ACI and Network NDR

Michael Bartholomæussen · ‎12-03-2021

Hi

Our security team is asking if it's possible to deploy a NDR solution in our datacenter fabric to ingest "all traffic" for analysis.

All they're asking is to SPAN all traffic on each Leaf switch into the NDR device. I've made it clear that they can't capture all traffic alone by spanning the leaf switches, due to inter-chassis traffic on the hypervisor (UCS + ESXi).

I've done SPAN sessions before on specific links, like firewall transit links and core<->dist links for a limited time for troubleshooting. But spanning the entire ACI fabric seems at first like a bad idea, also I can't find any way to estimate how much traffic is flowing through the switches, expect interface stats. If we're going to saturate the SPAN destinations, I guess It's pointless due to packet drops on the interface, when the NDR device requires the entire payload of the packets.

Googling did help me much, so I'm hoping to find some help on the forum.

Cheers!

Robert Burns · ‎12-03-2021

SPAN is ideal for troubleshooting specific flows, but I wouldn't suggest it for a '24/7 Traffic Analysis' implementation. If this is what security is looking for then I'd suggest taking a look at Nexus Data Broker, which essentially configures a TAP switch and ACI to grab copies of all the traffic for external monitoring/analysis.

https://www.cisco.com/c/en/us/products/cloud-systems-management/nexus-data-broker/index.html

https://www.youtube.com/watch?v=VfhRROskrng

Robert

Michael Bartholomæussen · ‎12-06-2021

Hi Rob,

It seems that NBR is targeted at specific ports and flows, not the entire switch thus pulling every packet to the NDB or in my case the NDR box. I'm still unclear how a forever running SPAN on the entire switch will impact performance, since SPAN wasn't designed for the job.

Also I'm still not able to get insights into how much traffic actually flows through a switch on a daily basis.