Packet Broker
A Packet Broker is a network device placed between network traffic sources and monitoring tools (or other destinations). It forwards network traffic according to filtering and transformation rules to designated destinations. In Verity, the Packet Broker aggregates network traffic for delivery to multiple destinations. It operates on a dedicated network infrastructure that is physically separated from both the production and management networks. This infrastructure includes packet broker switches, optimized for packet processing rather than general-purpose switching.
Components
| Term | Description |
|---|---|
| Packet Broker Switch (PBS) | A SONiC-based network switch dedicated to aggregating traffic for delivery to multiple analyzers. These switches don't perform typical functions like VLAN switching. |
| Packet Broker Network (PBN) | A network of interconnected PBS switches, used to forward packets based on Access Control Lists (ACLs). |
| Packet Broker Ingress Switch (PBIS) | The PBS that connects to the network and receives incoming traffic. |
| Packet Broker Egress Profile (PBP) | A user-created profile that specifies forwarding rules for traffic, including IP filters for traffic management. |
| Tap | A hardware device used to passively monitor and copy network traffic without interrupting it. |
Functionality
The Verity Integrated Packet Broker uses Packet Broker Switches (PBS), which aggregate network traffic for delivery to various Analyzers. These PBS switches form a Packet Broker Network (PBN). The PBS switches in this network don't perform traditional switching functions, such as VLAN switching. Users create Packet Broker Egress Profiles (PBP) to define which traffic should be forwarded, applying these profiles to any port in the PBN.
Verity automatically detects the PBS connections and configures the interconnected ports, designating all other ports as input ports. Once PBPs are assigned, Verity sets up the packet forwarding rules from ingress to egress.
Verity manages Packet Broker Switches utilizing out-of-band ports. The PBN is displayed in the Topology section of the Verity interface, where PBS switches are shown in left-to-right order, representing the traffic flow. The PB Ingress Switch (PBIS) is where traffic begins. The PBN can have multiple PBISs depending on the traffic inputs and load, though PBISs cannot connect to each other.
Each port in the PBN can have a PBP assigned, but traffic can only flow from ingress to egress, as shown in the GUI from left to right. When PBS switches are connected, Link Aggregation Groups (LAGs) are created automatically for the connected ports. It is the user's responsibility to ensure that the fabric (the ports connecting PBS switches) has the capacity to handle the required traffic.
Architecture
This high-level example diagram shows how traffic flows through the PBN. While there is flexibility in where to place inputs, interconnections and egress ports, it is recommended to connect input ports to designated PBISs and to place egress ports on the lowest-tier switches (shown on the right of the diagram and of the Verity GUI). The network should follow a non-blocking architecture so that all input traffic can reach the egress switches without congestion; if the fabric between tiers is oversubscribed, captured traffic is dropped in the PBN before it reaches the analyzers.
Packet Broker Calculator
This spreadsheet provides estimates for how many switches are needed based on traffic capturing capacity requirements.
Packet Broker Calculator available here.
Profiles and Filters
A PBP is a collection of IP filters that specify which traffic is permitted or denied based on criteria such as IP protocol, source/destination address or subnet, and TCP/UDP port. IPv4 and IPv6 traffic are matched by separate IPv4 and IPv6 filters, so a profile that must handle both address families needs filters of both types.
UI Overview
In the Verity interface, these sections are used for managing the Packet Broker:
- Topology -> Packet Broker
- Templates -> Filters -> IPV4 Filters / IPV6 Filters
- Templates -> Diagnostics -> PB Egress Profiles
Topology View
- Topology -> Packet Broker
This section visually represents the switches in the Packet Broker network and allows users to assign filter rules to ports.
Devices are arranged left to right, representing the direction of data flow.
Packet Broker Templates
The Template navigation menu contains these options used to configure Packet Broker.
- Templates -> Filters -> IPV4 Filters / IPV6 Filters / IPv4 List Filters / IPv6 List Filters
- Templates -> Diagnostics -> PB Egress Profiles
These tools let users create filter rules and group them into collections called PB Egress Profiles, which are then assigned to specific ports in the PBN.
TAPs
A TAP (Test Access Point) is a hardware device inserted into the network cabling to passively copy network traffic. The TAP icon in the user interface represents the point where network traffic is accessed and copied for the Packet Broker network.
Creating & Applying Filters
Filtering determines whether selected network data is forwarded to a destination device or blocked.
- Determine the Traffic to be Screened: identify the IP version (IPv4 or IPv6), the protocol by name (ip, tcp, udp or icmp only) or by IANA number, whether matching is bidirectional or unidirectional, the source and/or destination IP address or range, and, for TCP/UDP, the source and/or destination port or port range with the appropriate port operator. Decide whether each filter will be used to Deny or to Permit that traffic.
- Create Filters: Go to Templates -> Filters and create filters based on the type of traffic identified in step 1.

- Assign Filters to PB Egress Profiles: Once filters are created, group them into PB Egress Profiles.
- Apply the PB Egress Profile to Ports: Assign the created PB Egress Profiles to device ports.
Apply Filter Rules to a Range of IP Addresses
- Select either IPv4 Filters or IPv6 Filters, depending on the address type.

- Click the Add button, name the filter and click the Create Filter button.

- In the filter settings, edit the rules and apply the changes.

Filter Rules
| Filter | Function |
|---|---|
| Protocol | IP protocol by name (ip, tcp, udp or icmp only) or by IANA protocol number (0-255). |
| Bidirectional | If selected, the rule also matches traffic flowing in the reverse direction (source and destination swapped); otherwise it matches one direction only. |
| Source IP | IPv4 or IPv6 packet source address. Use an IP mask to match a range of addresses. |
| Source Port Operator | The match operation applied to the TCP/UDP source port: equal, greater-than, less-than or range. |
| Source Port 1 | The TCP/UDP port value for the equal, greater-than or less-than operations, and the lower bound for the range operation. |
| Source Port 2 | Used only by the range operation, as the upper bound of the port range. |
| Destination IP | IPv4 or IPv6 packet destination address. Use an IP mask to match a range of addresses. |
| Destination Port Operator | The match operation applied to the TCP/UDP destination port: equal, greater-than, less-than or range. |
| Destination Port 1 | The TCP/UDP port value for the equal, greater-than or less-than operations, and the lower bound for the range operation. |
| Destination Port 2 | Used only by the range operation, as the upper bound of the port range. |
Filtering Individual Addresses as Lists
To filter individual IP addresses, or a list of individual addresses, use an IPv4 List Filter or IPv6 List Filter and enter the addresses in the provided field. Separate the addresses with commas only; do not put spaces in the list.
- Navigate to Packet Broker Templates.
- Create a PB Egress Profile and enable it.

- Edit the PB Egress Profile by assigning filters to any of the four available slots:
- IPv4 Deny
- IPv6 Deny
- IPv4 Permit
- IPv6 Permit
- Check the Enabled box to activate the filter(s).

- Use the plus button at the bottom-right of the list to create additional rows for assigning multiple filters.

- When in Edit Mode, save changes by clicking the Save button.
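The Filter Rules table and the four Deny/Permit slots of a PB Egress Profile, modelled in Python as an added example. This is not Verity's code or its ACL implementation, and it fills in behaviour the page does not state: it assumes Deny filters are checked before Permit filters, that traffic matching no filter is not forwarded, that protocol "ip" matches any IP protocol, and that a List Filter matches when either the source or the destination address of a packet is listed. The sample profile, filters and packets are constructed for illustration.

```python
"""Model of how a PB Egress Profile's Filters and List Filters select traffic. Added example, not
Verity code. Assumptions not stated on the page: Deny filters are checked before Permit filters,
unmatched traffic is dropped, 'ip' matches any protocol, and a List Filter matches either address."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional

PROTO_BY_NAME = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}  # the only names the UI accepts
PORT_OPS = {"equal": lambda p, a, b: p == a, "greater-than": lambda p, a, b: p > a,
            "less-than": lambda p, a, b: p < a, "range": lambda p, a, b: a <= p <= b}
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))  # ports 0 for e.g. ICMP

def parse_protocol(value) -> Optional[int]:
    """'ip' -> None (any protocol); tcp/udp/icmp -> IANA number; else an IANA number 0-255."""
    if isinstance(value, str) and value.lower() in PROTO_BY_NAME:
        return PROTO_BY_NAME[value.lower()]
    if not 0 <= int(value) <= 255:
        raise ValueError(f"IANA protocol number out of range: {value!r}")
    return int(value)

def port_matches(op: Optional[str], port1: int, port2: int, port: int) -> bool:
    """Apply a Port Operator from the Filter Rules table; Port 2 is used only by 'range'."""
    return True if op is None else PORT_OPS[op](port, port1, port2)

@dataclass
class Filter:
    """One IPv4/IPv6 Filter row; field names follow the Filter Rules table."""
    name: str
    protocol: Optional[int] = None  # None == 'ip'
    bidirectional: bool = False
    src: Optional[str] = None  # Source IP with mask, e.g. "10.0.0.0/24"; None == any
    src_op: Optional[str] = None
    src_port1: int = 0
    src_port2: int = 0
    dst: Optional[str] = None
    dst_op: Optional[str] = None
    dst_port1: int = 0
    dst_port2: int = 0

    def _one_way(self, p: Packet) -> bool:
        if self.protocol is not None and p.proto != self.protocol:
            return False
        for net, addr in ((self.src, p.src), (self.dst, p.dst)):
            if net and ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
                return False
        if (self.src_op or self.dst_op) and p.proto not in (6, 17):
            return False  # port operators apply to TCP/UDP only
        return (port_matches(self.src_op, self.src_port1, self.src_port2, p.sport)
                and port_matches(self.dst_op, self.dst_port1, self.dst_port2, p.dport))

    def matches(self, p: Packet) -> bool:
        # Bidirectional: also try the packet with source and destination swapped.
        reply = Packet(p.proto, p.dst, p.src, p.dport, p.sport)
        return self._one_way(p) or (self.bidirectional and self._one_way(reply))

@dataclass
class ListFilter:
    """IPv4/IPv6 List Filter: individual addresses, comma-separated, no spaces."""
    name: str
    addresses: frozenset

    @classmethod
    def from_text(cls, name: str, text: str) -> "ListFilter":
        if " " in text:
            raise ValueError("list filters take comma-separated addresses with no spaces")
        addrs = [ipaddress.ip_address(a) for a in text.split(",")]  # rejects empty or bad entries
        if len({a.version for a in addrs}) != 1:
            raise ValueError("one list may not mix IPv4 and IPv6 addresses")
        return cls(name, frozenset(addrs))

    def matches(self, p: Packet) -> bool:
        return ipaddress.ip_address(p.src) in self.addresses or ipaddress.ip_address(p.dst) in self.addresses

@dataclass
class EgressProfile:
    """PB Egress Profile with its four slots: IPv4/IPv6 Deny and IPv4/IPv6 Permit."""
    name: str
    ipv4_deny: list = field(default_factory=list)
    ipv6_deny: list = field(default_factory=list)
    ipv4_permit: list = field(default_factory=list)
    ipv6_permit: list = field(default_factory=list)

    def decide(self, p: Packet) -> str:
        v4 = ipaddress.ip_address(p.src).version == 4
        deny, permit = (self.ipv4_deny, self.ipv4_permit) if v4 else (self.ipv6_deny, self.ipv6_permit)
        if any(f.matches(p) for f in deny):  # assumed: Deny slot wins over Permit
            return "deny"
        return "permit" if any(f.matches(p) for f in permit) else "deny"  # assumed: default deny

def build_example_profile() -> EgressProfile:
    """Constructed sample: HTTPS into 10.0.0.0/24 (and replies), DNS replies, IPv6 high ports."""
    web = Filter("web-in", protocol=parse_protocol("tcp"), bidirectional=True,
                 dst="10.0.0.0/24", dst_op="equal", dst_port1=443)
    dns = Filter("dns-replies", protocol=parse_protocol("udp"), src_op="equal", src_port1=53,
                 dst_op="range", dst_port1=1024, dst_port2=65535)
    v6 = Filter("v6-high-ports", protocol=parse_protocol(6), src="2001:db8::/32",
                dst_op="greater-than", dst_port1=1023)
    bad = ListFilter.from_text("bad-hosts", "192.0.2.99,192.0.2.100")
    return EgressProfile("analyzer-1", ipv4_deny=[bad], ipv4_permit=[web, dns], ipv6_permit=[v6])
```

The point of the model is the ordering: in the sample profile a packet from 192.0.2.99 to 10.0.0.5:443 matches the `web-in` permit filter, but the `bad-hosts` list in the IPv4 Deny slot is checked first, so it never reaches the analyzer. Because the page does not state how Verity orders the slots, verify the precedence on a test port before relying on a Deny entry to suppress traffic that a Permit entry would otherwise forward.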
Applying PB Egress Profile to Device Port
- Once the filters are configured and saved, apply the PB Egress Profile to a device port.
- Double-click on the device port in the Packet Broker Topology view.
- Select the appropriate PB Egress Profile from the dropdown menu.

Packet Queuing
This feature lets you prioritize packets and limit the bandwidth each queue may use. It is available at Templates -> Layer-2 -> Packet Queues.
In the window that appears, map p-bits (802.1p priority values) to queues and set the bandwidth (BW) for each queue as a percentage. The percentage is the maximum average share of the port's output bandwidth that packets in that queue are allowed to consume. The value cannot exceed 100, and a value of 0 means no limit is set for that queue.