SPAN Port or Tap? CSO Beware

ABSTRACT - Network engineers and managers need to think about today’s compliance requirements and the limitations of conventional data access methods. This article focuses on taps versus port mirroring / SPAN technology.

SPAN is not all bad, but one must be aware of its limitations, and since managed switches are part of the infrastructure, one must be careful not to establish a failure point. Understanding what can be monitored is important for success: SPAN ports are often overused, leading to dropped frames, and LAN switches are designed to groom data (change timing, add delay), discard bad frames and ignore all Layer 1 and 2 information. Furthermore, most implementations of SPAN ports cannot handle FDX monitoring, and analysis of VLANs is also problematic.

Moreover, when dealing with data security compliance, the combination of limited views, SPAN ports that are not secure, and monitored traffic transported through the production network is simply not acceptable.

SPAN is not all bad, and when used within its limits and properly focused it is a valuable resource to managers and monitoring systems. However, for a 100% guaranteed view of network traffic, the passive network TAP is back as a necessity for meeting many of today’s access requirements, and as we approach larger deployments of 10 Gigabit and up, SPAN access limitations will become more problematic.

  1. What experts are saying about Tim O’Neill’s paper on “SPAN Port or Tap”, published on LoveMyTool.com on August 23, 2007
  2. To read Tim’s article first, click on the following … http://www.LoveMyTool.com
  3. Gerald Combs, Inventor of Ethereal and Wireshark
     • This is a good article to get people thinking about what they need from the different data access technologies. Compliance and Lawful Intercept is changing the dynamics of what we need from access methods.
     • Some switch families (e.g., the Cisco 3500 series) don't set a lower priority on SPAN traffic, and will slow down the backplane in order to deliver packets to a SPAN port.
  4. Gerald Combs (cont)
     • Unfortunately, most vendors don't bother to document the performance degradation characteristics of mirrored ports. Cisco is the only exception that I'm aware of.
     • We have a page on the Wireshark wiki that we've used to collect SPAN/mirror port configurations for different manufacturers: http://wiki.wireshark.org/SwitchReference
  5. Mike Pennacchi, InteropNet Chief Engineer and Owner of Network Protocol Specialists
     • This is a timely paper, as we just came across a situation where a switch began crashing after spanning was turned on. All of the commands were entered correctly, but the switch was not stable after spanning was enabled.
     • Here are some of our reasons for recommending taps:
        ◦ Every client will change their switching infrastructure at one time or another. Chances are that the monitoring method for the new switch will be different than the old, or not exist. The problem is that the troubleshooting portion of the network should not have to change every time the switches change.
  6. Mike Pennacchi (cont)
        ◦ It is often assumed that the same people monitoring the network are responsible for the switch configurations. In many cases the troubleshooting groups may not have or want configuration access to the switches. By having a separate out-of-band monitoring system, changes can be made to the monitoring network without affecting the switch configuration.
        ◦ We often need multiple devices watching the same traffic. Most of the taps today support the ability to output traffic to multiple devices.
  7. Betty DuBois, Sniffer Expert, Course Developer, Trainer, Writer and Network Consultant
     • I think the things that Tim covers are great. I would like to see the auditing/lawful intercept angle expanded on. I don’t think people really think about how an auditor will approach their environment.
     • I would also like to add information on losing the VLAN tag information when spanning. If there is an issue with ISL or 802.1Q, how will I ever know with a SPAN port?
  8. Betty DuBois (cont)
     • Another issue is duplicate copies of the packet being sent to the analyzer. If an entire VLAN is SPAN’ed (which people do, even though they shouldn’t) and the traffic is destined for within the VLAN, a copy is sent both for the egress and the ingress. People think they have thousands of retransmissions when they really don’t. You can spend twice as much time troubleshooting problems that don’t exist as you do the ones that actually are happening. Real access taps solve this and other issues with spanning.
     • Cisco’s answer to high speed capture and statistical analysis is the NAM blade. You could do an entire separate paper on the limitations and benefits of that.
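To illustrate Betty’s point about a whole-VLAN SPAN delivering both the ingress and the egress copy of each packet, here is an added Python example (not part of the deck or of Tim’s article) that separates those SPAN duplicates from genuine TCP retransmissions in a constructed capture; the `Frame` record, the 2 ms duplicate window and the sample flows are assumptions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Frame:
    ts: float         # capture timestamp, seconds
    src: str
    dst: str
    ip_id: int        # IPv4 Identification field
    seq: int          # TCP sequence number
    payload_len: int  # TCP payload bytes (0 for a pure ACK)

def classify(frames, window=0.002):
    """Return (unique, span_duplicates, retransmissions).

    A SPAN duplicate is a byte-identical copy (same endpoints, IP ID, seq and
    length) seen within `window` s of the original: both sides of one intra-VLAN
    packet were mirrored. A real TCP retransmission repeats seq/len but is a
    new IP datagram (new IP ID) sent after a timeout, well outside the window.
    """
    first_seen, data_segments = {}, set()
    unique, dups, rexmit = [], [], []
    for f in sorted(frames, key=lambda fr: fr.ts):
        ident = (f.src, f.dst, f.ip_id, f.seq, f.payload_len)
        if ident in first_seen and f.ts - first_seen[ident] <= window:
            dups.append(f)
            continue
        first_seen[ident] = f.ts
        seg = (f.src, f.dst, f.seq, f.payload_len)
        (rexmit if f.payload_len and seg in data_segments else unique).append(f)
        data_segments.add(seg)
    return unique, dups, rexmit

def naive_retransmission_count(frames):
    """What an analyzer reports if every repeated data segment counts as a retransmission."""
    seen, count = set(), 0
    for f in sorted(frames, key=lambda fr: fr.ts):
        seg = (f.src, f.dst, f.seq, f.payload_len)
        count += bool(f.payload_len and seg in seen)
        seen.add(seg)
    return count

# Constructed capture: an intra-VLAN exchange mirrored from a whole-VLAN SPAN source,
# so every packet appears twice, plus one genuine retransmission after 250 ms.
SAMPLE = [
    Frame(0.0000, "10.0.1.10", "10.0.1.20", 100, 1000, 500),
    Frame(0.0001, "10.0.1.10", "10.0.1.20", 100, 1000, 500),  # SPAN copy
    Frame(0.0002, "10.0.1.20", "10.0.1.10", 200, 5000, 0),    # pure ACK
    Frame(0.0003, "10.0.1.20", "10.0.1.10", 200, 5000, 0),    # SPAN copy
    Frame(0.2500, "10.0.1.10", "10.0.1.20", 101, 1000, 500),  # real retransmit
    Frame(0.2501, "10.0.1.10", "10.0.1.20", 101, 1000, 500),  # SPAN copy
    Frame(0.3000, "10.0.1.10", "10.0.1.20", 102, 1500, 500),
]
```

On the sample, `classify` reports one real retransmission while the naive count reports three, which is exactly the inflated picture the comment describes.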
  9. Steve Harriman, VP Marketing of NetQoS
     • You have captured the facts, and I look forward to the next installment when you review the appropriate use of SPAN technology for application and network performance monitoring.
  10. Chris Bihary, Director for Americas, Network Critical
     • Tim, this article sheds much-needed light on today’s demand for guaranteed, 100% access to properly monitor and analyze network traffic for compliance, security, QoS, and virtually any other network task.
     • Customers come to us because they’re looking for an unrestricted view into their critical network connections, with the assurance that they’re seeing everything happening on the network, and that the access device is not creating a fault point in the network. This type of guarantee is only available with proper TAP solutions, or as we refer to them - Traffic Access Points.
     • We’re happy to report that businesses are turning the corner from SPAN and other access technologies, and are starting to adopt permanent TAP solutions as part of a best-practice monitoring/management infrastructure. We’ve seen 3X growth in TAP sales since we started operations in the U.S., and believe that it’s a testament to the market being informed by thought-provoking articles like this!
  11. Alastair Hartrup, CEO and Founder, Network Critical
     • It’s the most fundamental, yet often overlooked, need of any network appliance or tool - access. Before any device can collect or analyze traffic to provide its service, whether that’s security, compliance, performance acceleration, etc., it must first obtain 100% visibility to this data.
     • I started Network Critical in the 1990s with a plan to resolve the inevitable limitations of SPAN access techniques and simplify installations. At the end of the day, a switch’s first priority is performance, and it will drop mirrored monitoring ports the instant they threaten priority #1.
     • It takes dedicated monitoring solutions like TAPs to provide access, 24 hours a day, 365 days a year, to help enterprise-class networks commit to today’s management requirements.
  12. Burt Bennett, General Manager of Valparaiso Broadband Communication Systems
     • Looks good. One comparison that you forgot is a hub. Hubs are a fair replacement for a “tap” in the 10/100 HDX environment (none for Gigabit). Yes, there are the collision and FDX issues, but it is not a bad alternative to fit a quick and temporary access requirement for users focused on end terminus analysis.
     • Author’s Note – Burt, thanks for pointing that out – I have added Hubs in the final draft.
  13. Scott Haugdahl, Former CTO of WildPackets, Noted Author and Valued Technologist
     • Great article. I especially liked your comments on SPAN not being able to scale. We need more facts and, even better, more testing to see what impact SPAN has on high bandwidth switches.
     • I have seen a white paper from Cisco claiming that the backplanes in high-end Catalyst switches do NOT take a performance hit on SPAN, since more than one destination port can pick up a source packet simultaneously (i.e., there is no penalty for SPAN no matter how heavily loaded the switch is!!!).
  14. Scott Haugdahl (cont)
     • The real problem arises, as you pointed out, when the high speed backplane sends multiple packets from multiple source ports (or full duplex) to one SPAN port - the SPAN port can only service at the rate that is negotiated with the analyzer. Nevertheless, it would be great to have some industry standard testing of different switch architectures’ SPAN capabilities.
     • Speaking of SPAN, I would also like to see your take on RSPAN, something I generally discourage.
     • Regarding hubs, it’s somewhat ironic that I actually solved a major performance problem by inserting a hub as a tap. The server did about 4 Mbps connected directly to a switch port and nearly 80 Mbps when we inserted the hub. The problem was recognized immediately - an auto-negotiate mismatch between the switch and server - and we didn’t even need to look at any packets! As Mike always says, check the duplex! And never rely 100% on auto-negotiate.
  15. Comment from another Industry Expert
     • The only thing I would add is that the configuration as a downside to SPAN is not that administrators will screw it up (although that is a possibility) but that changing the span configuration is a CHANGE, which for a lot of companies initiates the change management process and approval necessities. If one is spanning one port, and something happens and they need to go look at another one, then I have to make a change to the switch configuration, which may require me to get several levels of management signoff and wait until a change window becomes available. Changing the switch changes the network. The switch is now behaving differently than it was, which means it can introduce variables to the troubleshooting process, as well as change the network map and point of measurement.
  16. Comment from another veteran
     • Something came to my attention today about spanning that I feel every Senior Manager should strongly consider and keep in mind. One of my network engineers was using his control of the switch and the SPAN setup as a method of internal terrorism. Up until now, he had unmanaged control of devices in our network, and he made sure that every time anyone in the company was attempting to do some diagnostics, or vendors were trying to show how their products could help the company, he would use his control over the switch to cause problems that most times led to tests being invalid and terminated, solutions failing and incorrect diagnostics. He would purposely set up the switch SPAN ports to cause problems. This could have been taken further, even to bring down the network upon his dismissal. If there had been a dedicated access point (i.e., TAP) he would only have had the ability to attach the diagnostic tools or not. He would not have had control of the data and the ability to harm the network and valuable diagnostic tools and potentially bring down the network or do serious harm to it. This should not have happened, but unfortunately it did.
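The two comments above both treat a SPAN configuration change as a change to the production switch that should be authorised and visible. As an added example (not from the deck or from Tim’s article), this Python snippet picks SPAN/RSPAN configuration commands out of constructed switch config-log lines, in the assumed style of Cisco IOS `%PARSER-5-CFGLOG_LOGGEDCMD` records, and flags those made outside an approved change window; the hostname, user names, interfaces and ticket windows are made up.

```python
import re
from datetime import datetime

# Constructed config-log lines (assumed IOS "archive log config" format).
SAMPLE_LOG = """\
Aug 23 2007 10:02:11 sw-core-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:monitor session 1 source interface Gi1/0/1
Aug 23 2007 10:02:15 sw-core-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:monitor session 1 destination interface Gi1/0/24
Aug 23 2007 14:31:07 sw-core-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:no monitor session 1
Aug 23 2007 14:31:40 sw-core-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:monitor session 1 source vlan 10
Aug 23 2007 14:32:02 sw-core-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:interface Gi1/0/5
"""

# Approved change tickets as (user, window start, window end). Constructed.
APPROVED = [("netops", datetime(2007, 8, 23, 10, 0), datetime(2007, 8, 23, 10, 30))]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")

def span_changes(log_text):
    """Yield (timestamp, host, user, command) for each SPAN/RSPAN config command."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"].strip()
        # "monitor session ..." creates or edits a SPAN/RSPAN session; "no monitor session" removes one.
        if re.match(r"(no )?monitor session\b", cmd):
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            yield ts, m["host"], m["user"], cmd

def unapproved_span_changes(log_text, approved=APPROVED):
    """Return SPAN changes made by a user outside any approved window for that user."""
    flagged = []
    for ts, host, user, cmd in span_changes(log_text):
        covered = any(u == user and start <= ts <= end for u, start, end in approved)
        if not covered:
            flagged.append((ts, host, user, cmd))
    return flagged
```

Fed to a SIEM, the same match on `monitor session` also gives the monitoring team a record of when their point of measurement moved, independent of who holds switch configuration access.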
  17. To read Tim’s article on “SPAN Port or Tap”, click on the following … http://www.LoveMyTool.com
