tech:network:cisco:netflow:netflow
Table of Contents
NetFlow
NetFlow Collector Setup
Initial config
- R1
int loopback 0 ip addr 172.16.255.1 255.255.255.255 exit
R1(config-if)#do sh int lo0
Loopback0 is up, line protocol is up
Hardware is Loopback
Internet address is 172.16.255.1/32
MTU 1514 bytes, BW 8000000 Kbit/sec, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation LOOPBACK, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
R1(config)#do ping 172.16.2.245 source lo0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.2.245, timeout is 2 seconds: Packet sent with a source address of 172.16.255.1 ...
Add specific route.
✘╹◡╹✘ 18-06-15 9:03:08 /home/wnoguchi % sudo ip route add 172.16.255.1/32 via 172.16.2.1 ✘╹◡╹✘ 18-06-15 9:05:48 /home/wnoguchi % ip ro default via 192.168.10.1 dev enp3s0 proto static metric 100 169.254.0.0/16 dev enx84afec739c0a scope link metric 1000 172.16.2.0/24 dev enx84afec739c0a proto kernel scope link src 172.16.2.245 172.16.255.2 via 172.16.2.1 dev enx84afec739c0a 192.168.10.0/24 dev enp3s0 proto kernel scope link src 192.168.10.21 metric 100 ✘╹◡╹✘ 18-06-15 9:07:05 /home/wnoguchi % ping 172.16.255.2 PING 172.16.255.2 (172.16.255.2) 56(84) bytes of data. From 172.16.2.1 icmp_seq=1 Destination Host Unreachable From 172.16.2.1 icmp_seq=2 Destination Host Unreachable From 172.16.2.1 icmp_seq=3 Destination Host Unreachable ^C --- 172.16.255.2 ping statistics --- 3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2003ms
still failing
R1(config)#do ping 172.16.2.245 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.245, timeout is 2 seconds:
Packet sent with a source address of 172.16.255.1
.....
Success rate is 0 percent (0/5)
R1(config)#do sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.2.0/24 is directly connected, FastEthernet0/0
L 172.16.2.1/32 is directly connected, FastEthernet0/0
C 172.16.255.1/32 is directly connected, Loopback0
O 192.168.10.0/24 [110/2] via 172.16.2.2, 00:46:48, FastEthernet0/0
route wrong…
172.16.255.2/32
correct
172.16.255.1/32
sudo ip route del 172.16.255.2/32 via 172.16.2.1 sudo ip route add 172.16.255.1/32 via 172.16.2.1
✘╹◡╹✘ 18-06-15 9:11:51 /home/wnoguchi % ip ro default via 192.168.10.1 dev enp3s0 proto static metric 100 169.254.0.0/16 dev enx84afec739c0a scope link metric 1000 172.16.2.0/24 dev enx84afec739c0a proto kernel scope link src 172.16.2.245 172.16.255.1 via 172.16.2.1 dev enx84afec739c0a 192.168.10.0/24 dev enp3s0 proto kernel scope link src 192.168.10.21 metric 100
R1(config)#do ping 172.16.2.245 source lo0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.2.245, timeout is 2 seconds: Packet sent with a source address of 172.16.255.1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Success!! GoGoGo!!!
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#inter
R1(config)#interface f0/1
R1(config-if)#ip flo
R1(config-if)#ip flow in
R1(config-if)#ip flow ingress
R1(config-if)#ip flo
R1(config-if)#ip flow eg
R1(config-if)#ip flow egress
R1(config-if)#ip flo
R1(config-if)#ip flow ver
R1(config-if)#ip flow versi
R1(config-if)#exit
R1(config)#ip flo
R1(config)#ip flow-ver
R1(config)#ip flow-ex
R1(config)#ip flow-export ver
R1(config)#ip flow-export version 5
R1(config)#ip flow-export version ?
1
5
9
R1(config)#ip flow-export version 5
R1(config)#ip flo
R1(config)#ip flow-exp
R1(config)#ip flow-export desti
R1(config)#ip flow-export destination 172.16.2.222 2055
R1(config)#ip flo
R1(config)#ip flow-ex
R1(config)#ip flow-export sour
R1(config)#ip flow-export source lo
R1(config)#ip flow-export source loo
R1(config)#ip flow-export source loopback 0
^
% Invalid input detected at '^' marker.
int loopback 0 ip addr 172.16.255.1 255.255.255.255 exit
sudo ip route add 172.16.255.1/32 via 172.16.2.1
do ping 172.16.2.222 source lo0
R1(config)#int loopback 0
R1(config-if)#ip addr 172.16.255.1 255.255.255.255
R1(config-if)#exit
R1(config)#
000022: Jun 28 08:26:45.731 JST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R1(config)#do ping 172.16.2.222 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.222, timeout is 2 seconds:
Packet sent with a source address of 172.16.255.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1(config)#iip flo
R1(config)#ip flow-ca
R1(config)#ip flow-cac
R1(config)#ip flow-cache etnr
R1(config)#ip flow-cache etnri
R1(config)#ip flow-cache entr
R1(config)#ip flow-cache entries ?
<1024-524288> Entries
R1(config)#ip flow-cache entries 64536
%The change in number of entries will take effect after either
the next reboot or when netflow is turned off on all interfaces.
R1(config)#ip flow-cache time
R1(config)#ip flow-cache timeout ac
R1(config)#ip flow-cache timeout active ?
<1-60> Timeout in minutes
R1(config)#ip flow-cache timeout active 30
R1(config)#ip flo
R1(config)#ip flow-cach
R1(config)#ip flow-cache tim
R1(config)#ip flow-cache timeout ina
R1(config)#ip flow-cache timeout inactive 20
R1(config)#ip flow-cache timeout active 60
R1(config)#ip flow-cache timeout inactive _?
% Unrecognized command
R1(config)#ip flow-cache timeout inactive ?
<10-600> Timeout in seconds
R1(config)#ip flow-cache entr
R1(config)#ip flow-cache entries 129072
%The change in number of entries will take effect after either
the next reboot or when netflow is turned off on all interfaces.
R1(config)#ip flow-cache timeout active 60
R1(config)#ip flow-cache timeout inactive 20
R1# sh ip cache flow
IP packet size distribution (109275 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .443 .079 .029 .008 .008 .012 .006 .007 .017 .001 .002 .010 .009 .005
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.007 .002 .010 .029 .306 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
43 active, 4053 inactive, 9721 added
278793 ager polls, 0 flow alloc failures
Active flows timeout in 60 minutes
Inactive flows timeout in 20 seconds
IP Sub Flow Cache, 34056 bytes
43 active, 981 inactive, 9531 added, 9531 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-WWW 985 0.0 7 393 0.0 1.7 10.0
TCP-other 5916 0.0 12 549 0.4 7.3 12.5
UDP-NTP 146 0.0 1 76 0.0 0.0 15.6
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
UDP-other 2631 0.0 9 531 0.1 11.4 15.6
Total: 9678 0.0 11 534 0.5 7.7 13.1
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/0 192.168.10.17 Fa0/1* 162.125.34.129 06 F42D 01BB 4
Fa0/1 52.88.58.240 Fa0/0 192.168.10.17 06 01BB F3DC 4
Fa0/1 104.244.42.65 Fa0/0 192.168.10.17 06 01BB F40B 1
Fa0/1 52.69.69.136 Fa0/0 192.168.10.17 06 01BB F206 194
Fa0/1 172.217.161.78 Fa0/0 192.168.10.17 11 01BB EBC0 21
Fa0/0 192.168.10.17 Fa0/1* 52.69.69.136 06 F0CC 01BB 179
Fa0/1 64.233.188.125 Fa0/0 192.168.10.17 06 1466 C04E 1
Fa0/0 192.168.10.17 Fa0/1* 23.44.230.53 06 C652 01BB 14
Fa0/0 192.168.10.17 Fa0/1* 104.244.42.65 06 F40B 01BB 1
Fa0/0 192.168.10.17 Fa0/1* 162.125.34.129 06 F613 01BB 3
Fa0/0 192.168.10.17 Fa0/1* 52.69.69.136 06 F206 01BB 176
Fa0/1 52.69.69.136 Fa0/0 192.168.10.17 06 01BB F0CC 83
Fa0/0 192.168.10.17 Fa0/1* 162.125.82.3 06 F7A1 01BB 26
Fa0/0 192.168.10.17 Fa0/1* 162.125.34.6 06 F79D 01BB 2
Fa0/1 162.125.82.3 Fa0/0 192.168.10.17 06 01BB F7A1 25
Fa0/0 192.168.10.17 Fa0/1* 64.233.188.189 11 EF44 01BB 383
Fa0/1 52.69.69.136 Fa0/0 192.168.10.17 06 01BB F68B 142
Fa0/1 162.125.34.129 Fa0/0 192.168.10.17 06 01BB F613 3
Fa0/0 192.168.10.17 Fa0/1* 64.233.188.125 06 DC2B 1466 2
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/0 192.168.10.17 Fa0/1* 172.217.161.78 11 C46E 01BB 9
Fa0/1 64.233.189.189 Fa0/0 192.168.10.17 11 01BB E462 30
Fa0/1 162.125.34.129 Fa0/0 192.168.10.17 06 01BB F42D 4
Fa0/0 192.168.10.17 Fa0/1* 52.69.69.136 06 F68B 01BB 221
Fa0/1 8.8.4.4 Local 192.168.10.17 11 0035 C46D 1
Fa0/1 108.177.125.189 Fa0/0 192.168.10.17 11 01BB EA8F 39
Fa0/0 192.168.10.17 Fa0/1* 52.88.58.240 06 F3DC 01BB 5
Fa0/0 192.168.10.17 Fa0/1* 64.233.188.125 06 C04E 1466 1
Fa0/1 192.168.10.27 Null 192.168.10.255 11 445C 445C 1
Fa0/0 192.168.10.17 Fa0/1* 172.217.161.78 11 EBC0 01BB 21
Fa0/1 162.125.80.4 Fa0/0 192.168.10.17 06 01BB F7A2 4
Fa0/1 162.125.80.3 Fa0/0 192.168.10.17 06 01BB F7A3 23
Fa0/1 8.8.8.8 Local 192.168.10.17 11 0035 C46D 1
Fa0/1 52.69.69.136 Fa0/0 192.168.10.17 06 01BB EFCD 120
Fa0/1 23.44.230.53 Fa0/0 192.168.10.17 06 01BB C652 14
Fa0/0 192.168.10.17 Fa0/1* 108.177.125.189 11 EA8F 01BB 30
Fa0/1 64.233.188.189 Fa0/0 192.168.10.17 11 01BB EF44 414
Fa0/0 192.168.10.17 Fa0/1* 162.125.80.4 06 F7A2 01BB 4
Fa0/0 192.168.10.17 Fa0/1* 162.125.80.3 06 F7A3 01BB 21
Fa0/1 64.233.188.125 Fa0/0 192.168.10.17 06 1466 DC2B 2
Fa0/1 172.217.161.78 Fa0/0 192.168.10.17 11 01BB C46E 10
Fa0/0 192.168.10.17 Fa0/1* 64.233.189.189 11 E462 01BB 138
Fa0/0 192.168.10.17 Fa0/1* 52.69.69.136 06 EFCD 01BB 176
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/1 192.168.10.27 Null 255.255.255.255 11 445C 445C 1
R1#sh ip cache verbose flow
IP packet size distribution (109811 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .443 .079 .029 .008 .008 .012 .006 .007 .017 .001 .002 .011 .009 .005
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.007 .002 .010 .029 .305 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
39 active, 4057 inactive, 9793 added
283052 ager polls, 0 flow alloc failures
Active flows timeout in 60 minutes
Inactive flows timeout in 20 seconds
IP Sub Flow Cache, 34056 bytes
39 active, 985 inactive, 9603 added, 9603 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-WWW 985 0.0 7 393 0.0 1.7 10.0
TCP-other 5974 0.0 12 548 0.4 7.2 12.6
UDP-NTP 148 0.0 1 76 0.0 0.0 15.7
UDP-other 2647 0.0 9 530 0.1 11.4 15.6
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Total: 9754 0.0 10 533 0.5 7.7 13.2
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Fa0/0 192.168.10.17 Fa0/1* 52.230.80.159 06 00 18 2
CCFD /32 0 01BB /0 0 192.168.10.1 66 0.0
FFlags: 01
Fa0/1 52.88.58.240 Fa0/0 192.168.10.17 06 00 18 3
01BB /0 0 F3DC /24 0 172.16.2.123 312 0.1
Fa0/0 192.168.10.17 Fa0/1* 54.231.185.52 06 00 1A 18
F7AA /32 0 01BB /0 0 192.168.10.1 118 10.2
FFlags: 01
Fa0/1 52.69.69.136 Fa0/0 192.168.10.17 06 00 18 202
01BB /0 0 F206 /24 0 172.16.2.123 280 1845.7
Fa0/1 172.217.161.78 Fa0/0 192.168.10.17 11 00 10 12
01BB /0 0 CB98 /24 0 172.16.2.123 455 15.1
Fa0/1 172.217.161.78 Fa0/0 192.168.10.17 11 00 10 37
01BB /0 0 EBC0 /24 0 172.16.2.123 210 101.0
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Fa0/0 192.168.10.17 Fa0/1* 52.69.69.136 06 00 18 188
F0CC /32 0 01BB /0 0 192.168.10.1 77 1170.1
FFlags: 01
Fa0/1 64.233.188.125 Fa0/0 192.168.10.17 06 00 10 1
1466 /0 0 C04E /24 0 172.16.2.123 40 0.0
Fa0/1 8.8.8.8 Local 192.168.10.17 11 00 10 1
0035 /0 0 EE6E /0 0 0.0.0.0 188 0.0
Fa0/0 192.168.10.17 Fa0/1* 23.44.230.53 06 00 18 20
C652 /32 0 01BB /0 0 192.168.10.1 53 180.0
FFlags: 01
Fa0/0 192.168.10.17 Fa0/1* 162.125.34.129 06 00 18 3
F613 /32 0 01BB /0 0 192.168.10.1 389 0.1
FFlags: 01
Fa0/1 52.230.80.159 Fa0/0 192.168.10.17 06 00 18 1
01BB /0 0 CCFD /24 0 172.16.2.123 210 0.0
Fa0/0 192.168.10.17 Fa0/1* 52.69.69.136 06 00 18 188
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip flo
R1(config)#ip flow-aggre
R1(config)#ip flow-aggregation ca
R1(config)#ip flow-aggregation cache ?
as AS aggregation
as-tos AS-TOS aggregation
bgp-nexthop-tos BGP nexthop TOS aggregation
destination-prefix Destination Prefix aggregation
destination-prefix-tos Destination Prefix TOS aggregation
prefix Prefix aggregation
prefix-port Prefix-port aggregation
prefix-tos Prefix-TOS aggregation
protocol-port Protocol and port aggregation
protocol-port-tos Protocol, port and TOS aggregation
source-prefix Source Prefix aggregation
source-prefix-tos Source Prefix TOS aggregation
R1(config)#ip flow-aggregation cache as
R1(config-flow-cache)#enable
R1(config-flow-cache)#^Z
R1#
000024: Jun 29 07:45:57.134 JST: %SYS-5-CONFIG_I: Configured from console by console
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip flow-aggregation cache as
R1(config-flow-cache)#enabled
R1(config-flow-cache)#enabled
R1(config-flow-cache)#enabled
R1(config-flow-cache)#^Z
R1#
000025: Jun 29 07:46:14.597 JST: %SYS-5-CONFIG_I: Configured from console by console
R1#sh ip cac
R1#sh ip cache flo
R1#sh ip cache flow aggr
R1#sh ip cache flow aggregation as
IP Flow Switching Cache, 278544 bytes
3 active, 4093 inactive, 4 added
123 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
3 active, 1021 inactive, 4 added, 4 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
Src If Src AS Dst If Dst AS Flows Pkts B/Pk Active
Fa0/1 0 Fa0/0 0 20 61 177 87.8
Fa0/0 0 Fa0/1 0 23 66 336 94.8
Fa0/1 0 Null 0 2 2 77 0.0
R1#sh ip flo
R1#sh ip flow ca
R1#sh ip cach
R1#sh ip cache flow
IP packet size distribution (1476716 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .441 .084 .033 .006 .005 .010 .007 .008 .017 .002 .002 .007 .006 .004
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.006 .001 .005 .023 .323 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
29 active, 4067 inactive, 99062 added
4597979 ager polls, 0 flow alloc failures
Active flows timeout in 60 minutes
Inactive flows timeout in 20 seconds
IP Sub Flow Cache, 34056 bytes
29 active, 995 inactive, 98872 added, 98872 added to flow
0 alloc failures, 0 force free
1 chunk, 2 chunks added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-WWW 4262 0.0 11 578 0.1 2.0 11.8
TCP-other 59740 0.2 18 594 4.3 17.1 16.5
UDP-NTP 2616 0.0 1 76 0.0 0.0 20.2
R1#show ip cache flow aggregation ?
as AS aggregation cache
as-tos AS TOS aggregation cache
bgp-nexthop-tos BGP nexthop TOS aggregation cache
destination-prefix Destination Prefix aggregation cache
destination-prefix-tos Destination Prefix TOS aggregation cache
prefix Source/Destination Prefix aggregation cache
prefix-port Source/Destination Prefix port aggregation cache
prefix-tos Source/Destination Prefix TOS aggregation cache
protocol-port Protocol and port aggregation cache
protocol-port-tos Protocol, port, TOS aggregation cache
source-prefix Source Prefix aggregation cache
source-prefix-tos Source Prefix TOS aggregation cache
R1#conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#ip flow R1(config)#ip flow-to R1(config)#ip flow-top-talkers R1(config-flow-top-talkers)#top R1(config-flow-top-talkers)#top 10 R1(config-flow-top-talkers)#sort R1(config-flow-top-talkers)#sort-by by R1(config-flow-top-talkers)#sort-by bytes R1(config-flow-top-talkers)#cach R1(config-flow-top-talkers)#cache-timeout 3000 R1(config-flow-top-talkers)#^Z R1# 000026: Jun 29 07:48:50.524 JST: %SYS-5-CONFIG_I: Configured from console by console R1#sh ip flo R1#sh ip flow to R1#sh ip flow top-talkers SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes Fa0/0 192.168.10.17 Fa0/1* 108.177.125.189 11 FD27 01BB 124K Fa0/1 108.177.125.189 Fa0/0 192.168.10.17 11 01BB FD27 91K Fa0/1 52.69.69.136 Fa0/0 192.168.10.17 06 01BB DE07 70K Fa0/1 52.69.69.136 Fa0/0 192.168.10.17 06 01BB DE0E 68K Fa0/1 52.69.69.136 Fa0/0 192.168.10.17 06 01BB DE1C 63K Fa0/1 184.30.153.136 Fa0/0 192.168.10.17 06 01BB E8AA 40K Fa0/0 192.168.10.17 Fa0/1* 52.69.69.136 06 DE07 01BB 28K Fa0/0 192.168.10.17 Fa0/1* 52.69.69.136 06 DE0E 01BB 28K Fa0/1 52.69.69.136 Fa0/0 192.168.10.17 06 01BB D9A9 25K Fa0/0 192.168.10.17 Fa0/1* 52.69.69.136 06 DE1C 01BB 25K 10 of 10 top talkers shown. 39 flows processed.
108.177.125.189 is Google.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip flo
R1(config)#ip flow-to
R1(config)#ip flow-top-talkers
R1(config)#ip flow-top-talkers
R1(config-flow-top-talkers)#top
R1(config-flow-top-talkers)#top 10
R1(config-flow-top-talkers)#sor
R1(config-flow-top-talkers)#sort-by by
R1(config-flow-top-talkers)#sort-by bytes
R1(config-flow-top-talkers)#ma
R1(config-flow-top-talkers)#match so
R1(config-flow-top-talkers)#match source add
R1(config-flow-top-talkers)#match source address 172.16.2.123 255.255.255.0
R1(config-flow-top-talkers)#cach
R1(config-flow-top-talkers)#cache-timeout 3000
R1(config-flow-top-talkers)#^Z
R1#
000027: Jun 29 07:53:30.396 JST: %SYS-5-CONFIG_I: Configured from console by console
R1#sh ip flo
R1#sh ip flow top-tal
R1#sh ip flow top-talkers
% There are no matching flows to show
R1#sh ip flow top-talkers
% There are no matching flows to show
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#top 10
^
% Invalid input detected at '^' marker.
R1(config)#ip flo
R1(config)#ip flow-top
R1(config)#ip flow-top-talkers
R1(config-flow-top-talkers)#ma
R1(config-flow-top-talkers)#match sou
R1(config-flow-top-talkers)#match source 172.16.2.123 255.255.255.255
^
% Invalid input detected at '^' marker.
R1(config-flow-top-talkers)#match source addre 172.16.2.123 255.255.255.255
R1(config-flow-top-talkers)#match source addre 172.16.2.123 255.255.255.255
R1(config-flow-top-talkers)#^Z
R1#
000028: Jun 29 07:55:40.542 JST: %SYS-5-CONFIG_I: Configured from console by console
R1#sh ip flow top-talkers
% There are no matching flows to show
R1#sh ip flow top-talkers
% No top talkers
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int f0/0
R1(config-if)#no ip flo
R1(config-if)#no ip flow in
R1(config-if)#no ip flow ingress
R1(config-if)#no ip flow eg
R1(config-if)#no ip flow egress
R1(config-if)#exit
R1(config)#int f0/1
R1(config-if)#no ip flow egress
R1(config-if)#no ip flow ingress
R1(config-if)#exit
R1(config)#int f0/0
R1(config-if)#ip flow egress
R1(config-if)#ip flow ingress
R1(config-if)#^Z
R1#
000029: Jun 29 08:08:35.268 JST: %SYS-5-CONFIG_I: Configured from console by console
R1#sh ip flo
R1#sh ip flow top
R1#sh ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Fa0/0 172.16.2.123 Fa0/1 52.43.28.40 06 EA93 01BB 971
Fa0/0 172.16.2.123 Fa0/1 108.177.125.189 11 FD27 01BB 941
Fa0/0 172.16.2.123 Fa0/1 172.217.27.78 11 E2D1 01BB 388
Fa0/0 172.16.2.123 Fa0/1 52.69.69.136 06 D9A9 01BB 286
Fa0/0 172.16.2.123 Fa0/1 52.69.69.136 06 DE1C 01BB 156
Fa0/0 172.16.2.123 Fa0/1 52.69.69.136 06 DE0E 01BB 156
Fa0/0 172.16.2.123 Null 8.8.4.4 01 0000 0303 130
Fa0/0 172.16.2.123 Null 192.168.10.21 06 EF84 0050 104
Fa0/0 172.16.2.123 Fa0/1 74.125.23.125 06 C349 1466 70
Fa0/0 172.16.2.123 Null 8.8.4.4 11 E7E1 0035 65
10 of 10 top talkers shown. 13 of 23 flows matched.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#do sh run | i ipv6
no ipv6 cef
R1(config)#int f0/0
R1(config-if)#ipv
R1(config-if)#ipv6 flo
R1(config-if)#ipv6 flow in
R1(config-if)#ipv6 flow ing
R1(config-if)#ipv6 flow ?
monitor Apply a Flow Monitor
R1(config-if)#exir
^
% Invalid input detected at '^' marker.
R1(config-if)#exir
^
% Invalid input detected at '^' marker.
R1(config-if)#exit
R1(config)#ipv
R1(config)#ipv6 cef
%Must enable IPv6 routing first
R1(config)#ipv6 ro
R1(config)#ipv6 routi
R1(config)#ipv6 ro
R1(config)#ipv6 route?
route router
R1(config)#ipv6 ?
access-list Configure access lists
cef Cisco Express Forwarding for IPv6
cga Configure IPv6 certified generated address
dhcp Configure IPv6 DHCP
flowset Set flow label random for originated packets
general-prefix Configure a general IPv6 prefix
hop-limit Configure hop count limit
host Configure static hostnames
icmp Configure ICMP parameters
inspect Context-based Access Control Engine
local Specify local options
mfib Multicast Forwarding
mld Global mld commands
mobile Mobile IPv6
multicast Configure multicast related commands
multicast-routing Enable IPv6 multicast
nat NAT-PT Configuration commands
nd Configure IPv6 ND
neighbor Neighbor
ospf OSPF
pim Configure Protocol Independent Multicast
port-map Port to application mapping (PAM) configuration commands
prefix-list Build a prefix list
radius RADIUS configuration commands
route Configure static routes
router Enable an IPV6 routing process
source-route Process packets with source routing header options
spd Selective Packet Discard (SPD)
tacacs TACACS configuration commands
traffic Configure traffic parameters
unicast-routing Enable unicast routing
R1(config)#ip ro
R1(config)#ip routi
R1(config)#ip routing ?
protocol IP routing protocol
<cr>
R1(config)#ip routing pr
R1(config)#ip routing protocol ?
purge routes purge
R1(config)#ipv6 routing
^
% Invalid input detected at '^' marker.
R1(config)#ipv6
R1(config)#ipv6 uni
R1(config)#ipv6 unicast-routing
R1(config)#ipv6 cef
R1(config)#int f0/0
R1(config-if)#ipv
R1(config-if)#ipv6 flo
R1(config-if)#ipv6 flow in
R1(config-if)#ipv6 flow ing
R1(config-if)#ipv6 flow ing
R1(config-if)#ipv6 flow ing
R1(config-if)#ipv6 flow ingress
^
% Invalid input detected at '^' marker.
R1(config-if)#ipv6 flow ?
monitor Apply a Flow Monitor
R1(config-if)#exit
R1(config)#ipv
R1(config)#ipv6 flo
R1(config)#ipv6 flowset ?
<cr>
R1(config)#
Maybe ipv6 flow ingress interface configuration command supported only IOS 12.x.
Let' view tcpdump Packet Capture Result by using Wireshark.
Amazing…
ElastiFlow
OK, Let's Visualize NetFlow Records using ElastiFlow ELK Elastic Stack.
Gallery
Go to Kibana Dashboard.
Overview
Wao…
Top-N
Very cool…..
Sankey
So Good….
Geo IP
Amazing….
References
tech/network/cisco/netflow/netflow.txt · Last modified: 2018/07/01 20:53 by wnoguchi
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
