NextGig Systems, Inc. - Network Connectivity & Test Solutions

Packet Filtering versus Mapping

Mapping Packets, Pre-Filters & Post-Filters

Gigamon offers two variations of filtering. The first is called a Pre-Filter, or filter before aggregation. The second is a Post-Filter, or filter after aggregation.

[Figure: Gigamon GigaVUE packet filtering diagram]

The diagram above shows a connectivity scenario where packets are flowing from left to right. Ports on the left are called Network Ports (ingress ports) and ports on the right are Tool Ports (egress ports). Network Ports are connected to the network via SPAN ports, external taps, or internal taps such as the GigaTAP (or an optical splitter in the case of an “Aggregation Tap”). Similarly, Tool Ports are connected to security tools used for troubleshooting, monitoring and analysis. Any passive Ethernet-based tool can be plugged into the GigaVUE, including protocol analyzers, intrusion detection systems, forensic recorders, application performance monitors, data loss prevention and VoIP analyzers.

Packet filtering can be implemented either at the ingress or the egress. Filters that are implemented on the ingress side are called Pre-Filters since filtering is done before any connectivity operations, i.e., before aggregation (Many-to-Any) and replication (Any-to-Many). Similarly, filters that are implemented on the egress side are called Post-Filters since filtering is done only after aggregation.

Pre-Filters are used to prevent oversubscription, since they cut down on incoming traffic before aggregation.

Post-Filters are very useful as a way of customizing traffic for multiple attached tools (filtering for one tool does not affect its neighbors).

The GigaVUE network monitoring switches have a third way of customizing traffic, called “Mapping”. It can be thought of as a “multi-rule” Pre-Filter and is available for both 1G and 10G ingress ports.

[Figure: Gigamon GigaVUE packet mapping diagram]

The above diagram shows a typical example where the ingress ports are 10G which can receive traffic from the SPAN port of a 10G core switch or from a 10G passive tap. Using these multi-rule Pre-Filters, 10G traffic can be “mapped” to multiple load-sharing 1G monitoring tools with each tool analyzing a specific VLAN range, port number or IP subnet according to the specific filter rule. This provides the ability to perform comprehensive monitoring at 10G line-rate without oversubscribing any single 1G tool.

Mapping is a combination of “multicasting” and “pre-filtering”. Unlike a conventional single-rule Pre-Filter, GigaVUE can first make a backup copy of the incoming traffic before filtering, so that each subsequent filter is applied to the original ingress traffic. Multiple filters may be combined using Boolean logic statements before the customized data stream is delivered to your monitoring tools.
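A small Python model of the Pre-Filter, Post-Filter and Mapping behaviour described above, added here as an illustration; it is not Gigamon code or GigaVUE configuration syntax. The packet records, tool names and rule helpers are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample of ingress traffic (one dict per packet); not captured data.
INGRESS = [
    {"vlan": 10, "dport": 443,  "src": "10.1.0.5",  "bytes": 1500},
    {"vlan": 12, "dport": 5060, "src": "10.1.0.9",  "bytes": 200},
    {"vlan": 30, "dport": 5060, "src": "10.2.0.7",  "bytes": 200},
    {"vlan": 40, "dport": 80,   "src": "10.2.0.8",  "bytes": 1500},
    {"vlan": 50, "dport": 22,   "src": "192.0.2.1", "bytes": 100},
]

# Rule predicates; Boolean combinations are ordinary and/or/not expressions.
def vlan_range(lo, hi):
    return lambda p: lo <= p["vlan"] <= hi

def dport(n):
    return lambda p: p["dport"] == n

def subnet(cidr):
    net = ip_network(cidr)
    return lambda p: ip_address(p["src"]) in net

def pre_filter(packets, rule):
    """Single-rule Pre-Filter: non-matching packets are dropped at ingress
    and are unavailable to every tool downstream."""
    return [p for p in packets if rule(p)]

def post_filter(stream, rule):
    """Post-Filter: applied per Tool Port, so other tools are unaffected."""
    return [p for p in stream if rule(p)]

def map_traffic(packets, rules):
    """Mapping: every rule is evaluated against the original ingress
    traffic, so one rule's drops never hide packets from another tool."""
    return {tool: [p for p in packets if rule(p)] for tool, rule in rules.items()}

def load(stream):
    """Bytes delivered to a tool, for checking against its link capacity."""
    return sum(p["bytes"] for p in stream)

in_dc2 = subnet("10.2.0.0/16")
MAP_RULES = {  # hypothetical tool names
    "ids":  vlan_range(10, 19),
    "voip": dport(5060),
    "apm":  lambda p: in_dc2(p) and not dport(5060)(p),  # Boolean combination
}

if __name__ == "__main__":
    for tool, pkts in map_traffic(INGRESS, MAP_RULES).items():
        print(tool, len(pkts), "packets,", load(pkts), "bytes")
```

In this model, chaining a VLAN Pre-Filter ahead of a port 5060 Post-Filter leaves the VoIP tool blind to the call on VLAN 30, while the map delivers it because each rule sees the unfiltered ingress copy.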

| Features | Functions | Benefits |
| --- | --- | --- |
| Any-to-Any | Deploy any tool to any link at any time without affecting the production network | Improved monitoring efficiency, effectiveness and network uptime |
| Any-to-Many | Multicast traffic to support multiple tools with competing monitoring demands | Share SPAN ports and taps, customizing access for all tools all the time |
| Many-to-Any | Aggregate traffic from multiple access points to create a "big pipe" or "end-to-end" view | Deploy fewer tools and consolidate valuable tools in a tool farm |
| Packet Filtering | Customize and map traffic flow to multiple tools and reduce traffic load on all tools | Optimize tool utilization and share load across multiple tools |

Questions? Call 1-805-277-2400