Network Systems DesignLine | How to build a huge virtualized SpyNet

How to build a huge virtualized SpyNet


Page 2 of 2

Troubleshooting
As with the original SpyNet, troubleshooting is still the most important reason for out-of-band monitoring. Multiple protocol analyzers are deployed. The data-access switch is reconfigured on the fly to quickly deploy any given tool to any given spot on the network whenever trouble arises during the show (including equipment deployed in remote locations off the show floor). In addition, traffic from four different tap points (eight streams in total, using the internal tap modules of the data-access switch) is aggregated so that tools can monitor traffic from both before and after the redundant firewalls. Finally, hardware filters are deployed when there is a need to inspect only VoIP traffic, or to drill down on a particular traffic type (e.g., HTTP) or a particular VLAN.

Security
There are two kinds of security tools: those that guard against external attacks, such as IDSs (intrusion detection systems), and those that guard against internal abuses (e.g., worms and viruses inadvertently delivered by portable computers carried by traveling salesmen). One IDS is connected so that it receives traffic from the two taps inside the firewall (as a last line of defense behind the firewall), and the other IDS receives traffic from the 10G mirroring port of one of the two core switches (using the data-access switch to downshift from 10G to 1G).

The four internal security tools are more interested in internal abuses and receive traffic from the 1G mirroring ports of the eight access switches inside the eight racks. Using the data-access switch to aggregate this traffic and to load-share the aggregate, multiple 1G tools can each receive a logical slice of the multi-gigabit traffic, so that each tool receives nominally 25% of the total traffic originating from any two racks (each of which is assigned its own subnet).

Figure 2 shows the NOC, which houses the equipment. The two identical racks on the left and center contain the routers (blue), Gigamon data-access switches (orange), firewalls (blue), and 10G core switches (purple). The rack on the right is the SpyNet rack, which contains fourteen monitoring tools: Juniper (blue), Internap (blue), Network Physics (black), Extreme (purple), Fluke (blue) and Network General (black and green).


Figure 2. Housing the equipment at Interop 2006

Application
Application response-time monitoring is surprisingly important. Inappropriate use of BitTorrent or similar P2P applications consumes unreasonable amounts of bandwidth, leading to the unjustified complaint that the network is slow. A number of application probes are deployed at the show, using the data-access switch to aggregate traffic from critical points throughout the network and to map it logically to the probes.

Forensics
A new class of troubleshooting tool is deployed at the show, with off-line data storage that allows the NOC engineers to replay past events and attacks for forensic analysis (much like a TiVo). The data-access switch is used to customize connectivity for each of the three data-recording tools (including downshifting from 10G to 1G and packet filtering).

Optimization
With InteropNet connected to the Internet by two redundant high-speed links from two different providers, there is a need for an optimization tool whose primary function is to balance traffic between the two links. To avoid unacceptable and costly downtime, the tool ensures that InteropNet remains available even when one provider is completely down or performing poorly. Since this is a 10G tool, the data-access switch aggregates traffic from multiple 1G links and up-shifts it to 10G to provide the custom connectivity.

Figure 3 shows the port assignment and the diverse connectivity between the various network access points (taps and SPAN ports) and the connected tools, which together completely consume the 40 ports available on the two data-access switches (interconnected by a 10G GigaLINK to provide a contiguous switch fabric). For simplicity, the bit-mask packet filters that customize the traffic for each tool are not shown.


Figure 3. Port assignment and connectivity
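The per-tool traffic slicing described under Security (each 1G tool getting a logical slice of the aggregate) and the bit-mask packet filters mentioned with Figure 3, as an added example that is not Gigamon's code and not part of the original article: a small Python model of one data-access switch output group that applies hardware-style (offset, mask, value) pass filters and then load-shares the surviving packets across N tool ports by a direction-independent flow hash, so both directions of a conversation reach the same tool. The packet layout (option-less IPv4), the filter offsets and values, and the use of CRC32 as the hash are all assumptions made for this example.

```python
import socket
import struct
import zlib

def build_ipv4(src, dst, proto, sport, dport):
    """Constructed sample: 20-byte IPv4 header (no options, checksum left 0) + L4 ports."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + struct.pack("!HH", sport, dport)

def mask_match(pkt, offset, mask, value):
    """Hardware-style bit-mask pass filter: (pkt[offset:] & mask) == value."""
    window = pkt[offset:offset + len(mask)]
    if len(window) < len(mask):        # too short to compare: fail closed
        return False
    return all((b & m) == v for b, m, v in zip(window, mask, value))

def tool_slot(pkt, n_tools):
    """Choose a tool port by hashing the 5-tuple with the endpoints sorted, so
    the reply direction of a flow lands on the same tool as the request."""
    proto = pkt[9]
    sport, dport = struct.unpack("!HH", pkt[20:24])
    a, b = sorted([(pkt[12:16], sport), (pkt[16:20], dport)])
    key = a[0] + b[0] + struct.pack("!HHB", a[1], b[1], proto)
    return zlib.crc32(key) % n_tools      # hash choice is an assumption

def distribute(packets, filters, n_tools):
    """Apply every pass filter, then load-share survivors across n_tools slices."""
    slices = {slot: [] for slot in range(n_tools)}
    for pkt in packets:
        if all(mask_match(pkt, *f) for f in filters):
            slices[tool_slot(pkt, n_tools)].append(pkt)
    return slices

# Assumed filters, as (offset, mask, value) into an option-less IPv4 packet:
UDP_ONLY = (9, b"\xff", b"\x11")                 # protocol byte == 17
SIP_DPORT = (22, b"\xff\xff", b"\x13\xc4")       # destination port == 5060

def demo():
    """Three constructed packets: a SIP request, its reply, and an HTTP SYN."""
    pkts = [build_ipv4("10.1.0.5", "10.2.0.9", 17, 40000, 5060),
            build_ipv4("10.2.0.9", "10.1.0.5", 17, 5060, 40000),
            build_ipv4("10.1.0.7", "10.2.0.9", 6, 40001, 80)]
    return distribute(pkts, [UDP_ONLY], 4)   # both SIP packets share one slice
```

Adding a fifth tool is just `n_tools=5`: every tool then gets a finer slice, but a flow is never split between tools, which is the property a stateful tool such as an IDS needs.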

Summary
In summary, at Interop Las Vegas 2006 a number of sponsors provided a collection of best-practice, best-of-breed monitoring solutions to SpyNet, each delivering a specific and complementary function to protect, analyze and optimize the mission-critical InteropNet. What is different this year is that SpyNet has evolved into a virtualized network, providing a virtualized "data socket" for multiple monitoring tools and allowing each tool to receive a customized logical slice of the total traffic suited to its monitoring needs.

As with any virtualized network, SpyNet can accommodate moves, adds and changes without requiring a truck roll, any physical changes, or any impact on the mission-critical production network. Moreover, with a virtualized SpyNet, multiple monitoring tools performing the same or dissimilar functions can be added one at a time to match the growing bandwidth requirement exactly, each addition giving every tool a finer slice of the total traffic, so that no critical packet is ever lost and no tool is ever oversubscribed.

About the Author
Denny K. Miu, Ph.D., is the CEO and one of the six co-founders of Gigamon. Miu has extensive experience in developing technology, products and business relationships. He has been a professor, an engineer, an entrepreneur, and a team leader as well as an individual contributor. He can be reached at denny.miu@gigacom.com
