Theory of operation

Traffic management on the XX-Series rev. 2 is done using rules and rule sets.

Rule sets are traffic management profiles created by the user. Multiple rule sets can be created, with one of them active at any given time.

A rule set consists of the following facilities:

• Traffic rules
• Load balancing groups
• Ingress rules

Rules define how the traffic will be processed by the packet broker. Only data matching at least one of the defined rules will pass through, everything else will be dropped.

XX-Series rev. 2 devices support up to 511 “one port to one port” rules, or “interface links”. Each rule can contain one or more interface links. For optimizing rule utilization, see Optimizing rule consumption.

Load balancing groups are logic groups of ports that are used to distribute the traffic stream across multiple interfaces.

Ingress rules are used to manipulate traffic on the interface ingress pipeline.

Rules and rule sets are configured on the web GUI's Traffic Management page.

The Active tab displays the currently active rule set and its details, including the filtered interfaces, interfaces linked in load balancing groups, and ingress rules.

The Rule Sets tab displays the list of existing rule sets on the device. The active rule set is highlighted. Users with appropriate permissions can create, configure, activate, rename, delete, import, and export rule sets.

After clicking the configure button of a rule set, rules can be added, modified, or deleted.

After configuring a rule set, it can be activated right away, or kept inactive for future use. If changes have been made to the currently active rule set, it must be activated again for the changes to take effect.

When a load balancing group is enabled for a group of interfaces, it is important to remember that when a port is inserted in one of these groups, it cannot be used in additional rules and will be displayed as unavailable in the port layout. Additionally, in order to have a consistent behavior of the load balancing group, all of the interfaces belonging to that group must operate at the same speed.

The traffic is load balanced using the L3 and L4 fields to make sure to distribute the traffic flows consistently in the output ports.

On the XX-Series rev. 2, users can define specific traffic manipulation rules to be performed on the interface ingress pipeline. Note that these operations will be performed before the filter and action engine described above. Users should ensure that the configured ingress rules don’t impact the functionality of the other rules.

Each Rule Set can include an independent set of ingress rules associated to each port. Note that it is only possible to have a single rule per port, and that these ports will only be available as input in other rules.

The available traffic manipulation option is:

• VLAN Tag: Adds a VLAN tag to all traffic incoming in the selected port;

The first step in creating a new rule is defining the behavior of that rule [1]. The possible options are:

• Accept: Only traffic matching the defined filters will be forwarded;
• Drop: Traffic matching the defined filters will be removed from the stream.

The Input ports and Output ports sections [2] define which ports will be used as source for the traffic stream, and which ports will be used as destination.

⇒ When selecting multiple input ports, the traffic incoming on these interfaces will be aggregated (N:1 configuration).
⇒ When selecting multiple output ports, the traffic stream to these interfaces will be replicated (1:M configuration).
⇒ If multiple inputs and outputs are selected, the device will first aggregate the incoming traffic and then replicate the resulting stream to all of the selected output ports (N:M configuration).

If load balancing groups have been created, they appear in the Load Balancing Groups section [3]. Selecting one or more groups here will set them as output, in which case output interfaces won't need to be selected in the section above. Selecting multiple load balancing groups will replicate the traffic to each of these groups.

The Filters tab [4] allows the user to configure the way in which traffic is targeted, according to specific rules related to its L2, L3 and L4 packet headers:

• Ethernet Layer
  Only frames matching MAC details configured in this section will be targeted (Source/Destination MAC Address, Source/Destination MAC Mask), with the possibility to select the packet type (IPv4, IPv6, ARP, TCP (IPv4/6), UDP (IPv4/6), SCTP (IPv4/6), Custom Protocol (IPv4/6), or any).
• IPv4/IPv6 Layer
  When IPv4/IPv6 is selected, the board will filter for any packet of those types. In order to filter for the IPv4/IPv6 details, the user needs to fill in the related fields (Source/Destination IP Address, Source/Destination IP Mask). The Protocol setting is only configurable for IPv4/IPv6, allowing the user to restrict the traffic to a specific type of L4 header (TCP, UDP, SCTP, ICMP, IGMP). Any allows filtering a custom EtherType or setting no filter for L3 headers. IPv6 Source and Destination Addresses filtering is only possible if the Rule Set is configured with IPv6 Addresses Filtering (Configure Filtering button on the Rule Set page).
• TCP/UDP/SCTP Layer
  When TCP/UDP/SCTP is selected in Packet Type or Protocol, only packets matching the transport layer details configured in this section will be filtered.
• VLAN Tags
  Can be used for filtering the first VLAN ID.

Note: If multiple filter fields are configured, only packets matching all filters will be targeted.