Configuring vFlow for Analytics


A vFlow can be used to capture packets for analysis, and you can specify whether the vFlow captures packets across the fabric or on a single switch. Packets are captured by forwarding them from the data plane of the switch to the control plane.


Snooping works only if you use the copy-to-cpu or to-cpu parameter.


The copy-to-cpu parameter ensures that the data plane forwards the packets and sends a copy to the CPU. Use this parameter if you want traffic to flow through the switch. 


The to-cpu parameter doesn’t forward packets and interrupts traffic on the switch.


To snoop all application flow packets of protocol type TCP, enter the following CLI command at the prompt:


CLI (network-admin@Leaf1) > vflow-create name snoop_all scope local proto tcp action copy-to-cpu

 

Then use the following command to display the output:


CLI (network-admin@Leaf1) > vflow-snoop

 

switch: pleiades24, flow: snoop_all, port: 65, size: 66, time: 20:07:15.03867188
smac: 64:0e:94:28:00:fa, dmac: 64:0e:94:2c:00:7a, etype: ip
sip: 192.168.2.51, dip: 192.168.2.31, proto: tcp
sport: 42120, dport: 33399

switch: pleiades24, flow: snoop_all, port: 65, size: 184, time: 20:07:15.03882961
smac: 64:0e:94:28:00:fa, dmac: 64:0e:94:2c:00:7a, etype: ip
sip: 192.168.2.51, dip: 192.168.2.31, proto: tcp
sport: 42120, dport: 33399

switch: pleiades24, flow: snoop_all, port: 43, size: 66, time: 20:07:15.03893740
smac: 64:0e:94:2c:00:7a, dmac: 64:0e:94:28:00:fa, etype: ip
sip: 192.168.2.31, dip: 192.168.2.51, proto: tcp
sport: 33399, dport: 42120

 

Note: Use the vflow-snoop command only on platforms that do not have rear-facing NICs.


To restrict the captured flows to SSH traffic (TCP port 22), create the following vFlow:


CLI (network-admin@Leaf1) > vflow-create name snoop_ssh scope local action copy-to-cpu src-port 22 proto tcp vflow-add-filter name snoop_ssh

 

Then use the vflow-snoop command to display the results:

 

switch: pleiades24, flow: snoop_ssh, port: 41, size: 230, time: 10:56:57.05785917
src-mac: 00:15:17:ea:f8:70, dst-mac: f4:6d:04:0e:77:60, etype: ip
src-ip: 10.9.11.18, dst-ip: 10.9.10.65, proto: tcp
src-port: 22, dst-port: 62356

switch: pleiades24, flow: snoop_ssh, port: 41, size: 118, time: 10:56:57.05922560
src-mac: 00:15:17:ea:f8:70, dst-mac: f4:6d:04:0e:77:60, etype: ip
src-ip: 10.9.11.18, dst-ip: 10.9.10.65, proto: tcp
src-port: 22, dst-port: 62356

 

The optional parameter vflow-add-filter restricts the output of the vflow-snoop command to the packets matching the snoop_ssh flow definition.
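
For analysis it helps to turn the vflow-snoop text into structured records. The following Python sketch is an added example, not part of the product or its documentation: it parses both key styles shown above (smac/sip/sport and src-mac/src-ip/src-port) and merges the two directions of each conversation. The function names are hypothetical, and the size field is assumed to be the packet length.

```python
import re
from collections import defaultdict

# Records taken from the vflow-snoop output above (two snoop_all, one snoop_ssh).
# The parser keys on "name: value" pairs, so line breaks inside a record do not matter.
SAMPLE = """\
switch: pleiades24, flow: snoop_all, port: 65, size: 66, time: 20:07:15.03867188
smac: 64:0e:94:28:00:fa, dmac: 64:0e:94:2c:00:7a, etype: ip
sip: 192.168.2.51, dip: 192.168.2.31, proto: tcp
sport: 42120, dport: 33399

switch: pleiades24, flow: snoop_all, port: 43, size: 66, time: 20:07:15.03893740
smac: 64:0e:94:2c:00:7a, dmac: 64:0e:94:28:00:fa, etype: ip
sip: 192.168.2.31, dip: 192.168.2.51, proto: tcp
sport: 33399, dport: 42120

switch: pleiades24, flow: snoop_ssh, port: 41, size: 230, time: 10:56:57.05785917 src-mac: 00:15:17:ea:f8:70, dst-mac: f4:6d:04:0e:77:60, etype: ip src-ip: 10.9.11.18, dst-ip: 10.9.10.65, proto: tcp src-port: 22, dst-port: 62356
"""

PAIR = re.compile(r"([a-z-]+): ([^\s,]+)")
# Long key names from the snoop_ssh output, mapped to the short ones.
ALIASES = {"src-mac": "smac", "dst-mac": "dmac", "src-ip": "sip",
           "dst-ip": "dip", "src-port": "sport", "dst-port": "dport"}

def parse_snoop(text):
    """Split vflow-snoop output into one dict per captured packet."""
    records = []
    for key, value in PAIR.findall(text):
        if key == "switch":          # every record begins with the switch name
            records.append({})
        if records:                  # ignore any pairs before the first record
            records[-1][ALIASES.get(key, key)] = value
    return records

def conversations(records):
    """Merge both directions of a flow; count packets and sum the size field."""
    stats = defaultdict(lambda: {"packets": 0, "size": 0})
    for r in records:
        # Sorting the two endpoints gives the same key for either direction.
        ends = sorted([(r["sip"], int(r["sport"])), (r["dip"], int(r["dport"]))])
        entry = stats[(r["flow"], r["proto"], tuple(ends))]
        entry["packets"] += 1
        entry["size"] += int(r["size"])   # assumed to be the packet length
    return dict(stats)

if __name__ == "__main__":
    for key, s in conversations(parse_snoop(SAMPLE)).items():
        print(key, s)
```
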


To capture packets for a flow across the entire fabric, create a flow with the scope of fabric:


CLI (network-admin@Leaf1) > vflow-create name fab_snoop_all scope fabric action copy-to-cpu port 22 


Support for IPv6 Addresses and vFlow Configurations


To use IPv6 addresses in vFlow configurations, you must modify the vFlow table profile using the new command, vflow-table-profile-modify:


CLI (network-admin@Leaf1) > vflow-table-profile-modify profile ipv6 hw-tbl switch-main 

 

You must reboot the switch for the settings to take effect. To verify that the profile is available after rebooting, use the vflow-table-show command:


CLI (network-admin@Leaf1) > vflow-table-show

 

name                  flow-max-per-group flow-used flow-tbl-slices capability     flow-profile
--------------------- ------------------ --------- --------------- -------------- ------------
Egress-Table-1-0      256                0         2               match-metadata system
Egress-Table-v6-1-0   256                0         1               none           egress-v6
IPv6-Table-1-0        1536               0         1               none           ipv6
System-L1-L4-Tun-1-0  1536               57        2               set-metadata   system
System-VCAP-table-1-0 512                1         1               none           system

 
