Configuring vFlows to Filter Packets on Management Interfaces
The Pluribus Networks switches support administrative services and protocols such as SSH, HTTP, SSL, and ICMP (for the full list of supported protocols, see the show command output below). The management vflow feature uses IPTables to filter traffic on the management interfaces according to the configured filter parameters.
The management traffic on Pluribus switches is handled in two ways:
- Out-of-band management interface traffic: uses IPTables to perform kernel-based filtering.
- In-band management interface traffic: uses a vflow-based programming approach.
In dual-stack networks, both IPv4 and IPv6 filters can be used on the management port (in-band or out-of-band). By default, the management traffic allows all SSH, NFS, and SNMP traffic and denies all web traffic, as displayed in the command output below:
 
CLI (network-admin@spine1) > admin-service-show

switch if   ssh nfs web web-ssl web-ssl-port web-port snmp net-api icmp
------ ---- --- --- --- ------- ------------ -------- ---- ------- ----
spine1 mgmt on  on  off off     443          80       on   on      on
spine1 data on  on  off off     443          80       on   on      on
 
This feature uses the existing vflow commands to add filters on the out-of-band and in-band management interfaces that are specific to these administrative services. The vflow rules use precedence numbering to maintain the order of the filters and to enforce rules at specific locations in the IPTables. However, when you configure vflow rules, make sure that they do not conflict with the system rules, because the system rules may take precedence over the user-configured vflow rules.
While configuring the vflow rules, be aware of the following considerations:
- The parameter if is used to configure management vflows.
- The vflow rules support only the permit and drop actions.
- The order of configuration is the order in which the rules are programmed. However, you can re-arrange the rules using precedence.
- The precedence of the vflow rules in both IPTables and TCAM follows these rules:
  - By default, the vflow rules have a precedence value of four (4).
  - The implicit drop priority is always lower than that of the user-configured management vflows.
  - An IPTables filter is added such that it precedes the existing system rule.
- The following scaling numbers apply:
  - For in-band traffic: the egress TCAM table limit of 256 entries, or as per hardware limits.
  - For out-of-band traffic: the IPTables scale limitation applies.
 
To create a vflow with the following parameters, use the command:
CLI (network-admin@spine1) > vflow-create name <mgmt_flow> if <mgmt|data> scope <local|fabric> src-ip <IP> src-mask <MASK> dstip <IP> dst-mask <MASK> proto <num_or_name> src-port <src-port-number> dst-port <dst-port-number> action <permit|drop> precedence <num>
 
Parameter   Description
----------  ------------------------------------------------------------------
name        Name of the vFlow that you are creating.
if          Specify the vflow administrative service as management or data.
scope       Specify the scope as local or fabric.
src-ip      Specify the source IP address.
src-mask    Specify the source IP address mask.
dstip       Specify the destination IP address.
dst-mask    Specify the destination IP mask.
proto       Specify the name or number of the protocol.
src-port    Specify the Layer 3 protocol source port for the vFlow.
dst-port    Specify the Layer 3 protocol destination port for the vFlow.
action      Specify the action: drop the packet, or permit the flow of packets.
precedence  Specify the traffic priority value. The default values range between 2 and 15.
 
 
To delete a vflow, use the command:
CLI (network-admin@spine1) > vflow-delete name <mgmt_flow>

To modify a vflow rule, use the command:
CLI (network-admin@spine1) > vflow-modify name <mgmt_flow> if <mgmt|data> src-ip <IP> src-mask <MASK> dstip <IP> dst-mask <MASK> proto <num_or_name> src-port <num> dst-port <num> action <permit|drop> precedence <num>

To display the configured vflow rules from the IPTables, use the command:
CLI (network-admin@spine1) > vflow-mgmt-show name <string>
 
The following example displays an in-band filter configured in the Egress Content Aware Processing (ECAP) TCAM for two IPv4 addresses, where the vflow filters block the SSH connection from the source IP address 10.10.10.19 and allow the SSH connection from the source IP address 10.10.10.20:

CLI (network-admin@spine1) > switch-local vflow-show

switch name   scope type  in-port src-ip      dst-port proto burst-size precedence action enable if
------ ------ ----- ----- ------- ----------- -------- ----- ---------- ---------- ------ ------ ----
spine1 fdata  local vflow 73      10.10.10.20 22       tcp   auto       4          none   enable data
spine1 fdata1 local vflow 73      10.10.10.19 22       tcp   auto       4          drop   enable data
spine1 tcp_22 local vflow 73                  22       tcp   auto       default    drop   enable data
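To make the ordering and matching considerations above concrete, here is a small Python model of how a set of management vflows is evaluated. It is an added example written for this page, not Netvisor code, and it does not reproduce the switch's actual IPTables or TCAM programming. It takes the three rules from the switch-local vflow-show output above, evaluates sample packets against them, and applies the stated constraints: only permit and drop are accepted, precedence values must lie in 2..15 with 4 as the default, the implicit drop is consulted only after every user rule, and in-band rule counts are checked against the 256-entry TCAM limit. Two points are assumptions of the example rather than statements from the page: rules are evaluated in ascending precedence order with configuration order breaking ties, and the rule fdata (listed with action none in the output) is modelled as permit. The example also goes beyond the page by applying src-mask as an integer mask, so the IPv6 colon-hex masks seen in the out-of-band output (ffff:ffff:ffff:ffff::) are handled the same way as IPv4 dotted masks.

```python
"""Model of management-vflow evaluation: permit/drop only, precedence
ordering, implicit drop at the lowest priority, in-band TCAM scale check.
Added example for this page; not Netvisor code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_PRECEDENCE = 4            # page: default vflow precedence is 4
PRECEDENCE_RANGE = range(2, 16)   # page: values range between 2 and 15
INBAND_TCAM_LIMIT = 256           # page: egress TCAM limit for in-band filters
IMPLICIT_DROP = "implicit_drop"   # name used here for the implicit drop (assumption)


@dataclass
class Rule:
    name: str
    action: str                      # only "permit" or "drop" are accepted
    proto: str = "any"               # e.g. "tcp", "udp", "icmp", "icmpv6"
    src_ip: Optional[str] = None     # None = any source address
    src_mask: Optional[str] = None   # dotted or colon-hex mask; None = host mask
    dst_port: Optional[int] = None   # None = any destination port
    precedence: int = DEFAULT_PRECEDENCE

    def __post_init__(self) -> None:
        if self.action not in ("permit", "drop"):
            raise ValueError(f"{self.name}: action must be permit or drop")
        if self.precedence not in PRECEDENCE_RANGE:
            raise ValueError(f"{self.name}: precedence must be between 2 and 15")


def _masked(addr: str, mask: Optional[str]) -> Tuple[int, int, int]:
    """Return (IP version, address AND mask, mask) as integers. Applying the
    mask as an integer works for IPv4 dotted masks and IPv6 colon-hex masks."""
    ip = ipaddress.ip_address(addr)
    mask_int = int(ipaddress.ip_address(mask)) if mask else (1 << ip.max_prefixlen) - 1
    return ip.version, int(ip) & mask_int, mask_int


def matches(rule: Rule, src: str, proto: str, dst_port: Optional[int]) -> bool:
    """True if a packet (source address, protocol, destination port) hits the rule."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dst_port is not None and rule.dst_port != dst_port:
        return False
    if rule.src_ip is not None:
        version, net, mask_int = _masked(rule.src_ip, rule.src_mask)
        pkt = ipaddress.ip_address(src)
        if pkt.version != version or (int(pkt) & mask_int) != net:
            return False
    return True


def ordered(rules: List[Rule]) -> List[Rule]:
    """Assumption: lower precedence number is checked first; ties keep the
    configuration order (sorted() is stable), matching the page's statement
    that configuration order applies unless rearranged by precedence."""
    return sorted(rules, key=lambda r: r.precedence)


def evaluate(rules: List[Rule], src: str, proto: str,
             dst_port: Optional[int] = None) -> Tuple[str, str]:
    """First matching rule wins; the implicit drop sits below all user rules."""
    for rule in ordered(rules):
        if matches(rule, src, proto, dst_port):
            return rule.name, rule.action
    return IMPLICIT_DROP, "drop"


def check_inband_scale(rules: List[Rule]) -> int:
    """Page: in-band filters are bounded by the 256-entry egress TCAM."""
    if len(rules) > INBAND_TCAM_LIMIT:
        raise ValueError(f"{len(rules)} in-band rules exceed the TCAM limit of {INBAND_TCAM_LIMIT}")
    return len(rules)


# Rules taken from the switch-local vflow-show example on this page. The show
# output lists action "none" for fdata; it is modelled as permit here (assumption).
INBAND_RULES = [
    Rule("fdata", "permit", "tcp", "10.10.10.20", "255.255.255.255", 22, 4),
    Rule("fdata1", "drop", "tcp", "10.10.10.19", "255.255.255.255", 22, 4),
    Rule("tcp_22", "drop", "tcp", None, None, 22),   # precedence "default" = 4
]

# IPv6 rule in the mask form shown by vflow-mgmt-show (action assumed permit).
OOB_RULES = [
    Rule("mgmt_ipv6", "permit", "icmpv6", "2000::1", "ffff:ffff:ffff:ffff::"),
]

if __name__ == "__main__":
    check_inband_scale(INBAND_RULES)
    for src in ("10.10.10.19", "10.10.10.20", "10.10.10.21"):
        print(src, "tcp/22 ->", evaluate(INBAND_RULES, src, "tcp", 22))
    print("2000::1:abcd icmpv6 ->", evaluate(OOB_RULES, "2000::1:abcd", "icmpv6"))
```

Running the script shows 10.10.10.19 hitting fdata1 (drop), 10.10.10.20 hitting fdata (permit), and any other source falling through to tcp_22; traffic that no user rule matches lands on the implicit drop.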
 
The following example displays the out-of-band management filters:
CLI (network-admin@spine1) > vflow-mgmt-show

name                             scope type    src-ip                        dst-port proto  burst-size precedence action enable if
-------------------------------- ----- ------- ----------------------------- -------- ------ ---------- ---------- ------ ------ ----
data1                            local iptable 153.1.1.120/255.255.255.255   22       tcp    auto       15                enable mgmt
implicitv4_drop_tcp_22_vmgmt0    local iptable                               22       tcp               15         drop   enable mgmt
mgmt_ipv4                        local iptable 2.1.1.1                                icmp   auto       default    none   enable mgmt
implicitv4_drop_icmp_vmgmt0      local iptable                               0        icmp              15         drop   enable mgmt
mgmt1_ipv6                       local iptable 2000::2/ffff:ffff:ffff:ffff::          icmpv6 auto       default    none   enable mgmt
mgmt_ipv6                        local iptable 2000::1/ffff:ffff:ffff:ffff::          icmpv6 auto       default    none   enable mgmt
implicitv6_drop_ipv6-icmp_vmgmt0 local iptable                               0        icmpv6            15         drop   enable mgmt

To display the packet and byte counts from the IPTables, use the command:
CLI (network-admin@spine1) > vflow-mgmt-stats-show name <string>

CLI (network-admin@spine1) > vflow-mgmt-stats-show

switch  name                             pkts bytes
------- -------------------------------- ---- -----
spine1  data1                            0    0
spine1  implicitv4_drop_tcp_22_vmgmt0    16   976
spine1  mgmt_ipv4                        0    0
spine1  implicitv4_drop_icmp_vmgmt0      29   2.38K
spine1  mgmt1_ipv6                       0    0
spine13 mgmt_ipv6                        0    0
spine1  implicitv6_drop_ipv6-icmp_vmgmt0 0    0

To clear all the IPTable rules, use the command:
CLI (network-admin@spine1) > vflow-mgmt-stats-clear name <string>
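The stats output is the natural place to check whether traffic is hitting the implicit drop rules, which is where unexpected connection attempts against the management port surface. The following Python is an added example, not a Netvisor tool: it parses the vflow-mgmt-stats-show output shown above (embedded as a constructed sample copied from the page), expands the abbreviated byte counts, lists the implicit drop rules with non-zero packet counts, and computes the growth in matched packets between two samples. Reading 2.38K as 2380 (decimal K) and treating a counter that is smaller in the later sample as having been cleared are assumptions of this example, not statements from the page.

```python
"""Parse vflow-mgmt-stats-show output and report hits on management filters.
Added example for this page; not Netvisor code."""
import re
from typing import Dict, List, NamedTuple

# Constructed sample: the vflow-mgmt-stats-show output shown on this page.
SAMPLE_STATS = """\
switch name pkts bytes
--------- ---------- ------- --------
spine1 data1 0 0
spine1 implicitv4_drop_tcp_22_vmgmt0 16 976
spine1 mgmt_ipv4 0 0
spine1 implicitv4_drop_icmp_vmgmt0 29 2.38K
spine1 mgmt1_ipv6 0 0
spine13 mgmt_ipv6 0 0
spine1 implicitv6_drop_ipv6-icmp_vmgmt0 0 0
"""

# Assumption: the CLI abbreviates large counters with decimal suffixes (K = 1000).
SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}


class Counter(NamedTuple):
    switch: str
    name: str
    pkts: int
    nbytes: int


def parse_count(token: str) -> int:
    """Expand '976' or '2.38K' into an integer count."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", token)
    if not m:
        raise ValueError(f"unrecognised counter value: {token!r}")
    return int(round(float(m.group(1)) * SUFFIX[m.group(2)]))


def parse_stats(text: str) -> List[Counter]:
    """Turn the four-column show output into Counter rows, skipping the
    header line, the dashed separator and blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "switch" or parts[0].startswith("-"):
            continue
        switch, name, pkts, nbytes = parts
        rows.append(Counter(switch, name, parse_count(pkts), parse_count(nbytes)))
    return rows


def implicit_drop_hits(rows: List[Counter]) -> Dict[str, int]:
    """Packet counts of the implicit drop rules that have matched anything.
    The page's naming scheme (implicitv4_... / implicitv6_...) selects them."""
    return {r.name: r.pkts for r in rows if r.name.startswith("implicit") and r.pkts > 0}


def packet_growth(before: List[Counter], after: List[Counter]) -> Dict[str, int]:
    """Packets matched per rule between two samples. A counter that is smaller
    in the later sample is assumed to have been cleared in between, so its
    growth is the new value itself."""
    prev = {(r.switch, r.name): r.pkts for r in before}
    growth = {}
    for r in after:
        old = prev.get((r.switch, r.name), 0)
        growth[r.name] = r.pkts if r.pkts < old else r.pkts - old
    return growth


if __name__ == "__main__":
    rows = parse_stats(SAMPLE_STATS)
    for name, pkts in implicit_drop_hits(rows).items():
        print(f"{name}: {pkts} packets hit the implicit drop")
```

Run periodically, packet_growth between two captures gives the per-rule hit rate, and a rising count on an implicit drop rule for SSH or ICMP is the signal worth alerting on, since by design nothing legitimate should be landing there.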