Determining best path route using path monitoring metrics

PBR uses either static cost or path monitoring (dynamic metrics) to route its traffic.

Path monitoring, when configured on interfaces, derives metrics such as round trip time (RTT), jitter, mean opinion score (MOS), and packet loss per interface. These metrics are used to determine the best path for routing PBR traffic.

ICMP-based path monitoring method

The metrics on the interfaces are collected dynamically using ICMP probe messages to the interface's default gateway or a specified remote peer.

HTTP-based path monitoring method

Path monitoring calculates dynamic metrics for each remote peer associated with an interface. HTTP is preferred over ICMP when monitoring multiple applications and determining the best path through a policy on a branch firewall, because:

  • HTTP-ping can derive the performance metrics of the path up to the application layer of the server, where the application is hosted.

  • Because the application domain is tracked instead of the IP address, you do not need to change the firewall configuration when the application server IP address changes.

Note

You can configure both ICMP and HTTP on the same interface. If the destination in the policy matches any of the domain IP addresses, the corresponding metrics are used. If the destination does not match any of the configured domains, PBR uses the ICMP metrics to select the outgoing interface.

Default monitoring timers for metric collection

For metric collection and monitoring, the following timers are used:

  • The interface monitor average interval is 30 seconds. This interval is the period over which the probe results are averaged.

  • The interface monitor update interval is 30 seconds. This interval indicates the frequency at which the average of the collected values is calculated and made available for PBR to determine the best routing path.

  • The interface monitor probe interval by ICMP is one second. This interval indicates the frequency at which an ICMP ping is sent.

  • The application monitor probe interval by HTTP is 10 seconds. This interval indicates the frequency at which an HTTP ping is sent. Path monitoring uses the last 30 samples of HTTP ping for calculating the average metrics.

Note

You cannot configure or modify the interval for any of these timers.

PBR and path monitoring

Typically, in PBR, traffic is forwarded through egress interfaces based on the priority value (interface cost) configured on them. From management center version 7.2, PBR uses IP-based path monitoring to collect the performance metrics (RTT, jitter, packet loss, and MOS) of the egress interfaces. PBR uses the metrics to determine the best path (egress interface) for forwarding the traffic. Path monitoring periodically notifies PBR about monitored interfaces whose metrics have changed. PBR retrieves the latest metric values for the monitored interfaces from the path monitoring database and updates the data path.

Path monitoring functions only with dynamic metrics, and only if the RTT, jitter, packet loss, or MOS variables are set on the interfaces. It does not function with static metrics, that is, the interface cost (the cost set on the interface).

You must enable path monitoring for the interface and configure the monitoring type. The PBR policy page allows you to specify the desired metric for path determination. See Configure policy-based routing policy.

PBR and HTTP-based path monitoring

From management center version 7.4, PBR can be configured to use HTTP-based path monitoring to collect the performance metrics of the application domains and not just one destination IP address. Path monitoring begins only after a DNS entry for a domain is detected; it does not start immediately when HTTP-based application monitoring is configured. After obtaining the resolved IP address for the domain, path monitoring sends an HTTP request and receives a response. If DNS resolves multiple IP addresses for a domain, path monitoring probes and monitors the application using the first resolved IP address. Path monitoring continues until the IP address changes or until HTTP-based monitoring is disabled.

Based on the HTTP request and response durations, path monitoring computes the performance metrics for the application. Path monitoring sends collected metrics to PBR at regular intervals so that PBR can make routing and forwarding decisions for traffic from the configured ingress interface. If traffic arrives before path monitoring sends metrics to PBR, the routing table determines the traffic flow. Once metrics are available, PBR uses them to make routing decisions for subsequent traffic.

Note

Based on the Network Service Groups (NSGs) in the match ACL of the policy, you can apply PBR to multiple domains that have multiple IP addresses.

The management center associates applications and NSGs with the egress interface only when the PBR configuration meets these criteria:

  • The match ACL contains the monitored applications.

  • The PBR policy is configured with any one of the following interface ordering values (metric type):

    • Minimal Jitter

    • Maximum Mean Opinion Score

    • Minimal Round-Trip Time

    • Minimal Packet Loss
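
The selection behavior described above (the last-30-sample HTTP average, domain metrics taking precedence over ICMP metrics, and the routing table deciding before any metrics exist) can be modeled as follows. This is an added example, not Cisco's code: `PathMonitor`, `select_egress`, the interface names `wan1`/`wan2`, the domain, and all addresses and values are constructed, and the per-interface fallback to ICMP metrics is a modeling assumption.

```python
from collections import deque
from statistics import mean

HTTP_WINDOW = 30  # the page: averages use the last 30 HTTP-ping samples
ORDERING = {      # interface ordering value -> (metric key, higher is better)
    "Minimal Jitter": ("jitter", False),
    "Maximum Mean Opinion Score": ("mos", True),
    "Minimal Round-Trip Time": ("rtt", False),
    "Minimal Packet Loss": ("loss", False),
}

class PathMonitor:
    """Toy metric store that PBR reads; a model, not Cisco's implementation."""
    def __init__(self):
        self.icmp = {}       # interface -> already-averaged ICMP metrics
        self.http = {}       # (interface, domain) -> last HTTP samples
        self.domain_ip = {}  # domain -> first resolved IP address

    def resolve(self, domain, ips):
        self.domain_ip[domain] = ips[0]  # only the first address is probed

    def add_http_sample(self, iface, domain, **metrics):
        if domain not in self.domain_ip:
            return  # no DNS entry detected yet, so probing has not started
        window = self.http.setdefault((iface, domain), deque(maxlen=HTTP_WINDOW))
        window.append(metrics)

    def metric(self, iface, dst_ip, key):
        for (i, domain), window in self.http.items():
            if i == iface and self.domain_ip[domain] == dst_ip:
                return mean(s[key] for s in window)  # domain metrics win
        avg = self.icmp.get(iface)                   # otherwise ICMP metrics
        return avg.get(key) if avg else None

def select_egress(mon, ifaces, dst_ip, ordering):
    key, higher = ORDERING[ordering]
    scored = [(mon.metric(i, dst_ip, key), i) for i in ifaces]
    scored = [(m, i) for m, i in scored if m is not None]
    if not scored:
        return None  # no metrics yet: the routing table decides
    return (max if higher else min)(scored)[1]

def demo():
    mon = PathMonitor()  # constructed sample data; names and values are made up
    mon.icmp = {"wan1": {"rtt": 20, "mos": 4.3}, "wan2": {"rtt": 35, "mos": 4.1}}
    mon.resolve("app.example.com", ["203.0.113.10", "203.0.113.11"])
    for n in range(40):  # 40 samples; only the last 30 are averaged
        mon.add_http_sample("wan1", "app.example.com", rtt=300 if n < 10 else 90, mos=3.9)
        mon.add_http_sample("wan2", "app.example.com", rtt=60, mos=4.2)
    rtt = "Minimal Round-Trip Time"
    return (select_egress(mon, ["wan1", "wan2"], "203.0.113.10", rtt),  # domain IP
            select_egress(mon, ["wan1", "wan2"], "198.51.100.7", rtt),  # no domain match
            select_egress(PathMonitor(), ["wan1", "wan2"], "198.51.100.7", rtt))
```

In the sample data `wan1` has the better ICMP RTT but the worse HTTP RTT to the application, so the chosen egress interface differs depending on whether the destination matches the monitored domain's address.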