About Cisco Nexus Data Broker
Visibility into application traffic has traditionally been important for infrastructure operations teams to maintain security, troubleshoot problems, meet compliance requirements, and plan resources. With technological advances and the growth of cloud-based applications, it has become imperative to gain increased visibility into network traffic. Traditional approaches to gaining that visibility are expensive and rigid, which makes them difficult for managers of large-scale deployments.
Cisco Nexus Data Broker with Cisco Nexus Switches provides a software-defined, programmable solution for aggregating copies of network traffic from Switched Port Analyzer (SPAN) sessions or network Test Access Points (TAPs) for monitoring and visibility. Compared with traditional network taps and monitoring solutions, this packet-brokering approach offers a simple, scalable, and cost-effective solution that is well suited to customers who need to monitor high-volume and business-critical traffic while making efficient use of security, compliance, and application performance monitoring tools.
The flexibility to use a variety of Cisco Nexus Switches, and the ability to interconnect them to form a scalable topology, lets you aggregate traffic from multiple input TAP or SPAN ports and replicate and forward it to multiple monitoring tools, which may be connected across different switches. By combining the Cisco plugin for OpenFlow and the Cisco NX-API agent to communicate with the switches, Cisco Nexus Data Broker provides advanced features for traffic management.
Cisco Nexus Data Broker provides management support for multiple disjoint Cisco Nexus Data Broker networks. You can manage multiple, possibly disjoint, Cisco Nexus Data Broker topologies using the same application instance. For example, if you have 5 data centers and want to deploy an independent Cisco Nexus Data Broker solution for each data center, you can manage all 5 independent deployments from a single application instance by creating a logical partition (network slice) for each monitoring network.
All the ACLs related to the default filters are installed on the ISL interfaces of the new switch. By default, this feature is enabled for all new ISL interfaces.
Note
Each PACL takes one label. If the same PACL is configured on multiple interfaces, the label is shared. If each PACL has unique entries, the labels are not shared, and the limit is 30 labels.
Note
You can manage this feature using the mm.addDefaultISLDenyRules attribute in the config.ini file. By default, the mm.addDefaultISLDenyRules attribute is not present in config.ini. To disable this feature, add the mm.addDefaultISLDenyRules attribute to config.ini, set it to false, and restart Cisco Nexus Data Broker. For example:
Note
A Cisco Nexus Data Broker instance can support either the OpenFlow or the NX-API device configuration mode; it does not support both device types at the same time.
Note
Starting with Cisco NDB Release 3.4, you can configure the timeout interval for the NDB GUI. By default, a user is logged out if the session is inactive for more than 10 minutes. You can configure the inactivity timeout by modifying the timeout interval attribute in the xnc/configuration/web.xml file. You need to restart NDB to apply the new interval.
Note
Starting with Cisco Nexus Data Broker, Release 3.3:
Note
Starting with Cisco NDB Release 3.2.2, IPv6 addressing is supported in centralized mode. You can configure NDB to use either IPv6 addressing only or both IPv4 and IPv6 addressing. Set the ipv6.strict attribute in the config.ini file to true to make NDB reachable only through its IPv6 address. If you set the ipv6.strict attribute to false, you can reach NDB through either the IPv4 or the IPv6 address.
Note
Starting with Cisco Nexus Data Broker Release 3.1, user strings for Cisco Nexus Data Broker can contain alphanumeric characters and the following special characters only: period (.), underscore (_), and hyphen (-). No other special characters are allowed in user strings.
Note
The hostname string for Cisco Nexus Data Broker can contain between 1 and 256 alphanumeric characters and the following special characters only: period (.), underscore (_), and hyphen (-). No other special characters are allowed in the hostname string.
Note
Nexus 3548 does not support the Block-Tx feature.
Cisco Nexus Data Broker provides the following:
- Support for the OpenFlow mode or the NX-API mode of operation.
  Note
  The OpenFlow mode and the NX-API mode are supported on both Cisco Nexus 3000 Series and Cisco Nexus 9000 Series switches. Cisco Nexus 9500, 9200, and 9300-EX switches support only the NX-API mode of deployment. Cisco Nexus 3500 switches support only the OpenFlow mode of deployment. You can enable only one mode, either OpenFlow or NX-API, at a time.
  When using OpenFlow mode, NX-API is available for auxiliary configurations only, for example, enabling Q-in-Q on the SPAN and TAP ports.
  Cisco Nexus 9300-EX Series switches support only Cisco NX-OS Release 7.0(3)I5(1) and later releases.
  The configuration that is supported in the AUX mode is:
  - Pull and push of interface description
  - Q-in-Q configuration
  - Redirection
  - Port Channel load balancing
  - MPLS Stripping
  Note
  Starting with Cisco Nexus 3000 Series Release 7.x, the NX-API configuration is supported on the following Cisco Nexus Series switches:
  - Cisco Nexus 3172 switches
  - Cisco Nexus 3132 switches
  - Cisco Nexus 3164 switches
  - Cisco Nexus 31128 switches
  - Cisco Nexus 3232 switches
  - Cisco Nexus 3264 switches
  - Cisco Nexus 3100-V switches
- The features that are supported with the Cisco Nexus 9500 Series switches are:
  - The NX-API feature is supported. (OpenFlow is not supported.)
  - The MPLS strip feature is supported.
  - The label age CLI feature is not supported.
- Support for Layer-7 filtering for HTTP traffic using the HTTP methods.
- Support for VLAN and MPLS tag stripping.
- A scalable topology for TAP and SPAN port aggregation.
- Support for Q-in-Q to tag input source TAP and SPAN ports.
- Symmetric load balancing.
- Rules for matching monitoring traffic based on Layer 1 through Layer 4 information.
- The ability to replicate and forward traffic to multiple monitoring tools.
- Time stamping using Precision Time Protocol (PTP).
- Packet truncation beyond a specified number of bytes to discard the payload.
- Reaction to changes in the TAP/SPAN aggregation network state.
- Security features, such as role-based access control (RBAC), and integration with an external directory or AAA server, such as Active Directory, through RADIUS, TACACS+, or LDAP for authentication, authorization, and accounting (AAA) functions.
- End-to-end path visibility, including both port-level and flow-level statistics for troubleshooting.
- A robust Representational State Transfer (REST) API and a web-based GUI for performing all functions.
- Support for the Cisco plugin for OpenFlow, version 1.0.
- Cisco Nexus Data Broker adds an NX-API plugin to support Cisco Nexus 9000 Series switches for TAP/SPAN aggregation. NX-API supports JSON-RPC, XML, and JSON. Cisco Nexus Data Broker interacts with Cisco Nexus 9000 Series switches using NX-API in JSON message format.
- Beginning with Cisco Nexus Data Broker, Release 3.1, Cisco Nexus Data Broker is certified with Cisco Nexus 9200 Series and Cisco Nexus 9300-EX Series switches.
  The following features are supported on the Cisco Nexus 9300-EX Series switches:
  - Symmetric Load Balancing
  - Q-in-Q
  - Switch Port Configuration
  - MPLS Stripping
  - BlockTx
  - Truncate
- Beginning with Cisco Nexus Data Broker, Release 3.1, Cisco Nexus Data Broker is shipped with a certificate for the HTTPS connection between Cisco Nexus Data Broker and a browser. With this feature, you can replace the shipped certificate with a different one. A certificate that ships with the software is identical on every installation, so its private key is not private to your deployment; replace it before exposing the GUI on a production network.
  The script generateWebUIcertificate.sh is available in the xnc/configuration folder. When you run this script, it moves the shipped certificate to old_keystore and generates the new certificate in keystore. On the next Cisco Nexus Data Broker restart, the new certificate is used. After the restart, confirm that the certificate presented by the GUI matches the one in keystore before trusting it.
With Cisco Nexus Data Broker, you can:
- Classify Switched Port Analyzer (SPAN) and Test Access Point (TAP) ports.
- Integrate with Cisco ACI through Cisco APIC to configure SPAN destinations and SPAN sessions.
- Add monitoring devices to capture traffic.
- Filter which traffic should be monitored.
- Redirect packets from a single or multiple SPAN or TAP ports to multiple monitoring devices through delivery ports.
- Restrict which users can view and modify the monitoring system.
- Be aware that if a Cisco Nexus 9000 Series switch running Cisco NX-OS Release 7.0(3)I4(1) or later is used in NX-API mode and a flow is installed using a VLAN filter, the switch goes through an IP access list and does not match on Layer 2 packets.
- Configure these additional features, depending upon the type of switch:
  - Enable MPLS tag stripping.
  - Set the VLAN ID on Cisco Nexus 3000 Series switches.
  - Symmetric load balancing on Cisco Nexus 3100 Series switches and Cisco Nexus 9000 Series switches.
  - Q-in-Q on Cisco Nexus 3000 Series switches, 3100 Series switches, and Cisco Nexus 9000 Series switches.
  - Timestamp tagging and packet truncation on Cisco Nexus 3500 Series switches.
- Configure the watchdog_timer parameter in the config.ini file. If the value is set to 0, the watchdog timer functionality is not available. The minimum value is 30 seconds; when the value is set to 30 seconds or more, the watchdog timer monitors the Java process at the configured interval.
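As an added example, not code from Cisco or from Nexus Data Broker itself, the following Python checker applies the config.ini rules given in the notes on this page (mm.addDefaultISLDenyRules, ipv6.strict, watchdog_timer) and the user-string and hostname character rules to a constructed sample file, so that a misconfiguration is caught before the restart that would otherwise be needed to discover it. It assumes config.ini uses one key=value per line with '#' comments, treats watchdog_timer values between 1 and 29 as errors because 30 is the documented minimum, and treats an absent ipv6.strict as false; none of those details are stated on the page.

```python
# Added example for this page; not code from Cisco or from Nexus Data Broker.
# It applies the config.ini rules and the user/hostname string rules quoted on
# the page to a constructed sample. Assumptions (not stated on the page):
# config.ini holds one key=value per line with '#' comments; watchdog_timer
# values 1..29 are errors because 30 is the documented minimum; an absent
# ipv6.strict behaves like false; true/false are matched case-insensitively.
import re

# Allowed characters for NDB user strings and hostnames: alphanumerics, . _ -
NAME_CHARS = re.compile(r"[A-Za-z0-9._-]+")


def parse_properties(text):
    """Parse key=value lines into a dict; raise ValueError on a malformed line."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        props[key.strip()] = value.strip()
    return props


def parse_bool(key, value):
    """Accept only 'true' or 'false' (any case); anything else is an error."""
    mapping = {"true": True, "false": False}
    if value.strip().lower() not in mapping:
        raise ValueError(f"{key} must be true or false, got {value!r}")
    return mapping[value.strip().lower()]


def isl_deny_rules_enabled(props):
    """mm.addDefaultISLDenyRules: absent means enabled (the documented default);
    only an explicit false disables the default ISL deny rules."""
    value = props.get("mm.addDefaultISLDenyRules")
    return True if value is None else parse_bool("mm.addDefaultISLDenyRules", value)


def ipv6_only(props):
    """ipv6.strict=true makes NDB reachable over IPv6 only; false allows both."""
    value = props.get("ipv6.strict")
    return False if value is None else parse_bool("ipv6.strict", value)


def watchdog_interval(props):
    """watchdog_timer: 0 disables the watchdog (returned as None); any other
    value is the interval in seconds at which the Java process is monitored
    and must be at least 30."""
    value = props.get("watchdog_timer")
    if value is None:
        return None
    if not value.isdigit():
        raise ValueError(f"watchdog_timer must be a non-negative integer, got {value!r}")
    seconds = int(value)
    if seconds == 0:
        return None
    if seconds < 30:
        raise ValueError(f"watchdog_timer={seconds} is below the 30 second minimum")
    return seconds


def valid_user_string(s):
    """User strings may contain only alphanumerics and . _ - (non-empty)."""
    return NAME_CHARS.fullmatch(s) is not None


def valid_hostname(s):
    """Hostnames use the same character set and are 1 to 256 characters long."""
    return 1 <= len(s) <= 256 and NAME_CHARS.fullmatch(s) is not None


def lint(text):
    """Return a list of problems found in a config.ini body; [] means it passes."""
    try:
        props = parse_properties(text)
    except ValueError as e:
        return [str(e)]
    problems = []
    for check in (isl_deny_rules_enabled, ipv6_only, watchdog_interval):
        try:
            check(props)
        except ValueError as e:
            problems.append(str(e))
    return problems


# Constructed sample config.ini bodies, not taken from any real deployment.
SAMPLE_GOOD = """# ISL deny rules off, IPv6 only, watchdog every 60 s
mm.addDefaultISLDenyRules=false
ipv6.strict=true
watchdog_timer=60
"""
SAMPLE_BAD = """# 'yes' is not a valid boolean; 10 s is below the minimum
ipv6.strict=yes
watchdog_timer=10
"""

if __name__ == "__main__":
    for name, body in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(f"{name}: {lint(body) or 'OK'}")
    print("hostname ndb-01.example_net:", valid_hostname("ndb-01.example_net"))
    print("user admin@corp:", valid_user_string("admin@corp"))
```

Run it against the real xnc/configuration/config.ini before restarting Nexus Data Broker; because the checks refuse anything other than a literal true/false and flag a watchdog_timer below the minimum, a typo that would silently leave the default ISL deny rules enabled or leave the GUI reachable over IPv4 when IPv6-only was intended is reported instead of discovered after the restart.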