Can Your Arista Switch Capture User Traffic

This article was originally posted in October of 2012 at

This falls into the category of “just because you can do something it doesn’t mean you should.” First, I welcome comments from the folks at Arista Networks and will update this entry accordingly as I learn anything new.

Next, I’d like to set the stage a bit. Myricom makes a lossless packet capture driver, Sniffer10G, designed to run on our 10GbE network adapters. Recently several people have said that Arista switches have a similar function, and have asked why they shouldn’t just capture and analyze all the user traffic right on the switch. On the surface, this appears to be a very reasonable question.

Switches have two basic types of data that flow into and through them: user packets and management packets. User packets are what make up emails and the stuff we see in our browsers, like this blog entry; these are also called data plane traffic. Management packets, known as control plane traffic, are used to configure networks and tell switches how to route packets, which rules to follow, and so on.

A switch administrator can easily install the program tcpdump on EOS, the operating system that runs on an Arista switch, and quickly capture and analyze these management packets. This will NOT by default allow them to capture and analyze user traffic. It can be done, though. Since EOS is Linux based and Arista permits external programs to be installed on the switch, Arista has created a recipe for accessing and capturing user traffic as well. For the adventurous, I’ll attach that link below.

It should be noted, though, that they strongly warn against doing this on a production switch, as it can quickly consume the CPU of the switch, which is not a good thing. In Arista’s example, they are only sampling 1 out of every 16,383 packets (that’s 0.006% of the traffic), and they mention that the impact on the host CPU is significant and warn against doing it on a switch with more than 50Mbps of total traffic.

So yes, you can do this, but again it is not recommended for a production switch, and frankly, if you’re only looking at 6/1000ths of 1% of the traffic, what’s the point? Configure your Arista switch with a spanning port and connect a Myricom or Emulex 10GbE adapter with FastStack Sniffer10G. Then you can look at ALL THE TRAFFIC at 200X the Arista recommended maximum data rate suggested above.
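
To put numbers on the "what's the point?" question for anyone hoping to use sampled capture for detection or forensics, here is an added example (not from the original article or from Arista) that estimates how likely a 1-in-16,383 sampler is to see any packet of a given flow. It assumes each packet is sampled independently, and the flow sizes are constructed for illustration.

```python
import math

# Figures quoted in the article
SAMPLE_N = 16_383        # 1 packet in every 16,383 is sampled
SWITCH_LIMIT_MBPS = 50   # traffic ceiling given for on-switch capture
SPAN_FACTOR = 200        # "200X" for a SPAN port plus capture adapter

# Constructed flow sizes in packets (illustrative, not measurements)
FLOWS = {
    "DNS lookup": 2,
    "TLS handshake": 12,
    "web page load": 150,
    "1 MB download": 700,
    "1 GB transfer": 700_000,
}

def sampled_fraction(n=SAMPLE_N):
    """Share of packets a 1-in-n sampler delivers to the capture tool."""
    return 1.0 / n

def p_flow_seen(packets, n=SAMPLE_N):
    """Chance that at least one packet of a flow is sampled.
    Assumes each packet is sampled independently with probability 1/n."""
    return 1.0 - (1.0 - 1.0 / n) ** packets

def packets_for_confidence(conf, n=SAMPLE_N):
    """Smallest flow (in packets) that is seen with probability >= conf."""
    return math.ceil(math.log(1.0 - conf) / math.log(1.0 - 1.0 / n))

def span_capture_mbps():
    """Rate the article attributes to SPAN plus a capture adapter."""
    return SWITCH_LIMIT_MBPS * SPAN_FACTOR

def report():
    """Rows of (flow name, packets, probability the sampler sees it)."""
    return [(name, size, p_flow_seen(size)) for name, size in FLOWS.items()]

if __name__ == "__main__":
    print(f"sampled share of traffic: {sampled_fraction():.4%}")
    for name, size, p in report():
        print(f"{name:15s} {size:>8d} pkts  seen with p = {p:.4%}")
    print("packets needed for a 95% chance:", packets_for_confidence(0.95))
    print("SPAN capture rate (Mbps):", span_capture_mbps())
```

Under these assumptions only very large transfers are reliably visible to the sampler; short exchanges such as a DNS lookup or a handshake are almost never captured.
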

One final note: the newest line of Arista Networks switches includes FPGA technology. If the FPGA is properly programmed, a non-trivial effort, then their capture and analysis performance could be substantially improved.

Here is the Arista link covering Collection and Analysis:
