Pages

Showing posts with label Monitoring. Show all posts
Showing posts with label Monitoring. Show all posts

Wednesday, 5 May 2021

CONFIGURING SNMPv2c and SNMPv3

Introduction

SNMP is an open standard protocol for collecting information about managed devices and modifying configuration on the managed devices. SNMP is an application layer protocol that supports message exchange in a specific format between SNMP managers and agents. It is used for monitoring and managing devices on a network. SNMP is able to retrieve data, modify SNMP object variables of managed devices on IP networks and send notifications to Network Management Stations (NMS). Some devices that support SNMP include routers, switches, servers, workstations, printers etc.

SNMP uses UDP port 161 for general messages and responses and UDP port 162 for SNMP traps.

SNMP components include; SNMP manager (NMS), SNMP agent and SNMP MIB.

  • SNMP manager: controls and monitors the operation of network hosts using SNMP. The manager receives unsolicited notifications from agents running on monitored devices. Additionally, the manager polls SNMP agents running on the network devices for information. The manager runs as software on a computer/server.
  • SNMP Agent: is a software component that runs on the managed device. It collects and stores information on the device. The agent responds to manager requests for information. The agent can send unsolicited notifications (traps or informs) to notify the manager about conditions on the managed device.
  • MIB: is a database of objects (information variables) that lists various attributes of the managed device that can be monitored. An SNMP agent contains MIB variables, whose values the SNMP manager can request for or change through the Get or Set operations. A manager can retrieve a value from an agent or store a value from that agent. The agent gathers data from the SNMP MIB. The MIB uses read and write community strings for controlling access. Object Identifier (OID) is an ID for the various components in the MIB of a managed device.

SNMP operations involve SNMP agents running on the managed devices sending monitoring data to the SNMP manager. SNMP uses the following operations to retrieve and modify objects on managed/monitored devices:

  • SNMP Get: A Get operation is performed by the SNMP manager to retrieve SNMP object variables from the agent. There are three types of GET operations;
    • Get: Retrieves exact object instance identified by OID or name.
    • GetNext: Retrieves next object variable (successor) to the specified variable.
    • GetBulk: Retrieves large amount of object variable data without repeated GetNext operations.
  • SNMP Set: An NMS carries out a SET operation to modify the value of the object variable on a managed device.
  • SNMP Notifications: Traps and informs are unsolicited (asynchronous) notifications sent by an agent to an NMS.

Traps, Informs, and Polls

Traps are unsolicited messages alerting the NMS to a condition on the managed device. Traps are discarded as soon as they are sent. Traps are sent once and do not require acknowledgement by the manager.

Informs are traps that include a request for confirmation of receipt from the SNMP manager. The SNMP manager sends a confirmation using SNMP response PDU. If the Agent did not receive a response for an inform, the inform can be sent again. Informs may be sent many times hence traps are usually preferred. An inform is held in memory until a response is received or times out. Traps are usually preferred because they consume less resources in terms of memory.

Polls are probes where the SNMP manager sends an SNMP request to the agent and receives an SNMP reply to this request. The SNMP GetRequest(poll) is sent using UDP port 161 and the SNMP GetResponse(trap) sent using UDP port 162.

SNMP Versions

SNMP comes in three major versions: SNMPv1, v2c and v3. In SNMP v1, security is based on community strings. SNMPv1 is not recommended to be used in today's networks and many network device vendors do not support it. In SNMP v2c, security is also based on community strings. In SNMP v3, security is based on message authentication, encryption algorithms.

Security with SNMP can be refined by implementing the following:

  • Configuration of an ACL of managers permitted to access the agent
  • Defining MIB view: subset of all MIB objects accessible to the community. Where multiple views with the same OID are entered, the latest entry takes precedence.
  • Read-Write or Read-only permission for MIB objects accessible to the community.

SNMP v2c

SNMP v2c is defined by RFC 1441 and RFC 1452 with improvements to SNMPv1 in areas of performance, security and manager-to-device communications. It introduced the GetBulk request, an alternative to iterative GetNext requests, for retrieving large amounts of management data in a single request. SNMP v2c sends the community strings in clear text.

SNMP v2c includes detailed error reporting; this minimizes the number of round trips. It includes expanded error codes that distinguish different types of errors. SNMP v2c uses community strings for security. An agent can communicate with multiple managers using the appropriate version for each manager.

Configuring views for SNMP v2c is optional. It limits which MIB objects an SNMP manager can access.

Configuration of SNMP v2c

To configure SNMP v2c on a managed device, follow these steps:

  1. Configure SNMP Community: configure the read-only or read-write community string using the command snmp-server community <string> <ro | rw > [<ipv6 nacl> | <acl>]. The ACL parameter is an optional access control list that is recommended to be configured as it adds a layer of security to SNMPv2. The community string has to match on both the manager and the agent.

    R1(config)#snmp-server community ciscolab ro

  2. Enable sending of traps: SNMP v2c is able to send traps using the command snmp-server enable traps [<mib-value>]. To send all available SNMP traps, exclude the mib-value snmp-server enable traps. To define specific traps, add the type of traps to the above command:

    R1(config)#snmp-server enable traps cpu threshold
    R1(config)#snmp-server enable traps vlancreate
    R1(config)#snmp-server enable traps vlandelete
    R1(config)#snmp-server enable traps memory bufferpeak
    R1(config)#snmp-server enable traps power-ethernet group 1 threshold 80
    R1(config)#snmp-server enable traps power-ethernet police

    Link up/down notifications are controlled by snmp trap link-status interface command.

  3. Configure the SNMP manager address: The SNMP manager to which the notifications will be sent is configured using the command snmp-server host <ip-address> [traps | informs] version [1 | 2c | 3 [auth | noauth | priv]] <community-string> udp-port <port-number> <notification-type>. By default, traps are sent. With this command, the following configurations are made:
    • SNMP manager address
    • Type of notifications sent i.e., informs or traps.
    • Version of SNMP
  4. R1(config)#snmp-server host 192.168.5.2 traps version 2c ciscolab

    It is important to note the following:

    • Without the snmp-server host command on a managed device, no notifications are sent.
    • Each succeeding snmp-server host command overwrites the previous command.
    • Entering the snmp-server host command without keywords enables all trap types for the host.

  5. System information: The first snmp-server command entered enables SNMP on the device. Configuring SNMP system information is optional, however, the information configured can be valuable when troubleshooting SNMP. System information includes; chassis-id, location and contact information of the device.

    1. System Serial Number: snmp-server chassis-id 0123456AB
    2. System Contact: snmp-server contact example@example.com
    3. System Location: snmp-server location Floor01_Rm02

Security using Access Control Lists

An additional layer of security can be introduced by applying an Access Control List (ACL).

  1. Configure Access Control for an SNMP Community: The ACL controls the SNMP managers that are permitted to access the agent on the managed device based on their IP address or the subnet they reside in.

    R1(config)#ip access-list standard ACL_SNMP_MANAGER
    R1(config-std-nacl)#10 permit host 192.168.5.1

  2. Add the ACL to the configuration of the community string: configure the read only or read-write community string that references the ACL snmp-server community <string> view <view-name> <ro | rw > <ipv6 nacl> <acl>. The view and the ACL are optional parameters. The community string has to match on both the manager and the agent.

    R1(config)#snmp-server community ciscolab rw ACL_SNMP_MANAGER

Index Shuffling

MIB indices sometimes experience "index shuffling" where the indices of router components change after reboots or firmware upgrades. Index shuffling can be stopped using the command snmp-server ifindex persist. This command shows up in the running configuration as snmp ifmib ifindex persist. This command ensures that the mapping between the ifDescr object values and the ifIndex object values (generated from the IF_MIB) will be retained across reboots.

Verification

show snmp

R4#show snmp
Chassis: 4279256517
Contact: etoko@gmail.com
Location: Building2Room2SW01
0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    0 Get-next PDUs
    0 Set-request PDUs
    0 Input queue packet drops (Maximum queue size 1000)
0 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    0 No such name errors
    0 Bad values errors
    0 General errors
    0 Response PDUs
    0 Trap PDUs
SNMP Dispatcher:
   queue 0/75 (current/max), 0 dropped
SNMP Engine:
   queue 0/1000 (current/max), 0 dropped
    
SNMP logging: enabled
    Logging to 10.0.12.1.162, 0/10, 0 sent, 0 dropped.
R4#

show snmp host

R4#show snmp host
Notification host: 10.0.12.1    udp-port: 162   type: trap
user: cisco123  security model: v2c                    

R4#

show snmp community

R4#show snmp community

Community name: ILMI
Community Index: cisco0
Community SecurityName: ILMI
storage-type: read-only active


Community name: cisco123
Community Index: cisco2
Community SecurityName: cisco123
storage-type: nonvolatile active access-list: 1300


R4#

show snmp chassis

show snmp contact

show snmp location

Troubleshooting SNMP v2c

When troubleshooting SNMP v2c, verify the following:

  • Traps are enabled by default (traps are unsolicited)
  • Specify correct traps if all traps are not desired.
  • Ensure correct configuration of traps or informs.
  • Verify that the correct community string is specified
  • Verify that the correct NMS IP address is specified
  • Verify that the correct SNMP version is configured
  • SNMP uses UDP port 161 for general messages and 162 for traps and informs. Verify that an access control list is not blocking traffic to these ports.

SNMP v3

The main improvement of SNMP v3 over SNMP v2c is the added security through authentication and encryption. Poll messages for example GetRequest are sent still sent using UDP port 161 and traps (GetResponse) on UDP 162.

SNMP v3 defines three security levels:

  1. NoAuthNoPriv: no authentication, no privacy. Uses a username for authentication and does not use encryption.
  2. AuthNoPriv: uses a hash for authentication (MD5 or SHA1) but does not use encryption.
  3. AuthPriv: uses a hash for authentication and uses encryption for privacy (DES, 3DES, AES).
When configuring SNMP v3, in order to utilize the security mechanisms that it supports, groups and users must be configured.

SNMP v3 Features

SNMP v3 structures its configuration into three main sections:

  1. Views: Restrict the OIDs visible to the NMS. It defines what the manager is able to access/view on the device. This restriction can include access to a particular interface. The view can be associated with a group.
  2. Groups: associated with a view to specify the type of access i.e., whether read or write, as well as the type of security enabled.
  3. User: specifies credentials required to access a view based on a group.

Configuration

When configuring SNMP v3, three steps are followed:

  1. Create an SNMP view to define the list of features or attributes on the managed device that are to be monitored.
  2. Associate the view with the group which defines the type of access (whether read-only or read-write) as well as the security type enabled for this access.
  3. Associate the group with a user. The user defines the username, password, encryption and authentication to be used.

The order of configuration of SNMP v3:

  1. Configuration of SNMP Views:

    SNMP Views are configured to restrict the number of MIB objects that an SNMP manager has access to. SNMP views can be predefined or custom configured. To configure an SNMP view, use the command snmp-server view <view-name> <oid-tree> | <object-name> <included | excluded>.
    Caution: If an MIB name is defined for a view, MIB names are case-sensitive. Use the SNMP Object Navigator for the correct object names or OID values.

    R2(config)#snmp-server view mib2 mib-2 included
    R2(config)#snmp-server view mib2 ifEntry included
    R2(config)#snmp-server view int-access ifEntry included

    From the above configuration:

    • The mib2 view includes all objects in the MIB-II subtree.
    • The MIB value for access to all interfaces and their features is ifIndex.

  2. Creating SNMP Groups

    An SNMP group maps users to views using the command snmp-server group <group-name> [v1 | v2c | v3] [auth | noauth | priv] [read <read-view>] [write <write-view>] [notify <notify-view>] [access <acl>] . Configure the SNMP server group to enable authentication for members permitted by the configured ACL.

    R2(config)#snmp-server group group1 v3 auth read mib2

  3. Configuring Users

    To configure a remote user, specify the IP address of the remote SNMP manager of the device where the user resides. Before you configure remote users for a particular agent, configure the SNMP engine ID using the command snmp-server engineID with remote option. The remote agent’s SNMP engine ID is required when computing the authentication and privacy digests from the password. EngineID (remote) should be configured first before sending requests and informs to it.

    SNMP passwords are localised using engineID of the authoritative SNMP engine. For informs, the authoritative SNMP agent is the remote agent. You must configure the remote agent’s SNMP engine ID in the SNMP database before sending proxy requests or informs to it. Changing the engine ID after configuring the SNMP user doesn’t allow the removal of the user. To remove the configuration, you need to first reconfigure all SNMP configurations.

    1. Step 1: Define the remote system engineID; snmp-server engineID <local engineID | remote ip-address <udp-port port-number> <vrf name> <engineID-string>

      R2(config)#snmp-server engineID remote 192.168.3.10 800000090300CA0305F30006

    2. Step 2: Add a new user to a defined SNMP group; snmp-server user <username> <group-name> <remote ip_address> [udp-port <port-number>] [v1 | v2c | v3] encrypted> [auth [md5 | sha]] <auth-password> [priv [des56|3des|aes] <shared-secret-key>] <access-acl>

      Creating an SNMP user user1

      R2(config)#snmp-server user user1 group1 10.1.1.1 v3 auth sha complexcomplex priv aes 256 priv_password access ACL_SNMP

Security

To use SNMP version 3 security mechanisms, groups and users with passwords must be configured. No default values exist for authentication or privacy algorithms when you configure snmp-server group.

Configuration of Access Control Lists

R2(config)#ip access-list standard ACL_SNMP
R2(config-std-nacl)#10 PERMIT 192.168.3.10 ?
A.B.C.D Wildcard bits
log Log matches against this entry
<cr>

R2(config-std-nacl)#10 PERMIT 192.168.3.10
R2(config-std-nacl)#exit

Verification

show snmp user

SNMP users do not appear in the running-configuration. However, to view SNMP users, use the command show snmp user.

R2#show snmp user

User name: user1
Engine ID: 800000090300CA0206BC0006
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: SNMP_GROUP1

R2#

To verify the SNMP v3 view created;

R2#show snmp view
R2#show snmp view
*ilmi system - included permanent active
*ilmi atmForumUni - included permanent active
cac_view pimMIB - included read-only active
cac_view msdpMIB - included read-only active
cac_view interfaces - included read-only active
cac_view ip - included read-only active
cac_view ospf - included read-only active
cac_view bgp - included read-only active
cac_view dot1dBridge - included read-only active
cac_view ifMIB - included read-only active
cac_view nhrpMIB - included read-only active
cac_view ipMRouteStdMIB - included read-only active
cac_view igmpStdMIB - included read-only active
cac_view ospfv3MIB - included read-only active
cac_view ipForward - included read-only active
cac_view ipTrafficStats - included read-only active
cac_view ospfTrap - included read-only active
cac_view sysUpTime.0 - included read-only active
cac_view mplsLsrStdMIB - included read-only active
cac_view mplsLdpStdMIB - included read-only active
cac_view ciscoPingMIB - included read-only active
cac_view ciscoIpSecFlowMonitorMIB - included read-only active
cac_view ciscoIpSecPolMapMIB - included read-only active
cac_view ciscoPimMIB - included read-only active
cac_view ciscoBgp4MIB - included read-only active
cac_view ciscoIfExtensionMIB - included read-only active
cac_view ciscoEigrpMIB - included read-only active
cac_view ciscoCefMIB - included read-only active
cac_view ciscoNhrpExtMIB - included read-only active
cac_view ciscoGdoiMIB - included read-only active
cac_view ciscoIpMRouteMIB - included read-only active
cac_view ciscoIPsecMIB - included read-only active
cac_view mplsLdpMIB - included read-only active
cac_view ciscoDlcSwitchMIB - included read-only active
cac_view ciscoExperiment.101 - included read-only active
cac_view ciscoIetfIsisMIB - included read-only active
cac_view ciscoIetfBfdMIB - included read-only active
cac_view ifIndex - included read-only active
cac_view ifDescr - included read-only active
cac_view ifType - included read-only active
cac_view ifAdminStatus - included read-only active
cac_view ifOperStatus - included read-only active
cac_view snmpTraps.3 - included read-only active
cac_view snmpTraps.4 - included read-only active
cac_view snmpTrapOID.0 - included read-only active
cac_view internet.6.3.1.1.4.3.0 - included read-only active
cac_view lifEntry.20 - included read-only active
cac_view cciDescriptionEntry.1 - included read-only active
v1default iso - included permanent active
v1default internet.6.3.15 - excluded permanent active
v1default internet.6.3.16 - excluded permanent active
v1default internet.6.3.18 - excluded permanent active
v1default ciscoMgmt.394 - excluded permanent active
v1default ciscoMgmt.395 - excluded permanent active
v1default ciscoMgmt.399 - excluded permanent active
v1default ciscoMgmt.400 - excluded permanent active
SNMP_MIB_VIEW mplsLsrMIB.1.8 - included nonvolatile active
SNMP_MIB_VIEW lifEntry.1 - included nonvolatile active
SNMP_MIB_VIEW lifEntry.45 - included nonvolatile active

show snmp host

SNMP v3 Groups

Verification of SNMP v3 groups

R2(config)#do show snmp group              
groupname: ILMI                             security model:v1
contextname: <no context specified>         storage-type: permanent
readview : *ilmi                            writeview: *ilmi
notifyview: <no notifyview specified>        
row status: active                                
                                                  
groupname: ILMI                             security model:v2c
contextname: <no context specified>         storage-type: permanent
readview : *ilmi                            writeview: *ilmi
notifyview: <no notifyview specified>        
row status: active                                
                                                  
groupname: SNMP_GROUP1                      security model:v3 priv
contextname: <no context specified>         storage-type: nonvolatile
readview : v1default                        writeview: SNMP_MIB_VIEW
notifyview: <no notifyview specified>     row status: active

R2(config)#do show snmp engineID
Local SNMP engineID: 800000090300CA0206BC0006
Remote Engine ID          IP-addr    Port
R2#

Troubleshooting SNMP v3

  • Correct security level specified?
  • Correct OIDs specified in the view
  • Is the notification configured?
  • Index shuffling
  • Correct security level specified
  • Correct hashing algorithm, encryption algorithm, or passwords

IMPLEMENTING NETFLOW v5, v9 AND FLEXIBLE NETFLOW (IPFIX)

NetFlow is a Cisco application that collects statistics on packets flowing through a router. By analyzing the data provided by NetFlow, a network administrator can determine the characteristics of network traffic such as source, destination of traffic, class of service to get a hint on troubleshooting network problems such as the causes of congestion. NetFlow provides insights into the state of network traffic and this information can be utilized in network and security monitoring, network planning, traffic analysis, application monitoring, capacity planning, and IP accounting. Most NetFlow devices support export versions 1, 5, and 9.

NetFlow provides the ability to view network traffic grouped by protocol. With this feature, a baseline of network traffic can be performed before the introduction of a new network service or implementation of traffic shaping.

For Internet-facing routers that run NAT, it is recommended that NetFlow be configured on the router interface connecting to the local network i.e. before NAT translations. If NetFlow is configured on the Internet-facing interface, NAT will have been implemented and it becomes difficult to understand traffic flow patterns of local devices as their local/internal IP addresses will already have been translated by NAT.

A typical flow monitoring setup using NetFlow consists of three main components:

  • Flow exporter: aggregates packet data into flows and exports flow records to one or more flow collectors. This is usually a router.
  • Flow collector: responsible for reception, storage and processing of flow data received from a flow exporter.
  • NetFlow cache: the record for each active flow is maintained locally in the cache.

A network flow is a unidirectional stream of packets between a given source and destination. A flow is uniquely identified by the following characteristics:

  • Source IP address
  • Source port number
  • Destination IP address
  • Destination port number
  • Layer 3 protocol type
  • Type of service (TOS)
  • Logical input interface: router or switch interface
The combination of these fields make a flow uniquely identifiable. NetFlow is used on top of an existing switching path such as CEF.

Traffic monitored by NetFlow can be classified into the following categories:

  • Device: flow count, traffic and volume
  • Interface: bandwidth utilization, traffic, packets, and volume.
  • Application: traffic with port and protocol details.
  • Conversation: source, destination, application, and traffic
  • Quality of Server(QoS): DSCP and traffic.

NetFlow Cache

After you enable NetFlow on an interface, NetFlow reserves memory to accommodate a number of entries in the NetFlow cache. Normally the default size of the NetFlow cache meets the needs of your NetFlow traffic rates. The cache default size is 64K flow cache entries. Each cache entry requires 64 bytes of storage. About 4 MB of DRAM are required for a cache with the default number of entries. You can increase or decrease the number of entries maintained in the cache, if required. To obtain information on your flow traffic, use the command show ip cache flow. A NetFlow cache can be resized depending on the platform and the amount of DRAM on a line card using the command ip flow-cache entries <number>.

Parameters of the NetFlow cache can be modified using the following commands:

  • ip flow-cache timeout active <1-60>: the value is in minutes. This specifies the number of minutes that an active flow remains in the cache before the flow times out. The default is 30.
  • ip flow-cache timeout inactive <10-600>: This specifies the number of seconds that an inactive flow remains in the cache before it times out. The default value is 15 seconds.

Note: If any parameters of the NetFlow main cache are modified after NetFlow is enabled, the changes will not take effect until the router is rebooted. A better option is to disable NetFlow on the interface first and then re-enabling NetFlow on the interface.

Flow entries are deleted from the cache when they expire. The following are the scenarios under which NetFlow cache entries expire:

  • If a flow has been idle for 15 seconds by default.
  • Flows that are continuous, such as routing protocol message exchanges, they are categorized as long-lived flows. Long-lived flows, by default, expire after a maximum of 30 minutes (cache timeout active configured value).
  • If the NetFlow cache is full, the oldest flows get deleted.
  • TCP connections that are ending with the FIN flag set or have been reset (with the RST flag) are expired.

Collection Engine

The collection engine runs on the router or switch whose interface traffic is to be monitored. The collection engine sends NetFlow data to a management collector with 1.5% export data overhead. Flows are exported to the NetFlow collector periodically or when they expire using datagrams in UDP format. The UDP port number is arbitary; there is no default UDP port specified on which the collector listens.

NetFlow Collector

NetFlow export, unlike SNMP polling, pushes information periodically to the collector. Flows that have terminated or expired (based on the NetFlow cache) are exported as well. Flows are terminated when the network communication is ended. A maximum of two export destinations is allowed.

NetFlow Version 5

NetFlow version 5 has a fixed packet format that cannot be added or extended. It supports IPv4 only. Support for BGP is included. NetFlow v5 supports the export of data from the main cache only; the aggregation cache is not supported. NetFlow v5 does not have the concept of ingress and egress flows. The collector engine reverses the information behind the scenes without any additional configuration.

Information captured by NetFlow v5 includes the following:

  • Source and destination ports
  • Packet counts
  • Byte counts
  • Flow duration
  • I/O interfaces

NetFlow v5 does not support multicast, IPSec and MPLS. Additionally

Configuration

To configure NetFlow version 5, the following configurations are made:

  1. Enable flows on the interface: in interface configuration mode:
    • ip flow ingress: enables NetFlow for inbound traffic on an interface
    • ip flow egress: enables NetFlow for outbound traffic on an interface.

    R1(config-if)#interface g1/0
    R1(config-if)#ip flow ingress
    R1(config-if)#ip flow egress

    The legacy interface command ip route-cache flow can also be used as an alternative to the above commands on platforms that still support it. It enables NetFlow on an interface as well as any configured sub-interfaces.

  2. Configure location of flow data storage: NetFlow data is stored locally in the device cache or exported to a NetFlow collector.
    • Local Retrieval: Local retrieval is also known as stand-alone mode where NetFlow records are stored in the local router memory. This information can be accessed using the CLI. The following commands enable monitoring of bandwidth based on bytes or packet count:

      R1(config)#ip flow-top-talkers
      R1(config-flow-top-talkers)#top 10
      R1(config-flow-top-talkers)#sort-by bytes

      To view the flows, use the command show ip flow top-talkers.

      NetFlow is a heavy resource hungry feature. It is recommended not to enable NetFlow on a router that is experiencing heavy resource constraints.

    • Export (Configuration Only):
      • Define the export destination: using the command ip flow-export destination <ip-address> <port> [sctp|udp].

        R1(config)#no ip flow-export destination 192.168.34.2 ?
          <1-65535> UDP/SCTP port number

        R1(config)#ip flow-export destination 192.168.14.2 9999

        The NetFlow records are exported by the NetFlow exporter to the collector using UDP. An IP address of a NetFlow collector and a destination UDP port have to be configured on the flow exporter. A router (NetFlow exporter) will maintain a track of flow record which is already exported, hence if the NetFlow packets are dropped in the event of packet corruption or network congestion.

        NetFlow export also uses SCTP (stream control transmission protocol) to export the NetFlow records. This offers protection against the loss of packets. In the case of NetFlow version 9, SCTP ensures that the NetFlow v9 template is received by the collector before exporting the related record. The NetFlow export only uses the network backbone link, packet loss can be negligible.

        The NetFlow collector listens for NetFlow records on UDP or SCTP. However, the port is not explicitly defined. The administrator can configure a UDP port of choice; the commonly configured port number is 9995, 9996 or 9999. It is important to note that when configuring a NetFlow collector to collect NetFlow records from more than one NetFlow exporter, each NetFlow exporter should be configured to export flow records to a different port number. Otherwise the NetFlow collector will aggregate the flow records. So it is recommended to configure one port for one NetFlow exporter.

      • ip flow-export version [5|9]: specifies the format of exported NetFlow records. It is possible to configure NetFlow version 5 and export Flow records in version 9.

        R1(config)#ip flow-export version 5 ?
          bgp-nexthop  record BGP NextHop
          origin-as    record origin AS
          peer-as      record peer AS
          
          <cr>  

        R1(config)#ip flow-export version 5

      • Specify the source IP address: the source IP address can be configured using the command ip flow-export source <interface>.

        R1(config)#ip flow-export source lo0

        This is particularly important in scenarios where, with multipathing, NetFlow records from one device may have different source IP addresses due to the different egress interfaces that the NetFlow traffic may have used. This command ensures that the source IP address is consistent for all flow records from a device.

Verification

show ip cache [verbose] flow

Displays basic statistics for NetFlow records that are stored in the router's local cache.

The section "IP packet size distribution" displays the different packet sizes an the percentage of network traffic that had be given size. A value of .855 is equivalent to 85.5 percent of traffic has a packet size of 128 bytes.

R1#show ip cache flow
IP packet size distribution (9364 total packets):                            
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .010 .132 .855 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
                                                                              
    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608                    
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000                    
                                                                              
IP Flow Switching Cache, 4456704 bytes                                        
  5 active, 65531 inactive, 122 added                                        
  12987 ager polls, 0 flow alloc failures                                    
  Active flows timeout in 30 minutes                                          
  Inactive flows timeout in 15 seconds                                        
IP Sub Flow Cache, 533256 bytes                                              
  5 active, 16379 inactive, 105 added, 105 added to flow                      
  0 alloc failures, 0 force free                                              
  1 chunk, 2 chunks added                                                    
  last clearing of statistics never                                          
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow  
ICMP                81      0.0        99    99      1.6       4.1      15.8  
IP-other            36      0.0        25    80      0.1     212.2      13.8  
Total:             117      0.0        76    97      1.8      68.1      15.2  
                                                                              
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi2/0         192.168.14.2    Local         1.1.1.1         01 0000 0303     1
                                                                              
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi3/0         192.168.13.2    Null          224.0.0.5       59 0000 0000    74
Gi0/0         192.168.12.2    Null          224.0.0.5       59 0000 0000   132
Gi1/0         192.168.15.2    Null          224.0.0.5       59 0000 0000    97
Gi2/0         192.168.14.2    Null          224.0.0.5       59 0000 0000    53
R1#

The port numbers are displayed in hexadecimal values.

From the output, under the Destination interface column(DstIf), ingress interfaces have a * appended to the interface name.

R1#show ip cache verbose flow
IP packet size distribution (9530 total packets):                            
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .011 .146 .841 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
                                                                            
    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608                    
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000                    
                                                                            
IP Flow Switching Cache, 4456704 bytes                                      
  5 active, 65531 inactive, 135 added                                        
  14644 ager polls, 0 flow alloc failures                                    
  Active flows timeout in 30 minutes                                        
  Inactive flows timeout in 15 seconds                                      
IP Sub Flow Cache, 533256 bytes                                              
  5 active, 16379 inactive, 118 added, 118 added to flow                    
  0 alloc failures, 0 force free                                            
  1 chunk, 2 chunks added                                                    
  last clearing of statistics never                                            
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow  
ICMP                94      0.0        86    99      1.5       3.5      15.9  
IP-other            36      0.0        25    80      0.1     212.2      13.8  
Total:             130      0.0        69    97      1.7      61.3      15.3  
                                                                              
                                                                              
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Gi2/0          192.168.14.2    Local          1.1.1.1         01 C0  10       1
0000 /30 0                     0303 /32 0     0.0.0.0                56     0.0
                                                                              
Gi3/0          192.168.13.2    Null           224.0.0.5       59 C0  10     112
0000 /30 0                     0000 /0  0     0.0.0.0                80  1023.4
                                                                              
Gi0/0          192.168.12.2    Null           224.0.0.5       59 C0  10     171
0000 /30 0                     0000 /0  0     0.0.0.0                80  1557.9
                                                                              
Gi1/0          192.168.15.2    Null           224.0.0.5       59 C0  10     135
0000 /30 0                     0000 /0  0     0.0.0.0                80  1221.8
                                                                              
Gi2/0          192.168.14.2    Null           224.0.0.5       59 C0  10      91
0000 /30 0                     0000 /0  0     0.0.0.0                80   825.3

show ip flow export

Displays the NetFlow data export configuration and statistics of NetFlow records that are being exported.

R1#show ip flow export
Flow export v5 is enabled for main cache
  Export source and destination details :
  VRF ID : Default      
    Source(1)       1.1.1.1 (Loopback0)
    Destination(1)  192.168.14.2 (9999)
  Version 5 flow records
  159 flows exported in 143 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  27 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
R1#

show ip flow interface

Displays the NetFlow configuration for each interface

R1#show ip flow interface
GigabitEthernet0/0
  ip route-cache flow
  ip flow ingress
  ip flow egress
GigabitEthernet1/0
  ip flow ingress
  ip flow egress
GigabitEthernet2/0
  ip flow ingress
  ip flow egress
GigabitEthernet3/0
  ip flow ingress
  ip flow egress

show ip flow top-talkers

This table displays real-time values for the top devices transmitting and receiving traffic.

R1#show ip flow top-talkers

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Gi0/0         192.168.12.2    Null          224.0.0.5       59 0000 0000  8248
Gi1/0         192.168.15.2    Null          224.0.0.5       59 0000 0000  5448
Gi3/0         192.168.13.2    Null          224.0.0.5       59 0000 0000  3608
Gi2/0         192.168.14.2    Null          224.0.0.5       59 0000 0000  1840
4 of 10 top talkers shown. 4 flows processed.

R1#show ip flow top-talkers verbose

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs Bytes
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
Gi0/0          192.168.12.2    Null           224.0.0.5       59 C0  10    8248
0000 /30 0                     0000 /0  0     0.0.0.0                80   938.2
                                                                              
Gi1/0          192.168.15.2    Null           224.0.0.5       59 C0  10    5448
0000 /30 0                     0000 /0  0     0.0.0.0                80   606.4
                                                                              
Gi3/0          192.168.13.2    Null           224.0.0.5       59 C0  10    3608
0000 /30 0                     0000 /0  0     0.0.0.0                80   402.1
                                                                              
Gi2/0          192.168.14.2    Null           224.0.0.5       59 C0  10    1840
0000 /30 0                     0000 /0  0     0.0.0.0                80   210.5
                                                                              
4 of 10 top talkers shown. 4 flows processed.

clear ip flow stats

Clearing statistics to observer NetFlow operations.

NetFlow Version 9

NetFlow version 9 is a flexible format, which provides the versatility needed for support of new fields and record types. It provides support for export of packet data from IPv6, multicast, Multiprotocol Label Switching(MPLS), BGP next hop etc. NetFlow version 9 is template-based. Templates provide a means of extending the record format, and ensures that NetFlow can be adapted to provide support for new protocols. A template describes a NetFlow record format and attributes of the fields within the record. The router assigns teach templete an ID, which is communicated to the Collection Engine along with the template description. The template ID is used for all further communication from the router to the Collection Engine. However, NetFlow records generated with version 9 are not backwards compatible with previous versions of NetFlow.

With NetFlow v9, templates used are preconfigured on the IOS. These cannot be easily modified. However, with flexible NetFlow, these templates can be manually configured. In version 9, the command flow-capture can be used to add fields of the packet in NetFlow records.

Unlike version 5 which exports records only from the main cache, NetFlow 9 supports the export of data from main cache and aggregation cache.

NetFlow v9 introduces the concept of "egress" flows. Traffic statistics on ingress flows are calculated before compression. This may be a problem if WAN links are using compression of packets. Egress flow statistics are calculated after compression.

In addition to information captured by NetFlow v5, the following information is captured by NetFlow v9:

  • Fragmentation flags
  • Other TCP flags/counters
  • Flow direction
  • DSCP info
  • ToS
  • ICMP and IGMP
  • TTL

Configuration

  1. Enable flows on the interface: In interface configuration mode: ip flow [ingress|egress]

  2. Configure the flow export destination: Define the export destination using the command ip flow-export destination <ip-address> <port> [sctp|udp].
  3. Define the source IP address:
  4. using the command ip flow-export source <interface>.
  5. Configure the export version: ip flow-export version 9.
  6. The characteristics of the packets to be included in the NetFlow records are defined using the template keyword which specifies that template specific configurations follow. Some template-defined parameters include the following:

    Command Description
    ip flow-export template timeout-rate <minutes>

    Set the template timeout to one minute: ip flow-export template timeout-rate 1. This ensures that there are no data gaps if the network service or server restarts. The default setting for long active flows (long-lived flows) is 30 minutes. This can cause high peaks well above circuit speeds. By breaking the cached flows into one-minute fragments, we can avoid the high peaks by normalizing the data.

    ip flow-export template options export-stats
    ip flow-export template options refresh-rate <1-600> Specifies the number of packets exported before the templates are resent. The default is 20.
    ip flow-export template options timeout-rate <minutes> Specifies time elapsed before templates are resent. The default is 30 minutes
    ip flow-capture fragment-offset Capture the fragment offset information
    ip flow-capture packet-length Capture the max and min packet length
    ip flow-capture ttl Capture the TTL
    ip flow-capture vlan-id Capture the VLAN ID
    ip flow-capture icmp Capture the ICMP type and code
    ip flow-capture ip-id Capture the IP ID
    ip flow-capture mac-addresses Capture the source and destination MAC addresses.
    ip flow-cache timeout inactive <10-600> Capture the inactive timeout value in seconds.
    ip flow-cache timeout active 1

    R1(config)#ip flow-capture packet-length
    R1(config)#ip flow-capture ttl
    R1(config)#ip flow-capture fragment-offset
    R1(config)#ip flow-capture mac-addresses
    R1(config)#ip flow-capture ip-id

  7. IfIndex Persistance: To ensure that the interface indices persists across device reboots, snmp-server ifindex persist.

Flow Sampler

A flow sampler is used to define a subset of packets whose statistics are representative of the traffic transiting an interface rather than all packets going through the interface. Sampling flow data reduces the load on the CPU and memory. However, with sampling flow data, some packet information may be missed. A flow sampler can be configured as follows:

R1(config)#flow-sampler-map ONE_TEN
R1(config-sampler)#mode random one-out-of 10

The flow sampler can then be applied to the interface using the interface command flow-sampler ONE_TEN.

If ingress flow is configured on an interface and a flow sampler is applied to the interface, an error message is generated Warning: ingress NetFlow will override the sampler. The ingress flow command will have to be removed.

R1(config-if)#flow-sampler ONE_TEN ?
R1(config-if)#flow-sampler ONE_TEN
*May 29 22:43:54.035: Warning: ingress NetFlow will override the sampler.
R1(config-if)#no ip flow ingress
*May 29 22:44:06.223: Warning: ingress sampler re-enabled.

Flow sampler with Class Map and Policy Map

A flow sampler can be combined with a class map and a policy map to view network traffic statistics. This can be accomplished using the following commands:

  1. Configure the flow sampler:

    R1(config)#flow-sampler-map ONE_ONE
    R1(config-sampler)#mode random one-out-of 1

  2. Configure the class-map:

    R1(config)#class-map match-all ICMP
    R1(config-cmap)#match protocol icmp

  3. Configure the policy map:

    R1(config)#policy-map PM_SAMPLER
    R1(config-pmap)#class ICMP
    R1(config-pmap-c)#NetFlow-sampler ONE_TEN
    R1(config-pmap)#class class-default
    R1(config-pmap-c)#NetFlow-sampler ONE_ONE

    The default class-map captures statistics on all other traffic i.e., traffic not matched by the class ICMP.

  4. Apply the service policy to the interface:

    R1(config)#interface g0/0
    R1(config-if)#service-policy input PM_SAMPLER

To verify the traffic statistics, use the command show policy-map interface. The other NetFlow verification commands still apply.

On a remote device simulate ICMP traffic:

R2#ping 192.168.15.2 repeat 1000

R1#show policy-map interface g0/0 input
GigabitEthernet0/0
        
  Service-policy input: PM_SAMPLER
        
    Class-map: ICMP (match-all)
      1000 packets, 114000 bytes
      5 minute offered rate 00
00 bps, drop rate 0000 bps
      Match: protocol icmp
      NetFlow-sampler: ONE_TEN
        
    Class-map: class-default (match-any)
      25 packets, 2350 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
      NetFlow-sampler: ONE_ONE
R1#

Verification

show ip flow export

Displays the statistics of the NetFlow export for the main cache and other enabled caches.

R1#show ip flow export
Flow export v9 is enabled for main cache
  Export source and destination details :
  VRF ID : Default      
    Source(1)       1.1.1.1 (Loopback0)
    Destination(1)  192.168.14.2 (9999)
  Version 9 flow records
  388 flows exported in 311 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  27 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
R1#show ip flow export verbose
Flow export v9 is enabled for main cache
  Export source and destination details :
  VRF ID : Default      
    Source(1)       1.1.1.1 (Loopback0)
    Destination(1)  192.168.14.2 (9999)
  Version 9 flow records
  388 flows exported in 311 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  27 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

show ip flow export template

Displays statistics for the NetFlow data export for template specific configurations.

R1#show ip flow export template
   Template Options Flag = 0
   Total number of Templates added = 4
   Total active Templates = 4
   Flow Templates active = 4
   Flow Templates added = 4
   Option Templates active = 0
   Option Templates added = 0
   Template ager polls = 9546
   Option Template ager polls = 0
Main cache version 9 export is enabled
Template export information
   Template timeout = 30
   Template refresh rate = 20
Option export information
   Option timeout = 30
   Option refresh rate = 20
R1#

Clearing NetFlow Stats on a Router

clear ip flow stats.

Flexible NetFlow

Flexible NetFlow improves on original NetFlow by adding the capability to customize the traffic analysis parameters for your specific requirements. Flexible NetFlow is an extension of NetFlow v9. It provides additional functionality that allows you to export more information using the same NetFlow v9 datagram. Flexible NetFlow facilitates the creation of more complex configurations for traffic analysis and data export through the use of templates which are reusable configuration components.

When configuring flexible NetFlow, consider the following:

  • Ensure that the source interface is a loopback interface. This is because this interface does not go down resulting in predictable source IP addresses in the NetFlow records.
  • Set the active timeout to 1 minute using the command ip flow-cache timeout active 1.

It supports the ability to configure different destinations(collectors) for different categories of traffic.

IPFIX

IPFIX (IP Flow Information eXport) is the standards-based method for exporting the flow information to a collector that was published by IETF. It is intended to serve as a universal protocol for exporting flow information. IPFIX has extensive flexibility in its configurations. Cisco configuration commands will consider export format in IPFIX as NetFlow version 10.

Configuration of Flexible NetFlow

To configure flexible NetFlow:

  1. Create a flow record: a flow record explicitly specifies what exactly we are sampling. This creates the template to match on. This template can be modified using the match and collect commands.
    1. Define the flow record: using the command flow record <flow-name>
    2. Match the traffic category: The key fields can be matched using the command match [ipv4|ipv6|interface|flow|datalink|application|routing|transport]

      Where:

      Parameter Description
      transport [destination-port | igmp | icmp | source-port] Specifies a match to the transport layer fields.
      ipv4 [destination | protocol | source | tos | ttl | version] Specifies a match to IPv4 fields.
      ipv6 [destination | hop-limit | protocol | source | traffic-class | version] Specifies a match to the IPv6 fields.
      interface [input | output] Specifies a match to the interface fields.
      datalink [dot1q | mac | vlan | ethertype] Specifies a match to the datalink or Layer 2 fields.

      At least of these parameters must be configured for a flow record.

      R3(config)#flow record FLOW-RECORD-G00
      R3(config-flow-record)#description NetFlow Record for TTL, TOS, PACKET_LENGTH
      R3(config-flow-record)#match interface input
      R3(config-flow-record)#match interface output
      R3(config-flow-record)#match ipv4 destination address
      R3(config-flow-record)#match ipv4 destination mask
      R3(config-flow-record)#match ipv4 source address
      R3(config-flow-record)#match ipv4 source mask
      R3(config-flow-record)#match ipv4 precedence
      R3(config-flow-record)#match ipv4 protocol
      R3(config-flow-record)#match ipv4 total-length
      R3(config-flow-record)#match ipv4 ttl
      R3(config-flow-record)#match ipv4 tos

    3. Specify the collection field: using the command collect [ counter | interface | timestamp absolute | transport tcp flags]. The following example collects the count of traffic in bytes: collect counter bytes.

      Where:

      Parameter Description
      transport tcp flags [ack | cwr | ece | fin | psh | rst | syn | urg] Collects TCP flags. On switches, all TCP flags will be collected. Only with routers can the TCP flag type be specified.
      timestamp absolute [first | last] Collects the fields for the absolute time the most recent packet was last seen(in milliseconds).
      interface [input | output] Collects fields from the input or output interface.
      counter [bytes [layer2 [long] | long] | packets [long]] Collects the counter fields total bytes and total packets.

      R3(config-flow-record)#collect datalink mac source address output
      R3(config-flow-record)#collect counter packets long
      R3(config-flow-record)#collect counter bytes long
      R3(config-flow-record)#collect flow direction
      R3(config-flow-record)#collect application name
      R3(config-flow-record)#collect transport tcp flags
      R3(config-flow-record)#collect transport tcp destination-port
      R3(config-flow-record)#collect timestamp absolute first
      R3(config-flow-record)#collect timestamp absolute last

  2. Create Flow Export: Define export parameters for a flow.

    1. Define the flow export name: flow exporter <name>

      R3(config)#flow export FLOW-EXPORT-G00

    2. Specify the destination IPv4 address or hostname: destination <ip-address> vrf <vrf-name>

      R3(config-flow-exporter)#destination 192.168.15.2

    3. Specify the UDP port: transport udp <1-65535>

      R3(config-flow-exporter)#transport udp 9999

    4. Specify the NetFlow export version: using the command export [ipfix | NetFlow-v5 | NetFlow-v9].

      R3(config-flow-exporter)#export ipfix

    5. Define the source interface:

      R3(config-flow-exporter)#source g0/0

  3. Configure a flow monitor: the flow monitor ties the flow record to the flow exporter. The flow monitor calls the flow record.
    1. Define the flow monitor name using the command flow monitor <name>.

      R3(config)#flow monitor FLOW-MONITOR-G00

    2. Configure a description: using the command description <text>.

      R3(config-flow-monitor)#description NetFlow monitor for traffic transiting G0/0

    3. Specify the configured flow record: using the command record <name>.

      R3(config-flow-monitor)#record FLOW-RECORD-G00

    4. Specify the configured flow exporter: using the command exporter <name>.

      R3(config-flow-monitor)#exporter FLOW-EXPORT-G00

    5. Specify the active timeout in seconds: using the command cache timeout active <1-604800>.

      R3(config-flow-monitor)#cache timeout active 1

  4. Apply the flow monitor: Associate a flow monitor and optional flow sampler to a Layer 2, Layer 3 or VLAN interface using the command ip flow monitor <monitor-name> [sampler <sampler-name>] [input | output]. The direction can be input or output.

    R1(config)#interface g2/0
    R1(config-if)#ip flow monitor FLOW-MONITOR_G00 sampler ONETEN input
    R1(config-if)#ip flow monitor FLOW-MONITOR_G00 sampler ONETEN output

Flow Sampler

A flow sampler can be added to the configuration as follows:

  1. Define the flow sampler: using the command sampler <sampler-name>.
  2. Define the mode: using the command mode [1-out-of 10].
  3. Link the sampler to the flow monitor: using the interface command ip flow monitor FNF sampler ONE_TEN input.

Verification

show flow record

To view configured flow records.

R3#show flow record
flow record FLOW-RECORD-G00:
  Description:        NetFlow Record for TTL, TOS, PACKET_LENGTH
  No. of users:       1
  Total field space:  70 bytes
  Fields:
    match ipv4 tos
    match ipv4 precedence
    match ipv4 total-length
    match ipv4 ttl
    match ipv4 protocol
    match ipv4 source address
    match ipv4 source mask
    match ipv4 destination address
    match ipv4 destination mask
    match interface input
    match interface output
    collect datalink mac source address output
    collect transport tcp destination-port
    collect transport tcp flags
    collect flow direction
    collect counter bytes long
    collect counter packets long
    collect timestamp absolute first
    collect timestamp absolute last
    collect application name

show flow record NetFlow ipv4 original-input

Lists the builtin flow records templates in the IOS.

R3#show flow record NetFlow ipv4 original-output
flow record NetFlow ipv4 original-output:
  Description:        Traditional IPv4 output NetFlow with ASs
  No. of users:       0      
  Total field space:  53 bytes
  Fields:                    
    match ipv4 tos            
    match ipv4 protocol      
    match ipv4 source address
    match ipv4 destination address
    match transport source-port
    match transport destination-port
    match interface output    
    match flow sampler        
    collect routing source as
    collect routing destination as
    collect routing next-hop address ipv4
    collect ipv4 source mask  
    collect ipv4 destination mask
    collect transport tcp flags
    collect interface input  
    collect counter bytes    
    collect counter packets  
    collect timestamp sys-uptime first
    collect timestamp sys-uptime last

show flow record NetFlow ipv4 prefix

Displays NetFlow record template for collecting IPv4 prefix information from packets.

R3#show flow record NetFlow ipv4 prefix
flow record NetFlow ipv4 prefix:
  Description:        Source and Destination Prefixes aggregation schemes
  No. of users:       0  
  Total field space:  38 bytes
  Fields:
    match routing source as
    match routing destination as
    match ipv4 source prefix
    match ipv4 source mask
    match ipv4 destination prefix
    match ipv4 destination mask
    match interface input
    match interface output
    collect counter bytes
    collect counter packets
    collect timestamp sys-uptime first
    collect timestamp sys-uptime last

show flow exporter

Displays NetFlow exporter configurations.

R3#show flow exporter
Flow Exporter FLOW-EXPORT-G00:
  Description:              NetFlow export to destination 192.168.15.2
  Export protocol:          IPFIX (Version 10)
  Transport Configuration:    
    Destination IP address: 192.168.15.2
    Source IP address:      192.168.13.2
    Source Interface:       GigabitEthernet0/0
    Transport Protocol:     UDP
    Destination Port:       9999
    Source Port:            59235
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Not Used

show flow exporter templates

R3#show flow exporter templates
Flow Exporter FLOW-EXPORT-G00:                                                  
  Client: Flow Monitor FLOW-MONITOR-G00                                        
  Exporter Format: IPFIX (Version 10)                                          
  Template ID    : 256                                                          
  Source ID      : 0                                                            
  Record Size    : 70                                                          
  Template layout                                                              
  _____________________________________________________________________________
  |                 Field                   |    ID | Ent.ID | Offset |  Size |
  -----------------------------------------------------------------------------
  | ipv4 source address                     |     8 |        |      0 |     4 |
  | ipv4 destination address                |    12 |        |      4 |     4 |
  | interface input snmp                    |    10 |        |      8 |     4 |
  | interface output snmp                   |    14 |        |     12 |     4 |
  | ipv4 total-length                       |   190 |        |     16 |     2 |
  | ipv4 source mask                        |     9 |        |     18 |     1 |
  | ipv4 destination mask                   |    13 |        |     19 |     1 |
  | ip tos                                  |     5 |        |     20 |     1 |
  | ip precedence                           |   196 |        |     21 |     1 |
  | ip protocol                             |     4 |        |     22 |     1 |
  | ip ttl                                  |   192 |        |     23 |     1 |
  | transport tcp flags                     |     6 |        |     24 |     1 |
  | flow direction                          |    61 |        |     25 |     1 |
  | datalink mac source address output      |    81 |        |     26 |     6 |
  | transport tcp destination-port          |   183 |        |     32 |     2 |
  | application id                          |    95 |        |     34 |     4 |
  | counter bytes long                      |     1 |        |     38 |     8 |
  | counter packets long                    |     2 |        |     46 |     8 |
  | timestamp absolute first                |   152 |        |     54 |     8 |
  | timestamp absolute last                 |   153 |        |     62 |     8 |
  -----------------------------------------------------------------------------

show flow exporter statistics

Displays details of NetFlow exporter statistics such as bytes sent, number of records added and sent.

R3#show flow exporter statistics
Flow Exporter FLOW-EXPORT-G00:
  Packet send statistics (last cleared 02:08:51 ago):
    Successfully sent:         155                   (20566 bytes)

  Client send statistics:      
    Client: Flow Monitor FLOW-MONITOR-G00
      Records added:           175
        - sent:                175
      Bytes added:             12250
        - sent:                12250

show flow monitor <flow-monitor-name>

Displays Flow monitor information.

R3#show flow monitor
Flow Monitor FLOW-MONITOR-G00:
  Description:       NetFlow monitor for traffic transiting G0/0
  Flow Record:       FLOW-RECORD-G00
  Flow Exporter:     FLOW-EXPORT-G00
  Cache:                  
    Type:              normal
    Status:            allocated
    Size:              4096 entries / 442396 bytes
    Inactive Timeout:  15 secs
    Active Timeout:    60 secs
    Update Timeout:    1800 secs

show flow monitor <flow-monitor-name> cache

Display Flow monitor cache contents.

R3#show flow monitor FLOW-MONITOR-G00 cache
  Cache type:                               Normal
  Cache size:                                 4096
  Current entries:                               2
  High Watermark:                                5
                                                
  Flows added:                                 319
  Flows aged:                                  317
    - Active timeout      (    60 secs)         68
    - Inactive timeout    (    15 secs)        249
    - Event aged                                 0
    - Watermark aged                             0
    - Emergency aged                             0
                                                
IPV4 TOTAL LENGTH:                   56          
IPV4 SOURCE ADDRESS:                 192.168.15.2
IPV4 SOURCE MASK:                    /30        
IPV4 DESTINATION ADDRESS:            192.168.13.2
IPV4 DESTINATION MASK:               /0          
INTERFACE INPUT:                     Gi0/0      
INTERFACE OUTPUT:                    Null        
IP TOS:                              0xC0        
IP PRECEDENCE:                       6          
IP PROTOCOL:                         1          
IP TTL:                              253        
datalink mac source address output:  0000.0000.0000
tcp destination port:                0          
tcp flags:                           0x00        
flow direction:                      Input      
counter bytes long:                  56          
counter packets long:                1          
timestamp abs first:                 00:13:44.970
timestamp abs last:                  00:13:44.970
application name:                    prot icmp  
                                                
IPV4 TOTAL LENGTH:                   80          
IPV4 SOURCE ADDRESS:                 192.168.13.1
IPV4 SOURCE MASK:                    /30        
IPV4 DESTINATION ADDRESS:            224.0.0.5  
IPV4 DESTINATION MASK:               /0          
INTERFACE INPUT:                     Gi0/0      
INTERFACE OUTPUT:                    Null        
IP TOS:                              0xC0        
IP PRECEDENCE:                       6          
IP PROTOCOL:                         89          
IP TTL:                              1          
datalink mac source address output:  0000.0000.0000
tcp destination port:                0          
tcp flags:                           0x00        
flow direction:                      Input      
counter bytes long:                  80          
counter packets long:                1          
timestamp abs first:                 00:13:49.766
timestamp abs last:                  00:13:49.766
application name:                    cisco unclassified
                                                
                                                

show flow monitor <flow-monitor-name> statistics

Displays Flow monitor statistics.

R3#show flow monitor FLOW-MONITOR-G00 statistics
  Cache type:                               Normal
  Cache size:                                 4096
  Current entries:                               2
  High Watermark:                                5
                                                
  Flows added:                                 320
  Flows aged:                                  318
    - Active timeout      (    60 secs)         68
    - Inactive timeout    (    15 secs)        250
    - Event aged                                 0
    - Watermark aged                             0
    - Emergency aged                             0


R3#

Troubleshooting

Common NetFlow configuration problems on the VSM can occur if you attempt to do the following:

  • Use undefined records, exporters, samplers, or monitors
  • Use invalid records, exporters, samplers, or monitors
  • Modify records, exporters, samplers, or monitors after they are applied to an interface
  • Configure a monitor on an interface which causes the VEM to run out of memory and results in a verification error.

  • Consider the unidirectional nature of NetFlow traffic. Verify using the following commands:
    • ip flow ingress
    • ip flow outbound
    • show ip flow interface
  • Consider the appropriate interface. Verify configured interfaces using show ip flow interface.
  • Consider exporting to a collector: verify configured settings using show ip flow export.
  • Consider the source of NetFlow export packets; verify with the commands:
    • ip flow-export source <interface
    • show ip flow export
  • Consider versions 5 and 9, with version 9 being the more popular choice. Verify using the command ip flow-export version[5|9] and show ip flow-export.
  • Avoid duplication: When monitoring only one interface, configure ip flow ingress and ip flow egress. If monitoring more than one interface, configure ip flow ingress only.