Supporting TCP Parameters using vFlows
Packet Broker requires the ability to create flows based on TCP control bits in a packet. The vflow-create and vflow-modify commands have a new option, tcp-flags. The supported TCP control bits include FIN, SYN, RST, PUSH, ACK, and URG.
Setting the ACK bit is supported only when it is combined with other TCP bits, such as SYN and FIN, and not as a single parameter.
Only the to-port and mirror actions are supported by a vFlow with a tcp-flags filter. The actions added for vFlows with tcp-flags configured are mirror-to-port.
If analytics is enabled, copy-to-cpu is also applied on the same vFlow. These flows are created with a precedence of 3 or above.
System vFlows are created with precedence 2 so that analytics can still work alongside these vFlows.
To create a vFlow for the default system table, use the following syntax:
CLI (network-admin@Spine1) > vflow-create name Redirect-TCP-Reset tcp-flags RST action to-port
CLI (network-admin@Spine1) > vflow-create name Redirect-TCP-ECN-Capable tcp-flags ECN,RST action to-port
CLI (network-admin@Spine1) > vflow-create name Mirror-TCP-Finished tcp-flags FIN action mirror
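The flag rules above can be checked before a filter is written. The following Python sketch is an added example, not Netvisor code or part of the original page: it reads the control bits from a constructed TCP header and builds a comma-separated tcp-flags value, rejecting ACK on its own. The function names and the flag ordering are assumptions, and the ECN token used in one command above is not mapped because the page does not say which header bit it selects.

```python
# Added example, not Netvisor code: map TCP header control bits to a tcp-flags value.
import struct

# Control-bit masks in byte 13 of the TCP header, named as in this page's list.
FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PUSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def make_header(flags: int) -> bytes:
    """Constructed 20-byte TCP header (ports, sequence and window are sample values)."""
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 65535, 0, 0)


def decode_flags(tcp_header: bytes) -> list:
    """Return the names of the listed control bits set in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("a TCP header is at least 20 bytes long")
    return [name for name, mask in FLAG_BITS if tcp_header[13] & mask]


def tcp_flags_value(names) -> str:
    """Check a flag set against the rules stated above and join it with commas."""
    wanted = {n.upper() for n in names}
    unknown = wanted - {name for name, _ in FLAG_BITS}
    if unknown:
        raise ValueError(f"not in the listed control bits: {sorted(unknown)}")
    if not wanted:
        raise ValueError("no control bits selected")
    if wanted == {"ACK"}:
        raise ValueError("ACK must be combined with another bit such as SYN or FIN")
    # Assumption: flag order in the value does not matter; header bit order is used.
    return ",".join(name for name, _ in FLAG_BITS if name in wanted)


if __name__ == "__main__":
    for label, bits in [("SYN/ACK", 0x12), ("reset", 0x04), ("bare ACK", 0x10)]:
        names = decode_flags(make_header(bits))
        try:
            print(f"{label}: tcp-flags {tcp_flags_value(names)}")
        except ValueError as err:
            print(f"{label}: cannot be matched on its own ({err})")
```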
You can use the vflow-table-show command to display vFlow tables:
CLI (network-admin@Spine1) > vflow-table-show format all layout vertical
switch: Spine1
name: Egress-Table-1-0
id: a0000d7:1
flow-max: 1024
flow-used: 0
flow-tbl-slices: 1
capability: match-metadata
flow-tbl-bank: Egress
flow-profile: system
switch: Spine1
name: Decap-Table-1-0
id: a0000d7:2
flow-max: 1024
flow-used: 0
flow-tbl-slices: 2
capability: none
flow-tbl-bank: Match-Metadata
flow-profile: vxlan
switch: tac-f64-sw5
name: OpenFlow-L2-L3-1-0
id: a0000d7:3
flow-max: 1024
flow-used: 0
flow-tbl-slices: 7
capability: none
flow-tbl-bank: Match-Metadata
flow-profile: openflow