Adaptive Packet Filtering Examples
The following are APF examples:

Identify Social Security Numbers in User-Level Transactions
Mask Social Security Numbers
Filter on Fibre Channel over Ethernet (FCoE) Traffic
Multi-Encapsulation Filtering
Filter on Subscriber Device IP (User-Endpoint IP or UE-IP)
Filter on Inner Layer 2-4 Parameters for Unrecognized Headers
GTP Tunnel ID-Based Filtering
ERSPAN Tunneling
Distribute Traffic Based on Inner IP Addresses and Inner TCP Port Values
MPLS Label Based Filtering
Combine APF with GigaSMART Operations
Conditional Header Stripping
Facilitate Overlapping Rules
Identify Social Security Numbers in User-Level Transactions

The following example looks for packets containing Social Security Numbers in an incoming traffic stream using pattern matching. Once a match is detected, the packets are forwarded to a monitoring tool for additional analysis.

1. Configure one network and two tool ports.
2. Configure a GigaSMART group and associate it with a GigaSMART engine port.
3. Configure the GigaSMART operation.
4. Create a virtual port.
5. Create a first level map to forward traffic from network port 1/1/x3 to virtual port vp1.
6. Create a second level map to forward traffic from the virtual port vp1 to GigaSMART with pattern matching.
Mask Social Security Numbers

In the following pattern matching example, IPv4 packets contain Social Security Numbers (SSNs) in the format xxx-xx-xxxx. SSNs that fall between packet offsets 40 and 80 are replaced with zeros.

1. Configure a GigaSMART group and associate it with a GigaSMART engine port.
2. Create a virtual port and associate it with the GigaSMART group.
3. Create a first level map to direct traffic from network port 1/1/x1 to virtual port gsTraffic.
4. Configure the GigaSMART operation.
5. Create a second level map to direct traffic from the virtual port gsTraffic to GigaSMART.
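The two SSN examples above, as an added illustration (not Gigamon code): a windowed regular-expression match that detects xxx-xx-xxxx strings in a packet and, for the masking case, overwrites the digits of every match lying wholly inside byte offsets 40..80 with zeros. The packet bytes are constructed (54 zero bytes standing in for Ethernet/IPv4/TCP headers, followed by a payload); leaving a match that straddles the window edge untouched is an assumption, since the page does not say how that case is handled.

```python
"""Added example, not Gigamon code: detect and mask SSN-shaped strings in a packet."""
import re
from typing import List, Optional, Tuple

# xxx-xx-xxxx.  The digit-boundary lookarounds stop a longer digit run
# (e.g. 91234-56-78901) from yielding a false match in the middle.
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

# Constructed packet: 54 zero bytes stand in for Ethernet/IPv4/TCP headers,
# then an application payload.  Offsets: first SSN at 58..69, second at 74..85.
SAMPLE_PACKET = b"\x00" * 54 + b"SSN=123-45-6789 ref=987-65-4321 tel=555-1234-5678"


def find_ssns(pkt: bytes, lo: int = 0, hi: Optional[int] = None) -> List[Tuple[int, int]]:
    """Return (start, end) byte spans of SSN-shaped strings lying wholly within [lo, hi).

    A match that straddles the window boundary is reported as outside the window
    (assumption: the page only says 'between offset 40 and 80')."""
    hi = len(pkt) if hi is None else hi
    return [m.span() for m in SSN_RE.finditer(pkt) if lo <= m.start() and m.end() <= hi]


def has_ssn(pkt: bytes) -> bool:
    """Detection only: the 'identify' example forwards matching packets unchanged."""
    return bool(find_ssns(pkt))


def mask_ssns(pkt: bytes, lo: int = 40, hi: int = 80) -> bytes:
    """Masking: overwrite the digits of every SSN inside the window with '0'.

    The dashes and the packet length are preserved, so IP/TCP length fields
    stay consistent; the transport checksum is not recomputed here."""
    out = bytearray(pkt)
    for start, end in find_ssns(pkt, lo, hi):
        out[start:end] = re.sub(rb"\d", b"0", pkt[start:end])
    return bytes(out)


if __name__ == "__main__":
    print(find_ssns(SAMPLE_PACKET))
    print(mask_ssns(SAMPLE_PACKET)[54:])
```

Masking keeps the packet length, but the TCP checksum no longer matches the payload; a tool that verifies checksums will flag masked packets unless the checksum is recomputed downstream. With the 40..80 window the second SSN in the sample (ending at offset 85) is left intact, which is exactly the kind of leak an offset-bounded mask can produce; widen the window or mask the whole payload when the SSN position is not fixed.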
Filter on Fibre Channel over Ethernet (FCoE) Traffic

The flexibility offered by regular expression-based filters can be used to classify traffic streams whose protocol headers are typically unsupported on traditional TAP/SPAN aggregation devices. In this example, regular expression-based filters are used to match on an address field in the Fibre Channel header carried inside the FCoE frame.

1. Configure ports.
2. Configure a GigaSMART group and associate it with a GigaSMART engine port.
3. Configure the GigaSMART operation.
4. Create a virtual port and associate it with the GigaSMART group.
5. Create a first level map to forward FCoE traffic to the virtual port.
6. Create a second level map to filter on a regular expression, using a string match on the destination address in the FCoE packet.
Multi-Encapsulation Filtering

To complement the mobility brought about by virtualized server infrastructure, network virtualization overlays such as VXLAN, VN-Tag and NVGRE are being designed and deployed in data center and enterprise environments. Across service provider environments, huge volumes of traffic are tunneled over GTP. Until now, the GigaVUE Visibility Platform offered the option of stripping these headers, giving visibility to monitoring tools that do not understand the overlay or encapsulation protocol. APF extends this: operators can now make forwarding decisions based on the encapsulation headers and on the inner packet contents.

With the encapsulation awareness that APF provides, operators have several options for acting on a packet:

Filter on encapsulation header parameters and on Layer 2-4 parameters in the outer or inner headers (up to 5 layers of encapsulation), in any combination. For example:
– Forward traffic for a subset of VXLAN IDs to one or more monitoring tools.
– Distribute traffic based on MPLS label values across one or more monitoring tools.

In combination with header stripping, implement "conditional" header stripping based on encapsulation header parameters or on inner/outer packet contents:
– Forward a subset of the traffic "as-is" to monitoring tools that need the encapsulation for analysis.
– Alternatively, strip the outer headers/encapsulation and distribute the traffic to monitoring tools that do not need the outer headers for analysis.

Since APF is implemented as a second level map, operators can also implement overlapping rules where:
– A copy of the traffic is distributed across one group of monitoring tools.
– A refined subset of the same incoming stream is distributed across a different set of tools.
Filter on Subscriber Device IP (User-Endpoint IP or UE-IP)

The encapsulation awareness enabled by APF allows mobile operators to filter on Layer 2-4 header parameters found in the encapsulated (inner) packet. This lets operators filter and forward the traffic of a single mobile subscriber device, or of a group of subscriber devices, identified by IP address (the User-Endpoint IP, or UE-IP), to one or more monitoring tools.

In this example, we are:

Identifying and forwarding traffic from/to UE-IP 1.1.1.1 to a monitoring tool connected to tool port 1/1/x1
Identifying and forwarding traffic from/to UE-IP 1.1.1.2 to a different monitoring tool connected to tool port 1/1/x4

In many cases the GTP control sessions are low-volume and useful for gauging the quality of experience of subscribers. Operators therefore prefer to replicate the control sessions across all the monitoring tools, while filtering and forwarding a subset of the user-plane sessions to a subset of the tools. The following example also uses the patented Flow Mapping technology to replicate the GTP control sessions across all the monitoring tools involved in the traffic analysis.

1. Configure ports.
2. Configure a GigaSMART group and associate it with a GigaSMART engine port.
3. Configure the GigaSMART operation.
4. Create a virtual port and associate it with the GigaSMART group.
5. Create a first level map to forward GTP-U traffic to the virtual port. In the rule, UDP port 2152 identifies GTP-U traffic.
6. Create a first level map to forward GTP-C traffic to the tools. In the rule, UDP port 2123 identifies GTP-C traffic.
7. Create a second level map to filter on source and destination IP (bi-directional) for UE-IP 1.1.1.1 and send it to tool port 1/1/x1.
8. Create another second level map to filter on source and destination IP (bi-directional) for UE-IP 1.1.1.2 and send it to tool port 1/1/x4.
Filter on Inner Layer 2-4 Parameters for Unrecognized Headers

The flexibility of encapsulation awareness enables filtering on encapsulated contents even when APF does not recognize the outer encapsulation header. The following example illustrates a packet encapsulated in FabricPath headers. FabricPath headers (as shown in the figure) are MAC-in-MAC headers that are currently not recognized by APF; operators can nevertheless filter and forward traffic flows based on the Layer 2-4 parameters found in the encapsulated packet.

In this example, we are:

Identifying and forwarding traffic from/to IP 1.1.1.1 in the inner (original) packet to the monitoring tool connected to tool port 1/1/x1
Identifying and forwarding traffic from/to IP 1.1.1.2 in the inner (original) packet to the monitoring tool connected to tool port 1/1/x4

1. Configure ports.
2. Configure a GigaSMART group and associate it with a GigaSMART engine port.
3. Configure the GigaSMART operation.
4. Create a virtual port and associate it with the GigaSMART group.
5. Create a first level map to forward FabricPath packets to the virtual port.
6. Create a second level map to filter on source and destination IP (bi-directional) for 1.1.1.1 and send it to tool port 1/1/x1.
7. Create another second level map to filter on source and destination IP (bi-directional) for 1.1.1.2 and send it to tool port 1/1/x4.
GTP Tunnel ID-Based Filtering

The following example demonstrates filtering and forwarding traffic based on the tunnel IDs (TEIDs) carried in GTP user-plane messages. It also illustrates the concept of a shared collector, to which traffic not matching any of the configured filters can optionally be sent. GTP control sessions are forwarded to all the monitoring tools using flow mapping, by filtering on Layer 4 UDP port 2123.

For GTP-U:

Filter and forward the TEID range 0x001e8480..0x001e8489 to one monitoring tool
Filter and forward the TEID range 0x001e8490..0x001e8499 to another monitoring tool
Forward the rest of the traffic to a shared collector

1. Configure one network port and three tool ports.
2. Configure a GigaSMART group and associate it with a GigaSMART engine port.
3. Configure the GigaSMART operation and assign it to the GigaSMART group. Packets processed by this operation are evaluated using Adaptive Packet Filtering (APF) rules.
4. Create a virtual port and associate it with the GigaSMART group.
5. Create a first level map that directs GTP-U traffic from the physical network port(s) to the virtual port created in the previous step. In the rule, UDP port 2152 identifies GTP-U traffic.
6. Create a first level map that directs GTP-C traffic from the physical network port(s) to the tool ports. In the rule, UDP port 2123 identifies GTP-C traffic.
7. Create a second level map that takes traffic from the virtual port, applies the GigaSMART operation, and matches the first TEID range (0x001e8480..0x001e8489) specified by the gsrule, sending it to the first tool port.
8. Create a second level map that takes traffic from the virtual port, applies the GigaSMART operation, and matches the second TEID range (0x001e8490..0x001e8499) specified by the gsrule, sending it to the second tool port.
9. Add a shared collector for any unmatched data and send it to the third tool port.
ERSPAN Tunneling

In this example, APF is used to filter packets based on the ERSPAN ID. The ERSPAN header is not removed from the packet.

A second level map is configured in the example. A virtual port feeds traffic to the second level map; APF filters the packets and forwards those that match the filter criteria in the map.

1. Configure a tool port.
2. Configure a GigaSMART group and associate it with a GigaSMART engine port.
3. Create a virtual port and associate it with the GigaSMART group.
4. Configure the GigaSMART operation and assign it to the GigaSMART group.
5. Create a first level map.
6. Create a second level map.
Distribute Traffic Based on Inner IP Addresses and Inner TCP Port Values

In the following example, traffic is distributed based on inner IP addresses and inner TCP port values as follows:

Packets from VLAN 20 with GTP inner IP addresses 65.128.7.21 and 98.43.132.70 and inner TCP port 80 are forwarded to one tool port
Packets from VLAN 20 with GTP inner IP addresses 65.128.7.21 and 98.43.132.70 and inner TCP port 443 are forwarded to a second tool port
All packets not matching these rules are forwarded to a third tool port

1. Configure one network port and three tool ports.
2. Configure a GigaSMART group and associate it with a GigaSMART engine port.
3. Configure the GigaSMART operation and assign it to the GigaSMART group. Packets processed by this operation are evaluated using Adaptive Packet Filtering (APF) rules.
4. Configure a virtual port and associate it with the GigaSMART group.
5. Create a first level map that directs traffic from the physical network port to the virtual port created in the previous step.
6. Create a second level map that takes traffic from the virtual port, applies the GigaSMART operation, matches the inner TCP port 80 rules, and sends the traffic to one tool port.
7. Create a second level map that takes traffic from the virtual port, applies the GigaSMART operation, matches the inner TCP port 443 rules, and sends the traffic to another tool port.
8. Add a shared collector for any unmatched data and send it to the third tool port.
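A toy model of the three GTP examples above (UE-IP filtering, TEID-range filtering, and VLAN plus inner IP/TCP-port distribution with a shared collector), added here as an illustration; it is not Gigamon code. It plays the role of the first-level map (GTP-C on UDP 2123 replicated to every tool, GTP-U on UDP 2152 sent to the virtual port) and of the prioritized second-level APF maps. Tool ports 1/1/x1 and 1/1/x4, the TEID ranges and the subscriber addresses come from the examples; the third tool port 1/1/x5, the outer addresses and the frames themselves are constructed.

```python
"""Added example, not Gigamon code: GTP-aware filtering as a first-level map feeding
prioritized second-level APF maps with a shared collector."""
import ipaddress
import struct

GTPC_PORT, GTPU_PORT = 2123, 2152


def _ipv4(pkt, off):
    """Decode the IPv4 header at `off`; return (fields, offset of the next header)."""
    ihl = (pkt[off] & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(pkt[off + 12:off + 16])),
            "dst": str(ipaddress.IPv4Address(pkt[off + 16:off + 20])),
            "proto": pkt[off + 9]}, off + ihl


def parse(pkt):
    """Ethernet/[802.1Q]/IPv4/UDP and, for GTP-U, the TEID plus the inner IPv4/TCP.
    Returns the fields the rules filter on, or None for a non-IPv4 frame."""
    off, vlan = 14, None
    etype = struct.unpack_from("!H", pkt, 12)[0]
    if etype == 0x8100:                      # single 802.1Q tag (assumption: no QinQ)
        vlan = struct.unpack_from("!H", pkt, 14)[0] & 0x0FFF
        etype = struct.unpack_from("!H", pkt, 16)[0]
        off = 18
    if etype != 0x0800:
        return None
    outer, off = _ipv4(pkt, off)
    f = {"vlan": vlan, "udp_dport": None, "teid": None, "inner": None, "tcp_dport": None}
    if outer["proto"] != 17:
        return f
    f["udp_dport"] = struct.unpack_from("!HH", pkt, off)[1]
    off += 8
    if f["udp_dport"] != GTPU_PORT:
        return f
    flags = pkt[off]
    f["teid"] = struct.unpack_from("!I", pkt, off + 4)[0]
    off += 8 + (4 if flags & 0x07 else 0)    # optional seq/N-PDU/ext word; ext chains not walked
    f["inner"], off = _ipv4(pkt, off)
    if f["inner"]["proto"] == 6:
        f["tcp_dport"] = struct.unpack_from("!HH", pkt, off)[1]
    return f


# Rule predicates; each stands for a gsrule in one second-level map.
def ue_ip(f, ip):
    """Bi-directional match on the subscriber (inner) IP."""
    return f["inner"] is not None and ip in (f["inner"]["src"], f["inner"]["dst"])


def teid_in(f, lo, hi):
    return f["teid"] is not None and lo <= f["teid"] <= hi


def inner_flow(f, vlan, a, b, dport):
    """Outer VLAN, the inner IP pair in either direction, and the inner TCP destination port."""
    return (f["vlan"] == vlan and f["inner"] is not None
            and {f["inner"]["src"], f["inner"]["dst"]} == {a, b} and f["tcp_dport"] == dport)


ALL_TOOLS = ["1/1/x1", "1/1/x4", "1/1/x5"]
SHARED_COLLECTOR = "1/1/x5"                  # constructed: the page's "third tool port"
# Second-level maps in priority order: the first map whose rule matches takes the packet.
SECOND_LEVEL = [
    (lambda f: ue_ip(f, "1.1.1.1"), "1/1/x1"),
    (lambda f: ue_ip(f, "1.1.1.2"), "1/1/x4"),
    (lambda f: teid_in(f, 0x001E8480, 0x001E8489), "1/1/x1"),
    (lambda f: teid_in(f, 0x001E8490, 0x001E8499), "1/1/x4"),
    (lambda f: inner_flow(f, 20, "65.128.7.21", "98.43.132.70", 80), "1/1/x1"),
    (lambda f: inner_flow(f, 20, "65.128.7.21", "98.43.132.70", 443), "1/1/x4"),
]


def steer(pkt):
    """Return the list of tool ports a frame is delivered to."""
    f = parse(pkt)
    if f is None or f["udp_dport"] is None:
        return []                            # no first-level rule passes non-IPv4/UDP traffic
    if f["udp_dport"] == GTPC_PORT:
        return list(ALL_TOOLS)               # first-level map: GTP-C replicated to every tool
    if f["udp_dport"] != GTPU_PORT:
        return []
    for rule, tool in SECOND_LEVEL:          # GTP-U went to the vport; APF evaluates the maps
        if rule(f):
            return [tool]
    return [SHARED_COLLECTOR]


def build(teid, src, dst, dport, vlan=None, ctrl=False):
    """Constructed frame: Ethernet[/802.1Q]/IPv4/UDP/GTP-U/IPv4/TCP.  With ctrl=True the UDP
    destination port is 2123, which is all the first-level GTP-C rule looks at."""
    def ip4(s, d, proto, payload):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                           ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed) + payload
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    gtp = struct.pack("!BBHI", 0x30, 0xFF, 40, teid) + ip4(src, dst, 6, tcp)
    udp = struct.pack("!HHHH", 2152, GTPC_PORT if ctrl else GTPU_PORT, 8 + len(gtp), 0) + gtp
    eth = b"\x00" * 12 + (struct.pack("!HH", 0x8100, vlan) if vlan is not None else b"")
    return eth + struct.pack("!H", 0x0800) + ip4("10.0.0.1", "10.0.0.2", 17, udp)
```

Map order matters: a packet for UE-IP 1.1.1.1 whose TEID also lies in the second range goes to 1/1/x1, because the UE-IP map has the higher priority, and the collector only sees what no map claims. The decoder assumes an untagged or single-tagged outer frame and a GTP-U header without extension-header chains; a production filter has to handle both, or a crafted header layout will slip past the inner-field rules.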
MPLS Label Based Filtering

Multiprotocol Label Switching (MPLS) is a mechanism in high-performance telecommunications networks that directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table. The labels identify virtual links (paths) between distant nodes rather than endpoints.

MPLS is a scalable, protocol-independent transport. In an MPLS network, data packets are assigned labels. Packet-forwarding decisions are made solely on the contents of this label, without the need to examine the packet itself. This allows end-to-end circuits to be created across any type of transport medium, using any protocol.

On Visibility Platform nodes without APF, traffic flows encapsulated in MPLS labels could not be filtered and forwarded based on those labels. With the wide-scale adoption of MPLS across enterprise and service provider environments, classifying traffic flows based on MPLS labels is a significant value add for granularly controlling the flow of traffic to the monitoring tools. APF can be leveraged to filter and forward traffic flows based on MPLS label values. MPLS can stack multiple labels to form tunnels within tunnels; APF can classify traffic across up to 5 levels of the MPLS label stack, in addition to filtering and forwarding based on the Layer 2-4 parameters found in the encapsulated packet. The following example illustrates filtering and forwarding traffic based on MPLS labels, as follows:

Filter and forward traffic flows with MPLS label 4 at the second level of the label stack to tool 1
Filter and forward traffic flows with MPLS label 3 at the first level of the label stack to tool 2

1. Configure ports.
2. Configure a GigaSMART group and associate it with a GigaSMART engine port.
3. Configure the GigaSMART operation.
4. Create a virtual port and associate it with the GigaSMART group.
5. Create a first level map to forward traffic to the virtual port.
6. Create a second level map to filter on MPLS label 4 at the second level of the label stack and send it to tool 1.
7. Create another second level map to filter on MPLS label 3 at the first level of the label stack and send it to tool 2.
Combine APF with GigaSMART Operations

APF can also be combined with other GigaSMART functions, including Header Stripping, Packet Slicing or Masking, De-duplication and FlowVUE. This lets network administrators and operators perform a second layer of filtering in combination with the GigaSMART tool optimization and packet manipulation operations.

In the following example, traffic is distributed to monitoring tools based on the decapsulated contents, specifically after header stripping VXLAN:

Identifying and forwarding traffic from/to IP 1.1.1.1 in the decapsulated packets to the monitoring tool connected to tool port 1/1/x1
Identifying and forwarding traffic from/to IP 1.1.1.2 in the decapsulated packets to the monitoring tool connected to tool port 1/1/x4

Note: This can be applied to any protocol that is supported through header stripping, for example GTP, VXLAN, ISL, MPLS, MPLS+VLAN, VLAN, VN-Tag and FabricPath. It is also supported for Gigamon tunnel decapsulation.

1. Configure ports.
2. Configure a GigaSMART group and associate it with a GigaSMART engine port.
3. Configure the GigaSMART operation.
4. Create a virtual port and associate it with the GigaSMART group.
5. Create a first level map to forward VXLAN traffic to the virtual port. VXLAN accepts destination UDP ports 8472 and 4789. Starting in software version 4.5.01, VXLAN also accepts destination UDP port 48879.
6. Create a second level map to filter on source and destination IP (bi-directional) for 1.1.1.1 and send it to tool port 1/1/x1.
7. Create another second level map to filter on source and destination IP (bi-directional) for 1.1.1.2 and send it to tool port 1/1/x4.
Conditional Header Stripping

Another use case that leverages the flexibility of APF is stripping headers from packets based on specific contents found anywhere in the packet, including the inner packet contents. Since the APF rules are enforced before any other GigaSMART operation, operators can filter on encapsulation protocol values and/or on the encapsulated (original) packet contents and apply header stripping conditionally.

The following example shows how to filter and strip the outer VXLAN headers for a subset of the traffic, selected by inner IP address, while sending the rest of the traffic "as-is" to monitoring tools that need the VXLAN headers for their analysis:

Identifying and forwarding traffic from/to IP 1.1.1.1 in the inner (encapsulated) packets to the monitoring tool connected to tool port 1/1/x1 after stripping the VXLAN header.
Identifying and forwarding traffic from/to IP 1.1.1.2 in the inner (encapsulated) packets to the monitoring tool connected to tool port 1/1/x4 without stripping the VXLAN header.

Note: This can be applied to any GigaSMART operation. While this example filters on inner packet contents, conditional GigaSMART operations can equally be driven by filtering on the encapsulation headers.

Note: This can be applied to any protocol that is supported through header stripping. GTP, VXLAN, ISL, MPLS, MPLS+VLAN, VLAN, VN-Tag and FabricPath are all supported, as is Gigamon tunnel decapsulation.

1. Configure ports.
2. Configure a GigaSMART group and associate it with a GigaSMART engine port.
3. Configure the GigaSMART operations (one that strips the VXLAN header and one that does not).
4. Create a virtual port and associate it with the GigaSMART group.
5. Create a first level map to forward VXLAN traffic to the virtual port.
6. Create a second level map to filter on source and destination IP (bi-directional) for 1.1.1.1, using the first GigaSMART operation (with VXLAN header stripping), and send it to tool port 1/1/x1.
7. Create another second level map to filter on source and destination IP (bi-directional) for 1.1.1.2, using the second GigaSMART operation (no header stripping), and send it to tool port 1/1/x4.
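A toy model of the MPLS label-stack example and of the two VXLAN examples above (APF after header stripping, and conditional stripping), added as an illustration; it is not Gigamon code. Labels, inner addresses and tool ports come from the examples; the outer VTEP addresses 192.0.2.1/192.0.2.2, the VNI and the frames are constructed, and returning the decapsulated inner frame stands in for the strip-VXLAN GigaSMART operation.

```python
"""Added example, not Gigamon code: MPLS label position filtering and
conditional VXLAN decapsulation keyed on the inner IP address."""
import ipaddress
import struct

ETH_VLAN, ETH_MPLS, ETH_IPV4, VXLAN_PORT = 0x8100, 0x8847, 0x0800, 4789


def mpls_stack(frame):
    """Return [(position, label), ...] with position 1 = outermost; [] if not MPLS."""
    off = 14
    etype = struct.unpack_from("!H", frame, 12)[0]
    while etype == ETH_VLAN:                  # skip 802.1Q tags in front of the stack
        etype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if etype != ETH_MPLS:
        return []
    stack = []
    while True:                               # entry = label(20) | TC(3) | S(1) | TTL(8)
        entry = struct.unpack_from("!I", frame, off)[0]
        off += 4
        stack.append((len(stack) + 1, entry >> 12))
        if entry & 0x100:                     # S bit set: bottom of stack
            return stack


def mpls_label_at(frame, pos):
    return dict(mpls_stack(frame)).get(pos)


def mpls_steer(frame):
    """Two second-level maps: label 4 at position 2 -> tool 1, label 3 at position 1 -> tool 2."""
    if mpls_label_at(frame, 2) == 4:
        return "tool1"
    if mpls_label_at(frame, 1) == 3:
        return "tool2"
    return None


def vxlan_inner_frame(frame):
    """The encapsulated Ethernet frame if `frame` is untagged IPv4/UDP(4789)/VXLAN, else None."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4 or frame[23] != 17:
        return None
    off = 14 + (frame[14] & 0x0F) * 4
    if struct.unpack_from("!HH", frame, off)[1] != VXLAN_PORT:
        return None
    return frame[off + 16:]                   # 8-byte UDP header + 8-byte VXLAN header


def inner_ips(frame):
    """(src, dst) of the IPv4 header in an untagged Ethernet frame, or None."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    return (str(ipaddress.IPv4Address(frame[26:30])), str(ipaddress.IPv4Address(frame[30:34])))


def conditional_strip(frame):
    """Conditional header stripping.  The map for inner IP 1.1.1.1 uses a strip-VXLAN gsop and
    delivers the original frame to 1/1/x1; the map for 1.1.1.2 forwards the frame untouched to
    1/1/x4.  Returns (tool port, frame as delivered), or None if no map matched."""
    inner = vxlan_inner_frame(frame)
    ips = inner_ips(inner) if inner is not None else None
    if ips is None:
        return None
    if "1.1.1.1" in ips:
        return ("1/1/x1", inner)
    if "1.1.1.2" in ips:
        return ("1/1/x4", frame)
    return None


# Constructed frames for the examples.
def _eth(etype, payload):
    return b"\x00" * 12 + struct.pack("!H", etype) + payload


def _ip4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload


def mpls_frame(labels, payload=b""):
    last = len(labels) - 1
    stack = b"".join(struct.pack("!I", (lbl << 12) | (0x100 if i == last else 0) | 64)
                     for i, lbl in enumerate(labels))
    return _eth(ETH_MPLS, stack + payload)


def vxlan_frame(vni, inner_src, inner_dst):
    inner = _eth(ETH_IPV4, _ip4(inner_src, inner_dst, 6, b""))
    vxlan = struct.pack("!BBHI", 0x08, 0, 0, vni << 8)   # I flag set, VNI in the top 24 bits
    udp = struct.pack("!HHHH", 50000, VXLAN_PORT, 16 + len(inner), 0) + vxlan + inner
    return _eth(ETH_IPV4, _ip4("192.0.2.1", "192.0.2.2", 17, udp))
```

Position counts from the outside in, so label 4 at position 2 is the second entry of the stack, and the S bit terminates the walk; a production filter should also cap the depth (the page's limit is 5 levels) so a malformed stack with no S bit cannot run the parser off the end of the frame. conditional_strip returns exactly what each tool would see: the original inner frame for 1.1.1.1 and the full VXLAN frame for 1.1.1.2.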
Facilitate Overlapping Rules

Because APF is implemented as a second level map operation, it can also be used to implement basic overlapping rules. For the same incoming stream, a copy of the traffic can be sent to one group of monitoring tools while a refined subset of the stream is sent to a different set of monitoring tools. Typically, overlapping rules are implemented by combining APF with the patented Flow Mapping® technology.

Note that Role-Based Access Control for APF is applied at the GigaSMART group (gsgroup) / engine port level.

In the following example, for the same input stream:

HTTP traffic is identified and distributed to a monitoring tool connected to tool port 1/1/x1.
At the same time, the same stream of HTTP packets is sent, after slicing off unwanted packet contents, to a different monitoring tool connected to tool port 1/1/x4.

1. Configure ports.
2. Configure a GigaSMART group and associate it with a GigaSMART engine port.
3. Configure the GigaSMART operations.
4. Create a virtual port and associate it with the GigaSMART group.
5. Create a first level map to forward traffic to the virtual port. Traffic with destination port 80 (HTTP) is sent to both tool port 1/1/x1 and virtual port vp1.
6. Create a second level map to filter on HTTP traffic, slice it, and send it to tool port 1/1/x4.
7. Create another second level map for the rest of the traffic.

In the following example, for the same traffic stream, all TCP traffic is sent to one monitoring tool while the subset of TCP flows that is HTTP is forwarded to another monitoring tool connected to tool port 1/1/x4.

1. Configure ports.
2. Configure a GigaSMART group and associate it with a GigaSMART engine port.
3. Configure the GigaSMART operations.
4. Create a virtual port and associate it with the GigaSMART group.
5. Create a first level map to forward TCP traffic to the virtual port.
6. Create a second level map to filter on HTTP traffic.