DirectFlow

This section describes Arista's DirectFlow implementation. Topics in this section include:

Introduction

DirectFlow allows you to define flows consisting of conditions to match, and actions to perform, that are a superset of the OpenFlow 1.0 specification. DirectFlow runs alongside the existing L2/L3 forwarding plane, enabling a network architecture that incorporates new capabilities such as tap aggregation and custom traffic engineering, alongside traditional forwarding models. DirectFlow does not require a controller or any third party integration, as flows can be installed via the CLI.

DirectFlow exposes the underlying forwarding ASIC's capabilities through a programmable interface such as eAPI or the standard CLI.

DirectFlow works in conjunction with all other aspects of standard Layer 2 or Layer 3 bridging or forwarding, and DirectFlow traffic is subject to the standard packet processing pipeline within the ASIC. You can think of DirectFlow as a stage in packet processing that processes traffic after ingress checks and before any egress actions.

DirectFlow enables you to configure flows that consist of matching criteria and actions, and to modify how traffic is processed, for example by overriding the L2 lookup decision or rewriting a MAC address or VLAN.

Features like MAC learning, STP state checks, ingress or egress VLAN membership checks on ports, ACLs, QoS, and others are all respected by DirectFlow. Traffic that does not match any programmed flow is processed normally, while traffic that matches programmed flows is now subject to the actions specified in the flows.

DirectFlow Flows

You can define a relative priority between flows and define idle or hard timeouts for the flow. DirectFlow also enables you to insert a flow entry that matches on specified criteria, and define actions to be taken on traffic that matches the specified matching conditions. You can define flows to match on TCP flags, IPv6 source and destination addresses, input ports, and more.

DirectFlow Non-persistent Flows

DirectFlow enables you to configure flows that are not visible in the startup or running configurations and do not persist over a reboot. This feature is designed to be used for flows that are configured by a custom agent using the EOS SDK or eAPI and age out (expire) after a specified time period.

For example, if you are using a custom agent that reacts to traffic sent to the CPU (the redirect to CPU action), and you want to use a flow that will drop all matching traffic for 5 minutes, the agent can program a non-persistent flow that expires after a hard timeout of 300 seconds.

Using a non-persistent flow for this purpose ensures that other administrator actions (for example, saving the configuration) do not result in the flow being resurrected on startup or reverting to the saved configuration. It also removes the need for the agent to delete the expired flow.

Note: By default, all DirectFlow flows are persistent. You must use the no persistent command to configure a non-persistent flow.

Supported Matches

DirectFlow supports all matches on VLAN, ether type, source or destination MAC address, COS, source or destination IP address, IP protocol, IP TOS, L4 source and destination ports, and ICMP type and code.

In addition, DirectFlow also allows matching on:
  • TCP flags
  • IPv6 source address
  • IPv6 destination address
  • Traffic injected from the CPU
  • Input port

DirectFlow also permits re-using the same flow on multiple input ports, saving valuable TCAM space.

Supported Actions

DirectFlow supports the following actions:
  • Setting the source or destination MAC address
  • VLAN
  • COS
  • IP TOS
  • Transmit queue
  • Output port list and mirroring traffic pre-modification (ingress mirror) and post-modification (egress mirror)
  • Redirect to CPU

The redirect to CPU action is useful in cases in which a custom agent is running on EOS and you want to trap specific traffic (matching traffic) and send the trapped traffic to the agent.

DirectFlow Configuration

Consider the following when using DirectFlow.
  • DirectFlow takes effect ONLY after exiting the individual flow configuration sub-mode.
  • Match criteria are connected with Boolean AND operators. Therefore they must all match for the condition to be true and the action to be taken.
  • The CLI automatically sets the ethertype match to IP if IP fields (such as source or destination address or L4 ports) are chosen as part of other match/action commands.
  • In a single flow, only the following fields can be matched along with IPv4 or IPv6 source and destination addresses:
    • VLAN priority
    • VLAN ID
    • EtherType
    • Source interface
    • Class of Service (CoS)

Commands Used to Enable DirectFlow, Configure and Display Flows

A number of different commands are provided for the DirectFlow feature. The different commands enable you to enter the DirectFlow configuration mode, enable DirectFlow, configure flows, and display configured flows.

Note: ALL match criteria specified in a flow definition must match in the packet for the actions specified to be applied to the traffic.

Enter the DirectFlow Configuration Mode

The directflow command places the switch in DirectFlow configuration mode.

switch(config)# directflow
switch(config-directflow)#

Enable DirectFlow

The shutdown (DirectFlow) command determines if the configuration takes effect or not. To enable DirectFlow, enter the following command.

switch(config-directflow)# no shutdown 

Create the Flow

The flow (DirectFlow) command creates a new flow entry. It must be unique or it will be overwritten by an existing entry.

switch(config-directflow)# flow Test-1
switch(config-directflow-Test-1)#

Create the DirectFlow Match Criteria

The match (DirectFlow-flow mode) command allows you to configure a rule or a flow that matches on L2, L3, and L4 fields of a packet and to specify an action to modify, drop, or redirect the packet.

switch(config-directflow-Test-1)# match ethertype ip
switch(config-directflow-Test-1)# match source ip 10.10.10.10

Action Set

The action set (DirectFlow-flow mode) command allows you to configure a packet to be routed out a layer three interface using a DirectFlow entry.

switch(config-directflow-Test-1)# action egress mirror ethernet 7
switch(config-directflow-Test-1)# action set destination mac 0000.aaaa.bbbb

Finalize the Flow

DirectFlow flows do not take effect until you exit the configuration sub-mode for the specified flow. Use the exit command to finalize the flow and put it into effect.

switch(config-directflow-Test-1)# exit
switch(config-directflow)#

Redirect to CPU

The action output interface cpu (DirectFlow-flow mode) command allows you to configure flows so that traffic that matches the matching conditions specified in the flow is redirected to the CPU.

switch(config)# directflow
switch(config-directflow)# flow redirect-http-cpu
switch(config-directflow-redirect-http-cpu)# match ip protocol tcp
switch(config-directflow-redirect-http-cpu)# match destination port 80
switch(config-directflow-redirect-http-cpu)# action output interface cpu

Configuring a Non-persistent Flow

DirectFlow flows are persistent by default. Use the no persistent command to configure non-persistent flows.

switch(config)# directflow
switch(config-directflow)# flow example-non-persistent
switch(config-directflow-example-non-persistent)# match input interface ethernet 25
switch(config-directflow-example-non-persistent)# action drop
switch(config-directflow-example-non-persistent)# no persistent 
switch(config-directflow-example-non-persistent)# timeout hard 300
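
The agent scenario described earlier (drop matching traffic for 5 minutes, then let the flow expire) can be driven over eAPI. The following is an added example, not Arista's code: it builds the command list and the JSON-RPC `runCmds` body for a non-persistent drop flow and sends nothing. The function names, the `quarantine-` naming scheme, the flow-name character set and the 3600-second ceiling are assumptions of this example.

```python
import ipaddress
import json
import re

# Conservative flow-name alphabet: an assumption of this example, not a
# documented EOS rule. It keeps spaces and newlines out of the command list.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
MAX_HARD_TIMEOUT = 3600  # local policy ceiling for this example, not an EOS limit


def quarantine_flow_cmds(src_ip, hard_timeout=300, priority=0, name=None):
    """Return the CLI lines for a non-persistent flow that drops src_ip."""
    # src_ip typically comes from a packet trapped to the CPU, so it is
    # untrusted: ipaddress accepts exactly one address and nothing else.
    if not isinstance(src_ip, str):
        raise ValueError("source address must be a string")
    addr = ipaddress.ip_address(src_ip)
    if addr.version != 4:
        raise ValueError("this example only builds IPv4 matches")
    if type(hard_timeout) is not int or not 1 <= hard_timeout <= MAX_HARD_TIMEOUT:
        raise ValueError("hard timeout must be 1..%d seconds" % MAX_HARD_TIMEOUT)
    if type(priority) is not int or not 0 <= priority <= 65535:
        raise ValueError("priority must be 0..65535")
    name = name or "quarantine-" + str(addr).replace(".", "_")
    if not NAME_RE.fullmatch(name):
        raise ValueError("unsafe flow name")
    return [
        "enable",
        "configure",
        "directflow",
        f"flow {name}",
        f"priority {priority}",
        "match ethertype ip",
        f"match source ip {addr}",
        "action drop",
        "no persistent",               # keep the flow out of running-config
        f"timeout hard {hard_timeout}",
        "exit",                        # the flow only takes effect on exit
    ]


def eapi_body(cmds, request_id="directflow-quarantine"):
    """Wrap CLI lines in the JSON-RPC 2.0 body that eAPI's runCmds expects."""
    return json.dumps({
        "jsonrpc": "2.0",
        "method": "runCmds",
        "params": {"version": 1, "cmds": cmds, "format": "json"},
        "id": request_id,
    })


if __name__ == "__main__":
    print(eapi_body(quarantine_flow_cmds("10.10.10.10")))
```

Validating the address before it reaches the command list matters because the value originates from network traffic, and the hard timeout bounds how long a mistaken drop can stay in hardware.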

Display Details for Configured Flows

The detail option of the show directflow flows command enables you to display the details of configured flows. You can use this command to verify that a non-persistent flow is deleted after the timeout period configured for the flow has elapsed.

The following example shows the use of this command to view the configuration of a non-persistent flow before the timeout period has elapsed, and a second time, after the timeout period has expired.

The initial use of the command displays the flow configuration (before the timeout expires).

switch(config-directflow)# show directflow flows example-non-persistent detail 
Flow example-non-persistent: (Flow programmed)
 persistent: False
 priority: 0
 hard timeout: 300
 idle timeout: 0
 match:
  ingress interface: 
      Et25
 actions:
  drop
 matched: 0 packets, 0 bytes

The second use of the command displays the flow details (after the timeout expires). The output shows that the flow is no longer programmed.

switch(config-directflow)# show directflow flows example-non-persistent detail
Flow example-non-persistent: (Flow not programmed)
persistent: False
priority: 0
hard timeout: 300
idle timeout: 0
match:
  ingress interface: 
      Et25
actions:
  drop
matched: 0 packets, 0 bytes

DirectFlow Feature Interactions

DirectFlow flow entries can have one of the following actions:
  • A set of egress ports for sending a matched packet
  • Copy to CPU
  • Redirect to CPU
  • Drop
  • No specified action (in this case, the traffic is output normally).

The only exception is the ingress or egress mirroring action, where the DirectFlow entry causes the packet to be mirrored.

When the ingress or egress packets are mirrored, the original traffic is sent out normally.

Bridging Features

  • DirectFlow entries have precedence over all entries in the MAC table, including static MAC entries and static MAC drop entries. Packets that do not match DirectFlow entries are forwarded based on the MAC address table.
  • VLANs: DirectFlow entries can modify the VLAN of a packet. MAC learning takes place in the original VLAN for DirectFlow entries that modify the VLAN. The modified packet will be subject to VLAN membership checks on the egress port. If a packet has no VLAN tag, DirectFlow assumes it came in on the native VLAN for the ingress interface. A VLAN override causes the packet to obey the VLAN rules on the egress port.
  • Q-in-Q: Q-in-Q is supported as DirectFlow entries match only on the outer tag.
  • Counters: All packets that match DirectFlow entries cause interface counters to increment as usual.

Spanning Tree

DirectFlow runs alongside MSTP, RSTP, and PVST. DirectFlow entries do not match on packets that ingress an STP discarding port. DirectFlow entries that cause a packet to be forwarded out an STP discarding port will result in the packets being dropped on egress.

When STP is enabled, BPDUs will always be trapped to the CPU. When STP is disabled, BPDUs will be subject to DirectFlow entries and not be copied to the CPU by default.

LLDP, LAGs, and LACP

  • LLDP packets are always trapped to the CPU. DirectFlow entries can never match LLDP packets.
  • LAGs are fully supported, and can be part of a match criteria and part of an output action to an interface.
  • LACP packets are always trapped to CPU. DirectFlow entries can never match LACP packets.

sFlow

sFlow is unaffected by DirectFlow.

IGMP Snooping

IGMP control packets are trapped to the CPU when IGMP Snooping is enabled. DirectFlow entries can match IGMP Snooping control traffic and override the trap to CPU.

Link-local-multicast packets are flooded in hardware in the VLAN via a TCAM entry. DirectFlow entries can match link-local-multicast packets and change the flooding behavior. As DirectFlow entries have to specify output interfaces or drop, the action will conflict and so matching DirectFlow entries will get precedence.

When IGMP snooping is enabled, unknown IPv4 multicast packets are flooded to the multicast-router ports in the VLAN. If DirectFlow entries match unknown IPv4 multicast packets, they will override the flooding behavior.

Data packets in groups under IGMP snooping control are sent to the group members through a MAC table entry. Matching DirectFlow entries override the MAC table entries.

ACLs

DirectFlow entries are lower priority than any configured Port ACLs (ingress). Packets coming in on a port that match DirectFlow entries still obey any ACL configured on that port, so DirectFlow entries apply only to packets that the ACL permits.

DirectFlow entries are higher priority than any configured RACLs. Packets coming in on an L3 interface that match DirectFlow entries ignore any RACLs configured on that interface.

DirectFlow entries are lower priority than any configured Egress ACLs.

Layer Three Features and DirectFlow

DirectFlow runs alongside IP routing. If a packet is routed out a layer three interface using a DirectFlow entry, the actions associated with the entry will have to specify the new source MAC and destination MAC for the packet, as well as the physical port or LAG. If there are no output ports specified in an entry, packets that match that entry will be dropped.

Unicast Routing

When unicast routing is enabled, DirectFlow entries that match take precedence for all packets that would otherwise have been routed. The three exceptions are the ingress mirror, egress mirror and copy-to-CPU actions, where the packets will be routed normally in addition to the action being performed. Routed packets that do not match DirectFlow entries are forwarded based on the L3 lookup.

Multicast Routing

When multicast routing is enabled, DirectFlow entries that match take precedence for all packets that would have otherwise been multicast routed. The packets are not replicated based on the hardware multicast tables, but are forwarded strictly according to the actions specified by the DirectFlow entry. The entry can specify a set of output interfaces, which will result in the packet being replicated based on the DirectFlow entry.

Displaying DirectFlow Configurations

The show directflow flows command displays the contents of the flow table, showing each entry with its match rules, actions, and packet counters.
  • This example shows the status of a default (persistent) flow.
    switch(config-directflow)# show directflow flows
    Flow Test1:
    priority: 0
    match:
    ingress interface: Ethernet1
       ethertype ip 
    source ip address: 10.10.10.10
    actions:
    output mirror: Ethernet2 
    matched: 0 packets, 0 bytes
    switch(config-directflow)# 
  • This example shows the status of a non-persistent flow. The flow will be deleted once 5 minutes have elapsed.
    switch(config-directflow)# show directflow flows example-non-persistent 
    Flow example-non-persistent:
     persistent: False
     priority: 0
     hard timeout: 300
     idle timeout: 0
     match:
       ingress interface: 
           Et25
     actions:
       drop
     matched: 0 packets, 0 bytes

DirectFlow Commands

action drop (DirectFlow-flow mode)

The action drop command configures packets that match an entry to be dropped.

The no action drop and default action drop commands remove the statement from the DirectFlow configuration mode.

Command Mode

Directflow-flow Configuration

Command Syntax

action drop

no action drop

default action drop

Example
This command sets the action for packets matching flow Test-1 to drop.
switch(config-directflow-Test-1)# action drop
switch#

action mirror (DirectFlow-flow mode)

The action mirror command can be used to ingress or egress mirror traffic to a mirror destination. This requires a mirror destination to be set up on the switch. If a packet comes in or goes out an interface that is part of another mirror session, then the destination for that session as well as the DirectFlow destination will receive a copy of the packet.

The no action mirror and default action mirror commands remove the statement from DirectFlow configuration mode.

Command Mode

Directflow-flow Configuration

Command Syntax

action DIRECTION mirror INT_NAME

no action DIRECTION mirror INT_NAME

default action DIRECTION mirror INT_NAME

Parameters
  • DIRECTION transmission direction of traffic to be mirrored.
    • ingress mirrors before any rewrites.
    • egress mirrors after rewrites.
  • INT_NAME Source interface for the mirroring session.
    • ethernet e_range Ethernet interfaces specified by e_range.
    • port-channel p_range Port channel interfaces specified by p_range.
Example
These commands configure matching traffic to be mirrored to ethernet 2.
switch(config-directflow)# flow Test1
switch(config-directflow-Test1)# match ethertype ip
switch(config-directflow-Test1)# match source ip 10.10.10.10
switch(config-directflow-Test1)# action egress mirror ethernet 2
switch(config-directflow-Test1)# 

action output (DirectFlow-flow mode)

The action output command configures an Ethernet or port channel interface as the output of a specified port mirroring session.

The no action output and default action output commands remove the statement from DirectFlow configuration mode.

Command Mode

Directflow-flow Configuration

Command Syntax

action output DESTINATION

no action output DESTINATION

default action output DESTINATION

Parameters

DESTINATION transmission direction of traffic to be mirrored.
  • all mirrors transmitted and received traffic.
  • flood mirrors received traffic only.
  • interface ethernet e_range Ethernet interfaces specified by e_range.
  • interface port-channel p_range Port channel interfaces specified by p_range.
  • nexthop vrf vrf_name ip_addr. If the next hop is reachable in the default VRF, the default VRF does not need to be specified.
Examples
  • This command configures interface ethernet 7 as the output for the mirroring session.
    switch(config-directflow-Test1)# action output interface ethernet 7
    switch(config-directflow-Test1)#
  • The following commands configure a flow redirecting all traffic from 10.10.1.2 to the next hop 10.30.1.2, assuming an appropriately configured TCAM profile.
    switch(config-directflow)# flow flow-sip-10_10_1_2-redirect-to-10_30_1_2
    switch(config-directflow-Test1)# match ethertype ip
    switch(config-directflow-Test1)# match source ip 10.10.1.2
    switch(config-directflow-Test1)# action output nexthop 10.30.1.2
    switch(config-directflow-Test1)#

action output interface cpu (DirectFlow-flow mode)

The action output interface cpu command configures the flow's action so that traffic matching the flow is redirected to the CPU (other commands are used to define the traffic matching conditions).

The no action output interface cpu and default action output commands remove the statement from DirectFlow configuration mode.

Command Mode

Directflow-flow Configuration

Command Syntax

action output DESTINATION

no action output DESTINATION

default action output DESTINATION

Parameters

DESTINATION transmission direction of traffic to be mirrored.
  • all mirrors transmitted and received traffic.
  • flood mirrors received traffic only.
  • interface cpu redirects matching traffic to the CPU.
Examples
  • This command configures interface ethernet 7 as the output for the mirroring session.
    switch(config-directflow-Test1)# action output interface ethernet 7 
    switch(config-directflow-Test1)#
  • These commands configure the action to redirect traffic matching the flow to the CPU and the matching conditions for the flow.
    switch(config)# directflow
    switch(config-directflow)# flow redirect-http-cpu
    switch(config-directflow-redirect-http-cpu)# match ip protocol tcp
    switch(config-directflow-redirect-http-cpu)# match destination port 80
    switch(config-directflow-redirect-http-cpu)# action output interface cpu

action set (DirectFlow-flow mode)

The action set command allows you to configure a packet to be routed out a layer three interface using a DirectFlow entry. The actions associated with the entry will have to specify the new source MAC and destination MAC for the packet, as well as the physical port or LAG. If there are no output ports specified in an entry, packets that match that entry will be dropped.

The no action set and default action set commands remove the action set statement from DirectFlow configuration mode.

Command Mode

Directflow-flow Configuration

Command Syntax

action set CONDITION

no action set CONDITION

default action set CONDITION

Parameters

CONDITION specifies parameter and value. Options include:
  • cos 0 to 7 Class of service.
  • destination mac mac_addr Dotted hex notation.
  • ip tos 0 to 255 Type of service.
  • source mac mac_addr Dotted hex notation.
  • traffic-class 0 to 7 Traffic class.
  • vlan 0 to 4094 Number of VLAN.

The no action set and default action set commands require only the CONDITION type without a specific condition value.

Example
These commands change the destination MAC of the frame.
switch(config-directflow)# flow Test1
switch(config-directflow-Test1)# action egress mirror ethernet 7
switch(config-directflow-Test1)# action set destination mac 0000.aaaa.bbbb

directflow

The directflow command places the switch in DirectFlow configuration mode.

The no directflow and default directflow commands delete the DirectFlow configuration mode statements from running-config.

DirectFlow configuration mode is not a group change mode; running-config is changed immediately upon entering commands. The exit command returns the switch to global configuration mode.

Command Mode

Global Configuration

Command Syntax

directflow

no directflow

default directflow

Commands Available in DirectFlow-Flow configuration mode:
Examples
  • This command places the switch in DirectFlow configuration mode.
    switch(config)# directflow
    switch(config-directflow)#
  • This command returns the switch to global configuration mode.
    switch(config-directflow)# exit
    switch(config)#

flow (DirectFlow)

The flow command places the switch in flow configuration mode.

The flow command specifies the name of the flow that subsequent commands modify and creates a new flow definition if it references a nonexistent flow. All changes in a flow configuration mode edit session are pending until the session ends:
  • The exit command saves pending changes to running-config and returns the switch to DirectFlow configuration mode. Changes are also saved by entering a different configuration mode.
  • The abort command discards pending changes, returning the switch to DirectFlow configuration mode.

The no flow and default flow commands delete the specified flow by removing the flow and its statements from running-config.

Command Mode

DirectFlow Configuration

Command Syntax

flow flow_name

no flow flow_name

default flow flow_name

Parameters

flow_name Name of flow.

match (DirectFlow-flow mode)

The match command allows you to configure a rule or a flow which could match on L2, L3, L4 fields of a packet and specify a certain action to modify, drop or redirect the packet.

All traffic ingressing on the switch will be matched against the flows installed. In cases where none of the packets match, normal switching or routing behavior will take over. When multiple entries match a packet, precedence is given to the entry that was installed first.

The no match and default match commands remove the match statement from the configuration mode.

Command Mode

Directflow-flow Configuration

Command Syntax

match CONDITION

no match CONDITION

default match CONDITION

Parameters

CONDITION specifies criteria for matching a packet. Options include:
  • cos 0 to 7 Class of service.
  • destination ip ipv4_sub Destination IPv4 subnet. L3 fields valid only if ethertype is IP (0x0800).
  • destination mac mac_addr Destination MAC address. Dotted hex notation.
  • destination mac mac_addr mask mac_mask Destination MAC address and mask. Dotted hex notation.
  • destination port 0 to 65535 Layer 4 destination port. Fields accepted only if protocol is TCP|UDP.
  • ethertype 0 to 65535 EtherType value.
  • ethertype ARP ARP EtherType.
  • ethertype IP IP EtherType (0x0800).
  • icmp code 0 to 255 Fields accepted only if protocol is ICMP.
  • icmp type 0 to 255 Fields accepted only if protocol is ICMP.
  • input interface ethernet e_num Ethernet interface specified by e_num.
  • input interface port-channel p_num Port channel interface specified by p_num.
  • ip protocol 0 to 255 IP protocol number. L3 fields valid only if ethertype is IP (0x0800).
  • ip protocol icmp L3 fields valid only if ethertype is IP (0x0800).
  • ip protocol tcp L3 fields valid only if ethertype is IP (0x0800).
  • ip protocol udp L3 fields valid only if ethertype is IP (0x0800).
  • ip tos 0 to 255 Type of service. L3 fields valid only if ethertype is IP (0x0800).
  • source ip ipv4_subnet Source IPv4 subnet. L3 fields valid only if ethertype is IP (0x0800).
  • source mac mac_addr Source MAC address. Dotted hex notation.
  • source mac mac_addr mask mac_mask Source MAC address and mask. Dotted hex notation.
  • source port 0 to 65535 Layer 4 source port. Fields accepted only if protocol is TCP|UDP.
  • tcp flag ack TCP ACK flag.
  • tcp flag fin TCP FIN flag.
  • tcp flag psh TCP PSH flag.
  • tcp flag rst TCP RST flag.
  • tcp flag syn TCP SYN flag.
  • tcp flag urg TCP URG flag.
  • vlan 1 to 4094 mask 1 to 4095 VLAN number and mask.

The no match and default match commands require only the CONDITION type without a specific condition value.

Example
This command creates the rules to match on Ethertype IP and Source IP 10.10.10.10.
switch(config-directflow)# flow Test1
switch(config-directflow-Test1)# persistent
switch(config-directflow-Test1)# match ethertype ip
switch(config-directflow-Test1)# match source ip 10.10.10.10

persistent

DirectFlow flows are persistent by default. Once finalized, they appear in the running configuration, and if saved to startup config they will persist over a reboot. The no form of the persistent command prevents the flow from showing up in running config, ensuring that it will not persist over a reboot.

Command Mode

Directflow-flow Configuration

Command Syntax

persistent

no persistent

Example
These commands create and enable a non-persistent DirectFlow flow.
switch(config)# directflow
switch(config-directflow)# flow example-non-persistent
switch(config-directflow-example-non-persistent)# match input interface ethernet 25
switch(config-directflow-example-non-persistent)# action drop
switch(config-directflow-example-non-persistent)# no persistent 
switch(config-directflow-example-non-persistent)# timeout hard 300
switch(config-directflow-example-non-persistent)# exit
switch(config-directflow)#

priority (DirectFlow-flow mode)

The priority command sets the priority for the flow match rules. Each flow-table entry has an optional priority field, with a higher number indicating a higher priority. Flows with the same priority may be loaded in any order, and the order may be changed at any time. If multiple entries match a packet, precedence is given to the entry that was installed first.

Priority numbers range from 0 to 65535. The default is 0. The higher priority rules match first.

The no priority and default priority commands remove the priority statement from the DirectFlow configuration mode.

Command Mode

Directflow-flow Configuration

Command Syntax

priority priority_value

no priority

default priority

Parameter

priority_value Priority of the flow. Value ranges from 0 to 65535. Default is 0.

Example
This command assigns a priority of 150 to flow Test-1.
switch(config-directflow-Test-1)# priority 150
switch(config-directflow-Test-1)#

show directflow

The show directflow command displays summary information for DirectFlow. With the counters or detail options, it displays counters or details for all flows configured on the switch.

Command Mode

EXEC

Command Syntax

show directflow [counters | detail]

Examples
  • This command displays summary information for DirectFlow.
    switch# show directflow
    DirectFlow configuration: Enabled
    Total matched: 0 packets
    Total programmed flows: 3 flows
    switch#
  • This command displays counters for all DirectFlow flows configured on the switch.
    switch# show directflow counters
    Flow Name      Source      Matched packets      Matched bytes
    ---------      ------      ---------------      -------------
    test3          config      0                     0
    test2          config      0                     0
    test1          config      0                     0
    
    Total matched packets: 0
    switch>
  • This command displays details for all DirectFlow flows configured on the switch.
    switch# show directflow detail
    Flow test3: (Flow programmed)
      persistent: True
      priority: 0
      priorityGroupType: default
      tableType: ifp
      hard timeout: 0
      idle timeout: 0
      match:
        Ethernet type: 0x86dd
        source IPv6 address: fcaa::/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      actions:
        output interfaces:
            Et32
      source: config
      matched: 0 packets, 0 bytes
    Flow test2: (Flow programmed)
      persistent: True
      priority: 0
      priorityGroupType: default
      tableType: ifp
      hard timeout: 0
      idle timeout: 0
      match:
        Ethernet type: IPv4
        source IPv4 address: 10.1.2.12/255.255.255.255
        IPv4 protocol: TCP
        destination TCP/UDP port or ICMP type: 8080
      actions:
        output interfaces:
            Et3/1
      source: config
      matched: 0 packets, 0 bytes
    Flow test1: (Flow programmed)
      persistent: True
      priority: 0
      priorityGroupType: default
      tableType: ifp
      hard timeout: 0
      idle timeout: 0
      match:
        ingress interface:
            Et1/1
      actions:
        output interfaces:
            Et2/1
      source: config
      matched: 0 packets, 0 bytes
    Flows: 3 programmed, 0 rejected
    switch#
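
Because non-persistent flows never appear in running-config and rejected flows are configured but not enforced, the `show directflow detail` output is the place to audit what the hardware is actually doing. The following is an added example, not Arista's code: it parses that text and flags flows a configuration review would miss. The sample text is constructed in the layout shown above, the finding labels are this example's own, and a timeout of 0 is assumed to mean "never expires" (as in OpenFlow 1.0).

```python
import re

# Constructed sample in the layout of the `show directflow detail` output.
SAMPLE = """\
switch# show directflow detail
Flow test-3: (Flow programmed)
  persistent: False
  priority: 0
  hard timeout: 0
  idle timeout: 0
  match:
    ingress interface:
        Et11
  actions:
    copy ingress to mirror dest interfaces: Ethernet1
    forward normally
  source: config
  matched: 0 packets, 0 bytes
Flow example-non-persistent: (Flow programmed)
  persistent: False
  priority: 0
  hard timeout: 300
  idle timeout: 0
  match:
    ingress interface:
        Et25
  actions:
    drop
  matched: 0 packets, 0 bytes
Flow test-2: (Flow rejected due to invalid match criteria)
  persistent: True
  priority: 0
  hard timeout: 0
  idle timeout: 0
  match:
    Ethernet type: IPv4
    IPv4 protocol: ICMP
  actions:
    drop
  source: config
  matched: 0 packets, 0 bytes
Flows: 2 programmed, 1 rejected
"""

HEADER = re.compile(r"^Flow (\S+):(?: \((.*)\))?$")
SCALARS = {"persistent", "priority", "priorityGroupType", "tableType",
           "hard timeout", "idle timeout", "source", "matched"}


def parse_flows(text):
    """Split the CLI text into one dict per flow (keyword driven, so it does
    not depend on how the output happens to be indented)."""
    flows, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            cur = {"name": header.group(1), "status": header.group(2) or "",
                   "match": [], "actions": []}
            flows.append(cur)
            section = None
        elif not line or cur is None:
            continue                      # blank line or prompt before a flow
        elif line in ("match:", "actions:"):
            section = line[:-1]
        else:
            key, sep, value = line.partition(":")
            if sep and key in SCALARS:
                cur[key] = value.strip()
                section = None            # a scalar ends match:/actions:
            elif section:
                cur[section].append(line)
    return flows


def audit(flows):
    """Return (flow name, finding) pairs worth a reviewer's attention."""
    findings = []
    for flow in flows:
        name, status = flow["name"], flow["status"]
        if status and status != "Flow programmed":
            findings.append((name, "not-enforced"))   # rejected or expired
            continue
        if flow.get("persistent") == "False":
            never_expires = (flow.get("hard timeout", "0") == "0"
                             and flow.get("idle timeout", "0") == "0")
            findings.append((name, "hidden-no-expiry" if never_expires
                             else "hidden-temporary"))
        if any("mirror" in action for action in flow["actions"]):
            findings.append((name, "mirrors-traffic"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_flows(SAMPLE)):
        print(f"{name}: {finding}")
```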

show directflow flows

The show directflow flows command displays the contents of the flow table, showing each entry with its match rules, actions, and packet counters. Including the name of a specific flow limits the output to information about the specified flow.

Command Mode

EXEC

Command Syntax

show directflow flows [flow_name [counters | detail]]

Parameters
  • flow_name name of flow for which to display information. If no flow name is entered, command displays information for all flows.
  • counters displays DirectFlow counters for the specified flow.
  • detail displays detailed information for the specified flow.
Examples
  • This command displays the contents of the flow table.
    switch# show directflow flows
    Flow test3:
      persistent: True
      priority: 0
      priorityGroupType: default
      tableType: ifp
      hard timeout: 0
      idle timeout: 0
      match:
        Ethernet type: 0x86dd
        source IPv6 address: fcaa::/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      actions:
        output interfaces:
            Et32
      source: config
      matched: 0 packets, 0 bytes
    Flow test2:
      persistent: True
      priority: 0
      priorityGroupType: default
      tableType: ifp
      hard timeout: 0
      idle timeout: 0
      match:
        Ethernet type: IPv4
        source IPv4 address: 10.1.2.12/255.255.255.255
        IPv4 protocol: TCP
        destination TCP/UDP port or ICMP type: 8080
      actions:
        output interfaces:
            Et3/1
      source: config
      matched: 0 packets, 0 bytes
    Flow test1:
      persistent: True
      priority: 0
      priorityGroupType: default
      tableType: ifp
      hard timeout: 0
      idle timeout: 0
      match:
        ingress interface:
            Et1/1
      actions:
        output interfaces:
            Et2/1
      source: config
      matched: 0 packets, 0 bytes
    switch#
  • This command displays information about flow test-1.
    switch# show directflow flows test-1
    Flow test1:
      persistent: True
      priority: 0
      priorityGroupType: default
      tableType: ifp
      hard timeout: 0
      idle timeout: 0
      match:
        ingress interface:
            Et1/1
      actions:
        output interfaces:
            Et2/1
      source: config
      matched: 0 packets, 0 bytes
    switch#
  • This command displays detailed information for flow test-1.
    switch# show directflow flows test-1 detail
    switch>show directflow flows test1 detail
    Flow test1: (Flow programmed)
      persistent: True
      priority: 0
      priorityGroupType: default
      tableType: ifp
      hard timeout: 0
      idle timeout: 0
      match:
        ingress interface:
            Et1/1
        source Ethernet address: 00:aa:aa:aa:aa:aa/ff:ff:ff:ff:ff:ff
        VLAN ID: 10
      actions:
        output interfaces:
      copy ingress to mirror dest interfaces: Ethernet1
        forward normally
      source: config
      matched: 0 packets, 0 bytes
    switch#
  • This command displays detailed information for all flows, regardless of their status (installed, rejected, configured, or other).
    switch# show directflow detail
    Flow test-3: (Flow programmed)
      persistent: False
      priority: 0
      priorityGroupType: default
      hard timeout: 0
      idle timeout: 0
      match:
        ingress interface:
            Et11
      actions:
        copy ingress to mirror dest interfaces: Ethernet1
        forward normally
      source: config
      matched: 0 packets, 0 bytes
    Flow test-1: (Flow programmed)
      persistent: True
      priority: 0
      priorityGroupType: default
      hard timeout: 0
      idle timeout: 0
      match:
        ingress interface:
            Et10
        source Ethernet address: 00:aa:aa:aa:aa:aa/ff:ff:ff:ff:ff:ff
        VLAN ID: 10
      actions:
        copy ingress to mirror dest interfaces: Ethernet1
        forward normally
      source: config
      matched: 0 packets, 0 bytes
    Flow test-2: (Flow rejected due to invalid match criteria)
      persistent: True
      priority: 0
      priorityGroupType: default
      hard timeout: 0
      idle timeout: 0
      match:
        Ethernet type: IPv4
        IPv4 protocol: ICMP
        source TCP/UDP port or ICMP type: 3
        destination TCP/UDP port or ICMP type: 6
      actions:
        copy ingress to mirror dest interfaces: Ethernet1
        forward normally
      source: config
      matched: 0 packets, 0 bytes
    Flows: 2 programmed, 1 rejected
    
    switch#
  • This command displays counters for flow test-1.
    switch# show directflow flows test-1 counters
    Flow Name     Source      Matched packets    Matched bytes
    ---------     ------      ---------------    -------------
    test1         config                    0                0
    switch#
  • This command displays match counters per flow.
    switch# show directflow counters
    Flow Name     Source      Matched packets    Matched bytes
    ---------     ------      ---------------    -------------
    test1         config                    0              146
    Total matched packets: 1
    switch#
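
The following added example (not part of the Arista documentation) parses the text of show directflow detail into one record per flow and lists the flows that were rejected, along with the programmed flows whose actions copy or redirect traffic. The function names and the assumed indentation steps (2, 4 and 8 spaces) are assumptions; the sample text is constructed from the output above.

```python
import re

# Constructed sample, abridged from the `show directflow detail` output above.
SAMPLE = """\
Flow test-3: (Flow programmed)
  persistent: False
  match:
    ingress interface:
        Et11
  actions:
    copy ingress to mirror dest interfaces: Ethernet1
    forward normally
Flow test-2: (Flow rejected due to invalid match criteria)
  match:
    IPv4 protocol: ICMP
  actions:
    copy ingress to mirror dest interfaces: Ethernet1
Flows: 1 programmed, 1 rejected
"""

HEADER = re.compile(r"^Flow (\S+):(?: \((.*)\))?\s*$")

def parse_flows(text):
    flows, flow, section = [], None, None
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        m = HEADER.match(raw)
        if m:  # "Flow <name>: (<status>)" opens a new record
            flow = {"name": m.group(1), "status": m.group(2) or "", "match": [], "actions": []}
            section = None
            flows.append(flow)
        elif flow is None or indent == 0:
            continue  # prompt lines and the "Flows: N programmed" summary
        elif line in ("match:", "actions:"):
            section = line[:-1]
        elif section and indent >= 8 and flow[section]:
            flow[section][-1] += " " + line  # interface name on its own line
        elif section and indent >= 4:
            flow[section].append(line)
        else:
            flow[line.partition(":")[0]] = line.partition(":")[2].strip()
    return flows

def audit(flows):
    # Rejected flows are not enforced; programmed copy/output actions move traffic.
    out = [(f["name"], f["status"]) for f in flows if "rejected" in f["status"]]
    out += [(f["name"], a) for f in flows if "programmed" in f["status"]
            for a in f["actions"] if a.startswith(("copy ingress", "output interfaces"))]
    return out
```

Calling audit(parse_flows(text)) on captured output gives a short list to compare against the flows that are expected to mirror or steer traffic on that switch.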

shutdown (DirectFlow)

The shutdown command, in DirectFlow mode, disables DirectFlow on the switch. DirectFlow is disabled by default.

The no shutdown command re-enables DirectFlow.

Command Mode

Directflow Configuration

Command Syntax

shutdown

no shutdown

default shutdown

Examples
  • These commands enable DirectFlow on the switch.
    switch(config)# directflow
    switch(config-directflow)# no shutdown
    switch(config-directflow)#
  • This command disables the DirectFlow flow.
    switch(config-directflow-Test1)# shutdown

timeout (DirectFlow-flow mode)

The timeout command, in DirectFlow mode, configures the connection timeout period for connection sessions. The connection timeout period defines the interval between a user's most recently entered command and an automatic connection shutdown. Automatic connection timeout is disabled by setting the idle-timeout to zero, which is the default setting.

Command Mode

Directflow-flow Configuration

Command Syntax

no timeout hard

no timeout idle

Parameters
  • idle session idle timeout length.
    • 0 Automatic connection timeout is disabled.
    • 1-4294967295 Automatic timeout period (seconds).
  • hard session hard timeout length.
    • 0 Automatic connection timeout is disabled.
    • 1-4294967295
Examples
  • These commands enable a hard timeout period of 5 seconds on the switch.
    switch(config)# directflow 
    switch(config-directflow-Test1)# timeout hard 5
    switch(config-directflow-Test1)#
  • These commands remove the hard timeout from the flow.
    switch(config)# directflow
    switch(config-directflow-Test1)# no timeout hard
    switch(config-directflow-Test1)#