12-03-2021 05:41 AM
Hi
Our security team is asking if it's possible to deploy an NDR solution in our datacenter fabric to ingest "all traffic" for analysis.
All they're asking is to SPAN all traffic on each leaf switch into the NDR device. I've made it clear that they can't capture all traffic by spanning the leaf switches alone, due to inter-chassis traffic on the hypervisor (UCS + ESXi).
I've done SPAN sessions before on specific links, like firewall transit links and core<->dist links, for a limited time for troubleshooting. But spanning the entire ACI fabric seems at first like a bad idea; also I can't find any way to estimate how much traffic is flowing through the switches, except interface stats. If we're going to saturate the SPAN destinations, I guess it's pointless due to packet drops on the interface, when the NDR device requires the entire payload of the packets.
Googling didn't help me much, so I'm hoping to find some help on the forum.
Cheers!
12-03-2021 06:19 AM
SPAN is ideal for troubleshooting specific flows, but I wouldn't suggest it for a '24/7 Traffic Analysis' implementation. If this is what security is looking for then I'd suggest taking a look at Nexus Data Broker, which essentially configures a TAP switch and ACI to grab copies of all the traffic for external monitoring/analysis.
https://www.cisco.com/c/en/us/products/cloud-systems-management/nexus-data-broker/index.html
https://www.youtube.com/watch?v=VfhRROskrng
Robert
12-06-2021 07:59 AM
Hi Rob,
It seems that NDB is targeted at specific ports and flows, not the entire switch, thus pulling every packet to the NDB or, in my case, the NDR box. I'm still unclear how a forever-running SPAN on the entire switch will impact performance, since SPAN wasn't designed for the job.
Also, I'm still not able to get insights into how much traffic actually flows through a switch on a daily basis.
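An added example, not from this thread or from any Cisco tool, of the interface-stats arithmetic the original poster mentions: given two samples of the 64-bit SNMP counters ifHCInOctets/ifHCOutOctets per leaf port (sample values below are constructed), it estimates the bidirectional volume a SPAN destination would have to carry if every port were a source, and flags when the destination link is oversubscribed. Averages over the polling interval understate bursts, so treat the result as a lower bound on what the destination needs.

```python
from dataclasses import dataclass

COUNTER_MAX = 2 ** 64  # ifHCInOctets / ifHCOutOctets are 64-bit wrapping counters

@dataclass
class Sample:
    port: str
    ts: float        # sample time, seconds
    in_octets: int   # ifHCInOctets at ts
    out_octets: int  # ifHCOutOctets at ts

def counter_delta(newer: int, older: int, width: int = COUNTER_MAX) -> int:
    """Difference between two counter readings, tolerating one wrap-around."""
    return (newer - older) % width

def port_bps(first: Sample, second: Sample) -> tuple[float, float]:
    """Average (ingress_bps, egress_bps) on one port between two samples."""
    secs = second.ts - first.ts
    if secs <= 0:
        raise ValueError("second sample must be later than the first")
    in_bps = counter_delta(second.in_octets, first.in_octets) * 8 / secs
    out_bps = counter_delta(second.out_octets, first.out_octets) * 8 / secs
    return in_bps, out_bps

def span_load(t0: list[Sample], t1: list[Sample]) -> tuple[dict, float]:
    """Bits/s a SPAN destination must carry when every port is a bidirectional
    source: a mirrored port contributes BOTH its ingress and its egress."""
    earlier = {s.port: s for s in t0}
    per_port, total = {}, 0.0
    for later in t1:
        i, o = port_bps(earlier[later.port], later)
        per_port[later.port] = (i, o)
        total += i + o
    return per_port, total

def check_destination(total_bps: float, dest_capacity_bps: float) -> dict:
    """Oversubscription ratio of the SPAN destination; >1.0 means the mirror
    link drops packets, so the NDR box sees truncated or missing flows."""
    ratio = total_bps / dest_capacity_bps
    return {"span_bps": total_bps, "ratio": ratio, "drops_expected": ratio > 1.0}

# Constructed 60-second samples for three leaf ports; e1/3 shows a counter wrap.
T0 = [Sample("e1/1", 0, 0, 0),
      Sample("e1/2", 0, 1_000, 2_000),
      Sample("e1/3", 0, COUNTER_MAX - 7_500_000_000, 0)]
T1 = [Sample("e1/1", 60, 15_000_000_000, 7_500_000_000),   # 2 Gbps in, 1 Gbps out
      Sample("e1/2", 60, 30_000_001_000, 30_000_002_000),   # 4 Gbps in, 4 Gbps out
      Sample("e1/3", 60, 0, 7_500_000_000)]                 # 1 Gbps in, 1 Gbps out
```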