Table Of Contents
NetFlow MIB and Top Talkers
Contents
Prerequisites for Configuring NetFlow MIB and Top Talkers
Restrictions for Configuring NetFlow MIB and Top Talkers
Information About Configuring NetFlow MIB and Top Talkers
NetFlow MIB and Top Talkers Overview
NetFlow MIB and Top Talkers Benefits
How to Configure NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands
Configuring SNMP Support on the Networking Device
Configuring Parameters for the NetFlow Main Cache
Identifying the Interface Number to use for Enabling NetFlow with SNMP
Configuring NetFlow on Cisco Routers
Configuring NetFlow Top Talkers
Configuring NetFlow Top Talkers Match Criteria
Verifying the NetFlow Top Talkers Configuration
Configuration Examples for NetFlow Top Talkers
Configuring NetFlow Top Talkers using SNMP Commands: Example
Configuring NetFlow Top Talkers Match Criteria using SNMP Commands: Example
Additional References
Related Documents
MIBs
Technical Assistance
Command Reference
cache-timeout
ip flow-top-talkers
match (NetFlow)
show ip flow top-talkers
sort-by
top
NetFlow MIB and Top Talkers
NetFlow is a technology that provides highly granular per-flow statistics on traffic in a Cisco router. The NetFlow MIB and Top Talkers feature uses NetFlow functionality to obtain information regarding heaviest traffic patterns and most-used applications in the network.
History for the NetFlow MIB and Top Talkers Feature
Release
|
Modification
|
12.2(25)S
|
This feature was introduced.
|
12.3(11)T
|
This feature was integrated into Cisco IOS Release 12.3(11)T.
|
12.2(27)SBC
|
This feature was integrated into Cisco IOS Release 12.2(27)SBC.
|
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for Configuring NetFlow MIB and Top Talkers
• Restrictions for Configuring NetFlow MIB and Top Talkers
• Information About Configuring NetFlow MIB and Top Talkers
• How to Configure NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands
• Configuration Examples for NetFlow Top Talkers
• Additional References
• Command Reference
Prerequisites for Configuring NetFlow MIB and Top Talkers
Before you enable NetFlow and NetFlow Top Talkers, you must:
•Configure the router for IP routing
•Ensure that one of the following is enabled on your router, and on the interfaces that you want to configure NetFlow on: Cisco Express Forwarding (CEF), distributed CEF, or fast switching
•Understand the resources required on your router because NetFlow consumes additional memory and CPU resources.
Restrictions for Configuring NetFlow MIB and Top Talkers
Cisco IOS Releases 12.2(14)S, 12.0(22)S, or 12.2(15)T
If your router is running a version of Cisco IOS prior to releases 12.2(14)S, 12.0(22)S, or 12.2(15)T the ip route-cache flow command is used to enable NetFlow on an interface.
If your router is running Cisco IOS release 12.2(14)S, 12.0(22)S, 12.2(15)T, or later the ip flow ingress command is used to enable NetFlow on an interface.
Information About Configuring NetFlow MIB and Top Talkers
To configure the NetFlow MIB and Top Talkers feature, you should understand the following concepts:
• NetFlow MIB and Top Talkers Overview
• NetFlow MIB and Top Talkers Benefits
NetFlow MIB and Top Talkers Overview
NetFlow collects traffic flow statistics on routing devices. NetFlow has been used for a variety of applications, including traffic engineering, usage-based billing, and denial of service (DoS) attack monitoring.
The usual implementation of NetFlow exports NetFlow data to a collector. The NetFlow MIB and Top Talkers feature can be used for security monitoring or accounting purposes for top talkers, and matching and identifying key users of the network. This feature is also useful for a network location where a traditional NetFlow export operation is not possible. The NetFlow MIB and Top Talkers feature does not require a collector to obtain information regarding flows. Instead, these flows are placed in a special cache where they can be viewed. The NetFlow MIB part of the NetFlow MIB and Top Talkers feature allows you to configure the NetFlow Top Talkers feature using SNMP.
The flows that are generating the heaviest system traffic are known as the "top talkers."
The NetFlow Top Talkers feature allows flows to be sorted so that they can be viewed. The top talkers can be sorted by either of the following criteria:
•By the total number of packets in each top talker
•By the total number of bytes in each top talker
In addition to sorting top talkers, you can further organize your output by specifying criteria that the top talkers must match, such as source or destination IP address or port. The match command is used to specify this criterion. For a full list of the matching criteria that you can select, refer to the match command in the Cisco IOS command reference documentation.
NetFlow MIB and Top Talkers Benefits
Top talkers can be useful for analyzing network traffic in any of the following ways:
•Security—You can view the list of top talkers to see if traffic patterns consistent with a denial of service (DoS) attack are present in your network.
•Load balancing—You can identify the most heavily used parts of the system and move network traffic over to less-used parts of the system.
•Traffic analysis—Consulting the data retrieved from the NetFlow MIB and Top Talkers feature can assist you in general traffic study and planning for your network.
An additional benefit of the NetFlow MIB and Top Talkers feature is that it can be configured for a router either by entering CLI commands or by entering SNMP commands on a network management system (NMS) workstation. The SNMP commands are sent to the router and processed by a MIB. You do not have to be connected to the router console to extract the list of top talkers information if an NMS workstation is configured to communicate using SNMP to your network device. For more information on configuring your network device to use MIB functionality for the NetFlow MIB and Top Talkers feature, see the "Configuring SNMP Support on the Networking Device" section.
How to Configure NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands
Note Some of the tasks in this section include examples of the SNMP CLI syntax used to set configuration parameters on the router, and to read values from MIB objects on the router. These SNMP CLI syntax examples are taken from a Linux workstation using public domain SNMP tools. The SNMP CLI syntax for your workstation might be different. Refer to the documentation that was provided with your SNMP tools for the correct syntax for your network management workstation.
This section contains the following subsections:
• Configuring SNMP Support on the Networking Device
• Configuring Parameters for the NetFlow Main Cache
• Identifying the Interface Number to use for Enabling NetFlow with SNMP
• Configuring NetFlow on Cisco Routers
• Configuring NetFlow Top Talkers
• Configuring NetFlow Top Talkers Match Criteria
• Verifying the NetFlow Top Talkers Configuration
Configuring SNMP Support on the Networking Device
If you want to configure the Top Talkers feature using the Cisco IOS CLI, you do not need to perform this task.
If you want to configure the Top Talkers feature using the NetFlow MIB and SNMP, you must perform this task.
Before the you can use SNMP commands to configure the Top Talkers feature you must configure SNMP support on your networking device. To enable the SNMP support on the networking device perform the steps in this task.
Note The SNMP community read-only (RO) string for the examples is public. The SNMP community read-write (RW) string for the examples is private. You should use more complex strings for these values in your configurations.
Note For more information on configuring SNMP support on your networking device, refer to the Configuring SNMP Support chapter of the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide, Release 12.3
SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server community string ro
4. snmp-server community string rw
5. end
DETAILED STEPS: Router CLI Commands
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
(Required) Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
(Required) Enters global configuration mode.
|
Step 3
|
snmp-server community string ro
Example:
Router(config)# snmp-server community public ro
|
(Required) Sets up the community access string to permit access to SNMP.
•The string argument is a community string that consists of from 1 to 32 alphanumeric characters and functions much like a password, permitting access to the SNMP protocol. Blank spaces are not permitted in the community string.
•The ro keyword specifies read-only access. SNMP management stations using this string can retrieve MIB objects.
|
Step 4
|
snmp-server community string rw
Example:
Router(config)# snmp-server community private
rw
|
(Required) Sets up the community access string to permit access to SNMP.
•The string argument is a community string that consists of from 1 to 32 alphanumeric characters and functions much like a password, permitting access to the SNMP protocol. Blank spaces are not permitted in the community string.
•The rw keyword specifies read-write access. SNMP management stations using this string can retrieve and modify MIB objects.
Note The string argument must be different from the read-only string argument specified in the preceding step (Step 3).
|
Step 5
|
end
Example:
Router(config)# end
|
(Required) Exits the current configuration mode and returns to privileged EXEC mode.
|
Configuring Parameters for the NetFlow Main Cache
This optional task describes the procedure for modifying the parameters for the NetFlow main cache. Perform the steps in this optional task using either the router CLI commands or the SNMP commands to modify the parameters for the NetFlow main cache.
SUMMARY STEPS
Router CLI Commands
1. enable
2. configure terminal
3. ip flow-cache entries number
4. ip flow-cache timeout active minutes
5. ip flow-cache timeout inactive seconds
6. end
SNMP Commands
1. snmpset -c private -m all -v2c [ip-address | hostname] cnfCICacheEntries.type unsigned number
2. snmpset -c private -m all -v2c [ip-address | hostname] cnfCIActiveTimeOut.type unsigned number
3. snmpset -c private -m all -v2c [ip-address | hostname] ccnfCIInactiveTimeOut.type unsigned number
DETAILED STEPS: Router CLI Commands
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
(Required) Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
(Required) Enters global configuration mode.
|
Step 3
|
ip flow-cache entries number
Example:
Router(config)# ip flow-cache entries 4000
|
(Optional) Specifies the maximum number of entries to be captured for the main flow cache.
Note The valid range for the number argument is from 1024 to 524288 entries.
|
Step 4
|
ip flow-cache timeout active minutes
Example:
Router(config)# ip flow-cache timeout active 30
|
(Optional) Configures operational parameters for the main cache.
•The timeout keyword dissolves the session in the cache.
•The active minutes keyword-argument pair is the number of minutes that an entry is active. The range is from 1 to 60 minutes. The default is 30 minutes.
|
Step 5
|
ip flow-cache timeout inactive seconds
Example:
Router(config)# ip flow-cache timeout inactive
100
|
(Optional) Configures operational parameters for the main cache.
•The timeout keyword dissolves the session in the main cache.
•The inactive seconds keyword-argument pair is the number of seconds that an inactive entry will stay in the main cache before it times out. The range is from 10 to 600 seconds. The default is 15 seconds.
|
Step 6
|
end
Example:
Router(config)# end
|
(Required) Exits the current configuration mode and returns to privileged EXEC mode.
|
DETAILED STEPS: SNMP Commands
| |
Command or Action
|
Purpose
|
Step 1
|
snmpset -c private -m all -v2c [ip-address |
hostname] cnfCICacheEntries.type unsigned
number
Example:
workstation% snmpset -c private -m all -v2c
10.4.9.62 cnfCICacheEntries.0 unsigned 4000
|
(Optional) Defines the maximum number of entries to be captured for the main flow cache.
•The value for the type argument in cnfCICacheEntries.type unsigned number is 0 for the main cache.
•The value for the number argument in cnfCICacheEntries.type number is the maximum number of cache entries.
Note The valid range for the number argument is from 1024 to 524288 entries.
|
Step 2
|
snmpset -c private -m all -v2c [ip-address |
hostname] cnfCIActiveTimeOut.type unsigned
number
Example:
workstation% snmpset -c private -m all -v2c
10.4.9.62 cnfCIActiveTimeOut.0 unsigned 60
|
(Optional) Specifies the number of seconds that an active flow remains in the main cache before it times out.
•The value for the type argument in cnfCIActiveTimeout.type unsigned number is 0 for the main cache.
•The value for the number argument in cnfCIActiveTimeout.type unsigned number is the number of seconds that an active flow remains in the cache before it times out.
Note The range for the number argument is from 1 to 60 minutes. The default is 30 minutes.
|
Step 3
|
snmpset -c private -m all -v2c [ip-address |
hostname] ccnfCIInactiveTimeOut.type unsigned
number
Example:
workstation% snmpset -c private -m all -v2c
10.4.9.62 cnfCIInactiveTimeOut.0 unsigned 30
|
(Optional) Specifies the number of seconds that an inactive flow remains in the main cache before it times out.
•The value for the type argument in cnfCIInactiveTimeout.type unsigned number is 0 for the main cache.
•The value for the number argument in cnfCIInactiveTimeout.type unsigned number is the number of seconds that an inactive flow remains in the main cache before it times out.
Note The range for the number argument is from 10 to 600 seconds. The default is 15 seconds.
|
Identifying the Interface Number to use for Enabling NetFlow with SNMP
If you want to configure the Top Talkers feature using the Cisco IOS CLI, you do not need to perform this task.
If you want to configure the Top Talkers feature using the NetFlow MIB and SNMP, you must perform this task.
Before you can use SNMP to enable NetFlow on an interface you must identify the SNMP interface number on the router. To identify the interface number for the interface that you want to enable NetFlow on perform the steps in this required task.
SUMMARY STEPS
1. enable
2. show snmp mib ifmib ifindex type number
3. Repeat Step 2 to identify the SNMP interface number for any other interfaces that you plan to enable NetFlow on.
DETAILED STEPS
Step 1 enable
Enters privileged EXEC mode. Enter the password if prompted.
Router> enable
Step 2 show snmp mib ifmib ifindex type number
Displays the SNMP interface number for the interface specified.
Router# show snmp mib ifmib ifindex GigabitEthernet6/2
Ethernet0/0: Ifindex = 60
Step 3 Repeat Step 2 to identify the SNMP interface number for any other interfaces that you plan to enable NetFlow on.
Configuring NetFlow on Cisco Routers
Perform the steps in this required task using either the router CLI commands or the SNMP commands to enable NetFlow on the router.
SUMMARY STEPS
Router CLI Commands
1. enable
2. configure terminal
3. interface type number
4. ip flow {ingress | egress}
5. exit
6. Repeat Steps 3 through 5 to enable NetFlow on other interfaces
7. end
SNMP Commands
1. snmpset -c private -m all -v2c [ip-address | hostname] cnfCINetflowEnable.interface-number integer [0 | 1 | 2 | 3]
2. Repeat Step 1 to enable NetFlow on other interfaces.
DETAILED STEPS: Router CLI Commands
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
(Required) Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
(Required) Enters global configuration mode.
|
Step 3
|
interface type number
Example:
Router(config)# interface GigabitEthernet6/2
|
(Required) Specifies the interface that you want to enable NetFlow on and enters interface configuration mode.
|
Step 4
|
ip flow {ingress | egress}
Example:
Router(config-if)# ip flow ingress
and/or
Example:
Router(config-if)# ip flow egress
|
(Required) Enables NetFlow on the interface.
•ingress—captures traffic that is being received by the interface
•egress—captures traffic that is being transmitted by the interface.
|
Step 5
|
exit
Example:
Router(config-if)# exit
|
(Optional) Exits interface configuration mode and returns to global configuration mode.
Note You only need to use this command if you want to enable NetFlow on another interface.
|
Step 6
|
Repeat Steps 3 through 5 to enable NetFlow on other interfaces.
|
(Optional) —
|
Step 7
|
end
Example:
Router(config-if)# end
|
(Required) Exits the current configuration mode and returns to privileged EXEC mode.
|
DETAILED STEPS: SNMP Commands
| |
Command or Action
|
Purpose
|
Step 1
|
snmpset -c private -m all -v2c [ip-address |
hostname] cnfCINetflowEnable.interface-number
integer [0 | 1 | 2 | 3]
Example:
workstation% snmpset -c private -m all -v2c
10.4.9.62 cnfCINetflowEnable.60 integer 1
|
(Required) Configures NetFlow for an interface.
Note The value for the interface-number argument is found by entering the router CLI command show snmp mib ifmib ifindex on the router in privileged EXEC mode.
The values for the direction argument are:
•0—Disable NetFlow
•1—Enable Ingress NetFlow
•2—Enable Egress NetFlow
•3—Enable Ingress and Egress NetFlow
|
Step 2
|
Repeat Step 1 to enable NetFlow on other interfaces
|
(Optional) —
|
Configuring NetFlow Top Talkers
This task describes the procedure for configuring the NetFlow Top Talkers feature. Perform the steps in this required task using either the router CLI commands or the SNMP commands to configure the NetFlow Top Talkers feature on the router.
SUMMARY STEPS
Router CLI Commands
1. enable
2. configure terminal
3. ip flow-top-talkers
4. top number
5. sort by [packets | bytes]
6. cache-timeout milliseconds
7. end
SNMP Commands
1. snmpset -c private -m all -v2c [ip-address | hostname] cnfTopFlowsTopN.0 unsigned number
2. snmpset -c private -m all -v2c [ip-address | hostname] cnfTopFlowsSortBy.0 integer [1 | 2 | 3]
3. snmpset -c private -m all -v2c [ip-address | hostname] cnfTopFlowsCacheTimeout.0 unsigned milliseconds
DETAILED STEPS: Router CLI Commands
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
(Required) Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
(Required) Enters global configuration mode.
|
Step 3
|
ip flow-top-talkers
Example:
Router(config)# ip flow-top-talkers
|
(Required) Enters NetFlow top talkers configuration mode.
|
Step 4
|
top number
Example:
Router(config-flow-top-talkers)# top 50
|
(Required) Specifies the maximum number of top talkers that will be retrieved by a NetFlow top talkers query.
Note The valid range for the number argument is from 1 to 200 entries.
|
Step 5
|
sort-by [bytes | packets]
Example:
Router(config-flow-top-talkers)#
sort-by packets
|
(Required) Specifies the sort criterion for the top talkers.
•The top talkers can be sorted either by the total number of packets of each top talker or the total number of bytes of each top talker.
|
Step 6
|
cache-timeout milliseconds
Example:
Router(config-flow-top-talkers)#
cache-timeout 30000
|
(Optional) Specifies the amount of time that the list of top talkers is retained.
•Reentering the top, sort-by, or cache-timeout command resets the timeout period, and the list of top talkers is recalculated the next time they are requested.
•The list of top talkers is lost when the timeout period expires. You should configure a timeout period for at least as long as it takes the network management system (NMS) to retrieve all the required NetFlow top talkers.
•If this timeout value is too large, the list of top talkers might not be updated quickly enough to display the latest top talkers. If a request to display the top talkers is made more than once during the timeout period, the same results will be displayed for each request. To ensure that the latest information is displayed while conserving CPU time, configure a large value for the timeout period and change the parameters of the cache-timeout, top, or sort-by command when a new list of top talkers is required.
Note The valid range for the number argument is from 1 to 3,600,000 (1 millisecond to one hour). The default is 5000 (5 seconds).
|
Step 7
|
end
Example:
Router(config-flow-top-talkers)# end
|
(Required) Exits the current configuration mode and returns to privileged EXEC mode.
|
DETAILED STEPS: SNMP Commands
| |
Command or Action
|
Purpose
|
Step 1
|
snmpset -c private -m all -v2c [ip-address |
hostname] cnfTopFlowsTopN.0 unsigned number
Example:
workstation% snmpset -c private -m all -v2c
10.4.9.62 cnfTopFlowsTopN.0 unsigned 50
|
(Required) Specifies the maximum number of top talkers that will be retrieved by a NetFlow top talkers query.
•The value for the number argument in cnfTopFlowsTopN.0 number is the maximum number of top talkers that will be retrieved by a NetFlow top talkers query.
Note The valid range for the number argument is from 1 to 200 entries.
|
Step 2
|
snmpset -c private -m all -v2c [ip-address |
hostname] cnfTopFlowsSortBy.0 integer [1 | 2 |
3]
Example:
workstation% snmpset -c private -m all -v2c
10.4.9.62 cnfTopFlowsSortBy.0 integer 2
|
(Required) Specifies the sort criteria for the top talkers.
•Values for sort-option in cnfTopFlowsSortBy.0 [1 | 2 | 3] are:
–1—no sorting will be performed and that the NetFlow MIB and Top Talkers feature will be disabled
–2—specifies that sorting will be performed by total number of packets of each top talker
–3—that sorting will be performed by the total number of bytes of each top talker
|
Step 3
|
snmpset -c private -m all -v2c [ip-address |
hostname] cnfTopFlowsCacheTimeout.0 unsigned
milliseconds
Example:
workstation% snmpset -c private -m all -v2c
10.4.9.62 cnfTopFlowsCacheTimeout.0 unsigned
30000
|
(Optional) Specifies the amount of time that the list of top talkers is retained.
•Reentering the top, sort-by, or cache-timeout command resets the timeout period, and the list of top talkers is recalculated the next time they are requested.
•The list of top talkers will be lost when the timeout period expires. You should configure a timeout period for at least as long as it takes the network management system (NMS) to retrieve all the required NetFlow top talkers.
•If this timeout value is too large, the list of top talkers might not be updated quickly enough to display the latest top talkers. If a request to display the top talkers is made more than once during the timeout period, the same results will be displayed for each request. To ensure that the latest information is displayed while conserving CPU time, configure a large value for the timeout period and change the parameters of the cache-timeout, top, or sort-by command when a new list of top talkers is required.
Note The valid range for the number argument is from 1 to 3,600,000 (1 millisecond to one hour). The default is 5000 (5 seconds).
|
Configuring NetFlow Top Talkers Match Criteria
You can limit the traffic that is displayed by the NetFlow Top Talkers feature by configuring match criteria. The match criteria is applied to data in the main cache. The data in the main cache that meets the match criteria is displayed when you enter the show ip flow top-talkers command. To limit the traffic that is displayed by the NetFlow MIB and Top Talkers feature perform the steps in this optional task.
Before configuring NetFlow MIB and Top Talkers match criteria, you should understand the following:
• NetFlow Top Talkers Match Criteria Specified by CLI Commands
• NetFlow Top Talkers Match Criteria Specified by SNMP Commands
NetFlow Top Talkers Match Criteria Specified by CLI Commands
You can use the match CLI command to specify match criteria to restrict the display of top talkers for the NetFlow MIB and Top Talkers feature. If you do not provide matching criteria, all top talkers are displayed.
Note When configuring a matching source, destination or nexthop address, both the address and a mask must be configured. The configuration will remain unchanged until both have been specified.
Note cnfTopFlowsMatchSampler matches flows from a named flow sampler. cnfTopFlowsMatchClass matches flows from a named class map.
Note When you are configuring Top Talkers to match bytes and packets, the values that are matched are the total number of bytes and packets in the flow so far. For example, it is possible to match flows containing a specific number of packets, or flows with more or less than a set number of bytes.
The match command has the following syntax:
match {[byte-range [max-byte-number min-byte-number | max max-byte-number |
min min-byte-number] | class-map map-name | destination [address ip-address [mask | /nn] |
as as-number | port [max-port-number min-port-number | max max-port-number |
min min-port-number] | direction [ingress | egress] | flow-sampler flow-sampler-name |
input-interface interface-type interface-number | nexthop-address ip-address [mask | /nn] |
output-interface interface-type interface-number | packet-range [max-packets min-packets |
max max-packets | min min-packets] | protocol [protocol-number | udp | tcp] | source [address
ip-address [mask | /nn] | as as-number | port max-port-number min-port-number | max
max-port-number | min min-port-number] | tos [tos-byte | dscp dscp | precedence precedence]
no match {byte-range | class-map | destination [address | as | port] | direction | flow-sampler |
input-interface | protocol | source [address | as | port] | tos}
Table 1 describes the CLI commands that provide match criteria options for top talker display. You can use these commands to restrict the display of top talkers.
Table 1 CLI Commands That Provide Match Criteria Options for Top Talker Display
Router CLI Command
|
Description
|
byte-range
|
The match criterion is based on the size in bytes of the IP datagrams in the flows.
|
max-byte-number min-byte-number
|
Range of sizes for ip datagrams to be matched in bytes. Range: 1-4294967295.
|
max max-byte-number
|
Maximum size for ip datagrams to be matched in bytes. Range: 1-4294967295.
|
min min-byte-number
|
Minimum size for ip datagrams to be matched in bytes. Range: 1-4294967295.
|
class-map
|
The match criterion is based on a class map.
|
map-name
|
Name of the class map to be matched.
|
destination address
|
The match criterion is based on the destination IP address.
|
ip-address
|
The destination IP address to be matched.
|
mask
|
Address mask, in dotted decimal format.
|
/nn
|
Address mask as entered in classless interdomain routing (CIDR) format. An address mask of 255.255.255.0 is equivalent to a /24 mask in CIDR format.
|
destination as
|
The match criterion is based on the destination autonomous system.
|
as-number
|
Autonomous system number to be matched.
|
destination port
|
The match criterion is based on the destination port.
|
max-port-number
min-port-number
|
Range of port numbers for ip datagrams to be matched. Range: 0-65535.
|
max max-port-number
|
Maximum port number for ip datagrams to be matched. Range: 0-65535.
|
min min-port-number
|
Minimum port number for ip datagrams to be matched. Range: 0-65535.
|
direction
|
Direction of the flow to be matched.
|
ingress
|
The match criterion is based on ingress flows.
|
egress
|
The match criterion is based on egress flows.
|
flow-sampler
|
The match criterion is based on top talker sampling.
|
flow-sampler-name
|
Name of the top talker sampler to be matched.
|
input-interface
|
The match criterion is based on the input interface.
|
interface-type interface-number
|
The input interface to be used
|
nexthop address
|
The match criterion is based on the next-hop IP address.
|
ip-address
|
The next-hop IP address to be matched.
|
mask
|
Address mask, in dotted decimal format.
|
/nn
|
Address mask as entered in classless interdomain routing (CIDR) format. An address mask of 255.255.255.0 is equivalent to a /24 mask in CIDR format.
|
output-interface
|
The match criterion is based on the output interface.
|
interface-type interface-number
|
The output interface to be used
|
packet-range
|
The match criterion is based on the number of IP datagrams in the flows.
|
max-packets min-packets
|
Range of number of packets in the flows to be matched. Range: 1-4294967295.
|
max max-packet
|
Maximum number of packets in the flows to be matched. Range: 1-4294967295.
|
min min-packets
|
Minimum number of packets in the flows to be matched. Range: 1-4294967295.
|
protocol
|
The match criterion is based on protocol.
|
protocol-number
|
Protocol number to be matched. Range: 0 to 255.
|
tcp
|
Protocol number to be matched as TCP.
|
udp
|
Protocol number to be matched as UDP.
|
source address
|
The match criterion is based on the source IP address.
|
ip-address
|
The source IP address to be matched.
|
mask
|
Address mask, in dotted decimal format.
|
/nn
|
Address mask as entered in classless interdomain routing (CIDR) format. An address mask of 255.255.255.0 is equivalent to a /24 mask in CIDR format.
|
source as
|
The match criterion is based on the source autonomous system.
|
as-number
|
Autonomous system number to be matched.
|
source port
|
The match criterion is based on the source port.
|
max-port-number
min-port-number
|
Range of port numbers for ip datagrams to be matched. Range: 0-65535.
|
max max-port-number
|
Maximum port number for ip datagrams to be matched. Range: 0-65535.
|
min min-port-number
|
Minimum port number for ip datagrams to be matched. Range: 0-65535.
|
tos
|
The match criterion is based on type of service (ToS).
|
tos-value
|
ToS to be matched.
|
dscp dscp-value
|
Differentiated services code point (DSCP) value to be matched.
|
precedence precedence-value
|
Precedence value to be matched.
|
NetFlow Top Talkers Match Criteria Specified by SNMP Commands
If you are using SNMP commands to configure NetFlow Top Talkers, refer to the Table 2 for router CLI commands and equivalent SNMP commands.
Note Some of the SNMP match criteria options, such as the cnfTopFlowsMatchSrcAddress option, require that you enter multiple SNMP commands on the same line. For example, snmpset -c private -m all -v2c 10.4.9.62 cnfTopFlowsMatchSrcAddressType.0 integer 1 cnfTopFlowsMatchSrcAddress.0 decimal 172.16.10.0 cnfTopFlowsMatchSrcAddressMask.0 unsigned 24.
Table 2 Router CLI Commands and Equivalent SNMP Commands
Router CLI Command
|
SNMP Command
|
match source address [ip-address] [mask | /nn]
|
cnfTopFlowsMatchSrcAddress decimal ip-address
cnfTopFlowsMatchSrcAddressType integer type1
cnfTopFlowsMatchSrcAddressMask unsigned mask
|
match destination address [ip-address] [mask | /nn]
|
cnfTopFlowsMatchDstAddress decimal ip-address
cnfTopFlowsMatchDstAddressType integer type1
cnfTopFlowsMatchDstAddressMask unsigned mask
|
match nexthop address [ip-address] [mask | /nn]
|
cnfTopFlowsMatchNhAddress decimal ip-address
cnfTopFlowsMatchNhAddressType integer type1
cnfTopFlowsMatchNhAddressMask unsigned mask
|
match source port min port
|
cnfTopFlowsMatchSrcPortLo integer port
|
match source port max port
|
cnfTopFlowsMatchSrcPortHi integer port
|
match destination port min port
|
cnfTopFlowsMatchDstPortLo integer port
|
match destination port max port
|
cnfTopFlowsMatchDstPortHi integer port
|
match source as as-number
|
cnfTopFlowsMatchSrcAS integer as-number
|
match destination as as-number
|
cnfTopFlowsMatchDstAS integer as-number
|
match input-interface interface
|
cnfTopFlowsMatchInputIf integer interface
|
match output-interface interface
|
cnfTopFlowsMatchOutputIf integer interface
|
match tos [tos-value | dscp dscp-value | precedence precedence-value]
|
cnfTopFlowsMatchTOSByte integer tos-value2
|
match protocol [protocol-number | tcp | udp]
|
cnfTopFlowsMatchProtocol integer protocol-number
|
match flow-sampler flow-sampler-name
|
cnfTopFlowsMatchSampler string flow-sampler-name
|
match class-map class
|
cnfTopFlowsMatchClass string class
|
match packet-range min minimum-range
|
cnfTopFlowsMatchMinPackets unsigned minimum-range
|
match packet-range max maximum-range
|
cnfTopFlowsMatchMaxPackets unsigned maximum-range
|
match byte-range min minimum-range
|
cnfTopFlowsMatchMinBytes unsigned minimum-range
|
match byte-range max maximum-range
|
cnfTopFlowsMatchMaxPackets unsigned maximum-range
|
Configuring Source IP Address Top Talkers Match Criteria
Perform the steps in this optional task using either the router CLI commands or the SNMP commands to add source IP address match criteria to the Top Talkers configuration.
Prerequisites
You must configure NetFlow Top Talkers before you perform this task.
SUMMARY STEPS
Router CLI Commands
1. enable
2. configure terminal
3. ip flow-top-talkers
4. match source address {ip-address/nn | ip-address mask}
5. end
SNMP Commands
1. snmpset -c private -m all -v2c [ip-address | hostname] cnfTopFlowsMatchSrcAddressType.0 integer 1 cnfTopFlowsMatchSrcAddress.0 decimal ip-address cnfTopFlowsMatchSrcAddressMask.0 unsigned mask
DETAILED STEPS: Router CLI Commands
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
(Required) Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
(Required) Enters global configuration mode.
|
Step 3
|
ip flow-top-talkers
Example:
Router(config)# ip flow-top-talkers
|
(Required) Enters NetFlow top talkers configuration mode.
|
Step 4
|
match source address {ip-address/nn |
ip-address mask}
Example:
Router(config-flow-top-talkers)# match source
address 172.16.10.0/24
|
(Required) Specifies a match criterion.
•The source address keyword specifies that the match criterion is based on the source IP address.
•The ip-address argument is the IP address of the source, destination, or next-hop address to be matched.
•The mask argument is the address mask, in dotted decimal format.
•The /nn argument is the address mask as entered in CIDR format. The match source address 172.16.10.0/24 is equivalent to the match source address 172.16.10.0 255.255.255.0 command.
Note You must configure at least one of the possible match criteria before matching can be used to limit the traffic that is displayed by the Top talkers feature. Additional match criteria are optional.
Note For a full list of the matching criteria that you can select, refer to the "NetFlow Top Talkers Match Criteria Specified by CLI Commands" section.
|
Step 5
|
end
Example:
Router(config-flow-top-talkers)# end
|
(Required) Exits the current configuration mode and returns to privileged EXEC mode.
|
DETAILED STEPS: SNMP Commands
| |
Command or Action
|
Purpose
|
Step 1
|
snmpset -c private -m all -v2c [ip-address |
hostname] cnfTopFlowsMatchSrcAddressType.0
integer 1 cnfTopFlowsMatchSrcAddress.0 decimal
ip-address cnfTopFlowsMatchSrcAddressMask.0
unsigned mask
Example:
workstation% snmpset -c private -m all -v2c
10.4.9.62 cnfTopFlowsMatchSrcAddressType.0
integer 1 cnfTopFlowsMatchSrcAddress.0 decimal
172.16.10.0 cnfTopFlowsMatchSrcAddressMask.0
unsigned 24
|
(Required) Specifies a match criterion.
•The IP address type of 1 in the cnfTopFlowsMatchSrcAddressType.0 integer 1 command specifies an IP version 4 (IPv4) address for the IP address type. IPv4 is currently the only IP version that is supported.
•The ip-address argument in cnfTopFlowsMatchSrcAddress.0 decimal ip-address is the IPv4 source IP address to match in the traffic that is being analyzed.
•The mask argument in cnfTopFlowsMatchSrcAddressMask.0 unsigned mask is the number of bits in the mask for the IPv4 source IP address to match in the traffic that is being analyzed.
Note You must configure at least one of the possible match criteria before matching can be used to limit the traffic that is displayed by the Top talkers feature. Additional match criteria are optional.
Note To remove the cnfTopFlowsMatchSrcAddress match criterion from the configuration, specify an IP address type of 0 (unknown) with the cnfTopFlowsMatchSrcAddressType.0 integer 0 command.
Note For a list of router CLI commands and their corresponding SNMP commands, refer to the "Router CLI Commands and Equivalent SNMP Commands" table .
|
Verifying the NetFlow Top Talkers Configuration
To verify the NetFlow Top Talkers configuration, perform the steps in this optional task using either router CLI command or the SNMP commands.
SUMMARY STEPS
Router CLI Commands
1. show ip flow top-talkers
SNMP Command
1. snmpset -c private -m all -v2c [ip-address | hostname] cnfTopFlowsGenerate.0 integer 1
2. snmpwalk -c public -m all -v2c [ip-address | hostname] cnfTopFlowsReportAvailable
3. snmpwalk -c public -m all -v2c [ip-address | hostname] cnfTopFlowsTable
DETAILED STEPS: Router CLI Commands
Step 1 show ip flow top-talkers
Use this command to verify that the NetFlow MIB and Top Talkers feature is operational. For example:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et3/0 10.1.1.3 Local 10.1.1.2 01 0000 0000 4800
Et3/0 10.1.1.4 Local 10.1.1.2 01 0000 0000 4800
Et3/0 10.1.1.5 Local 10.1.1.2 01 0000 0000 800
3 of 10 top talkers shown. 3 flows processed.
In this example, even though a maximum of ten top talkers is configured by the top command, only three top talkers were transmitting data in the network. Therefore, three top talkers are shown, and the "3 flows processed" message is displayed in the output. If you expect more top talkers to be displayed than are being shown, this condition may possibly be the result of matching criteria, specified by the match command, that are overly restrictive.
DETAILED STEPS: SNMP Commands
Step 1 snmpset -c private -m all -v2c [ip-address | hostname] cnfTopFlowsGenerate.0 integer 1
Use this command to initiate a generation of the top talkers statistics:
workstation% snmpset -c private -m all -v2c 10.4.9.62 cnfTopFlowsGenerate.0 integer 1
CISCO-NETFLOW-MIB::cnfTopFlowsGenerate.0 = INTEGER: true(1)
Step 2 snmpget -c public -m all -v2c [ip-address | hostname] cnfTopFlowsReportAvailable
Use this command to verify that the top talkers statistics are available:
workstation% snmpwalk -c public -m all -v2c 10.4.9.62 cnfTopFlowsReportAvailable
CISCO-NETFLOW-MIB::cnfTopFlowsReportAvailable.0 = INTEGER: true(1)
Step 3 snmpwalk -c public -m all -v2c [ip-address | hostname] cnfTopFlowsTable
Use this command to display the NetFlow top talkers:
workstation% snmpwalk -c public -m all -v2c 10.4.9.62 cnfTopFlowsTable
CISCO-NETFLOW-MIB::cnfTopFlowsSrcAddressType.1 = INTEGER: ipv4(1)
CISCO-NETFLOW-MIB::cnfTopFlowsSrcAddress.1 = Hex-STRING: 0A 04 09 08
CISCO-NETFLOW-MIB::cnfTopFlowsSrcAddressMask.1 = Gauge32: 0
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddressType.1 = INTEGER: ipv4(1)
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddress.1 = Hex-STRING: 0A 04 09 A7
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddressMask.1 = Gauge32: 0
CISCO-NETFLOW-MIB::cnfTopFlowsNhAddressType.1 = INTEGER: ipv4(1)
CISCO-NETFLOW-MIB::cnfTopFlowsNhAddress.1 = Hex-STRING: 00 00 00 00
CISCO-NETFLOW-MIB::cnfTopFlowsSrcPort.1 = Gauge32: 32773
CISCO-NETFLOW-MIB::cnfTopFlowsDstPort.1 = Gauge32: 161
CISCO-NETFLOW-MIB::cnfTopFlowsSrcAS.1 = Gauge32: 0
CISCO-NETFLOW-MIB::cnfTopFlowsDstAS.1 = Gauge32: 0
CISCO-NETFLOW-MIB::cnfTopFlowsInputIfIndex.1 = INTEGER: 1
CISCO-NETFLOW-MIB::cnfTopFlowsOutputIfIndex.1 = INTEGER: 0
CISCO-NETFLOW-MIB::cnfTopFlowsFirstSwitched.1 = Timeticks: (12073160) 1 day, 9:32:11.60
CISCO-NETFLOW-MIB::cnfTopFlowsLastSwitched.1 = Timeticks: (12073160) 1 day, 9:32:11.60
CISCO-NETFLOW-MIB::cnfTopFlowsTOS.1 = Gauge32: 0
CISCO-NETFLOW-MIB::cnfTopFlowsProtocol.1 = Gauge32: 17
CISCO-NETFLOW-MIB::cnfTopFlowsTCPFlags.1 = Gauge32: 16
CISCO-NETFLOW-MIB::cnfTopFlowsSamplerID.1 = Gauge32: 0
CISCO-NETFLOW-MIB::cnfTopFlowsClassID.1 = Gauge32: 0
CISCO-NETFLOW-MIB::cnfTopFlowsFlags.1 = Gauge32: 0
CISCO-NETFLOW-MIB::cnfTopFlowsBytes.1 = Gauge32: 75
CISCO-NETFLOW-MIB::cnfTopFlowsPackets.1 = Gauge32: 1
Tip You need to convert the source and destination IP addresses from hexadecimal to dotted decimal format used in the display output before you can correlate them to source and destination hosts on your network. For example in the display output above: 0A 04 09 02 = 10.4.9.2 and 0A 04 09 AF = 10.4.9.175.
Configuration Examples for NetFlow Top Talkers
This section provides the following configuration examples:
• Configuring NetFlow Top Talkers using SNMP Commands: Example
• Configuring NetFlow Top Talkers Match Criteria using SNMP Commands: Example
Configuring NetFlow Top Talkers using SNMP Commands: Example
The following output from the network management workstation shows the command and the response for enabling NetFlow on interface GigabitEthernet6/2 (ifindex number 60):
workstation% snmpset -c private -m all -v2c 10.4.9.62 cnfCINetflowEnable.60 integer 1
CISCO-NETFLOW-MIB::cnfCINetflowEnable.60 = INTEGER: interfaceDirIngress(1)
The following output from the network management workstation shows the command and the response for specifying five as the maximum number of top talkers that will be retrieved by a NetFlow top talkers query:
workstation% snmpset -c private -m all -v2c 10.4.9.62 cnfTopFlowsTopN.0 unsigned 5
CISCO-NETFLOW-MIB::cnfTopFlowsTopN.0 = Gauge32: 5
The following output from the network management workstation shows the command and the response for specifying the sort criteria for the top talkers:
workstation% snmpset -c private -m all -v2c 10.4.9.62 cnfTopFlowsSortBy.0 integer 2
CISCO-NETFLOW-MIB::cnfTopFlowsSortBy.0 = INTEGER: byPackets(2)
The following output from the network management workstation shows the command and the response for specifying the amount of time that the list of top talkers is retained:
workstation% snmpset -c private -m all -v2c 10.4.9.62 cnfTopFlowsCacheTimeout.0 unsigned
2000
CISCO-NETFLOW-MIB::cnfTopFlowsCacheTimeout.0 = Gauge32: 2000 milliseconds
Configuring NetFlow Top Talkers Match Criteria using SNMP Commands: Example
The following output from the network management workstation shows the snmpset command and the response for specifying the following Top Talkers match criteria:
•Source IP address-172.16.23.0
•Source IP address mask-255.255.255.0 (/24)
•IP address type-IPv4
workstation% snmpset -c private -m all -v2c 10.4.9.62 cnfTopFlowsMatchSrcAddress.0 decimal
172.16.23.0 cnfTopFlowsMatchSrcAddressMask.0 unsigned 24 cnfTopFlowsMatchSrcAddressType.0
integer 1
CISCO-NETFLOW-MIB::cnfTopFlowsMatchSrcAddress.0 = Hex-STRING: AC 10 17 00
CISCO-NETFLOW-MIB::cnfTopFlowsMatchSrcAddressMask.0 = Gauge32: 24
CISCO-NETFLOW-MIB::cnfTopFlowsMatchSrcAddressType.0 = INTEGER: ipv4(1)
The following output from the network management workstation shows the snmpset command and the response for specifying the class-map my-class-map as a Top Talkers match criterion:
workstation% snmpset -c private -m all -v2c 10.4.9.62 cnfTopFlowsMatchClass.0 s
my-class-map
CISCO-NETFLOW-MIB::cnfTopFlowsMatchClass.0 = STRING: my-class-map.
Additional References
The following sections provide references related to the NetFlow MIB and Top Talkers feature.
Related Documents
MIBs
MIBs
|
MIBs Link
|
•CISCO-NETFLOW-MIB.my
|
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL(requires CCO login account):
http://www.cisco.com/go/mibs
|
Technical Assistance
Description
|
Link
|
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
|
http://www.cisco.com/techsupport
|
Command Reference
This section documents modified commands only.
• cache-timeout
• ip flow-top-talkers
• match (NetFlow)
• show ip flow top-talkers
• sort-by
• top
cache-timeout
To specify the length of time for which the list of NetFlow top talkers (unaggregated top flows) is retained, use the cache-timeout command in NetFlow top talkers configuration mode. To return the timeout parameters for the list of top talkers to the default of 5 seconds, use the no form of this command.
cache-timeout milliseconds
no cache-timeout
Syntax Description
milliseconds
|
Length in milliseconds for which the list of top talkers is retained. The range is from 1 to 3,600,000 (1 millisecond to one hour). The default is 5000 (5 seconds).
|
Defaults
The default time for which the list of top talkers is retained is 5 seconds.
Command Modes
NetFlow top talkers configuration
Command History
Release
|
Modification
|
12.2(25)S
|
This command was introduced.
|
12.3(11)T
|
This feature was integrated into Cisco IOS Release 12.3(11)T.
|
12.2(27)SBC
|
This command was integrated into Cisco IOS Release 12.2(27)SBC.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
Usage Guidelines
Configuring NetFlow top talkers
You must enable NetFlow on at least one interface in the router; and configure NetFlow top talkers before you can use the show ip flow top-talkers command to display the traffic statistics for the unaggregated top flows in the network. NetFlow top talkers also requires that you configure the sort-by and top commands. Optionally, the match command can be configured to specify additional matching criteria.
Cache Timeout
The cache timeout starts after the list of top talkers is requested by entering the show ip flow top-talkers command or through the netflow MIB.
A long timeout period limits the system resources that are used by NetFlow top talkers. However, the list of top talkers is calculated only once during the timeout period. If a request to display the top talkers is made more than once during the timeout period, the same results are displayed for each request, and the list of top talkers is not recalculated until the timeout period expires.
A short timeout period ensures that the latest list of top talkers is retrieved; however too short a period can have undesired effects:
•The list of top talkers is lost when the timeout period expires. You should configure a timeout period for at least as long as it takes the network management system (NMS) to retrieve all the required NetFlow top talkers.
•The list of top talkers is updated every time the top talkers information is requested, possibly causing unnecessary usage of system resources.
A good method to ensure that the latest information is displayed, while also conserving system resources, is to configure a large value for the timeout period, but recalculate the list of top talkers by changing the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkers command to display the top talkers. Changing the parameters of the cache-timeout, top, or sort-by command causes the list of top talkers to be recalculated upon receipt of the next command line interface (CLI) or MIB request.
Examples
In the following example, the list of top talkers is configured to be retained for 2 seconds (2000 milliseconds). There is a maximum of 4 top talkers, and the sort criterion is configured to sort the list of top talkers by the total number of bytes in each top talker.
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# cache-timeout 2000
Router(config-flow-top-talkers)# top 4
Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top talkers command using the configuration from the previous example:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K
4 of 4 top talkers shown. 11 flows processed
Related Commands
Command
|
Description
|
ip flow-top-talkers
|
Enters the configuration mode for the NetFlow MIB and top talkers (heaviest traffic patterns and most-used applications in the network) feature.
|
match (NetFlow)
|
Specifies match criteria for the NetFlow MIB and top talkers (heaviest traffic patterns and most-used applications in the network) feature.
|
show ip flow top-talkers
|
Displays the statistics for the top talkers (heaviest traffic patterns and most-used applications in the network).
|
sort-by
|
Specifies the sorting criterion for top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and top talkers feature.
|
top
|
Specifies the maximum number of top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and top talkers feature.
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip flow interface
|
Displays NetFlow accounting configuration for interfaces.
|
ip flow-top-talkers
To enter the configuration mode for the NetFlow MIB and Top Talkers (heaviest traffic patterns and most-used applications in the network) feature, use the ip flow-top-talkers command in global configuration mode. To disable the NetFlow MIB and Top Talkers feature, use the no form of this command.
ip flow-top-talkers
no ip flow-top-talkers
Tip The ip flow-top-talkers command does not appear in the configuration until you have configured the top number and sort-by [bytes | packets] commands.
Syntax Description
This command has no arguments or keywords.
Defaults
The NetFlow MIB and Top Talkers feature is disabled by default.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.2(25)S
|
This command was introduced.
|
12.3(11)T
|
This feature was integrated into Cisco IOS Release 12.3(11)T.
|
12.2(27)SBC
|
This command was integrated into Cisco IOS Release 12.2(27)SBC.
|
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
You must configure the sort-by and top commands to activate the NetFlow MIB and Top Talkers feature.
You can set the following parameters for the NetFlow MIB and Top Talkers feature:
•Sorting the packets in the flows through the use of the sort-by command
•The number of top talkers in the flows to view through the use of the top command
•(Optional) The length of time for which the list of top talkers in the flows is retained through the use of the cache-timeout command
•(Optional) Various matching criteria for traffic in the flows through the use of the match command
Examples
In the following example, a maximum of four top talkers is configured. The sort criterion is configured to sort the list of top talkers by the total number of bytes for each top talker.
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 4
Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top talkers command with the configuration from the previous example:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K
4 of 4 top talkers shown. 11 flows processed
Related Commands
Command
|
Description
|
cache-timeout
|
Specifies the length of time for which the list of top talkers (heaviest traffic patterns and most-used applications in the network) for the NetFlow MIB and Top Talkers feature is retained.
|
match (NetFlow)
|
Specifies match criteria for the NetFlow MIB and Top Talkers (heaviest traffic patterns and most-used applications in the network) feature.
|
show ip flow top-talkers
|
Displays the statistics for the top talkers (heaviest traffic patterns and most-used applications in the network).
|
sort-by
|
Specifies the sorting criterion for top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and Top Talkers feature.
|
top
|
Specifies the maximum number of top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and Top Talkers feature.
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip flow interface
|
Displays NetFlow accounting configuration for interfaces.
|
match (NetFlow)
To specify match criteria for the NetFlow MIB and Top Talkers (heaviest traffic patterns and most-used applications in the network) feature, use the match command in NetFlow top talkers configuration mode. To remove match criteria for the NetFlow MIB and Top Talkers feature, use the no form of this command.
match {[byte-range [max-byte-number min-byte-number | max max-byte-number |
min min-byte-number] | class-map map-name | destination [address ip-address [mask | /nn] |
as as-number | port [max-port-number min-port-number | max max-port-number |
min min-port-number] | direction [ingress | egress] | flow-sampler flow-sampler-name |
input-interface interface-type interface-number | nexthop-address ip-address [mask | /nn] |
output-interface interface-type interface-number | packet-range [max-packets min-packets |
max max-packets | min min-packets] | protocol [protocol-number | udp | tcp] | source [address
ip-address [mask | /nn] | as as-number | port max-port-number min-port-number | max
max-port-number | min min-port-number] | tos [tos-byte | dscp dscp | precedence precedence]
no match {byte-range | class-map | destination [address | as | port] | direction | flow-sampler |
input-interface | nexthop-address | output-interface | packet-range | protocol |
source [address | as | port] | tos}
Syntax Description
byte-range
|
The match criterion is based on the size in bytes of the IP datagrams in the flows.
|
max-byte-number min-byte-number
|
Range of sizes for ip datagrams to be matched in bytes. Range: 1-4294967295.
|
max max-byte-number
|
Maximum size for ip datagrams to be matched in bytes. Range: 1-4294967295.
|
min min-byte-number
|
Minimum size for ip datagrams to be matched in bytes. Range: 1-4294967295.
|
class-map
|
The match criterion is based on a class map.
|
map-name
|
Name of the class map to be matched.
|
destination address
|
The match criterion is based on the destination IP address.
|
ip-address
|
The destination IP address to be matched.
|
mask
|
Address mask, in dotted decimal format.
|
/nn
|
Address mask as entered in classless interdomain routing (CIDR) format. An address mask of 255.255.255.0 is equivalent to a /24 mask in CIDR format.
|
destination as
|
The match criterion is based on the destination autonomous system.
|
as-number
|
Autonomous system number to be matched.
|
destination port
|
The match criterion is based on the destination port.
|
max-port-number
min-port-number
|
Range of port numbers for ip datagrams to be matched. Range: 0-65535.
|
max max-port-number
|
Maximum port number for ip datagrams to be matched. Range: 0-65535.
|
min min-port-number
|
Minimum port number for ip datagrams to be matched. Range: 0-65535.
|
direction
|
Direction of the flow to be matched.
|
ingress
|
The match criterion is based on ingress flows.
|
egress
|
The match criterion is based on egress flows.
|
flow-sampler
|
The match criterion is based on top talker sampling.
|
flow-sampler-name
|
Name of the top talker sampler to be matched.
|
input-interface
|
The match criterion is based on the input interface.
|
interface-type interface-number
|
The input interface to be used
|
nexthop address
|
The match criterion is based on the next-hop IP address.
|
ip-address
|
The next-hop IP address to be matched.
|
mask
|
Address mask, in dotted decimal format.
|
/nn
|
Address mask as entered in classless interdomain routing (CIDR) format. An address mask of 255.255.255.0 is equivalent to a /24 mask in CIDR format.
|
output-interface
|
The match criterion is based on the output interface.
|
interface-type interface-number
|
The output interface to be used
|
packet-range
|
The match criterion is based on the number of IP datagrams in the flows.
|
max-packets min-packets
|
Range of number of packets in the flows to be matched. Range: 1-4294967295.
|
max max-packet
|
Maximum number of packets in the flows to be matched. Range: 1-4294967295.
|
min min-packets
|
Minimum number of packets in the flows to be matched. Range: 1-4294967295.
|
protocol
|
The match criterion is based on protocol.
|
protocol-number
|
Protocol number to be matched. Range: 0 to 255.
|
tcp
|
Protocol number to be matched as TCP.
|
udp
|
Protocol number to be matched as UDP.
|
source address
|
The match criterion is based on the source IP address.
|
ip-address
|
The source IP address to be matched.
|
mask
|
Address mask, in dotted decimal format.
|
/nn
|
Address mask as entered in classless interdomain routing (CIDR) format. An address mask of 255.255.255.0 is equivalent to a /24 mask in CIDR format.
|
source as
|
The match criterion is based on the source autonomous system.
|
as-number
|
Autonomous system number to be matched.
|
source port
|
The match criterion is based on the source port.
|
max-port-number
min-port-number
|
Range of port numbers for ip datagrams to be matched. Range: 0-65535.
|
max max-port-number
|
Maximum port number for ip datagrams to be matched. Range: 0-65535.
|
min min-port-number
|
Minimum port number for ip datagrams to be matched. Range: 0-65535.
|
tos
|
The match criterion is based on type of service (ToS).
|
tos-value
|
ToS to be matched.
|
dscp dscp-value
|
Differentiated services code point (DSCP) value to be matched.
|
precedence precedence-value
|
Precedence value to be matched.
|
Defaults
No matching criteria are specified by default. All top talkers are displayed.
Command Modes
NetFlow top talkers configuration
Command History
Release
|
Modification
|
12.2(25)S
|
This command was introduced.
|
12.3(11)T
|
This command was integrated into Cisco IOS Release 12.3(11)T. The direction, ingress, and egress keywords were added.
|
12.2(27)SBC
|
This command was integrated into Cisco IOS Release 12.2(27)SBC
|
Usage Guidelines
Use this command to specify match criteria for the NetFlow MIB and Top Talkers feature. Using matching criteria is useful to restrict the list of top talkers.
If you are using a MIB and using simple network management protocol (SNMP) commands to configure this feature, refer to Table 3 for a mapping of the command-line interface (CLI) commands to the MIB SNMP commands:
Table 3 Router CLI Commands and Equivalent SNMP Commands
Router CLI Command
|
SNMP Command
|
match source address [ip-address] [mask | /nn]
|
cnfTopFlowsMatchSrcAddress ip-address
cnfTopFlowsMatchSrcAddressType type1
cnfTopFlowsMatchSrcAddressMask mask
|
match destination address [ip-address] [mask | /nn]
|
cnfTopFlowsMatchDstAddress ip-address
cnfTopFlowsMatchDstAddressType type1
cnfTopFlowsMatchDstAddressMask mask
|
match nexthop address] [ip-address] [mask | /nn]]
|
cnfTopFlowsMatchNhAddress ip-address
cnfTopFlowsMatchNhAddressType type1
cnfTopFlowsMatchNhAddressMask mask
|
match source port min port
|
cnfTopFlowsMatchSrcPortLo port
|
match source port max port
|
cnfTopFlowsMatchSrcPortHi port
|
match destination port min port
|
cnfTopFlowsMatchDstPortLo port
|
match destination port max port
|
cnfTopFlowsMatchDstPortHi port
|
match source as as-number
|
cnfTopFlowsMatchSrcAS as-number
|
match destination as as-number
|
cnfTopFlowsMatchDstAS as-number
|
match input-interface interface
|
cnfTopFlowsMatchInputIf interface
|
match output-interface interface
|
cnfTopFlowsMatchOutputIf interface
|
match tos [tos-value | dscp dscp-value | precedence precedence-value]
|
cnfTopFlowsMatchTOSByte tos-value2
|
match protocol [protocol-number | tcp | udp]
|
cnfTopFlowsMatchProtocol protocol-number
|
match flow-sampler flow-sampler-name
|
cnfTopFlowsMatchSampler flow-sampler-name
|
match class-map class
|
cnfTopFlowsMatchClass class
|
match packet-range min minimum-range
|
cnfTopFlowsMatchMinPackets minimum-range
|
match packet-range max maximum-range
|
cnfTopFlowsMatchMaxPackets maximum-range
|
match byte-range min minimum-range
|
cnfTopFlowsMatchMinBytes minimum-range
|
match byte-range max maximum-range
|
cnfTopFlowsMatchMaxPackets maximum-range
|
direction [ingress | egress]
|
cnfTopFlowsMatchDirection [flowDirNone(0) | flowDirIngress(1) | flowDirEgress(2)]
|
Examples
The following example shows how you enter NetFlow top talkers configuration mode and specify that the top talkers are to contain the following characteristics:
•The list of top talkers will have a source IP address that begins with 10.10.0.0 and subnet a mask of 255.255.0.0 (/16).
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# match source address 10.10.0.0/16
Router(config-flow-top-talkers)# top 4
Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top talkers command when the configuration from the previous example is used:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et2/0 10.10.11.3 Et1/0.1 172.16.10.7 06 0041 0041 30K
Et0/0.1 10.10.11.4 Et1/0.1 172.16.10.8 06 0041 0041 30K
Et3/0 10.10.11.2 Et1/0.1 172.16.10.6 06 0041 0041 29K
Et3/0 10.10.18.1 Null 172.16.11.5 11 00A1 00A1 28K
4 of 4 top talkers shown. 10 of 27 flows matched
The following example shows how you enter NetFlow top talkers configuration mode and specify that the top talkers are to contain the following characteristics:
•The list of top talkers will have a source IP address that begins with 10.10.0.0 and subnet mask of 255.255.0.0 (/16).
•The list of top talkers will have a destination IP address that begins with 172.16.11.0 and a subnet mask of 255.255.255.0 (/24)
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# match source address 10.10.0.0/16
Router(config-flow-top-talkers)# match destination address 172.16.11.0/24
Router(config-flow-top-talkers)# top 4
Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top talkers command when the configuration from the previous example is used:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et3/0 10.10.18.1 Null 172.16.11.5 11 00A1 00A1 67K
Et3/0 10.10.19.1 Null 172.16.11.6 11 00A2 00A2 67K
2 of 4 top talkers shown. 2 of 30 flows matched
Related Commands
Command
|
Description
|
cache-timeout
|
Specifies the length of time for which the list of top talkers (heaviest traffic patterns and most-used applications in the network) for the NetFlow MIB and Top Talkers feature is retained.
|
ip flow-top-talkers
|
Enters the configuration mode for the NetFlow MIB and Top Talkers (heaviest traffic patterns and most-used applications in the network) feature.
|
show ip flow top-talkers
|
Displays the statistics for the top talkers (heaviest traffic patterns and most-used applications in the network).
|
sort-by
|
Specifies the sorting criterion for top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and Top Talkers feature.
|
top
|
Specifies the maximum number of top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and Top Talkers feature.
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip flow interface
|
Displays NetFlow accounting configuration for interfaces.
|
show ip flow top-talkers
To display the statistics for the NetFlow accounting top talkers (heaviest traffic patterns and most-used applications in the network), use the show ip flow top-talkers command in user EXEC or privileged EXEC mode.
show ip flow top-talkers [verbose]
Syntax Description
verbose
|
Displays an expanded output of the configuration of the NetFlow MIB and Top Talkers feature.
|
Defaults
No default behavior or values.
Command Modes
User EXEC
Privileged EXEC
Command History
Release
|
Modification
|
12.2(25)S
|
This command was introduced.
|
12.3(11)T
|
This feature was integrated into Cisco IOS Release 12.3(11)T.
|
12.2(27)SBC
|
This feature was integrated into Cisco IOS Release 12.2(27)SBC.
|
Usage Guidelines
Use this command to display the list of top talkers.
The sort-by and top commands must be configured for the top talkers to be displayed. Optionally, the match command can be configured to specify additional matching criteria.
The timeout period as specified by the cache-timeout command does not start until the show ip flow top-talkers command is entered. From that time, the same top talkers are displayed until the timeout period expires. To recalculate a new list of top talkers after the timeout period expires, you can change the parameters of the cache-timeout, top, or sort-by command prior to entering the show ip flow top-talkers command.
Examples
The following example shows the output of the show ip flow top-talkers command.
In the example, the NetFlow MIB and Top Talkers feature has been configured to allow a maximum of five top talkers to be viewed. The display output is configured to be sorted by the total number of bytes in each top talker, and the list of top talkers is configured to be retained for 2 seconds (2000 milliseconds).
Router(config)# ip flow-top-talkers
Router(config)# top 5
Router(config)# sort-by bytes
Router(config-flow-top-talkers)# cache-timeout 2000
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 144K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 144K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 135K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 125K
Et0/0.1 10.92.231.235 Et1/0.1 172.16.10.2 06 0041 0041 115K
5 of 5 top talkers shown. 11 flows processed
Table 4 describes the significant fields shown in the display.
Table 4 show ip flow top-talkers Field Descriptions
Field
|
Description
|
SrcIf
|
Source interface
|
SrcIPaddress
|
Source IP address
|
DstIf
|
Destination interface
|
DstIPaddress
|
Destination IP address
|
Pr
|
Protocol number
|
SrcP
|
Source port
|
DstP
|
Destination port
|
Bytes
|
Total number of bytes in each top talker
|
Table 5 shows messages that could be received in response to the show ip flow top-talkers command and their explanations.
Table 5 show ip flow top-talkers Message Descriptions
Message
|
Description
|
|
The NetFlow MIB and Top Talkers feature has not yet been configured.
|
|
There are no top talkers in the list to be viewed.
|
|
Top talkers exist in the list, but the match criteria that were specified do not match any top talkers that are in the list.
|
Related Commands
Command
|
Description
|
cache-timeout
|
Specifies the length of time for which the list of top talkers (heaviest traffic patterns and most-used applications in the network) for the NetFlow MIB and Top Talkers feature is retained.
|
ip flow-top-talkers
|
Enters the configuration mode for the NetFlow MIB and Top Talkers (heaviest traffic patterns and most-used applications in the network) feature.
|
match (NetFlow)
|
Specifies match criteria for the NetFlow MIB and Top Talkers (heaviest traffic patterns and most-used applications in the network) feature.
|
sort-by
|
Specifies the sorting criterion for top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and Top Talkers feature.
|
top
|
Specifies the maximum number of top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and Top Talkers feature.
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip flow interface
|
Displays NetFlow accounting configuration for interfaces.
|
sort-by
To specify the sorting criterion for top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and Top Talkers feature, use the sort-by command in NetFlow top talkers configuration mode. To disable the NetFlow MIB and Top Talkers feature, use the no form of this command.
sort-by [bytes | packets]
no sort-by [bytes | packets]
Syntax Description
bytes
|
Sorts the list of top talkers by the total number of bytes in each top talker.
|
packets
|
Sort the list of top talkers by the total number of packets in each top talker.
|
Defaults
No default behavior or values.
Command Modes
NetFlow top talkers configuration
Command History
Release
|
Modification
|
12.2(25)S
|
This command was introduced.
|
12.3(11)T
|
This feature was integrated into Cisco IOS Release 12.3(11)T.
|
12.2(27)SBC
|
This feature was integrated into Cisco IOS Release 12.2(27)SBC.
|
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
You must configure the sort-by and top commands to activate the NetFlow MIB and Top Talkers feature.
Examples
In the following example, a maximum of four top talkers is configured. The sort criterion is configured to sort the list of top talkers by the total number of bytes for each top talker.
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 4
Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top talkers command with the configuration from the previous example:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K
4 of 4 top talkers shown. 11 flows processed
Related Commands
Command
|
Description
|
cache-timeout
|
Specifies the length of time for which the list of top talkers (heaviest traffic patterns and most-used applications in the network) for the NetFlow MIB and Top Talkers feature is retained.
|
ip flow-top-talkers
|
Enters the configuration mode for the NetFlow MIB and Top Talkers (heaviest traffic patterns and most-used applications in the network) feature.
|
match (NetFlow)
|
Specifies match criteria for the NetFlow MIB and Top Talkers (heaviest traffic patterns and most-used applications in the network) feature.
|
show ip flow top-talkers
|
Displays the statistics for the NetFlow accounting top talkers (heaviest traffic patterns and most-used applications in the network).
|
top
|
Specifies the maximum number of top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and Top Talkers feature.
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip flow interface
|
Displays NetFlow accounting configuration for interfaces.
|
top
To specify the maximum number of top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and Top Talkers feature, use the top command in NetFlow top talkers configuration mode. To disable the NetFlow MIB and Top Talkers feature, use the no form of this command.
top number
no top
Syntax Description
number
|
The maximum number of top talkers that will be displayed.
|
Defaults
No default behavior or values.
Command Modes
NetFlow top talkers configuration
Command History
Release
|
Modification
|
12.2(25)S
|
This command was introduced.
|
12.3(11)T
|
This feature was integrated into Cisco IOS Release 12.3(11)T.
|
12.2(27)SBC
|
This feature was integrated into Cisco IOS Release 12.2(27)SBC.
|
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
You must configure the sort-by and top commands to activate the NetFlow MIB and Top Talkers feature.
Examples
In the following example, a maximum of four top talkers is configured. The sort criterion is configured to sort the list of top talkers by the total number of bytes for each top talker.
Router(config)# ip flow-top-talkers
Router(config-flow-top-talkers)# top 4
Router(config-flow-top-talkers)# sort-by bytes
The following example shows the output of the show ip flow top talkers command with the configuration from the previous example:
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/0.1 10.10.18.1 Et1/0.1 172.16.10.232 11 00A1 00A1 349K
Et0/0.1 10.10.19.1 Et1/0.1 172.16.10.2 11 00A2 00A2 349K
Et0/0.1 172.30.216.196 Et1/0.1 172.16.10.2 06 0077 0077 328K
Et0/0.1 10.162.37.71 Et1/0.1 172.16.10.2 06 0050 0050 303K
4 of 4 top talkers shown. 11 flows processed
Related Commands
Command
|
Description
|
cache-timeout
|
Specifies the length of time for which the list of top talkers (heaviest traffic patterns and most-used applications in the network) for the NetFlow MIB and Top Talkers feature is retained.
|
ip flow-top-talkers
|
Enters the configuration mode for the NetFlow MIB and Top Talkers (heaviest traffic patterns and most-used applications in the network) feature.
|
match (NetFlow)
|
Specifies match criteria for the NetFlow MIB and Top Talkers (heaviest traffic patterns and most-used applications in the network) feature.
|
show ip flow top-talkers
|
Displays the statistics from to the top talkers (heaviest traffic patterns and most-used applications in the network).
|
sort-by
|
Specifies the sorting criterion for top talkers (heaviest traffic patterns and most-used applications in the network) to be displayed for the NetFlow MIB and Top Talkers feature.
|
show ip cache flow
|
Displays a summary of the NetFlow accounting statistics.
|
show ip cache verbose flow
|
Displays a detailed summary of the NetFlow accounting statistics.
|
show ip flow interface
|
Displays NetFlow accounting configuration for interfaces.
|
© 2004-2007 Cisco Systems, Inc. All rights reserved.
