Using vFlows to Disable Communication


vFlows can be used to specify communications that are not allowed on a switch or a fabric. Use the following steps to create a vFlow that acts as a firewall rule:


Define a flow keyed on VLAN and destination IP, set the action to drop so the switch discards matching traffic, and enable statistics collection:


CLI (network-admin@Leaf1) > vflow-create name flow3 scope local vlan 99 dst-ip 172.168.24.1 action drop stats enable


Display the statistics for the new flow as traffic is dropped; show-diff-interval 5 reports the change in the counters at each interval:


CLI (network-admin@Leaf1) > vflow-stats-show name flow3 show-diff-interval 5


switch    name  packets  bytes  cpu-packets  cpu-bytes
aquila02  flow3 864      116K   0            0
switch    name  packets  bytes  cpu-packets  cpu-bytes
aquila02  flow3 5        936K   0            0
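The counters above are only useful to a defender if something reads them. The following Python is an added example, not code from the Netvisor documentation or from Pluribus: it parses captured vflow-stats-show output into records and flags the samples in which a drop flow's packet counter reaches a threshold, which is the point at which a blocked destination still being targeted deserves a look. The column layout is taken from the output shown; the decimal K/M/G scaling of abbreviated counters and the sample text are assumptions constructed for the example.

```python
import re

# Constructed sample input: the two vflow-stats-show blocks shown above,
# as they would be captured from the CLI session.
SAMPLE_OUTPUT = """\
switch    name  packets  bytes  cpu-packets  cpu-bytes
aquila02  flow3 864      116K   0            0
switch    name  packets  bytes  cpu-packets  cpu-bytes
aquila02  flow3 5        936K   0            0
"""

# Assumption: the CLI abbreviates counters with decimal K/M/G suffixes.
_SCALE = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
_COUNTER_COLUMNS = ("packets", "bytes", "cpu-packets", "cpu-bytes")


def parse_counter(token):
    """Convert a counter token such as '864' or '116K' to an integer."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", token)
    if not m:
        raise ValueError(f"unrecognised counter value: {token!r}")
    number, suffix = m.groups()
    return int(float(number) * _SCALE[suffix])


def parse_vflow_stats(text):
    """Parse vflow-stats-show output into a list of row dicts.

    Each 'switch ...' header line starts a new block; every data line that
    follows is split on whitespace and zipped with that header, so the
    parser does not depend on fixed column widths.
    """
    header = None
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "switch":
            header = fields
            continue
        if header is None or len(fields) != len(header):
            raise ValueError(f"line does not match header: {line!r}")
        row = dict(zip(header, fields))
        for column in _COUNTER_COLUMNS:
            row[column] = parse_counter(row[column])
        rows.append(row)
    return rows


def samples_over_threshold(rows, flow_name, min_packets):
    """Return the samples for flow_name whose packet counter reaches min_packets.

    For a flow with action drop, a sample at or above the threshold means
    the blocked destination is still being targeted in that interval.
    """
    return [r for r in rows
            if r["name"] == flow_name and r["packets"] >= min_packets]


if __name__ == "__main__":
    parsed = parse_vflow_stats(SAMPLE_OUTPUT)
    for sample in samples_over_threshold(parsed, "flow3", 100):
        print(f"{sample['switch']}: {sample['name']} dropped "
              f"{sample['packets']} packets / {sample['bytes']} bytes")
```

Splitting on whitespace and zipping against the most recent header keeps the parser independent of column widths, so it survives longer switch or flow names; the threshold check is deliberately per sample so that a quiet flow that suddenly spikes in one interval is reported rather than averaged away.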


There are many options available for creating vFlows, and vFlows can be used to shape traffic, collect statistics, capture flow metadata, capture packets, or control communications. The vflow-create options include:


  • vlan
  • in-port
  • out-port
  • ether-type
  • src-mac
  • src-mac-mask
  • dst-mac
  • dst-mac-mask
  • src-ip
  • src-ip-mask
  • dst-ip
  • dst-ip-mask
  • src-port
  • dst-port
  • dscp
  • tos
  • proto
  • flow-class
  • uplink-ports
  • bw-min
  • bw-max
  • precedence
  • action
  • action-value
  • no-mirror
  • mirror
  • no-process-mirror
  • process-mirror
  • no-log-packets
  • log-packets
  • packet-log-max
  • stats
  • stats-interval
  • duration
  • no-transient
  • transient
  • vxlan
  • vxlan-ether-type
  • vxlan-proto