Network switch apparatus has been used to copy and forward network traffic from the span ports and tapped links of a production network to one or more management or monitoring systems (called network “tools”) including, but not limited to, network sniffers, intrusion detection systems, application monitors, forensic recorders, etc. The traffic can be intelligently multiplexed, aggregated, filtered or distributed according to user-defined “map rules” while on the way from the ingress point (a network port) to the egress point (a tool port). Such network switch apparatus is commercially available from Gigamon in Milpitas, Calif. Multiple network switch apparatuses may be combined (stacked) together to form a much bigger network switch apparatus (system) where traffic can enter any port of one network switch apparatus and be forwarded out of another port on the same or a different network switch apparatus via stacking links. Such devices/systems have been described in U.S. Pat. Nos. 7,440,467, 7,436,832, 7,424,018, 7,792,047, 7,889,748, and 7,835,358, the disclosures of all of which are expressly incorporated by reference herein.
Over the past decade, there has been very significant growth in the amount of network traffic in both enterprise and telecom service providers' networks. This growth in traffic comes from various sources, including the increasing popularity of smart phones; the rapid growth in the adoption of video-based applications and services; and the widespread deployment of virtualization technologies whereby many applications demanding network access can be run on the same physical host machine. During the same period, more sensitive information is being sent over the Internet, including online banking and trading, electronic medical records, distance learning, etc., which, in combination with the growing trend of IT organizations to outsource application delivery, is driving more traffic and information into the “Cloud”. From a security and compliance standpoint, there are concerns about where this information is being stored, how it is accessed and whether it is copied to an unauthorized third party.
Also, virtualization brings new challenges to network visibility. At the highest level, the network is quickly evolving from a static component of infrastructure to a very dynamic and agile component. For example, a monitoring or management tool has no easy access to the traffic created by the communications between any two virtual machines that reside within the same physical host. Additionally, when virtual machines are moved from one physical host to another, they create a number of network issues. For instance, a static IP address may suddenly show up at a different location, or any tool tracking this virtual machine may have to find a different physical port span to access the traffic flow once the virtual machine is relocated.
Furthermore, network traffic is becoming more mobile. Traffic destined for the user community within an enterprise is now delivered across and between multiple geographic locations as a user moves from one location to another. As a further complication, although a user may be static, he/she may be “mobile” between devices, so traffic may be delivered over local networks, local wireless networks and third-party service provider networks at the same time. Monitoring and securing a user's traffic becomes significantly more challenging since no single point tool can cover all the traffic.