Network Monitoring and Analysis Techniques Using Taps and SPAN Switches

Table of contents
Abstract
The network
Security
Monitoring the network
Hubs
SPAN ports
Taps
Multi-port in-line taps
In-line taps and media considerations
SPAN solutions
Summary
Glossary
Abstract

Networks have evolved into complex structures supporting critical business processes and communications. As this complexity has increased, network monitoring, analysis and troubleshooting solutions have filled the gap required to keep services up and running smoothly. A common way to improve the return and effectiveness of network management solutions is to leverage network taps and switching taps for increased visibility, manageability and flexibility. This white paper reviews common network monitoring strategies and how taps and switching taps work. It shows how these devices can be used to minimize network access contention and improve the effectiveness of network analysis solutions.

The network

Networks have evolved, and so have the solutions used to keep them up and running smoothly. Today's IT groups, which previously fought basic connectivity issues, are more concerned with application performance and security. To manage these issues effectively, knowledgeable IT departments combine their network management solutions with a broad range of network taps and switches to help identify, troubleshoot and monitor network behavior.

Network monitoring, analysis and troubleshooting has progressed since early Ethernet networks provided shared access to all applications and users. Early network designs allowed IT technicians to monitor and access networks by simply plugging a protocol analyzer into any hub port. A flat network design ensured that network problems could be seen no matter where the analysis port was located. This type of troubleshooting focused on physical and data link layer issues such as error packets, broadcast storms, high utilization and duplicate MAC addresses. In the 1990s, MAC layer (layer 2) and network layer (layer 3) switches began increasing network complexity by hiding errors that had previously been easy to see.
A technician could no longer plug into a hub and see symptoms as they appeared across the whole network. While switched networks were good at isolating network problems, they also hid those problems from diagnosis and resolution. To improve visibility, many companies adopted a distributed network monitoring and troubleshooting framework, placing remote monitoring devices on strategic parts of the network for increased visibility and troubleshooting capability. Where distributed monitoring is not available, IT staff use portable analysis devices plugged into hot spots for analysis.

The need for greater access to the network has become increasingly important to those responsible for maintaining its performance and uptime. Switching of packets based on network or MAC layer addresses is now the norm, and IT departments see further complexity being introduced by application switching and Quality of Service (QoS) based routing. While these technologies offer the ability to control application performance, the trade-off for IT is uncertainty about which of many routes application traffic takes from server to end user. This creates a greater need for visibility at the multiple points on different network segments where that uncertainty is introduced.

Meanwhile, the number of network monitoring and troubleshooting devices available to IT departments continues to grow. With growing complexity in the network and reduced IT staffing, organizations need more effective ways to manage, understand, troubleshoot and even modify the behavior of communications and applications. The following list summarizes the general categories of products commonly deployed on the network to manage and troubleshoot it.

Protocol analyzers: the age-old grandfather of almost all network management tools. Protocol analyzers provide a view of the packets, with valuable timing and communications decoded from binary to plain text. To a lesser extent, protocol analyzers also provide statistical analysis of the traffic on a 24x7 basis.
Network monitoring probes: these devices commonly support the RMON and RMON2 standards for statistical analysis of network performance. SNMP support provides the communications necessary to consolidate the information from many probes into a centralized reporting application.

Application performance monitoring: these devices analyze the performance of applications running on the network. Degradation of application response is detected in real time, allowing IT staff to troubleshoot the problem before end users are substantially impacted.

Web content monitoring systems: these solutions are a specialized breed of application performance monitoring device that focuses on HTTP traffic.

Security

The change to switched network architectures in the 90s was accompanied by a new area of responsibility in the IT department: security administration. As organizations expanded their networks for business competitiveness, the data on them grew in value and importance. Customer information, financial data, marketing and voice communications are all now served by the network. High-profile network infiltrations have compounded the need to ensure that the network, and the data on it, is secure. The growth of black-hat hackers and crackers has led to some very costly network compromises, making security a top priority within the IT organization. With this new responsibility came additional needs for access to the data traveling over the network media. The general categories of security products commonly deployed on the network to manage and protect it include:

Intrusion detection solutions (IDS): use a promiscuous NIC to analyze every packet on the network for specific signatures (string signatures, port signatures and header condition signatures) and anomalous statistics which could indicate an intrusion.

Intrusion prevention solutions (IPS): act on an intrusion once it has been detected. An IPS sits in the traffic path and can drop or block offending traffic, or shut off or reconfigure the devices that are passing invasive traffic or being attacked. Because an in-line IPS is part of the forwarding path, its own failure or latency affects production traffic in a way that a passively connected IDS does not.

Monitoring the network

IT departments have seen an increased need for access to the network for monitoring and analysis because:

Greater segmentation of the network results in more locations that need to provide access for troubleshooting and monitoring solutions.
The number of monitoring and analysis solutions deployed on the network has increased.
SPAN port availability, and authorization to use SPAN ports, is limited.

As discussed previously, the need to access network traffic has grown over the past two decades. Additional pressure is also being placed on organizations to use network management equipment effectively across a greater part of the network. What might not be apparent to IT organizations is the availability of new solutions that can relieve the pressure on network access and increase the return delivered by each network management device. The rest of this paper discusses how network taps and SPAN switches can be used to manage network uptime and performance effectively.

You would think that access for network and security management devices would be straightforward: simply plug your device into the network and start analyzing with your solution(s) of preference. However, because of the network design changes discussed earlier, accessing the data has become more of a challenge. There are three ways analysis devices currently connect to a network in order to monitor traffic:

Hubs
SPAN or mirror ports
In-line taps
Hubs

Hubs are the most traditional way of gaining shared access to a network. In theory, these inexpensive devices repeat everything, good or bad, to all ports on the hub. Unfortunately, most hubs these days are not as open as expected in their forwarding rules. It is common to find devices labeled hubs that act as bridges, switches or even routers; a dual-speed 10/100 hub, for example, contains a bridge between its 10 Mb/s and 100 Mb/s collision domains, so frames with errors on one side never reach an analyzer on the other. This limits the ability of an analysis device to see problem packets on a segment when the hub is not forwarding them. When using a hub in series between two devices, you must also remember that a hub forces a full duplex link to half duplex. Any performance advantage gained by full duplex is then lost, and the collisions that result are themselves a change to the traffic being analyzed.

Figure 1: A network probe connected between a server and switch via a common hub

Pros and cons of hubs to access a network

Pros
Inexpensive and easily available

Cons
Must be tested in order to understand the forwarding rules being employed
Will force a full duplex link to half duplex
Hubs become an active part of the network, and therefore an additional point of failure

SPAN ports

When layer 2 network switches were first introduced, manufacturers did not provide a way for network troubleshooting devices to view packets from the backplane or a specific port. In response, SPAN (or mirror) ports were added to allow protocol analyzers and other network monitoring devices to be attached to the switch. The SPAN port is now a common means of accessing network traffic on switched networks. Unfortunately, many switch models only allow one or two SPAN sessions to be active on a device, resulting in a shortage of these strategic listening posts. Plugging, unplugging and reconfiguring SPAN ports is possible, but usually not practical when troubleshooting needs to take place in real time and the engineers who configure SPAN sessions are not always available. For monitoring solutions designed for 24x7 operation, this scenario is not practical.
Figure 2: The increased use of network analysis devices has created contention for SPAN ports.
Almost all corporate-class layer 2 and 3 switches offer the ability to set up SPAN configurations for packet monitoring and analysis. SPAN configurations allow traffic from one or more switch ports to be copied and forwarded to a single analysis port. Spanning is economical and fairly easy to use. It provides visibility across the backplane of a switch from all ports, a group of ports, or a specific VLAN served by the switch. This consolidation of traffic is useful when analysis needs to occur across multiple links or segments. Unfortunately, the ability to replicate traffic in a SPAN session has a few drawbacks.

Figure 3: SPAN ports were introduced by switch manufacturers so network monitoring devices could view network data across the backplane of the switch.

First, SPAN configurations are not protected against oversubscription of the monitor port. A single full duplex port spanned in both directions can offer twice the line rate to a monitor port of the same speed, and spanning several ports or a whole VLAN multiplies that. When the SPAN configuration sends more traffic to the monitor port than that port's speed can carry, the excess is buffered and then silently dropped; the analyzer has no way of knowing which frames were lost. Second, since mirrored packets pass through the switch's buffers and are retimed, accurate time-sensitive measurements such as jitter, packet gap analysis or latency are difficult to obtain. Finally, most mirror ports do not forward frames with physical layer errors, and many strip VLAN tags by default (some switches can be configured to preserve the tags on the destination port), making troubleshooting a challenge. The filtering, buffering and forwarding process also puts a load on the switch's CPU or forwarding logic, possibly impacting the switch's operational performance.

While SPAN configurations are fairly straightforward, they can still cause problems when done incorrectly. A simple mistake in a SPAN configuration, such as selecting a port that carries production traffic as the SPAN destination (which on many switches removes that port from normal forwarding), can bring down a whole network or oversubscribe a critical network trunk. While spanning is a valuable solution for many companies, some network policies won't allow it because of the mission-critical nature of their networks. Still, SPAN port availability has led to its widespread adoption by security and network engineering IT groups. This, in turn, has led to contention for access to these windows into the network. Some of the taps described later in this paper address how to resolve some of the contention issues surrounding SPAN ports.

Pros and cons of SPAN access to the network

Pros
Readily available on most switches
Zero cost to implement
Can be remotely adjusted
Can forward full duplex traffic to a single interface device

Cons
SPAN ports block physical layer errors
VLAN tags are removed from packets on many switches, making VLAN analysis more difficult
Consumes a port on the switch
Some switch manufacturers only provide for one SPAN port configuration
SPAN port configuration can be tricky; an incorrect configuration setting can bring down the network
SPAN ports can be overcommitted by forwarding too much traffic
Excess burden on some switch models can cause their performance to deteriorate
Taps

Network taps provide network traffic visibility without relying on a SPAN port. Taps connect directly to a network link between two devices, similar to the way a hub is inserted on a network. However, a network tap does not actively participate in network switching, bridging or routing. As packets pass through a tap, a copy of the signal is forwarded to the monitoring port(s). The copy flows in one direction only: nothing the analyzer transmits reaches the production link, which is one reason taps suit security monitoring. If an in-line tap's power fails, the network link does not fail and connectivity between devices is maintained.

There are two types of in-line taps available on the market. A traditional in-line tap forwards each direction of data on a full duplex link as a separate data flow to the monitor ports on the tap. The monitoring or analysis device recombines the traffic through dual NICs, using a common clock for packet timing. The greatest benefit of traditional in-line taps is support for full line rate data flows and accurate interpacket timing. Their limitation is the need for dual NIC devices that can recombine the two streams using a common clock. Most often in-line taps are placed on switch trunks, switch/router trunks, or critical server links.

Figure 4: Schematic of a traditional in-line tap as installed on a switch trunk.

Aggregating in-line taps simplify the analysis of full duplex data streams for single NIC solutions (typically developed for SPAN use). An aggregating in-line tap combines the data from both the Rx and Tx directions and outputs it as a single data stream. Single port analysis and monitoring devices can then tap in-line on a full duplex link and see both directions of traffic while maintaining accurate inter-packet timing. The cost is capacity: two directions that can each run at line rate are squeezed into one monitor port of the same speed. While most Ethernet networks maintain fairly low utilization, an aggregation tap on a link whose combined traffic in both directions exceeds the monitor port's line rate (for example, more than 50% utilization in each direction at the same time) will fill its buffer and drop packets, since it is not possible to pass high rate full duplex traffic through a single connection of the same speed.

Figure 5: Schematic of an aggregating in-line tap with dual monitor ports.
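The dual-NIC recombination step for a traditional in-line tap, as an added worked example in Python (illustration code written for this page, not a Fluke tool and not anything from the paper). It writes and reads the classic pcap format, merges the two per-direction captures on their timestamps, and reports the inter-packet gaps of the recombined stream. The client and server captures are constructed; the MAC addresses, timestamps and payloads are assumed values.

```python
"""Recombine the two single-direction captures from a traditional in-line tap.

A traditional tap hands each direction of a full duplex link to its own
monitor port, so the analyzer records them on two NICs. Provided both NICs
stamp frames from one clock, a merge on timestamp reproduces the original
conversation with the inter-packet timing intact. Everything below is an
added illustration, not a Fluke tool; the sample captures are constructed.
"""
import heapq
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4          # written by little-endian hosts
PCAP_MAGIC_BE = 0xD4C3B2A1          # same magic as read from a big-endian file
GLOBAL_HDR = "IHHiIII"              # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"                 # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def write_pcap(records):
    """records: iterable of (timestamp_us, frame_bytes). Returns pcap file bytes."""
    out = [struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_us, frame in records:
        out.append(struct.pack("<" + RECORD_HDR, ts_us // 1_000_000, ts_us % 1_000_000,
                               len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(blob):
    """Yield (timestamp_us, frame_bytes) per record; accepts either byte order."""
    (magic,) = struct.unpack("<I", blob[:4])
    order = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if order is None:
        raise ValueError("not a pcap file")
    rec = struct.Struct(order + RECORD_HDR)
    off = struct.calcsize(order + GLOBAL_HDR)
    while off + rec.size <= len(blob):
        sec, usec, incl_len, _orig_len = rec.unpack_from(blob, off)
        off += rec.size
        frame = blob[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError(f"truncated record at offset {off}")
        off += incl_len
        yield sec * 1_000_000 + usec, frame


def merge_directions(pcap_a, pcap_b, label_a="A->B", label_b="B->A"):
    """Stable merge of two per-direction captures by timestamp (ties keep A first).
    Each capture must already be in time order, as a NIC capture is.
    Returns a list of (timestamp_us, direction_label, frame_bytes)."""
    a = ((ts, 0, label_a, frame) for ts, frame in read_pcap(pcap_a))
    b = ((ts, 1, label_b, frame) for ts, frame in read_pcap(pcap_b))
    return [(ts, label, frame) for ts, _, label, frame in heapq.merge(a, b)]


def inter_packet_gaps_us(merged):
    """Gaps between consecutive frames of the recombined stream, in microseconds."""
    return [merged[i][0] - merged[i - 1][0] for i in range(1, len(merged))]


def ethernet_frame(dst, src, payload, ethertype=0x0800):
    """Minimal Ethernet II frame; real frames are padded to 60 bytes, which does not matter here."""
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample captures: three client requests and four server responses,
# as the two monitor ports of a tap on the client-server link would deliver them.
CLIENT = bytes.fromhex("020000000001")
SERVER = bytes.fromhex("020000000002")
T0 = 1_700_000_000 * 1_000_000      # capture start, microseconds since the epoch
CLIENT_TO_SERVER = write_pcap([
    (T0 + 0,     ethernet_frame(SERVER, CLIENT, b"GET /")),
    (T0 + 2_500, ethernet_frame(SERVER, CLIENT, b"GET /next")),
    (T0 + 9_000, ethernet_frame(SERVER, CLIENT, b"GET /last")),
])
SERVER_TO_CLIENT = write_pcap([
    (T0 + 400,   ethernet_frame(CLIENT, SERVER, b"200 OK")),
    (T0 + 3_100, ethernet_frame(CLIENT, SERVER, b"200 OK")),
    (T0 + 9_300, ethernet_frame(CLIENT, SERVER, b"200 OK part 1")),
    (T0 + 9_900, ethernet_frame(CLIENT, SERVER, b"200 OK part 2")),
])


def recombined():
    """The full duplex conversation as a dual-NIC analyzer would reconstruct it."""
    return merge_directions(CLIENT_TO_SERVER, SERVER_TO_CLIENT,
                            "client->server", "server->client")


if __name__ == "__main__":
    stream = recombined()
    for ts, direction, frame in stream:
        print(f"+{ts - T0:>5} us  {direction:<15} {len(frame):>3} bytes")
    print("inter-packet gaps (us):", inter_packet_gaps_us(stream))
    with open("merged.pcap", "wb") as fh:
        fh.write(write_pcap((ts, frame) for ts, _, frame in stream))
```

The merge is only meaningful when both NICs stamp from one clock: with independent clocks a few hundred microseconds of offset is enough to place a response ahead of the request it answers, which is exactly the timing a SPAN port cannot give you and a traditional tap can. Ties keep the first capture's frame first, which is the sensible choice when the two monitor ports are known to have equal latency.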
Using the same technology as aggregating in-line taps, a dual link aggregation tap makes it possible to view traffic from two full duplex links on a single interface monitoring device. For redundant and asymmetric network designs, this allows network engineers to monitor both links with one analysis device and see packets no matter which path they travel. However, four directions of traffic now share one monitor port, so it can be oversubscribed by up to 4x, and it is recommended that a user first understand the traffic levels on the links being tapped.
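A capacity check for the aggregation cases in the last few paragraphs and for the SPAN oversubscription described earlier, added here as a worked example in Python (illustration code written for this page, not code from the paper or a Fluke tool). Every copied direction is treated as one flow; the script compares the line rate worst case and the measured peak against the monitor port's speed, and estimates how long a coincident peak can be absorbed by an egress buffer of a given size. The link speeds, utilization figures, port names and buffer sizes are constructed.

```python
"""Monitor port oversubscription check for SPAN sessions and aggregation taps.

Every copied direction of traffic is one flow. A port spanned in both
directions, an aggregating in-line tap, a dual link aggregation tap (four
directions) and a SPAN aggregation tap all pour several flows into one
monitor port that can only drain at its own line rate. Added illustration,
not a Fluke tool; the utilization figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    link_mbps: float    # line rate of the tapped or spanned link
    peak_util: float    # measured peak utilization of this one direction, 0.0 - 1.0

    def peak_mbps(self):
        return self.link_mbps * self.peak_util


def both_directions(name, link_mbps, rx_peak, tx_peak):
    """The two flows an aggregation tap (or a 'both'-direction SPAN source) copies
    from one full duplex link."""
    return [Flow(f"{name} rx", link_mbps, rx_peak), Flow(f"{name} tx", link_mbps, tx_peak)]


def worst_case_ratio(flows, monitor_mbps):
    """Offered load / port rate if every copied direction ran at line rate at once.
    This is the 2x (aggregating tap) and 4x (dual link tap) figure."""
    return sum(f.link_mbps for f in flows) / monitor_mbps


def peak_ratio(flows, monitor_mbps):
    """Offered load / port rate from the measured peaks, assuming they coincide,
    which is the right assumption for a 24x7 monitor."""
    return sum(f.peak_mbps() for f in flows) / monitor_mbps


def burst_headroom_ms(flows, monitor_mbps, buffer_bytes):
    """How long a coincident peak can last before a tap or switch egress buffer of
    buffer_bytes overflows and frames start to be dropped. None if the peak fits."""
    excess_mbps = sum(f.peak_mbps() for f in flows) - monitor_mbps
    if excess_mbps <= 0:
        return None
    excess_bytes_per_ms = excess_mbps * 1_000_000 / 8 / 1_000
    return buffer_bytes / excess_bytes_per_ms


def verdict(flows, monitor_mbps):
    """'ok' when even line rate traffic fits; 'peak-ok' when measured peaks fit but
    a traditional (dual port) tap would be needed for line rate capture;
    'drops' when the measured peaks already exceed the monitor port."""
    if worst_case_ratio(flows, monitor_mbps) <= 1.0:
        return "ok"
    if peak_ratio(flows, monitor_mbps) <= 1.0:
        return "peak-ok"
    return "drops"


# Constructed figures. A gigabit server link measured at 35% in / 60% out...
SERVER_LINK = both_directions("server", 1000, rx_peak=0.35, tx_peak=0.60)
# ...a dual link tap on two redundant gigabit trunks, one nearly idle today...
DUAL_LINK = (both_directions("trunk-a", 1000, 0.40, 0.30)
             + both_directions("trunk-b", 1000, 0.02, 0.02))
# ...and a SPAN session copying three 100 Mb/s access ports, both directions,
# to a 100 Mb/s monitor port.
SPAN_SESSION = sum((both_directions(f"fa0/{n}", 100, 0.25, 0.10) for n in (1, 2, 3)), [])

if __name__ == "__main__":
    for label, flows, port in (("aggregating tap", SERVER_LINK, 1000),
                               ("dual link tap", DUAL_LINK, 1000),
                               ("SPAN session", SPAN_SESSION, 100)):
        print(f"{label:<16} worst case {worst_case_ratio(flows, port):.1f}x  "
              f"measured peak {peak_ratio(flows, port):.2f}x  -> {verdict(flows, port)}")
```

Run as a script it prints one line per scenario; 'peak-ok' means the aggregating tap works for today's traffic, but a traditional tap and a dual port analyzer are needed if line rate capture is ever required, and the standby trunk in the dual link case will push the verdict to 'drops' the day it carries the same load as the active one. The buffer figure is an estimate only: taps and switches rarely publish their egress buffer depth, so treat a headroom of a few milliseconds as no headroom at all.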
Figure 6: A dual link in-line aggregation tap allows simultaneous packet analysis on either redundant link at the same time.

Pros and cons of in-line tap access to the network

Pros
In-line taps can provide visibility to physical layer errors
Do not require configuration
Full line rate monitoring possible with traditional in-line taps
Switch not burdened with the SPAN process
Simple plug and play access to the network
Inter-packet timing is maintained for analysis

Cons
Links need to be dropped for installation
Dual port analysis devices are required for line rate performance

Multi-port in-line taps

In-line taps are available in more than just a single port configuration. Multi-port in-line taps, which can switch analysis device(s) between ports across a broad network environment, are an ideal solution for broad visibility. These devices incorporate multiple in-line taps and configurable monitor port(s) that allow switching between any of the tapped links. Most multi-port in-line taps also allow remote configuration, so a network engineer at any location can point the attached analysis device to any of the links in need of monitoring. Multi-port in-line taps offer extended visibility for any monitoring or analysis device by providing a single attach point with visibility to multiple locations on the network. Monitoring and analysis across multiple locations on the network is simpler, more cost effective and more powerful when cables do not need to be manually connected and disconnected. The most likely deployment locations for a multi-port in-line tap are switch distribution trunks or server farm links. This allows a technician to analyze discrete network traffic as it behaves on different network segments.

Figure 7: In this diagram, a multi-port in-line tap is being used with a protocol analyzer and IDS device to monitor individual server links or the switch trunk. Port configuration is done remotely over the network using software.

In-line taps and media considerations

In-line taps support both fiber and copper media types, as well as LAN and WAN topologies. The mechanics of tapping fiber and copper are slightly different, so it is important to have a general understanding of this technology when using these devices.

A fiber tap is the simplest form of in-line tap. Fiber splitters, made by fusing two fiber cores together over a short tapered section so that part of the light in one fiber couples into the other, are used to bleed off part of the optical signal to a monitor port. The coupling ratio of the fused section determines the split ratio. A typical fiber split ratio is 50/50, meaning that 50% of the link's optical power is sent to the tap port and the optical power continuing along the link is reduced by 50% (about 3 dB, plus the tap's own excess loss). Since fiber optic receivers must receive a minimum optical power level, it is important to ensure that the insertion loss of an in-line tap fits within the available loss budget of the fiber link. This should be checked with an optical power meter and source, testing for total attenuation, before the tap is installed. If a link's attenuation is already close to the available loss budget, a tap that diverts less light to the monitor port should be used: 60/40, 70/30 or 90/10 (network/monitor). The trade-off is that the monitor port then receives less light, so the monitor receiver's sensitivity must be checked against the smaller share as well. Once a tap or splitter is installed, an optical power meter should be used to confirm that the power level at both the link receiver and the monitor receiver is within the appropriate range.
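The loss budget check described above, as an added worked example in Python (illustration code written for this page, not a Fluke tool and not from the paper). It converts each network/monitor split ratio into insertion loss, applies the measured run loss and the tap's own excess loss, and picks the ratio that gives the monitor port the most light while keeping both the link receiver and the monitor receiver above their sensitivity by a chosen margin. The transmitter power, receiver sensitivities, run loss and the 0.5 dB excess loss are assumed figures; take real ones from the transceiver datasheets and the power meter.

```python
"""Optical loss budget check for a passive fiber in-line tap.

Powers are in dBm and losses in dB, as an optical power meter reports them.
Split ratios are written network/monitor: 70/30 sends 70% of the light on
to the far end receiver and 30% to the monitor port. Added illustration,
not a Fluke tool; the link figures are constructed.
"""
import math
from dataclasses import dataclass

SPLIT_RATIOS = ((50, 50), (60, 40), (70, 30), (80, 20), (90, 10))   # network/monitor


@dataclass(frozen=True)
class FiberLink:
    tx_power_dbm: float             # launch power of the transmitter
    rx_sensitivity_dbm: float       # minimum power the far end receiver needs
    monitor_sensitivity_dbm: float  # minimum power the analyzer's receiver needs
    fiber_loss_db: float            # measured attenuation of the existing run (source + meter)


def split_loss_db(percent):
    """Insertion loss of a splitter leg that passes `percent` of the light (50% = 3.01 dB)."""
    return -10 * math.log10(percent / 100)


def received_power_dbm(tx_power_dbm, loss_before_db, leg_percent, excess_loss_db):
    """Power arriving at a receiver fed by one leg of the splitter."""
    return tx_power_dbm - loss_before_db - split_loss_db(leg_percent) - excess_loss_db


def tap_margins_db(link, ratio, excess_loss_db=0.5, loss_before_tap_db=None):
    """Returns (network margin, monitor margin) in dB above receiver sensitivity for
    one network/monitor ratio. excess_loss_db is the tap's own connector and fusion
    loss (0.5 dB is an assumption; use the datasheet value). The tap is assumed to
    sit at the receiver end of the run, the pessimistic case for the monitor port,
    unless loss_before_tap_db says how much of the run precedes it."""
    network_pct, monitor_pct = ratio
    if loss_before_tap_db is None:
        loss_before_tap_db = link.fiber_loss_db
    network_rx = received_power_dbm(link.tx_power_dbm, link.fiber_loss_db, network_pct, excess_loss_db)
    monitor_rx = received_power_dbm(link.tx_power_dbm, loss_before_tap_db, monitor_pct, excess_loss_db)
    return network_rx - link.rx_sensitivity_dbm, monitor_rx - link.monitor_sensitivity_dbm


def choose_ratio(link, margin_db=1.0, **kwargs):
    """The ratio that gives the monitor port the most light while leaving both
    receivers at least margin_db above sensitivity, or None if no passive tap fits
    (shorten the run, use a higher power transceiver, or use an active tap)."""
    for ratio in SPLIT_RATIOS:
        network_margin, monitor_margin = tap_margins_db(link, ratio, **kwargs)
        if network_margin >= margin_db and monitor_margin >= margin_db:
            return ratio
    return None


# Constructed example: figures in the range of a short wavelength gigabit link,
# with a measured run loss of 2.6 dB.
EXAMPLE = FiberLink(tx_power_dbm=-9.5, rx_sensitivity_dbm=-17.0,
                    monitor_sensitivity_dbm=-19.0, fiber_loss_db=2.6)

if __name__ == "__main__":
    for ratio in SPLIT_RATIOS:
        net_m, mon_m = tap_margins_db(EXAMPLE, ratio)
        print(f"{ratio[0]}/{ratio[1]}: network margin {net_m:+.2f} dB, monitor margin {mon_m:+.2f} dB")
    print("with 2 dB margin choose:", choose_ratio(EXAMPLE, margin_db=2.0))
```

The after-install measurement the paper calls for is still needed: put the power meter on both receivers and compare the readings with the margins the script predicts, since splice and connector losses vary from the datasheet figure.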
Fiber splitters provide a completely passive connection to the network. A passive connection is one in which the tap does not need to establish a link with the end point devices. Passive taps send the network signal to the monitor ports with all physical layer information, including malformed frames, errors, tags and trunking headers. Every bit present on the link is forwarded to the monitor ports for evaluation by the analysis device. This is valuable when troubleshooting data link and physical layer errors. Protocol analyzers and RMON monitoring probes that use this information benefit from the attributes of passive taps.

Figure 8: A schematic of a fiber splitter within a tap. Notice that the connections are directional and the tapping mechanism is completely passive.

Copper in-line taps are a bit more complicated than fiber in-line taps because of the different specifications of 10/100 copper Ethernet and copper Gigabit Ethernet. 10/100BASE-T uses two pairs of a four pair UTP cable, one pair to transmit and one pair to receive data. Copper Gigabit Ethernet (1000BASE-T), by contrast, transmits and receives simultaneously on all four pairs. Because each 10/100 pair carries a single direction, it is fairly straightforward to passively tap the signal from each pair of a 10/100BASE-T link, which allows 10/100 copper Ethernet taps to be completely passive, just like fiber taps.
Figure 9: A schematic of an active copper aggregating tap for copper Gigabit Ethernet with the relay failover.

While 10/100BASE-T transmits each direction of traffic on its own pair of copper, Gigabit Ethernet transmits and receives simultaneously on all four pairs, with both directions superimposed on each pair. This necessitates the use of a copper Gigabit receiver to separate the Tx and Rx signals, cancel echo and filter crosstalk. The copper Gigabit receivers in a tap negotiate link with each end device and regenerate the signal on the link. This type of tap is often referred to as an active tap. To assure fail-safe operation if power is lost on an active tap, a relay immediately bypasses the receivers so the end points can communicate directly through the tap. The relay itself switches in a matter of milliseconds, but the bypass leaves the two end devices facing each other over a new physical path: their links go down and they must auto-negotiate with each other before traffic flows again, which takes on the order of seconds. In most environments this is not noticed by users. If the tap is located between switches running spanning tree protocol, however, a link going down for even a moment is enough to cause the spanning tree to reconfigure. Depending on the size of the network, spanning tree reconfiguration can take several seconds to a minute until the network is available again. The likelihood of a Gigabit tap going into relay failover is low because most taps have dual power supplies and most data centers have backup power. To greatly decrease the time spanning tree takes to reconfigure, users can hard-set the link speed on each side of a Gigabit tap to shorten link re-establishment, and run Rapid Spanning Tree (IEEE 802.1w) or the switch vendor's fast-convergence feature on the affected ports.

SPAN solutions

In many situations, a SPAN port offers the most flexible way to connect network monitoring and analysis devices to the network. To leverage SPAN technology more effectively, a few tap-like devices are available. A SPAN switch is very similar to the multi-port in-line tap described above.
SPAN switches allow one or more monitoring devices to be permanently connected to different switches serving different locations on the network. However, instead of connecting in-line on the network link, the multi-port SPAN switch connects to numerous SPAN ports. Remote configuration using software allows any network technician to switch between SPAN ports for one or more of the monitoring devices. Data centers that have numerous switches using SPAN will greatly benefit from SPAN switching. Instead of manually connecting monitoring devices to SPAN ports as needed, a SPAN switch allows a single analysis device to be remotely pointed to any SPAN connection as needed. This saves time and money when IT departments develop their network performance analysis plans.
Figure 10: SPAN switching allows monitoring device(s) to be leveraged across multiple network locations with a simple click of the mouse. Multiple monitor ports also reduce contention for SPAN port access.

Another SPAN solution is the SPAN aggregation tap. These devices combine the data from two or more SPAN connections into a single data stream. SPAN aggregation taps are ideal when used with security devices monitoring for suspicious activity on the network. By combining the data from multiple, low utilization links, a single security monitoring device can alert IT to suspicious activity without having to deploy a device in each location. SPAN aggregation taps are also ideal for monitoring redundant paths. SPAN ports from redundant switches are combined in the SPAN aggregation tap, giving the monitoring device full visibility of network traffic no matter which path the traffic takes. Combining traffic from multiple SPAN ports does present the opportunity to oversubscribe the monitor port, but as long as baseline traffic levels are understood, this limitation can be managed.

Figure 11: A SPAN aggregation tap will combine the traffic from multiple uni-directional data flows. In this case, a single application performance analyzer is able to see traffic from two SPAN connections simultaneously. This ensures that analysis will occur no matter which path the packets traverse.

Single port monitoring and analysis devices also benefit from SPAN aggregation taps when used in combination with traditional in-line taps. Normally, a traditional in-line tap requires a monitoring device with dual NICs. However, a SPAN aggregation tap will aggregate the two data streams into one for analysis by any single port solution, subject to the same oversubscription limit as an aggregating in-line tap.
Figure 12: A SPAN aggregation tap can be used in conjunction with a traditional in-line tap to provide in-line visibility for single port analysis devices.

Summary

Network monitoring and analysis is critical for IT departments that want to ensure quality services and applications are delivered to end users. As the number of monitoring and analysis solutions has grown, access to the network has become a point of contention. The latest generation of taps and switches can relieve this contention and extend visibility across a greater number of segments using fewer monitoring devices. This benefits IT by decreasing the resources spent on monitoring and analysis solutions and increasing the effectiveness of network analysis. For a personalized assessment of how network taps and switches can help you manage your network more effectively, contact your local Fluke office.
Glossary

Aggregation in-line tap: connects between two network devices and forwards all traffic without regard for MAC or network address. Full duplex connectivity is maintained between the devices, and a copy of the traffic from both directions is output on a single directional (output-only) connector.

Bridge: a network bridge connects network segments and forwards frames between them, except frames with MAC layer errors and frames whose destination MAC address is known to be on the segment they arrived from. Broadcast traffic is forwarded to all segments.

Dual link in-line aggregation tap: connects on two links, between four network devices. Traffic is forwarded between the devices without regard for MAC or network address. Full duplex connectivity is maintained on both links, and the traffic from both links is combined into a single data stream and output on a single directional connector.

Hub: a hub can also be called a repeater. Multi-port hubs connect network segments and repeat everything without any analysis of the signal. Hubs operate in half duplex mode.

In-line tap: connects between two network devices and forwards all traffic without regard for MAC or network address. Full duplex connectivity is maintained between the devices, and a copy of the traffic is output on two directional connectors, one per direction.

In-line passive: a passive in-line tap does not establish a link with the devices on each side. Passive taps reduce the signal strength between the devices, but forward all packets and signals as an exact representation of the network being tapped.

Insertion loss: the amount of optical power lost on a fiber link when a fiber in-line tap is installed. The insertion loss should not cause the received power to fall below the minimum sensitivity of the receivers at the end of the link. If necessary, insertion loss can be managed by using a different split ratio on the fiber tap.

Layer 2: the OSI model of network connectivity is represented by a seven layer framework. Layer 2, the data link layer, controls how a device gains access to the network medium and permission to transmit on it, as well as frame synchronization, flow control and error checking.

Layer 3: layer 3 of the OSI model, the network layer, provides routing, creating logical paths for transmitting data from node to node. Routing and forwarding are functions of this layer, as well as logical addressing, internetworking, error handling, congestion control and packet sequencing.

Oversubscription: occurs when a switch or tap port receives more data than it can forward at its configured speed. When a 100BASE-T port is asked to forward 120 Mb/s of traffic, it buffers the excess until the buffer is full and then drops packets until the offered load falls back to 100 Mb/s or less.

NIC: Network Interface Card. NICs are found in almost all PCs and laptops today.

RMON: Remote Monitoring (RMON) is a standard monitoring specification that enables various network monitors and console systems to exchange network monitoring data.

SPAN: Switched Port Analyzer (SPAN), sometimes called port mirroring or port monitoring, is a feature available on almost all enterprise switches. It copies network traffic from selected ports, or a VLAN, to a designated port for analysis by a network analyzer or monitoring device.

SPAN switch: connects to multiple SPAN ports and allows users to remotely direct the traffic from any of them to one or more monitoring and analysis devices.

SPAN aggregation tap: connects to multiple SPAN ports and combines the traffic of all of them into a single data stream for analysis and monitoring devices.

Spanning tree: Spanning Tree Protocol (STP) prevents loops from forming when switches or bridges are interconnected via multiple paths. STP implements the IEEE 802.1D algorithm by exchanging BPDU messages with other switches to detect loops, and then removes each loop by blocking selected bridge interfaces. The algorithm guarantees that there is one and only one active path between two network devices.

Switch: a switch is a form of bridge. However, its capabilities and forwarding rules vary widely by manufacturer and model. In simple terms, switches create private paths (direct bridged connections) between the devices connected to them. Packet forwarding can be done based on the MAC or the network address.

NETWORK SUPERVISION
Fluke Corporation, P.O. Box 777, Everett, WA USA. Fluke operates in more than 50 countries worldwide. To find your local office contact details, go to /contact
Fluke Corporation. All rights reserved. Printed in U.S.A. D-ENG-N Rev A