Configure UCT-C Controller and TAP through GigaVUE-FM
This section describes how to configure UCT-C through GigaVUE-FM GUI. Refer to the following section for details.
- Launch GigaVUE-FM
- Universal Cloud Tap - Container Inventory
- Create Monitoring Domain
- Create Source Selectors
- Create Tunnel Specifications
- Configure Traffic Policy
- Policies Landing Page
- Viewing Policy Configurations
- Traffic Policy Statistics
- Viewing Policy Statistics
The recent GigaVUE-FM image files can be downloaded from the Gigamon Customer Portal. After fetching the image, upload and launch GigaVUE-FM on the supported Cloud environment. For assistance, Contact Technical Support of Gigamon or refer to GigaVUE-FM Installation Guide and GigaVUE Fabric Management Guide for details on installing and launching GigaVUE-FM.
In GigaVUE-FM, on the left navigation pane, go to Inventory > CONTAINER > Universal Cloud Tap - Container. You can view the following tabs on the Universal Cloud Tap - Container launch page:
Tabs |
Description |
Monitoring Domains |
Displays the Monitoring Domain details along with the connectivity status from GigaVUE-FM to Cluster. |
Clusters |
Displays Kubernetes Clusters, along with UCT-C Controller information and total Nodes per Cluster. Also displays GigaVUE-FM to Controller connectivity and Heartbeats status. Note: You can delete a cluster that is not tagged to any Monitoring Domain from the Clusters page. Ensure to delete the cluster only after stopping UCT-C Controller and UCT-C TAP. |
Nodes |
Displays the Nodes from all Kubernetes Cluster along with UCT-C TAP information and Total Pods per Node. UCT-C TAP status should be Connected for deployments for respective Worker Nodes to go through. If the UCT-C TAP status for a Worker Node is not shown as Connected, the deployment for that Worker Node will not go through. UCT-C TAP solution cannot tap traffic from Pods with Host Network Enabled. |
Pods |
Displays the list of Pods from all Kubernetes Clusters. For each Pod, all metadata - Pod Name, Labels, IPs, Namespace, Service Name, Service IPs, Node Name, Containers, and Host Network information is displayed. |
Settings |
Displays the general settings which include disconnected UCT-C Purge Interval days, and the maximum number of Clusters allowed in GigaVUE-FM. |
To view and filter the list of Monitoring Domains, Cluster, and Node details, click the filter button on the left side of any of the above listed tabs. You can also create a new Monitoring Domain, edit, and delete the existing Monitoring Domains.
On Clusters, Nodes, and Pods screens, you can click the Filter button displayed on the right of the page to filter the details on that particular screen.
To create a monitoring domain in GigaVUE-FM:
- In GigaVUE-FM, on the left navigation pane, go to Inventory > CONTAINER > Universal Cloud Tap - Container > Monitoring Domains.
- In the Monitoring Domains page, click New. The New Monitoring Domain wizard appears.
- Enter or select the required information as described in the following table.
Fields
Description
Monitoring Domain Name
Enter a name for the monitoring domain
Clusters
Cluster Name
Enter a name for the cluster
API Server URL
Enter or select the URL of the API server
Option
CA
Select the required CA name from the drop-down menu.
Note: CA is required for deploying the policy with Secure Tunnels.
Click to add another cluster and click to remove an existing cluster.
- Click Save to create a monitoring domain.
You can view the monitoring domain created in the list view. The list view shows the following information for UCT-C and controllers:
Monitoring Domain - Shows the list of Monitoring Domains created. |
Cluster - Displays the status of GigaVUE-FM to UCT-C Controller connectivity. You can click the number link next to (connected) or the (disconnected) icons to view the cluster details for the selected Monitoring Domain. |
Use the following buttons to manage your Monitoring Domain:
Button | Description | ||||||
New |
Use to create new Monitoring Domain |
||||||
Actions |
Provides the following options:
|
||||||
Refresh Inventory |
Triggers Inventory Refresh on all Clusters in the Monitoring Domain |
When setting up a traffic flow, it is important to define the selection criteria for the sources of traffic. Use the Source Selectors page to configure the sources of the traffic to be monitored.
- DefaultExclusion: DefaultExclusion is a default source selector which will be applied to all policies. It cannot be deleted but can be modified. After modifying the DefaultExclusion source selector, policies need to be deployed again for the changes to take effect. DefaultExclusion appears by default on the Source Selector Specifications page.
To exclude the pods from monitoring, you can add criteria to DefaultExclusion. From the drop-down list, select any of the following Object Property to exclude them from the monitoring, and provide the value for the property selected in the Value field:
servicename serviceip podname podip podlabels nodename namespace nodepodcidr hostNetwork By default pods in kube-system namespace, metallb-system namespace, and host network enabled pods are excluded from monitoring.
You can add criteria to DefaultExclusion to exclude nodenames where UCT-C TAP is not launched. If Master node(s) does not have UCT-C TAP, add master node names to DefaultExclusion.
To configure the Source Selectors:
- Go to Inventory > Resources> Source Selectors.
-
On the Source Selector Specifications page, navigate to the Container tab and click Create.
The New Source Selector wizard appears.
- Enter or select the required information:
Field Action Name
Enter a name for the source
Inclusion Criteria
You can select any one of the following options:
All Sources - Select this option to acquire traffic from all namespaces and pods within the selected cluster(s). The volume of traffic may be large, depending on the size of the cluster(s).
Criteria1- You must enter the following options:
Object Property
Select an object property to filter the traffic source.
Operator
Select the operator.
Values
Enter the values for the filter. Values are case-sensitive.
On the Criteria, click to add another Object and click to remove an existing Object.
Exclusion Criteria
On the Criteria, click to add another Object and click to remove an existing Object.
Object Property
Select an object property to filter the traffic source.
Operator
Select the operator.
Values
Enter the values for the filter. Values are case-sensitive.
On the Inclusion or Exclusion Criteria sections, click to add another Criteria and click to remove an existing Criteria.
- Click Save.
- If you have configured multiple objects in a criteria, then the traffic will be filtered only if all the object rules are true (AND condition).
- If you have configured multiple criteria, then the traffic will be filtered even if one of the criteria is true (OR condition).
A tunnel of type L2GRE, VXLAN, or TLS-PCAPNG can be created. The tunnel is an egress tunnel. For more information on how to create a tunnel of type TLS-PCAPNG, refer to Secure Tunnels Secure Tunnels . Secure Tunnels
To configure the tunnels:
- Go to Inventory > Resources > Tunnel Specifications.
-
On the Tunnel Specifications page, navigate to the Container tab and click Create. The Create Tunnel Specification wizard appears.
- Enter or select the following information:
- Click Save to save the configuration.
Field |
Description |
Name |
The name of the tunnel endpoint. Note: Do not enter space or Invalid characters. |
Tunnel Type |
Select L2GRE, VXLAN, or TLS-PCAPNG tunnel type to create a tunnel. |
Destination IP Address |
Enter the IP address of the destination endpoint. |
Key (Applicable when the selected tunnel type is L2GRE) |
Enter a value for the tunnel key. |
VXLAN Network Identifier (Applicable when the selected tunnel type is VXLAN) |
Enter the identifier key for VXLAN network. |
Destination Port (Applicable when the selected tunnel type is VXLAN or TLS-PCAPNG) |
Specify the destination port value. Enter a value between 1 and 65535. |
The traffic from the workload pods is processed based on the Traffic Policy configuration. The UCT-C TAP routes the traffic to the tunnel destination IP addresses specified in the Traffic Policy rules.
You can refer to the GigaVUE API Reference for detailed information on the REST APIs of UCT-C.
To create a UCT-C Traffic Policy in GigaVUE-FM, follow the below steps:
1. | From the GigaVUE-FM left navigation pane, go toTraffic > CONTAINER > Universal Cloud Tap - Container. The Policies page appears. |
2. | In the Policies page, click New. The Create Policy wizard appears. |
Note: You can deploy a maximum of eight policies per Monitoring Domain.
3. | In the General tab, enter or select the required information as described in the following table: |
Fields |
Description |
Policy Name |
Enter a name for the Traffic Policy. The name must be unique. |
Monitoring Domain |
Select an existing monitoring domain. To create a new monitoring domain, refer to Create Monitoring Domain section. |
Clusters |
Select the required cluster from the drop-down menu. |
Precryption Policy |
Click the radio button Yes, to enable the Precryption rules for the policy. Click radio button No to enable the Mirroring. Note: Once the policy is deployed, you cannot change the Precryption Policy setting. |
4. | Click Next to switch to the Source Selectors tab, select an existing source selector and click Add or select Create New to create a new source selector, refer to Create Source Selectors section for detailed information. You can configure a maximum of eight source selectors per policy. |
5. | In the Source Selectors page, click to expand the Default Exclusion section. DefaultExclusion Source Selector is applied automatically for all policies. |
Note: You can edit the values across the Monitoring Domain in Inventory > Resources > Source Selectors section. On the Source Selectors Specifications page, navigate to Container > Default Exclusion. In the Edit Source Selector wizard, you can edit the values in the Exclusion Criteria section.
6. | Click Next to switch to the Rules tab, enter or select the required information for the Ingress Rules and the Egress Rules as described in the following table. You must select CA in the Monitoring Domain page to use secure tunnel in rules: |
Fields |
Description |
|||||||||||||||
Tunnel Specifications |
Select an existing tunnel or select Create New to create a new tunnel, refer to Create Tunnel Specifications section for detailed information. For Precryption, only one Tunnel Specification field will be displayed at the top for all the rules. For Mirroring, Tunnel Specification can be configured for every individual rule. |
|||||||||||||||
Rules On the Ingress or Egress rules, click to add another rule and click to remove an existing rule. You must select CA in the Monitoring Domain page to use secure tunnel in rules. |
||||||||||||||||
Rule Name |
Enter a name for the rule. Rule name should always be unique within a policy. Note: Rule names ending with __I, __E, __RI, __RE are not recommended as the names are invalid in policy rules. Rule names like passall, ingress-passall, and egress-passall are restricted. |
|||||||||||||||
Enable |
Select On to enable the passall rule or select Off to disable the passall rule. Refer to Enable Selective Precryption to add the filters when you choose to disable the passall rule. |
|||||||||||||||
Action |
Select Pass to allow the packets or select Drop to block the packets based on the filters. |
|||||||||||||||
Direction |
Select any one of the following directions:
Note: When you apply filters to two pods on the same worker node to capture traffic in both directions, only one copy of the packet will be tunneled out for each packet traveling from one pod to the other.
Note: The maximum number of rules supported per direction is 32. |
|||||||||||||||
Priority |
Enter a priority value to specify the order of rule execution on the selected Pod. Unique Priority is enforced in a policy within ingress and egress space. Bi-directional rules get expanded in ingress and egress space. Priority is not applicable for Drop Rules. Drop Rules are executed first, followed by passall rules, and then filter rules based on specified priority values. |
If you wish to use selective Precryption follow the steps given below:
- Disable the Enable toggle button to turn off the default passall rule.
- Click to add another rule.
- Enter the following details as mentioned in the below table:
Fields
Description
Rule Name
Enter a name for the rule.
Action
Choose any one of the following options:
Pass — Passes the traffic. Drop — Drops the traffic. Note: In the absence of a Precryption rule, traffic is implicitly allowed. However, once rules are defined, they include an implicit pass all rule. Should the traffic not conform to any of the specified rules, it will be passed.
Direction
Choose any one of the following options:
Bi-Directional —- Allows the traffic in both directions of the flow. A single Bi-direction rule should consist of 1 Ingress and 1 Egress rule. Ingress — Filters the traffic that flows in. Egress — Filters the traffic that flows out. Priority
Select the value of the priority based on which the rules must be prioritized for filtering. Select the value as 1 to pass or drop a rule in top priority. Similarly, you can select the value as 2, 3, 4 to 8, where 8 can be used for setting a rule with the least priority. Drop rules are added based on the priority and, then pass rules are added.
Filters
Filter Type
Select the Filter Type from the following options:
L3 L4 L3:
Filter Name
Select the Filter Name from the following options:
IPv4 Source IPv4 Destination IPv6 Source IPv6 Destination Protocol - It is common for both IPv4 and IPv6 Value
Enter or Select the Value based on the selected Filter Name.
Note: When using Protocol as the Filter Name, select TCP from the drop-down menu.
L4:
Filter Name
Select the Filter Name from the following options:
Source Port Destination Port Filter Relation
Select the Filter Relation from any one of the following options:
Not Equal to Equal to Value
Enter the source or destination port value.
7. | Click Next to switch to the Validate tab, click Save to the policy or click Deploy, and the selected traffic policy rules get deployed to the required UCT-C TAPs present on the nodes corresponding to the source pods selected for monitoring. |
In the Policies page, you can view various details related to a policy such as Policy Name, Monitoring Domain, Cluster, Deployment Status, and Statistics etc., The fields and the description of the field names are given in the following table:
Fields |
Description |
---|---|
Policy |
Name of the Policy |
Monitoring Domain |
Monitoring Domain associated with the Policy |
Cluster |
The cluster name associated with the policy |
Deployment Status |
Indicates the policy deployment status:
|
Statistics |
Displays the statistics of the policy |
Note: Click the gear icon to add or remove column or columns as per your requirement.
Use the following buttons on the Policies screen to manage your Policy:
Button | Description | ||||||||||||
New |
Use to create a new policy |
||||||||||||
Actions |
Provides the following options:
|
To view the Deployment status, click the Deployment status link in the Deployment Status column of a policy. The Deployment status appears on the bottom of the Policies page.
You can view the following fields along with the policy name:
Pod Name |
Namespace |
Rules |
Cluster |
Node |
Click Filter to filter the details like Cluster, Node, Namespace, Pod Name, and Pod Status in the Deployment Status Wizard.
To view the Policy Configurations of the traffic policy configured in the GigaVUE-FM, click the policy name. The configurations appear on the bottom of the Policies page.
You can view the following tabs along with the policy name:
Source Specifications |
Mirroring Rules or Precryption Rules |
You can scroll each of the tables to view more columns. The fields and description for the tab that appears when you click the tabs are described in the topics respectively.
Source Specifications
You can view the criteria based on which pod is selected for tapping.
The fields and descriptions of the Source Specifications tab are described in the following table:
Tab- Source Specifications |
Field |
Description |
||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Source Selector |
|
|
||||||||||||||||||||||||
|
Name |
Specifies the name of the Source selector. |
||||||||||||||||||||||||
Inclusion Criteria |
|
|
||||||||||||||||||||||||
|
Criteria Name |
Specifies the inclusion criteria for the source selector. Pod that matches the inclusion criteria will be selected as source for the given traffic policy. |
||||||||||||||||||||||||
|
Property |
Specifies the property for the attributes in the criteria. The available properties are:
|
||||||||||||||||||||||||
|
Operator |
Specifies the operator used in the criteria. |
||||||||||||||||||||||||
|
Value |
Specifies the value for the attributes in the criteria. |
||||||||||||||||||||||||
Exclusion Criteria |
|
|
||||||||||||||||||||||||
|
Criteria Name |
Specifies the exclusion criteria for the source selector. Pod that matches the exclusion criteria will be excluded from the source for the given traffic policy. |
||||||||||||||||||||||||
|
Property |
Specifies the property in the exclusion criteria based on which the pod associated with the source is excluded. |
||||||||||||||||||||||||
|
Operator |
Specifies the operator involved in the exclusion criteria in tapping the traffic in the pod. |
||||||||||||||||||||||||
|
Value |
Specifies the value in the criteria based on which traffic in the pod is excluded. |
Mirroring Rules or Precryption Rules
The fields and descriptions of the Mirroring Rules or Precryption Rules tab are described in the following table:
Tab-Rules Rules |
Field |
Description |
---|---|---|
Mirroring Rules or Precryption Rules |
|
|
|
Rule |
Specifies the name of the rules in which the traffic is filtered in the pod. Click on the Rule name to view the filters. |
|
Tunnel |
Specifies the tunnel details which is associated with the rules to send the traffic out. When you hover over the tunnel specification value, you can view the details of the tunnel in a message box. |
|
Priority |
Specifies the priority assigned for the rule. |
|
Action |
Specifies whether to pass or drop the rule. |
|
Direction |
Specifies the direction of the flow of traffic is ingress, egress, or in both direction. |
Filter |
|
|
|
Type |
Specifies the filter type. |
|
Filter |
Specifies the name for the filter. |
|
Value |
Specifies the value of the filter. |
Traffic Policy Statistics in GigaVUE-FM provides the visibility of the policies within a Monitoring Domain and displays the information of the policies and its rules statistics in the dashboard.
Rules are configured in the UCT-C to either forward the traffic to a Tunnel or drop the flow of the traffic.
The activities of the rules are reflected by the statistics counters. The statistics counters show how the policy statistics are directly co-related to the policy and its rules being configured through the GigaVUE-FM.
To view the statistics of the traffic policy configured in the GigaVUE-FM, click the View status link in the Statistics column of a policy. The Policy Statistics and the Mirroring Statistics or Precryption Statistics appears on the bottom of the Policies page:
Fields |
Description |
---|---|
Policy Name |
Name of the policy |
Ingress packets |
Total aggregate value of the ingress packets associated with the policy |
Egress packets |
Total aggregate value of the egress packets associated with the policy |
Ingress Bytes |
Total aggregate value of the ingress bytes associated with the policy |
Egress Bytes |
Total aggregate value of the egress bytes associated with the policy |
Ingress Errors |
Total aggregate value of the ingress errors associated with the policy |
Egress Errors |
Total aggregate value of the egress errors associated with the policy |
Ingress Dropped |
Total aggregate value of the ingress packets dropped associated with the policy |
Egress Dropped |
Total aggregate value of the egress packets dropped associated with the policy |
Fields |
Description |
---|---|
Rule Name |
Name of the individual rule. |
Ingress packets |
Total aggregate value of the ingress packets associated with the rule |
Egress packets |
Total aggregate value of the egress packets associated with the rule |
Ingress Bytes |
Total aggregate value of the ingress bytes associated with the rule |
Egress Bytes |
Total aggregate value of the egress bytes associated with the rule |
Ingress Errors |
Total aggregate value of the ingress errors associated with the rule |
Egress Errors |
Total aggregate value of the egress errors associated with the rule |
Ingress Dropped |
Total aggregate value of the ingress packets dropped associated with the rule |
Egress Dropped |
Total aggregate value of the egress packets dropped associated with the rule |