Gigamon Intelligent Flow Mapping - NDM Technologies · ensuring application availability and...


The Smart Route To Visibility™

Gigamon Intelligent Flow Mapping // White Paper

Copyright © 2013 Gigamon. All rights reserved.

In today’s competitive world where more and more business-critical applications are moving from the physical confines of the corporate organization to the internet, the availability of, and access to, these applications is expected from anywhere and at any time. From home, work and all points between, we are leading “always connected” digital lifestyles. The responsiveness and availability of critical business applications and essential IT services is therefore of paramount concern to IT organizations everywhere. As the market moves to an always connected existence, the insatiable demands from customers for ever-higher data, user throughput, capacity and lower latency require the communications industry to transform itself.

In order to optimize the design and management of their network, operators need to fully understand the drivers of this traffic. Thus obtaining high-quality, fine-grained relevant data is more important than ever to gain real-time insights into end-to-end application interdependencies. To this end, service providers and IT organizations are increasingly turning to the best-in-class, end-to-end visibility and performance analysis tools to effectively manage and monitor the security and performance of the infrastructure.

Introduction

As the rise of multimedia, social media and the Internet of Things is fueling an exponential growth in data (aka Big Data), service providers and IT organizations are investing in monitoring solutions that interpret consumer behavior, detect fraud, monitor performance and even predict the future with trending analysis! However, all of these systems are only as effective as the information and traffic that they can see. Limit visibility to the traffic, and the value of these systems is equally limited. With the increasing volume and detail of information being moved across the infrastructure, these tools find themselves drowning under the volume of traffic. Traffic that might not even be relevant to the tool!

It is not just the volume that defines Big Data—it is the velocity, the variety and the complexity of that data. Between now and 2020, the sheer volume of digital information is predicted to increase to 35 trillion gigabytes¹—much of it coming from new sources including blogs, social media, internet search, and sensor networks—as well as from existing video traffic and new types of mobile video services. It is all about finding a needle of value in a haystack of unstructured information. With millions of traffic flows and tens of hundreds of changes occurring within the infrastructure on a daily basis, visibility needs to be pervasive, dynamic and scalable. A key factor in ensuring application availability and network performance is having a traffic visibility solution that can efficiently handle huge volumes of data in real time and thus deliver relevant traffic to the relevant tool.

Visibility solutions can differ greatly, employing a variety of filtering mechanisms with varying degrees of efficiency and performance to deliver the desired set of packets to one or more monitoring tools. However, with the magnitude and complexity of current network infrastructures, the challenge is to develop visibility solutions that can scale to allow 1000s of diverse traffic streams originating from a large number of network traffic sources to be granularly filtered and forwarded to a variety of monitoring tools and analyzers with zero packet loss. In this age of Big Data, efficient and scalable traffic distribution within a visibility solution is key for the monitoring tools and analyzers to focus on relevant traffic that the tools were originally designed for.

¹ IBM (2012), Understanding Big Data Report. McGraw-Hill. Retrieved from http://public.dhe.ibm.com/common/ssi/ecm/en/iml14296usen/IML14296USEN.PDF

Connection-based Traffic Filtering

Traditional approaches to visibility typically employ traffic forwarding based on statically defined “connections.” These connections are simple one-to-one flows between network and tool ports where traffic can be filtered with “allow or deny” operations at both the ingress and egress sides of the connection, thus achieving fairly simple packet distribution.

On the surface it may appear that this method provides sufficient flexibility to achieve the desired packet distribution. Closer examination reveals significant limitations that cripple the device’s capability to work with large volumes of data and a large number of distinct traffic streams. In some cases, connection-based filtering can be inadequate even with a single moderately loaded ingress network feed when sending traffic from high speed network segments to low bandwidth tools.

Ingress Filters

Ingress filters, which are also known as pre-filters, are used to allow or deny traffic on network or ingress ports. Any traffic allowed by the filter is sent to all the tool ports at the other end of the connection. This is fine when all the tools connected to the egress ports have requirements to view the exact same packet streams and the total traffic passed by the filters does not exceed the tool port capacity. However, with ingress filters operating on incoming traffic streams, it is virtually impossible to granularly filter and forward distinct and unique traffic streams to different tools/egress ports. For example, referring to Figure 1, if we want to send Web traffic to the tool on port A and VoIP traffic to the tool on port B, we have no choice but to send both types of traffic to both tool ports. Not only are we wasting the tools’ precious processing resources to weed out unwanted information, but if the combined traffic exceeds the tool port capacity, the device will indiscriminately discard all excess traffic.

Figure 1 Ingress Filters


Egress Filters

Egress filters, which are also known as post-filters, enable configuration of egress ports to “allow” focused traffic to be sent out to the monitoring tools for analysis. These filters provide relatively superior granular control over the traffic flows sent out to the monitoring tools, compared to ingress filters. However, the limitation of egress or post-filters occurs when multiple network ports have connections to the egress ports. Since all the incoming traffic is getting multicast across the backplane of the visibility device, you run the risk of backplane oversubscription and dropped packets. Additionally, packet loss can occur at the egress port if the cumulative traffic exceeds the bandwidth of the egress port.

These types of solutions also have severe limitations on the number of egress filters that can be configured on the system, which further offsets the granular-control benefits that egress filters have to offer.

An alternative to the above limitations would be to use a combination of ingress and egress filters to granularly sieve the information flowing through the solution. However, limitations related to the scalability of forwarding rules, distinct traffic flows and lack of system-wide capabilities make these solutions rigid, overly structured and under-engineered in meeting the visibility demands of today’s complex and diverse networking infrastructures.

Figure 2 Egress Filters


Next-Generation Filtering and Forwarding with Flow Mapping Technology

Packet distribution based on Flow Mapping™ technology takes high-speed incoming traffic at 1Gb, 10Gb, 40Gb or 100Gb from a network tap or a SPAN/mirror port and prepares it for tools and applications that analyze the data to help you secure, monitor and optimize your network. Flow Mapping eliminates the necessity to create static connections between the network and tool ports. Instead, individual packets are forwarded according to a set of user-defined forwarding rules/map rules that are optimized to provide the user with far superior granularity and scalability compared to alternative solutions available in the market today.

In the example illustrated in Figure 1, we would simply have a map bound to the incoming traffic from the four network ports with rules that direct all Web traffic to port A and all VoIP traffic to port B. Since all of the forwarding decisions are made at the ingress side, no extraneous traffic is ever forwarded to any tool port and egress filters are not needed.

Thus every network port can receive 100% line-rate traffic while each tool port can output relevant traffic up to 100% of the port’s capacity, allowing this solution to scale to virtually any number of ingress network ports. The end result is that more network ports can send desired traffic to each tool port and every tool can see more traffic than otherwise would be possible. This sort of filtering offers a core solution to overcome the problems associated with Big Data.

Figure 3 The Gigamon Flow Mapping and GigaSMART technologies


Industry-Leading Scalability and Performance enabled by Flow Mapping and Stacking

Flow Mapping technology is based around creation of individual filter map rules. Users can combine thousands of filter map rules (each with multiple filter criteria) in a logical order to achieve exactly the packet distribution desired. Mapping also has the advantage of not counting against the limited availability of tool port filters common to competing devices. Hardware-driven map rules are optimized, which allows them to be bound to any number of network ports.

Using the stacking capabilities inherent in the Gigamon® Traffic Visibility Fabric™, multiple discrete Visibility Fabric Nodes can be combined into a single “manage as one” fabric via an intuitive browser-based management UI. Thus users are no longer limited to the port density of a single chassis. This capability, when combined with the Visibility Fabric Node’s ability to implement more than 8000 map rules, becomes the most intelligent and scalable traffic visibility networking solution available in the market today. No other visibility solution architecture can reduce the amount of Big Data traffic to manageable levels for tool processing in such a reliable and manageable manner.

Granular Control over Distinct Traffic Streams

Each rule provides the ability to configure up to 13 unique criteria based on over 30 predefined Layer 2, Layer 3 and Layer 4 parameters to tailor delivery of traffic to one or more monitoring tools. Thus Flow Mapping allows end users to granularly filter and forward traffic to specific analysis tools based on source/destination MAC or IPv4/IPv6 addresses, application port numbers, ethertypes, VLAN IDs, protocols, TOS values, DSCP assured forwarding values and more.

Additionally, forwarding decisions can be made based on user-defined, custom pattern match filters that can be applied to search for a specific sequence of bits in the traffic streams. Network administrators can control how traffic should be handled once it arrives and where it should be sent.

Applying maps to your data thus ensures that each tool sees only the traffic that best suits its individual strengths and nothing else. Tools are made more efficient since they are presented with only the traffic they need to see—therefore maximizing their effective throughput and being better able to process more of the Big Data load per connected tool.

Packet Manipulation and Tool Optimization enabled by GigaSMART and Flow Mapping.

In addition to providing access to critical information, the packet distribution capabilities of the Visibility Fabric can be combined with GigaSMART® to process and optimize the filtered traffic streams before they are sent out to the monitoring tools. Features such as stripping extraneous headers, removal of duplicate information in the incoming streams and extraction of relevant information using packet slicing can be used to optimize tool performance and improve monitoring accuracy, as well as allow for greater integration between the tool layer and the data access layer. Incoming traffic streams can also be time stamped closest to the source of the packets, allowing performance monitoring tools to leverage this information to calculate end-to-end latency and jitter, while preserving link-layer visibility.

With many visibility solutions, these advanced packet manipulation features are typically applied to all the incoming traffic and are often limited to a subset of ports on the chassis. Using the unique and patented Flow Mapping technology, incoming traffic on any ingress port can be directed to a GigaSMART operation. These operations can thus be applied to traffic of interest ingressing on any port of the Traffic Visibility Fabric Node. Since the GigaSMART operations are tied to the map rules, the end user has the flexibility to granularly control the traffic flows over which the GigaSMART operations are applied. This improves the throughput of tools by allowing the tool to see only the traffic of interest to it, and by eliminating the manual steps needed to format the data so tool processor parsing cycles can be reduced. Thus each tool is better able to address more of the Big Data load it is presented with.


Maps also offer some additional features that simple filtering lacks, such as:

Virtual Drop Port: The virtual drop port is sort of like the “Great Packet Graveyard” where you can set up map rules that look for packets matching specific criteria and immediately discard them before forwarding to the tool ports.

Collector: The collector, on the other hand, is the “Everything Else” bucket. It’s where you send packets that do not match the criteria specified by any of the other map rules in a flow map.
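The Figure 1 scenario, worked through as a simplified model that is added here for illustration (it is not Gigamon code or configuration syntax): the same constructed traffic from four network ports is distributed once by a connection-based ingress filter and once by a flow map with a virtual drop rule and a collector. The port numbers chosen for Web, VoIP and unwanted traffic, the drop-rule-wins precedence and the copy-to-every-matching-tool behaviour are assumptions of the model.

```python
from collections import Counter
from dataclasses import dataclass

DROP = "virtual-drop"    # illustrative label for the virtual drop port
COLLECTOR = "collector"  # illustrative label for the collector


@dataclass(frozen=True)
class Packet:
    net_port: str   # network (ingress) port the packet arrived on
    proto: str      # "tcp" or "udp"
    dst_port: int   # Layer 4 destination port


@dataclass
class Rule:
    criteria: dict  # field name -> collection of accepted values
    dest: str = ""  # tool port name or DROP (unused by ingress filters)

    def matches(self, pkt):
        # Every criterion in a rule must hold (logical AND).
        return all(getattr(pkt, f) in ok for f, ok in self.criteria.items())


def flow_map(pkt, rules):
    """Forwarding decided at ingress: a matching drop rule discards the
    packet, otherwise it goes to each matching rule's tool port, and
    packets matching no rule go to the collector."""
    hits = [r.dest for r in rules if r.matches(pkt)]
    if DROP in hits:
        return {DROP}
    return set(hits) or {COLLECTOR}


def ingress_filter(pkt, allow_rules, tool_ports):
    """Connection-based model: any allowed packet is sent to every tool
    port at the other end of the connection; the rest is denied."""
    if any(r.matches(pkt) for r in allow_rules):
        return set(tool_ports)
    return set()


def load(packets, decide):
    """Count packets delivered to each destination."""
    counts = Counter()
    for pkt in packets:
        counts.update(decide(pkt))
    return counts


# Assumed classifications for the model (not taken from the white paper).
WEB = {"proto": {"tcp"}, "dst_port": {80, 443}}
VOIP = {"proto": {"udp"}, "dst_port": {5060}}    # SIP signalling
UNWANTED = {"proto": {"tcp"}, "dst_port": {873}}  # bulk rsync traffic

MAP_RULES = [Rule(UNWANTED, DROP), Rule(WEB, "A"), Rule(VOIP, "B")]
ALLOW_RULES = [Rule(WEB), Rule(VOIP)]

# Constructed traffic: each network port carries 3 Web, 2 VoIP, 1 DNS and
# 1 rsync packet.
TRAFFIC = [
    Packet(port, proto, dport)
    for port in ("N1", "N2", "N3", "N4")
    for proto, dport, n in (("tcp", 443, 3), ("udp", 5060, 2),
                            ("udp", 53, 1), ("tcp", 873, 1))
    for _ in range(n)
]

if __name__ == "__main__":
    conn = load(TRAFFIC, lambda p: ingress_filter(p, ALLOW_RULES, ("A", "B")))
    mapped = load(TRAFFIC, lambda p: flow_map(p, MAP_RULES))
    print("ingress filter:", dict(conn))
    print("flow map:      ", dict(mapped))
```

In the model, each tool port behind the ingress filter receives the combined Web and VoIP load, while the flow map delivers only the matching class to each tool port and accounts for everything else at the drop port or the collector.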

Conclusion

While new web-based applications and mobile devices continue to help businesses improve productivity and empower employees, the challenges related to data mobility, complexity and volume continue to plague organizations. The responsiveness and availability of these business applications become even more critical in the face of ever-evolving IT infrastructures and usage models. With the explosive growth in applications and end users leveraging these applications, generated data traffic will continue to grow more than ever. Therefore usage methods have to be created to process Big Data as efficiently as possible.

An efficient, flexible and scalable traffic visibility architecture is key to overcoming these challenges of real-time processing and access of Big Data, especially in dynamic data environments from social media to financial institutions and exchanges.

At the same time, to keep pace with the tough demands of an always-on connected lifestyle where communications, entertainment and leisure converge and are accessible across any device, the communications industry continues to evolve. The rapid emergence of access networks and the evolution of services (location based, context aware, customizable) are forcing a paradigm shift in the communications industry.

With interface speeds and bandwidth volumes increasing at never-before-seen rates, a highly scalable, zero loss, line-rate filtering and forwarding solution is necessary for gaining granular subscriber-level intelligence into the performance of the network; understanding usage and consumption trends is key to improving the overall Quality of Experience (QoE) of the end-user such that operators can remain operationally competitive.

With Gigamon’s unique patented Flow Mapping at the heart of the Visibility Fabric, traffic streams ranging from 1Gb, 10Gb, 40Gb, and 100Gb, flowing across virtual and physical networks, can be granularly filtered and aggregated before being replicated into management tools including Performance Monitors, Service/Security Monitors or Network Monitors.

Flow Mapping filters intelligently segregate data into different logical groupings, so that traffic matching either very specific or very broad parameters is forwarded on to the appropriate management and monitoring systems. Operators can now create data distribution maps that direct data from any number of data access points to any number of monitoring tools at line rate without data loss—taking on the issues of Big Data head on. With the Visibility Fabric in place, the monitoring and security tools that were limited by the number of connection points and volume of traffic can now deliver their full value.

With end-to-end, access-to-core visibility and detailed analysis of performance impacting events, operators are empowered to proactively maintain a subscriber’s QoE while securing the integrity of the network and satisfying the issues brought on by continuing and increasing amounts of subscriber data.

Copyright © 2013 Gigamon. All rights reserved. Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found at www.gigamon.com/legal-trademarks. All other trademarks are the trademarks of their respective owners. Gigamon reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Gigamon® | 598 Gibraltar Drive Milpitas, CA 95035 | PH 408.263.2022 | www.gigamon.com

About Gigamon

Gigamon provides an intelligent Traffic Visibility Fabric for enterprises, data centers and service providers around the globe. Our technology empowers infrastructure architects, managers and operators with pervasive visibility and control of traffic across both physical and virtual environments without affecting the performance or stability of the production network. Through patented technologies and centralized management, the Gigamon GigaVUE portfolio of high availability and high density products intelligently delivers the appropriate network traffic to security, monitoring or management systems. With over eight years’ experience designing and building traffic visibility products in the US, Gigamon solutions are deployed globally across vertical markets including over half of the Fortune 100 and many government and federal agencies.

For more information about our Gigamon products visit: www.gigamon.com