1. Home
  2. Networking
  3. Network Management

Example: NetFlow Configuration on the Catalyst

The following example shows the configuration of NetFlow on a Cisco 7600. The flow records from both the PFC and the MSFC are exported to the collector with the IP address 10.48.71.129 and UDP port 9991. NetFlow is configured with the interface-full flow mask, to export the flow records with NetFlow version 5, and to exclude the flow records whose destination IP address is part of the 10.10.10.0/24 network. The command mls nde sender version 5 is specific to the flow records accounted on the PFC, and the command ip flow-export version 5 is specific to the flow records accounted on the MSFC.

7600(config)# mls flow ip interface-full
7600(config)# mls netflow
7600(config)# mls nde sender version 5
7600(config)# mls nde flow exclude destination 10.10.10.0 255.255.255.0

7600(config)# interface GigabitEthernet1/8
7600(config-if)# ip flow ingress

7600(config)# interface Vlan1
7600(config-if)# ip flow ingress

7600(config)# ip flow-export version 5
7600(config)# ip flow-export destination 10.48.71.129 9991

The NetFlow cache contains the flow records, PFC, and MSFC, with a clear separation in the output. This happens because the flows are monitored at two different logical entities and because the flows are classified according to two different sets of key-fields. Note also the Null interface for the flow records monitored by the MSFC.

Code View:
7600# show ip cache flow
----------------------------------------------------------------------
MSFC:
IP packet size distribution (58 total packets):
  1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
  .000 .982 .000 .000 .000 .000 .000 .000 .000 .000 .017 .000 .000 .000 .000

   512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
  .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
 11 active, 65525 inactive, 11 added
 193 ager polls, 0 flow alloc failures
 Active flows timeout in 30 minutes
 Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 270664 bytes
 11 active, 16373 inactive, 11 added, 11 added to flow
 0 alloc failures, 0 force free
 1 chunk, 1 chunk added
 last clearing of statistics never
Protocol         Total    Flows    Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec      /Flow  /Pkt     /Sec     /Flow     /Flow

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl1           0.0.0.0         Null          255.255.255.255 11 0044 0043  1
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
07C1     7 Vl1           10.48.77.118    Null          224.0.0.2       11 07C1
07C1     8 Vl1           10.48.73.58     Null          224.0.0.10      58 0000
0000     5
----------------------------------------------------------------------
PFC:

Displaying Hardware entries in Module 5
SrcIf            SrcIPaddress          DstIPaddress      Pr       SrcP
DstP      Pkts
Vl1              10.48.71.129          10.48.72.208      tcp      62816
telnet    0            --               0.0.0.0               0.0.0.0
0        0         0         6

The show mls nde and show ip flow export commands display the NetFlow export information for the PFC and MSFC, respectively. The fact that the two exports use the same source IP address (10.48.72.208) allows the export from NetFlow version 5 from both the PFC and the MSFC.

Code View:
7600# show mls nde
 Netflow Data Export enabled
 Exporting flows to 10.48.71.129 (9992)
 Exporting flows from 10.48.72.208 (56986)
 Version: 5
 Include Filter not configured
 Exclude Filter is:
   destination:  ip address 10.10.10.0, mask 255.255.255.0
 Total Netflow Data Export Packets are:
    0 packets, 0 no packets, 0 records
 Total Netflow Data Export Send Errors:
        IPWRITE_NO_FIB = 0
        IPWRITE_ADJ_FAILED = 0
        IPWRITE_PROCESS = 0
        IPWRITE_ENQUEUE_FAILED = 0
        IPWRITE_IPC_FAILED = 0
        IPWRITE_OUTPUT_FAILED = 0
        IPWRITE_MTU_FAILED = 0
        IPWRITE_ENCAPFIX_FAILED = 0
 Netflow Aggregation Disabled
7600# show ip flow export
Flow export v5 is enabled for main cache
  Exporting flows to 10.48.71.129 (9992)
  Exporting using source IP address 10.48.72.208
  Version 5 flow records
  50826 flows exported in 23589 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
  0 export packets were dropped enqueuing for the RP
  0 export packets were dropped due to IPC rate limiting



Network Management: Accounting and Performance Strategies - Graphically Rich Book
About the Authors
About the Technical Reviewers
Acknowledgments
Icons Used in This Book
Command Syntax Conventions
Introduction
Part I: Data Collection and Methodology Standards
Part II: Implementations on the Cisco Devices
Chapter 4. SNMP and MIBs
Chapter 5. RMON
Chapter 6. IP Accounting
Chapter 7. NetFlow
Fundamentals of NetFlow
CLI Operations
SNMP Operations with the NETFLOW-MIB
Example: NetFlow Version 5 on a Router
Example: NetFlow Configuration on the Catalyst
Example: NetFlow Version 8
Example: NetFlow Version 9
New Features Supported with NetFlow Version 9
Deployment Guidelines
Supported Devices and IOS Versions
Chapter 8. BGP Policy Accounting
Chapter 9. AAA Accounting
Chapter 10. NBAR
Chapter 11. IP SLA
Chapter 12. Summary of Data Collection Methodology
Part III: Assigning Technologies to Solutions