VIFG Modes
Two modes of VIFG operation control the way in which AppResponse 11 recognizes and manages network interfaces for the purposes of capturing and monitoring traffic. Traffic is grouped by monitoring interfaces (the default) or by VLAN ID. The VIFG mode that is set in AppResponse 11 controls which VIFGs are visible in Packet Analyzer Plus.
The two modes of operation are exclusive; it is not possible to create one VIFG that captures from a monitoring interface and a VLAN tag.
Changing the VIFG mode causes all groups created in the other mode to be deleted. Existing capture jobs will be kept, and will remain linked to the deleted VIFG.
Monitoring Interfaces Mode
Monitoring Interfaces mode is the default mode for AppResponse 11. In this mode, VIFGs are defined by explicitly specifying individual monitoring interfaces to include in the VIFG. This corresponds to the monitoring interface groups (MIfGs) supported prior to Version 11.5.0, and MIfGs created before Version 11.5.0 will be preserved in the process of upgrading to Version 11.5.0 and later.
Observe these considerations when planning and configuring VIFGs:
◼ A VIFG has one or more monitoring interfaces.
◼ A monitoring interface can be a member of only one VIFG.
◼ The maximum number of VIFGs is the same as the number of monitoring interfaces installed. When running on VMware ESXi 5.5 or 6.0, the maximum number of monitoring interfaces is 8.
◼ A VIFG must have a unique name. If a VIFG is deleted, that name can then be used by another VIFG.
◼ Any changes to a VIFG take effect immediately.
VLAN Mode
Selecting the Group By: VLAN IDs option enables you to define VIFGs based on the VLAN tags that are read from incoming packets. As with groups based on monitoring interfaces, you can create new VLAN-based groups manually using the web UI. For example, you could create a new VIFG that includes VLAN 10, VLAN 100, and VLAN 150. Two different VLAN-based groups cannot have VLAN tags in common, so, for example, you cannot create a VIFG including VLAN 10 and VLAN 100, and another VIFG including VLAN 20 and VLAN 100. A VIFG in VLAN mode can aggregate up to 32 VLANs.
You can use wildcards ("*") when specifying VLANs, including when specifying inner or outer VLAN IDs. For example, typing VLAN "45:*" would match the VLAN "45:48:3" as well as the VLAN "45:2". Be conscious of the interaction of the wildcard character with Q-in-Q delimiters: For example, "3:*:5" will match "3:12:5", but not "3:1:2:5". In addition, overlap between definitions is not allowed: For example, "4:*" and "*:3" both match "4:3", so the second such definition would be rejected.
The Packet Analyzer Plus Windows client does not support VLAN mode.
For each VLAN-based VIFG, you can specify a default filter, enable/disable deduplication, and/or export the VIFG to SteelCentral NetProfiler (with a custom filter).
As of Version 11.10.0, VLAN UNTAGGED is used for untagged packets instead of VLAN 0. Autodetect will assign VLAN 0 packets to a group named "vifg_0", and will assign untagged packets to a group named "vifg_untagged". When upgrading to Version 11.10.0 and later, groups that used VLAN 0 will be converted to VLAN UNTAGGED. (When defined manually, the "UNTAGGED" label must be typed in all capital letters.)
“Q-in-Q” tunneling is supported, but VLAN inside VLAN is considered separate from a single VLAN. That is, VLAN 10 and VLAN 10 inside VLAN 11 will be considered two different non-overlapping groups. Comma-separated values are treated as distinct VLANs; Q-in-Q would be denoted with a semicolon, such as, “3102:300”.
VLAN Autodiscovery
In addition to the default behavior that enables you to define VLAN-based VIFGs manually, VLAN mode supports VLAN-based VIFG creation by autodiscovery. Autodiscovery is useful when you don’t know in advance what VLAN IDs are configured in the network you’re working with. The VIFG will be created with a default name ("VIFG %d" or "VIFG%d:%d" for Q-in-Q tunneling), and there will be a new VIFG for each VLAN tag; Q-in-Q VLANs count as separate groups.
Autodiscovery is available only when working in VLAN mode.
Be aware of these aspects of VLAN autodiscovery behavior:
◼ When autodiscovery is off, new VIFGs can only be created manually using the Web UI (or through REST).
◼ When autodiscovery is on, it is not possible to create new VIFGs or edit existing ones manually.
◼ When autodiscovery is on, each time a new VLAN tag is seen in the network, a new VIFG is created automatically.
◼ If the number of VIFGs doesn’t exceed the maximum, then the other_vifg group will not be used, regardless of whether it’s enabled or not. If the number of VIFGs exceeds 2,000, the other_vifg group will be used if it’s enabled.
◼ As of Version 11.10.0, VLAN 0 packets are assigned to a group named "vifg_0", and untagged packets are assigned to a group named "vifg_untagged". When upgrading to Version 11.10.0 and later, VIFGs with 0s are converted to untagged.
◼ Autodiscovery will not modify existing groups, nor will it create overlapping groups.
◼ The deduplication and filter of pre-existing groups will not be modified when autodiscovery is on. If a VIFG was already configured manually on specific VLANs (for example, VLAN10), and a packet with VLAN10 is received, it will be added to the existing VIFG, and no new group will be created.
◼ When autodiscovery is on, although it is not possible to edit the membership of existing groups manually, it is possible to change the autodiscovery settings (for example, using a filter).
You may find this workflow helpful for using autodiscovery:
1. Enable autodiscovery.
2. Wait for VLAN-based VIFGs to appear automatically.
3. Disable autodiscovery.
4. Edit groups manually (for example, join two VLAN IDs in the same VIFG).