Keith Bromley
Sr. Manager, Product Marketing at Ixia

When It Comes To Network Visibility—Performance Matters

November 16, 2016 by Keith Bromley

Performance matters. If you can’t use your monitoring equipment to its fullest potential, then why use it? It will run slow, buffer overloads will drop packets, troubleshooting costs will increase, and worst of all—security threats will infiltrate your network. So no one would do this, right? Actually, it may be happening and you don’t even know it. This whitepaper, The Importance of Lossless Visibility, shows you why.

To be able to operate at full line rate, ALL of the pieces of your monitoring architecture must be able to run at this rate. This means the data access components, network packet brokers (NPBs), and the monitoring tools all need to be able to operate at peak performance. What you may not know is that products from various vendors do not operate correctly at full line rate. What you need is a high performance, non-blocking architecture.

When it comes to data access, this is where you definitely need the right “tool” for the right job. SPAN ports just can’t deliver the performance needed. They provide a summarized version of the data, not all of the data packets. Malformed packets, corrupt packets, etc. all get dropped. Only select network data, not all of it, can be exported on the SPAN port. This can be a serious issue when you’re trying to troubleshoot network problems or security issues. Taps are the answer to this problem. However, you need the right tap. It matters whether you are deploying the tap with inline security and monitoring tools (like an IPS, firewall, etc.) or whether you are deploying out-of-band tools like protocol analyzers, DLPs, or performance monitors. The wrong type of tap can cause you headaches.

In regards to packet brokers, you need to know exactly what they are, and are not delivering to the tools and they need to deliver everything they are supposed to. The Tolly Group ran a comparison between two network packet brokers and found that one packet broker was indeed dropping packet data and not reporting it. According to the 2016 report, the vendor in question “demonstrated packet loss at every data size. At 256-bytes and below, the loss ranged from 20% to nearly 75%.”  The only thing worse than missing data is not knowing that you are missing the data in the first place.

According to a 2016 ZK Research survey, 45% of respondents admitted to turning off features in security devices in order to improve performance. This because the tools suffered from slow performance when too many features were activated at one time. This means that you need to verify that your security and monitoring tools can handle the line rate of your monitoring solution as well. As mentioned earlier, the whole chain of components in the monitoring (visibility) architecture need to be designed correctly.

It’s not just the tools that have performance problems when too many features are activated. Some packet brokers can’t support line rate when multiple features (e.g. deduplication plus NetFlow or SSL Decrypt in a single module) are turned on either. The same Tolly report showed this situation as well. The issue is especially true of software-based NPB systems. The use of a CPU and software-based processing results in a solution capability limited by the CPU’s capability. Why buy a monitoring solution only to run it at half speed or with only half the features activated?

So what can you do about this? There are actually several simple answers:

  • Replace SPAN ports with taps for your monitoring data access
  • Test your system – it needs to be able to operate with 60% or more load. Do your own validation instead of relying on what the vendor says. This will be increasingly important as core network speeds move from 10 GE to 40 GE and then to 100 GE.
  • Select packet brokers with FPGA-based solutions. FPGA solutions can be purpose-built to process monitoring functions (like deduplication, packet slicing, protocol header stripping, etc.) and still run at line rate.

These three steps will allow you to eliminate the need for performance compromises and trade-offs.  More information is available here or if you have questions, reach out to Ixia and we can show you the truth in person.