Traffic management on the X2-Series is done using rules and rule sets.
Rule sets are traffic management profiles created by the user. Multiple rule sets can be created, with one of them active at any given time.
A rule set consists of the following facilities:
Rules define how the traffic will be processed by the packet broker. Only data matching at least one of the defined rules will pass through, everything else will be dropped.
X2-Series devices support up to 6000 “one port to one port” rules, or “interface links”. Each rule can contain one or more interface links. For optimizing rule utilization, see Optimizing rule consumption.
Packet deduplication is used to detect and drop duplicate packets.
Load balancing groups are logic groups of ports that are used to distribute the traffic stream across multiple interfaces.
Ingress rules are used to manipulate traffic on the interface ingress pipeline.
Timestamp synchronization can be set to connect to a PTPv2 server in order to perform high quality nanosecond precision traffic timestamping for ERSPAN type 3 encapsulated traffic.
Rules and rule sets are configured on the web GUI's Traffic Management page.
The Active tab displays the currently active rule set and its details, including the filtered interfaces, interfaces linked in load balancing groups, ingress rules, and timestamp synchronization settings and status.
The Rule Sets tab displays the list of existing rule sets on the device. The active rule set is highlighted. Users with appropriate permissions can create, configure, activate, rename, delete, import, and export rule sets.
After clicking the configure button of a rule set, rules can be added, modified, or deleted.
After configuring a rule set, it can be activated right away, or kept inactive for future use.
To create a new rule set, navigate to the Traffic Management > Rule Sets page, click the Create Rule Set button, enter a name, a description (optional), then confirm.
Several actions are available for each rule set:
To configure a rule set, click the configure button
for that rule set on the Traffic Management > Rule Sets page. You can also configure the currently active rule set directly from the Traffic Management > Active page.
The Rule Set Configuration menu, accessible by clicking the Configure button in the top-right corner of the screen, provides the following controls:
Modifying the rule set's name and description.
Configuring the Traffic Filtering Mode, which affects the available traffic rule filters, and configuring the Traffic Load Balancing Strategy, which affects how Load Balancing Groups function.
Configuring the Timestamp Synchronization feature (see Timestamp synchronization).
The Diagram view allows you to create and manage traffic rules visually and provides a clear, intuitive overview of them.

Example of a rule set with traffic rules in the Diagram view.
A new, empty rule set will be displayed as shown below, with input ports on the left side and output ports and load balancing groups on the right side. Make sure the Hide unused ports option is disabled.

Empty rule set in the Diagram view.
Clicking a port from the INPUT PORTS list, then Show Status, or simply double-clicking the port, will open its Status window.
In this Status window, you can change the port label, speed, enable/disable the port, and set an ingress rule if desired.
Note that creating an ingress rule is only possible if the Status window was opened from the INPUT PORTS list.
Clicking a port from the OUTPUT PORTS list gives the option to open its Status window or to create a load balancing group.
If one or more load balancing groups already exist, an additional option is available for adding the selected port to an existing load balancing group.
Double-clicking the port will open its Status window, where you can change the port label, speed, and enable/disable the port.
To start creating a new traffic rule, click and hold the circle on the side of an input port, and drag it to an output port or load balancing group. The Create Rule window will open, with the input port and output port or load balancing group selected.
For more details, see Creating a traffic rule.
With multiple rules created, the Hide unused ports option helps provide a cleaner overview of the rule set.
You can mouse over input ports, traffic rules, and output ports/load balancing groups to highlight relevant links.
You can click and drag the circle on the side of an input port, traffic rule, or output port/load balancing group to add connections to traffic rules.
You can click specific connections and click Delete to remove it from a rule.
Clicking a rule gives you the option to edit it, disable/enable it, clone it, or delete it.
Disabled rules will be grayed out. Enabling Hide disabled rules will hide them from the diagram.
The Table view allows you to create and manage traffic rules in a table.
Each rule appears as a row in the table. The controls on the right side of each row allows you to enable or disable the rule, clone it, edit it, or delete it.
Click the Create Rule button to create a new rule (see Creating a traffic rule).
Click the Create Load Balancing Group button to create a new load balancing group (see Load balancing groups).
Click the Create Ingress Rule button to create a new ingress rule (see Ingress rules).
The +/- toggle on the left side of each row allows you to expand or collapse to contents of the rule. The same toggle in the header row expands or collapses all rows.
The Filter button on the right side of the header row opens controls for filtering the rules displayed in the table.
The Configure columns button next to the Filter button allows you to choose which columns to display or hide in the table.
X2-Series NPBs are capable of performing packet deduplication (license required). This feature is useful when the same packets are captured from different tapping points and aggregated in the packet broker.
This feature can be controlled per rule set via the Packet Deduplication button (either on the Traffic Management > Active page for the active rule set, or the Traffic Management > Rule Sets page and clicking the Configure button of the desired rule set to enter the rule set). Clicking the Packet Deduplication button opens a new view, allowing the user to select the interfaces on which the device will check for duplicate packets. The deduplication configuration view displays different colors for ports wired to the different hardware tables that the device is using to compare the incoming packets. Only traffic incoming on ports wired to the same hardware table (i.e. ports displayed with the same color) is evaluated for deduplication.
Note that the traffic identification will happen in the interface ingress, using the following fields:
Load balancing groups can be created in a rule set's Diagram view by clicking an output port and selecting Create Load Balancing Group, or in the Table view by clicking the Create Load Balancing Group button.
When a load balancing group is enabled for a group of interfaces, it is important to remember that when a port is inserted in one of these groups, it cannot be used in additional rules and will be displayed as unavailable in the port layout. This also means that ports that are already used as output in one or more rules cannot be added to a load balancing group. Additionally, in order to have a consistent behavior of the load balancing group, all of the interfaces belonging to that group must operate at the same speed.
It is possible to change the traffic distribution strategy via the Configure button in the Load Balancing Group section of the Rule Set. In this view, it is possible to select between:
Note that if Flow Hash is used with source AND destination options enabled for L3 or L4, the unit will make sure to distribute the traffic maintaining flow symmetry and consistency.
On the X2-Series, users can define specific traffic manipulation rules to be performed on the interface ingress pipeline. Note that these operations will be performed before the filter and action engine described above. Users should ensure that the configured ingress rules don’t impact the functionality of the other rules.
Each Rule Set can include an independent set of ingress rules associated to each port. Note that it is only possible to have a single rule per port, and that these ports will only be available as input in other rules.
The available traffic manipulation options are:
This section can be used to configure the Time Synchronization port available on X2-3200G and X2-6400G. This interface only operates with 1G SFP modules.
The system works as a PTPv2 slave clock and will use the synchronized time to perform high quality nanosecond precision traffic timestamping for ERSPAN type 3 encapsulated traffic. For more details, see Time synchronization and timestamping.
The MAC and IP address associated with the port can be configured per rule set (either on the Traffic Management > Active page for the active rule set, or the Traffic Management > Rule Sets page and clicking the Configure button of the desired rule set to enter the rule set). Click the Configure button in the top-right corner of the screen to open the Rule Set Configuration menu.
Information about the internal synchronization process and its performance is then available at the top of the rule set's page.
State provides information about the current state of synchronization. The possible states are:
This view also provides information about the clock offset against the master clock and the time server's IP address.

Time synchronization port on X2-3200G

Time synchronization port on X2-6400G
The first step in creating a new rule is defining the behavior of that rule [1]. The possible options are:
The Input ports and Output ports sections [2] define which ports will be used as source for the traffic stream, and which ports will be used as destination.
If load balancing groups have been created, they appear in the Load Balancing Groups section [3]. Selecting one or more groups here will set them as output, in which case output interfaces won't need to be selected in the section above. Selecting multiple load balancing groups will replicate the traffic to each of these groups.
The Priority class option [4] can be used to create a filtering hierarchy. This feature can be used to define complex configurations, in which the user wants to create exception cases within drop or allow filters. The device supports six priority classes, which are processed from 5 (highest priority) to 0 (lowest priority). Note that, within the same priority class, rules dropping traffic always have the priority over rules allowing traffic.
The Enable Rule option [5] can be used to enable and disable the rule at will.
The Enable counter option [6] can be enabled to start a counter monitoring the amount of packets matching the defined filter. These counters will be displayed in the Frame Match column of the Active tab's Rules table.
Enabling the Bidirectional Filters option [7] will make the rule match traffic in both directions by swapping source and destination fields (MAC, IP, and L4 port filters).
The Filters tab [8] allows the user to configure the way in which traffic is targeted, according to specific rules related to its L2, L3 and L4 packet headers.
The Advanced tab [9] allows the configuration of options that can be applied to the traffic in outbound, as well as advanced filtering.
For more details, see Creating a traffic rule.