User Defined Filtering (UDF) inspects a packet at a configured byte offset rather than by a fixed header field. An ACL can be defined with UDF matching to give granularity and flexibility when identifying traffic patterns, and it is often used for deeper packet analysis. A typical use case is matching a pattern inside the inner header of tunnelled packets, which a normal header-field match cannot reach.
Using UDF, you can configure a rule that matches specific bytes in the ingress packet at a given offset and permits or denies the matching packets.
For the l3 extraction group, the offset is counted from the start of the IP header in the packet.
For the l2 extraction group, the offset is counted from the EtherType field in the packet.
Note: The udf-data value is a hex string. The maximum length that can be matched is 40 hex characters (20 bytes) and the minimum is 4 hex characters (2 bytes), excluding the "0x" prefix. The string must contain an even number of characters, since each pair of hex characters encodes one byte.
Before configuring flow rules, the Network and Tool ports must be configured.
This feature is supported only on NVIDIA Spectrum-2/3 platforms.
UDF and GTP cannot be configured together on a device.
udf-data: the hex bytes that must match the incoming packet at the configured offset
udf-extraction-group:
l2 - count the offset from the EtherType field of the L2 header
l3 - count the offset from the start of the IPv4 or IPv6 header
udf-extraction-point: (applies only to the l3 extraction group) selects whether the extraction point is the start of the IPv4 or the IPv6 header
udf-offset: number of bytes from the extraction point at which matching starts
counters: can be enabled or disabled
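The following is an added example, not part of this page or of the device software: a small offline model of the rule semantics described above (extraction group, extraction point, offset, udf-data limits) that lets you check which bytes a rule would compare before pushing it to the switch. All packets are constructed inline, not captures. It assumes untagged Ethernet II frames (EtherType at byte 12); how the device counts offsets on 802.1Q-tagged frames is not stated on this page. The function names (parse_udf_data, extraction_point, udf_match) are the example's own.

```python
"""Offline model of UDF rule matching, built from the documented semantics.
This is illustrative code, not the switch ASIC's implementation."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_GRE = 47


def parse_udf_data(udf_data):
    """Validate udf-data against the documented limits: optional 0x prefix,
    an even number of hex characters, and 2..20 bytes (4..40 characters)."""
    digits = udf_data[2:] if udf_data[:2].lower() == "0x" else udf_data
    if len(digits) % 2:
        raise ValueError("udf-data needs an even number of hex characters")
    data = bytes.fromhex(digits)  # raises ValueError on non-hex input
    if not 2 <= len(data) <= 20:
        raise ValueError("udf-data must be 2..20 bytes (4..40 hex characters)")
    return data


def udf_data_is_valid(udf_data):
    try:
        parse_udf_data(udf_data)
        return True
    except ValueError:
        return False


def extraction_point(frame, group, point=None):
    """Index in `frame` from which udf-offset is counted.
    l2: the EtherType field.  l3: first byte of the IPv4/IPv6 header.
    Assumption: untagged Ethernet II frame, so EtherType is at byte 12."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if group == "l2":
        return 12
    if group == "l3":
        expected = {"ipv4": ETHERTYPE_IPV4, "ipv6": ETHERTYPE_IPV6}.get(point)
        if expected is None:
            raise ValueError("l3 rules need udf-extraction-point ipv4 or ipv6")
        # An l3/ipv4 rule only applies to frames that actually carry IPv4.
        return 14 if ethertype == expected else None
    raise ValueError("udf-extraction-group must be l2 or l3")


def udf_match(frame, udf_data, group, offset, point=None):
    """True if the frame carries udf_data at `offset` bytes past the extraction point."""
    data = parse_udf_data(udf_data)
    base = extraction_point(frame, group, point)
    if base is None:
        return False
    window = frame[base + offset: base + offset + len(data)]
    return window == data  # a packet too short for the window simply does not match


# --- constructed sample frames (not captured traffic) ---
def ipv4_header(proto, src, dst, payload_len, dscp=0):
    """Minimal 20-byte IPv4 header, no options; checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ethernet(ethertype, payload):
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype) + payload


PAYLOAD = b"\x00" * 8
PLAIN_IPV4 = ethernet(ETHERTYPE_IPV4, ipv4_header(17, "192.0.2.1", "192.0.2.2", len(PAYLOAD)) + PAYLOAD)
DSCP_IPV4 = ethernet(ETHERTYPE_IPV4, ipv4_header(17, "192.0.2.1", "192.0.2.2", len(PAYLOAD), dscp=46) + PAYLOAD)
IPV6_FRAME = ethernet(ETHERTYPE_IPV6, bytes.fromhex("60000000000811ff") + b"\x00" * 32 + PAYLOAD)
# GRE tunnel: outer IPv4 (20 bytes) + 4-byte GRE header (flags 0, proto IPv4) + inner IPv4 to 10.0.0.2
INNER = ipv4_header(17, "10.0.0.1", "10.0.0.2", len(PAYLOAD)) + PAYLOAD
GRE = struct.pack("!HH", 0, ETHERTYPE_IPV4) + INNER
TUNNELED = ethernet(ETHERTYPE_IPV4, ipv4_header(IPPROTO_GRE, "198.51.100.1", "198.51.100.2", len(GRE)) + GRE)
```

Two things the model makes visible: an l3/ipv4 rule with udf-data 0x4500 at offset 0 matches only IPv4 packets with a 20-byte header and DSCP 0 (a packet marked EF, DSCP 46, has 0xb8 in its second byte and is not matched), and on an untagged frame l2 offset 2 lands on the same bytes as l3 offset 0. For the tunnelled case, the inner destination address of a GRE-encapsulated IPv4 packet sits at l3 offset 40 (20-byte outer header + 4-byte GRE header + 16 bytes into the inner header), so udf-data 0x0a000002 at that offset matches inner traffic to 10.0.0.2 while leaving plain IPv4 frames untouched.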
Mode
FLOW
Example
pbnoscli# configure terminal
pbnoscli(config)# flow flow01
pbnoscli(config-flow-flow01)#
! Exit from the current prompt
description Configure description for flow
enable Enable the flow
end Exit to exec prompt
exit Exit from the current prompt
network-ports Configure network or TAP ports
no no form
pop-vlan Pop Vlan Tag
push-vlan-tag Push VLAN tag
rule Configure rule
show Show commands
tool-ports Configure network tool or analyzer ports
top Exit to the configuration prompt
pbnoscli(config-flow-flow01)# rule 1 permit description "UDF" udf-data 0xb166 udf-extraction-group l2 udf-offset 2 counters enable
pbnoscli(config-flow-flow01)# rule 2 permit description "UDF" udf-data 0x4500 udf-extraction-group l3 udf-extraction-point ipv4 udf-offset 0 counters enable
pbnoscli(config-flow-flow01)# end
You can verify the configuration by using the command(s) below:
pbnoscli# show flow all
===================================
Flow : flow01 (CLI)
===================================
Status : enable
Network-Port : Ethernet1/1
Tool-Port : Ethernet2/1
Rule : 1
++++++++++++++++++++++++++++++++++
Action : permit
Description : UDF
UDF Data : 0xb166
UDF Extraction Group : l2
UDF Offset : 2
Counters : enable
Rule : 2
++++++++++++++++++++++++++++++++++
Action : permit
Description : UDF
UDF Data : 0x4500
UDF Extraction Group : l3
UDF Extraction Point : ipv4
UDF Offset : 0
Counters : enable
pbnoscli#
pbnoscli# show flow counters all
Flow-Name Rule-Id ASIC-Stat-Id Counter-Value
=============================================================
flow01 2 98304 503378220
flow01 DropRule 73728 4390145
flow01 1 90112 2270112825
pbnoscli#