As the shift from traditional networking to SDN-based hyperscale networking takes place in enterprise and cloud provider data centers, security and network operations teams still require granular visibility into applications.  Application visibility matters for application response time measurement, application troubleshooting, application security monitoring (against advanced persistent threats), and so on.  To achieve it, customers deploy a separate monitoring infrastructure.  Typically, network engineers use optical network TAPs and/or SPAN sessions on physical switches to mirror production-network traffic and forward it to the monitoring infrastructure (such as Big Switch’s Big Monitoring Fabric).  With a high degree of virtualization in data centers -- 70% or more of workloads virtualized in many cases -- complete visibility into virtual machine traffic also becomes paramount.

Consider an application, such as a 3-tier workload, that is distributed across both virtual and physical environments; for example, the web and app tiers are virtualized but the database tier resides on a physical server.  If the web and app VMs are in the same network segment (e.g. VLAN) and reside on the same server, the traffic between them may never traverse the physical network, so it never reaches a TAP or a physical switch SPAN port.  When it comes to application visibility, both physical and virtual workloads need to be first-class citizens.  How do we monitor this VM-to-VM traffic within a server?

Some vendors provide a special-purpose VM appliance for tapping VM-to-VM traffic, but that is quite intrusive and cost prohibitive.  Given that a data center can have thousands of virtualized servers, deploying and managing a “tapping VM” on each virtualized server adds tremendous cost and operational complexity, and it consumes CPU cycles that belong to the workloads.  Instead, a simpler, zero-cost way to enable VM-level monitoring is to leverage the traffic replication capability native to a hypervisor’s virtual switch.  Modern hypervisor vSwitches support the Remote SPAN (RSPAN) feature, which copies vSwitch traffic and encapsulates each copy in a dedicated VLAN.  This vSwitch-created RSPAN traffic can traverse the upstream physical network onto the monitoring network for VM-level visibility analysis.  Two operational points are worth keeping in mind: the mirror copies leave the server over the same pNIC as the production traffic, so the uplink carries roughly twice the volume for every mirrored flow; and the RSPAN VLAN must be allowed on the uplink trunk and carried end to end to the monitoring fabric, while being pruned everywhere else, because it is a clear-text copy of production traffic.

To illustrate this further, consider the VMware vSphere 5.5-based virtualized environment shown in the figure below:

  • With RSPAN configured for vDS-1 (via VMware vCenter), all traffic between the Web-A VM and the App-A VM is replicated, encapsulated in VLAN 10 and sent to the server pNIC.  
  • Upon exiting the server pNIC, the RSPAN traffic traverses the physical network (e.g. the Top-of-Rack switch and possibly an aggregation switch, depending on the physical network topology) towards the Big Monitoring Fabric.  
  • Big Monitoring Fabric aggregates and filters vSwitch-generated RSPAN traffic alongside traffic from physical switch SPAN ports and optical TAPs, and forwards the flows to be monitored to the monitoring tools.
  • If a packet modification function -- such as packet slicing -- is required, Big Mon can forward the associated flows through one or more Network Packet Brokers (NPBs) before they are sent to the tools.  Big Mon treats NPBs as service nodes and creates a logical service chain of NPBs on a per-policy basis.  Since the NPBs are no longer used for volume aggregation and filtering, their services can be leveraged in a highly efficient manner.
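The two halves of the path above (the vSwitch mirror session pushing the RSPAN VLAN, and the fabric policy selecting, filtering and slicing those copies) can be modelled in a few dozen lines.  The following is an added example written for this post, not VMware or Big Switch code: the MAC and IP addresses, port numbers and payloads are constructed sample data, `MonitoringPolicy` is a hypothetical stand-in for a Big Mon policy with a packet-slicing service, and the `strip_original_vlan` flag models the mirror session option that removes a port-group VLAN tag before the RSPAN tag is pushed.  It also shows the edge case a practitioner hits when the mirrored port group is itself tagged: without that option the copy arrives double-tagged, with the RSPAN VLAN outside and the original VLAN inside, and the fabric policy has to pop both.

```python
"""Model of vSwitch RSPAN feeding a monitoring-fabric policy.

Constructed, stand-alone example (not VMware or Big Switch code). A mirror
session copies VM-to-VM frames and pushes an 802.1Q tag carrying the RSPAN
VLAN onto each copy; the monitoring policy then selects frames by that VLAN,
applies a flow filter, pops the tag and optionally slices the packet.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_8021Q = 0x8100  # EtherType of an 802.1Q tag
ETH_P_IP = 0x0800
IPPROTO_TCP = 6

# Constructed (hypothetical) MAC/IP pairs for the 3-tier example.
WEB_A = (bytes.fromhex("005056000001"), "10.0.20.11")
APP_A = (bytes.fromhex("005056000002"), "10.0.20.12")
DB_1 = (bytes.fromhex("005056000003"), "10.0.30.5")


def build_frame(src, dst, sport, dport, payload, vlan=None):
    """Build an Ethernet/IPv4/TCP frame (checksums left zero; sample data only)."""
    eth = dst[0] + src[0]
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    eth += struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src[1]).packed,
                     ipaddress.IPv4Address(dst[1]).packed)
    return eth + ip + tcp + payload


def pop_vlan(frame):
    """Return (outer VLAN id or None, frame with that tag removed)."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def push_vlan(frame, vlan_id):
    """Insert an 802.1Q tag (priority 0) right after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF) + frame[12:]


def rspan_mirror(frame, rspan_vlan, strip_original_vlan=False):
    """Model of a remote-mirror session: copy the frame and encapsulate the
    copy in the RSPAN VLAN. Without strip_original_vlan, a frame that already
    carries a port-group tag ends up double-tagged (RSPAN outside, original inside)."""
    copy = frame
    if strip_original_vlan:
        _, copy = pop_vlan(copy)
    return push_vlan(copy, rspan_vlan)


def five_tuple(frame):
    """Parse an untagged Ethernet/IPv4 frame into (src, dst, proto, sport, dport)."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    sport = dport = None
    if proto in (6, 17):  # TCP and UDP both carry the ports in the first 4 bytes
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, proto, sport, dport


@dataclass
class MonitoringPolicy:
    """Hypothetical fabric policy: select the RSPAN VLAN, filter, slice, deliver."""
    rspan_vlan: int
    match_port: Optional[int] = None  # keep flows with this port on either side
    slice_to: Optional[int] = None    # packet-slicing service: keep the first N bytes

    def apply(self, frames):
        delivered = []
        for frame in frames:
            outer, inner = pop_vlan(frame)
            if outer != self.rspan_vlan:
                continue  # production frame, or another policy's mirror VLAN
            _, inner = pop_vlan(inner)  # drop a preserved original VLAN tag, if any
            flow = five_tuple(inner)
            if flow is None:
                continue
            if self.match_port is not None and self.match_port not in flow[3:5]:
                continue
            if self.slice_to is not None:
                inner = inner[:self.slice_to]
            delivered.append((flow, inner))
        return delivered


def demo():
    """Mirror the Web-A <-> App-A exchange and run a policy for port 8080."""
    production = [
        build_frame(WEB_A, APP_A, 40312, 8080, b"GET /orders HTTP/1.1\r\n"),
        build_frame(APP_A, WEB_A, 8080, 40312, b"HTTP/1.1 200 OK\r\n"),
        build_frame(APP_A, DB_1, 51000, 3306, b"SELECT 1"),
    ]
    mirrored = [rspan_mirror(f, rspan_vlan=10) for f in production]
    uplink = production + mirrored  # the pNIC carries both originals and copies
    policy = MonitoringPolicy(rspan_vlan=10, match_port=8080, slice_to=64)
    return policy.apply(uplink)


if __name__ == "__main__":
    for flow, data in demo():
        print(flow, len(data), "bytes")
```

Running `demo()` delivers only the two Web-A/App-A frames on port 8080, each cut to 64 bytes; the App-A to database frame and all untagged production frames are dropped by the policy, since only copies carrying VLAN 10 count as mirror traffic.  The production frames on the uplink are untouched, which is the reason the pNIC load doubles for every mirrored flow.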

With private/public clouds, virtual desktops and virtualized Big Data analytics, VM-level monitoring can generate substantial amounts of traffic.  Because Big Monitoring Fabric is architected on software defined networking (SDN) principles and commodity bare-metal switches, it provides a highly scalable yet operationally simple, ultra-low-cost monitoring infrastructure compared to traditional network packet broker (NPB) based proprietary designs.  Through the Big Mon Controller GUI (or CLI), the entire multi-switch fabric can be managed and scaled for 1G, 10G and 40G monitoring (and 100G once bare-metal switches are available).  And with our Dell partnership, customers have the choice to deploy Big Mon on Dell’s Open Networking switches and have the entire solution supported by Dell.

The next step on this exciting journey is to go deeper on visibility and broader on reach.  By inspecting deeper into the packet, finer-grained monitoring policies can be applied to application protocols (e.g. 4G/LTE protocols) as well as to encapsulated (e.g. MPLS) packets.  Extending the Big Mon fabric across data centers and to remote branches broadens the visibility diameter without moving the tools -- tools tend to be expensive, so why not bring the traffic to the tools!  None of this requires proprietary, expensive HW.  With SDN principles and commodity bare-metal switch HW, we can easily achieve these advanced network visibility functions.

Related Blogs:

  • Next Generation Monitoring Fabrics based on Bare Metal SDN
  • Big Monitoring Fabrics Release v3.0 - Simpler, Smarter, Scalable

Additional Resources:

  • Rich Groves (Former Architect at Microsoft) on SDN Monitoring Fabrics: Watch Video
  • Dell/Big Switch Big Monitoring Fabric Solution: Read Brief
  • Rob Sherwood (CTO) on Modern SDN at ONS 2014: Watch Video

Join us at Sharkfest ’14:  Big Switch Networks is an Angel Shark Sponsor at the upcoming Sharkfest ’14 conference in San Rafael, CA (June 16th- June 19th). Request a meeting with our product and technology experts: Reserve a Slot

– Prashant Gandhi

VP Product Management & Strategy

*Big Monitoring Fabric was formerly Big Tap Monitoring Fabric