The Why and How of a Two-Tier Network Monitoring Topology

A two-tier topology provides the freedom to upgrade the core network and various security and performance tools independently.

Ron Stein

May 11, 2021

4 Min Read
The Why and How of a Two-Tier Network Monitoring Topology
(Image: Pixabay)

As data centers upgrade to 100 Gbps speeds to support the need for speed and high-performance workloads, they will need to maintain network visibility and security during and after the process to prevent bottlenecks and threats. However, many security and performance tools cannot ingest data at 100Gbps, which leaves blind spots that can be exploited by cybercriminals. Visibility gaps also increase the time and effort required to troubleshoot and maximize performance and assure that end-users have exceptional experiences. Bridging data rate differences between components within a monitoring plane (where observation occurs) is easily handled by network packet brokers, which is why a best practice is to ensure the monitoring plane has this capability before upgrading the data plane to 100Gbps.

One way for enterprises to efficiently bridge these data rates is to use a two-tier monitoring topology. Let’s discuss when this approach is appropriate and how to put it in place.

Why enterprises should use a two-tier monitoring topology

A two-tier observability topology will benefit the enterprise in several ways, especially when many network ports are monitored. The primary benefits are:

  • Isolating the core network from the tools/tool rail so that brokering can provide the right data at the right data rates.

  • Optimizing cost by separating packet acquisition-and-aggregation from packet delivery. This enables IT to put packet processing power where it is needed.

Isolating the core network from the tools/tool rail gives IT greater freedom to upgrade the core network somewhat independently. Tools tend to get upgraded in a staggered fashion over time as the vendors bring their respective tools up to date. Separating them from the core network lets IT accommodate this without delaying the core network upgrades.  

Most of the advanced processing for the packet processing features listed below happens facing the receiving devices (i.e., the tools/tool rail). User-controlled packet data sizing and distribution also extends the useful life of tools and the investment in them. Real-time packet processing gives the user control over packet sizing and distribution, so the receiving devices operate at maximum efficiency by receiving the exact data they need.

Packet processing features for delivering the right data at the right data rate to the right tools include:

  • Deduplication

  • Filtering

  • Replication

  • Load Balancing

  • Data Rate Adjusting

  • Splicing

  • Header Stripping

How to create one

Now that you know there are several benefits to deploying a two-tier network packet observability plane, here is how to set one up, as depicted by the following diagram.

two-tier

two-tier.png

As you can see from the diagram, two network packet brokers (NPBs) are used; one for “aggregation” that acquires packet data via TAPs and span ports, and one for "distribution." Typically, the number of ports to observe/monitor exceeds the number of ports to which packets are delivered. Aggregation-class packet brokers typically have fewer features and a higher number of input and output ports, which is why they are used for acquisition to gain cost-efficiency. Distribution-class packet brokers have more power and hence more cost; they also often have fewer input and output ports, which is why they are deployed more sparingly.

Ideally, network packet acquisition should occur at data rates up to 100Gbps. Since every hop adds bias to performance data, it's best to observe this information as close to the source as possible, so another ideal capability of an aggregation-class packet broker is to add high-resolution timing information (e.g., timestamps) to the incoming packets, as well as observe other performance metrics such as microbursts. Aggregation brokers are aptly named because they do more than replicate-and-forward packets. They actually aggregate packets, reducing the number of packet streams. This is what makes it possible to use a distribution-class packet broker with fewer input and output ports. Depending on the network in question and IT’s needs, an aggregation-class packet broker can also deliver packets directly to other destinations, such as capture-to-disk solutions. Nevertheless, distribution-class packet brokers perform most of the packet delivery.   

Divide and conquer

Applying the right network packet brokering features, functionality, and port densities where they are needed is a cost-effective way to divide visibility needs into two tiers.

There you have it – the “why” and “how” of a two-tier network monitoring topology. Since network-centric visibility is vital, IT departments should make sure that their visibility is not compromised when upgrading the core network or tools. A two-tier topology provides the freedom to upgrade the core network and various security and performance tools independently.

Ron Stein is Director of Product Marketing at cPacket Networks.

About the Author

Ron Stein

Ron Stein is the Director of Product Marketing for cPacket Networks. His extensive background spans from semiconductors and IoT to Internet-scale systems and networking in development, product management, and marketing roles. Ron has also launched and marketed technology solutions to governments and major industries. His expertise includes marketing enterprise Artificial Intelligence solutions that leverage advanced analytics and machine learning applied to big and fast data.

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights