Overcoming Challenges with SPAN and TAP limitations

How I overcame a challenge with limited SPAN sessions on a Cisco switch.

About a week ago I taught an IPS class. It’s one of my favorite classes to teach. One of the topics that I cover is how to configure a SPAN port. For those of you unfamiliar with what a SPAN session is, let me explain. Essentially a SPAN or Switchport Analyzer Port is designed to copy the traffic from one port to another. I’ve linked you to a detailed document on the Cisco Web Site for you to read more about SPAN. Some want to simply copy traffic to the port that the IPS is watching, in the traditional IDS promiscuous model. There are, however, a number of drawbacks to this model. One of those drawbacks is that you usually only have a limited number of SPAN sessions that you can configure on a switch. I ran into a situation where I had two SPAN sessions already configured, one to a packet analyzer and one to a production IPS, but I needed to span traffic to yet another IPS for some testing I was doing. My Problem: No More SPAN Sessions.
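Before adding another session it helps to know how many are already configured. The following is an added example, not code from the original post: it parses the `monitor session` lines of a constructed Cisco IOS running-config excerpt and checks whether a free session slot remains under a limit you supply (the limit value is a placeholder, since the real maximum depends on the switch model).

```python
"""Count the SPAN sessions already configured on a Cisco IOS switch.

Added example, not from the original post. It parses the ``monitor session``
lines of a constructed running-config excerpt and reports whether another
session would fit under the platform's session limit. The limit is a
placeholder argument: look up the real value for your switch model.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed running-config excerpt: two sessions already in use, as in the post
# (one to a packet analyzer, one to the production IPS).
SAMPLE_CONFIG = """\
!
monitor session 1 source interface Gi1/0/1 - 24
monitor session 1 destination interface Gi1/0/48
monitor session 2 source vlan 100
monitor session 2 destination interface Gi1/0/47
interface GigabitEthernet1/0/47
 description to production IPS
!
"""

SESSION_RE = re.compile(r"^monitor session (\d+) (source|destination) (.+)$")


def parse_span_sessions(config: str) -> dict[int, dict[str, list[str]]]:
    """Group the source/destination lines of each SPAN session by session id."""
    sessions: dict[int, dict[str, list[str]]] = defaultdict(
        lambda: {"source": [], "destination": []}
    )
    for line in config.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sid, role, target = m.groups()
            sessions[int(sid)][role].append(target)
    return dict(sessions)


def can_add_session(config: str, limit: int) -> bool:
    """True if at least one SPAN session slot is still free under ``limit``."""
    return len(parse_span_sessions(config)) < limit


if __name__ == "__main__":
    for sid, parts in sorted(parse_span_sessions(SAMPLE_CONFIG).items()):
        print(f"session {sid}: sources={parts['source']} dest={parts['destination']}")
    print("free slot with limit 2:", can_add_session(SAMPLE_CONFIG, limit=2))
```

Run against `show running-config | include monitor session` output from your own switch to see the sessions in use before planning a third one.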

So in my searching for solutions I came in contact with a company named Anue Systems. Anue Systems is a provider of Network Emulation and Monitoring Optimization solutions. So how do they help with my issue? Basically they aggregate tap & SPAN port traffic & distribute it to monitoring tools that are defined in their appliance. What does this do for me? I can now SPAN traffic to that third IPS sensor without configuring another SPAN session on the switch. So basically, Problem Solved! In the image below I actually added the IPS to NTO and simply dragged a connection from the Server Farm VLAN to the Sensor. Now this traffic is sent to the IPS, the Niksun NetVCR, and OPNET App Monitor.

Adding IPS

So for what I needed the Network Tool Optimizer (NTO) did the trick. I can also think of a few other areas where this could be useful.

Scenario #1. A Monitoring Tool Goes Down. The NTO could automatically re-route network traffic to a second data recorder in the event the primary data recorder goes down.

Scenario #2. Perhaps I could integrate it with an NMS that monitors interface utilization. I could have the management system trigger an automation script to sniff packets on the interface that spiked. Since I’ve been playing with Solarwinds lately I know this is totally feasible.

Scenario #3. Have my IPS notify the NTO when a signature that I really want to track fires and then have NTO multicast traffic to both the IPS and a packet capture tool like Wireshark. I could just as easily have the IPS do IP logging, but why not offload it directly to the packet capture tool?

In short I can see a number of uses for the NTO, and there are a lot of little things about the NTO that really impress me. At this point here is how I see it:

The NTO can help to:

  • Prevent monitoring tool oversubscription
  • Monitor 10G networks with 1G tools
  • Auto-direct suspicious traffic to security appliances
  • Optimize storage on data recorders
  • Aggregate tap & SPAN port traffic & distribute it to my monitoring tools

I like the drag-and-drop interface. If this were more complex I would have downloaded it, installed it, and moved on. This was easy and I didn’t have to spend much time at all performing tasks that are probably much more complex under the hood.

I’d recommend taking a look at NTO if you do a lot with monitoring and face some of the challenges that I have. They have a free download that will let you demo the box but it’s actually an appliance. I’ll also be doing some more detailed posts as I play with it more, over on my personal blog at http://globalconfig.net.

Copyright © 2010 IDG Communications, Inc.
