[CentOS] What about port mirroring? (Was: Switch to measure traffic at IP level)

2009-10-23 Thread Neil Aggarwal
Hello everyone:

I was just reading an ntop guide and it mentioned
many switches have port mirroring.

According to what I am reading, the Cisco I am using
will copy all traffic to the mirror port.  Then,
I can monitor what is going on from there.

That seems like a good way to do this.

Are there any pitfalls with this approach?

Would ntop be a good tool for it?

I would like to graph total bytes in and out
as well as 95% usage on an IP address level.
I would like daily, weekly, and monthly graphs.

Thanks,
Neil

--
Neil Aggarwal, (281)846-8957, www.JAMMConsulting.com
Will your e-commerce site go offline if you have
a DB server failure, fiber cut, flood, fire, or other disaster?
If so, ask about our geographically redundant database system. 

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] What about port mirroring? (Was: Switch to measure traffic at IP level)

2009-10-23 Thread John R Pierce
Neil Aggarwal wrote:
> Hello everyone:
>
> I was just reading an ntop guide and it mentioned
> many switches have port mirroring.
>
> According to what I am reading, the Cisco I am using
> will copy all traffic to the mirror port.  Then,
> I can monitor what is going on from there.
>
> That seems like a good way to do this.
>
> Are there any pitfalls with this approach?
   

yeah, a 1gig port can't handle all the traffic from N 1gig ports.  heck,
it can't even handle all the traffic from a single full duplex connection

btw, someone mentioned NTOP... I played with this and found it can 
consume a LOT of cpu calculating statistics on the fly.




Re: [CentOS] What about port mirroring? (Was: Switch to measure traffic at IP level)

2009-10-23 Thread Larry Brigman
On Fri, Oct 23, 2009 at 9:14 AM, Neil Aggarwal n...@jammconsulting.com wrote:
> Hello everyone:
>
> I was just reading an ntop guide and it mentioned
> many switches have port mirroring.
>
> According to what I am reading, the Cisco I am using
> will copy all traffic to the mirror port.  Then,
> I can monitor what is going on from there.
>
> That seems like a good way to do this.
>
> Are there any pitfalls with this approach?

Yes.  Doing all traffic unless the switch is very lightly loaded could
saturate the mirror port.
The other pitfall is that you would need a high network performance
nic/host set to capture that info.


> Would ntop be a good tool for it?
>
> I would like to graph total bytes in and out
> as well as 95% usage on an IP address level.
> I would like daily, weekly, and monthly graphs.

SNMP monitoring of the switch could get you these details without port mirroring.


Re: [CentOS] What about port mirroring? (Was: Switch to measure traffic at IP level)

2009-10-23 Thread nate
Neil Aggarwal wrote:

> Are there any pitfalls with this approach?

Performance is the biggest one. Port mirroring often
involves the CPU, and is really not built for scaling.
If your traffic levels are very low it may work fine.
Port mirroring is often a low priority task so if the
switch is busy it will drop packets on the mirror
to try to ensure availability on the normal ports.

If you have Cisco gear they have NetFlow which is
similar to sFlow but NetFlow is often a software service
so has performance impact as well, depending on the
precise equipment you're using.

> Would ntop be a good tool for it?

Looks like ntop has nProbe which can collect data from a
mirrored port, put it in a NetFlow packet and send it to
ntop or another collector device.

So it really depends on the scale you're operating at,
if it's only 1 server with say less than 1Gbit/s of
throughput you're probably OK. If it's more, sFlow is
the only thing that can scale to very high data rates
and still be cost effective as it's implemented in the
hardware of the switches.

The Extreme X350 for example is a very budget minded
gigabit switch, not much layer 3, or stacking, online
pricing puts it in the $2000 range for 48 GbE, and has
hardware sFlow -
http://www.extremenetworks.com/products/summit-x350.aspx

Optional 10GbE (even 10GbaseT for 10GbE over CAT5/6/6a)
as well.

Can go to the high end which is roughly triple the price
though offers quite a bit more features.

nate




Re: [CentOS] What about port mirroring? (Was: Switch to measure traffic at IP level)

2009-10-23 Thread Neil Aggarwal
> yeah, a 1gig port can't handle all the traffic from N 1gig ports.  heck,
> it can't even handle all the traffic from a single full duplex connection

That is a good point.  My traffic is light right now
so I might be able to use it until the traffic grows.

Thanks,
Neil



Re: [CentOS] What about port mirroring? (Was: Switch to measure traffic at IP level)

2009-10-23 Thread Les Mikesell
Neil Aggarwal wrote:
>> yeah, a 1gig port can't handle all the traffic from N 1gig ports.  heck,
>> it can't even handle all the traffic from a single full duplex connection
>
> That is a good point.  My traffic is light right now
> so I might be able to use it until the traffic grows.

What kind of internet bandwidth do you have - that's going to be a limiting
factor anyway.  I've had some trouble keeping ntop running for long intervals
but there are ways to database collected results so you could restart it
without losing data.  I'm not sure if it has a 95th percentile calculation,
but it can summarize in a lot of other ways.

-- 
   Les Mikesell
lesmikes...@gmail.com
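
The per-IP totals and 95th-percentile figure asked about in this thread can be computed from polled byte counters without relying on the monitoring tool to do it. The following is an added example, not code from any poster or from ntop; it assumes 5-minute polls of 32-bit cumulative octet counters, uses the common "discard the top 5% of samples" convention, and the address and counter values are constructed.

```python
COUNTER_MAX = 2**32   # assumption: 32-bit octet counters that wrap to zero

def deltas(readings):
    """Cumulative counter readings -> bytes moved in each poll interval."""
    out = []
    for prev, cur in zip(readings, readings[1:]):
        d = cur - prev
        if d < 0:               # counter wrapped once between two polls
            d += COUNTER_MAX
        out.append(d)
    return out

def percentile_95(values):
    """Sort, discard the top 5% of samples, return the highest one left."""
    if not values:
        return 0
    ordered = sorted(values)
    rank = (95 * len(ordered) + 99) // 100   # integer ceil(0.95 * n)
    return ordered[rank - 1]

def summarize(readings_by_ip, interval_s=300):   # assumption: 5-minute polls
    """Per-IP totals plus 95th-percentile and peak rates in bits/s."""
    report = {}
    for ip, (rx, tx) in readings_by_ip.items():
        rx_d, tx_d = deltas(rx), deltas(tx)
        report[ip] = {
            "bytes_in": sum(rx_d),
            "bytes_out": sum(tx_d),
            "p95_in_bps": percentile_95(rx_d) * 8 // interval_s,
            "p95_out_bps": percentile_95(tx_d) * 8 // interval_s,
            "peak_in_bps": max(rx_d, default=0) * 8 // interval_s,
        }
    return report

def build_counter(start, per_interval):
    """Constructed sample data: the readings a poller would have seen."""
    readings = [start]
    for nbytes in per_interval:
        readings.append((readings[-1] + nbytes) % COUNTER_MAX)
    return readings

# Constructed sample: 20 intervals, one inbound burst, start value forces a wrap.
SAMPLE = {"192.0.2.10": (
    build_counter(COUNTER_MAX - 10_000_000, [3_000_000] * 19 + [300_000_000]),
    build_counter(1_000, [1_500_000] * 20),
)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

With 20 samples the single burst interval falls in the discarded top 5%, so the inbound 95th percentile stays at the steady rate while the peak shows the burst. A counter that wraps more than once between polls cannot be recovered this way, which is why a busy gigabit port needs 64-bit counters or a shorter poll interval.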