Service provider and enterprise network operators are monitoring their networks to optimize performance, troubleshoot operational and security issues, and gain other benefits. But traditional monitoring methods fall short – port mirroring can compromise network performance, while network packet brokers are too expensive to deploy everywhere. For comprehensive monitoring, network operators need a monitoring fabric. Software-defined networking (SDN) systems can enable a monitoring fabric without compromising network performance and at a cost low enough to make sense. In this article, we’ll look at how SDN solutions provide the perfect fit for network monitoring fabrics.
A Brief History of Network Monitoring
Monitoring is used for troubleshooting, performance optimization, failure recovery, billing, compliance, and for a wide variety of security functions. Traditionally, troubleshooting a network meant dragging analysis tools to the point in the network you wanted to monitor. This was fine if the problem was localized to a single point and you could get to it, but it was impractical in large networks where monitoring was needed at many different points.
To make monitoring more scalable, the industry developed mirror ports in switches. These enabled users to copy traffic off of a live network and send it to an analysis tool. Unfortunately, port mirroring is like drinking from a fire hose – you can’t carefully select traffic, and the switch can be overloaded with the volume of traffic being mirrored. In addition, the mirrored port will feed traffic to another port, so it uses extra ports on the switch.
In response to these issues, the industry came up with dedicated devices called network packet brokers. These could select the traffic being monitored (based on IP address or application type, for example) and forward it to analysis tools. Network packet brokers do a great job of selecting and forwarding traffic for analysis, but at roughly $80,000 each, they’re too expensive to use everywhere one might want to monitor traffic.
Enter SDN
SDN solutions deliver the same level of granular traffic control as network packet brokers, but they do so at a far lower cost. There are three elements of an SDN solution: white box switches, Network Operating Software (NOS) that runs on the switches, and an SDN controller.
White box switches leverage the white box revolution that has taken the server world by storm. Commodity, off-the-shelf switches from original device manufacturers like Quanta and Accton cost far less than branded switches or packet brokers, making monitoring affordable. A white box switch that’s equivalent in port density to a packet broker costs $5,000 or less. For those who want a greater comfort level, “brite box” switches deliver the same functionality with brand names like Dell or HPE.
The second part of the SDN solution is Network Operating Software, which uses OpenFlow commands to deliver per-flow control. Using a central controller, the user can carefully select which traffic flows are to be monitored. The richness of OpenFlow means very detailed instructions can be given to the switch to indicate which flows to pick out and send for analysis.
With low-cost white box or brite box switches and very granular OpenFlow controls, monitoring becomes both affordable and extremely controllable. Because OpenFlow software is so scalable, and the CapEx is relatively low, there’s no limit to the number of ports you can sample – you can use well-established principles to build out the monitoring as broad as you like across a network.
Monitoring Use Cases
There are several categories of use cases for network monitoring as identified below. Many network operators use the monitoring fabric for a combination of them.
- Troubleshooting allows you to analyze network protocols and behaviors, and find protocol and traffic problems so you can remedy them.
- Billing and accounting allow the user to sample data to see what is on the network to better monetize traffic. For example, if you see that 80 percent of the traffic is video, you can charge accordingly. You might also look at usage rates per user, so you can see what percentage of the traffic is coming from one particular user.
- Security includes sampling data to look for network-based attack signatures.
- Compliance includes data collection to feed into compliance reporting tools and packages.
- Performance tuning gives you feedback to aid in getting the most from your network.
- Lawful intercept enables government agencies to monitor for information like user types or applications used.
- Capacity planning is using monitoring to understand the utilization of network equipment and predicting when to add more gear.
SDN Flexibility for Different Network Analysis Tools
Network analysis tools rarely have the capacity to handle a large amount of traffic, so they are typically used in groups. There are different types of tools, and their groups must be handled differently.
If you are collecting statistics, you can often just use a round robin, load-balanced approach to send traffic to an arbitrary member of an analysis group. Analytic tools are typically designed to operate as a group, so they can combine their statistics and present them in aggregate form.
You may want traffic from any source to always go to the same analysis tool in a group. This technique, called hashing, is useful for security applications, for example.
You may want the traffic to be analyzed by more than one tool, possibly for different purposes, so you could copy the data to more than one analysis group.
You may want to send the traffic to two sets of tools, then round robin load-balance among one group, and use hashing within the other group. For example, if you have two groups of analysis tools – one for security and one for troubleshooting – you could send traffic to the security group and also to the troubleshooting group, using load balancing in one case and hashing in the other.
These usage scenarios are easy to set up with an SDN solution because OpenFlow provides the controls to set up tools the way you want them, and regardless of where the tools are physically located or where they are connected to the network.
SDN hardware and software lets you create very large, fast, and inexpensive monitoring networks while containing all the controls you need to get the data to the right analysis tools. These monitoring networks are being used by service providers who want to understand the traffic going across their networks for billing and optimization purposes, and by enterprises who want to improve troubleshooting, security, and performance optimization.
Traffic is the lifeblood of any network, and monitoring allows network managers to discover what is happening inside that traffic at any given point in the network. SDN solutions are the key to flexible, scalable, and cost-effective monitoring.