Splunk Lantern

Network switch data

Switches are network intersections, places where packets move from one network segment to another. In their purest form, switches work within a single IP subnet and cannot route Layer 3 packets to another network. Modern data center designs typically use a two-tier switch hierarchy: top-of-rack (ToR) switches connecting servers and storage arrays at the edge, and aggregation or spine switches connecting to the network core. Although Ethernet switches are far more widespread, some organizations also use Fibre Channel or InfiniBand for storage area networks or HPC interconnects, each of which has its own type of switch.

Network switch data refers to the information generated, collected, or processed by network switches, which are devices used to connect and manage communication between devices within a local area network (LAN) or data center. This data provides insights into the status, performance, traffic, and configuration of the switch and its connected devices. 

Data from switches is often accessed via protocols like SNMP, NETCONF, REST APIs, or CLI commands. It is often analyzed by network management systems (NMS), software-defined networking (SDN) controllers, or monitoring tools for tasks like traffic routing, ensuring quality of service (QoS), and maintaining security. Network switch data is integrated into network monitoring tools like Cisco DNA Center, SolarWinds, or open-source platforms like Nagios or Zabbix. 

Network switch data typically includes:

  • Port status data: Data related to the operational status of individual ports on the switch
  • Traffic flow data: Information about the volume and type of traffic passing through the switch
  • MAC address table data: Mapping of MAC addresses to switch ports to determine device connections
  • VLAN configuration data: Data related to Virtual Local Area Networks (VLANs) configured on the switch
  • Spanning tree protocol (STP) data: Information related to the spanning tree protocol, which prevents network loops
  • Quality of service (QoS) data: Data about traffic prioritization and bandwidth management
  • Switch CPU and memory usage data: Information about the performance and resource utilization of the switch
  • Network events and logs: Logs and events generated by the switch for monitoring and troubleshooting
  • Power-over-Ethernet (PoE) data: Data related to powering devices through Ethernet cables
  • Link aggregation data: Data about combined ports (link aggregation) for higher bandwidth or redundancy
  • IPv4/IPv6 routing table data: Information about routing tables and Layer 3 configurations on Layer 3 switches
  • Network security data: Data related to security features and policies on the switch
  • SNMP monitoring data: Data collected via the Simple Network Management Protocol (SNMP) for monitoring
  • Software and firmware version data: Information about the switch's operating system and firmware versions

Switch data, often captured as NetFlow records, is a critical data source for flagging advanced persistent threats, analyzing traffic flows for unusual activity, and identifying potential data exfiltration. As a wire-level data source, switch statistics are almost impossible to spoof and are therefore a crucial source of security data. This data can also be used to correlate users or IP addresses to a physical network location. It must be secured against unauthorized access, as it can reveal sensitive network configurations and traffic patterns.
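The correlation described above (IP address to physical switch port) can be done from two pieces of switch data already named in the list: the MAC address table and the Layer 3 ARP table. The following is an added example, not code from the Splunk Lantern page or from Splunk; it parses constructed, Cisco-IOS-style `show mac address-table` and `show ip arp` output (field layouts differ by vendor, so the regular expressions are assumptions), locates an IP on a port, and additionally flags any MAC learned on more than one port, which operations teams see as MAC flapping and security teams treat as a possible spoofed or duplicated address.

```python
"""Locate an IP on a physical switch port and flag MAC addresses seen on
multiple ports. Added example; the CLI output below is constructed and the
regular expressions assume a Cisco-IOS-like layout."""
import re
from collections import defaultdict

# Constructed sample: MAC address table as a switch CLI would print it.
# The last MAC deliberately appears on two ports to exercise the flapping check.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  20    00aa.bbcc.dd01    DYNAMIC     Gi1/0/7
  20    00aa.bbcc.dd01    DYNAMIC     Gi1/0/9
"""

# Constructed sample: ARP table (IP -> MAC) from a Layer 3 switch.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.10.21              5   0011.2233.4455  ARPA   Vlan10
Internet  10.0.10.22             12   0011.2233.4466  ARPA   Vlan10
Internet  10.0.20.5               1   00aa.bbcc.dd01  ARPA   Vlan20
"""

DOTTED_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# vlan, mac, type, port  (header and separator lines do not match)
MAC_RE = re.compile(r"^\s*(\d+)\s+(" + DOTTED_MAC + r")\s+\S+\s+(\S+)\s*$", re.I)
# "Internet", ip, age, mac  (age may be a number or "-")
ARP_RE = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+(" + DOTTED_MAC + r")", re.I)


def parse_mac_table(text):
    """Return {mac: {(vlan, port), ...}} from 'show mac address-table' output."""
    learned = defaultdict(set)
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            vlan, mac, port = m.groups()
            learned[mac.lower()].add((int(vlan), port))
    return dict(learned)


def parse_arp_table(text):
    """Return {ip: mac} from 'show ip arp' output."""
    arp = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, mac = m.groups()
            arp[ip] = mac.lower()
    return arp


def locate_ip(ip, arp, macs):
    """Return the sorted (vlan, port) pairs where the IP's MAC was learned,
    or [] when the IP is not in the ARP table or its MAC was never learned."""
    mac = arp.get(ip)
    if mac is None:
        return []
    return sorted(macs.get(mac, set()))


def flapping_macs(macs):
    """MACs learned on more than one port. On an access switch this usually
    means a loop, a misconfigured uplink, or a duplicated/spoofed address."""
    return {mac: sorted(ports) for mac, ports in macs.items() if len(ports) > 1}


if __name__ == "__main__":
    macs = parse_mac_table(MAC_TABLE)
    arp = parse_arp_table(ARP_TABLE)
    for ip in ("10.0.10.21", "10.0.20.5", "10.0.99.9"):
        print(ip, "->", locate_ip(ip, arp, macs) or "not found")
    for mac, ports in flapping_macs(macs).items():
        print("MAC seen on multiple ports:", mac, ports)
```

In production the two tables would be pulled on a schedule (SNMP, NETCONF, or a CLI collector) and indexed, so the same lookup can be run as a search rather than a script; the parsing logic is the part that changes per vendor.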

Operations teams use switch logs to see the state of traffic flow, such as source and destination, class of service, and causes of congestion. Logs can also show traffic statistics in the aggregate, by port, and by client, and whether particular ports are congested, failing, or down.

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: