Resilient inline arrangement is a method of configuring and deploying inline threat prevention tools for dual-path, redundant network architectures. A successful deployment of resilient inline arrangements provides traffic management for dual-path high availability environments.
The following figure illustrates the resilient inline arrangement.
Figure 52: Resilient Inline Arrangement
The resilient inline arrangement shows the Gigamon devices, which consolidate the traffic from multiple intercepted links before routing the traffic to inline tools. To protect such an inspection arrangement from a failure of a Gigamon device, a redundant pair of inline packet brokers is shown. The two inline packet brokers are interconnected by an Inter-broker Pathway (IB-P). For details, refer to Inter-broker Pathway (IB-P).
Each inline packet broker is attached to a set of inline tools that are identical to each other; that is, both inline packet brokers must have an equal number of inline tools. Moreover, the inline tools on both sides must be of the same type, port speed, and processing capacity.
Resilient inline arrangement is based on an aggregation and distribution principle that divides the packets received by an inline packet broker between Node 1 and Node 2. The inline packet broker on the left guides the Node 1 class of packets through its local tools and the Node 2 class of packets through the remote tools that are reachable over the resilient inter-broker pathway. Similarly, the inline packet broker on the right guides the Node 2 class of packets through its local tools and the Node 1 class of packets through the remote tools.
Each link intercepted by the inline packet broker must be configured with the following component maps:
■ either a bidirectional original component map or two unidirectional original component maps,
■ two unidirectional export component maps, and
■ two unidirectional import component maps.
GigaVUE‑FM configures the required export and import component maps for all the links that are intercepted by both the inline packet brokers. GigaVUE‑FM configures the maps based on the tool side VLAN tags and the rules that you specified when configuring the flexible inline map.
The component maps use VLAN tags to transfer the traffic from inline network to inline tools and back through the inter-broker pathway. Refer to the following sections:
When a packet is received from an inline network, an additional VLAN tag is added to the packet before it is guided to the inline tools. The additional VLAN tag is useful when the inline tools are shared by multiple traffic flows: it distinguishes the traffic coming back from the inline tools and ensures that the traffic is routed to the right inline network. You can configure the additional VLAN tags when you create the flexible inline maps.
Resilient Inline Arrangement With Single VLAN Tag
You can choose to deploy resilient inline arrangement with a single VLAN tag, in which a packet received from an inline network is guided to the inline tool using a single VLAN tag that you configure when creating a flexible inline map. You must configure the packet's original VLAN tag as the network side VLAN tag and provide the required tool side VLAN tag when you create the flexible inline maps. The single VLAN tag is useful when your inline tools do not support Q-in-Q VLAN tags.
Inter-broker Pathway (IB-P)
The inter-broker pathway provides link aggregation and distribution and is responsible for moving traffic between Node 1 and Node 2. You must configure tool ports in the inter-broker pathway. The IB-P states are as follows:
■ inter-broker pathway-up—the traffic is handled as follows:
o If the traffic is governed by the original component maps in which the traffic path is set to Bypass, the traffic bypasses the sequence of inline tools and inline tool groups and is redirected to the inline network port that is configured on the opposite side.
o If the traffic is governed by the export component maps in which the traffic path is set to any value other than Bypass, the traffic is routed through the inter-broker pathway based on the tag value defined in the map. If the tag value matches the VLAN attribute configured in the import component map, the traffic is sent to the inline packet broker on the opposite side. The traffic is then routed through the inline tools or inline tool groups in the sequence defined in the import component map. After inspection, the traffic is sent back to the inter-broker pathway with the same tag value. Finally, the traffic is intercepted by the export component map and guided to the respective exit inline network port.
■ inter-broker pathway-down—the traffic is handled based on the failover action selected for the configured inline map, as follows:
o If the failover is set to ‘bypass’, the traffic is passed directly between the respective inline network ports.
o If the failover is set to ‘original-map’, the traffic is passed through the path defined by the respective original map.
Note: Traffic can be moved from ‘bypass’ to ‘original-map’ and vice versa while the inter-broker pathway is in the ‘down’ state.
The failover-action set for an inline tool or inline tool group configured on Node 2 affects the inter-broker pathway as follows:
■ If the failover-action for the inline tools on Node 2 is set to ‘network-bypass’, all traffic received on Node 2 is bypassed and returned to Node 1.
■ If the failover-action is set to ‘network-drop’, all traffic received on Node 2 of the inter-broker pathway is dropped.
■ If the failover-action is set to ‘network-port-forced-down’, all ports on Node 2 of the inter-broker pathway are brought down.
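The distribution principle and the IB-P up/down handling described above can be modelled in a few lines. The following is an added example, not Gigamon code: it assigns a packet to the Node 1 or Node 2 class using the Hashing Type, Hashing LSB Node and Hashing Port option descriptions from the Deploy procedure on this page (side B hashing on the source field, side A on the destination field), checks that both directions of a flow land on the same node, and selects the path a broker takes when the IB-P is up or down. The interpretation of "ending with 0" as the least significant address bit being 0 is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Added example, not Gigamon code: Node 1/Node 2 hashing and IB-P path selection per this page.

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

# Node that receives IPs "ending with 0" (L3) or odd ports (L4), per the page's option text.
LSB_NODE = {"Node1 as 0": 2, "Node2 as 0": 1}       # IPs ending with 0 -> this node
HASH_PORT = {"Node1 as odd": 2, "Node2 as odd": 1}  # odd ports -> this node

def ip_ends_with_zero(ip: str) -> bool:
    # Assumption: "ending with 0" means the least significant address bit is 0.
    return int(ip_address(ip)) & 1 == 0

def node_for(pkt: Packet, side: str, hashing_type: str,
             lsb_node: str = "Node1 as 0", hashing_port: str = "Node1 as odd") -> int:
    """Return 1 or 2, the node whose inline tools inspect this packet.
    Side B hashes on the source field, side A on the destination field."""
    if side not in ("A", "B"):
        raise ValueError(f"unknown side: {side}")
    ip, port = (pkt.src_ip, pkt.src_port) if side == "B" else (pkt.dst_ip, pkt.dst_port)
    if hashing_type == "L3 (IP Based)":
        hit, node = ip_ends_with_zero(ip), LSB_NODE[lsb_node]
    elif hashing_type == "L4 (Port Based)":
        hit, node = port % 2 == 1, HASH_PORT[hashing_port]
    else:
        raise ValueError(f"unknown hashing type: {hashing_type}")
    return node if hit else 3 - node  # the other value goes to the opposite node

def flow_is_symmetric(pkt: Packet, hashing_type: str, **opts) -> bool:
    """True when a request seen on side A and its reply seen on side B are
    assigned to the same node, which stateful inline inspection requires."""
    reply = Packet(pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port)
    return node_for(pkt, "A", hashing_type, **opts) == node_for(reply, "B", hashing_type, **opts)

def traffic_path(local_node: int, target_node: int, ibp_up: bool, failover: str) -> str:
    """Where a broker on local_node sends a packet of class target_node."""
    if target_node == local_node:
        return "local-tools"
    if ibp_up:
        return "remote-tools-via-ib-p"  # export map tags it across the IB-P
    if failover not in ("bypass", "original-map"):
        raise ValueError(f"unknown failover action: {failover}")
    return failover  # IB-P down: the map's FlexInline Failover action applies
```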
Resilient Inline Arrangement—Rules and Notes
Keep in mind the following rules and notes when working with Resilient Inline Arrangement:
■ Ensure that the names on both GigaVUE devices are identical; that is, the inline networks, inline tools, inline tool groups, out-of-band tools, and out-of-band tool GigaStreams must all have the same alias names on both devices.
■ If you choose to use the inline network bundle, the alias of the inline network bundle on both devices must be identical. However, the inline networks that are grouped into the bundle can have different aliases.
Deploy Resilient Inline Arrangement
Following are the prerequisites that you must complete before you configure Resilient inline arrangement:
1. On the left navigation pane, go to Physical > Orchestrated Flows > Inline Flows, and then click Configuration Canvas to create a new Flexible Inline Canvas.
2. In the Flexible Inline Canvas that is displayed, select the device for which you want to create the inter-broker pathway.
3. Click the ‘+’ icon next to the IB Pathway option to create a new inter-broker pathway.
4. In the Properties pane, in the Alias and Description fields, enter a name and description for the inter-broker pathway.
5. From the Ports drop-down lists, select the tool ports to attach to the inter-broker pathway.
Note: If the required tool ports are not available, you can administratively enable them. Click Port Editor, and in the Quick Port Editor page, scroll down to the tool ports that you wish to configure. Select Enable, and then click OK.
6. In the Minimum Ports Up field, enter the minimum number of tool ports that must be operationally up for the inter-broker pathway status to be up.
7. From the Traffic Path drop-down list, select one of the following options:
o Bypass—Traffic bypasses the inter-broker pathway and is redirected to the next inline network port.
o Monitoring—Traffic is forwarded to the sequence of inline tools in monitoring mode.
o To Inline Tool—Traffic is forwarded to the sequence of inline tools that you have configured.
Side B—Hashing is done based on either the source IP address or the source port from side B. On side A, hashing is done based on either the destination IP address or the destination port.
6. From the Hashing Type drop-down list, select one of the following options:
o L3 (IP Based)—Hashing is done based on IP address.
o L4 (Port Based)—Hashing is done based on transport layer port number.
7. From the Hashing LSB Node drop-down list, select one of the following options:
o Node1 as 0—All traffic from IP addresses ending with 0 will be hashed to node 2.
o Node2 as 0—All traffic from IP addresses ending with 0 will be hashed to node 1.
Note: This field is available only if you select the L3 (IP Based) option in the Hashing Type field.
8. From the Hashing Port drop-down list, select one of the following options:
o Node1 as odd—All traffic with odd port numbers will be hashed to node 2 and traffic with even port numbers will be hashed to node 1.
o Node2 as odd—All traffic with odd port numbers will be hashed to node 1 and traffic with even port numbers will be hashed to node 2.
Note: This field is available only if you select the L4 (Port Based) option in the Hashing Type field.
9. Click OK to save the settings.
10. Drag and drop the flexible inline map into the canvas, and then click the map to open the Properties pane.
11. In the Alias and Description fields, enter the name and description of the inline map.
Note: You can choose to disable the Single Tag Mode for collector maps, if required.
13. Enter the Tool Side VLAN Tag for the inline network for which you are configuring the map.
14. From the FlexInline Failover drop-down list, select one of the following options:
o Bypass—the traffic is passed directly between the respective inline network ports.
o Original Map—the traffic is passed through the path that is defined in this flexible inline map.
15. Add the required rules for the inline map, and then click OK to save the configuration.
16. Drag and drop the required inline tools or inline tool group into the canvas.
17. Drag and drop the OOB Copy into the canvas, if required.
18. From the Destination Ports drop-down list, select the required hybrid or tool ports.
19. From the VLAN Tag drop-down list, select one of the following options:
o None—No VLAN tag is used and the traffic is routed to a different destination.
o Original—Uses the original VLAN tag of the packet received from the inline network.
o As Inline—Uses the same VLAN tag that was configured for the flexible inline map.
Note: As Inline is the only option available when you configure Resilient Inline Arrangement with a single VLAN tag.
20. Click Deploy. The Deploy pop-up window appears.
21. In the Deploy pop-up window, select a traffic path and click OK.
Note: If validation fails when you configure or deploy the RIA SSL solution with an outer map tool in non-shared mode, do the following:
■ Correct the error and redeploy the solution.
■ Delete the existing SSL app and create a new one, if the SSL app is not used in any other map or solution.