inspect policy-mix lookup-flow
Use the inspect policy-mix lookup-flow command to identify which network and priority policy rules apply to a specific flow based on source IP, destination IP, protocol, and port.
Use the inspect policy-mix lookup-flow command to simulate the full policy
evaluation for a specific five-tuple flow without sending live traffic. By specifying the
source and destination IPs, protocol, and optional ports, you can see which network and
priority policy rules would match, which paths are active and which are backup, and what DSCP
value and priority number the device would assign. Most options except
srcport and dscp rely on an effective custom application
lookup. Use this command to verify end-to-end policy intent and troubleshoot unexpected path
selection or QoS behavior.
Command
inspect policy-mix lookup-flow srcv4=src_ipv4 dstv4=dst_ipv4 ( prot-nm=( udp | tcp | icmp ) | prot-no=protocol_number ) [ srcport=src_port | dstport=dst_port ]
Options
| srcv4 | Enter the source IPv4 address of the flow. |
| dstv4 | Enter the destination IPv4 address of the flow. |
| prot-nm | Enter the protocol name: udp, tcp, or icmp. |
| prot-no | Enter a numeric protocol number from 0 to 255. |
| srcport | Enter the source port number. |
| dstport | Enter the destination port number. |
| dscp | Enter a DSCP value to include in the lookup. |
When to Use
- When end-to-end path selection or QoS for a specific flow does not match expectations, to get both network and priority policy results in a single command rather than running lookup commands separately.
- Before testing a policy configuration change in production, to simulate how a known flow will be handled under the new rules.
- When traffic to a specific destination is using an unexpected path or receiving an incorrect DSCP marking, to confirm which rules actually apply to it.
Command Notes
| Role | Super, Read Only |
| Related Commands | None |
| Introduced in | Release 5.0.1 |
Example
The following example performs a full policy lookup for a TCP flow to a known destination:
inspect policy-mix lookup-flow prot-nm=tcp srcv4=10.2.53.101 dstv4=203.0.113.10 dstport=443
Most Specific App Id : 14611073109530070 : yahoo
Other Detected App Ids:
15035327122180161 : ssl
Identified LAN ID : 15047412584460168
Network Context ID : 0
Policy Lookup App Ids:
15035327095370149 : yahoo
15035327122180161 : ssl
WILDCARD :
- - - - - - - - - - - - - - - - - - - - - - - - - - -
Network Policy Rule : 15035327231370099 : yahoo-Policy
Policy Set : 15035327157110245 : default
Stack Index : 0
Application : 15035327095370149 : yahoo
Source Prefix : none
Destination Prefix : 15035327218390191 : 10.1.0.0/16
Network_Context Id : none
Order Number : 1024
Is Default Rule : False
Active Paths:
direct : public-*
direct : private-*
vpn : private-1 : 15047410360090142
vpn : public-1 : 15047410360100143
Backup Paths : none
Service Context : none
Priority Policy Rule : 15035327231370099 : yahoo-Policy
Policy Set : 15035327157110245 : default
Stack Index : 0
Application : 15035327095370149 : yahoo
Source Prefix : none
Destination Prefix : none
Network_Context Id : none
Order Number : 1024
Is Default Rule : False
Priority Number : 4
DSCP Value : none
Output Fields
- Most Specific App Id: The most precisely matched application for the flow, based on DPI classification.
- Other Detected App Ids: Additional applications the DPI engine detected for the flow that may also match policy rules.
- Network Policy Rule / Priority Policy Rule: The name and ID of the matched rule for each policy type.
- Policy Set: The policy set the matched rule belongs to.
- Stack Index: The stack position of the rule.
- Application: The application the rule matches.
- Source Prefix / Destination Prefix: The traffic match criteria defined in the rule, or none if unconfigured.
- Order Number: The evaluation priority of the rule within the stack.
- Is Default Rule: Whether the matched rule is the policy default rule.
- Active Paths: The paths the network policy directs the flow to, listed by type and name.
- Backup Paths: The fallback paths in the rule, or none if not configured.
- Priority Number: The QoS priority the priority policy rule assigns to the flow.
- DSCP Value: The DSCP marking the priority policy rule assigns to the flow, or none if not configured.
Troubleshooting
| Condition | Possible Cause | Action |
| Most Specific App Id is a generic protocol such as tcp or udp instead of the expected application | DPI has not identified the application; the flow may not have enough traffic samples, or the application is not in the DPI signature database | Allow the flow to run longer before re-running; confirm the application requires port-based detection and specify dstport in the command |
| Active Paths list is empty for the matched network policy rule | All paths in the rule's active path list are currently down or unavailable | Check circuit and path health; verify that the paths referenced in the policy rule are operational |
| DSCP Value is none even though the priority policy rule matched | The matched priority policy rule uses priority-based queuing without configuring a DSCP remark | This is expected behavior if the rule intentionally omits DSCP remarking; verify the intended QoS design in the priority policy configuration |
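The Troubleshooting conditions above, plus a check that the flow hit the intended rule, can be asserted automatically on saved command output, for example before and after a policy change. The following Python sketch is an added example, not vendor code; the function names, the finding labels, and the trimmed sample output (constructed from the Example section) are assumptions.

```python
# SAMPLE is constructed: a trimmed copy of the Example output layout above.
SAMPLE = """\
Most Specific App Id : 14611073109530070 : yahoo
Network Policy Rule : 15035327231370099 : yahoo-Policy
Is Default Rule : False
Active Paths:
direct : public-*
vpn : private-1 : 15047410360090142
Backup Paths : none
Priority Policy Rule : 15035327231370099 : yahoo-Policy
Priority Number : 4
DSCP Value : none
"""
GENERIC_APPS = {"tcp", "udp"}  # generic protocols named in the Troubleshooting table

def parse_lookup(text):
    """Parse lookup-flow output into app name plus network/priority rule fields."""
    result = {"app": None, "network": {}, "priority": {}}
    section, in_paths = None, False
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split(" : ")]
        key = parts[0].rstrip(": ")
        if key == "Most Specific App Id":
            result["app"] = parts[-1]
        elif key in ("Network Policy Rule", "Priority Policy Rule"):
            section, in_paths = result[key.split()[0].lower()], False
            section["rule"] = parts[-1]
        elif section is None:
            continue  # header lines before the first rule block
        elif key == "Active Paths":
            section["active_paths"], in_paths = [], len(parts) == 1  # bare label starts a list
        elif key == "Backup Paths":
            section["backup_paths"], in_paths = parts[-1], False
        elif in_paths:
            section["active_paths"].append(" : ".join(parts[:2]))
        elif len(parts) == 2:
            section[key] = parts[1]
    return result

def findings(parsed, expected_rule):
    """Flag the Troubleshooting conditions and drift from the intended rule."""
    net, prio = parsed["network"], parsed["priority"]
    checks = {
        "app-not-identified": (parsed["app"] or "").lower() in GENERIC_APPS,
        "no-active-paths": not net.get("active_paths"),
        "no-dscp-remark": prio.get("DSCP Value", "none") == "none",
        "default-rule-hit": net.get("Is Default Rule") == "True",
        "unexpected-rule": net.get("rule") != expected_rule,
    }
    return [name for name, hit in checks.items() if hit]
```

For the sample, `findings(parse_lookup(SAMPLE), "yahoo-Policy")` reports only `no-dscp-remark`, which the Troubleshooting table describes as expected when the rule intentionally omits DSCP remarking.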