Re: Switch designed for mirroring tap ports
Ameen,

We've had very good success using Brocade MLX's for this very thing (actually, might be older XMRs, but should be same platform at this point). Check out the transparent-hw-flooding command under a VLAN. It basically turns off mac learning, and just floods it on the vlan's member ports.

If you want to be creative and say split out port 80 traffic to one port and the rest to another, you can use policy based routing to change the destination VLAN for just tcp/80 traffic. If you want to have many different inputs going to many different outputs some with PBR, some without, then you may have to get very creative and use cables coming out of one port on the box and going back into another port.

We're using this successfully with multiple 10GE ports.

Jay

--
Jay Moran
http://tp.org/jay

On Thu, Mar 1, 2012 at 3:12 PM, A. Pishdadi apishd...@gmail.com wrote:

Hello All,

We are looking for a switch or a device that we can use for mirroring tap ports. For example, take a mirror port off of a core router say a 6509, connect it to a port on said device, say port 1. I would like then to be able to mirror port 1 on said device to multiple ports, like port 2, 3, 4. We have the need to analyze traffic from one port on multiple devices. Seems most switches are limited to mirroring to a max of 1 or 2 ports.

Any suggestions would be great.

Thanks,
Ameen
Re: Switch designed for mirroring tap ports
Instead of monitoring the physical interface, monitor the vlan from a Cisco IOS perspective on a CAT6500. This will capture all physical interfaces associated with that vlan for mirroring/span.

HTH

Jonathan
#22744

Sent from my HTC on the Now Network from Sprint!

- Reply message -
From: A. Pishdadi apishd...@gmail.com
Date: Wed, Feb 29, 2012 11:12 pm
Subject: Switch designed for mirroring tap ports
To: NANOG nanog@nanog.org

Hello All,

We are looking for a switch or a device that we can use for mirroring tap ports. For example, take a mirror port off of a core router say a 6509, connect it to a port on said device, say port 1. I would like then to be able to mirror port 1 on said device to multiple ports, like port 2, 3, 4. We have the need to analyze traffic from one port on multiple devices. Seems most switches are limited to mirroring to a max of 1 or 2 ports.

Any suggestions would be great.

Thanks,
Ameen
Re: Switch designed for mirroring tap ports
No, the issue isn't monitoring many ports at once, it's having more than 1 set of monitoring or 2 sets in the 6500 case. So I am monitoring say port channel 1 to ports 1 2 3 4, and port channel 2, ports 4 5 6 and 7. After that I cannot monitor any more ports.

On Thu, Mar 1, 2012 at 2:34 AM, gwoo...@gmail.com gwoo...@gmail.com wrote:

Instead of monitoring the physical interface, monitor the vlan from a Cisco IOS perspective on a CAT6500. This will capture all physical interfaces associated with that vlan for mirroring/span.

HTH

Jonathan
#22744

Sent from my HTC on the Now Network from Sprint!

- Reply message -
From: A. Pishdadi apishd...@gmail.com
Date: Wed, Feb 29, 2012 11:12 pm
Subject: Switch designed for mirroring tap ports
To: NANOG nanog@nanog.org

Hello All,

We are looking for a switch or a device that we can use for mirroring tap ports. For example, take a mirror port off of a core router say a 6509, connect it to a port on said device, say port 1. I would like then to be able to mirror port 1 on said device to multiple ports, like port 2, 3, 4. We have the need to analyze traffic from one port on multiple devices. Seems most switches are limited to mirroring to a max of 1 or 2 ports.

Any suggestions would be great.

Thanks,
Ameen
Re: Switch designed for mirroring tap ports
Take a look at VACLs on the Cat side. It has a capture feature that is effectively the same as a local SPAN, but without the 2 session limit. If you do a lot of RSPAN though, this wouldn't be your complete answer (VACL captures are local only). VACLs are a bit more granular in defining what's captured, if say for example you only wanted traffic destined to TCP/80, you could configure it that way.

David.

On Thu, Mar 1, 2012 at 5:52 AM, Terry Baranski terry.baranski.l...@gmail.com wrote:

On Mar 1, 2012, at 02:13 AM, apishd...@gmail.com wrote:

Hello All,

We are looking for a switch or a device that we can use for mirroring tap ports. For example, take a mirror port off of a core router say a 6509, connect it to a port on said device, say port 1. I would like then to be able to mirror port 1 on said device to multiple ports, like port 2, 3, 4. We have the need to analyze traffic from one port on multiple devices. Seems most switches are limited to mirroring to a max of 1 or 2 ports.

We like Gigamon for this purpose.

-Terry
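The VACL capture approach described in the message above, written out as an added example that is not part of the original thread or any poster's configuration. It uses Catalyst 6500 IOS syntax; the ACL name, access-map name, VLAN 100 and interface GigabitEthernet1/1 are placeholders chosen for illustration.

```cisco
! Added example: CAP-WEB, MONITOR-WEB, VLAN 100 and Gi1/1 are placeholders.
! Select the traffic to copy to the analyzer (TCP/80 in either direction).
ip access-list extended CAP-WEB
 permit tcp any any eq 80
 permit tcp any eq 80 any
!
! Sequence 10: forward matching traffic normally and set the capture bit.
vlan access-map MONITOR-WEB 10
 match ip address CAP-WEB
 action forward capture
! Sequence 20: no match clause, so all remaining traffic is forwarded
! without being captured. Without this entry the implicit deny at the
! end of the map drops non-matching IP traffic on the VLAN.
vlan access-map MONITOR-WEB 20
 action forward
!
! Apply the map to the VLAN that carries the traffic of interest.
vlan filter MONITOR-WEB vlan-list 100
!
! Capture port facing the analyzer; it receives the capture-marked frames.
interface GigabitEthernet1/1
 switchport
 switchport capture
 switchport capture allowed vlan 100
```

`show vlan access-map` and `show vlan filter` confirm that the map and its VLAN binding are in place before an analyzer is attached.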
RE: Switch designed for mirroring tap ports
Echoing what Terry said... we use gigamon devices for this too.

-Chris

On Mar 1, 2012 5:53 AM, Terry Baranski terry.baranski.l...@gmail.com wrote:

On Mar 1, 2012, at 02:13 AM, apishd...@gmail.com wrote:

Hello All,

We are looking for a switch or a device that we can use for mirroring tap ports. For example, take a mirror port off of a core router say a 6509, connect it to a port on said device, say port 1. I would like then to be able to mirror port 1 on said device to multiple ports, like port 2, 3, 4. We have the need to analyze traffic from one port on multiple devices. Seems most switches are limited to mirroring to a max of 1 or 2 ports.

We like Gigamon for this purpose.

-Terry
Re: Switch designed for mirroring tap ports
A. Pishdadi apishd...@gmail.com writes:

We are looking for a switch or a device that we can use for mirroring tap ports. For example, take a mirror port off of a core router say a 6509, connect it to a port on said device, say port 1. I would like then to be able to mirror port 1 on said device to multiple ports, like port 2, 3, 4. We have the need to analyze traffic from one port on multiple devices. Seems most switches are limited to mirroring to a max of 1 or 2 ports.

http://www.netoptics.com/products/regeneration-taps

Been reasonably happy with these on 100m and gigabit links in the past, can't imagine that their 10g products don't work just as well.

-r
Re: Switch designed for mirroring tap ports
Hi Ameen,

Wouldn't it work to have a switch aggregating your monitor sessions just disable MAC learning? Traffic from a single input interface would be replicated to all other ports on the vlan where learning is disabled. I've used this with a 3750, and I haven't seen any trouble (other than that you don't want that switch in-line with anything else).

David Barak
RE: Switch designed for mirroring tap ports
Yes, the Cat 6500s are limited to a certain number of SPAN/port monitoring sessions. Another tool we've switched to after using the Gigamon for many years is taps and the Anue 5236 (10Gb) port aggregator. From this we can split the SPAN feeds into different IDS/monitoring servers or load-share among several output servers. It is a great tool and very easy GUI to control the feeds and output ports.

Ian Slade
Sr. Network Engineer, SAIC
ITS Systems Engineering
ian.sl...@saic.com
703-676-5234
http://www.saic.com

-Original Message-
From: nanog-bounces+ian.slade=saic@nanog.org [mailto:nanog-bounces+ian.slade=saic@nanog.org] On Behalf Of A. Pishdadi
Sent: Thursday, March 01, 2012 3:54 AM
To: gwoo...@gmail.com
Cc: NANOG
Subject: Re: Switch designed for mirroring tap ports

No, the issue isn't monitoring many ports at once, it's having more than 1 set of monitoring or 2 sets in the 6500 case. So I am monitoring say port channel 1 to ports 1 2 3 4, and port channel 2, ports 4 5 6 and 7. After that I cannot monitor any more ports.

On Thu, Mar 1, 2012 at 2:34 AM, gwoo...@gmail.com gwoo...@gmail.com wrote:

Instead of monitoring the physical interface, monitor the vlan from a Cisco IOS perspective on a CAT6500. This will capture all physical interfaces associated with that vlan for mirroring/span.

HTH

Jonathan
#22744

Sent from my HTC on the Now Network from Sprint!

- Reply message -
From: A. Pishdadi apishd...@gmail.com
Date: Wed, Feb 29, 2012 11:12 pm
Subject: Switch designed for mirroring tap ports
To: NANOG nanog@nanog.org

Hello All,

We are looking for a switch or a device that we can use for mirroring tap ports. For example, take a mirror port off of a core router say a 6509, connect it to a port on said device, say port 1. I would like then to be able to mirror port 1 on said device to multiple ports, like port 2, 3, 4. We have the need to analyze traffic from one port on multiple devices. Seems most switches are limited to mirroring to a max of 1 or 2 ports.

Any suggestions would be great.

Thanks,
Ameen
Re: Switch designed for mirroring tap ports
I believe MRV's Media Cross Connects will do this.

http://www.mrv.com/tap/physical-layer/

On Thu, Mar 1, 2012 at 1:12 AM, A. Pishdadi apishd...@gmail.com wrote:

Hello All,

We are looking for a switch or a device that we can use for mirroring tap ports. For example, take a mirror port off of a core router say a 6509, connect it to a port on said device, say port 1. I would like then to be able to mirror port 1 on said device to multiple ports, like port 2, 3, 4. We have the need to analyze traffic from one port on multiple devices. Seems most switches are limited to mirroring to a max of 1 or 2 ports.

Any suggestions would be great.

Thanks,
Ameen
Re: Switch designed for mirroring tap ports
Be careful when considering the Anue products. When we evaluated both Anue and Gigamon, we had to rule out Anue due to total lack of IPv6 support, and went with Gigamon instead. I have not heard whether the situation has changed in the last year. We liked both products for their functionality and ease of use, but for us IPv6 was the distinguishing capability.

--Ron

Ron Broersma
DREN Chief Engineer

On Mar 1, 2012, at 9:50 AM, Slade, Ian wrote:

Yes, the Cat 6500s are limited to a certain number of SPAN/port monitoring sessions. Another tool we've switched to after using the Gigamon for many years is taps and the Anue 5236 (10Gb) port aggregator. From this we can split the SPAN feeds into different IDS/monitoring servers or load-share among several output servers. It is a great tool and very easy GUI to control the feeds and output ports.

Ian Slade
Sr. Network Engineer, SAIC
ITS Systems Engineering
ian.sl...@saic.com
703-676-5234
http://www.saic.com

-Original Message-
From: nanog-bounces+ian.slade=saic@nanog.org [mailto:nanog-bounces+ian.slade=saic@nanog.org] On Behalf Of A. Pishdadi
Sent: Thursday, March 01, 2012 3:54 AM
To: gwoo...@gmail.com
Cc: NANOG
Subject: Re: Switch designed for mirroring tap ports

No, the issue isn't monitoring many ports at once, it's having more than 1 set of monitoring or 2 sets in the 6500 case. So I am monitoring say port channel 1 to ports 1 2 3 4, and port channel 2, ports 4 5 6 and 7. After that I cannot monitor any more ports.

On Thu, Mar 1, 2012 at 2:34 AM, gwoo...@gmail.com gwoo...@gmail.com wrote:

Instead of monitoring the physical interface, monitor the vlan from a Cisco IOS perspective on a CAT6500. This will capture all physical interfaces associated with that vlan for mirroring/span.

HTH

Jonathan
#22744

Sent from my HTC on the Now Network from Sprint!

- Reply message -
From: A. Pishdadi apishd...@gmail.com
Date: Wed, Feb 29, 2012 11:12 pm
Subject: Switch designed for mirroring tap ports
To: NANOG nanog@nanog.org

Hello All,

We are looking for a switch or a device that we can use for mirroring tap ports. For example, take a mirror port off of a core router say a 6509, connect it to a port on said device, say port 1. I would like then to be able to mirror port 1 on said device to multiple ports, like port 2, 3, 4. We have the need to analyze traffic from one port on multiple devices. Seems most switches are limited to mirroring to a max of 1 or 2 ports.

Any suggestions would be great.

Thanks,
Ameen
Re: Switch designed for mirroring tap ports
How about splitting up a heavy stream (10G) into components (1G) to run through an inline device and reassemble the pieces back to an aggregate afterward?

TippingPoint makes a core controller box for this but it's pretty hideously expensive. Could do it with two 6500s but that's pretty hideously expensive as well :)

Jeff
Re: Switch designed for mirroring tap ports
Gigamon has a new product offering that claims to do this (their sales guys just met with me a few days ago and gave me an update on their latest offerings). It's the G-Secure-something or other. We're using the 2404's so I don't have any experience with it.

Cheers,
Harry

On 03/01/2012 10:22 AM, Jeff Kell wrote:

How about splitting up a heavy stream (10G) into components (1G) to run through an inline device and reassemble the pieces back to an aggregate afterward?

TippingPoint makes a core controller box for this but it's pretty hideously expensive. Could do it with two 6500s but that's pretty hideously expensive as well :)

Jeff
Re: [nanog] Re: Switch designed for mirroring tap ports
We're doing something similar - VACLs (using the redirect action) with port-channel destinations on a span aggregation 650x. If you've got a spare 650x chassis lying around and your configuration requirements aren't terribly complex/dynamic, you can do monitoring with filtering and load-balancing at high-throughput on it.

On 03/01/12 06:03, David Swafford wrote:

Take a look at VACLs on the Cat side. It has a capture feature that is effectively the same as a local SPAN, but without the 2 session limit. If you do a lot of RSPAN though, this wouldn't be your complete answer (VACL captures are local only). VACLs are a bit more granular in defining what's captured, if say for example you only wanted traffic destined to TCP/80, you could configure it that way.

David.

On Thu, Mar 1, 2012 at 5:52 AM, Terry Baranski terry.baranski.l...@gmail.com wrote:

On Mar 1, 2012, at 02:13 AM, apishd...@gmail.com wrote:

Hello All,

We are looking for a switch or a device that we can use for mirroring tap ports. For example, take a mirror port off of a core router say a 6509, connect it to a port on said device, say port 1. I would like then to be able to mirror port 1 on said device to multiple ports, like port 2, 3, 4. We have the need to analyze traffic from one port on multiple devices. Seems most switches are limited to mirroring to a max of 1 or 2 ports.

We like Gigamon for this purpose.

-Terry
Re: Switch designed for mirroring tap ports
Thus spake Jeff Kell (jeff-k...@utc.edu) on Thu, Mar 01, 2012 at 10:22:29AM -0500:

How about splitting up a heavy stream (10G) into components (1G) to run through an inline device and reassemble the pieces back to an aggregate afterward?

Sounds like a perfect job for a commodity switch that supports OpenFlow.

Dale
Switch designed for mirroring tap ports
Hello All,

We are looking for a switch or a device that we can use for mirroring tap ports. For example, take a mirror port off of a core router say a 6509, connect it to a port on said device, say port 1. I would like then to be able to mirror port 1 on said device to multiple ports, like port 2, 3, 4. We have the need to analyze traffic from one port on multiple devices. Seems most switches are limited to mirroring to a max of 1 or 2 ports.

Any suggestions would be great.

Thanks,
Ameen