Floating Filters: The ABCs of Network Visibility
An interesting troubleshooting benefit of certain network packet brokers (NPBs) is the ability to create unassigned data filters. At Ixia, we call these floating filters because they aren’t attached to any network port, so they are free floating. The advantage of this type of filter is that it is already pre-configured in the system. So when needed, the time it takes to actually deploy the filter is almost negligible.
Purpose of Floating Filters
Floating filters are only partially connected within the network packet broker (NPB) programming. They are typically connected to a specific tool but not to a network port. The power of the floating filter is that it is already created and connected on the tool side. When needed, the tools can instantly be connected to a network port to analyze incoming data. This speeds up diagnosis time since the forensic tools are already in place and in standby mode.
When you’re in a troubleshooting situation, minutes matter. According to the 2016 Cost of Data Center Outages study conducted by the Ponemon Institute, the average cost of a data center outage is $740,357 and lasts for about 95 minutes. This results in a cost of $7,793 per minute of downtime. A rapid response is needed to control costs. Since the floating filter is already created, this can save you several minutes, especially when compared to configuring filters manually using CLI.
To activate the filter takes less than 1 minute. You just draw a connection from the network port to the floating filter. It’s that easy. If you need to make any filter adjustments, they are simple button clicks.
Typical Use Cases
A typical use case would involve using something like a Wireshark tool or some sort of protocol analyzer. You can also use this technique for tools that you use often. For instance, maybe you’ve got a commonly reoccurring problem happening but you don’t have a long term fix for it yet. Any tool that is used often can be set up with a floating filter and pre-staged for problems.
Another use case is to have a senior engineer create various types of filters and save them to the filter library. This increases speed of deployment and the accuracy of the various data filters created.
In addition, the floating filters can be connected remotely by using the packet broker management system when needed. This gives you 24 x 7 x 365 diagnosis capabilities from remote locations.
Here are some things to keep in mind regarding floating filters because most vendors do not support this valuable capability:
Faster Troubleshooting Times – There is no “mapping” or extensive configurations needed. The power of this feature, is to pre-stage specific troubleshooting filters and connect them to standby troubleshooting tools like protocol analyzers (like Wireshark, etc.). This is what allows you to dramatically cut data collection times because it literally only takes a minute or less to connect the pre-existing filter to a network port.
Better Accuracy – These types of filters are predefined and can be stored in a library. This means that someone on the team who is an expert for certain activities can create special purpose filters that the whole IT team can use. Since the filter is created and validated by the company expert, there will be less issues with filter accuracy and correctness should a junior engineer, or someone not familiar with all of the nuances with a particular type of test procedure, need to conduct specific types of network testing.
Role-based Permissions – Filters should have the ability to be locked down, i.e. allow role-based permissions. This allows an individual or group to be able to access certain filters but not everyone. You may want filters that can be accessed by everyone but at other times, you want the ability to lock a filter so you do not have to check it all the time to make sure no one changed the core filter programming. When an event happens, you want to start data captures, packet captures (PCAPs), and data analysis as fast possible. By locking a filter down, you have the peace of mind it has not been changed and is “good to go.”
Ease of Use – If any configuration of the filter is needed for some reason, it should be as simple as making mouse clicks. A good packet broker will display the existing filter within the main User Interface so it’s easy to see the connections and easy to understand what a particular filter is used for. You can drag and drop to start the flow of data to the filter. The packet broker should support a remote interface so that you can make changes or place the floating filter into service remotely, i.e. no need to drive into the office.
More Information on Visibility Architectures
When all the components of a visibility architecture are combined, they eliminate the blind spots within your network and make troubleshooting much easier and faster. Floating filters allow you to improve your trouble alert response times.
Ixia’s entire series of blogs on visibility are available now in the e-book Visibility Architectures: The ABCs of Network Visibility.