March 20, 2008 1:09 PM
Posted by: Troy Tate
Network TAPs
What is the best means of watching data network traffic at the edge? My need: watch traffic inbound and outbound at the edge of the LAN and be able to remotely view reports. The reports would show information such as: current traffic flow volume and conversations (which hosts are talking to which, and how much); historic traffic flow volume; NetFlow data; and latency from the LAN to remote hosts.
So, some questions need to be asked and some answers given.
Where to place potential solutions:
- In the router or “cloud”.
- In the edge LAN switch.
- Between the router and the edge LAN switch.
What are the potential issues with sensor location:
- Router or “cloud” – any capture taken on the WAN side of the router (the “cloud”, or the router's outside interface) sees only post-NAT addresses, so network address translation (NAT) hides the actual internal source hosts; only flow export taken on the router's inside interface keeps them visible. What load would this service put on the router? Would there be any costs for implementing this on the router and/or in the cloud? We use managed data network services, so this could be a concern.
- LAN edge switch – is port spanning or “mirroring” a valid option? What other monitoring services can the switch provide? SNMP or RMON? How would the monitor be remotely accessed if there is only one NIC and it is in listening mode only? Note that a switch port configured as a span/mirror destination does not, by default, accept inbound frames from the attached device, so no outbound traffic can leave the monitor through that interface. Some switches can optionally re-enable ingress on the destination port, but it is then no longer a pure listen-only port.
- Between the LAN and WAN – is another switch needed, with port spanning/mirroring? Would a hub work, given that it turns the full-duplex link into a shared half-duplex segment carrying the combined inbound and outbound traffic?
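As an added example, not from the original post, the following shows the switch-side half of the LAN edge switch option on an assumed Cisco Catalyst switch running IOS; the interface numbers and the management VLAN are assumptions. The first session is the default listen-only form; the commented alternative re-enables ingress on the destination port, which is the only way a single-NIC monitor could be reached through its capture port.

```cisco
! Assumed topology: GigabitEthernet0/1 is the uplink to the WAN router,
! GigabitEthernet0/24 is the port the monitoring host listens on.
! Mirror both directions (receive and transmit) of the uplink.
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/24
!
! Default behaviour: Gi0/24 transmits mirrored frames only and discards
! anything the monitoring host sends, so a single-NIC host cannot be
! managed through it. To allow that, re-enable ingress on the destination
! and place the host's untagged frames in an assumed management VLAN 10:
! monitor session 1 destination interface GigabitEthernet0/24 ingress untagged vlan 10
!
! Verify the session, and watch the destination port for output drops:
! mirroring both directions of a saturated full-duplex link onto a
! same-speed destination exceeds its line rate and the switch drops
! mirrored frames silently.
! show monitor session 1
! show interfaces GigabitEthernet0/24 | include output drops
```

With ingress enabled the monitoring host's own management traffic also flows through the mirror port and is mixed with the copied traffic, which is why the post's dual-NIC approach (one NIC listening, one for remote access) is the cleaner choice.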
What hardware provides potential solutions:
- Router or “cloud” – not the preferred method, since it is not under my control and may involve change-request or monthly service costs.
- LAN edge switch – the monitoring system would require dual NICs: one to listen/monitor and one for remote access. Port spanning or mirroring places extra load on the switch, and mirroring both directions of a full-duplex port onto a destination port of the same speed can exceed the destination's capacity, in which case the switch silently drops mirrored frames. SNMP or RMON polling adds traffic to the very link being measured and can skew the monitoring results.
- Between the LAN and WAN – a hub is not desirable for the reason mentioned above: it forces the full-duplex link down to half-duplex, introduces collisions, and creates a bottleneck even though the WAN link is usually much smaller than the LAN. There is an alternative to the hub: a network TAP or port aggregator. A passive TAP sits inline and copies each direction of the full-duplex link to its own monitor port, so the capture host needs two listening NICs (or the two streams must be recombined), and the TAP is designed so that the link stays up if the TAP loses power. A port aggregator combines both directions onto a single monitor port, which is simpler but can drop frames if the sum of both directions exceeds that port's speed. In either case the monitor ports are receive-only, so a separate NIC is still needed for remote access. This is the solution I plan on investigating further.
Has anyone else had experience with implementing a network TAP or port aggregator for network monitoring? I will also discuss what applications I plan on using to monitor network traffic in a future post.
Thanks for your time. Let’s be good network citizens together & practice safe networking!