Why Are Taps Critical to Network Visibility and Security?

Monitor your traffic, don’t disrupt it. Learn how.

Placed between any two network devices, a tap duplicates all traffic on the link and forwards it to your monitoring tools. In this solution brief you will learn how the use of taps optimizes both network and personnel resources without alterations to the content or structure of the data.


Taps help IT groups easily and passively monitor all network data by providing a way to capture data and remove blind spots. Discover how taps provide continuous, nondisruptive access to the network data you need to monitor performance and troubleshoot problems.

The first building-block to your visibility architecture is access to the data. That comes in one of two forms: a network tap or a switch port analyzer (SPAN) port (also known as port mirroring). But which is the right one? This document should help answer that question. These days, your network is as important to your business as any other item—including your products.

Whether your customers are internal or external, you need a dependable and secure network that grows with your business. Without one, you are dead in the water. IT managers have a nearly impossible job. They must understand, manage, and secure the network all the time against all problems. Anything less than a 100 percent working network is a failure.

Content Summary

Taps Passively Access and Monitor Network Data
Taps vs. SPAN Ports
Real-Time Accessibility
Advantage: Taps
Ixia’s Tap Family

Taps Passively Access and Monitor Network Data

IT managers have a nearly impossible job. They must understand, manage, and secure the network all the time against all problems. Anything less than a 100 percent working network is a failure. As the network grows larger, visibility becomes harder as blind spots creep into the network. These blind spots, or the inability to completely see what is happening on the network, can compromise network quality. Taps provide an unobtrusive way to capture network monitoring data and begin the process of removing blind spots.

Taps are used to help IT groups easily and passively monitor all network data. They are normally placed between any two network devices, including switches, routers, and firewalls. Taps provide continuous, nondisruptive access to the network data you need to monitor performance and troubleshoot problems. Taps are easily deployed, without the need to disrupt live network traffic. Any monitoring device connected to a tap receives all inline traffic. The tap duplicates all traffic on the link and forwards it to the monitoring tools. Taps do not introduce delay or alter the content or structure of the data. They also “fail open,” meaning traffic continues to flow between network devices in the event a monitoring tool is removed or power is lost.

Taps vs. SPAN Ports

Taps offer significant advantages over the use of switch port analyzer (SPAN) ports to monitor the network. SPAN ports require an engineer to configure the switch or switches. Switches also eliminate corrupt packets or packets that are below a minimum size. Also, switches may drop Layer 1 and select Layer 2 errors, depending on what has been deemed as a high priority. This means SPAN ports do not get all the traffic. On the other hand, a tap passes all data on a link. Taps capture everything needed to properly troubleshoot common physical-layer problems. This includes bad frames that can be caused by a faulty network interface card (NIC).

Table 1: Tap vs. SPAN functionality

Real-Time Accessibility

Taps pass through full-duplex traffic at line-rate, non-blocking speeds. Low-end switch SPAN ports can introduce delay while packets are copied to them. Aggregating data from lower-speed ports to a higher-speed port can also introduce signal delay. Furthermore, a SPAN port needs 200Mb of capacity to capture all the data from a lower-speed link, so a higher-speed SPAN port is needed, which is not an efficient solution.

Common networking practice is to SPAN virtual local area networks (VLANs) across gigabit ports. In addition to requiring more ports than may be available in one switch, it is often difficult to “combine” or match packets to a particular originating link. So while spanning a VLAN is an accepted way to get an overall feel for network issues, pinpointing the source of actual problems becomes difficult. Some switches have problems processing normal network traffic, depending on loads. With SPAN, the switch also needs to determine what traffic gets sent to monitoring tools. This extra processing may introduce performance issues. Taps provide permanent, passive, zero delay alternatives.

How does it work? Network taps use passive splitting or regeneration technology to transmit inline traffic to an attached management or security device without data stream interference.

Figure 1: Network Tap Deployment

Advantage: Taps

The use of taps optimizes both network and personnel resources. Monitoring devices can be easily added when and where they are needed. No extra cables are needed to monitor traffic or reconfigure switches. The example to the right illustrates a typical tap deployment for one monitoring device. A tap that includes two monitoring ports means the network and security teams do not share the one SPAN port. They get all the data they need.

Ixia’s Tap Family

Ixia’s comprehensive tap portfolio is the foundation of our integrated IxVision Visibility Architecture. Our taps pass all network traffic, including Layer 1 and 2 errors, without introducing bottlenecks or points of failure. Regardless of interface or location in the network, Ixia provides a tap solution, supporting copper, or multimode and single-mode fiber at speeds up to 100Gbps with media conversion models available.

Source: Ixia