White Paper

Cisco Nexus Data Broker Integration with Cisco ACI

What You Will Learn

Visibility into network traffic has long been important for network operations, compliance, and security. Traditionally, network traffic monitoring has been performed using test access points (TAPs) and Cisco® Switched Port Analyzer (SPAN) along with a purpose-built matrix switch to replicate and forward the traffic to different monitoring tools. This approach has become more challenging as network and application traffic volume has increased and as traffic has shifted to an east-west pattern. This shift in traffic pattern requires customers to move their monitoring domains from the aggregation layer to the access layer or the top of the rack for better visibility.

Cisco Nexus® Data Broker offers a cost-effective alternative to traditional TAP and SPAN aggregation solutions for network traffic monitoring. This simple and scalable solution offers several flexible implementation options that can appeal to a wide variety of customers. This document discusses how the data broker, together with Cisco Nexus 9000 Series Switches, integrates with Cisco Application Centric Infrastructure (Cisco ACI™) to provide fabric traffic visibility for security, monitoring, and operations purposes.

Cisco Application Centric Infrastructure Overview

Cisco ACI fabric consists of three major components:
● Cisco Application Policy Infrastructure Controller (APIC)
● Cisco ACI spine switches
● Cisco ACI leaf switches

Figure 1 shows these three components in the Cisco ACI fabric architecture.

Figure 1. Cisco ACI Fabric Architecture

© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 6

In Figure 1, the fabric is designed in a leaf-and-spine architecture, with links connecting each leaf switch to each spine switch.
This design enables linear scalability and robust multipathing within the fabric, optimized for the large volumes of east-west traffic required by modern applications. Links between the leaf and spine switches can use 40-Gbps Cisco BiDi optics. Cisco BiDi optics enable customers to run 40 Gigabit Ethernet on the same optical fibers that they have been using for 10 Gigabit Ethernet.

Note: In upcoming releases, Cisco ACI will support 100-Gbps leaf-to-spine interconnects in addition to the current 40-Gbps connectivity.

Cisco ACI fabric is designed from the foundation for programmability and simplified management. The APIC, which is a clustered network control system, provides these capabilities. This controller acts as the centralized policy and network management engine for the fabric and is responsible for tasks ranging from fabric activation and switch firmware management to network policy configuration and instantiation. In addition to a web-based GUI, the APIC provides a northbound API through representational state transfer (REST) and JavaScript Object Notation (JSON) for all policy, fabric, and system configurations.

For application-level traffic monitoring and visibility, Cisco ACI offers three SPAN options that allow administrators to copy traffic to external entities:
● Access SPAN (or infrastructure SPAN): Access SPAN copies traffic from all or specific host-facing leaf ports. Traffic can be further filtered based on the endpoint group (EPG) and traffic direction. Copied traffic can be sent to any external entity through the local destination interface.
● Fabric SPAN: Fabric SPAN copies traffic from leaf node uplink interfaces (fabric facing) or fabric ports. Traffic can be filtered based on the bridge domain and private network. Copied traffic is sent to remote destinations using Encapsulated Remote SPAN (ERSPAN).
● Tenant SPAN: This mode copies specific tenant traffic to remote destinations using ERSPAN. The traffic source is specified only using EPGs.
  No additional filtering is possible at the time of this writing.

In addition to the SPAN options, administrators have the flexibility to use optical TAPs, including BiDi TAPs, which can passively copy the traffic between the leaf and spine switches.

Although Cisco ACI provides an integrated in-band mechanism for carrying monitoring traffic from any source to any destination leaf switch by using ERSPAN, a solution that combines Cisco Nexus Data Broker with Cisco ACI access SPAN and Cisco BiDi TAPs can provide several advantages:
● Additional filtering and truncation control of monitored application traffic through the data broker
● Consolidation and replication of monitoring traffic, allowing the use of multiple monitoring devices on the same traffic sources
● Redirection of monitoring traffic to a dedicated out-of-band network
● Fewer visibility blind spots, because administrators can capture both locally switched traffic and fabric traffic within a leaf switch

Note: Although Cisco ACI can manage the prioritization of ERSPAN traffic within the fabric to avoid any impact on application traffic, in environments with very high traffic monitoring requirements offloading monitoring traffic to a dedicated network may be beneficial.

Cisco Nexus Data Broker Overview

Cisco Nexus Data Broker is a simple, scalable, and cost-effective solution for enterprise customers who need to monitor higher-volume and business-critical traffic. It replaces traditional purpose-built matrix switches with one or more Cisco Nexus 9000 Series Switches that you can interconnect to build a scalable network TAP and SPAN aggregation infrastructure that supports 1-, 10-, 40-, and 100-Gbps speeds.

The Cisco solution consists of two elements: Cisco Nexus 9000 Series Switches in Cisco NX-OS Software mode and Cisco Nexus Data Broker Software.
Compatible switches are:
◦ Cisco Nexus 9300 platform switches
◦ Cisco Nexus 9500 platform with line cards supported in NX-OS mode

These are the primary value propositions for the solution:
◦ Significant reduction in capital expenditures (CapEx) compared to traditional approaches
◦ Efficient use of monitoring and analysis tools
◦ Faster troubleshooting

The Cisco solution gives customers flexibility, allowing them to use either the centralized deployment option or the embedded on-switch deployment option on Cisco Nexus 9000 Series Switches.

Integration with Cisco ACI for Traffic Visibility

Cisco Nexus Data Broker integration with Cisco ACI provides a central management point for fabric traffic visibility. Figure 2 shows the high-level deployment architecture integrating the data broker with Cisco ACI. Using the data broker's GUI or REST API, users can perform the following operations in Cisco ACI fabric:
● Set up Cisco ACI leaf ports as SPAN destinations. These SPAN destination interfaces need to be connected to a port on the Cisco Nexus 9000 Series Switch that is acting as a data broker switch.
● Configure SPAN sessions. SPAN access sessions can be set up, and the traffic can be configured so that it is forwarded to monitoring tools, from a single GUI screen. Optionally, traffic can be further filtered based on EPGs.
● Synchronize SPAN sessions. Periodically synchronize SPAN access session information to make sure that the data broker and the APIC are in agreement.

Figure 2. Cisco Nexus Data Broker Integration with Cisco ACI

All these configurations and information queries are performed through the APIC's REST interface. When you add a SPAN session, you can directly specify the monitoring tools to which the SPAN traffic needs to be sent.
The data broker automatically creates the connection policy and configures the Cisco Nexus 9000 Series Switches to redirect the traffic to the monitoring tools. This automation eliminates the need for you to perform two separate steps. Table 1 summarizes the SPAN functions that are supported through the data broker interface.

Table 1. SPAN Functions Supported through the Cisco Nexus Data Broker Interface

Feature: APIC cluster addition
Details:
● Add up to 3 APICs in a cluster.
● Automatically fail over when the connection to an instance is lost.

Feature: SPAN destination management
Details:
● Select one or more leaf ports and designate them as SPAN destination ports.
● Perform add, modify, and delete operations for the SPAN destination from the data broker interface.

Feature: SPAN session management
Details:
● Add, modify, and delete SPAN sessions from the data broker interface.
● Add multiple source ports across multiple leaf switches.
● Filter traffic based on the EPG.
● Specify the traffic direction that needs to be captured.
● Specify the monitoring tools that need to receive the SPAN traffic.

Feature: SPAN session synchronization
Details:
● Periodically synchronize the SPAN access session information with the APIC.
● If deviations exist, the data broker updates the configuration in the APIC.

Use Case: Deployment in a Large Service Provider Data Center

A large service provider customer was using a traditional network packet-broker solution to monitor network traffic in a traditional data center infrastructure. Traffic was being sent to tools for application performance measurement, network security, and network troubleshooting. When this customer started rolling out Cisco ACI, the customer wanted to monitor the traffic in the ACI fabric. However, the existing packet-broker switch did not have enough capacity to handle the SPAN traffic from the Cisco ACI fabric. Adding more ports to the existing packet-broker solution involved buying a new chassis and a line card, which proved to be very expensive.
This customer was seeking alternative solutions to overcome these challenges.

With Cisco Nexus switches and Cisco Nexus Data Broker, the customer was able to deploy a cost-effective SPAN aggregation solution. The Cisco Nexus switch aggregated both the SPAN access sessions and the BiDi optical TAPs from the Cisco ACI fabric. These Cisco Nexus switches were connected to the customer's existing packet-broker switch, allowing the customer to aggregate traffic from both Cisco ACI and the traditional network to the current monitoring tools. Figure 3 shows the deployment architecture of the data broker in this scenario.

Figure 3. Customer Deployment Example

The primary benefits of this new monitoring infrastructure for the customer are:
● Reduced CapEx and simpler, more cost-effective monitoring switches
● Efficient use of analysis tools for better utilization of ports
● Improved facilities, as the Cisco Nexus Data Broker was added without any disruption to the customer's current monitoring infrastructure

Conclusion

Cisco Nexus Data Broker is a highly scalable solution with options ranging from a small one-switch, embedded deployment to a centralized deployment across many data centers in different locations. Integration with Cisco ACI provides a central point for all monitoring configuration and eliminates the need for users to use multiple systems to configure monitoring. Because of this flexibility, Cisco Nexus Data Broker customers can monitor any part of their networks in an automated and cost-effective way.
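The SPAN session synchronization row of Table 1 and the REST-driven operations described under "Integration with Cisco ACI for Traffic Visibility" amount to a reconciliation loop: the broker holds the desired set of access SPAN sessions, reads the APIC's current state, and pushes corrections where the two differ. The following Python is an added example of that loop and is not Cisco's code nor the data broker's implementation. The APIC object names it uses (spanSrcGrp, spanSrc, spanSpanLbl, spanRsSrcToPathEp, spanRsSrcToEpg, the `status: deleted` marker and the `/api/mo/uni/infra.json` target) are my reading of the APIC object model and should be checked against the APIC REST API documentation; the desired sessions and the APIC reply are constructed sample data.

```python
# Added example (not Cisco code): reconcile the SPAN access sessions a data broker
# wants against what the APIC reports, and emit the REST payloads needed to fix drift.
# The APIC class/attribute names (spanSrcGrp, spanSrc, spanSpanLbl, spanRsSrcToPathEp,
# spanRsSrcToEpg, status="deleted") are my reading of the APIC object model and are
# assumptions to check against the APIC REST API documentation before use.
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class SpanSession:
    """One access-SPAN session as the broker models it."""
    name: str
    dest_group: str                 # SPAN destination group (the broker-facing leaf ports)
    direction: str                  # "in", "out" or "both"
    sources: FrozenSet[str]         # leaf port path DNs to mirror
    epg: Optional[str] = None       # optional EPG filter DN


# Constructed desired state: what an operator configured in the broker GUI/REST API.
DESIRED: Dict[str, SpanSession] = {
    "web-tier": SpanSession(
        "web-tier", "ndb-dest", "both",
        frozenset({"topology/pod-1/paths-101/pathep-[eth1/1]",
                   "topology/pod-1/paths-102/pathep-[eth1/1]"}),
        epg="uni/tn-prod/ap-app1/epg-web"),
    "db-tier": SpanSession(
        "db-tier", "ndb-dest", "in",
        frozenset({"topology/pod-1/paths-103/pathep-[eth1/5]"})),
}

# Constructed APIC reply, shaped like a class query with rsp-subtree=full: "web-tier"
# lost one source port, "legacy" is a stale session, and "db-tier" does not exist yet.
OBSERVED_APIC = {"totalCount": "2", "imdata": [
    {"spanSrcGrp": {"attributes": {"name": "web-tier"}, "children": [
        {"spanSpanLbl": {"attributes": {"name": "ndb-dest"}}},
        {"spanSrc": {"attributes": {"name": "web-tier", "dir": "both"}, "children": [
            {"spanRsSrcToPathEp": {"attributes": {"tDn": "topology/pod-1/paths-101/pathep-[eth1/1]"}}},
            {"spanRsSrcToEpg": {"attributes": {"tDn": "uni/tn-prod/ap-app1/epg-web"}}}]}}]}},
    {"spanSrcGrp": {"attributes": {"name": "legacy"}, "children": [
        {"spanSpanLbl": {"attributes": {"name": "old-dest"}}},
        {"spanSrc": {"attributes": {"name": "legacy", "dir": "out"}, "children": [
            {"spanRsSrcToPathEp": {"attributes": {"tDn": "topology/pod-1/paths-101/pathep-[eth1/9]"}}}]}}]}},
]}


def parse_observed(apic_json: dict) -> Dict[str, SpanSession]:
    """Normalise the APIC's nested spanSrcGrp tree into SpanSession records."""
    sessions = {}
    for item in apic_json.get("imdata", []):
        grp = item["spanSrcGrp"]
        name = grp["attributes"]["name"]
        dest_group, direction, epg, paths = "", "both", None, set()
        for child in grp.get("children", []):
            if "spanSpanLbl" in child:
                dest_group = child["spanSpanLbl"]["attributes"]["name"]
            elif "spanSrc" in child:
                src = child["spanSrc"]
                direction = src["attributes"].get("dir", "both")
                for sub in src.get("children", []):
                    if "spanRsSrcToPathEp" in sub:
                        paths.add(sub["spanRsSrcToPathEp"]["attributes"]["tDn"])
                    elif "spanRsSrcToEpg" in sub:
                        epg = sub["spanRsSrcToEpg"]["attributes"]["tDn"]
        sessions[name] = SpanSession(name, dest_group, direction, frozenset(paths), epg)
    return sessions


def to_payload(s: SpanSession) -> dict:
    """Build the JSON body to POST to /api/mo/uni/infra.json for one session."""
    src_children = [{"spanRsSrcToPathEp": {"attributes": {"tDn": p}}} for p in sorted(s.sources)]
    if s.epg:
        src_children.append({"spanRsSrcToEpg": {"attributes": {"tDn": s.epg}}})
    return {"spanSrcGrp": {"attributes": {"name": s.name}, "children": [
        {"spanSpanLbl": {"attributes": {"name": s.dest_group}}},
        {"spanSrc": {"attributes": {"name": s.name, "dir": s.direction},
                     "children": src_children}}]}}


def plan_sync(desired: Dict[str, SpanSession],
              observed: Dict[str, SpanSession]) -> List[Tuple[str, str, dict]]:
    """Return (action, session name, payload) triples that bring the APIC in line."""
    actions = []
    for name, want in sorted(desired.items()):
        have = observed.get(name)
        if have is None:
            actions.append(("create", name, to_payload(want)))
        elif have != want:              # any field drifted: re-post the full session
            actions.append(("update", name, to_payload(want)))
    for name in sorted(set(observed) - set(desired)):
        actions.append(("delete", name,
                        {"spanSrcGrp": {"attributes": {"name": name, "status": "deleted"}}}))
    return actions


if __name__ == "__main__":
    for action, name, payload in plan_sync(DESIRED, parse_observed(OBSERVED_APIC)):
        print(action, name, json.dumps(payload, indent=1))
```

Run as written, the planner produces a create for db-tier, an update for web-tier (its second source port is missing on the APIC) and a delete for the stale legacy session. Two design points matter for a production sync: the comparison is on normalised records rather than raw JSON, so attribute ordering or APIC-added default attributes do not register as drift, and the delete step in a real broker would be scoped to sessions the broker itself created, so that SPAN sessions configured by other administrators directly on the APIC are reported rather than silently removed.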
For More Information

● Information about Cisco Nexus Data Broker: http://www.cisco.com/go/nexusdatabroker
● Cisco Nexus Data Broker data sheet: http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/nexus-data-broker/data_sheet_c78-729452.html
● Cisco Nexus Data Broker solution implementation guide: http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/nexus-data-broker/guide-c07736167.html
● Cisco Nexus Data Broker solution overview: http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/nexus-data-broker/solution-overview-c22-729753.html

Printed in USA © 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. C11-736572-00 03/16 Page 6 of 6