Read 09 301 - jserpa-p/lisbon-ops-301n1_Reading GitHub Wiki
Traffic Mirroring
Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of type interface
Port mirroring
Port mirroring, also known as SPAN, is a method of monitoring network traffic which forwards a copy of each incoming and/or outgoing packet from one (or several) port(s) (or VLAN) of a switch to another port where the analysis device is connected. Port mirroring can be managed locally or remotely.
- Disadvantages:
  - It can consume significant CPU resources while active
  - There is a risk of not receiving some packets (such as media errors)
  - In the case of traffic congestion at the switch level, port mirroring is likely to drop some traffic (because the SPAN process does not have priority)
- Advantages:
  - Low cost
  - Can be configured remotely through IP or Console port
  - The only way to capture intra-switch traffic
  - A good way to capture traffic on several ports at once
Network TAP
A network TAP (Terminal Access Point) is a hardware device which can passively capture traffic on a network. It is commonly used to monitor the traffic between two points in the network. If the network between these two points consists of a physical cable, a network TAP may be the best way to capture traffic. The network TAP has at least three ports: an A port, a B port, and a monitor port.
- Disadvantages:
  - The device may require two listening interfaces on the analysis device
  - Costly
  - No visibility on intra-switch traffic
  - Not appropriate for the observation of a narrow traffic range
- Advantages:
  - No risk of dropped packets
  - Monitoring of all packets
  - Provides full visibility, including congestion situations
Logs and Monitoring
Traffic Logs are used to identify traffic flows and view traffic summaries from routers, switches, firewalls, etc. They can be very detailed, showing every flow from every device, and they are also important for storing information about past events. Audit Logs are often more specific than general traffic logs, answering questions like "what did they do?" or "when did they do it?". Syslog is a standardized protocol for retrieving every single log from every single device.
Interface errors
Runts are frames shorter than 64 bytes; they usually mean that a collision occurred. Giants are frames longer than 1518 bytes. CRC errors, also known as Frame Check Sequence (FCS) errors, usually indicate a bad cable or interface. Encapsulation errors are caused by inconsistent configurations between switches.
Environmental sensors
When you’re working with a data center or a computer room, you also have to be concerned about the environment. There are many different variables that can affect the overall health and availability of the network.
- Temperature
- Humidity level
- Electrical
- Flooding (when you use water as part of the cooling system)
Netflow
NetFlow allows you to gather statistics and details from the raw traffic traversing the network and there are many different ways to collect this data.
- Probe: sits out on the network, sometimes as part of a tapped connection, or it may be receiving traffic from a switched port analyzer (SPAN) connection, and it watches all of the packets traverse the network. It gathers those details and exports all of that NetFlow traffic back to a central NetFlow collector.
- Collector: can create detailed reports of everything that has been seen over time. This allows you to get extensive information on what may be occurring on the network, such as the type of conversations, the endpoints communicating, the applications in use, and much more.
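The probe/collector exchange described above, as an added example that is not part of this wiki page: the probe side packs a NetFlow v5 export datagram (the standard 24-byte header plus 48-byte records), and the collector side validates it, decodes the records and totals bytes per conversation, which is the raw material for the reports mentioned above. All flow values are constructed sample data.

```python
"""Minimal NetFlow v5 probe -> collector round trip (added example)."""
import struct
from collections import Counter
from ipaddress import IPv4Address

# NetFlow v5 wire layout (big-endian): 24-byte header, then 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")               # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in/out if, pkts, octets, first, last, ports, ...

def pack_export(flows, uptime_ms=120_000, unix_secs=1_700_000_000, seq=0):
    """Probe side: build one v5 export datagram from
    (src_ip, dst_ip, src_port, dst_port, proto, packets, octets) tuples (constructed values)."""
    header = HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    records = b"".join(
        RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                    1, 2, pkts, octets, uptime_ms - 5_000, uptime_ms,
                    sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets in flows)
    return header + records

def parse_export(datagram):
    """Collector side: check the header is v5 and the length matches the record
    count before trusting any field, then yield one dict per flow record."""
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("not a well-formed NetFlow v5 datagram")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        yield {"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
               "pkts": f[5], "octets": f[6], "sport": f[9], "dport": f[10], "proto": f[13]}

def summarise(datagram):
    """Collector report: total bytes per (src, dst, proto, dst_port) conversation,
    i.e. which endpoints talked and on which application port."""
    per_conversation = Counter()
    for rec in parse_export(datagram):
        per_conversation[(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += rec["octets"]
    return per_conversation

if __name__ == "__main__":
    sample = [("10.0.0.5", "10.0.0.80", 51000, 443, 6, 10, 4000),   # constructed HTTPS flow
              ("10.0.0.5", "10.0.0.80", 51001, 443, 6, 5, 1000),    # same conversation, new source port
              ("10.0.0.9", "10.0.0.53", 40000, 53, 17, 1, 80)]      # constructed DNS flow
    for conv, total in summarise(pack_export(sample)).items():
        print(conv, total)
```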