We are checking into more efficient options of monitoring our network. Currently, we have GV HC2 receiving port-spanned traffic from our edge devices. Also connected to the HC2 is an AMD. Our network architect plans to remove port spans and mirroring from all devices. We are investigating if the AMD can accept and process syslogs in place of receiving "mirrored" traffic.
What other solutions have you used to remove mirror or port spans to capture data for the AMD's?
Thanks and God bless,
Ask your Network Architects how they expect to be able to monitor quality, quantity and content on the network. If they remove SPAN and MIRROR, they will also loose the ability to capture traffic for diagnosis or the ability to run IDS and IPS - but I guess they don't care as long as the network drawing looks good?
For yourself, you can always resort to use Netflow. But it's a poorer choice as you can't make very good use of the decodes (aka. being able to analyze and understand the payload) which is really the big value of DCRUM.
"More efficient" is a relative and sometimes dangerous term.
Yes, syslog is less network overhead than mirrors/spans to an AMD; however, syslog is also very significantly less insightful. It would be like the difference between analyzing a server's SSL/TLS operations with the CAS report, detailing the performance of individual URLs, and then trying to make the same analysis with the network display in Windows Task Manager. Yes, Windows Task Manager could be said to be "more efficient" because it uses less system and network overhead, but it does not remotely provide the insight that the AMD's analysis will provide
I don't know how they are performing their IDS and IPS functions, but I know they are in place.
What you provided is the type of specific information I need to further my case. Any other information (please include the humor - though I might not 😉 you or anyone else can provide, is very much appreciated.
Thanks and God bless,
Hi! Probably they find running ping tests from a server's shell also 'more efficient' than deploying a real network monitioring solution 😉
That said, I do see a point in stepping away from mirrors/spans, they do have their drawbacks, scale poorly and NetEngs tend not to be too fond of them. But then again, they are so easy to setup and deploy! And give a wealth of data, containing information gold.
But why step down if you can step up!? I am an advocate of (dedicated) monitoring networks and the use of network taps, virtual or physical, aggregation or regeneration taps, on fiber or copper.
Mind you, (old school?) network architects may have a thing again taps in their network too. Windmills I'm fighting at times. Using taps does have some significant benefits though, over span ports. And actually they should please the architects as well. No resources on network equipment, less outages, better insight and the possibility to filter what traffic to analyze.
To add a little to the humor, here are 4 good laughs I found in span versus tap usage:
Seriously, Tap's are a serious option if you compare and understand the use of Tap and Span Ports.
Which is, for anybody not fully familiar with these concepts, described quite eloquent in this PDF:
And since we are on topic, what about all those virtual server platforms? I do not mind selling a customer a range of (virtual) AMDs, but what if by using virtual taps, the costs and impact can be more likely to close a business case when they are significantly less?
Some more on TAPs versus SPAN if you are interested:
Of course you can always try to seek solution in analyzing netflow.
Or use the listings of the ping test's mentioned earlier 😉