Large-Scale Passive Monitoring using SDN

Similar documents
Large-Scale Passive Network Monitoring using Ordinary Switches

Microsoft s Demon Datacenter Scale Distributed Ethernet Monitoring Appliance

Packet Optimization & Visibility with Wireshark and PCAPs. Gordon Beith Director of Product Management VSS Monitoring

Open SDN for Network Visibility

OpenFlow and Software Defined Networking presented by Greg Ferro. OpenFlow Functions and Flow Tables

Enhancing Cisco Networks with Gigamon // White Paper

How To Orchestrate The Clouddusing Network With Andn

Cisco IOS Flexible NetFlow Technology

SolarWinds Certified Professional. Exam Preparation Guide

Affording the Upgrade to Higher Speed & Density

SDN. WHITE PAPER Intel Ethernet Switch FM6000 Series - Software Defined Networking. Recep Ozdag Intel Corporation

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Testing Software Defined Network (SDN) For Data Center and Cloud VERYX TECHNOLOGIES

Scalable Network Monitoring with SDN-Based Ethernet Fabrics

Network Management and Monitoring Software

Scalable Network Monitoring with SDN-Based Ethernet Fabrics

Question: 3 When using Application Intelligence, Server Time may be defined as.

Distributed Monitoring Pervasive Visibility & Monitoring, Selective Drill-Down

Network Security TCP/IP Refresher

Flow Analysis Versus Packet Analysis. What Should You Choose?

CS 91: Cloud Systems & Datacenter Networks Networks Background

Software-Defined Networking for the Data Center. Dr. Peer Hasselmeyer NEC Laboratories Europe

Observer Probe Family

Technical Bulletin. Enabling Arista Advanced Monitoring. Overview

DeltaV System Health Monitoring Networking and Security

NetFlow: What is it, why and how to use it? Miloš Zeković, ICmyNet Chief Customer Officer Soneco d.o.o.

Cisco Certified Network Associate Exam. Operation of IP Data Networks. LAN Switching Technologies. IP addressing (IPv4 / IPv6)

VXLAN: Scaling Data Center Capacity. White Paper

Software Defined Networking (SDN) - Open Flow

Cloud Networking Disruption with Software Defined Network Virtualization. Ali Khayam

Introduction to the Mobile Access Gateway

Ensuring end-user quality in NFV-based infrastructures

Ten Things to Look for in an SDN Controller

Administrator Guide. CA Multi-Port Monitor. Version 10.2

Enabling Visibility for Wireshark across Physical, Virtual and SDN. Patrick Leong, CTO Gigamon

VSS - Game Changing Technology

An Overview of OpenFlow

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

Towards Smart and Intelligent SDN Controller

Flow processing and the rise of the middle.

OpenDaylight Project Proposal Dynamic Flow Management

Cisco Network Analysis Module Software 4.0

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

RUGGEDCOM NMS. Monitor Availability Quick detection of network failures at the port and

Enhancing Cisco Networks with Gigamon // White Paper

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Understanding OpenFlow

Network Monitoring and Traffic CSTNET, CNIC

Why Software Defined Networking (SDN)? Boyan Sotirov

Network Management Deployment Guide

Net Optics Learning Center Presents The Fundamentals of Passive Monitoring Access

CloudLink - The On-Ramp to the Cloud Security, Management and Performance Optimization for Multi-Tenant Private and Public Clouds

Masters Project Proxy SG

How To Make A Vpc More Secure With A Cloud Network Overlay (Network) On A Vlan) On An Openstack Vlan On A Server On A Network On A 2D (Vlan) (Vpn) On Your Vlan

Ranch Networks for Hosted Data Centers

IP SLAs Overview. Finding Feature Information. Information About IP SLAs. IP SLAs Technology Overview

Choosing Tap or SPAN for Data Center Monitoring

Any-to-any switching with aggregation and filtering reduces monitoring costs

Outline. Institute of Computer and Communication Network Engineering. Institute of Computer and Communication Network Engineering

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

Wireshark Developer and User Conference

Integration with CA Transaction Impact Monitor

"Charting the Course...

High Availability. PAN-OS Administrator s Guide. Version 7.0

The Nexpose Expert System

Application Performance Analysis and Troubleshooting

Network Virtualization Based on Flows

基 於 SDN 與 可 程 式 化 硬 體 架 構 之 雲 端 網 路 系 統 交 換 器

End-to-End Network Centric Performance Management

Software Defined Networking What is it, how does it work, and what is it good for?

Whitepaper Unified Visibility Fabric A New Approach to Visibility

Network Packet Monitoring Optimizations in Data Centre

Scalable and Reliable control and Management for SDN-based Large-scale Networks. CJK CFI

Ensuring end-user quality in NFV-based infrastructure

Smart Network Access System SmartNA 10 Gigabit Aggregating Filtering TAP

Latency Analyzer (LANZ)

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

OpManager MSP Edition

Software Defined Networks

Cisco Certified Security Professional (CCSP)

McAfee Network Security Platform Administration Course

Open Source in Network Administration: the ntop Project

DMZ Network Visibility with Wireshark June 15, 2010

MANAGED SHAREPOINT SOLUTIONS

Are Duplicate Packets Interfering with Network Monitoring? White Paper

Networking and High Availability

IPv6 Transport Support and Market Segmentations

RAVEN, Network Security and Health for the Enterprise

Visibility in the Modern Data Center // Solution Overview

Overview - Using ADAMS With a Firewall

How To Learn Cisco Cisco Ios And Cisco Vlan

Creating Overlay Networks Using Intel Ethernet Converged Network Adapters

Observer Probe Family

OVERLAYING VIRTUALIZED LAYER 2 NETWORKS OVER LAYER 3 NETWORKS

IBM. Vulnerability scanning and best practices

Current Trends of Topology Discovery in OpenFlow-based Software Defined Networks

Overview - Using ADAMS With a Firewall

SILVER PEAK ACCELERATION WITH EMC VSPEX PRIVATE CLOUD WITH RECOVERPOINT FOR VMWARE VSPHERE

Diagnosing the cause of poor application performance

Transcription:

Global Foundation Services C# DATA CENTERS NETWORK S SERVERS ENERG Y SOFTWARE SECURIT Y Large-Scale Passive Monitoring using SDN Mohan Nanduri mnanduri@microsoft.com Justin Scott juscott@microsoft.com Onur Karaagaoglu onurka@microsoft.com

What is this about?

Why? Exonerate network quickly, reduce MTTR and MTTM Lack of ability to data mine telemetry data at the network layer Reduce operations engagement to troubleshoot service Multi-tenant offering Solution that s on-demand and always available Provides large-scale tap aggregation leveraging commodity hardware

Hyper Scale Thousands of 10G links per Data Center Cost makes it a non-starter with commercial solutions

Prior Attempts Capture-Net Off the shelf aggregation gear, was too expensive at scale Resulted in lots of gear gathering dust Operations not mature enough to back such a solution PMA/PUMA Passive Measurement Architecture Lower cost than Capture-net Designed for a specific environment and not intended to scale Extremely feature rich Stuck with shuffling sniffers around

NOT THE END Just took a step back

What Features Make Up a Packet Broker? Terminates taps Match on a 5-tuple Duplication Packets unaltered Low Latency Statistics Layer 7 packet inspection Time stamps Frame Slicing Microburst detection 80% 20% Merchant Silicon Requires specialized Hardware

Reverse Engineering Packet Broker MUX backplane Filter Ports Service (pre-filter, de-duplication of data) Service! Service! Timestamps,DPI,etc Delivery Ports (data duplication and delivery) Delivery

Architecture

Architecture Overview Monitor Ports r Filter MUX r Filter Service Service OF Controller Delivery Tools DEMon System

Filter Layer Monitor Ports Filter Filter e e Terminates all monitor ports Drops all traffic by default De-duplication of data if needed Aggressive sflow exports

MUX Layer Monitor Ports fr MUX Aggregates all filter switches in a data center Directs traffic to either service nodes or delivery interfaces Enables service chaining per policy

Service Layer monitor ports r Service Service Aggregated by MUX layer Flows are sent through services nodes to perform extended functions Resulting flows are sent back to the delivery switch and then to tools Some Applications: Deeper (layer 7) filtering Time stamping Microburst detection Traffic Ratio s (SYN/SYNC ACK) Frame slicing (64, 128 and 256 byte) Payload removal for compliance Rate limiting

Delivery Layer monitor ports r mux r Delivery tooling 1:N and N:1 delivery to duplication of data Delivery to local or tunnel traffic to remote tools

SDN Controller OpenFlow 1.0 based Discovers topology via LLDP Roles of each layer are assigned and discovered automatically

Controller policy demo description Ticket 12345689 1 match tcp dst-port 80 2 match tcp src-port 80 filter-interface 1_2 filter-interface 1_1 filter-interface 2_1 filter-interface 2_2 delivery-interface Capture_server_NIC_1 use-service tcp_trunk_1 sequence 1 action forward

Use Cases and Examples

Reactive Split the network into investigation domains Quickly exonerate or implicate a network segment Verify TCP intelligent network appliance are operating as expected

Proactive Monitoring Relying sole on SNMP polling and syslog's gives you false confidence Performance data can be gleaned from exposing TCP telemetry data Ability to detect re-transmissions (TCP-SACK)

IPv6 Users were unable to connect to the service intermittently via IPv6 Repro facts: 3-way TCP connection setup s up 9-way SSL handshake fails Ack for client hello was not making it back to load balancer Solution: Implicates or exonerates Layer7 devices that are commonly finger pointed Root cause: Race condition - If the client hello was received on the load balancer before the backend connection was made it would trigger the bug

DDOS 5 Minutes later

DDOS: Packet Capture

sflow Monitor Ports Filter Flows created based on policy MUX uses service node as egress for flow MUX Filter Service Delivery Controller Service is applied to frame and sent toward mux Traffic sent to delivery switch user

Caveats and Cost

Caveats TCP/IP fields with MPLS encapsulated packets cannot be matched Lack of IPv6 source and destination matching in OF 1.0 Limited number of flow rules due to TCAM limitation Policy will not load balance traffic amongst ECMP links Not all switch vendors OF implementation is the same Commercial controller support is splintering

Cost breakdown Number of links

Questions?

Backup

Creating a Service Chain Monitor Ports Filter MUX uses service node as egress for flow Filter Flows created based on policy MUX Service Delivery Controller Service is applied to frame and sent toward mux Traffic sent to delivery switch user

Sniffer Features

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information