Network Administration Configuration Guide, Cisco IOS XE Dublin 17.11.x (Catalyst 9300 switches) - Flexible NetFlow Configuration [Support] (2023)

Prerequisites for Flexible NetFlow

  • You are familiar with the key Flexible NetFlow fields as defined in the following commands:

    • match flow

    • match interface

    • match {ipv4 | ipv6}

    • match routing

    • match transport

  • You are familiar with the Flexible NetFlow non-key fields as defined in the following commands:

    • collect counter

    • collect flow

    • collect interface

    • collect {ipv4 | ipv6}

    • collect routing

    • collect timestamp sys-uptime

    • collect transport

  • The network device must be running a Cisco release that supports Flexible NetFlow.

IPv4 traffic

  • The network device must be configured for IPv4 routing.

  • One of the following must be enabled on your device and on any interface you want to enable Flexible NetFlow on: Cisco Express Forwarding or Distributed Cisco Express Forwarding.

IPv6 traffic

  • The network device must be configured for IPv6 routing.

  • One of the following must be enabled on your device and on any interface you want to enable Flexible NetFlow on: Cisco Express Forwarding IPv6 or Cisco Express Forwarding distributed.

Restrictions for Flexible NetFlow

The following are restrictions for Flexible NetFlow:

  • Flexible NetFlow is not supported on the Layer 2 port-channel interface, but is supported on member ports of the Layer 2 port-channel.

  • NetFlow traditional accounting is not supported.

  • The Flexible NetFlow version 9 and version 10 export formats are supported. However, if you have not configured the export protocol, the version 9 export format is applied by default.

  • For over-the-wire Application Visibility and Control (AVC) traffic, only one flow monitor can be configured on one or more Layer 2 or Layer 3 physical interfaces on the system.

  • Flexible NetFlow and NBAR cannot be configured together at the same time on the same interface.

  • Layer 2, IPv4, and IPv6 traffic types are supported. Multiple flow monitors of different types of traffic can be applied for a given interface and direction. Multiple flow monitors of the same type of traffic cannot be applied for a given interface and direction.

  • Layer 2, VLAN, Layer 3, and SVI interfaces are supported, but the device does not support tunnels.

  • The following NetFlow table sizes are supported:

    License Level        Ingress NetFlow Table   Egress NetFlow Table

    Network Essentials   32K                     32K

    Network Advantage    32K                     32K

  • Depending on the type of switch, a switch will have one or two forwarding ASICs. Capacities listed in the table above are per core/per ASIC.

  • The switch can support one or two cores. Each overflow TCAM can support 256 ingress and 256 egress entries per core.

  • NetFlow tables are in separate compartments and cannot be combined. Depending on which core processed the packet, the flows are created in the table in the corresponding core.

  • The NetFlow hardware implementation supports four hardware samplers. You can select a sampling rate from 1 out of 2 to 1 out of 1024. Both random and deterministic sampling modes are supported.

  • NetFlow hardware uses hash tables internally. Hash collisions can occur in hardware. Therefore, despite the internal overflow content-addressable memory (CAM), the actual NetFlow table utilization might be around 80 percent.

  • Depending on the fields that are used for the flow, a single flow might take two consecutive entries. Datalink and IPv6 flows also take two entries. In these situations, the effective usage of NetFlow entries is half the table size, which is separate from the hash collision limitation above.

  • The device supports up to 15 flow monitors.

  • The NetFlow software implementation supports distributed export of NetFlow, whereby flows are exported from the same device on which the flow was created.

  • Ingress flows are present on the ASIC that first received the packets for the flow. Egress flows are present on the ASIC from which the packets actually left the device.

  • The value reported for the byte count field (called "bytes long") is the Layer 2 packet size minus 18 bytes. For classic Ethernet (802.3) traffic, this will be accurate. For all other Ethernet types, this field will not be exact. Use the "bytes layer2" field, which always reports the exact size of the Layer 2 packet. For information about supported Flexible NetFlow fields, see the "Supported Flexible NetFlow Fields" topic.

  • Configuring the IPFIX exporter on an AVC stream monitor is not supported.

  • NetFlow flexible export is not supported on the Ethernet management port, GigabitEthernet 0/0.

  • When a flow record has only the Source Group Tag (SGT) and Destination Group Tag (DGT) fields (or only either one of these) and if both values are not applicable, then a flow will still be created with zero values for SGT and DGT. Flow records are expected to include the source and destination IP addresses along with the SGT and DGT fields.

  • On non-Cisco TrustSec interfaces, an SGT value of zero implies that there is no CMD header. On Cisco TrustSec interfaces, an SGT value of zero implies an unknown tag.

  • When a QoS-marked packet is received on an interface that has NetFlow configured in the ingress direction, the NetFlow collector captures the QoS value of the packet. However, when the packet is received on an interface that has NetFlow configured in the egress direction and the switch has rewritten the QoS value on ingress, the collector does not capture the new QoS value of the packet.

  • For an IPv6 flow monitor, the Source Group Tag (SGT) and Destination Group Tag (DGT) fields cannot coexist with MAC address fields.

  • NetFlow records do not support Multiprotocol Label Switching-enabled (MPLS-enabled) interfaces.

  • MPLS label-based data capture is not supported within the MPLS network. Capture of IP header fields from an MPLS-tagged packet is not supported.

  • Egress flow monitors do not capture flows that are egressing in EoMPLS mode or in L3VPN per-prefix mode.

  • The flow exporter exports the flow data only after the template data timeout period ends. Configuration changes, such as changing the VPN ID or removing a VRF, take effect after the timeout period ends.

  • A flow monitor cannot be shared between Layer 3 physical interfaces and logical interfaces (such as Layer 3 port-channel interface, Layer 3 port-channel member, and Switch Virtual Interface [SVI]), but a flow monitor can be shared between Layer 3 logical interfaces or physical interfaces.

  • When Flexible NetFlow and Network Address Translation (NAT) are configured on an interface,

    • Flexible NetFlow will display and export the details of the actual flow; but not the translated flow details. The Application Layer Gateway (ALG) flow details are not part of the actual flow details that are exported.

    • If the ALG traffic is translated through the CPU, Flexible NetFlow will display and export the details of the translated flow for the ALG traffic.

Information About Flexible NetFlow

The following sections provide information about Flexible NetFlow.

Flexible NetFlow Overview

Flexible NetFlow uses flows to provide statistics for accounting, network monitoring, and network planning.

A flow is a unidirectional stream of packets that arrives on a source interface and has the same values for the keys. A key is an identified value for a field within the packet. You create a flow using a flow record to define the unique keys for your flow.

The device supports the Flexible NetFlow feature that enables enhanced security and network anomaly detection. Flexible NetFlow allows you to define an optimal flow record for a particular application by selecting the keys from a large collection of predefined fields.

All key values must match for the packet to count for a given flow. A flow can collect other fields of interest, depending on the export record version that you configure. Flows are stored in the Flexible NetFlow cache.

You can export the data that Flexible NetFlow collects for your flow by using an exporter and exporting this data to a remote system such as a Flexible NetFlow collector. The Flexible NetFlow collector can use an IPv4 address.

You define the size of the data that you want to collect for a flow by using a monitor. The monitor combines the flow record and exporter with the Flexible NetFlow cache information.

Starting with Cisco IOS XE 16.12.1, the Source Group Tag (SGT) and Destination Group Tag (DGT) fields over Flexible NetFlow are supported for IPv6 traffic.

Original NetFlow and Benefits of Flexible NetFlow

Flexible NetFlow allows the flow to be user defined. The benefits of Flexible NetFlow include:

  • High-capacity flow recognition, including scalability and aggregation of flow information.

  • Enhanced flow infrastructure for security monitoring and DDoS detection and identification.

  • New packet information to tailor the flow information to a particular service or operation on the network. The available flow information will be customizable by Flexible NetFlow users.

  • Extensive use of Cisco's flexible and extensible NetFlow version 9.

  • A comprehensive IP accounting feature that can be used to replace many accounting features, such as IP accounting, Border Gateway Protocol (BGP) policy accounting, and persistent caches.

Flexible NetFlow allows you to understand network behavior more efficiently, with specific flow information tailored to the various services used on the network. The following are some sample applications for a Flexible NetFlow feature:

  • Flexible NetFlow enhances Cisco NetFlow as a security monitoring tool. For example, new flow keys can be defined for the length of the packet or the MAC address, allowing users to search for a specific type of attack on the network.

  • Flexible NetFlow allows you to quickly identify how much application traffic is being sent between hosts by specifically tracing TCP or UDP applications by the Class of Service (CoS) in the packets.

  • The accounting of traffic entering a Multiprotocol Label Switching (MPLS) or IP core network and its destination for each next hop by class of service. This capability allows the construction of an end-to-end traffic matrix.

The following figure is an example of how Flexible NetFlow could be implemented in a network.


Flexible NetFlow Components

Flexible NetFlow consists of components that can be used together in several variations to perform traffic analysis and data export. The user-defined flow records and the component structure of Flexible NetFlow make it easy to create various configurations for traffic analysis and data export on a network device with a minimum number of configuration commands. Each flow monitor can have a unique combination of flow record, flow exporter, and cache type. If you change a parameter such as the destination IP address for a flow exporter, it is automatically changed for all flow monitors that use the flow exporter. The same flow monitor can be used in conjunction with different flow samplers to sample the same type of network traffic at different rates on different interfaces. The following sections provide more information about the Flexible NetFlow components:

Flow Records

In Flexible NetFlow, a combination of key and non-key fields is called a record. Flexible NetFlow records are assigned to Flexible NetFlow flow monitors to define the cache that is used for storing flow data. Flexible NetFlow includes several predefined records that can help you get started with Flexible NetFlow.

A flow record defines the keys that Flexible NetFlow uses to identify packets in the flow, as well as other fields of interest that Flexible NetFlow collects for the flow. You can define a flow record with any combination of keys and fields of interest. The device supports a broad set of keys. A flow record also defines the types of counters collected per flow. You can configure 64-bit byte or packet counters. The device enables the following match fields as defaults when it creates a flow record:

  • match datalink —Layer 2 attributes

  • match flow direction : Specifies a match to the fields that identify the flow direction.

  • match interface —Interface attributes

  • match ipv4 —IPv4 attributes

  • match ipv6 —IPv6 attributes

  • match transport —Transport layer fields

  • match flow cts —Cisco TrustSec fields

NetFlow Predefined Records

Flexible NetFlow includes several predefined records that you can use to start monitoring traffic on your network. Predefined records are available to help you quickly deploy Flexible NetFlow and are easier to use than user-defined flow records. You can choose from a list of predefined records that may meet your network monitoring needs. As Flexible NetFlow evolves, popular user-defined flow records will be made available as predefined records to make them easier to deploy.

Note

Predefined records are not supported for regular Flexible NetFlow on the Cisco Catalyst 9000 Series Switches.

User-Defined Records

Flexible NetFlow allows you to define your own records for a Flexible NetFlow flow monitor cache by specifying the key and non-key fields to customize the data collection to your specific requirements. When you define your own records for a Flexible NetFlow flow monitor cache, they are referred to as user-defined records. The values in non-key fields are added to flows to provide additional information about the traffic in the flows. A change in the value of a non-key field does not create a new flow. In most cases the values for non-key fields are taken from only the first packet in the flow. Flexible NetFlow allows you to capture counter values such as the number of bytes and packets in a flow as non-key fields.

You can create user-defined records for applications such as QoS and bandwidth monitoring, end-user and application traffic profiling, and security monitoring for DDoS attacks. Flexible NetFlow also includes several predefined records that emulate original NetFlow. Flexible NetFlow user-defined records provide the capability to monitor a contiguous section of a packet of a user-configurable size and use it in a flow record as either a key or a non-key field along with other packet fields and attributes. The section may include any Layer 3 data from the packet. The packet section fields allow the user to monitor any packet fields that are not covered by the Flexible NetFlow predefined keys. The ability to analyze packet fields enables more detailed traffic monitoring, facilitates the investigation of DDoS attacks, and enables the implementation of other security applications such as URL monitoring.

Flexible NetFlow provides predefined types of packet sections of a user-configurable size. The following Flexible NetFlow commands (used in flow record configuration mode) can be used to configure the predefined types of packet sections:

  • collect ipv4 section header size bytes --Starts capturing the number of bytes specified by the bytes argument from the beginning of the IPv4 header of each packet.

  • collect ipv4 section payload size bytes --Starts capturing bytes immediately after the IPv4 header of each packet. The number of bytes captured is specified by the bytes argument.

  • collect ipv6 section header size bytes --Starts capturing the number of bytes specified by the bytes argument from the beginning of the IPv6 header of each packet.

The bytes values are the sizes in bytes of these fields in the flow record. If the corresponding packet section is smaller than the requested section size, Flexible NetFlow pads the rest of the section field in the flow record with zeros. If the packet type does not match the requested section type, Flexible NetFlow fills the entire section field in the flow record with zeros.

Flexible NetFlow adds a new Version 9 export format field type for the packet and header section types. Flexible NetFlow will communicate to the NetFlow collector the section sizes configured in the corresponding Version 9 export template fields. Payload sections will have a corresponding length field that can be used to collect the actual size of the collected section.

Flexible NetFlow Match Parameters

The following table describes the Flexible NetFlow match parameters. You must configure at least one of the following match parameters for the flow records.

Table 1. Match Parameters

Field: match datalink {dot1q | ethertype | mac | vlan}

Purpose: Specifies a match to the Data Link or Layer 2 fields. The following command options are available:

  • dot1q: Matches the dot1q field.

  • ethertype: Matches the ethertype of the packet.

  • mac: Matches the source or destination MAC fields.

  • vlan: Matches the VLAN that the packet is located on (ingress or egress).

Field: match flow direction

Purpose: Specifies a match to the flow identifying fields.

Field: match interface {input | output}

Purpose: Specifies a match to the interface fields. The following command options are available:

  • input: Matches the input interface.

  • output: Matches the output interface.

Field: match ipv4 {destination | protocol | source | tos | ttl | version}

Purpose: Specifies a match to the IPv4 fields. The following command options are available:

  • destination: Matches the fields based on the IPv4 destination address.

  • protocol: Matches the IPv4 protocols.

  • source: Matches the fields based on the IPv4 source address.

  • tos: Matches the IPv4 Type of Service fields.

  • ttl: Matches the IPv4 Time to Live fields.

  • version: Matches the IP version from the IPv4 header.

Field: match ipv6 {destination | hop-limit | protocol | source | traffic-class | version}

Purpose: Specifies a match to the IPv6 fields. The following command options are available:

  • destination: Matches the fields based on the IPv6 destination address.

  • hop-limit: Matches the IPv6 hop limit fields.

  • protocol: Matches the IPv6 payload protocol fields.

  • source: Matches the fields based on the IPv6 source address.

  • traffic-class: Matches the IPv6 traffic class.

  • version: Matches the IP version from the IPv6 header.

Field: match transport {destination-port | igmp | icmp | source-port}

Purpose: Specifies a match to the transport layer fields. The following command options are available:

  • destination-port: Matches the transport destination port.

  • icmp: Matches the ICMP fields, including IPv4 and IPv6 ICMP fields.

  • igmp: Matches the IGMP fields.

  • source-port: Matches the transport source port.

Field: match flow cts {source | destination} group-tag

Purpose: Specifies a match to the CTS field support in the FNF record. The following command options are available:

  • source: Matches the CTS source entering the domain.

  • destination: Matches the CTS destination leaving the domain.

Flexible NetFlow Collect Parameters

The following table describes the Flexible NetFlow collect parameters.

Table 2. Collect Parameters

Field: collect counter {bytes {layer2 {long} | long} | packets {long}}

Purpose: Collects the counter fields total bytes and total packets.

Field: collect interface {input | output}

Purpose: Collects the fields from the input or output interface.

Field: collect timestamp absolute {first | last}

Purpose: Collects the fields for the absolute time the first packet was seen or the absolute time the most recent packet was last seen (in milliseconds).

Field: collect transport tcp flags

Purpose: Collects the following transport TCP flags:

  • ack—TCP acknowledgement flag

  • cwr—TCP congestion window reduced flag

  • ece—TCP ECN echo flag

  • fin—TCP finish flag

  • psh—TCP push flag

  • rst—TCP reset flag

  • syn—TCP synchronize flag

  • urg—TCP urgent flag

Note

On the device, you cannot specify which TCP flag to collect. You can only specify to collect transport TCP flags. All TCP flags are collected with this command.

Field: collect counter bytes

Purpose: Configures the number of bytes seen in a flow as a non-key field and enables collecting the total number of bytes from the flow.

Field: collect counter packets

Purpose: Configures the number of packets seen in a flow as a non-key field and enables collecting the total number of packets from the flow.

Field: collect flow sampler

Purpose: Configures the flow sampler ID as a non-key field for the record. This field contains the ID of the flow sampler used to monitor the flow.

Field: collect ipv4 destination

Purpose: Configures the IPv4 destination as a non-key field for a flow record.

Field: collect ipv4 source

Purpose: Configures the IPv4 source as a non-key field for a flow record.

Field: collect ipv6 destination

Purpose: Configures the IPv6 destination as a non-key field for a flow record.

Field: collect ipv6 source

Purpose: Configures the IPv6 source as a non-key field for a flow record.

Field: collect routing next-hop address

Purpose: Configures the next-hop address value as a non-key field and enables collecting information regarding the next hop from the flows.

Flow Exporters

Flow exporters export the data in the flow monitor cache to a remote system, such as a server running the NetFlow collector, for analysis and storage. Flow exporters are created as separate entities in the configuration. Flow exporters are assigned to flow monitors to provide data export capability for the flow monitors. You can create several flow exporters and assign them to one or more flow monitors to provide several export destinations. You can create one flow exporter and apply it to several flow monitors.

NetFlow Data Export Format Version 9

The basic output of NetFlow is a flow record. Several different formats for flow records have evolved as NetFlow has matured. The most recent evolution of the NetFlow export format is known as Version 9. The distinguishing feature of the NetFlow Version 9 export format is that it is template-based. Templates provide an extensible design to the record format, a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow record format. Using templates provides several key benefits:

  • Third-party business partners who produce applications that provide collection or display services for NetFlow do not have to recompile their applications each time a new NetFlow feature is added. Instead, they should be able to use an external data file that documents the known template formats.

  • New features can be added to NetFlow quickly without breaking current implementations.

  • NetFlow is "future-proofed" against new or developing protocols because the Version 9 format can be adapted to provide support for them.

The Version 9 export format consists of a packet header followed by one or more template flowsets or data flowsets. A template flowset provides a description of the fields that will be present in future data flowsets. These data flowsets may occur later within the same export packet or in subsequent export packets. Template flowsets and data flowsets can be intermixed within a single export packet, as illustrated in the figure below.

NetFlow Version 9 periodically exports the template data so that the NetFlow collector understands what data is to be sent, and also exports the data flowset for the template. The key advantage of Flexible NetFlow is that the user configures a flow record, which is effectively converted to a Version 9 template and then forwarded to the collector. The following figure is a detailed example of the NetFlow Version 9 export format, including the header, template flowset, and data flowset.

For more information on the Version 9 export format, see the white paper titled Cisco IOS NetFlow Version 9 Flow-Record Format, available at this URL: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_white_paper09186a00800a3db9.shtml.

Flow Monitors

Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic monitoring.

Flow data is collected from the network traffic and added to the flow monitor cache during the monitoring process based on the key and non-key fields in the flow record.

Flexible NetFlow can be used to perform different types of analysis on the same traffic. In the figure below, packet 1 is analyzed using a record designed for standard traffic analysis on the input interface and a record designed for security analysis on the output interface.

The following figure shows a more complex example of how you can apply different types of flow monitors with custom records.

Normal

The default cache type is "normal". In this mode, cache entries expire according to the active timeout and inactive timeout settings. When a cache entry expires, it is removed from the cache and exported via any configured exporter.

Flow Samplers

Flow samplers are created as separate components in a router's configuration. Flow samplers are used to reduce the load on the device that is running Flexible NetFlow by limiting the number of packets that are selected for analysis.

Flow sampling exchanges monitoring accuracy for router performance. When you apply a sampler to a flow monitor, the overhead load on the router of running the flow monitor is reduced because the number of packets that the flow monitor must analyze is reduced. The reduction in the number of packets that are analyzed by the flow monitor causes a corresponding reduction in the accuracy of the information stored in the flow monitor's cache.

Samplers are combined with flow monitors when they are applied to an interface with the ip flow monitor command.
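Putting the four components together, the following is an added example (not configuration taken from this guide) of a flow record, exporter, sampler and monitor applied in the ingress direction on a Catalyst 9300 port; the object names, Loopback0 and the collector address 192.0.2.10 are placeholders.

```cisco
! Added example, not from the guide. Names and addresses are placeholders.
! 1. Flow record: match fields are the flow keys, collect fields are non-key.
flow record FNF-REC
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 collect transport tcp flags
 ! bytes layer2 long is exact; bytes long subtracts 18 from the Layer 2 size.
 collect counter bytes layer2 long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
! 2. Flow exporter: where the cache contents are sent. Version 9 is the default
!    export protocol; the template is re-sent every 60 s so a collector that
!    starts late can still decode the data flowsets it receives.
flow exporter FNF-EXP
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
!
! 3. Sampler: 1 in 64 packets, inside the supported 1:2 to 1:1024 range.
sampler FNF-SAMP
 mode random 1 out-of 64
!
! 4. Flow monitor: ties the record and exporter to a cache. A short active
!    timeout reports long-lived flows well before the 1800 s default.
flow monitor FNF-MON
 exporter FNF-EXP
 cache timeout active 60
 cache timeout inactive 15
 record FNF-REC
!
! Apply to a physical port (a Layer 2 port-channel member, not the port-channel).
interface GigabitEthernet1/0/1
 ip flow monitor FNF-MON sampler FNF-SAMP input
```

Verify with show flow monitor FNF-MON cache and show flow exporter FNF-EXP statistics.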

Supported Flexible NetFlow Fields

The following tables provide a consolidated list of supported fields in Flexible NetFlow (FNF) for various traffic types and traffic directions.

Note

If the packet has a VLAN field, then that length is not accounted for.

Field                           L2 In   L2 Out  IPv4 In  IPv4 Out  IPv6 In  IPv6 Out  Notes

Key or collect fields

Interface input                 Yes     --      Yes      --        Yes      --        See note (1)
Interface output                --      Yes     --       Yes       --       Yes       See note (2)

(1) If you apply a flow monitor in the ingress direction:

  • Use the match keyword and use the input interface as a key field.

  • Use the collect keyword and use the output interface as a collect field. This field will be present in the exported records but with a value of 0.

(2) If you apply a flow monitor in the egress direction:

  • Use the match keyword and use the output interface as a key field.

  • Use the collect keyword and use the input interface as a collect field. This field will be present in the exported records but with a value of 0.

Field                           L2 In   L2 Out  IPv4 In  IPv4 Out  IPv6 In  IPv6 Out  Notes

Key fields

Flow direction                  Yes     Yes     Yes      Yes       Yes      Yes
Ethertype                       Yes     Yes     --       --        --       --
VLAN input                      Yes     --      Yes      --        Yes      --        Supported only for a switch port.
VLAN output                     --      Yes     --       Yes       --       Yes       Supported only for a switch port.
dot1q VLAN input                Yes     --      Yes      --        Yes      --        Supported only for a switch port.
dot1q VLAN output               --      Yes     --       Yes       --       Yes       Supported only for a switch port.
dot1q priority                  Yes     Yes     Yes      Yes       Yes      Yes       Supported only for a switch port.
MAC source address input        Yes     Yes     Yes      Yes       Yes      Yes
MAC source address output       --      --      --       --        --       --
MAC destination address input   Yes     --      Yes      --        Yes      --
MAC destination address output  --      Yes     --       Yes       --       Yes
IPv4 version                    Yes     Yes     Yes      Yes       --       --
IPv4 TOS                        Yes     Yes     Yes      Yes       --       --
IPv4 protocol                   Yes     Yes     Yes      Yes       --       --        This should be used if any of the src/dest port, ICMP code/type, IGMP type, or TCP flags are used.
IPv4 TTL                        Yes     Yes     Yes      Yes       --       --
IPv4 TTL                        Yes     Yes     Yes      Yes       --       --        Same as IPv4 TTL.
IPv4 protocol                   Yes     Yes     Yes      Yes       --       --        Same as IPv4 protocol. This should be used if any of the src/dest port, ICMP code/type, IGMP type, or TCP flags are used.
IPv4 source address             --      --      Yes      Yes       --       --
IPv4 destination address        --      --      Yes      Yes       --       --
IPv4 ICMP type                  --      --      Yes      Yes       --       --
IPv4 ICMP code                  --      --      Yes      Yes       --       --
IGMP type                       --      --      Yes      Yes       --       --

Field                           L2 In   L2 Out  IPv4 In  IPv4 Out  IPv6 In  IPv6 Out  Notes

Key fields (continued)

IPv6 version                    Yes     Yes     --       --        Yes      Yes       Same as IP version.
IPv6 protocol                   Yes     Yes     --       --        Yes      Yes       Same as IP protocol. This should be used if any of the src/dest port, ICMP code/type, IGMP type, or TCP flags are used.
IPv6 source address             --      --      --       --        Yes      Yes
IPv6 destination address        --      --      --       --        Yes      Yes
IPv6 traffic class              Yes     Yes     --       --        Yes      Yes       Same as IP TOS.
IPv6 hop limit                  Yes     Yes     --       --        Yes      Yes       Same as IP TTL.
IPv6 ICMP type                  --      --      --       --        Yes      Yes
IPv6 ICMP code                  --      --      --       --        Yes      Yes
Source port                     --      --      Yes      Yes       Yes      Yes
Destination port                --      --      Yes      Yes       Yes      Yes

Field                           L2 In   L2 Out  IPv4 In  IPv4 Out  IPv6 In  IPv6 Out  Notes

Collect fields

Bytes long                      Yes     Yes     Yes      Yes       Yes      Yes       Packet size = (Ethernet frame size including FCS - 18 bytes). Recommended: avoid this field and use Bytes layer2 long.
Packets long                    Yes     Yes     Yes      Yes       Yes      Yes
Timestamp absolute first        Yes     Yes     Yes      Yes       Yes      Yes
Timestamp absolute last         Yes     Yes     Yes      Yes       Yes      Yes
TCP flags                       Yes     Yes     Yes      Yes       Yes      Yes       Collects all the flags.
Bytes layer2 long               Yes     Yes     Yes      Yes       Yes      Yes

Default Settings

The following table lists the Flexible NetFlow default settings for the device.

Table 3. Flexible NetFlow Default Settings

Setting                  Default

Flow active timeout      1800 seconds

Flow inactive timeout    15 seconds

Flexible NetFlow: Ingress VRF Support Overview

The Flexible NetFlow—Ingress VRF Support feature enables collecting the virtual routing and forwarding (VRF) ID from incoming packets on a device by applying an ingress flow monitor having a flow record that collects the VRF ID as a key field.

Flexible NetFlow: Egress VRF Support Overview

The Flexible NetFlow—Egress VRF Support feature enables collecting the VRF ID from outgoing packets on a device by applying an egress flow monitor having a flow record that collects the VRF ID as a key field.

Autonomous System Number

The Autonomous System number space is a 32-bit field with 4,294,967,296 unique values, which are available for use to support the public routing system between Internet domains.

An Autonomous System Number (AS number) is a special number assigned by IANA, used primarily with the Border Gateway Protocol. It uniquely identifies a network under a single technical administration that has a single routing policy or is multihomed to the public Internet. This autonomous system number is required to run BGP and to peer with your Internet Service Provider, between Internet Service Providers at peering points, and at Internet Exchanges (IX). The AS number must be globally unique so that IP address blocks appear to come from a unique location that BGP can find and route to. BGP uses autonomous system paths (AS paths) to determine the shortest path to the destination where a prefix is located.

The NetFlow V9 and IPFIX export types support 32-bit AS numbers. NetFlow V5 does not support this 32-bit AS field, as it follows a fixed 16-bit source and destination AS format.

You can export the following BGP parameters in NetFlow:

  • BGP source origin or peer AS number

  • BGP destination origin or peer AS number

Configuration

Use the following command to configure the AS number:

[no] collect routing {destination | source} as [[4-octet] peer] [4-octet]

Flexible NetFlow—Ingress and Egress in MPLS

  • MPLS Ingress Flexible NetFlow (IP Layer): This feature enables the capture of Internet Protocol (IP) flow information for packets that are subject to MPLS label imposition and are entering the MPLS network. These packets arrive at a router as IP packets and are transmitted as MPLS packets. This feature can be enabled by configuring an ingress flow monitor for IPv4 and IPv6 traffic on the CE-facing side of the PE node.

  • MPLS Egress Flexible NetFlow (IP Layer): This feature enables the capture of Internet Protocol (IP) flow information for packets that are subject to MPLS label disposition and are leaving the MPLS network. These packets arrive at a router as MPLS packets and are transmitted as IP packets. This feature can be enabled by configuring an egress flow monitor for IPv4 and IPv6 traffic on the CE-facing side of the PE node.

Configuring VPN ID in Flexible NetFlow

Multiple VPNs on the same private network can use the same source and destination private IP addresses for data traffic. This can make it difficult to identify the VPN to which the data belongs. A VPN-ID can be used to solve this problem. A VPN-ID is a globally unique virtual private network identifier. It is used to identify a VPN across autonomous systems (ASes). If the VPN-ID is exported in NetFlow export packets, the collector in another AS can associate and segregate the flows based on the VPN to which the data belongs. VPN-ID is a system-level property similar to VRF-ID and can be exported in a similar way.

VPN ID Components

Each VPN ID consists of the following elements:

  • An Organizational Unique Identifier (OUI), a three-octet hexadecimal number. The IEEE Registration Authority assigns OUIs to any company that manufactures components under the ISO/IEC 8802 standard. The OUI is used to generate universal LAN MAC addresses and protocol identifiers for use in local and metropolitan area network applications. For example, an OUI for Cisco Systems is 00-03-6B (hexadecimal).

  • A VPN index, a four-octet hexadecimal number, that identifies the VPN within the company.

You can configure the VPN ID using the vpn id command in VRF definition configuration mode. Specify the VPN ID in the following format:

vpn id oui:vpn-index

Once the VPN ID is configured, you can use the vrf attributes option command in flow exporter configuration mode to export the VPN ID.

How to Configure Flexible NetFlow

To configure Flexible NetFlow, follow these general steps:

  1. Create a flow record by specifying key and non-key fields for the flow.

  2. Create an optional flow exporter by specifying the transport protocol and port, the destination, and other parameters.

  3. Create a flow monitor based on the flow record and the flow exporter.

  4. Create an optional sampler.

  5. Apply the flow monitor to a Layer 2 port, a Layer 3 port, or a VLAN.

Creating a Flow Record

Perform this task to configure a custom flow record.

Custom flow records are used to analyze traffic data for a specific purpose. A custom flow record must have at least one match criterion for use as a key field and typically has at least one collect criterion for use as a non-key field.

There are hundreds of possible permutations of custom flow records. This task shows the steps that are used to create one of the possible permutations. Modify the steps in this task as appropriate to create a custom flow record for your requirements.

Procedure

Command or Action / Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

flow record record-name

Example:

Device(config)# flow record FLOW-RECORD-1

Creates a flow record and enters Flexible NetFlow flow record configuration mode.

  • This command also allows you to modify an existing flow record.

Step 4

description description

Example:

Device(config-flow-record)# description Used for basic traffic analysis

(Optional) Creates a description for the flow record.

Step 5

match {ipv4 | ipv6} {destination | source} address

Example:

Device(config-flow-record)# match ipv4 destination address

Note

This example configures the IPv4 destination address as a key field for the record.

Step 6

Repeat step 5 as necessary to configure additional key fields for the record.

Step 7

match flow cts {source | destination} group-tag

Example:

Device(config-flow-record)# match flow cts source group-tag
Device(config-flow-record)# match flow cts destination group-tag

Note

This example configures the CTS source group tag and destination group tag as key fields for the record. Other key fields are available for the match ipv4/ipv6 command, and other match commands are available to configure key fields.

Note

  • Egress:

    • If SGT propagation or CTS is disabled on the egress interface, the SGT will be zero.

    • For an egress packet, if there is an SGACL configuration that matches (SGT, DGT), the DGT will be non-zero.

    • If SGACL is disabled on the egress port/VLAN or global SGACL enforcement is disabled, the DGT will be zero.

  • Ingress:

    • For an ingress packet, if there is a header, the SGT will reflect the same value as the header. If no value is present, it will display zero.

    • The DGT value does not depend on the SGACL configuration of the ingress port.

Step 8

end

Example:

Device(config-flow-record)# end

Exits Flexible NetFlow flow record configuration mode and returns to privileged EXEC mode.

Step 9

show flow record record-name

Example:

Device# show flow record FLOW-RECORD-1

(Optional) Displays the current status of the specified flow record.

Step 10

show running-config flow record record-name

Example:

Device# show running-config flow record FLOW-RECORD-1

(Optional) Displays the configuration of the specified flow record.

Creating a Flow Exporter

You can create a flow exporter to define the export parameters for a flow.


Note

Each flow exporter supports only one destination. If you want to export the data to multiple destinations, you must configure multiple flow exporters and assign them to the flow monitor.

You can export to a destination using an IPv4 address.

Procedure

Command or Action / Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

flow exporter name

Example:

Device(config)# flow exporter ExportTest

Creates a flow exporter and enters flow exporter configuration mode.

Step 4

description string

Example:

Device(config-flow-exporter)# description ExportV9

(Optional) Describes this flow exporter as a string of up to 63 characters.

Step 5

destination {ipv4-address}

Example:

Device(config-flow-exporter)# destination 192.0.2.1

Sets the IPv4 destination address or host name for this exporter.

Step 6

dscp value

Example:

Device(config-flow-exporter)# dscp 0

(Optional) Specifies the differentiated services code point value. The range is from 0 to 63. The default is 0.

Step 7

source interface-type interface-number

Example:

Device(config-flow-exporter)# source gigabitEthernet1/0/1

(Optional) Specifies the interface to use to reach the NetFlow collector at the configured destination.

Note

A flow exporter does not support an unnumbered IP interface as the source interface.

The following interfaces can be configured as the source:

  • Auto-Template—Auto-Template interface

  • Capwap—CAPWAP tunnel interface

  • GigabitEthernet—Gigabit Ethernet IEEE 802

  • GroupVI—Group Virtual interface

  • InternalInterface—Internal interface

  • Loopback—Loopback interface

  • Null—Null interface

  • Port-channel—Ethernet channel interface

  • TenGigabitEthernet—10 Gigabit Ethernet

  • Tunnel—Tunnel interface

  • Vlan—Catalyst VLANs

Step 8

transport udp number

Example:

Device(config-flow-exporter)# transport udp 200

(Optional) Specifies the UDP port to use to reach the NetFlow collector.

Step 9

ttl seconds

Example:

Device(config-flow-exporter)# ttl 210

(Optional) Configures the time-to-live (TTL) value for datagrams sent by the exporter. The range is from 1 to 255 seconds. The default is 255.

Step 10

export-protocol {netflow-v9}

Example:

Device(config-flow-exporter)# export-protocol netflow-v9

Specifies the version of the NetFlow export protocol used by the exporter.

Step 11

end

Example:

Device(config-flow-exporter)# end

Returns to privileged EXEC mode.

Step 12

show flow exporter [name exporter-name]

Example:

Device# show flow exporter ExportTest

(Optional) Displays information about NetFlow flow exporters.

Step 13

copy running-config startup-config

Example:

Device# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

What to do next

Define a flow monitor based on the flow record and flow exporter.

Creating a Custom Flow Monitor

Perform this required task to create a custom flow monitor.

Each flow monitor has a separate cache assigned to it. Each flow monitor requires a record to define the contents and layout of its cache entries. These record formats can be one of the predefined formats or a user-defined format. An advanced user can create a custom format using the flow record command.

Before you begin

If you want to use a custom record instead of one of the Flexible NetFlow predefined records, you must create the custom record before you can perform this task. If you want to add a flow exporter to the flow monitor for data export, you must create the exporter before you can complete this task.


Note

You must use the no ip flow monitor command to remove a flow monitor from all of the interfaces to which you have applied it before you can modify the parameters for the record command on the flow monitor.

Procedure

Command or Action / Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

flow monitor monitor-name

Example:

Device(config)# flow monitor FLOW-MONITOR-1

Creates a flow monitor and enters Flexible NetFlow flow monitor configuration mode.

  • This command also allows you to modify an existing flow monitor.

Step 4

description description

Example:

Device(config-flow-monitor)# description Used for basic ipv4 traffic analysis

(Optional) Creates a description for the flow monitor.

Step 5

record {record-name | netflow-original | netflow {ipv4 | ipv6} record [peer]}

Example:

Device(config-flow-monitor)# record FLOW-RECORD-1

Specifies the record for the flow monitor.

Step 6

cache {timeout {active | inactive | update | rate-limit} seconds | type normal}

Example:

Device(config-flow-monitor)# cache type normal
Device(config-flow-monitor)# cache timeout active

(Optional) Modifies the flow monitor cache parameters such as timeout values and cache type. Associates a flow cache with the specified flow monitor.

Step 7

Repeat step 6 as necessary to finish modifying the cache parameters for this flow monitor.

Step 8

statistics packet protocol

Example:

Device(config-flow-monitor)# statistics packet protocol

(Optional) Enables the collection of protocol distribution statistics for Flexible NetFlow monitors.

Step 9

statistics packet size

Example:

Device(config-flow-monitor)# statistics packet size

(Optional) Enables the collection of size distribution statistics for Flexible NetFlow monitors.

Step 10

exporter exporter-name

Example:

Device(config-flow-monitor)# exporter EXPORTER-1

(Optional) Specifies the name of an exporter that was created previously.

Step 11

end

Example:

Device(config-flow-monitor)# end

Exits Flexible NetFlow flow monitor configuration mode and returns to privileged EXEC mode.

Step 12

show flow monitor [[name] monitor-name [cache [format {csv | record | table}]] [statistics]]

Example:

Device# show flow monitor FLOW-MONITOR-2 cache

(Optional) Displays the status and statistics for a Flexible NetFlow flow monitor.

Step 13

show running-config flow monitor monitor-name

Example:

Device# show running-config flow monitor FLOW-MONITOR-1

(Optional) Displays the configuration of the specified flow monitor.

Step 14

copy running-config startup-config

Example:

Device# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Creating a Flow Sampler

Perform this required task to configure and enable a flow sampler.

Procedure

Command or Action / Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

sampler sampler-name

Example:

Device(config)# sampler SAMPLER-1

Creates a sampler and enters sampler configuration mode.

  • This command also allows you to modify an existing sampler.

Step 4

description description

Example:

Device(config-sampler)# description Sample at 50%

(Optional) Creates a description for the flow sampler.

Step 5

mode {random} 1 out-of window-size

Example:

Device(config-sampler)# mode random 1 out-of 2

Specifies the sampler mode and the flow sampler window size.

  • The range for the window-size argument is from 0 to 1024.

Step 6

exit

Example:

Device(config-sampler)# exit

Exits sampler configuration mode and returns to global configuration mode.

Step 7

interface type number

Example:

Device(config)# interface GigabitEthernet 0/0/0

Specifies an interface and enters interface configuration mode.

Step 8

{ip | ipv6} flow monitor monitor-name [[sampler] sampler-name] {input | output}

Example:

Device(config-if)# ip flow monitor FLOW-MONITOR-1 sampler SAMPLER-1 input

Assigns the flow monitor and the flow sampler that you created to the interface to enable sampling.

Step 9

end

Example:

Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Step 10

show sampler sampler-name

Example:

Device# show sampler SAMPLER-1

Displays the status and statistics for the flow sampler that you configured and enabled.

Applying a Flow to an Interface

You can apply a flow monitor and an optional sampler to an interface.

Procedure

Command or Action / Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface type

Example:

Device(config)# interface GigabitEthernet1/0/1

Enters interface configuration mode and configures an interface.

Flexible NetFlow is not supported on the L2 port-channel interface, but is supported on the L2 port-channel member ports.

Flexible NetFlow supports L3 port-channel interfaces and member ports, but not both at the same time.

Step 4

{ip flow monitor | ipv6 flow monitor | datalink flow monitor} name [sampler name] {input | output}

Example:

Device(config-if)# ip flow monitor MonitorTest input

Associates an IPv4, IPv6, or datalink flow monitor, and an optional sampler, to the interface for input or output packets.

ip flow monitor—Enables Flexible NetFlow to monitor IPv4 traffic.

ipv6 flow monitor—Enables Flexible NetFlow to monitor IPv6 traffic.

datalink flow monitor—Enables Flexible NetFlow to monitor non-IP traffic.

Note

You can attach multiple monitors to an interface in the input and output directions.

Step 5

end

Example:

Device(config-if)# end

Returns to privileged EXEC mode.

Step 6

show flow interface [interface-type number]

Example:

Device# show flow interface

(Optional) Displays information about NetFlow on an interface.

Step 7

copy running-config startup-config

Example:

Device# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Configuring Bridged NetFlow on a VLAN

You can apply a flow monitor and an optional sampler to a VLAN.

Procedure

Command or Action / Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

vlan [configuration] vlan-id

Example:

Device(config)# vlan configuration 30
Device(config-vlan-config)#

Enters VLAN or VLAN configuration mode.

Step 4

ip flow monitor monitor-name [sampler sampler-name] {input}

Example:

Device(config-vlan-config)# ip flow monitor MonitorTest input

Associates a flow monitor and an optional sampler to the VLAN for input packets.

Step 5

copy running-config startup-config

Example:

Device# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Configuring Layer 2 NetFlow

You can define Layer 2 keys in Flexible NetFlow records that you can use to capture flows on Layer 2 interfaces.

Procedure

Command or Action / Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

flow record name

Example:

Device(config)# flow record L2_record
Device(config-flow-record)#

Enters flow record configuration mode.

Step 4

match datalink {dot1q | ethertype | mac | vlan}

Example:

Device(config-flow-record)# match datalink ethertype

Specifies the Layer 2 attribute as a key.

Step 5

end

Example:

Device(config-flow-record)# end

Returns to privileged EXEC mode.

Step 6

show flow record [name]

Example:

Device# show flow record

(Optional) Displays information about NetFlow on an interface.

Step 7

copy running-config startup-config

Example:

Device# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Monitoring Flexible NetFlow

The commands in the following table can be used to monitor Flexible NetFlow.

Table 4. Flexible NetFlow Monitoring Commands

Command / Purpose

show flow exporter [broker | export-ids | name | name | statistics | templates]

Displays information about NetFlow flow exporters and statistics.

show flow exporter [name exporter-name]

Displays information about NetFlow flow exporters and statistics.

show flow interface

Displays information about NetFlow interfaces.

show flow monitor [name monitor-name]

Displays information about NetFlow flow monitors and statistics.

show flow monitor statistics

Displays the flow monitor statistics.

show flow monitor cache format {table | record | csv}

Displays the cache contents of the flow monitor in the specified format.

show flow record [name record-name]

Displays information about NetFlow flow records.

show sampler [broker | name | name]

Displays information about NetFlow samplers.

Configuration Examples for Flexible NetFlow

Example: Configuring a Flow

This example shows how to create a flow and apply it to an interface:

Device# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)# flow exporter export1
Device(config-flow-exporter)# destination 10.0.101.254
Device(config-flow-exporter)# transport udp 2055
Device(config-flow-exporter)# exit
Device(config)# flow record record1
Device(config-flow-record)# match ipv4 source address
Device(config-flow-record)# match ipv4 destination address
Device(config-flow-record)# match ipv4 protocol
Device(config-flow-record)# match transport source-port
Device(config-flow-record)# match transport destination-port
Device(config-flow-record)# match flow cts source group-tag
Device(config-flow-record)# match flow cts destination group-tag
Device(config-flow-record)# collect counter bytes long
Device(config-flow-record)# collect counter packets long
Device(config-flow-record)# collect timestamp absolute first
Device(config-flow-record)# collect timestamp absolute last
Device(config-flow-record)# exit
Device(config)# flow monitor monitor1
Device(config-flow-monitor)# record record1
Device(config-flow-monitor)# exporter export1
Device(config-flow-monitor)# exit
Device(config)# interface tenGigabitEthernet 1/0/1
Device(config-if)# ip flow monitor monitor1 input
Device(config-if)# end
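The collector at 10.0.101.254 receives the flows that record1 defines as NetFlow v9 datagrams on UDP 2055: a template FlowSet that describes the record layout, followed by data FlowSets that only the template can decode. The following is an added example, not code from the Cisco guide: it builds a constructed v9 datagram carrying the IPv4, protocol, port and long-counter fields record1 uses, plus the 4-octet source and destination AS fields from the Autonomous System Number section (which the 16-bit v5 format cannot carry), and decodes it on the collector side, including the case where data arrives before its template.

```python
"""Collector-side parser for NetFlow v9 (RFC 3954) export datagrams."""
import struct
import ipaddress

# Field type IDs from RFC 3954 section 8 and how each value is decoded.
FIELD_TYPES = {
    1: ("in_bytes", "uint"),        # collect counter bytes long (8 octets)
    2: ("in_pkts", "uint"),         # collect counter packets long (8 octets)
    4: ("protocol", "uint"),        # match ipv4 protocol
    7: ("l4_src_port", "uint"),     # match transport source-port
    8: ("ipv4_src_addr", "ipv4"),   # match ipv4 source address
    11: ("l4_dst_port", "uint"),    # match transport destination-port
    12: ("ipv4_dst_addr", "ipv4"),  # match ipv4 destination address
    16: ("src_as", "uint"),         # collect routing source as 4-octet
    17: ("dst_as", "uint"),         # collect routing destination as 4-octet
}

# Packet header: version, count, sysUptime, unix secs, sequence, source ID.
HEADER = struct.Struct("!HHIIII")


class NetFlowV9Parser:
    """Caches templates per (source_id, template_id) across datagrams."""

    def __init__(self):
        self.templates = {}

    def parse(self, datagram):
        if len(datagram) < HEADER.size:
            raise ValueError("datagram shorter than the v9 header")
        version, _cnt, _up, _secs, _seq, source_id = HEADER.unpack_from(datagram)
        if version != 9:
            raise ValueError("not NetFlow v9: version %d" % version)
        records = []
        offset = HEADER.size
        while offset + 4 <= len(datagram):
            flowset_id, length = struct.unpack_from("!HH", datagram, offset)
            if length < 4 or offset + length > len(datagram):
                raise ValueError("malformed FlowSet length %d at %d" % (length, offset))
            body = datagram[offset + 4:offset + length]
            if flowset_id == 0:
                self._parse_templates(source_id, body)
            elif flowset_id > 255:
                records.extend(self._parse_data(source_id, flowset_id, body))
            # FlowSet IDs 1-255 are options templates and reserved; skipped here.
            offset += length
        return records

    def _parse_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            pos += 4
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(field_count)]
            pos += 4 * field_count
            self.templates[(source_id, template_id)] = fields

    def _parse_data(self, source_id, template_id, body):
        fields = self.templates.get((source_id, template_id))
        if not fields:
            return []  # template not seen yet: no trustworthy way to decode
        record_len = sum(flen for _, flen in fields)
        records, pos = [], 0
        while pos + record_len <= len(body):  # leftover bytes are padding
            rec = {}
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                pos += flen
                name, kind = FIELD_TYPES.get(ftype, ("field_%d" % ftype, "raw"))
                if kind == "uint":
                    rec[name] = int.from_bytes(raw, "big")
                elif kind == "ipv4" and flen == 4:
                    rec[name] = str(ipaddress.IPv4Address(raw))
                else:
                    rec[name] = raw
            records.append(rec)
        return records


def build_sample_datagram(include_template=True):
    """Constructed v9 datagram (sample values are made up, not captured)."""
    template_fields = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2),
                       (1, 8), (2, 8), (16, 4), (17, 4)]
    tmpl = struct.pack("!HH", 256, len(template_fields))
    for ftype, flen in template_fields:
        tmpl += struct.pack("!HH", ftype, flen)
    template_flowset = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = (ipaddress.IPv4Address("192.0.2.10").packed
           + ipaddress.IPv4Address("198.51.100.7").packed
           + struct.pack("!BHH", 6, 51514, 443)        # TCP 51514 -> 443
           + struct.pack("!QQ", 123456, 90)            # bytes, packets (long)
           + struct.pack("!II", 64512, 4200000000))    # 4-octet AS numbers
    pad = b"\x00" * (-len(rec) % 4)                    # FlowSets are 4-byte aligned
    data_flowset = struct.pack("!HH", 256, 4 + len(rec) + len(pad)) + rec + pad
    count = 2 if include_template else 1
    header = HEADER.pack(9, count, 123000, 1700000000, 1, 0)
    return header + (template_flowset if include_template else b"") + data_flowset
```

A data-only datagram decodes to nothing until the same parser instance has seen the template from that source ID, which is why a collector must keep template state rather than treat each datagram in isolation.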

Example: Monitoring IPv4 Ingress Traffic

This example shows how to monitor IPv4 ingress traffic (int g1/0/11 sends traffic to int g1/0/36 and int g3/0/11).

Device# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)# flow record fr-1
Device(config-flow-record)# match ipv4 source address
Device(config-flow-record)# match ipv4 destination address
Device(config-flow-record)# match interface input
Device(config-flow-record)# collect counter bytes long
Device(config-flow-record)# collect counter packets long
Device(config-flow-record)# collect timestamp absolute first
Device(config-flow-record)# collect timestamp absolute last
Device(config-flow-record)# collect counter bytes layer2 long
Device(config-flow-record)# exit
Device(config)# flow exporter fe-ipfix6
Device(config-flow-exporter)# destination 2001:0:0:24::10
Device(config-flow-exporter)# source Vlan106
Device(config-flow-exporter)# transport udp 4739
Device(config-flow-exporter)# export-protocol ipfix
Device(config-flow-exporter)# template data timeout 240
Device(config-flow-exporter)# exit
Device(config)# flow exporter fe-ipfix
Device(config-flow-exporter)# description IPFIX format collector 100.0.0.80
Device(config-flow-exporter)# destination 100.0.0.80
Device(config-flow-exporter)# dscp 30
Device(config-flow-exporter)# ttl 210
Device(config-flow-exporter)# transport udp 4739
Device(config-flow-exporter)# export-protocol ipfix
Device(config-flow-exporter)# template data timeout 240
Device(config-flow-exporter)# exit
Device(config)# flow exporter fe-1
Device(config-flow-exporter)# destination 10.5.120.16
Device(config-flow-exporter)# source Vlan105
Device(config-flow-exporter)# dscp 32
Device(config-flow-exporter)# ttl 200
Device(config-flow-exporter)# transport udp 2055
Device(config-flow-exporter)# template data timeout 240
Device(config-flow-exporter)# exit
Device(config)# flow monitor fm-1
Device(config-flow-monitor)# exporter fe-ipfix6
Device(config-flow-monitor)# exporter fe-ipfix
Device(config-flow-monitor)# exporter fe-1
Device(config-flow-monitor)# cache timeout inactive 60
Device(config-flow-monitor)# cache timeout active 180
Device(config-flow-monitor)# record fr-1
Device(config-flow-monitor)# end
Device# show running-config interface g1/0/11
Device# show running-config interface g1/0/36
Device# show running-config interface g3/0/11
Device# show flow monitor fm-1 cache format table

Example: Monitoring IPv4 Egress Traffic

Device# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)# flow record fr-1-out
Device(config-flow-record)# match ipv4 source address
Device(config-flow-record)# match ipv4 destination address
Device(config-flow-record)# match interface output
Device(config-flow-record)# collect counter bytes long
Device(config-flow-record)# collect counter packets long
Device(config-flow-record)# collect timestamp absolute first
Device(config-flow-record)# collect timestamp absolute last
Device(config-flow-record)# exit
Device(config)# flow exporter fe-1
Device(config-flow-exporter)# destination 10.5.120.16
Device(config-flow-exporter)# source Vlan105
Device(config-flow-exporter)# dscp 32
Device(config-flow-exporter)# ttl 200
Device(config-flow-exporter)# transport udp 2055
Device(config-flow-exporter)# template data timeout 240
Device(config-flow-exporter)# exit
Device(config)# flow exporter fe-ipfix6
Device(config-flow-exporter)# destination 2001:0:0:24::10
Device(config-flow-exporter)# source Vlan106
Device(config-flow-exporter)# transport udp 4739
Device(config-flow-exporter)# export-protocol ipfix
Device(config-flow-exporter)# template data timeout 240
Device(config-flow-exporter)# exit
Device(config)# flow exporter fe-ipfix
Device(config-flow-exporter)# description IPFIX format collector 100.0.0.80
Device(config-flow-exporter)# destination 100.0.0.80
Device(config-flow-exporter)# dscp 30
Device(config-flow-exporter)# ttl 210
Device(config-flow-exporter)# transport udp 4739
Device(config-flow-exporter)# export-protocol ipfix
Device(config-flow-exporter)# template data timeout 240
Device(config-flow-exporter)# exit
Device(config)# flow monitor fm-1-output
Device(config-flow-monitor)# exporter fe-1
Device(config-flow-monitor)# exporter fe-ipfix6
Device(config-flow-monitor)# exporter fe-ipfix
Device(config-flow-monitor)# cache timeout inactive 50
Device(config-flow-monitor)# cache timeout active 120
Device(config-flow-monitor)# record fr-1-out
Device(config-flow-monitor)# end
Device# show flow monitor fm-1-output cache format table

Example: Configuring Flexible NetFlow for Ingress VRF Support

The following example configures the collection of the VRF ID of incoming packets on a device by applying an ingress flow monitor that has a flow record that collects the VRF ID as a key field.

Device> enable
Device# configure terminal
Device(config)# flow record rm_1
Device(config-flow-record)# match routing vrf input
Device(config-flow-record)# match ipv4 source address
Device(config-flow-record)# match ipv4 destination address
Device(config-flow-record)# collect interface input
Device(config-flow-record)# collect interface output
Device(config-flow-record)# collect counter packets
Device(config-flow-record)# exit
Device(config)# flow monitor mm_1
Device(config-flow-monitor)# record rm_1
Device(config-flow-monitor)# exit
Device(config)# interface GigabitEthernet 1/0/1
Device(config-if)# ip vrf forwarding green
Device(config-if)# ip address 172.16.2.2 255.255.255.252
Device(config-if)# ip flow monitor mm_1 input
Device(config-if)# end

Example: Configuring Flexible NetFlow for Egress VRF Support

The following example configures the collection of the VRF ID of outgoing packets on a device by applying an egress flow monitor that has a flow record that collects the VRF ID as a key field.

Device> enable
Device# configure terminal
Device(config)# flow record rm_1
Device(config-flow-record)# match routing vrf input
Device(config-flow-record)# match ipv4 source address
Device(config-flow-record)# match ipv4 destination address
Device(config-flow-record)# collect interface input
Device(config-flow-record)# collect interface output
Device(config-flow-record)# collect counter packets
Device(config-flow-record)# exit
Device(config)# flow monitor mm_1
Device(config-flow-monitor)# record rm_1
Device(config-flow-monitor)# exit
Device(config)# interface GigabitEthernet 1/0/1
Device(config-if)# ip vrf forwarding green
Device(config-if)# ip address 172.16.2.2 255.255.255.252
Device(config-if)# ip flow monitor mm_1 output
Device(config-if)# end

Feature History for Flexible NetFlow

This table provides release and related information for the features explained in this module.

These features are available in all the releases subsequent to the one they were introduced in, unless noted otherwise.

Release: Cisco IOS XE Everest 16.5.1a
Feature: Flexible NetFlow
Feature Information: Flexible NetFlow uses flows to provide statistics for accounting, network monitoring, and network planning.

Release: Cisco IOS XE Gibraltar 16.12.1
Feature: Source Group Tag (SGT) and Destination Group Tag (DGT) over Flexible NetFlow for IPv6 traffic
Feature Information: Introduced support for Source Group Tag (SGT) and Destination Group Tag (DGT) fields over Flexible NetFlow for IPv6 traffic.

Release: Cisco IOS XE Amsterdam 17.1.1
Feature: Flexible NetFlow—Ingress and Egress in MPLS
Feature Information: Enables the capture of IP flow information for packets that are subject to Multiprotocol Label Switching (MPLS) label imposition when entering an MPLS network. These packets arrive at a device as IP packets and are transmitted as MPLS packets.

Release: Cisco IOS XE Amsterdam 17.2.1
Feature: VPN ID in NetFlow
Feature Information: Supports the configuration of a Virtual Private Network Identifier (VPN-ID) in Flexible NetFlow. A VPN-ID is globally unique. It is used to identify a VPN across autonomous systems (ASes).

Release: Cisco IOS XE Bangalore 17.5.1
Feature: Flexible NetFlow for Egress VRF Support
Feature Information: Introduced support for configuring Flexible NetFlow for egress VRF support.

Use the Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to https://cfnng.cisco.com/.

Article information

Author: Frankie Dare

Last Updated: 12/08/2023

Views: 5949

Rating: 4.2 / 5 (73 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Frankie Dare

Birthday: 2000-01-27

Address: Suite 313 45115 Caridad Freeway, Port Barabaraville, MS 66713

Phone: +3769542039359

Job: Sales Manager

Hobby: Baton twirling, Stand-up comedy, Leather crafting, Rugby, tabletop games, Jigsaw puzzles, Air sports

Introduction: My name is Frankie Dare, I am a funny, beautiful, proud, fair, pleasant, cheerful, enthusiastic person who loves writing and wants to share my knowledge and understanding with you.