Today many companies around the world choose a Cisco networking infrastructure to service their physical and virtual networking needs for enterprise and data center operations. Cisco is incorporating various new technologies, like the Cisco Application Centric Infrastructure (ACI) and software defined networking (SDN) into their networking equipment. These enterprises are planning to migrate to the latest SDN based technologies to help IT engineers improve their network infrastructure. However, new technologies cause disruptions in existing monitoring strategies. This includes mirroring technologies for packet and flow data e.g. switched port analyzer (SPAN), remote SPAN (RSPAN), encapsulated remote SPAN (ERSPAN), and VLAN access-list (VACL) that have issues with encapsulation and other new technologies.
This creates a need to have a visibility architecture to overcome the limitations and maximize the use of the Cisco equipment, while at the same time, having the right monitoring solution would enable monitoring of application performance on the underlying network.
In this blog, we will review a few challenges with packet capture in the ACI network and then discuss the solution to overcome this challenge and perform network troubleshooting.
Challenges of Data visibility in ACI
The Cisco ACI architecture focuses on distributed applications. It uses a centralized controller and an overlay structure to create, deliver, and automate application policies throughout the network. Access to data monitoring can be accomplished either by use of taps or SPAN-related technology, depending upon the architecture implementation. However, issues like duplicate packets and the need for data filtering capabilities still exist and creates a significant burden for many monitoring tools. For instance, redundant traffic streams and a distributed leaf and spine architecture means that one should tap in multiple places to collect all the monitoring data needed in this architecture. This creates a significant amount of duplicate data from the BiDi taps that needs to be removed from the monitoring stream. To complicate matters, leaf portions of the networks are running at 40 Gbps and the spine portions can run at up to 100 Gbps. Removal of 40 Gbps duplicate packets can be very expensive for any monitoring tools at line rate.
VXLAN headers are often used to create the ACI network overlays. Unfortunately, many monitoring tools do not understand the VXLAN headers, so they need to be removed from the monitoring data by an NPB before the data can be sent to the tool(s). SSL encrypted data issues are often another problem for tools as well. Besides the ACI architecture, there are concerns with using SPAN and SPAN-related technologies in an ACI environment.
The Combined Solution
CA Tech and Ixia (a Keysight business) have partnered together to provide a powerful solution to overcome the above challenges and provide the right solution for your monitoring needs.
CA Application Delivery Analysis can help you prove how well your network delivers applications to users with application delivery analysis of performance and availability of SLA measurements. It helps you focus investments on the areas that require it most and later quantify the before and after, validate the impact of those changes and verify your investment decisions. Ixia’s Network Visibility Solutions (NVS), including TAPs and network packet brokers (NPB), complement CA application delivery solution to create the best-in-class scalable and resilient application monitoring solutions that IT professional need and want to purchase.
Ixia’s NVS solutions helps to remove unnecessary packet data and packet headers (at line rates of 40 Gbps or higher) before transmission across the network. It provides data filtering, aggregation and packet slicing capabilities. It can perform data rate throttling and load balancing to reduce 40 Gbps traffic so that it can be processed easily by CA Application delivery analysis solution.
Below diagram shows a simple network deployment of combined solution.
Feel free to reach out to me at AnujGupta for more detailed discussions on this topic.#