Configuring Flow Match Expression Rules

Using this command, users can configure a rule using an expression string for both inner and outer headers in encapsulated packets.

Before configuring flow rules, Network and Tool ports must be configured

This feature is supported only on NVIDIA spectrum-2/3 platforms

Reference

Command	rule ((deny | permit) [description ] [match-expression ] [counters (enable | disable )] no rule <ruleid>
Description	Rule configuration
Parameters	ruleid: It should be in the range 1 to 6000 description: max 50 characters. match expression: qualifiers can be added to this string counters: can be enabled or disabled
Mode	FLOW

Expression qualifiers -

ethertype - L2 Ethertype, vlan - Vlan header value, src-ip - Source IP prefix, src-netmask - Source IP mask, dest-ip- Destination IP prefix, dest-netmask- Destination IP mask, protocol - Protocol type, l4portsrc- Transport layer source port, l4portdst - Transport layer destination port, tosval - Type of Service value, dscp - Differentiated services field value, ttl - Packet TTL, tcpctl - TCP control value, tcpctlmask - TCP control mask, teid - Encapsulation tunnel ID, inner-sip - Inner IP Source Address, inner-dip - Inner IP Destination Address, inner-protocol - Inner Header Protocol, inner_l4srcport - Inner Header UDP Source Port, inner_l4destport - Inner Header UDP Destination Port

Example

pbnoscli# configure terminal 
pbnoscli(config)# flow flow01
pbnoscli(config-flow-flow01)# 
  !                     Exit from the current prompt
  description           Configure description for flow
  enable                Enable the flow
  end                   Exit to exec prompt
  exit                  Exit from the current prompt
  network-ports         Configure network or TAP ports
  no                    no form
  pop-vlan              Pop Vlan Tag
  push-vlan-tag         Push VLAN tag
  rule                  Configure rule
  show                  Show commands
  tool-ports            Configure network tool or analyzer ports
  top                   Exit to the configuration prompt
pbnoscli(config-flow-flow01)# rule 1 permit description "Match Expression" 
  <cr>
  counters              Enable counters
  dest-ip               Destination IP address
  dscp                  Differentiated services code point
  ethertype             ethernet type, 0x800, 0x8100
  gtp                   GTP Tunneling
  l4portdst             L4 destination port
  l4portsrc             L4 source port
  match-all             Match all
  match-expression      Flow Rule Qualifiers
  protocol              IP protocol
  src-ip                Source IP address
  tcpctl                TCP Control Flags (maximum value is 0x3f)
  tosval                Type of Service
  ttl                   Time-to-live
  udf-data              User Defined Data
  vlan                  Vlan Identifier
pbnoscli(config-flow-flow01)# rule 1 permit description "Match Expression" 
pbnoscli(config-flow-flow01)# $Match Expression" match-expression 
  <matchexpression>     Example qualifiers: ethertype, vlan, src-ip, src-netmask, 
                                            dest-ip, dest-netmask, protocol, l4portsrc,
                                            l4portdst, tosval, dscp, ttl, tcpctl, tcpctlmask,
                                            teid, inner-sip, inner-dip, inner-protocol, 
                                            inner_l4srcport, inner_l4destport
pbnoscli(config-flow-flow01)# $Match Expression" match-expression "vlan 100 src-ip 1.1.1.1/32 dest-ip 2.2.2.2/32 protocol udp inner-sip 10.10.10.1/32 inner-dip 20.20.20.2/32" counters enable
pbnoscli(config-flow-flow01)# end

You can verify the configuration by using the command(s) below:

pbnoscli# show flow all
===================================
Flow : flow01 (CLI)
===================================
Status       : enable          
Network-Port : Ethernet1/1,Ethernet2/1
Tool-Port    : port-channel1,Ethernet8/1

Rule : 1               
++++++++++++++++++++++++++++++++++
Vlan                     : 100             
Source IP                : 1.1.1.1         
Source Mask              : 255.255.255.255 
Destination IP           : 2.2.2.2         
Destination Mask         : 255.255.255.255 
Protocol                 : udp             
Inner Source IP          : 10.10.10.1      
Inner Source Mask        : 255.255.255.255 
Inner Destination IP     : 20.20.20.2      
Inner Destination Mask   : 255.255.255.255 
Action                   : permit          
Description              : Match Expression
Counters                 : enable          
pbnoscli# 

pbnoscli# show flow counters all
Flow-Name       Rule-Id        ASIC-Stat-Id   Counter-Value
=============================================================
flow01          DropRule        40960           42156085        
flow01          1               57344           455049065       
pbnoscli#

pbnoscli# show running-config 
configure terminal
!
interface ethernet Ethernet1/1
forward-error-correction rs
type network
!
interface ethernet Ethernet2/1
forward-error-correction rs
type tool
!
interface mgmt
ip address 10.4.4.53/23 gateway 10.4.4.1
!
port-channel 1 ports Ethernet63/1,Ethernet64/1
flow flow01
network-ports Ethernet16
tool-ports Ethernet20
rule 1 permit description "Match Expression" match-expression "vlan 100 src-ip 1.1.1.1/32 dest-ip 2.2.2.2/32 protocol udp inner-sip 10.10.10.1/32 inner-dip 20.20.20.2/32" counters enable
!
pbnoscli#