About Inline Tool Groups
Use the Inline Tool Groups configuration page to configure an inline tool group, which is an arrangement of multiple inline tools to which traffic is distributed based on hashing. In an inline tool group, traffic is shared. Each inline tool in the group receives a portion of the traffic. The distribution mechanism includes a way of dealing with failures of individual tools through traffic redistribution to the remaining healthy tools.
The inline tool ports that make up the inline tools participating in the inline tool group are always in pairs, running at the same speed, on the same medium (fiber or copper). All inline tool ports of the inline tool group must be on the same GigaVUE‑HC3, GigaVUE‑HC2, or GigaVUE‑HC1 node, but can be on different modules on the node. The inline tool ports must also be on the same GigaVUE‑HC3, GigaVUE‑HC2, or GigaVUE‑HC1 node as the inline network ports.
Inline tool groups can be configured as follows:
non-redundant—multiple inline tools with no spare inline tool. Refer to Figure 1 Inline Tool Group With No Spare, Non-Redundant. |
1+1 redundancy—single inline tool with a spare inline tool. Refer to Figure 2 Inline Tool Group With Spare, Redundant 1+1 Scenario. |
N+1 redundancy—multiple inline tools that are considered active, with a standby inline tool that is only used if one of the active inline tools fails. Refer to Figure 3 Inline Tool Group With Spare, Redundant N+1 Scenario. |
With 1+1 redundancy, an inline tool is paired with a standby tool. When there is a loss of link or a heartbeat failure on an active tool, the traffic will be sent to the standby tool with no loss. In addition, if the standby tool fails, you can configure what happens to the traffic in that case, such as drop it or forward it.
With N+1 redundancy, one tool is added to a group of N distributed inline tools. When any one of the N tools fails, the traffic from that tool is sent to the standby (or spare) tool with no loss. In addition, if the standby tool fails, you can configure what happens to the traffic in that case, such a redistribute it, send it to another tool, or declare a failure on the tool group.
Refer to Figure 1 Inline Tool Group With No Spare, Non-Redundant for a non-redundant inline tool group.
Figure 73 | Inline Tool Group With No Spare, Non-Redundant |
Refer to Figure 2 for an inline tool group with a single inline tool and a spare inline tool configured. This is also referred to as 1+1 redundancy or N+1 redundancy where N equals 1. In Figure 2, traffic is only shown from A-to-B.
Figure 74 | Inline Tool Group With Spare, Redundant 1+1 Scenario |
Refer to Figure 3 Inline Tool Group With Spare, Redundant N+1 Scenario for an inline tool group in an N+1 redundant scenario, in which N is greater than 1. In Figure 3, traffic is only shown from A-to-B.
Figure 75 | Inline Tool Group With Spare, Redundant N+1 Scenario |
For details on the parameters of inline tool groups, refer to the following:
Inline Tool Group Failover Action |
Inline Tool Group Spare Inline Tool |
Symmetrical and Asymmetrical Hashing. |
Resilient Weighted Hashing |
Inline Tool Group Failover Action
One of the parameters of inline tool groups is the failover action, taken in response to a failure of an inline tool group, when the number of healthy inline tools in the inline tool group (including the spare inline tool, if configured) falls below the configured minimum. You can configure one of the following failover actions:
ToolBypass—when the inline tool group fails, the traffic that normally was directed to the inline tool group is redirected to the bypass path. Use this failover action for configurations involving multiple inline tools or inline tool groups associated with an inline network or inline network group using rule-based maps. For configurations using map passalls, tool-bypass is the same as network-bypass. |
NetworkBypass—when the inline tool group fails, all traffic that would not have been dropped when the inline network or networks had a NORMAL forwarding state is directed to the bypass path. That is, all such traffic arriving at the side A inline network port or ports is forwarded to the side B inline network port or ports and all traffic arriving at the side B inline network port or ports is forwarded to the side A inline network port or ports. |
NetworkPortForcedDown—when the inline tool group fails, the inline network ports of the respective inline network (or inline network group) are forced down. |
ToolDrop—when the inline tool group fails, the traffic that normally was directed to the inline tool group is dropped. Use this failover action for configurations involving multiple inline tools or inline tool groups associated with an inline network or inline network group using rule-based maps. For configurations using map passalls, tool-drop is the same as network-drop. |
NetworkDrop—when the inline tool group fails, all traffic coming to the respective inline network (or inline network group) is dropped. |
The default is tool-bypass.
The bypass path is between side A and side B of the inline network ports.
The failover action of all the inline tools specified by the inline tool list is overwritten by the failover mechanism of the inline tool group. This means that when a given inline tool specified by the inline tool list fails, the traffic originally directed to this inline tool is redirected to the spare inline tool (if one is configured and available) or handled according to the failover mode of the active tools, so long as the total number of healthy inline tools in the inline tool group is not smaller than the minimum required number of healthy inline tools.
When the total number of healthy inline tools in the inline tool group drops below the minimum required number of healthy inline tools, the failover action of the inline tool group determines the action to be taken.
Inline Tool Group Spare Inline Tool
One of the parameters of inline tool groups is a spare inline tool. If a spare is configured, the inline tool group becomes a redundant arrangement of inline tools. When the first failure occurs in a set of active inline tools, traffic will be forwarded to the spare with no loss, thus the spare will replace the failed tool in the active set.
The inline tools in the inline tool list are considered to be active inline tools. The traffic is hash-distributed over the active inline tools as long as all the inline tools are healthy, When one of the active inline tools fails, the spare inline tool takes the place of the failed inline tool and the new set operates as a new active set. If another inline tool fails, the traffic is redistributed according to the failover mode, as if there was no spare.
When the number of failed inline tools is such that the number of healthy inline tools is less than the minimum-group-healthy-size, the group heals itself by re-spreading the traffic over the healthy tools. When the number of healthy tools falls below the minimum-group-healthy-size, the failover action of the inline tool group takes place, while the failover action of the member inline tools is ignored.
The spare inline tool works with another parameter called release-spare-if-possible. When the inline tool that had been replaced with the spare inline tool recovers, the release-spare-if-possible parameter determines if the recovering inline tool is included in the active set of inline tools or if it becomes the new spare inline tool.
The default of the release-spare-if-possible parameter is disabled. Disabled means that even if the original inline tool recovers, the spare that replaced it will remain in the active set of inline tools. Enabled means that after the original inline tool recovers, the spare that replaced it will be released, if possible, from the active set of tools to become the spare again.
Configure the minimum-group-healthy-size and release-spare-if-possible parameters at the same time you configure the spare inline tool.
Symmetrical and Asymmetrical Hashing
One of the parameters of inline tool groups is hashing, which is used for distributing packets across a group of inline tools belonging to the inline tool group. The values for the hash parameter are as follows:
advanced—Specifies symmetrical hashing, which is derived from the combination of packet fields based on the criteria selected for the advanced-hash algorithm configured under the Ports > Port Groups > GigaStreams > Advanced Hash Settings page. |
For inline bypass applications, the most common choice of criteria for the advanced-hash algorithm is the combination of source IP and destination IP addresses. This produces a hash value that sends all traffic associated with the same session to the same inline tool in the inline tool group.
a-srcip-b-dstip—Specifies asymmetrical hashing, which is derived from the source IP address for side A of the network and the destination IP address for side B of the network. This produces a hash value that sends all traffic associated with the same source address residing on side A to the same inline tool in the inline tool group, regardless of destination or session. |
b-srcip-a-dstip—Specifies asymmetrical hashing, which is derived from the destination IP address for side A of the network and the source IP address for side B of the network. This produces a hash value that sends all traffic associated with the same source address residing on side B to the same inline tool in the inline tool group, regardless of destination or session. |
The default is advanced.
Use asymmetrical hashing if all traffic exchanged between a particular node on one side of the network and any nodes on the other side of the network that communicate with that node need to go to the same inline tool. The asymmetrical hashing options involve only source IP address (srcip) in one direction and only destination IP address (dstip) in the opposite direction. Bi-directional traffic, such as between a given user and all the Internet sites visited by the user, will be sent to the same inline tool in the group.
Note: When asymmetric hashing is configured, the portsrc and portdst packet fields are not included in the advanced-hash calculation for any GigaStream and inline tool groups across the GigaVUE node.
With symmetrical hashing, the inline network traffic path parameter can be configured to different values on the inline networks. With asymmetrical hashing, there is a restriction. Refer to Asymmetrical Hashing Restrictions.
Refer to Figure 4 for asymmetrical hashing.
Figure 76 | Asymmetrical Hashing |
Use the hashing option a-srcip-b-dstip if the node is on side A of the network and the Internet is on side B. For example, Node A has IP address A. Traffic from Node A (from side A) will have IP address A. Traffic from side B (the Internet) destined for Node A, will have a destination of IP address A. This traffic will go to the same inline tool in the group.
If the network has the Internet on side A and the node on side B, use the hashing option b-srcip-a-dstip.
Asymmetrical Hashing Restrictions
The following are restrictions for asymmetrical hashing:
If asymmetrical hashing is configured for the inline tool group, only rule-based maps or shared collector maps can be used to send traffic to the inline tool group. Inline map passalls cannot be used to send traffic to the inline tool group. |
For inline networks belonging to an inline network group, mapped to an inline tool group using asymmetrical hashing, the Traffic Path must be configured to the same value on all the inline networks, one of Drop, Bypass, To Inline Tool, or ByPass with Monitoring. |
Note: For the inline networks belonging to an inline network group, mapped to an inline tool group using symmetrical hashing, the traffic path parameter can be configured to different values on the inline networks.
If an inline network is involved in an inline map to an inline tool group configured with asymmetrical hashing, the inline network ports of the inline network cannot be used as the Source in any out-of-band maps. Also, if the traffic path parameter for the inline network and the flex traffic path for inline tool group is configured to ByPass with Monitoring, there will not be any bypass traffic. All traffic will be forwarded to the inline tool group. |
When an inline tool group is included as a member of an inline series, asymmetrical hashing is not supported. |
Resilient Weighted Hashing
One of the parameters of inline tool groups is weighting that provides you the ability to distribute traffic to the inline tools by assigning either an equal weighting or a custom weighting to the inline tools. You can assign custom weight in percentage or ratio. If an inline tool in a group goes down and the group maintains the Minimum Healthy Group Size that is defined for the group, the traffic is redistributed to the remaining tools based on the equal weighting or the custom weighting assigned to the tools. If the inline tool group does not meet the Minimum Healthy Group Size defined for the group, the traffic is redistributed based on the Failover Action defined for the group.
Note: Resilient hashing is not supported for classic inline maps.
The values for the weighting parameter are as follows:
Equal—Traffic is distributed equally to all the inline tools in the inline tool group. |
Relative—Traffic is distributed to the inline tools in the inline tool group based on the relative weight or ratio assigned to the respective inline tools. The valid range is 1–256. |
Percentage—Traffic is distributed to the inline tools in the inline tool group based on the percentage assigned to the respective inline tools. The valid range is 1–100. |
If you select Relative or Percentage as the weighting option, enter the hash weights for the inline tools that appear in the table below the Weighting drop-down list. Ensure that you assign a hash weight for each inline tool in the inline tool group.