Configuring vFlows with User Defined Fields (UDFs)
Netvisor allows you to define policy filters through one of the arbitrary set of matching qualifiers as explained in the Filtering of Traffic Flows section. One of the qualifier is the User Defined Field (UDF).
A UDF can match up to 128 bytes of a packet starting from the first byte of the packet. The length of the match can be from 1 to 4 bytes. Hardware with a Trident chip supports the creation of 8 UDF IDs. Each id can match a 2 byte portion of a packet. Creating a UDF with a length of 3 or 4 bytes requires 2 UDF IDs whereas a UDF with length of 1 or 2 bytes required 1 UDF id. The length specified for each UDF determines the total number of UDFs supported by Netvisor One. If you specify a length of 3 or 4 bytes, a maximum of 4 UDFs can be created. If you specify a length of 1 or 2 bytes, a maximum of 8 UDFs can be created.
Limitation: UDF offset range supported for UDF header packet-start type ranges from 0-63. This limitation is applicable for all NRU03 platforms.
A UDF adds a qualifier to the vFlow group, and you should create all UDFs before creating any vFlows. This feature is disabled by default, and you can enable it by using the following command:
CLI(network-admin@Spine1) > vflow-settings-modify enable-user-defined-flow|no-enable-user-defined-flow
|
vflow-settings-modify |
Use this command to update a user vflow setting |
|
Specify one of more of the following options |
|
|
enable-user-defined-flow|no-enable-user-defined-flow |
Specify to enable or disable the user defined flows. |
|
vxlan-analytics|no-vxlan-analytics |
Specify to enable or disable VXLAN analytics. Note: You must disable VXLAN analytics before enabling the longlived tcp connection |
|
inflight-vxlan-analytics|no-inflight-vxlan-analytics |
Specify to enable or disable the inflight VXLAN analytics. Note: You must disable inflight VXLAN analytics before enabling the longlived tcp connection. |
|
longlived-tcp-conn-stats|no-longlived-tcp-conn-stats |
Specify to enable or disable the long-lived TCP connection statistics. Note: You must enable the user-defined-flow before enabling the longlived tcp connection statistics. |
To enable the user defined vflow, use the command:
CLI(network-admin@Spine1) > vflow-settings-modify enable-user-defined-flow
To disable the feature, use the command:
CLI(network-admin@Spine1) > vflow-settings-modify no-enable-user-defined-flow
Note: Reboot Netvisor OS for the changes (enable or disable commands) to take effect on the platform.
The command, udf-create, adds the qualifier to the UDF group in the hardware. This allocates UDF IDs based on the length. The command, vflow-create, has parameter fields to provide the data and mask to be matched by the vFlow. You can create vFlows with either one or two UDFs.
You cannot modify a UDF after adding it to a vFlow. You must delete the vFlow, modify the UDF, and re-create the vFlow with the modified UDF.
New Commands for UDF
To create a new UDF, use the following command:
CLI(network-admin@Spine1) > udf-create name udf1 scope local offset 10 length 2 header packet-start
|
udf-create |
Create the UDF qualifier list |
|
name name-string |
Create the UDF name |
|
scope local|fabric |
Scope for the UDF |
|
offset number-bytes |
The offset in bytes. This is a value between 1 and 128. |
|
length number-bytes |
The length in bytes. This is a value between 1 and 4 bytes. |
|
header [packet-start|l3-outer|l3-inner|l4-outer|l4-inner] |
The header from where offset is calculated. |
To delete an UDF command:
CLI(network-admin@Spine1) > udf-delete name udf1
|
udf-delete |
Delete UDF qualifier list |
|
name name-string |
The name of the UDF to delete. |
To modify an existing UDF command:
CLI(network-admin@Spine1) > udf-modify name udf1 scope local offset 20 length 4 header packet-start
|
udf-modify |
Modify UDF qualifier list |
|
name name-string |
The name of the UDF to modify. |
|
One or more of the following options: |
|
|
offset number-bytes |
The offset in bytes. This is a value between 1 and 128. |
|
length number-bytes |
The length in bytes. This is a value between 1 and 4 bytes. |
|
header packet-start|l3-outer|l3-inner|l4-outer|l4-inner |
The header from where offset is calculated. |
CLI(network-admin@Spine1) > udf-show
switch name scope offset length header
------ ---- ----- ------ ------ ------------
spine1 u1 local 20 4 packet-start
spine1 u2 local 24 4 packet-start
|
switch |
Displays the name of the switch |
|
udf-show |
Displays the UDF qualifier list |
|
name name-string |
Displays the UDF name |
|
scope local|fabric |
Displays the scope for the UDF |
|
offset number-bytes |
Displays the offset in bytes. This is a value between 1 and 128. |
|
length number-bytes |
Displays the length in bytes. This is a value between 1 and 4 bytes. |
|
header packet-start|l3-outer|l3-inner|l4-outer|l4-inner |
Displays the header from where the offset is calculated. |
The command, vflow-create, has the following additional parameters:
|
udf-name1 udf-name |
Specify the name of the UDF. |
|
udf-data1 udf-data1-number |
Specify UDF data1q with the format 0xa0a0a01 |
|
udf-data1-mask udf-data1-mask-number |
Specify he mask for udf-data with the format 0xffffffff. |
|
udf-name2 udf-name |
Specify the name of the UDF. |
|
udf-data2 udf-data2-number |
Specify UDF data2 with the format 0xa0a0a01 |
|
udf-data2-mask udf-data2-mask-number |
Specify the mask for udf-data with the format 0xffffffff. |
For example, to create a vflow with UDF parameters, use the command:
CLI(network-admin@Spine1) > vflow-create name udf1 scope local udf-name1 udf1 udf-data 0x0a0a0a01 udf-data-mask1 0xffffffff udf-name2 udf2 udf-data2 0x0a0a1400 udf-data-mask2 0xffffff00
CLI(network-admin@Spine1) > vflow-show
name scope type precedence udf-name1 udf-data1 udf-data-mask1 udf-name2 udf-data2 udf-data-mask2
---- ----- ----- ---------- --------- --------- -------------- --------- --------- --------------
udf1 local vflow default udf1 0xa0a0a01 0xffffffff udf2 0xa0a1400 0xffffff00
Configuring a UDF vFlow for Filtering ARP Requests
Consider a scenario where you need to allow only the ARP requests destined for Anycast gateway IP (anycast-gw-ip) to proceed with ARP processing, while blocking other transit ARP requests. You can create a UDF with a higher precedence value than system vFlows to achieve this. Follow the steps below to create such a configuration:
- First enable UDF by using the command:
CLI (network-admin@switch) > vflow-settings-modify enable-user-defined-flow
|
udf-name1 udf-name |
Specify the name of the UDF. |
|
udf-data1 udf-data1-number |
Specify UDF data1q with the format 0xa0a0a01 |
|
udf-data1-mask udf-data1-mask-number |
Specify he mask for udf-data with the format 0xffffffff. |
- Restart the nvOSd.
- Create a UDF, target-ip, for the ARP request using the command:
CLI (network-admin@switch) > udf-create name target-ip scope local offset 42 length 4 header packet-start
- Create UDF to punt ARP packets to CPU using the command:
CLI (network-admin@switch) > vflow-create name UDF-Allow-AnyGW-243 scope fabric precedence 15 action copy-to-cpu udf-name1 target-ip udf-data1 0xa65f302 udf-data1-mask 0xffffffff table-name System-L1-L4-UDF-1-0 flow-cb arp-cb
|
vflow-create |
Creates a virtual flow definition for L2 or L3 IP. |
|
name name-string |
Enter a name for the vFlow. |
|
scope local|fabric |
Specify the scope for vFlow. |
|
precedence default|0..15 |
Specify the traffic priority value between 2 and 15. |
|
action copy-to-cpu |
Specify the forwarding action to apply to the vFlow, in this case, copy-to-cpu. |
|
udf-name1 |
Specify the UDF name created in step c. |
|
udf-data1 udf-data1-number |
Enter the UDF data (hexa-decimal value equivalent to the IP address of anycast gateway. |
|
udf-data1-mask udf-data1-mask-number |
Enter the mask for UDF data. |
|
table-name vflow-table name |
Enter the vFlow table name. |
|
flow-cb default-cb|arp-cb|bcast-cb|igmp-cb|pim-cb|dhcp-cb|dhcpv6-cb|dmac-miss-cb|l2-miss-cb|no-cb |
Specify the call-back option (here arp-cb). |
To verify the configuration, use the vflow-show command:
CLI (network-admin@switch) > vflow-show name UDF-Allow-AnyGW-243
name scope type burst-size precedence action udf-name1 udf-data1 udf-data1-mask enable table-name flow-cb
------------------- ------ ----- ---------- ---------- ----------- --------- --------- -------------- ------ -------------------- -------
UDF-Allow-AnyGW-243 fabric vflow auto 15 copy-to-cpu target-ip 0xa65f302 0xffffffff enable System-L1-L4-UDF-1-0 arp-cb