Cisco IOS NetFlow Command Reference
mask (IPv4) through top
mask (IPv4)
To specify the source or destination prefix mask for a NetFlow accounting prefix aggregation cache, use the mask command in aggregation cache configuration mode. To disable the source or destination mask, use the no form of this command.
Command History
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
The NetFlow accounting minimum prefix mask allows you to set a minimum mask size for the traffic that will be added to the NetFlow aggregation cache. The source or destination IP address (depending on the type of aggregation cache that you are configuring) is ANDed with the larger of the two masks (the mask that you enter with the mask command and the mask in the IP routing table) to determine if the traffic should be added to the aggregation cache that you are configuring.
To enable the minimum prefix mask for a particular aggregation cache, configure the desired minimum mask value using the NetFlow aggregation cache commands. The minimum mask value, in the range of 1-32, is used by the router and defines the granularity of the NetFlow data that is collected:
Specifying the minimum value for the source or destination mask of a NetFlow accounting aggregation cache is permitted only for the following NetFlow aggregation cache types:
mask source
The following example shows how to configure the source-prefix aggregation cache:
Router(config)# ip flow-aggregation cache source-prefix
Router(config-flow-cache)# enable
The following output from the show ip cache flow aggregation source-prefix command shows that, with no minimum mask configured, nine flows are included in the NetFlow source prefix aggregation cache:
Router# show ip cache flow aggregation source-prefix
IP Flow Switching Cache, 278544 bytes
9 active, 4087 inactive, 18 added
950 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
9 active, 1015 inactive, 18 added, 18 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Src If Src Prefix Msk AS Flows Pkts B/Pk Active
Et0/0.1 10.10.10.0 /24 0 4 668 762 179.9
Et0/0.1 10.10.10.0 /24 0 4 668 762 180.8
Et0/0.1 10.10.11.0 /24 0 4 668 1115 180.9
Et0/0.1 10.10.11.0 /24 0 4 668 1115 181.9
Et0/0.1 10.1.0.0 /16 0 4 668 1140 179.9
Et0/0.1 10.1.0.0 /16 0 4 668 1140 179.9
Et0/0.1 172.16.6.0 /24 0 1 6 52 138.4
Et0/0.1 172.16.1.0 /24 0 8 1338 1140 182.1
Et0/0.1 172.16.1.0 /24 0 8 1339 1140 181.0
Router#
The following example shows how to configure the source-prefix aggregation cache using a minimum source mask of 8:
Router(config)# ip flow-aggregation cache source-prefix
Router(config-flow-cache)# mask source minimum 8
Router(config-flow-cache)# enable
The following output from the show ip cache flow aggregation source-prefix command shows that, with a minimum mask of 8 configured, only five flows from the same traffic used in the previous example are included in the NetFlow source prefix aggregation cache:
Router# show ip cache flow aggregation source-prefix
IP Flow Switching Cache, 278544 bytes
5 active, 4091 inactive, 41 added
3021 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
5 active, 1019 inactive, 59 added, 59 added to flow
0 alloc failures, 0 force free
1 chunk, 7 chunks added
Minimum source mask is configured to /8
Src If Src Prefix Msk AS Flows Pkts B/Pk Active
Et0/0.1 10.0.0.0 /8 0 12 681 1007 64.8
Et0/0.1 172.16.6.0 /24 0 1 3 52 56.1
Et0/0.1 10.0.0.0 /8 0 12 683 1006 64.8
Et0/0.1 172.16.1.0 /24 0 8 450 1140 61.8
Et0/0.1 172.16.1.0 /24 0 8 448 1140 61.5
Router#
mask destination
The following example shows how to configure the destination-prefix aggregation cache:
Router(config)# ip flow-aggregation cache destination-prefix
Router(config-flow-cache)# enable
The following output from the show ip cache flow aggregation destination-prefix command shows that, with no minimum mask configured, only two flows are included in the NetFlow destination prefix aggregation cache:
Router# show ip cache flow aggregation destination-prefix
IP Flow Switching Cache, 278544 bytes
3 active, 4093 inactive, 3 added
4841 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
3 active, 1021 inactive, 9 added, 9 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Dst If Dst Prefix Msk AS Flows Pkts B/Pk Active
Et1/0.1 172.16.10.0 /24 0 120 6737 1059 371.0
Et1/0.1 172.16.10.0 /24 0 120 6739 1059 370.9
The following example shows how to configure the destination-prefix aggregation cache using a minimum destination mask of 32:
Router(config)# ip flow-aggregation cache destination-prefix
Router(config-flow-cache)# mask destination minimum 32
Router(config-flow-cache)# enable
The following output from the show ip cache flow aggregation destination-prefix command shows that, with a minimum mask of 32 configured, 20 flows from the same traffic used in the previous example are included in the NetFlow destination prefix aggregation cache:
Router# show ip cache flow aggregation destination-prefix
IP Flow Switching Cache, 278544 bytes
20 active, 4076 inactive, 23 added
4984 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
20 active, 1004 inactive, 29 added, 29 added to flow
0 alloc failures, 0 force free
1 chunk, 2 chunks added
Minimum destination mask is configured to /32
Dst If Dst Prefix Msk AS Flows Pkts B/Pk Active
Et1/0.1 172.16.10.12 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.12 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.14 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.9 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.11 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.10 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.11 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.10 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.5 /32 0 1 56 1040 59.5
Et1/0.1 172.16.10.4 /32 0 1 56 940 59.5
Et1/0.1 172.16.10.4 /32 0 1 56 940 59.5
Et1/0.1 172.16.10.7 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.7 /32 0 1 57 1140 60.6
Et1/0.1 172.16.10.1 /32 0 1 56 628 59.5
Et1/0.1 172.16.10.2 /32 0 1 56 640 59.5
Et1/0.1 172.16.10.17 /32 0 1 56 1140 59.5
Et1/0.1 172.16.10.17 /32 0 1 56 1140 59.5
Et1/0.1 172.16.10.18 /32 0 1 56 1140 59.5
Et1/0.1 172.16.10.19 /32 0 1 56 1140 59.5
Et1/0.1 172.16.10.18 /32 0 1 56 1140 59.5
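The masking rule from the Usage Guidelines (AND the address with the larger of the routing-table mask and the configured minimum mask) can be modelled off-box to see how the minimum mask trades cache size against per-host visibility. The following Python sketch is an added example, not Cisco code: the routing table and packet counts are constructed, the host addresses are the ones in the destination-prefix output above, and the cache is keyed on prefix only (a router also keys on interface and AS).

```python
import ipaddress
from collections import Counter

# Constructed routing table (assumption): a /24 covering the destinations in
# the page's destination-prefix example, plus a default route.
ROUTES = [ipaddress.ip_network("172.16.10.0/24"),
          ipaddress.ip_network("0.0.0.0/0")]

# Constructed flow records (destination, packets); hosts taken from the
# "mask destination minimum 32" output, packet counts are illustrative.
FLOWS = [("172.16.10.12", 57), ("172.16.10.14", 57), ("172.16.10.9", 57),
         ("172.16.10.11", 57), ("172.16.10.10", 57), ("172.16.10.5", 56),
         ("172.16.10.4", 56), ("172.16.10.7", 57), ("172.16.10.1", 56),
         ("172.16.10.2", 56), ("172.16.10.17", 56), ("172.16.10.18", 56),
         ("172.16.10.19", 56)]


def route_mask_len(addr, routes):
    """Longest-prefix match: mask length of the most specific covering route."""
    lengths = [r.prefixlen for r in routes if addr in r]
    return max(lengths) if lengths else 0


def cache_key(ip, routes, minimum_mask=0):
    """Prefix under which a flow is aggregated.

    The address is ANDed with the larger of the routing-table mask and the
    configured minimum mask (0 models 'no minimum mask configured').
    """
    addr = ipaddress.ip_address(ip)
    plen = max(route_mask_len(addr, routes), minimum_mask)
    # strict=False performs the AND: host bits below plen are cleared.
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def aggregate(flows, routes, minimum_mask=0):
    """Return a Counter mapping aggregation prefix -> total packets."""
    cache = Counter()
    for dst, pkts in flows:
        cache[cache_key(dst, routes, minimum_mask)] += pkts
    return cache


def entries_per_minimum(flows, routes, minimums):
    """Number of cache entries produced for each candidate minimum mask."""
    return {m: len(aggregate(flows, routes, m)) for m in minimums}


if __name__ == "__main__":
    for minimum in (0, 28, 32):
        cache = aggregate(FLOWS, ROUTES, minimum)
        print(f"minimum mask {minimum}: {len(cache)} entries")
        for prefix, pkts in sorted(cache.items()):
            print(f"  {prefix}  {pkts} pkts")
```

With no minimum mask every host collapses into the routed /24, so a single noisy host is indistinguishable from its neighbours; a minimum mask of 32 gives one entry per host at the cost of a larger cache.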
Related Commands
mask
To specify the destination or source mask, use the mask command in aggregation cache configuration mode. To disable the destination mask, use the no form of this command.
Command History
Usage Guidelines
This command is only available with router-based aggregation. Minimum masking capability is not available if router-based aggregation is not enabled.
Examples
The following example shows how to configure the mask to use the destination-prefix as the aggregation cache scheme with a minimum mask value of 32:
Router(config)# ipv6 flow-aggregation cache destination-prefix
Router(config-flow-cache)# mask destination minimum 32
Related Commands
match (NetFlow)
To specify match criteria for the NetFlow top talkers (unaggregated top flows), use the match command in NetFlow top talkers configuration mode. To remove match criteria for NetFlow top talkers, use the no form of this command.
match {byte-range [max-byte-number min-byte-number | max max-byte-number | min min-byte-number] | class-map map-name | destination [address ip-address [mask | slash nn]] | as as-number | port [max-port-number min-port-number | max max-port-number | min min-port-number] | direction [ingress | egress] | flow-sampler flow-sampler-name | input-interface interface-type interface-number | nexthop-address ip-address [mask | slash nn] | output-interface interface-type interface-number | packet-range [max-packets min-packets | max max-packets | min min-packets] | protocol [protocol-number | udp | tcp] | source [address ip-address [mask | slash nn]] | as as-number | port [max-port-number min-port-number | max max-port-number | min min-port-number] | tos [tos-byte | dscp dscp | precedence precedence]}
no match {byte-range | class-map | destination [address | as | port] | direction | flow-sampler | input-interface | nexthop-address | output-interface | packet-range | protocol | source [address | as | port] | tos}
Syntax Description
Command History
Usage Guidelines
Configuring NetFlow Top Talkers
You must enable NetFlow on at least one interface in the router and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands.
Specifying Match Criteria
Use this command to specify match criteria for NetFlow top talkers. Match criteria are useful for restricting the list of top talkers. If you are using a MIB and Simple Network Management Protocol (SNMP) commands to configure this feature, refer to the table below for a mapping of the command-line interface (CLI) commands to the MIB SNMP commands:
1 The only IP version type that is currently supported is IPv4 (type 1).
Examples
The following example shows how you enter NetFlow top talkers configuration mode and specify that the top talkers are to contain the following characteristics:
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# match source address 10.10.0.0/16
Router(config-flow-top-talkers)# top 4
Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top-talkers command when the configuration from the previous example is used:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et2/0 10.10.11.3 Et1/0.1 172.16.10.7 06 0041 0041 30K
Et0/0.1 10.10.11.4 Et1/0.1 172.16.10.8 06 0041 0041 30K
Et3/0 10.10.11.2 Et1/0.1 172.16.10.6 06 0041 0041 29K
Et3/0 10.10.18.1 Null 172.16.11.5 11 00A1 00A1 28K
4 of 4 top talkers shown. 10 of 27 flows matched
The following example shows how you enter NetFlow top talkers configuration mode and specify that the top talkers are to contain the following characteristics:
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# match source address 10.10.0.0/16
Router(config-flow-top-talkers)# match destination address 172.16.11.0/24
Router(config-flow-top-talkers)# top 4
Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top-talkers command when the configuration from the previous example is used:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et3/0 10.10.18.1 Null 172.16.11.5 11 00A1 00A1 67K
Et3/0 10.10.19.1 Null 172.16.11.6 11 00A2 00A2 67K
2 of 4 top talkers shown. 2 of 30 flows matched
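When top-talkers output is collected for triage, the Pr, SrcP and DstP columns are hexadecimal (11 is UDP, 00A1 is port 161), which is easy to misread. The following Python sketch is an added example, not part of the Cisco reference: it parses the first output above, decodes those fields, and re-applies the match source address, match destination address, top and sort-by bytes logic off-box. Treating the K/M/G suffixes as rounded multiples of 1000 is an assumption.

```python
import ipaddress

# Rows copied from the first "show ip flow top-talkers" output on this page.
SAMPLE = """\
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et2/0 10.10.11.3 Et1/0.1 172.16.10.7 06 0041 0041 30K
Et0/0.1 10.10.11.4 Et1/0.1 172.16.10.8 06 0041 0041 30K
Et3/0 10.10.11.2 Et1/0.1 172.16.10.6 06 0041 0041 29K
Et3/0 10.10.18.1 Null 172.16.11.5 11 00A1 00A1 28K
4 of 4 top talkers shown. 10 of 27 flows matched
"""

# Assumption: the byte column is abbreviated with decimal suffixes.
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_bytes(field):
    """Convert '30K' style counters to an approximate integer."""
    if field[-1] in SUFFIX:
        return int(field[:-1]) * SUFFIX[field[-1]]
    return int(field)


def parse_top_talkers(text):
    """Return one dict per flow row; prompt, header and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue
        src_if, src, dst_if, dst, proto, sport, dport, nbytes = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            flows.append({
                "src_if": src_if, "src": src,
                "dst_if": dst_if, "dst": dst,
                "proto": int(proto, 16),       # 06 -> 6 (TCP), 11 -> 17 (UDP)
                "src_port": int(sport, 16),    # 00A1 -> 161
                "dst_port": int(dport, 16),
                "bytes": parse_bytes(nbytes),
            })
        except ValueError:
            continue  # not a flow row
    return flows


def apply_match(flows, source=None, destination=None, top=4):
    """Emulate 'match source/destination address', 'sort-by bytes' and 'top n'."""
    src_net = ipaddress.ip_network(source) if source else None
    dst_net = ipaddress.ip_network(destination) if destination else None
    hits = [f for f in flows
            if (src_net is None or ipaddress.ip_address(f["src"]) in src_net)
            and (dst_net is None or ipaddress.ip_address(f["dst"]) in dst_net)]
    return sorted(hits, key=lambda f: f["bytes"], reverse=True)[:top]


if __name__ == "__main__":
    parsed = parse_top_talkers(SAMPLE)
    for f in apply_match(parsed, source="10.10.0.0/16",
                         destination="172.16.11.0/24"):
        print(f["src"], "->", f["dst"], "proto", f["proto"],
              "dport", f["dst_port"], "bytes ~", f["bytes"])
```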
Related Commands
mls aging fast
To configure the fast-aging time for unicast entries in the Layer 3 table, use the mls aging fast command in global configuration mode. To restore the MLS fast-aging time to the default settings, use the no form of this command.
mls aging fast [threshold packet-count [time seconds]]
mls aging fast [time seconds [threshold packet-count]]
no mls aging fast
Command Default
The defaults are as follows:
Usage Guidelines
This command has no effect when you configure sampled NetFlow. You must disable sampled NetFlow to allow this command to take effect.
mls aging long
To configure the long-aging time for unicast entries in the Layer 3 table, use the mls aging long command in global configuration mode. To restore the MLS long-aging time to the default settings, use the no form of this command.
Usage Guidelines
This command has no effect when you configure sampled NetFlow. You must disable sampled NetFlow to allow this command to take effect.
mls aging normal
To configure the normal-aging time for unicast entries in the Layer 3 table, use the mls aging normal command in global configuration mode. To restore the MLS normal-aging time to the default settings, use the no form of this command.
Usage Guidelines
This command has no effect when you configure sampled NetFlow. You must disable sampled NetFlow to allow this command to take effect.
mls exclude acl-deny
To disable the creation of NetFlow entries for ingress ACL denied flows, use the mls exclude acl-deny command in global configuration mode. To disable the creation of NetFlow entries for ACL denied flows, use the no form of this command.
mls flow
To configure the flow mask for NDE, use the mls flow command in global configuration mode. To specify a null flow mask, use the no form of this command. To restore the default flow mask, use the default form of this command.
mls flow {ip | ipv6} {destination | destination-source | full | interface-destination-source | interface-full | source}
no mls flow {ip | ipv6}
default mls flow {ip | ipv6}
Syntax Description
Command Default
The defaults are as follows:
Command History
Usage Guidelines
This command collects statistics for the supervisor engine.
In Cisco IOS Release 12.2(33)SRB and later, the interface-destination-source and interface-full flow masks are the only masks supported for IPv4 traffic. This change was made to accommodate the per-interface NetFlow feature. If other flow mask values are used, the router upgrades them as follows:
mls ip nat netflow-frag-l4-zero
To zero out the Layer 4 information in the NetFlow lookup table for fragmented packets, use the mls ip nat netflow-frag-l4-zero command in global configuration mode. To restore the default settings, use the no form of this command.
Usage Guidelines
This command is supported in PFC3BXL or PFC3B mode only.
Use the mls ip nat netflow-frag-l4-zero command to prevent matching the first fragment to the NetFlow shortcut (normal operation) that is sent to the software. The next fragments that are sent to the software are translated based on the Layer 4 port information from the first fragment. The translation based on the Layer 4 port information from the first fragment occurs because there are no fragment bits for matching in the NetFlow key.
When there is a large feature configuration on an interface that requires a large number of ACL TCAM entries/masks that are programmed in TCAM, if the interface is configured as a NAT-inside interface, the feature configuration may not fit in the ACL TCAM and the traffic on the interface may get switched in the software.
mls nde flow
To specify the filter options for NDE, use the mls nde flow command in global configuration mode. To clear the NDE flow filter and reset the filter to the default settings, use the no form of this command.
mls nde flow {include | exclude} {dest-port port-num | destination ip-addr ip-mask | protocol {tcp | udp} | source ip-addr ip-mask | src-port port-num}
no mls nde flow {include | exclude}
Syntax Description
Command Default
The defaults are as follows:
Usage Guidelines
The mls nde flow command adds filtering to the NDE. The expired flows matching the specified criteria are exported. These values are stored in NVRAM and do not clear when NDE is disabled. If any option is not specified in this command, it is treated as a wildcard. The NDE filter in NVRAM does not clear when you disable NDE.
Only one filter can be active at a time. If you do not enter the exclude or include keyword, the filter is assumed to be an inclusion filter.
The include and exclude filters are stored in NVRAM and are not removed if you disable NDE.
ip-addr maskbits is the simplified long subnet address format. The mask bits specify the number of bits of the network masks. For example, 172.22.252.00/22 indicates a 22-bit subnet address. The ip-addr is a full host address, such as 193.22.253.1/22.
mls nde interface
To populate the additional fields in the NDE packets, use the mls nde interface command in interface configuration mode. To disable the population of the additional fields, use the no form of this command.
Command Default
The defaults are as follows:
Usage Guidelines
You can configure NDE to populate the following additional fields in the NDE packets:
The ingress-interface SNMP index is always populated if the flow mask is interface-full or interface-src-dst.
For detailed information, refer to the "Configuring NDE" chapter of the Cisco 7600 Series Router Cisco IOS Software Configuration Guide.
mls nde sender
To enable MLS NDE export, use the mls nde sender command in global configuration mode. To disable MLS NDE export, use the no form of this command.
mls netflow
To enable NetFlow to gather statistics, use the mls netflow command in global configuration mode. To disable NetFlow from gathering statistics, use the no form of this command.
mls netflow [interface | cache | usage notify [threshold seconds]]
no mls netflow [interface | cache | usage notify]
Syntax Description
Command History
Usage Guidelines
NetFlow gathers statistics from traffic that flows through the Cisco 7600 series router and stores the statistics in the NetFlow table. You can gather the statistics globally based on a protocol or optionally per interface.
If you are not using NetFlow Data Export (NDE) or Cisco IOS features that use the hardware NetFlow table (non-Reverse Path Forwarding [non-RPF] multicast traffic, microflow quality of service [QoS], the Web Cache Communications Protocol [WCCP], TCP intercept, or reflexive access control lists), you can safely disable the use and maintenance of the hardware NetFlow table using the no mls netflow command in global configuration mode.
Use the cache keyword to enable NetFlow to cache the total active flow count in the PFC or DFC. If caching is disabled, the active flow count is retrieved from the router, which causes delay affecting Simple Network Management Protocol (SNMP)-based applications. When this option is enabled, the total active count in the PFC or DFC is cached every 30 seconds, and the cached value is used for statistics.
Examples
The following example shows how to enable NetFlow to gather statistics:
Router(config)# mls netflow
The following example shows how to disable NetFlow from gathering the statistics:
Router(config)# no mls netflow
Disabling MLS netflow entry creation.
The following example shows how to enable NetFlow to cache the total active flow count:
Router(config)# mls netflow cache
The following example shows how to set the threshold value for NetFlow table utilization:
Router(config)# mls netflow usage notify 75 500
mls netflow interface
To enable the creation of NetFlow entries on a per-VLAN basis, use the mls netflow interface command in global configuration mode. To disable the creation of NetFlow entries, use the no form of this command.
Usage Guidelines
Entering the mls netflow interface command creates NetFlow entries for all VLANs. NetFlow entries are created both for VLANs on which bridged-flow statistics is enabled and for VLANs on which NetFlow entry creation is enabled.
For example, if you enable Layer 3 per-VLAN entry creation on VLANs 100 and 200 and at the same time you want to enable bridged-flow statistics on VLANs 150 and 250, NetFlow entry creation and bridged-flow statistics are both enabled on all four VLANs. To collect only bridged-flow statistics for VLAN 150 and 250, you must disable the per-VLAN entry creation feature.
mls netflow maximum-flows
To configure the maximum flow allocation in the NetFlow table, use the mls netflow maximum-flows command in global configuration mode. To return to the default settings, use the no form of this command.
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 720.
The value that you specify for the maximum number of flows is that value times 1000. For example, if you enter 32, you specify that 32,000 is the maximum number of permitted flows.
mls netflow sampling
To enable sampled NetFlow on an interface, use the mls netflow sampling command in interface configuration mode. To disable sampled NetFlow on an interface, use the no form of this command.
Command History
Usage Guidelines
In Cisco IOS Release 12.2SRA and earlier, the sampled NetFlow can be global or per interface, depending on the current flow mask. For interface-full and interface-destination-source flow masks, sampled NetFlow is enabled on a per-interface basis. For all the other flow masks, sampled NetFlow is always global and is turned on or off for all interfaces.
Enter the mls sampling command to enable sampled NetFlow globally.
Cisco IOS Release 12.2(33)SRB and later support per-interface NetFlow for IPv4 traffic. Per-interface NetFlow has the following configuration requirements:
Examples
This example shows how to enable sampled NetFlow on an interface:
Router(config-if)# mls netflow sampling
Router(config-if)#
This example shows how to disable sampled NetFlow on an interface:
Router(config-if)# no mls netflow sampling
Router(config-if)#
Related Commands
mls netflow usage notify
To monitor the NetFlow table usage on the switch processor and the DFCs, use the mls netflow usage notify command in global configuration mode. To return to the default settings, use the no form of this command.
Usage Guidelines
If the NetFlow table usage monitoring is enabled and the NetFlow table usage exceeds the percentage threshold, a warning message is displayed.
NetFlow gathers statistics from traffic and stores the statistics in the NetFlow table. You can gather statistics globally based on a protocol or optionally per interface.
If you are not using NDE or the Cisco IOS features that use the hardware NetFlow table (micro-flow QoS, WCCP, TCP Intercept, or Reflexive ACLs), you may safely disable the use and maintenance of the hardware NetFlow table using the no mls netflow command in global configuration mode.
mls sampling
To enable the sampled NetFlow and specify the sampling method, use the mls sampling command in global configuration mode. To disable the sampled NetFlow, use the no form of this command.
Syntax Description
Command History
Usage Guidelines
The sampled NetFlow is supported on Layer 3 interfaces only.
You can enable the sampled NetFlow even if NDE is disabled, but no flows are exported.
With packet-based sampling, a flow with a packet count of n is sampled n/m times, where m is the sampling rate.
Cisco IOS Release 12.2(33)SRB and later support per-interface NetFlow for IPv4 traffic. Per-interface NetFlow has the following configuration requirements:
The time-based sampling is based on a preset interval for each sampling rate. The table below lists the sample intervals for each rate and period.
Examples
This example shows how to enable the time-based NetFlow sampling and set the sampling rate:
Router(config)# mls sampling time-based 1024
Router(config)#
This example shows how to enable the packet-based NetFlow sampling and set the sampling rate and interval:
Router(config)# mls sampling packet-based 1024 8192
Router(config)#
Related Commands
mode (flow sampler configuration)
To specify a packet interval for random sampled NetFlow accounting and enable the flow sampler map, use the mode command in NetFlow flow sampler configuration mode.
Command History
Usage Guidelines
The mode random one-out-of command does not have a no form to remove it from the configuration. To disable NetFlow random sampling and packet interval, you must remove the flow sampler map that you enabled with the mode random one-out-of command.
If you want to change the value that you entered for the packet-interval argument, repeat the mode random one-out-of packet-interval command using the new value for packet-interval.
Random sampled NetFlow accounting cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling on the same interface or subinterface. In order to run random sampled NetFlow accounting, you must first disable (ingress) NetFlow accounting, egress NetFlow accounting, or NetFlow accounting with input filter sampling.
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Examples
The following example shows how to create and enable a random sampler map for random sampled (ingress) NetFlow accounting with CEF switching on Ethernet interface 0/0:
Router(config)# ip cef
Router(config)# flow-sampler-map my-map
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# interface ethernet 0/0
Router(config-if)# no ip route-cache flow
Router(config-if)# ip route-cache cef
Router(config-if)# flow-sampler my-map
The following example shows how to create and enable a random sampler map for random sampled egress NetFlow accounting with CEF switching on Ethernet interface 1/0:
Router(config)# ip cef
Router(config)# flow-sampler-map my-map
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# interface ethernet 1/0
Router(config-if)# no ip flow egress
Router(config-if)# ip route-cache cef
Router(config-if)# flow-sampler my-map egress
The following output from the show flow-sampler command verifies that random sampled NetFlow accounting is active:
Router# show flow-sampler
Sampler : my-map, id : 1, packets matched : 7, mode : random sampling mode
sampling interval is : 100
Related Commands
mpls netflow egress
To enable Multiprotocol Label Switching (MPLS) egress NetFlow accounting on an interface, use the mpls netflow egress command in interface configuration mode. To disable MPLS egress NetFlow accounting, use the no form of this command.
Command History
Usage Guidelines
Use this command to configure the provider edge (PE) to customer edge (CE) interface of a PE router.
Examples
The following example shows how to enable MPLS egress NetFlow accounting on the egress PE interface that connects to the CE interface at the destination Virtual Private Network (VPN) site:
Router(config-if)# mpls netflow egress
Related Commands
netflow-sampler
To enable NetFlow accounting with input filter sampling, use the netflow-sampler command in QoS policy-map class configuration mode. To disable NetFlow accounting with input filter sampling, use the no form of this command.
Command History
Usage Guidelines
NetFlow accounting with input filter sampling cannot be run concurrently with (ingress) NetFlow accounting, egress NetFlow accounting, or random sampled NetFlow on the same interface or subinterface. In order to run NetFlow accounting with input filter sampling, you must first disable (ingress) NetFlow accounting, egress NetFlow accounting, or random sampled NetFlow.
You can assign only one NetFlow input filter sampler to a class. Assigning another NetFlow input filter sampler to a class overwrites the previous one.
Samplers, also known as filters, are based on classes, but they are enabled on interfaces. You assign a NetFlow input filter sampler to a class by using the netflow-sampler command in QoS policy-map class configuration mode. You then use the service-policy command to attach the policy map you defined to one or more interfaces.
You must enable either Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this command.
Examples
The following example shows how to enable NetFlow accounting with input filter sampling for one class of traffic (traffic with 10 as the first octet of the IP source address):
Router(config)# ip cef
Router(config)# flow-sampler-map network-10
Router(config-sampler)# mode random one-out-of 100
Router(config-sampler)# exit
Router(config)# class-map match-any network-10
Router(config-cmap)# match access-group 100
Router(config-cmap)# exit
Router(config)# policy-map network-10
Router(config-pmap)# class network-10
Router(config-pmap-c)# netflow-sampler network-10
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface Ethernet0/0
Router(config-if)# no ip route-cache flow
Router(config-if)# ip route-cache cef
Router(config-if)# interface ethernet 0/0.1
Router(config-if)# service-policy input network-10
Router(config-if)# exit
Router(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 any
The following output from the show flow-sampler command verifies that the NetFlow accounting with input filter sampling is active:
Router# show flow-sampler
Sampler : network-10, id : 1, packets matched : 546, mode : random sampling mode
sampling interval is : 100
The following output from the show ip cache verbose flow command shows that the combination of the access-list 100 permit ip 10.0.0.0 0.255.255.255 any command and the match access-group 100 command has filtered out any traffic in which the source IP address does not have 10 as the first octet:
Router# show ip cache verbose flow
IP packet size distribution (116 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .155 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .258 .586 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
7 active, 4089 inactive, 66 added
3768 ager polls, 0 flow alloc failures
Active flows timeout in 1 minutes
Inactive flows timeout in 120 seconds
IP Sub Flow Cache, 21640 bytes
6 active, 1018 inactive, 130 added, 62 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 6 0.0 1 940 0.0 8.8 51.6
TCP-FTP 5 0.0 1 640 0.0 6.9 53.4
TCP-SMTP 2 0.0 3 1040 0.0 41.7 18.5
TCP-other 36 0.0 1 1105 0.0 18.8 41.5
UDP-other 6 0.0 3 52 0.0 54.8 5.5
ICMP 4 0.0 1 628 0.0 11.3 48.8
Total: 59 0.0 1 853 0.1 20.7 39.6
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et0/0.1 10.10.10.3 Et1/0.1 172.16.10.3 06 80 00 1
0016 /0 0 0016 /0 0 0.0.0.0 840 0.0
Sampler: 1 Class: 1
Et0/0.1 10.10.10.3 Et1/0.1* 172.16.10.3 06 80 00 1
0016 /0 0 0016 /0 0 0.0.0.0 840 0.0
Sampler: 1 Class: 1 FFlags: 01
Et0/0.1 10.10.11.3 Et1/0.1 172.16.10.7 06 80 00 1
0041 /0 0 0041 /0 0 0.0.0.0 1140 0.0
Sampler: 1 Class: 1
Et0/0.1 10.10.11.1 Et1/0.1 172.16.10.5 06 80 00 3
0019 /0 0 0019 /0 0 0.0.0.0 1040 36.7
Sampler: 1 Class: 1
Et0/0.1 10.10.11.1 Et1/0.1* 172.16.10.5 06 80 00 1
0019 /0 0 0019 /0 0 0.0.0.0 1040 0.0
Sampler: 1 Class: 1 FFlags: 01
Et0/0.1 10.1.1.2 Et1/0.1 172.16.10.10 06 80 00 2
0041 /0 0 0041 /0 0 0.0.0.0 1140 37.8
Sampler: 1 Class: 1
Et0/0.1 10.10.10.1 Et1/0.1 172.16.10.1 01 80 10 1
0000 /0 0 0000 /0 0 0.0.0.0 628 0.0
Sampler: 1 Class: 1
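The filter check described above can be automated. The following Python code is an added example, not part of the Cisco documentation: it parses the record lines of the show ip cache verbose flow output above by pairing each heading line with its data line, decodes the hexadecimal Pr and port columns, and reports any source address outside 10.0.0.0/8. The Src/Dst field-name prefixes, the DstIfStar flag and all function names are chosen for this example, and only the Sampler, Class and FFlags optional fields are read.

```python
import ipaddress
import re

# Heading and record lines copied from the show ip cache verbose flow output above.
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et0/0.1 10.10.10.3 Et1/0.1 172.16.10.3 06 80 00 1
0016 /0 0 0016 /0 0 0.0.0.0 840 0.0
Sampler: 1 Class: 1
Et0/0.1 10.10.10.3 Et1/0.1* 172.16.10.3 06 80 00 1
0016 /0 0 0016 /0 0 0.0.0.0 840 0.0
Sampler: 1 Class: 1 FFlags: 01
Et0/0.1 10.10.11.3 Et1/0.1 172.16.10.7 06 80 00 1
0041 /0 0 0041 /0 0 0.0.0.0 1140 0.0
Sampler: 1 Class: 1
Et0/0.1 10.10.11.1 Et1/0.1 172.16.10.5 06 80 00 3
0019 /0 0 0019 /0 0 0.0.0.0 1040 36.7
Sampler: 1 Class: 1
Et0/0.1 10.10.11.1 Et1/0.1* 172.16.10.5 06 80 00 1
0019 /0 0 0019 /0 0 0.0.0.0 1040 0.0
Sampler: 1 Class: 1 FFlags: 01
Et0/0.1 10.1.1.2 Et1/0.1 172.16.10.10 06 80 00 2
0041 /0 0 0041 /0 0 0.0.0.0 1140 37.8
Sampler: 1 Class: 1
Et0/0.1 10.10.10.1 Et1/0.1 172.16.10.1 01 80 10 1
0000 /0 0 0000 /0 0 0.0.0.0 628 0.0
Sampler: 1 Class: 1
"""

# Heading line 1 as printed. Heading line 2 repeats "Port Msk AS", so the
# Src/Dst prefixes below are names chosen for this example.
HEAD1 = "SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts".split()
HEAD2 = "SrcPort SrcMsk SrcAS DstPort DstMsk DstAS NextHop B/Pk Active".split()
EXTRA = re.compile(r"\b(Sampler|Class|FFlags):\s*(\S+)")

def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def _is_record_start(tokens):
    # First data line: eight columns with addresses in columns 2 and 4.
    return (len(tokens) == len(HEAD1)
            and _is_ipv4(tokens[1]) and _is_ipv4(tokens[3]))

def _decode(flow):
    """Convert the hexadecimal and numeric columns to Python numbers."""
    flow["DstIfStar"] = flow["DstIf"].endswith("*")  # keep the '*' marker as a flag
    flow["DstIf"] = flow["DstIf"].rstrip("*")
    for key in ("Pr", "SrcPort", "DstPort"):          # printed in hexadecimal
        flow[key] = int(flow[key], 16)
    for key in ("Pkts", "B/Pk"):
        flow[key] = int(flow[key])
    flow["Active"] = float(flow["Active"])
    return flow

def parse_verbose_flows(text):
    """Return one dict per flow, pairing heading line N with data line N."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    flows, i = [], 0
    while i < len(rows):
        if not (_is_record_start(rows[i]) and i + 1 < len(rows)
                and len(rows[i + 1]) == len(HEAD2)):
            i += 1  # banner, heading, or a line this example ignores
            continue
        flow = dict(zip(HEAD1, rows[i]))
        flow.update(zip(HEAD2, rows[i + 1]))
        i += 2
        # Optional lines (Sampler/Class/FFlags) run until the next record.
        while i < len(rows) and not _is_record_start(rows[i]):
            flow.update(EXTRA.findall(" ".join(rows[i])))
            i += 1
        flows.append(_decode(flow))
    return flows

def sources_outside(flows, network="10.0.0.0/8"):
    """Source addresses that the access-list 100 filter should have excluded."""
    net = ipaddress.ip_network(network)
    return sorted({f["SrcIPaddress"] for f in flows
                   if ipaddress.ip_address(f["SrcIPaddress"]) not in net})

if __name__ == "__main__":
    parsed = parse_verbose_flows(SAMPLE)
    for f in parsed:
        print(f["SrcIPaddress"], "->", f["DstIPaddress"], "proto", f["Pr"],
              "dport", f["DstPort"], "sampler", f.get("Sampler"))
    print("sources outside 10.0.0.0/8:", sources_outside(parsed))
```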
Related Commands
platform netflow rp sampling scale
To apply a sampling scale equivalent to the configured platform sampling ratio to the software-switched flows exported by the NetFlow software, use the platform netflow rp sampling scale command in global configuration mode. To disable sampling of software-switched flows by the NetFlow software, use the no form of this command.
Usage Guidelines
Use this command to scale the exported information for flows handled by the Route Processor (RP) equivalent to the platform sampling ratio. Without this command, a NetFlow collector assumes all flows exported by a router are uniformly sampled and multiplies the nonsampled RP flows by the sampling factor, and therefore overestimates the traffic handled by the RP.
The applicable sampling scale is obtained from the Cisco 7600-specific router platform mls sampling command.
Based on configuration, the RP software divides the exported packet/byte counts for a V5 and V9 export by the configured platform sampling ratio. The platform configuration is accomplished using the mls netflow sampling command. If no such configuration is present, the RP exports the value it observes, and does not divide the exported packet/byte count.
reliability (NetFlow SCTP)
To specify the level of reliability for the reliable export of NetFlow accounting information in NetFlow cache entries, use the reliability command in NetFlow ip flow export stream control transmission protocol (SCTP) configuration mode. To return to the default behavior, use the no form of this command.
reliability {full | none | partial buffer-limit}
no reliability {full | none | partial buffer-limit limit}
Syntax Description
Usage Guidelines
NetFlow Reliable Export Using SCTP with Partial Reliability
If a stream is specified as unreliable, the packet is simply sent once and not buffered on the exporter at all. If the packet is lost en route to the receiver, the exporter is not notified and cannot retransmit it.
When a stream is specified as partially reliable, a limit can be placed on how much memory should be dedicated to storing unacknowledged packets. The limit is configurable. If the limit is exceeded and the router attempts to buffer another packet, the oldest unacknowledged packet is discarded. When SCTP discards the oldest unacknowledged packet, a message called a forward-tsn (transmit sequence number) is sent to the export destination to indicate that this packet will not be received. This prevents NetFlow from consuming all the free memory on a router when a situation has arisen which requires a large number of packets to be buffered, for example when you are experiencing long response times from an SCTP peer connection.
When SCTP is operating in partially reliable mode, the limit on how much memory should be dedicated to storing unacknowledged packets should initially be set as high as possible. The limit can be reduced if other processes on the router begin to run out of memory. Deciding on the best value for the limit involves a tradeoff between avoiding starving other processes of the memory that they require to operate, and dropping SCTP messages that have not been acknowledged by the export destination.
NetFlow Reliable Export Using SCTP with Reliability Disabled
When an SCTP connection is specified as unreliable, exported messages are sent once only and are not buffered. If the message is lost en route to the export destination, it cannot be retransmitted.
Unreliable SCTP can be used when the export destination that you are using does not support UDP as a transport protocol for receiving NetFlow export datagrams, and you do not want to allocate the resources on your router required to provide reliable, or partially reliable, SCTP connections.
Examples
The following example shows how to configure the networking device to use full SCTP reliability:
Router(config)# ip flow-export destination 172.16.10.2 78 sctp
Router(config-flow-export-sctp)# reliability full
The following example shows how to configure the networking device to use partial SCTP reliability, with a maximum value for the buffer limit of 35000 export packets:
Router(config)# ip flow-export destination 172.16.10.2 78 sctp
Router(config-flow-export-sctp)# reliability partial buffer-limit 35000
The following example shows how to configure the networking device to use SCTP with no reliability:
Router(config)# ip flow-export destination 172.16.10.2 78 sctp
Router(config-flow-export-sctp)# reliability none
Related Commands
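The partial-reliability buffering described in the usage guidelines for the reliability command, as an added Python example that is not Cisco code: it shows which export packets are discarded (and announced with a forward-tsn) for a given buffer limit when the export destination stops acknowledging for a while, and the smallest limit that avoids any discard. The model is a simplifying assumption: one export packet per tick, no loss or retransmission, and a constructed stall window; all function and parameter names are hypothetical.

```python
from collections import deque


def simulate_export(buffer_limit, n_packets, ack_delay, stall=None):
    """Simplified model of the exporter's buffer of unacknowledged packets.

    One export packet is sent per tick and its TSN equals the tick number.
    The acknowledgement for TSN t arrives at tick t + ack_delay; if that tick
    falls inside stall=(start, end), it arrives at `end` instead.
    buffer_limit is counted in export packets; None means an unbounded buffer.
    """
    if buffer_limit is not None and buffer_limit < 1:
        raise ValueError("buffer_limit must be at least 1 packet")

    def ack_tick(tsn):
        tick = tsn + ack_delay
        if stall and stall[0] <= tick < stall[1]:
            tick = stall[1]  # the peer answers only when the stall ends
        return tick

    buffered = deque()   # unacknowledged TSNs, oldest first
    forward_tsn = []     # TSNs discarded from the buffer (forward-tsn sent)
    peak = 0
    for now in range(n_packets):
        # Release every packet whose acknowledgement has arrived.
        buffered = deque(t for t in buffered if ack_tick(t) > now)
        # Partial reliability: make room by discarding the oldest packet.
        if buffer_limit is not None and len(buffered) >= buffer_limit:
            forward_tsn.append(buffered.popleft())
        buffered.append(now)
        peak = max(peak, len(buffered))
    return {"forward_tsn": forward_tsn, "peak_buffered": peak}


def smallest_limit_without_discard(n_packets, ack_delay, stall=None):
    """Peak use of an unbounded buffer = smallest limit that never discards."""
    return simulate_export(None, n_packets, ack_delay, stall)["peak_buffered"]


if __name__ == "__main__":
    # Constructed scenario: 40 export packets, acknowledgements normally two
    # ticks behind, and a peer that stops acknowledging from tick 10 to 25.
    scenario = dict(n_packets=40, ack_delay=2, stall=(10, 25))
    print("limit needed for no discard:",
          smallest_limit_without_discard(**scenario))
    for limit in (17, 10, 4):
        result = simulate_export(limit, **scenario)
        print("limit", limit, "discarded", len(result["forward_tsn"]),
              "TSNs", result["forward_tsn"])
```

A discarded packet in this model has lost its retransmission guarantee; whether the collector actually misses the flow records depends on whether the single transmission arrived.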
show flow-sampler
To display the status and statistics for random sampled NetFlow (including mode, packet interval, and number of packets matched for each flow sampler), use the show flow-sampler command in user EXEC or privileged EXEC mode.
Command History
Examples
The following is sample output from the show flow-sampler command for all flow samplers:
Router> show flow-sampler
Sampler : mysampler1, id : 1, packets matched : 10, mode : random sampling mode
sampling interval is : 100
Sampler : myflowsampler2, id : 2, packets matched : 5, mode : random sampling mode
sampling interval is : 200
The following is sample output from the show flow-sampler command for a flow sampler named mysampler1:
Router> show flow-sampler mysampler1
Sampler : mysampler1, id : 1, packets matched : 0, mode : random sampling mode
sampling interval is : 100
The table below describes the fields shown in the displays.
Related Commands
show fm nat netflow data
To display the information about the NAT-related NetFlow data, use the show fm nat netflow data command in user EXEC or privileged EXEC mode.
Command History
Examples
This example shows how to display the information about the NAT-related NetFlow data:
Router> show fm nat netflow data
FM Pattern with stat push disabled: 1
Default/TCP/UDP Timeouts:
Def s/w timeout: 86400 h/w timeout: 300 Pattern(ingress): 4
Pattern(egress): 4 Push interval: 1333
TCP s/w timeout: 86400 h/w timeout: 300 Pattern(ingress): 4
Pattern(egress): 4 Push interval: 1333
UDP s/w timeout: 300 h/w timeout: 300 Pattern(ingress): 3
Pattern(egress): 3 Push interval: 100
Port Timeouts:
Idle timeout :3600 secs
Fin/Rst timeout :10 secs
Fin/Rst Inband packets sent per timeout :10000
Netflow mode to Zero-out Layer4 information for fragment packet lookup :
Enabled
Router>
show fm netflow
To display the feature manager (FM) Netflow information, use the show fm netflow command in user EXEC or privileged EXEC mode.
Examples
This example shows how to display the information about the feature manager Netflow counters:
Router# show fm netflow counters
FM Netflow Counters IPv4 IPv6
-----------------------------------------------------------------
Netflow Install Request Counters:
Netflow Install Reply Counters:
Netflow Delete Requests Counters:
Netflow Delete Reply Counters:
Netflow nodes in database: 0 0
FM Netflow Outstanding Adjacency Replies, Slot[1] = 0
FM Safe inband mode : Active
FM No. of dummy inbands : 8
FM Netflow Disable shortcut Flag : 0
FM Inband Reply Mode : Inband err reply
FM Netflow Adjacency Block Size : 1024
FM Netflow Max Adjacency Threshold : 131072
FM Number of Items in Netflow Clr Database=0
This example shows how to display the information about the feature manager Netflow patterns:
Router# show fm netflow pattern
Feature Pattern StatPush Agetime
------- ------- -------- -------
SLB 7 0 0 10
INSPECT 6 0 0 1
TCP_INTERCEPT 5 0 300 1
WCCP_EGRESS 5 0 300 1
NAT_INGRESS 4 1333 300 1
NAT_EGRESS 4 1333 300 1
IP_ACCESS_INGRESS 3 100 300 1
IP_ACCESS_EGRESS 3 100 300 1
NAT_INGRESS 3 100 300 1
NAT_EGRESS 3 100 300 1
IPV6_RACL_EGRESS 3 100 300 1
NF_AGING 2 0 10
DEFAULT_NO_STAT 1 0 0
This example shows how to display the slot information about the feature manager Netflow:
Router# show fm netflow slotinfo
Slotnum=1 free_index=0 num_free_adj=128 adj_arr_size=128
VSS Output
This example shows how to display the information about the feature manager Netflow counters on a VSS:
Router# show fm netflow counters
FM Netflow Counters IPv4 IPv6
-----------------------------------------------------------------
Netflow Install Request Counters:
Netflow Install Reply Counters:
Netflow Delete Requests Counters:
Netflow Delete Reply Counters:
Netflow nodes in database: 0 0
FM Netflow Outstanding Adjacency Replies, Slot[1/1] = 0
FM Netflow Outstanding Adjacency Replies, Slot[1/2] = 0
FM Safe inband mode : Active
FM No. of dummy inbands : 8
FM Netflow Disable shortcut Flag : 0
FM Inband Reply Mode : Inband err reply
FM Netflow Adjacency Block Size : 1024
FM Netflow Max Adjacency Threshold : 131072
FM Number of Items in Netflow Clr Database=0
This example shows how to display the slot information about the feature manager Netflow on a VSS:
Router# show fm netflow slotinfo
Slotnum=1/1 free_index=0 num_free_adj=128 adj_arr_size=128
Slotnum=1/2 free_index=0 num_free_adj=128 adj_arr_size=128
Slotnum=2/5 free_index=0 num_free_adj=128 adj_arr_size=128
Slotnum=2/8 free_index=0 num_free_adj=128 adj_arr_size=128
show ip cache flow
To display a summary of the NetFlow accounting statistics, use the show ip cache flow command in user EXEC or privileged EXEC mode.
Command History
Usage Guidelines
Some of the content in the display of the show ip cache flow command uses multiline headings and multiline data fields. Figure 1 uses an example of the output from the show ip cache verbose flow command to show how to associate the headings with the correct data fields when there are two or more lines of headings and two or more lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields, and so on.
When other features such as IP Multicast are configured, the number of lines in the headings and data fields increases. The method for associating the headings with the correct data fields remains the same.
Displaying Detailed NetFlow Cache Information on Platforms Running Distributed Cisco Express Forwarding
On platforms running distributed Cisco Express Forwarding (dCEF), NetFlow cache information is maintained on each line card or Versatile Interface Processor. To display this information on a distributed platform by using the show ip cache flow command, you must enter the command at a line card prompt.
Cisco 7600 Series Platforms
The module num keyword and argument are supported on DFC-equipped modules only.
The VPN name and ID are shown in the display output in the format VPN:vpn-id.
Cisco 7500 Series Platform
The Cisco 7500 series platforms are not supported by Cisco IOS Release 12.4T and later. Cisco IOS Release 12.4 is the last Cisco IOS release to support the Cisco 7500 series platforms.
To display NetFlow cache information using the show ip cache flow command on a Cisco 7500 series router that is running dCEF, enter the following sequence of commands:
Router# if-con slot-number
LC-slot-number# show ip cache flow
For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display NetFlow cache information:
Router# execute-on slot-number show ip cache flow
Cisco 12000 Series Platform
To display NetFlow cache information using the show ip cache flow command on a Cisco 12000 Series Internet Router, enter the following sequence of commands:
Router# attach slot-number
LC-slot-number# show ip cache flow
For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display NetFlow cache information:
Router# execute-on slot-number show ip cache flow
Examples
The following is a sample display of a main cache using the show ip cache flow command:
Router# show ip cache flow
IP packet size distribution (2381 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.092 .000 .003 .000 .141 .048 .000 .000 .000 .093 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .048 .189 .381 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
22 active, 4074 inactive, 45 added
2270 ager polls, 0 flow alloc failures
Active flows timeout in 1 minutes
Inactive flows timeout in 100 seconds
IP Sub Flow Cache, 25736 bytes
23 active, 1001 inactive, 47 added, 45 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-FTP 4 0.0 67 840 2.6 59.4 0.7
TCP-SMTP 1 0.0 67 168 0.6 59.4 0.5
TCP-BGP 1 0.0 68 1140 0.6 60.3 0.4
TCP-NNTP 1 0.0 68 1340 0.6 60.2 0.2
TCP-other 7 0.0 68 913 4.7 60.3 0.4
UDP-TFTP 1 0.0 68 156 0.6 60.2 0.1
UDP-other 4 0.0 36 151 1.4 45.6 14.7
ICMP 4 0.0 67 529 2.7 60.0 0.2
Total: 23 0.2 62 710 14.3 57.5 2.9
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Et2/0 192.168.137.78 Et3/0* 192.168.10.67 06 0041 0041 39
Et2/0 172.19.216.196 Et3/0* 192.168.10.38 06 0077 0077 39
Et0/0.1 10.56.78.128 Et1/0.1 172.16.30.231 06 00B3 00B3 48
Et0/0.1 10.10.18.1 Et1/0.1 172.16.30.112 11 0043 0043 47
Et0/0.1 10.162.37.71 Et1/0.1 172.16.30.218 06 027C 027C 48
Et0/0.1 172.16.6.1 Null 224.0.0.9 11 0208 0208 1
Et0/0.1 10.231.159.251 Et1/0.1 172.16.10.2 06 00DC 00DC 48
Et2/0 10.234.53.1 Et3/0* 192.168.10.32 06 0016 0015 39
Et2/0 10.210.211.213 Et3/0* 192.168.10.127 06 006E 006E 38
Et0/0.1 10.234.53.1 Et1/0.1 172.16.30.222 01 0000 0000 47
Et0/0.1 10.90.34.193 Et1/0.1 172.16.10.2 06 0016 0015 48
Et0/0.1 10.10.10.2 Et1/0.1 172.16.10.2 06 0016 0015 48
Et2/0 10.10.18.1 Et3/0* 192.168.10.162 11 0045 0045 39
Et0/0.1 192.168.3.185 Et1/0.1 172.16.10.2 06 0089 0089 48
Et0/0.1 10.10.11.1 Et1/0.1 172.16.30.51 06 0019 0019 49
Et0/0.1 10.254.254.235 Et1/0.1 172.16.10.2 11 00A1 00A1 48
Et2/0 192.168.23.2 Et3/0* 192.168.10.2 01 0000 0000 39
Et0/0.1 10.251.10.1 Et1/0.1 172.16.10.2 01 0000 0800 47
R3#
The following output of the show ip cache flow command on a Cisco 7600 series router shows that the source interface for some of the traffic in the NetFlow hardware cache on the PFC is VPN Red.
PE1# show ip cache flow
-------------------------------------------------------------------------------
MSFC:
IP packet size distribution (3139 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .685 .309 .000 .000 .000 .000 .003 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
2 active, 4094 inactive, 56 added
20904 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 33992 bytes
0 active, 1024 inactive, 4 added, 4 added to flow
0 alloc failures, 0 force free
1 chunk, 2 chunks added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-BGP 10 0.0 1 49 0.0 0.0 15.3
TCP-other 6 0.0 2 49 0.0 4.5 15.5
UDP-other 28 0.0 74 63 0.1 320.5 12.7
IP-other 6 0.0 153 80 0.0 1488.3 1.7
Total: 50 0.0 60 68 0.2 358.6 12.2
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa1/1 172.16.1.1 Null 224.0.0.2 11 0286 0286 74
Fa1/1 172.16.1.1 Null 224.0.0.5 59 0000 0000 33
-------------------------------------------------------------------------------
PFC:
Displaying Hardware entries in Module 5
SrcIf SrcIPaddress DstIPaddress Pr SrcP Dss
Fa1/1 172.20.1.2 172.20.1.3 0 0 0
Fa1/1 172.20.1.3 172.20.1.2 0 0 0
Fa1/1 172.16.1.2 172.16.2.6 0 0 0
Fa1/1 172.16.1.1 224.0.0.2 udp 646 64
vpn:red 10.2.0.2 10.1.1.1 0 0 0
.
.
.
PE1#
The table below describes the significant fields shown in the flow switching cache lines of the display.
The table below describes the significant fields shown in the activity by protocol lines of the display.
The table below describes the significant fields in the NetFlow record lines of the display.
Related Commands
show ip cache flow aggregation
To display the NetFlow accounting aggregation cache statistics, use the show ip cache flow aggregation command in user EXEC or privileged EXEC mode.
show ip cache [prefix mask] [interface-type interface-number] [verbose] flow aggregation {as | as-tos | bgp-nexthop-tos | destination-prefix | destination-prefix-tos | prefix | prefix-port | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos}
Syntax Description
Command History
Usage Guidelines
Some of the content in the display of the show ip cache flow aggregation command uses multiline headings and multiline data fields. Figure 1 uses an example of the output from the show ip cache verbose flow command to show how to associate the headings with the correct data fields when there are two or more lines of headings and two or more lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields, and so on.
When other features such as IP Multicast are configured, the number of lines in the headings and data fields increases. The method for associating the headings with the correct data fields remains the same.
Cisco 7600 Series Platforms
If you enter the show ip cache flow aggregation command without the module num, the software-switched aggregation cache on the RP is displayed.
The module num keyword and argument are supported on DFC-equipped modules only.
The VPN name and ID are shown in the display output in the format VPN:vpn-id.
Displaying Detailed NetFlow Cache Information on Platforms Running Distributed Cisco Express Forwarding
On platforms running Distributed Cisco Express Forwarding (dCEF), NetFlow cache information is maintained on each line card or Versatile Interface Processor. To display this information on a distributed platform by using the show ip cache flow command, you must enter the command at a line card prompt.
Cisco 7500 Series Platform
The Cisco 7500 series platforms are not supported by Cisco IOS Release 12.4T and later. Cisco IOS Release 12.4 is the last Cisco IOS release to support the Cisco 7500 series platforms.
To display NetFlow cache information using the show ip cache flow command on a Cisco 7500 series router that is running dCEF, enter the following sequence of commands:
Router# if-con slot-number
LC-slot-number# show ip cache flow
For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display NetFlow cache information:
Router# execute-on slot-number show ip cache flow
Cisco 12000 Series Platform
To display NetFlow cache information using the show ip cache flow command on a Cisco 12000 Series Internet Router, enter the following sequence of commands:
Router# attach slot-number
LC-slot-number# show ip cache flow
For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display NetFlow cache information:
Router# execute-on slot-number show ip cache flow
Examples
The following is a sample display of an autonomous system aggregation cache with the show ip cache flow aggregation as command:
Router# show ip cache flow aggregation as
IP Flow Switching Cache, 278544 bytes
2 active, 4094 inactive, 13 added
178 ager polls, 0 flow alloc failures
Src If Src AS Dst If Dst AS Flows Pkts B/Pk Active
Fa1/0 0 Null 0 1 2 49 10.2
Fa1/0 0 Se2/0 20 1 5 100 0.0
The following is a sample display of an autonomous system aggregation cache for the prefix mask 10.0.0.0 255.0.0.0 with the show ip cache flow aggregation as command:
Router# show ip cache 10.0.0.0 255.0.0.0 flow aggregation as
IP Flow Switching Cache, 278544 bytes
2 active, 4094 inactive, 13 added
178 ager polls, 0 flow alloc failures
Src If Src AS Dst If Dst AS Flows Pkts B/Pk Active
e1/2 0 Null 0 1 2 49 10.2
e1/2 0 e1/2 20 1 5 100 0.0
The following is a sample display of a destination prefix TOS cache with the show ip cache flow aggregation destination-prefix-tos command:
Router# show ip cache flow aggregation destination-prefix-tos
IP Flow Switching Cache, 278544 bytes
7 active, 4089 inactive, 21 added
5970 ager polls, 0 flow alloc failures
Active flows timeout in 5 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25736 bytes
7 active, 1017 inactive, 21 added, 21 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Dst If Dst Prefix Msk AS TOS Flows Pkts B/Pk Active
Null 224.0.0.0 /24 0 C0 2 6 72 132.1
Et1/0.1 172.16.30.0 /24 0 00 2 134 28 121.1
Et1/0.1 172.16.30.0 /24 0 80 12 804 780 124.6
Et1/0.1 172.16.10.0 /24 0 00 4 268 1027 121.1
Et1/0.1 172.16.10.0 /24 0 80 12 804 735 123.6
Et3/0 192.168.10.0 /24 0 80 10 669 755 121.8
Et3/0 192.168.10.0 /24 0 00 2 134 28 121.2
Router#
The following is a sample display of a prefix port aggregation cache with the show ip cache flow aggregation prefix-port command:
Router# show ip cache flow aggregation prefix-port
IP Flow Switching Cache, 278544 bytes
21 active, 4075 inactive, 84 added
26596 ager polls, 0 flow alloc failures
Active flows timeout in 5 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25736 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Src If Src Prefix Msk Dst If Dst Prefix Msk Flows Pkts
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 2 132
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 1 66
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 1 67
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 1 67
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 1 66
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 1 66
Et2/0 0.0.0.0 /0 Et3/0 192.168.10.0 /24 1 66
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 1 66
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 1 66
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 1 67
Et0/0.1 172.16.6.0 /24 Null 224.0.0.0 /24 1 3
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 1 66
Et2/0 0.0.0.0 /0 Et3/0 192.168.10.0 /24 1 66
Et2/0 0.0.0.0 /0 Et3/0 192.168.10.0 /24 1 66
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 1 66
Et2/0 0.0.0.0 /0 Et3/0 192.168.10.0 /24 1 66
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 1 67
Et2/0 0.0.0.0 /0 Et3/0 192.168.10.0 /24 1 67
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 1 66
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 1 66
Et2/0 0.0.0.0 /0 Et3/0 192.168.10.0 /24 1 67
Router#
The following is a sample display of a prefix port aggregation cache for the prefix mask 172.16.0.0 255.255.0.0 with the show ip cache 172.16.0.0 255.255.0.0 flow aggregation prefix-port command:
Router# show ip cache 172.16.0.0 255.255.0.0 flow aggregation prefix-port
IP Flow Switching Cache, 278544 bytes
21 active, 4075 inactive, 105 added
33939 ager polls, 0 flow alloc failures
Active flows timeout in 5 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25736 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Src If Src Prefix Msk Dst If Dst Prefix Msk Flows Pkts
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 6 404
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 3 203
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 3 203
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 3 202
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 3 203
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 3 201
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 3 202
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 3 202
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 3 202
Et0/0.1 172.16.6.0 /24 Null 224.0.0.0 /24 2 6
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 3 203
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 3 203
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.30.0 /24 3 203
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 3 202
Et0/0.1 0.0.0.0 /0 Et1/0.1 172.16.10.0 /24 3 203
Router#
The following is a sample display of a protocol port aggregation cache with the show ip cache flow aggregation protocol-port command:
Router# show ip cache flow aggregation protocol-port
IP Flow Switching Cache, 278544 bytes
19 active, 4077 inactive, 627 added
150070 ager polls, 0 flow alloc failures
Active flows timeout in 5 minutes
Inactive flows timeout in 300 seconds
IP Sub Flow Cache, 25736 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 2 chunks added
Protocol Source Port Dest Port Flows Packets Bytes/Packet Active
0x01 0x0000 0x0000 4 270 28 242.4
0x01 0x0000 0x0000 8 541 290 244.4
0x06 0x0041 0x0041 4 271 1140 243.3
0x06 0x0041 0x0041 4 271 1140 243.4
0x11 0x00A1 0x00A1 4 271 156 243.4
0x11 0x0043 0x0043 4 271 156 243.4
0x06 0x00B3 0x00B3 4 271 1140 243.4
0x06 0x0035 0x0035 4 270 1140 242.5
0x11 0x0045 0x0045 4 271 156 243.3
0x06 0x0016 0x0015 4 270 840 242.5
0x06 0x0016 0x0015 12 810 840 244.5
0x06 0x0077 0x0077 4 271 1340 243.3
0x01 0x0000 0x0800 4 270 1500 242.5
0x06 0x0019 0x0019 4 271 168 243.4
0x06 0x0089 0x0089 4 271 296 243.4
0x11 0x0208 0x0208 3 9 72 222.1
0x06 0x00DC 0x00DC 4 271 1140 243.4
0x06 0x006E 0x006E 4 271 296 243.4
0x06 0x027C 0x027C 4 271 1240 243.4
Router#
The table below describes the significant fields shown in the output of the show ip cache flow aggregation command.
Related Commands
show ip cache verbose flow
To display a detailed summary of the NetFlow accounting statistics, use the show ip cache verbose flow command in user EXEC or privileged EXEC mode.
Command History
Usage Guidelines
Use the show ip cache verbose flow command to display flow record fields in the NetFlow cache in addition to the fields that are displayed with the show ip cache flow command. The values in the additional fields that are shown depend on the NetFlow features that are enabled and the flags that are set in the flow.
Some of the content in the display of the show ip cache verbose flow command uses multiline headings and multiline data fields. The figure below uses an example of the output from the show ip cache verbose flow command to show how to associate the headings with the correct data fields when there are two or more lines of headings and two or more lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields, and so on.
When other features such as IP Multicast are configured, the number of lines in the headings and data fields increases. The method for associating the headings with the correct data fields remains the same.
NetFlow Multicast Support
When the NetFlow Multicast Support feature is enabled, the show ip cache verbose flow command displays the number of replicated packets and the packet byte count for NetFlow multicast accounting. When you configure the NetFlow Version 9 Export Format feature, this command displays additional NetFlow fields in the header.
MPLS-aware NetFlow
When you configure the MPLS-aware NetFlow feature, you can use the show ip cache verbose flow command to display both the IP and MPLS portions of MPLS flows in the NetFlow cache on a router line card. To display the IP portion of the flow record in the NetFlow cache when MPLS-aware NetFlow is configured, use the show ip cache flow command. NetFlow accounts for locally destined MPLS to IP VPN packets and displays the destination interface as Null instead of Local for these packets.
NetFlow BGP Nexthop
The NetFlow bgp-nexthop command can be configured when either the Version 5 export format or the Version 9 export format is configured. The following caveats apply to the bgp-nexthop command:
Displaying Detailed NetFlow Cache Information on Platforms Running Distributed Cisco Express Forwarding
On platforms running distributed Cisco Express Forwarding, NetFlow cache information is maintained on each line card or Versatile Interface Processor. If you want to use the show ip cache verbose flow command to display this information on a distributed platform, you must enter the command at a line card prompt.
Cisco 7600 Series Platforms
The module number keyword and argument are supported on Distributed Forwarding Card-equipped (DFC) modules only.
Cisco 7500 Series Platform
The Cisco 7500 series platforms are not supported by Cisco IOS Release 12.4T and later. Cisco IOS Release 12.4 is the last Cisco IOS release to support the Cisco 7500 series platforms.
To display detailed NetFlow cache information on a Cisco 7500 series router that is running distributed Cisco Express Forwarding, enter the following sequence of commands:
Router# if-con slot-number
LC-slot-number# show ip cache verbose flow
For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:
Router# execute-on slot-number show ip cache verbose flow
Gigabit Switch Router (GSR)
To display detailed NetFlow cache information on a Gigabit Switch Router, enter the following sequence of commands:
Router# attach slot-number
LC-slot-number# show ip cache verbose flow
For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:
Router# execute-on slot-number show ip cache verbose flow
Examples
The following is sample output from the show ip cache verbose flow command:
Router# show ip cache verbose flow
IP packet size distribution (25229 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .206 .793 .000 .000 .000 .000 .000 .000
The preceding output shows the percentage distribution of packets by size. In this display, 20.6 percent of the packets fall in the 1024-byte size range and 79.3 percent fall in the 1536-byte range.
The next section of the output can be divided into three sections. The section and the table corresponding to each are as follows:
IP Flow Switching Cache, 278544 bytes
6 active, 4090 inactive, 17 added
505 ager polls, 0 flow alloc failures
Active flows timeout in 1 minutes
Inactive flows timeout in 10 seconds
IP Sub Flow Cache, 25736 bytes
12 active, 1012 inactive, 39 added, 17 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 1 0.0 362 940 2.7 60.2 0.0
TCP-FTP 1 0.0 362 840 2.7 60.2 0.0
TCP-FTPD 1 0.0 362 840 2.7 60.1 0.1
TCP-SMTP 1 0.0 361 1040 2.7 60.0 0.1
UDP-other 5 0.0 1 66 0.0 1.0 10.6
ICMP 2 0.0 8829 1378 135.8 60.7 0.0
Total: 11 0.0 1737 1343 147.0 33.4 4.8
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et0/0.1 10.251.138.218 Et1/0.1 172.16.10.2 06 80 00 65
0015 /0 0 0015 /0 0 0.0.0.0 840 10.8
MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)
Min plen: 840 Max plen: 840
Min TTL: 59 Max TTL: 59
IP id: 0
Et0/0.1 172.16.6.1 Et1/0.1 172.16.10.2 01 00 00 4880
0000 /0 0 0000 /0 0 0.0.0.0 1354 20.1
MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)
Min plen: 772 Max plen: 1500
Min TTL: 255 Max TTL: 255
ICMP type: 0 ICMP code: 0
IP id: 2943 FO: 185
Et2/0 192.168.137.78 Et3/0* 192.168.10.67 06 80 00 3
0041 /0 0 0041 /24 0 172.17.7.2 1140 1.8
FFlags: 01
MAC: (VLAN id) aabb.cc00.2002 (000) aabb.cc00.2201 (000)
Min TTL: 59 Max TTL: 59
IP id: 0
Et0/0.1 10.10.13.1 Et1/0.1 172.16.10.2 06 80 00 65
0017 /0 0 0017 /0 0 0.0.0.0 940 10.8
MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)
Min plen: 940 Max plen: 940
Min TTL: 59 Max TTL: 59
IP id: 0
Et2/0 10.234.53.1 Et3/0* 192.168.10.32 06 80 00 3
0016 /0 0 0015 /24 0 172.17.7.2 840 1.7
FFlags: 01
MAC: (VLAN id) aabb.cc00.2002 (000) aabb.cc00.2201 (000)
Min TTL: 59 Max TTL: 59
IP id: 0
Et0/0.1 10.106.1.1 Et1/0.1 172.16.10.2 01 00 00 1950
0000 /0 0 0000 /0 0 0.0.0.0 1354 8.6
MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)
Min plen: 772 Max plen: 1500
Min TTL: 59 Max TTL: 59
ICMP type: 0 ICMP code: 0
IP id: 13499 FO: 185
Et2/0 10.10.18.1 Et3/0* 192.168.10.162 11 80 10 4
0045 /0 0 0045 /24 0 172.17.7.2 156 2.7
FFlags: 01
MAC: (VLAN id) aabb.cc00.2002 (000) aabb.cc00.2201 (000)
Min TTL: 59 Max TTL: 59
IP id: 0
The table below describes the significant fields shown in the NetFlow cache section of the output.
The table below describes the significant fields shown in the activity by protocol section of the output.
The table below describes the significant fields in the NetFlow record section of the output.
The following example shows the NetFlow output from the show ip cache verbose flow command in which the sampler, class ID, and general flags are set. What is displayed for a flow depends on what flags are set in the flow. If the flow was captured by a sampler, the output shows the sampler ID. If the flow was marked by Modular QoS CLI (MQC), the display includes the class ID. If any general flags are set, the output includes the flags.
Router# show ip cache verbose flow
.
.
.
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
BGP: BGP NextHop
Et1/0 10.8.8.8 Et0/0* 10.9.9.9 01 00 10 3
0000 /8 302 0800 /8 300 10.3.3.3 100 0.1
BGP: 2.2.2.2 Sampler: 1 Class: 1 FFlags: 01
The table below describes the significant fields shown in the NetFlow output for a sampler, for an MQC policy class, and for general flags.
The following example shows the NetFlow output from the show ip cache verbose flow command when NetFlow BGP next-hop accounting is enabled:
Router# show ip cache verbose flow
.
.
.
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
BGP:BGP_NextHop
Et0/0/2 10.0.0.2 Et0/0/4 10.0.0.5 01 00 10 20
0000 /8 0 0800 /8 0 10.0.0.6 100 0.0
BGP:26.0.0.6
Et0/0/2 10.0.0.2 Et0/0/4 10.0.0.7 01 00 10 20
0000 /8 0 0800 /8 0 10.0.0.6 100 0.0
BGP:26.0.0.6
Et0/0/2 10.0.0.2 Et0/0/4 10.0.0.7 01 00 10 20
0000 /8 0 0000 /8 0 10.0.0.6 100 0.0
BGP:26.0.0.6
The table below describes the significant fields shown in the NetFlow BGP next-hop accounting lines of the output.
The following example shows the NetFlow output from the show ip cache verbose flow command when NetFlow multicast accounting is configured:
Router# show ip cache verbose flow
.
.
.
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
IPM:OPkts OBytes
IPM: 0 0
Et1/1/1 10.0.0.1 Null 192.168.1.1 01 55 10 100
0000 /8 0 0000 /0 0 0.0.0.0 28 0.0
IPM: 100 2800
Et1/1/1 10.0.0.1 Se2/1/1.16 192.168.1.1 01 55 10 100
0000 /8 0 0000 /0 0 0.0.0.0 28 0.0
IPM: 0 0
Et1/1/2 10.0.0.1 Et1/1/4 192.168.2.2 01 55 10 100
0000 /8 0 0000 /0 0 0.0.0.0 28 0.1
Et1/1/2 10.0.0.1 Null 192.168.2.2 01 55 10 100
0000 /8 0 0000 /0 0 0.0.0.0 28 0.1
IPM: 100 2800
The table below describes the significant fields shown in the NetFlow multicast accounting lines of the output.
The following example shows the output for both the IP and MPLS sections of the flow record in the NetFlow cache when MPLS-aware NetFlow is enabled:
Router# show ip cache verbose flow
.
.
.
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
PO3/0 10.1.1.1 PO5/1 10.2.1.1 01 00 10 9
0100 /0 0 0200 /0 0 0.0.0.0 100 0.0
Pos:Lbl-Exp-S 1:12305-6-0 (LDP/10.10.10.10) 2:12312-6-1
The table below describes the significant fields for the IP and MPLS sections of the flow record in the output.
Related Commands
show ip cache verbose flow aggregation
To display the aggregation cache configuration, use the show ip cache verbose flow aggregation command in user EXEC and privileged EXEC mode.
show ip cache [prefix mask] [interface-type interface-number] [verbose] flow aggregation {as | as-tos | bgp-nexthop-tos | destination-prefix | destination-prefix-tos | prefix | prefix-port | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos | exp-bgp-prefix}
Syntax Description
Command History
Usage Guidelines
Use the show ip cache verbose flow aggregation command to display flow record fields in the NetFlow aggregation cache in addition to the fields that are displayed with the show ip cache flow aggregation command. The values in the additional fields that are shown depend on the NetFlow features that are enabled and the flags that are set in the flow.
Some of the content in the display of the show ip cache verbose flow aggregation command uses multiline headings and multiline data fields. Figure 1 uses an example of the output from the show ip cache verbose flow to show how to associate the headings with the correct data fields when there are two or more lines of headings and two or more lines of data fields. The first line of the headings is associated with the first line of data fields. The second line of the headings is associated with the second line of data fields, and so on.
When other features such as IP Multicast are configured, the number of lines in the headings and data fields increases. The method for associating the headings with the correct data fields remains the same.
NetFlow Multicast Support
When the NetFlow Multicast Support feature is enabled, the show ip cache verbose flow command displays the number of replicated packets and the packet byte count for NetFlow multicast accounting. When you configure the NetFlow Version 9 Export Format feature, this command displays additional NetFlow fields in the header.
MPLS-aware NetFlow
When you configure the MPLS-aware NetFlow feature, you can use the show ip cache verbose flow command to display both the IP and MPLS portions of MPLS flows in the NetFlow cache on a router line card. To display only the IP portion of the flow record in the NetFlow cache when MPLS-aware NetFlow is configured, use the show ip cache flow command.
NetFlow BGP Nexthop
The NetFlow bgp-nexthop command can be configured when either the Version 5 export format or the Version 9 export format is configured. The following caveats apply to the bgp-nexthop command:
Displaying Detailed NetFlow Cache Information on Platforms Running Distributed Cisco Express Forwarding
On platforms running distributed Cisco Express Forwarding, NetFlow cache information is maintained on each line card or Versatile Interface Processor. If you want to use the show ip cache verbose flow command to display this information on a distributed platform, you must enter the command at a line card prompt.
Cisco 7600 Series Platforms
The module num keyword and argument are supported on DFC-equipped modules only.
Cisco 7500 Series Platform
The Cisco 7500 series platforms are not supported by Cisco IOS Release 12.4T and later. Cisco IOS Release 12.4 is the last Cisco IOS release to support the Cisco 7500 series platforms.
To display detailed NetFlow cache information on a Cisco 7500 series router that is running distributed Cisco Express Forwarding, enter the following sequence of commands:
Router# if-con slot-number
LC-slot-number# show ip cache verbose flow
For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:
Router# execute-on slot-number show ip cache verbose flow
Cisco 12000 Series Platform
To display detailed NetFlow cache information on a Cisco 12000 Series Internet Router, enter the following sequence of commands:
Router# attach slot-number
LC-slot-number# show ip cache verbose flow
For Cisco IOS Releases 12.3(4)T, 12.3(6), and 12.2(20)S and later, enter the following command to display detailed NetFlow cache information:
Router# execute-on slot-number show ip cache verbose flow
Examples
The following is a sample display of a prefix port aggregation cache with the show ip cache verbose flow aggregation prefix-port command:
Router# show ip cache verbose flow aggregation prefix-port
IP Flow Switching Cache, 278544 bytes
20 active, 4076 inactive, 377 added
98254 ager polls, 0 flow alloc failures
Active flows timeout in 5 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25736 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Src If Src Prefix Dst If Dst Prefix TOS Flows Pkts
Port Msk Port Msk Pr B/Pk Active
Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 2 136
0016 /0 0015 /24 06 840 62.2
Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 68
00B3 /0 00B3 /24 06 1140 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 68
0043 /0 0043 /24 11 156 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 00 1 68
0000 /0 0000 /24 01 28 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 1 68
0035 /0 0035 /24 06 1140 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 68
0041 /0 0041 /24 06 1140 60.3
Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 68
006E /0 006E /24 06 296 60.3
FFlags: 01
Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 68
0016 /0 0015 /24 06 840 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 00 1 68
0000 /0 0000 /24 01 554 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 1 68
00A1 /0 00A1 /24 11 156 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 1 67
00DC /0 00DC /24 06 1140 59.4
Et2/0 0.0.0.0 Et3/0 192.168.10.0 00 1 68
0000 /0 0000 /24 01 28 60.2
FFlags: 01
Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 67
0041 /0 0041 /24 06 1140 59.4
FFlags: 01
Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 68
0019 /0 0019 /24 06 168 60.3
Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 68
0016 /0 0015 /24 06 840 60.3
FFlags: 01
Et0/0.1 0.0.0.0 Et1/0.1 172.16.30.0 80 1 67
027C /0 027C /24 06 1240 59.4
Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 68
0077 /0 0077 /24 06 1340 60.2
FFlags: 01
Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 00 1 68
0000 /0 0800 /24 01 1500 60.3
Et0/0.1 0.0.0.0 Et1/0.1 172.16.10.0 80 1 68
0089 /0 0089 /24 06 296 60.3
Et2/0 0.0.0.0 Et3/0 192.168.10.0 80 1 68
0045 /0 0045 /24 11 156 60.2
FFlags: 01
Router#
The table below describes the significant fields shown in the output of the show ip cache verbose flow aggregation prefix-port command.
The following is a sample display of an exp-bgp-prefix aggregation cache with the show ip cache verbose flow aggregation exp-bgp-prefix command:
Router# show ip cache verbose flow aggregation exp-bgp-prefix
IP Flow Switching Cache, 278544 bytes
1 active, 4095 inactive, 4 added
97 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 17032 bytes
1 active, 1023 inactive, 4 added, 4 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Src If BGP Nexthop Label MPLS EXP Flows Pkts B/Pk Active
Gi4/0/0.102 10.40.40.40 0 0 1 5 100 0.0
The table below describes the significant fields shown in the output of the show ip cache verbose flow aggregation exp-bgp-prefix command.
Related Commands
show ip flow export
To display the status and the statistics for NetFlow accounting data export, including the main cache and all other enabled caches, use the show ip flow export command in user EXEC or privileged EXEC mode.
Syntax Description
Command History
Examples
The following is sample output from the show ip flow export command with NetFlow export over User Datagram Protocol (UDP) (the default NetFlow export transport protocol) configured on the networking device:
Router# show ip flow export
Flow export v9 is enabled for main cache
Exporting flows to 172.17.10.2 (100)
Exporting using source interface Loopback0
Version 9 flow records, origin-as bgp-nexthop
Cache for as aggregation v9
62 flows exported in 17 udp datagrams
0 flows failed due to lack of export packet
8 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
0 export packets were dropped due to output drops
The following is sample output from the show ip flow export command with NetFlow export over UDP and NetFlow SCTP export destinations configured:
Router# show ip flow export
Flow export v9 is enabled for main cache
Exporting flows to 172.17.10.2 (100)
Exporting flows to 172.16.45.57 (100) via SCTP
Exporting using source interface Loopback0
Version 9 flow records, origin-as bgp-nexthop
Cache for as aggregation v9
Exporting flows to 192.168.247.198 (200) via SCTP
Exporting using source IP address 172.16.254.254
479 flows exported in 318 udp datagrams
467 flows exported in 315 sctp messages
0 flows failed due to lack of export packet
159 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
The table below describes the significant fields shown in the display of the show ip flow export command.
The following is sample output from the show ip flow export sctp command with NetFlow SCTP export primary and backup SCTP export destinations configured for the NetFlow main cache and the NetFlow destination-prefix aggregation cache. The primary SCTP export destinations are active:
Router# show ip flow export sctp
IPv4 main cache exporting to 172.16.45.57, port 100, none
status: connected
backup mode: fail-over
912 flows exported in 619 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 25 seconds
backup: 192.168.247.198, port 200
status: not connected
fail-overs: 2
9 flows exported in 3 sctp messages.
0 packets dropped due to lack of SCTP resources
destination-prefix cache exporting to 172.16.12.200, port 100, full
status: connected
backup mode: redundant
682 flows exported in 611 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 25 seconds
backup: 192.168.247.198, port 200
status: connected
fail-overs: 8
2 flows exported in 2 sctp messages.
0 packets dropped due to lack of SCTP resources
The following is sample output from the show ip flow export sctp command with NetFlow SCTP export primary and backup SCTP export destinations configured for the NetFlow main cache and the NetFlow destination-prefix aggregation cache. The backup SCTP export destinations are active because the primary SCTP export destinations are unavailable.
Router# show ip flow export sctp
IPv4 main cache exporting to 172.16.45.57, port 100, none
status: fail-over
backup mode: fail-over
922 flows exported in 625 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 25 seconds
backup: 192.168.247.198, port 200
status: connected, active for 00:00:24
fail-overs: 3
11 flows exported in 4 sctp messages.
0 packets dropped due to lack of SCTP resources
destination-prefix cache exporting to 172.16.12.200, port 100, full
status: fail-over
backup mode: redundant
688 flows exported in 617 sctp messages.
0 packets dropped due to lack of SCTP resources
fail-over time: 25 milli-seconds
restore time: 25 seconds
backup: 192.168.247.198, port 200
status: connected, active for 00:00:00
fail-overs: 13
2 flows exported in 2 sctp messages.
0 packets dropped due to lack of SCTP resources
Router#
The table below describes the significant fields shown in the display of the show ip flow export sctp and the show ip flow export sctp verbose commands.
The following is sample output from the show ip flow export template command:
Router# show ip flow export template
Template Options Flag = 1
Total number of Templates added = 4
Total active Templates = 4
Flow Templates active = 3
Flow Templates added = 3
Option Templates active = 1
Option Templates added = 1
Template ager polls = 2344
Option Template ager polls = 34
Main cache version 9 export is enabled
Template export information
Template timeout = 30
Template refresh rate = 20
Option export information
Option timeout = 800
Option refresh rate = 300
Aggregation cache destination-prefix version 9 export is enabled
Template export information
Template timeout = 30
Template refresh rate = 20
Option export information
Option timeout = 30
Option refresh rate = 20
The table below describes the significant fields shown in the display of the show ip flow export template command.
The following example displays the additional line in the show ip flow export command output when the verbose keyword is specified and MPLS PAL records are being exported to a NetFlow collector:
Router# show ip flow export verbose
Flow export v9 is enabled for main cache
Exporting flows to 10.23.0.5 (4200)
Exporting using source IP address 10.2.72.35
Version 9 flow records, origin-as bgp-nexthop
Cache for destination-prefix aggregation:
Exporting flows to 10.2.0.1 (4200)
Exporting using source IP address 10.2.72.35
182128 MPLS PAL records exported
189305 flows exported in 6823 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
swat72f3#
The line of output added for the MPLS PAL records precedes the "x flows exported in y UDP datagrams" line. In this example, the additional line of output precedes "189305 flows exported in 6823 UDP datagrams."
The following example shows the sample output of the show ip flow export nbar command:
Router# show ip flow export nbar
Nbar netflow is enabled
10 nbar flows exported
0 nbar flows failed to export due to lack of internal buffers
Related Commands
show ip flow top-talkers
To display the statistics for the NetFlow aggregated top talkers or unaggregated top flows, use the show ip flow top-talkers command in user EXEC or privileged EXEC mode.
Cisco IOS Releases 12.4(9)T and Newer
{show ip flow top-talkers [verbose] | [number [from-cache main] aggregate aggregate-field [sorted-by {aggregate | bytes | flows | packets} [ascending | descending]] [match match-field match-value]]}
Cisco IOS Releases 12.4(4)T and 12.4(6)
show ip flow top number [from-cache main] aggregate aggregate-field [sorted-by {aggregate | bytes | flows | packets} [ascending | descending]] [match match-field match-value]
show ip flow top-talkers [verbose]
Cisco IOS Releases Prior to 12.4(4)T
show ip flow top-talkers [verbose]
Syntax Description
Command Default
The show ip flow top-talkers number command string displays output in descending order based on the value in the sorted-by field. The show ip flow top-talkers number command string displays data from the main NetFlow cache.
Command History
Usage Guidelines
You must have NetFlow configured before you can use the show ip flow top-talkers command.
The show ip flow top-talkers command can be used to display statistics for unaggregated top flows or aggregated top talkers. Prior to Cisco IOS release 12.4(9)T the show ip flow top-talkers command could only be used to display statistics for unaggregated top flows. In Cisco IOS release 12.4(9)T and newer releases, the show ip flow top-talkers command can be used to display statistics for both unaggregated top flows and aggregated top talkers. Refer to the following sections for more information on using either of these methods:
Unaggregated Top Flows--All Cisco IOS Releases Prior to 12.4(9)T
When you use the show ip flow top-talkers command in releases prior to Cisco IOS release 12.4(9)T, the display output shows only separate (unaggregated) statistics for the number of top flows that you specified with the top command.
This method of viewing flow statistics is useful for identifying the unique flows that are responsible for the highest traffic utilization in your network. For example, if you have a centralized WEB server farm and you want to see statistics for the top 50 flows between your servers and your users regardless of the network protocol or application in use, you can configure top 50 and use the show ip flow top-talkers verbose command to view the statistics from the 50 top flows.
Displaying information on individual top flows will not provide you with a true map of your network utilization when the highest volume application or protocol traffic on your network is being generated by a large number of users who are sending small amounts of traffic. For example, if you configure top 10 and there are ten or more users generating more FTP traffic than any other type of traffic in your network, you will see the FTP traffic as the top flows even though there might be 10,000 users using HTTP to access web sites at much lower individual levels of network utilization that account for a much larger aggregated traffic volume. In this situation you need to aggregate the traffic patterns across flows using the show ip flow top-talkers [number] command string.
The timeout period as specified by the cache-timeout command does not start until the show ip flow top-talkers command is entered. From that time, the same top talkers are displayed until the timeout period expires. To recalculate a new list of top talkers before the timeout period expires, you can change the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkers command.
A long timeout period for the cache-timeout command limits the system resources that are used by the NetFlow MIB and Top Talkers feature. However, the list of top talkers is calculated only once during the timeout period. If a request to display the top talkers is made more than once during the timeout period, the same results are displayed for each request, and the list of top talkers is not recalculated until the timeout period expires.
A short timeout period ensures that the latest list of top talkers is retrieved; however too short a period can have undesired effects:
A good method to ensure that the latest information is displayed, while also conserving system resources, is to configure a large value for the timeout period, but cause the list of top talkers to be recalculated by changing the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkers command to display the top talkers. Changing the parameters of the cache-timeout, top, or sort-by command causes the list of top talkers to be recalculated upon receipt of the next command line interface (CLI) or MIB request.
Aggregated Top Talkers--Cisco IOS Releases 12.4(9)T and Newer
The show ip flow top command was merged with the show ip flow top-talkers command in Cisco IOS release 12.4(9)T. The two commands were merged to make it easier for you to display cache information on either unaggregated top flows, or aggregated top talkers, using the same root command. The CLI help for the show ip flow top-talkers command was modified to help you differentiate between the two command formats.
Router# show ip flow top-talkers ?
Display aggregated top talkers:
<1-100> Number of aggregated top talkers to show
Display unaggregated top flows:
verbose Display extra information about unaggregated top flows
| Output modifiers
<cr>
Router#
When you use the show ip flow top-talkers [number] command the display output will consist of aggregated statistics from the flows (aggregated top talkers) for the number of top talkers that you specified with the number argument. Unlike the show ip flow top-talkers [verbose] command, the show ip flow top-talkers [number] command string does not require:
The arguments that are available with the show ip flow top-talkers [number] command enable you to quickly modify the criteria to be used for generating the display output. Refer to the configuration documentation for the "NetFlow Dynamic Top Talkers CLI" feature, which is included in the Cisco IOS Release 12.4(4)T module "Detecting and Analyzing Network Threats With NetFlow", for additional information on using the show ip flow top-talkers [number] command string.
For additional usage guidelines on displaying statistics for aggregated top talkers using the show ip flow top-talkers [number] command string, see the following sections:
Top Traffic Flows
Using the show ip flow top-talkers command to display the aggregated statistics from the flows on a router for the highest volume applications and protocols in your network helps you identify and classify security problems such as denial of service (DoS) attacks, because DoS attack traffic almost always shows up as one of the highest volume protocols in your network when a DoS attack is in progress. Displaying the aggregated statistics from the flows on a router is also useful for traffic engineering, diagnostics and troubleshooting.
Data Displayed by the show ip flow top command
The data in the display output from the show ip flow top-talkers command is not flow centric. You cannot identify individual flows with the show ip flow top-talkers command. For example, when you use the show ip flow top-talkers 5 aggregate destination-address command:
Top Talkers Display Output With Aggregation Only
If you do not use any of the optional parameters the show ip flow top-talkers command displays the aggregated statistics from the flows on the router for the aggregation field that you enter. For example, to aggregate the flows based on the destination IP addresses, and display the top five destination IP addresses, you use the show ip flow top-talkers 5 aggregate destination-address command.
Top Talkers Display Output With Aggregation and Match Criteria
You can limit the display output by adding an optional match criterion. For example, to aggregate the statistics from the flows based on the destination IP addresses, and display the top five destination IP addresses that contain TCP traffic, you use the show ip flow top-talkers 5 aggregate destination-address match protocol tcp command.
Top Talkers Display Output in Ascending Order With Aggregation and Match Criteria
You can change the default sort order of the display output by using the sorted-by keyword. For example, to aggregate the statistics from the flows based on the destination IP addresses, and display the top five destination IP addresses that contain TCP traffic sorted on the aggregated field in ascending order, you use the show ip flow top-talkers 5 aggregate destination-address sorted-by aggregate ascending match protocol tcp command.
Aggregate-field and Match-field Match-value Keywords, Arguments, and Descriptions
The table below shows the keywords and descriptions for the aggregate-field argument of the show ip flow top-talkers number aggregate aggregate-field command. You must enter one of the keywords from this table.
The table below shows the keywords, arguments, and descriptions for the match-field match-value arguments for the show ip flow top-talkers number aggregate aggregate-field match match-field match-value command. These keywords are all optional.
Many of the values shown in the display output of the show ip cache verbose flow command are in hexadecimal. If you want to match these values using the show ip flow top-talkers command with the match keyword, you must enter the field value that you want to match in hexadecimal. For example, to match on the destination port of 0x00DC in the following excerpt from the show ip cache verbose flow command, you would use the match destination-port 0x00DC keywords and argument for the show ip flow top-talkers command.
R3# show ip cache verbose flow
.
.
.
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et0/0.1 10.10.11.4 Et1/0.1 172.16.10.8 06 00 00 209
0023 /0 0 00DC /0 0 0.0.0.0 40 281.4
.
.
.
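The two-line heading association and the hexadecimal fields described here can be handled mechanically when this output is collected for analysis. The following Python parser is an added example, not Cisco code: the dictionary field names are this example's own, and the sample lines are copied from outputs shown on this page. It handles the base two-line record plus the optional "Label: value" lines that follow it.

```python
import re

IP = r"\d+\.\d+\.\d+\.\d+"
H2, H4 = r"[0-9A-Fa-f]{2}", r"[0-9A-Fa-f]{4}"
# Heading line 1: SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
LINE1 = re.compile(rf"^(\S+)\s+({IP})\s+(\S+)\s+({IP})\s+({H2})\s+({H2})\s+({H2})\s+(\d+)$")
# Heading line 2: Port Msk AS Port Msk AS NextHop B/Pk Active
LINE2 = re.compile(rf"^({H4})\s+/(\d+)\s+(\d+)\s+({H4})\s+/(\d+)\s+(\d+)\s+({IP})\s+(\d+)\s+([\d.]+)$")
PAIR = re.compile(r"([A-Z][A-Za-z ]*?):\s*(\S+)")      # e.g. "Min TTL: 59 Max TTL: 59"
MAC = re.compile(r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}")   # e.g. aaaa.bbbb.cc03


def parse_verbose_flows(text):
    """Return one dict per flow record found in 'show ip cache verbose flow' output.

    Pr, TOS, Flgs and the ports are decoded from hexadecimal. Abbreviated
    packet counters (a trailing K or M) are not handled by this sketch.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    flows, i = [], 0
    while i < len(lines):
        m1 = LINE1.match(lines[i])
        if not m1:
            # Banner or heading line, or an extra line of the previous record.
            if flows:
                if lines[i].startswith("MAC:"):
                    flows[-1]["extra"]["MAC"] = MAC.findall(lines[i])
                else:
                    flows[-1]["extra"].update(PAIR.findall(lines[i]))
            i += 1
            continue
        # The second data line always pairs with the second heading line.
        m2 = LINE2.match(lines[i + 1]) if i + 1 < len(lines) else None
        if not m2:
            raise ValueError(f"record at line {i + 1} has no second data line")
        a, b = m1.groups(), m2.groups()
        flows.append({
            "src_if": a[0], "src_ip": a[1],
            "dst_if": a[2], "dst_ip": a[3],      # dst_if kept verbatim, '*' included
            "proto": int(a[4], 16), "tos": int(a[5], 16),
            "flgs": int(a[6], 16), "pkts": int(a[7]),
            "src_port": int(b[0], 16), "src_mask": int(b[1]), "src_as": int(b[2]),
            "dst_port": int(b[3], 16), "dst_mask": int(b[4]), "dst_as": int(b[5]),
            "next_hop": b[6], "bytes_per_pkt": int(b[7]), "active_s": float(b[8]),
            "extra": {},
        })
        i += 2
    return flows


def match_clause(field, value):
    """Format a decoded port back into the hexadecimal form the match keyword needs."""
    return f"match {field} 0x{value:04X}"


# Sample lines copied from the outputs shown on this page.
SAMPLE = """
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et0/0.1 10.10.11.4 Et1/0.1 172.16.10.8 06 00 00 209
0023 /0 0 00DC /0 0 0.0.0.0 40 281.4
Et0/0.1 172.16.6.1 Et1/0.1 172.16.10.2 01 00 00 4880
0000 /0 0 0000 /0 0 0.0.0.0 1354 20.1
MAC: (VLAN id) aaaa.bbbb.cc03 (005) aaaa.bbbb.cc06 (006)
Min plen: 772 Max plen: 1500
Min TTL: 255 Max TTL: 255
ICMP type: 0 ICMP code: 0
IP id: 2943 FO: 185
Et2/0 10.10.18.1 Et3/0* 192.168.10.162 11 80 10 4
0045 /0 0 0045 /24 0 172.17.7.2 156 2.7
FFlags: 01
"""

if __name__ == "__main__":
    for flow in parse_verbose_flows(SAMPLE):
        print(flow["src_ip"], "->", flow["dst_ip"], "proto", flow["proto"],
              match_clause("destination-port", flow["dst_port"]))
```
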
The Order That Aggregation Occurs in
With the exception of the flows keyword in the table above, all matches made with the match-field match-value arguments are performed prior to aggregation, and only matching flows are aggregated. For example, the show ip flow top-talkers 5 aggregate destination-address match destination-prefix 172.16.0.0/16 command analyzes all of the available flows looking for any flows that have destination addresses that match the destination-prefix value of 172.16.0.0/16. If it finds any matches it aggregates them, and then displays the number of aggregated destination-address flows that is equal to the number of top talkers that were requested in the command, in this case five.
The flows keyword matches the number of aggregated flows post-aggregation. For example, the show ip flow top 2 aggregate destination-address match flows 6 command aggregates all of the flows on the values in their destination IP address field, and then displays the top talkers that have 6 aggregated flows.
Number of Flows Matched
If you do not specify match criteria and there are flows in the cache that include the field that you used to aggregate the flows on, all of the flows will match. For example, if your router has 20 flows with IP traffic and you enter the show ip flow top-talkers 10 aggregate destination-address command the display will indicate that 20 of 20 flows matched, and the 10 top talkers will be displayed.
If you use the match keyword to limit the flows that are aggregated to the flows with a destination prefix of 224.0.0.0/3, and only one flow matches this criterion the output will indicate that one out of 20 flows matched. For example, if your router has 20 flows with IP traffic, but only one of them has a destination prefix of 224.0.0.0/3, and you enter the show ip flow top-talkers 10 aggregate destination-address match destination-prefix 224.0.0.0/3 command, the display will indicate that 1 of 20 flows matched.
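The ordering described above (per-flow match criteria first, then aggregation, then the flows criterion) is modelled offline in the following added Python sketch, which is not Cisco code. It also reproduces the earlier FTP-versus-HTTP point about unaggregated top flows hiding the largest aggregate. The dictionary keys reuse the IOS keyword names, the flow values are constructed, and two choices are assumptions of this sketch: the default sort field, and counting N in "N of M flows matched" as the flows that pass the pre-aggregation match.

```python
import ipaddress
from collections import defaultdict


def top_flows(flows, number, sort_by="bytes"):
    """Unaggregated view: the individual flows with the highest counter."""
    return sorted(flows, key=lambda f: f[sort_by], reverse=True)[:number]


def top_talkers(flows, number, aggregate, sorted_by="bytes", descending=True,
                match=None, match_flows=None):
    """Offline model of 'show ip flow top-talkers <number> aggregate <field>'.

    match:       dict of field -> value checked on each flow BEFORE aggregation;
                 a '*-prefix' key is compared against the '*-address' field.
    match_flows: flow count checked AFTER aggregation (the 'flows' keyword).
    Returns (rows, matched, seen); each row is (key, bytes, pkts, flows).
    sorted_by defaults to bytes here, which is an assumption of this sketch.
    """
    def passes(flow):
        for field, want in (match or {}).items():
            if field.endswith("-prefix"):
                addr = flow[field[:-len("prefix")] + "address"]
                if ipaddress.ip_address(addr) not in ipaddress.ip_network(want):
                    return False
            elif flow.get(field) != want:
                return False
        return True

    totals = defaultdict(lambda: {"bytes": 0, "pkts": 0, "flows": 0})
    matched = 0
    for flow in flows:
        # Flows lacking the aggregation field, or failing a match, are never aggregated.
        if aggregate not in flow or not passes(flow):
            continue
        matched += 1
        bucket = totals[flow[aggregate]]
        bucket["bytes"] += flow["bytes"]
        bucket["pkts"] += flow["pkts"]
        bucket["flows"] += 1
    rows = [(key, v["bytes"], v["pkts"], v["flows"]) for key, v in totals.items()
            if match_flows is None or v["flows"] == match_flows]
    column = {"aggregate": 0, "bytes": 1, "packets": 2, "flows": 3}[sorted_by]
    rows.sort(key=lambda row: row[column], reverse=descending)
    # Fewer rows than requested simply yields the rows that exist.
    return rows[:number], matched, len(flows)


def flow_rec(src, dst, proto, dport, pkts, nbytes):
    return {"source-address": src, "destination-address": dst, "protocol": proto,
            "destination-port": dport, "pkts": pkts, "bytes": nbytes}


# Constructed sample: two heavy FTP flows, thirty light HTTP flows, one UDP flow.
FLOWS = [flow_rec("10.1.0.1", "172.16.10.2", 6, 21, 400, 500_000),
         flow_rec("10.1.0.2", "172.16.10.2", 6, 21, 380, 450_000)]
FLOWS += [flow_rec(f"10.2.0.{i}", "172.16.30.5", 6, 80, 60, 40_000)
          for i in range(1, 31)]
FLOWS += [flow_rec("10.3.0.9", "192.168.10.67", 17, 69, 4, 624)]

if __name__ == "__main__":
    print("top 2 flows, destination ports:",
          [f["destination-port"] for f in top_flows(FLOWS, 2)])
    rows, n, m = top_talkers(FLOWS, 5, "destination-address",
                             match={"destination-prefix": "172.16.0.0/16"})
    for row in rows:
        print(*row)
    print(f"{n} of {m} flows matched.")
```
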
If the total number of top talkers is less than the number of top talkers that were requested in the command, the available number of top talkers is displayed. For example, if you enter a value of five for the number of top talkers to display and there are only three top talkers that match the criteria that you used, the display will only include three top talkers.
When a match criterion is included with the show ip flow top-talkers command, the display output will indicate "N of M flows matched" where N is the number of matched flows, M is the total number of flows seen, and N is less than or equal to M. The numbers of flows seen could potentially be more than the total number of flows in the cache if some of the analyzed flows were expired from the cache and new flows were created, as the top talkers feature scans through the cache. Therefore, M is NOT the total number of flows in the cache, but rather, the number of flows observed in the cache by the top talkers feature.
If you attempt to display the top talkers by aggregating them on a field that is not in the cache you will see the "% aggregation-field is not available for this cache" message. For example, if you use the show ip flow top 5 aggregate source-vlan command, and you have not enabled the capture of VLAN IDs from the flows, you will see the "% VLAN id is not available for this cache" message.
TCP-Flags
If you want to use the tcp-flags flag match criteria you must enter the hexadecimal values for the type of TCP flag that you want to match. The TCP flags as used in the tcp-flags flag match criteria are provided in the table below.
For more information on TCP and TCP flags, refer to RFC 3168 at the following URL: http://www.ietf.org/rfc/rfc3168.txt.
Examples
The show ip flow top-talkers command can be used to display information for unaggregated top flows or aggregated top talkers. Refer to the following sections for examples on using either of these methods:
Examples for Unaggregated Top Flows--All Cisco IOS releases that Support the NetFlow MIB and Top Talkers Feature
The following example shows the output of the show ip flow top-talkers command. In the example, the NetFlow MIB and Top Talkers feature has been configured to allow a maximum of five top talkers to be viewed. The display output is configured to be sorted by the total number of bytes in each top talker, and the list of top talkers is configured to be retained for 2 seconds (2000 milliseconds).
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 5
Router(config-flow-top-talkers)# sort-by bytes
Router(config-flow-top-talkers)# cache-timeout 2000
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 144K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 144K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 135K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 125K
Et0/0.1 10.92.231.235 Et1/0.1 172.16.10.2 06 0041 0041 115K
5 of 5 top talkers shown. 11 flows processed
The table below describes the significant fields shown in the display.
The table below shows messages that could be received in response to the show ip flow top-talkers command and their explanations.
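The following is an added example, not part of the Cisco documentation: a Python parser for the unaggregated display above that decodes the Pr, SrcP and DstP columns as hexadecimal (which matches sample values such as 00A1) and groups the top flows by destination. The function names and the embedded sample, which reuses the rows shown above, are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the rows of the example display above.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Et0/0.1       10.10.18.1      Et1/0.1       172.16.10.232   11 00A1 00A1   144K
Et0/0.1       10.10.19.1      Et1/0.1       172.16.10.2     11 00A2 00A2   144K
Et0/0.1       172.30.216.196  Et1/0.1       172.16.10.2     06 0077 0077   135K
Et0/0.1       10.162.37.71    Et1/0.1       172.16.10.2     06 0050 0050   125K
Et0/0.1       10.92.231.235   Et1/0.1       172.16.10.2     06 0041 0041   115K
5 of 5 top talkers shown. 11 flows processed
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One flow row: interfaces, addresses, then three hexadecimal columns.
ROW = re.compile(
    rf"^(\S+)\s+({IPV4})\s+(\S+)\s+({IPV4})\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\S+)$"
)
FOOTER = re.compile(r"^(\d+) of (\d+) top talkers shown\.\s*(\d+) flows processed")


def parse_top_talkers(text):
    """Return (rows, summary, skipped) for 'show ip flow top-talkers' output."""
    rows, summary, skipped = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("SrcIf"):
            continue  # blank line or column header
        m = FOOTER.match(line)
        if m:
            keys = ("shown", "of", "flows_processed")
            summary = dict(zip(keys, map(int, m.groups())))
            continue
        m = ROW.match(line)
        if not m:
            skipped.append(line)  # keep unparsed lines visible to the caller
            continue
        src_if, src, dst_if, dst, pr, sp, dp, nbytes = m.groups()
        proto = int(pr, 16)  # "11" is 17 (UDP), not eleven
        rows.append({
            "src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
            "proto": proto,
            "proto_name": PROTO_NAMES.get(proto, str(proto)),
            "src_port": int(sp, 16),  # "00A1" is 161
            "dst_port": int(dp, 16),
            "bytes": nbytes,  # kept as displayed, for example "144K"
        })
    return rows, summary, skipped


def fan_in(rows):
    """Map each destination address to the set of sources sending to it."""
    sources = defaultdict(set)
    for row in rows:
        sources[row["dst"]].add(row["src"])
    return dict(sources)


if __name__ == "__main__":
    flows, footer, _ = parse_top_talkers(SAMPLE)
    for f in flows:
        print(f["src"], "->", f["dst"], f["proto_name"], f["dst_port"], f["bytes"])
    print(footer, {d: len(s) for d, s in fan_in(flows).items()})
```

Reading the hexadecimal columns as decimal would misreport the first row as protocol 11 instead of UDP (17) on port 161.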
Examples for Aggregated Top Talkers--All Cisco IOS releases that Support the NetFlow Dynamic Top Talkers CLI Feature
The following example looks for up to 10 top talkers, aggregates them on the protocol type, sorts them by the number of packets in the flows, and displays the output in descending order:
Router# show ip flow top-talkers 10 aggregate protocol sorted-by packets descending
There are 3 top talkers:
IPV4 PROT bytes pkts flows
========= ========== ========== ==========
1 2009729203 1455464 11
6 33209300 30690 19
17 92 1 1
31 of 31 flows matched.
Things to note in this display output:
The table below describes the significant fields shown in the display.
2 IPV4 is shown in upper-case (capital) letters because it is the field that the display is aggregated on. In this example this is the keyword protocol in the show ip flow top-talkers 10 aggregate protocol sorted-by packets descending command.
The following example looks for up to five top talkers, aggregates them on the source IP address, sorts them in descending order by the numbers of packets, matches on the ICMP type value of 8, and displays the output in descending order:
Router# show ip flow top-talkers 5 aggregate source-address sorted-by packets descending match icmp-type 8
There are 3 top talkers:
IPV4 SRC-ADDR bytes pkts flows
=============== ========== ========== ==========
192.168.87.200 23679120 16501 1
10.234.53.1 18849000 12566 1
172.30.231.193 12094620 8778 1
3 of 29 flows matched.
The following example looks for up to five top talkers, aggregates them on the destination IP address, sorts them in descending order by the numbers of packets, matches on the ICMP type value of 8, and displays the output in descending order:
Router# show ip flow top-talkers 5 aggregate destination-address sorted-by packets descending match icmp-type 8
There are 2 top talkers:
IPV4 DST-ADDR bytes pkts flows
=============== ========== ========== ==========
172.16.1.2 32104500 21403 2
172.16.10.2 2128620 2134 1
3 of 32 flows matched.
The table below describes the significant fields shown in the display.
3 IPV4 SRC-ADDR is shown in upper-case (capital) letters because it is the field that the display is aggregated on. In this example this is the keyword source-address in the show ip flow top-talkers 5 aggregate source-address sorted-by packets descending match icmp-type 8 command. 4 IPV4 DST-ADDR is shown in upper-case (capital) letters because it is the field that the display is aggregated on. In this example this is the keyword destination-address in the show ip flow top-talkers 5 aggregate destination-address sorted-by packets descending match icmp-type 8 command.
The following example looks for up to five top talkers, aggregates them on the source IP address, sorts them in descending order by the number of bytes in the flow, matches on the port range of 20 to 21 (FTP Data and control ports, respectively), and displays the output in descending order:
Router# show ip flow top-talkers 5 aggregate source-address sorted-by bytes descending match destination-port min 20 max 21
There are 5 top talkers:
IPV4 SRC-ADDR bytes pkts flows
=============== ========== ========== ==========
10.231.185.254 920 23 2
10.10.12.1 480 12 2
10.251.138.218 400 10 2
10.132.221.111 400 10 2
10.71.200.138 280 7 1
9 of 34 flows matched.
The table below describes the significant fields shown in the display.
The following example looks for up to five top talkers, aggregates them on the source IP address, sorts them in descending order by the aggregated field (source IP address), and displays the output in descending order:
Router# show ip flow top-talkers 5 aggregate source-address sorted-by aggregate descending
There are 5 top talkers:
IPV4 SRC-ADDR bytes pkts flows
=============== ========== ========== ==========
172.16.1.85 97360 2434 2
172.16.1.84 97320 2433 2
10.251.138.218 34048 1216 1
10.231.185.254 34048 1216 1
10.132.221.111 34076 1217 1
7 of 18 flows matched.
The table below describes the significant fields shown in the display.
Related Commands
show mls ip non-static
To display information for the software-installed nonstatic entries, use the show mls ip non-static command in user EXEC or privileged EXEC mode.
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
Examples
This section contains examples from the show mls ip non-static command. The fields shown in the display are self-explanatory.
This example shows how to display the software-installed nonstatic entries:
Router> show mls ip non-static
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
Router>
This example shows how to display detailed information for the software-installed nonstatic entries:
Router> show mls ip non-static detail
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
QoS Police Count Threshold Leak Drop Bucket Use-Tbl Use-Enable
-----------+------------+---------+-----------+----+-------+-------+----------+
Router>
This example shows how to display the total number of software-installed nonstatic entries:
Router> show mls ip non-static count
Displaying Netflow entries in Supervisor Earl
Number of shortcuts = 0
Router>
show mls ip routes
To display the NetFlow routing entries, use the show mls ip routes command in user EXEC or privileged EXEC mode.
show mls ip routes [non-static | static] [count [module number] | detail [module number] | module number]
Syntax Description
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
Examples
This section contains examples of the show mls ip routes non-static command. The fields shown in the display are self-explanatory.
This example shows how to display the software-installed nonstatic routing entries:
Router> show mls ip routes non-static
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
Router>
This example shows how to display detailed information for the software-installed nonstatic routing entries:
Router> show mls ip routes non-static detail
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
QoS Police Count Threshold Leak Drop Bucket Use-Tbl Use-Enable
-----------+------------+---------+-----------+----+-------+-------+----------+
Router>
This example shows how to display the total number of software-installed routing entries:
Router> show mls ip routes count
Displaying Netflow entries in Supervisor Earl
Number of shortcuts = 0
Router>
show mls ip static
To display the information for the software-installed static IP entries, use the show mls ip static command in user EXEC or privileged EXEC mode.
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
Examples
This section contains examples from the show mls ip static command. The fields shown in the display are self-explanatory.
This example shows how to display the software-installed static entries:
Router> show mls ip static
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
Router>
This example shows how to display detailed information for the software-installed static entries:
Router> show mls ip static detail
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
QoS Police Count Threshold Leak Drop Bucket Use-Tbl Use-Enable
-----------+------------+---------+-----------+----+-------+-------+----------+
Router>
This example shows how to display the total number of software-installed static entries:
Router> show mls ip static count
Displaying Netflow entries in Supervisor Earl
Number of shortcuts = 0
Router>
show mls nde
To display information about the NetFlow Data Export (NDE) hardware-switched flow, use the show mls nde command in user EXEC or privileged EXEC mode.
Command History
Usage Guidelines
The output for Cisco 7600 series routers that are configured with a Supervisor Engine 720 includes the current NDE mode.
Supervisor Engine 2 Examples
This example shows the output from Cisco 7600 series routers that are configured with a Supervisor Engine 2.
This example shows how to display information about the NDE status on a Cisco 7600 series router that is configured with a Supervisor Engine 2:
Router# show mls nde
Netflow Data Export is Enabled
Router#
Supervisor Engine 720 Examples
This example shows how to display information about the NDE hardware-switched flow on a Cisco 7600 series router that is configured with a Supervisor Engine 720:
Router# show mls nde
Netflow Data Export enabled (Interface Mode)
Exporting flows to 172.20.55.71 (9991)
Exporting flows from 10.6.60.120 (59020)
Version: 9
Include Filter not configured
Exclude Filter not configured
Total Netflow Data Export Packets are:
as aggregation v9 0 packets, 0 no packets, 0 records
Router#
Related Commands
show mls netflow
To display configuration information about the NetFlow hardware, use the show mls netflow command in user EXEC or privileged EXEC mode.
show mls netflow {aging | aggregation flowmask | creation | flowmask | {table-contention detailed | summary}}
IPv6, MPLS, and software Configuration
show mls netflow [ip | ipv6 | mpls] [any | count | destination {hostname | ip-address} | detail | dynamic | flow {tcp | udp} | module number | nowrap | source {hostname | ip-address} | sw-installed [non-static | static]]
Syntax Description
Command History
Usage Guidelines
The ipv6 and mpls keywords are not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
When you view the output, note that a colon (:) is used to separate the fields.
For TCP intercept flows, the packet count is 0 on DFC. TCP intercept will install a zero count entry in each DFC and PFC for each intercepted flow because TCP intercept is a global feature.
Examples
This example shows how to display the NetFlow-aging configuration:
Router# show mls netflow aging
enable timeout packet threshold
------ ------- ----------------
normal aging true 300 N/A
fast aging true 32 100
long aging true 900 N/A
Router#
This example shows how to display the configured protocol-creation filters:
Router# show mls netflow creation
Excluded protocols:
port protocol
-------+----------
10 tcp
8 udp/tcp
Router#
Supervisor Engine 720 Examples
These examples show the output from Cisco 7600 series routers that are configured with a Supervisor Engine 720.
This example shows how to display the flow mask that is set for the current NetFlow aggregation:
Router# show mls netflow aggregation flowmask
Current flowmask set for netflow aggregation : Dest only
Minimum flowmask required for netflow aggregation schemes
----------------------+-------------------+-----------------
Aggregation Scheme Min. Flowmask Status
----------------------+-------------------+-----------------
as Intf Src Dest disabled
protocol-port Full Flow disabled
source-prefix Intf Src Dest disabled
destination-prefix Dest only enabled
prefix Intf Src Dest disabled
Router#
This example shows how to display detailed information about the NetFlow table-contention level:
Router# show mls netflow table-contention detailed
Earl in Module 2
Detailed Netflow CAM (TCAM and ICAM) Utilization
================================================
TCAM Utilization : 0%
ICAM Utilization : 0%
Netflow TCAM count : 0
Netflow ICAM count : 0
Router#
This example shows how to display a summary of the NetFlow table-contention level:
Router# show mls netflow table-contention summary
Earl in Module 2
Summary of Netflow CAM Utilization (as a percentage)
====================================================
TCAM Utilization : 0%
ICAM Utilization : 0%
Router#
Supervisor Engine 2 Examples
These examples show the output from Cisco 7600 series routers that are configured with a Supervisor Engine 2.
This example shows how to display the flow mask that is set for the current NetFlow aggregations:
Router# show mls netflow aggregation flowmask
Current flowmask set for netflow aggregation : interface and full flow
Minimum flowmask required for netflow aggregation schemes
----------------------+-------------------+-----------------
Aggregation Scheme Min. Flowmask Status
----------------------+-------------------+-----------------
as if-dst-src enabled
protocol-port full enabled
source-prefix if-dst-src enabled
destination-prefix dst enabled
prefix if-dst-src enabled
Router#
This example shows how to display detailed information about the NetFlow table-contention level:
Router# show mls netflow table-contention detailed
Earl in Module 1
Detailed Table Contention Level Information
===========================================
Layer 3
-------
L3 Contention Level: 0
Page Hits Requiring 1 Lookup = 0
Page Hits Requiring 2 Lookups = 0
Page Hits Requiring 3 Lookups = 0
Page Hits Requiring 4 Lookups = 0
Page Hits Requiring 5 Lookups = 0
Page Hits Requiring 6 Lookups = 0
Page Hits Requiring 7 Lookups = 0
Page Hits Requiring 8 Lookups = 0
Page Misses = 0
Router#
This example shows how to display a summary of the NetFlow table-contention level:
Router# show mls netflow table-contention summary
Earl in Module 1
Summary of Table Contention Levels (on a scale of 0 (lowest) to 5 (highest))
============================================================================
L3 Contention Level: 0
Router#
show mls netflow ip
To display information about MLS NetFlow IP traffic, use the show mls netflow ip command in user EXEC or privileged EXEC mode.
show mls netflow ip any
show mls netflow ip count [module number]
show mls netflow ip destination {hostname | ip-address} [slash ip-mask] [count [module number] | detail | dynamic | flow {icmp | tcp | udp} | module number | nowrap | qos | source {hostname | ip-address} [slash ip-mask] | sw-installed [non-static | static]]
show mls netflow ip detail [module number | nowrap [module number]]
show mls netflow ip dynamic [count [module number]] [detail] [module number] [nowrap [module number] [qos [module number]] [nowrap [module number]]]
show mls netflow ip flow {icmp | tcp | udp} [count [module number] | destination {hostname | ip-address} [slash ip-mask] | detail | dynamic | flow {icmp | tcp | udp} | module number | nowrap | qos | source {hostname | ip-address} | sw-installed [non-static | static]]
show mls netflow ip module number
show mls netflow ip qos [module number | nowrap [module number]]
{show mls netflow ip source {hostname | ip-address} [slash ip-mask] [count [module number]] | detail | dynamic | flow {icmp | tcp | udp} | module number | nowrap | qos | sw-installed [non-static | static]}
Syntax Description
Command History
Usage Guidelines
If you enter the show mls netflow ip command with no arguments, the output of the show mls netflow ip sw-installed and show mls netflow ip dynamic commands is displayed.
When you view the output, note that a colon (:) is used to separate the fields.
The multicast keyword appears on systems that are not configured with a Supervisor Engine 720.
In Cisco IOS Release 12.2SR and later, the NetFlow cache might contain null entries (with an IP source and destination address of 0.0.0.0). This behavior is the result of changes made to support per-interface NetFlow, which allows you to enable NetFlow for IPv4 traffic on individual interfaces. By default, the hardware cache is populated with information about packets received on all IP interfaces. However, if NetFlow is not enabled on an IP interface, a null flowmask is used, which results in a null cache entry being created for the interface.
Examples
This example shows how to display information about any MLS NetFlow IP:
Router# show mls netflow ip
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
-----------------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
10.1.1.2 11.1.1.2 tcp :3 :5 Fa5/11 :0x0
459983 21159218 6 07:45:13 L3 - Dynamic
10.1.1.2 11.1.1.3 tcp :3 :5 Fa5/11 :0x0
459984 21159264 6 07:45:13 L3 - Dynamic
Router#
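The following is an added example, not part of the Cisco documentation: a Python parser for the two-line entries of the show mls netflow ip display that separates the null entries described in the usage guidelines (source and destination both 0.0.0.0) from real flows, so that their counters are not attributed to a host. The function names are assumptions, and the embedded sample reuses rows from the module 5 display on this page.

```python
import re

# Constructed sample: rows reused from the "module 5" display on this page.
SAMPLE = """\
Displaying Netflow entries in module 5
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f :AdjPtr
-----------------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------
10.1.1.1        10.2.0.2        0   :0      :0        vpn:red :0x0
504          398020        1     23:20:48   L3 - Dynamic
224.0.0.5       172.16.1.1      89  :0      :0        Fa1/1   :0x0
1            84            7     23:20:42   L2 - Dynamic
0.0.0.0         0.0.0.0         0   :0      :0        --      :0x0
2238         1582910       33    23:20:48   L3 - Dynamic
224.0.0.2       172.16.1.1      udp :646    :646      Fa1/1   :0x0
5            310           21    23:20:46   L2 - Dynamic
172.16.2.6      172.16.1.2      0   :0      :0        Fa1/1   :0x0
1            140           22    23:20:27   L2 - Dynamic
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# First line of an entry: DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
KEY_LINE = re.compile(rf"^{IP}\s+{IP}\s+(\w+)\s*:(\d+)\s*:(\d+)\s+(.+)$")
# Second line of an entry: Pkts Bytes Age LastSeen Attributes
STAT_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+(.+)$")


def parse_mls_netflow_ip(text):
    """Pair each key line with the counter line that follows it."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = []
    for i, line in enumerate(lines):
        key = KEY_LINE.match(line)
        if not key:
            continue  # header, separator, or a detail-mode line
        stat = STAT_LINE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if not stat:
            continue  # wrapped or truncated entry: skip rather than guess
        dst, src, proto, sport, dport, rest = key.groups()
        # The interface name may itself contain a colon ("vpn:red"),
        # so split on the last colon only.
        iface, sep, adj = rest.rpartition(":")
        if not sep:
            iface, adj = rest, ""
        pkts, nbytes, age, last_seen, attrs = stat.groups()
        entries.append({
            "dst": dst, "src": src, "proto": proto,
            "src_port": int(sport), "dst_port": int(dport),
            "iface": iface.strip(), "adjptr": adj.strip(),
            "pkts": int(pkts), "bytes": int(nbytes), "age": int(age),
            "last_seen": last_seen, "attributes": attrs.strip(),
        })
    return entries


def split_null_entries(entries):
    """Return (real_flows, null_entries); null means src and dst are 0.0.0.0."""
    real, null = [], []
    for e in entries:
        target = null if e["src"] == e["dst"] == "0.0.0.0" else real
        target.append(e)
    return real, null


def null_byte_share(entries):
    """Fraction of all counted bytes that sits in null entries."""
    _, null = split_null_entries(entries)
    total = sum(e["bytes"] for e in entries)
    return sum(e["bytes"] for e in null) / total if total else 0.0


if __name__ == "__main__":
    parsed = parse_mls_netflow_ip(SAMPLE)
    flows, nulls = split_null_entries(parsed)
    print(len(flows), "flows,", len(nulls), "null entries,",
          f"{null_byte_share(parsed):.0%} of bytes in null entries")
```

An entry with only the source address set to 0.0.0.0 is kept as a real flow, because the usage guidelines define a null entry as one where both addresses are 0.0.0.0.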
This example shows how to display detailed NetFlow table-entry information:
Router# show mls netflow ip detail
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
Mask Pi R CR Xt Prio Dsc IP_EN OP_EN Pattern Rpf FIN_RDT FIN/RST
----+--+-+--+--+----+---+-----+-----+-------+---+-------+-------
Ig/acli Ig/aclo Ig/qosi Ig/qoso Fpkt Gemini MC-hit Dirty Diags
-------+-------+-------+-------+----+------+------+-----+------
QoS Police Count Threshold Leak Drop Bucket Use-Tbl Use-Enable
-----------+------------+---------+-----------+----+-------+-------+----------+
172.30.46.2 172.30.45.2 4 :0 :0 Gi7/1: 0x0
140063 6442898 15 01:42:52 L3 - Dynamic
1 1 0 0 1 0 0 1 1 0 0 0 0
0 0 0 0 0 0 0 0 0
0x0 672645504 0 0 NO 31784 NO NO
Router#
This example shows how to display NetFlow table-entry information with no text wrap:
Router# show mls netflow ip nowrap
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f :AdjPtr Pkts Bytes Age LastSeen Attributes
------------------------------------------------------------------------------------------------------------------------------------------
10.1.1.2 11.1.1.92 udp :63 :63 Fa5/11 :0x0 176339 8111594 912 22:31:15 L3 - Dynamic
10.1.1.2 11.1.1.93 udp :63 :63 Fa5/11 :0x0 176338 8111548 912 22:31:15 L3 - Dynamic
10.1.1.2 11.1.1.94 udp :63 :63 Fa5/11 :0x0 176338 8111548 912 22:31:15 L3 - Dynamic
10.1.1.2 11.1.1.95 udp :63 :63 Fa5/11 :0x0 176338 8111548 912 22:31:15 L3 - Dynamic
10.1.1.2 11.1.1.96 udp :63 :63 Fa5/11 :0x0 176338 8111548 912 22:31:15 L3 - Dynamic
10.1.1.2 11.1.1.97 udp :63 :63 Fa5/11 :0x0 176337 8111502 912 22:31:15 L3 - Dynamic
10.1.1.2 11.1.1.98 udp :63 :63 Fa5/11 :0x0 176337 8111502 912 22:31:15 L3 - Dynamic
10.1.1.2 11.1.1.99 udp :63 :63 Fa5/11 :0x0 176337 8111502 912 22:31:15 L3 - Dynamic
10.1.1.2 11.1.1.100 udp :63 :63 Fa5/11 :0x0 176337 8111502 912 22:31:15 L3 - Dynamic
Router#
This example shows how to display information about the MLS NetFlow on a specific interface:
Router# show mls netflow ip interface FastEthernet 3/1
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
172.20.52.19 0.0.0.0 0 :0 :0 0 : 0
0 0 1635 11:05:26 L3 - Dynamic
Router#
This example shows how to display information about the MLS NetFlow on a specific IP address:
Router# show mls netflow ip destination 172.20.52.122
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
Router#
This example shows how to display information about the MLS NetFlow on a specific flow:
Router# show mls netflow ip flow udp
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
172.20.52.19 0.0.0.0 0 :0 :0 0 : 0
0 0 1407 11:01:32 L3 - Dynamic
Router#
This example shows how to display detailed information about the MLS NetFlow on a full-flow mask:
Router# show mls netflow ip detail
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
QoS Police Count Threshold Leak Drop Bucket Use-Tbl Use-Enable
-----------+------------+---------+-----------+----+-------+-------+----------+
172.20.52.19 0.0.0.0 0 :0 :0 0 : 0
0 0 1464 11:02:31 L3 - Dynamic
0x0 0 0 0 NO 64 NO NO
Router#
This example shows how to display detailed information about a specific flow type:
Router# show mls netflow ip flow icmp
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f
:AdjPtr
-----------------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
10.1.1.2 11.1.10.151 icmp:0 :0 Fa5/11
:0x0
1945 89470 1062 08:45:15 L3 - Dynamic
10.1.1.2 11.1.10.153 icmp:0 :0 Fa5/11
:0x0
1945 89470 1062 08:45:15 L3 - Dynamic
10.1.1.2 11.1.10.155 icmp:0 :0 Fa5/11
:0x0
1945 89470 1062 08:45:15 L3 - Dynamic
10.1.1.2 11.1.10.157 icmp:0 :0 Fa5/11
:0x0
1945 89470 1062 08:45:15 L3 - Dynamic
10.1.1.2 11.1.10.159 icmp:0 :0 Fa5/11
:0x0
1945 89470 1062 08:45:15 L3 - Dynamic
10.1.1.2 11.1.10.161 icmp:0 :0 Fa5/11
:0x0
1945 89470 1062 08:45:15 L3 - Dynamic
10.1.1.2 11.1.10.163 icmp:0 :0 Fa5/11
:0x0
Router#
This example shows how to display QoS information:
Router# show mls netflow ip qos
Displaying netflow qos information in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
-------------------------------------------------------------------------
Pkts Bytes LastSeen QoS PoliceCount Threshold Leak
-------------------------------------------------------------------------
Drop Bucket
------------
xxx.xxxx.xxx.xxx xxx.xxx.xxx.xxx xxxx:63 :63 Fa5/11 :0x0
772357 35528422 17:59:01 xxx xxx xxx xxx
xxx xxx
Router#
This example shows how to display VPN information on a Cisco 7600 series router:
Router# show mls netflow ip module 5
Displaying Netflow entries in module 5
DstIP SrcIP Prot:SrcPort:DstPort Src i/f :AdjPtr
-----------------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
10.1.1.1 10.2.0.2 0 :0 :0 vpn:red :0x0
504 398020 1 23:20:48 L3 - Dynamic
224.0.0.5 172.16.1.1 89 :0 :0 Fa1/1 :0x0
1 84 7 23:20:42 L2 - Dynamic
0.0.0.0 0.0.0.0 0 :0 :0 -- :0x0
2238 1582910 33 23:20:48 L3 - Dynamic
224.0.0.2 172.16.1.1 udp :646 :646 Fa1/1 :0x0
5 310 21 23:20:46 L2 - Dynamic
172.16.2.6 172.16.1.2 0 :0 :0 Fa1/1 :0x0
1 140 22 23:20:27 L2 - Dynamic
Router#
Related Commands
show mls netflow ipv6
To display information about the hardware NetFlow IPv6 configuration, use the show mls netflow ipv6 command in privileged EXEC mode.
show mls netflow ipv6 any
show mls netflow ipv6 count [module number]
show mls netflow ipv6 destination ipv6-address [/ipv6-prefix] [count [module number] | detail | dynamic | flow {icmp | tcp | udp} | module number | nowrap | qos | source ipv6-address [/ipv6-prefix] | sw-installed [non-static | static]]
show mls netflow ipv6 detail [module number | nowrap [module number]]
show mls netflow ipv6 dynamic [count [module number]] [detail] [module number] [nowrap [module number]] [qos [module number]] [nowrap [module number]]
show mls netflow ipv6 flow {icmp | tcp | udp} [count [module number] | destination ipv6-address [/ipv6-prefix] | detail | dynamic | flow {icmp | tcp | udp} | module number | nowrap | qos | source ipv6-address [/ipv6-prefix] | sw-installed [non-static | static]]
show mls netflow ipv6 [module number]
show mls netflow ipv6 qos [module number | nowrap [module number]]
show mls netflow ipv6 source ipv6-address [/ipv6-prefix] [count [module number] | detail | dynamic | flow {icmp | tcp | udp} | module number | nowrap | qos | sw-installed [non-static | static]]
Syntax Description
Command History
Examples
This example shows how to display information about the hardware NetFlow configuration:
Router# show mls netflow ipv6
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP
-------------------------------------------------------------------------------
Prot:SrcPort:DstPort Src i/f :AdjPtr
Pkts Bytes Age LastSeen Attributes
------------------------------------------------------------------------------------------
50::2 47::2
tcp :16 :32 Vl47 :0x0
23758 1425480 4 23:48:36 L3 (IPv6) - Dynamic
50::2 47::3
tcp :16 :32 Vl47 :0x0
23758 1425480 4 23:48:36 L3 (IPv6) - Dynamic
50::2 47::4
tcp :16 :32 Vl47 :0x0
23758 1425480 4 23:48:36 L3 (IPv6) - Dynamic
50::2 47::5
tcp :16 :32 Vl47 :0x0
23758 1425480 4 23:48:36 L3 (IPv6) - Dynamic
50::2 47::6
tcp :16 :32 Vl47 :0x0
23758 1425480 4 23:48:36 L3 (IPv6) - Dynamic
This example shows how to display IPv6 microflow policing information:
Router# show mls netflow ipv6 qos
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP
--------------------------------------------------------------------------------
Prot:SrcPort:DstPort Src i/f :AdjPtr Pkts Bytes
--------------------------------------------------------------------------------
LastSeen QoS PoliceCount Threshold Leak Drop Bucket
--------------------------------------------------------------------
101::3 100::2
icmp:0 :0 -- 0x0 0 0
22:22:09 0x0 0 0 0 NO 0
101::2 100::2
icmp:0 :0 -- 0x0 0 0
22:22:09 0x0 0 0 0 NO 0
This example shows how to display IPv6 microflow policing information for a specific module:
Router# show mls netflow ipv6 qos module 7
Displaying Netflow entries in module 7
DstIP SrcIP
--------------------------------------------------------------------------------
Prot:SrcPort:DstPort Src i/f :AdjPtr Pkts Bytes
--------------------------------------------------------------------------------
LastSeen QoS PoliceCount Threshold Leak Drop Bucket
--------------------------------------------------------------------
101::2 100::2
icmp:0 :0 -- 0x0 0 0
22:22:56 0x0 0 0 0 NO 0
101::3 100::2
icmp:0 :0 -- 0x0 0 0
22:22:56 0x0 0 0 0 NO 0
This example shows the output display when you turn off text wrapping:
Router# show mls netflow ipv6 qos nowrap
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f :AdjPtr Pkts Bytes LastSeen QoS PoliceCount Threshold Leak Drop Bucket
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
101::3 100::2 icmp:0 :0 -- 0x0 0 0 22:22:19 0x0 0 0 0 NO 0
101::2 100::2 icmp:0 :0 -- 0x0 0 0 22:22:19 0x0 0 0 0 NO 0
This example shows the output display when you turn off text wrapping for a specific module:
Router# show mls netflow ipv6 qos nowrap module 7
Displaying Netflow entries in module 7
DstIP SrcIP Prot:SrcPort:DstPort Src i/f :AdjPtr Pkts Bytes LastSeen QoS PoliceCount Threshold Leak Drop Bucket
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
101::3 100::2 icmp:0 :0 -- 0x0 0 0 22:22:38 0x0 0 0 0 NO 0
101::2 100::2 icmp:0 :0 -- 0x0 0 0 22:22:38 0x0 0 0 0 NO 0
show mls netflow ip dynamic
To display the statistics for NetFlow IP entries, use the show mls netflow ip dynamic command in user EXEC or privileged EXEC mode.
Command History
Usage Guidelines
The show mls netflow ip statistics command is supported on releases prior to Release 12.2(17a)SX. For Release 12.2(17a)SX and later releases, use the show mls netflow ip dynamic command.
Examples
This example shows how to display the statistics for the NetFlow IP entries:
Router> show mls netflow ip dynamic
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
Router>
This example shows how to display the statistics for the NetFlow IP entries:
Router> show mls netflow ip dynamic detail
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
QoS Police Count Threshold Leak Drop Bucket Use-Tbl Use-Enable
-----------+------------+---------+-----------+----+-------+-------+----------+
Router>
Related Commands
show mls netflow ip routes
To display the NetFlow IP routing entries, use the show mls netflow ip routes command in user EXEC or privileged EXEC mode.
show mls netflow ip routes [non-static | static] [count [module number] | detail [module number] | module number]
Syntax Description
Usage Guidelines
The show mls netflow ip routes command is supported on releases prior to Release 12.2(17a)SX. For Release 12.2(17a)SX and later releases, use the show mls netflow ip sw-installed command.
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
Examples
This example shows how to display the software-installed nonstatic routing entries:
Router> show mls netflow ip routes non-static
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
Router>
This example shows how to display detailed information for the software-installed nonstatic routing entries:
Router> show mls netflow ip routes non-static detail
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
QoS Police Count Threshold Leak Drop Bucket Use-Tbl Use-Enable
-----------+------------+---------+-----------+----+-------+-------+----------+
Router>
This example shows how to display the total number of software-installed routing entries:
Router> show mls netflow ip routes count
Displaying Netflow entries in Supervisor Earl
Number of shortcuts = 0
Router>
show mls netflow ip sw-installed
To display information for the software-installed IP entries, use the show mls netflow ip sw-installed command in user EXEC or privileged EXEC mode.
show mls netflow ip sw-installed {non-static | static} [count [module number] | detail [module number] | module number]
Syntax Description
Command History
Examples
This example shows how to display the software-installed nonstatic entries:
Router> show mls netflow ip sw-installed non-static
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
Router>
This example shows how to display detailed information for the software-installed nonstatic entries:
Router> show mls netflow ip sw-installed non-static detail
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
QoS Police Count Threshold Leak Drop Bucket Use-Tbl Use-Enable
-----------+------------+---------+-----------+----+-------+-------+----------+
Router>
This example shows how to display the total number of software-installed nonstatic entries:
Router> show mls netflow ip sw-installed non-static count
Displaying Netflow entries in Supervisor Earl
Number of shortcuts = 0
Router>
show mls netflow ipx
To display MLS NetFlow IPX information in the EXEC command mode, use the show mls netflow ipx command.
show mls netflow ipx [count | destination {hostname | ipx-address} | detail | flow {tcp | udp} | interface interface interface-number | vlan vlan-id | macd destination-mac-address | macs source-mac-address | routes num | module number | source {hostname | ipx-address} | statistics]
Syntax Description
Usage Guidelines
The show mls netflow ipx command is only supported on systems that have a version 2 Supervisor Engine.
The interface, macd, and macs keywords are not supported.
When you enter the ipx-network, the format is N.H.H.H.
When you enter the destination-mac-address, the format for the 48-bit MAC address is H.H.H.
The interface-number argument designates the module and port number. Valid values for interface-number depend on the specified interface type and the chassis and module used. For example, if you specify a Gigabit Ethernet interface and have a 48-port 10/100BASE-T Ethernet module installed in a 13-slot chassis, valid values for the module number are from 1 to 13 and valid values for the port number are from 1 to 48. These valid values also apply when entering the module number keyword and argument.
show mls sampling
To display information about the sampled NDE status, use the show mls sampling command in user EXEC or privileged EXEC mode.
sort-by
To specify the sorting criterion for the NetFlow top talkers (unaggregated top flows), use the sort-by command in NetFlow top talkers configuration mode. To disable NetFlow top talkers, use the no form of this command.
Command History
Usage Guidelines
Configuring NetFlow Top Talkers
You must enable NetFlow on at least one interface in the router and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands. Optionally, the match command can be configured to specify additional matching criteria.
Examples
In the following example, a maximum of four top talkers is configured. The sort criterion is configured to sort the list of top talkers by the total number of bytes for each top talker.
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 4
Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top-talkers command with the configuration from the previous example:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K
4 of 4 top talkers shown. 11 flows processed
Related Commands
top
To specify the maximum number of NetFlow top talkers (unaggregated top flows) to display the statistics for, use the top command in NetFlow top talkers configuration mode. To disable NetFlow top talkers, use the no form of this command.
Command History
Usage Guidelines
Configuring NetFlow Top Talkers
You must enable NetFlow on at least one interface in the router and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands. Optionally, the match command can be configured to specify additional matching criteria.
Examples
In the following example, a maximum of four top talkers is configured. The sort criterion is configured to sort the list of top talkers by the total number of bytes for each top talker.
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 4
Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top-talkers command with the configuration from the previous example:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K
4 of 4 top talkers shown. 11 flows processed
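The show ip flow top-talkers output in the sort-by and top examples prints the Pr, SrcP and DstP columns in hexadecimal, so a captured listing has to be decoded before it can be compared with firewall or IDS logs. The following Python parser is an added example, not part of the Cisco documentation; it reads the sample output above, rejects a capture whose row count does not match the summary line, and totals bytes per destination. Treating the K/M/G byte suffix as a decimal multiplier is an assumption.

```python
import re
from collections import Counter, namedtuple

# Output lines copied from the show ip flow top-talkers example above.
SAMPLE = """\
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K
4 of 4 top talkers shown. 11 flows processed
"""

Flow = namedtuple("Flow", "src_if src_ip dst_if dst_ip proto src_port dst_port nbytes")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROW = re.compile(rf"^(\S+)\s+{IP}\s+(\S+)\s+{IP}\s+([0-9A-Fa-f]{{2}})\s+"
                 r"([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)([KMG]?)$")
SUMMARY = re.compile(r"^(\d+) of (\d+) top talkers shown\. (\d+) flows processed")
# Assumption: K/M/G are decimal multipliers; the page does not define the suffix.
SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}

def parse_top_talkers(text):
    """Return (flows, summary); summary holds the three summary-line numbers in order."""
    flows, summary = [], None
    for line in map(str.strip, text.splitlines()):
        row, tail = ROW.match(line), SUMMARY.match(line)
        if row:
            s_if, s_ip, d_if, d_ip, pr, sp, dp, num, unit = row.groups()
            # Pr, SrcP and DstP are hexadecimal: 11 -> 17 (UDP), 0050 -> 80.
            flows.append(Flow(s_if, s_ip, d_if, d_ip, int(pr, 16),
                              int(sp, 16), int(dp, 16), int(num) * SCALE[unit]))
        elif tail:
            summary = tuple(int(n) for n in tail.groups())
    # A missing summary line or a row-count mismatch means the capture is incomplete.
    if summary is None or summary[0] != len(flows):
        raise ValueError("capture is truncated or not top-talkers output")
    return flows, summary

def bytes_by_destination(flows):
    """Total bytes per destination address, largest first."""
    totals = Counter()
    for f in flows:
        totals[f.dst_ip] += f.nbytes
    return totals.most_common()

if __name__ == "__main__":
    flows, summary = parse_top_talkers(SAMPLE)
    print(bytes_by_destination(flows), summary)
```
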
Related Commands
© 2012 Cisco Systems, Inc. All rights reserved.