[c-nsp] Network tap solution recommendations
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jan 8 02:51:02 EST 2013
On 01/07/2013 08:00 PM, Eugeniu Patrascu wrote:
> even call it web 1.0 on some places. I have no idea how much they
> cost,
Quite a lot, actually... the kit looks very nice, but the price was too
high for our limited application.
If you find yourself in the position of wanting to monitor a subset of
traffic due to throughput, you can make a "gigamon on the cheap" using a
decent switch and tap, like so:
1. Tap the link
2. Bring the taps into the switch
3. Create 2 vlans "a2b_tap" and "b2a_tap" and put them on the tap
ports untagged and the output port tagged
4. Disable learning on both vlans
5. Put ACLs on the tap input ports to filter traffic
Now, you can't do everything a gigamon can do, but it's a handy way to
bring traffic down to a level you can monitor. We use an Extreme SummitX
with 10gig ports to do this, which has the handy feature of letting you
set an output port with an ACL permit modifier - so you can send
different types of traffic to different analyzers. You can also pick an
output link aggregate and load-share. Judicious use of the sharing
algorithm (SRC xor DST) can ensure both directions of a conversation go
to the same analyzer.
Modify using VACL as appropriate for Cisco-land.
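The post's last point, that a SRC xor DST sharing algorithm keeps both directions of a conversation on the same analyzer, is easy to check with a small model. The following Python is an added illustration, not code from the original post or from any switch vendor: it models two load-sharing hash choices (a commutative src/dst XOR versus a source-address-only key) over a few constructed flows and shows which one lands A->B and B->A on the same member of an aggregate. Analyzer counts, addresses and ports are all made up for the example.

```python
"""Model of tap-output load sharing across an analyzer aggregate.

Added example for the thread above; the hash functions are simplified
models of a switch's sharing algorithm, not any vendor's real code.
"""
import ipaddress

# Number of analyzers hanging off the output aggregate (assumed value).
N_ANALYZERS = 4

# Constructed sample flows: (src_ip, dst_ip, src_port, dst_port).
SAMPLE_FLOWS = [
    ("10.0.0.1", "192.0.2.10", 51000, 443),
    ("10.0.0.2", "198.51.100.7", 40000, 22),
    ("10.0.0.3", "203.0.113.5", 33000, 53),
    ("10.0.0.4", "203.0.113.8", 1234, 80),
]


def ip_to_int(ip: str) -> int:
    """Convert dotted-quad (or IPv6) text to an integer for hashing."""
    return int(ipaddress.ip_address(ip))


def symmetric_hash(src_ip: str, dst_ip: str, sport: int, dport: int) -> int:
    """SRC xor DST style key: XOR is commutative, so swapping the
    endpoints (the reply direction) produces the identical value."""
    return ip_to_int(src_ip) ^ ip_to_int(dst_ip) ^ sport ^ dport


def source_only_hash(src_ip: str, dst_ip: str, sport: int, dport: int) -> int:
    """Source-address-only key: the reply direction has a different
    source, so the two halves of a conversation are hashed independently."""
    return ip_to_int(src_ip)


def pick_analyzer(key: int, n_analyzers: int = N_ANALYZERS) -> int:
    """Map a hash key to a member of the output aggregate."""
    return key % n_analyzers


def analyzers_for(hash_fn, flow, n_analyzers: int = N_ANALYZERS):
    """Return (forward_member, reverse_member) for one conversation."""
    src_ip, dst_ip, sport, dport = flow
    fwd = pick_analyzer(hash_fn(src_ip, dst_ip, sport, dport), n_analyzers)
    rev = pick_analyzer(hash_fn(dst_ip, src_ip, dport, sport), n_analyzers)
    return fwd, rev


def both_directions_same(hash_fn, flow, n_analyzers: int = N_ANALYZERS) -> bool:
    """True when request and reply reach the same analyzer."""
    fwd, rev = analyzers_for(hash_fn, flow, n_analyzers)
    return fwd == rev


def evaluate(hash_fn, n_analyzers: int = N_ANALYZERS):
    """Count how many sample conversations stay whole under hash_fn.

    Returns (conversations_kept_together, total_conversations).
    """
    kept = sum(both_directions_same(hash_fn, f, n_analyzers) for f in SAMPLE_FLOWS)
    return kept, len(SAMPLE_FLOWS)


if __name__ == "__main__":
    for name, fn in (("SRC xor DST", symmetric_hash), ("source only", source_only_hash)):
        kept, total = evaluate(fn)
        print(f"{name}: {kept}/{total} conversations kept on one analyzer")
        for flow in SAMPLE_FLOWS:
            fwd, rev = analyzers_for(fn, flow)
            print(f"  {flow[0]}:{flow[2]} <-> {flow[1]}:{flow[3]}  fwd={fwd} rev={rev}")
```

Under the XOR key every conversation stays whole; under the source-only key only a coincidental match (the last flow, where both addresses happen to fall in the same bucket) does, which is exactly the behaviour to look for when choosing the sharing algorithm on the real switch.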