Making the right choice for your network strategy
Introduction
The first step in network analysis is to obtain actionable data in a reliable and secure manner. Test access points (TAPs) and switch port analyzers (SPAN) are the two principal methods for gaining access to network traffic. What is the difference between them, and when should one be used over the other?
The analysis is only as good as the data being fed into the tool, so any discussion of network analysis must start with the foundational question: "How do we access the network data so that the analysis appliance sees 100% complete and relevant traffic?" In today's compliance era this takes on added significance, as IT managers struggle to keep up with reporting and security regulations while managing an increasingly diverse IT infrastructure. Meanwhile, cyberthreats are becoming increasingly sophisticated. Network visibility is therefore crucial for network monitoring, management, and security.
How do TAP and SPAN technologies work?
A TAP, also called an Ethernet or network TAP, is a simple device that makes an exact copy of all of the traffic that flows between two endpoints on a link (see figure 1). TAPs are favored because they operate independently of the network devices they monitor and can be configured without changing those devices. The copied traffic from the TAP can then undergo further packet manipulation as it is delivered to various network tools, such as security and performance tools.
All of this happens while the live traffic continues to pass through the link undisturbed. Because a TAP copies at the physical layer, every packet, regardless of size or errors, is copied; when each direction of the link is given its own monitor port, oversubscription of the monitor side is impossible. Once the data is copied, it can be used for monitoring, security, and analytics. As a result, network TAPs are an essential part of any network visibility solution.
A SPAN port (sometimes called a mirror port), on the other hand, is a software feature built into a switch or router that replicates, or mirrors, packets inside the switch and directs them to a monitor port where the analysis appliance is connected. SPAN works well in low-bandwidth applications where throughput is well below switch and port capacity. However, because a SPAN session copies both directions of a full-duplex link, a fully loaded 1Gbps link produces up to 2Gbps of mirrored traffic, oversubscribing a 1Gbps monitor port. Note also that SPAN traffic is the lowest-priority traffic in the switch, so everything beyond the monitor port's 1Gbps is dropped (see figure 2). Because there is no provision for intelligent filtering or load balancing, the drops are effectively random, and the analysis appliance receives an unreliable picture of the traffic.
The top priority for a switch is, of course, to forward production traffic. Therefore, as the switch approaches capacity, packets destined for the SPAN port are the first to be dropped. This is the critical weakness: exactly when traffic analysis is needed most (packets overrunning switch capacity), the SPAN port stops providing accurate information.
Even in low-utilization environments, certain packets, such as undersized (runt) frames and frames with CRC errors, are discarded by the switch before mirroring and never reach the SPAN port. If the analysis requires 100% of packets to be delivered to the appliance, SPAN cannot guarantee that accuracy. In an era of mandatory legal compliance in many industries, it is important to be able to document 100% capture with no packet manipulation.
Historically, analysis was primarily a troubleshooting tool. In today’s high-speed, networked environment, analysis can take on many new functions such as policy management, security, legal compliance, application performance monitoring, quality of service, customer experience management, policy enforcement, and more. As a result of this broad spectrum of analytical applications, there are many specialized appliances that require access to the same data. This often requires more physical connections than SPAN can deliver.
The benefits of a TAP
Unlike SPAN ports, TAPs offer several modes of operation, allowing for in-line as well as out-of-band use; operational characteristics are covered in more detail later. It is important to note that TAPs do not analyze packets, change packet timing, or otherwise alter or interfere with network traffic. To the network, a TAP looks like a piece of wire. If a copper TAP loses power, a fail-safe relay maintains traffic flow; a passive optical TAP needs no power at all. TAPs are independent of the network endpoints that make up a link. There are many points in the network where TAPs can be inserted, offering access for a variety of analysis, compliance, and security tools. Typical tapping points for analysis applications include:
• Between router and firewall for protocol analysis, bandwidth monitoring, traffic trending, and packet analysis
• Inside the firewall for LAN analysis, session monitoring, and intrusion prevention
• Between LAN switches for subnet monitoring or departmental monitoring
• Between LAN switches and access points for user access control, VoIP monitoring or workstation monitoring
• Between network endpoints providing visibility to security devices
TAP Operational Environment
TAPs also provide flexibility in how they pass traffic to the monitor ports. There are four modes of operation:
Breakout – A breakout TAP operates as shown in Figure 3. The two directions of traffic are broken out onto two separate output (monitor) ports, so each direction reaches its own monitor port at full wire speed. For example, if each direction runs at a full 1Gbps, the total duplex traffic is 2Gbps; to avoid oversubscribing a single monitor port, this mode uses two 1Gbps output ports to connect to the analysis appliance, which must be able to capture on both and correlate them. Because a monitor port never carries more than one direction of one link, no packet can be dropped on the TAP side.
Aggregation – For applications with lower throughput, a TAP can aggregate both directions of the traffic, or several links, and send the frames to a single monitor port. This mode can reduce port costs on probes and other analysis appliances by making efficient use of expensive analyzer ports. Depending on link throughput, aggregation can provide appliance savings of up to 8:1, for example by aggregating multiple 1G links onto a single 10G output. Aggregation can also consolidate traffic from lightly used 1G links onto an available 1G output port. The caveat is the same one that limits SPAN: the combined full-duplex load of the aggregated links must stay within the output port's line rate, or frames will be dropped at the output.
Regeneration – As mentioned above, there are often requirements for specialized analysis using a variety of appliances. Regeneration mode allows the same data stream to be sent to two or more monitor ports.
In-Line or Virtual-In-Line (V-Line) – This is sometimes called bypass tapping. In this mode, the live network traffic passes through the analysis device in real time and then back to the TAP. It is used primarily with security appliances that must see and act on live traffic as it passes through the network, such as an IPS or DLP system. The TAP continuously monitors the appliance for a heartbeat and bypasses it if the appliance goes down. This bypass feature allows in-line appliances to be connected without the risk of taking down the network because of a software fault or power loss in the appliance. Note that while the appliance is bypassed the link is carried but no longer inspected, so a bypass event should raise an alert.
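A worked capacity check for the SPAN oversubscription described under "How do TAP and SPAN technologies work?" and for the breakout and aggregation modes above. This is an added example, not code from the white paper or from any vendor product; the link names, line rates and utilization figures are constructed, and the model simply treats anything above a port's line rate as dropped (a real switch also de-prioritizes SPAN copies, so actual loss is at least what the model reports):

```python
"""Monitor-side capacity check: SPAN session vs. TAP breakout vs. TAP aggregation.

Added example, not taken from the original white paper. Link names, rates
and utilization figures are constructed for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    rate_gbps: float   # line rate of ONE direction (1.0 for a 1 Gbps link)
    util_ab: float     # utilization 0..1 of the A->B direction
    util_ba: float     # utilization 0..1 of the B->A direction

    def __post_init__(self):
        for u in (self.util_ab, self.util_ba):
            if not 0.0 <= u <= 1.0:
                raise ValueError("utilization must be between 0 and 1")

    def offered_gbps(self) -> float:
        """Load a full-duplex copy must carry: both directions added together."""
        return self.rate_gbps * (self.util_ab + self.util_ba)


def span_session(links, monitor_port_gbps):
    """A SPAN/mirror session folds both directions of every source link onto
    one destination port. Returns (offered_gbps, dropped_fraction), where
    dropped_fraction is the share of mirrored traffic exceeding the port rate."""
    offered = sum(l.offered_gbps() for l in links)
    if offered <= monitor_port_gbps:
        return offered, 0.0
    return offered, (offered - monitor_port_gbps) / offered


def breakout_tap(link):
    """Breakout mode: each direction gets its own monitor port at the link's
    line rate, so a port never carries more than one direction can send.
    Returns {direction: (offered_gbps, port_gbps)}."""
    return {
        "A->B": (link.rate_gbps * link.util_ab, link.rate_gbps),
        "B->A": (link.rate_gbps * link.util_ba, link.rate_gbps),
    }


def aggregation_tap(links, output_port_gbps):
    """Aggregation mode: both directions of several links share one output
    port. The TAP still copies every frame; the only question is whether the
    output port is big enough. Returns (offered_gbps, fits)."""
    offered = sum(l.offered_gbps() for l in links)
    return offered, offered <= output_port_gbps


def max_aggregation_ratio(link_rate_gbps, util_ab, util_ba, output_port_gbps):
    """How many identical links can share one output port without
    oversubscribing it at the given per-direction utilization."""
    per_link = link_rate_gbps * (util_ab + util_ba)
    if per_link == 0:
        raise ValueError("links carry no traffic; the ratio is unbounded")
    return math.floor(output_port_gbps / per_link)


if __name__ == "__main__":
    uplink = Link("core-uplink", 1.0, 1.0, 1.0)  # constructed: saturated both ways
    print("SPAN of a saturated 1G link onto a 1G port:", span_session([uplink], 1.0))
    print("Breakout TAP on the same link:", breakout_tap(uplink))
    floors = [Link(f"floor-{i}", 1.0, 0.5, 0.5) for i in range(8)]  # constructed
    print("8 x 1G at 50%/50% aggregated onto 10G:", aggregation_tap(floors, 10.0))
    busy = [Link(f"floor-{i}", 1.0, 0.75, 0.75) for i in range(8)]  # constructed
    print("8 x 1G at 75%/75% aggregated onto 10G:", aggregation_tap(busy, 10.0))
    print("1G links at 75%/75%: max links per 10G output:",
          max_aggregation_ratio(1.0, 0.75, 0.75, 10.0))
```

Run as a script, the first two lines show the half-of-everything loss a saturated full-duplex link suffers on a 1G SPAN port and the zero loss of the breakout TAP on the same link. The last three calls make the aggregation caveat explicit: eight 1G links fit a 10G output at 50% utilization per direction, but at 75% per direction only six do, so the 8:1 figure is a ceiling that depends on the measured load, not a property of the TAP.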
Because of a TAP's independence from the network endpoints, it copies 100% of the data to the monitor port. Physical-layer errors, CRC-errored frames, short frames, and other packets that would be filtered out of a SPAN session are all passed through a TAP to the monitor port(s). This gives the IT manager a legally defensible, unaltered data stream for analysis and reporting: a TAP provides access to all of the data, all of the time.
TAP Types
TAPs are available for both copper and optical fiber links and each has unique operational characteristics. Below are some of the unique characteristics of each:
Copper Taps
Copper TAPs are used for link speeds from 10Mbps up to 1Gbps. They require power, because a 1000BASE-T link cannot be split passively: the TAP terminates and regenerates the signal on each side. Being active, they can also offer value-added features such as aggregation and regeneration, and some act as a transition from copper inputs to fiber outputs. As mentioned above, copper TAPs are equipped with fast relays that close in the event of a power failure, maintaining network continuity. If an endpoint fails, however, the TAP passes the link-down condition through to the device at the other end. This allows that device to behave as it would in a normal failure and to renegotiate with the endpoint when normal operation resumes.
There are also security features built into copper TAP ports. Because these TAPs are connected to the network and see all of its traffic, access to the TAP can be password protected. Unused ports can be locked out so that an unauthorized person cannot plug a probe into a spare port and capture network traffic. If a port connection is manually disconnected or unplugged, the port becomes disabled until an administrator with the correct password level re-enables it.
Fiber Taps
There are two ways to use TAPs with fiber links. Active TAPs provide all the value-added features described in the copper TAP section, while passive optical TAPs simply tap a fiber link and deliver the copied traffic to an optical interface on an appliance. Some active TAPs provide integrated optical-to-electrical conversion so that fiber ports can reach a backplane and feed copper output ports. This is helpful for added features and in cases where fiber links need to feed appliances with copper input ports. Passive optical TAPs provide very small form factor access to fiber links with built-in fail-safe behaviour, because they require no power. The copy of the network data is made by splitting the light on the incoming network connection. The splitter can divert anywhere from 10% to 90% of the incoming light to an appliance such as a probe or other network tool; the light that is not split off stays in the network and carries the packets undisturbed. The split ratio must be chosen against the link's optical power budget: each leg of the splitter costs 10·log10(1/share) dB, so a 70/30 split costs the network leg about 1.5 dB and the monitor leg about 5.2 dB. When determining the split ratio it is important to plan ahead and look at factors such as the length of the fiber and the speed of the link, since receiver sensitivity and attenuation both depend on them. Standard power-budget formulas exist to determine the split ratio for best performance.
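The split-ratio calculation the paragraph above refers to, as an added example; this is not code from the white paper or from any vendor tool. It is a standard optical power-budget check: each splitter leg costs 10·log10(1/share) dB, fiber adds attenuation per km, each connector adds a fixed loss, and what reaches each receiver must clear its sensitivity by a safety margin. Every numeric input (transmit power, receiver sensitivity, 0.4 dB/km, 0.5 dB per connector, 1 dB splitter excess loss) is a constructed placeholder to be replaced with the values from the optics' data sheets:

```python
"""Optical power-budget check for choosing a passive fiber TAP split ratio.

Added example, not from the original white paper. Transmit power, receiver
sensitivity and loss figures are constructed placeholders; use the values
from your own optics' data sheets.
"""
import math

SPLITTER_EXCESS_LOSS_DB = 1.0   # constructed: splitter loss beyond the split itself
CONNECTOR_LOSS_DB = 0.5         # constructed: loss per mated connector pair


def split_loss_db(share: float) -> float:
    """Insertion loss of a splitter leg that passes `share` of the light.
    A 70/30 splitter costs the 70% leg about 1.55 dB and the 30% leg about 5.2 dB."""
    if not 0.0 < share < 1.0:
        raise ValueError("share must be strictly between 0 and 1")
    return -10.0 * math.log10(share)


def received_power_dbm(tx_dbm, share, fiber_km, attenuation_db_per_km, connectors):
    """Power arriving at a receiver after the splitter, the fiber run and connectors."""
    return (tx_dbm
            - split_loss_db(share)
            - SPLITTER_EXCESS_LOSS_DB
            - fiber_km * attenuation_db_per_km
            - connectors * CONNECTOR_LOSS_DB)


def evaluate_split(network_share, *, tx_dbm, rx_sensitivity_dbm, network_km, monitor_km,
                   attenuation_db_per_km, network_connectors=4, monitor_connectors=2):
    """Margin above receiver sensitivity on both legs for one split ratio.
    Link speed enters through rx_sensitivity_dbm: faster optics need more light."""
    net_rx = received_power_dbm(tx_dbm, network_share, network_km,
                                attenuation_db_per_km, network_connectors)
    mon_rx = received_power_dbm(tx_dbm, 1.0 - network_share, monitor_km,
                                attenuation_db_per_km, monitor_connectors)
    return {
        "network_share": network_share,
        "network_rx_dbm": net_rx,
        "network_margin_db": net_rx - rx_sensitivity_dbm,
        "monitor_rx_dbm": mon_rx,
        "monitor_margin_db": mon_rx - rx_sensitivity_dbm,
    }


def choose_split(candidates, min_margin_db, **link):
    """Smallest network share (most light to the tool) for which BOTH legs keep
    at least min_margin_db; None if no candidate does. Starving the network leg
    takes the production link down, so it is never traded away for the tool."""
    for share in sorted(candidates):
        r = evaluate_split(share, **link)
        if (r["network_margin_db"] >= min_margin_db
                and r["monitor_margin_db"] >= min_margin_db):
            return share
    return None


if __name__ == "__main__":
    # Constructed link: 5 km of single-mode fiber to the far switch, 50 m to the tool.
    link = dict(tx_dbm=-3.0, rx_sensitivity_dbm=-14.0, network_km=5.0,
                monitor_km=0.05, attenuation_db_per_km=0.4)
    for share in (0.5, 0.6, 0.7, 0.8, 0.9):
        r = evaluate_split(share, **link)
        print(f"{round(share * 100)}/{round((1 - share) * 100)} split: "
              f"network margin {r['network_margin_db']:.2f} dB, "
              f"monitor margin {r['monitor_margin_db']:.2f} dB")
    print("chosen network share:", choose_split((0.5, 0.6, 0.7, 0.8, 0.9), 3.0, **link))
```

With the constructed figures a 50/50 split leaves the network leg just under the 3 dB margin, so the script settles on 60/40; doubling the network fiber to 10 km leaves no candidate that satisfies both legs, which is the signal to use an active TAP or a different split rather than to accept a marginal link.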
When to use a SPAN port
As discussed above, a TAP offers more benefits than a SPAN port. There are still situations, however, in which a TAP is not practical and a SPAN port remains useful: remote locations with modest traffic that cannot justify a full-time TAP on the link; access to traffic that stays within a switch or never crosses a physical link that could be tapped; and low-cost troubleshooting on links with low utilization.
On more heavily loaded networks, however, the capacity, security, and reliability of TAPs provide full visibility into the traffic on your network without the worry that packets are being dropped or physical-layer errors filtered out.
Summary
IT managers are increasingly turning to TAPs as the preferred method for connecting network, performance, and security tools. TAPs provide access to all of the data, ensuring an accurate analysis, and they offer fail-safe operation that avoids network disruption as a result of a power interruption or the failure of an appliance.
Take into account that TAP or SPAN ports are just the beginning of gaining comprehensive visibility throughout your complete network infrastructure. After capturing the traffic you can send it to a network packet broker to be monitored, controlled, and secured. The SmartNA™ range provides the high-speed performance and flexibility needed to optimize traffic and give the right data to the right tools you use to increase their performance and efficiency.