8-3. NetFlow Data Export Traffic statistics from Layer 3 switching can be gathered and sent to an external application for collection and analysis. This is done through the NetFlow Data Export (NDE) facility. Switches using MLS for Layer 3 switching can send data about expired flows using NDE. This is a natural extension of MLS because the switch uses flow cache data. Switches using CEF do not inherently use a flow cache, and therefore can't offer statistics through NDE. The Catalyst 6000 PFC2/MSFC2, however, keeps a NetFlow cache independent of the CEF process, strictly for exporting flow data with NDE. NetFlow data can be sent as several versions: - - NDE version 1 Used in legacy systems; data record includes specific information about the IP traffic flow and the interfaces used to forward it.
- - NDE version 5 Adds a sequence number to prevent lost UDP datagrams, and the Border Gateway Protocol (BGP) autonomous system (AS) number for the flow.
- - NDE version 7 Used to report flow data from Catalyst switches. Version 7 is not supported on a Catalyst 6000 MSFC.
- - NDE version 8 Used to report aggregate flow data from routers, Catalyst 5000 with NFFC, and Catalyst 6000 running MLS or CEF. Version 8 is not supported on a Catalyst 6000 MSFC.
NDE will export flow statistics according to the MLS flow mask that is used by the switch. To see detailed flow records, use a "full" flow mask.
NDE Configuration 1. | Start NDE on the RP.
MLS must first be configured on the RP. Refer to section "8-1: Multilayer Switching" (Step 1) for further details.
| 2. | Start NDE on the SE.
- a. Identify the flow data collector:
COS | set mls nde collector udp-port
| IOS | (global) ip flow-export destination collector udp-port
|
The host running the collector application is identified by collector (IP address or name). In addition, the NDE UDP port must be assigned as udp-port to match the port number used by the collector application.
- b. Identify the NDE source:
COS | N/A | IOS | [View full width] (global) ip flow-export source [{interface  interface-number} |){null 0} | {port-channel number} | {vlan vlan-id}]
|
NDE packets receive a source IP address from the interface specified. For a COS switch, the source address is taken from the sc0 management interface. You should always use a loopback interface as the source because the loopback interface is always up and available. You can use the null 0 interface if the source address of the NDE information is not needed in the exported data.
- c. Enable NDE:
COS | set mls nde version {1 | 7 | 8} set mls nde {enable | disable}
| IOS | (global) mls nde sender [version version]
-OR- [View full width] (global) ip flow-export version {1 | {5 [origin-as | peer-as]} | {6 [origin-as | peer-as]}}
|
The NDE version can be 1, 7 (the default), or 8. On an IOS switch, the mls nde sender command sets the NDE version used by the Catalyst 6000 PFC2 (native or Supervisor IOS), whereas the ip flow-export command configures the NDE version for routed flows on an MSFC/MSFC2 (MSFC IOS).
| 3. | Filter the exported data:
COS | [View full width] set mls nde flow {include | exclude} [destination ip-addr-spec] [source ip-addr-spec] [protocol protocol [src-port src-port] [dst-port dst-port]]
| IOS | [View full width] (global) mls nde flow {include | exclude} {{dest-port port-num} | {destination ip-addr ip-mask}} | {protocol {tcp | udp}} | {source ip-addr ip-mask} | {src-port port-num}}
|
Traffic flows can be exported only if the include keyword and matching criteria are given. If the exclude keyword is used, flows to that host are not reported. The include and exclude filters are mutually exclusive, in that only one of them can be active at a time. However, you can use multiple commands to configure an include or an exclude filter.
Flows can be matched by destination address, source address, destination port dst-port (0 matches any value), source port src-port (0 matches any value), and protocol (IOS: tcp or udp; COS: 0 to 255 or ip, ipinip, icmp, igmp, tcp, or udp; 0 matches any value). Addresses are given as ip-addr ip-mask for IOS switches. For COS switches, addresses can be given as either ip-addr, ip-addr/ip-mask, or ip-addr/maskbits.
Notice that the IOS command allows only one of the criteria to be given, whereas the COS command allows any combination of those parameters.
|
NDE Example NDE is configured on a switch with integrated RP and SE modules. The NetFlow Collector is located at 192.168.177.10, and uses UDP port 5000 for NDE exchanges. The switch sends NDE data using a source address of 192.168.40.1, which comes from the management interface sc0 (COS) or VLAN interface 900 (IOS). The switch will only include flow data for TCP port 80 traffic when it sends NDE data to the NetFlow Collector: COS | set mls nde 192.168.177.10 5000 set mls nde version 7 set mls nde enable set mls nde flow include protocol tcp dst-port 80 set interface sc0 900 192.168.40.1 255.255.255.0
| IOS | [View full width] (global) ip flow-export destination 192.168.177.10 5000 (global) ip flow-export source vlan 900 (global) mls nde sender version 7 (global) mls nde flow include dest-port 80 (global) interface vlan 900 (interface) ip address 192.168.40.1 255.255.255.0
|
Displaying Information About NDE You can use the switch commands in Table 8-4 to display helpful information about NDE. Table 8-4. Commands to Display NDE InformationDisplay Function | Switch OS | Command |
|---|
NDE version and activity | COS | show mls nde
| IOS | (exec) show mls netflow
|
|
