Choosing between a SPAN, Aggregator, or full-duplex TAP
Chapter 2: Why choose a TAP or SPAN port 9
most corporate networks, ensuring completely transparent analyzer access
to those links is critical.
Figure 1: TAP versus SPAN
Table 2. TAP versus SPAN
TAP
SPAN/mirror port
Pros
Greatly reduces the risk of
dropped packets
Low cost
Monitoring device receives
all packets, including physical
errors
Remotely configurable from
any system connected to the
switch
Provides full visibility into full-
duplex networks
Able to copy intra-switch
traffic
Cons
Analysis device may need
dual-receive capture interface
if you are using a full-duplex
TAP (does not apply to the
Aggregator TAP family)
Cannot handle heavily utilized
full-duplex links without
dropping packets
Additional cost with purchase
of TAP hardware
Filters out physical layer errors,
hampering some types of
analysis
Cannot monitor intra-switch
traffic
Burden placed on a switch’s
CPU to copy all data passing
through ports
Switch puts lower priority on
SPAN port data than regular
port-to-port data
Can change the timing of
frame interaction altering
response times
Bottom line
A TAP is ideal when analysis
requires seeing all the traffic,
including physical-layer errors.
A TAP is required if network
utilization is moderate to
heavy. The Aggregator TAP
can be used as an effective
compromise between a TAP
and SPAN port, delivering
some of the advantages
A SPAN port performs well
on low-utilized networks or
when analysis is not affected
by dropped packets.