Deep packet inspection, also known as DPI, is a method used for examination and management of network traffic.
It is a type of network packet filtering that can locate, categorize, block or reroute packets that conventional packet filtering does not detect.
Application Visibility and Enforcement protects networks against application-level threats.
1- Changes in Application Usage Patterns
Application usage patterns in the enterprise are changing, driven by the increased use of personal mobile devices, cloud-based (or Web 2.0) and peer-to-peer applications, and thin and virtual desktop clients. Distinguishing between different applications in this kind of environment is not straightforward with traditional IP address- and TCP/UDP port-based monitoring mechanisms. If applications cannot be properly classified, QoS and security policies cannot be enforced.
In this context, DPI is very useful. For real-time traffic, for example, it makes it possible to prioritize traffic from real-time communication platforms such as Skype or Rainbow, avoiding cuts and disconnections, which increases the usage rate and improves the user experience.
Application Analytics on the OmniSwitch 6860/6860E addresses the challenge of real-time classification of traffic at the application layer, enabling IT to monitor and enforce differential Security (allow/block) and QoS (priority, bandwidth) policies in alignment with business goals.
Figure 1 – Application Analytics
2- Functional Components and Operation
The Application Analytics feature relies on a combination of hardware and software components. The main goal is to apply policies in real time to these applications and manage their traffic. Once an application has been identified, the hardware can recognize its traffic and prioritize it.
Figure 2- Functional components
Flow Tracker (FT): The Flow Tracker is a hardware component in the OmniSwitch 6860/6860E ingress pipeline. The Flow Tracker can keep track of up to 8K IPv4 or 4K IPv6 flows. Each flow is recorded as a 5-tuple entry: Source IP, Destination IP, Source Port, Destination Port, Protocol (TCP/UDP). The FT has the capability of mirroring up to 15 initial packets to the SME running on the OmniSwitch 6860E External CPU.
External CPU: The External CPU is a hardware component and is independent from the main CPU. The External CPU runs the Signature Matching Software that identifies the application based on up to 15 initial mirrored packets. External CPU is only present on OmniSwitch 6860E models. Non-E OmniSwitch 6860 models do not have this external CPU.
Signature Matching Software (SMS): This software component runs on the OmniSwitch 6860E External CPU and identifies the application based on up to 15 initial mirrored packets. Once a positive match is made, the result is reported back to the AppMon Manager on the OmniSwitch 6860/6860E.
Application Monitoring Process (AMP): This software component runs on the OmniSwitch 6860/6860E main CPU. Upon receiving a positive match from the SMS, AMP will check if the application is associated to a UNP policy list and retrieve the list of applicable policy rules. These policy rules and actions will then be programmed back in the FT for activating the entry and enforcing the policies on subsequent packets.
Signature Kit: Applications are identified through various means such as REGEX, DNS correlation or SSL Certificate correlation in the case of HTTPS-encrypted traffic. The Signature Kit is the set of rules used to match applications by the SMS. Alcatel-Lucent Enterprise regularly updates the Signature Kit. Updated Signature Kits can be pushed to the OmniSwitch 6860E External CPU either manually or automatically with OmniVista 2500 NMS-E.
OmniVista 2500 NMS-E: OmniVista performs various functions: 1) Configuration of Application Analytics Profiles 2) Visualization of Application Analytics Monitoring Data 3) Automatic retrieval and update of Signature Kit files.
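The following added example (not code from Alcatel-Lucent Enterprise or from the original article) models the Flow Tracker, SMS and AMP interaction described above, to show which packets of a flow a policy actually applies to. The signature regexes, the policy actions and the default "forward" behaviour for packets seen before a policy is programmed are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

MAX_IPV4_FLOWS = 8192   # "8K" IPv4 flows tracked by the Flow Tracker
MAX_MIRRORED = 15       # initial packets mirrored to the SMS per flow

# Constructed stand-ins: Signature Kit (app -> payload regex), UNP policy list (app -> action).
SIGNATURE_KIT = {
    "http": re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"),
    "ssh": re.compile(rb"^SSH-2\.0-"),
}
POLICY_LIST = {"ssh": "block", "http": "priority-high"}

@dataclass
class FlowEntry:
    mirrored: int = 0
    app: Optional[str] = None
    action: Optional[str] = None   # set once AMP programs the entry

def sms_match(payload: bytes) -> Optional[str]:
    """SMS role: name of the first signature that matches, else None."""
    return next((a for a, p in SIGNATURE_KIT.items() if p.search(payload)), None)

class FlowTracker:
    def __init__(self) -> None:
        self.flows: dict = {}      # 5-tuple -> FlowEntry

    def ingress(self, five_tuple: tuple, payload: bytes) -> str:
        """Return the action applied to this packet."""
        entry = self.flows.get(five_tuple)
        if entry is None:
            if len(self.flows) >= MAX_IPV4_FLOWS:
                return "forward"            # assumption: table full, flow untracked
            entry = self.flows[five_tuple] = FlowEntry()
        if entry.action is not None:
            return entry.action             # policy already programmed in the FT
        if entry.mirrored < MAX_MIRRORED:
            entry.mirrored += 1             # a copy goes to the SMS
            app = sms_match(payload)
            if app is not None:             # AMP role: look up policy, program the FT
                entry.app = app
                entry.action = POLICY_LIST.get(app, "forward")
        return "forward"                    # assumption: default until programmed

    def unclassified(self) -> list:
        """Flows that used up the mirror window without a signature match."""
        return [k for k, e in self.flows.items() if e.app is None and e.mirrored >= MAX_MIRRORED]
```

Because the policy is enforced on subsequent packets, the packet that produced the match is itself forwarded; flows returned by `unclassified()` are the ones for which monitoring has no application label.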
3- Supported Hardware and Software
Application Analytics is supported in the following hardware configurations:
- Standalone OmniSwitch 6860E
- Homogeneous OmniSwitch 6860E Virtual Chassis
- Mixed OmniSwitch 6860/6860E Virtual Chassis
Application Analytics is not supported in the following hardware configurations:
- Standalone OmniSwitch 6860
- Homogeneous OmniSwitch 6860 Virtual Chassis
Figure 3- Supported Hardware Configurations
The Application Analytics feature described in this Technical Article is supported on the following software releases:
- AOS 8.2.1R01 or later
- OmniVista 4.2.1R01 or later
A minimum of 1 OS6860E, either as Standalone or in a VC, is required because only the OS6860E has the external CPU that runs the Signature Matching software. In a VC, a ratio of at least 1 OS6860E for every 2 OS6860 is recommended.
4- Deployment Guidelines
Please consider the following deployment guidelines:
- Application Analytics is an Access Layer feature. It is only supported when the switch or VC is deployed at the Access Layer. It is not supported when the switch or VC is deployed at the Aggregation or Core Layers.
- Application Analytics is only supported on individual ports. It is not supported on LAG ports.
- Application Analytics should be enabled on Access Ports only.
- Enabling Application Analytics on Uplink Ports is possible, but not recommended.
- Application Analytics should not be enabled on both Access and Uplink Ports simultaneously.
- Application Analytics only supports IP traffic (TCP/UDP).
- Application Analytics does not support tunnelled, encrypted or fragmented traffic (supported only if the initial fragmented packet contains the signature).
- Application Analytics is not supported on SPB Access (SAP) or Backbone ports.
- Application Analytics and collection of SPB Service Statistics are mutually exclusive on the same switch.