Configuring Flow Rules (Broadcom)
Broadcom ASIC
You can configure a rule with certain qualifiers to aggregate and filter traffic from network port(s) to tool port(s) for monitoring.
Reference
Command
rule <ruleid> [ipv6] (deny | permit) [description <cstring>] ([ethertype <etype>] [vlan <vid>] [src-ip (<ipv4> | <ipv6> src-netmask <ipv6>)] [dest-ip (<ipv4> | <ipv6> dest-netmask <ipv6>)] [protocol (tcp | udp | <ptype>)] [l4portsrc <sport>] [l4portdst <dport>] [tosval <sval>] [dscp <dval>] [ttl <tval>] [tcpctl <flags> tcpctlmask <tcpmask>] | match_all [ipv6]) [counters (enable | disable)]
no rule <ruleid>
Description
Rule configuration
Parameters
ruleid: rule identifier, in the range 1 to 6000
ipv6: marks the rule as an IPv6 rule
description: free text, max 50 characters, enclosed in double quotes
ethertype: hexadecimal value prefixed with 0x, max 4 hex digits (e.g. 0x800, 0x8100)
vlan: VLAN ID, 2 to 4094
src-ip: source IP address (IPv4 in prefix notation, or an IPv6 address followed by src-netmask)
dest-ip: destination IP address (IPv4 in prefix notation, or an IPv6 address followed by dest-netmask)
protocol: IP protocol (tcp, udp, or a protocol number)
l4portsrc: L4 source port for TCP or UDP
l4portdst: L4 destination port for TCP or UDP
tosval: Type of Service value
dscp: Differentiated Services Code Point
ttl: Time-to-live
tcpctl: TCP control flags, qualified by tcpctlmask
Mode
FLOW
Example
pbnoscli# configure terminal
pbnoscli(config)# flow flow01
pbnoscli(config-flow-flow01)#
! Exit from the current prompt
description Configure description for flow
enable Enable the flow
end Exit to exec prompt
exit Exit from the current prompt
network-ports Configure network or TAP ports
no no form
rule Configure rule
show Show commands
tool-ports Configure network tool or analyzer ports
top Exit to the configuration prompt
pbnoscli(config-flow-flow01)# rule 1
action Add rule specific action
deny Deny traffic
ipv6 IPv6 Rule
permit Permit traffic
pbnoscli(config-flow-flow01)# rule 1 ipv6
deny Deny traffic
permit Permit traffic
pbnoscli(config-flow-flow01)# rule 1 ipv6
pbnoscli(config-flow-flow01)# rule 1 permit
<cr>
counters Enable counters
description Add description within double quotes
dest-ip Destination IP address
dscp Differentiated services code point
ethertype ethernet type, 0x800, 0x8100
l4portdst L4 destination port
l4portsrc L4 source port
match-all Match all
protocol IP protocol
src-ip Source IP address
tcpctl TCP Control Flags
tosval Type of Service
ttl Time-to-live
vlan Vlan Identifier
pbnoscli(config-flow-flow01)# rule 1 permit src-ip 10.10.0.0/24 dest-ip 20.0.20.0/24 counters enable
// To remove a rule
pbnoscli(config-flow-flow01)# no rule 1
pbnoscli(config-flow-flow01)#
You can verify the configuration by using the command(s) below:
pbnoscli# show flow summary
Flow-Name Rule-Id Status Counter-Value
=========================================================
flow01 1 Active 1671
pbnoscli# show flow flow01
===================================
Flow : flow01 (CLI)
===================================
Status : enable
Network-Port : Ethernet1/1,Ethernet2/1
Tool-Port : port-channel1,Ethernet8/1
Rule : 1
++++++++++++++++++++++++++++++++++
Action : permit
Source IP : 10.10.0.0
Source Mask : 255.255.255.0
Destination IP : 20.0.20.0
Destination Mask : 255.255.255.0
Counters : enable
pbnoscli#
// Configuring IPv4 rules
pbnoscli# show running-config
configure terminal
port-channel 1 ports Ethernet63/1,Ethernet64/1
!
interface ethernet Ethernet1/1
forward-error-correction rs
type network
!
interface ethernet Ethernet2/1
forward-error-correction rs
type network
!
interface mgmt
ip address 10.4.4.53/23 gateway 10.4.4.1
!
flow flow01
description "--Flow Description--"
network-ports Ethernet1/1,Ethernet2/1
tool-ports port-channel1,Ethernet8/1
rule 1 permit src-ip 10.10.0.0/24 dest-ip 20.0.20.0/24 counters enable
!
pbnoscli#
// Configuring IPv6 rules
pbnoscli# show running-config
configure terminal
port-channel 1 ports Ethernet63/1,Ethernet64/1
!
interface ethernet Ethernet1/1
forward-error-correction rs
type network
!
interface ethernet Ethernet2/1
forward-error-correction rs
type network
!
interface mgmt
ip address 10.4.4.53/23 gateway 10.4.4.1
!
flow flow01
description "--Flow Description--"
network-ports Ethernet1/1,Ethernet2/1
tool-ports port-channel1,Ethernet8/1
rule 1 ipv6 permit src-ip 2401::1 src-netmask f::f dest-ip 2401::2 dest-netmask f::f counters enable
!
pbnoscli#
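The constraints listed under Parameters and the two rule lines in the IPv4 and IPv6 running-configs above can be checked before anything is pasted into the config-flow prompt. The following is an added example, not PicOS or pbnoscli code: a small Python builder that enforces the documented ranges (ruleid 1-6000, VLAN 2-4094, ethertype 0x plus at most 4 hex digits, 50-character description, IPv6 rules taking an explicit src-netmask/dest-netmask) and renders the exact command text; the port range 0-65535 and the rule that l4portsrc/l4portdst need protocol tcp or udp are the author's assumptions from the parameter descriptions.

```python
import ipaddress
# Added example, not PicOS/pbnoscli code: render a `rule ...` line for the
# config-flow prompt while enforcing the constraints the reference documents.
HEX = set("0123456789abcdefABCDEF")
def _check(cond, msg):
    if not cond:
        raise ValueError(msg)
def _endpoint(key, value, ipv6):
    # IPv4 rules take 'a.b.c.d/len'; IPv6 rules take an (address, netmask) pair.
    if ipv6:
        addr, mask = value
        ipaddress.IPv6Address(addr), ipaddress.IPv6Address(mask)  # raise on bad input
        return [key, addr, key.split("-")[0] + "-netmask", mask]
    net = ipaddress.IPv4Network(value, strict=False)
    return [key, f"{net.network_address}/{net.prefixlen}"]
def build_rule(ruleid, action, ipv6=False, description=None, ethertype=None, vlan=None,
               src_ip=None, dest_ip=None, protocol=None, l4portsrc=None, l4portdst=None,
               counters=None):
    """Return the rule command text, or raise ValueError on a constraint violation."""
    _check(1 <= ruleid <= 6000, "ruleid must be in 1..6000")
    _check(action in ("permit", "deny"), "action must be permit or deny")
    parts = ["rule", str(ruleid)] + (["ipv6"] if ipv6 else []) + [action]
    if description is not None:
        _check(len(description) <= 50, "description is limited to 50 characters")
        parts += ["description", f'"{description}"']
    if ethertype is not None:
        _check(ethertype[:2] == "0x" and 1 <= len(ethertype) - 2 <= 4 and set(ethertype[2:]) <= HEX,
               "ethertype must be 0x followed by at most 4 hex digits")
        parts += ["ethertype", ethertype]
    if vlan is not None:
        _check(2 <= vlan <= 4094, "vlan must be in 2..4094")
        parts += ["vlan", str(vlan)]
    if src_ip is not None:
        parts += _endpoint("src-ip", src_ip, ipv6)
    if dest_ip is not None:
        parts += _endpoint("dest-ip", dest_ip, ipv6)
    if protocol is not None:
        _check(protocol in ("tcp", "udp") or (isinstance(protocol, int) and 0 <= protocol <= 255),
               "protocol must be tcp, udp or a protocol number 0..255")
        parts += ["protocol", str(protocol)]
    for key, port in (("l4portsrc", l4portsrc), ("l4portdst", l4portdst)):
        if port is not None:  # assumption: L4 ports only make sense with tcp/udp
            _check(protocol in ("tcp", "udp"), f"{key} is only valid with protocol tcp or udp")
            _check(0 <= port <= 65535, f"{key} must be in 0..65535")
            parts += [key, str(port)]
    if counters is not None:
        _check(counters in ("enable", "disable"), "counters must be enable or disable")
        parts += ["counters", counters]
    return " ".join(parts)
```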