Configuring vFlows with User Defined Fields (UDFs) 


Netvisor allows you to define policy filters through an arbitrary set of matching qualifiers, as explained in the Filtering of Traffic Flows section. One of those qualifiers is the User Defined Field (UDF).


A UDF can match up to 128 bytes of a packet, starting from the first byte of the packet. The length of the match can be from 1 to 4 bytes. Hardware with a Trident chip supports the creation of 8 UDF IDs, and each ID can match a 2-byte portion of a packet. Creating a UDF with a length of 3 or 4 bytes therefore requires 2 UDF IDs, whereas a UDF with a length of 1 or 2 bytes requires 1 UDF ID. The length specified for each UDF thus determines the total number of UDFs supported by Netvisor One: if you specify a length of 3 or 4 bytes, a maximum of 4 UDFs can be created; if you specify a length of 1 or 2 bytes, a maximum of 8 UDFs can be created.


Limitation: The UDF offset range supported for the packet-start header type is 0-63. This limitation applies to all NRU03 platforms.
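The ID accounting and limits described above are easy to get wrong when planning several UDFs at once. The following added example (not Netvisor code; it only encodes the numbers stated on this page: 8 UDF IDs on Trident hardware, 2 bytes per ID, the 128-byte match window, and the 0-63 packet-start offset range on NRU03) checks a planned set of UDFs before any udf-create command is typed. The Udf class, udf_id_cost, check_udf and plan_udfs are names chosen for this example.

```python
# Added example (not Netvisor code): check a planned set of UDFs against the
# limits described on this page before running udf-create.
from dataclasses import dataclass

TOTAL_UDF_IDS = 8             # UDF IDs available on Trident-based hardware
MATCH_WINDOW_BYTES = 128      # a UDF can match within the first 128 bytes
NRU03_PACKET_START_MAX = 63   # highest packet-start offset on NRU03 platforms


@dataclass(frozen=True)
class Udf:
    """One udf-create entry: name, offset and length in bytes, header type."""
    name: str
    offset: int
    length: int
    header: str = "packet-start"


def udf_id_cost(length: int) -> int:
    """Each hardware UDF ID covers 2 bytes: 1-2 byte UDFs use one ID, 3-4 byte UDFs use two."""
    if not 1 <= length <= 4:
        raise ValueError(f"UDF length must be 1..4 bytes, got {length}")
    return 1 if length <= 2 else 2


def check_udf(udf: Udf, nru03: bool = True) -> list:
    """Return the limit violations for a single UDF (empty list when it is valid)."""
    problems = []
    if not 1 <= udf.length <= 4:
        problems.append(f"{udf.name}: length {udf.length} is outside 1..4 bytes")
    if udf.offset < 0 or udf.offset + udf.length > MATCH_WINDOW_BYTES:
        problems.append(f"{udf.name}: bytes {udf.offset}..{udf.offset + udf.length - 1} "
                        f"fall outside the {MATCH_WINDOW_BYTES}-byte match window")
    if nru03 and udf.header == "packet-start" and udf.offset > NRU03_PACKET_START_MAX:
        problems.append(f"{udf.name}: packet-start offset {udf.offset} exceeds "
                        f"{NRU03_PACKET_START_MAX} (NRU03 limitation)")
    return problems


def plan_udfs(udfs, nru03: bool = True) -> dict:
    """Total the UDF IDs a set of UDFs would consume and report whether the set fits."""
    problems = {}
    for udf in udfs:
        found = check_udf(udf, nru03)
        if found:
            problems[udf.name] = found
    ids_used = sum(udf_id_cost(u.length) for u in udfs if 1 <= u.length <= 4)
    return {
        "ids_used": ids_used,
        "ids_free": TOTAL_UDF_IDS - ids_used,
        "problems": problems,
        "fits": ids_used <= TOTAL_UDF_IDS and not problems,
    }


if __name__ == "__main__":
    # The two UDFs from the udf-show output on this page plus the ARP target-ip UDF.
    plan = plan_udfs([Udf("u1", 20, 4), Udf("u2", 24, 4), Udf("target-ip", 42, 4)])
    print(plan)   # ids_used 6, ids_free 2, fits True
```

Three 4-byte UDFs consume 6 of the 8 IDs, so only one more 3- or 4-byte UDF (or two 1- or 2-byte UDFs) can be added; the packet-start check is skipped for the l3-* and l4-* header types, to which the NRU03 limitation as stated does not apply.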


A UDF adds a qualifier to the vFlow group, and you should create all UDFs before creating any vFlows. This feature is disabled by default, and you can enable it by using the following command:


CLI(network-admin@Spine1) >  vflow-settings-modify enable-user-defined-flow|no-enable-user-defined-flow


vflow-settings-modify

Use this command to update the user vFlow settings.

Specify one or more of the following options:


enable-user-defined-flow|no-enable-user-defined-flow

Specify to enable or disable the user defined flows.

vxlan-analytics|no-vxlan-analytics

Specify to enable or disable VXLAN analytics.


Note: You must disable VXLAN analytics before enabling long-lived TCP connection statistics.

inflight-vxlan-analytics|no-inflight-vxlan-analytics

Specify to enable or disable the inflight VXLAN analytics.


Note: You must disable inflight VXLAN analytics before enabling long-lived TCP connection statistics.

longlived-tcp-conn-stats|no-longlived-tcp-conn-stats

Specify to enable or disable the long-lived TCP connection statistics.


Note: You must enable user-defined flows before enabling long-lived TCP connection statistics.


To enable user-defined flows, use the command:


CLI(network-admin@Spine1) >  vflow-settings-modify enable-user-defined-flow


To disable the feature, use the command:


CLI(network-admin@Spine1) >  vflow-settings-modify no-enable-user-defined-flow

 


Note: Reboot Netvisor OS for the change (the enable or disable command) to take effect on the platform.


The udf-create command adds the qualifier to the UDF group in the hardware and allocates UDF IDs based on the length. The vflow-create command has parameter fields that provide the data and mask to be matched by the vFlow. You can create vFlows with either one or two UDFs.

 

You cannot modify a UDF after adding it to a vFlow. You must delete the vFlow, modify the UDF, and re-create the vFlow with the modified UDF. 

New Commands for UDF

 

To create a new UDF, use the following command:

 

CLI(network-admin@Spine1) >  udf-create name udf1 scope local offset 10 length 2 header packet-start

 

udf-create

Create the UDF qualifier list

name name-string

Specify a name for the UDF.

scope local|fabric

Scope for the UDF

offset number-bytes

The offset in bytes. This is a value between 1 and 128.

length number-bytes

The length in bytes. This is a value between 1 and 4 bytes.

header [packet-start|l3-outer|l3-inner|l4-outer|l4-inner]

The header from which the offset is calculated.


To delete a UDF, use the command:

 

CLI(network-admin@Spine1) >  udf-delete name udf1

 

udf-delete

Delete UDF qualifier list

name name-string

The name of the UDF to delete.

 

To modify an existing UDF, use the command:

 

CLI(network-admin@Spine1) >  udf-modify name udf1 scope local offset 20 length 4 header packet-start

 

udf-modify

Modify UDF qualifier list

name name-string

The name of the UDF to modify.

One or more of the following options:

 

offset number-bytes

The offset in bytes. This is a value between 1 and 128.

length number-bytes

The length in bytes. This is a value between 1 and 4 bytes.

header packet-start|l3-outer|l3-inner|l4-outer|l4-inner

The header from which the offset is calculated.

 

CLI(network-admin@Spine1) >  udf-show

 

switch    name   scope   offset   length   header
------    ----   -----   ------   ------   ------------
spine1    u1     local   20       4        packet-start
spine1    u2     local   24       4        packet-start

 

 

udf-show

Displays the UDF qualifier list

switch

Displays the name of the switch

name name-string

Displays the UDF name

scope local|fabric

Displays the scope for the UDF

offset number-bytes

Displays the offset in bytes. This is a value between 1 and 128.

length number-bytes

Displays the length in bytes. This is a value between 1 and 4 bytes.

header packet-start|l3-outer|l3-inner|l4-outer|l4-inner

Displays the header from which the offset is calculated.

 

The command, vflow-create, has the following additional parameters:

 

udf-name1 udf-name

Specify the name of the first UDF.

udf-data1 udf-data1-number

Specify the data for the first UDF, in the format 0xa0a0a01.

udf-data1-mask udf-data1-mask-number

Specify the mask for udf-data1, in the format 0xffffffff.

udf-name2 udf-name

Specify the name of the second UDF.

udf-data2 udf-data2-number

Specify the data for the second UDF, in the format 0xa0a0a01.

udf-data2-mask udf-data2-mask-number

Specify the mask for udf-data2, in the format 0xffffffff.

 

For example, to create a vFlow with UDF parameters, use the command:


CLI(network-admin@Spine1) >  vflow-create name udf1 scope local udf-name1 udf1 udf-data1 0x0a0a0a01 udf-data1-mask 0xffffffff udf-name2 udf2 udf-data2 0x0a0a1400 udf-data2-mask 0xffffff00

 

CLI(network-admin@Spine1) >  vflow-show

 

name  scope  type   precedence  udf-name1  udf-data1  udf-data1-mask  udf-name2  udf-data2  udf-data2-mask
----  -----  -----  ----------  ---------  ---------  --------------  ---------  ---------  --------------
udf1  local  vflow  default     udf1       0xa0a0a01  0xffffffff      udf2       0xa0a1400  0xffffff00



Configuring a UDF vFlow for Filtering ARP Requests
 

Consider a scenario where you need to allow only the ARP requests destined for the Anycast gateway IP (anycast-gw-ip) to proceed to ARP processing, while blocking other transit ARP requests. You can achieve this by creating a UDF-based vFlow with a higher precedence value than the system vFlows. Follow the steps below to create such a configuration:


  • First, enable UDF by using the command:


CLI (network-admin@switch) > vflow-settings-modify enable-user-defined-flow



  • Restart nvOSd for the setting to take effect.


  • Create a UDF named target-ip that matches the target IP field of an ARP request, using the command:


CLI (network-admin@switch) > udf-create name target-ip scope local offset 42 length 4 header packet-start


  • Create a vFlow that uses the UDF to copy matching ARP packets to the CPU, using the command:


CLI (network-admin@switch) > vflow-create name UDF-Allow-AnyGW-243 scope fabric precedence 15 action copy-to-cpu udf-name1 target-ip udf-data1 0xa65f302 udf-data1-mask 0xffffffff table-name System-L1-L4-UDF-1-0 flow-cb arp-cb


vflow-create

Creates a virtual flow definition for L2 or L3 IP.

name name-string

Enter a name for the vFlow.

scope local|fabric

Specify the scope for vFlow.

precedence default|0..15

Specify the traffic priority value between 2 and 15.

action copy-to-cpu

Specify the forwarding action to apply to the vFlow, in this case, copy-to-cpu.

udf-name1

Specify the name of the UDF created in the previous step (here target-ip).

udf-data1 udf-data1-number

Enter the UDF data (the hexadecimal value equivalent to the IP address of the anycast gateway).

udf-data1-mask udf-data1-mask-number

Enter the mask for UDF data.

table-name vflow-table name

Enter the vFlow table name.

flow-cb default-cb|arp-cb|bcast-cb|igmp-cb|pim-cb|dhcp-cb|dhcpv6-cb|dmac-miss-cb|l2-miss-cb|no-cb

Specify the call-back option (here arp-cb).

 

To verify the configuration, use the vflow-show command:


CLI (network-admin@switch) > vflow-show name UDF-Allow-AnyGW-243


name                scope  type  burst-size precedence action      udf-name1 udf-data1 udf-data1-mask enable table-name           flow-cb

------------------- ------ ----- ---------- ---------- ----------- --------- --------- -------------- ------ -------------------- -------

UDF-Allow-AnyGW-243 fabric vflow auto       15         copy-to-cpu target-ip 0xa65f302 0xffffffff     enable System-L1-L4-UDF-1-0 arp-cb
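To see why offset 42, length 4 and data 0xa65f302 select exactly the ARP requests for the 10.101.243.2 anycast gateway, the following added example (not Netvisor code) builds constructed ARP request frames and applies the UDF qualifier to them in software. It assumes that the frames carry an 802.1Q tag, which is what places the ARP target IP at byte 42 from the packet start (in an untagged frame it sits at byte 38), and that the hardware compares the masked extracted bytes with the masked udf-data value. The function names (udf_data_for_ip, build_arp_request, udf_matches, arp_target_ip_offset) are chosen for this example.

```python
# Added example (not Netvisor code): simulate the UDF match configured above on
# constructed ARP frames. Assumptions: frames are 802.1Q-tagged (target IP at
# byte 42; 38 if untagged) and the match is (bytes & mask) == (udf-data & mask).
import ipaddress
import struct

ETH_HDR_LEN = 14        # dst MAC + src MAC + EtherType
VLAN_TAG_LEN = 4        # 802.1Q TPID + TCI
ARP_TPA_OFFSET = 24     # htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6)


def udf_data_for_ip(ip: str) -> int:
    """The udf-data1 value for an IPv4 address: the address as a big-endian 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))


def arp_target_ip_offset(tagged: bool) -> int:
    """Packet-start offset of the ARP target protocol address field."""
    return ETH_HDR_LEN + (VLAN_TAG_LEN if tagged else 0) + ARP_TPA_OFFSET


def build_arp_request(sender_ip: str, target_ip: str, vlan: int = None) -> bytes:
    """Construct a sample broadcast ARP request (constructed test data, not a capture)."""
    src_mac = bytes.fromhex("020000000001")
    frame = b"\xff" * 6 + src_mac
    if vlan is not None:
        frame += struct.pack("!HH", 0x8100, vlan & 0x0FFF)   # 802.1Q tag
    frame += struct.pack("!H", 0x0806)                       # EtherType ARP
    frame += struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)       # Ethernet/IPv4, opcode request
    frame += src_mac + ipaddress.IPv4Address(sender_ip).packed
    frame += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return frame


def udf_matches(frame: bytes, offset: int, length: int, data: int, mask: int) -> bool:
    """Apply a UDF qualifier: compare the masked bytes at offset with the masked data."""
    window = frame[offset:offset + length]
    if len(window) < length:          # frame too short to contain the field
        return False
    return (int.from_bytes(window, "big") & mask) == (data & mask)


if __name__ == "__main__":
    gw = udf_data_for_ip("10.101.243.2")      # 0xa65f302, the udf-data1 used above
    for_gw = build_arp_request("10.101.243.50", "10.101.243.2", vlan=243)
    transit = build_arp_request("10.101.243.50", "10.101.243.7", vlan=243)
    print(hex(gw), udf_matches(for_gw, 42, 4, gw, 0xffffffff),
          udf_matches(transit, 42, 4, gw, 0xffffffff))
```

Running it shows that the gateway-bound request matches while a transit request for another host does not; widening the mask to 0xffffff00, as in the earlier vflow-create example, makes the qualifier match any target in the same /24, which is why the mask must be chosen as carefully as the data.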


 
