The Why and How of a Two-Tier Network Monitoring Topology

As data centers upgrade to 100Gbps at an accelerating pace to support the demand for speed and high-performance workloads, they need to maintain visibility into, and security of, their networks during and after the process to prevent bottlenecks and threats. However, many security and performance tools cannot ingest data at 100Gbps, leaving blind spots that can be exploited by cybercriminals. Visibility gaps also increase the time and effort required to troubleshoot and maximize performance. To ensure end users have an excellent experience, the best practice is to make sure the monitoring plane has this capability before upgrading the data plane to 100Gbps.

One way for enterprises to efficiently connect to these data rates is to use a two-tier monitoring topology. Let’s discuss when this approach is appropriate and how to implement it.

Why Enterprises Should Use a Two-Tier Monitoring Topology

A two-tier observability topology will benefit the enterprise in several ways, especially when many network ports are being monitored. The main benefits are:

  • Isolate the core network from the tools/tool rails so that the packet brokers can deliver the right data at the right data rate.
  • Optimize costs by separating packet acquisition and aggregation from packet delivery. This enables IT departments to put packet processing power where it is needed.

Isolating the core network from the tools/tool rails gives IT greater freedom to upgrade the core network somewhat independently. Tools tend to be upgraded in a staggered fashion over time as vendors bring their respective tools to the latest versions. Separating them from the core network allows IT to accommodate this without delaying core network upgrades.

Much of the advanced processing for the packet handling functions listed below is performed on the side facing the receiving devices (i.e., the tools/tool rails). User-controlled packet sizing and allocation also extends the life of the tools and the investment in them. Real-time packet processing enables the user to control packet sizing and allocation, so the receiving devices operate at maximum efficiency by receiving exactly the data they need.

Packet processing is characterized by delivering the right data to the right tool at the right data rate, including:

  • Data deduplication
  • Filtering
  • Copying
  • Load balancing
  • Data rate adjustment
  • Splicing
  • Stripping

How to create one

Now that the benefits of deploying a two-tier network packet observation plane are clear, here is how to build one, as shown in the following figure.

As you can see from the diagram, two Network Packet Brokers (NPBs) are used: one for "aggregation", which collects packets from the TAPs and SPAN ports, and one for "distribution". Typically, the number of ports to be observed/monitored exceeds the number of ports to which packets are delivered. Aggregation-level packet brokers typically have fewer features and more input and output ports, which makes them the cost-effective choice for acquisition. Distribution-level packet brokers have more features and therefore cost more; they also tend to have fewer input and output ports, which is why they are deployed less frequently.

Ideally, network packet capture should be performed at data rates up to 100Gbps. Because each hop adds skew to performance data, it is best to observe this information as close to the source as possible. Another ideal capability of aggregation-class packet brokers is therefore to add high-resolution time information (e.g., timestamps) to incoming packets, as well as to observe performance metrics such as microbursts. Aggregation brokers are aptly named because they do more than just copy and forward packets: they actually aggregate packets, reducing the number of packet flows. This makes it possible to use distribution-class packet brokers with fewer input and output ports. Depending on the networks involved and the needs of IT, aggregation-class packet brokers can also deliver packets directly to other destinations, such as capture-to-disk solutions. However, distribution-class packet brokers perform the majority of packet delivery.
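The division of labour described above can be modelled in a few lines. This is an added example, not code from the article or from any packet broker vendor: the function names, the 50 ms deduplication window, the tool names and the sample packets are all assumptions made for illustration.

```python
import hashlib
import zlib
from collections import OrderedDict

DEDUP_WINDOW_NS = 50_000_000  # assumed 50 ms duplicate-suppression window

def pkt(ts_ns, src, sport, dst, dport, payload, ip_id, proto="tcp"):
    return dict(ts_ns=ts_ns, src=src, sport=sport, dst=dst, dport=dport,
                proto=proto, ip_id=ip_id, payload=payload)

# Constructed sample: one session seen at two TAPs; ts_ns is the ingest timestamp
TAP_A = [pkt(1000, "192.0.2.10", 40000, "198.51.100.5", 443, b"hello", 1),
         pkt(3000, "198.51.100.5", 443, "192.0.2.10", 40000, b"reply", 7)]
TAP_B = [pkt(1500, "192.0.2.10", 40000, "198.51.100.5", 443, b"hello", 1),
         pkt(2000, "192.0.2.11", 53000, "198.51.100.9", 53, b"query", 3, "udp")]

def aggregate(feeds):
    """Aggregation tier: merge feeds by timestamp, drop copies seen on another TAP."""
    merged = sorted((p for f in feeds for p in f), key=lambda p: p["ts_ns"])
    seen, out = OrderedDict(), []  # digest -> first-seen timestamp
    for p in merged:
        ident = (p["src"], p["sport"], p["dst"], p["dport"], p["proto"],
                 p["ip_id"], p["payload"])
        digest = hashlib.sha256(repr(ident).encode()).digest()
        while seen and next(iter(seen.values())) < p["ts_ns"] - DEDUP_WINDOW_NS:
            seen.popitem(last=False)  # expire entries older than the window
        if digest not in seen:
            seen[digest] = p["ts_ns"]
            out.append(p)
    return out

def flow_key(p):
    """Direction-independent 5-tuple: both halves of a session hash alike."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (p["proto"],) + (a + b if a <= b else b + a)

def distribute(packets, tools, keep):
    """Distribution tier: filter, then load-balance per flow across tools."""
    lanes = {t: [] for t in tools}
    for p in packets:
        if keep(p):
            idx = zlib.crc32(repr(flow_key(p)).encode()) % len(tools)
            lanes[tools[idx]].append(p)
    return lanes

if __name__ == "__main__":
    lanes = distribute(aggregate([TAP_A, TAP_B]), ["ids-1", "ids-2"],
                       lambda p: p["proto"] == "tcp")
    print({t: len(v) for t, v in lanes.items()})
```

The symmetric flow key matters for security tools: a sensor that receives only one direction of a session cannot reassemble it, so per-packet round-robin would create exactly the blind spots the topology is meant to remove.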

Divide and conquer

Applying the right network packet broker features, capabilities, and port density where they are needed is a cost-effective way to segment visibility requirements into two tiers.

This is the “why” and “how” of a two-tier network monitoring topology. Since network-centric visibility is critical, IT departments should ensure that their visibility is not compromised when upgrading the core network or tools. A two-tier topology provides the freedom to independently upgrade the core network and various security and performance tools.
