DirectFlow
Introduction
DirectFlow allows you to define flows consisting of conditions to match, and actions to perform, that are a superset of the OpenFlow 1.0 specification. DirectFlow runs alongside the existing L2/L3 forwarding plane, enabling a network architecture that incorporates new capabilities such as TAP aggregation and custom traffic engineering, alongside traditional forwarding models. DirectFlow does not require a controller or any third-party integration, as flows can be installed via the CLI.
DirectFlow exposes the underlying forwarding ASIC's capabilities through a programmable interface like eAPI or the standard CLI.
DirectFlow works in conjunction with all other aspects of standard Layer 2 or Layer 3 bridging or forwarding, and DirectFlow traffic is subject to the standard packet processing pipeline within the ASIC. You can think of DirectFlow as a stage in packet processing that processes traffic after ingress checks and before any egress actions.
DirectFlow enables you to configure flows that consist of matching criteria and actions, and to modify how traffic is processed, for example by overriding the L2 lookup decision or rewriting a MAC address or VLAN.
Features like MAC learning, STP state checks, ingress or egress VLAN membership checks on ports, ACLs, QoS, and others are all respected by DirectFlow. Traffic that does not match any programmed flow is processed normally, while traffic that matches programmed flows is now subject to the actions specified in the flows.
DirectFlow Flows
You can define a relative priority between flows and define idle or hard timeouts for the flow. DirectFlow also enables you to insert a flow entry that matches on specified criteria, and define actions to be taken on traffic that matches the specified matching conditions. You can define flows to match on TCP flags, IPv6 source and destination addresses, input ports, and more.
DirectFlow Non-persistent Flows
DirectFlow enables you to configure flows that are not visible in the startup or running configurations and do not persist over a reboot. This feature is designed to be used for flows that are configured by a custom agent using the EOS SDK or eAPI and age out (expire) after a specified time period.
For example, if you are using a custom agent that reacts to traffic sent to the CPU (the redirect to CPU action), and you want to use a flow that will drop all matching traffic for 5 minutes, the agent can program a non-persistent flow that expires after a hard timeout of 300 seconds.
Using a non-persistent flow for this purpose ensures that other administrator actions (for example, saving the configuration) do not result in the flow being resurrected on startup or reverting to the saved configuration. It also removes the need for the agent to delete the expired flow.
Supported Matches
DirectFlow supports all matches on VLAN, ether type, source or destination MAC address, COS, source or destination IP address, IP protocol, IP TOS, L4 source and destination ports, and ICMP type and code. It also supports the following matches:
- TCP flags
- IPv6 source address
- IPv6 destination address
- Traffic injected from the CPU
- Input port
DirectFlow also permits re-using the same flow on multiple input ports, saving valuable TCAM space.
Supported Actions
- Setting the source or destination MAC address
- VLAN
- COS
- IP TOS
- Transmit queue
- Output port list and mirroring traffic pre-modification (ingress mirror) and post-modification (egress mirror)
- Redirect to CPU
The redirect to CPU action is useful in cases in which a custom agent is running on EOS and you want to trap specific traffic (matching traffic) and send the trapped traffic to the agent.
DirectFlow Configuration
- DirectFlow takes effect ONLY after exiting the individual flow configuration sub-mode.
- Match criteria are connected with Boolean AND operators. Therefore they must all match for the condition to be true and action to be taken.
- The CLI automatically sets the ethertype match to IP if IP fields (such as source or destination address or L4 ports) are chosen as part of other match/action commands.
- In a single flow, only the following fields can be matched along with IPv4 or IPv6 source and destination addresses:
  - VLAN priority
  - VLAN ID
  - EtherType
  - Source interface
  - Class of Service (CoS)
Commands Used to Enable DirectFlow, Configure and Display Flows
A number of different commands are provided for the DirectFlow feature. The different commands enable you to enter the DirectFlow configuration mode, enable DirectFlow, configure flows, and display configured flows.
Enter the DirectFlow Configuration Mode
The directflow command places the switch in DirectFlow configuration mode.
switch(config)# directflow
switch(config-directflow)#
Enable DirectFlow
The shutdown (DirectFlow) command determines if the configuration takes effect or not. To enable DirectFlow, enter the following command.
switch(config-directflow)# no shutdown
Create the Flow
The flow (DirectFlow) command creates a new flow entry. It must be unique or it will be overwritten by an existing entry.
switch(config-directflow)# flow Test-1
switch(config-directflow-Test-1)#
Create the DirectFlow Match Criteria
The match (DirectFlow-flow mode) command allows you to configure a rule or a flow that matches on L2, L3, and L4 fields of a packet and specifies an action to modify, drop, or redirect the packet.
switch(config-directflow-Test-1)# match ethertype ip
switch(config-directflow-Test-1)# match source ip 10.10.10.10
Action Set
The action set (DirectFlow-flow mode) command allows you to configure a packet to be routed out a layer three interface using a DirectFlow entry.
switch(config-directflow-Test-1)# action egress mirror ethernet 7
switch(config-directflow-Test-1)# action set destination mac 0000.aaaa.bbbb
Finalize the Flow
DirectFlow flows do not take effect until you exit the configuration sub-mode for the specified flow. Use the exit command to finalize the flow and put it into effect.
switch(config-directflow-Test-1)# exit
switch(config-directflow)#
Redirect to CPU
The action output interface cpu (DirectFlow-flow mode) command allows you to configure flows so that traffic that matches the matching conditions specified in the flow is redirected to the CPU.
switch(config)# directflow
switch(config-directflow)# flow redirect-http-cpu
switch(config-directflow-redirect-http-cpu)# match ip protocol tcp
switch(config-directflow-redirect-http-cpu)# match destination port 80
switch(config-directflow-redirect-http-cpu)# action output interface cpu
Configuring a Non-persistent Flow
DirectFlow flows are persistent by default. Use the no persistent command to configure non-persistent flows.
switch(config)# directflow
switch(config-directflow)# flow example-non-persistent
switch(config-directflow-example-non-persistent)# match input interface ethernet 25
switch(config-directflow-example-non-persistent)# action drop
switch(config-directflow-example-non-persistent)# no persistent
switch(config-directflow-example-non-persistent)# timeout hard 300
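An added example (not Arista's code and not part of the original page): how a custom agent could build the eAPI `runCmds` request for the 5-minute drop flow shown above, ending with the `exit` that puts the flow into effect. The allowlist patterns, function names and request id are assumptions of this example, DirectFlow is assumed to be enabled already, and the code only builds the request body without sending it.

```python
import json
import re

# Agent-side allowlists (assumptions of this example, not EOS limits): values
# are checked before they are placed in a CLI command, so strings derived from
# observed traffic cannot carry extra commands into the session.
FLOW_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")
INTERFACE = re.compile(r"(ethernet|port-channel) \d+(/\d+){0,2}")
MAX_TIMEOUT = 4294967295  # upper bound of the timeout range listed on this page


def temporary_drop_flow(name, interface, hard_timeout):
    """Return the CLI commands for a non-persistent drop flow on one input interface."""
    if not FLOW_NAME.fullmatch(name):
        raise ValueError(f"bad flow name: {name!r}")
    if not INTERFACE.fullmatch(interface):
        raise ValueError(f"bad interface: {interface!r}")
    # A timeout of 0 disables expiry, which would leave the drop in place.
    if isinstance(hard_timeout, bool) or not isinstance(hard_timeout, int) \
            or not 1 <= hard_timeout <= MAX_TIMEOUT:
        raise ValueError("hard timeout must be 1..4294967295 seconds")
    return [
        "enable",
        "configure",
        "directflow",
        f"flow {name}",
        f"match input interface {interface}",
        "action drop",
        "no persistent",
        f"timeout hard {hard_timeout}",
        "exit",  # the flow takes effect only on leaving its sub-mode
    ]


def eapi_request(cmds, request_id="directflow-agent"):
    """Return the JSON-RPC 2.0 body for eAPI's runCmds method (POSTed to /command-api)."""
    return json.dumps({
        "jsonrpc": "2.0",
        "method": "runCmds",
        "params": {"version": 1, "cmds": cmds, "format": "json"},
        "id": request_id,
    })


if __name__ == "__main__":
    print(eapi_request(temporary_drop_flow("example-non-persistent", "ethernet 25", 300)))
```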
Display Details for Configured Flows
The detail option of the show directflow flows command enables you to display the details of configured flows. You can use this command to verify that a non-persistent flow is deleted after the timeout period configured for the flow has elapsed.
The following example shows the use of this command to view the configuration of a non-persistent flow before the timeout period has elapsed, and a second time, after the timeout period has expired.
The initial use of the command displays the flow configuration (before the timeout expires).
switch(config-directflow)# show directflow flows example-non-persistent detail
Flow example-non-persistent: (Flow programmed)
persistent: False
priority: 0
hard timeout: 300
idle timeout: 0
match:
ingress interface:
Et25
actions:
drop
matched: 0 packets, 0 bytes
The second use of the command displays the flow details (after the timeout expires). The output shows that the flow is no longer programmed.
switch(config-directflow)# show directflow flows example-non-persistent detail
Flow example-non-persistent: (Flow not programmed)
persistent: False
priority: 0
hard timeout: 300
idle timeout: 0
match:
ingress interface:
Et25
actions:
drop
matched: 0 packets, 0 bytes
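An added example, not part of the original page or of EOS: a check an agent or auditor could run over `show directflow ... detail` output to confirm that a timed-out flow is no longer programmed, and to list flows that were rejected or that copy traffic to a mirror destination. The sample text is constructed from the field names and status strings shown on this page, and the function names are assumptions.

```python
import re

# Constructed sample modelled on the `show directflow ... detail` output on
# this page; field names and status strings are taken from that output.
SAMPLE = """\
Flow example-non-persistent: (Flow not programmed)
  persistent: False
  priority: 0
  hard timeout: 300
  idle timeout: 0
  match:
    ingress interface:
      Et25
  actions:
    drop
  matched: 0 packets, 0 bytes
Flow test-1: (Flow programmed)
  persistent: True
  priority: 0
  hard timeout: 0
  idle timeout: 0
  match:
    ingress interface: Et10
    VLAN ID: 10
  actions:
    copy ingress to mirror dest interfaces: Ethernet1
    forward normally
  source: config
  matched: 0 packets, 0 bytes
Flow test-2: (Flow rejected due to invalid match criteria)
  persistent: True
  priority: 0
  hard timeout: 0
  idle timeout: 0
  match:
    Ethernet type: IPv4
    IPv4 protocol: ICMP
  actions:
    forward normally
  source: config
  matched: 0 packets, 0 bytes
"""

HEADER = re.compile(r"^Flow (\S+):(?: \((.+)\))?$")
SCALARS = {"persistent", "priority", "hard timeout", "idle timeout"}


def parse_flows(text):
    """Return {flow_name: record}; indentation is ignored on purpose."""
    flows, cur, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"status": m.group(2), "match": [], "actions": []}
            flows[m.group(1)] = cur
            section = None
        elif cur is None or not line:
            continue  # blank line, or prompt text before the first flow
        elif line in ("match:", "actions:"):
            section = line[:-1]
        elif line.startswith(("matched:", "source:")):
            section = None
        elif section:
            cur[section].append(line)
        else:
            key, _, value = line.partition(":")
            if key in SCALARS:
                cur[key] = value.strip()
    return flows


def is_programmed(flows, name):
    """True only when the switch reports the named flow as programmed."""
    flow = flows.get(name)
    return flow is not None and flow["status"] == "Flow programmed"


def review(flows):
    """Return (flow, finding) pairs that deserve an operator's attention."""
    findings = []
    for name, f in flows.items():
        status = f["status"] or ""
        live = status == "Flow programmed"
        if status.startswith("Flow rejected"):
            findings.append((name, status))
        if live and any("mirror" in a for a in f["actions"]):
            findings.append((name, "copies traffic to a mirror destination"))
        if live and f.get("persistent") == "False" and \
                f.get("hard timeout") == f.get("idle timeout") == "0":
            findings.append((name, "non-persistent with no timeout set"))
    return findings
```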
DirectFlow Feature Interactions
- A set of egress ports for sending a matched packet
- Copy to CPU
- Redirect to CPU
- Drop
- No specified action (in this case, the traffic is output normally).
The only exception is the ingress or egress mirroring action, where the DirectFlow entry causes the packet to be mirrored.
When the ingress or egress packets are mirrored, the original traffic is sent out normally.
Bridging Features
- DirectFlow entries have precedence over all entries in the MAC table, including static MAC entries and static MAC drop entries. Packets that do not match DirectFlow entries are forwarded based on the MAC address table.
- VLANs: DirectFlow entries can modify the VLAN of a packet. MAC learning takes place in the original VLAN for DirectFlow entries that modify the VLAN. The modified packet will be subject to VLAN membership checks on the egress port. If a packet has no VLAN tag, DirectFlow assumes it came in on the native VLAN for the ingress interface. A VLAN override causes the packet to obey the VLAN rules on the egress port.
- Q-in-Q: Q-in-Q is supported as DirectFlow entries match only on the outer tag.
- Counters: All packets that match DirectFlow entries cause interface counters to increment as usual.
Spanning Tree
DirectFlow runs alongside MSTP, RSTP, and PVST. DirectFlow entries do not match on packets that ingress an STP discarding port. DirectFlow entries that cause a packet to be forwarded out an STP discarding port will result in the packets being dropped on egress.
When STP is enabled, BPDUs will always be trapped to the CPU. When STP is disabled, BPDUs will be subject to DirectFlow entries and not be copied to the CPU by default.
LLDP, LAGs, and LACP
- LLDP packets are always trapped to the CPU. DirectFlow entries can never match LLDP packets.
- LAGs are fully supported, and can be part of a match criteria and part of an output action to an interface.
- LACP packets are always trapped to CPU. DirectFlow entries can never match LACP packets.
sFlow
sFlow is unaffected by DirectFlow.
IGMP Snooping
IGMP control packets are trapped to the CPU when IGMP Snooping is enabled. DirectFlow entries can match IGMP Snooping control traffic and override the trap to CPU.
Link-local-multicast packets are flooded in hardware in the VLAN via a TCAM entry. DirectFlow entries can match link-local-multicast packets and change the flooding behavior. As DirectFlow entries have to specify output interfaces or drop, the action will conflict and so matching DirectFlow entries will get precedence.
When IGMP snooping is enabled, unknown IPv4 multicast packets are flooded to the multicast-router ports in the VLAN. If DirectFlow entries match unknown IPv4 multicast packets, they will override the flooding behavior.
Data packets in groups under IGMP snooping control are sent to the group members through a MAC table entry. Matching DirectFlow entries override the MAC table entries.
ACLs
DirectFlow entries are lower priority than any configured Port ACLs (ingress). Packets coming in on a port that match DirectFlow entries obey any ACL configured on that port, and the DirectFlow entries apply only to packets that the ACL permits.
DirectFlow entries are higher priority than any configured RACLs. Packets coming in on an L3 interface that match DirectFlow entries ignore any RACLs configured on that interface.
DirectFlow entries are lower priority than any configured Egress ACLs.
Layer Three Features and DirectFlow
DirectFlow runs alongside IP routing. If a packet is routed out a layer three interface using a DirectFlow entry, the actions associated with the entry will have to specify the new source MAC and destination MAC for the packet, as well as the physical port or LAG. If there are no output ports specified in an entry, packets that match that entry will be dropped.
Unicast Routing
When unicast routing is enabled, DirectFlow entries that match take precedence for all packets that would otherwise have been routed. The three exceptions are the ingress mirror, egress mirror and copy-to-CPU actions, where the packets will be routed normally in addition to the action being performed. Routed packets that do not match DirectFlow entries are forwarded based on the L3 lookup.
Multicast Routing
When multicast routing is enabled, DirectFlow entries that match take precedence for all packets that would have otherwise been multicast routed. The packets are not replicated based on the hardware multicast tables, but are forwarded strictly according to the actions specified by the DirectFlow entry. The entry can specify a set of output interfaces, which will result in the packet being replicated based on the DirectFlow entry.
Displaying DirectFlow Configurations
- This example shows the status of a default (persistent) flow.
switch(config-directflow)# show directflow flows
Flow Test1:
priority: 0
match:
ingress interface: Ethernet1
ethertype ip
source ip address: 10.10.10.10
actions:
output mirror: Ethernet2
matched: 0 packets, 0 bytes
switch(config-directflow)#
- This example shows the status of a non-persistent flow. The flow will be deleted once 5 minutes have elapsed.
switch(config-directflow)# show directflow flows example-non-persistent
Flow example-non-persistent:
persistent: False
priority: 0
hard timeout: 300
idle timeout: 0
match:
ingress interface: Et25
actions:
drop
matched: 0 packets, 0 bytes
DirectFlow Commands
DirectFlow Global Configuration Mode
DirectFlow Configuration Commands
- action drop (DirectFlow-flow mode)
- action mirror (DirectFlow-flow mode)
- action output (DirectFlow-flow mode)
- action output interface cpu (DirectFlow-flow mode)
- action set (DirectFlow-flow mode)
- flow (DirectFlow)
- match (DirectFlow-flow mode)
- persistent
- priority (DirectFlow-flow mode)
- shutdown (DirectFlow)
- timeout (DirectFlow-flow mode)
DirectFlow and Clear Commands
action drop (DirectFlow-flow mode)
The action drop command configures packets that match an entry to be dropped.
The no action drop and default action drop commands remove the statement from the DirectFlow configuration mode.
Command Mode
Directflow-flow Configuration
Command Syntax
action drop
no action drop
default action drop
switch(config-directflow-Test-1)# action drop
switch#
action mirror (DirectFlow-flow mode)
The action mirror command can be used to ingress or egress mirror traffic to a mirror destination. This requires a mirror destination to be set up on the switch. If a packet comes in or goes out an interface that is part of another mirror session, then the destination for that session as well as the DirectFlow destination will receive a copy of the packet.
The no action mirror and default action mirror commands remove the statement from DirectFlow configuration mode.
Command Mode
Directflow-flow Configuration
Command Syntax
action DIRECTION mirror INT_NAME
no action DIRECTION mirror INT_NAME
default action DIRECTION mirror INT_NAME
- DIRECTION transmission direction of traffic to be mirrored.
  - ingress mirrors before any rewrites.
  - egress mirrors after rewrites.
- INT_NAME Source interface for the mirroring session.
  - ethernet e_range Ethernet interfaces specified by e_range.
  - port-channel p_range Port channel interfaces specified by p_range.
switch(config-directflow)# flow Test1
switch(config-directflow-Test1)# match ethertype ip
switch(config-directflow-Test1)# match source ip 10.10.10.10
switch(config-directflow-Test1)# action egress mirror ethernet 2
switch(config-directflow-Test1)#
action output (DirectFlow-flow mode)
The action output command configures an Ethernet or port channel interface as the output of a specified port mirroring session.
The no action output and default action output commands remove the statement from DirectFlow configuration mode.
Command Mode
Directflow-flow Configuration
Command Syntax
action output DESTINATION
no action output DESTINATION
default action output DESTINATION
Parameters
- all mirrors transmitted and received traffic.
- flood mirrors received traffic only.
- interface ethernet e_range Ethernet interfaces specified by e_range.
- interface port-channel p_range Port channel interfaces specified by p_range.
- nexthop vrf vrf_name ip_addr. If the next hop is reachable in the default VRF, the default VRF does not need to be specified.
- This command configures interface ethernet 7 as the output for the mirroring session.
switch(config-directflow-Test1)# action output interface ethernet 7
switch(config-directflow-Test1)#
- The following commands configure a flow redirecting all traffic from 10.10.1.2 to the 10.30.1.2 next hop, assuming an appropriately configured TCAM profile.
switch(config-directflow)# flow flow-sip-10_10_1_2-redirect-to-10_30_1_2
switch(config-directflow-Test1)# match ethertype ip
switch(config-directflow-Test1)# match source ip 10.10.1.2
switch(config-directflow-Test1)# action output nexthop 10.30.1.2
switch(config-directflow-Test1)#
action output interface cpu (DirectFlow-flow mode)
The action output interface cpu command configures the action (other commands are used to define the traffic matching conditions).
The no action output interface cpu and default action output commands remove the statement from DirectFlow configuration mode.
Command Mode
Directflow-flow Configuration
Command Syntax
action output DESTINATION
no action output DESTINATION
default action output DESTINATION
Parameters
- all mirrors transmitted and received traffic.
- flood mirrors received traffic only.
- interface cpu Ethernet interfaces specified by e_range.
- This command configures interface ethernet 7 as the output for the mirroring session.
switch(config-directflow-Test1)# action output interface ethernet 7
switch(config-directflow-Test1)#
- These commands configure the action to redirect traffic matching the flow to the CPU and the matching conditions for the flow.
switch(config)# directflow
switch(config-directflow)# flow redirect-http-cpu
switch(config-directflow-redirect-http-cpu)# match ip protocol tcp
switch(config-directflow-redirect-http-cpu)# match destination port 80
switch(config-directflow-redirect-http-cpu)# action output interface cpu
action set (DirectFlow-flow mode)
The action set command allows you to configure a packet to be routed out a layer three interface using a DirectFlow entry. The actions associated with the entry will have to specify the new source MAC and destination MAC for the packet, as well as the physical port or LAG. If there are no output ports specified in an entry, packets that match that entry will be dropped.
The no action set and default action set commands remove the action set statement from DirectFlow configuration mode.
Command Mode
Directflow-flow Configuration
Command Syntax
action set CONDITION
no action set CONDITION
default action set CONDITION
Parameters
- cos 0 to 7 Class of service.
- destination mac mac_addr Dotted hex notation.
- ip tos 0 to 255 Type of service.
- source mac mac_addr Dotted hex notation.
- traffic-class 0 to 7 Dotted hex notation.
- vlan 0 to 4094 Number of VLAN.
The no action set and default action set commands require only the CONDITION type without a specific condition value.
switch(config-directflow)# flow Test1
switch(config-directflow-Test1)# action egress mirror ethernet 7
switch(config-directflow-Test1)# action set destination mac 0000.aaaa.bbbb
directflow
The directflow command places the switch in DirectFlow configuration mode.
The no directflow and default directflow commands delete the DirectFlow configuration mode statements from running-config.
DirectFlow configuration mode is not a group change mode; running-config is changed immediately upon entering commands. The exit command returns the switch to global configuration mode.
Command Mode
Global Configuration
Command Syntax
directflow
no directflow
default directflow
- This command places the switch in DirectFlow configuration mode.
switch(config)# directflow
switch(config-directflow)#
- This command returns the switch to global configuration mode.
switch(config-directflow)# exit
switch(config)#
flow (DirectFlow)
The flow command places the switch in flow configuration mode.
- The exit command saves pending changes to running-config and returns the switch to DirectFlow configuration mode. Changes are also saved by entering a different configuration mode.
- The abort command discards pending changes, returning the switch to DirectFlow configuration mode.
The no flow and default flow commands delete the specified flow by removing the flow and its statements from running-config.
Command Mode
DirectFlow Configuration
Command Syntax
flow flow_name
no flow flow_name
default flow flow_name
Parameter
flow_name Name of flow.
match (DirectFlow-flow mode)
The match command allows you to configure a rule or a flow that matches on L2, L3, and L4 fields of a packet and specifies an action to modify, drop, or redirect the packet.
All traffic ingressing on the switch will be matched against the flows installed. In cases where none of the packets match, normal switching or routing behavior will take over. When multiple entries match a packet, precedence is given to the entry that was installed first.
The no match and default match commands remove the match statement from the configuration mode.
Command Mode
Directflow-flow Configuration
Command Syntax
match CONDITION
no match CONDITION
default match CONDITION
Parameters
- cos 0 to 7 Class of service.
- destination ip ipv4_sub destination IPv4 subnet. L3 fields valid only if ethertype is IP (0x0800).
- destination mac mac_addr Add to the existing community. Dotted hex notation.
- destination mac mac_addr mask mac_mask Add to the existing community. Dotted hex notation.
- destination port 0 to 65535 Fields accepted only if protocol is TCP|UDP.
- ethertype 0 to 65535 Layer 4 destination port.
- ethertype ARP Layer 4 destination port.
- ethertype IP Layer 4 destination port.
- icmp code 0 to 255 Fields accepted only if protocol is ICMP.
- icmp type 0 to 255 Fields accepted only if protocol is ICMP.
- input interface ethernet e_num Ethernet interface specified by e_num.
- input interface port-channel p_num Port channel interface specified by p_num.
- ip protocol 0 to 255 Type of service.
- ip protocol icmp L3 fields valid only if ethertype is IP (0x0800).
- ip protocol tcp L3 fields valid only if ethertype is IP (0x0800).
- ip protocol udp L3 fields valid only if ethertype is IP (0x0800).
- ip tos 0 to 255 L3 fields valid only if ethertype is IP (0x0800).
- source ip ipv4_subnet L3 fields valid only if ethertype is IP (0x0800).
- source mac mac_addr Add to the existing community. Dotted hex notation.
- source mac mac_addr mask mac_mask Add to the existing community. Dotted hex notation.
- source port 0 to 65535 Fields accepted only if protocol is TCP|UDP.
- tcp flag ack Layer 4 destination port.
- tcp flag fin Layer 4 destination port.
- tcp flag psh Layer 4 destination port.
- tcp flag rst Layer 4 destination port.
- tcp flag syn Layer 4 destination port.
- tcp flag urg Layer 4 destination port.
- vlan 1 to 4094 mask 1 to 4095 Number of VLAN.
The no match and default match commands require only the CONDITION type without a specific condition value.
switch(config-directflow)# flow Test1
switch(config-directflow-Test1)# persistent
switch(config-directflow-Test1)# match ethertype ip
switch(config-directflow-Test1)# match source ip 10.10.10.10
persistent
DirectFlow flows are persistent by default. Once finalized, they appear in the running configuration, and if saved to startup config they will persist over a reboot. The no form of the persistent command prevents the flow from showing up in running config, ensuring that it will not persist over a reboot.
Command Mode
Directflow-flow Configuration
Command Syntax
persistent
no persistent
switch(config)# directflow
switch(config-directflow)# flow example-non-persistent
switch(config-directflow-example-non-persistent)# match input interface ethernet 25
switch(config-directflow-example-non-persistent)# action drop
switch(config-directflow-example-non-persistent)# no persistent
switch(config-directflow-example-non-persistent)# timeout hard 300
switch(config-directflow-example-non-persistent)# exit
switch(config-directflow)#
priority (DirectFlow-flow mode)
The priority command sets the priority for the flow match rules. Each flow-table entry has an optional priority field, with a higher number indicating a higher priority. Flows with the same priority may be loaded in any order, and the order may be changed at any time. If multiple entries match a packet, precedence is given to the entry that was installed first.
Priority numbers range from 0 to 65535. The default is 0. The higher priority rules match first.
The no priority and default priority commands remove the priority statement from the DirectFlow configuration mode.
Command Mode
Directflow-flow Configuration
Command Syntax
priority priority_value
no priority
default priority
Parameter
priority_value priority xxx. Value ranges from 0 to 65535. Default is 0.
switch(config-directflow-Test-1)# priority 150
switch(config-directflow-Test-1)#
show directflow
The show directflow command displays summary information for DirectFlow. With the counters or details options, it displays counters or details for all flows configured on the switch.
Command Mode
EXEC
Command Syntax
show directflow [counters | details]
- This command displays summary information for DirectFlow.
switch# show directflow
DirectFlow configuration: Enabled
Total matched: 0 packets
Total programmed flows: 3 flows
switch#
- This command displays counters for all DirectFlow flows configured on the switch.
switch# show directflow counters
Flow Name  Source  Matched packets  Matched bytes
---------  ------  ---------------  -------------
test3      config  0                0
test2      config  0                0
test1      config  0                0
Total matched packets: 0
switch>
- This command displays details for all DirectFlow flows configured on the switch.
switch# show directflow detail
Flow test3: (Flow programmed)
persistent: True
priority: 0
priorityGroupType: default
tableType: ifp
hard timeout: 0
idle timeout: 0
match:
Ethernet type: 0x86dd
source IPv6 address: fcaa::/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
actions:
output interfaces: Et32
source: config
matched: 0 packets, 0 bytes
Flow test2: (Flow programmed)
persistent: True
priority: 0
priorityGroupType: default
tableType: ifp
hard timeout: 0
idle timeout: 0
match:
Ethernet type: IPv4
source IPv4 address: 10.1.2.12/255.255.255.255
IPv4 protocol: TCP
destination TCP/UDP port or ICMP type: 8080
actions:
output interfaces: Et3/1
source: config
matched: 0 packets, 0 bytes
Flow test1: (Flow programmed)
persistent: True
priority: 0
priorityGroupType: default
tableType: ifp
hard timeout: 0
idle timeout: 0
match:
ingress interface: Et1/1
actions:
output interfaces: Et2/1
source: config
matched: 0 packets, 0 bytes
Flows: 3 programmed, 0 rejected
switch#
show directflow flows
The show directflow flows command displays the contents of the flow table, showing each entry with its match rules, actions, and packet counters. Including the name of a specific flow limits the output to information about the specified flow.
Command Mode
EXEC
Command Syntax
show directflow flows [flow_name [counters | detail]]
- flow_name name of flow for which to display information. If no flow name is entered, command displays information for all flows.
- counters displays DirectFlow counters for the specified flow.
- detail displays detailed information for the specified flow.
- This command displays the contents of the flow table.
switch# show directflow flows
Flow test3:
persistent: True
priority: 0
priorityGroupType: default
tableType: ifp
hard timeout: 0
idle timeout: 0
match:
Ethernet type: 0x86dd
source IPv6 address: fcaa::/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
actions:
output interfaces: Et32
source: config
matched: 0 packets, 0 bytes
Flow test2:
persistent: True
priority: 0
priorityGroupType: default
tableType: ifp
hard timeout: 0
idle timeout: 0
match:
Ethernet type: IPv4
source IPv4 address: 10.1.2.12/255.255.255.255
IPv4 protocol: TCP
destination TCP/UDP port or ICMP type: 8080
actions:
output interfaces: Et3/1
source: config
matched: 0 packets, 0 bytes
Flow test1:
persistent: True
priority: 0
priorityGroupType: default
tableType: ifp
hard timeout: 0
idle timeout: 0
match:
ingress interface: Et1/1
actions:
output interfaces: Et2/1
source: config
matched: 0 packets, 0 bytes
switch#
- This command displays information about flow test-1.
switch# show directflow flows test-1
Flow test1:
persistent: True
priority: 0
priorityGroupType: default
tableType: ifp
hard timeout: 0
idle timeout: 0
match:
ingress interface: Et1/1
actions:
output interfaces: Et2/1
source: config
matched: 0 packets, 0 bytes
switch#
- This command displays detailed information for flow test-1.
switch# show directflow flows test-1 detail
switch>show directflow flows test1 detail
Flow test1: (Flow programmed)
persistent: True
priority: 0
priorityGroupType: default
tableType: ifp
hard timeout: 0
idle timeout: 0
match:
ingress interface: Et1/1
source Ethernet address: 00:aa:aa:aa:aa:aa/ff:ff:ff:ff:ff:ff
VLAN ID: 10
actions:
output interfaces:
copy ingress to mirror dest interfaces: Ethernet1
forward normally
source: config
matched: 0 packets, 0 bytes
switch#
- This command displays detailed information for all flows regardless of their status as installed, rejected, configured or others.
switch# show directflow detail
Flow test-3: (Flow programmed)
persistent: False
priority: 0
priorityGroupType: default
hard timeout: 0
idle timeout: 0
match:
ingress interface: Et11
actions:
copy ingress to mirror dest interfaces: Ethernet1
forward normally
source: config
matched: 0 packets, 0 bytes
Flow test-1: (Flow programmed)
persistent: True
priority: 0
priorityGroupType: default
hard timeout: 0
idle timeout: 0
match:
ingress interface: Et10
source Ethernet address: 00:aa:aa:aa:aa:aa/ff:ff:ff:ff:ff:ff
VLAN ID: 10
actions:
copy ingress to mirror dest interfaces: Ethernet1
forward normally
source: config
matched: 0 packets, 0 bytes
Flow test-2: (Flow rejected due to invalid match criteria)
persistent: True
priority: 0
priorityGroupType: default
hard timeout: 0
idle timeout: 0
match:
Ethernet type: IPv4
IPv4 protocol: ICMP
source TCP/UDP port or ICMP type: 3
destination TCP/UDP port or ICMP type: 6
actions:
copy ingress to mirror dest interfaces: Ethernet1
forward normally
source: config
matched: 0 packets, 0 bytes
Flows: 2 programmed, 1 rejected
switch#
- This command displays counters for flow test-1.
switch# show directflow flows test-1 counters
Flow Name  Source  Matched packets  Matched bytes
---------  ------  ---------------  -------------
test1      config  0                0
switch#
- This command displays match counters per flow.
switch# show directflow counters
Flow Name  Source  Matched packets  Matched bytes
---------  ------  ---------------  -------------
test1      config  0                146
Total matched packets: 1
switch#
shutdown (DirectFlow)
The shutdown command, in DirectFlow mode, disables DirectFlow on the switch. DirectFlow is disabled by default.
The no shutdown command re-enables DirectFlow.
Command Mode
Directflow Configuration
Command Syntax
shutdown
no shutdown
default shutdown
- These commands enable DirectFlow on the switch.
switch(config)# directflow
switch(config-directflow)# no shutdown
switch(config-directflow)#
- This command disables DirectFlow.
switch(config-directflow-Test1)# shutdown
timeout (DirectFlow-flow mode)
The timeout command, in DirectFlow mode, configures the connection timeout period for connection sessions. The connection timeout period defines the interval between a user's most recently entered command and an automatic connection shutdown. Automatic connection timeout is disabled by setting the idle-timeout to zero, which is the default setting.
Command Mode
Directflow-flow Configuration
Command Syntax
no timeout hard
no timeout idle
- idle session idle timeout length.
  - 0 Automatic connection timeout is disabled.
  - 1-4294967295 Automatic timeout period (seconds).
- hard session hard timeout length.
  - 0 Automatic connection timeout is disabled.
  - 1-4294967295
- These commands enable a hard timeout period of 5 seconds on the switch.
switch(config)# directflow
switch(config-directflow-Test1)# timeout hard 5
switch(config-directflow-Test1)#
- These commands enable DirectFlow on the switch.
switch(config)# directflow
switch(config-directflow-Test1)# no timeout hard
switch(config-directflow-Test1)#