OPBNOS R2.8
Release
  • Open Packet Broker
  • What's New?
  • Getting Started
    • Licensing
    • Limitations
    • Image Management
      • Installing OPBNOS from ONIE
      • Installing OPBNOS from USB Drive
      • Image Upgrade from OPBNOS
      • Selecting OPBNOS on next boot
      • Removing available images
      • Rebooting the Switch
    • Supported Platforms
    • Scalability
    • Downloads
  • CLI Configuration Guide
    • Configuring License
    • Configuring Hostname
    • Configuring Username
    • On-Box FlowVision
    • Configuring AAA
      • Configuring AAA
      • Configuring TACACS
      • Configuring RADIUS
    • Configure Packet Timestamping
    • Interface Management
      • Configuring Management Interface
      • Configuring Physical Interface
    • Link Layer Discovery Protocol (LLDP)
      • Enabling LLDP
      • Displaying LLDP Neighbors
    • Configuring Interface Description
    • Configuring Auto Negotiation
    • Configuring FEC
    • Configuring Maximum Transition Unit
    • Configuring Port Speed
    • Configuring Port Breakout
    • Configuring Interface Type
    • Configuring VLAN Modes
    • Configuring Loopback Mode
    • Configuring Packet Slicing
    • Configuring Ingress VLAN
    • Configuring Egress Tagging
    • Configuring Rx-only
    • Configuring Tx-only
    • Configuring An-clause
    • Configuring PortChannel
    • Configuring LAG Hash
    • Configuring Flows and Rules
      • Configuring Network Ports
      • Configuring Tool Ports
      • Configuring Flows
      • Configuring Flow Description
      • Configuring Flow Rules (NVIDIA)
      • Configuring Flow Rules (Broadcom)
      • Configuring Flow Match Expression Rules
      • Configuring Flow UDF Rules
      • Configuring Push/Pop VLAN
      • Configuring Flow Override Action(s)
      • Display Flow Information
      • Clear Flow Counters
    • Configuring GTP Flow
    • Configuring IPv6 Reachability Check
    • Configuring VXLAN Flow
    • Configuring VXLAN Stripping
    • Configuring SNMP
      • Configure SNMP community
      • Configuring SNMP Trap
      • Configuring SNMP Threshold
      • Configuring SNMP User
      • Configuring SNMP Location
      • Configuring SNMP Contact
    • Configuring SYSLOG
    • Ping
    • Traceroute
    • Configuring NTP
    • Configuring Timezone
    • Configuring sFlow
    • Display Interface Information
      • Front Panel Port Mapping
    • Display System Information
      • Interface Transceiver Information
      • System Uptime
      • Reboot Cause
      • Show Environment
      • Show System Memory
      • Show Docker Memory
      • Show Services
      • Show Platform Fan
      • Show platform pcieinfo
      • Show Platform PSU
      • Show Platform SSD
      • Show Platform Summary
      • Show Platform Syseeprom
      • Show Platform Temperature
    • Configuration Management
      • Copying Configuration from Switch
      • Copying Running and Startup Configuration
      • Saving Configuration
      • Display Configuration
      • Clearing Startup configuration
    • Zero Touch Provisioning
      • DHCP Discovery
      • ZTP Boot File
      • Enable ZTP
    • Troubleshooting
  • Aviz FlowVision Graphical User Interface Guide
    • FlowVision Controller Installation
      • FV ESXi Host Installation
      • FV VirtualBox Installation
    • System
      • Viewing the Dashboard
      • Accessing System and Device Information
      • Managing Topologies
      • Managing Devices
      • Viewing System Log
      • Managing Users
      • Performing Backup and Restore
      • Viewing Audit Logs
    • Configuration
      • Configuring Ports
      • Configuring Port Groups
      • Configuring Rule Templates
      • Configuring Vxlan Tunnel
      • Configuring Flows
      • Configuring VLAN
      • Configuring SNMP Trap
    • Statistics
      • Viewing Port Statistics
      • Viewing Flow Statistics
    • Help
  • REST API Guide
    • FLOW
    • Interface Management
    • Port Channel
    • LLDP
    • SNMP
    • System and Platform
    • Statistics
  • Use Cases
    • For Engineers
      • VxLAN Deployment (NVIDIA)
      • GTP Deployment
      • Truncation and Load Balancing
      • Ingress VLAN and Egress Tagging
      • Loopback-mode Port
      • VXLAN Stripping
      • VLAN Mode/Tag Actions
    • Command Reference
      • Converting Network-to-Tool port
      • Configuring 1G Electrical SFP
      • Enabling FlowVision On-box Support
  • Solution Integration
    • Network Visibility and Analysis with OPB, Arkime, Elasticsearch & Kibana
      • Installation Pre-Requisites
      • Solution Components
      • Configuring OPBNOS
      • Installing Arkime
      • Installing Kibana
      • Troubleshooting
  • Support
    • How to contact Aviz Networks Support?
Powered by GitBook
On this page

Was this helpful?

Export as PDF
  1. CLI Configuration Guide
  2. Configuring Flows and Rules

Configuring Flow Rules (Broadcom)

Broadcom ASIC

You can configure a rule with certain qualifiers to aggregate and filter traffic from network port(s) to tool port(s) for monitoring.

Before configuring flow rules, Network and Tool ports must be configured

Reference

Command

rule <ruleid> [ipv6] (deny | permit ) [description <cstring>] ([ethertype <etype>] [vlan <vid>] [src-ip (<ipv4> | <ipv6 > src-netmask <ipv6 >)] [dest-ip (<ipv4> | <ipv6 > dest-netmask <ipv6 >)] [protocol (tcp | udp | <ptype >)] [l4portsrc <sport>] [l4portdst <dport>] [tosval <sval >] [dscp <dval>] [ttl <tval>] [tcpctl <flags > tcpctlmask <tcpmask >] | match_all [ipv6]) [counters (enable | disable)]

no rule <ruleid>

Description

Rule configuration

Parameters

  • ruleid: It should be in the range 1 to 768

  • ipv6: used to specify an ipv6 rule

  • description: max 50 characters

  • ethertype: hexadecimal value prefix with 0x. max 4 characters.

  • vlan: VLAN id 2 to 4094

  • src-ip: source IP address

  • dest-ip: Destination IP address

  • protocol: L3 Protocol

  • l4portsrc: L4 source port for TCP or UDP

  • l4portdst: L4 source port for TCP or UDP

  • tossval: Type of Service

  • dscp: Differentiated services code point.

  • ttl: Time-to-live

  • tcpctl: TCP control flags

Mode

FLOW

Example

pbnoscli# configure terminal 
pbnoscli(config)# flow flow01
pbnoscli(config-flow-flow01)# 
  !                     Exit from the current prompt
  description           Configure description for flow
  enable                Enable the flow
  end                   Exit to exec prompt
  exit                  Exit from the current prompt
  network-ports         Configure network or TAP ports
  no                    no form
  rule                  Configure rule
  show                  Show commands
  tool-ports            Configure network tool or analyzer ports
  top                   Exit to the configuration prompt
pbnoscli(config-flow-flow01)# rule 1 
  action                Add rule specific action
  deny                  Deny traffic
  ipv6                  IPv6 Rule
  permit                Permit traffic
pbnoscli(config-flow-flow01)# rule 1 ipv6   
  deny                  Deny traffic
  permit                Permit traffic
pbnoscli(config-flow-flow01)# rule 1 ipv6 
pbnoscli(config-flow-flow01)# rule 1 permit 
  <cr>
  counters              Enable counters
  description           Add description within double quotes
  dest-ip               Destination IP address
  dscp                  Differentiated services code point
  ethertype             ethernet type, 0x800, 0x8100
  l4portdst             L4 destination port
  l4portsrc             L4 source port
  match-all             Match all
  protocol              IP protocol
  src-ip                Source IP address
  tcpctl                TCP Control Flags
  tosval                Type of Service
  ttl                   Time-to-live
  vlan                  Vlan Identifier
pbnoscli(config-flow-flow01)# rule 1 permit src-ip 10.10.0.0/24 dest-ip 20.0.20.0/24 counters enable 

//to remove a rule
pbnoscli(config-flow-flow01)# no rule 1
pbnoscli(config-flow-flow01)#

You can verify the configuration by using the command(s) below:

pbnoscli# show flow summary 
Flow-Name       Rule-Id        Status      Counter-Value
=========================================================
flow01          1             Active          1671               

pbnoscli# show flow flow01

===================================
Flow : flow01 (CLI)
===================================
Status       : enable          
Network-Port : Ethernet1/1,Ethernet2/1
Tool-Port    : port-channel1,Ethernet8/1

Rule : 1               
++++++++++++++++++++++++++++++++++
Action                   : permit          
Source IP                : 10.10.0.0       
Source Mask              : 255.255.255.0   
Destination IP           : 20.0.20.0       
Destination Mask         : 255.255.255.0   
Counters                 : enable          
pbnoscli# 
\\Configuring IPv4 rules
pbnoscli# show running-config 
configure terminal
port-channel 1 ports Ethernet63/1,Ethernet64/1
!
interface ethernet Ethernet1/1
forward-error-correction rs
type network
!
interface ethernet Ethernet2/1
forward-error-correction rs
type network
!
interface mgmt
ip address 10.4.4.53/23 gateway 10.4.4.1
!
flow flow01
description "--Flow Description--"
network-ports Ethernet1/1,Ethernet2/1
tool-ports port-channel1,Ethernet8/1
rule 1 permit src-ip 10.10.0.0/24 dest-ip 20.0.20.0/24 counters enable
!
pbnoscli# 
\\Configuring IPv6 rules
pbnoscli# show running-config 
configure terminal
port-channel 1 ports Ethernet63/1,Ethernet64/1
!
interface ethernet Ethernet1/1
forward-error-correction rs
type network
!
interface ethernet Ethernet2/1
forward-error-correction rs
type network
!
interface mgmt
ip address 10.4.4.53/23 gateway 10.4.4.1
!
flow flow01
description "--Flow Description--"
network-ports Ethernet1/1,Ethernet2/1
tool-ports port-channel1,Ethernet8/1
rule 1 ipv6 permit src-ip 2401::1 src-netmask f::f dest-ip 2401::2 dest-netmask f::f counters enable
!
pbnoscli#
PreviousConfiguring Flow Rules (NVIDIA)NextConfiguring Flow Match Expression Rules

Last updated 2 months ago

Was this helpful?