
Page 1: Monitoring Cisco ACI Fabrics - APCON: Solutions for Networks...on APIC Controller Cisco ACI SPAN sessions utilize ERSPAN Type I & II for export and can be terminated on HyperEngine

SOLUTION BRIEF

Monitoring Cisco ACI Fabrics With APCON Network Visibility Solutions

Application Centric Infrastructure

Cisco’s Application Centric Infrastructure (ACI) provides network and data center architects and operators with a new level of automation and scale. While ACI provides a new approach to network-wide management and policy, it also introduces underlying protocols that may affect monitoring capabilities. This overview provides a framework of monitoring options, along with insights into leveraging APCON’s network visibility solutions to maximize the return on investment in existing network and security tools.

APCON has developed comprehensive solutions for insight into physical, virtual and cloud networks. IntellaFlex XR is a scalable solution that can accommodate evolving network fabrics and higher port count environments while simultaneously providing packet processing functions to allow organizations to maintain ROI on their existing monitoring and security tool investments.

This Technical Brief highlights options for holistic monitoring of Cisco ACI environments using APCON network visibility solutions. Combining the new concepts within Cisco ACI fabrics with APCON’s tool optimization features creates a comprehensive network monitoring solution.

Concepts covered in this document include:

• Cisco ACI concepts/components
• Monitoring options using APCON network visibility solutions
• APCON Tool Optimization features
• Integrated APCON capture/VM analysis options

Cisco ACI concepts and components

Cisco ACI abstracts underlying component configuration via Application Network Profiles. Policies define interaction between Application Profiles and End Point Groups. In a leaf-spine fabric, routing is enabled between any two endpoints. In addition, overlay protocols, such as virtual extensible local area network (VXLAN), allow workloads to exist anywhere in the network. For management, the Application Policy Infrastructure Controller (APIC) manages and configures policy switches in the ACI fabric. The APIC is a central control point for all policies and can rapidly provision or reconfigure hardware as needed.


For networking hardware, the following components are needed to implement a Cisco ACI fabric:

• Nexus 9000 series switches running in ACI mode
• Application Policy Infrastructure Controller (APIC) deployed in a clustered configuration

The topology features the following physical and virtual constructs:

• The physical Spine and Leaf fabric architecture
• The ACI VXLAN overlay, which enables decoupling from the physical network and the creation of virtualized L2 segments regardless of the endpoint location

Cisco ACI Traffic Monitoring

Cisco ACI presents network architects and operators with new levels of scale, automation and ease of deployment. Understanding the monitoring options is important in order to complement these deployment innovations with comprehensive monitoring. Below is a high-level overview of how an APCON visibility solution can be used to complement a Cisco ACI deployment, with conceptual options for gaining access to monitor feeds and data. Subsequent sections cover these in more detail.

Topics will include:

• Cisco ACI SPAN types
• APCON use cases for capturing Cisco ACI SPAN traffic
• TAP options
• Cisco ACI Copy Services
• NetFlow Generation

The APIC provides a conceptual representation of the entire fabric as a single entity to user space endpoints. Pictured below is a topology representation of a Cisco ACI fabric including Spine/Leaf nodes and APIC controller.

[Figure: Cisco ACI fabric topology. Infrastructure space: Nexus 9000 Spine/Leaf nodes, 40G/100G fabric interconnects and clustered Application Policy Infrastructure Controller (APIC) appliances. Monitoring: an INTELLAFLEX ACI-3072-XR chassis with a HyperEngine packet processor blade (ACI-3033-E02-1, 2× 40 Gbps Ethernet) acting as the ERSPAN Type I / ERSPAN Type II tunnel endpoint and a packet aggregator blade (ACI-3030-E32-7, 32× 10 Gbps / 40 Gbps Ethernet ports), receiving ACI Local Access SPAN, ACI ERSPAN, 40G BiDi TAP and AVS TAP feeds from user space.]


Within a Cisco ACI fabric, TAP points between the spine and the leaf switches are an option to consider; the additional setup involved is covered later in this paper. It is important to note that TAP points will likely involve 40G BiDi optics, which are supported by APCON TAPs and 40G QSFP ports. Additionally, encapsulation and virtualization concepts are important to consider. A Cisco ACI Nexus fabric normalizes all traffic between leaf and spine through Cisco’s VXLAN encapsulation. APCON network visibility solutions have been developed to optimize tool performance by factoring VXLAN into the deduplication hashing scheme and by decapsulating VXLAN feeds. While the traditional rules of thumb for TAP and SPAN monitoring still stand, it is important to consider some of the new concepts for Cisco ACI SPANs.

SPAN concepts in Cisco ACI

Cisco ACI has introduced a new logical networking concept, the Endpoint Group (EPG), for mapping applications to the network. EPGs act as a collection of applications and components for forwarding and policy definition. This is a key concept in enabling dynamic network provisioning, as EPGs consume hardware resources only when member endpoints (tenants) are present. EPGs expand or contract in real time as tenants and workloads move around a data center.

SPAN Types in Cisco ACI

From an APCON monitoring setup perspective, it is important to understand which encapsulated remote extension of SPAN (ERSPAN) type is used, which depends on the SPAN type selected. The three SPAN options in Cisco ACI environments are as follows:

Access SPAN – Mirrors all traffic to and from leaf host ports locally with source and destination on the same leaf switch or across multiple leaf switches with a remote destination

Tenant SPAN – Mirrors all traffic to and from EPGs associated to a common tenant to a remote destination

Fabric SPAN – Mirrors all traffic to and from a spine switch to a remote destination

Access and Tenant SPANs use the encapsulated remote extension of SPAN (ERSPAN) Type I, while Fabric SPAN uses ERSPAN Type II. APCON supports all Cisco ACI SPAN types. Instructions for configuring these SPAN and ERSPAN sessions can be found in the Configuring SPAN chapter of the APIC NXOS CLI User Guide.

APCON platforms enable compatibility with all available SPAN and overlay options in a Cisco ACI environment. The Cisco ACI SPAN options offer different levels of visibility. These factors are summarized below.

Tenant SPAN
• Aggregates SPAN sessions across multiple switches
• Mirrors traffic to/from a specified Endpoint Group (EPG)
• ERSPAN only
• ERSPAN Type I encapsulation
• No filtering possible

Fabric SPAN
• Source must be a fabric port
• Mirrors traffic to/from Spine switches
• ERSPAN only
• ERSPAN Type II encapsulation
• Supports aggregation of multiple switches
• Filterable by private network or bridge domain

Access SPAN
• Source must be a host port
• Mirrors traffic to/from Endpoints (Leaf switch host ports)
• Local SPAN or ERSPAN
• ERSPAN Type I encapsulation
• Supports aggregation of multiple switches
• Filterable by tenant, application profile, or EPG


Implementing APCON Network Visibility

Receiving SPAN Types on the APCON XR Platform

Tenant, Fabric or Access SPANs are centrally configured on the Cisco APIC. Configuring ERSPAN Type I or II requires a destination IP address set on an APCON port. APCON supports ERSPAN decapsulation options on the HyperEngine or IntellaStore II blades. The HyperEngine blade terminates tunneled traffic as required by Cisco ACI and virtual network environments. This includes support for decapsulation of GRE, NVGRE, VXLAN, GENEVE and ERSPAN Type I, II and III feeds for up to 200 Gbps of tunneled traffic per blade.
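As an added example (not APCON’s or Cisco’s code), the following Python shows what tunnel termination does to an ACI SPAN feed: it tells ERSPAN Type I from Type II by the GRE header, strips the fabric VXLAN encapsulation found beneath a Fabric SPAN or TAP feed, and hashes only the recovered tenant packet so that the deduplication described earlier collapses copies of one packet seen on several fabric legs or SPAN sessions. The frames, VNI, session ID, IP addresses and function names are constructed for this demonstration; ERSPAN Type III is deliberately rejected rather than parsed.

```python
import hashlib
import struct

ETH_IPV4, IP_GRE, IP_UDP, VXLAN_PORT = 0x0800, 47, 17, 4789
ERSPAN_I_II = 0x88BE  # GRE protocol type for ERSPAN Type I and II (Type III uses 0x22EB)

def _ipv4_payload(frame, want_proto):
    """L4 payload of an Ethernet/IPv4 frame, after checking the IP protocol number."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4 or frame[23] != want_proto:
        raise ValueError("not Ethernet/IPv4 carrying IP protocol %d" % want_proto)
    return frame[14 + (frame[14] & 0x0F) * 4:]

def strip_erspan(frame):
    """Terminate ERSPAN Type I (bare GRE: no S bit, no ERSPAN header) or Type II (GRE
    S bit + sequence, then an 8-byte header: ver|VLAN|COS|En|T|session, rsvd|index)."""
    gre = _ipv4_payload(frame, IP_GRE)
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if proto != ERSPAN_I_II:
        raise ValueError("GRE protocol 0x%04x is not ERSPAN Type I/II" % proto)
    off = 4 + (4 if flags & 0x8000 else 0) + (4 if flags & 0x2000 else 0)  # C and K
    meta = {"type": 1}
    if flags & 0x1000:  # S bit: a sequence number and a Type II header follow
        w1, w2 = struct.unpack_from("!II", gre, off + 4)
        meta.update(type=2, seq=struct.unpack_from("!I", gre, off)[0],
                    version=w1 >> 28, vlan=(w1 >> 16) & 0xFFF, cos=(w1 >> 13) & 7,
                    session_id=w1 & 0x3FF, index=w2 & 0xFFFFF)
        off += 12
    return {**meta, "inner": gre[off:]}  # 'inner' is the mirrored frame

def strip_vxlan(frame):
    """Remove the ACI fabric VXLAN encapsulation; return (vni, tenant frame)."""
    udp = _ipv4_payload(frame, IP_UDP)
    if struct.unpack_from("!H", udp, 2)[0] != VXLAN_PORT:
        raise ValueError("UDP destination port is not VXLAN (4789)")
    word = struct.unpack_from("!I", udp, 12)[0]  # skip 8-byte UDP header + VXLAN flags
    return word >> 8, udp[16:]  # VNI is the top 24 bits of the second VXLAN word

def normalize(frame):
    """Tunnel-terminate a feed: ERSPAN first (SPAN feeds), then VXLAN (fabric legs)."""
    meta = strip_erspan(frame) if frame[23] == IP_GRE else None
    frame = meta["inner"] if meta else frame
    udp = _ipv4_payload(frame, IP_UDP) if frame[23] == IP_UDP else b""
    is_vxlan = udp[2:4] == struct.pack("!H", VXLAN_PORT)
    vni, frame = strip_vxlan(frame) if is_vxlan else (None, frame)
    return frame, vni, meta

def dedup_key(tenant_frame):
    """Hash only the tenant packet: outer ERSPAN/VXLAN headers differ per fabric leg
    and per SPAN session, so the same packet captured twice yields a single key."""
    return hashlib.sha256(tenant_frame).hexdigest()

def _eth_ip(proto, src, dst, payload):  # Ethernet + minimal IPv4 (IHL 5, no checksum)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, src, dst) + payload
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4) + ip

def build_samples():
    """Constructed sample frames (not captured traffic): one tenant packet seen three ways."""
    tenant = _eth_ip(6, b"\x0a\x01\x01\x0a", b"\x0a\x01\x02\x14", b"GET / HTTP/1.1\r\n")
    vxlan = struct.pack("!B3xI", 0x08, 10100 << 8) + tenant  # VNI 10100 (constructed)
    udp = struct.pack("!HHHH", 50000, VXLAN_PORT, 8 + len(vxlan), 0) + vxlan
    leg_a = _eth_ip(IP_UDP, b"\x0a\x00\x10\x01", b"\x0a\x00\x10\x02", udp)  # leaf -> spine
    leg_b = _eth_ip(IP_UDP, b"\x0a\x00\x10\x02", b"\x0a\x00\x10\x03", udp)  # spine -> leaf
    gre1 = struct.pack("!HH", 0x0000, ERSPAN_I_II) + tenant  # Access SPAN -> ERSPAN Type I
    gre2 = (struct.pack("!HHI", 0x1000, ERSPAN_I_II, 7)      # Fabric SPAN -> ERSPAN Type II
            + struct.pack("!II", (1 << 28) | (100 << 16) | 5, 3) + leg_a)
    apcon = b"\x0a\x00\x09\x09"  # ERSPAN destination IP set on the termination port
    return {"access_span_type1": _eth_ip(IP_GRE, b"\x0a\x00\x01\x01", apcon, gre1),
            "fabric_span_type2": _eth_ip(IP_GRE, b"\x0a\x00\x01\x02", apcon, gre2),
            "bidi_tap_leg_b": leg_b}
```

Running `normalize` over all three sample frames yields the same tenant frame and therefore one `dedup_key`, which is the effect the HyperEngine’s tunnel termination plus deduplication is meant to have on tool load.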

Cisco SPAN Guidelines and Restrictions

There are important considerations when setting up SPAN monitor feeds in Cisco ACI environments.

• SPAN traffic competes with user traffic for switch resources. To minimize the load, configure SPAN to copy only the specific traffic that you want to analyze.

• A SPAN source will take the entire port for monitoring traffic from external sources.

• Tenant and Access SPANs use the encapsulated remote extension of SPAN (ERSPAN) Type I, while Fabric SPAN uses ERSPAN Type II.

• ERSPAN destination IPs must be learned in the fabric as an endpoint.

• SPAN supports IPv6 traffic but the destination IP for the ERSPAN cannot be an IPv6 address.

Refer to the Cisco APIC Troubleshooting Guide for more information.

For a Cisco ACI environment, the following shows the conceptual setup for configuring a SPAN source from within Cisco ACI via APIC and configuring the APCON installation to receive and decapsulate this feed.

[Figure: Configuring SPAN sessions from Cisco ACI deployments. ACI SPAN sessions are centrally configured on the APIC controller. Cisco ACI SPAN sessions utilize ERSPAN Type I & II for export and can be terminated on HyperEngine or IntellaStore; up to 16 sessions can be terminated on a HyperEngine (ACI-3033-E02-1), up to 200 Gb/s throughput. Shown: INTELLAFLEX ACI-3072-XR chassis with HyperEngine packet processor blade ACI-3033-E02-1 (2× 40 Gbps Ethernet) and packet aggregator blade ACI-3030-E32-7 (32× 10 Gbps / 40 Gbps Ethernet).]

SPAN types with their source, filter and destination:

• Fabric SPAN – Source: fabric port. Filter: bridge domain, private network. Destination: remote (ERSPAN Type II)
• Access SPAN – Source: access port. Filter: tenant, application profile, endpoint group. Destination: remote (ERSPAN Type I)
• Tenant SPAN – Source: endpoint group. Filter: none. Destination: remote (ERSPAN Type I)
• Virtual SPAN – Source: virtual machine interface. Filter: none. Destination: remote (ERSPAN Type I)


APCON Network Visibility Solution

• ACI-3033-E02-1: HyperEngine Blade – ERSPAN Type I & Type II tunnel termination; deduplication / VXLAN protocol stripping; NetFlow generation; deep packet inspection/masking; 40G ingress with BiDi support
• ACI-3032-E36-1: Multi Function Blade – aggregation and filtering functions; tool optimization features including packet slicing, deduplication, protocol stripping and time stamping
• ACI-3030-E20-1: High Density 40G Blade – 20× 40G ports with BiDi support

[Figure: ACI ERSPAN deployment. An INTELLAFLEX ACI-3144-XR chassis with a HyperEngine packet processor blade (ACI-3033-E02-1, 2× 40 Gbps Ethernet) acting as the ERSPAN Type I / ERSPAN Type II tunnel endpoint and three Multi Function 1/10 Gbps blades (ACI-3032-E36-1, 36 ports each, with PPS/IRIG in/out and GPS antenna inputs), receiving ACI ERSPAN feeds from the fabric and from AVS.]

Deployment Options: ACI ERSPAN Deployment

For ERSPAN deployments, one or more IP-addressable ports are exposed to the Cisco ACI fabric and connected to the APCON installation with the HyperEngine or IntellaStore II blade. The blade provides the function to set the IP destination address and decapsulate the appropriate ERSPAN type feed. The SPAN feed is configured from the Cisco ACI environment. Once set, the defined traffic from anywhere in the fabric is sent to the configured APCON destination port.

From within APCON’s WebXR GUI for the HyperEngine, the service point is set to the “Tunnel Termination” option with the appropriate IP address and the Type I or Type II De-Encapsulate option.


Cisco ACI Local SPAN Deployment

For local SPAN deployments in Cisco ACI, a SPAN session is typically set on each of the leaf switches, providing local monitor feeds from across the ACI fabric. Standard ports can be used on the APCON XR platform to receive the feeds with the appropriate 1/10/40/100G port rate setting. The SPAN feeds are configured from the Cisco ACI environment.

[Figure: Cisco ACI Local SPAN deployment. An INTELLAFLEX ACI-3144-XR chassis with a HyperEngine packet processor blade (ACI-3033-E02-1), two Multi Function 1/10 Gbps blades (ACI-3032-E36-1) and a High Density 40G packet aggregator blade (ACI-3030-E20-1, 20 ports), receiving local SPAN feeds from the leaf switches and from AVS.]

APCON Network Visibility Solution

We recommend the following network visibility systems:

• ACI-3033-E02-1: HyperEngine Blade – tunnel termination (from virtual environments); deduplication / VXLAN protocol stripping; NetFlow generation; deep packet inspection/masking; 40G ingress with BiDi support
• ACI-3032-E36-1: Multi Function Blade – aggregation and filtering functions; tool optimization features including packet slicing, deduplication, protocol stripping and time stamping
• ACI-3030-E20-1: High Density 40G Blade – 20× 40G ports with BiDi support

Cisco ACI Copy Services

The Cisco ACI copy services feature is new starting with the ACI 2.0 release. Unlike SPANs, which duplicate traffic, copy services enable selective copying of traffic of interest between endpoint groups based on established user-defined contracts. In addition, copy services do not add encapsulation headers to the copied traffic. It is recommended to check hardware specifications for availability (Nexus 9300-EX or newer).

Copy Service Deployment Options

Specific setup options can be found in the Cisco Configuring Copy Services documentation. Deployment options:

• End Point Groups (EPGs) in the same bridge domain (L2 BD).
• EPGs in different BDs under the same VRF (L3 routing between L2 domains). A VRF is Cisco’s VPN mechanism to route between VLANs while maintaining separate IP domains.
• EPGs in different BDs and different VRFs.


TAP Options

Optical TAP products can be used to gain full visibility into fabric traffic. Special attention has to be paid in this implementation to ACI fabric normalization, which encapsulates the original packet with an ACI VXLAN header. The diagram below shows a conceptual configuration using 40G BiDi optical TAPs feeding monitor traffic to the XR monitoring platform. Additional blades are highlighted that perform additional functions, such as deduplication and VXLAN stripping. TAPping the fabric in an ACI deployment therefore requires deployment of advanced protocol stripping functions, which are available in products like the IntellaStore II, the Multi-function blade and the HyperEngine.

[Figure: APCON TAP and Network Visibility Solution. 40G BiDi TAPs (network ports A/B, monitor ports MON-A/MON-B) on the Spine (Device A) to Leaf (Device B) links feed, via TAP cabling, an INTELLAFLEX ACI-3144-XR chassis populated with a HyperEngine packet processor blade (ACI-3033-E02-1), a Multi Function 1/10 Gbps blade (ACI-3032-E36-1), a High Density 40G packet aggregator blade (ACI-3030-E20-1, 20 ports) and an INTELLASTORE II+ blade (ACI-3033-S14-2, 1/10/40 Gbps packet aggregator with LAN, USB 3.0, PPS/IRIG and GPS antenna connections); monitor traffic is delivered to 1G/10G/40G tools.]

APCON TAP and Network Visibility Solution

• ACI-0540-000: ApconTap Chassis
• ACI-0540-xxx: ApconTap TAP Module for 40G MM, 40G SM, 40G BiDi MM, 100G MM or 100G SM links
• ACI-3033-E02-1: HyperEngine Blade – tunnel termination (from virtual environments); deduplication / VXLAN protocol stripping; NetFlow generation; deep packet inspection/masking; 40G ingress with BiDi support
• ACI-3032-E36-1: Multi Function Blade – aggregation and filtering functions; tool optimization features including packet slicing, deduplication, protocol stripping and time stamping
• ACI-3030-E20-1: High Density 40G Blade – 20× 40G ports with BiDi support


NetFlow Generation, Packet and VM Analysis

In addition to the above options to gain visibility into Cisco ACI fabrics, an APCON XR network visibility solution can be used to provide additional packet capture, analysis, trending and VM analytics.

[Figure: Monitor feeds (100G/40G/10G/1G) enter the XR platform, pass through tool optimization (deduplication, packet slicing, protocol stripping, time stamping) and packet analytics (NetFlow generation, deep packet inspection), and are load balanced to performance tools, security tools and network analysis tools; flow records go to a NetFlow collector and packets to packet capture.]

Additional Functions Provided by APCON

• Protocol Stripping – Strip VXLAN, FabricPath or other encapsulation headers before delivering to the tools, to optimize tool processing.
• Traffic Aggregation – Aggregate traffic from multiple sources: Tenant, Access, Fabric and Virtual SPANs.
• ERSPAN Termination – ACI SPANs heavily use ERSPAN to backhaul traffic to tools. Tunnel termination enables analytic tools to receive only the most relevant data in the packets.
• Deduplication – Relieve tool processing by removing duplicate packets caused by data duplication within the overlay network (inter-VXLAN or intra-VXLAN domain).
• Packet Slicing – Reduce packet size to increase processing throughput in recording/analysis tools.
• 10G/40G/100G Visibility – Enable monitoring of higher bandwidth 10G/40G/100G links with 1G monitoring tools.
• Packet Capture/VM Analysis – An IntellaStore II blade can be integrated into any XR platform to provide onboard capture, plus Wireshark analysis, along with hypervisor support to run premium third-party network analysis, application performance and security tools such as ntop, ExtraHop and Tenable. Please contact an APCON representative for a full list of supported applications.
• 40G BiDi Support – 40G BiDi is commonly used on spine-to-leaf connections.
• RESTful API Support – RESTful API for end-to-end APIC service provisioning or automation.

Need Our Help? Contact APCON’s sales team at 503–682–4050 or via email [email protected].

APCON, Inc. ▪ apcon.com ▪ +1 503–682–4050 ▪ 1–800–624–6808 ▪ © 2018 APCON, Inc. All Rights Reserved. @APCON ▪ company/APCON 17050-1018