Configure Secure Tunnel (Nutanix)
Follow the instructions in this topic to configure secure tunnels for GigaVUE Cloud Suite for Nutanix.
Prerequisites
- An SSH key pair
- A CA certificate
Notes
- The secure tunnel supports IPv4 and IPv6.
- For IPv6 tunnels, ensure GigaVUE‑FM and the fabric components run version 6.6.00 or above.
- For UCT-V agents with a version lower than 6.6.00, if secure tunnel is enabled in the monitoring session, secure tunnel traffic uses IPv4, even if IPv6 is preferred.
Configure Secure Tunnel from GigaVUE V Series Node 1 to GigaVUE V Series Node 2
You can create a secure tunnel in the following ways:
- Between GigaVUE V Series Node 1 and GigaVUE V Series Node 2
- From GigaVUE V Series Node 1 to multiple GigaVUE V Series Nodes
Prerequisite
Before you start the configuration of a secure tunnel from GigaVUE V Series Node 1 to GigaVUE V Series Node 2, make sure you have the following:
- IP address of the tunnel destination endpoint (GigaVUE V Series Node 2).
- SSH key pair (pem file).
To configure a secure tunnel from GigaVUE V Series Node 1 to GigaVUE V Series Node 2, perform the following steps:
1. Upload a Certificate Authority (CA) Certificate
   You must upload a custom certificate to the UCT-V Controller to establish a connection between the GigaVUE V Series Nodes.
   To upload the CA using GigaVUE‑FM:
   a. Go to Inventory > Resources > Security > CA List.
   b. Select Add. The Add Certificate Authority page appears.
   c. Enter or select the following information:
      Alias: Alias name of the CA.
      File Upload: Choose the certificate from the desired location.
   d. Select Save.
   e. Select Deploy All.
   For more information, refer to Adding Certificate Authority.
2. Upload an SSL Key
   You must add an SSL key to the GigaVUE V Series Node. To add the SSL key, follow the steps in SSL Decrypt.
3. Create a secure tunnel between UCT-V and GigaVUE V Series Node 1
   To enable the secure tunnel feature:
   a. In the Edit Monitoring Session page, select Options. The Apply template page appears.
   b. Enable the Secure Tunnel button. You can enable secure tunnel for both mirrored and precrypted traffic.
4. Select the added SSL Key while creating a monitoring domain
   Select the added SSL Key while creating a monitoring domain and configuring the fabric components in GigaVUE‑FM for GigaVUE V Series Node 1. You must select the added SSL Key in GigaVUE V Series Node 1. To select the SSL key, follow the steps in Configure GigaVUE Fabric Components in GigaVUE-FM.
5. Select the added CA certificate while creating the monitoring domain
   Select the added Certificate Authority (CA) in the UCT-V Controller. To select the CA certificate, follow the steps in Configure GigaVUE Fabric Components in GigaVUE-FM.
6. Create an egress tunnel from GigaVUE V Series Node 1 with tunnel type TLS-PCAPNG while creating the monitoring session
   You must create a tunnel for traffic to flow out of GigaVUE V Series Node 1, with tunnel type TLS-PCAPNG, while creating the monitoring session. For details, refer to Create Ingress and Egress Tunnel (Nutanix).
   To create the egress tunnel:
   a. Create a new monitoring session, or select Actions > Edit on an existing monitoring session. The GigaVUE‑FM canvas appears.
   b. In the canvas, select New > New Tunnel, then drag and drop a new tunnel template to the workspace. The Add Tunnel Spec quick view appears.
   c. On the New Tunnel quick view, enter or select the required information as follows:
      Alias: The name of the tunnel endpoint.
      Description: The description of the tunnel endpoint.
      Type: Select TLS-PCAPNG to create an egress secure tunnel.
      Traffic Direction: Choose Out (Encapsulation) to create an egress tunnel from the V Series node to the destination. Select or enter the following values:
         - MTU: The default value is 1500 for Azure. Note: Increasing the MTU value will impact the performance and may even result in packet loss. By default, Azure VNet attempts to fragment jumbo frames even if you configure sending and receiving VMs with a higher MTU.
         - Time to Live: Enter the time interval for which the session needs to be available. The value ranges from 1 to 255. The default value is 64.
         - DSCP: Enter the Differentiated Services Code Point (DSCP) value.
         - Flow Label: Enter the Flow Label value.
         - Source L4 Port: Enter the Source L4 Port value.
         - Destination L4 Port: Enter the Destination L4 Port value.
         - Cipher: Only SHA 256 is supported.
         - TLS Version: Select TLS Version 1.3.
         - Selective Acknowledgments: Choose Enable to turn on TCP selective acknowledgments.
         - SYN Retries: Enter the number of times the SYN has to be retried. The value ranges from 1 to 6.
         - Delay Acknowledgments: Choose Enable to turn on delayed acknowledgments.
      Remote Tunnel IP: Enter the interface IP address of GigaVUE V Series Node 2 (Destination IP).
   d. Select Save.
7. Select the added SSL Key while creating a monitoring domain and configuring the fabric components in GigaVUE‑FM for GigaVUE V Series Node 2
   You must select the added SSL Key in GigaVUE V Series Node 2. To select the SSL key, follow the steps in Configure GigaVUE Fabric Components in GigaVUE-FM.
8. Create an ingress tunnel in GigaVUE V Series Node 2 with tunnel type TLS-PCAPNG while creating the monitoring session for GigaVUE V Series Node 2
   You must create an ingress tunnel for traffic to flow in from GigaVUE V Series Node 1, with tunnel type TLS-PCAPNG, while creating the monitoring session.
   To create the ingress tunnel:
   a. Create a new monitoring session, or select Actions > Edit on an existing monitoring session. The GigaVUE‑FM canvas appears.
   b. In the canvas, select New > New Tunnel, then drag and drop a new tunnel template to the workspace. The Add Tunnel Spec quick view appears.
   c. On the New Tunnel quick view, enter or select the required information as follows:
      Alias: The name of the tunnel endpoint.
      Description: The description of the tunnel endpoint.
      Type: Select TLS-PCAPNG to create an ingress secure tunnel.
         Note: If you are enabling Secure Tunnel in a monitoring session with traffic acquisition method UCT-V, you must not create a TLS-PCAPNG tunnel with direction In, Destination L4 port 11443, and GigaVUE V Series Node version 6.5 and above.
      Traffic Direction: Choose In (Decapsulation) to create an ingress tunnel that receives traffic from V Series Node 1. Select or enter the values as described in Step 6.
      IP Version: The version of the Internet Protocol. IPv4 and IPv6 are supported.
      Remote Tunnel IP: Enter the interface IP address of GigaVUE V Series Node 1 (Destination IP).
   d. Select Save.
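As an added pre-flight check that is not part of the Gigamon documentation, the following Python script encodes the tunnel-spec constraints this page states (TLS Version 1.3 only, SHA 256 cipher only, Time to Live 1 to 255, SYN Retries 1 to 6, IPv6 requiring version 6.6.00 or above, and the UCT-V port 11443 restriction) so that a planned egress or ingress TLS-PCAPNG spec can be validated before it is entered in the quick view. The field names are assumptions that mirror the quick-view labels; no GigaVUE-FM API is called.

```python
import ipaddress
from dataclasses import dataclass

def parse_version(text: str) -> tuple:
    """'6.5' or '6.5.00' -> (6, 5, 0) so GigaVUE versions compare numerically."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

@dataclass
class TunnelSpec:
    """One TLS-PCAPNG tunnel as entered in the quick view (field names assumed)."""
    alias: str
    direction: str                 # "Out" (egress) or "In" (ingress)
    remote_ip: str                 # interface IP of the peer V Series Node
    ip_version: int = 4
    tls_version: str = "1.3"
    cipher: str = "SHA256"
    mtu: int = 1500
    ttl: int = 64
    syn_retries: int = 3
    dest_l4_port: int = 0
    node_version: str = "6.6.00"
    uct_v_secure_tunnel: bool = False  # UCT-V acquisition with Secure Tunnel on

def validate(spec: TunnelSpec) -> list:
    """Return the documented constraints the spec violates (empty list == OK)."""
    problems = []
    node = parse_version(spec.node_version)
    if spec.direction not in ("In", "Out"):
        problems.append("Traffic Direction must be In (ingress) or Out (egress)")
    if spec.tls_version != "1.3":
        problems.append("only TLS Version 1.3 is supported")
    if spec.cipher != "SHA256":
        problems.append("only the SHA 256 cipher is supported")
    if not 1 <= spec.ttl <= 255:
        problems.append("Time to Live must be between 1 and 255")
    if not 1 <= spec.syn_retries <= 6:
        problems.append("SYN Retries must be between 1 and 6")
    if spec.mtu > 1500:
        problems.append("MTU above 1500 may degrade performance or drop packets")
    if ipaddress.ip_address(spec.remote_ip).version != spec.ip_version:
        problems.append("Remote Tunnel IP does not match the selected IP Version")
    if spec.ip_version == 6 and node < (6, 6, 0):
        problems.append("IPv6 tunnels need GigaVUE-FM and fabric version 6.6.00 or above")
    # Page note: UCT-V acquisition + Secure Tunnel on + node 6.5 or above must not use an ingress TLS-PCAPNG tunnel on L4 port 11443.
    if (spec.uct_v_secure_tunnel and spec.direction == "In"
            and spec.dest_l4_port == 11443 and node >= (6, 5, 0)):
        problems.append("ingress TLS-PCAPNG on port 11443 clashes with the UCT-V secure tunnel")
    return problems
```

Run validate() on the egress spec for Node 1 and the ingress spec for Node 2 before entering them; any returned string names a value the page says GigaVUE-FM will not accept or that may cause trouble.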