Switches connect your network together. This is Layer 2 networking technology that operates at the Data Link Layer of the OSI stack. By connecting the lengths of cable into a switch, you can link endpoints and other devices into the network. The receptor on a switch that the Ethernet cable plugs into is called a port.
When you introduce a new switch on a network, you don’t need to tell it which device each connected cable leads to. First of all, the switch registers which ports have cables attached to them.
When the switch receives traffic in for the first time on a cable, it examines the header of the frame that carries the incoming message and extracts the source MAC address. It then associates that address with the port the frame arrived on.
The switch reads the destination address on the frame. However, at this point, it does not know the addresses of the devices connected to it. Rather than using the destination address on the incoming frame, the switch just broadcasts the new message to all ports. When one of the devices connected to the switch responds to that incoming message, the switch registers the source address on that incoming frame with the port the message comes in on.
Message by message, the switch works out which port leads to which device and associates the appropriate MAC address with each port. Once the switch knows the address of a port, it reads the destination addresses on frames and only sends frames destined for that endpoint to the associated port instead of broadcasting those frames on all ports.
As a network administrator, connecting a network together, you have no idea how well that port address association process is going.
Switch port monitoring
The first monitoring requirement you have with a switch is to find out what addresses your switches have allocated to their ports. You know which devices you plugged into each switch. However, thanks to the self-configuration service on each switch, you probably didn’t bother to note down which cable plugged into which port.
The self-configuration service on switches can make network administrators a little lazy. However, if you bought an automated device, it would be a waste of effort to duplicate that automation with manual processes. Monitoring is the automated answer that adds data gathering features to automated Layer 2 address management.
Monitoring systems that query switches and collate port address allocations are called switch port mappers. A very basic switch port mapper will just log each switch and the occupied ports on each together with the MAC addresses associated with those ports. This in itself is a useful aid because it shows you which switches have spare capacity because they have unassigned ports. If you have IP address management software as well as a switch port mapper, the two tools can work together to give you a list of which IP address runs through which switch.
Advanced switch port monitoring
The basic information that a simple switch port mapper provides is just the start of all of the features that switch port monitoring can give you. A more comprehensive monitoring tool can easily draw up a network topology map just by converting the address mapping information provided by each switch into a graphical representation. You will be able to see which switches are connected to each other and which endpoints are connected to each switch.
As switches are the essential devices that link your network together, switch port monitoring is the basis for all live network monitoring.
Network terminology includes a number of terms that are confusing because the same word is used by different specializations to mean different things. “Port” Is one such word. You might hear of port scanners and think that these tools perform the network switch port monitoring service described above. However, this is not the case.
You probably know that, at the Transport Layer, TCP/IP operates two different protocols: Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). TCP and UDP add protocol data to an IP header by referencing a port number. For example, HTTP is port 80 and FTP uses port 20 for data and port 21 for control messages.
Transport Layer port numbers are not the same as switch port addresses. In fact, they are completely different. Transport Layer port numbers are addresses that identify which daemon running on the receiving device should handle the incoming packet. A switch, operating at Layer 2, doesn’t even deal with IP packets and has no idea what those Transport Layer port numbers mean. A switch port is a hole in the case of the switch that is a receptor for a connector on the end of a network cable.
Port scanners test network routers/gateways to find out which packet-receiving daemons are running, waiting for incoming data. This is termed an “open port.” Port scanners don’t look at switches because those daemons associated with port numbers don’t run on those devices.
When you are investigating port monitoring, be very careful about which type of port the software tools that you encounter in your search are actually dealing with. Similarly, when a colleague talks to you about ports, don’t be afraid to ask for clarification on the topic before you start talking about the other type of port.
Generally, when IT professionals mention port monitoring, they are referring to Transport Layer ports. To be clear, in this guide, we are looking into switch port monitoring and not port monitoring.
Switch port monitoring notifications
During the installation phase of a switch, you would expect it to discover new devices and allocate their addresses. Switch port monitoring tools pick up these actions and register them in a log. The dashboard of the tool should also display these notifications.
Although you might not have noted down the addresses of each device that you connected to a switch, you should know how many devices you plugged in. The arriving notification of a device discovery helps you to count down the recognition of all of the devices that you attached to the switch. Once all of those devices have been recognized, you shouldn’t get any additional notification of device discovery from that switch.
Switches are a great source of data and you need to be careful that an intruder doesn’t connect to one of them. Once all expected devices are logged as operational on the switch, any additional device discovery indicates that someone has made an unauthorized connection to one of your switches.
Network intruders have two ways of accessing your infrastructure. One of those is by getting in from the internet and exploring the network remotely. The other method is to physically connect a laptop or a monitoring device to a switch.
Device recognition notifications from your switch port monitor will let you know if an unexpected physical connection has occurred. Immediately, you will know which switch to go to and which cable to pull.
Switch port statuses
Most of the cables that connect to your network lead to endpoints. However, at least one port on each switch connects to another switch or a router. These are known as trunk connections. It is important to ensure that all connections are active. Data moves across a network by traveling along these trunk connections from switch to switch. If one of the connectors plugged into a switch port comes loose or malfunctions in some way, a whole section of your network will go down.
Switch port problems cause serious outages on the network and if one occurs, you need to know about it straight away. Although a switch port failure is a serious event, you can’t waste time sitting watching the switch port monitoring dashboard all day on the off-chance that an error will occur.
Fortunately, switch port monitoring tools include an alerting mechanism. Normal activities will be logged and displayed on the screen as they occur. However, a serious problem generates an alert, which can be forwarded to key personnel as SMS or email notifications.
The alerting system means that you can assume that everything is going well with the network and get on with other tasks instead of watching live statuses on the switch port monitoring dashboard.
Traffic statistics monitoring
Switches are smart devices. They have onboard computers that can compile statistics and respond to remote commands. The types of data that each switch can provide depends on its firmware and which communication standards it operates.
There are various statistical reporting standards and most of them are proprietary systems that were created by network device manufacturers. Switches usually ship with metrics querying system pre-loaded onto them. Network administrators have the option of accessing the firmware menu of the switch directly or employing a switch monitoring tool that will interface with switches, gather data, and then repackage it in the monitoring dashboard.
The main statistics gathering standards and their creators are:
- NetFlow – Cisco Systems
- IPFIX – Cisco Systems
- NetSteam – Huawei
- J-Flow – Juniper Networks
- sFlow – Vendor-neutral
Of these systems, NetFlow is the definitive standard. The others are variations on NetFlow, which was the first statistics monitoring protocol to be created for switches.
All of these services will produce statistics down to port level. So, they provide switch port traffic throughput monitoring. Network traffic monitors chain together port throughput data from all of the switches on a network.
One last switch port monitoring technique to try out is port mirroring. This is a service that needs to be set up directly on the switch. The switch will duplicate all of the traffic on a nominated port and send that to a second, virtual port. You then set up a file on a server or on your own workstation to receive those data streams. It is possible to specify whether you want copies of inbound traffic, outbound traffic, or both. This is a packet capture system built into switches.
One note of caution when capturing packets with port mirroring is that the process can create very large files very quickly. However, this technique is useful for feeding real network traffic into a protocol analyzer. It is also a good source of input data for a network stress testing tool, which will replay the traffic over parts of the network to test for performance bottlenecks.
You can find out more about port mirroring in The Ultimate Guide to Port Mirroring. If you have Cisco switches, check out A guide to port mirroring on Cisco (SPAN) switches, which has step-by-step instructions.
Switch port monitoring tools
If you want some ideas on which tools to look into in order to perform switch port monitoring, here is our list of seven recommended switch port monitoring systems.
- SolarWinds Switch Port Mapper EDITORS CHOICE – This straightforward switch portmapper is part of a bundle of more than 60 network administration tools, called the Engineer’s Toolset.
- SolarWinds User Device Tracker (FREE TRIAL) – This monitoring tool examines both switch port activity and Transport Layer port data to identify traffic by protocol. It will also compile throughput statistics at each port according to source and destination IP address or user account.
- ManageEngine OpUtils – this package includes a switch port mapper and an IP address manager to help you monitor all traffic and the addresses used in its transmission.
- Site24x7 Infrastructure – A network and server monitoring package that includes switch monitoring facilities.
- Paessler PRTG – A package of monitoring tools that includes three types of switch monitors with port monitoring features.
- Nagios XI – this infrastructure monitoring system includes switch port data gathering processes that operate through the Simple Network Management. Protocol (SNMP).
- Cisco Switched Port Analyzer (SPAN) – A free system for monitoring switch ports and port mirroring on Cisco switches.