GU End To End Visibility Cisco Infrastructure - Gigamon


Solutions Guide
End-to-End Visibility and Security for Your Cisco Infrastructure

Table of Contents

Introduction 3
Overview of Cisco Technologies 3
Monitoring Cisco Application Centric Infrastructure (ACI) 3
Cisco 40Gb BiDi Links 4
Cisco Fabric Extender (FEX) and VN-Tag 4
Cisco FabricPath 4
Cisco Virtual Infrastructure 4
Cisco Monitoring Methodologies 4
NetFlow/IPFIX 4
Cisco SPAN 5
Cisco ERSPAN 5
Cisco RSPAN 6
Cisco VACL 6
Inline Bypass Protection of Cisco FirePOWER Intrusion Prevention System (IPS) 6
Requirements for End-to-End Visibility 7
Gigamon Visibility Platform 7
A New Approach to Monitoring 7
Visibility Platform Benefits for Cisco ACI Implementations 8
Benefits of Gigamon for Cisco Infrastructure 8
Agile and Dynamic Patented Flow Mapping Technology 8
Intelligent Packet Transformation to Enable Tool Optimization With GigaSMART 9
De-duplication 9
Header Stripping 9
SSL/TLS Decryption 9
Adaptive Packet Filtering 9
NetFlow and Metadata Generation 9
Application Session Filtering 10
Packet Slicing 10
Masking 10
Source Port Labeling 10
Tunneling 10
Advanced Tunneling including ERSPAN Termination 10
Time Stamping 10
L7 Load Balancing 10
Scalable Visibility into Cisco Virtual Infrastructure 10
Inline Bypass Protection of Cisco FirePOWER Intrusion Prevention System (IPS) 11
Achieving End-to-End Visibility 11
End-to-End Security of Cisco Networks Using GigaSECURE 12
Optimize Your Cisco Network with Metadata Generation 13
Conclusion 13
About Gigamon 13

© 2014-2017 Gigamon. All rights reserved.

Introduction

Across the globe, many companies choose a Cisco networking infrastructure to service their physical and virtual networking needs for enterprise and data center operations. When implementing a large-scale Cisco network, monitoring tools typically rely upon Cisco technologies such as NetFlow, SPAN, RSPAN, ERSPAN, and VACL for traffic visibility: traffic is extracted from the switches and sent to the tools. However, these technologies are often difficult to scale and can modify the traffic (e.g. by encapsulating it), making it difficult to support the diverse monitoring needs of network, security, application, and server groups as they strive to maintain maximum uptime, secure the network, realize operational efficiencies, and gain greater insight for business decision making.

In addition, gaining end-to-end visibility across physical, virtual, and emerging architectures such as Cisco's Application Centric Infrastructure (ACI) and Software Defined Networking (SDN) environments can be challenging, not only during the initial period of transition, but also after the rollout is completed. The interaction between multiple ACI components (the APIC controller, Application Network Profiles, and the underlying ACI fabric) means that the reliance on traffic to comprehensively determine the real-time state of the infrastructure only increases. Moreover, the use of integrated overlay technologies such as VXLAN inside the ACI fabric means that operational tools that need visibility inside the platform need a translation layer that removes the VXLAN headers and extracts the traffic of a particular Endpoint Group before sending it to the tool. Additionally, ACI is often implemented as part of a 40Gb transition, and many customers choose Cisco 40Gb BiDi technology to simplify the move from 10Gb to 40Gb. During this transition it is important to maintain visibility through a system of BiDi-capable network TAPs. ACI uses application network profiles, determined by application requirements, to guide networking behavior and automate the provisioning of the network. As emerging technologies like ACI evolve, so does the need to efficiently monitor and manage them.

This guide reviews the architectures and technologies typically deployed in Cisco networking environments, identifies the key elements of building end-to-end visibility that can help maximize the effectiveness of the Cisco infrastructure, and illustrates how it can be achieved using the Gigamon Visibility Platform.

Overview of Cisco Technologies

Cisco provides a wide range of solutions and technologies to deliver a network optimized for performance. Network, security, application, and server teams are accountable for ensuring the infrastructure is manageable, efficient, and secure. This section provides an overview of the following Cisco technologies, monitoring methods, and challenges affecting end-to-end visibility:

• Application Centric Infrastructure (ACI)
• Cisco 40Gb BiDi Links
• Cisco Fabric Extender (FEX) and VN-Tag
• Cisco FabricPath
• Cisco Virtual Infrastructure
• Cisco Monitoring Methodologies
  – NetFlow/IPFIX
  – SPAN
  – RSPAN
  – ERSPAN
  – VACL
• Inline Bypass Protection of Cisco FirePOWER Intrusion Prevention System (IPS)

Monitoring Cisco Application Centric Infrastructure (ACI)

Cisco's ACI architecture is designed to address the new world of distributed applications in private cloud deployments and data centers. ACI uses two key concepts of SDN, integrated overlays and a centralized controller, to deliver centralized automation and policy-driven application network profiles. The Application Policy Infrastructure Controller (APIC) is the unification point of policy enforcement: it translates application-centric policies into the network policy configuration that is programmed into the underlying ACI fabric. Overlays provide more flexibility because they separate device location from device identity.

For a network administrator, it is important to have visibility into the communication between the APIC and the physical and virtual nodes, so as to immediately determine whether the APIC and the infrastructure state are ever out of sync. Further, being able to correlate observed network traffic with what the controller expects the switches to be doing is a critical aspect of ensuring the success of SDN deployments. In addition, the use of technologies like VXLAN introduces new visibility challenges. Many of the operational tools used for network administration are unaware of VXLAN and require the VXLAN headers to be stripped before traffic is delivered to them. And in a virtualized environment, the administrator needs visibility into both the virtual and the physical elements of the ACI fabric to ensure that there are no blind spots in the infrastructure.

Cisco 40Gb BiDi Links

One of the design elements of ACI is the move to leaf/spine infrastructures running over 40Gb links. Unfortunately, traditional 40Gb short-range links (40GBASE-SR4) split the traffic across four parallel 10Gb lanes, each on its own pair of multi-mode fiber. In many cases, fiber is deployed in groups of 12. Consequently, an upgrade from 10Gb to 40Gb could create a 6x increase in fiber cost.

Cisco addresses this with a 40Gb innovation called BiDi that allows 40Gb traffic to run over the existing duplex 10Gb cabling. This is done by multiplexing two 20Gb lanes, on different wavelengths, onto a single pair of multi-mode fiber, so that each fiber carries traffic in both directions. While this eliminates the fiber cost issue, it raises a new challenge: a standard optical TAP assumes one direction of traffic per fiber and cannot be used to monitor these links. Moreover, Cisco customers can also implement 40Gb BiDi independently of ACI, which means this challenge can be significantly more widespread.

Cisco Fabric Extender (FEX) and VN-Tag

When Cisco introduced the Unified Fabric, the goal was to unify storage, data networking, and network services to deliver architectural flexibility across physical, virtual, and cloud environments. One of the key components is Cisco Fabric Extender Technology (FEX), which delivers fabric extensibility across the network and server hypervisor connectivity. Cisco FEX Technology consists of a parent switch and an extender switch. The parent switch can be a Cisco Nexus 5000, Nexus 6000 or Nexus 7000 Series switch, or a Cisco UCS Fabric Interconnect. The fabric of the parent switch is extended to the server either as a remote line card, with Nexus 2000 Series Fabric Extenders, or as virtual adapter ports that connect to any type of server (rack and/or blade) with Cisco Adapter FEX and VM-FEX technologies. Initially based on the IEEE 802.1Qbh proposal, a VN-Tag is inserted into each frame exchanged between the extender switch and the Nexus parent switch.

While the goal of Cisco's Fabric Extender is to simplify data center connectivity, it introduces potential issues for security and analytic tools that do not understand VN-Tag headers, or that require additional CPU processing to remove them. A centralized monitoring infrastructure with the ability to "normalize" traffic helps such tools regain visibility while maintaining operational efficiency.

Cisco FabricPath

With Cisco FabricPath, highly scalable Layer 2 multipath networks can be built simply and provisioned easily without Spanning Tree Protocol. Such networks are particularly suitable for large virtualization deployments, private clouds, and high-performance computing (HPC) environments. However, much like Cisco Fabric Extender, Cisco FabricPath introduces potential blind spots for security and analytic tools that do not understand the FabricPath headers added to traffic in this environment. In addition, even if the operational tool is able to remove such headers, additional CPU processing on the tool is required. Again, there is a need for a centralized monitoring infrastructure with the ability to "normalize" traffic so that the various operational tools can gain visibility while remaining focused on their specialized tasks.

Cisco Virtual Infrastructure

The Cisco Nexus 1000V Series was the first third-party distributed virtual switch to be fully integrated with VMware virtual infrastructure, including VMware vCenter for the virtualization administrator. When deployed, the Cisco Nexus 1000V Series not only maintains the virtualization administrator's regular workflow; it also offloads the vSwitch and port group configuration to the network administrator, reducing network configuration mistakes and helping ensure that consistent network policy is enforced throughout the data center.

In the Cisco Nexus 1000V Series, traffic between virtual machines on the same host is switched locally without ever reaching the physical switch or network, which increases the potential for blind spots. Cisco technologies such as SPAN, RSPAN, ERSPAN, and VACL may be used on the Nexus 1000V, but they have limitations, which are discussed in the next section, Cisco Monitoring Methodologies.

Cisco Monitoring Methodologies

NetFlow/IPFIX

Cisco's NetFlow, and IPFIX, the IETF standard derived from it, collect IP traffic statistics. By analyzing these statistics, known as NetFlow/IPFIX records, a network administrator can determine things such as the source and destination of traffic, class of service, and the cause of congestion. This insight can help in optimizing resource usage, planning network capacity, and identifying the applications that need Quality of Service (QoS) treatment. It can also play a critical role in network security by detecting Denial of Service (DoS) attacks and network-propagated worms.

When enabled natively in the Cisco switching infrastructure, NetFlow can consume precious compute resources that burden the switch in times of high utilization, potentially causing contention for resources that affects the performance of network switching, the ability to deliver accurate NetFlow statistics, or both. Administrators often correct for this by sampling, so that only one packet in N is examined. However, too sparse a sample can result in important network events being missed. In addition, NetFlow on an individual switch offers only the limited view of traffic that the switch sees. An out-of-band, centralized approach to NetFlow generation can offer visibility into NetFlow statistics across the network without affecting the performance of the production network. The centralized approach is especially important in modern data centers that are highly virtualized and feature distributed applications. The ability to collect NetFlow records from a centralized point provides insight into traffic patterns across the network rather than at a single node. Often, the Cisco infrastructure is also used with other equipment that may not be NetFlow capable; in this case, centralized NetFlow/IPFIX generation is a viable approach to gaining NetFlow visibility across such a multi-vendor network.

Cisco SPAN

Switch Port Analyzer (SPAN) functionality is offered in all Cisco switching solutions. A SPAN session copies data from one or more source ports (or VLANs) to a destination port. Figure 1 shows an example of how the SPAN function operates. With most Cisco switching products, users are limited to two SPAN sessions per switch. For large enterprises this is typically not adequate for monitoring purposes: between the network and security groups there can be four or more monitoring or analysis tools that all contend for the same data. Examples of tools used by IT teams are Application Performance Monitoring (APM), Network Performance Monitoring (NPM), Intrusion Detection Systems (IDS), data recorders, web monitoring tools, and many more. There are also other limitations with this model that prevent users from sending data from one source port to both of the available SPAN sessions, and that prevent VLAN sources and port sources from being mixed in the same session. In summary, SPAN sessions are good for spot analysis but are limited in terms of scaling to support enterprise-wide monitoring policies. SPAN ports are typically best for small to medium environments where monitoring needs are minimal.

Figure 1: Cisco SPAN example. Inside a Cisco switch, ingress and egress traffic on the source ports is copied to a SPAN port which has a network analysis tool connected.

Cisco ERSPAN

With Encapsulated Remote SPAN (ERSPAN), mirrored data from remote switches can be forwarded to a monitoring tool over a routed network, or the Internet, using a GRE tunnel configured on the Cisco switches (Figure 2).

ERSPAN was introduced on Cisco switches with the Supervisor Engine 720 with PFC3A, and support remains limited to certain switch families such as the Catalyst 6500 and Nexus. Packets of an ERSPAN session are encapsulated with a 50-byte header (outer Ethernet, IP, GRE and ERSPAN headers). Fragmented frames and jumbo frames can be problematic: ERSPAN does not fragment the encapsulated frames, so every switch in the path has to be configured to support jumbo frames, otherwise frames that the 50 bytes of ERSPAN encapsulation push past the 1500-byte MTU are dropped. As with the other SPAN technologies, users can create only two ERSPAN destination sessions per switch. ERSPAN also requires additional configuration to ensure that the tunneling and frame sizes are correct for proper delivery of the data.

Figure 2: Cisco ERSPAN example. SPAN data from the remote switches is carried in GRE tunnels to the monitoring tool.
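The 50-byte ERSPAN overhead described above, and the VXLAN headers inside the ACI fabric discussed under Monitoring Cisco Application Centric Infrastructure (ACI), are exactly what a tool-facing "normalization" layer has to remove. The following is an added example and is not Gigamon's or Cisco's code: it builds synthetic ERSPAN Type II and VXLAN packets around a constructed inner frame, strips the encapsulation, and reports whether the encapsulated packet would exceed a 1500-byte MTU. Header layouts follow the ERSPAN Type II and VXLAN (RFC 7348) formats; the addresses, VLAN, session ID and VNI are arbitrary values chosen for the example.

```python
"""Added example (not Gigamon's or Cisco's code): terminate ERSPAN Type II and
VXLAN encapsulation so a tool that only understands plain Ethernet can see the
mirrored frame, and check whether the encapsulated packet still fits a 1500-byte MTU.
Every packet below is constructed in this file."""
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN2 = 0x88BE   # GRE protocol type that carries ERSPAN Type II
VXLAN_UDP_PORT = 4789


def _eth(ethertype, dst=b"\x02" * 6, src=b"\x04" * 6):
    return dst + src + struct.pack("!H", ethertype)


def _ipv4(proto, payload_len, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    # Minimal 20-byte IPv4 header; checksum left at zero since nothing here is transmitted.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0, src, dst)


def build_sample_inner(payload_len):
    """Constructed inner frame: Ethernet + IPv4 + UDP/53 + payload (1472 bytes gives a full 1514-byte frame)."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + payload_len, 0) + bytes(payload_len)
    return _eth(ETHERTYPE_IPV4) + _ipv4(IPPROTO_UDP, len(udp)) + udp


def build_erspan2(inner_frame, session_id=1, vlan=200, seq=7):
    """Wrap a frame the way an ERSPAN source session does: outer Eth/IP, GRE (S bit set), ERSPAN II header."""
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN2, seq)                          # S flag: 4-byte sequence present
    erspan = struct.pack("!HHI", (1 << 12) | (vlan & 0x0FFF), session_id & 0x03FF, 0)  # ver=1, VLAN, session ID, index
    payload = gre + erspan + inner_frame
    return _eth(ETHERTYPE_IPV4) + _ipv4(IPPROTO_GRE, len(payload)) + payload


def build_vxlan(inner_frame, vni=5000):
    """Wrap a frame in VXLAN over UDP 4789, as the ACI overlay does."""
    vxlan = struct.pack("!BBHI", 0x08, 0, 0, vni << 8)                                 # I flag set, 24-bit VNI
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + 8 + len(inner_frame), 0)
    payload = udp + vxlan + inner_frame
    return _eth(ETHERTYPE_IPV4) + _ipv4(IPPROTO_UDP, len(payload)) + payload


def decapsulate(frame):
    """Strip ERSPAN II or VXLAN encapsulation. Returns (encap, metadata, inner_frame, overhead_bytes).
    Raises ValueError for anything else, so an unexpected frame is never delivered half-stripped."""
    if len(frame) < ETH_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    proto = frame[ETH_LEN + 9]
    l4 = ETH_LEN + ihl
    if proto == IPPROTO_GRE:
        gre_flags, gre_proto = struct.unpack("!HH", frame[l4:l4 + 4])
        if gre_proto != GRE_PROTO_ERSPAN2:
            raise ValueError("GRE payload is not ERSPAN Type II")
        # Optional GRE fields: checksum (C, 0x8000), key (K, 0x2000), sequence (S, 0x1000)
        gre_len = 4 + 4 * bool(gre_flags & 0x8000) + 4 * bool(gre_flags & 0x2000) + 4 * bool(gre_flags & 0x1000)
        ers = l4 + gre_len
        ver_vlan, ses = struct.unpack("!HH", frame[ers:ers + 4])
        if ver_vlan >> 12 != 1:
            raise ValueError("unsupported ERSPAN version")
        meta = {"vlan": ver_vlan & 0x0FFF, "session_id": ses & 0x03FF}
        inner_off, encap = ers + 8, "erspan2"
    elif proto == IPPROTO_UDP:
        if struct.unpack("!H", frame[l4 + 2:l4 + 4])[0] != VXLAN_UDP_PORT:
            raise ValueError("UDP payload is not VXLAN")
        vx = l4 + 8
        if not frame[vx] & 0x08:
            raise ValueError("VXLAN header without a valid VNI")
        meta = {"vni": int.from_bytes(frame[vx + 4:vx + 7], "big")}
        inner_off, encap = vx + 8, "vxlan"
    else:
        raise ValueError("unsupported outer protocol %d" % proto)
    return encap, meta, frame[inner_off:], inner_off


def exceeds_mtu(frame, mtu=1500):
    """True if the outer IP packet (frame minus its Ethernet header) is larger than the path MTU."""
    return len(frame) - ETH_LEN > mtu


if __name__ == "__main__":
    full = build_sample_inner(1472)
    for pkt in (build_erspan2(full, session_id=3), build_vxlan(full, vni=5000)):
        encap, meta, inner, overhead = decapsulate(pkt)
        print(encap, meta, "overhead=%d" % overhead, "inner intact:", inner == full,
              "exceeds 1500 MTU:", exceeds_mtu(pkt))
```

Outer Ethernet (14) + IPv4 (20) + GRE with sequence (8) + ERSPAN II (8) adds up to the 50 bytes cited above, and VXLAN (14 + 20 + 8 + 8) happens to add the same. With a full 1514-byte inner frame, exceeds_mtu() returns True: the outer IP packet is 1550 bytes, which is what a non-jumbo transit switch would drop. The VLAN and session ID recovered from the ERSPAN header, and the VNI from VXLAN, are what a monitoring fabric would use to steer the stripped frame to the right tool.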
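The sampling trade-off described in the NetFlow/IPFIX section above (byte and packet volumes are still estimated well from a 1-in-N sample, but a rare event can disappear from the records) is shown in this added example, which is not Gigamon's or Cisco's code. It assumes a plain 5-tuple flow key, deterministic 1-in-N packet sampling, and a constructed traffic mix; the detector's threshold of 50 distinct destination ports is an illustrative choice.

```python
"""Added example (not from the guide): turn packets into NetFlow-style 5-tuple records,
apply deterministic 1-in-N packet sampling the way a sampled exporter would, and run a
simple port-scan detector over the result. All traffic is constructed in this file."""
from collections import defaultdict

TCP = 6
SYN = 0x02


def build_packets():
    """Constructed traffic: 20 clients exchanging HTTPS data with 10.0.0.5 (2000 packets),
    followed by one host sending a single SYN to each of 1000 ports on 10.0.0.5."""
    pkts = []
    for i in range(2000):
        client = "10.0.1.%d" % (i % 20 + 1)
        pkts.append((client, "10.0.0.5", TCP, 40000 + i % 20, 443, 600, 0x18))   # PSH|ACK data
    for port in range(1, 1001):
        pkts.append(("203.0.113.7", "10.0.0.5", TCP, 54321, port, 60, SYN))
    return pkts


def flow_records(pkts, sample_every=1):
    """Aggregate packets into flow records keyed by (src, dst, proto, sport, dport).
    sample_every=N keeps every Nth packet and scales its counters by N, which is how a
    sampled NetFlow exporter estimates the unsampled totals."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "flags": 0})
    for idx, (src, dst, proto, sport, dport, size, flags) in enumerate(pkts):
        if idx % sample_every:
            continue
        rec = flows[(src, dst, proto, sport, dport)]
        rec["packets"] += sample_every
        rec["bytes"] += size * sample_every
        rec["flags"] |= flags
    return dict(flows)


def total_bytes(flows):
    return sum(rec["bytes"] for rec in flows.values())


def port_scanners(flows, min_ports=50):
    """Sources whose SYN-only flows (no ACK or data ever seen) touch at least min_ports
    distinct destination ports on a single host."""
    probed = defaultdict(set)
    for (src, dst, proto, sport, dport), rec in flows.items():
        if proto == TCP and rec["flags"] == SYN:
            probed[(src, dst)].add(dport)
    return sorted({src for (src, dst), ports in probed.items() if len(ports) >= min_ports})


if __name__ == "__main__":
    pkts = build_packets()
    for n in (1, 10, 100):
        flows = flow_records(pkts, sample_every=n)
        print("1-in-%-3d records=%-5d est. bytes=%d scanners=%s"
              % (n, len(flows), total_bytes(flows), port_scanners(flows)))
```

Byte totals agree at every sampling rate because the constructed traffic is periodic, so volume reporting looks fine; but the 1000-port probe shrinks to 100 flow records at 1-in-10 and to 10 at 1-in-100, where the detector goes silent. Generating flow records out-of-band from a full copy of the traffic, as the section above recommends, avoids having to make that trade on the switch.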

Cisco RSPAN

Cisco Remote Switch Port Analyzer (RSPAN) works very much like SPAN, except that mirrored data is carried between switches over a dedicated RSPAN VLAN, propagated with the Cisco VLAN Trunking Protocol (VTP), and, on some platforms, reflector ports (Figure 3). Users are only allowed to send data to two RSPAN destinations. As with SPAN, data from the same source port or VLAN cannot be shared across the two sessions. RSPAN presents configuration complexity, as users have to configure the correct VTP domains on each switch that RSPAN data traverses. In addition to the potential for duplicate packets present in any SPAN configuration, RSPAN will not pass all Layer 2 traffic: Layer 2 control protocols such as BPDUs are not forwarded over the RSPAN VLAN.

Figure 3: Cisco RSPAN example. Data on the originating switch is sent over an RSPAN VLAN, created using VTP and reflector ports, to the monitoring tool.

Cisco VACL

VLAN access lists (VACLs) overcome most SPAN limitations, in addition to providing the ability to filter for certain types of traffic, such as a TCP port or IP address. VACLs are ACLs that apply to all packets, whether bridged within a VLAN or routed to or from a VLAN (unlike ACLs that are typically configured on router interfaces and applied only to routed traffic). See Figure 4. The maximum number of VACL captures a switch can support is determined by the number of VLANs on the switch: for example, if a switch has only five configured VLANs, then five VACL capture ports can be created. Users mainly use VACLs to free up SPAN resources, as a band-aid rather than a complete monitoring infrastructure. Configuring VACLs is usually reserved for more senior networking staff, as VACLs require the most configuration attention of all the Cisco network visibility technologies. A mistake in a VACL can block data from reaching the capture port, and because the same VACL is enforced on the production VLAN, it can block production traffic as well. Like SPAN, source data cannot be sent to multiple VACLs, which limits the benefit of the extra VACL ports: monitoring tools often have to see many VLANs at once, leaving the user with only one or two usable VACL capture ports.

Figure 4: Cisco VACL example. Data from IP address 1.1.1.1 in VLAN 200 is forwarded to a VLAN capture port connected to a monitoring tool.

Inline Bypass Protection of Cisco FirePOWER Intrusion Prevention Systems (IPS)

Given the attack continuum that organizations face before, during and after an attack, organizations today need continuous security monitoring to cope with the new security landscape. In network security, visibility is everything: limited access points to traffic in the infrastructure create blind spots. To cope with this broad range of challenges, organizations are implementing inline security systems for effective protection, and Cisco's FirePOWER IPS appliances are a common choice for that role. Implementing such solutions inline requires the following considerations:

• Ensure high availability and resiliency. When implementing FirePOWER IPS inline, security operations often face concerns raised by network operations about high availability and resiliency, since a failed inline appliance can interrupt production traffic.
• Intelligent filtering of traffic to inline appliances. Security operations personnel also need to deliver only the real-time network traffic of interest, to avoid overloading the FirePOWER IPS.
• Upgrade, add or remove IPS appliances without waiting for network maintenance windows. Security operations personnel need to maintain, upgrade, add or remove FirePOWER IPS appliances without having to coordinate maintenance windows with network operations.
• Application-aware filtering to decouple IPS performance from network performance. This allows 1Gb FirePOWER appliances to be used inline with a 10Gb network, and 10Gb appliances with a 40Gb network, increasing overall utilization without compromising security.

Requirements for End-to-End Visibility

The challenges around gaining end-to-end visibility across Cisco infrastructure and technologies are driving IT departments to look more closely at an out-of-band monitoring infrastructure to pr

provide only relevant traffic information, reducing the unnecessary burden on the tools. In addition, features such as header stripping and decapsulation (tunnel termination) functions give tools access to protocols and data they may otherwise be blind to.
