Post on 26-Apr-2020
Enhancing Cisco Networks with Gigamon // White Paper
The Smart Route To Visibility™
Many Fortune 1000 companies and beyond implement a Cisco switching architecture. When implementing a large-scale Cisco network, the infrastructure needed to effectively monitor that network is often overlooked. To monitor these networks, customers use Cisco technologies such as SPAN, RSPAN, ERSPAN, and VACLs. Often these technologies do not scale to support the diverse needs of network and security groups as they strive for maximum uptime within the network infrastructure. This white paper discusses the various monitoring functions Cisco provides and how you can enhance these technologies using the Gigamon Traffic Visibility Fabric and TAP solutions.
Cisco SPAN
SPAN stands for Switch Port Analyzer. The SPAN function is offered in all Cisco switching solutions. A SPAN port copies data from one or more source ports to a destination port. Figure 1 shows an example of how the SPAN function operates.

With most Cisco switching products, users are limited to two SPAN sessions per switch. For most large enterprises this is not sufficient for monitoring purposes. In most large organizations, between the network and security groups, there are commonly four or more monitoring or analysis tools that all contend for the same data. Examples of such tools are application performance monitors, intrusion detection tools, data recorders, web monitoring tools, and many more. There are also limitations that prevent users from sending data from one source port to both of the available SPAN sessions, as well as limitations on sending VLAN and non-VLAN traffic to the same port. In summary, SPAN sessions are good for spot analysis but are limited in their ability to scale to support company-wide monitoring initiatives. SPAN ports are typically best for small to medium environments where monitoring needs are modest.
Figure 1 Cisco SPAN example (diagram; labels: Source Data Port, SPAN Port). Inside a Cisco switch, data is copied from a network port (in this example, the port the router is connected to) to a SPAN port which has a monitoring tool connected.
Cisco RSPAN
Cisco RSPAN stands for Remote Switch Port Analyzer. RSPAN works very much like SPAN, with the exception that data can be sent between remote monitoring ports in the switching architecture using VTP and reflector ports.

Users are only allowed to send data to two RSPAN destinations. Just like SPAN, data from the same source port or VLAN cannot be shared across the two sessions. RSPAN adds configuration complexity, as users have to configure the correct VTP domains on each switch that RSPAN data traverses. There is a potential for duplicate packets in RSPAN configurations. RSPAN ports also will not pass Layer 2 data.
Cisco ERSPAN
ERSPAN stands for Encapsulated Remote SPAN. With ERSPAN, data from remote switches can be forwarded to a monitoring tool over a routed network or the Internet using a GRE tunnel that is configured on the Cisco switches.

ERSPAN is a feature that is only supported on Cisco switches that support the Supervisor Engine 720 manufactured with PFC3A. This means the feature is limited to a few Cisco switch families, such as the Catalyst 6500 family. This functionality has not carried over to the newer Cisco Nexus product line as an option. Packets of an ERSPAN session are tagged with a 50-byte header and the CRC is replaced. Items you need to be aware of are fragmented frames and jumbo frames: ERSPAN does not support fragmented frames, and all switches have to be configured to support jumbo frames, or else frames that grow past the 1500-byte limit once the 50-byte header is added will be dropped. Just like all other SPAN technologies, you can only create two ERSPAN destinations per switch. ERSPAN requires additional configuration effort to ensure that the tunneling and frame sizes are correct for proper routing of data.
Figure 2 Cisco RSPAN example (diagram; labels: originating switch with reflector port, RSPAN VLAN, SPAN data, monitoring tool). Data on the originating switch is sent over an RSPAN VLAN created using VTP and reflector ports.
Figure 3 Cisco ERSPAN example (diagram; labels: source data, SPAN data in GRE tunnel, routed network, monitoring tool).
Cisco VACL
VACL stands for VLAN Access List. VACLs overcome most SPAN limitations, in addition to providing the ability to filter for certain types of traffic such as a TCP port or IP address. VACLs are ACLs that only apply to data within a VLAN and are separate from the ACLs that would be used in router configurations. The maximum number of VACLs a switch can support is determined by the number of VLANs in the switch. For example, if a switch only has 5 configured VLANs, then you can create 5 VACL capture ports.
Users will mainly use VACLs to free up SPAN resources as a band-aid in place of a complete monitoring infrastructure. Configuring VACLs is usually reserved for more senior networking staff, as VACLs require the most configuration attention of all the Cisco network visibility technologies. Users can mistakenly block data from the VACL capture port if care is not taken when configuring the VACL. As with SPAN, VACL source data cannot be sent to multiple VACLs, which limits the benefit of having extra VACL ports: monitoring tools often have to see many VLANs at once, leaving the user with only one or two usable VACL capture ports.
Gigamon GigaVUE Traffic Visibility Nodes
Gigamon GigaVUE® Traffic Visibility Nodes are purpose-built appliances that create an out-of-band network providing enhanced visibility to all monitoring, data capture, and security tools. With Traffic Visibility Nodes, users can connect inputs and aggregate, replicate, and filter data at line-rate speeds to any number of tools. Users can connect SPAN, RSPAN, VACL, ERSPAN, and TAP input ports to control the traffic flow from all network inputs to all monitoring inputs. You can think of the Traffic Visibility Node as the central hub of your monitoring infrastructure; it is becoming a key component in new 10G and 1G data centers.

There are many benefits that users can gain by implementing a Traffic Visibility Node such as GigaVUE:
• Eliminating SPAN, RSPAN, ERSPAN, and VACL contention issues
• Providing secure access to monitoring data
• Accessing 10G network links with 1G monitoring tools
• Enabling visibility into data across asymmetric links
• Filtering on any Layer 1-4 field within a packet, as well as "user-defined" filters that delve deeper into packet structures
• Consolidating monitoring resources to one centrally managed location
• Load-balancing data from multiple 10G and 1G network links to multiple 10G and 1G network tool interfaces
• Advanced features such as time-stamping, port tagging, and packet slicing
Figure 4 Cisco VACL example (diagram; labels: VACL port, ACL rules, source data port that belongs to VLAN 200 with IP 1.1.1.1, monitoring tool). Data from IP address 1.1.1.1 in VLAN 200 is forwarded to a VLAN capture port.
Figure 5 Logical TAP traffic flow diagram (labels: network switch, network switch, monitoring tool; RX and TX directions through the TAP).
Figure 6 Gigamon G-TAP® and G-TAP® A-Series TAPs (product photos; panel labels only).
Figure 7 Sample configuration in a flat network (diagram; labels: GigaVUE-2404®, GigaVUE-212, 10GigaPORT-8X modules, SPAN traffic, 1G monitoring tools).
Figure 8 Example of Gigamon Flow Mapping technology (diagram; inputs: 10G SPAN data, 10G RSPAN data, 10G VACL data, 10G ERSPAN data, 1G full-duplex TAP data from a Gigamon G-TAP® A-Tx; outputs: filtered data streams from the Gigamon® GigaVUE® Data Access Switch via Map-Rules 1 through 6). The Map-Rules represent different flows that are strategically directed to the monitoring ports. Ingress and egress port filters can be applied in addition to Map-Rules.
Flow Mapping®
The key technology that enables these benefits in GigaVUE is Gigamon's patented Flow Mapping technology. Flow Mapping creates traffic distribution maps that can direct traffic from any ingress traffic ports to any number of monitoring ports at line rate with no dropped traffic. Flow Mapping is different from the port filtering found on other Traffic Visibility Nodes. Network engineers create Map rules that direct data to the desired monitoring port. Once a Map is created, input ports can be bound to the Map. This allows dynamic changes to data flows that would be impossible using port filters, where network engineers would have to change the filtering on each port individually. Using other technology such as collectors and pass-alls, which are unique to Gigamon, users can have access to unfiltered traffic while traffic is being filtered using the Map. Gigamon users can further augment the power of the Flow Mapping technology by reducing traffic loads on egress tool ports as well. All these features create a powerful Traffic Visibility Fabric.
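The Flow Mapping behaviour described above, as an added example that is not Gigamon's code or the GigaVUE API: a small Python model in which Map rules on Layer 2-4 fields direct packets from bound ingress ports to tool ports, a collector receives whatever no rule matched, and a pass-all receives an unfiltered copy. All port names, field names and packets are constructed for illustration.

```python
# Added example, not Gigamon's code: a minimal model of Flow Mapping as the
# white paper describes it (map rules, bound ingress ports, collector,
# pass-all). Port names, field names and sample packets are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    vlan: int
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 when the protocol has no ports

@dataclass
class MapRule:
    tool_port: str      # monitoring port this rule feeds
    criteria: dict      # e.g. {"vlan": 200, "proto": "tcp", "dport": 443}

    def matches(self, pkt: Packet) -> bool:
        """Every listed Layer 2-4 field must equal the packet's value."""
        return all(getattr(pkt, k) == v for k, v in self.criteria.items())

@dataclass
class FlowMap:
    ingress_ports: set                      # network ports bound to the map
    rules: list                             # MapRule objects
    collector: Optional[str] = None         # gets whatever no rule matched
    pass_all: list = field(default_factory=list)  # unfiltered copies

    def route(self, ingress: str, pkt: Packet) -> list:
        """Tool ports that receive a packet arriving on `ingress`, in order."""
        if ingress not in self.ingress_ports:
            return []                       # port not bound to this map
        outputs = list(self.pass_all)       # pass-all sees everything
        matched = [r.tool_port for r in self.rules if r.matches(pkt)]
        if not matched and self.collector:
            matched = [self.collector]      # collector catches the leftovers
        for port in matched:                # replicate, but never twice to one port
            if port not in outputs:
                outputs.append(port)
        return outputs

VISIBILITY_MAP = FlowMap(  # constructed: two bound inputs, two rules, collector, pass-all
    ingress_ports={"span-1", "tap-a"},
    rules=[MapRule("ids", {"vlan": 200}),
           MapRule("web-monitor", {"proto": "tcp", "dport": 443})],
    collector="recorder",
    pass_all=["full-capture"],
)
```

Rebinding an ingress port means adding or removing it from `ingress_ports`; the rules themselves stay untouched, which is the point the paper makes against per-port filters.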
Figure 9 Large Cisco network with a Gigamon Traffic Visibility Fabric overlay (diagram; the extracted caption repeats "Figure 8 Example of Gigamon Flow Mapping technology"). Labels: WAN edge, network core, data center distribution layer, access layer, VM clusters, Fibre Channel SAN, end-user workstations and wireless devices, 10G tool farm, 10G and 1G tool farm, GigaVUE-2404® (several, stacked), GigaVUE-420®, GigaVUE-212™, GigaTAP-Sx (split ratio 70/30), SPAN data, GigaSTREAM.
Diagram legend: multi-layer switch, access switch, router, firewall, GigaSTREAM bundle, TAP connection point, 1G network link, 10G network link, 1G TAP traffic, 10G TAP traffic, SPAN traffic, cascaded traffic.
Copyright © 2012 Gigamon, LLC. All rights reserved. Gigamon, GigaVUE®, GigaSMART, G-TAP, Flow Mapping are registered trademarks of Gigamon, LLC and/or affiliates in the
United States and certain other countries. Visibility Fabric, Traffic Visibility Fabric (TVF), Citrus, and The Smart Route To Visibility are trademarks of Gigamon. All other trademarks
are the property of their respective owners.
Gigamon | 598 Gibraltar Drive Milpitas, CA 95035 | PH 408.263.2022 | www.gigamon.com
Figure 9 shows an example of a large Cisco network with a Gigamon Traffic Visibility Fabric overlay. In this diagram, all major switch-to-switch connections are tapped using Gigamon G-TAP® network TAPs or using taps integrated into the GigaVUE® appliances. By tapping at strategic locations, network engineers gain increased visibility into traffic. For example, by tapping the interface between the Internet and the firewall, or between the firewall and the router, engineers can view all traffic coming into and out of the network from the Internet. Because TAPs are used, all traffic at full line rate can be viewed without missing traffic or degrading the switch fabric. SPAN port traffic is routed to the GigaVUE appliance, where all traffic can be aggregated, replicated, and filtered to multiple monitoring tools. In most new 10G infrastructures, SPAN traffic is usually limited to the access layer as an easy way to view end-user traffic. All GigaVUE appliances are stacked together or cascaded so that they can be controlled from one central interface that can dynamically route specific traffic to specific tool ports. This decreases resolution times and increases the performance of monitoring and capture tools, as they receive only the traffic they need.
Conclusion
By leveraging the power of GigaVUE devices, network engineers utilizing Cisco networks and monitoring technology such as SPAN, RSPAN, and VACL can improve the flexibility, performance, and security of monitored data as the data is routed to various monitoring, capture, and security tools. A Gigamon Traffic Visibility Fabric allows network engineers to future-proof their monitoring infrastructure for the speeds of today and tomorrow.
About Gigamon
Gigamon provides intelligent Traffic Visibility Networking solutions for enterprises, data centers and service providers around the globe. Our technology empowers infrastructure architects, managers and operators with unmatched visibility into the traffic traversing both physical and virtual networks without affecting the performance or stability of the production environment. Through patented technologies, the Gigamon GigaVUE portfolio of high-availability and high-density products intelligently delivers the appropriate network traffic to security, monitoring or management systems. With over seven years of experience designing and building intelligent traffic visibility products in the US, Gigamon serves the vertical market leaders of the Fortune 1000 and has an install base spanning 40 countries.
For more information about Gigamon products visit: www.gigamon.com