Configuring flow groups
About flow groups
A flow group allows you to identify flows based on flow generation rules. The device extracts traffic characteristics (for example, 5-tuples in the packet header) and generates flow entries according to the header fields specified in a flow generation rule.
A flow group can use an ACL to limit the traffic for which flow entries are generated. A flow entry is aged out if no matching packets are received before the aging timer expires.
Figure 1 Flow entry generation
The flow entries generated by a flow group can be used by other features. A flow group can be in one of the following modes:
· Common MOD mode—Used by MOD. This mode occupies hardware resources but has a lower burden on the CPU. For more information about MOD, see Telemetry Configuration Guide.
· Simple MOD mode—Used by MOD. This mode has a higher burden on the CPU but saves hardware resources.
· Delay monitoring mode—Generates flow entries when a packet exceeds the delay threshold and reports the event through gRPC. To use this mode, you must configure the gRPC dial-out mode and specify sensor path telemetryftrace/genevent in a sensor group. For more information about gRPC, see Telemetry Configuration Guide.
· Common MOD+delay monitoring mode—Provides basic data for MOD and monitors delay threshold violation events. To use this mode, you must configure both MOD and the gRPC dial-out mode, and specify sensor path telemetryftrace/genevent in a sensor group.
Restrictions and guidelines: Flow group configuration
A flow group can reference only one ACL.
Because a flow can belong to only one flow group, make sure the same flow is not assigned to more than one flow group when specifying ACLs. For information about ACLs, see ACL and QoS Configuration Guide.
To delete an applied flow group, first remove the application and then delete the flow group.
Only one flow group can be applied.
Do not use a flow group to monitor VXLAN packets whose outer destination port number is 4789 or 6081. The flow entries generated for such packets do not contain the correct source and destination port numbers.
The traffic statistics for a Layer 3 Ethernet interface or Layer 3 aggregate interface in the flow table include the traffic statistics for its subinterfaces.
Procedure
1. Enter system view.
system-view
2. Create a flow group and enter its view.
telemetry flow-group group-id [ name group-name ] [ mode { delay-monitor | mod-delay-monitor | simple-mod } ]
3. Specify an ACL.
if-match acl [ ipv6 | mac | user-defined ] { acl-number | name acl-name }
By default, no ACL is specified.
4. Configure the header fields used for generating flow entries.
template { destination-ip | destination-port | protocol | source-ip | source-port | vxlan { inner-destination-ip | inner-destination-port | inner-protocol | inner-source-ip | inner-source-port | vxlan-id } * } *
By default, no header fields are used for generating flow entries.
If an IPv4 ACL has been specified for the flow group, only the destination-ip, source-ip, inner-destination-ip, inner-source-ip, and vxlan-id keywords in this command can be configured. The inner-destination-ip keyword represents the inner destination IP address of VXLAN packets. The inner-source-ip keyword represents the inner source IP address of VXLAN packets. The vxlan-id keyword represents the VXLAN ID of VXLAN packets.
5. Return to system view.
quit
6. (Optional.) Set the aging time for flow entries.
telemetry flow-group aging-time aging-time
The default setting is 15 minutes.
7. (Optional.) Set the maximum number of flow entries generated.
telemetry flow-group max-entry max-entries
By default, the number of flow entries is not limited.
8. (Optional.) Set the packet forwarding delay threshold.
telemetry flow-group delay-threshold threshold
By default, the packet forwarding delay threshold is not set, and all packets are monitored. If you have configured the delay monitoring mode or common MOD+delay monitoring mode, flow entries are generated for all matching packets.
This command takes effect only for the delay monitoring mode and the common MOD+delay monitoring mode.
9. Apply the flow group.
telemetry apply flow-group { group-id | name group-name }
By default, no flow group is applied.
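A pre-deployment check for the restrictions and procedure above, as an added example that is not part of the original guide: it reads a planned command sequence and reports where it conflicts with the one-ACL, one-applied-group, IPv4-ACL template and delay-threshold rules. The names `lint` and `SAMPLE` are hypothetical, the sample commands are constructed, and the script assumes that an `if-match acl` line without a type keyword is an IPv4 ACL and that a group created without a `mode` keyword is in common MOD mode.

```python
import re
# Limits stated on this page. Assumption: no type keyword after "acl" means IPv4.
IPV4_ACL_FIELDS = {"destination-ip", "source-ip", "inner-destination-ip",
                   "inner-source-ip", "vxlan-id"}
DELAY_MODES = {"delay-monitor", "mod-delay-monitor"}
GROUP_RE = re.compile(r"telemetry flow-group (\d+)(?: name (\S+))?(?: mode (\S+))?$")
# Constructed command sequence (not from a real device); it breaks four rules.
SAMPLE = """\
telemetry flow-group 1 name web mode simple-mod
 if-match acl 3000
 template source-ip destination-ip source-port
 quit
telemetry flow-group 2 mode delay-monitor
 if-match acl ipv6 3001
 if-match acl mac 4000
 template source-ip destination-ip protocol
 quit
telemetry flow-group delay-threshold 100
telemetry apply flow-group name web
telemetry apply flow-group 2
"""

def lint(config):
    groups, applied, cur, out = {}, [], None, []
    threshold = "telemetry flow-group delay-threshold " in config
    for line in map(str.strip, config.splitlines()):
        words, m = line.split(), GROUP_RE.match(line)
        if m:  # enter (or re-enter) a flow group view
            cur = groups.setdefault(m.group(1), {"name": m.group(2),
                  "mode": m.group(3), "acls": [], "fields": set()})
        elif cur and line.startswith("if-match acl "):
            cur["acls"].append(words[2] if words[2] in ("ipv6", "mac", "user-defined") else "ipv4")
        elif cur and line.startswith("template "):
            cur["fields"].update(w for w in words[1:] if w != "vxlan")
        elif line.startswith("telemetry apply flow-group "):
            ref = words[-1]
            by_name = [g for g, v in groups.items() if v["name"] == ref]
            applied.append(by_name[0] if words[3] == "name" and by_name else ref)
    for gid, g in groups.items():
        if len(g["acls"]) > 1:
            out.append(f"group {gid}: {len(g['acls'])} ACLs referenced, only one allowed")
        bad = sorted(g["fields"] - IPV4_ACL_FIELDS)
        if "ipv4" in g["acls"] and bad:
            out.append(f"group {gid}: IPv4 ACL does not permit template fields {bad}")
    if len(applied) > 1:
        out.append(f"{len(applied)} flow groups applied, only one allowed")
    out += [f"group {g}: delay-threshold has no effect in this mode" for g in applied
            if threshold and g in groups and groups[g]["mode"] not in DELAY_MODES]
    return out
```

Calling `lint(SAMPLE)` returns four findings; a sequence that follows the procedure with a single ACL, a permitted template and one applied group returns an empty list.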
Display and maintenance commands for flow group
Execute display commands in any view.
Task: Display the configuration and application status of flow groups.
Command: display telemetry flow-group [ group-id | name group-name ] [ slot slot-number ]
Task: Display flow entries.
Command: display telemetry flow-group flow-table [ [ group-id | name group-name ] | delay-monitor | mod ] [ destination-ip { dst-ipv4 | dst-ipv6 } | destination-port dst-port | protocol protocol | source-ip { src-ipv4 | src-ipv6 } | source-port src-port | vxlan [ inner-destination-ip { dst-ipv4 | dst-ipv6 } | inner-destination-port dst-port | inner-protocol protocol | inner-source-ip { src-ipv4 | src-ipv6 } | inner-source-port src-port | vxlan-id vxlan-id ] * ] * { slot slot-number }