TechWeb

Network Monitoring Tools Face Off

Mar 13, 2009 (08:03 PM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=215801974


As enterprise networks expand--particularly Gigabit Ethernet and 10 Gigabit Ethernet networks--while budgets stay tight, IT departments need to make the most of the application monitors, security devices, and protocol analyzers they already own. More organizations are turning to network monitoring switches for help with this, because they can cost-effectively monitor 10-Gb networks using 1-Gb tools. These switches direct network traffic and connect, convert, aggregate, and filter data to probes and protocol analyzers. They document the monitoring process without touching the network wiring plant. This mean existing tools can be shared, and network changes are minimized.

In short, network monitoring switches save money while promoting stability.

Competition's Building
Gigamon Systems, the first vendor to introduce a network monitoring switch, has had the market to itself for almost four years. But now Gigamon has serious competition from established network emulation vendor Anue Systems. And there will probably be more: This doubling of options foretells an onslaught because these specialized switches are increasingly necessary pieces of networking equipment.

InformationWeek Reports

Both Gigamon's GigaVue and Anue's 5200 can switch and filter packets at wire speed, in Layer 2 to 4, in any-to-any port combinations. For example, a single 10-Gb port from a network tap can be filtered on source and destination network addresses and sent to one or many tools connected to output ports. The reverse is also possible: Switched Port Analyzer ports can be filtered and sent to a single port connected to a protocol analyzer.

Both vendors offer switches in roughly the same packages: 1-Gb and 10-Gb models that support a range of copper and fiber configurations, including small form-factor pluggable connectors. Both Anue's and Gigamon's switches support a mix of 1-Gb and 10-Gb ports in 24-port densities. The 1-Gb versions support as many as four 10-Gb ports with the rest being 1 Gb, and the 10-Gb versions can support 24 10-Gb ports.

But there are some key differences as well. Gigamon's offering sports a command-line interface (CLI) that allows in-depth tool configuration. Gigamon also enables multiple GigaVue switches to be linked in a master/slave configuration, creating a fabric of monitoring that can be addressed as if all were a single box. This interswitch topology can be daisy-chained or configured as a hub and spoke to reduce the number of hops traffic has to take and create a scalable system in dense deployments.

DIG DEEPER
The Switch Is In
Switch architectures can engineer higher-efficiency networks, but not overnight.
Anue supports interswitch connections, so a network attached to one box can be monitored by a tool connected to another. The Anue switches don't support a single point of management. On the other hand, they have a GUI that's much easier to configure and understand than the GigaVue CLI.

The interface difference will diminish or disappear in the future: Anue says it intends to add a CLI or API for automation later this year, most likely in Tool Command Language. And Gigamon says it plans to add a GUI to its switches. For organizations that can't wait, Gigamon is probably a better fit if they have network configuration experts on site and need to automate network monitoring in complex data centers. Anue is likely the better choice for companies that don't need an entire monitoring fabric.

The Essentials
Network Monitoring Tools
  Anue 5200 Gigamon GigaVue
GUI Yes No
API No Yes, CLI
10 Gb Up to 24 ports per switch Up to 24 ports per switch
Multibox support Yes, as separate boxes Yes, as single box
Filtering Multilevel Boolean Input and output port maps
Pricing 5204 starts at $17,000;
5236 starts at $25,000
GigaVue-420 starts at $14,995;
GigaVue-2404 starts at $45,000




Price Points
Anue's flexible per-port licensing may be more economical, because IT doesn't have to pay for ports that won't be used. The base configuration Anue 5204 1-Gb box with four ports licensed is $17,000; the 5236 10-Gb box with four ports starts at $25,000. Licenses to activate additional ports are $800 per port for both models. Gigamon's basic GigaVue-420 (with four 1-Gb ports) lists for $14,995; the 10-Gb GigaVue-2404 (with eight 10-Gb and four 1-Gb ports) has a list price of $45,000. Each GigaVue supports four expansion slots, with various copper/fiber options and network taps for passive monitoring.

The process of setting Layer 2-4 filters is both the most important function of a network monitoring switch and the biggest difference between the Anue and Gigamon offerings.

Creating a simple filter that matches IP source and destination, or TCP and HTTP ports, is a straightforward process with both systems. However, management interfaces--Gigamon's CLI approach versus Anue's GUI--make all the difference in the time it takes to use each vendor's offering. Anue requires only dragging a line between two port objects within the GUI, which then pops up a filter dialog. You fill in the fields as prompted. The interface also includes mouse-over tips and contact-sensitive help.

Creating the same type of filter within Gigamon takes a couple of additional steps as well as mastery of the CLI's syntax. GigaVue users might need to budget some time with the user manual to ensure that they can access the switch's full benefits.

We found that generating sample filters using either switch wasn't much of a challenge in tests, but watching Internet traffic was. Like many organizations, we monitor the Internet for performance, diagnostic, and security reasons, using a variety of tools. Our three WAN ISPs are fed by four router ports with potentially asynchronous routes, so we need to combine these streams to ensure that we see all the traffic and filter it into high and low IP address ranges to balance the load on our monitoring tools.

Gigamon's Map feature combines filters, which can then be applied across multiple network traffic ports. Organizations can direct this combined and filtered traffic to specific tools without overrunning the bandwidth of their interfaces. However, we spent the better part of four hours and some trial and error to get the map and its filters defined and applied.

That said, we found Map to be a powerful problem-solver if you're facing complex collection and filtering snarls, and it's reusable on other interfaces, so it's worth the extra effort up front.

Our Take
Anue 5200 Aggregator
  • Easy-to-use GUI speeds up network monitoring tasks
  • Flexible configuration options can save companies money on licensing fees
  • It filters a wide range of traffic
  • Its lack of an API means customers will need bridging software, which will add to the total cost
Gigamon GigaVue
  • Gigamon earns its market-leader status with strong monitoring features and a wide array of configuration options
  • CLI is automation-friendly, once you get the hang of it
  • Switch handles high-density environments with one-box address and single point of management
  • Gigamon has promised a GUI option, so CLI-shy organizations may want to wait before buying
Anue's Smart Filtering feature, on the other hand, took all of 10 minutes to perform the same task in our tests. We enabled our ports and connected them with a mouse drag. Once the resulting filter dialog was filled out, we right-clicked a clone and had all the tools connected to all our Internet traffic. No manual reading required for the same power and flexibility--just a lot less time invested.

In addition, Anue's Smart Filtering supports Boolean and "and/or" filters, including compound "or" and "and" combinations for complex selections. You don't need to worry about the order of a filter statement, as you would with an access control list or firewall rule.

Note that with power comes responsibility--Gigamon can put filters on incoming network ports or outgoing tool ports; however, if you're not careful, this could affect what traffic reaches each tool.

We tested a beta version of Gigamon's GUI and found it as easy to use as Anue's. Further, because the GUI is a Java applet, rather than a full-blown Java application, Gigamon won't require an installation on the desktop, meaning it can be used on any machine. However, this also means some functionality, like contextual right clicks for menus, won't be as rich.

The Gigamon GUI should make building filters a much faster process and will still let power users create the filter configuration in the CLI format behind the scenes.

Bruce Boardman is senior networking engineer at Syracuse University. Write to us at iweekletters@techweb.com.