Understanding vFlows and vFlow Objects

The vFlow functionality in NetVisor OS is a unique Arista feature that defines fabric-wide policies (using match conditions) to facilitate the manipulation and redirection of traffic flows using physical or logical filtering methods (using action parameters) at line rate. NetVisor OS implements vFlow objects in hardware, so they have no impact on the forwarding performance of the switch.

vFlows can be applied to traffic flows regardless of the forwarding method or provisioning construct employed. As such, vFlow objects can be implemented for bridging, routing, and extended bridging operations, and also for transparent forwarding services such as Virtual Wire and Virtual Link extension (vLE).

vFlows can also be viewed as Access Control Lists (ACLs) with advanced capabilities.

The vFlow functionality offers a versatile, programmable, and distributed method for implementing security access control policies, security service insertion, flow monitoring and telemetry, quality of service, and optimized flow-based forwarding.

In NetVisor OS, vFlow filters operate at wire speed because vFlow actions and filtering are applied in the ASIC pipeline at line rate, which ensures no latency or performance degradation.

The vFlow object enables you to: 

  • Configure traffic filtering based on L2, L3, and L4 layer parameters
  • Configure traffic filtering based on action parameters such as blocking and forwarding traffic
  • Configure vFlows for copying packets to the CPU, packet mirroring, packet classification, traffic metering, and bandwidth guarantee
  • Gather statistics for evaluation and analytics

At a high level, the vFlow feature supports the following actions, which can be configured using CLI commands:

  • Creating a vFlow Object

CLI (network-admin@switch-1) > vflow-create name <vflow-name> scope [local|fabric] {specify one or more parameters} {specify any action}

  • Modifying an existing vFlow Object

CLI (network-admin@switch-1) > vflow-modify name <vflow-name> {specify one or more parameters}

  • Deleting an existing vFlow Object

CLI (network-admin@switch-1) > vflow-delete name <vflow-name> 

  • Displaying the applicable actions and use cases for a selected vFlow Object

CLI (network-admin@switch-1) > vflow-show {specify one or more parameters}

These actions are explained in detail in the subsequent sections for configuring vFlow objects with specific parameters. 

Elements of a vFlow

NetVisor OS identifies a vFlow object by a unique name. A vFlow object is composed of the following elements:

  • Administrative scope and state
  • Implementation stage
  • Traffic flow filter
  • Forwarding action