Cisco Extensible Network Controller (XNC)

Cisco Nexus Data Broker: Scalable and Cost Effective Solution for Network Traffic Visibility Solution Overview


BENEFITS

• Extend the capabilities of your Cisco Nexus 3000 and 9000 Series Switches to create a scalable network traffic aggregation infrastructure.
• Create a fully distributed traffic monitoring network that works as one logical device and provides the capability to change filtering and forwarding rules dynamically.
• Increase visibility into network traffic with real-time feedback for better security, faster problem resolution, and resource planning.
• Take advantage of the elasticity of a complete monitoring solution for greater business agility.
The Cisco Nexus® Data Broker is a scalable, cost-effective software-defined networking (SDN) traffic aggregation and monitoring solution. Working in conjunction with Cisco Nexus Family switches, it provides extensive visibility into application traffic to help maintain security, resolve problems, and enable more efficient resource planning.

By using Cisco Nexus Data Broker software with Cisco Nexus 3000 and 9000 Series switches for packet brokering and inline monitoring, you get full-function network traffic monitoring without the limitations of many of today’s conventional approaches.

Why Conventional Tap and SPAN Traffic Aggregation Solutions Are Inadequate

Visibility into application traffic is important for infrastructure operations to maintain security, resolve problems, and perform resource planning. With the growing pace of technological advances and the ubiquity of the Internet, organizations need more than visibility. They need real-time feedback from their business systems to more effectively engage their customers. Scalable and cost-effective network traffic aggregation and monitoring solutions can more easily keep up with the rapid evolution of cloud-based technologies.

To gain visibility into your network traffic, Cisco® Switched Port Analyzer (SPAN) and scalable network tap mechanisms can deliver an aggregation solution that replicates and forwards traffic to monitoring tools. But conventional SPAN and tap aggregation solutions that use purpose-built switches are limited:

   Existing packet broker solutions are expensive, making building a scalable infrastructure a challenge.

   Many solutions don’t provide the flexibility to interconnect matrix switches.

   Lack of programmatic configuration options makes automated traffic monitoring difficult to implement.

SPAN Aggregation

SPAN can copy production traffic to a destination port for monitoring (Figure 1).

Figure 1.      Cisco SPAN Configuration

SPAN uses the following terminology:

   Ingress traffic: Traffic that enters the switch

   Egress traffic: Traffic that leaves the switch

   Source (SPAN) port: A port that is monitored with the SPAN feature

   Source (SPAN) VLAN: A VLAN whose traffic is monitored with the SPAN feature

   Destination (SPAN) port: A port that monitors source ports, usually ports with a sniffer connected

Although SPAN is required to monitor traffic on the switches, it has limitations. In today’s most common hardware switching architectures, one or multiple application-specific integrated circuits (ASICs) in a switching fabric forward packets at the hardware level. But very little data-plane information is sent to the CPU. Even though modular chassis use a distributed forwarding model, additional CPU cycles are needed when the software tells the hardware to duplicate and redirect packets. As a result, the number of SPAN and port monitoring sessions that can be configured on the switch is limited.

Other factors affect network device performance when using SPAN:

   The process of sending packets to the CPU and forwarding them to their destinations

   Basic monitoring of the interface

   The volume of SPAN traffic, which is crucial even on a 10 Gigabit Ethernet network
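To tie the terminology above to an actual switch configuration, the following is an added example of a local SPAN session in Cisco NX-OS syntax. It is not taken from this page; the interface numbers, VLAN number and session number are placeholders chosen for illustration.

```cisco
! Destination (SPAN) port: must be configured as a monitor port,
! otherwise the session stays down
interface Ethernet1/48
  switchport
  switchport monitor
  no shutdown
!
! Session 1: a source (SPAN) port (ingress and egress traffic)
! and a source (SPAN) VLAN (ingress traffic only), both copied
! to the destination (SPAN) port where the sniffer is attached
monitor session 1
  source interface Ethernet1/1 both
  source vlan 100 rx
  destination interface Ethernet1/48
  no shut
!
! Verify: the session state should read "up"
show monitor session 1
```

Because the number of SPAN sessions per switch is limited, as the section above explains, check what is already in use with `show monitor session all` before adding a session; a session that will not come up is most often caused by a destination interface that lacks `switchport monitor`.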

Network Taps

Another method of packet monitoring uses physical hardware taps. These network taps can be extremely useful for monitoring traffic because they provide direct inline access to data flowing through the network. In many cases, they are needed when a third party monitors the traffic between two points in the network. If the network between points A and B consists of a physical cable, a network tap may be the best way to accomplish this monitoring. The network tap has at least three ports: an A port, a B port, and a monitor port. A tap inserted between the A and B ports passes all traffic through unimpeded, but it also copies that same data to its monitor port, enabling a third party to listen.

Taps have many benefits:

   They can handle full-duplex data transmission.

   They are unobtrusive and can’t be detected by the network.

   They don’t use physical or logical addressing.

   Some support full inline power and can become a distributed tap.

Cisco Nexus Data Broker Applications

You can use Cisco Nexus Data Broker to monitor both out-of-band and inline traffic (Table 1).

Table 1.       Uses of Cisco Nexus Data Broker

Use

Description

Tap and SPAN aggregation for out-of-band traffic monitoring

With the Cisco Nexus Data Broker, you can interconnect your Cisco Nexus switches to build a scalable aggregation infrastructure made up of network taps and SPAN. You can also combine tap and SPAN sources to monitor production traffic, and you can distribute the tap and SPAN sources and traffic monitoring and analysis tools across multiple Cisco Nexus switches. This solution replaces purpose-built matrix switches with one or more Cisco Nexus 3000 or 9000 Series Switches, with traffic tapped into this bank of switches in the same way as in a matrix network.

Inline traffic monitoring for security

Today’s security environment demands multiple proactive inline security tools, such as intrusion prevention systems (IPSs) and web filtering tools, at the perimeter of the network for strong, layered security. Because of the high volume of traffic, these security tools themselves can become bottlenecks and single points of failure. To address these challenges, you need a solution that can adapt to the increasing volume of traffic, provide flexibility to support production connections and inline-tool connections, and offer cost-effective deployment options.

Tap and SPAN Aggregation with Cisco Nexus Data Broker

Cisco Nexus switches are connected to points in the network at which packet monitoring is most advantageous (Figure 2). From each network element, SPAN ports or optical taps send traffic flows directly to the matrix switch, which is directly connected to all the tools used to monitor the events in the network fabric. These monitoring devices include application analysis tools, security intrusion detection systems (IDSs), recording devices, and packet-sniffer tools.

Figure 2.      Tap and SPAN Aggregation with Cisco Nexus Data Broker

Main Capabilities

The Cisco Nexus Data Broker application discovers the tap and SPAN aggregation network topology and maintains the state of this network. It also maintains the mapping information for the monitoring tools connected to the Cisco Nexus switch and port.

Using the Nexus Data Broker, the network administrator can aggregate the tap and SPAN traffic from multiple input sources, replicate this traffic, and forward the traffic to multiple monitoring tools, which may be connected to different Cisco Nexus switches. The network administrator can also filter traffic based on Layer 1 through Layer 4 header information and forward the traffic to multiple monitoring tools.

With these capabilities, you can build a fully distributed traffic-monitoring network that works as one logical device that can change filtering and forwarding rules dynamically. And because the data broker provides a representational state transfer (REST) interface, network operators can write applications to detect and capture unique traffic according to administrative requirements and traffic monitoring needs. This solution allows unique and important traffic patterns to flow directly to the analysis tools in real time. With the elasticity and ease of use of a complete monitoring solution, Cisco Nexus Data Broker delivers greater business agility through a cost-effective, scalable approach to traffic monitoring.

Embedded Deployment Option

To reduce overhead and keep deployment simple when a single Cisco Nexus 3000 Series, 3100 platform, or 3500 Series switch hosts the traffic monitoring solution, you can use the data broker’s embedded option (Figure 3). This option runs the software in the switch’s own Linux container, so no separate virtual machine is needed: an open virtual appliance (OVA) is deployed and activated on the Cisco Nexus switch itself. The embedded option includes all the features of the application, with the following restrictions:

   You can use it to manage flows only on the switch on which the embedded OVA is deployed.

   You can deploy only one instance in each switch (high-availability configuration is not supported).

Figure 3.      Cisco Nexus Data Broker Embedded Deployment

Features and Benefits of Tap and SPAN Aggregation

Table 2 summarizes the main features and benefits of Cisco Nexus Data Broker tap and SPAN aggregation.

Table 2.       Features and Benefits of Cisco Nexus Data Broker Tap and SPAN Aggregation

Feature

Benefit

Support for different port capacities

  Cisco Nexus Data Broker supports 1, 10, 40, and 100 Gigabit Ethernet ports.
  High-density 10-, 40-, and 100-Gbps options are supported on Cisco Nexus 9500 platform switches.

Supported topology for TAP and SPAN aggregation

  Cisco Nexus Data Broker software discovers the Cisco Nexus switches and associated topology for tap and SPAN aggregation.
  You can configure ports as monitoring tool ports or input tap and SPAN ports.
  You can set end-device names for easy identification in the topology.

Support for IEEE 802.1Q Q-in-Q tagging of input source tap and SPAN ports*

  You can tag traffic with a VLAN for each input tap or SPAN port.
  Q-in-Q in edge tap and SPAN ports can uniquely identify the source of traffic and preserve production VLAN information.

Symmetric hashing or symmetric load balancing*

  You can configure hashing based on Layer 3 (IP address) or Layer 3 plus Layer 4 (protocol ports) to load-balance the traffic across a port-channel link.
  You can spread the traffic across multiple tool instances to accommodate the high-traffic-volume scale.

Rules for matching monitored traffic

  You can match traffic based on Layer 1 through Layer 4 criteria.
  You can configure the software to send only the required traffic to the monitoring tools without flooding the tools with unnecessary traffic.
  You can configure an action to set the VLAN ID for the matched traffic.

Layer 7 monitoring for HTTP traffic*

  You can match on HTTP methods such as GET, PUT, etc. and take specific actions for that traffic.
  This monitoring can help reduce the volume of traffic sent to any Websense tools.

Multiprotocol Label Switching (MPLS) label stripping*

  You can filter MPLS packets by enabling MPLS label stripping.

Traffic replication and forwarding

  You can aggregate traffic from multiple input tap and SPAN ports, which can be spread across multiple Cisco Nexus switches.
  You can configure the software to replicate and forward traffic to multiple monitoring tools, which can be connected across multiple Cisco Nexus switches.
  This solution is the only solution that supports any-to-many forwarding across a topology.

Time stamping**

  You can time-stamp a packet at ingress using the Precision Time Protocol (PTP; IEEE 1588), thereby providing nanosecond accuracy. You can use this capability in monitoring and archiving critical transaction data for regulatory compliance and advanced troubleshooting.

Packet truncation**

  You can configure the software to truncate a packet beyond a specified number of bytes.
  The minimum packet size is 64 bytes.
  You can retain only the headers for analysis and troubleshooting.
  You can configure the software to discard the payload for security or compliance reasons.

Response to changes in the TAP and SPAN aggregation network state

  You can monitor and keep track of changes in the network condition.
  You can respond to link or node failures by automatically reprogramming the flows through an alternative path.

End-to-end path visibility

  For each traffic-forwarding rule, the solution provides complete end-to-end path visibility all the way from source ports to the monitoring tools, including the path through the network.

Management for multiple disjointed Cisco Nexus Data Broker networks

  You can manage multiple independent tap and SPAN aggregation networks using the same Cisco Nexus Data Broker instance.
* Feature supported on Cisco Nexus 3100 platform and Cisco Nexus 9000 Series
** Feature supported only on Cisco Nexus 3500 Series
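Several rows of Table 2 describe one delivery pipeline: match the monitored traffic on Layer 2 through Layer 4 fields, optionally set a VLAN ID (Q-in-Q when the frame is already tagged), spread the copies over several tool instances with symmetric hashing, and truncate each copy to its headers with a 64-byte minimum. The following Python is an added software model of that pipeline written for this page; it is not Cisco’s code and does not reflect how the switch hardware implements these features. All frames are constructed inside the example, the rule format and the function names are the example’s own, and the hash function (SHA-256 over the sorted endpoint pair) is an assumption chosen to make the symmetry property easy to see.

```python
# Added example (not Cisco's code): a software model of the tap/SPAN delivery
# pipeline from Table 2. A frame from an edge port is checked against a match
# rule (Layer 2-4 fields; absent field = wildcard), a tool port is chosen by
# symmetric hashing so both directions of a flow reach the same tool instance,
# the copy is truncated to header-only with the page's 64-byte minimum, and an
# optional 802.1Q tag marks the source port (Q-in-Q if already tagged).
# All frames are constructed here; they are not captures.
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

MIN_FRAME_BYTES = 64  # minimum truncated size stated on the page


@dataclass
class Flow:
    vlan: Optional[int]  # outermost 802.1Q VLAN ID, if tagged
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    hdr_len: int         # bytes from frame start to the end of the L4 header


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def insert_vlan_tag(frame: bytes, vid: int) -> bytes:
    """Push an 802.1Q tag after the MAC addresses. On an already-tagged frame this
    gives Q-in-Q: the new outer tag identifies the tap/SPAN source, the inner tag
    keeps the production VLAN."""
    return frame[:12] + struct.pack("!HH", 0x8100, vid & 0x0FFF) + frame[12:]


def build_frame(src_ip, dst_ip, src_port, dst_port, payload=b"", vlan=None):
    """Construct an Ethernet/IPv4/TCP frame (checksums left at zero; a model only)."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    frame = eth + ip_hdr + tcp_hdr + payload
    return insert_vlan_tag(frame, vlan) if vlan is not None else frame


def parse_frame(frame: bytes) -> Flow:
    off, vlan = 12, None
    ethertype = struct.unpack_from("!H", frame, off)[0]
    while ethertype in (0x8100, 0x88A8):  # strip stacked tags, remember the outer one
        tci = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        vlan = tci if vlan is None else vlan
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype != 0x0800:
        raise ValueError("this example handles IPv4 only")
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    src_ip = ".".join(map(str, frame[off + 12:off + 16]))
    dst_ip = ".".join(map(str, frame[off + 16:off + 20]))
    l4 = off + ihl
    src_port = dst_port = l4_len = 0
    if proto in (6, 17):  # TCP or UDP carry ports; other protocols hash on L3 only
        src_port, dst_port = struct.unpack_from("!HH", frame, l4)
        l4_len = (frame[l4 + 12] >> 4) * 4 if proto == 6 else 8
    return Flow(vlan, src_ip, dst_ip, proto, src_port, dst_port, l4 + l4_len)


def matches(flow: Flow, rule: dict) -> bool:
    """Layer 2-4 match rule: every field named in the rule must equal the flow's."""
    return all(getattr(flow, field) == value for field, value in rule.items())


def symmetric_tool_index(flow: Flow, n_tools: int, use_l4: bool = True) -> int:
    """Symmetric hashing: sort the two endpoints so A->B and B->A hash alike.
    use_l4=False hashes on Layer 3 only, the page's first hashing option."""
    lo, hi = sorted([(flow.src_ip, flow.src_port), (flow.dst_ip, flow.dst_port)])
    key = f"{lo[0]}|{hi[0]}|{flow.proto}" + (f"|{lo[1]}|{hi[1]}" if use_l4 else "")
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big") % n_tools


def truncate(frame: bytes, flow: Flow, keep_bytes: Optional[int] = None) -> bytes:
    """Drop the payload: keep the headers (or a chosen prefix), never under 64 bytes."""
    keep = flow.hdr_len if keep_bytes is None else keep_bytes
    return frame[:max(keep, MIN_FRAME_BYTES)]


def broker(frame: bytes, rule: dict, n_tools: int, tag_vid: Optional[int] = None):
    """Return (tool index, delivered copy) for a matching frame, or None if filtered."""
    flow = parse_frame(frame)
    if not matches(flow, rule):
        return None
    copy = truncate(frame, flow)
    if tag_vid is not None:
        copy = insert_vlan_tag(copy, tag_vid)
    return symmetric_tool_index(flow, n_tools), copy


if __name__ == "__main__":
    fwd = build_frame("10.0.0.1", "192.0.2.10", 40000, 443, b"A" * 300)
    rev = build_frame("192.0.2.10", "10.0.0.1", 443, 40000, b"B" * 300)
    for f in (fwd, rev):
        tool, copy = broker(f, {"proto": 6}, 4, tag_vid=200)
        print(f"tool {tool}: {len(f)} bytes in, {len(copy)} bytes delivered")
```

Two points worth noticing when running it: the forward and reverse frames of the same TCP session land on the same tool index only because the endpoints are sorted before hashing (a plain hash of the 5-tuple in packet order would split the session across tools), and a 354-byte frame is delivered as 64 bytes, not 54, because the minimum size wins over the header length. If a tool needs part of the payload, pass `keep_bytes` to `truncate` rather than lowering the minimum.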

In-line Monitoring with Cisco Nexus Data Broker

With the Cisco Nexus Data Broker inline option, a Cisco Nexus 3000 Series or Cisco Nexus 9300 platform switch acts as an inline redirection switch in front of multiple security tools. In this mode the Cisco Nexus switch behaves as a transparent inline switch and does not participate in any control protocols. Cisco Nexus switches give flexible port capacity options from 1 Gigabit to 100 Gigabits.

With Cisco Nexus Data Broker software, you can configure redirection policies that match specific traffic and redirect it through multiple security tools before the traffic enters or exits your data center. Cisco’s solution also automatically adapts to failure scenarios by bypassing the failed service nodes. It also provides the option to completely bypass all security tools for emergency troubleshooting. Figure 4 shows the logical deployment architecture for inline monitoring solutions.

Figure 4.      Cisco Nexus Data Broker Inline Monitoring

Features and Benefits of Inline Monitoring

Table 3 summarizes the main features and benefits of Cisco Nexus Data Broker inline monitoring.

Table 3.       Features and Benefits of Cisco Nexus Data Broker Inline Monitoring

Feature

Benefit

Support for a variety of port capacities and densities

  The Cisco Nexus Data Broker Inline option supports 10-, 40-, and 100-Gbps connections to the production network switches and routers.

Flexible port definition option

  Any port can be used as a production connection port or as a security tool (service node) port.
  Multiple production ingress and egress connections are supported on the same switch.

Symmetric hashing or symmetric load balancing

  You can configure hashing based on Layer 3 (IP address) or Layer 3 plus Layer 4 (protocol ports) to load-balance the traffic across multiple security tool instances to accommodate high traffic volumes.

Support for multiple service nodes

  You can match traffic based on Layer 1 through Layer 4 criteria.
  You can create a redirection policy to direct the traffic through multiple security tools.

Implicit tagging to distinguish traffic from different ingress ports

  To identify traffic uniquely across each ingress and egress port, traffic is implicitly tagged with a VLAN ID.
  The VLAN ID is stripped implicitly before the traffic is sent through an egress port.

Automatic service-node removal

  If a port connected to a service node fails, that service node is automatically removed from the path.

Default fail-safe option

  The data broker automatically configures the fail-safe option to send the traffic directly from an ingress port to an egress port.

Automatic copy function for out-of-band traffic monitoring

  You can copy the traffic automatically from the ingress and egress ports of the last service node.
  This feature can be helpful for troubleshooting problems in service nodes.

End-to-end path visibility

  For each redirection instance, the solution provides complete end-to-end path visibility from the ingress port to the egress port, including the path through the service nodes.

Cisco Nexus Data Broker Access Mechanisms

You can access Cisco Nexus Data Broker functions in several ways:

   Web-based GUI for all configuration and user management (Figure 5)

Figure 5.      Cisco Nexus Data Broker Web GUI Access Mechanisms

   Robust REST API for programmatic access to functions and enablement of event-directed filtering and forwarding (Figure 6)

Figure 6.      Cisco Nexus Data Broker REST API Access Mechanisms

Device Support Matrix for Cisco Nexus Data Broker

Table 4 summarizes the devices and capabilities that Cisco Nexus Data Broker supports.

Table 4.       Device Support Matrix

Device Model              | Cisco Nexus Data Broker Software       | Deployment Mode Supported | Supported Use Cases
Cisco Nexus 3000 Series   | All Cisco Nexus Data Broker releases   | Centralized and embedded  | Tap and SPAN aggregation and in-line monitoring
Cisco Nexus 3100 platform | All Cisco Nexus Data Broker releases   | Centralized and embedded  | Tap and SPAN aggregation and in-line monitoring
Cisco Nexus 3164Q Switch  | Cisco Nexus Data Broker 2.2            | Centralized and embedded  | Tap and SPAN aggregation only
Cisco Nexus 3500 Series   | Cisco Nexus Data Broker 2.0 and later  | Centralized and embedded  | Tap and SPAN aggregation only
Cisco Nexus 9300 platform | Cisco Nexus Data Broker 2.1 and later  | Centralized and embedded  | Tap and SPAN aggregation and in-line monitoring
Cisco Nexus 9500 platform | Cisco Nexus Data Broker 2.1 and later  | Centralized only          | Tap and SPAN aggregation only

Cisco Capital Financing to Help You Achieve Your Objectives

Cisco Capital® financing can help you acquire the technology you need to achieve your objectives and stay competitive. We can help you reduce capital expenditures (CapEx), accelerate your growth, and optimize your investment dollars and ROI. Cisco Capital financing gives you flexibility in acquiring hardware, software, services, and complementary third-party equipment. And there’s just one predictable payment. Cisco Capital financing is available in more than 100 countries. Learn more.

Additional Features of the Cisco Nexus Data Broker

Table 5 describes the main features of Cisco Nexus Data Broker.

Table 5.    Main Features of Cisco Nexus Data Broker

Feature

Description

Configuration

GUI

Cisco Nexus Data Broker software provides a web-based GUI for management of all configurations and functions. The GUI provides access to features including:

  Topology and device management and assignment of port type
  Mapping of the ports to the end monitoring or analysis tools
  Configuration of filters to match traffic according to business needs
  Setup of traffic flows from network-edge ports to tool-delivery ports
  Event logging and troubleshooting
  Flow and port statistics
  RBAC user and role management

Northbound API

The Cisco Nexus Data Broker REST-based API provides access to all functions that can be performed through the GUI.

Port-type assignment

Ports must be designated as edge tap or SPAN (input) ports or delivery (output) ports to be used to configure network connections. This feature, in combination with RBAC, increases network security.

InterSwitch Link (ISL) discovery

ISLs are ports that interconnect two switches. These ISLs can use individual ports or port channels. These ISLs are automatically discovered by the data broker software, and the state of these ISLs is automatically maintained.

Traffic Delivery (Basic)

One-to-one connection

This connection type establishes a one-to-one connection from an edge-network port to a tool-delivery port across the network with no oversubscription.

One-to-many connection

This connection type establishes a one-to-many connection from an edge-network port to multiple tool-delivery ports.

Many-to-one connection

This connection type establishes a many-to-one connection from multiple edge-network ports to a single tool-delivery port.

Combination connection

One-to-one, one-to-many, and many-to-one connections can be established for different flows at the same time in the same monitored network.

Port-speed adaptation

One-to-one, one-to-many, and many-to-one connections can be established between ports with different speeds. For instance, a 40-Gbps port can deliver traffic to a 10-Gbps tool port to allow use of traditional tools over high-speed production network interfaces.

Symmetric load balancing

You can configure symmetric hashing based on Layer 3 (IP address) information or Layer 3 and Layer 4 (protocol and port) information to load-balance the traffic to multiple monitoring tools.

Failure resiliency

If a path fails, the controller automatically reroutes each flow to an alternative path. If rerouting is not possible, an event is logged.

Traffic Delivery (Advanced)

Packet filtering

Traffic forwarding is based on the full-flow specification, allowing detailed traffic filtering to limit the traffic to the delivery port to only the traffic that is strictly necessary.

Layer 7 filtering for HTTP traffic

For HTTP traffic, you can filter based on HTTP methods. You can choose to send only certain types of HTTP transactions, such as GET and CONNECT, and drop the rest.

VLAN tag rewrite

You can change the original VLAN tag from the edge port to the delivery port either by using the filter mechanism or by tagging at the edge port.

VLAN tag insertion

You can add a VLAN tag to the original packet to be delivered to allow a tool to identify the origin of the traffic.

MPLS tag stripping

You can enable MPLS tags to be stripped and perform filtering on IP parameters before the traffic is sent to monitoring tools.

Q-in-Q support

If the packet is already tagged, Cisco Nexus Data Broker software can add a second tag that allows you to preserve the original tag information and also identify the edge tap or SPAN port from which the traffic is received.

Time stamping

You can configure the software to time-stamp packets using PTP with nanosecond accuracy for compliance, troubleshooting, or application-performance management.

Packet truncation

You can strip packet payloads for security and compliance purposes. The minimum packet length is 64 bytes. You can specify the number of bytes to be retained, and the packet payload is then truncated beyond the specified byte size and delivered to the monitoring tools.

Network Design

Multilevel design

Cisco Nexus Data Broker software can support multiple Cisco Nexus switches connected in any topology. Analysis and monitoring devices can be connected anywhere in the topology. Typical tap network architectures are:

  Two- or three-level networks (edge, distribution layer [optional], and core) in which the delivery ports are connected to the core switches
  Nonblocking leaf-and-spine architectures, in which both the edge and the delivery ports are connected to the leaf switches

Loop prevention

Built-in logic prevents creation of network loops. This feature supports one-to-one, one-to-many, many-to-one, and any-to-many replication and redirection policies.

Scalability

Cisco Nexus Data Broker can support up to 100 switches and 4000 edge and delivery ports per instance.

High availability

Cisco Nexus Data Broker supports high availability through active-active clustering. Using the current release, up to five instances can be part of the same cluster.

Security and Operations

Role-based access control (RBAC)

Each port can be exclusively assigned to one or more user groups.

Logging

Cisco Nexus Data Broker provides system logs and user audit logs. In addition, it supports different logging levels depending on administrative needs.

Path rerouting to help ensure delivery

If traffic is critical, data loss can impair compliance. In this case, if a network link or node failure occurs, the data flow is automatically rerouted using an alternative network path to prevent data loss and to meet compliance requirements.

System Requirements

Cisco Nexus Data Broker software

The minimum system requirements are:

  64-bit Linux OS (Fedora, Ubuntu, or Red Hat)
  8 GB of RAM, 6-core CPU, and 40 GB of free space in the partition in which the controller will be installed
  Java Release 1.8.0_45 or later recommended


Next Steps

For more information, see:

   Cisco Nexus Data Broker webpage: http://www.cisco.com/go/nexusdatabroker

   Cisco Nexus Data Broker configuration guide: http://www.cisco.com/c/en/us/support/cloud-systems-management/nexus-data-broker/products-installation-and-configuration-guides-list.html

   Cisco Nexus Data Broker quick-start implementation guides:

     Centralized: http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/nexus-data-broker/guide-c07-731460.html

     Embedded: http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/nexus-data-broker/guide-c07-733478.html