Using sFlowTrend to analyse IEEE 802.1ah (PBB or MAC-in-MAC) traffic

The Provider Backbone Bridges (PBB or MAC-in-MAC) standard IEEE 802.1ah defines an architecture and protocol that allows service providers to build large, scalable ethernet bridged networks, interconnecting multiple Provider Bridge networks without losing each customer's individually defined VLANs. It operates using a MAC tunnelling scheme in which a customer packet, including MAC addresses, is encapsulated in a new ethernet frame with new MAC addresses (the backbone bridge MAC addresses). This eliminates the need for backbone core bridges to learn all MAC addresses of every customer and provides complete separation of provider and customer domains. However, visibility of both the backbone traffic and the encapsulated customer traffic is important for troubleshooting configuration problems and managing performance. sFlowTrend (version 6.5 onwards) understands the IEEE 802.1ah frame format, decoding the outer backbone header and the inner customer frame. Here is an example of using sFlowTrend-Pro to gain full visibility of traffic in a PBBN.

The diagram below illustrates a typical IEEE 802.1ah PBB frame and shows the key fields used by sFlowTrend-Pro to represent the header fields. The sFlowTrend-Pro help gives a full list of the MAC, VLAN, priority, and IEEE 802.1ah key fields.

One way to view the details of traffic in a PBBN, is to use the Network > Top N tab and create a custom top N chart.

In this example we have build a custom top N chart showing the backbone header fields and the MAC and IP addresses and VLAN in the customer frame. Selecting this custom top N chart from the Chart selection list, generates a chart showing the details of the PBB traffic.

Using sFlowTrend to analyse tunnelled and encapsulated traffic

Layer 3/4 tunnels (Geneve, GRE, NVGRE, VXLAN) are often used to virtualise network services so that communication between virtual machines can be provisioned and controlled without dependencies on the underlying network. Hiding the physical network topology is a useful abstraction which offers a significant benefit of operational flexibility, however lack of visibility into the physical and virtual network can result in poorly placed workloads, inefficient use of resources and as a consequence, performance problems. sFlowTrend-Pro v6.5 provides the comprehensive visibility into tunnelled traffic which is essential for effective management of these more complex environments. Here is an example of how you can use sFlowTrend-Pro to understand and analyse tunnelled traffic.

sFlowTrend-Pro recognises VXLAN tunnelled traffic using the well known port UDP 4789. It then decodes the encapsulated packet in the UDP payload and stores the encapsulated packet header fields using key fields such as sourceAddress.1, destinationAddress.1 etc. It also records the VXLAN Network Identifier (VNI). The sFlowTrend-Pro help includes a section on L3/4 encapsulations which lists the key fields available for tunnelled traffic. One way to view a VXLAN tunnel is to Network > Top N tab and select the Top source-destination flows chart and then add a filter isVXLAN:

If you click on the source and destination address in the legend, you can also add the tunnel end points to the filter:

To see the traffic inside the tunnel, you can build a custom top N chart (click on the edit button next to the Chart selection list):

In this example we have built a custom Top N chart with fields vni, sourceAddress.1, sourcePort.1, destinationAddress.1, destinationPort.1. Selecting this custom top  N chart from the Chart selection list, generates a chart showing the details of the traffic flows carried by the tunnel that we are filtering on:

You can use a similar technique to look at traffic flows carried by other tunnelling protocols (Geneve, GRE, NVGRE).

You can also create reports using the Reports tab and creating a query section using Advanced settings to select key fields for encapsulated packets.