BRKDCT 1890
• Abstract: Learn how to get the most visibility from your Nexus-based network
with new monitoring capabilities and advanced enhancements to traditional
features like SPAN, ERSPAN and Netflow to quickly pinpoint trouble spots in the
network.
BRKDCT-1890 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Session Goal
• Create awareness of the Analytics and Monitoring tools
available in the Nexus family (3k, 5K, 7K, 9K)
Agenda
• Introduction
• Quick Product Overview
• Advanced Visibility
• SPAN/ ERSPAN
• Flexible Netflow
• Conclusion
Network Bandwidth Explosion
• IP Traffic: Global IP traffic will grow 3X to 1.4 zettabytes annually by 2017
• Cloud: Global cloud traffic will grow 6X by 2016
• Video: By 2017, the world will reach 3 trillion Internet video minutes per month
• M2M: Trillions of new “connected events” will occur over IP networks throughout the next decade
• 4G Mobile Adoption: 4G will account for 45% of global mobile data traffic
If not handled well...
• Degrading performance
• Difficulty to troubleshoot
• Improper planning of resources
What is Analytics?
Studying past historical data to research potential trends
Advanced Analytics on Nexus Switches
Nexus Family
• Nexus 1000V
• Nexus 2000, Nexus 2300
• Nexus 3000, Nexus 3100, Nexus 3500
• Nexus 5000, Nexus 5600
• Nexus 6000
• Nexus 7000, Nexus 7700
• Nexus 9000
• Application Centric Infrastructure (ACI), APIC*
Latency monitoring
Why do we need to correct latency problems?
Website download
Video streaming
Video conferencing
Online gaming
Banking
Airline reservation
Stock Market
Web hosting
How does Latency Monitoring work?
[Figure: packet entering and leaving an N5K-C56-72UP switch]
switch# show hardware profile latency monitor interface e1/23 interface e1/22
---------------------------------------------------------------------------
Ingress Port | Egress Port | Minimum | Maximum | Average
---------------------------------------------------------------------------
Ethernet1/22 | Ethernet1/23 | 856 | 1208 | 901 |
----------------------------------------------------------------------------
Modes of Latency Monitoring
switch# show hardware profile latency monitor interface e1/3 interface e1/1
--------------------------------------------------------------------------------
| Egress Interface : Ethernet1/3 Ingress Interface : Ethernet1/1 |
--------------------------------------------------------------------------------
| Range | 800 <= Latency < 10000 | Outside the first range |
-------------------------------------------------------------------------------
| counter | 3542903 | 56792 |
Microburst monitoring
Microburst – A Concern
Challenge: It’s Very Hard to see Microbursts
5672# show interface ethernet 1/2
Ethernet1/2 is up
[…]
Last clearing of "show interface" counters 00:00:58
0 interface resets
30 seconds input rate 96315720 bits/sec, 1331 packets/sec
30 seconds output rate 0 bits/sec, 0 packets/sec
Load-Interval #2: 5 minute (300 seconds)
input rate 77.00 Mbps, 1.05 Kpps; output rate 0 bps, 0 pps
RX
200000 unicast packets 0 multicast packets 0 broadcast packets
200000 input packets 1800000000 bytes
200000 jumbo packets 0 storm suppression bytes
0 runts 0 giants 0 CRC 0 no buffer
[…]
Solution: Burst Monitoring
Configure your own burst filter per port per direction
burst threshold {ingress | egress} {limit percent | size max_bytes} interval interval_time
For Syslogs
How to see bursts?
switch# show interface burst-counters
--------------------------------------------------------------------
--------------------------------------------------------------------
| Ethernet1/1 | 10 | N/A | 10 |
| Ethernet2/1 | 15 | 0 | 15 |
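Why the averaged rates in the `show interface ethernet 1/2` output hide a burst, and what a per-interval threshold of the kind `burst threshold` configures would catch. This Python sketch is an added example, not Cisco code: the traffic trace is constructed, and the 10G link speed, thresholds and function names are assumptions.

```python
"""Averaged interface counters versus per-interval burst detection (added example)."""

LINK_BPS = 10_000_000_000   # assumption: 10G port
JUMBO_BYTES = 9000          # 1800000000 bytes / 200000 jumbo packets in the output above


def build_trace(duration_ms, burst_starts_ms, burst_len_ms, pkts_per_ms):
    """Constructed trace: bytes received per 1 ms slot, idle except during bursts."""
    trace = [0] * duration_ms
    for start in burst_starts_ms:
        for slot in range(start, start + burst_len_ms):
            trace[slot] = pkts_per_ms * JUMBO_BYTES
    return trace


def average_bps(trace):
    """Rate as a long load-interval reports it: total bits over the whole window."""
    return sum(trace) * 8 * 1000 // len(trace)


def detect_bursts(trace, limit_percent, interval_ms):
    """Return (start_ms, percent_of_line_rate) for every interval above the limit.

    Models the idea of a percent limit checked per interval; the switch's own
    algorithm is not described on the slide.
    """
    capacity_bytes = LINK_BPS // 8 * interval_ms // 1000
    hits = []
    for start in range(0, len(trace), interval_ms):
        used = sum(trace[start:start + interval_ms])
        percent = used * 100 / capacity_bytes
        if percent > limit_percent:
            hits.append((start, round(percent, 1)))
    return hits


# Constructed input: a 30 s window with twenty 10 ms bursts of 130 jumbo frames per ms.
TRACE = build_trace(30_000, [i * 1500 for i in range(20)], 10, 130)

if __name__ == "__main__":
    print("30 s average:", average_bps(TRACE) / 1e6, "Mbps")
    print("10 ms intervals above 80%:", len(detect_bursts(TRACE, 80, 10)))
    print("1 s intervals above 80%:", len(detect_bursts(TRACE, 80, 1000)))
```

The same 80% limit finds every burst at a 10 ms interval and none at a 1 s interval, which is why the interval is part of the threshold configuration.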
Buffer monitoring
Why do we need to monitor buffers?
Can I add a new server?
Is my network congested?
What is Buffer monitoring on Nexus?
• Buffer utilization is on a per port basis
• Buffer utilization is shown for unicast traffic in the ingress direction and for unicast and
multicast traffic in the egress direction
Configuration
• Buffer utilization histogram must be enabled on interface.
[no] hardware profile buffer monitor
Output of Buffer Monitoring tool
switch# show hardware profile buffer monitor interface ethernet 1/21 history brief
--------------------------------------------------------------------------------
Interface : Eth1/21
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Sampling Mode : Slow (1 second)
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Ingress Buffer Utilization Detected(in KB)
Per asic Ingress Total Usage (15.628800MB)
--------------------------------------------------------------------------------
1 sec | 5 sec | 1 min | 5 min | 1 hour |
--------------------------------------------------------------------------------
0.6| 0.6| 0.6| 0.6| 0.6|
--------------------------------------------------------------------------------
Egress Buffer Utilization Detected(Unicast|Multicast)(in KB)
Per asic Egress Total Usage (8.611850MB)
--------------------------------------------------------------------------------
1 sec | 5 sec | 1 min | 5 min | 1 hour |
--------------------------------------------------------------------------------
112.6| 0.0| 177.2| 0.0| 158.0| 0.0| 164.1| 0.0| 164.3| 0.0|
--------------------------------------------------------------------------------
Real World Example
Application not responding
[Figure labels: Impacted application; WAN]
Identify Packet Drops
switch# show interface ethernet 1/1
<snip>
30 seconds input rate 96315720 bits/sec, 1331 packets/sec
30 seconds output rate 0 bits/sec, 0 packets/sec
Load-Interval #2: 5 minute (300 seconds)
input rate 5.20 Gbps; output rate 0 bps, 0 pps
<snip>
RX
<snip>
0 input error 0 short frame 0 overrun 0 underrun 0 ignored
0 watchdog 0 bad etype drop 0 bad proto drop 0 if down drop
0 input with dribble 235847488 input discard
0 Rx pause
TX
0 unicast packets 0 multicast packets 0 broadcast packets
0 output packets 0 bytes
0 jumbo packets
0 output error 0 collision 0 deferred 0 late collision
0 lost carrier 0 no carrier 0 babble 0 output discard
0 Tx pause
Real World Example
Application not responding
Problem Zone
Sniffer Device
Encapsulated Remote SPAN (ERSPAN)
• ERSPAN supports source and destinations on different switches
• Packets are replicated and GRE encapsulated at ERSPAN source device
• At ERSPAN Destination device, GRE packet is decapsulated
ERSPAN with IEEE1588 timestamp – Find Network Latency
[Figure labels: GPS; PTP messages; Data; Switch A (N5K-C56-72UP); Switch N (N5K-C56-72UP)]
Nexus 5600/6000 SPAN Features
Packet drops !!
5672(config) # show interface ethernet 1/5
Ethernet1/3 is UP
<snipped>
RX
proto drop 0 if down drop
[Figure: N5K-C56-72UP switch]
What packets are dropped?
SPAN-on-Drop
[Figure: SPAN-on-Drop on Nexus 5600. Labels: Port 3 is congested; Tail-Drop; Ingress Data Buffer; SPAN Buffer; Destination; SPAN-On-Drop; Monitoring Station]
SPAN on Drop - NX-OS 7.0(1)N1(1), Q1/2014
SPAN-on-Drop
• Works for unicast packets only
• Supports both local SPAN and ERSPAN
• One SPAN-on-Drop session is supported
• Can have multiple source ports, and multiple destination ports
• Source port(s) can be a part of a SPAN-on-Drop session, and a local SPAN session
simultaneously
SPAN on Drop - NX-OS 7.0(1)N1(1), Q1/2014
SPAN-on-Drop
The source interface is the ingress port for which we want to monitor drops.
SPAN-on-Latency – Identify delayed flows
[Figure: N5K-C56-72UP switch connected to SPINE; caption: What took so long?]
SPAN-on-Latency
Latency Monitoring: Gives port-port latency
[Figure: ports 1 to 64; latency measured as T1-T0 and T3-T2]
If Latency Threshold > 10 usec: SPAN to 1/64 (Monitoring Station)
SPAN-on-Latency Configuration
interface Ethernet1/35
packet latency threshold 10001
interface Ethernet1/64
switchport mode monitor
SPAN-on-Latency
• Support for one SPAN-on-latency session
Real World Example
Problem - Slow Download Rate
Monitored - Errors on interface and CPU usage
[Figure: N5K-C56-72UP switch, ports Eth1/7 and Eth1/14]
Analytics: Maybe congestion? Buffer monitoring ✗
SVI 572: 10.5.72.1/24, 0000.0c9f.f23c
10.5.72.72: 547f.ee36.e841
10.5.72.155: 547f.ee35.e001
Find which application is impacted - SPAN-on-Latency ✓
monitor session 1 type span-on-latency
Real World Example
Root cause - In SPAN, found server subnet mask incorrectly set to /25 instead of /24
[Figure: N5K-C56-72UP switch, ports Eth6/7 and Eth6/14]
Fix - Update server subnet mask
[root@Car ~]# ifconfig eth0 | grep "inet addr"
inet addr:10.5.72.72 Bcast:10.5.72.127 Mask:255.255.255.128
Server: 10.5.72.72, 547f.ee36.e841
Client: 10.5.72.155, 547f.ee35.e001
SVI 572: 10.5.72.1/24, 0000.0c9f.f23c
These hosts are in the same VLAN yet the Server (10.5.72.72) is sending traffic destined
to the gateway’s MAC address
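The symptom described above can be checked mechanically over frames taken from the SPAN capture. This Python is an added example, not from the session: the frame tuples are constructed (192.0.2.10 is a documentation address), the function names are illustrative, and the IP and MAC addresses are the ones on the slide.

```python
"""Spot same-subnet traffic that is being sent to the gateway MAC (added example)."""
import ipaddress

VLAN_NET = ipaddress.ip_network("10.5.72.0/24")   # SVI 572 on the slide
GATEWAY_MAC = "0000.0c9f.f23c"                    # SVI MAC on the slide

# Constructed frame summaries, as they might be read from the SPAN capture:
# (src_mac, dst_mac, src_ip, dst_ip)
FRAMES = [
    ("547f.ee36.e841", "0000.0c9f.f23c", "10.5.72.72", "10.5.72.155"),
    ("547f.ee35.e001", "547f.ee36.e841", "10.5.72.155", "10.5.72.72"),
    ("547f.ee36.e841", "0000.0c9f.f23c", "10.5.72.72", "192.0.2.10"),
]


def is_on_link(host_ip, prefix_len, dst_ip):
    """True if a host configured as host_ip/prefix_len treats dst_ip as directly reachable."""
    network = ipaddress.ip_interface(f"{host_ip}/{prefix_len}").network
    return ipaddress.ip_address(dst_ip) in network


def find_hairpins(frames, vlan_net, gateway_mac):
    """(src_ip, dst_ip) pairs inside the VLAN subnet whose frame is addressed to the gateway."""
    suspects = []
    for _src_mac, dst_mac, src_ip, dst_ip in frames:
        both_local = (ipaddress.ip_address(src_ip) in vlan_net
                      and ipaddress.ip_address(dst_ip) in vlan_net)
        if both_local and dst_mac == gateway_mac:
            suspects.append((src_ip, dst_ip))
    return suspects


def mask_that_explains(src_ip, dst_ip, vlan_net):
    """Shortest prefix longer than the VLAN's at which src_ip stops seeing dst_ip as on-link."""
    for prefix_len in range(vlan_net.prefixlen + 1, 33):
        if not is_on_link(src_ip, prefix_len, dst_ip):
            return prefix_len
    return None


def netmask_and_broadcast(host_ip, prefix_len):
    """Netmask and broadcast address the host would show for this prefix length."""
    network = ipaddress.ip_interface(f"{host_ip}/{prefix_len}").network
    return str(network.netmask), str(network.broadcast_address)


if __name__ == "__main__":
    for src, dst in find_hairpins(FRAMES, VLAN_NET, GATEWAY_MAC):
        plen = mask_that_explains(src, dst, VLAN_NET)
        print(f"{src} -> {dst} via gateway; candidate mask on {src}: /{plen}",
              netmask_and_broadcast(src, plen))
```

The candidate /25 yields the same Mask and Bcast values that `ifconfig` reports on the server.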
SPAN with ACL filter
• Selectively monitor traffic in a SPAN session using Access-control list (ACL)
switch(config-acl)# sh access-lists
Nexus 7000/9000 SPAN Features
SPAN VLAN Filters
VLAN filters allow monitoring subset of VLANs on trunk ports
SPAN filtering
ACL FILTERS
ACL Capture
Selectively monitor traffic on an interface or VLAN
Packets that match ACL rule are permitted or denied and/or sent to an alternate
destination
ACL Capture
Enable a capture session for an ACL's access control entries (ACEs) and then apply the ACL to an interface:
switch(config)# ip access-list acl1
switch(config-acl)# permit tcp any any capture session 1
switch(config)# interface ethernet 7/1
switch(config-if)# ip access-group acl1 in
Enable a capture session for the whole ACL and then apply the ACL to an interface:
switch(config)# ip access-list acl1
switch(config-acl)# capture session 1
switch(config)# interface ethernet 7/1
switch(config-if)# ip access-group acl1 in
Inband SPAN – Monitor control traffic
• Supervisor CPU sends/receives traffic via dedicated interface to Fabric using
INBAND interface
INBAND SPAN capture
Real world Example
High CPU – Use INBAND SPAN to find out!
Rule Based SPAN
Filter applied selectively on a session results in desired subset of traffic
• MAC address
• Ether type
• VLAN
• IP address
• L4 protocol
• ToS
• CoS/VL
• Frame type (IPv4, IPv6, FCoE, ARP/RARP)….
Simple Filter Configuration
Configure a filter within the session configuration mode (all fields AND’ed)
monitor session 1
source interface e1/1
destination interface e2/1
filter vlan 10, 20
filter frame-type ipv4 src-ip 10.1.1.1/24 dest-ip 20.1.1.1/24
no shut
FAQ: So many filters for SPAN! Which should I use?
GOAL IS SAME i.e SPAN WHAT I WANT TO ..
Nexus 5600/6000 :
ACL filters for SPAN (Use Access lists to filter SPAN)
Nexus 7000/7700 :
VLAN filters (Filter by VLAN)
Rule based SPAN (Filter by L2/L3/L4 fields)
Nexus 3100/9300/9500 :
VLAN filters (Filter by VLAN)
ACL filters (Use Access lists to filter SPAN)
SPAN rate limiting
• Limits the number of SPAN copies made on ingress
• In manual mode, the rate limit will be in 1-100 range, i.e., 1%, 2%, 3% …100% of 10G
SPAN rate
• In auto mode, the rate limit will be automatically calculated as follows:
Rate limit = Dest. Bandwidth / Source Bandwidth
Command
N7k(config-monitor-local)# [no] rate-limiter [auto | manual [1..100]]
Exception SPAN
• Exception SPAN enables you to span exception packets, that is, packets that have failed intrusion
detection system (IDS) and Layer 3 IP verification checks
• Rate limiters, MTU truncation, and sampling are supported in the exception SPAN session
Exceptions which lead to SPAN
Exception | Brief explanation
No route in hardware | This is seen when adjacency is not yet formed
Unicast/Multicast route error (incoming/outgoing interface) | This is seen when the outgoing interface is not available (say, when the LC is reloaded)
Exceptions which lead to SPAN
Exception | Brief explanation
TTL expiry | When the number of hops in the header exceeds TTL configured
SPAN replication before L2/L3 ACL deny | If the copy is made before the decision engine takes a decision, it is Ingress replication.
IPV6 scope check fail | Seen when there are multiple link-local addresses tied to an interface and the route does not exist for the packet through either one of them.
MTU fail | When packet size exceeds the link MTU
Stale adjacency | When the adjacency does not exist / is not updated for a long time / fails refresh
CoPP violations | Any packets that violated CoPP rate-limits
Exception SPAN – Verify CLI
Nexus7000(config)# show hardware ip verify
IPv4 IDS Checks Status Packets Failed
-----------------------------+---------+------------------
address source broadcast Enabled 65536
address source multicast Enabled 65536
address destination zero Enabled 65536
address identical Enabled 65536
checksum Enabled 768
protocol Enabled 0
fragment Enabled 0
length minimum Enabled 0
length consistent Enabled 0
length maximum max-frag Enabled 0
length maximum max-tcp Enabled 0
tcp flags Enabled 0
tcp tiny-frag Enabled 0
version Enabled 0
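To make the counters above concrete, here is a software model of six of the listed checks, run over constructed IPv4 headers. It is an added example, not NX-OS code: the meaning given to each check is inferred from its name in the output, and the function names and sample headers are assumptions.

```python
"""Software model of a few IPv4 checks named in 'show hardware ip verify' (added example)."""
import ipaddress
import struct
from collections import Counter

HEADER_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options


def ipv4_checksum(header):
    """Ones' complement sum over 16-bit words; a header with a valid checksum yields 0."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src, dst, version=4, bad_checksum=False):
    """Constructed test header: TCP, TTL 64, total length 40."""
    fields = [(version << 4) | 5, 0, 40, 0, 0, 64, 6, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(HEADER_FMT, *fields))
    if bad_checksum:
        fields[7] ^= 0x0001          # flip one bit so verification fails
    return struct.pack(HEADER_FMT, *fields)


def failed_checks(header):
    """Names, as printed in the CLI output, of the modelled checks this header fails."""
    ver_ihl, *_, src, dst = struct.unpack(HEADER_FMT, header[:20])
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    failed = []
    if src_ip == ipaddress.IPv4Address("255.255.255.255"):
        failed.append("address source broadcast")
    if src_ip.is_multicast:
        failed.append("address source multicast")
    if dst_ip == ipaddress.IPv4Address("0.0.0.0"):
        failed.append("address destination zero")
    if src_ip == dst_ip:
        failed.append("address identical")
    if ipv4_checksum(header[:20]) != 0:
        failed.append("checksum")
    if ver_ihl >> 4 != 4:
        failed.append("version")
    return failed


def tally(headers):
    """Per-check failure counts, the software analogue of the 'Packets Failed' column."""
    counts = Counter()
    for header in headers:
        counts.update(failed_checks(header))
    return dict(counts)


# Constructed headers: one clean, then one per failure mode.
SAMPLES = [
    build_header("10.1.1.1", "10.2.2.2"),
    build_header("255.255.255.255", "10.2.2.2"),
    build_header("224.0.0.5", "10.2.2.2"),
    build_header("10.1.1.1", "0.0.0.0"),
    build_header("10.1.1.1", "10.1.1.1"),
    build_header("10.1.1.1", "10.2.2.2", bad_checksum=True),
    build_header("10.1.1.1", "10.2.2.2", version=6),
]

if __name__ == "__main__":
    for name, count in tally(SAMPLES).items():
        print(f"{name:28} {count}")
```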
Real world Example
CRC errors
• Packets coming into interface were mishandled by TRANSCEIVER leading to CRC errors
• Packet dropped in hardware – Packet which came in didn't make it to the egress
[Figure label: Receive packet from wire]
Nexus 5000-7000 SPAN
SPAN Features | Nexus 5600 | Nexus 7000 | Nexus 7700
ERSPAN destination session | Yes | All except F1(F3*) | All LC’s(F3*)
Prioritize data over SPAN | Yes | Yes (F2E/F3/M1/M2) | Yes (F2E/F3)
Line-rate SPAN throughput | Yes | No | No
*Software roadmap feature
“Flexible” NetFlow ( Nexus 5k – 7k )
• Enhanced network anomaly
NetFlow = Visibility
A single NetFlow Record provides a wealth of information
switch# show flow monitor MONITOR-1 cache
…
IPV4 SOURCE ADDRESS: 192.168.100.100
IPV4 DESTINATION ADDRESS: 192.168.20.6
TRNS SOURCE PORT: 47321
TRNS DESTINATION PORT: 443
INTERFACE INPUT: E1/1
IP TOS: 0x00
IP PROTOCOL: 6
ipv4 next hop address: 192.168.20.6
tcp flags: 0x1A
interface output: Gi0/1.20
counter bytes: 1482
counter packets: 23
timestamp first: 12:33:53.358
timestamp last: 12:33:53.370
ip dscp: 0x00
ip ttl min: 127
ip ttl max: 127
application name: nbar secure-http
…
Seven Steps of Flow Creation
[Figure: flow-creation diagram. Surviving labels: Packet; I/O Module; I/O module collects the flows and their statistics once the flow ages out; Formatted into NetFlow Export; Collector]
Full vs. Sampled NetFlow
• NetFlow collects full or sampled flow data
• Full NetFlow: Accounts for every packet of every flow on interface
– Available on M-Series modules only on Nexus 7000
– Flow data collection up to capacity of hardware NetFlow table
• Sampled NetFlow: Accounts for M in N packets on interface
– Available on both M2 (ingress/egress) and F2E/F3 (ingress only) in Nexus 7000
and Nexus 5600
– M2: Flow data collection up to capacity of hardware NetFlow table
– F3: Flow data collection for up to ~1000/3000pps per module
– F3 (future): Increased per-module sampling rate leveraging on-board Fabric Services
Accelerator (FSA) complex
– Nexus 5600: Flow data collection for up to ~120kpps per chassis
NetFlow - Traffic statistics
Configuration
Steps:
1. Create Flow Record
2. Create Flow Exporter
3. Associate Record and Exporter to a Flow Monitor
4. Apply to the interfaces
flow record SAMPLE-FLOW
  ! KEY
  match ipv4 source address
  match ipv4 destination address
  match transport source-port
  match transport destination-port
  ! NON-KEY
  collect counter bytes
  collect counter packets
  collect timestamp sys-uptime first
  collect timestamp sys-uptime last
flow exporter SAMPLE-EXPORT-1
  description SAMPLE FnF v9 Exporter
  destination 11.1.1.1 use-vrf management
  source Loopback0
  transport udp 2055
flow exporter SAMPLE-EXPORT-2
  description SAMPLE FnF v9 Exporter
  destination 12.1.1.1 use-vrf management
  transport udp 2055
flow monitor SAMPLE-MONITOR
  description SAMPLE FnF v9 Monitor
  record SAMPLE-FLOW
  exporter SAMPLE-EXPORT-1
  exporter SAMPLE-EXPORT-2
interface eth 1/1
  ip address 172.16.0.1 255.255.255.0
  ip flow monitor SAMPLE-MONITOR input
  ip flow monitor SAMPLE-MONITOR output
interface eth 2/1
  ip address 172.16.1.1 255.255.0
  ip flow monitor SAMPLE-MONITOR input
  ip flow monitor SAMPLE-MONITOR output
Use Case – Resolving High CPU using FnF
Nexus# show processes cpu sort
CPU utilization for five seconds: 65%/8%; one minute: 63%; five minutes: 61%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
310 30544 189234 81 47.12% 45.11% 45.23% 0 IP Input
High CPU due to process “IP Input”
Use Case - Monitoring Control-Plane traffic using FnF
Nexus(config)# show flow monitor FnF-Receive cache detailed
NetFlow
NetFlow collects flow data for packets traversing the switch
M2 (N7000) F3 (Nexus 7x00) Nexus 5600
Tools designed with you in mind
• Advanced feature rich analytics tools
Netflow, Latency mon, ACL Capture