Theory of operation

Traffic management on the XX-Series is done using rules and rule sets.

Rule sets are traffic management profiles created by the user. Multiple rule sets can be created, with one of them active at any given time.

A rule set consists of two facilities:

• Traffic rules
• Load balancing groups

Rules define how the traffic will be processed by the packet broker. Only data matching at least one of the defined rules will pass through, everything else will be dropped.

Load balancing groups are logic groups of ports that are used to distribute the traffic stream across multiple interfaces.

Rules and rule sets are configured on the XX-Manager GUI's Traffic Management page.

The Active Rule Set tab displays the currently active rule set and its details, including the filtered interfaces and the interfaces linked in load balancing.

The Rule Sets tab displays the list of existing rule sets on the device. The active rule set is highlighted. Users with appropriate permissions can create, configure, activate, rename, or delete rule sets.

After clicking the “configure” button of a rule set, rules can be added, modified, or deleted.

After configuring a rule set, it can be activated right away, or kept inactive for future use. If changes have been made to the currently active rule set, it must be activated again for the changes to take effect.

The first step in creating a new rule is defining the behavior of that rule [1]. The possible options are:

• ALLOW: Only traffic matching the defined filters will be forwarded;
• EGRESS DROP: Traffic matching the defined filters will be removed from the stream.

The Input interface and Output interface sections [2] define which ports will be used as source for the traffic stream, and which ports will be used as destination.

⇒ When selecting multiple input ports, the traffic incoming on these interfaces will be aggregated (N:1 configuration).
⇒ When selecting multiple output ports, the traffic stream to these interfaces will be replicated (1:M configuration).
⇒ If multiple inputs and outputs are selected, the device will first aggregate the incoming traffic and then replicate the resulting stream to all of the selected output ports (N:M configuration).

If load balancing groups have been created, they appear in the Load balancers section [3]. Selecting one or more groups here will set them as output, in which case output interfaces won't need to be selected in the section above. Selecting multiple load balancing groups will replicate the traffic to each of these groups.

The Match counter id option [4] can be used to start a counter monitoring the amount of packets matching the defined filter. These counters will be displayed on the Global Statistics page.

The Filters tab [5] allows the user to configure the way in which traffic is targeted, according to specific rules related to its L2, L3 and L4 packet headers:

• Packet type
  This selection will discard all other types of data but the selected one. Selecting ANY PACKET allows all types of packets to pass through.
• MAC layer
  Only frames matching MAC details configured in this section will be allowed to pass through.
• EtherType
  Only frames matching EtherType details configured in this section will be allowed to pass through. Only available when Packet type selection is set to ANY PACKET.
• Transport layer
  Only packets matching transport layer details configured in this section will be allowed to pass through. Not available when Packet type selection is set to ARP.
• 802.1q VLAN fields
  Only frames matching VLAN details configured in this section (having a VLAN tag in their header, added before entering the NPB) will be allowed to pass through. The VLAN Mask is a hexadecimal field that can be used to filter one or multiple VLAN IDs at the same time.
  
  Example:
  VID: 0 and HEX MASK: FFC will match VIDs: 0, 1, 2, 3;
  VID: 1 and HEX MASK: FFF will match only VID 1.
• IPv4 layer
  Only packets matching IPv4 details configured in this section will be allowed to pass through. Only available when Packet type selection is set to IPv4.
• IPv6 layer
  Only packets matching IPv6 details configured in this section will be allowed to pass through. Only available when Packet type selection is set to IPv6.

Note: If multiple filter fields are configured, only packets matching all filters will be targeted.

XX-Series devices can distribute the output traffic across a load balancing group using a flow-aware policy. This relies on the hashing of the L3 or L3+L4 headers to identify the traffic flows and consistently output them to the same interfaces. This allows the NPB to consistently provide traffic to multiple tools without impacting the quality of their analysis.

The load balancing configuration for a rule set can be changed using via the Configure button in the Load balancing section of that rule set.