VPF Monitoring

This document covers monitoring VPF itself as well as using VPF to monitor traffic passing through TNSR.

Status

There are several show commands to view various aspects of the VPF configuration and state.

show vpf connection-statistics:

Displays a summary of VPF connections based on data in the state table.

See VPF Connection Statistics for details.

show vpf connections:

Lists current connections in the VPF state table. The output can optionally be filtered, limited to a number of entries, or displayed with increased verbosity.

See VPF Connections (State Data) for details.

show vpf filter ruleset [<name>]:

Prints the contents of VPF filter rulesets, optionally limited to a single filter ruleset by name.

The output includes the configured filter rule parameters along with a count of packets and bytes matched by the rule.

show vpf ha:

Displays the current VPF High Availability configuration.

show vpf ipfix:

Prints the current status of IPFIX in VPF (e.g. enabled or disabled).

show vpf nat ruleset [<name>]:

Prints the contents of VPF NAT rulesets, optionally limited to a single NAT ruleset by name.

The output includes the configured NAT rule parameters along with a count of packets and bytes translated by the rule.

show vpf options interfaces:

Prints a list of interfaces attached to VPF and the rulesets associated with those interfaces.

show vpf options runtime:

Prints the VPF runtime options and their current values.

show vpf options startup:

Prints the VPF startup options and their current values.

show vpf status:

Prints the current status of VPF itself (e.g. enabled or disabled).

show vpf table [<name>]:

Prints the current contents of VPF Tables, optionally limited to a single table by name.

VPF Connection Statistics

The show vpf connection-statistics command displays a summary of VPF connections based on data in the state table.

The output is organized as two tables, one for IPv4 and one for IPv6. Each table has one row per worker thread, with active and expired state counts for TCP, UDP, ICMP, and other protocols, followed by a Total row summing all threads.

tnsr# show vpf connection-statistics

VPF IPv4 connection statistics:

  Thread      TCP       TCP       UDP       UDP      ICMP      ICMP      Other     Other
            Active    Expired   Active    Expired   Active    Expired   Active    Expired
------------------------------------------------------------------------------------------
         0         0         0         3         0         0         0         0         0
------------------------------------------------------------------------------------------
Total              0         0         3         0         0         0         0         0

VPF IPv6 connection statistics:

  Thread      TCP       TCP       UDP       UDP      ICMP      ICMP      Other     Other
            Active    Expired   Active    Expired   Active    Expired   Active    Expired
------------------------------------------------------------------------------------------
         0         0         0         0         0         0         0         0         0
------------------------------------------------------------------------------------------
Total              0         0         0         0         0         0         0         0
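The two tables above are fixed-width text, so a monitoring job that wants these counters as gauges has to parse them. The following is an added example, not part of TNSR or of this page: it parses the per-thread rows and the Total row of each table, re-derives the Total row from the thread rows as a sanity check, and sums the active counts per address family. The column order is taken from the sample output above; the sample text embedded in the script is constructed (two IPv4 worker threads, one idle IPv6 thread) and does not come from a real device.

```python
"""Parse `show vpf connection-statistics` output into per-thread counters.

Added example, not part of TNSR or this page. The column order follows the
page's sample output; the SAMPLE text below is constructed.
"""
import re

# Eight counters per row, in the order the table prints them.
COLUMNS = ("tcp_active", "tcp_expired", "udp_active", "udp_expired",
           "icmp_active", "icmp_expired", "other_active", "other_expired")

# Constructed sample output: two IPv4 worker threads, one idle IPv6 thread.
SAMPLE = """\
VPF IPv4 connection statistics:

  Thread      TCP       TCP       UDP       UDP      ICMP      ICMP      Other     Other
            Active    Expired   Active    Expired   Active    Expired   Active    Expired
------------------------------------------------------------------------------------------
         0        12         1         3         0         0         0         0         0
         1         8         0         2         1         1         0         0         0
------------------------------------------------------------------------------------------
Total             20         1         5         1         1         0         0         0

VPF IPv6 connection statistics:

  Thread      TCP       TCP       UDP       UDP      ICMP      ICMP      Other     Other
            Active    Expired   Active    Expired   Active    Expired   Active    Expired
------------------------------------------------------------------------------------------
         0         0         0         0         0         0         0         0         0
------------------------------------------------------------------------------------------
Total              0         0         0         0         0         0         0         0
"""


def parse_connection_statistics(text):
    """Return {"ipv4": {"threads": {n: {...}}, "total": {...}}, "ipv6": {...}}.

    A thread row is nine integers (thread index + eight counters); the Total
    row is the word "Total" followed by eight integers.  Header and separator
    lines have a different shape and are skipped.
    """
    stats, family = {}, None
    for line in text.splitlines():
        m = re.match(r"VPF (IPv[46]) connection statistics:", line)
        if m:
            family = m.group(1).lower()
            stats[family] = {"threads": {}, "total": None}
            continue
        if family is None:
            continue
        parts = line.split()
        if len(parts) == 9 and parts[0] == "Total":
            stats[family]["total"] = dict(zip(COLUMNS, map(int, parts[1:])))
        elif len(parts) == 9 and all(p.isdigit() for p in parts):
            row = dict(zip(COLUMNS, map(int, parts[1:])))
            stats[family]["threads"][int(parts[0])] = row
    return stats


def totals_consistent(stats):
    """Recompute each Total row from the thread rows; False on any mismatch
    or if a table had no Total row at all (truncated output)."""
    for fam in stats.values():
        if fam["total"] is None:
            return False
        for col in COLUMNS:
            if sum(t[col] for t in fam["threads"].values()) != fam["total"][col]:
                return False
    return True


def active_connections(stats):
    """Active states per address family, summed over all protocol columns;
    this is the number a state-table capacity gauge should track."""
    return {
        fam: sum(v for k, v in data["total"].items() if k.endswith("_active"))
        for fam, data in stats.items()
    }


if __name__ == "__main__":
    parsed = parse_connection_statistics(SAMPLE)
    print("totals consistent:", totals_consistent(parsed))
    print("active states:", active_connections(parsed))
```

The consistency check is cheap insurance against exporting numbers from a partially captured or mis-split table; if it fails, discard the sample rather than emit a misleading gauge value.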

VPF Connections (State Data)

TNSR includes mechanisms to display and remove current VPF connection states. Both commands use the same matching syntax to select which connections to show or clear.

The two commands are:

  • show vpf connections displays connection state data

  • clear vpf connections removes connection state data

Both commands have two main forms, one that acts on all connections and one that acts only on connections matching a set of filters. Filtering is important on TNSR devices which may have many thousands or even millions of connection states.

Note

When executing a clear command for VPF connections, VPF High Availability synchronizes that action to its peers. For example, clearing all states from one node will also remove matching connection states from peers.

This bulk action temporarily uses additional memory; see VPF HA Memory Requirements for details.

Show VPF Connections Output Limits and Detail

The show vpf connections command supports output limits and increased detail:

limit <n>:

Limits the output of the command to at most n entries. Default limit is 100 entries.

Note

By default, TNSR limits the output to 100 entries to prevent it from generating excessive output with large volumes of state data.

To view more than 100 entries, specify a larger limit value. For example, show vpf connections all limit 500.

verbose:

Prints much more detailed information about each connection state.

Show or Clear All VPF Connections

To view all connections, use show vpf connections all:

tnsr# show vpf connections all

VPF connections:
     0. on thread 0, interface WAN, pass from table 0 10.28.0.150:54056, to 142.250.190.14:443,
        protocol tcp, state time-wait, translate 203.0.113.228:7873

1 connections found.

To clear all connections, use clear vpf connections all:

tnsr# clear vpf connections all

478 IPv4 connections removed.
No IPv6 connections removed.

Show or Clear Specific VPF Connections

The matching form of the command follows this syntax:

tnsr# (clear|show) vpf connections matching [[!] <filter> [<filter> [...]]]
                                            [limit <number>] [verbose]
!:

Prefixing the filters with an exclamation mark (!) negates the match, making the command match all entries except those which match the specified filters.

Note

This negation is global, not per filter specification: it inverts the result of all filters taken together, not each filter individually. For example, ! source 10.0.0.0/8 protocol udp matches every state except those which are both from 10.0.0.0/8 and UDP, so a TCP state from 10.0.0.0/8 still matches.

destination (<ip-address>|<prefix>):

Matches states with a specific IPv4 or IPv6 destination address or destination addresses within a specified prefix.

destination-id <id>:

Matches states with the given protocol-specific destination identifier. For TCP and UDP this is a port value, other protocols vary in meaning.

destination-route-table <route-table-name>:

Matches states with a destination in the given route table (VRF).

filter-only:

Matches only states created by VPF filter rules.

nat-only:

Matches only states created by VPF NAT rules.

owner (<interface-name>|<route-table-name>):

Matches states owned by a given interface or route table (VRF).

protocol (<name>|<number>):

Matches states with the given protocol, either by protocol name or number.

source (<ip-address>|<prefix>):

Matches states with a specific IPv4 or IPv6 source address or source addresses within a specified prefix.

source-id <id>:

Matches states with the given protocol-specific source identifier. For TCP and UDP this is a port value, other protocols vary in meaning.

source-route-table <route-table-name>:

Matches states with a source in the given route table (VRF).

thread-index <n>:

Matches states associated with a specific VPP worker thread.

translation (<ip-address>|<prefix>):

Matches states with a specific IPv4 or IPv6 NAT translation address or NAT translation addresses within a specified prefix.

translation-id <id>:

Matches states with the given protocol-specific NAT translation identifier. For TCP and UDP this is a port value, other protocols vary in meaning.
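To make the matching semantics concrete, and to show how the show vpf connections all output can be consumed by tooling, the following is an added example that is not TNSR code and not part of this page. It parses entries in the two-line layout shown above into records, then applies a set of filters the way the matching form does: all filters must match (AND), and a leading ! negates that combined result rather than each filter. Everything beyond what the page shows is an assumption: the sample entries are constructed in the same shape as the one real entry above, the translate part is treated as optional (a state with no NAT translation is assumed to print without it), the protocol name to number table is the example's own, owner is approximated by interface name only, and nat-only/filter-only are approximated by the presence or absence of a translation. IPv6 address formatting is not shown on the page and the regex assumes the same address:port form.

```python
"""Parse `show vpf connections all` output and evaluate `matching` filters.

Added example, not TNSR code.  Entry layout follows the page's one sample
entry; the optional `translate` part, the protocol table, and the owner /
nat-only / filter-only approximations are this example's assumptions.
"""
import ipaddress
import re

# Constructed sample output in the shape of the page's example.
SAMPLE = """\
VPF connections:
     0. on thread 0, interface WAN, pass from table 0 10.28.0.150:54056, to 142.250.190.14:443,
        protocol tcp, state time-wait, translate 203.0.113.228:7873
     1. on thread 0, interface WAN, pass from table 0 10.28.0.150:51234, to 1.1.1.1:53,
        protocol udp, state single, translate 203.0.113.228:7874
     2. on thread 1, interface LAN, pass from table 0 10.28.5.7:443, to 10.28.0.150:60010,
        protocol tcp, state established

3 connections found.
"""

ENTRY_RE = re.compile(
    r"on thread (?P<thread>\d+), interface (?P<iface>\S+), (?P<action>\w+) "
    r"from table (?P<table>\d+) (?P<src>\S+):(?P<sid>\d+), "
    r"to (?P<dst>\S+):(?P<did>\d+), protocol (?P<proto>\w+), "
    r"state (?P<state>[\w-]+)"
    r"(?:, translate (?P<xlat>\S+):(?P<xid>\d+))?"   # assumed optional
)

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1, "icmp6": 58}  # assumed names


def parse_connections(text):
    """Join each numbered entry with its indented continuation line(s), then
    split the fields with ENTRY_RE.  Returns a list of dicts."""
    entries, current = [], None
    for line in text.splitlines():
        if re.match(r"\s*\d+ connections found", line):
            break                                  # trailing summary line
        m = re.match(r"\s*(\d+)\.\s+(.*)", line)
        if m:                                      # "   N. on thread ..."
            if current:
                entries.append(current)
            current = [int(m.group(1)), m.group(2)]
        elif current and line.strip():
            current[1] += " " + line.strip()       # continuation line
        elif current:
            entries.append(current)                # blank line ends the entry
            current = None
    if current:
        entries.append(current)
    conns = []
    for idx, body in entries:
        m = ENTRY_RE.search(body)
        if not m:
            raise ValueError("unrecognised entry: " + body)
        c = m.groupdict()
        c["index"] = idx
        for key in ("thread", "table", "sid", "did", "xid"):
            c[key] = int(c[key]) if c[key] is not None else None
        conns.append(c)
    return conns


def _in_prefix(addr, spec):
    """True if addr is the given address or lies within the given prefix."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _proto(c, spec):
    return PROTO_NUMBERS.get(c["proto"]) == int(spec) if spec.isdigit() else c["proto"] == spec


# One predicate per filter keyword; the second argument is the filter value.
MATCHERS = {
    "source": lambda c, v: _in_prefix(c["src"], v),
    "destination": lambda c, v: _in_prefix(c["dst"], v),
    "source-id": lambda c, v: c["sid"] == int(v),
    "destination-id": lambda c, v: c["did"] == int(v),
    "translation": lambda c, v: c["xlat"] is not None and _in_prefix(c["xlat"], v),
    "translation-id": lambda c, v: c["xid"] == int(v),
    "protocol": _proto,
    "thread-index": lambda c, v: c["thread"] == int(v),
    "owner": lambda c, v: c["iface"] == v,          # interface names only (assumed)
    "nat-only": lambda c, v: c["xlat"] is not None,  # approximation (assumed)
    "filter-only": lambda c, v: c["xlat"] is None,   # approximation (assumed)
}


def select(conns, filters, negate=False, limit=100):
    """`matching` semantics: every filter must hold (AND); `negate` inverts the
    whole conjunction, not each filter.  `limit` mirrors the CLI default of 100."""
    out = [c for c in conns if all(MATCHERS[k](c, v) for k, v in filters) != negate]
    return out[:limit]


if __name__ == "__main__":
    conns = parse_connections(SAMPLE)
    udp_from_lan = select(conns, [("source", "10.28.0.0/16"), ("protocol", "udp")])
    everything_else = select(conns, [("source", "10.28.0.0/16"), ("protocol", "udp")], negate=True)
    print([c["index"] for c in udp_from_lan], [c["index"] for c in everything_else])
```

The negated query is the one to test before running clear vpf connections matching with a ! prefix: because negation wraps the whole filter set, ! source 10.28.0.0/16 protocol udp keeps every TCP state from 10.28.0.0/16, which is the opposite of what a per-filter reading would suggest.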

IPFIX

VPF can send session data, including NAT translations, via IPFIX. See IPFIX Exporter and VPF NAT IPFIX Logging for details.