Filtering of Traffic Flows
In the context of vFlows, filtering describes the traffic characteristics on which the network administrator intends to undertake a certain action. You can define the filter through one of the arbitrary set of matching qualifiers as illustrated in Figure 10-5 and Figure 10-6:
- Operating at an OSI or Internet Protocol layer, which is based on the packet header content
- Based on Netvisor ONE logical constructs, such as vNET, vFlow metadata, or vRouter.
Figure 10-5: vFlow Filtering Using Packet Header Fields and Netvisor Logical Constructs
Figure 10-6: vFlow Tables - Packet Forwarding Stage and Filter or Action Capabilities
To define the vFlow filter using the components of OSI layer, use the following keywords or parameters in the vflow-create command:
Filtering Qualifiers at Physical Layer
- in-port port-list — ingress physical interface or LAG interface identifiers. Netvisor ONE accepts values as a single value, a dash-separated value range, or comma-separated list of values and ranges.
- out-port port-list — egress physical interface or LAG interface identifier. Netvisor ONE accepts values as a single value, a dash-separated value range, or comma-separated list of values and ranges. This out-port is applicable for Egress_table.
Filtering Qualifiers at Data Link Layer
- packet-res — packet resolution in the ASIC. The resolution types can be L2-unicast, L2-unknown-unicast, L2 multicast, L2-unknown-multicast, L2-broadcast. For more details, see the Enhancing the vFlow Capability to Match Forwarding Type and Packet Resolution in ASIC section.
- fwding-type — ASIC forwarding type: VLAN, VXLAN, or VLE
- vlan — VLAN (Virtual LAN) identifier (IEEE 802.1q). Range is from 0 through 4095.
- vxlan —VxLAN Network Identifier or VNI
- vxlan-ether-type — Ethernet type such IPv4, ARP, WAKE, RARP, VLAN, IPv6, LACP, MPLS-uni, MPLS-multi, Jumbo, dot1X, AOE, Q-in-Q, LLDP, MACSEC, ECP, PTP, FCOE, FCOE-init, or Q-in-Q-old
- vxlan-proto — Protocol type for the VXLAN. Includes TCP, UDP, ICMP, IGMP, IP, ICMPv6
- src-mac — Source MAC address
- src-mac-mask — Mask for source MAC address
- dst-mac — Destination MAC address for the vFlow
- dst-mac-mask — Mask for destination MAC address
- vlan-pri — Class of Service (CoS) or VLAN priority (IEEE 802.1p), ranges from 0 through 7.
Filtering Qualifiers at Internet Layer
- src-ip — Source IP address for the vFlow
- src-ip-mask — Mask for source IP address
- dst-ip — Destination IP address
- dst-ip-mask — Mask destination IP address
- ttl — Packet time-to-live
- proto — Layer 3 protocol for the vFlow
- dscp — 6-bit Differentiated Services Code Point (DSCP) for Quality of Service (QoS), in the range of 0 to 63
- dscp-start — Start value for DSCP
- dscp-end — End value for DSCP
- tos — Type of Service (ToS) value for Quality of Service (QoS)
- tos-start — Start value for Type of Service (ToS) range
- tos-end — End value for Type of Service (ToS) range
Filtering Qualifiers at Transport Layer
- src-port — Source transport port
- src-port-mask — Mask for source transport port
- dst-port — Destination transport port
- dst-port-mask — Mask for destination transport port
- tcp-flags — Comma-separated list of TCP control flag values
Filtering Qualifiers at User Defined Fields (UDFs)
- udf-name[1-3] — Reference to a User Defined Field (UDF) object, and defines advanced multi-layer filtering. Up to 3 objects are supported.
- udf-data[1-3] — Data value applied to the corresponding UDF object
- udf-data[1-3]-mask — Mask value applied to the corresponding UDF object
For details on configuring vFlows with UDFs, see the Configuring vFlows with user Defined Fields section.
Netvisor ONE Logical Filtering
To define the vFlow filter using the Netvisor ONE logical constructs, use the following keywords or parameters in the vflow-create command:
- metadata — Metadata tag value assigned to packets along the internal hardware forwarding path, which can be used to correlate different vFlow objects operating at different ingress and egress stages
- bridge-domain — Logical abstraction of data-link learning and forwarding domain, implemented using a combination of physical interfaces, VLANs and VNI
- vrouter-name — Reference to an Internet layer VRF context defined on a local vRouter
- vnet — Virtual Network (vNET) value, used for identifying traffic belonging to a logical network partition for multi-tenancy and network segmentation purposes.