DMF 8.9.0 TOI

Security policies occasionally prevent the download of PCAP files from packet queries. The integrated Wireshark web interface enables PCAP analysis within the DMF environment and requires authentication for access. This integration provides full Wireshark functionality while keeping the PCAP file on the Controller to maintain adherence to security requirements.

The AES-256 Support for SNMPv3 feature implements 256-bit encryption for SNMPv3 interactions on the DMF Controller and managed devices. Configuring the AES-256 privacy protocol option enhances the User-based Security Model (USM) by enforcing 256-bit encryption standards.

Until the DMF release 8.9, DMF users had no direct visibility into the current scale against the verified scale across the DMF fabric. This feature exposes the current scale against the verified scale via REST APIs, GUI, and CLI commands. The verified scale represents the capacity tested under reference conditions.

The DMF VN-TAG Decapsulation (decap) feature introduces native support for removing the VN-TAG header within the DMF platform. This capability is implemented directly on the DMF Service Node to process traffic frames, and it integrates comprehensive control plane support via the Controller schema and the standard CLI workflow.

The Filter managed service action filters packets on the Service Node (SN) interface and supports optional VLAN tagging. Utilizing ACL rules, the system forwards or drops matched traffic. Traffic tagged with a VLAN exits the interface (Tx) after processing through the action chain. VLAN tagging specifically facilitates traffic steering in Switch-less SN deployments, where the forwarding plane relies on VLANs. This configuration produces no functional impact when the SN connects directly to a DMF switch within the fabric.

Latency and drop information help determine if there is a loss in a particular flow and where the loss occurred. A Service Node action configured as a DANZ Monitoring Fabric (DMF) managed service has multiple separate taps or spans in the production network and can measure the latency of a flow traversing through any pair of these points. It can also detect packet drops between any two points in the network if the packet only appears on one point within a specified time frame, currently set to 200ms.

This feature enables the direct generation of public/private key pairs and TLS Certificate Signing Requests (CSRs) on Atlas appliances. The previous workflow required generating keys and CSRs externally, followed by importing the private key and CA-signed certificate. This enhancement simplifies the process by securely retaining the private key on the appliance, eliminating the need for external key management.

Beginning with DMF version 8.9, the action keyword is required to add or modify actions within a managed service. This keyword is a mandatory token across all managed service submodes, providing a consistent way to define service behaviors.

DMF 8.9 introduces a redesigned Managed Services dashboard, replacing the former interface.

The Mask Dual-tone Multi-Frequency (DTMF) in Real-time Transport Protocol (RTP) feature supports masking digits in voice data to hide sensitive information, such as credit card or social security numbers. Masking of sensitive data is a compliance issue that various agencies require to obfuscate information before storage.

As of DMF-8.9.0, when several IP addresses are used in a single policy (whether via an address group or individually across match rules with otherwise identical conditions), the controller groups the addresses together and programs them as a field set on supported switches. This field set has a label that can be directly referenced by TCAM, which allows that TCAM entry to match against packets with any of the IP prefixes in that field set. This optimization dramatically reduces the TCAM consumption for policies that reference many addresses, allowing significantly more policies or addresses to be programmed without exceeding switch TCAM capacity limits. For example, on a switch incapable of performing this optimization, a policy matching traffic from a 100-entry source address group to a 100-entry destination address group would require 100x100=10,000 individual entries. With this optimization, the controller programs two field sets and a single match rule that references both field sets, reducing TCAM consumption from 10,000 entries to just 1 entry for that policy.

The Multi-vCenter VM Support in Single Policy feature enhances scalability and configuration management by allowing the inclusion of Virtual Machines (VMs) from multiple vCenters within a single policy. Previously, integrating a large number of vCenters with a single DMF fabric required a separate policy for each instance. With this update, DMF supports configuring match rules to include multiple VMs across disparate vCenters, unifying policy application and reducing configuration overhead.

The Nutanix Prism Central vendor integration enables the DANZ Monitoring Fabric (DMF) to fetch the inventory of the infrastructure and resources managed through Prism Central. This inventory includes information on entities such as virtual machines, virtual NICs, and hosts. The integration also helps to monitor virtual machines by creating network monitoring policies based on virtual machine names.

DANZ Monitoring Fabric (DMF) 8.9.0 adds a new managed service action, called record, to the Service Node (SN). This action enables packet recording using an SN similar to a Recorder Node (RN) and supports basic packet recording and querying capabilities.

The Analytics Node (AN) enables the correlation of 5-tuple data from Flows and DMF metadata with the corresponding packets retrieved from the Recorder Node (RN). Previously, the system displayed Egress sFlow® to indicate potentially recorded flow packets.

The regex-session action enables matching of Regular Expression patterns against packet content. When a packet matches the specified pattern, its session is tracked based on configured timeouts and other parameters including, anchor, offset, and ip-proto.

Link Aggregation Group (LAG) or port channel interfaces comprise multiple member interfaces. Network devices typically distribute packets across the member interfaces using a hash computed from packet header fields. The Round-Robin LAG Distribution feature introduces a new packet distribution method: the round-robin method. A round-robin LAG configuration balances packets evenly across all member interfaces in a sequential, round-robin fashion.

Beginning with DMF version 8.9, the action keyword is required to add or modify actions within a managed service. This keyword is a mandatory token across all managed service submodes, providing a consistent way to define service behaviors.

The Rule Groups Dashboard aligns with modern DMF User Interface (UI) standards. This view maintains full functional parity with the previous version while delivering a consistent and unified user experience.

The SHA-256 Support for SNMPv3 feature implements 256-bit encryption for SNMPv3 interactions on the DMF Controller and managed devices. Configuring the SHA-256 authentication protocol option enhances the User-based Security Model (USM) by enforcing 256-bit encryption standards.

The feature exposes metrics and health status of storage devices on controllers and all managed nodes, but not switches.

Often, there is a need to accept IPFIX/NFv9 and NFv5 traffic arriving at ports other than the standard 4739 and 2055 ports, respectively. To address this need, DMF allows the following non-standard ports to forward traffic to their standard ports on the physical IP of the Analytics Node (AN) and the cluster's Virtual IP (VIP).

The Switch-less Service Node (SN) feature enables the direct installation of managed services on a service node, eliminating the requirement for an associated policy or connected switch. This capability supports deployments that are independent of the full Network Packet Broker (NPB) switching infrastructure. Existing workflows support the direct installation of managed services, such as filtering and deduplication, on the SN.

The Dapper action, derived from Brown University research, identifies TCP session issues by measuring specific connection attributes. This analysis determines whether performance degradation stems from the client, server, or network devices.

The Command-API (CAPI) client on the Controller utilizes port 443 for EOS connectivity.