Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Can my dss monitor multiple vlan in a multilayer switch?
- Thread starter ciscomeo
- Start date
Can you clarify a bit more? Are you looking to monitor all the VLAN traffic coming into and out of the switch to which the Gig Sniffer is presently connected? If that's the case you should consider putting a tap into that connecting link. Best to use a conventional tap (not the aggregation type). If you're trying to include internal switch conversations occuring within the switch that the Sniffer is attached to.... can't you just set up the source port to include the appropriate VLAN's? The dilemma in any case is going to be the possibility o fillignthe buffer of the Gig Sniffer too rapidly if these are active VLAN's. You'll need to look at doing some filtering first and try to narrow you captures down to specific types of traffic. Also - worth noting - VLAN tag's are visible through a tap and that makes it easier to filter just for specific VLAN's when using a tap for network access. SPAN/Mirror ports discard them. IIRC, setting up the SPAN port as a trunking port is the way around that challenge but someone with more experience will need to weigh on on this to clarify.
Owen O'Neill
Datacom Systems Inc.
Northeastern SE
Owen O'Neill
Datacom Systems Inc.
Northeastern SE
- Thread starter
- #3
Actually, I want to monitor all VLAN traffic coming in and out of the multiple layer switch thru the syskonnect then report to the npo. My setup is like this, instead of using tap i connected syskonnect to xyratex then to the switch port (Ge). So network traffic from switch will pass thru xyratex then syskonnect then back to xyratex again then to switch, just a pass thru traffic right?
So do you mean that you're actually passing the traffic from a trunked link through the monitor card and the capture card? In other words, are you actually using the Sniffer "in-line" so that all traffic passes through it?
If so, I should think that no filters would be necessary and you would set up the Gig card as though you were connected to a SPAN port. Again - I'm not sure I understand how you're doing this but there are a few things to consider....
1) It would be very easy to oversubscribe the capacity of the Xyratex card to really capture all that pass through if there's moderately high utilization levels on the link
2) If in fact you are using the Sniffer as an in-line device on an actual network link it represents a significant potential point of failure. Unlike optical fiber taps which are totally passive and fault tolerant or other types of taps that have power fault tolerance schemes, using a Sniffer in-line means that if it loses power you lose the link.
Owen O'Neill
Datacom Systems Inc.
Northeastern SE
If so, I should think that no filters would be necessary and you would set up the Gig card as though you were connected to a SPAN port. Again - I'm not sure I understand how you're doing this but there are a few things to consider....
1) It would be very easy to oversubscribe the capacity of the Xyratex card to really capture all that pass through if there's moderately high utilization levels on the link
2) If in fact you are using the Sniffer as an in-line device on an actual network link it represents a significant potential point of failure. Unlike optical fiber taps which are totally passive and fault tolerant or other types of taps that have power fault tolerance schemes, using a Sniffer in-line means that if it loses power you lose the link.
Owen O'Neill
Datacom Systems Inc.
Northeastern SE
- Thread starter
- #5
If that what it means (in-line), yes and yes my set up is from trunklink to monitor card to capture card.
Can you elaborate further regardig item no.1? i am a bit confused on the oversubscribe thing.
For item no. 2 i'am not concern about the physical power i am more concern on the traffic i am generating. the validity of the report.
Can you elaborate further regardig item no.1? i am a bit confused on the oversubscribe thing.
For item no. 2 i'am not concern about the physical power i am more concern on the traffic i am generating. the validity of the report.
You asked
"i am a bit confused on the oversubscribe thing."
The term "oversubscription" is typically used to refer to a SPAN or mirror port that has too much traffic copied to it, for example, when a busy VLAN or VLAN's have traffic that greatly exceeds the 1 gig output capacity of the mirror port.
In these instances the internal buffer or queuing of the network switch will begin discarding packets when it is full - switches have a prioritization built into their design to ensure that real data traffic takes priority over the copied data going to mirror ports.
If you're using the Sniffer in an in-line capacity you'll most likely see all or most of the monitoring stat info that represents what really happend on the link (the limitation being the capacity of the PC to write to disc quickly enough).
With the Xyratex capture card the potential dilemma is it can only hold a limited amount of info in its buffer. I don't recall the exact amount but think it may be 512 meg per side of the conversation or a total of 1 Gig - perhaps less on older generation cards. This means that without proper filtering you may fill the card with captured data so quickly that the duration of your capture will be extremely brief - quite possibly only a few seconds or slightly more. If you are attemtping to isolate and solve an intermittent problem this may be far too short a capture.
Owen O'Neill
Datacom Systems Inc.
Northeastern SE
"i am a bit confused on the oversubscribe thing."
The term "oversubscription" is typically used to refer to a SPAN or mirror port that has too much traffic copied to it, for example, when a busy VLAN or VLAN's have traffic that greatly exceeds the 1 gig output capacity of the mirror port.
In these instances the internal buffer or queuing of the network switch will begin discarding packets when it is full - switches have a prioritization built into their design to ensure that real data traffic takes priority over the copied data going to mirror ports.
If you're using the Sniffer in an in-line capacity you'll most likely see all or most of the monitoring stat info that represents what really happend on the link (the limitation being the capacity of the PC to write to disc quickly enough).
With the Xyratex capture card the potential dilemma is it can only hold a limited amount of info in its buffer. I don't recall the exact amount but think it may be 512 meg per side of the conversation or a total of 1 Gig - perhaps less on older generation cards. This means that without proper filtering you may fill the card with captured data so quickly that the duration of your capture will be extremely brief - quite possibly only a few seconds or slightly more. If you are attemtping to isolate and solve an intermittent problem this may be far too short a capture.
Owen O'Neill
Datacom Systems Inc.
Northeastern SE
- Thread starter
- #7
With my current setup what can you advise/suggest me to do? My objective generate valid network traffic report in a multiple vlan/multi-layer switch. Can you also advise on the proper filtering? Do you know what is the difference between and ip traffic and an ipx traffic, i am bit confused in this reports. I am using NPO as my reporting tool.
Thanks,
Diesel
Thanks,
Diesel
I'm afraid I'll have to defer to folks with more hands on experience than I have. Much of this I know and understand from the theoretical side by virtue of my job as a sales engineer but my practical expeirnec is limited. I have also been away from hands-on work with Sniffers for nearly three years and am a bit rusty.
If you are using a Sniffer try spending a few hours or more going through their Help files in the Sniffer interface. Unlike oxymoronic products like Microsoft Help, the Sniffer help screens are chock full of really good information that is helpful and easy to digest - just type in "filtering" and start reading! In addition to simly filtering for a particular VLAN you may choose to set filters for looking only at certain protocols or subsets of those protocols.
IPX is a proprietary Novell protocol (Internet Packet Exchange)that is increasingly less common but still in use on some networks.
Owen O'Neill
Datacom Systems Inc.
Northeastern SE
If you are using a Sniffer try spending a few hours or more going through their Help files in the Sniffer interface. Unlike oxymoronic products like Microsoft Help, the Sniffer help screens are chock full of really good information that is helpful and easy to digest - just type in "filtering" and start reading! In addition to simly filtering for a particular VLAN you may choose to set filters for looking only at certain protocols or subsets of those protocols.
IPX is a proprietary Novell protocol (Internet Packet Exchange)that is increasingly less common but still in use on some networks.
Owen O'Neill
Datacom Systems Inc.
Northeastern SE
- Status
Similar threads
