Dumb switches are now too smart for my good

December 4, 2007

Here's an ironic thing: basic switches these days are now too smart for their own good, or at least for my good. The issue is that even theoretically dumb switches are VLAN aware, which means that they will only pass VLAN tagged packets if they've been told about the particular VLAN is tagged for.

The problem this creates is that it is now impossible to have a generic traffic monitoring switch. What you'd like to have is a small switch that's pre-configured with a mirror port that you could just transparently splice in at any spot in your network to debug traffic. Ideally this switch would be generic, so that it would work anywhere and everywhere in your network fabric, no matter what else was going on.

(You won't be able to monitor the full 2 Gb of potential traffic, but in many situations you don't need to because the link isn't that saturated.)

But this doesn't work if you want to splice the switch into a spot that's carrying tagged VLANs, because if the switch doesn't know about one of the VLANs it will just drop that VLAN's packets. Which is far from transparent.

You can't configure the switch to pass all possible VLANs, because no switch can be configured with anywhere near 4094 VLANs. You can try to configure the switch to pass all VLANs that are in use at your site, but this is both prone to errors as configurations change over time and limits where you can plug in the switch (you have to put it in front of something of yours that would drop any stray VLANs anyways).

(We actually ran into this with the switch that our traffic tracking system uses to take a tap of the traffic going through our NAT gateway. We added a new subnet on our core switch infrastructure and to the NAT gateway but forgot to update the traffic tap switch, and were very puzzled for a while as machines on the subnet couldn't talk to the NAT gateway to get out to the world.)

Comments on this page:

I realize this page is almost 6 years old, but if you haven't found a good answer to this, let me point out: http://www.dual-comm.com/gigabit_port-mirroring-LAN_switch.htm

It's USB-powered, which means you can power it right from your laptop (which is generally where you're running Wireshark). For tapping optical connections, I often couple this with a USB-powered media converter (and then use a copper SFP on the other side if needed).

The only criticism I have is that it's apparently not transparent to LACP. Other than that, it's transparent to everything I've thrown at it. It's even supposed to be transparent to power-over-Ethernet, though I haven't tested that personally.

By cks at 2013-10-05 01:48:17:

That's an interesting little piece of hardware. Thank you for mentioning it here; we may get one in to play with someday (it's not like they're very expensive, either).

We haven't found an answer to the overall problem since I originally wrote this entry, but we haven't had to deal with it for several years now for various reasons (including that our network seems to have stabilized for now).

Update for the record: I have since tested the PoE pass-through, and it works as expected.

Written on 04 December 2007.
« A comment spam precaution that didn't work out
Safely updating files that are read over NFS »

Page tools: View Source, View Normal, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Tue Dec 4 23:47:35 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.