Configuring Flow Rules (NVIDIA)

NVIDIA ASIC

You can configure a rule with certain qualifiers to aggregate and filter traffic from network port(s) to tool port(s) for monitoring.

Before configuring flow rules, the network and tool ports must already be configured.

Reference

Command

rule <ruleid> (deny | permit) [description <cstring>] ([ethertype <etype>] [vlan <vid>] [src-ip (<ipv4> | <ipv6> src-netmask <ipv6>)] [dest-ip (<ipv4> | <ipv6> dest-netmask <ipv6>)] [protocol (tcp | udp | <ptype>)] [l4portsrc <sport>] [l4portdst <dport>] [tosval <sval>] [dscp <dval>] [ttl <tval>] [tcpctl <flags> tcpctlmask <tcpmask>] | match-all [ipv6]) [counters (enable | disable)]

no rule <ruleid>

Description

Rule configuration

Parameters

  • ruleid: rule identifier, in the range 1 to 6000

  • description: max 50 characters

  • ethertype: hexadecimal value prefixed with 0x; max 4 characters

  • vlan: VLAN id 2 to 4094

  • src-ip: source IP address

  • dest-ip: Destination IP address

  • protocol: L3 protocol (tcp, udp, or an IP protocol number)

  • l4portsrc: L4 source port for TCP or UDP

  • l4portdst: L4 destination port for TCP or UDP

  • tosval: Type of Service

  • dscp: Differentiated services code point.

  • ttl: Time-to-live

  • tcpctl: TCP control flags

Mode

FLOW

Example

pbnoscli# configure terminal 
pbnoscli(config)# flow flow01
pbnoscli(config-flow-flow01)# 
  !                     Exit from the current prompt
  description           Configure description for flow
  enable                Enable the flow
  end                   Exit to exec prompt
  exit                  Exit from the current prompt
  network-ports         Configure network or TAP ports
  no                    no form
  pop-vlan              Pop Vlan Tag
  push-vlan-tag         Push VLAN tag
  rule                  Configure rule
  show                  Show commands
  tool-ports            Configure network tool or analyzer ports
  top                   Exit to the configuration prompt
pbnoscli(config-flow-flow01)# rule 1 
  action                Add rule specific action
  deny                  Deny traffic
  permit                Permit traffic
pbnoscli(config-flow-flow01)# rule 1 permit 
  <cr>
  counters              Enable counters
  description           Add description within double quotes
  dest-ip               Destination IP address
  dscp                  Differentiated services code point
  ethertype             ethernet type, 0x800, 0x8100
  gtp                   GTP Tunneling
  l4portdst             L4 destination port
  l4portsrc             L4 source port
  match-all             Match all
  protocol              IP protocol
  qualifiers            Flow Rule Qualifiers
  src-ip                Source IP address
  tcpctl                TCP Control Flags
  tosval                Type of Service
  ttl                   Time-to-live
  vlan                  Vlan Identifier
pbnoscli(config-flow-flow01)# rule 1 permit src-ip 10.10.0.0/24 dest-ip 20.0.20.0/24 counters enable 

//to remove a rule
pbnoscli(config-flow-flow01)# no rule 1
pbnoscli(config-flow-flow01)#
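As an added example (not pbnoscli output or NVIDIA code), the following Python parser validates `rule` lines in the syntax above before they are pasted into FLOW mode, using the ranges the parameter list states (ruleid 1 to 6000, VLAN 2 to 4094, description up to 50 characters, ethertype 0x plus up to 4 hex digits) and the mutual exclusion between `match-all` and the other qualifiers. The L4 port, ToS, DSCP and TTL ranges are the protocol field widths and are assumptions, since the page does not state them; `tcpctl`/`tcpctlmask` values are kept as opaque strings for the same reason.

```python
"""Parse and validate pbnoscli FLOW-mode `rule` lines (added example)."""
import ipaddress
import re
import shlex

# Page-stated constraint: 0x followed by at most 4 hex digits.
ETHERTYPE_RE = re.compile(r"^0x[0-9A-Fa-f]{1,4}$")


def _int_in(lo, hi):
    """Return a validator accepting a decimal integer within [lo, hi]."""
    def check(token):
        try:
            value = int(token, 10)
        except ValueError:
            raise ValueError(f"{token!r} is not an integer") from None
        if not lo <= value <= hi:
            raise ValueError(f"{value} is outside {lo}..{hi}")
        return value
    return check


def _ip_or_prefix(token):
    """Accept a bare IPv4/IPv6 address or a CIDR prefix (as in the example session)."""
    return str(ipaddress.ip_network(token, strict=False))


def _protocol(token):
    """tcp, udp, or a raw IP protocol number (0..255 is the field width)."""
    if token in ("tcp", "udp"):
        return token
    return _int_in(0, 255)(token)


def _text(max_len):
    def check(token):
        if len(token) > max_len:
            raise ValueError(f"description longer than {max_len} characters")
        return token
    return check


def _ethertype(token):
    if not ETHERTYPE_RE.match(token):
        raise ValueError(f"ethertype {token!r} must be 0x plus up to 4 hex digits")
    return token


def _choice(*allowed):
    def check(token):
        if token not in allowed:
            raise ValueError(f"{token!r} is not one of {allowed}")
        return token
    return check


# Qualifier keyword -> validator for the single token that follows it.
# Port/ToS/DSCP/TTL ranges are assumed from the protocol field widths.
QUALIFIERS = {
    "description": _text(50),
    "ethertype": _ethertype,
    "vlan": _int_in(2, 4094),
    "src-ip": _ip_or_prefix,
    "src-netmask": _ip_or_prefix,
    "dest-ip": _ip_or_prefix,
    "dest-netmask": _ip_or_prefix,
    "protocol": _protocol,
    "l4portsrc": _int_in(0, 65535),
    "l4portdst": _int_in(0, 65535),
    "tosval": _int_in(0, 255),
    "dscp": _int_in(0, 63),
    "ttl": _int_in(0, 255),
    "tcpctl": str,        # flag encoding not given on the page; kept opaque
    "tcpctlmask": str,
    "counters": _choice("enable", "disable"),
}
# Qualifiers that may not be combined with match-all.
MATCH_KEYS = set(QUALIFIERS) - {"description", "counters"}


def parse_rule(line):
    """Parse `rule <id> (permit|deny) ...` into a dict; raise ValueError on bad input."""
    tokens = shlex.split(line)  # honours the double-quoted description
    if len(tokens) < 3 or tokens[0] != "rule":
        raise ValueError("expected: rule <ruleid> (permit|deny) ...")
    rule = {"ruleid": _int_in(1, 6000)(tokens[1]),
            "action": _choice("permit", "deny")(tokens[2])}
    i = 3
    while i < len(tokens):
        key = tokens[i]
        if key == "match-all":
            rule["match-all"] = True
            if i + 1 < len(tokens) and tokens[i + 1] == "ipv6":
                rule["ipv6"] = True
                i += 1
            i += 1
            continue
        if key not in QUALIFIERS:
            raise ValueError(f"unknown qualifier {key!r}")
        if i + 1 >= len(tokens):
            raise ValueError(f"{key} needs a value")
        rule[key] = QUALIFIERS[key](tokens[i + 1])
        i += 2
    if rule.get("match-all") and MATCH_KEYS & rule.keys():
        raise ValueError("match-all cannot be combined with other qualifiers")
    if ("tcpctl" in rule) != ("tcpctlmask" in rule):
        raise ValueError("tcpctl and tcpctlmask must be given together")
    return rule


def is_valid(line):
    """True when the line parses cleanly, False otherwise."""
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The rule from the example session above.
    print(parse_rule("rule 1 permit src-ip 10.10.0.0/24 dest-ip 20.0.20.0/24 counters enable"))
```

Run it over a staged list of rule lines before entering them; a `ValueError` names the offending qualifier, which is easier to act on than the CLI rejecting the line after `network-ports` and `tool-ports` have already been committed.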

You can verify the configuration by using the command(s) below:
