The Dirty Little Secret of Network Packet Brokers

A network packet broker has a lot in common with a high-performance vehicle. Imagine you bought an off-road vehicle with all the bells and whistles: high clearance, low- and high-range gears, high torque, plus top-of-the-range Fox shocks like the ones in the trophy truck video. What if you then discovered that you can't use all the features without losing significant engine power, and that under load the power to the wheels cuts in and out? That is what you get with most of the network packet brokers on the market, especially on 40Gbps and 100Gbps networks. Let me explain.

What is a Packet Broker?

First, let us remind ourselves why network packet brokers exist: multiple tools need access to network traffic for multiple reasons. Network traffic is often described as "the source of truth" for both security tools and performance monitoring. Whether you are collecting and analyzing network logs or hunting the source of intermittent problems with a website, network traffic is a gold mine.

When looking for network issues, you often find that logging has been turned off or is incomplete because of the load on individual devices. Communication over the network, however, cannot be turned off, so if you can capture all the necessary traffic you can see exactly what is happening. The catch, which we shall come back to, is the word "all".

The same applies to security. However clever malware is at hiding, the moment it tries to spread or communicate in any way, the network traffic can expose it. If you can collect and analyze all the necessary traffic with the right security tools, you stand a much better chance of catching the bad guys.


Getting Access to Network Traffic

The problem is that network traffic is hard to get access to. With the explosion of security devices that analyze network traffic, there are never enough SPAN ports or network TAPs to feed them all. As the need for access has grown, so has the need for a dedicated monitoring network made up of network TAPs, aggregators and, for some time now, the network packet broker.

Gartner Adds Network Packet Brokers

By 2018, NPBs were recognized as part of the standard network tool kit, especially in large networks, with Gartner placing them on its 2018 Hype Cycle for Enterprise Networking and Communications. Starting life as intelligent TAP aggregators, NPBs have evolved to become smarter, providing functions such as filtering, de-duplication, header stripping, time-stamping and intelligent distribution to security and performance monitoring tools.

Without a network packet broker, the tools that needed access to network traffic were spread throughout the infrastructure, each attached at only a few key points. This led to blind spots and an inconsistent view of traffic, as well as high purchase and management costs for those tools.

This is where TAP aggregation and NPBs come to the rescue. Aggregators simply collect the data from the TAPs distributed throughout the network and aggregate the traffic up to the tools. The tools can now see data from everywhere in the network, the ultimate source of truth, but there is a big problem. An aggregator on its own can get overloaded, and it bombards the tools it feeds with unnecessary and duplicate traffic. This gives you a central tool rail and saves some cost, but you are not fully capitalizing on the potential savings, and you risk losing the very packets the tools need to block threats and find application performance issues.


Using a Network Packet Broker

NPBs, on the other hand, process the packets and broker them so that the right packets reach the right tools. They can filter out unneeded packets, de-duplicate, slice, de-capsulate, mask, and intelligently distribute the traffic in the format each tool requires.

When choosing an NPB, should you just buy the one with the longest feature list? There is a catch. Remember that the tools need to see ALL the traffic? The problem with most NPBs is that their smarts, a CPU or an FPGA, sit beside a standard merchant switch chipset: the same chipset that is at the core of the switches in your production network.

The Problem with Network Packet Brokers

A switch is designed for a network in which packets are expected to be dropped. Protocols such as TCP, through well-tried and tested mechanisms, deliver data at the rate the transporting network and the end devices can consume, and retransmit when needed. When a switch or a switch port is overloaded with more traffic than it can forward and its buffers are full, it drops packets. That is a pain, but not fatal to a production network, because the transport protocols take care of retransmitting the dropped packets. A monitoring network has no retries. The copy of the traffic flows one way, from the production network into the monitoring network, so there is no back-off and no window-size change to slow the senders down when the NPB is maxed out. Once a packet is dropped on the monitoring path, it is gone for good.

The Problem with Most Network Packet Brokers

Everyone likes to poke holes in the well-known orange NPB for dropping packets, but any NPB architecture whose smarts sit behind merchant switch silicon will drop packets, especially when the switch fabric is oversubscribed or hit by microbursts. It does not matter whether you have a CPU or an FPGA: if the switch is not passing you the packets, you cannot process them. Back to the off-road example: you can have the best shocks on the market, but if the engine does not have the power to drive the vehicle, they are wasted and at best only good for show.

Can the NPB Filter Out the Unnecessary Packets?

What about filtering? If the NPB can filter out unnecessary packets and reduce the load, won't that mitigate the problem? No, because the packets are dropped before the NPB engine ever gets to process them. Filtering also relies on the smarts themselves (CPU or FPGA based) having enough horsepower, or they will drop packets of their own; the throughput claimed on an NPB datasheet can fall significantly once you turn on all the features. Filtering packets in the NPB engine is like locking the garage door after your vehicle has been stolen: if the switch is dropping packets, the smarts in the NPB hardware cannot get them back. The other problem is that if the dropped packets are voice and video, how does the network team troubleshoot when sales are losing customers to poor voice quality?
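As an added illustration (this is not cPacket's code, nor a model of any particular vendor's hardware), the Python script below models the two points made above: a shared switch buffer that tail-drops under a microburst with no way to signal back-pressure to the senders, and the same tool filter placed either behind that buffer or on each input port in front of it. Every number in it is constructed: four TAP inputs, a base rate of two packets per time slot, a five-slot burst at six packets per slot, an egress that forwards ten packets per slot into an eight-packet buffer, and every fourth packet flagged as wanted by a downstream tool. The "Smart Port" placement is reduced to one assumption, that the filter runs before the shared buffer.

```python
"""
Added example: a tail-drop model of an aggregating switch port feeding a
packet-broker filter engine. It shows why a filter placed behind the switch
silicon cannot recover packets the switch has already dropped, while the
same filter applied per input port before the shared buffer keeps the
wanted packets. All traffic and parameters are constructed for the demo.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    tap: int        # which TAP/input port copied this packet in
    seq: int        # per-TAP sequence number, so losses can be named
    wanted: bool    # a downstream tool needs this packet (survives the filter)


@dataclass
class Result:
    offered_wanted: int     # wanted packets the TAPs copied in
    delivered_wanted: int   # wanted packets that reached the tools
    switch_drops: int       # packets tail-dropped by the shared buffer
    lost: List[Packet]      # wanted packets that never arrived


def offered_load(n_taps=4, slots=20, base=2, burst_slots=range(5, 10),
                 burst=6, wanted_every=4) -> List[List[Packet]]:
    """Per-slot arrivals from every TAP; every `wanted_every`-th packet is wanted."""
    seqs = [0] * n_taps
    timeline = []
    for t in range(slots):
        rate = burst if t in burst_slots else base   # microburst window
        slot = []
        for tap in range(n_taps):
            for _ in range(rate):
                seq, seqs[tap] = seqs[tap], seqs[tap] + 1
                slot.append(Packet(tap, seq, seq % wanted_every == 0))
        timeline.append(slot)
    return timeline


def broker(timeline, drain=10, buffer=8, filter_at_ingress=False) -> Result:
    """
    One shared egress queue in front of the filter engine.
    drain  = packets the egress port can forward per slot (its line rate)
    buffer = packets the switch can hold while arrivals exceed drain
    filter_at_ingress=True discards unwanted packets at each input before
    they can occupy the shared buffer (the assumed Smart Port placement);
    otherwise the filter only sees whatever survives the buffer.
    Nothing here can slow the TAPs down: a monitoring copy has no back-pressure.
    """
    queue: deque = deque()
    offered = delivered = drops = 0
    lost: List[Packet] = []
    for slot in timeline:
        for p in slot:
            offered += int(p.wanted)
            if filter_at_ingress and not p.wanted:
                continue                      # filtered before the buffer
            if len(queue) >= buffer:
                drops += 1                    # tail drop: gone for good
                if p.wanted:
                    lost.append(p)
                continue
            queue.append(p)
        for _ in range(min(drain, len(queue))):
            delivered += int(queue.popleft().wanted)   # post-queue filter keeps wanted only
    while queue:                              # let the buffer drain after the run
        delivered += int(queue.popleft().wanted)
    return Result(offered, delivered, drops, lost)


def compare(**load_kwargs) -> Dict[str, Result]:
    """Same offered load through both filter placements."""
    timeline = offered_load(**load_kwargs)
    return {
        "filter_behind_switch": broker(timeline, filter_at_ingress=False),
        "filter_at_ingress": broker(timeline, filter_at_ingress=True),
    }


if __name__ == "__main__":
    results = compare()
    for name, r in results.items():
        print(f"{name:22s} wanted offered={r.offered_wanted} "
              f"delivered={r.delivered_wanted} switch drops={r.switch_drops}")
    missing = results["filter_behind_switch"].lost
    print("lost wanted packets by TAP:",
          {tap: sum(1 for p in missing if p.tap == tap) for tap in range(4)})
```

Run as-is: with the filter behind the switch, 80 of the 240 copied packets are tail-dropped during the burst and 19 of the 60 wanted packets never reach the tools; with the same filter at ingress, nothing is dropped because only the wanted quarter of the traffic ever competes for the buffer. Which wanted packets are lost depends only on arrival order inside this model (they fall on TAPs 1 to 3 and spare TAP 0); on a real fabric the victims are just as arbitrary, which is why a feed that has been oversubscribed cannot be trusted to be complete.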

Going back to where we started: network traffic is the source of truth, but only if you have all the necessary traffic. With most NPBs out there, the broker is not seeing all the packets, so it cannot pass all the packets to the security and performance monitoring tools. That gives you a false sense of security and makes intermittent issues on your network harder to find.

The Network Packet Broker that Actually Delivers

The good news is that the cPacket cVu appliance is a network packet broker that sees and processes packets at each port before passing them on to the internal switch silicon. cPacket does not rely on the switch silicon to monitor and report on the packets. The cPacket solution further processes and refines the packets on egress to deliver just the right traffic to the right security or monitoring tool. How? Only cPacket has pre-ingress and post-egress Smart Ports with dedicated resources to inspect, report on and process the traffic before any congestion can occur.

Smart Ports perform functions such as filtering, nanosecond time-stamping, burst calculation, de-capsulation, de-duplication, slicing and load balancing. By controlling ingress and egress, packets cannot escape cVu's view even when the fabric is oversubscribed. By distributing the processing to the ports, cVu runs at 100Gbps wire speed on every port and does not bog down when you turn on more features. More than just a packet broker, the complete cVu solution provides network-wide visibility and can report on one-way latency across critical devices (firewalls, proxies, load balancers) or across your network. It can search for matches in any packet across the whole network.

Check out cVu if you want better than a standard NPB, one that:

  • Sees and reports on all the packets at line rate
  • Shows the overall health of your network
  • Shows the throughput and performance of your security tools and essential network devices
  • Proactively reports on network and server issues (latency and drops)
  • Includes all the features in the price, making it a third of the cost of other NPBs

Contact cPacket and ask for a demo.

You can also check out these resources:

100Gbps press releases

cVu 16100 product family datasheet

cVu 1000 datasheet