Fluke Networks: Mirror Port (SPAN/Mirror) and OptiView Analyzer

Source: Internet
Author: User

Background
Switching technology is now widely used. In recent years, as switch prices have steadily fallen, it has become feasible for companies around the world to deploy switching all the way to the desktop. Although switching gives end users considerable bandwidth, it makes fault diagnosis and monitoring more difficult, especially when protocol analyzers are used.
How the switch works
When a monitoring device is connected to a switch, the switch treats it the same way as any other host. After the switch learns the MAC address of the host connected to a port, it forwards frames addressed to that MAC address only to that port. If the switch does not know which port the destination host is connected to, it forwards the frame to all ports. Similarly, broadcast frames are sent to all ports. Because the switch works this way, a host connected to a switch port receives only broadcast frames, unicast frames addressed to that host, and frames whose destination address is unknown to the switch. This limited set of frames does not give a monitoring device enough data. The monitoring device cannot even see unicast frames exchanged between two other ports on the same switch.
Diagnosis in a switched environment
In fact, many switch manufacturers are aware of this problem and build diagnostic functions into their switches. Several of these features are familiar to everyone, including port mirroring (spanning). It lets us designate a port as a mirror port and copy all data frames flowing through one or more specified ports to this mirror port.
As shown in figure 1, the OptiView analyzer is connected to a configured switch port and receives copies of all data frames sent to host A or sent by host A. In this way, we can use the OptiView analyzer to capture all the conversation data between host A and host B. The OptiView analyzer is connected to a mirror port. The communication between host A and host B is not affected by the mirror port.
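The forwarding rules and the mirror port described above can be reproduced with a toy model. This is an added example, not Fluke Networks or vendor code; the port numbers, MAC addresses and payload strings are constructed, and the mirror port is modelled as receive-only.

```python
# Toy learning switch with one mirror (SPAN) destination port.
# All port numbers, MAC addresses and payloads are constructed for illustration.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, ports, mirror_sources=(), mirror_dest=None):
        self.ports = set(ports)
        self.mac_table = {}                      # learned MAC -> port
        self.mirror_sources = set(mirror_sources)
        self.mirror_dest = mirror_dest           # receive-only in this model
        self.seen = {p: [] for p in ports}       # frames delivered to each port

    def receive(self, in_port, src, dst, payload):
        frame = (src, dst, payload)
        self.mac_table[src] = in_port            # learn where the sender lives
        if dst != BROADCAST and dst in self.mac_table:
            out = {self.mac_table[dst]} - {in_port}   # known unicast: one port
        else:
            # Broadcast or unknown destination: flood to every ordinary port.
            out = self.ports - {in_port, self.mirror_dest}
        for port in out:
            self.seen[port].append(frame)
        # Copy frames entering or leaving a mirrored source port to the mirror port.
        touches_source = in_port in self.mirror_sources or out & self.mirror_sources
        if self.mirror_dest is not None and touches_source:
            self.seen[self.mirror_dest].append(frame)
        return out

def run_capture():
    """Host A on port 1, host B on port 2, an ordinary monitoring host on
    port 3, and the analyzer on mirror port 4 (mirroring port 1)."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], mirror_sources=[1], mirror_dest=4)
    a, b, unknown = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    sw.receive(1, a, BROADCAST, "ARP who-has B")   # broadcast: flooded
    sw.receive(2, b, a, "ARP reply")               # A is known: port 1 only
    sw.receive(1, a, b, "request")                 # B is known: port 2 only
    sw.receive(2, b, a, "response")
    sw.receive(2, b, unknown, "to unknown host")   # never learned: flooded
    ordinary = [payload for _, _, payload in sw.seen[3]]
    mirrored = [payload for _, _, payload in sw.seen[4]]
    return ordinary, mirrored

if __name__ == "__main__":
    ordinary, mirrored = run_capture()
    print("ordinary port 3 sees:", ordinary)
    print("mirror port 4 sees:  ", mirrored)
```

The ordinary port receives only the broadcast and the flooded unknown-destination frame, while the mirror port receives the whole A/B conversation.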

Mirror port limitations
One major problem is that the OptiView analyzer cannot access the network through the mirror port when it is connected to one. Because switch designs differ between manufacturers, on some switches a port set as a mirror port only lets the attached device receive data, while on others the device can both receive and send. Whether the OptiView analyzer can send data into the mirror port therefore depends on which switch it is connected to.
As shown in figure 2, the traffic between host A and host B is mirrored to the OptiView analyzer. All of it is copied to the analyzer, but the analyzer cannot send data to the switch.
Discovering the network requires sending a large amount of query data onto it. Most mirror ports do not allow the connected device to send any data to the network. In this case, the OptiView analyzer cannot discover the network or query the hosts on it. Similarly, the OptiView remote user interface cannot be used, because the analyzer cannot respond to queries at this time. A user can send data to the OptiView analyzer but will not receive a response from it.
Some manufacturers' switches can be set to accept data frames sent back into the mirror port. Ports mirrored this way retain their original port function: the switch still accepts the frames sent from the port and forwards them. The difference is that a large amount of mirrored traffic also flows to the port. Not all switches support this feature, and the results vary greatly between manufacturers and between settings.
In addition, the mirror port speed must match. The mirror port must support a rate high enough to carry the traffic mirrored from all source ports. For example, if site A is on a heavily loaded 100 M link and the OptiView analyzer is connected to a mirror port on a 10 M link, then when site A is mirrored to that port the switch cannot copy all frames to it (figure 3).
One point is easy to overlook. If a 100 M full-duplex link is mirrored, the traffic at the mirror port can theoretically reach 200 Mbps. (Because full duplex allows traffic to pass in both directions at the same time, it effectively doubles the network bandwidth: each direction can carry 100 Mbps.) If the total traffic exceeds 100 Mbps, the switch discards the traffic in excess of the mirror port's 100 Mbps without any notification. The total of all mirrored traffic must stay within 100 Mbps.
When you use mirroring to diagnose a fault on a slow link, you must pay attention to the switch's forwarding mechanism. By default, most switches use wire-speed store-and-forward. This method checks each frame for structural errors before forwarding it, so collisions and errors are not forwarded to the network segments on other ports. There are also two types of fast forwarding technology; in one of them, the switch buffers the frame only far enough to read its destination MAC address. This forwarding method forwards collision frames, and errors that occur after the destination address, to other ports of the switch.
Under normal circumstances, traffic from the source port is also sent to the mirror port. If the network segment is slow because of excessive collisions or errors, the traffic copied to the mirror port will not contain these error frames unless the switch uses fast forwarding and the frame errors occur after the part of the frame that the forwarding check examines. Some manufacturers do not provide products that support fast forwarding, so unless you insert a hub into the network segment suspected of being faulty, the analyzer cannot detect collisions and error frames. When using the mirror function on a switch for testing and monitoring, the most important thing is to understand which forwarding technology the switch is currently using. This differs between vendors, and even they do not know the current state of the switch. At present, mirroring is still the best method for analyzing switch traffic and capturing packets.
With the spread of switching to the desktop, it is very important that the mirror function is built into the switch. Used properly, mirroring is a powerful tool for monitoring and troubleshooting switched networks.
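The effect of the forwarding method on what an analyzer at the mirror port can see is shown below. This is an added example, not vendor code. It uses a simplified Ethernet frame (no preamble, CRC-32 from zlib as the FCS), constructed sample frames, and the common name "cut-through" for the fast forwarding described above.

```python
import zlib

MODES = ("store-and-forward", "cut-through")

def make_frame(dst, src, payload):
    """Simplified frame: destination MAC + source MAC + payload + 4-byte FCS."""
    body = dst + src + payload
    return body + zlib.crc32(body).to_bytes(4, "little")

def fcs_ok(frame):
    """Recompute the CRC over everything but the last 4 bytes and compare."""
    body, fcs = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "little") == fcs

def mirror_copy(frames, mode):
    """Return the frames that reach the mirror port for a forwarding mode.

    store-and-forward: the whole frame is buffered and checked, bad frames dropped.
    cut-through: forwarding starts once the 6-byte destination MAC is read,
    so damage later in the frame is forwarded unchecked.
    """
    if mode not in MODES:
        raise ValueError(f"unknown forwarding mode: {mode}")
    copied = []
    for frame in frames:
        if len(frame) < 6:
            continue                      # destination address not readable
        if mode == "store-and-forward" and not fcs_ok(frame):
            continue                      # error frame never leaves the switch
        copied.append(frame)
    return copied

def error_frames_seen():
    """Per mode: (frames at the mirror port, how many of them are error frames)."""
    # Constructed sample traffic from a faulty segment.
    dst, src = bytes.fromhex("00000000000b"), bytes.fromhex("00000000000a")
    good = make_frame(dst, src, b"payload-0001")
    corrupted = bytearray(make_frame(dst, src, b"payload-0002"))
    corrupted[14] ^= 0x01                                 # bit error in payload
    fragment = make_frame(dst, src, b"payload-0003")[:20] # collision fragment
    frames = [good, bytes(corrupted), fragment]
    result = {}
    for mode in MODES:
        seen = mirror_copy(frames, mode)
        result[mode] = (len(seen), sum(not fcs_ok(f) for f in seen))
    return result

if __name__ == "__main__":
    for mode, (total, bad) in error_frames_seen().items():
        print(f"{mode}: {total} frames at mirror port, {bad} with errors")
```

With store-and-forward the analyzer sees one clean frame and no evidence of the fault; with cut-through it sees all three frames, two of them damaged.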
