These days, network pros find that their network monitoring and management tools aren't getting the job done because their networks haven't been properly instrumented to feed these tools the right information. Matrix switches, or network tap aggregators, could help.
At the heart of the matter is a general shortage of SPAN (Switched Port Analyzer) ports and network taps on network devices. Most network switches come with just two SPAN ports. Network taps are separate pieces of hardware that are plugged into switches and provide network flow information to monitoring tools. These SPAN ports and taps provide the network visibility that network-monitoring, management and security tools rely on.
An engineer can't just plug into any SPAN port or tap. Most monitoring devices must be plugged into points on the network where the most relevant traffic is flowing, such as in a core switch or on a top-of-rack switch that is managing a rack of servers with a specific set of critical applications.
"The idea is to configure as much as you can ahead of time," said Eric Siegel, senior analyst at the Burton Group. "You need to sit down and think, 'Where are my critical points, and where are the key aggregation points? If I put a tap into this point, will I be able to see all the traffic going into my Web server?'"
Many networking organizations haven't designed their networks for proper monitoring and diagnosing of problems, Siegel said. For one thing, SPAN ports and taps are always in short supply, and no one is ever quite clear on exactly who is using them.
"If you're a network engineer and everyone is screaming at you because something is screwed up, then you go into the server room, and in the back of these server racks, where there's no light, there might be a network tap port or SPAN port," Siegel said. "But someone else has plugged something else into it, and you have no idea what this stupid thing does. It could be that a year ago somebody else needed to connect to it, and if you unplug it now, all hell breaks loose. So you spend an hour trying to figure this thing out."
Siegel's example is not unusual. Forty-three percent of companies struggle with a shortage of -- or an inability to share -- SPAN ports and network taps, according to a new Enterprise Management Associates survey of approximately 150 companies, which was sponsored by monitoring visibility vendor Anue Systems. The survey also found that 47% of respondents said their monitoring tools are underutilized, and another 25% said their monitoring tools drop packets because of oversubscription, partly because of poor management of these SPAN ports and taps.
"When I worked at Netscout, we would hear about problems with people using SPANs and taps and not having enough of them," said Jim Frey, research director at Enterprise Management Associates. "Or we would hear about someone unplugging a security monitoring tool because they need the tap to do troubleshooting and then forgetting to plug the monitoring tool back in. Then your security tool is suddenly disabled, and if you had a better access plan, you wouldn't have these 'uh oh' moments."
Matrix switches -- as network tap aggregators -- to the rescue
In recent years, several vendors have introduced a new family of matrix switches, or network tap aggregators, which can collect flows from all the SPAN links and taps on a network and share them with multiple monitoring and management tools. These vendors include Apcon Inc., Anue Systems, Gigamon Systems, NetOptics and Datacom Systems.
Network engineers can plug any or all of their network monitoring and management tools directly into a matrix switch and have them all sit on a rack together. Through the matrix switch, an engineer can instruct all the configured SPAN ports and installed network taps on the network to feed their data into the matrix switch. The switch can share all the flow-based information with all of the engineer's tools, eliminating the SPAN port and network tap shortage that so many organizations are facing, according to Frey.
Matrix switches fix the SPAN port shortage for one government agency
Bill Baltas, supervisory systems administrator with Clark County Water District in Nevada, started using a matrix switch from Anue Systems about a year ago to consolidate visibility for his various monitoring tools, including Netscout's NGenius, some Fluke Networks monitoring tools and a variety of network sniffers. He'll soon be plugging ACE Live from Opnet into the matrix switch, too, in order to monitor performance on some multi-tiered applications. The Anue matrix switch has helped him solve his SPAN port and network tap shortage.
"Before Anue, I had a problem with an IBM WebSphere application with Oracle on the back end," Baltas said. "We had to go around and set up SPAN ports across multiple switches. The problem is that the Catalyst 6500 only has two SPAN ports. At any one time, we had SPAN ports going into different monitoring systems. I had to break all that in order to troubleshoot this problem with WebSphere. That's the first time that I sat down and said to myself that I have to overcome this."
With a matrix switch, Baltas can keep his monitoring tools in place and simply plug an additional troubleshooting tool into the matrix switch. Then he instructs the relevant SPAN port or tap to feed information to the troubleshooting tool. Meanwhile, his various monitoring tools continue to get their data uninterrupted. No connections are broken, and nothing is left accidentally unplugged.
Filtering with matrix switches prevents oversubscription
Most matrix switches also have filtering capabilities that allow engineers to choose which data flows into specific tools.
"For data loss prevention, we don't want to plug those tools up with things like NetBIOS or VoIP data," Frey said. "We want to filter that stuff out, to allow the tools to spend their scanning cycles on actual payload contents. The same thing … if you have a special-purpose VoIP quality monitoring tool. You only want to look at VoIP traffic. You can get away with a lower-end tool in terms of its speed and capacity if you can filter down and focus on the right data."
These filtering features in matrix switches can allow monitoring tools designed for 1 Gigabit Ethernet (GbE) to work with 10 GbE networks. In an unfiltered environment, a 1 GbE tool will be overwhelmed with flows from a 10 GbE pipe. However, if an engineer tells a matrix switch to send only relevant data from the 10 GbE network into the 1 GbE tool, in many cases the filtered traffic will not overwhelm the monitoring tool.
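The allocation the last few sections describe, as an added example that is not from the article or any vendor's product: every tool subscribes to a set of SPAN/tap feeds through the aggregator, each tool gets its own filtered copy, and plugging in one more troubleshooting tool leaves the existing feeds untouched, while the per-tool load check shows why an unfiltered 1 GbE tool on a busy core SPAN drops packets and a filtered one does not. Source names, tool names and the traffic mix are constructed, hypothetical values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed traffic mix per SPAN port / tap, in Mbps by protocol class.
# Hypothetical figures for illustration, not measured from any real network.
SPAN_FEEDS: Dict[str, Dict[str, int]] = {
    "core-span-1": {"http": 3200, "sql": 1800, "voip": 600, "netbios": 400, "other": 2000},
    "tor-web-tap": {"http": 700, "sql": 50, "voip": 0, "netbios": 120, "other": 130},
}

@dataclass
class Tool:
    name: str
    capacity_mbps: int                              # link speed of the tool's port
    sources: List[str]                              # SPAN/tap feeds it subscribes to
    keep: Optional[Callable[[str], bool]] = None    # filter; None = pass everything

def offered_load(tool: Tool) -> int:
    """Mbps the aggregator forwards to one tool after applying its filter."""
    return sum(mbps for src in tool.sources
               for proto, mbps in SPAN_FEEDS[src].items()
               if tool.keep is None or tool.keep(proto))

def plan(tools: List[Tool]) -> Dict[str, dict]:
    """Per-tool offered load and whether the tool's port would drop packets."""
    return {t.name: {"load": offered_load(t),
                     "drops": offered_load(t) > t.capacity_mbps} for t in tools}

# Filters of the kind the article describes: a VoIP quality monitor wants only
# VoIP; a DLP scanner wants payload traffic minus NetBIOS and VoIP chatter.
def voip_only(proto: str) -> bool:
    return proto == "voip"

def no_chatter(proto: str) -> bool:
    return proto not in ("voip", "netbios")

TOOLS = [
    Tool("sniffer-unfiltered", 1000, ["core-span-1"]),                 # 1 GbE, no filter
    Tool("voip-monitor", 1000, ["core-span-1", "tor-web-tap"], voip_only),
    Tool("dlp-scanner", 1000, ["tor-web-tap"], no_chatter),
]

def add_troubleshooting_tool(tools: List[Tool], tool: Tool) -> Dict[str, dict]:
    """Plug one more tool into the aggregator: existing feeds stay exactly as
    they were; the new tool simply gets its own copy of the sources it asks for."""
    before, after = plan(tools), plan(tools + [tool])
    assert all(after[n] == before[n] for n in before)   # nothing was unplugged
    return after

if __name__ == "__main__":
    for name, r in add_troubleshooting_tool(TOOLS, Tool("ids-eval", 10000, ["core-span-1"])).items():
        print(f"{name:20s} {r['load']:6d} Mbps  drops={r['drops']}")
```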
Using matrix switches to evaluate IDS tools
Anue's matrix switch also enabled Baltas to perform a side-by-side, simultaneous comparison of three intrusion detection system (IDS) products.
"I was able to bring in Juniper, Tipping Point and Cisco at the same time by plugging them into the Anue device," he said. "I didn't put them in line, but I directed Internet traffic to all three systems at one time. I couldn't have done that without an aggregator. Once I made the decision to go with Tipping Point IPS, of course, I had to put the system in line. But at least I was able to see what the interface looked like and how it handled our Internet traffic off a SPAN port. It was really cool to have all three of them in place at one time."
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor