Configuring Flow UDF Rules

Using this command, users can configure a rule to match specific bytes in the ingress packet based on user given offset to permit or deny these packets.

  • Offset for L3 packet starts from IP header in the packet

  • offset for L2 packet starts from EtherType in the packet

Before configuring flow rules, Network and Tool ports must be configured

This feature is supported only on NVIDIA spectrum-2/3 platforms

UDF and GTP can not be configured together on a device

Reference

Command

rule ((deny | permit) [description ] [udf-data udf-extraction-group (l2 | l3 [udf-extraction-point ]) udf-offset ] [counters (enable | disable )]

no rule <ruleid>

Description

Rule configuration

Parameters

  • ruleid: It should be in the range 1 to 6000

  • description: max 50 characters

  • udf-data: data bytes that need to be matched with the incoming packet (20 bytes for SPC 2 & 3, and 16 bytes for SPC1)

  • udf-extraction-group:

    • l2 - match from l2 header ethertype field

    • l3 - match from start of IPV4 or IPV6 header

  • udf-extraction point: (applies for only l3 extraction point) set extraction point from start of IPV4 or IPV6 header

  • udf-offset: offset from which bytes will be monitored from extraction point

  • counters: can be enabled or disabled

Mode

FLOW

Example

pbnoscli# configure terminal 
pbnoscli(config)# flow flow01
pbnoscli(config-flow-flow01)# 
  !                     Exit from the current prompt
  description           Configure description for flow
  enable                Enable the flow
  end                   Exit to exec prompt
  exit                  Exit from the current prompt
  network-ports         Configure network or TAP ports
  no                    no form
  pop-vlan              Pop Vlan Tag
  push-vlan-tag         Push VLAN tag
  rule                  Configure rule
  show                  Show commands
  tool-ports            Configure network tool or analyzer ports
  top                   Exit to the configuration prompt
pbnoscli(config-flow-flow01)# rule 1 permit description "UDF" udf-data 0xb166 udf-extraction-group l2 udf-offset 2 counters enable
pbnoscli(config-flow-flow01)# rule 2 permit description "UDF" udf-data 0x4500 udf-extraction-group l3 udf-extraction-point ipv4 udf-offset 0 counters enable 
pbnoscli(config-flow-flow01)# end

You can verify the configuration by using the command(s) below:

PreviousConfiguring Flow Match Expression RulesNextConfiguring Push/Pop VLAN

Last updated