Tunneling encapsulates one type of network traffic within another protocol to transmit it securely across different networks. Think of it as creating a private, protected pipeline within a larger, often untrusted network. This technique enables traffic to traverse networks that might not support the original protocol or require enhanced security measures.
At the heart of tunneling lie two operations: encapsulation, which wraps the original packet inside the headers of the carrier protocol at the tunnel source, and decapsulation, which removes those headers again at the tunnel termination point.
This ensures controlled access, where only authorized devices can connect to the tunnel termination points, preventing unauthorized access or data interception.
Organizations that operate in both physical and virtual environments want to monitor both to ensure complete observability. Tunneling bridges this gap by creating secure pathways to transport traffic from virtual TAPs to physical monitoring tools or vice versa. For example, Virtual TAPs send traffic for monitoring through a tunnel to a Network Packet Broker (NPB) that locally filters and optimizes the traffic before distributing the relevant traffic to a monitoring tool.
Profitap NPBs use tunneling to streamline network traffic management. Here are two common examples:
The NPB acts as the tunnel endpoint. It decapsulates incoming traffic (e.g., VXLAN or GRE) and distributes it to connected probes. By offloading decapsulation tasks from the probes, the NPB conserves processing resources, enabling the probes to focus on critical analysis tasks.
Traffic from virtualized servers is often encapsulated for transmission to a physical NPB. The NPB terminates the tunnel, decapsulates the traffic, and enables centralized management. This is especially useful in virtual-to-physical environments, enhancing operational efficiency and visibility.
The example above illustrates how the virtual and physical network monitoring tools interoperate to deliver network data from all network segments to the VoIP monitoring system. Virtual TAPs (vTAP) are deployed to TAP VoIP traffic across different virtual machines (VMs). This TAPped data is sent to the Profitap X2-2000G Network Packet Broker (NPB) through a GRE/ERSPAN tunnel.
The X2-2000G NPB functions as the tunnel endpoint, decapsulating the traffic and performing additional filtering and optimization. From the NPB, a new tunnel is created to send the optimized traffic to the virtual VoIP monitoring system. Additionally, traffic of choice can be forwarded to the IOTA to support network troubleshooting and performance monitoring activities. The use of tunneling in this setup ensures high-performance monitoring, security, and complete visibility across hybrid network infrastructures.
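To make the tunnel-termination step concrete, the following Python is an added example (not Profitap code, and not taken from any NPB firmware) that strips the outer headers of the three encapsulations named above and in the capability table: VXLAN, GRE-TAP and ERSPAN Type II carried over GRE. It recovers the inner Ethernet frame together with the identifier a packet broker would use for filtering (the VXLAN VNI, the GRE key, or the ERSPAN session ID). The sample packets, MAC addresses and 10.0.0.x IP addresses are constructed for the example; outer IP checksums are left at zero and not verified, which a real endpoint should not do.

```python
"""Tunnel termination ("stripping") for VXLAN, GRE-TAP and ERSPAN Type II.

Added example; it mirrors what a Network Packet Broker does at the tunnel
endpoint before filtering and forwarding the inner traffic to probes.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_IP = 0x0800
IPPROTO_UDP = 17
IPPROTO_GRE = 47
VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port
GRE_PROTO_TEB = 0x6558       # Transparent Ethernet Bridging, i.e. GRE-TAP
GRE_PROTO_ERSPAN2 = 0x88BE   # ERSPAN Type II


@dataclass
class Stripped:
    tunnel: str          # which encapsulation was removed
    session: int         # VNI, GRE key or ERSPAN session ID
    inner_frame: bytes   # the original Ethernet frame carried in the tunnel


def strip_tunnel(frame: bytes) -> Optional[Stripped]:
    """Remove one layer of outer Ethernet/IPv4/tunnel headers.

    Returns None for anything that is not a supported tunnel so the caller
    can forward such frames untouched (or drop them, depending on policy).
    """
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return None
    off = 14
    ihl = (frame[off] & 0x0F) * 4      # IPv4 header length, options included
    proto = frame[off + 9]
    off += ihl

    if proto == IPPROTO_UDP:
        dport = struct.unpack_from("!H", frame, off + 2)[0]
        if dport != VXLAN_UDP_PORT:
            return None
        off += 8                                   # skip UDP header
        if not frame[off] & 0x08:                  # I bit: VNI field valid
            return None
        vni = int.from_bytes(frame[off + 4:off + 7], "big")
        return Stripped("VXLAN", vni, frame[off + 8:])

    if proto == IPPROTO_GRE:
        gre_flags, gre_proto = struct.unpack_from("!HH", frame, off)
        off += 4
        key = 0
        if gre_flags & 0x8000:                     # C: checksum + reserved1
            off += 4
        if gre_flags & 0x2000:                     # K: key present
            key = struct.unpack_from("!I", frame, off)[0]
            off += 4
        if gre_flags & 0x1000:                     # S: sequence number
            off += 4
        if gre_proto == GRE_PROTO_TEB:
            return Stripped("GRE-TAP", key, frame[off:])
        if gre_proto == GRE_PROTO_ERSPAN2:
            word1 = struct.unpack_from("!I", frame, off)[0]
            if word1 >> 28 != 1:                   # Ver field: 1 == Type II
                return None
            session_id = word1 & 0x3FF             # low 10 bits of word 1
            return Stripped("ERSPAN-II", session_id, frame[off + 8:])
    return None


# --- constructed sample packets (placeholder addresses, not captured data) ---
def _eth(payload: bytes, ethertype: int) -> bytes:
    dst, src = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
    return dst + src + struct.pack("!H", ethertype) + payload


def _ipv4(proto: int, payload: bytes) -> bytes:
    # Header checksum left at 0 for the demo; a real endpoint must verify it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


INNER_FRAME = _eth(b"constructed inner payload", 0x0806)   # inner ARP-like frame


def build_vxlan(inner: bytes, vni: int) -> bytes:
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner), 0)
    return _eth(_ipv4(IPPROTO_UDP, udp + vxlan + inner), ETH_P_IP)


def build_erspan2(inner: bytes, session_id: int, vlan: int = 0) -> bytes:
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN2, 1)     # S bit + seq 1
    erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | session_id, 0)
    return _eth(_ipv4(IPPROTO_GRE, gre + erspan + inner), ETH_P_IP)


def build_gretap(inner: bytes, key: int) -> bytes:
    gre = struct.pack("!HHI", 0x2000, GRE_PROTO_TEB, key)       # K bit + key
    return _eth(_ipv4(IPPROTO_GRE, gre + inner), ETH_P_IP)


if __name__ == "__main__":
    for pkt in (build_vxlan(INNER_FRAME, 5000),
                build_erspan2(INNER_FRAME, 42, vlan=100),
                build_gretap(INNER_FRAME, 7)):
        r = strip_tunnel(pkt)
        print(r.tunnel, r.session, r.inner_frame == INNER_FRAME)
```

The session identifier is returned alongside the inner frame because it is what lets the NPB apply per-source filtering after stripping, for example forwarding only the ERSPAN session that carries VoIP VMs. In a deployment, the endpoint should also restrict which outer source addresses it accepts, matching the controlled-access point made earlier: a decapsulator that terminates tunnels from any sender becomes an injection point into the monitoring path.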
| Feature | | |
|---|---|---|
| Tunnel | ERSPAN (type 2 and 3), | ERSPAN (type 2 and 3), VXLAN GRE-TAP, IP GRE, |
| Tunnel Termination | ERSPAN (type 2 and 3), GRE-TAP, VXLAN | ERSPAN (type 2 and 3), GRE-TAP, IP GRE, VXLAN, CFP, GTP |
| Tunnel Stripping | ingress: ERSPAN (type 2 egress: ERSPAN (type 2 | ingress: ASICS, ERSPAN (type 2 and 3), GRE-TAP, VXLAN, CFP, GTP egress: CPU: VXLAN, GRE-TAP, IP GRE, DCE |
Tunneling and tunnel termination are indispensable for secure and flexible network monitoring in hybrid environments. By leveraging these capabilities, NPBs provide seamless traffic handling, enhanced security, and protocol interoperability. Whether managing virtual-to-physical traffic or enabling remote access, tunneling remains a cornerstone technology for modern networking.