Insight Analytics with Custom Tagging: Cost-Effective Insight into Networks and Applications

Network operators who want full visibility and insight into traffic patterns in their data center networks have traditionally needed to invest in packet brokers, test access points (TAPs) and probes. Some network operators have sophisticated requirements for network and security visibility that can justify the added cost of such out-of-band monitoring systems, but for many others who want traffic analysis capabilities that won’t break the bank, the cost and complexity can be a significant barrier to entry.

At Pluribus, following our mission to simplify networking, we have developed an alternative approach that provides integrated traffic visibility and analysis without the need for external packet brokers, TAPs and probes.  Our approach is based on comprehensive flow monitoring and telemetry built into every switch, complemented by Insight Analytics, our real-time analytics and performance management module to view traffic flow patterns, see user activity, or even analyze VMware virtual machine traffic.

A brief introduction to Insight Analytics

Netvisor ONE, the Pluribus Network Operating System running on each data center switch, collects telemetry data from all traffic flows and sends it to the Insight Analytics engine. Insight Analytics leverages the telemetry information and packet flow data sources to provide pervasive visibility across the network. Additionally, Insight Analytics solves the need for granular traffic analysis capabilities for the Pluribus Networks’ Adaptive Cloud Fabric by collecting over thirty different fields of metadata on all traffic flows within the fabric and storing them in a powerful elastic database.  The information is then displayed in a series of graphical dashboards, where selectable widgets and a search field apply filters to the data, allowing users to easily search the information and isolate issues all the way down to a specific flow.

What is a Traffic Flow?

A traffic flow is simply a set of packet transmissions, such as a TCP connection, between an entry point and an exit point in a fabric, typically between two IP addresses. For the rest of this blog, we will focus on TCP traffic flows, which are most common. Netvisor ONE also enables monitoring of non-TCP traffic such as UDP flows.

Figure 1.  A traffic flow between a client and server

When a TCP traffic flow occurs, UNUM stores many different types of metadata. Below is a sample of the types of information stored:

  • Packet Header – source IP, destination IP, L4 Port, VLAN, VXLAN.
  • TCP Connection – TCP state, duration, bytes, round trip time.
  • Switch – Timestamp, Fabric name/id, switch name/id, port number.
  • Custom – UNUM enriched data such as geolocation, MAC OUI, and user-defined fields.

Metadata is saved for up to 30 days and can be archived long-term with the UNUM-Archiver add-on license.

The Connections Dashboard

The connections dashboard is a prime example of how UNUM displays collected metadata in easy-to-understand charts and graphs.  This dashboard shows information about TCP connections via a series of clickable, graphical widgets, a search bar, and a Details pane.

Figure 2 – The Insight Analytics Connections dashboard

The widgets on the dashboard include:

  • Search Bar – Search on specific fields and apply boolean search filters
  • Circle Widgets – Sort metadata by Top Applications, Clients, Domains, servers, connection state and total number of connections via the outer ring. Further filters are applied by selecting servers/applications on the inner ring (where available).
  • Connections Timeline – Drag and select a time window based on spikes in activity to refine searches
  • Selectable time window – Sort displayed information using different timeline options (days, weeks, month), relative (current time + window) and absolute time windows (date & time to date & time)
  • Histogram widgets – View and filter connections based on top servers by total clients, top applications by total clients as well as top connection latency by server.
  • Detailed Connection/flow records – Examine & report detailed flow records.

Each widget on a dashboard displays information in an easy-to-understand graphical format and can be clicked on to apply a filter to the flows being displayed.

For example, in figure 2, clicking on “ssh” in the “Top L4 Services by Connections” circle widget will apply a filter so that all of the connections being displayed will be ssh connections.

Insight – Details

Each individual traffic flow is viewable in the Insight – Details pane.

Figure 3 – Sample data from an Insight Analytics Connection record – not all metadata fields shown

In figure 3 we can see a section from an individual flow record.  This particular flow is from source IP 172.15.106.3 in the city of Angleton and is part of VLAN 106 and VXLAN 10600000.

Custom Metadata Tagging

Custom metadata tagging is a means of enriching the metadata on a particular flow and of tagging flows with information specific to a customer environment.

UNUM Enriched Metadata

Insight Analytics automatically tags flows with both geolocation data and Original Equipment Manufacturer data (MAC OUI), which helps in identifying the location and type of equipment that may be experiencing issues.

Custom Tagging

Custom tagging lets administrators add their own metadata fields to a traffic flow, tailoring Insight Analytics to their own environment.

This is accomplished by building a spreadsheet with the appropriate tags, after which they become visible and searchable fields in Insight Analytics dashboards.

Figure 4 – Example of a spreadsheet with custom tags.

In figure 4, we see two sets of data.  On the left in blue, there are a series of columns with field names in the header.  The blue fields allow us to define which flows we want to tag.  In the first line, we are stating that all flows from IP 172.18.20.3 (srcip) to 172.18.20.2 (dstip) with a destination port of 40000 will have a specific set of custom tag metadata.

On the right in red, the column headers represent custom fields created by the administrator.  For example, the flow called out in the first line has an owner PnTme1, is part of the TME group and is named “203to202.”  Other fields, all created by the administrator, provide more information on the flow such as the Source Server (PnHQ), the Destination Server (Colo), the Project (IA training), and so on.

Once the spreadsheet is complete, the administrator uploads it into UNUM with a single drag and drop operation, after which all flows are tagged with the custom metadata fields and are searchable within the Insight Analytics database.
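The rule-to-flow matching described above can be sketched as follows; this is an added example, not Pluribus or UNUM code. The `dport`, `Owner`, `Group`, `FlowName` and `Project` column headers, the second rule row, the wildcard treatment of empty match cells and first-match-wins ordering are all assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample rule sheet. srcip/dstip come from the post; "dport" and the
# tag column names are assumed headers, not UNUM's documented format.
RULES_CSV = """srcip,dstip,dport,Owner,Group,FlowName,SrcServer,DstServer,Project
172.18.20.3,172.18.20.2,40000,PnTme1,TME,203to202,PnHQ,Colo,IA training
172.18.20.2,,22,PnTme2,TME,ssh-from-202,Colo,,IA training
"""

MATCH_FIELDS = ("srcip", "dstip", "dport")


def load_rules(text):
    """Parse the sheet into (match, tags) pairs; an empty match cell is a wildcard (assumption)."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        match = {}
        for field in MATCH_FIELDS:
            value = (row.get(field) or "").strip()
            if not value:
                continue
            if field == "dport":
                match[field] = int(value)
            else:
                match[field] = str(ipaddress.ip_address(value))  # rejects malformed IPs
        if not match:
            raise ValueError("rule with no match fields would tag every flow")
        tags = {k: v for k, v in row.items() if k not in MATCH_FIELDS and v}
        rules.append((match, tags))
    return rules


def tag_flow(flow, rules):
    """Return a copy of the flow record with the first matching rule's tags merged in."""
    for match, tags in rules:
        if all(flow.get(k) == v for k, v in match.items()):
            return {**flow, **tags}
    return dict(flow)


# Constructed flow records, shaped like the packet-header metadata listed earlier.
FLOWS = [
    {"srcip": "172.18.20.3", "dstip": "172.18.20.2", "dport": 40000},
    {"srcip": "172.18.20.2", "dstip": "172.18.20.9", "dport": 22},
    {"srcip": "172.18.20.7", "dstip": "172.18.20.2", "dport": 443},
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(tag_flow(flow, load_rules(RULES_CSV)))
```

Flows that come back without any tag fields are the ones no rule covers, which is a useful list to review when the sheet is meant to describe every expected connection.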

Figure 5 – Searching Insight Analytics for Flow 203-to-202.

In figure 5 we see how a search for the flow name “203to202” displays 1206 different connections over the searched time period. The network administrator can now troubleshoot the specific flows of interest, e.g. those with SrcServer PnHQ and DstServer Colo.

As you can see, custom tagging provides a powerful means of identifying important connections and adding specific tags based on a customer’s business needs.

Custom Dashboard

Insight Analytics also includes a dashboard that displays custom tag information in a series of widgets similar to the standard dashboards, which can be configured to display graphical widgets specific to the customer fabric.

Figure 6 – The Insight Analytics Custom Dashboard.

As we can see in figure 6, the custom dashboard has been configured to display information based on our spreadsheet metadata.

Conclusion

Insight Analytics enables network administrators to analyze their traffic patterns without breaking the bank on expensive, specialized equipment. Using custom metadata tags, they can simplify and tailor searches to their own environment, decreasing troubleshooting effort and time-to-resolution.

For more information

If you’d like to see Insight Analytics capabilities and custom tagging in action, reach out to us for a demo.


About the Author

Garry Lemasa

Garry Lemasa pulls double-duty as a product manager and technical marketing engineer on the Pluribus Networks UNUM platform. His twenty-plus year technical career began in storage subsystems, which led to storage networking and then IP based networks. Now he focuses on fabric management and automation, as well as translating technical jargon into language most everyone can understand. Garry lives with his wife, daughter, and three cats in sunny California where he ponders technology and reads science fiction in his spare time.