Traffic management
The Traffic Management page allows users to define traffic rules operating on an interconnected fleet of Profitap XX-Series and X2-Series packet brokers, Kubernetes clusters, or a hybrid of both. The traffic rules can be used to forward, aggregate and replicate traffic from different devices and K8s pods. Supervisor will automatically generate and deploy the necessary device configuration to achieve the desired result.
Prior to creating traffic rules, port groups and packet broker uplinks can be created from the Registered Devices page, and pod groups and tunnel destinations from the Registered Clusters page. This can also be done by clicking a device or K8s cluster in the Traffic Management graphical view.
Traffic Management graphical view
Devices and other entities can be arranged in the graphical view by clicking and dragging them around. The mouse wheel can be used to zoom in and out. While zoomed in, clicking and dragging on an empty space moves the view around.
Clicking on a device or entity in the graphical view opens the related device or K8s cluster details window.
Network Initialization
A network must be initialized before it can be used for traffic management. The network must contain at least one device or K8s cluster. To initialize a network, select it in the drop-down menu in the top left corner and click the Initialize Network button. In the Initialize Network window, select a device or cluster, and click the Confirm button.
Select a network to initialize
Select a device or cluster with which to initialize the network
Rule Sets
Supervisor uses the registered topology of devices, external devices, and K8s pods to allow you to perform advanced cross-device traffic management. The configuration of all these elements is covered by the Supervisor rule sets. These are traffic management profiles that can be created, cloned, swapped and modified. Any time a new rule set is applied, the Supervisor system will make sure that the configuration is automatically deployed on the targeted devices.
The Rule Sets tab displays the list of existing rule sets for the selected network. Each network operates with its own separate rule sets. Use the Selected Network drop-down menu in the top left corner to view and manage the rule sets for a specific network, or select the All Networks option for a view of existing rule sets across all networks.
Rule Sets tab displaying the list of rule sets on the selected virtual network
The following actions are available:
- Create a rule set
- Clone a rule set
- Configure a rule set
- Apply a rule set
- Rename a rule set
- Delete a rule set
Multiple rule sets can be deleted by selecting one or more rule sets and pressing the Delete Rule Sets button.
Note: In order to apply changes to the active rule set, it is necessary to apply the rule set again.
If a rule set is currently active, it is displayed at the bottom of the Traffic Management tab. It can be deactivated via the Deactivate Rule Set button.
A rule set can contain one or more traffic rules. Clicking the Configure Rule Set button displays the configuration page for the selected rule set.
Example of a rule set
From within a rule set, it is possible to manage the traffic rules, and the L4 port groups and VLAN ID groups which can be used in the traffic rule filters. Clicking the Apply Current Rule Set button deploys this rule set on the network. Clicking the Close Configuration button navigates back to the list of rule sets. Changes to a rule set are saved automatically. Changes to the active rule set are not deployed automatically; the rule set must be applied again in order to propagate the new network configuration.
Traffic Rules
Traffic rules are the core of Supervisor traffic management. Each rule defines the source and destination of the network traffic, as well as filters for that traffic. The rules use the physical uplinks to make sure that the packets reach the intended target.
Click the Create Rule button within a rule set to start creating a rule. A basic rule consists of a name, traffic source, and traffic destination. One or more sources and destinations can be defined. Defining more than one source will aggregate the traffic, and defining more than one destination will replicate the traffic. Optionally, filters can be defined if the destinations are port groups on X2-Series devices or K8s tunnel destinations, and advanced options can be defined if the destinations are port groups on X2-Series devices. If no filter is defined, the rule will allow all traffic. The Traffic Sources, Traffic Destinations, Filters, and Advanced tabs are described in the following sections. The Rule Overview tab displays a summary of the rule. Click the Confirm button to finish creating the rule.
Traffic Sources
Traffic Sources can be simple port groups, external devices or tunnel termination port groups that were created on XX-Series or X2-Series devices, or pod groups that were created on K8s clusters.
Add a source by clicking the Add button, selecting the desired source type, then selecting the source from the drop-down menu, and finally clicking the Apply Port Group Source button. Repeat this process to add more sources.
Example of a rule with a simple port group set as traffic source
Click the Next button to continue to the Traffic Destinations tab.
Traffic Destinations
Traffic Destinations can be simple port groups, external devices or tunnel creation port groups that were created on XX-Series or X2-Series devices.
Add a destination by clicking the Add button, selecting the desired destination type, then selecting the destination from the drop-down menu, and finally clicking the Apply Port Group Destination button. Repeat this process to add more destinations.
Example of a rule with a simple port group set as traffic destination
Click the Next button to continue to the Filters tab.
Filters
Filters can be defined if the destinations are port groups on X2-Series devices or K8s tunnel destinations.
Multiple filters can be created, and each filter can contain one or more statements.
The following actions are available:
- Add a filter containing one statement
- Add a statement to a filter
- Remove a statement from a filter
- Delete a filter
Each filter can be set as an allow filter or a drop filter using the Drop toggle.
The filter behavior is as follows:
- Filters are logically disjunctive (OR), meaning that any traffic matching any allow filter will be allowed through, except for the parts of that traffic that match drop filters.
- Any traffic matching any drop filter will be dropped.
- If only allow filters are set, only the traffic matching these filters will be allowed through.
- If only drop filters are set, all traffic will be allowed through, except for traffic that matches any of these drop filters.
- If no filters are present, all traffic from the selected sources will be sent to the selected destinations.
- Statements within a filter are logically conjunctive (AND), meaning that each filter only applies to traffic which matches all of the statements within that filter.
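The filter behavior listed above can be checked against sample traffic before a rule set is applied. The following Python model is an added example, not Supervisor code; the field names, addresses and filter objects are constructed for illustration, and sets of values stand in for L4 port groups and VLAN ID groups.

```python
# Added illustration: models the documented filter semantics; not Supervisor code.
# Field names (protocol, dst_port, src_ip) and all values are constructed.
from dataclasses import dataclass

@dataclass
class Filter:
    statements: dict      # field -> set of accepted values (stands in for a group)
    drop: bool = False    # mirrors the Drop toggle

    def matches(self, pkt: dict) -> bool:
        # Statements within one filter are conjunctive (AND).
        return all(pkt.get(f) in ok for f, ok in self.statements.items())

def forwarded(pkt: dict, filters: list) -> bool:
    """True if a rule with these filters sends pkt to its destinations."""
    if any(f.drop and f.matches(pkt) for f in filters):
        return False                      # a drop match always wins
    allows = [f for f in filters if not f.drop]
    if not allows:
        return True                       # no filters, or drop filters only
    return any(f.matches(pkt) for f in allows)   # allow filters are OR-ed

# Constructed sample traffic (protocol numbers: 1 = ICMP, 6 = TCP, 17 = UDP).
PACKETS = {
    "https":     {"protocol": 6,  "dst_port": 443, "src_ip": "10.0.0.7"},
    "https_bad": {"protocol": 6,  "dst_port": 443, "src_ip": "10.0.0.5"},
    "http":      {"protocol": 6,  "dst_port": 80,  "src_ip": "10.0.0.7"},
    "dns":       {"protocol": 17, "dst_port": 53,  "src_ip": "10.0.0.7"},
    "icmp":      {"protocol": 1,  "src_ip": "10.0.0.7"},
}

ALLOW_HTTPS = Filter({"protocol": {6}, "dst_port": {443}})
ALLOW_DNS = Filter({"protocol": {17}, "dst_port": {53}})
DROP_HOST = Filter({"src_ip": {"10.0.0.5"}}, drop=True)
DROP_ICMP = Filter({"protocol": {1}}, drop=True)

def passing(filters: list) -> list:
    """Names of the sample packets that the filter list lets through."""
    return sorted(n for n, p in PACKETS.items() if forwarded(p, filters))

if __name__ == "__main__":
    print("allow + drop:", passing([ALLOW_HTTPS, ALLOW_DNS, DROP_HOST]))
    print("drop only   :", passing([DROP_HOST, DROP_ICMP]))
    print("no filters  :", passing([]))
```

With only allow filters set, every packet they do not name is excluded from the destination, so a monitoring tool behind such a rule sees a subset of the source traffic.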
The Filters column of each filter provides an overview of the filter types of all statements present in the filter.
The leftmost drop-down menu of each statement allows the selection of the type of filter for this statement. The rest of the fields and drop-down menus in that statement will depend on the selected filter type.
The available filter types are as follows:
- MAC: Filter on source and/or destination MAC address.
- VLAN: Filter on VLAN ID. Select a VLAN ID group. VLAN ID groups can be created on the Rule Sets page.
- ETH_TYPE: Filter on EtherType. Input the hexadecimal EtherType value.
- IPV4/IPV6: Filter on source and/or destination IPv4/IPv6 address.
- PROTOCOL: Filter on protocol. Input the protocol number.
- TCP/UDP/SCTP: Filter on TCP/UDP/SCTP source and/or destination L4 port groups. L4 port groups can be created on the Rule Sets page.
Note: After updating Supervisor to v1.0.0, ICMP/IGMP filter statements will be lost. These can be reconfigured using the Protocol statement and the standard protocol number.
Advanced Options
Advanced options can be defined if the destinations are port groups on X2-Series devices.
The available options are as follows:
- Source VLAN Tag: Label the outgoing traffic with the VLAN ID defined in the destination port group(s).
- Custom VLAN Tag: Label the outgoing traffic with the specified VLAN ID.
Example of a rule with Source VLAN Tag enabled