Enhancing Cisco Networks with Gigamon // White Paper
The Smart Route To Visibility™
Many Fortune 1000 companies and beyond implement a Cisco switching architecture. When implementing a large-scale Cisco network, the infrastructure needed to effectively monitor that network is often overlooked. To monitor their networks, customers use Cisco technologies such as SPAN, RSPAN, ERSPAN, and VACLs. Often these technologies do not scale to support the diverse needs of the network and security groups as they strive for maximum uptime within the network infrastructure. This white paper discusses the various monitoring functions Cisco provides and how you can enhance these technologies using the Gigamon Traffic Visibility Fabric and TAP solutions.
Cisco SPAN
SPAN stands for Switch Port Analyzer. SPAN functionality is offered in all Cisco switching solutions. A SPAN port copies data from one or more source ports to a destination port. Figure 1 shows an example of how the SPAN function operates.
With most Cisco switching products, users are limited to two SPAN sessions per switch. For most large enterprises this is not sufficient for monitoring purposes. In most large organizations, the network and security groups together commonly run four or more monitoring or analysis tools that all contend for the same data. Examples of such tools are Application Performance Monitors, Intrusion Detection Tools, Data Recorders, Web Monitoring Tools, and many more. There are also limitations that prevent users from sending data from one source port to both of the available SPAN sessions, as well as limitations on sending VLAN and non-VLAN traffic to the same destination port. In summary, SPAN sessions are good for spot analysis but are limited in terms of scaling to support company-wide monitoring initiatives. SPAN ports are typically best for small to medium environments where monitoring needs are modest.
Figure 1: Cisco SPAN example (diagram labels: Source Data Port, SPAN Port). Inside a Cisco switch, data is copied from a network port (in this example, the port the router is connected to) to a SPAN port which has a monitoring tool connected.
Cisco RSPAN
Cisco RSPAN stands for Remote Switch Port Analyzer. RSPAN works very much like SPAN, with the exception that data can be sent between remote monitoring ports in the switching architecture using VTP and reflector ports.
Users are only allowed to send data to two RSPAN destinations. Just like SPAN, data from the same source port or VLAN cannot be shared across the two sessions. RSPAN adds configuration complexity, as users have to configure the correct VTP domains on each switch that RSPAN data traverses. There is a potential for duplicate packets in RSPAN configurations. RSPAN ports will also not pass Layer 2 data.
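As an added illustration of the two sections above (this is not from the white paper, nor Cisco's or Gigamon's own documentation), the following Catalyst IOS configuration sets up one local SPAN session and one RSPAN session that carries a second source across the switching fabric to a remote switch. Interface names, the RSPAN VLAN number (900) and the session numbers are assumptions, and exact syntax varies by platform and IOS release.

```cisco
! --- Switch A (source switch) ---
! Session 1: local SPAN. Copy everything seen on Gi1/0/1 (the router
! uplink of Figure 1) to Gi1/0/24, where an IDS sensor is attached.
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/24
!
! Session 2: RSPAN. A second source is carried across the switching
! fabric inside a dedicated RSPAN VLAN (assumed VLAN 900). The VLAN must
! exist, with the remote-span attribute, on every switch in the path;
! VTP distributes it when the switches share a VTP domain.
vlan 900
 name RSPAN-TO-MONITOR
 remote-span
!
monitor session 2 source interface GigabitEthernet1/0/2 both
monitor session 2 destination remote vlan 900
! Older platforms that require a reflector port use this form instead:
!   monitor session 2 destination remote vlan 900 reflector-port GigabitEthernet1/0/23
!
! Adding Gi1/0/1 as a source of session 2 as well is rejected on most
! Catalyst platforms: a port can feed only one session, which is the
! "one source cannot go to both sessions" limit described in the text.
!
! --- Switch B (where the monitoring tool sits) ---
vlan 900
 remote-span
!
monitor session 2 source remote vlan 900
monitor session 2 destination interface GigabitEthernet1/0/24
```

Verify each side with `show monitor session 2`; if the RSPAN VLAN is missing the remote-span attribute on any intermediate switch, that switch floods and learns MAC addresses on the mirrored traffic like a normal VLAN and the copy never reaches Switch B cleanly.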
Cisco ERSPAN
ERSPAN stands for Encapsulated Remote SPAN. With ERSPAN, data from remote switches can be forwarded to a monitoring tool over a routed network or the Internet using a GRE tunnel that is configured on the Cisco switches.
ERSPAN is a feature that is only supported on Cisco switches with the Supervisor Engine 720 manufactured with PFC3A. This means the feature is limited to a few Cisco switch families, such as the Catalyst 6500 family. This functionality has not translated to the newer Cisco Nexus product line as an option. Packets of an ERSPAN session are tagged with a 50-byte header, and the CRC is replaced. Items you need to be aware of are fragmented frames and jumbo frames. ERSPAN does not support fragmented frames, and all switches have to be configured to support jumbo frames, or else frames that grow past the 1500-byte limit once the 50 bytes of tag data are added will be dropped. Just like all other SPAN technologies, you can only create two ERSPAN destinations per switch. ERSPAN requires additional configuration effort to ensure that the tunneling and frame sizes are correct for proper routing of data.
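The following Catalyst 6500 configuration is an added example (not taken from the white paper or from Cisco or Gigamon documentation) of an ERSPAN source session, its matching destination session, and the jumbo-frame setting the text says every hop needs. The IP addresses (RFC 5737 documentation ranges), interface names, session number and ERSPAN ID are assumptions.

```cisco
! --- Catalyst 6500 with Sup720/PFC3 (ERSPAN source side) ---
! Assumed addressing: 192.0.2.1 is this switch's routed origin address,
! 192.0.2.10 is the routed address of the switch next to the tool.
! A full-size 1500-byte frame becomes 1550 bytes once the 50-byte ERSPAN
! encapsulation is added, so raise the MTU on this switch and on every
! routed hop in between, otherwise those frames are dropped.
system jumbomtu 9216
!
interface GigabitEthernet1/1
 description Source port being monitored
!
interface TenGigabitEthernet2/1
 description Routed uplink that carries the GRE-encapsulated copies
 ip address 198.51.100.1 255.255.255.252
 mtu 9216
!
monitor session 3 type erspan-source
 source interface GigabitEthernet1/1 both
 destination
  erspan-id 101
  ip address 192.0.2.10
  origin ip address 192.0.2.1
 no shutdown
!
! --- Catalyst 6500 at the monitoring site (ERSPAN destination side) ---
! Decapsulates ERSPAN ID 101 arriving at 192.0.2.10 and hands plain
! frames to the monitoring tool attached to Gi1/2.
monitor session 3 type erspan-destination
 destination interface GigabitEthernet1/2
 source
  erspan-id 101
  ip address 192.0.2.10
 no shutdown
```

Because the mirrored traffic crosses a routed network inside GRE, any firewall or ACL on the path must permit GRE (IP protocol 47) between the origin and destination addresses, and the tool port on the destination switch receives the original frames without the tunnel headers, so the tool sees the same packets it would from a local SPAN port.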
Figure 2: Cisco RSPAN example (diagram labels: Originating switch with reflector port, RSPAN VLAN, SPAN Data, Monitoring Tool). Data on the originating switch is sent over an RSPAN VLAN created using VTP and reflector ports.
Figure 3: Cisco ERSPAN example (diagram labels: Source Data, SPAN Data in GRE Tunnel, Routed Network, Monitoring Tool).
Cisco VACL
VACL stands for VLAN Access List. VACLs overcome most SPAN limitations, in addition to providing the ability to filter for certain types of traffic such as a TCP port or an IP address. VACLs are ACLs that only apply to data within a VLAN and are separate from the ACLs that would be used in router configurations. The maximum number of VACLs a switch can support is determined by the number of VLANs in the switch. For example, if a switch only has 5 configured VLANs then you can create 5 VACL capture ports.
Users mainly use VACLs to free up SPAN resources, as a band-aid rather than a complete monitoring infrastructure. Configuring VACLs is usually reserved for more senior networking staff, as VACLs require the most configuration attention of all the Cisco network visibility technologies. Users can mistakenly block data from the VACL capture port if care is not taken when configuring the VACL. Like SPAN, VACL source data cannot be sent to multiple VACLs, which limits the benefit of having extra VACL ports: monitoring tools often have to see many VLANs at once, leaving the user with only one or two VACL capture ports that can actually be used.
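The configuration below is an added example for the VACL section (not from the white paper, nor Cisco's or Gigamon's own documentation) showing a VACL capture of HTTP traffic in one VLAN, with the access-map mistake the text warns about placed beside the corrected form. The VLAN number, ACL and access-map names, and the capture port are assumptions.

```cisco
! Assumed: VLAN 10 carries the servers of interest and Gi1/3 is the
! capture port connected to the monitoring tool.
!
! 1. Define what to capture: HTTP to and from the servers.
ip access-list extended WEB-TRAFFIC
 permit tcp any any eq 80
 permit tcp any eq 80 any
!
! 2. WRONG: an access map with only a capture clause. A VLAN access map
!    ends in an implicit deny, so every packet in VLAN 10 that is not
!    HTTP is dropped, taking all other traffic in the VLAN down.
vlan access-map MONITOR-WEB-BAD 10
 match ip address WEB-TRAFFIC
 action forward capture
!
! 3. CORRECT: the same capture clause followed by a catch-all forward
!    clause (no match statement matches everything), so non-matching
!    traffic is forwarded untouched and only HTTP is copied to the tool.
vlan access-map MONITOR-WEB 10
 match ip address WEB-TRAFFIC
 action forward capture
vlan access-map MONITOR-WEB 20
 action forward
!
! 4. Apply the good map to the VLAN. A VLAN can carry only one access
!    map, which is why one VLAN's traffic cannot feed several VACL captures.
vlan filter MONITOR-WEB vlan-list 10
!
! 5. Make the tool port a capture port and restrict which VLANs'
!    captured traffic it receives.
interface GigabitEthernet1/3
 description VACL capture port to monitoring tool
 switchport
 switchport capture
 switchport capture allowed vlan 10
```

Check the result with `show vlan access-map MONITOR-WEB` and `show vlan filter`; if the BAD map were applied by mistake, the symptom would be an immediate loss of non-HTTP connectivity for every host in VLAN 10 rather than a monitoring gap, which is why the text recommends leaving VACL configuration to experienced staff.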
Gigamon GigaVUE Traffic Visibility Nodes
Gigamon GigaVUE® Traffic Visibility Nodes are purpose-built appliances that create an out-of-band network providing enhanced visibility to all monitoring, data capture, and security tools. With Traffic Visibility Nodes, users can connect inputs and aggregate, replicate, and filter data, all at line-rate speeds, to any number of tools. Users can connect SPAN, RSPAN, VACL, ERSPAN, and TAP input ports to control the traffic flow from all network inputs to all monitoring tools. You can think of the Traffic Visibility Node as the central hub of your monitoring infrastructure; it is becoming a key component in new 10G and 1G data centers.
There are many benefits that users can gain by implementing a