쫑콩아빠의 지금 이 순간...

Gigamon Topology example #1
2 회선, 별도 SSL 암복호화 장비

Gigamon Topology example #2
2회선, 기가몬 SSL 암복호화

Gigamon Topology example #3
멀티 회선, Multi-Segment 수용

Gigamon Topology example #4
멀티 회선, Multi-Segment 수용, 보안장비 1G/10G 혼용 사용

Gigamon Topology example #5
Gigamon 이중화 (GRIP)
- Physical Bypass를 Inline-network로 사용
- 상단 장비 장애 시 하단 장비가 활성화

Gigamon Topology example #6
Gigamon 이중화
- 일반 Port를 Inline-network로 사용
- 기가몬 장애시 망 전환

소요장비 :
- Gigamon HC2 1ea
- SSL VA 2ea
- WAF 2ea
- Switch 2ea

구성
- Gigamon에 1회선 수용을 위해 상하단 Switch 구성
- SSL VA는 복호화 구간, 암호화 구간 각각 이중화(LB) 구성
- WAF 이중화(LB) 구성

### SSL VA PoC를 위해 지원한 Gigamon 설정값 ###

port 1/3/x1..x6,1/4/x1..x6,1/4/x17..x18 param admin enable
port 1/3/x1..x6,1/4/x1..x6 type inline-tool

inline-tool alias SSL-1-1
  pair tool-a 1/3/x1 and tool-b 1/3/x2
  enable
  heart-beat
  shared true
  exit
inline-tool alias SSL-1-2
  pair tool-a 1/3/x3 and tool-b 1/3/x4
  enable
  heart-beat
  shared true
  exit
inline-tool alias SSL-2-1
  pair tool-a 1/4/x1 and tool-b 1/4/x2
  enable
  heart-beat
  shared true
  exit
inline-tool alias SSL-2-2
  pair tool-a 1/4/x3 and tool-b 1/4/x4
  enable
  heart-beat
  shared true
  exit
  
  
inline-tool alias WAF-1
  pair tool-a 1/3/x5 and tool-b 1/3/x6
  enable
  heart-beat
  shared true
  exit
inline-tool alias WAF-2
  pair tool-a 1/4/x5 and tool-b 1/4/x6
  enable
  heart-beat
  shared true
  exit
  
inline-tool-group alias SSL-DEC-LB
  tool-list SSL-1-1,SSL-2-1
  enable
  exit
inline-tool-group alias SSL-ENC-LB
  tool-list SSL-1-2,SSL-2-2
  enable
  exit
inline-tool-group alias WAF-LB-1
  tool-list WAF-1,WAF-2
  enable
  exit
  
  
map alias iN5_HTTPS_VLAN501
  type flexinline byRule
  roles replace admin to owner_roles
  rule add pass portdst 443 protocol tcp bidir
  from default_inline_net_1_4_1
  a-to-b SSL-DEC-LB,WAF-LB-1,SSL-ENC-LB
  b-to-a reverse
  tag 501
  exit
map alias iN5_HTTP_VLAN502
  type flexinline byRule
  roles replace admin to owner_roles
  rule add pass portdst 80 protocol tcp bidir
  from default_inline_net_1_4_1
  a-to-b WAF-LB-1
  b-to-a reverse
  tag 502
  exit
map alias iN5_Other_VLAN520
  type flexinline collector
  roles replace admin to owner_roles
  from default_inline_net_1_4_1
  a-to-b bypass
  b-to-a bypass
  tag 520
  exit
  
  inline-network alias default_inline_net_1_4_1 physical-bypass disable
  inline-network alias default_inline_net_1_4_1 traffic-path to-inline-tool
  inline-network alias default_inline_net_1_4_1 lfp enable

Gigamon 장비의 통합관리 솔루션인 FM 장비를 업그레이드 하다 보면 가끔식 fmctlMgmtPort가 풀리는(?) 경우가 발생 한다. 이런 경우 FM CLI의 기본 명령어인 fmctl 명령어 실행이 안되게 된다. 이런 경우 당황하지 말고 아래와 같이 해결 하시길 바랍니다.

아래와 같이 fmctl 실행 시 아래와 같은 메시지가 발생 될 경우
$ fmctl
Error: fmctlMgmtPort - no such connection profile.
runfmctl: 2021/05/27 18:30:43 : There is no active NIC to set as the management port
runfmctl: 2021/05/27 18:30:43 : defaulting to 'eth0'
Error: fmctlMgmtPort - no such connection profile.
Error: fmctlMgmtPort - no such connection profile.
Error: fmctlMgmtPort - no such connection profile.
fmctl: there is no UUID for , connection 'fmctlMgmtPort'

조치방법
아래 정보는 예제이며 각 장비의 FM에서 명령어 실행 시 나오는 UUID 정보를 확인 하시기 바랍니다.
$ sudo nmcli conn show
NAME                UUID                                  TYPE      DEVICE
fmctlMgmtPort       5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03ethernet  eth0
fmctlNoRole         4d2000d1-6397-3541-9a78-89190c6d8608  ethernet  --
fmctlNoRole         e99474bf-fafa-4fdf-b11d-3c8add48e373  ethernet  --
Wired connection 1  534bdaea-402f-342a-8b05-11d7b7d86418  ethernet  --
Wired connection 2  b16cb007-0501-3d19-992b-eb6cd3542b47  ethernet  --
Wired connection 3  d1bb8356-a80f-30a8-a3f2-030a850ddd47  ethernet  --

$ sudo nmcli connection modify "해당 MGMT 포트의 UUID" connection.id fmctlMgmtPort
 
$ fmctl 실행 확인

Gigamon 장비는 제품별로 다양한 Packet 처리가 가능하다.
Mirror 트래픽을 전달 받아 가공을 통해 보안/모니터링/분석 장비에 전달함으로 효과를 얻을 수도 있고
Inline에 직접 개입하여 보안 장비들을 효과적으로 사용할 수 있게 구성이 가능하다.
참 재미난 Concept 이다. 
As-Is의 구성은 현재 많이 사용되는 이중화 구성이다. 예전에는 이 구성이 최적화된 구성이었으나 시대가 바뀌었고
예전 구성에서의 문제점들을 해결할 수 있는 방법도 생겨났다.

https://www.gigamon.com/products/optimize-traffic/traffic-intelligence/gigasmart/source-port-labeling.html

Identify each packet's entry point

The Source Port Labeling feature of the GigaSMART® engine provides context to packets and allows tools to properly assess network behavior and threats based on where they are happening in the network. When a packet arrives into the Gigamon® Visibility Platform, it could have come from one of dozens or hundreds of network access points.

Before forwarding the packet to a monitoring or security tool, Source Port Labeling adds a trailer to the packet that identifies on which port the packet arrived. The tool can query the Gigamon Visibility Platform using the Rest API and look up the Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) information associated with the packet’s source port to know exactly where in the network problems or threats reside.

Benefits of the Source Port Labeling feature

• Accurately analyze traffic aggregated from multiple collection points.
• Correlate traffic with CDP/LLDP information on the network.
• Identify incorrect cabling of taps and SPAN ports and verify accuracy of flow maps.

gigamon-0200fd (config policy alias test3) # condition  add ?
< condition >    Add a condition to the policy
GsCpuUtilHigh    
GsCpuUtilLow     
GsHbStatusDown   
GsHbStatusUp     
GsPktBufThHigh   
GsPktBufThLow    
GsPktDropRateHigh 
GsPktDropRateLow 
GsRxPktErrorHigh 
GsRxPktErrorLow  
GsRxPktRateHigh  
GsRxPktRateLow   
InlineToolDown   
InlineToolReady  
InlineToolUp     
PortDown         
PortRxBufferHigh 
PortRxBufferLow  
PortRxDiscardsHigh 
PortRxDiscardsLow 
PortRxDropsHigh  
PortRxDropsLow   
PortRxErrorsHigh 
PortRxErrorsLow  
PortRxUtilHigh   
PortRxUtilLow    
PortTxBufferHigh 
PortTxBufferLow  
PortTxDiscardsHigh 
PortTxDiscardsLow 
PortTxDropsHigh  
PortTxDropsLow   
PortTxErrorsHigh 
PortTxErrorsLow  
PortTxUtilHigh   
PortTxUtilLow    
PortUp           
TimeFriday       
TimeMonday       
TimeOfDay        
TimeSaturday     
TimeSunday       
TimeThursday     
TimeTuesday      
TimeWednesday    
TimeWeekday      
TimeWeekend      


gigamon-0200fd (config policy alias test3) # action add ?
< action >       Add an action to the policy.
FlexInlineOOBAdd 
FlexInlineOOBDelete 
InlineNetTrafficPath 
InlineToolDisable 
InlineToolEnable 
InlineToolRecover 
MapDisable       
MapEnable        
MapGsRuleAdd     
MapGsRuleDelete  
MapRuleAdd       
MapRuleDelete    
PhysicalByPassDisable 
PhysicalByPassEnable 
PolicyDisable    
PolicyEnable     
PortDisable      
PortEnable       
PortFilterAdd    
PortFilterDelete 
PortFilterDeleteAll 
WriteMemory      

Regular GigaStream Configuration
To configure a regular tool GigaStream, refer to the following example:

Step

Description

Command

1.    
Configure ports using type tool for a regular tool GigaStream.
(config) # port 1/3/q2..q3 type tool

2.  
Configure a regular GigaStream.
(config) # gigastream alias stream1 port-list 1/3/q1..q4

3.  
Configure a comment for the GigaStream.
(config) # gigastream alias stream1 comment “regular gigastream”

4.  
Assign hash weights in percentage or ratio to the ports in the GigaStream
(config gigastream alias stream1) # port-list 1/3/q1..q4 hash-weight 30,30,20,20
(config gigastream alias stream1) # port-list 1/3/q1..q4 hash-weight 3,3,2,2

5.  
Assign drop weight for the GigaStream
(config gigastream alias stream1) # drop-weight 2

6.  
Display the configuration for this example.
(config) # show gigastream

How To: Packet capture on Gigamon interface
2020. 4. 25•How to
Feature
Flow Mapping
Title
How To: Packet capture on Gigamon interface
Objective
Perform packet capture on Gigamon interface for troubleshooting.
 
Environment
HC-Series
Procedure
Please note: This feature is currently available for software version 5.4 and above.

Step1. Identify one unused port on the chassis and enable the port. This unused port will be used to capture and copy the traffic. (port type can be any). Channel port is only required in case you want to capture in direction (Tx or both). It is not required in order to capture only Rx traffic.
Rx = IfInPackets on a port.
Tx = IfOutPackets on a port.
port 1/3/x9 params admin enable
port 1/3/x9 alias unused-channel-port

Step2.  Add a capture filter to start the packet capture. 
#Example1
pcap alias nw-side
port 1/4/g16 both (Interface on which you want to capture the packets)  
channel-port 1/3/x9 (Unused port to copy the traffic)
packet-limit 20000
filter ipsrc 10.10.10.10 /32
exit

#To create another filter, please create another pcap profile.
#Example2
pcap alias IT-side
port 1/3/x11 rx
channel-port 1/3/x10
packet-limit 20000
filter ipdst 30.30.30.30 /32
exit

#Example3
pcap alias SSL
port 1/3/x11 tx
channel-port 1/3/x10
packet-limit 20000
filter ipdst 30.30.30.30 /32
exit

#Verification
show pcap alias nw-side
show pcap
show file pcap

Step3.  Reproduce the problem. 
Initiate a session between the client and server, to ensure that specific packets can be captured.

Step4. Stop the packet capture.
no pcap alias issl1
or
clear pcap all
or 
no pcap all

Step5. Verify if the packet capture file has been created.
show file pcap

Step6. Upload to your local machine or scp/tftp server. 
file pcap upload <filename> scp://user:pass@10.10.10.10/dir/folder/<filename>
file pcap delete-all
file pcap delete <filename>

Step7. Analyze the pcap file

 
Additional Notes
Filtering can be defined based on 6 conditions
IP source
IP destination
Port source
Port destination
Protocol
Tcp control
Tag
packet capture broadcom pcap bcm data port tcpdump