The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
A computer network typically includes multiple network elements. These network elements may include hosts, such as personal computers and workstations, and devices that manage network traffic from the hosts, such as routers, hubs, and switches. A network element may send information to another network element by transmitting one or more data packets through the network.
A data packet may include a protocol-defined header that specifies one or more destination network elements. Network elements may be identified by network addresses. For example, an Internet Protocol (IP) address uniquely identifies a network element within a network that uses IP. An IP header includes a destination IP address of a network element to which the data packet that contains the IP header is to be delivered.
To analyze network traffic on a network, a user may wish to examine the contents of data packets that are transmitted over the network. To examine the contents of all of the data packets that are transmitted through the network, it is useful to receive all of the data packets at a network element that is configured to monitor network traffic. A network element that is configured to monitor network traffic may be called a “sniffer” or an “analyzer.”
The analyzer may remotely communicate, through the network, with network elements that communicate data packets to each other. By receiving these data packets, the analyzer can remotely monitor network traffic. Because many of the data packets may not be addressed to the analyzer, the analyzer will not receive all of the data packets unless some mechanism is used to ensure that copies of the data packets are delivered to the analyzer. Unless the mechanism also permits the original data packets to be delivered to their specified destination network elements, the remote monitoring will interrupt network traffic.
One mechanism for delivering copies of data packets to an analyzer uses a group of dedicated virtual local area networks (VLANs). This mechanism copies data packets that are transmitted between a source network element and a destination network element, and sends the copies over a particular VLAN that has been established exclusively to transmit the copies, for that source/destination network element pair, to the analyzer. This mechanism may be referred to as the “Remote Switch Port Analyzer” (RSPAN) mechanism.
The RSPAN mechanism suffers from several disadvantages. In order to monitor all network traffic on a given network using the RSPAN mechanism, every network switch within the network must be configured to use the RSPAN mechanism. Cisco Catalyst 6000 Series switches, from Cisco Systems, Inc., are configured to use the RSPAN mechanism. Unfortunately, many existing network switches are not capable of using the RSPAN mechanism. As a result, the RSPAN mechanism cannot be effectively used to monitor network traffic on a network that may or may not include specifically configured network elements (a “generic network”).
At least some existing implementations of the RSPAN mechanism “flood” copies of data packets over a VLAN. In other words, at least some implementations of the RSPAN mechanism broadcast, via the Data-Link Layer, copies of data packets to all network elements that are connected to the VLAN. Such flooding may degrade network performance.
At least some existing implementations of the RSPAN mechanism do not send copies of Bridge Protocol Data Unit (BPDU) packets to an analyzer. BPDU packets may contain information that a network administrator wants to monitor.
At least some existing implementations of the RSPAN mechanism transmit copies of data packets only over trunk links. A trunk link is a physical link, between network element interfaces, that carries data packets for multiple VLANs.
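The copy-over-a-dedicated-VLAN behavior described above can be modeled as follows. This is an added example, not part of the original text and not any vendor's implementation; it assumes the copy is carried with an IEEE 802.1Q tag, as on a trunk link, and the class name, VLAN 900, port numbers and MAC addresses are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier

def tag_copy(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Return a copy of an untagged Ethernet frame with an 802.1Q tag inserted."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tci = (pcp << 13) | vlan_id  # priority bits, then 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag(frame: bytes):
    """Analyzer side: return (vlan_id, original_frame), or (None, frame) if untagged."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame

class MirroringSwitch:
    """Toy model (assumption): all destinations are already in the MAC table."""
    def __init__(self, mac_table, vlan_ports, pair_to_vlan):
        self.mac_table = mac_table        # destination MAC -> egress port
        self.vlan_ports = vlan_ports      # monitoring VLAN -> ports on that VLAN
        self.pair_to_vlan = pair_to_vlan  # (src MAC, dst MAC) -> monitoring VLAN

    def handle(self, frame: bytes):
        """Return every (port, frame) delivery caused by one ingress frame."""
        dst, src = frame[:6], frame[6:12]
        deliveries = [(self.mac_table[dst], frame)]  # original still delivered
        vlan = self.pair_to_vlan.get((src, dst))
        if vlan is not None:
            copy = tag_copy(frame, vlan)
            # Flooding: one copy per port on the monitoring VLAN, not just the analyzer.
            deliveries += [(port, copy) for port in self.vlan_ports[vlan]]
        return deliveries

# Constructed sample data: locally administered MACs and a dummy IPv4 EtherType.
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")
SAMPLE_FRAME = HOST_B + HOST_A + b"\x08\x00" + b"constructed payload"

def demo():
    switch = MirroringSwitch({HOST_B: 2}, {900: [10, 11, 12]}, {(HOST_A, HOST_B): 900})
    return switch.handle(SAMPLE_FRAME)

if __name__ == "__main__":
    for port, delivered in demo():
        print(port, untag(delivered)[0], len(delivered))
```

One monitored frame produces four deliveries in this model: the unmodified original on the destination port, plus a tagged copy on each of the three ports attached to the monitoring VLAN, which is the flooding overhead the text refers to.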
Based on the foregoing, there is a clear need for a way to remotely monitor network traffic through a generic network.