Choosing between a SPAN, Aggregator, or full-duplex TAP
8 10/100 Copper nTAP (7 Feb 2018) — Archive/Non-authoritative version
link to the analyzer’s single receive channel.
When to use a SPAN/mirror
port (page 10)
.
♦
Attaching a monitoring or analysis device to an Aggregator TAP inserted
into a full-duplex link.
As with a SPAN, the Aggregator TAP copies both sides of a full-duplex link
to the analyzer’s single receive channel. It uses buffering which makes it
somewhat better able to keep up with higher traffic levels than a SPAN.
For more details, see
When to use the Aggregator TAP (page 12)
and .
♦
Attaching a dual-receive monitoring or analysis device to a full-duplex TAP
inserted into a full-duplex link.
Dual-receive
means that the network card on the analysis device has two
receive channels rather than the transmit and receive channels associated
with a standard full-duplex link. For more details, see
When to use a full-
duplex TAP (page 13)
.
Deciding whether to use a TAP or a SPAN/mirror port
SPANs are great for proof of concepts and lightly used links. TAPs ensure you get
all of the traffic, including on high speed links, and physical layer errors.
A TAP is a passive splitting mechanism installed between a device of interest and
the network. A TAP copies the incoming network traffic and splits it. It passes the
network traffic to the network and sends a copy of that traffic (both send and
receive) to a monitoring device in real time.
A SPAN/mirror port on a switch that copies traffic on a port or group of ports
and sends the copied data to an analyzer. By its very nature it is half-duplex,
which means that it cannot send all of the send and receive traffic it sees if
traffic exceeds 50% of the bandwidth. Moreover, switch manufacturers design
their products so that the SPAN/mirror port has a lower priority in the switch
operating system. Therefore, one of the first things to stop working when the
switch gets busy is the SPAN/mirror port traffic flow. A SPAN/mirror port is fine
for connections to stations at the edge of your network, but may be unable to
keep up with the higher traffic volumes on your full duplex links at the core of
your network. It is convenient for a proof of concept, but cannot pass physical
layer errors (poorly formed packets, runts, CRCs) to the analyzer and give you all
of the visibility you need for Gigabit, 10 Gigabit or 40 Gigabit networks, but a
TAP will.
Most enterprise switches copy the activity of one or more ports through a
Switch
Port Analyzer
(SPAN) port, also known as a mirror port. An analysis device can
then be attached to the SPAN port to access network traffic.
There are four common ways to get full duplex data to a probe or analyzer:
♦
Connect the probe to a SPAN/mirror port. A SPAN/mirror port can provide
a copy of all designated traffic on the switch in real time, assuming
bandwidth utilization is below 50% of full capacity.
♦
Deploy an Aggregator TAP on critical full duplex links.
♦
Deploy a full duplex TAP on critical links to capture traffic. For some
types of traffic, such as full duplex gigabit links, TAPs are the only way to
guarantee complete analysis, especially when traffic levels are high.
♦
Traffic aggregators, like the Observer Matrix, allow you to copy and filter
full duplex traffic. Because full-duplex Ethernet links lies at the core of