Flows Classification
For improved flows management, Meridian uses a classification engine that applies predefined and user-defined rules to filter and classify flows. The included predefined rules are based on the IANA Service Name and Transport Protocol Port Number Registry.
You can group flows by a combination of parameters: source/destination port, source/destination address, IP protocol, and exporter filter.
Once set up, you can view classification groups on the home page.
Use classification to help you determine how the flows associated with a particular appliance, service, or other component affect your network (for example, all YouTube traffic or all flows to port 80 marked as http
).
To classify a flow, you must define a rule. A rule includes at least a name for the classified flows and additional parameters that must match for successful classification.
Use the Classification UI to define new rules:
.Flows classification example
Assume that you define the following rules:
name | srcAddress | srcPort | dstAddress | dstPort | protocol | exporterFilter |
---|---|---|---|---|---|---|
OpenNMS |
10.0.0.1 |
8980 |
tcp |
|||
http |
80,8980,8080,9000 |
tcp |
||||
https |
443 |
|||||
Exporters |
categoryName == 'Exporters' |
Meridian receives the following flows, classified according to the rules defined above:
Flow | Classification |
---|---|
protocol: tcp, |
http |
protocol: tcp, |
https |
protocol: tcp, |
OpenNMS |
Create a flows classification rule
A flows classification rule must include at least a name and one definition for source/destination port, source/destination address, IP protocol, or exporter filter.
By default, rules that a user creates appear in the "user-defined rules" group. You can create other groups as needed and assign rules to those groups.
-
Click the gears icon, and click Manage Flow Classification.
-
In the User-defined Rules tab, click the plus sign.
-
Type a name for the rule in the Application Name field.
-
Specify a value in at least one of the following fields:
Source IP Address
The source IP address of the flow to match. May include wildcard characters (for example, asterisks (*)) to define a dynamic range of IP addresses that can be matched.
Source Port
The source port of the flow to match. May be a range or list of ports; for example, 80,8080,8980, or 8000-9000.
Destination IP Address
The destination IP address of the flow to match. May include wildcard characters (for example, asterisks (*)) to define a dynamic range of IP addresses that can be matched.
Destination Port
The destination port of the flow to match. May be a range or list of ports; for example, 80,8080,8980, or 8000-9000.
Exporter Filter
The exporter of the flow (device/observation point) must match this criteria. This parameter supports all capabilities of the Meridian Filters API.
IP Protocol
The IP protocol of the flow to match.
-
Mark the rule as omnidirectional to evaluate it with interchanged endpoint addresses and ports.
This classifies related traffic that matches the classification in the same way.
-
Click Create.
Note that when you have more than one user-defined rule, in the Position field, you can specify the order you want the classification engine to evaluate the rule within its group. Lower numbers are evaluated first (0 > 1 > 2). By default, the Position field increments the number with each new rule. (The classification engine would evaluate the rules based on the order in which you create them.) See order of evaluation.
Rule groups
Each rule is associated with a rule group. The default user groups are "user-defined rules" and "pre-defined rules". You can add, edit, and delete groups. Note that you cannot edit or delete the "pre-defined" group or its rules.
To add a rule group, follow these steps:
-
Click the gears icon and click Manage Flow Classification.
-
In the Settings tab, click the plus sign.
-
In the Position field, choose a number for the order you want the group to be evaluated.
Evaluation order goes from lowest number to highest (0>1>2).
-
Type a name and description in the appropriate fields and click Create.
If you originally created a rule in the user-defined rules group, you can edit that rule to assign it to a different group.
Verify rule configuration
To verify that a complex set of rules is configured correctly, navigate to the classification UI (
) and select the test classification icon (magic wand) in the top right.Define values in the screen and click Classify. (You are basically crafting an IP packet by hand.)
This simulates sending a flow to the classification engine.
If the configuration is correct, the name of the associated rule appears in the bottom left of the Test Classification dialog:
Order of evaluation
Rules and groups each have a position in the order of evaluation. The classification engine evaluates lower positions first. The position of a rules group is more important than the rule’s position within its group. The pre-defined group is always evaluated last.
Drag and drop or edit the Position field in the group/rules dialogs to change the positions of rules.
An example of an evaluation:
Group Position | Group | Rule Position | Rule |
---|---|---|---|
1 |
group 1 |
1 |
rule 1.1 |
1 |
group 1 |
2 |
rule 1.2 |
1 |
group 1 |
3 |
rule 1.3 |
1 |
group 1 |
4 |
rule 1.4 |
2 |
group 2 |
1 |
rule 2.1 |
2 |
group 2 |
2 |
rule 2.2 |
2 |
group 2 |
3 |
rule 2.3 |
2 |
group 2 |
4 |
rule 2.4 |
3 |
group 3 |
1 |
rule 3.1 |
3 |
group 3 |
2 |
rule 3.2 |