Handling traffic by VLAN

The vlan group data has been moved from UDR to SDR. Global rules for vlan drop, vlan pass, vlan hide, vlan permit, configured previously by the vlan group CLI command, have been converted and moved from UDR to SDR with removal from UDR.

Drop traffic without analysis from a specific VLAN:
```
fdpi_cli vlan rule add <id> perm drop
```
Drop traffic after preliminary analysis, but without sending it to NetFlow statistics from a specific VLAN (used for working with asymmetric traffic, when duplicated traffic from another site is delivered to the site. It is necessary to analyze and drop the traffic so that it does not get into statistics):
```
fdpi_cli vlan rule add <id> perm hide
```
Pass traffic without any analysis from a specific VLAN:
```
fdpi_cli vlan rule add <id> perm pass
```
Display existing settings in UDR:
```
fdpi_cli vlan rule dump
```
Example of command output:
```
# fdpi_cli vlan rule dump 
1000  perm hide
2000  perm drop
3000  perm pass
4000  perm hide
```
In this example, you can see that all protocols related to VLAN 1000 and 4000 fall under the hide rule, that is, traffic from one site is duplicated to another site; VLAN 2000 — traffic is dropped, VLAN 3000 — traffic is passed.

For more details, see Configuring Service-Name for VLAN

VLAN Rule

VLAN Rule allows flexible management of network traffic at the VLAN and QinQ level, assigning specific packet processing policies for individual VLANs, VLAN ranges, or QinQ tunnels.

Rule Types

The following rule types are supported:

dhcp — controls the processing of DHCP requests.
- dhcp enable — allow processing of DHCP requests in this VLAN/QinQ.
- dhcp disable — prohibit DHCP processing. All DHCP packets in this VLAN/QinQ will be dropped.
perm — defines the basic processing of all traffic in the VLAN/QinQ.
- drop — completely drop all packets.
- pass / accept — pass packets for further processing in the system.
- hide — (system-specific action, e.g., hide VLAN from broadcast queries).

Syntax for Describing VLAN/QinQ Ranges

Rules apply to ranges specified in the following format:

For a single VLAN: 156
For a VLAN range: 56-78 (VLANs 56 through 78 inclusive)
For any VLAN: * or any
For QinQ:
- 67.* or 67.any — S-VLAN=67, any C-VLAN.
- *.68 or any.68 — any S-VLAN, C-VLAN=68.
- *.* or any.any — any QinQ.
- 12-156.78-90 — S-VLAN range [12..156], C-VLAN range [78..90].
- 609.1-199 — S-VLAN=609, C-VLAN range [1..199].

Rules for regular VLANs (67) and QinQ (67.*) are independent and do not intersect.

Rule Priority

If the ranges of multiple rules intersect, the system determines the final action based on the principle "from general to specific":

Rules with the broadest ranges (e.g., 1-4095 or any.any) are applied first.
Rules with narrower ranges (e.g., 100-200) can then override the action set by general rules.

Example:
The following rules will create a policy: "Disable DHCP for all VLANs in the range 300-700, but enable it for VLAN 645 and the range 430-439".

vlan rule add 300-700 dhcp disable
vlan rule add 645 dhcp enable
vlan rule add 430-439 dhcp enable

Management

vlan rule add — adding a new rule to SDR
vlan rule modify — modifying an existing rule in SDR
vlan rule delete — deleting a rule from SDR
vlan rule show — shows all rules for the specified VLAN/QinQ
vlan rule dump — outputs a dump of all rules in SDR
vlan rule purge vlan/qinq/all — clears SDR VLAN/QinQ or both
vlan rule apply — applies rules; by default, rules are applied 5 minutes after the last SDR modification

When using * in CLI for QinQ ranges, it is recommended to enclose the expression in quotes (e.g., '*.68' ) or use the keyword any (e.g., any.68) to avoid incorrect interpretation of the * character by the bash shell.

Change Application Specifics: Rule changes made by the add, modify, or delete commands are saved to SDR and automatically applied by the system 5 minutes after the last modification. The vlan rule apply command allows forcing their application, but no more than once per minute.