06-06-2020 06:47 AM
Hello All,
How can we check real-time traffic logs between hosts in ACI, just like we can in Catalyst switches by enabling NetFlow on an SVI interface, adding ACL log input on an SVI interface, or using monitor captures?
Appreciate your help on this.
06-06-2020 11:44 PM
Hi @dseth
If you are looking for exporting netflow records, you can do that in ACI as well. Here are a couple of references:
https://www.youtube.com/watch?v=6Yl_GelaS7g + https://www.youtube.com/watch?v=LQCZdf9Sux0
A better alternative to traditional monitoring using NetFlow by itself is telemetry. You can check Network Insights Resources (NIR), which gives more than flow monitoring:
● Event analytics: This is software telemetry that leverages audit logs and events and faults data from the Cisco ACI fabric.
● Resource utilization: This is useful for capacity planning because it offers early detection of resources that are exceeding capacity thresholds.
● Environmental: Identifies anomalies by observing parameters such as CPU, memory, temperature, power draw, fan speed, etc.
● Flow analytics: Helps identify, locate and root-cause data path issues such as latency and packet drop for specific flows.
Hope it helps,
Sergiu
06-08-2020 07:02 PM
Thank you Sergiu for the quick response.
I think the options that you suggested are not supported on 9k Gen1 switches, and we have Gen1 switches in our infra. So can you advise on options provisioned in Gen1 switches, if any?
Thanks!
06-12-2020 01:45 AM
Since you have Gen-1 hardware, I'm afraid the choices are limited.
I have some thoughts...but I will add this disclaimer that everything I suggest is either only a partial answer, or an annoying workaround. But I suppose some info is better than no info.
1. In the Operations Tab >> Visibility and Troubleshooting in APIC, you could enter source and destination EPs and look at all the resulting output, like logs, contract hits, faults, events, atomic counters, etc. This tool is limited in that it only shows you an analysis of one source IP to one destination IP (and vice versa). Which leads me to option 2, as it is related...
2. In the V&T tool one of the choices is SPAN...which is actually a very easy way to tell the fabric to capture traffic from anywhere in the fabric and send it to some other EP in the fabric (or outside the fabric). This is effectively ERSPAN, and the tool makes it super easy to set up. Same limits here in that you are sending the traffic of one set of EPs. Yes, it is possible to use SPAN/ERSPAN outside this tool to capture using more and broader options. I get that spanning traffic may not be what you asked about....
3. You do have the ability to log contract deny or contract allow messages. These messages will tell you a lot of info, like IP/MAC, VRF, ports used. The limit here is that we cap the number of logs to 500/second, so it is a limited tool that you enable/disable when you need it for most use cases. You can see these logs of permit or deny (or both) in the System > Events window. Note, to see these logs you do need to do some basic configuration. They are not on by default.
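Option 3 above produces permit/deny records that are only as complete as the 500-logs-per-second cap allows. The following is an added example (not code from any poster in this thread) that parses a constructed batch of contract-log records, summarizes them per flow, and flags any one-second window that reached the cap, since records beyond it may be missing. The JSON shape and attribute names (srcIp, dstIp, dstPort, protocol, vrfName, timeStamp) are assumed for illustration and should be checked against your own APIC output.

```python
import json
from collections import Counter

# Contract logs are capped at 500/s (per the thread); a second that reaches the
# cap may have lost further records, so flag it rather than trust the count.
LOG_CAP_PER_SECOND = 500

def _rec(cls, src, dst, dport, ts):
    # Build one constructed record in the {"<class>": {"attributes": {...}}}
    # shape an APIC class query returns; attribute names here are assumed.
    return {cls: {"attributes": {"srcIp": src, "dstIp": dst, "protocol": "tcp",
                                 "dstPort": str(dport), "vrfName": "prod",
                                 "timeStamp": ts}}}

# Constructed sample input: three denies, one permit, and a 500-record burst
# that hits the cap inside a single second.
SAMPLE = json.dumps({"imdata":
    [_rec("acllogDropL3Flow", "10.1.1.10", "10.2.2.20", 445, "2020-06-12T01:45:00.100")
     for _ in range(3)]
    + [_rec("acllogPermitL3Flow", "10.1.1.10", "10.2.2.20", 443, "2020-06-12T01:45:00.200")]
    + [_rec("acllogDropL3Flow", "10.1.1.99", "10.2.2.20", 3389,
            "2020-06-12T01:45:07.%03d" % (i % 1000)) for i in range(500)]})

def parse_contract_logs(raw):
    """Flatten APIC-style JSON into dicts with an explicit permit/deny action."""
    flows = []
    for entry in json.loads(raw)["imdata"]:
        (cls, body), = entry.items()          # each entry holds exactly one class
        a = body["attributes"]
        flows.append({"action": "deny" if "Drop" in cls else "permit",
                      "vrf": a["vrfName"], "src": a["srcIp"], "dst": a["dstIp"],
                      "proto": a["protocol"], "dport": a["dstPort"],
                      "ts": a["timeStamp"]})
    return flows

def summarize(flows):
    """Count hits per (action, vrf, src, dst, proto, dport)."""
    return Counter((f["action"], f["vrf"], f["src"], f["dst"], f["proto"], f["dport"])
                   for f in flows)

def saturated_seconds(flows, cap=LOG_CAP_PER_SECOND):
    """Seconds whose record count reached the cap: treat those as incomplete."""
    per_sec = Counter(f["ts"][:19] for f in flows)   # truncate to whole seconds
    return sorted(s for s, n in per_sec.items() if n >= cap)

if __name__ == "__main__":
    flows = parse_contract_logs(SAMPLE)
    for key, n in summarize(flows).most_common():
        print(n, *key)
    print("saturated seconds:", saturated_seconds(flows))
```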
06-16-2020 08:16 AM
Appreciate your swift response @joezersk, it is very helpful.
Seems option 2 would be better to get the traffic logs in detail. We will get SPAN enabled on the fabric and will arrange a server to send the logs to.
It would be great if you can share some links to enable SPAN on fabric for Gen-1 switches.
Thank you for your support!!