Network Monitoring switches reduce the data load to the analyzer and distribute the amounts of data evenly among the monitoring tools to

Network Monitoring switches reduce the data load placed on the analyser and distribute data evenly among the monitoring tools.

Garland Technology’s FAB device is a network packet broker with filtering, aggregation and load balancing features, helping you to efficiently manage large data streams for monitoring purposes. Traditional network monitoring methods often connect analysers directly to data lines. This means the data is received unfiltered then processed by the monitoring systems. This carries certain risks since when data volumes increase the tools’ performance suffers and analysis systems can no longer detect data accurately. SPAN ports are still frequently used to gather data but they aren’t suitable for permanent monitoring. Even Cisco points out the risks of SPAN ports to their users.

For more information, please see our article about Network Taps.

Today, networks must be monitored for various reasons, including intrusion detection, classic error analysis, monitoring web performance and measuring application performance. The results are used for forensic analysis, compliance and security purposes.

It’s particularly important that monitoring systems only receive data from the network that’s needed for relevant analysis. If the data is forwarded unfiltered, then the analysis tool must accept any incoming data packets and process these, which is CPU intensive. This process requires expensive resources and negatively affects performance and analysis results.

Using a network packet broker you can switch to another layer between the network and the monitoring system and can filter relevant network packets from data streams. This method means the analysis systems get less data and can concentrate fully on analysing relevant information. So, for example, all non-DNS packets are removed from the data streams to analyse DNA performance, resulting in a lighter load on the tools, which optimises the use of resources. This simple and precise method allows you to remove data packets from large data streams or filter them out, which results in improved monitoring quality.

Another feature of data monitoring switches like these is their dynamic and intelligent redistribution of data streams according to the load. The network packet broker gathers centrally collected data in its entirety and redistributes it evenly between the connected tools. For this purpose a monitoring group is set up and network data is sent to the group according to the criteria that’s specified. So, for example, if 4 tools are assigned to a group, each will get about 25% of the total volume of data from the system. This also means you can map high availability scenarios. If any one tool fails the remaining 3 monitoring systems get 33% of the traffic and your network data remains in complete view. For load distribution to work automatically without any external intervention, the FAB network flows or sessions must recognise this, otherwise the connected monitoring systems would only receive fragmented information and analysis wouldn’t work.

In order to recognise sessions, Garland Technology’s data monitoring switch is equipped with very advanced features, as you can see in the image below. In this case the network packet broker identifies flows based on the following criteria; Source IP, Destination IP, Source Port, Destination Port, MPLS labels and IPv6 addresses.

Load Balancing Criteria

A Load balancing scenario

Depending on the configuration and filter settings, all traffic is evenly distributed to load balancing group 1. The network packet broker makes sure that each tool gets the same amount of data, and in the example below, each monitoring tool would receive 25% of the data traffic. The session table and traffic volume are evaluated to ensure an equitable distribution.

If a monitoring tool from the load-balanced group is removed for maintenance purposes by the switch, the network packet broker distributes the data according to the remaining tools. In this example, active analysis systems would each get approximately 33,3% of the traffic. Once the failed system is back online, normal load distribution is restored to all 4 tools. You’re proactively informed about such events through SNMP or Syslog and load balancing takes place automatically without any intervention needed.

Of course, you can create multiple load balancing groups and redistribute network traffic according to your interests. Another option is the Network Packet Broker, which allows you to sort out all traffic at the input port and / or at the output port with filter rules. Thus, you might want a certain portion of your network traffic, e.g. Database traffic for analysis to load balancing group 1 and everything else to LB group 2. It is also possible to distribute the complete data to both LB groups at the same time. If you have 10G or 40G lines but the data volume is less than 5G, you can easily distribute your entire data traffic redundantly to 1G analysis tools. If your total traffic is larger than 10G, and you still want to monitor it with 1G Tools, you have the option to cut the payload by packet slicing or filter the data by filter first. The Network Packet Broker is very flexible and allows a lot of configurations, which we would be happy to show you on the spot or also remote.

We are happy to advise you and look forward to