Gaining Valuable Insight into Encapsulated Network Data: Part 2

This is the second part of Mike Simmonds' three-part blog series discussing data encapsulation and the benefits of using visibility aggregator technologies to manage encapsulated data to make the best use of network performance and security analysis tools and appliances. If you missed the first post, be sure to check it out here.

Why encapsulate packets?

Protocol headers, tags or labels are used in various network configurations to encapsulate network data into separate paths. The aim is to enhance security, reduce latency, improve performance, or simply keep unnecessary traffic off links where it would serve no useful purpose or could expose sensitive information to an informed observer. They are also used to create highly scalable layer two multi-path networks.

Some high-speed networks quickly transport packets by appending additional information to the original packet to "encapsulate" the original data frame and reduce the amount of processing needed at each intermediary switch, which enables the packet to swiftly transit the rest of the network.

Alternatively, in order to remove unnecessary broadcast packets from a network, control access to data sharing the same switch and Ethernet port, and streamline data transfer between appliances, network administrators elect to configure their switches and networks to implement VLAN tag insertion and removal. By doing so, the Ethernet packets are "bound" to switch ports (based on configured tables in the switches), and network traffic such as broadcasts and other advertisement protocols is visible only in the VLANs where it is useful. Similarly, MPLS (Multi-Protocol Label Switching) is deployed to carry packets swiftly from one side of a network core to the other: the intermediate switches simply examine labels to determine the egress point that will be the next "hop" for the data.

This approach is particularly suitable for networks that include large deployments of many thousands or tens of thousands of individual connected appliances, private cloud networks and high-performance computing environments. Protocols used to achieve this encapsulation and segmentation, such as VLAN, (Cisco) FabricPath, MPLS and others, are also used in network configurations to encapsulate the Ethernet data and facilitate the creation of highly scalable multi-path networks.

While there are multiple benefits to this approach, encapsulated traffic delivered to the analysis tool or security appliance presents the network engineer and the system designer with a challenge.

Monitoring and packet analysis tools are usually not equipped to remove the encapsulation details, and they are put at a particular disadvantage by the multiple encapsulations found in a modern Software Defined Network, where encapsulation within encapsulation is often the norm.

The Encapsulation Process

The image to the left illustrates the principles of the process when data is transmitted using encapsulation. The customer’s computer at location A generates and transmits data to the local company network. When the data arrives at the network it is encapsulated for transmission via the company’s VLAN (Virtual Local Area Network) to location B. Location A and B are connected via a service provider’s network and when the customer’s VLAN data arrives at the service provider’s network it is encapsulated again for transmission within a VLAN dedicated to the customer via the service provider’s network. The process of VLAN de-encapsulation is carried out by the service provider when the data arrives at the destination edge of the service provider’s network, and by the company when the data arrives at location B. At this point the native data is passed on to the recipient device.
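The double encapsulation described above can be shown at the byte level. The following is an added example, not code from the original post: it builds a frame carrying a company VLAN tag inside a service provider VLAN tag, shows what a tool with no tag awareness reads as the protocol type, and then strips the tag stack to recover the native frame. The MAC addresses, VLAN IDs and function names are constructed for illustration, and the outer tag is assumed to use the IEEE 802.1ad TPID (0x88A8).

```python
import struct

# Tag Protocol Identifiers that introduce a VLAN tag:
# 0x8100 = IEEE 802.1Q (customer tag), 0x88A8 = IEEE 802.1ad (service provider tag)
VLAN_TPIDS = {0x8100, 0x88A8}
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vlan_tags, ethertype, payload):
    """Build a constructed Ethernet frame. vlan_tags: (tpid, vlan_id) pairs, outermost first."""
    tags = b"".join(struct.pack("!HH", tpid, vid & 0x0FFF) for tpid, vid in vlan_tags)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def naive_ethertype(frame):
    """What a tool with no tag awareness reads: the two bytes after the MAC addresses."""
    return struct.unpack_from("!H", frame, 12)[0]


def strip_vlan_tags(frame):
    """Remove every stacked VLAN tag. Returns (vlan_ids outermost first, native frame)."""
    offset, vlan_ids = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated inside the header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in VLAN_TPIDS:
            break  # offset now points at the inner EtherType
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4                    # skip TPID + TCI
    return vlan_ids, frame[:12] + frame[offset:]


# Constructed sample: location A's frame, tagged by the company (VLAN 100),
# then tagged again by the service provider (VLAN 2000).
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
PAYLOAD = b"\x45" + b"\x00" * 19  # placeholder bytes standing in for an IPv4 header
NATIVE = build_frame(DST, SRC, [], ETHERTYPE_IPV4, PAYLOAD)
ON_WIRE = build_frame(DST, SRC, [(0x88A8, 2000), (0x8100, 100)], ETHERTYPE_IPV4, PAYLOAD)

if __name__ == "__main__":
    print(f"naive EtherType: {naive_ethertype(ON_WIRE):#06x}")
    vlans, inner = strip_vlan_tags(ON_WIRE)
    print(f"VLAN stack: {vlans}, inner EtherType: {naive_ethertype(inner):#06x}")
```

A tool that reads only the first type field sees a VLAN tag rather than IPv4, and every later header offset is shifted by four bytes per tag. MPLS label stacks are not handled here.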

In the final part of this series, we'll explore how to remove encapsulation data to improve efficiency for security and performance monitoring tools.