Anatomy and Physics of a Packet Broker
Nowadays packet brokers are being used for network monitoring, security analysis, data masking, deduplication and packet filtering.
There are many of them, like Gigamon, Ixia and Arista DMF, and they are expensive!
Basically, a packet broker can see, redirect or manipulate any network packet you want according to the rules you have specified.
Every one of their features matters depending on the case at hand. For example, if you want to monitor 40 Gbit/s or more of internet traffic, you would have to pass all of it through a WAF (Web Application Firewall), an IDS/IPS (intrusion detection and prevention system) or similar devices. Passing all your traffic inline through such security devices can slow the network down, so you end up trading speed for security, which is not what we want for our web sites and applications.
Another deployment scenario is to mirror all the required traffic to a packet broker, which then transparently directs it to the security devices, or masks sensitive data such as credit card numbers before the packets are processed. Because the production path is not touched, this adds no delay, latency or slowness, depending on the packet broker you use.
I am going to explain how we achieved the latter with a minimal budget and a leaf layer 2 network switch, without buying any of the well-known packet brokers I mentioned above.
I used an Arista 7280sr network switch and turned it into a packet broker that filters packets and prevents duplicates.
7280sr switches can be used for switching or for tapping (packet broking).
Let’s start from scratch. When you first boot your 7280sr, it comes up with zero touch provisioning (ZTP), which automatically configures the switch from a location supplied by DHCP. First we need to disable that and put the switch into tapping mode.
After zero touch provisioning is disabled, the switch reboots.
Now we are ready to put the switch into tapping mode and use it as a packet broker with the commands below:
- tap aggregation
- mode exclusive
This configuration disables all ports on the switch, unless they are specifically configured for TAP aggregation.
After the switch is put into tapping mode, it also provides a web GUI for configuration. We can access the GUI through the web address below.
https://ipaddressofmanagementInterface/apps/TapAgg/
To enable a port, the interface has to be configured in one of the following modes:
- tap — if the port is connected to either a physical TAP or a SPAN/mirror session from another switch.
- tool — if the port is connected to the device that is capturing the data for analysis or for security processing.
Groups are used to control where traffic is sent. There are two main guidelines for groups:
- a tap port can only belong to a single group
- a tool port can belong to multiple groups
This means we can mirror the whole network traffic through tap ports, filter it with ACLs and redirect it to different tool ports, in our scenario to the WAF, the IDS/IPS or to the network monitoring software.
Now our 7280sr packet broker is ready for configuration. Let’s connect it to our switching environment as described: we need to put it between the switching environment and the tools environment, i.e. the WAF, IDS/IPS and network monitoring tools.
We need to mirror the network traffic from our spine switches to the packet broker. Let’s look at the diagram.
What we need to do is mirror the ports of the spine switches to the packet broker and connect them physically. For that we need to run the following commands on each spine:
- monitor session packetbroker source Port-Channel45
- monitor session packetbroker source Port-Channel47
- monitor session packetbroker destination Ethernet53/1
Now the network packets from the spines are mirrored to the packet broker. In the above example, Port-Channel45 and Port-Channel47 are the ports our main network traffic flows through, and the destination port is where we connect the spines to the packet broker. What we need to be careful about here is that the packet broker must be able to handle that much traffic, both physically (enough ports and link speed) and throughput-wise.
First, we need to configure the tap ports of the packet broker with the commands below. We are telling the physically connected mirror ports which packet broker group they belong to. I have connected the spine switches to the packet broker’s ports 49-50.
- interface Ethernet49-50
- switchport mode tap
- switchport tap default group WAF
Let’s configure the packet broker’s tool ports.
The example configures two tool ports: Ethernet3 will be for the “WAF” traffic and Ethernet4 will be for the “Network Monitoring” traffic.
When it comes to packet filtering, we need to use an ACL (Access Control List) on the packet broker to select the specific traffic we want to inspect.
For example, if we want to see only HTTP/HTTPS traffic on the WAF ports and on the WAF itself, we need to create an ACL and apply it to the related tool port on the outgoing side with the commands below.
Now our WAF is ready to inspect the HTTP and HTTPS traffic passing through our production network environment.
We can check on the packet broking process with the command below.
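The tool port and ACL configuration described in the two passages above, written out as an added Arista EOS example that is not the author’s own configuration. The tap ports 49-50 and the group name WAF come from the page; the tool interface numbers, the ACL name and applying the ACL in the egress direction on the tool port (as the author describes) are assumptions.

```text
! Constructed EOS tap aggregation example (not the author's running config).
! Tap ports: mirrored spine traffic arrives here and is placed in group WAF.
interface Ethernet49-50
   switchport mode tap
   switchport tap default group WAF
!
! Tool port to the WAF: receives the group's traffic, but the egress ACL
! (assumed direction, following the author's description) lets only
! HTTP/HTTPS through to the WAF.
interface Ethernet3
   switchport mode tool
   switchport tool group set WAF
   ip access-group WAF-HTTP-ONLY out
!
! Tool port to the network monitoring system: a tool port may sit in
! several groups, so it gets the same group's traffic, unfiltered.
interface Ethernet4
   switchport mode tool
   switchport tool group set WAF
!
! IPv4 ACL keeping both directions of web traffic; everything else is
! dropped by the implicit deny at the end of the list.
ip access-list WAF-HTTP-ONLY
   10 permit tcp any any eq 80 443
   20 permit tcp any eq 80 443 any
```

Verify the filter is in effect with the counters shown later in the post: Ethernet4 should carry the full mirrored rate, while Ethernet3 should show only the web traffic share.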
show interface counters rates | nz
Here nz shows only the interfaces with traffic passing through them and skips the interfaces whose counters are zero.
Similar configuration applies to IDS/IPS inspection and network monitoring: just connect the devices to the packet broker, configure the related ports as tap or tool ports, and apply an ACL for packet filtering on the packet broker.
Everything I have done here with the CLI could also be done with the GUI of the packet broker.
Conclusion
What we have achieved here, with minimal or no investment, is to create a packet broker from a normal switch and use it to inspect network traffic with a WAF and IDS/IPS, and/or for network monitoring to see what is going on in our network environment.
Regards.