Using vFlows to Disable Communication for Security Monitoring


You can use vFlows to control traffic by specifying the communications that are not allowed on a switch or across a fabric. Use the following steps to create a vFlow that acts as a firewall rule:


Define a flow matched on VLAN and destination IP address, specify that the switch drops matching traffic, and enable statistics monitoring for it:


CLI (network-admin@Leaf1) > vflow-create name vflow10 scope local vlan 99 dst-ip 172.168.24.1 action drop stats enable


Display the statistics for the flow created above as the traffic is dropped:


CLI (network-admin@Leaf1) > vflow-stats-show name vflow10 show-diff-interval 5


switch   name      packets   bytes   cpu-packets  cpu-bytes
-------  -------   -------   -----   -----------  ---------
Leaf1    vflow10   864       116K    0            0
Leaf1    vflow10   5         936K    0            0
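Because the drop counters of a firewall-style vFlow are the record of denied traffic, a practitioner will usually want to parse vflow-stats-show output and alert on intervals with a burst of drops. The following is an added example, not code from the Netvisor product or this page: it assumes each output row is one interval sample of the counters and that K/M/G suffixes are binary multiples, and the sample listing is constructed, modelled on the table above.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the vflow-stats-show listing above (not real device output).
SAMPLE_OUTPUT = """\
switch   name      packets   bytes   cpu-packets  cpu-bytes
-------  -------   -------   -----   -----------  ---------
Leaf1    vflow10   864       116K    0            0
Leaf1    vflow10   5         936K    0            0
"""

# Assumption: K/M/G suffixes on the counters are binary multiples (1K = 1024).
_SUFFIX = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_count(token):
    """Convert a counter such as '864', '116K' or '1.5M' to an integer."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", token)
    if not m:
        raise ValueError(f"unexpected counter value: {token!r}")
    return int(float(m.group(1)) * _SUFFIX[m.group(2)])


@dataclass
class FlowStats:
    switch: str
    name: str
    packets: int
    byte_count: int
    cpu_packets: int
    cpu_bytes: int


def parse_vflow_stats(text):
    """Parse the tabular output into FlowStats records, skipping the header and rule lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] == "switch" or fields[0].startswith("-"):
            continue
        rows.append(FlowStats(fields[0], fields[1], *(parse_count(f) for f in fields[2:])))
    return rows


def drop_alerts(rows, packet_threshold):
    """Assumption: each row is one interval sample of the drop counters.
    Return (switch, flow, packets) for samples whose dropped packets exceed the threshold,
    i.e. intervals in which a denied host kept trying to reach the protected address."""
    return [(r.switch, r.name, r.packets) for r in rows if r.packets > packet_threshold]
```

Feed the live command output to parse_vflow_stats and forward the drop_alerts result to your monitoring system; tune the threshold to the expected background of stray traffic on the VLAN.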

Many options are available when creating vFlows: they can be used to shape traffic, capture statistics, capture flow metadata, capture packets, or manage communications. The options include:


  • vlan
  • in-port
  • out-port
  • ether-type
  • src-mac
  • src-mac-mask
  • dst-mac
  • dst-mac-mask
  • src-ip
  • src-ip-mask
  • dst-ip
  • dst-ip-mask
  • src-port
  • dst-port
  • dscp
  • tos
  • proto
  • flow-class
  • uplink-ports
  • bw-min
  • bw-max
  • precedence
  • action
  • action-value
  • no-mirror
  • mirror
  • no-process-mirror
  • process-mirror
  • no-log-packets
  • log-packets
  • packet-log-max
  • stats
  • stats-interval
  • duration
  • no-transient
  • transient
  • vxlan
  • vxlan-ether-type
  • vxlan-proto