Solved: Re: How to find flows in VRNI that are or are not ...

vmmedmed · ‎06-25-2019

I tried to make a query where Destination IP matched 10.* or did not match 10.*. This

failed as there was only an = or != following Destination IP. For a microsegmentation

project I'm trying narrow the number of flows that get exported by, for example,

excluding all flows from a particular Security Group to the Internet.I'm just interested

flows internal to the company. Is there a way that I could filter based on IP range?

vmmedmed · ‎06-26-2019

With some more experimenting this morning I found the answer:

For internal private traffic:

flow where Destination IP Address = 10.0.0.0/8 or Destination IP Address = 172.16.0.0/12 or Destination IP Address = 192.168.0.0/16

For Internet bound traffic it looks like:

flow where Destination IP Address != 10.0.0.0/8 and Destination IP Address != 172.16.0.0/12 and Destination IP Address != 192.168.0.0/16

This will result also in showing multicast traffic. But that could then be filtered in like fashion or kept as needed.

..and now I know.

vmmedmed · ‎06-26-2019

With some more experimenting this morning I found the answer:

For internal private traffic:

flow where Destination IP Address = 10.0.0.0/8 or Destination IP Address = 172.16.0.0/12 or Destination IP Address = 192.168.0.0/16

For Internet bound traffic it looks like:

flow where Destination IP Address != 10.0.0.0/8 and Destination IP Address != 172.16.0.0/12 and Destination IP Address != 192.168.0.0/16

This will result also in showing multicast traffic. But that could then be filtered in like fashion or kept as needed.

..and now I know.

tmichaeli · ‎07-09-2019

For Internet flows, would following query be more easier?

flow where Flow Type = 'Destination is Internet'

for RFC

flow where Flow Type = 'Switched' or Flow Type = 'Routed'

How to find flows in VRNI that are or are not RFC1918?