By Paul Brett
Apart from removing network blind-spots, providing a complete and consistent fail-safe source of all network traffic for network performance, security and analytics monitoring, reliably duplicating and forwarding all network traffic to Network Packet Brokers (NPB) and network tools, providing media conversion to extend network tools’ life span, while not affecting the original network traffic?
In my previous blog, I described the importance of deploying a network visibility solution to help organizations meet their business and IT objectives by improving network performance, security posture, network planning, business continuity, and the ROI of network infrastructure and network tools. The fundamental component of any successful visibility solution is the 100% reliable, accurate source of network traffic delivered by network TAPs used for network performance and security monitoring.
Network TAPs are connected in-line to copper or fibre network links, copy all network traffic, and forward the duplicated network traffic to other network visibility products, such as an NPB, and/or network performance, security and analytics tools. TAPs are typically passive (there are a few exceptions), fail-safe devices that are able to duplicate all traffic crossing a network link without affecting the original traffic in any way even in the event of a TAP failure or oversubscription of the network link.
In most use cases, TAPs forward network traffic to an NPB which filters and optimizes the traffic before it, in turn, sends the optimized, duplicated network traffic to the relevant network tool for analysis and action. The successful outcome of this process is dependent on the reliability and accuracy of the network traffic source.
An alternative network traffic source that is sometimes deployed is SPAN (Switch Port Analyzer) or Mirror ports.
A SPAN is a software function of a network switch or router that duplicates network traffic and sends it to a SPAN port for forwarding to an NPB or network tool. SPAN ports are less reliable than TAPs so are normally only deployed when it is impracticable to deploy network TAPs – sometimes SPAN ports are deployed alongside network TAPs in locations where TAPs cannot be installed and when their reduced reliability is a better alternative than no traffic source.
SPAN network traffic’s reliability is compromised because SPAN ports can drop packets to create blind-spots when oversubscribed or when the switch/router processor is heavily loaded. SPAN ports can also drop malformed or errored packets and alter the timing of forwarded network traffic.
All of these considerations mean that in the best-case scenarios SPAN traffic does not completely accurately reflect the original network traffic, and in the worst-case scenario it can be missing vital information that is key to detecting a network performance or security issue – this is not the case for TAPs and the reason why they are normally the preferred approach.
So, apart from removing network blind-spots to allow reliable and effective network performance and security monitoring, providing fail-safe access to all network traffic, requiring zero configuration, being completely secure, delivering an exact duplicate of network traffic, injecting no added latency or altered timing, including all traffic errors as well as good data packets, being unaffected by over subscription, being able to connect to copper and fibre links, and supporting network speeds from 10Mbps through to 400Gbps – what has network TAP ever done for us!!!