Deploying Distributed Traffic Capture Systems


Published on

Distributed Taps are intelligent, hardware-based network traffic capture devices designed to passively tap inline networks or connect to SPAN ports for capturing and forwarding traffic to monitoring or security tools.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Deploying Distributed Traffic Capture Systems

  1. 1. Deploying Distributed Traffic Capture Systems™ Best Practices for Total Network Visibility White Paper The power of unrestricted visibility. See network traffic in any part or all of the largest distributed networks. The flexibility of integrated visibility. See what you want, wherever you need to see it. In real time, at the packet level. Network visibility is the critical factor in heading off the increasing number of application performance issues, outages, data breaches and attacks against large-scale distributed networks. It is vital to accommodating growth in numbers of users and the implementation of Ethernet speeds to 100 Gigabits per second (Gbps) and beyond. It is essential to meet the demands of government regulation. It is crucial to maximum efficiency and optimization. This white paper explores best practices in designing and deploying a VSS Monitoring Distributed Traffic Capture System. Distributed traffic capture provides total network visibility to your monitoring infrastructure. Total visibility is the only way to achieve complete, proactive network control. Why You Can’t See What’s On Your Network Up to now complete visibility of large Ethernet networks has been infeasible due to the prohibitive cost of deploying analytical devices at every point where network traffic needs to be captured. As a result, at present network traffic is typically monitored locally, using switch SPAN ports and/or inline with network taps. SPAN ports are ubiquitous but in many IT infrastructures there are not enough available for more than minimal monitoring coverage. In addition, SPAN ports tend to drop packets at random when the switch is busy. They can potentially degrade switch performance, especially in full duplex, and, depending on switch configuration and network traffic, drop CRC errors as well as under- and oversized packets. They may attempt to correct bad packets or add packets from other than the links being monitored. If spanning is done with multiple switches as in a large network, it demands complex configuration and can consume additional network ports. In addition, depending on the switch, remote spanning does not support monitoring of several packet types, including bridge protocol data unit packets as well as the Layer 2 packets used in Cisco’s Discovery, VLAN Trunking and Dynamic Trunking protocols. Inline network taps are a direct way to capture traffic without the limitations of SPAN ports but they can present problems of their own. Taps have not had the range of port densities and intelligence–such as selective aggregation, traffic filtering, load balancing and distributed management features–to make them more than a standalone solution. If multiple taps are connected, administrators may need to manage each tap separately, and if one tap fails, the entire traffic capture system may fail. High-speed 10 Gbps taps may not have the port density (low or high) required for a given deployment. And in Gigabit copper networks, where a tap cannot be completely passive since both sides of a link transmit simultaneously, a tap can cause network link failure on tap power loss and restore. With no way to get a centralized view over a LAN down to Layer 2, SLAs for real-time applications such as video, VoIP, financial transactions and other critical applications cannot be assured and enterprises cannot comply with regulations requiring a true-and-complete copy of transactions and lawful intercepts. This situation is exacerbated by the need to use existing Gigabit monitoring infrastructure for cost reasons even as 10 Gbps switches continue to be rolled out at the core and access layers.With distributed traffic capture, more than one view of the network can exist simultaneously. Administratorscan define a centralized monitoring view of all network traffic as well as additional segmented views ofnetwork physical topology and/or traffic types. Multiple instances of these views may be established fordifferent monitoring groups, such as security and performance operations, call center managers, and specificcentral or branch office administrators. 1
  2. 2. Virtual Traffic CaptureA Distributed Traffic Capture System comprises intelligent traffic capture devices deployed anywhere they need to be,architected between network infrastructure and the analytical equipment as one virtual system. In this way traffic captureclosely meshes with the network’s topology. The Distributed Traffic Capture System collects a copy of traffic at any pointand sends it in real time to centralized monitoring tools. Monitoring SystemsVSS DistributedAccess PlatformCommunications InfrastructureBecause it functions as one system, distributed traffic capture offers network monitoring, for the first time, fault tolerance,ultra low latency, infinite flexibility and full optimization. A Distributed Traffic Capture System not only adapts as rapidlyas conditions require but also delivers multiple views of the network simultaneously, so that each monitoring group cansee the view appropriate to its function. 2
  3. 3. How to Deploy Distributed The additional capabilities of vStack+’s redundant mesh topology introduces a few choices that the traffic captureTraffic Capture architect will need to make. First is to specify the desired levelThe best deployment of a Distributed Traffic Capture System of redundancy. Triple redundancy is adequate in all but theis one designed to exploit its core capabilities: flexibility, most critical installations. Second is to design contingencyredundancy, monitoring optimization. plans should the traffic capture system default to slower speeds and increased number of hops in the event that multiple high-Flexibility speed links between traffic capture devices fail. One of theA Distributed Traffic Capture System collapses the hierarchical most important elements in this is to set alerts to be generatedschema of traditional network monitoring architecture by by a change in link status, and to have these alerts sent tovirtualizing traffic capture. As a result more than one view of IT personnel, as well as, if desired, to third-party monitoringthe network can exist simultaneously. This allows administrators companies via multiple methods: pager, text message, andto define a centralized monitoring view of all network traffic well as additional segmented views of network physicaltopology and/or traffic types. Multiple instances of these Monitoring Optimizationviews may be established for one or more monitoring groups, By providing real time granular control of the traffic capturesuch as security and performance operations, call center process a Distributed Traffic Capture System can significantlymanagers, specific central or branch office administrators, enhance the ROI of monitoring infrastructure and the peopleetc. As conditions require, these parameters may be rapidly who administer it.reconfigured. The traffic capture architect should use the system’s dataBefore implementing a traffic capture system, a network grooming capabilities–especially selective aggregation,traffic capture architect should think about which views are filtering, and load balancing–to maximize the traffic reachingthe most important given the speeds, nature of traffic and its each analytical device, ensuring that each device is fullylocation in the network’s core, distribution, access and/or subscribed to only its traffic of interest. Examples of thesegateway layers, the analytical equipment on hand and to be decisions include splitting voice and data signaling traffic toimplemented, the level of traffic-capture redundancy required, respective analyzers, sending the same traffic to analyzers inand how the traffic capture and monitoring systems will be different regions, and using multiple 1-Gigabit analyzers tomanaged–e.g., permission levels for management views of monitor a 10 Gbps stream.device configurations and port assignments–and the personnelavailable for monitoring. Designing a DistributedRedundancyA Distributed Traffic Capture System’s mesh topology is fault- Traffic Capture Systemtolerant. VSS Monitoring’s vStack+™ technology auto discovers The design of a Distributed Traffic Capture System is orientedlink failures and re-routes the copied traffic automatically, to the requirements of the monitoring devices. Four types ofusing the highest speed links and lowest number of hops. commonly used passive monitoring equipment are intrusionThis capability eliminates the pitfalls associated with similar detection systems, performance monitors, service assurancetopologies in network IP routing, such as convergence time tools and data recording devices. Each of these devices mayand route flap as well as the need to manage routing tables. need to see only certain slices of traffic, such as HTTP, voice, video, signaling, or VLAN tagged packets, and from onlyThe redundant mesh topology also offers a number of selected network segments or the entire network.advantages over traditional connectivity approaches for trafficcapture devices such as daisy chaining or stacking. Each of Design also varies by need. Key design criteria for trafficthese introduces a single point of failure (if one traffic capture capture are similar to those of an IP network. They include:device fails the entire traffic capture system fails). In addition, availability, efficiency, lower latency, optimization, security,their serial connectivity increases latency, requires that each stability and throughput. Each organization should decide itstraffic capture device be configured separately, as if it were own prioritization of these criteria depending on the servicesstandalone, and limits their management to a single campus. delivered and to whom they are delivered. 3
  4. 4. In general, design criteria that traffic capture architects should take into account include: ƒ The number of networks being monitored. ƒ Whether their media are copper, fiber or mixed. ƒ The location and number of capture points, whether SPAN ports or inline. ƒ The speed for each link associated with a capture point. ƒ The type and volume of traffic to be monitored. ƒ The performance capability/bandwidth of the analytical equipment and its location. ƒ Available rack space. ƒ The topologies of traffic capture depending on desired visibility and redundancy: full mesh, star and/or star-mesh hybrid. The most efficient design process for a Distributed Traffic Capture System usually follows these steps: 1) Determine the traffic your monitoring tools must see. 2) Identify the traffic capture points. 3) Map the capture points to the best combinations of port densities, speeds and grooming capabilities of the traffic capture device connected to that capture point. Do this for each monitoring view desired. 4) For each view, at the traffic capture distribution layer configure the monitor output ports to send traffic customized for each monitoring device. An additional factor to take into account is how the traffic capture device handles Gigabit failover on copper media should the device lose power. A traffic capture architect should ensure that the device will failover quickly enough, typically less than 100 milliseconds, so as not to cause link loss. Gigabit traffic capture devices may cause a momentary link failure when power is lost or restored. This can disrupt time-sensitive traffic and cause unnecessary spanning tree and routing changes, with additional delays due to network reconfiguration. VSS Monitoring’s vAssure™ reduces normal Gigabit fail-over time to ≤ 100ms (typically 30-60ms), helping ensure that packet-sensitive applications running on copper media, such as VoIP and Video on Demand, continue to function uninterrupted and at specified quality-of-service levels. VSS traffic capture devices are the fastest in link switch-over and the only ones that do not cause link loss. The key to effective monitoring is being able to scale a growing number of analytics systems across a growing number of capture points. A Distributed Traffic Capture System offers the flexibility, redundancy and monitoring optimization necessary to cost-effectively achieve unrestricted visibility. USA Japan China (Corporate HQ) + 81 422 26-8831 phone + 86 10 6563- 7771 phone + 1 650 697 8770 phone + 81 422 26-8832 fax + 86 10 6563- 7775 fax + 1 650 697 8779 fax T’s Loft 3F, 1-1-9, C519, 5 Floor, 1850 Gateway Drive, Suite 500 Nishikubo, Musashino, CBD International Tower San Mateo, CA 94404 Tokyo, 180-0013 16 Yong’An Dong Li, USA Japan Beijing, China 100022 Monitoring, Inc. is the world’s leading innovator of Distributed Traffic Capture Systems and network taps, focused on meeting the rapidly evolving requirements of security and performanceconscious network professionals. Distributed Traffic Capture Systems herald a new architecture of network monitoring, one which fundamentally improves its capability and price-performance.VSS, Distributed Traffic Capture System, vAssure, vStack+, and LinkSafe are trademarks or registered trademarks of VSS Monitoring, Inc. in the United States and other countries. Any othertrademarks contained herein are the property of their respective owners.© Copyright 2003 – 2011. VSS Monitoring Inc. All rights reserved. 1200 -20110127.1703r-003