24 | GigaStor™ (pub. 25.Apr.2014)
when troubleshooting client-to-core connection problems. The best way to achieve this kind of visibility is to
configure SPAN/mirror sessions on each switch, and then direct the SPAN/mirror output to half-duplex probes.
A SPAN/mirror port duplicates the traffic on a switch port or a group of ports, and sends the copied data to an
analyzer. Using a SPAN/mirror port and half-duplex probes is inexpensive and convenient, but cannot give you
all the visibility you need to manage and troubleshoot a network that also includes gigabit, WAN, and wireless
infrastructure. For networks that include these other topologies, other solutions are needed.
Because full-duplex Ethernet lies at the core of most corporate networks, ensuring completely transparent
analyzer access to full-duplex Ethernet traffic is critical. SPAN/mirror port access is fine for the half-duplex
Ethernet connections to stations at the edge, but may be unable to keep up with the higher-traffic full-duplex
links to the core.
There are three common ways for a probe or analyzer to gain access to full-duplex streams of data flowing on
Ethernet cables:
• Connect the probe to a SPAN/mirror port. A SPAN/mirror port can provide a copy of all designated traffic
  on the switch in real time, assuming bandwidth utilization is below 50% of full capacity.
• Deploy a port aggregator (sometimes called an “Aggregator TAP”) on critical full-duplex links.
• Deploy a TAP (Test Access Port) on critical full-duplex links to capture traffic. For some types of traffic
  such as full-duplex gigabit links, TAPs are the only way to guarantee complete analysis, especially when
  traffic levels are high.
Connecting a probe to a switch SPAN/mirror port or aggregator can provide adequate visibility into most of the
traffic local to the switch, assuming that bandwidth utilization is low. However, if the aggregate switch traffic
ever exceeds 50% bandwidth saturation, SPAN/mirror ports and aggregators simply cannot transmit the data
fast enough to keep up; dropped packets (and perhaps sluggish switch performance) will result. This is because
SPAN/mirror ports and aggregators are designed to connect to a standard NIC, which gives them only one side
of the full-duplex link on which to transmit data. A TAP, however, is designed to connect to a dual-receive capture card. By
sending data on both sides of the link to the capture card, a TAP has double the transmission capability of the
other options, allowing it to mirror both sides of a fully saturated link with no dropped packets and no possibility
of degrading switch performance. And regardless of utilization, SPAN/mirror ports filter out physical layer error
packets, rendering them invisible to your analyzer.
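The 50% threshold described above can be checked against per-direction interface rates before choosing between a SPAN/mirror port and a TAP. The following Python model is an added example, not taken from the GigaStor documentation; the function names, the `buffer_mbit` parameter and the sample rates are constructed assumptions.

```python
"""Model of mirror-port oversubscription on a full-duplex link (added example)."""

def utilization(sample, line_rate_mbps):
    """Combined utilization of both directions as a fraction of full-duplex capacity."""
    return sum(sample) / (2 * line_rate_mbps)

def mirror_drops(samples, line_rate_mbps, buffer_mbit=0.0, interval_s=1.0):
    """Mbit dropped by a SPAN/mirror or aggregator output with one transmit side.

    samples: (a_to_b_mbps, b_to_a_mbps) averages, one pair per interval.
    The monitored link can carry 2 * line_rate_mbps in total, but the copy
    leaves on a single transmit side limited to line_rate_mbps.
    buffer_mbit is an assumed egress buffer that can absorb short bursts.
    """
    queued = dropped = 0.0
    for a_to_b, b_to_a in samples:
        offered = (a_to_b + b_to_a) * interval_s
        sendable = line_rate_mbps * interval_s
        queued = max(0.0, queued + offered - sendable)
        if queued > buffer_mbit:          # buffer overflow: excess is lost
            dropped += queued - buffer_mbit
            queued = buffer_mbit
    return dropped

def tap_drops(samples, line_rate_mbps, interval_s=1.0):
    """Mbit dropped by a TAP feeding a dual-receive capture card.

    Each direction has its own receive channel, so a direction only loses
    data if it exceeds line rate, which the monitored link itself cannot do.
    """
    dropped = 0.0
    for sample in samples:
        for rate in sample:
            dropped += max(0.0, rate - line_rate_mbps) * interval_s
    return dropped

# Constructed per-second rates (Mbit/s) for one gigabit full-duplex link.
LINE_RATE = 1000
SAMPLES = [(300, 150), (450, 400), (700, 600), (900, 950), (200, 100)]

if __name__ == "__main__":
    for s in SAMPLES:
        flag = "over 50%" if utilization(s, LINE_RATE) > 0.5 else "ok"
        print(f"{s}: {utilization(s, LINE_RATE):.1%} {flag}")
    print("mirror, no buffer :", mirror_drops(SAMPLES, LINE_RATE), "Mbit lost")
    print("mirror, 100 Mbit  :", mirror_drops(SAMPLES, LINE_RATE, 100), "Mbit lost")
    print("TAP, dual receive :", tap_drops(SAMPLES, LINE_RATE), "Mbit lost")
```

Feeding it real per-direction counters from the link in question shows whether a mirror port would have lost data during the busiest intervals; it does not model the physical-layer error packets that SPAN/mirror ports filter out regardless of load.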
The most critical parts of your network are almost by definition those that see the most traffic. If your network
includes a business-critical link (for example, the gigabit link that connects the customer service database to
the core switch), a TAP connected to a compatible probe or analyzer is the only way to ensure both complete
visibility and complete transparency to the network, regardless of how saturated with traffic the link becomes.
Monitoring wireless traffic
If you place an Ethernet Probe on a switch to which a wireless access point is connected, you will see the
legitimate wireless station traffic connected to your wired network. What you will not see are the 802.11 headers
crucial to understanding wireless-specific problems and security threats. You will also not be able to see rogue
access points, or illegitimate stations trying to associate with access points. In short, to see all RF signals on the
air at your site, you need a wireless probe. In fact, you usually need more than one such probe to see all of the
access points and stations (legitimate or illicit) deployed on the site.
Deciding where to place probes in your network
Knowing where you want visibility has an impact on the number and type of ports needed on your probe. This
must be decided prior to purchasing so that the proper number of TAPs and SFPs is included in the package
that is shipped to you.
Guaranteeing that every packet passing between every device on the network, errors and all, is available to your
analyzer is practically impossible on a network with multiple switches. It would require placing a TAP on every
link to each switch. Fortunately, you need only place probes where the traffic is significant enough to warrant
the expense, and a lot of traffic is not that critical.