Network mirroring methods (SPAN, N-TAP) and related inspection engines

This configuration is used when an S-TAP® cannot be installed on the host that runs the database instances to be monitored. Instead, you direct a copy of the network traffic that goes to the database server host to a Guardium collector. This method captures only network traffic, not local traffic within the database server host. The limitations are listed further on in this section. IBM strongly encourages you to use an S-TAP instead.

Port Mirroring: For network traffic, you can use port mirroring, which is mirroring through SPAN (Switched Port Analyzer) ports. This requires a network switch with port mirroring capability. Both the physical setup and the configuration of the inspection engine are required for port mirroring.

Physical Setup: The LAN containing the desktop used for connecting to the Guardium collector GUI should be connected to the eth0 port on the Guardium collector appliance. The SPAN port from the network switch should be connected to the eth1 port of the Guardium collector appliance. You can also connect additional SPAN ports to the remaining ethernet ports of the Guardium appliance, in order. The network switch must then be configured to mirror all traffic to and from the databases to be monitored, to a port on which the appliance is connected. A network administrator should be able to perform this configuration. You may need to consult the switch vendor's documentation for the exact process for setting up this configuration.

Because all network traffic from the host is sent to the collector, the collector may have to examine a large amount of irrelevant (non-database) traffic before deciding to ignore it.

The collector needs a separate port for the incoming traffic from SPAN/N-TAP. The actual setup is beyond the scope of Guardium (and Guardium support). Your network administrators are responsible for configuring this solution. Once the mirrored traffic is directed to the collector, you need to define inspection engines for each of the databases for which the traffic has been mirrored. Note that these inspection engine definitions are different from the definitions with the same name under S-TAP control.
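A pre-check a network administrator can run on a packet summary taken from the mirror port before inspection engines are defined. This is an added example, not IBM code or a Guardium tool. It reports whether both directions of traffic are present for each monitored database and how much of the mirrored traffic is non-database. The record format, IP addresses and endpoint list are constructed assumptions.

```python
# Constructed sample: one (src_ip, src_port, dst_ip, dst_port) tuple per mirrored
# packet, e.g. exported from a capture taken on the SPAN destination port.
SAMPLE_PACKETS = [
    ("10.0.5.20", 51514, "10.0.1.10", 1521),  # client -> database listener
    ("10.0.1.10", 1521, "10.0.5.20", 51514),  # database -> client
    ("10.0.5.21", 40022, "10.0.1.11", 5432),  # request seen, no reply mirrored
    ("10.0.5.21", 40022, "10.0.1.11", 5432),
    ("10.0.9.9", 60001, "10.0.1.10", 22),     # SSH to the same host (non-DB)
    ("10.0.1.10", 22, "10.0.9.9", 60001),
    ("10.0.1.11", 123, "10.0.0.1", 123),      # NTP (non-DB)
    ("10.0.0.1", 123, "10.0.1.11", 123),
]

# Assumed list of monitored database endpoints: (server IP, listener port).
DB_ENDPOINTS = [("10.0.1.10", 1521), ("10.0.1.11", 5432), ("10.0.1.12", 3306)]


def audit_mirror(packets, endpoints):
    """Return (per-endpoint direction counts, problems, non-DB packet share)."""
    wanted = set(endpoints)
    counts = {ep: {"to_db": 0, "from_db": 0} for ep in endpoints}
    non_db = 0
    for src_ip, src_port, dst_ip, dst_port in packets:
        if (dst_ip, dst_port) in wanted:
            counts[(dst_ip, dst_port)]["to_db"] += 1
        elif (src_ip, src_port) in wanted:
            counts[(src_ip, src_port)]["from_db"] += 1
        else:
            non_db += 1  # traffic the collector must inspect and then ignore
    problems = {}
    for ep, c in counts.items():
        if c["to_db"] == 0 and c["from_db"] == 0:
            problems[ep] = "not mirrored"
        elif c["to_db"] == 0:
            problems[ep] = "responses only"
        elif c["from_db"] == 0:
            problems[ep] = "requests only"
    share = non_db / len(packets) if packets else 0.0
    return counts, problems, share


if __name__ == "__main__":
    counts, problems, share = audit_mirror(SAMPLE_PACKETS, DB_ENDPOINTS)
    for ep in DB_ENDPOINTS:
        print(ep, counts[ep], problems.get(ep, "ok"))
    print(f"non-DB share of mirrored packets: {share:.0%}")
```

An endpoint reported as "requests only" or "responses only" usually means the switch mirrors a single direction of the source port. A high non-DB share suggests narrowing the mirror source on the switch.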

For more information about creating and managing inspection engines, see Configuring inspection engines.