Most enterprise security architectures are built around a perimeter model. Firewalls, intrusion prevention systems, and threat detection tools sit at the edge, scrutinizing traffic as it enters and leaves the network. That approach made sense when the majority of threats came from outside. It doesn't hold up nearly as well when attackers are already inside.
East-west traffic (server-to-server and workload-to-workload communication moving laterally across your network) now accounts for the majority of data center traffic in most organizations. When a threat actor gains an initial foothold, whether through phishing, a compromised credential, or a vulnerable endpoint, their next moves happen in this east-west space. They explore, escalate privileges, move toward high-value targets, and exfiltrate data, often for weeks or months before detection. If your monitoring tools can't see this lateral traffic, they can't detect these moves.
SPAN ports are the most commonly deployed method for feeding traffic to security and monitoring tools, but they have fundamental limitations that make east-west visibility particularly difficult to achieve. Network TAPs combined with intelligent network packet brokers offer a more reliable architecture for capturing the lateral traffic your security tools depend on. This article explains why SPAN ports fall short for east-west monitoring, and what a TAP-based approach looks like in practice.
In networking, north-south traffic refers to data moving between internal systems and external networks. This is the traffic that crosses your perimeter: a user accessing a cloud application, an API call to an external service, or an attacker's initial intrusion attempt.
East-west traffic moves differently. It flows laterally within the data center or across network segments, between servers, virtual machines, containers, databases, and applications. In a modern enterprise data center, east-west traffic typically dwarfs north-south traffic in volume. Applications communicate with databases, microservices call other microservices, authentication systems handle internal requests, and storage systems respond to workloads, all without ever touching the network perimeter.
Once inside a network, attackers rely heavily on east-west movement to achieve their objectives. The initial compromise is rarely the end goal. Instead, attackers use their initial foothold to reach more valuable systems.
Common east-west attack techniques include:
Each of these activities generates network traffic. With proper east-west visibility, your security tools can detect these patterns. Without it, they're invisible.
The longer an attacker remains undetected inside a network, the more damage they can cause. Industry research consistently shows that the average time between initial compromise and detection is measured in days or weeks rather than hours. Much of this dwell time is spent in the east-west space, moving carefully between systems, gathering information, and preparing for the final stage of the attack.
The core reason dwell times remain long is that security tools simply don't have access to the east-west traffic feeds they need to detect these behaviors. Fixing that monitoring gap is the starting point for reducing detection time.
A SPAN (Switched Port Analyzer) port, sometimes called a mirror port, is a software-configured feature on a managed network switch. When you configure a SPAN session, the switch copies traffic from one or more source ports or VLANs and forwards those copies to a designated destination port where your monitoring tool connects.
SPAN ports are built into most enterprise switches and require no additional hardware, which explains their widespread use. When budgets are tight or deployments are rushed, they're often the path of least resistance for connecting tools to network traffic.
The problem is that SPAN ports are a secondary function of a device whose primary job is switching traffic as fast as possible. When the switch is under load, SPAN suffers.
Key limitations include:
For perimeter monitoring, SPAN limitations are inconvenient. For east-west monitoring, they're often insurmountable. Here's why:
East-west traffic travels between many different switch ports and across many different switches. Capturing it comprehensively with SPAN requires configuring sessions on every relevant switch, managing those configurations consistently, and ensuring no sessions conflict with each other.
In a typical data center, this means:
Even when SPAN configurations are correct, the packet-dropping behavior under load means your security tools see a filtered, incomplete view of lateral traffic. The gaps in that visibility are exactly where attackers can operate undetected.
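One way to measure the gap described here from the feed itself is to look for TCP acknowledgements that cover bytes the monitoring tool never received (the condition Wireshark flags as an ACKed unseen segment). This is an added example with constructed records, not code from the article; the record layout and the assumption that both directions of the flow are mirrored to the same tool are mine.

```python
"""Estimate silent capture loss on a SPAN/mirror feed by finding TCP ACKs that
acknowledge payload the tool never saw. Simplified: no sequence-number
wraparound handling; ack == 0 means the ACK flag was not set."""
from collections import defaultdict

# Constructed sample of what a tool received from an oversubscribed SPAN port.
# Record layout (assumed): (src, sport, dst, dport, seq, payload_len, ack)
CAPTURED = [
    ("10.0.1.5", 51000, "10.0.2.9", 445, 1000, 500, 0),     # data 1000-1499
    ("10.0.2.9", 445, "10.0.1.5", 51000, 7000, 0, 1500),    # ACK 1500: consistent
    ("10.0.1.5", 51000, "10.0.2.9", 445, 1500, 500, 7000),  # data 1500-1999
    # the segments carrying bytes 2000-2999 were dropped by the switch
    ("10.0.2.9", 445, "10.0.1.5", 51000, 7000, 0, 3000),    # ACK 3000: 1000 bytes unseen
    ("10.0.1.5", 51000, "10.0.2.9", 445, 3000, 200, 7000),  # data 3000-3199
]

def acked_unseen_bytes(records):
    """Return {(src, sport, dst, dport): bytes} for each data direction whose
    peer acknowledged more payload than the capture contains."""
    highest_seen = defaultdict(int)   # data direction -> highest seq end captured
    unseen = defaultdict(int)
    for src, sport, dst, dport, seq, plen, ack in records:
        fwd = (src, sport, dst, dport)
        if plen:
            # max() keeps retransmissions (seq below highest) from lowering the mark
            highest_seen[fwd] = max(highest_seen[fwd], seq + plen)
        if ack:
            rev = (dst, dport, src, sport)    # the ACK covers the opposite direction
            seen_end = highest_seen[rev]
            if seen_end and ack > seen_end:   # skip handshake ACKs before any data
                unseen[rev] += ack - seen_end
                highest_seen[rev] = ack       # count each gap only once
    return dict(unseen)

def capture_loss_ratio(records):
    """Fraction of payload bytes the tools should have seen but did not."""
    seen = sum(r[5] for r in records)
    missing = sum(acked_unseen_bytes(records).values())
    total = seen + missing
    return missing / total if total else 0.0
```

A non-zero ratio on a SPAN feed is a direct measurement of the blind spot, and trending it against switch load shows whether the loss is congestion-driven.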
A network test access point (TAP) takes a fundamentally different approach to traffic capture. Rather than relying on switch software to copy packets, a TAP operates at the physical layer. It sits inline on the network link, passively copies every bit that passes through, and sends those copies to monitoring ports.
Passive fiber TAPs use optical splitting to divert a portion of the light signal to monitoring ports. They require no power, introduce no latency, and have no software that can drop packets. What goes through the link goes to your monitoring tools, every time, without exception.
Ethernet TAPs use hardware-level signal regeneration to deliver the same guaranteed capture capability on copper connections, with active electronics that maintain signal integrity without interfering with live traffic.
TAPs capture traffic at the physical layer before any switch processing occurs. This means they see:
Achieving east-west visibility isn't just about capturing traffic; it's about doing something useful with it. In a data center environment with extensive server-to-server communication, the raw volume of east-west traffic can overwhelm monitoring tools that were sized for north-south visibility only.
A single 10G link running at capacity generates far more data than most security tools can process continuously. Multiply that across the dozens or hundreds of inter-switch and server uplinks in a modern data center, and the challenge becomes clear. You need a way to intelligently manage which traffic goes to which tools.
This is where network packet brokers become critical.
A packet broker sits between your TAPs and your monitoring tools. It receives traffic from multiple TAP feed points, applies intelligent processing, and distributes the right traffic to the right tools.
For east-west monitoring specifically, packet brokers provide several essential capabilities:
The recommended architecture for east-west monitoring combines TAPs and packet brokers in a tiered structure:
This architecture scales as your network grows. Adding a new server cluster means deploying TAPs on the relevant uplinks and updating packet broker policies, without reconfiguring switch software across the environment.
Not every link in a data center needs a TAP for effective east-west monitoring. Strategic placement delivers comprehensive coverage without unnecessary infrastructure cost.
The highest-value TAP points for east-west monitoring include:
Different TAP types suit different physical environments within the data center:
Security tools dramatically improve their detection capability when they have complete access to east-west traffic feeds. With a TAP-based architecture feeding a packet broker, your existing security investments can do significantly more.
Detection capabilities that depend on east-west visibility include:
When an incident does occur, the quality of your investigation depends entirely on the quality of your traffic records. SPAN-based monitoring leaves gaps in packet capture. TAP-based monitoring, fed through a packet broker to a packet capture appliance, provides a complete and legally defensible record of network activity.
Forensic teams can reconstruct exactly what happened, trace the attacker's path through the network, identify all affected systems, and establish timelines that support both incident response and any subsequent legal or compliance proceedings. That capability is only possible when you've captured traffic completely from the start.
This assumption underestimates how much lateral movement can occur without generating north-south traffic. An attacker who compromises an internal server and moves to adjacent systems using legitimate protocols may never communicate with external infrastructure at all during the lateral phase of the attack. North-south monitoring simply won't see it.
SPAN ports work acceptably for low-priority monitoring tasks on lightly loaded links. For security monitoring in production data center environments, where packet drops under load are unacceptable and attack traffic is most likely to occur during high-traffic periods, the fundamental limitations of SPAN are a genuine security risk rather than a minor inconvenience.
This is a challenge, not a barrier. A well-designed packet broker architecture with intelligent filtering, deduplication, and load balancing makes east-west monitoring tractable even in high-traffic data centers. Tools receive only the traffic they're designed to process, avoiding the oversubscription problem that makes unmanaged east-west monitoring impractical.
The answer depends on your network topology. Start with TAPs on your highest-value links: core switch interconnects, distribution uplinks, and critical server segment connections. A packet broker with aggregation capability means you don't need a TAP on every single link. Strategic placement at key choke points, where multiple traffic flows converge, gives you broad coverage with a manageable number of devices.
Passive fiber TAPs introduce no latency and require no network processing, so they have zero performance impact on fiber links. Active Ethernet TAPs add nanoseconds of latency, which is imperceptible in any real-world application. Neither type requires switch configuration changes, so there's no risk of disrupting switch operation during deployment.
Yes. In practice, many organizations use a combination. TAPs handle high-priority links and critical segments where reliable capture matters most. SPAN ports may remain in use for lower-priority monitoring tasks or on links where deploying physical TAPs isn't practical. A packet broker can aggregate inputs from both sources, normalizing the traffic before distribution to tools.
The packet broker receives simultaneous feeds from all connected TAPs. You configure policies that define how traffic from each input is processed and where it's sent. Aggregation combines multiple feeds into unified streams. Filtering rules apply to each flow. Deduplication removes redundant packets before forwarding. Drag-n-Vu, Network Critical's management interface, provides a visual configuration environment that simplifies policy management across complex multi-TAP deployments.
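The processing chain described in this answer and in the packet broker section above, as an added toy model (not Network Critical's software or the Drag-n-Vu policy format): merge feeds from several tap points, deduplicate a packet that was tapped on two links, filter a traffic class, and hash a direction-independent flow key so both sides of a session reach the same tool. The field names, the sample feeds and the iSCSI filter are constructed.

```python
"""Toy model of the broker pipeline: aggregate TAP feeds, deduplicate packets
seen on more than one tapped link, filter, then load-balance to tool ports
with symmetric flow affinity. Constructed data; not a vendor API."""
import hashlib
from collections import defaultdict

def packet_key(pkt):
    # Dedup identity: addressing + IP ID + payload digest. TTL and ingress
    # port are deliberately excluded since they differ between tap points.
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"],
            pkt["ip_id"], hashlib.sha256(pkt["payload"]).hexdigest())

def flow_key(pkt):
    # Direction-independent 5-tuple so both halves of a session hit one tool.
    lo, hi = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"],) + lo + hi

def broker(feeds, tool_ports, drop_filter, dedup_window):
    """feeds: {tap_name: [pkt, ...]}. Returns ({tool_port: [pkt, ...]}, stats)."""
    first_seen = {}  # packet_key -> ts (unbounded here; a real broker ages entries out)
    out, stats = defaultdict(list), {"in": 0, "deduped": 0, "filtered": 0, "out": 0}
    for pkt in sorted((p for ps in feeds.values() for p in ps), key=lambda p: p["ts"]):
        stats["in"] += 1
        k = packet_key(pkt)
        if k in first_seen and pkt["ts"] - first_seen[k] <= dedup_window:
            stats["deduped"] += 1          # second copy of a packet from another TAP
            continue
        first_seen[k] = pkt["ts"]
        if drop_filter(pkt):
            stats["filtered"] += 1         # traffic this tool group need not inspect
            continue
        h = int(hashlib.sha256(repr(flow_key(pkt)).encode()).hexdigest(), 16)
        out[tool_ports[h % len(tool_ports)]].append(pkt)   # deterministic split
        stats["out"] += 1
    return dict(out), stats

def mk(ts, src, sport, dst, dport, ip_id, payload, proto=6):
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "ip_id": ip_id, "payload": payload}

# Constructed feeds: the DB query is tapped on both the core interconnect and
# a distribution uplink; the reply only on the core; iSCSI is to be filtered out.
SAMPLE_FEEDS = {
    "core-a": [mk(1.0000, "10.0.1.5", 51000, "10.0.2.9", 3306, 101, b"SELECT 1"),
               mk(1.0010, "10.0.2.9", 3306, "10.0.1.5", 51000, 7, b"\x01row"),
               mk(1.0020, "10.0.3.2", 49000, "10.0.4.8", 3260, 55, b"block")],
    "dist-1": [mk(1.0002, "10.0.1.5", 51000, "10.0.2.9", 3306, 101, b"SELECT 1")],
}
TOOL_PORTS = ["ids-1", "ids-2"]
ISCSI_FILTER = lambda p: 3260 in (p["sport"], p["dport"])
```

Running `broker(SAMPLE_FEEDS, TOOL_PORTS, ISCSI_FILTER, 0.005)` delivers two packets to a single tool port and reports one duplicate and one filtered packet.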
Building east-west visibility requires the right physical infrastructure from the start. SPAN ports can't reliably provide the complete, consistent traffic feeds that security tools need for effective lateral threat detection. TAP-based architectures, managed through intelligent packet brokers, give you the foundation for genuinely comprehensive internal monitoring.
Network Critical has been designing and manufacturing network visibility solutions since 1997, helping enterprises across financial services, healthcare, government, and technology sectors achieve complete traffic visibility. Our network TAPs deliver guaranteed packet capture across speeds from 1G to 400G, with passive fiber options for high-speed links and active Ethernet solutions for copper environments.
Our SmartNA-XL combines TAP and packet broker functionality in a compact 1RU chassis, providing aggregation, filtering, deduplication, and load balancing to make east-west monitoring practical even in high-traffic environments. The SmartNA-PortPlus scales to 194 ports of 1G–100G visibility for larger data centers with more extensive east-west monitoring requirements. Whether you're addressing a specific blind spot or designing a complete east-west visibility architecture from the ground up, our team can help you build a solution that delivers the traffic coverage your security tools need.