Test environment
- vManage: 20.9.3
- 8000v: 17.9.3a
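Enabling cFlow for all VPN traffic
To enable cFlow for all VPN traffic, modify the Localized Policy (if none exists, create one under Configuration -> Policies -> Localized Policy -> Add Policy) and check Netflow and Application.
The corresponding configuration pushed to the cEdge is:
!
policy
 app-visibility
 flow-visibility
!
Once that is done, attach the Localized Policy in the Device Templates of the target cEdge.
The next step is to configure a cFlow Template under Centralized Policy.
Import the cFlow Template into the already-activated Centralized Policy (if no Centralized Policy has been activated, create one under Configuration -> Policies -> Centralized Policy -> Add Policy).
Also set the sites where the cflow template is activated.
On the cEdge devices in those sites, the policy can then be seen: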
cEdge1-8000#show sdwan policy from-vsmart
from-vsmart cflowd-template Cflow-Tem
 flow-active-timeout 600
 flow-inactive-timeout 10
 template-refresh 60
 flow-sampling-interval 5
 protocol ipv4
 customized-ipv4-record-fields
  no collect-tos
  no collect-dscp-output
 collector vpn 0 address 10.70.79.199 port 9996 transport transport_udp
  source-interface GigabitEthernet1
If vSmart is in CLI mode, the equivalent CLI configuration is:
policy
 lists
  site-list cflow
   site-id 1012
   site-id 102
  !
 !
 cflowd-template Cflow-Tem
  flow-inactive-timeout 10
  template-refresh 60
  flow-sampling-interval 5
  collector vpn 0 address 10.70.79.199 port 9996 transport transport_udp
   source-interface GigabitEthernet1
  !
 !
!
apply-policy
 site-list cflow
  cflowd-template Cflow-Tem
 !
!
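The collector at 10.70.79.199:9996 can only decode flow records after it has received the matching template, which the cEdge re-sends according to `template-refresh`. The following is an added example, not part of the original post: a minimal collector-side parser that assumes the export format is IPFIX (RFC 7011) with fixed-length fields; the function names and sample bytes are constructed for illustration.

```python
import struct

def parse_templates(body):
    """Template Set body -> {template_id: [(element_id, length), ...]}."""
    pos, out = 0, {}
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        pos += 4
        if tid < 256:          # zero padding at the end of the set
            break
        fields = []
        for _ in range(count):
            ie, flen = struct.unpack_from("!HH", body, pos)
            pos += 8 if ie & 0x8000 else 4   # enterprise fields carry a 4-byte PEN
            fields.append((ie & 0x7FFF, flen))
        out[tid] = fields
    return out

def handle_message(msg, templates):
    """Walk one IPFIX message; learn templates, classify data sets."""
    version, length, _time, seq, domain = struct.unpack_from("!HHIII", msg, 0)
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    report, off = {"sequence": seq, "learned": [], "records": 0, "undecodable": []}, 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("set length runs past the message")
        body = msg[off + 4:off + set_len]
        if set_id == 2:                       # Template Set
            for tid, fields in parse_templates(body).items():
                templates[(domain, tid)] = fields
                report["learned"].append(tid)
        elif set_id >= 256:                   # Data Set, set id = template id
            fields = templates.get((domain, set_id))
            size = sum(n for _, n in fields) if fields else 0
            if size:
                report["records"] += len(body) // size
            else:
                report["undecodable"].append(set_id)   # template not seen yet
        off += set_len
    return report

def ipfix(seq, set_id, body):  # constructed one-set message, observation domain 1
    return struct.pack("!HHIIIHH", 10, 20 + len(body), 0, seq, 1, set_id, 4 + len(body)) + body

# Constructed sample: template 256 (src/dst IPv4, src/dst port, protocol) and one record.
TEMPLATE = struct.pack("!12H", 256, 5, 8, 4, 12, 4, 7, 2, 11, 2, 4, 1)
RECORD = bytes([192, 168, 123, 100, 172, 168, 2, 2]) + struct.pack("!HHB", 60441, 7575, 6)
```

Feeding `ipfix(1, 256, RECORD)` before the template message reports the set as undecodable; the same data set counts as records once `ipfix(2, 2, TEMPLATE)` has been handled.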
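Enabling cFlow for selected traffic only
If cFlow is needed only for part of the traffic, Netflow and Application do not need to be checked in the Localized Policy.
Modify the existing Data Policy (or create one under Configuration -> Policies -> Centralized Policy -> Custom Option [Traffic policy] -> Traffic Data), match the traffic of interest, and enable Cflow in the Action.
Modify the already-activated Centralized Policy and import the Data Policy.
Set the sites where the Data Policy is activated.
On the cEdge devices in those sites, the policy can then be seen as: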
cEdge1-8000#show sdwan policy from-vsmart
from-vsmart data-policy _vpn10_xuxing-cflow-dp
 direction from-service
 vpn-list vpn10
  sequence 1
   match
    source-data-prefix-list DEFAULT_ROUTE
   action accept
    cflowd
  default-action accept
The cflow Template must also be configured by following the steps above; they are not repeated here.
If vSmart is in CLI mode, the equivalent CLI configuration is:
policy
 data-policy _vpn10_xuxing-cflow-dp
  vpn-list vpn10
   sequence 1
    match
     source-data-prefix-list DEFAULT_ROUTE
    !
    action accept
     cflowd
    !
   !
   default-action accept
  !
 !
 cflowd-template Cflow-Tem
  flow-inactive-timeout 10
  template-refresh 60
  flow-sampling-interval 5
  collector vpn 0 address 10.70.79.199 port 9996 transport transport_udp
   source-interface GigabitEthernet1
  !
 !
 lists
  vpn-list vpn10
   vpn 10
  !
  data-prefix-list DEFAULT_ROUTE
   ip-prefix 0.0.0.0/0
  !
  site-list cflow
   site-id 1012
   site-id 102
  !
 !
!
apply-policy
 site-list cflow
  data-policy _vpn10_xuxing-cflow-dp from-service
  cflowd-template Cflow-Tem
 !
!
Cflow commands:
show app cflow flows
show app cflowd
show app cflowd collector
show app cflowd flow
show app cflowd flow-count
show app cflowd flows
show app cflowd flows app id 890
show app cflowd flows egress-intf-name
show app cflowd flows egress-intf-name ge0/0
show app cflowd flows ingress-intf-name
show app cflowd flows ingress-intf-name ge0/0
show app cflowd flows ingress-intf-name ge0/0 count
show app cflowd flows total-pkts
show app cflowd flows vpn [number]
show app cflowd statistics
show app cflowd template
Some example commands:
cEdge1-8000#show flow monitor sdwan_flow_monitor cache format table
Cache type: Normal (Platform cache)
Cache size: 250000
Current entries: 3
High Watermark: 14
Flows added: 645
Flows aged: 642
- Active timeout ( 60 secs) 494
- Inactive timeout ( 10 secs) 148
IPV4 SRC ADDR IPV4 DST ADDR TRNS SRC PORT TRNS DST PORT IP VPN ID IP PROT tcp flags intf input intf output flow sampler id bytes long pkts long time abs first time abs last flow end reason intf overlay session id input intf overlay session id output conn conn id long drop cause id bytes drop long sdwan sla not met sdwan preferred color not met sdwan queue id pkts drop long ip dscp app name
=============== =============== ============= ============= ========== ======= ========= ==================== ==================== =============== ==================== ==================== ============== ============= ==================== ============================= ============================== =================== ============= ==================== ================== ============================== =============== ==================== ======= ================================
172.168.2.2 170.72.245.124 58870 443 10 6 0xC2 Gi2 Null 2 52 1 08:50:54.779 08:50:54.779 Not determined 0 0 0xE8B3D39000174A23 19 52 0 0 2 1 0x00 layer7 unknown
192.168.123.100 172.168.2.2 60441 7575 10 6 0xC2 Gi1 Gi2 2 52 1 08:50:48.827 08:50:48.827 Not determined 8 0 0xE8B9D1F0000A335C 0 0 0 0 2 0 0x00 layer7 unknown
172.168.2.2 192.168.123.100 7575 60441 10 6 0x52 Gi2 Gi1 2 93 2 08:50:48.829 08:50:48.831 Not determined 0 8 0xE8B9D1F0000A335C 0 0 0 0 2 0 0x00 layer7 iperf
192.168.123.100 172.168.2.2 60007 7575 10 17 0x00 Gi1 Gi2 2 67469094 48679 08:50:48.844 08:50:55.814 Not determined 8 0 0xE8B3D1F000112234 23 79002 0 0 2 57 0x00 layer7 unknown
cEdge1-8000#show flow monitor sdwan_flow_monitor cache
Cache type: Normal (Platform cache)
Cache size: 250000
Current entries: 0
High Watermark: 14
Flows added: 642
Flows aged: 642
- Active timeout ( 60 secs) 494
- Inactive timeout ( 10 secs) 148
IPV4 SOURCE ADDRESS: 192.168.123.100
IPV4 DESTINATION ADDRESS: 172.168.2.2
TRNS SOURCE PORT: 60441
TRNS DESTINATION PORT: 7575
IP VPN ID: 10
IP PROTOCOL: 6
tcp flags: 0xC2
interface input: Gi1
interface output: Gi2
flow sampler id: 2
counter bytes long: 52
counter packets long: 1
timestamp abs first: 08:50:48.827
timestamp abs last: 08:50:48.827
flow end reason: Not determined
interface overlay session id input: 8
interface overlay session id output: 0
connection connection id long: 0xE8B9D1F0000A335C
drop cause id: 0
counter bytes drop long: 0
sdwan sla not met : 0
sdwan preferred color not met : 0
sdwan queue id : 2
counter packets drop long: 0
ip dscp: 0x00
application name: layer7 unknown
IPV4 SOURCE ADDRESS: 172.168.2.2
IPV4 DESTINATION ADDRESS: 192.168.123.100
TRNS SOURCE PORT: 7575
TRNS DESTINATION PORT: 60441
IP VPN ID: 10
IP PROTOCOL: 6
tcp flags: 0x52
interface input: Gi2
interface output: Gi1
flow sampler id: 2
counter bytes long: 93
counter packets long: 2
timestamp abs first: 08:50:48.829
timestamp abs last: 08:50:48.831
flow end reason: Not determined
interface overlay session id input: 0
interface overlay session id output: 8
connection connection id long: 0xE8B9D1F0000A335C
drop cause id: 0
counter bytes drop long: 0
sdwan sla not met : 0
sdwan preferred color not met : 0
sdwan queue id : 2
counter packets drop long: 0
ip dscp: 0x00
application name: layer7 iperf
cEdge1-8000#show sdwan app-fwd cflowd flows table
Generating output, this might take time, please wait ...
PKT PKT PKT PKT SSL SSL APPQOE APPQOE
TCP SLA COLOR FEC FEC DUP D DUP D DUP CXP CXP SSL SSL EN SSL EN DE SSL DE SSL SSL SSL APPQOE DRE DRE
SRC DEST IP CNTRL ICMP TOTAL TOTAL EGRESS INTF INGRESS INTF DROP DROP DROP NOT NOT QUEUE DSCP SAMPLER D R PKTS PKTS R D TRAFFIC SERVICE PATH READ WRITTEN READ WRITTEN READ WRITTEN SERVICE TRAFFIC POLICY APPQOE APPQOE PASS INPUT INPUT APPQOE
VPN SRC IP DEST IP PORT PORT DSCP PROTO BITS OPCODE PKTS BYTES START TIME NAME NAME APPLICATION FAMILY CAUSE OCTETS PACKETS MET MET ID TOS OUTPUT ID PKTS PKTS ORIG DUP PKTS PKTS CATEGORY AREA TYPE BYTES BYTES BYTES BYTES BYTES BYTES TYPE TYPE ACTION ACTION SN IP REASON BYTES PACKETS FLAGS
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10 192.168.123.100 172.168.2.2 59280 7575 0 17 0 0 419631 581608566 Mon Jan 20 08:28:58 2025 GigabitEthernet2 GigabitEthernet1 unknown network-service No Drop 0 0 0 0 2 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.0.0.0 0 0 0 0
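In the record-format output of `show flow monitor sdwan_flow_monitor cache` above, both directions of one session carry the same `connection connection id long` value. The following is an added example, not part of the original post: it parses that record format, groups flows by connection id, and decodes the `tcp flags` bitmask; the function names are illustrative and the sample is two records from the page trimmed to the fields used.

```python
from collections import defaultdict

# Two records from the page's output, trimmed to the fields used below.
SAMPLE = """\
IPV4 SOURCE ADDRESS: 192.168.123.100
IPV4 DESTINATION ADDRESS: 172.168.2.2
tcp flags: 0xC2
counter bytes long: 52
connection connection id long: 0xE8B9D1F0000A335C
IPV4 SOURCE ADDRESS: 172.168.2.2
IPV4 DESTINATION ADDRESS: 192.168.123.100
tcp flags: 0x52
counter bytes long: 93
connection connection id long: 0xE8B9D1F0000A335C
"""

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

def parse_records(text):
    """One dict per flow; a record starts at 'IPV4 SOURCE ADDRESS'."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # timeout counters and blank lines have no 'key: value' shape
        key = " ".join(key.split()).lower()
        if key == "ipv4 source address":
            records.append({})
        if records:   # skips the cache header lines before the first record
            records[-1][key] = value.strip()
    return records

def decode_flags(hex_value):
    bits = int(hex_value, 16)
    return [name for mask, name in TCP_FLAGS if bits & mask]

def summarize(records):
    """Group both directions of a connection by its connection id."""
    conns = defaultdict(lambda: {"directions": 0, "bytes": 0, "flags": set()})
    for r in records:
        c = conns[r["connection connection id long"]]
        c["directions"] += 1
        c["bytes"] += int(r["counter bytes long"])
        c["flags"].update(decode_flags(r["tcp flags"]))
    return dict(conns)

if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE)))
```

A connection id with `directions` equal to 1 and only `SYN` in its flags is a flow that never saw a reply, which is a useful filter when reviewing exported flows.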