Monitoring Cisco ACI Environments Using CA Application Delivery Analysis and Ixia Visibility Architecture
Best Practice Deployment Guide

COPYRIGHT AND DISCLAIMER

Copyright 2018 Ixia. All rights reserved. This publication may not be copied, in whole or in part, without Ixia's consent.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the U.S. Government is subject to the restrictions set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

Ixia, the Ixia logo, and all Ixia brand names and product names in this document are either trademarks or registered trademarks of Ixia in the United States and/or other countries. All other trademarks belong to their respective owners. The information herein is furnished for informational use only, is subject to change by Ixia without notice, and should not be construed as a commitment by Ixia. Ixia assumes no responsibility or liability for any errors or inaccuracies contained in this publication.

Ixia, a Keysight Business.

ACI and CA ADA Best Practice Deployment Guide using Ixia NVS

CONTENTS

Executive Summary ... 4
Target Audience ... 5
How To Mitigate Cisco ACI Application Deployment Challenges ... 5
Key Ixia Technologies ... 6
Access Credentials ... 10
Installing CA Virtual Multi-Port (CA VMTP) ADA ... 10
Best Practice Deployment Guides ... 11
Scenario 1: Access Packets ... 11
Scenario 2: Aggregate Traffic and Stripping VXLAN Header ... 15
Scenario 3: Load Balancing Multiple CA VMTP Devices ... 24
Scenario 4: Traffic Grooming ... 31
Scenario 5: Automation and APIC Management ... 36
Scenario 6: Monitoring East to West Traffic ... 37
Scenario 7: Monitoring and Troubleshooting ACI Environments ... 40
Products Tested in the Preceding Deployment Examples ... 44
Who to Contact for Further Information on the Cisco Ixia Joint Solution ... 45

EXECUTIVE SUMMARY

Enterprise service providers and other major companies choose Cisco networking infrastructure to serve their physical and virtual networking needs for enterprise and data center operations. However, migrating to newer Cisco architectures such as ACI presents some challenges. When implementing a large-scale Cisco network, monitoring tools typically rely upon Cisco technologies such as NetFlow, SPAN, RSPAN, ERSPAN and VACL for traffic visibility: traffic is extracted and sent to the tools. Especially in newer Cisco ACI architectures, these technologies are often difficult to scale and can modify the traffic (for example by encapsulating it), which makes it difficult to support the diverse monitoring needs of the network, security, application and server groups as they strive to maximize uptime, secure the network, realize operational efficiencies and gain greater insight for business decision making.

CA Application Delivery Analysis can help you prove how well your network delivers applications to users, with application delivery analysis of performance and availability against SLA measurements. It helps you focus investments on the areas that need them most and later quantify the before and after, validate the impact of those changes and verify your investment decisions. Ixia's Network Visibility Solutions (NVS), including TAPs and network packet brokers (NPBs), complement CA application delivery products to create the scalable and resilient application monitoring solutions that IT professionals need.

This best practice deployment guide draws on industry trends and lessons learned to add scalability and resilience to the monitoring of applications running over a Cisco ACI network using CA Application Delivery Analysis (ADA) and the Ixia Visibility Architecture. The CA Virtual Multi-Port (CA VMTP) collector is a powerful appliance that captures session-level packet data from a monitored data center. The appliance captures data for reporting in CA Application Delivery Analysis (CA ADA).

The methods and suggestions outlined in this document answer the IT customer question of "how to" accomplish application performance monitoring and resilience goals when running over an ACI network. The use cases defined in this document have been tested by Ixia and CA, are deployed at customers and are ready to be demonstrated, with the intent of accelerating evaluation cycles, avoiding technical pitfalls at deployment and helping customers scale their CA ADA deployments.

By closely linking Cisco ACI, CA ADA and Ixia Vision ONE products to build application-level performance monitoring, CA's and Ixia's mutual channel partners gain the benefit of providing customers a complete, highly scalable solution that is easy to deploy.

The paper spells out how to integrate CA ADA with Ixia's NVS to proactively:
- Access packets using physical TAPs, Virtual TAPs (V-TAP) and Cisco ERSPAN
- Dynamically load balance workloads across multiple CA Virtual Multi-Port (CA VMTP) collectors, which feed data to ADA
- Maximize CA VMTP utilization by bringing multiple network links from across the data center to a pool of CA tools
- Aggregate traffic and strip proprietary or standard VXLAN headers before sending it to CA
- Build high availability into mission-critical deployments
- Groom, deduplicate and filter traffic

Specific details of how to configure the Ixia and CA devices to achieve these goals are provided in the design examples later in this document.
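Three of the items above are things the packet broker has to get right before a CA VMTP collector ever sees a packet: removing the ERSPAN or VXLAN encapsulation that a SPAN copy arrives in, dealing with the 50 bytes that encapsulation adds (Table 1 later in this guide notes the resulting fragmentation and jumbo-frame problem for ERSPAN), and load balancing so that both directions of a session land on the same collector. The Python below is an added example for this page, not Ixia, Cisco or CA code: it builds a few frames in memory (constructed sample data; the addresses, session ID, VNI and collector names are assumptions), strips an ERSPAN Type II or VXLAN outer header as an NPB header-removal stage would, does the MTU arithmetic, and picks a collector with a direction-independent flow hash. It also handles an outer 802.1Q tag and the optional GRE checksum and key fields, which go slightly beyond what the text describes.

```python
"""Strip ACI SPAN encapsulation and pick a collector, as an NPB would.

Constructed example (not Ixia, Cisco or CA code). Frames are built in
memory; IP and UDP checksums are left at zero because nothing here is
put on a wire.
"""
import struct
import zlib

ETH_P_IPV4, ETH_P_8021Q = 0x0800, 0x8100
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
GRE_PROTO_ERSPAN2 = 0x88BE          # GRE protocol type for ERSPAN Type II
VXLAN_PORT, VXLAN_I_FLAG = 4789, 0x08
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ENCAP_IP_BYTES = 36                 # IPv4(20)+GRE(8)+ERSPAN(8) or IPv4(20)+UDP(8)+VXLAN(8)


def _eth(ethertype, payload):
    return MAC_B + MAC_A + struct.pack("!H", ethertype) + payload


def _ipv4(src, dst, proto, payload):
    # ver/IHL, DSCP, total length, id, flags/frag, TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, src, dst) + payload


def inner_tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """A monitored TCP segment, as the leaf switch saw it (sample data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 0xFFFF, 0, 0)
    return _eth(ETH_P_IPV4, _ipv4(src_ip, dst_ip, IPPROTO_TCP, tcp + payload))


def encap_erspan2(inner, session_id, src_ip, dst_ip):
    """Eth(14)+IPv4(20)+GRE with sequence(8)+ERSPAN II(8): 50 bytes in front."""
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN2, 1)       # S bit, seq=1
    erspan = struct.pack("!HHI", 1 << 12, session_id & 0x3FF, 0)  # ver 1 = Type II
    return _eth(ETH_P_IPV4, _ipv4(src_ip, dst_ip, IPPROTO_GRE, gre + erspan + inner))


def encap_vxlan(inner, vni, src_ip, dst_ip):
    """Eth(14)+IPv4(20)+UDP(8)+VXLAN(8): also 50 bytes in front."""
    vx = struct.pack("!II", VXLAN_I_FLAG << 24, vni << 8)
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(vx) + len(inner), 0)
    return _eth(ETH_P_IPV4, _ipv4(src_ip, dst_ip, IPPROTO_UDP, udp + vx + inner))


def decapsulate(frame):
    """Return (kind, inner_frame, meta); kind is 'erspan', 'vxlan' or None."""
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype == ETH_P_8021Q:                      # outer VLAN tag on the SPAN link
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if ethertype != ETH_P_IPV4:
        return None, frame, {}
    ihl = (frame[off] & 0x0F) * 4
    total_len, _, flags_frag = struct.unpack_from("!HHH", frame, off + 2)
    proto = frame[off + 9]
    if flags_frag & 0x3FFF:                           # MF set or non-zero offset
        raise ValueError("outer packet is a fragment; reassemble before stripping")
    end = off + total_len                             # excludes Ethernet padding/FCS
    off += ihl
    if proto == IPPROTO_GRE:
        gre_flags, gre_proto = struct.unpack_from("!HH", frame, off)
        if gre_proto != GRE_PROTO_ERSPAN2:
            return None, frame, {}
        off += 4                                      # then optional GRE fields C, K, S
        off += 4 * bool(gre_flags & 0x8000) + 4 * bool(gre_flags & 0x2000) + 4 * bool(gre_flags & 0x1000)
        ver_vlan, cos_en_t_sid, _ = struct.unpack_from("!HHI", frame, off)
        if ver_vlan >> 12 != 1:
            raise ValueError("only ERSPAN Type II is handled here")
        meta = {"session_id": cos_en_t_sid & 0x3FF, "vlan": ver_vlan & 0xFFF}
        return "erspan", frame[off + 8:end], meta
    if proto == IPPROTO_UDP:
        if struct.unpack_from("!H", frame, off + 2)[0] != VXLAN_PORT:
            return None, frame, {}
        flags, vni_res = struct.unpack_from("!II", frame, off + 8)
        if not (flags >> 24) & VXLAN_I_FLAG:
            raise ValueError("VXLAN header without a valid VNI")
        return "vxlan", frame[off + 16:end], {"vni": vni_res >> 8}
    return None, frame, {}


def needs_fragmentation(inner_frame_len, transport_mtu=1500):
    """Outer IP packet = inner frame + 36 bytes. Above the transport MTU the switch
    fragments it (or drops it when DF is set): a full-size 1514-byte frame becomes
    a 1550-byte packet, so a 1500-byte path always fragments; use jumbo frames."""
    return inner_frame_len + ENCAP_IP_BYTES > transport_mtu


def flow_key(inner):
    """Direction-independent 5-tuple of the inner IPv4 frame (None if not IPv4)."""
    if struct.unpack_from("!H", inner, 12)[0] != ETH_P_IPV4:
        return None
    ip = 14
    ihl, proto = (inner[ip] & 0x0F) * 4, inner[ip + 9]
    src, dst = inner[ip + 12:ip + 16], inner[ip + 16:ip + 20]
    sport = dport = 0
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack_from("!HH", inner, ip + ihl)
    # sorting the two endpoints makes request and reply hash identically
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))


def pick_collector(inner, collectors):
    """Hash the symmetric key to one collector, so CA ADA sees both directions."""
    key = flow_key(inner)
    if key is None:
        return collectors[0]                          # non-IP: fixed fallback
    return collectors[zlib.crc32(repr(key).encode()) % len(collectors)]


if __name__ == "__main__":
    client = inner_tcp_frame(bytes([10, 0, 1, 10]), bytes([10, 0, 2, 20]), 51000, 443, b"GET /")
    server = inner_tcp_frame(bytes([10, 0, 2, 20]), bytes([10, 0, 1, 10]), 443, 51000, b"HTTP/1.1 200")
    span = encap_erspan2(client, 7, bytes([10, 9, 0, 1]), bytes([10, 9, 0, 100]))
    kind, inner, meta = decapsulate(span)
    pool = ["vmtp-1", "vmtp-2", "vmtp-3"]
    print(kind, meta, len(span) - len(inner), pick_collector(inner, pool), pick_collector(server, pool))
```

Two design points carry over to a real deployment. First, the outer IP total length, not the captured frame length, bounds the inner frame, so trailing Ethernet padding or an FCS from the capture interface never leaks into what the collector sees. Second, the hash key sorts the two (address, port) endpoints before hashing; a broker that hashed on source IP alone would send the client's request to one VMTP and the server's reply to another, and CA ADA, which derives response times from matching the two, would see neither side of the conversation completely.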

Target Audience

This Best Practice Deployment Guide is intended to assist CA and partner technical resources who help their customers with planning, deploying and managing CA Application Delivery solutions. It highlights key considerations for avoiding pitfalls, operational challenges and customer constraints by leveraging Ixia's Network Visibility Solutions, and provides specific configuration details for the use case scenarios covered.

This document is not intended to be a full set of documentation. Please consult the Ixia Network Visibility and CA ADA Admin and User guides for complete technical details on the referenced products.

HOW TO MITIGATE CISCO ACI APPLICATION DEPLOYMENT CHALLENGES

The following list of typical problem areas can negatively impact Cisco ACI network and application monitoring deployments and create unnecessary support calls.

Table 1 outlines the ways CA Virtual Multi-Port (CA VMTP) and Ixia's Network Visibility Solutions help you get over typical application performance monitoring and resilience challenges in a Cisco ACI network. (Details of how to configure such solutions are provided later in this document.)

Table 1: Solutions to typical ACI network application deployment challenges

Problem area: Flexibility
Problem: Complex spanning with Cisco SPAN, RSPAN and ERSPAN
Problem details: SPAN ports are offered on all Cisco switches; SPAN copies data from one or more source ports to a destination port and is limited to two SPAN sessions per switch. It cannot send from one source to multiple destinations, or tag and untag ports. RSPAN is complex to configure: users have to configure the correct VTP domains on each switch. SPAN configurations produce duplicate packets, RSPAN will not pass Layer 2 data, and ERSPAN forwards data from remote switches to a monitoring tool over a routed network using a GRE tunnel with a 50-byte header, which brings fragmentation and jumbo-packet problems.
How Ixia helps: With the Ixia Visibility Architecture users can overcome these limitations. Physical taps let users send a copy of the traffic anywhere without such limitations, and the Ixia Vision ONE can remove VXLAN, MPLS, VN-TAG and other headers before sending traffic to the tools, load-share it and filter it.

Problem area: Automation
How Ixia helps: The Ixia NVS REST API allows monitoring tasks to be automated. In some cases SPANning may still be used (e.g. tenant SPAN), and integration between the ACI controller (APIC) and the Ixia NPB also allows monitoring to be automated in those cases.

Problem area: Performance
Problem: SPAN / RSPAN / ERSPAN overhead
How Ixia helps: Because of the overhead they place on ACI infrastructure switches, SPAN, RSPAN and ERSPAN can only be used on a limited basis. Ixia TAPs and NPBs, on the other hand, can monitor copies of all ACI infrastructure traffic without placing any overhead on production traffic.

Problem area: Scalability
Problem: Too much traffic
How Ixia helps: Ixia NPBs prevent oversubscribing CA tools by load balancing and filtering traffic. Additional CA Virtual Multi-Port (CA VMTP) collectors can be added to the NPB seamlessly, without any downtime to the monitored services.

Problem area: Scalability
Problem: Mix of network link speeds (1G, 10G, 25G, 40G)
How Ixia helps: Ixia NPBs can aggregate various link speeds and forward to the tool pool across 1G, 10G or 40G interfaces, with the option of load balancing, filtering and de-duplication. A variety of media types are supported.

Problem area: Scalability
Problem: Maximize tool efficiency
How Ixia helps: Ixia's iBypass family allows traffic capture on multiple segments, which Ixia NPBs can aggregate before forwarding to a single tool or a tool pool for full visibility. The NPB ensures consistency of traffic by link.

Problem area: Coverage & Reliability
Problem: Many ACI network points need to be monitored
How Ixia helps: Ixia NVS solutions can be implemented as fully redundant, high-availability designs supporting Active/Active or Active/Standby tools. The solution can monitor all paths of the ACI infrastructure to ensure full coverage; for example, all links can be tapped and aggregated in the NPB.

Problem area: Coexistence
Problem: Don't want to lose the investment in existing tools
How Ixia helps: Ixia NPBs allow existing and new tools to coexist. For instance, traffic can be sent to CA Virtual Multi-Port (CA VMTP) for application monitoring while also being sent to pre-existing tools (e.g. security forensics). Customers can also keep using lower-speed tools (e.g. 10G) to monitor the higher-speed links (e.g. 40G) present in ACI networks.

Key Ixia Technologies

Ixia Network Visibility Solutions work in concert with CA ADA to deliver application performance and scalability. Ixia NVS provides out-of-band monitoring and load balancing technology for highly resilient, fault-tolerant and scalable CA ADA deployments. CA ADA deployments can be upgraded or expanded as the customer's traffic and monitoring needs increase, without taking the current CA tools out of service.

Cisco 40G BiDi

The Cisco QSFP 40-Gbps Bidirectional (BiDi) transceiver is a pluggable optical transceiver with a duplex LC connector interface for short-reach data communication and interconnect applications using multimode fiber (MMF). It offers customers a compelling solution that lets them reuse their existing 10 Gigabit duplex MMF infrastructure to migrate to 40 Gigabit Ethernet connectivity.

The Cisco QSFP 40-Gbps BiDi transceiver supports link lengths of 100 and 150 meters on laser-optimized OM3 and OM4 multimode fibers, respectively. It complies with the QSFP MSA specification, enabling customers to use it on all QSFP 40-Gbps platforms to achieve high-density 40 Gigabit Ethernet networks. Each Cisco QSFP 40-Gbps BiDi transceiver consists of two 20-Gbps transmit and receive channels in the 832-918 nanometer wavelength range, enabling an aggregated 40-Gbps link over a two-strand multimode fiber connection.

Figure 1. Cisco QSFP BiDi 40Gbps Transceiver: Duplex MMF with LC Connectors at Both Ends

TAP

Built using fiber optics, Ixia Flex Tap fiber taps deliver 100% visibility into network traffic and permanent, passive access points while preserving network performance: each tap in the Flex Tap family is modular, supports network speeds of up to 100Gbps, and is fully passive. Flex Taps let you monitor network performance without degradation or disruption. They are also versatile: each is compatible with all protocols and monitoring devices, and can be deployed at any inline connection on the network without increasing overhead or management workflows. Flex Taps consist of a base chassis unit that can hold up to 24 individual LC-based Flex Tap modules, or 12 MTP-based modules.

IT professionals buy Ixia Flex Taps because of:
- Ixia's range of tap types, the largest of any vendor: speeds from 1Gbps to 100Gbps, single-mode and multi-mode, and connector/fiber types including Cisco BiDi. See the data sheet for a complete listing of Flex Tap modules, including the new Flex Tap VHD module, which provides up to 36 taps in a 19-inch 1U space.
- Ixia holding many thousands of taps in stock and being able to ship high volumes quickly if required.
- Ixia's ability to supply globally through a network of channel partners.
- Ixia's product quality: Ixia tests Flex Tap optical fiber taps thoroughly in both the design and manufacturing processes, often using the same test equipment Ixia is known for.
- Ixia's reputation for technical innovation: Ixia was the first to offer a modular tap (Flex Tap) and continues to innovate through products such as Flex Tap Secure, which provides enhanced security for the most sensitive applications.
- A wide choice of supporting cables.
- A specific tap module that supports connection to the specialized optics of Cisco ACI 40G BiDi links.

Ixia Network Packet Broker Vision ONE

The Ixia Vision ONE is a purpose-built network packet broker (NPB) for monitoring high-speed network traffic, letting you share the network's rapidly increasing traffic load among multiple CA application monitoring tools via load balancing. Vision ONE allows inline tool deployment in serial, parallel or combined mode, and provides failover features to maximize the scalability and resiliency of a CA tools deployment.

Key Benefits
- Application monitoring tools can be deployed very flexibly to meet varying customer requirements: in serial (for service chaining), in parallel (for load balancing), or both, to maintain maximum flexibility.
- Tool sharing reduces costs by allowing multiple departments in an organization to use the same monitoring tool to monitor multiple links throughout the organization.
- Filtering increases efficiency and maximizes tool utilization by sending each tool only the traffic it needs.
- Traffic grooming and VXLAN header removal send only the IP traffic to the tools.

Vision ONE also includes the Application and Threat Intelligence Processor (ATIP), which performs deep packet inspection and SSL decryption for flows filtered through it. ATIP provides traffic analysis describing the who, what and where of your traffic in a dashboard.

Figure 1. Ixia Vision ONE Network Packet Broker

CloudLens Private

CloudLens, Ixia's platform for public, private and hybrid cloud visibility, addresses the challenge of granular data access in the cloud. CloudLens Private, the arm that supports private cloud technologies, can tap, filter, process and manipulate traffic entirely within a cloud environment. CloudLens gives organizations the visibility they need while staying aligned to an "all cloud", hybrid cloud, multi-cloud or any-cloud strategy. CloudLens supports the leading hypervisors through a single management interface, for organizations that use a variety of private cloud technologies in their build-outs: it provides intelligent monitoring for OpenStack KVM, VMware ESXi and NSX, and Microsoft Hyper-V, and is vSwitch/router agnostic (VSS, vDS).

CA Application Delivery Analysis (ADA)

CA ADA provides the end-to-end response time monitoring capabilities you need to measure and report on the performance of applications, quickly isolate and fix performance bottlenecks, and optimize the end-user experience. The solution is efficient to deploy and manage, delivering performance and availability measurements based on real application response times, without requiring synthetic tests, probes or agents.

CA ADA continually collects performance metrics, automatically establishes intelligent baselines, and generates alerts as soon as performance starts to deteriorate. It provides rapid insight into the duration, frequency, pervasiveness and severity of problems. Application scorecards give an at-a-glance view of critical application performance, while SLA reporting summarizes both the performance and the availability of applications.

CA ADA provides the visibility and insight you need to mitigate the risks associated with planned changes or unexpected events. You can measure the before-and-after impact of infrastructure changes on application performance, as well as validate the effectiveness of efforts such as an MPLS migration, VoIP deployment, WAN optimization, QoS policy changes and server upgrades.

Key Benefits for CA Virtual Multi-Port (CA VMTP)
- Faster problem triage. Intuitive visual cues, such as graphs and charts, make it easier to identify the fault domain quickly.
- Better root-cause determination. Simple workflows, automated investigations and comprehensive diagnostics facilitate fast verification and root-cause analysis.
- Improved change management. Before-and-after metrics help you validate and mitigate the risks of planned and unplanned changes to your application delivery infrastructure.
- Higher service levels. SLA reporting and alarms foster improved service levels and proactive SLA compliance.

CA Virtual Network Assurance, Network Monitoring Tools

This next-generation network monitoring tool is a comprehensive and highly scalable software gateway that enables easy management of software-defined network (SDN) architectures alongside traditional infrastructure, for a familiar operational user experience and continued use of standard network operating procedures.

SDN lets cloud networks expand and contract dynamically based on application demand, which makes traditional network monitoring much more challenging. The CA Virtual Network Assurance network monitoring tool captures the dynamic relationships introduced by modern automated networks in real time and visualizes these physical and logical dependencies in application and service-chain building block views, giving operational insight into how all elements of a modern network affect business service integrity.

The solut
