Gigamon 장비는 제품별로 다양한 Packet 처리가 가능하다.
Mirror 트래픽을 전달 받아 가공을 통해 보안/모니터링/분석 장비에 전달함으로 효과를 얻을 수도 있고
Inline에 직접 개입하여 보안 장비들을 효과적으로 사용할 수 있게 구성이 가능하다.
참 재미난 Concept 이다.
As-Is의 구성은 현재 많이 사용되는 이중화 구성이다. 예전에는 이 구성이 최적화된 구성이었으나 시대가 바뀌었고
예전 구성에서의 문제점들을 해결할 수 있는 방법도 생겨났다.
| Firemon SIQL (1) | 2018.05.08 |
|---|---|
| Firemon 웹로그인유저 패스워드 복구방법 (0) | 2018.05.08 |
| Firemon CLI (0) | 2018.05.08 |
| Firemon SIQL (0) | 2017.08.08 |
Gigamon HC Series는 패킷 미러 처리 뿐 아니라 inline에 직접 연결해 다양한 inline-tool에게 최적의 패킷을 전달 하는 역활을 한다.
보통의 Gigamon 이중화는 GRIP이라는 Gigamon에서 제공하는 이중화 프로토콜을 통해 이중화를 구성하며, 회선별 구성이 아닌 아래와 같이 상하단 구성을 주로 한다.
기존 회선 이중화 방식에서 발생되는 문제점들을 Gigamon을 통해 다양한 문제점들의 해결이 가능해진다.
- 보안 장비로 인한 네트워크 성능 저하
- 여러 장애 포인트 존재
- 비대칭 라우팅으로 인한 보안 장비 탐지의 어려움
- 보안 장비 확장의 어려움
- 보안장비 Firmware 업그레이드 혹은 교체시 네트워크 단절 위험
- 네트워크 증속 시 보안도 동일 증속을 위한 투자
- 보안 장비 한대 장애로 인한 망 전환
- 불필요한 패킷이 보안 장비에 전달 됨으로 인한 성능 저하
- Active/Standby 회선에서 Standby쪽에 연결된 보안장비의 휴무
- 각자 SSL 암복호화를 수행함에 따른 성능 지연 및 인증서 관리 문제
Gigamon의 GRIP 구성은 처음 접하면 이해하기 어려우나, 상당히 추천할 만한 구성이다.
이에 반해 Gigamon을 각각의 회선별로 Standalone으로 구성하는 사례도 있다. 아래와 같이...
위의 구성 시 주의 사항은 아래와 같다.
- Asymmetric 문제 발생
- Gigamon 장애 시 트래픽 바이패스 또는 망 전환 (inline-network 구성을 bypass 모듈에 할지 일반 포트에 구성하는지에 따라 다름)
- SSL 암복호화 시 발생될 수 있는 Mac Flapping
3가지 주의 사항 중 오늘 언급하고자 하는 부분은 SSL 암복호화 부분이다.
특히 Gigamon의 좌/우 구성에서 iSSL 암복호화를 Gigamon에서 수행할 경우 장애 발생 여지가 있다.
결론부터 얘기하자면 Gigamon에서 iSSL 암복호화를 수행 시 Proxy 형태로 GigaSMART에서 연결된 SSL Session에 대해 유지를 하게 된다. 기존 SSL Session이 유지되는 상태에서 망 전환이 발생이 되고, SSL Session Timeout에 의해 기존 연결된 Session에 reset 패킷을 발생 시키게 됨으로 Standby쪽 하단 스위치에 reset 패킷이 도달하게 되며 그로 인해 하단 스위치에서 Mac Flapping이 발생하게 된다.
해결 방법으로는 Gigamon 6.x 버전 이상에서는 "Active Visibility"라는 기능에서 Condition에 따른 Action을 수행할수 있기에 망 전환시 발생되는 회선 포트 다운 event에 iSSL Session Clear를 할수 있는 Action을 통해 해결이 가능하다.
Gigamon의 상/하단 구성인 GRIP 구성에서는 SSL Session이 유지된 상태에서 장비 Fail-over가 발생된다 해도 Standby쪽 장비에서는 Physical Bypass 상태를 유지하므로 SSL Session Timeout에 의해 Reset 패킷이 발생한다 하더라도 이로 인한 영향은 없다.
단 Gigamon에서 iSSL의 암복호화 수행이 아닌 별도의 SSL 암복호화 솔루션을 쓰게 될 경우에 해결 방법에 대해서는 아직 미지수이다.
SSL 암복호화를 수행 하는 경우 Gigamon 구성에 대해서는 반드시 확인이 필요하다.
| GigaVUE-FM에 등록된 Node의 비밀번호 변경 시 (0) | 2024.01.08 |
|---|---|
| Gigamon HC Series iSSL에 관하여 2탄 (1) | 2023.11.28 |
| Gigamon Process 상태 정보 확인 by Rest-API (0) | 2023.07.06 |
| Gigamon GigaVUE-OS upgrade CLI (0) | 2023.07.06 |
| Gigamon DevStack (0) | 2023.07.06 |
To set up GRIP successfully, it is advised that you check the inline functions of each HC2 separately.
https://gigamoncp.force.com/partnercommunity/s/article/HC2-GRIP-Configuration-example#loaded
A. Set up Primary without GRIP
a. ensure secondary is wire only (i.e physical bypass = enable)
b. take primary out of bypass, configure all ports and forward inline traffic to inline tool
On secondary: inline-network alias default_inline_net_1_1_4 physical-bypass en
On primary:
port 1/1/x23..x24 params admin enable
port 1/1/x8..x9 type inline-tool
port 1/1/x8..x9 params ad en
inline-network alias default_inline_net_1_1_4 traffic-path to-inline-tool
inline-tool alias IT-01 pair tool-a 1/1/x8 and tool-b 1/1/x9
inline-tool alias IT-01 failover-action tool-bypass
inline-tool alias IT-01 enable
c. Forward traffic to the inline tool for inspection:
map-passall alias IL-to-tool-Grip
from default_inline_net_1_1_4
to IT-01
exit
inline-network alias default_inline_net_1_1_4 physical-bypass disable
Confirm set up on primary using show port params and show port stats
B. Set up Secondary without GRIP
a. Set primary as wire only (i.e physical bypass = enable)
On primary: inline-network alias default_inline_net_1_1_4 physical-bypass en
On secondary:
port 1/1/x23..x24 params admin enable
inline-network alias default_inline_net_1_1_4 traffic-path to-inline-tool
port 1/1/x2..x3 type inline-tool
port 1/1/x2..x3 params ad en
inline-tool alias IT-02 pair tool-a 1/1/x2 and tool-b 1/1/x3
inline-tool alias IT-02 failover-action tool-bypass
inline-tool alias IT-02 enable
map-passall alias IL-to-tool-GripSecondary
from default_inline_net_1_1_4
to IT-02
exit
inline-network alias default_inline_net_1_1_4 physical-bypass disable
Again, confirm configuration by using show port params and show port stats
C. Configure redundancy profiles and signal links.
i. Enable bypass on both
[primary] inline-network alias default_inline_net_1_1_4 physical-bypass en
[secondary] inline-network alias default_inline_net_1_1_4 physical-bypass en
ii. Configure GRIP Redundancy profiles and check signal link
Note: signal link on primary is 1/x7, on secondary, it is x4
Primary:
port 1/1/x7 type stack
port 1/1/x7 params admin en
redundancy-profile alias RP-01
protection-role primary
signaling-port 1/1/x7
exit
Secondary:
port 1/1/x4 type stack
port 1/1/x4 params admin en
redundancy-profile alias RP-02
protection-role secondary
signaling-port 1/1/x4
exit
D. Turn off LFP, Assign Redundancy Profile (RP) to Inline Network ports on both chassis
[primary]
no inline-network alias default_inline_net_1_4_4 lfp en
inline-network alias default_inline_net_1_1_4 physical-bypass disable
inline-network alias default_inline_net_1_1_4 redundancy-profile RP-01
[secondary]
no inline-network alias default_inline_net_1_4_4 lfp en
inline-network alias default_inline_net_1_1_4 physical-bypass disable
inline-network alias default_inline_net_1_1_4 redundancy-profile RP-02
ADDITIONAL NOTES
Once the redundancy profile has been applied, the physical bypass state is controlled by software
Commands for checking status;
[Primary]
show inline-network alias default_inline_net_1_1_4
show port stats p 1/1/x23,1/1/x8,1/1/x9,1/1/x24
show port params p 1/1/x23,1/1/x8,1/1/x9,1/1/x24
[Secondary]
show inline-network alias default_inline_net_1_1_4
show port params p 1/1/x23,1/1/x2,1/1/x3,1/1/x24
show port stats p 1/1/x23,1/1/x2,1/1/x3,1/1/x24
Note: Note that in this example, link fail propagation (LFP) is disabled to reduce inlinennetwork recovery time after failover.
When GRIP is deployed with high availability networks where a second path is present, it is a best practice to leave LFP enabled.
| GigaSALES Certification Test (0) | 2021.03.29 |
|---|---|
| Could you please share us the below listed information to proceed further on this case. (0) | 2021.01.25 |
| Gigamon ASF (Buffered) Email Attachment Content-Disposition 1000byte & (Unbuffered) Yahoo MSG (0) | 2021.01.20 |
| Gigamon Active Visibility (Condition & Action Lists) (0) | 2021.01.20 |
| Gigamon Controlled GigaStream Configuration (0) | 2021.01.20 |
You can configure Gigamon Resiliency for inline protection on H Series nodes (GigaVUE-HC1, GigaVUE-HC2, and GigaVUE-HC3). Example 18 is an inline bypass solution for GRIP using TAP-HC1-G10040 modules on GigaVUE-HC1 with copper ports. The same instructions apply to GigaVUE-HC2 and GigaVUE-HC3.
Note: On the GigaVUE-HC2, the configuration steps will be the same as in this example, but the network ports and the TAP module will be different.
First, configure the GigaVUE-HC1 with the primary role, then configure the GigaVUE-HC1 with the secondary role. The configuration is the same (is synchronized) on both nodes, except for step 3, in which the protection role (primary or secondary) is specified.
Note that in this example, link fail propagation (LFP) is disabled to reduce inline network recovery time after failover. When a primary to secondary failover occurs and LFP is enabled for copper inline bypass links, network service recovery may take several seconds because of Ethernet link renegotiation. Optical links failover faster and typically recover service much faster. For inline networks where only one path is available, this is a consideration. When GRIP is deployed with high availability networks where a second path is present, it is a best practice to leave LFP enabled.
Configuring Primary Role GigaVUE-HC1
Step
Description
Command
(config) # port 1/3/g1..g8 params taptx passive
(config) # port 1/3/g1..g8 type inline-network
(config) # port 1/1/x1 type stack
(config) # port 1/1/x1 params admin enable
(config) # redundancy-profile alias RP_001
(config redundancy-profile alias RP_001) # signaling-port 1/1/x1
(config redundancy-profile alias RP_001) # protection-role primary
(config redundancy-profile alias RP_001) # exit
(config) #
(config) # inline-network alias IN_001 pair net-a 1/3/g1 and net-b 1/3/g2
(config) # inline-network alias IN_001 redundancy-profile RP_001
(config) # no inline-network alias IN_001 lfp enable
(config) # port 1/1/x11 type inline-tool
(config) # port 1/1/x11 params admin enable
(config) # port 1/1/x12 type inline-tool
(config) # port 1/1/x12 params admin enable
(config) # inline-tool alias IT_001 pair tool-a 1/1/x11 and tool-b 1/1/x12
(config) # inline-tool alias IT_001 failover-action network-bypass
(config) # inline-tool alias IT_001 enable
(config) # map-passall alias INtoIT
(config map-passall alias INtoIT) # from IN_001
(config map-passall alias INtoIT) # to IT_001
(config map-passall alias INtoIT) # exit
(config) #
(config) # inline-network alias IN_001 traffic-path to-inline-tool
| Gigamon IP Tunnel Receiving End Configuration (0) | 2021.01.18 |
|---|---|
| Gigamon IP Tunnel Sending End Configuration (0) | 2021.01.18 |
| Gigamon Maps to Individual Inline Tool Group Members (0) | 2021.01.18 |
| Gigamon Asymmetrical Hashing in Inline Tool Group (0) | 2021.01.18 |
| Gigamon OOB Maps Originating from Inline Network Group (0) | 2021.01.18 |
Example 17 is an inline bypass solution on GigaVUE-HC2 for an inline tool group with four tools. It is similar to Example 16: Asymmetrical Hashing in Inline Tool Group, but has four rule-based inline maps, one to each individual member of the inline tool group. In Example 17, asymmetrical hashing is used, but the hashing could also be symmetrical. The hashing only applies to the traffic sent to the shared collector.
Example 17 is different from Example 5: Inline Tool Group (N+1) Redundancy. In Example 5, all the traffic was sent to the inline tool group as a whole, using a map passall. Hashing distributed the traffic across the group.
With the multiple rule-based maps in Example 17, specific traffic is sent to specific tools in the inline tool group according to the rules. Each of the four inline maps directs traffic from one source IP address to a specific inline tool in the group.
A shared collector is configured from the inline network to the inline tool group. Traffic that does not match any of the map rules is sent to the shared collector and will be distributed according to the hashing value specified for the group.
Step
Description
Command
(config) # port 1/2/x1 alias iN1
(config) # port iN1 type inline-network
(config) # port iN1 params admin enable
(config) # port 1/2/x2 alias iN2
(config) # port iN2 type inline-network
(config) # port iN2 params admin enable
(config) # inline-network alias inNet pair net-a iN1 and net-b iN2
(config) # port 1/2/x15 alias iT1
(config) # port iT1 type inline-tool
(config) # port iT1 params admin enable
(config) # port 1/2/x16 alias iT2
(config) # port iT2 type inline-tool
(config) # port iT2 params admin enable
(config) # port 1/2/x19 alias iT3
(config) # port iT3 type inline-tool
(config) # port iT3 params admin enable
(config) # port 1/2/x20 alias iT4
(config) # port iT4 type inline-tool
(config) # port iT4 params admin enable
(config) # port 1/2/x21 alias iT5
(config) # port iT5 type inline-tool
(config) # port iT5 params admin enable
(config) # port 1/2/x22 alias iT6
(config) # port iT6 type inline-tool
(config) # port iT6 params admin enable
(config) # port 1/2/x23 alias iT7
(config) # port iT7 type inline-tool
(config) # port iT7 params admin enable
(config) # port 1/2/x24 alias iT8
(config) # port iT8 type inline-tool
(config) # port iT8 params admin enable
(config) # inline-tool alias inTool1 pair tool-a iT1 and tool-b iT2
(config) # inline-tool alias inTool2 pair tool-a iT3 and tool-b iT4
(config) # inline-tool alias inTool3 pair tool-a iT5 and tool-b iT6
(config) # inline-tool alias inTool4 pair tool-a iT7 and tool-b iT8
(config) # inline-tool alias inTool1 enable
(config) # inline-tool alias inTool2 enable
(config) # inline-tool alias inTool3 enable
(config) # inline-tool alias inTool4 enable
(config) # inline-tool-group alias inToolGroup
(config inline-tool-group alias inToolGroup) # tool-list inTool1,inTool2,inTool3,inTool4
(config inline-tool-group alias inToolGroup) # hash a-srcip-b-dstip
(config inline-tool-group alias inToolGroup) # minimum-group-healthy-size 4
(config inline-tool-group alias inToolGroup) # enable
(config inline-tool-group alias inToolGroup) # failover-action network-bypass
(config inline-tool-group alias inToolGroup) # exit
(config) #
(config) # map alias inNet-to-inTool1
(config map alias inNet-to-inTool1) # type inline byRule
(config map alias inNet-to-inTool1) # from inNet
(config map alias inNet-to-inTool1) # to inTool1
(config map alias inNet-to-inTool1) # rule add pass ipsrc 10.10.10.101 /32
(config map alias inNet-to-inTool1) # exit
(config) #
(config) # map alias inNet-to-inTool2
(config map alias inNet-to-inTool2) # type inline byRule
(config map alias inNet-to-inTool2) # from inNet
(config map alias inNet-to-inTool2) # to inTool2
(config map alias inNet-to-inTool2) # rule add pass ipsrc 20.10.20.102 /32
(config map alias inNet-to-inTool2) # exit
(config) #
(config) # map alias inNet-to-inTool3
(config map alias inNet-to-inTool3) # type inline byRule
(config map alias inNet-to-inTool3) # from inNet
(config map alias inNet-to-inTool3) # to inTool3
(config map alias inNet-to-inTool3) # rule add pass ipsrc 31.11.31.103 /32
(config map alias inNet-to-inTool3) # exit
(config) #
(config) # map alias inNet-to-inTool4
(config map alias inNet-to-inTool4) # type inline byRule
(config map alias inNet-to-inTool4) # from inNet
(config map alias inNet-to-inTool4) # to inTool4
(config map alias inNet-to-inTool4) # rule add pass ipsrc 41.11.41.104 /32
(config map alias inNet-to-inTool4) # exit
(config) #
(config) # map-scollector alias inNet-to-ITG
(config map-scollector alias inNet-to-ITG) # from inNet
(config map-scollector alias inNet-to-ITG) # collector inToolGroup
(config map-scollector alias inNet-to-ITG) # exit
(config) #
(config) # inline-network alias inNet traffic-path to-inline-tool
(config) # show inline-tool-group
(config) # show map
| Gigamon IP Tunnel Sending End Configuration (0) | 2021.01.18 |
|---|---|
| Gigamon Resiliency for Inline Protection (GRIP) (0) | 2021.01.18 |
| Gigamon Asymmetrical Hashing in Inline Tool Group (0) | 2021.01.18 |
| Gigamon OOB Maps Originating from Inline Network Group (0) | 2021.01.18 |
| Gigamon OOB Maps Originating from Inline Network (0) | 2021.01.18 |
Example 16 is an inline bypass solution on GigaVUE-HC2 for an inline tool group with four tools. The inline tool group uses asymmetrical hashing (unlike Example 5: Inline Tool Group (N+1) Redundancy which uses symmetrical hashing). The hashing is based on the source IP address for side A and the destination IP address for side B.
A rule-based map (vlan 200) is configured from the inline network to the inline tool group. Traffic that matches the map rule and has the same source IP on side A and destination IP on side B will be sent to the same inline tool in the inline tool group.
A shared collector is configured from the inline network to bypass. Traffic that does not match the map rule will be sent to the shared collector and bypassed.
Step
Description
Command
(config) # port 1/2/x1 alias iN1
(config) # port iN1 type inline-network
(config) # port iN1 params admin enable
(config) # port 1/2/x2 alias iN2
(config) # port iN2 type inline-network
(config) # port iN2 params admin enable
(config) # inline-network alias inNet pair net-a iN1 and net-b iN2
(config) # port 1/2/x15 alias iT1
(config) # port iT1 type inline-tool
(config) # port iT1 params admin enable
(config) # port 1/2/x16 alias iT2
(config) # port iT2 type inline-tool
(config) # port iT2 params admin enable
(config) # port 1/2/x19 alias iT3
(config) # port iT3 type inline-tool
(config) # port iT3 params admin enable
(config) # port 1/2/x20 alias iT4
(config) # port iT4 type inline-tool
(config) # port iT4 params admin enable
(config) # port 1/2/x21 alias iT5
(config) # port iT5 type inline-tool
(config) # port iT5 params admin enable
(config) # port 1/2/x22 alias iT6
(config) # port iT6 type inline-tool
(config) # port iT6 params admin enable
(config) # port 1/2/x23 alias iT7
(config) # port iT7 type inline-tool
(config) # port iT7 params admin enable
(config) # port 1/2/x24 alias iT8
(config) # port iT8 type inline-tool
(config) # port iT8 params admin enable
(config) # inline-tool alias inTool1 pair tool-a iT1 and tool-b iT2
(config) # inline-tool alias inTool2 pair tool-a iT3 and tool-b iT4
(config) # inline-tool alias inTool3 pair tool-a iT5 and tool-b iT6
(config) # inline-tool alias inTool4 pair tool-a iT7 and tool-b iT8
(config) # inline-tool alias inTool1 enable
(config) # inline-tool alias inTool2 enable
(config) # inline-tool alias inTool3 enable
(config) # inline-tool alias inTool4 enable
(config) # inline-tool-group alias inToolGroup
(config inline-tool-group alias inToolGroup) # tool-list inTool1,inTool2,inTool3,inTool4
(config inline-tool-group alias inToolGroup) # hash a-srcip-b-dstip
(config inline-tool-group alias inToolGroup) # minimum-group-healthy-size 4
(config inline-tool-group alias inToolGroup) # enable
(config inline-tool-group alias inToolGroup) # failover-action tool-bypass
(config inline-tool-group alias inToolGroup) # exit
(config) #
(config) # map alias inNet-to-ITG
(config map alias inNet-to-ITG) # type inline byRule
(config map alias inNet-to-ITG) # from inNet
(config map alias inNet-to-ITG) # to inToolGroup
(config map alias inNet-to-ITG) # rule add pass vlan 200
(config map alias inNet-to-ITG) # exit
(config) #
(config) # map-scollector alias inNet-to-bypass
(config map-scollector alias inNet-to-bypass) # from inNet
(config map-scollector alias inNet-to-bypass) # collector bypass
(config map-scollector alias inNet-to-bypass) # exit
(config) #
(config) # inline-network alias inNet traffic-path to-inline-tool
(config) # show inline-tool-group
(config) # show map
| Gigamon Resiliency for Inline Protection (GRIP) (0) | 2021.01.18 |
|---|---|
| Gigamon Maps to Individual Inline Tool Group Members (0) | 2021.01.18 |
| Gigamon OOB Maps Originating from Inline Network Group (0) | 2021.01.18 |
| Gigamon OOB Maps Originating from Inline Network (0) | 2021.01.18 |
| Gigamon Inline Flow Mapping Based Solution D (0) | 2021.01.17 |
Example 15 expands on Example 14 by combining out-of-band (OOB) maps with a map passall originating from an inline network group on GigaVUE-HC2.
When the source port of an OOB map is associated with an inline network group, only one port is supported in the port list. In this case, multiple OOB maps are needed because each OOB map only accepts one inline network port as the input (the from argument of the map command).
A protected inline network (which uses bypass combo modules) is included in Example 15. You do not need to configure inline network ports or the inline networks because they are created automatically. The port pairs in Example 15 are
1/1/x17 and 1/1/x18, as well as 1/1/x19 and 1/1/x20. The aliases of the default inline networks in Example 15 are default_inline_net_1_1_1 and default_inline_net_1_1_2.
In Example 15, two OOB maps send traffic from each inline network port (associated with default_inline_net_1_1_1) to the OOB tool. Two more maps would be needed to send traffic from each inline network port (associated with default_inline_net_1_1_2) to the OOB tool, but this is not included in Example 15.
On GigaVUE-HC3, protected inline bypass can be configured on the bypass combo module on ports c1..c4.
On GigaVUE-HC1, protected inline bypass can be configured on the bypass combo module, or on the TAP-HC1-G10040 module placed in either bay 2 or bay 3, so the ports will be 1/2/g1..g8 or 1/3/g1..g8. On the TAP module, you will need to configure inline network ports and the inline network because they are not created automatically (as they are on bypass combo modules).
Step
Description
Command
(config) # inline-network-group alias inNetGroup
(config inline-network-group alias inNetGroup) # network-list default_inline_net_1_1_1,default_inline_net_1_1_2
(config inline-network-group alias inNetGroup) # exit
(config) #
(config) # port 1/1/x12 type tool
(config) # port 1/1/x12 params admin enable
(config) # port 1/2/x23 type inline-tool
(config) # port 1/2/x23 params admin enable
(config) # port 1/2/x24 type inline-tool
(config) # port 1/2/x24 params admin enable
(config) # inline-tool alias inTool1 pair tool-a 1/2/x23 and tool-b 1/2/x24
(config) # inline-tool alias inTool1 enable
(config) # inline-tool alias inTool1 shared true
(config) # map-passall alias inline_map1
(config map-passall alias inline_map1) # from inNetGroup
(config map-passall alias inline_map1) # to inTool1
(config map-passall alias inline_map1) # exit
(config) #
(config) # map alias OoB_map1
(config map alias OoB_map1) # type regular byRule
(config map alias OoB_map1) # rule add pass ipver 4
(config map alias OoB_map1) # to 1/1/x12
(config map alias OoB_map1) # from 1/1/x17
(config map alias OoB_map1) # exit
(config) #
(config) # map alias OoB_map2
(config map alias OoB_map2) # type regular byRule
(config map alias OoB_map2) # rule add pass ipver 4
(config map alias OoB_map2) # to 1/1/x12
(config map alias OoB_map2) # from 1/1/x18
(config map alias OoB_map2) # exit
(config) #
(config) # map alias OoB_map3
(config map alias OoB_map3) # type inline byRule
(config map alias OoB_map3) # rule add pass ipver 4
(config map alias OoB_map3) # to 1/1/x12
(config map alias OoB_map3) # from 1/2/x23
(config map alias OoB_map3) # exit
(config) #
(config) # inline-network alias default_inline_net_1_1_1 traffic-path to-inline-tool
(config) # inline-network alias default_inline_net_1_1_2 traffic-path to-inline-tool
(config) # inline-network alias default_inline_net_1_1_1 physical-bypass disable
(config) # inline-network alias default_inline_net_1_1_2 physical-bypass disable
(config) # show inline-network
(config) # show inline-network-group
(config) # show inline-tool
(config) # show map
| Gigamon Maps to Individual Inline Tool Group Members (0) | 2021.01.18 |
|---|---|
| Gigamon Asymmetrical Hashing in Inline Tool Group (0) | 2021.01.18 |
| Gigamon OOB Maps Originating from Inline Network (0) | 2021.01.18 |
| Gigamon Inline Flow Mapping Based Solution D (0) | 2021.01.17 |
| Gigamon Inline Flow Mapping Based Solution C (0) | 2021.01.17 |
Example 14 combines out-of-band (OOB) maps with a map passall originating from an inline network on GigaVUE-HC2. In Example 14, the map passall sends all traffic to the inline tool. The OOB rule-based map sends traffic to an OOB tool.
When the source port of an OOB map is associated with an inline network, multiple source ports are supported in the port list (the from argument of the map command).
A protected inline network (which uses bypass combo modules) is included in Example 14. You do not need to configure inline network ports because they are created automatically. The port pairs in Example 14 are 1/1/x21 and 1/1/x22. You do not need to configure an inline network because it is also created automatically. The alias of the default inline network in Example 14 is default_inline_net_1_1_3.
On GigaVUE-HC3, protected inline bypass can be configured on the bypass combo module on ports c1..c4.
On GigaVUE-HC1, protected inline bypass can be configured on the bypass combo module, or on the TAP-HC1-G10040 module placed in either bay 2 or bay 3, so the ports will be 1/2/g1..g8 or 1/3/g1..g8. On the TAP module, you will need to configure inline network ports and the inline network because they are not created automatically (as they are on bypass combo modules).
Step
Description
Command
(config) # port 1/1/x12 type tool
(config) # port 1/1/x12 params admin enable
(config) # port 1/2/x23 type inline-tool
(config) # port 1/2/x23 params admin enable
(config) # port 1/2/x24 type inline-tool
(config) # port 1/2/x24 params admin enable
(config) # inline-tool alias inTool1 pair tool-a 1/2/x23 and tool-b 1/2/x24
(config) # inline-tool alias inTool1 enable
(config) # map-passall alias inline_map1
(config map-passall alias inline_map1) # from default_inline_net_1_1_3
(config map-passall alias inline_map1) # to inTool1
(config map-passall alias inline_map1) # exit
(config) #
(config) # map alias OoB_map
(config map alias OoB_map) # type regular byRule
(config map alias OoB_map) # rule add pass ipver 4
(config map alias OoB_map) # to 1/1/x12
(config map alias OoB_map) # from 1/1/x21..x22
(config map alias OoB_map) # exit
(config) #
(config) # inline-network alias default_inline_net_1_1_3 traffic-path to-inline-tool
(config) # inline-network alias default_inline_net_1_1_3 physical-bypass disable
(config) # show inline-network
(config) # show inline-tool
(config) # show map
(config) # show port stats
| Gigamon Asymmetrical Hashing in Inline Tool Group (0) | 2021.01.18 |
|---|---|
| Gigamon OOB Maps Originating from Inline Network Group (0) | 2021.01.18 |
| Gigamon Inline Flow Mapping Based Solution D (0) | 2021.01.17 |
| Gigamon Inline Flow Mapping Based Solution C (0) | 2021.01.17 |
| Gigamon Inline Flow Mapping Based Solution B (0) | 2021.01.17 |
