
Packet Broker

A Packet Broker is a network device placed between network traffic sources and monitoring tools (or other destinations). It collects and manages network traffic, applies filtering and transformation rules, and sends the processed traffic to designated destinations. In Verity, the Packet Broker aggregates network traffic for delivery to multiple destinations. It operates on a dedicated network infrastructure that is physically separated from both the production and management networks. This infrastructure includes packet broker switches, optimized for packet processing rather than general-purpose switching.

Key Components of the Verity Packet Broker

  • Packet Broker Switch (PBS): A SONiC-based network switch dedicated to aggregating traffic for delivery to multiple analyzers. These switches don't perform typical functions like VLAN switching.
  • Packet Broker Network (PBN): A network of interconnected PBS switches, used to forward packets based on Access Control Lists (ACLs).
  • Packet Broker Ingress Switch (PBIS): The PBS that connects to the network and receives incoming traffic.
  • Packet Broker Egress Profile (PBP): A user-created profile that specifies forwarding rules for traffic, including IP filters for traffic management.
  • Tap: A hardware device used to passively monitor and copy network traffic without interrupting it.

How the Packet Broker Works

The Verity Integrated Packet Broker uses Packet Broker Switches (PBS), which aggregate network traffic for delivery to various Analyzers. These PBS switches form a Packet Broker Network (PBN). The PBS switches in this network don’t perform traditional switching functions, such as VLAN switching. Users create Packet Broker Egress Profiles (PBP) to define which traffic should be forwarded, applying these profiles to any port in the PBN.

Verity automatically detects the PBS connections and configures the interconnected ports, designating all other ports as input ports. Once PBPs are assigned, Verity sets up the packet forwarding rules from ingress to egress.

Verity manages Packet Broker Switches utilizing out-of-band ports. The PBN is displayed in the Topology section of the Verity interface, where PBS switches are shown in left-to-right order, representing the traffic flow. The PB Ingress Switch (PBIS) is where traffic begins. The PBN can have multiple PBISs depending on the traffic inputs and load, though PBISs cannot connect to each other.

Each port in the PBN can have a PBP assigned, but traffic can only flow from ingress to egress, as shown in the GUI from left to right. When PBS switches are connected, Link Aggregation Groups (LAGs) are created automatically for the connected ports. It is the user's responsibility to ensure that the fabric (the ports connecting PBS switches) has the capacity to handle the required traffic.

Network Diagram

Here is a high-level example diagram showing traffic flow through the PBN. While there is flexibility in where to place inputs, connections and egress ports, it is recommended to connect input ports to designated PBISs and place egress ports on the lowest-tier switches (shown on the right of the diagram and Verity GUI). The network should follow a non-blocking architecture so all input traffic can reach egress switches without congestion.

Packet Broker Profiles and Filters

The PBPs include IP filters that specify which traffic is allowed or denied based on criteria such as protocol, IP address subnet, port, and VLAN. These filters can be tailored to allow or block specific IP addresses, protocols, and ports, including finer control with IPv4 or IPv6 addresses.

UI Overview

In the Verity interface, there are two key areas for managing the Packet Broker:

  • Packet Broker Topology
  • Packet Broker Templates

Packet Broker Topology View

The Packet Broker Topology is viewable from Topology -> Packet Broker.

This section visually represents the switches in the Packet Broker network and allows users to assign filter rules to ports.

Traffic Flow: Devices are arranged left to right, representing the direction of data flow.

Packet Broker Templates

Packet Broker Templates are found under Templates -> Packet Broker Templates. This section lets users create filter rules and group them into collections called PB Egress Profiles, which can then be assigned to specific ports in the PBN.

How to Visualize Connections Between Topology and Packet Broker Using TAPs

A TAP (Test Access Point) is a hardware device inserted into the network cabling to passively copy network traffic. The TAP icon in the user interface represents the point where network traffic is accessed and copied for the Packet Broker network.

How to Apply Filters

Filtering determines whether selected network data is forwarded to a destination device or blocked.

These are the steps to create and assign filters.

  1. Determine the Traffic to be Screened: Identify the IP type (IPv4 or IPv6), the protocol by name (ip/tcp/udp/icmp only) or IANA number, whether the match is bidirectional or unidirectional, the source and/or destination IP or IP range, and the source and/or destination port(s) or port range with the appropriate port operators (if applicable). Determine whether the filter is to Deny and/or Permit those traffic types.

  2. Create Filters: Go to Templates -> Packet Broker Templates and create filters based on the type of traffic identified in step 1.

  3. Assign Filters to PB Egress Profiles: Once filters are created, group them into PB Egress Profiles.

  4. Apply the PB Egress Profile to Ports: Assign the created PB Egress Profiles to device ports.

Apply Filter Rules to a Range of IP Addresses

To filter a range of IP addresses, choose either IPv4 Filters or IPv6 Filters, depending on the address type.

Click the Create New Filter button.

Name the filter and click Save.

In the filter settings, edit the rules and apply the changes.

Filter Rules

  • Protocol: IP protocol by name (ip, tcp, udp, or icmp only) or IP protocol by IANA number (0-255).
  • Bidirectional: Bidirectional packets if selected, else unidirectional.
  • Source IP: IPv4 or IPv6 packet source address. Use IP mask for range of IPs.
  • Source Port Operator: This field determines which match operation will be applied to TCP/UDP port(s). The choices are equal, greater-than, less-than or range.
  • Source Port 1: This field is used for equal, greater-than or less-than TCP/UDP port value in match operation. This field is also used for the lower value in the range port match operation.
  • Source Port 2: This field is only used in the range TCP/UDP port match operation, to define the top value in the range.
  • Destination IP: IPv4 or IPv6 packet destination address. Use an IP mask for a range of IPs.
  • Destination Port Operator: This field determines which match operation will be applied to TCP/UDP ports. The choices are equal, greater-than, less-than or range.
  • Destination Port 1: This field is used for equal, greater-than or less-than TCP/UDP port value in match operation. This field is also used for the lower value in the range port match operation.
  • Destination Port 2: This field will only be used in the range TCP/UDP port value match operation to define the top value in the range.

Filtering Individual Addresses as Lists

To filter individual IP addresses or lists of individual IP addresses, use an IPv4 List Filter or IPv6 List Filter and enter the addresses in the provided field. A comma must be used between each IP address. There are no spaces used in the lists.

From Packet Broker Templates, create a PB Egress Profile and enable it.

Edit the PB Egress Profile by assigning filters to any of the four available options:

  • IPv4 Deny
  • IPv6 Deny
  • IPv4 Permit
  • IPv6 Permit

Check the Enable box to activate the Filter(s).

Use the navigation buttons at the bottom of the list to assign multiple Filters, create multiple rows, remove disabled rows, or sort the list.

Save the Profile by clicking the Save button.
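The following is an added example, not Verity's own code, that models how the Filter Rules fields above (protocol by name or IANA number, bidirectional, source/destination IP with mask, port operators), an IPv4/IPv6 List Filter, and the four Deny/Permit slots of a PB Egress Profile combine when a packet is evaluated. Everything in it is an assumption made for illustration: the CIDR form of the "IP mask", the `FilterRule`/`Packet`/`EgressProfile` names, that a list filter matches the packet's source address (or either address when bidirectional), and that Deny rules are evaluated before Permit rules with a "no-match" result when neither applies. The sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Union

# IANA protocol numbers for the names the filter form accepts; "ip" matches any protocol.
PROTO_BY_NAME = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}

@dataclass
class Packet:                                # constructed packet summary (hypothetical type)
    src: str
    dst: str
    proto: int                               # IANA protocol number
    sport: Optional[int] = None              # TCP/UDP only
    dport: Optional[int] = None

@dataclass
class FilterRule:                            # one row of the Filter Rules form (hypothetical type)
    protocol: Union[str, int] = "ip"         # ip/tcp/udp/icmp or IANA number 0-255
    bidirectional: bool = False
    src_ip: Optional[str] = None             # address or CIDR (mask form is an assumption)
    src_port_op: Optional[str] = None        # equal | greater-than | less-than | range
    src_port1: Optional[int] = None
    src_port2: Optional[int] = None          # upper bound, used by "range" only
    dst_ip: Optional[str] = None
    dst_port_op: Optional[str] = None
    dst_port1: Optional[int] = None
    dst_port2: Optional[int] = None

def _proto_ok(spec: Union[str, int], proto: int) -> bool:
    if isinstance(spec, str):
        if spec.lower() not in PROTO_BY_NAME:
            raise ValueError(f"protocol name must be one of {sorted(PROTO_BY_NAME)}")
        want = PROTO_BY_NAME[spec.lower()]
    else:
        want = int(spec)
        if not 0 <= want <= 255:
            raise ValueError("IANA protocol number must be 0-255")
    return want is None or want == proto

def _ip_ok(spec: Optional[str], addr: str) -> bool:
    # A version mismatch (IPv4 address against an IPv6 network) is simply a non-match.
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_ok(op: Optional[str], p1: Optional[int], p2: Optional[int], port: Optional[int]) -> bool:
    if op is None:
        return True
    if port is None:                         # port operators only apply to TCP/UDP packets
        return False
    ops = {"equal": lambda: port == p1, "greater-than": lambda: port > p1,
           "less-than": lambda: port < p1, "range": lambda: p1 <= port <= p2}
    if op not in ops:
        raise ValueError(f"unknown port operator {op!r}")
    return ops[op]()

def _one_way(r: FilterRule, src, sport, dst, dport) -> bool:
    return (_ip_ok(r.src_ip, src) and _port_ok(r.src_port_op, r.src_port1, r.src_port2, sport)
            and _ip_ok(r.dst_ip, dst) and _port_ok(r.dst_port_op, r.dst_port1, r.dst_port2, dport))

def rule_matches(r: FilterRule, p: Packet) -> bool:
    if not _proto_ok(r.protocol, p.proto):
        return False
    if _one_way(r, p.src, p.sport, p.dst, p.dport):
        return True
    # Bidirectional: also accept the packet with source and destination swapped (e.g. the reply).
    return r.bidirectional and _one_way(r, p.dst, p.dport, p.src, p.sport)

def parse_list_filter(text: str) -> list:
    """IPv4/IPv6 List Filter: individual addresses separated by commas, no spaces."""
    if any(ch.isspace() for ch in text):
        raise ValueError("list filter must not contain spaces")
    return [ipaddress.ip_address(a) for a in text.split(",")]

def list_filter_matches(addrs: list, p: Packet, bidirectional: bool = False) -> bool:
    # Assumption: the list is matched against the source address, or either address if bidirectional.
    seen = {ipaddress.ip_address(p.src)} | ({ipaddress.ip_address(p.dst)} if bidirectional else set())
    return bool(seen & set(addrs))

@dataclass
class EgressProfile:                         # the four slots of a PB Egress Profile (hypothetical type)
    ipv4_deny: list = field(default_factory=list)
    ipv6_deny: list = field(default_factory=list)
    ipv4_permit: list = field(default_factory=list)
    ipv6_permit: list = field(default_factory=list)

def _matches(f, p: Packet) -> bool:         # f is a FilterRule or a parsed list filter
    return rule_matches(f, p) if isinstance(f, FilterRule) else list_filter_matches(f, p)

def profile_decision(prof: EgressProfile, p: Packet) -> str:
    """Returns 'deny', 'permit' or 'no-match'. Deny-before-permit ordering is an assumption."""
    v6 = ipaddress.ip_address(p.src).version == 6
    deny, permit = (prof.ipv6_deny, prof.ipv6_permit) if v6 else (prof.ipv4_deny, prof.ipv4_permit)
    if any(_matches(f, p) for f in deny):
        return "deny"
    if any(_matches(f, p) for f in permit):
        return "permit"
    return "no-match"

# Constructed sample: keep TCP from 10.1.0.0/16 to ports 8000-8080 in both directions,
# except traffic sourced from two blocked hosts.
WEB_RULE = FilterRule(protocol="tcp", bidirectional=True, src_ip="10.1.0.0/16",
                      dst_port_op="range", dst_port1=8000, dst_port2=8080)
PROFILE = EgressProfile(ipv4_deny=[parse_list_filter("10.1.9.9,10.1.9.10")], ipv4_permit=[WEB_RULE])
REQUEST = Packet("10.1.2.3", "192.0.2.10", 6, 51000, 8080)    # matches WEB_RULE directly
REPLY = Packet("192.0.2.10", "10.1.2.3", 6, 8080, 51000)      # matches only because bidirectional
UDP_PKT = Packet("10.1.2.3", "192.0.2.10", 17, 51000, 8080)   # wrong protocol, no rule applies
BLOCKED = Packet("10.1.9.9", "192.0.2.10", 6, 51000, 8080)    # source is on the deny list

if __name__ == "__main__":
    for name, pkt in [("request", REQUEST), ("reply", REPLY), ("udp", UDP_PKT), ("blocked", BLOCKED)]:
        print(f"{name:8} -> {profile_decision(PROFILE, pkt)}")
```

Two details worth noting when building real profiles: a port operator on a rule whose protocol is `ip` or `icmp` can never match, since those packets carry no TCP/UDP port, and a Bidirectional rule matches the reply direction as well, so a Deny list entry is checked against the packet as sent, not against the swapped addresses.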

Apply PB Egress Profile to Device Port

Once the filters are configured and saved, apply the PB Egress Profile to a device port. Double-click on the device port in the Packet Broker Topology view, and select the appropriate PB Egress Profile from the dropdown menu.