Gaining Valuable Insight into Encapsulated Data: Part 3

  • Calendar Icon

This is the final part of Mike Simmonds' blog series discussing data encapsulation and the benefits of using visibility aggregator technologies to manage encapsulated data to make the best use of network performance and security analysis tools and appliances. If you missed the previous post, check it out here.

In-Tool encapsulation removal

Some network security and packet analysis tool vendors declare their support for VLAN header removal and similarly, it is possible in some analysis tools to invoke software dissectors that remove a tag or header. In most instances, there may be simply no way of removing the unnecessary (for the analyzing tool) encapsulation information and therefore the tool’s usefulness is severely reduced.

In-Aggregator encapsulation removal

It is clear that there is a need to remove the encapsulation packets to improve (or even just simply provide) readability of the packets to the consuming analysis tool or security appliance. It is also clear that the variety of encapsulation methods that are available and deployed, along with the complexity presented when encapsulation encapsulates additional encapsulation, present a huge issue that requires resolution.

Within the traffic visualization layer of a network infrastructure, the approach of using taps and span ports to pass the real-time, as-seen data to an aggregation layer is well known and established for delivering the required data to the applicable analysis tool or security appliance to allow the tool or appliance to function correctly. With this approach, the aggregation technology can also be used to remove the data encapsulation before sending the native data to the tool or appliance.

That’s where header stripping comes in.

It is imperative in modern traffic visibility solutions’ design that an aggregator’s ingress or egress port or ports can be configured to remove the encapsulation or a series of encapsulations from the native data. Techniques such as nested tagging, when encapsulated data is itself further encapsulated such as where a service provider’s VLAN encapsulates a service users VLAN, for instance, and the growing deployment of Software Defined Network infrastructures, mean that the removal of just one encapsulation is unlikely to be enough, and so the need to remove multiple encapsulations in order, and by type becomes necessary to strip the data back to its original form and structure before passing it to the analysis tools or security appliances.

Stripping VxLAN encapsulation

Simply put – a network visibility layer must present the option of removing multiple layers of encapsulation to present native, understandable data packets to the analysis tool or security appliance of choice to be of most value to the network architecture to manage network performance and security.

Many modern network data aggregation appliances provide multiple advanced features such as header stripping (de-encapsulation), time stamping, packet slicing and traffic multi-layer filtering to ensure the correct network traffic can be sent most efficiently to the appropriate analysis tool or security appliance for them to function as needed to detect and help prevent IT performance degradations and security breaches.

Ideally, header stripping should be capable of being carried out by each individual port of the aggregator to ensure that the aggregator can process the high quantity of data passing through it which in turn ensures the integrity and accuracy of the complete data traffic is delivered to the analysis tools or security appliances.

In the situation when the header stripping is not carried out by a port then it is typically carried out by a central processor within the aggregator which is also used to execute the additional advanced features. This approach incurs the risk that the quantity of data received by the processor may be too much on occasions at which point the processor will discard or ‘drop’ packets until it is capable of processing the quantity of data it has received. Under this circumstance, the discarded data is not sent to the analysis tools or security appliances which means that indicators of IT performance degradation and/or security breaches may not be identified and analyzed and consequently, the risk of undetected service impacting performance degradations and breaches is increased.


High speed, low latency networks use data packet encapsulation to achieve the required high network performance and to enhance network security. The challenge this approach creates, though, is that most IT performance and security analysis tools and security appliances are unable to read encapsulated data which means they are unable to correctly fulfill their purpose of identifying, analyzing and preventing IT performance degradations and security vulnerabilities and breaches.

The best approach for delivering native data packets to the necessary analysis tools and security appliances that they can understand and use for their purpose is for data aggregator appliances to de-encapsulate encapsulated data. It is best that the aggregator appliance completes the de-encapsulation at the port level rather than by a centralized multi-functioning processor so that it does not drop data packets at busy periods and ensures that the entire and complete data traffic flow is analyzed to identify and reduce the risk of potential IT service degradations and security vulnerabilities and breaches for the required IT service performance and integrity.

Efficiently getting to the heart of the packet by stripping data packets back to their original form by an advanced visibility aggregation appliance extends the life of analysis tools connected to it, improves the reporting of traffic flows and paths, and presents consumable information to the appliances that need it.

Stay Connected

Sign up for our newsletter