EOS Section 46.2: DirectFlow Configuration

46.2 DirectFlow Configuration
Consider the following when using DirectFlow.
DirectFlow takes effect ONLY after exiting the individual flow configuration sub-mode.
Match criteria are connected with Boolean AND operators; that is, they must all match for the condition to be true and the action to be taken.
The CLI automatically sets the EtherType match to IP if IP fields (such as source or destination address or L4 ports) are chosen as part of other match/action commands.
In a single flow, only the following fields can be matched along with IPv6 source and destination addresses:
VLAN priority
VLAN ID
EtherType
Source interface
Class of Service (CoS)
46.2.1 Commands Used to Enable DirectFlow, Configure and Display Flows
A number of different commands are provided for the DirectFlow feature. The different commands enable you to enter the DirectFlow configuration mode, enable DirectFlow, configure flows, and display configured flows.
Important! ALL match criteria specified in a flow definition must match in the packet for the actions specified to be applied to the traffic.
Enter the DirectFlow configuration mode
The directflow command places the switch in DirectFlow configuration mode.
switch(config)#directflow
switch(config-directflow)#
Enable DirectFlow
The shutdown (DirectFlow) command determines if the configuration takes effect or not. To enable DirectFlow, enter the following command.
switch(config-directflow)#no shutdown
switch(config-directflow)#
Create the flow
The flow (DirectFlow) command creates a new flow entry. It must be unique or it will be overwritten by an existing entry.
switch(config-directflow)#flow Test-1
switch(config-directflow-Test-1)#
Create the DirectFlow match criteria
The match (DirectFlow-flow mode) command allows you to configure a rule or flow that matches on L2, L3, and L4 fields of a packet and specifies an action to modify, drop, or redirect the packet.
switch(config-directflow)#flow Test1
switch(config-directflow-Test1)#match ethertype ip
switch(config-directflow-Test1)#match source ip 10.10.10.10
Action Set
The action set (DirectFlow-flow mode) command allows you to configure a packet to be routed out a layer three interface using a DirectFlow entry.
switch(config-directflow)#flow Test1
switch(config-directflow-Test1)#action egress mirror ethernet 7
switch(config-directflow-Test1)#action set destination mac 0000.aaaa.bbbb
Redirect to CPU
The action output interface cpu (DirectFlow-flow mode) command allows you to configure flows so that traffic that matches the matching conditions specified in the flow is redirected to the CPU.
switch(config)#directflow
switch(config-directflow)#flow redirect-http-cpu
switch(config-directflow-redirect-http-cpu)#match ip protocol tcp
switch(config-directflow-redirect-http-cpu)#match destination port 80
switch(config-directflow-redirect-http-cpu)#action output interface cpu
Configuring a non-persistent flow
Including the no persistent command in a flow definition makes the DirectFlow flow non-persistent.
switch(config-directflow)#flow example-non-persistent
switch(config-directflow-example-non-persistent)#match input interface ethernet 25
switch(config-directflow-example-non-persistent)#action drop
switch(config-directflow-example-non-persistent)#no persistent
switch(config-directflow-example-non-persistent)#timeout hard 300
Display details for configured flows
The show directflow flows <flow name> detail command enables you to display the details of configured flows. You can use this command to verify that a non-persistent flow is deleted after the timeout period configured for the flow has elapsed.
The following example shows the use of this command to view the configuration of a non-persistent flow before the timeout period has elapsed, and a second time, after the timeout period has expired.
The initial use of the command displays the flow configuration (before the timeout expires).
switch(config-directflow)#show directflow flows example-non-persistent detail
Flow example-non-persistent: (Flow programmed)
persistent: False
priority: 0
hard timeout: 300
idle timeout: 0
match:
  ingress interface:
      Et25
actions:
  drop
matched: 0 packets, 0 bytes
The second use of the command displays the flow details (after the timeout expires). The output shows that the flow is no longer programmed.
switch(config-directflow)#show directflow flows example-non-persistent detail
Flow example-non-persistent: (Flow not programmed)
persistent: False
priority: 0
hard timeout: 300
idle timeout: 0
match:
  ingress interface:
      Et25
actions:
  drop
matched: 0 packets, 0 bytes
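The verification described above can be scripted. The following is an added example, not part of the EOS documentation: a Python parser for the detail output shown in this section, plus a check that a non-persistent flow is no longer programmed after its timeout. The function names parse_flow_detail and expired_as_expected are hypothetical, and the parser assumes the output layout is exactly as printed above.

```python
import re

# Constructed sample input, laid out like the two outputs shown in this section.
BEFORE = """\
Flow example-non-persistent: (Flow programmed)
persistent: False
priority: 0
hard timeout: 300
idle timeout: 0
match:
  ingress interface:
      Et25
actions:
  drop
matched: 0 packets, 0 bytes
"""
AFTER = BEFORE.replace("(Flow programmed)", "(Flow not programmed)")

HEADER = re.compile(r"^Flow (?P<name>\S+): \((?P<state>[^)]+)\)$")

def parse_flow_detail(text):
    """Parse one flow's detail output into a dict (assumes the layout above)."""
    flow, section, field = {"match": {}, "actions": []}, None, None
    for raw in filter(str.strip, text.splitlines()):   # skip blank lines
        line = raw.strip()
        if header := HEADER.match(line):
            flow["name"] = header["name"]
            flow["programmed"] = header["state"] == "Flow programmed"
        elif line in ("match:", "actions:"):
            section = line[:-1]
        elif raw[0].isspace() and section == "actions":
            flow["actions"].append(line)
        elif raw[0].isspace() and section == "match":
            if line.endswith(":"):
                field = line[:-1]                      # e.g. "ingress interface"
                flow["match"][field] = []
            elif field:
                flow["match"][field].append(line)      # e.g. "Et25"
        else:
            section = None                             # back to top-level "key: value"
            key, _, value = line.partition(":")
            flow[key.strip()] = value.strip()
    return flow

def expired_as_expected(flow):
    """True when a non-persistent flow with a timeout is no longer programmed."""
    has_timeout = int(flow["hard timeout"]) > 0 or int(flow["idle timeout"]) > 0
    return flow["persistent"] == "False" and has_timeout and not flow["programmed"]
```

A flow for which expired_as_expected still returns False after the hard timeout has elapsed is still programmed and should be investigated.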