Kate Brew is product marketing manager at Ixia Network Visibility Solutions.
Virtualization is unquestionably one of the biggest trends in computing in the last decade. By separating different elements of the computing platform, users in a growing number of businesses have done away with the “one app, one server” model and moved to virtual machines (VMs) in order to fully realize the potential of both their servers and their staff. Ignoring the benefits of virtualization is not an option in any competitive industry.
Unfortunately, the fact that many VMs may be handling traffic on a single server has a significant downside: loss of traffic visibility. The very consolidation that VMs are built on, many workloads sharing one host and its network interfaces, becomes a problem when you need to trace a packet, or analyze packet flow, to understand how the network is performing at a given moment.
In many deployments, the lack of visibility into virtual data center security and performance may not become apparent until it’s too late – for example, when a major performance problem occurs with a mission-critical networked application. But by making the right choices in network architecture, administrators can both achieve the business benefits of virtualization and meet the demand for packet-level visibility.
The Anatomy of the Virtual Blind Spot
In a traditional network, traffic analysis is done by tapping into the network segments of interest with network TAPs or with switch port mirroring (SPAN), and packet-level data flowing between groups of servers in the same subnet can be captured and analyzed in a fairly straightforward manner.
In a virtual world, however, this model breaks down. When two VMs on the same physical host talk to each other, their packets pass from one virtual adapter through the virtual switch to the other virtual adapter entirely in host memory; they never traverse a physical switch or link, so a TAP or SPAN on the physical network has no place to see them.
For many organizations it takes a network crisis before the IT department realizes the consequence of this lost visibility. Security teams may not discover until a malicious incident is under way that they cannot see VM-to-VM traffic within the same physical host. Without that visibility, detecting and investigating the attack, identifying compromised resources, taking corrective action and preventing a recurrence are all severely hampered, if not impossible. This inability to see what is happening inside the virtual data center is the Virtual Blind Spot.
Because virtualization is a mature technology and brings positive ROI so quickly, implementations may speed forward without attention to, or even awareness of the Virtual Blind Spot. Ironically, a virtualized model should be monitored more closely than physical infrastructure, since the design premise is to run the underlying hardware as close to capacity as possible.
Optimized Network Architecture
Virtualization vendors and third parties have quickly stepped up to provide visibility into inter- and intra-host VM traffic. While the market has seen the introduction of virtual network taps and the like, it is viable to use existing, mature monitoring technologies that can see both the physical and virtual infrastructure. This enables administrators to continue to use the monitoring tools they currently own and have expertise in, saving a substantial investment of time and money.
VMware vSphere 5.x's vSphere Distributed Switch (VDS) supports port mirroring, which gives visibility into virtual traffic and can send mirrored copies out to the physical network: directly to an uplink port, or (from VDS 5.1 on, as encapsulated remote mirroring) GRE-encapsulated to a remote IP destination where they are decapsulated, so that the traffic arrives at the monitoring tool as if it came from a physical switch. Note that mirrored packets share the host's physical uplinks with production traffic, so mirror only the ports and directions you actually need. Other vendors, such as Cisco, can also provide packet-level data from their virtual switches.
However, gaining access to packet-level data is only half the battle. For end-to-end visibility into both the physical and virtual infrastructure, the traffic from the VDS must be filtered, analyzed and distributed so that each tool in a company's performance and security monitoring suite gets exactly the packet flow it needs to do its job, at the right time.
Many of the world’s largest data centers are investing in network monitoring switches – an emerging class of technology that intelligently connects the data center network with monitoring tools. Just like in physical networks, filtering and load-balancing for packets from virtual environments sent to analysis tools is critical, and the network monitoring switch’s job is to deliver exactly the data needed for analysis to each network tool.
This in turn improves overall data center productivity by making monitoring tools run more efficiently and more accurately. Other benefits include a resolution to common TAP and SPAN port shortages, an intuitive management interface that allows administrators to drag and drop traffic flows to tools without command line interface (CLI) scripting, and the ability to future-proof investments in tools and infrastructure as companies upgrade to higher-speed networks.
One issue that carries over from physical to virtual port mirroring is duplicate packets. Just as with a physical SPAN, mirrored virtual traffic is very likely to contain duplicates: the same packet is copied when both the transmit and receive sides of a port are mirrored, or when a flow is mirrored at more than one point on its path (a vNIC, an uplink and a physical SPAN, for example). To solve this, leading network monitoring switches offer line-rate packet de-duplication and packet trimming. De-duplication works within a short time window and typically ignores fields that change hop by hop, such as the IP TTL and header checksum, so the copies collapse to one packet while a genuine TCP retransmission seconds later is preserved. Packet trimming removes the payload after the transport header before delivery, which makes monitoring more efficient and enhances security by keeping sensitive payload, such as user credentials, away from tools that only need headers. Tools that inspect payload, such as an IDS, must still receive untrimmed packets, so trimming is applied per tool rather than globally.
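As an added worked example (not code from the article or from any vendor's product), the following Python script models the packet processing that the two passages above attribute to a network monitoring switch: per-tool filtering and flow-hash load balancing across tool instances, plus windowed de-duplication that ignores hop-mutable IP fields and payload trimming to the transport header. The frames, tool table, 50 ms window and port numbers are constructed for the demo and are assumptions, not values from the page; checksums are left at zero because nothing here validates them.

```python
import hashlib
import struct
from collections import OrderedDict

ETH_HDR = 14  # bytes of Ethernet header before the IPv4 header


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, ttl=64):
    """Build a constructed Ethernet/IPv4/TCP frame for the demo (checksums left at zero)."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, ttl, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse(frame):
    """Return (src_ip, dst_ip, proto, sport, dport, l4_end) for IPv4 TCP/UDP, else None."""
    if len(frame) < ETH_HDR + 20 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    proto = frame[ETH_HDR + 9]
    l4 = ETH_HDR + ihl
    if proto == 6 and len(frame) >= l4 + 20:     # TCP: data offset is the high nibble of byte 12
        l4_len = (frame[l4 + 12] >> 4) * 4
    elif proto == 17 and len(frame) >= l4 + 8:   # UDP: fixed 8-byte header
        l4_len = 8
    else:
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return (frame[ETH_HDR + 12:ETH_HDR + 16], frame[ETH_HDR + 16:ETH_HDR + 20],
            proto, sport, dport, l4 + l4_len)


def dedup_key(frame):
    """Hash everything above L2 with the hop-mutable IPv4 fields (TTL, header checksum) zeroed,
    so one packet mirrored at a vNIC, at an uplink and after a router hop gives the same key."""
    ip = bytearray(frame[ETH_HDR:])
    ip[8] = 0                 # TTL
    ip[10:12] = b"\x00\x00"   # IPv4 header checksum
    return hashlib.sha256(ip).digest()


class Deduplicator:
    """Drop copies of a packet seen again within `window` seconds. The window is short on
    purpose: a TCP retransmission seconds later is a real event an IDS must still see."""

    def __init__(self, window=0.05):   # 50 ms is an assumed, typical dedup window
        self.window = window
        self.seen = OrderedDict()      # key -> first-seen timestamp, oldest first

    def is_duplicate(self, frame, now):
        while self.seen:               # expire entries older than the window
            _, first = next(iter(self.seen.items()))
            if now - first > self.window:
                self.seen.popitem(last=False)
            else:
                break
        key = dedup_key(frame)
        if key in self.seen:
            return True
        self.seen[key] = now
        return False


def trim(frame, l4_end):
    """Packet trimming: keep L2-L4 headers, drop the payload. Length fields are left as they
    were, so a tool can still tell how large the original packet was."""
    return frame[:l4_end]


def flow_slot(meta, n_instances):
    """Symmetric flow hash: both directions of a session land on the same tool instance."""
    src_ip, dst_ip, proto, sport, dport, _ = meta
    a, b = sorted([(src_ip, sport), (dst_ip, dport)])
    digest = hashlib.sha256(a[0] + b[0] + struct.pack("!HHB", a[1], b[1], proto)).digest()
    return int.from_bytes(digest[:4], "big") % n_instances


# Assumed tool table: name -> (filter on parsed metadata, deliver payload?, instance count)
TOOLS = {
    "ids": (lambda m: True, True, 2),                                   # full packets, 2 sensors
    "web-apm": (lambda m: m[3] in (80, 443) or m[4] in (80, 443), True, 1),
    "flow-stats": (lambda m: True, False, 1),                           # headers only: trimmed
}


def process(frames, tools=TOOLS, window=0.05):
    """Run (timestamp, frame) pairs, in time order, through dedup, per-tool filter, trim and
    load balancing. Returns ({tool: [(instance, frame), ...]}, duplicates_dropped)."""
    dedup = Deduplicator(window)
    out = {name: [] for name in tools}
    dropped = 0
    for ts, frame in frames:
        if dedup.is_duplicate(frame, ts):
            dropped += 1
            continue
        meta = parse(frame)
        if meta is None:
            continue  # non-IPv4 or truncated frame; a real switch would have a catch-all rule
        for name, (match, keep_payload, n) in tools.items():
            if match(meta):
                delivered = frame if keep_payload else trim(frame, meta[5])
                out[name].append((flow_slot(meta, n), delivered))
    return out, dropped


# Constructed sample: an HTTP request from VM A to VM B mirrored at A's vNIC, again at B's vNIC
# (identical bytes) and a third time on a physical SPAN after a router hop (new MACs, TTL 63);
# then the reply, an SSH packet to VM C, and a retransmission of the request one second later.
HTTP_REQ = b"GET / HTTP/1.1\r\nAuthorization: Basic dXNlcjpzZWNyZXQ=\r\n\r\n"
REQ = build_frame("000c29000001", "000c29000002", "10.0.0.10", "10.0.1.20", 51000, 80, HTTP_REQ)
SAMPLE_FRAMES = [
    (0.000, REQ),
    (0.001, REQ),
    (0.002, build_frame("00005e000101", "000c29000002", "10.0.0.10", "10.0.1.20", 51000, 80,
                        HTTP_REQ, ttl=63)),
    (0.010, build_frame("000c29000002", "000c29000001", "10.0.1.20", "10.0.0.10", 80, 51000,
                        b"HTTP/1.1 200 OK\r\n\r\n")),
    (0.020, build_frame("000c29000001", "000c29000003", "10.0.0.10", "10.0.0.30", 52000, 22,
                        b"SSH-2.0-OpenSSH_8.9\r\n")),
    (1.000, REQ),
]

if __name__ == "__main__":
    delivered, dropped = process(SAMPLE_FRAMES)
    print(f"duplicates dropped: {dropped}")
    for tool, items in delivered.items():
        print(tool, [(slot, len(f)) for slot, f in items])
```

Running it shows the three copies of the request collapsing to one, the retransmission at one second surviving because the window has expired, the request and its reply hashing to the same IDS instance, and the flow-statistics tool receiving 54-byte header-only frames in which the Authorization header no longer appears.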
Virtualization improves business-enabling IT capabilities and operational flexibility. However, it also brings with it a new challenge – the inability to gain critical packet-level visibility into network traffic. But by using the right network architecture including a network monitoring switch, administrators can achieve the benefits of virtualization while still achieving end-to-end visibility and protecting their existing monitoring tool investment.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.