Configuring vFlow for Analytics
A vFlow can be used to capture packets for analysis, and you can determine if the vFlow captures packets across the fabric or on a single switch. Packets are captured by forwarding them from the data plane of the switch to the control plane.
Snooping works only if the vFlow uses the copy-to-cpu or the to-cpu parameter.
The copy-to-cpu parameter ensures that the data plane forwards the packets and sends a copy to the CPU. Use this parameter if you want traffic to flow through the switch.
The to-cpu parameter sends packets to the CPU without forwarding them, so it interrupts traffic on the switch.
To snoop all application flow packets of protocol type TCP, enter the following CLI command at the prompt:
CLI (network-admin@Leaf1) > vflow-create name snoop_all scope local proto tcp action copy-to-cpu
Then use the following command to display the output:
CLI (network-admin@Leaf1) > vflow-snoop
switch: pleiades24, flow: snoop_all, port: 65, size: 66, time: 20:07:15.03867188
smac: 64:0e:94:28:00:fa, dmac: 64:0e:94:2c:00:7a, etype: ip
sip: 192.168.2.51, dip: 192.168.2.31, proto: tcp
sport: 42120, dport: 33399
switch: pleiades24, flow: snoop_all, port: 65, size: 184, time: 20:07:15.03882961
smac: 64:0e:94:28:00:fa, dmac: 64:0e:94:2c:00:7a, etype: ip
sip: 192.168.2.51, dip: 192.168.2.31, proto: tcp
sport: 42120, dport: 33399
switch: pleiades24, flow: snoop_all, port: 43, size: 66, time: 20:07:15.03893740
smac: 64:0e:94:2c:00:7a, dmac: 64:0e:94:28:00:fa, etype: ip
sip: 192.168.2.31, dip: 192.168.2.51, proto: tcp
sport: 33399, dport: 42120
Note: Use the vflow-snoop command only on platforms that do not have rear-facing NICs.
To restrict the captured flows to SSH traffic (TCP port 22), create the following vFlow:
CLI (network-admin@Leaf1) > vflow-create name snoop_ssh scope local action copy-to-cpu src-port 22 proto tcp vflow-add-filter name snoop_ssh
Then use the vflow-snoop command to display the results:
switch: pleiades24, flow: snoop_ssh, port: 41, size: 230, time: 10:56:57.05785917
src-mac: 00:15:17:ea:f8:70, dst-mac: f4:6d:04:0e:77:60, etype: ip
src-ip: 10.9.11.18, dst-ip: 10.9.10.65, proto: tcp
src-port: 22, dst-port: 62356
switch: pleiades24, flow: snoop_ssh, port: 41, size: 118, time: 10:56:57.05922560
src-mac: 00:15:17:ea:f8:70, dst-mac: f4:6d:04:0e:77:60, etype: ip
src-ip: 10.9.11.18, dst-ip: 10.9.10.65, proto: tcp
src-port: 22, dst-port: 62356
The optional parameter vflow-add-filter restricts the output of the vflow-snoop command to the packets matching the snoop_ssh flow definition.
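The following Python sketch is an added example, not part of the product or its documentation. It parses saved vflow-snoop output in both field-name styles shown above (smac/sip/sport and src-mac/src-ip/src-port) and totals packets and bytes per conversation. The function names are hypothetical, and the sample input reuses values from the output on this page.

```python
import re
from collections import defaultdict

# Sample input: records in both field-name styles, values reused from this page.
# The last two records sit on one line each; the parser does not rely on line breaks.
SAMPLE = """\
switch: pleiades24, flow: snoop_all, port: 65, size: 66, time: 20:07:15.03867188
smac: 64:0e:94:28:00:fa, dmac: 64:0e:94:2c:00:7a, etype: ip
sip: 192.168.2.51, dip: 192.168.2.31, proto: tcp
sport: 42120, dport: 33399
switch: pleiades24, flow: snoop_all, port: 65, size: 184, time: 20:07:15.03882961
smac: 64:0e:94:28:00:fa, dmac: 64:0e:94:2c:00:7a, etype: ip
sip: 192.168.2.51, dip: 192.168.2.31, proto: tcp
sport: 42120, dport: 33399
switch: pleiades24, flow: snoop_all, port: 43, size: 66, time: 20:07:15.03893740
smac: 64:0e:94:2c:00:7a, dmac: 64:0e:94:28:00:fa, etype: ip
sip: 192.168.2.31, dip: 192.168.2.51, proto: tcp
sport: 33399, dport: 42120
switch: pleiades24, flow: snoop_ssh, port: 41, size: 230, time: 10:56:57.05785917 src-mac: 00:15:17:ea:f8:70, dst-mac: f4:6d:04:0e:77:60, etype: ip src-ip: 10.9.11.18, dst-ip: 10.9.10.65, proto: tcp src-port: 22, dst-port: 62356
switch: pleiades24, flow: snoop_ssh, port: 41, size: 118, time: 10:56:57.05922560 src-mac: 00:15:17:ea:f8:70, dst-mac: f4:6d:04:0e:77:60, etype: ip src-ip: 10.9.11.18, dst-ip: 10.9.10.65, proto: tcp src-port: 22, dst-port: 62356
"""

# "key: value" pairs; a value ends at the next comma or whitespace.
PAIR = re.compile(r"([a-z-]+): ([^,\s]+)")
# Map the short field names onto the long ones so both styles compare equal.
ALIASES = {"smac": "src-mac", "dmac": "dst-mac", "sip": "src-ip",
           "dip": "dst-ip", "sport": "src-port", "dport": "dst-port"}
NEEDED = {"flow", "proto", "size", "src-ip", "dst-ip", "src-port", "dst-port"}

def parse_snoop(text):
    """Return one dict per captured packet; a 'switch' key starts a new record."""
    records = []
    for key, value in PAIR.findall(text):
        if key == "switch":
            records.append({})
        if records:
            records[-1][ALIASES.get(key, key)] = value
    return records

def conversations(records):
    """Total packets and bytes per (flow, proto, endpoint pair), both directions merged."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for r in records:
        if not NEEDED <= r.keys():      # skip non-IP or truncated records
            continue
        ends = sorted([(r["src-ip"], int(r["src-port"])), (r["dst-ip"], int(r["dst-port"]))])
        key = (r["flow"], r["proto"], *ends)
        totals[key]["packets"] += 1
        totals[key]["bytes"] += int(r["size"])
    return dict(totals)
```

Calling conversations(parse_snoop(SAMPLE)) yields two conversations: the snoop_all TCP exchange between 192.168.2.51 and 192.168.2.31, and the snoop_ssh session served from 10.9.11.18 port 22.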
To capture traffic packets for a flow across the entire fabric, you create a flow with the scope of fabric:
CLI (network-admin@Leaf1) > vflow-create name fab_snoop_all scope fabric action copy-to-cpu port 22
Support for IPv6 Addresses and vFlow Configurations
To support IPv6 addresses in vFlow configurations, you must modify the vFlow table profile using the new command, vflow-table-profile-modify:
CLI (network-admin@Leaf1) > vflow-table-profile-modify profile ipv6 hw-tbl switch-main
You must reboot the switch for the settings to take effect. To verify that the profile is available after rebooting, use the vflow-table-show command:
CLI (network-admin@Leaf1) > vflow-table-show
name                  flow-max-per-group flow-used flow-tbl-slices capability     flow-profile
--------------------- ------------------ --------- --------------- -------------- ------------
Egress-Table-1-0      256                0         2               match-metadata system
Egress-Table-v6-1-0   256                0         1               none           egress-v6
IPv6-Table-1-0        1536               0         1               none           ipv6
System-L1-L4-Tun-1-0  1536               57        2               set-metadata   system
System-VCAP-table-1-0 512                1         1               none           system