Network Packet Brokers

Posted by: Andy Huckridge | July 18, 2012

Network Packet Brokers – Wikipedia page

Certainly describes the line of VSS Monitoring Network Packet Brokers which have been keenly adopted by carrier operators worldwide…

From here on taken directly from the Wikipedia page in its entirety…

From Wikipedia, the free encyclopedia

Network Packet Brokers (NPBs) is the latest name coined by Gartner Analyst Deb Curtis and Jonah Kowall to define a set of hardware based appliances that help optimize the access and visibility of a variety of network monitoring, security and acceleration tools to traffic from one or many network links. A NPB or a system of NPBs provide a combination of functionality that may include aggregating monitored traffic from multiple links, traffic filtering and grooming, traffic regenerating and load balancing actionable traffic to multiple tools, pre-filtering traffic to offload tools, and directing traffic according to intelligent one-to-one and many-to-many port mappings.

Formerly they have been also called data monitoring switch, data access switch, matrix switches, traffic aggregator, net tool optimizer, and distributed traffic capture systems.

NPBs enable organizations to use their monitoring tools more efficiently, to centralize traffic monitoring and security functions and create centers of IT expertise, and to share tools and traffic access between groups. Most NPBs also provide functionality that helps extend the return on investment (ROI) on existing network monitoring, security and acceleration tool while also helping justify more expensive higher throughput monitoring and security tool purchases i.e. 10G and 40G.

In a nutshell, NPBs simplify deployment and management of security and monitoring tools while maximizing the ROI customers can achieve from these tools while helping reduce associated CAPEX, and the OPEX for managing and maintaining them.

Key Features and Functionality

NPBs broker network traffic from multiple Switched Port Analyzer (SPAN) ports from other network elements, and manipulate the traffic to allow more efficient use of Network Monitoring, Security, Analytics and Acceleration tools. The NPB product can also be deployed in line to reduce the latency reported to the attached network monitoring and security products while some even help increase the service availability of the inline tools via Layer 2 (session-aware) load balancing and tool health-check monitoring and fault tolerance capabilities.

Typical NPBs offer the following features: ^[1]

Many-to-many port mapping, with a configuration interface (graphical user interface [GUI] or command line interface [CLI]) for real-time adjustments of packet flow, including port mapping and paths.

Filtering of packet data based on the characteristics found in the packet headers, allowing filtering of Open Systems Interconnection (OSI) Layers 2 through 4.

Packet slicing and deduplication, (and some offer even network packet fragment re-assembly) which allows a subset of the full packet data to be passed to the monitoring device, thus allowing monitoring tools to scale more efficiently.

Aggregating multiple packet stream inputs into one larger stream, for example five 1Gb links into a single 10Gb link. Alternately, the reverse also will work, where a single 10Gb link would be fed into multiple 1Gb connections. The destination would be a monitoring tool with the proper interface.

Distributing traffic load per device by sending it to different probes or appliances in order to scale the monitoring, or to provide redundancy in the monitoring technology.

Insertion of hardware-based time stamps that can be used by the monitoring tools to provide more accurate measurements. These hardware-based features can change the accuracy of the packet time stamp from milliseconds to microseconds, enabling more granular time measurement.

Some NPBs also offer hardware based port stamping at the time of packet capture which when combined with sub-millisecond time stamping can help maintain link-layer visibility and in turn help support attribution during network or application performance troubleshooting or incident analysis and response activities.

Few NPBs also offer load balancing across multiple tool ports, filtering on patterns in packet payloads, and converting media and data rates so tools can be used to monitor traffic from dissimilar links.

More advanced NPBs will also offer:

Deep packet inspection, allowing for the filtering and routing of packets based on data characteristics in the header or payload, and support for filtering on OSI Layers 2 through 7.

The ability to capture ingress port identification data, enabling unique identification of traffic from multiple ingress ports.

The capability to mask specific data in the packets, or slice off undesired (large video files, [RTP] payloads) or highly sensitive payloads which could be applied in compliance use cases (e.g. Social Security numbers, credit card numbers, etc.)

Some NPB solution vendors have the ability to interconnect their appliances to configure logical systems with hundreds of ports, although user interface complexity can serve as a limiting factor in many products. Others have pushed the envelope even further allowing customer to build up a fully redundant mesh architecture to broker traffic across Virtual, Physical networks or LAN and WAN and Internet boundaries.

When a number of monitoring tools are connected to the NPBs tool ports, copies of traffic from any of the network ports can be optimized and delivered to any of the tools using the NPB’s CLI, GUI or central management interface. Some even offer extensible XML API to perform desired configuration changes and perform on-demand data capture and intelligent data delivery to one or more security and monitoring tool.

The more advanced NPBs offer enhanced security (access control, port permissions, etc.) either on the individual level or by using groups, filter library / archiving, and the ability to manage multiple devices simultaneously from a single interface.

Advantages

Network Packet Brokers facilitate centralizing network traffic monitoring and security tools and IT expertise across the enterprise and service provider network e.g. Networks Operations Center [NOC] / Security Operations Center [SOC].

By providing remote monitoring and control, they save the time and expense of traveling to remote locations to install monitoring and security tools at every location while keeping the capital expenditure low by avoiding the need for deploying multiple instances of the same tool(s) across the network

NPBs make it easier to share tools among groups and help extend the ROI from existing tools.

NPBs offering media and data rate conversion capabilities, enable 1 Gigabit tools to support 10 Gigabit links, and 10 Gigabit tools to monitor traffic aggregated from multiple 1 Gigabit links.

NPBs prevent tool oversubscription by pre-filtering traffic, and some even offer large-data buffers to mitigate against microburst in the network.

With NPBs customers can tap network links directly, instead of relying on switch SPAN ports for monitoring access. Those NPBs offering bypass switch capabilities also allow the IT network administrators to deploy multiple inline tools on the same network link or support 10G links with multiple 1G tools by leveraging the NPBs intelligent L2-L7 filtering and load balancing capabilities described earlier.

Because of their high port densities and modular form factors compared to discreet Taps, they save rack space and power, and can have a lower price per port while allowing customers to future-proof their investments. This is particularly true for those offering a system based approach for connecting multiple NPB appliances across LAN and WAN segments.

Disadvantages

Not all NPBs are created equal.

They are non-standard – different vendor devices operate and are managed differently.

Some NPB offer off-the-shelve hardware packaged (OEM) in different form factors which can lead to lack of backward compatibility and access to predictive engineering roadmaps.

Others provide a monolithic switched based architecture that offers an expensive initial investment to buy a large chassis that is unable to share access and intelligence across different platforms. These are often limited by backplane chassis throughputs and lack backward compatibility with other legacy platforms from the same vendor; they more dense switches often need a separate management interface.

Entry-level pricing is expensive – if just a few links or tools need to be instrumented, price per port will be higher than the customer is willing to invest in. Not everyone needs to build a large mesh architecture. So it’s imperative that those NPB vendors offering a system-based approach can offer customers a pay-as-you-grow model with a highly flexible and modular platform.

Advanced functionality on some products can be very cumbersome to activate and maintain over time. Make sure you do you due diligence to perform side-by-side evaluations to see which one offers a more user friendly and extensible management to help reduce any associated operational expense.

Some advanced NPBs require Command Line interfaces as the primary interface required to perform the vast majority of advanced functions, even on many boxes that also offer a GUI. While CLI offers a great deal of control over the operations of the box, only the utmost of advanced users will be able to configure filtering and connections using CLI without overlooking problems such as filter overlaps, replication and accuracy checks, and ongoing active system management.

References

^[2]

^[3]

^ NPB Landscape by Jonah Kowall (See link below)
^ Kowall, Jonah. “Application-aware-network-performance-monitoring-npm-and-network-packet-broker-npb-research”. Gartner. Retrieved 12 July 2012.
^ Laliberte, Bob. “Intelligent Network Packet Brokers”. Intelligent Network Packet Brokers – Market Report. ESG. Retrieved 12 July 2012.

Andy Huckridge