Overview

This chapter contains an overview of the Cisco Nexus Data Broker.

About Cisco Nexus Data Broker

Visibility into application traffic has traditionally been important for infrastructure operations to maintain security, troubleshooting, and compliance and perform resource planning. With the technological advances and growth in cloud-based applications, it has become imperative to gain increased visibility into the network traffic. Traditional approaches to gain visibility into network traffic are expensive and rigid, making it difficult for managers of large-scale deployments.

Cisco Nexus Data Broker (NDB) with Cisco Nexus Switches provides a software-defined, programmable solution to aggregate copies of network traffic using Switched Port Analyzer (SPAN) or network Test Access Point (TAP) for monitoring and visibility. As opposed to traditional network taps and monitoring solutions, this packet-brokering approach offers a simple, scalable and cost-effective solution that is well-suited for customers who need to monitor higher-volume and business-critical traffic for efficient use of security, compliance, and application performance monitoring tools.

The flexibility to use a variety of Cisco Nexus Switches, and the ability to interconnect them into a scalable topology, makes it possible to aggregate traffic from multiple input TAP or SPAN ports and to replicate and forward that traffic to multiple monitoring tools, which may be connected across different switches. Using the Cisco NX-API agent to communicate with the switches, Cisco Nexus Data Broker provides advanced features for traffic management.

Cisco NDB provides management support for multiple disjointed Cisco NDB networks. You can manage multiple Cisco NDB topologies that may be disjointed using the same application instance. For example, if you have 5 data centers and want to deploy an independent solution for each data center, you can manage all 5 independent deployments using a single application instance by creating a logical partition (network slice) for each monitoring network.

Salient features of the Cisco Nexus Data Broker:

  • Scalable topology for TAP and SPAN port aggregation.

  • Robust Representational State Transfer (REST) API and a web-based GUI for performing all functions.

  • Ability to replicate and forward traffic to multiple monitoring tools.

  • Rules for matching monitoring traffic based on Layer 1 through Layer 4 information.

  • Time-stamping using PTP.

  • Packet Truncation beyond a specified number of bytes to discard the payload.

  • Custom filtering of packets using User Defined Fields.

  • Ability to adapt to changes in TAP/SPAN aggregate network states.

  • End-to-end visibility.

  • High Availability.

  • Load Balancing.

  • Manage multiple disjointed networks.

  • Integration with ACI devices/ APIC and NX-OS devices.

  • Real-time statistics for easy troubleshooting.

  • Application management via IPv6.

  • Security features, such as role-based access control (RBAC), and integration with an external Active Directory using RADIUS, TACACS, or LDAP for authentication, authorization, and accounting (AAA) functions.

Platform support for the additional features of the Cisco Nexus Data Broker:

Table 1. Supported Features

| Feature Name | Cisco Nexus 9200 (C92304QC, C92160YC) | Cisco Nexus 9300 (First Gen) (C93128TX, C9396TX) | Cisco Nexus 9300 (EX, FX, FX2) (C93180LC-EX, C93180YC-EX, C93108TC-EX, C93108TC-FX, C93180YC-FX, C9336C-FX2, C93240YC-FX2, C93360YC-FX2) |
|---|---|---|---|
| Port Channel Load Balancing | Y | Y | Y |
| MPLS Stripping | Y | Y | Y |
| MPLS Stripping - Label | N | Y | N |
| MPLS Filtering | N | N | N |
| sFlow | Y | Y | Y |
| PTP/ Timestamping | Y | N | Y |
| Jumbo MTU | Y | Y | Y |
| NetFlow | N | N | Y |
| Q-in-Q Tagging (for TAP and SPAN input ports) | N | Y | Y |
| Span Destination | Y | Y | Y |
| Timestamping | Y | N | Y |
| Packet Truncation | N | N | Y |
| Timestamping Strip | Y | N | Y |
| Input Port - TAP/ SPAN | Y | Y | Y |
| Local Monitoring Tool | Y | Y | Y |
| Remote Monitoring Tool with ERSPAN support | Y | Y | Y |
| Remote Source | Y | N | Y |
| UDF | Y | Y | Y |
| UDF v6 | N | Y | Y |
| UDE | N | N | N |
| Drop ICMPv6 | Y | N | Y |

Table 2. Supported Features (contd)

| Feature Name | Cisco Nexus 9500 (EX, FX) (C9504, C9508, C9516) | Cisco Nexus 9364C, 9332C | Cisco Nexus 9300-GX (93600CD-GX, 9364C-GX, 9316D-GX) |
|---|---|---|---|
| Port Channel Load Balancing | Y | Y | Y |
| MPLS Stripping | N | N | Y |
| MPLS Stripping - Label | N | N | N |
| MPLS Filtering | N | N | N |
| sFlow | Y | Y | Y |
| PTP/ Timestamping | Y | Y | Y |
| Jumbo MTU | Y | Y | Y |
| NetFlow | Y | N | Y |
| Q-in-Q Tagging (for TAP and SPAN input ports) | Y | Y | Y |
| Span Destination | Y | Y | Y |
| Timestamping | Y | Y | Y |
| Packet Truncation | Y | Y | Y |
| Timestamping Strip | Y | Y | Y |
| Input Port - TAP/ SPAN | Y | Y | Y |
| Local Monitoring Tool | Y | Y | Y |
| Remote Monitoring Tool with ERSPAN support | Y | Y | Y |
| Remote Source | Y | N | Y |
| UDF | Y | Y | Y |
| UDF v6 | Y | Y | Y |
| UDE | Y | N | N |
| Drop ICMPv6 | Y | Y | Y |


Note: The Cisco Nexus Series switches indicated in the above tables are recommended. For the supported NX-OS versions on the Nexus switches, see the Interoperability Matrix table in the Cisco Nexus Data Broker Release Notes, Release 3.10.

The following Cisco Nexus Series switches are also supported:

  • Cisco Nexus 3000 Series switches—3048, 3064

  • Cisco Nexus 3100 Series switches—3172, 3164, 31108TC-V, 31108PC-V, 3132C-Z

  • Cisco Nexus 3200 Series switches—3232

  • Cisco Nexus 3500 Series switches


Limitations of Cisco Nexus Series switches:

Table 3. Limitations

| Cisco Nexus Series Switch | Limitations |
|---|---|
| 9364C-GX, 93600CD-GX, 9316D-GX | Range for QinQ VLAN on input ports is from 2 to 509. QinQ VLANs cannot be added after configuring MPLS label strip. |

Prerequisites for Cisco Nexus Series Switches

Cisco Nexus Data Broker is supported on Cisco Nexus 3000, 3100, 3200, and 9000 series switches. Before you deploy the software, you must do the following:

  • Ensure that you have administrative rights to log in to the switch.

  • Verify that the management interface of the switch (mgmt0) has an IP address configured using the show running-config interface mgmt0 command.

  • Ensure that the switch is in Multiple Spanning Tree (MST) mode. You can use the spanning-tree mode mst command to enable MST mode on a switch.

  • Add the VLAN range in the database that is to be used in Cisco Nexus Data Broker for tap aggregation and inline monitoring redirection to support VLAN filtering. For example, the VLAN range is <1-3967>.

  • Ensure that the spanning tree protocol is disabled for all the VLANs. You can use the no spanning-tree vlan 1-3967 command to disable spanning tree on all the VLANs.

  • For the first NDB deployment with NX-OS version 9.2(1), ensure that the feature nxapi and nxapi http port 80 commands are configured on the NDB switch. If you are upgrading the NDB switch from NX-OS version I7(x) to 9.2(1), the feature nxapi and nxapi http port 80 configurations are not required.

To run NX-API mode on the Cisco Nexus Series switches, see the following prerequisites.


Note: The hardware command that is a prerequisite for the IPv6 feature is hardware access-list tcam region ipv6-ifacl 512 double-wide.

Note: The TCAM configuration depends on the type of filters required. You may allocate multiple TCAM entries from a specific region based on the network requirement. For example, on the N93180YC-E, ing-ifacl is the TCAM region that serves MAC, IPv4, and IPv6 filters; you may allocate more TCAM from this region to fit more filtering ACL TCAM entries.


NX-API Mode commands by device model:

Cisco Nexus 3000 Series switches

Enter the following commands at the prompt:

  • # hardware profile tcam region qos 0

  • # hardware profile tcam region racl 0

  • # hardware profile tcam region vacl 0

  • # hardware profile tcam region ifacl 1024 double-wide

  • # hardware access-list tcam region mac-ifacl 512

  • # feature nxapi

  • # feature lldp

Cisco Nexus 3132Q, 3164Q switches

Enter the following commands at the prompt:

  • # hardware profile tcam region qos 0

  • # hardware profile tcam region racl 0

  • # hardware profile tcam region vacl 0

  • # hardware profile tcam region ifacl 1024 double-wide

  • # hardware access-list tcam region mac-ifacl 512

  • # feature nxapi

  • # feature lldp

Cisco Nexus 3172 Series switches

Use the hardware profile mode tap-aggregation [l2drop] CLI command to enable tap aggregation and to reserve entries in the interface table that are needed for VLAN tagging. The l2drop option drops non-IP traffic ingressing on tap interfaces.

Cisco Nexus 3200 Series switches

Enter the following commands at the prompt:

  • # hardware access-list tcam region e-racl 0

  • # hardware access-list tcam region span 0

  • # hardware access-list tcam region redirect 0

  • # hardware access-list tcam region vpc-convergence 0

  • # hardware access-list tcam region racl-lite 256

  • # hardware access-list tcam region l3qos-intra-lite 0

  • # hardware access-list tcam region ifacl 256 double-wide

  • # hardware access-list tcam region mac-ifacl 512

  • # hardware access-list tcam region ipv6-ifacl 256

  • # feature nxapi

  • # feature lldp

Cisco Nexus 9300 Series switches

Enter the following commands at the prompt:

  • # hardware access-list tcam region qos 0

  • # hardware access-list tcam region vacl 0

  • # hardware access-list tcam region racl 0

  • # hardware access-list tcam region redirect 0

  • # hardware access-list tcam region vpc-convergence 0

  • # hardware access-list tcam region ifacl 1024 double-wide

  • # hardware access-list tcam region mac-ifacl 512

  • # hardware access-list tcam region ipv6-ifacl 512

  • # feature nxapi

  • # feature lldp

Cisco Nexus 9200, 9300-EX, 9336C-FX2, 93240YC-FX2, and N9K-C93360YC-FX2 switches

Enter the following commands at the prompt:

  • # hardware access-list tcam region ing-l2-span-filter 0 (for Cisco Nexus 93108 series switches only)

  • # hardware access-list tcam region ing-l3-span-filter 0 (for Cisco Nexus 93108 series switches only)

  • # hardware access-list tcam region ing-racl 0

  • # hardware access-list tcam region ing-l3-vlan-qos 0

  • # hardware access-list tcam region egr-racl 0

  • # hardware access-list tcam region ing-ifacl 1024

  • # feature nxapi

  • # feature lldp

Cisco Nexus 9500-EX and 9500-FX Series switches (9504, 9508 and 9516)

Enter the following commands at the prompt:

  • # hardware access-list tcam region ing-racl 0

  • # hardware access-list tcam region ing-l3-vlan-qos 0

  • # hardware access-list tcam region egr-racl 0

  • # hardware access-list tcam region ing-ifacl 1024

  • # feature nxapi

  • # hardware acl tap-agg

  • # feature lldp

Cisco Nexus 9300-GX Series switches

Enter the following commands at the prompt:

  • # hardware access-list tcam region ing-racl 0

  • # hardware access-list tcam region ing-l3-vlan-qos 0

  • # hardware access-list tcam region egr-racl 0

  • # hardware access-list tcam region ing-ifacl 1024

  • # feature nxapi

  • # hardware acl tap-agg

  • # feature lldp
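The generic prerequisites listed under "Prerequisites for Cisco Nexus Series Switches" and the per-platform NX-API mode command lists above are easy to get only partially right on a switch that has been through several upgrades. The following Python script is an added example, not Cisco's code and not part of this guide. It parses the text of show running-config (a constructed sample is embedded, using a documentation-range address) and reports which generic prerequisites and which of a platform's TCAM and feature commands are still missing. The Cisco Nexus 9300 command list is copied from the list above; the platform key "nexus-9300", the function names and the sample configuration are this example's own choices. The request builder produces the NX-API JSON-RPC body (method cli_ascii, posted to the /ins endpoint) that a script would use to fetch the running configuration over the NX-API interface this chapter requires; it does not contact any device.

```python
# Added example (not Cisco's code): NDB prerequisite checker for a Cisco Nexus
# switch. Parses 'show running-config' text and reports which generic
# prerequisites and per-platform NX-API mode commands from this chapter are missing.
import json
import re

# Commands copied from this chapter's "Cisco Nexus 9300 Series switches" list
# ('#' prompt removed). The platform key is this example's own name.
PLATFORM_COMMANDS = {
    "nexus-9300": [
        "hardware access-list tcam region qos 0",
        "hardware access-list tcam region vacl 0",
        "hardware access-list tcam region racl 0",
        "hardware access-list tcam region redirect 0",
        "hardware access-list tcam region vpc-convergence 0",
        "hardware access-list tcam region ifacl 1024 double-wide",
        "hardware access-list tcam region mac-ifacl 512",
        "hardware access-list tcam region ipv6-ifacl 512",
        "feature nxapi",
        "feature lldp",
    ],
}

# Constructed sample running-config (documentation-range address, not a real
# device). The ipv6-ifacl region is deliberately absent so one gap shows up.
SAMPLE_RUNNING_CONFIG = """\
version 9.2(1)
feature nxapi
feature lldp
nxapi http port 80
hardware access-list tcam region qos 0
hardware access-list tcam region vacl 0
hardware access-list tcam region racl 0
hardware access-list tcam region redirect 0
hardware access-list tcam region vpc-convergence 0
hardware access-list tcam region ifacl 1024 double-wide
hardware access-list tcam region mac-ifacl 512
spanning-tree mode mst
no spanning-tree vlan 1-3967
vlan 1-3967
interface mgmt0
  vrf member management
  ip address 192.0.2.10/24
"""

def config_lines(config):
    """Non-empty, non-comment lines, indentation preserved."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.startswith("!")]

def top_level(config):
    """Set of unindented (global) configuration lines."""
    return {ln for ln in config_lines(config) if not ln.startswith(" ")}

def mgmt0_ip(config):
    """Address under 'interface mgmt0', or None if none is configured."""
    in_block = False
    for ln in config_lines(config):
        if not ln.startswith(" "):          # a new global line ends any block
            in_block = ln == "interface mgmt0"
            continue
        m = re.match(r"\s+ip address (\S+)", ln) if in_block else None
        if m:
            return m.group(1)
    return None

def vlan_ranges(config):
    """VLAN ranges declared globally, e.g. ['1-3967']."""
    return sorted(m.group(1) for ln in top_level(config)
                  for m in [re.match(r"vlan ([\d,-]+)$", ln)] if m)

def check_generic(config):
    """Generic prerequisites from this chapter, each mapped to True/False."""
    top = top_level(config)
    return {
        "mgmt0_has_ip": mgmt0_ip(config) is not None,
        "mst_mode": "spanning-tree mode mst" in top,
        "vlan_range_added": bool(vlan_ranges(config)),
        "stp_disabled_on_vlans": any(ln.startswith("no spanning-tree vlan ") for ln in top),
        "nxapi_enabled": "feature nxapi" in top,
        "nxapi_http_80": "nxapi http port 80" in top,   # first deployment on 9.2(1)
    }

def missing_platform_commands(config, platform):
    """Commands from the platform's NX-API mode list that the config lacks."""
    top = top_level(config)
    return [cmd for cmd in PLATFORM_COMMANDS[platform] if cmd not in top]

def nxapi_cli_ascii_request(commands):
    """JSON-RPC body to POST to https://<switch>/ins (Content-Type
    application/json-rpc); cli_ascii returns the raw CLI text of each command."""
    return json.dumps([{"jsonrpc": "2.0", "method": "cli_ascii",
                        "params": {"cmd": cmd, "version": 1}, "id": i + 1}
                       for i, cmd in enumerate(commands)])

if __name__ == "__main__":
    # Offline run against the constructed sample; no switch is contacted.
    for name, ok in check_generic(SAMPLE_RUNNING_CONFIG).items():
        print(("OK      " if ok else "MISSING ") + name)
    for cmd in missing_platform_commands(SAMPLE_RUNNING_CONFIG, "nexus-9300"):
        print("MISSING " + cmd)
```

Run against the sample, every generic check passes and the only platform gap reported is the ipv6-ifacl region, which the note above identifies as the prerequisite for the IPv6 feature. To check a real switch, feed the cli_ascii response body for show running-config into the same functions; the matching is exact-line, so a region configured with a different size than the list expects is reported as missing rather than silently accepted.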

Supported Web Browsers

The following web browsers are supported for Cisco Nexus Data Broker:

  • Firefox 85.0 and later versions.

  • Chrome 88.0 and later versions.

  • Microsoft Edge 88.0 and later versions.


Note: If incompatible browsers are used, you may encounter GUI display issues for Release 3.10.

Note: Enable JavaScript on your browser.


System Requirements

The following table lists the system requirements as per the deployment size for Cisco NDB:

Table 4. System Requirements per Deployment Size

| Description | Small | Medium | Large |
|---|---|---|---|
| CPUs (virtual or physical) | 6-core | 12-core | 18-core |
| Memory | 8 GB RAM | 16 GB RAM | 24 GB RAM |
| Hard disk (all sizes) | Minimum of 40 GB of free space available on the partition on which the Cisco Nexus Data Broker software is installed. | | |
| Operating System (all sizes) | A recent 64-bit Linux distribution that supports Java, preferably Ubuntu, Fedora, or Red Hat. | | |
| Other (all sizes) | Java Virtual Machine 1.8. | | |

Guidelines and Limitations

Cisco NDB runs in a Java Virtual Machine (JVM). As a Java-based application, Cisco NDB can run on any x86 server. For best results, we recommend the following:

  • Java Virtual Machine 1.8.0_45 and higher.

  • Python 2.7.3 or a later version is required for the backup and restore script. It is also required for the TLS configuration if Cisco Nexus Data Broker needs to use TLS for device communication.

  • A $JAVA_HOME environment variable in your profile that is set to the path of the JVM.

  • JConsole and VisualVM that are both part of JDK are the recommended (but not required) additions for troubleshooting.

  • You should not configure the same name for more than one switch in the topology to avoid unpredictable behavior in the link discovery by Cisco Nexus Data Broker.

  • The following special characters are not allowed in description field for Port Definitions, Port Groups, Connections, Redirections, Monitoring Devices, and Service Nodes: Apostrophe (‘), Less Than (<), Greater Than (>), Double Quotation (“), Back Slash (\), Vertical Bar (|), and Question Mark (?).

  • When a domain name is enabled on the switch, the change is not reflected in the LLDP neighbors and the links for that switch get removed. The workaround for this issue is to disable the LLDP feature and then enable it again, using the no feature lldp and feature lldp CLI commands respectively.

  • If a Cisco Nexus 9000 Series switch is running 7.0(3)I4(1) or a later version in NX-API mode and a flow is installed using a VLAN filter, the device evaluates the flow through an IP access list and it does not match on the Layer 2 packet.

Filename Matrix

Filename Matrix for Cisco NDB:

| Mode of Deployment | NXOS Image | Mode | File Name |
|---|---|---|---|
| Embedded | 9.3(1) to 9.3(5) | NXAPI | ndb1000-sw-app-emb-k9-release-number.zip |
| Centralized | 9.3(1) to 9.3(5) | NXAPI | ndb1000-sw-app-k9-release-number.zip |

Interoperability Matrix

For the Interoperability Matrix, see the Cisco Nexus Data Broker Release Notes, Release 3.10.