Tool Optimization: Technical Brief




Benefits

- Extend the usage life of tools and avoid costly upgrades
- Increase the accuracy and results of data analysis
- Extend capacity of storage media by optimizing data streams
- Avoid oversubscription and maintain 00% visibility
- Improve utilization of tools across the organization

Introduction

Most companies already have many types of monitoring tools to oversee application and network performance, as well as specific tools to monitor various security measures throughout the network. But as network traffic continues to grow, driving network migration from G to 0G, 0G and beyond, how do companies know they have 00% visibility into all parts of the network? How do they utilize existing and new tools effectively while maintaining and reducing operational costs?

In addition, companies want to improve online user experiences, increase security to prevent damages from cyber-attack or data leakage, implement additional access control, and address regulatory compliance requirements. This creates further pressure to achieve 00% visibility of network traffic and to maximize tool utilization.

This ongoing pressure to save time and money, including expectations for better ROI from the current monitoring tools, while addressing the difficulty of staying ahead of production network traffic, usually results in purchasing additional very costly high bandwidth monitoring tools. The optimization of existing tools to obtain more utility from them is critical and top of mind for every CIO and network monitoring engineer.

Monitoring Tool Challenges

Here are some of the most common challenges that CIOs are facing:

- Ensuring all required packets from the network are delivered to the tool for analysis. A single tool connected directly to the production network is easily overloaded as the bandwidth is too much for the tool's NICs and processors. Another factor is that the tool sees all the data instead of just the data set the tool needs to analyze. Both factors result in oversubscription, lost packets, inefficient tool utilization and inaccurate analysis results.
- Solving SPAN port contention to allow connection of many different tools to the production network. In many cases, there are to 0 different types of tools that must be connected, each to address different issues and each with different requirements and data sets.
- Aggregating the data from many collection points across the network to deliver the data to the various tools for analysis. This in itself can cause oversubscription for the same reason outlined above, but also imposes a new challenge of delivering only the data set required for each tool to analyze.
- Reducing or eliminating duplicate packets that are inherently created by deploying a monitoring network. Depending on how many collection points there are in the network, duplicate packets can be the largest contributor to oversubscription and ineffective analysis.
- Scale and growth of monitoring tools to meet increasing traffic and the scope of the network. In many cases, an additional instance of a tool is required, or it may require faster processors, larger disk capacity and additional higher bandwidth NICs, all increasing investment and cost to maintain status quo.
- Conforming to Governance and Legal Compliance regulations such as HIPAA, LI, PCI, SOX, without massive costly upgrades to existing monitoring tools.
To address these concerns, a tool optimization program must include the following capabilities to achieve 00% visibility and to maximize the optimization of your tool set:

- Removal of duplicate packets to increase tool utilization and help reduce oversubscription.
- Filtering and distribution mechanisms to further decrease or eliminate tool oversubscription and deliver the correct data sets to each individual tool, increasing the accuracy of the analysis.
- Data rate and media type conversion (copper vs. various optical formats) capability, allowing the delivery of critical data to tools without compatibility concerns.
- Removal of confidential information from data streams to address compliance issues and allow for easy implementation of future regulatory mandates.
- Ability to load balance traffic, allowing 0G to multiple G tools.
- Intelligent aggregation and scalability to connect any data source to any tool instantly.
- Easy management of the monitoring network to decrease time to resolution and increase staff efficiency.

The biggest and quickest impact on tools is eliminating duplicate packets. Deduplication is highlighted as a top feature, but the other capabilities are still critical to maximize tool optimization and are discussed in less detail.

The Impact of Duplicate Packets

Duplicate packets create challenges for IT and security personnel, including monitoring tool oversubscription, false positives, and inaccurate performance reporting. It is estimated that network monitoring traffic can have up to as much as % duplicate packets, which can affect monitoring tools in the following ways:

Diminished Monitoring Port Bandwidth

- Production bandwidth is outpacing monitoring tool capacities.
- Decreased effective link bandwidth, causing port and tool oversubscription (e.g. a G monitoring interface can effectively monitor only 00 Mbps traffic if 0% of the traffic is duplicate packets).

Reduced Packet Capture Storage Capability

- Wasted storage due to duplicate packets (for example, data recorder time window reduced from to hours if 0% duplicate packets).
- Added incremental cost of storage to allow extended capture times, with little return on new analysis results.

Decreased Processing of Analyzer Tools

- Tools use up CPU and memory resources for deduplicating network traffic instead of performing analysis.
- A high percentage of duplicate traffic can overload the tool and can halt the analysis function.

Interference with Network Analysis and Troubleshooting

- Duplicate packets skew network statistics, causing a lack of precision in analysis.
- Session-aware tools do not work at all if there are duplicate packets in the data stream.

If there are multiple identical packets being provided by the network monitoring infrastructure, an analytics tool has to do more work to separate the true transactions from the duplicates. The tool becomes less effective, essentially costing more, and additional tools must be purchased to analyze the same volume of traffic just to maintain status quo.

It is important to note, however, that an identical packet is not necessarily exactly the same bit for bit. For example, layer information (MAC, VLAN) may change as the packet traverses the network, but the remainder of the packet from layer upwards is identical. In some cases, defining packets as duplicate even when the layer header information is different, such as TTL, is critical. Therefore, any deduplication solution must have configurable parameters to define duplicate packets for different monitoring scenarios.

The following diagram is an example of just such a scenario. When an application server is communicating with a database server in a different zone, the traffic will traverse the network through different uplinks in the aggregation layer of a typical -tier data center architecture. If all those links are being tapped and aggregated together, the same packets in this example will each be captured twice, as indicated by the highlighted red tap points.

[Figure: Multiple identical packets traversing the network infrastructure. Diagram labels: production network with core, distribution and access/ToR layers; tap points on the uplinks; SPAN from all access switches; application server; database server.]

For more information on duplicate packets, please download APCON's technical brief Eliminate Duplicate Packets to Drive Network Monitoring Efficiency.
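The configurable duplicate definition described above (ignore MAC and VLAN changes, optionally ignore TTL, within a time window) can be sketched as follows. This is an added example, not APCON's implementation; the function names, the 50 ms window, the IPv4-only parsing and the sample frames are assumptions constructed for illustration.

```python
import hashlib
import struct
from collections import OrderedDict

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100

def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src_mac, dst_mac, vlan, ttl, payload):
    """Constructed sample frame: Ethernet [+ 802.1Q tag] + IPv4 header + payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                                0, ttl, 17, 0, bytes([10, 0, 1, 5]), bytes([10, 0, 2, 9])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    tag = struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b""
    return dst_mac + src_mac + tag + struct.pack("!H", ETH_IPV4) + bytes(hdr) + payload

def l3_packet(frame: bytes) -> bytes:
    """Drop the MAC addresses and any stacked VLAN tags; return the IPv4 packet."""
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype == ETH_VLAN:
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype != ETH_IPV4:
        raise ValueError("this example only parses IPv4")
    return frame[offset + 2:]

def dedup_key(frame: bytes, ignore_ttl: bool) -> bytes:
    ip = bytearray(l3_packet(frame))
    if ignore_ttl:
        ip[8] = 0                  # TTL is decremented at every routed hop
        ip[10:12] = b"\x00\x00"    # header checksum changes whenever TTL does
    return hashlib.sha256(bytes(ip)).digest()

class Deduplicator:
    """Forward a packet unless an equal one was seen within window_s seconds."""
    def __init__(self, window_s: float, ignore_ttl: bool = False):
        self.window_s, self.ignore_ttl = window_s, ignore_ttl
        self._seen = OrderedDict()  # key -> first-seen time, oldest entry first

    def accept(self, ts: float, frame: bytes) -> bool:
        # Expire entries older than the window (input must be time-ordered).
        while self._seen and ts - next(iter(self._seen.values())) > self.window_s:
            self._seen.popitem(last=False)
        key = dedup_key(frame, self.ignore_ttl)
        if key in self._seen:
            return False
        self._seen[key] = ts
        return True

def run_sample(ignore_ttl: bool):
    mac = lambda n: bytes([2, 0, 0, 0, 0, n])
    capture = [  # constructed capture of one packet seen at several points
        (0.0000, build_frame(mac(1), mac(2), 10, 64, b"SELECT 1")),    # first tap
        (0.0002, build_frame(mac(3), mac(4), 20, 64, b"SELECT 1")),    # second tap: new MAC/VLAN
        (0.0004, build_frame(mac(5), mac(6), None, 63, b"SELECT 1")),  # after a routed hop
        (0.0010, build_frame(mac(1), mac(2), 10, 64, b"SELECT 2")),    # a different packet
        (0.5000, build_frame(mac(1), mac(2), 10, 64, b"SELECT 1")),    # outside the window
    ]
    dedup = Deduplicator(window_s=0.050, ignore_ttl=ignore_ttl)
    return [dedup.accept(ts, frame) for ts, frame in capture]

if __name__ == "__main__":
    print("strict:    ", run_sample(False))
    print("ignore TTL:", run_sample(True))
```

The third frame shows why the parameter matters: with a strict definition the copy taken after a routed hop reaches the tool a second time, while the TTL-insensitive definition drops it.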

How Does APCON Help With Tool Optimization

APCON's intelligent monitoring switches and taps directly address the issues of connecting multiple tools to a production network and simplify the architecture to allow 00% visibility. Moreover, APCON switches can fully optimize monitoring tool utilization. With advanced services such as deduplication, time stamping, load balancing, trunking, advanced ingress filtering, and easy to use web-based GUI provisioning, APCON's flexible and highly available monitoring solution can solve the most complex monitoring challenges. APCON solutions have been deployed by some of the largest telecom, financial, banking, and governmental entities in the world.

Outlined below are some of the capabilities of APCON's monitoring solution and how they can help tool utilization and reduce the complexities of modern network monitoring.

Packet Deduplication

We have discussed how duplicate traffic is generated and the negative impact duplicate traffic has on tools. With APCON packet deduplication, the analytic tools can operate at their peak efficiency. With no duplicated packets presented to the tool, wasted processing cycles are eliminated. This results in a more reliable, accurate and precise analysis, maximizing the tool since it receives only the data it needs to analyze. With one of the largest deduplication time windows in the industry and configurable settings, APCON makes it easy to define exactly what constitutes a duplicated packet.

Intelligent Traffic Distribution with Multi Stage Filtering

The ability to send the right information to the right tool optimizes system performance and provides the best intelligence and clarity. APCON provides Multi Stage Filtering (MSF), which goes beyond simple ingress and egress traffic filtering. MSF provides diverse benefits, depending on how it is used. Many of the benefits fall into the following categories:

- Intelligent Traffic Distribution: MSF can filter incoming packets on the aggregation connections, thereby controlling the correct types of traffic that go to specific tools. This can optimize the tool performance, as each tool now sees only the traffic that it is expecting and nothing else. MSF greatly enhances tool performance and also maximizes effective throughput and analysis capability.
- Provide Bandwidth Control: Since MSF is forwarding only the needed traffic to each tool, you can eliminate oversubscription and achieve zero packet loss on the egress ports even if the connection is coming from a high bandwidth 0G or 0G ingress port and going to a low bandwidth G egress port. Similarly, an aggregation connection from multiple ingress ports can be filtered and the data distributed among several egress ports. MSF is infinitely flexible and delivers the ability to finely tune traffic to avoid oversubscribing egress port and tool capabilities.

In addition to the intelligent traffic distribution capabilities, MSF can be used with the native port tagging and load balancing features that come with all APCON switches at no additional cost. This feature can further enhance analysis functionality and traffic load management.

Packet Slicing

Many network monitoring tools analyze only the layer, layer and sometimes part of layer information in an IP packet. Tools either do not store the packet payload, or have no capability to view the packet contents beyond the header or a specific location within the packet. Despite those limitations, tools must still manage the entire packet, which creates an unnecessary load, in turn requiring sufficient processing resources and NICs to handle the volume of data. By removing payload data from packets and leaving only the header information, the network monitoring switch can send more data across a given link to the tool. The tool receives more condensed network data for analysis, increasing efficiency and utilization.

Another benefit of packet slicing is in regulatory compliance. Legislation such as HIPAA, PCI and others demand data confidentiality, and stripping sensitive payload data from packets before they go to monitoring tools ensures that this sensitive data is not stored outside secure boundaries.

APCON's packet slicing can be performed on every port, either at ingress or egress. This creates flexibility in configuring your packet slicing solution. The ability to slice on either ingress or egress allows sharing of the packet payload with other tools by slicing at egress, or you can fully optimize your traffic through the switch by slicing on ingress.

[Figure: Packet slicing. Aggregated access-layer traffic passes through the APCON switch to a monitoring tool. Frame layout before packet slicing: Dest, Src, VLAN Tag, Ether Type, IP Header, IP Data, FCS CRC. After packet slicing: the same fields without IP Data. Caption: The solution to exploding network traffic volume is to effectively reduce the monitored data to just that portion that is required for analysis.]

Many tools require only packet header information, and in some cases the actual packet payload information may be confidential, and storing that data may present a security risk. APCON's packet slicing feature provides customers the ability to specify the packet slice length for ingress or egress ports, in effect reducing the packet size and providing security. While the benefit of reducing the packet size is clear, the removal of private information can be essential.

Load Balancing

Performing load balancing at the switch level prevents network traffic growth from overwhelming monitoring tools. APCON load balancing prevents oversubscription and packet loss, for example when monitoring 0G traffic with G tools. Load balancing distributes traffic across multiple monitor ports. Up to eight monitor ports can be configured to share traffic, with their output approximately evenly distributed throughout the load balanced group.

- L/L/L adjustable hashing algorithm: allows users to configure which layer of information is included in the hashing when distributing traffic to a load balanced group.
- Automatic redistribution: when a loss of connection is detected, the traffic is automatically redistributed to the remaining ports of the load balanced group.

APCON load balancing provides the following additional features to meet various load balancing requirements:

APCON load balancing can reduce the bandwidth to an individual monitoring tool such that 0G or higher traffic can be monitored with an existing G tool. It also allows a 0G interface tool to monitor traffic higher than 0G by load balancing the traffic to multiple 0G interfaces on the same system or on different systems. In addition, load balancing helps increase the processing power of the capture tool by distributing the traffic to multiple systems, such as those for SSL decryption requirements.

Output from the load balanced group is designed to maintain packet order within any given conversation, as well as to guarantee a consistent output port for any single conversation. This ensures that a packet sniffer or other monitoring tool will see every packet of a given conversation.

[Figure: Load balancing. Aggregated SPAN traffic enters the APCON switch and is load balanced across monitoring tool ports. Caption: Load balancing distributes the workload, optimizes tool resources, maximizes throughput, minimizes response time, and prevents oversubscription and packet loss.]
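The load balancing properties listed above (selectable hash layers, one consistent port per conversation, redistribution when a port is lost) can be illustrated with a direction-independent flow hash. This is an added example, not APCON's algorithm: rendezvous hashing is swapped in as one way to get these properties, and the class, port names and packet fields are assumptions constructed for illustration.

```python
import hashlib

# Which packet fields each selectable layer contributes to the hash (assumed names).
LAYER_FIELDS = {
    "l2": ("src_mac", "dst_mac"),
    "l3": ("src_ip", "dst_ip"),
    "l4": ("src_port", "dst_port"),
}

def flow_key(pkt: dict, layers) -> bytes:
    """Build a key that is identical for both directions of a conversation."""
    src = "|".join(str(pkt[LAYER_FIELDS[l][0]]) for l in sorted(layers))
    dst = "|".join(str(pkt[LAYER_FIELDS[l][1]]) for l in sorted(layers))
    lo, hi = sorted([src, dst])       # order the endpoints, not the direction
    proto = pkt["proto"] if "l4" in layers else ""
    return f"{lo}>{hi}>{proto}".encode()

class LoadBalancedGroup:
    MAX_PORTS = 8  # the brief states up to eight monitor ports per group

    def __init__(self, ports, layers=("l3", "l4")):
        if not 1 <= len(ports) <= self.MAX_PORTS:
            raise ValueError("a group holds between 1 and 8 monitor ports")
        self.active = list(ports)
        self.layers = frozenset(layers)

    def link_down(self, port: str) -> None:
        """Loss of connection: remove the port so its flows are redistributed."""
        self.active.remove(port)

    def egress_port(self, pkt: dict) -> str:
        # Rendezvous hashing: score every active port for this flow and take the
        # highest. Removing a port only moves the flows that were assigned to it.
        key = flow_key(pkt, self.layers)
        return max(self.active,
                   key=lambda p: hashlib.sha256(key + b"#" + p.encode()).digest())

def reverse(pkt: dict) -> dict:
    swapped = dict(pkt)
    for a, b in LAYER_FIELDS.values():
        if a in pkt:
            swapped[a], swapped[b] = pkt[b], pkt[a]
    return swapped

def simulate():
    """Constructed traffic: 200 client conversations to one database server."""
    group = LoadBalancedGroup(["mon1", "mon2", "mon3", "mon4"], layers=("l3", "l4"))
    flows = [{"src_ip": f"10.0.1.{i}", "dst_ip": "10.0.2.9",
              "src_port": 40000 + i, "dst_port": 5432, "proto": "tcp"}
             for i in range(1, 201)]
    before = [group.egress_port(f) for f in flows]
    symmetric = all(group.egress_port(reverse(f)) == p for f, p in zip(flows, before))
    group.link_down("mon3")
    after = [group.egress_port(f) for f in flows]
    return before, after, symmetric

if __name__ == "__main__":
    before, after, symmetric = simulate()
    moved = sum(b != a for b, a in zip(before, after))
    print(f"both directions on one port: {symmetric}; flows moved after link loss: {moved}")
```

Hashing both directions to the same port is what lets a session-aware tool see a whole conversation; a hash over the raw source and destination order would split requests and replies across tools.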

Switch Management

APCON's TITAN provides a single, centralized point of switch management for network monitoring in a multi-switch environment. With TITAN EP, you can share expensive analysis devices throughout your network. It also allows you to manage all of your data sources and tools for maximum efficiency. Connections between any data source and any tool are made conveniently and instantly from your desktop, and locked in place for the duration of your monitoring session.

To help with tool optimization, TITAN allows you to review the use of every monitoring tool or other network device in the inventory and understand where, when and by whom it is being utilized.

Conclusion

When properly implemented, a network traffic optimization strategy increases the performance of all your monitoring tools and the productivity of your IT staff. APCON intelligent network monitoring switches with Multi Stage Filtering, packet deduplication, packet slicing and load balancing offload compute-intensive tasks from monitoring tools, so that each tool runs better and produces more of the work it was designed for. This in turn reduces capital expenditures by breathing new life into existing tools, can decrease time to resolution, and ensures 00% visibility.

About APCON

APCON develops innovative, scalable technology solutions to enhance network monitoring, support IT traffic analysis, and streamline IT network management and security. APCON is the industry leader for state-of-the-art IT data aggregation, filtering, and network switching products, as well as leading-edge management-software support. Organizations in over 0 countries depend on APCON network infrastructure solutions. Customers include Global Fortune 00 companies, banks and financial services institutions, telecommunication service providers, government and military, and computer equipment manufacturers.

Contact Us

Please email sales@apcon.com or call 0 00 if you have any questions.