Date created: 04/12/17 11:52:22. Last modified: 03/28/18 16:55:15

7600 NetFlow

References:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-s/nf-15-s-book.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/15-s/fnf-15-s-book/fnetflow-overview.html
http://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/nde.html

NetFlow Overview:

NetFlow captures data from ingress (incoming) and egress (outgoing) packets. NetFlow gathers statistics for the following ingress IP packets:

  • IP-to-IP packets
  • IP-to-Multiprotocol Label Switching (MPLS) packets
  • Frame Relay-terminated packets
  • ATM-terminated packets

NetFlow captures data for all egress (outgoing) packets through the use of the following features:

  • Egress NetFlow Accounting - NetFlow gathers statistics for all egress packets for IP traffic only.
  • NetFlow MPLS Egress - NetFlow gathers statistics for all egress MPLS-to-IP packets.

A network flow is identified as a unidirectional stream of packets between a given source and destination - both are defined by a network-layer IP address and by transport-layer source and destination port numbers. Specifically, a flow is identified as the combination of the following key fields:

  • Source IP address
  • Destination IP address
  • Source port number
  • Destination port number
  • Layer 3 protocol type
  • Type of service (ToS)
  • Input logical interface

NetFlow Data Export format Version 9 is a flexible and extensible format, which provides the versatility needed for support of new fields and record types. This format accommodates new NetFlow-supported technologies such as Multicast, Multiprotocol Label Switching (MPLS), and Border Gateway Protocol (BGP) next hop.

To reduce the volume of statistics collected, use:

  • NetFlow Sampling, which reduces the number of statistics collected
  • NetFlow aggregation, which merges collected statistics

The NetFlow cache on the MSFC captures statistics for flows routed in software. The MSFC supports NetFlow aggregation for traffic routed in software. The NetFlow cache on the PFC captures statistics for flows routed in hardware. The PFC supports sampled NetFlow and NetFlow aggregation for traffic routed in hardware.

NetFlow traffic sampling is used on platforms that perform software-based NetFlow accounting, such as Cisco 7200 series routers and Cisco 7600 series MSFCs. NetFlow flow sampling is available on Cisco 7600 series routers for hardware-based NetFlow accounting on the PFCs and DFCs installed in the router.

Configuring NetFlow aggregation for the MSFC also configures it for the PFC and DFCs.

 

NetFlow and NDE Guidlines and Limitations/Restrictions:

  • You can configure per-interface NetFlow and QoS micro-policing on an interface. However, do not configure different flow mask types on an interface. Only a single flow mask type should be configured for per-interface NetFlow and microflow policy.
  • Beginning in Release 12.2SRB, the router supports both NDE flow mask and QoS flow mask; however, you cannot configure both types of flow masks on the same interface.
  • When NDE and multicast non-RPF are both enabled, NDE has the potential to lose statistics. This potential loss occurs because NetFlow and NDE are enabled globally for multicast flows, which means that the NetFlow table could overflow.
  • When you use the platform ip features sequential command on an interface, you must configure the interface-full flowmask feature. This enables the NDE to export the correct statistics, and avoids double accounting.
  • The following limitations apply to flow masks in per-interface mode:
    • You cannot configure different flow mask types for individual interfaces. Only a single flow mask type is supported for all interfaces configured for per-interface NetFlow or NDE.
    • The same flow mask is used for both routed (L3) and bridged (L2) NetFlow entries for NDE.
  • Cisco 7600 routers do not support Netflow in egress direction for unicast ip packets. (This is an EARL 7.5 limitation)
  • All PFCs (except the PFC3A) support NetFlow and NDE for bridged IP traffic.
  • NDE does not support Internetwork Packet Exchange (IPX) traffic.
  • The Policy Feature Card 3 (PFC3) does not use the NetFlow table for Layer 3 switching in hardware.
  • If the NetFlow table utilization exceeds these recommended utilization levels, there is an increased probability that there will be insufficient room to store statistics:
PFC 			Recommended NetFlow Table Utilization		Total NetFlow Table Capacity

PFC3CXL & PFC3BXL	235,520 (230K) entries				262,144 entries


PFC3C & PFC3BX 		117,760 (115K) entries				131,072 entries


PFC3A			65,536 (64K) entries				131,072 entries
  • No statistics are available for flows that are switched when the NetFlow table is full.
  • The Cisco 7600 series router uses the Netflow table to maintain information about flow-based features. Normally, the Feature Manager creates a Netflow table entry for a flow-based feature only on the line card where the flow ingresses. However, because TCP intercept is a global feature, the router creates an entry for each TCP intercept flow on each of the installed PFCs and DFCs, not just the ingress PFC or DFC. This means that the PFC or DFC where the TCP intercept flow ingresses will have a non-zero packet count, but the other PFC and the DFCs will have a count of zero packets for the flow. [CSCek47971]
  • The following IPv4 Netflow and NDE options are not available for IPv6 flows: [CSCek55571]
    • Aggregation support (ip flow-aggregation cache command)
    • Export of Layer 2 switched IPv6 flows
    • Netflow and NDE sampling
    • NDE filter support

Note: You must enable NetFlow on the MSFC Layer 3 interfaces to support NDE on the PFC and NDE on the MSFC.
Note: You must enable NDE on the MSFC to support NDE on the PFC.
Note: When you configure NAT and NDE on an interface, the PFC sends all traffic in fragmented packets to the MSFC to be processed in software. (CSCdz51590)
Note: NDE and NAT configuration on the same interface is not supported. NDE requires flows to age out periodicaly for it to export its statistics. NAT installs hardware shortcuts that do not age. Hence, NDE for NAT'd flows does not work correctly.
Note: If Netflow is enabled on the port channel, then the flow entries are created per port-channel interface. NetFlow entries are not created for each port channel member link and the NetFlow from member links will be part of the port-channel NetFlow.

All PFCs (except the PFC3A) support NetFlow and NDE for ingress bridged IP traffic.

  • For each VLAN where you want to enable NetFlow and NDE for bridged IP traffic, you must create a corresponding VLAN interface, assign an IP address to it, and issue the no shutdown command to bring the interface up.
  • When you enable NetFlow for bridged IP traffic on a VLAN, export of the bridged traffic is enabled by default as long as NDE is globally enabled.

Note: The capacity for NetFlow TCAM (IPv4) for PFC3A, PFC3B, and PFC3C is 128,000 entries. For  PFC3BXL and PFC3CXL, the capacity is 256,000 entries. Use the show platform hardware pfc mode command in order to check the PFC operating mode.

 

Examples:

1. If you plan to export NetFlow statistics, globally enable NDE on the router by issuing the following commands:
configure terminal
 ip flow-export destination <IP/Hostname>
 ip flow-export version <n>
 mls nde sender version <n> ! Without this enabled the router will only export flows for the MSFC which is mainly management traffic
 
2. Enable NetFlow on individual interfaces by issuing the following commands:
configure terminal
 interface x/x
  ip flow ingress
  mls netflow sampling ! Optional to enable sample NetFlow

Optional global commands for Bridged IP traffic:
ip flow ingress layer2-switched vlan 200 ! Enables NetFlow for Ingress Bridged IP Traffic in VLANs
ip flow export layer2-switched vlan 200 ! Enables NDE for Ingress Bridged IP Traffic in VLANs

It is wise to set static SNMP interface indexes if this has not already been done otherwise NetFlow after reboots will refer to inconsistant interfaces. Globally enter:
snmp-server ifindex persist

ip flow-cache entries <N> !? Specifies the maximum number of entries to be captured for the main flow cache
ip flow-cache timeout active <N> !? the number of minutes that an entry is active in the main cache
ip flow-cache timeout inactive <N> !? the number of seconds that an inactive entry will stay in the main cache before it times out

ip flow-export version 9 origin-as bgp-nexthop  ! Enable bgp-nexthop accounting
ip flow-aggregation cache bgp-nexthop-tos       ! Also required for bgp-nexthop accounting, to aggregate the flow data (on the router) by BGP Next-Hop

mpls netflow egress ! Interface command to gather label disposition traffic stats (not supported on 7600

Example 7600 config to enabled NetFlow v9 exporting and ingress NetFlow on a single interface:

conf t
 snmp-server ifindex persist                      ! Ensure consistant SNMP interface indexes
 no mls sampling                                  ! Disable sampled NetFlow to use "full" NetFlow
 mls flow ip interface-full                       ! Configure global flow-mask value
 ! mls nde sender version 7                       ! Enable NDE globally
 ! The command below is used to enable NetFlow version 9 exporting, it overrides the command above
 ip flow-export version 9 origin-as bgp-nexthop   ! Enable bgp-nexthop accounting
 ip flow-export destination 1.2.3.4 4444 vrf mgmt ! Configure NDE destination
 ip flow-export source gi3/17                     ! NDE source interface

 int gi3/18
  no mls netflow sampling                         ! Ensure sampled NetFlow is disable to use "full" NetFlow
  ip flow ingress                                 ! Enable ingress NetFlow accounting
  ! ip flow engress                               ! Not support on 7600
  exit

 

Checking:

Check the flow mask (this is applied to all interface NetFlow is enabled on):
show mls netflow flowmask

Check the aging timers:
show mls netflow aging

Check the NDE details:
show mls nde
show ip flow export

Check NetFlow an NDE are enabled for the interface:
show ip interface gig2/9

Check the number of flows present in the TCAM:
show mls netflow ip count

To display NetFlow aggregation cache information for the PFC or DFCs, perform this task:
 show ip cache flow aggregation { as | destination-prefix | prefix | protocol-port | source-prefix) module slot_num
 show mls netflow aggregation flowmask (might be deprecated?)

To keep the NetFlow cache size below the recommended utilization, enable the following parameters when using the mls aging command:
normal - Configures the wait before aging out and deleting entries that are not covered by fast or long aging.
fast aging - Configures an efficient process to age out entries created for flows that only switch a few packets, and then are never used again. The fast aging parameter uses the time keyword value to check if at least the threshold keyword value of packets have been switched for each flow. If a flow has not switched the threshold number of packets during the time interval, then the entry is aged out.
long - Configures the aging time for deleting entries that are always in use. Long aging is used to prevent counter wraparound, which can cause inaccurate statistics.

If you need to enable MLS fast aging time, initially set the value to 128 seconds. If the size of the NetFlow cache continues to grow over the recommended utilization, decrease the setting until the cache size stays below the recommended utilization. If the cache continues to grow over the recommended utilization, decrease the normal MLS aging time.

mls aging {fast [threshold { 1-128 } | time { 1-128 }] | long 64-1920 | normal 32-4092 }