Configuring Flow Match Expression Rules

This command configures a flow rule from a single match-expression string. The qualifiers in that string can reference both the outer header and the inner header of encapsulated packets, so one rule can select tunnelled traffic by its inner addresses.

Network ports and tool ports must be configured before any flow rule is configured.

Reference

Command

rule <ruleid> (deny | permit) [description <description>] [match-expression <matchexpression>] [counters (enable | disable)]

no rule <ruleid>

Description

Configures a flow match rule; the no form removes the rule with the given id.

Parameters

  • ruleid: integer in the range 1 to 6000

  • description: text of at most 50 characters

  • match-expression: string made up of the qualifiers listed below, each followed by its value

  • counters: enable or disable the per-rule hit counter

Mode

FLOW

Expression qualifiers

  • ethertype - L2 Ethertype
  • vlan - VLAN header value
  • src-ip - Source IP prefix
  • src-netmask - Source IP mask
  • dest-ip - Destination IP prefix
  • dest-netmask - Destination IP mask
  • protocol - Protocol type
  • l4portsrc - Transport layer source port
  • l4portdst - Transport layer destination port
  • tosval - Type of Service value
  • dscp - Differentiated services field value
  • ttl - Packet TTL
  • tcpctl - TCP control value
  • tcpctlmask - TCP control mask
  • teid - Encapsulation tunnel ID
  • inner-sip - Inner IP source address
  • inner-dip - Inner IP destination address
  • inner-protocol - Inner header protocol
  • inner_l4srcport - Inner header UDP source port
  • inner_l4destport - Inner header UDP destination port
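An offline checker for a match-expression string, added here as an example; it is not part of this documentation or of the vendor's software. It splits the quoted string into qualifier/value pairs, rejects anything not in the qualifier list above, expands a prefix such as 1.1.1.1/32 into the address and dotted mask that show flow all prints, enforces the bounds this page states (rule id 1 to 6000, description up to 50 characters, tcpctl up to 0x3f), and rebuilds the rule line as it appears in the running-config. The value format of each qualifier, the upper bounds the page does not state, the accepted protocol names and the display labels of fields the page never shows are assumptions of this example.

```python
"""Offline checker for pbnoscli flow rule match-expression strings (added
example, not vendor code). Bounds not stated on the page are assumptions."""
import ipaddress
import shlex

# Qualifiers documented on the page, for outer and inner headers.
QUALIFIERS = {
    "ethertype", "vlan", "src-ip", "src-netmask", "dest-ip", "dest-netmask",
    "protocol", "l4portsrc", "l4portdst", "tosval", "dscp", "ttl", "tcpctl",
    "tcpctlmask", "teid", "inner-sip", "inner-dip", "inner-protocol",
    "inner_l4srcport", "inner_l4destport",
}

# Address qualifiers mapped to the two lines `show flow all` prints for them.
PREFIX_FIELDS = {
    "src-ip": ("Source IP", "Source Mask"),
    "dest-ip": ("Destination IP", "Destination Mask"),
    "inner-sip": ("Inner Source IP", "Inner Source Mask"),
    "inner-dip": ("Inner Destination IP", "Inner Destination Mask"),
}
NETMASK_FIELDS = {"src-netmask": "Source Mask", "dest-netmask": "Destination Mask"}
PROTOCOL_FIELDS = {"protocol": "Protocol", "inner-protocol": "Inner Protocol"}
PROTOCOL_NAMES = {"tcp", "udp", "icmp", "gre", "sctp"}  # assumed accepted names

# Numeric qualifiers: (display label, upper bound). The tcpctl bound comes from
# the CLI help text on the page; the other bounds, and the labels of fields the
# page never displays, are assumed from the width of the header field.
NUMERIC_FIELDS = {
    "vlan": ("Vlan", 4095), "ethertype": ("Ethertype", 0xFFFF),
    "l4portsrc": ("L4 Source Port", 65535), "l4portdst": ("L4 Dest Port", 65535),
    "inner_l4srcport": ("Inner L4 Source Port", 65535),
    "inner_l4destport": ("Inner L4 Dest Port", 65535),
    "tosval": ("ToS", 255), "dscp": ("DSCP", 63), "ttl": ("TTL", 255),
    "tcpctl": ("TCP Control", 0x3F), "tcpctlmask": ("TCP Control Mask", 0x3F),
    "teid": ("TEID", 0xFFFFFFFF),
}


def parse_match_expression(expr):
    """Split the expression into {qualifier: value}; reject unknown, repeated
    or value-less qualifiers so the mistake surfaces before `rule` is issued."""
    tokens = shlex.split(expr)
    if len(tokens) % 2:
        raise ValueError("qualifier without a value: %r" % tokens[-1])
    raw = {}
    for name, value in zip(tokens[::2], tokens[1::2]):
        if name not in QUALIFIERS:
            raise ValueError("unknown qualifier %r" % name)
        if name in raw:
            raise ValueError("qualifier %r given twice" % name)
        raw[name] = value
    return raw


def to_show_fields(raw):
    """Map parsed qualifiers onto the labels `show flow all` prints, expanding
    a prefix such as 1.1.1.1/32 into address and dotted mask."""
    fields = {}
    # Explicit netmask qualifiers are applied last so they override the mask
    # derived from a prefix, whatever order the operator typed them in.
    for name, value in sorted(raw.items(), key=lambda kv: kv[0] in NETMASK_FIELDS):
        if name in PREFIX_FIELDS:
            net = ipaddress.IPv4Network(value, strict=False)  # bare host => /32
            ip_label, mask_label = PREFIX_FIELDS[name]
            fields[ip_label] = str(net.network_address)
            fields[mask_label] = str(net.netmask)
        elif name in NETMASK_FIELDS:
            fields[NETMASK_FIELDS[name]] = str(ipaddress.IPv4Address(value))
        elif name in PROTOCOL_FIELDS:
            if value.lower() not in PROTOCOL_NAMES and not value.isdigit():
                raise ValueError("bad protocol %r" % value)
            fields[PROTOCOL_FIELDS[name]] = value.lower()
        else:
            label, upper = NUMERIC_FIELDS[name]
            number = int(value, 0)  # decimal or 0x-prefixed hex such as 0x800
            if not 0 <= number <= upper:
                raise ValueError("%s=%s outside 0..%d" % (name, value, upper))
            fields[label] = str(number)
    return fields


def build_rule_command(rule_id, action, description, expr, counters=True):
    """Return the `rule` line as it appears in the running-config, after
    checking the bounds the page states for rule id and description."""
    if not 1 <= rule_id <= 6000:
        raise ValueError("rule id must be 1..6000")
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    if len(description) > 50:
        raise ValueError("description longer than 50 characters")
    to_show_fields(parse_match_expression(expr))  # validate before emitting
    return 'rule %d %s description "%s" match-expression "%s" counters %s' % (
        rule_id, action, description, expr, "enable" if counters else "disable")


if __name__ == "__main__":
    EXPR = ("vlan 100 src-ip 1.1.1.1/32 dest-ip 2.2.2.2/32 protocol udp "
            "inner-sip 10.10.10.1/32 inner-dip 20.20.20.2/32")
    for label, value in to_show_fields(parse_match_expression(EXPR)).items():
        print("%-24s : %s" % (label, value))
    print(build_rule_command(1, "permit", "Match Expression", EXPR))
```

Running the checker on the expression used in the example session prints the same Vlan, Source IP, Source Mask, Destination IP, Destination Mask, Protocol and inner-address lines that show flow all displays, which makes it a convenient way to compare an intended rule against the broker's view of it before traffic is mirrored to a tool port.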

Example

pbnoscli# configure terminal 
pbnoscli(config)# flow flow01
pbnoscli(config-flow-flow01)# 
  !                     Exit from the current prompt
  description           Configure description for flow
  enable                Enable the flow
  end                   Exit to exec prompt
  exit                  Exit from the current prompt
  network-ports         Configure network or TAP ports
  no                    no form
  pop-vlan              Pop Vlan Tag
  push-vlan-tag         Push VLAN tag
  rule                  Configure rule
  show                  Show commands
  tool-ports            Configure network tool or analyzer ports
  top                   Exit to the configuration prompt
pbnoscli(config-flow-flow01)# rule 1 permit description "Match Expression" 
  <cr>
  counters              Enable counters
  dest-ip               Destination IP address
  dscp                  Differentiated services code point
  ethertype             ethernet type, 0x800, 0x8100
  gtp                   GTP Tunneling
  l4portdst             L4 destination port
  l4portsrc             L4 source port
  match-all             Match all
  match-expression      Flow Rule Qualifiers
  protocol              IP protocol
  src-ip                Source IP address
  tcpctl                TCP Control Flags (maximum value is 0x3f)
  tosval                Type of Service
  ttl                   Time-to-live
  udf-data              User Defined Data
  vlan                  Vlan Identifier
pbnoscli(config-flow-flow01)# rule 1 permit description "Match Expression" 
pbnoscli(config-flow-flow01)# $Match Expression" match-expression 
  <matchexpression>     Example qualifiers: ethertype, vlan, src-ip, src-netmask, 
                                            dest-ip, dest-netmask, protocol, l4portsrc,
                                            l4portdst, tosval, dscp, ttl, tcpctl, tcpctlmask,
                                            teid, inner-sip, inner-dip, inner-protocol, 
                                            inner_l4srcport, inner_l4destport
pbnoscli(config-flow-flow01)# $Match Expression" match-expression "vlan 100 src-ip 1.1.1.1/32 dest-ip 2.2.2.2/32 protocol udp inner-sip 10.10.10.1/32 inner-dip 20.20.20.2/32" counters enable
pbnoscli(config-flow-flow01)# end

You can verify the configuration by using the command(s) below:

pbnoscli# show flow all
===================================
Flow : flow01 (CLI)
===================================
Status       : enable          
Network-Port : Ethernet1/1,Ethernet2/1
Tool-Port    : port-channel1,Ethernet8/1

Rule : 1               
++++++++++++++++++++++++++++++++++
Vlan                     : 100             
Source IP                : 1.1.1.1         
Source Mask              : 255.255.255.255 
Destination IP           : 2.2.2.2         
Destination Mask         : 255.255.255.255 
Protocol                 : udp             
Inner Source IP          : 10.10.10.1      
Inner Source Mask        : 255.255.255.255 
Inner Destination IP     : 20.20.20.2      
Inner Destination Mask   : 255.255.255.255 
Action                   : permit          
Description              : Match Expression
Counters                 : enable          
pbnoscli# 

pbnoscli# show flow counters all
Flow-Name       Rule-Id        ASIC-Stat-Id   Counter-Value
=============================================================
flow01          DropRule        40960           42156085        
flow01          1               57344           455049065       
pbnoscli#
pbnoscli# show running-config 
configure terminal
!
interface ethernet Ethernet1/1
forward-error-correction rs
type network
!
interface ethernet Ethernet2/1
forward-error-correction rs
type tool
!
interface mgmt
ip address 10.4.4.53/23 gateway 10.4.4.1
!
port-channel 1 ports Ethernet63/1,Ethernet64/1
flow flow01
network-ports Ethernet16
tool-ports Ethernet20
rule 1 permit description "Match Expression" match-expression "vlan 100 src-ip 1.1.1.1/32 dest-ip 2.2.2.2/32 protocol udp inner-sip 10.10.10.1/32 inner-dip 20.20.20.2/32" counters enable
!
pbnoscli# 
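The counter output above is the quickest way to confirm that a rule actually selects traffic: a permit rule whose Counter-Value never moves is mirroring nothing to the tool ports, and only the implicit DropRule is counting. The following parser for the show flow counters all table is an added example, not part of this documentation or of the vendor's software; the sample text it embeds is the table printed on this page, the second snapshot is constructed, and the column layout (whitespace-separated fields under a header and a line of equals signs) is taken from that sample.

```python
"""Parse `show flow counters all` and report rules whose counter did not move
between two snapshots (added example, not vendor code)."""

# Table as printed on this page; the prompt line after it is left in on
# purpose because a pasted session usually includes it.
SNAPSHOT_1 = """\
Flow-Name       Rule-Id        ASIC-Stat-Id   Counter-Value
=============================================================
flow01          DropRule        40960           42156085
flow01          1               57344           455049065
pbnoscli#
"""

# Constructed second snapshot: the DropRule kept counting, rule 1 did not.
SNAPSHOT_2 = """\
Flow-Name       Rule-Id        ASIC-Stat-Id   Counter-Value
=============================================================
flow01          DropRule        40960           42301117
flow01          1               57344           455049065
"""

HEADER = ["Flow-Name", "Rule-Id", "ASIC-Stat-Id", "Counter-Value"]


def parse_flow_counters(text):
    """Return a list of {flow, rule, stat_id, count} rows from the table."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines or lines[0].split() != HEADER:
        raise ValueError("unexpected or missing header line")
    rows = []
    for line in lines[1:]:
        stripped = line.strip()
        if set(stripped) == {"="} or stripped.endswith("#"):
            continue  # separator line or an echoed CLI prompt
        parts = stripped.split()
        if len(parts) != 4:
            raise ValueError("unexpected row: %r" % line)
        rows.append({"flow": parts[0], "rule": parts[1],
                     "stat_id": int(parts[2]), "count": int(parts[3])})
    return rows


def counter_delta(before, after):
    """Increase per (flow, rule) between two snapshots. A rule absent from
    the first snapshot counts from zero; a negative value means the counter
    was cleared or wrapped and the two snapshots are not comparable."""
    earlier = {(r["flow"], r["rule"]): r["count"] for r in before}
    return {(r["flow"], r["rule"]): r["count"] - earlier.get((r["flow"], r["rule"]), 0)
            for r in after}


def idle_rules(delta):
    """Configured rules (the implicit DropRule excluded) that matched nothing
    during the interval; these are the mirrors that are silently empty."""
    return sorted((flow, rule) for (flow, rule), inc in delta.items()
                  if rule != "DropRule" and inc == 0)


if __name__ == "__main__":
    delta = counter_delta(parse_flow_counters(SNAPSHOT_1),
                          parse_flow_counters(SNAPSHOT_2))
    for key, inc in sorted(delta.items()):
        print("%s rule %-9s +%d" % (key[0], key[1], inc))
    print("idle rules:", idle_rules(delta))
```

Taking the two snapshots a minute apart and feeding both to counter_delta is enough to tell a rule that is configured but never hit from one that is busy; with counters enabled on every rule, this check can be scripted and run after each configuration change.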
