Configuring Flow Rules (Broadcom)

Broadcom ASIC

You can configure a rule with certain qualifiers to aggregate and filter traffic from network port(s) to tool port(s) for monitoring.

Before configuring flow rules, Network and Tool ports must be configured

Reference

Command

rule <ruleid> [ipv6] (deny | permit ) [description <cstring>] ([ethertype <etype>] [vlan <vid>] [src-ip (<ipv4> | <ipv6 > src-netmask <ipv6 >)] [dest-ip (<ipv4> | <ipv6 > dest-netmask <ipv6 >)] [protocol (tcp | udp | <ptype >)] [l4portsrc <sport>] [l4portdst <dport>] [tosval <sval >] [dscp <dval>] [ttl <tval>] [tcpctl <flags > tcpctlmask <tcpmask >] | match_all [ipv6]) [counters (enable | disable)]

no rule <ruleid>

Description

Rule configuration

Parameters

ruleid: It should be in the range 1 to 6000
ipv6: used to specify an ipv6 rule
description: max 50 characters
ethertype: hexadecimal value prefix with 0x. max 4 characters.
vlan: VLAN id 2 to 4094
src-ip: source IP address
dest-ip: Destination IP address
protocol: L3 Protocol
l4portsrc: L4 source port for TCP or UDP
l4portdst: L4 source port for TCP or UDP
tossval: Type of Service
dscp: Differentiated services code point.
ttl: Time-to-live
tcpctl: TCP control flags

Mode

FLOW

Example

pbnoscli# configure terminal 
pbnoscli(config)# flow flow01
pbnoscli(config-flow-flow01)# 
  !                     Exit from the current prompt
  description           Configure description for flow
  enable                Enable the flow
  end                   Exit to exec prompt
  exit                  Exit from the current prompt
  network-ports         Configure network or TAP ports
  no                    no form
  rule                  Configure rule
  show                  Show commands
  tool-ports            Configure network tool or analyzer ports
  top                   Exit to the configuration prompt
pbnoscli(config-flow-flow01)# rule 1 
  action                Add rule specific action
  deny                  Deny traffic
  ipv6                  IPv6 Rule
  permit                Permit traffic
pbnoscli(config-flow-flow01)# rule 1 ipv6   
  deny                  Deny traffic
  permit                Permit traffic
pbnoscli(config-flow-flow01)# rule 1 ipv6 
pbnoscli(config-flow-flow01)# rule 1 permit 
  <cr>
  counters              Enable counters
  description           Add description within double quotes
  dest-ip               Destination IP address
  dscp                  Differentiated services code point
  ethertype             ethernet type, 0x800, 0x8100
  l4portdst             L4 destination port
  l4portsrc             L4 source port
  match-all             Match all
  protocol              IP protocol
  src-ip                Source IP address
  tcpctl                TCP Control Flags
  tosval                Type of Service
  ttl                   Time-to-live
  vlan                  Vlan Identifier
pbnoscli(config-flow-flow01)# rule 1 permit src-ip 10.10.0.0/24 dest-ip 20.0.20.0/24 counters enable 

//to remove a rule
pbnoscli(config-flow-flow01)# no rule 1
pbnoscli(config-flow-flow01)#

You can verify the configuration by using the command(s) below:

pbnoscli# show flow summary 
Flow-Name       Rule-Id        Status      Counter-Value
=========================================================
flow01          1             Active          1671               

pbnoscli# show flow flow01

===================================
Flow : flow01 (CLI)
===================================
Status       : enable          
Network-Port : Ethernet1/1,Ethernet2/1
Tool-Port    : port-channel1,Ethernet8/1

Rule : 1               
++++++++++++++++++++++++++++++++++
Action                   : permit          
Source IP                : 10.10.0.0       
Source Mask              : 255.255.255.0   
Destination IP           : 20.0.20.0       
Destination Mask         : 255.255.255.0   
Counters                 : enable          
pbnoscli#

\\Configuring IPv4 rules
pbnoscli# show running-config 
configure terminal
port-channel 1 ports Ethernet63/1,Ethernet64/1
!
interface ethernet Ethernet1/1
forward-error-correction rs
type network
!
interface ethernet Ethernet2/1
forward-error-correction rs
type network
!
interface mgmt
ip address 10.4.4.53/23 gateway 10.4.4.1
!
flow flow01
description "--Flow Description--"
network-ports Ethernet1/1,Ethernet2/1
tool-ports port-channel1,Ethernet8/1
rule 1 permit src-ip 10.10.0.0/24 dest-ip 20.0.20.0/24 counters enable
!
pbnoscli#

\\Configuring IPv6 rules
pbnoscli# show running-config 
configure terminal
port-channel 1 ports Ethernet63/1,Ethernet64/1
!
interface ethernet Ethernet1/1
forward-error-correction rs
type network
!
interface ethernet Ethernet2/1
forward-error-correction rs
type network
!
interface mgmt
ip address 10.4.4.53/23 gateway 10.4.4.1
!
flow flow01
description "--Flow Description--"
network-ports Ethernet1/1,Ethernet2/1
tool-ports port-channel1,Ethernet8/1
rule 1 ipv6 permit src-ip 2401::1 src-netmask f::f dest-ip 2401::2 dest-netmask f::f counters enable
!
pbnoscli#

PreviousConfiguring Flow Rules (NVIDIA)NextConfiguring Flow Match Expression Rules

Last updated 1 year ago

Was this helpful?

pbnoscli# configure terminal pbnoscli(config)# flow flow01 pbnoscli(config-flow-flow01)# ! Exit from the current prompt description Configure description for flow enable Enable the flow end Exit to exec prompt exit Exit from the current prompt network-ports Configure network or TAP ports no no form rule Configure rule show Show commands tool-ports Configure network tool or analyzer ports top Exit to the configuration prompt pbnoscli(config-flow-flow01)# rule 1 action Add rule specific action deny Deny traffic ipv6 IPv6 Rule permit Permit traffic pbnoscli(config-flow-flow01)# rule 1 ipv6 deny Deny traffic permit Permit traffic pbnoscli(config-flow-flow01)# rule 1 ipv6 pbnoscli(config-flow-flow01)# rule 1 permit <cr> counters Enable counters description Add description within double quotes dest-ip Destination IP address dscp Differentiated services code point ethertype ethernet type, 0x800, 0x8100 l4portdst L4 destination port l4portsrc L4 source port match-all Match all protocol IP protocol src-ip Source IP address tcpctl TCP Control Flags tosval Type of Service ttl Time-to-live vlan Vlan Identifier pbnoscli(config-flow-flow01)# rule 1 permit src-ip 10.10.0.0/24 dest-ip 20.0.20.0/24 counters enable //to remove a rule pbnoscli(config-flow-flow01)# no rule 1 pbnoscli(config-flow-flow01)#

pbnoscli# show flow summary Flow-Name Rule-Id Status Counter-Value ========================================================= flow01 1 Active 1671 pbnoscli# show flow flow01 =================================== Flow : flow01 (CLI) =================================== Status : enable Network-Port : Ethernet1/1,Ethernet2/1 Tool-Port : port-channel1,Ethernet8/1 Rule : 1 ++++++++++++++++++++++++++++++++++ Action : permit Source IP : 10.10.0.0 Source Mask : 255.255.255.0 Destination IP : 20.0.20.0 Destination Mask : 255.255.255.0 Counters : enable pbnoscli#

\\Configuring IPv4 rules pbnoscli# show running-config configure terminal port-channel 1 ports Ethernet63/1,Ethernet64/1 ! interface ethernet Ethernet1/1 forward-error-correction rs type network ! interface ethernet Ethernet2/1 forward-error-correction rs type network ! interface mgmt ip address 10.4.4.53/23 gateway 10.4.4.1 ! flow flow01 description "--Flow Description--" network-ports Ethernet1/1,Ethernet2/1 tool-ports port-channel1,Ethernet8/1 rule 1 permit src-ip 10.10.0.0/24 dest-ip 20.0.20.0/24 counters enable ! pbnoscli#

\\Configuring IPv6 rules pbnoscli# show running-config configure terminal port-channel 1 ports Ethernet63/1,Ethernet64/1 ! interface ethernet Ethernet1/1 forward-error-correction rs type network ! interface ethernet Ethernet2/1 forward-error-correction rs type network ! interface mgmt ip address 10.4.4.53/23 gateway 10.4.4.1 ! flow flow01 description "--Flow Description--" network-ports Ethernet1/1,Ethernet2/1 tool-ports port-channel1,Ethernet8/1 rule 1 ipv6 permit src-ip 2401::1 src-netmask f::f dest-ip 2401::2 dest-netmask f::f counters enable ! pbnoscli#