TAP Into Network Analysis

Too often, solution providers get a frantic call from their customers with problems—sluggish performance, lost packets, misdirected traffic—with no effective troubleshooting mechanisms in place to identify and solve the issues. Nowadays, most networking equipment collects statistics and generates logs. With proper analysis tools, a clear image of the current state of network traffic emerges from the bewildering array of data.

Managing a network means dealing with an extensive to-do list. The list includes securing the network from attacks, preventing data leaks, monitoring for performance as well as assets, recording traffic and ensuring regulatory compliance.

Analyzing the data is not just another chore on the list, because the insights gleaned actually help accomplish the other tasks. Being aware of normal traffic and usage patterns will help identify unusual activity, which may be a precursor to an attack. An application taking up the most bandwidth and resources can be optimized for performance or rescheduled to run when traffic loads are lower. An application that should be running, but isn't, would be identified before a user flags the problem (by then, it's too late).

Understanding how applications vary in traffic usage, such as video vs. data, can help make decisions about network upgrades. For this Solutions that Work, CRN Test Center spoke with Chuck Hagerty, president and CEO of West Chester, Pa.-based DataPlus, on how to implement a network-analysis solution. DataPlus partners with a variety of vendors, including Network Critical.

The conversation centered on using network traffic access points (TAPs) and network analyzers. While analyzers, such as sniffers and probes, are the key components of a network analytics solution, they are worthless without proper data collection. This is where the TAP comes in. Before any device can analyze traffic to monitor security, compliance or performance, it has to have access to 100 percent of the traffic data.

Previously, Switched Port for Analysis (SPAN) technology was commonly used to look at network traffic. Hagerty pointed out its limitations. While SPAN ports can copy traffic from any or all data ports to a single unused port for monitoring, they show only "clean" traffic, he said. SPAN ports drop packets that are corrupt or below the minimum frame size, so not all of the network traffic passes through. An analyzer looking at the traffic as it comes from the SPAN port doesn't have a complete view of the traffic, and so cannot tell why there are problems. SPAN ports remain popular, however, because they are a standard feature on modern switches, such as those from Cisco Systems. Some switch families, such as the Cisco 3500 series, don't give SPAN traffic a lower priority than production traffic, so mirroring can also affect network speeds. Finally, SPAN ports drop the virtual LAN (VLAN) tag information. If the network contains VLANs, an analyzer fed from a SPAN port will never see a VLAN-related issue.

A TAP, on the other hand, is nonintrusive because it doesn't drop any corrupt packets, or lose frames when bandwidth is overloaded. A TAP can see VLAN tag information, so a network with VLANs can be monitored using a TAP.

Customers approach solution providers because they're looking for an unrestricted view into their critical network connections. Solution providers can offer the guarantee that a TAP is showing everything happening on the network, without any modification or filtering. A TAP sits between the router and the LAN link, seeing all the data as it is received and transmitted. TAP vendors include Fluke Networks, Network Critical and NetOptics.
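The difference Hagerty describes between a SPAN feed and a TAP feed can be checked from the analyzer side, which is also the "compare transmitted against received" check the conclusion asks for. The following Python script is an added example, not code from the article or from any vendor named in it: it parses constructed Ethernet frames, flags the three things a SPAN port hides (undersized frames, frames with a bad frame check sequence, and 802.1Q VLAN tags), models the SPAN behaviour described above as a simple filter, and reports the gap between what was on the wire and what the analyzer received. The frame bytes, MAC addresses and the SPAN model are constructed for illustration; in practice the wire-side reference would be a TAP capture or the switch's interface counters.

```python
"""Capture-completeness audit: what does a monitoring feed show versus the wire?

All frames here are constructed test data, not captures from a real network.
"""
import struct
import zlib

MIN_FRAME_LEN = 64          # IEEE 802.3 minimum frame size, FCS included
ETHERTYPE_VLAN = 0x8100     # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vlan_id=None, corrupt_fcs=False):
    """Assemble dst | src | [802.1Q tag] | ethertype | payload | FCS.

    The FCS is CRC-32 over everything before it, transmitted least
    significant byte first, which zlib.crc32 plus little-endian packing gives.
    """
    hdr = dst + src
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    hdr += struct.pack("!H", ethertype)
    body = hdr + payload
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    if corrupt_fcs:
        fcs ^= 0xFFFFFFFF       # deliberately wrong check sequence (constructed)
    return body + struct.pack("<I", fcs)


def audit_frame(frame):
    """Flag the things a SPAN port hides: runts, bad FCS, 802.1Q tags."""
    info = {"len": len(frame), "runt": len(frame) < MIN_FRAME_LEN,
            "fcs_ok": False, "vlan": None, "ethertype": None}
    if len(frame) < 18:                     # too short for header plus FCS
        return info
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    info["fcs_ok"] = (zlib.crc32(body) & 0xFFFFFFFF) == fcs
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype == ETHERTYPE_VLAN:
        tci = struct.unpack("!H", body[14:16])[0]
        info["vlan"] = tci & 0x0FFF         # low 12 bits of the TCI are the VLAN ID
        ethertype = struct.unpack("!H", body[16:18])[0]
    info["ethertype"] = ethertype
    return info


def audit_capture(frames):
    """Summarise a capture the way a coverage check would report it."""
    summary = {"total": 0, "runt": 0, "fcs_error": 0, "vlan_tagged": 0}
    for frame in frames:
        info = audit_frame(frame)
        summary["total"] += 1
        summary["runt"] += int(info["runt"])
        summary["fcs_error"] += int(not info["fcs_ok"])
        summary["vlan_tagged"] += int(info["vlan"] is not None)
    return summary


def simulate_span(frames):
    """Model of the SPAN behaviour the article describes: undersized and
    corrupt frames are dropped and the VLAN tag is stripped.  A model for
    comparison only, not an emulation of any particular switch."""
    fed = []
    for frame in frames:
        info = audit_frame(frame)
        if info["runt"] or not info["fcs_ok"]:
            continue
        if info["vlan"] is not None:
            body = frame[:12] + frame[16:-4]        # drop the 4-byte 802.1Q tag
            frame = body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
        fed.append(frame)
    return fed


def coverage_gap(wire_frames, feed_frames):
    """What the analyzer never saw: wire summary minus feed summary."""
    wire, feed = audit_capture(wire_frames), audit_capture(feed_frames)
    return {key: wire[key] - feed[key] for key in wire}


# Constructed sample traffic: one clean frame, one VLAN-tagged frame,
# one runt and one frame with a corrupt FCS.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
SAMPLE_WIRE = [
    build_frame(DST, SRC, ETHERTYPE_IPV4, b"A" * 46),                    # 64 bytes, clean
    build_frame(DST, SRC, ETHERTYPE_IPV4, b"B" * 46, vlan_id=100),       # 68 bytes, tagged
    build_frame(DST, SRC, ETHERTYPE_IPV4, b"C" * 20),                    # 38 bytes, runt
    build_frame(DST, SRC, ETHERTYPE_IPV4, b"D" * 46, corrupt_fcs=True),  # bad FCS
]

if __name__ == "__main__":
    span_feed = simulate_span(SAMPLE_WIRE)
    print("wire:     ", audit_capture(SAMPLE_WIRE))
    print("SPAN feed:", audit_capture(span_feed))
    print("gap:      ", coverage_gap(SAMPLE_WIRE, span_feed))
    print("TAP gap:  ", coverage_gap(SAMPLE_WIRE, SAMPLE_WIRE))
```

Applied to the same capture on both sides, coverage_gap() returns all zeros, which is what a TAP feed should give; any non-zero entry means the monitoring feed is not the full traffic, and the analyzer's conclusions about loss, corruption or VLAN placement will be drawn from incomplete data.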

Investigate
When a customer calls DataPlus for help in testing and monitoring the network, the engineers stop and ask questions. The investigation helps engineers understand the problem and determine whether the solution falls under the company's area of expertise. Engineers ask questions to probe what the customer needs from the network, what kind of applications are running and what the customer is seeing. It's important to understand what is in the network—the number of terminals and users, whether it's a Gigabit core, the WAN and LAN setup—in order to select necessary equipment. Learning what the customer is expecting to see happen is almost as important as knowing the exact problems the customer is seeing on the network. Depending on the kind of answers the customer gives, engineers can schedule a face-to-face meeting at the customer site to discuss the solution in greater detail.

At the meeting, customers can draw a rough map of how the network looks on a whiteboard, or demonstrate the actual issues and setup. Performing the investigation themselves to learn the customer's network is critical at this point, Hagerty said. The meeting presents a clear picture of the situation so that consultants and engineers don't get blindsided later on. "I tell my engineers, 'Don't go out there without knowing the client or you waste a day,'" he said.

Solution providers should keep in mind that there may be cases where throwing analysis products at a problem won't solve it. "Too many times, we get a call where they can't even get into the network," Hagerty said. It matters where this kind of analysis equipment is connected to the network. Merely plugging it in at any old place will not give accurate or complete data.

It's important to understand the customer's switching infrastructure. While troubleshooting the network shouldn't depend on the switches in place, the troubleshooting group often does not have configuration access to the switch to make changes. A separate out-of-band solution like a network TAP means monitoring can be added to the network without touching the switch configuration.

Choose The Products
The products the solution provider chooses depend on what's in the network. There are products that are best optimized for 10-Mbit networks, and others for 10-Gbit. The speed of the network matters, as well as the size of the data center. Network Critical offers a range of portable TAP appliances, from purely passive units that are used in the field for troubleshooting to configurable TAPs capable of Gigabit aggregation.

If the customer doesn't already have an analyzer, the solution provider should bundle one in with the TAPs. The protocol analyzer takes the data coming from the TAPs to understand what is happening. There are a variety of analyzer solutions, including forensic monitoring, sniffers and probes, e-mail and spam filtering, intrusion detection and intrusion prevention, and VoIP-analysis tools. ClearSight Networks is an example of a vendor offering sniffers. Fluke Networks also offers analyzers that can work with its TAP appliances.

All Network Critical TAP products are plug-and-play modules and are compatible with equipment from any vendor, Hagerty said. Network Critical also offers a ConneX chassis for its portable TAP units. Network Critical TAP appliances are fairly affordable, Hagerty added, with products in the $300 range.

Since a TAP can handle traffic over both copper and optical fiber, it can be used in essentially any Ethernet network. While it generally sits between the router and LAN link, connecting to both with ordinary RJ-45 cables, there is no limit to the number of appliances that can be installed. The actual number deployed depends entirely on customer preferences—such as having a separate unit for each switch or hub on the network.

Customers may have multiple devices on the network watching the same traffic. It's not necessary to buy a TAP for each device, although there is nothing stopping the customer from doing so. Solution providers can point out that most TAPs can output traffic to multiple devices without degrading the traffic or losing packets.

While the focus of this piece is on network TAPs, hubs are actually decent replacements in a 10/100 half-duplex (HDX) environment, though not on Gigabit links. There are some issues associated with using a hub, but it's an alternative for quick and temporary access. This is particularly the case for end-terminus analysis. Issues like an auto-negotiate mismatch between the switch and the server can be easily solved with a hub.

Easy as 1-2-3
The out-of-band device has uninterrupted visibility into network traffic with no competition for access, and no effect on network flow. The TAP appliance should be plugged in at the edge of the perimeter.

Installing a TAP is as easy as changing batteries in a flashlight, according to Hagerty. The TAP is slightly larger than a pack of cigarettes, measuring about 5 inches all around. As soon as the appliance is connected to the router and LAN link, a process that takes less than five minutes, it's up and running.

In a situation where multiple monitoring tools are in use instead of multiple TAPs, solution providers can deploy TAPs with aggregation capabilities. Aggregation TAPs can also take advantage of filtering and multirule mapping.

Network Critical's CriticalTAP is an aggregation TAP with two LC Optical connectors for the production network and two RJ-45 ports for monitoring tools. With this box, the two network streams can be monitored separately or combined into a single stream. The combined traffic is replicated and available through both RJ-45 ports, so each monitoring tool plugged into the box can see the traffic data from both production networks.

Having the combined data available on both RJ-45 ports means on-site maintenance is now possible. The overall monitoring tool can be plugged into one port to examine the packets and find any issues. In a setup situation, where not all the equipment is up, or configurations need to be tested, being able to troubleshoot from the second port can save time.

There's a lot of flexibility in using the aggregation TAP. Traffic can be customized to fit each monitoring tool. One tool might need the aggregated traffic in front of the firewall and the other might want the traffic behind the firewall. Another tool might focus on a subset of servers. An aggregation TAP such as Network Critical's CriticalTAP can easily accommodate all of these customizations.
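The per-tool customization described above amounts to a rule set per monitoring port. The following Python is an added example that is not Network Critical's firmware or configuration syntax: it models multirule mapping on an aggregation TAP, where each monitoring port carries a list of rules (which tapped link, optionally which subnets) and every packet is replicated to every port whose rules accept it, and it reports any packets that no port would receive. The port names, the links "A" (in front of the firewall) and "B" (behind it), the subnets and the packets are all constructed for illustration.

```python
"""Multirule mapping on an aggregation TAP (constructed example).

Port names, tapped links, subnets and packets are hypothetical.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    link: str    # tapped production link the packet came from: "A" or "B"
    src: str
    dst: str


class Rule:
    """Accept packets from the given links, optionally restricted to subnets."""

    def __init__(self, links, subnets=()):
        self.links = frozenset(links)
        self.subnets = tuple(ipaddress.ip_network(s) for s in subnets)

    def matches(self, pkt):
        if pkt.link not in self.links:
            return False
        if not self.subnets:
            return True
        addrs = (ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst))
        return any(a in net for a in addrs for net in self.subnets)


def map_traffic(packets, port_rules):
    """Replicate each packet to every monitoring port whose rules accept it.

    This is replication, not routing: one packet may appear on several
    ports, and a port's list is the stream the tool plugged into it sees.
    """
    seen = {port: [] for port in port_rules}
    for pkt in packets:
        for port, rules in port_rules.items():
            if any(rule.matches(pkt) for rule in rules):
                seen[port].append(pkt)
    return seen


def uncovered(packets, port_rules):
    """Packets no monitoring port would receive: blind spots in the mapping."""
    return [p for p in packets
            if not any(r.matches(p) for rules in port_rules.values() for r in rules)]


# Constructed sample: link "A" is in front of the firewall, "B" behind it.
PACKETS = [
    Packet("A", "203.0.113.5", "198.51.100.10"),
    Packet("B", "10.0.1.20", "10.0.5.7"),
    Packet("B", "10.0.9.3", "10.0.1.21"),
    Packet("A", "198.51.100.10", "10.0.1.20"),
]

# Hypothetical mapping: one tool per monitoring port.
PORT_RULES = {
    "mon1": [Rule({"A"})],                          # tool wanting traffic in front of the firewall
    "mon2": [Rule({"B"})],                          # tool wanting traffic behind the firewall
    "mon3": [Rule({"A", "B"}, ("10.0.1.0/24",))],   # tool watching one server subnet on both links
}

if __name__ == "__main__":
    for port, pkts in map_traffic(PACKETS, PORT_RULES).items():
        print(port, [(p.link, p.src, p.dst) for p in pkts])
    print("blind spots:", uncovered(PACKETS, PORT_RULES))
```

Running uncovered() against the final rule set is the check worth keeping: a mapping that looks complete on the whiteboard can still leave a link or subnet that no tool ever sees.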

Analyze
With the analyzer in place looking at the network data in its entirety, the information needs to be organized in a meaningful manner. Setting service quality definitions to assess things based on performance and behavior helps solution providers identify issues other than device availability and status. Problems related to user behavior can be flagged immediately and fixed before the end user even notices.

AppCritical, from Vancouver, Canada-based Apparent Networks, presents information in a point-and-click interface. AppCritical can identify certain conditions, such as the loss of a WAN connection or gateway, or pinpoint the cause of degradation in call quality. The application performs analysis, but instead of just generating graphs, it can also present suggested solutions. For example, the application may suggest changing the duplex setting from half-duplex to full-duplex.

ClearSight Networks offers both stand-alone and distributed versions of its Analyzer product. The distributed version allows multiple sites to be monitored simultaneously, either individually or in aggregate. The application can drill down for details without opening multiple windows. The default interface displays a summary graphic view of all active and inactive protocol sessions. Unknown protocols are categorized as generic traffic.

Fluke Networks has two analyzer products, OptiView and Link Analyzer, that can be used to monitor the network. OptiView automatically detects and identifies problems, such as loss of a gateway or a specific endpoint. The tool also detects degradation on a packet loss level. Link Analyzer can send alarms and escalate notifications when the network reaches predefined conditions.
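Service quality definitions of the kind described at the start of this step, and the predefined-condition alarms mentioned for Link Analyzer, can be expressed as threshold rules over per-interval link statistics. The following Python is an added example, not the logic of AppCritical, ClearSight Analyzer, OptiView or Link Analyzer: it evaluates each interval against hypothetical thresholds, compares current bandwidth with the baseline formed by earlier intervals (the "normal pattern" the introduction recommends knowing), and escalates when the same non-ok severity persists for several consecutive intervals. The metric names, thresholds, escalation count and sample intervals are all constructed.

```python
"""Service-quality evaluation and alarm escalation over per-interval link
statistics (constructed example; metrics, thresholds and data are hypothetical).
"""
from statistics import mean, pstdev

# Hypothetical service quality definition: (metric, comparison, threshold, severity).
SERVICE_QUALITY = [
    ("loss_pct", ">", 1.0, "warning"),
    ("loss_pct", ">", 5.0, "critical"),
    ("latency_ms", ">", 150.0, "warning"),
    ("gateway_reachable", "==", False, "critical"),
]

SEVERITY_RANK = {"ok": 0, "warning": 1, "critical": 2}


def worse(a, b):
    """The more severe of two severity levels."""
    return a if SEVERITY_RANK[a] >= SEVERITY_RANK[b] else b


def evaluate_interval(sample, definitions=SERVICE_QUALITY):
    """Check one interval's statistics against every definition.

    Returns the highest severity reached and the list of rules that fired.
    """
    severity, reasons = "ok", []
    for metric, op, threshold, level in definitions:
        value = sample[metric]
        fired = value > threshold if op == ">" else value == threshold
        if fired:
            reasons.append(f"{metric}={value!r} {op} {threshold!r} -> {level}")
            severity = worse(severity, level)
    return severity, reasons


def baseline_anomaly(history, current, k=3.0):
    """True when `current` lies more than k standard deviations from the
    mean of earlier intervals; needs at least two history points."""
    if len(history) < 2:
        return False
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return current != mu
    return abs(current - mu) / sigma > k


def run(samples, repeat=3, k=3.0):
    """Evaluate intervals in order; mark an alarm escalated once a non-ok
    severity has held for `repeat` consecutive intervals."""
    results, streak, last = [], 0, "ok"
    for i, sample in enumerate(samples):
        severity, reasons = evaluate_interval(sample)
        history = [s["bps"] for s in samples[:i]]       # earlier intervals form the baseline
        if baseline_anomaly(history, sample["bps"], k):
            reasons.append("bps outside baseline")
            severity = worse(severity, "warning")
        streak = streak + 1 if severity == last else 1
        last = severity
        results.append({
            "index": i,
            "severity": severity,
            "escalated": severity != "ok" and streak >= repeat,
            "reasons": reasons,
        })
    return results


# Constructed one-minute interval statistics for a single WAN link.
SAMPLES = [
    {"loss_pct": 0.1, "latency_ms": 40.0, "gateway_reachable": True, "bps": 10.0e6},
    {"loss_pct": 0.2, "latency_ms": 45.0, "gateway_reachable": True, "bps": 11.0e6},
    {"loss_pct": 0.1, "latency_ms": 42.0, "gateway_reachable": True, "bps": 10.5e6},
    {"loss_pct": 2.0, "latency_ms": 50.0, "gateway_reachable": True, "bps": 10.0e6},
    {"loss_pct": 2.5, "latency_ms": 60.0, "gateway_reachable": True, "bps": 10.0e6},
    {"loss_pct": 3.0, "latency_ms": 160.0, "gateway_reachable": True, "bps": 10.0e6},
    {"loss_pct": 6.0, "latency_ms": 200.0, "gateway_reachable": False, "bps": 0.0},
]

if __name__ == "__main__":
    for r in run(SAMPLES):
        flag = " ESCALATED" if r["escalated"] else ""
        print(f"interval {r['index']}: {r['severity']}{flag} {r['reasons']}")
```

The escalation counter is what keeps a single noisy interval from paging anyone, while the baseline comparison catches the case the thresholds alone miss: a link that is technically healthy but suddenly carrying far less (or far more) traffic than it normally does.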

Conclusion
Solution providers helping customers analyze the network face two tasks. The first step is to ensure all network data and traffic is visible, regardless of where it is and its quality. This is where a TAP, such as Network Critical's CriticalTAP solution, comes in. The second step is to use an analyzer tool to look at the complete data to diagnose problems and identify fixes. A complete solution should be able to compare what it knows about the transmitted packets and the received packets.