Using NetFlow, network administrators can efficiently monitor bandwidth usage for capacity planning and resource allocation. Until now, NetFlow monitoring was supported only on Cisco high-end switches, such as the Cisco Catalyst 3K, 4K, and 6K series. Cisco NetFlow-Lite is a lightweight, packet-based sampling technology for monitoring switched traffic on widely deployed access switches. With Cisco NetFlow-Lite, administrators can now easily monitor bandwidth across a broader range of Cisco switches.
NetFlow-Lite is currently supported on the Cisco Catalyst 2960-X and 4948E. It can export in NetFlow Version 9 or IPFIX format. At present only ingress (input) monitoring is available. NetFlow-Lite also exports new fields such as MAC addresses and option templates; these are not yet shown in the NetFlow Analyzer UI, but may be in a future release.
Unlike traditional NetFlow, sampling is mandatory for NetFlow-Lite. Two sampling modes are available, deterministic and random. Random sampling can be applied to all interfaces; deterministic sampling is supported only on a limited number of interfaces per device. Because every counter the switch exports comes from a sample, the collector must scale bytes and packets by the sampling rate to estimate actual volume, and short flows of a few packets can be missed entirely. NetFlow-Lite is therefore well suited to bandwidth accounting, but less so to per-flow security detection at aggressive sampling rates.
You can use the following commands to configure the switch to export NetFlow-Lite flows to a NetFlow Analyzer server. These commands apply to Cisco IOS 15.0(2)EX1.
Switch(config)# flow record NfliteRecord
Switch(config-flow-record)# collect counter bytes long
Switch(config-flow-record)# collect counter packets long
Switch(config-flow-record)# collect flow sampler
Switch(config-flow-record)# collect interface input
Switch(config-flow-record)# collect timestamp sys-uptime first
Switch(config-flow-record)# collect timestamp sys-uptime last
Switch(config-flow-record)# collect transport tcp flags ack
Switch(config-flow-record)# collect transport tcp flags fin
Switch(config-flow-record)# collect transport tcp flags rst
Switch(config-flow-record)# match datalink ethertype
Switch(config-flow-record)# match datalink mac source address input
Switch(config-flow-record)# match datalink mac destination address input
Switch(config-flow-record)# match ipv4 protocol
Switch(config-flow-record)# match ipv4 destination address
Switch(config-flow-record)# match ipv4 source address
Switch(config-flow-record)# match ipv4 tos
Switch(config-flow-record)# match ipv6 protocol // optional : for IPv6 only
Switch(config-flow-record)# match ipv6 destination address // optional : for IPv6 only
Switch(config-flow-record)# match ipv6 source address // optional : for IPv6 only
Switch(config-flow-record)# match ipv6 tos // optional : for IPv6 only
Switch(config-flow-record)# match transport destination-port
Switch(config-flow-record)# match transport source-port
Switch(config)# flow exporter NfliteExporter
Switch(config-flow-exporter)# destination 10.10.10.10 // NetFlow Analyzer server IP
Switch(config-flow-exporter)# export-protocol netflow-v9
Switch(config-flow-exporter)# option interface-table
Switch(config-flow-exporter)# option exporter-stats
Switch(config-flow-exporter)# option sampler-table
Switch(config-flow-exporter)# source loopback 0 // source interface can be any L3 interface
Switch(config-flow-exporter)# template data timeout 60
Switch(config-flow-exporter)# transport udp 9996
Switch(config)# flow monitor NfliteMonitor
Switch(config-flow-monitor)# record NfliteRecord
Switch(config-flow-monitor)# exporter NfliteExporter
Switch(config-flow-monitor)# cache timeout active 60
Switch(config-flow-monitor)# cache timeout inactive 15
Switch(config-flow-monitor)# cache type normal
Switch(config-flow-monitor)# statistics packet protocol
Switch(config)# sampler NfliteSampler
Switch(config-sampler)# mode random 1 out-of 32 // N in "1 out-of N" can be 32 to 1022
Switch(config)# interface gigabitethernet 0/0
Switch(config-if)# ip flow monitor NfliteMonitor sampler NfliteSampler input // Repeat on every interface to be monitored.
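Every byte and packet count a NetFlow-Lite switch exports is a sampled value, so a collector that reads IN_BYTES as-is under-reports by the sampling rate; the "option sampler-table" line in the exporter above exists precisely so the collector can learn N and scale. The following is an added example, not NetFlow Analyzer or Cisco code: a minimal NetFlow v9 collector that records the sampler table from option data records, scales each flow's counters by the 1-out-of-N interval, and counts data that arrives before its template (the situation that "template data timeout 60" bounds). The packet it parses is constructed inline rather than captured; the field type IDs are the standard v9 ones, but the field lengths chosen for the constructed template (for example a 2-byte FLOW_SAMPLER_ID) are assumptions, not necessarily what the switch sends.

```python
"""Minimal NetFlow v9 collector that scales sampled counters by the exporter's sampler table.
Added example, not NetFlow Analyzer or Cisco code; sample packet below is constructed, not captured."""
import ipaddress
import struct

# NetFlow v9 field type IDs (RFC 3954, section 8); type 1 is also the "System" option scope
IN_BYTES, IN_PKTS, PROTOCOL, L4_SRC_PORT, IPV4_SRC_ADDR = 1, 2, 4, 7, 8
INPUT_SNMP, L4_DST_PORT, IPV4_DST_ADDR = 10, 11, 12
FLOW_SAMPLER_ID, FLOW_SAMPLER_MODE, FLOW_SAMPLER_RANDOM_INTERVAL = 48, 49, 50


def be(b: bytes) -> int:
    return int.from_bytes(b, "big")


class V9Collector:
    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> (fields, is_option_template)
        self.samplers = {}    # (source_id, sampler_id) -> N of "mode random 1 out-of N"
        self.flows = []       # decoded flow dicts; est_* are the sampled counters times N
        self.undecodable = 0  # data flowsets that arrived before their template

    def feed(self, pkt: bytes) -> None:
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9: version {version}")
        off = 20
        while off + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
            if fs_len < 4:    # never spin on a malformed zero-length flowset
                raise ValueError("bad flowset length")
            body = pkt[off + 4:off + fs_len]
            if fs_id in (0, 1):
                self._templates(source_id, body, is_option=(fs_id == 1))
            elif fs_id >= 256:
                self._data(source_id, fs_id, body)
            off += fs_len

    def _templates(self, sid: int, body: bytes, is_option: bool) -> None:
        hdr, hlen = ("!HHH", 6) if is_option else ("!HH", 4)   # option header: id, scope len, option len
        off = 0
        while off + hlen <= len(body):
            h = struct.unpack(hdr, body[off:off + hlen])
            if h[0] < 256:    # trailing zero padding, not a template id
                break
            off += hlen
            nfields = (h[1] + h[2]) // 4 if is_option else h[1]
            fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(sid, h[0])] = (fields, is_option)

    def _data(self, sid: int, tid: int, body: bytes) -> None:
        entry = self.templates.get((sid, tid))
        if entry is None:
            self.undecodable += 1   # v9 gives no way to decode data whose template has not arrived
            return
        fields, is_option = entry
        rec_len, off = sum(flen for _, flen in fields), 0
        while rec_len and off + rec_len <= len(body):
            rec = {}
            for ftype, flen in fields:
                rec[ftype] = body[off:off + flen]
                off += flen
            if not is_option:
                self._flow(sid, rec)
            elif FLOW_SAMPLER_ID in rec and FLOW_SAMPLER_RANDOM_INTERVAL in rec:   # sampler-table record
                self.samplers[(sid, be(rec[FLOW_SAMPLER_ID]))] = be(rec[FLOW_SAMPLER_RANDOM_INTERVAL])

    def _flow(self, sid: int, rec: dict) -> None:
        n = self.samplers.get((sid, be(rec[FLOW_SAMPLER_ID]))) if FLOW_SAMPLER_ID in rec else None
        sb, sp = be(rec[IN_BYTES]), be(rec[IN_PKTS])
        self.flows.append({
            "src": str(ipaddress.IPv4Address(rec[IPV4_SRC_ADDR])), "sport": be(rec[L4_SRC_PORT]),
            "dst": str(ipaddress.IPv4Address(rec[IPV4_DST_ADDR])), "dport": be(rec[L4_DST_PORT]),
            "proto": be(rec[PROTOCOL]), "sampled_bytes": sb, "sampled_pkts": sp,
            "interval": n,   # None until the sampler table is seen; volumes are unusable until then
            "est_bytes": sb * n if n else None, "est_pkts": sp * n if n else None})


def _flowset(fs_id: int, payload: bytes) -> bytes:
    payload += b"\0" * (-len(payload) % 4)   # flowsets are padded to a 32-bit boundary
    return struct.pack("!HH", fs_id, 4 + len(payload)) + payload


def build_sample_packet() -> bytes:
    """Constructed export: data template 256, sampler option template 257, one sampler-table
    record (random, 1 out-of 32), then two sampled flow records. Not a real capture."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    data_fields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
                   (PROTOCOL, 1), (INPUT_SNMP, 4), (FLOW_SAMPLER_ID, 2), (IN_BYTES, 8), (IN_PKTS, 8)]
    tmpl = struct.pack("!HH", 256, len(data_fields)) + b"".join(struct.pack("!HH", *f) for f in data_fields)
    opt_fields = [(1, 4), (FLOW_SAMPLER_ID, 2), (FLOW_SAMPLER_MODE, 1), (FLOW_SAMPLER_RANDOM_INTERVAL, 4)]
    opt_tmpl = struct.pack("!HHH", 257, 4, 12) + b"".join(struct.pack("!HH", *f) for f in opt_fields)
    sampler = struct.pack("!IHBI", 0, 1, 2, 32)   # scope System=0, sampler id 1, mode 2 (random), N=32
    flows = struct.pack("!4s4sHHBIHQQ", ip("10.0.0.5"), ip("192.0.2.10"), 51514, 443, 6, 10101, 1, 1500, 3)
    flows += struct.pack("!4s4sHHBIHQQ", ip("10.0.0.7"), ip("192.0.2.53"), 40000, 53, 17, 10102, 1, 80, 1)
    header = struct.pack("!HHIIII", 9, 5, 100000, 1700000000, 1, 0)
    return header + _flowset(0, tmpl) + _flowset(1, opt_tmpl) + _flowset(257, sampler) + _flowset(256, flows)
```

Feeding the same packet with the sampler-table flowset removed leaves "interval" and "est_bytes" at None rather than silently reporting one thirty-second of the traffic, and feeding the data flowset before any template increments "undecodable"; a real collector simply waits for the exporter to resend templates at the configured timeout. Note also that NetFlow v9 carries no authentication: anything that can reach UDP port 9996 on the collector can inject templates and flow records under any source ID, so restrict that port to the exporters' configured source addresses and compare collector totals against the switch's own exporter statistics when validating the setup.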