Support for TCP Parameters using vFlows

Packet Broker requires the ability to create flows based on TCP control bits in a packet. The vflow-create and vflow-modify commands have a new option, tcp-flags. The supported TCP control bits include FIN, SYN, RST, PUSH, ACK, and URG.

Setting the ACK bit is supported only when it is combined with other TCP bits such as SYN and FIN, not as a single parameter.

Only the to-port and mirror actions are supported by vFlows with a tcp-flags filter. The actions added for vFlows with tcp-flags configured are mirror-to-port. If analytics is enabled, then copy-to-cpu is also applied on the same vFlow. These flows are created with a precedence of 3 or above. System vFlows are created with precedence 2 so that analytics continues to work even with these vFlows.

To create a vFlow for the default system table, use the following syntax:

CLI (network-admin@Spine1)> vflow-create name Redirect-TCP-Reset tcp-flags RST action to-port

CLI (network-admin@Spine1)> vflow-create name Redirect-TCP-ECN-Capable tcp-flags ECN,RST action to-port

CLI (network-admin@Spine1)> vflow-create name Mirror-TCP-Finished tcp-flags FIN action mirror
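A pre-flight check for the tcp-flags constraints described above, as an added example that is not part of the original page or the product's own tooling. The function name lint_vflow is hypothetical, the last two sample commands are constructed, and the parser assumes every option takes exactly one value. It reports flags that are outside the list given on this page (ECN in the second command above, for instance) rather than deciding whether the switch accepts them.

```python
# Values taken from the text above; anything else is reported, not guessed at.
DOCUMENTED_FLAGS = {"FIN", "SYN", "RST", "PUSH", "ACK", "URG"}
DOCUMENTED_ACTIONS = {"to-port", "mirror"}


def lint_vflow(command):
    """Return a list of findings for one vflow-create/vflow-modify line."""
    tokens = command.split()
    # Skip a pasted prompt such as "CLI (network-admin@Spine1)>".
    for i, tok in enumerate(tokens):
        if tok.endswith(("vflow-create", "vflow-modify")):
            tokens = tokens[i + 1:]
            break
    else:
        return ["not a vflow-create or vflow-modify command"]
    # Assumption: options are "key value" pairs, as in the commands on this page.
    opts = dict(zip(tokens[0::2], tokens[1::2]))
    if "tcp-flags" not in opts:
        return []  # the rules checked here only apply to tcp-flags vFlows
    findings = []
    flags = [f.upper() for f in opts["tcp-flags"].split(",") if f]
    unknown = [f for f in flags if f not in DOCUMENTED_FLAGS]
    if unknown:
        findings.append("flag(s) not in the documented list: " + ",".join(unknown))
    if set(flags) == {"ACK"}:
        findings.append("ACK must be combined with another TCP bit")
    action = opts.get("action")
    if action not in DOCUMENTED_ACTIONS:
        findings.append("action %r is not to-port or mirror" % action)
    return findings


SAMPLES = [
    "vflow-create name Redirect-TCP-Reset tcp-flags RST action to-port",
    "vflow-create name Redirect-TCP-ECN-Capable tcp-flags ECN,RST action to-port",
    "vflow-create name Mirror-TCP-Finished tcp-flags FIN action mirror",
    "vflow-create name Ack-Only tcp-flags ACK action to-port",   # constructed
    "vflow-create name Drop-Syn tcp-flags SYN action drop",      # constructed
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", lint_vflow(line) or "ok")
```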

 

You can use the vflow-table-show command to display vFlow tables:

CLI (network-admin@Spine1)> vflow-table-show format all layout vertical

switch:          Spine1
name:            Egress-Table-1-0
id:              a0000d7:1
flow-max:        1024
flow-used:       0
flow-tbl-slices: 1
capability:      match-metadata
flow-tbl-bank:   Egress
flow-profile:    system

switch:          Spine1
name:            Decap-Table-1-0
id:              a0000d7:2
flow-max:        1024
flow-used:       0
flow-tbl-slices: 2
capability:      none
flow-tbl-bank:   Match-Metadata
flow-profile:    vxlan

switch:          tac-f64-sw5
name:            OpenFlow-L2-L3-1-0
id:              a0000d7:3
flow-max:        1024
flow-used:       0
flow-tbl-slices: 7
capability:      none
flow-tbl-bank:   Match-Metadata
flow-profile:    openflow