TAPs Overview: The Start of Visibility
Change is coming to networks faster than ever before. While growth is a new constant in most networks, it is being compounded by new regulations, virtualization of workloads and services, changing security needs, and migration of applications between data centers and the cloud.
Network and IT organizations are caught in a constant cycle of deploying new services, supporting new use cases, and managing growth – which results in networks that are always trying to get back to a reliable state before the next rounds of change hits.
What is needed is a Visibility Architecture that delivers the control and simplicity necessary to improve the usefulness of network tools – regardless of network scale or management needs. When starting to design a visibility architecture, or when reviewing your current architecture, the very first decision point is how to access the data. Should you use a SPAN or tap? Where should you locate it? How many access points do you need to maximize your monitoring and network efficiency?
Taps are primarily used to easily and passively monitor a network link. They are usually placed between any two network devices – like switches, routers, and firewalls – to provide network and security personnel a connection for monitoring devices. Taps can provide access for both inline and out-of-band monitoring solutions. Using a tap, protocol analyzers, RMON probes, and intrusion detection and prevention systems (IDS and IPS) can be easily connected to and removed from the network when needed. Taps also eliminate downtime needed to run cabling directly to the monitoring device from network devices, saving time and eliminating possible cabling issues.
Any monitoring device connected to an inline tap receives the same traffic as if it were inline, including all errors. The inline tap duplicates all traffic on the link and forwards this to the monitoring port/s. Taps do not introduce delay, or alter the content or structure of the data. They also fail open so that traffic continues to flow between network devices in the event a monitoring device is removed or power to the tap is lost.
Bypass taps (also known as bypass switches) provide fail-safe, inline protection for your security and monitoring devices. Inline monitoring appliances are single points of failure in computer networks because if the appliance loses power, experiences a software failure, or is removed, traffic can no longer flow through the link. A bypass tap generally uses a heartbeat packet to protect the network link from application, link, or power failure on the attached monitoring device. If the heartbeat packet is disrupted, then the bypass switch removes this point of failure by automatically shunting traffic around the appliance whenever the appliance is incapable of passing traffic.
Taps vs. SPANs
Taps are designed to pass through full duplex traffic at line rate non-blocking speeds. Network taps use passive splitting or regeneration technology to transmit inline traffic to an attached management or security device without data stream interference. The monitoring device sees the same traffic as if it were also inline, including physical layer errors.
It is also a common practice for network engineers to span VLANs across gigabit ports. In addition to the need for additional ports that may be available in one switch, it is often difficult to “combine” or match packets to a particular originating link. So while spanning a VLAN can be a great way to get an overall feel for network issues, pinpointing the source of actual problems becomes difficult.
When using SPAN ports to monitor the network, an engineer is usually required to configure the switch or switches. Switches also attempt to eliminate corrupt or non-conforming packets on ingress ports. In addition, switches may drop layer 1 and select layer 2 errors depending on what has been deemed as high priority. As SPAN setup normally captures data within the egress segment, this means you may not be getting the true “picture” of incoming traffic.
On the other hand, a tap passes all data on a link, capturing everything needed to properly troubleshoot common physical layer problems, including bad frames that can be caused by a faulty NIC.
Taps are designed to pass through full duplex traffic at line rate non-blocking speeds. The software architecture of low-end switches may introduce delay while packets are copied to the SPAN ports.
Furthermore, accessing full-duplex traffic may also be constrained by using a SPAN port. For example, to capture the traffic from a 100MB link, a SPAN port would need 200MB of capacity. This requirement can cause problems, so a gigabit link is often needed as a dedicated SPAN port.
Lastly, the use of taps optimizes both network and personnel resources. Monitoring devices can be easily deployed when and where needed, and engineers do not need to re-cable a network link to monitor traffic or re-configure switches. In contrast, a tap that includes two monitoring ports eliminates the need for both the network and security teams to share the one SPAN port that may have been configured to capture traffic for monitoring devices.
For an additional perspective on taps vs. SPAN ports, see Tim O’Neil’s blog post here.