Configure NPU Traffic Monitoring
For supported software information, see Supported Software Information at the end of this article.
You can configure a network processing unit (NPU) traffic-monitoring policy to collect statistics for traffic flows (sessions) for bridge domain interfaces, bridge domains, and layer 3 interfaces. You can control whether statistics are collected at the start of a flow, the end of a flow, or both. Statistics are exported in logs sent to the Analytics cluster associated with the SD-LAN configuration.
For information about NPU flow logs, see NPU Traffic Monitoring Logs in Flow Logs.
Configure NPU Traffic Monitoring Policy Rules
You configure traffic monitoring policy rules from the CLI on each Versa Operating System™ (VOS™) device.
To monitor traffic for bridge domain interfaces, bridge domains, and layer 3 interfaces you configure traffic monitoring policy rules using match criteria, as shown below. Only a single traffic monitoring policy can be configured for each organization.
set orgs org-services org-name npu traffic-monitoring {
    policies {
        policy-name {
            rules {
                rule-name {
                    match {
                        match-criteria
                    }
                    set {
                        settings
                    }
                }
            }
        }
    }
}
Use the following options to configure the match criteria:
- destination-ip-prefix—IPv4 prefix in destination address
- destination-ip6-prefix—IPv6 prefix in destination address
- destination-port—Destination port/port-range, for example 100 or 100-115
- dscp—DSCP value
- forwarding-type—Forwarding type of an incoming packet
- Inner-header—Set this criterion to true to match the contents of the inner header.
- interfaces—NPU interfaces
- ip-version—IP version
- protocol-value—IP protocol value
- layer2-routing-instance—Layer 2 routing instance
- layer3-routing-instance—Layer 3 routing instance
- source-ip-prefix—Prefix in IPv4 source address
- source-ip6-prefix—Prefix in IPv6 source address
- source-port—Source port/port-range, for example 100 or 100-115
- vxlan-vni-id—VXLAN ID
Use the following options to configure the settings:
- flow-tracking—Enable or disable flow tracking. Flow tracking is disabled by default.
- inner-header-ip-version—Set the IP address type to track for inner headers. Options are ipv4 and ipv6.
Disable a Traffic-Monitoring Policy Rule
You can disable a policy rule by setting rule-disable to true. The following example disables rule r1 for policy p1.
admin@SDLAN-Branch-cli(config)% set orgs org-services provider-org npu traffic-monitoring policies p1 rules r1 rule-disable true
Traffic Monitoring Policy Rule Examples
Example 1: Monitor a bridge domain interface. In the following example, rule r1 tracks flows which ingress VLANs 100 and 200 on interface enet-0/5.100.
admin@SDLAN-Branch-cli(config)% show orgs org-services versa npu traffic-monitoring policies pol1 {
    rules r1 {
        match {
            interfaces {
                enet-0/5.100 {
                    vlan [ 100,200 ]
                }
            }
        }
        set {
            flow-tracking enabled
        }
    }
}
Example 2: Monitor a bridge domain. In the following example, rule r1 tracks packets which ingress bridge domain bd100.
admin@SDLAN-Branch-cli(config)% show orgs org-services versa npu traffic-monitoring policies {
    p1 {
        rules {
            r1 {
                match {
                    layer2-routing-instance vs {
                        bridge-domain-list [ bd100 ];
                    }
                }
                set {
                    flow-tracking enabled;
                }
            }
        }
    }
}
Example 3: Monitor a layer 3 interface. In the following example, rule r1 matches interface enet-0/10.0 and tracks the packets ingressing into this interface.
admin@SDLAN-Branch-cli(config)% show orgs org-services versa npu traffic-monitoring policies {
    p1 {
        rules {
            r1 {
                match {
                    interface enet-0/10.0;
                }
                set {
                    flow-tracking enabled;
                }
            }
        }
    }
}
Example 4: Track tunnel-terminated packets. Tunnel-terminated packets are tracked using the contents of the inner header, so in the following example the Inner-header match criterion is set to true. The inner header uses IPv4 addressing, so the inner-header-ip-version setting is set to ipv4. The IP version in the source-ip-prefix match criterion must match the IP version listed for the inner header, so the source-ip-prefix is IPv4.
admin@SDLAN-Branch-cli(config)% show orgs org-services versa npu traffic-monitoring policies {
    p1 {
        rules {
            r1 {
                match {
                    Inner-header true;
                    source-ip-prefix 1.1.0.0/24;
                }
                set {
                    flow-tracking enabled;
                    inner-header-ip-version ipv4;
                }
            }
        }
    }
}
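The following Python lint is an added example, not Versa code. It checks a planned rule against the constraints stated on this page before the rule is typed into the CLI: each prefix key carries the IP family its name implies, ports are a single value or a low-high range, and with Inner-header true the prefix keys agree with inner-header-ip-version. The dict layout and the names lint_rule and _port_ok are assumptions of this example.

```python
import ipaddress
import re

PREFIX_KEYS = {  # prefix match keys from this page -> IP family they carry
    "source-ip-prefix": 4, "destination-ip-prefix": 4,
    "source-ip6-prefix": 6, "destination-ip6-prefix": 6,
}
PORT_RE = re.compile(r"(\d+)(?:-(\d+))?")

def _port_ok(value):
    # A single port or a low-high range, for example 100 or 100-115.
    m = PORT_RE.fullmatch(str(value))
    return bool(m) and int(m.group(1)) <= int(m.group(2) or m.group(1)) <= 65535

def lint_rule(match, settings):
    """Return the problems found in one planned rule (empty list if clean)."""
    problems = []
    for key, family in PREFIX_KEYS.items():
        if key not in match:
            continue
        try:
            net = ipaddress.ip_network(match[key], strict=False)
        except ValueError:
            problems.append(f"{key}: {match[key]!r} is not a valid prefix")
            continue
        if net.version != family:
            problems.append(f"{key}: expects IPv{family}, got IPv{net.version}")
    for key in ("source-port", "destination-port"):
        if key in match and not _port_ok(match[key]):
            problems.append(f"{key}: {match[key]!r} is not a port or port range")
    inner = settings.get("inner-header-ip-version")
    if inner is not None and inner not in ("ipv4", "ipv6"):
        problems.append(f"inner-header-ip-version: {inner!r} is not ipv4 or ipv6")
    elif inner and match.get("Inner-header") is True:
        want = 4 if inner == "ipv4" else 6
        for key, family in PREFIX_KEYS.items():
            if key in match and family != want:
                problems.append(f"{key}: IPv{family} key, inner header is {inner}")
    return problems

if __name__ == "__main__":
    # Example 4 from this page, then a constructed rule that mixes families.
    print(lint_rule({"Inner-header": True, "source-ip-prefix": "1.1.0.0/24"},
                    {"flow-tracking": "enabled", "inner-header-ip-version": "ipv4"}))
    print(lint_rule({"Inner-header": True, "source-ip6-prefix": "2001:db8::/32"},
                    {"inner-header-ip-version": "ipv4"}))
```
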
Configuring the Flow Inactivity Interval
By default, if a flow has no incoming packets for 60 seconds, the flow is deleted. You can modify the time interval that flows are allowed to persist without incoming packets.
To modify the time interval for flow inactivity, issue the CLI command below. Possible values for ageing time (in seconds) are 1, 10, 60, 600, 1800, 3600, 36000, and 86400. Note that ageing time is common to all organizations on the device.
admin@versa-flexvnf-cli(config)% set system platform npu tm-ageing-time ageing-time
Configure Flow Collection Control
You can configure a VOS device to collect statistics at the start or end of a flow (session), or at both the start and end of a flow. Note that Analytics can request an update in the interim, and the VOS device sends statistics in response.
To configure the point at which the VOS device exports flow statistics, issue the CLI command below. Possible values for the flow event are both, end, and start.
admin@SDLAN-Branch6-cli(config)% set orgs org-services org-name sd-lan logs logging-control sessions event flow-event
For example, the following command exports flow statistics at the start and end of flows.
admin@SDLAN-Branch6-cli(config)% set orgs org-services provider-org sd-lan logs logging-control sessions event both
Configure the NPU Log Export Interval
NPU logs are exported every 5 seconds by default. You can modify the time interval for exporting the logs.
To modify the log export interval, issue the CLI command below. The export time interval must be in the range of 1 through 1048575 seconds. Note that export time is common to all organizations on the device.
admin@SDLAN-Branch6-cli(config)% set system platform npu tm-periodic-export-time export-time
Supported Software Information
Releases 22.1.4 and later support all content described in this article.