The Dirty Little Secret of Network Packet Brokers

Imagine you bought an off-road vehicle with all the bells and whistles: high clearance, low and high range gears, high torque, plus top-of-the-range Fox shocks like the ones in the trophy truck video. What if you then discovered that you can't use all the features without losing significant engine power, and that under load the power to the wheels cuts in and out? This is what you get with most of the network packet brokers on the market, especially on 40G and 100G networks. Let me explain.

First, let us remind ourselves why network packet brokers exist: multiple tools need access to network traffic for multiple reasons. Network traffic is often described as "the source of truth" for both security tools and performance monitoring; whether the job is collecting and analyzing network logs or finding the source of intermittent problems with a website, network traffic is a gold mine. When looking for network issues, you will often find that logs have been turned off or are incomplete because of load on individual devices. Communication over the network, however, cannot be turned off, so if you can capture all the necessary traffic you can see exactly what is happening on the network. The problem, which we shall come back to, is the word "all".

The same applies to security. It doesn't matter how clever malware is at hiding: when it tries to spread or communicate in any way, the network traffic can help expose the threat. If you can collect and analyze all the necessary network traffic with the right security tools, you stand a better chance of catching the bad guys.

Getting Access To Network Traffic

The problem is that network traffic is hard to get access to. With the explosion of new security devices analyzing network traffic, there are never enough SPAN ports or network TAPs to service them. As the need for access to network traffic has grown, so has the need for a monitoring network made up of network TAPs, aggregators and, for some time now, the network packet broker. By 2018 NPBs were recognized as part of the standard network tool kit, especially in large networks, with Gartner putting them on the 2018 Enterprise Networking and Communications Hype Cycle. Starting life as intelligent TAP aggregators, NPBs have evolved to become smarter, providing functions such as filtering, de-duplication, header stripping, time-stamping, and intelligent distribution to security and performance monitoring tools.

Without a network packet broker, the tools that needed access to network traffic were scattered throughout the infrastructure, often attached at only a few key points. This led to blind spots and an inconsistent view of traffic, as well as high purchase and management costs for those tools.

This is where TAP aggregation and NPBs come to the rescue. Aggregators simply collect the data from the TAPs distributed throughout the network and funnel the traffic up to the tools. Tools can now see data from everywhere in the network, the ultimate source of truth, but there is a big problem. Aggregators alone can get overloaded, and they bombard the tools they feed with unnecessary and duplicate traffic. You get a central tool rail and save some cost, but you are not fully capitalizing on the potential savings, and you risk losing packets the tools need to block threats and find application performance issues.

Using a Network Packet Broker

NPBs, on the other hand, process the packets and broker them so that the right packets reach the right tools. They can filter out unneeded packets, de-duplicate, slice, de-capsulate, mask, and intelligently distribute the traffic in the required format to each tool.

When choosing an NPB, should you just buy the one with the longest feature list? There is a catch. Remember I said the tools need to see all the traffic? The problem with most NPBs is that they are a CPU or FPGA built beside a standard switch chipset, the same merchant silicon that sits at the core of the switches in a production network. A switch is designed to work in a network where packets are expected to be dropped. Protocols such as TCP use well-tried methods to deliver data at the rate the transporting network and end devices can consume, and to retry when needed. When a switch or switch port is overloaded by too much traffic and there is no more room in its buffers, it drops packets. That is a pain, but not detrimental to a production network, because the transport protocols retransmit the dropped packets if needed. A monitoring network has no retries. Nor is there any back-off or change in window size to slow the traffic down when the NPB is maxed out: the monitoring network passively copies traffic from the production network, so the endpoints never learn that a copy was dropped, and once a copy is dropped it is gone for good.

The Problem With Most Network Packet Brokers

While everyone likes to poke holes in the well-known orange NPB dropping packets, any NPB architecture that sits behind merchant switch silicon will drop packets, especially when the switch fabric is oversubscribed or hit by microbursts. It doesn't matter whether the processing is done by a CPU or an FPGA: if the switch isn't passing you the packets, you can't process them. Back to the off-road example: you can have the best shocks on the market, but if the engine doesn't have the power to drive the vehicle they are wasted, and at best only good for show.

What about filtering? If the NPB can filter out unnecessary packets and reduce the load, won't that mitigate the problem? The issue is that the packets are dropped before the NPB engine gets to process them. It also relies on the smarts themselves (CPU or FPGA based) having enough horsepower, or they will drop packets too. (The throughput claimed on an NPB datasheet can fall significantly once you turn on all the features.) Filtering packets in the NPB engine is like locking the garage door after your vehicle has been stolen: if the switch is dropping packets, the smarts in the NPB vendor's hardware can't help. The other problem is that if the packets being dropped are voice and video, how does the network team troubleshoot when sales are losing customers because of poor voice quality?
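To make the argument of the last three sections concrete, here is a small added simulation (not cPacket's code, and not a model of any particular product) of one tool-facing port in a monitoring fabric: several TAP feeds are aggregated onto a port with a finite buffer and no flow control, a microburst hits every feed at once, and the same filter is applied either in the NPB engine after the fabric queue or at the ingress port before it. All rates, buffer depths and the split between wanted and unwanted traffic are made-up illustrative values.

```python
"""Toy model of one tool-facing port in a monitoring fabric.

Added example, not cPacket code and not a model of any specific product.
Several TAP feeds are aggregated onto one port with a finite buffer and no
flow control. The same filter is applied either AFTER the fabric queue (an
NPB engine behind merchant switch silicon) or BEFORE it (at the ingress
port). All rates, buffer depths and the wanted/unwanted split are made up.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    feed: int      # TAP feed (ingress port) the copy arrived on
    wanted: bool   # does a downstream tool actually need this packet?


def make_traffic(slots=20, feeds=4, steady_rounds=2, burst_slots=(8, 9, 10),
                 burst_rounds=6, wanted_feeds=(0, 1)):
    """Constructed arrival pattern: per time slot, packets interleaved
    round-robin across feeds. In burst slots every feed microbursts at
    once. Only packets from wanted_feeds matter to the tools (say, the
    web tier); the rest is backup/replication traffic to be filtered."""
    traffic = []
    for slot in range(slots):
        rounds = burst_rounds if slot in burst_slots else steady_rounds
        traffic.append([Packet(f, f in wanted_feeds)
                        for _ in range(rounds) for f in range(feeds)])
    return traffic


def run_fabric(traffic, drain=10, buffer_cap=16, filter_at="egress", idle_slots=5):
    """Simulate the port. drain = packets forwarded per slot (line rate),
    buffer_cap = egress buffer depth (tail drop when full), filter_at =
    "egress" (filter in the NPB engine after the queue) or "ingress"
    (filter at the port before the queue). No retransmission exists on
    the monitoring path: a dropped copy is lost for good."""
    if filter_at not in ("ingress", "egress"):
        raise ValueError(filter_at)
    q = deque()
    stats = {"wanted_offered": 0, "wanted_delivered": 0,
             "wanted_dropped": 0, "total_dropped": 0}
    for pkts in traffic + [[]] * idle_slots:    # idle slots let the queue drain
        for p in pkts:
            if p.wanted:
                stats["wanted_offered"] += 1
            if filter_at == "ingress" and not p.wanted:
                continue                        # filtered at the port, never buffered
            if len(q) >= buffer_cap:
                stats["total_dropped"] += 1     # tail drop in the switch silicon
                if p.wanted:
                    stats["wanted_dropped"] += 1
                continue
            q.append(p)
        for _ in range(min(drain, len(q))):
            p = q.popleft()
            if p.wanted:                        # egress filter discards the rest
                stats["wanted_delivered"] += 1
    return stats


def compare(**kwargs):
    """Run both filter placements on the same traffic; return {placement: stats}."""
    traffic = make_traffic()
    return {where: run_fabric(traffic, filter_at=where, **kwargs)
            for where in ("egress", "ingress")}


if __name__ == "__main__":
    for where, stats in compare().items():
        print(f"filter at {where:7s}: {stats}")
```

With these constructed numbers the filter behind the fabric loses 16 of the 104 wanted packets during the three burst slots, even though the filter itself would discard half of the offered load, because the tail drops happen upstream of it; the same filter placed in front of the queue delivers every wanted packet. Real fabrics have shared buffers, multiple queues and priorities, but the ordering constraint is the same: a filter can only save buffer space for packets it sees before the queue.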

Going back to where we started, network traffic is the source of truth, but only if you have all the necessary traffic. Most NPBs out there will not see all the packets, and they will not pass all the packets to the security and performance monitoring tools that need them. This can give you a false sense of security and make it harder to find intermittent issues on your network.
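A practitioner's check for exactly that false sense of security, added here and not part of the original post or of any cPacket product: a tool fed by a passive copy can tell monitoring-path loss apart from production loss by watching the receiver's cumulative ACKs. If the peer acknowledges bytes the capture never contained, those bytes reached the endpoint and were lost somewhere between the TAP and the tool; Wireshark flags the same condition as "TCP ACKed unseen segment". Production loss, by contrast, shows up as duplicate ACKs followed by a retransmission that the capture does see. The segment records are constructed for the example; the code assumes a single flow, no sequence-number wrap, and a capture that began at the start of the flow.

```python
"""Tell monitoring-path loss apart from production loss in a passive capture.

Added example, not cPacket code. A tool fed by a SPAN/TAP copy never gets a
retransmission of a copy the fabric dropped, but the drop leaves a trace: the
receiver's cumulative ACK covers bytes the capture never contained (Wireshark:
"TCP ACKed unseen segment"). Assumes one flow, no sequence wrap, and a capture
that starts with the flow. The segment records below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    ts: float     # capture timestamp
    src: str      # sender: "client" or "server"
    seq: int      # sequence number of the first payload byte
    length: int   # payload bytes (0 for a pure ACK)
    ack: int      # cumulative acknowledgement number


@dataclass
class Direction:
    covered: List[Tuple[int, int]] = field(default_factory=list)  # disjoint [lo, hi)
    first_seq: Optional[int] = None


def add_interval(covered, lo, hi):
    """Insert [lo, hi) and re-merge so the list stays sorted and disjoint."""
    covered.append((lo, hi))
    covered.sort()
    merged = []
    for a, b in covered:
        if merged and a <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], b))
        else:
            merged.append((a, b))
    covered[:] = merged


def uncovered(covered, lo, hi):
    """Sub-ranges of [lo, hi) that no interval in covered contains."""
    gaps, cursor = [], lo
    for a, b in covered:
        if b <= cursor:
            continue
        if a >= hi:
            break
        if a > cursor:
            gaps.append((cursor, min(a, hi)))
        cursor = max(cursor, b)
        if cursor >= hi:
            break
    if cursor < hi:
        gaps.append((cursor, hi))
    return gaps


def find_monitoring_loss(segments):
    """Return [(ts, data_direction, lo, hi)]: byte ranges the peer acknowledged
    that the capture had not seen when the ACK arrived and never saw later."""
    state = {"client": Direction(), "server": Direction()}
    findings, seen = [], set()
    for s in sorted(segments, key=lambda x: x.ts):
        peer_name = "server" if s.src == "client" else "client"
        me, peer = state[s.src], state[peer_name]
        if s.length:
            if me.first_seq is None:
                me.first_seq = s.seq
            add_interval(me.covered, s.seq, s.seq + s.length)
        # s.ack says the peer's bytes below it were delivered to this endpoint.
        # Any of them missing from the capture were lost between TAP and tool.
        if peer.first_seq is not None and s.ack > peer.first_seq:
            for lo, hi in uncovered(peer.covered, peer.first_seq, s.ack):
                if (peer_name, lo, hi) not in seen:
                    seen.add((peer_name, lo, hi))
                    findings.append((s.ts, peer_name, lo, hi))
    # Guard against fabric reordering: drop findings a later-captured segment filled.
    return [f for f in findings if uncovered(state[f[1]].covered, f[2], f[3])]


# Constructed: client sends three 1000-byte segments; the fabric drops the copy
# of the second, yet the server acknowledges all 3000 bytes.
MONITORING_LOSS = [
    Segment(0.000, "client", 1, 1000, 1),
    # Segment(0.001, "client", 1001, 1000, 1)  <- copy lost in oversubscribed fabric
    Segment(0.002, "client", 2001, 1000, 1),
    Segment(0.010, "server", 1, 0, 3001),
]

# Constructed: all three copies reach the tap, but the second is lost downstream
# on the production path; the server dup-ACKs and the client retransmits.
PRODUCTION_LOSS = [
    Segment(0.000, "client", 1, 1000, 1),
    Segment(0.001, "client", 1001, 1000, 1),
    Segment(0.002, "client", 2001, 1000, 1),
    Segment(0.010, "server", 1, 0, 1001),
    Segment(0.011, "server", 1, 0, 1001),     # duplicate ACK
    Segment(0.210, "client", 1001, 1000, 1),  # retransmission after RTO
    Segment(0.220, "server", 1, 0, 3001),
]

if __name__ == "__main__":
    print("monitoring-path loss:", find_monitoring_loss(MONITORING_LOSS))
    print("production loss     :", find_monitoring_loss(PRODUCTION_LOSS))
```

In the first scenario the tool is told, by the server's own ACK, that bytes 1001 to 2000 were delivered although it never saw them: that is a drop on the monitoring path, and no amount of downstream processing will bring those packets back. In the second scenario every acknowledged byte exists in the capture, so the loss is a production event the tools can legitimately report on. Running a check like this on a sample of flows is a cheap way to verify a visibility fabric's "no drops" claim against what it actually delivers.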

The Network Packet Broker That Actually Delivers

The good news is that cPacket cVu is a network packet broker that sees and processes packets at each port before they are passed on to the internal switch silicon. cPacket does not rely on the switch silicon to monitor and report on the packets. The cPacket solution further processes and refines the packets on egress to deliver just the right traffic to the right security or monitoring tool. How? Only cPacket has pre-ingress and post-egress Smart Ports with dedicated resources to inspect, report on and process the traffic before any congestion can occur.

Smart Ports perform functions such as filtering, nanosecond time-stamping, burst calculation, de-capsulation, de-duplication, slicing and load balancing. By controlling both ingress and egress, packets cannot escape cPacket's view even under over-subscription. By distributing the processing to the ports, cPacket can run at 100G wire speed on every port and does not get bogged down when you turn on more features. More than just a packet broker, the complete cPacket solution has network-wide visibility and can report one-way latency across critical devices (firewalls, proxies, load balancers) or across your network. It can also search for matches in any packet across the whole network.

If you want better than a standard NPB, one that:

  • Sees and reports on all the packets at line rate
  • Shows the overall health of your network
  • Shows the throughput and performance of your security tools and essential network devices
  • Proactively reports on network and server issues (latency and drops)
  • Includes all the features in the price, making it a third of the cost of other NPBs

Contact cPacket and ask for a demo

You can also check out these resources:

100G Press releases

cVu 16100 product family datasheet

cVu 1000 datasheet

100G Case Study
