Configuring vFlow for Analytics

A vFlow can be used to capture packets for analysis, and you can determine if the vFlow captures packets across the fabric or on a single switch. Packets are captured by forwarding them from the data plane of the switch to the control plane.

A flow that directs packets to the switch CPU can be configured to save packets to a file by enabling the log-packets parameter. The file is written using a libcap compatible format so that programs like TCPdump and Wireshark can be used to read the file. The file is exported to clients using NFS or SFTP.

Packet capture data is available with switch or fabric scope. The pcap files are stored over NFS in the following locations:

• /net/<ServerSw_Name>/ONVL/global/flow/<Flow_Name>/switch/<Switch_Name>/pcap
• /net/<ServerSw_Name>/ONVL//<_Name>/flow/<Flow_Name>/switch/<Switch_Name>/pcap
• /net/<ServerSw_Name>/ONVL/global/flow/<Flow_Name>/fabric/pcap
• /net/<ServerSw_Name>/ONVL//<_Name>/flow/<Flow_Name>/fabric/pcap

Snooping only works if you use the parameters, copy-to-cpu or to-cpu.

The copy-to-cpu parameter ensures that the data plane forwards the packets and sends a copy to the CPU. Use this parameter if you want traffic to flow through the switch.

The to-cpu parameter doesn’t forward packets and interrupts traffic on the switch. To snoop all application flow packets of protocol type TCP, enter the following CLI commands at the prompt:

CLI (network-admin@Leaf1) > vflow-create name snoop_all scope local proto tcp action copy-to-cpu

Then use the following command to display the output:

CLI (network-admin@Leaf1) > vflow-snoop

switch: pleiades24, flow: snoop_all, port: 65, size: 66, time: 20:07:15.03867188

smac: 64:0e:94:28:00:fa, dmac: 64:0e:94:2c:00:7a, etype: ip

sip: 192.168.2.51, dip: 192.168.2.31, proto: tcp

sport: 42120, dport: 33399

switch: pleiades24, flow: snoop_all, port: 65, size: 184, time: 20:07:15.03882961

smac: 64:0e:94:28:00:fa, dmac: 64:0e:94:2c:00:7a, etype: ip

sip: 192.168.2.51, dip: 192.168.2.31, proto: tcp

sport: 42120, dport: 33399

switch: pleiades24, flow: snoop_all, port: 43, size: 66, time: 20:07:15.03893740

smac: 64:0e:94:2c:00:7a, dmac: 64:0e:94:28:00:fa, etype: ip

sip: 192.168.2.31, dip: 192.168.2.51, proto: tcp

sport: 33399, dport: 42120

To restrict the flows captured to TCP port 22, SSH traffic, create the following vFlow:

CLI (network-admin@Leaf1) > vflow-create name snoop_ssh scope local action copy-to-cpu src-port 22 proto tcp vflow-add-filter name snoop_ssh

Then use the vflow-snoop command to display the results:

switch: pleiades24, flow: snoop_ssh, port: 41, size: 230, time: 10:56:57.05785917 src-mac: 00:15:17:ea:f8:70, dst-mac: f4:6d:04:0e:77:60, etype: ip src-ip: 10.9.11.18, dst-ip: 10.9.10.65, proto: tcp src-port: 22, dst-port: 62356

switch: pleiades24, flow: snoop_ssh, port: 41, size: 118, time: 10:56:57.05922560 src-mac: 00:15:17:ea:f8:70, dst-mac: f4:6d:04:0e:77:60, etype: ip src-ip: 10.9.11.18, dst-ip: 10.9.10.65, proto: tcp src-port: 22, dst-port: 62356

The optional parameter vflow-add-filter restricts the output of the vflow-snoop command to the packets matching the snoop_ssh flow definition.

To capture traffic packets for a flow across the entire fabric, you create a flow with the scope of fabric. To copy the packets to a pcap file, add the log-packets option:

CLI (network-admin@Leaf1) > vflow-create name fab_snoop_all scope fabric action copy-to-cpu port 22 log-packets yes

If you enable log-packets, the separate pcap files for all switches are available on any switch. In addition a consolidated pcap file is available that aggregates the packets from all switches in the entire fabric.

Support for IPv6 Addresses and vFlow Configurations

You must modify the vFlow table profile using the new command, vflow-table-profile-modify:

CLI (network-admin@Leaf1) > vflow-table-profile-modify profile ipv6 hw-tbl switch-main

You must reboot the switch in order for the settings to take effect. To ensure that the profile is available after rebooting, use the vflow-table-show command:

CLI (network-admin@Leaf1) > vflow-table-show