Configuring vFlows to Filter Packets on Management Interfaces
Arista Networks switches support administrative services and protocols such as SSH, HTTP, SSL, ICMP, etc. (for the full list of supported services, see the show command output below). The management vflow feature uses IPTables to filter traffic on the management interfaces based on the configured filter parameters.
Management traffic on Arista switches is handled in two ways:
- Out-of-band management interface traffic: uses IPTables to perform kernel-based filtering
- In-band management interface traffic: uses a vflow-based programming approach
In dual-stack networks, both IPv4 and IPv6 filters can be used on the management port (in-band or out-of-band). By default, the management service allows all SSH, NFS and SNMP traffic and denies all web traffic, as displayed in the command output below:
CLI (network-admin@spine1) > admin-service-show
if   ssh nfs web web-ssl web-ssl-port web-port snmp net-api icmp
---- --- --- --- ------- ------------ -------- ---- ------- ----
mgmt on  on  off off     443          80       on   on      on
data on  on  off off     443          80       on   on      on
This feature uses the existing vflow commands to add filters specific to these administrative services on the out-of-band and in-band management interfaces. The vflow rules use precedence numbering to maintain the order of the filters, which lets you enforce a rule at a specific position in the IPTables chain. When you configure vflow rules, make sure they do not conflict with the system rules, because the system rules may take precedence over user-configured vflow rules.
While configuring the vflow rules, be aware of the following configuration considerations:
- The parameter if is used to configure management vflows.
- The vflow rules support only the permit and drop actions.
- The order of configuration is the order in which the rules are programmed. However, the user can re-arrange the rules using precedence.
- The precedence of vflow rules in both IPTables and TCAM works as follows:
- By default, the vflow rules have a precedence value of four (4).
- The implicit drop priority is always lower than the user-configured management vflows.
- The IPTables filter is added such that it precedes the existing system rule.
- The following scaling limits apply:
- For in-band traffic: the egress TCAM table limit of 256 entries, or as per hardware limits.
- For out-of-band traffic: the IPTables scale limit applies.
For example, to create a vflow with the following parameters, use the command:
CLI (network-admin@Spine1) > vflow-create name <mgmt_flow> if <mgmt|data> scope <local|fabric> src-ip <IP> src-mask <MASK> dstip <IP> dst-mask <MASK> proto <num_or_name> src-port <src-port-number> dst-port <dst-port-number> action <permit|drop> precedence <num>
Parameter   Description
name        Name of the vFlow that you are creating
if          Specify the vflow administrative service as management or data
scope       Specify the scope as local or fabric
src-ip      Specify the source IP address
src-mask    Specify the source IP address mask
dstip       Specify the destination IP address
dst-mask    Specify the destination IP mask
proto       Specify the name or number of the protocol
src-port    Specify the Layer 3 protocol source port for the vFlow
dst-port    Specify the Layer 3 protocol destination port for the vFlow
action      Specify the action, whether to drop the packet or allow/permit the flow of packets
precedence  Specify the traffic priority value. The default values range between 2 and 15.
To delete a vflow, use the command:
CLI (network-admin@spine1) > vflow-delete name <mgmt_flow>
To modify the vflow rule, use the command:
CLI (network-admin@spine1) > vflow-modify name <mgmt_flow> if <mgmt|data> src-ip <IP> src-mask <MASK> dstip <IP> dst-mask <MASK> proto <num_or_name> src-port <num> dst-port <num> action <permit|drop> precedence <num>
To display the configured vflow rules from the IPTables, use the command:
CLI (network-admin@spine1) > vflow-mgmt-show name <string>
The following example displays an in-band filter configured in the Egress Content Aware Processing (ECAP) TCAM for two IPv4 addresses, where the vflow filters block the SSH connection from the source IP address 10.10.10.19 and allow the SSH connection from the IP address 10.10.10.20:
CLI (network-admin@spine1) > switch-local vflow-show
name   scope type  in-port src-ip      dst-port precedence action enable if
------ ----- ----- ------- ----------- -------- ---------- ------ ------ ----
fdata  local vflow 73      10.10.10.20 22       4          none   enable data
fdata1 local vflow 73      10.10.10.19 22       4          drop   enable data
tcp_22 local vflow 73                  22       default    drop   enable data
The following example displays the out-of-band management filters, including the implicit drop rules that the system adds for each service:
CLI (network-admin@spine1) > vflow-mgmt-show
name                             scope type    src-ip                        dst-port precedence action enable
-------------------------------- ----- ------- ----------------------------- -------- ---------- ------ ------
data1                            local iptable 153.1.1.120/255.255.255.255   22       15                enable
implicitv4_drop_tcp_22_vmgmt0    local iptable                               22       15         drop   enable
mgmt_ipv4                        local iptable 2.1.1.1                                default    none   enable
implicitv4_drop_icmp_vmgmt0      local iptable                               0        15         drop   enable
mgmt1_ipv6                       local iptable 2000::2/ffff:ffff:ffff:ffff::          default    none   enable
mgmt_ipv6                        local iptable 2000::1/ffff:ffff:ffff:ffff::          default    none   enable
implicitv6_drop_ipv6-icmp_vmgmt0 local iptable                               0        15         drop   enable
To display the packet and byte counts from the IPTables, use the command:
CLI (network-admin@spine1) > vflow-mgmt-stats-show name <string>
CLI (network-admin@spine1) > vflow-mgmt-stats-show
switch  name                             pkts bytes
------- -------------------------------- ---- -----
spine1  data1                            0    0
spine1  implicitv4_drop_tcp_22_vmgmt0    16   976
spine1  mgmt_ipv4                        0    0
spine1  implicitv4_drop_icmp_vmgmt0      29   2.38K
spine1  mgmt1_ipv6                       0    0
spine13 mgmt_ipv6                        0    0
spine1  implicitv6_drop_ipv6-icmp_vmgmt0 0    0
To clear all the IPTable rules, use the command:
CLI (network-admin@spine1) > vflow-mgmt-stats-clear name <string>
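As an added example (not from the original page and not part of the switch's own tooling), the following Python script parses the vflow-mgmt-show and vflow-mgmt-stats-show tables shown above, joins each rule with its packet counter, and flags drop rules that are hitting (someone is being refused on the management port, including by the implicit drops) and permit rules that have passed nothing. The sample output is constructed to resemble the tables above, and the parser assumes a fixed-width layout with space-free cells.

```python
import re
# Constructed sample output shaped like this page's vflow-mgmt-show and stats-show tables (not from a real switch).
MGMT_SHOW = """\
name                          scope type    src-ip                      dst-port precedence action enable
data1                         local iptable 153.1.1.120/255.255.255.255 22       15         permit enable
implicitv4_drop_tcp_22_vmgmt0 local iptable                             22       15         drop   enable
mgmt_ipv4                     local iptable 2.1.1.1                              default    none   enable
implicitv4_drop_icmp_vmgmt0   local iptable                             0        15         drop   enable
"""
MGMT_STATS = """\
switch name                          pkts bytes
spine1 data1                         0    0
spine1 implicitv4_drop_tcp_22_vmgmt0 16   976
spine1 mgmt_ipv4                     0    0
spine1 implicitv4_drop_icmp_vmgmt0   29   2.38K
"""

def parse_table(text):
    """Parse a fixed-width CLI table into one dict per row. Each token goes to the
    column whose header starts nearest to it, so blank cells (an empty src-ip) stay empty."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    names = lines[0].split()
    starts = [m.start() for m in re.finditer(r"\S+", lines[0])]
    rows = []
    for line in lines[1:]:
        row = dict.fromkeys(names, "")
        for tok in re.finditer(r"\S+", line):
            col = min(range(len(starts)), key=lambda i: abs(starts[i] - tok.start()))
            row[names[col]] = tok.group()
        rows.append(row)
    return rows

def parse_count(cell):
    """Turn a counter cell such as '16' or '2.38K' into an integer."""
    num, suffix = re.fullmatch(r"([\d.]+)([KMG]?)", cell).groups()
    return round(float(num) * {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}[suffix])

def audit_mgmt_filters(show_text, stats_text):
    """Join each rule with its packet counter and report drop rules that are hitting
    (management access being refused) and permit rules that have passed nothing."""
    pkts = {r["name"]: parse_count(r["pkts"]) for r in parse_table(stats_text)}
    findings = []
    for rule in parse_table(show_text):
        hits = pkts.get(rule["name"], 0)
        if rule["action"] == "drop" and hits > 0:
            findings.append(("drop-hits", rule["name"], hits))
        elif rule["action"] == "permit" and hits == 0:
            findings.append(("unused-permit", rule["name"], hits))
    return findings
```

Run audit_mgmt_filters(MGMT_SHOW, MGMT_STATS) against the pasted output of both commands; a rising count on an implicit drop rule is the signal to check who is trying to reach the management port.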