You can configure flows with rules to replicate and filter traffic between the network ports and the tool ports.
A flow creates a traffic stream from a network port to a tool port; the traffic can be filtered by configuring rule(s) that permit or deny matching traffic.
Command: [no] flow <flow-name>
Description: Create/Delete flow
Parameters: flow-name: maximum of 10 characters
Interface: CONFIG
This section provides information about configuring flows and rules.
Network ports are the source port(s) specified in a flow; ingress traffic on one or more of these ports is matched and filtered.
Command: network-ports <network-ports>
Description: Configure network or TAP ports
Parameters: network-ports: valid interfaces, delimited by comma (,)
Mode: FLOW
You can verify the configuration by using the command(s) below:
You can specify a description for the flow. The description can be up to 48 characters long and is case-sensitive.
Command: description <string>
Description: Description configuration
Parameters: string: maximum 50 characters, within double quotes
Interface: FLOW
You can verify the configuration by using the command(s) below:
You can specify the destination(s) for packets matching the flow. The supported destinations are:
port-id(s): matching traffic is redirected to one or more tool ports
port-channel: matching traffic is redirected to multiple tool ports with symmetric load balancing
You can verify the configuration by using the command(s) below:
Using this command, you can configure a rule with an expression string that matches fields in both the inner and the outer headers of encapsulated packets.
Before configuring flow rules, network and tool ports must be configured.
This feature is supported only on NVIDIA Spectrum-2/3 platforms.
Expression qualifiers:
ethertype: L2 EtherType
vlan: VLAN header value
src-ip: source IP prefix
src-netmask: source IP mask
dest-ip: destination IP prefix
dest-netmask: destination IP mask
protocol: protocol type
l4portsrc: transport layer source port
l4portdst: transport layer destination port
tosval: Type of Service value
dscp: Differentiated Services field value
ttl: packet TTL
tcpctl: TCP control value
tcpctlmask: TCP control mask
teid: encapsulation tunnel ID
inner-sip: inner IP source address
inner-dip: inner IP destination address
inner-protocol: inner header protocol
inner_l4srcport: inner header UDP source port
inner_l4destport: inner header UDP destination port
You can verify the configuration by using the command(s) below:
Broadcom ASIC
You can configure a rule to override the flow's configured action for egress tool port(s) and/or VLAN tag handling; a rule can therefore send its matching traffic to tool port(s) other than those configured on the flow.
override-action is configured per rule: every rule in the flow that should override the flow action needs its own override-action.
You can verify the configuration by using the command(s) below:
VLAN-aware mode gives OPB administrators the ability to match and modify packets in the flow before forwarding them to the tool port(s).
You can configure OPBNOS to modify the flow as follows:
Push VLAN: push a new VLAN tag onto the egress traffic.
Pop VLAN: pop (remove) the VLAN tag from the egress traffic.
This feature is only supported on NVIDIA platforms.
You can verify the configuration by using the command(s) below:
Command: tool-ports <tool-ports>
Description: Configure network tool or analyzer ports
Parameters: tool-ports: valid interfaces, delimited by comma (,)
Mode: FLOW
Command: rule <ruleid> (deny | permit) [description <description>] [match-expression <match-expression>] [counters (enable | disable)]
no rule <ruleid>
Description: Rule configuration
Parameters:
ruleid: must be in the range 1 to 6000
description: maximum 50 characters
match-expression: string to which the expression qualifiers listed above are added
counters: can be enabled or disabled
Mode: FLOW
Command: rule <ruleid> [ipv6] (deny | permit) [description <cstring>] ([ethertype <etype>] [vlan <vid>] [src-ip (<ipv4> | <ipv6> src-netmask <ipv6>)] [dest-ip (<ipv4> | <ipv6> dest-netmask <ipv6>)] [protocol (tcp | udp | <ptype>)] [l4portsrc <sport>] [l4portdst <dport>] [tosval <sval>] [dscp <dval>] [ttl <tval>] [tcpctl <flags> tcpctlmask <tcpmask>] | match_all [ipv6]) [counters (enable | disable)]
no rule <ruleid>
Description: Rule configuration
Parameters:
ruleid: must be in the range 1 to 6000
ipv6: specifies an IPv6 rule
description: maximum 50 characters
ethertype: hexadecimal value prefixed with 0x, maximum 4 characters
vlan: VLAN ID 2 to 4094
src-ip: source IP address
dest-ip: destination IP address
protocol: L3 protocol
l4portsrc: L4 source port for TCP or UDP
l4portdst: L4 destination port for TCP or UDP
tosval: Type of Service
dscp: Differentiated Services code point
ttl: time-to-live
tcpctl: TCP control flags
Mode: FLOW
Command: push-vlan-tag <vid>
Description: Push a VLAN tag onto traffic matching the rules configured in the map
Parameters: vid: VLAN ID within 1 to 4094
Mode: FLOW
Command: pop-vlan
Description: Pop the VLAN tag from received ingress packets
Parameters: disable/enable
Mode: FLOW
Command: rule <ruleid> action
override-pop-vlan: override action to pop the VLAN
override-push-vlan-tag: override action to push a VLAN tag
override-to: override to configure rule-specific network tool or analyzer ports
Description: Rule actions
Parameters:
ruleid: must be in the range 1 to 6000
override-to: override egress ports
override-push-vlan: override the map's push VLAN
override-pop-vlan: override pop VLAN
Mode: FLOW
User Defined Filtering (UDF) is an inspection of a packet based on offset values. An ACL can be defined with UDF matching capabilities to give granularity and flexibility when identifying traffic patterns, and it is often used for deeper packet analysis. Typical use cases include finding patterns inside the inner header when packets are tunnelled.
Using UDF, you can configure a rule that matches specific bytes of the ingress packet at a given offset, and permits or denies the matched packets.
The offset for an L3 match starts at the IP header of the packet.
The offset for an L2 match starts at the EtherType field of the packet.
Note: The maximum length that can be matched is 40 characters (i.e. 20 bytes) and the minimum is 4 characters (i.e. 2 bytes), excluding the "0x" prefix. The character string must have an even number of characters.
Before configuring flow rules, network and tool ports must be configured.
This feature is supported only on NVIDIA Spectrum-2/3 platforms.
UDF and GTP cannot be configured together on a device.
Command: rule <rule-id> (deny | permit) [description <description>] [udf-data <udf-data> udf-extraction-group (l2 | l3 [udf-extraction-point <udf-extraction-point>]) udf-offset <udf-offset>] [counters (enable | disable)]
no rule <ruleid>
Description: Rule configuration
Parameters:
ruleid: must be in the range 1 to 6000
description: maximum 50 characters
udf-data: data bytes to be matched against the incoming packet
udf-extraction-group:
l2: match from the L2 header EtherType field
l3: match from the start of the IPv4 or IPv6 header
udf-extraction-point: (applies only to the l3 extraction group) sets the extraction point relative to the start of the IPv4 or IPv6 header
udf-offset: offset from the extraction point at which the bytes are compared
counters: can be enabled or disabled
Mode: FLOW
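The extraction points and udf-data limits described above, as an added illustration that is not OPBNOS code: a small Python model that locates the bytes a UDF rule compares on a constructed IPv4/UDP frame (UDP destination port 2152, the GTP-U port, stands in for the tunnelled-traffic use case). How the ASIC counts offsets on a VLAN-tagged frame is not stated on the page; the model assumes a single 802.1Q tag shifts the IP header by 4 bytes.

```python
import struct

ETHERTYPE_OFFSET = 12  # EtherType follows dst MAC (6) + src MAC (6)
ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_8021Q = 0x0800, 0x86DD, 0x8100

def parse_udf_data(udf_data: str) -> bytes:
    """udf-data limits from the page: 0x prefix, even number of hex
    characters, 4 to 40 of them (2 to 20 bytes)."""
    if not udf_data.lower().startswith("0x"):
        raise ValueError("udf-data must carry a 0x prefix")
    hexpart = udf_data[2:]
    if len(hexpart) % 2 or not 4 <= len(hexpart) <= 40:
        raise ValueError("udf-data must be 4..40 hex characters, even length")
    return bytes.fromhex(hexpart)

def extraction_base(frame: bytes, group: str) -> int:
    """Frame index the udf-offset counts from: the EtherType field for l2,
    the first byte of the IPv4/IPv6 header for l3 (-1 if there is none).
    Assumption, not from the page: one 802.1Q tag shifts that header by 4."""
    if group == "l2":
        return ETHERTYPE_OFFSET
    if group != "l3":
        raise ValueError("udf-extraction-group must be l2 or l3")
    pos = ETHERTYPE_OFFSET
    etype = struct.unpack_from("!H", frame, pos)[0]
    if etype == ETHERTYPE_8021Q:
        pos += 4
        etype = struct.unpack_from("!H", frame, pos)[0]
    return pos + 2 if etype in (ETHERTYPE_IPV4, ETHERTYPE_IPV6) else -1

def udf_matches(frame: bytes, group: str, offset: int, udf_data: str) -> bool:
    """True when the bytes at udf-offset from the extraction point equal udf-data."""
    pattern = parse_udf_data(udf_data)
    base = extraction_base(frame, group)
    if base < 0:                      # non-IP frame never matches an l3 rule
        return False
    return frame[base + offset:base + offset + len(pattern)] == pattern

def build_sample_frame(vlan_id=None) -> bytes:
    """Constructed IPv4/UDP frame (not captured traffic): TTL 64, UDP dst
    port 2152 (GTP-U), checksums zero, optionally one 802.1Q tag."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0x4000, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 40000, 2152, 8, 0)
    return eth + ip + udp
```

Because the minimum udf-data is 2 bytes, a single-byte field such as the IPv4 protocol (offset 9) is matched together with its neighbour, here TTL 64 plus protocol 17 as 0x4011 at l3 offset 8.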
You can verify the configuration by using the command(s) below:
Use the following command to check the rate of data flowing through a flow:
Command: show flow (all | <flow-name>) rate
Description: Display the flow rate for a flow
Parameters: flow-name: maximum 20 characters
Mode: EXEC
You can display the flow configuration and operational status as follows:
Command: show flow (all | <flow-name> rule <rule-id>)
Description: Displays all the flow configurations and rule configurations
Parameters:
flow-name: maximum 20 characters
rule-id: within 1 to 6000
Mode: EXEC
Use the following command to show the flow summary:
Command: show flow summary
Description: Displays the summary of all OPB flows
Parameters: None
Mode: EXEC
Use the following command to display the counters of all the flows:
Command: show flow counters (all | <flow-name>)
Description: Displays the counters of all the OPB flows
Parameters: flow-name: maximum 20 characters
Mode: EXEC
NVIDIA ASIC
You can configure a rule with certain qualifiers to aggregate and filter traffic from network port(s) to tool port(s) for monitoring.
Before configuring flow rules, network and tool ports must be configured.
Command: rule <ruleid> (deny | permit) [description <cstring>] ([ethertype <etype>] [vlan <vid>] [src-ip (<ipv4> | <ipv6> src-netmask <ipv6>)] [dest-ip (<ipv4> | <ipv6> dest-netmask <ipv6>)] [protocol (tcp | udp | <ptype>)] [l4portsrc <sport>] [l4portdst <dport>] [tosval <sval>] [dscp <dval>] [ttl <tval>] [tcpctl <flags> tcpctlmask <tcpmask>] | match_all [ipv6]) [counters (enable | disable)]
no rule <ruleid>
Description: Rule configuration
Parameters:
ruleid: must be in the range 1 to 6000
description: maximum 50 characters
ethertype: hexadecimal value prefixed with 0x, maximum 4 characters
vlan: VLAN ID 2 to 4094
src-ip: source IP address
dest-ip: destination IP address
protocol: L3 protocol
l4portsrc: L4 source port for TCP or UDP
l4portdst: L4 destination port for TCP or UDP
tosval: Type of Service
dscp: Differentiated Services code point
ttl: time-to-live
tcpctl: TCP control flags
Mode: FLOW
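Putting the commands above together, as an added example that is not from the page or from the OPBNOS documentation: a flow that copies HTTPS from VLAN 100 on two network ports to one tool port and counts what it drops. The interface names, the flow name, the VLAN and the explicit match_all deny (the page does not state the default for unmatched traffic) are assumptions; indented lines are FLOW-mode commands, the show commands run in EXEC mode, and lines beginning with # are annotations rather than CLI input.

```text
# CONFIG mode: create the flow, then its network and tool ports (required before any rule)
flow web-to-ids
  network-ports ethernet1/1,ethernet1/2
  tool-ports ethernet1/10
  description "HTTPS from VLAN 100 to the IDS"
  rule 1 permit description "https" vlan 100 protocol tcp l4portdst 443 counters enable
  rule 2 deny match_all counters enable

# EXEC mode: verify the rule, then watch the per-rule counters and the flow rate
show flow web-to-ids rule 1
show flow counters web-to-ids
show flow web-to-ids rate
```

A rising counter on rule 2 with a flat counter on rule 1 is the quickest sign that the VLAN or port qualifiers on rule 1 do not match the traffic actually arriving on the network ports.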
You can verify the configuration by using the command(s) below: