US-20260128998-A1 - ROLE-BASED TELEMETRY
Abstract
In a network, a network device can determine a role for a client device coupled to a first port of the network device. The network device can then determine a set of telemetry parameters associated with the role. The network device can also determine a flow identifier of a data flow received from the client device via the first port. Subsequently, the network device can identify a respective packet in the data flow associated with the flow identifier. The network device can then record, based on a telemetry process of the network device, the set of telemetry parameters associated with the packet.
Inventors
- TATHAGATA NANDY
- Renjith VIJAYAN
- Venkatavaradhan Devarajan
- Vijeesh Erankotte PANAYAMTHATTA
- Vishnu Govind Mohanakumar Kusumakumari
- Vinay Kumar Vishwakarma
Assignees
- HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Dates
- Publication Date: 20260507
- Application Date: 20250130
- Priority Date: 20241106
Claims (20)
- 1. A method, comprising: determining, by a network device, a role for a client device coupled to a first port of the network device; determining a set of telemetry parameters associated with the role; determining a flow identifier of a data flow received from the client device via the first port; identifying a respective packet in the data flow associated with the flow identifier; and recording, based on a telemetry process of the network device, the set of telemetry parameters associated with the packet.
- 2. The method of claim 1, further comprising: identifying, at an upstream port of the network device, a reverse data flow destined to the client device based on the flow identifier; and recording, based on the telemetry process, the set of telemetry parameters from a respective packet in the reverse data flow received at the upstream port.
- 3. The method of claim 1, further comprising: detecting the client device at a second port of the network device; and recording, based on the telemetry process, the set of telemetry parameters from a respective packet received from the client device via the second port.
- 4. The method of claim 1, further comprising maintaining, in a data structure, a mapping between the role and the set of telemetry parameters, wherein a respective entry of the data structure comprises a mapping between a role and a corresponding set of telemetry parameters.
- 5. The method of claim 1, further comprising determining the role of the client device based on authentication credentials received from the client device from the first port.
- 6. The method of claim 1, wherein the flow identifier comprises one or more of: a source Internet Protocol (IP) address; a destination IP address; a source protocol port; a destination protocol port; and a transport protocol.
- 7. The method of claim 1, wherein recording the set of telemetry parameters further comprises: performing a deep-packet inspection (DPI) on the packet; and recording, based on the DPI, respective values of the set of telemetry parameters from the packet.
- 8. The method of claim 1, further comprising forwarding the set of telemetry parameters recorded from the packet to a collector device.
- 9. The method of claim 1, further comprising: determining whether telemetry is enabled for the role; and in response to telemetry being enabled for the role, recording, based on the telemetry process, the set of telemetry parameters from the data flow.
- 10. A non-transitory computer-readable storage medium storing instructions to: determine, by a network device, a role for a client device coupled to a first port of the network device; determine a set of telemetry parameters associated with the role; determine a flow identifier of a data flow received from the client device via the first port; identify a respective packet in the data flow associated with the flow identifier; and record, based on a telemetry process of the network device, the set of telemetry parameters associated with the packet.
- 11. The non-transitory computer-readable storage medium of claim 10, wherein the instructions are further to: identify, at an upstream port of the network device, a reverse data flow destined to the client device based on the flow identifier; and record, based on the telemetry process, the set of telemetry parameters from a respective packet in the reverse data flow received at the upstream port.
- 12. The non-transitory computer-readable storage medium of claim 10, wherein the instructions are further to: detect the client device at a second port of the network device; and record, based on the telemetry process, the set of telemetry parameters from a respective packet received from the client device via the second port.
- 13. The non-transitory computer-readable storage medium of claim 10, wherein the instructions are further to maintain, in a data structure, a mapping between the role and the set of telemetry parameters, wherein a respective entry of the data structure comprises a mapping between a role and a corresponding set of telemetry parameters.
- 14. The non-transitory computer-readable storage medium of claim 10, wherein the instructions are further to determine the role of the client device based on authentication credentials received from the client device from the first port.
- 15. The non-transitory computer-readable storage medium of claim 10, wherein the flow identifier comprises one or more of: a source Internet Protocol (IP) address; a destination IP address; a source protocol port; a destination protocol port; and a transport protocol.
- 16. The non-transitory computer-readable storage medium of claim 10, wherein, to record the set of telemetry parameters, the instructions are further to: perform a deep-packet inspection (DPI) on the packet; and record, based on the DPI, respective values of the set of telemetry parameters from the packet.
- 17. The non-transitory computer-readable storage medium of claim 10, wherein the instructions are further to forward the set of telemetry parameters recorded from the packet to a collector device.
- 18. The non-transitory computer-readable storage medium of claim 10, wherein the instructions are further to: determine whether telemetry is enabled for the role; and in response to telemetry being enabled for the role, record, based on the telemetry process, the set of telemetry parameters from the data flow.
- 19. A computer system, comprising: a processing resource; a memory; and a non-transitory computer-readable storage medium storing instructions that when executed by the processing resource cause the computer system to: determine a role for a client device coupled to a first port of the computer system; determine a set of telemetry parameters associated with the role; determine a flow identifier of a data flow received from the client device via the first port; identify a respective packet in the data flow associated with the flow identifier; and record, based on a telemetry process of the computer system, the set of telemetry parameters associated with the packet.
- 20. The computer system of claim 19, wherein the instructions that when executed by the processing resource cause the computer system to: identify, at an upstream port of the computer system, a reverse data flow destined to the client device based on the flow identifier; and record, based on the telemetry process, the set of telemetry parameters from a respective packet in the reverse data flow received at the upstream port.
Description
BACKGROUND
A network device, such as a switch, may support different network technologies, such as network telemetry. For example, the network device can collect data from packets of different data flows and provide the collected data to a network analyzer.
BRIEF DESCRIPTION OF THE FIGURES
FIG. 1A illustrates an example of a network supporting role-based telemetry for client devices, in accordance with an aspect of the present application.
FIG. 1B illustrates an example of a network supporting role-based telemetry for a roaming client device, in accordance with an aspect of the present application.
FIG. 2 illustrates examples of respective mappings between a role and a corresponding set of telemetry parameters, in accordance with an aspect of the present application.
FIG. 3A presents a flowchart illustrating an example of a process of a network device applying role-based telemetry on a data flow from a client device, in accordance with an aspect of the present application.
FIG. 3B presents a flowchart illustrating an example of a process of a network device applying role-based telemetry on a reverse data flow destined to a client device, in accordance with an aspect of the present application.
FIG. 4 presents a flowchart illustrating an example of a process of a network device applying telemetry on a packet from a client device, in accordance with an aspect of the present application.
FIG. 5 presents a flowchart illustrating an example of a process of a network device applying role-based telemetry on a data flow from a roaming client device, in accordance with an aspect of the present application.
FIG. 6 illustrates an example of a computing system facilitating role-based telemetry, in accordance with an aspect of the present application.
FIG. 7 illustrates an example of a computer-readable medium (CRM) facilitating role-based telemetry, in accordance with an aspect of the present application.
In the figures, like reference numerals refer to the same figure elements.
DETAILED DESCRIPTION
The volume of traffic generated by various applications on user devices continues to increase. To efficiently forward and manage the traffic in a network, the network devices can be equipped with versatile capabilities, such as role-based traffic segmentation (RBTS). Since the devices with the same roles form a device group, RBTS can also be referred to as group-based traffic segmentation (GBTS). Typically, when a client device is coupled to a network, the client device can become associated with a role, which corresponds to a set of privileges allocated to the client device. If a packet is sent to the client device (i.e., the client device is the destination of the packet), the role of the client device can be the destination role of the packet. On the other hand, if a packet is sent from the client device (i.e., the client device is the source of the packet), the role of the client device can be the source role of the packet. A set of segmentation policies can indicate whether a destination role is allowed to receive traffic from a source role. For example, in an enterprise network, a client device in the engineering group can be associated with an “engineer” role. Consequently, the client device can receive traffic from the source roles (e.g., a “developer” role) that are allowed to send traffic to the engineer role. However, if the client device is associated with a “guest” role, the client device may not receive traffic from the developer role. Therefore, if a client device is not allowed to receive a packet from a source role, the network device coupled to the client device can refrain from forwarding the packet to the client device and may drop the packet. In this way, traffic segmentation can separate network traffic based on roles.
The aspects described herein address the problem of relying on manual configuration for performing telemetry for a client device by (i) maintaining a mapping between a role and a corresponding set of parameters associated with telemetry; and (ii) upon determining the role of a client device, recording values of the set of parameters associated with the role from the packets to and from the client device. These parameters can be referred to as telemetry parameters. When a client device authenticates itself based on the corresponding credentials, the network device can determine a role for the client device based on the authentication. The network device can then obtain the telemetry parameters (i.e., the parameters associated with telemetry) mapped to the role. The telemetry process of the network device can then start recording values of the telemetry parameters from the packets to and from the client device. Here, the telemetry process can be a piece of software running on at least one processing resource of the network device and can record values of the telemetry parameters from the packets to and from the client device. As a result, the network device can efficiently perform telemetr
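The mechanism the claims and the description set out, as an added Python example that is not part of the patent or of any HPE product: a switch-side model in which the role a client receives at authentication selects the telemetry parameters recorded from that client's forward flow, from the reverse flow matched on the swapped five-tuple at the uplink, and from a second port after roaming, with telemetry skipped for a role whose entry is disabled. The role names, parameter sets, credential table, port names and the `app` field standing in for a DPI-derived value are all constructed for illustration.

```python
"""Role-based telemetry on a switch (added example; roles, parameter names,
credentials and traffic below are constructed, not taken from the patent)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowId:
    """Five-tuple flow identifier: IP addresses, protocol ports, transport."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str

    def reverse(self) -> "FlowId":
        # The reverse flow destined to the client swaps both endpoints.
        return FlowId(self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)


@dataclass
class Packet:
    port: str        # ingress port on the switch (constructed names: "1/1", "uplink", ...)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    length: int
    app: str = ""    # stands in for a value a DPI engine would derive (constructed)

    def flow_id(self) -> FlowId:
        return FlowId(self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)


# Role -> telemetry parameters to record. None means telemetry is disabled
# for that role. Role names and parameter sets are constructed.
ROLE_TELEMETRY = {
    "engineer": ("src_ip", "dst_ip", "dst_port", "proto", "length", "app"),
    "guest": ("src_ip", "dst_ip", "length"),
    "printer": None,
}

# Constructed credential table standing in for the authentication backend.
CREDENTIALS = {"alice": "engineer", "visitor-7": "guest", "lj-floor2": "printer"}


class RoleTelemetry:
    def __init__(self, role_map=ROLE_TELEMETRY, credentials=CREDENTIALS):
        self.role_map = role_map
        self.credentials = credentials
        self.client_role = {}   # client IP -> role, learned at authentication
        self.tracked = {}       # FlowId of a client's forward flow -> role
        self.records = []       # what the switch would forward to a collector

    def authenticate(self, client_ip, credential):
        """Resolve a client's role from its credential; None if unknown."""
        role = self.credentials.get(credential)
        if role is not None:
            self.client_role[client_ip] = role
        return role

    def on_packet(self, pkt):
        """Record the role's telemetry parameters from one packet. Returns None when
        the packet belongs to no authenticated client or its role has telemetry off."""
        fid = pkt.flow_id()
        role = self.client_role.get(pkt.src_ip)
        if role is not None:
            direction = "forward"
            self.tracked[fid] = role      # remember the client's flow identifier
        else:
            # A packet whose reversed five-tuple matches a tracked client flow is
            # the reverse flow destined to that client (seen at the upstream port).
            role = self.tracked.get(fid.reverse())
            direction = "reverse"
        if role is None:
            return None
        params = self.role_map.get(role)
        if not params:
            return None                   # telemetry disabled for this role
        record = {"role": role, "direction": direction, "port": pkt.port}
        record.update({p: getattr(pkt, p) for p in params})
        self.records.append(record)
        return record


def demo():
    """Constructed traffic: alice (engineer) on port 1/1 opens a TLS flow, the
    server replies via the uplink, alice roams to port 1/2, a guest and a
    printer send traffic, and an untracked flow arrives at the uplink."""
    sw = RoleTelemetry()
    sw.authenticate("10.1.1.10", "alice")
    sw.authenticate("10.1.1.20", "visitor-7")
    sw.authenticate("10.1.1.30", "lj-floor2")
    packets = [
        Packet("1/1", "10.1.1.10", "203.0.113.5", 51000, 443, "tcp", 517, "tls"),
        Packet("uplink", "203.0.113.5", "10.1.1.10", 443, 51000, "tcp", 1400, "tls"),
        Packet("1/2", "10.1.1.10", "203.0.113.5", 51000, 443, "tcp", 88, "tls"),
        Packet("1/3", "10.1.1.20", "203.0.113.9", 40000, 80, "tcp", 300, "http"),
        Packet("1/4", "10.1.1.30", "10.1.1.1", 9100, 9100, "tcp", 64, ""),
        Packet("uplink", "198.51.100.1", "10.1.1.99", 53, 40000, "udp", 120, "dns"),
    ]
    return [sw.on_packet(p) for p in packets]


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The reverse-flow match keys only on the swapped five-tuple of a flow the client already sent, so a packet arriving at the uplink for an address that never authenticated produces no record; keying the role on the client rather than on the port is what lets the same parameter set follow the client to a second port.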