Gigamon offers two variations to filtering. The first is called a Pre-Filter or filter before aggregation. The second type of packet filter is a Post-Filter or filter after aggregation.
The diagram above shows a connectivity scenario where packets are flowing from left to right. Ports on the left are called Network Ports (ingress ports) and ports on the right are Tool Ports (egress ports). Network Ports are to be connected to the network via SPAN ports, external taps or internal taps such as the GigaTAP, or optical splitter in the case of an “Aggregation Tap”). Similarly, Tool Ports are to be connected to security tools used for the purpose of troubleshooting, monitoring and analysis. Any passive ethernet based tool can be plugged into the GigaVUE including protocol analyzers, intrusion detection systems, forensic recorders, application performance monitors, data loss prevention and VOIP analyzers.
Packet filtering can be implemented either at the ingress or the egress. Filters that are implemented on the ingress side are called Pre-Filters since filtering is done before any connectivity operations, i.e., before aggregation (Many-to-Any) and replication (Any-to-Many). Similarly, filters that are implemented on the egress side are called Post-Filters since filtering is done only after aggregation.
Pre-Filters are used to prevent over subscription since it cuts down on incoming traffic before aggregation.
Post-Filter are a very useful as a way of customizing traffic for multiple attached tools (filtering of one tool does not affect its neighbors).
The GigaVUE network monitoring switches have a third way of customizing traffic which is called “Mapping” and can be thought of as a “multi-rule” Pre-Filter and is available for both 1G and 10G ingress ports.
The above diagram shows a typical example where the ingress ports are 10G which can receive traffic from the SPAN port of a 10G core switch or from a 10G passive tap. Using these multi-rule Pre-Filters, 10G traffic can be “mapped” to multiple load-sharing 1G monitoring tools with each tool analyzing a specific VLAN range, port number or IP subnet according to the specific filter rule. This provides the ability to perform comprehensive monitoring at 10G line-rate without oversubscribing any single 1G tool.
Mapping is a combination of “multicasting” and “pre-filtering”. Unlike conventional single-rule Pre-Filter, GigaVUE can first make a backup copy of the incoming traffic before we perform filtering so that subsequent filtering can be performed on the original ingress traffic. Multiple filters may be combined by using Boolean logic statements before the customized data stream is delivered to your monitoring tools.
