Gigamon Containerized Broker Deployment Guide v6.5 doc-v1.0

Gigamon Inc.

Gigamon Containerized Broker Deployment Guide
GigaVUE Cloud Suite
Product Version: 6.5 Document Version: 1.0 Last Updated: Monday, December 11, 2023
(See Change Notes for document updates.)

Copyright 2023 Gigamon Inc. All rights reserved.
Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. No part of this publication may be reproduced, transcribed, translated into any language, stored in a retrieval system, or transmitted in any form or any means without the written permission of Gigamon Inc.
Trademark Attributions
Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found at www.gigamon.com/legaltrademarks. All other trademarks are the trademarks of their respective owners.
Gigamon Inc. 3300 Olcott Street Santa Clara, CA 95054 408.831.4000

Change Notes

When a document is updated, the document version number on the cover page will indicate a new version and will provide a link to this Change Notes table, which will describe the updates.

| Product Version | Document Version | Date Updated | Change Notes |
|---|---|---|---|
| 6.5.00 | 1.0 | 12/11/2023 | The original release of this document with 6.5.00 GA. |

Contents

Gigamon Containerized Broker Deployment Guide
Change Notes
Contents
Gigamon Containerized Broker
About Gigamon Containerized Broker
GCB and GigaVUE-FM Interaction
GCB Registration
GCB Deregistration
GCB Heartbeats
GCB Statistics
Monitoring Domain and Traffic Policy
GCB and GigaVUE-FM High Availability
GCB Traffic Health Monitoring
Configure Alarms in GCB
Configuration Health
Traffic Health
Resource Health
Connectivity Health
GCB Diameter Traffic Processing
Service Identification
Pod Status
Upgrade
Configuration of GCB Diameter Traffic Processing
Configure Traffic Policy
Configure GCB Settings
General Settings
SBI Settings
Diameter Settings
GCB for Service Mesh and HTTPS/2 Support with Metadata
Architecture of GCB for Service Mesh and HTTPS/2 Support with Metadata
Get Started with GCB for Service Mesh and HTTPS/2 Support with Metadata
Components of GCB for Service Mesh and HTTPS/2 Support with Metadata
License Information
Network Requirements
Configure GCB for Service Mesh and HTTPS/2 Support with Metadata
Deploy GCB in Kubernetes
Deploy GCB Controller Service
Deploy GCB Controller Pods
Configure GCB for Service Mesh and HTTPS/2 Support with Metadata through GigaVUE-FM
Configure GCB Settings
GCB General Settings
GCB Individual Settings
GCB Group Settings
GCB for Cloud Object Storage
Architecture of GCB for Cloud Object Storage
GCB with GigaVUE-FM deployment
Get Started with GCB for Cloud Object Storage
Components of GCB for Cloud Object Storage
License Information
Network Requirements
Configure GCB for Cloud Object Storage
Launch GigaVUE-FM
Launch Gigamon Containerized Broker
Store Traffic Data in S3 Bucket
View GCB statistics in GigaVUE-FM
Additional Sources of Information
Documentation
How to Download Software and Release Notes from My Gigamon
Documentation Feedback
Contact Technical Support
Contact Sales
Premium Support
The VÜE Community
Glossary

Gigamon Containerized Broker
Gigamon Containerized Broker (GCB) is a containerized component that provides network broker features. GCB can perform traffic acquisition, aggregation, basic filtering, replication, and tunneling with encryption support. GCB can be deployed in its own Pod as a Kubernetes service where your workloads are running. Depending on the scenario and requirements, GCB receives traffic from various components.
This guide provides an overview of Gigamon Containerized Broker and describes how to install and deploy GCB components in your Pods.
Topics:
• About Gigamon Containerized Broker
• GCB and GigaVUE-FM Interaction
• GCB for Service Mesh and HTTPS/2 Support with Metadata
• GCB for Cloud Object Storage
For Universal Cloud Tap - Container (UCT-C) related information, refer to Universal Cloud Tap - Container Guide.

About Gigamon Containerized Broker
The Gigamon Containerized Broker (GCB) is a containerized component that provides network broker features. The GCB is deployed by the Kubernetes orchestrator and not by GigaVUE-FM.
The following modules are implemented in GCB:
• Traffic Acquisition using CNI Modules: GCB supports traffic acquisition by reading the traffic from Container Network Interface (CNI) modules such as AWS ENI, Calico, and Flannel. During initialization, GCB receives the configuration information from Gigamon's YAML file. Kubernetes CNI supports any combination of ingress, egress, and management process. Following the specifications defined in the YAML file, GCB configures itself on your worker node to acquire traffic.
  NOTE: After GCB registration, you cannot change the number of CNIs or the CNI types. If a change is required, a new GCB instance must be configured and registered.
• Traffic Aggregation - When GCB is running in its own Pod, GCB itself serves as a traffic aggregator.
• Filtering Module - GCB allows basic filtering, forwarding policy, and enrichment. GCB's filtering can be passed from the YAML file, and it is based upon the protocol. The filters and rules are pushed to GCB from GigaVUE-FM and can be modified while the GCB is running.
• Tunneling Modules - GCB supports L2GRE and VXLAN tunneling modules.
• Encryption Module - GCB maintains the required certificates to support TLS and HTTPS encryption.

GCB and GigaVUE-FM Interaction
The interactions between GCB and GigaVUE-FM are as follows:
• GCB Registration
• GCB Deregistration
• GCB Heartbeats
• GCB Statistics
• Monitoring Domain and Traffic Policy
GCB Registration
When GCB comes up in the Kubernetes environment, GCB registers itself with GigaVUE-FM. When GigaVUE-FM is unreachable, GCB retries the connection five times at increasing intervals. If GigaVUE-FM is still unreachable after the retries, the Kubernetes deployment of GCB fails. GCB only supports the IPv4 protocol.
GCB Deregistration
When GCB is terminated normally, GCB sends the deregistration message to GigaVUE-FM. If GCB goes down abnormally, it might not get deregistered. The GCB Pods associated with a GCB node might then get moved to the other GCB node. Similarly, if a GCB goes down, the feeding UCT Containers are moved to the other GCB, and GigaVUE-FM does not store information about the GCB Pod.
GCB Heartbeats
GCB periodically sends heartbeats to GigaVUE-FM. By default, the status of GCB is marked as Connected. The GCB status changes in the following scenarios:
• If 3 consecutive heartbeats are missed, GigaVUE-FM marks the status as Disconnected.
• If 2 consecutive heartbeats are missed, GigaVUE-FM marks the status as Pending.
• If GigaVUE-FM does not receive GCB heartbeats for 30 days, then GigaVUE-FM removes the GCB, considering it as stale.

GCB Statistics
GCB sends traffic statistics and associated GCB Pods to GigaVUE-FM. The highest traffic and lowest traffic widgets in the GigaVUE-FM dashboard show the details of the 10 highest and 10 lowest GCB traffic statistics.
GCB continues to send the statistics even when there is no traffic flowing. GCB does not store the statistics in a cache, even when GigaVUE-FM is not reachable by GCB at that moment.

Monitoring Domain and Traffic Policy
You can configure and manage the Monitoring Domains, Traffic Policies, Connections, Metadata fields, and Source Inventories of GCB in GigaVUE-FM. Refer to the GigaVUE-FM REST API Reference for detailed information on the REST APIs of GCB.
• A Traffic Policy is a combination of Rules and Tunnels.
• A rule contains specific filtering criteria that the packets must match. The filtering criteria lets you determine the target instances and the (egress or ingress) direction of tapping the network traffic.
• A tunnel is a communication path in which the traffic matching the filtered criteria is routed to the destination. The tunnel supports IPv4 and IPv6 addresses.
GCB and GigaVUE-FM High Availability
Gigamon Containerized Broker (GCB) supports the GigaVUE-FM High Availability (FMHA) feature.

For GCB to make use of the high availability feature of GigaVUE-FM, you must configure the FQDN (Fully Qualified Domain Name) of the GigaVUE-FM.
In a standalone GigaVUE-FM, the GCB uses the FQDN of the GigaVUE-FM (if configured). If the FQDN is not configured, or if the GCB fails to resolve it to an IP address, it uses the legacy method of using the configured IP address.
For example, in the GCB Controller YAML file:
env:
  - name: GCB_CNTLR_EXT_IP_DNS
    value: "10.xxx.xx.xx"    # IP address of the DNS server, external to the Kubernetes cluster
  - name: FM_FQDN
    value: "fm.myorg.com"    # FM's FQDN that is used for DNS lookups
NOTE: The FQDN represents a standalone GigaVUE-FM or a FMHA cluster comprised of multiple GigaVUE-FMs. IP addresses (either IPv4, IPv6, or both) for all GigaVUE-FMs (one or more) represented by the FQDN will be returned.
For more details on the GigaVUE-FM High Availability configuration, refer to the GigaVUE Administration Guide.
GCB Traffic Health Monitoring
GigaVUE-FM monitors the traffic health of GCB by monitoring the following:
• Configuration Health
• Traffic Health
• Resource Utilization Health
• Connectivity Health
In GigaVUE-FM, you can view alarms, manage one or more alarms, filter alarms, drill down to the alarm source, etc. During configuration, GigaVUE-FM lets you set threshold conditions so that alarms are raised by the GCB node when those threshold conditions are met.

Configure Alarms in GCB
You can configure alarms in GCB after registering it with GigaVUE-FM. To register, refer to GCB Registration.
To configure alarms in GCB, follow these steps:
1. Go to Inventory > Container > Gigamon Containerized Broker > Settings drop-down list box.
2. In the Settings drop-down list box, select Settings.
3. Click the GCB UUID, and then click Thresholds near the GCB UUID to configure the thresholds for monitoring the following health:
   • Configuration Health
     o To configure the thresholds for monitoring the configuration health, expand Configuration Health and configure the parameters as described in the table.
   • Traffic Health
     o To configure the thresholds for monitoring the traffic health, expand Data Transmission and configure the parameters as described in the table.
   • Resource Health
     o To configure the thresholds for monitoring the traffic health, expand Invalid RxData and configure the parameters as described in the table.
   • Connectivity Health
     o To configure the thresholds for monitoring the traffic health, expand Transaction Logging and configure the parameters as described in the table.
Configuration Health
To monitor the configuration health, you can configure the thresholds for the following:

| S. No. | Name | Monitors | Description | Trigger Value Type | Trigger Value Range | Minimum - Maximum Timer Interval | Default Trigger Value | Default time | Conditions | Severity | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | ServiceIdTableMiss | Either of the source or destination tables does not exist, or both tables do not exist. | Alarms are raised when the user fails to upload any one of src / dst table or both ServiceIdTableMiss. | Integer | 1-10 | 300-6000 | 1 | 300 sec | above | Critical | ON |
| 2 | SvcIdLookupMiss | Entry lookup miss in svc-id table | Alarms are raised when service ID lookup fails for incoming traffic SvcIdLookupMiss. | Integer | 10-5000 | 300-6000 | 1000 | 300 sec | above | Major | ON |
| 3 | GCBLogfileTruncated | Indicates the logging file truncation (Notification) | Alarms are raised when gcb http pod log is rotated and fresh logging starts GCBLogfileTruncated. | Integer | 1-10 | 300-6000 | 5 | 300 sec | above | | ON |

Traffic Health

To monitor the traffic health, you can configure the thresholds for the following:

| S. No. | Name | Monitors | Description | Trigger Value Type | Trigger Value Range | Minimum - Maximum Timer Interval | Default Trigger Value | Default time | Conditions | Severity | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | TransmitErrors | Errors in transmitting packets out through tunnel. | Alarms are raised when tx errors are observed in the http pod TransmitErrors. | Integer | 10-100 | 60-600 | 100 | 60 sec | above | Major | ON |
| 2 | TransactionLoggingErrors | Transaction Logging failures | Alarms are raised when transaction logging to the designated file fails TransactionLoggingErrors. | Integer | 10-100 | 60-600 | 100 | 60 sec | above | Major | OFF |
| 3 | PacketReorderTimeouts | Packet reordering triggered timeout or transaction packet discards | Alarms are raised when reordering of the incoming packet is not successful/completed in the defined time interval PacketReorderTimeouts | Integer | 1-100 | 60-600 | 1 | 60 sec | above | Major | OFF |

Resource Health

To monitor the resource health, you can configure the thresholds for the following:

| S. No. | Name | Monitors | Trigger Value Type | Description | Trigger Value Range | Minimum - Maximum Timer Interval | Default Trigger Value | Default time | Conditions | Severity | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | InvalidPostDataReceived | Missing the POST data or Invalid Binary data or wrong pcap files | Integer | Alarms are raised when invalid post data is received by the pod InvalidPostDataReceived. | 1-10 | 60-600 | 10 | 300 sec | above | Major | ON |

Connectivity Health
To monitor the connectivity health, you can configure the thresholds for the following:

| S. No. | Name | Monitors | Description | Trigger Value Type | Trigger Value Range | Minimum - Maximum Timer Interval | Default Trigger Value | Default time | Conditions | Severity | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | PcapperConnectionFailure | Datapath connection failure | Alarms are raised when connectivity fails between pcapper and http service pcapper connection | Integer | 1-10 | 60-300 | 3 | 60 sec | equal | Critical | ON |
| 2 | Controller2FMConnectivity | GigaVUE-FM reachability issues from GCB-Controller | | Integer | 1-10 | | 3 | 300 sec | equal | Critical | OFF |
| 3 | GCB2ControllerConnectivity | Controller unreachable from GCB | | Integer | 1-10 | | 3 | 300 sec | equal | Critical | OFF |

The YAML updates are as follows:
- name: GCB_ALARM_GROUP_NAME
  value: "alarm group name"
# 0 - disabled, 1 - enabled
- name: GCB_ALARM_HMON_SUPPORTED
  value: '0'

For more information about alarms, refer to the Alarms section in the GigaVUE Administration Guide.

GCB Diameter Traffic Processing

This feature allows Gigamon Containerized Broker (GCB) to process Service Based Interface Application (SBI) and Diameter traffic from the Pcapper.
GigaVUE-FM also supports a new traffic type parameter with SBI or Diameter values. With the introduction of Diameter Traffic, there are independent traffic policies for SBI Traffic and Diameter Traffic. Each monitoring domain now supports two traffic policies. You can configure one traffic policy with metadata filter rules for SBI traffic and another with metadata filter rules for Diameter Traffic.
You can enable or disable the following features (as shown in the table) for SBI and Diameter traffic:

| Features | SBI | Diameter |
|---|---|---|
| Reorder packets | Supported | Supported |
| Transaction Logging | Supported | Supported |
| Service Identification | Supported | Supported |

To configure Diameter Traffic Processing, refer to Configuration of GCB Diameter Traffic Processing.
This section also describes:
• Service Identification
• Pod Status
• Upgrade


Service Identification

In GigaVUE-FM, you can enable or disable service identification for SBI and Diameter Traffic for GCB.

Pod Status

GigaVUE-FM supports a new pod status called Terminated. The status and the conditions are explained in the following table:

| Status | Condition |
|---|---|
| Terminated | GCB deregisters with GigaVUE-FM. |
| Pending | GCB lost heartbeat with GigaVUE-FM for more than 10 minutes, but less than 15 minutes. |
| Disconnected | GCB lost heartbeat with GigaVUE-FM for more than 15 minutes. |
| Connected | If GCB is not in any of the statuses mentioned in the previous rows, then GigaVUE-FM sets it as connected. |

Upgrade
You must upgrade both the GCB controller and the GCB HTTP pod to the same version. It is not recommended to use different controller and GCB versions.
Configuration of GCB Diameter Traffic Processing
This section provides information regarding the following:
• Configure Traffic Policy
• Configure GCB Settings
Configure Traffic Policy
To create a Traffic Policy in GigaVUE-FM:
1. From the GigaVUE-FM left navigation pane, select Traffic > CONTAINER > Gigamon Containerized Broker. The Traffic Policy page appears.
2. In the Traffic Policy page, click Create. The Tunnels and Rules wizard appears.
3. In the Tunnels tab, enter or select the required information as described in the following table:

| Fields | Description |
|---|---|
| Tunnel Name | Name of the tunnel. |
| Remote IP Address | IP Address of the Tunnel. |
| Tunnel Type | Select L2GRE or VXLAN as the tunnel type. |
| Tunnel Key | Enter a value for the tunnel key. |
| Destination Port | If the tunnel type is VXLAN, enter the tunnel destination port number. |

4. Switch to the Rules tab. Enter or select the required information as described in the following table:

| Fields | Description |
|---|---|
| Policy | |
| Policy Name | Enter a name for the policy. Policies with the same name are allowed when the traffic source for one policy is SBI and another policy is Diameter. In such cases, Traffic Type helps to differentiate between SBI and Diameter traffic. |
| Connection | Select a connection for the policy. |
| Connection Type | Select any one of the following connection types: • SBI - to create rules for the Service Based Interface (SBI) Application traffic. • Diameter - to create rules for the Diameter traffic. |
| Rules | |
| Name | Enter a name for the Rule. |
| Destination Name | Select a tunnel destination. |
| Pass | Select Pass to allow the packets. |
| | Click ADD FILTER to add filters for the rule. |
| Type | Select any one of the following types: • F5 Metadata - Provide a Metadata field name and value when you select this option. Fields that are part of request-metadata and answer-metadata should be entered with a "." notation. For example: answer-metadata.error, etc. • Kubernetes - Provide a value for the service when you select this option. NOTE: For Diameter Traffic, Kubernetes filter type is not supported. |
| Filter Value | Enter a value for the filter type. |

5. Click Create. The new Traffic Policy deploys itself in GCB.

The Traffic Policy processes the traffic and forwards the traffic to the tunnel destination IP address.
Rules and Notes
• A minimum of 3 CPUs must be allocated for each GCB instance for better performance.
Configure GCB Settings
You can configure and edit the following GCB settings in GigaVUE-FM:
• General Settings
• SBI Settings
• Diameter Settings
General Settings
In the General Settings, you can view the following details in a list view:
• Monitoring Domain
• Connection GCB UUID
• IP Address
• Group - For GCB, use a different group name while registering the GCB HTTP pod.
• Status - In the General settings, you can also specify the purge interval to automatically remove the settings that are disconnected for a long duration.
To view or edit the general settings:
1. In GigaVUE-FM, navigate to Inventory > CONTAINER > Gigamon Container Broker Settings > Settings. The Settings page appears. From the Settings page, in the General section, you can view details of the monitoring domains that are configured in GCB.
2. Click a GCB UUID, and the wizard provides a split view of the following details:
   o General Settings
   o SBI
   o Diameter Settings
   o Thresholds
3. Click General Settings, and click Edit to edit/view the following individual settings:
   o Log level
   o Log File Size
   o PCAP File Generation
   o Number of PCAP files generated
4. Click Save to save the changes made on the General Settings.
NOTE: To apply all the settings to the members of Group, enable the Unify All Settings check box.

SBI Settings
1. In GigaVUE-FM, navigate to Inventory > CONTAINER > Gigamon Container Broker Settings > Settings. The Settings page appears. From the Settings page, in the General section, you can view details of the monitoring domains that are configured in GCB.
2. Click a GCB UUID, and the wizard provides a split view of the following details:
   o General Settings
   o SBI
   o Diameter Settings
   o Thresholds
3. Click SBI, and click Edit to edit/view the following Individual and Group settings.

Individual Settings
• SBI transaction Logging
• Write SBI Transaction Log to a file
• Write SBI Transaction Log to stdout
• SBI Transaction Log Format
• SBI Transaction Log File Size

Group Settings
• Enable/Disable packet reordering functionality.
• Use Sequence number for packet reordering.
• Use timestamp for packet reordering.
• Packet reordering timeout in milliseconds.
• Maximum number of requests stored in queue.
• Packet reordering drop policy.
• SBI Service Translation enable/disable.

4. Click Save to save the changes made on the SBI Settings.

Diameter Settings
1. In GigaVUE-FM, navigate to Inventory > CONTAINER > Gigamon Container Broker Settings > Settings. The Settings page appears. From the Settings page, in the General section, you can view the details of the monitoring domains that are configured in GCB.
2. Click a GCB UUID, and the wizard provides a split view of the following details:
   o General Settings
   o SBI
   o Diameter Settings
   o Thresholds
3. Click Diameter, and click Edit to edit/view the following Individual and Group settings.

Individual Settings
• Diameter transaction Logging
• Write Diameter Transaction Log to a file
• Write Diameter Transaction Log to stdout
• Diameter Transaction Log Format
• Diameter Transaction Log File Size

Group Settings
• Enable/Disable packet reordering functionality.
• Use timestamp for packet reordering.
• Packet reordering timeout in milliseconds.
• Maximum number of requests stored in queue.
• Packet reordering drop policy.
• SBI Service Translation enable/disable.

4. Click Save to save the changes made on the Diameter Settings.

GCB for Service Mesh and HTTPS/2 Support with Metadata
This guide provides an overview of Gigamon Containerized Broker for service mesh and HTTPS/2 support with metadata and describes how to install and deploy GCB components. Refer to the following topics for details:
• Architecture of GCB for Service Mesh and HTTPS/2 Support with Metadata
• Get Started with GCB for Service Mesh and HTTPS/2 Support with Metadata
• Configure GCB for Service Mesh and HTTPS/2 Support with Metadata
• Configure GCB Settings
Architecture of GCB for Service Mesh and HTTPS/2 Support with Metadata
The following diagram illustrates the architecture of Gigamon Containerized Broker for service mesh and HTTPS/2 support with metadata environment.


1. The GCB Controller is registered with GigaVUE-FM and the traffic policy is deployed on the GCBs.
2. Communication of configuration, data, and statistics to and from GCB is performed through the GCB Controller Service. GigaVUE-FM communicates with the GCB Pods through the GCB Controller.
3. Each GCB Pod is registered with GigaVUE-FM and the traffic policy is deployed on the GCBs.
4. The Pcapper collects the network traffic and sends the HTTP packets to GCB Controller.
5. In the GCB service, the received HTTP packets are load balanced across the available GCB Pods.
6. GCB Pods filter the packets based on the metadata.
7. The filtered HTTP packets from GCB Pods are tunneled directly to the Tools or through the GigaVUE V Series nodes in the OpenStack environment. Refer to the GigaVUE Cloud Suite for OpenStack Configuration Guide for more information on the GigaVUE V Series configuration in the OpenStack environment.
8. GCB Controller collects the data from GCB Pods and sends the collected statistics and heartbeats to GigaVUE-FM.

Get Started with GCB for Service Mesh and HTTPS/2 Support with Metadata
This section describes how to initiate GCB and GigaVUE-FM deployment with the required licenses and network requisites.
Refer to the following sections for details:
• Components of GCB for Service Mesh and HTTPS/2 Support with Metadata
• License Information
• Network Requirements
Components of GCB for Service Mesh and HTTPS/2 Support with Metadata
The Gigamon Containerized Broker for service mesh and HTTPS/2 support with metadata works with the following components:
• GigaVUE® Fabric Manager (GigaVUE-FM) is a web-based fabric management and orchestration interface that provides a single pane of glass visibility, management, and orchestration of both the physical and virtual traffic that form the GCB.
• GCB Pod is the primary GCB module that receives the data from Pcapper, filters the traffic and tunnels the filtered traffic directly to the tools or through the V Series nodes. GCB Pod also sends the statistics and heartbeats to GCB Controller.
• GCB Controller is the management component of GCB to control and communicate with GCB Pods. GCB Controller collects the heartbeats and stats from GCB Pods and sends the collected statistics and heartbeats to GigaVUE-FM.
License Information
All the GCB Pods deployed in your environment periodically report the statistics to GCB Controller. Then the GCB Controller periodically reports the collective statistics of GCB Pods to GigaVUE-FM for Volume-Based Licensing.
In the Volume-Based Licensing scheme, a license entitles specific applications on your devices to use a specified amount of total data volume over the term of the license. The distribution of the license to individual nodes or devices becomes irrelevant for Gigamon's accounting purpose. GigaVUE-FM tracks the total amount of data processed by the GCB, and tracks the overuse if any.


Network Requirements

The following table describes the Kubernetes network requirements for GCB to work efficiently.

| Direction | Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| Gigamon Containerized Broker deployed inside Kubernetes worker node | | | | | |
| Outbound | HTTPS | TCP | 443 | Any IP address | Allows GCB Controller to communicate with GigaVUE-FM |
| Inbound | HTTPS | TCP | 8443 (configurable) | Any IP address | Allows GigaVUE-FM to communicate with GCB Controller. |
| Outbound | HTTPS | TCP | 42042 | Any IP address | Allows GCB to communicate with GigaVUE-FM to send statistics data. |

Configure GCB for Service Mesh and HTTPS/2 Support with Metadata
Setting up GCB for Service Mesh and HTTPS/2 Support with Metadata involves the following two steps:
• Deploy GCB in Kubernetes
• Configure GCB for Service Mesh and HTTPS/2 Support with Metadata through GigaVUE-FM
The Red Hat supported base images of the GCB applications are built on the top of Red Hat Universal Base Image or Red Hat Enterprise Linux Image. The GCB images are Red Hat Certified for Red Hat OpenShift platform.

Deploy GCB in Kubernetes
NOTE: GigaVUE-FM can manage the latest and the old versions of GCBs together concurrently.
To fully deploy GCB, complete the following steps:
1. Implement external access to the Kubernetes environment (e.g., ingress, external public IPs, load balancers) to allow communication between GCB and GigaVUE-FM.
2. Ensure that the firewall rules on Kubernetes nodes are met according to the Network Requirements.
3. Add the GCB images to a private Docker registry or ensure that the files can be pulled from the Docker Hub registry. You can spin up or spin down the GCB instances based on your traffic load.
4. Deploy the GCB Controller Service and Pods as described in "Deploy GCB Controller Service and Pods using YAML files" or "Deploy GCB Controller Service and Pods using Helm Chart".
5. Deploy the GCB HTTP Service and Pods as described in "Deploy GCB HTTP Service and Pods using YAML files" or "Deploy GCB HTTP Service and Pods".
Refer to the following topics for GCB Controller and HTTP services and Pods:
• Deploy GCB Controller Service
• Deploy GCB HTTP Service and Pods
NOTE: To upgrade the GCB solution, deploy the latest version of GCB Controller and then deploy the latest version of GCB HTTP by following the same procedure mentioned above.
Deploy GCB Controller Service and Pods
You can deploy the GCB Controller Service and Pods using the YAML files or the Helm Charts. Refer to the following sections for detailed information.
• Deploy GCB Controller Service and Pods using YAML files
• Deploy GCB Controller Service and Pods using Helm Chart
Deploy GCB Controller Service and Pods using YAML files
Deploy GCB Controller Service
Follow the instructions below to deploy GCB Controller Service in your Kubernetes environment using YAML file:
NOTE: Contact Technical Support or Contact Sales for the GCB images and YAML files.


1. In your Kubernetes orchestrator, edit the GCB Controller image name, commands, and other required information into your YAML file. The following is sample data from the YAML file. Edit your YAML file based on the sample given below. Do not copy and paste this content into your YAML file:

    apiVersion: v1
    kind: Service
    metadata:
      name: gigamon-gcb-cntlr-service
      labels:
        app: gcb-cntlr
        service: gigamon-gcb-cntlr-service
      # change the namespace to match your namespace
      namespace: default
    spec:
      ports:
      - port: 8443
        protocol: TCP
        name: gcb-rest
        targetPort: 8443
      - port: 42042
        protocol: TCP
        name: gcb-stats
        targetPort: 42042
      selector:
        app: gcb-cntlr

The following table gives a description of all the field values in the YAML file that are updated:

| Field Values | Description |
|---|---|
| Port: 8443 | The GCB Controller REST service port number. |
| Port: 42042 | This port must be port 42042. This allows GigaVUE-FM to communicate with GCB to send statistical data. |

2. Using the YAML file, Kubernetes creates the GCB Controller Service.

Deploy GCB Controller Pods
Follow the instructions below to deploy GCB Controller Pods in your Kubernetes environment using a YAML file:
NOTE: Contact Technical Support or Contact Sales for the GCB images and YAML files.


1. In your Kubernetes orchestrator, edit the GCB Controller image name, commands, and other required information into your YAML file. The following is sample data from the YAML file. Edit your YAML file based on the sample given below. Do not copy and paste this content into your YAML file:

    name: gcb-cntlr
    image: gigamon/gcb-cntlr:cntlr-<version>
    command:
      - # /gcb-cntlr
      - # <FM IP>
      - # <FM REST Svc Port>
      - # <GCB-Cntlr REST SVC Port>
      - # <mTLS Mode: 1(ON)|0(OFF)>
      - # <Cert Path>
      - # <Cert file>
      - # <Pvt Key>
      - # <CA-Root>
    imagePullPolicy: Always
    ports:
      - containerPort: 8443
      - containerPort: 42042
    env:
      # Service name. Should match name specified in metadata section.
      - name: GCB_CNTLR_SERVICE_NAME
        value: "GIGAMON_GCB_CNTLR_SERVICE"
      # External LB balancer IP, for controller (FM) to connect to gcb-cntlr
      - name: GCB_CNTLR_EXT_IP_DNS
        value: "<external IP for GigaVUE-FM to reach GCB CNTLR>"
      # K8S cluster end-point
      - name: K8S_CLUSTER_ENDPOINT
        value: "https://<kubernetesapiserverurl>:6443"
      # Namespace of pod
      - name: GCB_CNTLR_POD_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace

The following table gives a description of all the field values in the YAML file that are changed or updated:

| Field Values | Description |
|---|---|
| /gcb-cntlr (image name) | GCB Controller image name and version. Make sure to use the latest image version. |
| GigaVUE-FM IP | The IP address of the GigaVUE-FM with which your GCB is connected. |
| FM REST Svc Port | The FM REST service port number. This must be opened on your Kubernetes to allow outbound traffic. This allows GCB Controller to communicate with GigaVUE-FM. Example: 443 |
| GCB-Cntlr REST SVC Port | The GCB Controller REST service port number. This must be opened on your GigaVUE-FM to allow inbound traffic to Kubernetes. This allows GigaVUE-FM to communicate with GCB Controller. Example: 8443 |
| mTLS Mode: 1(ON) \| 0(OFF) | Specifies whether mTLS mode between GigaVUE-FM and GCB Controller is On or Off. Values are: 1 - ON, 0 - OFF |
| Cert Path | Path of the certificate file. Example: /etc/gcbcerts |
| Cert file | Name of the certificate file. Example: gcb-cert.pem |
| Pvt Key | Name of the private key. Example: gcb-pvt-key.pem |
| CA-Root | Name of the CA root certificate. Example: gcb-ca-root-cert.pem |
| Ports: containerPort: 8443, containerPort: 42042 | Two ports must be opened. The first container port must be the same as GCB-Cntlr REST SVC Port. The second container port must be port 42042. This allows GigaVUE-FM to communicate with GCB to send statistics data. |
| External LB balancer IP | The external load balancer IP/DNS value to allow GigaVUE-FM to communicate with GCB Controller within Kubernetes. The GigaVUE-FM IP entry may change when you upgrade or redeploy. |
| K8S cluster end-point | Kubernetes cluster end point for GigaVUE-FM to access the control plane. Example: https://<kubernetesapiserverurl>:6443 |

NOTE: Volume Mount is optional for the cases when there is no mTLS authentication. You should enter your volume mount path and a name for the volume mount. For detailed information, refer to the respective YAML files.
2. Using the YAML file, Kubernetes automatically downloads the defined GCB Controller Pods and deploys them to the Kubernetes worker node.

Deploy GCB Controller Service and Pods using Helm Chart
Follow the instructions below to deploy GCB Controller Service and Pods in your Kubernetes environment using Helm Chart:
NOTE: Contact Technical Support or Contact Sales for the GCB images and Helm Charts (gcb-cntlr-<version>.tgz and gcb-http-<version>.tgz).

1. On your Kubernetes orchestrator, extract the received GCB Controller (service and Pod) .tgz package.
$ tar -xvf gcb-cntlr-<version>.tgz
2. After extraction, navigate to the gcb-cntlr folder and edit the values.yaml file as per your environment. Refer to Deploy GCB Controller Service and Deploy GCB Controller Pods for detailed information.
3. From the extracted gcb-cntlr folder, install the GCB Controller Helm Chart using the following command:
$ helm install <Name for the GCB Controller> <Extracted folder path>
Example: $ helm install gcb-cntlr gcb-cntlr/
4. Using the Helm file, Kubernetes creates the GCB Controller Service, automatically downloads the defined GCB Controller Pods, and deploys them to the Kubernetes worker node.
Deploy GCB HTTP Service and Pods
You can deploy the GCB HTTP Service and Pods using the YAML files or the Helm Charts. Refer to the following sections for detailed information.
- Deploy GCB HTTP Service and Pods using YAML files
- Deploy GCB HTTP Service and Pods

Deploy GCB HTTP Service and Pods using YAML files
Deploy GCB HTTP Service
Follow the instructions below to deploy the GCB HTTP Service in your Kubernetes environment using a YAML file:
NOTE: Contact Technical Support or Contact Sales for the GCB images and YAML files.


1. In your Kubernetes orchestrator, edit the GCB Controller image name, commands, and other required information into your YAML file. The following is sample data from the YAML file. Edit your YAML file based on the sample given below. Do not copy and paste this content into your YAML file:

    apiVersion: v1
    kind: Service
    metadata:
      name: gcb-http-service
      labels:
        app: gcb-http
        service: gcb-http-service
      # change the namespace to match your namespace
      namespace: default
    spec:
      ports:
      - port: 9443
        name: https
      selector:
        app: gcb-http

The following table gives a description of all the field values in the YAML file that are updated:

| Field Value | Description |
|---|---|
| 9443 | The GCB Controller REST service port number. This must be opened on your GigaVUE-FM to allow inbound traffic to Kubernetes. |

2. Using the YAML file, Kubernetes creates the defined GCB HTTP service.

Deploy GCB HTTP Pods
Follow the instructions below to deploy GCB HTTP Pods in your Kubernetes environment using a YAML file:
NOTE: Contact Technical Support or Contact Sales for the GCB images and YAML files.


1. In your Kubernetes orchestrator, edit the GCB HTTP Pod image name, commands, and other required information in a YAML file. The following is sample data from the YAML file. Edit your YAML file based on the sample given below. Do not copy and paste this content into your YAML file:

    name: gcb-http
    command:
      - # /gcb-http
      - # PORT for RX
      - # mTLS-Flag(T/F)
      - # CERT_FILE
      - # KEY_FILE
      - # CA_CERT_FILE
      - # CA_VERIFY(T/F)
      - # default destination ip (if not configured from GigaVUE-FM)
      - # (1=> default, 0=> rule)
      - # (1=> L2GRE, 3=> VXLAN)
    image: gigamon/gcb-http:<version>
    imagePullPolicy: Always
    env:
      - name: GCB_DEBUG_MODE
        value: "0x031A2F14"
      - name: GCB_REORDER_GROUP # This is a mandatory field
        value: "group_6_0_00" # Group name must be unique
      - name: GCB_SERVICE_NAME
        value: "GIGAMON_GCB_HTTP2_SERVICE"
      - name: GCB_CNTLR_SVC_DNS
        #value: "<GCB-CNTLR-SVC-NAME.GCB-CNTLR-NAMESPACE>.svc.cluster.local"
        value: "gigamon-gcb-cntlr-service.default.svc.cluster.local"
      - name: GCB_CNTLR_REST_SVC_PORT
        # port used to receive configuration from FM
        value: '8443'
      - name: GCB_POD_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace

The following table gives a description of all the field values in the YAML file that are changed or updated:

| Field Value | Description |
|---|---|
| PORT for RX | HTTP port number for ingress traffic. Example: 9443 |
| mTLS-Flag (True/False) | Enable or disable mTLS between Pcapper and GCB. |
| CERT_FILE | SSL/TLS certificates. Example: server-certificate-chain.pem |
| KEY_FILE | Private key for the certificate. Example: server-private-key.pem |
| CA_CERT_FILE | CA root certificate. Example: ca-root-crt-chain.crt |
| CA_VERIFY (True/False) | Enable or disable verification of the certificate files. |
| default destination ip | Default Destination IP (if not being configured from FM) |
| (1=> default, 0=> rule) | (0/1) Enter 1 to use the default destination IP, or enter 0 to use the rules configured by GigaVUE-FM |
| (1=> L2GRE, 3=> VXLAN) | (1/3) Enter 1 to use the L2GRE tunnel type, or enter 3 to use the VXLAN tunnel type. |
| gigamon/gcb-http:<version> | GCB Controller image name and version. Make sure to use the latest image version. |
| GCB_DEBUG_MODE | The hex value for GCB debugging. This value must be in the 0xdd[aaaa][b][c] format, described below the table. |
| GCB_CNTLR_SVC_DNS | GCB Controller Service Number. This value must match the metadata used for GCB Controller. Example: gigamon-gcb-cntlr-service.default.svc.cluster.local |
| GCB_CNTLR_REST_SVC_PORT | The GCB Controller REST service port number. This must be opened on your GigaVUE-FM to allow inbound traffic to Kubernetes. |

In the GCB_DEBUG_MODE format 0xdd[aaaa][b][c]:
- aaaa is a hex value for the number of pcap messages to maintain before rollover
- b is 0 = do not create pcap or 1 = create pcap
- c is the level: 1 = fatal, 2 = error, 3 = info, 4 = debug
- dd is the log file size multiplier
  - dd = 0|1 means the default log file size (approx. 100,000 lines)
  - dd = 08 means 8 * the default log file size (approx. 8*100,000 lines)
  - dd = FF = 255 means (255*100,000 lines)

2. Using the YAML file, Kubernetes automatically downloads and deploys the defined GCB HTTP Pods.
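
A decoder for the GCB_DEBUG_MODE value described in the table above, useful for checking what a manifest enables before it is applied. This is an added example, not Gigamon code; the function and class names are hypothetical, and the only input is the sample value from the YAML above.

```python
import re
from dataclasses import dataclass

# Level digit -> name, as listed in the field description above.
LEVELS = {1: "fatal", 2: "error", 3: "info", 4: "debug"}
# The guide gives the default log file size as approx. 100,000 lines.
DEFAULT_LOG_LINES = 100_000

# 0x + dd (2 hex digits) + aaaa (4) + b (1) + c (1)
DEBUG_MODE_RE = re.compile(
    r"0x([0-9A-Fa-f]{2})([0-9A-Fa-f]{4})([0-9A-Fa-f])([0-9A-Fa-f])"
)


@dataclass(frozen=True)
class DebugMode:
    log_size_multiplier: int  # dd; 0 and 1 both mean the default size
    pcap_rollover_count: int  # aaaa
    create_pcap: bool         # b
    level: str                # c

    @property
    def approx_log_lines(self):
        return self.log_size_multiplier * DEFAULT_LOG_LINES


def parse_debug_mode(value):
    """Decode a GCB_DEBUG_MODE string; raise ValueError if it is malformed."""
    match = DEBUG_MODE_RE.fullmatch(value.strip())
    if match is None:
        raise ValueError(f"{value!r} is not 0x followed by 8 hex digits")
    dd, aaaa, b, c = (int(group, 16) for group in match.groups())
    if b not in (0, 1):
        raise ValueError(f"pcap flag must be 0 or 1, got {b:X}")
    if c not in LEVELS:
        raise ValueError(f"level must be 1-4, got {c:X}")
    return DebugMode(max(dd, 1), aaaa, bool(b), LEVELS[c])


def review_debug_mode(value):
    """Return the settings worth a second look before the Pod is deployed."""
    mode = parse_debug_mode(value)
    findings = []
    if mode.create_pcap:
        findings.append(
            f"pcap creation is on ({mode.pcap_rollover_count} messages kept "
            "before rollover): captured traffic is stored on the GCB"
        )
    if mode.level == "debug":
        findings.append("log level is debug")
    if mode.log_size_multiplier > 1:
        findings.append(
            f"log file may reach about {mode.approx_log_lines:,} lines"
        )
    return findings


if __name__ == "__main__":
    sample = "0x031A2F14"  # the value from the sample YAML above
    print(parse_debug_mode(sample))
    for finding in review_debug_mode(sample):
        print("-", finding)
```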

Deploy GCB HTTP Service and Pods using Helm Chart
Follow the instructions below to deploy GCB HTTP Service and Pods in your Kubernetes environment using Helm Chart:
NOTE: Contact Technical Support or Contact Sales for the GCB images and Helm Charts (gcb-cntlr-<version>.tgz and gcb-http-<version>.tgz).

1. On your Kubernetes orchestrator, extract the received GCB HTTP (service and Pod) .tgz package.
$ tar -xvf gcb-http-<version>.tgz
2. After extraction, navigate to the gcb-http folder and edit the values.yaml file as per your environment. Refer to Deploy GCB HTTP Service and Deploy GCB HTTP Pods for detailed information.
3. From the extracted gcb-http folder, install the GCB HTTP Helm Chart using the following command:
$ helm install <Name for the GCB HTTP> <Extracted folder path>
Example: $ helm install gcb-http gcb-http/
4. Using the Helm file, Kubernetes creates the GCB HTTP Service, automatically downloads the defined GCB HTTP Pods, and deploys them to the Kubernetes worker node.
Configure GCB for Service Mesh and HTTPS/2 Support with Metadata through GigaVUE-FM
This section describes how to configure GCB through GigaVUE-FM GUI. Refer to the following section for details.
- Launch GigaVUE-FM
- Create Metadata Field Names
- Create Monitoring Domain
- Configure Service Identification
- Configure Traffic Policy
Launch GigaVUE-FM
The recent GigaVUE-FM image files can be downloaded from Gigamon Customer Portal. After fetching the image, upload and launch GigaVUE-FM on your OpenStack environment. For assistance, Contact Technical Support of Gigamon or refer to the GigaVUE Cloud Suite Deployment Guide - OpenStack for more information on GigaVUE V Series configuration on OpenStack environment.
Create Metadata Field Names
To create metadata field names in GigaVUE-FM:

1. In GigaVUE-FM, on the left navigation pane, select Inventory > CONTAINER > Gigamon Containerized Broker > Settings. The Settings page appears.
2. In the Settings page, click Add. The Add Metadata Field Names wizard appears.
3. Select the Tap type as F5 Service Mesh vTAP and enter the Metadata Field Names.
4. Click Add. The newly added metadata field names appear on the Settings page.
Create Monitoring Domain
To create a monitoring domain in GigaVUE-FM:
1. In GigaVUE-FM, on the left navigation pane, select Inventory > CONTAINER > Gigamon Containerized Broker > Monitoring Domain. The Monitoring Domain page appears.

2. In the Monitoring Domain page, click New. The Monitoring Domain Configuration wizard appears.

3. Enter or select the required information as described in the following table:

| Fields | Description |
|---|---|
| Monitoring Domain | Enter a name for the monitoring domain |
| Alias | Enter a name for the GCB connection |
| Authentication Type | Select Token as the authentication type |
| API Server URL | Enter the URL of the API server |
| Tapping Type | Select F5 Service Mesh vTap as the Tapping Type |

4. Click Save to create a monitoring domain.
Configure Service Identification
In the Service mesh and HTTP/s supported platform, the GCB receives packets to be monitored in the form of HTTPS/2 requests. On receiving the HTTPS/2 request from Pcapper, GCB applies the rules configured in GigaVUE-FM and forwards the filtered traffic to GigaVUE V Series Nodes deployed on the OpenStack platform through L2GRE or VXLAN tunnels.

In a Kubernetes environment, the IP addresses associated with pods and services are temporary and can change regularly. These changing IP addresses make it difficult for external tools to consistently correlate incoming data with the services and sources related to that data. The same IP addresses may also exist in multiple Kubernetes clusters, which adds difficulty in identifying the true source of the monitored traffic. To correlate these temporary and duplicated IP addresses, GigaVUE-FM and GCB use information supplied in the .csv text files to map the temporary IP addresses to IPv6 addresses that the external tools can consistently use.
The CSV file must contain a header row with two columns. The first column is for the Metadata value and the second column is for the IPv6 address. The metadata value specified in the header row and the values in the first column of the CSV file must match the Metadata Field Names.
NOTE: The length of the metadata value in the first column of a non-header row must be less than or equal to 255 and the number of non-header entries (rows) must be less than 4096. The Service ID feature will not work if metadata fields for Service ID mapping are greater than 255 bytes.
The Service Mesh and HTTPS/2 supported platform must provide the following CSV files:
- a src-ip-mapping.csv file to translate the temporary source IP (IPv4) address to an external IPv6 address.
- a dest-ip-mapping.csv file to translate the temporary destination IP (IPv4) address to an external IPv6 address.
To upload the mapping CSV files to GigaVUE-FM:
1. After creating a Monitoring Domain, in GigaVUE-FM, from the left navigation pane, select Inventory > CONTAINER > Gigamon Containerized Broker > Service Identification. The Service Identification page appears.

2. In the Service Identification page, click Upload. The File Upload wizard appears.

3. Enter or select the required information as described in the following table:

| Fields | Description |
|---|---|
| Connection | Select an existing monitoring domain |
| Metadata Field Name | Select a Metadata field to search in the CSV file. If the value for the metadata field matches the content of the received packets, then GCB uses the mapping tables to convert the ephemeral IPv4 addresses to external IPv6 addresses and replaces the incoming IPv4 header with an IPv6 header, before forwarding the packets to the Tools or V Series nodes. If the value for the metadata field doesn't match the content of the received packets, then the GCB forwards the packets without translation. |
| Type | Select an IP address type from the following: SRC - Source IP, DST - Destination IP |
| Select (CSV) File | Select an IP mapping CSV file to upload to GigaVUE-FM. |

4. Click Upload to upload the selected CSV file for the monitoring domain.
NOTE: You must upload a source and a destination IP mapping CSV file for the IP translation.
Once the CSV file is uploaded successfully, GigaVUE-FM displays the status of the uploaded file. If no error is found in the metadata, then the status is displayed as Ok. However, if there is any error in the metadata or processing, then the error message is displayed under the Status column. Click on the error message to get detailed information about the error.

Types of Error messages:
1. Skipped Entries: This error message is displayed:
   - If the metadata value is blank or more than 127 characters.
   - If the IP address is invalid.
   - If there are more than 4096 entries in the file excluding the header. In this case, only the first 4096 entries will be sent to GCB and the rest would be skipped.
   - If the uploaded CSV file contains two or more identical entries, or two or more entries with the same metadata values. In this case only the first entry will be sent to GCB and the rest would be skipped.
2. GCB: This error message is displayed due to processing errors or a failure.
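
A pre-upload check for the mapping CSV files that applies the Skipped Entries rules listed above, so skipped rows are found before the file reaches GigaVUE-FM. This is an added example, not Gigamon code: the function name, reason codes, header names and sample rows are constructed. It assumes the second column is validated as an IPv6 address, that the entry limit is counted by position in the file, and it takes the 127-character limit as a parameter because the earlier NOTE states 255.

```python
import csv
import io
import ipaddress

MAX_ENTRIES = 4096    # entries after the header that are sent to GCB
MAX_VALUE_LEN = 127   # from the Skipped Entries list; the NOTE states 255


def lint_mapping_csv(text, metadata_field,
                     max_value_len=MAX_VALUE_LEN, max_entries=MAX_ENTRIES):
    """Return (accepted, skipped) for one mapping file.

    accepted: list of (metadata value, normalised IPv6 address)
    skipped:  list of (line number, reason code)
    Raises ValueError when the header row itself is unusable.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None or len(header) != 2:
        raise ValueError("the file needs a header row with two columns")
    if header[0].strip() != metadata_field:
        raise ValueError(
            f"header {header[0]!r} does not match field {metadata_field!r}"
        )

    accepted, skipped, seen = [], [], set()
    entry_no = 0
    for row in reader:
        if not row:  # an empty line is not an entry
            continue
        entry_no += 1
        line_no = reader.line_num
        cells = [cell.strip() for cell in row]
        if entry_no > max_entries:
            skipped.append((line_no, "over-entry-limit"))
            continue
        if len(cells) != 2:
            skipped.append((line_no, "bad-column-count"))
            continue
        value, address = cells
        if not value:
            skipped.append((line_no, "blank-value"))
            continue
        if len(value) > max_value_len:
            skipped.append((line_no, "value-too-long"))
            continue
        try:
            ipv6 = ipaddress.IPv6Address(address)
        except ValueError:
            skipped.append((line_no, "invalid-ipv6"))
            continue
        if value in seen:  # only the first entry per metadata value is kept
            skipped.append((line_no, "duplicate-value"))
            continue
        seen.add(value)
        accepted.append((value, str(ipv6)))
    return accepted, skipped


# Constructed sample; "x-service-name" is a hypothetical metadata field name.
SAMPLE = (
    "x-service-name,ipv6\n"
    "cart,2001:db8::10\n"
    "cart,2001:db8::11\n"
    ",2001:db8::12\n"
    "checkout,10.0.0.5\n"
    "payments,2001:db8:0:0:0:0:0:20\n"
    + "a" * 128 + ",2001:db8::30\n"
)

if __name__ == "__main__":
    ok, bad = lint_mapping_csv(SAMPLE, "x-service-name")
    print("accepted:", ok)
    for line_no, reason in bad:
        print(f"line {line_no}: {reason}")
```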
Configure Traffic Policy
To create a Traffic Policy in GigaVUE-FM:

1. From the GigaVUE-FM left navigation pane, select Traffic > CONTAINER > Gigamon Containerized Broker. The Traffic Policy page appears.
2. In the Traffic Policy page, click Create. The Create Tunnels and Rules wizard appears.
3. In the Tunnels tab, enter or select the required information as described in the following table:

| Fields | Description |
|---|---|
| Tunnel Name | Enter a name for the Tunnel. |
| Remote IP Address | Enter an IP Address for the Tunnel. |
| Tunnel Type | Select L2GRE or VXLAN as the tunnel type. |
| Tunnel Key | Enter a value for the tunnel key. |
| Destination Port | If the tunnel type is VXLAN, enter the tunnel destination port number. |

4. Switch to Rules tab, and enter or select the required information as described in the following table:

| Fields | Description |
|---|---|
| Policy | |
| Policy Name | Enter a name for the policy. |
| Connection | Select a connection for the policy. |
| Rules | |
| Name | Enter a name for the Rule. |
| Destination Name | Select a tunnel destination. |
| Pass/Drop | Select Pass to allow the packets or select Drop to block the packets based on the filters. |
| | Click ADD FILTER to add filters for the rule. |
| Type | Select the type as F5 Metadata. |
| Metadata Field | Select a Metadata field name. |
| Filter value | Enter a value for the filter type. |

5. Click Create and this new Traffic Policy deploys itself in the GCB.
The Traffic Policy processes the Pcapper traffic and forwards the traffic to the tunnel destination IP address.

Configure GCB Settings
You can configure the following settings in GigaVUE-FM:
- GCB General Settings
- GCB Individual Settings
- GCB Group Settings
GCB General Settings
In the GCB General Settings, you can specify the purge interval to automatically remove the GCBs that are disconnected for a long duration.
NOTE: GigaVUE-FM generates an alarm for the disconnected GCB when the GCB heartbeats are not received for more than 15 minutes. Refer to "Alarms" topic in the GigaVUE Administration Guide for detailed information on Alarms.
To view or edit the GCB general settings:
1. In GigaVUE-FM, navigate to Inventory > CONTAINER > Gigamon Containerized Broker > Settings. The Settings page appears.
2. From the Settings page, in the General section, click Edit. The Edit General Settings quick view appears.
3. Enter the number of days to retain the disconnected GCB. After this duration, the disconnected GCB is removed.
4. Click Save to save the changes made to the General Settings.
GCB Individual Settings
GCB Log Level Settings
In GigaVUE-FM, you can control the level of logs created at each individual GCB for troubleshooting. The regular GCB log file name format is gcb_http2.log.
To view or edit the GCB log level settings:

1. In GigaVUE-FM, navigate to Inventory > CONTAINER > Gigamon Containerized Broker > Settings, the Settings page appears.
2. From the Settings page, select a GCB to view or edit the GCB log configuration.
3. Select Edit to edit the required GCB log values in the Individual Settings section.

| Field | Description |
|---|---|
| Log Level | Select one of the following: DEBUG: fine-grained log information for application debugging; INFO: coarse-grained log information for highlighting application progress; WARN: log information of potentially harmful situations; ERROR: log information of the error events that allows the application to run continuously; FATAL: log information of very severe error events that presumably lead the application to abort. |
| Log File Size | Enter a value for the number of lines in the GCB log file. |
| PCAP File Generation | Select Yes to generate the PCAP file and select No to continue without the PCAP file. |
| Number of PCAP Files Generated | Enter a value for the number of PCAP files to be generated and stored on the GCB. |

On any of the above fields:
- click Reset to reset the value to default.
- click Apply to Group to apply the value to all the members of the group.

GCB Transaction Logging Settings
The GCB considers an HTTPS POST message from Pcapper to GCB as a transaction. The Transaction Logging feature collects data from the transaction to aid in troubleshooting problems such as dropped packets, or no traffic at tools. For each transaction, GCB creates a transaction record. The transaction record is logged to a transaction log file in the GCB pod or into the Kubernetes logging stdout stream.

The transaction log consists of various items like transaction index, transaction time, source, and destination details extracted from the data sources like GCB system time, Pcapper metadata field, and Pcapper transaction. Each pod can have a maximum of ten log files.
The GCB transaction log file name format is gcb_trans_<YYYY-MM-DD_hh-mm-ss>.<csv | json>, and the file is located on each GCB Pod in the /pod-data directory.
To view or edit the transaction log settings:
1. In GigaVUE-FM, navigate to Inventory > CONTAINER > Gigamon Containerized Broker > Settings, the Settings page appears.
2. From the Settings page, select a GCB to view or edit the GCB transaction log settings.
3. Select Edit to edit the required GCB transaction log values in the Individual Settings section.

| Field | Description |
|---|---|
| Transaction Logging | Select Yes to enable the transaction logs generation or select No to disable the transaction logs generation. |
| Write Transaction Log to a File | Select Yes to save the generated transaction logs to a file on your GCB HTTPS Pods or select No to continue without saving the logs to a file. |
| Write Transaction Log to stdout | Select Yes to save the generated transaction logs to your Kubernetes logging standard output stream or select No to continue without saving the logs to your Kubernetes stdout. Refer to Kubernetes Logging Architecture for detailed information on Kubernetes stdout. |
| Transaction Log Format | Select CSV or JSON as the transaction log file format. |
| Transaction Log File Size (MB) | Enter a value between 1 MB to 4095 MB for the transaction log file size. A new log file is created whenever the log file reaches the specified file size. |
| Unify All Settings | Enable the Unify All Settings option to apply all the log settings to the members of the group. |

On any of the above fields:
- click Reset to reset the value to default.
- click Apply to Group to apply the value to all the members of the group.
GCB Group Settings
GCB Group settings allow you to configure group settings such as packet reordering settings to multiple GCBs present in a group. It allows you to create a group consisting of multiple GCBs with the same settings. You can change one or more group settings for a GCB group, and the changes are applied to all the GCBs in the group. You can create many GCB groups, but the group name should be different.
GCB Packet Reordering Settings
When the GCB receives HTTPS POST request from Pcapper, it extracts the headers, metadata, and packets from the message. After extraction, GCB applies the traffic policy and service identification and forwards packets to the destination.
In some cases, a single request may not have the complete transaction, or the request may have packets that are out of order. The GCB packet reordering functionality fixes these out of order packets and makes a complete transaction for tool effectiveness. When the GCB receives a request from Pcapper, GCB checks for complete transaction using a combination of metadata fields and the flow of the extracted messages.
GCB stores the request in a queue with a time stamp and waits until the transaction is complete. When the queue reaches the maximum storage limit, then GCB drops the oldest or the most recent request based on the selected policy.
To view or edit the GCB packet reordering settings:
1. In GigaVUE-FM, navigate to Inventory > CONTAINER > Gigamon Containerized Broker > Settings, the Settings page appears.
2. From the Settings page, select a GCB to view or edit the GCB packet reordering settings.

3. Select Edit to edit the required GCB packet reordering values in the Group Settings section.

| Field | Description |
|---|---|
| Enable/disable packet reordering functionality | Select Yes to enable the packet reordering functionality or select No to disable the packet reordering functionality. |
| Use sequence number for packet reordering | Select Yes to use sequencing numbers for packet reordering or select No to reorder packets based on timestamps. |
| Use timestamp for packet reordering | Select Yes to use time stamps for packet reordering or select No to continue without using time stamps for the packet reordering. |
| Packet reordering timeout in milliseconds | Enter a value between 10000 to 3600000 milliseconds for the packet reordering timeout. The packet reordering timeout is the duration the GCB waits for the pending packets to complete the transaction; after this timeout, all the related packets are dropped. |
| Maximum number of requests stored in queue | Enter a value between 1000 to 100000 requests for the maximum number of requests that can be stored in the queue. |
| Packet reordering drop policy | Select Drop most recent to drop the most recent packets when the queue is overloaded or select Drop oldest to drop the old packets when the queue is overloaded. |

GCB for Cloud Object Storage
This chapter provides an overview of Gigamon Containerized Broker for cloud object storage and describes how to install and deploy UCT Containers in your Pods. Topics:
- Architecture of GCB for Cloud Object Storage
- Get Started with GCB for Cloud Object Storage
- Configure GCB for Cloud Object Storage
- View GCB statistics in GigaVUE-FM

Architecture of GCB for Cloud Object Storage
GCB with GigaVUE-FM deployment
With GCB in its own Pod, you can choose an orchestrator (other than GigaVUE-FM) like K8S to spin up/down the GCB pods.

During GCB initialization, the GCB Controller tries to connect with the GigaVUE-FM IP that you provided in the YAML file. GigaVUE-FM has a server certificate and GCB has a client certificate, so that GigaVUE-FM and GCB can identify the connection and traffic flow. GigaVUE-FM does not control the GCB spin up/down. The GCB parameter definition and deployment is performed through Kubernetes orchestrator and not by GigaVUE-FM.
Get Started with GCB for Cloud Object Storage
This section describes how to initiate GCB deployment with the required licenses and network requisites.
Refer to the following sections for details:
- Components of GCB for Cloud Object Storage
- License Information
- Network Requirements

Components of GCB for Cloud Object Storage
The Gigamon Containerized Broker for cloud object storage works with the following components:
- GigaVUE® Fabric Manager (GigaVUE-FM) is a web-based fabric management and orchestration interface that provides a single pane of glass visibility, management, and orchestration of both the physical and virtual traffic that form the GCB.
- UCT Container is the Traffic Acquisition Component of Gigamon's Network Visibility Offering. It receives mirrored traffic from various Networking Infrastructures and overlays (VXLAN) them to Gigamon Containerized Broker.
- GCB Controller is the management component of GCB that controls the registration and deregistration with GigaVUE-FM. GCB Controller also sends the collected statistics of GCB and UCT Container to GigaVUE-FM.
- GCB S3 is the storage service component of GCB that collects the mirrored packets from GCB Controller, converts them to a PCAP file, and uploads it into Amazon S3.
License Information
All the UCT Container instances connected to GCB periodically report the statistics to GCB. Then the GCB periodically reports the collective statistics of UCT Containers and its own statistics to GigaVUE-FM for Volume-Based Licensing. GigaVUE-FM adds the required licensing tags into the Elasticsearch.
In the Volume-Based Licensing scheme, a license entitles specific applications on your devices to use a specified amount of total data volume over the term of the license. The distribution of the license to individual nodes or devices becomes irrelevant for Gigamon's accounting purpose. GigaVUE-FM tracks the total amount of data processed by the various licensed applications and provides visibility into the actual amount of data, each licensed application is using on each node, and tracks the overuse if any.
Network Requirements
A security group defines the virtual firewall rules for your instance to control inbound and outbound traffic. When you launch GigaVUE-FM, Gigamon Containerized Broker, and UCT Containers in your project, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.
It is recommended to create a separate security group for each component using the rules and port numbers.

Gigamon Containerized Broker deployed inside EKS worker node

| Direction | Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| Inbound | HTTPS | TCP | 443 | Any IP address | Allows GCB Controller to communicate with GigaVUE-FM |

Configure GCB for Cloud Object Storage
This section describes how to configure GCB in your environment. Refer to the following sections for details:
• Launch GigaVUE-FM
• Launch Gigamon Containerized Broker
• Store Traffic Data in S3 Bucket
Launch GigaVUE-FM
The recent GigaVUE-FM image files can be downloaded from the Gigamon Customer Portal. After fetching the image, upload and launch GigaVUE-FM inside or outside your VPC. For assistance, contact Gigamon Technical Support.
Launch Gigamon Containerized Broker
Follow the instructions below to deploy GCB in your node:


1. In your Kubernetes orchestrator, enter the GCB Controller and GCB S3 image names, commands, and the required information in a YAML file. The following is example data to enter into your YAML file:

    image: gigamon/gcb-s3:<version>
    - command:
      - gcb-s3
      - <pkt_filter_type(ip|tcp|udp)>
      - <i_iface: eth0, eth1>
      - <s3_bucket_name>(Ex: gcb_s3_bucket)
      - <s3_region>(Ex: us-east-2)
      - <AWS Account-ID>
      - <max_pkt_per_pcap>
      - <idle_timeout (in sec)>
      - <stats_active (0/1)>
      - <gcm port>
      - <stats_interval(in sec)>
      - <filtering rule>
      - <gcb vxlan port>

    image: gigamon/gcb-cntlr:<version>
    - command:
      - /gcb-cntlr
      - <GigaVUE-FM IP>
      - <PORT ID for GCB controller to communicate with GigaVUE-FM>

2. Using the YAML file, Kubernetes automatically downloads the defined GCB Controller and GCB S3. Then both are deployed in a new Pod.
3. Connect the deployed UCT Containers to the GCB installed in the same node.
4. Register GCB with the GigaVUE-FM launched inside or outside your VPC.
Once the GCB is registered with GigaVUE-FM, the GCB starts to collect the traffic from the UCT Containers and periodically sends heartbeats and statistics to GigaVUE-FM. For more information on GCB and GigaVUE-FM interaction, refer to GCB and GigaVUE-FM Interaction.

Store Traffic Data in S3 Bucket

By default, the traffic information from GCB is saved to an Amazon S3 bucket. All the parameters of the S3 bucket are defined in the YAML files.

The following S3 bucket parameters are defined in the YAML file:

| Parameter | Description |
|---|---|
| s3_bucket_name | Name of the Amazon S3 bucket |
| s3_region | AWS region (Example: us-east-2) |
| AWS Account-ID | ID of AWS user account |
| max_pkt_per_pcap | Maximum packets required to create a PCAP file |
| idle_timeout (in sec) | Idle time limit to create PCAP file without waiting to collect the maximum packets defined. |

Follow the instructions below to store the traffic data from GCB in your Amazon S3 bucket.
1. Save the traffic data from the GCB as a PCAP file with the Server-Side Encryption technology.
2. Transfer and save the encrypted PCAP files to your Amazon S3 bucket.
NOTE: The naming conventions of the PCAP file and the folder in the S3 bucket are as follows:
• PCAP file name: <AWS Account ID>_pod_<Pod IP>_YYYY_MM_DD_HH_mm_ss_<milliseconds>.pcap
• S3 folder name: [S3 bucket name]/account_id/MM-DD-YYYY/[file-name]/
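The naming convention in the NOTE above can be used to audit what lands in the capture bucket, for example to flag objects filed under the wrong account or date folder. The following Python sketch is an added example, not Gigamon code; it assumes the object key is <account id>/<MM-DD-YYYY>/<file name>, a 12-digit account ID, an IPv4 pod address, and 1 to 3 millisecond digits, and the sample keys are constructed.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Guide's convention: <AWS Account ID>_pod_<Pod IP>_YYYY_MM_DD_HH_mm_ss_<milliseconds>.pcap
# Assumptions: 12-digit account ID, dotted IPv4 pod address, 1-3 millisecond digits.
NAME_RE = re.compile(
    r"^(?P<account>\d{12})_pod_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})_"
    r"(?P<ts>\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2})_(?P<ms>\d{1,3})\.pcap$"
)

def parse_pcap_key(key):
    """Parse an object key assumed to be <account id>/<MM-DD-YYYY>/<file name>.

    Returns (record, problems); record is None when the key cannot be parsed.
    """
    parts = key.strip("/").split("/")  # tolerate the trailing "/" shown in the guide
    if len(parts) != 3:
        return None, ["expected account/date/file, got %d segments" % len(parts)]
    folder_account, folder_date, name = parts
    m = NAME_RE.match(name)
    if m is None:
        return None, ["file name does not follow the PCAP naming convention"]
    try:
        pod_ip = ip_address(m["ip"])  # rejects octets above 255
        captured = datetime.strptime(m["ts"], "%Y_%m_%d_%H_%M_%S")
    except ValueError as exc:
        return None, ["invalid field in file name: %s" % exc]
    captured = captured.replace(microsecond=int(m["ms"]) * 1000)
    problems = []
    if folder_account != m["account"]:
        problems.append("account folder does not match file name")
    if folder_date != captured.strftime("%m-%d-%Y"):
        problems.append("date folder does not match capture timestamp")
    record = {"account": m["account"], "pod_ip": str(pod_ip), "captured": captured}
    return record, problems

# Constructed sample keys (not taken from a real bucket).
SAMPLE_KEYS = [
    "123456789012/12-11-2023/123456789012_pod_10.0.3.17_2023_12_11_09_30_05_042.pcap",
    "123456789012/12-12-2023/123456789012_pod_10.0.3.17_2023_12_11_23_59_59_999.pcap",
    "123456789012/12-11-2023/210987654321_pod_10.0.3.17_2023_12_11_09_30_05_7.pcap",
    "123456789012/12-11-2023/notes.txt",
]

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print(key, "->", parse_pcap_key(key))
```

Run over a bucket listing, any key that returns problems or fails to parse is a candidate for review.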
View GCB statistics in GigaVUE-FM
You can view the traffic information of GCB in GigaVUE-FM because the collective traffic statistics from UCT Containers and GCB are periodically transferred to GigaVUE-FM.
The GigaVUE-FM dashboard displays the GCB statistics in the following widgets:
• Status Summary
• Lowest Traffic
• Highest Traffic
To view the GCB statistics in GigaVUE-FM:
1. On the top navigation bar, click Dashboard.
2. In the left navigation pane of the Dashboard page, click Physical & Virtual.
3. Click Add Widget and select the Status Summary, Lowest Traffic, and Highest Traffic widgets. The widgets display the GCB status summary and the lowest and highest traffic.

Additional Sources of Information
This appendix provides additional sources of information. Refer to the following sections for details:
• Documentation
• Documentation Feedback
• Contact Technical Support
• Contact Sales
• The VÜE Community
Documentation
This table lists all the guides provided for GigaVUE Cloud Suite software and hardware. The first row provides an All-Documents Zip file that contains all the guides in the set for the release.
NOTE: In the online documentation, view What's New to access quick links to topics for each of the new features in this Release; view Documentation Downloads to download all PDFs.
Table 1: Documentation Set for Gigamon Products
GigaVUE Cloud Suite 6.5 Hardware and Software Guides

DID YOU KNOW? If you keep all PDFs for a release in a common folder, you can easily search across the doc set by opening one of the files in Acrobat and choosing Edit > Advanced Search from the menu. This opens an interface that allows you to select a directory and search across all PDFs in a folder.

Hardware
how to unpack, assemble, rack-mount, connect, and initially configure ports on the respective GigaVUE Cloud Suite devices; reference information and specifications for the respective GigaVUE Cloud Suite devices
• GigaVUE-HC1 Hardware Installation Guide
• GigaVUE-HC2 Hardware Installation Guide
• GigaVUE-HC3 Hardware Installation Guide
• GigaVUE-HC1-Plus Hardware Installation Guide
• GigaVUE-TA25 Hardware Installation Guide
• GigaVUE-TA25E Hardware Installation Guide
• GigaVUE-TA100 Hardware Installation Guide
• GigaVUE-TA200 Hardware Installation Guide
• GigaVUE-TA200E Hardware Installation Guide
• GigaVUE-TA400 Hardware Installation Guide
• GigaVUE-OS Installation Guide for DELL S4112F-ON
• G-TAP A Series 2 Installation Guide
• GigaVUE M Series Hardware Installation Guide
• GigaVUE-FM Hardware Appliance Guide for GFM-HW1-FM010 and GFM-HW1-FM001-HW

Software Installation and Upgrade Guides
• GigaVUE-FM Installation, Migration, and Upgrade Guide
• GigaVUE-OS Upgrade Guide
• GigaVUE V Series Migration Guide

Fabric Management and Administration Guides
• GigaVUE Administration Guide: covers both GigaVUE-OS and GigaVUE-FM
• GigaVUE Fabric Management Guide: how to install, deploy, and operate GigaVUE-FM; how to configure GigaSMART operations; covers both GigaVUE-FM and GigaVUE-OS features

Cloud Guides
how to configure the GigaVUE Cloud Suite components and set up traffic monitoring sessions for the cloud platforms
• GigaVUE V Series Applications Guide
• GigaVUE V Series Quick Start Guide
• GigaVUE Cloud Suite Deployment Guide - AWS
• GigaVUE Cloud Suite Deployment Guide - Azure
• GigaVUE Cloud Suite Deployment Guide - OpenStack
• GigaVUE Cloud Suite Deployment Guide - Nutanix
• GigaVUE Cloud Suite Deployment Guide - VMware
• GigaVUE Cloud Suite Deployment Guide - Third Party Orchestration
• Universal Cloud Tap - Container Deployment Guide
• Gigamon Containerized Broker Deployment Guide
• GigaVUE Cloud Suite for Nutanix Guide--GigaVUE-VM Guide
• GigaVUE Cloud Suite Deployment Guide - AWS Secret Regions

Reference Guides
• GigaVUE-OS CLI Reference Guide: library of GigaVUE-OS CLI (Command Line Interface) commands used to configure and operate GigaVUE HC Series and TA Series devices
• GigaVUE-OS Security Hardening Guide
• GigaVUE Firewall and Security Guide
• GigaVUE Licensing Guide
• GigaVUE-OS Cabling Quick Reference Guide: guidelines for the different types of cables used to connect Gigamon devices
• GigaVUE-OS Compatibility and Interoperability Matrix: compatibility information and interoperability requirements for Gigamon devices
• GigaVUE-FM REST API Reference in GigaVUE-FM User's Guide: sample uses of the GigaVUE-FM Application Program Interfaces (APIs)

Release Notes
• GigaVUE-OS, GigaVUE-FM, GigaVUE-VM, G-TAP A Series, and GigaVUE Cloud Suite Release Notes: new features, resolved issues, and known issues in this release; important notes regarding installing and upgrading to this release
NOTE: Release Notes are not included in the online documentation.
NOTE: Registered Customers can log in to My Gigamon to download the Software and Release Notes from the Software & Docs page on My Gigamon. Refer to How to Download Software and Release Notes from My Gigamon.
In-Product Help
• GigaVUE-FM Online Help: how to install, deploy, and operate GigaVUE-FM.
How to Download Software and Release Notes from My Gigamon
Registered Customers can download software and corresponding Release Notes documents from the Software & Release Notes page on My Gigamon. Use the My Gigamon Software & Docs page to download:

• Gigamon Software installation and upgrade images,
• Release Notes for Gigamon Software, or
• Older versions of PDFs (pre-v5.7).
To download release-specific software, release notes, or older PDFs:
1. Log in to My Gigamon.
2. Click on the Software & Release Notes link.
3. Use the Product and Release filters to find documentation for the current release. For example, select Product: "GigaVUE-FM" and Release: "5.6," enter "pdf" in the search box, and then click GO to view all PDF documentation for GigaVUE-FM 5.6.xx.
NOTE: My Gigamon is available to registered customers only. Newer documentation PDFs, with the exception of release notes, are all available through the publicly available online documentation.

Documentation Feedback

We are continuously improving our documentation to make it more accessible while maintaining accuracy and ease of use. Your feedback helps us to improve. To provide feedback and report issues in our documentation, send an email to: documentationfeedback@gigamon.com

Please provide the following information in the email to help us identify and resolve the issue. Copy and paste this form into your email, complete it as able, and send. We will respond as soon as possible.
Documentation Feedback Form

About You
• Your Name
• Your Role
• Your Company

For Online Topics
• Online doc link (URL for where the issue is)
• Topic Heading (if it's a long topic, please provide the heading of the section where the issue is)

For PDF Topics
• Document Title (shown on the cover page or in page header)
• Product Version (shown on the cover page)
• Document Version (shown on the cover page)
• Chapter Heading (shown in footer)
• PDF page # (shown in footer)

How can we improve?
• Describe the issue: Describe the error or issue in the documentation. (If it helps, attach an image to show the issue.)
• How can we improve the content? Be as specific as possible.
• Any other comments?

Contact Technical Support

For information about Technical Support: Go to Settings > Support > Contact Support in GigaVUE-FM.

You can also refer to https://www.gigamon.com/support-and-services/contact-support for Technical Support hours and contact information.

Email Technical Support at support@gigamon.com.

Contact Sales

Use the following information to contact a Gigamon channel partner or Gigamon sales representative.
Telephone: +1.408.831.4025

Sales: inside.sales@gigamon.com
Partners: www.gigamon.com/partners.html
Premium Support
Email Gigamon at inside.sales@gigamon.com for information on purchasing 24x7 Premium Support. Premium Support entitles you to round-the-clock phone support with a dedicated Support Engineer every day of the week.
The VÜE Community
The VÜE Community is a technical site where Gigamon users, partners, security and network professionals and Gigamon employees come together to share knowledge and expertise, ask questions, build their network and learn about best practices for Gigamon products.
Visit the VÜE site to:
• Find knowledge base articles and documentation
• Ask and answer questions and learn best practices from other members.
• Join special-interest groups to have focused collaboration around a technology, use case, vertical market or beta release
• Take online learning lessons and tutorials to broaden your knowledge of Gigamon products.
• Open support tickets (Customers only)
• Download the latest product updates and documentation (Customers only)
The VÜE Community is a great way to get answers fast, learn from experts and collaborate directly with other members around your areas of interest.
Register today at community.gigamon.com
Questions? Contact our Community team at community@gigamon.com.

Glossary
D
decrypt list: need to decrypt (formerly blacklist)
decryptlist: need to decrypt - CLI Command (formerly blacklist)
drop list: selective forwarding - drop (formerly blacklist)
F
forward list: selective forwarding - forward (formerly whitelist)
L
leader: leader in clustering node relationship (formerly master)
M
member node: follower in clustering node relationship (formerly slave or non-master)
N
no-decrypt list: no need to decrypt (formerly whitelist)

nodecryptlist: no need to decrypt - CLI Command (formerly whitelist)
P
primary source: root timing; transmits sync info to clocks in its network segment (formerly grandmaster)
R
receiver: follower in a bidirectional clock relationship (formerly slave)
S
source: leader in a bidirectional clock relationship (formerly master)
