SPAN-aggregation and packet brokers. Protocol Stripping

Why you may need protocol stripping function?

As you know there are 7 OSI model levels. Each one adds some particular volume header to the packet. 

SPAN-aggregation and packet brokers. Packets deduplication

One may ask: is it real to be so stupid implementing TAPs and brokers that packets are duplicated? Yes, of course, and it doesn't indicate architects' stupidity. E.g. we need the datacenter traffic analysis. So, it is necessary to mirror datacenter uplinks (no matter Internet or corporate) to have an incoming/outgoing traffic visibility, and aggregation/service layer links according to the datacenter network design. Inbound/outbound packet has no duplicates if it is going to some segment connected via dedicated physical lines, no router/firewall on a stick etc.

SPAN-агрегация и пакетные брокеры. Дедупликация пакетов

Может возникнуть вопрос: как нужно так неправильно строить систему зеркалирования трафика, чтобы пакеты дублировались? Да запросто. Предположим, при необходимости анализа трафика ЦОД отзеркаливаем линки в ЦОД извне (независимо от того, Интернет это или остальная часть корпоративной сети), чтобы видеть внешние подключения, и линки на уровне распределения либо сервисного уровня ЦОД в зависимости от модели, по которой построена сеть. Пакет, влетающий извне, не продублируется только если в ЦОД есть сегмент, взаимодействующий только с остальными сегментами ЦОД, и недоступный снаружи, подключенный физически через другие линки.

IXIA ThreatArmor: how does it work

No advertisement (unfortunately, vendor doesn't pay me for it :) ) but for technology review only: one more IXIA solution analysis.

Packet brokers throughput math realism

This post was inspired by the IXIA seminar. As long as such events usually contain some advertising information it is necessary to search an information myself to have a material for analysis.

According to my hands-on experience with some SPAN-aggregation solutions I can observe several mismatches.

Let me analyze a piece of information according to particular IXIA product. This information is also actual for another vendors using the same math.

1. Throughput. 

Let's try IXIA xStream 10. According to the datasheet one can see that the hardware throughput is 480 Gbps

but there are only 24 10G-interfaces in it.