Interface Classification
The management and use of Interface Classification (IC) in the Kentik portal is covered in the following topics:
About Interface Classification
Interface Classification is an automated process that enables your organization to quickly and easily understand the types of interfaces through which your traffic enters and leaves the network, giving you the ability to optimize your network for cost and performance. Additional information is available in the following KB locations:
- For a fuller description of IC, see Classification Overview.
- For a look at some specific use cases for IC, see Using Interface Classification.
IC for Overridden Interfaces
Interface classification involves evaluation of the properties of the interfaces on the Kentik-registered devices in your organization, which you can see in the Interfaces List (Settings » Manage Interfaces). The values of some of these properties are typically discovered via SNMP OID Polling, while others are assigned during IC itself. Either type may alternatively be defined manually, a.k.a. "overridden" (see Interface Overrides). The impact of these overrides on interface classification depends on the properties that are overridden:
- SNMP overrides: If the SNMP-discovered value for an interface's name, description, and/or IP address field is overridden, classification of the interface will be based on the manually set value.
- Classification overrides: If an interface's value for Connectivity Type, Network Boundary, or Provider is edited manually, then until that setting is restored to its original value the interface will not be included in the interfaces evaluated by interface classification.
Interface Classification Page
Interface Classification is configured via the Interface Classification page of the Kentik portal (Settings » Interface Classification). The page and its associated dialogs are covered in the following topics:
Notes: Member-level users can view this page, but only Admin users may configure Interface Classification.
Interface Classification UI
The Interface Classification page contains the following UI elements:
- Add Rule button: Opens the Add Rule dialog (see Rule Dialogs).
- Configure Interface Classification button: Opens the Configure Interface Classification dialog.
- Manually Overridden notification: When the Name, Description, IP, and/or Capacity fields of an interface have been specified manually (see Manual vs. SNMP Discovery) a notification will appear above the Rules list. The notification includes a link to the Interfaces Page.
- Rules List: Contains a list of the current interface classification rules; see Rules List.
- Classified Devices pane: Displays the current classification status of interfaces on the devices your organization has registered with Kentik; see Classified Devices Pane.
Rules List
The Rules List on the main Interface Classification page lists all of the IC rules that have been defined in your organization. When a new rule is added via the Add Rule dialog it appears at the bottom of the list. Rules are evaluated in the list order (see Applying Classification Rules), which can be changed by clicking and dragging the handle at the left of each row.
Each row in the list includes the following elements (left to right):
- Drag handle: When you hover over the handle at left it becomes shaded and your cursor changes to a four-headed arrow. Click and drag the handle to move the rule higher or lower in the list.
- Number: The order in which the rule will be executed.
- Rule statement: A summary of the rule as defined with the settings in the Add Rule dialog, e.g. “IF Interface Description contains IX then classify as IX | External.”
Note: If the rule includes Provider Classification then the statement will also include “to Provider” and the provider value.
- More options button (…): Click to open a popup from which you can choose the following options:
- Disable/enable: Select to disable or enable the rule.
- Remove (trash icon): Opens a confirming dialog that allows you to delete the rule from the rules engine.
Manual Rules Evaluation
The following Rules List events will cause an alert to appear at the top of the list, indicating that your rules need to be evaluated (manually applied) and displaying the Run Evaluation button; the alert disappears after the evaluation is run:
- Changing the order of the rules.
- Disabling or re-enabling a rule.
- Removing a rule.
View Rule Details
You can click on any row in the Rules List to open the corresponding rule in an Edit Rule dialog (see Rule Dialogs). The dialog opens pre-populated with the current settings of the rule.
Classified Devices Pane
The Classified Devices pane (right sidebar) of the Interface Classification page includes the following elements:
- Percentage classified indicator: A ring diagram at the top of the pane showing the percentage of your interfaces that have been successfully classified by the interface classification rules engine.
Note: High classification ratios are usually achieved by applying a rigorously consistent interface description naming system and IP addressing system across your entire infrastructure.
- Number classified indicators: A set of three indicators showing:
- Devices: The number of devices on which the rules engine attempted interface classification.
- Interfaces: The number of interfaces on which the rules engine attempted classification.
- Classified: The number of interfaces that are classified.
- View Unclassified Interfaces (present only if some interfaces are unclassified): A button that indicates the number of interfaces that are not yet classified and opens the Unclassified Interfaces Dialog.
- Search Devices: A filter field for narrowing, by name, the devices displayed in the list of classified devices.
- Sort button: Toggles the sort order (ascending or descending) of the listed devices (by name).
- Classified Devices list: A list of the devices on which the rules engine attempted interface classification (see Classified Devices List).
Classified Devices List
The Classified Devices list is a table listing the devices on which interface classification has been attempted. Clicking a device in the list will open, in a separate window or tab, the Device Interfaces Dialog for that device. The list includes the following information for each device:
- Name: The name of the device.
- Classification result: The number of interfaces on the device that were classified, expressed both as a fraction of the total interfaces on the device and as a percentage, and illustrated as a bar chart in which the light gray bar represents the total and a colored bar represents the classified (color varies by percent classified).
Device Interfaces Dialog
The Device Interfaces Dialog is covered in the following topics:
About the Device Interfaces Dialog
The Device Interfaces Dialog contains a table that lists all of the interfaces on a given device. To show the dialog for a given device, click on that device’s row in the device list of the Classified Devices Pane at the right of the Interface Classification page.
Note: Interfaces that are excluded in IC General Settings are not listed in this dialog.
Device Interfaces Dialog UI
The Device Interfaces dialog contains the following UI elements:
- Close button: Click the X in the upper right corner to close the dialog.
- Interfaces classified: Indicates, by fraction and by percent, the proportion of interfaces on the device that have been classified.
- Search interfaces: Filters the Device Interfaces list to show only rows containing the entered text in any of the table columns.
- Classification status: A button group with which you can filter the Device Interfaces list based on classification status:
- All: Show all interfaces.
- SNMP But No Flow: Shows only interfaces that have traffic reported via SNMP but show no flow, the most likely cause being misconfiguration of the flow-generating device. This is particularly useful when troubleshooting ports (see Flow SNMP Mismatch).
- Classified: Show only interfaces that have been classified.
- Unclassified: Show only interfaces that haven’t been classified.
- Device Interfaces list: A list of interfaces on the device (see Device Interfaces List).
- View Traffic on Interfaces with No Description: A button that opens Data Explorer, with the Filtering pane of the Query sidebar set to include only interfaces on this device that have traffic but have no description (the Destination Interface Description dimension matches an empty string).
Device Interfaces List
The Device Interfaces List is a table whose rows each represent an interface that has been classified on the device. Click on a column heading to sort the list (ascending or descending). The value in a given row for a given column may be from SNMP, from a previous round of IC, or manually specified in Settings » Interfaces (see IC for Overridden Interfaces).
Each row in the list includes the following columns:
- Name: The interface’s name string.
- Description: The interface’s description string.
- IP: The interface’s IP address.
- Capacity: The interface’s maximum capacity (bitrate) in Mbps.
- Boundary ASNs: The ASNs of the autonomous systems to which — so far as Kentik is able to determine based on traffic and BGP data — an edge (External) interface is connected. If there's more than one AS, the percentage of traffic for each is also indicated.
- Network Boundary: The network boundary value assigned to the interface by interface classification (see Network Boundary Attribute).
- Connectivity Type: The connectivity type value assigned to the interface by interface classification (see Connectivity Type Attribute).
- Provider: The provider value associated with the interface (see Provider Classification).
- View Interface Chart (chart icon): Opens a modal with a multi-axis chart showing the traffic across the interface (top source AS number vs. top destination AS number) ranked by max bits/second:
- Use the display type drop-down at upper right to change the type of chart.
- Click the View in Explorer button to open the chart in Data Explorer for further exploration of that traffic.
Unclassified Interfaces Dialog
The Unclassified Interfaces dialog, which opens from the Unclassified Interfaces button in the Classified Devices Pane, is covered in the following topics:
Note: Interfaces that are excluded in IC General Settings are not listed in this dialog.
Unclassified Interfaces UI
The Unclassified Interfaces dialog contains the following UI elements:
- Close button: Click the X in the upper right corner to close the dialog.
- Filter field: Filters the Unclassified Interfaces list to show only rows containing the entered text in any of the table columns.
- Export CSV: A button that exports the table as CSV data. When the button is first clicked, a notification will confirm that the CSV data is being prepared. When the data is ready, another notification will appear, advising you of the URL from which the data can be downloaded.
- Unclassified Interfaces List: A list of unclassified interfaces grouped by device (see Unclassified Interfaces List).
Unclassified Interfaces List
The Unclassified Interfaces List is a table listing the interfaces that remain unclassified. Each such interface is represented by a row in the table, and all interfaces for a given device are grouped under a heading row for that device, which allows you to show/hide the device's rows.
The interface rows include the following columns (click on a column heading to sort ascending or descending):
- Name: The interface’s name string, either defined in the device itself and retrieved via SNMP or manually specified in Kentik (overridden; see Add or Edit an Interface).
- Description: The description string, either defined in the device itself and retrieved via SNMP or manually specified in Kentik (overridden).
- Capacity: The capacity of the interface in Mbps.
- Boundary ASNs: The ASNs of the autonomous systems to which — so far as Kentik is able to determine based on traffic and BGP data — an edge (External) interface is connected. If there's more than one AS, the percentage of traffic for each is also indicated.
- View Interface Chart (icon): Opens a modal with a chart showing the traffic across the interface ranked by max bits/second to each destination AS:
- Use the display type drop-down at upper right to change the type of chart.
- Click the View in Explorer button to open the chart in Data Explorer for further exploration of that traffic.
Note: The value in a given row for a given column may be from SNMP, from a previous round of IC, or manually specified in Settings » Interfaces (see IC for Overridden Interfaces).
Rule Dialogs
Adding or editing an interface classification rule involves specifying information in the rule dialogs, which are covered in the following topics.
- About Rule Dialogs
- Rule Dialogs UI
- Rule IF Settings
- Rule THEN Settings
- Unclassified Interfaces Tab
- Interface Matches Tab
Note: Interfaces that are excluded in IC General Settings are not listed on the tabs of this dialog.
About Rule Dialogs
The Kentik portal uses rule dialogs to define interface classification. The information required to define a rule is entered in either of the following dialogs:
- Add Rule when creating a new rule.
- Edit Rule when editing an existing rule.
The UI of these two dialogs is identical, except that in the Add Rule dialog the Interface Matches tab appears only after a rule has been tested with the Test Rule button.
Rule Dialogs UI
The rule dialogs include the following UI elements:
- Close button: Click the X in the upper right corner to close the dialog without saving any changes.
- Rule IF Settings: The conditions that must be matched by an interface in order for classification to be applied by this rule (see Rule IF Settings).
- Rule THEN Settings: The classifications to apply to an interface for which the IF settings are matched (see Rule THEN Settings).
- Test Rule: Allows you to see the effect (the resulting classifications, if any) of applying the rule. During evaluation, an Evaluating Rules alert will appear.
- Interface Matches tab (after the rule is tested): Shows information about the result of testing a rule (see Interface Matches Tab).
- Unclassified Interfaces tab: A list of interfaces that haven't yet been classified by any existing rule (see Unclassified Interfaces Tab).
- Cancel button: Close the dialog without saving changes. All elements will be restored to their values at the time the dialog was opened.
- Add Rule button (Add Rule dialog only): Adds the rule to your set of interface classification rules, classifies your interfaces, and closes the dialog, leaving you back on the Interface Classification page with the new rule now shown at the end of the Rules List.
- Save button (Edit Rule dialog only): Saves any changes to the rule, classifies your interfaces, and closes the dialog, leaving you back on the Interface Classification page.
Rule IF Settings
The dialog’s IF controls specify the match condition that the rules engine will look for:
- SNMP field: The SNMP-polled interface field in which to look for a match, which will be one of the following:
- Interface name;
- Interface description;
- IP address.
- Match clause: The operator used to evaluate the interface field for a match, which depends on which field type will be evaluated:
- Interface Name or Interface Description: equals, contains, or matches regex;
- Interface IP: is in subnet, is public IP address, is private IP address, has no IP address.
- Pattern field: The string or IP address to try to match (not present when the match clause is "has no IP address").
- Edit Included Devices: Two UI elements that enable you to specify the devices whose interfaces will be checked for a match with the IF conditions:
- Included Devices list: Lists the currently included devices; defaults to All Devices.
- Edit included Devices button: Click to open a Data Sources Dialog that will enable you to select the devices to include.
- Edit Excluded Devices:
- Excluded Devices list: If any devices have been selected for exclusion, shows those devices.
- Edit included Devices button: Click to open a Data Sources Dialog that will enable you to select the devices to exclude.
Interface Matching Rules
The controls above allow various ways to build a rule depending on the SNMP field to match on and the match clause. As discussed in Connectivity Type Attribute, a match can be based on one of three SNMP fields:
- Interface name: Base the match on interface name, which corresponds to the Interface column in the Interfaces List on the Interfaces page. The resulting rule would be structured like this: “If name contains FastEthernet1 then classify the interface as Available.”
- Interface description: Base the match on interface description. The resulting rule would be structured like this: “If description contains peering: PI then classify the interface as free private peering.” In this case peering: PI would be a string that you provide based on your knowledge of the interface description protocol used on your network, and free private peering would be selected from the connectivity type drop-down.
- IP address: Base the match on IP. The resulting rule would be structured like this: “If IP address is in subnet 123.456.78.90 then classify the interface as host.”
The table below gives an idea of the types of matching that you can currently use in your rules. Note that all references to "regex" mean ECMAScript (JavaScript) regex (i.e. not PCRE or PCRE2).
| Interface Attribute | Match clause | Matches when... |
| --- | --- | --- |
| Name | Equals | Provided string is an exact match with the name (case sensitive). |
| Name | Contains | Provided string is found in the name (case insensitive). |
| Name | Matches regex | Provided string is found in the name with regex match. |
| Description | Equals | Provided string is an exact match with the description (case sensitive). |
| Description | Contains | Provided string is found in the description (case insensitive). |
| Description | Matches regex | Provided string is found in the description with regex match. |
| IP Address | is in subnet | Interface’s IP address is within the user-provided CIDR. |
| IP Address | is a Public IP Address | Interface’s IP address is a publicly routable IP address. |
| IP Address | is a Private IP Address | Interface’s IP address is reserved (e.g. RFC1918, test-net, doc-net, apipa, cgn, etc.). |
| IP Address | has no IP address | Interface has no IP address. |
Rule THEN Settings
The dialog’s THEN controls specify the interface classification attribute values that will be applied by the rules engine if a match is found:
- Connectivity type: Set the connectivity type value that will be applied if the rule is matched (see Connectivity Type Attribute).
- Network boundary: Set the network boundary value (Internal or External) that will be applied if the rule is matched (see Network Boundary Attribute).
- Provider: A provider value, expressed as a literal string or as regex, used for Provider Classification.
By default, the network boundary classification is automatically determined by the connectivity type. You can override the automatic correspondence between network boundary and connectivity type in either of two ways:
- To change the boundary value that will be applied for an individual rule, toggle the Auto button to off, then choose a value (Internal or External) from the drop-down list.
- To change the boundary value that will be applied automatically for a given connectivity type, see Configure Interface Classification.
Unclassified Interfaces Tab
The Unclassified Interfaces tab is one of two tabs in the main area of the Add Rule and Edit Rule dialogs. At the top of the tab is an indicator stating the percentage of your interfaces that are currently classified. Below the indicator is a table that is similar but not identical to the Unclassified Interfaces List. The table has a row for each interface and heading rows for each device that allow you to show/hide all rows corresponding to the interfaces for that device.
The interface rows of the table include the following columns:
- Name: The interface’s name string, either defined in the device itself and retrieved via SNMP or manually specified in Kentik (overridden; see Add or Edit an Interface).
- Description: The description string, either defined in the device itself and retrieved via SNMP or manually specified in Kentik (overridden).
- IP: The IP address for this interface.
Note: The IP address is not reported for manually created interfaces.
- Capacity: The capacity of the interface in Mbps, either defined in the device itself and retrieved via SNMP or manually specified in Kentik (overridden).
- Boundary ASNs: The ASNs of the autonomous systems to which — so far as Kentik is able to determine based on traffic and BGP data — an edge (External) interface is connected. If there's more than one AS, the percentage of traffic for each is also indicated.
Interface Matches Tab
The Interface Matches tab provides information about the current state of interface classification across your organization’s Kentik-registered devices. The tab is always present in the Edit Rule dialog, but present in the Add Rule dialog only after you click the Test Rule button at the lower left of the dialog, which causes the current rule to be evaluated.
The tab presents classification status by device in the form of a Device Matches list. The list shows how many interfaces per device, by percentage and number, are classified by the current rule and all other enabled rules, so you can see if the current rule is having any effect on overall classification.
Each row in the list includes the following:
- The device name.
- A horizontal bar showing the percentage of classified interfaces on the device.
- The number of interfaces matched and classified by the current rule (left half of lozenge, on blue background).
- The number of interfaces classified by other rules (right half of lozenge; color varies depending on percentage classified).
- The percentage of interfaces classified.
When you click on a row in the list, an Interfaces Classified Dialog will appear that shows the classification status of the interfaces on the device corresponding to that row.
Interfaces Classified Dialog
The Interfaces Classified dialog, reached by clicking a row in the Device Matches list in the Add Rule or Edit Rule dialog, shows the classification status of the interfaces on an individual device. The dialog is covered in the following topics:
Notes:
- The information available in this dialog is partially but not entirely the same as the information in the Device Interfaces Dialog reached from the Classified Devices pane on the Interface Classification page. The Interfaces Classified dialog includes classification status for each interface, but not other information such as capacity, network boundary, and connectivity type.
- Interfaces that are excluded in IC General Settings are not listed in this dialog.
Interfaces Classified UI
The Interfaces Classified dialog includes the following UI elements:
- Device name: Shown in title bar at upper left.
- Close button: Click the X in the upper right corner to close the dialog without saving any changes.
- Interfaces Classified indicator: a collection of elements indicating:
- The number of interfaces classified.
- The total number of interfaces on the device.
- The percentage of classified interfaces on the device, shown as a horizontal bar with the percentage stated at right.
- Filter field: Filters the Interfaces Classified List to show only rows containing the entered text in any of the table columns.
- Match indicator: States this rule's position in the Rules List (which determines order of application) and the IF condition defined in the rule (see Rule IF Settings).
- Classification key: A key explaining the icons used in the left-hand column of the Interfaces Classified List, which cover the following cases:
- The interface was matched and classified by this rule.
- The interface matched this rule but was already classified by a prior rule (higher in the Rules List).
- The interface did not match this rule, but was classified by another rule.
- The interface matched no rules.
- Interfaces Classified List: A list of interfaces on the device (see Interfaces Classified List).
- View Traffic on Interfaces with No Description: A button that opens Data Explorer, with the Filtering pane of the Query sidebar set to include only interfaces that have traffic but have no description (the Destination Interface Description dimension matches an empty string).
Interfaces Classified List
The Interfaces Classified List includes the following columns (click on a column heading to sort the list, ascending or descending):
- Match: An icon indicating the interface's classification status. Possible values are described in the classification key (see Interfaces Classified UI).
- Name: The interface’s name string, either defined in the device itself and retrieved via SNMP or manually specified in Kentik (i.e. overridden; see Add or Edit an Interface).
- Description: The description string, either defined in the device itself and retrieved via SNMP or manually specified in Kentik (overridden).
- IP: The IP address for this interface.
Note: The IP address is not reported for manually created interfaces.
- Provider: The provider value associated with the interface (see Provider Classification).
Note: The value in a given row for a given column may be from SNMP, from a previous round of IC, or manually specified in Settings » Interfaces (see IC for Overridden Interfaces).
Applying Classification Rules
Interface classification involves applying the current rules in the rules list to your organization’s interfaces. The classification process is initiated in response to the following:
- Automatic evaluation in response to:
- Adding a new rule with the Add Rule button in the Add Rule dialog.
- Saving an edited rule with the Save Changes button in the Edit Rule dialog.
- Manual evaluation as described in Manual Rules Evaluation.
When the classification process is initiated the engine works through the interfaces on all of your registered devices. Classification is applied based on the first (top-most) match condition (“if”) that results in a match.
When an interface is classified, the values of the two attributes (connectivity type and network boundary) are written to your organization’s devices database in Kentik, which is updated every three hours. From there the values are applied to incoming flow records as they are processed by our ingest layer.
If no rule is matched for a given interface, that interface won’t be classified. Information about how many interfaces were classified and which devices they were from is shown as part of the Classified Devices Pane.
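The match clauses in the Interface Matching Rules table and the first-match ordering described above can be modeled offline to check a rule list before entering it in the portal. The following is an added example, not Kentik code: the rule object shape, operator names, sample rules and sample interfaces are constructed, only IPv4 is handled, the reserved-range list is a subset, and regex matching is assumed to be case sensitive and unanchored.

```javascript
// Added example: offline model of IF-clause matching and first-match ordering.
// Not Kentik code; rule shape and operator names are hypothetical.

// Dotted-quad IPv4 -> integer, or null when the string is not a valid address.
function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// "is in subnet": compare network prefixes (division avoids 32-bit sign issues).
function inCidr(ip, cidr) {
  const [base, len] = String(cidr).split("/");
  const a = ipToInt(ip), b = ipToInt(base);
  if (a === null || b === null || !/^\d{1,2}$/.test(len || "") || Number(len) > 32) return false;
  const size = 2 ** (32 - Number(len));
  return Math.floor(a / size) === Math.floor(b / size);
}

// Constructed subset of reserved space: RFC1918, test-net/doc-net, APIPA, CGN.
const RESERVED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24",
  "198.51.100.0/24", "203.0.113.0/24", "169.254.0.0/16", "100.64.0.0/10"];
const isReserved = (ip) => RESERVED.some((c) => inCidr(ip, c));

// One IF clause, following the table: "equals" is case sensitive, "contains" is
// case insensitive, "regex" is an ECMAScript pattern searched within the value.
function matches(rule, iface) {
  if (rule.field === "ip") {
    const ip = iface.ip || "";
    switch (rule.op) {
      case "in_subnet": return inCidr(ip, rule.pattern);
      case "is_public": return ipToInt(ip) !== null && !isReserved(ip);
      case "is_private": return isReserved(ip);
      case "no_ip": return ip === "";
      default: throw new Error(`unknown IP operator: ${rule.op}`);
    }
  }
  const value = iface[rule.field] || "";
  switch (rule.op) {
    case "equals": return value === rule.pattern;
    case "contains": return value.toLowerCase().includes(rule.pattern.toLowerCase());
    case "regex": return new RegExp(rule.pattern).test(value);
    default: throw new Error(`unknown string operator: ${rule.op}`);
  }
}

// The first (top-most) enabled rule that matches wins; null means unclassified.
function classify(rules, iface) {
  for (let i = 0; i < rules.length; i++) {
    const r = rules[i];
    if (r.enabled !== false && matches(r, iface)) {
      return { rule: i + 1, connectivityType: r.connectivityType, boundary: r.boundary };
    }
  }
  return null;
}

// The four cases of the classification key, relative to rule number n.
function statusFor(rules, n, iface) {
  const hit = classify(rules, iface);
  if (!hit) return "matched no rules";
  if (hit.rule === n) return "classified by this rule";
  if (hit.rule < n && matches(rules[n - 1], iface)) return "matched, already classified by prior rule";
  return "classified by another rule";
}

// Constructed rule list in evaluation order (rule 1 is the page's sample rule).
const RULES = [
  { field: "description", op: "contains", pattern: "IX", connectivityType: "IX", boundary: "External" },
  { field: "description", op: "contains", pattern: "peering: PI",
    connectivityType: "free private peering", boundary: "External" },
  { field: "ip", op: "in_subnet", pattern: "10.20.0.0/16", connectivityType: "host", boundary: "Internal" },
  { field: "description", op: "regex", pattern: "^IX\\b", connectivityType: "IX", boundary: "External" },
];

// Constructed interfaces (addresses taken from documentation and private ranges).
const IFACES = {
  a: { name: "et-0/0/0", description: "IX: EXAMPLE-IX port 1", ip: "203.0.113.10" },
  b: { name: "xe-0/0/1", description: "peering: PI example-peer", ip: "198.51.100.1" },
  c: { name: "ge-0/0/5", description: "mgmt to unix-jump01", ip: "10.20.3.4" },
  d: { name: "FastEthernet1", description: "", ip: "" },
};

for (const [id, iface] of Object.entries(IFACES)) {
  const hit = classify(RULES, iface);
  console.log(id, hit ? `rule ${hit.rule}: ${hit.connectivityType} | ${hit.boundary}` : "unclassified");
}
```

Interface `c` shows the risk of a short case-insensitive `contains` pattern near the top of the list: "IX" matches "unix", so an internal management port is labeled IX | External before the subnet rule is reached. The anchored regex in rule 4 avoids that over-match, but it only takes effect if it is moved above rule 1 or rule 1 is disabled.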
Configure Interface Classification
The Configure Interface Classification link on the main Interface Classification (IC) page takes you to the Configure Interface Classification dialog, which is covered in the following topics:
Configure IC Dialog UI
The Configure Interface Classification dialog consists of the following general UI elements and panes:
- Close button: Click the X in the upper right corner to close the dialog without saving changes to the settings.
- General Settings: Exclude interfaces from classification based on specific properties of the interface; see IC General Settings.
- Default Network Boundaries: Set the boundary value (Internal or External) that is currently associated by default with each of the supported connectivity types; see IC Default Network Boundaries.
- Cancel button: Close the dialog without saving changes. All elements will be restored to their values at the time the dialog was opened.
- Save button: Save changes to settings and exit the dialog.
IC General Settings
The interface classification settings in this pane enable you to exclude interfaces from classification based on specific interface properties. The pane includes the following controls:
- Exclude interfaces with no Description: A switch that excludes from interface classification any interface for which a description is not found.
- View in Explorer (chart icon): A button that opens Data Explorer, with the Filtering pane of the Query sidebar set to include only interfaces on this device that have traffic but have no description (the Destination Interface Description dimension matches an empty string).
- OR | AND button (shown only if the above switches are both on):
- If OR, an interface will be excluded if either condition is true.
- If AND, an interface will be excluded only if both conditions are true.
- Exclude interfaces with no IP Address: A switch that excludes from interface classification any interface for which an IP address is not found.
- Exclude host (nProbe/kprobe) interfaces: A switch that excludes from interface classification any interface on a device whose type is host (see Host Configuration).
Note: Excluded interfaces are not only not classified but also not listed in any of the tables in the dialogs of the Interface Classification module.
IC Default Network Boundaries
The Default Network Boundaries pane enables you to change the default network boundary values associated with connectivity types (see Connectivity Type Attribute). The values are set with the drop-down selector below each type. When your interface classification rules are run, the engine will apply the settings in this pane to every interface that is classified by a rule whose network boundary is set to Auto in the THEN pane of the Add Rule or Edit Rule dialog (see Rule THEN Settings).
Using Interface Classification
The use of Interface Classification is covered in the following series of steps:
- Check Interface description fields: Interface classification works best when a rigorously consistent interface description naming system is applied across your entire infrastructure.
Note: The description value for a given interface may be from SNMP, from a previous round of IC, or manually specified in Settings » Interfaces (see IC for Overridden Interfaces).
- Create and test rules: Based on your knowledge of the descriptions and IP addresses for the interfaces in your network, create a set of classification rules using the IF and THEN sections of the Rule Dialogs:
- The IF section sets what will be matched to determine if the rule will be applied to a given interface (see Rule IF Settings).
- The THEN section sets what connectivity type and network boundary values will be assigned to an interface that is matched by the rule (see Rule THEN Settings).
- A rule can be tested as it is developed to see how many (and which) interfaces would be classified by the rule if the rule were applied (see Test Rule in Rule Dialogs UI).
- Apply classification rules: Initiate classification (see Applying Classification Rules), which results in applying the current set of rules in the rules list. Rules are evaluated in order of the list.
- Query based on classifications: Use the classification values as source or destination group-by or filter dimensions in Data Explorer, in Dashboards, in Alerting, and via the Kentik V5 Query API:
- Dimensions for network boundary: src_interface_network_boundary, dst_interface_network_boundary.
- Dimensions for connectivity type: src_interface_connectivity_type, dst_interface_connectivity_type.
Note: For examples of querying with the above dimensions, see Using Interface Classification.
Provider Classification
Provider classification is covered in the following topics:
About Provider Classification
Provider classification enables queries based on the "provider" via which traffic from a given externally facing interface reaches the Internet. This capability is supported by the Provider dimension (see Interface Classification Dimensions) that can be used in queries for group-by and filtering. The value of this dimension for traffic on a given interface can be set automatically as part of the interface classification process (see Provider Classification Implementation).
Notes:
- Provider classification depends on the application of consistent, well-structured interface description strings to all externally facing interfaces.
- While developed to associate externally facing interfaces with specific providers, provider classification can also be thought of more broadly as enabling queries based on a tag whose value is set via interface classification (as distinct from tags applied at flow ingest).
Provider Scope
For the purpose of provider classification, the term “provider” typically refers to one of the following types of external connections:
- A transit provider.
- A private peer (whether paid or free).
- An Internet Exchange (typically made up of multiple ASNs).
- A customer (only if you are a transit provider).
Provider Classification Implementation
Provider classification involves operations at two distinct stages in the Kentik system:
- Interface classification: Steps involving interface classification rules:
- Before classification, the provider’s name is specified by the user in the THEN settings of a rule (see Configuring Provider Classification). The name may be specified as a literal or using regex.
- When the rule is run, the name is extracted from the interface description and stored in the same Devices database that is used for interface classification (see Applying Classification Rules).
- Query run-time: The source and destination interfaces associated with each flow record in the KDE are looked up in the Devices database, and the provider information (if any) for the interfaces is associated with that flow record using two KDE virtual columns. These columns are represented in the portal UI as filtering or group-by dimensions that can be applied to queries: Source Provider and Destination Provider.
Note: Because the provider values for each interface are derived at run time, the provider associated with traffic on a given interface will always be that interface's current provider (rather than the provider in effect when the flow was collected).
Configuring Provider Classification
Provider classification is configured in the IF and THEN panes at the left of the Rule Dialogs (Add Rule and Edit Rule) of the Interface Classification page (Settings » Interface Classification).
Provider IF Configuration
In the IF pane (see Rule IF Settings), specify conditions that will match all of the interfaces that you wish to label with a provider value. As with any interface classification, basic IF settings are as follows:
- Set the interface field to IP Address, Interface Name, or Interface Description.
- Set the match clause to equals, contains, or matches regex.
- In the pattern field, enter the literal or regex string to match.
Note: Use of regex for provider classification is covered in Provider Classification with Regex.
Provider THEN Configuration
In the THEN pane (see Rule THEN Settings), specify the classification that will occur when the conditions in the IF pane are matched:
- Set the connectivity type (e.g. Transit, IX Peering, Free Private Peering, or Paid Private Peering) that will be associated with the interface.
- If desired, change the default network boundary (see Network Boundary Attribute) that will be associated with the interface.
- In the Provider field, enter a literal or regex string for the provider value.
Note: Use of regex for provider classification is covered in Provider Classification with Regex.
Provider Classification with Regex
Assuming that your organization's interface descriptions are consistent and well-structured, provider classification with regex can be far more efficient than classification with a literal string. This form of provider classification uses the "capture group" feature of regex.
About Regex Capture Groups
A regex capture group allows you to designate part of a string as a substring that can be referenced by its ordinal position in the string:
- A substring (or multiple substrings) in a regex string can be designated as a capture group by surrounding the substring with parentheses. For example, the following regex contains two capture groups:
Capture (group)s are (power)ful
- The contents of a capture group can be matched by referring to its index (1-based) in the collection of capture groups in the string, with $1 referring to the first capture group, $2 referring to the second, etc. In the example string above, the value of $1 is group and the value of $2 is power.
- The use of a capture group allows you to refer to the same part of multiple source strings even if the value of that part is different in each string. For instance if we evaluate a different string from our original example, e.g. Structured (descriptions) are the (key), the value of $1 would be descriptions and the value of $2 would be key.
Regex Provider Settings
For provider classification with regex, use the following settings:
- In the IF pane:
- Set the interface field to Interface Description.
- Set the match clause to matches regex.
- In the pattern field, enter the regex string to match. The substring that you want to use as the provider value should be designated as a capture group.
- In the THEN pane:
- Set the connectivity type (e.g. Transit, IX Peering, Free Private Peering, or Paid Private Peering) that will be associated with the interface.
- If desired, change the default network boundary.
- In the Provider field, enter a reference to the capture group that identifies the part of the regex string that you want to use as the provider value.
To see how the above regex matching would work, let's suppose that the purpose of the rule is to assign a provider value to interfaces whose connectivity type is peering:
- In the IF pane, specify the pattern field as 'PEERING(\w*):.
- In the THEN pane, specify the connectivity type as Free Private Peering and the Provider field as $1.
When interface classification is run and the rule is applied, if an interface’s description starts with “PEERING” (case insensitive) followed immediately by a capture group, then:
- The connectivity type of the interface will be stored in the devices database as Free Private Peering.
- The substring in the capture group will be stored in the devices database as the provider value for that interface.
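The example rule above, applied to a few constructed interface descriptions to show which interfaces would be labelled, which would match but receive an empty provider (because `\w*` may capture nothing), and which would not match at all. This is an added illustration, not Kentik's code: Python's `re` module stands in for the portal's regex engine, the `^` anchor and case-insensitive flag are assumptions modelling "starts with PEERING (case insensitive)", and the function names are hypothetical.

```python
import re

# The page's example rule. Assumptions: Python's `re` stands in for the portal's
# regex engine; "^" and IGNORECASE model "starts with ... (case insensitive)".
RULE = {
    "pattern": re.compile(r"^PEERING(\w*):", re.IGNORECASE),
    "connectivity_type": "Free Private Peering",
    "provider": "$1",
}

def expand(template, match):
    """Replace each $N in the Provider field with capture group N of the match."""
    def ref(m):
        n = int(m.group(1))
        # Leave a reference to a non-existent group untouched instead of raising.
        return (match.group(n) or "") if 1 <= n <= match.re.groups else m.group(0)
    return re.sub(r"\$(\d+)", ref, template)

def classify(description, rule=RULE):
    """Return the values the rule would store, or None if the IF clause fails."""
    match = rule["pattern"].search(description)
    if match is None:
        return None
    return {"connectivity_type": rule["connectivity_type"],
            "provider": expand(rule["provider"], match)}

def audit(descriptions, rule=RULE):
    """Sort descriptions into labelled, matched-but-empty-provider, and unmatched."""
    report = {"labelled": {}, "empty_provider": [], "unmatched": []}
    for desc in descriptions:
        result = classify(desc, rule)
        if result is None:
            report["unmatched"].append(desc)
        elif not result["provider"]:
            report["empty_provider"].append(desc)
        else:
            report["labelled"][desc] = result["provider"]
    return report

# Constructed interface descriptions (not taken from any real device).
SAMPLES = [
    "PEERINGexamplenet: port 1",
    "peeringExampleIX: lag 3",
    "PEERING: examplenet port 2",
    "TRANSIT examplecarrier: uplink",
    "core PEERINGexamplenet: port 9",
]

if __name__ == "__main__":
    for bucket, items in audit(SAMPLES).items():
        print(bucket, items)
```

Interfaces that land in the empty or unmatched buckets are the ones whose descriptions do not follow the structure the rule expects; the Test Rule feature in the Rule Dialogs serves the same purpose before a rule is applied.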