Associate Inline Networks with Inline Tools Using Inline Maps
Inline networks and inline network groups are associated with inline tools, inline tool groups, and inline serial tools through inline maps. An inline map is a regular map, but the Source and Destination fields specify inline software constructs instead of port lists.
On the Edit Map or New Map page, the Source field specifies the inline network alias or inline network group alias. The Destination field specifies an inline tool alias, an inline tool group alias, an inline tool series alias, or an inline bypass. An inline bypass is a special construct that is used as a pseudo-inline tool to allow a portion of traffic to bypass any inline tools.
Maps can associate a network with multiple inline tools or they can associate multiple inline networks with the same inline tool or with multiple inline tools.
With inline maps, only the traffic that meets the map rules is sent to the tools, to bypass, or to shared collectors. For example, you can send traffic to tools for which they are specialized and send the rest to bypass. Or, if there is a type of traffic in which the tools are not interested or do not understand, that traffic can be sent to a shared collector.
NOTES:
When an inline network is mapped to an inline tool or inline tool group, a second inline network cannot be mapped to the same inline tool. (In other words, an inline tool can be used in only one map.) However, when there are multiple inline networks, use an inline network group to map to the same inline tool. |
If an inline tool is already specified in a map, that tool cannot be included in an inline tool group (unless the map is first deleted). |
Inline network ports, inline tool ports, and out-of-band tool ports that are used in map configuration must all be configured on the same GigaVUE‑HC3, GigaVUE‑HC2, or GigaVUE‑HC1 node. Even if nodes are in a cluster, the inline ports cannot be on different nodes. |
Refer to the following sections:
Inline Map Passall |
Inline Map |
Inline Map Shared Collector |
Inline Maps to Individual Members of an Inline Tool Group |
Out-of-Band (OOB) Map |
Symmetric and Asymmetric Maps |
Inline Map Passall
Use the Pass All subtype to configure a type of inline map that passes all traffic. Map-passalls facilitate the sending of traffic between inline network ports (through inline tools or bypass). All of the inline network ports and inline tool ports involved in an inline map must be located on the same Gigamon node.
Use the Source of the Pass All to specify a single inline network.
Use the Destination of the Pass All to specify an inline tool alias, an inline tool group alias, an inline tool series alias, or an inline bypass. An inline bypass is a special construct that is used as a pseudo inline tool to allow a portion of traffic to bypass any inline tools.
An inline bypass, using the physical bypass option, is only valid if the Source is an inline network port. This applies only to the Pass All subtype for asymmetrical scenarios.
Inline Map
Use the New Map page to configure a type of inline map that uses rules to direct traffic. These inline maps are referred to as rule-based maps. All of the inline network ports and inline tool ports involved in an inline map must be located on the same GigaVUE node.
Use the Source field to specify an inline network alias or an inline network group alias.
Support for rule-based maps is limited to symmetric scenarios, which means that the Destination of rule-based inline maps can only be aliases of inline networks or inline network groups (not individual ports).
Use the Destination to specify an inline tool alias, an inline tool group alias, an inline tool series alias, or an inline bypass. An inline bypass is a special construct that is used as a pseudo inline tool to allow a portion of traffic to bypass any inline tools.
For rule-based maps, the Destination can be configured to inline bypass with no restrictions, so long as the Source specifies either an inline network or an inline tool.
Use the Priority to order inline maps by priority. For example, you can specify the highest priority map to be for encrypted traffic and lowest priority map to be for a shared collector. You can also place inline maps before or after one another using the Priority.
Use the Type to specify any map rule.
Inline Map Shared Collector
Use the Collector subtype to configure a shared collector to which to send any packets that do not match the map rules in the inline maps. Use a shared collector with one or more rule-based inline maps. All of the inline network ports and inline tool ports involved in an inline shared collector map must be located on the same GigaVUE node.
Use the Source argument to specify an inline network alias or an inline network group alias.
Use the Destination argument to specify an inline tool alias, an inline tool group alias, an inline tool series alias, or an inline bypass. An inline bypass is a special construct that is used as a pseudo inline tool to allow a portion of traffic to bypass any inline tools.
For shared collector maps, the Source field can be configured to inline bypass with no restrictions, so long as the Destination field specifies either an inline network or an inline tool.
Support for shared collector inline maps is limited to symmetric scenarios, which means that the Destination field of rule-based inline maps can only be aliases of inline networks or inline network groups (not individual ports).
Inline Maps to Individual Members of an Inline Tool Group
Prior to software version 4.4, the Map page was used to configure an inline map that directed traffic to the inline tool group as a whole. The map could be rule-based or passall. There was only one type of hashing available, which distributed the traffic across the tools in the inline tool group.
Starting in software version 4.4, the Map page can also be used to configure inline maps to the individual members of an inline tool group. The maps must be rule-based. There are also more hashing options that can be specified for traffic that does not match any of the map rules. The hashing options are described in Symmetrical and Asymmetrical Hashing.
The rule-based maps are defined with the inline tool group sharing the same source, either an inline network or an inline network group in the Source field of the map. The map destinations (the Destination field of the map) are the individual inline tools in the group. Traffic not matching any of the map rules is sent to a shared collector to be distributed according to the specified hashing value.
The shared collector must also have the same source as the maps to the individual members of the inline tool group. The destination for the shared collector is the inline tool group. The shared collector map is a mandatory part of the configuration.
Both configurations are available: either a single map to the inline tool group as a whole, or multiple rule-based maps to the individual members of the inline tool group plus a shared collector; however, they cannot both be configured at the same time.
Refer to Figure 1 for the rule-based maps to the individual members of the inline tool group. In Figure 1, traffic is only shown from A-to-B.
.
Figure 126 | Rule-Based Maps to Individual Tools in an Inline Tool Group |
Map, Inline Tool, and Inline Tool Group Configuration Restrictions
The following are map, inline tool, and inline tool group configuration restrictions for the rule-based maps to the individual members of the inline tool group:
If there is a map to the inline tool group as a whole, there cannot also be rule-based maps to the individual inline tools in the group. |
Maps to the individual inline tools in a group must be rule-based. Map passalls to the individual tools cannot be configured. |
The source of rule-based maps to the individual inline tools in a group must be the same (either the same inline network or the same inline network group). The shared collector must have the same source as well. |
If there is a map configured to the individual inline tools in a group, the inline networks must have their traffic path set to to-inline-tool. This applies to individual inline networks as well as to inline networks involved in an inline network group. |
For the individual inline tools in a group, the recovery mode of the individual inline tools must be configured as automatic. A recovery mode of manual cannot be configured. |
For the inline tool group, the failover action must be either NetworkBpass or NetworkDrop. A failover action of either ToolBypass or ToolDrop for the inline tool group cannot be configured. |
Only one inline shared collector map can be configured (among the set of inline maps). |
Maps must be created in a specific order. The shared collector map must be configured last. For example, if there are three inline tools in the group, configure the three maps to the individual members of the group first, then configure the shared collector map. |
Maps must be deleted in a specific order. The shared collector map must be deleted first. Then the maps to the individual members of the group can be deleted. |
Once the shared collector map is configured, any changes to the maps to the individual members of the group are restricted. Only the map rules can be edited. |
Note: All the rules in a map cannot be deleted. All maps must have attributes for Source, Destination, and at least one rule configured.
When an inline tool group is included as a member of an inline series, inline maps to individual members of an inline tool group are not supported. |
- If one of the inline tools is disabled in an inline-network-group to inline-tool-group map that has the same ingress VLAN tag on the ports of an inline-network pair then the traffic will be looped back to the same network. This behavior is seen only with passall maps. In above scenarios use rule-based maps instead of passall maps.
Inline Tool Failures and Failover Actions
An inline tool group has a failover action for the group as a whole. The failover action is taken in response to a failure when the number of healthy inline tools in the inline tool group (including the spare inline tool, if configured) falls below the configured minimum. In addition, the individual inline tools in the group have failover actions.
When there are maps to individual inline tool members of the group, an inline tool has both a group failover action and an individual failover action.
Refer to Failover Actions When an Individual Tool in an Inline Tool Group Fails for the failover actions when an individual inline tool in an inline tool group fails.
Maps That May Lead to Selective Traffic Drops
With inline bypass solutions based on inline flow mapping, the use of rule-based maps can lead to selective traffic drops. Traffic drops can occur as follows:
if a shared collector from the inline network or inline network group has not been configured. Packets not matching the criteria specified by the rules in the configured rule-based maps will be dropped. |
if drop rules have been included in the rule-based maps configured from the inline network or inline network group |
In most inline flow mapping solutions, all traffic exchanged between the two end nodes of a given inline network are expected to be processed by the inline tool or tools associated with this inline network through the configured maps. Therefore, it is recommended to always configure a shared collector and to not include drop rules in the rule-based maps.
Out-of-Band (OOB) Map
All inline network ports and inline tool ports can be subject to monitoring by listen-only tools. This means that an inline network port or inline tool port can be listed in the Source field in which the Destination field is an arbitrary tool type of port located anywhere in the system and not limited to the same node.
Inline network ports and inline tool ports involved in rule-based inline maps can be used as network ports for monitoring (or out-of-band) maps.
Out-of-band (OOB) maps are supported as follows:
If the inline bypass solution use passalls, the OOB arrangements can use any rule-based maps or map shared collectors, or passalls. Refer to Figure 2 Out-of-Band Rule-Based Maps. |
If the inline bypass solution use rule-based maps or map shared collectors, the OOB arrangements can use only map passalls. Refer to Figure 3 Out-of-Band Map Passalls. |
When the source port of an OOB map is associated with an inline network, a list of inline ports is supported in the port list (the Source field of the Map page). |
The following restrictions apply to OOB maps:
When the source port of an OOB map is associated with an inline network group, only a single inline port (network or tool) is supported in the port list. In this case, multiple OOB maps are needed because each OOB map only accepts one inline port (network or tool) in the Source field on the Map page. |
OOB maps from inline network ports of inline networks involved in maps to inline tool groups configured with asymmetrical hashing are not allowed. If an inline network is involved in an inline map to an inline tool group configured with asymmetrical hashing, the inline network ports of the inline network cannot be used as the Source attribute in any out-of-band maps. |
Prior to software version 4.4, if an inline network was part of an inline network group, sending traffic to an out-of-band tool was not allowed.
Starting in software version 4.4, out-of-band maps from inline ports involved in inline network groups are supported. You can configure OOB maps originating from inline network ports or inline tool ports when these ports are involved in an inline network group, except for the following:
GigaSMART operations |
tool ports located on a different node |
Figure 127 | Out-of-Band Rule-Based Maps |
Figure 128 | Out-of-Band Map Passalls |
Symmetric and Asymmetric Maps
In a symmetric map configuration, the southbound and northbound forwarding to the tools is the same. For example, traffic from A to B goes through an inline tool, as does traffic from B to A. Rule-based maps are limited to symmetric configurations.
In an asymmetric map configuration, the southbound traffic is distributed to the inline tools, but northbound traffic can be sent through uninspected. For example, traffic from A to B goes through an inline tool, but traffic from B to A bypasses it.
Asymmetric configurations are only supported with map passalls. Traffic can come from individual inline networks, be sent to individual inline tools or inline tool groups, or to bypass.
Symmetrical combinations of two asymmetrical arrangements (that is, with both side A and side B pointing to the inline tool or to bypass) are not allowed.
Some IPSs do not need to inspect northbound traffic. For example, those focused on preventing Denial of Service (DoS) attacks, may not need to keep track of session flows and may only be concerned about southbound traffic.
Conversely, data loss prevention systems, those that are more concerned about what sensitive data is leaving the protected network than what is coming in, may focus solely on northbound traffic.