October 2007

NETWORK MONITORING

Performance analysis ‘tapped’ in

Aggregating taps offer a viable option for monitoring network performance and security.

by Robert Finlay

Effective IT security and performance management relies on visibility. IT departments need visibility of production network data to identify security vulnerabilities and violations, as well as network and application performance. Often, this involves the deployment of analysis devices capable of examining a vast quantity of data traversing critical network links. Intrusion detection, intrusion protection, network monitoring, application monitoring, Web monitoring and protocol analysis are some of the solutions increasingly deployed on the network to ensure IT compliance and performance.

Dual-link aggregation taps provide full visibility across redundant links. This eliminates the need for multiple security and monitoring devices and saves organizations money on security and network-management budgets.

When planning to deploy analysis solutions on the network, two questions should be answered: How will the network data be accessed, and where will the access points be placed? The answer to these questions will often determine the effectiveness and value these solutions provide to IT groups.

There are several techniques that answer the question of network access. Typically, a network-security or performance-analysis device utilizes an in-line hub, a plain switch port, a mirror/SPAN port or an in-line tap. Not all of these techniques, however, are equal.

The use of in-line hubs and plain switch ports is the least-desirable access method for critical-link security and performance analysis. This leaves mirror/SPAN ports or in-line taps as the primary means of network access for IT analysis.

Where security and analysis devices get deployed is the other significant question. There are three locations at the center of performance and security analysis that require planned network access: the network’s edge, the data center and the distribution layer.

A common attribute of these three critical locations is the use of redundant, high-availability network architectures that rely on multiple paths and devices to ensure resiliency and performance. Because 100 percent visibility across the multiple links in a trunk is required, this architecture represents a challenge for security and performance analysis. Deploying multiple security and network-analysis devices on each route is one solution, but this is expensive and can involve complex or inaccurate synchronization between monitoring solutions.

In-line taps recommended

In-line taps connect between two end-points on the network, typically a switch, router, firewall or server. Once installed, taps provide instant plug-and-play access to the network, with full visibility into link traffic, errors, security threats and applications.

Pre-installed taps on critical network segments are one solution, giving engineers instant access to data they need without configuration risks or contention issues for switch/router resources. Traditional in-line taps are best suited for use with dual-interface analysis devices.

Aggregating in-line taps combine full-duplex traffic, or multiple mirror/SPAN ports, into a single data stream for use with single-interface security and performance-monitoring equipment. Aggregating taps offer a viable new option for analysis solutions originally intended for mirror/SPAN port deployment. Because the tap combines both directions of a full-duplex link into one stream, the monitoring port must carry their sum: full-duplex Fast Ethernet and gigabit links have combined data rates of 200 Mbps or 2 Gbps, respectively.

Just like a mirror/SPAN port, aggregation taps can become oversubscribed when the combined stream exceeds what the monitoring port can carry. While many organizations do not encounter data rates that lead to oversubscription, it is still an issue to consider when planning the use of aggregation taps or mirror/SPAN ports. (Note: Fast Ethernet links are fully supported with an aggregation tap when a gigabit-capable analysis device is monitoring, since their combined 200 Mbps fits within a gigabit monitoring port.)

The extension of full-duplex link-aggregation technology allows taps to combine data from multiple links. A dual-link, aggregation in-line tap installs on two links and combines traffic into a single gigabit data stream. For organizations utilizing redundant and asymmetrical network design, this tap provides a single access point for security and performance-analysis visibility across multiple network paths.

Instead of purchasing a security or performance-analysis device for each link on a meshed trunk, an IT department can now spend less on monitoring solutions while still maintaining full visibility across the critical network fabric. Packet timing issues are also resolved with dual-link aggregation taps: a single monitoring device timestamps all packets, so there is no tricky clock synchronization between multiple monitoring devices to skew packet timestamps.

Oversubscription a problem

Link aggregation extends the ROI of network security and performance solutions, but it also subjects them to greater data rates that can overload the analysis device’s CPU. In addition, as a greater number of links are aggregated, the chance of oversubscribing the monitoring ports used by security and performance-analysis devices increases.

Filtering link-aggregation taps resolve these two issues. These taps have line-rate filtering built into their architecture that offloads the processing of extraneous data normally sent to analysis solutions. Filtering aggregation taps allow the user to filter on specific traffic within the tap.

For instance, a tap can be used to block all broadcast and multicast traffic before aggregation, employing a second level of filters specific to each of the four analysis devices attached to the tap. This technique has two major benefits: It eliminates the chance of oversubscription during aggregation and frees up valuable processing cycles with the elimination of irrelevant packets.
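The oversubscription arithmetic described above (both directions of each link folded into one monitoring port, then broadcast/multicast removed before aggregation) as an added worked example, not code from the article or from any tap vendor. The gigabit monitoring port, the link names and the traffic figures are constructed assumptions.

```python
from dataclasses import dataclass

MONITOR_PORT_MBPS = 1000  # assumed: the tap's monitoring port is gigabit
@dataclass
class Link:
    name: str
    speed_mbps: int       # per-direction line rate: 100 = Fast Ethernet, 1000 = gigabit
    a_to_b_mbps: int      # measured traffic in one direction
    b_to_a_mbps: int      # measured traffic in the other direction
    bcast_mcast_pct: int  # percent of that traffic that is broadcast/multicast

    def aggregated_mbps(self) -> int:
        # A full-duplex aggregation tap folds both directions into one
        # stream, so the monitoring port sees the sum of both directions.
        return self.a_to_b_mbps + self.b_to_a_mbps

    def worst_case_mbps(self) -> int:
        # Both directions saturated: 200 Mbps for Fast Ethernet, 2000 for gigabit.
        return 2 * self.speed_mbps

def aggregated_rate(links, drop_bcast_mcast=False) -> int:
    """Rate offered to one monitoring port after combining the links; with
    drop_bcast_mcast the tap's pre-aggregation filter removes broadcast
    and multicast frames before the links are combined."""
    total = 0
    for link in links:
        rate = link.aggregated_mbps()
        if drop_bcast_mcast:
            rate = rate * (100 - link.bcast_mcast_pct) // 100
        total += rate
    return total

def is_oversubscribed(links, drop_bcast_mcast=False, monitor_mbps=MONITOR_PORT_MBPS) -> bool:
    return aggregated_rate(links, drop_bcast_mcast) > monitor_mbps

def safe_at_line_rate(links, monitor_mbps=MONITOR_PORT_MBPS) -> bool:
    # True when even saturated links fit the monitoring port: the reason a
    # Fast Ethernet link cannot oversubscribe a gigabit-capable analyzer.
    return sum(link.worst_case_mbps() for link in links) <= monitor_mbps

# Constructed sample: a dual-link tap on two redundant gigabit paths.
REDUNDANT_PAIR = [
    Link("path-1", 1000, a_to_b_mbps=400, b_to_a_mbps=350, bcast_mcast_pct=30),
    Link("path-2", 1000, a_to_b_mbps=300, b_to_a_mbps=250, bcast_mcast_pct=20),
]
FAST_ETHERNET = [Link("fe-uplink", 100, 100, 100, 0)]

if __name__ == "__main__":
    print(aggregated_rate(REDUNDANT_PAIR), aggregated_rate(REDUNDANT_PAIR, True))  # 1300 965
    print(is_oversubscribed(REDUNDANT_PAIR), is_oversubscribed(REDUNDANT_PAIR, True))  # True False
```

The unfiltered pair (1300 Mbps) oversubscribes the gigabit monitoring port, while the same pair with broadcast/multicast dropped before aggregation (965 Mbps) fits.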

In-line models of filtering link-aggregation taps can be used on up to two links, while mirror/SPAN models can process up to four connections. Each model also allows for media conversion and remote configuration within distributed analysis environments. With four monitoring ports on each tap, there are plenty of access points for several IT groups and users.

While modern meshed network architectures make analyzing critical traffic difficult, the latest generation of multilink aggregation taps eliminates this complexity and reduces the cost of analysis-solution deployment. Data regeneration offered by the latest generation of taps provides greater connectivity options and reduces the contention for data access often found with mirror/SPAN ports.

Finally, new filtering aggregation taps improve the performance of network analysis devices by limiting CPU processing spent on unnecessary packets. IT groups that spend resources on security, application and network analysis will benefit from understanding how the latest generation of taps provides greater visibility with lower overall cost and less complexity.

Robert Finlay is product manager, network management, for Fluke Networks, Everett, Wash.