1. Field of the Invention
The present invention relates generally to network tap devices used to enable monitoring of data transiting switched packet networks and, more particularly, to a fail-safe intelligent network data stream monitor tap device capable of maintaining continuous network availability in the monitored network segment under various tap device failure conditions.
2. Description of the Related Art
Intentional administrative monitoring of Ethernet network segments, and switched data networks in general, is desirable, if not required as a practical matter, in conventional network infrastructures. Network taps are embedded in the network infrastructure in order to derive tap data streams that are routed to dedicated monitoring devices. Conventionally, these monitoring devices include various network use and performance probes, network intrusion detection systems, VoIP recorders, packet sniffers, and other auditing and collection devices. The collected data enables, for example, ongoing evaluation and analysis of network infrastructure performance, including network segment loading, protocol and end-point routing usage, infrastructure configuration and optimization planning, and various forms of error-detection that may reveal present or predict future network infrastructure failures. Examination of the tap data streams also enables detection of the source and nature of intrusion attempts and the evaluation of other security concerns.
Various network elements and associated analysis methods have been devised and, over time, evolved, to enable appropriate administrative monitoring of switched data networks. Basic techniques involve a passive tapping of network segments combined with an analog amplification of the derived network data stream signals. With the advent of gigabit speed Ethernet over unshielded twisted pair media, also known as 1000Base-T or the IEEE 802.3z standard, passive tap techniques can no longer be applied to capture and accurately reproduce the packet data stream. Specifically, these network data transmission protocols allow bidirectional data signaling: both ends of a network segment are permitted to simultaneously transmit data on a single wire pair. Use of a passive tap would impose an impractical requirement on monitoring devices to separate the bidirectionally combined signals in order to correctly extract the data packets.
More recently devised active tap devices, such as shown in U.S. Pat. No. 6,424,627, issued Jul. 23, 2002 to Sorhaug et al., are designed to be physically inserted into existing network segments and digitally copy all transiting data packets to a separate network routed to one or more monitoring devices. Data relays are conventionally implemented in parallel with the tap interception of the existing network segment to provide a passive path in protection of the network segment transmission integrity. On power or other failure of the tap device, the data relays close in a fail-safe mode to enable continued use of the network segment. The data relays may also be intentionally closed, forcing passive bypass of the network tap, on occasion for various administrative reasons.
A particular problem arises in connection with the use of active tap devices in networks that employ port-based routing network switches. Characteristically, these problems arise in routed networks that utilize some variant of the spanning tree protocol to automatically ensure loop free connectivity across redundant network links. The spanning tree protocol is a layer-2 protocol that defines a distributed configuration process commonly implemented by the network routers to selectively disable mesh connected network segments as needed to obtain only a single active network path between any two network end points. The formal spanning tree protocol (STP) is defined in the IEEE Standard 802.1D. While currently manufactured network routers typically implement a rapid spanning tree protocol (RSTP), as defined in the IEEE Standard 802.1w, many established network infrastructures still use network routers capable of supporting only IEEE 802.1D.
The spanning tree protocols also define a continuous network topology change monitoring process that will automatically trigger reselection of active and blocked network segments appropriate to account for the topology change. Bridge Protocol Data Units (BPDUs) are passed functionally as keep-alive data packets. A failure to receive BPDUs within the aging period is interpreted as indicating a topology change, signaling connected routers to block pending completion of the reconfiguration. That is, because of the indeterminate nature of the topology change, which may include the addition of new redundant links, each topology change event immediately causes a potentially wide-ranging network outage. Under the best of circumstances, in a pure RSTP network, the outage can last from several seconds to several tens of seconds and, in mixed STP networks, from 30 to 90 seconds, if not longer.
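As an added illustration that is not part of the original text, the following sketch decodes the BPDUs described above as a monitoring device attached to a tap might, flagging topology change events and reading the advertised timers that govern how long a port stays blocked. The field layout follows the IEEE 802.1D configuration BPDU; the function names and the sample frames are constructed for this example.

```python
import struct

# 802.1D configuration BPDU body (LLC header 42 42 03 already stripped), 35 bytes.
_CONFIG = struct.Struct("!HBBB8sI8sHHHHH")
TC_FLAG, TCA_FLAG = 0x01, 0x80  # topology change / topology change acknowledgment

def parse_bpdu(payload: bytes) -> dict:
    """Decode one spanning tree BPDU into a dictionary of its fields."""
    if len(payload) < 4:
        raise ValueError("truncated BPDU")
    proto, version, bpdu_type = struct.unpack_from("!HBB", payload)
    if proto != 0:
        raise ValueError("not a spanning tree BPDU")
    if bpdu_type == 0x80:  # Topology Change Notification carries a header only
        return {"type": "tcn", "version": version}
    if bpdu_type not in (0x00, 0x02) or len(payload) < _CONFIG.size:
        raise ValueError("unsupported or truncated BPDU")
    (_, _, _, flags, root, cost, bridge, port,
     msg_age, max_age, hello, fwd_delay) = _CONFIG.unpack_from(payload)
    return {
        "type": "config" if bpdu_type == 0x00 else "rst",
        "version": version,
        "topology_change": bool(flags & TC_FLAG),
        "tc_ack": bool(flags & TCA_FLAG),
        "root_id": root.hex(), "bridge_id": bridge.hex(),
        "root_path_cost": cost, "port_id": port,
        # Timer fields are carried in units of 1/256 second.
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd_delay / 256,
    }

def port_recovery_seconds(bpdu: dict) -> float:
    # An 802.1D port that comes back up spends one forward delay in each of
    # the listening and learning states before it forwards traffic again.
    return 2 * bpdu["forward_delay"]

def topology_change_seen(payloads) -> bool:
    """True if any BPDU in the capture signals a topology change."""
    return any(b["type"] == "tcn" or b.get("topology_change")
               for b in map(parse_bpdu, payloads))

# Constructed sample frames (not from a real capture); timers are 802.1D defaults.
ROOT, BRIDGE = bytes.fromhex("8000001122334455"), bytes.fromhex("80000011223344aa")
SAMPLE_TC = _CONFIG.pack(0, 0, 0, TC_FLAG, ROOT, 4, BRIDGE, 0x8001,
                         1 * 256, 20 * 256, 2 * 256, 15 * 256)
SAMPLE_QUIET = _CONFIG.pack(0, 0, 0, 0, ROOT, 4, BRIDGE, 0x8001,
                            1 * 256, 20 * 256, 2 * 256, 15 * 256)
SAMPLE_TCN = bytes([0x00, 0x00, 0x00, 0x80])
```

With the default 15 second forward delay, the listening and learning states alone account for the 30 second lower bound cited for 802.1D networks.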
The switching of a conventional active tap device between active and passive states will result in most circumstances in a network link drop across the monitored segment. Although the physical layer disconnect/reconnect cycle in conventional tap devices can be quite short, depending essentially on the electro-mechanical switch and settle time of the relays, the loss of network link is driven by other factors. Specifically, any difference in link configuration, including difference in connection speed, Automatic Medium Dependent Interface (MDI-X) configuration, and master/slave timing orientation, as applicable to the different 10Base-T, 100Base-T and 1000Base-T Ethernet standard connections, requires a link drop and communications protocol renegotiation to establish a working network link.
Conventionally, reestablishment of the link through the network segment being monitored will typically occur within a range from one half second to several seconds. Regardless of the actual time required to reestablish the network link, however, the link drop itself is conventionally seen as a topology change event and directly results in a significant and undesired network outage. Although the interruption for link reestablishment might be acceptable in basic network use cases, the wider and significantly longer network outage due to the spanning tree protocol reconfiguration is highly undesirable, if not entirely unacceptable for many high-valued applications, such as telephony and similar continuity critical applications.
Further improvements have been made in conventionally modern active tap devices. These advances are, for example, embodied in a current active tap device product, identified as nTAP™, manufactured by Network Instruments, LLC, Minnetonka, Minn. Based on publicly available information, this nTAP device supports full-duplex 10/100/1000Base-T connection monitoring with power-loss fail-over to a fully passive connection. The two identified improvements implemented are a connection speed constraint and a connection loss constraint. The connection speed constraint limits both sides of the monitored network segment to the same connection speed, thereby enabling a correct valuing of the carrying capacity of the monitored network segment by the two network devices connected to the remote ends of the monitored network segment. The connection loss constraint forces down the remaining network segment when the active tap device recognizes that the network link through either connected network segment is lost. A consistent connection state is therefore seen by both of the remote end connected network devices. Neither improvement, however, addresses the occurrence of topology change events or prevents network outages due to spanning tree protocol reconfigurations.