techwisetv workshop: nexus data broker
TRANSCRIPT
1C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Nexus Data Broker
Jothi Prakash
June 2, 2016
Jothi PrakashProduct ManagerJune, 2016
Enable Maximum Visibility With Minimum Complexity Cisco Nexus Data Broker
3C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Why Monitor Network Traffic?
Application PerformanceApplication PerformanceCompliance and Security
Network Performance/Troubleshooting
4C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Tools
Conventional Packet Broker Deployment Scenario
Production Network
IDS
Videomonitor
Matrix network
Purpose-builtmatrix switch
Analytics
Cisco® SPAN ports
Optical TAPs
ConventionalTraffic Monitoring
Traffic Filtered and Forwarded to Monitoring Tools
Tap Aggregation with Purpose-built Matrix Switch
5C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Traffic Pattern Shift within Datacenter
Source: Cisco Global Cloud Index, 2012
6C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
High cost of conventional matrix switches make scaling very expensive
Filtering and forwarding are statically configured, not event driven
Limitation on interconnection of Matrix Switches to build a scalable topology
Challenges with The Conventional Approach
7C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Nexus Data Broker
8C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Nexus Data Broker ComponentsCisco Nexus
3000 Series
3100 Platform
3500 Series
9300 Platform
9500 Platform
+ Cisco Nexus® Data Broker software
Cisco Nexus Data Broker SoftwareCisco Nexus 3000 or 9000 Series Switches
Supported use cases:
Scalable test access point (TAP) and Cisco® Switched Port Analyzer (SPAN) aggregation for out-of-band network traffic monitoring
Flexible solution for inline traffic monitoring and redirection to security tools
3200 Series
9200 Platform
9C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Nexus Data Broker: Centralized Deployment
Tools TAP and Cisco® SPAN Aggregation Production Network
CustomTools
OpticalTAPs
SPAN
Cisco Nexus 3000 or 9000 Series Switches
Central tapping point
Java and RESTCisco Nexus Data Broker
Cisco Prime™
Network AnalysisModule (NAM)
Securityintrusion detection system (IDS)
Traffic filtered and forwarded to one or moremonitoring tools
OpenFlow or
Cisco NX-API
With Cisco Nexus® Data Broker
Cisco Nexus Data Broker replaces the purpose-built matrix switch with Cisco Nexus switches for scalable and cost-effective TAP and SPAN aggregation
10C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Nexus Data Broker Embedded ModeOn-Switch Deployment
Production NetworkTools TAP and Cisco® SPAN Aggregation
Cisco Nexus Data Broker software runs on an Cisco Nexus 3000 Series or Cisco Nexus 9300 platform switches
CustomTools
SPAN and ERSPAN
OpticalTAPs
Cisco Nexus Data Broker and
OpenFlow
REST API for northbound application integration
Cisco Prime™ NAM
Security IDS
Traffic filtered and forwardedto one or more monitoring tools
With Cisco Nexus® Data Broker
Cisco Nexus 3000 Series or 9000
platform switches
New
11C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Nexus Data Broker Programming Flows
Cisco Nexus®
Data Broker
HTTP/HTTPS REST API
Cisco Nexus switch Cisco Nexus switch
OpenFlow or Cisco® NX-API OpenFlow or Cisco NX-API
12C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Nexus Data Broker Interfaces
Web-based GUI and REST API to support:
Device management
Monitoring topology view
Troubleshooting
AAA functions
TAP and Cisco® SPAN port definitions
Filter configurations
Connection configuration
13C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Nexus Data BrokerPacket Filtering Features
Packet tagging features at ingress
Support IEEE 802.1Q encapsulation for source-port tagging Perform VLAN and MPLS tag stripping Time-stamp packet at ingress based on PTP (IEEE 1588) Truncate packet at ingress at set number of bytes (minimum 64 bytes)
Packet filtering capabilities
Filter based on Layer 1 through Layer 4 information Perform Layer 7 filtering for HTTP traffic based on HTTP methods Enable bidirectional packet matching Support dropping of all matching traffic
Traffic load balancing
Load-balance traffic to multiple monitoring tools Enable symmetric hashing with:
Layer 3 (IP address) information Layer 3 plus Layer 4 (IP address plus protocol plus port) information
I want to see web traffic on my packet-analysis tool …
Production infrastructure
Traffic monitoring infrastructure
Copy of production traffic
14C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Nexus Data BrokerPacket Forwarding Features
Multipoint-to-multipoint (MP2MP) traffic
Specify one or more input ports (TAP or Cisco® SPAN) Can replicate and forward traffic to N number of
monitoring tools Monitoring tools can be connected to different switches
Any-to-multipoint (A2MP) traffic
Input port in monitor topology is not known Can replicate and forward traffic to N number of
monitoring tools Monitoring tools can be connected to different switches Programmed flows follow loop-free forwarding path
Complex topologies require(and Cisco Nexus® Data Broker
provides):
Automation of flow programming
Capability to automatically adapt to topology changes
15C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Nexus Data Broker View and Statistics
Link use information is available in the topology and the per-rule path view window
Inter-Switch Link (ISL) use
For each flow on the device, provides packet and byte counters Provides per-port statistics for all ports on the switch
Device-level statistics
Per-connection-path view and flow-level statistics
16C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco ACI Integration
17C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Nexus Data Broker Integration with Cisco ACIToolsTAP and Cisco® SPAN AggregationProduction Network
Cisco Nexus Data Broker integrates with Cisco ACI to provide single point of managementfor monitoring configuration
Cisco Prime™ NAM
Security IDS
Other trafficanalyzer tools
Cisco Nexus® Data Broker
Cisco Nexus 3000 or 9000 Series Switches for Cisco Nexus Data Broker
Production network: Cisco ACI™
SPAN
BiDiTAPs
REST interface
18C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco ACI Integration Features
All operations performed through Cisco Nexus® Data Broker web GUI or REST API
Cisco® SPAN Destination SPAN Sessions Automated Connection
Setup
Query Cisco ACI™ leaf switches
Designate ports as SPAN destinations
Configure access SPAN in Cisco ACI
Use multiple source interfaces across multiple leaf switches
Filter traffic based on EPG
Set up connections automatically
Forward traffic to monitoring tools
Support filter setup
19C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Nexus Data Broker: Demonstration
20C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Customer Deployment Scenarios
21C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Scalable Deployment Using Nexus 9000 Series
Customer Benefits
Improve Operations Efficiency
• Get relevant traffic visibility in minutes
• Enable faster troubleshooting through automation
Provide Tool Placement Flexibility
• Replicate traffic to multiple tools across different
switches
Highly Cost Effective
• Cost effective and scalable option with rich feature
set
Monitoring Tool-1 Monitoring Tool-2
Cisco Nexus 9500
Cisco Nexus 9300
ProductionNetwork
SPAN andTaps
SPAN andTaps
SPAN andTaps
Nexus Data Broker
Large Financial Customer
22C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialExisiting Packet Broker Switch
Nexus 3172 with Nexus Data Broker
Access SPAN from every ACI leaf
40G links to existing Packet Broker Switch
Cisco ACI InfrastructureCustomer Benefits
Seamless insertion
• Enables visibility to both Cisco ACI and
traditional infrastructure
• Works with existing packet broker
solution
Enables Automation
• Robust REST API for programmatic
configurations
• Build feedback loop based on traffic
patterns
Monitoring Traffic in Cisco ACI with Nexus Data BrokerLarge Service Provider Customer
23C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
General Features and Functions
24C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Multiple-Data Center Management Feature
Filtering and forwarding policies for each sliceStatistics collected and presented per slice
Full RBAC functions for each slice
Cisco UCS® Cluster for Cisco Nexus® Data Broker
Cisco Nexus DataBroker Cluster
Monitoring Network in Data Center 1 Monitoring Network in Data Center 2
Cisco Prime™
NAM
Network TAPs
Network TAPs
CiscoNexus 3100
CiscoNexus 3100
CiscoNexus 3000
CiscoNexus 3000
Cisco PrimeNAM
Network TAPs
Network TAPs
CiscoNexus 3100
CiscoNexus 3100
CiscoNexus 3000
CiscoNexus 3000
Cisco PrimeNAM
Cisco PrimeNAM
Support for multiple data centers using network slicing concept
28C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Solution Differentiators Summary
Centralized management through GUI and REST API Uses Cisco Nexus® Data Broker Supports multiple disjointed monitoring networks
Capability to interconnect multiple monitoring switches to form a topology No limit on number of switches and topology model
Transparent replication and redirection of traffic to monitoring tools connected anywhere in the topology Only solution to support any-to-one and any-to-many connections
High-availability support using clustering
Integrated role-based access control (RBAC) Supports local deployment of or integration with a corporate or central RBAC server
29C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
www.cisco.com/go/nexusdatabroker
31C97-735943-01 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Thank you for watching.