The modern approach to connecting monitoring and information security tools to the network infrastructure relies on traffic taps and network packet brokers. Full visibility of network traffic is the main condition for the correct operation of monitoring systems and for adequate analysis results, so it is essential not only to tap traffic at the right points and feed it to the packet broker, but also to deliver it to these systems without loss after preprocessing. Today we will talk about the aggregation function of a packet broker, one of the most popular functions in this class of equipment. It collects traffic from lightly loaded network interfaces (the input ports are pre-configured into independent aggregation groups, each with its own traffic distribution rules) and forwards it to one or more output ports.
Link aggregation is quite sensitive to traffic bursts, which result in packet loss. In this article we describe how we ran into this problem in one of our projects, what traffic bursts are, and how the burst protection function solves the packet loss problem.
While working on one of the projects, we came across what initially seemed a trivial task: to deliver the traffic received from four optical taps (TAPs) to one port of an information security system. A DS Integrity NG network packet broker with the aggregation function was used for this. The connection scheme was as follows (Figure 1): traffic arrived on eight 10G input interfaces of the packet broker, was aggregated and transmitted to one 10G output interface. Each of the four links was loaded to about 10%, so all the aggregated traffic fit into one output interface with a margin.
After deploying this scheme, we tested its operation and, using the dropped-packet counter built into the packet broker's web interface, noticed packet loss. The cause was an overflow of the switching fabric's internal buffer due to traffic bursts.
For such cases, the DS Integrity NG network packet broker provides a burst protection feature. Once it was enabled, the packet loss stopped. Let's consider what traffic bursts are and how protection against them works.
Bursts of traffic on the network
First, let's look at how packets are transmitted over the network. All data from the various applications running on end hosts (user equipment, servers) is passed from the central processor to the network card before being sent to the network. Note that the interface between the processor and the network card is faster than the one between the network card and the network. The data arriving from the processor therefore cannot be processed and sent immediately and waits in the network card's buffer. The network card takes data from its buffer, packs it into packets, and then sends the packets one after another at a constant rate to the network.
The packet transmission process (Figure 2) stops only when the buffer runs out of data. Why does this happen? It comes down to how applications work. Applications, and therefore the network card, transmit packets until their own or someone else's request has been processed. Note that up to a hundred different applications can be running on one host, and all of them can receive or send requests at the same time.
Figure 2a shows the packet transmission timeline of the network card. As we can see, all packets are transmitted sequentially at the same rate. Gaps in transmission are due to the behaviour of the applications: at a given moment the network card is either busy or has no packets to transmit. The same data can be presented as the familiar link throughput graph (Figure 2b). It shows bursts of traffic where a large number of packets were transmitted back to back, and a dip where the network card transmitted no packets. Note that this graph is an approximation, which is why the link throughput does not drop to zero during a pause between packet transmissions.
Based on the above, a traffic burst is a short-term load on the link bandwidth caused by the simultaneous operation of several tens or even hundreds of applications.
Burst protection function
The burst protection function relies on an additional buffer. When bursts occur on several aggregated links at once, the main buffer fills up, there is nowhere left to store packets, and they are discarded. With burst protection enabled, packets are not dropped but are stored in the additional buffer and wait for their turn to be transmitted. The size of the additional buffer is 8 GB.
Solving the problem of traffic bursts on aggregated links is quite important for network packet brokers. It should be noted that not all packet broker manufacturers offer this functionality.
Now that you have an understanding of traffic bursts and how the burst protection feature works, we will show how to test this functionality.
We configure the packet broker as follows: traffic enters on 8x10G interfaces, is aggregated and transmitted to the 1x10G output interface (Figure 3), with the burst protection function turned off.
Bursts on the aggregated links of the packet broker are simulated as follows: using a Spirent traffic generator, uniform traffic is sent to 6 interfaces, loading each of them to 15%, and traffic loading each interface to 50% is briefly sent to the 2 remaining interfaces.
After running the test, we confirm that the output port bandwidth is exceeded: the buffer overflows and packets are discarded. Below are the packet statistics for the input ports (Figure 4) and the output port, with a table of dropped packets (Figure 5).
Figure 6 shows a graph of this test. While the link is loaded and short bursts are being simulated, we see packet loss. When a short burst ends, the graph returns to its original state: the buffer accepts all incoming packets and, accordingly, the loss stops.
To prevent packet loss, we enable the burst protection feature in the network packet broker and repeat the test. To simulate bursts, we increase the load on the two interfaces to 100% and confirm that there is no loss. Below are the packet statistics for the input ports (Figure 7) and the output port, with a table of dropped packets (Figure 8).
The oversubscription of the output port during bursts is absorbed by the larger capacity of the additional buffer, which avoids packet loss. Figure 9 shows the traffic flow graph with burst protection enabled. Here the packets accumulate in the additional buffer and, once the short burst ends, gradually leave the additional buffer for the output port.
The burst protection function stores packets in the additional buffer until space in the queue becomes free; only then is the packet sent.
Using the burst protection function clearly shows that during bursts of aggregated traffic, packets still flow uniformly through the network packet broker to the monitoring and information security devices, or any other systems, connected to it.
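To make the two test runs above concrete, here is an added simulation (not DS Integrity NG code, nor anything from the article's authors) of one aggregation group: eight 10G inputs feeding one 10G output through a FIFO queue. It models the on/off sources from the "Bursts of traffic" section (two inputs that transmit at a fixed rate for a short window and then go idle) and reproduces the article's test pattern: six inputs held at 15%, two inputs bursting to 50% with protection off and to 100% with protection on, and an 8 GB additional buffer. The main switch-fabric buffer size (16 MiB), the 1 ms time step, and treating traffic as a byte stream instead of individual packets are assumptions of this example, not figures from the article. Two helper functions go beyond the article and give the general sizing rule behind it: how long a buffer of a given size absorbs a burst of a given aggregate load, and how long the backlog takes to drain afterwards.

```python
"""Fluid model of one aggregation group in a packet broker (added example).

Several 10G inputs feed one 10G output through a FIFO. Without burst
protection only the main fabric buffer is available and excess bytes are
tail-dropped; with it an additional buffer absorbs the overflow and drains
when the burst ends. Assumed values: 16 MiB main buffer, 1 ms step.
"""
from dataclasses import dataclass

LINK_RATE_BPS = 10_000_000_000                         # 10G interface
STEPS_PER_S = 1_000                                    # 1 ms step (assumed)
LINK_BYTES_PER_STEP = LINK_RATE_BPS // 8 // STEPS_PER_S  # 1_250_000 bytes
MAIN_BUFFER_BYTES = 16 * 1024 * 1024                   # assumed fabric buffer
EXTRA_BUFFER_BYTES = 8_000_000_000                     # 8 GB buffer (article)


@dataclass
class AggregationPort:
    """FIFO in front of one output interface; tail-drops when full."""
    extra_buffer_bytes: int = 0          # 0 = burst protection disabled
    queued: int = 0
    offered_bytes: int = 0
    forwarded_bytes: int = 0
    dropped_bytes: int = 0
    max_queued: int = 0

    @property
    def capacity(self) -> int:
        return MAIN_BUFFER_BYTES + self.extra_buffer_bytes

    def step(self, arriving: int) -> None:
        self.offered_bytes += arriving
        accepted = min(arriving, self.capacity - self.queued)  # tail drop
        self.dropped_bytes += arriving - accepted
        self.queued += accepted
        self.max_queued = max(self.max_queued, self.queued)
        sent = min(self.queued, LINK_BYTES_PER_STEP)          # line-rate drain
        self.queued -= sent
        self.forwarded_bytes += sent


def offered_load_pct(step: int, burst_pct: int,
                     burst_start: int = 100, burst_end: int = 600) -> list[int]:
    """Per-input load in percent of line rate. Six inputs stay at 15%; the
    other two are silent except for a 0.5 s window in which they transmit
    back to back, like a network card emptying its buffer and then idling."""
    bursting = burst_pct if burst_start <= step < burst_end else 0
    return [15] * 6 + [bursting] * 2


def simulate(extra_buffer_bytes: int, burst_pct: int,
             seconds: int = 12) -> AggregationPort:
    """Run the test pattern and return the port with its counters."""
    port = AggregationPort(extra_buffer_bytes=extra_buffer_bytes)
    for step in range(seconds * STEPS_PER_S):
        arriving = sum(LINK_BYTES_PER_STEP * pct // 100
                       for pct in offered_load_pct(step, burst_pct))
        port.step(arriving)
    return port


def max_burst_seconds(extra_buffer_bytes: int, loads_pct: list[int]) -> float:
    """Longest burst the buffers absorb without loss, given per-input loads
    (percent of 10G each) aggregated onto one 10G output."""
    offered_bps = sum(LINK_RATE_BPS * pct // 100 for pct in loads_pct)
    excess_bps = offered_bps - LINK_RATE_BPS
    if excess_bps <= 0:
        return float("inf")                   # output never oversubscribed
    return (MAIN_BUFFER_BYTES + extra_buffer_bytes) * 8 / excess_bps


def drain_seconds(queued_bytes: int, steady_loads_pct: list[int]) -> float:
    """Time to empty a backlog once only the steady traffic remains."""
    steady_bps = sum(LINK_RATE_BPS * pct // 100 for pct in steady_loads_pct)
    spare_bps = LINK_RATE_BPS - steady_bps
    if spare_bps <= 0:
        return float("inf")
    return queued_bytes * 8 / spare_bps


if __name__ == "__main__":
    off = simulate(0, burst_pct=50)                  # article's first run
    on = simulate(EXTRA_BUFFER_BYTES, burst_pct=100)  # article's second run
    for name, p in (("protection off, 2 x 50% burst", off),
                    ("protection on, 2 x 100% burst", on)):
        print(f"{name}: dropped={p.dropped_bytes:,} B, "
              f"peak queue={p.max_queued:,} B")
    print(f"main buffer alone survives a 2 x 50% burst for "
          f"{max_burst_seconds(0, [15] * 6 + [50] * 2) * 1000:.1f} ms")
    print(f"8 GB buffer survives a 2 x 100% burst for "
          f"{max_burst_seconds(EXTRA_BUFFER_BYTES, [15] * 6 + [100] * 2):.2f} s")
    print(f"backlog after the 0.5 s burst drains in "
          f"{drain_seconds(on.queued_after_burst if hasattr(on, 'queued_after_burst') else 1_187_500_000, [15] * 6):.1f} s")
```

With protection off, the 16 MiB main buffer is full about 15 ms into the 50% burst and everything beyond that is dropped, which matches the shape of Figure 6: loss only while the burst lasts. With protection on, the 100% burst leaves roughly 1.19 GB queued, well inside 8 GB, and no byte is dropped; the sizing helper shows that at this load an 8 GB buffer covers a burst of about 3.4 s. The drain helper makes the cost visible as well: the backlog leaves the output port only at the spare rate (10G minus the 9G of steady traffic here), so queued packets reach the monitoring system seconds later than they were captured, which is worth keeping in mind when analysis depends on precise arrival times.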
Instead of a conclusion
Having considered the operation of the burst protection function during link aggregation, we can conclude that its use in packet brokers helps avoid packet loss during traffic bursts. This makes tools based on network traffic analysis more effective. Among the advantages of the DS Integrity NG burst protection implementation compared to foreign counterparts are a larger additional buffer, support for all interface types, and advanced traffic statistics with the ability to monitor dropped packets.