GigaVUE Cloud Suite for OpenStack
The OpenStack software is designed for multi-tenancy (multiple projects), where a common set of physical compute and network resources are used to create project domains that provide isolation and security. Characteristics of a typical OpenStack deployment include the following:
- Projects are unaware of the physical hosts on which their instances are running.
- A project can have several virtual networks and may span across multiple hosts.
In a multi-project OpenStack cloud, where project isolation is critical, the Gigamon solution extends visibility for the project's workloads without impacting others by doing the following:
- Support project-wide monitoring domains—a project may monitor any of its instances.
- Honor project isolation boundaries—no traffic leakage from one project to any other project during monitoring.
- Monitor traffic without needing cloud administration privileges. There is no requirement to create port mirror sessions and so on.
- Monitor traffic activity of one project without adversely affecting other projects.
This section describes the requirements and prerequisites for configuring the GigaVUE Cloud Suite for OpenStack. Refer to the following sections for details:
- Minimum Compute Requirements for OpenStack
- Recommended Instance Type for OpenStack
- Network Firewall Requirements for OpenStack
- Network Requirements
Minimum Compute Requirements for OpenStack
In OpenStack, flavors set the vCPU, memory, and storage requirements for an image. Gigamon recommends that you create a flavor that matches or exceeds the minimum requirements listed in the following table.

| Compute Instances | vCPU | Memory | Disk Space | Description |
|---|---|---|---|---|
| UCT-V | 2 vCPU | 4GB | N/A | Available as rpm or Debian package. Instances can have a single vNIC or dual vNICs configured for monitoring the traffic. |
| UCT-V Controller | 1 vCPU | 4GB | 8GB | Based on the number of agents being monitored, multiple controllers will be required to scale out horizontally. |
| GigaVUE V Series Node | 2 vCPU | 3.75GB | 20GB | NIC 1: Monitored Network IP; can be used as Tunnel IP. NIC 2: Tunnel IP (optional). NIC 3: Management IP. |
| GigaVUE V Series Proxy | 1 vCPU | 4GB | 8GB | Based on the number of GigaVUE V Series Nodes being monitored, multiple proxies will be required to scale out horizontally. |
| GigaVUE‑FM | 4 vCPU | 8GB | 40GB | GigaVUE‑FM must be able to access the controller instance for relaying the commands. Use a flavor with a root disk of at least 40GB and an ephemeral disk of at least 41GB. |
Recommended Instance Type for OpenStack
The instance size of the GigaVUE V Series Node is configured and packaged as part of the qcow2 image file. The following table lists the available instance types and sizes, based on memory and the number of vCPUs, for a single GigaVUE V Series Node. Instance sizes can differ between GigaVUE V Series Nodes in different OpenStack VMs; the default size is Small. Disk space and the vNIC layout are the same for all three sizes.

| Type | Memory | vCPU | Disk space | vNIC |
|---|---|---|---|---|
| Small | 4GB | 2 vCPU | 8GB | 1 Management interface, 1 to 8 Tunnel interfaces |
| Medium | 8GB | 4 vCPU | 8GB | 1 Management interface, 1 to 8 Tunnel interfaces |
| Large | 16GB | 8 vCPU | 8GB | 1 Management interface, 1 to 8 Tunnel interfaces |
Network Firewall Requirements for OpenStack
Note: When using dual stack network, the below mentioned ports must be opened for both IPv4 and IPv6.
GigaVUE‑FM

| Direction | Rule / Ether Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| Inbound | HTTPS | TCP | 443 | Any IP address | Allows users to connect to the GigaVUE‑FM GUI. |
| Inbound | IPv4 | UDP | 53 | Any IP address | Allows GigaVUE‑FM to communicate with a standard DNS server. |
| Inbound | Custom TCP Rule | TCP | 5671 | GigaVUE V Series Node IP | Allows GigaVUE V Series Nodes to send traffic health updates to GigaVUE‑FM. Allows Next Generation UCT-V to send statistics to GigaVUE‑FM. |
| Outbound (optional) | Custom TCP Rule | TCP | 8890 | V Series Proxy IP | Allows GigaVUE‑FM to communicate with the V Series Proxy. |
| Outbound | Custom TCP Rule | TCP | 8889 | GigaVUE V Series Node IP | Allows GigaVUE‑FM to communicate with the V Series Node. |

UCT-V Controller

| Direction | Rule / Ether Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| Inbound | Custom TCP Rule | TCP | 9900 | Custom GigaVUE-FM IP | Allows GigaVUE-FM to communicate with UCT-V Controllers. |
| Inbound (port used for Third Party Orchestration) | Custom TCP Rule | TCP(6) | 8891 | UCT-V or Subnet IP | Allows the UCT-V Controller to receive registration requests from UCT-Vs and forward them to GigaVUE-FM. |
| Outbound (port used for Third Party Orchestration) | Custom TCP Rule | TCP(6) | 443 | GigaVUE‑FM IP | Allows the UCT-V Controller to forward registration requests to GigaVUE-FM. |
| Outbound | Custom TCP Rule | TCP | 5671 | GigaVUE-FM IP | Allows the UCT-V Controller to send traffic health updates to GigaVUE‑FM. |

UCT-V

| Direction | Rule / Ether Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| Inbound | Custom TCP Rule | TCP | 9901 | Custom UCT-V Controller IP | Allows UCT-V Controllers to communicate with UCT-Vs. |
| Outbound (port used for Third Party Orchestration) | Custom TCP Rule | TCP(6) | 8891 | UCT-V Controller or Subnet IP | Allows UCT-V to communicate with the UCT-V Controller for registration and heartbeat. |
| Outbound | Custom TCP Rule | TCP | 11443 | UCT-V subnet | Allows UCT-V to securely transfer the traffic to the GigaVUE V Series Node. |

UCT-V OVS Controller

| Direction | Rule / Ether Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| Inbound | Custom TCP Rule | TCP | 9900 | Custom GigaVUE-FM IP | Allows GigaVUE-FM to communicate with UCT-V OVS Controllers. |

UCT-V OVS Agent

| Direction | Rule / Ether Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| Inbound | Custom TCP Rule | TCP | 9901 | Custom UCT-V OVS Controller IP | Allows UCT-V OVS Controllers to communicate with UCT-V OVS Agents. |

GigaVUE V Series Proxy

| Direction | Rule / Ether Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| Inbound | IPv4 | TCP | 8890 | GigaVUE‑FM IP address | Allows GigaVUE‑FM to communicate with GigaVUE V Series Proxies. |
| Outbound | Custom TCP Rule | TCP | 8889 | GigaVUE V Series Node IP | Allows the V Series Proxy to communicate with GigaVUE V Series Nodes. |

GigaVUE V Series Node

| Direction | Rule / Ether Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| Inbound | Custom TCP Rule | TCP(6) | 8889 | GigaVUE V Series Proxy IP address | Allows GigaVUE V Series Proxies to communicate with GigaVUE V Series Nodes. |
| Outbound | IPv4 | TCP | 8890 | GigaVUE‑FM IP address | Allows the GigaVUE V Series Node to communicate with the GigaVUE V Series Proxy. |
| Outbound | Custom UDP Rule | UDP | | Tool IP | Allows the V Series Node to communicate and tunnel traffic to the Tool. |
| Outbound | Custom TCP Rule | TCP | 5671 | GigaVUE-FM IP | Allows the GigaVUE V Series Node to send traffic health updates to GigaVUE‑FM. |
| Bi-directional | Custom TCP Rule | TCP | 11443 | GigaVUE V Series Node subnet | Allows traffic to be securely transferred between GigaVUE V Series Nodes. |
Note: In addition to the ingress rules listed in the Security Group Rules table, make sure the corresponding egress ports are open for communication. Also open the ports required to reach service endpoints such as Identity, Compute, and Cloud Metadata.
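The port matrix above, encoded as data and rendered into `openstack security group rule create` commands, as an added example that is not Gigamon's own tooling. It assumes two constructed placeholder subnets (management 10.10.1.0/24 and fd00:10:1::/64 for GigaVUE‑FM, the controllers and the proxy; data 10.10.2.0/24 and fd00:10:2::/64 for V Series Nodes and UCT-V workloads), assumes the `gv-*` security group names, emits both an IPv4 and an IPv6 rule per entry as the dual-stack note requires, and carries an audit that flags any rule open to all addresses other than the two the table explicitly allows (the FM GUI on 443 and DNS on 53). The UDP tool-tunnel rule is left out because the table does not state its port.

```python
"""Render the GigaVUE security-group port matrix into OpenStack CLI commands.

Added example, not Gigamon tooling. Subnets, group names and the mapping of
each component to a subnet are constructed assumptions for illustration.
"""
import ipaddress

# Constructed placeholder subnets; replace with your own. Each peer carries an
# IPv4 and an IPv6 prefix so dual-stack deployments get rules for both.
SUBNETS = {
    "mgmt": {"IPv4": "10.10.1.0/24", "IPv6": "fd00:10:1::/64"},  # FM, controllers, proxy
    "data": {"IPv4": "10.10.2.0/24", "IPv6": "fd00:10:2::/64"},  # V Series Nodes, UCT-V workloads
}

# (group, direction, protocol, port, peer, purpose), transcribed from the table
# above. Group names (gv-*) are assumed. The UDP tool-tunnel rule is omitted
# because the table does not state its port.
RULES = [
    ("gv-fm", "ingress", "tcp", 443, "any", "GigaVUE-FM GUI"),
    ("gv-fm", "ingress", "udp", 53, "any", "DNS, as listed in the table"),
    ("gv-fm", "ingress", "tcp", 5671, "data", "health updates from V Series Nodes and UCT-V"),
    ("gv-fm", "egress", "tcp", 8890, "mgmt", "FM to V Series Proxy (optional)"),
    ("gv-fm", "egress", "tcp", 8889, "data", "FM to V Series Node"),
    ("gv-uctv-controller", "ingress", "tcp", 9900, "mgmt", "FM to UCT-V Controller"),
    ("gv-uctv-controller", "ingress", "tcp", 8891, "data", "UCT-V registration requests"),
    ("gv-uctv-controller", "egress", "tcp", 443, "mgmt", "forward registrations to FM"),
    ("gv-uctv-controller", "egress", "tcp", 5671, "mgmt", "health updates to FM"),
    ("gv-uctv", "ingress", "tcp", 9901, "mgmt", "UCT-V Controller to UCT-V"),
    ("gv-uctv", "egress", "tcp", 8891, "mgmt", "registration and heartbeat to controller"),
    ("gv-uctv", "egress", "tcp", 11443, "data", "mirrored traffic to V Series Node"),
    ("gv-vseries-proxy", "ingress", "tcp", 8890, "mgmt", "FM to V Series Proxy"),
    ("gv-vseries-proxy", "egress", "tcp", 8889, "data", "Proxy to V Series Node"),
    ("gv-vseries-node", "ingress", "tcp", 8889, "mgmt", "Proxy/FM to V Series Node"),
    ("gv-vseries-node", "ingress", "tcp", 11443, "data", "mirrored traffic from UCT-V and peer nodes"),
    ("gv-vseries-node", "egress", "tcp", 11443, "data", "traffic to peer V Series Nodes"),
    ("gv-vseries-node", "egress", "tcp", 8890, "mgmt", "node to V Series Proxy"),
    ("gv-vseries-node", "egress", "tcp", 5671, "mgmt", "health updates to FM"),
]

# The only rules the table opens to any address: the FM GUI and DNS.
ALLOWED_FROM_ANY = {("gv-fm", "ingress", "tcp", 443), ("gv-fm", "ingress", "udp", 53)}


def remote_prefix(peer, ethertype):
    """Resolve a peer name to a prefix of the requested ethertype, refusing a
    mismatch (an IPv4 prefix on an IPv6 rule would be rejected by Neutron)."""
    if peer == "any":
        return "0.0.0.0/0" if ethertype == "IPv4" else "::/0"
    prefix = SUBNETS[peer][ethertype]
    want = 4 if ethertype == "IPv4" else 6
    if ipaddress.ip_network(prefix).version != want:
        raise ValueError(f"{peer}: {prefix} is not an {ethertype} prefix")
    return prefix


def render_rules(rules, ethertypes=("IPv4", "IPv6")):
    """One `openstack security group rule create` command per rule and
    ethertype, so a dual-stack network gets both IPv4 and IPv6 rules."""
    cmds = []
    for group, direction, proto, port, peer, purpose in rules:
        for et in ethertypes:
            cmds.append(
                f"openstack security group rule create --{direction} --ethertype {et} "
                f"--protocol {proto} --dst-port {port}:{port} "
                f"--remote-ip {remote_prefix(peer, et)} "
                f"--description '{purpose}' {group}"
            )
    return cmds


def audit(rules):
    """Flag rules open to any address that the table does not sanction."""
    findings = []
    for group, direction, proto, port, peer, _ in rules:
        if peer == "any" and (group, direction, proto, port) not in ALLOWED_FROM_ANY:
            findings.append(f"{group}: {direction} {proto}/{port} open to any address")
    return findings


if __name__ == "__main__":
    for finding in audit(RULES):
        print("WARNING:", finding)
    print("\n".join(render_rules(RULES)))
```

Pipe the output into a shell once you have created the `gv-*` groups with `openstack security group create`; on a single-stack network pass `ethertypes=("IPv4",)` to `render_rules`. Keeping the matrix as data lets you re-run `audit` whenever the table changes, so a rule that quietly widens a data-plane port such as 11443 to 0.0.0.0/0 is caught before it reaches Neutron.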
Network Requirements
The following table lists the recommended requirements to set up the network topology.

| Network | Purpose |
|---|---|
| Management | Identify the subnets that GigaVUE‑FM uses to communicate with the GigaVUE V Series Nodes and Proxy. |
| Data | Identify the subnets that receive the mirrored tunnel traffic from the monitored instances. In the data network, if a tool subnet is selected, the GigaVUE V Series Node egresses traffic to the destinations or tools. |