Wednesday, October 24, 2012

IPV6 netflow on ios routers


IPv6 NetFlow is unique and easy to set up on Cisco routers that support it. In this post I will concentrate only on IOS-based routers, NOT the 6500/7600 or NX-OS platforms.

The commands are similar, but I will point out some differences during this post that you might want to keep in the back of your head.

First and most IMPORTANT: you need ipv6 cef enabled globally.

This mirrors IPv4 NetFlow, which requires ip cef to be enabled globally. The two (IPv4 and IPv6) are separate, protocol-specific settings. If you forget to enable CEF, the Cisco router will gently remind you: it displays the following message on your terminal session, and, if I recall correctly, the message does not enter the log buffer.

 e.g
%Must enable IPv6 CEF globally first


Next, I have not seen a flow-sampler option in any 12.4 code or on most lower-end ISRs. As of this writing, I haven't looked at or investigated the 15.X mainline code sets and their IPv6 NetFlow support. So, after you enable ipv6 cef globally, you have a few choices on the interface(s) you want to collect on, as shown below.

e.g
ccie01(config-if)#ipv6 flow  ?      
  egress   Enable egress IPv6 Flow on the interface
  ingress  Enable ingress IPv6 Flow on the interface
  mask     Configure various masks during netflow capture

The configuration options should be simple to understand: you choose the direction (in/out) and set any mask options. The mask option defaults to FULL and works very much like the IPv4 NetFlow mask options.

Now to set up the exporter; the commands are similar. Keep one thing in mind: for IPv6 NetFlow, the only export version supported is v9. It's funny that Cisco still gives you the version option in the CLI, when the only NetFlow versions that support IPv6 are v9 and IPFIX (aka v10, which is not an option on Cisco).

e.g

ccie01(config)#ipv6 flow-export  version ?
  9

Why they did this is beyond me, unless version 10 will soon be available, or version 11, if I had to guess and Cisco stays with odd version numbers for the next main release.


To export the flows, the commands are very similar to what we are used to configuring:

!
ipv6 flow-export source FastEthernet0/0
ipv6 flow-export template options export-stats
ipv6 flow-export template options refresh-rate 4
ipv6 flow-export template timeout-rate 2
ipv6 flow-export template refresh-rate 2
ipv6 flow-export destination 172.16.1.1 5000
!

Here I set a few template options in order to speed up my testing, but most network engineers do not adjust the template rates and use the factory defaults.

Likewise, to validate the flow exporter we use a similar show command, but now with "show ipv6":


ccie01#show ipv6 flow export
Flow export v9 is enabled for main cache
  Exporting flows to 172.16.1.1 (5000)
  Exporting using source interface FastEthernet0/0
  Version 9 flow records
  17354 flows exported in 909 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

And to view the flow cache, guess what: the command is similar to the IPv4 one.

ccie02>show ipv6 flow cache verbose
IP packet size distribution (0 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 0 bytes
  0 active, 0 inactive, 0 added
  0 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
Ver Dir SrcAddress SrcMsk InpIf SrcAS DstAddress DstMsk OutIf DstAS NextHop BGPNextHop Prot TCP  ToS  SrcPrt DstPrt FlowLbl OptHdr LastUse FirstUse  Bytes Packets
ccie02>


To review the template configuration, we likewise use the equivalent "show ipv6" command:


ccie01#show ipv6 flow export  template 
   Template Options Flag = 6
   Total number of Templates added = 5
   Total active Templates = 5
   Flow Templates active = 3
   Flow Templates added = 3
   Option Templates active = 2
   Option  Templates added = 2
   Template ager polls = 22017
   Option Template ager polls = 12069
Main cache version 9 export is enabled
 Template export information
   Template timeout = 2
   Template refresh rate = 2
 Option export information
   Option timeout = 30
   Option refresh rate = 4
ccie01# 
 
And lastly, here are a few decoded IPv6 NetFlow flow records. Notice the new fields, and in particular the following: Type 64 IPV6_OPTION_HEADERS.
 
Cisco NetFlow/IPFIX
    Version: 9
    Count: 2
    SysUptime: 14104732
    Timestamp: Oct 24, 2012 17:16:15.000000000
        CurrentSecs: 1351098975
    FlowSequence: 39
    SourceId: 0
    FlowSet 1
        Options FlowSet: 1
        FlowSet Length: 24
        Template Id: 260
        Option Scope Length: 4
        Option Length: 8
        Scope Type: System (1)
        Scope Field Length: 0
        Type: TOTAL_FLOWS_EXP (42)
        Length: 4
        Type: TOTAL_PKTS_EXP (41)
        Length: 4
    FlowSet 2
        Data FlowSet (Template Id): 260
        FlowSet Length: 12
        Flow 1
            FlowsExp  : 20476
            PacketsExp: 1123
 
 
Cisco NetFlow/IPFIX
    Version: 9
    Count: 6
    SysUptime: 14594748
    Timestamp: Oct 24, 2012 17:24:25.000000000
        CurrentSecs: 1351099465
    FlowSequence: 48
    SourceId: 0
    FlowSet 1
        Template FlowSet: 0
        FlowSet Length: 88
        Template (Id = 259, Count = 20)
            Template Id: 259
            Field Count: 20
            Field (1/20)
                Type: IP_PROTOCOL_VERSION (60)
                Length: 1
            Field (2/20)
                Type: DIRECTION (61)
                Length: 1
            Field (3/20)
                Type: IPV6_SRC_ADDR (27)
                Length: 16
            Field (4/20)
                Type: IPV6_SRC_MASK (29)
                Length: 1
            Field (5/20)
                Type: INPUT_SNMP (10)
                Length: 2
            Field (6/20)
                Type: IPV6_DST_ADDR (28)
                Length: 16
            Field (7/20)
                Type: IPV6_DST_MASK (30)
                Length: 1
            Field (8/20)
                Type: OUTPUT_SNMP (14)
                Length: 2
            Field (9/20)
                Type: IPV6_NEXT_HOP (62)
                Length: 16
            Field (10/20)
                Type: PROTOCOL (4)
                Length: 1
            Field (11/20)
                Type: TCP_FLAGS (6)
                Length: 1
            Field (12/20)
                Type: IP_TOS (5)
                Length: 1
            Field (13/20)
                Type: L4_SRC_PORT (7)
                Length: 2
            Field (14/20)
                Type: L4_DST_PORT (11)
                Length: 2
            Field (15/20)
                Type: FLOW_LABEL (31)
                Length: 4
            Field (16/20)
                Type: IPV6_OPTION_HEADERS (64)
                Length: 4
            Field (17/20)
                Type: LAST_SWITCHED (21)
                Length: 4
            Field (18/20)
                Type: FIRST_SWITCHED (22)
                Length: 4
            Field (19/20)
                Type: BYTES (1)
                Length: 4
            Field (20/20)
                Type: PKTS (2)
                Length: 4
    FlowSet 2
        Data FlowSet (Template Id): 259
        FlowSet Length: 440
        Flow 1
            IPVersion: 06
            Direction: Ingress (0)
            SrcAddr: 2001:414:1:0:242e:ae9b:937f:9026 (2001:414:1:0:242e:ae9b:937f:9026)
            SrcMask: 128
            InputInt: 2
            DstAddr: 2001::1 (2001::1)
            DstMask: 128
            OutputInt: 0
            BGPNextHop: :: (::)
            Protocol: 17
            TCP Flags: 0x10
            IP ToS: 0x00
            SrcPort: 59327
            DstPort: 53
            Type 31 FLOW_LABEL
            Type 64 IPV6_OPTION_HEADERS
            [Duration: 1.004000000 seconds]
                StartTime: 14566.836000000 seconds
                EndTime: 14567.840000000 seconds
            Octets: 416
            Packets: 4
        Flow 2
            IPVersion: 06
            Direction: Egress (1)
            SrcAddr: 2001:414:1:0:214:6aff:fec4:28ac (2001:414:1:0:214:6aff:fec4:28ac)
            SrcMask: 128
            InputInt: 0
            DstAddr: 2001:414:1:0:242e:ae9b:937f:9026 (2001:414:1:0:242e:ae9b:937f:9026)
            DstMask: 128
            OutputInt: 2
            BGPNextHop: 2001:414:1:0:242e:ae9b:937f:9026 (2001:414:1:0:242e:ae9b:937f:9026)
            Protocol: 58
            TCP Flags: 0x10
            IP ToS: 0x00
            SrcPort: 0
            DstPort: 256
            Type 31 FLOW_LABEL
            Type 64 IPV6_OPTION_HEADERS
            [Duration: 5.012000000 seconds]
                StartTime: 14566.840000000 seconds
                EndTime: 14571.852000000 seconds
            Octets: 608
            Packets: 4
        Flow 3
            IPVersion: 06
            Direction: Ingress (0)
            SrcAddr: 2001:414:1:0:242e:ae9b:937f:9026 (2001:414:1:0:242e:ae9b:937f:9026)
            SrcMask: 128
            InputInt: 2
            DstAddr: 2001::2 (2001::2)
            DstMask: 128
            OutputInt: 0
            BGPNextHop: :: (::)
            Protocol: 17
            TCP Flags: 0x10
            IP ToS: 0x00
            SrcPort: 59327
            DstPort: 53
            Type 31 FLOW_LABEL
            Type 64 IPV6_OPTION_HEADERS
            [Duration: 1.004000000 seconds]
                StartTime: 14570.848000000 seconds
                EndTime: 14571.852000000 seconds
            Octets: 416
            Packets: 4
        Flow 4
            IPVersion: 06
            Direction: Egress (1)
            SrcAddr: fe80::214:6aff:fec4:28ac (fe80::214:6aff:fec4:28ac)
            SrcMask: 10
            InputInt: 0
            DstAddr: 2001:414:1:0:242e:ae9b:937f:9026 (2001:414:1:0:242e:ae9b:937f:9026)
            DstMask: 128
            OutputInt: 2
            BGPNextHop: 2001:414:1:0:242e:ae9b:937f:9026 (2001:414:1:0:242e:ae9b:937f:9026)
            Protocol: 58
            TCP Flags: 0x10
            IP ToS: 0xe0
            SrcPort: 0
            DstPort: 34560
            Type 31 FLOW_LABEL
            Type 64 IPV6_OPTION_HEADERS
            [Duration: 0.000000000 seconds]
                StartTime: 14571.840000000 seconds
                EndTime: 14571.840000000 seconds
            Octets: 72
            Packets: 1
        Flow 5
            IPVersion: 06
            Direction: Ingress (0)
            SrcAddr: fe80::426c:8fff:fe03:18c4 (fe80::426c:8fff:fe03:18c4)
            SrcMask: 10
            InputInt: 2
            DstAddr: fe80::214:6aff:fec4:28ac (fe80::214:6aff:fec4:28ac)
            DstMask: 128
            OutputInt: 0
            BGPNextHop: :: (::)
            Protocol: 58
            TCP Flags: 0x10
            IP ToS: 0x00
            SrcPort: 0
            DstPort: 34816
            Type 31 FLOW_LABEL
            Type 64 IPV6_OPTION_HEADERS
            [Duration: 0.000000000 seconds]
                StartTime: 14571.840000000 seconds
                EndTime: 14571.840000000 seconds
            Octets: 64
            Packets: 1
        Padding (1 byte)
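
How a collector turns template 259 into the flow records shown above, as an added example that is not code from the original post: a v9 Data FlowSet carries no field names, so it cannot be decoded until the matching template has arrived, which is why the template refresh settings matter. The names parse_v9 and build_sample are hypothetical, the datagram is constructed from the Flow 1 values in the decode, and the flow label and option-header values (not shown in the decode) are assumed to be 0.

```python
import ipaddress
import struct

TEMPLATE_259 = [(60, 1), (61, 1), (27, 16), (29, 1), (10, 2), (28, 16), (30, 1),
                (14, 2), (62, 16), (4, 1), (6, 1), (5, 1), (7, 2), (11, 2),
                (31, 4), (64, 4), (21, 4), (22, 4), (1, 4), (2, 4)]  # (type, length), from the decode
ADDR_TYPES = {27, 28, 62}  # IPV6_SRC_ADDR, IPV6_DST_ADDR, IPV6_NEXT_HOP

def parse_v9(packet, templates):
    """Decode one v9 datagram; `templates` is the collector's cache across datagrams."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 datagram")
    flows, skipped, off = [], 0, 20  # 20-byte export header precedes the FlowSets
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        body, p = packet[off + 4:off + fs_len], 0
        if fs_id == 0:  # Template FlowSet: learn (type, length) pairs per template id
            while p + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, p)
                if p + 4 + 4 * n > len(body):
                    raise ValueError("truncated template")
                templates[tid] = [struct.unpack_from("!HH", body, p + 4 + 4 * i) for i in range(n)]
                p += 4 + 4 * n
        elif fs_id > 255 and fs_id not in templates:
            skipped += 1  # data arrived before its template: undecodable for now
        elif fs_id > 255:  # Data FlowSet: the FlowSet id names the template
            rec_len = sum(flen for _, flen in templates[fs_id])
            while rec_len and p + rec_len <= len(body):  # leftover bytes are padding
                rec = {}
                for ftype, flen in templates[fs_id]:
                    raw = body[p:p + flen]
                    rec[ftype] = (str(ipaddress.IPv6Address(raw)) if ftype in ADDR_TYPES
                                  else int.from_bytes(raw, "big"))
                    p += flen
                flows.append(rec)
        off += fs_len  # FlowSets with id 1-255 (e.g. options templates) are skipped
    return flows, skipped

def build_sample():
    """Constructed header, Template FlowSet and Data FlowSet (Flow 1; label/options assumed 0)."""
    a = lambda s: ipaddress.IPv6Address(s).packed
    rec = (bytes([6, 0]) + a("2001:414:1:0:242e:ae9b:937f:9026") + bytes([128, 0, 2])
           + a("2001::1") + bytes([128, 0, 0]) + a("::") + bytes([17, 0x10, 0])
           + struct.pack("!HHIIIIII", 59327, 53, 0, 0, 14567840, 14566836, 416, 4))
    tmpl = struct.pack("!HHHH", 0, 88, 259, 20) + b"".join(struct.pack("!HH", *f) for f in TEMPLATE_259)
    data = struct.pack("!HH", 259, 92) + rec + b"\x00"  # 87-byte record + 1 pad byte
    return struct.pack("!HHIIII", 9, 2, 14594748, 1351099465, 48, 0), tmpl, data
```

The 87-byte record length also accounts for the dump above: five records plus the 4-byte FlowSet header is 439 bytes, so 1 byte of padding brings the FlowSet Length to 440.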
 
 

One quick note that I find strange and disturbing. 

It kind of follows my IPv6 rant from one of my earlier posts. Cisco only lets you export to an IPv4 collector. So even Cisco's own IPv6 NetFlow exporters are somewhat restricted in whom they can export to. In my CCIE/RS lab ISR, we can only export to an IPv4-addressed flow collector.

I thought that was very funny when I set up my 1st IPv6 NetFlow router :)


Ken Felix
Freelance Security & Network Engineer
kfelix " at " hyperfeed.com

 

1 comment:

  1. Hello Ken,

    I have a question on TCP Flags. I could see the difference in TCP Flags between NetFlow V5 and NetFlow V9.
    I am really not aware what the difference is between NetFlow V9 (TCP Flags 0x10) and NetFlow V5 (TCP Flags 0x00)... maybe my question is a silly one, but if you could let me know what the TCP Flags are and why the difference, I would be really thankful...
