The Why and How of a Two-Tier Network Monitoring Topology
A two-tier topology provides the freedom to upgrade the core network and various security and performance tools independently.
May 11, 2021
As data centers upgrade to 100 Gbps speeds to support the need for speed and high-performance workloads, they will need to maintain network visibility and security during and after the process to prevent bottlenecks and threats. However, many security and performance tools cannot ingest data at 100Gbps, which leaves blind spots that can be exploited by cybercriminals. Visibility gaps also increase the time and effort required to troubleshoot and maximize performance and assure that end-users have exceptional experiences. Bridging data rate differences between components within a monitoring plane (where observation occurs) is easily handled by network packet brokers, which is why a best practice is to ensure the monitoring plane has this capability before upgrading the data plane to 100Gbps.
One way for enterprises to efficiently bridge these data rates is to use a two-tier monitoring topology. Let’s discuss when this approach is appropriate and how to put it in place.
Why enterprises should use a two-tier monitoring topology
A two-tier observability topology will benefit the enterprise in several ways, especially when many network ports are monitored. The primary benefits are:
Isolating the core network from the tools/tool rail so that brokering can provide the right data at the right data rates.
Optimizing cost by separating packet acquisition-and-aggregation from packet delivery. This enables IT to put packet processing power where it is needed.
Isolating the core network from the tools/tool rail gives IT greater freedom to upgrade the core network somewhat independently. Tools tend to get upgraded in a staggered fashion over time as the vendors bring their respective tools up to date. Separating them from the core network lets IT accommodate this without delaying the core network upgrades.
Most of the advanced processing for the packet processing features listed below happens facing the receiving devices (i.e., the tools/tool rail). User-controlled packet data sizing and distribution also extends the useful life of tools and the investment in them. Real-time packet processing gives the user control over packet sizing and distribution, so the receiving devices operate at maximum efficiency by receiving the exact data they need.
Packet processing features for delivering the right data at the right data rate to the right tools include:
Deduplication
Filtering
Replication
Load Balancing
Data Rate Adjusting
Splicing
Header Stripping
How to create one
Now that you know there are several benefits to deploying a two-tier network packet observability plane, here is how to set one up, as depicted by the following diagram.
two-tier.png
As you can see from the diagram, two network packet brokers (NPBs) are used; one for “aggregation” that acquires packet data via TAPs and span ports, and one for "distribution." Typically, the number of ports to observe/monitor exceeds the number of ports to which packets are delivered. Aggregation-class packet brokers typically have fewer features and a higher number of input and output ports, which is why they are used for acquisition to gain cost-efficiency. Distribution-class packet brokers have more power and hence more cost; they also often have fewer input and output ports, which is why they are deployed more sparingly.
Ideally, network packet acquisition should occur at data rates up to 100Gbps. Since every hop adds bias to performance data, it's best to observe this information as close to the source as possible, so another ideal capability of an aggregation-class packet broker is to add high-resolution timing information (e.g., timestamps) to the incoming packets, as well as observe other performance metrics such as microbursts. Aggregation brokers are aptly named because they do more than replicate-and-forward packets. They actually aggregate packets, reducing the number of packet streams. This is what makes it possible to use a distribution-class packet broker with fewer input and output ports. Depending on the network in question and IT’s needs, an aggregation-class packet broker can also deliver packets directly to other destinations, such as capture-to-disk solutions. Nevertheless, distribution-class packet brokers perform most of the packet delivery.
Divide and conquer
Applying the right network packet brokering features, functionality, and port densities where they are needed is a cost-effective way to divide visibility needs into two tiers.
There you have it – the “why” and “how” of a two-tier network monitoring topology. Since network-centric visibility is vital, IT departments should make sure that their visibility is not compromised when upgrading the core network or tools. A two-tier topology provides the freedom to upgrade the core network and various security and performance tools independently.
Ron Stein is Director of Product Marketing at cPacket Networks.
About the Author
You May Also Like