Network Critical - The Window to your Network

TAPs and Packet Brokers (What’s the Difference?)

Let’s start with a little history. TAPs were originally designed as a tool to connect diagnostic equipment - like a sniffer - when a problem was reported on a link, hence the acronym, Test Access Point. A TAP was connected to the link between a switch and router and made a mirror copy of all the traffic that flowed between the two endpoints while the actual live traffic continued to pass through the network. When the problem was discovered, the TAP was put back in the closet until the next problem.

As digital networks got bigger and more complex, a need arose for TAPs to be permanently connected to links, providing constant visibility to traffic on all links. The permanency of these new TAPs required fail-safe technology to keep the network traffic flowing if power was lost, and a design to provide visibility to all link connections. Many networks were simply connecting multiple single-link TAPs to meet expanded TAP requirements. Network Critical engineers came up with a unique 1U design that would provide fail-safe protection, modular flexibility to connect multiple copper or optical links, AC or DC power for all modules and a Graphical User Interface (GUI) for easy deployment and management. That was about a decade ago.

Fast forward to 2017. TAPs have continued to add features for convenience, security and efficiency. These new TAPs are being called intelligent TAPs as a result of their ever-expanding functionality. Here are some of the newer features provided by intelligent TAPs:

- AGGREGATION - This feature allows the aggregation of multiple network data streams (input ports) to a single data stream (output port) connected to the diagnostic tool. This is a cost saving feature, allowing a single tool to provide information about many links.
- REGENERATION - This is the reverse of aggregation. The input from a single network connection (input) is regenerated multiple times and sent (output) to multiple diagnostic tools. Regeneration delivers visibility from the same data stream to many specialized diagnostic tools. 
- FILTERING - The filtering feature allows the network manager to provide only relevant data to the diagnostic tool. If the tool is working on an HTTP traffic problem, filtering capability will eliminate all other data from the stream and provide only HTTP traffic to the tool.
- BYPASS - Initially, TAPs sent a mirror copy of the data stream to a tool for analysis and reporting. An increase in the use of TAPs with security appliances has made it necessary to connect TAPs in-line, so the security appliances can send packets back into the network to block attacks or isolate malicious traffic in real time. When connected in-line, TAPs need to be able to bypass the appliance if it goes offline for any reason. Bypass allows the network data to keep flowing and increases reliability and availability while providing security visibility and control of information flow.

Even with all this new technology, the primary function of TAPs remains the same: to safely connect tools and appliances to network links.

Packet Brokers
As networks become increasingly more complex, the visibility requirements are also growing. New network architectures such as cloud, private cloud and hybrid-cloud are requiring the connection of more specialized diagnostic and management tools. Malicious attacks and persistent cyber threats are causing rapid growth in specialized network protection appliances. Thus, the market for diagnostic tools and security appliances has expanded dramatically over the last few years and shows no sign of slowing.

The problem is how to efficiently and economically provide relevant visibility to all of these appliances at ever increasing speeds and varying physical media, without compromising network availability and reliability. The relatively new Network Packet Broker (NPB) is the perfect tool to solve this problem.

Note that a Network Packet Broker is not just a big TAP. While some NPBs include ports with TAP protections at lower speeds of 1G or below, Network Packet Brokers generally should not be thought of as TAPs. Here are some of the primary functions of NPBs that differentiate them from TAPs:

- NPBs are designed for more complex deployments, usually combining copper and optical media, 1Gbps/10Gbps/25Gbps/100Gbps speeds and a variety of diagnostic, performance and security appliance connections.
- Load Balancing - This feature allows the input of a high speed connection to be distributed among multiple lower speed appliances. This allows legacy appliances to be used with newer high speed links.
- Ethernet Packet Slicing and Masking - Slicing allows packet manipulation so the device only sends relevant data to the appliance, allowing faster, more efficient processing by the appliance. The Masking feature allows confidential payload information to be eliminated from the analysis or archiving. These features are critical functions to meet government and industry privacy compliance requirements.
- Traffic Processing from Multiple Sources - NPBs can take input traffic from SPAN ports, TAPs, bypass TAP pass-through as well as other NPBs. The “Broker” in Network Packet Broker refers to its ability to combine, integrate, separate, manipulate and process inputs from many sources, delivering the data to a wide variety of appliance and tool destinations.
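To make the TAP features above (aggregation of several inputs, filtering to one protocol) and the NPB features in this list (load balancing, slicing, masking) concrete, here is an added example of a toy software packet broker. It is not Network Critical's code or any product's implementation; it assumes IPv4 over Ethernet with TCP only, identifies "HTTP" simply as TCP port 80, and builds its own constructed test frames with zeroed checksums. The load balancer uses a symmetric 5-tuple hash so both directions of a connection reach the same tool, which is the property a session-aware security appliance needs when a 100G link is spread across several lower-speed boxes.

```python
"""Toy packet broker: aggregate, filter, load-balance, slice and mask.

Added example, not the vendor's code. Assumes Ethernet/IPv4/TCP and
treats TCP port 80 as HTTP. Frames are constructed in build_frame().
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

ETH_HDR = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


@dataclass
class Flow:
    src_ip: bytes
    dst_ip: bytes
    src_port: int
    dst_port: int
    proto: int
    payload_offset: int  # byte offset where the TCP payload starts


def parse(frame: bytes) -> Optional[Flow]:
    """Parse Ethernet/IPv4/TCP headers; return None for anything else."""
    if len(frame) < ETH_HDR + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ip[9] != PROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4         # TCP data offset in bytes
    return Flow(ip[12:16], ip[16:20], sport, dport, PROTO_TCP, ETH_HDR + ihl + doff)


def is_http(flow: Flow) -> bool:
    """Filtering rule: keep only traffic to or from TCP port 80 (assumption)."""
    return 80 in (flow.src_port, flow.dst_port)


def tool_port(flow: Flow, n_tools: int) -> int:
    """Load balancing: symmetric 5-tuple hash, so A->B and B->A pick the same tool."""
    lo, hi = sorted([(flow.src_ip, flow.src_port), (flow.dst_ip, flow.dst_port)])
    key = lo[0] + hi[0] + struct.pack("!HHB", lo[1], hi[1], flow.proto)
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_tools


def slice_packet(frame: bytes, flow: Flow, extra: int = 0) -> bytes:
    """Slicing: keep headers plus `extra` payload bytes, drop the rest."""
    return frame[: flow.payload_offset + extra]


def mask_payload(frame: bytes, flow: Flow, fill: int = 0x00) -> bytes:
    """Masking: keep packet length but overwrite the payload so content never reaches the tool."""
    return frame[: flow.payload_offset] + bytes([fill]) * (len(frame) - flow.payload_offset)


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test frame (checksums left zero; not a real capture)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0, 0, 0)
    return eth + ip + tcp + payload


def broker(frames: List[bytes], n_tools: int, snaplen_extra: int = 0) -> List[dict]:
    """Aggregate all input frames, filter to HTTP, pick a tool, slice and mask."""
    out = []
    for f in frames:
        flow = parse(f)
        if flow is None or not is_http(flow):
            continue  # non-IPv4/TCP or non-HTTP: filtered out of the tool stream
        out.append({
            "tool": tool_port(flow, n_tools),
            "sliced": slice_packet(f, flow, snaplen_extra),
            "masked": mask_payload(f, flow),
        })
    return out


if __name__ == "__main__":
    req = build_frame("10.0.0.5", "192.0.2.10", 51000, 80, b"GET / HTTP/1.1\r\n\r\n")
    rsp = build_frame("192.0.2.10", "10.0.0.5", 80, 51000, b"HTTP/1.1 200 OK\r\n\r\nsecret")
    for rec in broker([req, rsp], n_tools=4):
        print(rec["tool"], len(rec["sliced"]), rec["masked"][54:])
```

In a real NPB the filter would be a port-level rule set and the hash would run in hardware, but the observable behaviour is the same: the two directions of one connection always reach the same appliance, a sliced copy carries only headers, and a masked copy preserves length and timing for performance tools without exposing payload.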

Combination TAP/Packet Broker
Now that we have discussed the differences between TAPs and Packet Brokers, we can look at how a combination TAP/NPB unit can provide the protection of a TAP and the advanced features of an NPB in a single modular unit. Integrating the two functions into a single modular 1RU chassis can save on rack space, power and capital cost.

The chassis/module architecture allows for a variety of modules to be integrated into a single chassis. An integrated chassis can accept TAP modules, providing the necessary network fail-safe functionality. It can also accept modules that provide features such as load balancing, packet manipulation and higher speed inputs up to 100Gbps. Copper and fiber inputs can be aggregated, processed and distributed via a high-speed common backplane.

While TAPs can provide some NPB functions and some NPBs have integrated TAP modules, the two are generally designed for different but complementary applications. A good rule of thumb, particularly in larger and more complex networks, is to use TAPs to bring network data into NPBs. A good understanding of TAP and Packet Broker functionality provides the foundation for a sound network visibility plan. Plan tool connectivity and visibility in harmony with a monitoring and security plan to avoid last minute problems that can cause outages and vulnerabilities.

More information on TAPs and Network Packet Brokers can be found at

Posted: 27/11/2017 14:07:37 by Network Critical with 0 comments