Using sFlow data, Flow Optimizer supports detailed traffic visibility and many actions (such as drop, meter, redirect or remark) on selected traffic flows for Brocade platforms. As we’ve discussed before, the Flow Optimizer 2.0 release supports many new platforms and use cases.
SLX (9850, 9540, 9240 and 9140) Visibility and Actions
Note: The document also discusses scale enhancements in 2.0, and methods for handling large numbers of flows.
VDX Visibility and Actions
Using StackStorm, Flow Optimizer 2.0 supports flow visibility and drop actions on VDX platforms. StackStorm performs these drop actions by executing workflow-based access lists from the Network Essentials automation suite on VDX (Figure 1).
Figure 1: VDX Visibility and Actions with Flow Optimizer 2.0
Sampled flows are sent to Flow Optimizer (1), and user-defined flows (2) are directed to StackStorm, which takes the specified actions (3) through a Netconf interface (4). Currently, VDX 6940 and VDX 6740 platforms are supported, and Flow Optimizer can listen to VDX-based IP or VCS fabrics.
New Support on SLX Routers and Switches
Flow Optimizer 2.0 supports visibility and the ability to rearrange and optimize flows on SLX 9850 and 9540. Profiles can be set at Layers 2-4.
Flow Optimizer on SLX devices also supports extended VXLAN headers, allowing users to fully understand and control traffic through VXLAN tunnels across data centers (Figure 2).
Figure 2: VXLAN Tunnel
For any L2/L3 traffic passing through a VXLAN tunnel, extended egress headers are added to the sFlow sample for Layer 2, IPv4 and the VXLAN network identifier (VNI). There is also an extended decapsulate egress header to indicate the end of a tunnel. Being able to interrogate and act on these headers allows flows to be isolated more flexibly before an action is applied.
Finally, there is now visibility and monitoring support on SLX 9240 and 9140.
IP address blacklisting lets you specify a list of source IP addresses that are mitigated by Flow Optimizer immediately upon detection, regardless of profile matching. Blacklisting is supported on MLX and SLX platforms through the OpenDaylight SDN controller and on the VDX platform through Workflow Composer automation suites (Figure 3).
Figure 3: IP Blacklisting Overview
The blacklist can be configured by providing a predefined set of IP addresses. You can provide an IPv6 address with an arbitrary bitmask in the source and destination fields of Layer 3 network attributes.
Flows are received (1) and matched against the specified list (2). If there is a match, the flow is mitigated (3), with the change pushed either through OpenFlow or via an access list applied by StackStorm (4).
When a flow with the blacklisted source IP address is detected, Flow Optimizer immediately creates a DROP OpenFlow rule to block the matching traffic.
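The matching and mitigation steps above, as an added illustration that is not Flow Optimizer's own code: sampled flows are checked against a source-IP blacklist whose entries carry arbitrary prefix lengths (IPv4 or IPv6), and each first match produces an OpenFlow-style DROP rule keyed on the matching blacklist entry. The blacklist, flow samples and rule dictionary layout are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed blacklist: IPv4 and IPv6 entries with arbitrary prefix lengths.
BLACKLIST = [ip_network(e) for e in ("203.0.113.0/24", "2001:db8:bad::/48", "198.51.100.7/32")]


@dataclass(frozen=True)
class FlowSample:
    """Minimal view of one decoded sFlow sample (Layer 3/4 fields only)."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


def blacklisted(src_ip):
    """Return the blacklist entry covering src_ip, or None (step 2)."""
    addr = ip_address(src_ip)
    for net in BLACKLIST:
        if addr.version == net.version and addr in net:
            return net
    return None


def drop_rule(net):
    """Build an OpenFlow 1.3-style DROP rule for the matched source prefix (step 3).

    An empty action list is how OpenFlow expresses 'drop'; eth_type selects the
    IPv4 (0x0800) or IPv6 (0x86DD) match field. Priority is a constructed value.
    """
    field = "ipv4_src" if net.version == 4 else "ipv6_src"
    eth_type = 0x0800 if net.version == 4 else 0x86DD
    return {"priority": 65000, "match": {"eth_type": eth_type, field: str(net)}, "actions": []}


def process(samples):
    """Mitigate every blacklisted source immediately, regardless of profile matching."""
    rules = {}
    for sample in samples:
        net = blacklisted(sample.src_ip)
        if net is not None and str(net) not in rules:  # one rule per blacklist entry
            rules[str(net)] = drop_rule(net)
    return rules


if __name__ == "__main__":
    demo = [FlowSample("203.0.113.45", "10.0.0.1", 6, 40000, 443),
            FlowSample("2001:db8:bad:1::9", "2001:db8::1", 17, 5000, 53),
            FlowSample("192.0.2.1", "10.0.0.2", 6, 1024, 80)]
    for key, rule in process(demo).items():
        print(key, rule)
```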
Details on configuring and using the blacklisting feature are available in the use case document.