.. acls.rst revision 7fa3dd28

.. _aclwithvpp:

Access Control Lists (ACLs) with FD.io VPP
==========================================

This section is an overview of the options available to implement ACLs in
FD.io VPP. As there are a number of ways to address ACL-like functionality,
it is worth a separate survey of these options, with some commentary on
features and performance.

All performance numbers and examples in this document are reused from
the `FD.io CSIT v19.04 performance report <https://docs.fd.io/csit/rls1904/report/>`__.
All information and performance data are accurate for the
`FD.io VPP 19.04 <https://git.fd.io/vpp/tag/?h=v19.04>`__ release. The
sections *performance* & *operational data* below correlate directly with
those sections from the FD.io CSIT performance report.

Summary
-------

+---------------------+----------------------+-----------------------------------+
| Option              | Relative Performance | Features & Notes                  |
+=====================+======================+===================================+
| :ref:`aclplugin`    | Lowest               | Match on restricted L2-L4 fields, |
|                     |                      | stateful & stateless              |
+---------------------+----------------------+-----------------------------------+
| :ref:`vppcop`       | Highest (software    | Match on Layer 3 IPs, stateless   |
|                     | only)                |                                   |
+---------------------+----------------------+-----------------------------------+
| :ref:`vppflow`      | Highest              | Match on restricted L2-L4 fields, |
|                     | (accelerated)        | stateless, limited number of      |
|                     |                      | flows                             |
+---------------------+----------------------+-----------------------------------+
| :ref:`classifiers`  | TBD                  | Match on any field in the first   |
|                     |                      | 80 bytes, Not measured            |
+---------------------+----------------------+-----------------------------------+

FD.io VPP ACL Options
---------------------

.. _aclplugin:

The FD.io VPP ACL Plugin
~~~~~~~~~~~~~~~~~~~~~~~~

The plugin was originally developed as part of the FD.io VPP and OpenStack
integration. The plugin needs to be enabled on specific interfaces.

Supports stateful and stateless ACLs on …
""""""""""""""""""""""""""""""""""""""""""

- MACs
- IPs
- UDP Ports
- TCP Ports & Flags
- ICMP Messages

Directional
"""""""""""

* Input ACLs

  * Run before the IP flow classification.

* Output ACLs

  * Run before interface output.

Actions
"""""""

- Permit (sl)
- Drop (sf)
- Permit+Reflect (sf)

Stateful (sf)
"""""""""""""

- Actions: permit+reflect
- Most heavily optimized, as this is the most common use case.
- Faster because stateful ACLs use a flow cache: the ACL hit is taken only
  once, up front for the flow, and after that it is just a lookup.
- Uses more memory and is less deterministic, as the flow cache makes it
  more susceptible to the effects of the memory hierarchy and
  locality.

Stateless (sl)
""""""""""""""

-  Actions: permit, drop
-  Less optimized, less common use case.
-  Slower, as there is no flow cache: every new packet incurs the same
   amount of ACL processing.
-  Uses less memory and is more deterministic (compared to
   stateful).
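
How the two modes differ in behaviour, as an added example (not code from FD.io VPP): a Python model of first-match rule evaluation in which ``permit+reflect`` records a session, so later packets of the flow and its return traffic skip the rule walk. The rule sets are the ones from the Configuration section of this page; ``AclPoint``, ``run_flow`` and the sample flow are hypothetical, and the model assumes a single enforcement point, no session timeouts, and a drop when no rule matches.

```python
"""First-match ACL evaluation with and without reflection (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PERMIT, DROP, PERMIT_REFLECT = "permit", "drop", "permit+reflect"


@dataclass(frozen=True)
class Rule:
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None      # None matches any port
    dport: Optional[int] = None

    def matches(self, pkt):
        src, dst, sport, dport = pkt
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.sport in (None, sport)
                and self.dport in (None, dport))


class AclPoint:
    """Hypothetical enforcement point that sees both directions of a flow."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()        # 4-tuples admitted by permit+reflect
        self.rule_walks = 0          # packets that needed a full rule walk

    def check(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        if pkt in self.sessions:     # flow-cache hit: no rule walk at all
            return True
        self.rule_walks += 1
        for rule in self.rules:      # first matching rule decides
            if rule.matches(pkt):
                if rule.action == PERMIT_REFLECT:
                    src, dst, sport, dport = pkt
                    self.sessions.add(pkt)
                    self.sessions.add((dst, src, dport, sport))  # return path
                return rule.action != DROP
        return False                 # model assumption: no match means drop


# Rule sets taken from the Configuration section of this page.
STATEFUL = [
    Rule(PERMIT, "30.30.30.1/32", "40.40.40.1/32", 1000, 1000),
    Rule(PERMIT_REFLECT, "10.10.10.0/24"),
    Rule(PERMIT_REFLECT, "20.20.20.0/24"),
]
STATELESS = [
    Rule(PERMIT, "30.30.30.1/32", "40.40.40.1/32", 1000, 1000),
    Rule(PERMIT, "10.10.10.0/24"),
    Rule(PERMIT, "20.20.20.0/24"),
]


def run_flow(rules, packets=1000):
    """Send one constructed flow plus a single reply through the rules."""
    point = AclPoint(rules)
    request = ("10.10.10.2", "192.0.2.9", 1024, 53)   # constructed sample flow
    reply = ("192.0.2.9", "10.10.10.2", 53, 1024)
    forwarded = sum(point.check(request) for _ in range(packets))
    reply_forwarded = point.check(reply)
    return forwarded, reply_forwarded, point.rule_walks


if __name__ == "__main__":
    print("stateful :", run_flow(STATEFUL))    # (1000, True, 1)
    print("stateless:", run_flow(STATELESS))   # (1000, False, 1001)
```

With the stateful rules the 1000-packet flow costs one rule walk and the reply is forwarded; with the stateless rules every packet is walked and the reply, whose source matches no rule, is dropped.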

Operational Data
----------------

Input/Stateless
~~~~~~~~~~~~~~~

Test Case: 10ge2p1x520-ethip4udp-ip4base-iacl1sl-10kflows-ndrpdr
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

.. code-block:: console

       DUT1:
       Thread 0 vpp_main (lcore 1)
       Time 3.8, average vectors/node 0.00, last 128 main loops 0.00 per node 0.00
         vector rates in 0.0000e0, out 0.0000e0, drop 0.0000e0, punt 0.0000e0
                    Name                 State         Calls          Vectors        Suspends         Clocks       Vectors/Call
       acl-plugin-fa-cleaner-process   any wait                 0               0              14          1.29e3            0.00
       acl-plugin-fa-worker-cleaner-pinterrupt wa               7               0               0          9.18e2            0.00
       api-rx-from-ring                 active                  0               0              52          8.96e4            0.00
       dpdk-process                    any wait                 0               0               1          1.35e4            0.00
       fib-walk                        any wait                 0               0               2          2.69e3            0.00
       ip6-icmp-neighbor-discovery-ev  any wait                 0               0               4          1.32e3            0.00
       lisp-retry-service              any wait                 0               0               2          2.90e3            0.00
       unix-epoll-input                 polling              7037               0               0          1.25e6            0.00
       vpe-oam-process                 any wait                 0               0               2          2.28e3            0.00

       Thread 1 vpp_wk_0 (lcore 2)
       Time 3.8, average vectors/node 249.02, last 128 main loops 32.00 per node 273.07
         vector rates in 6.1118e6, out 6.1118e6, drop 0.0000e0, punt 0.0000e0
                    Name                 State         Calls          Vectors        Suspends         Clocks       Vectors/Call
       TenGigabitEtherneta/0/0-output   active              47106        11721472               0          9.47e0          248.83
       TenGigabitEtherneta/0/0-tx       active              47106        11721472               0          4.22e1          248.83
       TenGigabitEtherneta/0/1-output   active              47106        11721472               0          1.02e1          248.83
       TenGigabitEtherneta/0/1-tx       active              47106        11721472               0          4.18e1          248.83
       acl-plugin-fa-worker-cleaner-pinterrupt wa               7               0               0          1.39e3            0.00
       acl-plugin-in-ip4-fa             active              94107        23442944               0          1.75e2          249.11
       dpdk-input                       polling             47106        23442944               0          4.64e1          497.66
       ethernet-input                   active              94212        23442944               0          1.55e1          248.83
       ip4-input-no-checksum            active              94107        23442944               0          3.23e1          249.11
       ip4-lookup                       active              94107        23442944               0          2.91e1          249.11
       ip4-rewrite                      active              94107        23442944               0          2.48e1          249.11
       unix-epoll-input                 polling                46               0               0          1.54e3            0.00

Input/Stateful
~~~~~~~~~~~~~~

Test Case: 64b-1t1c-ethip4udp-ip4base-iacl1sf-10kflows-ndrpdr
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

.. code-block:: console

       DUT1:
       Thread 0 vpp_main (lcore 1)
       Time 3.9, average vectors/node 0.00, last 128 main loops 0.00 per node 0.00
         vector rates in 0.0000e0, out 0.0000e0, drop 0.0000e0, punt 0.0000e0
                    Name                 State         Calls          Vectors        Suspends         Clocks       Vectors/Call
       acl-plugin-fa-cleaner-process   any wait                 0               0              16          1.40e3            0.00
       acl-plugin-fa-worker-cleaner-pinterrupt wa               8               0               0          8.97e2            0.00
       api-rx-from-ring                 active                  0               0              52          7.12e4            0.00
       dpdk-process                    any wait                 0               0               1          1.69e4            0.00
       fib-walk                        any wait                 0               0               2          2.55e3            0.00
       ip4-reassembly-expire-walk      any wait                 0               0               1          1.27e4            0.00
       ip6-icmp-neighbor-discovery-ev  any wait                 0               0               4          1.09e3            0.00
       ip6-reassembly-expire-walk      any wait                 0               0               1          2.57e3            0.00
       lisp-retry-service              any wait                 0               0               2          1.18e4            0.00
       statseg-collector-process       time wait                0               0               1          6.38e3            0.00
       unix-epoll-input                 polling              6320               0               0          1.41e6            0.00
       vpe-oam-process                 any wait                 0               0               2          7.53e3            0.00

       Thread 1 vpp_wk_0 (lcore 2)
       Time 3.9, average vectors/node 252.74, last 128 main loops 32.00 per node 273.07
         vector rates in 7.5833e6, out 7.5833e6, drop 0.0000e0, punt 0.0000e0
                    Name                 State         Calls          Vectors        Suspends         Clocks       Vectors/Call
       TenGigabitEtherneta/0/0-output   active              58325        14738944               0          9.41e0          252.70
       TenGigabitEtherneta/0/0-tx       active              58325        14738944               0          4.32e1          252.70
       TenGigabitEtherneta/0/1-output   active              58323        14738944               0          1.02e1          252.71
       TenGigabitEtherneta/0/1-tx       active              58323        14738944               0          4.31e1          252.71
       acl-plugin-fa-worker-cleaner-pinterrupt wa               8               0               0          1.62e3            0.00
       acl-plugin-in-ip4-fa             active             116628        29477888               0          1.01e2          252.75
       dpdk-input                       polling             58325        29477888               0          4.63e1          505.41
       ethernet-input                   active             116648        29477888               0          1.53e1          252.71
       ip4-input-no-checksum            active             116628        29477888               0          3.21e1          252.75
       ip4-lookup                       active             116628        29477888               0          2.90e1          252.75
       ip4-rewrite                      active             116628        29477888               0          2.48e1          252.75
       unix-epoll-input                 polling                57               0               0          2.39e3            0.00

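Reading the two input test cases above, as an added example (not part of the CSIT report): this Python script parses the worker-thread rows, weights each node's ``Clocks`` value by the vectors it handled, and reports how much of the per-packet cost belongs to ``acl-plugin-in-ip4-fa``. It assumes ``Clocks`` is the average clock count per vector element and that every packet enters through ``dpdk-input``; the function names are hypothetical.

```python
"""Per-packet clock budget from VPP `show runtime` rows (added example)."""

# Worker-thread rows copied from the Input/Stateless and Input/Stateful test
# cases on this page, with the column padding collapsed.
STATELESS = """\
TenGigabitEtherneta/0/0-output active 47106 11721472 0 9.47e0 248.83
TenGigabitEtherneta/0/0-tx active 47106 11721472 0 4.22e1 248.83
TenGigabitEtherneta/0/1-output active 47106 11721472 0 1.02e1 248.83
TenGigabitEtherneta/0/1-tx active 47106 11721472 0 4.18e1 248.83
acl-plugin-fa-worker-cleaner-pinterrupt wa 7 0 0 1.39e3 0.00
acl-plugin-in-ip4-fa active 94107 23442944 0 1.75e2 249.11
dpdk-input polling 47106 23442944 0 4.64e1 497.66
ethernet-input active 94212 23442944 0 1.55e1 248.83
ip4-input-no-checksum active 94107 23442944 0 3.23e1 249.11
ip4-lookup active 94107 23442944 0 2.91e1 249.11
ip4-rewrite active 94107 23442944 0 2.48e1 249.11
unix-epoll-input polling 46 0 0 1.54e3 0.00
"""
STATEFUL = """\
TenGigabitEtherneta/0/0-output active 58325 14738944 0 9.41e0 252.70
TenGigabitEtherneta/0/0-tx active 58325 14738944 0 4.32e1 252.70
TenGigabitEtherneta/0/1-output active 58323 14738944 0 1.02e1 252.71
TenGigabitEtherneta/0/1-tx active 58323 14738944 0 4.31e1 252.71
acl-plugin-fa-worker-cleaner-pinterrupt wa 8 0 0 1.62e3 0.00
acl-plugin-in-ip4-fa active 116628 29477888 0 1.01e2 252.75
dpdk-input polling 58325 29477888 0 4.63e1 505.41
ethernet-input active 116648 29477888 0 1.53e1 252.71
ip4-input-no-checksum active 116628 29477888 0 3.21e1 252.75
ip4-lookup active 116628 29477888 0 2.90e1 252.75
ip4-rewrite active 116628 29477888 0 2.48e1 252.75
unix-epoll-input polling 57 0 0 2.39e3 0.00
"""


def parse_rows(text):
    """Return {node: (vectors, clocks)} for every data row in `text`.

    Fields are split from the right because long node names run into the
    State column (see the `...-pinterrupt wa` row); header and banner lines
    fail the numeric conversion and are skipped.
    """
    rows = {}
    for line in text.splitlines():
        fields = line.rsplit(None, 5)
        if len(fields) != 6:
            continue
        try:
            _calls, vectors, _suspends = map(int, fields[1:4])
            clocks = float(fields[4])
        except ValueError:
            continue
        rows[fields[0].split()[0]] = (vectors, clocks)
    return rows


def cycle_budget(text):
    """Clocks per received packet for each node that handled traffic."""
    rows = parse_rows(text)
    packets = rows["dpdk-input"][0]
    return {name: clocks * vectors / packets
            for name, (vectors, clocks) in rows.items() if vectors}


def acl_share(text, node="acl-plugin-in-ip4-fa"):
    """Return (ACL clocks per packet, total clocks per packet, ACL fraction)."""
    budget = cycle_budget(text)
    total = sum(budget.values())
    return budget[node], total, budget[node] / total


def most_expensive(text):
    """Name of the node with the largest per-packet clock cost."""
    budget = cycle_budget(text)
    return max(budget, key=budget.get)


if __name__ == "__main__":
    for label, sample in (("stateless", STATELESS), ("stateful", STATEFUL)):
        acl, total, share = acl_share(sample)
        print(f"{label}: acl={acl:.1f} total={total:.1f} share={share:.1%}")
```

In both samples the ACL node is the most expensive node on the worker thread, and the stateful run spends fewer clocks per packet in it than the stateless run.
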
Output/Stateless
~~~~~~~~~~~~~~~~

Test Case: 64b-1t1c-ethip4udp-ip4base-oacl10sl-10kflows-ndrpdr
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

.. code-block:: console

       DUT1:
        Thread 0 vpp_main (lcore 1)
        Time 3.8, average vectors/node 0.00, last 128 main loops 0.00 per node 0.00
          vector rates in 0.0000e0, out 0.0000e0, drop 0.0000e0, punt 0.0000e0
                     Name                 State         Calls          Vectors        Suspends         Clocks       Vectors/Call
        acl-plugin-fa-cleaner-process   any wait                 0               0              14          1.43e3            0.00
        acl-plugin-fa-worker-cleaner-pinterrupt wa               7               0               0          9.23e2            0.00
        api-rx-from-ring                 active                  0               0              52          8.01e4            0.00
        dpdk-process                    any wait                 0               0               1          1.59e6            0.00
        fib-walk                        any wait                 0               0               2          6.81e3            0.00
        ip6-icmp-neighbor-discovery-ev  any wait                 0               0               4          2.81e3            0.00
        lisp-retry-service              any wait                 0               0               2          3.64e3            0.00
        unix-epoll-input                 polling              4842               0               0          1.81e6            0.00
        vpe-oam-process                 any wait                 0               0               1          2.24e4            0.00

        Thread 1 vpp_wk_0 (lcore 2)
        Time 3.8, average vectors/node 249.29, last 128 main loops 36.00 per node 271.06
          vector rates in 5.9196e6, out 5.9196e6, drop 0.0000e0, punt 0.0000e0
                     Name                 State         Calls          Vectors        Suspends         Clocks       Vectors/Call
        TenGigabitEtherneta/0/0-output   active              45595        11363584               0          9.22e0          249.23
        TenGigabitEtherneta/0/0-tx       active              45595        11363584               0          4.25e1          249.23
        TenGigabitEtherneta/0/1-output   active              45594        11363584               0          9.75e0          249.23
        TenGigabitEtherneta/0/1-tx       active              45594        11363584               0          4.21e1          249.23
        acl-plugin-fa-worker-cleaner-pinterrupt wa               7               0               0          1.28e3            0.00
        acl-plugin-out-ip4-fa            active              91155        22727168               0          1.78e2          249.32
        dpdk-input                       polling             45595        22727168               0          4.64e1          498.46
        ethernet-input                   active              91189        22727168               0          1.56e1          249.23
        interface-output                 active              91155        22727168               0          1.13e1          249.32
        ip4-input-no-checksum            active              91155        22727168               0          1.95e1          249.32
        ip4-lookup                       active              91155        22727168               0          2.88e1          249.32
        ip4-rewrite                      active              91155        22727168               0          3.53e1          249.32
        unix-epoll-input                 polling                44               0               0          1.53e3            0.00

Output/Stateful
~~~~~~~~~~~~~~~

Test Case: 64b-1t1c-ethip4udp-ip4base-oacl10sf-10kflows-ndrpdr
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

.. code-block:: console

       DUT1:
        Thread 0 vpp_main (lcore 1)
        Time 3.8, average vectors/node 0.00, last 128 main loops 0.00 per node 0.00
          vector rates in 0.0000e0, out 0.0000e0, drop 0.0000e0, punt 0.0000e0
                     Name                 State         Calls          Vectors        Suspends         Clocks       Vectors/Call
        acl-plugin-fa-cleaner-process   any wait                 0               0              16          1.47e3            0.00
        acl-plugin-fa-worker-cleaner-pinterrupt wa               8               0               0          8.51e2            0.00
        api-rx-from-ring                 active                  0               0              50          7.24e4            0.00
        dpdk-process                    any wait                 0               0               2          1.93e4            0.00
        fib-walk                        any wait                 0               0               2          2.02e3            0.00
        ip4-reassembly-expire-walk      any wait                 0               0               1          3.96e3            0.00
        ip6-icmp-neighbor-discovery-ev  any wait                 0               0               4          9.84e2            0.00
        ip6-reassembly-expire-walk      any wait                 0               0               1          3.76e3            0.00
        lisp-retry-service              any wait                 0               0               2          1.49e4            0.00
        statseg-collector-process       time wait                0               0               1          4.98e3            0.00
        unix-epoll-input                 polling              5653               0               0          1.55e6            0.00
        vpe-oam-process                 any wait                 0               0               2          1.90e3            0.00

        Thread 1 vpp_wk_0 (lcore 2)
        Time 3.8, average vectors/node 250.85, last 128 main loops 36.00 per node 271.06
          vector rates in 7.2686e6, out 7.2686e6, drop 0.0000e0, punt 0.0000e0
                     Name                 State         Calls          Vectors        Suspends         Clocks       Vectors/Call
        TenGigabitEtherneta/0/0-output   active              55639        13930752               0          9.33e0          250.38
        TenGigabitEtherneta/0/0-tx       active              55639        13930752               0          4.27e1          250.38
        TenGigabitEtherneta/0/1-output   active              55636        13930758               0          9.81e0          250.39
        TenGigabitEtherneta/0/1-tx       active              55636        13930758               0          4.33e1          250.39
        acl-plugin-fa-worker-cleaner-pinterrupt wa               8               0               0          1.62e3            0.00
        acl-plugin-out-ip4-fa            active             110988        27861510               0          1.04e2          251.03
        dpdk-input                       polling             55639        27861510               0          4.62e1          500.76
        ethernet-input                   active             111275        27861510               0          1.55e1          250.38
        interface-output                 active             110988        27861510               0          1.21e1          251.03
        ip4-input-no-checksum            active             110988        27861510               0          1.95e1          251.03
        ip4-lookup                       active             110988        27861510               0          2.89e1          251.03
        ip4-rewrite                      active             110988        27861510               0          3.55e1          251.03
        unix-epoll-input                 polling                54               0               0          2.43e3            0.00

Performance
-----------

+---------------------------------------+-------+-------------------+
| Test Case                             | MPPS  | Cycles per packet |
+=======================================+=======+===================+
| ethip4-ip4base                        | 18.26 | 136               |
+---------------------------------------+-------+-------------------+
| ethip4ip4udp-ip4base-iacl1sl-10kflows | 9.134 | 273               |
+---------------------------------------+-------+-------------------+
| ethip4ip4udp-ip4base-iacl1sf-10kflows | 11.06 | 226               |
+---------------------------------------+-------+-------------------+

Input ACLs (SKX)
~~~~~~~~~~~~~~~~

.. figure:: /_images/ip4-2n-iacl.png

Output ACLs (HSW)
~~~~~~~~~~~~~~~~~

.. figure:: /_images/ip4-3n-oacl.png

Configuration
-------------

Stateful
~~~~~~~~

.. code-block:: console

       $ sudo vppctl ip_add_del_route 20.20.20.0/24 via 1.1.1.2  sw_if_index 1 resolve-attempts 10 count 1
       $ sudo vppctl acl_add_replace  ipv4 permit src 30.30.30.1/32 dst 40.40.40.1/32 sport 1000 dport 1000, ipv4 permit+reflect src 10.10.10.0/24, ipv4 permit+reflect src 20.20.20.0/24
       $ sudo vppctl acl_interface_set_acl_list sw_if_index 2 input 0
       $ sudo vppctl acl_interface_set_acl_list sw_if_index 1 input 0

Stateless
~~~~~~~~~

.. code-block:: console

       $ sudo vppctl ip_add_del_route 20.20.20.0/24 via 1.1.1.2  sw_if_index 1 resolve-attempts 10 count 1
       $ sudo vppctl acl_add_replace  ipv4 permit src 30.30.30.1/32 dst 40.40.40.1/32 sport 1000 dport 1000, ipv4 permit src 10.10.10.0/24, ipv4 permit src 20.20.20.0/24
       $ sudo vppctl acl_interface_set_acl_list sw_if_index 2 input 0
       $ sudo vppctl acl_interface_set_acl_list sw_if_index 1 input 0

Links
~~~~~

-  `FD.io Security Groups overview <https://wiki.fd.io/view/VPP/SecurityGroups>`__
-  `Reflexive Access Control Lists <https://packetlife.net/blog/2008/nov/25/reflexive-access-lists/>`__
-  `Andrew Yourt's Blog on ACLs <http://stdio.be/blog/2017-12-09-Debugging-VPP-MACIP-ACLs/>`__

.. _vppcop:

FD.io VPP COP
-------------

IPv4/IPv6 white-lists using the FD.io VPP FIB, with support for multiple
nested white-lists.

Design notes:
~~~~~~~~~~~~~

- The cop graph nodes (input & white-list) reuse the FD.io VPP FIB 2.0 implementation. Essentially,
  a successful lookup in the FIB indicates that a packet has been white-listed and may be forwarded.

- cop-input: determines whether the frame is IPv4 or IPv6, and forwards it to the ipN-cop-whitelist graph node.

- ipN-cop-whitelist: uses the ip4_fib_[mtrie,lookup] functions to confirm that the packet's IP address matches a route in the white-list FIB.

- Match: if it matches, it is then sent either to the next white-list or to the IP layer.

- No match: if there is no match, it is sent to error-drop.

Operational Data
~~~~~~~~~~~~~~~~

Note the double pass through ip4-lookup and ip4-rewrite.

.. code-block:: console

    DUT1:
     Thread 0 vpp_main (lcore 1)
     Time 3.9, average vectors/node 0.00, last 128 main loops 0.00 per node 0.00
       vector rates in 0.0000e0, out 0.0000e0, drop 0.0000e0, punt 0.0000e0
                  Name                 State         Calls          Vectors        Suspends         Clocks       Vectors/Call
     api-rx-from-ring                 active                  0               0              53          4.20e4            0.00
     dpdk-process                    any wait                 0               0               1          1.75e4            0.00
     fib-walk                        any wait                 0               0               2          1.59e3            0.00
     ip4-reassembly-expire-walk      any wait                 0               0               1          2.20e3            0.00
     ip6-icmp-neighbor-discovery-ev  any wait                 0               0               4          1.14e3            0.00
     ip6-reassembly-expire-walk      any wait                 0               0               1          1.50e3            0.00
     lisp-retry-service              any wait                 0               0               2          2.19e3            0.00
     statseg-collector-process       time wait                0               0               1          2.48e3            0.00
     unix-epoll-input                 polling              2800               0               0          3.15e6            0.00
     vpe-oam-process                 any wait                 0               0               2          7.00e2            0.00

     Thread 1 vpp_wk_0 (lcore 2)
     Time 3.9, average vectors/node 220.84, last 128 main loops 20.87 per node 190.86
       vector rates in 1.0724e7, out 1.0724e7, drop 0.0000e0, punt 0.0000e0
                  Name                 State         Calls          Vectors        Suspends         Clocks       Vectors/Call
     TenGigabitEtherneta/0/0-output   active              94960        20698112               0          1.03e1          217.97
     TenGigabitEtherneta/0/0-tx       active              94960        20698112               0          3.97e1          217.97
     TenGigabitEtherneta/0/1-output   active              92238        20698112               0          9.92e0          224.39
     TenGigabitEtherneta/0/1-tx       active              92238        20698112               0          4.26e1          224.39
     cop-input                        active              94960        20698112               0          1.98e1          217.97
     dpdk-input                       polling             95154        41396224               0          4.58e1          435.04
     ethernet-input                   active              92238        20698112               0          1.59e1          224.39
     ip4-cop-whitelist                active              94960        20698112               0          3.24e1          217.97
     ip4-input                        active              94960        20698112               0          3.13e1          217.97
     ip4-input-no-checksum            active              92238        20698112               0          2.23e1          224.39
     ip4-lookup                       active             187198        41396224               0          3.08e1          221.14
     ip4-rewrite                      active             187198        41396224               0          2.47e1          221.14
     unix-epoll-input                 polling                93               0               0          1.35e3            0.00

Performance
~~~~~~~~~~~

+-------------------------------+-------+-------------------+
| Test Case                     | MPPS  | Cycles per packet |
+===============================+=======+===================+
| ethip4-ip4base                | 18.81 | 132               |
+-------------------------------+-------+-------------------+
| ethip4-ip4base-copwhtlistbase | 15.12 | 165               |
+-------------------------------+-------+-------------------+

.. figure:: /_images/ip4-acl-features-ndr.png

Configuration
~~~~~~~~~~~~~

Note: a new VRF 1 is created to hold the whitelist, which is then
applied to interface 1.

.. code-block:: console

    $ sudo vppctl ip_add_del_route 10.10.10.0/24 via 1.1.1.1  sw_if_index 2 resolve-attempts 10 count 1
    $ sudo vppctl ip_table_add_del table 1
    $ sudo vppctl ip_add_del_route 20.20.20.0/24  vrf 1  resolve-attempts 10 count 1    local
    $ sudo vppctl cop_whitelist_enable_disable sw_if_index 1 ip4 fib-id 1
    $ sudo vppctl cop_interface_enable_disable sw_if_index 1

Links
~~~~~

-  `FIB 2.0: Hierarchical, Protocol Independent. <https://wiki.fd.io/images/7/71/FIB_2.0_-_Hierarchical,_Protocol_Independent..pdf>`__

.. _vppflow:

FD.io VPP Flow
--------------

FD.io VPP Flow adds the ability for FD.io VPP to support matching of
flows and taking an associated action. This information is then used to
program hardware accelerations such as those available on network cards,
e.g. Intel® Ethernet Flow Director technology on the Intel® Ethernet
Controller X710/XXV710/XL710.

Supports
~~~~~~~~

Actions
"""""""

-  Count: don't know what this does, presume it counts matches.
-  Mark: Associate a matched flow with arbitrary data, such as a VXLAN tunnel, for a lookup in the redirect graph node.
-  Buffer Advance: Can be used to advance to an encapsulated Ethernet or IP header.
-  Redirect to node: When you see a packet from flow xyz, the next node in FD.io VPP is the indicated graph node.
-  Redirect to queue: When you see a packet from flow xyz, redirect it to rx queue n.
-  Drop: When you see a packet from flow xyz, drop the packet (next node is error drop).

Design Notes
~~~~~~~~~~~~

-  Currently the only place in FD.io VPP where this is used is to accelerate VXLAN by bypassing the Ethernet and IP layers.
-  Flow uses the DPDK rte_flow API under the hood for those network interfaces programmed through DPDK.
-  Redirect to node: it is worth remembering that if you are bypassing a graph node, you are bypassing all the checks in that graph node, e.g. time-to-live, CRCs and the like.

Operational Data
~~~~~~~~~~~~~~~~

FD.io CSIT numbers for VXLAN do not use FD.io Flow support.

Performance
~~~~~~~~~~~

FD.io CSIT numbers for VXLAN do not use FD.io Flow support.

Configuration
~~~~~~~~~~~~~

-  `Flow API <https://git.fd.io/vpp/tree/src/vnet/flow/flow.h>`__

.. _classifiers:

FD.io VPP Classifiers
---------------------

The most flexible form of ACLs in FD.io VPP enables the user to match anywhere in the first
80 bytes of the packet header.

Configuration
~~~~~~~~~~~~~

Match an IPv6….

.. code-block:: console

    $ sudo vppctl classify table mask l3 ip6 dst buckets 64
    $ sudo vppctl classify session hit-next 0 table-index 0 match l3 ip6 dst 2001:db8:1::2 opaque-index 42
    $ sudo vppctl set interface l2 input classify intfc host-s0_s1 ip6-table 0

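What the mask and session in these commands mean at the byte level, as an added example (not FD.io VPP code): a Python model of mask-and-match classification over the 80-byte window, using the destination address, ``hit-next`` and ``opaque-index`` values from the commands above. It assumes an untagged Ethernet frame, so the IPv6 destination occupies bytes 38 to 53; ``ClassifyTable``, ``field_vector``, ``ip6_frame`` and ``build_table`` are hypothetical names, and the frames are constructed samples.

```python
"""Mask-and-match classification over the first 80 bytes (added example)."""
from ipaddress import IPv6Address

WINDOW = 80                                   # bytes the classifier can see
ETH_LEN = 14                                  # untagged Ethernet header
IP6_DST = slice(ETH_LEN + 24, ETH_LEN + 40)   # IPv6 destination, bytes 38..53


def field_vector(field, value):
    """80-byte vector that is zero except for `value` placed at `field`."""
    if len(value) != field.stop - field.start:
        raise ValueError("value does not fit the field")
    vec = bytearray(WINDOW)
    vec[field] = value
    return bytes(vec)


class ClassifyTable:
    """Hypothetical model: one mask per table, exact match on masked bytes."""

    def __init__(self, mask):
        if len(mask) != WINDOW:
            raise ValueError("mask must cover exactly the 80-byte window")
        self.mask = mask
        # A frame must reach the last masked byte to be classified at all.
        self.min_len = max((i + 1 for i, m in enumerate(mask) if m), default=0)
        self.sessions = {}                    # masked key -> (hit_next, opaque)

    def _key(self, data):
        window = data[:WINDOW].ljust(WINDOW, b"\0")
        return bytes(b & m for b, m in zip(window, self.mask))

    def add_session(self, match, hit_next, opaque_index):
        self.sessions[self._key(match)] = (hit_next, opaque_index)

    def classify(self, frame):
        """Return (hit_next, opaque_index) on a hit, None on a miss."""
        if len(frame) < self.min_len:         # truncated frame: treat as a miss
            return None
        return self.sessions.get(self._key(frame))


def ip6_frame(src, dst, payload=b"", vlan=None):
    """Build a constructed Ethernet + IPv6 frame (no upper-layer header)."""
    tag = b"" if vlan is None else b"\x81\x00" + vlan.to_bytes(2, "big")
    eth = bytes(12) + tag + b"\x86\xdd"
    ip6 = (b"\x60\x00\x00\x00" + len(payload).to_bytes(2, "big") + b"\x3b\x40"
           + IPv6Address(src).packed + IPv6Address(dst).packed)
    return eth + ip6 + payload


def build_table():
    """Model of the table and session created by the commands above."""
    table = ClassifyTable(field_vector(IP6_DST, b"\xff" * 16))
    match = field_vector(IP6_DST, IPv6Address("2001:db8:1::2").packed)
    table.add_session(match, hit_next=0, opaque_index=42)
    return table


if __name__ == "__main__":
    table = build_table()
    print(table.classify(ip6_frame("2001:db8:1::1", "2001:db8:1::2")))
    # A VLAN tag shifts the header by four bytes, so the same mask misses.
    print(table.classify(ip6_frame("2001:db8:1::1", "2001:db8:1::2", vlan=10)))
```

Because the mask is defined by byte offset rather than by field, anything that shifts the headers, such as a VLAN tag, needs its own table and mask.
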
Links
~~~~~

-  `Overview of classifiers <https://wiki.fd.io/view/VPP/SecurityGroups#Existing_functionality>`__
-  `FD.io VPP Classifiers Overview <https://wiki.fd.io/view/VPP/Introduction_To_N-tuple_Classifiers>`__
-  `FD.io VPP Classifiers CLI <https://docs.fd.io/vpp/19.04/clicmd_src_vnet_classify.html>`__
-  `Sample Code from Andrew Yourt <http://stdio.be/vpp/t/aytest-bridge-tap-py.txt>`__
