Using this command, users can configure a rule that matches specific bytes in an ingress packet at a user-given offset, to permit or deny the matching packets.
For L3 packets, the offset starts from the IP header in the packet.
For L2 packets, the offset starts from the EtherType in the packet.
Network and Tool ports must be configured before configuring flow rules.
This feature is supported only on NVIDIA Spectrum-2/3 platforms.
UDF and GTP cannot be configured together on a device.
udf-data: data bytes to be matched against the incoming packet (20 bytes for SPC 2 & 3, and 16 bytes for SPC1)
udf-extraction-group:
l2 - match from the L2 header EtherType field
l3 - match from the start of the IPv4 or IPv6 header
udf-extraction-point: (applies only to l3 extraction) sets the extraction point to the start of the IPv4 or IPv6 header
udf-offset: offset from the extraction point at which the bytes are matched
counters: can be enabled or disabled
Mode
FLOW
Example
pbnoscli# configure terminal
pbnoscli(config)# flow flow01
pbnoscli(config-flow-flow01)#
! Exit from the current prompt
description Configure description for flow
enable Enable the flow
end Exit to exec prompt
exit Exit from the current prompt
network-ports Configure network or TAP ports
no no form
pop-vlan Pop Vlan Tag
push-vlan-tag Push VLAN tag
rule Configure rule
show Show commands
tool-ports Configure network tool or analyzer ports
top Exit to the configuration prompt
pbnoscli(config-flow-flow01)# rule 1 permit description "UDF" udf-data 0xb166 udf-extraction-group l2 udf-offset 2 counters enable
pbnoscli(config-flow-flow01)# rule 2 permit description "UDF" udf-data 0x4500 udf-extraction-group l3 udf-extraction-point ipv4 udf-offset 0 counters enable
pbnoscli(config-flow-flow01)# end
You can verify the configuration by using the command(s) below:
pbnoscli# show flow all
===================================
Flow : flow01 (CLI)
===================================
Status : enable
Network-Port : Ethernet1/1
Tool-Port : Ethernet2/1
Rule : 1
++++++++++++++++++++++++++++++++++
Action : permit
Description : UDF
UDF Data : 0xb166
UDF Extraction Group : l2
UDF Offset : 2
Counters : enable
Rule : 2
++++++++++++++++++++++++++++++++++
Action : permit
Description : UDF
UDF Data : 0x4500
UDF Extraction Group : l3
UDF Extraction Point : ipv4
UDF Offset : 0
Counters : enable
pbnoscli#
pbnoscli# show flow counters all
Flow-Name     Rule-Id     ASIC-Stat-Id     Counter-Value
=============================================================
flow01        2           98304            503378220
flow01        DropRule    73728            4390145
flow01        1           90112            2270112825
pbnoscli#
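The following Python model of the offset semantics described above shows which packet bytes rule 1 and rule 2 actually compare. It is an added example, not vendor code; the untagged Ethernet II layout, the EtherType check for the ipv4 extraction point, and the names udf_match and eth are assumptions made for illustration.

```python
# Added illustration, not vendor code. Assumptions: untagged Ethernet II
# frames (EtherType at byte 12, IP header at byte 14), and an l3 rule only
# applies when the EtherType agrees with the chosen extraction point.
import struct
from typing import Optional

ETHERTYPE_AT = 12
ETHERTYPES = {"ipv4": 0x0800, "ipv6": 0x86DD}


def udf_match(frame: bytes, udf_data: str, group: str, offset: int,
              extraction_point: Optional[str] = None) -> bool:
    """Return True if udf_data appears in frame at the rule's offset."""
    hexstr = udf_data[2:] if udf_data.lower().startswith("0x") else udf_data
    pattern = bytes.fromhex(hexstr)
    if len(frame) < ETHERTYPE_AT + 2:
        return False  # too short to carry an EtherType
    (ethertype,) = struct.unpack_from("!H", frame, ETHERTYPE_AT)
    if group == "l2":
        base = ETHERTYPE_AT            # offset 0 is the EtherType itself
    elif group == "l3":
        if ETHERTYPES.get(extraction_point) != ethertype:
            return False
        base = ETHERTYPE_AT + 2        # offset 0 is the first IP header byte
    else:
        raise ValueError("udf-extraction-group must be l2 or l3")
    start = base + offset
    # A frame that ends before the pattern does yields a short slice: no match.
    return frame[start:start + len(pattern)] == pattern


def eth(ethertype: int, payload: bytes) -> bytes:
    """Build a constructed test frame with zeroed MAC addresses."""
    return bytes(12) + struct.pack("!H", ethertype) + payload


# Constructed sample frames (not captured traffic).
IPV4_PLAIN = eth(0x0800, bytes.fromhex("45000014") + bytes(16))
IPV4_DSCP = eth(0x0800, bytes.fromhex("45b80014") + bytes(16))  # DSCP EF
CUSTOM_L2 = eth(0x88B5, bytes.fromhex("b166") + bytes(44))

if __name__ == "__main__":
    for name, f in [("plain", IPV4_PLAIN), ("dscp", IPV4_DSCP), ("l2", CUSTOM_L2)]:
        r1 = udf_match(f, "0xb166", "l2", 2)
        r2 = udf_match(f, "0x4500", "l3", 0, "ipv4")
        print(f"{name}: rule1={r1} rule2={r2}")
```

In this model, rule 2 does not match IPv4 packets with a non-zero DSCP/ECN byte or with IP options, because 0x4500 fixes both of the first two header bytes.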