Handling traffic by VLAN

1. Drop traffic without analysis from a specific VLAN:

   fdpi_cli vlan group <id> drop

2. Dropping traffic with preliminary analysis, but without transferring it to Netflow statistics from a specific VLAN (Used to deal with asymmetric traffic when a site receives a double of traffic from another site. It is necessary to analyze and drop the traffic so that it is not included in the statistics):

   fdpi_cli vlan group <id> hide

3. Passing traffic without any analysis from a specific VLAN:

   fdpi_cli vlan group <id> pass

4. Display existing settings in the UDR:

   fdpi_cli vlan group 0 show all

   Example output of the command:

   fdpi_cli vlan group 0 show all
   <proto> <vlan> <service-name> <policy> <delay>
   all 4000 *  hide 0
   all 4002 *  hide 0
   all 4003 *  hide 0

   In this example, you can see that all protocols belonging to VLAN 4000, 4002, 4003 are affected by hide, that is, traffic from one site is duplicated to another site.

5. Output all properties for a group with a specific id:

   fdpi_cli vlan group <id> show all

   Here id is the number of the VLAN for which you want to output Service-Name information.

VLAN Rule allows flexible management of network traffic at the VLAN and QinQ level, assigning specific packet processing policies for individual VLANs, VLAN ranges, or QinQ tunnels.

The following rule types are supported:

• dhcp — controls the processing of DHCP requests.
  • dhcp enable — allow processing of DHCP requests in this VLAN/QinQ.
  • dhcp disable — prohibit DHCP processing. All DHCP packets in this VLAN/QinQ will be dropped.
• perm — defines the basic processing of all traffic in the VLAN/QinQ.
  • drop — completely drop all packets.
  • pass / accept — pass packets for further processing in the system.
  • hide — (system-specific action, e.g., hide VLAN from broadcast queries).

Rules apply to ranges specified in the following format:

• For a single VLAN: 156
• For a VLAN range: 56-78 (VLANs 56 through 78 inclusive)
• For any VLAN: * or any
• For QinQ:
  • 67.* or 67.any — S-VLAN=67, any C-VLAN.
  • *.68 or any.68 — any S-VLAN, C-VLAN=68.
  • *.* or any.any — any QinQ.
  • 12-156.78-90 — S-VLAN range [12..156], C-VLAN range [78..90].
  • 609.1-199 — S-VLAN=609, C-VLAN range [1..199].

If the ranges of multiple rules intersect, the system determines the final action based on the principle "from general to specific":

1. Rules with the broadest ranges (e.g., 1-4095 or any.any) are applied first.
2. Rules with narrower ranges (e.g., 100-200) can then override the action set by general rules.

Example:
The following rules will create a policy: "Disable DHCP for all VLANs in the range 300-700, but enable it for VLAN 645 and the range 430-439".

vlan rule add 300-700 dhcp disable
vlan rule add 645 dhcp enable
vlan rule add 430-439 dhcp enable

• vlan rule add — adding a new rule to SDR
• vlan rule modify — modifying an existing rule in SDR
• vlan rule delete — deleting a rule from SDR
• vlan rule show — shows all rules for the specified VLAN/QinQ
• vlan rule dump — outputs a dump of all rules in SDR
• vlan rule purge vlan/qinq/all — clears SDR VLAN/QinQ or both
• vlan rule apply — applies rules; by default, rules are applied 5 minutes after the last SDR modification

Change Application Specifics: Rule changes made by the add, modify, or delete commands are saved to SDR and automatically applied by the system 5 minutes after the last modification. The vlan rule apply command allows forcing their application, but no more than once per minute.