federal data centers can benefit from intelligent traffic visibility … · 2013-04-30 · federal...

Federal Data Centers Can Benefit From Intelligent Traffic Visibility// White Paper

The Smart Route To Visibility™

1

The federal government has begun what looms as the largest data center consolidation in history, hoping to dramatically reduce IT operations that are currently distributed among more than 1,100 data centers. These data centers are where the applications and associated traffic negotiate the network infrastructure 24x7, providing critical services to both internal and external customers. Today’s data centers are increasingly complex with many different vendors and technologies working together.

The need for security, accountability and compliance is vital

to any network, and traffic visibility should be a paramount

consideration from the start when planning for a transition of

any size. One of the results of numerous monitoring tools being

deployed in a network, is that practices such as SPAN port

utilization is proving to be a challenge for sampling traffic. In

order to guarantee and certify that the traffic in your network is

secure and that it complies with FISMA, CALEA and other lawful

intercept rules and regulations, your network administrator must

have access to all the traffic. The Gigamon® solution deployed in

the network can help ensure that packets of traffic traversing the

wire are not compromised.

The Gigamon Intelligent Traffic Visibility Fabric™ provides all the

security required to help keep your traffic safe while allowing

the traffic going through the network to be delivered to your

monitoring tools. Downtime in the data center can cost federal

agencies thousands of dollars in lost productivity. It is vital for

IT to carefully monitor and analyze all the traffic in the data

center to maintain efficient operation of the network, reduce

bottlenecks, prevent outages and maintain security. A federal

agency’s most important asset is traffic, and it is absolutely

necessary to have secure, failsafe access, and complete

visibility of that traffic. To achieve this goal, federal agencies

can enhance their architecture by including intelligent traffic

visibility technology.

Most networking professionals are keenly aware of the need

for network visibility. They understand that any network

management system is only as good as the information it

provides and that the traffic sources themselves are critical

to any solution. To achieve unified management of service

delivery requires uncompromised visibility at various points of

the network. Each traffic source device type has capabilities

best suited toward certain environments. To best optimize

instrumentation, it is important to understand these capabilities

and the differences between the traffic sources themselves.

This paper focuses on how organizations can strategically

leverage the different types of security and monitoring

deployments available to achieve the coverage and visibility

required for smooth running operations during network

transition. It will explain the various solutions offered

by Gigamon, describe the benefits of each, and advise

which should be used in a given environment or network

segment. It will also discuss deployment considerations and

obstacles associated with networking infrastructures in many

organizations. This white paper is designed to guide the user

toward optimal usage and deployment strategies.



2

Visibility and Unified Service Delivery Management

The Gigamon Traffic Visibility Fabric provides comprehensive,

real-time network, application and service performance

intelligence that enables IT organizations to ensure optimized

network and application performance. The Gigamon solution

provides always-on network and application visibility with

a common and consistent view of service-oriented analysis

and reporting functions that enables increased productivity

and collaboration across the IT organization. This improves

IT staff productivity, cooperation and enables better cross-

functional leverage of management tool investments. This white

paper is dedicated toward the instrumentation and intelligent

traffic sources that support such a Unified Service Delivery

Management system.

Building a Secure Intelligent Traffic Visibility Network

The data center is part of a network ecosystem that drives the

work of any size agency. It is comprised of switches, routers,

application servers, firewalls, IP services (DNS, RADIUS, and

LDAP), virtualized applications, and storage area networks.

Monitoring the actual network traffic is extremely important

to the security of the agency. Federal agencies will typically

implement networks with countless numbers of monitoring and

security tools for defense, but find out that it is neither efficient

nor cost effective to have a tool connected on every critical

traffic path. The key to improved secure access and complete

visibility is to build a Traffic Visibility Solution that can filter,

aggregate, consolidate and replicate traffic to the

monitoring and security tools that are already found in

the data center.

Network Core

GigaSTREAM

VM Cluster

Fibre Channel SAN

Access Layer

Data Center

WAN Edge

Data Servers(Web, Mail, FTP, DNS)

PrivateWAN Edge

InternetWAN Edge

Distribution/Aggregation

GigaSTREAM In-Line Links

SPAN Data

GigaSTREAM

10G Tool Farm

1G Tool Farm

WebMonitor

IntrusionDetectionSystem

DataRecorder

Database Monitor

Data Recorder

VM Monitoring

Application Monitor

GigaVUE 2404

GigaVUE 2404

GigaVUE 2404

GigaVUE 2404

GigaVUE 420

GigaVUE 420GigaVUE 212

GigamonIntelligentDANTM

UPWHENINSTALLEDINREARSLOT

17 24

SLOT 3PORTS

9 16

SLOT 2PORTS

SLOT 1PORTS G1-G4PORTS 1-8

1G/10G PORTS (SFP+)

Pwr

GigaVUE-2404MB

ConsoleMgmt

G4Rdy

M/S

G3G2G1

10/100/1000 PORTS (SFP)

1

1G1 G2 G3 G4

2

2

3

3

4

4

5

5

6

6

7

7

8

8

1G/10G PORTS (SFP+)

Pwr

10GigaPORT-8X

1G/10G PORTS (SFP+)

Pwr

10GigaPORT-8X



17 24

SLOT 3PORTS

9 16

SLOT 2PORTS


1G/10G PORTS (SFP+)

Pwr

GigaVUE-2404MB

ConsoleMgmt

G4Rdy

M/S

G3G2G1

10/100/1000 PORTS (SFP)

1

1G1 G2 G3 G4

2

2

3

3

4

4

5

5

6

6

7

7

8

8

1G/10G PORTS (SFP+)

Pwr

10GigaPORT-8X

1G/10G PORTS (SFP+)

Pwr

10GigaPORT-8X



17 24

SLOT 3PORTS

9 16

SLOT 2PORTS


1G/10G PORTS (SFP+)

Pwr

GigaVUE-2404MB

ConsoleMgmt

G4Rdy

M/S

G3G2G1

10/100/1000 PORTS (SFP)

1

1G1 G2 G3 G4

2

2

3

3

4

4

5

5

6

6

7

7

8

8

1G/10G PORTS (SFP+)

Pwr

10GigaPORT-8X

1G/10G PORTS (SFP+)

Pwr

10GigaPORT-8X



17 24

SLOT 3PORTS

9 16

SLOT 2PORTS


1G/10G PORTS (SFP+)

Pwr

GigaVUE-2404MB

ConsoleMgmt

G4Rdy

M/S

G3G2G1

10/100/1000 PORTS (SFP)

1

1G1 G2 G3 G4

2

2

3

3

4

4

5

5

6

6

7

7

8

8

1G/10G PORTS (SFP+)

Pwr

10GigaPORT-8X

1G/10G PORTS (SFP+)

Pwr

10GigaPORT-8X

Console

Mgmt

Pwr

Rdy

M/S

GigaVUE-212

2 4

1 3

6 8

5 7

10/100/1000 PORTS2

1

1G PORTS 1G/10G PORTS4

3

6

5

8

7

X2

X1

Pwr

9

10

11

12

GigaPORT-SFP

9

10

11

12Console

Mgmnt

Pwr

Rdy

M/S

1 2 3 4

Gigamon S ystems

Giga PORT Giga PORT Giga PORT Giga PORT

Console

Mgmnt

Pwr

Rdy

M/S

1 2 3 4

Gigamon S ystems

Giga PORT Giga PORT Giga PORT Giga PORT

Figure 1: Intelligent Traffic Visibility Technology can be implemented into your network



3

The key to secure access is to utilize the GigaVUE® integrated

TAPs between major network devices found in the data center.

This includes core switch-to-router, switch-to-server and switch-

to-switch links. GigaVUE integrated TAPs can be deployed

as passive network connections that copy traffic from the link

to the monitoring and analyzing devices. Gigamon designed

the GigaVUE Traffic Visibility Node as a modular product.

This modularity provides secure access to the traffic, allowing

greater flexibility that accommodates the different media types

typically present. The chassis and module architecture allows

an agency’s data center to save costly rack space by allowing

several different modules to perform filtering, aggregating and

regeneration all from the same unit. By moving beyond the

fixed-function chassis, towards a scalable approach leverages

a repeatable, predictable, and measurable framework allowing

federal agencies to provide their data centers with reduced

power consumption and a smaller physical footprint. Many of

these benefits provide “Day One ROI,” or short term earned

value and improved efficiencies.

Replicated Traffic on a Critical Link can be seen by Many Tools

Increase Effectiveness from Existing Tools: Often a federal

agency will experience a tool overburdened by the amount of

traffic sent to it or difficulty monitoring higher speed connections

with lower speed tools. The Gigamon solution can reduce these

problems using patented mapping and filtering technologies.

Filtering allows the 10G or aggregated traffic to be throttled

down to less than 1G and sent to a 1G tool that the agency

already owns. With filtering, users can reduce the amount of

traffic being sent to a tool allowing it to only see the traffic it

needs, instead of voluminous amounts of unnecessary traffic.

This improves efficiency and saves budget dollars.

Eliminate SPAN Port Contention: Most switch and router

manufacturers such as Cisco, Brocade, HP, and Juniper have

a use limitation of only two ports for SPAN/Port Mirroring

connections. Because of this limitation, users have reduced

visibility into traffic because all packet capture devices, data

recorders, and application monitoring and security tools cannot

access the traffic they need to see. By using the GigaVUE

Traffic Visbility Node, users can connect these same

SPAN/Port Mirroring connections to the routers and switches

and easily replicate the traffic to multiple tools simultaneously.

Easily Add New Tools and Monitor New Applications: Data

centers are continuously evolving, adding new applications,

services and monitoring tools. When all monitored traffic

is routed through a Traffic Visibility Fabric, users can easily

connect new tools or monitor new applications using the

modular design by quickly sending traffic to new tools without

disturbing existing monitoring connections. All of this can be

accomplished without having to wait for lengthy change orders

or management processes because no downtime is incurred

ensuring all traffic is passively accessed and distributed.

Secure Monitored Traffic: Another important consideration

when monitoring or capturing traffic is controlling access to that

traffic to ensure only authorized users capture or see it.

The GigaVUE system secures traffic by offering many

different security options:

• User-basedportlockingtoensureonlyauthorizedusers

can access specific ports



17 24

SLOT 3PORTS

9 16

SLOT 2PORTS


1G/10G PORTS (SFP+)

Pwr

GigaVUE-2404MB

ConsoleMgmt

G4Rdy

M/S

G3G2G1

10/100/1000 PORTS (SFP)

1

1G1 G2 G3 G4

2

2

3

3

4

4

5

5

6

6

7

7

8

8

Pwr

10GigaTAP-4SR

Split Ratio 50/50

LINK LINK LINK LINK

1G/10G PORTS (SFP+)

Pwr

10GigaPORT-8X

P S U F A N S U P F A B I O M

C i s c o N e x u s 7000 Series

1 2 3 4 5 6 7 8 9 1 0

SERIAL PORT

CONSOLECOM1/AUX

STATUSIO

SYSTEM

ACTIVE

PWR MGMT

N7K-SUP 1

USB

DEVICE PORTHOST PORTS

RESET

CMPSTATUS

LINK

ACT

LINK

ACT

CMP MGMTETH

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24



1 2 3 4 5 6 7 8 9 1 0

SERIAL PORT

CONSOLECOM1/AUX

STATUSIO

SYSTEM

ACTIVE

PWR MGMT

N7K-SUP 1

USB


RESET

CMPSTATUS

LINK

ACT

LINK

ACT

CMP MGMTETH

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24



1 2 3 4 5 6 7 8 9 1 0

SERIAL PORT

CONSOLECOM1/AUX

STATUSIO

SYSTEM

ACTIVE

PWR MGMT

N7K-SUP 1

USB


RESET

CMPSTATUS

LINK

ACT

LINK

ACT

CMP MGMTETH

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24



1 2 3 4 5 6 7 8 9 1 0

SERIAL PORT

CONSOLECOM1/AUX

STATUSIO

SYSTEM

ACTIVE

PWR MGMT

N7K-SUP 1

USB


RESET

CMPSTATUS

LINK

ACT

LINK

ACT

CMP MGMTETH

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

SPAN Ports



1 2 3 4 5 6 7 8 9 1 0

SERIAL PORT

CONSOLECOM1/AUX

STATUS IO

SYSTEM

ACTIVE

PWR MGMT

N7K-SUP 1

USB


RESET

CMPSTATUS

LINK

ACT

LINK

ACT

CMP MGMTETH

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24



1 2 3 4 5 6 7 8 9 1 0

SERIAL PORT

CONSOLECOM1/AUX

STATUS IO

SYSTEM

ACTIVE

PWR MGMT

N7K-SUP 1

USB


RESET

CMPSTATUS

LINK

ACT

LINK

ACT

CMP MGMTETH

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24



1 2 3 4 5 6 7 8 9 1 0

SERIAL PORT

CONSOLECOM1/AUX

STATUS IO

SYSTEM

ACTIVE

PWR MGMT

N7K-SUP 1

USB


RESET

CMPSTATUS

LINK

ACT

LINK

ACT

CMP MGMTETH

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24



1 2 3 4 5 6 7 8 9 1 0

SERIAL PORT

CONSOLECOM1/AUX

STATUS IO

SYSTEM

ACTIVE

PWR MGMT

N7K-SUP 1

USB


RESET

CMPSTATUS

LINK

ACT

LINK

ACT

CMP MGMTETH

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

STATUS

IO

PERFORMANCE PORT

13

57

42

PERFORMANCE PORT

911

1315

1214

1610

PERFORMANCE PORT

1719

2123

2022

18

PERFORMANCE PORT

2527

2931

2830

3226

N7K-M132XP-12

68

24

Inline Connections

Monitoring andSecurity Tools



4

Copyright © 2012 Gigamon, LLC. All rights reserved. Gigamon, GigaVUE®, GigaSMART, G-TAP, Flow Mapping are registered trademarks of Gigamon, LLC and/or affiliates in the

United States and certain other countries. Visibility Fabric, Traffic Visibility Fabric (TVF), Citrus, and The Smart Route To Visibility are trademarks of Gigamon. All other trademarks

are the property of their respective owners.

Gigamon | 598 Gibraltar Drive Milpitas, CA 95035 | PH 408.263.2022 | www.gigamon.com

• Packetslicing,whichslicesthepayloadofapplicationtraffic

• SNMPtrapswhicharetriggeredwhenanexistingdeviceis

unplugged or a new device is plugged into an empty port

• Trafficmaskingwhichhidesthecontentsofsensitive

information

• User-orgroup-basedcentralizedauthenticationusing

RADIUS/TACACS+

• ProtectionofPersonallyIdentifiableInformation(PII)

Additionally, all out-of-band management functions use secure

access technologies such as SSH and HTTPS.

Deployment Considerations – GigaVUE Traffic Visibility Nodes

When considering GigaVUE Traffic Visibility Node deployment,

network port connections should be made on all critical links

where detailed packet monitoring is required.

Conclusion

Introducing a comprehensive Traffic Visibility Fabric within

Federal data centers currently provides secure access and

complete visibility into mission-critical traffic 24x7. With

secure access and complete visibility, agencies will reduce

downtime and MTTR of complex data center issues, benefiting

all internal and external users. The Gigamon Traffic Visibility

Fabric resolves many issues such as SPAN/Mirror port

contention, monitoring 10Gbps connections with lower speed

capable tools, configuration and change order management

and other obstacles that normally require a significant amount

of time and resources. With thousands of units deployed

and the uncompromised attention Gigamon clients receive,

network administrators will realize greater efficiency, improved

productivity and most importantly, the security of their most

important asset—information.

About Gigamon

Gigamon provides intelligent Traffic Visibility Networking

solutions for enterprises, data centers and service providers

around the globe. Our technology empowers infrastructure

architects, managers and operators with unmatched visibility

into the traffic traversing both physical and virtual networks

without affecting the performance or stability of the production

environment. Through patented technologies, the Gigamon

GigaVUE portfolio of high availability and high density products

intelligently delivers the appropriate network traffic to security,

monitoring or management systems. With over seven years

experience designing and building intelligent traffic visibility

products in the US, Gigamon serves the vertical market

leaders of the Fortune 1000 and has an install base spanning

40 countries.

For more information about our Gigamon products visit:

www.gigamon.com



17 24

SLOT 3PORTS

9 16

SLOT 2PORTS


1G/10G PORTS (SFP+)

Pwr

GigaVUE-2404MB

ConsoleMgmt

G4Rdy

M/S

G3G2G1

10/100/1000 PORTS (SFP)

1

1G1 G2 G3 G4

2

2

3

3

4

4

5

5

6

6

7

7

8

8

1G/10G PORTS (SFP+)

Pwr

10GigaPORT-6X

Rdy

Alm

GPS ANT (TNC-RG213) RS232

SERIAL TIME CODE

GPS Lock

SNMPTraps

TACACS+and Radius

Syslog/Audit Data

Pwr

10GigaTAP-4SR

Split Ratio 50/50

LINK LINK LINK LINK



1 2 3 4 5 6 7 8 9 1 0



1 2 3 4 5 6 7 8 9 1 0

Secure Inline Connections

• Packet-Slicing• Data-Masking• Port-Tagging• Timestamping

GigaSMART

federal data centers can benefit from intelligent traffic visibility … · 2013-04-30 · federal...

Documents