Network Monitoring switches reduce the data load placed on the analyser and distribute data evenly among the monitoring tools.
Garland Technology’s FAB device is a network packet broker with filtering, aggregation and load balancing features, helping you to efficiently manage large data streams for monitoring purposes. Traditional network monitoring methods often connect analysers directly to data lines. This means the data is received unfiltered and then processed by the monitoring systems. This carries certain risks: when data volumes increase, the tools’ performance suffers and the analysis systems can no longer detect data accurately. SPAN ports are still frequently used to gather data, but they aren’t suitable for permanent monitoring. Even Cisco points out the risks of SPAN ports to their users.

For more information, please see our article about Network Taps.

Today, networks must be monitored for various reasons, including intrusion detection, classic error analysis, monitoring web performance and measuring application performance. The results are used for forensic analysis, compliance and security purposes.

It’s particularly important that monitoring systems only receive data from the network that’s needed for relevant analysis. If the data is forwarded unfiltered, then the analysis tool must accept any incoming data packets and process these, which is CPU intensive. This process requires expensive resources and negatively affects performance and analysis results.

With a network packet broker you insert another layer between the network and the monitoring system, and this layer filters the relevant network packets out of the data streams. The analysis systems then get less data and can concentrate fully on analysing relevant information. So, for example, all non-DNS packets are removed from the data streams to analyse DNS performance, resulting in a lighter load on the tools, which optimises the use of resources. This simple and precise method allows you to remove data packets from large data streams or filter them out, which results in improved monitoring quality.

Another feature of data monitoring switches like these is their dynamic and intelligent redistribution of data streams according to the load. The network packet broker gathers centrally collected data in its entirety and redistributes it evenly between the connected tools. For this purpose a monitoring group is set up and network data is sent to the group according to the criteria that are specified. So, for example, if 4 tools are assigned to a group, each will get about 25% of the total volume of data from the system. This also means you can map high availability scenarios. If any one tool fails, the remaining 3 monitoring systems each get 33% of the traffic and your network data remains in complete view. For load distribution to work automatically without any external intervention, the FAB must recognise network flows or sessions, otherwise the connected monitoring systems would only receive fragmented information and analysis wouldn’t work.

In order to recognise sessions, Garland Technology’s data monitoring switch is equipped with very advanced features, as you can see in the image below. In this case the network packet broker identifies flows based on the following criteria: source IP, destination IP, source port, destination port, MPLS labels and IPv6 addresses.

Load Balancing Criteria

A Load balancing scenario

Depending on the configuration and filter settings, all traffic is evenly distributed to load balancing group 1. The network packet broker makes sure that each tool gets the same amount of data, and in the example below, each monitoring tool would receive 25% of the data traffic. The session table and traffic volume are evaluated to ensure an equitable distribution.

If a monitoring tool is removed from the load-balancing group, or is removed from the switch for maintenance purposes, the network packet broker distributes the data among the remaining tools. In this example, the active analysis systems would each get approximately 33.3% of the traffic. Once the failed system is back online, normal load distribution is restored to all 4 tools. You’re proactively informed about such events through SNMP or Syslog, and load balancing takes place automatically without any intervention needed.
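The session-aware distribution and failover described above, sketched as an added example; it is not Garland Technology's implementation or configuration. It assumes a session table keyed on source/destination IP and port only (MPLS labels and IPv6 are left out) and a least-loaded assignment rule; the tool names and traffic are constructed.

```python
def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-independent session key, so request and reply share one entry."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)

class LoadBalancingGroup:
    def __init__(self, tools):
        self.load = {t: 0 for t in tools}   # active tool -> sessions assigned
        self.sessions = {}                  # flow key -> tool (session table)

    def _assign(self, key):
        tool = min(self.load, key=self.load.get)   # least-loaded active tool
        self.sessions[key] = tool
        self.load[tool] += 1
        return tool

    def forward(self, src_ip, src_port, dst_ip, dst_port):
        key = flow_key(src_ip, src_port, dst_ip, dst_port)
        return self.sessions.get(key) or self._assign(key)

    def remove_tool(self, tool):
        """Tool failed or is in maintenance: move its sessions to the others."""
        del self.load[tool]
        for key in [k for k, t in self.sessions.items() if t == tool]:
            self._assign(key)

    def restore_tool(self, tool):
        self.load[tool] = 0   # new sessions land here until the load evens out

    def shares(self):
        total = sum(self.load.values())
        return {t: round(n / total, 3) for t, n in self.load.items()}

def constructed_flows(n, first=0):
    """Constructed sample traffic: n distinct clients querying one DNS server."""
    return [(f"10.0.{i // 250}.{i % 250 + 1}", 40000 + i, "192.0.2.53", 53)
            for i in range(first, first + n)]

def run_demo():
    group = LoadBalancingGroup(["tool-1", "tool-2", "tool-3", "tool-4"])
    for flow in constructed_flows(1200):
        group.forward(*flow)
    normal = group.shares()              # 4 tools, 25% each
    group.remove_tool("tool-4")
    degraded = group.shares()            # 3 tools, about 33% each
    group.restore_tool("tool-4")
    for flow in constructed_flows(400, first=1200):
        group.forward(*flow)
    return normal, degraded, group.shares()
```

Because the key ignores direction, a reply packet is sent to the same tool as the request, which is what keeps each analyser's view of a session complete.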







You can, of course, create multiple load balancing groups and redistribute the network traffic you’re interested in. Using a network packet broker you can also sort all traffic from the input and/or output ports using specific filter criteria. You can then allocate a certain portion of your network traffic, for example, sending database traffic for analysis to load-balancing group 1 and everything else to load balancing group 2. You can also evenly distribute complete data across both load balancing groups. If you have 10G or 40G lines but your data volume is smaller than 5G, you can easily send your entire traffic to 1G analysis tools. If your total traffic is larger than 10G but you still want to monitor it with 1G tools you have the option to cut the payload by packet slicing or to sort the data in advance using filters. A network packet broker is very flexible and permits many different configurations. We’d like to show you how it works by either visiting your site or by giving you a remote demonstration. 





We are happy to advise you and look forward to hearing from you!
