
Asymmetry concerns in Vectra sensor feeds

This KnowledgeBase article explores the concern of asymmetry in sensor feeds.  

Both physical and virtual Vectra sensors can be impacted by asymmetric traffic feeds.  In simple terms, asymmetric traffic captures are "one way".  For example, a capture feed of north/south traffic from a core switch that includes only north-bound or only south-bound traffic would be considered asymmetric.

Network protocols are by nature bi-directional. Little, if any, useful information can be gleaned from taps that include only packets sent in one direction.  The quality of received traffic directly impacts Vectra's detection algorithms.

Vectra sensors require that all traffic associated with a given stream (TCP or UDP) is sent to the same sensor.  Packets from the same stream can be distributed among the ports on that sensor; the sensor will reassemble the data stream into a contiguous flow for analysis.

Network engineers forward traffic to Vectra sensors using SPAN [port mirroring], network taps, or packet brokers.  Packet brokers aggregate traffic from both SPAN ports and network taps before forwarding.  Packet brokers shape network traffic, so received flows in these environments rarely require additional tuning. 

Direct feeds from network taps are slightly more complex.  Asymmetry can be a problem as a tap generally has one port per direction unless an aggregation tap is being used.  Although able to provide the same traffic, SPAN ports may require ACLs and explicit configuration statements to eliminate asymmetric flows and reduce duplicates.

The table below summarizes typical vendor implementations.  Implementations vary by vendor and by version and you may find it beneficial to discuss your packet capture set-up with your equipment vendor.

Capture Device Type: SPAN Port

  • SPAN can be configured to use a port or a VLAN as the source; ports and VLANs cannot be combined.
  • If using a single port as the source, for example, a trunk port, SPAN must be configured as TX and RX.
  • If using a VLAN or VLANs as the source, all ports associated with the VLAN will be included in the SPAN.  In the case where all VLANs are included, SPAN should be configured as RX only, because each flow will otherwise be seen in the TX direction on one port and in the RX direction on a second port, producing duplicate packets.
  • If using multiple ports but not all ports as the source, the SPAN must be configured as TX and RX, which may increase duplicate packets.
  • Some newer switches support ACLs [filters], which can be used to reduce duplicate traffic.  Care should be taken to avoid accidentally excluding traffic in one direction.

Capture Device Type: Network Tap

  • Traditional network taps have one port per direction.  Aggregation taps combine the two directions into one feed.  If using a traditional tap, ensure that both ports are in use.
  • Asymmetric traffic may indicate that only one port of a traditional network tap is connected, so only one direction is being captured.

Capture Device Type: Packet Broker

  • Packet brokers can shape received traffic from both SPAN ports and network taps.  Received flows from packet brokers are usually already optimized for existing network monitoring tools and require little or no adjustment.
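A quick way to check a feed for the two problems described above (one-way flows and duplicate packets) before it reaches the sensor is to group captured packets by direction-independent flow and count what each side sent.  The script below is an added example, not Vectra code; the packet list is constructed, and the ip_id field is assumed to stand in for the IP identification header so exact duplicates can be recognised.

```python
from collections import Counter, defaultdict

# Constructed sample of packets as they might arrive on a sensor capture port:
# (src_ip, src_port, dst_ip, dst_port, proto, ip_id). ip_id stands in for the
# IP identification header and is used only to spot exact duplicates.
SAMPLE_PACKETS = [
    ("10.1.1.5", 51000, "93.184.216.34", 443, "tcp", 1),
    ("93.184.216.34", 443, "10.1.1.5", 51000, "tcp", 2),
    ("10.1.1.5", 51000, "93.184.216.34", 443, "tcp", 3),
    ("10.1.1.5", 51000, "93.184.216.34", 443, "tcp", 3),  # same packet seen twice (TX+RX SPAN)
    ("10.1.1.7", 40000, "8.8.8.8", 53, "udp", 10),         # DNS query, reply never captured
    ("10.1.1.7", 40001, "8.8.8.8", 53, "udp", 11),
    ("10.1.1.9", 52000, "93.184.216.34", 80, "tcp", 20),
    ("93.184.216.34", 80, "10.1.1.9", 52000, "tcp", 21),
    ("10.1.1.11", 53000, "203.0.113.10", 22, "tcp", 30),   # TCP with no return traffic
]


def flow_key(pkt):
    """Direction-independent 5-tuple so both halves of a flow map to one key."""
    src, sport, dst, dport, proto, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (proto, a, b) if a <= b else (proto, b, a)


def analyze(packets):
    """Count flows seen in only one direction and packets seen more than once."""
    senders = defaultdict(set)   # flow key -> endpoints observed sending
    seen = Counter()             # (flow key, sender ip, sender port, ip_id) -> occurrences
    for p in packets:
        key = flow_key(p)
        senders[key].add((p[0], p[1]))
        seen[(key, p[0], p[1], p[5])] += 1
    one_way = [k for k, s in senders.items() if len(s) < 2]
    return {
        "flows": len(senders),
        "one_way": len(one_way),
        # TCP is always bidirectional, so one-way TCP flows are the clearest sign
        # of a one-directional feed rather than a protocol that simply has no reply.
        "one_way_tcp": sum(1 for k in one_way if k[0] == "tcp"),
        "duplicates": sum(c - 1 for c in seen.values() if c > 1),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_PACKETS))
```

A large share of one-way TCP flows points at a tap with one port connected or an RX-only SPAN on a single trunk port; a high duplicate count points at TX and RX mirroring of overlapping ports.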
