Keith Bromley
Sr. Manager, Product Marketing at Ixia

Aggregation: The ABCs of Network Visibility

March 6, 2018 by Keith Bromley

Most monitoring and security tools need access to packet data from many locations within the network. Inserting a direct connection to every device would be impractical and expensive. Aggregation is a simple but powerful feature of network packet brokers (NPBs) that eliminates this problem. This feature allows IT engineers to remove port contention issues on SPAN ports, tap ports, and security and monitoring tool ports. Basically, each of these devices has only a limited set of output or input ports. Aggregation helps IT to overcome the issue.

What Is Aggregation?

Aggregation is the ability to combine monitoring data from many input feeds and then consolidate that data. That data can then be replicated and distributed to one or more security and monitoring tools. This means that data can be combined and concentrated from multiple input sources to the NPB. This includes multiple taps spread out across the network and SPAN ports. Data from both types of sources can be combined into a single output stream to specific or multiple tools, as needed.

Typical Use Cases

In regards to monitoring data aggregation, there are several specific use cases and instances where the feature can be beneficial. Here are some specific situations:

  • Mixture of data from SPAN ports and taps – The requirement for total network visibility may include the capture of monitoring data from different sources and combining that data to deliver a single source of data to one or more tools.
  • SDN solutions – New SDN solutions like Cisco’s ACI architecture exacerbate the need for data from multiple network locations because packets of interest may be dynamically changing to any link. This means you need to access to all of the tap and SPAN ports.
  • Alleviation of SPAN port contention – Network switches usually only have two SPAN ports. If three or more tools need monitoring data from the network switch, then there is a contention issue which results in one or more tools not getting the data it needs or there needs to be some sort of manual data cable switching process.
  • Alleviation of tool input port contention – Security and monitoring tools often have a limited number of input ports. If data is required from more monitoring data sources than the direct input ports that exist, then there needs to be some sort of manual data cable switching process.


The following are some things to keep in mind about data aggregation within an NPB:

Processing at line rate capability – High-speed networks require the capture and processing of monitoring data at line rate. Make sure your NPB selection can handle this.

Ease of Use – Aggregation needs to be easily enabled and initiated through a visual interface, not a command line interface (CLI), because the visual interface makes it quicker and easier to understand how things are connected to the NPB. This makes it quicker to create and remove data connections.

Use an NPB to deliver aggregation capabilities – One of the side effects of aggregation is that it creates large amounts of data that can overwhelm security and monitoring tools. Because of this, aggregation is usually used in conjunction with data grooming (filtering, de-duplication, header stripping, payload slicing, etc.) capabilities to decrease unnecessary data within traffic loads. This reduces the load on those tools and allow them to focus on traffic of interest from any location within the network.

More Information on Aggregation and Network Visibility

Further information about aggregation, along with Ixia’s network performance, network security and network visibility solutions and how they can help generate the insight needed for your business, is available on the Ixia website.