In a CLEAR-Flow rule, the match-conditions portion consists of one to four expressions, an optional global-rule statement, and an optional period statement:
    entry <CLFrulename> {
        if <match-type> {
            <expression>;
            <expression>;
            <expression>;
            <expression>;
            global-rule;
            period <interval>;
        } Then {
            <actions>;
        } else {
            <actions>;
        }
    }
In the following example, the CLEAR-Flow rule (named cflow_count_rule_example) is evaluated every ten seconds. The action statements are triggered if the value of counter1 (defined earlier in the ACL (Access Control List) policy file) is greater than 1,000,000:
    entry cflow_count_rule_example {
        if {
            count counter1 > 1000000 ;
            period 10 ;
        } Then {
            <actions>;
        }
    }
The global-rule statement is optional and affects how the counters are treated. An ACL that defines counters can be applied to more than one interface. You can specify the global-rule statement so that counters are evaluated for all the applied interfaces. For example, if a policy that defines a counter is applied to port 1:1 and 2:1, a CLEAR-Flow rule that used the global-rule statement would sum up the counts from both ports. Without the global-rule statement, the CLEAR-Flow rule would look at only the counts received on one port at a time.
The period interval statement is optional and sets the sampling interval, in seconds. This statement specifies how often the rule is evaluated by the CLEAR-Flow agent. If not specified, the default value is 5 seconds.
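The following Python model is an added example, not Extreme Networks code: it parses the match-conditions form shown above and shows how global-rule and period change when a count expression matches. The function names, the sample counter values, and the choice to combine multiple expressions with AND are assumptions made for the illustration.

```python
import re

DEFAULT_PERIOD = 5  # seconds; the default sampling interval stated above

def parse_match(body):
    """Parse the statements inside 'if { ... }'; only 'count <name> > <n>' is handled."""
    rule = {"counts": [], "global": False, "period": DEFAULT_PERIOD}
    for stmt in (s.strip() for s in body.split(";")):
        if not stmt:
            continue
        m = re.fullmatch(r"count\s+(\w+)\s*>\s*(\d+)", stmt)
        if m:
            rule["counts"].append((m.group(1), int(m.group(2))))
        elif stmt == "global-rule":
            rule["global"] = True
        elif re.fullmatch(r"period\s+\d+", stmt):
            rule["period"] = int(stmt.split()[1])
        else:
            raise ValueError(f"unsupported statement: {stmt!r}")
    if not 1 <= len(rule["counts"]) <= 4:
        raise ValueError("a rule needs one to four expressions")
    return rule

def evaluate(rule, samples):
    """samples: {second: {port: {counter: value}}}; returns [(second, scope)] matches."""
    hits = []
    for t in sorted(samples):
        if t % rule["period"]:
            continue  # counters are only examined once per sampling period
        ports = samples[t]
        if rule["global"]:
            summed = {}  # global-rule: add up each counter over all applied ports
            for counters in ports.values():
                for name, value in counters.items():
                    summed[name] = summed.get(name, 0) + value
            scopes = {"all": summed}
        else:
            scopes = ports  # no global-rule: each port is judged on its own count
        for scope, counters in scopes.items():
            if all(counters.get(n, 0) > thr for n, thr in rule["counts"]):
                hits.append((t, scope))
    return hits

# Constructed sample: cumulative counter1 values for a policy applied to 1:1 and 2:1.
SAMPLES = {
    5:  {"1:1": {"counter1": 300_000},   "2:1": {"counter1": 300_000}},
    10: {"1:1": {"counter1": 600_000},   "2:1": {"counter1": 600_000}},
    20: {"1:1": {"counter1": 1_200_000}, "2:1": {"counter1": 700_000}},
}
```

With these samples the per-port rule first matches at 20 seconds on port 1:1 only, while the same rule with global-rule already matches at 10 seconds, because the two ports together exceed the threshold before either does alone.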
The five CLEAR-Flow rule expressions are: count; delta; ratio; delta-ratio; and rule. All of these expressions check the values of counters to determine whether an action should be taken. The counters are either defined in the ACL entries that are defined on the switch, or are the predefined CLEAR-Flow counters. When you use a counter statement in an ACL, you are defining the counter used by CLEAR-Flow to monitor your system.