A network packet broker is a network device that provides an efficient way to connect monitoring and traffic analysis tools to a computer network and performs common traffic processing tasks centrally. It reduces the cost of monitoring a computer network when there are many traffic collection points, high data transfer speeds, and a need to connect several monitoring and analysis tools to the network. A network packet broker consolidates traffic from data sources at one point, duplicates traffic for transmission to different monitoring tools, and filters and distributes different types of traffic so that the connected monitoring and analysis tools receive only relevant traffic.
Other terms used for this class of devices include packet broker, monitoring switch, data monitoring switch, data access switch, tool aggregator, net tool optimizer, distributed filter tap, and others.
Russian manufacturers of network packet brokers are NPP Digital Solutions and RDP.
Principle of Operation
A network packet broker receives traffic from TAP devices and from SPAN ports of network equipment. It analyzes the contents of each packet according to many criteria, such as membership in a specific network segment, TCP session, protocol or application. Criteria can be either predefined by the equipment manufacturer or set by the administrator. Packets that meet the established criteria undergo a configurable set of operations, such as filtering, packet modification, and session trimming. The traffic is then distributed over the output ports of the device, using load balancing if necessary. In this way the network packet broker keeps the load on connected monitoring and analysis tools under control and performs common processing tasks centrally, selecting and preparing the necessary traffic.
Appearance and Design
Network packet brokers are available in a 1U (sometimes 2U) form factor for a standard 19-inch server rack. The front panel of the device usually has a large number (up to 40 or more) of network interfaces (ports). Some network packet brokers support stacking, which makes it possible to build virtual devices with hundreds of ports.
Functionality
Network packet brokers are a relatively new class of devices with a corresponding technology stack. There are several different approaches to implementing the software and hardware of these devices, so each product has its own advantages and differs from competitors. The most common functions are [1] [2] [3]:
- Switching traffic from any number of input ports to any number of output ports with the ability to configure switching parameters in real time and make various changes to the packet stream.
- Filtering at levels from L2 to L4 of the OSI model. Filtering rules may include such fields as VLAN tag, MAC address, IP address, TCP/UDP port, etc.
- Aggregation and distribution. Traffic from several low-speed interfaces, such as 10G, can be collected and sent via a 100G interface. Conversely, traffic received from a 100G interface can be distributed across several 10G interfaces.
- Packet trimming, which sends only the necessary part of the data (for example, only the headers) to the analysis tools for maximum efficiency.
- Load balancing between multiple output ports. When balancing, packets belonging to one session can be sent to one output port.
- Limiting the speed of traffic in accordance with the capabilities of analysis and monitoring tools.
- Security management (user access control to settings, permissions for individual ports, etc.)
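The following Python sketch is an added example, not code from any vendor or from the sources cited here. It chains three of the functions listed above for one frame: an L2-L4 filter, trimming to headers only, and load balancing that keeps a session on one output port. Assumptions: non-fragmented IPv4 over Ethernet, a CRC32 hash over a direction-independent flow key (so both directions of a session reach the same tool), and hypothetical names parse, matches, tool_port, broker and make_frame.

```python
import struct
import zlib

def parse(frame):
    """Extract L2-L4 fields from an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 18:
        return None
    ethertype, off, vlan = struct.unpack("!H", frame[12:14])[0], 14, None
    if ethertype == 0x8100:                  # 802.1Q tag: VLAN ID is the low 12 bits
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    l4, proto = off + (frame[off] & 0x0F) * 4, frame[off + 9]
    if proto not in (6, 17) or len(frame) < l4 + (20 if proto == 6 else 8):
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    l4_len = (frame[l4 + 12] >> 4) * 4 if proto == 6 else 8   # TCP data offset or UDP
    return {"vlan": vlan, "proto": proto, "sport": sport, "dport": dport,
            "src": frame[off + 12:off + 16], "dst": frame[off + 16:off + 20],
            "hdr_end": l4 + l4_len}

def matches(pkt, rule):
    """Rule keys (all optional): vlan, proto, port (source or destination)."""
    return (rule.get("vlan") in (None, pkt["vlan"])
            and rule.get("proto") in (None, pkt["proto"])
            and rule.get("port") in (None, pkt["sport"], pkt["dport"]))

def tool_port(pkt, n_ports):
    """Hash the sorted endpoint pair so A->B and B->A pick the same output port."""
    lo, hi = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    key = lo[0] + hi[0] + struct.pack("!HHB", lo[1], hi[1], pkt["proto"])
    return zlib.crc32(key) % n_ports

def broker(frame, rule, n_ports):
    """Return (output port, header-only copy), or None when the frame is dropped."""
    pkt = parse(frame)
    if pkt is None or not matches(pkt, rule):
        return None
    return tool_port(pkt, n_ports), frame[:pkt["hdr_end"]]

def make_frame(src, dst, sport, dport, payload, vlan=None):
    """Constructed sample input: minimal Ethernet/IPv4/TCP frame, checksums zero."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    eth = bytes(12) + tag + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload
```

A plain hash of the 5-tuple in packet order would split the two directions of a session across tools, which is why the endpoints are sorted before hashing.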
Management Interfaces
Network packet brokers support one or more management interfaces:
- A text-based command line interface that can be accessed locally through the serial port using a terminal emulation program, or remotely via a secure network connection (for example, SSH).
- Web GUI. Many products implement a web interface, including an intuitive drag-and-drop style, and provide a number of graphical features that simplify the device setup process.
The following external interfaces may also be available:
- Central Management Server - used for stacking to manage a large number of devices through a single common interface.
- SNMP interface. Convenient in environments with centralized management systems such as IBM Tivoli or HP OpenView.
Benefits
- Facilitate centralized control of network traffic in the Network Management Center (NCC).
- Save time and money when installing analysis and monitoring tools.
- Simplify the sharing of monitoring tools across departments.
- Allow monitoring tools with a performance of 1G and 10G to be used in 100G networks, and allow 10G monitoring devices to examine traffic aggregated from 1G connections.
- Reduce the burden on monitoring tools.
- Due to the higher density of ports than in individual TAP devices, they save rack space and energy, which leads to a lower cost per port.
Weaknesses
- They are expensive, difficult-to-configure devices with a large set of complex functions that may not be needed in a particular case.
- Different devices, even from one manufacturer, may operate differently due to the lack of a standard.
- High minimum cost - if you need to use only a few ports, the price per port will be high.
See also
- Deep Packet Inspection (abbreviated DPI) - Traffic processing technology.
- SORM - System of technical means to ensure the functions of operational-search measures of the FSB of Russia.
Notes
- [1] Zeus Kerravala. The rise of next-generation network packet brokers. Network World (August 9, 2018).
- [2] Dennis Carpio. Integrating Monitoring Access Into The Network Architecture. www.ebizq.net.
- [3] Jonah Kowall. Application Aware Network Performance Monitoring (NPM) and Network Packet Broker (NPB) research. Gartner Blog Network (April 21, 2012).