Managing DMF Policies

This chapter describes how to configure and work with policies in the DANZ Monitoring Fabric (DMF).

Overview

A policy selects the traffic to be copied from a production network to one or more tools for analysis. To define a policy, identify the traffic source(s) (filter interfaces), the match rules to select the type of traffic, and the destination tool(s) (delivery interfaces). The DANZ Monitoring Fabric (DMF) Controller automatically forwards the selected traffic based on the fabric topology. Define match rules to select interesting traffic for forwarding to the tools connected to the specified delivery interfaces. Users can also send traffic to be processed by a managed service, such as time stamping, slicing, or deduplication, on a DMF service node. Forward the output from the service node to the appropriate tool for analysis.

While policies can be simple, they can also be more complicated when optimizing hardware resources, such as switching TCAM space. Also, DMF provides different switching modes to optimize policies based on use cases and switch capabilities. Arista Networks recommends planning the switching mode before configuring policies in a production deployment.

For further information, refer to the chapter Advanced Policy Configuration.

DMF Policies Page

Overview

While retaining all information from the previous version, the new policy page features a new layout and design and offers additional functionality for easier viewing, monitoring, and troubleshooting of policies.

Figure 1. DMF Policies

Header Action Items

  • Refresh Button

Figure 2. Refresh Button

The page refreshes every 60 seconds automatically. Click the Refresh button to manually refresh the page.

  • Create Policy Button

Figure 3. Create Policy Button

Click the + Create Policy button to open the policy creation page.

  • Clear Stats Button

Figure 4. Clear Stats Button

Click the Clear Stats button to clear the runtime statistics of all DMF interfaces.

Quick Filters

  • Show Quick Filters Button

Figure 5. Show Quick Filters

By default, the feature is toggled on and displays four quick filter options. When toggled off, the four quick filters are no longer displayed.

Figure 6. Four Filter Options

Four quick filter cards display the policy counts that meet the filter criteria and the filter name. The quick filter cards support multi-select.

  • Radio Buttons

Figure 7. Table View / Interface View

Switch page views between Table View and Interface View. Refer to the Table View and Interface View sections below for more information.

Table View

The table view is the default landing view of the Policies Page.

The page displays an empty table with the Create Policy button when no configured policies exist.

Figure 8. DMF Policies

Conversely, when configured policies exist, the table view displays the list of policies.

Figure 9. List of Policies

Action Buttons

Several buttons in the policy table provide quick access to corresponding functionality. These are:

Figure 10. Action Buttons

Delete Button

  • Disabled by default (when no policies are selected).

  • Enabled when one or more policies are selected.

  • Used to delete selected policies.

Edit Button

  • Disabled by default (when no policies are selected).

  • Enabled only when a policy is selected.

  • Navigates to the editing workflow (the new policy edit workflow).

Duplicate Button

  • Disabled by default (when no policy is selected).

  • Enabled only when one policy is selected.

  • Navigates to the create policy workflow (the new policy create workflow) with an empty name input field while retaining the same settings as the selected policy.

Table View Filters

Figure 11. Filter Views

Click the Filter button to open the filter menu.

Policy Filter(s)

  • There are four quick policy filters. The first three filters overlap with the quick filters; thus, enabling or disabling them will trigger changes to the quick filter button.

DMF Interface Name(s)

  • Filters policies by the DMF interfaces selected from the drop-down list.

  • Searchable

  • Allows multiple selections applying OR logic.

Policies Table

Figure 12. Policy Table

The Policy table displays all policies; each column shows the number of interfaces and services corresponding to that policy.

Figure 13. Search

Table Search

The Policy table supports search functionality. Click the magnifying glass icon in the last column to activate the search input fields and search the results by the context of each column.

Figure 14. Table Search
Figure 15. Expand Icon

Expand Policy + Icon

Hidden for an unconfigured policy. Click the expand + icon to view the policy's interfaces and services information.

Figure 16. Expanded View Example
Figure 17. Expand Group

Interfaces Group Expand + Icon

For policies configured with an interface group, a group expand + icon displays by default. Click the group expand + icon to view detailed information on the interfaces belonging to that group.

Figure 18. Filter Interface Details

Policy Name Tooltip

Hovering over policy names displays the tooltips for the policy, including Configuration / Runtime / Details state.

Figure 19. Tooltip

Policy Error Icon

Figure 20. Policy Error Icon

Policies with errors will display this icon after the policy name.

Figure 21. Error with Policy Name

Clicking the error icon will display an error window with detailed information.

Figure 22. Detailed Error Information

Checkbox

Figure 23. Checkbox

Disabled for unconfigured policies. Use the checkbox to select a policy, then use the applicable action buttons (described above) as required.

Table Interaction

  • All columns support sorting.

  • Clicking on a policy name opens the policy table split view. The table on the left displays the policy names. The table on the right provides two tabs showing Configuration and Operational Details.

  • Select a policy name from the Policy Name list to view its configuration or operational details in the split view.

  • Use the icon to view the information in full-screen mode or the X icon to close the split view and return to the table view.
Figure 24. DMF Policies

Configuration Details

Access the Configuration Details tab by selecting a policy in either Table View or Interface View. This tab displays all of the configured settings for the selected policy.

The top row of the Configuration Details tab displays the selected policy name and an Edit and Delete button. The Edit button opens the Edit Policy configuration page with policy information prefilled, and the Delete button opens a confirmation dialog window before deleting a policy. The default Table View opens after deleting a policy.

Figure 25. Configuration Details

The second component of the Configuration Details is the Quick Facts box. This component displays the Description, Action, Push VLAN, Priority, Active, Scheduling Start Time, Policy Run Duration, PTP Timestamping, and Root Switch values.

  • Description: An info icon shows the entire description in a tooltip.

  • Action: Forward, Drop, Capture, or None.

  • Active: Policy active status, Yes or No.

  • Scheduling Start Time: Either Automatic or the date and time the policy is scheduled to start, in the current time zone configured on DMF. When DateTime is set to Now during policy creation, the creation time becomes the scheduling start time.

    • Automatic: The policy always runs; there is no expiration.

    • Now: The policy starts immediately. A run duration or packet limit, if set, applies; otherwise the policy runs from now with no expiration.

      Figure 26. Start Time

  • Run Policy: The duration the policy should run. The default value is Always. Set a time limit (e.g., 4 hours) or a packet limit (e.g., 1,000 packets). The tooltip explains that the policy stops running when it reaches either limit.

The third component is the Rules Table, which displays all Match Traffic rules configured for the policy. The default value is Allow All Traffic. Optionally, configure Deny All Traffic.

Figure 27. Allow All Traffic
Figure 28. Deny All Traffic

When configuring custom rules, the Rules Table is displayed. The table is horizontally scrollable, and each column is searchable and sortable. The Edit Policy feature provides rule management, including Edit, Add, and Delete functionality.

Figure 29. Rules Table

The next component is the Interface Info Columns.

Figure 30. Information Columns

There are three primary columns: Traffic Sources, Services, and Destination Tools.

  • The Traffic Sources column includes Filter Interfaces, vCenters, and CloudVision Portal associated with the policy.

  • The Services column includes Managed Services and Services associated with the policy.

  • The Destination Tools column includes Delivery interfaces and RN Fabric Interfaces associated with the policy.

These columns display the DMF Interface name in the interface card, and the name includes a link to the Interfaces page. The switch name and physical interface name appear in this format: SWITCH-NAME / INTERFACE-NAME under the DMF interface name. The bit rate and packet rate operational state data appear for each interface. Each column is only displayed if the policy has one or more interfaces of that type.

Figure 31. Traffic Sources

The Services column renders for all policies that have at least one service. The service name appears on each card and links to either the Services or Managed Services page. Under the service name, the service type (Managed Service or Service) appears; if the service has a backup service, the backup name also appears.

Figure 32. Managed Service

There is a special case for policies that have CloudVision port mirroring sessions. To differentiate the CloudVision source interfaces from the auto-generated DMF filter interfaces, DMF creates two columns: CloudVision and Filter Interfaces.

The cards in the CloudVision column show the connected CloudVision portal and the number of port mirroring sessions for each device in the CloudVision portal. Filter Interfaces and vCenters are now in the Filter Interfaces column. There are no differences between the Services and Destination Tools columns.

The last component only displays for policies with CloudVision port mirroring sessions.

Figure 33. Port Mirroring Sessions

The Port Mirroring Session Entries table shows all configured Port Mirroring Sessions for a CloudVision portal. The Device, Source Interface, Monitor Type, Tunnel Source, Tunnel Endpoint, SPAN Interface, and Direction columns display the same values configured in the Port Mirroring Table in the Add Traffic Sources component in the Create Policy flow. Each column is sortable.

For more information on the configuration flow for CloudVision port mirroring, please refer to the documentation in the Create Policy section.

Operational Details

Clicking on the Operational Details Tab navigates to the Operational Details view.

Figure 34. Operational Details
Figure 35. Action Buttons

  • Edit: Clicking the Edit button opens the Editing Policy window for making changes to the policy.

  • Delete: Clicking the Delete button deletes the policy.

  • Edit Layout: Clicking the Edit Layout button opens the editing layout window. Move the widgets by dragging the components in order of user preference. Click the Save button to save the changes. DMF preserves the order of the widgets when the same user logs back in.

Figure 36. Edit Layout

Widgets

Status / Information

Status and information include basic operational information about the policy.

Figure 37. Operational Information

Installed Duration

Hover over the info icon to see the installed time in the UTC time zone.

Figure 38. Install Time

Top Filter and Delivery Interfaces by Traffic

Figure 39. Top Filter and Delivery Interfaces by Traffic
Figure 40. Select Metric

Click the Metric Drop-down menu and choose the metrics to display in the chart. Only the selected metrics appear in the Badge, Labels, and Bar Chart.

  • Badge: Colored dots and text indicate the content represented by the different bars in the bar chart.

  • Interface Name: Hover over the interface name to see the full name in a tooltip.

    Figure 41. Labels

  • Labels: Display the number and unit corresponding to the bar.

  • Bar Chart: Displays the numerical value of traffic.

  • Empty State:
    • Displays the title, the last updated time, and a disabled metric drop-down.
    • The Edit Policy button opens the edit policy window.

Top Core Interfaces by Traffic

Figure 42. Top Core Interfaces by Traffic

The Top Core Interfaces by Traffic chart is similar to the Top Filter and Delivery Interfaces by Traffic chart: it has the same Metric drop-down, Badge, Interface Name, Labels, and Bar Chart, with similar functionality.

Errors & Dropped Packets

Figure 43. Errors

The Errors chart is similar to the Top Filter and Delivery Interfaces by Traffic chart: it has the same Metric drop-down, Badge, Interface Name, Labels, and Bar Chart, with similar functionality. Hovering over a bar displays all error counts and rate information.

Figure 44. Packets Dropped

The Dropped Packets chart is similar to the Top Filter and Delivery Interfaces by Traffic chart: it has the same Badge, Interface Name, Labels, and Bar Chart, with similar functionality. Hovering over a bar displays all dropped packet counts and rate information.

Optimized Matches

Displays optimized match rules.

Figure 45. Optimized Matches

Interface View

As a new feature of the DMF Policies page, the Interface View offers an alternative way to view policies, allowing an intuitive visualization of all policy-related interfaces.

Figure 46. Interface View

Policies Column

Figure 47. Policies Column
  • A Policies header displaying the policy count: the total count when no filters are applied, or the filtered policy count in the format x Associated.
  • The drop-down menu enables data sorting using multiple attributes.
  • The Delete button deletes the selected policies.
  • The Edit button opens the selected policy in edit mode.
  • The Filter drop-down is similar to the table view filters but without an interface filtering option.
    Figure 48. Filter
  • A list of policies with quick facts and user interactions.
  • The checkbox enables policy selection for deletion and editing.
  • Badges with different colors indicate policy run time status.
  • Policy name with tooltip on hover displaying configuration, runtime, and detailed status.
  • Current traffic, displayed in bps.
  • Clicking the View Information button highlights the policy:
    • Shows only the interfaces associated with the selected policy in the DMF Interfaces tab.
    • Enables the Configuration Details and Operational Details tabs.
  • Clicking on an active policy card deselects the previously selected policy:
    • De-emphasizes the policy and resets card styles and tab accessibility.
    • Reveals all the interfaces in DMF Interfaces.
    • Interface card highlights in the DMF Interfaces tab can co-exist, leading to a more granular search.

DMF Interfaces

Figure 49. DMF Interfaces
  • Active tab by default
  • Header Row
    • Stat selector: Choose between Utilization, Bit Rate, and Packet Rate to display in the subsequent interface info cards.
    • Sorter selector: Choose between Utilization and interface name to sort the interfaces in ascending or descending order.
    • Filter drop-down:
      • Utilization range filter
      • Switch name selector
      • DMF interface name selector
  • Interface Column
    • Header: Specifies interface category and count, showing X Associated when filters apply and X Total otherwise.
    • Interface Information Card
      • Interface name
      • Stat
        • Utilization
        • Bit Rate
        • Packet Rate
      • Text: Display detailed information about the selected stat of the current interface.

Interaction

  • Selecting one policy card:

    The selected policy card highlights and filters the interfaces to only those configured in the policy, hiding interfaces not configured in the selected policy.

Figure 50. Policy Card
  • Selecting one interface card:

    The selected interface card highlights and filters the policies to only those that use the interface, hiding interfaces not configured in those filtered policies.

Figure 51. Single Interface Card
  • Selecting multiple interface cards (any columns):

    The selected interface cards highlight and filter the policies to only those configured on the selected interfaces, hiding interfaces not configured in those filtered policies.

Figure 52. Multiple Interface Cards

Highlighted policy and interface cards can co-exist, leading to a more granular search.

Figure 53. Policy and Interface Cards

Configuration Details

The GUI is similar to Table View > Configuration Details. Refer to the Configuration Details section.

Operational Details

The GUI is similar to Table View > Operational Details. Refer to the Operational Details section.

Policy Elements

Each policy includes the following configuration elements:
  • Filter interfaces: these identify the ingress ports whose traffic is analyzed by this policy. Choose individual filter interfaces or one or more filter interface groups. A Select All Filter Interfaces option, intended for small-scale deployments, is also available.
  • Delivery interfaces: these identify the egress ports that deliver the traffic selected by this policy to tools. Choose individual delivery interfaces or one or more delivery interface groups. Like filter interfaces, a Select All Delivery Interfaces option is available for small deployments.
  • Action: identifies the policy action applied to the inbound traffic. The following actions are available:
    • Forward: forwards traffic matched at the filter ports to the delivery ports defined in the policy. Select at least one filter interface and at least one delivery interface.
    • Drop: drops matched traffic at the filter ports. A policy with a drop action is often combined with another, lower-priority policy that forwards all traffic except the dropped traffic to tools. Use Drop to measure the bandwidth of matching traffic without forwarding it to a tool. Select at least one filter interface.
    • Capture: sends the selected traffic to a physical interface on the Controller to be saved in a PCAP file. This option works only on a hardware Controller appliance, and at least one filter interface must be selected. A policy with a capture action can only run for a short period. For continuous packet capture, use the DANZ Monitoring Fabric (DMF) recorder node. Refer to the chapter Using the DMF Recorder Node for details.
    Note: The policy will not be installed if an action is not selected.
  • Match rules: used to select traffic. The selected traffic is treated according to the action, the most common being Forward, i.e., forward matched traffic to the delivery interfaces. If no match rule is specified or the match rule is Deny All Traffic, the policy is not installed. One policy can specify multiple match rules, each differentiated by its rule number.
    Note: The rule numbers do not define the order in which the rules are installed or processed; the numbering only allows a user to list them in order.
  • Managed services (optional): identify additional operations to perform, such as packet slicing, time stamping, packet deduplication, or packet obfuscation, before sending the traffic to the selected delivery interfaces.
  • Status (optional): enables or disables the policy using the active or inactive sub-command from the config-policy sub-mode. By default, a policy is active when initially configured.
  • Priority (optional): unless a user specifies otherwise, all policies have a priority of 100. When filter (ingress) ports are shared across policies, the policy with the higher priority gets access to matching traffic first; traffic not matched by the higher-priority policies is then processed according to the lower-priority policies. Overlapping policies are also not created when two policies have different priorities defined.
  • Push VLAN (optional): when a user configures the Auto VLAN Mode as push-per-policy (i.e., Push Unique VLAN on Policies), every policy configured on DMF gets a unique VLAN ID. Typically, this VLAN ID is in the range 1-4094 and auto-increments by 1. To give a specific policy a specific VLAN ID, first define a smaller VLAN range using the auto-vlan-range command and then pick a VLAN outside that range to attach to the policy. Attach the VLAN to the policy in the CLI using the push-vlan command, or in the GUI by selecting Push VLAN from the Advanced Options drop-down and specifying the VLAN ID.
  • Root switch (optional): when a core switch (or core link) goes down, existing policies using that switch are rerouted through other core switches. When that switch comes back, the policy does not move back, which in some cases causes traffic overload. One way to overcome this problem is to specify a root switch in each policy. The policy is rerouted through other switches when the root switch goes down, and when the root switch comes back, DMF reroutes the policy through the root switch again.

Policies can include multiple filter and delivery interfaces, and services are optional. Traffic that matches the rules in any policy associated with a filter interface forwards to all the delivery interfaces defined in the policy.

Except for a capture action policy, a policy runs indefinitely once activated. Optionally, schedule the policy by specifying a start time and the period for which it should run, and/or specify the number of packets the tool should receive, after which the policy automatically deactivates.
Note:
  1. Create and configure all interfaces and service definitions before creating a policy that uses them.
  2. Use only existing interfaces and service definitions when creating a policy. When creating a policy with interfaces or service definitions that do not exist, the policy may enter an inconsistent state.
  3. If this happens, delete the policy, create the interfaces and service definitions, and then recreate the policy.
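The following Python model is an added illustration, not part of the DMF documentation and not Arista's code. It encodes the policy elements and install rules listed above so a policy set can be sanity-checked before it is configured: an action is required, a missing match rule or Deny All Traffic means the policy is not installed, Forward needs a delivery interface, Capture needs a hardware Controller, the default priority is 100, the higher-priority policy on a shared filter interface gets matching traffic first, and a Run Time stops the policy at whichever limit (duration or packet count) is reached first. The two match fields (IP protocol and destination port), the rule that a policy matches when any of its rules matches, and all interface and policy names are assumptions constructed for the example.

```python
"""Constructed model of the DMF policy semantics described in Policy Elements.

Added illustration only: this is not Arista DMF code and does not talk to a
Controller. It models the stated install rules and priority handling so that
a policy set can be checked offline.
"""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_PRIORITY = 100  # stated default when the user specifies no priority


@dataclass
class MatchRule:
    """One match rule. Fields are constructed for the example; None = wildcard."""
    number: int                      # rule number: for listing only, not processing order
    ip_proto: Optional[str] = None   # e.g. "tcp" or "udp"
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.ip_proto is not None and pkt.get("proto") != self.ip_proto:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


@dataclass
class Policy:
    name: str
    action: Optional[str]                 # "forward", "drop", "capture" or None
    filter_interfaces: set
    delivery_interfaces: set = field(default_factory=set)
    rules: list = field(default_factory=list)   # empty list == "Deny All Traffic"
    priority: int = DEFAULT_PRIORITY
    active: bool = True                   # Status element: active by default


def install_errors(p: Policy, hardware_controller: bool = True) -> list:
    """Return the reasons, as stated in Policy Elements, why a policy would not install."""
    errs = []
    if p.action not in ("forward", "drop", "capture"):
        errs.append("no action selected")
    if not p.rules:
        errs.append("no match rule (Deny All Traffic)")
    if not p.filter_interfaces:
        errs.append("at least one filter interface required")
    if p.action == "forward" and not p.delivery_interfaces:
        errs.append("forward requires at least one delivery interface")
    if p.action == "capture" and not hardware_controller:
        errs.append("capture requires a hardware Controller appliance")
    return errs


def classify(pkt: dict, ingress: str, policies: list) -> Optional[Policy]:
    """Pick the policy that handles a packet arriving on a shared filter interface.

    Higher-priority policies see matching traffic first; traffic they do not
    match falls through to lower-priority policies. Inactive policies and
    policies that would not install are skipped. Assumption: a policy matches
    when any of its rules matches; equal-priority overlap is not modelled.
    """
    candidates = [p for p in policies
                  if p.active and ingress in p.filter_interfaces and not install_errors(p)]
    for p in sorted(candidates, key=lambda q: q.priority, reverse=True):
        if any(r.matches(pkt) for r in p.rules):
            return p
    return None


def should_stop(elapsed_s: float, packets_delivered: int,
                duration_s: Optional[float] = None,
                packet_limit: Optional[int] = None) -> bool:
    """Run Time semantics: Always (no limits) never stops; otherwise stop at either limit."""
    return ((duration_s is not None and elapsed_s >= duration_s)
            or (packet_limit is not None and packets_delivered >= packet_limit))


# Constructed sample policy set sharing filter interface "f1".
DROP_SSH = Policy("drop-ssh", "drop", {"f1"}, rules=[MatchRule(1, "tcp", 22)], priority=200)
TO_TOOL = Policy("all-to-tool", "forward", {"f1"}, {"d1"}, rules=[MatchRule(1)])  # Allow All
BROKEN = Policy("no-action", None, {"f1"}, rules=[MatchRule(1)], priority=300)     # never installs
POLICIES = [BROKEN, DROP_SSH, TO_TOOL]

if __name__ == "__main__":
    for p in POLICIES:
        print(p.name, "install errors:", install_errors(p) or "none")
    for pkt in ({"proto": "tcp", "dport": 22}, {"proto": "udp", "dport": 53}):
        hit = classify(pkt, "f1", POLICIES)
        print(pkt, "->", hit.name if hit else "no policy")
```

Running the module shows the SSH packet taken by the higher-priority drop policy while DNS falls through to the forwarding policy, and the action-less policy reported as not installable despite its higher priority.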

Configuring a Policy

Configure a Policy Using the GUI

DANZ Monitoring Fabric (DMF) 8.5 introduces a newly designed Create Policy configuration workflow, replacing the former workflow page.

There are two entry points for creating a policy: the Create Policy button always displayed in the top-right corner of the DMF Policies page, and the Create Policy button that appears in the central panel of the same page when no configured policies exist.

Figure 54. DMF Policies

Clicking the Create Policy button opens the new Policy Creation configuration page, which supports moving, minimizing, expanding, collapsing, and closing the window using the respective icons in the menu bar.

Figure 55. Create Policy
Figure 56. UI Controls

Move: Click (and hold) any part of the title section of the window or the icon to drag and reposition as required. Moving the window in full-size mode is not possible.

Expand: Click the icon to enlarge the window.

Minimize: Click the icon to minimize the window and the icon to return to the standard view.

Proceed to the following sections to create and manage policies.

Create a New Policy

To create a new Policy, complete the required fields in the Policy Details section and configure settings under the Port Selection tab (optional) and the Match Traffic tab (optional). Please refer to the Policy Details, Port Selection Tab, and Match Traffic Tab sections for more detailed information on configuring settings.

Once configured, click the Create Policy button on the bottom-right corner to save the changes and finish the policy creation.

Figure 57. Create Policy

Policy Details

Figure 58. Policy Details

Enter the primary information for the policy:

  • Policy Name (must be unique)
  • Description
  • Policy Action: Capture, Drop, Forward (default)
    Note: The Destination Tools column is not available when Drop and Capture actions are selected.
  • Push VLAN
  • Priority: By default, set to 100 if no value is specified.
  • Active: By default, set to enabled.
  • Advanced Options: By default, disabled.

When Advanced Options is enabled, the following configuration settings are available:

Figure 59. Advanced Options
  • Scheduling: There are four options:
    • Automatic: The policy runs indefinitely.
    • Now: The policy starts running immediately; use Run Time to determine when the policy should stop.
    • Set Time: Set a specific date and time to start the policy.
      Figure 60. Scheduling
    • Set Delay: Start the policy using relative time options.
      Figure 61. Set Delay
  • Run Time: There are two options:
    • Always: (default).
    • For Duration: Selecting For Duration allows using Time Input to set the time number and the Unit selector to set the time unit. Select the checkbox to use Packet Input and enter the required packet number (1000, by default).
      Figure 62. Run Time
  • PTP Timestamping: Disabled by default.
  • Root Switch: By default, set to a locked state. Click the lock icon to unlock and select a root switch.

Additional Controls

Figure 63. Collapse
Figure 64. Show
  • Collapse and Show: Visually hide or unhide the basic policy configurations to manage the view of the other configuration fields.

Traffic Sources

The Traffic Sources column displays the associated traffic sources in the policy.

Figure 65. Traffic Sources
To add sources, click the Add Port(s) button. The page allows adding Filter Interfaces and Groups, vCenters, or CloudVision Portals.

Note: The left column has three groups. Select the corresponding type of traffic source to view the available selections. After making all desired selections, confirm them using the Add N Sources button.

Figure 66. Add Sources

Interfaces can be searched by the available information in the interface tiles using the search bar. Clicking the icon reveals sorting and filtering options using Display Data, which includes:

  • Sort - By default, DMF sorts the data in descending Bit Rate order. Optionally, sort the data by ascending Bit Rate order or alphabetically.
  • Bit Rate (default), Utilization percentage, or Packet Rate
  • Switch Name
  • Interface Name(s)

Figure 67. Traffic Sources Display Data

DMF sorts vCenters and CloudVision Portals alphabetically (A-Z, by default).

Figure 68. Sort Traffic Sources

If a Filter Interface has not been created yet, the Create button offers two selections: create Filter Interfaces or Filter Interface Groups.

Figure 69. Filter Interfaces / Filter Interface Groups

Clicking the Create Filter Interface button opens a form to configure a Filter Interface. Enter the required settings to configure the new Filter Interface.

Figure 70. Configure Filter Interface

Alternatively, the left column allows the selection of an existing connected device to pre-populate the Switch Name and Interface Name fields and to configure a Filter Interface based on a connected device. Click the Create and Select button to create the Filter Interface and associate it with the current policy.

Figure 71. Associate Filter Interface

To create multiple Filter Interface(s), click the Create another button to create an interface using the current configuration. This action clears the form to allow the creation of an additional Filter Interface.

Figure 72. Add Multiple Filter Interfaces
Note: The Select (n) interface button associates all created Filter Interfaces to the current policy.

Click the Create Filter Interface Group button to create a group of filter interfaces.

Figure 73. Create Filter Interface Group

Select one or more filter interfaces to create a Filter Interface Group.

Figure 74. Add Filter Interfaces

Click the Create Group button to create the Filter Interface Group and associate the group with the current policy.

Figure 75. Create Group

Expand the group tile to view interfaces within an Interface Group.

Figure 76. Expand Details
Note: Clicking the x icon on the top right of each tile disassociates the Filter Interface from the current policy. Clicking the Undo button restores the association.

Figure 77. Disassociate Filter Interface

CloudVision Portals

The Create Policy window lists CloudVision Portals connected to DMF and includes the CloudVision Portal name, the portal hostname, and the current software version. Select a card to add a CloudVision Port Mirroring Table. The card displays similar information and the default Tunnel Endpoint.

Figure 78. CloudVision Portals

An empty port mirroring table is initialized; add rows to it to configure port mirroring sessions.

Use the following guidelines to configure a port mirroring session:

  • Each row must contain a Device and Source Interface. This interface in the CloudVision production network will mirror traffic to DMF.
  • Each interface must select a Monitor Type: GRE Tunnel or SPAN.
    Note: SPAN requires a physical connection from the CloudVision Portal to DMF. The default value for Tunnel Endpoint is the CloudVision Portal’s Default Tunnel Endpoint.
  • Each device must have the same Tunnel Endpoint and Tunnel Source values across the policies. Each interface on a device must have an identical destination configuration (GRE Tunnel, GRE Tunnel Source, and SPAN Interface) across the policies.
  • The default traffic direction is Bidirectional but configurable to Ingress or Egress.
  • After configuring the Port Mirroring Table, click Add Sources to return to the Main Page of the Create Policy configuration page.
Figure 79. Edit Policy

After configuring Port Mirroring, the card appears in the Traffic Sources section. To edit the Port Mirroring Table, click the X Entries link.

Services

The Services column displays the Services and Managed Services associated with the policy. The Add Service(s) button opens a new page to specify additional services.

Figure 80. Services Add Services

View All Services and View All Managed Services open the DMF Services and Managed Services pages, respectively. The Add Service button opens a configuration panel to specify Service information. If there are Services associated with this policy, they will be listed and available to edit.

Figure 81. View All Services / View All Managed Services

For each Service, specify:

  • Service Type: Managed or Unmanaged.
  • Service: Name of the Service (required).
  • Optional: Whether the Service is optional.
  • Backup Service: Name of the backup Service.
  • Del. Service: If the Managed Service type is selected, whether to use it as a Delivery Service.

Click the Add Another button to populate a new row to add another Service. The Add (n) Services button associates the Services with the policy.

Figure 82. Add Another Service

After adding the services, they appear in the Services column. Click the x icon on the Service tile to disassociate the Service from the policy. While remaining on the page, if required, re-associate the Service by clicking Undo.

Figure 83. Service Added

Destination Tools

The Destination Tools column displays the Destination Tool ports associated with a given policy.

Figure 84. Destination Tools

To add additional destinations, click the Add Port(s) button. The configuration page allows adding Delivery Interfaces/Groups or Recorder Node Fabric Interfaces.

Note: The left column has two groups. Select the corresponding type of Destination Tools to see the available selections. After making the desired selections, confirm using the Add (n) Interfaces button.
Figure 85. Add Interfaces

Interfaces can be searched by the available information in the interface tiles using the search bar. Clicking the icon reveals sorting and filtering options using Display Data, which includes:

  • Sort: by default, DMF sorts the data in descending Bit Rate order. Optionally, sort the data by ascending Bit Rate order or alphabetically.
  • Bit Rate (default), Utilization percentage, or Packet Rate
  • Switch Name
  • Interface Name(s)

Figure 86. Filter Destination Tools

Sort Recorder Node Fabric Interfaces alphabetically (A-Z, by default) and filter by Bit Rate.

Figure 87. Sort Destination Tools

If the required Destination (Delivery Interface) does not yet exist, use the Create button, which has two selections: Delivery Interface and Delivery Interface Group.

Figure 88. Create Delivery Interfaces / Delivery Interface Groups

Clicking the Delivery Interface button opens a form to configure a Delivery Interface. Enter the required settings to configure the new Delivery Interface.

Figure 89. Configure Delivery Interface

Alternatively, the left column allows the selection of an existing connected device to pre-populate the Switch Name and Interface Name fields and to configure a Delivery Interface based on a connected device. Click the Create and Select button to create the Delivery Interface and associate it with the current policy.

Figure 90. Associate Delivery Interface

To create multiple Delivery Interface(s), click the Create another button to create an interface using the current configuration. This action clears the form to allow the creation of an additional Delivery Interface.

Figure 91. Multiple Delivery Interfaces

The Select (n) interface button associates all created Delivery Interfaces to the current policy.

Figure 92. Select Number of Interfaces & Associate

Click the Create Delivery Interface Group button to create a group of delivery interfaces.

Figure 93. Create Delivery Interface Group

Select one or more delivery interfaces to create a Delivery Interface Group.

Figure 94. Multiple Delivery Interfaces

Click the Create Group button to create the Delivery Interface Group and associate the group with the current policy.

Figure 95. Associate Delivery Interface Group

Expand the group tile to view interfaces within an Interface Group.

Figure 96. Expand Details

Stat Picker

Use the Stat: Packet Rate drop-down to select which data to view for the associated interfaces.

Figure 97. None

The data options are:

Utilization

Figure 98. Utilization

Bit Rate (default)

Figure 99. Bit Rate

Packet Rate

Figure 100. Packet Rate

Match Traffic and Match Traffic Rules

Match Traffic

Use the Match Traffic tab to configure rules for the current policy.

Figure 101. Match Traffic

There are four options to configure traffic rules.

Figure 102. Configuration Options

Select the Allow All Traffic or Deny All Traffic radio button to quickly configure a rule for all traffic.

Navigate to the Rule Details configuration panel using the Configure A Rule button. Refer to the Custom Rule, Match Rule Shortcut, and Match Rule Group sections for more information.

The Import Rules button opens the import rule configuration dialog and supports importing .txt files using drag and drop or Browse.

Example Text File

1 match ip
2 match tcp
3 match tcp src-port 80
4 match tcp dst-port 25

Figure 103. Import Rules

Click the Preview button to verify the import result.

Figure 104. Preview

While using the Preview Imported Rule table, click the Edit button to open the Edit Rule configuration panel.

Figure 105. Edit Rule

Click the Confirm button when finished, and use the Import x Rules button to import the rules.

Custom Rule

Click the Configure a Rule button to open the Configure A Traffic Rule screen.

Figure 106. Configure a Traffic rule

The default configuration method is Custom Rule, in which several fields are initially disabled; hover over the question mark icon to see how to enable an input field.

Figure 107. Help Icon

Selecting certain EtherTypes opens an Additional Configurations panel.

Figure 108. Additional Configurations

Click the drop-down icon to display additional configurations (Source, Destination, Offset Match). Hover over Offset Match to view the requirements for enabling it.

Figure 109. Offset Match

Match Rule Shortcut

To access the Match Rule Shortcut, click the drop-down button and select Match Rule Shortcut.

Figure 110. Match Rule Shortcut

Click the Select Rule Shortcut selector and choose the required shortcut rules (supports multi-selection).

Figure 111. Shortcut Rule List

After selecting the rule shortcut:

  • All selected rules appear as a card in the selector.
  • Delete selected rules using the x icons.
  • Click the Customize Shortcut button to edit a rule shortcut.

Figure 112. Edit Shortcut

After editing, click the Save Edit button to return to the Match Rule Shortcut view.

Figure 113. Save Edits

After configuring the shortcut rules, click the Add (n) Rules button to finish the configuration.

Match Rule Group

To access the Match Rule Group, click the drop-down button and select Match Rule Group.

Figure 114. Match Rule Group

To select a rule group, click the drop-down button under Rule Group. All rule groups appear in the menu. Select one. There is no multi-select available. Repeat the Match Rule Group steps to add more than one rule group.

Figure 115. Rule Group List

After configuring the rule group, click the Add Rule button to finish the configuration.

Figure 116. Add Rule

Rules Table

All configured rules appear in the Rules Table.

Figure 117. Rules Table
  • Import Rules
    Figure 118. Import Rules
    • Similar in function to the Import Rules button on the start page. Refer to Start Page -> Import Rules for more information.
  • Export Select Rules
    Figure 119. Export Select Rules
    • Disabled by default when no rule is selected.
    • Enabled when one or more than one rule is selected.
    • Click to export selected rules information as a .txt file.
  • Delete
    Figure 120. Delete
    • Disabled by default when no rule is selected.
    • Enabled when one or more than one rule is selected.
    • Click to delete the selected rules.
  • Create New Rule and Create Rule Group buttons
    Figure 121. Create New Rule / Create Rule Group
    • The button will appear as Create New Rule when no rule is selected. Click to open the Create New Rule screen.
    • When one or more rules are selected, the button changes to Create Rule Group. Click to open the Create Rule Group screen.
      Figure 122. Create Rule Group
      The Rule Group Name is required. Click Create Group to confirm the rule group creation.
  • Table Actions
    Figure 123. Edit / Delete
    • Click the Edit button to edit the rule view.
    • Click the Delete button to delete the rule.
  • Table Search
    Figure 124. Table Search
    • The Rules Table supports search. Click the magnifying glass icon to activate the search input fields and filter the results by the content of each column.
  • Checkbox
    Figure 125. Checkbox
    • Check the box to select a rule and use the function buttons described above.

  • Expandable Group Rules
    • Group Rules in the Rule Table display as the group's name with an expand button.
      Figure 126. Expand
    • Click the expand button to see the rules included in the group.
      Figure 127. Expanded Column

Configure a Policy Using the CLI

Before configuring a policy, define the filter interfaces for use in the policy.

To configure a policy, log in to the DANZ Monitoring Fabric (DMF) console or SSH to the IP address assigned and complete the following steps:

  1. From config mode, enter the policy command to name the policy and enter the config-policy submode, as in the following example:
    controller-1(config)# policy POLICY1
    controller-1(config-policy)#

    This example creates the policy POLICY1 and enters the config-policy submode.

  2. Configure one or more match rules to identify the aggregated traffic from the filter interfaces assigned to the policy, as in the following example.
    controller-1(config-policy)# 10 match full ether-type ip dst-ip 10.0.0.50 255.255.255.255
    This matching rule (10) selects IP traffic with a destination address 10.0.0.50.
  3. Assign one or more filter interfaces, which are monitoring fabric edge ports connected to production network TAP or SPAN ports and defined using the interface command from the config-switch-if submode.
    controller-1(config-policy)# filter-interface TAP-PORT-1
    Note: Define the filter interfaces used before configuring the policy.
    To include all monitoring fabric interfaces assigned the filter role, use the all keyword, as in the following example:
    controller-1(config-policy)# filter-interface all
  4. Assign one or more delivery interfaces, which are monitoring fabric edge ports connected to destination tools and defined using the interface command from the config-switch-if submode.
    controller-1(config-policy)# delivery-interface TOOL-PORT-1
    Define the delivery interfaces used in the policy before configuring the policy. To include all monitoring fabric interfaces assigned the delivery role, use the all keyword, as in the following example:
    controller-1(config-policy)# delivery-interface all
  5. Define the action to take on matching traffic, as in the following example:
    controller-1(config-policy)# action forward
    • The forward action activates the policy so matching traffic immediately starts being forwarded to the delivery ports identified in the policy. The other actions are capture and drop.
    • A policy is active when the configuration of the policy is complete, and a valid path exists through the network from a minimum of one of the filter ports to at least one of the delivery ports.
    • When inserting a service in the policy, the policy can only become active and begin forwarding when at least one delivery port is reachable from all the post-service ports defined within the service.
    To verify the operational state of the policy, enter the show policy command.
    controller-1# show policy GENERATE-IPFIX-NETWORK-TAP-1
    Policy Name : GENERATE-IPFIX-NETWORK-TAP-1
    Config Status : active - forward
    Runtime Status : installed
    Detailed Status : installed - installed to forward
    Priority : 100
    Overlap Priority : 0
    # of switches with filter interfaces : 1
    # of switches with delivery interfaces : 1
    # of switches with service interfaces : 0
    # of filter interfaces : 1
    # of delivery interfaces : 1
    # of core interfaces : 0
    # of services : 0
    # of pre service interfaces : 0
    # of post service interfaces : 0
    Push VLAN : 3
    Post Match Filter Traffic : -
    Total Delivery Rate : -
    Total Pre Service Rate : -
    Total Post Service Rate : -
    Overlapping Policies : none
    Component Policies : none
    ~ Match Rules ~
    # Rule
    -|-----------|
    1 1 match any
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Filter Interface(s) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    # DMF IF        Switch          IF Name    State Dir Packets   Bytes       Pkt Rate Bit Rate Counter Reset Time
    -|-------------|---------------|----------|-----|---|---------|-----------|--------|--------|------------------------------|
    1 TAP-TRAFFIC-2 FILTER-SWITCH-1 ethernet16 up    rx  182876967 69995305364 0        -        2022-10-31 23:13:10.177000 PDT
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Delivery Interface(s) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    # DMF IF        Switch          IF Name    State Dir Packets   Bytes       Pkt Rate Bit Rate Counter Reset Time
    -|-------------|---------------|----------|-----|---|---------|-----------|--------|--------|------------------------------|
    1 TAP-TRAFFIC-1 FILTER-SWITCH-1 ethernet15 up    tx  182876967 69995305364 0        -        2022-10-31 23:13:10.177000 PDT
    ~ Service Interface(s) ~
    None.
    ~ Core Interface(s) ~
    None.
    ~ Failed Path(s) ~
    None.
    controller-1#
Note: If two policies have the same filter and delivery interfaces and the same priority with similar match conditions, incorrect statistics can result for one or both policies. To alleviate this issue, either increase the priority or change the match conditions in one of the policies.

The Detailed Status field of the show policy output gives detailed information about the policy status. If a policy fails for any reason, the detailed status shows why it failed. One cause of policy failure is the TCAM reaching its total capacity; when this happens, the detailed status shows a message like Table ing_flow2 is full <switch_DPID>.
  • ing_flow1: used for programming analytics tracking, such as DNS, DHCP, ICMP, TCP control packets, and ARP.
  • ing_flow2: the TCAM table used for programming data forwarding.

To delete an existing policy, use the no policy command and identify the policy to delete, as in the following example:
    controller-1(config-policy)# no policy policy-name-1
    Warning: submode exited due to deleted object
When deleting a policy, DMF deletes all traffic rules associated with the policy.
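Because the Detailed Status line is where a failed policy explains itself, it is worth checking automatically when show policy output is collected for many policies. The following Python is an added example, not DMF code or a tool shipped with this guide: it parses the Key : value header of show policy output, flags the Table ... is full condition described above together with the role of the table named, and warns when a policy has no filter or delivery interfaces, which (per step 5) keeps it from becoming active. Both sample outputs are constructed; the failing policy, its name and its switch DPID are placeholders.

```python
import re

# Constructed sample outputs in the "Key : value" header layout that show policy
# prints in this chapter. The first mirrors the healthy policy above; the second
# is made up to show a TCAM-full failure, and its DPID is a placeholder.
HEALTHY_OUTPUT = """\
Policy Name : GENERATE-IPFIX-NETWORK-TAP-1
Config Status : active - forward
Runtime Status : installed
Detailed Status : installed - installed to forward
Priority : 100
# of filter interfaces : 1
# of delivery interfaces : 1
~ Match Rules ~
# Rule
-|-----------|
1 1 match any
"""

TCAM_FULL_OUTPUT = """\
Policy Name : EXAMPLE-WIDE-MATCH
Config Status : active - forward
Runtime Status : inactive
Detailed Status : Table ing_flow2 is full 00:00:00:00:00:00:00:ab
Priority : 100
# of filter interfaces : 2
# of delivery interfaces : 0
~ Match Rules ~
"""

# Roles of the two TCAM tables named in this chapter.
TABLE_ROLES = {
    "ing_flow1": "analytics tracking (DNS, DHCP, ICMP, TCP control, ARP)",
    "ing_flow2": "data forwarding",
}

FIELD_RE = re.compile(r"^([^:]+?)\s*:\s*(.*)$")
TABLE_FULL_RE = re.compile(r"Table (\S+) is full\s*(\S*)")


def parse_show_policy(text: str) -> dict:
    """Collect the 'Key : value' header lines. The '~ ... ~' sections that
    follow are tables and are not needed for a status check, so stop there."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("~"):
            break
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def assess_policy(text: str) -> dict:
    """Return {'policy', 'healthy', 'findings'} for one show policy output."""
    f = parse_show_policy(text)
    detailed = f.get("Detailed Status", "")
    findings = []
    m = TABLE_FULL_RE.search(detailed)
    if m:
        table, dpid = m.group(1), m.group(2) or "<unknown switch>"
        role = TABLE_ROLES.get(table, "unknown role")
        findings.append(f"TCAM table {table} ({role}) is full on switch {dpid}")
    # A policy needs at least one filter and one delivery interface to be active.
    for kind in ("filter", "delivery"):
        if f.get(f"# of {kind} interfaces") == "0":
            findings.append(f"no {kind} interfaces: policy cannot become active")
    if f.get("Runtime Status") != "installed" and not findings:
        findings.append(f"not installed: {detailed or 'no detailed status'}")
    return {"policy": f.get("Policy Name", "?"), "healthy": not findings, "findings": findings}


if __name__ == "__main__":
    for out in (HEALTHY_OUTPUT, TCAM_FULL_OUTPUT):
        r = assess_policy(out)
        print(r["policy"], "OK" if r["healthy"] else "; ".join(r["findings"]))
```

Run against the text of show policy for each configured policy, the findings list gives a single place to alert on TCAM exhaustion or on a policy that silently stopped forwarding.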

Define Out-of-band Match Rules Using the CLI

A policy can contain multiple match rules, each assigned a rule number. However, the rule number does not specify a priority or the sequence in applying the match rule to traffic entering the filter ports included in a policy. Instead, if the traffic matches any match rules, all actions specified in the policy are applied to all matching traffic.

The following example adds two match rules to dmf-policy-1.
controller-1(config)# policy dmf-policy-1
controller-1(config-policy)# 10 match full ether-type ip dst-ip 10.0.0.50 255.255.255.255
controller-1(config-policy)# 20 match udp src-ip 10.0.1.1 255.255.255.0
controller-1(config-policy)# filter-interface filname2
controller-1(config-policy)# delivery-interface delname3
controller-1(config-policy)# action forward
Note: When changing an existing installed policy by adding or removing match rules, DANZ Monitoring Fabric (DMF) calculates the change in policy flows and only sends the difference to the switches in the path for that policy. The unmodified flows for that policy are not affected.

When more than one action applies to the same packet, DMF makes copies of the matched packet. For details, refer to the chapter Advanced Policy Configuration.
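The rule forms used in this chapter, from the import text file in the Match Traffic section (match ip, match tcp src-port 80) to the two dmf-policy-1 rules just shown, can be modeled to check what a policy would select before it is installed. The following Python is an added example written for this chapter, not DMF code or an Arista tool: it parses rules in the <number> match ... form for only the keywords that appear on this page, and evaluates constructed sample packets against them with the any-rule-matches semantics described above. The Packet class, the sample addresses, and the rejection of a port qualifier on a rule that is not tcp or udp are the example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed inputs: the two rules of dmf-policy-1 above and the import text
# file from the Match Traffic section, both in the "<number> match ..." form.
DMF_POLICY_1_RULES = """\
10 match full ether-type ip dst-ip 10.0.0.50 255.255.255.255
20 match udp src-ip 10.0.1.1 255.255.255.0
"""
IMPORT_FILE = """\
1 match ip
2 match tcp
3 match tcp src-port 80
4 match tcp dst-port 25
"""

@dataclass
class Rule:
    number: int
    proto: str                                   # any | ip | tcp | udp
    src_net: Optional[ipaddress.IPv4Network] = None
    dst_net: Optional[ipaddress.IPv4Network] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass
class Packet:
    """Constructed IPv4 header summary (an assumption of this example)."""
    proto: str                                   # tcp | udp | icmp | ...
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0

def parse_rule(line: str) -> Rule:
    """Parse one rule line; only the keywords shown in this chapter are accepted."""
    t = line.split()
    try:
        if t[1] != "match":
            raise ValueError
        number, i = int(t[0]), 2
        if t[i] == "full":                       # "match full ether-type ip ..."
            if t[i + 1:i + 3] != ["ether-type", "ip"]:
                raise ValueError
            proto, i = "ip", i + 3
        else:
            proto, i = t[i], i + 1
        if proto not in ("any", "ip", "tcp", "udp"):
            raise ValueError
        rule = Rule(number, proto)
        while i < len(t):
            key = t[i]
            if key in ("src-ip", "dst-ip"):
                # "address mask" form; strict=False tolerates host bits in the address
                net = ipaddress.IPv4Network(f"{t[i + 1]}/{t[i + 2]}", strict=False)
                setattr(rule, key.replace("-ip", "_net"), net)
                i += 3
            elif key in ("src-port", "dst-port"):
                if proto not in ("tcp", "udp"):  # a port qualifier needs tcp or udp
                    raise ValueError
                setattr(rule, key.replace("-", "_"), int(t[i + 1]))
                i += 2
            else:
                raise ValueError
        return rule
    except (IndexError, ValueError) as exc:
        raise ValueError(f"bad match rule: {line!r}") from exc

def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip()]

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto == "any":
        return True
    if rule.proto in ("tcp", "udp") and pkt.proto != rule.proto:
        return False
    src, dst = ipaddress.IPv4Address(pkt.src_ip), ipaddress.IPv4Address(pkt.dst_ip)
    if rule.src_net is not None and src not in rule.src_net:
        return False
    if rule.dst_net is not None and dst not in rule.dst_net:
        return False
    if rule.src_port is not None and pkt.src_port != rule.src_port:
        return False
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    return True

def matching_rules(rules: List[Rule], pkt: Packet) -> List[int]:
    """Numbers of the rules pkt hits. A non-empty list means the policy's action
    applies; the numbers carry no priority or ordering, as noted above."""
    return [r.number for r in rules if rule_matches(r, pkt)]

if __name__ == "__main__":
    rules = parse_rules(DMF_POLICY_1_RULES)
    for pkt in (Packet("tcp", "192.168.1.10", "10.0.0.50", 51000, 443),
                Packet("udp", "10.0.1.77", "8.8.8.8", 53000, 53),
                Packet("udp", "10.0.2.5", "8.8.8.8", 53000, 53)):
        print(pkt.proto, pkt.src_ip, "->", pkt.dst_ip, matching_rules(rules, pkt) or "no match")
```

The mask in 20 match udp src-ip 10.0.1.1 255.255.255.0 is applied as a network mask, so the rule selects all of 10.0.1.0/24, not just the single host; the parser makes that explicit by storing each address/mask pair as an IPv4Network.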

Stop, Start, and Schedule a Policy Using the CLI

Enter the active or inactive command from the config-policy submode to enable or disable a policy.

To stop an action that is currently active, enter the stop command from the config-policy submode for the policy, as in the following example:
controller-1(config)# policy policy1
controller-1(config-policy)# stop

By default, if the policy action is forward or drop, the policy is active unless it is manually stopped or disabled.

To start a stopped or inactive policy immediately, enter the start now command from the config-policy submode for the policy, as in the following example:
controller-1(config)# policy policy1
controller-1(config-policy)# start now

For a policy with the forward action, the start now command causes the policy to run indefinitely. However, policies with the capture action capture for 1 minute unless otherwise specified, after which the policy becomes inactive. This prevents a capture from running indefinitely and consuming the appliance storage capacity.

You can also use the start command with other options to schedule a stopped or inactive policy. The full syntax for this command is as follows:

start { now [ duration duration ] [ delivery-count delivery-packet-count ] | automatic | on-date-time start-time [ duration duration ] | seconds-from-now start-time [ duration duration ] [ delivery-count delivery-packet-count ] }

The following summarizes the usage of each keyword:
  • now: start the action immediately.
  • delivery-count: runs until the specified number of packets are delivered to all delivery interfaces.
  • seconds: start the action after waiting for the specified number of seconds. For example, 300+ starts the action in 5 minutes.
  • date-time: starts the action on the specified date and time. Use the format %Y-%m-%dT%H:%M:%S.
  • duration: DANZ Monitoring Fabric (DMF) assigns 60 seconds by default if no duration is specified. A value of 0 causes the action to run until it is stopped manually. When using the delivery-count keyword with the capture action, the maximum duration is 900 seconds.
For example, to start a policy with the forward action immediately and run for five minutes, enter the following command:
controller-1(config-policy)# start now duration 300
The following example starts the action immediately and stops after matching 100 packets:
controller-1(config-policy)# start now delivery-count 100

The following example starts the action after waiting 300 seconds:

controller-1(config-policy)# start 300+
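To see how the start forms above combine, the following Python is an added example (not DMF code) that resolves a start argument string into absolute start and end times. It applies the rules stated in this section: now, <seconds>+ and the %Y-%m-%dT%H:%M:%S date-time, duration 0 meaning run until stopped, and the 900-second cap on capture combined with delivery-count. Where this section says both that forward with start now runs indefinitely and that the duration defaults to 60 seconds, the example reads the 60-second default as applying to the capture action; that reading, leaving out the automatic keyword, treating an indefinite duration as exceeding the 900-second cap, and the caller-supplied clock are the example's own assumptions.

```python
from datetime import datetime, timedelta

DATE_FMT = "%Y-%m-%dT%H:%M:%S"       # on-date-time format given in this section
DEFAULT_CAPTURE_DURATION = 60        # capture runs for 1 minute unless specified
INDEFINITE = 0                       # duration 0: runs until stopped manually
CAPTURE_COUNT_MAX_DURATION = 900     # cap when capture is combined with delivery-count
SAMPLE_NOW = datetime(2022, 11, 1, 3, 0, 0)   # constructed reference clock


def resolve_start(args: str, action: str, now: datetime) -> dict:
    """Resolve the arguments of a 'start' command into absolute times.

    args   -- everything after 'start', e.g. "now duration 300", "300+",
              "2022-11-01T04:30:00 delivery-count 100"
    action -- the policy action: forward, capture or drop
    now    -- the reference clock, passed in so results are reproducible
    Returns start, end (None when indefinite), duration and delivery_count.
    """
    if action not in ("forward", "capture", "drop"):
        raise ValueError(f"unknown policy action {action!r}")
    tokens = args.split()
    if not tokens:
        raise ValueError("start needs now, <seconds>+ or <date-time>")
    when, options = tokens[0], tokens[1:]
    if when == "now":
        start = now
    elif when.endswith("+") and when[:-1].isdigit():
        start = now + timedelta(seconds=int(when[:-1]))      # e.g. 300+
    else:
        start = datetime.strptime(when, DATE_FMT)             # ValueError if malformed

    duration, count = None, None
    for i in range(0, len(options), 2):
        key = options[i]
        value = options[i + 1] if i + 1 < len(options) else None
        if key == "duration" and value is not None:
            duration = int(value)
        elif key == "delivery-count" and value is not None:
            count = int(value)
        else:
            raise ValueError(f"bad option near {key!r}")
    if duration is None:
        # This example's reading of the section: capture defaults to 60 s,
        # forward and drop run indefinitely when no duration is given.
        duration = DEFAULT_CAPTURE_DURATION if action == "capture" else INDEFINITE
    if duration < 0:
        raise ValueError("duration cannot be negative")
    if action == "capture" and count is not None and (
            duration == INDEFINITE or duration > CAPTURE_COUNT_MAX_DURATION):
        raise ValueError("capture with delivery-count: maximum duration is 900 seconds")

    end = None if duration == INDEFINITE else start + timedelta(seconds=duration)
    return {"start": start, "end": end, "duration": duration, "delivery_count": count}


if __name__ == "__main__":
    for args, action in (("now duration 300", "forward"), ("now delivery-count 100", "capture"),
                         ("300+", "forward"), ("2022-11-01T04:30:00 duration 0", "forward")):
        r = resolve_start(args, action, SAMPLE_NOW)
        print(f"start {args} ({action}): {r['start']} -> {r['end'] or 'until stopped'}")
```

Resolving a schedule this way before applying it makes the difference between a forward policy that runs until stopped and a capture that stops after a minute visible up front, which matters when the capture is meant to be bounded by storage on the Controller appliance.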

Clear a Policy Using the CLI

To remove a specific DANZ Monitoring Fabric (DMF) policy, use the no keyword before the policy command, as in the following example:
controller-1(config)# no policy sample_policy

This command removes the policy sample_policy.

To clear all policies at once, enter the following command:
controller-1(config)# clear-all-configured-policy

View Policies Using the CLI

To display the policies currently configured in the DANZ Monitoring Fabric (DMF) fabric, enter the show policy command, as in the following example:

This output provides the following information about each policy.
  • #: a numeric identifier assigned to the policy.
  • Policy Name: name of the policy.
  • Action: Forward, Capture, or Drop.
  • Runtime Status: a policy is active only when the policy configuration is complete, and a valid path exists through the network from a minimum of one of the filter ports to at least one of the delivery ports (and moves on through the service ports if that is specified). When inserting a service in the policy, the policy can only become active/forwarding when a delivery port is reachable from all the post-service ports of the service.
  • Type: configured or dynamic. Refer to the Configuring Overlapping Policies section for details about dynamic policies created automatically to support overlapping policies.
  • Priority: determines which policy is applied first.
  • Overlap Priority: the priority assigned to the dynamic policy applied when policies overlap.
  • Push VLAN: a feature that rewrites the outer VLAN tag for a matching packet.
  • Filter BW: bandwidth used.
  • Delivery BW: bandwidth used.

The following is the full command syntax for the show policy command:

show policy [ name [ filter-interfaces | delivery-interfaces | services | core | optimized-match | failed-paths | drops | match-rules ] ]

Use the event history to determine the last time when policy flows were installed or removed. A value of dynamic for Type indicates the policy was dynamically created for overlapping policies.

Rename a Policy Using the CLI

Policy Renaming Procedure
Note: A DANZ Monitoring Fabric (DMF) policy must exist to use the renaming feature.

Use the following procedure to rename an existing policy.

  1. Use the CLI command policy existing-policy-name to enter the submode of an existing policy and then enter the show this command.
    dmf-controller-1(config)# policy existing-policy-name
    dmf-controller-1(config-policy)# show this
    ! policy
    policy existing-policy-name
  2. Enter the rename command with the name of the new policy, as shown in the following example.
    dmf-controller-1(config-policy)# rename new-policy-name
    Note: Possible traffic loss may occur when renaming a policy.
  3. Verify the policy name change using the show this command.
    dmf-controller-1(config-policy)# show this
    ! policy
    policy new-policy-name
    dmf-controller-1(config-policy)#
Note: A user must have permission to update the policy. The new policy name must follow the requirements for a policy name.

Using the Packet Capture Action in a Policy

Capture packets into a PCAP file for later processing or analysis. DANZ Monitoring Fabric (DMF) stores the captured packets on the DMF Controller hardware appliance. This feature provides a quick look at a small amount of traffic. For continuous packet capture and storage, use the DMF Recorder Node, described in the chapter Using the DMF Recorder Node.
Note: Storing PCAP files is supported only on the hardware appliance; it is not available when the Controller runs in a virtual machine. The DMF hardware appliance normally provides 200 GB of storage capacity, but the hardware appliance is optionally available with 1 TB of storage capacity.

To enable this feature, connect one of the DMF Controller hardware interfaces to a fabric switch interface defined as a DMF delivery interface.

Figure 128. DMF Controller Hardware Appliance
Table 1.
  1  1G Management Port
  2  10G Management Port
Figure 129. Capturing Packets on the DMF Appliance

To capture packets, define a policy with filter ports and match rules to select the interesting traffic. Specify the capture action in the policy, then schedule the policy for a duration or packet count. In the illustrated example, a service exists in the policy to modify the packets before capture, but this is optional.

By default, when the policy action is capture, the policy is only active after scheduling the policy. Packet captures are always saved on the master (active) Controller. In case of HA failover, previous packet captures remain on the Controller where they were initially saved.

By default, DMF automatically removes PCAP files after seven days. To change this value, use the packet-capture retention-days command; pressing the Tab key after the command shows the argument help, as in the following example:
controller-1(config)# packet-capture retention-days <tab-key>
<retention-days> Configure packet capture file retention period in days. Default is 7 days
controller-1(config)#

Define a Policy with a Packet Capture Action Using the CLI

Use the packet-capture retention-days command to change the number of days to retain PCAP files. To view the current setting, use the show packet-capture retention-days command.

To remove PCAP files immediately, use the delete packet-capture files command. Delete the files associated with a specific policy, as shown in the following example:
controller-1(config-policy)# delete packet-capture files policy capture file 2022-02-24-07-31-25-34d9a85a.pcapng
The following command assigns the capture action to the current policy and schedules the packet capture to start immediately and run for 60 seconds.
controller-1(config-policy)# action capture
controller-1(config-policy)# start now duration 60

For a policy with the forward action, the start now command causes the policy to run indefinitely. However, policies with the capture action capture for 1 minute unless otherwise specified, after which the policy becomes inactive. This prevents a capture from running indefinitely and consuming the appliance storage capacity.

The following command starts the capture immediately and runs until it captures 1000 packets:
controller-1(config-policy)# start now delivery-count 1000
Once the packet capture is complete, the PCAP file can be downloaded via HTTP using the URL displayed when entering the show packet-capture files command, as shown in the following example.
controller-1(config-policy)# show packet-capture files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ All Packet Capture Files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Policy Name File Name                          File Size Last Modified                  URL
-|-----------|----------------------------------|---------|------------------------------|----------------------------------------------------------------|
1 capture     2022-11-01-03-03-19-c106e6c.pcapng 258MB     2022-11-01 03:04:17.227000 PDT https://10.9.33.2/pcap/capture/2022-11-01-03-03-19-c106e6c.pcapng
controller-1(config-policy)#
To view the storage capacity and the storage used for PCAP files, enter the show packet-capture disk-capacity and show packet-capture disk-usage commands, as in the following example:
controller-1> show packet-capture disk-capacity
Disk capacity : 196GB
controller-1> show packet-capture disk-usage
Disk usage : 258MB
controller-1>
To view the number of days PCAP files are retained before deletion, use the show packet-capture retention-days command as in the following example:
controller-1> show packet-capture retention-days
To view the history of packet captures, enter the following command:
controller-1(config-policy)# show policy capture history
# Time                           Event                           Detail            PCAP File
-|------------------------------|-------------------------------|-----------------|-------------------------------------------------|
1 2022-11-01 03:03:19.382000 PDT installation complete           capturing packets /pcap/capture/2022-11-01-03-03-19-c106e6c.pcapng
2 2022-11-01 03:04:16.895000 PDT Configuration updated by admin. capturing packets inactive - outside configured runtime/duration,
                                                                 scheduled to be started in 7sec if set active
3 2022-11-01 03:04:17.266000 PDT policy removed                  inactive - outside configured runtime/duration,
                                                                 scheduled to be started in 6sec if set active
controller-1(config-policy)#