1. Drop traffic without analysis from a specific VLAN:

   fdpi_cli vlan rule add <id> perm drop

2. Drop traffic with prior analysis but without NetFlow export from a specific VLAN (used for asymmetric traffic scenarios where duplicate traffic from another site is delivered to the node. Traffic must be analyzed and dropped so it does not enter statistics):

   fdpi_cli vlan rule add <id> perm hide

3. Pass traffic without any analysis from a specific VLAN:

   fdpi_cli vlan rule add <id> perm pass

4. Display current settings in SDR:

   fdpi_cli vlan rule dump

Added the ability to filter output by rule type:

Format:

vlan rule dump [type]

type — rule type: perm, dhcp, all (default)

Examples:

vlan rule dump perm

vlan rule dump dhcp

vlan rule dump

VLAN Rule provides flexible traffic management at the VLAN and QinQ level, allowing assignment of packet processing policies for individual VLANs, VLAN ranges, or QinQ tunnels.

The following rule types are supported:

• dhcp — controls DHCP request processing.
  • dhcp enable — allow DHCP processing in this VLAN/QinQ.
  • dhcp disable — disable DHCP processing. All DHCP packets in this VLAN/QinQ will be dropped.

• perm — defines the base processing behavior for all traffic in a VLAN/QinQ.
  • drop — fully drop all packets. Packets are not processed further and are not included in NetFlow statistics.
  • pass — pass packets without processing. Packets are included in NetFlow statistics.
  • accept — pass packets for full system processing. Packets are included in NetFlow statistics.
  • hide — packets go through internal processing stages (with exceptions) but are dropped after processing. In this case:
    • packets are not included in NetFlow statistics;
    • services 9, 12, 15, 18, NAT, and policing (global and per-channel) are not applied;
    • packets are not recorded via ajb — IPFIX, SIP, FTP, etc.

PPPoE traffic processing support has been added to VLAN rules.

PPPoE rules:

vlan rule add <Range> pppoe [enable | drop | pass | delay N]

PPPoE rules with Service-Name filtering:

vlan rule add <Range> pppoe sname <Service-Name> [enable | drop | pass | delay N]

Permissions:

• enable — allow PPPoE processing
• drop — drop PPPoE packets
• pass — pass PPPoE packets without processing
• delay N — establish PPPoE session with N-second delay (0 < N < 16)

Rules are applied to ranges defined as follows:

• Single VLAN: 156
• VLAN range: 56-78
• Any VLAN: * or any
• QinQ:
  • 67.* or 67.any — S-VLAN=67, any C-VLAN
  • *.68 or any.68 — any S-VLAN, C-VLAN=68
  • *.* or any.any — any QinQ
  • 12-156.78-90 — S-VLAN range [12..156], C-VLAN range [78..90]
  • 609.1-199 — S-VLAN=609, C-VLAN range [1..199]

If rule ranges overlap, the system determines the final action using a "from general to specific" approach:

1. First, rules with the widest ranges are applied (e.g., 1-4095 or any.any)
2. Then more specific rules may override them

Example:

vlan rule add 300-700 dhcp disable
vlan rule add 645 dhcp enable
vlan rule add 430-439 dhcp enable

• vlan rule add — add a new rule to SDR
• vlan rule modify — modify an existing rule in SDR
• vlan rule delete — delete a rule from SDR
• vlan rule show — display all rules for a VLAN/QinQ
• vlan rule dump — output rules from SDR
• vlan rule purge vlan/qinq/all — clear VLAN/QinQ rules in SDR or both
• vlan rule apply — force rule application (no more than once per minute)

Change application behavior: changes are stored in SDR and automatically applied after 5 minutes since the last modification.