
Traffic Distribution by NPBs

Profitap Network Packet Brokers help:

  • Optimize Traffic: NPBs filter out unnecessary or redundant packets to ensure that only relevant data is sent to monitoring or security systems. This reduces data overload and enables more efficient analysis, helping organizations detect issues faster and more precisely, as we mentioned in this article about Traffic Optimization by NPBs.

  • Distribute Traffic: Ensure the correct data reaches the right tool, ensuring efficient use of monitoring resources. Intelligent traffic distribution helps maximize the efficiency and accuracy of network operations, such as performance monitoring, intrusion detection, or network forensics.

Distribution

Distribution is the process of efficiently directing network traffic to the appropriate monitoring, security, or analysis tools. It ensures optimal resource utilization, prevents overload, and enhances network visibility by intelligently filtering, aggregating, replicating, or load-balancing data flows.


Aggregation

Aggregation combines traffic from multiple sources into one stream. This helps simplify the monitoring process, allowing tools to analyze all the data together.

Aggregation is helpful in environments with traffic coming from various sources (e.g., multiple TAP or SPAN links). Merging these streams ensures comprehensive monitoring while reducing the complexity of managing multiple separate data feeds.

How do we Aggregate? 

  • VLAN tag on ingress: Incoming traffic is labeled with a unique VLAN ID as it enters the NPB. This feature is highly beneficial for network monitoring and analysis because it provides a way to categorize and distinguish traffic based on its source.

  • VLAN tag on egress: Traffic is labeled with the VLAN ID as the traffic exits the NPB and goes toward the monitoring device. When multiple streams are aggregated onto a single output port, you can use different VLAN IDs to keep them logically separate. This way, the monitoring device (e.g., a packet capture appliance, SIEM, or analysis tool) knows which packets belong to which source or rule set.

  • Rule VLAN tagging: Instead of assigning one VLAN ID to all egress traffic on a port, a specific rule is set up in the NPB. Traffic matching each rule (e.g., by IP address range, protocol, port, etc.) is assigned a unique VLAN ID. With the ability to define many rules, you can handle a large number of network segments or services, such as database traffic or email traffic, each labeled with its own VLAN ID.
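Rule VLAN tagging and the monitoring-side demultiplexing described above, as an added example (not Profitap code; the rule table, VLAN IDs and frame bytes are constructed for illustration): matching traffic is classified by destination network, protocol and port, an 802.1Q tag carrying the assigned VLAN ID is inserted on egress, and the receiving tool reads the tag back to learn which rule the packet matched.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed rule table (illustrative, not Profitap configuration syntax).
# Each rule matches a destination network, IP protocol number and L4 port,
# and assigns the VLAN ID the NPB stamps on matching traffic at egress.
RULE_VLANS = [
    {"net": ip_network("10.0.5.0/24"), "proto": 6,  "port": 5432, "vid": 101},  # database
    {"net": ip_network("10.0.0.0/16"), "proto": 6,  "port": 25,   "vid": 102},  # email
    {"net": ip_network("10.0.0.0/16"), "proto": 17, "port": 53,   "vid": 103},  # DNS
]
DEFAULT_VID = 999  # catch-all VLAN for traffic that matches no rule

def classify(dst_ip, proto, dst_port):
    """Return the VLAN ID for a packet; the first matching rule wins."""
    for rule in RULE_VLANS:
        if (ip_address(dst_ip) in rule["net"] and proto == rule["proto"]
                and dst_port == rule["port"]):
            return rule["vid"]
    return DEFAULT_VID

def insert_dot1q(frame, vid, pcp=0):
    """Insert an 802.1Q tag (TPID 0x8100 + TCI) after the two MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (pcp << 13) | vid  # priority in the top 3 bits, VID in the low 12 bits
    return frame[:12] + struct.pack("!HH", 0x8100, tci) + frame[12:]

def read_dot1q(frame):
    """Monitoring-side demux: return (vid, frame_without_tag), or (None, frame)."""
    if len(frame) >= 16 and frame[12:14] == b"\x81\x00":
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame

# Constructed untagged Ethernet frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + b"\x08\x00" + b"payload")

def tag_for_tool(frame, dst_ip, proto, dst_port):
    """What the NPB does on egress: classify by rule, then tag the frame."""
    return insert_dot1q(frame, classify(dst_ip, proto, dst_port))
```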

Aggregation features by model (XX-series, X2, X3):

  • Non-blocking: Oversubscribing one port will not affect the performance of other ports.
  • Oversubscription counter displaying packets dropped.
  • Many-to-any
  • Ingress VLAN tagging
  • Ingress/Egress/rule VLAN tagging
  • Egress/rule VLAN tagging

Replication

Replication is the process of duplicating network traffic and sending identical copies to multiple monitoring or security tools. This allows the same traffic to be analyzed by different systems without affecting the original data flow.

Replication ensures that multiple tools can analyze the same traffic for different purposes, such as performance monitoring, security analysis, data storage, and compliance checks, without interrupting or altering the original traffic. This improves network visibility and ensures comprehensive monitoring across different systems.

How replication helps

  • Enables multiple analyses without affecting the original traffic
  • Supports security, performance, and compliance monitoring simultaneously
  • Increases network visibility by distributing identical traffic to various tools

By replicating traffic, organizations can deploy different monitoring and analysis tools in parallel, ensuring each tool has the data it needs for its specific purpose. This enhances network visibility and troubleshooting capabilities across different departments or functions.


Overlapping/parallel rules

XX-Series and X2-Series network packet brokers run all rules simultaneously. This simplifies configuration because new rules will not override existing ones. DROP rules take precedence over ALLOW rules in XX, and with the X2-Series, you can configure rule priorities if needed. This parallel approach makes it easy to create scenarios like forwarding live traffic and simultaneously sending a copy for analysis without running into rule conflicts.
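The parallel rule evaluation described above, together with the any-to-many replication from the previous section, as an added example (not Profitap code; the rule set, port numbers and DROP-over-ALLOW ordering are a constructed model of the behaviour the text describes): every rule is evaluated against each packet, the packet is copied to the union of all matching ALLOW outputs, and any matching DROP rule wins.

```python
from typing import FrozenSet, NamedTuple, Optional

class Rule(NamedTuple):
    action: str                  # "ALLOW" or "DROP"
    proto: Optional[int]         # IP protocol number, None = any
    dst_port: Optional[int]      # L4 destination port, None = any
    outputs: FrozenSet[int]      # egress ports that receive a copy (empty for DROP)

# Constructed rule set (illustrative, not Profitap syntax): forward everything
# live to the inline tool on port 1, send a copy of HTTPS to the analyser on
# port 2, and never export SSH to any tool.
RULES = [
    Rule("ALLOW", None, None, frozenset({1})),
    Rule("ALLOW", 6, 443, frozenset({2})),
    Rule("DROP", 6, 22, frozenset()),
]

def matches(rule, proto, dst_port):
    """A None field in the rule is a wildcard."""
    return ((rule.proto is None or rule.proto == proto)
            and (rule.dst_port is None or rule.dst_port == dst_port))

def egress_ports(proto, dst_port, rules=RULES):
    """Evaluate every rule in parallel: any matching DROP wins; otherwise the
    packet is replicated to the union of all matching ALLOW rules' outputs.
    Adding a rule therefore never overrides what existing rules already do."""
    hits = [r for r in rules if matches(r, proto, dst_port)]
    if any(r.action == "DROP" for r in hits):
        return frozenset()
    out = frozenset()
    for r in hits:
        out |= r.outputs
    return out
```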

Replication and rule features by model (XX-series, X2, X3):

  • Any-to-many
  • Non-conflicting rule creation
  • Priority-based rule creation
  • Conflicting rule

Load balancing

Load Balancing is the distribution of network traffic across multiple monitoring or security tools to ensure efficient data processing and prevent overload. Typically, this is done on Layer 3 or Layer 4 of the OSI model.


L3 Load Balancing (Layer 3):

Layer 3 load balancing distributes traffic based on IP addresses (source or destination). It directs packets to different tools or devices depending on IP hash values.


L4 Load Balancing (Layer 4):

Layer 4 load balancing also uses port numbers (TCP/UDP) and IP addresses to distribute traffic more granularly. This allows better distribution when multiple sessions or services use the same IP address.

Load balancing relies on hashing techniques to determine how traffic is split. The system computes a hash value based on IP addresses (L3) or port numbers (L4), which it uses to distribute traffic consistently across different monitoring tools or devices. Grouping tools together ensures the load is evenly spread, preventing any tool from becoming overwhelmed.


Why do we have L3 and L4 options?

  • L3 Load Balancing is sufficient when traffic flows from various IP addresses, but it can be limited when IPs are fewer or when only specific flows need balancing.

    For example, with a TAP placed between a router and a firewall, only two IP addresses (router and firewall) are visible. As a result, L3 load balancing will not work effectively because there is no variation in IP addresses to distribute traffic. Layer 4 load balancing is a better option if this is the case.

  • L4 Load Balancing offers finer control by considering IPs and TCP/UDP port numbers to make more granular traffic distribution decisions. For example, it allows traffic to be divided by application (e.g., web, email) based on port numbers. This is useful when the same IP addresses handle multiple services or sessions.


Key Benefits:

  • Port-Based Load Balancing: With L4 load balancing, port numbers are used to distribute traffic more effectively when IP-based balancing is not sufficient, such as between routers and firewalls with only two IPs.
  • Optimized Resource Usage: Ensures tools are not overloaded and resources are used efficiently.
  • Increased Redundancy and Reliability: This prevents system failures by distributing traffic evenly and rerouting traffic in case of tool or network failures.
  • Improved Monitoring Efficiency: Multiple monitoring tools can handle traffic in parallel, improving analysis and detection capabilities.


How do we Load Balance? 

Round Robin

In Round-Robin mode, traffic is distributed equally across all output ports. This mode is typically used when creating an uplink to move traffic between appliances.


Flow Hash

Flow Hash mode distributes traffic based on the selected header fields. This mode is suggested when multiple tools are attached and ensures that each one gets consistent traffic to perform flow detection and monitoring. Note that if Flow Hash is used with the source AND destination options enabled for L3 or L4, the unit distributes the traffic while maintaining flow symmetry and consistency: both directions of a flow are hashed to the same output.

Load balancing modes by model (XX-series, X2, X3):

  • Flow Hash (L3, L4)
  • Flow Hash (L3, L4, IP and Source/destination)
  • Round Robin
  • Weighted Round Robin



High Availability (HA) 

High Availability (HA) is a system design approach that ensures continuous operational performance by minimizing downtime. In networking, HA ensures that monitoring, security, or operational tools remain operational even during hardware failures or maintenance.

Why Is High Availability Important?

High Availability is critical for preventing disruptions in network monitoring or security functions. It ensures continuous access to essential services and data, reducing the risk of outages or performance degradation during failures or maintenance.

Different types of HA

High Availability network packet broker deployments can be divided into two configuration categories: Active-Active and Active-Passive. Active-Active is used for load balancing and performance optimization, while active-passive is used for simpler redundancy and failover scenarios.

Active-Active HA

In an Active-Active HA configuration, all systems or devices process traffic simultaneously. Traffic is distributed between two or more active systems, providing load balancing and failover capabilities.

When to Use Active-Active:

  • High-traffic environments: Active-active is ideal when traffic volumes are high and multiple systems are required to handle the load efficiently.
  • Load balancing needs: Active-Active configurations are preferred when the goal is to balance traffic across multiple systems for better performance.
  • Redundancy with full utilization: Active-active is used when all systems are running and utilized at full capacity, ensuring high efficiency and redundancy in case one system fails.

Active-Passive HA

In an Active-Passive HA configuration, one system actively processes traffic while the other remains on standby. The passive system only becomes active in the event of a failure of the primary (active) system.

When to Use Active-Passive:

  • Lower Traffic or Budget Constraints: Active-passive is typically used when traffic volumes are lower or when cost efficiency is a priority, as only one system is operational.
  • Primary Backup Need: Active-passive is more efficient when the primary goal is to have a backup system for failover rather than distributing traffic.
  • Simplicity: Active-passive is easier to manage and useful when full load balancing is unnecessary, but failover protection is required.

Key Benefits of High Availability:

  • Improved reliability: Both configurations ensure that tools or systems continue operating even in the event of a failure.
  • Redundancy: Provides a backup (active-passive) or load-sharing (active-active) system to handle traffic without interruption.
  • Minimized downtime: HA significantly reduces downtime, keeping monitoring, security, and operational tools functioning seamlessly.


How do we support HA? 

When utilizing multiple monitoring or security probes or appliances in a High Availability setup, it’s important that the traffic distribution layer also keeps up. 


Profitap packet brokers support High Availability (HA) deployments by ensuring resilient traffic distribution even when links fail. The XX, X2, and X3 models support dynamic Link Aggregation (LAG), which automatically redistributes traffic to remaining links if one goes down, minimizing data loss and downtime. Additionally, the X3 offers both dynamic and static LAG modes, as well as enhanced port redundancy features for an extra layer of protection. This robust design helps to keep monitoring and security probes continuously fed with critical data, sustaining seamless oversight and protection in any HA environment.


When configured in High Availability (HA), the XX and X2-Series network packet brokers forward mirrored traffic to multiple probes using load balancing to distribute incoming traffic between both probes simultaneously for optimal performance.

The NPB monitors the status of each probe in its load balance group. If one probe experiences a failure and its port link goes down, the NPB reconfigures the load balance group so that all traffic is directed to the remaining active probe.
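Flow-hash load balancing as described in the load balancing section (the router-to-firewall TAP where L3 hashing sees only two IP addresses, and symmetric hashing keeping both directions of a flow together) and the load balance group failover described just above, as one added example (not Profitap code; the sample sessions, the group of two probes on hypothetical egress ports 5 and 6, and the use of SHA-256 as the hash are constructed assumptions).

```python
import hashlib
from collections import Counter

# Constructed sample: a TAP between a router (10.0.0.1) and a firewall (10.0.0.2).
# Every packet carries the same IP pair, but there are 64 distinct TCP sessions.
ROUTER, FIREWALL = "10.0.0.1", "10.0.0.2"
SESSIONS = [{"src": ROUTER, "dst": FIREWALL, "proto": 6, "sport": 40000 + i, "dport": 443}
            for i in range(64)]
REPLIES = [{"src": p["dst"], "dst": p["src"], "proto": p["proto"],
            "sport": p["dport"], "dport": p["sport"]} for p in SESSIONS]
# Load balance group: two probes, identified by hypothetical NPB egress ports.
GROUP = [{"port": 5, "up": True}, {"port": 6, "up": True}]

def flow_key(pkt, layer, symmetric):
    """Header fields fed to the hash: L3 = IPs only, L4 = IPs plus TCP/UDP ports.
    symmetric=True sorts the two endpoints so both directions share one key."""
    a = (pkt["src"], pkt["sport"] if layer == 4 else 0)
    b = (pkt["dst"], pkt["dport"] if layer == 4 else 0)
    if symmetric and a > b:
        a, b = b, a
    return f"{a}|{b}|{pkt['proto']}"

def pick_member(pkt, group, layer, symmetric=True):
    """Map a packet to one active member of the group. A member whose link is
    down is excluded, so its share is redistributed over the remaining members."""
    active = [m for m in group if m["up"]]
    if not active:
        raise RuntimeError("no active member left in load balance group")
    digest = hashlib.sha256(flow_key(pkt, layer, symmetric).encode()).digest()
    return active[int.from_bytes(digest[:4], "big") % len(active)]["port"]

def distribute(pkts, group, layer, symmetric=True):
    """Packets per egress port, as a Counter {port: count}."""
    return Counter(pick_member(p, group, layer, symmetric) for p in pkts)
```

With the two-IP sample, L3 hashing sends every session to a single probe while L4 hashing spreads the sessions, and marking a probe down moves all traffic to the remaining one.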

High Availability features by model (XX-series, X2, X3):

  • Active-Active dynamic load balancing
  • Port Redundancy
  • Load Balance group redundancy
  • Load Balance Port Replacement (Cascade Group)