We are looking for a switch or a device that we can use for mirroring tap
ports. For example , take a mirror port off of a core router say a 6509,
connect it to a port on said device, say port 1. I would like then to be
able to mirror port 1 on said device to multiple ports, like port 2 , 3,
4. We have the need to analyze traffic from one port on multiple devices.
Seems most switches are limited to mirroring to a max of 1 or 2 ports.
We've had very good success using Brocade MLX's for this very thing
(actually, might be older XMRs, but should be same platform at this point).
Check out the transparent-hw-flooding command under a VLAN. It basically
turns off mac learning, and just floods it on the vlan's member ports.
If you want to be creative and say split out port 80 traffic to one port
and the rest to another, you can use policy based routing to change the
destination VLAN for just tcp/80 traffic.
If you want to have many different inputs going to many different outputs
some with PBR, some without, then you may have to get very creative and use
cables coming out of one port on the box and going back into another port.
We're using this successfully with multiple 10GE ports.
Take a look at VACLs on the Cat side. It has a capture feature that is
effectively the same as a local SPAN, but without the 2 session limit. If
you do a lot of RSPAN though, this wouldn't be your complete answer (VACL
captures are local only). VACLs are a bit more granular in defining what's
captured, if say for example you only wanted traffic destined to TCP/80,
you could configure it that way.
We are looking for a switch or a device that we can use for mirroring tap
ports. For example , take a mirror port off of a core router say a 6509,
connect it to a port on said device, say port 1. I would like then to be
able to mirror port 1 on said device to multiple ports, like port 2 , 3,
4. We have the need to analyze traffic from one port on multiple devices.
Seems most switches are limited to mirroring to a max of 1 or 2 ports.
How about splitting up a heavy stream (10G) into components (1G) to run through an
inline device and reassemble the pieces back to an aggregate afterward?
TippingPoint makes a "core controller" box for this but it's pretty hideously expensive.
Could do it with two 6500s but that's pretty hideously expensive as well
Gigamon has a new product offering that claims to do this (their sales guys just met with me a few days ago and gave me a update on their latest offerings).
It's the G-Secure-<something or other>.
We're using the 2404's so I don't have any experience with it.
We're doing something similar - VACLs (using the "redirect" action) with
port-channel destinations on a span aggregation 650x. If you've got a
spare 650x chassis lying around and your configuration requirements
aren't terribly complex/dynamic, you can do monitoring with filtering
and load-balancing at high-throughput on it.
Thus spake Jeff Kell (jeff-kell@utc.edu) on Thu, Mar 01, 2012 at 10:22:29AM -0500:
How about splitting up a heavy stream (10G) into components (1G) to run through an
inline device and reassemble the pieces back to an aggregate afterward?
Sounds like a perfect job for a commodity switch that supports OpenFlow.
NetOptics has some very nice gear ; take a look at the Director series with aggregation, load balancing and filtering based on physical port, ip, protocol, etc.
