User-Defined Metadata
User-Defined Metadata Enrichment
IP Address Enrichment Module
The IP address enrichment module provides supplemental information for IP addresses, such as hostname, autonomous system, geolocation, reputation and user-defined metadata. This information is cached for improved performance and flow record throughput. For more control over when enrichment is applied, you can include or exclude IP addresses from the various enrichers by CIDR, IP range or individual IP address.
For example:
```yaml
# Specify whether the IP/CIDR/Range is considered to be "internal".
192.0.2.0/24:
  internal: true

# Additional options are name, vlan, tags and metadata.
192.0.2.192/26:
  name: atlanta_guest_wifi
  vlan: 1001
  tags:
    - wifi
    - dhcp
  metadata:
    dhcp.pool.name: atlanta_guest_wifi
    .site.id: atlanta

# Metadata fields beginning with a . will be organized under the object containing the IP address.
192.0.2.194-192.0.2.198:
  metadata:
    .site.bldg.id: hq
    .site.floor.id: 2
    .site.rack.id: 1

# An individual IP address.
192.0.2.194:
  metadata:
    device.type.name: wifi_ap
```
Metadata Types (IP Addresses)
The user-defined metadata enricher supports a combination of predefined metadata types and enables you to provide custom data as key-value pairs. Table 1 describes the metadata types you can use for IP addresses.
Attribute | Data Type | Field Populated | Description |
---|---|---|---|
internal | boolean | <object>.isInternal | Specifies whether or not the IP belongs to a network considered to be internal. |
name | string | <object>.ip.subnet.name | Name given to this subnet. |
vlan | number (0-4094) | <object>.vlan.tag.id | A VLAN ID. |
tags | array of strings | <object>.ip.subnet.tags | Tags that describe attributes of the subnet or IP address. |
metadata | sequence of attributes | <object><attribute> or <attribute> | Key-value pairs added at the IP object or record level. |
Detailed Attribute Descriptions
internal
: Boolean attribute used to specify whether the CIDR, range or IP address is internal or external. This differs from whether the IP address is within a private or public IP range. Some private IP addresses are considered external, such as IPs used within a DMZ. Similarly, some public IPs are still considered internal if they are assigned to resources operated by the organization and to which access is generally restricted.
name
: String attribute used to provide a user-friendly name for a subnet that is relevant to the user or organization. Note: Only a single name value is returned for a given IP address. Make sure that there are no conflicting names among overlapping CIDRs, ranges and IP addresses. If you must assign multiple values, add them to the tags attribute instead.
vlan
: Enables you to specify a VLAN tag for a CIDR, range or IP address. This tag is typically assigned to the source and destination and the client and server related fields. It does not conflict with VLAN tags provided in the flow records from network devices: devices report the VLAN tags observed on their own interfaces, not those of the flow endpoints, and the VLAN tags reported by devices are typically assigned to the in and out related fields.
tags
: Array of string values for attributes that further describe the CIDR, range or IP address.
metadata
: List of key-value pairs added as fields to the record. These can be custom fields or existing fields from the Apstra Flow CODEX schema. When you specify CODEX fields, the configured metadata value overrides any value that already exists in the record.
You can specify key names with or without a leading ".":
- If specified with a leading ".", the field is placed within the parent object containing the network interface.
- If specified without a leading ".", the field is placed at the root of the record.
Consider the IP address from flow.src.ip.addr:
- If the metadata key is defined as .site.name, the value is assigned to flow.src.site.name.
- If the metadata key is defined as site.name, the value is assigned directly to site.name.
Merging Values from Multiple Definitions
You can merge attribute values for an IP address that matches multiple CIDR, range or IP address entries into a single result set.
For example:
```yaml
192.168.0.0/16:
  metadata:
    .geo.loc.coord: 48.167106,11.486918
    .geo.city.name: Munich
    .geo.country.code: DE
    .geo.country.name: Germany
    .geo.tz.name: Europe/Berlin

192.168.1.0/24:
  name: munich_hq
  tags:
    - campus
  metadata:
    sec.zone.name: campus

192.168.1.151-192.168.1.200:
  tags:
    - guest_wifi
    - dhcp
  metadata:
    .host.name: guest_wifi
    .ip.addr: 192.168.1.0
```
The above example includes:
- A Class C private network, 192.168.0.0/16, that includes location metadata.
- A 192.168.1.0/24 subnet tagged as the campus network, with the firewall zone to which it belongs.
- A range of IP addresses that belong to the guest WiFi and are assigned by DHCP.
Because the value of flow.src.ip.addr (192.168.1.152) matches all three entries in the above configuration, the resulting enrichment fields added to the record will be:
```yaml
flow.src.ip.subnet.name: munich_hq
flow.src.ip.subnet.tags: [campus guest_wifi dhcp]
flow.src.geo.loc.coord: 48.167106,11.486918
flow.src.geo.city.name: Munich
flow.src.geo.country.code: DE
flow.src.geo.country.name: Germany
flow.src.geo.tz.name: Europe/Berlin
sec.zone.name: campus
flow.src.host.name: guest_wifi
flow.src.ip.addr: 192.168.1.0
```
In the above use case, host.name and ip.addr were overridden with generic static values, anonymizing the individual guest WiFi users. This enables the traffic to be collected and analyzed without tracking each guest individually. It also allows network or security operations to investigate suspect traffic they might want to block, while preserving individual guests' privacy.
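As an added example (not Apstra's own code), the following Python models the merge described above for the configuration shown: span matching for CIDR, range and host entries, tag accumulation, a single name, and leading-dot placement of metadata under the flow.src object. The precedence rule (narrowest matching entry applied last) is an assumption, since the page does not state one.

```python
# Added example, not Apstra's own code: models how the user-defined metadata
# enricher merges name, tags and metadata from every matching CIDR, range or
# host entry, and how a leading "." places a key under the object holding the
# IP (flow.src here). Precedence is an assumption: narrowest entry wins.
import ipaddress

# Constructed copy of the three-entry configuration above, as parsed YAML.
CONFIG = {
    "192.168.0.0/16": {"metadata": {
        ".geo.loc.coord": "48.167106,11.486918", ".geo.city.name": "Munich",
        ".geo.country.code": "DE", ".geo.country.name": "Germany",
        ".geo.tz.name": "Europe/Berlin"}},
    "192.168.1.0/24": {"name": "munich_hq", "tags": ["campus"],
                       "metadata": {"sec.zone.name": "campus"}},
    "192.168.1.151-192.168.1.200": {"tags": ["guest_wifi", "dhcp"],
        "metadata": {".host.name": "guest_wifi", ".ip.addr": "192.168.1.0"}},
}


def span(key):
    """Return (first, last, size) for a CIDR, an 'a-b' range or a single IP."""
    if "-" in key:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in key.split("-", 1))
    else:
        net = ipaddress.ip_network(key, strict=False)
        lo, hi = net.network_address, net.broadcast_address
    return lo, hi, int(hi) - int(lo) + 1


def enrich(record, obj, config=CONFIG):
    """Merge every entry matching record[obj + '.ip.addr'] into a copy of record."""
    ip = ipaddress.ip_address(record[obj + ".ip.addr"])
    matches = [(span(k), e) for k, e in config.items()]
    matches = [(s, e) for s, e in matches if s[0] <= ip <= s[1]]
    matches.sort(key=lambda m: m[0][2], reverse=True)  # widest first, narrowest last
    out, tags = dict(record), []
    for _, entry in matches:
        if "name" in entry:                  # a single name is returned; last wins
            out[obj + ".ip.subnet.name"] = entry["name"]
        for t in entry.get("tags", []):      # tags accumulate across entries
            if t not in tags:
                tags.append(t)
        for k, v in entry.get("metadata", {}).items():
            # ".key" nests under the IP's object; "key" goes to the record root.
            # Either way an existing CODEX field such as ip.addr is overridden.
            out[(obj + k) if k.startswith(".") else k] = v
    if tags:
        out[obj + ".ip.subnet.tags"] = tags
    return out


if __name__ == "__main__":
    for k, v in enrich({"flow.src.ip.addr": "192.168.1.152"}, "flow.src").items():
        print(f"{k}: {v}")
```

Running it on a record whose flow.src.ip.addr is 192.168.1.152 reproduces the field set listed above, including the overridden flow.src.ip.addr of 192.168.1.0.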
Scoping Enrichment with Include/Exclude
You can limit the hostname, DNS, and MaxMind GeoIP enrichment features to a subset of IP addresses by specifying ASNs or CIDRs in include/exclude definitions. You can update the include/exclude definitions in the provided YAML files and have them refreshed without restarting the Apstra Flow collector. See /etc/juniper/hostname/incl_excl.yml and /etc/juniper/hostname/user_defined.yml.
The following output shows an example of include/exclude definitions:
```yaml
include:
  asn:
    - 14168
  cidr:
    - 10.0.0.0/8
    - 192.168.0.0/16
exclude:
  #asn:
  #  -
  cidr:
    - 192.168.100.0/24
```
Evaluation of Include/Exclude Definitions
It is important to understand how include/exclude definitions are evaluated to ensure your configuration provides the desired outcome.
The following rules apply:
- If no specific include values are defined, everything is included.
- Exclude values are evaluated within the scope of the included values.
Examples of Include/Exclude Definitions
While the following examples use only CIDRs, the same logic applies to ASN values.
- no include/exclude definitions
- only include is defined
- only exclude is defined
- both include/exclude are defined
no include/exclude definitions
```yaml
# no path provided or an empty file
```
If no include/exclude definitions exist, everything is included.
IP Address | Included |
---|---|
192.168.0.1 | yes |
10.0.0.1 | yes |
10.111.0.1 | yes |
only include is defined
```yaml
include:
  cidr:
    - 10.0.0.0/8
```
Only those IP addresses within a defined AS or CIDR are included. In this example, only IP addresses within the CIDR 10.0.0.0/8 are included.
IP Address | Included |
---|---|
192.168.0.1 | no |
10.0.0.1 | yes |
10.111.0.1 | yes |
only exclude is defined
```yaml
exclude:
  cidr:
    - 10.111.0.0/16
```
All IP addresses not specifically excluded by the defined AS or CIDR are included. In this example, all IP addresses except those within the CIDR 10.111.0.0/16 are included.
IP Address | Included |
---|---|
192.168.0.1 | yes |
10.0.0.1 | yes |
10.111.0.1 | no |
both include/exclude are defined
```yaml
include:
  cidr:
    - 10.0.0.0/8
exclude:
  cidr:
    - 10.111.0.0/16
```
Only those IP addresses within a specified AS or CIDR are included, except those within an excluded AS or CIDR.
IP Address | Included |
---|---|
192.168.0.1 | no |
10.0.0.1 | yes |
10.111.0.1 | no |
- 192.168.0.1 is not included because it is not within an included AS or CIDR.
- 10.0.0.1 is included because it is within an included AS or CIDR.
- 10.111.0.1 is not included because, although it is within the included CIDR, it is within an excluded CIDR.
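The four cases above, evaluated by an added Python model (not Apstra's own code) of the two rules. The ASN of an address is assumed to be supplied by the caller, since the page does not show how the collector derives it.

```python
# Added example, not Apstra's own code: applies the two evaluation rules above
# to include/exclude definitions loaded from incl_excl.yml. An IP's ASN is not
# derived here (the page does not show how the collector obtains it); the
# caller passes it in, and None means no ASN is known.
import ipaddress


def in_cidrs(ip, cidrs):
    """True if ip falls inside any of the listed CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def matches(ip, asn, section):
    """True if ip/asn hits any asn or cidr value of an include/exclude section."""
    section = section or {}          # a missing or commented-out section is empty
    return asn in (section.get("asn") or []) or in_cidrs(ip, section.get("cidr") or [])


def is_included(ip, rules, asn=None):
    rules = rules or {}              # no file or an empty file
    include = rules.get("include") or {}
    # Rule 1: with no include values defined, everything is included.
    if (include.get("asn") or include.get("cidr")) and not matches(ip, asn, include):
        return False
    # Rule 2: excludes are evaluated within the scope of the included values.
    return not matches(ip, asn, rules.get("exclude"))


# Constructed rule sets mirroring the four cases in the text.
NONE_DEFINED = {}
ONLY_INCLUDE = {"include": {"cidr": ["10.0.0.0/8"]}}
ONLY_EXCLUDE = {"exclude": {"cidr": ["10.111.0.0/16"]}}
BOTH = {"include": {"cidr": ["10.0.0.0/8"]},
        "exclude": {"cidr": ["10.111.0.0/16"]}}
SAMPLE_IPS = ("192.168.0.1", "10.0.0.1", "10.111.0.1")


def table(rules, ips=SAMPLE_IPS):
    """Return {ip: included?} for the sample addresses, like the tables above."""
    return {ip: is_included(ip, rules) for ip in ips}


if __name__ == "__main__":
    for name, rules in (("none", NONE_DEFINED), ("include", ONLY_INCLUDE),
                        ("exclude", ONLY_EXCLUDE), ("both", BOTH)):
        print(name, table(rules))
```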