To Mirror or to TAP, That is the Question!
Network managers are dealing with transitions such as work from home (WFH), increasing speeds, media updates from copper to fiber, new applications and physical moves. Keeping up with constant changes in network activity requires consistent, accurate and complete visibility into network traffic. There are two technologies that provide network traffic visibility. One is using existing mirror ports on a switch (in Cisco terminology, Switched Port Analyzer or SPAN) and the other is deploying independent TAPs. Each method has its own advantages and drawbacks. It is critical for network managers to understand the differences in order to make visibility decisions that fit their own needs and priorities.
Mirror or SPAN ports are already on the switch. They are generally limited to two ports per switch and activated in software. They will duplicate switch traffic and send a copy to an analysis device. TAPs are independent hardware that provide virtually unlimited physical ports to take in traffic from links and send a mirror copy of that traffic to a device for analysis. At first, it sounds like they are very much alike but they actually operate quite differently.
SPAN ports replicate mirror packets in the switch and direct them to a monitor port where the analysis appliance is connected. SPAN is seen as a simple way to send packets for analysis. SPAN access can work well in low bandwidth applications where throughput is well below switch capacity and 100% accuracy of packet delivery is not critical. In fact, to paraphrase many analytic tool web sites, “you can attach our products using a SPAN port or TAP.” The implication is that the two are interchangeable. However, there are significant differences between these technologies.
The top priority for a switch, of course, is to direct network traffic. Adding SPAN traffic increases internal switch traffic and taxes the CPU. Therefore, as the switch reaches capacity, low priority SPAN packets will be randomly dropped. This problem is critical because, just as a need for switch traffic analysis presents itself (packets overrunning switch capacity), so does the condition of the SPAN port not providing accurate traffic information. Without accurate input, the network tool will not be able to provide reliable analysis.
Another problem with port mirroring is that certain packets such as undersized or error packets are filtered in the switch and never make it to the SPAN port. These packets are dropped and not reported by the switch. Detailed and accurate traffic analysis requires 100% of packets be submitted to the analysis tool. SPAN ports cannot guarantee such accuracy. In this era of required legal compliance in many industries, it is important to be able to document 100% capture with no packet manipulation.
Taps can offer virtually an unlimited number of physical ports for access to network links passing data to analysis, compliance, security and other appliances. The TAP connects two network end points and provides a mirror copy of the traffic passing through the TAP. It is important to note that TAPs do not analyze packets, change packet timing, add delay, alter or otherwise interfere with network traffic. To the network, a TAP looks like a wire. If a Tap loses power, a fail-safe relay will maintain traffic flow.
Because of a TAP’s independence from the network end points, they can mirror 100% of the data to the monitor port. Physical layer errors, error packets, short frames and other packets that might be filtered out on a SPAN session are all passed through TAPs to monitor port(s). This provides the IT Manager with a legally defensible, pure data stream for analysis and reporting. TAPs guarantee access to all the data all the time.
Some of the industry trends that are leading IT Managers toward TAPs include the massive increase in network bandwidth with 10Gbps-100Gbps links becoming common in the data center. In addition to increasing speeds, analysis must often hold up to compliance audits. Examples of data privacy legislation includes the EU's GDPR, global banking's Basel iii requirements and the raft of US legislation including; the Affordable Care Act (ACA) and HIPPA in healthcare, Dodd Franks in financial services, the Cyber Security Bill and the California Consumer Privacy Act (CCPA).
Some current innovations in this technology include drag and drop user interfaces such as the Drag ’n Vu GUI by Network Critical, for ease of configuration, accuracy and management. TAPs are also being combined with packet brokers providing efficient port utilization of expensive analytic tools. Taps and packet brokers are also providing advanced filtering and load balancing options that allow optimization of tool performance and improved management of network resources.
Budget is always a consideration in network design decisions.
SPAN ports are in the switch so there is no direct up front cost with this option but there are operational costs involved in programming and management of the ports. There are also potential hidden costs of bad decision making as a result of corrupt data from overloaded ports and dropped packets. Physical ports are limited to two ports per switch. If more tools are deployed TAPs will have to be added for physical access.
TAP pricing varies depending on speeds, features and flexibility. Hardware costs can range from sub $400 for a single fiber TAP to sub $800 per port and up for fully featured access modules. These systems provide safe, secure access to links providing 100% of network traffic to tools along with filtering and load balancing features.
While SPAN ports can be utilized for simple, low speed network analysis, IT Managers are increasingly turning to TAPs as the preferred method for providing network access to analytic and security tools. TAPs provide access to all the data to ensure accurate analysis. They provide fail-safe operation avoiding risk of network disruption as a result of power interruption or failure of an appliance. Taps can also provide simultaneous access to many tools for a wide variety of analytics, security and compliance applications at speeds up to 100Gbps.