Enhancing Cisco Networks with Gigamon // White Paper

Transcription

1 The Smart Route To Visibility Enhancing Cisco s with Many Fortune 000 companies and beyond implement a Cisco switching architecture. When implementing a large scale Cisco network, the infrastructure to effectively monitor these networks is often overlooked. To monitor the networks customers will use Cisco technologies such as SPAN, RSPAN, ERSPAN, VACL. Many times these technologies are not scalable to support the diverse needs of network and security groups as they strive for maximum uptime within the network infrastructure. This white paper will discuss the various monitoring functions Cisco provides and how you can enhance these technologies using the Traffic Visibility Fabric and TAP solutions. and Non-VLAN traffic to be sent to the same port. In summary, SPAN sessions are good for spot analysis but are limited in terms of scaling to support company monitoring initiatives. SPAN ports are typically best for small to medium environments where monitoring needs are not great. Source Data Port Cisco SPAN SPAN stands for Switch Port Analyzer. The SPAN functionality is offered in all Cisco switching solutions. A SPAN port copies data SPAN Port from one or more source ports to a destination port. Figure shows an example of how the SPAN function operates. With most Cisco switching products, users are limited to two SPAN sessions per switch. For most large enterprises this is not suitable enough for monitoring purposes. In most large organizations between the network and security groups there are commonly four or more monitoring or analysis tools that all need to contend for the same data. Examples of some of the Figure Cisco SPAN example Inside a Cisco Switch data is copied from a network port (in this example the port the router is connected to) to a SPAN port which has a monitoring tool connected tools that are utilized are Application Performance Monitors, Intrusion Detection Tools, Data Recorders, Web Monitoring Tools, and many more. There are also limitations that prevent users from sending data from one source port to both of the available SPAN sessions as well as limitations that allow VLAN

2 The Smart Route To Visibility Enhancing Cisco s with Figure Cisco ERSPAN example Source Data In GRE Tunnel In GRE Tunnel Monitoring Tool Source Data In GRE Tunnel Routed Cisco RSPAN Cisco RSPAN stands for Remote Switch Port Analyzer. RSPAN works very much like SPAN with the exception that data can be sent between remote monitoring ports in the switching architecture using VTP and reflector ports. Users are only allowed to send data to two RSPAN destinations. Just like SPAN, data from the same source port or VLAN cannot be shared across the two sessions. RSPAN has additional configuration complexity as users have to configure the correct VTP domains on each switch that RSPAN data traverses. There is a potential for duplicate packets in RSPAN configurations. RSPAN ports will not pass Layer data as well. Originating switch with reflector port RSPAN VLAN RSPAN VLAN SPAN Data Monitoring Tool Figure CISCO RSPAN example Data on the originating switch is sent over a RSPAN VLAN created using VTP and Reflector Ports. Cisco ERSPAN ERSPAN stands for Encapsulated Remote SPAN. With ERSPAN data from remote switches can be forwarded to a source monitoring tool over a routed network or Internet using a GRE Tunnel that is configured on the Cisco Switches. ERSPAN is a feature that is only supported on Cisco Switches that support the Supervisor Engine 0 manufactured with PFCA. This means this feature is limited to a few Cisco switch families like the Catalyst 00 family. This functionality has not translated to the newer Cisco Nexus product line as an option. Packets of an ERSPAN session are tagged with a 0- byte header and replace the CRC. Items you need to be aware of are fragmented frames and jumbo frames. ERSPAN does not support fragmented frames and all switches have to be configured to support jumbo frames or else frames that increase past the 00 byte limit with the 0 byte tagged data will be dropped. Just like all other SPAN technologies you can only create two ERSPAN destinations per switch. ERSPAN requires additional configuration complexity to ensure that the tunneling and frame sizes are correct for proper routing of data. Cisco VACL VACL stands for VLAN Access List. VACLs overcome most SPAN limitations in addition to providing the ability to filter for certain types of traffic such as a TCP port or IP Address. VACLs are ACLs that only apply to data within a VLAN that are separate from ACLs that would be used in router configurations. The maximum number of VACLs a switch can support is determined

3 Batt Mgmnt () A B A B Batt Mgmnt () OUT OUT OUT OUT OUT OUT A B A B Mgmnt () Batt OUT OUT OUT OUT A B A B OUT OUT The Smart Route To Visibility Enhancing Cisco s with by the amount of VLANs in a switch. For example if a switch only has configured VLANs then you can create VACL capture ports. Users will mainly use VACLs to free up SPAN resources as a bandaid to a complete monitoring infrastructure. Configuring VACLs is usually reserved for more senior networking staff as VACLs require the most configuration attention of all the Cisco Visibility Technologies. Many users can mistakenly block data from the VACL capture port if care is not taken when configuring the VACL. Like SPAN s, VACLs source data cannot be sent to multiple VACLs limiting the benefit of having extra VACL ports as many times monitoring tools will have to see many VLANs at once leaving the user with one or two VACL capture ports that can be used. GigaVUE Traffic Visibility Nodes GigaVUE Traffic Visibility Nodes are purpose built appliances create an out-of-band network that provides enhanced visibility to all monitoring, data capture, and security tools. With Traffic Visibility Nodes users can connect inputs and aggregate, replicate, and filter data all at line-rate speeds to any number of tools. Users can connect SPAN s, RSPAN s, VACL s, ERSPAN, and TAP input ports to control the traffic flow from all network inputs to all monitoring inputs. ou can think of the Traffic Visibility Node as the central hub of your monitoring infrastructure that is becoming a key component in new 0G and G data centers. Load-Balancing data from multiple 0G and G network links to multiple 0G and G network tool interfaces Advanced features such as time-stamping, port tagging, and packetslicing Source Data port that belongs to VLAN 00 VLAN 00, IP... VACL Port Monitoring Tool Figure Cisco VACL example Data from IP address... in VLAN 00 is forwarded to a VLAN capture port T R T R T T There are many benefits that users can gain by implementing a Traffic Visibility Node such as GigaVUE: Eliminating SPAN, RSPAN, ERSPAN, VACL contention issues Providing secure access to monitoring data Accessing 0G network links with G monitoring tools Enabling visibility into data across asymmetric links Filtering of any field Layer - within a packet as well as userdefined filters that delve deeper into packet structures Consolidating monitoring resources to one centrally managed location G-Tap Switch Switch Monitoring Tool Figure Logical TAP Traffic Flow Diagram G-TAP A-T G-TAP A-T G-TAP A-T Figure G-TAP and G-TAP A-Series TAP s

4 Batt Mgmnt () A B A B G-TAP A-Tx 0GigaPORT- GigaVUE-0MB Mgmt 0GigaPORT- 0/00/000 (SFP) G G G G G G G G SLOT 9 SLOT G-G - SLOT Mgmt 0/00/000 G G/0G The Smart Route To Visibility Enhancing Cisco s with Figure Sample configuration in a Flat GigaVUE- GigaVUE-0 G Monitoring Tools Figure Example of Flow Mapping technology 0G Map-Rule 0G R Map-Rule 0G VACL Data Map-Rule Map-Rule 0G ER Map-Rule Map-Rule G Full-Duplex Tap Data The Map-Rules represent different flows that are strategically directed to the monitoring ports G-TAP A-Tx Ingress and Egress Port Filters can applied in addition to Map-Rules GigaVUE Data Access Switch

5 0GigaPORT- GigaVUE-0MB 0/00/000 (SFP) G G G G G G G G 0GigaPORT- 0GigaPORT- GigaVUE-0MB 0/00/000 (SFP) G G G G G G G G 0GigaPORT- GigaVUE- Mgmt 0/00/000 G G/0G SLOT 9 SLOT G-G - SLOT SLOT 9 SLOT G-G - SLOT S ystems Mgmnt 0GigaPORT- GigaVUE-0MB 0/00/000 (SFP) G G G G G G G G 0GigaPORT- Giga TAP-Sx Split Ratio :0/0 Giga TAP-Sx Split Ratio :0/0 Giga TAP-Sx Split Ratio :0/0 Giga PORT SLOT 9 SLOT G-G - SLOT 0GigaPORT- GigaVUE-0MB 0GigaPORT- GigaVUE-0MB 0/00/000 (SFP) G G G G G G G G 0GigaPORT- 0/00/000 (SFP) G G G G G G G G 0GigaPORT- SLOT 9 SLOT G-G - SLOT SLOT 9 SLOT G-G - SLOT The Smart Route To Visibility Enhancing Cisco s with Flow Mapping The key technology that enables these benefits in GigaVUE is the patented Flow Mapping technology. Flow Mapping creates traffic distribution maps that can direct traffic from any ingress traffic ports to any number of monitoring ports at linerate with no dropped traffic. Flow Mapping is different from port filtering that is found on other Traffic Visibility Nodes. engineers create Map rules that direct data to the desired monitoring port. Once a Map is created, input ports can be bound to the Map. This allows for dynamic changes to data flows that would be impossible using port filters as network engineers would have to change the filtering on each port individually. Using other technology such as collectors and pass-alls that are unique to, users can have access to unfiltered traffic while traffic is being filtered using the Map. This is functionality unique to and only. users can augment the power of the Flow Mapping technology by further reducing traffic loads on egress tool ports as well. All these features create a powerful Traffic Visibility Fabric. WAN Edge GigaVUE-0 GigaVUE-0 Core 0G and G Tool Farm Distribution Layer Data Center Fibre Channel SAN GigaVUE-0 Access Layer GigaVUE-0 GigaVUE-0 GigaVUE-0 0G Tool Farm VM Cluster VM Cluster GigaVUE- GigaSTREAM Diagram Legend Multi-Layer Switch GigaSTREAM Bundle G Link 0G Link Wireless Devices End User Workstations Access Switch TAP Connection Point G TAP Traffic Router 0G TAP Traffic Firewall Cascaded Traffic Figure Example of Flow Mapping technology

6 The Smart Route To Visibility Enhancing Cisco s with Figure 9 shows an example of a large Cisco network with a Traffic Visibility Fabric overlay. In this diagram all major switch to switch connections are tapped using G-TAP network TAP s or using integrated taps into the GigaVUE appliances. By tapping at strategic locations, network engineers have increased visibility into traffic. For example, by tapping the interface between the Internet and the firewall or the firewall and router, engineers can view all traffic coming into and out of the network from the internet. Because TAP s are used, all traffic at full line rate can be viewed without missing traffic or degrading the switch fabric. SPAN port traffic from the visibility nodes are routed to the GigaVUE appliance where all traffic can be aggregated, replicated, and filtered to multiple monitoring tools. In most new 0G infrastructures SPAN traffic is usually limited to the access layer as an easy way to view end-user traffic. All GigaVUE appliances are stacked together or cascaded to be controlled from one central interface that can dynamically route specific traffic to specific tool ports. This aids in decreasing resolution times and increased performance of monitoring and capture tools as they are only receiving the traffic that they desire. About provides intelligent Traffic Visibility ing solutions for enterprises, data centers and service providers around the globe. Our technology empowers infrastructure architects, managers and operators with unmatched visibility into the traffic traversing both physical and virtual networks without affecting the performance or stability of the production environment. Through patented technologies, the GigaVUE portfolio of high availability and high density products intelligently delivers the appropriate network traffic to security, monitoring or management systems. With over seven years experience designing and building intelligent traffic visibility products in the US, serves the vertical market leaders of the Fortune 000 and has an install base spanning 0 countries. For more information about our products visit: Conclusion By leveraging the power of GigaVUE devices network engineers utilizing Cisco networks and monitoring technology such as SPAN, RSPAN, and VACL can improve flexibility, performance, and security of monitored data as the data is routed to various monitoring, capture, and security tools. A Traffic Visibility Fabric allows network engineers to future proof their monitoring infrastructure for speeds today and tomorrow. Copyright 0, LLC. All rights reserved., GigaVUE, GigaSMART, G-TAP, Flow Mapping are registered trademarks of, LLC and/or affiliates in the United States and certain other countries. Visibility Fabric, Traffic Visibility Fabric (TVF), Citrus, and The Smart Route To Visibility are trademarks of. All other trademarks are the property of their respective owners. 9 Gibraltar Drive Milpitas, CA 90 PH