So You Want a Network Packet Broker — Remember These Nine Best Practices

Network packet brokers (NPB) eliminate blind spots in your network, enable virtualization and cloud migration, and help boost the overall security of your network and applications. They can be a critical piece of your infrastructure — but how do you decide which NPB is right for your enterprise?

Here are some best practices to follow as you consider your options.

#1. Go with a Next-Generation Network Packet Broker (NGNPB)

Are NGNPBs really that different than NPBs? In a word, yes. Historically, an NPB was expected to work in sync with network TAPs and aggregators and perform basic filtering, either at ingress or egress ports, and feed traffic to the tools.

The NGNPB goes further and encompasses a broad feature set that aids the brokering of the right traffic to the tools. Critical features of an NGNPB include de-duplication, slicing, masking and header/trailer stripping. Some packet broker vendors go even further and offer centralized decryption, deep packet inspection that provides application visibility, GTP correlation and NetFlow generation.

One important metric to pay attention to, however, is the maximum number of filters and rules that the device can support. The right NGNPB can support all your tools.

#2. Set Up Your Testing Environment

Be prepared to put the NGNPB to the test. Acquire the appliance, rack/mount, cabling and configuring management network to access the interface (for example, the GUI or the console). The user guide usually provides the prerequisites to successfully deploy the NGNPB in the network, and you may find that you need additional hardware, such as SFPs, cables or traffic generators before you can start testing.

Also ensure you identify and procure licenses for the hardware and software features.  This step might seem trivial, but it is often the most cumbersome for many users, so take some time upfront to ensure a smooth and efficient login process so you can jump right into testing the device. 

And if you want to try to break the box and test its true potential, get help from your quality engineering team. Those folks love to be challenged. You can even use their test plans to make sure you don’t miss important details.  

#3. Test TAPs and Aggregators for Line Rate Performance

Your tools need to be fed every packet in the network, so choose network TAPs and aggregators solution that ensures zero packet loss. The network topology should factor in every possible tapping point and eliminate blind spots. 

Also evaluate port density, split ratios for optics, and the speeds supported by these ports as you choose a solution. Ideally, you will also have the benefit of single-pane-of-glass management and monitoring software, which makes it easier to manage the nodes along with the NGNPB. 

#4. Evaluate the User Interface and Management Tools 

Users are frequently overwhelmed by the number of management tools and ongoing changes to the interface.

Select an NGNPB that provides a stable user interface and management software that offers a one-stop shop for configuration and troubleshooting. A single off-box solution to manage multiple devices and the ability to scale up without the need to use separate management portals prevents a great deal of frustration.  

#5. Ensure the NGNPB Supports Inline Bypass 

Inline security tools create a bottleneck for production traffic, due to the nature of the security policies implemented on the tools.

Providing a resilient fabric to eliminate single points of tool failure is the function of an inline bypass switch. Packet brokers are meant to prevent tool sprawl, but an inline bypass solution that is not integrated within a single appliance actually creates device sprawl. It defeats the purpose of having an all-in-one solution if the packet broker you choose needs additional devices to support inline bypass. So opt for an NGNPB that can perform inline bypass.

#6. Compare the Device Under Test (DUT) Performance

Understandably, end users want their networking gear to perform at peak power all the time. To sell them on their solution, vendors will publish performance metrics based on the most optimal testing methodology, and that doesn’t always provide the full picture.

When you investigate different packet brokers, look at the DUT performance with the exact same parameters for each one.   

Multiple iterations are usually run against basic metrics, such as throughput and latency, and the sizing methodology is key when understanding how performance is measured. 

Here are some key pointers to ensure these tests are accurately performed: 

• Topology. For the same traffic profile, plug in different DUTs (for example, for testing one feature, the traffic profile is static and the DUTs are dynamic). 
• Traffic profile. Designed to get the best performance out of the box, while following the RFC requirements. This type of metric will dictate what type of profile is used. For example, throughput test requires an IMIX profile with an average packet size in bytes. TCP tests measures flows per second or connections per second and so on.  

---

Table 1. IMIX traffic profile example (Source: Wikipedia)

Packet size (incl. IP header)	# Packets	Distribution (in packets)	Bytes	Distribution (in bytes)
40	7	58.333333%	280	7%
576	4	33.333333%	2304	56%
1500	1	8.333333%	1500	37%

---

The KPIs are measured based on the sizing guide provided by the vendors. This guide can be common for testing multiple features across the different products.

Example sizing guide: If the device throughput is 3MPPS and average packet size (MTU) is 500B, then throughput in Bps is 1.56 GBps (that is, 3 * 10^6 * (500 +20)), where 20B includes preamble, SFD and IFG. 

Another aspect of benchmarking features and functionality is to perform a system-level test, where multiple features are configured and run at the same time. With a similar traffic profile used in the IMIX tests, keep adding multiple levels of traffic manipulation. A typical example would be to apply de-duplication, then slicing and then masking or header stripping. This type of test when focusing on how much CPU the device utilizes will give you an idea of performance under heavy load. 

#7. Assess Security Features

A commonly overlooked aspect of choosing a packet broker is the ability to generate NetFlow and advanced metadata. Those are important capabilities because the need to perform security analytics with the use of SIEMS requires application-related metadata be fed to those tools.

The forensic tools are further empowered when the packet brokers utilize DPI (deep-packet inspection) to generate the metadata elements. Most leading security tools and SIEMs partner with packet broker vendors to offer customized support.  

#8. Gain Visibility in the Cloud 

Enterprises are moving their data centers to the cloud because doing so offers more flexibility in terms of cost and convenience than hosting servers on-prem, but security can be an issue. And the shared responsibility model dictates that you are responsible for security in the cloud.

To reap the benefits of the cloud — and improve your overall security posture — choose a network packet broker that can offer you visibility across your network. For example, hybrid and multi-cloud (on-prem and multiple public cloud) deployments have become common, and you will need the ability to scan east-west traffic. That can be achieved by designing the infrastructure with the appropriate NGNPB. 

#9. Keep It as Simple as Possible

From an administrator’s perspective, your tools need to work fast and be flexible and secure. Providing automation support through APIs and integration with continuous (CI) and continuous delivery (CD) tools such as Ansible or Puppet adds more value to the existing visibility platform. 

They can offer you pervasive visibility across your physical and virtual networks, optimize your existing tools and empower you to modernize, migrate to the cloud and meet your virtualization objectives.  As you search for the solution for your business, keep these key capabilities in mind.

Get the “Definitive Guide to Next-Generation Network Packet Brokers”

To learn more about network packet brokers check out the “Definitive Guide™ to Next-Generation Network Packet Brokers,” which is packed with information on how to:

• Eliminate blind spots to better detect attacks and protect application and network performance
• Understand how application filtering reduces the load on tools, preventing bottlenecks
• Ensure that all tools can inspect SSL/TLS traffic to detect hidden threats
• Discover why next-gen solutions add up to significant savings overall by reducing the number of security tools needed

See Giri’s profile in the Gigamon Community.