recently i was asked to implement a solution to mirror a massive amount of traffic (2-8Gbps of sustained traffic) to several different locations for further analysis.
after comparing gigamon, netoptics, and network critical, i opted for netoptics to fill the role (because of time constraints i could not do a proof of concept, so the evaluation was done by reading specs, talking to a few techs, and some googling).
i have spent time over the last few weeks configuring the netoptics and thought it would be worth sharing my experience for someone else’s benefit.
the things i like about the netoptics box (this is a
- the ports: the director extreme is loaded with 24 unpopulated SFP+ ports. you can mix and match speeds, types, and roles for every port. you want several ten gig fiber ports aggregated and shipped to a single ten gig monitor interface? no problem. three gig copper connections filtered for a subnet and sent to a gig fiber connection? absolutely. the quantity and flexibility of the ports are great.
- flexibility: there are a lot of options for how you want to carve/shape/move your traffic (by VLAN/ports/etc). it's pretty good, with one glaring issue (see my issues with the rules below).
- the roadmap: netoptics already is positioning themselves for virtual monitoring, which shows me they have a plan for the future and are thinking ahead, which i can appreciate.
- the support group: i have talked with several techs that have been very helpful (eric in particular has been a great resource). it's always good to be able to get a knowledgeable person on the phone quickly to help troubleshoot any issues you have with their product.
want to create a rule to monitor a whole subnet? no problem. want to create a rule to monitor a single IP? a little different story. for each IP you want to monitor (assuming you want to see all traffic, both egress and ingress), you have to create *two* rules. doesn’t sound so bad until you have to do it for hundreds of IPs. in my case, i wanted to monitor hundreds of IPs scattered throughout multiple subnets. here are the rules it takes to monitor a single IP:
filter add in_ports=1-2,12 ip_src=10.1.1.1 action=redir redir_ports=20
filter add in_ports=1-2,12 ip_dst=10.1.1.1 action=redir redir_ports=20
again, not so bad for a few hosts, but painful for hundreds of machines. also, did i forget to mention the cap on the number of rules/hosts you can monitor? i have seen it prevent me from adding rules, then let me add them, so i am not exactly sure what the cap is, but i have hit it (seemingly at random). instead of having multiple rules, i would expect netoptics to have a rule that would let me look at a host's traffic (ingress or egress) with one rule, like so:
filter add in_ports=1-2,12 *ip_host*=10.1.1.1 action=redir redir_ports=20
and now, my real issue with netoptics: rule management is a nightmare. let me explain. i like the command line (all our management of the director extreme is done over SSH, which is fine), so when i found out there was no webGUI i didn’t really sweat it. unfortunately, adding and removing rules is a very tedious, painfully slow process. to remove a rule, you have to remove *one rule at a time*, and it has to be by rule number. so in my case, where i wanted to remove a block of 50 rules (for 25 hosts), that meant i had to delete rule number 1 fifty times. because of how netoptics stores the rules (it reminds me of the stack in computer memory management), when you remove rule 1, rule 2 becomes rule 1 and rule 3 becomes rule 2, etc. this is painful.
you should be able to remove multiple rules at once
i thought i found a way around this by deleting all rules, modifying my rule base in notepad++, then recreating all rules. and it would work too, if i could paste more than 50-100 rules in at a time. i tried on both my windows host with putty and my linux host to add hundreds of rules at once and never could get it to work. worse yet, it didn’t just fail adding rule 50 every time: sometimes some rules in the hundreds would get added, other times ones in the teens would get added, and i could never decipher a rhyme or reason to how or why rules were or were not added. i literally ended up hitting the paste button dozens of times to finally get all the rules in the ruleset. it's quite an infuriating process when you feel like it's going to be a simple change.
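as an added example (my own script, not code from the post or from netoptics), here is how i would take the per-host rule pairs, the paste limit, and the renumbering-on-delete behaviour out of my hands: it emits the two `filter add` rules per host in the syntax shown above, chunks them into paste-sized batches, and generates the repeated delete commands for a block of rules. the delete command template is an assumption, since the post only says rules are removed one at a time by number; check it against your unit's actual syntax.

```python
import ipaddress
from typing import Iterable, List

# port values taken from the post's example rules
IN_PORTS = "1-2,12"
REDIR_PORTS = "20"


def host_rules(hosts: Iterable[str], in_ports: str = IN_PORTS,
               redir_ports: str = REDIR_PORTS) -> List[str]:
    """Two 'filter add' rules per host (ip_src and ip_dst), in the syntax
    the post shows. Bad addresses raise here, before anything is pasted."""
    rules = []
    for h in hosts:
        ip = ipaddress.ip_address(h.strip())
        base = f"filter add in_ports={in_ports}"
        tail = f"action=redir redir_ports={redir_ports}"
        rules.append(f"{base} ip_src={ip} {tail}")
        rules.append(f"{base} ip_dst={ip} {tail}")
    return rules


def batches(rules: List[str], size: int = 50) -> List[List[str]]:
    """Chunk the rule list so each paste stays under the 50-100 line
    limit the post ran into."""
    if size < 1:
        raise ValueError("batch size must be positive")
    return [rules[i:i + size] for i in range(0, len(rules), size)]


def delete_block(first: int, count: int,
                 template: str = "filter del {n}") -> List[str]:
    """Commands to remove 'count' consecutive rules starting at 'first'.
    The list collapses after each delete (rule 2 becomes rule 1), so the
    same number is issued 'count' times, as the post had to do by hand.
    'template' is an assumed placeholder, not documented on the page."""
    if first < 1 or count < 0:
        raise ValueError("rule numbers start at 1, count must be >= 0")
    return [template.format(n=first) for _ in range(count)]


if __name__ == "__main__":
    # constructed sample hosts, not addresses from the post
    sample = ["10.1.1.1", "10.1.1.2", "10.2.5.17"]
    for chunk in batches(host_rules(sample), size=4):
        print("\n".join(chunk), "\n--- paste boundary ---")
    print("\n".join(delete_block(1, 6)))
```

paste one batch at a time over the SSH session and confirm the rule count on the box before sending the next, since the post saw partial adds with no clear pattern.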
- give me a rule where i don’t have to specify both a source and destination rule just to get all traffic from one host
- help me keep my sanity by making adding, modifying, and removing rules a no-brainer. there is no reason in the world why getting the correct rules in place should be a challenging process. i don’t care if it's with a webGUI (although most users are going to prefer this) or through the command line, but make rule management easy. it will pay dividends later, i promise.
parting notes:
even with the frustration i have had with the netoptics box, when it works, it works well. it's incredibly powerful and i feel like it's very capable; it just seems like it is being limited by some poorly designed/implemented code. i don’t know if i would run into the same issues with gigamon or network critical so i can’t recommend them, but i can say i would hesitate to recommend netoptics in a case like mine (lots of IPs and lots of different rules) until they get their rule management tightened up.
i am hoping that instead of just sounding like a bashing session, this is viewed as constructive criticism by netoptics and i can update this post in the future with how they have made changes to make things better, but we will see.