Is ‘Virtual’ Packet Brokering Possible?

Understanding packet visibility challenges in the cloud

Peter Vinsel

Achieving visibility into network traffic in physical and virtual environments requires fundamentally different approaches. In the physical world you have access to physical ports on switches and routers. As packets traverse the wire, you can tap the traffic wherever you choose; it is easy to capture traffic at the point of origination or at the destination with readily available physical taps, and to condition it with packet flow switches.

In virtualized environments you don’t have this level of control. In fact, you mostly have chaos. Any packet brokering approach has to overcome three key challenges:

  • Lack of guaranteed delivery: Unlike in physical environments, packets are not easily captured in virtual and cloud environments. Their delivery is often best-effort, without the predictability of physical packet flow switches, which can guarantee zero packet loss even at high utilization.
  • Limited control of virtual resources: The processing and network resources are under the control of the virtual environment provider. Any virtual packet brokering function consumes processing resources, and advanced capabilities such as header stripping or de-duplication increase the processing requirements further.
  • Virtually infinite number of points of contact: Virtualization means packets cannot simply be collected at an aggregation point. There is no single organized flow of traffic to tap, so the physical “capture-and-forward” approach does not work.

How, then, can we enable packet brokering in the virtualized world? Since the problem is fundamentally different, it cannot be solved by traditional means. We need to capture the traffic at the first point of contact, in an acquisition layer; determine where it needs to be sent, using virtualized means, in a distribution layer; and finally receive the packets in a service layer, where they are analyzed and optionally stored for later processing.

Since moving raw packets between virtual processes can be resource-intensive (read: expensive), performing some portion of the service-layer analytics in the acquisition layer (and even in the distribution layer) can greatly reduce operational costs. The NETSCOUT vSCOUT agent provides this capability and, as an option, delivers the raw packets to the distribution and service layers when advanced analytics are required.
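As an added illustration (example code written for this edit, not the vSCOUT agent or any code from the original post), the following Python sketch of an acquisition-layer agent makes the cost trade-off concrete: it parses constructed Ethernet/IPv4 frames, keeps per-flow summaries locally, and hands raw packets to a hypothetical distribution layer only for flows that a policy selects. The `build_frame` helper, the `AcquisitionAgent` class, the DNS-only forwarding policy and the sample traffic are all assumptions made for the example.

```python
"""Acquisition-layer agent sketch (added example, not NETSCOUT code).

Summarizes flows at the point of capture and forwards raw frames only for
flows a policy selects, so most bytes never leave the acquisition layer.
"""
import socket
import struct
from collections import defaultdict
from dataclasses import dataclass

ETH_HDR = 14          # Ethernet II header length
ETHERTYPE_IPV4 = 0x0800
TCP, UDP = 6, 17


@dataclass
class FlowStats:
    packets: int = 0
    octets: int = 0


def build_frame(src_ip, dst_ip, proto, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame (sample input only)."""
    if proto == TCP:   # 20-byte TCP header, data offset 5, PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:              # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)   # zeroed MACs
    return eth + ip + l4 + payload


def parse_frame(frame):
    """Return ((src, dst, proto, sport, dport), length) or None if not IPv4 TCP/UDP."""
    if len(frame) < ETH_HDR + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[ETH_HDR] & 0x0F) * 4          # IPv4 header length honours options
    proto = frame[ETH_HDR + 9]
    if proto not in (TCP, UDP):
        return None
    src = socket.inet_ntoa(frame[ETH_HDR + 12:ETH_HDR + 16])
    dst = socket.inet_ntoa(frame[ETH_HDR + 16:ETH_HDR + 20])
    l4 = ETH_HDR + ihl
    if len(frame) < l4 + 4:                     # truncated L4 header
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return (src, dst, proto, sport, dport), len(frame)


class AcquisitionAgent:
    """Hypothetical agent: summarize every flow locally, forward raw frames selectively."""

    def __init__(self, forward_policy):
        self.forward_policy = forward_policy    # callable(flow_key) -> bool
        self.flows = defaultdict(FlowStats)
        self.forwarded = []                     # raw frames sent to the distribution layer
        self.seen_octets = 0
        self.unparsed = 0

    def observe(self, frame):
        self.seen_octets += len(frame)
        parsed = parse_frame(frame)
        if parsed is None:                      # non-IPv4 or truncated: counted, not brokered
            self.unparsed += 1
            return
        key, length = parsed
        self.flows[key].packets += 1
        self.flows[key].octets += length
        if self.forward_policy(key):
            self.forwarded.append(frame)

    def export(self):
        """Flow records: the compact product exported instead of raw packets."""
        return {k: (v.packets, v.octets) for k, v in self.flows.items()}

    def reduction(self):
        """Fraction of observed bytes that never had to leave the acquisition layer."""
        fwd = sum(len(f) for f in self.forwarded)
        return 1.0 - fwd / self.seen_octets if self.seen_octets else 0.0


def run_demo():
    """Constructed traffic: one bulk TLS flow, three DNS queries, one ARP frame."""
    dns_only = lambda key: 53 in (key[3], key[4])   # service layer wants full DNS payloads
    agent = AcquisitionAgent(dns_only)
    traffic = [build_frame("10.0.0.5", "203.0.113.9", TCP, 51000, 443,
                           b"\x17\x03\x03" + bytes(1397)) for _ in range(10)]
    traffic += [build_frame("10.0.0.5", "10.0.0.2", UDP, 40000 + i, 53,
                            b"\x12\x34" + bytes(30)) for i in range(3)]
    traffic.append(bytes(12) + struct.pack("!H", 0x0806) + bytes(28))   # ARP
    for frame in traffic:
        agent.observe(frame)
    return agent


if __name__ == "__main__":
    a = run_demo()
    for key, (pkts, octets) in a.export().items():
        print(key, pkts, octets)
    print(f"forwarded {len(a.forwarded)} frames, reduction {a.reduction():.1%}")
```

In this run the ten 1454-byte TLS frames are reduced to a single flow record while the three 74-byte DNS frames are forwarded whole, so roughly 98.5% of the observed bytes stay in the acquisition layer. The same policy hook is where a real agent would decide which flows justify the expense of shipping raw packets on to the distribution and service layers.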

This is just the beginning of the solution to the puzzle of virtualized visibility. Stay tuned for more in our future posts!