2006.06.06 Net Optics Learning Center Presents Passive Monitoring Access
(apologies, this really was just a marketing presentation in very, very thin disguise. I really want that hour of my life back. :( --Matt )

2006.06.06 Net Optics Learning Center Presents The fundamentals of Passive Monitoring Access
[slides are at: http://www.nanog.org/mtg-0606/pdf/joy-weber.pdf]

TAP technology: tools change, but some things stay somewhat constant; you need a way to collect information.
Port contention for monitoring: how many people are running into these issues? How many people use SPAN ports to get access to information?

Agenda: present an overview of tap technology and how it makes network monitoring and security devices more effective and efficient.
  tap technology overview
  taps, port aggregators, and regen taps
  active response, bypass switches
  link aggregators and matrix switches
  taps with intelligence: add more intelligence, SNMP capability into remote tap systems

Passive monitoring access: you should have full access to 100% of the packet data, even errors, etc., at layer 1 and layer 2.
Passive means without affecting traffic:
  no latency
  no IP addresses
  no packets added, dropped, or manipulated
  no link failure

Traffic can be collected via:
  hubs
  optical taps

What is zero delay? It eliminates the 10msec delay found in most taps when the tap loses power. Zero Delay means that if the tap loses power:
  no packets dropped/resent
  no latency introduced
  power loss to the tap is undetectable in the network

Hubs are cheap and easy, and get most of the info you need. But the higher the utilization, the higher the collision rate, which means you're not getting all the data you need.

Placing devices in-line: you get full visibility, but there is impact when you need to move the monitoring tool from one place to another, or work on the tool.
  advantage: see all traffic, including layer 1 and 2 errors; preserves full duplex links.

SPAN ports: gain access to data internal to a switch; good for data internal to the switch fabric.
But you lose layer 1 and layer 2 errors; not so bad for security tools, but for network debugging, horrible. Only supports seeing data flowing through a single switch. And there are fights over who gets access to the port for tools.

Test Access Ports (TAPs): designed to duplicate traffic for monitoring devices. You put it inline once, and it's inline, passive.
  preserves full duplex links
  device neutral, can be installed between any 2 devices
  remains passive, no failure point introduced; fiber taps don't even require power
  always needs to fail through, no interruption
  creates a permanent access port to the data stream
Copper and fiber are handled differently: copper has a retransmit system to replicate the information; fiber just splits the photon streams.
Two output ports, only transmitting data; no way to send data back through. No way to introduce errors.

Different types:
  single tap: duplicates link traffic for a monitoring device
  regeneration tap: duplicates link traffic for multiple monitoring devices
  link aggregator tap: combines traffic from multiple links
  matrix switches: offer software-controlled access to multiple links
Other tap options:
  built-in media conversion: use mismatched interfaces without a separate media converter
  active response: inject responses back into the link
Converter taps serve two purposes: they connect dissimilar interfaces without a media converter, but they usually don't fail through cleanly.
Active response is generally in the security arena; it sends back to both sides.

Copper tap devices:
  10/100baseT
  10/100/1000baseT triple speed
  1000baseT normal gig tap
Need TWO monitoring NICs to see full duplex data, since you get TWO TX links coming at you. Try to get a triple speed TAP with dip switch speed/flow setting, rather than trying to autosense.

Fiber taps: gigabit SX/LX/SZ, 10gig SR/LR/ER (multimode and single mode); still has 2 TX outputs. Topology, and split ratio: the split ratio is the amount of light going to each port.
Split ratio: the amount of light you're willing to tolerate giving up on the network port. Basically, work up a loss power budget for the link, and figure out how much you can afford to lose before you lose link. Need to make sure that there will be no impact for either end!

Q: Do you take into account the distance between the monitoring device and the tap output port? A: Yes, try to keep within the reduced power budget available off the monitor port; usually about 10 meters should be fine.
Q: Can you re-use optical taps for OC12 ATM as well as gigE or 10gigE? A: They will be specific for multimode vs single mode; if you stay at 50/50, generally not a problem.

Converter taps are generally powered: the primary path is passive, but the monitoring port has to be active to support the media conversion.

Port aggregator taps: the full duplex link being tapped is aggregated out a single link, so you don't need 2 NICs to capture the TX data. Newer models can also make a port a full duplex, 2-way active/passive port.

What about multiple output ports? These allow passive access for multiple monitoring devices to a single through port. Regeneration taps go all the way up to 10gig at the moment. SPAN regeneration taps are slightly different; that assumes you're off a SPAN port; dual-SPAN, two sets of data flow. Non-aggregated, two independent sets of ports. Primarily used for cases where multiple devices need access to the wire. The initial cost of TAPs is generally the only major downside. Aggregation taps are the same type, but monitor via a single NIC.

Active response and bypass switches: the ability to inject data back into the network. Can set *one* monitor port to bidirectional mode.
Bypass switches: allow devices to be inserted *inline* without breaking the fiber path or copper path. It can watch for a heartbeat packet, electrical or optical signal coming through, and if the inline device drops, the router ports are passed through to each other. Good for IPS devices.
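The "loss power budget" exercise above, carried through as an added example (this is not code from the presentation or from Net Optics, and every transceiver and fiber figure in it is a constructed illustration, not a vendor spec). The split percentage is converted to a dB loss and charged against the budget on both the network side and the monitor side, so the check answers the two questions the notes raise: does the through link still come up, and does the monitor port still reach the capture NIC a few meters away?

```python
"""Optical power-budget check for a passive fiber tap.

Added example, not from the presentation or any vendor. All numbers are
constructed illustrations. A tap with a 70/30 split sends 70% of the light
to the network (through) port and 30% to the monitor port; each fraction
costs -10*log10(fraction) dB, and the tap itself adds a small excess loss.
A negative margin on the network side is a self-inflicted outage; a negative
margin on the monitor side is a silent blind spot for the IDS behind it.
"""
import math
from dataclasses import dataclass


@dataclass
class OpticalLink:
    tx_min_power_dbm: float       # worst-case transmitter output
    rx_sensitivity_dbm: float     # minimum receive power for a valid link
    fiber_db_per_km: float        # attenuation of the fiber type
    length_km: float              # span length between the two endpoints
    connector_loss_db: float      # total loss of all connectors/splices
    safety_margin_db: float = 3.0  # kept back for aging, dirt, repairs


def split_loss_db(percent_of_light: float) -> float:
    """Loss in dB for a port that receives the given percentage of light.
    70% -> 1.55 dB, 50% -> 3.01 dB, 30% -> 5.23 dB, 10% -> 10 dB."""
    if not 0 < percent_of_light <= 100:
        raise ValueError("split percentage must be in (0, 100]")
    return -10 * math.log10(percent_of_light / 100)


def power_margin_db(link: OpticalLink, split_percent: float,
                    tap_excess_loss_db: float = 0.5) -> float:
    """Remaining margin after fiber, connectors, the tap split, the tap's
    own insertion (excess) loss and the safety margin. Negative means the
    receiver on that side goes dark."""
    available = link.tx_min_power_dbm - link.rx_sensitivity_dbm
    loss = (link.fiber_db_per_km * link.length_km
            + link.connector_loss_db
            + split_loss_db(split_percent)
            + tap_excess_loss_db
            + link.safety_margin_db)
    return round(available - loss, 2)


def check_tap(network_link: OpticalLink, network_percent: float,
              monitor_link: OpticalLink):
    """Return (network_margin, monitor_margin, ok) for a tap that passes
    network_percent of the light downstream and the rest to the monitor
    port. Both margins must be non-negative: "no impact for either end"."""
    monitor_percent = 100 - network_percent
    net_margin = power_margin_db(network_link, network_percent)
    mon_margin = power_margin_db(monitor_link, monitor_percent)
    return net_margin, mon_margin, (net_margin >= 0 and mon_margin >= 0)


# Constructed figures: an 8 km single-mode span between two routers, and a
# 10 m patch from the tap's monitor port to the capture NIC. Same optics on
# both sides so only distance and split ratio differ.
NETWORK_LINK = OpticalLink(tx_min_power_dbm=-9.5, rx_sensitivity_dbm=-20.0,
                           fiber_db_per_km=0.4, length_km=8.0,
                           connector_loss_db=1.0)
MONITOR_LINK = OpticalLink(tx_min_power_dbm=-9.5, rx_sensitivity_dbm=-20.0,
                           fiber_db_per_km=0.4, length_km=0.01,
                           connector_loss_db=1.0)

if __name__ == "__main__":
    for net_pct in (50, 70, 90):
        net, mon, ok = check_tap(NETWORK_LINK, net_pct, MONITOR_LINK)
        print(f"{net_pct}/{100 - net_pct} split: network {net:+.2f} dB, "
              f"monitor {mon:+.2f} dB -> {'OK' if ok else 'FAIL'}")
```

With these constructed figures a 50/50 split starves the long network span, a 90/10 split starves the monitor port, and 70/30 is the one ratio that leaves both ends lit; on a short span the 50/50 default the notes mention would have been fine, which is why the budget has to be worked per link rather than taken from a table.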
Generally available with a heartbeat packet that it watches for; the device just needs to be able to receive and pass through the heartbeat packet.
Q (from audience): how fast does it switch over? A: 10msec when the heartbeat fails.
Q: and how fast is the heartbeat packet? A: Should be configurable down to one second. If it doesn't receive 3 in a row, it goes into bypass mode. So really a 3 second failover.
Also check to make sure they're certified with your vendor!
Power-only bypass switch vs heartbeat detection: the power-only one just shares the same power cord as the IPS device; pretty much a kludge.

Link aggregators: SPAN link aggregator taps are usually 10/100/1000; not much push for fiber aggregators yet. They take multiple SPAN ports and collect them to a single pair of monitoring ports. One thing to watch out for with link aggregator taps is to make sure you don't oversubscribe your ports through to the monitoring port! Can also get a link aggregation tap with regeneration, to take several fiber paths and aggregate to copper monitoring devices.

Matrix switches give access to multiple ports: inline and SPAN matrix ports. An inline matrix switch uses a passive tap on the front-end; multiple passive ports, and the monitoring port gets to pick which ones you're monitoring from. Ethernet ports, SNMP traps, sending traps to a monitoring station for specific stats, coming out as the next hot thing. A common, central monitoring point. Useful to have software controlling the matrix switch so you can look at different ports at different times. The front-end is still passive; monitor ports need to be active.
SPAN matrix switches give you access to multiple network switch SPAN ports. Can daisychain ports if necessary. Highest density is usually 8 or 16 passive inline ports for the most part. SPAN works a bit differently; you can get about 96 SPAN ports of visibility by chaining them together, master/slave relationship. Software is key; need to make sure the software serves your purpose of roaming across links.
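The bypass-switch behaviour from the Q&A above, written out as a small state machine (an added example, not code from the presentation or any vendor's firmware). It uses the figures the notes give: a one-second heartbeat, three consecutive misses before the switch fails open, and a roughly 10 ms switchover. Automatic return to inline once heartbeats resume is an assumption of this model, not something the notes state. The output a defender cares about is the window during which traffic flowed around the IPS uninspected.

```python
"""Heartbeat-driven bypass switch as a state machine.

Added example, not from the presentation or any vendor. Constants match the
Q&A in the notes (1 s heartbeat, 3 misses, ~10 ms switchover); auto-recovery
to INLINE when heartbeats resume is an assumption of this model.
"""
from dataclasses import dataclass, field

INLINE, BYPASS = "INLINE", "BYPASS"


@dataclass
class BypassSwitch:
    interval_s: float = 1.0          # how often the IPS must echo a heartbeat
    missed_threshold: int = 3        # misses in a row before failing open
    switch_delay_s: float = 0.010    # relay/optical switchover time
    state: str = INLINE
    missed: int = 0
    transitions: list = field(default_factory=list)  # (time, new_state)

    def poll(self, t: float, heartbeat_seen: bool) -> str:
        """Evaluate one heartbeat slot ending at time t and return the
        resulting state. A heartbeat that made it through the inline device
        resets the miss counter; a missed one counts toward the threshold."""
        if heartbeat_seen:
            self.missed = 0
            if self.state == BYPASS:            # assumed auto-recovery
                self.state = INLINE
                self.transitions.append((round(t + self.switch_delay_s, 3), INLINE))
        else:
            self.missed += 1
            if self.state == INLINE and self.missed >= self.missed_threshold:
                self.state = BYPASS
                self.transitions.append((round(t + self.switch_delay_s, 3), BYPASS))
        return self.state


def simulate(switch: BypassSwitch, heartbeat_slots):
    """heartbeat_slots: one boolean per interval, True when the heartbeat
    came back through the inline device. Returns the state transitions."""
    for i, seen in enumerate(heartbeat_slots, start=1):
        switch.poll(i * switch.interval_s, seen)
    return switch.transitions


def uninspected_windows(transitions, end_time: float):
    """Pair each entry into BYPASS with the next return to INLINE (or the
    end of the trace) so an operator sees exactly when the IPS was out of
    the path. A bypass switch keeps the link up; it does not keep the
    inspection up, and that gap is what should raise an alert."""
    windows, start = [], None
    for t, state in transitions:
        if state == BYPASS and start is None:
            start = t
        elif state == INLINE and start is not None:
            windows.append((start, t))
            start = None
    if start is not None:
        windows.append((start, end_time))
    return windows


# Constructed scenario: IPS healthy for 4 s, hung for 6 s, then back for 3 s.
SCENARIO = [True] * 4 + [False] * 6 + [True] * 3

if __name__ == "__main__":
    sw = BypassSwitch()
    trans = simulate(sw, SCENARIO)
    for t, state in trans:
        print(f"t={t:6.3f}s -> {state}")
    for start, end in uninspected_windows(trans, len(SCENARIO) * sw.interval_s):
        print(f"traffic bypassed inspection from {start}s to {end}s "
              f"({end - start:.2f}s)")
```

Here the IPS stops answering after t=4 s, the third consecutive miss lands at t=7 s, and the switch is in bypass at t=7.01 s: the "really 3 second failover" from the Q&A, during which the link is down, followed by four seconds in which the link is up but nothing is inspecting it.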
TAPs with intelligence and remote access: how do you turn off monitor ports, how do you see what the peak traffic level was? A less passive, more active device. Intelligent taps usually have a display screen on them, showing A and B side peak utilization. Can disable ports remotely, turn off the display in a datacenter, etc.
Main features:
  realtime utilization levels for each side of the link
  traffic size and time of the greatest traffic peaks
  SNMP traps for system, link, power, and threshold
  counters for total packets, bytes, CRC errors, collisions, and more
  status for system, link, and power
Security and control:
  turn off management and monitor ports
  set utilization alarm thresholds
  reset statistics
Basically, add more intelligence into the network, albeit with a passive front-side tap.

Senior technical specialist; joy@netoptics.com; www.netoptics.com; ts-support@netoptics.com

Time for dinner! Wraps up at 1736 hours Pacific Time.
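An added example (not code from the presentation or from Net Optics) that ties two points from the notes together: the warning in the link aggregator section not to oversubscribe the monitoring port, and the per-side peak utilization and alarm thresholds that the intelligent taps above report. Each tapped full-duplex link contributes its A-side and B-side peaks to the single monitor port, and the check flags both a hard oversubscription and a softer threshold alarm. All link names, rates and peak figures are constructed.

```python
"""Monitor-port oversubscription check from per-side peak utilization.

Added example, not from the presentation or any vendor. A passive tap never
drops on the wire, but an aggregator that folds both directions of one or
more full-duplex links onto a single monitor port can: whatever exceeds the
monitor port's rate is discarded before the IDS ever sees it, silently.
All sample figures below are constructed.
"""
from dataclasses import dataclass


@dataclass
class TappedLink:
    name: str
    rate_mbps: int
    peak_a_pct: float   # peak utilization seen on side A (e.g. router -> switch)
    peak_b_pct: float   # peak utilization seen on side B (the reverse direction)
    peak_time: str      # when the tap recorded the greatest peak (constructed)

    def peak_mbps(self) -> float:
        """Both directions land on the monitor port, so they add up."""
        return self.rate_mbps * (self.peak_a_pct + self.peak_b_pct) / 100


def aggregate_load_mbps(links) -> float:
    return sum(link.peak_mbps() for link in links)


def oversubscription_report(links, monitor_rate_mbps: int, alarm_pct: float = 80.0):
    """Summarise what the monitor port would have to carry at the recorded
    peaks. 'oversubscribed' means packets were dropped on the way to the
    monitoring tool; 'alarm' means the configured utilization threshold was
    crossed and an SNMP threshold trap would be warranted."""
    load = aggregate_load_mbps(links)
    util = 100.0 * load / monitor_rate_mbps
    worst = max(links, key=TappedLink.peak_mbps)
    return {
        "offered_mbps": round(load, 1),
        "monitor_util_pct": round(util, 1),
        "oversubscribed": load > monitor_rate_mbps,
        "alarm": util >= alarm_pct,
        "worst_link": worst.name,
        "worst_peak_time": worst.peak_time,
    }


# Constructed case 1: a port aggregator tap folding one busy gigabit link
# onto a single gigabit NIC. 60% + 55% of a 1G link is 1150 Mb/s offered
# to a 1000 Mb/s port: the capture silently loses traffic at the peak.
PORT_AGGREGATOR = [
    TappedLink("core-1", 1000, 60.0, 55.0, "2006-06-06 14:02"),
]

# Constructed case 2: a link aggregator feeding three gigabit links into
# one 10G monitor port; plenty of headroom at the recorded peaks.
LINK_AGGREGATOR = [
    TappedLink("core-1", 1000, 30.0, 25.0, "2006-06-06 14:02"),
    TappedLink("dmz-1", 1000, 20.0, 15.0, "2006-06-06 09:40"),
    TappedLink("mgmt-1", 1000, 10.0, 10.0, "2006-06-06 03:15"),
]

if __name__ == "__main__":
    print("port aggregator, 1G monitor port:",
          oversubscription_report(PORT_AGGREGATOR, 1000))
    print("link aggregator, 10G monitor port:",
          oversubscription_report(LINK_AGGREGATOR, 10000))
```

Run with the tap's own peak counters as input, this is the planning check the notes ask for: if the sum of both directions at peak exceeds the monitor port, the fix is a faster monitor port, a regeneration tap feeding two NICs, or fewer links per aggregator, not a lower alarm threshold.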
participants (1)
-
Matthew Petach