SDWAN - Cflowd IMPLEMENTATION AND VALIDATION
This is a very important feature that helps us identify traffic and how it is routed from the vEdge. Today I will configure the Cflowd policy with a CLI template and show how to check the traffic.
Cflowd traffic flow monitoring is configured with the Cflowd template option, which includes the location of the Cflowd collector. Monitoring is then enabled through the cflowd action in a data policy.
Cflowd Routing Policy CLI Template Values
For creating any policy in SDWAN we need to first create the LISTS. The order is:
- LISTS
- POLICY
- APPLY POLICY
LISTS CREATION
I have 3 site IDs, which I configured separately. In newer code a combined form like "site-id 100,200,300" may be accepted.
!
lists
 vpn-list vpn_1
  vpn 1
 !
 site-list cflowd-sites
  site-id 100
  site-id 200
  site-id 300
 !
POLICY CREATION
- Created a data policy for Cflowd
- Match traffic based on protocol; you can use any match condition
- For the collector, create a cflowd template; the transport type can be UDP or TCP
policy
 data-policy test-cflowd-policy
  vpn-list vpn_1
   sequence 1
    match
     protocol 6
     protocol 17
     protocol 1
    !
    action accept
     cflowd
    !
   !
   default-action accept
  !
 !
 cflowd-template test-cflowd-template
  flow-inactive-timeout 60
  template-refresh 90
  collector vpn 1 address 1.1.1.20 port 13322
   transport transport_tcp
APPLY POLICY
The last step is to apply this policy to the site-list which we created.
apply-policy
 site-list cflowd-sites
  data-policy test-cflowd-policy
  cflowd-template test-cflowd-template
NOW MAKING CLI TEMPLATE FOR POLICY
Now we need to ACTIVATE this policy.
It will ask for confirmation to activate this policy on the vSmarts. In my lab we have 1 vSmart.
We can see the policy applied successfully.
VALIDATION PART
Now we need to validate whether the policy is applied and working.
vSmart# show running-config apply-policy
apply-policy
 site-list cflowd-sites
  data-policy test-cflowd-policy all
  cflowd-template test-cflowd-template
This shows that the policy is applied on the vSmart. Since this is a data policy, we can also see it on the vEdge itself.
vedge-01# show policy from-vsmart
from-vsmart data-policy test-cflowd-policy
 direction all
 vpn-list vpn_1
  sequence 1
   match
    protocol 1
   action accept
    cflowd
  default-action accept
from-vsmart cflowd-template test-cflowd-template
 flow-active-timeout 600
 flow-inactive-timeout 60
 template-refresh 90
 flow-sampling-interval 1
 collector vpn 1 address 1.1.1.20 port 13322
  transport transport_tcp
from-vsmart lists vpn-list vpn_1
 vpn 1
vedge-01#
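The comparison between what was configured on vSmart and what the vEdge reports can be scripted. The Python below is an added example, not part of the original post: the function names are hypothetical, INTENDED holds the values from the policy configured earlier on this page, and VEDGE_OUTPUT is the page's own `show policy from-vsmart` output re-joined into lines.

```python
import re

# Intended state: the values configured on vSmart earlier on this page.
INTENDED = {
    "protocols": {1, 6, 17}, "cflowd_action": True, "transport": "transport_tcp",
    "collector": ("1", "1.1.1.20", 13322),
    "flow-inactive-timeout": 60, "template-refresh": 90,
}

# `show policy from-vsmart` output from this page, re-joined into lines.
VEDGE_OUTPUT = """\
from-vsmart data-policy test-cflowd-policy
 direction all
 vpn-list vpn_1
  sequence 1
   match
    protocol 1
   action accept
    cflowd
  default-action accept
from-vsmart cflowd-template test-cflowd-template
 flow-active-timeout 600
 flow-inactive-timeout 60
 template-refresh 90
 flow-sampling-interval 1
 collector vpn 1 address 1.1.1.20 port 13322
  transport transport_tcp
"""

def parse_from_vsmart(text):
    """Extract the cflowd-relevant fields from `show policy from-vsmart` text."""
    got = {"protocols": set(), "cflowd_action": bool(re.search(r"^[ \t]*cflowd[ \t]*$", text, re.M))}
    for m in re.finditer(r"^[ \t]*protocol[ \t]+([\d \t]+)$", text, re.M):
        got["protocols"].update(int(p) for p in m.group(1).split())
    m = re.search(r"collector vpn (\S+) address (\S+) port (\d+)", text)
    got["collector"] = (m.group(1), m.group(2), int(m.group(3))) if m else None
    m = re.search(r"^[ \t]*transport[ \t]+(\S+)", text, re.M)
    got["transport"] = m.group(1) if m else None
    for key in ("flow-inactive-timeout", "template-refresh"):
        m = re.search(rf"^[ \t]*{key}[ \t]+(\d+)", text, re.M)
        got[key] = int(m.group(1)) if m else None
    return got

def drift(intended, got):
    """Return {field: (intended, received)} for every field that differs."""
    return {k: (v, got.get(k)) for k, v in intended.items() if got.get(k) != v}

if __name__ == "__main__":
    print(drift(INTENDED, parse_from_vsmart(VEDGE_OUTPUT)))
```

Run against the page's own output, it reports one difference: the configured match lists protocols 6, 17 and 1, while the vEdge shows only protocol 1.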
Now we validate the Cflowd results for traffic
vedge-01# show app cflowd flows | tab
                                                          TCP                                                                           TIME    EGRESS  INGRESS
                                 SRC   DEST        IP     CNTRL  ICMP                  TOTAL  TOTAL  MIN  MAX                           TO      INTF    INTF     APP
VPN  SRC IP        DEST IP       PORT  PORT  DSCP  PROTO  BITS   OPCODE  NHOP IP       PKTS   BYTES  LEN  LEN  START TIME               EXPIRE  NAME    NAME     ID
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
1    10.4.251.1    10.160.10.10  0     0     0     1      0      2048    10.160.10.10  2      168    84   84   Sat Jul 8 05:52:26 2023  59      ge0/3   ge0/0    0
1    10.160.10.10  10.4.251.1    0     0     0     1      0      0       10.1.1.60     2      196    98   98   Sat Jul 8 05:52:26 2023  59      ge0/0   ge0/3    0
You can see the incoming and outgoing traffic in VPN 1. During troubleshooting, this helps to identify whether traffic is reaching the vEdge or not.