
Enabling Network Monitoring at 40Gbps and 100Gbps with Flow Mapping Technology

// White Paper
The Smart Route To Visibility

Historically, network monitoring and analysis has been an
afterthought in the design of networks and networking
equipment. In today's data economy, this is a growing issue
as organizations race to ever-faster network speeds, security
threats are on the rise, and regulatory compliance requirements
have become more complex and stringent. As a result,
monitoring next generation networks is a topic that has
become central to protecting the enterprise.

Network speeds have begun the transition from 1Gbps to
10Gbps, and are quickly moving toward 40Gbps and 100Gbps.
Accurate monitoring of these higher traffic, higher speed
networks becomes equally critical and challenging, because
the network is the lifeblood of modern enterprises. Failure to
analyze, monitor and secure it will result in network downtime,
which can quickly cost organizations millions of dollars in lost
revenue. For example, monitoring directly impacts Service
Providers' revenue, since it ensures accurate and verifiable
billing, roaming charge backs, and advertisement data tracking.

To maintain network security, advanced persistent threats, cyber
attacks, and data leaks must be combated and averted. At the
same time, efficient network performance must be upheld to
prevent bottlenecks and outages by monitoring bandwidth
usage and application response time. Compliance regulations,
such as Sarbanes-Oxley (SOX), Payment Card Industry Data
Security Standards (PCI DSS), and the Health Insurance
Portability and Accountability Act (HIPAA) have been
implemented to protect the organizations and the people they
serve. However, proper network monitoring and audits are vital
to ensure that compliance is maintained. Failure to ensure
compliance often comes at a high cost, through expensive fines.

Adding to the complexity is the fact that traffic can flow
asymmetrically and virtualization is being adopted into more
network architectures. While networks become larger and more
complex, budgets are often getting tighter and spread in more
directions. This confluence of factors makes network monitoring
extremely difficult.

The Evolution of Network Monitoring
The early method of monitoring directly attached the monitoring
tools to the links or into each SPAN/mirror port on every switch.
This distributed method was costly and created tunnel vision
in which the tools only saw a portion of the traffic, because the
correct tools didn't have sufficient visibility to the traffic they
needed. Another issue included tool oversubscription, when
more traffic was sent to the tool than it could handle. These
situations often led to inaccurate results. Lastly, using this model
of network monitoring meant that the addition, subtraction,
or change in tool placement in the network needed a high
amount of structure, or they could negatively impact the
production network. Because of all these challenges,
a newer method of network monitoring was needed.

The Gigamon Traffic Visibility Fabric scales from just a few
connections, up to thousands, allowing traffic to be monitored
and secured from a centralized network tool farm, reducing
CAPEX. Also, because the tools can be managed
in a centralized out-of-band network, OPEX costs are lowered
through reduced time to resolution for troubleshooting
and security issues.

But traffic aggregation and filtering is only half of the solution
behind a Traffic Visibility Fabric. You see, on its own, traffic
aggregation and filtering create additional challenges that must
be addressed. These stem from the monitoring tools receiving
unwanted packets from the aggregated and filtered outputs.
For instance, with just aggregation and filtering, a VoIP Analyzer
would receive all of the network traffic, not just the VoIP
traffic it needed to see. This problem scales to be larger and
larger as speeds increase. Because Deep Packet Inspection
(DPI) is inherently resource intensive, the faster the line rate, the
more processing it will take for a tool to filter through the traffic
that it needs to see. At 1Gbps line rate, 1Gbps tools may or may
not be able to keep up without becoming oversubscribed. At
10Gbps, it becomes likely that tools will be unable to keep up
with line rate, even with 10Gbps tools.

Looking into the near future, and network speeds of 40Gbps
and 100Gbps, straight aggregation and filtering alone cannot be
used reliably to direct network traffic to the monitoring tools. As
the flood of packets at 40Gbps and 100Gbps hit 10Gbps and
1Gbps outputs, tools are instantly oversubscribed and serious
packet losses will render the tools incapable of meaningful
analysis. To make aggregation and filtering a viable solution
at faster network speeds, another innovation was required.

A New Paradigm with Flow Mapping Technology
As we mentioned, traffic aggregation is only one half of the
solution behind the Traffic Visibility Fabric. The other half is an
advanced filtering architecture called Flow Mapping. Invented
and patented by Gigamon, Flow Mapping starts with network
ports and ends with tool ports, and is used to include or exclude
traffic on connections. Users decide which traffic should be
forwarded, where it should be sent, and how it should be
handled once it arrives.

Let's look at the details of how this works. Flow Mapping
technology combines an ingress port traffic filter, an egress
port traffic filter, up to 13 unique user-selected criteria, and
ties them to one or more output ports, allowing delivery of discrete
traffic to exactly the location that you need. Users can combine
thousands of different rules, called map rules, in a logical order
to achieve exactly the packet distribution they want. Applying
map rules to your traffic ensures that each tool sees only the
traffic that it needs and nothing else. This allows tools to operate
more efficiently, along with easier management of the tools,
providing both CAPEX and OPEX savings.

[Figure: Intelligent Traffic Visibility Networking using Flow Mapping Technology. Labels: MAP rules; 1G/10G Tool Ports]

While other companies offer partial solutions based on
aggregation and filtering, the Traffic Visibility Fabric, which is the
hardware-based, advanced traffic filtering architecture it's built
upon, was invented and patented by Gigamon. This solution is
only available in Gigamon GigaVUE appliances.

Features and Benefits of Flow Mapping Technology
The following are just some of the abilities/benefits of
Flow Mapping:

• Send only the packets on even source ports to local tool ports
• Send only packets matching a user-defined pattern match for
  a particular MPLS label to local tool port
• Discard all traffic from a particular IP address
• Send only non-specific traffic to a local tool port using the
  Collector rule
• Redirect all traffic to IDS monitors regardless of any filters
  applied to network ports
• Ability to create filter maps in advance for instant
  troubleshooting of specific scenarios.
• Temporarily troubleshoot situations where you want to see
  all traffic on a port without disturbing any other filter,
  cross-box filter, Flow Map, or cross-box maps already in place
  for the port

Flow Mapping also has the advantage of not counting against
the limited availability of tool port filters common to competing
devices, and the GigaVUE appliance has the ability to implement
up to 4000 map-rules, providing the ability to filter on up to
52,000 unique filter parameters. This is roughly 13 times
the capacity of similar products.

Traffic arriving at a single network port can be sent to multiple
destination tool ports. Maps are useful for overcoming tool port
oversubscription when aggregating traffic from multiple network
ports. If two 100Gbps connections are sending traffic to a single
10Gb tool port, there are likely to be situations where the tool
port would be oversubscribed and drop packets. This can be
addressed with maps by removing the parts of the overall traffic
stream that do not interest the particular function of specialized
tools. For example, there is no reason for a VoIP analyzer to
receive any traffic not associated with the VoIP protocol or for
a Web Performance Monitor to receive SMTP, SNMP, or UDA
traffic. This ability greatly improves the processing resources
inherent to a particular type of monitoring tool.

When trying to set up a multi-pronged packet distribution
strategy, Flow Mapping offers some important features that
simple filtering does not:

Virtual Drop Port: The virtual drop port is where you send
packets that don't interest you. You can set up map-rules
that look for packets matching specific criteria and
immediately discard them before forwarding to the tool ports.
For example, you could set up a map-rule that sends all traffic
from a particular source IP address to the virtual drop port.

Collector: The collector, on the other hand, is the place where
you send all other packets that don't match the criteria
specified by any of the other map-rules in a Flow Map.
For example, suppose you set up a map called VLAN1 that
sends traffic from a specific VLAN to a particular tool port, and
another VLAN2 to another tool port. Traffic that doesn't match
either of those particular VLANs still needs a place to
be monitored. You can set up a final map-rule that sends
all packets not matching the other rules to a designated
collector port.
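
The map-rule behaviour described here (ordered rules, a virtual drop port, a collector for unmatched packets, and a pass-all copy for a security tool), modeled as an added Python example; it is not Gigamon code or GigaVUE configuration syntax. The port names, addresses, packet fields and the first-match evaluation order are assumptions made for the illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

DROP = "virtual-drop"  # virtual drop port: matching packets are discarded

@dataclass
class FlowMap:
    rules: list        # ordered (predicate, [tool ports]) or (predicate, DROP)
    collector: str     # tool port for packets that no map rule matched
    pass_all: dict = field(default_factory=dict)  # network port -> [tool ports]

    def route(self, pkt):
        """Return the tool ports that receive a copy of pkt."""
        # pass-all copies are delivered irrespective of the map rules
        out = list(self.pass_all.get(pkt["in_port"], []))
        for match, dest in self.rules:   # assumption: first matching rule wins
            if match(pkt):
                return out if dest == DROP else out + list(dest)
        return out + [self.collector]

def tool_load(flow_map, packets):
    """Sum the bytes each tool port receives for a batch of packets."""
    load = Counter()
    for pkt in packets:
        for port in flow_map.route(pkt):
            load[port] += pkt["bytes"]
    return load

# Constructed sample: two network ports, hypothetical port names and addresses.
PACKETS = [
    {"in_port": "net1", "src_ip": "10.0.0.5",  "vlan": 1, "bytes": 1500},
    {"in_port": "net1", "src_ip": "10.0.0.99", "vlan": 1, "bytes": 900},
    {"in_port": "net2", "src_ip": "10.0.1.7",  "vlan": 2, "bytes": 600},
    {"in_port": "net2", "src_ip": "10.0.2.8",  "vlan": 7, "bytes": 400},
    {"in_port": "net2", "src_ip": "10.0.0.99", "vlan": 2, "bytes": 200},
]
FLOW_MAP = FlowMap(
    rules=[
        (lambda p: p["src_ip"] == "10.0.0.99", DROP),   # discard one source IP
        (lambda p: p["vlan"] == 1, ["tool-vlan1"]),     # the VLAN1 map
        (lambda p: p["vlan"] == 2, ["tool-vlan2"]),     # the VLAN2 map
    ],
    collector="tool-collector",
    pass_all={"net1": ["tool-ids"]},  # IDS sees everything arriving on net1
)

if __name__ == "__main__":
    for port, nbytes in sorted(tool_load(FLOW_MAP, PACKETS).items()):
        print(f"{port:15} {nbytes:5} bytes")
```

In this sample the dropped source still reaches tool-ids on net1 through the pass-all copy, but on net2 it reaches no tool at all, which is the visibility gap to review whenever a drop rule is added.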

GigaVUE also includes a special pass-all packet distribution
command. The pass-all command can be used to send all
packets on a network or tool port to another tool port (or
multiple tool ports) on the same box, irrespective of the Flow
Mapping already in place for the ports. This is particularly useful
when you want to send all the traffic from mapped network ports
to a security tool that needs to see all unfiltered traffic.

Conclusion
The amount of traffic, and the speed at which that traffic is
flowing in enterprise networks, is increasing dramatically. At
1Gbps and 10Gbps, network monitoring and security tools
struggle to keep up with line rate speeds. At faster speeds
of 40Gbps and 100Gbps, tools will be simply incapable of
processing the volume of packet traffic going across the
network. The Gigamon Traffic Visibility Fabric, with its advanced
traffic filtering architecture called Flow Mapping, will allow
10Gbps tools to monitor 40Gbps and 100Gbps links, by sending
only the desired traffic to the tools which need that traffic. The
execution of map rules in real-time, and at line rate speeds, can
eliminate oversubscription of network monitoring and security
tools, improving their performance because they are processing
only the packets that relate to their function. Flow Mapping
technology from Gigamon is the only answer available to allow
efficient network monitoring at future network speeds.

About Gigamon
Gigamon provides intelligent Traffic Visibility Networking
solutions for enterprises, data centers and service providers
around the globe. Our technology empowers infrastructure
architects, managers and operators with unmatched visibility
into the traffic traversing both physical and virtual networks
without affecting the performance or stability of the production
environment. Through patented technologies, the Gigamon
GigaVUE portfolio of high availability and high density products
intelligently delivers the appropriate network traffic to security,
monitoring or management systems. With over seven years'
experience designing and building intelligent traffic visibility
products in the US, Gigamon serves the vertical market
leaders of the Fortune 1000 and has an install base spanning
40 countries.

For more information about our Gigamon products visit:
www.gigamon.com

Copyright 2012 Gigamon, LLC. All rights reserved. Gigamon, GigaVUE, GigaSMART, G-TAP, Flow Mapping are registered trademarks of Gigamon, LLC and/or affiliates in the
United States and certain other countries. Visibility Fabric, Traffic Visibility Fabric (TVF), Citrus, and The Smart Route To Visibility are trademarks of Gigamon. All other trademarks
are the property of their respective owners.
Gigamon | 598 Gibraltar Drive Milpitas, CA 95035 | PH 408.263.2022 | www.gigamon.com