
Enhancing Cisco Networks with Gigamon // White Paper

The Smart Route To Visibility™

Many Fortune 1000 companies and beyond implement a Cisco switching architecture. When implementing a large-scale Cisco network, the infrastructure needed to effectively monitor that network is often overlooked. To monitor their networks, customers use Cisco technologies such as SPAN, RSPAN, ERSPAN, and VACL. Often these technologies do not scale to support the diverse needs of the network and security groups as they strive for maximum uptime within the network infrastructure. This white paper discusses the various monitoring functions Cisco provides and how you can enhance these technologies using the Gigamon Traffic Visibility Fabric and TAP solutions.

Cisco SPAN

SPAN stands for Switch Port Analyzer. SPAN functionality is offered in all Cisco switching solutions. A SPAN port copies data from one or more source ports to a destination port. Figure 1 shows an example of how the SPAN function operates.

With most Cisco switching products, users are limited to two SPAN sessions per switch. For most large enterprises this is not sufficient for monitoring purposes. In most large organizations, the network and security groups between them commonly have four or more monitoring or analysis tools that all contend for the same data. Examples of such tools are Application Performance Monitors, Intrusion Detection Tools, Data Recorders, Web Monitoring Tools, and many more. There are also limitations that prevent users from sending data from one source port to both of the available SPAN sessions, as well as limitations on sending VLAN and non-VLAN traffic to the same port. In summary, SPAN sessions are good for spot analysis but are limited in terms of scaling to support company-wide monitoring initiatives. SPAN ports are typically best for small to medium environments where monitoring needs are modest.

Figure 1: Cisco SPAN example (diagram: Source Data Port → SPAN Port)

Inside a Cisco switch, data is copied from a network port (in this example, the port the router is connected to) to a SPAN port which has a monitoring tool connected.


Cisco RSPAN

Cisco RSPAN stands for Remote Switch Port Analyzer. RSPAN works very much like SPAN, with the exception that data can be sent between remote monitoring ports in the switching architecture using VTP and reflector ports.

Users are only allowed to send data to two RSPAN destinations. Just like SPAN, data from the same source port or VLAN cannot be shared across the two sessions. RSPAN adds configuration complexity, as users have to configure the correct VTP domains on each switch that RSPAN data traverses. There is a potential for duplicate packets in RSPAN configurations. RSPAN ports also will not pass Layer 2 data.

Cisco ERSPAN

ERSPAN stands for Encapsulated Remote SPAN. With ERSPAN, data from remote switches can be forwarded to a monitoring tool over a routed network or the Internet using a GRE tunnel configured on the Cisco switches.

ERSPAN is only supported on Cisco switches that support the Supervisor Engine 720 manufactured with PFC3A. This means the feature is limited to a few Cisco switch families, such as the Catalyst 6500 family. This functionality has not carried over to the newer Cisco Nexus product line as an option. Packets of an ERSPAN session are tagged with a 50-byte header, and the CRC is replaced. Items you need to be aware of are fragmented frames and jumbo frames. ERSPAN does not support fragmented frames, and all switches have to be configured to support jumbo frames; otherwise frames that grow past the 1500-byte limit once the 50-byte tag is added will be dropped. Just like all other SPAN technologies, you can only create two ERSPAN destinations per switch. ERSPAN requires additional configuration attention to ensure that the tunneling and frame sizes are correct for proper routing of data.
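To make the sizing rules concrete for anyone planning an ERSPAN feed into an IDS or packet recorder, here is an added example (not code from the paper or from Cisco) that applies the 50-byte overhead, the 1500-byte limit and the no-fragments rule to a constructed set of frame sizes and reports how much traffic the tool would never see; the 9000-byte jumbo MTU is an assumed value.

```python
# Added example, not from the Gigamon paper or Cisco: applies the ERSPAN sizing
# rules the paper states (50-byte header, 1500-byte limit unless every switch on
# the path carries jumbo frames, no fragmented frames). JUMBO_MTU is an assumed
# value; the paper gives no jumbo figure.

ERSPAN_OVERHEAD = 50   # bytes added to each mirrored frame
STANDARD_MTU = 1500    # limit when any switch on the path lacks jumbo support
JUMBO_MTU = 9000       # assumption for the jumbo-enabled case

def path_mtu(jumbo_on_every_switch):
    # A single switch without jumbo frames pins the whole path to 1500 bytes.
    return JUMBO_MTU if jumbo_on_every_switch else STANDARD_MTU

def max_mirrorable_frame(jumbo_on_every_switch=False):
    """Largest original frame that still fits once the ERSPAN header is added."""
    return path_mtu(jumbo_on_every_switch) - ERSPAN_OVERHEAD

def erspan_outcome(frame_len, fragmented=False, jumbo_on_every_switch=False):
    """Return (mirrored, reason) for one frame entering the ERSPAN session."""
    if fragmented:
        return False, "dropped: ERSPAN does not support fragmented frames"
    encapsulated = frame_len + ERSPAN_OVERHEAD
    mtu = path_mtu(jumbo_on_every_switch)
    if encapsulated > mtu:
        return False, f"dropped: {encapsulated} bytes after encapsulation exceeds MTU {mtu}"
    return True, f"mirrored as {encapsulated} bytes"

def visibility_gap(frames, jumbo_on_every_switch=False):
    """frames: list of (length, fragmented). Return (seen_bytes, lost_bytes, reasons).

    lost_bytes is traffic the tool behind the session will never see."""
    seen = lost = 0
    reasons = []
    for length, fragmented in frames:
        ok, why = erspan_outcome(length, fragmented, jumbo_on_every_switch)
        if ok:
            seen += length
        else:
            lost += length
            reasons.append(why)
    return seen, lost, reasons

# Constructed sample: small control frames, full-size data frames around the
# 1450-byte boundary, and one fragment.
SAMPLE_FRAMES = [(64, False), (1450, False), (1451, False), (1500, False), (1200, True)]
```

The 1450-byte boundary is the practical check: any standard full-size 1500-byte frame is silently lost unless every switch on the GRE path carries jumbo frames, which is a monitoring blind spot rather than a visible error.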

Figure 2: Cisco RSPAN example (diagram: Source Data → originating switch with reflector port → RSPAN VLAN → SPAN Data → Monitoring Tool)

Data on the originating switch is sent over an RSPAN VLAN created using VTP and reflector ports.

Figure 3: Cisco ERSPAN example (diagram: Source Data → SPAN data in a GRE tunnel across a routed network → Monitoring Tool)

Cisco VACL

VACL stands for VLAN Access List. VACLs overcome most SPAN limitations, in addition to providing the ability to filter for certain types of traffic such as a TCP port or IP address. VACLs are ACLs that apply only to data within a VLAN and are separate from the ACLs that would be used in router configurations. The maximum number of VACLs a switch can support is determined by the number of VLANs in the switch. For example, if a switch only has 5 configured VLANs then you can create 5 VACL capture ports.

Users will mainly use VACLs to free up SPAN resources, as a band-aid in place of a complete monitoring infrastructure. Configuring VACLs is usually reserved for more senior networking staff, as VACLs require the most configuration attention of all the Cisco network visibility technologies. Users can mistakenly block data from the VACL capture port if care is not taken when configuring the VACL. As with SPAN, VACL source data cannot be sent to multiple VACLs, which limits the benefit of having extra VACL ports: monitoring tools often have to see many VLANs at once, leaving the user with only one or two usable VACL capture ports.

Gigamon GigaVUE Traffic Visibility Nodes

Gigamon GigaVUE® Traffic Visibility Nodes are purpose-built appliances that create an out-of-band network providing enhanced visibility to all monitoring, data capture, and security tools. With Traffic Visibility Nodes, users can connect inputs and aggregate, replicate, and filter data, all at line-rate speeds, to any number of tools. Users can connect SPAN, RSPAN, VACL, ERSPAN, and TAP input ports and control the traffic flow from all network inputs to all monitoring inputs. You can think of the Traffic Visibility Node as the central hub of your monitoring infrastructure; it is becoming a key component in new 10G and 1G data centers.

There are many benefits that users can gain by implementing a Traffic Visibility Node such as GigaVUE:

• Eliminating SPAN, RSPAN, ERSPAN, and VACL contention issues

• Providing secure access to monitoring data

• Accessing 10G network links with 1G monitoring tools

• Enabling visibility into data across asymmetric links

• Filtering on any field in Layers 1-4 within a packet, as well as "user-defined" filters that delve deeper into packet structures

• Consolidating monitoring resources into one centrally managed location

• Load-balancing data from multiple 10G and 1G network links to multiple 10G and 1G network tool interfaces

• Advanced features such as time-stamping, port tagging, and packet slicing

Figure 4: Cisco VACL example (diagram: source data port belonging to VLAN 200, IP 1.1.1.1 → ACL rules → VACL port → Monitoring Tool)

Data from IP address 1.1.1.1 in VLAN 200 is forwarded to a VLAN capture port.

Figure 5: Logical TAP traffic flow diagram (Network Switch ↔ Network Switch link, with RX and TX copies sent to the Monitoring Tool)

Figure 6: Gigamon G-TAP® and G-TAP® A-Series TAPs


Figure 7: Sample configuration in a flat network (diagram: 10G SPAN, RSPAN, VACL, and ERSPAN data plus 1G full-duplex G-TAP® A-Tx data enter a Gigamon® GigaVUE® data access switch; filtered data streams exit to 1G monitoring tools)

Figure 8: Example of Gigamon Flow Mapping technology (diagram: Map-Rules 1 through 6 represent different flows that are strategically directed to the monitoring ports; ingress and egress port filters can be applied in addition to Map-Rules)


Flow Mapping®

The key technology that enables these benefits in GigaVUE is Gigamon's patented Flow Mapping technology. Flow Mapping creates traffic distribution maps that can direct traffic from any ingress traffic ports to any number of monitoring ports at line rate with no dropped traffic. Flow Mapping is different from the port filtering found on other Traffic Visibility Nodes. Network engineers create Map rules that direct data to the desired monitoring port. Once a Map is created, input ports can be bound to the Map. This allows dynamic changes to data flows that would be impossible using port filters, where network engineers would have to change the filtering on each port individually. Using other Gigamon-specific mechanisms such as collectors and pass-alls, users can have access to unfiltered traffic while traffic is being filtered using the Map. This functionality is unique to Gigamon. Gigamon users can further augment the power of Flow Mapping by reducing traffic loads on egress tool ports as well. All these features together create a powerful Traffic Visibility Fabric.
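As an added illustration of the distinction drawn above (not Gigamon's code or API), the following toy model applies Map rules to packets and shows that binding another input port changes no rule, whereas per-port filtering would. Rule fields, the copy-to-every-matching-rule behaviour, and the collector (receives what no rule matched) and pass-all (receives everything unfiltered) semantics are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not Gigamon's code: a toy model of Map-rule traffic distribution
# as the paper describes it. Rule fields, copy-to-every-matching-rule, and the
# collector/pass-all semantics below are assumptions of this model.

@dataclass(frozen=True)
class Packet:
    vlan: int
    proto: str       # "tcp" or "udp"
    dst_port: int

@dataclass(frozen=True)
class MapRule:
    tool_port: str
    vlan: Optional[int] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # A field left as None is a wildcard; every set field must agree.
        checks = ((self.vlan, pkt.vlan), (self.proto, pkt.proto), (self.dst_port, pkt.dst_port))
        return all(want is None or want == got for want, got in checks)

class FlowMap:
    def __init__(self, rules, collector=None, pass_all=()):
        self.rules = list(rules)
        self.collector = collector       # assumed: receives packets no rule matched
        self.pass_all = tuple(pass_all)  # assumed: receives every packet, unfiltered
        self.inputs = set()              # network (ingress) ports bound to this Map

    def bind(self, network_port):
        # Binding another ingress port touches no rule, unlike per-port filtering.
        self.inputs.add(network_port)

    def route(self, ingress, pkt):
        """Sorted list of tool ports that receive a copy of pkt from ingress."""
        if ingress not in self.inputs:
            return []                    # unbound port: the Map does not apply
        out = set(self.pass_all)
        hits = {r.tool_port for r in self.rules if r.matches(pkt)}
        if hits:
            out |= hits
        elif self.collector:
            out.add(self.collector)
        return sorted(out)

def demo():
    # Constructed configuration: APM gets TLS, IDS gets all of VLAN 200,
    # recorder gets SMTP, tool4 collects the rest, tool5 sees everything.
    fmap = FlowMap([MapRule("tool1", proto="tcp", dst_port=443),
                    MapRule("tool2", vlan=200),
                    MapRule("tool3", proto="tcp", dst_port=25)],
                   collector="tool4", pass_all=("tool5",))
    for port in ("span-1", "tap-a"):
        fmap.bind(port)
    pkts = [("span-1", Packet(200, "tcp", 443)),   # matches two rules: copied to both
            ("tap-a", Packet(10, "udp", 53)),      # matches none: goes to the collector
            ("span-1", Packet(10, "tcp", 25)),
            ("unbound", Packet(200, "tcp", 80))]   # ingress never bound to the Map
    return [fmap.route(ingress, pkt) for ingress, pkt in pkts]
```

Because the same source copy reaches every matching tool, four or more tools can share one SPAN or TAP feed, which is exactly the contention the two-session SPAN limit imposes on the switch itself.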

Figure 9 (diagram; the page's own caption reads "Figure 8 Example of Gigamon Flow Mapping technology"): a large Cisco network with a Gigamon Traffic Visibility Fabric overlay. Elements shown: WAN Edge, Network Core, Data Center, Distribution Layer, Access Layer, VM Clusters, Fibre Channel SAN, End User Workstations, Wireless Devices, 10G Tool Farm, 10G and 1G Tool Farm, GigaVUE-2404®, GigaVUE-420®, GigaVUE-212™, GigaSTREAM, Giga TAP-Sx (split ratio 70/30). Diagram legend: Multi-Layer Switch, Access Switch, Router, Firewall, GigaSTREAM Bundle, TAP Connection Point, 1G Network Link, 10G Network Link, 1G TAP Traffic, 10G TAP Traffic, SPAN Traffic, Cascaded Traffic.

Figure 9 shows an example of a large Cisco network with a Gigamon Traffic Visibility Fabric overlay. In this diagram all major switch-to-switch connections are tapped using Gigamon G-TAP® network TAPs or using taps integrated into the GigaVUE® appliances. By tapping at strategic locations, network engineers have increased visibility into traffic. For example, by tapping the interface between the Internet and the firewall, or between the firewall and the router, engineers can view all traffic coming into and out of the network from the Internet. Because TAPs are used, all traffic at full line rate can be viewed without missing traffic or degrading the switch fabric. SPAN port traffic from the visibility nodes is routed to the GigaVUE appliance, where all traffic can be aggregated, replicated, and filtered to multiple monitoring tools. In most new 10G infrastructures, SPAN traffic is usually limited to the access layer as an easy way to view end-user traffic. All GigaVUE appliances are stacked together or cascaded so they can be controlled from one central interface that can dynamically route specific traffic to specific tool ports. This aids in decreasing resolution times and increases the performance of monitoring and capture tools, as they receive only the traffic they need.

Conclusion

By leveraging the power of GigaVUE devices, network engineers running Cisco networks and monitoring technology such as SPAN, RSPAN, and VACL can improve the flexibility, performance, and security of monitored data as the data is routed to various monitoring, capture, and security tools. A Gigamon Traffic Visibility Fabric allows network engineers to future-proof their monitoring infrastructure for the speeds of today and tomorrow.

About Gigamon

Gigamon provides intelligent Traffic Visibility Networking solutions for enterprises, data centers and service providers around the globe. Our technology empowers infrastructure architects, managers and operators with unmatched visibility into the traffic traversing both physical and virtual networks without affecting the performance or stability of the production environment. Through patented technologies, the Gigamon GigaVUE portfolio of high availability and high density products intelligently delivers the appropriate network traffic to security, monitoring or management systems. With over seven years' experience designing and building intelligent traffic visibility products in the US, Gigamon serves the vertical market leaders of the Fortune 1000 and has an install base spanning 40 countries.

For more information about our Gigamon products visit: www.gigamon.com

Copyright © 2012 Gigamon, LLC. All rights reserved. Gigamon, GigaVUE®, GigaSMART, G-TAP, Flow Mapping are registered trademarks of Gigamon, LLC and/or affiliates in the United States and certain other countries. Visibility Fabric, Traffic Visibility Fabric (TVF), Citrus, and The Smart Route To Visibility are trademarks of Gigamon. All other trademarks are the property of their respective owners.

Gigamon | 598 Gibraltar Drive Milpitas, CA 95035 | PH 408.263.2022 | www.gigamon.com