Create an Ingress Group for a 9920 Device

An ingress group is a set of ports, port channels, and tunnels on which monitored traffic is received.

Before you begin

If necessary, create the port channel to associate with the ingress group. For more information, see Create a Port Channel.

If necessary, create the ingress policy to associate with the ingress group. For more information, see Create an Ingress Policy for a Device.

If necessary, create a mirror for the outer tunnel. For more information, see Configure a Traffic Mirror for 9920 Devices.

About this task

Ingress groups classify and apply policies on monitored traffic. After you create an ingress group, the group can be associated with an ingress policy.

Procedure

  1. In the Navigation menu, select Device Inventory.
  2. In the Devices page, click anywhere in the required device row except the Actions column (Actions column icon) to proceed to the device Overview page.
  3. In the Device Config menu, select Policies and Configuration > Ingress Groups > Add Ingress Group.
  4. In the Name field, enter a name for the group.
  5. In the Ports/Port Channels field, select at least one port or port channel for the group.
  6. Optional: For single tunnel encapsulation, do the following to configure the Inner Tunnel:
    1. Expand the Inner Tunnel section.
    2. In the Tunnel Type field, select the type of tunnel for the incoming traffic.
      • GRE
      • GTPU
      • VXLAN
      • NVGRE
      • IPIP
    3. Optional: In the Tunnel ID field, select or enter a value that represents the tunnel ID.
      This field is not applicable for GRE and IPIP tunnels.
    4. Optional: Complete the applicable processing and filter options for the selected protocol.
      • Destination IP: Specifies the destination IP address
      • Destination Prefix: Specifies the destination prefix
      • Source IP: Specifies the source IP address
      • Source Prefix: Specifies the source prefix
    5. In the Advance Scope section, select one of the following actions to apply to the incoming traffic.
      • Decap to remove the outer tunnel headers from the packet
      • Scope Shift to move the ACL scope for matching from the outer headers to the inner headers of a tunneled packet
      • None to perform neither action
  7. Optional: For packets with two sets of tunnel headers before the innermost packet, for example, a VXLAN tunnel wrapped around a GTPu tunneled packet, do the following to configure the Outer Tunnel.
    1. Expand the Outer Tunnel section.
    2. In the Outer Tunnel Type field, select the type of tunnel for the incoming traffic.
      • None
      • VXLAN
      • MPLS

      A maximum of five MPLS header removal is supported. The packets with more than five MPLS headers are dropped.

    3. Complete the applicable filter options for the outer tunnel headers for the selected protocol.
      • Label: Filters on the last MPLS label present in a five label stack.
      • Traffic Class: Filters on the Traffic Class field of the last MPLS label present in a five label stack.
      • Time To Live (TTL): Filters on the Time To Live field in the last MPLS label present in a five label stack.
      • Outer Tunnel ID: Filters on the VXLAN tunnel ID field.
      • Outer Destination IP: Specifies the destination IPv4 address or network..
      • Outer Destination Prefix: Specifies the destination prefix if filtering on a range of hosts.
      • Outer Source IP: Specifies the source IPv4 address or network.
      • Outer Source Prefix: Specifies the source prefix if filtering on a range of hosts.

      The packets that do not match the selected filter options are dropped.

    4. Optional: In the Mirror field, select the mirror action to forward a copy of the entire packet to the configured mirrored port.
      For more information, see Configure a Traffic Mirror for 9920 Devices.
  8. In the Policy Name field, select the ingress policy to associate with the group.
  9. Select Create.
9037726-00 Rev AB