6. Network Visibility for VXLAN Overlay Networks

THE CHALLENGE

Gaining full visibility into overlay and underlay networks while maintaining data integrity is a challenge. The rapid expansion of NFV deployments and the use of VXLAN for building overlay networks make it more complex to get accurate visibility into both the overlay and the underlay network. Traditional monitoring tools typically cannot handle encapsulated network traffic, nor can they perform the correlation needed to differentiate the overlay networks. In these cases organizations often rely on endpoint visibility solutions, which have their strong points but are also increasingly costly, require vendor lock-in, and are inefficient for troubleshooting. They also infer network performance parameters rather than measuring them directly from the actual network traffic.

THE SOLUTION FROM CUBRO

Cubro offers three design solutions for this issue:

SOLUTION 1

Graphic Network Visibility For VXLAN Overlay Networks
  • Remove & Correlate flows across the path
  • Correlate flows based on the underlay transport information.
  • Combine flow/path segment based on BGP
  • Enrich Data from Switch inband Telemetry
  • Enrich Data with switch Table Information

NETWORK PATH

Now that applications and hosts impacted by physical network outages are identified, an SDDC administrator can select end nodes to view where VM to VM traffic is encapsulated, and can see specifically which physical network devices the traffic went through.

Graphic Network Path

Now SDDC administrators can pinpoint which of the network devices in the path are a cause of application performance problems.

The following image shows network device interfaces involved in VM to CM communication.

Graphic Network device interfaces in VM to CM communication.

For interfaces relaying a traced communication the following information is presented:

  • Relative traffic load on this interface as a percent of its nominal capacity
  • Relative packet rate on this interface, measured against the maximum packet rate sustainable at the current average packet size
  • Total number of bytes passed in each direction through this interface over a selected time interval
  • Total number of packets passed in each direction through this interface over a selected time interval

The path information is available not only for VM to VM (East-West) traffic within the data center, but also for VM to gateway (North-South) traffic. This capability is useful for identifying network congestion and abnormal activity such as data exfiltration.

SOLUTION 2

The other possible option is dynamic VXLAN filtering. This solution is not as good as Solution 1, but it can reuse “old” monitoring gear. Old equipment can be repurposed because dynamic VXLAN filtering ensures that only the traffic from the relevant overlay is selected and sent to legacy monitoring tools.

Graphic Dynamic VXLAN Filtering

The challenge is that only a few NPBs are capable of VXLAN filtering. The second issue is that this must be done dynamically. For that reason, some signalling protocols must be decoded by the packet broker or an external appliance. This leads us to our third solution - Cubro Cloud Switch (CCS).
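The filter-and-decapsulate step behind dynamic VXLAN filtering, as an added Python example (not Cubro's code): it keeps only frames whose VNI is in a wanted set and hands the inner frame to a tool that cannot parse VXLAN. It assumes an IPv4 underlay and the standard UDP port 4789; the function names are hypothetical, and the wanted set is assumed to be maintained by whatever decodes the signalling.

```python
import struct

VXLAN_PORT = 4789  # IANA-assigned VXLAN UDP port (RFC 7348); assumed for the underlay

def parse_vxlan(frame: bytes):
    """Return (vni, inner_frame) for an Ethernet/IPv4/UDP VXLAN frame, else None."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:   # single 802.1Q tag on the underlay
        ethertype, off = struct.unpack_from("!H", frame, 16)[0], 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None                                # not IPv4, or truncated
    ihl = (frame[off] & 0x0F) * 4
    if frame[off] >> 4 != 4 or ihl < 20 or frame[off + 9] != 17:
        return None                                # bad IP header or not UDP
    if struct.unpack_from("!H", frame, off + 6)[0] & 0x3FFF:
        return None                                # IP fragment: no reliable UDP header
    udp = off + ihl
    if len(frame) < udp + 16:                      # UDP (8) + VXLAN (8)
        return None
    if struct.unpack_from("!H", frame, udp + 2)[0] != VXLAN_PORT:
        return None
    if not frame[udp + 8] & 0x08:                  # I flag clear: VNI field not valid
        return None
    vni = int.from_bytes(frame[udp + 12:udp + 15], "big")
    return vni, frame[udp + 16:]

def filter_overlay(frames, wanted_vnis):
    """Return decapsulated inner frames whose VNI is in wanted_vnis."""
    parsed = (parse_vxlan(f) for f in frames)
    return [p[1] for p in parsed if p and p[0] in wanted_vnis]

def build_sample(vni, inner, dport=VXLAN_PORT):
    """Constructed test frame: Ethernet/IPv4/UDP/VXLAN/inner, checksums left at zero."""
    vxlan = b"\x08\x00\x00\x00" + vni.to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 49152, dport, 16 + len(inner), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36 + len(inner), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x02" * 12 + b"\x08\x00" + ip + udp + vxlan + inner

if __name__ == "__main__":
    inner = b"\xaa" * 14 + b"tenant-a"             # constructed inner frame
    frames = [build_sample(100, inner), build_sample(200, b"\xbb" * 20),
              build_sample(100, inner, dport=53)]
    wanted = {100}   # in a live deployment this set changes as overlays come and go
    print(len(filter_overlay(frames, wanted)), "frame(s) forwarded to the legacy tool")
```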

SOLUTION 3

The most advanced solution would be to use the Cubro Cloud Switch, because the CCS combines an advanced switching fabric with a visibility fabric. The image below shows the transformation if you use the CCS.

Graphic CCS with Advanced Switching Fabric

The Cubro Cloud Switch provides switching functions at layers 2 to 7 and, at the same time, visibility. This is possible because packet forwarding is done in hardware: the switch infrastructure knows where the microservice is running, and can copy the relevant traffic and send it over the switch infrastructure to the probing system (virtual/real).
