|
|
This document describes the Cisco IOS NetFlow Aggregation feature, which allows Cisco NetFlow users to summarize NetFlow export data on an IOS router before the data is exported to a NetFlow data collection system, such as the Cisco NetFlow FlowCollector. See the following sections for additional information:
By maintaining one or more extra flow caches, called aggregation caches, the NetFlow Aggregation feature allows limited aggregation of NetFlow data export streams to be done on a router.
The aggregation cache schemes are described in the following sections:
The user may configure each aggregation cache with its individual cache size, cache ager timeout parameter, export destination IP address, and export destination UDP port. As data flows expire in the main NetFlow cache, the flows are added to each enabled aggregation cache. Each aggregation cache contains different field combinations that determine which data flows are grouped. The default aggregation cache size is 4096.
Table 1 lists definitions for the data export record terms used in each aggregation scheme.
| Term | Definition |
|---|---|
Bytes | Number of bytes in the aggregated flows. |
Destination BGP Autonomous System | Peer or origin autonomous system of the destination prefix (IP address.) |
Destination Interface | SNMP index of the output interface. |
Destination Port | Destination UDP or TCP port number. |
Destination Prefix | Destination IP address AND'd with the destination prefix mask. |
First | System uptime when the first packet was switched. |
Flows | Number of main cache flows that were aggregated. |
Last | System uptime when the last packet was switched. |
Packets | Number of packets in the aggregated flows. |
PAD | Zero field. |
Protocol | IP protocol byte. |
Source BGP Autonomous System | Peer or origin autonomous system of the source prefix. |
Source Interface | SNMP index of the input interface. |
Source Port | Source UDP or TCP port number if applicable. |
Source Prefix | Source IP address AND'd with the source prefix mask, or the prefix that the source IP address of the aggregated flows belong to. |
The autonomous system aggregation scheme provides significant NetFlow export data volume reduction and generates autonomous system-to-autonomous system traffic flow data. The scheme groups data flows with the same source Border Gateway Protocol (BGP) autonomous system, destination BGP autonomous system, input interface, and output interface. See Figure 1.
The aggregated NetFlow data export records report the following:
The Destination Prefix aggregation scheme generates data so that you can examine the destinations of network traffic passing through a NetFlow-enabled device. The scheme groups data flows with the same destination prefix, destination prefix mask, destination BGP autonomous system, and output interface. See Figure 2.
The aggregated NetFlow data export records report the following:
The Prefix aggregation scheme generates data so that you can examine the sources and destinations of network traffic passing through a NetFlow-enabled device. The scheme groups data flows with the same source prefix, destination prefix, source prefix mask, destination prefix mask, source BGP autonomous system, destination BGP autonomous system, input interface, and output interface. See Figure 3.
The aggregated NetFlow data export records report the following:
The Protocol Port aggregation scheme generates data so that you can examine network usage by traffic type. The scheme groups data flows with the same IP protocol, source port number, and destination port number when applicable. See Figure 4.
The aggregated NetFlow data export records report the following:
The Source Prefix aggregation scheme generates data so that you can examine the sources of network traffic passing through a NetFlow-enabled device. The scheme groups data flows with the same source prefix, source prefix mask, source BGP autonomous system, and input interface. The aggregated NetFlow data export records report the following:
To coordinate flow aggregation on your router, determine the fields from which you want to collect data.Table 2 shows which fields are valid for the different aggregation schemes and which fields are part of the keys. Key fields define a unique flow.
Data Fields | Aggregation Schemes | ||||
|---|---|---|---|---|---|
| Autonomous System | Destination Prefix | Prefix | Protocol Port | Source Prefix |
Source Prefix |
|
|
|
|
|
Destination Prefix |
|
|
|
|
|
Protocol |
|
|
| * |
|
Type of Service Byte |
|
|
|
|
|
Source Port |
|
|
| * |
|
Destination Port |
|
|
| * |
|
Source Interface | * |
| * |
| * |
Destination Interface | * | * | * |
|
|
OR'd TCP Flags |
|
|
|
|
|
Source BGP Autonomous System | * |
| * |
| * |
Destination BGP Autonomous System | * | * | * |
|
|
Source Prefix Mask |
|
| * |
| * |
Destination Prefix Mask |
| * | * |
|
|
Next Hop IP Adress |
|
|
|
|
|
Source Encap Bytes |
|
|
|
|
|
Destination Encap Bytes |
|
|
|
|
|
Source Prefix |
|
| * |
| * |
Destination Prefix |
| * | * |
|
|
First Timestamp | x | x | x | x | x |
Last Timestamp | x | x | x | x | x |
Flows | x | x | x | x | x |
Packets | x | x | x | x | x |
Bytes | x | x | x | x | x |
* = exported key field x = exported field
&&Center&& &&Center&& &&Center&& &&Center&& &&Center&& | |||||
NetFlow exports flow information in UDP datagrams in one of several formats. Version 8, a new data export version, has been added to support data exports from aggregation caches. Version 8 allows for export datagrams to contain a subset of the usual version 5 export data, which is valid for a particular aggregations scheme type.
Figure 6 shows the version 8 header with the version and timestamp information. Table 3 lists definitions for terms used in the version 8 header.
| Term | Definition |
|---|---|
Version | The flow export format version number. In this case, the number is "8." |
Count | The number of export records in the datagram. |
System Uptime | The number of milliseconds since the router was last booted. |
UNIX Seconds | The number of seconds since 0000 Universal Time Code (UTC) 1970. |
UNIX Nanoseconds | The number of residual nanoseconds since 0000UTC 1970. |
Sequence Number | Sequence counter of total flows sent for this export stream. |
Engine Type | The type of switching engine. RP=0 and LC=1. |
Engine ID | The slot number of the NetFlow switching engine. |
Aggregation | The type of aggregation scheme being used. |
Aggregation Version | The aggregation subformat version number. The current value is "2". |
NetFlow aggregation caches reduce the bandwidth required between routers and NetFlow management workstations.
NetFlow aggregation caches reduce the number of NetFlow management workstations required.
NetFlow aggregation caches improve the scalability of high-flow-per-second routers, such as the 7500 series.
To collect NetFlow version 8 data export records, use NetFlow FlowCollector version 3.0. Version 2.0 and earlier versions do not support version 8 data export record formats.
This feature is supported on these platforms:
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
None
None
You must take these prerequisties into consideration before configuring the NetFlow Aggregation feature:
See the following sections for configuration tasks for the Cisco IOS NetFlow Aggregation feature:
To configure an aggregation cache, you must enter aggregation cache configuration mode, and you must decide which type of aggregation scheme you would like to configure: autonomous system, Destination Prefix, Prefix, Protocol Prefix, or Source Prefix aggregation cache. Once you define the aggregation scheme, define the operational parameters for that scheme.
| Step | Command | Purpose | ||
|---|---|---|---|---|
| Router(config)#ip flow-aggregation cache as | Enters aggregation cache configuration mode and enables an aggregation cache scheme (as, destination-prefix, prefix, protocol-port, or source-prefix) | ||
| Router(config-flow-cache)#cache entries 2046 | Specifies the number (in this example, 2046) of cache entries to allocate for the autonomous system aggregation cache. | ||
| Router(config-flow-cache)#cache timeout inactive 199 | Specifies the number of seconds (in this example, 199) that an inactive entry is allowed to remain in the aggregation cache before it is deleted. | ||
| Router(config-flow-cache)#cache timeout active 45 | Specifies the number of minutes (in this example, 45) that an active entry is active. | ||
| Router(config-flow-cache)#export destination 10.42.41.1 9991 | Enables the data export. | ||
| Router(config-flow-cache)#enabled | Enables aggregation cache creation. |
To verify that the configuration is correct, use the show ip cache flow aggregation command.
To confirm data export, use the show ip flow export command.
To monitor and maintain aggregation schemes, use the show ip cache flow aggregation command.
To monitor and maintain aggregation schemes data export, use the show ip flow export command.
This section provides the following basic configuration examples:
The following example shows how to configure an autonomous system aggregation cache with a cache size of 2046, an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.1, and a destination port of 9992.
Router(config)#ip flow-aggregation cache as Router(config-flow-cache)#cache entries 2046 Router(config-flow-cache)#cache timeout inactive 200 Router(config-flow-cache)#cache timeout active 45 Router(config-flow-cache)#export destination 10.42.42.1 9992 Router(config-flow-cache)#enabled
The following example shows how to configure a Destination Prefix aggregation cache with a cache size of 2046, an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.1, and a destination port of 9992.
Router(config)#ip flow-aggregation cache destination-prefix Router(config-flow-cache)#cache entries 2046 Router(config-flow-cache)#cache timeout inactive 200 Router(config-flow-cache)#cache timeout active 45 Router(config-flow-cache)#export destination 10.42.42.1 9992 Router(config-flow-cache)#enabled
The following example shows how to configure a Prefix aggregation cache with a cache size of 2046, an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.1, and a destination port of 9992.
Router(config)#ip flow-aggregation cache prefix Router(config-flow-cache)#cache entries 2046 Router(config-flow-cache)#cache timeout inactive 200 Router(config-flow-cache)#cache timeout active 45 Router(config-flow-cache)#export destination 10.42.42.1 9992 Router(config-flow-cache)#enabled
The following example shows how to configure a Protocol Port aggregation cache with a cache size of 2046, an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.1, and a destination port of 9992.
Router(config)#ip flow-aggregation cache protocol-port Router(config-flow-cache)#cache entries 2046 Router(config-flow-cache)#cache timeout inactive 200 Router(config-flow-cache)#cache timeout active 45 Router(config-flow-cache)#export destination 10.42.42.1 9992 Router(config-flow-cache)#enabled
The following example shows how to configure a Source Prefix aggregation cache with a cache size of 2046, an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.1, and a destination port of 9992.
Router(config)#ip flow-aggregation cache source-prefix Router(config-flow-cache)#cache entries 2046 Router(config-flow-cache)#cache timeout inactive 200 Router(config-flow-cache)#cache timeout active 45 Router(config-flow-cache)#export destination 10.42.42.1 9992 Router(config-flow-cache)#enabled
This section documents new commands you can use to configure the Cisco IOS NetFlow Aggregation feature. All other commands used with this feature are documented in the Cisco IOS Release 12.0 Switching Services command reference publication.
In Cisco IOS Release 12.0(1)T or later, you can search and filter the output for show and more commands. This functionality is useful when you need to sort through large amounts of output, or if you want to exclude output that you do not need to see.
To use this functionality, enter a show or more command followed by the "pipe" character (|), one of the keywords begin, include, or exclude, and an expression that you want to search or filter on:
command | {begin | include | exclude} regular-expression
Following is an example of the show atm vc command in which you want the command output to begin with the first line where the expression "PeakRate" appears:
show atm vc | begin PeakRate
For more information on the search and filter functionality, refer to the Cisco IOS Release 12.0(1)T feature module titled CLI String Search.
To configure aggregation cache operational parameters, use the cache aggregation cache configuration command.
To disable the operational parameters, use the no form of this command.
cache {entries number | timeout [active minutes | inactive seconds]}
entries number | (Optional) The number of cached entries allowed in the aggregation cache. The number of entries can be 1024 to 524288. The default is 4096. |
active minutes | (Optional) The number of minutes that an active entry is active. The default is 30 minutes; the range is between 1 and 60 minutes. |
inactive seconds | (Optional) The number of seconds that an inactive entry will stay in the aggregation cache before it times out. The default is 15 seconds; the range is between 10 and 600 seconds. |
The default for cache entries is 4096.
The default for active cache entries is 30 minutes.
The default for inactive cache entries is 15 seconds.
Aggregation cache configuration
| Release | Modification |
|---|---|
12.0(3)T | This command was introduced. |
The following example shows how to set the aggregation cache entry limits:
cache entries 2046 cache timeout inactive 199
| Command | Description |
Enables an aggregation cache. | |
Enables aggregation cache export. | |
Enables aggregation cache configuration mode. | |
Displays aggregation cache contents. | |
Displays data export statistics. |
To enable a default aggregation cache, use the default interface configuration command.
default [cache | enabled | export]
cache | Configure NetFlow cache parameters. |
enabled | Enable the aggreation cache. |
export | Specify host/port to send flow statistics. |
No default behavior or values.
Aggregation cache configuration
| Release | Modification |
|---|---|
12.0(3)T | This command was introduced. |
The following example shows how to use the default command:
ip flow-aggregation cache as default enabled
| Command | Description |
Configures aggregation cache operational parameters. | |
Enables an aggregation cache. | |
Enables aggregation cache export. | |
Enables aggregation cache configuration mode. | |
Displays data export statistics |
To enable an aggregation cache, use the enabled interface configuration command.
enabledThis command has no keywords and arguments.
No default behavior or values.
Aggregation cache configuration
| Release | Modification |
|---|---|
12.0(3)T | This command was introduced. |
The following example shows how to use the enabled command:
enabled
| Command | Description |
Configures aggregation cache operational parameters. | |
Enables aggregation cache export. | |
Enables aggregation cache configuration mode. | |
Displays data export statistics |
To leave aggregation cache mode, use the exit aggregation cache configuration command.
exitThis command has no keywords and arguments.
No default behavior or values.
Aggregation cache configuration
| Release | Modification |
|---|---|
12.0(3)T | This command was introduced. |
The following example shows how to use the exit command:
exit
| Command | Description |
Configures aggregation cache operational parameters. | |
Enables an aggregation cache. | |
Enables aggregation cache export. | |
Enables aggregation cache configuration mode. | |
Displays data export statistics |
To enable the exporting of information from NetFlow aggregation caches, use the export destination aggregation cache configuration command.
To disable the exporting of NetFlow aggregation cache information, use the no form of this command.
export destination ip-address port
ip-address | Destination IP address. |
port | Destination UDP port. |
An export destination is not set.
Aggregation cache configuration
| Release | Modification |
|---|---|
12.0(3)T | This command was introduced. |
For version 8 data exports, the maximum number of aggregated flow records and the maximum byte size of each UDP datagram are as follows:
| Aggregation Scheme | Max. Number of Flow Records | UDP Packet Size |
|---|---|---|
BGP Autonomous System | 51 | 1456 bytes |
Destination Prefix | 44 | 1436 bytes |
Prefix | 35 | 1428 bytes |
Protocol Port | 51 | 1456 bytes |
Source Prefix | 44 | 1436 bytes |
The following example shows how to configure an export destination for an aggregation cache:
export destination 10.41.41.1 9992
| Command | Description |
Configures aggregation cache operational parameters. | |
Enables an aggregation cache. | |
Enables aggregation cache configuration mode. | |
Displays aggregation cache contents. | |
Displays data export statistics |
To enable aggregation cache configuration mode, use the ip flow-aggregation cache global configuration command.
To disable aggregation cache configuration mode, use the no form of this command.
ip flow-aggregation cache {as | destination-prefix | prefix | protocol-port | source-prefix}
as | Configures the autonomous system aggregation cache scheme. |
destination-prefix | Configures the Destination Prefix aggregation cache scheme. |
prefix | Configures the Prefix aggregation cache scheme. |
protocol-port | Configures the Protocol Port aggregation cache scheme. |
source-prefix | Configures the Source Prefix aggregation cache scheme. |
This command is not enabled by default.
Global configuration
| Release | Modification |
|---|---|
12.0(3)T | This command was introduced. |
The following example shows how to enable an autonomous system aggregation scheme:
ip flow-aggregation cache as enable
| Command | Description |
Configures aggregation cache operational parameters. | |
Enables an aggregation cache. | |
Enables aggregation cache export. | |
Displays aggregation cache contents. |
To display the aggregation cache configuration, use the show ip cache flow aggregation EXEC command.
show ip cache flow aggregation type
type | Displays a particular aggregation cache's configuration: autonomous system, destination prefix, prefix, protocol-port, or source prefix. |
No default behavior or values.
EXEC
| Release | Modification |
|---|---|
12.0(3)T | This command was introduced. |
The following example shows how to use the show ip cache flow aggregation command:
show ip cache flow aggregation as IP Flow Switching Cache, 278544 bytes 2 active, 4094 inactive, 13 added 178 ager polls, 0 flow alloc failures Src If Src AS Dst If Dst AS Flows Pkts B/Pk Active Fa1/0 0 Null 0 1 2 49 10.2 Fa1/0 0 Se2/0 20 1 5 100 0.0
| Command | Description |
Configures aggregation cache operational parameters. | |
Enables an aggregation cache. | |
Enables aggregation cache export. | |
Enables aggregation cache configuration mode. | |
Displays data export statistics. |
To display the statistics for the data export including the main cache and all other enabled caches, use the show ip flow export EXEC command.
show ip flow exportThis command has no keywords and arguments.
No default behavior or values.
EXEC
| Release | Modification |
|---|---|
11.1CC | This command was introduced. |
The following example shows how to use the show ip flow export command:
show ip flow export Flow export is enabled Exporting flows to 203.20.40.1 (9991) Version 5 flow records, peer-as 1136 flows exported in 917 udp datagrams 0 flows exported in 0 udp datagrams 0 flows failed due to lack of export packet 0 export packets were sent up to process level 0 export packets were dropped due to no fib 0 export packets were dropped due to adjacency issues 0 export packets were dropped enqueuing for the RP 0 export packets were dropped due to IPC rate limiting
| Command | Description |
Configures aggregation cache operational parameters. | |
Enables aggregation cache export. | |
Enables aggregation cache configuration mode. |
Posted: Mon Aug 2 15:49:57 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.