Release

Configuring Flow UDF Rules

User Defined Filtering can be considered an inspection of a packet based on offset values. An ACL can be defined with UDF matching capabilities to give granularity and flexibility when identifying traffic patterns. It is often used for deeper packet analysis. Typical use cases include finding patterns inside the inner header when packets are tunnelled.

Using UDF, users can configure a rule to match specific bytes in the ingress packet based on a given offset to permit or deny matched packets

  • Offset for the L3 packet starts from the IP header in the packet

  • offset for the L2 packet starts from EtherType in the packet

Note: The maximum length that can be matched is 40 characters (i.e. 20 bytes), and the minimum is 4 characters (i.e. 2 bytes), excluding the "0x" prefix. The character string must be an even number of characters.

Before configuring flow rules, Network and Tool ports must be configured

This feature is supported only on NVIDIA spectrum-2/3 platforms

UDF and GTP can not be configured together on a device

Reference

Command

rule <rule-id> ((deny | permit) [description ] [udf-data udf-extraction-group (l2 | l3 [udf-extraction-point ]) udf-offset ] [counters (enable | disable )]

no rule <ruleid>

Description

Rule configuration

Parameters

  • ruleid: It should be in the range 1 to 6000

  • description: max 50 characters

  • udf-data: data bytes that need to be matched with the incoming packet

  • udf-extraction-group:

    • l2 - match from l2 header ethertype field

    • l3 - match from start of IPV4 or IPV6 header

  • udf-extraction point: (applies for only l3 extraction point) set extraction point from start of IPV4 or IPV6 header

  • udf-offset: offset from which bytes will be monitored from extraction point

  • counters: can be enabled or disabled

Mode

FLOW

Example

pbnoscli# configure terminal 
pbnoscli(config)# flow flow01
pbnoscli(config-flow-flow01)# 
  !                     Exit from the current prompt
  description           Configure description for flow
  enable                Enable the flow
  end                   Exit to exec prompt
  exit                  Exit from the current prompt
  network-ports         Configure network or TAP ports
  no                    no form
  pop-vlan              Pop Vlan Tag
  push-vlan-tag         Push VLAN tag
  rule                  Configure rule
  show                  Show commands
  tool-ports            Configure network tool or analyzer ports
  top                   Exit to the configuration prompt
pbnoscli(config-flow-flow01)# rule 1 permit description "UDF" udf-data 0xb166 udf-extraction-group l2 udf-offset 2 counters enable
pbnoscli(config-flow-flow01)# rule 2 permit description "UDF" udf-data 0x4500 udf-extraction-group l3 udf-extraction-point ipv4 udf-offset 0 counters enable 
pbnoscli(config-flow-flow01)# end

You can verify the configuration by using the command(s) below:

pbnoscli# show flow all
===================================
Flow : flow01 (CLI)
===================================
Status       : enable          
Network-Port : Ethernet1/1     
Tool-Port    : Ethernet2/1     

Rule : 1               
++++++++++++++++++++++++++++++++++
Action                   : permit          
Description              : UDF             
UDF Data                 : 0xb166          
UDF Extraction Group     : l2              
UDF Offset               : 2               
Counters                 : enable          

Rule : 2               
++++++++++++++++++++++++++++++++++
Action                   : permit          
Description              : UDF             
UDF Data                 : 0x4500          
UDF Extraction Group     : l3              
UDF Extraction Point     : ipv4            
UDF Offset               : 0               
Counters                 : enable          
pbnoscli# 
 

pbnoscli# show flow counters all
Flow-Name       Rule-Id        ASIC-Stat-Id   Counter-Value
=============================================================
flow01          2               98304           503378220       
flow01          DropRule        73728           4390145               
flow01          1               90112           2270112825               
pbnoscli# 
pbnoscli# show running-config 
configure terminal
!
interface ethernet Ethernet1/1
forward-error-correction rs
type network
!
interface ethernet Ethernet2/1
forward-error-correction rs
type tool
!
interface mgmt
ip address 10.4.4.53/23 gateway 10.4.4.1
!
flow flow01
network-ports Ethernet1/1
tool-ports Ethernet2/1
rule 1 permit description "UDF" udf-data 0xb166 udf-extraction-group l2 udf-offset 2 counters enable
rule 2 permit description "UDF" udf-data 0x4500 udf-extraction-group l3 udf-extraction-point ipv4 udf-offset 0 counters enable 
!
pbnoscli#
PreviousConfiguring Flow Match Expression RulesNextConfiguring Push/Pop VLAN