SANTA CLARA, Calif. -- Microsoft is using an OpenFlow software-defined network to capture and analyze traffic for network security and monitoring tools in its Internet-facing and cloud services data centers.
The OpenFlow-based tap aggregation system, called Distributed Ethernet Monitoring (DEMON) Appliance, is an alternative to expensive network packet brokers -- the specialized appliances that aggregate network taps and SPAN ports. Microsoft Principal Network Architect Rich Groves presented DEMON at the Open Networking Summit Tuesday.
Groves did not reveal which commercial software-defined networking (SDN) products Microsoft is using to enable DEMON, but he described the use of merchant silicon-based switches and an SDN control system to build the solution. Only a small number of vendors have announced products and features that enable SDN-based tap aggregation. For instance, Arista Networks announced DANZ, a feature set in the firmware of its merchant silicon-based 7050 switches that provides the ability to aggregate, replicate and capture traffic for network monitoring applications, with advanced features like precision timestamping. Big Switch Networks sells Big Tap, a network monitoring application that runs on top of its controller and that can turn an OpenFlow network into a continuous monitoring network.
Groves explained that using a traditional network packet broker to do tap and SPAN port aggregation wasn't feasible at the scale of the network he needed to instrument. He was looking for a system that could monitor thousands of 10 Gigabit Ethernet (GbE) links per data center. Given that his network has top-of-rack switches with as many as 32x10 GbE uplinks, the sheer number of monitoring ports needed made monitoring with a packet broker infeasible from a scale and cost perspective.
DEMON enables data center-scale packet capture and analysis by turning merchant silicon-based switches into virtual appliances. "We have a layer of switches that do nothing but terminate monitoring ports," Groves said.
OpenFlow also allows Microsoft to create so-called service chains in DEMON. Network engineers can create policies that send the same traffic stream through multiple points of analysis and inspection.
Microsoft has also started building application programming interfaces (APIs) on the system to do more advanced and proactive traffic analysis. "We can set up 24-by-seven monitoring of TCP events for critical systems," he said. "We are building triggers based on changes to add or modify policies. Applications can start to troubleshoot themselves. We have the ability to have a network management system that receives syslog traffic from network devices. If it sees an uptick of syslog entries, it can program the APIs to capture more interesting data [relevant to the surge in syslog traffic]."
"There was no way we could have done this without the [OpenFlow] system we partnered on," Groves said. "To use OpenFlow here helps us scale this method, and with a controller we were able to scale as large as we needed."
The only limitation Groves has run into is the number of flow entries he can program into his merchant silicon-based switches. He said he's generally limited to about 750 SDN flows per switch, which is fine for DEMON's purposes, "but more is always better."
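To make the three ideas above concrete (service chains that copy one stream to several tools, a syslog-driven trigger that widens capture, and the per-switch flow-entry budget), here is an added illustrative model; it is not Microsoft's DEMON code and uses no real OpenFlow library. The match fields, port numbers, the surge threshold and the tiny budget in the sample are constructed assumptions; only the 750-entry figure comes from the article.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

FLOW_BUDGET = 750  # per-switch flow-entry limit Groves cites for merchant silicon


@dataclass(frozen=True)
class Match:
    """Subset of OpenFlow match fields; None means wildcard."""
    in_port: int                     # tap or SPAN port feeding the aggregation switch
    ip_proto: Optional[int] = None   # 6 = TCP
    tp_dst: Optional[int] = None     # transport-layer destination port

    def covers(self, pkt: dict) -> bool:
        return (pkt["in_port"] == self.in_port
                and self.ip_proto in (None, pkt.get("ip_proto"))
                and self.tp_dst in (None, pkt.get("tp_dst")))

    def specificity(self) -> int:
        return sum(f is not None for f in (self.ip_proto, self.tp_dst))


class TapSwitch:
    """Merchant-silicon switch that does nothing but terminate monitoring ports."""

    def __init__(self, budget: int = FLOW_BUDGET):
        self.budget = budget
        self.table: dict[Match, tuple[int, ...]] = {}  # match -> output (tool) ports

    def program(self, match: Match, tool_ports: tuple[int, ...]) -> None:
        """Install a flow; listing several output ports replicates the stream
        to each tool, which is the service-chain behaviour described above."""
        if match not in self.table and len(self.table) >= self.budget:
            raise RuntimeError(f"flow table full ({self.budget} entries)")
        self.table[match] = tool_ports

    def forward(self, pkt: dict) -> tuple[int, ...]:
        """Most specific matching entry wins, as a TCAM lookup would."""
        hits = [m for m in self.table if m.covers(pkt)]
        if not hits:
            return ()  # no monitoring policy for this packet: nothing is copied
        return self.table[max(hits, key=Match.specificity)]


def react_to_syslog_surge(sw: TapSwitch, tap_port: int, syslog_count: int,
                          baseline: int, capture_port: int, factor: int = 3) -> bool:
    """Hypothetical trigger: a syslog surge from a device widens capture to all
    traffic on that device's tap port. The 3x threshold is an assumption."""
    if syslog_count >= factor * baseline:
        sw.program(Match(in_port=tap_port), (capture_port,))
        return True
    return False
```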
Let us know what you think about the story; email: Shamus McGillicuddy, news director.