The below are configuration samples followed by explanations of what the command does. This sample is for reference only, actual ports, addresses will need to be specific for the customer environment.
The first section of configuration we will tackle is the Netflow configuration. Without this, there is no data that will be analyzed by the appliance.
set netflow export-interval 1
set netflow export-destination 10.0.0.220 2055
set netflow export-version 9
set netflow port tg.1.1-2 enable rx
set netflow template refresh-rate 30 timeout 1
set netflow cache enable
So for the above configuration, The 10.0.0.220 is the destination IP of the flow collector.
The ports it collects netflow from are tg.1.1-2. These uplinks in the network or are actually ports that are being mirrored two from other products. We use the rx attribute so we do not expect any reverse data flow going up those ports we wish to report on.
If no netflow data is being seen at this point on the collector, use the following command
set ip interface vlan.0.x default
The vlan.0.x should be a connected vlan on the box, either the default vlan used for an IP, or any routed interface that is active.
In order to get actual flows generated on ports tg.1.1-2 we need a policy configuration made to scan for the data in the packets. It needs to include two ports as it scans only on the inbound or RX part of the data. If a remote device is mirroring two-way traffic to the flow collector, then only one port is needed.
set policy profile 1 name Application pvid-status enable pvid 4095 mirror-destination 1
set policy rule admin-profile port tg.1.1-2 mask 16 port-string tg.1.1-2 admin-pid 1
In the above, pvid 4095 will be used if you wish to pass traffic back and forth on those uplinks. Use pvid 0 if you wish to drop this traffic.
For the PV-FC-180, that should always be the case for the collecting ports. Be mindful of this command a pvid 0 policy done incorrectly can bring a network down.
If using Link Aggregation ports please include those port strings as ports with the policy applied to them.
Next we need to use a physical port on the switch to forward mirror traffic to. We will use ge.1.3. If the mirror destination port is linked physically directly to eth1 on the Purview appliance than hook them up as such. If a GRE tunnel is going to be used, then ge.1.3 will remain physically unplugged, but used for configuration purposes. For more on this review this article:Mirror Port in GRE Tunnel setup does not work.
set mirror create 1
set mirror 1 mirrorN 15
set mirror ports ge.1.3 1
Further IF we use a GRE tunnel, we will need to hard-set speed and duplex on the port (if it is not a 10g or tg.x.x port). Otherwise, the previous section is all you need to proceed. (also see notes below if using a PV-FC-180 device)
set port duplex ge.1.1-3 full
set port speed ge.1.1-3 1000
If Using a Fiber Port (the dummy Port, where no cable is connected) for the Mirroring, make sure the GBIC is inserted.
Now we need to configure from the routing portion to include a loopack or standard interface (such as vlan.0.1) and tun.0.1 to represent the GRE tunnel. On the Purview appliance, use the loopback IP address specified below, not any other management IP address for the remote device. Make sure your routing interface (vlan.0.x or loop.0.x, does not have 'no ip forwarding and no proxy arp'. This will keep the gre burn port, such as ge.1.3 , from becoming operation via the 'show port status ge.1.3' command.
ip address 10.10.10.1 255.255.255.255 primary
tunnel destination 10.0.0.220
tunnel mode gre l2 ge.1.3
tunnel mirror enable
tunnel source 10.10.10.1
Where the GRE tunnel may traverse the network, make sure the Jumbo frames are enabled. For most EOS based switches, set port jumbo enable x.x.x
We need this since GRE takes full size ethernet frames (default MTU of 1500) and then encapsulates it from there. Making them too large without jumbo frames enabled.