Configuring vFlows to Filter Packets on Management Interfaces


The Pluribus Networks switches support administrative services and protocols such as SSH, HTTP, SSL, ICMP, etc. (for all supported protocols, see the show command output below). The management vflow feature uses IPTables to filter management interface traffic based on the configured filter parameters.

The management traffic on Pluribus switches is handled in two ways:


  • Out-of-band management interface traffic: uses IPTables to perform kernel-based filtering
  • In-band management interface traffic: uses a vflow-based programming approach


In dual-stack networks, both IPv4 and IPv6 filters can be used on the management port (in-band/out-of-band). By default, the management interfaces allow all SSH, NFS, and SNMP traffic and deny all web traffic, as displayed in the command output below:

 

CLI (network-admin@spine1) > admin-service-show

if   ssh nfs web web-ssl web-ssl-port web-port snmp net-api icmp
---- --- --- --- ------- ------------ -------- ---- ------- ----
mgmt on  on  off off     443          80       on   on      on
data on  on  off off     443          80       on   on      on

 


This feature uses the existing vflow commands to add filters on the out-of-band and in-band management interfaces that are specific to these administrative services. The vflow rules use precedence numbering to maintain the order of the filters, which enforces each rule at a specific position in the IPTables. However, when you configure vflow rules, make sure that they do not conflict with the system rules, because the system rules may take precedence over the user-configured vflow rules.


While configuring the vflow rules, be aware of the following configuration considerations:


  • The parameter if is used to configure management vflows.
  • The vflow rules support only permit and drop actions.
  • The order of the configuration aligns with the order in which the rules are programmed. However, you can re-arrange the rules using precedence.
  • The vflow rules take precedence in both IPTables and TCAM as follows:
      • By default, the vflow rules have a precedence value of four (4).
      • The implicit drop priority is always lower than that of the user-configured management vflows.
      • The IPTables filter is added such that it precedes the existing system rule.
  • The following scaling numbers apply:
      • For in-band traffic: the egress TCAM table limit of 256 entries, or as per the hardware limits.
      • For out-of-band traffic: the IPTables scale limit applies.

 

To create a vflow with the following parameters, use the command:

 

CLI (network-admin@Spine1) > vflow-create name <mgmt_flow> if <mgmt|data> scope <local|fabric> src-ip <IP> src-mask <MASK> dstip <IP> dst-mask <MASK> proto <num_or_name> src-port <src-port-number> dst-port <dst-port-number> action <permit|drop> precedence <num>

 

name         Name of the vFlow that you are creating
if           Specify the vflow administrative service as management or data
scope        Specify the scope as local or fabric
src-ip       Specify the source IP address
src-mask     Specify the source IP address mask
dstip        Specify the destination IP address
dst-mask     Specify the destination IP mask
proto        Specify the name or number of the protocol
src-port     Specify the Layer 3 protocol source port for the vFlow
dst-port     Specify the Layer 3 protocol destination port for the vFlow
action       Specify the action, whether to drop the packet or allow/permit the flow of packets
precedence   Specify the traffic priority value. The default values range between 2 and 15.

 

To delete a vflow, use the command:


CLI (network-admin@spine1) > vflow-delete name <mgmt_flow>

 

To modify the vflow rule, use the command:


CLI (network-admin@spine1) > vflow-modify name <mgmt_flow> if <mgmt|data> src-ip <IP> src-mask <MASK> dstip <IP> dst-mask <MASK> proto <num_or_name> src-port <num> dst-port <num> action <permit|drop> precedence <num>

 

To display the configured vflow rules from the IPTables, use the command:


CLI (network-admin@spine1) > vflow-mgmt-show name <string>

 

The following example displays an in-band filter configured in the Egress Content Aware Processing (ECAP) TCAM for two IPv4 addresses, where the vflow filters block the SSH connection from the source IP address 10.10.10.19, whereas the SSH connection from the IP address 10.10.10.20 is allowed:

 

CLI (network-admin@spine1) > switch-local vflow-show

name   scope type  in-port src-ip      dst-port precedence action enable
------ ----- ----- ------- ----------- -------- ---------- ------ ------
fdata  local vflow 73      10.10.10.20 22       4          none   enable
fdata1 local vflow 73      10.10.10.19 22       4          drop   enable
tcp_22 local vflow 73                  22       default    drop   enable
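As an added example (not from the Pluribus documentation), the following Python script models the first-match evaluation of the in-band filter set shown above, so that a rule set can be checked offline before it is committed on the switch. It assumes that user vflows are evaluated before the implicit system drops, that a higher precedence value is evaluated first, and that an action of none passes the packet; the Vflow class and the evaluate function are hypothetical helpers, not Netvisor commands.

```python
# Added example, not Pluribus code: first-match model of the in-band management
# filters from the vflow-show example on this page. Assumptions (not stated on the
# page): user vflows are evaluated before the implicit system drops, a higher
# precedence value is evaluated first, and an action of "none" passes the packet.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vflow:
    name: str
    action: str                       # "permit", "drop" or "none"
    src_ip: Optional[str] = None      # "addr/mask"; None matches any source
    proto: Optional[str] = None       # "tcp", "udp", ...; None matches any
    dst_port: Optional[int] = None    # None matches any destination port
    precedence: Optional[int] = None  # None = default (used by implicit drops)
    implicit: bool = False            # system rule, e.g. tcp_22

    def matches(self, src: str, proto: str, dport: int) -> bool:
        if self.src_ip is not None:
            net = ipaddress.ip_network(self.src_ip, strict=False)
            if ipaddress.ip_address(src) not in net:
                return False
        if self.proto is not None and self.proto != proto:
            return False
        return self.dst_port is None or self.dst_port == dport


def order(rules):
    # Page: implicit drop priority is always lower than user-configured vflows.
    return sorted(rules, key=lambda r: (r.implicit, -(r.precedence or 0)))


def evaluate(rules, src: str, proto: str, dport: int):
    """Return (rule name, verdict) of the first match; no match means no filter."""
    for r in order(rules):
        if r.matches(src, proto, dport):
            return r.name, ("drop" if r.action == "drop" else "permit")
    return "-", "permit"


# Constructed from the page's switch-local vflow-show example.
INBAND = [
    Vflow("fdata", "none", src_ip="10.10.10.20/32", proto="tcp", dst_port=22, precedence=4),
    Vflow("fdata1", "drop", src_ip="10.10.10.19/32", proto="tcp", dst_port=22, precedence=4),
    Vflow("tcp_22", "drop", proto="tcp", dst_port=22, implicit=True),
]

if __name__ == "__main__":
    for src in ("10.10.10.20", "10.10.10.19", "10.10.10.21"):
        print(src, "ssh ->", evaluate(INBAND, src, "tcp", 22))
```

Running it shows that only 10.10.10.20 reaches SSH: 10.10.10.19 is caught by fdata1, and any other source falls through to the implicit tcp_22 drop.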

 

 

The following example displays out-of-band management filters:


CLI (network-admin@spine1) > vflow-mgmt-show

name                             scope type    src-ip                       dst-port precedence action enable
-------------------------------- ----- ------- ---------------------------- -------- ---------- ------ ------
data1                            local iptable 153.1.1.120/255.255.255.255  22       15                enable
implicitv4_drop_tcp_22_vmgmt0    local iptable                              22       15         drop   enable
mgmt_ipv4                        local iptable 2.1.1.1                               default    none   enable
implicitv4_drop_icmp_vmgmt0      local iptable                              0        15         drop   enable
mgmt1_ipv6                       local iptable 2000::2/ffff:ffff:ffff:ffff::          default    none   enable
mgmt_ipv6                        local iptable 2000::1/ffff:ffff:ffff:ffff::          default    none   enable
implicitv6_drop_ipv6-icmp_vmgmt0 local iptable                              0        15         drop   enable

 

 

To display the packet and byte counts from the IPTables, use the command:


CLI (network-admin@spine1) > vflow-mgmt-stats-show name <string>

 

CLI (network-admin@spine1) > vflow-mgmt-stats-show

switch  name                             pkts bytes
------- -------------------------------- ---- -----
spine1  data1                            0    0
spine1  implicitv4_drop_tcp_22_vmgmt0    16   976
spine1  mgmt_ipv4                        0    0
spine1  implicitv4_drop_icmp_vmgmt0      29   2.38K
spine1  mgmt1_ipv6                       0    0
spine13 mgmt_ipv6                        0    0
spine1  implicitv6_drop_ipv6-icmp_vmgmt0 0    0

 

To clear the packet and byte counters of the IPTables rules, use the command:


CLI (network-admin@spine1) > vflow-mgmt-stats-clear name <string>

 

The same in-band example, displayed with the if column, which identifies the interface (mgmt or data) on which each vflow is applied:

 

CLI (network-admin@spine1) > switch-local vflow-show

name   scope type  in-port src-ip      dst-port precedence action enable if
------ ----- ----- ------- ----------- -------- ---------- ------ ------ ----
fdata  local vflow 73      10.10.10.20 22       4          none   enable data
fdata1 local vflow 73      10.10.10.19 22       4          drop   enable data
tcp_22 local vflow 73                  22       default    drop   enable data