GigaVUE Cloud Suite for OpenStack

The OpenStack software is designed for multi-tenancy (multiple projects), where a common set of physical compute and network resources is used to create project domains that provide isolation and security. Characteristics of a typical OpenStack deployment include the following:

  • Projects are unaware of the physical hosts on which their instances are running.
  • A project can have several virtual networks and may span across multiple hosts.

In a multi-project OpenStack cloud, where project isolation is critical, the Gigamon solution extends visibility for the project's workloads without impacting others by doing the following:

  • Support project-wide monitoring domains—a project may monitor any of its instances.
  • Honor project isolation boundaries—no traffic leakage from one project to any other project during monitoring.
  • Monitor traffic without needing cloud administration privileges. There is no requirement to create port mirror sessions and so on.
  • Monitor traffic activity of one project without adversely affecting other projects.

This section describes the requirements and prerequisites for configuring the GigaVUE Cloud Suite for OpenStack. Refer to the following sections for details.

■   Minimum Compute Requirements for OpenStack
■   Recommended Instance Type for OpenStack
■   Security Group for OpenStack
■   Network Requirements

Minimum Compute Requirements for OpenStack

In OpenStack, flavors set the vCPU, memory, and storage requirements for an image. Gigamon recommends that you create a flavor that matches or exceeds the minimum recommended requirements listed in the following table.

| Compute Instances | vCPU | Memory | Disk Space | Description |
|---|---|---|---|---|
| UCT-V | 2 vCPU | 4GB | N/A | Available as rpm or Debian package. Instances can have a single vNIC or dual vNICs configured for monitoring the traffic. |
| UCT-V Controller | 1 vCPU | 4GB | 8GB | Based on the number of agents being monitored, multiple controllers will be required to scale out horizontally. |
| GigaVUE V Series Node | 2 vCPU | 3.75GB | 20GB | NIC 1: Monitored Network IP; can be used as Tunnel IP. NIC 2: Tunnel IP (optional). NIC 3: Management IP. |
| GigaVUE V Series Proxy | 1 vCPU | 4GB | 8GB | Based on the number of GigaVUE V Series Nodes being monitored, multiple controllers will be required to scale out horizontally. |
| GigaVUE‑FM | 4 vCPU | 8GB | 40GB | GigaVUE‑FM must be able to access the controller instance for relaying the commands. Use a flavor with a root disk of minimum 40GB and an ephemeral disk of minimum 41GB. |

Recommended Instance Type for OpenStack

The instance size of the GigaVUE V Series Node is configured and packaged as part of the qcow2 image file. The following table lists the available instance types and sizes based on memory and the number of vCPUs for a single GigaVUE V Series Node. Instance sizes can be different for GigaVUE V Series Nodes in different OpenStack VMs; the default size is Small.

| Type | Memory | vCPU | Disk space | vNIC |
|---|---|---|---|---|
| Small | 4GB | 2 vCPU | 8GB | 1 Management interface, 1 to 8 Tunnel interfaces |
| Medium | 8GB | 4 vCPU | | |
| Large | 16GB | 8 vCPU | | |

Network Firewall Requirements for OpenStack

GigaVUE‑FM

| Direction | Ether Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| Inbound | HTTPS | TCP | 443 | Any IP address | Allows users to connect to the GigaVUE‑FM GUI. |
| Inbound | IPv4 | UDP | 53 | Any IP address | Allows GigaVUE‑FM to communicate with a standard DNS server. |
| Inbound | Custom TCP Rule | TCP | 5671 | GigaVUE V Series Node IP | Allows GigaVUE V Series Nodes to send traffic health updates to GigaVUE‑FM. Allows Next Generation UCT-V to send statistics to GigaVUE-FM. |
| Outbound (optional) | Custom TCP Rule | TCP | 8890 | V Series Proxy IP | Allows GigaVUE‑FM to communicate with V Series Proxy. |
| Outbound | Custom TCP Rule | TCP | 8889 | GigaVUE V Series Node IP | Allows GigaVUE‑FM to communicate with V Series Node. |

UCT-V Controller

| Direction | Ether Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| Inbound | Custom TCP Rule | TCP | 9900 | GigaVUE-FM IP (Custom) | Allows GigaVUE-FM to communicate with UCT-V Controllers. |
| Inbound (this is the port used for Third Party Orchestration) | Custom TCP Rule | TCP(6) | 8891 | UCT-V or Subnet IP | Allows UCT-V Controller to receive the registration requests from UCT-V and forward them to GigaVUE-FM. |
| Outbound | Custom TCP Rule | TCP | 5671 | GigaVUE-FM IP | Allows UCT-V Controller to send traffic health updates to GigaVUE‑FM. |

UCT-V

| Direction | Ether Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| Inbound | Custom TCP Rule | TCP | 9901 | UCT-V Controller IP (Custom) | Allows UCT-V Controllers to communicate with UCT-Vs. |
| Outbound (this is the port used for Third Party Orchestration) | Custom TCP Rule | TCP(6) | 8891 | UCT-V or Subnet IP | Allows UCT-V to communicate with UCT-V Controller for registration and heartbeat. |
| Outbound | Custom TCP Rule | TCP | 11443 | UCT-V subnet | Allows UCT-V to securely transfer the traffic to GigaVUE V Series Node. |

UCT-V OVS Controller

| Direction | Ether Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| Inbound | Custom TCP Rule | TCP | 9900 | GigaVUE-FM IP (Custom) | Allows GigaVUE-FM to communicate with UCT-V OVS Controllers. |

UCT-V OVS Agent

| Direction | Ether Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| Inbound | Custom TCP Rule | TCP | 9901 | UCT-V OVS Controller IP (Custom) | Allows UCT-V OVS Controllers to communicate with UCT-V OVS Agents. |

GigaVUE V Series Proxy

| Direction | Ether Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| Inbound | IPv4 | TCP | 8890 | GigaVUE‑FM IP address | Allows GigaVUE‑FM to communicate with GigaVUE V Series Proxies. |
| Outbound | Custom TCP Rule | TCP | 8889 | GigaVUE V Series Node IP | Allows V Series Proxy to communicate with GigaVUE V Series Nodes. |

GigaVUE V Series Node

| Direction | Ether Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| Inbound | Custom TCP Rule | TCP(6) | 8889 | GigaVUE V Series Proxy IP address | Allows GigaVUE V Series Proxies to communicate with GigaVUE V Series Nodes. |
| Outbound | IPv4 | TCP | 8890 | GigaVUE‑FM IP address | Allows GigaVUE V Series Node to communicate with GigaVUE V Series Proxy. |
| Outbound | Custom UDP Rule | UDP | VXLAN (default 4789); L2GRE (IP 47) | Tool IP | Allows V Series Node to communicate and tunnel traffic to the Tool. |
| Outbound | Custom TCP Rule | TCP | 5671 | GigaVUE-FM IP | Allows GigaVUE V Series Node to send traffic health updates to GigaVUE‑FM. |
| Bi-directional | Custom TCP Rule | TCP | 11443 | GigaVUE V Series Node subnet | Allows secure transfer of traffic between GigaVUE V Series Nodes. |

Note:  The Security Group Rules table lists only the ingress rules. Make sure the egress ports are open for communication. Along with the ports listed in the Security Group Rules table, make sure the suitable ports required to communicate with Service Endpoints such as Identity, Compute, and Cloud Metadata are also open.
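A pre-deployment check a practitioner can run against the GigaVUE‑FM security group, added here as an example and not Gigamon's own code: it compares rules exported with `openstack security group rule list <group> -f json` (the column names are assumed from that command's table output, and the sample rows are constructed) against the GigaVUE‑FM rows of the table above, reporting required rules that are missing and rules the table scopes to a peer IP but which the group leaves open to any address.

```python
# Added example, not Gigamon's code. Column names mimic `openstack security group
# rule list -f json` (assumed); REQUIRED_FM_RULES is the GigaVUE-FM table above.
import ipaddress
import json

# (direction, protocol, port, must_restrict). must_restrict is True where the
# table names a specific peer (e.g. V Series Node IP) rather than "Any IP address".
REQUIRED_FM_RULES = [
    ("ingress", "tcp", 443, False),   # GUI access
    ("ingress", "udp", 53, False),    # DNS
    ("ingress", "tcp", 5671, True),   # health updates from V Series Nodes / UCT-V
    ("egress", "tcp", 8889, True),    # FM -> V Series Node
]

# Constructed sample: DNS rule missing, 5671 open to the world, egress range too wide.
SAMPLE_RULES_JSON = """[
 {"Direction": "ingress", "IP Protocol": "tcp", "Port Range": "443:443", "IP Range": "0.0.0.0/0"},
 {"Direction": "ingress", "IP Protocol": "tcp", "Port Range": "5671:5671", "IP Range": "0.0.0.0/0"},
 {"Direction": "egress",  "IP Protocol": "tcp", "Port Range": "8000:9000", "IP Range": ""}
]"""


def parse_port_range(text):
    """'443:443' -> (443, 443); an empty Port Range means all ports."""
    if not text:
        return 1, 65535
    lo, hi = text.split(":")
    return int(lo), int(hi)


def is_unrestricted(cidr):
    """True when the remote scope is empty or a /0 (any source or destination)."""
    return not cidr or ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_group(rules, required=REQUIRED_FM_RULES):
    """Return (missing, too_broad): required rules absent from the group, and
    rules the table restricts to a peer IP but the group opens to any address."""
    missing, too_broad = [], []
    for direction, proto, port, must_restrict in required:
        label = f"{direction}/{proto}/{port}"
        matches = [r for r in rules
                   if r["Direction"] == direction and r["IP Protocol"] == proto
                   and parse_port_range(r["Port Range"])[0] <= port
                   <= parse_port_range(r["Port Range"])[1]]
        if not matches:
            missing.append(label)
        elif must_restrict and all(is_unrestricted(r["IP Range"]) for r in matches):
            too_broad.append(label)
    return missing, too_broad


def audit_json(text, required=REQUIRED_FM_RULES):
    """Convenience wrapper over the raw JSON text from the CLI."""
    return audit_security_group(json.loads(text), required)
```

Run `audit_json(SAMPLE_RULES_JSON)` to see the three findings for the constructed sample; the same REQUIRED_* list pattern can be built for the other components in the table.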

Network Requirements

The following table lists the recommended requirements to set up the network topology.

| Network | Purpose |
|---|---|
| Management | Identify the subnets that GigaVUE‑FM uses to communicate with the GigaVUE V Series Nodes and Proxy. |
| Data | Identify the subnets that receive the mirrored tunnel traffic from the monitored instances. In the data network, if a tool subnet is selected, the GigaVUE V Series Node egresses traffic to the destinations or tools. |