Mar 13, 2009 (08:03 PM EDT)
Network Monitoring Tools Face Off
Read the Original Article at InformationWeek
As enterprise networks expand--particularly Gigabit Ethernet and 10 Gigabit Ethernet networks--while budgets stay tight, IT departments need to make the most of the application monitors, security devices, and protocol analyzers they already own. More organizations are turning to network monitoring switches for help with this, because they can cost-effectively monitor 10-Gb networks using 1-Gb tools. These switches direct network traffic and connect, convert, aggregate, and filter data to probes and protocol analyzers. They document the monitoring process without touching the network wiring plant. This mean existing tools can be shared, and network changes are minimized.
In short, network monitoring switches save money while promoting stability.
Both Gigamon's GigaVue and Anue's 5200 can switch and filter packets at wire speed, in Layer 2 to 4, in any-to-any port combinations. For example, a single 10-Gb port from a network tap can be filtered on source and destination network addresses and sent to one or many tools connected to output ports. The reverse is also possible: Switched Port Analyzer ports can be filtered and sent to a single port connected to a protocol analyzer.
Both vendors offer switches in roughly the same packages: 1-Gb and 10-Gb models that support a range of copper and fiber configurations, including small form-factor pluggable connectors. Both Anue's and Gigamon's switches support a mix of 1-Gb and 10-Gb ports in 24-port densities. The 1-Gb versions support as many as four 10-Gb ports with the rest being 1 Gb, and the 10-Gb versions can support 24 10-Gb ports.
But there are some key differences as well. Gigamon's offering sports a command-line interface (CLI) that allows in-depth tool configuration. Gigamon also enables multiple GigaVue switches to be linked in a master/slave configuration, creating a fabric of monitoring that can be addressed as if all were a single box. This interswitch topology can be daisy-chained or configured as a hub and spoke to reduce the number of hops traffic has to take and create a scalable system in dense deployments.
The interface difference will diminish or disappear in the future: Anue says it intends to add a CLI or API for automation later this year, most likely in Tool Command Language. And Gigamon says it plans to add a GUI to its switches. For organizations that can't wait, Gigamon is probably a better fit if they have network configuration experts on site and need to automate network monitoring in complex data centers. Anue is likely the better choice for companies that don't need an entire monitoring fabric.
Anue's flexible per-port licensing may be more economical, because IT doesn't have to pay for ports that won't be used. The base configuration Anue 5204 1-Gb box with four ports licensed is $17,000; the 5236 10-Gb box with four ports starts at $25,000. Licenses to activate additional ports are $800 per port for both models. Gigamon's basic GigaVue-420 (with four 1-Gb ports) lists for $14,995; the 10-Gb GigaVue-2404 (with eight 10-Gb and four 1-Gb ports) has a list price of $45,000. Each GigaVue supports four expansion slots, with various copper/fiber options and network taps for passive monitoring.
The process of setting Layer 2-4 filters is both the most important function of a network monitoring switch and the biggest difference between the Anue and Gigamon offerings.
Creating a simple filter that matches IP source and destination, or TCP and HTTP ports, is a straightforward process with both systems. However, management interfaces--Gigamon's CLI approach versus Anue's GUI--make all the difference in the time it takes to use each vendor's offering. Anue requires only dragging a line between two port objects within the GUI, which then pops up a filter dialog. You fill in the fields as prompted. The interface also includes mouse-over tips and contact-sensitive help.
Creating the same type of filter within Gigamon takes a couple of additional steps as well as mastery of the CLI's syntax. GigaVue users might need to budget some time with the user manual to ensure that they can access the switch's full benefits.
We found that generating sample filters using either switch wasn't much of a challenge in tests, but watching Internet traffic was. Like many organizations, we monitor the Internet for performance, diagnostic, and security reasons, using a variety of tools. Our three WAN ISPs are fed by four router ports with potentially asynchronous routes, so we need to combine these streams to ensure that we see all the traffic and filter it into high and low IP address ranges to balance the load on our monitoring tools.
Gigamon's Map feature combines filters, which can then be applied across multiple network traffic ports. Organizations can direct this combined and filtered traffic to specific tools without overrunning the bandwidth of their interfaces. However, we spent the better part of four hours and some trial and error to get the map and its filters defined and applied.
That said, we found Map to be a powerful problem-solver if you're facing complex collection and filtering snarls, and it's reusable on other interfaces, so it's worth the extra effort up front.
In addition, Anue's Smart Filtering supports Boolean and "and/or" filters, including compound "or" and "and" combinations for complex selections. You don't need to worry about the order of a filter statement, as you would with an access control list or firewall rule.
Note that with power comes responsibility--Gigamon can put filters on incoming network ports or outgoing tool ports; however, if you're not careful, this could affect what traffic reaches each tool.
We tested a beta version of Gigamon's GUI and found it as easy to use as Anue's. Further, because the GUI is a Java applet, rather than a full-blown Java application, Gigamon won't require an installation on the desktop, meaning it can be used on any machine. However, this also means some functionality, like contextual right clicks for menus, won't be as rich.
The Gigamon GUI should make building filters a much faster process and will still let power users create the filter configuration in the CLI format behind the scenes.
Bruce Boardman is senior networking engineer at Syracuse University. Write to us at firstname.lastname@example.org.