Configuring vFlow Filters with Port Mirrors for Logging Packets

A vFlow filter, in conjunction with a port mirror, gives granular control over the traffic that is mirrored through SPAN, RSPAN, or ERSPAN configurations. By configuring a vFlow with a mirror, you can select the traffic you need for analysis with precision.


To create a vFlow-mirror, you should first configure a port mirror and you must identify the SPAN port before configuring the port mirror. For example,


To create a port mirror mirror11, use:


CLI (network-admin@switch) > mirror-create name mirror11 out-port 130 in-port 1-128 filtering vflow-and-port 


To view the details:


CLI (network-admin@switch) > mirror-show


name    direction out-port in-port filtering      enable other-egress-out nvie-mirror

------- --------- -------- ------- -------------- ------ ---------------- -----------

mirror11 ingress   130      1-128   vflow-and-port yes    prevent          false


Note:  The SPAN Port is different for each platform. For NRU02 platform, the SPAN port is port 130.


To create the corresponding vFlow - to_mirror, use the vflow-create command:


CLI (network-admin@switch) > vflow-create name to_mirror scope local mirror mirror11 src-ip 100.1.1.200 dst-ip 10.0.40.2 precedence default action none

 

The vflow-create command allows numerous filtering policies. Refer to the Configuring and Using vFlows chapter for more information.


To view the details, use the command:


CLI (network-admin@switch) > vflow-show name to_mirror


name      scope type  dst-ip    precedence action mirror from-tunnel-decap transparency enable table-name

--------- ----- ----- --------- ---------- ------ ------ ----------------- ------------ ------ --------------------

to_mirror local vflow 10.0.40.2  default    none  mirror11 none             disable     enable System-L1-L4-Tun-1-0


A logical combination of a port mirror and a vFlow-based one can be configured using the filtering parameter in the vflow-create command.


  • Use the port option to consider only the parameters configured in the mirror-create command for filtering the traffic.


  • Use the vflow-or-port option to mirror traffic that meets either the vFlow or the mirror constraints. With this option, packets that match either the vFlow policy or the in-port parameter of the mirror get mirrored.


  • Use the vflow-and-port option to mirror traffic that meets both the vFlow and the mirror constraints. With this option, only packets that match both the vFlow policy and the in-port parameter of the mirror get mirrored.


Note: IP-based remote port mirroring supports only sources (in-port) in the ingress direction with vflow-and-port filtering. This limitation applies to all platforms.


For Remote SPAN (RSPAN):


CLI (network-admin@switch) > mirror-create name mirror5 out-port 80 in-port 40 filtering vflow-and-port span-encap over-vlan span-tagging-vlan 300


Note: Port 80 is associated with VLAN 300.


CLI (network-admin@switch) > vflow-create name flow1 scope local dst-ip 10.10.10.10 action none mirror mirror5


With the above configuration, only the packets that ingress on port 40 of switch with a destination IP address of 10.10.10.10 are mirrored.


For packet logging to local SPAN port on platforms that have rear-facing NICs:


CLI (network-admin@switch) > mirror-create name mirror5 out-port 80 in-port 40 filtering vflow-and-port 


where out-port parameter is the rear-facing NIC SPAN port. 


Note:  Use tcpdump command on Linux shell with rear-facing NIC SPAN port interface to create a PCAP file or to view the traffic live.     


Guidelines to remember while configuring SPAN port:


  • To view the SPAN port, use the command:


CLI (network-admin@switch*) > port-cos-rate-setting-show port span-ports format port,ports,

port       ports

---------- -----

span-ports 130


here, 130 is the SPAN port for the switch.


  • To determine the physical SPAN port interface used for tcpdump in Linux shell, use the command:


root@switch:~# cat /var/nvos/hw_pid.xml

<?xml version="1.0"?>

<hw_pids>

  <hw_pid code="NRU02-ONVL" .. mgmt0="em0" mgmt1="em1" data0="em3" data1="em2" data2="" data3="" ports="none" ..

</hw_pids>


where, "data1" determines the span port physical interface (which is "em2" in this case). This "em2" interface must be used along with tcpdump to capture the packets.


  • You can set the aggregate egress rate limit for traffic to the local SPAN port depending on the CPU utilization and traffic profile. For example, to set the limit to 100 MB,  use the command:


CLI (network-admin@switch) > port-config-modify port 130 egress-rate-limit 100m


CLI (network-admin@switch) > port-config-show port 130 format intf,switch,port,speed,egress-rate-limit,


intf switch port speed egress-rate-limit

---- ------ ---- ----- -----------------

130  switch 130  10g   100000000 


For a more granular rate setting, use the port-cos-rate-setting-modify command. 


north
    keyboard_arrow_up
    keyboard_arrow_down
    description
    print
    feedback
    support
    business
    rss_feed
    south