Configuring vFlow for Analytics

---

A vFlow can be used to capture packets for analysis, and you can determine if the vFlow captures packets across the fabric or on a single switch. Packets are captured by forwarding them from the data plane of the switch to the control plane.

Snooping only works if you use the parameters, copy-to-cpu or to-cpu. 

The copy-to-cpu parameter ensures that the data plane forwards the packets and sends a copy to the CPU. Use this parameter if you want traffic to flow through the switch. 

The to-cpu parameter doesn’t forward packets and interrupts traffic on the switch. To snoop all application flow packets of protocol type TCP, enter the following CLI commands at the prompt:

CLI (network-admin@Leaf1) > vflow-create name snoop_all scope local proto tcp action copy-to-cpu

 

Then use the following command to display the output:

CLI (network-admin@Leaf1) > vflow-snoop

 

switch: pleiades24, flow: snoop_all, port: 65, size: 66, time: 20:07:15.03867188

smac: 64:0e:94:28:00:fa, dmac: 64:0e:94:2c:00:7a, etype: ip

sip: 192.168.2.51, dip: 192.168.2.31, proto: tcp

sport: 42120, dport: 33399

 

switch: pleiades24, flow: snoop_all, port: 65, size: 184, time: 20:07:15.03882961

smac: 64:0e:94:28:00:fa, dmac: 64:0e:94:2c:00:7a, etype: ip

sip: 192.168.2.51, dip: 192.168.2.31, proto: tcp

sport: 42120, dport: 33399

 

switch: pleiades24, flow: snoop_all, port: 43, size: 66, time: 20:07:15.03893740

smac: 64:0e:94:2c:00:7a, dmac: 64:0e:94:28:00:fa, etype: ip

sip: 192.168.2.31, dip: 192.168.2.51, proto: tcp

sport: 33399, dport: 42120

 

Note: Use the vflow-snoop command only on platforms that do not have rear-facing NICs.

To restrict the flows captured to TCP port 22, SSH traffic, create the following vFlow:

CLI (network-admin@Leaf1) > vflow-create name snoop_ssh scope local action copy-to-cpu src-port 22 proto tcp vflow-add-filter name snoop_ssh

 

Then use the vflow-snoop command to display the results:

 

switch: pleiades24, flow: snoop_ssh, port: 41, size: 230, time: 10:56:57.05785917 src-mac: 00:15:17:ea:f8:70, dst-mac: f4:6d:04:0e:77:60, etype: ip src-ip: 10.9.11.18, dst-ip: 10.9.10.65, proto: tcp src-port: 22, dst-port: 62356

switch: pleiades24, flow: snoop_ssh, port: 41, size: 118, time: 10:56:57.05922560 src-mac: 00:15:17:ea:f8:70, dst-mac: f4:6d:04:0e:77:60, etype: ip src-ip: 10.9.11.18, dst-ip: 10.9.10.65, proto: tcp src-port: 22, dst-port: 62356

 

The optional parameter vflow-add-filter restricts the output of the vflow-snoop command to the packets matching the snoop_ssh flow definition.

To capture traffic packets for a flow across the entire fabric, you create a flow with the scope of fabric:

CLI (network-admin@Leaf1) > vflow-create name fab_snoop_all scope fabric action copy-to-cpu port 22 

Support for IPv6 Addresses and vFlow Configurations

You must modify the vFlow table profile using the new command, vflow-table-profile-modify:

CLI (network-admin@Leaf1) > vflow-table-profile-modify profile ipv6 hw-tbl switch-main 

 

You must reboot the switch in order for the settings to take effect. To ensure that the profile is available after rebooting, use the vflow-table-show command:

CLI (network-admin@Leaf1) > vflow-table-show