Feedback
match interface (Flexible NetFlow) through ttl (Flexible NetFlow)
- match interface (Flexible NetFlow)
- match ipv4
- match ipv4 destination
- match ipv4 source
- match ipv4 ttl
- match ipv6
- match ipv6 destination
- match ipv6 hop-limit
- match ipv6 source
- match transport
- match transport icmp ipv4
- match transport icmp ipv6
- mode (Flexible NetFlow)
- option (Flexible NetFlow)
- record
- sampler
- show flow exporter
- show flow interface
- show flow monitor
- show flow monitor cache aggregate
- show flow monitor cache filter
- show flow monitor cache sort
- show flow record
- show sampler
- source (Flexible NetFlow)
- template data timeout
- transport (Flexible NetFlow)
- ttl (Flexible NetFlow)
match interface (Flexible NetFlow)
To configure input and output interfaces as key fields for a flow record, use the match interface command in Flexible NetFlow flow record configuration mode. To disable the use of the input and output interfaces as key fields for a flow record, use the no form of this command.
match interface { input | output }
no match interface { input | output }
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match interface { input [physical] | output } [snmp]
no match interface { input [physical] | output } [snmp]
Syntax Description
input
Configures the input interface as a key field.
physical
(Optional) Configures the physical input interface as a key field and enables collecting the input interface from the flows.
output
Configures the output interface as a key field.
snmp
(Optional) Configures the simple network management protocol (SNMP) index of the input interface as a key field.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The physical and snmp keywords were added.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures the input interface as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match interface inputThe following example configures the output interface as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match interface outputThe following example configures the output interface as a key field:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match interface outputmatch ipv4
To configure one or more of the IPv4 fields as a key field for a flow record, use the match ipv4 command in Flexible NetFlow flow record configuration mode. To disable the use of one or more of the IPv4 fields as a key field for a flow record, use the no form of this command.
match ipv4 { dscp | header-length | id | option map | precedence | protocol | tos | version }
no match ipv4 { dscp | header-length | id | option map | precedence | protocol | tos | version }
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
match ipv4 protocol
no match ipv4 protocol
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match ipv4 { dscp | precedence | protocol | tos }
no match ipv4 { dscp | precedence | protocol | tos }
Cisco IOS XE Release 3.2SE
match ipv4 { protocol | tos | version }
match ipv4 { protocol | tos | version }
Syntax Description
dscp
Configures the IPv4 differentiated services code point (DSCP) (part of type of service [ToS]) as a key field.
header-length
Configures the IPv4 header length (in 32-bit words) as a key field.
id
Configures the IPv4 ID as a key field.
option map
Configures the bitmap representing which IPv4 options have been seen as a key field.
precedence
Configures the IPv4 precedence (part of ToS) as a key field.
protocol
Configures the IPv4 protocol as a key field.
tos
Configures the IPv4 ToS as a key field.
version
Configures the IP version from IPv4 header as a key field.
Command Default
The use of one or more of the IPv4 fields as a key field for a user-defined flow record is not enabled by default.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was modified for the Cisco Performance Monitor. The dscp, header-length, id, option map, precedence, tos, and version keywords were removed.
12.2(58)SE
This command was modified for the Cisco Performance Monitor. The dscp, header-length, id, option map, precedence, tos, and version keywords were removed.
12.2(50)SY
This command was modified. The header-length, id, option, map, and version keywords were not supported in Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was modified. The dscp, header-length, id, option map, and precedence keywords were removed.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
NoteSome of the keywords of the match ipv4 command are documented as separate commands. All of the keywords for the match ipv4 command that are documented separately start with match ipv4. For example, for information about configuring the IPv4 time-to-live (TTL) field as a key field for a flow record, refer to the match ipv4 ttl command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
Only the protocol keyword is available. You must first enter theflow record type performance-monitor command.
Examples
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
The following example configures the IPv4 DSCP field as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv4 dscpThe following example configures the IPv4 DSCP field as a key field for Cisco Performance Monitor:
Router(config)# flow record type performance-monitor FLOW-RECORD-1 Router(config-flow-record)# match ipv4 dscpmatch ipv4 destination
To configure the IPv4 destination address as a key field for a flow record, use the match ipv4 destination command in Flexible NetFlow flow record configuration mode. To disable the IPv4 destination address as a key field for a flow record, use the no form of this command.
match ipv4 destination { address | { mask | prefix } [ minimum-mask mask ] }
no match ipv4 destination { address | { mask | prefix } [ minimum-mask mask ] }
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
match ipv4 destination { address | prefix [ minimum-mask mask ] }
no match ipv4 destination { address | prefix [ minimum-mask mask ] }
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match ipv4 destination address
no match ipv4 destination address
Cisco IOS XE Release 3.2SE
match ipv4 destination address
no match ipv4 destination address
Syntax Description
address
Configures the IPv4 destination address as a key field.
mask
Configures the mask for the IPv4 destination address as a key field.
prefix
Configures the prefix for the IPv4 destination address as a key field.
minimum-mask mask
(Optional) Specifies the size, in bits, of the minimum mask. The range is 1 to 32.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Gigabit Switch Router (GSR).
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was modified for the Cisco Performance Monitor. The mask keyword was removed.
12.2(58)SE
This command was modified for the Cisco Performance Monitor. The mask keyword was removed.
12.2(50)SY
This command was modified. The mask, prefix, and minimum-mask keywords were removed.
Cisco IOS XE Release 3.2SE
This command was modified. The mask, prefix, and minimum-mask keywords were removed.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
The mask keyword is not available. You must first enter theflow record type performance-monitor command.
Examples
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
The following example configures a 16-bit IPv4 destination address prefix as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv4 destination prefix minimum-mask 16The following example specifies a 16-bit IPv4 destination address mask as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv4 destination mask minimum-mask 16The following example specifies a 16-bit IPv4 destination address mask as a key field for Cisco Performance Monitor:
Router(config)# flow record type performance-monitor FLOW-RECORD-1 Router(config-flow-record)# match ipv4 destination mask minimum-mask 16match ipv4 source
To configure the IPv4 source address as a key field for a flow record, use the match ipv4 source command in Flexible NetFlow flow record configuration mode. To disable the use of the IPv4 source address as a key field for a flow record, use the no form of this command.
match ipv4 source { address | { mask | prefix } [ minimum-mask mask ] }
no match ipv4 source { address | { mask | prefix } [ minimum-mask mask ] }
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
match ipv4 source { address | prefix [ minimum-mask mask ] }
no match ipv4 source { address | prefix [ minimum-mask mask ] }
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match ipv4 source address
no match ipv4 source address
Cisco IOS XE Release 3.2SE
match ipv4 source address
no match ipv4 source address
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(3)T
This command was modified for the Cisco Performance Monitor. The mask keyword was removed.
12.2(58)SE
This command was modified for the Cisco Performance Monitor. The mask keyword was removed.
12.2(50)SY
This command was modified. The mask, prefix, and minimum-mask keywords were removed.
Cisco IOS XE Release 3.2SE
This command was modified. The mask, prefix, and minimum-mask keywords were removed.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
The mask keyword is not available. You must first enter theflow record type performance-monitor command.
match ipv4 source prefix minimum-mask
The source address prefix field is the network part of the source address. The optional minimum mask allows a more information to be gathered about large networks.
match ipv4 source mask minimum-mask
The source address mask is the number of bits that make up the network part of the source address. The optional minimum mask allows a minimum value to be configured. This command is useful when there is a minimum mask configured for the source prefix field and the mask is to be used with the prefix. In this case, the values configured for the minimum mask should be the same for the prefix and mask fields.
Alternatively, if the collector knows the minimum mask configuration of the prefix field, the mask field can be configured without a minimum mask so that the true mask and prefix can be calculated.
Examples
Cisco Performance Monitor in Cisco IOS Release 15.1(3)T and 12.2(58)SE
The following example configures a 16-bit IPv4 source address prefix as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv4 source prefix minimum-mask 16The following example specifies a 16-bit IPv4 source address mask as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv4 source mask minimum-mask 16The following example specifies a 16-bit IPv4 source address mask as a key field for Cisco Performance Monitor:
Router(config)# flow record type performance-monitor FLOW-RECORD-1 Router(config-flow-record)# match ipv4 source mask minimum-mask 16match ipv4 ttl
To configure the IPv4 time-to-live (TTL) field as a key field for a flow record, use the match ipv4 ttl command in Flow NetFlow flow record configuration mode. To disable the use of the IPv4 TTL field as a key field for a flow record, use the no form of this command.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.5S for Cisco Performance Monitor.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures IPv4 TTL as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv4 ttlThe following example configures the IPv4 TTL as a key field:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match ipv4 ttlmatch ipv6
To configure one or more of the IPv6 fields as a key field for a flow record, use the match ipv6 command in Flexible NetFlow flow record configuration mode. To disable the use of one or more of the IPv6 fields as a key field for a flow record, use the no form of this command.
match ipv6 { dscp | flow-label | next-header | payload-length | precedence | protocol | traffic-class | version }
no match ipv6 { dscp | flow-label | next-header | payload-length | precedence | protocol | traffic-class | version }
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match ipv6 { dscp | precedence | protocol | tos }
no match ipv6 { dscp | precedence | protocol | tos }
Cisco IOS XE Release 3.2SE
match ipv6 { protocol | traffic-class | version }
no match ipv6 { protocol | traffic-class | version }
Syntax Description
dscp
Configures the IPv6 differentiated services code point DSCP (part of type of service (ToS)) as a key field.
flow-label
Configures the IPv6 flow label as a key field.
next-header
Configures the IPv6 next header as a key field.
payload-length
Configures the IPv6 payload length as a key field.
precedence
Configures the IPv6 precedence (part of ToS) as a key field.
protocol
Configures the IPv6 protocol as a key field.
tos
Configures the IPv6 ToS as a key field.
traffic-class
Configures the IPv6 traffic class as a key field.
version
Configures the IPv6 version from IPv6 header as a key field.
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The flow-label, next-header, payload-length,traffic-class, and version keywords were removed.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.2SE
This command was modified. The dscp, flow-label, next-header, payload-length, and precedence keywords were removed.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
NoteSome of the keywords of the match ipv6 command are documented as separate commands. All of the keywords for the match ipv6 command that are documented separately start with match ipv6. For example, for information about configuring the IPv6 hop limit as a key field for a flow record, refer to the match ipv6 hop-limit command.
Examples
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures the IPv6 DSCP field as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 dscpThe following example configures the IPv6 DSCP field as a key field:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match ipv6 dscpmatch ipv6 destination
To configure the IPv6 destination address as a key field for a flow record, use the match ipv6 destination command in Flexible Netflow flow record configuration mode. To disable the IPv6 destination address as a key field for a flow record, use the no form of this command.
match ipv6 destination { address | { mask | prefix } [ minimum-mask mask ] }
no match ipv6 destination { address | { mask | prefix } [ minimum-mask mask ] }
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match ipv6 destination address
no match ipv6 destination address
Cisco IOS XE Release 3.2SE
match ipv6 destination address
no match ipv6 destination address
Syntax Description
address
Configures the IPv6 destination address as a key field.
mask
Configures the mask for the IPv6 destination address as a key field.
prefix
Configures the prefix for the IPv6 destination address as a key field.
minimum-mask mask
(Optional) Specifies the size, in bits, of the minimum mask. Range: 1 to 128.
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The mask, prefix, and minimum-mask keywords were removed.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.2SE
This command was modified. The mask, prefix, and minimum-mask keywords were removed.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures a 16-bit IPv6 destination address prefix as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 destination prefix minimum-mask 16The following example specifies a 16-bit IPv6 destination address mask as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 destination mask minimum-mask 16The following example configures a 16-bit IPv6 destination address mask as a key field:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match ipv6 destination mask minimum-mask 16match ipv6 hop-limit
To configure the IPv6 hop limit as a key field for a flow record, use the match ipv6 hop-limit command in Flexible NetFlow flow record configuration mode. To disable the use of a section of an IPv6 packet as a key field for a flow record, use the no form of this command.
Command Default
The use of the IPv6 hop limit as a key field for a user-defined flow record is not enabled by default.
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures the hop limit of the packets in the flow as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 hop-limitThe following example configures the hop limit of the packets in the flow as a key field:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match ipv6 hop-limitmatch ipv6 source
To configure the IPv6 source address as a key field for a flow record, use the match ipv6 source command in Flexible NetFlow flow record configuration mode. To disable the use of the IPv6 source address as a key field for a flow record, use the no form of this command.
match ipv6 source { address | { mask | prefix } [ minimum-mask mask ] }
no match ipv6 source { address | { mask | prefix } [ minimum-mask mask ] }
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match ipv6 source address
no match ipv6 source address
Cisco IOS XE Release 3.2SE
match ipv6 source address
no match ipv6 source address
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The mask, prefix, and minimum-mask keywords were removed.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.2SE
This command was modified. The mask, prefix, and minimum-mask keywords were removed.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures a 16-bit IPv6 source address prefix as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 source prefix minimum-mask 16The following example specifies a 16-bit IPv6 source address mask as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 source mask minimum-mask 16The following example configures the 16-bit IPv6 source address mask as a key field:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match ipv6 source mask minimum-mask 16match transport
To configure one or more of the transport fields as a key field for a flow record, use the match transport command in Flexible NetFlow flow record configuration mode. To disable the use of one or more of the transport fields as a key field for a flow record, use the no form of this command.
match transport { destination-port | igmp type | source-port }
no match transport { destination-port | igmp type | source-port }
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match transport { destination-port | source-port }
no match transport { destination-port | source-port }
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The igmp type keyword combination was removed.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures the destination port as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport destination-portThe following example configures the source port as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport source-portThe following example configures the source port as a key field:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match transport source-portmatch transport icmp ipv4
To configure the ICMP IPv4 type field and the code field as key fields for a flow record, use the match transport icmp ipv4 command in Flexible NetFlow flow record configuration mode. To disable the use of the ICMP IPv4 type field and code field as key fields for a flow record, use the no form of this command.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures the IPv4 ICMP code field as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport icmp ipv4 codeThe following example configures the IPv4 ICMP type field as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport icmp ipv4 typeThe following example configures the IPv4 ICMP type field as a key field:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match transport icmp ipv4 typematch transport icmp ipv6
To configure the internet control message protocol ICMP IPv6 type field and the code field as key fields for a flow record, use the match transport icmp ipv6 command in Flexible NetFlow flow record configuration mode. To disable the use of the ICMP IPv6 type field and code field as key fields for a flow record, use the no form of this command.
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented on for the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A Flow Record requires at least one key field before it can be used in a Flow Monitor. The Key fields differentiate Flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures the IPv6 ICMP code field as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport icmp ipv6 codeThe following example configures the IPv6 ICMP type field as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match transport icmp ipv6 typeThe following example configures the IPv6 ICMP type field as a key field:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match transport icmp ipv6 typemode (Flexible NetFlow)
To specify the type of sampling and the packet interval for a Flexible NetFlow sampler, use the mode command in Flexible NetFlow sampler configuration mode. To unconfigure the type of sampling and the packet interval for a Flexible NetFlow sampler, use the no form of this command.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
Deterministic Mode
In deterministic mode, packets are chosen periodically based on the configured interval. This mode has less overhead than random mode and can be useful when the router samples traffic that is random in nature.
Random Mode
In random mode, packets are chosen in a manner that should eliminate any bias from traffic patterns and counter any attempt by users to avoid monitoring.
Examples
The following example enables deterministic sampling with a window size of 1000:
Router(config)# sampler SAMPLER-1 Router(config-sampler)# mode deterministic 1 out-of 1000The following example enables random sampling with a window size of 1000:
Router(config)# sampler SAMPLER-1 Router(config-sampler)# mode random 1 out-of 1000option (Flexible NetFlow)
To configure optional data parameters for a flow exporter for Flexible NetFlow or the Cisco Performance Monitor, use the option command in Flexible NetFlow flow exporter configuration mode. To remove optional data parameters for a flow exporter, use the no form of this command.
option { application-attributes | application-table | exporter-stats | class-qos-table | interface-table | policy-qos-table | sampler-table | sub-application-table | vrf-table } [ timeout seconds ]
no option { application-attributes | application-table | class-qos-table | exporter-stats | interface-table | policy-qos-table | sampler-table | sub-application-table | vrf-table }
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
option { exporter-stats | interface-table | sampler-table | vrf-table } [ timeout seconds ]
no option { exporter-stats | interface-table | sampler-table | vrf-table }
Cisco IOS XE Release 3.2SE
option { exporter-stats | interface-table | sampler-table } [ timeout seconds ]
option { exporter-stats | interface-table | sampler-table } [ timeout seconds ]
Syntax Description
application-attributes
Configures the application attributes option for flow exporters.
application-table
Configures the application table option for flow exporters.
class-qos-table
Configures the QoS class table option for flow exporters.
exporter-stats
Configures the exporter statistics option for flow exporters.
interface-table
Configures the interface table option for flow exporters.
policy-qos-table
Configures the QoS policy table option for flow exporters.
sampler-table
Configures the export sampler information option for flow exporters.
sub-application-table
Configures the subapplication table option for flow exporters.
vrf-table
Configures the virtual routing and forwarding (VRF) ID-to-name table option for flow exporters.
timeout seconds
(Optional) Configures the option resend time in seconds for flow exporters. The range is from 1 to 86400. The default is 600.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
15.0(1)M
This command was modified. The application-table and vrf-table keywords were added.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
15.1(3)T
This command was modified. Support for the Cisco Performance Monitor was added.
12.2(58)SE
This command was modified. Support for the Cisco Performance Monitor was added.
12.2(50)SY
This command was modified. The application-table keyword was removed.
Cisco IOS XE Release 3.5S
This command was modified. The application-attributes keyword was added.
15.2(1)S2
This command was modified. The sub-application-table keyword was added.
Cisco IOS XE Release 3.7S
This command was integrated into Cisco IOS XE Release 3.7S.
15.2(4)M2
This command was modified. The class-qos-table and policy-qos-table keywords were added.
15.3(1)T
This command was integrated into Cisco IOS Release 15.3(1)T.
Cisco IOS XE Release 3.2SE
This command was modified. The application-attributes, application-table , and vrf-table keywords were removed.
Usage Guidelines
The option command can be used with both Flexible NetFlow and the Cisco Performance Monitor.
Use the timeout keyword to alter the frequency at which reports are sent.
option application-attributes
The option application-attributes command causes the periodic sending of network-based application recognition (NBAR) application attributes to the collector.
The following application attributes are sent to the collector per protocol:
- Application-Group—Groups applications that belong to the same networking application.
- Category—Provides first-level categorization for each application.
- Encrypted—Specifies whether the application is an encrypted networking protocol.
- P2P-Technology—Specifies whether the application is based on peer-to-peer technology.
- Sub-Category—Provides second-level categorization for each application.
- Tunnel-Technology—Specifies whether the application tunnels the traffic of other protocols.
option application-table
The option application-table command enables the periodic sending of an options table that allows the collector to map NBAR application IDs provided in the flow records to application names.
option class-qos-table
The option class-qos-table command enables the periodic sending of an options table that allows the collector to map QoS class IDs to class names in the flow records.
option exporter-stats
The option exporter-stats command enables the periodic sending of exporter statistics, including the number of records, bytes, and packets sent. This command allows the collector to estimate packet loss for the export records it receives.
option interface-table
The option interface-table enables the periodic sending of an options table that allows the collector to map the interface Simple Network Management Protocol (SNMP) indexes provided in flow records to interface names.
option policy-qos-table
The option policy-qos-table command enables the periodic sending of an options table that allows the collector to map QoS policy IDs to policy names in the flow records.
option sampler-table
The option sampler-table command enables the periodic sending of an options table that provides complete information about the configuration of each sampler and allows the collector to map the sampler ID provided in any flow record to a configuration that it can use to scale up the flow statistics.
option sub-application-table
The option sub-application-table command enables the periodic sending of an options table that allows the collector to map NBAR subapplication tags, subapplication names, and subapplication descriptions provided in the flow records to application IDs.
option vrf-table
The option vrf-table command enables the periodic sending of an options table that allows the collector to map the VRF IDs provided in the flow records to VRF names.
Examples
The following example shows how to enable the periodic sending of NBAR application attributes to the collector:
Device(config)# flow exporter FLOW-EXPORTER-1 Device(config-flow-exporter)# option application-attributesThe following example shows how to enable the periodic sending of an options table that allows the collector to map QoS class IDs provided in flow records to class names:
Device(config)# flow exporter FLOW-EXPORTER-1 Device(config-flow-exporter)# option class-qos-tableThe following example shows how to enable the periodic sending of an options table that allows the collector to map QoS policy IDs provided in flow records to policy names:
Device(config)# flow exporter FLOW-EXPORTER-1 Device(config-flow-exporter)# option policy-qos-tableThe following example shows how to enable the periodic sending of exporter statistics, including the number of records, bytes, and packets sent:
Device(config)# flow exporter FLOW-EXPORTER-1 Device(config-flow-exporter)# option exporter-statsThe following example shows how to enable the periodic sending of an options table that allows the collector to map the interface SNMP indexes provided in flow records to interface names:
Device(config)# flow exporter FLOW-EXPORTER-1 Device(config-flow-exporter)# option interface-tableThe following example shows how to enable the periodic sending of an options table that allows the collector to map NBAR application IDs provided in flow records to application names:
Device(config)# flow exporter FLOW-EXPORTER-1 Device(config-flow-exporter)# option application-tableThe following example shows how to enable the periodic sending of an options table that details the configuration of each sampler and allows the collector to map the sampler ID provided in any flow record to a configuration that the collector can use to scale up the flow statistics:
Device(config)# flow exporter FLOW-EXPORTER-1 Device(config-flow-exporter)# option sampler-tableThe following example shows how to enable the periodic sending of an options table that allows the collector to map the NBAR subapplication tags, subapplication names, and subapplication descriptions provided in flow records to application IDs:
Device(config)# flow exporter FLOW-EXPORTER-1 Device(config-flow-exporter)# option sub-application-tableThe following example shows how to enable the periodic sending of an options table that allows the collector to map the VRF IDs provided in flow records to VRF names:
Device(config)# flow exporter FLOW-EXPORTER-1 Device(config-flow-exporter)# option vrf-tablerecord
To configure a flow record for a Flexible NetFlow flow monitor, use the record command in Flexible NetFlow flow monitor configuration mode. To remove a flow record for a Flexible NetFlow flow monitor, use the no form of this command.
record { record-name | netflow-original | netflow { ipv4 | ipv6 } record [peer] }
no record
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
record { record-name | platform-original { ipv4 | ipv6 } record }
no record
Cisco IOS XE Release 3.2SE
record record-name
no record
Syntax Description
record-name
Name of a user-defined flow record that was previously configured.
netflow-original
Configures the flow monitor to use the Flexible NetFlow implementation of original NetFlow with origin autonomous systems.
netflow ipv4
Configures the flow monitor to use one of the predefined IPv4 records.
netflow ipv6
Configures the flow monitor to use one of the predefined IPv6 records. This keyword is not supported on the Cisco ASR 1000 Series Aggregation Services router.
record
Name of the predefined record. See the table below for a listing of the available records and their definitions.
peer
(Optional) Configures the flow monitor to use one of the predefined records with peer autonomous systems. The peer keyword is not supported for every type of Flexible NetFlow predefined record. See the table below.
platform-original ipv4
Configures the flow monitor to use one of the predefined IPv4 records.
platform-original ipv4
Configures the flow monitor to use one of the predefined IPv6 records.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.4(20)T
This command was modified. The ipv6 keyword was added.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
12.2(50)SY
This command was modified. The netflow-original , netflow ipv4 , and netflow ipv6 keywords were removed.
The platform-originalipv4a nd platform-originalipv4 keywords were added.
Cisco IOS XE Release 3.2SE
This command was modified. The netflow-original , netflow ipv4 , and netflow ipv6 keywords were removed.
Usage Guidelines
Each flow monitor requires a record to define the contents and layout of its cache entries. The flow monitor can use one of the wide range of predefined record formats, or advanced users may create their own record formats.
NoteYou must use the no ip flowmonitor command to remove a flow monitor from all of the interfaces to which you have applied it before you can modify the parameters for the record command for the flow monitor.
The table below describes the keywords and descriptions for the record argument.
Examples
The following example configures the flow monitor to use the NetFlow original record:
Router(config)# flow monitor FLOW-MONITOR-1 Router(config-flow-monitor)# record netflow-originalThe following example configures the flow monitor to use a user-defined record named collect-ipv4-data:
Router(config)# flow monitor FLOW-MONITOR-1 Router(config-flow-monitor)# record collect-ipv4-dataThe following example configures the flow monitor to use the Flexible NetFlow IPv4 destination prefix record:
Router(config)# flow monitor FLOW-MONITOR-1 Router(config-flow-monitor)# record netflow ipv4 destination-prefixThe following example configures the flow monitor to use a the Flexible NetFlow IPv6 destination prefix record:
Router(config)# flow monitor FLOW-MONITOR-1 Router(config-flow-monitor)# record netflow ipv6 destination-prefixsampler
To create a Flexible NetFlow flow sampler, or to modify an existing Flexible NetFlow flow sampler, and to enter Flexible NetFlow sampler configuration mode, use the sampler command in global configuration mode. To remove a sampler, use the no form of this command.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
15.1(2)S
This command was modified. A hash collision between the name supplied and any existing name is now possible. If this happens, you can retry, supplying another name.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
Flow samplers are used to reduce the load placed by Flexible NetFlow on the networking device to monitor traffic by limiting the number of packets that are analyzed. You configure a rate of sampling that is 1 out of a range of 2 to 32,768 packets. For example, a rate of 1 out of 2 results in analysis of 50 percent of the packets sampled. Flow samplers are applied to interfaces in conjunction with a flow monitor to implement sampled Flexible NetFlow.
To enable flow sampling, you configure the record that you want to use for traffic analysis and assign it to a flow monitor. When you apply a flow monitor with a sampler to an interface, the sampled packets are analyzed at the rate specified by the sampler and compared with the flow record associated with the flow monitor. If the analyzed packets meet the criteria specified by the flow record, they are added to the flow monitor cache.
In Cisco IOS Release 15.1(2)S and later releases, a hash collision between the name supplied and any existing name is possible. If this happens, you can retry, supplying another name.
Examples
The following example creates a flow sampler name SAMPLER-1:
Router(config)# sampler SAMPLER-1 Router(config-sampler)#The following example shows the output when there is a hash collision between the name supplied and any existing name:
Router(config-sampler)# sampler SAMPLER-1 % sampler: Failed to create a new Sampler (Hash value in use). Router(config)#show flow exporter
To display Flexible NetFlow flow exporter status and statistics, use the show flow exporter command in privileged EXEC mode.
show flow exporter [ export-ids { netflow-v5 | netflow-v9 } | [name] exporter-name [ statistics | templates ] [ option application { engines | table } ] ]
Cisco IOS XE Release 3.2SE
show flow exporter [ export-ids netflow-v9 | [name] exporter-name [ statistics | templates ] ]
Syntax Description
export-ids netflow-v5
(Optional) Displays the NetFlow Version 5 export fields that can be exported and their IDs.
export-ids netflow-v9
(Optional) Displays the NetFlow Version 9 export fields that can be exported and their IDs.
name
(Optional) Specifies the name of a flow exporter.
exporter-name
(Optional) Name of a flow exporter that was previously configured.
statistics
(Optional) Displays flow exporter statistics.
templates
(Optional) Displays flow exporter template information.
option application engines
(Optional) Displays the application engines option for flow exporters.
option application table
(Optional) Displays the application table option for flow exporters.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE 3.1S
This command was modified. The option and application keywords were added.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
15.2.(2)T
This command was modified. The ability to display IPv6 addresses was added.
Cisco IOS XE 3.5S
This command was modified. The ability to display IPv6 addresses was added.
Cisco IOS XE Release 3.2SE
This command was modified. The export-ids netflow-v5 , option application engines , and option application table keywords were removed.
Examples
The following example displays the status and statistics for all of the flow exporters configured on a router:
Router# show flow exporter Flow Exporter FLOW-MONITOR-1: Description: Exports to the datacenter Export protocol: NetFlow Version 9 Transport Configuration: Destination IP address: 172.16.10.2 Source IP address: 172.16.6.2 Source Interface: Ethernet0/0 Transport Protocol: UDP Destination Port: 650 Source Port: 55864 DSCP: 0x3F TTL: 15 Output Features: Used Flow Exporter FLOW-MONITOR-2: Description: Exports to the datacenter Export protocol: NetFlow Version 9 Transport Configuration: Destination IP address: 2222::2/64 Source IP address: 1111::1/64 Transport Protocol: UDP Destination Port: 4739 Source Port: 49936 DSCP: 0x0 TTL: 255 Output Features: Not Used Options Configuration: exporter-stats (timeout 120 seconds) interface-table (timeout 120 seconds)sampler-table (timeout 120 seconds)
The table below describes the significant fields shown in the display.
Table 2 show flow exporter Field Descriptions Field
Description
Flow Exporter
The name of the flow exporter that you configured.
Description
The description that you configured for the exporter, or the default description “User defined”.
Transport Configuration
The transport configuration fields for this exporter.
Destination IP address
The IP address of the destination host.
Source IP address
The source IP address used by the exported packets.
Transport Protocol
The transport layer protocol used by the exported packets.
Destination Port
The destination UDP port to which the exported packets are sent.
Source Port
The source UDP port from which the exported packets are sent.
DSCP
The differentiated services code point (DSCP) value.
TTL
The time-to-live value.
The following example displays the NetFlow Version 9 export IDs for all of the flow exporters configured on a router. This output will vary according to the flow record configured:
Router# show flow exporter export-ids netflow-v9 Export IDs used by fields in NetFlow-common export format: ip version : 60 ip tos : 194 ip dscp : 195 ip precedence : 196 ip protocol : 4 ip ttl : 192 ip ttl minimum : 52 ip ttl maximum : 53 ip length header : 189 ip length payload : 204 ip section header : 313 ip section payload : 314 routing source as : 16 routing destination as : 17 routing source as peer : 129 routing destination as peer : 128 routing source traffic-index : 92 routing destination traffic-index : 93 routing forwarding-status : 89 routing is-multicast : 206 routing next-hop address ipv4 : 15 routing next-hop address ipv4 bgp : 18 routing next-hop address ipv6 bgp : 63 ipv4 header-length : 207 ipv4 tos : 5 ipv4 total-length : 190 ipv4 total-length minimum : 25 ipv4 total-length maximum : 26 ipv4 id : 54 ipv4 fragmentation flags : 197 ipv4 fragmentation offset : 88 ipv4 source address : 8 ipv4 source prefix : 44 ipv4 source mask : 9 ipv4 destination address : 12 ipv4 destination prefix : 45 ipv4 destination mask : 13 ipv4 options : 208 transport source-port : 7 transport destination-port : 11 transport icmp-ipv4 type : 176 transport icmp-ipv4 code : 177 transport igmp type : 33 transport tcp source-port : 182 transport tcp destination-port : 183 transport tcp sequence-number : 184 transport tcp acknowledgement-number : 185 transport tcp header-length : 188 transport tcp window-size : 186 transport tcp urgent-pointer : 187 transport tcp flags : 6 transport udp source-port : 180 transport udp destination-port : 181 transport udp message-length : 205 interface input snmp : 10 interface output snmp : 14 interface name : 82 interface description : 83 flow direction : 61 flow exporter : 144 flow sampler : 48 flow sampler algorithm export : 49 flow sampler interval : 50 flow sampler name : 84 flow class : 51 v9-scope system : 1 v9-scope interface : 2 v9-scope linecard : 3 v9-scope cache : 4 v9-scope template : 5 counter flows : 3 counter bytes : 1 counter bytes long : 1 counter packets : 2 counter packets long : 2 counter bytes squared long : 198 counter bytes permanent : 85 counter packets permanent : 86 counter bytes squared permanent : 199 counter bytes exported : 40 counter packets exported : 41 counter flows exported : 42 timestamp sys-uptime first : 22 timestamp sys-uptime last : 21The following example displays the status and statistics for all of the flow exporters configured on a router:
Router# show flow exporter name FLOW-MONITOR-1 statistics Flow Exporter FLOW-MONITOR-1: Packet send statistics: Ok 0 No FIB 0 Adjacency failure 0 Enqueued to process level 488 Enqueueing failed 0 IPC failed 0 Output failed 0 Fragmentation failed 0 Encap fixup failed 0 No destination address 0 Client send statistics: Client: Flow Monitor FLOW-MONITOR-1 Records added 558 Packets sent 486 (51261 bytes) Packets dropped 0 (0 bytes) No Packet available errors 0The table below describes the significant fields shown in the display.
Table 3 show flow exporter name exporter-name statistics Field Descriptions Field
Description
Flow Exporter
The name of the flow exporter that you configured.
Packet send statistics
The packet transmission statistics for this exporter.
Ok
The number of packets that have been sent successfully.
No FIB
No entry in the Forwarding Information Base (FIB) to forward to.
Adjacency failure
No Cisco Express Forwarding (CEF) adjacency available for forwarding.
Enqueued to process level
Packets that were sent to the processor for forwarding.
Enqueueing failed
Packets that could not be queued for transmission.
IPC failed
Packets for which interprocess communication (IPC) failed.
Output failed
Packets that were dropped because the output queue was full.
Fragmentation failed
Packets that were not able to be fragmented.
Encap fixup failed
Packets that were not able to be encapsulated for transmission on the egress interface.
No destination address
No destination address configured for the exporter.
Client send statistics
Statistics for the flow monitors that are using the exporters.
Client
The name of the flow monitor that is using the exporter.
Records added
The number of flow records that have been added for this flow monitor.
Packets sent
The number of packets that have been exported for this flow monitor.
Packets dropped
The number of packets that were dropped for this flow monitor.
No Packet available error
The number of times that no packets were available to transmit the records.
The following example displays the template format for the exporters configured on the router. This output will vary according to the flow record configured:
Router# show flow exporter FLOW_EXPORTER-1 templates Flow Exporter FLOW-MONITOR-1: Client: Flow Monitor FLOW-MONITOR-1 Exporter Format: NetFlow Version 9 Template ID : 256 Record Size : 53 Template layout _____________________________________________________________________ | Field | Type1 | Offset2 | Size3 | --------------------------------------------------------------------- | ipv4 source address | 8 | 0 | 4 | | ipv4 destination address | 12 | 4 | 4 | | interface input snmp | 10 | 8 | 4 | | flow sampler | 48 | 12 | 4 | | transport source-port | 7 | 16 | 2 | | transport destination-port | 11 | 18 | 2 | | ip tos | 194 | 20 | 1 | | ip protocol | 4 | 21 | 1 | | ipv4 source mask | 9 | 22 | 1 | | ipv4 destination mask | 13 | 23 | 1 | | transport tcp flags | 6 | 24 | 1 | | routing source as | 16 | 25 | 2 | | routing destination as | 17 | 27 | 2 | | routing next-hop address ipv4 | 15 | 29 | 4 | | interface output snmp | 14 | 33 | 4 | | counter bytes | 1 | 37 | 4 | | counter packets | 2 | 41 | 4 | | timestamp sys-uptime first | 22 | 45 | 4 | | timestamp sys-uptime last | 21 | 49 | 4 | ---------------------------------------------------------------------show flow interface
To display the Flexible NetFlow configuration and status for an interface, use the show flow interface command in privileged EXEC mode.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Examples
The following example displays the Flexible NetFlow accounting configuration on Ethernet interfaces 0/0 and 0/1:
Router# show flow interface ethernet 1/0 Interface Ethernet1/0 FNF: monitor: FLOW-MONITOR-1 direction: Output traffic(ip): on Router# show flow interface ethernet 0/0 Interface Ethernet0/0 FNF: monitor: FLOW-MONITOR-1 direction: Input traffic(ip): sampler SAMPLER-2#The table below describes the significant fields shown in the display.
Table 4 show flow interface Field Descriptions Field
Description
Interface
The interface to which the information applies.
monitor
The name of the flow monitor that is configured on the interface.
direction:
The direction of traffic that is being monitored by the flow monitor.
The possible values are:
traffic(ip)
Indicates if the flow monitor is in normal mode or sampler mode.
The possible values are:
show flow monitor
To display the status and statistics for a Flexible NetFlow flow monitor, use the show flow monitor command in privileged EXEC mode.
show flow monitor [ [name] monitor-name [ cache [ format { csv | record | table } ] ] [statistics] ]
Syntax Description
name
(Optional) Specifies the name of a flow monitor.
monitor-name
(Optional) Name of a flow monitor that was previously configured.
cache
(Optional) Displays the contents of the cache for the flow monitor.
format
(Optional) Specifies the use of one of the format options for formatting the display output.
csv
(Optional) Displays the flow monitor cache contents in comma separated variables (CSV) format.
record
(Optional) Displays the flow monitor cache contents in record format.
table
(Optional) Displays the flow monitor cache contents in table format.
statistics
(Optional) Displays the statistics for the flow monitor.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.4(20)T
This command was modified. Support for displaying IPv6 data in Flexible NetFlow flow monitor caches was added.
15.0(1)M
This command was modified. Support for displaying virtual routing and forwarding (VRF) and Network Based Application Recognition (NBAR) data in Flexible NetFlow flow monitor caches was added.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
The cache keyword uses the table format by default.
The uppercase field names in the display output of the show flowmonitor monitor-name cache command are key fields that Flexible NetFlow uses to differentiate flows. The lowercase field names in the display output of the show flow monitor monitor-name cache command are nonkey fields from which Flexible NetFlow collects values as additional data for the cache.
Examples
The following example displays the status for a flow monitor:
Router# show flow monitor FLOW-MONITOR-1 Flow Monitor FLOW-MONITOR-1: Description: Used for basic traffic analysis Flow Record: netflow-original Flow Exporter: EXP-DC-TOPEKA EXP-DC-PHOENIX Cache: Type: normal Status: allocated Size: 4096 entries / 311316 bytes Inactive Timeout: 15 secs Active Timeout: 1800 secs Update Timeout: 1800 secsThe table below describes the significant fields shown in the display.
Table 5 show flow monitor monitor-name Field Descriptions Field
Description
Flow Monitor
Name of the flow monitor that you configured.
Description
Description that you configured or the monitor, or the default description “User defined”.
Flow Record
Flow record assigned to the flow monitor.
Flow Exporter
Exporters that are assigned to the flow monitor.
Cache
Information about the cache for the flow monitor.
Type
Flow monitor cache type.
The possible values are:
Status
Status of the flow monitor cache.
The possible values are:
Size
Current cache size.
Inactive Timeout
Current value for the inactive timeout in seconds.
Active Timeout
Current value for the active timeout in seconds.
Update Timeout
Current value for the update timeout in seconds.
The following example displays the status, statistics, and data for the flow monitor named FLOW-MONITOR-1:
Router# show flow monitor FLOW-MONITOR-1 cache Cache type: Normal Cache size: 4096 Current entries: 8 High Watermark: 10 Flows added: 1560 Flows aged: 1552 - Active timeout ( 1800 secs) 24 - Inactive timeout ( 15 secs) 1528 - Event aged 0 - Watermark aged 0 - Emergency aged 0 IP TOS: 0x00 IP PROTOCOL: 6 IPV4 SOURCE ADDRESS: 10.10.10.2 IPV4 DESTINATION ADDRESS: 172.16.10.2 TRNS SOURCE PORT: 20 TRNS DESTINATION PORT: 20 INTERFACE INPUT: Et0/0 FLOW SAMPLER ID: 0 ip source as: 0 ip destination as: 0 ipv4 next hop address: 172.16.7.2 ipv4 source mask: /0 ipv4 destination mask: /24 tcp flags: 0x00 interface output: Et1/0 counter bytes: 198520 counter packets: 4963 timestamp first: 10564356 timestamp last: 12154104The table below describes the significant fields shown in the display.
Table 6 show flow monitor monitor-name cache Field Descriptions Field
Description
Cache type
Flow monitor cache type.
The possible values are:
Cache Size
Number of entries in the cache.
Current entries
Number of entries in the cache that are in use.
High Watermark
Highest number of cache entries seen.
Flows added
Flows added to the cache since the cache was created.
Flows aged
Flows expired from the cache since the cache was created.
Active timeout
Current value for the active timeout in seconds.
Inactive timeout
Current value for the inactive timeout in seconds.
Event aged
Number of flows that have been aged by an event such as using the force-export option for the clear flow monitor command.
Watermark aged
Number of flows that have been aged because they exceeded the maximum high watermark value.
Emergency aged
Number of flows that have been aged because the cache size was exceeded.
IP TOS
IP type of service (ToS) value.
IP PROTOCOL
Protocol number.
IPV4 SOURCE ADDRESS
IPv4 source address.
IPV4 DESTINATION ADDRESS
IPv4 destination address.
TRNS SOURCE PORT
Source port for the transport protocol.
TRNS DESTINATION PORT
Destination port for the transport protocol.
INTERFACE INPUT
Interface on which the input is received.
FLOW SAMPLER ID
Flow sampler ID number.
ip source as
Border Gateway Protocol (BGP) source autonomous system number.
ip destination as
BGP destination autonomous system number.
ipv4 next hop address
IPv4 address of the next hop to which the packet is forwarded.
ipv4 source mask
IPv4 source address mask.
ipv4 destination mask
IPv4 destination address mask.
tcp flags
Value of the TCP flags.
interface output
Interface on which the input is transmitted.
counter bytes
Number of bytes that have been counted.
counter packets
Number of packets that have been counted.
timestamp first
Time stamp of the first packet in the flow.
timestamp last
Time stamp of the last packet in the flow.
The following example displays the status, statistics, and data for the flow monitor named FLOW-MONITOR-1 in a table format:
Router# show flow monitor FLOW-MONITOR-1 cache format table Cache type: Normal Cache size: 4096 Current entries: 4 High Watermark: 6 Flows added: 90 Flows aged: 86 - Active timeout ( 1800 secs) 0 - Inactive timeout ( 15 secs) 86 - Event aged 0 - Watermark aged 0 - Emergency aged 0 IP TOS IP PROT IPV4 SRC ADDR IPV4 DST ADDR TRNS SRC PORT TRNS DST PORT ====== ======= =============== =============== ============= ============== 0x00 1 10.251.10.1 172.16.10.2 0 02 0x00 1 10.251.10.1 172.16.10.2 0 20484 0xC0 17 172.16.6.1 224.0.0.9 520 5202 0x00 6 10.10.11.1 172.16.10.5 25 252 Router#The following example displays the status, statistics, and data for the flow monitor named FLOW-MONITOR-IPv6 (the cache contains IPv6 data) in record format:
Router# show flow monitor name FLOW-MONITOR-IPv6 cache format record Cache type: Normal Cache size: 4096 Current entries: 6 High Watermark: 8 Flows added: 1048 Flows aged: 1042 - Active timeout ( 1800 secs) 11 - Inactive timeout ( 15 secs) 1031 - Event aged 0 - Watermark aged 0 - Emergency aged 0 IPV6 FLOW LABEL: 0 IPV6 EXTENSION MAP: 0x00000040 IPV6 SOURCE ADDRESS: 2001:DB8:1:ABCD::1 IPV6 DESTINATION ADDRESS: 2001:DB8:4:ABCD::2 TRNS SOURCE PORT: 3000 TRNS DESTINATION PORT: 55 INTERFACE INPUT: Et0/0 FLOW DIRECTION: Input FLOW SAMPLER ID: 0 IP PROTOCOL: 17 IP TOS: 0x00 ip source as: 0 ip destination as: 0 ipv6 next hop address: :: ipv6 source mask: /48 ipv6 destination mask: /0 tcp flags: 0x00 interface output: Null counter bytes: 521192 counter packets: 9307 timestamp first: 9899684 timestamp last: 11660744The table below describes the significant fields shown in the display.
Table 7 show flow monitor monitor-name cache format record Field Descriptions Field
Description
Cache type
Flow monitor cache type.
The possible values are:
Cache Size
Number of entries in the cache.
Current entries
Number of entries in the cache that are in use.
High Watermark
Highest number of cache entries seen.
Flows added
Flows added to the cache since the cache was created.
Flows aged
Flows expired from the cache since the cache was created.
Active timeout
Current value for the active timeout in seconds.
Inactive timeout
Current value for the inactive timeout in seconds.
Event aged
Number of flows that have been aged by an event such as using the force-export option for the clear flow monitor command.
Watermark aged
Number of flows that have been aged because they exceeded the maximum high watermark value.
Emergency aged
Number of flows that have been aged because the cache size was exceeded.
IPV6 FLOW LABEL
Label number for the flow.
IPV6 EXTENSION MAP
Pointer to the IPv6 extensions.
IPV6 SOURCE ADDRESS
IPv6 source address.
IPV6 DESTINATION ADDRESS
IPv6 destination address.
TRNS SOURCE PORT
source port for the transport protocol.
TRNS DESTINATION PORT
Destination port for the transport protocol.
INTERFACE INPUT
Interface on which the input is received.
FLOW DIRECTION
Input or output.
FLOW SAMPLER ID
Flow sampler ID number.
IP PROTOCOL
IP protocol number.
IP TOS
IP ToS number.
ip source as
BGP source autonomous system number.
ip destination as
BGP destination autonomous system number.
ipv6 next hop address
IPv4 address of the next hop to which the packet is forwarded.
ipv6 source mask
IPv6 source address mask.
ipv6 destination mask
IPv6 destination address mask.
tcp flags
Value of the TCP flags.
interface output
Interface on which the input is transmitted.
counter bytes
Number of bytes that have been counted.
counter packets
Number of packets that have been counted.
timestamp first
Time stamp of the first packet in the flow.
timestamp last
Time stamp of the last packet in the flow.
The following example displays the status and statistics for a flow monitor:
Router# show flow monitor FLOW-MONITOR-1 statistics Cache type: Normal Cache size: 4096 Current entries: 4 High Watermark: 6 Flows added: 116 Flows aged: 112 - Active timeout ( 1800 secs) 0 - Inactive timeout ( 15 secs) 112 - Event aged 0 - Watermark aged 0 - Emergency aged 0The table below describes the significant fields shown in the display.
Table 8 show flow monitor monitor-name statistics Field Descriptions Field
Description
Cache Type
Flow monitor cache type.
The possible values are:
Cache Size
Size of the cache.
Current entries
Number of entries in the cache that are in use.
High Watermark
Highest number of cache entries seen.
Flows added
Flows added to the cache since the cache was created.
Flows aged
Flows expired from the cache since the cache was created.
Active Timeout
Current value for the active timeout in seconds.
Inactive Timeout
Current value for the inactive timeout in seconds.
Event aged
Number of flows that have been aged by an event such as using the force-export option for the clear flow monitor command.
Watermark aged
Number of flows that have been aged because they exceeded the maximum high watermark value.
Emergency aged
Number of flows that have been aged because the cache size was exceeded.
show flow monitor cache aggregate
To display aggregated flow statistics from a flow monitor cache, use the show flow monitor cache aggregate command in privileged EXEC mode.
show flow monitor [name] monitor-name cache aggregate { options [ . .. options ] [ collect options [ . .. options ] ] | record record-name } [ format { csv | record | table } ]
Syntax Description
name
(Optional) Specifies the name of a flow monitor.
monitor-name
Name of a flow monitor that was previously configured.
options
Fields upon which aggregation is performed; and from which additional data from the cache is displayed when the collect keyword is used. You can specify multiple values for the options argument. See the “Usage Guidelines” section.
collect
(Optional) Displays additional data from the cache. See the “Usage Guidelines” section.
record record-name
Specifies the name of a user-defined flow record or a predefined flow record. See the first table below for a listing of the available predefined records and their definitions.
format
(Optional) Specifies the use of one of the format options for formatting the display output.
csv
Displays the flow monitor cache contents in comma-separated variables (CSV) format.
record
Displays the flow monitor cache contents in record format.
table
Displays the flow monitor cache contents in table format.
Command History
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
Flexible NetFlow—Top N Talkers Support
The show flow monitor cacheaggregate command is one of a set of three commands that make up the Flexible NetFlow—Top N Ta lkers Support feature. The Flexible NetFlow—Top N Talkers Support feature is used to manipulate the display output from the Flexible NetFlow cache to facilitate the analysis of network traffic.
The other two commands that make up the Flexible NetFlow—Top N Talkers Support feature are show flow monitor cache filter and show flow monitor cache sort. The three commands can be used together or on their own, depending on your requirements. For more detailed information about these commands, see the show flow monitor cache filter command and the show flow monitor cache sort command. For information about how the three commands are used together, refer to the “Configuring Cisco IOS Flexible NetFlow—Top N Talkers Support” module in the Configuring Cisco IOS Flexible NetFlow Configuration Guide.
Flow Aggregation
Flow aggregation using the showflow monitor cache aggregate command allows you to dynamically display the flow information in a cache using a different flow record than the cache was originally created from. Only the fields in the cache will be available for the aggregated flows.
NoteThe key and nonkey fields in the flows are defined in the flow record that you assigned to the flow monitor from which the cache data is being aggregated.
Aggregation helps you achieve a higher-level view of the traffic in your network by combining flow data from multiple flows based on the criteria that interest you, for example, displaying flow data for:
- All the HTTP traffic in your network.
- All the traffic being forwarded to a specific Border Gateway Protocol (BGP) next hop.
- Identifying a device that is sending several types of traffic to one or more hosts in your network, perhaps as part of a denial of service (DoS) attack.
Aggregation options Argument
The options that you can use for the options argument of the show flow monitor cache aggregate command are dependent on the fields that are used for the user-defined flow record that you configured for the flow monitor using the record command. To identify the options that you can use, use the show flow recordrecord-name command in privileged EXEC mode, where record-name is the name of the record that you configured for the flow monitor.
For example, if you assigned the “NetFlow Original” predefined record to a flow monitor, you use the show flow record netflow-original command to display its key (match) and nonkey (collect) fields. The following is partial output from the show flow record netflow-original command:
flow record netflow-original: Description: Traditional IPv4 input NetFlow with origin ASs No. of users: 2 Total field space: 53 bytes Fields: match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address . . . collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime lastThe fields from this partial output that you can use for the option argument follow the match (key fields) and collect (nonkey fields) words. For example, you can use the “ipv4 tos” field to aggregate the flows as shown in the first example in the “Examples section.
Cache Data Fields Displayed
By default the data fields from the cache that are shown in the display output of the show flow monitor cache aggregate command are limited to the field used for aggregation and the counter fields such as flows, number of bytes, and the number of packets. The following is partial output from the show flow monitor FLOW-MONITOR-3 cache aggregate ipv4 destination address command:
IPV4 DST ADDR flows bytes pkts =============== ========== ========== ========== 224.192.16.1 2 97340 4867 224.192.18.1 3 96080 4804 224.192.16.4 4 79760 3988 224.192.45.12 3 77480 3874 255.255.255.255 1 52 1Notice that the data contains only the IPv4 destination addresses for which flows have been aggregated and the counter values.
The flow monitor (FLOW-MONITOR-3) referenced by the show flow monitor FLOW-MONITOR-3 cache aggregate ipv4 destination address command uses the “NetFlow Original” predefined record, which contains the following key and nonkey fields:
- match ipv4 tos
- match ipv4 protocol
- match ipv4 source address
- match ipv4 destination address
- match transport source-port
- match transport destination-port
- match interface input
- match flow sampler
- collect routing source as
- collect routing destination as
- collect routing next-hop address ipv4
- collect ipv4 source mask
- collect ipv4 destination mask
- collect transport tcp flags
- collect interface output
- collect counter bytes
- collect counter packets
- collect timestamp sys-uptime first
- collect timestamp sys-uptime last
The collect keyword is used to include additional cache data in the display output of the show flow monitor cache aggregate command. The following partial output from theshow flow monitor FLOW-MONITOR-3 cache aggregate ipv4 destination address collect transport tcp flags command shows the transport TCP flags data from the cache:
IPV4 DST ADDR tcp flags flows bytes pkts =============== ========= ========== ========== ========== 224.192.16.1 0x00 4 165280 8264 224.192.18.1 0x00 4 158660 7933 224.192.16.4 0x00 3 146740 7337 224.192.45.12 0x00 4 145620 7281 255.255.255.255 0x00 1 52 1 224.0.0.13 0x00 1 54 1You can add cache data fields after the collect keyword to show additional data from the cache in the display output of the show flow monitor cache aggregate command.
Keywords and Descriptions for the record Argument
The table below describes the keywords for the record argument.
Table 9 Keywords and Descriptions for the Aggregate record Argument Keyword
Description
IPv4 Support
IPv6 Support
as
Autonomous system record.
Yes
Yes
as-tos
Autonomous system and ToS record.
Yes
No
bgp-nexthop-tos
BGP next-hop and ToS record.
Yes
No
bgp-nexthop
BGP next-hop record.
No
Yes
destination-prefix
Destination prefix record.
Note For IPv6, a minimum prefix mask length of 0 bits is assumed.
Yes
Yes
destination-prefix-tos
Destination prefix and ToS record.
Yes
No
original-input
Traditional IPv4 input NetFlow.
Yes
Yes
original-output
Traditional IPv4 output NetFlow.
Yes
Yes
prefix
Source and destination prefixes record.
Note For IPv6, a minimum prefix mask length of 0 bits is assumed.
Yes
Yes
prefix-port
Prefix port record.
Note The peer keyword is not available for this record.
Yes
No
prefix-tos
Prefix ToS record.
Yes
No
protocol-port
Protocol ports record.
Note The peer keyword is not available for this record.
Yes
Yes
protocol-port-tos
Protocol port and ToS record.
Note The peer keyword is not available for this record.
Yes
No
source-prefix
Source autonomous system and prefix record.
Note For IPv6, a minimum prefix mask length of 0 bits is assumed.
Yes
Yes
source-prefix-tos
Source prefix and ToS record.
Yes
No
Examples
The following example aggregates the flow monitor cache data on the destination and source IPv4 addresses:
Router# show flow monitor FLOW-MONITOR-1 cache aggregate ipv4 destination address ipv4 source address Processed 26 flows Aggregated to 17 flows IPV4 SRC ADDR IPV4 DST ADDR flows bytes pkts =============== =============== ========== ========== ========== 10.251.10.1 172.16.10.2 2 1400828 1364 192.168.67.6 172.16.10.200 1 19096 682 10.234.53.1 172.16.10.2 3 73656 2046 172.30.231.193 172.16.10.2 3 73616 2045 10.10.10.2 172.16.10.2 2 54560 1364 192.168.87.200 172.16.10.2 2 54560 1364 10.10.10.4 172.16.10.4 1 27280 682 10.10.11.1 172.16.10.5 1 27280 682 10.10.11.2 172.16.10.6 1 27280 682 10.10.11.3 172.16.10.7 1 27280 682 10.10.11.4 172.16.10.8 1 27280 682 10.1.1.1 172.16.10.9 1 27280 682 10.1.1.2 172.16.10.10 1 27280 682 10.1.1.3 172.16.10.11 1 27280 682 172.16.1.84 172.16.10.19 2 54520 1363 172.16.1.85 172.16.10.20 2 54520 1363 172.16.6.1 224.0.0.9 1 52 1The table below describes the significant fields shown in the display.
Table 10 show flow monitor cache aggregate Field Descriptions Field
Description
IPV4 SOURCE ADDRESS
IPv4 source address.
IPV4 DESTINATION ADDRESS
IPv4 destination address.
flows
Numbers of flows associated with the source/destination IP address combination
bytes
Number of bytes contained in the flows.
packets
Number of packets contained in the flows.
show flow monitor cache filter
To filter the display output of statistics from the flows in a flow monitor cache, use the show flow monitor cache filter command in privileged EXEC mode.
show flow monitor [name] monitor-name cache filter options [ regexp regexp ] [ . .. options [ regexp regexp ] ] [ format { csv | record | table } ]
Syntax Description
name
(Optional) Specifies the name of a flow monitor.
monitor-name
Name of a flow monitor that was previously configured.
options
Fields upon which filtering is performed. You can specify multiple values for the options argument. See the “Usage Guidelines” section.
regexp regexp
(Optional) Match the field specified with the options argument against a regular expression. See the “Usage Guidelines” section.
format
(Optional) Specifies the use of one of the format options for formatting the display output.
csv
Displays the flow monitor cache contents in comma-separated variables (CSV) format.
record
Displays the flow monitor cache contents in record format.
table
Displays the flow monitor cache contents in table format.
Command History
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
Flexible NetFlow—Top N Talkers Support
The show flow monitor cache filter command is one of a set of three commands that make up the Flexible NetFlow—Top N Talkers Support feature. The Flexible NetFlow—Top N Talkers Support feature is used to manipulate the display output from the Flexible NetFlow cache to facilitate the analysis of network traffic.
The other two commands that make up the Flexible NetFlow—Top N Talkers Support feature are show flow monitor cache sort and show flow monitor cache aggregate. The three commands can be used together or on their own, depending on your requirements. For more detailed information about these commands, see the show flow monitor cache sort command and the show flow monitor cache aggregate command. For information about how the three commands are used together, refer to the “Configuring Cisco IOS Flexible NetFlow—Top N Talkers Support” module in the Configuring Cisco IOS Flexible NetFlow Configuration Guide.
Filter options Argument
The options that you can use for the options argument of the show flow monitor cache filter command are dependent on the fields that are used for the record that you configured for the flow monitor using the record command. To identify the options that you can use, use the show flow record record-name command in privileged EXEC mode, where record-name is the name of the record that you configured for the flow monitor.
For example, if you assigned the “NetFlow Original” predefined record to a flow monitor, you use the show flow record netflow-original command to display its key (match) and nonkey (collect) fields. The following is partial output from the show command:
flow record netflow-original: Description: Traditional IPv4 input NetFlow with origin ASs No. of users: 2 Total field space: 53 bytes Fields: match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address . . . collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime lastThe fields from this partial output that you can use for the option argument follow the match (key fields) and collect (nonkey fields) words. For example, you can use the “ipv4 tos” field to filter the flows as shown in the first example in the “Examples” section.
Filtering Criteria
The following are examples of the types of filtering criteria available for the show flow monitorcache filter command:
Regular Expressions
The table below shows the syntax for regular expressions.
Table 11 Syntax for Regular Expressions Option
Description
*
Match zero or more characters in this position.
?
Match any one character in this position.
|
Match any one character in this position.
(|)
Match one of a choice of characters in a range. For example, aa:(0033|4455):3456 matches either aa:0033:3456 or aa:4455:3456.
[]
Match any character in the range specified, or one of the special characters. For example, [0-9] is all of the digits. [*] is the “*” character, and [[] is the “[ ” character.
Examples
The following example filters the flow monitor cache data on the source IPv4 address of 10.234.53.1:
Router# show flow monitor FLOW-MONITOR-1 cache filter ipv4 source address 10.234.53.1 Cache type: Normal Cache size: 4096 Current entries: 26 High Watermark: 26 Flows added: 87 Flows aged: 61 - Active timeout ( 1800 secs) 0 - Inactive timeout ( 15 secs) 61 - Event aged 0 - Watermark aged 0 - Emergency aged 0 IPV4 SOURCE ADDRESS: 10.234.53.1 IPV4 DESTINATION ADDRESS: 172.16.10.2 TRNS SOURCE PORT: 0 TRNS DESTINATION PORT: 2048 INTERFACE INPUT: Et0/0.1 FLOW SAMPLER ID: 0 IP TOS: 0x00 IP PROTOCOL: 1 ip source as: 0 ip destination as: 0 ipv4 next hop address: 172.16.7.2 ipv4 source mask: /0 ipv4 destination mask: /24 tcp flags: 0x00 interface output: Et1/0.1 counter bytes: 24724 counter packets: 883 timestamp first: 16:03:56.007 timestamp last: 16:27:07.063 IPV4 SOURCE ADDRESS: 10.234.53.1 IPV4 DESTINATION ADDRESS: 172.16.10.2 TRNS SOURCE PORT: 20 TRNS DESTINATION PORT: 20 INTERFACE INPUT: Et0/0.1 FLOW SAMPLER ID: 0 IP TOS: 0x00 IP PROTOCOL: 6 ip source as: 0 ip destination as: 0 ipv4 next hop address: 172.16.7.2 ipv4 source mask: /0 ipv4 destination mask: /24 tcp flags: 0x00 interface output: Et1/0.1 counter bytes: 35320 counter packets: 883 timestamp first: 16:03:56.267 timestamp last: 16:27:07.323 IPV4 SOURCE ADDRESS: 10.234.53.1 IPV4 DESTINATION ADDRESS: 172.16.10.2 TRNS SOURCE PORT: 21 TRNS DESTINATION PORT: 21 INTERFACE INPUT: Et0/0.1 FLOW SAMPLER ID: 0 IP TOS: 0x00 IP PROTOCOL: 6 ip source as: 0 ip destination as: 0 ipv4 next hop address: 172.16.7.2 ipv4 source mask: /0 ipv4 destination mask: /24 tcp flags: 0x00 interface output: Et1/0.1 counter bytes: 35320 counter packets: 883 timestamp first: 16:03:56.327 timestamp last: 16:27:07.363 Matched 3 flowsThe table below describes the significant fields shown in the display.
Table 12 show flow monitor monitor-name cache filter Field Descriptions Field
Description
Cache type
Flow monitor cache type.
The possible values are:
Cache Size
Number of entries in the cache.
Current entries
Number of entries in the cache that are in use.
High Watermark
Highest number of cache entries seen.
Flows added
Flows added to the cache since the cache was created.
Flows aged
Flows expired from the cache since the cache was created.
Active timeout
Current value for the active timeout in seconds.
Inactive timeout
Current value for the inactive timeout in seconds.
Event aged
Number of flows that have been aged by an event such as using the force-export option for the clear flow monitor command.
Watermark aged
Number of flows that have been aged because they exceeded the maximum high watermark value.
Emergency aged
Number of flows that have been aged because the cache size was exceeded.
IPV4 SOURCE ADDRESS
IPv4 source address.
IPV4 DESTINATION ADDRESS
IPv4 destination address.
TRNS SOURCE PORT
source port for the transport protocol.
TRNS DESTINATION PORT
Destination port for the transport protocol.
INTERFACE INPUT
Interface on which the input is received.
FLOW DIRECTION
Input or output.
FLOW SAMPLER ID
Flow sampler ID number.
IP PROTOCOL
IP protocol number.
IP TOS
IP ToS number.
ip source as
BGP source autonomous system number.
ip destination as
BGP destination autonomous system number.
ipv4 next hop address
IPv4 address of the next hop to which the packet is forwarded.
ipv4 source mask
IPv4 source address mask.
ipv4 destination mask
IPv4 destination address mask.
tcp flags
Value of the TCP flags.
interface output
Interface on which the input is transmitted.
counter bytes
Number of bytes that have been counted.
counter packets
Number of packets that have been counted.
timestamp first
Time stamp of the first packet in the flow.
timestamp last
Time stamp of the last packet in the flow.
show flow monitor cache sort
To sort the display output of statistics from the flows in a flow monitor cache, use the show flow monitor cache sort command in privileged EXEC mode.
show flow monitor [name] monitor-name cache sort options [ top [number] ] [ format { csv | record | table } ]
Syntax Description
name
(Optional) Specifies the name of a flow monitor.
monitor-name
Name of a flow monitor that was previously configured.
options
Fields upon which aggregation can be performed. See the “Usage Guidelines” section.
top
(Optional) Limits the display output to the 20 highest volume flows (top talkers) unless overridden by the specification of a value for the number argument.
number
(Optional) Overrides the default value of top talkers to display.
format
(Optional) Specifies the use of one of the format options for formatting the display output.
csv
Displays the flow monitor cache contents in comma-separated variables (CSV) format.
record
Displays the flow monitor cache contents in record format.
table
Displays the flow monitor cache contents in table format.
Command History
Release
Modification
12.4(22)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
Flexible NetFlowNetFlow—Top N Talkers Support
The show flow monitor cache sort command is one of a set of three commands that make up the Flexible NetFlow—Top N Talkers Support feature. The Flexible NetFlow—Top N Talkers Support feature is used to manipulate the display output from the Flexible NetFlow cache to facilitate the analysis of network traffic.
The other two commands that make up the Flexible NetFlow—Top N Talkers Support feature are show flow monitor cache filter and show flow monitor cache aggregate. The three commands can be used together or on their own, depending on your requirements. For more detailed information about these commands, see the show flow monitor cache filter command and the show flow monitor cache aggregate command. For information about how the three commands are used together, refer to the “Configuring Cisco IOS Flexible NetFlow—Top N Talkers Support” module in the Configuring Cisco IOS Flexible NetFlow Configuration Guide.
Flow Sorting
The flow sorting function of the Flexible NetFlow—Top N Talkers Support feature sorts flow data from the Flexible NetFlow cache based on the criteria that you specify, and displays the data. You can also use the flow sorting function of the Flexible NetFlow—Top N Talkers Support feature to limit the display output to a specific number of entries (Top N Talkers) by using the top keyword.
Sort options Argument
The options that you can use for the options argument of the show flow monitor cache filter command are dependent on the fields that are used for the record that you configured for the flow monitor using the record command. To identify the options that you can use, use the show flow record record-name command in privileged EXEC mode, where record-name is the name of the record that you configured for the flow monitor.
For example, if you assigned the “NetFlow Original” predefined record to a flow monitor, you use the show flow record netflow-original command to display its key (match) and nonkey (collect) fields. The following is partial output from the show command:
flow record netflow-original: Description: Traditional IPv4 input NetFlow with origin ASs No. of users: 2 Total field space: 53 bytes Fields: match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address . . . collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime lastThe fields from this partial output that you can use for the option argument follow the match (key fields) and collect (nonkey fields) words. For example, you can use the “ipv4 tos” field to sort the flows as shown in the first example in the “Examples” section.
Examples
The following example sorts the flow monitor cache data on the IPv4 ToS value and limits the display output to the top two flows:
Router# show flow monitor FLOW-MONITOR-3 cache sort ipv4 tos top 2 Processed 17 flows Aggregated to 17 flows Showing the top 2 flows IPV4 SOURCE ADDRESS: 10.1.1.1 IPV4 DESTINATION ADDRESS: 224.192.16.1 TRNS SOURCE PORT: 0 TRNS DESTINATION PORT: 3073 INTERFACE INPUT: Et0/0 FLOW SAMPLER ID: 0 IP TOS: 0x55 IP PROTOCOL: 1 ip source as: 0 ip destination as: 0 ipv4 next hop address: 0.0.0.0 ipv4 source mask: /24 ipv4 destination mask: /0 tcp flags: 0x00 interface output: Null counter bytes: 33680 counter packets: 1684 timestamp first: 18:39:27.563 timestamp last: 19:04:28.459 IPV4 SOURCE ADDRESS: 10.1.1.1 IPV4 DESTINATION ADDRESS: 224.192.16.1 TRNS SOURCE PORT: 0 TRNS DESTINATION PORT: 0 INTERFACE INPUT: Et0/0 FLOW SAMPLER ID: 0 IP TOS: 0x55 IP PROTOCOL: 1 ip source as: 0 ip destination as: 0 ipv4 next hop address: 0.0.0.0 ipv4 source mask: /24 ipv4 destination mask: /0 tcp flags: 0x00 interface output: Et3/0.1 counter bytes: 145040 counter packets: 7252 timestamp first: 18:42:34.043 timestamp last: 19:04:28.459The table below describes the significant fields shown in the display.
Table 13 show flow monitor monitor-name cache sort Field Descriptions Field
Description
IPV4 SOURCE ADDRESS
IPv4 source address.
IPV4 DESTINATION ADDRESS
IPv4 destination address.
TRNS SOURCE PORT
source port for the transport protocol.
TRNS DESTINATION PORT
Destination port for the transport protocol.
INTERFACE INPUT
Interface on which the input is received.
FLOW DIRECTION
Input or output.
FLOW SAMPLER ID
Flow sampler ID number.
IP PROTOCOL
IP protocol number.
IP TOS
IP ToS number.
ip source as
BGP source autonomous system number.
ip destination as
BGP destination autonomous system number.
ipv4 next hop address
IPv4 address of the next hop to which the packet is forwarded.
ipv4 source mask
IPv4 source address mask.
ipv4 destination mask
IPv4 destination address mask.
tcp flags
Value of the TCP flags.
interface output
Interface on which the input is transmitted.
counter bytes
Number of bytes that have been counted.
counter packets
Number of packets that have been counted.
timestamp first
Time stamp of the first packet in the flow.
timestamp last
Time stamp of the last packet in the flow.
show flow record
To display the status and statistics for a Flexible NetFlow flow record, use the show flow record command in privileged EXEC mode.
show flow record [ [name] record-name | netflow-original | netflow { ipv4 | ipv6 } record [peer] ]
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
show flow record [ [name] record-name | platform-original { ipv4 | ipv6 } record ]
Cisco IOS XE Release 3.2SE
show flow record [ [name] record-name ]
Syntax Description
name
(Optional) Specifies the name of a flow record.
record-name
(Optional) Name of a user-defined flow record that was previously configured.
netflow-original
(Optional) Specifies the Flexible NetFlow implementation of original NetFlow with origin autonomous systems.
netflow ipv4
(Optional) Configures the flow monitor to use one of the IPv4 predefined records.
netflow ipv6
(Optional) Configures the flow monitor to use one of the IPv6 predefined records.
record
(Optional) Name of the predefined record. See the first table below for a listing of the available records and their definitions.
peer
(Optional) Configures the flow monitor to use one of the predefined records with peer autonomous systems. The peer keyword is not supported for every type of Flexible NetFlow predefined record. See the first table below.
platform-original ipv4
Configures the flow monitor to use one of the predefined IPv4 records.
platform-original ipv6
Configures the flow monitor to use one of the predefined IPv6 records.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.4(20)T
This command was modified. The ipv6 keyword was added.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The netflow-original, netflow ipv4, and netflow ipv6 keywords were removed. The platform-originalipv4 and platform-originalipv6 keywords were added.
Cisco IOS XE Release 3.2SE
This command was modified. The netflow-original, netflow ipv4, and netflow ipv6 keywords were removed.
Usage Guidelines
The table below describes the keywords and descriptions for the record argument.
Table 14 Keywords and Descriptions for the record Argument Keyword
Description
IPv4 Support
IPv6 Support
as
Autonomous system record.
Yes
Yes
as-tos
Autonomous system and Type of Service (ToS) record.
Yes
—
bgp-nexthop-tos
BGP next-hop and ToS record.
Yes
—
bgp-nexthop
BGP next-hop record.
—
Yes
destination
Original platform IPv4/IPv6 destination record.
Yes
Yes
destination-prefix
Destination prefix record.
Note For IPv6, a minimum prefix mask length of 0 bits is assumed.
Yes
Yes
destination-prefix-tos
Destination prefix and ToS record.
Yes
—
destination-source
Original platform IPv4/IPv6 destination-source record.
Yes
Yes
full
Original platform IPv4/IPv6 full record.
Yes
Yes
interface-destination
Original platform IPv4/IPv6 interface-destination record.
Yes
Yes
interface-destination- source
Original platform IPv4/IPv6 interface-destination-source record.
Yes
Yes
interface-full
Original platform IPv4/IPv6 interface-full record.
Yes
Yes
interface-source
Original platform IPv4/IPv6 interface-source only record.
Yes
Yes
original-input
Traditional IPv4 input NetFlow.
Yes
Yes
original-output
Traditional IPv4 output NetFlow.
Yes
Yes
prefix
Source and destination prefixes record.
Note For IPv6, a minimum prefix mask length of 0 bits is assumed.
Yes
Yes
prefix-port
Prefix port record.
Note The peer keyword is not available for this record.
Yes
—
prefix-tos
Prefix ToS record.
Yes
protocol-port
Protocol ports record.
Note The peer keyword is not available for this record.
Yes
Yes
protocol-port-tos
Protocol port and ToS record.
Note The peer keyword is not available for this record.
Yes
—
source
Original platform IPv4/IPv6 source only record.
Yes
Yes
source-prefix
Source autonomous system and prefix record.
Note For IPv6, a minimum prefix mask length of 0 bits is assumed.
Yes
Yes
source-prefix-tos
Source prefix and ToS record.
Yes
—
Examples
The following example displays the status and statistics for the original Flexible NetFlow record:
Router# show flow record FLOW-RECORD-1 platform-original ipv4 destination flow record FLOW_RECORD-1: Description: Flow Record for IPv4 traffic No. of users: 3 Total field space: 53 bytes Fields: match interface input match transport destination-port match transport source-port match ipv4 destination address match ipv4 source address match ipv4 protocol match ipv4 tos collect counter bytes collect counter packets collect timestamp sys-uptime last collect timestamp sys-uptime first collect ipv4 destination mask collect ipv4 source mask collect routing destination as collect routing source as collect transport tcp flags collect routing next-hop address ipv4 collect interface outputThe table below describes the significant fields shown in the display.
Table 15 show flow record netflow-original Field Descriptions Field
Description
Description
Description that you configured for the record, or the default description “User defined.”
No. of users
Number of monitors in the configuration that use the flow record.
Total field space
Number of bytes required to store these fields for one flow.
Fields
The fields that are included in this record. For more information about the fields, refer to the match and collect commands.
show sampler
To display the status and statistics for a Flexible NetFlow sampler, use the show sampler command in privileged EXEC mode.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Examples
The following example displays the status and statistics for all of the flow samplers configured:
Router# show sampler Sampler SAMPLER-1: ID: 1 Description: User defined Type: random Rate: 1 out of 3 Samples: 189 Requests: 23243 Users (2): flow monitor FLOW-MONITOR-1 (ip,Et0/0,Input) 65 out of 10786 flow monitor FLOW-MONITOR-2 (ipv6,Et0/0, Input) 124 out of 12457 Sampler sampler-2: ID: 2 Description: User defined Type: deterministic Rate: 1 out of 100 Samples: 1 Requests: 124 Users (1): flow monitor FLOW-MONITOR-1 (ip,Et0/0,Input) 1 out of 124The table below describes the significant fields shown in the display.
Table 16 show sampler Field Descriptions Field
Description
ID
ID number of the flow sampler. This is used to identify the sampler at the collector.
Description
Description that you configured for the flow sampler, or the default description “User defined.”
Type
Sampling mode that you configured for the flow sampler.
Rate
Window size (for packet selection) that you configured for the flow sampler. Range: 2 to 32768.
Samples
Number of packets sampled since the flow sampler was configured or the router was restarted. This is equivalent to the number of times a positive response was received when the sampler was queried to determine if the traffic needed to be sampled. Refer to the explanation of the “Requests” field in this table.
Requests
Number of times the flow sampler was queried to determine if the traffic needed to be sampled.
Users
Interfaces on which the flow sampler is configured.
source (Flexible NetFlow)
To configure the source IP address interface for all of the packets sent by a Flexible NetFlow flow exporter, use the source command in Flexible NetFlow flow exporter configuration mode. To remove the source IP address interface for all of the packets sent by a Flexible NetFlow flow exporter, use the no form of this command.
Command Default
The IP address of the interface over which the Flexible NetFlow datagram is transmitted is used as the source IP address.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers in Cisco IOS Release 12.2(33)SRC.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
The benefits of using a consistent IP source address for the datagrams that NetFlow sends include the following:
- The source IP address of the datagrams exported by Flexible NetFlow is used by the destination system to determine from which router the Flexible NetFlow data is arriving. If your network has two or more paths that can be used to send Flexible NetFlow datagrams from the router to the destination system and you do not specify the source interface from which the source IP address is to be obtained, the router uses the IP address of the interface over which the datagram is transmitted as the source IP address of the datagram. In this situation the destination system might receive Flexible NetFlow datagrams from the same router, but with different source IP addresses. When the destination system receives Flexible NetFlow datagrams from the same router with different source IP addresses, the destination system treats the Flexible NetFlow datagrams as if they were being sent from different routers. To avoid having the destination system treat the Flexible NetFlow datagrams as if they were being sent from different routers, you must configure the destination system to aggregate the Flexible NetFlow datagrams it receives from all of the possible source IP addresses in the router into a single Flexible NetFlow flow.
- If your router has multiple interfaces that can be used to transmit datagrams to the destination system, and you do not configure the source command, you will have to add an entry for the IP address of each interface into any access lists that you create for permitting Flexible NetFlow traffic. Creating and maintaining access lists for permitting Flexible NetFlow traffic from known sources and blocking it from unknown sources is easier when you limit the source IP address for Flexible NetFlow datagrams to a single IP address for each router that is exporting Flexible NetFlow traffic.
Caution
The interface that you configure as the source interface must have an IP address configured, and it must be up.
Tip
When a transient outage occurs on the interface that you configured with the source command, the Flexible NetFlow exporter reverts to the default behavior of using the IP address of the interface over which the datagrams are being transmitted as the source IP address for the datagrams. To avoid this problem, use a loopback interface as the source interface because loopback interfaces are not subject to the transient outages that can occur on physical interfaces.
template data timeout
To configure the template resend timeout for a flow exporter, use the template data timeout command in Flexible NetFlow flow exporter configuration mode. To remove the template resend timeout for a flow exporter, use the no form of this command.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
15.1(3)T
This command was modified. Support for the Cisco Performance Monitor was added.
12.2(58)SE
This command was modified. Support for the Cisco Performance Monitor was added.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
transport (Flexible NetFlow)
To configure the transport protocol for a flow exporter for Flexible NetFlow or Performance Monitor, use the transport command in Flexible NetFlow flow exporter configuration mode. To remove the transport protocol for a flow exporter, use the no form of this command.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
15.1(3)T
This command was modified. Support for the Cisco Performance Monitor was added.
12.2(58)SE
This command was modified. Support for the Cisco Performance Monitor was added.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
ttl (Flexible NetFlow)
To configure the time-to-live (TTL) value for a flow exporter for Flexible NetFlow or Performance Monitor, use the ttl command in Flexible NetFlow flow exporter configuration mode. To remove the TTL value for a flow exporter, use the no form of this command.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.0(33)S
This command was modified. Support for this command was implemented on the Cisco 12000 series routers.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7200 series routers.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7300 Network Processing Engine (NPE) series routers.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
15.1(3)T
This command was modified. Support for the Cisco Performance Monitor was added.
12.2(58)SE
This command was modified. Support for the Cisco Performance Monitor was added.
12.2(50)SY
This command was integrated into Cisco IOS Release 12.2(50)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
