Resilient inline arrangement is a method of configuring and deploying inline threat prevention tools for dual-path, redundant network architectures. A successful deployment of resilient inline arrangements provides traffic management for dual-path high availability environments.
The following figure illustrates the resilient inline arrangement.
Figure 65
Resilient Inline Arrangement
The resilient inline arrangement shows the Gigamon devices, which consolidate the traffic from multiple intercepted links before routing the traffic to inline tools. To protect such an inspection arrangement from any failure of the Gigamon devices, a redundant arrangement of inline packet broker is shown. Both the inline packet brokers are interconnected by an Inter-broker Pathway (IB-P). For details, refer to Inter-broker Pathway (IB-P).
Each inline packet broker is attached to a set of inline tools that are identical to each other, that is, both inline packet brokers must have equal number of inline tools. Moreover, the inline tools on both sides must be of the same type, port speed, and processing capacity.
Resilient inline arrangement is based on an aggregation and distribution principle that divides the packets received by an inline packet broker, between Node 1 and Node 2. The inline packet broker on the left, guides the Node 1 class of packets through its local tools and Node 2 class of packets through the remote tools that are reachable by a resilient inter-broker pathway. Similarly, the inline packet broker on the right, guides the Node 2 class of packets through its local tools and Node 1 class of packets through the remote tools.
Each link intercepted by the inline packet broker must be configured with the following component maps:
•
either a bidirectional original component map or two unidirectional original component maps,
•
two unidirectional export component maps, and
•
two unidirectional import component maps.
GigaVUE-FM configures the required export and import component maps for all the links that are intercepted by both the inline packet brokers. GigaVUE-FM configures the maps based on the tool side VLAN tags and the rules that you specified when configuring the flexible inline map.
Inter-broker Pathway (IB-P)
The inter-broker pathway provides link aggregation and distribution and is responsible for moving traffic between Node 1 and Node 2. You must configure tool ports in the inter-broker pathway. Following are the IB-P states:
•
inter-broker pathway-up—the traffic is handled as follows:
•
If the traffic is governed by the original component maps in which the traffic path is set to Bypass, the traffic bypasses the sequence of inline tools and inline tool groups and is re-directed to the inline network port that is configured on the opposite-side
•
If the traffic is governed by the export component maps in which the traffic path is set to any value other than Bypass, the traffic is routed through the inter-broker pathway based on the tag value defined in the map. If the tag value matches the VLAN attribute configured in the import component map, the traffic is sent to the inline packet broker on the opposite side. The traffic is then routed through the inline tools or inline tool groups based on the sequence defined in the import component map. After inspection, the traffic is sent back to the inter-broker pathway with the same tag value. Finally, the traffic is intercepted by the export component map and is guided to the respective exit inline network port.
•
inter-broker pathway-down—the traffic is handled based on the failover action selected for the inline map configured, as follows:
•
If the failover is set to ‘bypass’, the traffic is passed directly between the respective inline network ports.
•
If the failover is set to ‘original-map’, the traffic is passed through the path that is defined by the respective original map.
Note: Traffic can be moved from ‘bypass’ to ‘original-map’ and vice versa, when the inter-broker pathway is in ‘down’ state.
The failover-action set for an inline tool or an inline tool group that is configured on Node 2 will affect the inter-broker pathway as follows:
•
If the failover-action for the inline tools on Node 2 is set to ‘network-bypass’, all traffic received on the Node 2 will be by-passed and referred back to Node 1.
•
If the failover-action is set to ‘network-drop’, all traffic received on Node 2 of the inter-broker pathway will be dropped.
•
If the failover-action is set to ‘network-port-forced-down’, all ports on Node 2 of the inter-broker pathway will be brought down.
Resilient Inline Arrangement—Rules and Notes
Keep in mind the following rules and notes when working with Resilient Inline Arrangement:
•
Ensure that the names on both GigaVUE devices are identical, that is, the inline networks, inline tools, inline tool groups, out-of-band tools, and out-of-band tool GigaStreams must all have the same alias names on both the devices.
•
If you choose to use the inline network bundle, the alias of the inline network bundle on both the devices must be identical. However, the inline networks that are grouped into the bundle can have different aliases.
Deploy Resilient Inline Arrangement
Following are the prerequisites that you must complete before you configure Resilient inline arrangement:
Go to Physical > Orchestrate > Inline Flows, and then click Configuration Canvas to create a new Flexible Inline Canvas.
2.
In the Flexible Inline Canvas that is displayed, select the required device for which you want to create the inter-broker pathway.
3.
Click the ‘+’ icon next to the IB Pathway option to create a new inter-broker pathway.
4.
In the Properties pane, in the Alias and Comment fields, enter a name and description for the inter-broker pathway.
5.
From the Ports drop-down lists, select the required tool ports to attach with the inter-broker pathway.
Note: If the required tool ports are not available, you can choose to administratively enable the tool ports. Click Port Editor, and in the Quick Port Editor page, scroll down to the tool ports that you wish to configure. Select Enable, and then click OK.
6.
In the Minimum Ports Up field, enter the minimum number of tool ports that must be operationally up so that the status of the inter-broker pathway will be up.
7.
From the Traffic Path drop-down list, select one of the following options:
•
Bypass—Traffic bypasses the inter-broker pathway and is redirected to the next inline network port.
•
Monitoring—Traffic is forwarded to the sequence of inline tools in the monitoring mode.
•
To Inline Tool—Traffic is forwarded to the sequence of inline tools that you have configured.
Drag and drop the required inline network or inline network LAG in to the flexible inline canvas, and then click Settings.
2.
Select the Enable check box next to Show Resilient Inline Menu.
3.
Select the required Node 1, Node 2, IB Pathway1, and IB Pathway2 for the resilient inline arrangement.
4.
From the Hashing Source drop-down list, select one of the following options:
•
Side A—Hashing is done based on either the source IP address or the source port from side A. On side B, hashing is done based on either the destination IP address or the destination port.
•
Side B—Hashing is done based on either the source IP address or the source port from side B. On side A, hashing is done based on either the destination IP address or the destination port.
5.
From the Hashing Type drop-down list, select one of the following options:
•
L3 (IP Based)—Hashing is done based on IP address.
•
L4 (Port Based)—Hashing is done based on transport layer port number.
6.
From the Hashing LSB Node drop-down list, select one of the following options:
•
Node1 as 0—All traffic from IP addresses ending with 0 will be hashed to node 2.
•
Node2 as 0—All traffic from IP addresses ending with 0 will be hashed to node 1.
Note: This field is available only if you select the L3 (IP Based) option in the Hashing Type field.
7.
From the Hashing Port drop-down list, select one of the following options:
•
Node1 as odd—All traffic with odd port numbers will be hashed to node 2 and traffic with even port numbers will be hashed to node 1.
•
Node2 as odd—All traffic with odd port numbers will be hashed to node 1 and traffic with even port numbers will be hashed to node 2.
Note: This field is available only if you select the L4 (Port Based) option in the Hashing Type field.
8.
Click OK to save the settings.
9.
Drag and drop the flexible inline map into the canvas, and then click the map to open the
Properties pane.
10.
In the Alias and Comment fields, enter the name and description of the inline map.
11.
Enter the Tool Side VLAN Tag for the inline network for which you are configuring the map.
12.
From the FlexInline Failover drop-down list, select one of the following options:
•
Bypass—the traffic is passed directly between the respective inline network ports.
•
Original Map—the traffic is passed through the path that is defined in this flexible inline map.
13.
Add the required rules for the inline map, and then click OK to save the configuration.
14.
Drag and drop the required inline tools or inline tool group into the canvas.
15.
Drag and drop the OOB Copy into the canvas, if required.
16.
From the Destination Ports drop-down list, select the required hybrid or tool ports.
17.
From the VLAN Tag drop-down list, select one of the following options:
•
None—No VLAN tag is used and the traffic is routed to a different destination.
•
Original—Uses the original VLAN tag of the packet received from the inline network.
18.
Click Deploy. The Deploy pop-up window appears.
19.
In the Deploy pop-up window, select a traffic path and click OK.
Visit the Online Product Documentation page on the Gigamon Community to find the latest documentation offerings available online. Each online documentation portal also provides PDFs associated with that release.
Trademark Attributions: Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found at http://www.gigamon.com/legal-trademarks. All other trademarks are the trademarks of their respective owners
The Gigamon Community is a technical site where Gigamon users, partners, security and network professionals and Gigamon employees come together to share knowledge and expertise, ask questions, build their network and learn about best practices for Gigamon products. The Gigamon Community is a great way to get answers fast, learn from experts and collaborate directly with other members around your areas of interest. Register today at community.gigamon.com.
Create Inter-broker Pathway
