Networking - Network Command Center

Module Overview

Welcome to this module on Network Command Center services. In OCI, Network Command Center services pr
ovides you a set of services and tools that help you troubleshoot and diagnose network issues. We have differe
nt tools, for example, inter-region latency, network visualizer, network path analyzer, and virtual test access poi
nts, which also includes the discussion on capture filters. So let's get started.

=======

Network Command Center Overview

Hello, and welcome to this lesson on Network Command Center overview. Let's get started. So what is Networ
k Command Center? Well, it's a tool or it's a service which helps you provide a unified experience for all your vi
rtual network monitoring needs so you get access to all the tools from a single place. And there are tools that
will help you visualize your network, perform monitoring, as well as perform troubleshooting.

So what are the different tools that are there in Network Command Center? The first tool is Network Visualizer.
It provides an interactive visualization of your virtual network topology, showing resource interconnections and
dependencies. Then, we have Network Path Analyzer, which helps you identify virtual network configuration is
sues by analyzing the configured connectivity.

Then, there is flow logs that helps you capture network traffic information that supports your monitoring and s
ecurity needs. There is a service, which is known as inter-region latency dashboard. So it is going to provide a vi
ew of network health and metrics for network service elements across all regions.

Virtual test access points or VTAP allows you to mirror all traffic to or from a designated source, and send it to
a selected target in order to facilitate troubleshooting, security analysis, and data monitoring. And the capture
filter contains a set of rules governing what traffic is captured by a virtual test access point or a flow log.

So this was a 10,000-foot overview lesson of Network Command Center services. In the subsequent lessons, w
e are going to look at some of these in detail. Thanks for watching.

==

Inter-Region Latency

Hello, and welcome to this lesson on Inter-Region Latency. So let's get started.

We all know that in OCI, there is a concept of OCI backbone network. And what is that backbone network? It's
basically the global private IP network that Oracle Cloud workloads they use when communicating between di
fferent regions. So this inter-region latency, it's going to reflect the traffic flowing through that backbone netwo
rk.

And in this diagram, you can see that the current and historical inter-region latency information between Phoe
nix and Melbourne region, this can basically help customers to make intelligent region selections for business e
xpansion reasons. So this inter-region latency dashboard, it is going to display the average inter-region round-
trip latency for all pairs of regions in an OCI realm.

So as I mentioned, it's going to display average inter-region round-trip latency. The Inter-Region Latency Dashb
oard is not available in realms that has one region. And the latency information provided is not specific to your
tenancy's workloads. So keep that in mind that these statistics, they provide visibility into latency between all r
egions just to help you plan scenarios such as data transfer and backups.

So there are two charts that this Inter-Region Latency Dashboard is going to show you. The first one is the curr
ent inter-region round-trip time. And the second one is the inter-region round-trip time. So let's take a look at
both the charts.

So the first one is current inter-region round-trip time. So you can think of it like the current or real-time snaps
hot that is expressed in milliseconds. And this particular snapshot is an average of values over the last five min
utes. And this view, it gets updated every minute.

So as you can see here, we are interested to determine the inter-region round-trip time between Germany Cen
tral and US East or Ashburn. So each cell displays the round-trip time in milliseconds, depending on the origin a
nd destination pair. In our case, we have the data going from the Frankfurt to the Ashburn region.

And you can see that the latency in this case would be around 97.24 milliseconds. And this value is based on th
e average values over the past five minutes. So that is our first chart.

The second chart is inter-region round-trip time, which is also in milliseconds, but it shows the historical view o
f the last 30 days. So we can choose the source and destination region, and then the dashboard is going to prov
ide us the historic snapshot of the last 30 days. So you basically can use this historical data to validate the netw
ork performance.

So let's talk about some of its use cases. The first use case is network planning. So when it comes to selection o
f a region, we know that there are so many factors influencing it. For example, disaster recovery, compliance, d
ata residency, and performance.

So using this Inter-Region Latency Dashboard, you can determine the performance impact different regional sel
ections can have. And it also helps you in making the optimal selection for your cloud deployment.

You can also use it to troubleshoot performance issues. You can validate network performance, both the real-
time performance as well as historic performance, by utilizing the Inter-Region Latency Dashboard.

And then, you can also utilize the latency information that is available through the monitoring API. And you can
also integrate metrics into your on-prem monitoring platform so that you are notified whenever the defined lat
ency thresholds are exceeded.

So this marks the end of this lesson. Thanks for watching.

Demo: Inter-Region Latency

Welcome to this demonstration on inter-region latency. So let's get started. I'll take you to the OCI Console, an
d I'll click on the Navigation menu. Under Networking, if you see here, there is something called Network Com
mand Center, so I'll click on it. So this is where you will find all the services related to the Network Command C
enter. Under Visualizations and Dashboards, you will see Inter-region latency. So let me click on it.

So this is the Inter-Region Latency dashboard, and it basically consists of two charts. The first chart is this one,
Current Inter-Region Round Trip Time in milliseconds. So this is the first one. And let me show you the second o
ne as well, Inter-Region Round Trip Time milliseconds for the last 30 days.

So first, let me take you to this particular chart. And this is where you provide or select the region. For example
, let me select Phoenix and Mumbai. So I want to see the average network round-trip latency between Phoenix
and Mumbai. The moment I click on Show-- so this is your Phoenix and this is your Mumbai.

And you can see that currently, it is 247.82. So this 247.82 is an average of the values over the last 5 minutes. A
nd if you see here, you also see that the new measurements are captured every minute. All right, so this is the
first chart.

Let me go to the second chart, which is Inter-Region Round Trip Time for the last 30 days. So this is going to sho
w you the historical view of the last 30 days. So again, I will just search for Phoenix. And here, I will type Mumb
ai. And I can click on Show.

So you see, this is the historical view of the last 30 days. So that's pretty much it about this dashboard. Thanks f
or watching.

===

Network Path Analyzer

Welcome to this lesson on Network Path Analyzer. Let's get started. So what is a Network Path Analyzer? It's ba
sically a Command Center tool that's going to identify connectivity problems.

So how does it do that? It uses automated configuration analysis. It's going to analyze the routing rules and sec
urity rules. And it's also going to query the networking constructs to look for the configuration that will allow t
o check reachability.

It also provides hop-by-hop path visualization. And when it comes to analysis, it supports both bi-directional an
d uni-directional analysis. Bi-directional means both forward and return path.
So let's now look at the features of Network Path Analyzer. It is going to precisely point out routing and security
configuration issues. It also supports connectivity to Oracle Services Network via service gateway or private en
dpoint.

So when we use Network Path Analyzer, the actual traffic is not sent. Instead, the configuration is examined an
d used to confirm reachability. The service is free. And as a result, it does not incur any cost no matter how ma
ny of these analysis you run. And Network Path Analyzer supports different scenarios, such as the source and t
he destination could be within OCI or across OCI and on-premises, or OCI and internet. So all these scenarios ar
e supported.

So in this scenario, you see that there is one instance inside one of the VCNs which is trying to connect to anot
her instance inside another VCN. And both the VCNs are connected to the dynamic routing gateway via VCN att
achments. But you see that the traffic from the DRG and compute via the VCN to attachment is denied. Why? B
ecause the security list is misconfigured. And hence, the status is unreachable.

Now let's have a look at another scenario. This time, the communication is between OCI and internet. So here,
it analyzes how the traffic flows from resources in OCI to the resources on internet. You can see that there is no
route configured. And an egress rule is denying access to the Google Public DNS server. You can quickly configu
re the required route and security rules to fix the issue.

Now let's have a look at some of the use cases of Network Path Analyzer. So you can troubleshoot routing and
security misconfigurations that are causing connectivity issues. This significantly reduces the mean time to reso
lution for this type of outage.

It performs on-demand validation of the logical network paths to match the intent, and verify that the connecti
vity setup will work as expected before onboarding production applications. This actually avoids delays in actua
l application deployment. And users can proactively verify and validate the network routing and security policy

configurations.

This marks the end of this lesson on Network Path Analyzer. Thanks for your time.

===

Demo: Network Path Analyzer

Hello, and welcome to this demonstration on network path analyzer. Let's get started.

I'll take you to the OCI Console. Let me first show you what all resources I have created. So I have created a VC
N with the name, npademovcn. And inside this VCN, I have a subnet, which is npademosubnet. I have also crea
ted internet gateway. And the default Route Table, I have not made any changes, so it is as it is, right.

And also, if I show you the security list-- if you look at the Default Security List, in Egress Rules, you see that the
destination is internet, All Protocols, Allows All traffic for all ports. I also have an instance running in that partic
ular VCN in a public subnet. And you see that this is the public IP address.
So let me now take you to the network path analyzer. I'll click on the navigation menu. I'll click on Networking.
Under Network Command Center, click on Network Path Analyzer. So click on Create path analysis. Just call it d
emoanalysis. OK with the compartment. OK with the protocol. But just to show you, there are so many protoco
ls that you can select from.

Now it is asking for the Source. So you have the option of entering the IP address or finding the OCI resource. I
will go for Find the OCI resource. And the Source type is Compute Instance. So my Compute Instance is going t
o be npademoinstance. And the VNIC is going to be the same.

The Source IP address, I'll select the public IP address. If you click on Show advanced option, you can also use t
he source port. And then it is asking for the Destination IP address. Or you can also provide the destination OCI
resource. So I'll go for Enter an IP address. And I will enter 8.8.8.8, which is the Google Public DNS server. And t
he port is 53.

So this time, I am going to select Uni-directional traffic. I'll click on Run analysis. And you see that it is currently
loading. All right, so it is 100% completed now. And unfortunately, the Status is Unreachable. And you see the S
uccessful hops, 0. So this is our instance, which is sitting inside the subnet in a demo VCN. And then, this is the
internet, this is the IP.

So let me just scroll down. OK, so it has analyzed that there is No route. So the routing configuration is not corr
ect. And then the Security is allowed. So if I return back to the VCN, I go to the Route Tables, I go to the default
route table.

OK, so I had purposefully not added the route out to the internet gateway just to show you. Select the Target g
ateway, and click on Add Route Rules. If return back to the network path analyzer, and this time, if I click on An
alyze, let's see what happens.

OK, so you see that it is now 70% completed. 100% completed. And now, if we look at the result, it says the Sta
tus is now Reachable, and there are 2 hops, hop 1, hop 2. You can look at the details.

If you click on hop 1, you can see that this is from the instance to the internet gateway. All right, and then if yo
u click on hope 2, you can also see that it is from internet gateway to 8.8.8.8. So Routing forwarded, Security all
owed. And the Status is Reachable.

So this is how you can create a path analysis when it comes to working with network path analyzer. You can als
o save the analysis so this gets saved. And similarly, here you see that you can also enter an IP address. And De
stination, you can provide as an OCI resource. And it can be also between OCI to OCI. So this marks the end of t
his demonstration on network path analyzer. Thanks for your time.

====

Network Visualizer

Welcome to this lesson on Network Visualizer. Let's get started. So here, you can see one of the sample networ
k architectures in OCI. You can see that inside the OCI region, there are two VCNs. And you can also see that th
ere are different types of gateways, for example, service gateway, local peering gateway, dynamic routing gate
way, and we also have a customer premises equipment on the on-prem site.
Then you can see that there are different subnets. And inside the subnets, there are different resources, for ex
ample, virtual machine, database system, and we also have object storage in Oracle Services Network. So here,
we have just three VCNs, but as more VCNs, subnets, and gateways are added, it becomes difficult to visualize t
he overall architecture.

So that is when the Network Visualizer comes into action. Network Visualizer is a service that helps you visualiz
e the whole network of any complexity very easily. So let's look at how it helps us to improve the overall custo
mer experience.

So in this diagram, you can see that these are the spoke VCNs, this is the hub VCN. And the hub VCN is connect
ed with dynamic routing gateway. And you can also see the remote peering connection and connection with yo
ur on-premise network. So you will also be able to very quickly navigate between its core components.

So now, as I mentioned, Network Visualizer is going to provide a diagram of implemented topology of all the V
CNs in a selected region and tenancy. So you can start with the regional topology, and then drill down to subne
t topology to get information about the whole network.

So there are three things here. The first is regional topology map. So here, you are going to get a high level layo
ut of your entire virtual network configuration. So things like dynamic routing gateways, VCNs, customer premi
ses equipments, and different types of gateways.

In VCN topology map, you will see the organization of a single VCN, including its subnets, the routing configura
tion. And in subnet topology, you can see information about the instances, load balancers, and services like OK
E clusters in the subnet.

So what are the use cases of Network Visualizer? Firstly, it helps you visualize and troubleshoot network securit
y configuration issues. So you are basically going to see the relationship of the security list and NSGs with other
virtual network resources.

So this service provides deeper insights which will also help you visualize the relationships between those reso
urces and understand the impact of any change that you are making in the architecture. You can also get an en
hanced view of the dynamic routing gateway attachments so you can easily troubleshoot any transit routing co
nfiguration issues.

This marks the end of this lesson. Thanks for watching.

========

Demo : Network Visualizer

Welcome to this demonstration on Network Visualizer. Let's get started. I'll take you to the OCI Console, and I'll
click on Navigation menu. Click on Networking. And under Network Command Center, I'll click on Network Visu
alizer.

So you see, the first time you are inside the Network Visualizer, it is going to load the Regional routing map. Yo
u have an option to change the compartment or also include child compartments. So let me first show you that
you have a search functionality, where you can find resources on maps. And then there are these filters with re
spect to Compartment.

And if you click here, you will also be able to see the Map Legend. That means if you see something like this, it i
s OCI Region, if you see something like this, this is VCN, the Dynamic Routing Gateway, and the different types
of gateways. So this is the Map Legend.

So you can see that it has constructed a Regional routing map. There are two different VCNs, testvcn and npad
emovcn that are currently attached to the dynamic routing gateway. All right, so this is one view.

Let's say I want to go inside this VCN, so I'll click here. You can see the Resource summary, the State, and you ca
n also view the additional resource details. Under Resource maps, you can also see the VCN routing as well as s
ecurity map. So let me click on VCN routing map.

So now, you see that it is showing you the Virtual Cloud Network routing map. And using the map mode here, y
ou can switch between the routing and the security mode. So this is the routing mode. And you see that it is sh
owing a route out to the internet gateway. It is also showing that it is currently also attached to the dynamic ro
uting gateway. This is the VCN.

Now if you click on this subnet, under Resource summary, you can see the details of the subnet. Under Resourc
e maps, you can also look at the subnet inventory map or the subnet security map. So let me click on subnet in
ventory map. It is loading the network map.

So here is your subnet inventory map. And if I click here, you will see the Resource summary. This is basically th
e instance that is running inside this npademosubnet. And this is the inventory mode. If I click on Security, it is
currently showing that this particular subnet is associated with a default security list. And hence, these are the
security rules that are enforced at this VNIC level.

You also have the option to Create a Path Analysis from here itself. For example, creating source or creating des
tination. So if you are working with Oracle Cloud Infrastructure, at some point of time, you will design an archit
ecture which is really complex.

So the purpose of Network Visualizer is to provide a diagram of the implemented topology of all the VCNs in th
e selected region and tenancy. So this concludes our demonstration. Thanks for watching.

==========

Capture filters

Welcome to this lesson on capture filters. Let's get started. Let me first do some whiteboarding to explain you
what this capture filter is. Now as a part of Network Command Center Services, there is something called flow l
ogs. And there is also something called VTAP. So this VTAP is Virtual Test Access Points.

So when you are using either flow logs or Virtual Test Access Points, you can use capture filters to select which
traffic to include in either flow logs or Virtual Test Access Points. So as the name suggests, it is actually a filter,
because you can decide what type of traffic to capture, and hence, the name is capture filters.
So let's go through the deck and look at capture filters in some detail. So capturing all the traffic flowing throug
h the network can sometimes cause performance degradation, hence, we can use capture filters to include onl
y the required traffic by either the flow logs or VTAP. In this case, we are considering a Virtual Test Access Point.

So a capture filter is associated with a VTAP configuration. And it defines what type of traffic to capture. A VTAP
must have a capture filter associated with it. And each capture filter must have at least one rule and can have u
p to 10 rules.

Now capture filter rules are examined in order. And they are executed when matched. Now when a match is fo
und, the remaining rules are not going to be examined or executed on that particular packet. So what that mea
ns? That means if you reorder the rules, the capture filter behavior is going to change. And therefore, the order
ing of the rules is very critical here.

So as you can see in the screenshot, you can create capture filter rules with include or exclude actions, such as
source and destination CIDR, protocol, source and destination port. Traffic direction setting captures the traffic
based on ingress or egress criteria. Now if a rule doesn't specify a CIDR block or prefix or the IP protocol, all the
IP addresses or IP protocols are accepted for that rule.

Now in the example shown in the screen, VTAP source is load balancer, which is distributing web traffic to back
-end web servers. You see those servers are there inside subnet A. And the VTAP target is network load balanc
er. And the capture filter is going to filter ingress HTTP traffic coming to load balancer from the internet for ide
ntifying anomalous web traffic.

And that is what you see on the rule that we have defined on the left. You see the traffic direction is ingress. Th
e source CIDR is 0000, which means internet. The destination CIDR is that of subnet A. And the IP protocol is TC
P. And the destination port is 80. So that means it's an ingress HTTP traffic.

So let's take an example to understand how the capture filter rules work. Let's say your intention is to capture a
ll traffic from CIDR 10.1.0.0/16 except 10.1.1.1. Now there are different ways in which you can design the rules
or create the rules.

Now this is one way. First of all, you are defining the source CIDR 10.1.1.1/32, Exclude, and then you are defini
ng the other include rules. So what's going to happen in this case? In this case, the capture filter is going to eva
luate each packet in the traffic against the rules that are in the defined sequence order.

So when there is a packet from 10.1.1.1, it's going to match the first rule, and it is going to be excluded from th
e mirrored traffic. Similarly, if we move our first rule to third, you see this time, the source CIDR 10.1.1.1/32, Ex
clude is now in number 3.

So what's going to happen? This time, it's not going to work. Because the traffic from 10.1.1.1 is going to be inc
luded by the first rule because of change in position, and hence, the third rule is not going to be evaluated.

So the packet will match the first rule, and is going to be included in the mirrored traffic. And the further rule e
valuations are skipped. So this is not serving our purpose, and hence, it is very important to understand the se
quence of the rules and how it works.

So this marks the end of this lesson. Thanks for watching.

Demo: Capture filters

Welcome to this demonstration on capture filters. Let's get started. I'll take you to the OCI Console, where I will
take you to Networking. Under Network Command Center, click on Capture Filters. So let me click on Create Ca
pture Filter. I'll give it a Name, demo capture filter.

And when you create a capture filter, it is going to ask you for the Filter type. So you have two choices. You can
use this capture filter to select what is included in flow logs, or you can also use it with VTAP. So let's select Flo
w log capture filter. And Sampling rate is basically the percentage of network flows that you would like to captu
re, so let me make it 100%.

So this is where you define the Rules. So under Traffic disposition, I will select All. Include. The Source IP, option
al. The Destination IP, optional. What I'm going to do now is I'll keep everything as default. And you see that I'
m also selecting All as the IP protocol. So I'll click on Create capture filter.

So this is how you create the capture filter. Now, I will return back to the Network Command Center. Under Tra
ffic monitoring, I will click on Flow logs. I will click on Enable flow logs. I'll give my File name prefix a name. I'll s
elect the Flow log destination. I don't have the Log group as of now, so I'll create a new log group.

OK, so now the log group is created, now I can enable the flow logs. Now it's asking for the Capture filter. We h
ave already created a capture filter, so this time, I'm going to select this. I'll click on Next.

Now this is where you need to add Enablement points, so click on Add enablement point. I'll select VCN. Click o
n Continue. I will select npademovcn. Click on Add enablement points. I'll click on Next. I'll click on Enable flow
logs.

All right, the flow log is now successfully enabled. And in case you want to view the log data, you need to go to
the log group. So this is the log group. And in some time, you will be able to see the log events here.

All right, so now you can see that the logs have actually started appearing here. And you see REJECT UDP, and t
hen ACCEPT TCP. Right, REJECT UDP. You see a lot of logs. So you are able to see both reject and accept. And yo
u are also able to see TCP, UDP because we haven't explicitly called out that in our capture filters.

So I'll go to the capture filter. Let me click on this, click on Manage rules. And this time, I'm going to, let's say, se
lect Reject. So I want to select Reject as the Traffic disposition. I don't want the ones that are accepted. So I'll cl
ick on Save Changes.

Now you see it is Reject. We'll go back to the log group. So this is the one. So we will wait for new logs. And thi
s time, we are going to observe that there will be only REJECT messages that will be captured.

OK, so I paused the video for a couple of minutes. And on returning, you can observe that this time, it's all REJE
CT messages, right? There is no ACCEPT message. Because in the capture filter, we have selected Traffic disposi
tion as Reject.
Previously, if I go back to the next page-- previously, you were able to see a mixture of reject and accept. You se
e, ACCEPT was also there, REJECT was also there. So this marks the end of this demonstration. Thanks for watc
hing.

=======

Virtual Test Access Points

Welcome to the lesson on virtual test access points. Let's get started. So virtual test access point provides a wa
y to mirror traffic from a designated source to a selected target to facilitate troubleshooting, security analysis,
and data monitoring. If you have multiple VTAPs with an overlapping source configuration, then the traffic from
the VTAP with the more specific source will be mirrored.

Now, VTAP source is the resource that the VTAP monitors. The traffic on this resource is mirrored and sent to a
chosen target. And please note that the VTAP source and target must be hosted in the same VCN. So what are t
he important components of VTAP? So in VTAP, you have a VTAP source, a VTAP target, and a capture filter.

So let's look at an example. In this example, the virtual machine in subnet A is sending the traffic to another vir
tual machine in subnet B. There is a VTAP in subnet A that checks traffic leaving the virtual machine. And becau
se this traffic matches the capture filter in use, the VTAP is going to mirror the traffic to the target. And in this c
ase, it's the network load balancer that is deployed in subnet C. Then the backend set can perform appropriate
analysis on the mirrored traffic.

Let's talk about some of its components. So each VTAP consists of three different components. The first is VTAP
source, which is the resource that the VTAP monitors. Then there is VTAP target. As I explained, the traffic on t
he source is going to be mirrored and sent to a chosen target. And then there are capture filter rules that selec
t what is going to be included in the traffic, which is mirrored from the source to the target.

Now, the traffic is encapsulated in VxLAN and then sent to VTAP target, which is the network load balancer via
UDP port 4789. Now, what exactly is a VTAP source? There are different sources from where we can capture th
e traffic. The VTAP sources can be a single compute instance VNIC in a subnet, or it can be a load balancer, a da
tabase system, an exadata VM cluster, or an autonomous database.

Now, VTAP target receives the mirrored traffic from the selected VTAP source. And the VTAP target must be a n
etwork load balancer with UDP listener on port 4789. And remember, it should be in the same VCN as the VTA
P source. And the backend set can then perform the appropriate analysis on the mirrored traffic.

So what are the typical use cases of VTAP? So things like performing deep packet inspection so that you can det
ect anomalous behavior. Also from a compliance standpoint, there can be a mandate to log and monitor the tr
affic. And it also helps in troubleshooting because you will be able to identify the issues that is impacting the p
erformance of applications.

All right. This marks the end of this lesson. Thanks for your time.
======

Demo: Virtual Test Access Points

Welcome to this demonstration on Virtual Test Access Points. Let's get started. I'll take you to the OCI Console.
In the Navigation menu, I'll click on Networking. Under Network Command Center, I will click on VTAPs.

So let me show you how you can create a VTAP. We know that VTAP uses a capture filter which will contain the
set of rules. And that will basically decide what a VTAP is going to mirror. So let me create a VTAP.

I will give it a name, vtapdemo. I'll select the compartment. I'll select the VCN. Now this is where you define th
e Source. And these are the supported Source types, like DB system, Exadata VM cluster, Instance VNIC, Load b
alancer, and Autonomous Data Warehouse. I'm going to select Instance VNIC. So I'll select the Subnet. And I wil
l select the VNIC. So this is going to be the source VNIC of this particular instance.

Now under Target, you can have Network load balancer. So I already have a network load balancer which is cre
ated. So I'll click on Network load balancer. Then, I also need to associate the VTAP with a Capture filter. So sele
ct a capture filter. One of the capture filters is already existing, so I'll just select it.

And under Advanced Options, you can provide this VXLAN network identifier. If you don't provide, then Oracle
is going to generate one for you. You can also configure the maximum packet size. So this Priority mode-- if you
enable the Priority mode, then this mirrored traffic is given the same priority as production traffic. Let me hide
the advanced options and click on Create VTAP.

So my Virtual Test Access Point is now available. But you see that by default, its Status is Stopped. So what you
need to do is you need to start the VTAP before it mirrors the traffic. So I'll click on Start.

So this says that if you start this VTAP, the traffic at the source is going to be mirrored to the target, which in ou
r case is the instance behind the network load balancer, and then you can have monitoring tools that can perfo
rm analysis on top of the traffic. So I'll click on Start.

OK, so the VTAP is now successfully started. So it's currently running. In the same way you started the VTAP, yo
u can also stop the VTAP. So when you stop the VTAP, the mirroring is going to be suspended between the sour
ce and the target. So click on Stop. OK, so now, you see that the vtapdemo is stopped.

Now a couple of things before I wrap up this demo. Firstly, you have the choice for the source. And I have show
n you what all options are available. But when it comes to the target, you must have a network load balancer.

Then secondly, I also talked about the priority mode. And we have discussed capture filter in one of our earlier
lessons. So this marks the end of this demonstration. Thanks for watching.