Configure Resilient Inline Arrangement

Refer to the following sections that provide details about the resilient inline arrangement feature and instructions on how to configure it:

■   Resilient Inline Arrangement
o   Resilient Inline Arrangement With Single VLAN Tag
o   Resilient Inline Arrangement—Classic
o   Inter-broker Pathway (IB-P)
■   Resilient Inline Arrangement—Rules and Notes
■   Deploy Resilient Inline Arrangement

Resilient Inline Arrangement

Resilient inline arrangement is a method of configuring and deploying inline threat prevention tools for dual-path, redundant network architectures. A successful deployment of resilient inline arrangements provides traffic management for dual-path high availability environments.

Note:  Resilient inline arrangement is not supported on GigaVUE-HCT devices.

The following figure illustrates the resilient inline arrangement.

Figure 1: Resilient Inline Arrangement

The resilient inline arrangement shows the Gigamon devices, which consolidate the traffic from multiple intercepted links before routing the traffic to inline tools. To protect such an inspection arrangement from a failure of a Gigamon device, a redundant arrangement of inline packet brokers is shown. The two inline packet brokers are interconnected by an Inter-broker Pathway (IB-P). For details, refer to Inter-broker Pathway (IB-P).

Each inline packet broker is attached to a set of inline tools that are identical to each other, that is, both inline packet brokers must have an equal number of inline tools. Moreover, the inline tools on both sides must be of the same type, port speed, and processing capacity.

Resilient inline arrangement is based on an aggregation and distribution principle that divides the packets received by an inline packet broker between Node 1 and Node 2. The inline packet broker on the left guides the Node 1 class of packets through its local tools and the Node 2 class of packets through the remote tools that are reachable by a resilient inter-broker pathway. Similarly, the inline packet broker on the right guides the Node 2 class of packets through its local tools and the Node 1 class of packets through the remote tools.

Each link intercepted by the inline packet broker must be configured with the following component maps:

■   either a bidirectional original component map or two unidirectional original component maps,
■   two unidirectional export component maps, and
■   two unidirectional import component maps.

GigaVUE‑FM configures the required export and import component maps for all the links that are intercepted by both the inline packet brokers. GigaVUE‑FM configures the maps based on the tool side VLAN tags and the rules that you specified when configuring the flexible inline map.

The component maps use VLAN tags to transfer the traffic from inline network to inline tools and back through the inter-broker pathway. Refer to the following sections:

■   Resilient Inline Arrangement—Classic
■   Resilient Inline Arrangement With Single VLAN Tag

Resilient Inline Arrangement—Classic

When a packet is received from an inline network, an additional VLAN tag is added to the packet before guiding it to the inline tools. The additional VLAN tag is useful when the inline tools are shared by multiple traffic flows. It helps to distinguish the traffic coming back from the inline tools and to make sure the traffic is routed to the right inline networks. You can configure the additional VLAN tags when you create the flexible inline maps.

Resilient Inline Arrangement With Single VLAN Tag

You can choose to deploy a resilient inline arrangement with a single VLAN tag in which a packet received from an inline network is guided to the inline tool using a single VLAN tag, which you can configure when creating a flexible inline map. You must configure the packet's original VLAN tag as the network side VLAN tag and provide the required tool side VLAN tag when you create the flexible inline maps. The single VLAN tag is useful when your inline tools do not support Q-in-Q VLAN tags.

You can configure a Flexible Inline SSL and RIA iSSL solution with Single VLAN Tagging (SVT).

The following table shows the compatibility matrix between maps with single VLAN tag enabled and disabled. The symbol (√) denotes engine ports that are supported, and the symbol (X) denotes engine ports that are not supported.

Maps         | SVT enabled RIA iSSL map
             | same gs_engine | different gs_engine in different maps
RIA          | X              |
RIA + SVT    | X              |
RIA + iSSL   | X              |

Inter-broker Pathway (IB-P)

The inter-broker pathway provides link aggregation and distribution and is responsible for moving traffic between Node 1 and Node 2. You must configure tool ports in the inter-broker pathway. Following are the IB-P states:

■   inter-broker pathway-up—the traffic is handled as follows:
o   If the traffic is governed by the original component maps in which the traffic path is set to Bypass, the traffic bypasses the sequence of inline tools and inline tool groups and is redirected to the inline network port that is configured on the opposite side.
o   If the traffic is governed by the export component maps in which the traffic path is set to any value other than Bypass, the traffic is routed through the inter-broker pathway based on the tag value defined in the map. If the tag value matches the VLAN attribute configured in the import component map, the traffic is sent to the inline packet broker on the opposite side. The traffic is then routed through the inline tools or inline tool groups based on the sequence defined in the import component map. After inspection, the traffic is sent back to the inter-broker pathway with the same tag value. Finally, the traffic is intercepted by the export component map and is guided to the respective exit inline network port.
■   inter-broker pathway-down—the traffic is handled based on the failover action selected for the inline map configured, as follows:
o   If the failover is set to ‘bypass’, the traffic is passed directly between the respective inline network ports.
o   If the failover is set to ‘original-map’, the traffic is passed through the path that is defined by the respective original map.

Note:  Traffic can be moved from ‘bypass’ to ‘original-map’ and vice versa while the inter-broker pathway is in the ‘down’ state.

The failover-action set for an inline tool or an inline tool group that is configured on Node 2 will affect the inter-broker pathway as follows:

■   If the failover-action for the inline tools on Node 2 is set to ‘network-bypass’, all traffic received on Node 2 is bypassed and sent back to Node 1.
■   If the failover-action is set to ‘network-drop’, all traffic received on Node 2 of the inter-broker pathway will be dropped.
■   If the failover-action is set to ‘network-port-forced-down’, all ports on Node 2 of the inter-broker pathway will be brought down.

Resilient Inline Arrangement—Rules and Notes

Keep in mind the following rules and notes when working with Resilient Inline Arrangement:

■   Ensure that the names on both GigaVUE devices are identical, that is, the inline networks, inline tools, inline tool groups, out-of-band tools, and out-of-band tool GigaStreams must all have the same alias names on both the devices.
■   If you choose to use the inline network bundle, the alias of the inline network bundle on both the devices must be identical. However, the inline networks that are grouped into the bundle can have different aliases.
■   In a GEN2 GigaSMART card, a maximum of 14 VLANs is supported for a single inline network per GS Group. In the case of multiple inline-network ports, the product (number of inline-network ports x number of VLANs) must not exceed 14 per GS Group.
■   In a GEN3 GigaSMART card, a maximum of 16 VLANs is supported for a single inline network per GS Group. In the case of multiple inline-network ports, the product (number of inline-network ports x number of VLANs) must not exceed 16 per GS Group.
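The alias and VLAN-count rules above can be checked before the two devices are deployed. The following script is an added example, not Gigamon code or a GigaVUE-FM API; the device dictionaries, their key names, and the sample aliases are constructed for illustration.

```python
"""Pre-deployment consistency check for a resilient inline arrangement (RIA).
Added example, not Gigamon code or a GigaVUE-FM API: it encodes the page's rules
(identical aliases on both brokers, bundled inline networks excepted; inline-network
ports x VLANs per GS Group <= 14 on GEN2, 16 on GEN3). Configs are constructed dicts."""
VLAN_LIMIT = {"GEN2": 14, "GEN3": 16}  # per GS Group, from the rules section
# Alias categories that must be identical on both inline packet brokers (hypothetical keys).
ALIAS_KEYS = ("inline_tools", "inline_tool_groups", "oob_tools", "oob_gigastreams", "inline_network_bundles")

def _diff(label, a, b):
    """One finding describing how two alias sets differ, or nothing if they are equal."""
    if a == b:
        return []
    return [f"{label}: node1-only={sorted(a - b)} node2-only={sorted(b - a)}"]

def alias_mismatches(node1, node2):
    """Alias categories whose contents differ between the two devices."""
    problems = []
    for key in ALIAS_KEYS:
        problems += _diff(key, set(node1.get(key, ())), set(node2.get(key, ())))
    # Inline networks grouped into a bundle may differ per device; only unbundled ones must match.
    free = [set(n.get("inline_networks", ())) - set(n.get("bundled_networks", ()))
            for n in (node1, node2)]
    return problems + _diff("inline_networks", free[0], free[1])

def vlan_violations(node):
    """GS Groups where inline-network ports x VLANs exceed the card's limit."""
    problems = []
    for name, gsg in node.get("gs_groups", {}).items():
        used, limit = gsg["inline_network_ports"] * gsg["vlans"], VLAN_LIMIT[gsg["card"]]
        if used > limit:
            problems.append(f"{name}: {used} VLANs on {gsg['card']} exceeds limit {limit}")
    return problems

def check_ria(node1, node2):
    """Every finding that would block a consistent RIA deployment."""
    return (alias_mismatches(node1, node2)
            + ["node1 " + p for p in vlan_violations(node1)]
            + ["node2 " + p for p in vlan_violations(node2)])

# Constructed sample: node2 lacks one inline tool and overfills a GEN2 GS Group.
NODE1 = {"inline_tools": ["ips-1", "ips-2"], "inline_tool_groups": ["itg-ips"],
         "inline_network_bundles": ["bundle-core"], "bundled_networks": ["inet-a", "inet-b"],
         "inline_networks": ["inet-a", "inet-b", "inet-c"],
         "gs_groups": {"gsg1": {"card": "GEN3", "inline_network_ports": 2, "vlans": 8}}}
NODE2 = {"inline_tools": ["ips-1"], "inline_tool_groups": ["itg-ips"],
         "inline_network_bundles": ["bundle-core"], "bundled_networks": ["inet-x", "inet-y"],
         "inline_networks": ["inet-x", "inet-y", "inet-c"],
         "gs_groups": {"gsg1": {"card": "GEN2", "inline_network_ports": 2, "vlans": 8}}}
if __name__ == "__main__":
    print("\n".join(check_ria(NODE1, NODE2)))
```

Run against the constructed sample, it reports the missing inline tool alias on node 2 and the GEN2 GS Group whose 2 ports x 8 VLANs exceed the limit of 14, while node 1's GEN3 group at exactly 16 passes.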

Deploy Resilient Inline Arrangement

Following are the prerequisites that you must complete before you configure Resilient inline arrangement:

■   Configure the required inline networks. Refer to Configure Inline Network Ports and Inline Network.
■   Configure the required inline network LAG. Refer to Configure Inline Network Link Aggregation Group (LAG).
■   Configure the required inline tools. Refer to Configure Inline Tool Ports and Inline Tools.
■   Configure the required inline tool group. Refer to Configure Inline Tool Group.

Complete the following tasks to successfully deploy resilient inline arrangement: