Basic Gigamon Configuration
This guide gives a basic overview of the Gigamon hardware, its setup, and its configuration, with a few troubleshooting steps at the end.
Last updated
The Gigamon GigaVUE HC1 is a TAP aggregator that provides visibility into network traffic without packet loss. It generates exact copies of the packets that traverse a map and sends them to other tools (typically a Security Onion sensor, Arkime, or another full packet capture solution). The Gigamon HC1 is a very intricate tool that can be configured to fit almost any type of network, including tapping a network tunnel and tapping multiple enclaves at once. This guide is designed to build a firm knowledge base of this tool and provide resources to learn more. It is by no means a comprehensive guide. More advanced topics and configurations will be discussed in an intermediate Gigamon guide that assumes a base understanding of this tool.
The Gigamon HC1 has three modules, as can be seen in Figure 2.1. Module 1 (center) is the core of the Gigamon: it has one GigaSmart engine (discussed in section 5, "GigaSmart") and provides, without extra fiber SFPs, four copper ports that can be used in any mode (discussed in section 4, "Type of ports") but do not provide the physical bypass functionality commonly referred to as "fail open". Module 2 (left) has four copper ports that cannot be used as tool ports. These ports do provide the physical bypass functionality.
All DCO Gigamon HC1s have Module 3 as a BPS-HC1-D25A24 module, as depicted in Figure 2.2. This is the only module that provides physical bypass on fiber connections. Unfortunately, this module only supports multi-mode fiber, which can be a limitation if the customer network uses single-mode fiber.
Before you can get to the Web interface of a Gigamon HC1, you need to set up the basic configuration of the Gigamon.
When consoling into an HC1, remember that the console speed is 115200 baud.
Default credentials for a new Gigamon are: admin / admin123A!
Packets ingested by a Gigamon arrive on network ports and are sent to the various tools through tool ports. Each type of port and its use case is defined below:
Network (Ingress Port) - Network ports are ports that ingest traffic. The source can be a switch SPAN or any device that is not inline in the network.
Tool (Egress Port) - Tool ports are where all traffic from Network or Hybrid ports is directed. In the case of DCO, traffic is typically sent from the Gigamon to Security Onion.
Hybrid Port - Hybrid ports are where traffic is sent and treated like a loopback. This traffic will be sent to a hybrid port and then to another map. This allows for multiple functions to be performed on traffic before it gets sent to its final tool port.
Stack Port - Stack ports take traffic from network ports of one Gigamon and direct it to a tool port in another Gigamon node in a cluster.
Inline Network - This type of network port is one that is used inline with a network. For instance, between two switches, a router to a switch, router to router, etc. These are typically assigned to the physical port that has a physical bypass.
Inline Tool - Inline tool ports are where all traffic from an inline network is sent. Inline tool ports can only be mapped to inline network ports.
The basic deployment of the Gigamon HC1 requires one copper port on the customer's network for management and one IP address. This allows DCO to manage and configure the Gigamon HC1 remotely. Two ports on the HC1 are used per inline tap (ingress and egress).
Note: physical bypass on the TAP module is between specific port pairs, as depicted in the figure below:
When configuring a network port, TapTx must be enabled. If you do not see it as an option in the web interface, you will need to access the CLI and enable it there.
Configure at least two ports as network, or inline network, ports. This accounts for one connection (see "Deployment techniques" for more information).
Configure at least one port as a tool, or inline tool, port. This port cannot be on a TAP-HC1-G10040 module, as depicted in Figure 5.1.
Configure a port group for the two network ports you created.
Create a port pair for the network ports with "Link Failure Propagation" enabled.
Create a map with the source being your newly created port group and the destination being the tool port. By default, the map is set to "by-rule" passing with no rules. Make sure you change the settings to fit your environment.
The GigaSmart Engine can perform various functions on traffic flowing through a map. Examples include GRE Header Stripping, Deduplication, SSL Decryption, and much more.
Below are steps to enable GigaSmart GRE header stripping, a use case we have seen before.
Create a new GigaSmart group
Give the group an Alias
Add the GigaSmart engine port to the group (On an HC1, it's 1/1/e1)
Create a new GigaSmart Operation (GSOP)
Give the operation an alias
Apply the GigaSmart group previously created to this operation
Select an operation to perform. In this case Header Stripping -> GRE
In the network traffic map make sure "subtype" is set to "by-rule"
Add your GSOP group to the GigaSmart Operations section of "Map Source and Destination"
Since the "subtype" is set to by-rule, make sure you add pass rules; by default the map denies all traffic.
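The port, map and GigaSmart steps above as GigaVUE-OS CLI commands, added here as an example that is not part of the original guide. The port IDs (1/2/g1 and 1/2/g2 on the copper TAP module, 1/1/x1 as the tool port), the aliases, the pass rules and the tool-port egress VLAN strip are assumptions for a typical DCO deployment, and the syntax is written from memory of the GigaVUE-OS CLI, so confirm each command with the CLI's `?` help on your firmware before using it; lines starting with `#` are explanatory and are not CLI input.

```console
# Added example, not from the original guide. Port IDs, aliases and rules are assumptions.
enable
configure terminal

# Network ports on the copper TAP module (the ports with physical bypass).
# TapTx must be active or the TAP will not forward copies of the traffic.
port 1/2/g1,1/2/g2 type network
port 1/2/g1,1/2/g2 params taptx active
port 1/2/g1,1/2/g2 params admin enable

# Tool port on the core module (it cannot live on the TAP-HC1-G10040 module).
# Stripping the egress VLAN tag avoids the hypervisor-sensor problem described later.
port 1/1/x1 type tool
port 1/1/x1 params admin enable
port 1/1/x1 egress-vlan strip

# Port group for the two network ports, and a port pair with
# Link Failure Propagation (lfp) enabled between them.
port-group alias pg-core port-list 1/2/g1,1/2/g2
port-pair alias pp-core between-ports 1/2/g1 and 1/2/g2 lfp enable

# GigaSmart group on the HC1 engine port 1/1/e1 and a GRE header-stripping GSOP.
gsgroup alias gsg1 port-list 1/1/e1
gsop alias gre-strip strip-header gre port-list gsg1

# By-rule map from the port group to the tool port using the GSOP.
# A by-rule map with no rules drops everything, so pass rules are required;
# these two pass all IPv4 and IPv6 traffic (example rules only).
map alias m-core
  type regular byRule
  from pg-core
  to 1/1/x1
  use gsop gre-strip
  rule add pass ipver 4
  rule add pass ipver 6
  exit

# Verify TapTx and admin state, the map, and that counters increase on both sides.
show port params port-list 1/2/g1,1/2/g2
show map alias m-core
show port stats port-list 1/2/g1,1/2/g2,1/1/x1
write memory
```

If the tool port feeds a sensor on bare metal that expects VLAN tags, leave out the `egress-vlan strip` line.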
This technique is the most likely for our use case of the HC1, given that we don't have a smaller solution with the MDS Kit. In this deployment, an inline tap is configured between the customer's core router and their core switch. A SPAN (should the customer allow it) is also configured and, through the use of the GigaSmart engine, a deduplication GSOP is attached to the map. Finally, the tool port outputs to a full PCAP solution (for us it's typically Security Onion).
Another technique we have utilized is tapping between two load-balancing switches that are port-channeled to the customer's core router. Again, this is configured with a deduplication GSOP on the map to eliminate duplicate traffic. Typically a SPAN is not used in this type of deployment.
We have never had an HC1 that did not work. Almost every time there is a problem, it is a tapping issue, and it is one of two situations:
When sending tool traffic to a hypervisor, the operator does not set the "Egress VLAN tag" to strip in the tool port configuration, and/or the operator does not allow promiscuous packets / forged MAC packets through the NIC on the hypervisor.
The operator fails to select the "Active" option for TapTx when configuring the network ports. If TapTx is not visible under port configuration, you will need to access the terminal and manually add TapTx active to the port.
As a rule of thumb, the first thing to do whenever traffic is not populating in your packet capture solution is to connect a laptop and open Wireshark. If you see traffic and you are utilizing a hypervisor, the first situation's fix should be your next course of action. If no traffic populates in Wireshark, the second situation's fix would be next.
As a last resort, and yes I have seen this work before, delete the map, port group, and port pairs, set the network ports to an empty/off configuration, and then redo the whole thing.