Selective aggregation enables you to direct traffic from specific network (ingress) ports to specific monitor (egress) ports, with the ability to provide one-to-many, many-to-one, and many-to-many traffic direction.
VSS purpose-built hardware filters packets based on your defined criteria. This helps minimize oversubscription of monitoring and security tools by eliminating traffic that the tool is not designed (or intended) to inspect. A “negative filter” drops unwanted packets. A “positive filter” extracts only desired packets.
Packets can be filtered based on the following criteria:
Many NPB vendors handle filtering in software, which can introduce latency into the traffic. VSS hardware-based packet filtering is performed at line rate up to 100Gbps.
Extended filtering enables you to go beyond the outer packet headers to filter on inner layer 3 and/or layer 4 headers and fields inside tunneled or encapsulated packets, including GRE, GTP, MPLS, and multi-VLAN encapsulated traffic. This removes the need to de-encapsulate the packets before filtering.
A further extension to filtering is the ability to filter on any content anywhere in a packet, referred to as Deep Packet Filtering. Standard filtering typically has hardware scale limitations, so a large-scale filtering capability may be necessary for some applications.
Session-aware load balancing enables traffic from one or more network ports to be evenly distributed to two or more monitoring ports, while maintaining session integrity. All packets from a unique TCP session are routed through the same monitor port to the same monitoring or security tool, ensuring that a complete conversation is analyzed by the same tool in a load balanced group.
Load balancing prevents tool oversubscription and adds a layer of fault tolerance to tool deployments. If a failed tool is detected, VSS will stop passing traffic to the tool and will redistribute the traffic to the remaining load-balanced ports.
VSS can also redirect traffic intended for a failed tool to a hot standby tool, or even redirect all traffic to a secondary (backup) group of load-balanced tools.
Load balanced output prevents oversubscription/packet loss, maintains session delivery consistency across multiple monitor ports, and ensures an even traffic distribution across a group of monitor ports based on session criteria. Criteria can consist of L2, L3, and/or L4 elements, and even L3 and/or L4 inside encapsulation.
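The two properties described above, session integrity (both directions of a TCP conversation reach the same tool) and redistribution when a tool fails, can be shown with a small flow-distribution model. This is an added example written for this page, not VSS code: it uses a direction-independent L3/L4 key and rendezvous hashing, so that when one monitor port is removed only the sessions pinned to that port move and every other session keeps its tool. The port names and flows are constructed.

```python
import hashlib

# Constructed example: a load-balanced group of four monitor ports.
MONITOR_PORTS = ["mon1", "mon2", "mon3", "mon4"]


def session_key(src_ip, dst_ip, proto, sport, dport):
    """Direction-independent L3/L4 key: client->server and server->client
    halves of one TCP session produce the same key."""
    a, b = (src_ip, sport), (dst_ip, dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (lo, hi, proto)


def _score(key, port):
    # Deterministic per (session, port) weight used by rendezvous hashing.
    h = hashlib.blake2b(repr((key, port)).encode(), digest_size=8).digest()
    return int.from_bytes(h, "big")


def pick_port(key, healthy):
    """Rendezvous (highest-random-weight) hashing: a session goes to the
    healthy port with the highest score for it. Removing a port changes the
    answer only for sessions whose best port was the removed one."""
    if not healthy:
        raise RuntimeError("no healthy monitor ports in load-balanced group")
    return max(healthy, key=lambda p: _score(key, p))


def distribute(flows, healthy):
    """Map 5-tuples (src, dst, proto, sport, dport) to monitor ports."""
    return {f: pick_port(session_key(*f), healthy) for f in flows}


def failover(assignment, failed, healthy):
    """Recompute the map after `failed` is taken out of the group.
    Sessions that were not on the failed port keep their tool."""
    remaining = [p for p in healthy if p != failed]
    return {f: pick_port(session_key(*f), remaining) for f in assignment}


if __name__ == "__main__":
    flows = [("10.0.0.%d" % i, "10.0.1.%d" % (i % 7), 6, 30000 + i, 443)
             for i in range(200)]
    before = distribute(flows, MONITOR_PORTS)
    after = failover(before, "mon3", MONITOR_PORTS)
    moved = sum(1 for f in flows if before[f] != after[f])
    print("sessions moved after mon3 failed:", moved,
          "(all were on mon3:", all(before[f] == "mon3" for f in flows if before[f] != after[f]), ")")
```

A plain `hash(key) % len(ports)` would also keep sessions together, but it reshuffles almost every session when the port count changes, which is exactly what a tool failure does; rendezvous hashing limits the disruption to the failed port's share.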
Load balancing can be used for both passive and active monitoring and security tools.
Extended balancing enables you to go beyond the outer packet headers to load-balance traffic based on inner layer 3 and/or layer 4 headers inside tunneled or encapsulated packets, including GRE, GTP, MPLS, and multi-VLAN encapsulated traffic. This removes the need to de-encapsulate the packets before balancing.
This feature also provides correlated control-plane and user-plane session balancing for mobile networks, based on mobile user identifiers (e.g. IMSI); this is referred to as GTP IMSI Load-Balancing.
Packet slicing discards the latter part of a copied packet before the tool receives it, allowing the tool to process and store only the data of interest. VSS conditional packet slicing, vSlice™, takes packet slicing a step further by enabling you to set slice points at different offsets for each type of traffic to be sliced, such as HTTP, SMTP, and the VoIP protocols RTP and RTCP.
vSlice also helps ensure compliance with regulations that mandate consumer privacy, such as the Payment Card Industry Data Security Standard (PCI DSS), which requires providing access to cardholder information only on a need-to-know basis.
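The following added example (not vSlice itself, and not code from VSS) shows what conditional slicing means in practice: the slice point is chosen per traffic type by looking at the L4 port, and everything after it is discarded before the frame reaches a tool. The per-type offsets in `SLICE_RULES` are constructed assumptions, not product defaults; the HTTP rule keeps only the first bytes of the request so that form bodies that may carry cardholder data never reach a tool that only needs URLs and headers.

```python
import struct

# Constructed slice table: bytes of application payload to keep, keyed by the
# L4 port that identifies the traffic type. Offsets are illustrative assumptions.
SLICE_RULES = {
    80:   {"name": "HTTP", "keep_payload": 64},  # request line + a header, no body
    25:   {"name": "SMTP", "keep_payload": 32},
    5004: {"name": "RTP",  "keep_payload": 12},  # fixed RTP header only, media dropped
    5005: {"name": "RTCP", "keep_payload": 8},
}
DEFAULT_KEEP = 0  # unknown traffic type: keep L2-L4 headers, drop payload


def payload_offset(frame):
    """Return (offset of L4 payload, src port, dst port) for an untagged
    Ethernet/IPv4/TCP-or-UDP frame, or None if it is something else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]                     # IPv4 protocol field
    l4 = 14 + ihl
    if proto == 6:                        # TCP: data offset in upper nibble of byte 12
        if len(frame) < l4 + 20:
            return None
        l4len = (frame[l4 + 12] >> 4) * 4
    elif proto == 17:                     # UDP: fixed 8-byte header
        l4len = 8
    else:
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return l4 + l4len, sport, dport


def slice_frame(frame):
    """Truncate the frame at the slice point chosen for its traffic type."""
    parsed = payload_offset(frame)
    if parsed is None:
        return frame                      # not IPv4/TCP/UDP: forward unchanged
    off, sport, dport = parsed
    rule = SLICE_RULES.get(dport) or SLICE_RULES.get(sport)
    keep = rule["keep_payload"] if rule else DEFAULT_KEEP
    return frame[:off + keep]


def build_tcp_frame(dport, payload):
    """Constructed sample frame: Ethernet + minimal IPv4 + 20-byte TCP header
    (checksums left zero; this is test input, not a real capture)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    req = b"GET /checkout HTTP/1.1\r\nHost: shop.example.test\r\n\r\ncard=4111..."
    print(len(build_tcp_frame(80, req)), "->", len(slice_frame(build_tcp_frame(80, req))))
```

Slicing leaves the IPv4 total-length field larger than the bytes actually delivered, the same situation as a pcap with caplen smaller than wire length; analysis tools handle this, but a tool that re-validates IP lengths must be told the traffic is sliced.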
Time stamping allows users to receive a time stamp, appended to each captured packet, indicating the time the packet entered an NPB. A time stamp is critical for network and application latency measurement, forensic evidence, and transaction-based application reconciliation, such as stock-market transactions.
The VSS time stamp is inserted as an 8-byte stamp after the payload, before the cyclic redundancy check (CRC). The first four bytes indicate seconds, and the second four bytes indicate nanoseconds; two of the nanosecond bits indicate the timing synchronization source. After the stamp is applied, the CRC is recalculated and the frame is forwarded to the monitor ports as a standard Ethernet frame.
When traffic from more than one network port is captured and directed to one or more (load balanced) monitoring or security tools, no record exists of which network port each packet flowed through. Port stamping overcomes this problem by stamping the port (interface) number on each packet.
A VLAN tag can be applied to packets on a VSS NPB monitor (egress) port to indicate a packet's ingress port, which gives you knowledge of where the packet was captured, as well as how the packet flowed throughout an infrastructure. In this sense, VLAN tagging can be used as an alternate port stamping mechanism, where the VLAN tag is made up of a starting value that you define to represent the NPB, plus a specific number to define the ingress network port on the NPB.
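Both stamping mechanisms above (the 8-byte trailer before the CRC, and the VLAN tag whose ID is a base value plus the ingress port number) are shown below in an added example that is not VSS code. Assumptions it makes: the seconds and nanoseconds fields are big-endian, and the two sync-source bits are the top two bits of the nanosecond word (the page says two nanosecond bits carry the source but not which; the top two are free because nanoseconds never exceed 999,999,999, which fits in 30 bits). The sync-source labels and the sample frame are constructed.

```python
import struct
import zlib

# Assumption: sync source lives in the top two bits of the nanosecond word.
SYNC_SHIFT = 30
SYNC_SOURCES = {0: "free-running", 1: "NTP", 2: "PTP", 3: "GPS"}  # constructed labels


def ethernet_fcs(frame_without_fcs):
    """IEEE 802.3 FCS: CRC-32, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def fcs_ok(frame):
    return len(frame) > 4 and ethernet_fcs(frame[:-4]) == frame[-4:]


def add_timestamp(frame, seconds, nanos, sync_source):
    """Insert the 8-byte stamp after the payload, before the FCS, then
    recompute the FCS so the result is still a valid Ethernet frame."""
    if not (0 <= nanos < 1_000_000_000) or not (0 <= sync_source < 4):
        raise ValueError("bad timestamp fields")
    body = frame[:-4]                                   # drop the old FCS
    stamp = struct.pack("!II", seconds & 0xFFFFFFFF,
                        nanos | (sync_source << SYNC_SHIFT))
    return body + stamp + ethernet_fcs(body + stamp)


def read_timestamp(frame):
    """Return (seconds, nanoseconds, sync_source) from a stamped frame;
    the FCS is verified first so a corrupted trailer is not trusted."""
    if not fcs_ok(frame):
        raise ValueError("FCS mismatch")
    secs, raw = struct.unpack("!II", frame[-12:-4])
    return secs, raw & ((1 << SYNC_SHIFT) - 1), raw >> SYNC_SHIFT


def add_port_stamp(frame, npb_base, ingress_port):
    """Insert an 802.1Q tag with VID = npb_base + ingress_port after the MAC
    addresses of an untagged frame and recompute the FCS."""
    vid = npb_base + ingress_port
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range")
    body = frame[:-4]
    tag = b"\x81\x00" + struct.pack("!H", vid)          # TPID 0x8100, PCP/DEI = 0
    stamped = body[:12] + tag + body[12:]
    return stamped + ethernet_fcs(stamped)


def read_port_stamp(frame, npb_base):
    """Recover the ingress port number from the port-stamp VLAN tag."""
    if frame[12:14] != b"\x81\x00":
        return None
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid - npb_base


def sample_frame():
    """Constructed untagged frame with a valid FCS."""
    body = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x45" + b"\x00" * 45
    return body + ethernet_fcs(body)


if __name__ == "__main__":
    f = add_timestamp(add_port_stamp(sample_frame(), 100, 7), 1_700_000_000, 123_456_789, 2)
    s, ns, src = read_timestamp(f)
    print("ingress port", read_port_stamp(f, 100), "time", s, ns, SYNC_SOURCES[src])
```

Each stamp grows the frame (8 bytes for the trailer, 4 for the tag), so a maximum-size frame leaves the NPB slightly oversize; the monitor port's tool must accept that. A 32-bit seconds field also wraps in 2106, which matters only for long-term archive interpretation.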
Planned redundancies in network design, monitoring tool access, and overlapping filters during traffic capture and aggregation, or the use of mirror/SPAN ports, can cause security and performance tools to receive duplicate packets. Duplicate packets create challenges for IT and security personnel, including monitoring tool oversubscription, false positives, and inaccurate performance reporting. VSS packet de-duplication eliminates duplicate packets, reducing the volume of traffic to monitoring and security tools, which increases tool efficiency and eliminates false positives.
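As an added example of the de-duplication idea (not VSS code; the window length and the frames are constructed), the class below drops a frame when a byte-identical copy was already forwarded within a short time window. The trailing FCS is excluded from the comparison on the assumption that an upstream device may have recomputed it; everything else from the MAC header onward must match exactly.

```python
import collections
import hashlib


class Deduplicator:
    """Forward a frame unless an identical one was seen within `window_us`
    microseconds. Memory is bounded by the window: entries expire in arrival
    order, so a burst of unique frames cannot grow the table without limit."""

    def __init__(self, window_us=1000, ignore_fcs=True):
        self.window_us = window_us
        self.ignore_fcs = ignore_fcs
        self.seen = {}                      # digest -> first-seen time (us)
        self.order = collections.deque()    # (time, digest) in arrival order
        self.stats = collections.Counter()

    def _key(self, frame):
        body = frame[:-4] if self.ignore_fcs else frame
        return hashlib.blake2b(body, digest_size=16).digest()

    def _expire(self, now_us):
        while self.order and now_us - self.order[0][0] > self.window_us:
            _, digest = self.order.popleft()
            self.seen.pop(digest, None)

    def process(self, frame, now_us):
        """Return True to forward the frame, False to drop it as a duplicate."""
        self._expire(now_us)
        key = self._key(frame)
        if key in self.seen:
            self.stats["dropped"] += 1
            return False
        self.seen[key] = now_us
        self.order.append((now_us, key))
        self.stats["forwarded"] += 1
        return True


if __name__ == "__main__":
    # Constructed: the same frame arriving twice from two SPAN sessions 50 us apart.
    frame = b"\x00\x11\x22\x33\x44\x55" * 2 + b"\x08\x00" + bytes(range(60)) + b"\xde\xad\xbe\xef"
    d = Deduplicator(window_us=1000)
    print([d.process(frame, t) for t in (0, 50)], dict(d.stats))
```

This exact-match variant catches copies produced by overlapping filters or multiple SPAN sessions on the same segment; copies captured at different hops differ in TTL, and possibly in VLAN tag, and a production de-duplicator masks such fields before hashing.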
Packets can become fragmented when the maximum transmission unit (MTU) size is exceeded due to tunneling/encapsulation and/or traversing multiple networks, which creates problems for filtering or balancing traffic based on criteria above the IP layer. Fragmented packets create obstacles to visibility because tools can't inspect them properly or have to spend valuable cycles reassembling them.
VSS packet fragment reassembly places fragments into their original form before forwarding them to tools, which enables monitoring and security tools to see and inspect previously missed traffic.
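To make the reassembly step concrete, here is an added example (not VSS code) of IPv4 fragment reassembly: fragments are collected per (source, destination, identification, protocol), the datagram is released once every byte up to the last fragment is present, and the header is rewritten with the full length, cleared fragment fields and a fresh checksum. Overlapping fragments are rejected rather than merged, since overlap is the classic way to show one byte stream to a tool and a different one to the host; a datagram that would exceed 65,535 bytes is rejected for the same reason. The fragment builder and sample packet are constructed for the demonstration.

```python
import struct


def ipv4_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def rebuild_header(hdr, payload_len):
    """Header of the reassembled datagram: full length, no fragment fields."""
    h = bytearray(hdr)
    struct.pack_into("!H", h, 2, len(h) + payload_len)
    struct.pack_into("!H", h, 6, 0)                 # flags (incl. DF) + offset cleared
    struct.pack_into("!H", h, 10, 0)
    struct.pack_into("!H", h, 10, ipv4_checksum(bytes(h)))
    return bytes(h)


class FragmentReassembler:
    def __init__(self, max_datagram=65535):
        self.pending = {}      # key -> {"parts": {offset: bytes}, "total": int|None, "hdr": bytes|None}
        self.max_datagram = max_datagram

    def feed(self, packet):
        """Return the packet itself if unfragmented, the reassembled datagram
        when its last missing fragment arrives, or None while waiting."""
        if len(packet) < 20:
            raise ValueError("truncated IPv4 header")
        ver_ihl, _, total, ident, flags_off, _, proto, _, src, dst = \
            struct.unpack("!BBHHHBBH4s4s", packet[:20])
        ihl = (ver_ihl & 0x0F) * 4
        more = bool(flags_off & 0x2000)
        offset = (flags_off & 0x1FFF) * 8
        if not more and offset == 0:
            return packet
        key = (src, dst, ident, proto)
        entry = self.pending.setdefault(key, {"parts": {}, "total": None, "hdr": None})
        data = packet[ihl:total]
        if offset + len(data) > self.max_datagram:
            del self.pending[key]
            raise ValueError("fragment exceeds maximum datagram size")
        for off, chunk in entry["parts"].items():
            if offset < off + len(chunk) and off < offset + len(data):
                del self.pending[key]
                raise ValueError("overlapping fragment")
        entry["parts"][offset] = data
        if offset == 0:
            entry["hdr"] = packet[:ihl]              # first fragment carries the header to keep
        if not more:
            entry["total"] = offset + len(data)      # last fragment fixes the total size
        if entry["total"] is None or entry["hdr"] is None:
            return None
        pos = 0                                      # contiguity check: no holes allowed
        for off in sorted(entry["parts"]):
            if off != pos:
                return None
            pos += len(entry["parts"][off])
        if pos != entry["total"]:
            return None
        payload = b"".join(entry["parts"][o] for o in sorted(entry["parts"]))
        del self.pending[key]
        return rebuild_header(entry["hdr"], len(payload)) + payload


def build_ipv4(src, dst, proto, payload, ident=0x1234):
    """Constructed unfragmented IPv4 packet with a valid header checksum."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64, proto, 0, src, dst))
    struct.pack_into("!H", h, 10, ipv4_checksum(bytes(h)))
    return bytes(h) + payload


def fragment(packet, chunk_size):
    """Constructed fragmenter: split the payload into chunk_size pieces (multiple of 8)."""
    ihl = (packet[0] & 0x0F) * 4
    hdr, payload = packet[:ihl], packet[ihl:]
    frags = []
    for off in range(0, len(payload), chunk_size):
        chunk = payload[off:off + chunk_size]
        more = 0x2000 if off + len(chunk) < len(payload) else 0
        h = bytearray(hdr)
        struct.pack_into("!H", h, 2, ihl + len(chunk))
        struct.pack_into("!H", h, 6, more | (off // 8))
        struct.pack_into("!H", h, 10, 0)
        struct.pack_into("!H", h, 10, ipv4_checksum(bytes(h)))
        frags.append(bytes(h) + chunk)
    return frags


if __name__ == "__main__":
    pkt = build_ipv4(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 17, bytes(range(100)))
    r = FragmentReassembler()
    results = [r.feed(f) for f in reversed(fragment(pkt, 40))]   # deliberately out of order
    print("reassembled:", results[-1] == pkt)
```

The example does not time out incomplete datagrams; a real implementation evicts pending entries after a few seconds so that a stream of never-completed first fragments cannot exhaust memory.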
Many tools are not designed to handle traffic containing certain protocols, labeling, or encapsulation, such as MPLS pseudowire.
VSS protocol stripping allows you to remove a specific protocol header, such as FabricPath, GRE/NVGRE, GTP, MAC-in-MAC, MPLS, VLAN, VN-tag, VXLAN. Stripping protocol headers enables monitoring tools to avoid wasting processing cycles to handle these headers. It also enables you to more easily apply filtering and/or load-balancing on the stripped packets.
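The extended filtering described earlier (filtering on inner L3/L4 headers inside GRE, MPLS or multi-VLAN encapsulation) and the protocol stripping described here both come down to one operation: walking the encapsulation headers to find the innermost IPv4 header. The added example below (not VSS code) does that walk for 802.1Q/802.1ad tags, an MPLS label stack and IPv4-in-GRE, and then either reads the inner 5-tuple for filtering or emits a stripped frame with the outer headers removed. It assumes that whatever follows the MPLS bottom-of-stack label is IPv4 when its version nibble is 4 (MPLS carries no ethertype), and the VLAN+MPLS+GRE sample frame is constructed with zero checksums.

```python
import struct

ETH_VLAN = {0x8100, 0x88A8}     # 802.1Q and 802.1ad outer tags
ETH_MPLS = {0x8847, 0x8848}
ETH_IPV4 = 0x0800
IPPROTO_GRE = 47


def find_inner_ipv4(frame):
    """Offset of the innermost IPv4 header, or None if the frame cannot be walked."""
    try:
        pos = 12
        etype = struct.unpack("!H", frame[pos:pos + 2])[0]
        pos += 2
        while etype in ETH_VLAN:                      # each tag: TCI + next ethertype
            etype = struct.unpack("!H", frame[pos + 2:pos + 4])[0]
            pos += 4
        if etype in ETH_MPLS:
            while True:                               # pop labels until bottom-of-stack
                label = struct.unpack("!I", frame[pos:pos + 4])[0]
                pos += 4
                if label & 0x100:
                    break
            if frame[pos] >> 4 != 4:                  # assumption: IPv4 follows if version == 4
                return None
            etype = ETH_IPV4
        if etype != ETH_IPV4:
            return None
        while True:                                   # descend through IPv4-in-GRE layers
            ihl = (frame[pos] & 0x0F) * 4
            if frame[pos + 9] != IPPROTO_GRE:
                return pos
            gre = pos + ihl
            flags, gre_proto = struct.unpack("!HH", frame[gre:gre + 4])
            gre_len = 4 + (4 if flags & 0x8000 else 0) \
                        + (4 if flags & 0x2000 else 0) + (4 if flags & 0x1000 else 0)
            if gre_proto != ETH_IPV4:
                return pos                            # GRE carrying something else: stop here
            pos = gre + gre_len
    except (struct.error, IndexError):
        return None


def inner_five_tuple(frame):
    """(src, dst, proto, sport, dport) of the innermost IPv4 packet; ports None if not TCP/UDP."""
    pos = find_inner_ipv4(frame)
    if pos is None:
        return None
    ihl = (frame[pos] & 0x0F) * 4
    proto = frame[pos + 9]
    src = ".".join(map(str, frame[pos + 12:pos + 16]))
    dst = ".".join(map(str, frame[pos + 16:pos + 20]))
    sport = dport = None
    if proto in (6, 17):
        sport, dport = struct.unpack("!HH", frame[pos + ihl:pos + ihl + 4])
    return (src, dst, proto, sport, dport)


def strip_to_inner(frame):
    """Protocol stripping: keep the MAC addresses, drop every encapsulation
    header, and present the inner IPv4 packet as a plain Ethernet frame."""
    pos = find_inner_ipv4(frame)
    if pos is None:
        return frame
    return frame[:12] + b"\x08\x00" + frame[pos:]


def _ipv4_hdr(src, dst, proto, payload_len):
    # Constructed header, checksum left zero.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def build_sample():
    """Constructed: Ethernet / 802.1Q / MPLS / IPv4 / GRE / IPv4 / TCP to port 443."""
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 0, 0, 0x50, 0x02, 65535, 0, 0)
    inner = _ipv4_hdr(b"\x0a\x01\x01\x0a", b"\xc0\xa8\x00\x05", 6, len(tcp)) + tcp
    gre = struct.pack("!HH", 0, ETH_IPV4)
    outer = _ipv4_hdr(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", IPPROTO_GRE, len(gre) + len(inner)) + gre + inner
    mpls = struct.pack("!I", (1000 << 12) | 0x100 | 64)      # label 1000, S=1, TTL 64
    vlan = struct.pack("!HH", 100, 0x8847)                   # VID 100, next = MPLS unicast
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x81\x00" + vlan + mpls + outer


if __name__ == "__main__":
    f = build_sample()
    print("inner 5-tuple:", inner_five_tuple(f), "stripped length:", len(strip_to_inner(f)))
```

An extended filter such as "inner destination port 443" is then just `inner_five_tuple(frame)[4] == 443`, independent of how many outer headers the frame carries.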
Standard filtering in traffic capture tools typically accommodates packet header-based filter parameters only, and is restricted to a certain depth into the packet as well as a relatively small set of criteria. This level of filtering will not detect dynamically located content within flows. The VSS DPI-Finder feature allows complete control over the traffic sent to the monitor ports and does not store any traffic internally. This critical capability prevents extraneous or non-target information from reaching monitoring tools, where such data may corrupt the viability of the extracted traffic.
Content matches can be performed by the DPI-Finder feature based on up to 2,000 Perl-compatible Regular Expression (PCRE) rules, which dynamically look for multiple pieces of text or bytes within the packet. Once a match is attained, either the entire session associated with the matched packet, or just the matched packet, will be dropped or forwarded to security, analytics, and monitoring applications. It can simultaneously maintain tracking of up to 1M matched session flows or match an unlimited number of individual packets.
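The behaviour described above, a rule that matches content and then either acts on the single packet or on the whole session it belongs to, with a bounded table of tracked sessions, is illustrated by the following added example (not DPI-Finder code and not from VSS). It uses Python's `re` module in place of PCRE, takes already-extracted 5-tuples and payloads as input, and evicts the least recently used session when the table is full; the rules and packets are constructed.

```python
import collections
import re


class DpiMatcher:
    """Rules are (pattern, scope, action): scope is "session" or "packet",
    action is "forward" or "drop". Unmatched traffic gets `default`, so
    default="drop" behaves as a positive filter and default="forward" as a
    negative one."""

    def __init__(self, rules, default="drop", max_sessions=1_000_000):
        self.rules = [(re.compile(p), scope, action) for p, scope, action in rules]
        self.default = default
        self.max_sessions = max_sessions
        self.sessions = collections.OrderedDict()   # session key -> action, LRU order

    @staticmethod
    def session_key(src, sport, dst, dport):
        a, b = (src, sport), (dst, dport)           # same key for both directions
        return (a, b) if a <= b else (b, a)

    def _remember(self, key, action):
        self.sessions[key] = action
        self.sessions.move_to_end(key)
        if len(self.sessions) > self.max_sessions:
            self.sessions.popitem(last=False)       # evict least recently used session

    def decide(self, src, sport, dst, dport, payload):
        """Return "forward" or "drop" for one packet."""
        key = self.session_key(src, sport, dst, dport)
        if key in self.sessions:                    # whole-session decision already made
            self.sessions.move_to_end(key)
            return self.sessions[key]
        for rx, scope, action in self.rules:
            if rx.search(payload):
                if scope == "session":
                    self._remember(key, action)
                return action
        return self.default


if __name__ == "__main__":
    # Constructed positive filter: forward every session whose HTTP Host header is
    # under example.test, drop everything else.
    m = DpiMatcher([(rb"Host: [^\r\n]*\.example\.test", "session", "forward")], default="drop")
    print(m.decide("10.0.0.1", 40000, "10.0.0.2", 80,
                   b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"))
    print(m.decide("10.0.0.2", 80, "10.0.0.1", 40000, b"HTTP/1.1 200 OK\r\n"))
    print(len(m.sessions), "tracked session(s)")
```

Note that the session decision is made on the packet that matched; packets of that session which arrived before the match were already handled under the default, which is why a positive filter of this kind is usually paired with a match on the first request of a session.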
IP addresses and/or IP address ranges can be detected and filtered on within a packet by the IP ObjectFinder feature. Once a targeted IP address or range is detected, the matched packet will be forwarded to security and monitoring applications. Up to 500,000 IP addresses or address ranges can be filtered on, without limitation to the number of matched packets or sessions. Matching packets can either be dropped or forwarded.
Availability*: Contact VSS
High data-burst buffering (HDBB) is an optional feature on VSS NPBs VB220, VB420, and VB6000 that solves problems caused by microbursts. Network traffic is almost never smooth in profile, and microbursts are ever present, more so within multimedia traffic, such as video and audio.
Microbursts become significant when ingress traffic is aggregated or when ingress traffic is converted from a higher speed (e.g. 10G) to a lower speed (e.g. 1G), which will usually result in loss of packets without extended buffering.
VSS HDBB mitigates the effects by buffering microbursts that would otherwise oversubscribe tool ports to ensure complete visibility and uninterrupted tool performance.
Availability*: vBroker Series (VB220, VB420, VB6000)
vCapacity™ is a high-performance real-time microburst measurement capability that provides sub-millisecond visibility into network performance. Its low-level view allows granular utilization data to be gathered in real time and made available to latency and high-performance network analyzers, without requiring separate TAPs and/or capture cards.
vCapacity samples one or multiple network links at millisecond intervals at speeds up to 10G. It measures traffic at the bit level and at full line rate, right at the point of connection, independent of switch SPAN ports, traditional TAPs, or high-speed capture cards. It records per-millisecond quanta, timestamps them at one-second intervals, and stores them for one-minute periods for retrieval by a network analyzer or other tool. Each one-second record includes average as well as the minimum and maximum millisecond utilization quanta for that second.
Availability*: vBroker Series (VB220, VB420)
*Features may be optional add-ons or not available in all products within a series.