Traffic in a computer network can be analyzed in order to improve real-time decision-making for network operations, security techniques, etc. Often the traffic is acquired at numerous entry points by a variety of devices and/or applications to provide extensive visibility of network flow and security. This network of devices and appliances, which may include physical devices, virtual devices, and Software Defined Networking (SDN)/Network Functions Virtualization (NFV) environments, may be collectively referred to as the computer network's visibility fabric. Given the complexity often present in many network infrastructures, it is increasingly important to have a management model that provides visibility into infrastructure blind spots and allows responsive action to be rapidly applied.
A common scenario in a computer network involves a network appliance receiving a stream of data packets (e.g., from a network tap) and filtering the data packets (among other possible functions) by applying filtering rules that reside within an internal ternary content-addressable memory (TCAM) of the network appliance. Filtering may be done for various purposes, such as monitoring network flow, managing network operations, and identifying security threats to the computer network. Efficient and effective traffic filtering is more important than ever before, particularly in light of increases in the amount of traffic generally traversing computer networks, the danger posed by security threats to computer networks, and the complexity of those security threats.
The TCAM commonly used to store filtering rules in a network appliance is, however, limited in the number of filtering rules that it can store. Consequently, the filtering capabilities of the network appliance, and therefore the visibility fabric as a whole, are also limited.
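The rule-table limit described above can be seen in a small model, added here as an illustration and not taken from any appliance's implementation. It assumes a 48-bit key built from destination IPv4 address and destination port, a table of two entries, and hypothetical action names (`copy-to-ids`, `drop`, `pass`); all addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TernaryRule:
    value: int   # bit pattern to compare against
    mask: int    # 1 = bit must match, 0 = "don't care" (the ternary state)
    action: str  # hypothetical action label

    def matches(self, key: int) -> bool:
        return (key & self.mask) == (self.value & self.mask)

class TcamFull(Exception):
    """Raised when the rule table has no free entries."""

class Tcam:
    def __init__(self, capacity: int):
        self.capacity = capacity
        self.rules = []

    def install(self, rule: TernaryRule) -> None:
        if len(self.rules) >= self.capacity:
            raise TcamFull(f"all {self.capacity} entries in use")
        self.rules.append(rule)

    def lookup(self, key: int, default: str = "pass") -> str:
        # Hardware compares every entry in parallel and returns the
        # highest-priority hit; this loop models that as first match wins.
        for rule in self.rules:
            if rule.matches(key):
                return rule.action
        return default

def make_key(dst_ip: str, dst_port: int) -> int:
    return (int(ipaddress.IPv4Address(dst_ip)) << 16) | dst_port

def make_rule(cidr: str, dst_port, action: str) -> TernaryRule:
    net = ipaddress.IPv4Network(cidr)
    port_mask = 0 if dst_port is None else 0xFFFF  # None = any port
    value = (int(net.network_address) << 16) | (dst_port or 0)
    return TernaryRule(value, (int(net.netmask) << 16) | port_mask, action)

def demo():
    tcam = Tcam(capacity=2)  # constructed, deliberately tiny table
    tcam.install(make_rule("10.0.0.0/8", 443, "copy-to-ids"))
    tcam.install(make_rule("192.0.2.0/24", None, "drop"))
    try:
        tcam.install(make_rule("198.51.100.0/24", 53, "copy-to-ids"))
        overflow = False
    except TcamFull:
        overflow = True
    packets = [("10.1.2.3", 443), ("10.1.2.3", 80),
               ("192.0.2.7", 22), ("198.51.100.9", 53)]
    return overflow, [tcam.lookup(make_key(ip, p)) for ip, p in packets]
```

The last sample packet would have been copied for inspection by the third rule, but because that rule could not be installed it falls through to the default action, which is the loss of visibility the capacity limit causes.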
Traffic traversing a computer network is often filtered and analyzed to identify security threats and/or bottlenecks in the flow and take appropriate action(s). Generally, an edge device (e.g., router, firewall, network tap) is configured to examine the traffic at an access point and to create a copy of the traffic for further analysis. For example, the copied stream of data packets may be transmitted to a visibility fabric that includes one or more network appliances (also referred to herein as “visibility nodes”) that filter and/or analyze the data packets. The visibility fabric typically does not include the edge devices (sometimes referred to as “source nodes”) that exchange data on the computer network or tools configured to analyze the stream of data packets after they have been filtered (also referred to as “destination nodes”). The network appliances can also be configured to forward some or all of the data packets downstream for further analysis.