Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Packet Brokers

Published byDerrick Morgan Modified over 6 years ago

Similar presentations

Presentation on theme: "Network Packet Brokers"— Presentation transcript:

1 Network Packet Brokers
Andy & Atif Disclosure: Atif is from Arista, Oath uses Arista, Arista is sponsoring Happy Hour

2 What is a NPB NPB is a device that provides a means for aggregating traffic from taps and SPAN ports toward one or more analysis applications/platforms in 1:many, many:1 or many:many configuration Allows for easy horizontal scaling of Moloch and other security tools Used to be purpose built highly specialized hardware Tap/Span NPB Moloch 1 Moloch 2 Fireeye

3 Why use a NPB Easy to add Moloch capacity
Allows the networking team and security team to act more independently Networking team can add more links at any time, just connect taps to NPB The security team can add more tool capacity at any time, just connect tools to NPB Move the traffic filtering from a bpf to purpose built hardware Multiple tools can see the same traffic (or subset), again making network team happy they aren’t involved Load balancing Handles HA issues of packets taking different paths as long as all paths hit the same NPB

4 NPB Features To Pay Attention To:
Intelligent load balancing and consistent symmetric hashing - each direction of a flow goes out the same tool port 100G Traffic Enable 10G Tools on 100G networks Symmetric/Dynamic distribution of flows across Nx10G 10% Visibility Network Monitoring Tools DANZ TAP Aggregation 10G Tools

5 NPB Features To Pay Attention To:
Traffic Steering (IPv4 and IPv6) - Ability for different security tools to get different streams /24 Eth 2 /24 /24 Eth 1 /24 switchport mode tool switchport tool group set GROUP1 /24 www service-policy type tapagg input PMAP2 switchport mode tap switchport tap default group GROUP1 Eth 3 /24 /24 switchport mode tool switchport tool group set GROUP1 Eth 4 /24 switchport mode tool switchport tool group set GROUP2 Eth 5 www switchport mode tool switchport tool group set GROUP3 arriving data tagged/untagged tap port configuration tool port configuration output packets

6 NPB Features To Pay Attention To:
MPLS/VLAN/VPN stripping - some security tools require headers to be removed L2 Header MPLS Header User Traffic Visibility Network Monitoring Tools NPB Filtered User Traffic Header removal at Wire Speed Service Provide Backbone

7 Some Other NPB Features:
Automation capability - use ansible/apis or are you stuck using a web ui? Do features desired require an extra (expensive?) component and/or license Open and Programmable Operating System Buffers Density - Data Centers moving to 100G Has anyone used TCPDUMP on NPB ????

8 How Oath uses NPBs Office sites Production sites Traffic reduction
Multiple security tools Multiple Moloch boxes for retention requirements Handle HA issues Production sites Multiple Moloch boxes for CPU/Traffic rate support Removal of MPLS Combine multiple HA and routing paths

9

10 Office Deployment Tapping a HA pair of switches or firewalls with SPAN ports NPB filters and sends to N moloch boxes depending on users per site Arista 7150S-24 (or -52) 24x10TB RAID 6 = 200TB About 250 users per moloch for our retention Runs moloch, bro, suricata, other tools OOB & OS Switch Everything is also connected to a OOB switch and a normal switch for OS OOB FW 1 FW2 SWI T C H NPB Moloch 1 Moloch N

11 Prod Deployment Tapping many links in 2 comm rooms using optical taps
Tapped links are 10g, 40g, 100g Depending on where encryption is done, tapping may be between router and wave or south of router NPB per communication room, NPB 2 sends traffic to NPB 1 Arista 7504R Filters traffic 2x100g links NPB 1 distributes traffic to moloch 10g links Required because traffic is multi pathed COMM 2 COMM 1 IXIA Taps IXIA Taps NPB 2 NPB1 Moloch 1 Moloch N

12 Multi Tier Deployment Leaf Aggregator 1 Leaf Aggregator 2
…. 3 18 2 1 Monitored traffic identified by dot1Q tag Spine Aggregators pass through ID tags and timestamps To tools Leaf Aggregator 1 tap ports Id:1 Id:2 Id:3 Id:4 Id:5 Id:6 Id:7 Id:8 Id:9 tool port or portchannel as uplink (identity enabled) Leaf Aggregator 2 Id:10 Id:11 Id:12 Id:13 Id:14 Id:15 Id:16 Id:17 Id:18 Spine Aggregator tool port (channel) (identity disabled) Leaf Aggregators identify sources with dot1q tags towards spine Use Agile Ports for high capacity interconnects Unique identity tags applied to each each aggregator’s sources 12

13 Why Oath chose Arista IPv6 support 100G support MPLS stripping support
Other vendors had issues around number of ports, cost of ports, type of 100G connector MPLS stripping support many vendors require dedicated controller card or limit total bandwidth when required Not perfect, Arista requires physical loopback for MPLS stripping with symmetric load balancing Automation was poorly supported by our previous device Not a special device, just a switch in special mode Cost

14 Arista 7150S Family 350ns Latency Lowest Jitter SSD Option Resources
10G Interfaces 24, 52 or 64 10GbE 40G Interfaces 4, 13 or 16 40GbE Switching Capacity 1.28 Tbps Forwarding Rate 960Mpps L2 Table Size (u/mcast) 64K / 36K L3 Table Size (u/mcast) 84K / 23K 350ns Latency Lowest Jitter SSD Option

15 Arista 7500R and 7280R Family Common single EOS image, Deep Buffer, Lossless Architecture, Large Tables Choice of form factors, density and port speeds for varying use cases Standards based switching for reliable deployments 10G, 40G and 100G Line cards 7500R Series 30 100G QSFP 48 10G-T and 6 100G 24 40G and G QSFP 48 100G and 8 40G QSFP 48 10G-SFP and 6 100G 48 25G SFP and 6 100G 56 40G and G QSFP 60 100G QSFP

Download ppt "Network Packet Brokers"

Similar presentations

Ethernet Switch Features Important to EtherNet/IP

Ethernet Switch Features Important to EtherNet/IP
Getting Traffic to your Cluster. Where to Tap WAN or Internal – WAN Detect intrusion attempts and out-bound misbehavior – Internal Detect internal-internal.

Getting Traffic to your Cluster. Where to Tap WAN or Internal – WAN Detect intrusion attempts and out-bound misbehavior – Internal Detect internal-internal.
Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:

Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:
Switching Topic 4 Inter-VLAN routing. Agenda Routing process Routing VLANs – Traditional model – Router-on-a-stick – Multilayer switches EtherChannel.

Switching Topic 4 Inter-VLAN routing. Agenda Routing process Routing VLANs – Traditional model – Router-on-a-stick – Multilayer switches EtherChannel.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 5: Inter-VLAN Routing Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 5: Inter-VLAN Routing Routing & Switching.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Internetworking.

William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Internetworking.
Net Optics Confidential and Proprietary Director xStream Intelligent Access and Monitoring Architecture Solutions.

Net Optics Confidential and Proprietary Director xStream Intelligent Access and Monitoring Architecture Solutions.
VLANs (Virtual LANs) CS 158B Elaine Lim Allison Nham.

VLANs (Virtual LANs) CS 158B Elaine Lim Allison Nham.
TCP/IP Reference Model Host To Network Layer Transport Layer Application Layer Internet Layer.

TCP/IP Reference Model Host To Network Layer Transport Layer Application Layer Internet Layer.
(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,

(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,
Mr. Mark Welton.  Three-tiered Architecture  Collapsed core – no distribution  Collapsed core – no distribution or access.

Mr. Mark Welton.  Three-tiered Architecture  Collapsed core – no distribution  Collapsed core – no distribution or access.
Connecting LANs, Backbone Networks, and Virtual LANs

Connecting LANs, Backbone Networks, and Virtual LANs
Agenda Network Infrastructures LCG Architecture Management

Agenda Network Infrastructures LCG Architecture Management
Networking Components

Networking Components
Net Optics Confidential and Proprietary 1 iLink Agg.

Net Optics Confidential and Proprietary 1 iLink Agg.
Barracuda Load Balancer Server Availability and Scalability.

Barracuda Load Balancer Server Availability and Scalability.
LECTURE 9 CT1303 LAN. LAN DEVICES Network: Nodes: Service units: PC Interface processing Modules: it doesn’t generate data, but just it process it and.

LECTURE 9 CT1303 LAN. LAN DEVICES Network: Nodes: Service units: PC Interface processing Modules: it doesn’t generate data, but just it process it and.
Net Optics Confidential and Proprietary Net Optics appTap Intelligent Access and Monitoring Architecture Solutions.

Net Optics Confidential and Proprietary Net Optics appTap Intelligent Access and Monitoring Architecture Solutions.
NETWORK TOPOLOGIES There are three basic configurations used to connect computers they are the  Bus  Ring  Star.

NETWORK TOPOLOGIES There are three basic configurations used to connect computers they are the  Bus  Ring  Star.

Similar presentations

Ads by Google