Table of Contents
Advertisement
How to enable packet deduplication in a rule
In a rule, you can enable packet deduplication. Any duplicate ingress packets, coming from network ports
connected to the rule, are removed before being forwarded to tool ports and ultimately your analysis tools.
Prerequisite(s):
These steps require that at least one rule exists in your rules library. You can create a new rule if necessary.
While duplicate packets are determined by how your layout properties are configured, the actual
implementation of the packet deduplication feature is still controlled on a per-rule basis. This ensures that
individual rules remain the deciding factor if packet deduplication is enabled or not. When packet deduplication
is enabled in a rule, however, the deduplication behavior is always controlled by the layout the rule is used in.
To enable packet deduplication in a rule:
1. Starting in the dashboard, click Rules.
The rules and filters designer appears, where rules and filters can be created and edited.
2. Ensure the Rules tab is selected.
3. Click a rule from the list.
The rule opens and is ready to edit.
4. Select Deduplicate.
If selected, hardware-accelerated packet deduplication removes duplicate ingress packets in real time.
Note:
Criteria for determining if a packet is a duplicate is configurable in the layout properties.
5. Click Save.
Packet deduplication is now enabled in the rule. Connecting this rule between network and tool ports causes
the removal of duplicate ingress packets. Due to this, no duplicate packets are forwarded to tool ports, and
therefore none are forwarded to your analysis tools.
Understanding packet deduplication
Duplicate packets lower the statistical accuracy of analysis, increase network link saturation, and can interfere
with tools. Packet deduplication removes duplicate packets and helps you avoid those situations.
A duplicate packet is any packet that is identical to another packet within 600 milliseconds or 6000 packets,
whichever comes first. The packet header is inspected and all fields must be identical. Any packet that falls
outside of that range is considered unique to ensure throughput for your network.
Duplicate packets are tracked on a per connection basis. If two identical packets are received on two different
network ports, they are tracked and one is marked as a duplicate as long as both packets pass through the same
connection.
Identifying duplicate packets from a SPAN/mirror port or TAP is relatively straight forward because those devices
send multiple copies of the same packet. However, there are some situations where the header has been
modified slightly during the packet's journey. These situations require some fine-tuning of the deduplication
settings to ignore those fields that were modified before the duplicate packet is received.
What is deduplication and why do I need it?
Deduplication is useful when multiple copies of the same packet are received, but only a single copy should be
recorded and forwarded out the tool ports.
Duplicate traffic is part of any network environment and is unavoidable. However, reducing duplicate packets
as much as possible helps ensure your network is more efficient. It also allows your tools to be more accurate.
How to enable packet deduplication in a rule | 41
Advertisement
Table of Contents
