XE Addressing Services Configuration Guide
Cisco IOS IP Addressing Services Command Reference
Cisco IOS IP Application Services Configuration Guide
Cisco IOS XE IP Application Services Configuration
Guide
Cisco IOS IP Application Services Command Reference
Cisco IOS IP Mobility Configuration Guide
Address Resolution Protocol (ARP), Network Address

Translation (NAT), Domain Name System (DNS), Dynamic
Host Configuration Protocol (DHCP), and Next Hop Address
Resolution Protocol (NHRP).
Enhanced Object Tracking (EOT), Gateway Load Balancing
Protocol (GLBP), Hot Standby Router Protocol (HSRP), IP
Services, Server Load Balancing (SLB), Stream Control
Transmission Protocol (SCTP), TCP, Web Cache
Communication Protocol (WCCP), User Datagram Protocol
(UDP), and Virtual Router Redundancy Protocol (VRRP).
Mobile ad hoc networks (MANet) and Cisco mobile networks.
Cisco IOS IP Mobility Command Reference

Cisco IOS IP Multicast Configuration Guide
Cisco IOS XE IP Multicast Configuration Guide
Cisco IOS IP Multicast Command Reference
Protocol Independent Multicast (PIM) sparse mode (PIM-SM),

bidirectional PIM (bidir-PIM), Source Specific Multicast
(SSM), Multicast Source Discovery Protocol (MSDP), Internet
Group Management Protocol (IGMP), and Multicast VPN
(MVPN).
vii

Table 1
Cisco IOS IP Routing Protocols Configuration Guide
Cisco IOS IP Routing Protocols Command Reference
Border Gateway Protocol (BGP), multiprotocol BGP,

multiprotocol BGP extensions for IP multicast, bidirectional
forwarding detection (BFD), Enhanced Interior Gateway
Routing Protocol (EIGRP), Interior Gateway Routing Protocol
(IGRP), Intermediate System-to-Intermediate System (IS-IS),
on-demand routing (ODR), Open Shortest Path First (OSPF),
and Routing Information Protocol (RIP).
Cisco IOS IP SLAs Configuration Guide
Cisco IOS IP Service Level Agreements (IP SLAs).
Cisco IOS XE IP Routing Protocols Configuration Guide
Cisco IOS XE IP SLAs Configuration Guide

Cisco IOS IP SLAs Command Reference
Cisco IOS IP Switching Configuration Guide
Cisco IOS XE IP Switching Configuration Guide
Cisco Express Forwarding, fast switching, and Multicast

Distributed Switching (MDS).
Cisco IOS IP Switching Command Reference

Cisco IOS IPv6 Configuration Guide
Cisco IOS XE IPv6 Configuration Guide
For IPv6 features, protocols, and technologies, go to the IPv6

Start Here document at the following URL:
Cisco IOS IPv6 Command Reference
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/
guide/ip6-roadmap.html
Cisco IOS ISO CLNS Configuration Guide
ISO connectionless network service (CLNS).
Cisco IOS XE ISO CLNS Configuration Guide

Cisco IOS ISO CLNS Command Reference
Cisco IOS LAN Switching Configuration Guide
Cisco IOS XE LAN Switching Configuration Guide
VLANs, Inter-Switch Link (ISL) encapsulation, IEEE 802.10

encapsulation, IEEE 802.1Q encapsulation, and multilayer
switching (MLS).
Cisco IOS LAN Switching Command Reference

Cisco IOS Mobile Wireless Gateway GPRS Support Node
Configuration Guide
Cisco IOS Mobile Wireless Gateway GPRS Support Node
Command Reference
Cisco IOS Mobile Wireless Home Agent
Configuration Guide
Cisco IOS Mobile Wireless Home Agent
Command Reference
Cisco IOS Mobile Wireless Packet Data Serving Node
Configuration Guide
Cisco IOS Mobile Wireless Packet Data Serving Node
Command Reference
Cisco IOS Mobile Wireless Radio Access Networking
Configuration Guide
Cisco IOS Mobile Wireless Radio Access Networking
Command Reference
viii
Cisco IOS Gateway GPRS Support Node (GGSN) in a

2.5-generation general packet radio service (GPRS) and
3-generation universal mobile telecommunication system (UMTS)
network.
Cisco Mobile Wireless Home Agent, an anchor point for mobile
terminals for which mobile IP or proxy mobile IP services are
provided.
Cisco Packet Data Serving Node (PDSN), a wireless gateway that
is between the mobile infrastructure and standard IP networks and
that enables packet data services in a code division multiple access
(CDMA) environment.
Cisco IOS radio access network products.

Table 1
Cisco IOS Multiprotocol Label Switching

Configuration Guide
MPLS Label Distribution Protocol (LDP), MPLS Layer 2 VPNs,

MPLS Layer 3 VPNs, MPLS Traffic Engineering (TE), and
MPLS Embedded Management (EM) and MIBs.
Cisco IOS XE Multiprotocol Label Switching

Configuration Guide
Cisco IOS Multiprotocol Label Switching
Command Reference
Cisco IOS Multi-Topology Routing Configuration Guide
Cisco IOS Multi-Topology Routing Command Reference
Cisco IOS NetFlow Configuration Guide
Cisco IOS XE NetFlow Configuration Guide
Unicast and multicast topology configurations, traffic

classification, routing protocol support, and network
management support.
Network traffic data analysis, aggregation caches, export
features.
Cisco IOS NetFlow Command Reference

Cisco IOS Network Management Configuration Guide
Basic system management; system monitoring and logging;

troubleshooting, logging, and fault management;
Cisco IOS XE Network Management Configuration Guide
Cisco Discovery Protocol; Cisco IOS Scripting with Tool
Cisco IOS Network Management Command Reference
Control Language (Tcl); Cisco networking services (CNS);
DistributedDirector; Embedded Event Manager (EEM);
Embedded Resource Manager (ERM); Embedded Syslog
Manager (ESM); HTTP; Remote Monitoring (RMON); SNMP;
and VPN Device Manager Client for Cisco IOS Software
(XSM Configuration).
Cisco IOS Novell IPX Configuration Guide
Novell Internetwork Packet Exchange (IPX) protocol.
Cisco IOS XE Novell IPX Configuration Guide

Cisco IOS Novell IPX Command Reference
Cisco IOS Optimized Edge Routing Configuration Guide
Cisco IOS Optimized Edge Routing Command Reference
Cisco IOS Quality of Service Solutions

Configuration Guide
Cisco IOS XE Quality of Service Solutions
Configuration Guide
Cisco IOS Quality of Service Solutions
Command Reference
Cisco IOS Security Configuration Guide

Cisco IOS XE Security Configuration Guide
Cisco IOS Security Command Reference
Optimized edge routing (OER) monitoring, policy

configuration, routing control, logging and reporting, and
VPN IPsec/generic routing encapsulation (GRE) tunnel
interface optimization.
Class-based weighted fair queuing (CBWFQ), custom queuing,
distributed traffic shaping (DTS), generic traffic shaping (GTS),
IP- to-ATM class of service (CoS), low latency queuing (LLQ),
modular QoS CLI (MQC), Network-Based Application
Recognition (NBAR), priority queuing, Security Device
Manager (SDM), Multilink PPP (MLPPP) for QoS, header
compression, AutoQoS, QoS features for voice, Resource
Reservation Protocol (RSVP), weighted fair queuing (WFQ),
and weighted random early detection (WRED).
Access control lists (ACLs), authentication, authorization, and
accounting (AAA), firewalls, IP security and encryption,
neighbor router authentication, network access security, network
data encryption with router authentication, public key
infrastructure (PKI), RADIUS, TACACS+, terminal access
security, and traffic filters.
ix

Table 1
Cisco IOS Service Selection Gateway Configuration Guide Subscriber authentication, service access, and accounting.
Cisco IOS Service Selection Gateway Command Reference
Cisco IOS Software Activation Configuration Guide
Cisco IOS Software Activation Command Reference
Cisco IOS Software Modularity Installation and
Configuration Guide
Cisco IOS Software Modularity Command Reference
Cisco IOS Terminal Services Configuration Guide
Cisco IOS Terminal Services Command Reference
An orchestrated collection of processes and components to

activate Cisco IOS software feature sets by obtaining and
validating Cisco software licenses.
Installation and basic configuration of software modularity
images, including installations on single and dual route
processors, installation rollbacks, software modularity binding,
software modularity processes and patches.
DEC, local-area transport (LAT), and X.25 packet
assembler/disassembler (PAD).
Cisco IOS XE Terminal Services Command Reference

Cisco IOS Virtual Switch Command Reference
Virtual switch redundancy, high availability, and packet handling;

converting between standalone and virtual switch modes; virtual
switch link (VSL); Virtual Switch Link Protocol (VSLP).
Note
Cisco IOS Voice Configuration Library

Cisco IOS Voice Command Reference
Cisco IOS VPDN Configuration Guide
Cisco IOS XE VPDN Configuration Guide
Cisco IOS VPDN Command Reference
For information about virtual switch configuration, refer

to the product-specific software configuration
information for the Cisco Catalyst 6500 series switch or
for the Metro Ethernet 6500 series switch.
Cisco IOS support for voice call control protocols, interoperability,

physical and virtual interface management, and troubleshooting.
The library includes documentation for IP telephony applications.
Layer 2 Tunneling Protocol (L2TP) dial-out load balancing and
redundancy, L2TP extended failover, L2TP security VPDN,
multihop by Dialed Number Identification Service (DNIS),
timer and retry enhancements for L2TP and Layer 2 Forwarding
(L2F), RADIUS Attribute 82: tunnel assignment ID, shell-based
authentication of VPDN users, tunnel authentication via
RADIUS on tunnel terminator.
Cisco IOS Wide-Area Networking Configuration Guide
Frame Relay, Layer 2 Tunneling Protocol Version 3 (L2TPv3),

Link Access Procedure, Balanced (LAPB), Switched
Cisco IOS XE Wide-Area Networking Configuration Guide
Multimegabit Data Service (SMDS), and X.25.
Cisco IOS Wide-Area Networking Command Reference
Cisco IOS Wireless LAN Configuration Guide
Cisco IOS Wireless LAN Command Reference
Broadcast key rotation, IEEE 802.11x support, IEEE 802.1x

authenticator, IEEE 802.1x local authentication service for
Extensible Authentication Protocol-Flexible Authentication via
Secure Tunneling (EAP-FAST), Multiple Basic Service Set ID
(BSSID), Wi-Fi Multimedia (WMM) required elements, and
Wi-Fi Protected Access (WPA).

Additional Resources and Documentation Feedback
Table 2
Cisco IOS Supplementary Documents and Resources
Document Title
Description
Cisco IOS Master Command List, All Releases
Alphabetical list of all the commands documented in all

Cisco IOS releases.
Cisco IOS New, Modified, Removed, and

Replaced Commands
List of all the new, modified, removed, and replaced commands

for a Cisco IOS release.
Cisco IOS Software System Messages
List of Cisco IOS system messages and descriptions. System

messages may indicate problems with your system; be
informational only; or may help diagnose problems with
communications lines, internal hardware, or the
system software.
Cisco IOS Debug Command Reference
Alphabetical list of debug commands including brief

descriptions of use, command syntax, and usage guidelines.
Release Notes and Caveats
Information about new and changed features, system

requirements, and other useful information about specific
software releases; information about defects in specific
Cisco IOS software releases.
MIBs
Files used for network monitoring. To locate and download

MIBs for selected platforms, Cisco IOS releases, and feature
sets, use Cisco MIB Locator at the following URL:
http://www.cisco.com/go/mibs
RFCs
Standards documents maintained by the Internet Engineering

Task Force (IETF) that Cisco IOS documentation references
where applicable. The full text of referenced RFCs may be
obtained at the following URL:
http://www.rfc-editor.org/

Whats New in Cisco Product Documentation is published monthly and describes all new and revised
Cisco technical documentation. The Whats New in Cisco Product Documentation publication also
provides information about obtaining the following resources:
Technical documentation
Cisco product security overview
Product alerts and field notices
Technical assistance
Cisco IOS technical documentation includes embedded feedback forms where you can rate documents
and provide suggestions for improvement. Your feedback helps us improve our documentation.
xi

CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, the Cisco logo, DCE, and Welcome to the
Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar,
Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified
Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration
Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient,
IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone,
MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect,
ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and
the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply
a partnership relationship between Cisco and any other company. (0807R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and
figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and
coincidental.
xii
Using the Command-Line Interface in Cisco IOS

and Cisco IOS XE Software
Last updated: August 6, 2008
This document provides basic information about the command-line interface (CLI) in Cisco IOS and
Cisco IOS XE software and how you can use some of the CLI features. This document contains the
following sections:
Initially Configuring a Device, page i
Using the CLI, page ii
Saving Changes to a Configuration, page xii
Additional Information, page xii
For more information about using the CLI, see the Using the Cisco IOS Command-Line Interface
section of the Cisco IOS Configuration Fundamentals Configuration Guide.
For information about the software documentation set, see the About Cisco IOS and Cisco IOS XE
Software Documentation document.
Initially Configuring a Device

Initially configuring a device varies by platform. For information about performing an initial
configuration, see the hardware installation documentation that is provided with the original packaging
of the product or go to the Product Support area of Cisco.com at
http://www.cisco.com/web/psa/products/index.html.
After you have performed the initial configuration and connected the device to your network, you can
configure the device by using the console port or a remote access method, such as Telnet or Secure Shell
(SSH), to access the CLI or by using the configuration method provided on the device, such as Security
Device Manager.
Using the Command-Line Interface in Cisco IOS and Cisco IOS XE Software
Using the CLI
Changing the Default Settings for a Console or AUX Port
There are only two changes that you can make to a console port and an AUX port:
Note
Change the port speed with the config-register 0x command. Changing the port speed is not
recommended. The well-known default speed is 9600.
Change the behavior of the port; for example, by adding a password or changing the timeout value.
The AUX port on the Route Processor (RP) installed in a Cisco ASR1000 series router does not serve
any useful customer purpose and should be accessed only under the advisement of a customer support
representative.
Using the CLI

This section describes the following topics:
Understanding Command Modes, page ii
Using the Interactive Help Feature, page v
Understanding Command Syntax, page vi
Understanding Enable and Enable Secret Passwords, page viii
Using the Command History Feature, page viii
Abbreviating Commands, page ix
Using Aliases for CLI Commands, page ix
Using the no and default Forms of Commands, page x
Using the debug Command, page x
Filtering Output Using Output Modifiers, page x
Understanding CLI Error Messages, page xi
Understanding Command Modes

The CLI command mode structure is hierarchical, and each mode supports a set of specific commands.
This section describes the most common of the many modes that exist.
Table 1 lists common command modes with associated CLI prompts, access and exit methods, and a
brief description of how each mode is used.
ii
Using the CLI
Table 1
CLI Command Modes
Command
Mode
Access Method
Prompt
Exit Method
User EXEC
Log in.
Router>
Issue the logout or exit

command.
Privileged
EXEC
From user EXEC mode,

issue the enable
command.
Router#
Issue the disable

command or the exit
command to return to
user EXEC mode.
Mode Usage
Change terminal
settings.
Perform basic tests.
Display device status.
Issue show and debug

commands.
Copy images to the

device.
Reload the device.
Manage device
configuration files.
Manage device file

systems.
Global
configuration
From privileged EXEC

mode, issue the
configure terminal
command.
Router(config)#
Issue the exit command Configure the device.

or the end command to
return to privileged
EXEC mode.
Interface
configuration
From global
configuration mode,
issue the interface
command.
Router(config-if)#
Issue the exit command Configure individual

to return to global
interfaces.
configuration mode or
the end command to
EXEC mode.
Line
configuration
Router(config-line)# Issue the exit command Configure individual

From global
to return to global
terminal lines.
configuration mode,
configuration mode or
issue the line vty or line
the end command to
console command.
EXEC mode.
iii
Using the CLI
Table 1
CLI Command Modes (continued)
Command
Mode
Access Method
Prompt
Exit Method
ROM monitor
From privileged EXEC

mode, issue the reload
command. Press the
Break key during the
first 60 seconds while
the system is booting.
rommon # >
Issue the continue

command.
Diagnostic
(available only
on the Cisco
ASR1000
series router)
Router(diag)#
The router boots or
enters diagnostic mode
in the following
scenarios. When a
Cisco IOS process or
processes fail, in most
scenarios the router will
reload.
iv
The # symbol
represents the line
number and increments
at each prompt.
A user-configured
access policy was
configured using
the transport-map
command, which
directed the user
into diagnostic
mode.
The router was
accessed using an
RP auxiliary port.
A break signal
(Ctrl-C,
Ctrl-Shift-6, or the
send break
command) was
entered, and the
router was
configured to enter
diagnostic mode
when the break
signal was received.
If a Cisco IOS process

failure is the reason for
entering diagnostic
mode, the failure must
be resolved and the
router must be rebooted
to exit diagnostic mode.
If the router is in
diagnostic mode
because of a
transport-map
configuration, access
the router through
another port or using a
method that is
configured to connect to
the Cisco IOS CLI.
If the RP auxiliary port
was used to access the
router, use another port
for access. Accessing
the router through the
auxiliary port is not
useful for customer
purposes.
Mode Usage
Run as the default

operating mode when a
valid image cannot be
loaded.
Access the fall-back

procedure for loading an
image when the device
lacks a valid image and
cannot be booted.
Perform password
recovery when a
CTRL-Break sequence is
issued within 60 seconds
of a power-on or reload
event.
Inspect various states on

the router, including the
Cisco IOS state.
Replace or roll back the

configuration.
Provide methods of
restarting the Cisco IOS
software or other
processes.
Reboot hardware, such

as the entire router, an
RP, an ESP, a SIP, a SPA,
or possibly other
hardware components.
Transfer files into or off

of the router using
remote access methods
such as FTP, TFTP, and
SCP.
Using the CLI
EXEC commands are not saved when the software reboots. Commands that you issue in a configuration
mode can be saved to the startup configuration. If you save the running configuration to the startup
configuration, these commands will execute when the software is rebooted. Global configuration mode
is the highest level of configuration mode. From global configuration mode, you can enter a variety of
other configuration modes, including protocol-specific modes.
ROM monitor mode is a separate mode that is used when the software cannot load properly. If a valid
software image is not found when the software boots or if the configuration file is corrupted at startup,
the software might enter ROM monitor mode. Use the question symbol (?) to view the commands that
you can use while the device is in ROM monitor mode.
rommon 1 > ?
alias
boot
confreg
cont
context
cookie
.
.
.
rommon 2 >
set and display aliases command

boot up an external process
configuration register utility
continue executing a downloaded image
display the context of a loaded image
display contents of cookie PROM in hex
The following example shows how the command prompt changes to indicate a different command mode:
Router> enable
Router# configure terminal
Router(config)# interface ethernet 1/1
Router(config-if)# ethernet
Router(config-line)# exit
Router(config)# end
Router#
Note
A keyboard alternative to the end command is Ctrl-Z.
Using the Interactive Help Feature

The CLI includes an interactive Help feature. Table 2 describes how to use the Help feature.
Table 2
CLI Interactive Help Commands
Command
Purpose
help
Provides a brief description of the help feature in any command mode.
Lists all commands available for a particular command mode.
partial command?
Provides a list of commands that begin with the character string (no
space between the command and the question mark).
partial command<Tab>
Completes a partial command name (no space between the command

and <Tab>).
command ?
Lists the keywords, arguments, or both associated with the command

(space between the command and the question mark).
command keyword ?
Lists the arguments that are associated with the keyword (space between
the keyword and the question mark).
Using the CLI
The following examples show how to use the help commands:

help
Router> help
Help may be requested at any point in a command by entering a question mark '?'. If
nothing matches, the help list will be empty and you must backup until entering a '?'
shows the available options.
Two styles of help are provided:
1. Full help is available when you are ready to enter a command argument (e.g. 'show ?')
and describes each possible argument.
2. Partial help is provided when an abbreviated argument is entered and you want to know
what arguments match the input (e.g. 'show pr?'.)
?
Router# ?
Exec commands:
access-enable
access-profile
access-template
alps
archive
<snip>
Create a temporary access-List entry

Apply user-profile to interface
Create a temporary access-List entry
ALPS exec commands
manage archive files
partial command?
Router(config)# zo?
zone zone-pair
partial command<Tab>
Router(config)# we<Tab> webvpn
command ?
Router(config-if)# pppoe ?
enable
Enable pppoe
max-sessions Maximum PPPOE sessions
command keyword ?
Router(config-if)# pppoe enable ?
group attach a BBA group
<cr>
Understanding Command Syntax

Command syntax is the format in which a command should be entered in the CLI. Commands include
the name of the command, keywords, and arguments. Keywords are alphanumeric strings that are used
literally. Arguments are placeholders for values that a user must supply. Keywords and arguments may
be required or optional.
Specific conventions convey information about syntax and command elements. Table 3 describes these
conventions.
vi
Using the CLI
Table 3
CLI Syntax Conventions
Symbol/Text
Function
Notes
< > (angle brackets)
Indicate that the option is an

argument.
Sometimes arguments are displayed

without angle brackets.
A.B.C.D.
Indicates that you must enter a

dotted decimal IP address.
Angle brackets (< >) are not always

used to indicate that an IP address is
an argument.
WORD (all capital letters)
Indicates that you must enter

one word.

used to indicate that a WORD is an
argument.
LINE (all capital letters)
Indicates that you must enter

more than one word.

used to indicate that a LINE is an
argument.
<cr> (carriage return)
Indicates the end of the list of

available keywords and arguments, and also indicates when
keywords and arguments are
optional. When <cr> is the only
option, you have reached the
end of the branch or the end of
the command if the command
has only one branch.
The following examples show syntax conventions:

Router(config)# ethernet cfm domain ?
WORD domain name
Router(config)# ethernet cfm domain dname ?
level
Router(config)# ethernet cfm domain dname level ?
<0-7> maintenance level number
Router(config)# ethernet cfm domain dname level 7 ?
<cr>
Router(config)# snmp-server file-transfer access-group 10 ?
protocol protocol options
<cr>
Router(config)# logging host ?
Hostname or A.B.C.D IP address of the syslog server
ipv6
Configure IPv6 syslog server
Router(config)# snmp-server file-transfer access-group 10 ?
protocol protocol options
<cr>
vii
Using the CLI
Understanding Enable and Enable Secret Passwords

Some privileged EXEC commands are used for actions that impact the system, and it is recommended
that you set a password for these commands to prevent unauthorized use. Two types of passwords, enable
(not encrypted) and enable secret (encrypted), can be set. The following commands set these passwords
and are issued in global configuration mode:
enable password
enable secret password
Using an enable secret password is recommended because it is encrypted and more secure than the
enable password. When you use an enable secret password, text is encrypted (unreadable) before it is
written to the config.text file. When you use an enable password, the text is written as entered (readable)
to the config.text file.
Each type of password is case sensitive, can contain from 1 to 25 uppercase and lowercase alphanumeric
characters, and can start with a number. Spaces are also valid password characters; for example,
two words is a valid password. Leading spaces are ignored, but trailing spaces are recognized.
Note
Both password commands have numeric keywords that are single integer values. If you choose a number
for the first character of your password followed by a space, the system will read the number as if it were
the numeric keyword and not as part of your password.
When both passwords are set, the enable secret password takes precedence over the enable password.
To remove a password, use the no form of the commands: no enable password or
no enable secret password.
For more information about password recovery procedures for Cisco products, see
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/
products_tech_note09186a00801746e6.shtml.
Using the Command History Feature

The CLI command history feature saves the commands you enter during a session in a command history
buffer. The default number of commands saved is 10, but the number is configurable within the range of
0 to 256. This command history feature is particularly useful for recalling long or complex commands.
To change the number of commands saved in the history buffer for a terminal session, issue the
terminal history size command:
Router# terminal history size num
A command history buffer is also available in line configuration mode with the same default and
configuration options. To set the command history buffer size for a terminal session in line configuration
mode, issue the history command:
Router(config-line)# history [size num]
To recall commands from the history buffer, use the following methods:
viii
Press Ctrl-P or the up arrow keyRecalls commands beginning with the most recent command.
Repeat the key sequence to recall successively older commands.
Using the CLI
Press Ctrl-N or the down arrow keyRecalls the most recent commands in the history buffer after
they have been recalled using Ctrl-P or the up arrow key. Repeat the key sequence to recall
successively more recent commands.
Note
The arrow keys function only on ANSI-compatible terminals such as the VT100.
Issue the show history command in user EXEC or privileged EXEC modeLists the most recent
commands that you entered. The number of commands that are displayed is determined by the
setting of the terminal history size and history commands.
The CLI command history feature is enabled by default. To disable this feature for a terminal
session, issue the terminal no history command in user EXEC or privileged EXEC mode or the
no history command in line configuration mode.
Abbreviating Commands
Typing a complete command name is not always required for the command to execute. The CLI
recognizes an abbreviated command when the abbreviation contains enough characters to uniquely
identify the command. For example, the show version command can be abbreviated as sh ver. It cannot
be abbreviated as s ver because s could mean show, set, or systat. The sh v abbreviation also is not valid
because the show command has vrrp as a keyword in addition to version. (Command and keyword
examples from Cisco IOS Release 12.4(13)T.)
Using Aliases for CLI Commands

To save time and the repetition of entering the same command multiple times, you can use a command
alias. An alias can be configured to do anything that can be done at the command line, but an alias cannot
move between modes, type in passwords, or perform any interactive functions.
Table 4 shows the default command aliases.
Table 4
Default Command Aliases
Command Alias
Original Command
help
lo
logout
ping
show
u or un
undebug
where
To create a command alias, issue the alias command in global configuration mode. The syntax of the
command is alias mode command-alias original-command. Following are some examples:
Router(config)# alias exec prt partitionprivileged EXEC mode
Router(config)# alias configure sb source-bridgeglobal configuration mode
Router(config)# alias interface rl rate-limitinterface configuration mode
ix
Using the CLI
To view both default and user-created aliases, issue the show alias command.
For more information about the alias command, see
http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_book.html.
Using the no and default Forms of Commands

Most configuration commands have a no form that is used to reset a command to its default value or
disable a feature or function. For example, the ip routing command is enabled by default. To disable this
command, you would issue the no ip routing command. To re-enable IP routing, you would issue the
ip routing command.
Configuration commands may also have a default form, which returns the command settings to their
default values. For commands that are disabled by default, using the default form has the same effect as
using the no form of the command. For commands that are enabled by default and have default settings,
the default form enables the command and returns the settings to their default values.
The no and default forms of commands are described in the command pages of command references.
Using the debug Command

A debug command produces extensive output that helps you troubleshoot problems in your network.
These commands are available for many features and functions within Cisco IOS and Cisco IOS XE
software. Some debug commands are debug all, debug aaa accounting, and debug mpls packets. To
use debug commands during a Telnet session with a device, you must first enter the terminal monitor
command. To turn off debugging completely, you must enter the undebug all command.
For more information about debug commands, see the Cisco IOS Debug Command Reference at
http://www.cisco.com/en/US/docs/ios/debug/command/reference/db_book.html.
Caution
Debugging is a high priority and high CPU utilization process that can render your device unusable. Use
debug commands only to troubleshoot specific problems. The best times to run debugging are during
periods of low network traffic and when few users are interacting with the network. Debugging during
these periods decreases the likelihood that the debug command processing overhead will affect network
performance or user access or response times.
Filtering Output Using Output Modifiers

Many commands produce lengthy output that may use several screens to display. Using output modifiers,
you can filter this output to show only the information that you want to see.
Three output modifiers are available and are described as follows:
begin regular expressionDisplays the first line in which a match of the regular expression is found
and all lines that follow.
include regular expressionDisplays all lines in which a match of the regular expression is found.
exclude regular expressionDisplays all lines except those in which a match of the regular
expression is found.
Using the CLI
To use one of these output modifiers, type the command followed by the pipe symbol (|), the modifier,
and the regular expression that you want to search for or filter. A regular expression is a case-sensitive
alphanumeric pattern. It can be a single character or number, a phrase, or a more complex string.
The following example illustrates how to filter output of the show interface command to display only
lines that include the expression protocol.
Router# show interface | include protocol
FastEthernet0/0 is up, line protocol is up
Serial4/0 is up, line protocol is up
Serial4/1 is up, line protocol is up
Serial4/2 is administratively down, line protocol is down
Serial4/3 is administratively down, line protocol is down
Understanding CLI Error Messages

You may encounter some error messages while using the CLI. Table 5 shows the common CLI error
messages.
Table 5
Common CLI Error Messages
Error Message
Meaning
% Ambiguous command:
show con
You did not enter enough

Reenter the command followed by a
characters for the command to space and a question mark (?). The
be recognized.
keywords that you are allowed to
enter for the command appear.
% Incomplete command.
You did not enter all the

keywords or values required
by the command.
% Invalid input detected at ^ You entered the command inmarker.

correctly. The caret (^) marks
the point of the error.
How to Get Help
Reenter the command followed by a

space and a question mark (?). The
keywords that you are allowed to
enter for the command appear.
Enter a question mark (?) to display
all the commands that are available in
this command mode. The keywords
that you are allowed to enter for the
command appear.
For more system error messages, see the following documents:
Cisco IOS Release 12.2SR System Message Guide
Cisco IOS System Messages, Volume 1 of 2 (Cisco IOS Release 12.4)
Cisco IOS System Messages, Volume 2 of 2 (Cisco IOS Release 12.4)
xi
Saving Changes to a Configuration
Saving Changes to a Configuration

To save changes that you made to the configuration of a device, you must issue the copy running-config
startup-config command or the copy system:running-config nvram:startup-config command. When
you issue these commands, the configuration changes that you made are saved to the startup
configuration and saved when the software reloads or power to the device is turned off or interrupted.
The following example shows the syntax of the copy running-config startup-config command:
Router# copy running-config startup-config
Destination filename [startup-config]?
You press Enter to accept the startup-config filename (the default), or type a new filename and then press
Enter to accept that name. The following output is displayed indicating that the configuration was saved:
Building configuration...
[OK]
Router#
On most platforms, the configuration is saved to NVRAM. On platforms with a Class A flash file system,
the configuration is saved to the location specified by the CONFIG_FILE environment variable. The
CONFIG_FILE variable defaults to NVRAM.
Additional Information
Using the Cisco IOS Command-Line Interface section of the

Cisco IOS Configuration Fundamentals Configuration Guide:
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_cli-basics.html
or
Using Cisco IOS XE Software chapter of the Cisco ASR1000 Series Aggregation Services Routers
Software Configuration Guide:
http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/using_cli.html
Cisco Product Support Resources

http://www.cisco.com/web/psa/products/index.html
Support area on Cisco.com (also search for documentation by task or product)

http://www.cisco.com/en/US/support/index.html
White Paper: Cisco IOS Reference Guide

http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a00801830
5e.shtml
Software Download Center (downloads; tools; licensing, registration, advisory, and general
information) (requires Cisco.com User ID and password)
http://www.cisco.com/kobayashi/sw-center/
Error Message Decoder, a tool to help you research and resolve error messages for
Cisco IOS software
http://www.cisco.com/pcgi-bin/Support/Errordecoder/index.cgi
xii
Command Lookup Tool, a tool to help you find detailed descriptions of Cisco IOS commands
(requires Cisco.com user ID and password)
http://tools.cisco.com/Support/CLILookup
Output Interpreter, a troubleshooting tool that analyzes command output of supported

show commands
https://www.cisco.com/pcgi-bin/Support/OutputInterpreter/home.pl\
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, the Cisco logo, DCE, and Welcome to the
Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar,
Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified
Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration
Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient,
IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone,
MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect,
ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and
the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
coincidental.
xiii
xiv
Cisco IOS Flexible NetFlow Overview

First Published: June 19, 2006
Last Updated: October 10, 2008
NetFlow is a Cisco IOS technology that provides statistics on packets flowing through the router.
NetFlow is the standard for acquiring IP operational data from IP networks. NetFlow provides network
and security monitoring, network planning, traffic analysis, and IP accounting.
Flexible NetFlow improves on original NetFlow by adding the capability to customize the traffic analysis
parameters for your specific requirements. Flexible NetFlow makes it easier to create more complex
configurations for traffic analysis and data export through the use of reusable configuration components.
This module provides an overview of Flexible NetFlow and the advanced Flexible NetFlow features and
services.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS
software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An
account on Cisco.com is not required.
Contents
Information About Flexible NetFlow, page 1
Where to Go Next, page 13
Additional References, page 14
Information About Flexible NetFlow

The following sections contain information about Flexible NetFlow.
Typical Uses for NetFlow, page 2
Flows, page 3
Original NetFlow and Flexible NetFlow, page 3
Americas Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Flexible NetFlow Components, page 5
Security Detection with Flexible NetFlow, page 11
Feature Comparison of Original NetFlow and Flexible NetFlow, page 11
Typical Uses for NetFlow

NetFlow is typically used for several key customer applications, including the following:
Network monitoring. NetFlow data enables extensive near-real-time network monitoring

capabilities. Flow-based analysis techniques are used to visualize traffic patterns associated with
individual routers and switches and network-wide traffic patterns (providing aggregate traffic or
application-based views) to provide proactive problem detection, efficient troubleshooting, and
rapid problem resolution.
Application monitoring and profiling. NetFlow data enables network managers to gain a detailed
time-based view of application usage over the network. This information is used to plan, understand
new services, and allocate network and application resources (for example, web server sizing and
voice over IP (VoIP) deployment) to meet customer demands responsively.
User monitoring and profiling. NetFlow data enables network engineers to gain detailed
understanding of customer and user use of network and application resources. This information may
then be used to efficiently plan and allocate access, backbone, and application resources and to
detect and resolve potential security and policy violations.
Network planning. NetFlow can be used to capture data over a long period of time, affording the
opportunity to track and anticipate network growth and plan upgrades to increase the number of
routing devices, ports, and higher-bandwidth interfaces. NetFlow services data optimizes network
planning for peering, backbone upgrades, and routing policy. NetFlow helps to minimize the total
cost of network operations while maximizing network performance, capacity, and reliability.
NetFlow detects unwanted WAN traffic, validates bandwidth and quality of service (QoS), and
allows the analysis of new network applications. NetFlow will give you valuable information to
reduce the cost of operating your network.
Security analysis. NetFlow identifies and classifies distributed denial of service (dDoS) attacks,
viruses, and worms in real time. Changes in network behavior indicate anomalies that are clearly
demonstrated in Flexible NetFlow data. The data is also a valuable forensic tool to understand and
replay the history of security incidents.
Billing and accounting. NetFlow data provides fine-grained metering (for instance, flow data
includes details such as IP addresses, packet and byte counts, time stamps, type of service (ToS) and
application ports) for highly flexible and detailed resource utilization accounting. Service providers
may use the information for billing based on time of day, bandwidth usage, application usage,
quality of service, and so on. Enterprise customers may use the information for departmental charge
back or cost allocation for resource utilization.
NetFlow data warehousing and data mining. NetFlow data (or derived information) can be
warehoused for later retrieval and analysis in support of proactive marketing and customer service
programs (for example, figuring out which applications and services are being used by internal and

external users and targeting them for improved service, advertising, and so on). In addition, Flexible
NetFlow data gives market researchers access to the who, what, where, and how long
information relevant to enterprises and service providers.
Flows
Original NetFlow and Flexible NetFlow both use the concept of flows. A flow is defined as a stream of
packets between a given source and a given destination.
Original NetFlow and Flexible NetFlow both use the values in key fields in IP datagrams, such as the IP
source or destination address and the source or destination transport protocol port, as the criteria for
determining when a new flow must be created in the cache while network traffic is being monitored.
When the value of the data in the key field of a datagram is unique with respect to the flows that already
exist, a new flow is created.
Original NetFlow and Flexible NetFlow both use non-key fields as the criteria for identifying fields from
which data is captured from the flows. The flows are populated with data that is captured from the values
in the non-key fields.
Figure 1 is an example of the process for inspecting packets and creating flow records in the cache. In
this example, two unique flows are created in the cache because there are different values in the source
and destination IP address key fields.
Figure 1
Packet Inspection
P2
Example 1
Example 2
P1
P2
P1
Inspect Packet
Inspect Packet
Key Fields
Packet 1
Key Fields
Packet 1
Source IP
10.1.1.1
Source IP
10.1.1.1
Destination IP
10.9.7.2
Destination IP
10.9.7.2
Source port
23
Source port
23
Destination port
22078
Destination port
22078
Layer 3 Protocol
TCP-6
Layer 3 Protocol
TCP-6
TOS Byte
TOS Byte
Input Interface
Ethernet 0
Input Interface
Ethernet 0
Add new Flow to the NetFlow Cache
Create Flow record in the Cache

Source IP Dest. IP
Dest. I/F Protocol TOS
... Pkts
Source IP Dest. IP
... Pkts
10.1.1.1
E1
... 11000
10.3.3.3
10.2.7.2
E1
... 11000
10.1.1.1
10.9.7.2
E1
... 11000
10.9.7.2
Original NetFlow and Flexible NetFlow

Original NetFlow uses a fixed seven tuple of IP information to identify a flow. The new flexible concept
allows the flow to be user defined. The benefits of Flexible NetFlow include:

High-capacity flow recognition, including scalability and aggregation of flow information.
Enhanced flow infrastructure for security monitoring and distributed DoS detection and
identification.
New information from packets to adapt flow information to a particular service or operation in the
network. The flow information available will be customizable by Flexible NetFlow users.
Extensive use of Ciscos flexible and extensible NetFlow Version 9 export format.
A comprehensive IP accounting feature that can be used to replace many accounting features, such
as IP accounting, BGP Policy Accounting, and persistent caches.
Original NetFlow allows you to understand what the network is doing and thus to optimize network
design and reduce operational costs. Flexible NetFlow allows you to understand network behavior with
more efficiency, with specific flow information tailored for various services used in the network. The
following are some example applications for a Flexible NetFlow feature:
Flexible NetFlow enhances Cisco NetFlow as a security monitoring tool. For instance, new flow
keys can be defined for packet length or MAC address, allowing users to search for a specific type
of attack in the network.
Flexible NetFlow allows you to quickly identify how much application traffic is being sent between
hosts by specifically tracking TCP or user datagram protocol (UDP) applications by the class of
service (CoS) in the packets.
The accounting of traffic entering a multi-protocol label switching (MPLS) or IP core network and
its destination for each next hop per class of service. This capability allows the building of an
edge-to-edge traffic matrix.
Figure 2 is an example of how Flexible NetFlow might be deployed in a network.

Figure 2
Typical Deployment for Flexible NetFlow
ISP
Peering Flows
Dest. AS
Dest. Traffic Index
BGP Next Hop
DSCP
IP
IP
Branch
Data Center
WAN
Multicast Flows
Protocol
Ports
IP Address
TCP Flags
Packet Section
Security Flows
Protocol
Ports
IP Address
TCP Flags
Packet Section
IP Flows
IP Subnets
Ports
Protocol
Interfaces
Egress/Ingress
271759
IP
Campus

Flexible NetFlow Components

Flexible NetFlow consists of components that can be used together in several variations to perform
traffic analysis and data export. The user-defined flow records and the component structure of Flexible
NetFlow make it easy for you to create various configurations for traffic analysis and data export on a
networking device with a minimum number of configuration commands. Each flow monitor can have a
unique combination of flow record, flow exporter, and cache type. If you change a parameter such as the
destination IP address for a flow exporter, it is automatically changed for all the flow monitors that use
the flow exporter. The same flow monitor can be used in conjunction with different flow samplers to
sample the same type of network traffic at different rates on different interfaces. The following sections
provide more information on Flexible NetFlow components:
Records, page 5
Flow Monitors, page 7
Flow Exporters, page 9
Flow Samplers, page 11
Records
In Flexible NetFlow a combination of key and non-key fields is called a record. Flexible NetFlow records
are assigned to Flexible NetFlow flow monitors to define the cache that is used for storing flow data.
Flexible NetFlow includes several predefined records that can help you get started using Flexible
NetFlow. To use Flexible NetFlow to its fullest potential, you need to create your own customized
records.
NetFlow Predefined Records, page 5
User-Defined Records, page 6
NetFlow Predefined Records

Flexible NetFlow includes several predefined records that you can use right away to start monitoring
traffic in your network. The predefined records are available to help you quickly deploy Flexible
NetFlow and are easier to use than user-defined flow records. You can choose from a list of already
defined records that may meet the needs for network monitoring. As Flexible NetFlow evolves, popular
user-defined flow records will be made available as predefined records to make them easier to
implement.
The predefined records ensure backward compatibility with your existing NetFlow collector
configurations for the data that is exported. Each of the predefined records has a unique combination of
key and non-keys fields that offer you the built-in ability to monitor various types of traffic in your
network without customizing Flexible Netflow on your router.
Two of the predefined records (NetFlow original1 and NetFlow IPv4/IPv6 original output) emulate
original (ingress) NetFlow and the Egress NetFlow Accounting feature in original NetFlow, respectively.
Some of the other Flexible NetFlow predefined records are based on the aggregation cache schemes
available in original NetFlow. The Flexible NetFlow predefined records that are based on the aggregation
cache schemes available in original NetFlow do not perform aggregation. Instead each flow is tracked
separately by the predefined records.
1. The Netflow Original and NetFlow IPv4/IPv6 original-input predefined records are functionally
equivalent.

If you want to learn more about the Flexible NetFlow predefined records, refer to the Getting Started
with Configuring Cisco IOS Flexible NetFlow module or the Configuring Cisco IOS Flexible NetFlow
with Predefined Records module.
User-Defined Records
Flexible NetFlow enables you to define your own records for a Flexible NetFlow flow monitor cache by
specifying the key and non-key fields to customize the data collection to your specific requirements.
When you define your own records for a Flexible NetFlow flow monitor cache, they are referred to as
user-defined records. The values in non-key fields are added to flows to provide additional information
about the traffic in the flows. A change in the value of a non-key field does not create a new flow. In most
cases the values for non-key fields are taken from only the first packet in the flow. Flexible NetFlow
enables you to capture counter values such as the number of bytes and packets in a flow as non-key fields.
You can create user-defined records for applications such as QoS and bandwidth monitoring, application
and end user traffic profiling, and security monitoring for denial of service (DoS) attacks. Flexible
NetFlow also includes several predefined records that emulate original NetFlow.
Flexible NetFlow user-defined records provide the capability to monitor a contiguous section of a packet
of a user-configurable size, and use it in a flow record as a key or a non-key field along with other fields
and attributes of the packet. The section may potentially include any Layer 3 data from the packet.
The packet section fields allow the user to monitor any packet fields that are not covered by the Flexible
NetFlow predefined keys. The ability to analyze packet fields that are not collected with the predefined
keys enables more detailed traffic monitoring, facilitates the investigation of distributed denial of service
(dDoS) attacks, and enables implementation of other security applications such as URL monitoring.
Flexible NetFlow provides predefined types of packet sections of a user-configurable size. The following
Flexible NetFlow commands (used in flow record configuration mode) can be used to configure the
predefined types of packet sections:
collect ipv4 section header size header-sizeStarts capturing the number of bytes specified by the
header-size argument from the beginning of the IPv4 header of each packet.
collect ipv4 section payload size payload-sizeStarts capturing bytes immediately after the IPv4
header from each packet. The number of bytes captured is specified by the payload-size argument.
collect ipv6 section header size header-sizeStarts capturing the number of bytes specified by the
header-size argument from the beginning of the IPv6 header of each packet.
collect ipv6 section payload size payload-sizeStarts capturing bytes immediately after the IPv6
header from each packet. The number of bytes captured is specified by the payload-size argument.
The header-size and payload-size values are the sizes in bytes of these fields in the flow record. If the
corresponding fragment of the packet is smaller than the requested section size, Flexible NetFlow will
fill the rest of the section field in the flow record with zeros. If the packet type does not match the
requested section type, Flexible NetFlow will fill the entire section field in the flow record with zeros.
Flexible NetFlow adds a new Version 9 export format field type for the header and packet section types.
Flexible NetFlow will communicate to the NetFlow collector the configured section sizes in the
corresponding Version 9 export template fields. The payload sections will have a corresponding length
field that can be used to collect the actual size of the collected section.

Flow Monitors
Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network
traffic monitoring. Flow monitors consist of a user-defined or predefined record, an optional flow
exporter, and a cache that is automatically created at the time the flow monitor is applied to the first
interface. Flow data is collected from the network traffic and added to the flow monitor cache during the
monitoring process based on the key and non-key fields in the flow record.
Flexible NetFlow can be used to perform different types of analysis on the same traffic. In Figure 3,
packet 1 is analyzed using a record designed for standard traffic analysis on the input interface and a
record designed for security analysis on the output interface.
Figure 3
Example of Using Two Flow Monitors to Analyze the Same Traffic
Traffic
P5 P4 P3 P2
Key Fields
Packet 1
Flow Monitor 1
(Ethernet 0)
P1
Flow Monitor 2
(Ethernet 1)
Non Key Fields
Key Fields
Packet 1
Non Key Fields
Source IP
10.3.3.3
Packets
Source IP
10.3.3.3
Packets
Destination IP
10.2.2.2
Bytes
Destination IP
10.2.2.2
Time Stamps
Source port
23
Time Stamps
Input Interface
Ethernet 0
Destination port
22078
Next-Hop Address
SYN Flag
Layer 3 Protocol
TCP-6
TOS Byte
Input Interface
Ethernet 0
Traffic Analysis Cache
Security Analysis Cache
... Pkts
Source IP Dest. IP
... Pkts
E1
... 11000
10.3.3.3
E1
... 11000
10.2.2.2
10.2.2.2
E1
271755
Source IP Dest. IP
10.3.3.3

Figure 4 shows a more complex example of how you can apply different types of flow monitors with
custom records.
Figure 4
Complex Example of Using Multiple Types of Flow Monitors with Custom Records
ISP
IP
Peering
Flows
IP
IP
Branch
Campus
Data Center
WAN
Application Flows
Security Flows
IP Flows
Multicast
Flows
Teleworker
271756
IP
There are three types of flow monitor caches. You change the type of cache used by the flow monitor
after you create the flow monitor. The three types of flow monitor caches are as follows:
Normal, page 8
Immediate, page 8
Permanent, page 9
Normal
The default cache type is normal. In this mode, the entries in the cache are aged out according to the
timeout active and timeout inactive settings. When a cache entry is aged out, it is removed from the cache
and exported via any exporters configured.
Immediate
A cache of type immediate ages out every record as soon as it is created. As a result, every flow
contains just one packet. The commands that display the cache contents will provide a history of the
packets seen.
This mode is desirable when you expect only very small flows and you want a minimum amount of
latency between seeing a packet and exporting a report.
Caution
This command may result in a large amount of export data that can overload low-speed links and
overwhelm any systems that you are exporting to. We recommended that you configure sampling to
reduce the number of packets that are processed.

Note
The cache timeout settings have no effect in this mode.

Permanent
A cache of type permanent never ages out any flows. A permanent cache is useful when the number
of flows you expect to see is low and there is a need to keep long-term statistics on the router. For
example, if the only key field in the flow record is the 8-bit IP ToS field, only 256 flows can be
monitored. To monitor the long-term usage of the IP ToS field in the network traffic, a permanent cache
can be used. Permanent caches are useful for billing applications and for an edge-to-edge traffic matrix
for a fixed set of flows that are being tracked. Update messages will be sent periodically to any flow
exporters configured according to the timeout update setting.
Note
When a cache becomes full in permanent mode, new flows will not be monitored. If this occurs, a Flows
not added message will appear in the cache statistics.
Note
A permanent cache uses update counters rather than delta counters. This means that when a flow is
exported, the counters represent the totals seen for the full lifetime of the flow and not the additional
packets and bytes seen since the last export was sent.
Flow Exporters
Flow exporters export the data in the flow monitor cache to a remote system, such as a server running
NetFlow collector, for analysis and storage. Flow exporters are created as separate entities in the
configuration. Flow exporters are assigned to flow monitors to provide data export capability for the flow
monitors. You can create several flow exporters and assign them to one or more flow monitors to provide
several export destinations. You can create one flow exporter and apply it to several flow monitors.
NetFlow Data Export Format Version 9
The basic output of NetFlow is a flow record. Several different formats for flow records have evolved as
NetFlow has matured. The most recent evolution of the NetFlow export format is known as Version 9.
The distinguishing feature of the NetFlow Version 9 export format is that it is template-based. Templates
provide an extensible design to the record format, a feature that should allow future enhancements to
NetFlow services without requiring concurrent changes to the basic flow-record format. Using templates
provides several key benefits:
Third-party business partners who produce applications that provide collector or display services for
NetFlow do not have to recompile their applications each time a new NetFlow feature is added.
Instead, they should be able to use an external data file that documents the known template formats.
New features can be added to NetFlow quickly without breaking current implementations.
NetFlow is future-proofed against new or developing protocols because the Version 9 format can
be adapted to provide support for them.
The Version 9 export format consists of a packet header followed by one or more template flow or data
flow sets. A template flow set provides a description of the fields that will be present in future data flow
sets. These data flow sets may occur later within the same export packet or in subsequent export packets.
Template flow and data flow sets can be intermingled within a single export packet, as illustrated in
Figure 5.

Packet
Header
Version 9 Export Packet
Template
FlowSet
Data
FlowSet
Data
FlowSet
Template
FlowSet
271757
Figure 5
Data
FlowSet
NetFlow Version 9 will periodically export the template data so the NetFlow collector will understand
what data is to be sent and also export the data flow set for the template. The key advantage to Flexible
NetFlow is that the user configures a flow record, which is effectively converted to a Version 9 template
and then forwarded to the collector. Figure 6 is a detailed example of the NetFlow Version 9 export
format, including the header, template flow and data flow sets.
Note
The NetFlow Version 5 export format is a fixed export format that would provide limited information for
Flexible NetFlow data. This is why Flexible Netflow uses the Version 9 export format.
Figure 6
Detailed Example of the NetFlow Version 9 Export Format
Header
First Template FlowSet
Template Record
First Record FlowSet
(Template ID 256)
First Data Record
NetFlow Version 9 Header: 32 bits

Version 9
Count = 4 (FlowSets)
System Uptime
UNIX Seconds
Package Sequence
Source ID
Second Data Record

Third Data Record
Second Template FlowSet
Template FlowSet: 16 bits

FlowSet ID - 0
Template Record
Length = 28 bytes
Template Record
Template ID = 256
Second Record FlowSet

(Template ID 257)
Data Record
Data Record
Data Record
Data Record
Field Count = 5
Data FlowSet: 32 bits

FlowSet
ID = 256
Length =
64 bytes
192.168.1.12
10.5.12.254
IPv4_SRCADDR (0x0008)
192.168.1.1
Length = 4
5009
IPv4_DSTADDR (0x000C)
5344385
Length = 4
192.168.1.27
IPv4_NEXT_HDP (0x000E)
Length = 4
PKTS:_32(0x0002)
10.5.12.23
192.168.1.1
748
Length = 4
388964
BYTES:_32(0x0001)
192.168.1.56
Length = 4
10.5.12.65
5
6534
271758
192.168.1.1
For more information on the Version 9 export format, refer to the white paper entitled Cisco IOS NetFlow
Version 9 Flow-Record Format, available at this url:
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_white_paper09186a00800a3db9.shtml.
10

Flow Samplers
Flow samplers are used to reduce the load that Flexible NetFlow places on the networking device to
monitor traffic by limiting the number of packets that are analyzed. You can configure a rate of sampling
that is 1 out of a range of 2 to 32768 packets. For example, a sampling rate of 1 out of 2 results in the
analysis of 50 percent of the packets processed by the networking device.
Flow samplers are applied to interfaces in conjunction with a flow monitor to implement Flexible
NetFlow flow sampling. Packets are analyzed at the rate specified by the sampler and compared with the
flow record associated with the flow monitor. If the analyzed packets meet the criteria specified by the
flow record, they are added to the flow monitor cache.
Security Detection with Flexible NetFlow

Flexible NetFlow can be used as a network attack detection tool with capabilities to track all parts of the
IP header and even packet sections and characterize this information into flows. Security detection
systems can listen to Flexible NetFlow data, and upon finding an issue in the network, create a virtual
bucket or virtual cache that will be configured to track specific information and identify details about
the attack pattern or worm propagation. The capability to create caches dynamically with specific
information combined with input filtering (for example, filtering all flows to a specific destination)
makes Flexible NetFlow a powerful security detection tool.
One common type of attack occurs when TCP flags are used to flood open TCP requests to a destination
server (for example, a SYN flood attack). The attacking device sends a stream of TCP SYNs to a given
destination address but never send the ACK in response to the servers SYN-ACK as part of the TCP
three-way handshake. The flow information needed for security detection server requires the tracking of
three key fields: destination address or subnet, TCP flags, and packet count. The security detection server
may be monitoring general Flexible NetFlow information, and this data may trigger a detailed view of
this particular attack by dynamically creating a new flow monitor in the routers configuration. The new
flow monitor might include input filtering to limit what traffic is visible in the Flexible NetFlow cache
along with the tracking of the specific information to diagnose the TCP-based attack. In this case the
user may want to filter all flow information to the server destination address or subnet to limit the amount
of information the security detection server needs to evaluate. If the security detection server decided it
understood this attack, it might then program another flow monitor to collect and export payload
information or sections of packets to take a deeper look at a signature within the packet. This example
is just one of many possible ways that Flexible NetFlow can be used to detect security incidents.
Feature Comparison of Original NetFlow and Flexible NetFlow

Table 1 provides a feature-by-feature comparison of original NetFlow and Flexible NetFlow.
Table 1
Feature-by-Feature Comparison of Original NetFlow and Flexible NetFlow
Feature
Original
NetFlow
Flexible
NetFlow
NetFlow Data Capture
Supported
Supported
Data capture is available with the

predefined1 and user-defined records in
Flexible NetFlow.
NetFlow Data Export
Supported
Supported
Flow exporters export data from the

Flexible NetFlow flow monitor caches to
remote systems.
Comments
11

Table 1
Feature-by-Feature Comparison of Original NetFlow and Flexible NetFlow (continued)
Feature
Original
NetFlow
Flexible
NetFlow
NetFlow for IPv6
Supported
Supported
Comments
IPv6 support was removed from original
NetFlow in Cisco IOS Release
12.4(20)T.
The Flexible NetFlow - IPv6 Unicast
Flows feature implemented IPv6 support
for Flexible NetFlow in Cisco IOS
Release 12.4(20)T.
12
MPLS-Aware NetFlow
Supported
Not supported
MPLS Egress NetFlow
Supported
Supported
The Flexible Netflow - MPLS Egress

NetFlow feature implemented MPLS
NetFlow egress support for Flexible
NetFlow in Cisco IOS Release
12.4(22)T.
NetFlow BGP Next Hop

Support
Supported
Supported
Available in the predefined and userdefined keys in Flexible NetFlow

records.
Random Packet Sampled

NetFlow
Supported
Supported
Available with Flexible NetFlow

sampling.
NetFlow v9 Export Format
Supported
Supported

exporters.
NetFlow Subinterface
Support
Supported
Supported
Flexible NetFlow monitors can be

assigned to subinterfaces.
NetFlow Multiple Export

Destinations
Supported
Supported

exporters.
NetFlow ToS-Based Router

Aggregation
Supported
Supported
Available in the predefined and

user-defined records in Flexible NetFlow
records.
NetFlow Minimum Prefix

Mask for Router-Based
Aggregation
Supported
Supported
Available in the predefined and

user-defined records.
NetFlow Input Filters
Supported
Not supported
NetFlow MIB
Supported
Not supported
NetFlow MIB and Top

Talkers
Supported
Not supported

Where to Go Next
Table 1
Feature-by-Feature Comparison of Original NetFlow and Flexible NetFlow (continued)
Feature
Original
NetFlow
Flexible
NetFlow
NetFlow Multicast Support
Supported
Supported
Comments
In Cisco IOS release 12.4(9)T through
12.4(20)T Flexible NetFlow collects
statistics for multicast flows. However,
specific additional fields such as
replication counts for bytes and packets
are not supported.
The Flexible Netflow - IPv4 Multicast
Statistics Support feature implemented
support for capturing multicast
replication counts for bytes and packets
in Cisco IOS Release 12.4(22)T.
NetFlow Layer 2 and

Security Monitoring
Exports
Supported
Partially
supported
The Flexible Netflow - Layer 2 Fields

feature implemented support for
capturing MAC addresses and virtual
LAN (VLAN) IDs in Cisco IOS Release
12.4(22)T.
Egress NetFlow Accounting Supported
Supported
Flexible NetFlow monitors can be used

to monitor egress traffic on interfaces
and subinterfaces.
NetFlow Reliable Export

with SCTP
Supported
Not supported
NetFlow Dynamic Top

Talkers CLI
Supported
Supported
The Flexible Netflow - Top N Talkers

Support feature implemented in
Cisco IOS Release 12.4(22)T provides
the same functionailty.
1. Flexible NetFlow has several predefined keys that emulate the traffic analysis capabilities of original NetFlow.
Where to Go Next
To implement a basic Flexible NetFlow configuration that emulates original NetFlow traffic analysis and
data export, refer to the Getting Started with Configuring Cisco IOS Flexible NetFlow module. To
implement other Flexible NetFlow configurations, refer to the Related Documents section on page 14.
13

Additional References
The following sections provide references related to Flexible NetFlow.
Related Documents
Related Topic
Document Title
Flexible NetFlow Feature Roadmap
Cisco IOS Flexible NetFlow Features Roadmap
Emulating original NetFlow with Flexible NetFlow
Getting Started with Configuring Cisco IOS Flexible NetFlow
Configuring flow exporters to export Flexible NetFlow Configuring Data Export for Cisco IOS Flexible NetFlow with
data
Flow Exporters
Customizing Flexible NetFlow for your network
Customizing Cisco IOS Flexible NetFlow Flow Records and Flow

Monitors
Configuring flow sampling to reduce the overhead of

monitoring traffic with Flexible NetFlow
Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the

CPU Overhead of Analyzing Traffic
Configuring Flexible NetFlow using predefined

records
Configuring Cisco IOS Flexible NetFlow with Predefined Records
Using Flexible Netflow Top N Talkers to Analyze

Network Traffic
Using Cisco IOS Flexible Netflow Top N Talkers to Analyze

Network Traffic
Configuring IPv4 Multicast Statistics Support for

Flexible NetFlow
Configuring IPv4 Multicast Statistics Support for Cisco IOS

Flexible NetFlow
Configuration commands for Flexible NetFlow
RFCs
RFC
Title
RFC #3954
Cisco Systems NetFlow Services Export Version 9
Technical Assistance
Description
Link
The Cisco Support website provides extensive online

resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
http://www.cisco.com/techsupport
To receive security and technical information about

your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter, and
Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
14

CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, the Cisco logo, DCE, and
Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access
Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the
Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,
Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink,
Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime
Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet,
Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks
of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply
coincidental.
15

16

This feature roadmap lists the Cisco IOS features documented in the Cisco IOS Flexible NetFlow
Configuration Guide and maps them to the documents in which they appear. The roadmap is organized
so that you can select your release train and see the features in that release. Find the feature name you
are searching for and click on the URL in the Where Documented column to access the document
containing that feature.
Feature and Release Support
Table 1 lists Flexible NetFlow feature support for the following Cisco IOS software release trains:
Cisco IOS Release 12.2SB
Cisco IOS Release 12.2SR
Cisco IOS Release 12.4T
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco
Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a
specific software release, feature set, or platform. To access Cisco Feature Navigator, go to
http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
Table 1 lists the most recent release of each software train first and the features in alphabetical order
within the release.
Table 1
Release
Supported Cisco IOS Flexible NetFlow Features
Feature Name
Feature Description
Where Documented
Flexible NetFlow was integrated into Cisco IOS

Release 12.2(31)SB2.

Overview
Cisco IOS Release 12.2SB
12.2(31)SB2 Flexible NetFlow
Getting Started with

Configuring Cisco IOS
Flexible NetFlow
Flexible NetFlow with
Predefined Records
Customizing Cisco IOS
Flexible NetFlow Flow
Records and Flow Monitors
Configuring Data Export for
with Flow Exporters
Using Cisco IOS Flexible
NetFlow Flow Sampling to
Reduce the CPU Overhead of
Analyzing Traffic
Cisco IOS Release 12.2SR
12.2(33)SR
Flexible NetFlow
Support for Flexible NetFlow on Cisco 7200

series routers was added in
Cisco IOS Release 12.2(33)SRC.

Overview
Flexible NetFlow
Predefined Records
with Flow Exporters
Analyzing Traffic
Table 1
Release
Supported Cisco IOS Flexible NetFlow Features (continued)
Feature Name
Feature Description
Where Documented
Cisco IOS Release 12.4T
12.4(22)T
Flexible Netflow - IPv4

Multicast Statistics
Support
The capability of reporting the number of

replicated bytes and the number of replicated
packets in multicast flows was added.
Configuring IPv4 Multicast

Statistics Support for
12.4(22)T
Flexible Netflow Netflow V5 export

protocol
Support for sending export packets using the

Version 5 export protocol was added.

with Flow Exporters
12.4(22)T
Flexible Netflow - Layer Support for collecting statistics for Layer 2 fields Customizing Cisco IOS
2 Fields
such as MAC addresses and virtual LAN (VLAN) Flexible NetFlow Flow
IDs from traffic was added.
12.4(22)T

Flexible Netflow - MPLS Support for captureing IP flow information for
Egress NetFlow
packets undergoing MPLS label disposition; that Configuring Cisco IOS
is, packets that arrive on a router as MPLS packets Flexible NetFlow
and are transmitted as IP packets.
12.4(22)T
Flexible Netflow - Top N Support for analyzing the large amount of data
Talkers Support
Flexible NetFlow captures from the traffic in a
network by providing the ability to filter,
aggregate, and sort the data in the Flexible
NetFlow cache as it is displayed was added.

Netflow Top N Talkers to
Analyze Network Traffic
12.4(20)T
Flexible NetFlow - IPv6

Unicast Flows

Overview
Support for IPv6 traffic was added.

Flexible NetFlow
Predefined Records
with Flow Exporters
Analyzing Traffic
Flexible NetFlow Output Features on Data
Export
Support for data export using the Cisco IOS

feature path was added.

with Flow Exporters
Table 1
Supported Cisco IOS Flexible NetFlow Features (continued)
Release
Feature Name
Feature Description
Where Documented
12.4(9)T
Flexible NetFlow
Flexible NetFlow is introduced.

Overview
Flexible NetFlow
Predefined Records
with Flow Exporters
Analyzing Traffic
coincidental.
Getting Started with Configuring Cisco IOS

Flexible NetFlow
This document contains information about and instructions for configuring Flexible NetFlow to emulate
the data capture, data analysis, and data export features of original NetFlow. The Flexible NetFlow
equivalents of some of the other features that have been added to original NetFlow, such as NetFlow
Subinterface Support, and Multiple Export Destinations, are covered in this document. The purpose of
this document is to help you get started using Flexible NetFlow as quickly as possible.
This document explains how to configure certain Flexible NetFlow features but does not explain them
in detail. The documents listed in the Related Documents section on page 23 contain more detailed
information on Flexible NetFlow features.
Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information for Flexible NetFlow section on page 24.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS,
and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to

Contents
Contents
Prerequisites for Getting Started with Configuring Flexible NetFlow, page 2
Information About Getting Started with Configuring Flexible NetFlow, page 2
How to Get Started with Configuring Flexible NetFlow, page 8
Configuration Examples for Emulating Original NetFlow Features with Flexible NetFlow, page 21
Feature Information for Flexible NetFlow, page 24
Prerequisites for Getting Started with Configuring Flexible

NetFlow
The following prerequisites must be met before you can configure Flexible NetFlow:
You are familiar with the information in the Cisco IOS Flexible NetFlow Overview module.
The networking device must be running a Cisco IOS release that supports Cisco IOS Flexible
NetFlow. See the Cisco IOS Flexible NetFlow Features Roadmap module for a list of
Cisco IOS software releases that support Flexible NetFlow.
IPv4 Traffic
The networking device must be configured for IPv4 routing.
One of the following must be enabled on your router and on any interfaces on which you want to
enable Flexible NetFlow: Cisco Express Forwarding (CEF) or distributed CEF (dCEF).
IPv6 Traffic
enable Flexible NetFlow: Cisco Express Forwarding IPv6 (CEF IPv6) or distributed CEF IPv6
(dCEF IPv6).
Information About Getting Started with Configuring Flexible

NetFlow
Before you configure Flexible NetFlow to emulate original NetFlow, you should understand the
following concepts:
Benefit of Emulating Original NetFlow with Flexible NetFlow, page 3
Flexible NetFlow Netflow Original and NetFlow IPv4 Original Input Predefined Records,
page 3
Flexible NetFlow NetFlow IPv4 Original Output Predefined Record, page 4
Flexible NetFlow NetFlow IPv6 Original Input Predefined Record, page 5

Information About Getting Started with Configuring Flexible NetFlow
Flexible Netflow - MPLS Egress NetFlow, page 7
Benefit of Emulating Original NetFlow with Flexible NetFlow

Emulating original NetFlow with Flexible NetFlow enables to you to deploy Flexible NetFlow quickly
because you can use a predefined record instead of designing and configuring a custom user-defined
record. You need only configure a flow monitor and apply it to an interface for Flexible NetFlow to start
working like original NetFlow. You can add an optional exporter if you want to analyze the data that you
collect with an application such as NetFlow collector.
If you are familiar with original NetFlow, you already understand the format and content of the data that
you collect and export with Flexible NetFlow when you emulate original Netflow. You will be able to
use the same techniques for analyzing the data.
Flexible NetFlow Netflow Original and NetFlow IPv4 Original Input

Predefined Records
The Flexible NetFlow NetFlow original and NetFlow IPv4 original input predefined records can be
used interchangeably because they have the same key and non-key fields. The key and non-key fields
and the counters for the Flexible NetFlow NetFlow original and NetFlow IPv4 original input
predefined records are shown in Table 1.
Table 1
Key and Non Key-Fields Used by the Flexible NetFlow NetFlow Original and
NetFlow IPv4 Original Input Predefined Records
Field
Key or Non-Key Field
Definition
IP ToS
Key
Value in the type of service (ToS) field.
IP Protocol
Key
Value in the IP protocol field.
IP Source Address
Key
IP source address.
IP Destination Address
Key
IP source address.
Transport Source Port
Key
Value of the transport layer source port field.
Transport Destination
Port
Key
Value of the transport layer destination port field.
Interface Input
Key
Interface on which the traffic is received.
Flow Sampler ID
Key
ID number of the flow sampler (if flow sampling is

enabled).
IP Source AS
Non-key
Source autonomous system number.
IP Destination AS
Non-key
Destination autonomous system number.
IP Next Hop Address
Non-key
IP address of the next hop.
IP Source Mask
Non-key
Mask for the IP source address.
IP Destination Mask
Non-key
Mask for the IP destination address.
TCP Flags
Non-key
Value in the TCP flag field.
Interface Output
Non-key
Interface on which the traffic is transmitted.

Table 1
Key and Non Key-Fields Used by the Flexible NetFlow NetFlow Original and
NetFlow IPv4 Original Input Predefined Records (continued)
Field
Definition
Counter Bytes
Non-key
Number of bytes seen in the flow.
Counter Packets
Non-key
Number of packets seen in the flow.
Time Stamp System

Uptime First
Non-key
System uptime (time, in milliseconds, since this

device was first booted) when the first packet was
switched.
Time Stamp System

Uptime Last
Non-key

device was first booted) when the last packet was
switched.
The configuration in the How to Get Started with Configuring Flexible NetFlow section on page 8 uses
the predefined Flexible NetFlow NetFlow original record.
Flexible NetFlow NetFlow IPv4 Original Output Predefined Record

The Flexible NetFlow NetFlow IPv4 original output predefined record is used to emulate the original
NetFlow Egress NetFlow Accounting feature that was released in Cisco IOS Release 12.3(11)T. The key
and non-key fields and the counters for the Flexible NetFlow NetFlow IPv4 original output predefined
record are shown in Table 2.
Table 2
Key and Non Key Fields Used by the Flexible NetFlow NetFlow IPv4 Original Output
Predefined Record
Field
Definition
IP ToS
Key
Value in the ToS field.
IP Protocol
Key
IP Source Address
Key
IP source address.
Key
IP destination address.
Key
Port
Key
Interface Output
Key
Flow Sampler ID
Key

enabled).
IP Source AS
Non-key
IP Destination AS
Non-key
IP Next Hop Address
Non-key
IP Source Mask
Non-key
IP Destination Mask
Non-key
TCP Flags
Non-key
Interface Input
Non-key

Table 2
Key and Non Key Fields Used by the Flexible NetFlow NetFlow IPv4 Original Output
Predefined Record (continued)
Field
Definition
Counter Bytes
Non-key
Counter Packets
Non-key
Time Stamp System

Uptime First
Non-key

switched.
Time Stamp System

Uptime Last
Non-key

switched.
The configuration in the Configuring Flexible NetFlow Egress Accounting for IPV4 and IPv6 Traffic:
Example section on page 21 uses the predefined Flexible NetFlow NetFlow original output record.
Flexible NetFlow NetFlow IPv6 Original Input Predefined Record

The key and non-key fields and the counters for the Flexible NetFlow NetFlow IPv6 original input
predefined record are shown in Table 3.
Table 3
Key and Non Key-Fields Used by the Flexible NetFlow NetFlow IPv6 Original Input
Predefined Record
Field
Definition
Traffic Class
Key
Value in the traffic class field.
Flow Label
Key
Flow label.
Protocol
Key
Value in the protocol field.
Extension Map
Key
Value in the extension map bitmap.
IP Source Address
Key
IP source address.
Key
Key
Port
Key
Interface Input
Key
Flow Direction
Key
The direction of the flow.
Flow Sampler
Key

enabled).
Routing Source AS
Non-key
Routing Destination AS Non-key
Routing Next-hop
Address
Non-key
IP Source Mask
Non-key
IP Destination Mask
Non-key

Table 3
Field
Definition
Transport TCP Flags
Non-key
Interface Output
Non-key
Interface over which the traffic is transmitted.
Counter Bytes
Non-key
Counter Packets
Non-key
Time Stamp System

Uptime First
Non-key

switched.
Time Stamp System

Uptime Last
Non-key

switched.

The key and non-key fields and the counters for the Flexible NetFlow NetFlow IPv6 original output
predefined record are shown in Table 4.
Table 4
Key and Non Key-Fields Used by the Flexible NetFlow NetFlow IPv6 Original
Output Predefined Record
Field
Definition
Traffic Class
Key
Flow Label
Key
The flow label.
Protocol
Key
Extension Map
Key
IP Source Address
Key
IP source address.
Key
Key
Port
Key
Interface Output
Key
Flow Direction
Key
Flow Sampler
Key

enabled).
Routing Source AS
Non-key
Routing Next-hop
Address
Non-key
IP Source Mask
Non-key
IP Destination Mask
Non-key

Table 4
Output Predefined Record (continued)
Field
Definition
Transport TCP Flags
Non-key
Interface Input
Non-key
Counter Bytes
Non-key
Counter Packets
Non-key
Time Stamp System

Uptime First
Non-key

switched.
Time Stamp System

Uptime Last
Non-key

switched.
Flexible Netflow - MPLS Egress NetFlow

The Flexible Netflow - MPLS Egress NetFlow feature allows you to capture IP flow information for
packets that arrive on a router as MPLS packets and are transmitted as IP packets. This feature allows
you to capture the MPLS Virtual Private Network (VPN) IP flows that are traveling through the service
provider backbone from one site of a VPN to another site of the same VPN. The Flexible Netflow MPLS Egress NetFlow feature is enabled by applying a flow monitor in output (egress) mode on the
provider edge (PE) to customer edge (CE) interface of the providers network.
Figure 1 shows a sample MPLS VPN network topology that includes four VPN 1 sites and two VPN 2
sites. If the Flexible Netflow - MPLS Egress NetFlow is enabled on an outgoing PE interface by applying
a flow monitor in output mode, IP flow information for packets that arrive at the PE as MPLS packets
(from an MPLS VPN) and that are transmitted as IP packets to the PE router is captured. For example,
To capture the flow of traffic going to site 2 of VPN 1 from any remote VPN 1 sites, you enable a
flow monitor in output mode on link PE2-CE5 of provider edge router PE2.
To capture the flow of traffic going to site 1 of VPN 2 from any remote VPN 2 site, you enable a
flow monitor in output mode on link PE3-CE4 of the provider edge router PE3.
The flow data is stored in the Flexible NetFlow cache. You can use the show flow monitor monitor-name
cache command view the flow data in the cache.

How to Get Started with Configuring Flexible NetFlow
Sample MPLS VPN Network Topology with Flexible Netflow - MPLS Egress NetFlow
feature
Site 2
VPN 1
C
VPN-SC
Backbone
Site 1
VPN 1
CE5
Collector 2
P
CE1
PE1
Site 2
VPN 2
CE2
P
PE2
Collector 1
PE3
Site 3
VPN 1
PE4
Site 1
VPN 2
Site 4
VPN 1
CE4
CE6
CE3
42949
Figure 1
If you configure a Flexible NetFlow exporter for the flow monitors you use for the Flexible Netflow MPLS Egress NetFlow feature, the PE routers will export the captured flows to the configured collector
devices in the provider network. Applications such as the Network Data Analyzer or the VPN Solution
Center (VPN-SC) can gather information from the captured flows and compute and display site-to-site
VPN traffic statistics.

The tasks in this section explain how to configure and verify the emulation of original (ingress) NetFlow
data capture with Flexible NetFlow for traffic that is received by the router and how to configure and
verify the emulation of original NetFlow data export with Flexible NetFlow.
Note
Flexible NetFlow emulation of original NetFlow requires the configuration of a flow monitor and the
application of the flow monitor to at least one interface that is receiving the traffic that you want to
analyze.
Note
Only the keywords and arguments required for the Flexible NetFlow commands used in these tasks are
explained in these tasks. For information on the other keywords and arguments available for these
Flexible NetFlow commands, refer to the Cisco IOS Flexible NetFlow Command Reference.
To configure and enable Flexible NetFlow using a predefined record, perform the following tasks:
Configuring a Flow Monitor for IPv4 Traffic Using the Flexible NetFlow NetFlow IPv4 Original
Input Predefined Record, page 9
Configuring a Flow Monitor for IPv6 Traffic Using the Flexible NetFlow NetFlow IPv6 Original
Input Predefined Record, page 10
Applying an IPv4 Flow Monitor to an Interface, page 12

Verifying the Flow Monitor, page 14 (optional)
Verifying That Flexible NetFlow Is Enabled, page 15 (optional)
Viewing the Flow Monitor Cache, page 15
Configuring a Flow Exporter for the Flow Monitor, page 18
Verifying the Flow Exporter, page 20 (optional)
Configuring a Flow Monitor for IPv4 Traffic Using the Flexible NetFlow
NetFlow IPv4 Original Input Predefined Record
To configure a flow monitor for IPv4 traffic using the Flexible NetFlow NetFlow IPv4 original input
predefined record for the flow monitor, perform the following required task.
Flow Monitors
Each flow monitor has a separate cache assigned to it. Each flow monitor requires a record to define the
contents and layout of its cache entries. The record format can be one of the predefined record formats,
or an advanced user may create his or her own record format using the collect and match commands in
flow record configuration mode.
Restrictions
You must remove a flow monitor from all of the interfaces to which you have applied it before you can
modify the record format of the flow monitor.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
flow monitor monitor-name
4.
description text-string
5.
record netflow ipv4 original-input
6.
end

DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode.
Enter your password if prompted.
Example:
Router> enable
Step 2
configure terminal
Enters global configuration mode.
Example:
Step 3
Example:
Router(config)# flow monitor FLOW-MONITOR-1
Step 4
Creates a flow monitor and enters Flexible NetFlow flow

monitor configuration mode.
This command also allows you to modify an existing

flow monitor. For example, to modify the configuration
of a flow monitor named monitor-name, use the
flow monitor monitor-name command in global
configuration mode.
(Optional) Creates a description for the flow monitor.
Example:
Router(config-flow-monitor)# description Used
for monitoring IPv4 traffic
Step 5
Specifies the record for the flow monitor.
Example:
Router(config-flow-monitor)# record netflow
ipv4 original-input
Step 6
Exits flow monitor configuration mode and returns to

privileged EXEC mode.
end
Example:
Router(config-flow-monitor)# end
Configuring a Flow Monitor for IPv6 Traffic Using the Flexible NetFlow
NetFlow IPv6 Original Input Predefined Record
To configure a flow monitor for IPv6 traffic using the Flexible NetFlow NetFlow IPv6 original input
predefined record for the flow monitor, perform the following required task.
Flow Monitors
10

Restrictions
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
description string
5.
6.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Example:
Step 4
description string


configuration mode.
Example:
Step 5
Example:
ipv6 original-input
Step 6
end

Example:
11

Applying an IPv4 Flow Monitor to an Interface

Before it can be activated an IPv4 flow monitor must be applied to at least one interface. To activate an
IPv4 flow monitor, perform the following required task.
Restrictions
When you specify the NetFlow original or the NetFlow IPv4 original input predefined record for the
flow monitor to emulate original NetFlow, the flow monitor can be used only for analyzing input
(ingress) traffic.
When you specify the NetFlow IPv4 original output predefined record for the flow monitor to emulate
the Egress NetFlow Accounting feature, the flow monitor can be used only for analyzing output (egress)
traffic.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface type number
4.
ip flow monitor monitor-name input
5.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Specifies an interface and enters interface configuration

mode.
Example:
Step 4
ip flow monitor monitor-name input
Activates the flow monitor that you created previously by

assigning it to the interface to analyze traffic.
Example:
Router(config-if)# ip flow monitor
FLOW-MONITOR-1 input
Step 5
end
Example:
Router(config-if)# end
12
Exits interface configuration mode and returns to privileged

EXEC mode.


before it can be activated an IPv6 flow monitor must be applied to at least one interface. To activate an
Restrictions
When you specify the NetFlow IPv6 original input predefined record for the flow monitor to emulate
original NetFlow, the flow monitor can be used only for analyzing input (ingress) traffic.
traffic.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
ipv6 flow monitor monitor-name input
5.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3

mode.
Example:
Step 4
ipv6 flow monitor monitor-name input

Example:
Router(config-if)# ipv6 flow monitor
Step 5
end

EXEC mode.
Example:
13

Verifying the Flow Monitor

To view the current status of a flow monitor and verify the configuration commands that you entered,
perform the following optional task.
Prerequisites
The interface to which you applied the input flow monitor must be receiving traffic that meets the criteria
defined by the NetFlow original record before you can view the flows in the flow monitor cache.
SUMMARY STEPS
1.
enable
2.
show flow monitor
3.
show running-config flow monitor
DETAILED STEPS
Step 1
enable
The enable command enters privileged EXEC mode (enter the password if prompted).
Router> enable
Router#
Step 2
show flow monitor

The show flow monitor command shows the current status of the flow monitor that you specify.
Router# show flow monitor
Flow Monitor FLOW-MONITOR-1:
Description:
Used for basic IPv4 traffic analysis
Flow Record:
netflow ipv4 original-input
Cache:
Type:
normal
Status:
allocated
Size:
4096 entries / 311316 bytes
Inactive Timeout: 15 secs
Active Timeout:
1800 secs
Update Timeout:
1800 secs
Description:
Flow Record:
Cache:
Type:
normal
Status:
allocated
Size:
Active Timeout:
1800 secs
Update Timeout:
1800 secs
Step 3

The show running-config flow monitor command shows the configuration commands of the flow
monitor that you specify.
14

Router# show running-config flow monitor

Current configuration:
!
flow monitor FLOW-MONITOR-1
description Used for basic IPv4 traffic analysis
!
!
!
Verifying That Flexible NetFlow Is Enabled

To verify that Flexible NetFlow is enabled on an interface, perform the following optional task.
SUMMARY STEPS
1.
enable
2.
show flow interface type number
DETAILED STEPS
Step 1
enable
Router> enable
Router#
Step 2

The show flow interface command verifies that Flexible NetFlow is enabled on an interface.
Router# show flow interface ethernet 0/0
Interface Ethernet0/0
FNF: monitor:
direction:
traffic(ip):
FNF: monitor:
direction:
traffic(ipv6):
FLOW-MONITOR-1
Input
on
FLOW-MONITOR-2
Input
on
Viewing the Flow Monitor Cache

To display the status, statistics and the flow data in the cache for a flow monitor, perform the following
optional task.
15

Prerequisites
defined by the NetFlow original record before you can view the flow data in the flow monitor cache.
SUMMARY STEPS
1.
enable
2.
show flow monitor name monitor-name cache format record
DETAILED STEPS
Step 1
enable
Router> enable
Router#
Step 2

The show flow monitor name monitor-name cache format record command string displays the status,
statistics, and the flow data in the cache for a flow monitor.
Router# show flow monitor name FLOW-MONITOR-1 cache format record
Cache type:
Normal
Cache size:
4096
Current entries:
8
High Watermark:
8
Flows added:
Flows aged:
- Active timeout
(
- Inactive timeout (
- Event aged
- Watermark aged
- Emergency aged
IPV4 SOURCE ADDRESS:
IPV4 DESTINATION ADDRESS:
TRNS SOURCE PORT:
TRNS DESTINATION PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
ipv4 next hop address:
ipv4 source mask:
ipv4 destination mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
.
.
.
16
1800 secs)
15 secs)
10.251.10.1
172.16.10.2
0
2048
Et0/0
0
0x00
1
0
0
172.16.7.2
/0
/24
0x00
Et1/0
733500
489
720892
975032
24
16
0
16
0
0
0


TRNS SOURCE PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
ipv4 source mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
172.16.6.1
224.0.0.9
520
520
Et0/0
0
0xC0
17
0
0
0.0.0.0
/24
/0
0x00
Null
52
1
973804
973804

Cache type:
Cache size:
Current entries:
High Watermark:
Flows added:
Flows aged:
- Active timeout
(
- Event aged
- Watermark aged
- Emergency aged
IPV6 FLOW LABEL:
IPV6 EXTENSION MAP:
TRNS SOURCE PORT:
INTERFACE INPUT:
FLOW DIRECTION:
FLOW SAMPLER ID:
IP PROTOCOL:
IP TOS:
ip source as:
ip destination as:
ipv6 source mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
.
.
.
IPV6 FLOW LABEL:
IPV6 EXTENSION MAP:
Normal
4096
6
8
1800 secs)
15 secs)
1048
1042
11
1031
0
0
0
0
0x00000040
2001:DB8:1:ABCD::1
2001:DB8:4:ABCD::2
3000
55
Et0/0
Input
0
17
0x00
0
0
::
/48
/0
0x00
Null
521192
9307
9899684
11660744
0
0x00000000
FE80::A8AA:BBFF:FEBB:CC03
FF02::9
17

TRNS SOURCE PORT:

INTERFACE INPUT:
FLOW DIRECTION:
FLOW SAMPLER ID:
IP PROTOCOL:
IP TOS:
ip source as:
ip destination as:
ipv6 source mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
521
521
Et0/0
Input
0
17
0xE0
0
0
::
/10
/0
0x00
Null
92
1
11653832
11653832
Configuring a Flow Exporter for the Flow Monitor

To export the data that is collected by Flexible NetFlow to a remote system for further analysis and
storage, perform the following optional task.
Flow Exporters
Flow exporters are used to send the data that you collect with Flexible NetFlow to a remote system such
as a NetFlow Collection Engine. Exporters use UDP as the transport protocol and use the Version 9
export format.
Restrictions
Each flow exporter supports only one destination. If you want to export the data to multiple destinations,
you must configure multiple flow exporters and assign them to the flow monitor.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
flow exporter exporter-name
4.
description string
5.
destination {hostname | ip-address} [vrf vrf-name]
6.
transport udp udp-port
7.
exit
8.
9.
exporter exporter-name
10. end
18

DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Example:
Router(config)# flow exporter EXPORTER-1
Step 4
description string
Creates a flow exporter and enters Flexible NetFlow flow

exporter configuration mode.

flow exporter. For example, to modify the configuration
of a flow exporter named exporter-name, use the
flow exporter exporter-name command and argument
in global configuration mode.
(Optional) Creates a description for the flow exporter.
Example:
Router(config-flow-exporter)# description
Exports to Chicago datacenter
Step 5
destination {hostname | ip-address} [vrf

vrf-name]
Specifies the hostname or IP address of the system to which

the exporter sends data.
Example:
Router(config-flow-exporter)# destination
172.16.10.2
Step 6
Example:
Configures UDP as the transport protocol and specifies the

UDP port on which the destination system is listening for
exported Flexible NetFlow traffic.
Router(config-flow-exporter)# transport udp 65
Step 7
exit
Exits Flexible NetFlow flow exporter configuration mode

and returns to global configuration mode.
Example:
Router(config-flow-exporter)# exit
Step 8
flow monitor flow-monitor-name
Enters Flexible NetFlow flow monitor configuration mode

for the flow monitor that you created previously.
Example:
19

Step 9
Command or Action
Purpose
Specifies the name of an exporter that you created

previously.
Example:
Router(config-flow-monitor)# exporter
EXPORTER-1
Step 10
Exits Flexible NetFlow flow monitor configuration mode

and returns to privileged EXEC mode.
end
Example:
Verifying the Flow Exporter

To view the current status of a flow exporter and verify the configuration commands that you entered,
SUMMARY STEPS
1.
enable
2.
show flow exporter
3.
show running-config flow exporter exporter-name
DETAILED STEPS
Step 1
enable
Router> enable
Router#
Step 2
show flow exporter exporter-name

The show flow exporter command shows the current status of the flow exporter that you specify.
Router# show flow exporter EXPORTER-1
Flow Exporter EXPORTER-1:
Description:
Transport Configuration:
Destination IP address:
Source IP address:
Transport Protocol:
Destination Port:
Source Port:
DSCP:
TTL:
Step 3
Exports to Chicago datacenter

172.16.10.2
172.16.7.1
UDP
65
56041
0x0
255
show running-config flow exporter

The show running-config flow exporter command shows the configuration commands of the flow
exporter that you specify.
Router# show running-config flow exporter EXPORTER-1
20

Configuration Examples for Emulating Original NetFlow Features with Flexible NetFlow
!
flow exporter EXPORTER-1
description Exports to Chicago datacenter
destination 172.16.10.2
transport udp 65
!
Configuration Examples for Emulating Original NetFlow

Features with Flexible NetFlow
The following examples show you how to configure Flexible NetFlow to emulate three features that are
available in original NetFlow:
Configuring Flexible NetFlow Egress Accounting for IPV4 and IPv6 Traffic: Example, page 21
Configuring Flexible NetFlow Subinterface Support: Example, page 22
Configuring Flexible NetFlow Multiple Export Destinations: Example, page 22
Configuring Flexible NetFlow Egress Accounting for IPV4 and IPv6 Traffic:
Example
The following example shows how to configure Flexible NetFlow Egress Accounting for IPv4 and IPv6
traffic.
This sample starts in global configuration mode:
!
record netflow ipv4 original-output
exit
!
!
exit
!
ip cef
ipv6 cef
!
interface Ethernet0/0
ip address 172.16.6.2 255.255.255.0
ipv6 address 2001:DB8:2:ABCD::2/48
ip flow monitor FLOW-MONITOR-1 output
ipv6 flow monitor FLOW-MONITOR-2 output
!
21

Configuration Examples for Emulating Original NetFlow Features with Flexible NetFlow
Configuring Flexible NetFlow Subinterface Support: Example

The following example shows how to configure Flexible NetFlow Subinterface Support for IPv4 traffic.
!
exit
!
ip cef
!
interface Ethernet0/0.1
ip address 172.16.6.2 255.255.255.0
ip flow monitor FLOW-MONITOR-1 input
!
The following example shows how to configure Flexible NetFlow to Emulate NetFlow Subinterface
Support for IPv6 traffic.
!
exit
!
ip cef
ipv6 cef
!
interface Ethernet0/0.1
ipv6 flow monitor FLOW-MONITOR-2 input
!
Configuring Flexible NetFlow Multiple Export Destinations: Example

The following example shows how to configure Flexible NetFlow Multiple Export Destinations.
!
transport udp 90
exit
!
transport udp 90
exit
!
record netflow-original
exporter EXPORTER-2
exporter EXPORTER-1
exit
!
ip cef
!
ip address 172.16.6.2 255.255.255.0
22

Where to Go Next

!
Where to Go Next
For information on advanced Flexible NetFlow configurations for specific purposes such as quality of
service (QoS) and bandwidth monitoring, application and user flow monitoring and profiling, and
security analysis, refer to the Customizing Cisco IOS Flexible NetFlow Flow Records and Flow
Monitors module.
If you want to configure additional options for data export for Flexible NetFlow, refer to the
Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters module.
If you want to configure flow sampling to reduce the CPU overhead of analyzing traffic, refer to the
Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic
module.
If you want to configure any of the predefined records for Flexible NetFlow refer, to the Configuring
Cisco IOS Flexible NetFlow with Predefined Records module.
Related Documents
Related Topic
Document Title
Overview of Flexible NetFlow
data.
Flow Exporters
Customizing Flexible NetFlow

Monitors



records

Network Traffic

Network Traffic

Flexible NetFlow

Flexible NetFlow
23

Feature Information for Flexible NetFlow
Standards
Standard
Title
There are no standards associated with this feature.
MIBs
MIB
MIBs Link
None
To locate and download MIBs for selected platforms, Cisco IOS

releases, and feature sets, use Cisco MIB Locator found at the
following URL:
RFCs
RFC
Title
RFC #3954
Description
Link



Table 5 lists the features in this module and provides links to specific configuration information. Only
features that were introduced or modified in Cisco IOS Release 12.2(1) or Cisco IOS Releases 12.2(1)
or 12.0(3)S or a later release appear in the table.
For information on a feature in this technology that is not documented here, see the Cisco IOS Flexible
NetFlow Features Roadmap.
Not all commands may be available in your Cisco IOS software release. For release information about a
specific command, see the command reference documentation.
24

Use Cisco Feature Navigator to find information about platform support and software image support.
Cisco Feature Navigator enables you to determine which Cisco IOS, Catalyst OS, and Cisco IOS XE
software images support a specific software release, feature set, or platform. To access Cisco Feature
Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 5
Feature Name
Releases
Feature Configuration Information
Flexible NetFlow
12.4(9)T

Information about the Flexible NetFlow feature is included
in the following sections:
Prerequisites for Getting Started with Configuring

Flexible NetFlow, page 2
Information About Getting Started with Configuring

How to Get Started with Configuring Flexible NetFlow,

page 8
Configuration Examples for Emulating Original

NetFlow Features with Flexible NetFlow, page 21
The following commands were introduced or modified:

cache (Flexible NetFlow), clear flow exporter, clear flow
monitor, clear sampler, collect counter, collect flow,
collect interface, collect ipv4, collect ipv4 destination,
collect ipv4 fragmentation, collect ipv4 section, collect
ipv4 source, collect ipv4 total-length, collect ipv4 ttl,
collect routing, collect timestamp sys-uptime, collect
transport, collect transport icmp ipv4, collect transport
tcp, collect transport udp, debug flow exporter, debug
flow monitor, debug flow record, debug sampler,
description (Flexible NetFlow), destination, dscp
(Flexible NetFlow), exporter, flow exporter, flow
monitor, flow record, ip flow monitor, match flow, match
interface (Flexible NetFlow), match ipv4, match ipv4
destination, match ipv4 fragmentation, match ipv4
section, match ipv4 source, match ipv4 total-length,
match ipv4 ttl, match routing, match transport, match
transport icmp ipv4, match transport tcp, match
transport udp, mode (Flexible NetFlow), option
(Flexible NetFlow), record, sampler, show flow exporter,
show flow interface, show flow monitor, show flow
record, show sampler, source (Flexible NetFlow),
statistics packet, template data timeout, transport
(Flexible NetFlow).
25

Table 5
Feature Name
Releases
Flexible Netflow - MPLS Egress NetFlow
12.4(22)T
The Flexible Netflow - MPLS Egress NetFlow feature

allows you to capture IP flow information for packets
undergoing MPLS label disposition; that is, packets that
arrive on a router as MPLS packets and are transmitted as IP
packets.
The following sections provide information about this
feature:
Flexible Netflow - MPLS Egress NetFlow, page 7
No commands were introduced or modified by this feature.

Flexible NetFlow - IPv6 Unicast Flows
12.4(20)T
Enables Flexible NetFlow to monitor IPv6 traffic.

Information about the Flexible NetFlow - IPv6 Unicast
Flows feature is included in the following sections:
Configuring a Flow Monitor for IPv6 Traffic Using the

Flexible NetFlow NetFlow IPv6 Original Input
Predefined Record, page 10
Applying an IPv6 Flow Monitor to an Interface,

page 13
Configuring Flexible NetFlow Egress Accounting for

IPV4 and IPv6 Traffic: Example, page 21

collect routing, debug flow record, match routing,
record, show flow monitor, show flow record, collect
ipv6, collect ipv6 destination, collect ipv6 extension map,
collect ipv6 fragmentation, collect ipv6 hop-limit, collect
ipv6 length, collect ipv6 section, collect ipv6 source,
collect transport icmp ipv6, ipv6 flow monitor, match
ipv6, match ipv6 destination, match ipv6 extension map,
match ipv6 fragmentation, match ipv6 hop-limit, match
ipv6 length, match ipv6 section, match ipv6 source,
match transport icmp ipv6.
coincidental.
26
Configuring Cisco IOS Flexible NetFlow with

Predefined Records
This module contains information about and instructions for configuring Flexible NetFlow using
predefined records. Many of the Flexible NetFlow predefined records use the same key and non-key
fields as the aggregation caches available in original NetFlow. However, the predefined Flexible NetFlow
records do not perform aggregation.
NetFlow is a Cisco IOS technology that provides statistics on packets flowing through a router. NetFlow
is the standard for acquiring IP operational data from IP networks. NetFlow provides network and
security monitoring, network planning, traffic analysis, and IP accounting.

Contents
Prerequisites for Configuring Flexible NetFlow with Predefined Records, page 2
Information About Configuring Flexible NetFlow with Predefined Records, page 2

Prerequisites for Configuring Flexible NetFlow with Predefined Records
How to Configure Flexible NetFlow Using a Predefined Record for the Flow Monitor, page 18
Configuration Examples for Configuring Flexible NetFlow with Predefined Records, page 27
Prerequisites for Configuring Flexible NetFlow with Predefined

Records
The networking device must be running a Cisco IOS release that supports Flexible NetFlow. See the
Cisco IOS Flexible NetFlow Features Roadmap module for a list of Cisco IOS software releases
that support Flexible NetFlow.
IPv4 Traffic
IPv6 Traffic
(dCEF IPv6).
Information About Configuring Flexible NetFlow with

Predefined Records
Before configuring Flexible NetFlow with predefined records, you should understand the following
information:
Flexible NetFlow Predefined Records, page 3
Benefits of Flexible NetFlow Predefined Records, page 3
Flexible NetFlow Netflow Original and NetFlow IPv4 Original Input Predefined Records,
page 3
Flexible NetFlow NetFlow IPv6 Original Input Predefined Record, page 5
Flexible NetFlow Autonomous System Predefined Record, page 7
Flexible NetFlow Autonomous System ToS Predefined Record, page 8

Information About Configuring Flexible NetFlow with Predefined Records
Flexible NetFlow BGP Next-Hop ToS Predefined Record, page 10
Flexible NetFlow Destination Prefix Predefined Record, page 10
Flexible NetFlow Destination Prefix ToS Predefined Record, page 11
Flexible NetFlow Prefix Predefined Record, page 12
Flexible NetFlow Prefix Port Predefined Record, page 13
Flexible NetFlow Prefix ToS Predefined Record, page 14
Flexible NetFlow Protocol Port Predefined Record, page 15
Flexible NetFlow Protocol Port ToS Predefined Record, page 15
Flexible NetFlow Source Prefix Predefined Record, page 16
Flexible NetFlow Source Prefix ToS Predefined Record, page 17
Flexible NetFlow Predefined Records

Flexible NetFlow predefined records are based on the original NetFlow ingress and egress caches and
the aggregation caches. The difference between the original NetFlow aggregation caches and the
corresponding predefined Flexible NetFlow records is that the predefined records do not perform
aggregation. Flexible NetFlow predefined records are associated with a Flexible NetFlow flow monitor
the same way that you associate a user-defined (custom) record.
Benefits of Flexible NetFlow Predefined Records

If you have been using original NetFlow or original NetFlow with aggregation caches you can continue to
capture the same traffic data for analysis when you migrate to Flexible NetFlow by using the predefined
records available with Flexible NetFlow. Many users will find that the pre-existing Flexible NetFlow records
are suitable for the majority of their traffic analysis requirements.
Flexible NetFlow Netflow Original and NetFlow IPv4 Original Input

Predefined Records
The Flexible NetFlow NetFlow original and NetFlow IPv4 original input predefined records can be
used interchangeably because they have the same key and non-key fields. The key and non-key fields
and the counters for the NetFlow original and NetFlow IPv4 original input predefined records are
shown in Table 1.
Table 1
Key and Non Key-Fields Used by the Netflow Original and NetFlow IPv4 Original
Input Predefined Records
Field
Definition
IP ToS
Key
Value in the type of service (ToS) field.
IP Protocol
Key
IPv4 Source Address
Key
IPv4 source address.
IPv4 Destination
Address
Key

Table 1
Key and Non Key-Fields Used by the Netflow Original and NetFlow IPv4 Original
Input Predefined Records (continued)
Field
Definition
Key
Value in the transport layer source port field.
Port
Key
Value in the transport layer destination port field.
Interface Input
Key
Flow Sampler ID
Key

enabled).
IP Source AS
Non-key
IP Destination AS
Non-key
IPv4 Next Hop Address Non-key
IPv4 address of the next hop.
IPv4 Source Mask
Non-key
Mask for the IPv4 source address.
IPv4 Destination Mask
Non-key
Mask for the IPv4 destination address.
TCP Flags
Non-key
Interface Output
Non-key
Counter Bytes
Non-key
Counter Packets
Non-key
Time Stamp System

Uptime First
Non-key
System uptime (time in milliseconds since this

switched.
Time Stamp System

Uptime Last
Non-key

switched.

The Flexible NetFlow NetFlow IPv4 original output predefined record is used to emulate the original
NetFlow Egress NetFlow Accounting feature that was released in Cisco IOS Release 12.3(11)T. The key
and non-key fields and the counters for the NetFlow IPv4 original output predefined record are shown
in Table 2.
Table 2
Key and Non Key Fields Used by the NetFlow IPv4 Original Output Predefined
Record
Field
Definition
IP ToS
Key
IP Protocol
Key
IPv4 Source Address
Key
IPv4 Destination
Address
Key
Key

Table 2
Key and Non Key Fields Used by the NetFlow IPv4 Original Output Predefined
Record (continued)
Field
Definition
Port
Key
Interface Output
Key
Flow Sampler ID
Key

enabled).
IP Source AS
Non-key
IP Destination AS
Non-key
IPv4 Next Hop Address Non-key
IPv4 address of the next hop.
IPv4 Source Mask
Non-key
Mask for the IPv4 source address.
Non-key
Mask for the IPv4 destination address.
TCP Flags
Non-key
Interface Input
Non-key
Counter Bytes
Non-key
Counter Packets
Non-key
Time Stamp System

Uptime First
Non-key

switched.
Time Stamp System

Uptime Last
Non-key

switched.
Flexible NetFlow NetFlow IPv6 Original Input Predefined Record

The key and non-key fields and the counters for the Flexible NetFlow NetFlow IPv6 original input
Table 3
Predefined Record
Field
Definition
Traffic Class
Key
Flow Label
Key
Flow label.
Protocol
Key
Extension Map
Key
IP Source Address
Key
IP source address.
Key
Key
Port
Key

Table 3
Field
Definition
Interface Input
Key
Flow Direction
Key
Flow Sampler
Key

enabled).
Routing Source AS
Non-key
Routing Next-hop
Address
Non-key
IP Source Mask
Non-key
IP Destination Mask
Non-key
Transport TCP Flags
Non-key
Interface Output
Non-key
Counter Bytes
Non-key
Counter Packets
Non-key
Timestamp Sys-uptime
First
Non-key

switched.
Last
Non-key

switched.

The key and non-key fields and the counters for the Flexible NetFlow NetFlow IPv6 original output
Table 4
Output Predefined Record
Field
Definition
Traffic Class
Key
Flow Label
Key
The flow label.
Protocol
Key
Extension Map
Key
IP Source Address
Key
IP source address.
Key
Key
Port
Key

Table 4
Output Predefined Record (continued)
Field
Definition
Interface Output
Key
Flow Direction
Key
Flow Sampler
Key

enabled).
Routing Source AS
Non-key
Routing Next-hop
Address
Non-key
IP Source Mask
Non-key
IP Destination Mask
Non-key
Transport TCP Flags
Non-key
Interface Input
Non-key
Counter Bytes
Non-key
Counter Packets
Non-key
First
Non-key

switched.
Last
Non-key

switched.
Flexible NetFlow Autonomous System Predefined Record

The Flexible NetFlow autonomous system predefined record creates flows based on autonomous
system-to-autonomous system traffic flow data. The Flexible NetFlow autonomous system predefined
record uses the same key and non-key fields as the original NetFlow autonomous system aggregation
cache.
Note
This predefined record can be used to analyze IPv4 and IPv6 traffic.
Table 5 lists the key and non-key fields used in the Flexible NetFlow autonomous system predefined
record.
Table 5
Key and Non-Key Fields Used by the Flexible NetFlow Autonomous System
Predefined Record
Field
Definition
IP Source AS
Key
Autonomous system of the source IP address (peer

or origin).
IP Destination AS
Key
Autonomous system of the destination IP address

(peer or origin).

Table 5
Key and Non-Key Fields Used by the Flexible NetFlow Autonomous System
Field
Definition
Interface Input
Key
Interface Output
Key
Flow Direction
Key
Direction in which the flow is being monitored.
Counter Bytes
Non-key
Counter Packets
Non-key
Time Stamp System

Uptime First
Non-key
System uptime (time, in milliseconds since this

switched.
Time Stamp System

Uptime Last
Non-key
System uptime (time, in milliseconds since this

switched.
Flexible NetFlow Autonomous System ToS Predefined Record

The Flexible NetFlow autonomous system ToS predefined record creates flows based on autonomous
system-to-autonomous system and type of service (ToS) traffic flow data. The Flexible NetFlow
autonomous system TOS predefined record uses the same key and non-key fields as the original
NetFlow autonomous system TOS aggregation cache.
Note
This predefined record can only be used to analyze IPv4 traffic.
Tip
This predefined record is particularly useful for generating autonomous system-to- autonomous system
traffic flow data.
Table 6 lists the key and non-key fields used in the Flexible NetFlow autonomous system TOS
predefined record.
Table 6
Key and Non-Key Fields Used by the Flexible NetFlow Autonomous System ToS
Predefined Record
Field
Definition
IP ToS
Key
IP Source autonomous
system
Key

or origin).
IP Destination
autonomous system
Key

(peer or origin).
Interface Input
Key
Interface Output
Key
Flow Direction
Key
Counter Bytes
Non-key

Table 6
Key and Non-Key Fields Used by the Flexible NetFlow Autonomous System ToS
Field
Definition
Counter Packets
Non-key
Time Stamp System

Uptime First
Non-key

switched.
Time Stamp System

Uptime Last
Non-key

switched.
Flexible NetFlow BGP Next-Hop Predefined Record

The Flexible NetFlow BGP next-hop predefined record creates flows based on border gateway
protocol (BGP) traffic flow data.
Note

Table 7 lists the key and non-key fields used in the Flexible NetFlow BGP next-hop predefined record.
Table 7
Key and Non-Key Fields Used by the Flexible NetFlow BGP Next-hop Predefined
Record
Field
Definition
Routing Source AS
Key
Autonomous system of the source IP address.
Routing Destination AS Key
Autonomous system of the destination IP address.
Routing Next-hop
Address IPv6 BGP
Key
IPv6 address of the BGP next-hop.
Interface Input
Key
Interface Output
Key
Flow Direction
Key
Counter Bytes
Non-key
Counter Packets
Non-key
First
Non-key

switched.
Last
Non-key

switched.

Flexible NetFlow BGP Next-Hop ToS Predefined Record

The Flexible NetFlow BGP next-hop ToS predefined record creates flows based on BGP and ToS
traffic flow data. The Flexible NetFlow BGP next-hop ToS predefined record uses the same key and
non-key fields as the original NetFlow BGP next-hop ToS aggregation cache.
Note

Table 8 lists the key and non-key fields used in the BGP next-hop ToS predefined record.
Table 8
Key and Non-Key Fields Used by the Flexible NetFlow BGP Next-hop ToS
Predefined Record
Field
Definition
IP ToS
Key
system
Key

or origin).
IP Destination
autonomous system
Key

(peer or origin).
IPv4 Next Hop Address Key

BGP
IPv4 address of the BGP next-hop peer.
Interface Input
Key
Interface Output
Key
Flow Direction
Key
Counter Bytes
Non-key
Counter Packets
Non-key
Time Stamp System

Uptime First
Non-key

switched.
Time Stamp System

Uptime Last
Non-key

switched.
Flexible NetFlow Destination Prefix Predefined Record

The Flexible NetFlow destination prefix predefined record creates flows based on destination prefix
traffic flow data. The Flexible NetFlow destination prefix predefined record uses the same key and
non-key fields as the original NetFlow destination prefix aggregation cache.
Note
Table 9 lists the key and non-key fields used in the Flexible NetFlow destination prefix predefined
record.
10

Table 9
Key and Non-Key Fields Used by the Flexible NetFlow Destination Prefix Predefined
Record
Field
Definition
IP Destination
autonomous system
Key

(peer or origin).
IPv4 or IPv6
Destination Prefix
Key
Destination IP address ANDed with the destination

prefix mask.
IPv4 or IPv6
Destination Mask
Key
Number of bits in the destination prefix.
Interface Output
Key
Flow Direction
Key
Counter Bytes
Non-key
Counter Packets
Non-key
Time Stamp System

Uptime First
Non-key

switched.
Time Stamp System

Uptime Last
Non-key

switched.
Flexible NetFlow Destination Prefix ToS Predefined Record

The Flexible NetFlow destination prefix ToS predefined record creates flows based on destination
prefix and ToS traffic flow data. The Flexible NetFlow destination prefix ToS predefined record uses
the same key and non-key fields as the original NetFlow destination prefix ToS aggregation cache.
This predefined record is particularly useful for capturing data with which you can examine the
destinations of network traffic passing through a NetFlow-enabled device.
Note

Table 10 lists the key and non-key fields used in the used in the Flexible NetFlow destination prefix
ToS predefined record.
Table 10
Key and Non Key Fields Used by the Flexible NetFlow Destination Prefix ToS
Predefined Record
Field
Definition
IP ToS
Key
IP Destination
autonomous system
Key

(peer or origin).
IPv4 Destination Prefix Key

prefix mask.
Key
11

Table 10
Key and Non Key Fields Used by the Flexible NetFlow Destination Prefix ToS
Field
Definition
Interface Output
Key
Flow Direction
Key
Counter Bytes
Non-key
Counter Packets
Non-key
Time Stamp System

Uptime First
Non-key

switched.
Time Stamp System

Uptime Last
Non-key

switched.
Flexible NetFlow Prefix Predefined Record

The Flexible NetFlow prefix predefined record creates flows based on the source and destination
prefixes in the traffic flow data. The Flexible NetFlow prefix predefined record uses the same key and
non-key fields as the original NetFlow prefix aggregation cache.
Note
This predefined record can be used to analyze IPv4 and IPv6 traffic. For IPv6 traffic, a minimum prefix
mask length of 0 bits is assumed.
Table 11 lists the key and non-key fields used in the Flexible NetFlow prefix predefined record.
Table 11
12
Key and Non-Key Fields Used by the Flexible NetFlow Prefix Predefined Record
Field
Definition
system
Key

or origin).
IP Destination
autonomous system
Key

(peer or origin).
IPv4 or IPv6 Source

Prefix
Key
Source IP address ANDed with the source prefix

mask, or the prefix to which the source IP address of
the aggregated flows belongs.
IPv4 or IPv6 Source

Mask
Key
Number of bits in the source prefix.
IPv4 or IPv6
Destination Prefix
Key

prefix mask.
IPv4 or IPv6
Destination Mask
Key
Interface Input
Key
Interface Output
Key
Counter Bytes
Non-key

Table 11
Key and Non-Key Fields Used by the Flexible NetFlow Prefix Predefined Record
Field
Definition
Counter Packets
Non-key
Time Stamp System

Uptime First
Non-key

switched.
Time Stamp System

Uptime Last
Non-key

switched.
Flexible NetFlow Prefix Port Predefined Record

The Flexible NetFlow prefix port predefined record creates flows based on source and destination
prefixes and ports in the traffic flow data. The Flexible NetFlow prefix port predefined record uses the
same key and non-key fields as the original NetFlow prefix port aggregation cache.
This predefined record is particularly useful for capturing data with which you can examine the sources
and destinations of network traffic passing through a NetFlow-enabled device.
Note

Table 12 lists the key and non-key fields used in the destination Flexible NetFlow prefix port
predefined record.
Table 12
Key and Non-Key Fields Used by the Flexible NetFlow Prefix Port Predefined
Record
Field
Definition
IP ToS
Key
IP Protocol
Key
IPv4 Source Prefix
Key

IPv4 Source Mask
Key

prefix mask.
Key
Key
Port
Key
Interface Input
Key
Interface Output
Key
Flow Direction
Key
Counter Bytes
Non-key
13

Table 12
Key and Non-Key Fields Used by the Flexible NetFlow Prefix Port Predefined Record
(continued)
Field
Definition
Counter Packets
Non-key
Time Stamp System

Uptime First
Non-key

switched.
Time Stamp System

Uptime Last
Non-key

switched.
Flexible NetFlow Prefix ToS Predefined Record

The Flexible NetFlow prefix ToS predefined record creates flows based on source and destination
prefixes and ToS traffic flow data. The Flexible NetFlow prefix ToS predefined record uses the same
key and non-key fields as the original NetFlow destination prefix ToS aggregation cache.
This predefined record is particularly useful for capturing data so that you can examine the sources and
destinations of network traffic passing through a NetFlow-enabled device.
Note

Table 13 lists the key and non-key fields used in the Flexible NetFlow prefix ToS predefined record.
Table 13
14
Key and Non-Key Fields Used by the Flexible NetFlow Prefix ToS Predefined Record
Field
Definition
IP ToS
Key
system
Key

or origin).
IP Destination
autonomous system
Key

(peer or origin).
IPv4 Source Prefix
Key

IPv4 Source Mask
Key

prefix mask.
Key
Interface Input
Key
Interface Output
Key
Flow Direction
Key
Counter Bytes
Non-key
Counter Packets
Non-key

Table 13
Key and Non-Key Fields Used by the Flexible NetFlow Prefix ToS Predefined Record
Field
Definition
Time Stamp System

Uptime First
Non-key

switched.
Time Stamp System

Uptime Last
Non-key

switched.
Flexible NetFlow Protocol Port Predefined Record

The Flexible NetFlow protocol port predefined record creates flows based on protocols and ports in
the traffic flow data. The Flexible NetFlow protocol port predefined record uses the same key and
non-key fields as the original NetFlow protocol port aggregation cache.
Note
Table 14 lists the key and non-key fields used in the Flexible NetFlow protocol port predefined record.
Table 14
Key and Non-Key Fields Used by the Flexible NetFlow Protocol Port Predefined
Record
Field
Definition
IP Protocol
Key
Key
Port
Key
Flow Direction
Key
Direction that the flow is being monitored in.
Counter Bytes
Non-key
Counter Packets
Non-key
Time Stamp System

Uptime First
Non-key

switched.
Time Stamp System

Uptime Last
Non-key

switched.
Flexible NetFlow Protocol Port ToS Predefined Record

The Flexible NetFlow protocol port ToS predefined record creates flows based on the protocol, port,
and ToS value in the traffic data. The Flexible NetFlow protocol port ToS predefined record uses the
same key and non-key fields as the original NetFlow protocol port ToS aggregation cache.
This predefined record is particularly useful for capturing data so that you can examine network usage
by type of traffic.
15

Note

Table 15 lists the key and non-key fields used in the used in the Flexible NetFlow protocol port ToS
predefined record.
Table 15
Key and Non-Key Fields Used by the Flexible NetFlow Protocol Port ToS Predefined
Record
Field
Definition
IP ToS
Key
IP Protocol
Key
Key
Port
Key
Flow Direction
Key
Counter Bytes
Non-key
Counter Packets
Non-key
Time Stamp System

Uptime First
Non-key

switched.
Time Stamp System

Uptime Last
Non-key

switched.
Flexible NetFlow Source Prefix Predefined Record

The Flexible NetFlow source prefix predefined record creates flows based on source prefixes in the
network traffic. The Flexible NetFlow source prefix predefined record uses the same key and non-key
fields as the original NetFlow source prefix aggregation cache.
Note
Table 16 lists the key and non-key fields used in the Flexible NetFlow source prefix predefined record.
Table 16
16
Key and Non-Key Fields Used by the Flexible NetFlow Source Prefix Predefined
Record
Field
Definition
system
Key

or origin).
IPv4 or IPv6 Source

Prefix
Key

IPv4 or IPv6 Source

Mask
Key

Table 16
Key and Non-Key Fields Used by the Flexible NetFlow Source Prefix Predefined
Record (continued)
Field
Definition
Interface Input
Key
Flow Direction
Key
Counter Bytes
Non-key
Counter Packets
Non-key
Time Stamp System

Uptime First
Non-key

switched.
Time Stamp System

Uptime Last
Non-key

switched.
Flexible NetFlow Source Prefix ToS Predefined Record

The Flexible NetFlow source prefix ToS predefined record creates flows based on source prefixes and
ToS values in the network traffic. The Flexible NetFlow source prefix ToS predefined record uses the
same key and non-key fields as the original NetFlow source prefix ToS aggregation cache.
This predefined record is particularly useful for capturing data so that you can examine the sources of
network traffic passing through a NetFlow-enabled device.
Note

Table 17 lists the key and non-key fields used in the Flexible NetFlow source prefix ToS predefined
record.
Table 17
Key and Non-Key Fields Used by the Flexible NetFlow Source Prefix ToS Predefined
Record
Field
Definition
IP ToS
Key
system
Key

or origin).
IPv4 Source Prefix
Key

IPv4 Source Mask
Key
Interface Input
Key
Flow Direction
Key
Counter Bytes
Non-key
Counter Packets
Non-key
17

How to Configure Flexible NetFlow Using a Predefined Record for the Flow Monitor
Table 17
Key and Non-Key Fields Used by the Flexible NetFlow Source Prefix ToS Predefined
Record (continued)
Field
Definition
Time Stamp System

Uptime First
Non-key

switched.
Time Stamp System

Uptime Last
Non-key

switched.
How to Configure Flexible NetFlow Using a Predefined Record

for the Flow Monitor
The tasks in this section explain how to configure Flexible NetFlow using a predefined record for the
flow monitor.
Note
explained in these tasks. For information on the other keywords and arguments available for these
To configure and enable Flexible NetFlow using a predefined record, perform the following tasks:
Configuring a Flow Monitor for IPv4 Traffic Using a Predefined Record, page 18
Configuring a Flow Monitor for IPv6 Traffic Using a Predefined Record, page 20
Viewing the Flow Monitor Cache, page 25 (optional)
Configuring a Flow Monitor for IPv4 Traffic Using a Predefined Record

To configure a flow monitor for IPv4 traffic using a predefined record for the flow monitor, perform the
following required task.
Flow Monitors
18

Restrictions
You must remove a flow monitor from all of the interfaces on which you have applied it before you can
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
record {netflow-original | netflow ipv4 record [peer]}
6.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Example:
Step 4


configuration mode.
Example:
19

Step 5
Command or Action
Purpose
record {netflow-original | netflow ipv4 record

[peer]}
Example:
ipv4 original-input
or
Example:
Router(config-flow-monitor)# record
netflow-original
Step 6

end
Example:
Configuring a Flow Monitor for IPv6 Traffic Using a Predefined Record

To configure a flow monitor for IPv6 traffic using a predefined record for the flow monitor, perform the
following required task.
Flow Monitors
Restrictions
You must remove a flow monitor from all of the interfaces on which you have applied it before you can
SUMMARY STEPS
20
1.
enable
2.
configure terminal
3.
4.
description string
5.
record netflow ipv6 record [peer]
6.
end

DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Example:
Step 4

description string

configuration mode.
Example:
Step 5
record netflow ipv6 record [peer]
Example:
ipv6 original-input
Step 6

end
Example:

Before it can be activated, an IPv4 flow monitor must be applied to at least one interface. To activate an
Restrictions
When you specify the NetFlow original or the NetFlow IPv4 original input predefined record for the
flow monitor to emulate original NetFlow, the flow monitor can be used only for analyzing input
(ingress) traffic.
traffic.
21

SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
ip flow monitor monitor-name {input | output}
5.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3

mode.
Example:
Step 4
ip flow monitor monitor-name {input | output}
Example:
and/or
FLOW-MONITOR-1 output
Step 5

You can configure input and output traffic analysis
concurrently by configuring the
ip flow monitor monitor-name input and
ip flow monitor monitor-name output commands on
the same interface. You can use different flow monitors
for input and output traffic analysis.

EXEC mode.
end
Example:

Before it can be activated, an IPv6 flow monitor must be applied to at least one interface. To activate an
Restrictions
When you specify the NetFlow IPv6 original input predefined record for the flow monitor to emulate
original NetFlow, the flow monitor can be used only for analyzing input (ingress) traffic.
22

traffic.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
ipv6 flow monitor monitor-name {input | output}
5.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3

mode.
Example:
Step 4
ipv6 flow monitor monitor-name {input | output}
Example:
and/or
FLOW-MONITOR-2 output
Step 5

You can configure input and output traffic analysis
concurrently by configuring the
ipv6 flow monitor monitor-name input and
ipv6 flow monitor monitor-name output commands
on the same interface. You can use different flow
monitors for input and output traffic analysis.

EXEC mode.
end
Example:

23

Prerequisites
SUMMARY STEPS
1.
enable
2.
show flow monitor
3.
DETAILED STEPS
Step 1
enable
Router> enable
Router#
Step 2
show flow monitor

Router# show flow monitor
Description:
Used for monitoring IPv4 traffic
Flow Record:
Cache:
Type:
normal
Status:
allocated
Size:
Active Timeout:
1800 secs
Update Timeout:
1800 secs
Description:
Used for monitoring IPv6 traffic
Flow Record:
Cache:
Type:
normal
Status:
allocated
Size:
Active Timeout:
1800 secs
Update Timeout:
1800 secs
Step 3

Router# show running-config flow monitor
!
24

description Used for monitoring IPv4 traffic

!
description Used for monitoring IPv6 traffic
!
end

SUMMARY STEPS
1.
enable
2.
DETAILED STEPS
Step 1
enable
Router> enable
Router#
Step 2

FNF: monitor:
direction:
traffic(ip):
FNF: monitor:
direction:
traffic(ipv6):
FLOW-MONITOR-1
Input
on
FLOW-MONITOR-2
Input
on

To view the data in the flow monitor cache, perform the following optional task.
Prerequisites
25

SUMMARY STEPS
1.
enable
2.
DETAILED STEPS
Step 1
enable
Router> enable
Router#
Step 2

statistics, and flow data in the cache for a flow monitor.
Cache type:
Cache size:
Current entries:
High Watermark:
Flows added:
Flows aged:
- Active timeout
(
- Event aged
- Watermark aged
- Emergency aged
IP DESTINATION AS:
IPV4 DESTINATION PREFIX:
IPV4 DESTINATION MASK:
INTERFACE OUTPUT:
FLOW DIRECTION:
counter bytes:
counter packets:
timestamp first:
timestamp last:
Normal
4096
1
2
1800 secs)
15 secs)
8
7
0
7
0
0
0
0
172.16.10.0
/24
Et1/0
Input
4292430
4305
15853684
15860868

Cache type:
Cache size:
Current entries:
High Watermark:
Flows added:
Flows aged:
- Active timeout
(
- Event aged
- Watermark aged
- Emergency aged
IPV6 FLOW LABEL:
IPV6 EXTENSION MAP:
26
Normal
4096
6
8
1800 secs)
15 secs)
0
0x00000040
1048
1042
11
1031
0
0
0

Configuration Examples for Configuring Flexible NetFlow with Predefined Records

TRNS SOURCE PORT:
INTERFACE INPUT:
FLOW DIRECTION:
FLOW SAMPLER ID:
IP PROTOCOL:
IP TOS:
ip source as:
ip destination as:
ipv6 source mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
.
.
.
IPV6 FLOW LABEL:
IPV6 EXTENSION MAP:
TRNS SOURCE PORT:
INTERFACE INPUT:
FLOW DIRECTION:
FLOW SAMPLER ID:
IP PROTOCOL:
IP TOS:
ip source as:
ip destination as:
ipv6 source mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
2001:DB8:1:ABCD::1
2001:DB8:4:ABCD::2
3000
55
Et0/0
Input
0
17
0x00
0
0
::
/48
/0
0x00
Null
521192
9307
9899684
11660744
0
0x00000000
FF02::9
521
521
Et0/0
Input
0
17
0xE0
0
0
::
/10
/0
0x00
Null
92
1
11653832
11653832
Configuration Examples for Configuring Flexible NetFlow with

Predefined Records
This section contains the following configuration examples:
Configuring a Flexible NetFlow Predefined Record for IPv4 Traffic: Example, page 28
Configuring a Flexible NetFlow Predefined Record for IPv6 Traffic: Example, page 28
27

Where to Go Next
Configuring a Flexible NetFlow Predefined Record for IPv4 Traffic: Example

The following example shows how to configure a flow monitor using the Flexible NetFlow BGP ToS
next-hop predefined record to monitor IPv4 traffic.
!
record netflow ipv4 bgp-nexthop-tos
exit
!
ip cef
!
ip address 172.16.6.2 255.255.255.0
!
Configuring a Flexible NetFlow Predefined Record for IPv6 Traffic: Example

The following example shows how to configure a flow monitor using the Flexible NetFlow source
prefix predefined record to monitor IPv6 traffic.
!
record netflow ipv6 source-prefix
exit
ip cef
ipv6 cef
!
!
Where to Go Next
Monitors module.
If you want to configure flow sampling to reduce the CPU overhead of analyzing traffic refer, to the
module.
If you want to configure data export for Flexible NetFlow, refer to the Configuring Data Export for
Cisco IOS Flexible NetFlow with Flow Exporters module.
28

Related Documents
Related Topic
Document Title
data.
Flow Exporters

Monitors



Network Traffic

Network Traffic

Flexible NetFlow

Flexible NetFlow
Standards
Standard
Title
MIBs
MIB
MIBs Link
None.

following URL:
RFCs
RFC
Title
RFC3954
29

Description
Link



Note
30

Table 18
Feature Name
Releases
Flexible NetFlow
12.4(9)T

Prerequisites for Configuring Flexible NetFlow with

Predefined Records, page 2
Information About Configuring Flexible NetFlow with

Predefined Records, page 2
How to Configure Flexible NetFlow Using a Predefined

Record for the Flow Monitor, page 18
Configuration Examples for Configuring Flexible

NetFlow with Predefined Records, page 27

(Flexible NetFlow).
31

Table 18
Feature Name
Releases
12.4(20)T

Configuring a Flow Monitor for IPv6 Traffic Using a

Predefined Record, page 20
Applying an IPv6 Flow Monitor to an Interface,

page 22
Configuring a Flexible NetFlow Predefined Record for

IPv6 Traffic: Example, page 28

coincidental.
32
Configuring Data Export for Cisco IOS Flexible

NetFlow with Flow Exporters
This document contains information about and instructions for configuring flow exporters to export
Flexible NetFlow data to remote systems such as a UNIX server running NetFlow collector.

Contents
Prerequisites for Configuring Data Export for Flexible NetFlow with Flow Exporters, page 2
Restrictions for Configuring Data Export for Flexible NetFlow with Flow Exporters, page 2
Information About Data Export for Flexible NetFlow with Flow Exporters, page 2
How to Configure Data Export for Flexible NetFlow with Flow Exporters, page 3
Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters
Prerequisites for Configuring Data Export for Flexible NetFlow with Flow Exporters
Configuration Examples for Flexible NetFlow Data Export with Flow Exporters, page 10
Prerequisites for Configuring Data Export for Flexible NetFlow

with Flow Exporters
IPv4 Traffic
IPv6 Traffic
(dCEF IPv6).
Restrictions for Configuring Data Export for Flexible NetFlow

with Flow Exporters
The following restriction applies to configuring data export for Flexible NetFlow with flow exporters:
The NetFlow Version 5 export protocol that was first shipped in Cisco IOS Release 12.4(22)T is
supported only for flow monitors that use the Flexible NetFlow predefined records.
Information About Data Export for Flexible NetFlow with Flow

Exporters
Before you configure a flow exporter, you need to understand the following:
Flow Exporters, page 3
Benefits of Flexible NetFlow Flow Exporters, page 3
How to Configure Data Export for Flexible NetFlow with Flow Exporters
Flow Exporters
Flow exporters are created as separate components in a routers configuration. Exporters are assigned to
flow monitors to export the data from the flow monitor cache to a remote system such as a NetFlow
collector. Flow monitors can support more than one exporter. Each exporter can be customized to meet
the requirements of the flow monitor or monitors in which it is used and the NetFlow collector systems
to which it is exporting data.
Benefits of Flexible NetFlow Flow Exporters

Flexible NetFlow allows you to configure many different flow exporters, depending on your
requirements. Some of the benefits of Flexible NetFlow flow exporters are as follows:
Using flow exporters, you can create an exporter for every type of traffic that you want to analyze
so that you can send each type of traffic to a different NetFlow collector. Original NetFlow sends
the data in a cache for all of the analyzed traffic to a maximum of two export destinations.
Flow exporters support up to 10 exporters per flow monitor. Original NetFlow is limited to only two
export destinations per cache.
In Cisco IOS Release 12.4(20)T and newer releases, flow exporters can use class of service (CoS)
in the packets that are sent to export destinations to help ensure that the packets are given the correct
priority throughout the network. Original Netflow exporters do not use CoS in the packets that are
sent to export destinations.
In Cisco IOS Release 12.4(20)T and newer releases flow exporter, traffic can be encrypted.
How to Configure Data Export for Flexible NetFlow with Flow

Exporters
The tasks in this section explain how to export the data that is collected by Flexible NetFlow to a remote
system for further analysis and storage.
Flow Exporters
Flow exporters are used to send the data that you collect with Flexible NetFlow to a remote system such
as a NetFlow collector. Flow exporters use UDP as the transport protocol.
Restrictions
Each flow exporter supports only one destination. If you want to export the data to multiple destinations,
you must configure multiple flow exporters and assign them to the flow monitor. Flow exporters are
added to flow monitors to enable data export from the flow monitor cache.
Note
explained in these tasks. For information about the other keywords and arguments available for these
To configure data export for Flexible NetFlow, perform the tasks in this section:
Configuring the Flow Exporter, page 4
Verifying the Flow Exporter, page 6 (optional)
Configuring and Enabling Flexible NetFlow with Data Export, page 7
Verifying That Data Export Is Enabled for the Flow Monitor, page 10 (optional)
Configuring the Flow Exporter

To configure the flow exporter, perform the following required task.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
description string
5.
destination {ip-address | hostname} [vrf vrf-name]
6.
export-protocol {netflow-v5 | netflow-v9}
7.
dscp dscp
8.
source type number
9.
option {{exporter-stats | interface-table | sampler-table} [timeout seconds]}
10. output-features
11. template data timeout seconds
12. transport udp udp-port
13. ttl ttl
14. end
DETAILED STEPS
Command or Action
Step 1
enable
Purpose
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Command or Action
Purpose
Creates the flow exporter and enters flow exporter

configuration mode.
Example:
Router(config)# flow exporter EXPORTER-1
Step 4
description string
Example:

flow exporter. For example, to modify the configuration
of a flow exporter named EXPORTER-1, use the
flow exporter EXPORTER-1 command and argument
(Optional) Configures a description to the exporter that will

appear in the configuration and the display of the show flow
exporter command.
Router(config-flow-exporter)# description
Exports to the Chicago datacenter
Step 5
destination {ip-address | hostname} [vrf

vrf-name]
Specifies the IP address or hostname of the destination

system for the exporter.
Example:
172.16.10.2
Step 6
export-protocol {netflow-v5 | netflow-v9}
Specifies the version of the Netflow export protocol used by

the exporter. Default: netflow-v9.
Example:
172.16.10.2
Step 7
dscp dscp
Example:
(Optional) Configures DSCP parameters for datagrams sent

by the exporter.
Router(config-flow-exporter)# dscp 63
Step 8
source type number
Example:
The range for the dscp argument is from 0 to 63.

Default: 0.
(Optional) Specifies the local interface from which the

exporter will use the IP address as the source IP address for
exported datagrams.
Router(config-flow-exporter)# source ethernet

0/0
Step 9
option {{exporter-stats | interface-table |

sampler-table} [timeout seconds]}
Example:
Router(config-flow-exporter)# option
exporter-stats timeout 120
Step 10
output-features
(Optional) Configures options data parameters for the

exporter.
You can configure all three options concurrently.
The range for the seconds argument is 1 to 86400.

Default: 600
(Optional) Enables sending export packets using quality of

service (QoS) and encryption.
Example:
Router(config-flow-exporter)# output-features
Step 11
Command or Action
Purpose
template data timeout seconds
(Optional) Configure resending of templates based on a

timeout.
Example:
Router(config-flow-exporter)# template data
timeout 120
Step 12
The range for the seconds argument is 1 to 86400

seconds. (86400 seconds = 24 hours)
Specifies the UDP port on which the destination system is

listening for exported datagrams.
Example:
The range for the udp-port argument is from 1 to 65536.
Router(config-flow-exporter)# transport udp 650
Step 13
(Optional) Configures the time-to-live (TTL) value for

datagrams sent by the exporter.
ttl ttl
Example:
The range for the ttl argument is from 1 to 255.
Router(config-flow-exporter)# ttl 15
Step 14
Exits flow exporter configuration mode and returns to

end
Example:
Router(config-flow-exporter)# end
Verifying the Flow Exporter

To view the current status of a flow exporter and verify the configuration commands that you entered,
SUMMARY STEPS
1.
enable
2.
show flow exporter
3.
DETAILED STEPS
Step 1
enable
Router> enable
Router#
Step 2
show flow exporter

The show flow exporter command shows the current status of the flow exporter that you specify.
Router# show flow exporter EXPORTER-1
Flow Exporter EXPORTER-1:
Description:
Destination IP address:
Source IP address:
Source Interface:
Exports to the Chicago datacenter

172.16.10.2
172.16.6.2
Ethernet0/0
Transport Protocol:
UDP
Destination Port:
650
Source Port:
55864
DSCP:
0x3F
TTL:
15
Output Features:
Used
Options Configuration:
exporter-stats (timeout 120 seconds)
interface-table (timeout 120 seconds)
sampler-table (timeout 120 seconds)
Step 3

The show running-config flow exporter command shows the configuration commands of the flow
exporter that you specify.
Router# show running-config flow exporter EXPORTER-1
!
description Exports to the Chicago datacenter
source Ethernet0/0
output-features
dscp 63
ttl 15
transport udp 650
template data timeout 120
option exporter-stats timeout 120
option interface-table timeout 120
option sampler-table timeout 120
!
end
Configuring and Enabling Flexible NetFlow with Data Export

You must create a flow monitor to configure the types of traffic for which you want to export the cache
data. You must enable the flow monitor by applying it to at least one interface to start exporting data. To
configure and enable Flexible NetFlow with data export, perform this required task.
Flow Monitors
Restrictions
When you specify the NetFlow original or the NetFlow IPv4 original input or the NetFlow IPv6
original input predefined record for the flow monitor to emulate original NetFlow, the flow monitor can
be used only for analyzing input (ingress) traffic.
When you specify the NetFlow IPv4 original output or the NetFlow IPv6 original output predefined
record for the flow monitor to emulate the Egress NetFlow Accounting feature, the flow monitor can be
used only for analyzing output (egress) traffic.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
record {record-name | netflow-original | netflow {ipv4 | ipv6} record [peer]}
5.
6.
exit
7.
8.
{ip | ipv6} flow monitor monitor-name {input | output}
9.
end
DETAILED STEPS
Command or Action
Step 1
enable
Purpose
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Example:


configuration mode.
Step 4
Command or Action
Purpose
record {record-name | netflow-original |

netflow {ipv4 | ipv6} record [peer]}
Example:
ipv4 original-input
and/or
Example:
ipv6 original-input
Step 5
Specifies the name of an exporter that you created

previously.
Example:
EXPORTER-1
Step 6
exit
Exits Flexible NetFlow flow monitor configuration mode

and returns to global configuration mode.
Example:
Router(config-flow-monitor)# exit
Step 7

mode.
Example:
Step 8
{ip | ipv6} flow monitor monitor-name {input |

output}

Example:
and/or
Example:
Step 9
end
Exits flow interface configuration mode and returns to

Example:
Configuration Examples for Flexible NetFlow Data Export with Flow Exporters
Verifying That Data Export Is Enabled for the Flow Monitor

To verify that data export is enabled for the flow monitor cache, perform the following optional task.
Prerequisites
Before you can view the flows in the flow monitor cache, the interface to which you applied the input
flow monitor must be receiving traffic that meets the criteria defined by the NetFlow original record.
SUMMARY STEPS
1.
enable
2.
show flow monitor name monitor-name
DETAILED STEPS
Step 1
enable
Router> enable
Router#
Step 2
show flow monitor name monitor-name

Displays the status and statistics for a flow monitor.
Router# show flow monitor name FLOW-MONITOR-1
Description:
User defined
Flow Record:
netflow original-input
Flow Exporter:
EXPORTER-1
Cache:
Type:
normal
Status:
allocated
Size:
Active Timeout:
1800 secs
Update Timeout:
1800 secs
Configuration Examples for Flexible NetFlow Data Export with

Flow Exporters
The following example shows you how to configure data export for Flexible NetFlow:
10
Configuring Multiple Export Destinations: Example, page 11
Configuring Sending Export Packets Using QoS: Example, page 11
Configuring Version 5 Export: Example, page 13
Configuring Multiple Export Destinations: Example

The following example shows how to configure multiple export destinations for Flexible NetFlow for
IPv4 and IPv6 traffic.
!
transport udp 90
exit
!
transport udp 90
exit
!
exporter EXPORTER-2
exporter EXPORTER-1
!
!
exporter EXPORTER-2
exporter EXPORTER-1
!
ip cef
!
ip address 172.16.6.2 255.255.255.0
!
The following display output shows that the flow monitor is exporting data to the two exporters:
Router# show flow monitor FLOW-MONITOR-1
Description:
User defined
Flow Record:
netflow original-input
Flow Exporter:
EXPORTER-1
EXPORTER-2
Cache:
Type:
normal
Status:
allocated
Size:
Active Timeout:
1800 secs
Update Timeout:
1800 secs
Configuring Sending Export Packets Using QoS: Example

The following example shows how to configure sending Flexible NetFlow export packets using quality
of service (QoS).
11
Note
The Flexible NetFlow export packets to the destination host (IP address 10.0.1.2) are transmitted on
Ethernet 0/1 using QoS.
!
flow record FLOW-RECORD-1
match ipv4 source address
collect counter packets
!
flow exporter FLOW-EXPORTER-1
output-features
dscp 18
!
record FLOW-RECORD-1
exporter FLOW-EXPORTER-1
cache entries 1024
!
ip cef
!
class-map match-any COS3
!
policy-map PH_LABS_FRL_64k_16k_16k_8k_8k
class COS3
bandwidth percent 2
random-detect dscp-based
random-detect exponential-weighting-constant 1
random-detect dscp 18 200 300 10
!
ip address 10.0.0.1 255.255.255.0
!
ip address 10.0.1.1 255.255.255.0
service-policy output PH_LABS_FRL_64k_16k_16k_8k_8k
!
The following display output shows that the flow monitor is exporting data using output feature support
that enables the exported data to use QoS:
Flow Exporter FLOW-EXPORTER-1:
Description:
User defined
Tranport Configuration:
Destination IP address: 10.0.1.2
Source IP address:
10.0.0.1
Transport Protocol:
UDP
Destination Port:
9995
Source Port:
56750
DSCP:
0x12
TTL:
255
Output Features:
Used
12
Configuring Version 5 Export: Example

The following example shows how to configure multiple export destinations for Flexible NetFlow for
IPv4 and IPv6 traffic.
!
export-protocol netflow-v5
transport udp 90
exit
!
exporter EXPORTER-1
!
ip cef
!
ip address 172.16.6.2 255.255.255.0
!
The following display output shows that the flow monitor is exporting data to the two exporters:
Router# #show flow exporter FLOW-EXPORTER-6
Flow Exporter FLOW-EXPORTER-6:
Description:
User defined
Export protocol:
NetFlow Version 5
Destination IP address: 172.31.90.23
Source IP address:
10.1.1.2
Transport Protocol:
UDP
Destination Port:
90
Source Port:
55950
DSCP:
0x0
TTL:
255
Output Features:
Not Used
13
Where to Go Next
Where to Go Next
Monitors module.
module.
If you want to configure any of the predefined records for Flexible NetFlow refer, to the Configuring
Related Documents
Related Topic
Document Title

Monitors



records

Network Traffic

Network Traffic

Flexible NetFlow

Flexible NetFlow
Standards
Standard
Title
14
MIBs
MIB
MIBs Link
None.

following URL:
RFCs
RFC
Title
RFC #3954
Description
Link



15
Note
Table 1
Feature Name
Releases
Flexible NetFlow
12.4(9)T

Prerequisites for Configuring Data Export for Flexible

NetFlow with Flow Exporters, page 2
Information About Data Export for Flexible NetFlow

with Flow Exporters, page 2
How to Configure Data Export for Flexible NetFlow

with Flow Exporters, page 3
Configuration Examples for Flexible NetFlow Data

Export with Flow Exporters, page 10

(Flexible NetFlow).
16
Table 1
Feature Name
Releases
12.4(20)T

Configuring and Enabling Flexible NetFlow with Data

Export, page 7
Configuring Multiple Export Destinations: Example,

page 11

Flexible NetFlow - Output Features on Data
Export
12.4(20)T
Enables sending export packets using quality of service

(QoS) and encryption.
Information about the Flexible NetFlow - Output Features
on Data Export feature is included in the following sections:
Configuring Sending Export Packets Using QoS:

Example, page 11
The following command was introduced: output-features.

Flexible Netflow - NetflowV5 export protocol
12.4(22)T
Enables sending export packets using the Version 5 export

protocol.
Information about the Flexible NetFlow - NetflowV5 export
protocol feature is included in the following sections:
Restrictions for Configuring Data Export for Flexible

NetFlow with Flow Exporters, page 2
Configuring Version 5 Export: Example, page 13
The following command was introduced: export-protocol.

17
coincidental.
18
Customizing Cisco IOS Flexible NetFlow Flow

This document contains information about and instructions for customizing Flexible NetFlow flow
records and flow monitor requirements. If the tasks and configuration examples in the Getting Started
with Configuring Cisco IOS Flexible NetFlow module and the Configuring Cisco IOS Flexible
NetFlow with Predefined Records module were not suitable for your traffic analysis requirements, you
can use the information and instructions in this document to customize Flexible NetFlow to meet your
traffic analysis requirements.

Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors
Contents
Contents
Prerequisites for Customizing Flexible NetFlow Flow Records and Flow Monitors, page 2
Information About Customizing Flexible NetFlow Flow Records and Flow Monitors, page 3
How to Customize Flexible NetFlow Flow Records and Flow Monitors, page 4
Configuration Examples for Customizing Flexible NetFlow Flow Records and Flow Monitors,
page 16
Prerequisites for Customizing Flexible NetFlow Flow Records

and Flow Monitors
You are familiar with the Flexible NetFlow key fields as they are defined in the following commands
in the Cisco IOS Flexible NetFlow Command Reference:
match flow
match interface
match {ipv4 | ipv6}
match routing
match transport
You are familiar with the Flexible NetFlow non-key fields as they are defined in the following
commands in the Cisco IOS Flexible NetFlow Command Reference:
collect counter
collect flow
collect interface
collect {ipv4 | ipv6}
collect routing
collect timestamp sys-uptime
collect transport
IPv4 Traffic
Information About Customizing Flexible NetFlow Flow Records and Flow Monitors
IPv6 Traffic
(dCEF IPv6).
Information About Customizing Flexible NetFlow Flow Records

and Flow Monitors
Before you customize Flexible NetFlow flow records and flow monitors, you must understand the
following concept:
Identifying the Types of Traffic That You Want to Analyze, page 3
Identifying the Types of Traffic That You Want to Analyze

If the predefined Flexible NetFlow records are not suitable for your traffic requirements, you can create
a user-defined (custom) record using the Flexible NetFlow collect and match commands. Before you
can create a customized record, you must decide the criteria that you are going to use for the key and
non-key fields.
If you want to create a customized record for detecting network attacks, you must include the appropriate
key and non-key fields in the record to ensure that the router creates the flows and captures the data that
you need to analyze the attack and respond to it. For example, SYN flood attacks are a common denial
of service (DoS) attack in which TCP flags are used to flood open TCP requests to a destination host.
When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from
a source host and sends back a SYN ACK (synchronize acknowledge). The destination host must then
hear an ACK (acknowledge) of the SYN ACK before the connection is established. This is referred to as
the "TCP three-way handshake." While waiting for the ACK to the SYN ACK, a connection queue of
finite size on the destination host keeps track of connections waiting to be completed. This queue
typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK.
The TCP SYN attack exploits this design by having an attacking source host generate TCP SYN packets
with random source addresses toward a victim host. The victim destination host sends a SYN ACK back
to the random source address and adds an entry to the connection queue. Since the SYN ACK is destined
for an incorrect or non-existent host, the last part of the "three-way handshake" is never completed and
the entry remains in the connection queue until a timer expires, typically for about one minute. By
generating phony TCP SYN packets from random IP addresses at a rapid rate, it is possible to fill up the
connection queue and deny TCP services (such as e-mail, file transfer, or WWW) to legitimate users.
The information needed for a security monitoring record for this type of DoS attack might include the
following key and non-key fields:
Key fields:
Destination IP address or destination IP subnet
TCP flags
Packet count
Non-key fields
Destination IP address
How to Customize Flexible NetFlow Flow Records and Flow Monitors
Source IP address
Interface input and output
Tip
Many users configure a general Flexible NetFlow monitor that triggers a more detailed Flexible NetFlow
view of a DoS attack using these key and non-key fields.
How to Customize Flexible NetFlow Flow Records and Flow

Monitors
The tasks in this section explain how to do the following:
Note
Customize a Flexible NetFlow flow record.
Customize a Flexible NetFlow flow monitor.
Enable Flexible NetFlow.
To customize Flexible NetFlow flow records and flow monitors, and to enable Flexible NetFlow, perform
the following tasks:
Configuring a Customized Flow Record, page 4
Verifying the Flow Record, page 7 (optional)
Customizing a Flow Monitor, page 9
Applying a Flow Monitor to an Interface, page 12
Viewing the Flow Monitor Cache, page 14 (optional)
Configuring a Customized Flow Record

Customized flow records are used to analyze traffic data for a specific purpose. A customized flow
record must have at least one match criterion for use as the key field and typically has at least one collect
criterion for use as a non-key field.
There are hundreds of possible permutations of customized flow records. This task explains the steps
that are used to create one of the possible permutations. Modify the steps in these tasks as appropriate
to create a customized flow record for your requirements.
To configure a customized flow record, perform either of the following tasks:
Configuring a Customized Flow Record for IPv4 Traffic

SUMMARY STEPS
1.
enable
2.
configure terminal
3.
flow record flow-record-name
4.
description string
5.
match ipv4 {destination | source} address
6.
Repeat Step 5 as required to configure additional key fields for the record.
7.
collect ipv4 source {address | mask [minimum-mask mask] | prefix [minimum-mask mask]}
8.
Repeat Step 7 as required to configure additional non-key fields for the record
9.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Example:
Creates a flow record and enters flow record configuration

mode.
Router(config)# flow record FLOW-RECORD-1
Step 4
description string

flow record. For example, to modify the configuration
of a flow record named record-name use the
flow record record-name command and argument in
global configuration mode.
(Optional) Creates a description for the flow record.
Example:
Router(config-flow-record)# description Used
for basic traffic analysis
Step 5
Configures a key field for the flow record.

Note
Example:
Router(config-flow-record)# match ipv4
destination address
This example configures the IPv4 destination

address as a key field for the record. For information
about the other key fields available for the match
ipv4 command, and the other match commands that
are available to configure key fields, refer to the
Cisco IOS Flexible NetFlow Command Reference.
Command or Action
Purpose
Step 6
Repeat Step 5 as required to configure additional key

fields for the record.
Step 7
collect ipv4 source {address | mask

[minimum-mask mask] | prefix [minimum-mask
mask]}
Configures one or more of the IPv4 source fields in the flow

as a non-key field for the record.
This example configures the IPv4 source address as
a non-key field for the record. For information on
the other collect commands that are available to
configure non-key fields, refer to the Cisco IOS
Flexible NetFlow Command Reference.
Note
Example:
Router(config-flow-record)# collect ipv4 source
address
Step 8
Repeat Step 7 as required to configure additional

non-key fields for the record.
Step 9
end
Exits flow record configuration mode and returns to

Example:
Router(config-flow-record)# end

SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
description string
5.
6.
Repeat Step 5 as required to configure additional key fields for the record.
7.
collect ipv6 source {address | mask [minimum-mask mask] | prefix [minimum-mask mask]}
8.
Repeat Step 7 as required to configure additional non-key fields for the record
9.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Command or Action
Purpose

mode.
Example:
Step 4
description string

of a flow record named record-name use the
Example:
for basic IPv6 traffic analysis
Step 5
Configures a key field for the flow record.

Note
Example:
Router(config-flow-record)# match ipv6
destination address
This example configures the IPv6 destination

address as a key field for the record. For information
about the other key fields available for the match
ipv6 command, and the other match commands that
are available to configure key fields, refer to the
Cisco IOS Flexible NetFlow Command Reference.
Step 6
Repeat Step 5 as required to configure additional key

fields for the record.
Step 7
collect ipv6 source {address | mask

[minimum-mask mask] | prefix [minimum-mask
mask]}
Configures the number of packets in the flow as a non-key

field for the record.
Note
Example:
Router(config-flow-record)# collect ipv6 source
address
This example configures the IPv6 source address as

a non-key field for the record. For information about
the other collect commands that are available to
configure non-key fields, refer to the Cisco IOS
Step 8
Repeat Step 7 as required to configure additional

non-key fields for the record.
Step 9
end
Exits flow record configuration mode and returns to

Example:
Router(config-flow-record)# end
Verifying the Flow Record

To view the current status of a flow record and verify the configuration commands that you entered,
SUMMARY STEPS
1.
enable
2.
show flow record
3.
show running-config flow record
DETAILED STEPS
Step 1
enable
Router> enable
Router#
Step 2
show flow record

The show flow record command shows the current status of the flow monitor that you specify.
Router# show flow record
flow record FLOW-RECORD-2:
Description:
No. of users:
1
Total field space: 53 bytes
Fields:
match ipv6 destination address
collect ipv6 protocol
collect ipv6 source address
collect transport source-port
collect transport destination-port
collect counter bytes
collect timestamp sys-uptime first
collect timestamp sys-uptime last
flow record FLOW-RECORD-1:
Description:
No. of users:
1
Total field space: 29 bytes
Fields:
Step 3
show running-config flow record

The show running-config flow record command shows the configuration commands of the flow
Router# show running-config flow record
!

!
!
!
Customizing a Flow Monitor

To create a customized flow monitor, perform the following required task.
Flow Monitor
contents and layout of its cache entries. These record formats can be one of the predefined formats, or
an advanced user can create a customized format using the flow record command. This task uses the
record that you created in the Configuring a Customized Flow Record section on page 4.
Prerequisites
If you want to use a customized record instead of using one of the Flexible NetFlow predefined records,
you must create the customized record before you can perform this task. Refer to the Configuring a
Customized Flow Record section on page 4 for information about and instructions for creating a
customized flow record.
If you want to add a flow exporter to the flow monitor for data export, you must create the exporter before
you can complete this task. Refer to the Configuring Data Export for Cisco IOS Flexible NetFlow with
Flow Exporters module for information about and instructions for creating a flow exporter.
Restrictions
You must use the no ip flow monitor command to remove a flow monitor from all of the interfaces to
which you have applied it before you can modify the parameters for the record command on the flow
monitor. For information about the ip flow monitor command, refer to the Cisco IOS Flexible NetFlow
Command Reference.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
description string
5.
6.
cache {entries entries | timeout {active active | inactive inactive | update update} | type
{immediate | normal | permanent}}
7.
Repeat Step 6 as required to finish modifying the cache parameters for this flow monitor.
8.
statistics packet protocol
9.
statistics packet size
10. exporter exporter-name

11. end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Example:

Step 4
description string

flow monitor monitor-name command and argument
Example:
for basic ipv4 traffic analysis
Step 5

Example:
FLOW-RECORD-1
Step 6
cache {entries entries | timeout {active active

| inactive inactive | update update} | type
{immediate | normal | permanent}}
Example:
Router(config-flow-monitor)# cache entries 1000
10
(Optional) Modifies the flow monitor cache parameters

such as timeout values, number of cache entries, and the
cache type.
The timeout keywords do not have any effect when the

cache type is set to immediate.
Command or Action
Purpose
Step 7
Repeat Step 6 as required to finish modifying the cache

parameters for this flow monitor.
Step 8
(Optional) Enables the collection of protocol distribution

statistics for Flexible NetFlow monitors.
Example:
Router(config-flow-monitor)# statistics packet
protocol
Step 9
(Optional) Enables the collection of size distribution

statistics for Flexible NetFlow monitors.
Example:
Router(config-flow-monitor)# statistics packet
size
Step 10
(Optional) Specifies the name of an exporter that was

created previously.
Example:
EXPORTER-1
Step 11
Refer to the Configuring Data Export for Cisco IOS

Flexible NetFlow with Flow Exporters module for
information about and instructions for configuring flow
exporters.

end
Example:

SUMMARY STEPS
1.
enable
2.
show flow monitor
3.
show running-config flow monitor monitor-name
DETAILED STEPS
Step 1
enable
Router> enable
Router#
Step 2
show flow monitor monitor-name

11

Description:
Used for basic ipv4 traffic analysis
Flow Record:
FLOW-RECORD-1
Flow Exporter:
EXPORTER-1
Cache:
Type:
normal
Status:
allocated
Size:
Active Timeout:
1800 secs
Update Timeout:
1800 secs
Stats:
protocol distribution
size distribution
Step 3

Router# show running-config flow monitor FLOW-MONITOR-1
!
description Used for basic ipv4 traffic analysis
exporter EXPORTER-1
cache entries 1000
!
Applying a Flow Monitor to an Interface

Before it can be activated, a flow monitor must be applied to at least one interface. To activate a flow
monitor, perform the following required task.
Restrictions
original input predefined record for the flow monitor to emulate original NetFlow, the Flexible NetFlow
flow monitor can be used only for analyzing input (ingress) traffic.
record for the flow monitor to emulate the Egress NetFlow Accounting feature, the Flexible NetFlow
flow monitor can be used only for analyzing output (egress) traffic.
SUMMARY STEPS
12
1.
enable
2.
configure terminal
3.
4.
{ip | ipv6} flow monitor monitor-name {input | output}
5.
Repeat Steps 3 and 4 to activate a flow monitor on any other interfaces in the router over which you
want to monitor traffic.
6.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3

mode.
Example:
Step 4
{ip | ipv6} flow monitor monitor-name {input |

output}
Activates a flow monitor that was created previously by

Example:
Step 5
Repeat Steps 3 and 4 to activate a flow monitor on any

other interfaces in the router over which you want to
monitor traffic.
Step 6
end

EXEC mode.
Example:

SUMMARY STEPS
1.
enable
2.
show flow interface
DETAILED STEPS
Step 1
enable
13
Router> enable
Router#
Step 2
show flow interface

FNF: monitor:
direction:
traffic(ip):
FNF: monitor:
direction:
traffic(ipv6):
FLOW-MONITOR-1
Input
on
FLOW-MONITOR-2
Input
on

FNF: monitor:
direction:
traffic(ip):
FNF: monitor:
direction:
traffic(ipv6):
FLOW-MONITOR-1
Output
on
FLOW-MONITOR-2
Output
on

To view the data in the flow monitor cache, perform the following optional task.
Prerequisites
The interface on which you applied the input flow monitor must be receiving traffic that meets the
criteria defined by the NetFlow original record before you can view the flows in the flow monitor cache.
SUMMARY STEPS
1.
enable
2.
DETAILED STEPS
Step 1
enable
Router> enable
Router#
Step 2
14
statistics, and flow data in the cache for a flow monitor.
Cache type:
Cache size:
Current entries:
High Watermark:
Flows added:
Flows aged:
- Active timeout
(
- Event aged
- Watermark aged
- Emergency aged
Normal
1000
4
4
101
97
3
94
0
0
0
1800 secs)
15 secs)

ipv4 source address:
trns source port:
trns destination port:
counter bytes:
counter packets:
timestamp first:
timestamp last:
ip protocol:
172.16.10.5
10.10.11.1
25
25
72840
1821
21237828
22086520
6

trns source port:
counter bytes:
counter packets:
timestamp first:
timestamp last:
ip protocol:
172.16.10.2
10.10.10.2
20
20
3913860
7326
21238788
22088080
6

trns source port:
counter bytes:
counter packets:
timestamp first:
timestamp last:
ip protocol:
172.16.10.200
192.168.67.6
0
3073
51072
1824
21239228
22087980
1

Cache type:
Cache size:
Current entries:
High Watermark:
Flows added:
Flows aged:
- Active timeout
(
- Event aged
- Watermark aged
- Emergency aged
Normal
1000
2
3
1800 secs)
15 secs)
95
93
0
93
0
0
0
2001:DB8:4:ABCD::2
15
Configuration Examples for Customizing Flexible NetFlow Flow Records and Flow Monitors

trns source port:
counter bytes:
counter packets:
timestamp first:
timestamp last:
ip protocol:
2001:DB8:1:ABCD::1
33572
23
19140
349
2172704
2198272
6

trns source port:
counter bytes:
counter packets:
timestamp first:
timestamp last:
ip protocol:
FF02::9
521
521
92
1
2195672
2195672
17
Configuration Examples for Customizing Flexible NetFlow Flow

This section contains the following configuration examples:
Configuring a Permanent Flow Record Cache with a Limited Number of Possible Flows: Example,
page 16
Configuring a Customized Flow Record Cache for Monitoring IPv6 Traffic: Example, page 17
Configuring Flexible NetFlow for Monitoring MAC and VLAN Statistics: Example, page 18
Configuring a Permanent Flow Record Cache with a Limited Number of

Possible Flows: Example
The following example is designed to monitor the type of service (ToS) field usage on all interfaces in
the router. An exporter is not configured because this example is intended to be used to capture additional
data for analysis on the router using the show flow monitor command.
!
ip cef
!
flow record QOS_RECORD
description UD: Flow Record to monitor the use of TOS within this router/network
match interface input
match interface output
match ipv4 tos
exit
!
flow monitor QOS_MONITOR
description UD: Flow Monitor which watches the limited combinations of interface and TOS
record QOS_RECORD
16
cache type permanent

cache entries 8192
! 2^5 (combos of interfaces) * 256 (values of TOS)
exit
!
interface ethernet0/0
ip flow monitor QOS_MONITOR
exit
!
exit
!
exit
!
interface serial2/0
exit
!
interface serial2/1
!
input
input
input
input
input
The display from the show flow monitor command shows the current status of the cache.
Router# show flow monitor QOS_MONITOR cache
Cache type:
Permanent
Cache size:
8192
Current entries:
2
High Watermark:
2
Flows added:
Updates sent
1800 secs)
2
0
Configuring a Customized Flow Record Cache for Monitoring IPv6 Traffic:

Example
The following example creates a customized flow record for monitoring common IPv6 traffic
characteristics.
!
ip cef
ipv6 cef
!
!
17
cache entries 1000
!
!
ipv6 flow monitor FLOW-MONITOR-2 output
!
Configuring Flexible NetFlow for Monitoring MAC and VLAN Statistics:

Example
The following example shows how to configure Flexible NetFlow for monitoring MAC and VLAN
statistics.
!
flow record LAYER-2-FIELDS-1
match ipv4 source address
collect datalink dot1q vlan output
collect datalink mac source address input
collect datalink mac source address output
collect datalink mac destination address input
collect flow direction
!
exit
!
!
record LAYER-2-FIELDS-1
exit
!
ip cef
!
ip address 172.16.6.2 255.255.255.0
!
18
Where to Go Next
Where to Go Next
module.
If you want to configure any of the predefined records for Flexible NetFlow, refer to the Configuring
Related Documents
Related Topic
Document Title
data.
Flow Exporters


records

Network Traffic

Network Traffic

Flexible NetFlow

Flexible NetFlow
Standards
Standard
Title
19
MIBs
MIB
MIBs Link
None

following URL:
RFCs
RFC
Title
RFC #3954
Description
Link



20
Note
Table 1
Feature Name
Releases
Flexible NetFlow
12.4(9)T

Prerequisites for Customizing Flexible NetFlow Flow

Records and Flow Monitors, page 2
Information About Customizing Flexible NetFlow

Flow Records and Flow Monitors, page 3
How to Customize Flexible NetFlow Flow Records and

Flow Monitors, page 4
Configuration Examples for Customizing Flexible

NetFlow Flow Records and Flow Monitors, page 16

(Flexible NetFlow).
21
Table 1
Feature Name
Releases
Flexible Netflow - Layer 2 Fields
12.4(22)T
Enables collecting statistics for Layer 2 fields such as MAC

addresses and virtual LAN (VLAN) IDs from traffic.
Information about the Flexible NetFlow - Layer 2 Fields
feature is included in the following sections:
Configuring Flexible NetFlow for Monitoring MAC

and VLAN Statistics: Example, page 18

collect datalink dot1q vlan, collect datalink mac, match
datalink dot1q vlan, match datalink mac.
12.4(20)T

Configuring a Customized Flow Record for IPv6

Traffic, page 6
Applying a Flow Monitor to an Interface, page 12
Configuring a Customized Flow Record Cache for

Monitoring IPv6 Traffic: Example, page 17

coincidental.
22
Using Cisco IOS Flexible NetFlow Flow Sampling

to Reduce the CPU Overhead of Analyzing Traffic
Last Updated: October 10 2008
This document contains information about and instructions for configuring sampling to reduce the CPU
overhead of analyzing traffic with Flexible NetFlow.

Contents
Prerequisites for Using Flow Sampling, page 2
Information About Flexible NetFlow Samplers, page 3
How to Configure Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic with Flexible
NetFlow, page 3
Prerequisites for Using Flow Sampling
Configuration Examples for Using Flow Sampling to Reduce the CPU Overhead of Analyzing
Traffic with Flexible NetFlow, page 7
Prerequisites for Using Flow Sampling

IPv4 Traffic
IPv6 Traffic
(dCEF IPv6).
Information About Flexible NetFlow Samplers
Information About Flexible NetFlow Samplers

Before you configure a Flexible NetFlow sampler, you need to understand the following:
Samplers, page 3
Samplers
Flow samplers are created as separate components in a routers configuration. Flow samplers are used to
reduce the load on the device that is running Flexible Netflow by limiting the number of packets that are
selected for analysis. Samplers use either random or deterministic sampling techniques (modes).
DeterministicThe same sampling position is used each time a sample is taken.
RandomA randomly selected sampling position is used each time a sample is taken.
Flow sampling exchanges monitoring accuracy for router performance. When you apply a sampler to a
flow monitor, the overhead load on the router of running the flow monitor is reduced because the number
of packets that the flow monitor must analyze is reduced. The reduction in the number of packets that
are analyzed by the flow monitor causes a corresponding reduction in the accuracy of the information
stored in the flow monitors cache.
Samplers are combined with flow monitors when they are applied to an interface with the ip flow
monitor command.
How to Configure Flow Sampling to Reduce the CPU Overhead

of Analyzing Traffic with Flexible NetFlow
Flow sampling reduces the CPU overhead of analyzing traffic with Flexible NetFlow by reducing the
number of packets that are analyzed.
Note
To configure flow sampling to reduce the CPU overhead of analyzing traffic with Flexible NetFlow,
perform the following tasks:
Configuring a Flow Monitor, page 3
Configuring and Enabling Flow Sampling, page 5
Verifying the Flow Sampler Configuration, page 7 (optional)
Configuring a Flow Monitor

Samplers are applied to an interface in conjunction with a flow monitor. You must create a flow monitor
to configure the types of traffic that you want to analyze before you can enable sampling. To create a
flow monitor, perform the following required task.
How to Configure Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic with Flexible NetFlow
Flow Monitor
Restrictions
You must use the no ip flow monitor command to remove a flow monitor from all of the interfaces to
which you have applied it before you can modify the parameters for the record command on the flow
monitor.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
description string
5.
6.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Example:
Step 4
description string
Example:
for basic traffic analysis


configuration mode.
Step 5
Command or Action
Purpose

Example:
ipv4 original-input
Step 6

end
Example:
Configuring and Enabling Flow Sampling

To configure and enable a random flow sampler, perform the following required task.
Restrictions
original input predefined record for the flow monitor to emulate original NetFlow, the flow monitor can
be used only for analyzing input (ingress) traffic.
record for the flow monitor to emulate the Egress NetFlow Accounting feature, the flow monitor can be
used only for analyzing output (egress) traffic.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
sampler sampler-name
4.
description string
5.
mode {deterministic | random} 1 out-of window-size
6.
exit
7.
8.
{ip | ipv6} flow monitor {monitor-name [[sampler] sampler-name] {input | output}}
9.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
sampler sampler-name
Creates a sampler and enters sampler configuration mode.
Example:
Router(config)# sampler SAMPLER-1
Step 4
description string

sampler. For example, to modify the configuration of a
sampler named sampler-name use the
sampler sampler-name command in global
configuration mode.
(Optional) Creates a description for the flow sampler.
Example:
Router(config-sampler)# description Sample at
50%
Step 5
mode {deterministic | random} 1 out-of

window-size
Specifies the sampler mode and the flow sampler window

size.
Example:
The range for the window-size argument is from 2 to

32768.
Router(config-sampler)# mode random 1 out-of 2
Step 6
exit
Exits sampler configuration mode and returns to global

configuration mode.
Example:
Router(config-sampler)# exit
Step 7

mode.
Example:
Step 8
{ip | ipv6} flow monitor {monitor-name

[[sampler] sampler-name] {input | output}}
Assigns the flow monitor and the flow sampler that you
created to the interface to enable sampling.
Example:
FLOW-MONITOR-1 sampler SAMPLER-1 input
Step 9
end
Example:

EXEC mode.
Configuration Examples for Using Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic with Flexible
Verifying the Flow Sampler Configuration

To display the status and statistics of the flow sampler that you configured and enabled, perform the
following optional task.
SUMMARY STEPS
1.
enable
2.
show sampler
DETAILED STEPS
Step 1
enable
Router> enable
Router#
Step 2
show sampler
The show sampler command shows the current status of the sampler that you specify.
Router# show sampler SAMPLER-1
Sampler SAMPLER-1:
ID:
2
Description:
Sample at 50%
Type:
random
Rate:
1 out of 2
Samples:
2482
Requests:
4964
Users (1):
flow monitor FLOW-MONITOR-1 (ip,Et0/0,I
2482 out of 4964
Configuration Examples for Using Flow Sampling to Reduce the

CPU Overhead of Analyzing Traffic with Flexible NetFlow
The following example shows you how configure and enable a deterministic sampler:
Configuring and Enabling a Deterministic Sampler for IPv4 Traffic, page 8
Configuring and Enabling a Deterministic Sampler for IPv6 Traffic, page 8
Adding a Sampler to a Flow Monitor When a Flow Monitor Is Already Enabled on an Interface,
page 9
Removing a Sampler from a Flow Monitor, page 9
Configuring and Enabling a Deterministic Sampler for IPv4 Traffic

The following example shows how to configure and enable deterministic sampling for IPv4 output
traffic.
!
exit
!
sampler SAMPLER-1
mode deterministic 1 out-of 2
exit
!
ip cef
!
ip address 172.16.6.2 255.255.255.0
ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 output
!
The following example shows how to configure and enable deterministic sampling for IPv4 input traffic.
!
exit
!
sampler SAMPLER-1
exit
!
ip cef
!
ip address 172.16.6.2 255.255.255.0
ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input
!
Configuring and Enabling a Deterministic Sampler for IPv6 Traffic

The following example shows how to configure and enable deterministic sampling for IPv6 output
traffic.
!
exit
!
sampler SAMPLER-1
exit
!
ip cef
ipv6 cef
!
ipv6 flow monitor FLOW-MONITOR-2 sampler SAMPLER-1 output
!
The following example shows how to configure and enable deterministic sampling for IPv6 input traffic.
!
exit
!
sampler SAMPLER-1
exit
!
ip cef
ipv6 cef
!
ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input
!
Adding a Sampler to a Flow Monitor When a Flow Monitor Is Already Enabled

on an Interface
The following example shows what happens when you try to add a sampler to a flow monitor that has
already been enabled on an interface without a sampler:
Router(config)# interface Ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 in
% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in full mode and cannot be
enabled with a sampler.
The following example shows how to remove the flow monitor from the interface so that it can be
enabled with the sampler:
Router(config-if)# no ip flow monitor FLOW-MONITOR-1 in
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 in
Removing a Sampler from a Flow Monitor

The following example shows what happens when you try to remove a sampler from a flow monitor on
an interface by entering the flow monitor command again without the sampler keyword and argument:
Router(config-if)# ip flow monitor FLOW-MONITOR-1 in
% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in sampled mode and cannot be
enabled in full mode.
The following example shows how to remove the flow monitor that was enabled with a sampler from the
interface so that it can be enabled without the sampler:
Where to Go Next
Router(config-if)# no ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 in

Router(config-if)# ip flow monitor FLOW-MONITOR-1 in
Where to Go Next
Monitors module.
Related Documents
Related Topic
Document Title
data.
Flow Exporters

Monitors

records

Network Traffic

Network Traffic

Flexible NetFlow

Flexible NetFlow
10
Standards
Standard
Title
MIBs
MIB
MIBs Link
None

following URL:
RFCs
RFC
Title
RFC #3954
Description
Link


11

Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required..
Note
12
Table 1
Feature Name
Releases
Flexible NetFlow
12.4(9)T

Prerequisites for Using Flow Sampling, page 2
Information About Flexible NetFlow Samplers, page 3
How to Configure Flow Sampling to Reduce the CPU

Overhead of Analyzing Traffic with Flexible NetFlow,
page 3
Configuration Examples for Using Flow Sampling to

Reduce the CPU Overhead of Analyzing Traffic with

(Flexible NetFlow).
13
Table 1
Feature Name
Releases
12.4(20)T

How to Configure Flow Sampling to Reduce the CPU

Overhead of Analyzing Traffic with Flexible NetFlow,
page 3
Configuring and Enabling a Deterministic Sampler for

IPv6 Traffic, page 8

coincidental.
14

First Published: October 10, 2008
This document contains information about and instructions for configuring the Flexible Netflow - IPv4
Multicast Statistics Support feature. Prior to the introduction of the Flexible Netflow - IPv4 Multicast
Statistics Support feature, Flexible NetFlow was capable of analyzing IPv4 multicast traffic, but was not
capable of reporting the number of replicated bytes or the number of replicated packets in multicast
flows. The Flexible Netflow - IPv4 Multicast Statistics Support feature adds the capability of reporting
the number of replicated bytes and the number of replicated packets in multicast flows to Flexible
NetFlow.
NetFlow is a Cisco IOS technology that provides statistics on packets flowing through a networking
device. NetFlow is the standard for acquiring IP operational data from IP networks. NetFlow provides
network and security monitoring, network planning, traffic analysis, and IP accounting.

supported, see the Feature Information for IPv4 Multicast Statistics Support section on page 8.
Configuring IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow
Contents
Contents
Prerequisites for Configuring IPv4 Multicast Statistics Support, page 2
Restrictions for Configuring IPv4 Multicast Statistics Support, page 2
Information About IPv4 Multicast Statistics Support, page 3
How to Configure IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow, page 3
Configuration Examples for IPv4 Multicast Statistics Support, page 6
Feature Information for IPv4 Multicast Statistics Support, page 8
Prerequisites for Configuring IPv4 Multicast Statistics Support

The following prerequisites must be met before you can configure multicast support for Flexible
NetFlow:
You are familiar with the information in the Customizing Cisco IOS Flexible NetFlow Flow
Records and Flow Monitors module.
The networking device is running a Cisco IOS release that supports the Flexible Netflow - IPv4
Multicast Statistics Support feature. See the Cisco IOS Flexible NetFlow Features Roadmap
module for a list of Cisco IOS software releases that support the Flexible Netflow - IPv4 Multicast
Statistics Support feature.
The networking device is configured for IPv4 unicast routing and IPv4 multicast routing.
One of the following is enabled on your networking device and on any interfaces on which you want
to enable Flexible NetFlow: Cisco Express Forwarding (CEF), distributed CEF (dCEF).
Restrictions for Configuring IPv4 Multicast Statistics Support

The following restrictions apply to configuring multicast support for Flexible NetFlow:
IPv4 traffic
When the replication-factor field is used in a flow record, it will only have a non-zero value in the
cache for ingress multicast traffic that is forwarded by the router. If the flow record is used with a
flow monitor in output (egress) mode and/or to monitor unicast traffic, the cache data for the
replication factor field is set to 0.
IPv6 traffic
Traffic monitoring for multicast statistics is not supported.
Information About IPv4 Multicast Statistics Support
Information About IPv4 Multicast Statistics Support

The Flexible Netflow - IPv4 Multicast Statistics Support feature adds the capability of reporting the
number of replicated bytes and the number of replicated packets in multicast flows to Flexible NetFlow.
You can capture the packet-replication factor for a specific flow as well as for each outgoing stream.
You can use the The Flexible Netflow - IPv4 Multicast Statistics Support feature to identify and count
multicast packets on the ingress side or the egress side (or both sides) of a networking device. Multicast
ingress accounting provides information about the source and how many times the traffic was replicated.
Multicast egress accounting monitors the destination of the traffic flow.
How to Configure IPv4 Multicast Statistics Support for Cisco IOS

Flexible NetFlow
To configure the Flexible Netflow - IPv4 Multicast Statistics Support feature, perform the following
task.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
description string
5.
match routing is-multicast
6.
Add key fields for the record as required using other match commands.
7.
collect counter {bytes replicated [long] | packets replicated [long]}
8.
collect routing multicast replication-factor
9.
Add non-key fields for the record as required using other collect commands.
10. flow monitor monitor-name

11. description string
12. record record-name
13. interface type number
14. ip flow monitor monitor-name [multicast | unicast] {input | output}
15. Repeat Steps 13 and 14 to activate a flow monitor on any other interfaces in the networking device
over which you want to monitor traffic.

16. end
How to Configure IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Example:
Step 4
description string

mode.

of a flow record named record-name, use the
Example:
for IPv4 multicast traffic analysis
Step 5
Example:
Configures IPv4 multicast destination addresses (indicating

that the IPv4 traffic is multicast traffic) as a key field for the
flow record.
Router(config-flow-record)# match routing

is-multicast
Step 6
Add key fields for the record as required using other

match commands.
For information about the other match commands that are

available to configure key fields, refer to the Cisco IOS
Step 7
collect counter {bytes replicated [long] |

packets replicated [long]}
Configures the number of bytes or packets multiplied by the

multicast replication factor (number of interfaces the
multicast traffic is forwarded over) as a non-key field.
Example:
Default: Uses a 32-bit counter. The long keyword

configures a 64-bit counter.
Router(config-flow-record)# collect counter

packets replicated
Step 8
Example:
Configures the multicast replication factor (number of

interfaces over which multicast traffic is forwarded) as a
non-key field.
Router(config-flow-record)# collect routing

multicast replication-factor
Step 9
Add non-key fields for the record as required using

other collect commands.
For information about the other collect commands that are

available to configure non-key fields, refer to the Cisco IOS
How to Configure IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow
Step 10
Command or Action
Purpose

Example:
Step 11
description string

configuration mode.
Example:
for IPv4 multicast traffic analysis
Step 12
record record-name
Example:
FLOW-RECORD-2
Step 13

mode.
Example:
Step 14
ip flow monitor monitor-name [multicast |

unicast] {input | output}
Example:
Activates the flow monitor that was created previously by

assigning it to the interface to analyze traffic. To monitor
only multicast traffic, use the multicast keyword. Default:
Unicast traffic and multicast traffic are monitored.

Step 15
Repeat Steps 13 and 14 to activate a flow monitor on

any other interfaces in the networking device over
which you want to monitor traffic.
Step 16
end
Exits flow interface configuration mode and returns to

Example:
Examples
The following output from the show flow monitor command shows four multicast flows and three
unicast flows:
Router# show flow monitor FLOW-MONITOR-2 cache
Cache type:
Cache size:
Current entries:
High Watermark:
Flows added:
Flows aged:
Normal
4096
8
8
4074
4066
Configuration Examples for IPv4 Multicast Statistics Support
Active timeout
(
Inactive timeout (
Event aged
Watermark aged
Emergency aged
IP IS MULTICAST
===============
Yes
Yes
No
No
No
Yes
No
Yes
1800 secs)
15 secs)
IPV4 DST ADDR

===============
224.192.16.1
224.192.65.1
10.1.4.2
10.1.2.2
10.1.3.2
224.0.0.13
255.255.255.255
224.0.0.1
46
4020
0
0
0
pkts rep
==========
16642
16621
0
0
0
0
0
0
Configuration Examples for IPv4 Multicast Statistics Support

This section contains the following configuration example:
Configuring IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow: Example, page 6
Configuring IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow:
Example
This example configures the following:
IPv4 multicast destination addresses (indicating that the IPv4 traffic is multicast traffic) as a key
field.
The destination IPv4 address as a key field.
The replicated packet count as a non-key field.
The replication factor as a non-key field.
The flow monitor to monitor only multicast traffic.

!
collect counter packets replicated
exit
!
exit
!
no shut
ip address 10.1.1.2 255.255.255.0
ip flow monitor FLOW-MONITOR-2 multicast input
!
end
Where to Go Next
Where to Go Next
module.
Related Documents
Related Topic
Document Title
data.
Flow Exporters


records

Network Traffic

Network Traffic
Standards
Standard
Title
Feature Information for IPv4 Multicast Statistics Support
MIBs
MIB
MIBs Link
None

following URL:
RFCs
RFC
Title
RFC #3954
Description
Link



NetFlow Features Roadmap or other available documentation for your Cisco IOS release.
Note
Table 1
Feature Information for Flexible Netflow - IPv4 Multicast Statistics Support
Feature Name
Releases
Feature Information
Flexible NetFlow
12.4(9)T

How to Configure IPv4 Multicast Statistics Support for

Cisco IOS Flexible NetFlow, page 3

(Flexible NetFlow).
Table 1
Feature Information for Flexible Netflow - IPv4 Multicast Statistics Support (continued)
Feature Name
Releases
Feature Information
Flexible Netflow - IPv4 Multicast Statistics

Support
12.4(22)T
The Flexible Netflow - IPv4 Multicast Statistics Support

feature adds the capability of reporting the number of
replicated bytes and the number of replicated packets in
multicast flows to Flexible NetFlow.
The following sections provide information about this
feature:
Prerequisites for Configuring IPv4 Multicast Statistics

Support, page 2
Restrictions for Configuring IPv4 Multicast Statistics

Support, page 2
Information About IPv4 Multicast Statistics Support,

page 3
How to Configure IPv4 Multicast Statistics Support for

Cisco IOS Flexible NetFlow, page 3
Configuration Examples for IPv4 Multicast Statistics

Support, page 6

collect counter, collect routing is-multicast, collect
routing multicast replication-factor, match routing
is-multicast, match routing multicast replication-factor,
ip flow monitor, ipv6 flow monitor.
coincidental.
10
Using Cisco IOS Flexible NetFlow Top N Talkers

to Analyze Network Traffic
First Published: October 10, 2008
This document contains information about and instructions for using the Flexible NetFlow - Top N
Talkers Support feature. The Flexible NetFlow - Top N Talkers Support feature helps you analyze the
large amount of data that Flexible NetFlow captures from the traffic in your network by providing the
ability to filter, aggregate, and sort the data in the Flexible NetFlow cache as you display it. When you
are sorting and displaying the data in the cache, you can limit the display output to a specific number of
entries with the highest values (Top N Talkers) for traffic volume, packet counters, and so on. The
Flexible NetFlow - Top N Talkers Support feature facilitates real-time traffic analysis by requiring only
the use of show commands, which can be entered in many different variations using the available
keywords and arguments to meet your traffic data analysis requirements.

supported, see the Feature Information for Flexible NetFlow Top N Talkers section on page 15.
Using Cisco IOS Flexible NetFlow Top N Talkers to Analyze Network Traffic
Contents
Contents
Prerequisites for Flexible NetFlow Top N Talkers, page 2
Information About Flexible NetFlow Top N Talkers, page 2
How to Analyze Network Traffic With Cisco IOS Flexible NetFlow Top N Talkers, page 4
Examples for Flexible NetFlow Top N Talkers, page 10
Feature Information for Flexible NetFlow Top N Talkers, page 15
Prerequisites for Flexible NetFlow Top N Talkers

The following prerequisites must be met before you can use the Flexible NetFlow - Top N Talkers
Support feature:
The networking device is running a Cisco IOS release that supports the Flexible NetFlow - Top N
Talkers Support feature. See the Feature Information for Flexible NetFlow Top N Talkers section
on page 15 for a list of Cisco IOS software releases that support Flexible NetFlow.
There are no configuration tasks associated with the Flexible NetFlow - Top N Talkers Support feature.
Therefore, in order to use the Flexible NetFlow - Top N Talkers Support feature, traffic analysis with
Flexible NetFlow must already be configured about the networking device. See the Cisco IOS Flexible
NetFlow Features Roadmap module for information on configuring traffic analysis on your networking
device with Flexible NetFlow.
Information About Flexible NetFlow Top N Talkers

Before you can use the Flexible NetFlow - Top N Talkers Support feature, you should understand the
following concepts:
Flow Filtering, page 2
Flow Aggregation, page 3
Flow Sorting and Top N Talkers, page 3
Documented Command Names and Actual Command Syntax, page 3
Combined Use of Flow Filtering, Flow Aggregation, and Flow Sorting with Top N Talkers, page 4
Memory and Performance Impact of Top N Talkers
Flow Filtering
The flow filtering function of the Flexible NetFlow - Top N Talkers Support feature filters the flow data
in a flow monitor cache based on the criteria that you specify, and displays the data.
The flow filtering function of the Flexible NetFlow - Top N Talkers Support feature is provided by the
show flow monitor cache filter command. For more information on the show flow monitor cache filter
command, refer to the Cisco IOS Flexible NetFlow Command Reference.
Information About Flexible NetFlow Top N Talkers
Flow Aggregation
Flow aggregation using the show flow monitor cache aggregate command allows you to dynamically
view the flow information in a cache using a different flow record than the cache was originally created
from. Only the fields in the cache will be available for the aggregated flows.
The flow aggregation function of the Flexible NetFlow - Top N Talkers Support feature is provided by
the show flow monitor cache aggregate command. For more information on the show flow monitor
cache aggregate command, refer to the Cisco IOS Flexible NetFlow Command Reference.
Flow Sorting and Top N Talkers

The flow sorting function of the Flexible NetFlow - Top N Talkers Support feature sorts flow data from
the Flexible NetFlow cache based on the criteria that you specify and displays the data. You can also use
the flow sorting function of the Flexible NetFlow - Top N Talkers Support feature to limit the display
output to a specific number of entries (top n talkers, where n is the number or talkers to display) by using
the top keyword.
The flow sorting and Top N Talkers function of the Flexible NetFlow - Top N Talkers Support feature is
provided by the show flow monitor cache sort command. For more information on the show flow
monitor cache sort command, refer to the Cisco IOS Flexible NetFlow Command Reference.
Documented Command Names and Actual Command Syntax

The three commands that make up the Flexible NetFlow - Top N Talkers Support feature are documented
using the Cisco documentation convention of using the initial words in the CLI syntax, omitting a
subsequent words in the CLI syntax, and using a word in the CLI syntax that follows the omitted words.
Therefore the syntax that you use for entering the commands is different from the actual documented
command name. Table 1 shows the documented commands names and the actual command CLI syntax.
The monitor-name argument is the name of a flow monitor that was previously configured.
Note
The arguments and keywords that you can use after filter, aggregation, and sort are not included in
Table 1. For more information on the arguments and keywords that you can use after filter, aggregation,
and sort, refer to the Cisco IOS Flexible NetFlow Command Reference.
Table 1
Documented Command Names and Actual Command Syntax
Documented Command Name
Actual CLI Syntax for Using the Command
show flow monitor cache filter
show flow monitor monitor-name cache filter
show flow monitor cache aggregation
show flow monitor monitor-name cache aggregation
show flow monitor cache sort
show flow monitor monitor-name cache sort
How to Analyze Network Traffic With Cisco IOS Flexible NetFlow Top N Talkers
Combined Use of Flow Filtering, Flow Aggregation, and Flow Sorting with
Top N Talkers
Although each of the show commands that make up the Flexible NetFlow - Top N Talkers Support
feature can be used individually for traffic analysis; they provide much greater analytical capabilities
when they are used together. When you use any combination of the three show commands, you enter
only the common prefix of show flow monitor monitor-name cache followed by filter, aggregation,
sort, and the arguments and keywords available for filter, aggregation, sort, as required. For example,
show flow monitor monitor-name cache filter options aggregation options sort options
where options is any permissible combination of arguments and keywords. See the Examples for
Flexible NetFlow Top N Talkers section on page 10 for more information.
Memory and Performance Impact of Top N Talkers

The Flexible NetFlow - Top N Talkers Support feature can use a large number of CPU cycles and
possibly also system memory for a short time. However, because Flexible NetFlow - Top N Talkers
Support feature uses only show commands, the CPU usage should be run at a low priority because there
is no real-time data processing involved. The memory usage can be mitigated by using a larger
granularity of aggregation, or no aggregation at all.
How to Analyze Network Traffic With Cisco IOS Flexible

NetFlow Top N Talkers
The tasks in this section are examples of using the Flexible NetFlow - Top N Talkers Support feature to
analyze traffic in a network:
Filtering Flow Data from the Flexible NetFlow Cache, page 4
Aggregating Flow Data from the Flexible NetFlow Cache, page 6
Sorting Flow Data from the Flexible NetFlow Cache, page 6
Sorting Flow Data from the Flexible NetFlow Cache and Displaying the Top N Talkers, page 8
Filtering Flow Data from the Flexible NetFlow Cache

This task shows you how to use the show flow monitor cache filter command with a regular expression
to filter the flow monitor cache data, and display the results. For more information on regular expressions
and the show flow monitor cache filter command, refer to the Cisco IOS Flexible NetFlow Command
Reference.
To filter the flow monitor cache data using a regular expression and display the results, perform the
following task.
SUMMARY STEPS
1.
enable
2.
show flow monitor [name] monitor-name cache filter options [regexp regexp] [...options [regexp
regexp] [format {csv | record | table}
DETAILED STEPS
Step 1
enable
Enters privileged EXEC mode.
Router> enable
Step 2
show flow monitor [name] monitor-name cache filter options [regexp regexp] [...options [regexp
regexp] [format {csv | record | table}
Filters the flow monitor cache data on the IPv4 type of service (ToS) value.
Router# show flow monitor FLOW-MONITOR-3 cache filter ipv4 tos regexp 0x(C0|50)
Cache type:
Cache size:
Current entries:
High Watermark:
Flows added:
Flows aged:
- Active timeout
(
- Event aged
- Watermark aged
- Emergency aged
TRNS SOURCE PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
ipv4 source mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
Normal
4096
19
38
1800 secs)
15 secs)
3516
3497
52
3445
0
0
0
10.1.1.1
255.255.255.255
520
520
Et0/0
0
0xC0
17
0
0
0.0.0.0
/24
/0
0x00
Null
52
1
18:59:46.199
18:59:46.199
Matched 1 flow
Aggregating Flow Data from the Flexible NetFlow Cache

This task shows you how to use the show flow monitor cache aggregate command to aggregate the flow
monitor cache data with a different record than the cache was created with, and display the results. For
more information on the show flow monitor cache aggregate command, refer to the Cisco IOS Flexible
NetFlow Command Reference.
To aggregate the flow monitor cache data and display the results, perform the following task.
SUMMARY STEPS
1.
enable
2.
show flow monitor [name] monitor-name cache aggregate {{options [...options] [collect options
[...options]] | record record-name} [format {csv | record | table}}
DETAILED STEPS
Step 1
enable
Router> enable
Step 2
show flow monitor [name] monitor-name cache aggregate {{options [...options] [collect options
[...options]] | record record-name} [format {csv | record | table}}
Aggregates the flow monitor cache data on the IPv4 destination address and displays the cache data for
the IPv4 protocol type and input interface non-key fields:
Router# show flow monitor FLOW-MONITOR-3 cache aggregate ipv4 destination address collect
ipv4 protocol interface input
Processed 17 flows
Aggregated to 7 flows
IPV4 DST ADDR
===============
224.192.16.4
224.192.16.1
224.192.18.1
224.192.45.12
255.255.255.255
224.0.0.13
224.0.0.1
intf input
====================
Et0/0
Et0/0
Et0/0
Et0/0
Et0/0
Et0/0
Et0/0
flows
==========
3
3
4
4
1
1
1
bytes
==========
42200
17160
18180
14440
52
54
28
pkts
==========
2110
858
909
722
1
1
1
ip prot
=======
1
1
1
1
17
103
2
Sorting Flow Data from the Flexible NetFlow Cache

This task shows you how to use the show flow monitor cache sort command to sort the flow monitor
cache data, and display the results. For more information on the show flow monitor cache sort
command, refer to the Cisco IOS Flexible NetFlow Command Reference.
To sort the flow monitor cache data and display the results, perform the following task.
SUMMARY STEPS
1.
enable
2.
show flow monitor [name] monitor-name cache sort options [top [number]] [format {csv | record
| table}]
DETAILED STEPS
Step 1
enable
Router> enable
Step 2
show flow monitor [name] monitor-name cache sort options [top [number]] [format {csv | record |
table}]
Displays the cache data sorted on the number of packets from highest to lowest.
Note
When the top keyword is not used, the default number of sorted flows shown is 20.
Router# show flow monitor FLOW-MONITOR-1 cache sort highest counter packets
Processed 26 flows
Showing the top 20 flows
TRNS SOURCE PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
ipv4 source mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
10.1.1.3
172.16.10.11
443
443
Et0/0.1
0
0x00
6
0
0
172.16.7.2
/0
/24
0x00
Et1/0.1
22760
1569
19:42:32.924
19:57:28.656

TRNS SOURCE PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
ipv4 source mask:
10.10.11.2
172.16.10.6
65
65
Et0/0.1
0
0x00
6
0
0
172.16.7.2
/0
/24
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
.
.
.
TRNS SOURCE PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
ipv4 source mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
0x00
Et1/0.1
22720
568
19:42:34.264
19:57:28.428

TRNS SOURCE PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
ipv4 source mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
10.234.53.1
172.16.10.2
0
2048
Et0/0.1
0
0x00
1
0
0
172.16.7.2
/0
/24
0x00
Et1/0.1
15848
213
19:42:36.904
19:57:27.888
192.168.67.6
172.16.10.200
0
3073
Et0/0.1
0
0x00
1
0
0
172.16.7.2
/0
/24
0x00
Et1/0.1
15848
344
19:42:36.852
19:57:27.836
Sorting Flow Data from the Flexible NetFlow Cache and Displaying the Top N
Talkers
This task shows you how to use the show flow monitor cache sort command to sort the flow monitor
cache data, and to limit the display results to a specific number of high volume flows. For more
information on the show flow monitor cache sort command, refer to the Cisco IOS Flexible NetFlow
Command Reference.
To sort the flow monitor cache data and limit the display output using to a specific number of high
volume flows, perform the following task:
SUMMARY STEPS
1.
enable
2.
show flow monitor [name] monitor-name cache sort options [top [number]] [format {csv | record
| table}]
DETAILED STEPS
Step 1
enable
Router> enable
Step 2
show flow monitor [name] monitor-name cache sort options [top [number]] [format {csv | record |
table}]
Displays the cache data sorted on the number of packets from highest to lowest and limits the output to
the three highest volume flows:
Router# show flow monitor FLOW-MONITOR-1 cache sort highest counter packets top 3
Processed 25 flows
TRNS SOURCE PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
ipv4 source mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
10.1.1.3
172.16.10.11
443
443
Et0/0.1
0
0x00
6
0
0
172.16.7.2
/0
/24
0x00
Et1/0.1
32360
1897
19:42:32.924
20:03:47.100

TRNS SOURCE PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
ipv4 source mask:
10.10.11.2
172.16.10.6
65
65
Et0/0.1
0
0x00
6
0
0
172.16.7.2
/0
Examples for Flexible NetFlow Top N Talkers

tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
/24
0x00
Et1/0.1
32360
809
19:42:34.264
20:03:48.460

TRNS SOURCE PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
ipv4 source mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
172.16.1.84
172.16.10.19
80
80
Et0/0.1
0
0x00
6
0
0
172.16.7.2
/24
/24
0x00
Et1/0.1
32320
345
19:42:34.512
20:03:47.140

This section contains the following example:
Filtering, Aggregating, and Sorting Flow Data from the Flexible NetFlow Cache and Displaying the
Top Talkers: Example, page 10
Filtering Using Multiple Filtering Criterion: Example, page 12
Aggregation Using Multiple Aggregation Criterion: Example, page 13
Filtering, Aggregating, and Sorting Flow Data from the Flexible NetFlow Cache
and Displaying the Top Talkers: Example
The following example combines filtering, aggregation, collecting additional field data, sorting the flow
monitor cache data, and limiting the display output to a specific number of high volume flows (top
talkers).
This sample runs in privileged EXEC mode:
Router# show flow monitor FLOW-MONITOR-1 cache filter ipv4 protocol regexp (1|6) aggregate
ipv4 destination address collect ipv4 protocol sort counter bytes top 4
Processed 26 flows
Matched 26 flows
10
IPV4 DST ADDR

===============
172.16.10.2
172.16.10.19
172.16.10.20
172.16.10.4
flows
==========
12
2
2
1
bytes
==========
1358370
44640
44640
22360
pkts
==========
6708
1116
1116
559
The following example combines filtering using a regular expression, aggregation using a predefined
record, sorting the flow monitor cache data, limiting the display output to a specific number of high
volume flows (top talkers), and displaying the output in record format.
This sample runs in privileged exec mode:
Router# show flow monitor FLOW-MONITOR-1 cache filter ipv4 source address regexp 10.*
aggregate record netflow ipv4 protocol-port sort transport destination-port top 5 format
record
Processed 26 flows
Matched 15 flows
TRNS SOURCE PORT:
FLOW DIRECTION:
IP PROTOCOL:
counter flows:
counter bytes:
counter packets:
timestamp first:
timestamp last:
0
0
Input
1
1
387800
700
17:12:30.712
17:30:52.936
TRNS SOURCE PORT:

FLOW DIRECTION:
IP PROTOCOL:
counter flows:
counter bytes:
counter packets:
timestamp first:
timestamp last:
20
20
Input
6
2
56000
1400
17:12:29.532
17:30:53.148
TRNS SOURCE PORT:

FLOW DIRECTION:
IP PROTOCOL:
counter flows:
counter bytes:
counter packets:
timestamp first:
timestamp last:
21
21
Input
6
2
56000
1400
17:12:29.572
17:30:53.196
TRNS SOURCE PORT:

FLOW DIRECTION:
IP PROTOCOL:
counter flows:
counter bytes:
counter packets:
timestamp first:
timestamp last:
22
22
Input
6
1
28000
700
17:12:29.912
17:30:52.168
TRNS SOURCE PORT:

25
25
11
FLOW DIRECTION:
IP PROTOCOL:
counter flows:
counter bytes:
counter packets:
timestamp first:
timestamp last:
Input
6
2
56000
1400
17:12:29.692
17:30:51.968
Filtering Using Multiple Filtering Criterion: Example

The following example filters the cache data on the IPv4 destination address and the destination port:
Router# show flow monitor FLOW-MONITOR-1 cache filter ipv4 destination address regexp
172.16.10* transport destination-port 21
Cache type:
Cache size:
Current entries:
High Watermark:
Flows added:
Flows aged:
- Active timeout
(
- Event aged
- Watermark aged
- Emergency aged
12
Normal
4096
26
26
1800 secs)
15 secs)

TRNS SOURCE PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
ipv4 source mask:
tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
10.10.10.2
172.16.10.2
21
21
Et0/0.1
0
0x00
6
0
0
172.16.7.2
/0
/24
0x00
Et1/0.1
17200
430
17:03:58.071
17:15:14.615

TRNS SOURCE PORT:
INTERFACE INPUT:
FLOW SAMPLER ID:
IP TOS:
IP PROTOCOL:
ip source as:
ip destination as:
172.30.231.193
172.16.10.2
21
21
Et0/0.1
0
0x00
6
0
0
172.16.7.2
241
215
50
165
0
0
0
ipv4 source mask:

tcp flags:
interface output:
counter bytes:
counter packets:
timestamp first:
timestamp last:
/0
/24
0x00
Et1/0.1
17160
429
17:03:59.963
17:15:14.887
Matched 2 flows
Aggregation Using Multiple Aggregation Criterion: Example

The following example aggregates the flow monitor cache data on the destination and source IPv4
addresses:
Router# show flow monitor FLOW-MONITOR-1 cache aggregate ipv4 destination address ipv4
source address
Processed 26 flows
IPV4 SRC ADDR
===============
10.251.10.1
192.168.67.6
10.234.53.1
172.30.231.193
10.10.10.2
192.168.87.200
10.10.10.4
10.10.11.1
10.10.11.2
10.10.11.3
10.10.11.4
10.1.1.1
10.1.1.2
10.1.1.3
172.16.1.84
172.16.1.85
172.16.6.1
IPV4 DST ADDR

===============
172.16.10.2
172.16.10.200
172.16.10.2
172.16.10.2
172.16.10.2
172.16.10.2
172.16.10.4
172.16.10.5
172.16.10.6
172.16.10.7
172.16.10.8
172.16.10.9
172.16.10.10
172.16.10.11
172.16.10.19
172.16.10.20
224.0.0.9
flows
==========
2
1
3
3
2
2
1
1
1
1
1
1
1
1
2
2
1
bytes
==========
1400828
19096
73656
73616
54560
54560
27280
27280
27280
27280
27280
27280
27280
27280
54520
54520
52
pkts
==========
1364
682
2046
2045
1364
1364
682
682
682
682
682
682
682
682
1363
1363
1
Router#
The following sections provide references related to the Flexible NetFlow - Top N Talkers Support
feature.
13
Related Documents
Related Topic
Document Title
data
Flow Exporters

Monitors



records

Flexible NetFlow

Flexible NetFlow
Standards
Standard
Title
MIBs
MIB
MIBs Link
None

following URL:
RFCs
RFC
Title
There are no RFCs associated with this feature.
14
Feature Information for Flexible NetFlow Top N Talkers
Description
Link



Note
15
Table 2
Feature Name
Releases
Feature Usage Information
Flexible NetFlow - Top N Talkers Support
12.4(22)T
Helps you analyze the large amount of data Flexible

NetFlow captures from the traffic in your network by
providing the ability to filter, aggregate, and sort the data in
the Flexible NetFlow cache as you display it.
Information about the Flexible NetFlow - Top N Talkers
Support feature is included in the following sections:
Prerequisites for Flexible NetFlow Top N Talkers,

page 2
Information About Flexible NetFlow Top N Talkers,

page 2
How to Analyze Network Traffic With Cisco IOS

Flexible NetFlow Top N Talkers, page 4
Examples for Flexible NetFlow Top N Talkers, page 10

show flow monitor cache aggregate, show flow monitor
cache filter, show flow monitor cache sort.
16
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, the Cisco logo, DCE, and Welcome to the Human
Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet,
AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork
Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation,
EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ
Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace,
MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare,
SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo
are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
coincidental.
17
18

Configuracion Basica de Netflow

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Configuracion Basica de Netflow

Încărcat de

Drepturi de autor:

Formate disponibile

Cisco IOS Flexible NetFlow

About Cisco IOS and Cisco IOS XE Software

Documentation Objectives, page i

Documentation Conventions, page ii

Documentation Organization, page iii

Additional Resources and Documentation Feedback, page xi

About Cisco IOS and Cisco IOS XE Software Documentation

Typographic Conventions, page ii

Command Syntax Conventions, page ii

Software Conventions, page iii

Reader Alert Conventions, page iii

A string is a nonquoted set of characters shown in italics. For example, when

Command Syntax Conventions

Italic text indicates arguments for which you supply values.

Square brackets enclose an optional keyword or argument.

A vertical line, called a pipe, indicates a choice within a set of keywords

Square brackets enclosing keywords or arguments separated by a pipe indicate an

Braces enclosing keywords or arguments separated by a pipe indicate a

About Cisco IOS and Cisco IOS XE Software Documentation

Courier font is used for information that is displayed on a PC or terminal screen.

Bold Courier font

Square brackets enclose default responses to system prompts.

Reader Alert Conventions

Cisco IOS Documentation Set, page iv

Cisco IOS Documentation on Cisco.com, page iv

Configuration Guides, Command References, and Supplementary Resources, page v

About Cisco IOS and Cisco IOS XE Software Documentation

Cisco IOS Documentation Set

task-oriented descriptions of Cisco IOS features.

Cisco IOS Documentation on Cisco.com

About Cisco IOS and Cisco IOS XE Software Documentation

Supplementary documents and resources are listed in Table 2 on page xi.

Configuration Guides, Command References, and Supplementary Resources

Configuration Guide and Command Reference Titles

Cisco IOS AppleTalk Configuration Guide

Cisco IOS XE AppleTalk Configuration Guide

LAN ATM, multiprotocol over ATM (MPoA), and WAN ATM.

Cisco IOS Asynchronous Transfer Mode

About Cisco IOS and Cisco IOS XE Software Documentation

Configuration Guide and Command Reference Titles

Transparent and source-route transparent (SRT) bridging,

Data-link switching plus (DLSw+), serial tunnel (STUN),

Cisco IOS Bridging Command Reference

Cisco IOS Broadband and DSL Configuration Guide

Point-to-Point Protocol (PPP) over ATM (PPPoA) and PPP over

Cisco IOS Broadband and DSL Command Reference

Cisco IOS Configuration Fundamentals

Connectivity fault management (CFM), Ethernet Local

Cisco IOS Configuration Fundamentals

Cisco IOS XE DECnet Configuration Guide

Asynchronous communications, dial backup, dialer technology,

About Cisco IOS and Cisco IOS XE Software Documentation

Configuration Guide and Command Reference Titles

Cisco IOS H.323 Configuration Guide

Gatekeeper enhancements for managed voice services,

Cisco IOS High Availability Configuration Guide

A variety of High Availability (HA) features and technologies

Cisco IOS XE High Availability Configuration Guide

Cisco IOS Integrated Session Border Controller

A VoIP-enabled device that is deployed at the edge of networks.

Cisco IOS Intelligent Service Gateway

Subscriber identification, service and policy determination,

Cisco IOS Interface and Hardware Component

LAN interfaces, logical interfaces, serial interfaces, virtual