msidnam asked:

Looking for a switch to do VLAN mirroring or port mirroring with several ports

Hello All,
We are looking at a product called LANGuardian. It's an agentless software that will allow us to track network traffic. The way it works is with port mirroring. My "gotcha", if you will, is that I have several physical servers that I would like to mirror as well, especially our shared storage. Currently we use Dell PowerConnect switches. They only allow for up to 4 source ports. I would probably need close to 30, maybe more. Someone mentioned to me Cisco Catalyst, HP or 3Com. I am not familiar with them so I am in the dark and was hoping someone else has done something similar and can recommend a switch that will do what I need. I've also been told that VLAN mirroring should work but I'm getting different explanations on what that really is.
max_the_king

Hi,
I use Cisco Catalyst to do this, although I do not use LANGuardian (I use CAPSA), and it works really well.
Here is a link with full explanation

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swspan.html

Also, be aware that Cisco models will vary in price depending on whether you want gigabit (1000) ports or FastEthernet ports (10/100).

hope this helps
max
msidnam (ASKER)

Thank you. Do you monitor several ports on one switch or do you use the VLAN mirroring?

I see mirroring (SPAN) on a switch as a secondary function, and not something a switch was designed to do. I suspect that's why many switches are limited to only a few concurrent mirroring sessions.

If you need to monitor a large number of ports, you may want to consider network taps instead, which obviously do not impact the network switch.
Hi msidnam,
I monitor all the ports of the switch through the one that I choose to redirect the mirror to, and I even span across multiple switches.
Basically you need to choose one port that listens to all the others and sends the results to the software that analyzes the traffic, in your case LANGuardian. Please note that when you do a mirror of the port, that port is really not accessible on the network, because it just listens to all the traffic: this means, in other words, that you can reach the LANGuardian machine only on its console, and not by any other means (RDP, remote access, and the like).

hope this helps
max
msidnam (ASKER)

I have a demo of the LANGuardian working; it just seems that if I need to monitor more than 4 physical servers I may have issues.
Hi,
this is from the LANGuardian website:
http://www.netfort.com/languardian/architecture
It seems you shouldn't have problems mirroring multiple ports.
It may be a limitation of your trial version.

Port monitoring
Most network core switches have the ability to copy network traffic from one port on the switch to another. This feature, which is called port monitoring or port mirroring, enables LANGuardian to capture traffic data for analysis.

Port monitoring is given different names by different switch vendors:

    On a Cisco Systems switch, port monitoring is called Switched Port Analyzer (SPAN). You will often see references in the documentation to a SPAN port.
    On 3Com switches, it is called a Roving Analysis Port (RAP).
    The documentation for HP switches uses the term trunk monitoring.

Configuring a monitoring port on your switch involves the following steps:

    Identify an unused switch port to designate as a monitoring port for LANGuardian.
    Identify the switch ports you want to monitor (these are often called source ports).
    Configure the switch to associate the source ports with the monitoring port.

The switch will send a copy to the monitoring port of all data flowing through the source ports. LANGuardian captures the data from the monitoring port for analysis. The actual data itself is not affected and there is no performance impact.

max
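
The three steps quoted above, written out as Cisco Catalyst SPAN configuration in both the port-based and the VLAN-based form discussed in this thread. This is an added example, not part of the original posts or of the vendor documentation they link to; the interface numbers and VLAN ID 10 are assumptions.

```cisco
! Added example. Interface numbers and VLAN ID 10 are assumed values.
!
! --- Port-based SPAN: list the source ports explicitly ---
configure terminal
 ! Clear any earlier definition of session 1.
 no monitor session 1
 ! Source ports: a range, both directions.
 ! IOS expects a space before and after the hyphen in the range.
 monitor session 1 source interface gigabitethernet0/1 - 20 both
 ! Monitoring (destination) port that the analyzer's capture NIC plugs into.
 monitor session 1 destination interface gigabitethernet0/24
end
!
! --- VLAN-based SPAN: use the VLAN as the source instead of ports ---
configure terminal
 no monitor session 1
 ! Every port that is a member of VLAN 10 becomes a source.
 ! rx only: a frame switched between two ports in the VLAN is copied
 ! once on ingress, not a second time on egress.
 monitor session 1 source vlan 10 rx
 monitor session 1 destination interface gigabitethernet0/24
end
!
! Check what the switch accepted.
show monitor session 1
```

The destination port has only one port's worth of bandwidth, so when the combined traffic of the sources exceeds it, the switch drops mirrored copies and the analyzer sees an incomplete capture.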
msidnam (ASKER)

I guess my biggest question is: will the Cisco Catalyst (or another switch) be able to monitor more than 20 ports at a time to one destination port?

I have the LANGuardian configured and working with no problem. However, my Dell 6248P can only monitor 4 ports and I have around 15 or more physical servers that I want monitored, including the router, which will grab anything on the edge.
ASKER CERTIFIED SOLUTION
max_the_king