Using vFlows to Disable Communication for Security Monitoring
You can use vFlows to control traffic by specifying which communications are not allowed on a switch or across a fabric. Use the following steps to create a vFlow that acts as a firewall rule:
Define a flow matched on VLAN and destination IP, specify that matching traffic is dropped by the switch, and enable statistics collection for it:
CLI (network-admin@Leaf1) > vflow-create name vflow10 scope local vlan 99 dst-ip 172.168.24.1 action drop stats enable
Display the statistics for the new flow as traffic is dropped; with show-diff-interval, each row shows the change in the counters since the previous sample rather than a cumulative total:
CLI (network-admin@Leaf1) > vflow-stats-show name vflow10 show-diff-interval 5
switch  name     packets  bytes  cpu-packets  cpu-bytes
------  -------  -------  -----  -----------  ---------
Leaf1   vflow10  864      116K   0            0
Leaf1   vflow10  5        936K   0            0
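A non-zero packet count on a drop flow means something on the network is still attempting the blocked communication, which is the signal a monitoring team wants surfaced. The following is an added example, not Netvisor code, that parses vflow-stats-show output of the layout shown above and returns the intervals in which the drop rule matched traffic; the sample output and the threshold parameter are constructed for illustration.

```python
"""Parse `vflow-stats-show` output and flag sampling intervals in which a
drop vFlow was still matching traffic (blocked communication attempted)."""
import re
from typing import Dict, List

# Constructed sample (not captured from a real switch), mirroring the
# show-diff-interval layout above: each row is one sampling interval.
SAMPLE_OUTPUT = """\
switch  name     packets  bytes  cpu-packets  cpu-bytes
------  -------  -------  -----  -----------  ---------
Leaf1   vflow10  864      116K   0            0
Leaf1   vflow10  5        936K   0            0
"""

_UNITS = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_counter(token: str) -> int:
    """Turn a counter such as '864' or '116K' into an integer."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", token)
    if not m:
        raise ValueError(f"unrecognised counter: {token!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_vflow_stats(text: str) -> List[Dict]:
    """Return one dict per data row; header and separator rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have six columns and a numeric packets column.
        if len(parts) != 6 or not parts[2][0].isdigit():
            continue
        rows.append({
            "switch": parts[0], "name": parts[1],
            "packets": parse_counter(parts[2]), "bytes": parse_counter(parts[3]),
            "cpu_packets": parse_counter(parts[4]),
            "cpu_bytes": parse_counter(parts[5]),
        })
    return rows


def active_drop_intervals(rows: List[Dict], name: str, threshold: int = 0) -> List[Dict]:
    """Intervals in which drop flow `name` matched more than `threshold` packets.
    Every such interval is an attempt at the communication the flow forbids."""
    return [r for r in rows if r["name"] == name and r["packets"] > threshold]
```

Feed the function the text captured from the switch and alert on any returned interval; raising `threshold` suppresses noise from the occasional stray packet.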
There are many options available when creating vFlows; vFlows can be used to shape traffic, capture statistics, capture flow metadata, capture packets, or manage communications. The options include:
- vlan
- in-port
- out-port
- ether-type
- src-mac
- src-mac-mask
- dst-mac
- dst-mac-mask
- src-ip
- src-ip-mask
- dst-ip
- dst-ip-mask
- src-port
- dst-port
- dscp
- tos
- proto
- flow-class
- uplink-ports
- bw-min
- bw-max
- precedence
- action
- action-value
- no-mirror
- mirror
- no-process-mirror
- process-mirror
- packet-log-max
- stats
- stats-interval
- duration
- no-transient
- transient
- vxlan
- vxlan-ether-type