You can use various methods to monitor packets. One method uses physical hardware taps.

Network taps can be extremely useful in monitoring traffic because they provide direct inline access to data that flows through the network. In many cases, it is desirable for a third party to monitor the traffic between two points in the network. If the network between points A and B consists of a physical cable, a network tap might be the best way to accomplish this monitoring. The network tap has at least three ports: an A port, a B port, and a monitor port. A tap inserted between the A and B ports passes all traffic through unimpeded, but it also copies that same data to its monitor port, which could enable a third party to listen.

Whether you are trying to gain visibility into the server-to-server data communication at the edge or virtual edge of your network or to provide a copy of traffic to the Intrusion Prevention System (IPS) appliance at the Internet edge of your network, you can use network taps nearly anywhere in the environment. However, this deployment can add significant costs, operation complexities, and cabling challenges in a large-scale environment.

An alternative solution to help with monitoring and troubleshooting tasks in the data center is a device that is especially designated to allow the aggregation of multiple taps and that also connects to multiple monitoring systems. This solution is referred to as tap aggregation. Tap aggregation switches link all the monitoring devices directly to specific points in the network fabric that handle the packets that need to be observed.

In the tap aggregation switch solution, the Cisco Nexus 3000 or Cisco Nexus 3100 Series switch is connected to various points in the network at which packet monitoring is advantageous. From each network element, you can use Switched Port Analyzer (SPAN) ports or optical taps to send traffic flows directly to this tap aggregation switch. The tap aggregation switch itself is directly connected to all the analysis tools used to monitor the events in the network fabric. These monitoring devices include remote monitor (RMON) probes, application firewalls, IPS devices, and packet sniffer tools.

You can dynamically program the tap aggregation switch with a configuration that allows traffic to enter the switch through a certain set of ports that are connected to the network elements. You can also configure a number of match criteria and actions to filter specific traffic and redirect them to one or more tools.

Tap aggregation has the following guidelines and limitations:

• TAP aggregation filters on MPLS tags is not supported on the Cisco Nexus 3000 Series switches.

• The interface to be applied with the tap aggregation policy must be in Layer 2. You can configure a Layer 3 interface with the policy, but the policy becomes nonfunctional.

• Each rule must be associated with only one unique match criterion.

• All tap aggregation interfaces must share the same ACL. Multiple ACLs are not required across interfaces because the match criteria includes an ingress interface.

• The actions vlan-set and vlan-strip must always be specified after the redirect action. Otherwise, the entry will be rejected as invalid.

• The deny rule does not support actions such as redirect, vlan-set, and vlan-strip .

• When you enter a list of inputs, for example, a list of interfaces for the policy, you must separate them with commas, but no spaces. For example, port-channel50,ethernet1/12,port-channel20.

• When you specify target interfaces in a policy, ensure that you enter the whole interface type and not just the short form of it. For example, ensure that you enter ethernet1/1 instead of eth1/1 and port-channel 50 instead of po50.

Multiprotocol Label Switching (MPLS) integrates the performance and traffic management capabilities of Layer 2 switching with the scalability, flexibility, and performance of Layer 3 routing.

An MPLS architecture provides the following benefits:

• Data can be transferred over any combination of Layer 2 technologies

• Support is offered for all Layer 3 protocols

• Scaling is possible well beyond anything offered in today's networks

The ingress ports of Cisco Nexus 3172 receive various MPLS packet types. Each data packet in an MPLS network has one or more label headers. These packets are redirected on the basis of a redirect ACL.

Because the MPLS label is imposed between the Layer 2 header and the Layer 3 header, its headers and data are not located at the standard byte offset. Standard network monitoring tools cannot monitor and analyze this traffic. To enable standard network monitoring tools to monitor this traffic, single-labeled packets are stripped off their MPLS label headers and redirected to T-cache devices.

MPLS packets with multiple label headers are sent to deep packet inspection (DPI) devices without stripping their MPLS headers.

MPLS stripping has the following guidelines and limitations:

• Disable all Layer 3 and vPC features before you enable MPLS stripping.

• Ensure that global tap-aggregation mode is enabled.

• The ingress and egress interfaces involved in MPLS stripping must have mode tap-aggregation enabled.

• You must configure the tap-aggregation ACL with a redirect action on the ingress interface to forward the packet to the desired destination.

• Only one tap ACL is supported on the system.

• The egress interface where stripped packets will exit must be an interface that has VLAN 1 as an allowed VLAN. We recommend that you configure the egress interface as a trunk with all VLANs allowed by default.

• To enable MPLS stripping, ensure that you configure the Control Plane Policing (CoPP) class for MPLS, copp-s-mpls.

• For MPLS stripped packets, port-channel load balancing is supported.

• Layer 3 header-based hashing and Layer 4 header-based hashing are supported, but Layer 2 header-based hashing is not supported.

• During MPLS stripping, the VLAN is also stripped with the MPLS label.

• MPLS stripping is supported only on Cisco Nexus 3100 Series switches.