
Microsoft uses OpenFlow SDN for network monitoring and analysis

Microsoft is using OpenFlow SDN to aggregate network taps and span ports as an alternative to network packet brokers for monitoring and traffic analysis.

SANTA CLARA, Calif. -- Microsoft is using an OpenFlow software-defined network to capture and analyze traffic for network security and monitoring tools in its Internet-facing and cloud services data centers.

The OpenFlow-based tap aggregation system, called Distributed Ethernet Monitoring (DEMON) Appliance, is an alternative to expensive network packet brokers -- the specialized appliances that aggregate network taps and SPAN ports. Microsoft Principal Network Architect Rich Groves presented DEMON at the Open Networking Summit Tuesday.

Groves did not reveal which commercial software-defined networking (SDN) products Microsoft is using to enable DEMON, but he described the use of merchant silicon-based switches and an SDN control system to build the solution. Only a small number of vendors have announced products and features that enable SDN-based tap aggregation. For instance, Arista Networks announced DANZ, a feature set on the firmware of its merchant silicon-based 7050 switches that provides the ability to aggregate, replicate and capture traffic for network monitoring applications with advanced features like precision timestamping. Big Switch Networks sells Big Tap, a network monitoring application that runs on top of its controller and that can turn an OpenFlow network into a continuous monitoring network.

Groves explained that using a traditional network packet broker to do tap and SPAN port aggregation wasn't feasible with the scale of the network he needed to instrument. He was looking for a system that could monitor thousands of 10 Gigabit Ethernet (GbE) links per data center. Given that his network has top-of-rack switches with as many as 32x10 GbE uplinks, the sheer number of monitoring ports needed made monitoring with a packet broker unfeasible from a scale and cost perspective.

DEMON enables data center-scale packet capture and analysis by turning merchant silicon-based switches into virtual appliances. "We have a layer of switches that do nothing but terminate monitoring ports," Groves said.


OpenFlow also allows Microsoft to create so-called service chains in DEMON. Network engineers can create policies that send the same traffic stream through multiple points of analysis and inspection.

Microsoft has also started programming application programming interfaces (APIs) on the system to do more advanced and proactive traffic analysis. "We can set up 24-by-seven monitoring of TCP events for critical systems," he said. "We are building triggers based on changes to add or modify policies. Applications can start to troubleshoot themselves. We have the ability to have a network management system that receives syslog traffic from network devices. If it sees an uptick of syslog entries, it can program the APIs to capture more interesting data [relevant to the surge in syslog traffic]."

"There was no way we could have done this without the [OpenFlow] system we partnered on," Groves said. "To use OpenFlow here helps us scale this method, and with a controller we were able to scale as large as we needed."

The only limitation Groves has run into is the number of flow entries he can program into his merchant silicon-based switches. He said he's generally limited to about 750 SDN flows per switch, which is fine for DEMON's purposes, "but more is always better."
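The syslog-triggered capture Groves describes, combined with the per-switch flow limit he cites, can be sketched as follows. This is an added example, not Microsoft's or any vendor's code: the `CaptureTrigger` class, its thresholds, the policy dictionary and the sample lines are all assumptions, and a real deployment would push the policy through its controller's API rather than store it locally.

```python
from collections import defaultdict, deque

FLOW_BUDGET = 750  # approximate per-switch flow limit quoted in the article


class CaptureTrigger:
    """Hypothetical model: turn a per-device syslog surge into a timed capture policy."""

    def __init__(self, threshold=5, window=10.0, hold=60.0, budget=FLOW_BUDGET):
        self.threshold, self.window, self.hold, self.budget = threshold, window, hold, budget
        self.events = defaultdict(deque)  # device IP -> recent syslog timestamps
        self.policies = {}                # device IP -> active policy (one flow entry each)

    def on_syslog(self, ts, device_ip):
        """Record one message; return 'installed', 'refreshed', 'rejected' or None."""
        # Free flow entries whose hold time has passed before judging the budget.
        for ip in [ip for ip, p in self.policies.items() if p["expires"] <= ts]:
            del self.policies[ip]
        q = self.events[device_ip]
        q.append(ts)
        while q[0] <= ts - self.window:   # keep only messages inside the window
            q.popleft()
        if len(q) < self.threshold:
            return None                   # no surge for this device
        if device_ip in self.policies:
            self.policies[device_ip]["expires"] = ts + self.hold
            return "refreshed"
        if len(self.policies) >= self.budget:
            return "rejected"             # table full: report it, do not evict silently
        self.policies[device_ip] = {"match": {"ip": device_ip},
                                    "action": "mirror-to-capture", "expires": ts + self.hold}
        return "installed"


def replay(lines, **kwargs):
    """Feed 'timestamp device_ip' lines through a fresh trigger; return it and the decisions."""
    trig = CaptureTrigger(**kwargs)
    out = []
    for line in lines:
        ts, ip = line.split()
        out.append(trig.on_syslog(float(ts), ip))
    return trig, out


# Constructed sample: 192.0.2.1 stays quiet, 192.0.2.2 bursts.
SAMPLE = ["0 192.0.2.1", "1 192.0.2.2", "2 192.0.2.2", "3 192.0.2.2", "4 192.0.2.1", "5 192.0.2.2"]
```

Expiring policies after a hold time is what keeps triggered captures from steadily consuming the flow table, and a rejected install is returned to the caller so that a full table shows up as an alert rather than a silent monitoring gap.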

Let us know what you think about the story; email: Shamus McGillicuddy, news director.


Join the conversation



Will SDN alter network monitoring and traffic analysis?
It is one of the typical expected features!
SDN is a perfect tool for network analysis and monitoring beyond legacy SNMP platforms.
SDN is fragmented with so many different implementations for different vendors.
Nothing is safe.
SDN will open common platform to develop programmable APIs, OpenFlows and SDN controllers for many talents. 360 degree monitoring and traffic analysis is inevitable.
Go to download something that I want or is important & I have all these downloads I do not want on there. Is there a way to shop it? Otherwise, I'll just delete media smart
It is high time to separate the management from the equipment and have an end to end view from a management perspective.
Note that there would still be some questions around multi-vendors in the net.
It looks like a possibility.