virtual network taps and port mirroring

Port mirroring is the capability on a network switch to send aImage copy of network packets seen on a switch port to a network-monitoring device connected to another switch port. Port mirroring is also referred to as Switch Port Analyzer (SPAN).



Here is a quick summary of various network monitoring options available for virtual infrastructure.

VMware vSphere ESXi Distributed Virtual Switch

In VMware vSphere 5, a Distributed Switch provides a similar port mirroring capability that is available on a physical network switch. After a port mirror session is configured with a destination—a virtual machine, a vmknic or an uplink port—the Distributed Switch copies packets to the destination.

Cisco Nexus 1000v Virtual Switch

The N1Kv switch from Cisco supports Microsoft Hyper-V, VMware vSphere ESX, Citrix Xen Server, and Linux Kernel-Based Virtual Machine (KVM) on Red Hat and Ubuntu.

The Switched Port Analyzer (SPAN), Encapsulated Remote SPAN (ERSPAN), and NetFlow Version 9 features allow network traffic to be analyzed by a network analyzer such as a Cisco SwitchProbe or other Remote Monitoring (RMON) probe.

SPAN lets you monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports where the network analyzer is attached.

Cisco Nexus 1000V Essential Edition includes a free 60-day trial of Cisco Nexus 1000V Advanced Edition. With a single command you can unleash the full potential of Cisco Nexus 1000V Advanced Edition. Installation is simple. After installing Cisco Nexus 1000V Essential Edition type ‘svs switch edition advanced’ in your switch console. This unlocks the full feature set, and provides you complete access to Advanced Edition capabilities.




A simple networking tapping application created to illustrate SDN and OpenFlow (1.0) basic functionality.

Ixia NetOptics

  • Ixia purchased netoptics in 2013 –


BigSwitch Networks Big Tap Monitoring Fabric

Virtualized Application Visibility with Big Tap Monitoring Fabric

As the shift from traditional networking to SDN-based hyperscale networking take place in enterprise and cloud provider data centers, security and network operations teams still require granular visibility to applications. Application visibility is important for the purpose of application response time measurements, application troubleshooting, application security monitoring (against advanced persistent threats), etc. To achieve application visibility, customers deploy a separate monitoring infrastructure. Typically, network engineers leverage optical network TAPs and/or SPAN sessions on physical switches to mirror production-network traffic and forward it to the monitoring infrastructure (such as Big Switch’s Big Tap Monitoring Fabric). With a high degree of virtualization in data centers — 70% or more workloads virtualized in many cases — complete visibility to virtual machine traffic also becomes paramount.

Consider an application, such as a 3-tier workload, that is distributed across both virtual and physical environments; for example, web and app tiers are virtualized but the database tier resides on a physical server. If these web and app VMs are in the same network segment (e.g. VLAN) and are residing on the same server, then the network traffic between the two may never traverse the physical network (so will not traverse the TAP or physical switch SPAN port). When it comes to application visibility, both physical and virtual workloads need to be first-class citizens. How do we monitor this VM-to-VM traffic within a server?

Some vendors provide a special-purpose VM appliance for tapping VM-to-VM traffic, but that’s quite intrusive and cost prohibitive. Given that a data center can have thousands of virtualized servers, deploying and managing a “tapping VM” on each virtualized server adds tremendous cost and operational complexity as well as impacts CPU performance. Instead a simpler, zero-cost way to enable VM-level monitoring is by leveraging traffic replication capability native to a hypervisor’s virtual switch. Modern hypervisor vSwitches support the Remote SPAN (RSPAN) feature, which allows vSwitch SPAN traffic to be encapsulated in a VLAN. This vSwitch-created RSPAN traffic can traverse the upstream physical network onto monitoring network for VM-level visibility analysis.

To illustrate this further, consider the VMware vSphere 5.5 based virtualized environment shown in the figure below:

With RSPAN configured for vDS-1 (via VMware vCenter), all traffic between the Web-A VM and App-A VM is replicated on VLAN 10 and sent to the server pNIC.
Upon exiting the server pNIC, the RSPAN traffic traverses physical network (e.g. Top of Rack switch, possibly aggregation switch — depending on the physical network topology) towards the Big Tap Monitoring Fabric.
Big Tap Monitoring Fabric aggregates and filters vSwitch-generated RSPAN traffic from vSwitches as well as physical switches and optical TAP, and forwards flows-to-be-monitored to monitoring tools.
If a packet modification function — such as packet slicing — is required, Big Tap can forward associated flows through one or more Network Packet Brokers (NPBs) before they are sent to the tools. Big Tap treats NPBs as service nodes and creates a logical service chain of NPBs on a per-policy basis. Since NPBs are no longer utilized for volume aggregation and filtering, their services can be leveraged in a highly efficient manner.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s