Views:

Displays throughput and efficiency across the different inspection tiers of this device. Use this information to diagnose certain performance-related issues. On a stack device, the device's stacking statistics are displayed.

Inspection Tier Description
Stack : Segment Ports
For TPS 8200TX/8400TX and TPS TXE Series devices, the following information is displayed when stacking is enabled:
  • Segment Rx Mbps displays the aggregate received traffic from all network segments on this device.
  • Segment Tx Mbps displays the aggregate traffic transmitted from all network segments on this device.
  • Stack Balance displays the load balance percentage, in which 100% equates to perfect balance across the number of devices in the stack. Note that this includes devices that are in Intrinsic HA L2FB, which count as zero in the load balance calculation. This statistic is analogous to the XLR load balance percentage in Tier 1. Additional metrics include the throughput statistics (in Mbps) and utilization percentage statistics for each stack member.
  • <host n> Rx Mbps displays the traffic balanced from this device's network segments to the other devices in the stack.
  • Segment ratio to tier 1 displays the percentage of traffic being inspected by this device as a ratio of the segment Rx traffic.
Stack : Stack Ports
For TPS 8200TX/8400TX and TPS TXE Series devices, the following information is displayed when stacking is enabled:
  • Stack Rx Mbps displays the aggregate received traffic from both stacking ports.
  • Stack Tx Mbps displays the aggregate traffic that is transmitted from both stacking ports.
  • Stack Rx > Stack Tx displays the total amount of transit or through traffic on the stacking ports; for example, traffic received on one stack port that is forwarded by the switch to the other stack port.
  • Stack Rx > Seg Tx displays the amount of return traffic coming in on a stacking port en route to a network segment.
  • Stack ratio to tier 1 displays the percentage of traffic being inspected by this device as a ratio of the stack Rx traffic.
Tier 1
Inspection bypass and Intrinsic HA L2FB are handled here, preventing traffic from going to the next tier. This tier also handles the rate limiter, inspection bypass rules, jumbo packet shunting, and the hardware watchdog timer.
  • Rx Mbps and Rx packet/sec indicate how much traffic is entering the device from all the segments. Tx Mbps and Tx packet/sec indicate how much traffic is egressing the device. A value in parentheses () represents the high-level watermark and a value in brackets [] represents the low-level watermark since the IPS was powered on or the tier statistics were reset.
    Note
    Use the clear np tier-stats CLI command to clear out these statistics.
  • Bypass Mbps displays the current and max throughput matching an Inspection Bypass rule. Traffic matching an Inspection Bypass rule does not count towards the IPS inspection limits.
  • A/B/C Balance displays how well the flows are being balanced between the XLRs. 100% indicates an even 33/33/33 split, which is ideal. 0% means that all traffic is going to a single XLR. Note that the number of packets going through each XLR is flow based, so it is not uncommon to see a slight difference between them.
  • Utilization displays the percentage of rated system throughput and of traffic to next tier.
  • Inspection bypass rules reduce the value of both Utilization and Ratio to next tier.
Tier 2
Load balances flows through the KS threads and handles Traffic Management Trust and Block filters, which prevent traffic from proceeding to the next tier.
Ratio to next tier accounts for Traffic Management Trust and Block rules and Traffic normalization filters. TCP ACKs are trusted by default, which reduces the Tier 2 ratio to next tier.
Tier 3
This tier is designed to search for suspicious traffic that needs to undergo deep inspection. This section handles IPv6 + GRE and Mobile IPv4 tunnels. IP reassembly, connection table maintenance, and TCP state tracking are handled here. If triggers are found, this tier determines which filters need to be checked against the packet or flow, turns on soft-reroute for the flow, and, if necessary, sends it for deep packet inspection.
This section displays how much traffic KS threads and IP reassembly will inspect. Ratio to next tier shows what percentage of traffic needs TCP reassembly or is suspicious (matched a trigger).
Tier 4
This tier performs TCP reassembly and threat verification, which includes header-based checks, protocol decoders, content search, and regular expression matching. Action handling also occurs here, whether the packet is dropped, rate limited, or rate limited in the connection table.
  • Rx due to indicates why traffic is going deep:
    • Trigger match. Displays the percentage of traffic that matched a trigger.
    • Rx due to Reroute. When a packet matches a trigger, the following packets that belong to the same flow are required for threat verification.
    • TCP sequence. If traffic cannot be reordered by K threads using loopy packet, it must go to Tier 4 for reordering.
  • Ratio to next tier. Displays the percentage of traffic that matched a filter, regardless of the Action Set.
Tuning is required if congestion is occurring or if an IPS is being operated close to its maximum rated throughput. The deeper a flow is inspected, the more processing is required, so the greatest performance gains can be attained by optimizing the KS threads at this level (Tiers 3 and 4). The three most process-intensive operations are:
  1. IP reassembly
  2. Threat verification
  3. TCP packet reordering
For supported TPS devices with TOS v5.3 or later, the following information is displayed when SSL inspection is enabled:
  • Rx Mbps and Tx Mbps indicate how much encrypted traffic is entering the inspection engine from all the segments. The numbers in the brackets represent the high-level watermark since the IPS was powered on or the tier statistics were reset.
    Note
    Use the clear np tier-stats CLI command to clear out these statistics.
  • Utilization displays the percentage of rated system throughput and of traffic to next tier.
Tier 5
For supported TPS devices with a TOS earlier than v5.3, the following information is displayed when SSL inspection is enabled:
  • Rx Mbps and Tx Mbps indicate how much encrypted traffic is entering the inspection engine from all the segments. The numbers in the brackets represent the high-level watermark since the IPS was powered on or the tier statistics were reset.
    Note
    Use the clear np tier-stats CLI command to clear out these statistics.
  • Utilization displays the percentage of rated system throughput and of traffic to next tier.
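
An added worked example (not vendor code or device output) for reading the Tier 1 A/B/C Balance, the Stack Balance, and the per-tier "Ratio to next tier" values together. The balance formula is an assumption chosen only to match the two endpoints described above (even split is 100%, a single unit is 0%), the funnel assumes each ratio is a percentage of that tier's own Rx traffic, and all numbers are constructed.

```python
# Added example with constructed numbers; not output from a real device.

def balance_pct(loads):
    """Balance score for per-XLR or per-stack-member loads (Mbps).

    Assumed formula: it reproduces only the endpoints the page states
    (even split -> 100, all traffic on one unit -> 0). The device's own
    calculation is not documented on this page.
    """
    n, total = len(loads), sum(loads)
    if n < 2 or total <= 0:
        return 100.0  # nothing to balance
    worst_share = max(loads) / total
    return round(100.0 * (1.0 - worst_share) / (1.0 - 1.0 / n), 1)


def tier_funnel(tier1_rx_mbps, ratios_pct):
    """Chain 'ratio to next tier' values into estimated Rx Mbps per tier.

    Assumption: each ratio is a percentage of that tier's own Rx traffic.
    ratios_pct holds the Tier 1, Tier 2 and Tier 3 ratios, in that order.
    """
    rx = [float(tier1_rx_mbps)]
    for ratio in ratios_pct:
        if not 0 <= ratio <= 100:
            raise ValueError(f"ratio out of range: {ratio}")
        rx.append(rx[-1] * ratio / 100.0)
    return {f"Tier {i + 1}": round(mbps, 1) for i, mbps in enumerate(rx)}


if __name__ == "__main__":
    print(balance_pct([400, 400, 400]))  # even A/B/C split
    print(balance_pct([1200, 0, 0]))     # all flows on a single XLR
    # Stack of three with one member in Intrinsic HA L2FB (counted as zero):
    # the two active members are even, yet the score still drops.
    print(balance_pct([600, 600, 0]))
    # 4000 Mbps at Tier 1; bypass, trust/block and trigger ratios shrink
    # the share that reaches Tier 4 deep inspection.
    print(tier_funnel(4000, [90, 60, 25]))
```

With these constructed inputs only 540 of 4000 Mbps reaches Tier 4, which is the tier where the tuning guidance above says processing cost is highest.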