Reference Guide

If you configure the flow-based enable command and do not apply an ACL on the source port or the monitored port, both flow-based
monitoring and port mirroring do not function. Flow-based monitoring is supported only for ingress traffic.
The show monitor session session-id command displays output which indicates if a particular session is enabled for flow-monitoring.
View flow-based monitoring
OS10# show monitor session 1
S.Id Source Destination Dir SrcIP DstIP DSCP TTL State Reason
----------------------------------------------------------------------------
1 ethernet1/1/1 ethernet1/1/4 both N/A N/A N/A N/A true Is UP
Traffic matching ACL rule
OS10# show ip access-lists in
Ingress IP access-list testflow
Active on interfaces :
ethernet1/1/1
seq 5 permit icmp any any capture session 1 count (0 packets)
seq 10 permit ip 102.1.1.0/24 any capture session 1 count bytes (0 bytes)
seq 15 deny udp any any capture session 2 count bytes (0 bytes)
seq 20 deny tcp any any capture session 3 count bytes (0 bytes)
Enable flow-based monitoring
Flow-based monitoring conserves bandwidth by mirroring only specified traffic, rather than all traffic on an interface. It is available for L2
and L3 ingress and egress traffic. Configure traffic to be monitored using ACL filters.
1 Create a monitor session in MONITOR-SESSION mode.
monitor session session-number type {local | rspan-source}
2 Enable flow-based monitoring for the mirroring session in MONITOR-SESSION mode.
flow-based enable
3 Define ACL rules that include the keywords capture session session-id in CONFIGURATION mode. The system only
considers port monitoring traffic that matches rules with the keywords capture session.
ip access-list
4 Apply the ACL to the monitored port in INTERFACE mode.
ip access-group access-list
Enable flow-based monitoring
OS10(config)# monitor session 1 type local
OS10(conf-mon-local-1)# flow-based enable
OS10(config)# ip access-list testflow
OS10(conf-ipv4-acl)# seq 5 permit icmp any any capture session 1
OS10(conf-ipv4-acl)# seq 10 permit ip 102.1.1.0/24 any capture session 1 count byte
OS10(conf-ipv4-acl)# seq 15 deny udp any any capture session 2 count byte
OS10(conf-ipv4-acl)# seq 20 deny tcp any any capture session 3 count byte
OS10(conf-ipv4-acl)# exit
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ip access-group testflow in
OS10(conf-if-eth1/1/1)# no shutdown
View access-list configuration
OS10# show ip access-lists in
Ingress IP access-list testflow
Active on interfaces :
ethernet1/1/1
seq 5 permit icmp any any capture session 1 count (0 packets)
seq 10 permit ip 102.1.1.0/24 any capture session 1 count bytes (0 bytes)
seq 15 deny udp any any capture session 2 count bytes (0 bytes)
seq 20 deny tcp any any capture session 3 count bytes (0 bytes)
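The failure mode noted above (a flow-based session with no capture ACL on its source port mirrors nothing) can be checked offline by cross-referencing the two show outputs. The following Python script is an added example, not part of the guide or of OS10; its function names are hypothetical, and it assumes every session passed in has flow-based enable configured and that the output covers all sessions.

```python
import re
# Sample outputs copied from the page's own examples.
MONITOR_OUT = """\
S.Id Source Destination Dir SrcIP DstIP DSCP TTL State Reason
----------------------------------------------------------------------------
1 ethernet1/1/1 ethernet1/1/4 both N/A N/A N/A N/A true Is UP
"""
ACL_OUT = """\
Ingress IP access-list testflow
Active on interfaces :
ethernet1/1/1
seq 5 permit icmp any any capture session 1 count (0 packets)
seq 10 permit ip 102.1.1.0/24 any capture session 1 count bytes (0 bytes)
seq 15 deny udp any any capture session 2 count bytes (0 bytes)
seq 20 deny tcp any any capture session 3 count bytes (0 bytes)
"""

def parse_sessions(text):
    """Map session id -> source port from 'show monitor session' rows."""
    rows = (re.match(r"\s*(\d+)\s+(\S+)\s+\S+", ln) for ln in text.splitlines())
    return {int(m.group(1)): m.group(2) for m in rows if m}

def parse_acls(text):
    """Return [(acl_name, {interfaces}, {capture session ids})]."""
    acls = []
    for ln in map(str.strip, text.splitlines()):
        head = re.match(r"(?:Ingress|Egress) IP access-list (\S+)", ln)
        if head:
            acls.append((head.group(1), set(), set()))
        elif acls and re.fullmatch(r"[a-z-]+\d+(/\d+)*", ln):
            acls[-1][1].add(ln)  # interface listed under 'Active on interfaces'
        elif acls and ln.startswith("seq "):
            cap = re.search(r"capture session (\d+)", ln)
            if cap:
                acls[-1][2].add(int(cap.group(1)))
    return acls

def audit(monitor_text, acl_text):
    """Flag sessions with no capture ACL on the source port, and orphan rules."""
    sessions, acls = parse_sessions(monitor_text), parse_acls(acl_text)
    findings = []
    for sid, port in sorted(sessions.items()):
        if not any(port in ifs and sid in caps for _, ifs, caps in acls):
            findings.append(f"session {sid}: no ACL with 'capture session {sid}' on {port}")
    for name, _, caps in acls:
        for sid in sorted(caps - set(sessions)):
            findings.append(f"acl {name}: 'capture session {sid}' has no monitor session")
    return findings
```

Run against the page's samples, session 1 passes, and the rules for capture sessions 2 and 3 are reported because only session 1 appears in the monitor output supplied.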
Access Control Lists