<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2975524&amp;fmt=gif">
BLOG

Network Packet Brokers Explained

June 29, 2022

Network Packet Broker

We all know traffic across the data center is increasing. The migration towards 100G ethernet is well underway, with 28% of data centers undergoing the upgrade as of 2018. Meanwhile, 400G ethernet is available and creeping towards widespread adoption. With more and more data passing through data centers, operators need granular information about what form the data may take. Network Packet Brokers (NPBs) are designed to make it easier for administrators and their tools to analyze this traffic, allowing for smoother and more functional data center operations.

Why Does Your Data Center Need Network Packet Brokers?

Even if you haven’t yet deployed 100G ethernet, you probably still need an NPB. Within your data center, you already have a lot of static tools designed to monitor network performance, provide visibility, and mitigate threats and bad actors. To function properly, these tools need a constant stream of packets—but without an NPB, there are few good options to manage them.

For example, you could put these tools directly inline with your incoming network connections, but this could potentially slow down traffic and create single points of failure. Accessing this traffic through network TAPs and SPAN ports provides visibility but can in turn generate too many incoming connections for your tools to process. Coping with this means adding more tools or more links, but this solution is neither efficient nor cost-effective.

Without the requisite data, security and monitoring tools can’t cover the entire network. There are blind spots where neither analytics tools nor human administrators can see what’s happening. This can lead to congestion and network outages—plus it can even give attackers enough cover to pull off a successful cyberattack.

These issues can be solved using a traffic aggregator or advanced features network packet broker. Network packet broker’s core functions are:

  1. They aggregate network traffic, taking data from multiple ports and streaming it to a single port (and subsequently a single device). This means that you don’t have to purchase multiple tools to cover multiple links.
  2. They filter network traffic, taking only the information specific to an individual tool and then directing it only to that tool. This helps your monitoring tool’s performance, by not getting overburdened by data.
  3. They load balance. For example, if you have 40G of traffic coming in and your appliance only supports 10G interfaces, your NPB can load balance the traffic across 4 x 10G interfaces into the appliance.


It’s true that data centers are handling more information than ever, but much of this information is redundant or uncompressed, especially for the purposes of your monitoring tools. NPBs have the capability to compress and deduplicate this data, giving monitoring tools only what they need to function. In addition, their port aggregation features obviate the necessity of purchasing multiple tools to cover increased data center traffic.

>> Aggregation - Adding Value Back Into Your Network and Maximize ROI [Free whitepaper]

What to Look For in a Packet Broker

Not all network packet brokers are created equal. If the NPB is oversubscribed and drops packets before they reach your monitoring tools, if it’s too complicated to set up and use easily, locks you in to endless license fees with limited flexibility or if it doesn’t incorporate proper visibility, then it doesn’t belong in your rack.

First of all, a NPB needs to be able to filter traffic intelligently. There’s a sliding scale of intelligence to consider. On one end, network administrators manually configure the NPB so that it sends one kind of traffic to the WAF, another kind of traffic to the SIEM, another type to IDS/IDP, and so on. In the middle of the scale, vendors include pre-written rules about what kind of traffic to send where. At the top of the scale, the appliance uses auto-discovery to find the tools already on the network and automatically determines where to send traffic.

More advanced NPB can reduce a large amount of manual effort. If you have a smaller data center, you may only need simple versions of the appliance, but your efforts may not scale well. In addition, more automated versions of the NPB will help you avoid the possibility of configuration mistakes that can slow down incident response.

Load balancing is another feature that administrators should be aware of. Basically, this means that a NPB should be able to take traffic coming in at high bandwidth and split it up so that lower-bandwidth appliances can monitor and process it. This has the effect of making your devices that much more survivable—if traffic increases suddenly, it can get spread out across multiple devices. Meanwhile, if a device fails, traffic can fail over to the remaining tools without forcing them to process dramatic rate increases.

One might not consider the user interface when shopping for an NPB, but the GUI is extremely important when it comes to managing its connections. Using a command line interface to manage and configure the NPB can be extremely inefficient, especially during traffic spikes, partial outages, and other emergency situations. A full graphical user interface with drag-and-drop controls is preferred in cases whether admins need to readjust packet flows.

 

Traffic Aggregator vs Advanced Features NPB

There are two main categories of network packet brokers. Traffic aggregators or Advanced aggregators perform the key packet broker tasks of aggregating, filtering, regenerating and load balancing the traffic delivered from network TAPs and SPAN ports. In most use cases, this functionality is all that is needed.

Next-generation network packet brokers (NGNPBs) or Advanced Features NPBs have recently emerged as a successor to the original devices that were introduced around 2012. The major difference between these devices and their predecessors is a new set of features.

  1. They can packet slice. If packets get dropped before reaching your security tools, then they’re useless for monitoring. Packet slicing reduces packets to only their most vital components, making it easier to store packets in memory and preventing dropped packets.
  2. They can deduplicate. Network traffic also can contain duplicate packets. Processing duplicate packets is a waste of resources. Advanced NPBs can natively deduplicate packets for faster throughput.
  3. They can perform time stamping. This means that you’ll know when each individual packet entered your network. If a packet comes in at the same time a problem starts to occur in your network, you’ll know to investigate that packet for potential problems.
  4. They can tunnel, using Generic Routing Encapsulation (GRE) or VXLAN protocols that aren’t native to your network to transport packets, taking suspect packets directly from the switch to an endpoint for further analysis.


Whether your network implements the more advanced capabilities of an Advanced Features NPB or a traffic aggregator is up to your needs and projected growth. What’s certain, however, is that every data center that needs to scale its capabilities to meet increasing traffic demands needs a network packet broker of some description in order for it to function in a secure and efficient manner.

Looking to add a packet broker to your deployment, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do.

Network Aggregation maximizes network visibility and optimize network packet broker ports

See Everything. Secure Everything.

Contact us now to secure and optimized your network operations
Contact Us

Heartbeats Packets Inside the Bypass TAP

If the inline security tool goes off-line, the TAP will bypass the tool and automatically keep the link flowing. The Bypass TAP does this by sending heartbeat packets to the inline security tool. As long as the inline security tool is on-line, the heartbeat packets will be returned to the TAP, and the link traffic will continue to flow through the inline security tool.

If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone off-line), the TAP will automatically 'bypass' the inline security tool and keep the link traffic flowing. The TAP also removes the heartbeat packets before sending the network traffic back onto the critical link.

While the TAP is in bypass mode, it continues to send heartbeat packets out to the inline security tool so that once the tool is back on-line, it will begin returning the heartbeat packets back to the TAP indicating that the tool is ready to go back to work. The TAP will then direct the network traffic back through the inline security tool along with the heartbeat packets placing the tool back inline.

Some of you may have noticed a flaw in the logic behind this solution!  You say, “What if the TAP should fail because it is also in-line? Then the link will also fail!” The TAP would now be considered a point of failure. That is a good catch – but in our blog on Bypass vs. Failsafe, I explained that if a TAP were to fail or lose power, it must provide failsafe protection to the link it is attached to. So our network TAP will go into Failsafe mode keeping the link flowing.

Glossary

  1. Single point of failure: a risk to an IT network if one part of the system brings down a larger part of the entire system.

  2. Heartbeat packet: a soft detection technology that monitors the health of inline appliances. Read the heartbeat packet blog here.

  3. Critical link: the connection between two or more network devices or appliances that if the connection fails then the network is disrupted.

NETWORK MANAGEMENT | THE 101 SERIES