To configure the flow cache parameter for a Flexible NetFlow flow monitor, use the
cache command in Flexible NetFlow flow monitor configuration mode. To remove a flow cache parameter for a Flexible NetFlow flow monitor, use the
no form of this command.
nocache
{ entries | timeout
{ active | event transaction-end | inactive | update | synchronized }
| type
{ immediate | normal | permanent | synchronized } }
Syntax Description
entriesnumber
Specifies the maximum number of entries in the flow monitor cache. The range is from 16 to 2000000.
Note
On the Cisco ISR 4300 and 4400 Series Integrated Services Routers, the range is from 16 to 1000000.
timeoutactiveseconds
Specifies the active flow timeout in seconds. The range is from 1 to 604800 (7 days). The default is 1800.
timeouteventtransaction-end
Specifies that the record is generated and exported in the NetFlow cache at the end of a transaction.
timeoutinactiveseconds
Specifies the inactive flow timeout in seconds. The range is from 1 to 604800 (7 days).The default is 15.
timeoutupdateseconds
Specifies the update timeout, in seconds, for a permanent flow cache. The range is from 1 to 604800 (7 days). The default is 1800.
timeoutsynchronizedinterval
Specifies the synchronized interval timeout value. The range is from 1 to 300.
export-spread
Enables export spreading.
spread-interval
The export spreading interval in seconds. The valid period is 5 or 6.
type
Specifies the type of the flow cache.
immediate
Configures an immediate cache type. This cache type will age out every record as soon as it is created.
normal
Configures a normal cache type. The entries in the flow cache will be aged out according to the
timeoutactiveseconds and
timeoutinactiveseconds settings. This is the default cache type.
permanent
Configures a permanent cache type. This cache type disables flow removal from the flow cache.
synchronized
Configures a synchronized cache type.
Command Default
The default Flexible NetFlow flow monitor flow cache parameters are used.
The following flow cache parameters for a Flexible NetFlow flow monitor are enabled:
Cache type: normal
Maximum number of entries in the flow monitor cache: 4096
Active flow timeout: 1800 seconds
Inactive flow timeout: 15 seconds
Update timeout for a permanent flow cache: 1800 seconds
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
Cisco IOS XE Release 3.4S
This command was modified. The
eventtransaction-end keyword was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE with support for the
timeout and
typenormal keywords only.
Cisco IOS XE Release 3.11S
This command was modified. The export-spread keyword was added. The update keyword was removed.
Usage Guidelines
Each flow monitor has a cache that it uses to store all the flows it monitors. Each cache has various configurable elements, such as the number of entries and the time that a flow is allowed to remain in it. When a flow times out, it is removed from the cache and sent to any exporters that are configured for the corresponding flow monitor.
If a cache is already active (that is, you have applied the flow monitor to at least one interface in the router), your changes to the record, cache type, and cache size parameters will not take effect until you either reboot the router or remove the flow monitor from every interface and then reapply it. Therefore whenever possible you should customize the record, cache type, and cache size parameters for the cache before you apply the flow monitor to an interface. You can modify the timers, flow exporters, and statistics parameters for a cache while the cache is active.
cache entries
This command controls the size of the cache. Cache size should be based on a number of factors, including the number of flows expected, the time the flows are expected to last (based on the configured key fields and the traffic), and the timeout values configured for the cache. The size should be large enough to minimize emergency expiry.
Emergency expiry is caused by the Flexible NetFlow cache becoming full. When the Flexible NetFlow cache becomes full, the router performs “emergency expiry” where a number of flows are immediately aged, expired from the Flexible NetFlow cache, and exported in order to free up space for more flows.
For a permanent cache (flows never expire), the number of entries should be large enough to accommodate the number of flows expected for the entire duration of the cache entries. If more flows occur than there are cache entries, the excess flows are not recorded in the cache.
For an immediate cache (flows expire immediately), the number of entries simply controls the amount of history that is available for previously seen packets.
cache timeout active
This command controls the aging behavior of the normal type of cache. If a flow has been active for a long time, it is usually desirable to age it out (starting a new flow for any subsequent packets in the flow). This age out process allows the monitoring application that is receiving the exports to remain up to date. By default this timeout is 1800 seconds (30 minutes), but it can be adjusted according to system requirements. A larger value ensures that long-lived flows are accounted for in a single flow record; a smaller value results in a shorter delay between starting a new long-lived flow and exporting some data for it.
cache timeout event transaction-end
To use this command, you must configure the
matchconnectiontransactionid command and the
matchapplicationname command for the flow record. This command causes the record to be generated and exported in the NetFlow cache at the end of a transaction. A transaction is a set of logical exchanges between endpoints. There is normally one transaction within a flow.
cache timeout inactive
This command controls the aging behavior of the normal type of cache. If a flow has not seen any activity for a specified amount of time, that flow will be aged out. By default, this timeout is 15 seconds, but this value can be adjusted depending on the type of traffic expected.
If a large number of short-lived flows is consuming many cache entries, reducing the inactive timeout can reduce this overhead. If a large number of flows frequently get aged out before they have finished collecting their data, increasing this timeout can result in better flow correlation.
cache timeout update
This command controls the periodic updates sent by the permanent type of cache. This behavior is similar to the active timeout, except that it does not result in the removal of the cache entry from the cache. By default, this timer value is 1800 seconds (30 minutes).
This command configures export spreading on a synchronized cache. As asynchronous monitors need to aggregate the data in a few seconds, you can enable and configure export spreading only when you configure the synchronized interval timeout value to more than 10 seconds. Export spreading might start a couple of seconds after the interval ends in order to complete the aggregation. No export spreading option is visible on the CLI if the synchronized interval timeout value is lower than 10 seconds. The default export spread interval is 30 seconds.
cache type immediate
This command specifies the immediate cache type. This type of cache will age out every record as soon as it is created, with the result that every flow contains just one packet. The commands that display the cache contents will provide a history of the packets seen.
The use of this cache type is appropriate when very small flows are expected and a minimum amount of latency between analyzing a packet and exporting a report is desired. We recommend using this command when you are sampling packet chunks because the number of packets per flow is typically very low.
Caution
This command may result in a large amount of export data that can overload low speed links and overwhelm any systems to which you are exporting. We recommended that you configure sampling to reduce the number of packets seen.
Note
The timeout settings have no effect for the immediate cache type.
cache type normal
This command specifies the normal cache type. This is the default cache type. The entries in the cache will be aged out according to the
timeoutactiveseconds and
timeoutinactiveseconds settings. When a cache entry is aged out, it is removed from the cache and exported via any exporters configured for the monitor associated with the cache.
cache type permanent
This command specifies the permanent cache type. This type of cache never ages out any flows. This cache type is useful when the number of flows you expect to see has a limit and there is a need to keep long-term statistics on the router. For example, if the only key field is IP TOS, a limit of 256 flows can be seen, so to monitor the long-term usage of the IP TOS field, a permanent cache can be used. Update messages are exported via any exporters configured for the monitor associated with this cache in accordance with the
timeoutupdateseconds setting.
Note
When a cache becomes full, new flows will not be monitored. If this occurs, a “Flows not added” statistic will appear in the cache statistics.
Note
A permanent cache uses update counters rather than delta counters. This means that when a flow is exported, the counters represent the totals seen for the full lifetime of the flow and not the additional packets and bytes seen since the last export was sent.
Examples
The following example shows how to configure the number of entries for the flow monitor cache:
The following example shows how to enable and configure export spreading where the synchronized interval timeout value is 12 seconds and the export spread interval is 5 seconds:
Name of a flow exporter that was previously configured.
statistics
Clears the flow exporter statistics.
Command Modes
Privileged EXEC (#)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Examples
The following example clears the statistics for all of the flow exporters configured on the router:
Router# clear flow exporter statistics
The following example clears the statistics for the flow exporter named FLOW-EXPORTER-1:
Router# clear flow exporter name FLOW-EXPORTER-1 statistics
Related Commands
Command
Description
debugflowexporter
Enables debugging output for flow exporters.
clear flow monitor
To clear a Flexible NetFlow flow monitor, flow monitor cache, or flow monitor statistics and to force the export of the data in the flow monitor cache, use the
clearflowmonitor command in privileged EXEC mode.
Name of a flow monitor that was previously configured.
cache
(Optional) Clears the flow monitor cache information.
force-export
(Optional) Forces the export of the flow monitor cache statistics.
statistics
(Optional) Clears the flow monitor statistics.
Command Modes
Privileged EXEC (#)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
cache
This keyword removes all entries from the flow monitor cache. These entries will not be exported and the data gathered in the cache will be lost.
Note
The statistics for the cleared cache entries are maintained.
force-export
This keyword removes all entries from the flow monitor cache and exports them via all flow exporters assigned to the flow monitor. This action can result in a short-term increase in CPU usage. Use with caution.
Note
The statistics for the cleared cache entries are maintained.
statistics
This keyword clears the statistics for this flow monitor.
Note
The “Current entries” statistic will not be cleared because this is an indicator of how many entries are in the cache and the cache is not cleared with this command.
Examples
The following example clears the statistics and cache entries for the flow monitor named FLOW-MONITOR-1:
Router# clear flow monitor name FLOW-MONITOR-1
The following example clears the statistics and cache entries for the flow monitor named FLOW-MONITOR-1 and forces an export:
Router# clear flow monitor name FLOW-MONITOR-1 force-export
The following example clears the cache for the flow monitor named FLOW-MONITOR-1 and forces an export:
Router# clear flow monitor name FLOW-MONITOR-1 cache force-export
The following example clears the statistics for the flow monitor named FLOW-MONITOR-1:
Router# clear flow monitor name FLOW-MONITOR-1 statistics
Related Commands
Command
Description
debugflowmonitor
Enables debugging output for flow monitors.
clear sampler
To clear the statistics for a Flexible NetFlow flow sampler, use the
clearsampler command in privileged EXEC mode.
clearsampler [name] [sampler-name]
Syntax Description
name
(Optional) Specifies the name of a flow sampler.
sampler-name
(Optional) Name of a flow sampler that was previously configured.
Command Modes
Privileged EXEC (#)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Examples
The following example clears the sampler statistics for all flow samplers configured on the router:
Router# clear sampler
The following example clears the sampler statistics for the flow sampler named SAMPLER-1:
Router# clear sampler name SAMPLER-1
Related Commands
Command
Description
debugsampler
Enables debugging output for flow samplers.
collect application http
To configure one of the HTTP application fields as a nonkey field for a flow record, use the
collectapplicationhttphost command in flow record configuration mode. To disable the use the HTTP application fields as a key field for a flow record, use the
no form of this command.
collectapplicationhttp
{ host | uri statistics }
nocollectapplicationhttp
{ host | uri statistics }
Syntax Description
This command has no arguments or keywords.
Command Default
The HTTP application fields are not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
15.2(4)S
This command was introduced.
Cisco IOS XE Release 3.7S
This command was integrated into Cisco IOS XE Release 3.7S.
15.2(4)M2
This command was integrated into Cisco IOS Release 15.2(4)M2 for MACE.
15.3(1)T
This command was integrated into Cisco IOS Release 15.3(1)T for MACE.
Usage Guidelines
This command can be used with Flexible NetFlow, MACE (Measurement, Aggregation, and Correlation Engine), and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for all three products, here we refer to the command mode for these products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The
collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the HTTP application host as a nonkey field for Flexible Netflow:
Router(config)# flow record RECORD-1
Router(config-flow-record)# collect application http host
Examples
The following example configures the HTTP application host as a nonkey field for Performance Monitor:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect application http host
The following example configures the HTTP application URI statistics as a nonkey field for Performance Monitor:
Router(config)# flow record type mace RECORD-1
Router(config-flow-record)# collect application http uri statistics
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
flowrecordtypemace
Creates a flow record, and enters MACE flow record configuration mode.
collect application name
To configure the use of the application name as a nonkey field for a flow record, use the
collectapplicationname command in flow record configuration mode. To disable the use of the application name as a nonkey field for a flow record, use the
no form of this command.
collectapplicationname
nocollectapplicationname
Syntax Description
This command has no arguments or keywords.
Command Default
The application name is not configured as a non-key field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
15.0(1)M
This command was introduced.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
15.2(3)T
This command was integrated into Cisco IOS Release 15.2(3)T for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures the application name as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect application name
Examples
The following example configures the application name as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect application name
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
matchapplicationname
Configures the use of application name as a key field for a Flexible NetFlow flow record.
collect application nntp
To configure the NNTP application group name field as a nonkey field for a flow record, use the
collectapplicationnntpgroup-name command in flow record configuration mode. To disable the use the application fields as a key field for a flow record, use the
no form of this command.
collectapplicationnntpgroup-name
nocollectapplicationnntpgroup-name
Syntax Description
This command has no arguments or keywords.
Command Default
The application version field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
15.2(4)S
This command was introduced.
Cisco IOS XE Release 3.7S
This command was integrated into Cisco IOS XE Release 3.7S.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow
collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the NNTP application group name as a nonkey field for Flexible Netflow:
Router(config)# flow record RECORD-1
Router(config-flow-record)# collect application nntp group-name
Examples
The following example configures the NNTP application group name as a nonkey field for Performance Monitor:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect application nntp group-name
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect application pop3
To configure the POP3 application server field as a nonkey field for a flow record, use the
collectapplicationpop3server command in flow record configuration mode. To disable the use the application fields as a key field for a flow record, use the
no form of this command.
collectapplicationpop3server
nocollectapplicationpop3server
Syntax Description
This command has no arguments or keywords.
Command Default
The application version field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.7S
This command was introduced.
Usage Guidelines
The fields collected by this command can only extracted using the IPFIX export protocol.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow
collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the POP3 application server as a nonkey field for Flexible Netflow:
Router(config)# flow record RECORD-1
Router(config-flow-record)# collect application pop3 server
Examples
The following example configures the POP3 application server as a nonkey field for Performance Monitor:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect application pop3 server
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect application rtsp
To configure the RTSP application hostname field as a nonkey field for a flow record, use the
collectapplicationrtsphost-name command in flow record configuration mode. To disable the use the application fields as a key field for a flow record, use the
no form of this command.
collectapplicationrtsphost-name
nocollectapplicationrtsphost-name
Syntax Description
This command has no arguments or keywords.
Command Default
The application version field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.7S
This command was introduced.
Usage Guidelines
The fields collected by this command can only extracted using the IPFIX export protocol.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow
collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the RTSP application hostname as a nonkey field for Flexible Netflow:
Router(config)# flow record RECORD-1
Router(config-flow-record)# collect application rtsp host-name
Examples
The following example configures the RTSP application hostname as a nonkey field for Performance Monitor:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect application rtsp host-name
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect application sip
To configure the SIP application destination or source field as a nonkey field for a flow record, use the
collectapplicationsip command in flow record configuration mode. To disable the use the application fields as a key field for a flow record, use the
no form of this command.
collectapplicationsip
{ destination | source }
nocollectapplicationsip
{ destination | source }
Syntax Description
This command has no arguments or keywords.
Command Default
The application version field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.7S
This command was introduced.
Usage Guidelines
The fields collected by this command can only extracted using the IPFIX export protocol.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow
collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the SIP application source as a nonkey field for Flexible Netflow:
Router(config)# flow record RECORD-1
Router(config-flow-record)# collect application sip source
Examples
The following example configures the application SMTP hostname as a nonkey field for Performance Monitor:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect application sip source
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect application smtp
To configure the SMTP application server or sender field as a nonkey field for a flow record, use the
collectapplicationsmtp command in flow record configuration mode. To disable the use the application fields as a key field for a flow record, use the
no form of this command.
collectapplicationsmtp
{ sender | server }
nocollectapplicationsmtp
{ sender | server }
Syntax Description
This command has no arguments or keywords.
Command Default
The application version field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.7S
This command was introduced.
Usage Guidelines
The fields collected by this command can only extracted using the IPFIX export protocol.
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow
collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the SMTP application server as a nonkey field for Flexible Netflow:
Router(config)# flow record RECORD-1
Router(config-flow-record)# collect application smtp server
Examples
The following example configures the SMTP application server as a nonkey field for Performance Monitor:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect application smtp server
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect connection
To configure various connection information fields as a nonkey field for a flow record, use the
collectconnection command in flow record configuration mode. To disable the use of the connection information fields as a nonkey field for a flow record, use the
no form of this command.
Configures the connection initiator as a nonkey field.
new-translations
Configures the number of TCP or UDP connections which were opened during an observation period as a nonkey field.
sum-duration
Configures the total time in seconds for all of the TCP or UDP connections which were in use during an observation period as a nonkey field.
Command Default
Connection information fields are not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.4S
This command was introduced.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The
initiator keyword provides the following information about the direction of the flow.
0x00=undefined
0x01=initiator - the flow source is initiator of the connection.
0x02=reverseInitiator - the flow destination is the initiator of the connection.
For the
new-translations and
sum-duration keywords, the observation period can be specified by the start and end timestamps for the flow.
The Flexible NetFlow
collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures information about the connection initiator as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect connection initiator
Examples
The following example configures information about the connection initiator as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect connection initiator
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect counter
To configure the number of bytes or packets in a flow as a nonkey field for a flow record, use the
collectcounter command in Flexible NetFLow flow record configuration mode. To disable the use of the number of bytes or packets in a flow (counters) as a nonkey field for a flow record, use the
no form of this command.
collectcounter
{ bytes
[ long | replicated [long] | squaredlong ] | packets
[ long | replicated [long] ] }
nocollectcounter
{ bytes
[ long | replicated [long] | squaredlong ] | packets
[ long | replicated [long] ] }
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
collectcounter
{ bytes
[ long | rate ] | packets
[ dropped [long] | long ] }
nocollectcounter
{ bytes
[ long | rate ] | packets
[ dropped [long] | long ] }
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
nocollectcounter
{ bytes
{ layer2 long | long } | packetslong }
nocollectcounter
{ bytes
{ layer2 long | long } | packetslong }
Syntax Description
bytes
Configures the number of bytes seen in a flow as a nonkey field and enables collecting the total number of bytes from the flow.
layer 2 long
Enables collecting the total number of Layer 2 bytes or packets from the flow using a 64-bit counter rather than a 32-bit counter.
For Cisco IOS XE Release 3.2SE, use the layer 2 long keywords rather than the long keyword.
long
(Optional) Enables collecting the total number of bytes or packets from the flow using a 64-bit counter rather than a 32-bit counter.
For Cisco IOS XE Release 3.2SE, use the layer 2 long keywords rather than the long keyword.
replicated
Total number of replicated (multicast) IPv4 packets.
squaredlong
(Optional) Enables collecting the total of the square of the number of bytes from the flow.
packets
Configures the number of packets seen in a flow as a nonkey field and enables collecting the total number of packets from the flow.
rate
Configures the byte rate counter as a nonkey field.
dropped
Configures the dropped packet counter as a nonkey field.
Command Default
The number of bytes or packets in a flow is not configured as a nonkey field.
Command Modes
Flexible NetFLow flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this Cisco was implemented on the 12000 series routers.
12.2(33)SRC
This command was modified. Support for this Cisco was implemented on the Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.4(22)T
This command was modified. The
replicated keyword was added.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was modified for the Cisco Performance Monitor. Thereplicated and
squaredlong keywords were removed and the
rate and
dropped keywords were added.
12.2(58)SE
This command was modified for the Cisco Performance Monitor. Thereplicated and
squaredlong keywords were removed and the
rate and
dropped keywords were added.
12.2(50)SY
This command was modified. The
replicated and
squaredlong keywords were removed.
Cisco IOS XE Release 3.2SE
This command was modified. The layer 2 long keyword combination was added. The
replicated and
squaredlong keywords were removed.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode. For Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode. Here we refer to them both as flow record configuration mode.
The Flexible NetFlow and Performance Monitor
collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
The
rate and
dropped keywords were added and the
replicated and
squaredlong keywords were removed. You must first enter theflowrecordtypeperformance-monitor command.
collect counter bytes
This command configures a 32-bit counter for the number of bytes seen in a flow.
collect counter packets
This command configures a 32-bit counter that is incremented for each packet seen in the flow. For extremely long flows it is possible for this counter to restart at 0 (wrap) when it reaches the limit of approximately 4 billion packets. On detection of a situation that would cause this counter to restart at 0, a flow monitor with a normal cache type exports the flow and starts a new flow.
collect counter packets long
This command configures a 64-bit counter that will be incremented for each packet seen in the flow. It is unlikely that a 64-bit counter will ever restart at 0.
collect counter bytes squared long
This counter can be used in conjunction with the byte and packet counters in order to calculate the variance of the packet sizes. Its value is derived from squaring each of the packet sizes in the flow and adding the results. This value can be used as part of a standard variance function.
The variance and standard deviation of the packet sizes for the flow can be calculated with the following formulas:
cbs: value from the
counterbytessquared field
pkts: value from the
counterpackets field
bytes: value from the
counterbytes field
Variance = (cbs/pkts) - (bytes/pkts)2
Standard deviation = square root of Variance
Example 1:
Packet sizes of the flow: 100, 100, 100, 100
Counter packets: 4
Counter bytes: 400, mean packet size = 100
Counter bytes squared: 40,000
Variance = (40,000/4) - (400/4)2 = 0
Standard Deviation = 0
Size = 100 +/- 0
Example 2:
Packet sizes of the flow: 50, 150, 50, 150
Counter packets: 4
Counter bytes: 400, mean packet size = 100
Counter bytes squared: 50,000
Variance = (50,000/4) - (400/4)2 = 2500
Standard deviation = 50
Size = 100 +/- 50
Examples
The following example configures the total number of bytes in the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect counter bytes
The following example configures the total number of bytes in the flows as a nonkey field using a 64-bit counter:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect counter bytes long
The following example configures the sum of the number of bytes of each packet in the flow squared as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect counter bytes squared long
The following example configures the total number of packets from the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect counter packets
The following example configures the total number of packets from the flows as a nonkey field using a 64-bit counter:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect counter packets long
The following example configures the total number of packets from the flows as a nonkey field using a 64-bit counter:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect counter packets long
Related Commands
Command
Description
flowrecord
Creates a flow record for Flexible NetFlow.
flowrecordtypeperformance-monitor
Creates a flow record for Performance Monitor.
collect datalink dot1q vlan
To configure the 802.1Q (dot1q) VLAN ID as a non-key field for a Flexible NetFlow flow record, use the
collectdatalinkdot1qvlan command in Flexible NetFlow flow record configuration mode. To disable the use of the 802.1Q VLAN ID value as a nonkey field for a Flexible NetFlow flow record, use the
no form of this command.
collectdatalinkdot1qvlan
{ input | output }
nocollectdatalinkdot1qvlan
{ input | output }
Syntax Description
input
Configures the VLAN ID of traffic being received by the router as a nonkey field.
output
Configures the VLAN ID of traffic being transmitted by the router as a nonkey field.
Command Default
The 802.1Q VLAN ID is not configured as a nonkey field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
Usage Guidelines
The
input and
output keywords of the
collectdatalinkdot1qvlan command are used to specify the observation point that is used by the
collectdatalinkdot1qvlan command to capture the 802.1q VLAN IDs from network traffic. For example, when you configure a flow record with the
collectdatalinkdot1qvlaninput command to monitor the simulated denial of service (DoS) attack in the figure below and apply the flow monitor to which the flow record is assigned in either input (ingress) mode on interface Ethernet 0/0.1 on R3 or output (egress) mode on interface Ethernet 1/0.1 on R3, the observation point is always Ethernet 0/0.1 on R3. The 802.1q VLAN ID that is collected is 5.
Figure 4. Simulated DoS Attack (a)
The observation point of
collect commands that do not have the input and/or output keywords is always the interface to which the flow monitor that contains the flow record with the
collect commands is applied.
Examples
The following example configures the 802.1Q VLAN ID of traffic being received by the router as a nonkey field for a Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect datalink dot1q vlan input
Related Commands
Command
Description
flowrecord
Creates a flow record.
collect datalink mac
To configure the use of MAC addresses as a nonkey field for a Flexible NetFlow flow record, use the
collectdatalinkmac command in Flexible NetFlow flow record configuration mode. To disable the use of Layer 2 MAC addresses as a non-key field for a Flexible NetFlow flow record, use the
no form of this command.
no collect datalink mac
{ destination | source }
address
{ input | output }
Syntax Description
destinationaddress
Configures the use of the destination MAC address as a non-key field.
sourceaddress
Configures the use of the source MAC address as a non-key field.
input
Packets received by the router.
output
Packets transmitted by the router.
Command Default
MAC addresses are not configured as a nonkey field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into 15.2(2)T without the
destination keyword for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flow record type performance-monitorcommand before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The
collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
The
input and
output keywords of the
collectdatalinkmac command are used to specify the observation point that is used by the
collectdatalinkmac command to capture the MAC addressees from network traffic. For example, when you configure a flow record with the
collectdatalinkmacdestinationaddressinputcommand to monitor the simulated denial of service (DoS) attack in the figure below and apply the flow monitor to which the flow record is assigned in either input (ingress) mode on interface Ethernet 0/0.1 on R3 or output (egress) mode on interface Ethernet 1/0.1 on R3, the observation point is always Ethernet 0/0.1 on R3. The destination MAC address that is collected is aaaa.bbbb.cc04.
Figure 5. Simulated DoS Attack (b)
When the destination output mac address is configured, the value is the destination mac address of the output packet, even if the monitor the flow record is applied to is input only.
When the destination input mac address is configured, the value is the destination mac address of the input packet, even if the monitor the flow record is applied to is output only.
When the source output mac address is configured, the value is the source mac address of the output packet, even if the monitor the flow record is applied to is input only.
When the source input mac address is configured, the value is the source mac address of the input packet, even if the monitor the flow record is applied to is output only.
Examples
The following example configures the use of the destination MAC address of packets that are received by the router as a nonkey field for a Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect datalink mac destination address input
The following example configures the use of the source MAC addresses of packets that are transmitted by the router as a nonkey field for a Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect datalink mac source address output
Examples
The following example configures the use of the source MAC addresses of packets that are transmitted by the router as a nonkey field for a Performance Monitor flow record: :
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect datalink mac source address output
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect flow
To configure the flow direction, the flow sampler ID number, or reason why the flow ended as a nonkey field for a flow record, use the
collectflow command in flow record configuration mode. To disable the use of the flow direction and the flow sampler ID number as a nonkey field for a flow record, use the
no form of this command.
collectflow
{ direction | sampler }
nocollectflow
{ direction | sampler }
Cisco IOS Release 15.1(4)M1
collectflowdirection
nocollectflowdirection
Syntax Description
direction
Configures the flow direction as a nonkey field and enables the collection of the direction in which the flow was monitored.
sampler
Configures the flow sampler ID as a nonkey field and enables the collection of the ID of the sampler that is assigned to the flow monitor.
Command Default
The flow direction and the flow sampler ID number are not configured as nonkey fields.
Command Modes
flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(4)M1
This command was integrated into Cisco IOS Release 15.1(4)M1 with only the
direction keyword.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode. For Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode. Here we refer to them both as flow record configuration mode.
The Flexible NetFlow and Performance Monitor
collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
collect flow direction
This field indicates the direction of the flow. This is of most use when a single flow monitor is configured for input and output flows. It can be used to find and eliminate flows that are being monitored twice, once on input and once on output. This field may also be used to match up pairs of flows in the exported data when the two flows are flowing in opposite directions.
collect flow sampler
This field contains the ID of the flow sampler used to monitor the flow. This is useful when more than one flow sampler is being used with different sampling rates. The flow exporter
optionsampler-table command exports options records with mappings of the flow sampler ID to sampling rate so the collector can calculate the scaled counters for each flow.
Examples
The following example configures the ID of the flow sampler that is assigned to the flow as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect flow sampler
Examples
The following example configures the direction in which the flow was monitored as a nonkey field:
Router(config)# flow record type performance-monitor FLOW-RECORD-1
Router(config-flow-record)# collect flow direction
Related Commands
Command
Description
flowexporter
Creates a flow exporter
flowrecord
Creates a flow record for Flexible NetFlow.
flowrecordtypeperformance-monitor
Creates a flow record for Performance Monitor.
collect interface
To configure the input and output interface as a nonkey field for a flow record, use the
collectinterface command in flow record configuration mode. To disable the use of the input and output interface as a nonkey field for a flow record, use the
no form of this command.
collectinterface
{ input | output }
nocollectinterface
{ input | output }
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
Configures the input interface as a nonkey field and enables collecting the input interface from the flows.
output
Configures the output interface as a nonkey field and enables collecting the output interface from the flows.
Command Default
The input and output interface is not configured as a nonkey field.
Command Modes
flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC and implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor.
12.2(58)SE
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.
12.2(50)SY
This command was modified. The
physical and
snmpkeywords were added in Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode. For Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode. Here we refer to them both as flow record configuration mode.
The Flexible NetFlow and Performance Monitor
collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
You must first enter theflowrecordtypeperformance-monitor command.
Examples
The following example configures the input interface as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect interface input
The following example configures the output interface as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect interface output
Examples
The following example configures the input interface as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect interface input
Related Commands
Command
Description
flowrecord
Creates a flow record for Flexible NetFlow.
flowrecordtypeperformance-monitor
Creates a flow record for Performance Monitor.
collect ipv4
To configure one or more of the IPv4 fields as a nonkey field for a flow record, use the collectipv4 command in flow record configuration mode. To disable the use of one or more of the IPv4 fields as a nonkey field for a flow record, use the no form of this command.
collectipv4
{ dscp | header-length | id | optionmap | precedence | protocol | tos | version }
nocollectipv4
{ dscp | header-length | id | optionmap | precedence | protocol | tos | version }
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
collectipv4dscp
nocollectipv4dscp
Syntax Description
dscp
Configures the differentiated services code point (DCSP) field as a nonkey field and enables collecting the value in the IPv4 DSCP type of service (ToS) fields from the flows.
header-length
Configures the IPv4 header length flag as a nonkey field and enables collecting the value in the IPv4 header length (in 32-bit words) field from the flows.
id
Configures the IPv4 ID flag as a nonkey field and enables collecting the value in the IPv4 ID field from the flows.
optionmap
Configures the IPv4 options flag as a nonkey field and enables collecting the value in the bitmap representing which IPv4 options have been seen in the options field from the flows.
precedence
Configures the IPv4 precedence flag as a nonkey field and enables collecting the value in the IPv4 precedence (part of ToS) field from the flows.
protocol
Configures the IPv4 payload protocol field as a nonkey field and enables collecting the IPv4 value of the payload protocol field for the payload in the flows
tos
Configures the ToS field as a nonkey field and enables collecting the value in the IPv4 ToS field from the flows.
version
Configures the version field as a nonkey field and enables collecting the value in the IPv4 version field from the flows.
Command Default
The IPv4 fields are not configured as a nonkey field.
Command Modes
flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC and implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor with only the dscp keyword.
12.2(58)SE
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor with only the dscp keyword.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode. For Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode. Here we refer to them both as flow record configuration mode.
The Flexible NetFlow and Performance Monitor collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Note
Some of the keywords of the collectipv4 command are documented as separate commands. All of the keywords for the collectipv4 command that are documented separately start with collectipv4. For example, for information about configuring the IPv4 time-to-live (TTL) field as a nonkey field and collecting its value for a flow record, refer to the collectipv4ttl command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
Only the the dscp keyword is available. You must first enter theflowrecordtypeperformance-monitor command.
Examples
The following example configures the DSCP field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv4 dscp
Examples
The following example configures the DSCP field as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv4 dscp
Related Commands
Command
Description
flowrecord
Creates a flow record for Flexible NetFlow.
flowrecordtypeperformance-monitor
Creates a flow record for Performance Monitor.
collect ipv4 destination
To configure the IPv4 destination address as a nonkey field for a
flow record, use the
collectipv4destination command in flow record configuration
mode. To disable the use of an IPv4 destination address field as a nonkey field
for a flow record, use the
no form of this command.
no collect ipv4 destination mask
[ minimum-maskmask ]
Cisco Catalyst 6500 Switches in Cisco IOS Release
12.2(50)SY
collectipv4destination
{ mask | prefix }
nocollectipv4destination
{ mask | prefix }
Syntax Description
address
Configures the IPv4 destination address as a nonkey field
and enables collecting the value of the IPv4 destination address from the
flows.
mask
Configures the IPv4 destination address mask as a nonkey
field and enables collecting the value of the IPv4 destination address mask
from the flows.
prefix
Configures the prefix for the IPv4 destination address as a
nonkey field and enables collecting the value of the IPv4 destination address
prefix from the flows.
minimum-maskmask
(Optional) Specifies the size, in bits, of the minimum
mask. Range: 1 to 32.
Command Default
The IPv4 destination address is not configured as a nonkey field.
Command Modes
flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release
12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series
routers.
12.2(33)SRC
This command was integrated into Cisco IOS Release
12.2(33)SRC and implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was integrated into Cisco IOS Release
12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T
for Cisco Performance Monitor with only the
maskandminimum-maskkeywords.
12.2(58)SE
This command was integrated into Cisco IOS Release
12.2(58)SE for Cisco Performance Monitor with only the
maskandminimum-maskkeywords.
12.2(50)SY
This command was modified. The
addressand
minimum-mask keywords were not
supported in Cisco IOS Release 12.2(50)SY.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance
Monitor. These products use different commands to enter the configuration mode
in which you issue this command, however the mode prompt is the same for both
products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow
record configuration mode. For Performance Monitor, the mode is also known as
Performance Monitor flow record configuration mode. Here we refer to them both
as flow record configuration mode.
The Flexible NetFlow and Performance Monitor
collect commands are used to configure nonkey
fields for the flow monitor record and to enable capturing the values in the
fields for the flow created with the record. The values in nonkey fields are
added to flows to provide additional information about the traffic in the
flows. A change in the value of a nonkey field does not create a new flow. In
most cases the values for nonkey fields are taken from only the first packet in
the flow.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and
12.2(58)SE
Only the
maskandminimum-maskkeywords are available. You must first enter
theflowrecordtypeperformance-monitor
command.
Examples
The following example configures the IPv4 destination address prefix
from the flows that have a prefix of 16 bits as a nonkey field:
The following example configures the IPv4 destination address prefix
from the flows that have a prefix of 16 bits as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv4 destination prefix minimum-mask 16
Related Commands
Command
Description
flowrecord
Creates a flow record for Flexible NetFlow.
flowrecordtypeperformance-monitor
Creates a flow record for Performance Monitor.
collect ipv4 fragmentation
To configure the IPv4 fragmentation flags and the IPv4 fragmentation offset as a nonkey field for a flow record, use the
collectipv4fragmentation command in flow record configuration mode. To disable the use of the IPv4 fragmentation flags and the IPv4 fragmentation offset as a nonkey field for a flow record, use the
no form of this command.
collectipv4fragmentation
{ flags | offset }
nocollectipv4fragmentation
{ flags | offset }
Syntax Description
flags
Configures the IPv4 fragmentation flags as a nonkey field and enables collecting the value in the IPv4 fragmentation flag fields from the flows.
offset
Configures the IPv4 fragmentation offset value as a nonkey field and enables collecting the value in the IPv4 fragmentation offset field from the flows.
Command Default
The IPv4 fragmentation flags and the IPv4 fragmentation offset are not configured as nonkey fields.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
Usage Guidelines
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
collect ipv4 fragmentation flags
This field collects the "don’t fragment" and "more fragments" flags.
Bit 0: reserved, must be zero.
Bit 1: (DF) 0 = May Fragment, 1 = Don’t Fragment
Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments
Bits 3-7: (DC) Don’t Care, value is irrelevant
0 1 2 3 4 5 6 7
+---+---+---+---+---+---+---+---+
| | D | M | D | D | D | D | D |
| 0 | F | F | C | C | C | C | C |
+---+---+---+---+---+---+---+---+
The following example configures the IPv4 fragmentation flags as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv4 fragmentation flags
Examples
The following example configures the IPv4 fragmentation flags as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv4 fragmentation flags
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect ipv4 section
To configure a section of an IPv4 packet as a nonkey field for a flow record, use the
collectipv4section command in flow record configuration mode. To disable the use of a section of an IPv4 packet as a nonkey field for a flow record, use the
no form of this command.
Configures the number of bytes of raw data starting at the IPv4 header to use as a nonkey field, and enables collecting the value in the raw data from the flows. Range: 1 to 1200.
payloadsizepayload-size
Configures the number of bytes of raw data starting at the IPv4 payload to use as a nonkey field, and enables collecting the value in the raw data from the flows. Range: 1 to 1200.
Command Default
A section of an IPv4 packet is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
Usage Guidelines
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
It is recommended that you configure both
headersize and
payloadsize so that you know how much data is going to be captured.
collect ipv4 section header
This command causes the first IPv4 header to be copied into the flow record for this flow. Only the configured size in bytes will be copied and part of the payload will also be captured if the configured size is larger than the size of the header.
Note
This command can result in large records which use a lot of router memory and export bandwidth.
collect ipv4 section payload
This command results in a copy of the first IPv4 payload being put into the flow record for this flow. Only the configured size in bytes will be copied and may end in a series of 0's if the configured size is greater than the size of the payload.
Note
This command can result in large records which use a lot of router memory and export bandwidth.
Examples
The following example configures the first eight bytes from the IP header of the packets in the flows as a non-key field:
The following example configures the first 16 bytes from the payload of the packets in the flows as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv4 section payload size 16
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect ipv4 source
To configure the IPv4 source address as a nonkey field for a flow
record, use the
collectipv4source command in flow record configuration mode.
To disable the use of the IPv4 source address field as a nonkey field for a
flow record, use the
no form of this command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and
12.2(58)SE
collect ipv4 source mask
[ minimum-maskmask ]
no collect ipv4 source mask
[ minimum-maskmask ]
Cisco Catalyst 6500 Switches in Cisco IOS Release
12.2(50)SY
collectipv4source
{ mask | prefix }
nocollectipv4source
{ mask | prefix }
Syntax Description
address
Configures the IPv4 source address as a nonkey field and
enables collecting the value of the IPv4 source address from the flows.
mask
Configures the IPv4 source address mask as a nonkey field
and enables collecting the value of the IPv4 source address mask from the
flows.
prefix
Configures the prefix for the IPv4 source address as a
nonkey field and enables collecting the value of the IPv4 source address prefix
from the flows.
minimum-maskmask
(Optional) Specifies the size, in bits, of the minimum
mask. Range: 1 to 32.
Command Default
The IPv4 source address is not configured as a nonkey field.
Command Modes
flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release
12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series
routers.
12.2(33)SRC
This command was integrated into Cisco IOS Release
12.2(33)SRC and implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was integrated into Cisco IOS Release
12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T
for Cisco Performance Monitor with only the
maskandminimum-maskkeywords.
12.2(58)SE
This command was integrated into Cisco IOS Release
12.2(58)SE for Cisco Performance Monitor with only the
maskandminimum-maskkeywords.
12.2(50)SY
This command was modified. The
addressand
minimum-mask keywords were not
supported in Cisco IOS Release 12.2(50)SY.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance
Monitor. These products use different commands to enter the configuration mode
in which you issue this command, however the mode prompt is the same for both
products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow
record configuration mode. For Performance Monitor, the mode is also known as
Performance Monitor flow record configuration mode. Here we refer to them both
as flow record configuration mode.
The Flexible NetFlow and Performance Monitor
collect commands are used to configure nonkey
fields for the flow monitor record and to enable capturing the values in the
fields for the flow created with the record. The values in nonkey fields are
added to flows to provide additional information about the traffic in the
flows. A change in the value of a nonkey field does not create a new flow. In
most cases the values for nonkey fields are taken from only the first packet in
the flow.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and
12.2(58)SE
Only the
maskandminimum-maskkeywords are available. You must first enter
theflowrecordtypeperformance-monitor
command.
collect ipv4 source prefix minimum-mask
The source address prefix is the network part of an IPv4 source
address. The optional minimum mask allows more information to be gathered about
large networks.
collect ipv4 source mask minimum-mask
The source address mask is the number of bits that make up the
network part of the source address. The optional minimum mask allows a minimum
value to be configured. This command is useful when there is a minimum mask
configured for the source prefix field and the mask is to be used with the
prefix. In this case, the values configured for the minimum mask should be the
same for the prefix and mask fields.
Alternatively, if the collector is aware of the minimum mask
configuration of the prefix field, the mask field can be configured without a
minimum mask so that the true mask and prefix can be calculated.
Examples
The following example configures the IPv4 source address prefix from
the flows that have a prefix of 16 bits as a nonkey field:
The following example configures the IPv4 source address prefix from
the flows that have a prefix of 16 bits as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv4 source prefix minimum-mask 16
Related Commands
Command
Description
flowrecord
Creates a flow record for Flexible NetFlow.
flowrecordtypeperformance-monitor
Creates a flow record for Performance Monitor.
collect ipv4 total-length
To configure the IPv4 total-length field as a nonkey field for a flow record, use the
collectipv4total-length command in flow record configuration mode. To disable the use of the IPv4 total-length field as a nonkey field for a flow record, use the
no form of this command.
collectipv4total-length
[ maximum | minimum ]
nocollectipv4total-length
[ maximum | minimum ]
Syntax Description
maximum
(Optional) Configures the maximum value of the total length field as a nonkey field and enables collecting the maximum value of the total length field from the flows.
minimum
(Optional) Configures the minimum value of the total length field as a nonkey field and enables collecting the minimum value of the total length field from the flows.
Command Default
The IPv4 total-length field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
Usage Guidelines
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
collect ipv4 total-length [minimum | maximum]
This command is used to collect the lowest and highest IPv4 total length values seen in the lifetime of the flow. Configuring this command results in more processing than is needed to simply collect the first total length value seen using the
collectipv4total-length command.
Examples
The following example configures total-length value as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv4 total-length
The following example configures minimum total-length value seen in the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv4 total-length minimum
Examples
The following example configures the minimum total-length value seen in the flows as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv4 total-length minimum
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect ipv4 ttl
To configure the IPv4 time-to-live (TTL) field as a nonkey field for a flow record, use the collectipv4ttl command in flow record configuration mode. To disable the use of the IPv4 TTL field as a nonkey field for a flow record, use the no form of this command.
collectipv4ttl
[ maximum | minimum ]
nocollectipv4ttl
[ maximum | minimum ]
Syntax Description
maximum
(Optional) Configures the maximum value of the TTL field as a nonkey field and enables collecting the maximum value of the TTL field from the flows.
minimum
(Optional) Configures the minimum value of the TTL field as a nonkey field and enables collecting the minimum value of the TTL field from the flows.
Command Default
The IPv4 time-to-live (TTL) field is not configured as a nonkey field.
Command Modes
flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC and implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor.
12.2(58)SE
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode. For Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode. Here we refer to them both as flow record configuration mode.
The Flexible NetFlow and Performance Monitor collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
You must first enter theflowrecordtypeperformance-monitor command.
collect ipv4 ttl [minimum | maximum]
This command is used to collect the lowest and highest IPv4 TTL values seen in the lifetime of the flow. Configuring this command results in more processing than is needed to simply collect the first TTL value seen using the collectipv4ttl command.
Examples
The following example configures the largest value for IPv4 TTL seen in the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv4 ttl maximum
The following example configures the smallest value for IPv4 TTL seen in the flows as a nonkey field
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv4 ttl minimum
Examples
The following example configures the smallest value for IPv4 TTL seen in the flows as a nonkey field
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv4 ttl minimum
Related Commands
Command
Description
flowrecord
Creates a flow record for Flexible NetFlow.
flowrecordtypeperformance-monitor
Creates a flow record for Performance Monitor.
collect ipv6
To configure one or more of the IPv6 fields as a nonkey field for a flow record, use the
collectipv6 command in flow record configuration mode. To disable the use of one or more of the IPv6 fields as a nonkey field for a flow record, use the
no form of this command.
Configures the differentiated services code point (DCSP) field as a nonkey field and enables collecting the value in the IPv6 DSCP type of service (ToS) fields from the flows.
flow-label
Configures the IPv6 flow label as a nonkey field and enables collecting the value in the IPv6 flow label from the flows.
next-header
Configures the next-header field as a nonkey field and enables collecting the value of the next-header field in the IPv6 header from the flows.
payload-length
Configures the length of the IPv6 payload as a nonkey field and enables collecting the number of bytes used for the payload in the flows.
precedence
Configures the IPv6 precedence flag as a nonkey field and enables collecting the value in the IPv6 precedence (part of ToS) field from the flows.
protocol
Configures the IPv6 payload protocol field as a nonkey field and enables collecting the IPv6 value of the payload protocol field for the payload in the flows.
traffic-class
Configures the IPv6 traffic-class field as a nonkey field and enables collecting the value in the IPv6 protocol field from the flows.
version
Configures the IPv6 version field as a nonkey field and enables collecting the value in the IPv6 version field from the flows.
Command Default
The IPv6 fields are not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Note
Some of the keywords for the
collectipv6 command are documented as separate commands. All of the keywords for the
collectipv6 command that are documented separately start with
collectipv6. For example, for information about configuring the IPv6 hop limit field as a nonkey field and collecting its value for a flow record, refer to the
collectipv6hop-limit command.
Examples
The following example configures the IPv6 DSCP field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv6 dscp
Examples
The following example configures the IPv6 DSCP field as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv6 dscp
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect ipv6 destination
To configure the IPv6 destination address as a nonkey field for a flow record, use the
collectipv6destination command in flow record configuration mode. To disable the use of an IPv6 destination address field as a nonkey field for a flow record, use the
no form of this command.
Configures the IPv6 destination address as a nonkey field and enables collecting the value of the IPv6 destination address from the flows.
mask
Configures the IPv6 destination address mask as a nonkey field and enables collecting the value of the IPv6 destination address mask from the flows.
prefix
Configures the prefix for the IPv6 destination address as a nonkey field and enables collecting the value of the IPv6 destination address prefix from the flows.
minimum-maskmask
(Optional) Specifies the size, in bits, of the minimum mask. Range: 1 to 128.
Command Default
TheIPv6 destination address is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The
addressand
minimum-mask keywords were not supported in Cisco IOS Release 12.2(50)SY.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the IPv6 destination address prefix from the flows that have a prefix of 16 bits as a nonkey field:
The following example configures the IPv6 destination address prefix from the flows that have a prefix of 16 bits as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv6 destination prefix minimum-mask 16
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect ipv6 extension map
To configure the bitmap of the IPv6 extension header map as a nonkey field for a flow record, use the
collectipv6extensionmap command in flow record configuration mode. To disable the use of the IPv6 bitmap of IPv6 extension header map as a nonkey field for a flow record, use the
no form of this command.
collectipv6extensionmap
nocollectipv6extensionmap
Syntax Description
This command has no arguments or keywords.
Command Default
The use of the bitmap of the IPv6 extension header map is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Bitmap of the IPv6 Extension Header Map
The bitmap of IPv6 extension header map is made up of 32 bits.
0 1 2 3 4 5 6 7
+-----+-----+-----+-----+-----+-----+-----+-----+
| Res | FRA1| RH | FRA0| UNK | Res | HOP | DST |
+-----+-----+-----+-----+-----+-----+-----+-----+
8 9 10 11 12 13 14 15
+-----+-----+-----+-----+-----+-----+-----+-----+
| PAY | AH | ESP | Reserved |
+-----+-----+-----+-----+-----+-----+-----+-----+
16 17 18 19 20 21 22 23
+-----+-----+-----+-----+-----+-----+-----+-----+
| Reserved |
+-----+-----+-----+-----+-----+-----+-----+-----+
24 25 26 27 28 29 30 31
+-----+-----+-----+-----+-----+-----+-----+-----+
| Reserved |
+-----+-----+-----+-----+-----+-----+-----+-----+
0 Res Reserved
1 FRA1 Fragmentation header - not first fragment
2 RH Routing header
3 FRA0 Fragment header - first fragment
4 UNK Unknown Layer 4 header
(compressed, encrypted, not supported)
5 Res Reserved
6 HOP Hop-by-hop option header
7 DST Destination option header
8 PAY Payload compression header
9 AH Authentication Header
10 ESP Encrypted security payload
11 to 31 Reserved
The following example configures the bitmap of IPv6 extension header map as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv6 extension map
Examples
The following example configures the bitmap of IPv6 extension header map as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv6 extension map
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect ipv6 fragmentation
To configure one or more of the IPv6 fragmentation fields as a nonkey field for a flow record, use the
collectipv6fragmentation command in flow record configuration mode. To disable the use one or more of the IPv6 fragmentation fields as a nonkey field for a flow record, use the
no form of this command.
collectipv6fragmentation
{ flags | id | offset }
nocollectipv6fragmentation
{ flags | id | offset }
Syntax Description
flags
Configures the IPv6 fragmentation flags as a non-key field and enables collecting the value in the IPv6 fragmentation flag fields from the flows.
id
Configures the IPv6 fragmentation ID as a non-key field and enables collecting the value in the IPv6 fragmentation id fields from the flows
offset
Configures the IPv6 fragmentation offset as a non-key field and enables collecting the value in the IPv6 fragmentation offset field from the flows.
Command Default
The use of one or more of the IPv6 fragmentation fields is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the IPv6 fragmentation flags field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv6 fragmentation flags
Examples
The following example configures the IPv6 fragmentation flags field as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv6 fragmentation flags
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect ipv6 hop-limit
To configure the IPv6 hop limit as a nonkey field for a flow record, use the
collectipv6hop-limit command in flow record configuration mode. To disable the use of the IPv6 hop limit field as a nonkey field for a flow record, use the
no form of this command.
collectipv6hop-limit [maximum] [minimum]
nocollectipv6hop-limit [maximum] [minimum]
Syntax Description
maximum
(Optional) Configures the IPv6 maximum hop limit as a nonkey field and enables collecting the value of the IPv6 maximum hop limit from the flows.
minimum
(Optional) Configures the IPv6 minimum hop limit as a nonkey field and enables collecting the value of the IPv6 minimum hop limit from the flows.
Command Default
The IPv6 hop limit is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
collect ipv6 hop-limit [minimum | maximum]
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
This command is used to collect the lowest and highest IPv6 hop limit values seen in the lifetime of the flow. Configuring this command results in more processing than is needed to simply collect the first hop limit value seen using the
collectipv6hop-limit command.
Examples
The following example configures the IPv6 maximum hop limit from the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv6 hop-limit maximum
Examples
The following example configures the IPv6 maximum hop limit from the flows as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv6 hop-limit maximum
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect ipv6 length
To configure one or more of the IPv6 length fields as a nonkey field for a flow record, use the
collectipv6lengthcommand in flow record configuration mode. To disable the use of one or more of the IPv6 length fields as a nonkey field for a flow record, use the
no form of this command.
collectipv6length
{ header | payload | total [maximum] [minimum] }
nocollectipv6length
{ header | payload | total [maximum] [minimum] }
Syntax Description
header
Configures the length in bytes of the IPv6 header, not including any extension headers, as a nonkey field and collects the value of it for a flow record.
payload
Configures the length in bytes of the IPv6 payload, including any extension headers, as a nonkey field and collects the value of it for a flow record.
total
Configures the total length in bytes of the IPv6 header and payload as a nonkey field and collects the value of it for a flow record.
maximum
(Optional) Configures the maximum total length in bytes of the IPv6 header and payload as a nonkey field and collects the value of it for a flow record.
minimum
(Optional) Configures the minimum total length in bytes of the IPv6 header and payload as a nonkey field and collects the value of it for a flow record.
Command Default
The IPv6 length fields are not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
collect ipv6 length [minimum | maximum]
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
This command is used to collect the lowest and highest IPv6 length values seen in the lifetime of the flow. Configuring this command results in more processing than is needed to simply collect the length value seen using the
collectipv6length command.
Examples
The following example configures the length of the IPv6 header, not including any extension headers, in bytes as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect ipv6 length header
Examples
The following example configures the length of the IPv6 header, not including any extension headers, in bytes as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv6 length header
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect ipv6 section
To configure a section of an IPv6 packet as a nonkey field for a flow record, use the
collectipv6section command in flow record configuration mode. To disable the use of a section of an IPv6 packet as a nonkey field for a flow record, use the
no form of this command.
Configures the number of bytes of raw data, starting at the IPv6 header, to use as a nonkey field, and enables collecting the value in the raw data from the flows. Range: 1 to 1200.
payloadsizepayload-size
Configures the number of bytes of raw data, starting at the IPv6 payload, to use as a nonkey field, and enables collecting the value in the raw data from the flows. Range: 1 to 1200.
Command Default
A section of an IPv6 packet is not configured as a non-key field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
It is recommended that you configure both
headersize and
payloadsize so that you know how much data is going to be captured.
Note
The IPv6 payload data is captured only if the first packet in the flow is an IPv6 packet. If the first packet in the flow is not an IPv6 packet, information from other packets in the flow such as packet and byte counters, is still captured.
collect ipv6 section header
This command causes a copy of the first IPv6 header to be put into the flow record for this flow. Only the configured size in bytes will be copied, and part of the payload will also be captured if the configured size is larger than the size of the header.
Note
Configuring this command can result in large records that use a lot of router memory and export bandwidth.
collect ipv6 section payload
This command causes a copy of the first IPv6 payload to be put into the flow record for this flow. Only the configured size in bytes will be copied, and it may end in a series of zeros if the configured size is smaller than the size of the payload.
Note
Configuring this command can result in large records that use a lot of router memory and export bandwidth.
Examples
The following example configures the first eight bytes from the IPv6 header of the packets in the flows as a nonkey field:
The following example configures the first 16 bytes from the payload of the IPv6 packets in the flows as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv6 section payload size 16
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect ipv6 source
To configure the IPv6 source address as a nonkey field for a flow record, use the
collectipv6source command in flow record configuration mode. To disable the use of the IPv6 source address field as a nonkey field for a flow record, use the
no form of this command.
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
collectipv6source
{ mask | prefix }
nocollectipv6source
{ mask | prefix }
Syntax Description
address
Configures the IPv6 source address as a nonkey field and enables collecting the value of the IPv6 source address from the flows.
mask
Configures the IPv6 source address mask as a nonkey field and enables collecting the value of the IPv6 source address mask from the flows.
prefix
Configures the prefix for the IPv6 source address as a nonkey field and enables collecting the value of the IPv6 source address prefix from the flows.
minimum-maskmask
(Optional) Specifies the size, in bits, of the minimum mask. Range: 1 to 128.
Command Default
The IPv6 source address is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The
addressand
minimum-mask keywords were not supported in Cisco IOS Release 12.2(50)SY.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
collect IPv6 source prefix minimum mask
The source address prefix field is the network part of the source address. The optional minimum mask allows more information to be gathered about large networks.
collect IPv6 source mask minimum mask
The source address mask is the number of bits that make up the network part of the source address. The optional minimum mask allows a minimum value to be configured. This command is useful when there is a minimum mask configured for the source prefix field and the mask is to be used with the prefix. In this case, the values configured for the minimum mask should be the same for the prefix and mask fields.
Alternatively, if the collector is aware of the minimum mask configuration of the prefix field, the mask field can be configured without a minimum mask so that the true mask and prefix can be calculated.
Examples
The following example configures the IPv6 source address prefix from the flows that have a prefix of 16 bits as a nonkey field:
The following example configures the IPv6 source address prefix from the flows that have a prefix of 16 bits as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect ipv6 source prefix minimum-mask 16
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect mpls label
To configure MPLS label fields as a nonkey field for a flow record, use the
collectmplslabel command in flow record configuration mode. To disable the use of the MPLS label fields as a nonkey field for a flow record, use the
no form of this command.
Configures the first MPLS label as a nonkey field.
details
Configures the details of the MPLS label as a nonkey field.
exp
Configures the MPLS experimental level field as a nonkey field.
ttl
Configures the time-to-life (TTL) for the MPLS label as a nonkey field.
label 2
Configures the second MPLS label as a nonkey field.
label 3
Configures the third MPLS label as a nonkey field.
label 4
Configures the fourth MPLS label as a nonkey field.
label 5
Configures the fifth MPLS label as a nonkey field.
label 6
Configures the sixth MPLS label as a nonkey field.
Command Default
MPLS label fields are not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.9S
This command was introduced.
Usage Guidelines
The Flexible NetFlow
collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the details of the first MPLS label as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect mpls label 1 details
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
collect policy qos classification hierarchy
To configure QoS policy classification hierarchy field as a nonkey field for a flow record, use the
collectpolicyqosclassificationhierarchy command in flow record configuration mode. To disable the use of the MPLS label fields as a nonkey field for a flow record, use the
no form of this command.
collectpolicyqosclassificationhierarchy
nocollectpolicyqosclassificationhierarchy
Syntax Description
This command has no arguments or keywords.
Command Default
QoS policy classification hierarchy field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.9S
This command was introduced.
Usage Guidelines
The Flexible NetFlow
collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the details of the QoS policy classification hierarchy field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect policy qos classification hierarchy
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
collect policy qos queue index
To configure the QoS policy queue index as a nonkey field for a flow record, use the
collectpolicyqosqueueindexcommand in flow record configuration mode. To disable the use of one or more of the routing attributes as a nonkey field for a flow record, use the
no form of this command.
collectpolicyqosqueueindex
nocollectpolicyqosqueueindex
Syntax Description
This command has no arguments or keywords.
Command Default
QoS policy queue index is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.9S
This command was introduced.
Usage Guidelines
The Flexible NetFlow
collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the QoS policy queue index as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect policy qos queue index
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
collect routing
To configure one or more of the routing attributes as a nonkey field for a flow record, use the
collect
routingcommand in flow record configuration mode. To disable the use of one or more of the routing attributes as a nonkey field for a flow record, use the
no form of this command.
Configures one or more of the destination routing attributes fields as a nonkey field and enables collecting the values from the flows.
source
Configures one or more of the source routing attributes fields as a nonkey field and enables collecting the values from the flows.
as
Configures the autonomous system field as a nonkey field and enables collecting the value in the autonomous system field from the flows.
4-octet
(Optional) Configures the 32-bit autonomous system number as a nonkey field.
peer
(Optional) Configures the autonomous system number of the peer network as a nonkey field and enables collecting the value of the autonomous system number of the peer network from the flows.
traffic-index
Configures the Border Gateway Protocol (BGP) source or destination traffic index as a nonkey field and enables collecting the value of the BGP destination traffic index from the flows.
forwarding-status
Configures the forwarding status as a nonkey field and enables collecting the value of the forwarding status of the packet from the flows.
next-hopaddress
Configures the next-hop address value as a nonkey field and enables collecting information regarding the next hop from the flows. The type of address (IPv4 or IPv6) is determined by the next keyword entered.
ipv4
Specifies that the next-hop address value is an IPv4 address.
ipv6
Specifies that the next-hop address value is an IPv6 address.
bgp
(Optional) Configures the IP address of the next hop BGP network as a nonkey field and enables collecting the value of the IP address of the BGP next-hop network from the flows.
vrfinput
Configures the Virtual Routing and Forwarding (VRF) ID for incoming packets as a nonkey field.
vrfoutput
Configures the Virtual Routing and Forwarding (VRF) ID for outgoing packets as a nonkey field.
reason
Configures the reason for the forwarding status as a nonkey field.
Command Default
The routing attributes are not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC and implemented on the Cisco 7200 series routers.
12.4(20)T
This command was modified. The
ipv6 keyword was added.
15.0(1)M
This command was modified. The
vrf
input
keywords were added.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.2S
This command was modified. The
4-octet keyword was added.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor with only the
forwarding-status
keyword and the addition of the
reason keyword.
12.2(58)SE
This command was integrated into Cisco IOS Release 12.2(58)SE for Cisco Performance Monitor with only the
forwarding-status
keyword and the addition of the
reason keyword.
12.2(50)SY
This command was modified. The
traffic-index
and
vrf
input
keywords were not supported in Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.8S
This command was modified. The
vrf
output
keyword was added.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command; however the mode prompt is the same for both products. For Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode. For Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode. Here we refer to them both as flow record configuration mode.
The Flexible NetFlow and Performance Monitor
collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
The
reason
keyword was added and only the
forwarding-status
keyword is available. You must first enter theflow
record
type
performance-monitor
command.
collect routing source as
[peer]
This command collects the 16-bit autonomous system number based on a lookup of the router’s routing table using the source IP address. The optional
peer keyword provides the expected next network, as opposed to the originating network.
collect routing source as 4-octet
[peer 4-octet]
This command collects the 32-bit autonomous system number based on a lookup of the router’s routing table using the source IP address. The optional
peer keyword provides the expected next network, as opposed to the originating network.
collect routing destination as
[peer]
This command collects the 16-bit autonomous system number based on a lookup of the router’s routing table using the destination IP address. The optional
peer keyword provides the expected next network, as opposed to the destination network.
collect routing destination as 4-octet
[peer 4-octet]
This command collects the 32-bit autonomous system number based on a lookup of the router’s routing table using the destination IP address. The
peer keyword provides the expected next network, as opposed to the destination network.
collect routing source traffic-index
This command collects the traffic-index field based on the source autonomous system for this flow. The traffic-index field is a value propagated through BGP.
This command is not supported for IPv6.
collect routing destination traffic-index
This command collects the traffic-index field based on the destination autonomous system for this flow. The traffic-index field is a value propagated through BGP.
This command is not supported for IPv6.
collect routing forwarding-status
This command collects a field to indicate if the packets were successfully forwarded. The field is in two parts and may be up to 4 bytes in length. For the releases specified in the Command History table, only the status field is used:
+-+-+-+-+-+-+-+-+
| S | Reason |
| t | codes |
| a | or |
| t | flags |
| u | |
| s | |
+-+-+-+-+-+-+-+-+
0 1 2 3 4 5 6 7
Status:
00b=Unknown, 01b = Forwarded, 10b = Dropped, 11b = Consumed
collect routing vrf input
This command collects the VRF ID from incoming packets on a router. In the case where VRFs are associated with an interface via methods such as VRF Selection Using Policy Based Routing/Source IP Address, a VRF ID of 0 will be recorded. If a packet arrives on an interface that does not belong to a VRF, a VRF ID of 0 is recorded.
collect routing vrf output
This command collects the outgoing VRF ID for outgoing packets on a router based on the VRF associated with the outgoing interface.
Examples
The following example configures the 16-bit autonomous system number based on a lookup of the router’s routing table using the source IP address as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect routing source as
The following example configures the 16-bit autonomous system number based on a lookup of the router’s routing table using the destination IP address as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect routing destination as
The following example configures the value in the traffic-index field based on the source autonomous system for a flow as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect routing source traffic-index
The following example configures the forwarding status as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect routing forwarding-status
The following example configures the VRF ID for incoming packets as a nonkey field for a Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect routing vrf input
The following example configures the VRF ID for outgoing packets as a nonkey field for a Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect routing vrf output
Examples
The following example configures the forwarding status as a nonkey field for a Performance Monitor flow record:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect routing forwarding-status reason
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record for Performance Monitor.
collect routing is-multicast
To configure the use of the is-multicast field (indicating that the IPv4 traffic is multicast traffic) as a nonkey field, use the
collectroutingis-multicastcommand in flow record configuration mode. To disable the use of the is-multicast field as a nonkey field for a flow record, use the
no form of this command.
collectroutingis-multicast
nocollectroutingis-multicast
Syntax Description
This command has no arguments or keywords
Command Default
The is-multicast field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the is-multicast field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect routing is-multicast
Examples
The following example configures the is-multicast field as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect routing is-multicast
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect routing multicast replication-factor
To configure the multicast replication factor value for IPv4 traffic as a nonkey field for a flow record, use the
collectroutingmulticastreplication-factorcommand in flow record configuration mode. To disable the use of the multicast replication factor value as a nonkey field for a flow record, use the
no form of this command.
collectroutingmulticastreplication-factor
nocollectroutingmulticastreplication-factor
Syntax Description
This command has no arguments or keywords.
Command Default
The multicast replication factor value is not configured as a nonkey field.
Command Modes
Fow record configuration (config-flow-record)
Command History
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
When the replication-factor field is used in a flow record, it will only have a non-zero value in the cache for ingress multicast traffic that is forwarded by the router. If the flow record is used with a flow monitor in output (egress) mode or to monitor unicast traffic or both, the cache data for the replication factor field is set to 0.
Examples
The following example configures the multicast replication factor value as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect routing multicast replication-factor
Examples
The following example configures the multicast replication factor value as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect routing multicast replication-factor
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect services pfr
To configure the Performance Routing (PfR) traffic class ID and the master controller ID per packet as a nonkey field for a flow record, use the
collectservicespfr command in Flexible NetFLow flow record configuration mode. To disable the use of the PfR IDs as a nonkey field for a flow record, use the
no form of this command.
collectservicespfr
{ traffic-class-id | mc-id }
nocollectservicespfr
{ traffic-class-id | mc-id }
Syntax Description
traffic-class-id
Configures the Performance Routing (PfR) traffic class ID per packet as a nonkey field.
mc-id
Configures the Performance Routing (PfR) master controller ID per packet as a nonkey field.
Command Default
The PfR IDs per packet are not configured as a nonkey field.
Command Modes
Flexible NetFLow flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.9S
This command was introduced.
Usage Guidelines
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the PfR traffic class ID per packet as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect services pfr traffic-class-id
Related Commands
Command
Description
flowrecord
Creates a flow record for Flexible NetFlow.
collect timestamp absolute
To configure the absolute time of the first seen or last seen packet in a flow as a nonkey field for a flow record, use the
collecttimestampabsolute command in Flexible NetFlow flow record configuration mode. To disable the use of the first seen or last seen packet in a flow as a nonkey field for a flow record, use the
no form of this command.
collecttimestampabsolute
{ first | last }
nocollecttimestampabsolute
{ first | last }
Syntax Description
first
Configures the absolute time that the first packet was seen from the flows as a nonkey field and enables collecting time stamps based on the system uptime for the time the first packet was seen from the flows.
last
Configures the absolute time that the last packet was seen from the flows as a nonkey field and enables collecting time stamps based on the system uptime for the time the most recent packet was seen from the flows.
Command Default
The absolute time field is not configured as a nonkey field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.2SE
This command was introduced.
Usage Guidelines
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures time stamps for the absolute time that the first packet was seen from the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect timestamp absolute first
The following example configures the time stamps for the absolute time that the most recent packet was seen from the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect timestamp absolute last
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
collect timestamp sys-uptime
To configure the system uptime of the first seen or last seen packet in a flow as a nonkey field for a flow record, use the
collecttimestampsys-uptime command in flow record configuration mode. To disable the use of the first seen or last seen packet in a flow as a nonkey field for a flow record, use the
no form of this command.
collecttimestampsys-uptime
{ first | last }
nocollecttimestampsys-uptime
{ first | last }
Syntax Description
first
Configures the system uptime for the time the first packet was seen from the flows as a nonkey field and enables collecting time stamps based on the system uptime for the time the first packet was seen from the flows.
last
Configures the system uptime for the time the last packet was seen from the flows as a nonkey field and enables collecting time stamps based on the system uptime for the time the most recent packet was seen from the flows.
Command Default
The system uptime field is not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures time stamps based on the system uptime for the time the first packet was seen from the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect timestamp sys-uptime first
The following example configures the time stamps based on the system uptime for the time the most recent packet was seen from the flows as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect timestamp sys-uptime last
Examples
The following example configures the time stamps based on the system uptime for the time the most recent packet was seen from the flows as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect timestamp sys-uptime last
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect transport
To configure one or more of the transport layer fields as a nonkey field for a flow record, use the
collecttransport command in flow record configuration mode. To disable the use of one or more of the transport layer fields as a nonkey field for a flow record, use the
no form of this command.
Configures the destination port as a nonkey field and enables collecting the value of the destination port from the flows.
igmptype
Configures the Internet Group Management Protocol (IGMP) type as a nonkey field and enables collecting the value of the IGMP type from the flows.
source-port
Configures the source port as a nonkey field and enables collecting the value of the source port from the flows.
Command Default
The transport layer fields are not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the transport destination port as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport destination-port
The following example configures the transport source port as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport source-port
Examples
The following example configures the transport source port as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect transport source-port
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect transport icmp ipv4
To configure the internet control message protocol (ICMP) IPv4 type field and the code field as nonkey fields for a flow record, use the
collecttransporticmpipv4 command in flow record configuration mode. To disable the use of the ICMP IPv4 type field and code field as nonkey fields for a flow record, use the
no form of this command.
collecttransporticmpipv4
{ code | type }
nocollecttransporticmpipv4
{ code | type }
Syntax Description
code
Configures the ICMP code as a nonkey field and enables collecting the value of the ICMP code from the flow.
type
Configures the ICMP type as a nonkey field and enables collecting the value of the ICMP type from the flow.
Command Default
The ICMP IPv4 type field and the code field are not configured as nonkey fields.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the ICMP IPv4 code field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport icmp ipv4 code
The following example configures the ICMP IPv4 type field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport icmp ipv4 type
Examples
The following example configures the ICMP IPv4 type field as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect transport icmp ipv4 type
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect transport icmp ipv6
To configure the Internet Control Message Protocol (ICMP) IPv6 type field and code field as nonkey fields for a flow record, use the
collecttransporticmpipv6 command in flow record configuration mode. To disable the use of the ICMP IPv6 type field and code field as nonkey fields for a flow record, use the
no form of this command.
collecttransporticmpipv6
{ code | type }
nocollecttransporticmpipv6
{ code | type }
Syntax Description
code
Configures the ICMP code as a nonkey field and enables collecting the value of the ICMP code from the flow.
type
Configures the ICMP type as a nonkey field and enables collecting the value of the ICMP type from the flow.
Command Default
The ICMP IPv6 type field and code field are not configured as nonkey fields.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the ICMP IPv6 code field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport icmp ipv6 code
The following example configures the ICMP IPv6 type field as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport icmp ipv6 type
Examples
The following example configures the ICMP IPv6 type field as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect transport icmp ipv6 type
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect transport tcp
To configure one or more of the TCP fields as a nonkey field for a flow record, use the
collecttransporttcp command in flow record configuration mode. To disable the use of one or more of the TCP fields as a nonkey field for a flow record, use the
no form of this command.
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
collecttransporttcpflags
[ ack | cwr | ece | fin | psh | rst | syn | urg ]
nocollecttransporttcpflags
[ ack | cwr | ece | fin | psh | rst | syn | urg ]
Cisco IOS XE Release 3.2SE
collecttransporttcpflags
[ ack | cwr | ece | fin | psh | rst | syn | urg ]
nocollecttransporttcpflags
[ ack | cwr | ece | fin | psh | rst | syn | urg ]
Syntax Description
acknowledgement- number
Configures the TCP acknowledgement number as a nonkey field and enables collecting the value of the TCP acknowledgment number from the flow.
destination-port
Configures the TCP destination port as a nonkey field and enables collecting the value of the TCP destination port from the flow.
flags
Configures one or more of the TCP flags as a nonkey field and enables collecting the values from the flow.
ack
(Optional) Configures the TCP acknowledgment flag as a nonkey field.
cwr
(Optional) Configures the TCP congestion window reduced flag as a nonkey field.
ece
(Optional) Configures the TCP Explicit Congestion Notification echo (ECE) flag as a nonkey field.
fin
(Optional) Configures the TCP finish flag as a nonkey field.
psh
(Optional) Configures the TCP push flag as a nonkey field.
rst
(Optional) Configures the TCP reset flag as a nonkey field.
syn
(Optional) Configures the TCP synchronize flag as a nonkey field.
urg
(Optional) Configures the TCP urgent flag as a nonkey field.
header-length
Configures the TCP header length (in 32-bit words) as a nonkey field and enables collecting the value of the TCP header length from the flow.
maximum-segment-size
Configures the maximum segment size as a nonkey field and enables collecting the values from the flow.
sequence-number
Configures the TCP sequence number as a nonkey field and enables collecting the value of the TCP sequence number from the flow.
source-port
Configures the TCP source port as a nonkey field and enables collecting the value of the TCP source port from the flow.
urgent-pointer
Configures the TCP urgent pointer as a nonkey field and enables collecting the value of the TCP urgent pointer from the flow.
window-size
Configures the TCP window size as a nonkey field and enables collecting the value of the TCP window size from the flow.
window-size-average
Configures the average window size as a nonkey field and enables collecting the values from the flow.
window-size-maximum
Configures the maximum window size as a nonkey field and enables collecting the values from the flow.
window-size-minimum
Configures the minimum window size as a nonkey field and enables collecting the values from the flow.
Command Default
The TCP fields are not configured as a nonkey field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY without the support of the
acknowledgement-number,
destination-port,
header-length,
sequence-number,source-port,
urgent-pointer,and
window-size keywords.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Cisco IOS XE Release 3.6S
This command was modified. The
maximum-segment-size,
window-size-average,
window-size-maximum, and
window-size-minimum keywords were added into Cisco IOS XE Release 3.6S for Cisco Performance Monitor.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE without the support for the
acknowledgement-number,
destination-port,
header-length,
sequence-number,source-port,
urgent-pointer,and
window-size keywords.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The
collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
collect transport tcp flags ece
For more information about ECN echo, refer to RFC 3168
The Addition of Explicit Congestion Notification (ECN) to IP , at the following URL:
http://www.ietf.org/rfc/rfc3168.txt .
Examples
The following example configures the TCP acknowledgment number as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport tcp acknowledgement-number
The following example configures the TCP source port as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport tcp source-port
The following example configures the TCP acknowledgment flag as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport tcp flags ack
The following example configures the TCP finish flag as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport tcp flags fin
The following example configures the TCP reset flag as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport tcp flags rst
Examples
The following example configures the TCP reset flag as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect transport tcp flags rst
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
collect transport udp
To configure one or more of the user datagram protocol UDP fields as a nonkey field for a flow record, use the
collecttransportudp command in flow record configuration mode. To disable the use of one or more of the UDP fields as a nonkey field for a flow record, use the
no form of this command.
collect transport udp
{ destination-port | message-length | source-port }
no collect transport udp
{ destination-port | message-length | source-port }
Syntax Description
destination-port
Configures the UDP destination port as a nonkey field and enables collecting the value of the UDP destination port fields from the flow.
message-length
Configures the UDP message length as a nonkey field and enables collecting the value of the UDP message length fields from the flow.
source-port
Configures the UDP source port as a nonkey field and enables collecting the value of the UDP source port fields from the flow.
Command Default
The UDP fields are not configured as nonkey fields.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
Support for this command was added for Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE for the Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The Flexible NetFlow collect commands are used to configure nonkey fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record. The values in nonkey fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for nonkey fields are taken from only the first packet in the flow.
Examples
The following example configures the UDP destination port as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport udp destination-port
The following example configures the UDP message length as a nonkey field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport udp message-length
The following example configures the UDP source port as a non-key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# collect transport udp source-port
Examples
The following example configures the UDP source port as a nonkey field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# collect transport udp source-port
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
debug flow exporter
To enable debugging output for Flexible NetFlow flow exporters, use the debugflowexporter command in privileged EXEC mode. To disable debugging output, use the no form of this command.
(Optional) The name of a flow exporter that was previously configured.
error
(Optional) Enables debugging for flow exporter errors.
event
(Optional) Enables debugging for flow exporter events.
packets
(Optional) Enables packet-level debugging for flow exporters.
number
(Optional) The number of packets to debug for packet-level debugging of flow exporters. Range: 1 to 65535.
Command Modes
Privileged EXEC (#)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Examples
The following example indicates that a flow exporter packet has been queued for process send:
Router# debug flow exporter
May 21 21:29:12.603: FLOW EXP: Packet queued for process send
Related Commands
Command
Description
clearflowexporter
Clears the Flexible NetFlow statistics for exporters.
debug flow monitor
To enable debugging output for Flexible NetFlow flow monitors, use the debugflowmonitor command in privileged EXEC mode. To disable debugging output, use the no form of this command.
To enable debugging output for Flexible NetFlow flow records, use the
debugflowrecord command in privileged EXEC mode. To disable debugging output, use the
no form of this command.
no debugflowrecord
[ [name] record-name | netflow
{ ipv4 | ipv6 }
record [peer] | netflow-v5 | optionssampler-table
]
Syntax Description
name
(Optional) Specifies the name of a flow record.
record-name
(Optional) Name of a user-defined flow record that was previously configured.
netflow-original
(Optional) Specifies the traditional IPv4 input NetFlow with origin autonomous systems.
netflow{ipv4 |
ipv6} record
(Optional) Specifies the name of the NetFlow predefined record. See the table below.
peer
(Optional) Includes peer information for the NetFlow predefined records that support the peer keyword.
Note
The peer keyword is not supported for every type of NetFlow predefined record. See the table below.
options
(Optional) Includes information on other flow record options.
exporter-statistics
(Optional) Includes information on the flow exporter statistics.
interface-table
(Optional) Includes information on the interface tables.
sampler-table
(Optional) Includes information on the sampler tables.
vrf-id-name-table
(Optional) Includes information on the virtual routing and forwarding (VRF) ID-to-name tables.
platform-originalipv4record
Configures the flow monitor to use one of the predefined IPv4 records.
platform-original ipv6record
Configures the flow monitor to use one of the predefined IPv6 records.
detailed
(Optional) Displays detailed information.
error
(Optional) Displays errors only.
Command Modes
Privileged EXEC (#)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.4(20)T
This command was modified. The
ipv6 keyword was added in Cisco IOS Release 12.4(20)T.
15.0(1)M
This command was modified. The
vrf-id-name-table keyword was added.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY without support for the
netflow-original, netflow, ipv4, netflow, ipv6 and peer keywords. The
platform-originalipv4 and
platform-originalipv6 keywords were added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE without the support for the
netflow-original,
options exporter-statistics,
options interface-table and
option vrf-id-name-table keywords.
Usage Guidelines
The table below describes the keywords and descriptions for the
record argument.
Table 1 Keywords and Descriptions for the record Argument
Keyword
Description
IPv4 Support
IPv6 Support
as
Autonomous system record.
Yes
Yes
as-tos
Autonomous system and type of service (ToS) record.
Yes
—
bgp-nexthop-tos
BGP next-hop and ToS record.
Yes
—
bgp-nexthop
BGP next-hop record.
—
Yes
destination
Original 12.2(50)SY platform IPv4/IPv6 destination record.
Yes
Yes
destination-prefix
Destination prefix record.
Note
For IPv6, a minimum prefix mask length of 0 bits is assumed.
Yes
Yes
destination-prefix-tos
Destination prefix and ToS record.
Yes
—
destination-source
Original 12.2(50)SY platform IPv4/IPv6 destination-source record.
Yes
Yes
full
Original 12.2(50)SY platform IPv4/IPv6 full record.
Yes
Yes
interface-destination
Original 12.2(50)SY platform IPv4/IPv6 interface-destination record.
Yes
Yes
interface-destination-source
Original 12.2(50)SY platform IPv4/IPv6 interface-destination-source record.
Yes
Yes
interface-full
Original 12.2(50)SY platform IPv4/IPv6 interface-full record.
Yes
Yes
interface-source
Original 12.2(50)SY platform IPv4/IPv6 interface-source only record.
Yes
Yes
original-input
Traditional IPv4 input NetFlow.
Yes
Yes
original-output
Traditional IPv4 output NetFlow.
Yes
Yes
prefix
Source and destination prefixes record.
Note
For IPv6, a minimum prefix mask length of 0 bits is assumed.
Yes
Yes
prefix-port
Prefix port record.
Note
The
peer keyword is not available for this record.
Yes
—
prefix-tos
Prefix ToS record.
Yes
—
protocol-port
Protocol ports record.
Note
The
peer keyword is not available for this record.
Yes
Yes
protocol-port-tos
Protocol port and ToS record.
Note
The
peer keyword is not available for this record.
Yes
—
source
Original 12.2(50)SY platform IPv4/IPv6 source only record.
Yes
Yes
source-prefix
Source autonomous system and prefix record.
Note
For IPv6, a minimum prefix mask length of 0 bits is assumed.
Yes
Yes
source-prefix-tos
Source prefix and ToS record.
Yes
—
Examples
The following example enables debugging for the flow record:
Router# debug flow record FLOW-record-1
Related Commands
Command
Description
flowrecord
Create a Flexible NetFlow flow record.
debug sampler
To enable debugging output for Flexible NetFlow samplers, use the debugsampler command in privileged EXEC mode. To disable debugging output, use the no form of this command.
(Optional) Enables detailed debugging for sampler elements.
error
(Optional) Enables debugging for sampler errors.
name
(Optional) Specifies the name of a sampler.
sampler-name
(Optional) Name of a sampler that was previously configured.
samplingsamples
(Optional) Enables debugging for sampling and specifies the number of samples to debug.
Command Modes
Privileged EXEC (#)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Examples
The following sample output shows that the debug process has obtained the ID for the sampler named SAMPLER-1:
Router# debug sampler detailed
*Oct 28 04:14:30.883: Sampler: Sampler(SAMPLER-1: flow monitor FLOW-MONITOR-1 (ip,Et1/0,O) get ID succeeded:1
*Oct 28 04:14:30.971: Sampler: Sampler(SAMPLER-1: flow monitor FLOW-MONITOR-1 (ip,Et0/0,I) get ID succeeded:1
Related Commands
Command
Description
clearsampler
Clears the Flexible NetFlow sampler statistics.
default (Flexible NetFlow)
To configure the default values for a Flexible NetFlow (FNF) flow exporter, use the default command in Flexible NetFlow flow exporter configuration mode.
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE without the support for the
option application-table ,
option vrf-table,
and
output-features keywords.
Usage Guidelines
Use the default command to configure the default values for an FNF flow exporter. The flow exporter information is needed to export the data metrics to a specified destination, port number, and so on.
Examples
The following example shows how to set the default destination for an FNF flow exporter:
To configure a description for a Flexible NetFlow flow sampler, flow monitor, flow exporter, or flow record, use the description command in the appropriate configuration mode. To remove a description, use the no form of this command.
descriptiondescription
nodescription
Syntax Description
description
Text string that describes the flow sampler, flow monitor, flow exporter, or flow record.
Command Default
The default description for a Flexible NetFlow flow sampler, flow monitor, flow exporter, or flow record is “User defined”.
To configure an export destination for a Flexible NetFlow flow exporter, use the
destination command in Flexible NetFlow flow exporter configuration mode. To remove an export destination for a Flexible NetFlow flow exporter, use the
no form of this command.
IP address of the workstation to which you want to send the NetFlow information.
hostname
Hostname of the device to which you want to send the NetFlow information.
vrfvrf-name
Specifies that the export data packets are to be sent to the named Virtual Private Network (VPN) routing and forwarding (VRF) instance for routing to the destination, instead of to the global routing table.
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
15.1(3)T
This command was modified. Support for the Cisco Performance Monitor was added.
12.2(58)SE
This command was modified. Support for the Cisco Performance Monitor was added.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T and added support for exporting data to a destination using an IPv6 address.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
Each flow exporter can have only one destination address or hostname.
For some releases, you can export data to a destination using an IPv6 address.
When you configure a hostname instead of the IP address for the device, the hostname is resolved immediately and the IP address is stored in the running configuration. If the hostname-to-IP-address mapping that was used for the original domain name system (DNS) name resolution changes dynamically on the DNS server, the router does not detect this, and the exported data continues to be sent to the original IP address, resulting in a loss of data. Resolving the hostname immediately is a prerequisite of the export protocol, to ensure that the templates and options arrive before the data
Examples
The following example shows how to configure the networking device to export the Flexible NetFlow cache entry to a destination system:
The following example shows how to configure the networking device to export the Flexible NetFlow cache entry to a destination system using a VRF named VRF-1:
To configure a differentiated services code point (DSCP) value for Flexible NetFlow flow exporter datagrams, use the dscp command in Flexible NetFlow flow exporter configuration mode. To remove a DSCP value for Flexible NetFlow flow exporter datagrams, use the no form of this command.
dscpdscp
nodscp
Syntax Description
dscp
The DSCP to be used in the DSCP field in exported datagrams. Range: 0 to 63. Default: 0.
Command Default
The differentiated services code point (DSCP) value is 0.
To configure a flow exporter for a flow monitor, use the exporter command in the appropriate configuration mode. To remove a flow exporter for a flow monitor, use the no form of this command.
exporterexporter-name
noexporterexporter-name
Syntax Description
exporter-name
Name of a flow exporter that was previously configured.
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
15.1(3)T
This command was modified. Support for the Cisco Performance Monitor was added. Support was added for policy configuration mode and policy monitor configuration configuration mode.
12.2(58)SE
This command was modified. Support for the Cisco Performance Monitor was added.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
You must have already created a flow exporter by using the flowexporter command before you can apply the flow exporter to a flow monitor with the exporter command.
For Performance Monitor, you can associate a flow exporter with a flow monitor while configuring either a flow monitor, policy map, or service policy.
Note
You can configure up to 5 flow exporters after using the flow monitor type performance-monitor command.
Examples
The following example configures an exporter for a flow monitor:
The following example shows one of the ways to configure a flow exporter for Performance Monitor:
Device(config)# policy-map type performance-monitor policy-4
Device(config-pmap)# class class-4
Device(config-pmap-c)# flow monitor monitor-4
Device(config-pmap-c-flowmon)# exporter exporter-4
Related Commands
Command
Description
flowexporter
Creates a flow exporter.
flowmonitor
Creates a flow monitor.
flowmonitortypeperformance-monitor
Creates a flow monitor for Performance Monitor.
policy-maptypeperformance-monitor
Creates a policy map for Performance Monitor
service-policytypeperformance-monitor
Associates policy map with an interface for Performance Monitor.
export-protocol
To configure the export protocol for a Flexible NetFlow exporter, use the
export-protocol command in Flexible NetFlow flow exporter configuration mode. To restore the use of the default export protocol for a Flexible NetFlow exporter, use the
no form of this command.
To create a Flexible NetFlow flow exporter, or to modify an existing Flexible NetFlow flow exporter, and enter Flexible NetFlow flow exporter configuration mode,
use the flowexporter command in global configuration mode. To remove a Flexible NetFlow flow exporter, use the no form of this command.
flowexporterexporter-name
noflowexporterexporter-name
Syntax Description
exporter-name
Name of the flow exporter that is being created or modified.
Command Default
Flexible NetFlow flow exporters are not present in the configuration.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
15.1(2)S
This command was modified. A hash collision between the name supplied and any existing name is now possible. If this happens, you can retry, supplying another name
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
Flow exporters export the data in the flow monitor cache to a remote system, such as a server running Flexible NetFlow collector, for analysis and storage. Flow exporters are created as separate entities in the configuration. Flow exporters are assigned to flow monitors to provide data export capability for the flow monitors. You can create several flow exporters and assign them to one or more flow monitors to provide several export destinations. You can create one flow exporter and apply it to several flow monitors.
In Cisco IOS Release 15.1(2)S and later releases, a hash collision between the name supplied and any existing name is possible. If this happens, you can retry, supplying another name.
Examples
The following example creates a flow exporter named FLOW-EXPORTER-1 and enters Flexible NetFlow flow exporter configuration mode:
The following example shows the output when there is a hash collision between the name supplied and any existing name:
Router(config-flow-exporter)# flow exporter FLOW-EXPORTER-1
% Flow Exporter: Failure creating Flow Exporter 'FLOW-EXPORTER-1' (Hash value in use).
Related Commands
Command
Description
clear
flow
exporter
Clears the statistics for flow exporters.
debug flow
exporter
Enables debugging output for flow exporters.
flow hardware
To configure Flexible NetFlow hardware parameters, use the flowhardware command in global configuration mode. To unconfigure Flexible NetFlow hardware parameters, use the no form of this command.
(Optional) The total CPU utilization threshold percentage.
linecard-threshold-percentage
(Optional) The line-card CPU utilization threshold percentage.
usagenotifyinput
(Optional) Configures NetFlow table utilization parameters for traffic that the router is receiving.
usagenotifyoutput
(Optional) Configures NetFlow table utilization parameters for traffic that the router is transmitting.
table-threshold-percentage
(Optional) The NetFlow table utilization threshold percentage.
seconds
(Optional) The NetFlow table utilization time interval, in seconds.
Command Default
Flexible NetFlow hardware parameters are not configured.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.2(50)SY
This command was introduced.
Usage Guidelines
Flow exporters export the data in the flow monitor cache to a remote system, such as a server running Flexible NetFlow collector, for analysis and storage. The number and complexity of flow records to be exported is the prime cause of CPU use in NetFlow. The CPU Friendly NetFlow Export feature (also known as Yielding NetFlow Data Export, or Yielding NDE) monitors CPU use for both the supervisor and line cards according to user-configured thresholds and dynamically adjusts the rate of export as needed.
A system reload is needed for egress NetFlow mode change. If egress NetFlow is disabled and you attempt to configure any feature that requires an egress NetFlow, an error message will be displayed indicating that egress NetFlow must be enabled for this feature to function. You should enable egress NetFlow, reload the system, and reconfigure the feature.
Examples
The following example configures CPU utilization thresholds for Flexible NetFlow flow export:
To create a Flexible NetFlow flow monitor, or to modify an existing Flexible NetFlow flow monitor, and enter Flexible NetFlow flow monitor configuration mode, use the
flowmonitor command in global configuration mode or in QoS policy-map-class configuration mode. To remove a Flexible NetFlow flow monitor, use the
no form of this command.
flowmonitormonitor-name
noflowmonitormonitor-name
Syntax Description
monitor-name
Name of the flow monitor that is being created or modified.
Command Default
Flexible NetFlow flow monitors are not present in the configuration.
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
15.1(2)S
This command was modified.
A hash collision between the name supplied and any existing name is now possible. If this happens, you can retry, supplying another name
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
15.2(4)M
This command was made available in QoS policy-map-class configuration mode.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic monitoring. Flow monitors consist of a record and a cache. You add the record to the flow monitor after you create the flow monitor. The flow monitor cache is automatically created at the time the flow monitor is applied to the first interface. Flow data is collected from the network traffic during the monitoring process based on the key and nonkey fields in the flow monitor's record and stored in the flow monitor cache.
In Cisco IOS Release 15.1(2)S and later releases, a hash collision between the name supplied and any existing name is possible. If this happens, you can retry, supplying another name.
Examples
The following example creates a flow monitor named FLOW-MONITOR-1 and enters Flexible NetFlow flow monitor configuration mode:
The following example shows the output when there is a hash collision between the name supplied and any existing name:
Router(config)# flow monitor FLOW-MONITOR-1
% Flow Monitor: could not create monitor.
Related Commands
Command
Description
clearflowmonitor
Clears the flow monitor.
debugflowmonitor
Enables debugging output for flow monitors.
flow platform
To configure Flexible NetFlow platform parameters, use the
flowplatformcommand in global configuration mode. To unconfigure Flexible
NetFlow platform parameters, use the
no form of this command.
Flexible NetFlow platform parameters are not configured.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.2(50)SY
This command was introduced.
Usage Guidelines
Hardware Flexible NetFlow table space is a valuable resource and
needs to managed. Older flows need to be identified as quickly as possible and
aged out (purged) to make way ultimately for new, more active flows. The older
the Flexible NetFlow data, the less it is useful for real-time monitoring of
traffic.
The common aging schemes are:
Inactive/normal aging:
age out flows that have had no activity in the preceding configured time.
Active/long aging: age
out flows that have lived for longer than the configured long aging period.
Fast aging: age out flows
that had some bursty activity followed by inactivity, for example, Domain Name
Service (DNS) resolution requests. This aging scheme is a function of the
creation time of a flow and the packet count.
TCP session aging: age
out flows pertaining to terminated TCP sessions.
Aggressive aging: age out
flows with user-configured aggressive aging inactivity timeout when table space
utilization exceeds a user-configured threshold.
In addition to purging older entries, NetFlow entries need to be
purged in response to certain configuration and network topology changes; for
example, interface or link going out of service.
Examples
The following example configures the active platform flow cache
timeout:
Router(config)# flow platform cache timeout active 60
To create a Flexible NetFlow flow record, or to modify an existing Flexible NetFlow flow record, and enter Flexible NetFlow flow record configuration mode, use the flowrecord command in global configuration mode. To remove a Flexible NetFlow flow record, use the no form of this command.
flowrecordrecord-name
noflowrecordrecord-name
Syntax Description
record-name
Name of the flow record that is being created or modified.
Command Default
A Flexible NetFlow flow record is not configured.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(2)S
This command was modified. A hash collision between the name supplied and any existing name is now possible. If this happens, you can retry, supplying another name
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
Flexible NetFlow uses key and nonkey fields just as original NetFlow does to create and populate flows in a cache. In Flexible NetFlow a combination of key and nonkey fields is called a record. Original NetFlow and Flexible NetFlow both use the values in key fields in IP datagrams, such as the IP source or destination address and the source or destination transport protocol port, as the criteria for determining when a new flow must be created in the cache while network traffic is being monitored. A flow
is defined as a stream of packets between a given source and a given destination. New flows are created whenever a packet that has a unique value in one of the key fields is analyzed.
In Cisco IOS Release 15.1(2)S and later releases, a hash collision between the name supplied and any existing name is possible. If this happens, you can retry, supplying another name.
Examples
The following example creates a flow record named FLOW-RECORD-1, and enters Flexible NetFlow flow record configuration mode:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)#
The following example shows the output when there is a hash collision between the name supplied and any existing name:
Router(config)# flow record FLOW-RECORD-1
% Flow Record: Failure creating new Flow Record (Hash value in use).
Related Commands
Command
Description
showflowrecord
Displays flow record status and statistics.
granularity
To configure the granularity of sampling for a Flexible NetFlow sampler, use the granularitycommand in Flexible NetFlow sampler configuration mode. To return the sampling configuration to the default value, use the no form of this command.
granularity
{ connection | packet }
nogranularity
Syntax Description
connection
Specifies that the sampling is done by connection.
To enable a Flexible NetFlow flow monitor for IPv4 traffic that the router is receiving or forwarding, use the ipflowmonitor command in interface configuration mode or subinterface configuration mode. To disable a Flexible NetFlow flow monitor, use the no form of this command.
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.4(22)T
This command was modified. The unicast and multicast keywords were added.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The layer2-switched keyword was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE without the support for the
multicast and
unicast keywords.
Usage Guidelines
You must have already created a flow monitor by using the flowmonitor command before you can apply the flow monitor to an interface with the ipflowmonitor command to enable traffic monitoring with Flexible NetFlow.
ip flow monitor sampler
When a sampler is added to a flow monitor, only packets that are selected by the named sampler will be entered into the cache to form flows. Each use of a sampler causes separate statistics to be stored for that usage.
You cannot add a sampler to a flow monitor after the flow monitor has been enabled on an interface. You must remove the flow monitor from the interface prior to enabling the same flow monitor with a sampler. See the “Examples” section for more information.
Note
The statistics for each flow must be scaled to give the expected true usage. For example, with a 1 in 10 sampler it is expected that the packet and byte counters will have to be multiplied by 10.
Multicast Traffic and Unicast Traffic
In Cisco IOS Release 12.4(22)T and later releases, the default behavior of the ipflowmonitorcommand is to analyze unicast and
multicast traffic. If you need to monitor only unicast traffic, use the unicast keyword. If you need to monitor only multicast traffic, use the multicast keyword.
Examples
The following example enables a flow monitor for monitoring input traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
The following example enables a flow monitor for monitoring output traffic on a subinterface:
Router(config)# interface ethernet0/0.1
Router(config-if)# ip flow monitor FLOW-MONITOR-1 output
The following example enables a flow monitor for monitoring only multicast input traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 multicast input
The following example enables a flow monitor for monitoring only unicast output traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 unicast output
The following example enables the same flow monitor on the same interface for monitoring input and output traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
Router(config-if)# ip flow monitor FLOW-MONITOR-1 output
The following example enables two different flow monitors on the same interface for monitoring input and output traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
Router(config-if)# ip flow monitor FLOW-MONITOR-2 output
The following example enables the same flow monitor on two different interfaces for monitoring input and output traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
Router(config-if)# exit
Router(config)# interface ethernet1/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 output
The following example enables two different flow monitors on two different interfaces for monitoring input and output traffic:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
Router(config-if)# exit
Router(config)# interface ethernet1/0
Router(config-if)# ip flow monitor FLOW-MONITOR-2 output
The following example enables a flow monitor for monitoring input traffic, with a sampler to limit the input packets that are sampled:
The following example enables two different flow monitors for monitoring input and output traffic, with a sampler on the flow monitor that is monitoring input traffic to limit the input packets that are sampled:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input
Router(config-if)# ip flow monitor FLOW-MONITOR-2 output
The following example enables two different flow monitors for monitoring input and output traffic, with a sampler on the flow monitor that is monitoring output traffic to limit the output packets that are sampled:
Router(config)# interface ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-2 input
Router(config-if)# ip flow monitor FLOW-MONITOR-2 sampler SAMPLER-2 output
The following example shows what happens when you try to add a sampler to a flow monitor that has already been enabled on an interface without a sampler:
Router(config)# interface Ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input
% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in full mode and cannot be enabled with a sampler.
The following example shows how to remove a flow monitor from an interface so that it can be enabled with the sampler:
Router(config)# interface Ethernet0/0
Router(config-if)# no ip flow monitor FLOW-MONITOR-1 input
Router(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input
The following example shows what happens when you try to remove a sampler from a flow monitor on an interface by entering the flowmonitor command again without the sampler keyword and argument:
Router(config)# interface Ethernet0/0
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in sampled mode and cannot be enabled in full mode.
The following example shows how to remove the flow monitor that was enabled with a sampler from the interface so that it can be enabled without the sampler:
Router(config)# interface Ethernet0/0
Router(config-if)# no ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input
Router(config-if)# ip flow monitor FLOW-MONITOR-1 input
Related Commands
Command
Description
flowmonitor
Creates a flow monitor.
sampler
Creates a flow sampler.
ipv6 flow monitor
To enable a Flexible NetFlow flow monitor for IPv6 traffic that the router is receiving or forwarding, use the
ipv6flowmonitor command in interface configuration mode or subinterface configuration mode. To disable a Flexible NetFlow flow monitor, use the
no form of this command.
This command was modified. The
unicast and
multicast keywords were added.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The
multicast keyword was not supported.
15.1(1)SY
This command was modified. The
layer2-bridged keyword was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE without the support for the
multicast and
unicast keywords.
Usage Guidelines
You must have already created a flow monitor by using the
flowmonitor command before you can apply the flow monitor to an interface with the
ipv6flowmonitor command to enable traffic monitoring with Flexible NetFlow.
ipv6 flow monitor sampler
When a sampler is added to a flow monitor, only packets that are selected by the named sampler will be entered into the cache to form flows. Each use of a sampler causes separate statistics to be stored for that usage.
You cannot add a sampler to a flow monitor after the flow monitor has been enabled on an interface. You must remove the flow monitor from the interface prior to enabling the same flow monitor with a sampler. See the “Examples” section for more information.
Note
The statistics for each flow must be scaled to give the expected true usage. For example, with a 1 in 10 sampler it is expected that the packet and byte counters will have to be multiplied by 10.
Multicast Traffic and Unicast Traffic
In Cisco IOS Release 12.4(22)T and later releases, the default behavior of the
ipflowmonitor command is to analyze unicast
and multicast traffic. If you need to monitor only unicast traffic, use the
unicast keyword. If you need to monitor only multicast traffic, use the
multicast keyword.
Examples
The following example enables a flow monitor for monitoring input IPv6 traffic:
The following example enables two different flow monitors for monitoring input and output IPv6 traffic, with a sampler on the flow monitor that is monitoring input IPv6 traffic to limit the input packets that are sampled:
The following example enables two different flow monitors for monitoring input and output IPv6 traffic, with a sampler on the flow monitor that is monitoring output IPv6 traffic to limit the output packets that are sampled:
The following example shows what happens when you try to add a sampler to a flow monitor that has already been enabled on an interface without a sampler:
Router(config)# interface Ethernet0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 sampler SAMPLER-2 input
% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in full mode and cannot be enabled with a sampler.
The following example shows how to remove a flow monitor from an interface so that it can be enabled with the sampler:
The following example shows what happens when you try to remove a sampler from a flow monitor on an interface by entering the
flowmonitor command again without the
sampler keyword and argument:
Router(config)# interface Ethernet 0/0
Router(config-if)# ipv6 flow monitor FLOW-MONITOR-1 input
% Flow Monitor: Flow Monitor 'FLOW-MONITOR-1' is already on in sampled mode and cannot be enabled in full mode.
The following example shows how to remove the flow monitor that was enabled with a sampler from the interface so that it can be enabled without the sampler:
To configure the use of the application name as a key field for a flow record, use the
matchapplicationname command in flow record configuration mode. To disable the use of the application name as a key field for a flow record, use the
no form of this command.
matchapplicationname
nomatchapplicationname
Syntax Description
This command has no arguments or keywords.
Command Default
The application name is not configured as a key field.
Command Modes
Flow record configuration (config-flow-record)
Command History
Release
Modification
15.0(1)M
This command was introduced.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures the application name as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match application name
Examples
The following example configures the application name as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match application name
Related Commands
Command
Description
collectapplicationname
Configures the use of application name as a nonkey field for a Flexible NetFlow flow record.
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
match connection id
To configure the connection ID as a key field for a flow record, use the
matchconnectionid command in flow record configuration mode. To disable the use of a connection ID field as a key field for a flow record, use the
no form of this command.
matchconnectionid
nomatchconnectionid
Syntax Description
This command has no arguments or keywords.
Command Default
The use of the connection ID as a key field for a user-defined flow record is not enabled.
Command Modes
flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS Release XE 3.9S
This command was introduced.
Usage Guidelines
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Examples
The following example configures the connection ID as a key field:
Router(config)# flow record RECORD-4
Router(config-flow-record)# match connection id
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
match connection transaction-id
To configure the transaction ID as a key field for a flow record, use the
matchconnectiontransaction-id command in flow record configuration mode. To disable the use of a transaction ID field as a key field for a flow record, use the
no form of this command.
matchconnectiontransaction-id
nomatchconnectiontransaction-id
Syntax Description
This command has no arguments or keywords.
Command Default
The use of the transaction ID as a key field for a user-defined flow record is not enabled.
Command Modes
flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE 3.4S
This command was introduced.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T for Cisco Performance Monitor.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the
flowrecordtypeperformance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
The transaction ID identifies a transaction within a connection. A transaction is a meaningful exchange of application data between two network devices or a client and server. A transaction ID is assigned the first time a flow is reported, so that later reports for the same flow will have the same transaction ID. A different transaction ID is used for each transaction within a TCP or UDP connection. The identifiers are not required to be sequential.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
The transaction ID field is used to specify the transaction within the connection, for protocols where multiple transactions are used. The field is composed of the CFT-flow ID/pointer (the most significant bit) and the transaction counter within the connection specified by NBAR (least significant bit).
Examples
The following example configures the transaction ID as a key field:
Router(config)# flow record RECORD-4
Router(config-flow-record)# match connection transaction-id
Examples
The following example configures the transaction ID as a key field:
Router(config)# flow record type performance-monitor RECORD-1
Router(config-flow-record)# match connection transaction-id
Related Commands
Command
Description
flowrecord
Creates a flow record, and enters Flexible NetFlow flow record configuration mode.
flowrecordtypeperformance-monitor
Creates a flow record, and enters Performance Monitor flow record configuration mode.
match datalink dot1q priority
To configure the 802.1Q (dot1q) priority as a key field for a Flexible NetFlow flow record, use the
matchdatalinkdot1qpriority command in Flexible NetFlow flow record configuration mode. To disable the use of the 802.1Q priority as a key field for a Flexible NetFlow flow record, use the
no form of this command.
matchdatalinkdot1qpriority
nomatchdatalinkdot1qpriority
Command Default
The 802.1Q priority is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.2SE
This command was introduced.
Only the switch ports support it.
Usage Guidelines
The Flexible NetFlow
match commands are used to configure key fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record.
Examples
The following example configures the 802.1Q priority of traffic being received by the router as a key field for a Flexible NetFlow flow record
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink dot1q priority
Related Commands
Command
Description
flowrecord
Creates a flow record.
match datalink dot1q vlan
To configure the 802.1Q (dot1q) VLAN value as a key field for a Flexible NetFlow flow record, use the
matchdatalinkdot1qvlan command in Flexible NetFlow flow record configuration mode. To disable the use of the 802.1Q VLAN value as a key field for a Flexible NetFlow flow record, use the
no form of this command.
matchdatalinkdot1qvlan
{ input | output }
nomatchdatalinkdot1qvlan
{ input | output }
Syntax Description
input
Configures the 802.1Q VLAN ID of traffic being received by the router as a key field.
output
Configures the 802.1Q VLAN ID of traffic being transmitted by the router as a key field.
Command Default
The 802.1Q VLAN ID is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Only the switch ports support it.
Usage Guidelines
The
input and
output keywords of the
matchdatalinkdot1qvlan command are used to specify the observation point that is used by the
matchdatalinkdot1qvlan command to create flows based on the unique 802.1q VLAN IDs in the network traffic. For example, when you configure a flow record with the
matchdatalinkdot1qvlaninput command to monitor the simulated denial of service (DoS) attack in the figure below and apply the flow monitor to which the flow record is assigned in either input (ingress) mode on Ethernet interface 0/0.1 on R3 or output (egress) mode on Ethernet interface 1/0.1 on R3, the observation point is always Ethernet 0/0.1 on R3. The 802.1q VLAN ID that is used as a key field is 5.
Figure 27. Simulated DoS Attack (c)
The observation point of
match commands that do not have the input and/or output keywords is always the interface to which the flow monitor that contains the flow record with the
match commands is applied.
Examples
The following example configures the 802.1Q VLAN ID of traffic being received by the router as a key field for a Flexible NetFlow flow record
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink dot1q vlan input
Related Commands
Command
Description
flowrecord
Creates a flow record.
match datalink ethertype
To configure the ethertype as a key field for a Flexible NetFlow flow record, use the
matchdatalinkethertype command in Flexible NetFlow flow record configuration mode. To disable the use of the ethertype as a key field for a Flexible NetFlow flow record, use the
no form of this command.
matchdatalinkethertype
nomatchdatalinkethertype
Command Default
The ethertype is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
Cisco IOS XE Release 3.2SE
This command was introduced.
Usage Guidelines
The Flexible NetFlow
match commands are used to configure key fields for the flow monitor record and to enable capturing the values in the fields for the flow created with the record.
Examples
The following example configures the ethertype of traffic being received by the router as a key field for a Flexible NetFlow flow record
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink ethertype
Related Commands
Command
Description
flowrecord
Creates a flow record.
match datalink mac
To configure the use of MAC addresses as a key field for a Flexible NetFlow flow record, use the
matchdatalinkmac command in Flexible NetFlow flow record configuration mode. To disable the use of MAC addresses as a key field for a Flexible NetFlow flow record, use the
no form of this command.
match datalink mac
{ destination | source }
address
{ input | output }
no match datalink mac
{ destination | source }
address
{ input | output }
Syntax Description
destinationaddress
Configures the use of the destination MAC address as a key field.
sourceaddress
Configures the use of the source MAC address as a key field.
input
Packets received by the router.
output
Packets transmitted by the router.
Command Default
MAC addresses are not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
The
input and
output keywords of the
matchdatalinkmac command are used to specify the observation point that is used by the
matchdatalinkmac command to create flows based on the unique MAC addressees in the network traffic. For example, when you configure a flow record with the
matchdatalinkmacdestinationaddressinput command to monitor the simulated denial of service (DoS) attack in the figure below and apply the flow monitor to which the flow record is assigned in either input (ingress) mode on Ethernet interface 0/0.1 on R3 or output (egress) mode on Ethernet interface 1/0.1 on R3, the observation point is always Ethernet 0/0.1 on R3. The destination MAC address that is used a key field is aaaa.bbbb.cc04.
Figure 28. Simulated DoS Attack (d)
When the destination output mac address is configured, the value is the destination mac address of the output packet, even if the monitor the flow record is applied to is input only.
When the destination input mac address is configured, the value is the destination mac address of the input packet, even if the monitor the flow record is applied to is output only.
When the source output mac address is configured, the value is the source mac address of the output packet, even if the monitor the flow record is applied to is input only.
When the source input mac address is configured, the value is the source mac address of the input packet, even if the monitor the flow record is applied to is output only.
Examples
The following example configures the use of the destination MAC address of packets that are received by the router as a key field for a Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink mac destination address input
The following example configures the use of the source MAC addresses of packets that are transmitted by the router as a key field for a Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink mac source address output
Related Commands
Command
Description
flowrecord
Creates a flow record.
match datalink vlan
To configure the VLAN ID as a key field for a Flexible NetFlow flow record, use the matchdatalinkvlan command in Flexible NetFlow flow record configuration mode. To disable the use of the VLAN ID value as a key field for a Flexible NetFlow flow record, use the no form of this command.
matchdatalinkvlan
{ input | output }
nomatchdatalinkvlan
{ input | output }
Syntax Description
input
Configures the VLAN ID of traffic being received by the router as a key field.
output
Configures the VLAN ID of traffic being transmitted by the router as a key field.
Command Default
The VLAN ID is not configured as a key field.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Command History
Release
Modification
12.2(50)SY
This command was introduced.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Only the switch ports support it.
Examples
The following example configures the VLAN ID of traffic being received by the router as a key field for a Flexible NetFlow flow record:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match datalink vlan input
Related Commands
Command
Description
flowrecord
Creates a flow record.
match flow
To configure the flow direction and the flow sampler ID number as key fields for a flow record, use the
matchflow command in Flexible NetFlow flow record configuration or policy inline configuration mode. To disable the use of the flow direction and the flow sampler ID number as key fields for a flow record, use the
no form of this command.
matchflow
{ direction | sampler }
nomatchflow
{ direction | sampler }
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY and 15.1(1)SY
Configures the direction in which the flow was monitored as a key field.
sampler
Configures the flow sampler ID as a key field.
ctsdestinationgroup-tag
Configures the CTS destination field group as a key field.
ctssourcegroup-tag
Configures the CTS source field group as a key field.
Command Default
The CTS destination or source field group, flow direction and the flow sampler ID are not configured as key fields.
Command Modes
Flexible NetFlow flow record configuration (config-flow-record)
Policy inline configuration (config-if-spolicy-inline)
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T for Cisco Performance Monitor. Support was added for policy inline configuration mode.
12.2(58)SE
This command was modified. Support for the Cisco Performance Monitor was added.
12.2(50)SY
This command was modified. The
ctsdestinationgroup-tag and
ctssourcegroup-tag keywords were added. The
sampler keyword was removed.
15.1(1)SY
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE without the support for the
sampler keyword.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the
match command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
You must first enter the
service-policytypeperformance-monitorinline command.
match flow direction
This field indicates the direction of the flow. This is of most use when a single flow monitor is configured for input and output flows. It can be used to find and eliminate flows that are being monitored twice, once on input and once on output. This field may also be used to match up pairs of flows in the exported data when the two flows are flowing in opposite directions.
match flow sampler
This field contains the ID of the flow sampler used to monitor the flow. This is useful when more than one flow sampler is being used with different sampling rates. The flow exporter
optionsampler-table command will export options records with mappings of the flow sampler ID to the sampling rate so the collector can calculate the scaled counters for each flow.
Examples
The following example configures the direction the flow was monitored in as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match flow direction
The following example configures the flow sampler ID as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match flow sampler
The following example configures the CTS destination fields group as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match flow cts destination group-tag
The following example configures the CTS source fields group as a key field:
Router(config)# flow record FLOW-RECORD-1
Router(config-flow-record)# match flow cts source group-tag
The following example shows how to use the policy inline configuration mode to configure a service policy for Performance Monitor. The policy specifies that packets traversing Ethernet interface 0/0 that match the flow sampler ID will be monitored based on the parameters specified in the flow monitor configuration named fm2:
Router(config)# interface ethernet 0/0
Router(config-if)# service-policy type performance-monitor inline input
Router(config-if-spolicy-inline)# match flow sampler
Router(config-if-spolicy-inline)# flow monitor fm-2
Router(config-if-spolicy-inline)# exit
Related Commands
Command
Description
class-map
Creates a class map to be used for matching packets to a specified class.
flowexporter
Creates a flow exporter.
flowrecord
Creates a flow record.
service-policytypeperformance-monitor
Associates a Performance Monitor policy with an interface.