Simple and Complex Inline Bypass Solutions
Simple and complex inline bypass solutions are described in the following sections:
Typical Configuration |
Distribution to Multiple Inline Tools |
Inline Tools in a Series |
Multiple Inline Networks |
Inline Flow Mapping® |
Send Traffic to Out-of-Band Tools |
Typical Configuration
In the typical or most common configuration, a single inline tool is inserted in a Network A to Network B link. All traffic is sent to the inline tool and inspected in both directions.
A typical configuration is shown in 1 Simple Configuration. The physical protection switch is optional and present only when using bypass combo modules or copper TAP modules.
1 | Simple Configuration |
Distribution to Multiple Inline Tools
One of the challenges to inline monitoring is scaling the throughput of the inline tools with the speed of the network. One way to do this is to share the load across multiple inline tools.
Because inline inspection of network traffic is processor-intensive, it is common to combine the power of multiple inline tools to monitor traffic. This is especially true for 10Gb, 40Gb, and 100Gb networks and tools that only support 1Gb or 10Gb interfaces.
An inline tool group is an arrangement of multiple inline tools which share the traffic load. Traffic is sent to the tools based on standard hashing parameters. This is referred to as hash-based distribution. If a single tool in the group of tools fails, the packets will be redistributed to other tools. This ensures that all packets are inspected.
A multiple inline tool arrangement is shown in 2.
2 | Multiple Tool Arrangement |
Multiple tool distributions can be non-redundant or have 1+1 or N+1 redundancy. About Inline Tool Groups
Inline Tools in a Series
Tools can form an inline series, in which the traffic from one tool flows to the next, so all tools see the same traffic.
Refer to 3 for an inline tool series. In 3, traffic is only shown from A-to-B.
3 | Inline Tool Series |
For more information on inline tool series, refer to Inline Tools in a Series.
Multiple Inline Networks
An inline network group is an arrangement of multiple inline networks that share the same inline tool, inline tool group, or inline tool series. The numbers of networks to tools can be many-to-one as shown in 4 or many-to-many. Traffic is guided to a particular inline network through internal VLAN ID tagging.
4 | Inline Network Group |
For more information on inline network groups, refer to Configure Inline Bypass Solutions.
Inline Flow Mapping®
Some tools are optimized for particular inline traffic. With inline flow mapping, the GigaVUE node forwards packets to different inline tools based on criteria, such as TCP/UDP port number, or any other rule that can be defined in a map. Using these map rules, selected traffic can be sent to specific tools.
When inline flow mapping is combined with distribution to multiple tools, one application, such as Web traffic, can be sent to one tool or group of tools, while another application, such as email traffic, can be sent to another tool or group of tools. If there is traffic, such as encrypted traffic, that does not need to be or cannot be inspected, it can be bypassed.
An inline flow mapping based traffic distribution is shown in 5. In 5, traffic is only shown from A-to-B.
5 | Inline Flow Mapping® Based Traffic Distribution |
Send Traffic to Out-of-Band Tools
Traffic can be sent to out-of-band (OOB) tools. Any port used for inline functionality can be used as a source for a map to an out-of-band tool. This includes any inline network port or inline tool port. For example, you can use inline tool ports to inspect packets that have passed through the IPS.
An out-of-band arrangement is shown in 6.
6 | Out-of-Band Arrangement |