There is no denying that the appetite for computing power is growing. Whether that computing capacity sits in a public cloud or a private cloud is a choice often influenced by economics, applications, security and other data governance issues. Regardless of where the applications are hosted, there is also a need to continuously monitor the data center infrastructure, along with the applications and the security threats that constantly arise from within and outside the data center. The modern network packet broker approach introduced by Big Switch Networks allows customers to bring pervasive visibility to all parts of the data center by:

  • Centralizing the tool farms using a visibility fabric of TAP and SPAN ports. This tool farm could have security tools, application performance monitoring tools or any other type of tools that provide visibility to the production traffic.
  • Managing the visibility fabric from a single point of control, using a modern approach built on an SDN controller.
  • Changing the economics of how visibility fabrics are designed by leveraging open networking switches (White Box or Brite Box) and allowing customers to tap and span every rack in the data center, which is not possible with current expensive and proprietary systems that limit how much traffic can be monitored.

Often, when people think of visibility fabrics or network packet brokers, they think of getting data from the production DC network (or any network, for that matter) and moving it efficiently to all the security and performance monitoring tools. Steering traffic to the right set of tools is the minimum an NPB needs to do. What is even more interesting is that once a visibility fabric or network packet broker has access to all this traffic, it can start to do important things beyond steering.

Enter Advanced Telemetry and Analytics with Big Monitoring Fabric (BMF)

By way of “brokering” the traffic between production data center pods and monitoring tools, network packet brokers occupy a unique place from which they can peer inside a lot of interesting traffic and start to build a graph of very useful data, such as the hosts within the network, the DHCP servers, the DNS servers and sFlow data. By doing that, the network packet broker or visibility fabric itself becomes another tool, one that provides value-added information operators find critical for debugging and monitoring their networks.

Host Tracking

The host tracking feature of Big Monitoring Fabric works by snooping on the ARP packets that arrive at BMF in the monitored traffic and mapping each host to the port it was seen on, building an inventory of all the hosts in the network. Some of the key information the host tracking feature can provide:

  • Tracks host’s IP ownership history
  • Tracks IP address spoofing
  • Tracks host’s movement
  • Tracks dead hosts & VMs if they have not been in use for a while.
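A sketch of how an inventory like this can be derived from ARP sender fields. This is an added example, not Big Monitoring Fabric's code; the observation tuples, port names, thresholds and event names are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed observations (not captured traffic): the sender MAC/IP fields of
# ARP packets plus the fabric ingress port they arrived on.
ARP_OBSERVATIONS = [
    (1800, "tap-rack1", "00:11:22:33:44:01", "10.0.0.10"),
    (1810, "tap-rack1", "00:11:22:33:44:02", "10.0.0.11"),
    (1820, "tap-rack2", "00:11:22:33:44:03", "10.0.0.12"),
    (2000, "tap-rack3", "00:11:22:33:44:02", "10.0.0.11"),  # same host, new port
    (2010, "tap-rack2", "02:00:00:00:00:99", "10.0.0.10"),  # second MAC claims .10
    (2020, "tap-rack1", "00:11:22:33:44:01", "10.0.0.10"),  # original owner again
]


def track_hosts(observations, now, conflict_window=600, stale_after=3600):
    """Return (ip_history, events, stale_macs) from ARP sender observations."""
    ip_history = defaultdict(list)  # ip -> [(first_seen, mac), ...] ownership changes
    ip_last = {}                    # ip -> (last_seen, mac) current claimant
    mac_port = {}                   # mac -> last ingress port
    last_seen = {}                  # mac -> last time seen anywhere
    events = []
    for ts, port, mac, ip in sorted(observations):
        prev = ip_last.get(ip)
        if prev is None or prev[1] != mac:
            ip_history[ip].append((ts, mac))
            if prev is not None:
                # Two MACs claiming one IP close together suggests a conflict or
                # spoofing; a change after a long silence looks like reassignment.
                recent = ts - prev[0] <= conflict_window
                kind = "ip_conflict" if recent else "ip_reassigned"
                events.append((kind, ip, prev[1], mac))
        ip_last[ip] = (ts, mac)
        if mac in mac_port and mac_port[mac] != port:
            events.append(("host_moved", mac, mac_port[mac], port))
        mac_port[mac] = port
        last_seen[mac] = ts
    stale = sorted(m for m, t in last_seen.items() if now - t > stale_after)
    return dict(ip_history), events, stale


if __name__ == "__main__":
    history, events, stale = track_hosts(ARP_OBSERVATIONS, now=5500)
    for event in events:
        print(event)
    print("stale:", stale)
```

An `ip_conflict` event is only a candidate for spoofing: a failover pair or a migrating VM produces the same pattern, so the ownership history is what lets an operator tell them apart.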

DNS/DHCP Server Tracking

Another data set that Big Monitoring Fabric captures and analyzes is the full set of DHCP and DNS transactions. This allows BMF to track all the DHCP and DNS servers in the network and present them to the operator. Network operators can then easily determine whether there are rogue DHCP/DNS servers in the network, or DNS servers that are not preferred but are still used by end customers.
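One way to turn observed DHCP replies into rogue-server findings, as an added example that is not BMF's implementation. It parses the standard DHCP options 53 (message type), 54 (server identifier) and 6 (DNS servers); the allowlists, addresses and the `build_reply` sample generator are assumptions.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
AUTHORIZED_DHCP = {"10.0.0.2"}   # assumption: operator-maintained allowlist
PREFERRED_DNS = {"10.0.0.53"}    # assumption: resolvers clients should be handed

def build_reply(msg_type, server_id, dns_servers):
    """Construct a minimal BOOTREPLY payload (sample data for this example)."""
    header = bytes([2, 1, 6, 0]) + bytes(232)  # op=2 (reply), rest of 236 bytes zeroed
    dns = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    opts = bytes([53, 1, msg_type])
    opts += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    opts += bytes([6, len(dns)]) + dns + b"\xff"
    return header + MAGIC_COOKIE + opts

def parse_options(payload):
    """Walk the option TLVs that follow the fixed header and magic cookie."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return opts

def audit_reply(payload):
    """Return findings for one server-to-client message (OFFER=2 or ACK=5)."""
    opts = parse_options(payload)
    if payload[0] != 2 or opts.get(53, b"\x00")[:1] not in (b"\x02", b"\x05"):
        return []
    findings = []
    if len(opts.get(54, b"")) == 4:
        server = str(ipaddress.IPv4Address(opts[54]))
        if server not in AUTHORIZED_DHCP:
            findings.append(("rogue_dhcp_server", server))
    dns = opts.get(6, b"")
    for off in range(0, len(dns) - len(dns) % 4, 4):
        resolver = str(ipaddress.IPv4Address(dns[off:off + 4]))
        if resolver not in PREFERRED_DNS:
            findings.append(("non_preferred_dns", resolver))
    return findings

if __name__ == "__main__":
    print(audit_reply(build_reply(2, "10.0.0.66", ["10.0.0.66", "10.0.0.53"])))
```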

sFlow Generation

Besides tracking hosts and DHCP- and DNS-related data, Big Monitoring Fabric also runs sFlow by default on the visibility fabric and can send flow information to an existing sFlow collector or to a BMF analytics virtual machine (more on that in a moment). Essentially, the visibility fabric can offload sFlow collection from the production DC fabric to the out-of-band visibility fabric.

Analytics Virtual Machine

Big Monitoring Fabric can collect information about hosts, DHCP servers and DNS servers, and can generate sFlow. Besides doing that in real time, it can also send this information to the BMF analytics virtual machine. The BMF analytics virtual machine is separate and independent from the BMF controller: it keeps collecting the data from the controller and provides a historic view of it, whereas the controller is responsible for the real-time view. Additionally, this VM can serve as an sFlow collector.

A very interesting use case for the BMF analytics VM is identifying traffic anomalies in the network. For example, if the network is slow at a specific time of day, a report can be generated from the sFlow data to look at the top talkers and figure out whether they are contributing to the slowness.

As an example, we can see that traffic spiked within a specific time window between two hosts as shown below.

 

In summary, Big Monitoring Fabric not only serves as a network packet broker but also provides vastly more intelligent services, enabling unprecedented levels of visibility into the data center, quicker time to resolution, and detection of security and traffic anomalies.

Here is a video demo of the BMF analytics.

Salman Zahid

Systems Engineering