Using vFlows to Disable Communication
vFlows can be used to specify communication that is not allowed on a switch or across a fabric. Use the following steps to create a vFlow that acts as a firewall:
1. Define a VLAN and destination IP-based flow and specify that the flow is dropped by the switch, with statistics monitoring enabled:
CLI network-admin@switch > vflow-create name flow3 scope local vlan 99 dst-ip 172.168.24.1 action drop stats enable
 
2. Display the statistics for the new vFlow as the traffic is dropped:
CLI network-admin@switch > vflow-stats-show name flow3 show-diff-interval 5
switch    name  packets  bytes  cpu-packets  cpu-bytes
------    ----- ------   -----  ----------   ---------
aquila02  flow3 864      116K   0            0
switch    name  packets  bytes  cpu-packets  cpu-bytes
aquila02  flow3 5        936K   0            0
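The counters above are the evidence that the drop rule is doing work, and in practice they are polled rather than read by eye. The following script is an added example, not part of the Netvisor ONE documentation or product: it parses the vflow-stats-show table format shown above (the repeated header and the K/M/G byte suffixes included), and raises an alert when the drop rate in an interval exceeds a threshold. The sample text and the 5-second interval are constructed from the output above; the threshold value is an assumption for the example.

```python
import re

# Constructed sample modelled on the vflow-stats-show output above; the two
# data rows are taken to be successive 5-second intervals (assumption).
VFLOW_STATS_SAMPLE = """\
switch    name  packets  bytes  cpu-packets  cpu-bytes
------    ----- ------   -----  ----------   ---------
aquila02  flow3 864      116K   0            0
switch    name  packets  bytes  cpu-packets  cpu-bytes
aquila02  flow3 5        936K   0            0
"""

_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_count(token):
    """Convert a counter such as '116K' to an integer; plain integers pass through."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", token)
    if not m:
        raise ValueError(f"unexpected counter value {token!r}")
    return int(float(m.group(1)) * _SUFFIX[m.group(2)])


def parse_vflow_stats(text):
    """Return one dict per data row, skipping the repeated header and rule lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] == "switch" or fields[0].startswith("-"):
            continue
        switch, name, packets, nbytes, cpu_packets, cpu_bytes = fields
        rows.append({
            "switch": switch,
            "name": name,
            "packets": parse_count(packets),
            "bytes": parse_count(nbytes),
            "cpu_packets": parse_count(cpu_packets),
            "cpu_bytes": parse_count(cpu_bytes),
        })
    return rows


def drop_rate_alerts(rows, interval_s, pps_threshold):
    """Return (flow name, packets per second) for every interval whose drop
    rate exceeds the threshold; a sustained high rate on a drop flow means a
    host is still trying to reach the blocked destination."""
    alerts = []
    for r in rows:
        pps = r["packets"] / interval_s
        if pps > pps_threshold:
            alerts.append((r["name"], pps))
    return alerts


if __name__ == "__main__":
    rows = parse_vflow_stats(VFLOW_STATS_SAMPLE)
    for name, pps in drop_rate_alerts(rows, interval_s=5, pps_threshold=100):
        print(f"{name}: {pps:.1f} dropped packets/s")
```

Feed the script the captured output of vflow-stats-show (for example, redirected from a scheduled CLI session) and adjust the interval to match the show-diff-interval value used; the first row of the sample, 864 packets in 5 seconds, trips the example threshold while the second does not.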
 
Parameters available for a vFlow:
- vlan
- in-port
- out-port
- ether-type
- src-mac
- src-mac-mask
- dst-mac
- dst-mac-mask
- src-ip
- src-ip-mask
- dst-ip
- dst-ip-mask
- src-port
- dst-port
- dscp
- tos
- proto
- flow-class
- uplink-ports
- bw-min
- bw-max
- precedence
- action
- action-value
- no-mirror
- mirror
- no-process-mirror
- process-mirror
- no-log-packets
- log-packets
- packet-log-max
- stats
- stats-interval
- duration
- no-transient
- transient
- vxlan
- vxlan-ether-type
- vxlan-proto
Use Case Scenario
In a real use case, the command connection-show server-ip 10.9.10.117 was used to analyze suspicious connections to the server 10.9.10.117:
switch:                     switch02
vlan:                       1
client-ip:                  10.9.9.33
server-ip:                  10.9.9.107
service:                    http
dur(s):                     0
latency(us):                65
out-bytes:                  0
in-bytes:                   0
active:                     yes
switch:                     switch02
vlan:                       1
client-ip:                  10.9.9.33
server-ip:                  10.9.9.107
service:                    http
dur(s):                     210
latency(us):                7
out-bytes:                  48804
in-bytes:                   6120
active:                     yes
switch:                     switch02
vlan:                       1
client-ip:                  10.9.9.33
server-ip:                  10.9.9.107
service:                    http
dur(s):                     328
latency(us):                30
out-bytes:                  48720
in-bytes:                   612620
active:                     yes
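The vertical connection-show output above is easy to read for three records but not for three hundred. The following script is an added example, not part of the Netvisor ONE documentation or product: it parses the vertical key/value format into one record per connection, aggregates bytes per client/server pair, and flags connections whose in-bytes are large and far exceed out-bytes, which is the kind of skew that makes the third connection above stand out. The sample text is constructed from the output above; the thresholds and the choice of in-bytes/out-bytes skew as the flagging criterion are assumptions for the example.

```python
# Constructed sample reproducing the three connection-show records above
# (assumption: every record begins with its "switch:" line, as in the output).
CONNECTION_SHOW_SAMPLE = """\
switch:                     switch02
vlan:                       1
client-ip:                  10.9.9.33
server-ip:                  10.9.9.107
service:                    http
dur(s):                     0
latency(us):                65
out-bytes:                  0
in-bytes:                   0
active:                     yes
switch:                     switch02
vlan:                       1
client-ip:                  10.9.9.33
server-ip:                  10.9.9.107
service:                    http
dur(s):                     210
latency(us):                7
out-bytes:                  48804
in-bytes:                   6120
active:                     yes
switch:                     switch02
vlan:                       1
client-ip:                  10.9.9.33
server-ip:                  10.9.9.107
service:                    http
dur(s):                     328
latency(us):                30
out-bytes:                  48720
in-bytes:                   612620
active:                     yes
"""


def parse_connection_show(text):
    """Split vertical 'key: value' output into one dict per connection."""
    records, current = [], {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "switch" and current:   # the "switch:" line starts a new record
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def totals_by_pair(records):
    """Aggregate connection count, in-bytes and out-bytes per (client-ip, server-ip)."""
    totals = {}
    for r in records:
        key = (r["client-ip"], r["server-ip"])
        count, in_b, out_b = totals.get(key, (0, 0, 0))
        totals[key] = (count + 1, in_b + int(r["in-bytes"]), out_b + int(r["out-bytes"]))
    return totals


def flag_connections(records, min_in_bytes=100_000, in_out_ratio=10):
    """Flag connections whose in-bytes are large and exceed out-bytes by the
    given ratio. The thresholds are assumptions for this example."""
    flagged = []
    for r in records:
        in_b, out_b = int(r["in-bytes"]), int(r["out-bytes"])
        if in_b >= min_in_bytes and in_b > in_out_ratio * max(out_b, 1):
            flagged.append((r["client-ip"], r["server-ip"], r["service"],
                            int(r["dur(s)"]), in_b))
    return flagged


if __name__ == "__main__":
    records = parse_connection_show(CONNECTION_SHOW_SAMPLE)
    print(totals_by_pair(records))
    for entry in flag_connections(records):
        print("flagged:", entry)
```

A flagged client/server pair is a natural candidate for the drop vFlow shown at the top of this page (vflow-create with dst-ip and action drop), after the traffic has been confirmed as unwanted.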
Configuring Mirroring for vFlows and Ports
The Netvisor ONE fabric administrator can run services and applications within the switch. Consider the use case of an application that needs access to the data flowing through the switch without impeding that flow. The port-mirroring feature provides this functionality.
To create mirrored ports and flows, use the command:
CLI network-admin@switch > mirror-create name name-string direction [ingress|egress|bidirectional] in-port port-list out-port port-list span-encap [none|over-ip|over-vlan] span-local-ip ip-address span-remote-ip ip-address span-src-mac mac-address span-dst-mac mac-address span-tagging-vlan span-tos <0-7>
Where,
name name-string
Specify the mirror name.
direction [ingress|egress|bidirectional]
Specify the direction of the mirrored traffic.
in-port port-list
Specify the incoming traffic port.
out-port port-list
Specify the outgoing traffic port.
span-encap [none|over-ip|over-vlan]
Specify the mirror span type. The default value is none.
span-local-ip ip-address
Specify the local IPv4 address.
span-remote-ip ip-address
Specify the remote IPv4 address.
span-src-mac mac-address
Specify the source MAC address for the span.
span-dst-mac mac-address
Specify the destination MAC address for the span.
span-tagging-vlan vlan-id
Specify the mirror span VLAN tagging ID. The default value is none.
span-tos <0-7>
Specify the mirror span ToS (type of service) value. The default value is none.
 
For example, to create a mirror over IP with Encapsulated Remote Switched Port Analyzer (ERSPAN) encapsulation, use the following command:
CLI network-admin@switch > mirror-create name test1 in-port 1 out-port 8 span-encap over-ip span-local-ip 1.1.1.1 span-remote-ip 2.2.2.2 span-src-mac 33:44:55:66:77:88 span-dst-mac 99:aa:bb:cc:dd:ee span-tagging-vlan 100
In this configuration, the mirror destination is marked as BCM_MIRROR_DEST_TUNNEL_IP_GRE, with VLAN tagging and TOS setting as optional parameters.
 
To create a mirror over a VLAN or Layer 2 network with Remote Switched Port Analyzer (RSPAN) encapsulation, use the following command:
CLI network-admin@switch > mirror-create name test4 in-port 1 out-port 16 span-encap over-vlan span-tagging-vlan 200
This configuration is based on 802.1Q VLAN tagging. The mirror packet is tagged with the target VLAN and the mirror destination is marked as BCM_MIRROR_DEST_TUNNEL_L2, which triggers the encapsulation. Do not use VLAN 0 as the tag, because VLAN 0 is considered invalid for tagging.
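The two mirror-create forms above each have their own required parameters and value ranges (span-tos 0-7, and no VLAN 0 tag for RSPAN). The following helper is an added example, not part of the Netvisor ONE documentation or product: it validates a set of mirror parameters and assembles the mirror-create command string, so that an invalid mirror is rejected before it reaches the switch. The rules that over-ip requires span-local-ip and span-remote-ip (as in the ERSPAN example) and that over-vlan requires span-tagging-vlan are assumptions drawn from the examples above; the VLAN range 1-4094 follows from 802.1Q tagging and the page's note on VLAN 0.

```python
import ipaddress
import re

# Assumptions for this example: over-ip needs span-local-ip and span-remote-ip
# (as in the ERSPAN example above), over-vlan needs span-tagging-vlan, and a
# tagging VLAN must be in 1-4094 because VLAN 0 is not a valid tag.
_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
_ENCAPS = ("none", "over-ip", "over-vlan")
_DIRECTIONS = ("ingress", "egress", "bidirectional")


def build_mirror_create(name, in_port, out_port, span_encap="none", direction=None,
                        span_local_ip=None, span_remote_ip=None,
                        span_src_mac=None, span_dst_mac=None,
                        span_tagging_vlan=None, span_tos=None):
    """Validate the parameters and return the mirror-create command string."""
    if span_encap not in _ENCAPS:
        raise ValueError(f"span-encap must be one of {_ENCAPS}")
    if direction is not None and direction not in _DIRECTIONS:
        raise ValueError(f"direction must be one of {_DIRECTIONS}")
    if span_encap == "over-ip":
        if span_local_ip is None or span_remote_ip is None:
            raise ValueError("over-ip (ERSPAN) needs span-local-ip and span-remote-ip")
        for ip in (span_local_ip, span_remote_ip):
            ipaddress.IPv4Address(ip)          # raises ValueError on a bad address
    if span_encap == "over-vlan" and span_tagging_vlan is None:
        raise ValueError("over-vlan (RSPAN) needs span-tagging-vlan")
    for mac in (span_src_mac, span_dst_mac):
        if mac is not None and not _MAC_RE.match(mac):
            raise ValueError(f"invalid MAC address {mac!r}")
    if span_tagging_vlan is not None and not 1 <= int(span_tagging_vlan) <= 4094:
        raise ValueError("span-tagging-vlan must be 1-4094; VLAN 0 is not a valid tag")
    if span_tos is not None and not 0 <= int(span_tos) <= 7:
        raise ValueError("span-tos must be in the range 0-7")

    # Emit the parameters in the order used by the examples on this page.
    parts = ["mirror-create", "name", name]
    if direction is not None:
        parts += ["direction", direction]
    parts += ["in-port", str(in_port), "out-port", str(out_port), "span-encap", span_encap]
    for flag, value in (("span-local-ip", span_local_ip),
                        ("span-remote-ip", span_remote_ip),
                        ("span-src-mac", span_src_mac),
                        ("span-dst-mac", span_dst_mac),
                        ("span-tagging-vlan", span_tagging_vlan),
                        ("span-tos", span_tos)):
        if value is not None:
            parts += [flag, str(value)]
    return " ".join(parts)


if __name__ == "__main__":
    print(build_mirror_create("test4", 1, 16, "over-vlan", span_tagging_vlan=200))
    try:
        build_mirror_create("bad", 1, 16, "over-vlan", span_tagging_vlan=0)
    except ValueError as err:
        print("rejected:", err)
```

With the values from the RSPAN example above, the helper reproduces the page's command (mirror-create name test4 in-port 1 out-port 16 span-encap over-vlan span-tagging-vlan 200); the same call with span-tagging-vlan 0 is rejected.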
 
To create a vflow mirror with ERSPAN encapsulation, use the command:
CLI network-admin@switch > vflow-create name testvflow1 scope local src-ip 40.1.1.8 mirror test1
Netvisor ONE predefines a mirror configuration, but does not insert any traffic into that mirror. Use the following steps to set up mirroring from all of the data ports to the span port. The span port varies from platform to platform, so specify the span port for your platform. You can modify the mirror configuration using the mirror-modify command:
CLI network-admin@switch > mirror-modify name name-string out-port port-list in-port port-list [policy port|vflow] mirroring|no-mirroring
CLI network-admin@switch > mirror-show [format fields-to-display] [parsable-delim character] [sort-asc] [sort-desc] [show dups] [layout vertical|horizontal] [show-interval seconds-interval]
To view the details of a mirror configuration that you have already created, use the mirror-show command. For example, if you had created the following configuration:
CLI network-admin@switch > mirror-create name test direction bidirection out-port 10
To view the details, use the command:
CLI network-admin@switch > mirror-show
switch       name direction   out-port in-port filtering enable other-egress-out nvie-mirror
------------ ---- ----------- -------- ------- --------- ------ ---------------- -----------
ursa-onvl-11 test bidirection 10       none    port      yes    prevent          false

To modify the mirror, use:
CLI (network-admin@ursa-onvl-11) > mirror-modify name test out-port 20

To view the changed details, use:
CLI (network-admin@ursa-onvl-11) > mirror-show
switch       name direction   out-port in-port filtering enable other-egress-out nvie-mirror
------------ ---- ----------- -------- ------- --------- ------ ---------------- -----------
ursa-onvl-11 test bidirection 20       none    port      yes    prevent          false

By default, Netvisor ONE does not set the out-port parameter of the predefined mirror and leaves mirroring disabled; therefore, no data mirroring can occur until you configure it.
To modify the mirror configuration, use the following steps:
1. Use the mirror-modify command to set the output to the span port. However, if you have more than 10Gb of traffic on ports 1-64, do not execute this command.
CLI network-admin@switch > mirror-modify in-port 1-64 out-port 66 enable
CLI network-admin@switch > mirror-show
switch:        T6001-ON
direction:     bidirection
out-port:      66
in-port:       1-64
state:         enable
 
To disable the configuration, use the following command:
CLI network-admin@switch > mirror-modify in-port 1-64 out-port 66 disable
CLI network-admin@switch > mirror-show
switch:        T6001-ON
direction:     bidirection
out-port:      66
in-port:       1-64
state:         disable
 
Port Mirroring to a Remote Host
A port mirroring configuration allows mirrored traffic to be transmitted to a remote host located across an L2 or L3 IP network. This feature allows you to monitor traffic from source ports distributed over multiple switches, which means you can centralize your monitoring devices. Port mirroring to a remote host works by mirroring the traffic from the source ports of a mirrored port session onto a VLAN that is dedicated to the port mirroring session. On the switch containing the destination port for the session, Netvisor ONE mirrors traffic from the session VLAN out of the destination port.
Mirroring Traffic to a Virtual Machine (VM) Interface
Mirroring traffic coming from a switch port or rear-facing network interface card (NIC) to a VM NIC is now supported. This feature is useful for several reasons:
- Viewing incoming traffic from front-facing ports.
- Troubleshooting issues if traffic does not flow as expected.
- Running a firewall as an application on a VM and passing all incoming traffic through it.
This feature is related to the existing mirror-create command, which mirrors traffic from any port to a rear-facing NIC, and uses the parameter option mirror-traffic [true|false] of the netvisor-kvm-interface-add command.