Configuring vFlow Filters with Port Mirrors for Logging Packets
A vFlow filter, in conjunction with a port mirror, gives granular control over the traffic that is mirrored through SPAN, RSPAN, or ERSPAN configurations. By configuring a vFlow with a mirror, you can select the traffic you need for analysis with precision.
To create a vFlow-based mirror, first configure a port mirror; the SPAN port must be identified before the port mirror is configured. For example:
To create a port mirror named mirror11, use:
CLI (network-admin@switch) > mirror-create name mirror11 out-port 130 in-port 1-128 filtering vflow-and-port
To view the details:
CLI (network-admin@switch) > mirror-show
name      direction  out-port  in-port  filtering       enable  other-egress-out  nvie-mirror
--------  ---------  --------  -------  --------------  ------  ----------------  -----------
mirror11  ingress    130       1-128    vflow-and-port  yes     prevent           false
Note: The SPAN Port is different for each platform. For NRU02 platform, the SPAN port is port 130.
To create the corresponding vFlow, to_mirror, use the vflow-create command:
CLI (network-admin@switch) > vflow-create name to_mirror scope local mirror mirror11 src-ip 100.1.1.200 dst-ip 10.0.40.2 precedence default action none
The vflow-create command allows numerous filtering policies. Refer to the Configuring and Using vFlows chapter for more information.
To view the details, use the command:
CLI (network-admin@switch) > vflow-show name to_mirror
name       scope  type   dst-ip     precedence  action  mirror    from-tunnel-decap  transparency  enable  table-name
---------  -----  -----  ---------  ----------  ------  --------  -----------------  ------------  ------  --------------------
to_mirror  local  vflow  10.0.40.2  default     none    mirror11  none               disable       enable  System-L1-L4-Tun-1-0
A logical combination of port-based and vFlow-based mirroring is configured with the filtering parameter of the mirror-create command (as in the examples above):
- Use the port option to consider only the parameters configured in the mirror-create command for filtering the traffic.
- Use the vflow-or-port option to mirror traffic that meets either the vFlow or the mirror constraints. With this option, packets that match either the vFlow policy or the in-port parameter of the mirror get mirrored.
- Use the vflow-and-port option to mirror traffic that meets both the vFlow and the mirror constraints. With this option, only packets that match both the vFlow policy and the in-port parameter of the mirror get mirrored.
Note: IP-based remote port mirroring supports only sources (in-port) in the ingress direction with vflow-and-port filtering. This limitation applies to all platforms.
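The three filtering modes differ only in how the in-port match and the vFlow match are combined. The following added example (not Netvisor code) models that decision for a mirror shaped like the RSPAN example below (in-port 40, vFlow dst-ip 10.10.10.10) and runs it over a constructed set of packets; the Packet, VFlow and Mirror classes, expand_ports and count_by_mode are assumptions made for illustration.

```python
# Added example (not Netvisor code): a model of how a port mirror decides what to
# mirror under the three filtering modes: port, vflow-or-port, vflow-and-port.
# The mirror and vFlow definitions follow the RSPAN example (in-port 40,
# dst-ip 10.10.10.10); the packets are constructed here for illustration.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Set


@dataclass(frozen=True)
class Packet:
    in_port: int
    src_ip: str
    dst_ip: str


def expand_ports(spec: str) -> Set[int]:
    """Expand an in-port list such as '1-128' or '40,45-47' into a set of ports."""
    ports: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


@dataclass(frozen=True)
class VFlow:
    """Subset of vflow-create match fields; None means 'any'."""
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_ip is not None and ip_address(pkt.src_ip) != ip_address(self.src_ip):
            return False
        if self.dst_ip is not None and ip_address(pkt.dst_ip) != ip_address(self.dst_ip):
            return False
        return True


@dataclass
class Mirror:
    in_ports: Set[int]
    filtering: str                 # "port", "vflow-or-port" or "vflow-and-port"
    vflow: Optional[VFlow] = None  # the vFlow that names this mirror, if any

    def mirrors(self, pkt: Packet) -> bool:
        port_hit = pkt.in_port in self.in_ports
        vflow_hit = self.vflow is not None and self.vflow.matches(pkt)
        if self.filtering == "port":
            return port_hit
        if self.filtering == "vflow-or-port":
            return port_hit or vflow_hit
        if self.filtering == "vflow-and-port":
            return port_hit and vflow_hit
        raise ValueError(f"unknown filtering mode: {self.filtering}")


def mirrored_packets(mirror: Mirror, packets: List[Packet]) -> List[Packet]:
    return [p for p in packets if mirror.mirrors(p)]


# Constructed traffic sample: two ingress ports, two destinations.
SAMPLE_PACKETS = [
    Packet(40, "192.0.2.10", "10.10.10.10"),   # in-port and vFlow both match
    Packet(41, "192.0.2.11", "10.10.10.10"),   # only the vFlow matches
    Packet(40, "192.0.2.12", "10.10.10.11"),   # only the in-port matches
    Packet(41, "192.0.2.13", "10.10.10.11"),   # neither matches
]
FLOW1 = VFlow(dst_ip="10.10.10.10")


def count_by_mode(packets: List[Packet] = SAMPLE_PACKETS) -> dict:
    """Return how many of the packets are mirrored under each filtering mode."""
    return {
        mode: len(mirrored_packets(Mirror(expand_ports("40"), mode, FLOW1), packets))
        for mode in ("port", "vflow-or-port", "vflow-and-port")
    }


if __name__ == "__main__":
    for mode, n in count_by_mode().items():
        print(f"{mode:15} mirrors {n} of {len(SAMPLE_PACKETS)} sample packets")
```

Running it shows the practical difference: vflow-or-port mirrors three of the four packets, port mirrors two, and vflow-and-port mirrors only the one that ingresses on port 40 with the matching destination, which is the mode to use when the SPAN link or capture host must see the narrowest possible traffic set.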
For Remote SPAN (RSPAN):
CLI (network-admin@switch) > mirror-create name mirror5 out-port 80 in-port 40 filtering vflow-and-port span-encap over-vlan span-tagging-vlan 300
Note: Port 80 is associated with VLAN 300.
CLI (network-admin@switch) > vflow-create name flow1 scope local dst-ip 10.10.10.10 action none mirror mirror5
With the above configuration, only packets that ingress on port 40 of the switch with a destination IP address of 10.10.10.10 are mirrored.
For packet logging to a local SPAN port on platforms that have rear-facing NICs:
CLI (network-admin@switch) > mirror-create name mirror5 out-port 80 in-port 40 filtering vflow-and-port
where the out-port parameter is the rear-facing NIC SPAN port.
Note: Use the tcpdump command in the Linux shell on the rear-facing NIC SPAN port interface to create a PCAP file or to view the traffic live.
Guidelines to remember while configuring the SPAN port:
- To view the SPAN port, use the command:
CLI (network-admin@switch*) > port-cos-rate-setting-show port span-ports format port,ports,
port        ports
----------  -----
span-ports  130
Here, 130 is the SPAN port for the switch.
- To determine the physical SPAN port interface used for tcpdump in the Linux shell, use the command:
root@switch:~# cat /var/nvos/hw_pid.xml
<?xml version="1.0"?>
<hw_pids>
<hw_pid code="NRU02-ONVL" .. mgmt0="em0" mgmt1="em1" data0="em3" data1="em2" data2="" data3="" ports="none" ..
</hw_pids>
Here, the "data1" attribute identifies the SPAN port physical interface ("em2" in this case). Use this "em2" interface with tcpdump to capture the packets.
- You can set an aggregate egress rate limit for traffic to the local SPAN port, depending on CPU utilization and the traffic profile. For example, to set the limit to 100 MB, use the command:
CLI (network-admin@switch) > port-config-modify port 130 egress-rate-limit 100m
CLI (network-admin@switch) > port-config-show port 130 format intf,switch,port,speed,egress-rate-limit,
intf  switch  port  speed  egress-rate-limit
----  ------  ----  -----  -----------------
130   switch  130   10g    100000000
For a more granular rate setting, use the port-cos-rate-setting-modify command.
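The hw_pid.xml step above is easy to get wrong by hand (reading data0 instead of data1 captures the wrong NIC). The following added example (not Netvisor code) reads the data1 attribute from a file in the shape shown above and builds the tcpdump command that writes a PCAP on that interface. The XML here is a constructed sample, since the page shows only part of the real line; span_interface, tcpdump_argv and capture_command are names assumed for illustration.

```python
# Added example (not Netvisor code): read the SPAN NIC name from the data1
# attribute of /var/nvos/hw_pid.xml and build the tcpdump command that writes
# a PCAP on that interface. The XML below is a constructed sample in the shape
# of the file shown above; the real file carries more attributes than shown.
import shlex
import xml.etree.ElementTree as ET
from typing import List, Optional

SAMPLE_HW_PID_XML = """<?xml version="1.0"?>
<hw_pids>
<hw_pid code="NRU02-ONVL" mgmt0="em0" mgmt1="em1" data0="em3" data1="em2" data2="" data3="" ports="none"/>
</hw_pids>
"""

HW_PID_PATH = "/var/nvos/hw_pid.xml"   # path from the page; only readable on the switch


def span_interface(xml_text: str, attr: str = "data1") -> Optional[str]:
    """Return the NIC named by `attr` on the first <hw_pid> element, or None if empty/absent."""
    root = ET.fromstring(xml_text)
    hw_pid = root.find("hw_pid")
    if hw_pid is None:
        return None
    name = hw_pid.get(attr, "").strip()
    return name or None


def tcpdump_argv(iface: str, pcap_path: Optional[str] = None, snaplen: int = 0) -> List[str]:
    """Build the tcpdump argument list: -w writes a PCAP file, otherwise packets print live."""
    argv = ["tcpdump", "-i", iface, "-nn", "-s", str(snaplen)]
    if pcap_path:
        argv += ["-w", pcap_path]
    return argv


def capture_command(xml_text: str, pcap_path: Optional[str]) -> str:
    """Resolve the SPAN interface and return a shell-safe tcpdump command line."""
    iface = span_interface(xml_text)
    if iface is None:
        raise RuntimeError("no data1 interface in hw_pid.xml; check the platform's SPAN port mapping")
    return shlex.join(tcpdump_argv(iface, pcap_path))


if __name__ == "__main__":
    try:
        with open(HW_PID_PATH) as fh:
            xml_text = fh.read()
    except OSError:
        xml_text = SAMPLE_HW_PID_XML   # not on a switch: fall back to the constructed sample
    print(capture_command(xml_text, "/tmp/span.pcap"))
```

Printing the command rather than running it keeps the example offline; on the switch, run the printed line in the Linux shell (as root, as in the prompt above). Leaving pcap_path unset gives the live-view form of the command.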