techwisetv workshop: nexus data broker

Post on 08-Jan-2017


TRANSCRIPT

1C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cisco Nexus Data Broker

Jothi Prakash, Product Manager

June 2, 2016

Enable Maximum Visibility With Minimum Complexity: Cisco Nexus Data Broker


Why Monitor Network Traffic?

• Application performance

• Compliance and security

• Network performance and troubleshooting


Conventional Packet Broker Deployment Scenario

[Diagram: Cisco® SPAN ports and optical TAPs on the production network feed a purpose-built matrix switch (the matrix network), which filters traffic and forwards it to monitoring tools such as an IDS, a video monitor and analytics. This is conventional traffic monitoring: TAP aggregation with a purpose-built matrix switch.]


Traffic Pattern Shift within Datacenter

Source: Cisco Global Cloud Index, 2012


Challenges with the Conventional Approach

• The high cost of conventional matrix switches makes scaling very expensive

• Filtering and forwarding are statically configured, not event driven

• Limitations on interconnecting matrix switches to build a scalable topology


Cisco Nexus Data Broker


Cisco Nexus Data Broker Components

Cisco Nexus 3000 or 9000 Series Switches:

• Cisco Nexus 3000 Series

• Cisco Nexus 3100 Platform

• Cisco Nexus 3200 Series

• Cisco Nexus 3500 Series

• Cisco Nexus 9200 Platform

• Cisco Nexus 9300 Platform

• Cisco Nexus 9500 Platform

+ Cisco Nexus® Data Broker software

Supported use cases:

• Scalable test access point (TAP) and Cisco® Switched Port Analyzer (SPAN) aggregation for out-of-band network traffic monitoring

• Flexible solution for inline traffic monitoring and redirection to security tools


Cisco Nexus Data Broker: Centralized Deployment

[Diagram: TAP and Cisco® SPAN aggregation. Optical TAPs and SPAN sessions on the production network feed Cisco Nexus 3000 or 9000 Series Switches acting as a central tapping point. Cisco Nexus Data Broker (Java and REST northbound) programs the switches over OpenFlow or Cisco NX-API; traffic is filtered and forwarded to one or more monitoring tools such as Cisco Prime™ Network Analysis Module (NAM), a security intrusion detection system (IDS) and custom tools.]

With Cisco Nexus® Data Broker: Cisco Nexus Data Broker replaces the purpose-built matrix switch with Cisco Nexus switches for scalable and cost-effective TAP and SPAN aggregation.


Cisco Nexus Data Broker Embedded Mode: On-Switch Deployment (New)

Cisco Nexus Data Broker software runs on Cisco Nexus 3000 Series or Cisco Nexus 9300 platform switches.

[Diagram: TAP and Cisco® SPAN aggregation. Optical TAPs, SPAN and ERSPAN sessions on the production network feed Cisco Nexus 3000 Series or 9000 platform switches that run Cisco Nexus Data Broker and OpenFlow on the switch itself. A REST API is exposed for northbound application integration; traffic is filtered and forwarded to one or more monitoring tools such as Cisco Prime™ NAM, a security IDS and custom tools.]


Cisco Nexus Data Broker Programming Flows

[Diagram: applications reach Cisco Nexus® Data Broker through its HTTP/HTTPS REST API; Cisco Nexus Data Broker in turn programs each Cisco Nexus switch over OpenFlow or Cisco® NX-API.]


Cisco Nexus Data Broker Interfaces

Web-based GUI and REST API to support:

• Device management

• Monitoring topology view

• Troubleshooting

• AAA functions

• TAP and Cisco® SPAN port definitions

• Filter configurations

• Connection configuration


Cisco Nexus Data Broker Packet Filtering Features

Packet tagging features at ingress:

• Support IEEE 802.1Q encapsulation for source-port tagging

• Perform VLAN and MPLS tag stripping

• Time-stamp packets at ingress based on PTP (IEEE 1588)

• Truncate packets at ingress at a set number of bytes (minimum 64 bytes)

Packet filtering capabilities:

• Filter based on Layer 1 through Layer 4 information

• Perform Layer 7 filtering for HTTP traffic based on HTTP methods

• Enable bidirectional packet matching

• Support dropping of all matching traffic

Traffic load balancing:

• Load-balance traffic to multiple monitoring tools

• Enable symmetric hashing with Layer 3 (IP address) information, or Layer 3 plus Layer 4 (IP address plus protocol plus port) information
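Symmetric hashing is what keeps both directions of a conversation on the same monitoring tool when a traffic copy is load-balanced. The following is an added Python model, not Cisco's code, of a bidirectional web filter followed by a Layer 3 or Layer 3 plus Layer 4 symmetric hash; the Packet type, the key encoding and the use of SHA-256 are assumptions for illustration, not the algorithm the Nexus hardware uses.

```python
"""Symmetric flow hashing to spread a monitored traffic copy across N tools.
Illustrative model only: the key encoding and hash are assumptions, not the
algorithm used by Cisco Nexus Data Broker or the Nexus switch hardware."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int      # IP protocol number; 6 = TCP
    src_port: int
    dst_port: int

def matches_web_bidirectional(pkt: Packet) -> bool:
    """Bidirectional HTTP/HTTPS filter: either end of the TCP connection is on 80 or 443."""
    return pkt.proto == 6 and bool({pkt.src_port, pkt.dst_port} & {80, 443})

def symmetric_key(pkt: Packet, use_l4: bool) -> str:
    """Canonical flow key: endpoints are sorted, so A->B and B->A yield the same key."""
    if use_l4:
        # Keep each (ip, port) pair together so the sort cannot mix A's IP with B's port.
        lo, hi = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
        return f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}|proto={pkt.proto}"
    lo_ip, hi_ip = sorted([pkt.src_ip, pkt.dst_ip])
    return f"{lo_ip}|{hi_ip}"

def pick_tool(pkt: Packet, n_tools: int, use_l4: bool = True) -> int:
    """Index (0..n_tools-1) of the monitoring tool that receives this packet."""
    digest = hashlib.sha256(symmetric_key(pkt, use_l4).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_tools

def distribute(packets, n_tools: int, use_l4: bool = True) -> dict:
    """Apply the bidirectional web filter, then hash each surviving packet to a tool."""
    return {p: pick_tool(p, n_tools, use_l4) for p in packets if matches_web_bidirectional(p)}

# Constructed sample traffic (not captured data): one HTTPS flow seen in both
# directions, a second HTTPS flow between the same hosts, and one SSH flow.
SAMPLE = [
    Packet("10.1.1.10", "192.0.2.20", 6, 51000, 443),
    Packet("192.0.2.20", "10.1.1.10", 6, 443, 51000),
    Packet("10.1.1.10", "192.0.2.20", 6, 51001, 443),
    Packet("10.1.1.10", "192.0.2.20", 6, 51002, 22),
]

if __name__ == "__main__":
    for p, tool in distribute(SAMPLE, n_tools=3).items():
        print(f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}  tool {tool}")
```

With Layer 3 only hashing, every flow between the same pair of hosts lands on one tool; adding Layer 4 spreads distinct connections between those hosts across tools while still keeping each connection's two directions together.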

[Diagram: "I want to see web traffic on my packet-analysis tool …" A copy of production traffic is taken from the production infrastructure into the traffic monitoring infrastructure.]


Cisco Nexus Data Broker Packet Forwarding Features

Multipoint-to-multipoint (MP2MP) traffic:

• Specify one or more input ports (TAP or Cisco® SPAN)

• Can replicate and forward traffic to N monitoring tools

• Monitoring tools can be connected to different switches

Any-to-multipoint (A2MP) traffic:

• Input port in the monitor topology is not known

• Can replicate and forward traffic to N monitoring tools

• Monitoring tools can be connected to different switches

• Programmed flows follow a loop-free forwarding path

Complex topologies require (and Cisco Nexus® Data Broker provides):

• Automation of flow programming

• Capability to automatically adapt to topology changes


Cisco Nexus Data Broker View and Statistics

• Link use information is available in the topology and the per-rule path view window

• Inter-Switch Link (ISL) use

• Device-level statistics: for each flow on the device, provides packet and byte counters; provides per-port statistics for all ports on the switch

• Per-connection-path view and flow-level statistics


Cisco ACI Integration


Cisco Nexus Data Broker Integration with Cisco ACI

Cisco Nexus Data Broker integrates with Cisco ACI to provide a single point of management for monitoring configuration.

[Diagram: TAP and Cisco® SPAN aggregation. The production network is Cisco ACI™; SPAN sessions and BiDi TAPs feed Cisco Nexus 3000 or 9000 Series Switches for Cisco Nexus Data Broker. Cisco Nexus® Data Broker talks to Cisco ACI over a REST interface and forwards traffic to tools such as Cisco Prime™ NAM, a security IDS and other traffic analyzer tools.]


Cisco ACI Integration Features

All operations performed through Cisco Nexus® Data Broker web GUI or REST API.

Cisco® SPAN destination:

• Query Cisco ACI™ leaf switches

• Designate ports as SPAN destinations

SPAN sessions:

• Configure access SPAN in Cisco ACI

• Use multiple source interfaces across multiple leaf switches

• Filter traffic based on EPG

Automated connection setup:

• Set up connections automatically

• Forward traffic to monitoring tools

• Support filter setup


Cisco Nexus Data Broker: Demonstration


Customer Deployment Scenarios


Scalable Deployment Using Nexus 9000 Series: Large Financial Customer

[Diagram: SPAN sessions and TAPs from the production network feed Cisco Nexus 9300 switches, which connect to a Cisco Nexus 9500; Nexus Data Broker programs the topology and delivers traffic to Monitoring Tool-1 and Monitoring Tool-2.]

Customer Benefits

Improve Operations Efficiency

• Get relevant traffic visibility in minutes

• Enable faster troubleshooting through automation

Provide Tool Placement Flexibility

• Replicate traffic to multiple tools across different switches

Highly Cost Effective

• Cost-effective and scalable option with a rich feature set

Monitoring Traffic in Cisco ACI with Nexus Data Broker: Large Service Provider Customer

[Diagram: access SPAN from every ACI leaf in the Cisco ACI infrastructure is aggregated on a Nexus 3172 running Nexus Data Broker, which connects over 40G links to the existing packet broker switch.]

Customer Benefits

Seamless Insertion

• Enables visibility into both Cisco ACI and traditional infrastructure

• Works with the existing packet broker solution

Enables Automation

• Robust REST API for programmatic configuration

• Build a feedback loop based on traffic patterns


General Features and Functions


Multiple-Data Center Management Feature

Support for multiple data centers using the network slicing concept:

• Filtering and forwarding policies for each slice

• Statistics collected and presented per slice

• Full RBAC functions for each slice

[Diagram: a Cisco Nexus Data Broker cluster on a Cisco UCS® cluster manages the monitoring network in Data Center 1 and the monitoring network in Data Center 2; in each, network TAPs feed Cisco Nexus 3000 and Cisco Nexus 3100 switches that forward traffic to Cisco Prime™ NAM tools.]


Cisco Solution Differentiators Summary

• Centralized management through GUI and REST API: uses Cisco Nexus® Data Broker; supports multiple disjoint monitoring networks

• Capability to interconnect multiple monitoring switches to form a topology: no limit on the number of switches or the topology model

• Transparent replication and redirection of traffic to monitoring tools connected anywhere in the topology: only solution to support any-to-one and any-to-many connections

• High-availability support using clustering

• Integrated role-based access control (RBAC): supports local deployment of, or integration with, a corporate or central RBAC server


www.cisco.com/go/nexusdatabroker


Thank you for watching.
